linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 4.17 000/220] 4.17.4-stable review
@ 2018-07-01 16:20 Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 001/220] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec() Greg Kroah-Hartman
                   ` (212 more replies)
  0 siblings, 213 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.17.4 release.
There are 220 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Jul  3 16:08:27 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.17.4-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.17.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.17.4-rc1

Wenwen Wang <wang6495@umn.edu>
    virt: vbox: Only copy_from_user the request-header once

Mike Snitzer <snitzer@redhat.com>
    dm thin: handle running out of data space vs concurrent discard

Bart Van Assche <bart.vanassche@wdc.com>
    dm zoned: avoid triggering reclaim from inside dmz_map()

Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    x86/efi: Fix efi_call_phys_epilog() with CONFIG_X86_5LEVEL=y

Andy Lutomirski <luto@kernel.org>
    x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80"

Jann Horn <jannh@google.com>
    selinux: move user accesses in selinuxfs out of locked regions

Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    x86/e820: put !E820_TYPE_RAM regions into memblock.reserved

Bart Van Assche <bart.vanassche@wdc.com>
    block: Fix cloning of requests with a special payload

Keith Busch <keith.busch@intel.com>
    block: Fix transfer when chunk sectors exceeds max

Ross Zwisler <ross.zwisler@linux.intel.com>
    pmem: only set QUEUE_FLAG_DAX for fsdax mode

Mike Snitzer <snitzer@redhat.com>
    dm: use bio_split() when splitting out the already processed bio

Jason A. Donenfeld <Jason@zx2c4.com>
    kasan: depend on CONFIG_SLUB_DEBUG

Mikulas Patocka <mpatocka@redhat.com>
    slub: fix failure when we delete and create a slab cache

Wolfram Sang <wsa+renesas@sang-engineering.com>
    i2c: gpio: initialize SCL to HIGH again

Wolfram Sang <wsa+renesas@sang-engineering.com>
    Revert "i2c: algo-bit: init the bus to a known state"

Hui Wang <hui.wang@canonical.com>
    ALSA: hda/realtek - Fix the problem of two front mics on more machines

Takashi Iwai <tiwai@suse.de>
    ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210

Takashi Iwai <tiwai@suse.de>
    ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Force to link down at runtime suspend on ATI/AMD HDMI

Takashi Iwai <tiwai@suse.de>
    ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl

??? <kt.liao@emc.com.tw>
    Input: elantech - fix V4 report decoding for module with middle key

Aaron Ma <aaron.ma@canonical.com>
    Input: elantech - enable middle button of touchpads on ThinkPad P52

Ben Hutchings <ben.hutchings@codethink.co.uk>
    Input: elan_i2c_smbus - fix more potential stack buffer overflows

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: psmouse - fix button reporting for basic protocols

Enno Boland <gottox@voidlinux.eu>
    Input: xpad - fix GPD Win 2 controller name

Jan Kara <jack@suse.cz>
    udf: Detect incorrect directory size

Bartosz Golaszewski <bgolaszewski@baylibre.com>
    net: ethernet: fix suspend/resume in davinci_emac

Boris Ostrovsky <boris.ostrovsky@oracle.com>
    xen: Remove unnecessary BUG_ON from __unbind_from_irq()

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing: Check for no filter when processing event filters

Dan Williams <dan.j.williams@intel.com>
    mm: fix devmem_is_allowed() for sub-page System RAM intersections

Jia He <jia.he@hxt-semitech.com>
    mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()

Dongsheng Yang <dongsheng.yang@easystack.cn>
    rbd: flush rbd_dev->watch_dwork after watch is unregistered

Hans de Goede <hdegoede@redhat.com>
    pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume

Alexandr Savca <alexandr.savca@saltedge.com>
    Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID

Hans de Goede <hdegoede@redhat.com>
    Input: silead - add MSSL0002 ACPI HID

Hans de Goede <hdegoede@redhat.com>
    ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices

Kees Cook <keescook@chromium.org>
    video: uvesafb: Fix integer overflow in allocation

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4: Fix a typo in nfs41_sequence_process

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound issues..")

Dave Wysochanski <dwysocha@redhat.com>
    NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message

Scott Mayhew <smayhew@redhat.com>
    nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir

Mauro Carvalho Chehab <mchehab@kernel.org>
    media: dvb_frontend: fix locking issues at dvb_frontend_get_event()

Sean Young <sean@mess.org>
    media: rc: mce_kbd decoder: fix stuck keys

Kai-Heng Feng <kai.heng.feng@canonical.com>
    media: cx231xx: Add support for AverMedia DVD EZMaker 7

Mauro Carvalho Chehab <mchehab@kernel.org>
    media: v4l2-compat-ioctl32: prevent go past max size

Brad Love <brad@nextdimension.cc>
    media: cx231xx: Ignore an i2c mux adapter

ming_qian <ming_qian@realsil.com.cn>
    media: uvcvideo: Support realtek's UVC 1.5 device

Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
    media: vsp1: Release buffers for each video node

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix packet decoding of CYC packets

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix "Unexpected indirect branch" error

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix MTC timing after overflow

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING

Adrian Hunter <adrian.hunter@intel.com>
    perf tools: Fix symbol and object code resolution for vdso32 and vdsox32

Sean Wang <sean.wang@mediatek.com>
    arm: dts: mt7623: fix invalid memory node being generated

Sibi Sankar <sibis@codeaurora.org>
    remoteproc: Prevent incorrect rproc state on xfer mem ownership failure

Jarkko Nikula <jarkko.nikula@linux.intel.com>
    mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    mfd: intel-lpss: Program REMAP register in PIO mode

Peter Ujfalusi <peter.ujfalusi@ti.com>
    mfd: twl-core: Fix clock initialization

Anton Ivanov <anton.ivanov@cambridgegreys.com>
    um: Fix raw interface options

Anton Ivanov <anton.ivanov@cambridgegreys.com>
    um: Fix initialization of vector queues

Chao Yu <yuchao0@huawei.com>
    f2fs: don't use GFP_ZERO for page caches

Linus Torvalds <torvalds@linux-foundation.org>
    Revert "iommu/amd_iommu: Use CONFIG_DMA_DIRECT_OPS=y and dma_direct_{alloc,free}()"

Johan Hovold <johan@kernel.org>
    backlight: tps65217_bl: Fix Device Tree node lookup

Johan Hovold <johan@kernel.org>
    backlight: max8925_bl: Fix Device Tree node lookup

Johan Hovold <johan@kernel.org>
    backlight: as3711_bl: Fix Device Tree node lookup

Silvio Cesare <silvio.cesare@gmail.com>
    UBIFS: Fix potential integer overflow in allocation

Richard Weinberger <richard@nod.at>
    ubi: fastmap: Correctly handle interrupted erasures in EBA

Richard Weinberger <richard@nod.at>
    ubi: fastmap: Cancel work upon detach

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    rpmsg: smd: do not use mananged resources for endpoints and channels

NeilBrown <neilb@suse.com>
    md: fix two problems with setting the "re-add" device state.

Michael Trimarchi <michael@amarulasolutions.com>
    rtc: sun6i: Fix bit_idx value for clk_register_gate

Marcin Ziemianowicz <marcin@ziemianowicz.com>
    clk: at91: PLL recalc_rate() now using cached MUL and DIV values

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    clk: meson: meson8b: mark fclk_div2 gate clocks as CLK_IS_CRITICAL

Ross Zwisler <ross.zwisler@linux.intel.com>
    libnvdimm, pmem: Unconditionally deep flush on *sync

Robert Elliott <elliott@hpe.com>
    linvdimm, pmem: Preserve read-only setting for pmem devices

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler

Mikhail Malygin <m.malygin@yadro.com>
    scsi: qla2xxx: Spinlock recursion in qla_target

Anil Gurumurthy <anil.gurumurthy@cavium.com>
    scsi: qla2xxx: Mask off Scope bits in retry delay

Himanshu Madhani <himanshu.madhani@cavium.com>
    scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails

Quinn Tran <quinn.tran@cavium.com>
    scsi: qla2xxx: Delete session for nport id change

Sinan Kaya <okaya@codeaurora.org>
    scsi: hpsa: disable device during shutdown

Luis Henriques <lhenriques@suse.com>
    scsi: scsi_debug: Fix memory leak on module unload

Dan Williams <dan.j.williams@intel.com>
    mm: fix __gup_device_huge vs unmap

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    iio: sca3000: Fix an error handling path in 'sca3000_probe()'

Alexandru Ardelean <alexandru.ardelean@analog.com>
    iio: adc: ad7791: remove sample freq sysfs attributes

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix return value on rename exchange failure

Maciej S. Szmigiero <mail@maciej.szmigiero.name>
    X.509: unpack RSA signatureValue field from BIT STRING

Waiman Long <longman@redhat.com>
    locking/rwsem: Fix up_read_non_owner() warning with DEBUG_RWSEMS

Yang Yingliang <yangyingliang@huawei.com>
    irqchip/gic-v3-its: Don't bind LPI to unavailable NUMA node

Geert Uytterhoeven <geert@linux-m68k.org>
    time: Make sure jiffies_to_msecs() preserves non-zero time periods

Huacai Chen <chenhc@lemote.com>
    MIPS: io: Add barrier after register read in inX()

Linus Walleij <linus.walleij@linaro.org>
    MIPS: pb44: Fix i2c-gpio GPIO descriptor table

Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    cpufreq: intel_pstate: Fix scaling max/min limits with Turbo 3.0

Fabio Estevam <fabio.estevam@nxp.com>
    pinctrl: devicetree: Fix pctldev pointer overwrite

Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
    pinctrl: samsung: Correct EINTG banks order

Terry Zhou <bjzhou@marvell.com>
    pinctrl: armada-37xx: Fix spurious irq management

Randy Dunlap <rdunlap@infradead.org>
    auxdisplay: fix broken menu

Mika Westerberg <mika.westerberg@linux.intel.com>
    PCI: Account for all bridges on bus when distributing bus numbers

Mika Westerberg <mika.westerberg@linux.intel.com>
    PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume

Mika Westerberg <mika.westerberg@linux.intel.com>
    PCI: Add ACS quirk for Intel 300 series

Alex Williamson <alex.williamson@redhat.com>
    PCI: Add ACS quirk for Intel 7th & 8th Gen mobile

Sridhar Pitchai <Sridhar.Pitchai@microsoft.com>
    PCI: hv: Make sure the bus domain is really unique

Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
    clk:aspeed: Fix reset bits for PCI/VGA and PECI

Tokunori Ikegami <ikegami@allied-telesis.co.jp>
    MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum

Joakim Tjernlund <joakim.tjernlund@infinera.com>
    mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.

Joakim Tjernlund <joakim.tjernlund@infinera.com>
    mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary

Joakim Tjernlund <joakim.tjernlund@infinera.com>
    mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips

Joakim Tjernlund <joakim.tjernlund@infinera.com>
    mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()

Mason Yang <masonccyang@mxic.com.tw>
    mtd: rawnand: All AC chips have a broken GET_FEATURES(TIMINGS).

Chris Packham <chris.packham@alliedtelesis.co.nz>
    mtd: rawnand: micron: add ONFI_FEATURE_ON_DIE_ECC to supported features

Martin Kaiser <martin@kaiser.cx>
    mtd: rawnand: mxc: set spare area size register explicitly

Abhishek Sahu <absahu@codeaurora.org>
    mtd: rawnand: fix return value check for bad block status

Masahiro Yamada <yamada.masahiro@socionext.com>
    mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally

Tokunori Ikegami <ikegami@allied-telesis.co.jp>
    mtd: cfi_cmdset_0002: Change write buffer to check correct value

Boris Brezillon <boris.brezillon@bootlin.com>
    mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op

Bharat Potnuri <bharat@chelsio.com>
    RDMA/core: Save kernel caller name when creating CQ using ib_create_cq()

Chuck Lever <chuck.lever@oracle.com>
    xprtrdma: Return -ENOBUFS when no pages are available

Leon Romanovsky <leon@kernel.org>
    RDMA/mlx4: Discard unknown SQP work requests

Jason Gunthorpe <jgg@ziepe.ca>
    IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write

Mike Marciniszyn <mike.marciniszyn@intel.com>
    IB/hfi1: Fix user context tail allocation for DMA_RTAIL

Sebastian Sanchez <sebastian.sanchez@intel.com>
    IB/hfi1: Optimize kthread pointer locking when queuing CQ entries

Michael J. Ruhl <michael.j.ruhl@intel.com>
    IB/hfi1: Reorder incorrect send context disable

Mike Marciniszyn <mike.marciniszyn@intel.com>
    IB/hfi1: Fix fault injection init/exit issues

Max Gurtovoy <maxg@mellanox.com>
    IB/isert: fix T10-pi check mask setting

Alex Estrin <alex.estrin@intel.com>
    IB/isert: Fix for lib/dma_debug check_sync warning

Erez Shitrit <erezsh@mellanox.com>
    IB/mlx5: Fetch soft WQE's on fatal error state

Jack Morgenstein <jackm@dev.mellanox.co.il>
    IB/core: Make testing MR flags for writability a static inline function

Jack Morgenstein <jackm@dev.mellanox.co.il>
    IB/mlx4: Mark user MR as writable if actual virtual memory is writable

Alex Estrin <alex.estrin@intel.com>
    IB/{hfi1, qib}: Add handling of kernel restart

Mike Marciniszyn <mike.marciniszyn@intel.com>
    IB/qib: Fix DMA api warning with debug kernel

Hans de Goede <hdegoede@redhat.com>
    efi/libstub/tpm: Initialize efi_physical_addr_t vars to zero for mixed mode

Tadeusz Struk <tadeusz.struk@intel.com>
    tpm: fix race condition in tpm_common_write()

Tadeusz Struk <tadeusz.struk@intel.com>
    tpm: fix use after free in tpm2_load_context()

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    of: platform: stop accessing invalid dev in of_platform_device_destroy

Stefan M Schaeckeler <sschaeck@cisco.com>
    of: unittest: for strings, account for trailing \0 in property length field

Frank Rowand <frank.rowand@sony.com>
    of: overlay: validate offset from property fixups

Kevin Hilman <khilman@baylibre.com>
    ARM64: dts: meson-gx: fix ATF reserved memory region

Jerome Brunet <jbrunet@baylibre.com>
    ARM64: dts: meson: disable sd-uhs modes on the libretech-cc

Thor Thayer <thor.thayer@linux.intel.com>
    arm64: dts: stratix10: Fix SPI nodes for Stratix10

Miquel Raynal <miquel.raynal@bootlin.com>
    arm64: dts: marvell: fix CP110 ICU node size

Will Deacon <will.deacon@arm.com>
    arm64: mm: Ensure writes to swapper are ordered wrt subsequent cache maintenance

Will Deacon <will.deacon@arm.com>
    arm64: kpti: Use early_param for kpti= command-line option

Jia He <hejianet@gmail.com>
    crypto: arm64/aes-blk - fix and move skcipher_walk_done out of kernel_neon_begin, _end

Dave Martin <Dave.Martin@arm.com>
    arm64: Fix syscall restarting around signal suppressed by tracer

Joel Fernandes (Google) <joel@joelfernandes.org>
    softirq: Reorder trace_softirqs_on to prevent lockdep splat

Michael Buesch <m@bues.ch>
    hwrng: core - Always drop the RNG in hwrng_unregister()

Dinh Nguyen <dinguyen@kernel.org>
    ARM: dts: socfpga: Fix NAND controller node compatible for Arria10

Marek Vasut <marex@denx.de>
    ARM: dts: socfpga: Fix NAND controller clock supply

Marek Vasut <marex@denx.de>
    ARM: dts: socfpga: Fix NAND controller node compatible

Thor Thayer <thor.thayer@linux.intel.com>
    ARM: dts: Fix SPI node for Arria10

Chen-Yu Tsai <wens@csie.org>
    ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VCC-1V2 regulator voltage

Icenowy Zheng <icenowy@aosc.io>
    ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VDD-CPUX voltage

David Rivshin <DRivshin@allworx.com>
    ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size

Vaibhav Jain <vaibhav@linux.ibm.com>
    cxl: Disable prefault_mode in Radix mode

Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
    cxl: Configure PSL to not use APC virtual machines

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/64s: Fix DT CPU features Power9 DD2.1 logic

Michael Jeanson <mjeanson@efficios.com>
    powerpc/e500mc: Set assembler machine type to e500mc

Nicholas Piggin <npiggin@gmail.com>
    powerpc/64s/radix: Fix radix_kvm_prefetch_workaround paca access of not possible CPU

Finley Xiao <finley.xiao@rock-chips.com>
    soc: rockchip: power-domain: Fix wrong value when power up pd with writemask

Ross Zwisler <ross.zwisler@linux.intel.com>
    libnvdimm, pmem: Do not flush power-fail protected CPU caches

Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
    powerpc/fadump: Unregister fadump on kexec down path.

Gautham R. Shenoy <ego@linux.vnet.ibm.com>
    cpuidle: powernv: Fix promotion from snooze if next state disabled

Akshay Adiga <akshay.adiga@linux.vnet.ibm.com>
    powerpc/powernv/cpuidle: Init all present cpus for deep states

Haren Myneni <haren@us.ibm.com>
    powerpc/powernv: copy/paste - Mask SO bit in CR

Alexey Kardashevskiy <aik@ozlabs.ru>
    powerpc/powernv/ioda2: Remove redundant free of TCE pages

Michael Neuling <mikey@neuling.org>
    powerpc/ptrace: Fix enforcement of DAWR constraints

Anju T Sudhakar <anju@linux.vnet.ibm.com>
    powerpc/perf: Fix memory allocation for core-imc based on num_possible_cpus()

Michael Neuling <mikey@neuling.org>
    powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG

Ram Pai <linuxram@us.ibm.com>
    powerpc/pkeys: Detach execute_only key on !PROT_EXEC

Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
    powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix control dir setup and teardown

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    fuse: don't keep dead fuse_conn at fuse_fill_super().

Miklos Szeredi <mszeredi@redhat.com>
    fuse: atomic_o_trunc should truncate pagecache

Tejun Heo <tj@kernel.org>
    fuse: fix congested state leak on aborted connections

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    printk: fix possible reuse of va_list variable

Amit Pundir <amit.pundir@linaro.org>
    Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader

Corey Minyard <cminyard@mvista.com>
    ipmi:bt: Set the timeout before doing a capabilities check

Mikulas Patocka <mpatocka@redhat.com>
    branch-check: fix long->int truncation when profiling branches

Matthias Schiffer <mschiffer@universe-factory.net>
    mips: ftrace: fix static function graph tracing

Steven Rostedt (VMware) <rostedt@goodmis.org>
    ftrace/selftest: Have the reset_trigger code be a bit more careful

Geert Uytterhoeven <geert+renesas@glider.be>
    lib/vsprintf: Remove atomic-unsafe support for %pCr

Geert Uytterhoeven <geert+renesas@glider.be>
    clk: renesas: cpg-mssr: Stop using printk format %pCr

Geert Uytterhoeven <geert+renesas@glider.be>
    thermal: bcm2835: Stop using printk format %pCr

Alexander Sverdlin <alexander.sverdlin@gmail.com>
    ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup

Alexander Sverdlin <alexander.sverdlin@gmail.com>
    ASoC: cirrus: i2s: Fix LRCLK configuration

Kai Chieh Chuang <kaichieh.chuang@mediatek.com>
    ASoC: mediatek: preallocate pages use platform device

Paul Handrigan <Paul.Handrigan@cirrus.com>
    ASoC: cs35l35: Add use_single_rw to regmap config

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it

Ingo Flaschberger <ingo.flaschberger@gmail.com>
    1wire: family module autoload fails because of upper/lower case mismatch.

Maxim Moseychuk <franchesko.salias.hudro.pedros@gmail.com>
    usb: do not reset if a low-speed or full-speed device timed out

Wolfram Sang <wsa+renesas@sang-engineering.com>
    mmc: renesas_sdhi: really fix WP logic regressions

Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com>
    PM / OPP: Update voltage in case freq == old_freq

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    PM / core: Fix supplier device runtime PM usage counter imbalance

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPI / LPSS: Avoid PM quirks on suspend and resume from S3

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    PCI / PM: Do not clear state_saved for devices that remain suspended

Ulf Hansson <ulf.hansson@linaro.org>
    PM / Domains: Fix error path during attach in genpd

Eric W. Biederman <ebiederm@xmission.com>
    signal/xtensa: Consistenly use SIGBUS in do_unaligned_user

Daniel Wagner <daniel.wagner@siemens.com>
    serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version

Mika Westerberg <mika.westerberg@linux.intel.com>
    mtd: spi-nor: intel-spi: Fix atomic sequence handling

Guenter Roeck <linux@roeck-us.net>
    hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    platform/chrome: cros_ec_lpc: do not try DMI match when ACPI device found

Finn Thain <fthain@telegraphics.com.au>
    m68k/mac: Fix SWIM memory resource end address

Michael Schmitz <schmitzmic@gmail.com>
    m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()

Siarhei Liakh <Siarhei.Liakh@concurrent-rt.com>
    x86: Call fixup_exception() before notify_die() in math_error()

Borislav Petkov <bp@suse.de>
    x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out()

Tony Luck <tony.luck@intel.com>
    x86/mce: Fix incorrect "Machine check from unknown source" message

Tony Luck <tony.luck@intel.com>
    x86/mce: Check for alternate indication of machine check recovery on Skylake

Tony Luck <tony.luck@intel.com>
    x86/mce: Improve error message when kernel cannot recover

mike.travis@hpe.com <mike.travis@hpe.com>
    x86/platform/UV: Add kernel parameter to set memory block size

mike.travis@hpe.com <mike.travis@hpe.com>
    x86/platform/UV: Use new set memory block size function

mike.travis@hpe.com <mike.travis@hpe.com>
    x86/platform/UV: Add adjustable set memory block size function

Juergen Gross <jgross@suse.com>
    x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths

Dan Williams <dan.j.williams@intel.com>
    x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec()


-------------

Diffstat:

 Documentation/ABI/testing/sysfs-class-cxl          |   4 +-
 Documentation/core-api/printk-formats.rst          |   3 +-
 Makefile                                           |   4 +-
 arch/arm/boot/dts/mt7623.dtsi                      |   3 +-
 arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts      |   1 +
 arch/arm/boot/dts/mt7623n-rfb.dtsi                 |   1 +
 arch/arm/boot/dts/socfpga.dtsi                     |   4 +-
 arch/arm/boot/dts/socfpga_arria10.dtsi             |   5 +-
 arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts |   8 +-
 arch/arm/include/asm/kgdb.h                        |   2 +-
 arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi  |   6 +-
 arch/arm64/boot/dts/amlogic/meson-gx.dtsi          |   6 +
 .../dts/amlogic/meson-gxl-s905x-libretech-cc.dts   |   3 -
 arch/arm64/boot/dts/amlogic/meson-gxl.dtsi         |   8 --
 arch/arm64/boot/dts/marvell/armada-cp110.dtsi      |   2 +-
 arch/arm64/crypto/aes-glue.c                       |   2 +-
 arch/arm64/kernel/cpufeature.c                     |   2 +-
 arch/arm64/kernel/signal.c                         |   5 +-
 arch/arm64/mm/proc.S                               |   5 +-
 arch/m68k/mac/config.c                             |   2 +-
 arch/m68k/mm/kmap.c                                |   3 +-
 arch/mips/ath79/mach-pb44.c                        |   2 +-
 arch/mips/bcm47xx/setup.c                          |   6 +
 arch/mips/include/asm/io.h                         |   2 +
 arch/mips/include/asm/mipsregs.h                   |   3 +
 arch/mips/kernel/mcount.S                          |  27 ++---
 arch/powerpc/Makefile                              |   1 +
 arch/powerpc/kernel/dt_cpu_ftrs.c                  |   3 +-
 arch/powerpc/kernel/entry_64.S                     |   1 +
 arch/powerpc/kernel/fadump.c                       |   3 +
 arch/powerpc/kernel/hw_breakpoint.c                |   4 +-
 arch/powerpc/kernel/ptrace.c                       |   1 +
 arch/powerpc/mm/pkeys.c                            |   4 +-
 arch/powerpc/mm/tlb-radix.c                        |   2 +
 arch/powerpc/perf/imc-pmu.c                        |   4 +-
 arch/powerpc/platforms/powernv/copy-paste.h        |   3 +-
 arch/powerpc/platforms/powernv/idle.c              |   4 +-
 arch/powerpc/platforms/powernv/pci-ioda.c          |   1 -
 arch/um/drivers/vector_kern.c                      |  20 +++-
 arch/x86/entry/entry_64_compat.S                   |  16 +--
 arch/x86/include/asm/barrier.h                     |   2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |  60 +++++++++-
 arch/x86/kernel/cpu/mcheck/mce-severity.c          |   5 +
 arch/x86/kernel/cpu/mcheck/mce.c                   |  44 +++++---
 arch/x86/kernel/e820.c                             |  15 ++-
 arch/x86/kernel/quirks.c                           |  11 +-
 arch/x86/kernel/traps.c                            |  14 ++-
 arch/x86/mm/init.c                                 |   4 +-
 arch/x86/mm/init_64.c                              |  20 +++-
 arch/x86/platform/efi/efi_64.c                     |   4 +-
 arch/x86/xen/smp_pv.c                              |   5 +
 arch/xtensa/kernel/traps.c                         |   2 +-
 block/blk-core.c                                   |   4 +
 crypto/asymmetric_keys/x509_cert_parser.c          |   9 ++
 drivers/acpi/acpi_lpss.c                           |  20 ++--
 drivers/auxdisplay/Kconfig                         |  10 +-
 drivers/base/core.c                                |  15 ++-
 drivers/base/power/domain.c                        |   3 +
 drivers/block/rbd.c                                |   2 +-
 drivers/bluetooth/hci_qca.c                        |   6 +
 drivers/char/hw_random/core.c                      |  11 +-
 drivers/char/ipmi/ipmi_bt_sm.c                     |   3 +-
 drivers/char/tpm/tpm-dev-common.c                  |  40 +++----
 drivers/char/tpm/tpm-dev.h                         |   2 +-
 drivers/char/tpm/tpm2-space.c                      |   3 +-
 drivers/clk/at91/clk-pll.c                         |  13 +--
 drivers/clk/clk-aspeed.c                           |   4 +-
 drivers/clk/meson/meson8b.c                        |   7 ++
 drivers/clk/renesas/renesas-cpg-mssr.c             |   9 +-
 drivers/cpufreq/intel_pstate.c                     |  27 ++++-
 drivers/cpuidle/cpuidle-powernv.c                  |  32 +++++-
 drivers/firmware/efi/libstub/tpm.c                 |   2 +-
 drivers/hwmon/k10temp.c                            |   5 +
 drivers/i2c/algos/i2c-algo-bit.c                   |   5 -
 drivers/i2c/busses/i2c-gpio.c                      |   4 +-
 drivers/iio/accel/sca3000.c                        |   9 +-
 drivers/iio/adc/ad7791.c                           |  49 --------
 drivers/infiniband/core/umem.c                     |  11 +-
 drivers/infiniband/core/uverbs_main.c              |  14 ++-
 drivers/infiniband/core/verbs.c                    |  14 ++-
 drivers/infiniband/hw/hfi1/chip.c                  |   8 +-
 drivers/infiniband/hw/hfi1/debugfs.c               |   8 +-
 drivers/infiniband/hw/hfi1/file_ops.c              |   4 +-
 drivers/infiniband/hw/hfi1/hfi.h                   |   1 +
 drivers/infiniband/hw/hfi1/init.c                  |  22 +++-
 drivers/infiniband/hw/hfi1/pio.c                   |  44 ++++++--
 drivers/infiniband/hw/mlx4/mad.c                   |   1 -
 drivers/infiniband/hw/mlx4/mr.c                    |  50 +++++++--
 drivers/infiniband/hw/mlx5/cq.c                    |  15 ++-
 drivers/infiniband/hw/qib/qib.h                    |   4 +-
 drivers/infiniband/hw/qib/qib_file_ops.c           |  10 +-
 drivers/infiniband/hw/qib/qib_init.c               |  13 +++
 drivers/infiniband/hw/qib/qib_user_pages.c         |  20 ++--
 drivers/infiniband/sw/rdmavt/cq.c                  |  31 ++++--
 drivers/infiniband/ulp/isert/ib_isert.c            |  28 +++--
 drivers/input/joystick/xpad.c                      |   2 +-
 drivers/input/mouse/elan_i2c.h                     |   2 +
 drivers/input/mouse/elan_i2c_core.c                |   3 +-
 drivers/input/mouse/elan_i2c_smbus.c               |  10 +-
 drivers/input/mouse/elantech.c                     |  11 +-
 drivers/input/mouse/psmouse-base.c                 |  12 +-
 drivers/input/touchscreen/silead.c                 |   1 +
 drivers/iommu/Kconfig                              |   1 -
 drivers/iommu/amd_iommu.c                          |  68 ++++++++----
 drivers/irqchip/irq-gic-v3-its.c                   |   9 +-
 drivers/md/dm-thin.c                               |  11 +-
 drivers/md/dm-zoned-target.c                       |   2 +-
 drivers/md/dm.c                                    |   5 +-
 drivers/md/md.c                                    |   4 +-
 drivers/media/dvb-core/dvb_frontend.c              |  23 ++--
 drivers/media/platform/vsp1/vsp1_video.c           |  21 ++--
 drivers/media/rc/ir-mce_kbd-decoder.c              |   2 +
 drivers/media/usb/cx231xx/cx231xx-cards.c          |   3 +
 drivers/media/usb/cx231xx/cx231xx-dvb.c            |   2 +-
 drivers/media/usb/uvc/uvc_video.c                  |  24 +++-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |   2 +-
 drivers/mfd/intel-lpss-pci.c                       |  25 +++--
 drivers/mfd/intel-lpss.c                           |   4 +-
 drivers/mfd/twl-core.c                             |   2 +-
 drivers/misc/cxl/pci.c                             |   4 +-
 drivers/misc/cxl/sysfs.c                           |  16 ++-
 drivers/mmc/host/renesas_sdhi_core.c               |   5 +
 drivers/mmc/host/renesas_sdhi_internal_dmac.c      |   1 +
 drivers/mmc/host/renesas_sdhi_sys_dmac.c           |   3 +
 drivers/mtd/chips/cfi_cmdset_0002.c                |  21 ++--
 drivers/mtd/nand/raw/denali_dt.c                   |   6 +-
 drivers/mtd/nand/raw/mxc_nand.c                    |   5 +-
 drivers/mtd/nand/raw/nand_base.c                   |  29 ++---
 drivers/mtd/nand/raw/nand_macronix.c               |  48 ++++++--
 drivers/mtd/nand/raw/nand_micron.c                 |   2 +
 drivers/mtd/spi-nor/intel-spi.c                    |  76 +++++++++++--
 drivers/mtd/ubi/build.c                            |   3 +
 drivers/mtd/ubi/eba.c                              |  90 ++++++++++++++-
 drivers/mtd/ubi/wl.c                               |   4 +-
 drivers/net/ethernet/ti/davinci_emac.c             |  15 ++-
 drivers/nvdimm/bus.c                               |  14 ++-
 drivers/nvdimm/pmem.c                              |  10 +-
 drivers/nvdimm/region_devs.c                       |   3 +-
 drivers/of/platform.c                              |   5 +-
 drivers/of/resolver.c                              |   5 +
 drivers/of/unittest.c                              |   8 +-
 drivers/opp/core.c                                 |   2 +-
 drivers/pci/host/pci-hyperv.c                      |  11 --
 drivers/pci/hotplug/pciehp.h                       |   2 +-
 drivers/pci/hotplug/pciehp_core.c                  |   2 +-
 drivers/pci/hotplug/pciehp_hpc.c                   |  13 ++-
 drivers/pci/pci-driver.c                           |   5 +-
 drivers/pci/probe.c                                |  15 ++-
 drivers/pci/quirks.c                               |  20 ++++
 drivers/pinctrl/devicetree.c                       |   7 +-
 drivers/pinctrl/mvebu/pinctrl-armada-37xx.c        |   3 +-
 drivers/pinctrl/samsung/pinctrl-exynos-arm.c       |   4 +-
 drivers/platform/chrome/cros_ec_lpc.c              |  13 ++-
 drivers/pwm/pwm-lpss-platform.c                    |   5 +
 drivers/pwm/pwm-lpss.c                             |  30 +++++
 drivers/pwm/pwm-lpss.h                             |   2 +
 drivers/remoteproc/qcom_q6v5_pil.c                 |  10 +-
 drivers/rpmsg/qcom_smd.c                           |  18 +--
 drivers/rtc/rtc-sun6i.c                            |   4 +-
 drivers/s390/scsi/zfcp_dbf.c                       |  40 +++++++
 drivers/s390/scsi/zfcp_erp.c                       | 123 ++++++++++++++++-----
 drivers/s390/scsi/zfcp_ext.h                       |   5 +
 drivers/s390/scsi/zfcp_scsi.c                      |  18 ++-
 drivers/scsi/hpsa.c                                |  10 +-
 drivers/scsi/qla2xxx/qla_gs.c                      |   4 +-
 drivers/scsi/qla2xxx/qla_init.c                    |   3 +-
 drivers/scsi/qla2xxx/qla_isr.c                     |   8 +-
 drivers/scsi/qla2xxx/qla_target.c                  |   7 +-
 drivers/scsi/scsi_debug.c                          |   2 +-
 drivers/soc/rockchip/pm_domains.c                  |   2 +-
 drivers/thermal/broadcom/bcm2835_thermal.c         |   4 +-
 drivers/tty/serial/sh-sci.c                        |   8 +-
 drivers/usb/core/hub.c                             |   4 +-
 drivers/video/backlight/as3711_bl.c                |  33 ++++--
 drivers/video/backlight/max8925_bl.c               |   4 +-
 drivers/video/backlight/tps65217_bl.c              |   4 +-
 drivers/video/fbdev/uvesafb.c                      |   3 +-
 drivers/virt/vboxguest/vboxguest_linux.c           |   4 +-
 drivers/w1/w1.c                                    |   2 +-
 drivers/xen/events/events_base.c                   |   2 -
 fs/btrfs/inode.c                                   |   4 +-
 fs/f2fs/checkpoint.c                               |   4 +-
 fs/f2fs/inode.c                                    |   4 +-
 fs/f2fs/segment.c                                  |   3 +
 fs/f2fs/segment.h                                  |   1 +
 fs/fuse/control.c                                  |  13 ++-
 fs/fuse/dev.c                                      |   3 +-
 fs/fuse/dir.c                                      |  13 ++-
 fs/fuse/inode.c                                    |   1 +
 fs/nfs/callback_proc.c                             |   7 +-
 fs/nfs/nfs4idmap.c                                 |   5 +-
 fs/nfs/nfs4proc.c                                  |   2 +-
 fs/nfsd/nfs4xdr.c                                  |   5 +-
 fs/ubifs/journal.c                                 |   5 +-
 fs/udf/directory.c                                 |   3 +
 include/dt-bindings/clock/aspeed-clock.h           |   2 +-
 include/linux/blkdev.h                             |   4 +-
 include/linux/compiler.h                           |   2 +-
 include/linux/memory.h                             |   1 +
 include/linux/slub_def.h                           |   4 +
 include/rdma/ib_verbs.h                            |  27 ++++-
 include/rdma/rdma_vt.h                             |   2 +-
 kernel/locking/rwsem.c                             |   1 +
 kernel/printk/printk_safe.c                        |   5 +-
 kernel/softirq.c                                   |   6 +-
 kernel/time/time.c                                 |   6 +-
 kernel/trace/trace_events_filter.c                 |  10 +-
 lib/Kconfig.kasan                                  |   1 +
 lib/vsprintf.c                                     |   3 -
 mm/gup.c                                           |  36 ++++--
 mm/ksm.c                                           |  14 ++-
 mm/slab_common.c                                   |   4 +
 mm/slub.c                                          |   7 +-
 net/sunrpc/xprtrdma/rpc_rdma.c                     |   2 +-
 security/selinux/selinuxfs.c                       |  78 ++++++-------
 sound/core/timer.c                                 |   2 +-
 sound/pci/hda/hda_codec.c                          |   5 +-
 sound/pci/hda/hda_codec.h                          |   1 +
 sound/pci/hda/patch_hdmi.c                         |   5 +
 sound/pci/hda/patch_realtek.c                      |  20 +++-
 sound/soc/cirrus/edb93xx.c                         |   2 +-
 sound/soc/cirrus/ep93xx-i2s.c                      |  26 +++--
 sound/soc/cirrus/snappercl15.c                     |   2 +-
 sound/soc/codecs/cs35l35.c                         |   1 +
 .../soc/mediatek/common/mtk-afe-platform-driver.c  |   4 +-
 sound/soc/soc-dapm.c                               |   2 +
 tools/perf/util/dso.c                              |   2 +
 .../perf/util/intel-pt-decoder/intel-pt-decoder.c  |  23 +++-
 .../perf/util/intel-pt-decoder/intel-pt-decoder.h  |   9 ++
 .../util/intel-pt-decoder/intel-pt-pkt-decoder.c   |   2 +-
 tools/perf/util/intel-pt.c                         |   5 +
 tools/testing/selftests/ftrace/test.d/functions    |  21 +++-
 232 files changed, 1706 insertions(+), 756 deletions(-)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 001/220] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 002/220] x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Dan Williams,
	Thomas Gleixner, Linus Torvalds, Peter Zijlstra, Ingo Molnar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>

commit eab6870fee877258122a042bfd99ee7908c40280 upstream.

Mark Rutland noticed that GCC optimization passes have the potential to elide
necessary invocations of the array_index_mask_nospec() instruction sequence,
so mark the asm() volatile.

Mark explains:

"The volatile will inhibit *some* cases where the compiler could lift the
 array_index_nospec() call out of a branch, e.g. where there are multiple
 invocations of array_index_nospec() with the same arguments:

        if (idx < foo) {
                idx1 = array_idx_nospec(idx, foo)
                do_something(idx1);
        }

        < some other code >

        if (idx < foo) {
                idx2 = array_idx_nospec(idx, foo);
                do_something_else(idx2);
        }

 ... since the compiler can determine that the two invocations yield the same
 result, and reuse the first result (likely the same register as idx was in
 originally) for the second branch, effectively re-writing the above as:

        if (idx < foo) {
                idx = array_idx_nospec(idx, foo);
                do_something(idx);
        }

        < some other code >

        if (idx < foo) {
                do_something_else(idx);
        }

 ... if we don't take the first branch, then speculatively take the second, we
 lose the nospec protection.

 There's more info on volatile asm in the GCC docs:

   https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html#Volatile
 "

Reported-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Fixes: babdde2698d4 ("x86: Implement array_index_mask_nospec")
Link: https://lkml.kernel.org/lkml/152838798950.14521.4893346294059739135.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/barrier.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/barrier.h
+++ b/arch/x86/include/asm/barrier.h
@@ -38,7 +38,7 @@ static inline unsigned long array_index_
 {
 	unsigned long mask;
 
-	asm ("cmp %1,%2; sbb %0,%0;"
+	asm volatile ("cmp %1,%2; sbb %0,%0;"
 			:"=r" (mask)
 			:"g"(size),"r" (index)
 			:"cc");



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 002/220] x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 001/220] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec() Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 003/220] x86/platform/UV: Add adjustable set memory block size function Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Woods, Juergen Gross,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, boris.ostrovsky,
	xen-devel, Ingo Molnar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit 74899d92e66663dc7671a8017b3146dcd4735f3b upstream.

Commit:

  1f50ddb4f418 ("x86/speculation: Handle HT correctly on AMD")

... added speculative_store_bypass_ht_init() to the per-CPU initialization sequence.

speculative_store_bypass_ht_init() needs to be called on each CPU for
PV guests, too.

Reported-by: Brian Woods <brian.woods@amd.com>
Tested-by: Brian Woods <brian.woods@amd.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Cc: <stable@vger.kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: boris.ostrovsky@oracle.com
Cc: xen-devel@lists.xenproject.org
Fixes: 1f50ddb4f4189243c05926b842dc1a0332195f31 ("x86/speculation: Handle HT correctly on AMD")
Link: https://lore.kernel.org/lkml/20180621084331.21228-1-jgross@suse.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/xen/smp_pv.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/x86/xen/smp_pv.c
+++ b/arch/x86/xen/smp_pv.c
@@ -32,6 +32,7 @@
 #include <xen/interface/vcpu.h>
 #include <xen/interface/xenpmu.h>
 
+#include <asm/spec-ctrl.h>
 #include <asm/xen/interface.h>
 #include <asm/xen/hypercall.h>
 
@@ -70,6 +71,8 @@ static void cpu_bringup(void)
 	cpu_data(cpu).x86_max_cores = 1;
 	set_cpu_sibling_map(cpu);
 
+	speculative_store_bypass_ht_init();
+
 	xen_setup_cpu_clockevents();
 
 	notify_cpu_starting(cpu);
@@ -250,6 +253,8 @@ static void __init xen_pv_smp_prepare_cp
 	}
 	set_cpu_sibling_map(0);
 
+	speculative_store_bypass_ht_init();
+
 	xen_pmu_init(0);
 
 	if (xen_smp_intr_init(0) || xen_smp_intr_init_pv(0))



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 003/220] x86/platform/UV: Add adjustable set memory block size function
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 001/220] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec() Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 002/220] x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 004/220] x86/platform/UV: Use new " Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Travis, Andrew Banman,
	Andrew Morton, Dimitri Sivanich, Linus Torvalds, Peter Zijlstra,
	Russ Anderson, Thomas Gleixner, dan.j.williams, jgross,
	kirill.shutemov, mhocko, Ingo Molnar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: mike.travis@hpe.com <mike.travis@hpe.com>

commit f642fb5864a6e3645edce6f85ffe7b44d5e9b990 upstream.

Add a new function to "adjust" the current fixed UV memory block size
of 2GB so it can be changed to a different physical boundary.  This is
out of necessity so arch dependent code can accommodate specific BIOS
requirements which can align these new PMEM modules at less than the
default boundaries.

A "set order" type of function was used to insure that the memory block
size will be a power of two value without requiring a validity check.
64GB was chosen as the upper limit for memory block size values to
accommodate upcoming 4PB systems which have 6 more bits of physical
address space (46 becoming 52).

Signed-off-by: Mike Travis <mike.travis@hpe.com>
Reviewed-by: Andrew Banman <andrew.banman@hpe.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Russ Anderson <russ.anderson@hpe.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dan.j.williams@intel.com
Cc: jgross@suse.com
Cc: kirill.shutemov@linux.intel.com
Cc: mhocko@suse.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/lkml/20180524201711.609546602@stormcage.americas.sgi.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/init_64.c  |   20 ++++++++++++++++----
 include/linux/memory.h |    1 +
 2 files changed, 17 insertions(+), 4 deletions(-)

--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1350,16 +1350,28 @@ int kern_addr_valid(unsigned long addr)
 /* Amount of ram needed to start using large blocks */
 #define MEM_SIZE_FOR_LARGE_BLOCK (64UL << 30)
 
+/* Adjustable memory block size */
+static unsigned long set_memory_block_size;
+int __init set_memory_block_size_order(unsigned int order)
+{
+	unsigned long size = 1UL << order;
+
+	if (size > MEM_SIZE_FOR_LARGE_BLOCK || size < MIN_MEMORY_BLOCK_SIZE)
+		return -EINVAL;
+
+	set_memory_block_size = size;
+	return 0;
+}
+
 static unsigned long probe_memory_block_size(void)
 {
 	unsigned long boot_mem_end = max_pfn << PAGE_SHIFT;
 	unsigned long bz;
 
-	/* If this is UV system, always set 2G block size */
-	if (is_uv_system()) {
-		bz = MAX_BLOCK_SIZE;
+	/* If memory block size has been set, then use it */
+	bz = set_memory_block_size;
+	if (bz)
 		goto done;
-	}
 
 	/* Use regular block if RAM is smaller than MEM_SIZE_FOR_LARGE_BLOCK */
 	if (boot_mem_end < MEM_SIZE_FOR_LARGE_BLOCK) {
--- a/include/linux/memory.h
+++ b/include/linux/memory.h
@@ -38,6 +38,7 @@ struct memory_block {
 
 int arch_get_memory_phys_device(unsigned long start_pfn);
 unsigned long memory_block_size_bytes(void);
+int set_memory_block_size_order(unsigned int order);
 
 /* These states are exposed to userspace as text strings in sysfs */
 #define	MEM_ONLINE		(1<<0) /* exposed to userspace */



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 004/220] x86/platform/UV: Use new set memory block size function
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 003/220] x86/platform/UV: Add adjustable set memory block size function Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 005/220] x86/platform/UV: Add kernel parameter to set memory block size Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Travis, Andrew Banman,
	Andrew Morton, Dimitri Sivanich, Linus Torvalds, Peter Zijlstra,
	Russ Anderson, Thomas Gleixner, dan.j.williams, jgross,
	kirill.shutemov, mhocko, Ingo Molnar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: mike.travis@hpe.com <mike.travis@hpe.com>

commit bbbd2b51a2aa0d76b3676271e216cf3647773397 upstream.

Add a call to the new function to "adjust" the current fixed UV memory
block size of 2GB so it can be changed to a different physical boundary.
This accommodates changes in the Intel BIOS, and therefore UV BIOS,
which now can align boundaries different than the previous UV standard
of 2GB.  It also flags any UV Global Address boundaries from BIOS that
cause a change in the mem block size (boundary).

The current boundary of 2GB has been used on UV since the first system
release in 2009 with Linux 2.6 and has worked fine.  But the new NVDIMM
persistent memory modules (PMEM), along with the Intel BIOS changes to
support these modules caused the memory block size boundary to be set
to a lower limit.  Intel only guarantees that this minimum boundary at
64MB though the current Linux limit is 128MB.

Note that the default remains 2GB if no changes occur.

Signed-off-by: Mike Travis <mike.travis@hpe.com>
Reviewed-by: Andrew Banman <andrew.banman@hpe.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Russ Anderson <russ.anderson@hpe.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dan.j.williams@intel.com
Cc: jgross@suse.com
Cc: kirill.shutemov@linux.intel.com
Cc: mhocko@suse.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/lkml/20180524201711.732785782@stormcage.americas.sgi.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/apic/x2apic_uv_x.c |   49 ++++++++++++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/apic/x2apic_uv_x.c
+++ b/arch/x86/kernel/apic/x2apic_uv_x.c
@@ -26,6 +26,7 @@
 #include <linux/delay.h>
 #include <linux/crash_dump.h>
 #include <linux/reboot.h>
+#include <linux/memory.h>
 
 #include <asm/uv/uv_mmrs.h>
 #include <asm/uv/uv_hub.h>
@@ -392,6 +393,40 @@ extern int uv_hub_info_version(void)
 }
 EXPORT_SYMBOL(uv_hub_info_version);
 
+/* Default UV memory block size is 2GB */
+static unsigned long mem_block_size = (2UL << 30);
+
+static __init int adj_blksize(u32 lgre)
+{
+	unsigned long base = (unsigned long)lgre << UV_GAM_RANGE_SHFT;
+	unsigned long size;
+
+	for (size = mem_block_size; size > MIN_MEMORY_BLOCK_SIZE; size >>= 1)
+		if (IS_ALIGNED(base, size))
+			break;
+
+	if (size >= mem_block_size)
+		return 0;
+
+	mem_block_size = size;
+	return 1;
+}
+
+static __init void set_block_size(void)
+{
+	unsigned int order = ffs(mem_block_size);
+
+	if (order) {
+		/* adjust for ffs return of 1..64 */
+		set_memory_block_size_order(order - 1);
+		pr_info("UV: mem_block_size set to 0x%lx\n", mem_block_size);
+	} else {
+		/* bad or zero value, default to 1UL << 31 (2GB) */
+		pr_err("UV: mem_block_size error with 0x%lx\n", mem_block_size);
+		set_memory_block_size_order(31);
+	}
+}
+
 /* Build GAM range lookup table: */
 static __init void build_uv_gr_table(void)
 {
@@ -1180,23 +1215,30 @@ static void __init decode_gam_rng_tbl(un
 					<< UV_GAM_RANGE_SHFT);
 		int order = 0;
 		char suffix[] = " KMGTPE";
+		int flag = ' ';
 
 		while (size > 9999 && order < sizeof(suffix)) {
 			size /= 1024;
 			order++;
 		}
 
+		/* adjust max block size to current range start */
+		if (gre->type == 1 || gre->type == 2)
+			if (adj_blksize(lgre))
+				flag = '*';
+
 		if (!index) {
 			pr_info("UV: GAM Range Table...\n");
-			pr_info("UV:  # %20s %14s %5s %4s %5s %3s %2s\n", "Range", "", "Size", "Type", "NASID", "SID", "PN");
+			pr_info("UV:  # %20s %14s %6s %4s %5s %3s %2s\n", "Range", "", "Size", "Type", "NASID", "SID", "PN");
 		}
-		pr_info("UV: %2d: 0x%014lx-0x%014lx %5lu%c %3d   %04x  %02x %02x\n",
+		pr_info("UV: %2d: 0x%014lx-0x%014lx%c %5lu%c %3d   %04x  %02x %02x\n",
 			index++,
 			(unsigned long)lgre << UV_GAM_RANGE_SHFT,
 			(unsigned long)gre->limit << UV_GAM_RANGE_SHFT,
-			size, suffix[order],
+			flag, size, suffix[order],
 			gre->type, gre->nasid, gre->sockid, gre->pnode);
 
+		/* update to next range start */
 		lgre = gre->limit;
 		if (sock_min > gre->sockid)
 			sock_min = gre->sockid;
@@ -1427,6 +1469,7 @@ static void __init uv_system_init_hub(vo
 
 	build_socket_tables();
 	build_uv_gr_table();
+	set_block_size();
 	uv_init_hub_info(&hub_info);
 	uv_possible_blades = num_possible_nodes();
 	if (!_node_to_pnode)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 005/220] x86/platform/UV: Add kernel parameter to set memory block size
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 004/220] x86/platform/UV: Use new " Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 006/220] x86/mce: Improve error message when kernel cannot recover Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Travis, Andrew Banman,
	Andrew Morton, Dimitri Sivanich, Linus Torvalds, Peter Zijlstra,
	Russ Anderson, Thomas Gleixner, dan.j.williams, jgross,
	kirill.shutemov, mhocko, Ingo Molnar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: mike.travis@hpe.com <mike.travis@hpe.com>

commit d7609f4210cb716c11abfe2bfb5997191095d00b upstream.

Add a kernel parameter that allows setting UV memory block size.  This
is to provide an adjustment for new forms of PMEM and other DIMM memory
that might require alignment restrictions other than scanning the global
address table for the required minimum alignment.  The value set will be
further adjusted by both the GAM range table scan as well as restrictions
imposed by set_memory_block_size_order().

Signed-off-by: Mike Travis <mike.travis@hpe.com>
Reviewed-by: Andrew Banman <andrew.banman@hpe.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Russ Anderson <russ.anderson@hpe.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dan.j.williams@intel.com
Cc: jgross@suse.com
Cc: kirill.shutemov@linux.intel.com
Cc: mhocko@suse.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/lkml/20180524201711.854849120@stormcage.americas.sgi.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/apic/x2apic_uv_x.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/arch/x86/kernel/apic/x2apic_uv_x.c
+++ b/arch/x86/kernel/apic/x2apic_uv_x.c
@@ -396,6 +396,17 @@ EXPORT_SYMBOL(uv_hub_info_version);
 /* Default UV memory block size is 2GB */
 static unsigned long mem_block_size = (2UL << 30);
 
+/* Kernel parameter to specify UV mem block size */
+static int parse_mem_block_size(char *ptr)
+{
+	unsigned long size = memparse(ptr, NULL);
+
+	/* Size will be rounded down by set_block_size() below */
+	mem_block_size = size;
+	return 0;
+}
+early_param("uv_memblksize", parse_mem_block_size);
+
 static __init int adj_blksize(u32 lgre)
 {
 	unsigned long base = (unsigned long)lgre << UV_GAM_RANGE_SHFT;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 006/220] x86/mce: Improve error message when kernel cannot recover
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 005/220] x86/platform/UV: Add kernel parameter to set memory block size Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 007/220] x86/mce: Check for alternate indication of machine check recovery on Skylake Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Luck, Thomas Gleixner,
	Qiuxu Zhuo, Ashok Raj, Dan Williams, Borislav Petkov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Luck <tony.luck@intel.com>

commit c7d606f560e4c698884697fef503e4abacdd8c25 upstream.

Since we added support to add recovery from some errors inside the kernel in:

commit b2f9d678e28c ("x86/mce: Check for faults tagged in EXTABLE_CLASS_FAULT exception table entries")

we have done a less than stellar job at reporting the cause of recoverable
machine checks that occur in other parts of the kernel. The user just gets
the unhelpful message:

	mce: [Hardware Error]: Machine check: Action required: unknown MCACOD

doubly unhelpful when they check the manual for the reported IA32_MSR_STATUS.MCACOD
and see that it is listed as one of the standard recoverable values.

Add an extra rule to the MCE severity table to catch this case and report it
as:

	mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel

Fixes: b2f9d678e28c ("x86/mce: Check for faults tagged in EXTABLE_CLASS_FAULT exception table entries")
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Cc: Ashok Raj <ashok.raj@intel.com>
Cc: stable@vger.kernel.org # 4.6+
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/4cc7c465150a9a48b8b9f45d0b840278e77eb9b5.1527283897.git.tony.luck@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/mcheck/mce-severity.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/x86/kernel/cpu/mcheck/mce-severity.c
+++ b/arch/x86/kernel/cpu/mcheck/mce-severity.c
@@ -160,6 +160,11 @@ static struct severity {
 		SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_INSTR),
 		USER
 		),
+	MCESEV(
+		PANIC, "Data load in unrecoverable area of kernel",
+		SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_DATA),
+		KERNEL
+		),
 #endif
 	MCESEV(
 		PANIC, "Action required: unknown MCACOD",



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 007/220] x86/mce: Check for alternate indication of machine check recovery on Skylake
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 006/220] x86/mce: Improve error message when kernel cannot recover Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 008/220] x86/mce: Fix incorrect "Machine check from unknown source" message Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Luck, Thomas Gleixner,
	Qiuxu Zhuo, Ashok Raj, Dan Williams, Borislav Petkov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Luck <tony.luck@intel.com>

commit 4c5717da1d021cf368eabb3cb1adcaead56c0d1e upstream.

Currently we just check the "CAPID0" register to see whether the CPU
can recover from machine checks.

But there are also some special SKUs which do not have all advanced
RAS features, but do enable machine check recovery for use with NVDIMMs.

Add a check for any of bits {8:5} in the "CAPID5" register (each
reports some NVDIMM mode available, if any of them are set, then
the system supports memory machine check recovery).

Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Cc: Ashok Raj <ashok.raj@intel.com>
Cc: stable@vger.kernel.org # 4.9
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/03cbed6e99ddafb51c2eadf9a3b7c8d7a0cc204e.1527283897.git.tony.luck@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/quirks.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/quirks.c
+++ b/arch/x86/kernel/quirks.c
@@ -645,12 +645,19 @@ static void quirk_intel_brickland_xeon_r
 /* Skylake */
 static void quirk_intel_purley_xeon_ras_cap(struct pci_dev *pdev)
 {
-	u32 capid0;
+	u32 capid0, capid5;
 
 	pci_read_config_dword(pdev, 0x84, &capid0);
+	pci_read_config_dword(pdev, 0x98, &capid5);
 
-	if ((capid0 & 0xc0) == 0xc0)
+	/*
+	 * CAPID0{7:6} indicate whether this is an advanced RAS SKU
+	 * CAPID5{8:5} indicate that various NVDIMM usage modes are
+	 * enabled, so memory machine check recovery is also enabled.
+	 */
+	if ((capid0 & 0xc0) == 0xc0 || (capid5 & 0x1e0))
 		static_branch_inc(&mcsafe_key);
+
 }
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x0ec3, quirk_intel_brickland_xeon_ras_cap);
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x2fc0, quirk_intel_brickland_xeon_ras_cap);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 008/220] x86/mce: Fix incorrect "Machine check from unknown source" message
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 007/220] x86/mce: Check for alternate indication of machine check recovery on Skylake Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 009/220] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out() Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Luck, Borislav Petkov,
	Thomas Gleixner, Ashok Raj, Dan Williams, Qiuxu Zhuo, linux-edac

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Luck <tony.luck@intel.com>

commit 40c36e2741d7fe1e66d6ec55477ba5fd19c9c5d2 upstream.

Some injection testing resulted in the following console log:

  mce: [Hardware Error]: CPU 22: Machine Check Exception: f Bank 1: bd80000000100134
  mce: [Hardware Error]: RIP 10:<ffffffffc05292dd> {pmem_do_bvec+0x11d/0x330 [nd_pmem]}
  mce: [Hardware Error]: TSC c51a63035d52 ADDR 3234bc4000 MISC 88
  mce: [Hardware Error]: PROCESSOR 0:50654 TIME 1526502199 SOCKET 0 APIC 38 microcode 2000043
  mce: [Hardware Error]: Run the above through 'mcelog --ascii'
  Kernel panic - not syncing: Machine check from unknown source

This confused everybody because the first line quite clearly shows
that we found a logged error in "Bank 1", while the last line says
"unknown source".

The problem is that the Linux code doesn't do the right thing
for a local machine check that results in a fatal error.

It turns out that we know very early in the handler whether the
machine check is fatal. The call to mce_no_way_out() has checked
all the banks for the CPU that took the local machine check. If
it says we must crash, we can do so right away with the right
messages.

We do scan all the banks again. This means that we might initially
not see a problem, but during the second scan find something fatal.
If this happens we print a slightly different message (so I can
see if it actually every happens).

[ bp: Remove unneeded severity assignment. ]

Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Ashok Raj <ashok.raj@intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: stable@vger.kernel.org # 4.2
Link: http://lkml.kernel.org/r/52e049a497e86fd0b71c529651def8871c804df0.1527283897.git.tony.luck@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/mcheck/mce.c |   26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -1205,13 +1205,18 @@ void do_machine_check(struct pt_regs *re
 		lmce = m.mcgstatus & MCG_STATUS_LMCES;
 
 	/*
+	 * Local machine check may already know that we have to panic.
+	 * Broadcast machine check begins rendezvous in mce_start()
 	 * Go through all banks in exclusion of the other CPUs. This way we
 	 * don't report duplicated events on shared banks because the first one
-	 * to see it will clear it. If this is a Local MCE, then no need to
-	 * perform rendezvous.
+	 * to see it will clear it.
 	 */
-	if (!lmce)
+	if (lmce) {
+		if (no_way_out)
+			mce_panic("Fatal local machine check", &m, msg);
+	} else {
 		order = mce_start(&no_way_out);
+	}
 
 	for (i = 0; i < cfg->banks; i++) {
 		__clear_bit(i, toclear);
@@ -1287,12 +1292,17 @@ void do_machine_check(struct pt_regs *re
 			no_way_out = worst >= MCE_PANIC_SEVERITY;
 	} else {
 		/*
-		 * Local MCE skipped calling mce_reign()
-		 * If we found a fatal error, we need to panic here.
+		 * If there was a fatal machine check we should have
+		 * already called mce_panic earlier in this function.
+		 * Since we re-read the banks, we might have found
+		 * something new. Check again to see if we found a
+		 * fatal error. We call "mce_severity()" again to
+		 * make sure we have the right "msg".
 		 */
-		 if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3)
-			mce_panic("Machine check from unknown source",
-				NULL, NULL);
+		if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) {
+			mce_severity(&m, cfg->tolerant, &msg, true);
+			mce_panic("Local fatal machine check!", &m, msg);
+		}
 	}
 
 	/*



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 009/220] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 008/220] x86/mce: Fix incorrect "Machine check from unknown source" message Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 010/220] x86: Call fixup_exception() before notify_die() in math_error() Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Luck, Borislav Petkov, Thomas Gleixner

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit 1f74c8a64798e2c488f86efc97e308b85fb7d7aa upstream.

mce_no_way_out() does a quick check during #MC to see whether some of
the MCEs logged would require the kernel to panic immediately. And it
passes a struct mce where MCi_STATUS gets written.

However, after having saved a valid status value, the next iteration
of the loop which goes over the MCA banks on the CPU, overwrites the
valid status value because we're using struct mce as storage instead of
a temporary variable.

Which leads to MCE records with an empty status value:

  mce: [Hardware Error]: CPU 0: Machine Check Exception: 6 Bank 0: 0000000000000000
  mce: [Hardware Error]: RIP 10:<ffffffffbd42fbd7> {trigger_mce+0x7/0x10}

In order to prevent the loss of the status register value, return
immediately when severity is a panic one so that we can panic
immediately with the first fatal MCE logged. This is also the intention
of this function and not to noodle over the banks while a fatal MCE is
already logged.

Tony: read the rest of the MCA bank to populate the struct mce fully.

Suggested-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20180622095428.626-8-bp@alien8.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/mcheck/mce.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -772,23 +772,25 @@ EXPORT_SYMBOL_GPL(machine_check_poll);
 static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp,
 			  struct pt_regs *regs)
 {
-	int i, ret = 0;
 	char *tmp;
+	int i;
 
 	for (i = 0; i < mca_cfg.banks; i++) {
 		m->status = mce_rdmsrl(msr_ops.status(i));
-		if (m->status & MCI_STATUS_VAL) {
-			__set_bit(i, validp);
-			if (quirk_no_way_out)
-				quirk_no_way_out(i, m, regs);
-		}
+		if (!(m->status & MCI_STATUS_VAL))
+			continue;
+
+		__set_bit(i, validp);
+		if (quirk_no_way_out)
+			quirk_no_way_out(i, m, regs);
 
 		if (mce_severity(m, mca_cfg.tolerant, &tmp, true) >= MCE_PANIC_SEVERITY) {
+			mce_read_aux(m, i);
 			*msg = tmp;
-			ret = 1;
+			return 1;
 		}
 	}
-	return ret;
+	return 0;
 }
 
 /*



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 010/220] x86: Call fixup_exception() before notify_die() in math_error()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 009/220] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out() Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 011/220] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Siarhei Liakh, Thomas Gleixner,
	Andy Lutomirski, H. Peter Anvin, Borislav Petkov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siarhei Liakh <Siarhei.Liakh@concurrent-rt.com>

commit 3ae6295ccb7cf6d344908209701badbbbb503e40 upstream.

fpu__drop() has an explicit fwait which under some conditions can trigger a
fixable FPU exception while in kernel. Thus, we should attempt to fixup the
exception first, and only call notify_die() if the fixup failed just like
in do_general_protection(). The original call sequence incorrectly triggers
KDB entry on debug kernels under particular FPU-intensive workloads.

Andy noted, that this makes the whole conditional irq enable thing even
more inconsistent, but fixing that it outside the scope of this.

Signed-off-by: Siarhei Liakh <siarhei.liakh@concurrent-rt.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Borislav  Petkov" <bpetkov@suse.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/DM5PR11MB201156F1CAB2592B07C79A03B17D0@DM5PR11MB2011.namprd11.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/traps.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -834,16 +834,18 @@ static void math_error(struct pt_regs *r
 	char *str = (trapnr == X86_TRAP_MF) ? "fpu exception" :
 						"simd exception";
 
-	if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, SIGFPE) == NOTIFY_STOP)
-		return;
 	cond_local_irq_enable(regs);
 
 	if (!user_mode(regs)) {
-		if (!fixup_exception(regs, trapnr)) {
-			task->thread.error_code = error_code;
-			task->thread.trap_nr = trapnr;
+		if (fixup_exception(regs, trapnr))
+			return;
+
+		task->thread.error_code = error_code;
+		task->thread.trap_nr = trapnr;
+
+		if (notify_die(DIE_TRAP, str, regs, error_code,
+					trapnr, SIGFPE) != NOTIFY_STOP)
 			die(str, regs, error_code);
-		}
 		return;
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 011/220] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 010/220] x86: Call fixup_exception() before notify_die() in math_error() Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 012/220] m68k/mac: Fix SWIM memory resource end address Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Schmitz, Geert Uytterhoeven

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Schmitz <schmitzmic@gmail.com>

commit 3f90f9ef2dda316d64e420d5d51ba369587ccc55 upstream.

If 020/030 support is enabled, get_io_area() leaves an IO_SIZE gap
between mappings which is added to the vm_struct representing the
mapping.  __ioremap() uses the actual requested size (after alignment),
while __iounmap() is passed the size from the vm_struct.

On 020/030, early termination descriptors are used to set up mappings of
extent 'size', which are validated on unmapping. The unmapped gap of
size IO_SIZE defeats the sanity check of the pmd tables, causing
__iounmap() to loop forever on 030.

On 040/060, unmapping of page table entries does not check for a valid
mapping, so the umapping loop always completes there.

Adjust size to be unmapped by the gap that had been added in the
vm_struct prior.

This fixes the hang in atari_platform_init() reported a long time ago,
and a similar one reported by Finn recently (addressed by removing
ioremap() use from the SWIM driver.

Tested on my Falcon in 030 mode - untested but should work the same on
040/060 (the extra page tables cleared there would never have been set
up anyway).

Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
[geert: Minor commit description improvements]
[geert: This was fixed in 2.4.23, but not in 2.5.x]
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/m68k/mm/kmap.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/m68k/mm/kmap.c
+++ b/arch/m68k/mm/kmap.c
@@ -89,7 +89,8 @@ static inline void free_io_area(void *ad
 	for (p = &iolist ; (tmp = *p) ; p = &tmp->next) {
 		if (tmp->addr == addr) {
 			*p = tmp->next;
-			__iounmap(tmp->addr, tmp->size);
+			/* remove gap added in get_io_area() */
+			__iounmap(tmp->addr, tmp->size - IO_SIZE);
 			kfree(tmp);
 			return;
 		}



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 012/220] m68k/mac: Fix SWIM memory resource end address
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 011/220] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 013/220] platform/chrome: cros_ec_lpc: do not try DMI match when ACPI device found Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laurent Vivier, Stan Johnson,
	Finn Thain, Geert Uytterhoeven

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit 3e2816c1078eb2b5a3276eb83d4da156b3e2d04f upstream.

The resource size is 0x2000 == end - start + 1.
Therefore end == start + 0x2000 - 1.

Cc: Laurent Vivier <lvivier@redhat.com>
Cc: stable@vger.kernel.org # v4.14+
Tested-by: Stan Johnson <userm57@yahoo.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Acked-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/m68k/mac/config.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/m68k/mac/config.c
+++ b/arch/m68k/mac/config.c
@@ -1005,7 +1005,7 @@ int __init mac_platform_init(void)
 		struct resource swim_rsrc = {
 			.flags = IORESOURCE_MEM,
 			.start = (resource_size_t)swim_base,
-			.end   = (resource_size_t)swim_base + 0x2000,
+			.end   = (resource_size_t)swim_base + 0x1FFF,
 		};
 
 		platform_device_register_simple("swim", -1, &swim_rsrc, 1);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 013/220] platform/chrome: cros_ec_lpc: do not try DMI match when ACPI device found
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 012/220] m68k/mac: Fix SWIM memory resource end address Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 014/220] hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Torokhov, Benson Leung

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit b410b1226620b6c959f1e9c87529acd058e90caf upstream.

Older models of Chromebooks did not describe the LPC EC in their ACPI
tables; starting with Strago-based devices Google is using GOOG0004 device
to describe EC LPC.

DMI-based match is fragile and does not work reliably, especially when
using custom firmware. It is also not needed when we can locate the right
ACPI device, so let's stop bailing out when DMI does not match but the
right ACPI device is present.

Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/chrome/cros_ec_lpc.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/platform/chrome/cros_ec_lpc.c
+++ b/drivers/platform/chrome/cros_ec_lpc.c
@@ -435,7 +435,13 @@ static int __init cros_ec_lpc_init(void)
 	int ret;
 	acpi_status status;
 
-	if (!dmi_check_system(cros_ec_lpc_dmi_table)) {
+	status = acpi_get_devices(ACPI_DRV_NAME, cros_ec_lpc_parse_device,
+				  &cros_ec_lpc_acpi_device_found, NULL);
+	if (ACPI_FAILURE(status))
+		pr_warn(DRV_NAME ": Looking for %s failed\n", ACPI_DRV_NAME);
+
+	if (!cros_ec_lpc_acpi_device_found &&
+	    !dmi_check_system(cros_ec_lpc_dmi_table)) {
 		pr_err(DRV_NAME ": unsupported system.\n");
 		return -ENODEV;
 	}
@@ -450,11 +456,6 @@ static int __init cros_ec_lpc_init(void)
 		return ret;
 	}
 
-	status = acpi_get_devices(ACPI_DRV_NAME, cros_ec_lpc_parse_device,
-				  &cros_ec_lpc_acpi_device_found, NULL);
-	if (ACPI_FAILURE(status))
-		pr_warn(DRV_NAME ": Looking for %s failed\n", ACPI_DRV_NAME);
-
 	if (!cros_ec_lpc_acpi_device_found) {
 		/* Register the device, and it'll get hooked up automatically */
 		ret = platform_device_register(&cros_ec_lpc_device);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 014/220] hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 013/220] platform/chrome: cros_ec_lpc: do not try DMI match when ACPI device found Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 015/220] mtd: spi-nor: intel-spi: Fix atomic sequence handling Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gabriel Craciunescu, Guenter Roeck

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit ccaf63b4d6eaf3447037cefbb0b1038fa80c6639 upstream.

Add support for Stoney Ridge and Bristol Ridge (Family 15h Model 0x70)
CPUs. Registers match those of Family 15h Model 0x60.

Cc: stable@vger.kernel.org # v4.16+
Tested-by: Gabriel Craciunescu <nix.or.die@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/k10temp.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/hwmon/k10temp.c
+++ b/drivers/hwmon/k10temp.c
@@ -37,6 +37,10 @@ MODULE_PARM_DESC(force, "force loading o
 /* Provide lock for writing to NB_SMU_IND_ADDR */
 static DEFINE_MUTEX(nb_smu_ind_mutex);
 
+#ifndef PCI_DEVICE_ID_AMD_15H_M70H_NB_F3
+#define PCI_DEVICE_ID_AMD_15H_M70H_NB_F3	0x15b3
+#endif
+
 #ifndef PCI_DEVICE_ID_AMD_17H_DF_F3
 #define PCI_DEVICE_ID_AMD_17H_DF_F3	0x1463
 #endif
@@ -320,6 +324,7 @@ static const struct pci_device_id k10tem
 	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_15H_M10H_F3) },
 	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_15H_M30H_NB_F3) },
 	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_15H_M60H_NB_F3) },
+	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_15H_M70H_NB_F3) },
 	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) },
 	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) },
 	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_17H_DF_F3) },



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 015/220] mtd: spi-nor: intel-spi: Fix atomic sequence handling
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 014/220] hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 016/220] serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mika Westerberg, Marek Vasut,
	Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit c7d6a82d90e193b1e4daba957e3908f26306d491 upstream.

On many older systems using SW sequencer the PREOP_OPTYPE register
contains two preopcodes as following:

  PREOP_OPTYPE=0xf2785006

The last two bytes are the opcodes decoded to:

  0x50 - Write enable for volatile status register
  0x06 - Write enable

The former is used to modify volatile bits in the status register. For
non-volatile bits the latter is needed. Preopcodes are used in SW
sequencer to send one command "atomically" without anything else
interfering the transfer. The sequence that gets executed is:

  - Send preopcode (write enable) from PREOP_OPTYPE register
  - Send the actual SPI command
  - Poll busy bit in the status register (0x05, RDSR)

Commit 8c473dd61bb5 ("spi-nor: intel-spi: Don't assume OPMENU0/1 to be
programmed by BIOS") enabled atomic sequence handling but because both
preopcodes are programmed, the following happens:

  if (preop >> 8)
  	val |= SSFSTS_CTL_SPOP;

Since on these systems preop >> 8 == 0x50 we end up picking volatile
write enable instead. Because of this the actual write command is pretty
much NOP unless there is a WREN latched in the chip already.

Furthermore we should not really just assume that WREN was issued in
previous call to intel_spi_write_reg() because that might not be the
case.

This updates driver to first check that the opcode is actually available
in PREOP_OPTYPE register and if not return error back to the spi-nor
core (if the controller is not locked we program it now). In addition we
save the opcode to ispi->atomic_preopcode field which is checked in next
call to intel_spi_sw_cycle() to actually enable atomic sequence using
the requested preopcode.

Fixes: 8c473dd61bb5 ("spi-nor: intel-spi: Don't assume OPMENU0/1 to be programmed by BIOS")
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/spi-nor/intel-spi.c |   76 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 67 insertions(+), 9 deletions(-)

--- a/drivers/mtd/spi-nor/intel-spi.c
+++ b/drivers/mtd/spi-nor/intel-spi.c
@@ -136,6 +136,7 @@
  * @swseq_reg: Use SW sequencer in register reads/writes
  * @swseq_erase: Use SW sequencer in erase operation
  * @erase_64k: 64k erase supported
+ * @atomic_preopcode: Holds preopcode when atomic sequence is requested
  * @opcodes: Opcodes which are supported. This are programmed by BIOS
  *           before it locks down the controller.
  */
@@ -153,6 +154,7 @@ struct intel_spi {
 	bool swseq_reg;
 	bool swseq_erase;
 	bool erase_64k;
+	u8 atomic_preopcode;
 	u8 opcodes[8];
 };
 
@@ -474,7 +476,7 @@ static int intel_spi_sw_cycle(struct int
 			      int optype)
 {
 	u32 val = 0, status;
-	u16 preop;
+	u8 atomic_preopcode;
 	int ret;
 
 	ret = intel_spi_opcode_index(ispi, opcode, optype);
@@ -484,17 +486,42 @@ static int intel_spi_sw_cycle(struct int
 	if (len > INTEL_SPI_FIFO_SZ)
 		return -EINVAL;
 
+	/*
+	 * Always clear it after each SW sequencer operation regardless
+	 * of whether it is successful or not.
+	 */
+	atomic_preopcode = ispi->atomic_preopcode;
+	ispi->atomic_preopcode = 0;
+
 	/* Only mark 'Data Cycle' bit when there is data to be transferred */
 	if (len > 0)
 		val = ((len - 1) << SSFSTS_CTL_DBC_SHIFT) | SSFSTS_CTL_DS;
 	val |= ret << SSFSTS_CTL_COP_SHIFT;
 	val |= SSFSTS_CTL_FCERR | SSFSTS_CTL_FDONE;
 	val |= SSFSTS_CTL_SCGO;
-	preop = readw(ispi->sregs + PREOP_OPTYPE);
-	if (preop) {
-		val |= SSFSTS_CTL_ACS;
-		if (preop >> 8)
-			val |= SSFSTS_CTL_SPOP;
+	if (atomic_preopcode) {
+		u16 preop;
+
+		switch (optype) {
+		case OPTYPE_WRITE_NO_ADDR:
+		case OPTYPE_WRITE_WITH_ADDR:
+			/* Pick matching preopcode for the atomic sequence */
+			preop = readw(ispi->sregs + PREOP_OPTYPE);
+			if ((preop & 0xff) == atomic_preopcode)
+				; /* Do nothing */
+			else if ((preop >> 8) == atomic_preopcode)
+				val |= SSFSTS_CTL_SPOP;
+			else
+				return -EINVAL;
+
+			/* Enable atomic sequence */
+			val |= SSFSTS_CTL_ACS;
+			break;
+
+		default:
+			return -EINVAL;
+		}
+
 	}
 	writel(val, ispi->sregs + SSFSTS_CTL);
 
@@ -538,13 +565,31 @@ static int intel_spi_write_reg(struct sp
 
 	/*
 	 * This is handled with atomic operation and preop code in Intel
-	 * controller so skip it here now. If the controller is not locked,
-	 * program the opcode to the PREOP register for later use.
+	 * controller so we only verify that it is available. If the
+	 * controller is not locked, program the opcode to the PREOP
+	 * register for later use.
+	 *
+	 * When hardware sequencer is used there is no need to program
+	 * any opcodes (it handles them automatically as part of a command).
 	 */
 	if (opcode == SPINOR_OP_WREN) {
-		if (!ispi->locked)
+		u16 preop;
+
+		if (!ispi->swseq_reg)
+			return 0;
+
+		preop = readw(ispi->sregs + PREOP_OPTYPE);
+		if ((preop & 0xff) != opcode && (preop >> 8) != opcode) {
+			if (ispi->locked)
+				return -EINVAL;
 			writel(opcode, ispi->sregs + PREOP_OPTYPE);
+		}
 
+		/*
+		 * This enables atomic sequence on next SW sycle. Will
+		 * be cleared after next operation.
+		 */
+		ispi->atomic_preopcode = opcode;
 		return 0;
 	}
 
@@ -569,6 +614,13 @@ static ssize_t intel_spi_read(struct spi
 	u32 val, status;
 	ssize_t ret;
 
+	/*
+	 * Atomic sequence is not expected with HW sequencer reads. Make
+	 * sure it is cleared regardless.
+	 */
+	if (WARN_ON_ONCE(ispi->atomic_preopcode))
+		ispi->atomic_preopcode = 0;
+
 	switch (nor->read_opcode) {
 	case SPINOR_OP_READ:
 	case SPINOR_OP_READ_FAST:
@@ -627,6 +679,9 @@ static ssize_t intel_spi_write(struct sp
 	u32 val, status;
 	ssize_t ret;
 
+	/* Not needed with HW sequencer write, make sure it is cleared */
+	ispi->atomic_preopcode = 0;
+
 	while (len > 0) {
 		block_size = min_t(size_t, len, INTEL_SPI_FIFO_SZ);
 
@@ -707,6 +762,9 @@ static int intel_spi_erase(struct spi_no
 		return 0;
 	}
 
+	/* Not needed with HW sequencer erase, make sure it is cleared */
+	ispi->atomic_preopcode = 0;
+
 	while (len > 0) {
 		writel(offs, ispi->base + FADDR);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 016/220] serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 015/220] mtd: spi-nor: intel-spi: Fix atomic sequence handling Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 017/220] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior,
	Daniel Wagner, Geert Uytterhoeven

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Wagner <daniel.wagner@siemens.com>

commit 8afb1d2c12163f77777f84616a8e9444d0050ebe upstream.

Commit 40f70c03e33a ("serial: sh-sci: add locking to console write
function to avoid SMP lockup") copied the strategy to avoid locking
problems in conjuncture with the console from the UART8250
driver. Instead using directly spin_{try}lock_irqsave(),
local_irq_save() followed by spin_{try}lock() was used. While this is
correct on mainline, for -rt it is a problem. spin_{try}lock() will
check if it is running in a valid context. Since the local_irq_save()
has already been executed, the context has changed and
spin_{try}lock() will complain. The reason why spin_{try}lock()
complains is that on -rt the spin locks are turned into mutexes and
therefore can sleep. Sleeping with interrupts disabled is not valid.

BUG: sleeping function called from invalid context at /home/wagi/work/rt/v4.4-cip-rt/kernel/locking/rtmutex.c:995
in_atomic(): 0, irqs_disabled(): 128, pid: 778, name: irq/76-eth0
CPU: 0 PID: 778 Comm: irq/76-eth0 Not tainted 4.4.126-test-cip22-rt14-00403-gcd03665c8318 #12
Hardware name: Generic RZ/G1 (Flattened Device Tree)
Backtrace:
[<c00140a0>] (dump_backtrace) from [<c001424c>] (show_stack+0x18/0x1c)
 r7:c06b01f0 r6:60010193 r5:00000000 r4:c06b01f0
[<c0014234>] (show_stack) from [<c01d3c94>] (dump_stack+0x78/0x94)
[<c01d3c1c>] (dump_stack) from [<c004c134>] (___might_sleep+0x134/0x194)
 r7:60010113 r6:c06d3559 r5:00000000 r4:ffffe000
[<c004c000>] (___might_sleep) from [<c04ded60>] (rt_spin_lock+0x20/0x74)
 r5:c06f4d60 r4:c06f4d60
[<c04ded40>] (rt_spin_lock) from [<c02577e4>] (serial_console_write+0x100/0x118)
 r5:c06f4d60 r4:c06f4d60
[<c02576e4>] (serial_console_write) from [<c0061060>] (call_console_drivers.constprop.15+0x10c/0x124)
 r10:c06d2894 r9:c04e18b0 r8:00000028 r7:00000000 r6:c06d3559 r5:c06d2798
 r4:c06b9914 r3:c02576e4
[<c0060f54>] (call_console_drivers.constprop.15) from [<c0062984>] (console_unlock+0x32c/0x430)
 r10:c06d30d8 r9:00000028 r8:c06dd518 r7:00000005 r6:00000000 r5:c06d2798
 r4:c06d2798 r3:00000028
[<c0062658>] (console_unlock) from [<c0062e1c>] (vprintk_emit+0x394/0x4f0)
 r10:c06d2798 r9:c06d30ee r8:00000006 r7:00000005 r6:c06a78fc r5:00000027
 r4:00000003
[<c0062a88>] (vprintk_emit) from [<c0062fa0>] (vprintk+0x28/0x30)
 r10:c060bd46 r9:00001000 r8:c06b9a90 r7:c06b9a90 r6:c06b994c r5:c06b9a3c
 r4:c0062fa8
[<c0062f78>] (vprintk) from [<c0062fb8>] (vprintk_default+0x10/0x14)
[<c0062fa8>] (vprintk_default) from [<c009cd30>] (printk+0x78/0x84)
[<c009ccbc>] (printk) from [<c025afdc>] (credit_entropy_bits+0x17c/0x2cc)
 r3:00000001 r2:decade60 r1:c061a5ee r0:c061a523
 r4:00000006
[<c025ae60>] (credit_entropy_bits) from [<c025bf74>] (add_interrupt_randomness+0x160/0x178)
 r10:466e7196 r9:1f536000 r8:fffeef74 r7:00000000 r6:c06b9a60 r5:c06b9a3c
 r4:dfbcf680
[<c025be14>] (add_interrupt_randomness) from [<c006536c>] (irq_thread+0x1e8/0x248)
 r10:c006537c r9:c06cdf21 r8:c0064fcc r7:df791c24 r6:df791c00 r5:ffffe000
 r4:df525180
[<c0065184>] (irq_thread) from [<c003fba4>] (kthread+0x108/0x11c)
 r10:00000000 r9:00000000 r8:c0065184 r7:df791c00 r6:00000000 r5:df791d00
 r4:decac000
[<c003fa9c>] (kthread) from [<c00101b8>] (ret_from_fork+0x14/0x3c)
 r8:00000000 r7:00000000 r6:00000000 r5:c003fa9c r4:df791d00

Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/sh-sci.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2890,16 +2890,15 @@ static void serial_console_write(struct
 	unsigned long flags;
 	int locked = 1;
 
-	local_irq_save(flags);
 #if defined(SUPPORT_SYSRQ)
 	if (port->sysrq)
 		locked = 0;
 	else
 #endif
 	if (oops_in_progress)
-		locked = spin_trylock(&port->lock);
+		locked = spin_trylock_irqsave(&port->lock, flags);
 	else
-		spin_lock(&port->lock);
+		spin_lock_irqsave(&port->lock, flags);
 
 	/* first save SCSCR then disable interrupts, keep clock source */
 	ctrl = serial_port_in(port, SCSCR);
@@ -2919,8 +2918,7 @@ static void serial_console_write(struct
 	serial_port_out(port, SCSCR, ctrl);
 
 	if (locked)
-		spin_unlock(&port->lock);
-	local_irq_restore(flags);
+		spin_unlock_irqrestore(&port->lock, flags);
 }
 
 static int serial_console_setup(struct console *co, char *options)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 017/220] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 016/220] serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 018/220] PM / Domains: Fix error path during attach in genpd Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Zankel, Max Filippov,
	linux-xtensa, Eric W. Biederman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit 7de712ccc096b81d23cc0a941cd9b8cb3956605d upstream.

While working on changing this code to use force_sig_fault I
discovered that do_unaliged_user is sets si_signo to SIGBUS and passes
SIGSEGV to force_sig_info.  Which is just b0rked.

The code is reporting a SIGBUS error so replace the SIGSEGV with SIGBUS.

Cc: Chris Zankel <chris@zankel.net>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Cc: linux-xtensa@linux-xtensa.org
Cc: stable@vger.kernel.org
Acked-by: Max Filippov <jcmvbkbc@gmail.com>
Fixes: 5a0015d62668 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 3")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/kernel/traps.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/xtensa/kernel/traps.c
+++ b/arch/xtensa/kernel/traps.c
@@ -338,7 +338,7 @@ do_unaligned_user (struct pt_regs *regs)
 	info.si_errno = 0;
 	info.si_code = BUS_ADRALN;
 	info.si_addr = (void *) regs->excvaddr;
-	force_sig_info(SIGSEGV, &info, current);
+	force_sig_info(SIGBUS, &info, current);
 
 }
 #endif



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 018/220] PM / Domains: Fix error path during attach in genpd
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 017/220] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 019/220] PCI / PM: Do not clear state_saved for devices that remain suspended Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ulf Hansson, Rafael J. Wysocki

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ulf Hansson <ulf.hansson@linaro.org>

commit 72038df3c580c4c326b83c86149d7ac34007532a upstream.

In case the PM domain fails to be powered on in genpd_dev_pm_attach(), it
returns -EPROBE_DEFER, but keeping the device attached to its PM domain.
This leads to problems when the next attempt to attach is re-tried. More
precisely, in that situation an -EEXIST error code is returned, because the
device already has its PM domain pointer assigned, from the first attempt.

Now, because of the sloppy error handling by the existing callers of
dev_pm_domain_attach(), probing is allowed to continue when -EEXIST is
returned. However, in such case there are no guarantees that the PM domain
is powered on by genpd, which may lead to hangs when buses/drivers tried to
access their devices.

Let's fix this behaviour, simply by detaching the device when powering on
fails in genpd_dev_pm_attach().

Cc: v4.11+ <stable@vger.kernel.org> # v4.11+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/power/domain.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -2246,6 +2246,9 @@ int genpd_dev_pm_attach(struct device *d
 	genpd_lock(pd);
 	ret = genpd_power_on(pd, 0);
 	genpd_unlock(pd);
+
+	if (ret)
+		genpd_remove_device(pd, dev);
 out:
 	return ret ? -EPROBE_DEFER : 0;
 }



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 019/220] PCI / PM: Do not clear state_saved for devices that remain suspended
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 018/220] PM / Domains: Fix error path during attach in genpd Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 020/220] ACPI / LPSS: Avoid PM quirks on suspend and resume from S3 Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rafael J. Wysocki, Mika Westerberg,
	Bjorn Helgaas

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit 656088aa9b513907833ba091d0dcde87571fe05b upstream.

The state_saved flag should not be cleared in pci_pm_suspend() if the
given device is going to remain suspended, or the device's config
space will not be restored properly during the subsequent resume.

Namely, if the device is going to stay in suspend, both the late
and noirq callbacks return early for it, so if its state_saved flag
is cleared in pci_pm_suspend(), it will remain unset throughout the
remaining part of suspend and resume and pci_restore_state() called
for the device going forward will return without doing anything.

For this reason, change pci_pm_suspend() to only clear state_saved
if the given device is not going to remain suspended.  [This is
analogous to what commit ae860a19f37c (PCI / PM: Do not clear
state_saved in pci_pm_freeze() when smart suspend is set) did for
hibernation.]

Fixes: c4b65157aeef (PCI / PM: Take SMART_SUSPEND driver flag into account)
Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/pci-driver.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -753,10 +753,11 @@ static int pci_pm_suspend(struct device
 	 * better to resume the device from runtime suspend here.
 	 */
 	if (!dev_pm_test_driver_flags(dev, DPM_FLAG_SMART_SUSPEND) ||
-	    !pci_dev_keep_suspended(pci_dev))
+	    !pci_dev_keep_suspended(pci_dev)) {
 		pm_runtime_resume(dev);
+		pci_dev->state_saved = false;
+	}
 
-	pci_dev->state_saved = false;
 	if (pm->suspend) {
 		pci_power_t prev = pci_dev->current_state;
 		int error;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 020/220] ACPI / LPSS: Avoid PM quirks on suspend and resume from S3
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 019/220] PCI / PM: Do not clear state_saved for devices that remain suspended Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 021/220] PM / core: Fix supplier device runtime PM usage counter imbalance Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Rafael J. Wysocki,
	Ulf Hansson, Andy Shevchenko, Mika Westerberg

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit a09c591306881dfb04387c6ee7b7e2e4683fa531 upstream.

It is reported that commit a192aa923b66a (ACPI / LPSS: Consolidate
runtime PM and system sleep handling) introduced a system suspend
regression on some machines, but the only functional change made by
it was to cause the PM quirks in the LPSS to also be used during
system suspend and resume.  While that should always work for
suspend-to-idle, it turns out to be problematic for S3
(suspend-to-RAM).

To address that issue restore the previous S3 suspend and resume
behavior of the LPSS to avoid applying PM quirks then.

Fixes: a192aa923b66a (ACPI / LPSS: Consolidate runtime PM and system sleep handling)
Link: https://bugs.launchpad.net/bugs/1774950
Reported-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/acpi_lpss.c |   18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -22,6 +22,7 @@
 #include <linux/pm_domain.h>
 #include <linux/pm_runtime.h>
 #include <linux/pwm.h>
+#include <linux/suspend.h>
 #include <linux/delay.h>
 
 #include "internal.h"
@@ -940,9 +941,10 @@ static void lpss_iosf_exit_d3_state(void
 	mutex_unlock(&lpss_iosf_mutex);
 }
 
-static int acpi_lpss_suspend(struct device *dev, bool wakeup)
+static int acpi_lpss_suspend(struct device *dev, bool runtime)
 {
 	struct lpss_private_data *pdata = acpi_driver_data(ACPI_COMPANION(dev));
+	bool wakeup = runtime || device_may_wakeup(dev);
 	int ret;
 
 	if (pdata->dev_desc->flags & LPSS_SAVE_CTX)
@@ -955,13 +957,14 @@ static int acpi_lpss_suspend(struct devi
 	 * wrong status for devices being about to be powered off. See
 	 * lpss_iosf_enter_d3_state() for further information.
 	 */
-	if (lpss_quirks & LPSS_QUIRK_ALWAYS_POWER_ON && iosf_mbi_available())
+	if ((runtime || !pm_suspend_via_firmware()) &&
+	    lpss_quirks & LPSS_QUIRK_ALWAYS_POWER_ON && iosf_mbi_available())
 		lpss_iosf_enter_d3_state();
 
 	return ret;
 }
 
-static int acpi_lpss_resume(struct device *dev)
+static int acpi_lpss_resume(struct device *dev, bool runtime)
 {
 	struct lpss_private_data *pdata = acpi_driver_data(ACPI_COMPANION(dev));
 	int ret;
@@ -970,7 +973,8 @@ static int acpi_lpss_resume(struct devic
 	 * This call is kept first to be in symmetry with
 	 * acpi_lpss_runtime_suspend() one.
 	 */
-	if (lpss_quirks & LPSS_QUIRK_ALWAYS_POWER_ON && iosf_mbi_available())
+	if ((runtime || !pm_resume_via_firmware()) &&
+	    lpss_quirks & LPSS_QUIRK_ALWAYS_POWER_ON && iosf_mbi_available())
 		lpss_iosf_exit_d3_state();
 
 	ret = acpi_dev_resume(dev);
@@ -994,12 +998,12 @@ static int acpi_lpss_suspend_late(struct
 		return 0;
 
 	ret = pm_generic_suspend_late(dev);
-	return ret ? ret : acpi_lpss_suspend(dev, device_may_wakeup(dev));
+	return ret ? ret : acpi_lpss_suspend(dev, false);
 }
 
 static int acpi_lpss_resume_early(struct device *dev)
 {
-	int ret = acpi_lpss_resume(dev);
+	int ret = acpi_lpss_resume(dev, false);
 
 	return ret ? ret : pm_generic_resume_early(dev);
 }
@@ -1014,7 +1018,7 @@ static int acpi_lpss_runtime_suspend(str
 
 static int acpi_lpss_runtime_resume(struct device *dev)
 {
-	int ret = acpi_lpss_resume(dev);
+	int ret = acpi_lpss_resume(dev, true);
 
 	return ret ? ret : pm_generic_runtime_resume(dev);
 }



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 021/220] PM / core: Fix supplier device runtime PM usage counter imbalance
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 020/220] ACPI / LPSS: Avoid PM quirks on suspend and resume from S3 Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 022/220] PM / OPP: Update voltage in case freq == old_freq Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ulf Hansson, Marek Szyprowski,
	Rafael J. Wysocki

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit 47e5abfb546a3ace23a77453dc2e9db92704c5ac upstream.

If a device link is added via device_link_add() by the driver of the
link's consumer device, the supplier's runtime PM usage counter is
going to be dropped by the pm_runtime_put_suppliers() call in
driver_probe_device().  However, in that case it is not incremented
unless the supplier driver is already present and the link is not
stateless.  That leads to a runtime PM usage counter imbalance for
the supplier device in a few cases.

To prevent that from happening, bump up the supplier runtime
PM usage counter in device_link_add() for all links with the
DL_FLAG_PM_RUNTIME flag set that are added at the consumer probe
time.  Use pm_runtime_get_noresume() for that as the callers of
device_link_add() who want the supplier to be resumed by it are
expected to pass DL_FLAG_RPM_ACTIVE in flags to it anyway, but
additionally resume the supplier if the link is added during
consumer driver probe to retain the existing behavior for the
callers depending on it.

Fixes: 21d5c57b3726 (PM / runtime: Use device links)
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: 4.10+ <stable@vger.kernel.org> # 4.10+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/core.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -216,6 +216,13 @@ struct device_link *device_link_add(stru
 			link->rpm_active = true;
 		}
 		pm_runtime_new_link(consumer);
+		/*
+		 * If the link is being added by the consumer driver at probe
+		 * time, balance the decrementation of the supplier's runtime PM
+		 * usage counter after consumer probe in driver_probe_device().
+		 */
+		if (consumer->links.status == DL_DEV_PROBING)
+			pm_runtime_get_noresume(supplier);
 	}
 	get_device(supplier);
 	link->supplier = supplier;
@@ -235,12 +242,12 @@ struct device_link *device_link_add(stru
 			switch (consumer->links.status) {
 			case DL_DEV_PROBING:
 				/*
-				 * Balance the decrementation of the supplier's
-				 * runtime PM usage counter after consumer probe
-				 * in driver_probe_device().
+				 * Some callers expect the link creation during
+				 * consumer driver probe to resume the supplier
+				 * even without DL_FLAG_RPM_ACTIVE.
 				 */
 				if (flags & DL_FLAG_PM_RUNTIME)
-					pm_runtime_get_sync(supplier);
+					pm_runtime_resume(supplier);
 
 				link->status = DL_STATE_CONSUMER_PROBE;
 				break;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 022/220] PM / OPP: Update voltage in case freq == old_freq
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 021/220] PM / core: Fix supplier device runtime PM usage counter imbalance Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 023/220] mmc: renesas_sdhi: really fix WP logic regressions Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Waldemar Rymarkiewicz, Viresh Kumar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com>

commit c5c2a97b3ac7d1ec19e7cff9e38caca6afefc3de upstream.

This commit fixes a rare but possible case when the clk rate is updated
without update of the regulator voltage.

At boot up, CPUfreq checks if the system is running at the right freq. This
is a sanity check in case a bootloader set clk rate that is outside of freq
table present with cpufreq core. In such cases system can be unstable so
better to change it to a freq that is preset in freq-table.

The CPUfreq takes next freq that is >= policy->cur and this is our
target_freq that needs to be set now.

dev_pm_opp_set_rate(dev, target_freq) checks the target_freq and the
old_freq (a current rate). If these are equal it returns early. If not,
it searches for OPP (old_opp) that fits best to old_freq (not listed in
the table) and updates old_freq (!).

Here, we can end up with old_freq = old_opp.rate = target_freq, which
is not handled in _generic_set_opp_regulator(). It's supposed to update
voltage only when freq > old_freq  || freq > old_freq.

if (freq > old_freq) {
		ret = _set_opp_voltage(dev, reg, new_supply);
[...]
if (freq < old_freq) {
		ret = _set_opp_voltage(dev, reg, new_supply);
		if (ret)

It results in, no voltage update while clk rate is updated.

Example:
freq-table = {
	1000MHz   1.15V
	 666MHZ   1.10V
	 333MHz   1.05V
}
boot-up-freq        = 800MHz   # not listed in freq-table
freq = target_freq  = 1GHz
old_freq            = 800Mhz
old_opp = _find_freq_ceil(opp_table, &old_freq);  #(old_freq is modified!)
old_freq            = 1GHz

Fixes: 6a0712f6f199 ("PM / OPP: Add dev_pm_opp_set_rate()")
Cc: 4.6+ <stable@vger.kernel.org> # v4.6+
Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/opp/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/opp/core.c
+++ b/drivers/opp/core.c
@@ -591,7 +591,7 @@ static int _generic_set_opp_regulator(co
 	}
 
 	/* Scaling up? Scale voltage before frequency */
-	if (freq > old_freq) {
+	if (freq >= old_freq) {
 		ret = _set_opp_voltage(dev, reg, new_supply);
 		if (ret)
 			goto restore_voltage;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 023/220] mmc: renesas_sdhi: really fix WP logic regressions
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 022/220] PM / OPP: Update voltage in case freq == old_freq Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 024/220] usb: do not reset if a low-speed or full-speed device timed out Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yoshihiro Shimoda, Wolfram Sang, Ulf Hansson

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfram Sang <wsa+renesas@sang-engineering.com>

commit ef5332c10d4f332a2ac79e9ad5452f4e89d1815a upstream.

This reverts commit e060d376cc61 ("mmc: renesas_sdhi: fix WP detection")
and adds some code to really fix the regressions.

It was missed so far that Renesas R-Car instantiations of SDHI chose to
disable internal WP and used the existence of "wp-gpios" to en/disable
WP at all.

With the first refactoring by Yamada-san with commit 2ad1db059b9a ("mmc:
renesas_sdhi: use MMC_CAP2_NO_WRITE_PROTECT instead of TMIO own flag"),
WP was always disabled even when GPIOs were present. With Wolfram's
first fix which gets now reverted, GPIOs were honored. But when not
available, the fallback was to internal WP and not to disabled WP. This
caused wrong WP status on uSD card slots.

Restore the old behaviour now. By default, WP is disabled. When a GPIO
is found, the GPIO re-enables WP. We will think about possible better
ways to handle this in the future.

Tested on a previously regressing Renesas Lager board (H2) and a still
working Renesas Salvator-X board (M3-W).

Reported-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Cc: stable@vger.kernel.org # v4.17+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/renesas_sdhi_core.c          |    5 +++++
 drivers/mmc/host/renesas_sdhi_internal_dmac.c |    1 +
 drivers/mmc/host/renesas_sdhi_sys_dmac.c      |    3 +++
 3 files changed, 9 insertions(+)

--- a/drivers/mmc/host/renesas_sdhi_core.c
+++ b/drivers/mmc/host/renesas_sdhi_core.c
@@ -28,6 +28,7 @@
 #include <linux/of_device.h>
 #include <linux/platform_device.h>
 #include <linux/mmc/host.h>
+#include <linux/mmc/slot-gpio.h>
 #include <linux/mfd/tmio.h>
 #include <linux/sh_dma.h>
 #include <linux/delay.h>
@@ -534,6 +535,10 @@ int renesas_sdhi_probe(struct platform_d
 	host->multi_io_quirk	= renesas_sdhi_multi_io_quirk;
 	host->dma_ops		= dma_ops;
 
+	/* For some SoC, we disable internal WP. GPIO may override this */
+	if (mmc_can_gpio_ro(host->mmc))
+		mmc_data->capabilities2 &= ~MMC_CAP2_NO_WRITE_PROTECT;
+
 	/* SDR speeds are only available on Gen2+ */
 	if (mmc_data->flags & TMIO_MMC_MIN_RCAR2) {
 		/* card_busy caused issues on r8a73a4 (pre-Gen2) CD-less SDHI */
--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
@@ -87,6 +87,7 @@ static const struct renesas_sdhi_of_data
 			  TMIO_MMC_HAVE_CBSY | TMIO_MMC_MIN_RCAR2,
 	.capabilities	= MMC_CAP_SD_HIGHSPEED | MMC_CAP_SDIO_IRQ |
 			  MMC_CAP_CMD23,
+	.capabilities2	= MMC_CAP2_NO_WRITE_PROTECT,
 	.bus_shift	= 2,
 	.scc_offset	= 0x1000,
 	.taps		= rcar_gen3_scc_taps,
--- a/drivers/mmc/host/renesas_sdhi_sys_dmac.c
+++ b/drivers/mmc/host/renesas_sdhi_sys_dmac.c
@@ -42,6 +42,7 @@ static const struct renesas_sdhi_of_data
 static const struct renesas_sdhi_of_data of_rcar_gen1_compatible = {
 	.tmio_flags	= TMIO_MMC_HAS_IDLE_WAIT | TMIO_MMC_CLK_ACTUAL,
 	.capabilities	= MMC_CAP_SD_HIGHSPEED | MMC_CAP_SDIO_IRQ,
+	.capabilities2	= MMC_CAP2_NO_WRITE_PROTECT,
 };
 
 /* Definitions for sampling clocks */
@@ -61,6 +62,7 @@ static const struct renesas_sdhi_of_data
 			  TMIO_MMC_HAVE_CBSY | TMIO_MMC_MIN_RCAR2,
 	.capabilities	= MMC_CAP_SD_HIGHSPEED | MMC_CAP_SDIO_IRQ |
 			  MMC_CAP_CMD23,
+	.capabilities2	= MMC_CAP2_NO_WRITE_PROTECT,
 	.dma_buswidth	= DMA_SLAVE_BUSWIDTH_4_BYTES,
 	.dma_rx_offset	= 0x2000,
 	.scc_offset	= 0x0300,
@@ -81,6 +83,7 @@ static const struct renesas_sdhi_of_data
 			  TMIO_MMC_HAVE_CBSY | TMIO_MMC_MIN_RCAR2,
 	.capabilities	= MMC_CAP_SD_HIGHSPEED | MMC_CAP_SDIO_IRQ |
 			  MMC_CAP_CMD23,
+	.capabilities2	= MMC_CAP2_NO_WRITE_PROTECT,
 	.bus_shift	= 2,
 	.scc_offset	= 0x1000,
 	.taps		= rcar_gen3_scc_taps,



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 024/220] usb: do not reset if a low-speed or full-speed device timed out
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 023/220] mmc: renesas_sdhi: really fix WP logic regressions Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 026/220] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maxim Moseychuk

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxim Moseychuk <franchesko.salias.hudro.pedros@gmail.com>

commit 6e01827ed93947895680fbdad68c072a0f4e2450 upstream.

Some low-speed and full-speed devices (for example, bluetooth)
do not have time to initialize. For them, ETIMEDOUT is a valid error.
We need to give them another try. Otherwise, they will
never be initialized correctly and in dmesg will be messages
"Bluetooth: hci0 command 0x1002 tx timeout" or similars.

Fixes: 264904ccc33c ("usb: retry reset if a device times out")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Maxim Moseychuk <franchesko.salias.hudro.pedros@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hub.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4551,7 +4551,9 @@ hub_port_init(struct usb_hub *hub, struc
 				 * reset. But only on the first attempt,
 				 * lest we get into a time out/reset loop
 				 */
-				if (r == 0  || (r == -ETIMEDOUT && retries == 0))
+				if (r == 0 || (r == -ETIMEDOUT &&
+						retries == 0 &&
+						udev->speed > USB_SPEED_FULL))
 					break;
 			}
 			udev->descriptor.bMaxPacketSize0 =



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 026/220] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 024/220] usb: do not reset if a low-speed or full-speed device timed out Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 027/220] ASoC: cs35l35: Add use_single_rw to regmap config Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Mark Brown

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit ff2faf1289c1f81b5b26b9451dd1c2006aac8db8 upstream.

dapm_kcontrol_data is freed as part of dapm_kcontrol_free(), leaving the
paths pointer dangling in the list.

This leads to system crash when we try to unload and reload sound card.
I hit this bug during ADSP crash/reboot test case on Dragon board DB410c.

Without this patch, on SLAB Poisoning enabled build, kernel crashes with
"BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten"

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/soc-dapm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -433,6 +433,8 @@ err_data:
 static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
 {
 	struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
+
+	list_del(&data->paths);
 	kfree(data->wlist);
 	kfree(data);
 }



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 027/220] ASoC: cs35l35: Add use_single_rw to regmap config
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 026/220] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 028/220] ASoC: mediatek: preallocate pages use platform device Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paul Handrigan, Mark Brown

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Handrigan <Paul.Handrigan@cirrus.com>

commit 6a6ad7face95af0b9e6aaf1eb2261eb70240b89b upstream.

Add the use_single_rw flag to regmap config since the
device does not support bulk transactions over i2c.

Signed-off-by: Paul Handrigan <Paul.Handrigan@cirrus.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/cs35l35.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/soc/codecs/cs35l35.c
+++ b/sound/soc/codecs/cs35l35.c
@@ -1105,6 +1105,7 @@ static struct regmap_config cs35l35_regm
 	.readable_reg = cs35l35_readable_register,
 	.precious_reg = cs35l35_precious_register,
 	.cache_type = REGCACHE_RBTREE,
+	.use_single_rw = true,
 };
 
 static irqreturn_t cs35l35_irq(int irq, void *data)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 028/220] ASoC: mediatek: preallocate pages use platform device
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 027/220] ASoC: cs35l35: Add use_single_rw to regmap config Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 029/220] ASoC: cirrus: i2s: Fix LRCLK configuration Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, KaiChieh Chuang, Mark Brown

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai Chieh Chuang <kaichieh.chuang@mediatek.com>

commit 5845e6155d8f4a4a9bae2d4c1d1bb4a4d9a925c2 upstream.

preallocate pages should use platform device,
since we set dma mask for platform device.

Signed-off-by: KaiChieh Chuang <kaichieh.chuang@mediatek.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/mediatek/common/mtk-afe-platform-driver.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c
+++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
@@ -64,14 +64,14 @@ static const struct snd_pcm_ops mtk_afe_
 static int mtk_afe_pcm_new(struct snd_soc_pcm_runtime *rtd)
 {
 	size_t size;
-	struct snd_card *card = rtd->card->snd_card;
 	struct snd_pcm *pcm = rtd->pcm;
 	struct snd_soc_component *component = snd_soc_rtdcom_lookup(rtd, AFE_PCM_NAME);
 	struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component);
 
 	size = afe->mtk_afe_hardware->buffer_bytes_max;
 	return snd_pcm_lib_preallocate_pages_for_all(pcm, SNDRV_DMA_TYPE_DEV,
-						     card->dev, size, size);
+						     rtd->platform->dev,
+						     size, size);
 }
 
 static void mtk_afe_pcm_free(struct snd_pcm *pcm)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 029/220] ASoC: cirrus: i2s: Fix LRCLK configuration
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 028/220] ASoC: mediatek: preallocate pages use platform device Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 031/220] thermal: bcm2835: Stop using printk format %pCr Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Sverdlin, Mark Brown

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Sverdlin <alexander.sverdlin@gmail.com>

commit 2d534113be9a2aa532a1ae127a57e83558aed358 upstream.

The bit responsible for LRCLK polarity is i2s_tlrs (0), not i2s_trel (2)
(refer to "EP93xx User's Guide").

Previously card drivers which specified SND_SOC_DAIFMT_NB_IF actually got
SND_SOC_DAIFMT_NB_NF, an adaptation is necessary to retain the old
behavior.

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/cirrus/edb93xx.c     |    2 +-
 sound/soc/cirrus/ep93xx-i2s.c  |    8 ++++----
 sound/soc/cirrus/snappercl15.c |    2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

--- a/sound/soc/cirrus/edb93xx.c
+++ b/sound/soc/cirrus/edb93xx.c
@@ -67,7 +67,7 @@ static struct snd_soc_dai_link edb93xx_d
 	.cpu_dai_name	= "ep93xx-i2s",
 	.codec_name	= "spi0.0",
 	.codec_dai_name	= "cs4271-hifi",
-	.dai_fmt	= SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
+	.dai_fmt	= SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
 			  SND_SOC_DAIFMT_CBS_CFS,
 	.ops		= &edb93xx_ops,
 };
--- a/sound/soc/cirrus/ep93xx-i2s.c
+++ b/sound/soc/cirrus/ep93xx-i2s.c
@@ -213,24 +213,24 @@ static int ep93xx_i2s_set_dai_fmt(struct
 	switch (fmt & SND_SOC_DAIFMT_INV_MASK) {
 	case SND_SOC_DAIFMT_NB_NF:
 		/* Negative bit clock, lrclk low on left word */
-		clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL);
+		clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS);
 		break;
 
 	case SND_SOC_DAIFMT_NB_IF:
 		/* Negative bit clock, lrclk low on right word */
 		clk_cfg &= ~EP93XX_I2S_CLKCFG_CKP;
-		clk_cfg |= EP93XX_I2S_CLKCFG_REL;
+		clk_cfg |= EP93XX_I2S_CLKCFG_LRS;
 		break;
 
 	case SND_SOC_DAIFMT_IB_NF:
 		/* Positive bit clock, lrclk low on left word */
 		clk_cfg |= EP93XX_I2S_CLKCFG_CKP;
-		clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
+		clk_cfg &= ~EP93XX_I2S_CLKCFG_LRS;
 		break;
 
 	case SND_SOC_DAIFMT_IB_IF:
 		/* Positive bit clock, lrclk low on right word */
-		clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL;
+		clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS;
 		break;
 	}
 
--- a/sound/soc/cirrus/snappercl15.c
+++ b/sound/soc/cirrus/snappercl15.c
@@ -72,7 +72,7 @@ static struct snd_soc_dai_link snappercl
 	.codec_dai_name	= "tlv320aic23-hifi",
 	.codec_name	= "tlv320aic23-codec.0-001a",
 	.platform_name	= "ep93xx-i2s",
-	.dai_fmt	= SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
+	.dai_fmt	= SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
 			  SND_SOC_DAIFMT_CBS_CFS,
 	.ops		= &snappercl15_ops,
 };



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 031/220] thermal: bcm2835: Stop using printk format %pCr
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 029/220] ASoC: cirrus: i2s: Fix LRCLK configuration Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 032/220] clk: renesas: cpg-mssr: " Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel, Jia-Ju Bai, Jonathan Corbet, Michael Turquette,
	Stephen Boyd, Zhang Rui, Eduardo Valentin, Eric Anholt,
	Stefan Wahren
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky, Petr Mladek,
	Linus Torvalds, Steven Rostedt, linux-doc, linux-clk, linux-pm,
	linux-serial, linux-arm-kernel, linux-renesas-soc,
	Geert Uytterhoeven

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit bd2a07f71a1e2e198f8a30cb551d9defe422d83d upstream.

Printk format "%pCr" will be removed soon, as clk_get_rate() must not be
called in atomic context.

Replace it by printing the variable that already holds the clock rate.
Note that calling clk_get_rate() is safe here, as the code runs in task
context.

Link: http://lkml.kernel.org/r/1527845302-12159-3-git-send-email-geert+renesas@glider.be
To: Jia-Ju Bai <baijiaju1990@gmail.com>
To: Jonathan Corbet <corbet@lwn.net>
To: Michael Turquette <mturquette@baylibre.com>
To: Stephen Boyd <sboyd@kernel.org>
To: Zhang Rui <rui.zhang@intel.com>
To: Eduardo Valentin <edubezval@gmail.com>
To: Eric Anholt <eric@anholt.net>
To: Stefan Wahren <stefan.wahren@i2se.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: linux-doc@vger.kernel.org
Cc: linux-clk@vger.kernel.org
Cc: linux-pm@vger.kernel.org
Cc: linux-serial@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-renesas-soc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # 4.12+
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/thermal/broadcom/bcm2835_thermal.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/thermal/broadcom/bcm2835_thermal.c
+++ b/drivers/thermal/broadcom/bcm2835_thermal.c
@@ -213,8 +213,8 @@ static int bcm2835_thermal_probe(struct
 	rate = clk_get_rate(data->clk);
 	if ((rate < 1920000) || (rate > 5000000))
 		dev_warn(&pdev->dev,
-			 "Clock %pCn running at %pCr Hz is outside of the recommended range: 1.92 to 5MHz\n",
-			 data->clk, data->clk);
+			 "Clock %pCn running at %lu Hz is outside of the recommended range: 1.92 to 5MHz\n",
+			 data->clk, rate);
 
 	/* register of thermal sensor and get info from DT */
 	tz = thermal_zone_of_sensor_register(&pdev->dev, 0, data,



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 032/220] clk: renesas: cpg-mssr: Stop using printk format %pCr
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 031/220] thermal: bcm2835: Stop using printk format %pCr Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 033/220] lib/vsprintf: Remove atomic-unsafe support for %pCr Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel, Jia-Ju Bai, Jonathan Corbet, Michael Turquette,
	Stephen Boyd, Zhang Rui, Eduardo Valentin, Eric Anholt,
	Stefan Wahren
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky, Petr Mladek,
	Linus Torvalds, Steven Rostedt, linux-doc, linux-clk, linux-pm,
	linux-serial, linux-arm-kernel, linux-renesas-soc,
	Geert Uytterhoeven

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit ef4b0be62641d296cf4c0ad8f75ab83ab066ed51 upstream.

Printk format "%pCr" will be removed soon, as clk_get_rate() must not be
called in atomic context.

Replace it by open-coding the operation.  This is safe here, as the code
runs in task context.

Link: http://lkml.kernel.org/r/1527845302-12159-2-git-send-email-geert+renesas@glider.be
To: Jia-Ju Bai <baijiaju1990@gmail.com>
To: Jonathan Corbet <corbet@lwn.net>
To: Michael Turquette <mturquette@baylibre.com>
To: Stephen Boyd <sboyd@kernel.org>
To: Zhang Rui <rui.zhang@intel.com>
To: Eduardo Valentin <edubezval@gmail.com>
To: Eric Anholt <eric@anholt.net>
To: Stefan Wahren <stefan.wahren@i2se.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: linux-doc@vger.kernel.org
Cc: linux-clk@vger.kernel.org
Cc: linux-pm@vger.kernel.org
Cc: linux-serial@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-renesas-soc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: stable@vger.kernel.org # 4.5+
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/renesas/renesas-cpg-mssr.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/clk/renesas/renesas-cpg-mssr.c
+++ b/drivers/clk/renesas/renesas-cpg-mssr.c
@@ -258,8 +258,9 @@ struct clk *cpg_mssr_clk_src_twocell_get
 		dev_err(dev, "Cannot get %s clock %u: %ld", type, clkidx,
 		       PTR_ERR(clk));
 	else
-		dev_dbg(dev, "clock (%u, %u) is %pC at %pCr Hz\n",
-			clkspec->args[0], clkspec->args[1], clk, clk);
+		dev_dbg(dev, "clock (%u, %u) is %pC at %lu Hz\n",
+			clkspec->args[0], clkspec->args[1], clk,
+			clk_get_rate(clk));
 	return clk;
 }
 
@@ -326,7 +327,7 @@ static void __init cpg_mssr_register_cor
 	if (IS_ERR_OR_NULL(clk))
 		goto fail;
 
-	dev_dbg(dev, "Core clock %pC at %pCr Hz\n", clk, clk);
+	dev_dbg(dev, "Core clock %pC at %lu Hz\n", clk, clk_get_rate(clk));
 	priv->clks[id] = clk;
 	return;
 
@@ -392,7 +393,7 @@ static void __init cpg_mssr_register_mod
 	if (IS_ERR(clk))
 		goto fail;
 
-	dev_dbg(dev, "Module clock %pC at %pCr Hz\n", clk, clk);
+	dev_dbg(dev, "Module clock %pC at %lu Hz\n", clk, clk_get_rate(clk));
 	priv->clks[id] = clk;
 	priv->smstpcr_saved[clock->index / 32].mask |= BIT(clock->index % 32);
 	return;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 033/220] lib/vsprintf: Remove atomic-unsafe support for %pCr
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 032/220] clk: renesas: cpg-mssr: " Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 034/220] ftrace/selftest: Have the reset_trigger code be a bit more careful Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel, Jia-Ju Bai, Jonathan Corbet, Michael Turquette,
	Stephen Boyd, Zhang Rui, Eduardo Valentin, Eric Anholt,
	Stefan Wahren
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky, Petr Mladek,
	Linus Torvalds, Steven Rostedt, linux-doc, linux-clk, linux-pm,
	linux-serial, linux-arm-kernel, linux-renesas-soc,
	Geert Uytterhoeven

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 666902e42fd8344b923c02dc5b0f37948ff4f225 upstream.

"%pCr" formats the current rate of a clock, and calls clk_get_rate().
The latter obtains a mutex, hence it must not be called from atomic
context.

Remove support for this rarely-used format, as vsprintf() (and e.g.
printk()) must be callable from any context.

Any remaining out-of-tree users will start seeing the clock's name
printed instead of its rate.

Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Fixes: 900cca2944254edd ("lib/vsprintf: add %pC{,n,r} format specifiers for clocks")
Link: http://lkml.kernel.org/r/1527845302-12159-5-git-send-email-geert+renesas@glider.be
To: Jia-Ju Bai <baijiaju1990@gmail.com>
To: Jonathan Corbet <corbet@lwn.net>
To: Michael Turquette <mturquette@baylibre.com>
To: Stephen Boyd <sboyd@kernel.org>
To: Zhang Rui <rui.zhang@intel.com>
To: Eduardo Valentin <edubezval@gmail.com>
To: Eric Anholt <eric@anholt.net>
To: Stefan Wahren <stefan.wahren@i2se.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: linux-doc@vger.kernel.org
Cc: linux-clk@vger.kernel.org
Cc: linux-pm@vger.kernel.org
Cc: linux-serial@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-renesas-soc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: stable@vger.kernel.org # 4.1+
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/core-api/printk-formats.rst |    3 +--
 lib/vsprintf.c                            |    3 ---
 2 files changed, 1 insertion(+), 5 deletions(-)

--- a/Documentation/core-api/printk-formats.rst
+++ b/Documentation/core-api/printk-formats.rst
@@ -419,11 +419,10 @@ struct clk
 
 	%pC	pll1
 	%pCn	pll1
-	%pCr	1560000000
 
 For printing struct clk structures. %pC and %pCn print the name
 (Common Clock Framework) or address (legacy clock framework) of the
-structure; %pCr prints the current clock rate.
+structure.
 
 Passed by reference.
 
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1456,9 +1456,6 @@ char *clock(char *buf, char *end, struct
 		return string(buf, end, NULL, spec);
 
 	switch (fmt[1]) {
-	case 'r':
-		return number(buf, end, clk_get_rate(clk), spec);
-
 	case 'n':
 	default:
 #ifdef CONFIG_COMMON_CLK



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 034/220] ftrace/selftest: Have the reset_trigger code be a bit more careful
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 033/220] lib/vsprintf: Remove atomic-unsafe support for %pCr Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:20 ` [PATCH 4.17 035/220] mips: ftrace: fix static function graph tracing Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Namhyung Kim, Masami Hiramatsu,
	Steven Rostedt (VMware)

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 756b56a9e832e063edc83be7c3889e98c536dd2b upstream.

The trigger code is picky in how it can be disabled as there may be
dependencies between different events and synthetic events. Change the order
on how triggers are reset.

 1) Reset triggers of all synthetic events first
 2) Remove triggers with actions attached to them
 3) Remove all other triggers

If this order isn't followed, then some triggers will not be reset, and an
error may happen because a trigger is busy.

Cc: stable@vger.kernel.org
Fixes: cfa0963dc474f ("kselftests/ftrace : Add event trigger testcases")
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/testing/selftests/ftrace/test.d/functions |   21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

--- a/tools/testing/selftests/ftrace/test.d/functions
+++ b/tools/testing/selftests/ftrace/test.d/functions
@@ -15,14 +15,29 @@ reset_tracer() { # reset the current tra
     echo nop > current_tracer
 }
 
-reset_trigger() { # reset all current setting triggers
-    grep -v ^# events/*/*/trigger |
+reset_trigger_file() {
+    # remove action triggers first
+    grep -H ':on[^:]*(' $@ |
+    while read line; do
+        cmd=`echo $line | cut -f2- -d: | cut -f1 -d" "`
+	file=`echo $line | cut -f1 -d:`
+	echo "!$cmd" >> $file
+    done
+    grep -Hv ^# $@ |
     while read line; do
         cmd=`echo $line | cut -f2- -d: | cut -f1 -d" "`
-	echo "!$cmd" > `echo $line | cut -f1 -d:`
+	file=`echo $line | cut -f1 -d:`
+	echo "!$cmd" > $file
     done
 }
 
+reset_trigger() { # reset all current setting triggers
+    if [ -d events/synthetic ]; then
+        reset_trigger_file events/synthetic/*/trigger
+    fi
+    reset_trigger_file events/*/*/trigger
+}
+
 reset_events_filter() { # reset all current setting filters
     grep -v ^none events/*/*/filter |
     while read line; do



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 035/220] mips: ftrace: fix static function graph tracing
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 034/220] ftrace/selftest: Have the reset_trigger code be a bit more careful Greg Kroah-Hartman
@ 2018-07-01 16:20 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 036/220] branch-check: fix long->int truncation when profiling branches Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Schiffer, Matt Redfearn,
	Paul Burton

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Schiffer <mschiffer@universe-factory.net>

commit 6fb8656646f996d1eef42e6d56203c4915cb9e08 upstream.

ftrace_graph_caller was never run after calling ftrace_trace_function,
breaking the function graph tracer. Fix this, bringing it in line with the
x86 implementation.

While we're at it, also streamline the control flow of _mcount a bit to
reduce the number of branches.

This issue was reported before:
https://www.linux-mips.org/archives/linux-mips/2014-11/msg00295.html

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Tested-by: Matt Redfearn <matt.redfearn@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/18929/
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: stable@vger.kernel.org # v3.17+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kernel/mcount.S |   27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

--- a/arch/mips/kernel/mcount.S
+++ b/arch/mips/kernel/mcount.S
@@ -119,10 +119,20 @@ NESTED(_mcount, PT_SIZE, ra)
 EXPORT_SYMBOL(_mcount)
 	PTR_LA	t1, ftrace_stub
 	PTR_L	t2, ftrace_trace_function /* Prepare t2 for (1) */
-	bne	t1, t2, static_trace
+	beq	t1, t2, fgraph_trace
 	 nop
 
+	MCOUNT_SAVE_REGS
+
+	move	a0, ra		/* arg1: self return address */
+	jalr	t2		/* (1) call *ftrace_trace_function */
+	 move	a1, AT		/* arg2: parent's return address */
+
+	MCOUNT_RESTORE_REGS
+
+fgraph_trace:
 #ifdef	CONFIG_FUNCTION_GRAPH_TRACER
+	PTR_LA	t1, ftrace_stub
 	PTR_L	t3, ftrace_graph_return
 	bne	t1, t3, ftrace_graph_caller
 	 nop
@@ -131,24 +141,11 @@ EXPORT_SYMBOL(_mcount)
 	bne	t1, t3, ftrace_graph_caller
 	 nop
 #endif
-	b	ftrace_stub
-#ifdef CONFIG_32BIT
-	 addiu sp, sp, 8
-#else
-	 nop
-#endif
-
-static_trace:
-	MCOUNT_SAVE_REGS
-
-	move	a0, ra		/* arg1: self return address */
-	jalr	t2		/* (1) call *ftrace_trace_function */
-	 move	a1, AT		/* arg2: parent's return address */
 
-	MCOUNT_RESTORE_REGS
 #ifdef CONFIG_32BIT
 	addiu sp, sp, 8
 #endif
+
 	.globl ftrace_stub
 ftrace_stub:
 	RETURN_BACK



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 036/220] branch-check: fix long->int truncation when profiling branches
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2018-07-01 16:20 ` [PATCH 4.17 035/220] mips: ftrace: fix static function graph tracing Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 037/220] ipmi:bt: Set the timeout before doing a capabilities check Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Mikulas Patocka,
	Steven Rostedt (VMware)

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream.

The function __builtin_expect returns long type (see the gcc
documentation), and so do macros likely and unlikely. Unfortunatelly, when
CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and
unlikely expand to __branch_check__ and __branch_check__ truncates the
long type to int. This unintended truncation may cause bugs in various
kernel code (we found a bug in dm-writecache because of it), so it's
better to fix __branch_check__ to return long.

Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com

Cc: Ingo Molnar <mingo@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/compiler.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -21,7 +21,7 @@ void ftrace_likely_update(struct ftrace_
 #define unlikely_notrace(x)	__builtin_expect(!!(x), 0)
 
 #define __branch_check__(x, expect, is_constant) ({			\
-			int ______r;					\
+			long ______r;					\
 			static struct ftrace_likely_data		\
 				__attribute__((__aligned__(4)))		\
 				__attribute__((section("_ftrace_annotated_branch"))) \



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 037/220] ipmi:bt: Set the timeout before doing a capabilities check
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 036/220] branch-check: fix long->int truncation when profiling branches Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 038/220] Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nordmark Claes, Corey Minyard

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <cminyard@mvista.com>

commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.

There was one place where the timeout value for an operation was
not being set, if a capabilities request was done from idle.  Move
the timeout value setting to before where that change might be
requested.

IMHO the cause here is the invisible returns in the macros.  Maybe
that's a job for later, though.

Reported-by: Nordmark Claes <Claes.Nordmark@tieto.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/ipmi/ipmi_bt_sm.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_bt_sm.c
+++ b/drivers/char/ipmi/ipmi_bt_sm.c
@@ -504,11 +504,12 @@ static enum si_sm_result bt_event(struct
 		if (status & BT_H_BUSY)		/* clear a leftover H_BUSY */
 			BT_CONTROL(BT_H_BUSY);
 
+		bt->timeout = bt->BT_CAP_req2rsp;
+
 		/* Read BT capabilities if it hasn't been done yet */
 		if (!bt->BT_CAP_outreqs)
 			BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
 					SI_SM_CALL_WITHOUT_DELAY);
-		bt->timeout = bt->BT_CAP_req2rsp;
 		BT_SI_SM_RETURN(SI_SM_IDLE);
 
 	case BT_STATE_XACTION_START:



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 038/220] Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 037/220] ipmi:bt: Set the timeout before doing a capabilities check Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 039/220] printk: fix possible reuse of va_list variable Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Loic Poulain, Nicolas Dechesne,
	Marcel Holtmann, Johan Hedberg, Amit Pundir

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amit Pundir <amit.pundir@linaro.org>

commit 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 upstream.

AOSP use userspace firmware loader to load firmwares, which will
return -EAGAIN in case qca/rampatch_00440302.bin is not found.
Since there is no rampatch for dragonboard820c QCA controller
revision, just make it work as is.

CC: Loic Poulain <loic.poulain@linaro.org>
CC: Nicolas Dechesne <nicolas.dechesne@linaro.org>
CC: Marcel Holtmann <marcel@holtmann.org>
CC: Johan Hedberg <johan.hedberg@gmail.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/hci_qca.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -935,6 +935,12 @@ static int qca_setup(struct hci_uart *hu
 	} else if (ret == -ENOENT) {
 		/* No patch/nvm-config found, run with original fw/config */
 		ret = 0;
+	} else if (ret == -EAGAIN) {
+		/*
+		 * Userspace firmware loader will return -EAGAIN in case no
+		 * patch/nvm-config is found, so run with original fw/config.
+		 */
+		ret = 0;
 	}
 
 	/* Setup bdaddr */



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 039/220] printk: fix possible reuse of va_list variable
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 038/220] Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 040/220] fuse: fix congested state leak on aborted connections Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra, Steven Rostedt,
	dvyukov, syzkaller, fengguang.wu, Tetsuo Handa,
	Sergey Senozhatsky, Petr Mladek

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 988a35f8da1dec5a8cd2788054d1e717be61bf25 upstream.

I noticed that there is a possibility that printk_safe_log_store() causes
kernel oops because "args" parameter is passed to vsnprintf() again when
atomic_cmpxchg() detected that we raced. Fix this by using va_copy().

Link: http://lkml.kernel.org/r/201805112002.GIF21216.OFVHFOMLJtQFSO@I-love.SAKURA.ne.jp
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: dvyukov@google.com
Cc: syzkaller@googlegroups.com
Cc: fengguang.wu@intel.com
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 42a0bb3f71383b45 ("printk/nmi: generic solution for safe printk in NMI")
Cc: 4.7+ <stable@vger.kernel.org> # v4.7+
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/printk/printk_safe.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/kernel/printk/printk_safe.c
+++ b/kernel/printk/printk_safe.c
@@ -82,6 +82,7 @@ static __printf(2, 0) int printk_safe_lo
 {
 	int add;
 	size_t len;
+	va_list ap;
 
 again:
 	len = atomic_read(&s->len);
@@ -100,7 +101,9 @@ again:
 	if (!len)
 		smp_rmb();
 
-	add = vscnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, args);
+	va_copy(ap, args);
+	add = vscnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, ap);
+	va_end(ap);
 	if (!add)
 		return 0;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 040/220] fuse: fix congested state leak on aborted connections
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 039/220] printk: fix possible reuse of va_list variable Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 041/220] fuse: atomic_o_trunc should truncate pagecache Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Joshua Miller,
	Johannes Weiner, Jan Kara, Miklos Szeredi

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit 8a301eb16d99983a4961f884690ec97b92e7dcfe upstream.

If a connection gets aborted while congested, FUSE can leave
nr_wb_congested[] stuck until reboot causing wait_iff_congested() to
wait spuriously which can lead to severe performance degradation.

The leak is caused by gating congestion state clearing with
fc->connected test in request_end().  This was added way back in 2009
by 26c3679101db ("fuse: destroy bdi on umount").  While the commit
description doesn't explain why the test was added, it most likely was
to avoid dereferencing bdi after it got destroyed.

Since then, bdi lifetime rules have changed many times and now we're
always guaranteed to have access to the bdi while the superblock is
alive (fc->sb).

Drop fc->connected conditional to avoid leaking congestion states.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Joshua Miller <joshmiller@fb.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: stable@vger.kernel.org # v2.6.29+
Acked-by: Jan Kara <jack@suse.cz>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -381,8 +381,7 @@ static void request_end(struct fuse_conn
 		if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
 			wake_up(&fc->blocked_waitq);
 
-		if (fc->num_background == fc->congestion_threshold &&
-		    fc->connected && fc->sb) {
+		if (fc->num_background == fc->congestion_threshold && fc->sb) {
 			clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
 			clear_bdi_congested(fc->sb->s_bdi, BLK_RW_ASYNC);
 		}



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 041/220] fuse: atomic_o_trunc should truncate pagecache
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 040/220] fuse: fix congested state leak on aborted connections Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 042/220] fuse: dont keep dead fuse_conn at fuse_fill_super() Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chad Austin, Miklos Szeredi

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit df0e91d488276086bc07da2e389986cae0048c37 upstream.

Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the
O_TRUNC flag in the OPEN request to truncate the file atomically with the
open.

In this mode there's no need to send a SETATTR request to userspace after
the open, so fuse_do_setattr() checks this mode and returns.  But this
misses the important step of truncating the pagecache.

Add the missing parts of truncation to the ATTR_OPEN branch.

Reported-by: Chad Austin <chadaustin@fb.com>
Fixes: 6ff958edbf39 ("fuse: add atomic open+truncate support")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dir.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1629,8 +1629,19 @@ int fuse_do_setattr(struct dentry *dentr
 		return err;
 
 	if (attr->ia_valid & ATTR_OPEN) {
-		if (fc->atomic_o_trunc)
+		/* This is coming from open(..., ... | O_TRUNC); */
+		WARN_ON(!(attr->ia_valid & ATTR_SIZE));
+		WARN_ON(attr->ia_size != 0);
+		if (fc->atomic_o_trunc) {
+			/*
+			 * No need to send request to userspace, since actual
+			 * truncation has already been done by OPEN.  But still
+			 * need to truncate page cache.
+			 */
+			i_size_write(inode, 0);
+			truncate_pagecache(inode, 0);
 			return 0;
+		}
 		file = NULL;
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 042/220] fuse: dont keep dead fuse_conn at fuse_fill_super().
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 041/220] fuse: atomic_o_trunc should truncate pagecache Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 043/220] fuse: fix control dir setup and teardown Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tetsuo Handa, syzbot, John Muir,
	Csaba Henk, Anand Avati, Miklos Szeredi

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.

syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
Since sb->s_fs_info field is not cleared after fc was released by
fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
already released fc and tries to hold the lock. Fix this by clearing
sb->s_fs_info field after calling fuse_conn_put().

[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>
Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
Cc: John Muir <john@jmuir.com>
Cc: Csaba Henk <csaba@gluster.com>
Cc: Anand Avati <avati@redhat.com>
Cc: <stable@vger.kernel.org> # v2.6.31
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/inode.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1179,6 +1179,7 @@ static int fuse_fill_super(struct super_
 	fuse_dev_free(fud);
  err_put_conn:
 	fuse_conn_put(fc);
+	sb->s_fs_info = NULL;
  err_fput:
 	fput(file);
  err:



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 043/220] fuse: fix control dir setup and teardown
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 042/220] fuse: dont keep dead fuse_conn at fuse_fill_super() Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 044/220] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, syzbot, Miklos Szeredi

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.

syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
clear d_inode(dentry)->i_private field.

Fix by only adding the dentry to the array after being fully set up.

When tearing down the control directory, do d_invalidate() on it to get rid
of any mounts that might have been added.

[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6
Reported-by: syzbot <syzbot+32c236387d66c4516827@syzkaller.appspotmail.com>
Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
Cc: <stable@vger.kernel.org> # v2.6.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/control.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/fuse/control.c
+++ b/fs/fuse/control.c
@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr
 	if (!dentry)
 		return NULL;
 
-	fc->ctl_dentry[fc->ctl_ndents++] = dentry;
 	inode = new_inode(fuse_control_sb);
-	if (!inode)
+	if (!inode) {
+		dput(dentry);
 		return NULL;
+	}
 
 	inode->i_ino = get_next_ino();
 	inode->i_mode = mode;
@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr
 	set_nlink(inode, nlink);
 	inode->i_private = fc;
 	d_add(dentry, inode);
+
+	fc->ctl_dentry[fc->ctl_ndents++] = dentry;
+
 	return dentry;
 }
 
@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co
 	for (i = fc->ctl_ndents - 1; i >= 0; i--) {
 		struct dentry *dentry = fc->ctl_dentry[i];
 		d_inode(dentry)->i_private = NULL;
-		d_drop(dentry);
+		if (!i) {
+			/* Get rid of submounts: */
+			d_invalidate(dentry);
+		}
 		dput(dentry);
 	}
 	drop_nlink(d_inode(fuse_control_sb->s_root));



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 044/220] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 043/220] fuse: fix control dir setup and teardown Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 045/220] powerpc/pkeys: Detach execute_only key on !PROT_EXEC Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aneesh Kumar K.V, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>

commit 91d06971881f71d945910de128658038513d1b24 upstream.

Currently we do not have an isync, or any other context synchronizing
instruction prior to the slbie/slbmte in _switch() that updates the
SLB entry for the kernel stack.

However that is not correct as outlined in the ISA.

>From Power ISA Version 3.0B, Book III, Chapter 11, page 1133:

  "Changing the contents of ... the contents of SLB entries ... can
   have the side effect of altering the context in which data
   addresses and instruction addresses are interpreted, and in which
   instructions are executed and data accesses are performed.
   ...
   These side effects need not occur in program order, and therefore
   may require explicit synchronization by software.
   ...
   The synchronizing instruction before the context-altering
   instruction ensures that all instructions up to and including that
   synchronizing instruction are fetched and executed in the context
   that existed before the alteration."

And page 1136:

  "For data accesses, the context synchronizing instruction before the
   slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures
   that all preceding instructions that access data storage have
   completed to a point at which they have reported all exceptions
   they will cause."

We're not aware of any bugs caused by this, but it should be fixed
regardless.

Add the missing isync when updating kernel stack SLB entry.

Cc: stable@vger.kernel.org
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
[mpe: Flesh out change log with more ISA text & explanation]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/entry_64.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -596,6 +596,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEG
 	 * actually hit this code path.
 	 */
 
+	isync
 	slbie	r6
 	slbie	r6		/* Workaround POWER5 < DD2.1 issue */
 	slbmte	r7,r0



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 045/220] powerpc/pkeys: Detach execute_only key on !PROT_EXEC
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 044/220] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 046/220] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shakeel Butt, Ram Pai,
	Thiago Jung Bauermann, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ram Pai <linuxram@us.ibm.com>

commit eabdb8ca8690eedd461e61ea7780595fbbae8132 upstream.

Disassociate the exec_key from a VMA if the VMA permission is not
PROT_EXEC anymore. Otherwise the exec_only key continues to be
associated with the vma, causing unexpected behavior.

The problem was reported on x86 by Shakeel Butt, which is also
applicable on powerpc.

Fixes: 5586cf61e108 ("powerpc: introduce execute-only pkey")
Cc: stable@vger.kernel.org # v4.16+
Reported-by: Shakeel Butt <shakeelb@google.com>
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/mm/pkeys.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -383,9 +383,9 @@ int __arch_override_mprotect_pkey(struct
 {
 	/*
 	 * If the currently associated pkey is execute-only, but the requested
-	 * protection requires read or write, move it back to the default pkey.
+	 * protection is not execute-only, move it back to the default pkey.
 	 */
-	if (vma_is_pkey_exec_only(vma) && (prot & (PROT_READ | PROT_WRITE)))
+	if (vma_is_pkey_exec_only(vma) && (prot != PROT_EXEC))
 		return 0;
 
 	/*



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 046/220] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 045/220] powerpc/pkeys: Detach execute_only key on !PROT_EXEC Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 047/220] powerpc/perf: Fix memory allocation for core-imc based on num_possible_cpus() Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Neuling, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream.

In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when
validating DAWR region end") we fixed setting the DAWR end point to
its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke
PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint.

PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to
zero (memset() in hw_breakpoint_init()). This worked with
arch_validate_hwbkpt_settings() before the above patch was applied but
is now broken if the breakpoint is 512byte aligned.

This sets the length of the breakpoint to 8 bytes when using
PTRACE_SET_DEBUGREG.

Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end")
Cc: stable@vger.kernel.org # v3.11+
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/ptrace.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -2443,6 +2443,7 @@ static int ptrace_set_debugreg(struct ta
 	/* Create a new breakpoint request if one doesn't exist already */
 	hw_breakpoint_init(&attr);
 	attr.bp_addr = hw_brk.address;
+	attr.bp_len = 8;
 	arch_bp_generic_fields(hw_brk.type,
 			       &attr.bp_type);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 047/220] powerpc/perf: Fix memory allocation for core-imc based on num_possible_cpus()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 046/220] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 048/220] powerpc/ptrace: Fix enforcement of DAWR constraints Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pridhiviraj Paidipeddi,
	Anju T Sudhakar, Balbir Singh, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anju T Sudhakar <anju@linux.vnet.ibm.com>

commit d2032678e57fc508d7878307badde8f89b632ba3 upstream.

Currently memory is allocated for core-imc based on cpu_present_mask,
which has bit 'cpu' set iff cpu is populated. We use (cpu number / threads
per core) as the array index to access the memory.

Under some circumstances firmware marks a CPU as GUARDed CPU and boot the
system, until cleared of errors, these CPU's are unavailable for all
subsequent boots. GUARDed CPUs are possible but not present from linux
view, so it blows a hole when we assume the max length of our allocation
is driven by our max present cpus, where as one of the cpus might be online
and be beyond the max present cpus, due to the hole.
So (cpu number / threads per core) value bounds the array index and leads
to memory overflow.

Call trace observed during a guard test:

Faulting instruction address: 0xc000000000149f1c
cpu 0x69: Vector: 380 (Data Access Out of Range) at [c000003fea303420]
    pc:c000000000149f1c: prefetch_freepointer+0x14/0x30
    lr:c00000000014e0f8: __kmalloc+0x1a8/0x1ac
    sp:c000003fea3036a0
   msr:9000000000009033
   dar:c9c54b2c91dbf6b7
  current = 0xc000003fea2c0000
  paca    = 0xc00000000fddd880	 softe: 3	 irq_happened: 0x01
    pid   = 1, comm = swapper/104
Linux version 4.16.7-openpower1 (smc@smc-desktop) (gcc version 6.4.0
(Buildroot 2018.02.1-00006-ga8d1126)) #2 SMP Fri May 4 16:44:54 PDT 2018
enter ? for help
call trace:
	 __kmalloc+0x1a8/0x1ac
	 (unreliable)
	 init_imc_pmu+0x7f4/0xbf0
	 opal_imc_counters_probe+0x3fc/0x43c
	 platform_drv_probe+0x48/0x80
	 driver_probe_device+0x22c/0x308
	 __driver_attach+0xa0/0xd8
	 bus_for_each_dev+0x88/0xb4
	 driver_attach+0x2c/0x40
	 bus_add_driver+0x1e8/0x228
	 driver_register+0xd0/0x114
	 __platform_driver_register+0x50/0x64
	 opal_imc_driver_init+0x24/0x38
	 do_one_initcall+0x150/0x15c
	 kernel_init_freeable+0x250/0x254
	 kernel_init+0x1c/0x150
	 ret_from_kernel_thread+0x5c/0xc8

Allocating memory for core-imc based on cpu_possible_mask, which has
bit 'cpu' set iff cpu is populatable, will fix this issue.

Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
Reviewed-by: Balbir Singh <bsingharora@gmail.com>
Tested-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
Fixes: 39a846db1d57 ("powerpc/perf: Add core IMC PMU support")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/perf/imc-pmu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/perf/imc-pmu.c
+++ b/arch/powerpc/perf/imc-pmu.c
@@ -1146,7 +1146,7 @@ static int init_nest_pmu_ref(void)
 
 static void cleanup_all_core_imc_memory(void)
 {
-	int i, nr_cores = DIV_ROUND_UP(num_present_cpus(), threads_per_core);
+	int i, nr_cores = DIV_ROUND_UP(num_possible_cpus(), threads_per_core);
 	struct imc_mem_info *ptr = core_imc_pmu->mem_info;
 	int size = core_imc_pmu->counter_mem_size;
 
@@ -1264,7 +1264,7 @@ static int imc_mem_init(struct imc_pmu *
 		if (!pmu_ptr->pmu.name)
 			return -ENOMEM;
 
-		nr_cores = DIV_ROUND_UP(num_present_cpus(), threads_per_core);
+		nr_cores = DIV_ROUND_UP(num_possible_cpus(), threads_per_core);
 		pmu_ptr->mem_info = kcalloc(nr_cores, sizeof(struct imc_mem_info),
 								GFP_KERNEL);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 048/220] powerpc/ptrace: Fix enforcement of DAWR constraints
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 047/220] powerpc/perf: Fix memory allocation for core-imc based on num_possible_cpus() Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 049/220] powerpc/powernv/ioda2: Remove redundant free of TCE pages Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Neuling, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream.

Back when we first introduced the DAWR, in commit 4ae7ebe9522a
("powerpc: Change hardware breakpoint to allow longer ranges"), we
screwed up the constraint making it a 1024 byte boundary rather than a
512. This makes the check overly permissive. Fortunately GDB is the
only real user and it always did they right thing, so we never
noticed.

This fixes the constraint to 512 bytes.

Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges")
Cc: stable@vger.kernel.org # v3.9+
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/hw_breakpoint.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/hw_breakpoint.c
+++ b/arch/powerpc/kernel/hw_breakpoint.c
@@ -178,8 +178,8 @@ int arch_validate_hwbkpt_settings(struct
 	if (cpu_has_feature(CPU_FTR_DAWR)) {
 		length_max = 512 ; /* 64 doublewords */
 		/* DAWR region can't cross 512 boundary */
-		if ((bp->attr.bp_addr >> 10) != 
-		    ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10))
+		if ((bp->attr.bp_addr >> 9) !=
+		    ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9))
 			return -EINVAL;
 	}
 	if (info->len >



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 049/220] powerpc/powernv/ioda2: Remove redundant free of TCE pages
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 048/220] powerpc/ptrace: Fix enforcement of DAWR constraints Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 050/220] powerpc/powernv: copy/paste - Mask SO bit in CR Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Kardashevskiy, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kardashevskiy <aik@ozlabs.ru>

commit 98fd72fe82527fd26618062b60cfd329451f2329 upstream.

When IODA2 creates a PE, it creates an IOMMU table with it_ops::free
set to pnv_ioda2_table_free() which calls pnv_pci_ioda2_table_free_pages().

Since iommu_tce_table_put() calls it_ops::free when the last reference
to the table is released, explicit call to pnv_pci_ioda2_table_free_pages()
is not needed so let's remove it.

This should fix double free in the case of PCI hotuplug as
pnv_pci_ioda2_table_free_pages() does not reset neither
iommu_table::it_base nor ::it_size.

This was not exposed by SRIOV as it uses different code path via
pnv_pcibios_sriov_disable().

IODA1 does not inialize it_ops::free so it does not have this issue.

Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE")
Cc: stable@vger.kernel.org # v4.8+
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/powernv/pci-ioda.c |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/powerpc/platforms/powernv/pci-ioda.c
+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
@@ -3642,7 +3642,6 @@ static void pnv_pci_ioda2_release_pe_dma
 		WARN_ON(pe->table_group.group);
 	}
 
-	pnv_pci_ioda2_table_free_pages(tbl);
 	iommu_tce_table_put(tbl);
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 050/220] powerpc/powernv: copy/paste - Mask SO bit in CR
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 049/220] powerpc/powernv/ioda2: Remove redundant free of TCE pages Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 051/220] powerpc/powernv/cpuidle: Init all present cpus for deep states Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Haren Myneni, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Haren Myneni <haren@us.ibm.com>

commit 75743649064ec0cf5ddd69f240ef23af66dde16e upstream.

NX can set the 3rd bit in CR register for XER[SO] (Summary overflow)
which is not related to paste request. The current paste function
returns failure for a successful request when this bit is set. So mask
this bit and check the proper return status.

Fixes: 2392c8c8c045 ("powerpc/powernv/vas: Define copy/paste interfaces")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Haren Myneni <haren@us.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/powernv/copy-paste.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/powerpc/platforms/powernv/copy-paste.h
+++ b/arch/powerpc/platforms/powernv/copy-paste.h
@@ -42,5 +42,6 @@ static inline int vas_paste(void *paste_
 		: "b" (offset), "b" (paste_address)
 		: "memory", "cr0");
 
-	return (cr >> CR0_SHIFT) & CR0_MASK;
+	/* We mask with 0xE to ignore SO */
+	return (cr >> CR0_SHIFT) & 0xE;
 }



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 051/220] powerpc/powernv/cpuidle: Init all present cpus for deep states
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 050/220] powerpc/powernv: copy/paste - Mask SO bit in CR Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 052/220] cpuidle: powernv: Fix promotion from snooze if next state disabled Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Akshay Adiga, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Akshay Adiga <akshay.adiga@linux.vnet.ibm.com>

commit ac9816dcbab53c57bcf1d7b15370b08f1e284318 upstream.

Init all present cpus for deep states instead of "all possible" cpus.
Init fails if a possible cpu is guarded. Resulting in making only
non-deep states available for cpuidle/hotplug.

Stewart says, this means that for single threaded workloads, if you
guard out a CPU core you'll not get WoF (Workload Optimised
Frequency), which means that performance goes down when you wouldn't
expect it to.

Fixes: 77b54e9f213f ("powernv/powerpc: Add winkle support for offline cpus")
Cc: stable@vger.kernel.org # v3.19+
Signed-off-by: Akshay Adiga <akshay.adiga@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/powernv/idle.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/powernv/idle.c
+++ b/arch/powerpc/platforms/powernv/idle.c
@@ -79,7 +79,7 @@ static int pnv_save_sprs_for_deep_states
 	uint64_t msr_val = MSR_IDLE;
 	uint64_t psscr_val = pnv_deepest_stop_psscr_val;
 
-	for_each_possible_cpu(cpu) {
+	for_each_present_cpu(cpu) {
 		uint64_t pir = get_hard_smp_processor_id(cpu);
 		uint64_t hsprg0_val = (uint64_t)paca_ptrs[cpu];
 
@@ -814,7 +814,7 @@ static int __init pnv_init_idle_states(v
 		int cpu;
 
 		pr_info("powernv: idle: Saving PACA pointers of all CPUs in their thread sibling PACA\n");
-		for_each_possible_cpu(cpu) {
+		for_each_present_cpu(cpu) {
 			int base_cpu = cpu_first_thread_sibling(cpu);
 			int idx = cpu_thread_in_core(cpu);
 			int i;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 052/220] cpuidle: powernv: Fix promotion from snooze if next state disabled
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 051/220] powerpc/powernv/cpuidle: Init all present cpus for deep states Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 053/220] powerpc/fadump: Unregister fadump on kexec down path Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gautham R. Shenoy, Balbir Singh,
	Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gautham R. Shenoy <ego@linux.vnet.ibm.com>

commit 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 upstream.

The commit 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of
snooze to deeper idle state") introduced a timeout for the snooze idle
state so that it could be eventually be promoted to a deeper idle
state. The snooze timeout value is static and set to the target
residency of the next idle state, which would train the cpuidle
governor to pick the next idle state eventually.

The unfortunate side-effect of this is that if the next idle state(s)
is disabled, the CPU will forever remain in snooze, despite the fact
that the system is completely idle, and other deeper idle states are
available.

This patch fixes the issue by dynamically setting the snooze timeout
to the target residency of the next enabled state on the device.

Before Patch:
  POWER8 : Only nap disabled.
  $ cpupower monitor sleep 30
  sleep took 30.01297 seconds and exited with status 0
                |Idle_Stats
  PKG |CORE|CPU | snoo | Nap  | Fast
     0|   8|   0| 96.41|  0.00|  0.00
     0|   8|   1| 96.43|  0.00|  0.00
     0|   8|   2| 96.47|  0.00|  0.00
     0|   8|   3| 96.35|  0.00|  0.00
     0|   8|   4| 96.37|  0.00|  0.00
     0|   8|   5| 96.37|  0.00|  0.00
     0|   8|   6| 96.47|  0.00|  0.00
     0|   8|   7| 96.47|  0.00|  0.00

  POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
  stop2) disabled:
  $ cpupower monitor sleep 30
  sleep took 30.05033 seconds and exited with status 0
                |Idle_Stats
  PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
     0|  16|   0| 89.79|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
     0|  16|   1| 90.12|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
     0|  16|   2| 90.21|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
     0|  16|   3| 90.29|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00

After Patch:
  POWER8 : Only nap disabled.
  $ cpupower monitor sleep 30
  sleep took 30.01200 seconds and exited with status 0
                |Idle_Stats
  PKG |CORE|CPU | snoo | Nap  | Fast
     0|   8|   0| 16.58|  0.00| 77.21
     0|   8|   1| 18.42|  0.00| 75.38
     0|   8|   2|  4.70|  0.00| 94.09
     0|   8|   3| 17.06|  0.00| 81.73
     0|   8|   4|  3.06|  0.00| 95.73
     0|   8|   5|  7.00|  0.00| 96.80
     0|   8|   6|  1.00|  0.00| 98.79
     0|   8|   7|  5.62|  0.00| 94.17

  POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
  stop2) disabled:

  $ cpupower monitor sleep 30
  sleep took 30.02110 seconds and exited with status 0
                |Idle_Stats
  PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
     0|   0|   0|  0.69|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  9.39| 89.70
     0|   0|   1|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.05| 93.21
     0|   0|   2|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00| 89.93
     0|   0|   3|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00| 93.26

Fixes: 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state")
Cc: stable@vger.kernel.org # v4.2+
Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
Reviewed-by: Balbir Singh <bsingharora@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpuidle/cpuidle-powernv.c |   32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

--- a/drivers/cpuidle/cpuidle-powernv.c
+++ b/drivers/cpuidle/cpuidle-powernv.c
@@ -43,9 +43,31 @@ struct stop_psscr_table {
 
 static struct stop_psscr_table stop_psscr_table[CPUIDLE_STATE_MAX] __read_mostly;
 
-static u64 snooze_timeout __read_mostly;
+static u64 default_snooze_timeout __read_mostly;
 static bool snooze_timeout_en __read_mostly;
 
+static u64 get_snooze_timeout(struct cpuidle_device *dev,
+			      struct cpuidle_driver *drv,
+			      int index)
+{
+	int i;
+
+	if (unlikely(!snooze_timeout_en))
+		return default_snooze_timeout;
+
+	for (i = index + 1; i < drv->state_count; i++) {
+		struct cpuidle_state *s = &drv->states[i];
+		struct cpuidle_state_usage *su = &dev->states_usage[i];
+
+		if (s->disabled || su->disable)
+			continue;
+
+		return s->target_residency * tb_ticks_per_usec;
+	}
+
+	return default_snooze_timeout;
+}
+
 static int snooze_loop(struct cpuidle_device *dev,
 			struct cpuidle_driver *drv,
 			int index)
@@ -56,7 +78,7 @@ static int snooze_loop(struct cpuidle_de
 
 	local_irq_enable();
 
-	snooze_exit_time = get_tb() + snooze_timeout;
+	snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index);
 	ppc64_runlatch_off();
 	HMT_very_low();
 	while (!need_resched()) {
@@ -465,11 +487,9 @@ static int powernv_idle_probe(void)
 		cpuidle_state_table = powernv_states;
 		/* Device tree can indicate more idle states */
 		max_idle_state = powernv_add_idle_states();
-		if (max_idle_state > 1) {
+		default_snooze_timeout = TICK_USEC * tb_ticks_per_usec;
+		if (max_idle_state > 1)
 			snooze_timeout_en = true;
-			snooze_timeout = powernv_states[1].target_residency *
-					 tb_ticks_per_usec;
-		}
  	} else
  		return -ENODEV;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 053/220] powerpc/fadump: Unregister fadump on kexec down path.
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 052/220] cpuidle: powernv: Fix promotion from snooze if next state disabled Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 054/220] libnvdimm, pmem: Do not flush power-fail protected CPU caches Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mahesh Salgaonkar, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>

commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream.

Unregister fadump on kexec down path otherwise the fadump registration
in new kexec-ed kernel complains that fadump is already registered.
This makes new kernel to continue using fadump registered by previous
kernel which may lead to invalid vmcore generation. Hence this patch
fixes this issue by un-registering fadump in fadump_cleanup() which is
called during kexec path so that new kernel can register fadump with
new valid values.

Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.")
Cc: stable@vger.kernel.org # v3.4+
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/fadump.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -1155,6 +1155,9 @@ void fadump_cleanup(void)
 		init_fadump_mem_struct(&fdm,
 			be64_to_cpu(fdm_active->cpu_state_data.destination_address));
 		fadump_invalidate_dump(&fdm);
+	} else if (fw_dump.dump_registered) {
+		/* Un-register Firmware-assisted dump if it was registered. */
+		fadump_unregister_dump(&fdm);
 	}
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 054/220] libnvdimm, pmem: Do not flush power-fail protected CPU caches
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 053/220] powerpc/fadump: Unregister fadump on kexec down path Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 055/220] soc: rockchip: power-domain: Fix wrong value when power up pd with writemask Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ross Zwisler, Dan Williams

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Zwisler <ross.zwisler@linux.intel.com>

commit 546eb0317cfa3c4f9e1d9ab892766d65d7f78fad upstream.

This commit:

5fdf8e5ba566 ("libnvdimm: re-enable deep flush for pmem devices via fsync()")

intended to make sure that deep flush was always available even on
platforms which support a power-fail protected CPU cache.  An unintended
side effect of this change was that we also lost the ability to skip
flushing CPU caches on those power-fail protected CPU cache.

Fix this by skipping the low level cache flushing in dax_flush() if we have
CPU caches which are power-fail protected.  The user can still override this
behavior by manually setting the write_cache state of a namespace.  See
libndctl's ndctl_namespace_write_cache_is_enabled(),
ndctl_namespace_enable_write_cache() and
ndctl_namespace_disable_write_cache() functions.

Cc: <stable@vger.kernel.org>
Fixes: 5fdf8e5ba566 ("libnvdimm: re-enable deep flush for pmem devices via fsync()")
Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nvdimm/region_devs.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/nvdimm/region_devs.c
+++ b/drivers/nvdimm/region_devs.c
@@ -1132,7 +1132,8 @@ EXPORT_SYMBOL_GPL(nvdimm_has_flush);
 
 int nvdimm_has_cache(struct nd_region *nd_region)
 {
-	return is_nd_pmem(&nd_region->dev);
+	return is_nd_pmem(&nd_region->dev) &&
+		!test_bit(ND_REGION_PERSIST_CACHE, &nd_region->flags);
 }
 EXPORT_SYMBOL_GPL(nvdimm_has_cache);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 055/220] soc: rockchip: power-domain: Fix wrong value when power up pd with writemask
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 054/220] libnvdimm, pmem: Do not flush power-fail protected CPU caches Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 056/220] powerpc/64s/radix: Fix radix_kvm_prefetch_workaround paca access of not possible CPU Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Finley Xiao, Elaine Zhang,
	Ulf Hansson, Heiko Stuebner

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finley Xiao <finley.xiao@rock-chips.com>

commit 9e59c5f66c624b43c766a9fe3b2430e0e976bf0e upstream.

Solve the pd could only ever turn off but never turn them on again,
if the pd registers have the writemask bits.

So far this affects the rk3328 only.

Fixes: 79bb17ce8edb ("soc: rockchip: power-domain: Support domain control in hiword-registers")
Cc: stable@vger.kernel.org
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
Signed-off-by: Elaine Zhang <zhangqing@rock-chips.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/soc/rockchip/pm_domains.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/soc/rockchip/pm_domains.c
+++ b/drivers/soc/rockchip/pm_domains.c
@@ -255,7 +255,7 @@ static void rockchip_do_pmu_set_power_do
 		return;
 	else if (pd->info->pwr_w_mask)
 		regmap_write(pmu->regmap, pmu->info->pwr_offset,
-			     on ? pd->info->pwr_mask :
+			     on ? pd->info->pwr_w_mask :
 			     (pd->info->pwr_mask | pd->info->pwr_w_mask));
 	else
 		regmap_update_bits(pmu->regmap, pmu->info->pwr_offset,



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 056/220] powerpc/64s/radix: Fix radix_kvm_prefetch_workaround paca access of not possible CPU
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 055/220] soc: rockchip: power-domain: Fix wrong value when power up pd with writemask Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 057/220] powerpc/e500mc: Set assembler machine type to e500mc Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Pridhiviraj Paidipeddi,
	Nicholas Piggin, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>

commit 758380b8155f69b4e2f77f27562f8a7a466749d6 upstream.

If possible CPUs are limited (e.g., by kexec), then the kvm prefetch
workaround function can access the paca pointer for a !possible CPU.

Fixes: d2e60075a3d44 ("powerpc/64: Use array of paca pointers and allocate pacas individually")
Cc: stable@kernel.org
Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
Tested-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/mm/tlb-radix.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/powerpc/mm/tlb-radix.c
+++ b/arch/powerpc/mm/tlb-radix.c
@@ -733,6 +733,8 @@ extern void radix_kvm_prefetch_workaroun
 		for (; sib <= cpu_last_thread_sibling(cpu) && !flush; sib++) {
 			if (sib == cpu)
 				continue;
+			if (!cpu_possible(sib))
+				continue;
 			if (paca_ptrs[sib]->kvm_hstate.kvm_vcpu)
 				flush = true;
 		}



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 057/220] powerpc/e500mc: Set assembler machine type to e500mc
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 056/220] powerpc/64s/radix: Fix radix_kvm_prefetch_workaround paca access of not possible CPU Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 058/220] powerpc/64s: Fix DT CPU features Power9 DD2.1 logic Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Jeanson, Mathieu Desnoyers,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	Kumar Gala, Vakul Garg, Scott Wood, linuxppc-dev

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Jeanson <mjeanson@efficios.com>

commit 69a8405999aa1c489de4b8d349468f0c2b83f093 upstream.

In binutils 2.26 a new opcode for the "wait" instruction was added for the
POWER9 and has precedence over the one specific to the e500mc. Commit
ebf714ff3756 ("powerpc/e500mc: Add support for the wait instruction in
e500_idle") uses this instruction specifically on the e500mc to work around
an erratum.

This results in an invalid instruction in idle_e500 when we build for the
e500mc on bintutils >= 2.26 with the default assembler machine type.

Since multiplatform between e500 and non-e500 is not supported, set the
assembler machine type globaly when CONFIG_PPC_E500MC=y.

Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
CC: Benjamin Herrenschmidt <benh@kernel.crashing.org>
CC: Paul Mackerras <paulus@samba.org>
CC: Michael Ellerman <mpe@ellerman.id.au>
CC: Kumar Gala <galak@kernel.crashing.org>
CC: Vakul Garg <vakul.garg@nxp.com>
CC: Scott Wood <swood@redhat.com>
CC: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
CC: linuxppc-dev@lists.ozlabs.org
CC: linux-kernel@vger.kernel.org
CC: stable@vger.kernel.org
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/Makefile |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/Makefile
+++ b/arch/powerpc/Makefile
@@ -251,6 +251,7 @@ cpu-as-$(CONFIG_4xx)		+= -Wa,-m405
 cpu-as-$(CONFIG_ALTIVEC)	+= $(call as-option,-Wa$(comma)-maltivec)
 cpu-as-$(CONFIG_E200)		+= -Wa,-me200
 cpu-as-$(CONFIG_PPC_BOOK3S_64)	+= -Wa,-mpower4
+cpu-as-$(CONFIG_PPC_E500MC)	+= $(call as-option,-Wa$(comma)-me500mc)
 
 KBUILD_AFLAGS += $(cpu-as-y)
 KBUILD_CFLAGS += $(cpu-as-y)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 058/220] powerpc/64s: Fix DT CPU features Power9 DD2.1 logic
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 057/220] powerpc/e500mc: Set assembler machine type to e500mc Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 059/220] cxl: Configure PSL to not use APC virtual machines Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Mackerras, Michael Ellerman,
	Nicholas Piggin

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit 749a0278c2177b2d16da5d8b135ba7f940bb4199 upstream.

In the device tree CPU features quirk code we want to set
CPU_FTR_POWER9_DD2_1 on all Power9s that aren't DD2.0 or earlier. But
we got the logic wrong and instead set it on all CPUs that aren't
Power9 DD2.0 or earlier, ie. including Power8.

Fix it by making sure we're on a Power9. This isn't a bug in practice
because the only code that checks the feature is Power9 only to begin
with. But we'll backport it anyway to avoid confusion.

Fixes: 9e9626ed3a4a ("powerpc/64s: Fix POWER9 DD2.2 and above in DT CPU features")
Cc: stable@vger.kernel.org # v4.17+
Reported-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Acked-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/dt_cpu_ftrs.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/dt_cpu_ftrs.c
+++ b/arch/powerpc/kernel/dt_cpu_ftrs.c
@@ -711,7 +711,8 @@ static __init void cpufeatures_cpu_quirk
 		cur_cpu_spec->cpu_features |= CPU_FTR_P9_TM_HV_ASSIST;
 		cur_cpu_spec->cpu_features |= CPU_FTR_P9_TM_XER_SO_BUG;
 		cur_cpu_spec->cpu_features |= CPU_FTR_POWER9_DD2_1;
-	} else /* DD2.1 and up have DD2_1 */
+	} else if ((version & 0xffff0000) == 0x004e0000)
+		/* DD2.1 and up have DD2_1 */
 		cur_cpu_spec->cpu_features |= CPU_FTR_POWER9_DD2_1;
 
 	if ((version & 0xffff0000) == 0x004e0000) {



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 059/220] cxl: Configure PSL to not use APC virtual machines
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 058/220] powerpc/64s: Fix DT CPU features Power9 DD2.1 logic Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 060/220] cxl: Disable prefault_mode in Radix mode Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vaibhav Jain, Andrew Donnellan,
	Alastair DSilva, Christophe Lombard, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>

commit 9a6d2022bacd8fca0be6297459a02dfd28dad6ba upstream.

APC virtual machines arent used on POWER-9 chips and are already
disabled in on-chip CAPP. They also need to be disabled on the PSL via
'PSL Data Send Control Register' by setting bit(47). This forces the
PSL to send commands to CAPP with queue.id == 0.

Fixes: 5632874311db ("cxl: Add support for POWER9 DD2")
Cc: stable@vger.kernel.org # v4.15+
Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Reviewed-by: Alastair D'Silva <alastair@d-silva.org>
Reviewed-by: Christophe Lombard <clombard@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/cxl/pci.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/misc/cxl/pci.c
+++ b/drivers/misc/cxl/pci.c
@@ -514,9 +514,9 @@ static int init_implementation_adapter_r
 	cxl_p1_write(adapter, CXL_PSL9_FIR_CNTL, psl_fircntl);
 
 	/* Setup the PSL to transmit packets on the PCIe before the
-	 * CAPP is enabled
+	 * CAPP is enabled. Make sure that CAPP virtual machines are disabled
 	 */
-	cxl_p1_write(adapter, CXL_PSL9_DSNDCTL, 0x0001001000002A10ULL);
+	cxl_p1_write(adapter, CXL_PSL9_DSNDCTL, 0x0001001000012A10ULL);
 
 	/*
 	 * A response to an ASB_Notify request is returned by the



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 060/220] cxl: Disable prefault_mode in Radix mode
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 059/220] cxl: Configure PSL to not use APC virtual machines Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 061/220] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vaibhav Jain, Frederic Barrat,
	Andrew Donnellan, Michael Ellerman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vaibhav Jain <vaibhav@linux.ibm.com>

commit b6c84ba22ff3a198eb8d5552cf9b8fda1d792e54 upstream.

Currently we see a kernel-oops reported on Power-9 while attaching a
context to an AFU, with radix-mode and sysfs attr 'prefault_mode' set
to anything other than 'none'. The backtrace of the oops is of this
form:

  Unable to handle kernel paging request for data at address 0x00000080
  Faulting instruction address: 0xc00800000bcf3b20
  cpu 0x1: Vector: 300 (Data Access) at [c00000037f003800]
      pc: c00800000bcf3b20: cxl_load_segment+0x178/0x290 [cxl]
      lr: c00800000bcf39f0: cxl_load_segment+0x48/0x290 [cxl]
      sp: c00000037f003a80
     msr: 9000000000009033
     dar: 80
   dsisr: 40000000
    current = 0xc00000037f280000
    paca    = 0xc0000003ffffe600   softe: 3        irq_happened: 0x01
      pid   = 3529, comm = afp_no_int
  <snip>
  cxl_prefault+0xfc/0x248 [cxl]
  process_element_entry_psl9+0xd8/0x1a0 [cxl]
  cxl_attach_dedicated_process_psl9+0x44/0x130 [cxl]
  native_attach_process+0xc0/0x130 [cxl]
  afu_ioctl+0x3f4/0x5e0 [cxl]
  do_vfs_ioctl+0xdc/0x890
  ksys_ioctl+0x68/0xf0
  sys_ioctl+0x40/0xa0
  system_call+0x58/0x6c

The issue is caused as on Power-8 the AFU attr 'prefault_mode' was
used to improve initial storage fault performance by prefaulting
process segments. However on Power-9 with radix mode we don't have
Storage-Segments that we can prefault. Also prefaulting process Pages
will be too costly and fine-grained.

Hence, since the prefaulting mechanism doesn't makes sense of
radix-mode, this patch updates prefault_mode_store() to not allow any
other value apart from CXL_PREFAULT_NONE when radix mode is enabled.

Fixes: f24be42aab37 ("cxl: Add psl9 specific code")
Cc: stable@vger.kernel.org # v4.12+
Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/ABI/testing/sysfs-class-cxl |    4 +++-
 drivers/misc/cxl/sysfs.c                  |   16 ++++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)

--- a/Documentation/ABI/testing/sysfs-class-cxl
+++ b/Documentation/ABI/testing/sysfs-class-cxl
@@ -69,7 +69,9 @@ Date:           September 2014
 Contact:        linuxppc-dev@lists.ozlabs.org
 Description:    read/write
                 Set the mode for prefaulting in segments into the segment table
-                when performing the START_WORK ioctl. Possible values:
+                when performing the START_WORK ioctl. Only applicable when
+                running under hashed page table mmu.
+                Possible values:
                         none: No prefaulting (default)
                         work_element_descriptor: Treat the work element
                                  descriptor as an effective address and
--- a/drivers/misc/cxl/sysfs.c
+++ b/drivers/misc/cxl/sysfs.c
@@ -353,12 +353,20 @@ static ssize_t prefault_mode_store(struc
 	struct cxl_afu *afu = to_cxl_afu(device);
 	enum prefault_modes mode = -1;
 
-	if (!strncmp(buf, "work_element_descriptor", 23))
-		mode = CXL_PREFAULT_WED;
-	if (!strncmp(buf, "all", 3))
-		mode = CXL_PREFAULT_ALL;
 	if (!strncmp(buf, "none", 4))
 		mode = CXL_PREFAULT_NONE;
+	else {
+		if (!radix_enabled()) {
+
+			/* only allowed when not in radix mode */
+			if (!strncmp(buf, "work_element_descriptor", 23))
+				mode = CXL_PREFAULT_WED;
+			if (!strncmp(buf, "all", 3))
+				mode = CXL_PREFAULT_ALL;
+		} else {
+			dev_err(device, "Cannot prefault with radix enabled\n");
+		}
+	}
 
 	if (mode == -1)
 		return -EINVAL;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 061/220] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 060/220] cxl: Disable prefault_mode in Radix mode Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 062/220] ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VDD-CPUX voltage Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Rivshin, Rabin Vincent,
	Daniel Thompson, Russell King

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Rivshin <DRivshin@allworx.com>

commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream.

NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
is the number of total registers, while GDB_MAX_REGS is the number
of 'unsigned longs' it takes to serialize those registers. Since
FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
smaller than GDB_MAX_REGS.

This causes GDB 8.0 give the following error on connect:
"Truncated register 19 in remote 'g' packet"

This also causes the register serialization/deserialization logic
to overflow gdb_regs[], overwriting whatever follows.

Fixes: 834b2964b7ab ("kgdb,arm: fix register dump")
Cc: <stable@vger.kernel.org> # 2.6.37+
Signed-off-by: David Rivshin <drivshin@allworx.com>
Acked-by: Rabin Vincent <rabin@rab.in>
Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/include/asm/kgdb.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/include/asm/kgdb.h
+++ b/arch/arm/include/asm/kgdb.h
@@ -77,7 +77,7 @@ extern int kgdb_fault_expected;
 
 #define KGDB_MAX_NO_CPUS	1
 #define BUFMAX			400
-#define NUMREGBYTES		(DBG_MAX_REG_NUM << 2)
+#define NUMREGBYTES		(GDB_MAX_REGS << 2)
 #define NUMCRITREGBYTES		(32 << 2)
 
 #define _R0			0



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 062/220] ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VDD-CPUX voltage
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 061/220] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 063/220] ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VCC-1V2 regulator voltage Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Icenowy Zheng, Chen-Yu Tsai

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Icenowy Zheng <icenowy@aosc.io>

commit e6e7b7c2c81e05c8774193da06348119583d4292 upstream.

The VDD-CPUX voltage of ALL-H3-CC H3 ver should be 1.2V, not the 3.3V
currently defined in the device tree.

Fix the voltage in the device tree.

Fixes: 6ca358645d4d ("ARM: dts: sun8i: h3: Add dts file for Libre Computer Board ALL-H3-CC H3 ver.")
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Reviewed-by: Chen-Yu Tsai <wens@csie.org>
Cc: <stable@vger.kernel.org> # 4.16.x
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts
+++ b/arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts
@@ -113,8 +113,8 @@
 	reg_vdd_cpux: vdd-cpux {
 		compatible = "regulator-fixed";
 		regulator-name = "vdd-cpux";
-		regulator-min-microvolt = <3300000>;
-		regulator-max-microvolt = <3300000>;
+		regulator-min-microvolt = <1200000>;
+		regulator-max-microvolt = <1200000>;
 		regulator-always-on;
 		regulator-boot-on;
 		vin-supply = <&reg_vcc5v0>;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 063/220] ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VCC-1V2 regulator voltage
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 062/220] ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VDD-CPUX voltage Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 064/220] ARM: dts: Fix SPI node for Arria10 Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Maxime Ripard

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen-Yu Tsai <wens@csie.org>

commit bceb1f25b8614e529cc74c5f2339e84f4d4a88ae upstream.

The voltage of the VCC-1V2 regulator on the ALL-H3-CC H3 ver. should be
1.2V, not the 3.3V currently defined in the device tree.

Fix the voltage in the device tree.

Fixes: 6ca358645d4d ("ARM: dts: sun8i: h3: Add dts file for Libre
		      Computer Board ALL-H3-CC H3 ver.")
Cc: <stable@vger.kernel.org> # 4.16.x
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts
+++ b/arch/arm/boot/dts/sun8i-h3-libretech-all-h3-cc.dts
@@ -62,8 +62,8 @@
 	reg_vcc1v2: vcc1v2 {
 		compatible = "regulator-fixed";
 		regulator-name = "vcc1v2";
-		regulator-min-microvolt = <3300000>;
-		regulator-max-microvolt = <3300000>;
+		regulator-min-microvolt = <1200000>;
+		regulator-max-microvolt = <1200000>;
 		regulator-always-on;
 		regulator-boot-on;
 		vin-supply = <&reg_vcc5v0>;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 064/220] ARM: dts: Fix SPI node for Arria10
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 063/220] ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VCC-1V2 regulator voltage Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 065/220] ARM: dts: socfpga: Fix NAND controller node compatible Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thor Thayer, Dinh Nguyen, Olof Johansson

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thor Thayer <thor.thayer@linux.intel.com>

commit 975ba94c2c3aca4d9f1ae26f3916d7787495ce86 upstream.

Remove the unused bus-num node and change num-chipselect
to num-cs to match SPI bindings.

Cc: stable@vger.kernel.org
Fixes: f2d6f8f817814 ("ARM: dts: socfpga: Add SPI Master1 for Arria10 SR chip")
Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/socfpga_arria10.dtsi |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/boot/dts/socfpga_arria10.dtsi
+++ b/arch/arm/boot/dts/socfpga_arria10.dtsi
@@ -593,8 +593,7 @@
 			#size-cells = <0>;
 			reg = <0xffda5000 0x100>;
 			interrupts = <0 102 4>;
-			num-chipselect = <4>;
-			bus-num = <0>;
+			num-cs = <4>;
 			/*32bit_access;*/
 			tx-dma-channel = <&pdma 16>;
 			rx-dma-channel = <&pdma 17>;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 065/220] ARM: dts: socfpga: Fix NAND controller node compatible
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 064/220] ARM: dts: Fix SPI node for Arria10 Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 066/220] ARM: dts: socfpga: Fix NAND controller clock supply Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Steffen Trumtrar, Dinh Nguyen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Vasut <marex@denx.de>

commit d9a695f3c8098ac9684689774a151cff30d8aa25 upstream.

The compatible string for the Denali NAND controller is incorrect,
fix it by replacing it with one matching the DT bindings and the
driver.

Cc: stable@vger.kernel.org
Signed-off-by: Marek Vasut <marex@denx.de>
Fixes: d837a80d19 ("ARM: dts: socfpga: add nand controller nodes")
Cc: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/socfpga.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/socfpga.dtsi
+++ b/arch/arm/boot/dts/socfpga.dtsi
@@ -748,7 +748,7 @@
 		nand0: nand@ff900000 {
 			#address-cells = <0x1>;
 			#size-cells = <0x1>;
-			compatible = "denali,denali-nand-dt";
+			compatible = "altr,socfpga-denali-nand";
 			reg = <0xff900000 0x100000>,
 			      <0xffb80000 0x10000>;
 			reg-names = "nand_data", "denali_reg";



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 066/220] ARM: dts: socfpga: Fix NAND controller clock supply
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 065/220] ARM: dts: socfpga: Fix NAND controller node compatible Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 067/220] ARM: dts: socfpga: Fix NAND controller node compatible for Arria10 Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Steffen Trumtrar, Dinh Nguyen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Vasut <marex@denx.de>

commit 4eda9b766b042ea38d84df91581b03f6145a2ab0 upstream.

The Denali NAND x-clock should be supplied by nand_x_clk, not by
nand_clk. Fix this, otherwise the Denali driver gets incorrect
clock frequency information and incorrectly configures the NAND
timing.

Cc: stable@vger.kernel.org
Signed-off-by: Marek Vasut <marex@denx.de>
Fixes: d837a80d19 ("ARM: dts: socfpga: add nand controller nodes")
Cc: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/socfpga.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/socfpga.dtsi
+++ b/arch/arm/boot/dts/socfpga.dtsi
@@ -754,7 +754,7 @@
 			reg-names = "nand_data", "denali_reg";
 			interrupts = <0x0 0x90 0x4>;
 			dma-mask = <0xffffffff>;
-			clocks = <&nand_clk>;
+			clocks = <&nand_x_clk>;
 			status = "disabled";
 		};
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 067/220] ARM: dts: socfpga: Fix NAND controller node compatible for Arria10
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 066/220] ARM: dts: socfpga: Fix NAND controller clock supply Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 069/220] softirq: Reorder trace_softirqs_on to prevent lockdep splat Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dinh Nguyen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dinh Nguyen <dinguyen@kernel.org>

commit 3877ef7a1ccecaae378c497e1dcddbc2dccb664c upstream.

The NAND compatible "denali,denal-nand-dt" property has never been used and
is obsolete. Remove it.

Cc: stable@vger.kernel.org
Fixes: f549af06e9b6("ARM: dts: socfpga: Add NAND device tree for Arria10")
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/socfpga_arria10.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/socfpga_arria10.dtsi
+++ b/arch/arm/boot/dts/socfpga_arria10.dtsi
@@ -632,7 +632,7 @@
 		nand: nand@ffb90000 {
 			#address-cells = <1>;
 			#size-cells = <1>;
-			compatible = "denali,denali-nand-dt", "altr,socfpga-denali-nand";
+			compatible = "altr,socfpga-denali-nand";
 			reg = <0xffb90000 0x72000>,
 			      <0xffb80000 0x10000>;
 			reg-names = "nand_data", "denali_reg";



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 069/220] softirq: Reorder trace_softirqs_on to prevent lockdep splat
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 067/220] ARM: dts: socfpga: Fix NAND controller node compatible for Arria10 Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 070/220] arm64: Fix syscall restarting around signal suppressed by tracer Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra, Ingo Molnar,
	Linus Torvalds, Mathieu Desnoyers, Tom Zanussi, Namhyung Kim,
	Thomas Glexiner, Boqun Feng, Paul McKenney, Masami Hiramatsu,
	Todd Kjos, Erick Reyes, Julia Cartwright, Byungchul Park,
	Steven Rostedt (VMware), Joel Fernandes (Google)

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joel Fernandes (Google) <joel@joelfernandes.org>

commit 1a63dcd8765bc8680481dc2f9acf6ef13cee6d27 upstream.

I'm able to reproduce a lockdep splat with config options:
CONFIG_PROVE_LOCKING=y,
CONFIG_DEBUG_LOCK_ALLOC=y and
CONFIG_PREEMPTIRQ_EVENTS=y

$ echo 1 > /d/tracing/events/preemptirq/preempt_enable/enable

[   26.112609] DEBUG_LOCKS_WARN_ON(current->softirqs_enabled)
[   26.112636] WARNING: CPU: 0 PID: 118 at kernel/locking/lockdep.c:3854
[...]
[   26.144229] Call Trace:
[   26.144926]  <IRQ>
[   26.145506]  lock_acquire+0x55/0x1b0
[   26.146499]  ? __do_softirq+0x46f/0x4d9
[   26.147571]  ? __do_softirq+0x46f/0x4d9
[   26.148646]  trace_preempt_on+0x8f/0x240
[   26.149744]  ? trace_preempt_on+0x4d/0x240
[   26.150862]  ? __do_softirq+0x46f/0x4d9
[   26.151930]  preempt_count_sub+0x18a/0x1a0
[   26.152985]  __do_softirq+0x46f/0x4d9
[   26.153937]  irq_exit+0x68/0xe0
[   26.154755]  smp_apic_timer_interrupt+0x271/0x280
[   26.156056]  apic_timer_interrupt+0xf/0x20
[   26.157105]  </IRQ>

The issue was this:

preempt_count = 1 << SOFTIRQ_SHIFT

	__local_bh_enable(cnt = 1 << SOFTIRQ_SHIFT) {
		if (softirq_count() == (cnt && SOFTIRQ_MASK)) {
			trace_softirqs_on() {
				current->softirqs_enabled = 1;
			}
		}
		preempt_count_sub(cnt) {
			trace_preempt_on() {
				tracepoint() {
					rcu_read_lock_sched() {
						// jumps into lockdep

Where preempt_count still has softirqs disabled, but
current->softirqs_enabled is true, and we get a splat.

Link: http://lkml.kernel.org/r/20180607201143.247775-1-joel@joelfernandes.org

Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Thomas Glexiner <tglx@linutronix.de>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Todd Kjos <tkjos@google.com>
Cc: Erick Reyes <erickreyes@google.com>
Cc: Julia Cartwright <julia@ni.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: stable@vger.kernel.org
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Fixes: d59158162e032 ("tracing: Add support for preempt and irq enable/disable events")
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/softirq.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/softirq.c
+++ b/kernel/softirq.c
@@ -139,9 +139,13 @@ static void __local_bh_enable(unsigned i
 {
 	lockdep_assert_irqs_disabled();
 
+	if (preempt_count() == cnt)
+		trace_preempt_on(CALLER_ADDR0, get_lock_parent_ip());
+
 	if (softirq_count() == (cnt & SOFTIRQ_MASK))
 		trace_softirqs_on(_RET_IP_);
-	preempt_count_sub(cnt);
+
+	__preempt_count_sub(cnt);
 }
 
 /*



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 070/220] arm64: Fix syscall restarting around signal suppressed by tracer
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 069/220] softirq: Reorder trace_softirqs_on to prevent lockdep splat Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 071/220] crypto: arm64/aes-blk - fix and move skcipher_walk_done out of kernel_neon_begin, _end Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Martin, Sumit Semwal,
	Will Deacon, Catalin Marinas

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 0fe42512b2f03f9e5a20b9f55ef1013a68b4cd48 upstream.

Commit 17c2895 ("arm64: Abstract syscallno manipulation") abstracts
out the pt_regs.syscallno value for a syscall cancelled by a tracer
as NO_SYSCALL, and provides helpers to set and check for this
condition.  However, the way this was implemented has the
unintended side-effect of disabling part of the syscall restart
logic.

This comes about because the second in_syscall() check in
do_signal() re-evaluates the "in a syscall" condition based on the
updated pt_regs instead of the original pt_regs.  forget_syscall()
is explicitly called prior to the second check in order to prevent
restart logic in the ret_to_user path being spuriously triggered,
which means that the second in_syscall() check always yields false.

This triggers a failure in
tools/testing/selftests/seccomp/seccomp_bpf.c, when using ptrace to
suppress a signal that interrups a nanosleep() syscall.

Misbehaviour of this type is only expected in the case where a
tracer suppresses a signal and the target process is either being
single-stepped or the interrupted syscall attempts to restart via
-ERESTARTBLOCK.

This patch restores the old behaviour by performing the
in_syscall() check only once at the start of the function.

Fixes: 17c289586009 ("arm64: Abstract syscallno manipulation")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Reported-by: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: <stable@vger.kernel.org> # 4.14.x-
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/signal.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -830,11 +830,12 @@ static void do_signal(struct pt_regs *re
 	unsigned long continue_addr = 0, restart_addr = 0;
 	int retval = 0;
 	struct ksignal ksig;
+	bool syscall = in_syscall(regs);
 
 	/*
 	 * If we were from a system call, check for system call restarting...
 	 */
-	if (in_syscall(regs)) {
+	if (syscall) {
 		continue_addr = regs->pc;
 		restart_addr = continue_addr - (compat_thumb_mode(regs) ? 2 : 4);
 		retval = regs->regs[0];
@@ -886,7 +887,7 @@ static void do_signal(struct pt_regs *re
 	 * Handle restarting a different system call. As above, if a debugger
 	 * has chosen to restart at a different PC, ignore the restart.
 	 */
-	if (in_syscall(regs) && regs->pc == restart_addr) {
+	if (syscall && regs->pc == restart_addr) {
 		if (retval == -ERESTART_RESTARTBLOCK)
 			setup_restart_syscall(regs);
 		user_rewind_single_step(current);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 071/220] crypto: arm64/aes-blk - fix and move skcipher_walk_done out of kernel_neon_begin, _end
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 070/220] arm64: Fix syscall restarting around signal suppressed by tracer Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 072/220] arm64: kpti: Use early_param for kpti= command-line option Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, jia.he, Ard Biesheuvel, Will Deacon,
	Herbert Xu

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jia He <hejianet@gmail.com>

commit 6e88f01206edab0e5bc105d8f35fac10f4ee14c5 upstream.

In a arm64 server(QDF2400),I met a similar might-sleep warning as [1]:
[    7.019116] BUG: sleeping function called from invalid context at
./include/crypto/algapi.h:416
[    7.027863] in_atomic(): 1, irqs_disabled(): 0, pid: 410, name:
cryptomgr_test
[    7.035106] 1 lock held by cryptomgr_test/410:
[    7.039549]  #0:         (ptrval) (&drbg->drbg_mutex){+.+.}, at:
drbg_instantiate+0x34/0x398
[    7.048038] CPU: 9 PID: 410 Comm: cryptomgr_test Not tainted
4.17.0-rc6+ #27
[    7.068228]  dump_backtrace+0x0/0x1c0
[    7.071890]  show_stack+0x24/0x30
[    7.075208]  dump_stack+0xb0/0xec
[    7.078523]  ___might_sleep+0x160/0x238
[    7.082360]  skcipher_walk_done+0x118/0x2c8
[    7.086545]  ctr_encrypt+0x98/0x130
[    7.090035]  simd_skcipher_encrypt+0x68/0xc0
[    7.094304]  drbg_kcapi_sym_ctr+0xd4/0x1f8
[    7.098400]  drbg_ctr_update+0x98/0x330
[    7.102236]  drbg_seed+0x1b8/0x2f0
[    7.105637]  drbg_instantiate+0x2ac/0x398
[    7.109646]  drbg_kcapi_seed+0xbc/0x188
[    7.113482]  crypto_rng_reset+0x4c/0xb0
[    7.117319]  alg_test_drbg+0xec/0x330
[    7.120981]  alg_test.part.6+0x1c8/0x3c8
[    7.124903]  alg_test+0x58/0xa0
[    7.128044]  cryptomgr_test+0x50/0x58
[    7.131708]  kthread+0x134/0x138
[    7.134936]  ret_from_fork+0x10/0x1c

Seems there is a bug in Ard Biesheuvel's commit.
Fixes: 683381747270 ("crypto: arm64/aes-blk - move kernel mode neon
en/disable into loop")

[1] https://www.spinics.net/lists/linux-crypto/msg33103.html

Signed-off-by: jia.he@hxt-semitech.com
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org> # 4.17
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/crypto/aes-glue.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/crypto/aes-glue.c
+++ b/arch/arm64/crypto/aes-glue.c
@@ -223,8 +223,8 @@ static int ctr_encrypt(struct skcipher_r
 		kernel_neon_begin();
 		aes_ctr_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
 				(u8 *)ctx->key_enc, rounds, blocks, walk.iv);
-		err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
 		kernel_neon_end();
+		err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
 	}
 	if (walk.nbytes) {
 		u8 __aligned(8) tail[AES_BLOCK_SIZE];



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 072/220] arm64: kpti: Use early_param for kpti= command-line option
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 071/220] crypto: arm64/aes-blk - fix and move skcipher_walk_done out of kernel_neon_begin, _end Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 073/220] arm64: mm: Ensure writes to swapper are ordered wrt subsequent cache maintenance Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Xu, Sudeep Holla, Will Deacon,
	Catalin Marinas

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit b5b7dd647f2d21b93f734ce890671cd908e69b0a upstream.

We inspect __kpti_forced early on as part of the cpufeature enable
callback which remaps the swapper page table using non-global entries.

Ensure that __kpti_forced has been updated to reflect the kpti=
command-line option before we start using it.

Fixes: ea1e3de85e94 ("arm64: entry: Add fake CPU feature for unmapping the kernel at EL0")
Cc: <stable@vger.kernel.org> # 4.16.x-
Reported-by: Wei Xu <xuwei5@hisilicon.com>
Tested-by: Sudeep Holla <sudeep.holla@arm.com>
Tested-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/cpufeature.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -937,7 +937,7 @@ static int __init parse_kpti(char *str)
 	__kpti_forced = enabled ? 1 : -1;
 	return 0;
 }
-__setup("kpti=", parse_kpti);
+early_param("kpti", parse_kpti);
 #endif	/* CONFIG_UNMAP_KERNEL_AT_EL0 */
 
 #ifdef CONFIG_ARM64_HW_AFDBM



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 073/220] arm64: mm: Ensure writes to swapper are ordered wrt subsequent cache maintenance
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 072/220] arm64: kpti: Use early_param for kpti= command-line option Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 074/220] arm64: dts: marvell: fix CP110 ICU node size Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Will Deacon, Catalin Marinas

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 71c8fc0c96abf8e53e74ed4d891d671e585f9076 upstream.

When rewriting swapper using nG mappings, we must performance cache
maintenance around each page table access in order to avoid coherency
problems with the host's cacheable alias under KVM. To ensure correct
ordering of the maintenance with respect to Device memory accesses made
with the Stage-1 MMU disabled, DMBs need to be added between the
maintenance and the corresponding memory access.

This patch adds a missing DMB between writing a new page table entry and
performing a clean+invalidate on the same line.

Fixes: f992b4dfd58b ("arm64: kpti: Add ->enable callback to remap swapper using nG mappings")
Cc: <stable@vger.kernel.org> # 4.16.x-
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/mm/proc.S |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -217,8 +217,9 @@ ENDPROC(idmap_cpu_replace_ttbr1)
 
 	.macro __idmap_kpti_put_pgtable_ent_ng, type
 	orr	\type, \type, #PTE_NG		// Same bit for blocks and pages
-	str	\type, [cur_\()\type\()p]	// Update the entry and ensure it
-	dc	civac, cur_\()\type\()p		// is visible to all CPUs.
+	str	\type, [cur_\()\type\()p]	// Update the entry and ensure
+	dmb	sy				// that it is visible to all
+	dc	civac, cur_\()\type\()p		// CPUs.
 	.endm
 
 /*



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 074/220] arm64: dts: marvell: fix CP110 ICU node size
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 073/220] arm64: mm: Ensure writes to swapper are ordered wrt subsequent cache maintenance Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 075/220] arm64: dts: stratix10: Fix SPI nodes for Stratix10 Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miquel Raynal, Thomas Petazzoni,
	Gregory CLEMENT

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miquel Raynal <miquel.raynal@bootlin.com>

commit 2f872ddcdb1e8e2186162616cea4581b8403849d upstream.

ICU size in CP110 is not 0x10 but at least 0x440 bytes long (from the
specification).

Fixes: 6ef84a827c37 ("arm64: dts: marvell: enable GICP and ICU on Armada 7K/8K")
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/marvell/armada-cp110.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/marvell/armada-cp110.dtsi
+++ b/arch/arm64/boot/dts/marvell/armada-cp110.dtsi
@@ -149,7 +149,7 @@
 
 		CP110_LABEL(icu): interrupt-controller@1e0000 {
 			compatible = "marvell,cp110-icu";
-			reg = <0x1e0000 0x10>;
+			reg = <0x1e0000 0x440>;
 			#interrupt-cells = <3>;
 			interrupt-controller;
 			msi-parent = <&gicp>;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 075/220] arm64: dts: stratix10: Fix SPI nodes for Stratix10
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 074/220] arm64: dts: marvell: fix CP110 ICU node size Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 076/220] ARM64: dts: meson: disable sd-uhs modes on the libretech-cc Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thor Thayer, Dinh Nguyen, Olof Johansson

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thor Thayer <thor.thayer@linux.intel.com>

commit 4595299c5eaebbec0ca5822214ad1925a10b3876 upstream.

Remove the unused bus-num node and change num-chipselect
to num-cs to match SPI bindings.

Cc: stable@vger.kernel.org
Fixes: 78cd6a9d8e154 ("arm64: dts: Add base stratix 10 dtsi")
Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
+++ b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
@@ -252,8 +252,7 @@
 			interrupts = <0 99 4>;
 			resets = <&rst SPIM0_RESET>;
 			reg-io-width = <4>;
-			num-chipselect = <4>;
-			bus-num = <0>;
+			num-cs = <4>;
 			status = "disabled";
 		};
 
@@ -265,8 +264,7 @@
 			interrupts = <0 100 4>;
 			resets = <&rst SPIM1_RESET>;
 			reg-io-width = <4>;
-			num-chipselect = <4>;
-			bus-num = <0>;
+			num-cs = <4>;
 			status = "disabled";
 		};
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 076/220] ARM64: dts: meson: disable sd-uhs modes on the libretech-cc
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 075/220] arm64: dts: stratix10: Fix SPI nodes for Stratix10 Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 077/220] ARM64: dts: meson-gx: fix ATF reserved memory region Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jerome Brunet, Kevin Hilman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jerome Brunet <jbrunet@baylibre.com>

commit d5b4885b1dff72ac670b518cfeaac719d768bd4d upstream.

There is a problem with the sd-uhs mode when doing a soft reboot.
Switching back from 1.8v to 3.3v messes with the card, which no longer
respond (timeout errors). According to the specification, we should
perform a card reset (power cycling the card) but this is something we
cannot control on this design.

Then the only solution to restore the communication with the card is an
"unplug-plug" which is not acceptable

Until we find a solution, if any, disable the sd-uhs modes on this design.
For the people using uhs at the moment, there will a performance drop as
a result.

Fixes: 3cde63ebc85c ("ARM64: dts: meson-gxl: libretech-cc: enable high speed modes")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Cc: stable@vger.kernel.org
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts |    3 ---
 1 file changed, 3 deletions(-)

--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
@@ -234,9 +234,6 @@
 
 	bus-width = <4>;
 	cap-sd-highspeed;
-	sd-uhs-sdr12;
-	sd-uhs-sdr25;
-	sd-uhs-sdr50;
 	max-frequency = <100000000>;
 	disable-wp;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 077/220] ARM64: dts: meson-gx: fix ATF reserved memory region
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 076/220] ARM64: dts: meson: disable sd-uhs modes on the libretech-cc Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 078/220] of: overlay: validate offset from property fixups Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Neil Armstrong, Kevin Hilman

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Hilman <khilman@baylibre.com>

commit 48e21ded0432ee1e2359d4143d7a6925cefee1b5 upstream.

Vendor firmware/uboot has different reserved regions depending on
firmware version, but current codebase reserves the same regions on
GXL and GXBB, so move the additional reserved memory region to common
.dtsi.

Found when putting a recent vendor u-boot on meson-gxbb-p200.

Suggested-by: Neil Armstrong <narmstrong@baylibre.com>
Cc: stable@vger.kernel.org
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/amlogic/meson-gx.dtsi  |    6 ++++++
 arch/arm64/boot/dts/amlogic/meson-gxl.dtsi |    8 --------
 2 files changed, 6 insertions(+), 8 deletions(-)

--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
@@ -35,6 +35,12 @@
 			no-map;
 		};
 
+		/* Alternate 3 MiB reserved for ARM Trusted Firmware (BL31) */
+		secmon_reserved_alt: secmon@5000000 {
+			reg = <0x0 0x05000000 0x0 0x300000>;
+			no-map;
+		};
+
 		linux,cma {
 			compatible = "shared-dma-pool";
 			reusable;
--- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi
+++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi
@@ -13,14 +13,6 @@
 / {
 	compatible = "amlogic,meson-gxl";
 
-	reserved-memory {
-		/* Alternate 3 MiB reserved for ARM Trusted Firmware (BL31) */
-		secmon_reserved_alt: secmon@5000000 {
-			reg = <0x0 0x05000000 0x0 0x300000>;
-			no-map;
-		};
-	};
-
 	soc {
 		usb0: usb@c9000000 {
 			status = "disabled";



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 078/220] of: overlay: validate offset from property fixups
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 077/220] ARM64: dts: meson-gx: fix ATF reserved memory region Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 079/220] of: unittest: for strings, account for trailing \0 in property length field Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Frank Rowand, Rob Herring

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Frank Rowand <frank.rowand@sony.com>

commit 482137bf2aecd887ebfa8756456764a2f6a0e545 upstream.

The smatch static checker marks the data in offset as untrusted,
leading it to warn:

  drivers/of/resolver.c:125 update_usages_of_a_phandle_reference()
  error: buffer underflow 'prop->value' 's32min-s32max'

Add check to verify that offset is within the property data.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Frank Rowand <frank.rowand@sony.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/of/resolver.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/of/resolver.c
+++ b/drivers/of/resolver.c
@@ -122,6 +122,11 @@ static int update_usages_of_a_phandle_re
 			goto err_fail;
 		}
 
+		if (offset < 0 || offset + sizeof(__be32) > prop->length) {
+			err = -EINVAL;
+			goto err_fail;
+		}
+
 		*(__be32 *)(prop->value + offset) = cpu_to_be32(phandle);
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 079/220] of: unittest: for strings, account for trailing \0 in property length field
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 078/220] of: overlay: validate offset from property fixups Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 080/220] of: platform: stop accessing invalid dev in of_platform_device_destroy Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan M Schaeckeler, Frank Rowand,
	Rob Herring

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan M Schaeckeler <sschaeck@cisco.com>

commit 3b9cf7905fe3ab35ab437b5072c883e609d3498d upstream.

For strings, account for trailing \0 in property length field:

This is consistent with how dtc builds string properties.

Function __of_prop_dup() would misbehave on such properties as it duplicates
properties based on the property length field creating new string values
without trailing \0s.

Signed-off-by: Stefan M Schaeckeler <sschaeck@cisco.com>
Reviewed-by: Frank Rowand <frank.rowand@sony.com>
Tested-by: Frank Rowand <frank.rowand@sony.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/of/unittest.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -165,20 +165,20 @@ static void __init of_unittest_dynamic(v
 	/* Add a new property - should pass*/
 	prop->name = "new-property";
 	prop->value = "new-property-data";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
 
 	/* Try to add an existing property - should fail */
 	prop++;
 	prop->name = "new-property";
 	prop->value = "new-property-data-should-fail";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	unittest(of_add_property(np, prop) != 0,
 		 "Adding an existing property should have failed\n");
 
 	/* Try to modify an existing property - should pass */
 	prop->value = "modify-property-data-should-pass";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	unittest(of_update_property(np, prop) == 0,
 		 "Updating an existing property should have passed\n");
 
@@ -186,7 +186,7 @@ static void __init of_unittest_dynamic(v
 	prop++;
 	prop->name = "modify-property";
 	prop->value = "modify-missing-property-data-should-pass";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	unittest(of_update_property(np, prop) == 0,
 		 "Updating a missing property should have passed\n");
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 080/220] of: platform: stop accessing invalid dev in of_platform_device_destroy
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 079/220] of: unittest: for strings, account for trailing \0 in property length field Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 081/220] tpm: fix use after free in tpm2_load_context() Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Rob Herring

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit 522811e944ed9b36806faa019faec10f9d259cca upstream.

Immediately after the platform_device_unregister() the device will be
cleaned up. Accessing the freed pointer immediately after that will
crash the system.

Found this bug when kernel is built with CONFIG_PAGE_POISONING and testing
loading/unloading audio drivers in a loop on Qcom platforms.

Fix this by moving of_node_clear_flag() just before the unregister calls.

Below is the crash trace:

Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c03
Mem abort info:
  ESR = 0x96000021
  Exception class = DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x00000021
  CM = 0, WnR = 0
[006b6b6b6b6b6c03] address between user and kernel address ranges
Internal error: Oops: 96000021 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 PID: 1784 Comm: sh Tainted: G        W         4.17.0-rc7-02230-ge3a63a7ef641-dirty #204
Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
pstate: 80000005 (Nzcv daif -PAN -UAO)
pc : clear_bit+0x18/0x2c
lr : of_platform_device_destroy+0x64/0xb8
sp : ffff00000c9c3930
x29: ffff00000c9c3930 x28: ffff80003d39b200
x27: ffff000008bb1000 x26: 0000000000000040
x25: 0000000000000124 x24: ffff80003a9a3080
x23: 0000000000000060 x22: ffff00000939f518
x21: ffff80003aa79e98 x20: ffff80003aa3dae0
x19: ffff80003aa3c890 x18: ffff800009feb794
x17: 0000000000000000 x16: 0000000000000000
x15: ffff800009feb790 x14: 0000000000000000
x13: ffff80003a058778 x12: ffff80003a058728
x11: ffff80003a058750 x10: 0000000000000000
x9 : 0000000000000006 x8 : ffff80003a825988
x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000001
x5 : 0000000000000000 x4 : 0000000000000001
x3 : 0000000000000008 x2 : 0000000000000001
x1 : 6b6b6b6b6b6b6c03 x0 : 0000000000000000
Process sh (pid: 1784, stack limit = 0x        (ptrval))
Call trace:
 clear_bit+0x18/0x2c
 q6afe_remove+0x20/0x38
 apr_device_remove+0x30/0x70
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 apr_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 apr_remove+0x18/0x20
 rpmsg_dev_remove+0x38/0x68
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 qcom_smd_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 qcom_smd_unregister_edge+0x3c/0x70
 smd_subdev_remove+0x18/0x28
 rproc_stop+0x48/0xd8
 rproc_shutdown+0x60/0xe8
 state_store+0xbc/0xf8
 dev_attr_store+0x18/0x28
 sysfs_kf_write+0x3c/0x50
 kernfs_fop_write+0x118/0x1e0
 __vfs_write+0x18/0x110
 vfs_write+0xa4/0x1a8
 ksys_write+0x48/0xb0
 sys_write+0xc/0x18
 el0_svc_naked+0x30/0x34
Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22)
---[ end trace 32020935775616a2 ]---

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/of/platform.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/of/platform.c
+++ b/drivers/of/platform.c
@@ -537,6 +537,9 @@ int of_platform_device_destroy(struct de
 	if (of_node_check_flag(dev->of_node, OF_POPULATED_BUS))
 		device_for_each_child(dev, NULL, of_platform_device_destroy);
 
+	of_node_clear_flag(dev->of_node, OF_POPULATED);
+	of_node_clear_flag(dev->of_node, OF_POPULATED_BUS);
+
 	if (dev->bus == &platform_bus_type)
 		platform_device_unregister(to_platform_device(dev));
 #ifdef CONFIG_ARM_AMBA
@@ -544,8 +547,6 @@ int of_platform_device_destroy(struct de
 		amba_device_unregister(to_amba_device(dev));
 #endif
 
-	of_node_clear_flag(dev->of_node, OF_POPULATED);
-	of_node_clear_flag(dev->of_node, OF_POPULATED_BUS);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(of_platform_device_destroy);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 081/220] tpm: fix use after free in tpm2_load_context()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 080/220] of: platform: stop accessing invalid dev in of_platform_device_destroy Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 082/220] tpm: fix race condition in tpm_common_write() Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tadeusz Struk, Jarkko Sakkinen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit 8c81c24758ffbf17cf06c6835d361ffa57be2f0e upstream.

If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0
then we have use after free in line 114 and double free in 117.

Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off--by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm2-space.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_
 		 * TPM_RC_REFERENCE_H0 means the session has been
 		 * flushed outside the space
 		 */
-		rc = -ENOENT;
+		*handle = 0;
 		tpm_buf_destroy(&tbuf);
+		return -ENOENT;
 	} else if (rc > 0) {
 		dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
 			 __func__, rc);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 082/220] tpm: fix race condition in tpm_common_write()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 081/220] tpm: fix use after free in tpm2_load_context() Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 083/220] efi/libstub/tpm: Initialize efi_physical_addr_t vars to zero for mixed mode Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tadeusz Struk, Jarkko Sakkinen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream.

There is a race condition in tpm_common_write function allowing
two threads on the same /dev/tpm<N>, or two different applications
on the same /dev/tpmrm<N> to overwrite each other commands/responses.
Fixed this by taking the priv->buffer_mutex early in the function.

Also converted the priv->data_pending from atomic to a regular size_t
type. There is no need for it to be atomic since it is only touched
under the protection of the priv->buffer_mutex.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm-dev-common.c |   40 +++++++++++++++++---------------------
 drivers/char/tpm/tpm-dev.h        |    2 -
 2 files changed, 19 insertions(+), 23 deletions(-)

--- a/drivers/char/tpm/tpm-dev-common.c
+++ b/drivers/char/tpm/tpm-dev-common.c
@@ -37,7 +37,7 @@ static void timeout_work(struct work_str
 	struct file_priv *priv = container_of(work, struct file_priv, work);
 
 	mutex_lock(&priv->buffer_mutex);
-	atomic_set(&priv->data_pending, 0);
+	priv->data_pending = 0;
 	memset(priv->data_buffer, 0, sizeof(priv->data_buffer));
 	mutex_unlock(&priv->buffer_mutex);
 }
@@ -46,7 +46,6 @@ void tpm_common_open(struct file *file,
 		     struct file_priv *priv)
 {
 	priv->chip = chip;
-	atomic_set(&priv->data_pending, 0);
 	mutex_init(&priv->buffer_mutex);
 	timer_setup(&priv->user_read_timer, user_reader_timeout, 0);
 	INIT_WORK(&priv->work, timeout_work);
@@ -58,29 +57,24 @@ ssize_t tpm_common_read(struct file *fil
 			size_t size, loff_t *off)
 {
 	struct file_priv *priv = file->private_data;
-	ssize_t ret_size;
-	ssize_t orig_ret_size;
+	ssize_t ret_size = 0;
 	int rc;
 
 	del_singleshot_timer_sync(&priv->user_read_timer);
 	flush_work(&priv->work);
-	ret_size = atomic_read(&priv->data_pending);
-	if (ret_size > 0) {	/* relay data */
-		orig_ret_size = ret_size;
-		if (size < ret_size)
-			ret_size = size;
+	mutex_lock(&priv->buffer_mutex);
 
-		mutex_lock(&priv->buffer_mutex);
+	if (priv->data_pending) {
+		ret_size = min_t(ssize_t, size, priv->data_pending);
 		rc = copy_to_user(buf, priv->data_buffer, ret_size);
-		memset(priv->data_buffer, 0, orig_ret_size);
+		memset(priv->data_buffer, 0, priv->data_pending);
 		if (rc)
 			ret_size = -EFAULT;
 
-		mutex_unlock(&priv->buffer_mutex);
+		priv->data_pending = 0;
 	}
 
-	atomic_set(&priv->data_pending, 0);
-
+	mutex_unlock(&priv->buffer_mutex);
 	return ret_size;
 }
 
@@ -91,17 +85,19 @@ ssize_t tpm_common_write(struct file *fi
 	size_t in_size = size;
 	ssize_t out_size;
 
+	if (in_size > TPM_BUFSIZE)
+		return -E2BIG;
+
+	mutex_lock(&priv->buffer_mutex);
+
 	/* Cannot perform a write until the read has cleared either via
 	 * tpm_read or a user_read_timer timeout. This also prevents split
 	 * buffered writes from blocking here.
 	 */
-	if (atomic_read(&priv->data_pending) != 0)
+	if (priv->data_pending != 0) {
+		mutex_unlock(&priv->buffer_mutex);
 		return -EBUSY;
-
-	if (in_size > TPM_BUFSIZE)
-		return -E2BIG;
-
-	mutex_lock(&priv->buffer_mutex);
+	}
 
 	if (copy_from_user
 	    (priv->data_buffer, (void __user *) buf, in_size)) {
@@ -132,7 +128,7 @@ ssize_t tpm_common_write(struct file *fi
 		return out_size;
 	}
 
-	atomic_set(&priv->data_pending, out_size);
+	priv->data_pending = out_size;
 	mutex_unlock(&priv->buffer_mutex);
 
 	/* Set a timeout by which the reader must come claim the result */
@@ -149,5 +145,5 @@ void tpm_common_release(struct file *fil
 	del_singleshot_timer_sync(&priv->user_read_timer);
 	flush_work(&priv->work);
 	file->private_data = NULL;
-	atomic_set(&priv->data_pending, 0);
+	priv->data_pending = 0;
 }
--- a/drivers/char/tpm/tpm-dev.h
+++ b/drivers/char/tpm/tpm-dev.h
@@ -8,7 +8,7 @@ struct file_priv {
 	struct tpm_chip *chip;
 
 	/* Data passed to and from the tpm via the read/write calls */
-	atomic_t data_pending;
+	size_t data_pending;
 	struct mutex buffer_mutex;
 
 	struct timer_list user_read_timer;      /* user needs to claim result */



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 083/220] efi/libstub/tpm: Initialize efi_physical_addr_t vars to zero for mixed mode
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 082/220] tpm: fix race condition in tpm_common_write() Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 084/220] IB/qib: Fix DMA api warning with debug kernel Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Ard Biesheuvel,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, linux-efi,
	Ingo Molnar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 52e1cf2d19c2e62e6a81b8de3f7320d033917dd5 upstream.

Commit:

  79832f0b5f71 ("efi/libstub/tpm: Initialize pointer variables to zero for mixed mode")

fixes a problem with the tpm code on mixed mode (64-bit kernel on 32-bit UEFI),
where 64-bit pointer variables are not fully initialized by the 32-bit EFI code.

A similar problem applies to the efi_physical_addr_t variables which
are written by the ->get_event_log() EFI call. Even though efi_physical_addr_t
is 64-bit everywhere, it seems that some 32-bit UEFI implementations only
fill in the lower 32 bits when passed a pointer to an efi_physical_addr_t
to fill.

This commit initializes these to 0 to, to ensure the upper 32 bits are
0 in mixed mode. This fixes recent kernels sometimes hanging during
early boot on mixed mode UEFI systems.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org> # v4.16+
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20180622064222.11633-2-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/libstub/tpm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/efi/libstub/tpm.c
+++ b/drivers/firmware/efi/libstub/tpm.c
@@ -64,7 +64,7 @@ void efi_retrieve_tpm2_eventlog_1_2(efi_
 	efi_guid_t tcg2_guid = EFI_TCG2_PROTOCOL_GUID;
 	efi_guid_t linux_eventlog_guid = LINUX_EFI_TPM_EVENT_LOG_GUID;
 	efi_status_t status;
-	efi_physical_addr_t log_location, log_last_entry;
+	efi_physical_addr_t log_location = 0, log_last_entry = 0;
 	struct linux_efi_tpm_eventlog *log_tbl = NULL;
 	unsigned long first_entry_addr, last_entry_addr;
 	size_t log_size, last_entry_size;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 084/220] IB/qib: Fix DMA api warning with debug kernel
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 083/220] efi/libstub/tpm: Initialize efi_physical_addr_t vars to zero for mixed mode Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 085/220] IB/{hfi1, qib}: Add handling of kernel restart Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alex Estrin, Don Dutile,
	Mike Marciniszyn, Dennis Dalessandro, Doug Ledford

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

commit 0252f73334f9ef68868e4684200bea3565a4fcee upstream.

The following error occurs in a debug build when running MPI PSM:

[  307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158
check_unmap+0x4ee/0xa20
[  307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map
error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page]
[  307.517494] Modules linked in:
[  307.531584]  ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma
sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib
scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm
irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg
ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt
iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler
ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod
crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea
sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common
drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core
[  307.846113]  pps_core dm_mirror dm_region_hash dm_log dm_mod
[  307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not
tainted 3.10.0-862.el7.x86_64.debug #1
[  307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013
[  307.944206] Call Trace:
[  307.956973]  [<ffffffffbd9e915b>] dump_stack+0x19/0x1b
[  307.982201]  [<ffffffffbd2a2f58>] __warn+0xd8/0x100
[  308.005999]  [<ffffffffbd2a2fdf>] warn_slowpath_fmt+0x5f/0x80
[  308.034260]  [<ffffffffbd5f667e>] check_unmap+0x4ee/0xa20
[  308.060801]  [<ffffffffbd41acaa>] ? page_add_file_rmap+0x2a/0x1d0
[  308.090689]  [<ffffffffbd5f6c4d>] debug_dma_unmap_page+0x9d/0xb0
[  308.120155]  [<ffffffffbd4082e0>] ? might_fault+0xa0/0xb0
[  308.146656]  [<ffffffffc07761a5>] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib]
[  308.180739]  [<ffffffffc0776bf4>] qib_write+0x894/0x1280 [ib_qib]
[  308.210733]  [<ffffffffbd540b00>] ? __inode_security_revalidate+0x70/0x80
[  308.244837]  [<ffffffffbd53c2b7>] ? security_file_permission+0x27/0xb0
[  308.266025] qib_ib0.8006: multicast join failed for
ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22
[  308.323421]  [<ffffffffbd46f5d3>] vfs_write+0xc3/0x1f0
[  308.347077]  [<ffffffffbd492a5c>] ? fget_light+0xfc/0x510
[  308.372533]  [<ffffffffbd47045a>] SyS_write+0x8a/0x100
[  308.396456]  [<ffffffffbd9ff355>] system_call_fastpath+0x1c/0x21

The code calls a qib_map_page() which has never correctly tested for a
mapping error.

Fix by testing for pci_dma_mapping_error() in all cases and properly
handling the failure in the caller.

Additionally, streamline qib_map_page() arguments to satisfy just
the single caller.

Cc: <stable@vger.kernel.org>
Reviewed-by: Alex Estrin <alex.estrin@intel.com>
Tested-by: Don Dutile <ddutile@redhat.com>
Reviewed-by: Don Dutile <ddutile@redhat.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/qib/qib.h            |    3 +--
 drivers/infiniband/hw/qib/qib_file_ops.c   |   10 +++++++---
 drivers/infiniband/hw/qib/qib_user_pages.c |   20 ++++++++++++--------
 3 files changed, 20 insertions(+), 13 deletions(-)

--- a/drivers/infiniband/hw/qib/qib.h
+++ b/drivers/infiniband/hw/qib/qib.h
@@ -1423,8 +1423,7 @@ u64 qib_sps_ints(void);
 /*
  * dma_addr wrappers - all 0's invalid for hw
  */
-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
-			  size_t, int);
+int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
 struct pci_dev *qib_get_pci_dev(struct rvt_dev_info *rdi);
 
 /*
--- a/drivers/infiniband/hw/qib/qib_file_ops.c
+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
@@ -364,6 +364,8 @@ static int qib_tid_update(struct qib_ctx
 		goto done;
 	}
 	for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) {
+		dma_addr_t daddr;
+
 		for (; ntids--; tid++) {
 			if (tid == tidcnt)
 				tid = 0;
@@ -380,12 +382,14 @@ static int qib_tid_update(struct qib_ctx
 			ret = -ENOMEM;
 			break;
 		}
+		ret = qib_map_page(dd->pcidev, pagep[i], &daddr);
+		if (ret)
+			break;
+
 		tidlist[i] = tid + tidoff;
 		/* we "know" system pages and TID pages are same size */
 		dd->pageshadow[ctxttid + tid] = pagep[i];
-		dd->physshadow[ctxttid + tid] =
-			qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE,
-				     PCI_DMA_FROMDEVICE);
+		dd->physshadow[ctxttid + tid] = daddr;
 		/*
 		 * don't need atomic or it's overhead
 		 */
--- a/drivers/infiniband/hw/qib/qib_user_pages.c
+++ b/drivers/infiniband/hw/qib/qib_user_pages.c
@@ -99,23 +99,27 @@ bail:
  *
  * I'm sure we won't be so lucky with other iommu's, so FIXME.
  */
-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page,
-			unsigned long offset, size_t size, int direction)
+int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr)
 {
 	dma_addr_t phys;
 
-	phys = pci_map_page(hwdev, page, offset, size, direction);
+	phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE);
+	if (pci_dma_mapping_error(hwdev, phys))
+		return -ENOMEM;
 
-	if (phys == 0) {
-		pci_unmap_page(hwdev, phys, size, direction);
-		phys = pci_map_page(hwdev, page, offset, size, direction);
+	if (!phys) {
+		pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE);
+		phys = pci_map_page(hwdev, page, 0, PAGE_SIZE,
+				    PCI_DMA_FROMDEVICE);
+		if (pci_dma_mapping_error(hwdev, phys))
+			return -ENOMEM;
 		/*
 		 * FIXME: If we get 0 again, we should keep this page,
 		 * map another, then free the 0 page.
 		 */
 	}
-
-	return phys;
+	*daddr = phys;
+	return 0;
 }
 
 /**



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 085/220] IB/{hfi1, qib}: Add handling of kernel restart
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 084/220] IB/qib: Fix DMA api warning with debug kernel Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 086/220] IB/mlx4: Mark user MR as writable if actual virtual memory is writable Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Alex Estrin,
	Dennis Dalessandro, Doug Ledford

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Estrin <alex.estrin@intel.com>

commit 8d3e71136a080d007620472f50c7b3e63ba0f5cf upstream.

A warm restart will fail to unload the driver, leaving link state
potentially flapping up to the point the BIOS resets the adapter.
Correct the issue by hooking the shutdown pci method,
which will bring port down.

Cc: <stable@vger.kernel.org> # 4.9.x
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/hfi.h     |    1 +
 drivers/infiniband/hw/hfi1/init.c    |   13 +++++++++++++
 drivers/infiniband/hw/qib/qib.h      |    1 +
 drivers/infiniband/hw/qib/qib_init.c |   13 +++++++++++++
 4 files changed, 28 insertions(+)

--- a/drivers/infiniband/hw/hfi1/hfi.h
+++ b/drivers/infiniband/hw/hfi1/hfi.h
@@ -1856,6 +1856,7 @@ struct cc_state *get_cc_state_protected(
 #define HFI1_HAS_SDMA_TIMEOUT  0x8
 #define HFI1_HAS_SEND_DMA      0x10   /* Supports Send DMA */
 #define HFI1_FORCED_FREEZE     0x80   /* driver forced freeze mode */
+#define HFI1_SHUTDOWN          0x100  /* device is shutting down */
 
 /* IB dword length mask in PBC (lower 11 bits); same for all chips */
 #define HFI1_PBC_LENGTH_MASK                     ((1 << 11) - 1)
--- a/drivers/infiniband/hw/hfi1/init.c
+++ b/drivers/infiniband/hw/hfi1/init.c
@@ -1058,6 +1058,10 @@ static void shutdown_device(struct hfi1_
 	unsigned pidx;
 	int i;
 
+	if (dd->flags & HFI1_SHUTDOWN)
+		return;
+	dd->flags |= HFI1_SHUTDOWN;
+
 	for (pidx = 0; pidx < dd->num_pports; ++pidx) {
 		ppd = dd->pport + pidx;
 
@@ -1391,6 +1395,7 @@ void hfi1_disable_after_error(struct hfi
 
 static void remove_one(struct pci_dev *);
 static int init_one(struct pci_dev *, const struct pci_device_id *);
+static void shutdown_one(struct pci_dev *);
 
 #define DRIVER_LOAD_MSG "Intel " DRIVER_NAME " loaded: "
 #define PFX DRIVER_NAME ": "
@@ -1407,6 +1412,7 @@ static struct pci_driver hfi1_pci_driver
 	.name = DRIVER_NAME,
 	.probe = init_one,
 	.remove = remove_one,
+	.shutdown = shutdown_one,
 	.id_table = hfi1_pci_tbl,
 	.err_handler = &hfi1_pci_err_handler,
 };
@@ -1816,6 +1822,13 @@ static void remove_one(struct pci_dev *p
 	postinit_cleanup(dd);
 }
 
+static void shutdown_one(struct pci_dev *pdev)
+{
+	struct hfi1_devdata *dd = pci_get_drvdata(pdev);
+
+	shutdown_device(dd);
+}
+
 /**
  * hfi1_create_rcvhdrq - create a receive header queue
  * @dd: the hfi1_ib device
--- a/drivers/infiniband/hw/qib/qib.h
+++ b/drivers/infiniband/hw/qib/qib.h
@@ -1228,6 +1228,7 @@ static inline struct qib_ibport *to_ipor
 #define QIB_BADINTR           0x8000 /* severe interrupt problems */
 #define QIB_DCA_ENABLED       0x10000 /* Direct Cache Access enabled */
 #define QIB_HAS_QSFP          0x20000 /* device (card instance) has QSFP */
+#define QIB_SHUTDOWN          0x40000 /* device is shutting down */
 
 /*
  * values for ppd->lflags (_ib_port_ related flags)
--- a/drivers/infiniband/hw/qib/qib_init.c
+++ b/drivers/infiniband/hw/qib/qib_init.c
@@ -841,6 +841,10 @@ static void qib_shutdown_device(struct q
 	struct qib_pportdata *ppd;
 	unsigned pidx;
 
+	if (dd->flags & QIB_SHUTDOWN)
+		return;
+	dd->flags |= QIB_SHUTDOWN;
+
 	for (pidx = 0; pidx < dd->num_pports; ++pidx) {
 		ppd = dd->pport + pidx;
 
@@ -1182,6 +1186,7 @@ void qib_disable_after_error(struct qib_
 
 static void qib_remove_one(struct pci_dev *);
 static int qib_init_one(struct pci_dev *, const struct pci_device_id *);
+static void qib_shutdown_one(struct pci_dev *);
 
 #define DRIVER_LOAD_MSG "Intel " QIB_DRV_NAME " loaded: "
 #define PFX QIB_DRV_NAME ": "
@@ -1199,6 +1204,7 @@ static struct pci_driver qib_driver = {
 	.name = QIB_DRV_NAME,
 	.probe = qib_init_one,
 	.remove = qib_remove_one,
+	.shutdown = qib_shutdown_one,
 	.id_table = qib_pci_tbl,
 	.err_handler = &qib_pci_err_handler,
 };
@@ -1549,6 +1555,13 @@ static void qib_remove_one(struct pci_de
 	qib_postinit_cleanup(dd);
 }
 
+static void qib_shutdown_one(struct pci_dev *pdev)
+{
+	struct qib_devdata *dd = pci_get_drvdata(pdev);
+
+	qib_shutdown_device(dd);
+}
+
 /**
  * qib_create_rcvhdrq - create a receive header queue
  * @dd: the qlogic_ib device



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 086/220] IB/mlx4: Mark user MR as writable if actual virtual memory is writable
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 085/220] IB/{hfi1, qib}: Add handling of kernel restart Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 087/220] IB/core: Make testing MR flags for writability a static inline function Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Jack Morgenstein,
	Leon Romanovsky

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit d8f9cc328c8888369880e2527e9186d745f2bbf6 upstream.

To allow rereg_user_mr to modify the MR from read-only to writable without
using get_user_pages again, we needed to define the initial MR as writable.
However, this was originally done unconditionally, without taking into
account the writability of the underlying virtual memory.

As a result, any attempt to register a read-only MR over read-only
virtual memory failed.

To fix this, do not add the writable flag bit when the user virtual memory
is not writable (e.g. const memory).

However, when the underlying memory is NOT writable (and we therefore
do not define the initial MR as writable), the IB core adds a
"force writable" flag to its user-pages request. If this succeeds,
the reg_user_mr caller gets a writable copy of the original pages.

If the user-space caller then does a rereg_user_mr operation to enable
writability, this will succeed. This should not be allowed, since
the original virtual memory was not writable.

Cc: <stable@vger.kernel.org>
Fixes: 9376932d0c26 ("IB/mlx4_ib: Add support for user MR re-registration")
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx4/mr.c |   50 +++++++++++++++++++++++++++++++++-------
 1 file changed, 42 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/hw/mlx4/mr.c
+++ b/drivers/infiniband/hw/mlx4/mr.c
@@ -367,6 +367,40 @@ end:
 	return block_shift;
 }
 
+static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start,
+					u64 length, u64 virt_addr,
+					int access_flags)
+{
+	/*
+	 * Force registering the memory as writable if the underlying pages
+	 * are writable.  This is so rereg can change the access permissions
+	 * from readable to writable without having to run through ib_umem_get
+	 * again
+	 */
+	if (!ib_access_writable(access_flags)) {
+		struct vm_area_struct *vma;
+
+		down_read(&current->mm->mmap_sem);
+		/*
+		 * FIXME: Ideally this would iterate over all the vmas that
+		 * cover the memory, but for now it requires a single vma to
+		 * entirely cover the MR to support RO mappings.
+		 */
+		vma = find_vma(current->mm, start);
+		if (vma && vma->vm_end >= start + length &&
+		    vma->vm_start <= start) {
+			if (vma->vm_flags & VM_WRITE)
+				access_flags |= IB_ACCESS_LOCAL_WRITE;
+		} else {
+			access_flags |= IB_ACCESS_LOCAL_WRITE;
+		}
+
+		up_read(&current->mm->mmap_sem);
+	}
+
+	return ib_umem_get(context, start, length, access_flags, 0);
+}
+
 struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
 				  u64 virt_addr, int access_flags,
 				  struct ib_udata *udata)
@@ -381,10 +415,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct
 	if (!mr)
 		return ERR_PTR(-ENOMEM);
 
-	/* Force registering the memory as writable. */
-	/* Used for memory re-registeration. HCA protects the access */
-	mr->umem = ib_umem_get(pd->uobject->context, start, length,
-			       access_flags | IB_ACCESS_LOCAL_WRITE, 0);
+	mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length,
+				    virt_addr, access_flags);
 	if (IS_ERR(mr->umem)) {
 		err = PTR_ERR(mr->umem);
 		goto err_free;
@@ -454,6 +486,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
 	}
 
 	if (flags & IB_MR_REREG_ACCESS) {
+		if (ib_access_writable(mr_access_flags) && !mmr->umem->writable)
+			return -EPERM;
+
 		err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry,
 					       convert_access(mr_access_flags));
 
@@ -467,10 +502,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
 
 		mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr);
 		ib_umem_release(mmr->umem);
-		mmr->umem = ib_umem_get(mr->uobject->context, start, length,
-					mr_access_flags |
-					IB_ACCESS_LOCAL_WRITE,
-					0);
+		mmr->umem =
+			mlx4_get_umem_mr(mr->uobject->context, start, length,
+					 virt_addr, mr_access_flags);
 		if (IS_ERR(mmr->umem)) {
 			err = PTR_ERR(mmr->umem);
 			/* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 087/220] IB/core: Make testing MR flags for writability a static inline function
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 086/220] IB/mlx4: Mark user MR as writable if actual virtual memory is writable Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 088/220] IB/mlx5: Fetch soft WQEs on fatal error state Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Jack Morgenstein,
	Leon Romanovsky

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 08bb558ac11ab944e0539e78619d7b4c356278bd upstream.

Make the MR writability flags check, which is performed in umem.c,
a static inline function in file ib_verbs.h

This allows the function to be used by low-level infiniband drivers.

Cc: <stable@vger.kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/umem.c |   11 +----------
 include/rdma/ib_verbs.h        |   14 ++++++++++++++
 2 files changed, 15 insertions(+), 10 deletions(-)

--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -119,16 +119,7 @@ struct ib_umem *ib_umem_get(struct ib_uc
 	umem->length     = size;
 	umem->address    = addr;
 	umem->page_shift = PAGE_SHIFT;
-	/*
-	 * We ask for writable memory if any of the following
-	 * access flags are set.  "Local write" and "remote write"
-	 * obviously require write access.  "Remote atomic" can do
-	 * things like fetch and add, which will modify memory, and
-	 * "MW bind" can change permissions by binding a window.
-	 */
-	umem->writable  = !!(access &
-		(IB_ACCESS_LOCAL_WRITE   | IB_ACCESS_REMOTE_WRITE |
-		 IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND));
+	umem->writable   = ib_access_writable(access);
 
 	if (access & IB_ACCESS_ON_DEMAND) {
 		ret = ib_umem_odp_get(context, umem, access);
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -3734,6 +3734,20 @@ static inline int ib_check_mr_access(int
 	return 0;
 }
 
+static inline bool ib_access_writable(int access_flags)
+{
+	/*
+	 * We have writable memory backing the MR if any of the following
+	 * access flags are set.  "Local write" and "remote write" obviously
+	 * require write access.  "Remote atomic" can do things like fetch and
+	 * add, which will modify memory, and "MW bind" can change permissions
+	 * by binding a window.
+	 */
+	return access_flags &
+		(IB_ACCESS_LOCAL_WRITE   | IB_ACCESS_REMOTE_WRITE |
+		 IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND);
+}
+
 /**
  * ib_check_mr_status: lightweight check of MR status.
  *     This routine may provide status checks on a selected



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 088/220] IB/mlx5: Fetch soft WQEs on fatal error state
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 087/220] IB/core: Make testing MR flags for writability a static inline function Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 089/220] IB/isert: Fix for lib/dma_debug check_sync warning Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Erez Shitrit, Leon Romanovsky,
	Jason Gunthorpe

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <erezsh@mellanox.com>

commit 7b74a83cf54a3747e22c57e25712bd70eef8acee upstream.

On fatal error the driver simulates CQE's for ULPs that rely on
completion of all their posted work-request.

For the GSI traffic, the mlx5 has its own mechanism that sends the
completions via software CQE's directly to the relevant CQ.

This should be kept in fatal error too, so the driver should simulate
such CQE's with the specified error state in order to complete GSI QP
work requests.

Without the fix the next deadlock might appears:
        schedule_timeout+0x274/0x350
        wait_for_common+0xec/0x240
        mcast_remove_one+0xd0/0x120 [ib_core]
        ib_unregister_device+0x12c/0x230 [ib_core]
        mlx5_ib_remove+0xc4/0x270 [mlx5_ib]
        mlx5_detach_device+0x184/0x1a0 [mlx5_core]
        mlx5_unload_one+0x308/0x340 [mlx5_core]
        mlx5_pci_err_detected+0x74/0xe0 [mlx5_core]

Cc: <stable@vger.kernel.org> # 4.7
Fixes: 89ea94a7b6c4 ("IB/mlx5: Reset flow support for IB kernel ULPs")
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx5/cq.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/hw/mlx5/cq.c
+++ b/drivers/infiniband/hw/mlx5/cq.c
@@ -637,7 +637,7 @@ repoll:
 }
 
 static int poll_soft_wc(struct mlx5_ib_cq *cq, int num_entries,
-			struct ib_wc *wc)
+			struct ib_wc *wc, bool is_fatal_err)
 {
 	struct mlx5_ib_dev *dev = to_mdev(cq->ibcq.device);
 	struct mlx5_ib_wc *soft_wc, *next;
@@ -650,6 +650,10 @@ static int poll_soft_wc(struct mlx5_ib_c
 		mlx5_ib_dbg(dev, "polled software generated completion on CQ 0x%x\n",
 			    cq->mcq.cqn);
 
+		if (unlikely(is_fatal_err)) {
+			soft_wc->wc.status = IB_WC_WR_FLUSH_ERR;
+			soft_wc->wc.vendor_err = MLX5_CQE_SYNDROME_WR_FLUSH_ERR;
+		}
 		wc[npolled++] = soft_wc->wc;
 		list_del(&soft_wc->list);
 		kfree(soft_wc);
@@ -670,12 +674,17 @@ int mlx5_ib_poll_cq(struct ib_cq *ibcq,
 
 	spin_lock_irqsave(&cq->lock, flags);
 	if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
-		mlx5_ib_poll_sw_comp(cq, num_entries, wc, &npolled);
+		/* make sure no soft wqe's are waiting */
+		if (unlikely(!list_empty(&cq->wc_list)))
+			soft_polled = poll_soft_wc(cq, num_entries, wc, true);
+
+		mlx5_ib_poll_sw_comp(cq, num_entries - soft_polled,
+				     wc + soft_polled, &npolled);
 		goto out;
 	}
 
 	if (unlikely(!list_empty(&cq->wc_list)))
-		soft_polled = poll_soft_wc(cq, num_entries, wc);
+		soft_polled = poll_soft_wc(cq, num_entries, wc, false);
 
 	for (npolled = 0; npolled < num_entries - soft_polled; npolled++) {
 		if (mlx5_poll_one(cq, &cur_qp, wc + soft_polled + npolled))



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 089/220] IB/isert: Fix for lib/dma_debug check_sync warning
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 088/220] IB/mlx5: Fetch soft WQEs on fatal error state Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 090/220] IB/isert: fix T10-pi check mask setting Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Don Dutile,
	Alex Estrin, Dennis Dalessandro, Doug Ledford

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Estrin <alex.estrin@intel.com>

commit 763b69654bfb88ea3230d015e7d755ee8339f8ee upstream.

The following error message occurs on a target host in a debug build
during session login:

[ 3524.411874] WARNING: CPU: 5 PID: 12063 at lib/dma-debug.c:1207 check_sync+0x4ec/0x5b0
[ 3524.421057] infiniband hfi1_0: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x0000000000000000] [size=76 bytes]
......snip .....

[ 3524.535846] CPU: 5 PID: 12063 Comm: iscsi_np Kdump: loaded Not tainted 3.10.0-862.el7.x86_64.debug #1
[ 3524.546764] Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.2.6 06/08/2015
[ 3524.555740] Call Trace:
[ 3524.559102]  [<ffffffffa5fe915b>] dump_stack+0x19/0x1b
[ 3524.565477]  [<ffffffffa58a2f58>] __warn+0xd8/0x100
[ 3524.571557]  [<ffffffffa58a2fdf>] warn_slowpath_fmt+0x5f/0x80
[ 3524.578610]  [<ffffffffa5bf5b8c>] check_sync+0x4ec/0x5b0
[ 3524.585177]  [<ffffffffa58efc3f>] ? set_cpus_allowed_ptr+0x5f/0x1c0
[ 3524.592812]  [<ffffffffa5bf5cd0>] debug_dma_sync_single_for_cpu+0x80/0x90
[ 3524.601029]  [<ffffffffa586add3>] ? x2apic_send_IPI_mask+0x13/0x20
[ 3524.608574]  [<ffffffffa585ee1b>] ? native_smp_send_reschedule+0x5b/0x80
[ 3524.616699]  [<ffffffffa58e9b76>] ? resched_curr+0xf6/0x140
[ 3524.623567]  [<ffffffffc0879af0>] isert_create_send_desc.isra.26+0xe0/0x110 [ib_isert]
[ 3524.633060]  [<ffffffffc087af95>] isert_put_login_tx+0x55/0x8b0 [ib_isert]
[ 3524.641383]  [<ffffffffa58ef114>] ? try_to_wake_up+0x1a4/0x430
[ 3524.648561]  [<ffffffffc098cfed>] iscsi_target_do_tx_login_io+0xdd/0x230 [iscsi_target_mod]
[ 3524.658557]  [<ffffffffc098d827>] iscsi_target_do_login+0x1a7/0x600 [iscsi_target_mod]
[ 3524.668084]  [<ffffffffa59f9bc9>] ? kstrdup+0x49/0x60
[ 3524.674420]  [<ffffffffc098e976>] iscsi_target_start_negotiation+0x56/0xc0 [iscsi_target_mod]
[ 3524.684656]  [<ffffffffc098c2ee>] __iscsi_target_login_thread+0x90e/0x1070 [iscsi_target_mod]
[ 3524.694901]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
[ 3524.705446]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
[ 3524.715976]  [<ffffffffc098ca78>] iscsi_target_login_thread+0x28/0x60 [iscsi_target_mod]
[ 3524.725739]  [<ffffffffa58d60ff>] kthread+0xef/0x100
[ 3524.732007]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
[ 3524.739540]  [<ffffffffa5fff1b7>] ret_from_fork_nospec_begin+0x21/0x21
[ 3524.747558]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
[ 3524.755088] ---[ end trace 23f8bf9238bd1ed8 ]---
[ 3595.510822] iSCSI/iqn.1994-05.com.redhat:537fa56299: Unsupported SCSI Opcode 0xa3, sending CHECK_CONDITION.

The code calls dma_sync on login_tx_desc->dma_addr prior to initializing it
with dma-mapped address.
login_tx_desc is a part of iser_conn structure and is used only once
during login negotiation, so the issue is fixed by eliminating
dma_sync call for this buffer using a special case routine.

Cc: <stable@vger.kernel.org>
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Don Dutile <ddutile@redhat.com>
Signed-off-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/isert/ib_isert.c |   26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -886,15 +886,9 @@ isert_login_post_send(struct isert_conn
 }
 
 static void
-isert_create_send_desc(struct isert_conn *isert_conn,
-		       struct isert_cmd *isert_cmd,
-		       struct iser_tx_desc *tx_desc)
+__isert_create_send_desc(struct isert_device *device,
+			 struct iser_tx_desc *tx_desc)
 {
-	struct isert_device *device = isert_conn->device;
-	struct ib_device *ib_dev = device->ib_device;
-
-	ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
-				   ISER_HEADERS_LEN, DMA_TO_DEVICE);
 
 	memset(&tx_desc->iser_header, 0, sizeof(struct iser_ctrl));
 	tx_desc->iser_header.flags = ISCSI_CTRL;
@@ -907,6 +901,20 @@ isert_create_send_desc(struct isert_conn
 	}
 }
 
+static void
+isert_create_send_desc(struct isert_conn *isert_conn,
+		       struct isert_cmd *isert_cmd,
+		       struct iser_tx_desc *tx_desc)
+{
+	struct isert_device *device = isert_conn->device;
+	struct ib_device *ib_dev = device->ib_device;
+
+	ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
+				   ISER_HEADERS_LEN, DMA_TO_DEVICE);
+
+	__isert_create_send_desc(device, tx_desc);
+}
+
 static int
 isert_init_tx_hdrs(struct isert_conn *isert_conn,
 		   struct iser_tx_desc *tx_desc)
@@ -994,7 +1002,7 @@ isert_put_login_tx(struct iscsi_conn *co
 	struct iser_tx_desc *tx_desc = &isert_conn->login_tx_desc;
 	int ret;
 
-	isert_create_send_desc(isert_conn, NULL, tx_desc);
+	__isert_create_send_desc(device, tx_desc);
 
 	memcpy(&tx_desc->iscsi_header, &login->rsp[0],
 	       sizeof(struct iscsi_hdr));



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 090/220] IB/isert: fix T10-pi check mask setting
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 089/220] IB/isert: Fix for lib/dma_debug check_sync warning Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 091/220] IB/hfi1: Fix fault injection init/exit issues Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Sagi Grimberg,
	Martin K. Petersen, Max Gurtovoy, Jason Gunthorpe

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Gurtovoy <maxg@mellanox.com>

commit 0e12af84cdd3056460f928adc164f9e87f4b303b upstream.

A copy/paste bug (probably) caused setting of an app_tag check mask
in case where a ref_tag check was needed.

Fixes: 38a2d0d429f1 ("IB/isert: convert to the generic RDMA READ/WRITE API")
Fixes: 9e961ae73c2c ("IB/isert: Support T10-PI protected transactions")
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/isert/ib_isert.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -2116,7 +2116,7 @@ isert_set_sig_attrs(struct se_cmd *se_cm
 
 	sig_attrs->check_mask =
 	       (se_cmd->prot_checks & TARGET_DIF_CHECK_GUARD  ? 0xc0 : 0) |
-	       (se_cmd->prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x30 : 0) |
+	       (se_cmd->prot_checks & TARGET_DIF_CHECK_APPTAG ? 0x30 : 0) |
 	       (se_cmd->prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x0f : 0);
 	return 0;
 }



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 091/220] IB/hfi1: Fix fault injection init/exit issues
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 090/220] IB/isert: fix T10-pi check mask setting Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 092/220] IB/hfi1: Reorder incorrect send context disable Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael J. Ruhl, Mike Marciniszyn,
	Dennis Dalessandro, Doug Ledford

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

commit 8c79d8223bb11b2f005695a32ddd3985de97727c upstream.

There are config dependent code paths that expose panics in unload
paths both in this file and in debugfs_remove_recursive() because
CONFIG_FAULT_INJECTION and CONFIG_FAULT_INJECTION_DEBUG_FS can be
set independently.

Having CONFIG_FAULT_INJECTION set and CONFIG_FAULT_INJECTION_DEBUG_FS
reset causes fault_create_debugfs_attr() to return an error.

The debugfs.c routines tolerate failures, but the module unload panics
dereferencing a NULL in the two exit routines.  If that is fixed, the
dir passed to debugfs_remove_recursive comes from a memory location
that was freed and potentially reused causing a segfault or corrupting
memory.

Here is an example of the NULL deref panic:

[66866.286829] BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
[66866.295602] IP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1]
[66866.301138] PGD 858496067 P4D 858496067 PUD 8433a7067 PMD 0
[66866.307452] Oops: 0000 [#1] SMP
[66866.310953] Modules linked in: hfi1(-) rdmavt rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm iw_cm ib_cm ib_core rpcsec_gss_krb5 nfsv4 dns_resolver nfsv3 nfs fscache sb_edac x86_pkg_temp_thermal intel_powerclamp vfat fat coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel iTCO_wdt iTCO_vendor_support crypto_simd mei_me glue_helper cryptd mxm_wmi ipmi_si pcspkr lpc_ich sg mei ioatdma ipmi_devintf i2c_i801 mfd_core shpchp ipmi_msghandler wmi acpi_power_meter acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sd_mod mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt igb fb_sys_fops ttm ahci ptp crc32c_intel libahci pps_core drm dca libata i2c_algo_bit i2c_core [last unloaded: opa_vnic]
[66866.385551] CPU: 8 PID: 7470 Comm: rmmod Not tainted 4.14.0-mam-tid-rdma #2
[66866.393317] Hardware name: Intel Corporation S2600WT2/S2600WT2, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
[66866.405252] task: ffff88084f28c380 task.stack: ffffc90008454000
[66866.411866] RIP: 0010:hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1]
[66866.417984] RSP: 0018:ffffc90008457da0 EFLAGS: 00010202
[66866.423812] RAX: 0000000000000000 RBX: ffff880857de0000 RCX: 0000000180040001
[66866.431773] RDX: 0000000180040002 RSI: ffffea0021088200 RDI: 0000000040000000
[66866.439734] RBP: ffffc90008457da8 R08: ffff88084220e000 R09: 0000000180040001
[66866.447696] R10: 000000004220e001 R11: ffff88084220e000 R12: ffff88085a31c000
[66866.455657] R13: ffffffffa07c9820 R14: ffffffffa07c9890 R15: ffff881059d78100
[66866.463618] FS:  00007f6876047740(0000) GS:ffff88085f800000(0000) knlGS:0000000000000000
[66866.472644] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[66866.479053] CR2: 0000000000000088 CR3: 0000000856357006 CR4: 00000000001606e0
[66866.487013] Call Trace:
[66866.489747]  remove_one+0x1f/0x220 [hfi1]
[66866.494221]  pci_device_remove+0x39/0xc0
[66866.498596]  device_release_driver_internal+0x141/0x210
[66866.504424]  driver_detach+0x3f/0x80
[66866.508409]  bus_remove_driver+0x55/0xd0
[66866.512784]  driver_unregister+0x2c/0x50
[66866.517164]  pci_unregister_driver+0x2a/0xa0
[66866.521934]  hfi1_mod_cleanup+0x10/0xaa2 [hfi1]
[66866.526988]  SyS_delete_module+0x171/0x250
[66866.531558]  do_syscall_64+0x67/0x1b0
[66866.535644]  entry_SYSCALL64_slow_path+0x25/0x25
[66866.540792] RIP: 0033:0x7f6875525c27
[66866.544777] RSP: 002b:00007ffd48528e78 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[66866.553224] RAX: ffffffffffffffda RBX: 0000000001cc01d0 RCX: 00007f6875525c27
[66866.561185] RDX: 00007f6875596000 RSI: 0000000000000800 RDI: 0000000001cc0238
[66866.569146] RBP: 0000000000000000 R08: 00007f68757e9060 R09: 00007f6875596000
[66866.577120] R10: 00007ffd48528c00 R11: 0000000000000206 R12: 00007ffd48529db4
[66866.585080] R13: 0000000000000000 R14: 0000000001cc01d0 R15: 0000000001cc0010
[66866.593040] Code: 90 0f 1f 44 00 00 48 83 3d a3 8b 03 00 00 55 48 89 e5 53 48 89 fb 74 4e 48 8d bf 18 0c 00 00 e8 9d f2 ff ff 48 8b 83 20 0c 00 00 <48> 8b b8 88 00 00 00 e8 2a 21 b3 e0 48 8b bb 20 0c 00 00 e8 0e
[66866.614127] RIP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] RSP: ffffc90008457da0
[66866.621885] CR2: 0000000000000088
[66866.625618] ---[ end trace c4817425783fb092 ]---

Fix by insuring that upon failure from fault_create_debugfs_attr() the
parent pointer for the routines is always set to NULL and guards added
in the exit routines to insure that debugfs_remove_recursive() is not
called when when the parent pointer is NULL.

Fixes: 0181ce31b260 ("IB/hfi1: Add receive fault injection feature")
Cc: <stable@vger.kernel.org> # 4.14.x
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/debugfs.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/hfi1/debugfs.c
+++ b/drivers/infiniband/hw/hfi1/debugfs.c
@@ -1227,7 +1227,8 @@ DEBUGFS_FILE_OPS(fault_stats);
 
 static void fault_exit_opcode_debugfs(struct hfi1_ibdev *ibd)
 {
-	debugfs_remove_recursive(ibd->fault_opcode->dir);
+	if (ibd->fault_opcode)
+		debugfs_remove_recursive(ibd->fault_opcode->dir);
 	kfree(ibd->fault_opcode);
 	ibd->fault_opcode = NULL;
 }
@@ -1255,6 +1256,7 @@ static int fault_init_opcode_debugfs(str
 					  &ibd->fault_opcode->attr);
 	if (IS_ERR(ibd->fault_opcode->dir)) {
 		kfree(ibd->fault_opcode);
+		ibd->fault_opcode = NULL;
 		return -ENOENT;
 	}
 
@@ -1278,7 +1280,8 @@ fail:
 
 static void fault_exit_packet_debugfs(struct hfi1_ibdev *ibd)
 {
-	debugfs_remove_recursive(ibd->fault_packet->dir);
+	if (ibd->fault_packet)
+		debugfs_remove_recursive(ibd->fault_packet->dir);
 	kfree(ibd->fault_packet);
 	ibd->fault_packet = NULL;
 }
@@ -1304,6 +1307,7 @@ static int fault_init_packet_debugfs(str
 					  &ibd->fault_opcode->attr);
 	if (IS_ERR(ibd->fault_packet->dir)) {
 		kfree(ibd->fault_packet);
+		ibd->fault_packet = NULL;
 		return -ENOENT;
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 092/220] IB/hfi1: Reorder incorrect send context disable
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 091/220] IB/hfi1: Fix fault injection init/exit issues Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 093/220] IB/hfi1: Optimize kthread pointer locking when queuing CQ entries Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mitko Haralanov, Mike Marciniszyn,
	Michael J. Ruhl, Dennis Dalessandro, Doug Ledford

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael J. Ruhl <michael.j.ruhl@intel.com>

commit a93a0a31111231bb1949f4a83b17238f0fa32d6a upstream.

User send context integrity bits are cleared before the context is
disabled.  If the send context is still processing data, any packets
that need those integrity bits will cause an error and halt the send
context.

During the disable handling, the driver waits for the context to drain.
If the context is halted, the driver will eventually timeout because
the context won't drain and then incorrectly bounce the link.

Reorder the bit clearing and the context disable.

Examine the software state and send context status as well as the
egress status to determine if a send context is in the halted state.

Promote the check macros to static functions for consistency with the
new check and to follow kernel style.

Remove an unused define that refers to the egress timeout.

Cc: <stable@vger.kernel.org> # 4.9.x
Reviewed-by: Mitko Haralanov <mitko.haralanov@intel.com>
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/file_ops.c |    2 -
 drivers/infiniband/hw/hfi1/pio.c      |   44 ++++++++++++++++++++++++++--------
 2 files changed, 35 insertions(+), 11 deletions(-)

--- a/drivers/infiniband/hw/hfi1/file_ops.c
+++ b/drivers/infiniband/hw/hfi1/file_ops.c
@@ -689,8 +689,8 @@ static int hfi1_file_close(struct inode
 	 * checks to default and disable the send context.
 	 */
 	if (uctxt->sc) {
-		set_pio_integrity(uctxt->sc);
 		sc_disable(uctxt->sc);
+		set_pio_integrity(uctxt->sc);
 	}
 
 	hfi1_free_ctxt_rcv_groups(uctxt);
--- a/drivers/infiniband/hw/hfi1/pio.c
+++ b/drivers/infiniband/hw/hfi1/pio.c
@@ -50,8 +50,6 @@
 #include "qp.h"
 #include "trace.h"
 
-#define SC_CTXT_PACKET_EGRESS_TIMEOUT 350 /* in chip cycles */
-
 #define SC(name) SEND_CTXT_##name
 /*
  * Send Context functions
@@ -961,15 +959,40 @@ void sc_disable(struct send_context *sc)
 }
 
 /* return SendEgressCtxtStatus.PacketOccupancy */
-#define packet_occupancy(r) \
-	(((r) & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SMASK)\
-	>> SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SHIFT)
+static u64 packet_occupancy(u64 reg)
+{
+	return (reg &
+		SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SMASK)
+		>> SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SHIFT;
+}
 
 /* is egress halted on the context? */
-#define egress_halted(r) \
-	((r) & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_HALT_STATUS_SMASK)
+static bool egress_halted(u64 reg)
+{
+	return !!(reg & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_HALT_STATUS_SMASK);
+}
+
+/* is the send context halted? */
+static bool is_sc_halted(struct hfi1_devdata *dd, u32 hw_context)
+{
+	return !!(read_kctxt_csr(dd, hw_context, SC(STATUS)) &
+		  SC(STATUS_CTXT_HALTED_SMASK));
+}
 
-/* wait for packet egress, optionally pause for credit return  */
+/**
+ * sc_wait_for_packet_egress
+ * @sc: valid send context
+ * @pause: wait for credit return
+ *
+ * Wait for packet egress, optionally pause for credit return
+ *
+ * Egress halt and Context halt are not necessarily the same thing, so
+ * check for both.
+ *
+ * NOTE: The context halt bit may not be set immediately.  Because of this,
+ * it is necessary to check the SW SFC_HALTED bit (set in the IRQ) and the HW
+ * context bit to determine if the context is halted.
+ */
 static void sc_wait_for_packet_egress(struct send_context *sc, int pause)
 {
 	struct hfi1_devdata *dd = sc->dd;
@@ -981,8 +1004,9 @@ static void sc_wait_for_packet_egress(st
 		reg_prev = reg;
 		reg = read_csr(dd, sc->hw_context * 8 +
 			       SEND_EGRESS_CTXT_STATUS);
-		/* done if egress is stopped */
-		if (egress_halted(reg))
+		/* done if any halt bits, SW or HW are set */
+		if (sc->flags & SCF_HALTED ||
+		    is_sc_halted(dd, sc->hw_context) || egress_halted(reg))
 			break;
 		reg = packet_occupancy(reg);
 		if (reg == 0)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 093/220] IB/hfi1: Optimize kthread pointer locking when queuing CQ entries
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 092/220] IB/hfi1: Reorder incorrect send context disable Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 094/220] IB/hfi1: Fix user context tail allocation for DMA_RTAIL Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Sebastian Sanchez,
	Dennis Dalessandro, Doug Ledford

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Sanchez <sebastian.sanchez@intel.com>

commit af8aab71370a692eaf7e7969ba5b1a455ac20113 upstream.

All threads queuing CQ entries on different CQs are unnecessarily
synchronized by a spin lock to check if the CQ kthread worker hasn't
been destroyed before queuing an CQ entry.

The lock used in 6efaf10f163d ("IB/rdmavt: Avoid queuing work into a
destroyed cq kthread worker") is a device global lock and will have
poor performance at scale as completions are entered from a large
number of CPUs.

Convert to use RCU where the read side of RCU is rvt_cq_enter() to
determine that the worker is alive prior to triggering the
completion event.
Apply write side RCU semantics in rvt_driver_cq_init() and
rvt_cq_exit().

Fixes: 6efaf10f163d ("IB/rdmavt: Avoid queuing work into a destroyed cq kthread worker")
Cc: <stable@vger.kernel.org> # 4.14.x
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/sw/rdmavt/cq.c |   31 +++++++++++++++++++------------
 include/rdma/rdma_vt.h            |    2 +-
 2 files changed, 20 insertions(+), 13 deletions(-)

--- a/drivers/infiniband/sw/rdmavt/cq.c
+++ b/drivers/infiniband/sw/rdmavt/cq.c
@@ -120,17 +120,20 @@ void rvt_cq_enter(struct rvt_cq *cq, str
 	if (cq->notify == IB_CQ_NEXT_COMP ||
 	    (cq->notify == IB_CQ_SOLICITED &&
 	     (solicited || entry->status != IB_WC_SUCCESS))) {
+		struct kthread_worker *worker;
+
 		/*
 		 * This will cause send_complete() to be called in
 		 * another thread.
 		 */
-		spin_lock(&cq->rdi->n_cqs_lock);
-		if (likely(cq->rdi->worker)) {
+		rcu_read_lock();
+		worker = rcu_dereference(cq->rdi->worker);
+		if (likely(worker)) {
 			cq->notify = RVT_CQ_NONE;
 			cq->triggered++;
-			kthread_queue_work(cq->rdi->worker, &cq->comptask);
+			kthread_queue_work(worker, &cq->comptask);
 		}
-		spin_unlock(&cq->rdi->n_cqs_lock);
+		rcu_read_unlock();
 	}
 
 	spin_unlock_irqrestore(&cq->lock, flags);
@@ -512,7 +515,7 @@ int rvt_driver_cq_init(struct rvt_dev_in
 	int cpu;
 	struct kthread_worker *worker;
 
-	if (rdi->worker)
+	if (rcu_access_pointer(rdi->worker))
 		return 0;
 
 	spin_lock_init(&rdi->n_cqs_lock);
@@ -524,7 +527,7 @@ int rvt_driver_cq_init(struct rvt_dev_in
 		return PTR_ERR(worker);
 
 	set_user_nice(worker->task, MIN_NICE);
-	rdi->worker = worker;
+	RCU_INIT_POINTER(rdi->worker, worker);
 	return 0;
 }
 
@@ -536,15 +539,19 @@ void rvt_cq_exit(struct rvt_dev_info *rd
 {
 	struct kthread_worker *worker;
 
-	/* block future queuing from send_complete() */
-	spin_lock_irq(&rdi->n_cqs_lock);
-	worker = rdi->worker;
+	if (!rcu_access_pointer(rdi->worker))
+		return;
+
+	spin_lock(&rdi->n_cqs_lock);
+	worker = rcu_dereference_protected(rdi->worker,
+					   lockdep_is_held(&rdi->n_cqs_lock));
 	if (!worker) {
-		spin_unlock_irq(&rdi->n_cqs_lock);
+		spin_unlock(&rdi->n_cqs_lock);
 		return;
 	}
-	rdi->worker = NULL;
-	spin_unlock_irq(&rdi->n_cqs_lock);
+	RCU_INIT_POINTER(rdi->worker, NULL);
+	spin_unlock(&rdi->n_cqs_lock);
+	synchronize_rcu();
 
 	kthread_destroy_worker(worker);
 }
--- a/include/rdma/rdma_vt.h
+++ b/include/rdma/rdma_vt.h
@@ -402,7 +402,7 @@ struct rvt_dev_info {
 	spinlock_t pending_lock; /* protect pending mmap list */
 
 	/* CQ */
-	struct kthread_worker *worker; /* per device cq worker */
+	struct kthread_worker __rcu *worker; /* per device cq worker */
 	u32 n_cqs_allocated;    /* number of CQs allocated for device */
 	spinlock_t n_cqs_lock; /* protect count of in use cqs */
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 094/220] IB/hfi1: Fix user context tail allocation for DMA_RTAIL
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 093/220] IB/hfi1: Optimize kthread pointer locking when queuing CQ entries Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:21 ` [PATCH 4.17 095/220] IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael J. Ruhl, Mike Marciniszyn,
	Dennis Dalessandro, Jason Gunthorpe

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

commit 1bc0299d976e000ececc6acd76e33b4582646cb7 upstream.

The following code fails to allocate a buffer for the
tail address that the hardware DMAs into when the user
context DMA_RTAIL is set.

if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) {
	rcd->rcvhdrtail_kvaddr = dma_zalloc_coherent(
		&dd->pcidev->dev, PAGE_SIZE, &dma_hdrqtail,
                gfp_flags);
	if (!rcd->rcvhdrtail_kvaddr)
		goto bail_free;
	rcd->rcvhdrqtailaddr_dma = dma_hdrqtail;
}

So the rcvhdrtail_kvaddr would then be NULL.

The mmap logic fails to check for a NULL rcvhdrtail_kvaddr.

The fix is to test for both user and kernel DMA_TAIL options
during the allocation as well as testing for a NULL
rcvhdrtail_kvaddr during the mmap processing.

Additionally, all downstream testing of the capmask for DMA_RTAIL
have been eliminated in favor of testing rcvhdrtail_kvaddr.

Cc: <stable@vger.kernel.org> # 4.9.x
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/chip.c     |    8 ++++----
 drivers/infiniband/hw/hfi1/file_ops.c |    2 +-
 drivers/infiniband/hw/hfi1/init.c     |    9 ++++-----
 3 files changed, 9 insertions(+), 10 deletions(-)

--- a/drivers/infiniband/hw/hfi1/chip.c
+++ b/drivers/infiniband/hw/hfi1/chip.c
@@ -6829,7 +6829,7 @@ static void rxe_kernel_unfreeze(struct h
 		}
 		rcvmask = HFI1_RCVCTRL_CTXT_ENB;
 		/* HFI1_RCVCTRL_TAILUPD_[ENB|DIS] needs to be set explicitly */
-		rcvmask |= HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL) ?
+		rcvmask |= rcd->rcvhdrtail_kvaddr ?
 			HFI1_RCVCTRL_TAILUPD_ENB : HFI1_RCVCTRL_TAILUPD_DIS;
 		hfi1_rcvctrl(dd, rcvmask, rcd);
 		hfi1_rcd_put(rcd);
@@ -8355,7 +8355,7 @@ static inline int check_packet_present(s
 	u32 tail;
 	int present;
 
-	if (!HFI1_CAP_IS_KSET(DMA_RTAIL))
+	if (!rcd->rcvhdrtail_kvaddr)
 		present = (rcd->seq_cnt ==
 				rhf_rcv_seq(rhf_to_cpu(get_rhf_addr(rcd))));
 	else /* is RDMA rtail */
@@ -11823,7 +11823,7 @@ void hfi1_rcvctrl(struct hfi1_devdata *d
 		/* reset the tail and hdr addresses, and sequence count */
 		write_kctxt_csr(dd, ctxt, RCV_HDR_ADDR,
 				rcd->rcvhdrq_dma);
-		if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL))
+		if (rcd->rcvhdrtail_kvaddr)
 			write_kctxt_csr(dd, ctxt, RCV_HDR_TAIL_ADDR,
 					rcd->rcvhdrqtailaddr_dma);
 		rcd->seq_cnt = 1;
@@ -11903,7 +11903,7 @@ void hfi1_rcvctrl(struct hfi1_devdata *d
 		rcvctrl |= RCV_CTXT_CTRL_INTR_AVAIL_SMASK;
 	if (op & HFI1_RCVCTRL_INTRAVAIL_DIS)
 		rcvctrl &= ~RCV_CTXT_CTRL_INTR_AVAIL_SMASK;
-	if (op & HFI1_RCVCTRL_TAILUPD_ENB && rcd->rcvhdrqtailaddr_dma)
+	if ((op & HFI1_RCVCTRL_TAILUPD_ENB) && rcd->rcvhdrtail_kvaddr)
 		rcvctrl |= RCV_CTXT_CTRL_TAIL_UPD_SMASK;
 	if (op & HFI1_RCVCTRL_TAILUPD_DIS) {
 		/* See comment on RcvCtxtCtrl.TailUpd above */
--- a/drivers/infiniband/hw/hfi1/file_ops.c
+++ b/drivers/infiniband/hw/hfi1/file_ops.c
@@ -505,7 +505,7 @@ static int hfi1_file_mmap(struct file *f
 			ret = -EINVAL;
 			goto done;
 		}
-		if (flags & VM_WRITE) {
+		if ((flags & VM_WRITE) || !uctxt->rcvhdrtail_kvaddr) {
 			ret = -EPERM;
 			goto done;
 		}
--- a/drivers/infiniband/hw/hfi1/init.c
+++ b/drivers/infiniband/hw/hfi1/init.c
@@ -1844,7 +1844,6 @@ int hfi1_create_rcvhdrq(struct hfi1_devd
 	u64 reg;
 
 	if (!rcd->rcvhdrq) {
-		dma_addr_t dma_hdrqtail;
 		gfp_t gfp_flags;
 
 		/*
@@ -1869,13 +1868,13 @@ int hfi1_create_rcvhdrq(struct hfi1_devd
 			goto bail;
 		}
 
-		if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) {
+		if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL) ||
+		    HFI1_CAP_UGET_MASK(rcd->flags, DMA_RTAIL)) {
 			rcd->rcvhdrtail_kvaddr = dma_zalloc_coherent(
-				&dd->pcidev->dev, PAGE_SIZE, &dma_hdrqtail,
-				gfp_flags);
+				&dd->pcidev->dev, PAGE_SIZE,
+				&rcd->rcvhdrqtailaddr_dma, gfp_flags);
 			if (!rcd->rcvhdrtail_kvaddr)
 				goto bail_free;
-			rcd->rcvhdrqtailaddr_dma = dma_hdrqtail;
 		}
 
 		rcd->rcvhdrq_size = amt;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 095/220] IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 094/220] IB/hfi1: Fix user context tail allocation for DMA_RTAIL Greg Kroah-Hartman
@ 2018-07-01 16:21 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 096/220] RDMA/mlx4: Discard unknown SQP work requests Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:21 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Bloch, Jason Gunthorpe, Leon Romanovsky

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@mellanox.com>

commit 1eb9364ce81d9445ad6f9d44921a91d2a6597156 upstream.

During disassociation the ucontext will become NULL, however due to how
the SRCU locking works the ucontext must only be examined after looking
at the ib_dev, which governs the RCU control flow.

With the wrong ordering userspace will see EINVAL instead of EIO for a
disassociated uverbs FD, which breaks rdma-core.

Cc: stable@vger.kernel.org
Fixes: 491d5c6a3023 ("RDMA/uverbs: Move uncontext check before SRCU read lock")
Reported-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/uverbs_main.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -734,10 +734,6 @@ static ssize_t ib_uverbs_write(struct fi
 	if (ret)
 		return ret;
 
-	if (!file->ucontext &&
-	    (command != IB_USER_VERBS_CMD_GET_CONTEXT || extended))
-		return -EINVAL;
-
 	if (extended) {
 		if (count < (sizeof(hdr) + sizeof(ex_hdr)))
 			return -EINVAL;
@@ -757,6 +753,16 @@ static ssize_t ib_uverbs_write(struct fi
 		goto out;
 	}
 
+	/*
+	 * Must be after the ib_dev check, as once the RCU clears ib_dev ==
+	 * NULL means ucontext == NULL
+	 */
+	if (!file->ucontext &&
+	    (command != IB_USER_VERBS_CMD_GET_CONTEXT || extended)) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	if (!verify_command_mask(ib_dev, command, extended)) {
 		ret = -EOPNOTSUPP;
 		goto out;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 096/220] RDMA/mlx4: Discard unknown SQP work requests
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2018-07-01 16:21 ` [PATCH 4.17 095/220] IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 097/220] xprtrdma: Return -ENOBUFS when no pages are available Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Leon Romanovsky, Doug Ledford

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 6b1ca7ece15e94251d1d0d919f813943e4a58059 upstream.

There is no need to crash the machine if unknown work request was
received in SQP MAD.

Cc: <stable@vger.kernel.org> # 3.6
Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx4/mad.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -1934,7 +1934,6 @@ static void mlx4_ib_sqp_comp_worker(stru
 					       "buf:%lld\n", wc.wr_id);
 				break;
 			default:
-				BUG_ON(1);
 				break;
 			}
 		} else  {



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 097/220] xprtrdma: Return -ENOBUFS when no pages are available
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 096/220] RDMA/mlx4: Discard unknown SQP work requests Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 098/220] RDMA/core: Save kernel caller name when creating CQ using ib_create_cq() Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chuck Lever, Anna Schumaker

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit a8f688ec437dc2045cc8f0c89fe877d5803850da upstream.

The use of -EAGAIN in rpcrdma_convert_iovs() is a latent bug: the
transport never calls xprt_write_space() when more pages become
available. -ENOBUFS will trigger the correct "delay briefly and call
again" logic.

Fixes: 7a89f9c626e3 ("xprtrdma: Honor ->send_request API contract")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org # 4.8+
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/xprtrdma/rpc_rdma.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/xprtrdma/rpc_rdma.c
+++ b/net/sunrpc/xprtrdma/rpc_rdma.c
@@ -230,7 +230,7 @@ rpcrdma_convert_iovs(struct rpcrdma_xprt
 			 */
 			*ppages = alloc_page(GFP_ATOMIC);
 			if (!*ppages)
-				return -EAGAIN;
+				return -ENOBUFS;
 		}
 		seg->mr_page = *ppages;
 		seg->mr_offset = (char *)page_base;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 098/220] RDMA/core: Save kernel caller name when creating CQ using ib_create_cq()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 097/220] xprtrdma: Return -ENOBUFS when no pages are available Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 099/220] mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Wise, Potnuri Bharat Teja,
	Leon Romanovsky, Jason Gunthorpe

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bharat Potnuri <bharat@chelsio.com>

commit 7350cdd0257e73a37df57253fb9decd8effacd37 upstream.

Few kernel applications like SCST-iSER create CQ using ib_create_cq(),
where accessing CQ structures using rdma restrack tool leads to below NULL
pointer dereference. This patch saves caller kernel module name similar to
ib_alloc_cq().

BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff8132ca70>] skip_spaces+0x30/0x30
PGD 738bac067 PUD 8533f0067 PMD 0
Oops: 0000 [#1] SMP
R10: ffff88017fc03300 R11: 0000000000000246 R12: 0000000000000000
R13: ffff88082fa5a668 R14: ffff88017475a000 R15: 0000000000000000
FS:  00002b32726582c0(0000) GS:ffff88087fc40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000008491a1000 CR4: 00000000003607e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 [<ffffffffc05af69c>] ? fill_res_name_pid+0x7c/0x90 [ib_core]
 [<ffffffffc05af79f>] fill_res_cq_entry+0xef/0x170 [ib_core]
 [<ffffffffc05af4c4>] res_get_common_dumpit+0x3c4/0x480 [ib_core]
 [<ffffffffc05af5d3>] nldev_res_get_cq_dumpit+0x13/0x20 [ib_core]
 [<ffffffff815bc1e7>] netlink_dump+0x117/0x2e0
 [<ffffffff815bcb8b>] __netlink_dump_start+0x1ab/0x230
 [<ffffffffc059fead>] ibnl_rcv_msg+0x11d/0x1f0 [ib_core]
 [<ffffffffc05af5c0>] ? nldev_res_get_mr_dumpit+0x20/0x20 [ib_core]
 [<ffffffffc059fd90>] ? rdma_nl_multicast+0x30/0x30 [ib_core]
 [<ffffffff815bea49>] netlink_rcv_skb+0xa9/0xc0
 [<ffffffffc05a0018>] ibnl_rcv+0x98/0xb0 [ib_core]
 [<ffffffff815be132>] netlink_unicast+0xf2/0x1b0
 [<ffffffff815be50f>] netlink_sendmsg+0x31f/0x6a0
 [<ffffffff8156b580>] sock_sendmsg+0xb0/0xf0
 [<ffffffff816ace9e>] ? _raw_spin_unlock_bh+0x1e/0x20
 [<ffffffff8156f998>] ? release_sock+0x118/0x170
 [<ffffffff8156b731>] SYSC_sendto+0x121/0x1c0
 [<ffffffff81568340>] ? sock_alloc_file+0xa0/0x140
 [<ffffffff81221265>] ? __fd_install+0x25/0x60
 [<ffffffff8156c2ce>] SyS_sendto+0xe/0x10
 [<ffffffff816b6c2a>] system_call_fastpath+0x16/0x1b
RIP  [<ffffffff8132ca70>] skip_spaces+0x30/0x30
RSP <ffff88072be97760>
CR2: 0000000000000000

Cc: <stable@vger.kernel.org>
Fixes: f66c8ba4c9fa ("RDMA/core: Save kernel caller name when creating PD and CQ objects")
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/verbs.c |   14 ++++++++------
 include/rdma/ib_verbs.h         |   13 ++++++++-----
 2 files changed, 16 insertions(+), 11 deletions(-)

--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1562,11 +1562,12 @@ EXPORT_SYMBOL(ib_destroy_qp);
 
 /* Completion queues */
 
-struct ib_cq *ib_create_cq(struct ib_device *device,
-			   ib_comp_handler comp_handler,
-			   void (*event_handler)(struct ib_event *, void *),
-			   void *cq_context,
-			   const struct ib_cq_init_attr *cq_attr)
+struct ib_cq *__ib_create_cq(struct ib_device *device,
+			     ib_comp_handler comp_handler,
+			     void (*event_handler)(struct ib_event *, void *),
+			     void *cq_context,
+			     const struct ib_cq_init_attr *cq_attr,
+			     const char *caller)
 {
 	struct ib_cq *cq;
 
@@ -1580,12 +1581,13 @@ struct ib_cq *ib_create_cq(struct ib_dev
 		cq->cq_context    = cq_context;
 		atomic_set(&cq->usecnt, 0);
 		cq->res.type = RDMA_RESTRACK_CQ;
+		cq->res.kern_name = caller;
 		rdma_restrack_add(&cq->res);
 	}
 
 	return cq;
 }
-EXPORT_SYMBOL(ib_create_cq);
+EXPORT_SYMBOL(__ib_create_cq);
 
 int rdma_set_cq_moderation(struct ib_cq *cq, u16 cq_count, u16 cq_period)
 {
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -3310,11 +3310,14 @@ int ib_process_cq_direct(struct ib_cq *c
  *
  * Users can examine the cq structure to determine the actual CQ size.
  */
-struct ib_cq *ib_create_cq(struct ib_device *device,
-			   ib_comp_handler comp_handler,
-			   void (*event_handler)(struct ib_event *, void *),
-			   void *cq_context,
-			   const struct ib_cq_init_attr *cq_attr);
+struct ib_cq *__ib_create_cq(struct ib_device *device,
+			     ib_comp_handler comp_handler,
+			     void (*event_handler)(struct ib_event *, void *),
+			     void *cq_context,
+			     const struct ib_cq_init_attr *cq_attr,
+			     const char *caller);
+#define ib_create_cq(device, cmp_hndlr, evt_hndlr, cq_ctxt, cq_attr) \
+	__ib_create_cq((device), (cmp_hndlr), (evt_hndlr), (cq_ctxt), (cq_attr), KBUILD_MODNAME)
 
 /**
  * ib_resize_cq - Modifies the capacity of the CQ.



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 099/220] mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 098/220] RDMA/core: Save kernel caller name when creating CQ using ib_create_cq() Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 100/220] mtd: cfi_cmdset_0002: Change write buffer to check correct value Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Boris Brezillon, Miquel Raynal

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Brezillon <boris.brezillon@bootlin.com>

commit 782d1967d0479ffd59412b2f3179c8bb35f50ff6 upstream.

The ONFI spec clearly says that FAIL bit is only valid for PROGRAM,
ERASE and READ-with-on-die-ECC operations, and should be ignored
otherwise.

It seems that checking it after sending a SET_FEATURES is a bad idea
because a previous READ, PROGRAM or ERASE op may have failed, and
depending on the implementation, the FAIL bit is not cleared until a
new READ, PROGRAM or ERASE is started.

This leads to ->set_features() returning -EIO while it actually worked,
which can sometimes stop a batch of READ/PROGRAM ops.

Note that we only fix the ->exec_op() path here, because some drivers
are abusing the NAND_STATUS_FAIL flag in their ->waitfunc()
implementation to propagate other kind of errors, like
wait-ready-timeout or controller-related errors. Let's not try to fix
those drivers since they worked fine so far.

Fixes: 8878b126df76 ("mtd: nand: add ->exec_op() implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/nand_base.c |   29 ++++++++++-------------------
 1 file changed, 10 insertions(+), 19 deletions(-)

--- a/drivers/mtd/nand/raw/nand_base.c
+++ b/drivers/mtd/nand/raw/nand_base.c
@@ -2174,7 +2174,6 @@ static int nand_set_features_op(struct n
 	struct mtd_info *mtd = nand_to_mtd(chip);
 	const u8 *params = data;
 	int i, ret;
-	u8 status;
 
 	if (chip->exec_op) {
 		const struct nand_sdr_timings *sdr =
@@ -2188,26 +2187,18 @@ static int nand_set_features_op(struct n
 		};
 		struct nand_operation op = NAND_OPERATION(instrs);
 
-		ret = nand_exec_op(chip, &op);
-		if (ret)
-			return ret;
-
-		ret = nand_status_op(chip, &status);
-		if (ret)
-			return ret;
-	} else {
-		chip->cmdfunc(mtd, NAND_CMD_SET_FEATURES, feature, -1);
-		for (i = 0; i < ONFI_SUBFEATURE_PARAM_LEN; ++i)
-			chip->write_byte(mtd, params[i]);
-
-		ret = chip->waitfunc(mtd, chip);
-		if (ret < 0)
-			return ret;
-
-		status = ret;
+		return nand_exec_op(chip, &op);
 	}
 
-	if (status & NAND_STATUS_FAIL)
+	chip->cmdfunc(mtd, NAND_CMD_SET_FEATURES, feature, -1);
+	for (i = 0; i < ONFI_SUBFEATURE_PARAM_LEN; ++i)
+		chip->write_byte(mtd, params[i]);
+
+	ret = chip->waitfunc(mtd, chip);
+	if (ret < 0)
+		return ret;
+
+	if (ret & NAND_STATUS_FAIL)
 		return -EIO;
 
 	return 0;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 100/220] mtd: cfi_cmdset_0002: Change write buffer to check correct value
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 099/220] mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 101/220] mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tokunori Ikegami, Joakim Tjernlund,
	Chris Packham, Brian Norris, David Woodhouse, Boris Brezillon,
	Marek Vasut, Richard Weinberger, Cyrille Pitchen, linux-mtd,
	Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>

commit dfeae1073583dc35c33b32150e18b7048bbb37e6 upstream.

For the word write it is checked if the chip has the correct value.
But it is not checked for the write buffer as only checked if ready.
To make sure for the write buffer change to check the value.

It is enough as this patch is only checking the last written word.
Since it is described by data sheets to check the operation status.

Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: Brian Norris <computersforpeace@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
Cc: Marek Vasut <marek.vasut@gmail.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
Cc: linux-mtd@lists.infradead.org
Cc: stable@vger.kernel.org
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/cfi_cmdset_0002.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -1880,7 +1880,7 @@ static int __xipram do_write_buffer(stru
 		if (time_after(jiffies, timeo) && !chip_ready(map, adr))
 			break;
 
-		if (chip_ready(map, adr)) {
+		if (chip_good(map, adr, datum)) {
 			xip_enable(map, chip, adr);
 			goto op_done;
 		}



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 101/220] mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 100/220] mtd: cfi_cmdset_0002: Change write buffer to check correct value Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 102/220] mtd: rawnand: fix return value check for bad block status Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philipp Rosenberger, Boris Brezillon,
	Masahiro Yamada, Richard Weinberger

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>

commit 3f6e6986045d47f87bd982910821b7ab9758487e upstream.

Since commit 1bb88666775e ("mtd: nand: denali: handle timing parameters
by setup_data_interface()"), denali_dt.c gets the clock rate from the
clock driver.  The driver expects the frequency of the bus interface
clock, whereas the clock driver of SOCFPGA provides the core clock.
Thus, the setup_data_interface() hook calculates timing parameters
based on a wrong frequency.

To make it work without relying on the clock driver, hard-code the clock
frequency, 200MHz.  This is fine for existing DT of UniPhier, and also
fixes the issue of SOCFPGA because both platforms use 200 MHz for the
bus interface clock.

Fixes: 1bb88666775e ("mtd: nand: denali: handle timing parameters by setup_data_interface()")
Cc: linux-stable <stable@vger.kernel.org> #4.14+
Reported-by: Philipp Rosenberger <p.rosenberger@linutronix.de>
Suggested-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Tested-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/denali_dt.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/mtd/nand/raw/denali_dt.c
+++ b/drivers/mtd/nand/raw/denali_dt.c
@@ -123,7 +123,11 @@ static int denali_dt_probe(struct platfo
 	if (ret)
 		return ret;
 
-	denali->clk_x_rate = clk_get_rate(dt->clk);
+	/*
+	 * Hardcode the clock rate for the backward compatibility.
+	 * This works for both SOCFPGA and UniPhier.
+	 */
+	denali->clk_x_rate = 200000000;
 
 	ret = denali_init(denali);
 	if (ret)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 102/220] mtd: rawnand: fix return value check for bad block status
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 101/220] mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 103/220] mtd: rawnand: mxc: set spare area size register explicitly Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abhishek Sahu, Miquel Raynal,
	Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abhishek Sahu <absahu@codeaurora.org>

commit e9893e6fa932f42c90c4ac5849fa9aa0f0f00a34 upstream.

Positive return value from read_oob() is making false BAD
blocks. For some of the NAND controllers, OOB bytes will be
protected with ECC and read_oob() will return number of bitflips.
If there is any bitflip in ECC protected OOB bytes for BAD block
status page, then that block is getting treated as BAD.

Fixes: c120e75e0e7d ("mtd: nand: use read_oob() instead of cmdfunc() for bad block check")
Cc: <stable@vger.kernel.org>
Signed-off-by: Abhishek Sahu <absahu@codeaurora.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/nand_base.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/nand/raw/nand_base.c
+++ b/drivers/mtd/nand/raw/nand_base.c
@@ -440,7 +440,7 @@ static int nand_block_bad(struct mtd_inf
 
 	for (; page < page_end; page++) {
 		res = chip->ecc.read_oob(mtd, chip, page);
-		if (res)
+		if (res < 0)
 			return res;
 
 		bad = chip->oob_poi[chip->badblockpos];



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 103/220] mtd: rawnand: mxc: set spare area size register explicitly
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 102/220] mtd: rawnand: fix return value check for bad block status Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 104/220] mtd: rawnand: micron: add ONFI_FEATURE_ON_DIE_ECC to supported features Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Kaiser, Sascha Hauer,
	Miquel Raynal, Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kaiser <martin@kaiser.cx>

commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream.

The v21 version of the NAND flash controller contains a Spare Area Size
Register (SPAS) at offset 0x10. Its setting defaults to the maximum
spare area size of 218 bytes. The size that is set in this register is
used by the controller when it calculates the ECC bytes internally in
hardware.

Usually, this register is updated from settings in the IIM fuses when
the system is booting from NAND flash. For other boot media, however,
the SPAS register remains at the default setting, which may not work for
the particular flash chip on the board. The same goes for flash chips
whose configuration cannot be set in the IIM fuses (e.g. chips with 2k
sector size and 128 bytes spare area size can't be configured in the IIM
fuses on imx25 systems).

Set the SPAS register explicitly during the preset operation. Derive the
register value from mtd->oobsize that was detected during probe by
decoding the flash chip's ID bytes.

While at it, rename the define for the spare area register's offset to
NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is
different from the register on v21 controllers.

Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/mxc_nand.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/mtd/nand/raw/mxc_nand.c
+++ b/drivers/mtd/nand/raw/mxc_nand.c
@@ -48,7 +48,7 @@
 #define NFC_V1_V2_CONFIG		(host->regs + 0x0a)
 #define NFC_V1_V2_ECC_STATUS_RESULT	(host->regs + 0x0c)
 #define NFC_V1_V2_RSLTMAIN_AREA		(host->regs + 0x0e)
-#define NFC_V1_V2_RSLTSPARE_AREA	(host->regs + 0x10)
+#define NFC_V21_RSLTSPARE_AREA		(host->regs + 0x10)
 #define NFC_V1_V2_WRPROT		(host->regs + 0x12)
 #define NFC_V1_UNLOCKSTART_BLKADDR	(host->regs + 0x14)
 #define NFC_V1_UNLOCKEND_BLKADDR	(host->regs + 0x16)
@@ -1274,6 +1274,9 @@ static void preset_v2(struct mtd_info *m
 	writew(config1, NFC_V1_V2_CONFIG1);
 	/* preset operation */
 
+	/* spare area size in 16-bit half-words */
+	writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);
+
 	/* Unlock the internal RAM Buffer */
 	writew(0x2, NFC_V1_V2_CONFIG);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 104/220] mtd: rawnand: micron: add ONFI_FEATURE_ON_DIE_ECC to supported features
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 103/220] mtd: rawnand: mxc: set spare area size register explicitly Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 105/220] mtd: rawnand: All AC chips have a broken GET_FEATURES(TIMINGS) Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Packham, Miquel Raynal,
	Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Packham <chris.packham@alliedtelesis.co.nz>

commit 12baf7721143c83150fa973484b7b5fcd86b23f0 upstream.

Add ONFI_FEATURE_ON_DIE_ECC to the set/get features list for Micron
NAND flash.

Fixes: 789157e41a06 ("mtd: rawnand: allow vendors to declare (un)supported features")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/nand_micron.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mtd/nand/raw/nand_micron.c
+++ b/drivers/mtd/nand/raw/nand_micron.c
@@ -66,7 +66,9 @@ static int micron_nand_onfi_init(struct
 
 	if (p->supports_set_get_features) {
 		set_bit(ONFI_FEATURE_ADDR_READ_RETRY, p->set_feature_list);
+		set_bit(ONFI_FEATURE_ON_DIE_ECC, p->set_feature_list);
 		set_bit(ONFI_FEATURE_ADDR_READ_RETRY, p->get_feature_list);
+		set_bit(ONFI_FEATURE_ON_DIE_ECC, p->get_feature_list);
 	}
 
 	return 0;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 105/220] mtd: rawnand: All AC chips have a broken GET_FEATURES(TIMINGS).
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 104/220] mtd: rawnand: micron: add ONFI_FEATURE_ON_DIE_ECC to supported features Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 106/220] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mason Yang, Boris Brezillon, Miquel Raynal

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mason Yang <masonccyang@mxic.com.tw>

commit fe3dd97dd66bb7fb23b8077a3803d2f951e60b00 upstream.

Make sure we flag all broken chips as not supporting this feature.
Also move this logic to a new function to keep things readable.

Fixes: 34c5c01e0c8c ("mtd: rawnand: macronix: nack the support of changing timings for one chip")
Cc: <stable@vger.kernel.org>
Signed-off-by: Mason Yang <masonccyang@mxic.com.tw>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/nand_macronix.c |   48 ++++++++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 12 deletions(-)

--- a/drivers/mtd/nand/raw/nand_macronix.c
+++ b/drivers/mtd/nand/raw/nand_macronix.c
@@ -17,23 +17,47 @@
 
 #include <linux/mtd/rawnand.h>
 
+/*
+ * Macronix AC series does not support using SET/GET_FEATURES to change
+ * the timings unlike what is declared in the parameter page. Unflag
+ * this feature to avoid unnecessary downturns.
+ */
+static void macronix_nand_fix_broken_get_timings(struct nand_chip *chip)
+{
+	unsigned int i;
+	static const char * const broken_get_timings[] = {
+		"MX30LF1G18AC",
+		"MX30LF1G28AC",
+		"MX30LF2G18AC",
+		"MX30LF2G28AC",
+		"MX30LF4G18AC",
+		"MX30LF4G28AC",
+		"MX60LF8G18AC",
+	};
+
+	if (!chip->parameters.supports_set_get_features)
+		return;
+
+	for (i = 0; i < ARRAY_SIZE(broken_get_timings); i++) {
+		if (!strcmp(broken_get_timings[i], chip->parameters.model))
+			break;
+	}
+
+	if (i == ARRAY_SIZE(broken_get_timings))
+		return;
+
+	bitmap_clear(chip->parameters.get_feature_list,
+		     ONFI_FEATURE_ADDR_TIMING_MODE, 1);
+	bitmap_clear(chip->parameters.set_feature_list,
+		     ONFI_FEATURE_ADDR_TIMING_MODE, 1);
+}
+
 static int macronix_nand_init(struct nand_chip *chip)
 {
 	if (nand_is_slc(chip))
 		chip->bbt_options |= NAND_BBT_SCAN2NDPAGE;
 
-	/*
-	 * MX30LF2G18AC chip does not support using SET/GET_FEATURES to change
-	 * the timings unlike what is declared in the parameter page. Unflag
-	 * this feature to avoid unnecessary downturns.
-	 */
-	if (chip->parameters.supports_set_get_features &&
-	    !strcmp("MX30LF2G18AC", chip->parameters.model)) {
-		bitmap_clear(chip->parameters.get_feature_list,
-			     ONFI_FEATURE_ADDR_TIMING_MODE, 1);
-		bitmap_clear(chip->parameters.set_feature_list,
-			     ONFI_FEATURE_ADDR_TIMING_MODE, 1);
-	}
+	macronix_nand_fix_broken_get_timings(chip);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 106/220] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 105/220] mtd: rawnand: All AC chips have a broken GET_FEATURES(TIMINGS) Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 107/220] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joakim Tjernlund, Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit f93aa8c4de307069c270b2d81741961162bead6c upstream.

do_ppb_xxlock() fails to add chip->start when querying for lock status
(and chip_ready test), which caused false status reports.
Fix that by adding adr += chip->start and adjust call sites
accordingly.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Cc: stable@vger.kernel.org
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/cfi_cmdset_0002.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2533,8 +2533,9 @@ static int __maybe_unused do_ppb_xxlock(
 	unsigned long timeo;
 	int ret;
 
+	adr += chip->start;
 	mutex_lock(&chip->mutex);
-	ret = get_chip(map, chip, adr + chip->start, FL_LOCKING);
+	ret = get_chip(map, chip, adr, FL_LOCKING);
 	if (ret) {
 		mutex_unlock(&chip->mutex);
 		return ret;
@@ -2552,8 +2553,8 @@ static int __maybe_unused do_ppb_xxlock(
 
 	if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) {
 		chip->state = FL_LOCKING;
-		map_write(map, CMD(0xA0), chip->start + adr);
-		map_write(map, CMD(0x00), chip->start + adr);
+		map_write(map, CMD(0xA0), adr);
+		map_write(map, CMD(0x00), adr);
 	} else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) {
 		/*
 		 * Unlocking of one specific sector is not supported, so we
@@ -2591,7 +2592,7 @@ static int __maybe_unused do_ppb_xxlock(
 	map_write(map, CMD(0x00), chip->start);
 
 	chip->state = FL_READY;
-	put_chip(map, chip, adr + chip->start);
+	put_chip(map, chip, adr);
 	mutex_unlock(&chip->mutex);
 
 	return ret;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 107/220] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 106/220] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 108/220] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joakim Tjernlund, Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream.

cfi_ppb_unlock() tries to relock all sectors that were locked before
unlocking the whole chip.
This locking used the chip start address + the FULL offset from the
first flash chip, thereby forming an illegal address. Fix that by using
the chip offset(adr).

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Cc: stable@vger.kernel.org
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/cfi_cmdset_0002.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2515,7 +2515,7 @@ static int cfi_atmel_unlock(struct mtd_i
 
 struct ppb_lock {
 	struct flchip *chip;
-	loff_t offset;
+	unsigned long adr;
 	int locked;
 };
 
@@ -2651,7 +2651,7 @@ static int __maybe_unused cfi_ppb_unlock
 		 */
 		if ((adr < ofs) || (adr >= (ofs + len))) {
 			sect[sectors].chip = &cfi->chips[chipnum];
-			sect[sectors].offset = offset;
+			sect[sectors].adr = adr;
 			sect[sectors].locked = do_ppb_xxlock(
 				map, &cfi->chips[chipnum], adr, 0,
 				DO_XXLOCK_ONEBLOCK_GETLOCK);
@@ -2695,7 +2695,7 @@ static int __maybe_unused cfi_ppb_unlock
 	 */
 	for (i = 0; i < sectors; i++) {
 		if (sect[i].locked)
-			do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0,
+			do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0,
 				      DO_XXLOCK_ONEBLOCK_LOCK);
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 108/220] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 107/220] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 109/220] mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joakim Tjernlund, Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream.

The "sector is in requested range" test used to determine whether
sectors should be re-locked or not is done on a variable that is reset
everytime we cross a chip boundary, which can lead to some blocks being
re-locked while the caller expect them to be unlocked.
Fix the check to make sure this cannot happen.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Cc: stable@vger.kernel.org
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/cfi_cmdset_0002.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2649,7 +2649,7 @@ static int __maybe_unused cfi_ppb_unlock
 		 * sectors shall be unlocked, so lets keep their locking
 		 * status at "unlocked" (locked=0) for the final re-locking.
 		 */
-		if ((adr < ofs) || (adr >= (ofs + len))) {
+		if ((offset < ofs) || (offset >= (ofs + len))) {
 			sect[sectors].chip = &cfi->chips[chipnum];
 			sect[sectors].adr = adr;
 			sect[sectors].locked = do_ppb_xxlock(



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 109/220] mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 108/220] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 111/220] clk:aspeed: Fix reset bits for PCI/VGA and PECI Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joakim Tjernlund, Boris Brezillon

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit f1ce87f6080b1dda7e7b1eda3da332add19d87b9 upstream.

cfi_ppb_unlock() walks all flash chips when unlocking sectors,
avoid walking chips unaffected by the unlock operation.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Cc: stable@vger.kernel.org
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/cfi_cmdset_0002.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2665,6 +2665,8 @@ static int __maybe_unused cfi_ppb_unlock
 			i++;
 
 		if (adr >> cfi->chipshift) {
+			if (offset >= (ofs + len))
+				break;
 			adr = 0;
 			chipnum++;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 111/220] clk:aspeed: Fix reset bits for PCI/VGA and PECI
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 109/220] mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 112/220] PCI: hv: Make sure the bus domain is really unique Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jae Hyun Yoo, Stephen Boyd

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>

commit e76e56823a318ca580be4cfc5a6a9269bc70abea upstream.

This commit fixes incorrect setting of reset bits for PCI/VGA and
PECI modules.

1. Reset bit for PCI/VGA is 8.
2. PECI reset bit is missing so added bit 10 as its reset bit.

Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
Fixes: 15ed8ce5f84e ("clk: aspeed: Register gated clocks")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/clk-aspeed.c                 |    4 ++--
 include/dt-bindings/clock/aspeed-clock.h |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/clk/clk-aspeed.c
+++ b/drivers/clk/clk-aspeed.c
@@ -88,7 +88,7 @@ static const struct aspeed_gate_data asp
 	[ASPEED_CLK_GATE_GCLK] =	{  1,  7, "gclk-gate",		NULL,	0 }, /* 2D engine */
 	[ASPEED_CLK_GATE_MCLK] =	{  2, -1, "mclk-gate",		"mpll",	CLK_IS_CRITICAL }, /* SDRAM */
 	[ASPEED_CLK_GATE_VCLK] =	{  3,  6, "vclk-gate",		NULL,	0 }, /* Video Capture */
-	[ASPEED_CLK_GATE_BCLK] =	{  4, 10, "bclk-gate",		"bclk",	0 }, /* PCIe/PCI */
+	[ASPEED_CLK_GATE_BCLK] =	{  4,  8, "bclk-gate",		"bclk",	0 }, /* PCIe/PCI */
 	[ASPEED_CLK_GATE_DCLK] =	{  5, -1, "dclk-gate",		NULL,	0 }, /* DAC */
 	[ASPEED_CLK_GATE_REFCLK] =	{  6, -1, "refclk-gate",	"clkin", CLK_IS_CRITICAL },
 	[ASPEED_CLK_GATE_USBPORT2CLK] =	{  7,  3, "usb-port2-gate",	NULL,	0 }, /* USB2.0 Host port 2 */
@@ -297,7 +297,7 @@ static const u8 aspeed_resets[] = {
 	[ASPEED_RESET_JTAG_MASTER] = 22,
 	[ASPEED_RESET_MIC]	= 18,
 	[ASPEED_RESET_PWM]	=  9,
-	[ASPEED_RESET_PCIVGA]	=  8,
+	[ASPEED_RESET_PECI]	= 10,
 	[ASPEED_RESET_I2C]	=  2,
 	[ASPEED_RESET_AHB]	=  1,
 };
--- a/include/dt-bindings/clock/aspeed-clock.h
+++ b/include/dt-bindings/clock/aspeed-clock.h
@@ -45,7 +45,7 @@
 #define ASPEED_RESET_JTAG_MASTER	3
 #define ASPEED_RESET_MIC		4
 #define ASPEED_RESET_PWM		5
-#define ASPEED_RESET_PCIVGA		6
+#define ASPEED_RESET_PECI		6
 #define ASPEED_RESET_I2C		7
 #define ASPEED_RESET_AHB		8
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 112/220] PCI: hv: Make sure the bus domain is really unique
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 111/220] clk:aspeed: Fix reset bits for PCI/VGA and PECI Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 113/220] PCI: Add ACS quirk for Intel 7th & 8th Gen mobile Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sridhar Pitchai, Lorenzo Pieralisi,
	Bjorn Helgaas

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sridhar Pitchai <Sridhar.Pitchai@microsoft.com>

commit 29927dfb7f69bcf2ae7fd1cda10997e646a5189c upstream.

When Linux runs as a guest VM in Hyper-V and Hyper-V adds the virtual PCI
bus to the guest, Hyper-V always provides unique PCI domain.

commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI domain")
overrode unique domain with the serial number of the first device added to
the virtual PCI bus.

The reason for that patch was to have a consistent and short name for the
device, but Hyper-V doesn't provide unique serial numbers. Using non-unique
serial numbers as domain IDs leads to duplicate device addresses, which
causes PCI bus registration to fail.

commit 0c195567a8f6 ("netvsc: transparent VF management") avoids the need
for commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI
domain").  When scripts were used to configure VF devices, the name of
the VF needed to be consistent and short, but with commit 0c195567a8f6
("netvsc: transparent VF management") all the setup is done in the kernel,
and we do not need to maintain consistent name.

Revert commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI
domain") so we can reliably support multiple devices being assigned to
a guest.

Tag the patch for stable kernels containing commit 0c195567a8f6
("netvsc: transparent VF management").

Fixes: 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI domain")
Signed-off-by: Sridhar Pitchai <sridhar.pitchai@microsoft.com>
[lorenzo.pieralisi@arm.com: trimmed commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: stable@vger.kernel.org # v4.14+
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/host/pci-hyperv.c |   11 -----------
 1 file changed, 11 deletions(-)

--- a/drivers/pci/host/pci-hyperv.c
+++ b/drivers/pci/host/pci-hyperv.c
@@ -1596,17 +1596,6 @@ static struct hv_pci_dev *new_pcichild_d
 	get_pcichild(hpdev, hv_pcidev_ref_childlist);
 	spin_lock_irqsave(&hbus->device_list_lock, flags);
 
-	/*
-	 * When a device is being added to the bus, we set the PCI domain
-	 * number to be the device serial number, which is non-zero and
-	 * unique on the same VM.  The serial numbers start with 1, and
-	 * increase by 1 for each device.  So device names including this
-	 * can have shorter names than based on the bus instance UUID.
-	 * Only the first device serial number is used for domain, so the
-	 * domain number will not change after the first device is added.
-	 */
-	if (list_empty(&hbus->children))
-		hbus->sysdata.domain = desc->ser;
 	list_add_tail(&hpdev->list_entry, &hbus->children);
 	spin_unlock_irqrestore(&hbus->device_list_lock, flags);
 	return hpdev;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 113/220] PCI: Add ACS quirk for Intel 7th & 8th Gen mobile
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 112/220] PCI: hv: Make sure the bus domain is really unique Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 114/220] PCI: Add ACS quirk for Intel 300 series Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Williamson, Bjorn Helgaas

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Williamson <alex.williamson@redhat.com>

commit e8440f4bfedc623bee40c84797ac78d9303d0db6 upstream.

The specification update indicates these have the same errata for
implementing non-standard ACS capabilities.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/quirks.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -4230,11 +4230,24 @@ static int pci_quirk_qcom_rp_acs(struct
  * 0xa290-0xa29f PCI Express Root port #{0-16}
  * 0xa2e7-0xa2ee PCI Express Root port #{17-24}
  *
+ * Mobile chipsets are also affected, 7th & 8th Generation
+ * Specification update confirms ACS errata 22, status no fix: (7th Generation
+ * Intel Processor Family I/O for U/Y Platforms and 8th Generation Intel
+ * Processor Family I/O for U Quad Core Platforms Specification Update,
+ * August 2017, Revision 002, Document#: 334660-002)[6]
+ * Device IDs from I/O datasheet: (7th Generation Intel Processor Family I/O
+ * for U/Y Platforms and 8th Generation Intel ® Processor Family I/O for U
+ * Quad Core Platforms, Vol 1 of 2, August 2017, Document#: 334658-003)[7]
+ *
+ * 0x9d10-0x9d1b PCI Express Root port #{1-12}
+ *
  * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html
  * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html
  * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html
  * [4] http://www.intel.com/content/www/us/en/chipsets/200-series-chipset-pch-spec-update.html
  * [5] http://www.intel.com/content/www/us/en/chipsets/200-series-chipset-pch-datasheet-vol-1.html
+ * [6] https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-mobile-u-y-processor-lines-i-o-spec-update.html
+ * [7] https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-mobile-u-y-processor-lines-i-o-datasheet-vol-1.html
  */
 static bool pci_quirk_intel_spt_pch_acs_match(struct pci_dev *dev)
 {
@@ -4244,6 +4257,7 @@ static bool pci_quirk_intel_spt_pch_acs_
 	switch (dev->device) {
 	case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */
 	case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */
+	case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */
 		return true;
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 114/220] PCI: Add ACS quirk for Intel 300 series
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 113/220] PCI: Add ACS quirk for Intel 7th & 8th Gen mobile Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 115/220] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mika Westerberg, Bjorn Helgaas

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit f154a718e6cc0d834f5ac4dc4c3b174e65f3659e upstream.

Intel 300 series chipset still has the same ACS issue as the previous
generations so extend the ACS quirk to cover it as well.

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/quirks.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -4241,6 +4241,11 @@ static int pci_quirk_qcom_rp_acs(struct
  *
  * 0x9d10-0x9d1b PCI Express Root port #{1-12}
  *
+ * The 300 series chipset suffers from the same bug so include those root
+ * ports here as well.
+ *
+ * 0xa32c-0xa343 PCI Express Root port #{0-24}
+ *
  * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html
  * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html
  * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html
@@ -4258,6 +4263,7 @@ static bool pci_quirk_intel_spt_pch_acs_
 	case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */
 	case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */
 	case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */
+	case 0xa32c ... 0xa343:				/* 300 series */
 		return true;
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 115/220] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 114/220] PCI: Add ACS quirk for Intel 300 series Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 116/220] PCI: Account for all bridges on bus when distributing bus numbers Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mika Westerberg, Bjorn Helgaas,
	Rafael J. Wysocki, Andy Shevchenko

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 13c65840feab8109194f9490c9870587173cb29d upstream.

After a suspend/resume cycle the Presence Detect or Data Link Layer Status
Changed bits might be set.  If we don't clear them those events will not
fire anymore and nothing happens for instance when a device is now
hot-unplugged.

Fix this by clearing those bits in a newly introduced function
pcie_reenable_notification().  This should be fine because immediately
after, we check if the adapter is still present by reading directly from
the status register.

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/hotplug/pciehp.h      |    2 +-
 drivers/pci/hotplug/pciehp_core.c |    2 +-
 drivers/pci/hotplug/pciehp_hpc.c  |   13 ++++++++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)

--- a/drivers/pci/hotplug/pciehp.h
+++ b/drivers/pci/hotplug/pciehp.h
@@ -121,7 +121,7 @@ struct controller *pcie_init(struct pcie
 int pcie_init_notification(struct controller *ctrl);
 int pciehp_enable_slot(struct slot *p_slot);
 int pciehp_disable_slot(struct slot *p_slot);
-void pcie_enable_notification(struct controller *ctrl);
+void pcie_reenable_notification(struct controller *ctrl);
 int pciehp_power_on_slot(struct slot *slot);
 void pciehp_power_off_slot(struct slot *slot);
 void pciehp_get_power_status(struct slot *slot, u8 *status);
--- a/drivers/pci/hotplug/pciehp_core.c
+++ b/drivers/pci/hotplug/pciehp_core.c
@@ -283,7 +283,7 @@ static int pciehp_resume(struct pcie_dev
 	ctrl = get_service_data(dev);
 
 	/* reinitialize the chipset's event detection logic */
-	pcie_enable_notification(ctrl);
+	pcie_reenable_notification(ctrl);
 
 	slot = ctrl->slot;
 
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -659,7 +659,7 @@ static irqreturn_t pcie_isr(int irq, voi
 	return handled;
 }
 
-void pcie_enable_notification(struct controller *ctrl)
+static void pcie_enable_notification(struct controller *ctrl)
 {
 	u16 cmd, mask;
 
@@ -697,6 +697,17 @@ void pcie_enable_notification(struct con
 		 pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd);
 }
 
+void pcie_reenable_notification(struct controller *ctrl)
+{
+	/*
+	 * Clear both Presence and Data Link Layer Changed to make sure
+	 * those events still fire after we have re-enabled them.
+	 */
+	pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA,
+				   PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC);
+	pcie_enable_notification(ctrl);
+}
+
 static void pcie_disable_notification(struct controller *ctrl)
 {
 	u16 mask;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 116/220] PCI: Account for all bridges on bus when distributing bus numbers
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 115/220] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 117/220] auxdisplay: fix broken menu Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mario Limonciello, Mika Westerberg,
	Bjorn Helgaas, Rafael J. Wysocki, Andy Shevchenko

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 3374c545c27c5350b954d1ab03c880d5502e5eba upstream.

When distributing extra bus number space to hotplug bridges for future
extension, we don't account for the fact that there might be non-hotplug
bridges on the bus after the hotplug bridges.  For example:

  01:00.0 --+- 02:00.0 (HotPlug-) -- Thunderbolt host controller
            +- 02:01.0 (HotPlug+)
            \- 02:02.0 (HotPlug-) -- xHCI host controller

pci_scan_child_bus_extend() is supposed to distribute the remaining bus
numbers to the hotplug bridge at 02:01.0, but only after accounting for all
bridges on bus 02.  Since we don't check whether there's another
non-hotplug bridge after the hotplug bridge 02:01.0, it may not leave space
for the non-hotplug bridge:

  pci 0000:00:1b.0: PCI bridge to [bus 01-39]  (Root Port)
  pci 0000:01:00.0: PCI bridge to [bus 02-39]
  ...
  pci 0000:02:00.0: PCI bridge to [bus 03]
  pci 0000:02:01.0: PCI bridge to [bus 04]
  pci_bus 0000:04: [bus 04-39] extended by 0x35
  pci_bus 0000:04: bus scan returning with max=39
  pci_bus 0000:04: busn_res: [bus 04-39] end is updated to 39
  pci 0000:02:02.0: scanning [bus 00-00] behind bridge, pass 1
  pci_bus 0000:3a: scanning bus
  pci_bus 0000:3a: bus scan returning with max=3a
  pci_bus 0000:3a: busn_res: [bus 3a] end is updated to 3a
  pci_bus 0000:3a: [bus 3a] partially hidden behind bridge 0000:02 [bus 02-39]
  pci_bus 0000:3a: [bus 3a] partially hidden behind bridge 0000:01 [bus 01-39]
  pci_bus 0000:02: bus scan returning with max=3a
  pci_bus 0000:02: busn_res: [bus 02-39] end can not be updated to 3a

The resulting 'lspci -t' output looks like this:

  +-1b.0-[01-39]----00.0-[02-3a]--+-00.0-[03]----00.0
                             ^^   +-01.0-[04-39]--
                                  \-02.0-[3a]----00.0
                                          ^^
The xHCI host controller behind 02:02.0 is not usable because it would have
to be assigned bus 3a, which is not accessible through 00:1b.0.

To fix this, reserve at least one bus for each bridge while scanning
already configured bridges.  Then use this information in the second
scan to correct the available extra bus space for hotplug bridges.

After this change the 'lspci -t' output is what is expected:

  +-1b.0-[01-39]----00.0-[02-39]--+-00.0-[03]----00.0
                                  +-01.0-[04-38]--
                                  \-02.0-[39]----00.0

The xHCI controller is now on bus 39, where it is usable.

Fixes: 1c02ea810065 ("PCI: Distribute available buses to hotplug-capable bridges")
Reported-by: Mario Limonciello <mario.limonciello@dell.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/probe.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -2638,7 +2638,14 @@ static unsigned int pci_scan_child_bus_e
 	for_each_pci_bridge(dev, bus) {
 		cmax = max;
 		max = pci_scan_bridge_extend(bus, dev, max, 0, 0);
-		used_buses += cmax - max;
+
+		/*
+		 * Reserve one bus for each bridge now to avoid extending
+		 * hotplug bridges too much during the second scan below.
+		 */
+		used_buses++;
+		if (cmax - max > 1)
+			used_buses += cmax - max - 1;
 	}
 
 	/* Scan bridges that need to be reconfigured */
@@ -2661,12 +2668,14 @@ static unsigned int pci_scan_child_bus_e
 			 * bridges if any.
 			 */
 			buses = available_buses / hotplug_bridges;
-			buses = min(buses, available_buses - used_buses);
+			buses = min(buses, available_buses - used_buses + 1);
 		}
 
 		cmax = max;
 		max = pci_scan_bridge_extend(bus, dev, cmax, buses, 1);
-		used_buses += max - cmax;
+		/* One bus is already accounted so don't add it again */
+		if (max - cmax > 1)
+			used_buses += max - cmax - 1;
 	}
 
 	/*



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 117/220] auxdisplay: fix broken menu
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 116/220] PCI: Account for all bridges on bus when distributing bus numbers Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 118/220] pinctrl: armada-37xx: Fix spurious irq management Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Andy Shevchenko,
	Randy Dunlap, Miguel Ojeda

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>

commit b5b903fba96a4d1771422efd5c713ebb73f7dc82 upstream.

Having the CHARLCD Kconfig symbol between "menuconfig AUXDISPLAY"
and "if AUXDISPLAY" breaks the AUXDISPLAY submenus, so move the
CHARLCD Kconfig symbol near the end of the file so that the menu
display is continuous.

Also include ARM_CHARLCD inside of the if AUXDISPLAY/endif block.
Geert says that it should be there.

Fixes: 39f8ea46724e ("auxdisplay: charlcd: Extract character LCD core from misc/panel")

Cc: stable@vger.kernel.org # v4.12
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/auxdisplay/Kconfig |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/auxdisplay/Kconfig
+++ b/drivers/auxdisplay/Kconfig
@@ -14,9 +14,6 @@ menuconfig AUXDISPLAY
 
 	  If you say N, all options in this submenu will be skipped and disabled.
 
-config CHARLCD
-	tristate "Character LCD core support" if COMPILE_TEST
-
 if AUXDISPLAY
 
 config HD44780
@@ -157,8 +154,6 @@ config HT16K33
 	  Say yes here to add support for Holtek HT16K33, RAM mapping 16*8
 	  LED controller driver with keyscan.
 
-endif # AUXDISPLAY
-
 config ARM_CHARLCD
 	bool "ARM Ltd. Character LCD Driver"
 	depends on PLAT_VERSATILE
@@ -169,6 +164,8 @@ config ARM_CHARLCD
 	  line and the Linux version on the second line, but that's
 	  still useful.
 
+endif # AUXDISPLAY
+
 config PANEL
 	tristate "Parallel port LCD/Keypad Panel support"
 	depends on PARPORT
@@ -448,3 +445,6 @@ config PANEL_BOOT_MESSAGE
 	  printf()-formatted message is valid with newline and escape codes.
 
 endif # PANEL
+
+config CHARLCD
+	tristate "Character LCD core support" if COMPILE_TEST



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 118/220] pinctrl: armada-37xx: Fix spurious irq management
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 117/220] auxdisplay: fix broken menu Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 121/220] cpufreq: intel_pstate: Fix scaling max/min limits with Turbo 3.0 Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Terry Zhou, Gregory CLEMENT, Linus Walleij

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Terry Zhou <bjzhou@marvell.com>

commit 702d1e81feae70aa16ca364b4d2d95ccad801022 upstream.

Until now, if we found spurious irq in irq_handler, we only updated the
status in register but not the status in the code. Due to this the system
will got stuck dues to the infinite loop

[gregory.clement@bootlin.com: update comment and add fix and stable tags]
Fixes: 30ac0d3b0702 ("pinctrl: armada-37xx: Add edge both type gpio irq support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Terry Zhou <bjzhou@marvell.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/mvebu/pinctrl-armada-37xx.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -679,12 +679,13 @@ static void armada_37xx_irq_handler(stru
 					writel(1 << hwirq,
 					       info->base +
 					       IRQ_STATUS + 4 * i);
-					continue;
+					goto update_status;
 				}
 			}
 
 			generic_handle_irq(virq);
 
+update_status:
 			/* Update status in case a new IRQ appears */
 			spin_lock_irqsave(&info->irq_lock, flags);
 			status = readl_relaxed(info->base +



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 121/220] cpufreq: intel_pstate: Fix scaling max/min limits with Turbo 3.0
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 118/220] pinctrl: armada-37xx: Fix spurious irq management Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 122/220] MIPS: pb44: Fix i2c-gpio GPIO descriptor table Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Pandruvada, Rafael J. Wysocki

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>

commit ff7c9917143b3a6cf2fa61212a32d67cf259bf9c upstream.

When scaling max/min settings are changed, internally they are converted
to a ratio using the max turbo 1 core turbo frequency. This works fine
when 1 core max is same irrespective of the core. But under Turbo 3.0,
this will not be the case. For example:
Core 0: max turbo pstate: 43 (4.3GHz)
Core 1: max turbo pstate: 45 (4.5GHz)
In this case 1 core turbo ratio will be maximum of all, so it will be
45 (4.5GHz). Suppose scaling max is set to 4GHz (ratio 40) for all cores
,then on core one it will be
 = max_state * policy->max / max_freq;
 = 43 * (4000000/4500000) = 38 (3.8GHz)
 = 38
which is 200MHz less than the desired.
On core2, it will be correctly set to ratio 40 (4GHz). Same holds true
for scaling min frequency limit. So this requires usage of correct turbo
max frequency for core one, which in this case is 4.3GHz. So we need to
adjust per CPU cpu->pstate.turbo_freq using the maximum HWP ratio of that
core.

This change uses the HWP capability of a core to adjust max turbo
frequency. But since Broadwell HWP doesn't use ratios in the HWP
capabilities, we have to use legacy max 1 core turbo ratio. This is not
a problem as the HWP capabilities don't differ among cores in Broadwell.
We need to check for non Broadwell CPU model for applying this change,
though.

Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: 4.6+ <stable@vger.kernel.org> # 4.6+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpufreq/intel_pstate.c |   27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -284,6 +284,7 @@ struct pstate_funcs {
 static struct pstate_funcs pstate_funcs __read_mostly;
 
 static int hwp_active __read_mostly;
+static int hwp_mode_bdw __read_mostly;
 static bool per_cpu_limits __read_mostly;
 
 static struct cpufreq_driver *intel_pstate_driver __read_mostly;
@@ -1370,7 +1371,15 @@ static void intel_pstate_get_cpu_pstates
 	cpu->pstate.turbo_pstate = pstate_funcs.get_turbo();
 	cpu->pstate.scaling = pstate_funcs.get_scaling();
 	cpu->pstate.max_freq = cpu->pstate.max_pstate * cpu->pstate.scaling;
-	cpu->pstate.turbo_freq = cpu->pstate.turbo_pstate * cpu->pstate.scaling;
+
+	if (hwp_active && !hwp_mode_bdw) {
+		unsigned int phy_max, current_max;
+
+		intel_pstate_get_hwp_max(cpu->cpu, &phy_max, &current_max);
+		cpu->pstate.turbo_freq = phy_max * cpu->pstate.scaling;
+	} else {
+		cpu->pstate.turbo_freq = cpu->pstate.turbo_pstate * cpu->pstate.scaling;
+	}
 
 	if (pstate_funcs.get_aperf_mperf_shift)
 		cpu->aperf_mperf_shift = pstate_funcs.get_aperf_mperf_shift();
@@ -2252,28 +2261,36 @@ static inline bool intel_pstate_has_acpi
 static inline void intel_pstate_request_control_from_smm(void) {}
 #endif /* CONFIG_ACPI */
 
+#define INTEL_PSTATE_HWP_BROADWELL	0x01
+
+#define ICPU_HWP(model, hwp_mode) \
+	{ X86_VENDOR_INTEL, 6, model, X86_FEATURE_HWP, hwp_mode }
+
 static const struct x86_cpu_id hwp_support_ids[] __initconst = {
-	{ X86_VENDOR_INTEL, 6, X86_MODEL_ANY, X86_FEATURE_HWP },
+	ICPU_HWP(INTEL_FAM6_BROADWELL_X, INTEL_PSTATE_HWP_BROADWELL),
+	ICPU_HWP(INTEL_FAM6_BROADWELL_XEON_D, INTEL_PSTATE_HWP_BROADWELL),
+	ICPU_HWP(X86_MODEL_ANY, 0),
 	{}
 };
 
 static int __init intel_pstate_init(void)
 {
+	const struct x86_cpu_id *id;
 	int rc;
 
 	if (no_load)
 		return -ENODEV;
 
-	if (x86_match_cpu(hwp_support_ids)) {
+	id = x86_match_cpu(hwp_support_ids);
+	if (id) {
 		copy_cpu_funcs(&core_funcs);
 		if (!no_hwp) {
 			hwp_active++;
+			hwp_mode_bdw = id->driver_data;
 			intel_pstate.attr = hwp_cpufreq_attrs;
 			goto hwp_cpu_matched;
 		}
 	} else {
-		const struct x86_cpu_id *id;
-
 		id = x86_match_cpu(intel_pstate_cpu_ids);
 		if (!id)
 			return -ENODEV;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 122/220] MIPS: pb44: Fix i2c-gpio GPIO descriptor table
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 121/220] cpufreq: intel_pstate: Fix scaling max/min limits with Turbo 3.0 Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 123/220] MIPS: io: Add barrier after register read in inX() Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Simon Guinot, Linus Walleij,
	Paul Burton, Ralf Baechle, Wolfram Sang, linux-mips, James Hogan

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 326345f995a83e326fa2e01d54bfa9a6a307bd4d upstream.

I used bad names in my clumsiness when rewriting many board
files to use GPIO descriptors instead of platform data. A few
had the platform_device ID set to -1 which would indeed give
the device name "i2c-gpio".

But several had it set to >=0 which gives the names
"i2c-gpio.0", "i2c-gpio.1" ...

Fix the one affected board in the MIPS tree. Sorry.

Fixes: b2e63555592f ("i2c: gpio: Convert to use descriptors")
Reported-by: Simon Guinot <simon.guinot@sequanux.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Paul Burton <paul.burton@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Wolfram Sang <wsa@the-dreams.de>
Cc: Simon Guinot <simon.guinot@sequanux.org>
Cc: linux-mips@linux-mips.org
Cc: <stable@vger.kernel.org> # 4.15+
Patchwork: https://patchwork.linux-mips.org/patch/19387/
Signed-off-by: James Hogan <jhogan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/ath79/mach-pb44.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/ath79/mach-pb44.c
+++ b/arch/mips/ath79/mach-pb44.c
@@ -34,7 +34,7 @@
 #define PB44_KEYS_DEBOUNCE_INTERVAL	(3 * PB44_KEYS_POLL_INTERVAL)
 
 static struct gpiod_lookup_table pb44_i2c_gpiod_table = {
-	.dev_id = "i2c-gpio",
+	.dev_id = "i2c-gpio.0",
 	.table = {
 		GPIO_LOOKUP_IDX("ath79-gpio", PB44_GPIO_I2C_SDA,
 				NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 123/220] MIPS: io: Add barrier after register read in inX()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 122/220] MIPS: pb44: Fix i2c-gpio GPIO descriptor table Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 125/220] irqchip/gic-v3-its: Dont bind LPI to unavailable NUMA node Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huacai Chen, Paul Burton,
	James Hogan, linux-mips, Fuxin Zhang, Zhangjin Wu, Huacai Chen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit 18f3e95b90b28318ef35910d21c39908de672331 upstream.

While a barrier is present in the outX() functions before the register
write, a similar barrier is missing in the inX() functions after the
register read. This could allow memory accesses following inX() to
observe stale data.

This patch is very similar to commit a1cc7034e33d12dc1 ("MIPS: io: Add
barrier after register read in readX()"). Because war_io_reorder_wmb()
is both used by writeX() and outX(), if readX() need a barrier then so
does inX().

Cc: stable@vger.kernel.org
Signed-off-by: Huacai Chen <chenhc@lemote.com>
Patchwork: https://patchwork.linux-mips.org/patch/19516/
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: James Hogan <james.hogan@mips.com>
Cc: linux-mips@linux-mips.org
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: Huacai Chen <chenhuacai@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/include/asm/io.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/mips/include/asm/io.h
+++ b/arch/mips/include/asm/io.h
@@ -414,6 +414,8 @@ static inline type pfx##in##bwlq##p(unsi
 	__val = *__addr;						\
 	slow;								\
 									\
+	/* prevent prefetching of coherent DMA data prematurely */	\
+	rmb();								\
 	return pfx##ioswab##bwlq(__addr, __val);			\
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 125/220] irqchip/gic-v3-its: Dont bind LPI to unavailable NUMA node
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 123/220] MIPS: io: Add barrier after register read in inX() Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 126/220] locking/rwsem: Fix up_read_non_owner() warning with DEBUG_RWSEMS Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang, Marc Zyngier,
	Thomas Gleixner, Jason Cooper, Alexandre Belloni, Sumit Garg

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

commit c1797b11a09c8323c92b074fd48b89a936c991d0 upstream.

On a NUMA system, if an ITS is local to an offline node, the ITS driver may
pick an offline CPU to bind the LPI.  In this case, pick an online CPU (and
the first one will do).

But on some systems, binding an LPI to non-local node CPU may cause
deadlock (see Cavium erratum 23144).  In this case, just fail the activate
and return an error code.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Cc: Sumit Garg <sumit.garg@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180622095254.5906-5-marc.zyngier@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/irqchip/irq-gic-v3-its.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -2309,7 +2309,14 @@ static int its_irq_domain_activate(struc
 		cpu_mask = cpumask_of_node(its_dev->its->numa_node);
 
 	/* Bind the LPI to the first possible CPU */
-	cpu = cpumask_first(cpu_mask);
+	cpu = cpumask_first_and(cpu_mask, cpu_online_mask);
+	if (cpu >= nr_cpu_ids) {
+		if (its_dev->its->flags & ITS_FLAGS_WORKAROUND_CAVIUM_23144)
+			return -EINVAL;
+
+		cpu = cpumask_first(cpu_online_mask);
+	}
+
 	its_dev->event_map.col_map[event] = cpu;
 	irq_data_update_effective_affinity(d, cpumask_of(cpu));
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 126/220] locking/rwsem: Fix up_read_non_owner() warning with DEBUG_RWSEMS
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 125/220] irqchip/gic-v3-its: Dont bind LPI to unavailable NUMA node Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 127/220] X.509: unpack RSA signatureValue field from BIT STRING Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Waiman Long, Thomas Gleixner,
	Peter Zijlstra (Intel),
	Gavin Schenk, Davidlohr Bueso, Dan Williams, Arnd Bergmann,
	linux-nfs

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Waiman Long <longman@redhat.com>

commit 03eeafdd9ab06a770d42c2b264d50dff7e2f4eee upstream.

It was found that the use of up_read_non_owner() in NFS was causing
the following warning when DEBUG_RWSEMS was configured.

  DEBUG_LOCKS_WARN_ON(sem->owner != ((struct task_struct *)(1UL << 0)))

Looking into the rwsem.c file, it was discovered that the corresponding
down_read_non_owner() function was not setting the owner field properly.
This is fixed now, and the warning should be gone.

Fixes: 5149cbac4235 ("locking/rwsem: Add DEBUG_RWSEMS to look for lock/unlock mismatches")
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Gavin Schenk <g.schenk@eckelmann.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: linux-nfs@vger.kernel.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1527168398-4291-1-git-send-email-longman@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/locking/rwsem.c |    1 +
 1 file changed, 1 insertion(+)

--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -181,6 +181,7 @@ void down_read_non_owner(struct rw_semap
 	might_sleep();
 
 	__down_read(sem);
+	rwsem_set_reader_owned(sem);
 }
 
 EXPORT_SYMBOL(down_read_non_owner);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 127/220] X.509: unpack RSA signatureValue field from BIT STRING
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 126/220] locking/rwsem: Fix up_read_non_owner() warning with DEBUG_RWSEMS Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 128/220] Btrfs: fix return value on rename exchange failure Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej S. Szmigiero, James Morris

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>

commit b65c32ec5a942ab3ada93a048089a938918aba7f upstream.

The signatureValue field of a X.509 certificate is encoded as a BIT STRING.
For RSA signatures this BIT STRING is of so-called primitive subtype, which
contains a u8 prefix indicating a count of unused bits in the encoding.

We have to strip this prefix from signature data, just as we already do for
key data in x509_extract_key_data() function.

This wasn't noticed earlier because this prefix byte is zero for RSA key
sizes divisible by 8. Since BIT STRING is a big-endian encoding adding zero
prefixes has no bearing on its value.

The signature length, however was incorrect, which is a problem for RSA
implementations that need it to be exactly correct (like AMD CCP).

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Fixes: c26fd69fa009 ("X.509: Add a crypto key parser for binary (DER) X.509 certificates")
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/asymmetric_keys/x509_cert_parser.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -249,6 +249,15 @@ int x509_note_signature(void *context, s
 		return -EINVAL;
 	}
 
+	if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0) {
+		/* Discard the BIT STRING metadata */
+		if (vlen < 1 || *(const u8 *)value != 0)
+			return -EBADMSG;
+
+		value++;
+		vlen--;
+	}
+
 	ctx->cert->raw_sig = value;
 	ctx->cert->raw_sig_size = vlen;
 	return 0;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 128/220] Btrfs: fix return value on rename exchange failure
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 127/220] X.509: unpack RSA signatureValue field from BIT STRING Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 129/220] iio: adc: ad7791: remove sample freq sysfs attributes Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit c5b4a50b74018b3677098151ec5f4fce07d5e6a0 upstream.

If we failed during a rename exchange operation after starting/joining a
transaction, we would end up replacing the return value, stored in the
local 'ret' variable, with the return value from btrfs_end_transaction().
So this could end up returning 0 (success) to user space despite the
operation having failed and aborted the transaction, because if there are
multiple tasks having a reference on the transaction at the time
btrfs_end_transaction() is called by the rename exchange, that function
returns 0 (otherwise it returns -EIO and not the original error value).
So fix this by not overwriting the return value on error after getting
a transaction handle.

Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT")
CC: stable@vger.kernel.org # 4.9+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -9475,6 +9475,7 @@ static int btrfs_rename_exchange(struct
 	u64 new_idx = 0;
 	u64 root_objectid;
 	int ret;
+	int ret2;
 	bool root_log_pinned = false;
 	bool dest_log_pinned = false;
 
@@ -9671,7 +9672,8 @@ out_fail:
 			dest_log_pinned = false;
 		}
 	}
-	ret = btrfs_end_transaction(trans);
+	ret2 = btrfs_end_transaction(trans);
+	ret = ret ? ret : ret2;
 out_notrans:
 	if (new_ino == BTRFS_FIRST_FREE_OBJECTID)
 		up_read(&fs_info->subvol_sem);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 129/220] iio: adc: ad7791: remove sample freq sysfs attributes
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 128/220] Btrfs: fix return value on rename exchange failure Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 130/220] iio: sca3000: Fix an error handling path in sca3000_probe() Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandru Ardelean, Stable, Jonathan Cameron

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandru Ardelean <alexandru.ardelean@analog.com>

commit 7eb6b35d93c356f1afebbfb808bc296d6351e708 upstream.

In the current state, these attributes are broken, because they are
registered already, and the kernel throws a warning.
The first registration happens via the `IIO_CHAN_INFO_SAMP_FREQ` flag from
the `ad_sigma_delta` driver.

In this commit these attrs are removed, and in the following the
IIO_CHAN_INFO_SAMP_FREQ behavior will be implemented, which replaces these
hooks.

This is done to make things a bit easier to review as there is a bit of
overlap in the patch if it's done all at once.

Fixes: a13e831fcaa7 ("staging: iio: ad7192: implement IIO_CHAN_INFO_SAMP_FREQ")

Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ad7791.c |   49 -----------------------------------------------
 1 file changed, 49 deletions(-)

--- a/drivers/iio/adc/ad7791.c
+++ b/drivers/iio/adc/ad7791.c
@@ -244,58 +244,9 @@ static int ad7791_read_raw(struct iio_de
 	return -EINVAL;
 }
 
-static const char * const ad7791_sample_freq_avail[] = {
-	[AD7791_FILTER_RATE_120] = "120",
-	[AD7791_FILTER_RATE_100] = "100",
-	[AD7791_FILTER_RATE_33_3] = "33.3",
-	[AD7791_FILTER_RATE_20] = "20",
-	[AD7791_FILTER_RATE_16_6] = "16.6",
-	[AD7791_FILTER_RATE_16_7] = "16.7",
-	[AD7791_FILTER_RATE_13_3] = "13.3",
-	[AD7791_FILTER_RATE_9_5] = "9.5",
-};
-
-static ssize_t ad7791_read_frequency(struct device *dev,
-	struct device_attribute *attr, char *buf)
-{
-	struct iio_dev *indio_dev = dev_to_iio_dev(dev);
-	struct ad7791_state *st = iio_priv(indio_dev);
-	unsigned int rate = st->filter & AD7791_FILTER_RATE_MASK;
-
-	return sprintf(buf, "%s\n", ad7791_sample_freq_avail[rate]);
-}
-
-static ssize_t ad7791_write_frequency(struct device *dev,
-	struct device_attribute *attr, const char *buf, size_t len)
-{
-	struct iio_dev *indio_dev = dev_to_iio_dev(dev);
-	struct ad7791_state *st = iio_priv(indio_dev);
-	int i, ret;
-
-	i = sysfs_match_string(ad7791_sample_freq_avail, buf);
-	if (i < 0)
-		return i;
-
-	ret = iio_device_claim_direct_mode(indio_dev);
-	if (ret)
-		return ret;
-	st->filter &= ~AD7791_FILTER_RATE_MASK;
-	st->filter |= i;
-	ad_sd_write_reg(&st->sd, AD7791_REG_FILTER, sizeof(st->filter),
-			st->filter);
-	iio_device_release_direct_mode(indio_dev);
-
-	return len;
-}
-
-static IIO_DEV_ATTR_SAMP_FREQ(S_IWUSR | S_IRUGO,
-		ad7791_read_frequency,
-		ad7791_write_frequency);
-
 static IIO_CONST_ATTR_SAMP_FREQ_AVAIL("120 100 33.3 20 16.7 16.6 13.3 9.5");
 
 static struct attribute *ad7791_attributes[] = {
-	&iio_dev_attr_sampling_frequency.dev_attr.attr,
 	&iio_const_attr_sampling_frequency_available.dev_attr.attr,
 	NULL
 };



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 130/220] iio: sca3000: Fix an error handling path in sca3000_probe()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 129/220] iio: adc: ad7791: remove sample freq sysfs attributes Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 131/220] mm: fix __gup_device_huge vs unmap Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Stable, Jonathan Cameron

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 4a5b45383ca371e123ba103d34d4b3b87616245c upstream.

Use 'devm_iio_kfifo_allocate()' instead of 'iio_kfifo_allocate()' in order
to simplify code and avoid a memory leak in an error path in
'sca3000_probe()'. A call to 'sca3000_unconfigure_ring()' was missing.

Sent via the next merge window as unimportant bug and there are
other patches dependent on it.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/accel/sca3000.c |    9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1277,7 +1277,7 @@ static int sca3000_configure_ring(struct
 {
 	struct iio_buffer *buffer;
 
-	buffer = iio_kfifo_allocate();
+	buffer = devm_iio_kfifo_allocate(&indio_dev->dev);
 	if (!buffer)
 		return -ENOMEM;
 
@@ -1287,11 +1287,6 @@ static int sca3000_configure_ring(struct
 	return 0;
 }
 
-static void sca3000_unconfigure_ring(struct iio_dev *indio_dev)
-{
-	iio_kfifo_free(indio_dev->buffer);
-}
-
 static inline
 int __sca3000_hw_ring_state_set(struct iio_dev *indio_dev, bool state)
 {
@@ -1546,8 +1541,6 @@ static int sca3000_remove(struct spi_dev
 	if (spi->irq)
 		free_irq(spi->irq, indio_dev);
 
-	sca3000_unconfigure_ring(indio_dev);
-
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 131/220] mm: fix __gup_device_huge vs unmap
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 130/220] iio: sca3000: Fix an error handling path in sca3000_probe() Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 132/220] scsi: scsi_debug: Fix memory leak on module unload Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kara, Dan Williams

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>

commit a9b6de77b1a3ff729f7bfc54b2e17711776a416c upstream.

get_user_pages_fast() for device pages is missing the typical validation
that all page references have been taken while the mapping was valid.
Without this validation truncate operations can not reliably coordinate
against new page reference events like O_DIRECT.

Cc: <stable@vger.kernel.org>
Fixes: 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings")
Reported-by: Jan Kara <jack@suse.cz>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/gup.c |   36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1459,32 +1459,48 @@ static int __gup_device_huge(unsigned lo
 	return 1;
 }
 
-static int __gup_device_huge_pmd(pmd_t pmd, unsigned long addr,
+static int __gup_device_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
 		unsigned long end, struct page **pages, int *nr)
 {
 	unsigned long fault_pfn;
+	int nr_start = *nr;
 
-	fault_pfn = pmd_pfn(pmd) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
-	return __gup_device_huge(fault_pfn, addr, end, pages, nr);
+	fault_pfn = pmd_pfn(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
+	if (!__gup_device_huge(fault_pfn, addr, end, pages, nr))
+		return 0;
+
+	if (unlikely(pmd_val(orig) != pmd_val(*pmdp))) {
+		undo_dev_pagemap(nr, nr_start, pages);
+		return 0;
+	}
+	return 1;
 }
 
-static int __gup_device_huge_pud(pud_t pud, unsigned long addr,
+static int __gup_device_huge_pud(pud_t orig, pud_t *pudp, unsigned long addr,
 		unsigned long end, struct page **pages, int *nr)
 {
 	unsigned long fault_pfn;
+	int nr_start = *nr;
 
-	fault_pfn = pud_pfn(pud) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
-	return __gup_device_huge(fault_pfn, addr, end, pages, nr);
+	fault_pfn = pud_pfn(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
+	if (!__gup_device_huge(fault_pfn, addr, end, pages, nr))
+		return 0;
+
+	if (unlikely(pud_val(orig) != pud_val(*pudp))) {
+		undo_dev_pagemap(nr, nr_start, pages);
+		return 0;
+	}
+	return 1;
 }
 #else
-static int __gup_device_huge_pmd(pmd_t pmd, unsigned long addr,
+static int __gup_device_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
 		unsigned long end, struct page **pages, int *nr)
 {
 	BUILD_BUG();
 	return 0;
 }
 
-static int __gup_device_huge_pud(pud_t pud, unsigned long addr,
+static int __gup_device_huge_pud(pud_t pud, pud_t *pudp, unsigned long addr,
 		unsigned long end, struct page **pages, int *nr)
 {
 	BUILD_BUG();
@@ -1502,7 +1518,7 @@ static int gup_huge_pmd(pmd_t orig, pmd_
 		return 0;
 
 	if (pmd_devmap(orig))
-		return __gup_device_huge_pmd(orig, addr, end, pages, nr);
+		return __gup_device_huge_pmd(orig, pmdp, addr, end, pages, nr);
 
 	refs = 0;
 	page = pmd_page(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
@@ -1540,7 +1556,7 @@ static int gup_huge_pud(pud_t orig, pud_
 		return 0;
 
 	if (pud_devmap(orig))
-		return __gup_device_huge_pud(orig, addr, end, pages, nr);
+		return __gup_device_huge_pud(orig, pudp, addr, end, pages, nr);
 
 	refs = 0;
 	page = pud_page(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 132/220] scsi: scsi_debug: Fix memory leak on module unload
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 131/220] mm: fix __gup_device_huge vs unmap Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 133/220] scsi: hpsa: disable device during shutdown Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luis Henriques, Douglas Gilbert,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luis Henriques <lhenriques@suse.com>

commit 52ab9768f723823a71dc659f0fad803a90f80236 upstream.

Since commit 80c49563e250 ("scsi: scsi_debug: implement IMMED bit") there
are long delays in F_SYNC_DELAY and F_SSU_DELAY.  This can cause a memory
leak in schedule_resp(), which can be invoked while unloading the
scsi_debug module: free_all_queued() had already freed all sd_dp and
schedule_resp will alloc a new one, which will never get freed.  Here's the
kmemleak report while running xfstests generic/350:

unreferenced object 0xffff88007d752b00 (size 128):
  comm "rmmod", pid 26940, jiffies 4295816945 (age 7.588s)
  hex dump (first 32 bytes):
    00 2b 75 7d 00 88 ff ff 00 00 00 00 00 00 00 00  .+u}............
    00 00 00 00 00 00 00 00 8e 31 a2 34 5f 03 00 00  .........1.4_...
  backtrace:
    [<000000002abd83d0>] 0xffffffffa000705e
    [<000000004c063fda>] scsi_dispatch_cmd+0xc7/0x1a0
    [<000000000c119a00>] scsi_request_fn+0x251/0x550
    [<000000009de0c736>] __blk_run_queue+0x3f/0x60
    [<000000001c4453c8>] blk_execute_rq_nowait+0x98/0xd0
    [<00000000d17ec79f>] blk_execute_rq+0x3a/0x50
    [<00000000a7654b6e>] scsi_execute+0x113/0x250
    [<00000000fd78f7cd>] sd_sync_cache+0x95/0x160
    [<0000000024dacb14>] sd_shutdown+0x9b/0xd0
    [<00000000e9101710>] sd_remove+0x5f/0xb0
    [<00000000c43f0d63>] device_release_driver_internal+0x13c/0x1f0
    [<00000000e8ad57b6>] bus_remove_device+0xe9/0x160
    [<00000000713a7b8a>] device_del+0x120/0x320
    [<00000000e5db670c>] __scsi_remove_device+0x115/0x150
    [<00000000eccbef30>] scsi_forget_host+0x20/0x60
    [<00000000cd5a0738>] scsi_remove_host+0x6d/0x120

Cc: stable@vger.kernel.org # v4.17+
Signed-off-by: Luis Henriques <lhenriques@suse.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_debug.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -5506,9 +5506,9 @@ static void __exit scsi_debug_exit(void)
 	int k = sdebug_add_host;
 
 	stop_all_queued();
-	free_all_queued();
 	for (; k; k--)
 		sdebug_remove_adapter();
+	free_all_queued();
 	driver_unregister(&sdebug_driverfs_driver);
 	bus_unregister(&pseudo_lld_bus);
 	root_device_unregister(pseudo_primary);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 133/220] scsi: hpsa: disable device during shutdown
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 132/220] scsi: scsi_debug: Fix memory leak on module unload Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 134/220] scsi: qla2xxx: Delete session for nport id change Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sinan Kaya, Ryan Finnie, Don Brace,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sinan Kaya <okaya@codeaurora.org>

commit 0d98ba8d70b0070ac117452ea0b663e26bbf46bf upstream.

'Commit cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during
shutdown")' has been added to kernel to shutdown pending PCIe port service
interrupts during reboot so that a newly started kexec kernel wouldn't
observe pending interrupts.

pcie_port_device_remove() is disabling the root port and switches by
calling pci_disable_device() after all PCIe service drivers are shutdown.

This has been found to cause crashes on HP DL360 Gen9 machines during
reboot due to hpsa driver not clearing the bus master bit during the
shutdown procedure by calling pci_disable_device().

Disable device as part of the shutdown sequence.

Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=199779
Fixes: cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during shutdown")
Cc: stable@vger.kernel.org
Reported-by: Ryan Finnie <ryan@finnie.org>
Tested-by: Don Brace <don.brace@microsemi.com>
Acked-by: Don Brace <don.brace@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/hpsa.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -8869,7 +8869,7 @@ out:
 	kfree(options);
 }
 
-static void hpsa_shutdown(struct pci_dev *pdev)
+static void __hpsa_shutdown(struct pci_dev *pdev)
 {
 	struct ctlr_info *h;
 
@@ -8884,6 +8884,12 @@ static void hpsa_shutdown(struct pci_dev
 	hpsa_disable_interrupt_mode(h);		/* pci_init 2 */
 }
 
+static void hpsa_shutdown(struct pci_dev *pdev)
+{
+	__hpsa_shutdown(pdev);
+	pci_disable_device(pdev);
+}
+
 static void hpsa_free_device_info(struct ctlr_info *h)
 {
 	int i;
@@ -8927,7 +8933,7 @@ static void hpsa_remove_one(struct pci_d
 		scsi_remove_host(h->scsi_host);		/* init_one 8 */
 	/* includes hpsa_free_irqs - init_one 4 */
 	/* includes hpsa_disable_interrupt_mode - pci_init 2 */
-	hpsa_shutdown(pdev);
+	__hpsa_shutdown(pdev);
 
 	hpsa_free_device_info(h);		/* scan */
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 134/220] scsi: qla2xxx: Delete session for nport id change
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 133/220] scsi: hpsa: disable device during shutdown Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 135/220] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quinn Tran, Himanshu Madhani,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quinn Tran <quinn.tran@cavium.com>

commit 1d317b21231bb2b81a6e0f94f708b8619ec8775b upstream.

This patch fixes regression introduced by commit a4239945b8ad ("scsi:
qla2xxx: Add switch command to simplify fabric discovery") by scheduling
session deletion when Nport ID changes.

[mkp: clarified commit]

Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery")
Cc: <stable@vger.kernel.org>
Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_gs.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/scsi/qla2xxx/qla_gs.c
+++ b/drivers/scsi/qla2xxx/qla_gs.c
@@ -3915,7 +3915,6 @@ void qla24xx_async_gnnft_done(scsi_qla_h
 			if (memcmp(rp->port_name, fcport->port_name, WWN_SIZE))
 				continue;
 			fcport->scan_state = QLA_FCPORT_FOUND;
-			fcport->d_id.b24 = rp->id.b24;
 			found = true;
 			/*
 			 * If device was not a fabric device before.
@@ -3923,7 +3922,10 @@ void qla24xx_async_gnnft_done(scsi_qla_h
 			if ((fcport->flags & FCF_FABRIC_DEVICE) == 0) {
 				qla2x00_clear_loop_id(fcport);
 				fcport->flags |= FCF_FABRIC_DEVICE;
+			} else if (fcport->d_id.b24 != rp->id.b24) {
+				qlt_schedule_sess_for_deletion(fcport);
 			}
+			fcport->d_id.b24 = rp->id.b24;
 			break;
 		}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 135/220] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 134/220] scsi: qla2xxx: Delete session for nport id change Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 136/220] scsi: qla2xxx: Mask off Scope bits in retry delay Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Eda Zhou,
	Ewan D. Milne, Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <himanshu.madhani@cavium.com>

commit 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 upstream.

This patch prevents driver from setting lower default speed of 1 GB/sec,
if the switch does not support Get Port Speed Capabilities (GPSC)
command. Setting this default speed results into much lower write
performance for large sequential WRITE.  This patch modifies driver to
check for gpsc_supported flags and prevents driver from issuing
MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver
does not send this mailbox command, firmware assumes maximum supported
link speed and will operate at the max speed.

Cc: stable@vger.kernel.org
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reported-by: Eda Zhou <ezhou@redhat.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Tested-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_init.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -5037,7 +5037,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vh
 		return;
 
 	if (fcport->fp_speed == PORT_SPEED_UNKNOWN ||
-	    fcport->fp_speed > ha->link_data_rate)
+	    fcport->fp_speed > ha->link_data_rate ||
+	    !ha->flags.gpsc_supported)
 		return;
 
 	rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed,



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 136/220] scsi: qla2xxx: Mask off Scope bits in retry delay
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 135/220] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 137/220] scsi: qla2xxx: Spinlock recursion in qla_target Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anil Gurumurthy, Giridhar Malavali,
	Himanshu Madhani, Ewan D. Milne, Martin Wilck,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anil Gurumurthy <anil.gurumurthy@cavium.com>

commit 3cedc8797b9c0f2222fd45a01f849c57c088828b upstream.

Some newer target uses "Status Qualifier" response in a returned "Busy
Status". This new response code of 0x4001, which is "Scope" bits,
translates to "Affects all units accessible by target".  Due to this new
value returned in the Scope bits, driver was using that value as timeout
value which resulted into driver waiting for 27min timeout.

This patch masks off this Scope bits so that driver does not use this
value as retry delay time.

Cc: <stable@vger.kernel.org>
Signed-off-by: Anil Gurumurthy <anil.gurumurthy@cavium.com>
Signed-off-by: Giridhar Malavali <giridhar.malavali@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Martin Wilck <mwilck@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_isr.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -2494,8 +2494,12 @@ qla2x00_status_entry(scsi_qla_host_t *vh
 		ox_id = le16_to_cpu(sts24->ox_id);
 		par_sense_len = sizeof(sts24->data);
 		/* Valid values of the retry delay timer are 0x1-0xffef */
-		if (sts24->retry_delay > 0 && sts24->retry_delay < 0xfff1)
-			retry_delay = sts24->retry_delay;
+		if (sts24->retry_delay > 0 && sts24->retry_delay < 0xfff1) {
+			retry_delay = sts24->retry_delay & 0x3fff;
+			ql_dbg(ql_dbg_io, sp->vha, 0x3033,
+			    "%s: scope=%#x retry_delay=%#x\n", __func__,
+			    sts24->retry_delay >> 14, retry_delay);
+		}
 	} else {
 		if (scsi_status & SS_SENSE_LEN_VALID)
 			sense_len = le16_to_cpu(sts->req_sense_length);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 137/220] scsi: qla2xxx: Spinlock recursion in qla_target
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 136/220] scsi: qla2xxx: Mask off Scope bits in retry delay Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 138/220] scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikhail Malygin, Himanshu Madhani,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikhail Malygin <m.malygin@yadro.com>

commit 49d7bd36813ea8e6b4c97b640d24e7fbd44c84f0 upstream.

The patch reverts changes done in qlt_schedule_sess_for_deletion() to
avoid spinlock recursion sess->vha->work_lock should be used instead
of ha->tgt.sess_lock, that can be locked in callers: qlt_reset() or
qlt_handle_login()

[mkp: roll in build warning reported by sfr]

Fixes: 1c6cacf4ea6c04 ("scsi: qla2xxx: Fixup locking for session deletion")
Cc: <stable@vger.kernel.org> #v4.17
Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
Reported-by: Mikhail Malygin <m.malygin@yadro.com>
Tested-by: Mikhail Malygin <m.malygin@yadro.com>
Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_target.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -1230,7 +1230,6 @@ static void qla24xx_chk_fcp_state(struct
 void qlt_schedule_sess_for_deletion(struct fc_port *sess)
 {
 	struct qla_tgt *tgt = sess->tgt;
-	struct qla_hw_data *ha = sess->vha->hw;
 	unsigned long flags;
 
 	if (sess->disc_state == DSC_DELETE_PEND)
@@ -1247,16 +1246,16 @@ void qlt_schedule_sess_for_deletion(stru
 			return;
 	}
 
-	spin_lock_irqsave(&ha->tgt.sess_lock, flags);
 	if (sess->deleted == QLA_SESS_DELETED)
 		sess->logout_on_delete = 0;
 
+	spin_lock_irqsave(&sess->vha->work_lock, flags);
 	if (sess->deleted == QLA_SESS_DELETION_IN_PROGRESS) {
-		spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+		spin_unlock_irqrestore(&sess->vha->work_lock, flags);
 		return;
 	}
 	sess->deleted = QLA_SESS_DELETION_IN_PROGRESS;
-	spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+	spin_unlock_irqrestore(&sess->vha->work_lock, flags);
 
 	sess->disc_state = DSC_DELETE_PEND;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 138/220] scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 137/220] scsi: qla2xxx: Spinlock recursion in qla_target Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 139/220] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Jens Remus,
	Benjamin Block, Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit df30781699f53e4fd4c494c6f7dd16e3d5c21d30 upstream.

For problem determination we need to see whether and why we were successful
or not. This allows deduction of scsi_eh escalation.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : schrh_r        SCSI host reset handler result
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0xffffffff                             none (invalid)
SCSI LUN       : 0xffffffff                             none (invalid)
SCSI LUN high  : 0xffffffff                             none (invalid)
SCSI result    : 0x00002002     field re-used for midlayer value: SUCCESS
                                or in other cases: 0x2009 == FAST_IO_FAIL
SCSI retries   : 0xff                                   none (invalid)
SCSI allowed   : 0xff                                   none (invalid)
SCSI scribble  : 0xffffffffffffffff                     none (invalid)
SCSI opcode    : ffffffff ffffffff ffffffff ffffffff    none (invalid)
FCP rsp inf cod: 0xff                                   none (invalid)
FCP rsp IU     : 00000000 00000000 00000000 00000000    none (invalid)
                 00000000 00000000

v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from
fc_block_scsi_eh to scsi eh") introduced the first return with something
other than the previously hardcoded single SUCCESS return path.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
Cc: <stable@vger.kernel.org> #2.6.38+
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_dbf.c  |   40 ++++++++++++++++++++++++++++++++++++++++
 drivers/s390/scsi/zfcp_ext.h  |    2 ++
 drivers/s390/scsi/zfcp_scsi.c |   11 ++++++-----
 3 files changed, 48 insertions(+), 5 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -664,6 +664,46 @@ void zfcp_dbf_scsi(char *tag, int level,
 	spin_unlock_irqrestore(&dbf->scsi_lock, flags);
 }
 
+/**
+ * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks.
+ * @tag: Identifier for event.
+ * @adapter: Pointer to zfcp adapter as context for this event.
+ * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF).
+ * @ret: Return value of calling function.
+ *
+ * This SCSI trace variant does not depend on any of:
+ * scsi_cmnd, zfcp_fsf_req, scsi_device.
+ */
+void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+		      unsigned int scsi_id, int ret)
+{
+	struct zfcp_dbf *dbf = adapter->dbf;
+	struct zfcp_dbf_scsi *rec = &dbf->scsi_buf;
+	unsigned long flags;
+	static int const level = 1;
+
+	if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level)))
+		return;
+
+	spin_lock_irqsave(&dbf->scsi_lock, flags);
+	memset(rec, 0, sizeof(*rec));
+
+	memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN);
+	rec->id = ZFCP_DBF_SCSI_CMND;
+	rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */
+	rec->scsi_retries = ~0;
+	rec->scsi_allowed = ~0;
+	rec->fcp_rsp_info = ~0;
+	rec->scsi_id = scsi_id;
+	rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN;
+	rec->scsi_lun_64_hi = (u32)(ZFCP_DBF_INVALID_LUN >> 32);
+	rec->host_scribble = ~0;
+	memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE);
+
+	debug_event(dbf->scsi, level, rec, sizeof(*rec));
+	spin_unlock_irqrestore(&dbf->scsi_lock, flags);
+}
+
 static debug_info_t *zfcp_dbf_reg(const char *name, int size, int rec_size)
 {
 	struct debug_info *d;
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -52,6 +52,8 @@ extern void zfcp_dbf_san_res(char *, str
 extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *);
 extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *,
 			  struct zfcp_fsf_req *);
+extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+			     unsigned int scsi_id, int ret);
 
 /* zfcp_erp.c */
 extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -323,15 +323,16 @@ static int zfcp_scsi_eh_host_reset_handl
 {
 	struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
 	struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
-	int ret;
+	int ret = SUCCESS, fc_ret;
 
 	zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
 	zfcp_erp_wait(adapter);
-	ret = fc_block_scsi_eh(scpnt);
-	if (ret)
-		return ret;
+	fc_ret = fc_block_scsi_eh(scpnt);
+	if (fc_ret)
+		ret = fc_ret;
 
-	return SUCCESS;
+	zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret);
+	return ret;
 }
 
 struct scsi_transport_template *zfcp_scsi_transport_template;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 139/220] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 138/220] scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 140/220] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 81979ae63e872ef650a7197f6ce6590059d37172 upstream.

We already have a SCSI trace for the end of abort and scsi_eh TMF. Due to
zfcp_erp_wait() and fc_block_scsi_eh() time can pass between the start of
our eh callback and an actual send/recv of an abort / TMF request.  In order
to see the temporal sequence including any abort / TMF send retries, add a
trace before the above two blocking functions.  This supports problem
determination with scsi_eh and parallel zfcp ERP.

No need to explicitly trace the beginning of our eh callback, since we
typically can send an abort / TMF and see its HBA response (in the worst
case, it's a pseudo response on dismiss all of adapter recovery, e.g. due to
an FSF request timeout [fsrth_1] of the abort / TMF). If we cannot send, we
now get a trace record for the first "abrt_wt" or "[lt]r_wait" which denotes
almost the beginning of the callback.

No need to explicitly trace the wakeup after the above two blocking
functions because the next retry loop causes another trace in any case and
that is sufficient.

Example trace records formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : abrt_wt        abort, before zfcp_erp_wait()
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0x<scsi_id>
SCSI LUN       : 0x<scsi_lun>
SCSI LUN high  : 0x<scsi_lun_high>
SCSI result    : 0x<scsi_result_of_cmd_to_be_aborted>
SCSI retries   : 0x<retries_of_cmd_to_be_aborted>
SCSI allowed   : 0x<allowed_retries_of_cmd_to_be_aborted>
SCSI scribble  : 0x<req_id_of_cmd_to_be_aborted>
SCSI opcode    : <CDB_of_cmd_to_be_aborted>
FCP rsp inf cod: 0x..                                   none (invalid)
FCP rsp IU     : ...                                    none (invalid)

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : lr_wait        LUN reset, before zfcp_erp_wait()
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0x<scsi_id>
SCSI LUN       : 0x<scsi_lun>
SCSI LUN high  : 0x<scsi_lun_high>
SCSI result    : 0x...                                  unrelated
SCSI retries   : 0x..                                   unrelated
SCSI allowed   : 0x..                                   unrelated
SCSI scribble  : 0x...                                  unrelated
SCSI opcode    : ...                                    unrelated
FCP rsp inf cod: 0x..                                   none (invalid)
FCP rsp IU     : ...                                    none (invalid)

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
Fixes: af4de36d911a ("[SCSI] zfcp: Block scsi_eh thread for rport state BLOCKED")
Cc: <stable@vger.kernel.org> #2.6.38+
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_scsi.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -181,6 +181,7 @@ static int zfcp_scsi_eh_abort_handler(st
 		if (abrt_req)
 			break;
 
+		zfcp_dbf_scsi_abort("abrt_wt", scpnt, NULL);
 		zfcp_erp_wait(adapter);
 		ret = fc_block_scsi_eh(scpnt);
 		if (ret) {
@@ -277,6 +278,7 @@ static int zfcp_task_mgmt_function(struc
 		if (fsf_req)
 			break;
 
+		zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL);
 		zfcp_erp_wait(adapter);
 		ret = fc_block_scsi_eh(scpnt);
 		if (ret) {



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 140/220] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 139/220] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 141/220] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 512857a795cbbda5980efa4cdb3c0b6602330408 upstream.

If a SCSI device is deleted during scsi_eh host reset, we cannot get a
reference to the SCSI device anymore since scsi_device_get returns !=0 by
design. Assuming the recovery of adapter and port(s) was successful,
zfcp_erp_strategy_followup_success() attempts to trigger a LUN reset for the
half-gone SCSI device. Unfortunately, it causes the following confusing
trace record which states that zfcp will do a LUN recovery as "ERP need" is
ZFCP_ERP_ACTION_REOPEN_LUN == 1 and equals "ERP want".

Old example trace record formatted with zfcpdbf from s390-tools:

Tag:           : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
LUN            : 0x<FCP_LUN>
WWPN           : 0x<WWPN>
D_ID           : 0x<N_Port-ID>
Adapter status : 0x5400050b
Port status    : 0x54000001
LUN status     : 0x40000000     ZFCP_STATUS_COMMON_RUNNING
                                but not ZFCP_STATUS_COMMON_UNBLOCKED as it
                                was closed on close part of adapter reopen
ERP want       : 0x01
ERP need       : 0x01           misleading

However, zfcp_erp_setup_act() returns NULL as it cannot get the reference.
Hence, zfcp_erp_action_enqueue() takes an early goto out and _NO_ recovery
actually happens.

We always do want the recovery trigger trace record even if no erp_action
could be enqueued as in this case. For other cases where we did not enqueue
an erp_action, 'need' has always been zero to indicate this. In order to
indicate above goto out, introduce an eyecatcher "flag" to mark the "ERP
need" as 'not needed' but still keep the information which erp_action type,
that zfcp_erp_required_act() had decided upon, is needed.  0xc_ is chosen to
be visibly different from 0x0_ in "ERP want".

New example trace record formatted with zfcpdbf from s390-tools:

Tag:           : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
LUN            : 0x<FCP_LUN>
WWPN           : 0x<WWPN>
D_ID           : 0x<N_Port-ID>
Adapter status : 0x5400050b
Port status    : 0x54000001
LUN status     : 0x40000000
ERP want       : 0x01
ERP need       : 0xc1           would need LUN ERP, but no action set up
                   ^

Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of the debug
tracing for recovery actions.") we could detect this case because the
"erp_action" field in the trace was NULL. The rework removed erp_action as
argument and field from the trace.

This patch here is for tracing. A fix to allow LUN recovery in the case at
hand is a topic for a separate patch.

See also commit fdbd1c5e27da ("[SCSI] zfcp: Allow running unit/LUN shutdown
without acquiring reference") for a similar case and background info.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
Cc: <stable@vger.kernel.org> #2.6.38+
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_erp.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -35,11 +35,23 @@ enum zfcp_erp_steps {
 	ZFCP_ERP_STEP_LUN_OPENING	= 0x2000,
 };
 
+/**
+ * enum zfcp_erp_act_type - Type of ERP action object.
+ * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
+ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
+ *			  either of the other enum values.
+ *			  Used to indicate that an ERP action could not be
+ *			  set up despite a detected need for some recovery.
+ */
 enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_LUN         = 1,
 	ZFCP_ERP_ACTION_REOPEN_PORT	   = 2,
 	ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
 	ZFCP_ERP_ACTION_REOPEN_ADAPTER     = 4,
+	ZFCP_ERP_ACTION_NONE		   = 0xc0,
 };
 
 enum zfcp_erp_act_state {
@@ -257,8 +269,10 @@ static int zfcp_erp_action_enqueue(int w
 		goto out;
 
 	act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev);
-	if (!act)
+	if (!act) {
+		need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */
 		goto out;
+	}
 	atomic_or(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status);
 	++adapter->erp_total_count;
 	list_add_tail(&act->list, &adapter->erp_ready_head);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 141/220] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 140/220] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 142/220] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 96d9270499471545048ed8a6d7f425a49762283d upstream.

get_device() and its internally used kobject_get() only return NULL if they
get passed NULL as argument. zfcp_get_port_by_wwpn() loops over
adapter->port_list so the iteration variable port is always non-NULL.
Struct device is embedded in struct zfcp_port so &port->dev is always
non-NULL. This is the argument to get_device().  However, if we get an
fc_rport in terminate_rport_io() for which we cannot find a match within
zfcp_get_port_by_wwpn(), the latter can return NULL.  v2.6.30 commit
70932935b61e ("[SCSI] zfcp: Fix oops when port disappears") introduced an
early return without adding a trace record for this case.  Even if we don't
need recovery in this case, for debugging we should still see that our
callback was invoked originally by scsi_transport_fc.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : sctrpin        SCSI terminate rport I/O, no zfcp port
LUN            : 0xffffffffffffffff                     none (invalid)
WWPN           : 0x<wwpn>               WWPN
D_ID           : 0x<n_port_id>          N_Port-ID
Adapter status : 0x...
Port status    : 0xffffffff             unknown (-1)
LUN status     : 0x00000000                             none (invalid)
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears")
Cc: <stable@vger.kernel.org> #2.6.38+
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_erp.c  |   20 ++++++++++++++++++++
 drivers/s390/scsi/zfcp_ext.h  |    3 +++
 drivers/s390/scsi/zfcp_scsi.c |    5 +++++
 3 files changed, 28 insertions(+)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -283,6 +283,26 @@ static int zfcp_erp_action_enqueue(int w
 	return retval;
 }
 
+void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter,
+				      u64 port_name, u32 port_id)
+{
+	unsigned long flags;
+	static /* don't waste stack */ struct zfcp_port tmpport;
+
+	write_lock_irqsave(&adapter->erp_lock, flags);
+	/* Stand-in zfcp port with fields just good enough for
+	 * zfcp_dbf_rec_trig() and zfcp_dbf_set_common().
+	 * Under lock because tmpport is static.
+	 */
+	atomic_set(&tmpport.status, -1); /* unknown */
+	tmpport.wwpn = port_name;
+	tmpport.d_id = port_id;
+	zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL,
+			  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+			  ZFCP_ERP_ACTION_NONE);
+	write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
+
 static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter,
 				    int clear_mask, char *id)
 {
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -58,6 +58,9 @@ extern void zfcp_dbf_scsi_eh(char *tag,
 /* zfcp_erp.c */
 extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
 extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32);
+extern void zfcp_erp_port_forced_no_port_dbf(char *id,
+					     struct zfcp_adapter *adapter,
+					     u64 port_name, u32 port_id);
 extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *);
 extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *);
 extern void zfcp_erp_set_port_status(struct zfcp_port *, u32);
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -605,6 +605,11 @@ static void zfcp_scsi_terminate_rport_io
 	if (port) {
 		zfcp_erp_port_forced_reopen(port, 0, "sctrpi1");
 		put_device(&port->dev);
+	} else {
+		zfcp_erp_port_forced_no_port_dbf(
+			"sctrpin", adapter,
+			rport->port_name /* zfcp_scsi_rport_register */,
+			rport->port_id /* zfcp_scsi_rport_register */);
 	}
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 142/220] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 141/220] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 143/220] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit d70aab55924b44f213fec2b900b095430b33eec6 upstream.

For problem determination we always want to see when we were invoked on the
terminate_rport_io callback whether we perform something or not.

Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec:

loose remote port

t   workqueue
[s] zfcp_q_<dev>       IRQ                 zfcperp<dev>

=== ================== =================== ============================

  0                    recv RSCN
                       q p.test_link_work
    block rport
     start fast_io_fail_tmo
    send ADISC ELS
  4                    recv ADISC fail
                       block zfcp_port
                                           port forced reopen
                                           send open port
 12                    recv open port fail
                                           q p.gid_pn_work
                                           zfcp_erp_wakeup
                                           (zfcp_erp_wait would return)
    GID_PN fail

Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail,
e.g. with the typical 5 sec setting.

    port.status |= ERP_FAILED

If fast_io_fail_tmo triggers after this point, we missed a SCSI trace.

    workqueue
    fc_dl_<host>
    ==================
 27 fc_timeout_fail_rport_io
    fc_terminate_rport_io
    zfcp_scsi_terminate_rport_io
    zfcp_erp_port_forced_reopen
    _zfcp_erp_port_forced_reopen
     if (port.status & ERP_FAILED)
      return;

Therefore, write a trace before above early return.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : sctrpi1                SCSI terminate rport I/O
LUN            : 0xffffffffffffffff                     none (invalid)
WWPN           : 0x<wwpn>
D_ID           : 0x<n_port_id>
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x00000000                             none (invalid)
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Cc: <stable@vger.kernel.org> #2.6.38+
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_erp.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -42,9 +42,13 @@ enum zfcp_erp_steps {
  * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
  * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
  * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
- *			  either of the other enum values.
+ *			  either of the first four enum values.
  *			  Used to indicate that an ERP action could not be
  *			  set up despite a detected need for some recovery.
+ * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with
+ *			    either of the first four enum values.
+ *			    Used to indicate that ERP not needed because
+ *			    the object has ZFCP_STATUS_COMMON_ERP_FAILED.
  */
 enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_LUN         = 1,
@@ -52,6 +56,7 @@ enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
 	ZFCP_ERP_ACTION_REOPEN_ADAPTER     = 4,
 	ZFCP_ERP_ACTION_NONE		   = 0xc0,
+	ZFCP_ERP_ACTION_FAILED		   = 0xe0,
 };
 
 enum zfcp_erp_act_state {
@@ -379,8 +384,12 @@ static void _zfcp_erp_port_forced_reopen
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+		zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
+				  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+				  ZFCP_ERP_ACTION_FAILED);
 		return;
+	}
 
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
 				port->adapter, port, NULL, id, 0);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 143/220] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 142/220] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 144/220] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 8c3d20aada70042a39c6a6625be037c1472ca610 upstream.

That other commit introduced an inconsistency because it would trace on
ERP_FAILED for all callers of port forced reopen triggers (not just
terminate_rport_io), but it would not trace on ERP_FAILED for all callers of
other ERP triggers such as adapter, port regular, LUN.

Therefore, generalize that other commit. zfcp_erp_action_enqueue() already
had two early outs which re-used the one zfcp_dbf_rec_trig() call.  All ERP
trigger functions finally run through zfcp_erp_action_enqueue().  So move
the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into
zfcp_erp_action_enqueue() and add another early out with new trace marker
for pseudo ERP need in this case. This removes all early returns from all
ERP trigger functions so we always end up at zfcp_dbf_rec_trig().

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : .......
LUN            : 0x...
WWPN           : 0x...
D_ID           : 0x...
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x...
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Cc: <stable@vger.kernel.org> #2.6.38+
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_erp.c |   79 +++++++++++++++++++++++++++----------------
 1 file changed, 51 insertions(+), 28 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -143,6 +143,49 @@ static void zfcp_erp_action_dismiss_adap
 	}
 }
 
+static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter,
+				  struct zfcp_port *port,
+				  struct scsi_device *sdev)
+{
+	int need = want;
+	struct zfcp_scsi_dev *zsdev;
+
+	switch (want) {
+	case ZFCP_ERP_ACTION_REOPEN_LUN:
+		zsdev = sdev_to_zfcp(sdev);
+		if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+			need = 0;
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
+		if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+			need = 0;
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_PORT:
+		if (atomic_read(&port->status) &
+		    ZFCP_STATUS_COMMON_ERP_FAILED) {
+			need = 0;
+			/* ensure propagation of failed status to new devices */
+			zfcp_erp_set_port_status(
+				port, ZFCP_STATUS_COMMON_ERP_FAILED);
+		}
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
+		if (atomic_read(&adapter->status) &
+		    ZFCP_STATUS_COMMON_ERP_FAILED) {
+			need = 0;
+			/* ensure propagation of failed status to new devices */
+			zfcp_erp_set_adapter_status(
+				adapter, ZFCP_STATUS_COMMON_ERP_FAILED);
+		}
+		break;
+	default:
+		need = 0;
+		break;
+	}
+
+	return need;
+}
+
 static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter,
 				 struct zfcp_port *port,
 				 struct scsi_device *sdev)
@@ -266,6 +309,12 @@ static int zfcp_erp_action_enqueue(int w
 	int retval = 1, need;
 	struct zfcp_erp_action *act;
 
+	need = zfcp_erp_handle_failed(want, adapter, port, sdev);
+	if (!need) {
+		need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */
+		goto out;
+	}
+
 	if (!adapter->erp_thread)
 		return -EIO;
 
@@ -314,12 +363,6 @@ static int _zfcp_erp_adapter_reopen(stru
 	zfcp_erp_adapter_block(adapter, clear_mask);
 	zfcp_scsi_schedule_rports_block(adapter);
 
-	/* ensure propagation of failed status to new devices */
-	if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		zfcp_erp_set_adapter_status(adapter,
-					    ZFCP_STATUS_COMMON_ERP_FAILED);
-		return -EIO;
-	}
 	return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER,
 				       adapter, NULL, NULL, id, 0);
 }
@@ -338,12 +381,8 @@ void zfcp_erp_adapter_reopen(struct zfcp
 	zfcp_scsi_schedule_rports_block(adapter);
 
 	write_lock_irqsave(&adapter->erp_lock, flags);
-	if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-		zfcp_erp_set_adapter_status(adapter,
-					    ZFCP_STATUS_COMMON_ERP_FAILED);
-	else
-		zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
-					NULL, NULL, id, 0);
+	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
+				NULL, NULL, id, 0);
 	write_unlock_irqrestore(&adapter->erp_lock, flags);
 }
 
@@ -384,13 +423,6 @@ static void _zfcp_erp_port_forced_reopen
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
-				  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
-				  ZFCP_ERP_ACTION_FAILED);
-		return;
-	}
-
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
 				port->adapter, port, NULL, id, 0);
 }
@@ -416,12 +448,6 @@ static int _zfcp_erp_port_reopen(struct
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		/* ensure propagation of failed status to new devices */
-		zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED);
-		return -EIO;
-	}
-
 	return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT,
 				       port->adapter, port, NULL, id, 0);
 }
@@ -461,9 +487,6 @@ static void _zfcp_erp_lun_reopen(struct
 
 	zfcp_erp_lun_block(sdev, clear);
 
-	if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-		return;
-
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter,
 				zfcp_sdev->port, sdev, id, act_status);
 }



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 144/220] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 143/220] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 145/220] linvdimm, pmem: Preserve read-only setting for pmem devices Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 6a76550841d412330bd86aed3238d1888ba70f0e upstream.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : .......
LUN            : 0x...
WWPN           : 0x...
D_ID           : 0x...
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x...
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Cc: <stable@vger.kernel.org> #2.6.38+
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_erp.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -315,8 +315,11 @@ static int zfcp_erp_action_enqueue(int w
 		goto out;
 	}
 
-	if (!adapter->erp_thread)
-		return -EIO;
+	if (!adapter->erp_thread) {
+		need = ZFCP_ERP_ACTION_NONE; /* marker for trace */
+		retval = -EIO;
+		goto out;
+	}
 
 	need = zfcp_erp_required_act(want, adapter, port, sdev);
 	if (!need)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 145/220] linvdimm, pmem: Preserve read-only setting for pmem devices
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 144/220] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 146/220] libnvdimm, pmem: Unconditionally deep flush on *sync Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Robert Elliott, Dan Williams

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robert Elliott <elliott@hpe.com>

commit 254a4cd50b9fe2291a12b8902e08e56dcc4e9b10 upstream.

The pmem driver does not honor a forced read-only setting for very long:
	$ blockdev --setro /dev/pmem0
	$ blockdev --getro /dev/pmem0
	1

followed by various commands like these:
	$ blockdev --rereadpt /dev/pmem0
	or
	$ mkfs.ext4 /dev/pmem0

results in this in the kernel serial log:
	 nd_pmem namespace0.0: region0 read-write, marking pmem0 read-write

with the read-only setting lost:
	$ blockdev --getro /dev/pmem0
	0

That's from bus.c nvdimm_revalidate_disk(), which always applies the
setting from nd_region (which is initially based on the ACPI NFIT
NVDIMM state flags not_armed bit).

In contrast, commit 20bd1d026aac ("scsi: sd: Keep disk read-only when
re-reading partition") fixed this issue for SCSI devices to preserve
the previous setting if it was set to read-only.

This patch modifies bus.c to preserve any previous read-only setting.
It also eliminates the kernel serial log print except for cases where
read-write is changed to read-only, so it doesn't print read-only to
read-only non-changes.

Cc: <stable@vger.kernel.org>
Fixes: 581388209405 ("libnvdimm, nfit: handle unarmed dimms, mark namespaces read-only")
Signed-off-by: Robert Elliott <elliott@hpe.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nvdimm/bus.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -566,14 +566,18 @@ int nvdimm_revalidate_disk(struct gendis
 {
 	struct device *dev = disk_to_dev(disk)->parent;
 	struct nd_region *nd_region = to_nd_region(dev->parent);
-	const char *pol = nd_region->ro ? "only" : "write";
+	int disk_ro = get_disk_ro(disk);
 
-	if (nd_region->ro == get_disk_ro(disk))
+	/*
+	 * Upgrade to read-only if the region is read-only preserve as
+	 * read-only if the disk is already read-only.
+	 */
+	if (disk_ro || nd_region->ro == disk_ro)
 		return 0;
 
-	dev_info(dev, "%s read-%s, marking %s read-%s\n",
-			dev_name(&nd_region->dev), pol, disk->disk_name, pol);
-	set_disk_ro(disk, nd_region->ro);
+	dev_info(dev, "%s read-only, marking %s read-only\n",
+			dev_name(&nd_region->dev), disk->disk_name);
+	set_disk_ro(disk, 1);
 
 	return 0;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 146/220] libnvdimm, pmem: Unconditionally deep flush on *sync
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 145/220] linvdimm, pmem: Preserve read-only setting for pmem devices Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 147/220] clk: meson: meson8b: mark fclk_div2 gate clocks as CLK_IS_CRITICAL Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ross Zwisler, Dan Williams

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Zwisler <ross.zwisler@linux.intel.com>

commit ce7f11a230d5b7165480b96c0cc7a90358b5b5e2 upstream.

Prior to this commit we would only do a "deep flush" (have nvdimm_flush()
write to each of the flush hints for a region) in response to an
msync/fsync/sync call if the nvdimm_has_cache() returned true at the time
we were setting up the request queue.  This happens due to the write cache
value passed in to blk_queue_write_cache(), which then causes the block
layer to send down BIOs with REQ_FUA and REQ_PREFLUSH set.  We do have a
"write_cache" sysfs entry for namespaces, i.e.:

  /sys/bus/nd/devices/pfn0.1/block/pmem0/dax/write_cache

which can be used to control whether or not the kernel thinks a given
namespace has a write cache, but this didn't modify the deep flush behavior
that we set up when the driver was initialized.  Instead, it only modified
whether or not DAX would flush CPU caches via dax_flush() in response to
*sync calls.

Simplify this by making the *sync deep flush always happen, regardless of
the write cache setting of a namespace.  The DAX CPU cache flushing will
still be controlled the write_cache setting of the namespace.

Cc: <stable@vger.kernel.org>
Fixes: 5fdf8e5ba566 ("libnvdimm: re-enable deep flush for pmem devices via fsync()")
Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nvdimm/pmem.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -299,7 +299,7 @@ static int pmem_attach_disk(struct devic
 {
 	struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev);
 	struct nd_region *nd_region = to_nd_region(dev->parent);
-	int nid = dev_to_node(dev), fua, wbc;
+	int nid = dev_to_node(dev), fua;
 	struct resource *res = &nsio->res;
 	struct resource bb_res;
 	struct nd_pfn *nd_pfn = NULL;
@@ -335,7 +335,6 @@ static int pmem_attach_disk(struct devic
 		dev_warn(dev, "unable to guarantee persistence of writes\n");
 		fua = 0;
 	}
-	wbc = nvdimm_has_cache(nd_region);
 
 	if (!devm_request_mem_region(dev, res->start, resource_size(res),
 				dev_name(&ndns->dev))) {
@@ -382,7 +381,7 @@ static int pmem_attach_disk(struct devic
 		return PTR_ERR(addr);
 	pmem->virt_addr = addr;
 
-	blk_queue_write_cache(q, wbc, fua);
+	blk_queue_write_cache(q, true, fua);
 	blk_queue_make_request(q, pmem_make_request);
 	blk_queue_physical_block_size(q, PAGE_SIZE);
 	blk_queue_logical_block_size(q, pmem_sector_size(ndns));
@@ -413,7 +412,7 @@ static int pmem_attach_disk(struct devic
 		put_disk(disk);
 		return -ENOMEM;
 	}
-	dax_write_cache(dax_dev, wbc);
+	dax_write_cache(dax_dev, nvdimm_has_cache(nd_region));
 	pmem->dax_dev = dax_dev;
 
 	gendev = disk_to_dev(disk);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 147/220] clk: meson: meson8b: mark fclk_div2 gate clocks as CLK_IS_CRITICAL
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 146/220] libnvdimm, pmem: Unconditionally deep flush on *sync Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 148/220] clk: at91: PLL recalc_rate() now using cached MUL and DIV values Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Kevin Hilman,
	Jerome Brunet

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

commit 72e1f2302040398dafb64bbb93abdde78c1f2267 upstream.

Until commit 05f814402d6174 ("clk: meson: add fdiv clock gates") we
relied on the bootloader to enable the fclk_div clock gates. It turns
out that our clock tree is incomplete at least on Meson8b (tested with
an Odroid-C1, which uses an RGMII PHY) because after the mentioned
commit Ethernet is not working anymore (no RX/TX activity can be seen).
At the same time Ethernet was still working on Meson8m2 with a RMII PHY.

Testing has shown that as soon as "fclk_div2" is disabled Ethernet stops
working on Odroid-C1. Unfortunately it's currently not clear what the
Ethernet controller IP block uses the fclk_div2 clock for. Mark the
clock as CLK_IS_CRITICAL to keep it enabled (as it's already enabled by
most bootloaders by default, which is why we didn't notice it before).

Fixes: 05f814402d6174 ("clk: meson: add fdiv clock gates")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Tested-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/meson/meson8b.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/clk/meson/meson8b.c
+++ b/drivers/clk/meson/meson8b.c
@@ -246,6 +246,13 @@ static struct clk_regmap meson8b_fclk_di
 		.ops = &clk_regmap_gate_ops,
 		.parent_names = (const char *[]){ "fclk_div2_div" },
 		.num_parents = 1,
+		/*
+		 * FIXME: Ethernet with a RGMII PHYs is not working if
+		 * fclk_div2 is disabled. it is currently unclear why this
+		 * is. keep it enabled until the Ethernet driver knows how
+		 * to manage this clock.
+		 */
+		.flags = CLK_IS_CRITICAL,
 	},
 };
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 148/220] clk: at91: PLL recalc_rate() now using cached MUL and DIV values
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 147/220] clk: meson: meson8b: mark fclk_div2 gate clocks as CLK_IS_CRITICAL Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 149/220] rtc: sun6i: Fix bit_idx value for clk_register_gate Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marcin Ziemianowicz, Boris Brezillon,
	Stephen Boyd

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcin Ziemianowicz <marcin@ziemianowicz.com>

commit a982e45dc150da3a08907b6dd676b735391704b4 upstream.

When a USB device is connected to the USB host port on the SAM9N12 then
you get "-62" error which seems to indicate USB replies from the device
are timing out. Based on a logic sniffer, I saw the USB bus was running
at half speed.

The PLL code uses cached MUL and DIV values which get set in set_rate()
and applied in prepare(), but the recalc_rate() function instead
queries the hardware instead of using these cached values. Therefore,
if recalc_rate() is called between a set_rate() and prepare(), the
wrong frequency is calculated and later the USB clock divider for the
SAM9N12 SOC will be configured for an incorrect clock.

In my case, the PLL hardware was set to 96 Mhz before the OHCI
driver loads, and therefore the usb clock divider was being set
to /2 even though the OHCI driver set the PLL to 48 Mhz.

As an alternative explanation, I noticed this was fixed in the past by
87e2ed338f1b ("clk: at91: fix recalc_rate implementation of PLL
driver") but the bug was later re-introduced by 1bdf02326b71 ("clk:
at91: make use of syscon/regmap internally").

Fixes: 1bdf02326b71 ("clk: at91: make use of syscon/regmap internally)
Cc: <stable@vger.kernel.org>
Signed-off-by: Marcin Ziemianowicz <marcin@ziemianowicz.com>
Acked-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/at91/clk-pll.c |   13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

--- a/drivers/clk/at91/clk-pll.c
+++ b/drivers/clk/at91/clk-pll.c
@@ -132,19 +132,8 @@ static unsigned long clk_pll_recalc_rate
 					 unsigned long parent_rate)
 {
 	struct clk_pll *pll = to_clk_pll(hw);
-	unsigned int pllr;
-	u16 mul;
-	u8 div;
 
-	regmap_read(pll->regmap, PLL_REG(pll->id), &pllr);
-
-	div = PLL_DIV(pllr);
-	mul = PLL_MUL(pllr, pll->layout);
-
-	if (!div || !mul)
-		return 0;
-
-	return (parent_rate / div) * (mul + 1);
+	return (parent_rate / pll->div) * (pll->mul + 1);
 }
 
 static long clk_pll_get_best_div_mul(struct clk_pll *pll, unsigned long rate,



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 149/220] rtc: sun6i: Fix bit_idx value for clk_register_gate
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 148/220] clk: at91: PLL recalc_rate() now using cached MUL and DIV values Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 150/220] md: fix two problems with setting the "re-add" device state Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Trimarchi, Jagan Teki,
	Maxime Ripard, Alexandre Belloni

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Trimarchi <michael@amarulasolutions.com>

commit 09018d4bd7994c2c9f775029bc24589bc85f76fa upstream.

clk-gate core will take bit_idx through clk_register_gate
and then do clk_gate_ops by using BIT(bit_idx), but rtc-sun6i
is passing bit_idx as BIT(bit_idx) it becomes BIT(BIT(bit_idx)
which is wrong and eventually external gate clock is not enabling.

This patch fixed by passing bit index and the original change
introduced from below commit.
"rtc: sun6i: Add support for the external oscillator gate"
(sha1: 	17ecd246414b3a0fe0cb248c86977a8bda465b7b)

Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Fixes: 17ecd246414b ("rtc: sun6i: Add support for the external oscillator gate")
Cc: stable@vger.kernel.org
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rtc/rtc-sun6i.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/rtc/rtc-sun6i.c
+++ b/drivers/rtc/rtc-sun6i.c
@@ -74,7 +74,7 @@
 #define SUN6I_ALARM_CONFIG_WAKEUP		BIT(0)
 
 #define SUN6I_LOSC_OUT_GATING			0x0060
-#define SUN6I_LOSC_OUT_GATING_EN		BIT(0)
+#define SUN6I_LOSC_OUT_GATING_EN_OFFSET		0
 
 /*
  * Get date values
@@ -255,7 +255,7 @@ static void __init sun6i_rtc_clk_init(st
 				      &clkout_name);
 	rtc->ext_losc = clk_register_gate(NULL, clkout_name, rtc->hw.init->name,
 					  0, rtc->base + SUN6I_LOSC_OUT_GATING,
-					  SUN6I_LOSC_OUT_GATING_EN, 0,
+					  SUN6I_LOSC_OUT_GATING_EN_OFFSET, 0,
 					  &rtc->lock);
 	if (IS_ERR(rtc->ext_losc)) {
 		pr_crit("Couldn't register the LOSC external gate\n");



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 150/220] md: fix two problems with setting the "re-add" device state.
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 149/220] rtc: sun6i: Fix bit_idx value for clk_register_gate Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 151/220] rpmsg: smd: do not use mananged resources for endpoints and channels Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, NeilBrown, Goldwyn Rodrigues, Shaohua Li

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.com>

commit 011abdc9df559ec75779bb7c53a744c69b2a94c6 upstream.

If "re-add" is written to the "state" file for a device
which is faulty, this has an effect similar to removing
and re-adding the device.  It should take up the
same slot in the array that it previously had, and
an accelerated (e.g. bitmap-based) rebuild should happen.

The slot that "it previously had" is determined by
rdev->saved_raid_disk.
However this is not set when a device fails (only when a device
is added), and it is cleared when resync completes.
This means that "re-add" will normally work once, but may not work a
second time.

This patch includes two fixes.
1/ when a device fails, record the ->raid_disk value in
    ->saved_raid_disk before clearing ->raid_disk
2/ when "re-add" is written to a device for which
    ->saved_raid_disk is not set, fail.

I think this is suitable for stable as it can
cause re-adding a device to be forced to do a full
resync which takes a lot longer and so puts data at
more risk.

Cc: <stable@vger.kernel.org> (v4.1)
Fixes: 97f6cd39da22 ("md-cluster: re-add capabilities")
Signed-off-by: NeilBrown <neilb@suse.com>
Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/md.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -2853,7 +2853,8 @@ state_store(struct md_rdev *rdev, const
 			err = 0;
 		}
 	} else if (cmd_match(buf, "re-add")) {
-		if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1)) {
+		if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
+			rdev->saved_raid_disk >= 0) {
 			/* clear_bit is performed _after_ all the devices
 			 * have their local Faulty bit cleared. If any writes
 			 * happen in the meantime in the local node, they
@@ -8641,6 +8642,7 @@ static int remove_and_add_spares(struct
 			if (mddev->pers->hot_remove_disk(
 				    mddev, rdev) == 0) {
 				sysfs_unlink_rdev(mddev, rdev);
+				rdev->saved_raid_disk = rdev->raid_disk;
 				rdev->raid_disk = -1;
 				removed++;
 			}



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 151/220] rpmsg: smd: do not use mananged resources for endpoints and channels
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 150/220] md: fix two problems with setting the "re-add" device state Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 152/220] ubi: fastmap: Cancel work upon detach Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Bjorn Andersson

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit 4a2e84c6ed85434ce7843e4844b4d3263f7e233b upstream.

All the managed resources would be freed by the time release function
is invoked. Handling such memory in qcom_smd_edge_release() would do
bad things.

Found this issue while testing Audio usecase where the dsp is started up
and shutdown in a loop.

This patch fixes this issue by using simple kzalloc for allocating
channel->name and channel which is then freed in qcom_smd_edge_release().

Without this patch restarting a remoteproc would crash the system.
Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
Cc: <stable@vger.kernel.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rpmsg/qcom_smd.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/rpmsg/qcom_smd.c
+++ b/drivers/rpmsg/qcom_smd.c
@@ -1100,12 +1100,12 @@ static struct qcom_smd_channel *qcom_smd
 	void *info;
 	int ret;
 
-	channel = devm_kzalloc(&edge->dev, sizeof(*channel), GFP_KERNEL);
+	channel = kzalloc(sizeof(*channel), GFP_KERNEL);
 	if (!channel)
 		return ERR_PTR(-ENOMEM);
 
 	channel->edge = edge;
-	channel->name = devm_kstrdup(&edge->dev, name, GFP_KERNEL);
+	channel->name = kstrdup(name, GFP_KERNEL);
 	if (!channel->name)
 		return ERR_PTR(-ENOMEM);
 
@@ -1156,8 +1156,8 @@ static struct qcom_smd_channel *qcom_smd
 	return channel;
 
 free_name_and_channel:
-	devm_kfree(&edge->dev, channel->name);
-	devm_kfree(&edge->dev, channel);
+	kfree(channel->name);
+	kfree(channel);
 
 	return ERR_PTR(ret);
 }
@@ -1378,13 +1378,13 @@ static int qcom_smd_parse_edge(struct de
  */
 static void qcom_smd_edge_release(struct device *dev)
 {
-	struct qcom_smd_channel *channel;
+	struct qcom_smd_channel *channel, *tmp;
 	struct qcom_smd_edge *edge = to_smd_edge(dev);
 
-	list_for_each_entry(channel, &edge->channels, list) {
-		SET_RX_CHANNEL_INFO(channel, state, SMD_CHANNEL_CLOSED);
-		SET_RX_CHANNEL_INFO(channel, head, 0);
-		SET_RX_CHANNEL_INFO(channel, tail, 0);
+	list_for_each_entry_safe(channel, tmp, &edge->channels, list) {
+		list_del(&channel->list);
+		kfree(channel->name);
+		kfree(channel);
 	}
 
 	kfree(edge);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 152/220] ubi: fastmap: Cancel work upon detach
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 151/220] rpmsg: smd: do not use mananged resources for endpoints and channels Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 153/220] ubi: fastmap: Correctly handle interrupted erasures in EBA Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Martin Townsend,
	Richard Weinberger

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 6e7d80161066c99d12580d1b985cb1408bb58cf1 upstream.

Ben Hutchings pointed out that 29b7a6fa1ec0 ("ubi: fastmap: Don't flush
fastmap work on detach") does not really fix the problem, it just
reduces the risk to hit the race window where fastmap work races against
free()'ing ubi->volumes[].

The correct approach is making sure that no more fastmap work is in
progress before we free ubi data structures.
So we cancel fastmap work right after the ubi background thread is
stopped.
By setting ubi->thread_enabled to zero we make sure that no further work
tries to wake the thread.

Fixes: 29b7a6fa1ec0 ("ubi: fastmap: Don't flush fastmap work on detach")
Fixes: 74cdaf24004a ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system")
Cc: stable@vger.kernel.org
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: Martin Townsend <mtownsend1973@gmail.com>

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/ubi/build.c |    3 +++
 drivers/mtd/ubi/wl.c    |    4 +---
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -1091,6 +1091,9 @@ int ubi_detach_mtd_dev(int ubi_num, int
 	if (ubi->bgt_thread)
 		kthread_stop(ubi->bgt_thread);
 
+#ifdef CONFIG_MTD_UBI_FASTMAP
+	cancel_work_sync(&ubi->fm_work);
+#endif
 	ubi_debugfs_exit_dev(ubi);
 	uif_close(ubi);
 
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -1505,6 +1505,7 @@ int ubi_thread(void *u)
 	}
 
 	dbg_wl("background thread \"%s\" is killed", ubi->bgt_name);
+	ubi->thread_enabled = 0;
 	return 0;
 }
 
@@ -1514,9 +1515,6 @@ int ubi_thread(void *u)
  */
 static void shutdown_work(struct ubi_device *ubi)
 {
-#ifdef CONFIG_MTD_UBI_FASTMAP
-	flush_work(&ubi->fm_work);
-#endif
 	while (!list_empty(&ubi->works)) {
 		struct ubi_work *wrk;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 153/220] ubi: fastmap: Correctly handle interrupted erasures in EBA
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 152/220] ubi: fastmap: Cancel work upon detach Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:22 ` [PATCH 4.17 154/220] UBIFS: Fix potential integer overflow in allocation Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, martin bayern, Richard Weinberger

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 781932375ffc6411713ee0926ccae8596ed0261c upstream.

Fastmap cannot track the LEB unmap operation, therefore it can
happen that after an interrupted erasure the mapping still looks
good from Fastmap's point of view, while reading from the PEB will
cause an ECC error and confuses the upper layer.

Instead of teaching users of UBI how to deal with that, we read back
the VID header and check for errors. If the PEB is empty or shows ECC
errors we fixup the mapping and schedule the PEB for erasure.

Fixes: dbb7d2a88d2a ("UBI: Add fastmap core")
Cc: <stable@vger.kernel.org>
Reported-by: martin bayern <Martinbayern@outlook.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/ubi/eba.c |   90 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 89 insertions(+), 1 deletion(-)

--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -490,6 +490,82 @@ out_unlock:
 	return err;
 }
 
+#ifdef CONFIG_MTD_UBI_FASTMAP
+/**
+ * check_mapping - check and fixup a mapping
+ * @ubi: UBI device description object
+ * @vol: volume description object
+ * @lnum: logical eraseblock number
+ * @pnum: physical eraseblock number
+ *
+ * Checks whether a given mapping is valid. Fastmap cannot track LEB unmap
+ * operations, if such an operation is interrupted the mapping still looks
+ * good, but upon first read an ECC is reported to the upper layer.
+ * Normaly during the full-scan at attach time this is fixed, for Fastmap
+ * we have to deal with it while reading.
+ * If the PEB behind a LEB shows this symthom we change the mapping to
+ * %UBI_LEB_UNMAPPED and schedule the PEB for erasure.
+ *
+ * Returns 0 on success, negative error code in case of failure.
+ */
+static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
+			 int *pnum)
+{
+	int err;
+	struct ubi_vid_io_buf *vidb;
+
+	if (!ubi->fast_attach)
+		return 0;
+
+	vidb = ubi_alloc_vid_buf(ubi, GFP_NOFS);
+	if (!vidb)
+		return -ENOMEM;
+
+	err = ubi_io_read_vid_hdr(ubi, *pnum, vidb, 0);
+	if (err > 0 && err != UBI_IO_BITFLIPS) {
+		int torture = 0;
+
+		switch (err) {
+			case UBI_IO_FF:
+			case UBI_IO_FF_BITFLIPS:
+			case UBI_IO_BAD_HDR:
+			case UBI_IO_BAD_HDR_EBADMSG:
+				break;
+			default:
+				ubi_assert(0);
+		}
+
+		if (err == UBI_IO_BAD_HDR_EBADMSG || err == UBI_IO_FF_BITFLIPS)
+			torture = 1;
+
+		down_read(&ubi->fm_eba_sem);
+		vol->eba_tbl->entries[lnum].pnum = UBI_LEB_UNMAPPED;
+		up_read(&ubi->fm_eba_sem);
+		ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum, torture);
+
+		*pnum = UBI_LEB_UNMAPPED;
+	} else if (err < 0) {
+		ubi_err(ubi, "unable to read VID header back from PEB %i: %i",
+			*pnum, err);
+
+		goto out_free;
+	}
+
+	err = 0;
+
+out_free:
+	ubi_free_vid_buf(vidb);
+
+	return err;
+}
+#else
+static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
+		  int *pnum)
+{
+	return 0;
+}
+#endif
+
 /**
  * ubi_eba_read_leb - read data.
  * @ubi: UBI device description object
@@ -522,7 +598,13 @@ int ubi_eba_read_leb(struct ubi_device *
 		return err;
 
 	pnum = vol->eba_tbl->entries[lnum].pnum;
-	if (pnum < 0) {
+	if (pnum >= 0) {
+		err = check_mapping(ubi, vol, lnum, &pnum);
+		if (err < 0)
+			goto out_unlock;
+	}
+
+	if (pnum == UBI_LEB_UNMAPPED) {
 		/*
 		 * The logical eraseblock is not mapped, fill the whole buffer
 		 * with 0xFF bytes. The exception is static volumes for which
@@ -931,6 +1013,12 @@ int ubi_eba_write_leb(struct ubi_device
 
 	pnum = vol->eba_tbl->entries[lnum].pnum;
 	if (pnum >= 0) {
+		err = check_mapping(ubi, vol, lnum, &pnum);
+		if (err < 0)
+			goto out;
+	}
+
+	if (pnum >= 0) {
 		dbg_eba("write %d bytes at offset %d of LEB %d:%d, PEB %d",
 			len, offset, vol_id, lnum, pnum);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 154/220] UBIFS: Fix potential integer overflow in allocation
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 153/220] ubi: fastmap: Correctly handle interrupted erasures in EBA Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 18:48   ` Richard Weinberger
  2018-07-01 16:22 ` [PATCH 4.17 155/220] backlight: as3711_bl: Fix Device Tree node lookup Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  212 siblings, 1 reply; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Silvio Cesare, Kees Cook

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Silvio Cesare <silvio.cesare@gmail.com>

commit 353748a359f1821ee934afc579cf04572406b420 upstream.

There is potential for the size and len fields in ubifs_data_node to be
too large causing either a negative value for the length fields or an
integer overflow leading to an incorrect memory allocation. Likewise,
when the len field is small, an integer underflow may occur.

Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ubifs/journal.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1283,10 +1283,11 @@ static int truncate_data_node(const stru
 			      int *new_len)
 {
 	void *buf;
-	int err, dlen, compr_type, out_len, old_dlen;
+	int err, compr_type;
+	u32 dlen, out_len, old_dlen;
 
 	out_len = le32_to_cpu(dn->size);
-	buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
+	buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
 	if (!buf)
 		return -ENOMEM;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 155/220] backlight: as3711_bl: Fix Device Tree node lookup
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 154/220] UBIFS: Fix potential integer overflow in allocation Greg Kroah-Hartman
@ 2018-07-01 16:22 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 156/220] backlight: max8925_bl: " Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Daniel Thompson, Lee Jones

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 4a9c8bb2aca5b5a2a15744333729745dd9903562 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent mfd node was also prematurely freed.

Cc: stable <stable@vger.kernel.org>     # 3.10
Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/backlight/as3711_bl.c |   33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

--- a/drivers/video/backlight/as3711_bl.c
+++ b/drivers/video/backlight/as3711_bl.c
@@ -262,10 +262,10 @@ static int as3711_bl_register(struct pla
 static int as3711_backlight_parse_dt(struct device *dev)
 {
 	struct as3711_bl_pdata *pdata = dev_get_platdata(dev);
-	struct device_node *bl =
-		of_find_node_by_name(dev->parent->of_node, "backlight"), *fb;
+	struct device_node *bl, *fb;
 	int ret;
 
+	bl = of_get_child_by_name(dev->parent->of_node, "backlight");
 	if (!bl) {
 		dev_dbg(dev, "backlight node not found\n");
 		return -ENODEV;
@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(str
 		if (pdata->su1_max_uA <= 0)
 			ret = -EINVAL;
 		if (ret < 0)
-			return ret;
+			goto err_put_bl;
 	}
 
 	fb = of_parse_phandle(bl, "su2-dev", 0);
@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(str
 		if (pdata->su2_max_uA <= 0)
 			ret = -EINVAL;
 		if (ret < 0)
-			return ret;
+			goto err_put_bl;
 
 		if (of_find_property(bl, "su2-feedback-voltage", NULL)) {
 			pdata->su2_feedback = AS3711_SU2_VOLTAGE;
@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(str
 			pdata->su2_feedback = AS3711_SU2_CURR_AUTO;
 			count++;
 		}
-		if (count != 1)
-			return -EINVAL;
+		if (count != 1) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 
 		count = 0;
 		if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) {
@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(str
 			pdata->su2_fbprot = AS3711_SU2_GPIO4;
 			count++;
 		}
-		if (count != 1)
-			return -EINVAL;
+		if (count != 1) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 
 		count = 0;
 		if (of_find_property(bl, "su2-auto-curr1", NULL)) {
@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(str
 		 * At least one su2-auto-curr* must be specified iff
 		 * AS3711_SU2_CURR_AUTO is used
 		 */
-		if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO))
-			return -EINVAL;
+		if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 	}
 
+	of_node_put(bl);
+
 	return 0;
+
+err_put_bl:
+	of_node_put(bl);
+
+	return ret;
 }
 
 static int as3711_backlight_probe(struct platform_device *pdev)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 156/220] backlight: max8925_bl: Fix Device Tree node lookup
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2018-07-01 16:22 ` [PATCH 4.17 155/220] backlight: as3711_bl: Fix Device Tree node lookup Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 157/220] backlight: tps65217_bl: " Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Daniel Thompson, Lee Jones

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit d1cc0ec3da23e44c23712579515494b374f111c9 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent mfd node was also prematurely freed,
while the child backlight node was leaked.

Cc: stable <stable@vger.kernel.org>     # 3.9
Fixes: 47ec340cb8e2 ("mfd: max8925: Support dt for backlight")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/backlight/max8925_bl.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/video/backlight/max8925_bl.c
+++ b/drivers/video/backlight/max8925_bl.c
@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(st
 	if (!pdata)
 		return;
 
-	np = of_find_node_by_name(nproot, "backlight");
+	np = of_get_child_by_name(nproot, "backlight");
 	if (!np) {
 		dev_err(&pdev->dev, "failed to find backlight node\n");
 		return;
@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(st
 	if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val))
 		pdata->dual_string = val;
 
+	of_node_put(np);
+
 	pdev->dev.platform_data = pdata;
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 157/220] backlight: tps65217_bl: Fix Device Tree node lookup
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 156/220] backlight: max8925_bl: " Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 159/220] f2fs: dont use GFP_ZERO for page caches Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Daniel Thompson, Lee Jones

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2b12dfa124dbadf391cb9a616aaa6b056823bf75 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

This would only cause trouble if the child node is missing while there
is an unrelated node named "backlight" elsewhere in the tree.

Cc: stable <stable@vger.kernel.org>     # 3.7
Fixes: eebfdc17cc6c ("backlight: Add TPS65217 WLED driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/backlight/tps65217_bl.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/video/backlight/tps65217_bl.c
+++ b/drivers/video/backlight/tps65217_bl.c
@@ -184,11 +184,11 @@ static struct tps65217_bl_pdata *
 tps65217_bl_parse_dt(struct platform_device *pdev)
 {
 	struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent);
-	struct device_node *node = of_node_get(tps->dev->of_node);
+	struct device_node *node;
 	struct tps65217_bl_pdata *pdata, *err;
 	u32 val;
 
-	node = of_find_node_by_name(node, "backlight");
+	node = of_get_child_by_name(tps->dev->of_node, "backlight");
 	if (!node)
 		return ERR_PTR(-ENODEV);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 159/220] f2fs: dont use GFP_ZERO for page caches
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 157/220] backlight: tps65217_bl: " Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 160/220] um: Fix initialization of vector queues Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <yuchao0@huawei.com>

commit 81114baa835b59ed02d14aa1d67f91ea874077cd upstream.

Related to https://lkml.org/lkml/2018/4/8/661

Sometimes, we need to write meta data to new allocated block address,
then we will allocate a zeroed page in inner inode's address space, and
fill partial data in it, and leave other place with zero value which means
some fields are initial status.

There are two inner inodes (meta inode and node inode) setting __GFP_ZERO,
I have just checked them, for both of them, we can avoid using __GFP_ZERO,
and do initialization by ourselves to avoid unneeded/redundant zeroing
from mm.

Cc: <stable@vger.kernel.org>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/f2fs/checkpoint.c |    4 +++-
 fs/f2fs/inode.c      |    4 ++--
 fs/f2fs/segment.c    |    3 +++
 fs/f2fs/segment.h    |    1 +
 4 files changed, 9 insertions(+), 3 deletions(-)

--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -100,8 +100,10 @@ repeat:
 	 * readonly and make sure do not write checkpoint with non-uptodate
 	 * meta page.
 	 */
-	if (unlikely(!PageUptodate(page)))
+	if (unlikely(!PageUptodate(page))) {
+		memset(page_address(page), 0, PAGE_SIZE);
 		f2fs_stop_checkpoint(sbi, false);
+	}
 out:
 	return page;
 }
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -320,10 +320,10 @@ struct inode *f2fs_iget(struct super_blo
 make_now:
 	if (ino == F2FS_NODE_INO(sbi)) {
 		inode->i_mapping->a_ops = &f2fs_node_aops;
-		mapping_set_gfp_mask(inode->i_mapping, GFP_F2FS_ZERO);
+		mapping_set_gfp_mask(inode->i_mapping, GFP_NOFS);
 	} else if (ino == F2FS_META_INO(sbi)) {
 		inode->i_mapping->a_ops = &f2fs_meta_aops;
-		mapping_set_gfp_mask(inode->i_mapping, GFP_F2FS_ZERO);
+		mapping_set_gfp_mask(inode->i_mapping, GFP_NOFS);
 	} else if (S_ISREG(inode->i_mode)) {
 		inode->i_op = &f2fs_file_inode_operations;
 		inode->i_fop = &f2fs_file_operations;
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -2020,6 +2020,7 @@ static void write_current_sum_page(struc
 	struct f2fs_summary_block *dst;
 
 	dst = (struct f2fs_summary_block *)page_address(page);
+	memset(dst, 0, PAGE_SIZE);
 
 	mutex_lock(&curseg->curseg_mutex);
 
@@ -3116,6 +3117,7 @@ static void write_compacted_summaries(st
 
 	page = grab_meta_page(sbi, blkaddr++);
 	kaddr = (unsigned char *)page_address(page);
+	memset(kaddr, 0, PAGE_SIZE);
 
 	/* Step 1: write nat cache */
 	seg_i = CURSEG_I(sbi, CURSEG_HOT_DATA);
@@ -3140,6 +3142,7 @@ static void write_compacted_summaries(st
 			if (!page) {
 				page = grab_meta_page(sbi, blkaddr++);
 				kaddr = (unsigned char *)page_address(page);
+				memset(kaddr, 0, PAGE_SIZE);
 				written_size = 0;
 			}
 			summary = (struct f2fs_summary *)(kaddr + written_size);
--- a/fs/f2fs/segment.h
+++ b/fs/f2fs/segment.h
@@ -375,6 +375,7 @@ static inline void seg_info_to_sit_page(
 	int i;
 
 	raw_sit = (struct f2fs_sit_block *)page_address(page);
+	memset(raw_sit, 0, PAGE_SIZE);
 	for (i = 0; i < end - start; i++) {
 		rs = &raw_sit->entries[i];
 		se = get_seg_entry(sbi, start + i);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 160/220] um: Fix initialization of vector queues
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 159/220] f2fs: dont use GFP_ZERO for page caches Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 161/220] um: Fix raw interface options Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Capenter, Anton Ivanov,
	Richard Weinberger

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anton Ivanov <anton.ivanov@cambridgegreys.com>

commit 4579a1ba692af81da7ea6ce197f8169ddc0c327f upstream.

UML vector drivers could derefence uninitialized memory
when cleaning up after a queue allocation failure.

Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver")
Cc: <stable@vger.kernel.org>
Reported-by: Dan Capenter <dan.carpenter@oracle.com>
Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/um/drivers/vector_kern.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/arch/um/drivers/vector_kern.c
+++ b/arch/um/drivers/vector_kern.c
@@ -504,15 +504,19 @@ static struct vector_queue *create_queue
 
 	result = kmalloc(sizeof(struct vector_queue), GFP_KERNEL);
 	if (result == NULL)
-		goto out_fail;
+		return NULL;
 	result->max_depth = max_size;
 	result->dev = vp->dev;
 	result->mmsg_vector = kmalloc(
 		(sizeof(struct mmsghdr) * max_size), GFP_KERNEL);
+	if (result->mmsg_vector == NULL)
+		goto out_mmsg_fail;
 	result->skbuff_vector = kmalloc(
 		(sizeof(void *) * max_size), GFP_KERNEL);
-	if (result->mmsg_vector == NULL || result->skbuff_vector == NULL)
-		goto out_fail;
+	if (result->skbuff_vector == NULL)
+		goto out_skb_fail;
+
+	/* further failures can be handled safely by destroy_queue*/
 
 	mmsg_vector = result->mmsg_vector;
 	for (i = 0; i < max_size; i++) {
@@ -563,6 +567,11 @@ static struct vector_queue *create_queue
 	result->head = 0;
 	result->tail = 0;
 	return result;
+out_skb_fail:
+	kfree(result->mmsg_vector);
+out_mmsg_fail:
+	kfree(result);
+	return NULL;
 out_fail:
 	destroy_queue(result);
 	return NULL;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 161/220] um: Fix raw interface options
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 160/220] um: Fix initialization of vector queues Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 162/220] mfd: twl-core: Fix clock initialization Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anton Ivanov, Richard Weinberger

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anton Ivanov <anton.ivanov@cambridgegreys.com>

commit 5ec9121195a4f1cecd0fa592636c5f81eb03dc8c upstream.

Raw interface initialization needs QDISC_BYPASS. Otherwise
it sees its own packets when transmitting.

Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/um/drivers/vector_kern.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/arch/um/drivers/vector_kern.c
+++ b/arch/um/drivers/vector_kern.c
@@ -188,7 +188,7 @@ static int get_transport_options(struct
 	if (strncmp(transport, TRANS_TAP, TRANS_TAP_LEN) == 0)
 		return (vec_rx | VECTOR_BPF);
 	if (strncmp(transport, TRANS_RAW, TRANS_RAW_LEN) == 0)
-		return (vec_rx | vec_tx);
+		return (vec_rx | vec_tx | VECTOR_QDISC_BYPASS);
 	return (vec_rx | vec_tx);
 }
 
@@ -1241,9 +1241,8 @@ static int vector_net_open(struct net_de
 
 	if ((vp->options & VECTOR_QDISC_BYPASS) != 0) {
 		if (!uml_raw_enable_qdisc_bypass(vp->fds->rx_fd))
-			vp->options = vp->options | VECTOR_BPF;
+			vp->options |= VECTOR_BPF;
 	}
-
 	if ((vp->options & VECTOR_BPF) != 0)
 		vp->bpf = uml_vector_default_bpf(vp->fds->rx_fd, dev->dev_addr);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 162/220] mfd: twl-core: Fix clock initialization
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 161/220] um: Fix raw interface options Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 163/220] mfd: intel-lpss: Program REMAP register in PIO mode Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Ujfalusi, Lee Jones

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Ujfalusi <peter.ujfalusi@ti.com>

commit c218b3b242bd04539621b468f01ecd2af5a21a45 upstream.

When looking up the clock we must use the client->dev as device since that
is the one which is probed via DT.

Cc: stable@vger.kernel.org # 4.16+
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mfd/twl-core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mfd/twl-core.c
+++ b/drivers/mfd/twl-core.c
@@ -1177,7 +1177,7 @@ twl_probe(struct i2c_client *client, con
 	twl_priv->ready = true;
 
 	/* setup clock framework */
-	clocks_init(&pdev->dev, pdata ? pdata->clock : NULL);
+	clocks_init(&client->dev, pdata ? pdata->clock : NULL);
 
 	/* read TWL IDCODE Register */
 	if (twl_class_is_4030()) {



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 163/220] mfd: intel-lpss: Program REMAP register in PIO mode
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 162/220] mfd: twl-core: Fix clock initialization Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 164/220] mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Lee Jones

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit d28b62520830b2d0bffa2d98e81afc9f5e537e8b upstream.

According to documentation REMAP register has to be programmed in
either DMA or PIO mode of the slice.

Move the DMA capability check below to let REMAP register be programmed
in PIO mode.

Cc: stable@vger.kernel.org # 4.3+
Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mfd/intel-lpss.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/mfd/intel-lpss.c
+++ b/drivers/mfd/intel-lpss.c
@@ -275,11 +275,11 @@ static void intel_lpss_init_dev(const st
 
 	intel_lpss_deassert_reset(lpss);
 
+	intel_lpss_set_remap_addr(lpss);
+
 	if (!intel_lpss_has_idma(lpss))
 		return;
 
-	intel_lpss_set_remap_addr(lpss);
-
 	/* Make sure that SPI multiblock DMA transfers are re-enabled */
 	if (lpss->type == LPSS_DEV_SPI)
 		writel(value, lpss->priv + LPSS_PRIV_SSP_REG);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 164/220] mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 163/220] mfd: intel-lpss: Program REMAP register in PIO mode Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 165/220] remoteproc: Prevent incorrect rproc state on xfer mem ownership failure Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jian-Hong Pan, Chris Chiu,
	Daniel Drake, Jarkko Nikula, Andy Shevchenko, Mika Westerberg,
	Lee Jones

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jarkko Nikula <jarkko.nikula@linux.intel.com>

commit 4e93a658576ab115977225c9d0992b97ff19ba8c upstream.

Intel Cannon Lake PCH has much higher 216 MHz input clock to LPSS I2C
than Sunrisepoint which uses 120 MHz. Preliminary information was that
both share the same clock rate but actual silicon implements elevated
rate for better support for 3.4 MHz high-speed I2C.

This incorrect input clock rate results too high I2C bus clock in case
ACPI doesn't provide tuned I2C timing parameters since I2C host
controller driver calculates them from input clock rate.

Fix this by using the correct rate. We still share the same 230 ns SDA
hold time value than Sunrisepoint.

Cc: stable@vger.kernel.org
Fixes: b418bbff36dd ("mfd: intel-lpss: Add Intel Cannonlake PCI IDs")
Reported-by: Jian-Hong Pan <jian-hong@endlessm.com>
Reported-by: Chris Chiu <chiu@endlessm.com>
Reported-by: Daniel Drake <drake@endlessm.com>
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Tested-by: Jian-Hong Pan <jian-hong@endlessm.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mfd/intel-lpss-pci.c |   25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

--- a/drivers/mfd/intel-lpss-pci.c
+++ b/drivers/mfd/intel-lpss-pci.c
@@ -124,6 +124,11 @@ static const struct intel_lpss_platform_
 	.properties = apl_i2c_properties,
 };
 
+static const struct intel_lpss_platform_info cnl_i2c_info = {
+	.clk_rate = 216000000,
+	.properties = spt_i2c_properties,
+};
+
 static const struct pci_device_id intel_lpss_pci_ids[] = {
 	/* BXT A-Step */
 	{ PCI_VDEVICE(INTEL, 0x0aac), (kernel_ulong_t)&bxt_i2c_info },
@@ -207,13 +212,13 @@ static const struct pci_device_id intel_
 	{ PCI_VDEVICE(INTEL, 0x9daa), (kernel_ulong_t)&spt_info },
 	{ PCI_VDEVICE(INTEL, 0x9dab), (kernel_ulong_t)&spt_info },
 	{ PCI_VDEVICE(INTEL, 0x9dfb), (kernel_ulong_t)&spt_info },
-	{ PCI_VDEVICE(INTEL, 0x9dc5), (kernel_ulong_t)&spt_i2c_info },
-	{ PCI_VDEVICE(INTEL, 0x9dc6), (kernel_ulong_t)&spt_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0x9dc5), (kernel_ulong_t)&cnl_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0x9dc6), (kernel_ulong_t)&cnl_i2c_info },
 	{ PCI_VDEVICE(INTEL, 0x9dc7), (kernel_ulong_t)&spt_uart_info },
-	{ PCI_VDEVICE(INTEL, 0x9de8), (kernel_ulong_t)&spt_i2c_info },
-	{ PCI_VDEVICE(INTEL, 0x9de9), (kernel_ulong_t)&spt_i2c_info },
-	{ PCI_VDEVICE(INTEL, 0x9dea), (kernel_ulong_t)&spt_i2c_info },
-	{ PCI_VDEVICE(INTEL, 0x9deb), (kernel_ulong_t)&spt_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0x9de8), (kernel_ulong_t)&cnl_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0x9de9), (kernel_ulong_t)&cnl_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0x9dea), (kernel_ulong_t)&cnl_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0x9deb), (kernel_ulong_t)&cnl_i2c_info },
 	/* SPT-H */
 	{ PCI_VDEVICE(INTEL, 0xa127), (kernel_ulong_t)&spt_uart_info },
 	{ PCI_VDEVICE(INTEL, 0xa128), (kernel_ulong_t)&spt_uart_info },
@@ -240,10 +245,10 @@ static const struct pci_device_id intel_
 	{ PCI_VDEVICE(INTEL, 0xa32b), (kernel_ulong_t)&spt_info },
 	{ PCI_VDEVICE(INTEL, 0xa37b), (kernel_ulong_t)&spt_info },
 	{ PCI_VDEVICE(INTEL, 0xa347), (kernel_ulong_t)&spt_uart_info },
-	{ PCI_VDEVICE(INTEL, 0xa368), (kernel_ulong_t)&spt_i2c_info },
-	{ PCI_VDEVICE(INTEL, 0xa369), (kernel_ulong_t)&spt_i2c_info },
-	{ PCI_VDEVICE(INTEL, 0xa36a), (kernel_ulong_t)&spt_i2c_info },
-	{ PCI_VDEVICE(INTEL, 0xa36b), (kernel_ulong_t)&spt_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0xa368), (kernel_ulong_t)&cnl_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0xa369), (kernel_ulong_t)&cnl_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0xa36a), (kernel_ulong_t)&cnl_i2c_info },
+	{ PCI_VDEVICE(INTEL, 0xa36b), (kernel_ulong_t)&cnl_i2c_info },
 	{ }
 };
 MODULE_DEVICE_TABLE(pci, intel_lpss_pci_ids);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 165/220] remoteproc: Prevent incorrect rproc state on xfer mem ownership failure
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 164/220] mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 166/220] arm: dts: mt7623: fix invalid memory node being generated Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sibi Sankar, Bjorn Andersson

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sibi Sankar <sibis@codeaurora.org>

commit 2724807f7f70a6a3e67b3f6bf921cc77ed39c8a1 upstream.

Any failure in the secure call for transferring mem ownership of mba
region to Q6 would result in reporting that the remoteproc device
is running. This is because the previous q6v5_clk_enable would have
been a success. Prevent this by updating variable 'ret' accordingly.

Cc: stable@vger.kernel.org
Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/remoteproc/qcom_q6v5_pil.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/drivers/remoteproc/qcom_q6v5_pil.c
+++ b/drivers/remoteproc/qcom_q6v5_pil.c
@@ -761,13 +761,11 @@ static int q6v5_start(struct rproc *rpro
 	}
 
 	/* Assign MBA image access in DDR to q6 */
-	xfermemop_ret = q6v5_xfer_mem_ownership(qproc, &qproc->mba_perm, true,
-						qproc->mba_phys,
-						qproc->mba_size);
-	if (xfermemop_ret) {
+	ret = q6v5_xfer_mem_ownership(qproc, &qproc->mba_perm, true,
+				      qproc->mba_phys, qproc->mba_size);
+	if (ret) {
 		dev_err(qproc->dev,
-			"assigning Q6 access to mba memory failed: %d\n",
-			xfermemop_ret);
+			"assigning Q6 access to mba memory failed: %d\n", ret);
 		goto disable_active_clks;
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 166/220] arm: dts: mt7623: fix invalid memory node being generated
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 165/220] remoteproc: Prevent incorrect rproc state on xfer mem ownership failure Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 167/220] perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Wang, Rob Herring, Matthias Brugger

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Wang <sean.wang@mediatek.com>

commit c0b0d540db1a8bfb041166c4991dd6f624e8de45 upstream.

Below two wrong nodes in existing DTS files would cause a fail boot since
in fact the address 0 is not the correct place the memory device locates
at.

memory {
        device_type = "memory";
        reg = <0x0 0x0 0x0 0x0>;
};

memory@80000000 {
        reg = <0x0 0x80000000 0x0 0x40000000>;
};

In order to avoid having a memory node starting at address 0, we can't
include file skeleton64.dtsi and instead need to explicitly manually
define a few of properties the DTS relies on such as #address-cells
and #size-cells in root node and device_type in the node memory@80000000.

Cc: stable@vger.kernel.org
Fixes: 31ac0d69a1d4 ("ARM: dts: mediatek: add MT7623 basic support")
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Cc: Rob Herring <robh+dt@kernel.org>
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/mt7623.dtsi                 |    3 ++-
 arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts |    1 +
 arch/arm/boot/dts/mt7623n-rfb.dtsi            |    1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

--- a/arch/arm/boot/dts/mt7623.dtsi
+++ b/arch/arm/boot/dts/mt7623.dtsi
@@ -22,11 +22,12 @@
 #include <dt-bindings/phy/phy.h>
 #include <dt-bindings/reset/mt2701-resets.h>
 #include <dt-bindings/thermal/thermal.h>
-#include "skeleton64.dtsi"
 
 / {
 	compatible = "mediatek,mt7623";
 	interrupt-parent = <&sysirq>;
+	#address-cells = <2>;
+	#size-cells = <2>;
 
 	cpu_opp_table: opp-table {
 		compatible = "operating-points-v2";
--- a/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts
+++ b/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts
@@ -109,6 +109,7 @@
 	};
 
 	memory@80000000 {
+		device_type = "memory";
 		reg = <0 0x80000000 0 0x40000000>;
 	};
 };
--- a/arch/arm/boot/dts/mt7623n-rfb.dtsi
+++ b/arch/arm/boot/dts/mt7623n-rfb.dtsi
@@ -47,6 +47,7 @@
 	};
 
 	memory@80000000 {
+		device_type = "memory";
 		reg = <0 0x80000000 0 0x40000000>;
 	};
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 167/220] perf tools: Fix symbol and object code resolution for vdso32 and vdsox32
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 166/220] arm: dts: mt7623: fix invalid memory node being generated Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 168/220] perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa, Wang Nan,
	Arnaldo Carvalho de Melo

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit aef4feace285f27c8ed35830a5d575bec7f3e90a upstream.

Fix __kmod_path__parse() so that perf tools does not treat vdso32 and
vdsox32 as kernel modules and fail to find the object.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Wang Nan <wangnan0@huawei.com>
Cc: stable@vger.kernel.org
Fixes: 1f121b03d058 ("perf tools: Deal with kernel module names in '[]' correctly")
Link: http://lkml.kernel.org/r/1528117014-30032-3-git-send-email-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/dso.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/tools/perf/util/dso.c
+++ b/tools/perf/util/dso.c
@@ -354,6 +354,8 @@ int __kmod_path__parse(struct kmod_path
 		if ((strncmp(name, "[kernel.kallsyms]", 17) == 0) ||
 		    (strncmp(name, "[guest.kernel.kallsyms", 22) == 0) ||
 		    (strncmp(name, "[vdso]", 6) == 0) ||
+		    (strncmp(name, "[vdso32]", 8) == 0) ||
+		    (strncmp(name, "[vdsox32]", 9) == 0) ||
 		    (strncmp(name, "[vsyscall]", 10) == 0)) {
 			m->kmod = false;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 168/220] perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 167/220] perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 169/220] perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Arnaldo Carvalho de Melo

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit dbcb82b93f3e8322891e47472c89e63058b81e99 upstream.

sync_switch is a facility to synchronize decoding more closely with the
point in the kernel when the context actually switched.

In one case, INTEL_PT_SS_NOT_TRACING state was not correctly
transitioning to INTEL_PT_SS_TRACING state due to a missing case clause.
Add it.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1527762225-26024-2-git-send-email-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt.c |    1 +
 1 file changed, 1 insertion(+)

--- a/tools/perf/util/intel-pt.c
+++ b/tools/perf/util/intel-pt.c
@@ -1523,6 +1523,7 @@ static int intel_pt_sample(struct intel_
 
 	if (intel_pt_is_switch_ip(ptq, state->to_ip)) {
 		switch (ptq->switch_state) {
+		case INTEL_PT_SS_NOT_TRACING:
 		case INTEL_PT_SS_UNKNOWN:
 		case INTEL_PT_SS_EXPECTING_SWITCH_IP:
 			err = intel_pt_next_tid(pt, ptq);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 169/220] perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 168/220] perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 170/220] perf intel-pt: Fix MTC timing after overflow Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Arnaldo Carvalho de Melo

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit bd2e49ec48feb1855f7624198849eea4610e2286 upstream.

It is possible to have a CBR packet between a FUP packet and
corresponding TIP packet. Stop treating it as an error.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1527762225-26024-3-git-send-email-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
@@ -1604,7 +1604,6 @@ static int intel_pt_walk_fup_tip(struct
 		case INTEL_PT_PSB:
 		case INTEL_PT_TSC:
 		case INTEL_PT_TMA:
-		case INTEL_PT_CBR:
 		case INTEL_PT_MODE_TSX:
 		case INTEL_PT_BAD:
 		case INTEL_PT_PSBEND:
@@ -1620,6 +1619,10 @@ static int intel_pt_walk_fup_tip(struct
 			decoder->pkt_step = 0;
 			return -ENOENT;
 
+		case INTEL_PT_CBR:
+			intel_pt_calc_cbr(decoder);
+			break;
+
 		case INTEL_PT_OVF:
 			return intel_pt_overflow(decoder);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 170/220] perf intel-pt: Fix MTC timing after overflow
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 169/220] perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 171/220] perf intel-pt: Fix "Unexpected indirect branch" error Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Arnaldo Carvalho de Melo

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit dd27b87ab5fcf3ea1c060b5e3ab5d31cc78e9f4c upstream.

On some platforms, overflows will clear before MTC wraparound, and there
is no following TSC/TMA packet. In that case the previous TMA is valid.
Since there will be a valid TMA either way, stop setting 'have_tma' to
false upon overflow.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1527762225-26024-4-git-send-email-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |    1 -
 1 file changed, 1 deletion(-)

--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
@@ -1376,7 +1376,6 @@ static int intel_pt_overflow(struct inte
 {
 	intel_pt_log("ERROR: Buffer overflow\n");
 	intel_pt_clear_tx_flags(decoder);
-	decoder->have_tma = false;
 	decoder->cbr = 0;
 	decoder->timestamp_insn_cnt = 0;
 	decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 171/220] perf intel-pt: Fix "Unexpected indirect branch" error
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 170/220] perf intel-pt: Fix MTC timing after overflow Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 172/220] perf intel-pt: Fix packet decoding of CYC packets Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Arnaldo Carvalho de Melo

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 9fb523363f6e3984457fee95bb7019395384ffa7 upstream.

Some Atom CPUs can produce FUP packets that contain NLIP (next linear
instruction pointer) instead of CLIP (current linear instruction
pointer).  That will result in "Unexpected indirect branch" errors. Fix
by comparing IP to NLIP in that case.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1527762225-26024-5-git-send-email-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |   17 +++++++++++++++--
 tools/perf/util/intel-pt-decoder/intel-pt-decoder.h |    9 +++++++++
 tools/perf/util/intel-pt.c                          |    4 ++++
 3 files changed, 28 insertions(+), 2 deletions(-)

--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
@@ -113,6 +113,7 @@ struct intel_pt_decoder {
 	bool have_cyc;
 	bool fixup_last_mtc;
 	bool have_last_ip;
+	enum intel_pt_param_flags flags;
 	uint64_t pos;
 	uint64_t last_ip;
 	uint64_t ip;
@@ -226,6 +227,8 @@ struct intel_pt_decoder *intel_pt_decode
 	decoder->return_compression = params->return_compression;
 	decoder->branch_enable      = params->branch_enable;
 
+	decoder->flags              = params->flags;
+
 	decoder->period             = params->period;
 	decoder->period_type        = params->period_type;
 
@@ -1097,6 +1100,15 @@ static bool intel_pt_fup_event(struct in
 	return ret;
 }
 
+static inline bool intel_pt_fup_with_nlip(struct intel_pt_decoder *decoder,
+					  struct intel_pt_insn *intel_pt_insn,
+					  uint64_t ip, int err)
+{
+	return decoder->flags & INTEL_PT_FUP_WITH_NLIP && !err &&
+	       intel_pt_insn->branch == INTEL_PT_BR_INDIRECT &&
+	       ip == decoder->ip + intel_pt_insn->length;
+}
+
 static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
 {
 	struct intel_pt_insn intel_pt_insn;
@@ -1109,10 +1121,11 @@ static int intel_pt_walk_fup(struct inte
 		err = intel_pt_walk_insn(decoder, &intel_pt_insn, ip);
 		if (err == INTEL_PT_RETURN)
 			return 0;
-		if (err == -EAGAIN) {
+		if (err == -EAGAIN ||
+		    intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
 			if (intel_pt_fup_event(decoder))
 				return 0;
-			return err;
+			return -EAGAIN;
 		}
 		decoder->set_fup_tx_flags = false;
 		if (err)
--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
@@ -60,6 +60,14 @@ enum {
 	INTEL_PT_ERR_MAX,
 };
 
+enum intel_pt_param_flags {
+	/*
+	 * FUP packet can contain next linear instruction pointer instead of
+	 * current linear instruction pointer.
+	 */
+	INTEL_PT_FUP_WITH_NLIP	= 1 << 0,
+};
+
 struct intel_pt_state {
 	enum intel_pt_sample_type type;
 	int err;
@@ -106,6 +114,7 @@ struct intel_pt_params {
 	unsigned int mtc_period;
 	uint32_t tsc_ctc_ratio_n;
 	uint32_t tsc_ctc_ratio_d;
+	enum intel_pt_param_flags flags;
 };
 
 struct intel_pt_decoder;
--- a/tools/perf/util/intel-pt.c
+++ b/tools/perf/util/intel-pt.c
@@ -751,6 +751,7 @@ static struct intel_pt_queue *intel_pt_a
 						   unsigned int queue_nr)
 {
 	struct intel_pt_params params = { .get_trace = 0, };
+	struct perf_env *env = pt->machine->env;
 	struct intel_pt_queue *ptq;
 
 	ptq = zalloc(sizeof(struct intel_pt_queue));
@@ -832,6 +833,9 @@ static struct intel_pt_queue *intel_pt_a
 		}
 	}
 
+	if (env->cpuid && !strncmp(env->cpuid, "GenuineIntel,6,92,", 18))
+		params.flags |= INTEL_PT_FUP_WITH_NLIP;
+
 	ptq->decoder = intel_pt_decoder_new(&params);
 	if (!ptq->decoder)
 		goto out_free;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 172/220] perf intel-pt: Fix packet decoding of CYC packets
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 171/220] perf intel-pt: Fix "Unexpected indirect branch" error Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 173/220] media: vsp1: Release buffers for each video node Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 621a5a327c1e36ffd7bb567f44a559f64f76358f upstream.

Use a 64-bit type so that the cycle count is not limited to 32-bits.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1528371002-8862-1-git-send-email-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
@@ -366,7 +366,7 @@ static int intel_pt_get_cyc(unsigned int
 		if (len < offs)
 			return INTEL_PT_NEED_MORE_BYTES;
 		byte = buf[offs++];
-		payload |= (byte >> 1) << shift;
+		payload |= ((uint64_t)byte >> 1) << shift;
 	}
 
 	packet->type = INTEL_PT_CYC;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 173/220] media: vsp1: Release buffers for each video node
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 172/220] perf intel-pt: Fix packet decoding of CYC packets Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 174/220] media: uvcvideo: Support realteks UVC 1.5 device Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kieran Bingham, Laurent Pinchart,
	Mauro Carvalho Chehab

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>

commit 83967993f2320575c0ab27a80bf1d7535909c2f4 upstream.

Commit 372b2b0399fc ("media: v4l: vsp1: Release buffers in
start_streaming error path") introduced a helper to clean up buffers on
error paths, but inadvertently changed the code such that only the
output WPF buffers were cleaned, rather than the video node being
operated on.

Since then vsp1_video_cleanup_pipeline() has grown to perform both video
node cleanup, as well as pipeline cleanup. Split the implementation into
two distinct functions that perform the required work, so that each
video node can release its buffers correctly on streamoff. The pipe
cleanup that was performed in the vsp1_video_stop_streaming() (releasing
the pipe->dl) is moved to the function for clarity.

Fixes: 372b2b0399fc ("media: v4l: vsp1: Release buffers in start_streaming error path")

Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/vsp1/vsp1_video.c |   21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

--- a/drivers/media/platform/vsp1/vsp1_video.c
+++ b/drivers/media/platform/vsp1/vsp1_video.c
@@ -849,9 +849,8 @@ static int vsp1_video_setup_pipeline(str
 	return 0;
 }
 
-static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe)
+static void vsp1_video_release_buffers(struct vsp1_video *video)
 {
-	struct vsp1_video *video = pipe->output->video;
 	struct vsp1_vb2_buffer *buffer;
 	unsigned long flags;
 
@@ -861,12 +860,18 @@ static void vsp1_video_cleanup_pipeline(
 		vb2_buffer_done(&buffer->buf.vb2_buf, VB2_BUF_STATE_ERROR);
 	INIT_LIST_HEAD(&video->irqqueue);
 	spin_unlock_irqrestore(&video->irqlock, flags);
+}
+
+static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe)
+{
+	lockdep_assert_held(&pipe->lock);
 
 	/* Release our partition table allocation */
-	mutex_lock(&pipe->lock);
 	kfree(pipe->part_table);
 	pipe->part_table = NULL;
-	mutex_unlock(&pipe->lock);
+
+	vsp1_dl_list_put(pipe->dl);
+	pipe->dl = NULL;
 }
 
 static int vsp1_video_start_streaming(struct vb2_queue *vq, unsigned int count)
@@ -881,8 +886,9 @@ static int vsp1_video_start_streaming(st
 	if (pipe->stream_count == pipe->num_inputs) {
 		ret = vsp1_video_setup_pipeline(pipe);
 		if (ret < 0) {
-			mutex_unlock(&pipe->lock);
+			vsp1_video_release_buffers(video);
 			vsp1_video_cleanup_pipeline(pipe);
+			mutex_unlock(&pipe->lock);
 			return ret;
 		}
 
@@ -932,13 +938,12 @@ static void vsp1_video_stop_streaming(st
 		if (ret == -ETIMEDOUT)
 			dev_err(video->vsp1->dev, "pipeline stop timeout\n");
 
-		vsp1_dl_list_put(pipe->dl);
-		pipe->dl = NULL;
+		vsp1_video_cleanup_pipeline(pipe);
 	}
 	mutex_unlock(&pipe->lock);
 
 	media_pipeline_stop(&video->video.entity);
-	vsp1_video_cleanup_pipeline(pipe);
+	vsp1_video_release_buffers(video);
 	vsp1_video_pipeline_put(pipe);
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 174/220] media: uvcvideo: Support realteks UVC 1.5 device
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 173/220] media: vsp1: Release buffers for each video node Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 175/220] media: cx231xx: Ignore an i2c mux adapter Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, ming_qian, Laurent Pinchart,
	Kai-Heng Feng, Ana Guerrero Lopez, Mauro Carvalho Chehab

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: ming_qian <ming_qian@realsil.com.cn>

commit f620d1d7afc7db57ab59f35000752840c91f67e7 upstream.

media: uvcvideo: Support UVC 1.5 video probe & commit controls

The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1.
Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be
recognized.

More changes to the driver are needed for full UVC 1.5 compatibility.
However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been
reported to work well.

[laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks]

Cc: stable@vger.kernel.org
Signed-off-by: ming_qian <ming_qian@realsil.com.cn>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Tested-by: Ana Guerrero Lopez <ana.guerrero@collabora.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/uvc/uvc_video.c |   24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -163,14 +163,27 @@ static void uvc_fixup_video_ctrl(struct
 	}
 }
 
+static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
+{
+	/*
+	 * Return the size of the video probe and commit controls, which depends
+	 * on the protocol version.
+	 */
+	if (stream->dev->uvc_version < 0x0110)
+		return 26;
+	else if (stream->dev->uvc_version < 0x0150)
+		return 34;
+	else
+		return 48;
+}
+
 static int uvc_get_video_ctrl(struct uvc_streaming *stream,
 	struct uvc_streaming_control *ctrl, int probe, u8 query)
 {
+	u16 size = uvc_video_ctrl_size(stream);
 	u8 *data;
-	u16 size;
 	int ret;
 
-	size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
 	if ((stream->dev->quirks & UVC_QUIRK_PROBE_DEF) &&
 			query == UVC_GET_DEF)
 		return -EIO;
@@ -225,7 +238,7 @@ static int uvc_get_video_ctrl(struct uvc
 	ctrl->dwMaxVideoFrameSize = get_unaligned_le32(&data[18]);
 	ctrl->dwMaxPayloadTransferSize = get_unaligned_le32(&data[22]);
 
-	if (size == 34) {
+	if (size >= 34) {
 		ctrl->dwClockFrequency = get_unaligned_le32(&data[26]);
 		ctrl->bmFramingInfo = data[30];
 		ctrl->bPreferedVersion = data[31];
@@ -254,11 +267,10 @@ out:
 static int uvc_set_video_ctrl(struct uvc_streaming *stream,
 	struct uvc_streaming_control *ctrl, int probe)
 {
+	u16 size = uvc_video_ctrl_size(stream);
 	u8 *data;
-	u16 size;
 	int ret;
 
-	size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
 	data = kzalloc(size, GFP_KERNEL);
 	if (data == NULL)
 		return -ENOMEM;
@@ -275,7 +287,7 @@ static int uvc_set_video_ctrl(struct uvc
 	put_unaligned_le32(ctrl->dwMaxVideoFrameSize, &data[18]);
 	put_unaligned_le32(ctrl->dwMaxPayloadTransferSize, &data[22]);
 
-	if (size == 34) {
+	if (size >= 34) {
 		put_unaligned_le32(ctrl->dwClockFrequency, &data[26]);
 		data[30] = ctrl->bmFramingInfo;
 		data[31] = ctrl->bPreferedVersion;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 175/220] media: cx231xx: Ignore an i2c mux adapter
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 174/220] media: uvcvideo: Support realteks UVC 1.5 device Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 176/220] media: v4l2-compat-ioctl32: prevent go past max size Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Brad Love, Mauro Carvalho Chehab

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brad Love <brad@nextdimension.cc>

commit 13a257f8d5a530bd2aa004a067ba1f2b8f5ef76d upstream.

Hauppauge 935C cannot communicate with the si2157
when using the mux adapter returned by the si2168,
so disable it to fix the device.

Signed-off-by: Brad Love <brad@nextdimension.cc>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/cx231xx/cx231xx-dvb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/cx231xx/cx231xx-dvb.c
+++ b/drivers/media/usb/cx231xx/cx231xx-dvb.c
@@ -1151,7 +1151,7 @@ static int dvb_init(struct cx231xx *dev)
 		info.platform_data = &si2157_config;
 		request_module("si2157");
 
-		client = i2c_new_device(adapter, &info);
+		client = i2c_new_device(tuner_i2c, &info);
 		if (client == NULL || client->dev.driver == NULL) {
 			module_put(dvb->i2c_client_demod[0]->dev.driver->owner);
 			i2c_unregister_device(dvb->i2c_client_demod[0]);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 176/220] media: v4l2-compat-ioctl32: prevent go past max size
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 175/220] media: cx231xx: Ignore an i2c mux adapter Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 177/220] media: cx231xx: Add support for AverMedia DVD EZMaker 7 Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab@s-opensource.com>

commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream.

As warned by smatch:
	drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'

The access_ok() logic should check for too big arrays too.

Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -871,7 +871,7 @@ static int put_v4l2_ext_controls32(struc
 	    get_user(kcontrols, &kp->controls))
 		return -EFAULT;
 
-	if (!count)
+	if (!count || count > (U32_MAX/sizeof(*ucontrols)))
 		return 0;
 	if (get_user(p, &up->controls))
 		return -EFAULT;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 177/220] media: cx231xx: Add support for AverMedia DVD EZMaker 7
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 176/220] media: v4l2-compat-ioctl32: prevent go past max size Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 178/220] media: rc: mce_kbd decoder: fix stuck keys Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Hans Verkuil,
	Mauro Carvalho Chehab

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 29e61d6ef061b012d320327af7dbb3990e75be45 upstream.

User reports AverMedia DVD EZMaker 7 can be driven by VIDEO_GRABBER.
Add the device to the id_table to make it work.

BugLink: https://bugs.launchpad.net/bugs/1620762

Cc: stable@vger.kernel.org
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/cx231xx/cx231xx-cards.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
@@ -1024,6 +1024,9 @@ struct usb_device_id cx231xx_id_table[]
 	 .driver_info = CX231XX_BOARD_CNXT_RDE_250},
 	{USB_DEVICE(0x0572, 0x58A0),
 	 .driver_info = CX231XX_BOARD_CNXT_RDU_250},
+	/* AverMedia DVD EZMaker 7 */
+	{USB_DEVICE(0x07ca, 0xc039),
+	 .driver_info = CX231XX_BOARD_CNXT_VIDEO_GRABBER},
 	{USB_DEVICE(0x2040, 0xb110),
 	 .driver_info = CX231XX_BOARD_HAUPPAUGE_USB2_FM_PAL},
 	{USB_DEVICE(0x2040, 0xb111),



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 178/220] media: rc: mce_kbd decoder: fix stuck keys
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 177/220] media: cx231xx: Add support for AverMedia DVD EZMaker 7 Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 179/220] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Young, Mauro Carvalho Chehab

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Young <sean@mess.org>

commit 63039c29f7a4ce8a8bd165173840543c0098d7b0 upstream.

The MCE Remote sends a 0 scancode when keys are released. If this is not
received or decoded, then keys can get "stuck"; the keyup event is not
sent since the input_sync() is missing from the timeout handler.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/rc/ir-mce_kbd-decoder.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/rc/ir-mce_kbd-decoder.c
+++ b/drivers/media/rc/ir-mce_kbd-decoder.c
@@ -130,6 +130,8 @@ static void mce_kbd_rx_timeout(struct ti
 
 	for (i = 0; i < MCIR2_MASK_KEYS_START; i++)
 		input_report_key(raw->mce_kbd.idev, kbd_keycodes[i], 0);
+
+	input_sync(raw->mce_kbd.idev);
 }
 
 static enum mce_kbd_mode mce_kbd_mode(struct mce_kbd_dec *data)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 179/220] media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 178/220] media: rc: mce_kbd decoder: fix stuck keys Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 180/220] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab@s-opensource.com>

commit 76d81243a487c09619822ef8e7201a756e58a87d upstream.

As warned by smatch:
	drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'.
	  Locked on:   line 288
	               line 295
	               line 306
	               line 314
	  Unlocked on: line 303

The lock implementation for get event is wrong, as, if an
interrupt occurs, down_interruptible() will fail, and the
routine will call up() twice when userspace calls the ioctl
again.

The bad code is there since when Linux migrated to git, in
2005.

Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/dvb-core/dvb_frontend.c |   23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -275,8 +275,20 @@ static void dvb_frontend_add_event(struc
 	wake_up_interruptible (&events->wait_queue);
 }
 
+static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv,
+				   struct dvb_fe_events *events)
+{
+	int ret;
+
+	up(&fepriv->sem);
+	ret = events->eventw != events->eventr;
+	down(&fepriv->sem);
+
+	return ret;
+}
+
 static int dvb_frontend_get_event(struct dvb_frontend *fe,
-			    struct dvb_frontend_event *event, int flags)
+			          struct dvb_frontend_event *event, int flags)
 {
 	struct dvb_frontend_private *fepriv = fe->frontend_priv;
 	struct dvb_fe_events *events = &fepriv->events;
@@ -294,13 +306,8 @@ static int dvb_frontend_get_event(struct
 		if (flags & O_NONBLOCK)
 			return -EWOULDBLOCK;
 
-		up(&fepriv->sem);
-
-		ret = wait_event_interruptible (events->wait_queue,
-						events->eventw != events->eventr);
-
-		if (down_interruptible (&fepriv->sem))
-			return -ERESTARTSYS;
+		ret = wait_event_interruptible(events->wait_queue,
+					       dvb_frontend_test_event(fepriv, events));
 
 		if (ret < 0)
 			return ret;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 180/220] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 179/220] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 181/220] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Scott Mayhew, J. Bruce Fields

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Scott Mayhew <smayhew@redhat.com>

commit 9c2ece6ef67e9d376f32823086169b489c422ed0 upstream.

nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when
estimating the size of the readdir reply, but nfsd_encode_readdir
restricts it to INT_MAX when encoding the reply.  This can result in log
messages like "kernel: RPC request reserved 32896 but used 1049444".

Restrict rd_dircount similarly (no reason it should be larger than
svc_max_payload).

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4xdr.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3651,7 +3651,8 @@ nfsd4_encode_readdir(struct nfsd4_compou
 		nfserr = nfserr_resource;
 		goto err_no_verf;
 	}
-	maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX);
+	maxcount = svc_max_payload(resp->rqstp);
+	maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
 	/*
 	 * Note the rfc defines rd_maxcount as the size of the
 	 * READDIR4resok structure, which includes the verifier above
@@ -3665,7 +3666,7 @@ nfsd4_encode_readdir(struct nfsd4_compou
 
 	/* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
 	if (!readdir->rd_dircount)
-		readdir->rd_dircount = INT_MAX;
+		readdir->rd_dircount = svc_max_payload(resp->rqstp);
 
 	readdir->xdr = xdr;
 	readdir->rd_maxcount = maxcount;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 181/220] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 180/220] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 182/220] NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound issues..") Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Wysochanski, Stephen Johnston,
	Trond Myklebust

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Wysochanski <dwysocha@redhat.com>

commit d68894800ec5712d7ddf042356f11e36f87d7f78 upstream.

In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
is a stack char array variable of length NFS_UINT_MAXLEN == 11.
If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
overflows into a negative value, for example:
crash> p (unsigned) (0x80000000)
$1 = 2147483648
crash> p (signed) (0x80000000)
$2 = -2147483648
The '-' sign is written to the buffer and this causes a 1 byte overflow
when the NULL byte is written, which corrupts kernel stack memory.  If
CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:

[11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
[11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G        W      ------------ T 3.10.0-514.el7.x86_64 #1
[11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
[11558053.644462]  ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
[11558053.646430]  ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
[11558053.648313]  ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
[11558053.650107] Call Trace:
[11558053.651347]  [<ffffffff81685eac>] dump_stack+0x19/0x1b
[11558053.653013]  [<ffffffff8167f2b3>] panic+0xe3/0x1f2
[11558053.666240]  [<ffffffff811dcb03>] ? kfree+0x103/0x140
[11558053.682589]  [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.689710]  [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
[11558053.691619]  [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.693867]  [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
[11558053.695763]  [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
[11558053.702236]  [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
[11558053.704215]  [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
[11558053.709674]  [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b

Fix this by calling the internally defined nfs_map_numeric_to_string()
function which properly uses '%u' to convert this __u32.  For consistency,
also replace the one other place where snprintf is called.

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Reported-by: Stephen Johnston <sjohnsto@redhat.com>
Fixes: cf4ab538f1516 ("NFSv4: Fix the string length returned by the idmapper")
Cc: stable@vger.kernel.org # v3.4+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4idmap.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/nfs/nfs4idmap.c
+++ b/fs/nfs/nfs4idmap.c
@@ -343,7 +343,7 @@ static ssize_t nfs_idmap_lookup_name(__u
 	int id_len;
 	ssize_t ret;
 
-	id_len = snprintf(id_str, sizeof(id_str), "%u", id);
+	id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str));
 	ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap);
 	if (ret < 0)
 		return -EINVAL;
@@ -627,7 +627,8 @@ static int nfs_idmap_read_and_verify_mes
 		if (strcmp(upcall->im_name, im->im_name) != 0)
 			break;
 		/* Note: here we store the NUL terminator too */
-		len = sprintf(id_str, "%d", im->im_id) + 1;
+		len = 1 + nfs_map_numeric_to_string(im->im_id, id_str,
+						    sizeof(id_str));
 		ret = nfs_idmap_instantiate(key, authkey, id_str, len);
 		break;
 	case IDMAP_CONV_IDTONAME:



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 182/220] NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound issues..")
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 181/220] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 183/220] NFSv4: Fix a typo in nfs41_sequence_process Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit fc40724fc6731d90cc7fb6d62d66135f85a33dd2 upstream.

The correct behaviour for NFSv4 sequence IDs is to wrap around
to the value 0 after 0xffffffff.
See https://tools.ietf.org/html/rfc5661#section-2.10.6.1

Fixes: 5f83d86cf531d ("NFSv4.x: Fix wraparound issues when validing...")
Cc: stable@vger.kernel.org # 4.6+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/callback_proc.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/fs/nfs/callback_proc.c
+++ b/fs/nfs/callback_proc.c
@@ -420,11 +420,8 @@ validate_seqid(const struct nfs4_slot_ta
 		return htonl(NFS4ERR_SEQ_FALSE_RETRY);
 	}
 
-	/* Wraparound */
-	if (unlikely(slot->seq_nr == 0xFFFFFFFFU)) {
-		if (args->csa_sequenceid == 1)
-			return htonl(NFS4_OK);
-	} else if (likely(args->csa_sequenceid == slot->seq_nr + 1))
+	/* Note: wraparound relies on seq_nr being of type u32 */
+	if (likely(args->csa_sequenceid == slot->seq_nr + 1))
 		return htonl(NFS4_OK);
 
 	/* Misordered request */



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 183/220] NFSv4: Fix a typo in nfs41_sequence_process
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 182/220] NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound issues..") Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 184/220] video: uvesafb: Fix integer overflow in allocation Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 995891006ccbb73c0c9c3923cf9d25c4d07ec16b upstream.

We want to compare the slot_id to the highest slot number advertised by the
server.

Fixes: 3be0f80b5fe9c ("NFSv4.1: Fix up replays of interrupted requests")
Cc: stable@vger.kernel.org # 4.15+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4proc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -751,7 +751,7 @@ static int nfs41_sequence_process(struct
 		 * The slot id we used was probably retired. Try again
 		 * using a different slot id.
 		 */
-		if (slot->seq_nr < slot->table->target_highest_slotid)
+		if (slot->slot_nr < slot->table->target_highest_slotid)
 			goto session_recover;
 		goto retry_nowait;
 	case -NFS4ERR_SEQ_MISORDERED:



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 184/220] video: uvesafb: Fix integer overflow in allocation
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 183/220] NFSv4: Fix a typo in nfs41_sequence_process Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 185/220] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dr Silvio Cesare of InfoSect, Kees Cook

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 9f645bcc566a1e9f921bdae7528a01ced5bc3713 upstream.

cmap->len can get close to INT_MAX/2, allowing for an integer overflow in
allocation. This uses kmalloc_array() instead to catch the condition.

Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
Fixes: 8bdb3a2d7df48 ("uvesafb: the driver core")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/uvesafb.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/uvesafb.c
+++ b/drivers/video/fbdev/uvesafb.c
@@ -1044,7 +1044,8 @@ static int uvesafb_setcmap(struct fb_cma
 		    info->cmap.len || cmap->start < info->cmap.start)
 			return -EINVAL;
 
-		entries = kmalloc(sizeof(*entries) * cmap->len, GFP_KERNEL);
+		entries = kmalloc_array(cmap->len, sizeof(*entries),
+					GFP_KERNEL);
 		if (!entries)
 			return -ENOMEM;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 185/220] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 184/220] video: uvesafb: Fix integer overflow in allocation Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 186/220] Input: silead - add MSSL0002 ACPI HID Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Rafael J . Wysocki,
	Thierry Reding

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit fdcb613d49321b5bf5d5a1bd0fba8e7c241dcc70 upstream.

The LPSS PWM device on on Bay Trail and Cherry Trail devices has a set
of private registers at offset 0x800, the current lpss_device_desc for
them already sets the LPSS_SAVE_CTX flag to have these saved/restored
over device-suspend, but the current lpss_device_desc was not setting
the prv_offset field, leading to the regular device registers getting
saved/restored instead.

This is causing the PWM controller to no longer work, resulting in a black
screen,  after a suspend/resume on systems where the firmware clears the
APB clock and reset bits at offset 0x804.

This commit fixes this by properly setting prv_offset to 0x800 for
the PWM devices.

Cc: stable@vger.kernel.org
Fixes: e1c748179754 ("ACPI / LPSS: Add Intel BayTrail ACPI mode PWM")
Fixes: 1bfbd8eb8a7f ("ACPI / LPSS: Add ACPI IDs for Intel Braswell")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Rafael J . Wysocki <rjw@rjwysocki.net>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/acpi_lpss.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -230,11 +230,13 @@ static const struct lpss_device_desc lpt
 
 static const struct lpss_device_desc byt_pwm_dev_desc = {
 	.flags = LPSS_SAVE_CTX,
+	.prv_offset = 0x800,
 	.setup = byt_pwm_setup,
 };
 
 static const struct lpss_device_desc bsw_pwm_dev_desc = {
 	.flags = LPSS_SAVE_CTX | LPSS_NO_D3_DELAY,
+	.prv_offset = 0x800,
 	.setup = bsw_pwm_setup,
 };
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 186/220] Input: silead - add MSSL0002 ACPI HID
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 185/220] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 187/220] Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Dmitry Torokhov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit fc573af632b44f355f8fa15ab505f5593368078d upstream.

The Silead touchscreen on the Chuwi Vi8 tablet uses MSSL0002 as ACPI HID,
rather then the usual MSSL1680 id.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/touchscreen/silead.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/touchscreen/silead.c
+++ b/drivers/input/touchscreen/silead.c
@@ -603,6 +603,7 @@ static const struct acpi_device_id silea
 	{ "GSL3692", 0 },
 	{ "MSSL1680", 0 },
 	{ "MSSL0001", 0 },
+	{ "MSSL0002", 0 },
 	{ }
 };
 MODULE_DEVICE_TABLE(acpi, silead_ts_acpi_match);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 187/220] Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 186/220] Input: silead - add MSSL0002 ACPI HID Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 188/220] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexandr Savca, Dmitry Torokhov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandr Savca <alexandr.savca@saltedge.com>

commit 8938fc7b8fe9ccfa11751ead502a8d385b607967 upstream.

Add ELAN0618 to the list of supported touchpads; this ID is used in
Lenovo v330 15IKB devices.

Signed-off-by: Alexandr Savca <alexandr.savca@saltedge.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/elan_i2c_core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -1263,6 +1263,7 @@ static const struct acpi_device_id elan_
 	{ "ELAN060C", 0 },
 	{ "ELAN0611", 0 },
 	{ "ELAN0612", 0 },
+	{ "ELAN0618", 0 },
 	{ "ELAN1000", 0 },
 	{ }
 };



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 188/220] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 187/220] Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 189/220] rbd: flush rbd_dev->watch_dwork after watch is unregistered Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Andy Shevchenko,
	Thierry Reding

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 1d375b58c12f08d8570b30b865def4734517f04f upstream.

On some devices the contents of the ctrl register get lost over a
suspend/resume and the PWM comes back up disabled after the resume.

This is seen on some Bay Trail devices with the PWM in ACPI enumerated
mode, so it shows up as a platform device instead of a PCI device.

If we still think it is enabled and then try to change the duty-cycle
after this, we end up with a "PWM_SW_UPDATE was not cleared" error and
the PWM is stuck in that state from then on.

This commit adds suspend and resume pm callbacks to the pwm-lpss-platform
code, which save/restore the ctrl register over a suspend/resume, fixing
this.

Note that:

1) There is no need to do this over a runtime suspend, since we
only runtime suspend when disabled and then we properly set the enable
bit and reprogram the timings when we re-enable the PWM.

2) This may be happening on more systems then we realize, but has been
covered up sofar by a bug in the acpi-lpss.c code which was save/restoring
the regular device registers instead of the lpss private registers due to
lpss_device_desc.prv_offset not being set. This is fixed by a later patch
in this series.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pwm/pwm-lpss-platform.c |    5 +++++
 drivers/pwm/pwm-lpss.c          |   30 ++++++++++++++++++++++++++++++
 drivers/pwm/pwm-lpss.h          |    2 ++
 3 files changed, 37 insertions(+)

--- a/drivers/pwm/pwm-lpss-platform.c
+++ b/drivers/pwm/pwm-lpss-platform.c
@@ -74,6 +74,10 @@ static int pwm_lpss_remove_platform(stru
 	return pwm_lpss_remove(lpwm);
 }
 
+static SIMPLE_DEV_PM_OPS(pwm_lpss_platform_pm_ops,
+			 pwm_lpss_suspend,
+			 pwm_lpss_resume);
+
 static const struct acpi_device_id pwm_lpss_acpi_match[] = {
 	{ "80860F09", (unsigned long)&pwm_lpss_byt_info },
 	{ "80862288", (unsigned long)&pwm_lpss_bsw_info },
@@ -86,6 +90,7 @@ static struct platform_driver pwm_lpss_d
 	.driver = {
 		.name = "pwm-lpss",
 		.acpi_match_table = pwm_lpss_acpi_match,
+		.pm = &pwm_lpss_platform_pm_ops,
 	},
 	.probe = pwm_lpss_probe_platform,
 	.remove = pwm_lpss_remove_platform,
--- a/drivers/pwm/pwm-lpss.c
+++ b/drivers/pwm/pwm-lpss.c
@@ -32,10 +32,13 @@
 /* Size of each PWM register space if multiple */
 #define PWM_SIZE			0x400
 
+#define MAX_PWMS			4
+
 struct pwm_lpss_chip {
 	struct pwm_chip chip;
 	void __iomem *regs;
 	const struct pwm_lpss_boardinfo *info;
+	u32 saved_ctrl[MAX_PWMS];
 };
 
 static inline struct pwm_lpss_chip *to_lpwm(struct pwm_chip *chip)
@@ -177,6 +180,9 @@ struct pwm_lpss_chip *pwm_lpss_probe(str
 	unsigned long c;
 	int ret;
 
+	if (WARN_ON(info->npwm > MAX_PWMS))
+		return ERR_PTR(-ENODEV);
+
 	lpwm = devm_kzalloc(dev, sizeof(*lpwm), GFP_KERNEL);
 	if (!lpwm)
 		return ERR_PTR(-ENOMEM);
@@ -212,6 +218,30 @@ int pwm_lpss_remove(struct pwm_lpss_chip
 }
 EXPORT_SYMBOL_GPL(pwm_lpss_remove);
 
+int pwm_lpss_suspend(struct device *dev)
+{
+	struct pwm_lpss_chip *lpwm = dev_get_drvdata(dev);
+	int i;
+
+	for (i = 0; i < lpwm->info->npwm; i++)
+		lpwm->saved_ctrl[i] = readl(lpwm->regs + i * PWM_SIZE + PWM);
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(pwm_lpss_suspend);
+
+int pwm_lpss_resume(struct device *dev)
+{
+	struct pwm_lpss_chip *lpwm = dev_get_drvdata(dev);
+	int i;
+
+	for (i = 0; i < lpwm->info->npwm; i++)
+		writel(lpwm->saved_ctrl[i], lpwm->regs + i * PWM_SIZE + PWM);
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(pwm_lpss_resume);
+
 MODULE_DESCRIPTION("PWM driver for Intel LPSS");
 MODULE_AUTHOR("Mika Westerberg <mika.westerberg@linux.intel.com>");
 MODULE_LICENSE("GPL v2");
--- a/drivers/pwm/pwm-lpss.h
+++ b/drivers/pwm/pwm-lpss.h
@@ -28,5 +28,7 @@ struct pwm_lpss_boardinfo {
 struct pwm_lpss_chip *pwm_lpss_probe(struct device *dev, struct resource *r,
 				     const struct pwm_lpss_boardinfo *info);
 int pwm_lpss_remove(struct pwm_lpss_chip *lpwm);
+int pwm_lpss_suspend(struct device *dev);
+int pwm_lpss_resume(struct device *dev);
 
 #endif	/* __PWM_LPSS_H */



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 189/220] rbd: flush rbd_dev->watch_dwork after watch is unregistered
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 188/220] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 190/220] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dongsheng Yang, Ilya Dryomov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dongsheng Yang <dongsheng.yang@easystack.cn>

commit 23edca864951250af845a11da86bb3ea63522ed2 upstream.

There is a problem if we are going to unmap a rbd device and the
watch_dwork is going to queue delayed work for watch:

unmap Thread                    watch Thread                  timer
do_rbd_remove
  cancel_tasks_sync(rbd_dev)
                                queue_delayed_work for watch
  destroy_workqueue(rbd_dev->task_wq)
    drain_workqueue(wq)
    destroy other resources in wq
                                                              call_timer_fn
                                                                __queue_work()

Then the delayed work escape the cancel_tasks_sync() and
destroy_workqueue() and we will get an user-after-free call trace:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP PTI
  Modules linked in:
  CPU: 7 PID: 0 Comm: swapper/7 Tainted: G           OE     4.17.0-rc6+ #13
  Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
  RIP: 0010:__queue_work+0x6a/0x3b0
  RSP: 0018:ffff9427df1c3e90 EFLAGS: 00010086
  RAX: ffff9427deca8400 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: ffff9427deca8400 RSI: ffff9427df1c3e50 RDI: 0000000000000000
  RBP: ffff942783e39e00 R08: ffff9427deca8400 R09: ffff9427df1c3f00
  R10: 0000000000000004 R11: 0000000000000005 R12: ffff9427cfb85970
  R13: 0000000000002000 R14: 000000000001eca0 R15: 0000000000000007
  FS:  0000000000000000(0000) GS:ffff9427df1c0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 00000004c900a005 CR4: 00000000000206e0
  Call Trace:
   <IRQ>
   ? __queue_work+0x3b0/0x3b0
   call_timer_fn+0x2d/0x130
   run_timer_softirq+0x16e/0x430
   ? tick_sched_timer+0x37/0x70
   __do_softirq+0xd2/0x280
   irq_exit+0xd5/0xe0
   smp_apic_timer_interrupt+0x6c/0x130
   apic_timer_interrupt+0xf/0x20

[ Move rbd_dev->watch_dwork cancellation so that rbd_reregister_watch()
  either bails out early because the watch is UNREGISTERED at that point
  or just gets cancelled. ]

Cc: stable@vger.kernel.org
Fixes: 99d1694310df ("rbd: retry watch re-registration periodically")
Signed-off-by: Dongsheng Yang <dongsheng.yang@easystack.cn>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/rbd.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -3397,7 +3397,6 @@ static void cancel_tasks_sync(struct rbd
 {
 	dout("%s rbd_dev %p\n", __func__, rbd_dev);
 
-	cancel_delayed_work_sync(&rbd_dev->watch_dwork);
 	cancel_work_sync(&rbd_dev->acquired_lock_work);
 	cancel_work_sync(&rbd_dev->released_lock_work);
 	cancel_delayed_work_sync(&rbd_dev->lock_dwork);
@@ -3415,6 +3414,7 @@ static void rbd_unregister_watch(struct
 	rbd_dev->watch_state = RBD_WATCH_STATE_UNREGISTERED;
 	mutex_unlock(&rbd_dev->watch_mutex);
 
+	cancel_delayed_work_sync(&rbd_dev->watch_dwork);
 	ceph_osdc_flush_notifies(&rbd_dev->rbd_client->client->osdc);
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 190/220] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 189/220] rbd: flush rbd_dev->watch_dwork after watch is unregistered Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 191/220] mm: fix devmem_is_allowed() for sub-page System RAM intersections Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia He, Andrea Arcangeli, Jia He,
	Suzuki K Poulose, Minchan Kim, Claudio Imbrenda, Arvind Yadav,
	Mike Rapoport, Andrew Morton, Linus Torvalds

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jia He <jia.he@hxt-semitech.com>

commit 1105a2fc022f3c7482e32faf516e8bc44095f778 upstream.

In our armv8a server(QDF2400), I noticed lots of WARN_ON caused by
PAGE_SIZE unaligned for rmap_item->address under memory pressure
tests(start 20 guests and run memhog in the host).

  WARNING: CPU: 4 PID: 4641 at virt/kvm/arm/mmu.c:1826 kvm_age_hva_handler+0xc0/0xc8
  CPU: 4 PID: 4641 Comm: memhog Tainted: G        W 4.17.0-rc3+ #8
  Call trace:
   kvm_age_hva_handler+0xc0/0xc8
   handle_hva_to_gpa+0xa8/0xe0
   kvm_age_hva+0x4c/0xe8
   kvm_mmu_notifier_clear_flush_young+0x54/0x98
   __mmu_notifier_clear_flush_young+0x6c/0xa0
   page_referenced_one+0x154/0x1d8
   rmap_walk_ksm+0x12c/0x1d0
   rmap_walk+0x94/0xa0
   page_referenced+0x194/0x1b0
   shrink_page_list+0x674/0xc28
   shrink_inactive_list+0x26c/0x5b8
   shrink_node_memcg+0x35c/0x620
   shrink_node+0x100/0x430
   do_try_to_free_pages+0xe0/0x3a8
   try_to_free_pages+0xe4/0x230
   __alloc_pages_nodemask+0x564/0xdc0
   alloc_pages_vma+0x90/0x228
   do_anonymous_page+0xc8/0x4d0
   __handle_mm_fault+0x4a0/0x508
   handle_mm_fault+0xf8/0x1b0
   do_page_fault+0x218/0x4b8
   do_translation_fault+0x90/0xa0
   do_mem_abort+0x68/0xf0
   el0_da+0x24/0x28

In rmap_walk_ksm, the rmap_item->address might still have the
STABLE_FLAG, then the start and end in handle_hva_to_gpa might not be
PAGE_SIZE aligned.  Thus it will cause exceptions in handle_hva_to_gpa
on arm64.

This patch fixes it by ignoring (not removing) the low bits of address
when doing rmap_walk_ksm.

IMO, it should be backported to stable tree.  the storm of WARN_ONs is
very easy for me to reproduce.  More than that, I watched a panic (not
reproducible) as follows:

  page:ffff7fe003742d80 count:-4871 mapcount:-2126053375 mapping: (null) index:0x0
  flags: 0x1fffc00000000000()
  raw: 1fffc00000000000 0000000000000000 0000000000000000 ffffecf981470000
  raw: dead000000000100 dead000000000200 ffff8017c001c000 0000000000000000
  page dumped because: nonzero _refcount
  CPU: 29 PID: 18323 Comm: qemu-kvm Tainted: G W 4.14.15-5.hxt.aarch64 #1
  Hardware name: <snip for confidential issues>
  Call trace:
    dump_backtrace+0x0/0x22c
    show_stack+0x24/0x2c
    dump_stack+0x8c/0xb0
    bad_page+0xf4/0x154
    free_pages_check_bad+0x90/0x9c
    free_pcppages_bulk+0x464/0x518
    free_hot_cold_page+0x22c/0x300
    __put_page+0x54/0x60
    unmap_stage2_range+0x170/0x2b4
    kvm_unmap_hva_handler+0x30/0x40
    handle_hva_to_gpa+0xb0/0xec
    kvm_unmap_hva_range+0x5c/0xd0

I even injected a fault on purpose in kvm_unmap_hva_range by seting
size=size-0x200, the call trace is similar as above.  So I thought the
panic is similarly caused by the root cause of WARN_ON.

Andrea said:

: It looks a straightforward safe fix, on x86 hva_to_gfn_memslot would
: zap those bits and hide the misalignment caused by the low metadata
: bits being erroneously left set in the address, but the arm code
: notices when that's the last page in the memslot and the hva_end is
: getting aligned and the size is below one page.
:
: I think the problem triggers in the addr += PAGE_SIZE of
: unmap_stage2_ptes that never matches end because end is aligned but
: addr is not.
:
: 	} while (pte++, addr += PAGE_SIZE, addr != end);
:
: x86 again only works on hva_start/hva_end after converting it to
: gfn_start/end and that being in pfn units the bits are zapped before
: they risk to cause trouble.

Jia He said:

: I've tested by myself in arm64 server (QDF2400,46 cpus,96G mem) Without
: this patch, the WARN_ON is very easy for reproducing.  After this patch, I
: have run the same benchmarch for a whole day without any WARN_ONs

Link: http://lkml.kernel.org/r/1525403506-6750-1-git-send-email-hejianet@gmail.com
Signed-off-by: Jia He <jia.he@hxt-semitech.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Tested-by: Jia He <hejianet@gmail.com>
Cc: Suzuki K Poulose <Suzuki.Poulose@arm.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/ksm.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -199,6 +199,8 @@ struct rmap_item {
 #define SEQNR_MASK	0x0ff	/* low bits of unstable tree seqnr */
 #define UNSTABLE_FLAG	0x100	/* is a node of the unstable tree */
 #define STABLE_FLAG	0x200	/* is listed from the stable tree */
+#define KSM_FLAG_MASK	(SEQNR_MASK|UNSTABLE_FLAG|STABLE_FLAG)
+				/* to mask all the flags */
 
 /* The stable and unstable tree heads */
 static struct rb_root one_stable_tree[1] = { RB_ROOT };
@@ -2570,10 +2572,15 @@ again:
 		anon_vma_lock_read(anon_vma);
 		anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root,
 					       0, ULONG_MAX) {
+			unsigned long addr;
+
 			cond_resched();
 			vma = vmac->vma;
-			if (rmap_item->address < vma->vm_start ||
-			    rmap_item->address >= vma->vm_end)
+
+			/* Ignore the stable/unstable/sqnr flags */
+			addr = rmap_item->address & ~KSM_FLAG_MASK;
+
+			if (addr < vma->vm_start || addr >= vma->vm_end)
 				continue;
 			/*
 			 * Initially we examine only the vma which covers this
@@ -2587,8 +2594,7 @@ again:
 			if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
 				continue;
 
-			if (!rwc->rmap_one(page, vma,
-					rmap_item->address, rwc->arg)) {
+			if (!rwc->rmap_one(page, vma, addr, rwc->arg)) {
 				anon_vma_unlock_read(anon_vma);
 				return;
 			}



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 191/220] mm: fix devmem_is_allowed() for sub-page System RAM intersections
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 190/220] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 192/220] tracing: Check for no filter when processing event filters Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Williams, Hussam Al-Tayeb,
	Christoph Hellwig, Andrew Morton, Linus Torvalds

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>

commit 2bdce74412c249ac01dfe36b6b0043ffd7a5361e upstream.

Hussam reports:

    I was poking around and for no real reason, I did cat /dev/mem and
    strings /dev/mem.  Then I saw the following warning in dmesg. I saved it
    and rebooted immediately.

     memremap attempted on mixed range 0x000000000009c000 size: 0x1000
     ------------[ cut here ]------------
     WARNING: CPU: 0 PID: 11810 at kernel/memremap.c:98 memremap+0x104/0x170
     [..]
     Call Trace:
      xlate_dev_mem_ptr+0x25/0x40
      read_mem+0x89/0x1a0
      __vfs_read+0x36/0x170

The memremap() implementation checks for attempts to remap System RAM
with MEMREMAP_WB and instead redirects those mapping attempts to the
linear map.  However, that only works if the physical address range
being remapped is page aligned.  In low memory we have situations like
the following:

    00000000-00000fff : Reserved
    00001000-0009fbff : System RAM
    0009fc00-0009ffff : Reserved

...where System RAM intersects Reserved ranges on a sub-page page
granularity.

Given that devmem_is_allowed() special cases any attempt to map System
RAM in the first 1MB of memory, replace page_is_ram() with the more
precise region_intersects() to trap attempts to map disallowed ranges.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199999
Link: http://lkml.kernel.org/r/152856436164.18127.2847888121707136898.stgit@dwillia2-desk3.amr.corp.intel.com
Fixes: 92281dee825f ("arch: introduce memremap()")
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reported-by: Hussam Al-Tayeb <me@hussam.eu.org>
Tested-by: Hussam Al-Tayeb <me@hussam.eu.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/init.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -706,7 +706,9 @@ void __init init_mem_mapping(void)
  */
 int devmem_is_allowed(unsigned long pagenr)
 {
-	if (page_is_ram(pagenr)) {
+	if (region_intersects(PFN_PHYS(pagenr), PAGE_SIZE,
+				IORESOURCE_SYSTEM_RAM, IORES_DESC_NONE)
+			!= REGION_DISJOINT) {
 		/*
 		 * For disallowed memory regions in the low 1MB range,
 		 * request that the page be shown as all zeros.



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 192/220] tracing: Check for no filter when processing event filters
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 191/220] mm: fix devmem_is_allowed() for sub-page System RAM intersections Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 193/220] xen: Remove unnecessary BUG_ON from __unbind_from_irq() Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, air icy, Steven Rostedt (VMware)

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 70303420b5721c38998cf987e6b7d30cc62d4ff1 upstream.

The syzkaller detected a out-of-bounds issue with the events filter code,
specifically here:

	prog[N].pred = NULL;					/* #13 */
	prog[N].target = 1;		/* TRUE */
	prog[N+1].pred = NULL;
	prog[N+1].target = 0;		/* FALSE */
->	prog[N-1].target = N;
	prog[N-1].when_to_branch = false;

As that's the first reference to a "N-1" index, it appears that the code got
here with N = 0, which means the filter parser found no filter to parse
(which shouldn't ever happen, but apparently it did).

Add a new error to the parsing code that will check to make sure that N is
not zero before going into this part of the code. If N = 0, then -EINVAL is
returned, and a error message is added to the filter.

Cc: stable@vger.kernel.org
Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
Reported-by: air icy <icytxw@gmail.com>
bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_events_filter.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
 	C(TOO_MANY_PREDS,	"Too many terms in predicate expression"), \
 	C(INVALID_FILTER,	"Meaningless filter expression"),	\
 	C(IP_FIELD_ONLY,	"Only 'ip' field is supported for function trace"), \
-	C(INVALID_VALUE,	"Invalid value (did you forget quotes)?"),
+	C(INVALID_VALUE,	"Invalid value (did you forget quotes)?"), \
+	C(NO_FILTER,		"No filter found"),
 
 #undef C
 #define C(a, b)		FILT_ERR_##a
@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_
 		goto out_free;
 	}
 
+	if (!N) {
+		/* No program? */
+		ret = -EINVAL;
+		parse_error(pe, FILT_ERR_NO_FILTER, ptr - str);
+		goto out_free;
+	}
+
 	prog[N].pred = NULL;					/* #13 */
 	prog[N].target = 1;		/* TRUE */
 	prog[N+1].pred = NULL;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 193/220] xen: Remove unnecessary BUG_ON from __unbind_from_irq()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 192/220] tracing: Check for no filter when processing event filters Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 194/220] net: ethernet: fix suspend/resume in davinci_emac Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Boris Ostrovsky,
	Juergen Gross

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Ostrovsky <boris.ostrovsky@oracle.com>

commit eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff upstream.

Commit 910f8befdf5b ("xen/pirq: fix error path cleanup when binding
MSIs") fixed a couple of errors in error cleanup path of
xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to
__unbind_from_irq() with an unbound irq, which would result in
triggering the BUG_ON there.

Since there is really no reason for the BUG_ON (xen_free_irq() can
operate on unbound irqs) we can remove it.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: stable@vger.kernel.org
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/events/events_base.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -628,8 +628,6 @@ static void __unbind_from_irq(unsigned i
 		xen_irq_info_cleanup(info);
 	}
 
-	BUG_ON(info_for_irq(irq)->type == IRQT_UNBOUND);
-
 	xen_free_irq(irq);
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 194/220] net: ethernet: fix suspend/resume in davinci_emac
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 193/220] xen: Remove unnecessary BUG_ON from __unbind_from_irq() Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 195/220] udf: Detect incorrect directory size Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bartosz Golaszewski, Lukas Wunner,
	David S. Miller

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bgolaszewski@baylibre.com>

commit dc45519eb181b5687ac8382361a8aa085acd1fe1 upstream.

This patch reverts commit 3243ff2a05ec ("net: ethernet: davinci_emac:
Deduplicate bus_find_device() by name matching") and adds a comment
which should stop anyone from reintroducing the same "fix" in the future.

We can't use bus_find_device_by_name() here because the device name is
not guaranteed to be 'davinci_mdio'. On some systems it can be
'davinci_mdio.0' so we need to use strncmp() against the first part of
the string to correctly match it.

Fixes: 3243ff2a05ec ("net: ethernet: davinci_emac: Deduplicate bus_find_device() by name matching")
Cc: stable@vger.kernel.org
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Acked-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/ti/davinci_emac.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/ti/davinci_emac.c
+++ b/drivers/net/ethernet/ti/davinci_emac.c
@@ -1385,6 +1385,11 @@ static int emac_devioctl(struct net_devi
 		return -EOPNOTSUPP;
 }
 
+static int match_first_device(struct device *dev, void *data)
+{
+	return !strncmp(dev_name(dev), "davinci_mdio", 12);
+}
+
 /**
  * emac_dev_open - EMAC device open
  * @ndev: The DaVinci EMAC network adapter
@@ -1484,8 +1489,14 @@ static int emac_dev_open(struct net_devi
 
 	/* use the first phy on the bus if pdata did not give us a phy id */
 	if (!phydev && !priv->phy_id) {
-		phy = bus_find_device_by_name(&mdio_bus_type, NULL,
-					      "davinci_mdio");
+		/* NOTE: we can't use bus_find_device_by_name() here because
+		 * the device name is not guaranteed to be 'davinci_mdio'. On
+		 * some systems it can be 'davinci_mdio.0' so we need to use
+		 * strncmp() against the first part of the string to correctly
+		 * match it.
+		 */
+		phy = bus_find_device(&mdio_bus_type, NULL, NULL,
+				      match_first_device);
 		if (phy) {
 			priv->phy_id = dev_name(phy);
 			if (!priv->phy_id || !*priv->phy_id)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 195/220] udf: Detect incorrect directory size
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 194/220] net: ethernet: fix suspend/resume in davinci_emac Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 196/220] Input: xpad - fix GPD Win 2 controller name Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anatoly Trosinenko, Jan Kara

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit fa65653e575fbd958bdf5fb9c4a71a324e39510d upstream.

Detect when a directory entry is (possibly partially) beyond directory
size and return EIO in that case since it means the filesystem is
corrupted. Otherwise directory operations can further corrupt the
directory and possibly also oops the kernel.

CC: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
CC: stable@vger.kernel.org
Reported-and-tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/udf/directory.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/udf/directory.c
+++ b/fs/udf/directory.c
@@ -152,6 +152,9 @@ struct fileIdentDesc *udf_fileident_read
 			       sizeof(struct fileIdentDesc));
 		}
 	}
+	/* Got last entry outside of dir size - fs is corrupted! */
+	if (*nf_pos > dir->i_size)
+		return NULL;
 	return fi;
 }
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 196/220] Input: xpad - fix GPD Win 2 controller name
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 195/220] udf: Detect incorrect directory size Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 197/220] Input: psmouse - fix button reporting for basic protocols Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Enno Boland, Dmitry Torokhov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Enno Boland <gottox@voidlinux.eu>

commit dd6bee81c942c0ea01030da9356026afb88f9d18 upstream.

This fixes using the controller with SDL2.

SDL2 has a naive algorithm to apply the correct settings to a controller.
For X-Box compatible controllers it expects that the controller name
contains a variation of a 'XBOX'-string.

This patch changes the identifier to contain "X-Box" as substring.  Tested
with Steam and C-Dogs-SDL which both detect the controller properly after
adding this patch.

Fixes: c1ba08390a8b ("Input: xpad - add GPD Win 2 Controller USB IDs")
Cc: stable@vger.kernel.org
Signed-off-by: Enno Boland <gottox@voidlinux.eu>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/joystick/xpad.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -123,7 +123,7 @@ static const struct xpad_device {
 	u8 mapping;
 	u8 xtype;
 } xpad_device[] = {
-	{ 0x0079, 0x18d4, "GPD Win 2 Controller", 0, XTYPE_XBOX360 },
+	{ 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 },
 	{ 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX },
 	{ 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX },
 	{ 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX },



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 197/220] Input: psmouse - fix button reporting for basic protocols
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 196/220] Input: xpad - fix GPD Win 2 controller name Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 198/220] Input: elan_i2c_smbus - fix more potential stack buffer overflows Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Dmitry Torokhov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 03ae3a9caf4a59edd32b65c89c375a98ce3ea1ef upstream.

The commit ba667650c568 ("Input: psmouse - clean up code") was pretty
brain-dead and broke extra buttons reporting for variety of PS/2 mice:
Genius, Thinkmouse and Intellimouse Explorer. We need to actually inspect
the data coming from the device when reporting events.

Fixes: ba667650c568 ("Input: psmouse - clean up code")
Reported-by: Jiri Slaby <jslaby@suse.cz>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/psmouse-base.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/input/mouse/psmouse-base.c
+++ b/drivers/input/mouse/psmouse-base.c
@@ -192,8 +192,8 @@ psmouse_ret_t psmouse_process_byte(struc
 			else
 				input_report_rel(dev, REL_WHEEL, -wheel);
 
-			input_report_key(dev, BTN_SIDE,  BIT(4));
-			input_report_key(dev, BTN_EXTRA, BIT(5));
+			input_report_key(dev, BTN_SIDE,  packet[3] & BIT(4));
+			input_report_key(dev, BTN_EXTRA, packet[3] & BIT(5));
 			break;
 		}
 		break;
@@ -203,13 +203,13 @@ psmouse_ret_t psmouse_process_byte(struc
 		input_report_rel(dev, REL_WHEEL, -(s8) packet[3]);
 
 		/* Extra buttons on Genius NewNet 3D */
-		input_report_key(dev, BTN_SIDE,  BIT(6));
-		input_report_key(dev, BTN_EXTRA, BIT(7));
+		input_report_key(dev, BTN_SIDE,  packet[0] & BIT(6));
+		input_report_key(dev, BTN_EXTRA, packet[0] & BIT(7));
 		break;
 
 	case PSMOUSE_THINKPS:
 		/* Extra button on ThinkingMouse */
-		input_report_key(dev, BTN_EXTRA, BIT(3));
+		input_report_key(dev, BTN_EXTRA, packet[0] & BIT(3));
 
 		/*
 		 * Without this bit of weirdness moving up gives wildly
@@ -223,7 +223,7 @@ psmouse_ret_t psmouse_process_byte(struc
 		 * Cortron PS2 Trackball reports SIDE button in the
 		 * 4th bit of the first byte.
 		 */
-		input_report_key(dev, BTN_SIDE, BIT(3));
+		input_report_key(dev, BTN_SIDE, packet[0] & BIT(3));
 		packet[0] |= BIT(3);
 		break;
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 198/220] Input: elan_i2c_smbus - fix more potential stack buffer overflows
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 197/220] Input: psmouse - fix button reporting for basic protocols Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 199/220] Input: elantech - enable middle button of touchpads on ThinkPad P52 Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Benjamin Tissoires,
	Dmitry Torokhov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

commit 50fc7b61959af4b95fafce7fe5dd565199e0b61a upstream.

Commit 40f7090bb1b4 ("Input: elan_i2c_smbus - fix corrupted stack")
fixed most of the functions using i2c_smbus_read_block_data() to
allocate a buffer with the maximum block size.  However three
functions were left unchanged:

* In elan_smbus_initialize(), increase the buffer size in the same
  way.
* In elan_smbus_calibrate_result(), the buffer is provided by the
  caller (calibrate_store()), so introduce a bounce buffer.  Also
  name the result buffer size.
* In elan_smbus_get_report(), the buffer is provided by the caller
  but happens to be the right length.  Add a compile-time assertion
  to ensure this remains the case.

Cc: <stable@vger.kernel.org> # 3.19+
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/elan_i2c.h       |    2 ++
 drivers/input/mouse/elan_i2c_core.c  |    2 +-
 drivers/input/mouse/elan_i2c_smbus.c |   10 ++++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/input/mouse/elan_i2c.h
+++ b/drivers/input/mouse/elan_i2c.h
@@ -27,6 +27,8 @@
 #define ETP_DISABLE_POWER	0x0001
 #define ETP_PRESSURE_OFFSET	25
 
+#define ETP_CALIBRATE_MAX_LEN	3
+
 /* IAP Firmware handling */
 #define ETP_PRODUCT_ID_FORMAT_STRING	"%d.0"
 #define ETP_FW_NAME		"elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin"
--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -610,7 +610,7 @@ static ssize_t calibrate_store(struct de
 	int tries = 20;
 	int retval;
 	int error;
-	u8 val[3];
+	u8 val[ETP_CALIBRATE_MAX_LEN];
 
 	retval = mutex_lock_interruptible(&data->sysfs_mutex);
 	if (retval)
--- a/drivers/input/mouse/elan_i2c_smbus.c
+++ b/drivers/input/mouse/elan_i2c_smbus.c
@@ -56,7 +56,7 @@
 static int elan_smbus_initialize(struct i2c_client *client)
 {
 	u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 };
-	u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 };
+	u8 values[I2C_SMBUS_BLOCK_MAX] = {0};
 	int len, error;
 
 	/* Get hello packet */
@@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i
 static int elan_smbus_calibrate_result(struct i2c_client *client, u8 *val)
 {
 	int error;
+	u8 buf[I2C_SMBUS_BLOCK_MAX] = {0};
+
+	BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf));
 
 	error = i2c_smbus_read_block_data(client,
-					  ETP_SMBUS_CALIBRATE_QUERY, val);
+					  ETP_SMBUS_CALIBRATE_QUERY, buf);
 	if (error < 0)
 		return error;
 
+	memcpy(val, buf, ETP_CALIBRATE_MAX_LEN);
 	return 0;
 }
 
@@ -472,6 +476,8 @@ static int elan_smbus_get_report(struct
 {
 	int len;
 
+	BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN);
+
 	len = i2c_smbus_read_block_data(client,
 					ETP_SMBUS_PACKET_QUERY,
 					&report[ETP_SMBUS_REPORT_OFFSET]);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 199/220] Input: elantech - enable middle button of touchpads on ThinkPad P52
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 198/220] Input: elan_i2c_smbus - fix more potential stack buffer overflows Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 200/220] Input: elantech - fix V4 report decoding for module with middle key Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaron Ma, Benjamin Tissoires,
	Dmitry Torokhov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Ma <aaron.ma@canonical.com>

commit 24bb555e6e46d96e2a954aa0295029a81cc9bbaa upstream.

PNPID is better way to identify the type of touchpads.
Enable middle button support on 2 types of touchpads on Lenovo P52.

Cc: stable@vger.kernel.org
Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/elantech.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1169,6 +1169,12 @@ static const struct dmi_system_id elante
 	{ }
 };
 
+static const char * const middle_button_pnp_ids[] = {
+	"LEN2131", /* ThinkPad P52 w/ NFC */
+	"LEN2132", /* ThinkPad P52 */
+	NULL
+};
+
 /*
  * Set the appropriate event bits for the input subsystem
  */
@@ -1188,7 +1194,8 @@ static int elantech_set_input_params(str
 	__clear_bit(EV_REL, dev->evbit);
 
 	__set_bit(BTN_LEFT, dev->keybit);
-	if (dmi_check_system(elantech_dmi_has_middle_button))
+	if (dmi_check_system(elantech_dmi_has_middle_button) ||
+			psmouse_matches_pnp_id(psmouse, middle_button_pnp_ids))
 		__set_bit(BTN_MIDDLE, dev->keybit);
 	__set_bit(BTN_RIGHT, dev->keybit);
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 200/220] Input: elantech - fix V4 report decoding for module with middle key
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 199/220] Input: elantech - enable middle button of touchpads on ThinkPad P52 Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 201/220] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, KT Liao, Dmitry Torokhov

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: ??? <kt.liao@emc.com.tw>

commit e0ae2519ca004a628fa55aeef969c37edce522d3 upstream.

Some touchpad has middle key and it will be indicated in bit 2 of packet[0].
We need to fix V4 formation's byte mask to prevent error decoding.

Signed-off-by: KT Liao <kt.liao@emc.com.tw>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/elantech.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -796,7 +796,7 @@ static int elantech_packet_check_v4(stru
 	else if (ic_version == 7 && etd->samples[1] == 0x2A)
 		sanity_check = ((packet[3] & 0x1c) == 0x10);
 	else
-		sanity_check = ((packet[0] & 0x0c) == 0x04 &&
+		sanity_check = ((packet[0] & 0x08) == 0x00 &&
 				(packet[3] & 0x1c) == 0x10);
 
 	if (!sanity_check)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 201/220] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 200/220] Input: elantech - fix V4 report decoding for module with middle key Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 203/220] ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit b41f794f284966fd6ec634111e3b40d241389f96 upstream.

The kernel may spew a WARNING about UBSAN undefined behavior at
handling ALSA timer ioctl SNDRV_TIMER_IOCTL_NEXT_DEVICE:

UBSAN: Undefined behaviour in sound/core/timer.c:1524:19
signed integer overflow:
2147483647 + 1 cannot be represented in type 'int'
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x122/0x1c8 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
 handle_overflow+0x1c2/0x21f lib/ubsan.c:190
 __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 snd_timer_user_next_device sound/core/timer.c:1524 [inline]
 __snd_timer_user_ioctl+0x204d/0x2520 sound/core/timer.c:1939
 snd_timer_user_ioctl+0x67/0x95 sound/core/timer.c:1994
 ....

It happens only when a value with INT_MAX is passed, as we're
incrementing it unconditionally.  So the fix is trivial, check the
value with INT_MAX.  Although the bug itself is fairly harmless, it's
better to fix it so that fuzzers won't hit this again later.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200213
Reported-and-tested-by: Team OWL337 <icytxw@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/timer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1517,7 +1517,7 @@ static int snd_timer_user_next_device(st
 				} else {
 					if (id.subdevice < 0)
 						id.subdevice = 0;
-					else
+					else if (id.subdevice < INT_MAX)
 						id.subdevice++;
 				}
 			}



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 203/220] ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 201/220] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 204/220] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Benjamin Berg, Takashi Iwai

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit d5a6cabf02210b896a60eee7c04c670ee9ba6dca upstream.

Some Lenovo laptops, e.g. Lenovo P50, showed the pop noise at resume
or runtime resume.  It turned out to be reduced by applying
alc_no_shutup() just like TPT440 quirk does.

Since there are many Lenovo models showing the same behavior, put this
workaround in ALC269_FIXUP_THINKPAD_ACPI entry so that it's applied
commonly to all such Lenovo machines.

Reported-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Benjamin Berg <bberg@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4985,7 +4985,6 @@ static void alc_fixup_tpt440_dock(struct
 	struct alc_spec *spec = codec->spec;
 
 	if (action == HDA_FIXUP_ACT_PRE_PROBE) {
-		spec->shutup = alc_no_shutup; /* reduce click noise */
 		spec->reboot_notify = alc_d3_at_reboot; /* reduce noise */
 		spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
 		codec->power_save_node = 0; /* avoid click noises */
@@ -5384,6 +5383,13 @@ static void alc274_fixup_bind_dacs(struc
 /* for hda_fixup_thinkpad_acpi() */
 #include "thinkpad_helper.c"
 
+static void alc_fixup_thinkpad_acpi(struct hda_codec *codec,
+				    const struct hda_fixup *fix, int action)
+{
+	alc_fixup_no_shutup(codec, fix, action); /* reduce click noise */
+	hda_fixup_thinkpad_acpi(codec, fix, action);
+}
+
 /* for dell wmi mic mute led */
 #include "dell_wmi_helper.c"
 
@@ -5927,7 +5933,7 @@ static const struct hda_fixup alc269_fix
 	},
 	[ALC269_FIXUP_THINKPAD_ACPI] = {
 		.type = HDA_FIXUP_FUNC,
-		.v.func = hda_fixup_thinkpad_acpi,
+		.v.func = alc_fixup_thinkpad_acpi,
 		.chained = true,
 		.chain_id = ALC269_FIXUP_SKU_IGNORE,
 	},



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 204/220] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 203/220] ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 205/220] ALSA: hda/realtek - Fix the problem of two front mics on more machines Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 275ec0cb946cb75ac8977f662e608fce92f8b8a8 upstream.

Fujitsu Seimens ESPRIMO Mobile U9210 requires the same fixup as H270
for the correct pin configs.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200107
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2542,6 +2542,7 @@ static const struct snd_pci_quirk alc262
 	SND_PCI_QUIRK(0x10cf, 0x1397, "Fujitsu Lifebook S7110", ALC262_FIXUP_FSC_S7110),
 	SND_PCI_QUIRK(0x10cf, 0x142d, "Fujitsu Lifebook E8410", ALC262_FIXUP_BENQ),
 	SND_PCI_QUIRK(0x10f1, 0x2915, "Tyan Thunder n6650W", ALC262_FIXUP_TYAN),
+	SND_PCI_QUIRK(0x1734, 0x1141, "FSC ESPRIMO U9210", ALC262_FIXUP_FSC_H270),
 	SND_PCI_QUIRK(0x1734, 0x1147, "FSC Celsius H270", ALC262_FIXUP_FSC_H270),
 	SND_PCI_QUIRK(0x17aa, 0x384e, "Lenovo 3000", ALC262_FIXUP_LENOVO_3000),
 	SND_PCI_QUIRK(0x17ff, 0x0560, "Benq ED8", ALC262_FIXUP_BENQ),



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 205/220] ALSA: hda/realtek - Fix the problem of two front mics on more machines
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 204/220] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 206/220] Revert "i2c: algo-bit: init the bus to a known state" Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hui Wang, Takashi Iwai

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit e41fc8c5bd41b96bfae5ce4c66bee6edabc932e8 upstream.

We have 3 more Lenovo machines, they all have 2 front mics on them,
so they need the fixup to change the location for one of two mics.

Among these 3 Lenovo machines, one of them has the same pin cfg as the
machine with subid 0x17aa3138, so use the pin cfg table to apply fixup
for them. The rest machines don't share the same pin cfg, so far use
the subid to apply fixup for them.

Fixes: a3dafb2200bf ("ALSA: hda/realtek - adjust the location of one mic")
Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6584,8 +6584,9 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
 	SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
 	SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+	SND_PCI_QUIRK(0x17aa, 0x312a, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
 	SND_PCI_QUIRK(0x17aa, 0x312f, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
-	SND_PCI_QUIRK(0x17aa, 0x3138, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+	SND_PCI_QUIRK(0x17aa, 0x3136, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
 	SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
 	SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
 	SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
@@ -6763,6 +6764,12 @@ static const struct snd_hda_pin_quirk al
 		{0x14, 0x90170110},
 		{0x19, 0x02a11030},
 		{0x21, 0x02211020}),
+	SND_HDA_PIN_QUIRK(0x10ec0235, 0x17aa, "Lenovo", ALC294_FIXUP_LENOVO_MIC_LOCATION,
+		{0x14, 0x90170110},
+		{0x19, 0x02a11030},
+		{0x1a, 0x02a11040},
+		{0x1b, 0x01014020},
+		{0x21, 0x0221101f}),
 	SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
 		{0x12, 0x90a60140},
 		{0x14, 0x90170110},



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 206/220] Revert "i2c: algo-bit: init the bus to a known state"
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 205/220] ALSA: hda/realtek - Fix the problem of two front mics on more machines Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 207/220] i2c: gpio: initialize SCL to HIGH again Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Larin, Wolfram Sang,
	Alex Deucher, Wolfram Sang, stable

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfram Sang <wsa+renesas@sang-engineering.com>

commit 2a2c8ee2d72c4f1ba0f7fbb02dc74f971df0f934 upstream.

This reverts commit 3e5f06bed72fe72166a6778f630241a893f67799. As per
bugzilla #200045, this caused a regression. I don't really see a way to
fix it without having the hardware. So, revert the patch and I will fix
the issue I was seeing originally in the i2c-gpio driver itself. I
couldn't find new users of this algorithm since, so there should be no
one depending on the new behaviour.

Reported-by: Sergey Larin <cerg2010cerg2010@mail.ru>
Fixes: 3e5f06bed72f ("i2c: algo-bit: init the bus to a known state")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Sergey Larin <cerg2010cerg2010@mail.ru>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/algos/i2c-algo-bit.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/drivers/i2c/algos/i2c-algo-bit.c
+++ b/drivers/i2c/algos/i2c-algo-bit.c
@@ -649,11 +649,6 @@ static int __i2c_bit_add_bus(struct i2c_
 	if (bit_adap->getscl == NULL)
 		adap->quirks = &i2c_bit_quirk_no_clk_stretch;
 
-	/* Bring bus to a known state. Looks like STOP if bus is not free yet */
-	setscl(bit_adap, 1);
-	udelay(bit_adap->udelay);
-	setsda(bit_adap, 1);
-
 	ret = add_adapter(adap);
 	if (ret < 0)
 		return ret;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 207/220] i2c: gpio: initialize SCL to HIGH again
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 206/220] Revert "i2c: algo-bit: init the bus to a known state" Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 208/220] slub: fix failure when we delete and create a slab cache Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wolfram Sang, Geert Uytterhoeven,
	Linus Walleij, Wolfram Sang, stable

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfram Sang <wsa+renesas@sang-engineering.com>

commit 12b731dd46d9ee646318e6e9dc587314a3908a46 upstream.

It seems that during the conversion from gpio* to gpiod*, the initial
state of SCL was wrongly switched to LOW. Fix it to be HIGH again.

Fixes: 7bb75029ef34 ("i2c: gpio: Enforce open drain through gpiolib")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/busses/i2c-gpio.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/i2c/busses/i2c-gpio.c
+++ b/drivers/i2c/busses/i2c-gpio.c
@@ -279,9 +279,9 @@ static int i2c_gpio_probe(struct platfor
 	 * required for an I2C bus.
 	 */
 	if (pdata->scl_is_open_drain)
-		gflags = GPIOD_OUT_LOW;
+		gflags = GPIOD_OUT_HIGH;
 	else
-		gflags = GPIOD_OUT_LOW_OPEN_DRAIN;
+		gflags = GPIOD_OUT_HIGH_OPEN_DRAIN;
 	priv->scl = i2c_gpio_get_desc(dev, "scl", 1, gflags);
 	if (IS_ERR(priv->scl))
 		return PTR_ERR(priv->scl);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 208/220] slub: fix failure when we delete and create a slab cache
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 207/220] i2c: gpio: initialize SCL to HIGH again Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 209/220] kasan: depend on CONFIG_SLUB_DEBUG Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer,
	Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim,
	Andrew Morton, Linus Torvalds

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit d50d82faa0c964e31f7a946ba8aba7c715ca7ab0 upstream.

In kernel 4.17 I removed some code from dm-bufio that did slab cache
merging (commit 21bb13276768: "dm bufio: remove code that merges slab
caches") - both slab and slub support merging caches with identical
attributes, so dm-bufio now just calls kmem_cache_create and relies on
implicit merging.

This uncovered a bug in the slub subsystem - if we delete a cache and
immediatelly create another cache with the same attributes, it fails
because of duplicate filename in /sys/kernel/slab/.  The slub subsystem
offloads freeing the cache to a workqueue - and if we create the new
cache before the workqueue runs, it complains because of duplicate
filename in sysfs.

This patch fixes the bug by moving the call of kobject_del from
sysfs_slab_remove_workfn to shutdown_cache.  kobject_del must be called
while we hold slab_mutex - so that the sysfs entry is deleted before a
cache with the same attributes could be created.

Running device-mapper-test-suite with:

  dmtest run --suite thin-provisioning -n /commit_failure_causes_fallback/

triggered:

  Buffer I/O error on dev dm-0, logical block 1572848, async page read
  device-mapper: thin: 253:1: metadata operation 'dm_pool_alloc_data_block' failed: error = -5
  device-mapper: thin: 253:1: aborting current metadata transaction
  sysfs: cannot create duplicate filename '/kernel/slab/:a-0000144'
  CPU: 2 PID: 1037 Comm: kworker/u48:1 Not tainted 4.17.0.snitm+ #25
  Hardware name: Supermicro SYS-1029P-WTR/X11DDW-L, BIOS 2.0a 12/06/2017
  Workqueue: dm-thin do_worker [dm_thin_pool]
  Call Trace:
   dump_stack+0x5a/0x73
   sysfs_warn_dup+0x58/0x70
   sysfs_create_dir_ns+0x77/0x80
   kobject_add_internal+0xba/0x2e0
   kobject_init_and_add+0x70/0xb0
   sysfs_slab_add+0xb1/0x250
   __kmem_cache_create+0x116/0x150
   create_cache+0xd9/0x1f0
   kmem_cache_create_usercopy+0x1c1/0x250
   kmem_cache_create+0x18/0x20
   dm_bufio_client_create+0x1ae/0x410 [dm_bufio]
   dm_block_manager_create+0x5e/0x90 [dm_persistent_data]
   __create_persistent_data_objects+0x38/0x940 [dm_thin_pool]
   dm_pool_abort_metadata+0x64/0x90 [dm_thin_pool]
   metadata_operation_failed+0x59/0x100 [dm_thin_pool]
   alloc_data_block.isra.53+0x86/0x180 [dm_thin_pool]
   process_cell+0x2a3/0x550 [dm_thin_pool]
   do_worker+0x28d/0x8f0 [dm_thin_pool]
   process_one_work+0x171/0x370
   worker_thread+0x49/0x3f0
   kthread+0xf8/0x130
   ret_from_fork+0x35/0x40
  kobject_add_internal failed for :a-0000144 with -EEXIST, don't try to register things with the same name in the same directory.
  kmem_cache_create(dm_bufio_buffer-16) failed with error -17

Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1806151817130.6333@file01.intranet.prod.int.rdu2.redhat.com
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Mike Snitzer <snitzer@redhat.com>
Tested-by: Mike Snitzer <snitzer@redhat.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/slub_def.h |    4 ++++
 mm/slab_common.c         |    4 ++++
 mm/slub.c                |    7 ++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

--- a/include/linux/slub_def.h
+++ b/include/linux/slub_def.h
@@ -156,8 +156,12 @@ struct kmem_cache {
 
 #ifdef CONFIG_SYSFS
 #define SLAB_SUPPORTS_SYSFS
+void sysfs_slab_unlink(struct kmem_cache *);
 void sysfs_slab_release(struct kmem_cache *);
 #else
+static inline void sysfs_slab_unlink(struct kmem_cache *s)
+{
+}
 static inline void sysfs_slab_release(struct kmem_cache *s)
 {
 }
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -566,10 +566,14 @@ static int shutdown_cache(struct kmem_ca
 	list_del(&s->list);
 
 	if (s->flags & SLAB_TYPESAFE_BY_RCU) {
+#ifdef SLAB_SUPPORTS_SYSFS
+		sysfs_slab_unlink(s);
+#endif
 		list_add_tail(&s->list, &slab_caches_to_rcu_destroy);
 		schedule_work(&slab_caches_to_rcu_destroy_work);
 	} else {
 #ifdef SLAB_SUPPORTS_SYSFS
+		sysfs_slab_unlink(s);
 		sysfs_slab_release(s);
 #else
 		slab_kmem_cache_release(s);
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5714,7 +5714,6 @@ static void sysfs_slab_remove_workfn(str
 	kset_unregister(s->memcg_kset);
 #endif
 	kobject_uevent(&s->kobj, KOBJ_REMOVE);
-	kobject_del(&s->kobj);
 out:
 	kobject_put(&s->kobj);
 }
@@ -5799,6 +5798,12 @@ static void sysfs_slab_remove(struct kme
 	schedule_work(&s->kobj_remove_work);
 }
 
+void sysfs_slab_unlink(struct kmem_cache *s)
+{
+	if (slab_state >= FULL)
+		kobject_del(&s->kobj);
+}
+
 void sysfs_slab_release(struct kmem_cache *s)
 {
 	if (slab_state >= FULL)



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 209/220] kasan: depend on CONFIG_SLUB_DEBUG
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 208/220] slub: fix failure when we delete and create a slab cache Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 210/220] dm: use bio_split() when splitting out the already processed bio Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason A. Donenfeld, Michal Hocko,
	Shakeel Butt, Christoph Lameter, David Rientjes, Pekka Enberg,
	Joonsoo Kim, Andrey Ryabinin, Andrew Morton, Linus Torvalds

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit dd275caf4a0d9b219fffe49288b6cc33cd564312 upstream.

KASAN depends on having access to some of the accounting that SLUB_DEBUG
does; without it, there are immediate crashes [1].  So, the natural
thing to do is to make KASAN select SLUB_DEBUG.

[1] http://lkml.kernel.org/r/CAHmME9rtoPwxUSnktxzKso14iuVCWT7BE_-_8PAC=pGw1iJnQg@mail.gmail.com

Link: http://lkml.kernel.org/r/20180622154623.25388-1-Jason@zx2c4.com
Fixes: f9e13c0a5a33 ("slab, slub: skip unnecessary kasan_cache_shutdown()")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/Kconfig.kasan |    1 +
 1 file changed, 1 insertion(+)

--- a/lib/Kconfig.kasan
+++ b/lib/Kconfig.kasan
@@ -6,6 +6,7 @@ if HAVE_ARCH_KASAN
 config KASAN
 	bool "KASan: runtime memory debugger"
 	depends on SLUB || (SLAB && !DEBUG_SLAB)
+	select SLUB_DEBUG if SLUB
 	select CONSTRUCTORS
 	select STACKDEPOT
 	help



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 210/220] dm: use bio_split() when splitting out the already processed bio
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 209/220] kasan: depend on CONFIG_SLUB_DEBUG Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 211/220] pmem: only set QUEUE_FLAG_DAX for fsdax mode Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, NeilBrown, Mike Snitzer

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <snitzer@redhat.com>

commit f21c601a2bb319ec19eb4562eadc7797d90fd90e upstream.

Use of bio_clone_bioset() is inefficient if there is no need to clone
the original bio's bio_vec array.  Best to use the bio_clone_fast()
variant.  Also, just using bio_advance() is only part of what is needed
to properly setup the clone -- it doesn't account for the various
bio_integrity() related work that also needs to be performed (see
bio_split).

Address both of these issues by switching from bio_clone_bioset() to
bio_split().

Fixes: 18a25da8 ("dm: ensure bio submission follows a depth-first tree walk")
Cc: stable@vger.kernel.org # 4.15+, requires removal of '&' before md->queue->bio_split
Reported-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1582,10 +1582,9 @@ static blk_qc_t __split_and_process_bio(
 				 * the usage of io->orig_bio in dm_remap_zone_report()
 				 * won't be affected by this reassignment.
 				 */
-				struct bio *b = bio_clone_bioset(bio, GFP_NOIO,
-								 md->queue->bio_split);
+				struct bio *b = bio_split(bio, bio_sectors(bio) - ci.sector_count,
+							  GFP_NOIO, md->queue->bio_split);
 				ci.io->orig_bio = b;
-				bio_advance(bio, (bio_sectors(bio) - ci.sector_count) << 9);
 				bio_chain(b, bio);
 				ret = generic_make_request(bio);
 				break;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 211/220] pmem: only set QUEUE_FLAG_DAX for fsdax mode
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 210/220] dm: use bio_split() when splitting out the already processed bio Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 212/220] block: Fix transfer when chunk sectors exceeds max Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ross Zwisler, Mike Snitzer,
	Dan Williams, Toshi Kani

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Zwisler <ross.zwisler@linux.intel.com>

commit 4557641b4c7046625c026fb809c47ef0d43ae595 upstream.

QUEUE_FLAG_DAX is an indication that a given block device supports
filesystem DAX and should not be set for PMEM namespaces which are in "raw"
mode.  These namespaces lack struct page and are prevented from
participating in filesystem DAX as of commit 569d0365f571 ("dax: require
'struct page' by default for filesystem dax").

Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Suggested-by: Mike Snitzer <snitzer@redhat.com>
Fixes: 569d0365f571 ("dax: require 'struct page' by default for filesystem dax")
Cc: stable@vger.kernel.org
Acked-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nvdimm/pmem.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -387,7 +387,8 @@ static int pmem_attach_disk(struct devic
 	blk_queue_logical_block_size(q, pmem_sector_size(ndns));
 	blk_queue_max_hw_sectors(q, UINT_MAX);
 	blk_queue_flag_set(QUEUE_FLAG_NONROT, q);
-	blk_queue_flag_set(QUEUE_FLAG_DAX, q);
+	if (pmem->pfn_flags & PFN_MAP)
+		blk_queue_flag_set(QUEUE_FLAG_DAX, q);
 	q->queuedata = pmem;
 
 	disk = alloc_disk_node(0, nid);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 212/220] block: Fix transfer when chunk sectors exceeds max
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 211/220] pmem: only set QUEUE_FLAG_DAX for fsdax mode Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 213/220] block: Fix cloning of requests with a special payload Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jitendra Bhivare, Martin K. Petersen,
	Keith Busch, Jens Axboe

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keith Busch <keith.busch@intel.com>

commit 15bfd21fbc5d35834b9ea383dc458a1f0c9e3434 upstream.

A device may have boundary restrictions where the number of sectors
between boundaries exceeds its max transfer size. In this case, we need
to cap the max size to the smaller of the two limits.

Reported-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Tested-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <keith.busch@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/blkdev.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -1124,8 +1124,8 @@ static inline unsigned int blk_max_size_
 	if (!q->limits.chunk_sectors)
 		return q->limits.max_sectors;
 
-	return q->limits.chunk_sectors -
-			(offset & (q->limits.chunk_sectors - 1));
+	return min(q->limits.max_sectors, (unsigned int)(q->limits.chunk_sectors -
+			(offset & (q->limits.chunk_sectors - 1))));
 }
 
 static inline unsigned int blk_rq_get_max_sectors(struct request *rq,



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 213/220] block: Fix cloning of requests with a special payload
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 212/220] block: Fix transfer when chunk sectors exceeds max Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 214/220] x86/e820: put !E820_TYPE_RAM regions into memblock.reserved Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ming Lei, Christoph Hellwig,
	Mike Snitzer, Bart Van Assche, Hannes Reinecke,
	Johannes Thumshirn, Jens Axboe

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>

commit 297ba57dcdec7ea37e702bcf1a577ac32a034e21 upstream.

This patch avoids that removing a path controlled by the dm-mpath driver
while mkfs is running triggers the following kernel bug:

    kernel BUG at block/blk-core.c:3347!
    invalid opcode: 0000 [#1] PREEMPT SMP KASAN
    CPU: 20 PID: 24369 Comm: mkfs.ext4 Not tainted 4.18.0-rc1-dbg+ #2
    RIP: 0010:blk_end_request_all+0x68/0x70
    Call Trace:
     <IRQ>
     dm_softirq_done+0x326/0x3d0 [dm_mod]
     blk_done_softirq+0x19b/0x1e0
     __do_softirq+0x128/0x60d
     irq_exit+0x100/0x110
     smp_call_function_single_interrupt+0x90/0x330
     call_function_single_interrupt+0xf/0x20
     </IRQ>

Fixes: f9d03f96b988 ("block: improve handling of the magic discard payload")
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/blk-core.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -3487,6 +3487,10 @@ static void __blk_rq_prep_clone(struct r
 	dst->cpu = src->cpu;
 	dst->__sector = blk_rq_pos(src);
 	dst->__data_len = blk_rq_bytes(src);
+	if (src->rq_flags & RQF_SPECIAL_PAYLOAD) {
+		dst->rq_flags |= RQF_SPECIAL_PAYLOAD;
+		dst->special_vec = src->special_vec;
+	}
 	dst->nr_phys_segments = src->nr_phys_segments;
 	dst->ioprio = src->ioprio;
 	dst->extra_len = src->extra_len;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 214/220] x86/e820: put !E820_TYPE_RAM regions into memblock.reserved
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 213/220] block: Fix cloning of requests with a special payload Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:23 ` [PATCH 4.17 215/220] selinux: move user accesses in selinuxfs out of locked regions Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naoya Horiguchi, Oscar Salvador,
	Herton R. Krzesinski, Michal Hocko, Pavel Tatashin,
	Steven Sistare, Daniel Jordan, Matthew Wilcox, Andrew Morton,
	Linus Torvalds

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

commit 124049decbb121ec32742c94fb5d9d6bed8f24d8 upstream.

There is a kernel panic that is triggered when reading /proc/kpageflags
on the kernel booted with kernel parameter 'memmap=nn[KMG]!ss[KMG]':

  BUG: unable to handle kernel paging request at fffffffffffffffe
  PGD 9b20e067 P4D 9b20e067 PUD 9b210067 PMD 0
  Oops: 0000 [#1] SMP PTI
  CPU: 2 PID: 1728 Comm: page-types Not tainted 4.17.0-rc6-mm1-v4.17-rc6-180605-0816-00236-g2dfb086ef02c+ #160
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014
  RIP: 0010:stable_page_flags+0x27/0x3c0
  Code: 00 00 00 0f 1f 44 00 00 48 85 ff 0f 84 a0 03 00 00 41 54 55 49 89 fc 53 48 8b 57 08 48 8b 2f 48 8d 42 ff 83 e2 01 48 0f 44 c7 <48> 8b 00 f6 c4 01 0f 84 10 03 00 00 31 db 49 8b 54 24 08 4c 89 e7
  RSP: 0018:ffffbbd44111fde0 EFLAGS: 00010202
  RAX: fffffffffffffffe RBX: 00007fffffffeff9 RCX: 0000000000000000
  RDX: 0000000000000001 RSI: 0000000000000202 RDI: ffffed1182fff5c0
  RBP: ffffffffffffffff R08: 0000000000000001 R09: 0000000000000001
  R10: ffffbbd44111fed8 R11: 0000000000000000 R12: ffffed1182fff5c0
  R13: 00000000000bffd7 R14: 0000000002fff5c0 R15: ffffbbd44111ff10
  FS:  00007efc4335a500(0000) GS:ffff93a5bfc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: fffffffffffffffe CR3: 00000000b2a58000 CR4: 00000000001406e0
  Call Trace:
   kpageflags_read+0xc7/0x120
   proc_reg_read+0x3c/0x60
   __vfs_read+0x36/0x170
   vfs_read+0x89/0x130
   ksys_pread64+0x71/0x90
   do_syscall_64+0x5b/0x160
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x7efc42e75e23
  Code: 09 00 ba 9f 01 00 00 e8 ab 81 f4 ff 66 2e 0f 1f 84 00 00 00 00 00 90 83 3d 29 0a 2d 00 00 75 13 49 89 ca b8 11 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 db d3 01 00 48 89 04 24

According to kernel bisection, this problem became visible due to commit
f7f99100d8d9 ("mm: stop zeroing memory during allocation in vmemmap")
which changes how struct pages are initialized.

Memblock layout affects the pfn ranges covered by node/zone.  Consider
that we have a VM with 2 NUMA nodes and each node has 4GB memory, and
the default (no memmap= given) memblock layout is like below:

  MEMBLOCK configuration:
   memory size = 0x00000001fff75c00 reserved size = 0x000000000300c000
   memory.cnt  = 0x4
   memory[0x0]     [0x0000000000001000-0x000000000009efff], 0x000000000009e000 bytes on node 0 flags: 0x0
   memory[0x1]     [0x0000000000100000-0x00000000bffd6fff], 0x00000000bfed7000 bytes on node 0 flags: 0x0
   memory[0x2]     [0x0000000100000000-0x000000013fffffff], 0x0000000040000000 bytes on node 0 flags: 0x0
   memory[0x3]     [0x0000000140000000-0x000000023fffffff], 0x0000000100000000 bytes on node 1 flags: 0x0
   ...

If you give memmap=1G!4G (so it just covers memory[0x2]),
the range [0x100000000-0x13fffffff] is gone:

  MEMBLOCK configuration:
   memory size = 0x00000001bff75c00 reserved size = 0x000000000300c000
   memory.cnt  = 0x3
   memory[0x0]     [0x0000000000001000-0x000000000009efff], 0x000000000009e000 bytes on node 0 flags: 0x0
   memory[0x1]     [0x0000000000100000-0x00000000bffd6fff], 0x00000000bfed7000 bytes on node 0 flags: 0x0
   memory[0x2]     [0x0000000140000000-0x000000023fffffff], 0x0000000100000000 bytes on node 1 flags: 0x0
   ...

This causes shrinking node 0's pfn range because it is calculated by the
address range of memblock.memory.  So some of struct pages in the gap
range are left uninitialized.

We have a function zero_resv_unavail() which does zeroing the struct pages
within the reserved unavailable range (i.e.  memblock.memory &&
!memblock.reserved).  This patch utilizes it to cover all unavailable
ranges by putting them into memblock.reserved.

Link: http://lkml.kernel.org/r/20180615072947.GB23273@hori1.linux.bs1.fc.nec.co.jp
Fixes: f7f99100d8d9 ("mm: stop zeroing memory during allocation in vmemmap")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Tested-by: Oscar Salvador <osalvador@suse.de>
Tested-by: "Herton R. Krzesinski" <herton@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Cc: Steven Sistare <steven.sistare@oracle.com>
Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/e820.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
@@ -1246,6 +1246,7 @@ void __init e820__memblock_setup(void)
 {
 	int i;
 	u64 end;
+	u64 addr = 0;
 
 	/*
 	 * The bootstrap memblock region count maximum is 128 entries
@@ -1262,13 +1263,21 @@ void __init e820__memblock_setup(void)
 		struct e820_entry *entry = &e820_table->entries[i];
 
 		end = entry->addr + entry->size;
+		if (addr < entry->addr)
+			memblock_reserve(addr, entry->addr - addr);
+		addr = end;
 		if (end != (resource_size_t)end)
 			continue;
 
+		/*
+		 * all !E820_TYPE_RAM ranges (including gap ranges) are put
+		 * into memblock.reserved to make sure that struct pages in
+		 * such regions are not left uninitialized after bootup.
+		 */
 		if (entry->type != E820_TYPE_RAM && entry->type != E820_TYPE_RESERVED_KERN)
-			continue;
-
-		memblock_add(entry->addr, entry->size);
+			memblock_reserve(entry->addr, entry->size);
+		else
+			memblock_add(entry->addr, entry->size);
 	}
 
 	/* Throw away partial pages: */



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 215/220] selinux: move user accesses in selinuxfs out of locked regions
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 214/220] x86/e820: put !E820_TYPE_RAM regions into memblock.reserved Greg Kroah-Hartman
@ 2018-07-01 16:23 ` Greg Kroah-Hartman
  2018-07-01 16:24 ` [PATCH 4.17 216/220] x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80" Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jann Horn, Stephen Smalley, Paul Moore

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 0da74120c5341389b97c4ee27487a97224999ee1 upstream.

If a user is accessing a file in selinuxfs with a pointer to a userspace
buffer that is backed by e.g. a userfaultfd, the userspace access can
stall indefinitely, which can block fsi->mutex if it is held.

For sel_read_policy(), remove the locking, since this method doesn't seem
to access anything that requires locking.

For sel_read_bool(), move the user access below the locked region.

For sel_write_bool() and sel_commit_bools_write(), move the user access
up above the locked region.

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: removed an unused variable in sel_read_policy()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/selinux/selinuxfs.c |   78 ++++++++++++++++++-------------------------
 1 file changed, 33 insertions(+), 45 deletions(-)

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -435,22 +435,16 @@ static int sel_release_policy(struct ino
 static ssize_t sel_read_policy(struct file *filp, char __user *buf,
 			       size_t count, loff_t *ppos)
 {
-	struct selinux_fs_info *fsi = file_inode(filp)->i_sb->s_fs_info;
 	struct policy_load_memory *plm = filp->private_data;
 	int ret;
 
-	mutex_lock(&fsi->mutex);
-
 	ret = avc_has_perm(&selinux_state,
 			   current_sid(), SECINITSID_SECURITY,
 			  SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL);
 	if (ret)
-		goto out;
+		return ret;
 
-	ret = simple_read_from_buffer(buf, count, ppos, plm->data, plm->len);
-out:
-	mutex_unlock(&fsi->mutex);
-	return ret;
+	return simple_read_from_buffer(buf, count, ppos, plm->data, plm->len);
 }
 
 static int sel_mmap_policy_fault(struct vm_fault *vmf)
@@ -1182,25 +1176,29 @@ static ssize_t sel_read_bool(struct file
 	ret = -EINVAL;
 	if (index >= fsi->bool_num || strcmp(name,
 					     fsi->bool_pending_names[index]))
-		goto out;
+		goto out_unlock;
 
 	ret = -ENOMEM;
 	page = (char *)get_zeroed_page(GFP_KERNEL);
 	if (!page)
-		goto out;
+		goto out_unlock;
 
 	cur_enforcing = security_get_bool_value(fsi->state, index);
 	if (cur_enforcing < 0) {
 		ret = cur_enforcing;
-		goto out;
+		goto out_unlock;
 	}
 	length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
 			  fsi->bool_pending_values[index]);
-	ret = simple_read_from_buffer(buf, count, ppos, page, length);
-out:
 	mutex_unlock(&fsi->mutex);
+	ret = simple_read_from_buffer(buf, count, ppos, page, length);
+out_free:
 	free_page((unsigned long)page);
 	return ret;
+
+out_unlock:
+	mutex_unlock(&fsi->mutex);
+	goto out_free;
 }
 
 static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
@@ -1213,6 +1211,17 @@ static ssize_t sel_write_bool(struct fil
 	unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK;
 	const char *name = filep->f_path.dentry->d_name.name;
 
+	if (count >= PAGE_SIZE)
+		return -ENOMEM;
+
+	/* No partial writes. */
+	if (*ppos != 0)
+		return -EINVAL;
+
+	page = memdup_user_nul(buf, count);
+	if (IS_ERR(page))
+		return PTR_ERR(page);
+
 	mutex_lock(&fsi->mutex);
 
 	length = avc_has_perm(&selinux_state,
@@ -1227,22 +1236,6 @@ static ssize_t sel_write_bool(struct fil
 					     fsi->bool_pending_names[index]))
 		goto out;
 
-	length = -ENOMEM;
-	if (count >= PAGE_SIZE)
-		goto out;
-
-	/* No partial writes. */
-	length = -EINVAL;
-	if (*ppos != 0)
-		goto out;
-
-	page = memdup_user_nul(buf, count);
-	if (IS_ERR(page)) {
-		length = PTR_ERR(page);
-		page = NULL;
-		goto out;
-	}
-
 	length = -EINVAL;
 	if (sscanf(page, "%d", &new_value) != 1)
 		goto out;
@@ -1274,6 +1267,17 @@ static ssize_t sel_commit_bools_write(st
 	ssize_t length;
 	int new_value;
 
+	if (count >= PAGE_SIZE)
+		return -ENOMEM;
+
+	/* No partial writes. */
+	if (*ppos != 0)
+		return -EINVAL;
+
+	page = memdup_user_nul(buf, count);
+	if (IS_ERR(page))
+		return PTR_ERR(page);
+
 	mutex_lock(&fsi->mutex);
 
 	length = avc_has_perm(&selinux_state,
@@ -1283,22 +1287,6 @@ static ssize_t sel_commit_bools_write(st
 	if (length)
 		goto out;
 
-	length = -ENOMEM;
-	if (count >= PAGE_SIZE)
-		goto out;
-
-	/* No partial writes. */
-	length = -EINVAL;
-	if (*ppos != 0)
-		goto out;
-
-	page = memdup_user_nul(buf, count);
-	if (IS_ERR(page)) {
-		length = PTR_ERR(page);
-		page = NULL;
-		goto out;
-	}
-
 	length = -EINVAL;
 	if (sscanf(page, "%d", &new_value) != 1)
 		goto out;



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 216/220] x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80"
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2018-07-01 16:23 ` [PATCH 4.17 215/220] selinux: move user accesses in selinuxfs out of locked regions Greg Kroah-Hartman
@ 2018-07-01 16:24 ` Greg Kroah-Hartman
  2018-07-01 16:24 ` [PATCH 4.17 217/220] x86/efi: Fix efi_call_phys_epilog() with CONFIG_X86_5LEVEL=y Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zhijianx.li, Andy Lutomirski,
	Arjan van de Ven, Borislav Petkov, Dan Williams, Dave Hansen,
	David Woodhouse, Josh Poimboeuf, Linus Torvalds, Peter Zijlstra,
	Thomas Gleixner, Ingo Molnar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit 22cd978e598618e82c3c3348d2069184f6884182 upstream.

Commit:

  8bb2610bc496 ("x86/entry/64/compat: Preserve r8-r11 in int $0x80")

was busted: my original patch had a minor conflict with
some of the nospec changes, but "git apply" is very clever
and silently accepted the patch by making the same changes
to a different function in the same file.  There was obviously
a huge offset, but "git apply" for some reason doesn't feel
any need to say so.

Move the changes to the correct function.  Now the
test_syscall_vdso_32 selftests passes.

If anyone cares to observe the original problem, try applying the
patch at:

  https://lore.kernel.org/lkml/d4c4d9985fbe64f8c9e19291886453914b48caee.1523975710.git.luto@kernel.org/raw

to the kernel at 316d097c4cd4e7f2ef50c40cff2db266593c4ec4:

 - "git am" and "git apply" accept the patch without any complaints at all
 - "patch -p1" at least prints out a message about the huge offset.

Reported-by: zhijianx.li@intel.com
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org #v4.17+
Fixes: 8bb2610bc496 ("x86/entry/64/compat: Preserve r8-r11 in int $0x80")
Link: http://lkml.kernel.org/r/6012b922485401bc42676e804171ded262fc2ef2.1530078306.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/entry/entry_64_compat.S |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -84,13 +84,13 @@ ENTRY(entry_SYSENTER_compat)
 	pushq	%rdx			/* pt_regs->dx */
 	pushq	%rcx			/* pt_regs->cx */
 	pushq	$-ENOSYS		/* pt_regs->ax */
-	pushq   %r8			/* pt_regs->r8 */
+	pushq   $0			/* pt_regs->r8  = 0 */
 	xorl	%r8d, %r8d		/* nospec   r8 */
-	pushq   %r9			/* pt_regs->r9 */
+	pushq   $0			/* pt_regs->r9  = 0 */
 	xorl	%r9d, %r9d		/* nospec   r9 */
-	pushq   %r10			/* pt_regs->r10 */
+	pushq   $0			/* pt_regs->r10 = 0 */
 	xorl	%r10d, %r10d		/* nospec   r10 */
-	pushq   %r11			/* pt_regs->r11 */
+	pushq   $0			/* pt_regs->r11 = 0 */
 	xorl	%r11d, %r11d		/* nospec   r11 */
 	pushq   %rbx                    /* pt_regs->rbx */
 	xorl	%ebx, %ebx		/* nospec   rbx */
@@ -374,13 +374,13 @@ ENTRY(entry_INT80_compat)
 	pushq	%rcx			/* pt_regs->cx */
 	xorl	%ecx, %ecx		/* nospec   cx */
 	pushq	$-ENOSYS		/* pt_regs->ax */
-	pushq   $0			/* pt_regs->r8  = 0 */
+	pushq   %r8			/* pt_regs->r8 */
 	xorl	%r8d, %r8d		/* nospec   r8 */
-	pushq   $0			/* pt_regs->r9  = 0 */
+	pushq   %r9			/* pt_regs->r9 */
 	xorl	%r9d, %r9d		/* nospec   r9 */
-	pushq   $0			/* pt_regs->r10 = 0 */
+	pushq   %r10			/* pt_regs->r10*/
 	xorl	%r10d, %r10d		/* nospec   r10 */
-	pushq   $0			/* pt_regs->r11 = 0 */
+	pushq   %r11			/* pt_regs->r11 */
 	xorl	%r11d, %r11d		/* nospec   r11 */
 	pushq   %rbx                    /* pt_regs->rbx */
 	xorl	%ebx, %ebx		/* nospec   rbx */



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 217/220] x86/efi: Fix efi_call_phys_epilog() with CONFIG_X86_5LEVEL=y
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2018-07-01 16:24 ` [PATCH 4.17 216/220] x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80" Greg Kroah-Hartman
@ 2018-07-01 16:24 ` Greg Kroah-Hartman
  2018-07-01 16:24 ` [PATCH 4.17 218/220] dm zoned: avoid triggering reclaim from inside dmz_map() Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov, Ard Biesheuvel,
	Andrey Ryabinin, Baoquan He, Linus Torvalds, Matt Fleming,
	Peter Zijlstra, Thomas Gleixner, Ingo Molnar

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>

commit cfe19577047e74cdac5826adbdc2337d8437f8fb upstream.

Open-coded page table entry checks don't work correctly when we fold the
page table level at runtime.

pgd_present() on 4-level paging machine always returns true, but
open-coded version of the check may return false-negative result and
we silently skip the rest of the loop body in efi_call_phys_epilog().

Replace open-coded checks with proper helpers.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org # v4.12+
Fixes: 94133e46a0f5 ("x86/efi: Correct EFI identity mapping under 'efi=old_map' when KASLR is enabled")
Link: http://lkml.kernel.org/r/20180625120852.18300-1-kirill.shutemov@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/platform/efi/efi_64.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -166,14 +166,14 @@ void __init efi_call_phys_epilog(pgd_t *
 		pgd = pgd_offset_k(pgd_idx * PGDIR_SIZE);
 		set_pgd(pgd_offset_k(pgd_idx * PGDIR_SIZE), save_pgd[pgd_idx]);
 
-		if (!(pgd_val(*pgd) & _PAGE_PRESENT))
+		if (!pgd_present(*pgd))
 			continue;
 
 		for (i = 0; i < PTRS_PER_P4D; i++) {
 			p4d = p4d_offset(pgd,
 					 pgd_idx * PGDIR_SIZE + i * P4D_SIZE);
 
-			if (!(p4d_val(*p4d) & _PAGE_PRESENT))
+			if (!p4d_present(*p4d))
 				continue;
 
 			pud = (pud_t *)p4d_page_vaddr(*p4d);



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 218/220] dm zoned: avoid triggering reclaim from inside dmz_map()
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2018-07-01 16:24 ` [PATCH 4.17 217/220] x86/efi: Fix efi_call_phys_epilog() with CONFIG_X86_5LEVEL=y Greg Kroah-Hartman
@ 2018-07-01 16:24 ` Greg Kroah-Hartman
  2018-07-01 16:24 ` [PATCH 4.17 219/220] dm thin: handle running out of data space vs concurrent discard Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>

commit 2d0b2d64d325e22939d9db3ba784f1236459ed98 upstream.

This patch avoids that lockdep reports the following:

======================================================
WARNING: possible circular locking dependency detected
4.18.0-rc1 #62 Not tainted
------------------------------------------------------
kswapd0/84 is trying to acquire lock:
00000000c313516d (&xfs_nondir_ilock_class){++++}, at: xfs_free_eofblocks+0xa2/0x1e0

but task is already holding lock:
00000000591c83ae (fs_reclaim){+.+.}, at: __fs_reclaim_acquire+0x5/0x30

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (fs_reclaim){+.+.}:
  kmem_cache_alloc+0x2c/0x2b0
  radix_tree_node_alloc.constprop.19+0x3d/0xc0
  __radix_tree_create+0x161/0x1c0
  __radix_tree_insert+0x45/0x210
  dmz_map+0x245/0x2d0 [dm_zoned]
  __map_bio+0x40/0x260
  __split_and_process_non_flush+0x116/0x220
  __split_and_process_bio+0x81/0x180
  __dm_make_request.isra.32+0x5a/0x100
  generic_make_request+0x36e/0x690
  submit_bio+0x6c/0x140
  mpage_readpages+0x19e/0x1f0
  read_pages+0x6d/0x1b0
  __do_page_cache_readahead+0x21b/0x2d0
  force_page_cache_readahead+0xc4/0x100
  generic_file_read_iter+0x7c6/0xd20
  __vfs_read+0x102/0x180
  vfs_read+0x9b/0x140
  ksys_read+0x55/0xc0
  do_syscall_64+0x5a/0x1f0
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&dmz->chunk_lock){+.+.}:
  dmz_map+0x133/0x2d0 [dm_zoned]
  __map_bio+0x40/0x260
  __split_and_process_non_flush+0x116/0x220
  __split_and_process_bio+0x81/0x180
  __dm_make_request.isra.32+0x5a/0x100
  generic_make_request+0x36e/0x690
  submit_bio+0x6c/0x140
  _xfs_buf_ioapply+0x31c/0x590
  xfs_buf_submit_wait+0x73/0x520
  xfs_buf_read_map+0x134/0x2f0
  xfs_trans_read_buf_map+0xc3/0x580
  xfs_read_agf+0xa5/0x1e0
  xfs_alloc_read_agf+0x59/0x2b0
  xfs_alloc_pagf_init+0x27/0x60
  xfs_bmap_longest_free_extent+0x43/0xb0
  xfs_bmap_btalloc_nullfb+0x7f/0xf0
  xfs_bmap_btalloc+0x428/0x7c0
  xfs_bmapi_write+0x598/0xcc0
  xfs_iomap_write_allocate+0x15a/0x330
  xfs_map_blocks+0x1cf/0x3f0
  xfs_do_writepage+0x15f/0x7b0
  write_cache_pages+0x1ca/0x540
  xfs_vm_writepages+0x65/0xa0
  do_writepages+0x48/0xf0
  __writeback_single_inode+0x58/0x730
  writeback_sb_inodes+0x249/0x5c0
  wb_writeback+0x11e/0x550
  wb_workfn+0xa3/0x670
  process_one_work+0x228/0x670
  worker_thread+0x3c/0x390
  kthread+0x11c/0x140
  ret_from_fork+0x3a/0x50

-> #0 (&xfs_nondir_ilock_class){++++}:
  down_read_nested+0x43/0x70
  xfs_free_eofblocks+0xa2/0x1e0
  xfs_fs_destroy_inode+0xac/0x270
  dispose_list+0x51/0x80
  prune_icache_sb+0x52/0x70
  super_cache_scan+0x127/0x1a0
  shrink_slab.part.47+0x1bd/0x590
  shrink_node+0x3b5/0x470
  balance_pgdat+0x158/0x3b0
  kswapd+0x1ba/0x600
  kthread+0x11c/0x140
  ret_from_fork+0x3a/0x50

other info that might help us debug this:

Chain exists of:
  &xfs_nondir_ilock_class --> &dmz->chunk_lock --> fs_reclaim

Possible unsafe locking scenario:

     CPU0                    CPU1
     ----                    ----
lock(fs_reclaim);
                             lock(&dmz->chunk_lock);
                             lock(fs_reclaim);
lock(&xfs_nondir_ilock_class);

---
 drivers/md/dm-zoned-target.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-zoned-target.c
+++ b/drivers/md/dm-zoned-target.c
@@ -788,7 +788,7 @@ static int dmz_ctr(struct dm_target *ti,
 
 	/* Chunk BIO work */
 	mutex_init(&dmz->chunk_lock);
-	INIT_RADIX_TREE(&dmz->chunk_rxtree, GFP_KERNEL);
+	INIT_RADIX_TREE(&dmz->chunk_rxtree, GFP_NOIO);
 	dmz->chunk_wq = alloc_workqueue("dmz_cwq_%s", WQ_MEM_RECLAIM | WQ_UNBOUND,
 					0, dev->name);
 	if (!dmz->chunk_wq) {



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 219/220] dm thin: handle running out of data space vs concurrent discard
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2018-07-01 16:24 ` [PATCH 4.17 218/220] dm zoned: avoid triggering reclaim from inside dmz_map() Greg Kroah-Hartman
@ 2018-07-01 16:24 ` Greg Kroah-Hartman
  2018-07-01 16:24 ` [PATCH 4.17 220/220] virt: vbox: Only copy_from_user the request-header once Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:24 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dennis Yang, Mike Snitzer

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <snitzer@redhat.com>

commit a685557fbbc3122ed11e8ad3fa63a11ebc5de8c3 upstream.

Discards issued to a DM thin device can complete to userspace (via
fstrim) _before_ the metadata changes associated with the discards is
reflected in the thinp superblock (e.g. free blocks).  As such, if a
user constructs a test that loops repeatedly over these steps, block
allocation can fail due to discards not having completed yet:
1) fill thin device via filesystem file
2) remove file
3) fstrim

>From initial report, here:
https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html

"The root cause of this issue is that dm-thin will first remove
mapping and increase corresponding blocks' reference count to prevent
them from being reused before DISCARD bios get processed by the
underlying layers. However. increasing blocks' reference count could
also increase the nr_allocated_this_transaction in struct sm_disk
which makes smd->old_ll.nr_allocated +
smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
In this case, alloc_data_block() will never commit metadata to reset
the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
always return an underflow value."

While there is room for improvement to the space-map accounting that
thinp is making use of: the reality is this test is inherently racey and
will result in the previous iteration's fstrim's discard(s) completing
vs concurrent block allocation, via dd, in the next iteration of the
loop.

No amount of space map accounting improvements will be able to allow
user's to use a block before a discard of that block has completed.

So the best we can really do is allow DM thinp to gracefully handle such
aggressive use of all the pool's data by degrading the pool into
out-of-data-space (OODS) mode.  We _should_ get that behaviour already
(if space map accounting didn't falsely cause alloc_data_block() to
believe free space was available).. but short of that we handle the
current reality that dm_pool_alloc_data_block() can return -ENOSPC.

Reported-by: Dennis Yang <dennisyang@qnap.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-thin.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -1385,6 +1385,8 @@ static void schedule_external_copy(struc
 
 static void set_pool_mode(struct pool *pool, enum pool_mode new_mode);
 
+static void requeue_bios(struct pool *pool);
+
 static void check_for_space(struct pool *pool)
 {
 	int r;
@@ -1397,8 +1399,10 @@ static void check_for_space(struct pool
 	if (r)
 		return;
 
-	if (nr_free)
+	if (nr_free) {
 		set_pool_mode(pool, PM_WRITE);
+		requeue_bios(pool);
+	}
 }
 
 /*
@@ -1475,7 +1479,10 @@ static int alloc_data_block(struct thin_
 
 	r = dm_pool_alloc_data_block(pool->pmd, result);
 	if (r) {
-		metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
+		if (r == -ENOSPC)
+			set_pool_mode(pool, PM_OUT_OF_DATA_SPACE);
+		else
+			metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
 		return r;
 	}
 



^ permalink raw reply	[flat|nested] 219+ messages in thread

* [PATCH 4.17 220/220] virt: vbox: Only copy_from_user the request-header once
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2018-07-01 16:24 ` [PATCH 4.17 219/220] dm thin: handle running out of data space vs concurrent discard Greg Kroah-Hartman
@ 2018-07-01 16:24 ` Greg Kroah-Hartman
  2018-07-02 13:22 ` [PATCH 4.17 000/220] 4.17.4-stable review Naresh Kamboju
  2018-07-02 16:33 ` Guenter Roeck
  212 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-01 16:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Hans de Goede, Justin Forbes

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

commit bd23a7269834dc7c1f93e83535d16ebc44b75eba upstream.

In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
'version', 'size_in', and 'size_out' fields of 'hdr' are verified.

Before this commit, after the checks a buffer for the entire request would
be allocated and then all data including the verified header would be
copied from the userspace 'arg' pointer again.

Given that the 'arg' pointer resides in userspace, a malicious userspace
process can race to change the data pointed to by 'arg' between the two
copies. By doing so, the user can bypass the verifications on the ioctl
argument.

This commit fixes this by using the already checked copy of the header
to fill the header part of the allocated buffer and only copying the
remainder of the data from userspace.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Cc: Justin Forbes <jmforbes@linuxtx.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/virt/vboxguest/vboxguest_linux.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/virt/vboxguest/vboxguest_linux.c
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct
 	if (!buf)
 		return -ENOMEM;
 
-	if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
+	*((struct vbg_ioctl_hdr *)buf) = hdr;
+	if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
+			   hdr.size_in - sizeof(hdr))) {
 		ret = -EFAULT;
 		goto out;
 	}



^ permalink raw reply	[flat|nested] 219+ messages in thread

* Re: [PATCH 4.17 154/220] UBIFS: Fix potential integer overflow in allocation
  2018-07-01 16:22 ` [PATCH 4.17 154/220] UBIFS: Fix potential integer overflow in allocation Greg Kroah-Hartman
@ 2018-07-01 18:48   ` Richard Weinberger
  2018-07-02  6:32     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 219+ messages in thread
From: Richard Weinberger @ 2018-07-01 18:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: LKML, stable, Silvio Cesare, Kees Cook

On Sun, Jul 1, 2018 at 6:22 PM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> 4.17-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> commit 353748a359f1821ee934afc579cf04572406b420 upstream.
>
> There is potential for the size and len fields in ubifs_data_node to be
> too large causing either a negative value for the length fields or an
> integer overflow leading to an incorrect memory allocation. Likewise,
> when the len field is small, an integer underflow may occur.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Guys, this patch was never on linux-mtd nor was I CC'ed.
I don't see it so super security critical which argues to bypass the
whole community review process.

Anyway, I don't like this patch for two reasons.
1. Instead of doing the kmalloc_array() dance, just check whether size
is 0 > and <= UBIFS_BLOCK_SIZE, in the caller.
2. It will not apply to most stable kernels since it targets the code
path with UBIFS encryption available.

-- 
Thanks,
//richard

^ permalink raw reply	[flat|nested] 219+ messages in thread

* Re: [PATCH 4.17 154/220] UBIFS: Fix potential integer overflow in allocation
  2018-07-01 18:48   ` Richard Weinberger
@ 2018-07-02  6:32     ` Greg Kroah-Hartman
  2018-07-02  6:33       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-02  6:32 UTC (permalink / raw)
  To: Richard Weinberger; +Cc: LKML, stable, Silvio Cesare, Kees Cook

On Sun, Jul 01, 2018 at 08:48:07PM +0200, Richard Weinberger wrote:
> On Sun, Jul 1, 2018 at 6:22 PM, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > 4.17-stable review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Silvio Cesare <silvio.cesare@gmail.com>
> >
> > commit 353748a359f1821ee934afc579cf04572406b420 upstream.
> >
> > There is potential for the size and len fields in ubifs_data_node to be
> > too large causing either a negative value for the length fields or an
> > integer overflow leading to an incorrect memory allocation. Likewise,
> > when the len field is small, an integer underflow may occur.
> >
> > Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> > Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> Guys, this patch was never on linux-mtd nor was I CC'ed.
> I don't see it so super security critical which argues to bypass the
> whole community review process.
> 
> Anyway, I don't like this patch for two reasons.
> 1. Instead of doing the kmalloc_array() dance, just check whether size
> is 0 > and <= UBIFS_BLOCK_SIZE, in the caller.
> 2. It will not apply to most stable kernels since it targets the code
> path with UBIFS encryption available.

Can you get a fix into Linus's tree that I can also queue up for a
stable release?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 219+ messages in thread

* Re: [PATCH 4.17 154/220] UBIFS: Fix potential integer overflow in allocation
  2018-07-02  6:32     ` Greg Kroah-Hartman
@ 2018-07-02  6:33       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-02  6:33 UTC (permalink / raw)
  To: Richard Weinberger; +Cc: LKML, stable, Silvio Cesare, Kees Cook

On Mon, Jul 02, 2018 at 08:32:55AM +0200, Greg Kroah-Hartman wrote:
> On Sun, Jul 01, 2018 at 08:48:07PM +0200, Richard Weinberger wrote:
> > On Sun, Jul 1, 2018 at 6:22 PM, Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > > 4.17-stable review patch.  If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Silvio Cesare <silvio.cesare@gmail.com>
> > >
> > > commit 353748a359f1821ee934afc579cf04572406b420 upstream.
> > >
> > > There is potential for the size and len fields in ubifs_data_node to be
> > > too large causing either a negative value for the length fields or an
> > > integer overflow leading to an incorrect memory allocation. Likewise,
> > > when the len field is small, an integer underflow may occur.
> > >
> > > Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> > > Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > Guys, this patch was never on linux-mtd nor was I CC'ed.
> > I don't see it so super security critical which argues to bypass the
> > whole community review process.
> > 
> > Anyway, I don't like this patch for two reasons.
> > 1. Instead of doing the kmalloc_array() dance, just check whether size
> > is 0 > and <= UBIFS_BLOCK_SIZE, in the caller.
> > 2. It will not apply to most stable kernels since it targets the code
> > path with UBIFS encryption available.
> 
> Can you get a fix into Linus's tree that I can also queue up for a
> stable release?

Ah nevermind, I see your revert/add patch now, sorry for the noise.

greg k-h

^ permalink raw reply	[flat|nested] 219+ messages in thread

* Re: [PATCH 4.17 000/220] 4.17.4-stable review
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2018-07-01 16:24 ` [PATCH 4.17 220/220] virt: vbox: Only copy_from_user the request-header once Greg Kroah-Hartman
@ 2018-07-02 13:22 ` Naresh Kamboju
  2018-07-02 14:25   ` Greg Kroah-Hartman
  2018-07-02 16:33 ` Guenter Roeck
  212 siblings, 1 reply; 219+ messages in thread
From: Naresh Kamboju @ 2018-07-02 13:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Shuah Khan, patches, lkft-triage, Ben Hutchings,
	linux- stable, Andrew Morton, Linus Torvalds, Guenter Roeck

On 1 July 2018 at 21:50, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 4.17.4 release.
> There are 220 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue Jul  3 16:08:27 UTC 2018.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.17.4-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm and x86_64.

Summary
------------------------------------------------------------------------

kernel: 4.17.4-rc1
git repo:
 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.17.y
git commit: 7cde32fbe2ccb991623eb74b50c45abf51eec58f
git describe: v4.17.3-221-g7cde32fbe2cc
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.17-oe\
/build/v4.17.3-221-g7cde32fbe2cc
^please join url


No regressions (compared to build v4.17.3-222-g5cff622a798f)


Ran 11389 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* boot
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-containers-tests
* ltp-cve-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 219+ messages in thread

* Re: [PATCH 4.17 000/220] 4.17.4-stable review
  2018-07-02 13:22 ` [PATCH 4.17 000/220] 4.17.4-stable review Naresh Kamboju
@ 2018-07-02 14:25   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-02 14:25 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Shuah Khan, patches, lkft-triage, Ben Hutchings,
	linux- stable, Andrew Morton, Linus Torvalds, Guenter Roeck

On Mon, Jul 02, 2018 at 06:52:25PM +0530, Naresh Kamboju wrote:
> On 1 July 2018 at 21:50, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > This is the start of the stable review cycle for the 4.17.4 release.
> > There are 220 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Tue Jul  3 16:08:27 UTC 2018.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.17.4-rc1.gz
> > or in the git tree and branch at:
> >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.17.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm and x86_64.

Great, thanks for testing 3 of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 219+ messages in thread

* Re: [PATCH 4.17 000/220] 4.17.4-stable review
  2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2018-07-02 13:22 ` [PATCH 4.17 000/220] 4.17.4-stable review Naresh Kamboju
@ 2018-07-02 16:33 ` Guenter Roeck
  2018-07-03  6:31   ` Greg Kroah-Hartman
  212 siblings, 1 reply; 219+ messages in thread
From: Guenter Roeck @ 2018-07-02 16:33 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Sun, Jul 01, 2018 at 06:20:24PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.17.4 release.
> There are 220 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue Jul  3 16:08:27 UTC 2018.
> Anything received after that time might be too late.
> 

Build results:
	total: 134 pass: 134 fail: 0
Qemu test results:
	total: 158 pass: 158 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 219+ messages in thread

* Re: [PATCH 4.17 000/220] 4.17.4-stable review
  2018-07-02 16:33 ` Guenter Roeck
@ 2018-07-03  6:31   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 219+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-03  6:31 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Mon, Jul 02, 2018 at 09:33:13AM -0700, Guenter Roeck wrote:
> On Sun, Jul 01, 2018 at 06:20:24PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.17.4 release.
> > There are 220 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Tue Jul  3 16:08:27 UTC 2018.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 134 pass: 134 fail: 0
> Qemu test results:
> 	total: 158 pass: 158 fail: 0
> 
> Details are available at http://kerneltests.org/builders.

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 219+ messages in thread

end of thread, other threads:[~2018-07-03  6:32 UTC | newest]

Thread overview: 219+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-01 16:20 [PATCH 4.17 000/220] 4.17.4-stable review Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 001/220] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec() Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 002/220] x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 003/220] x86/platform/UV: Add adjustable set memory block size function Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 004/220] x86/platform/UV: Use new " Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 005/220] x86/platform/UV: Add kernel parameter to set memory block size Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 006/220] x86/mce: Improve error message when kernel cannot recover Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 007/220] x86/mce: Check for alternate indication of machine check recovery on Skylake Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 008/220] x86/mce: Fix incorrect "Machine check from unknown source" message Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 009/220] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out() Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 010/220] x86: Call fixup_exception() before notify_die() in math_error() Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 011/220] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 012/220] m68k/mac: Fix SWIM memory resource end address Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 013/220] platform/chrome: cros_ec_lpc: do not try DMI match when ACPI device found Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 014/220] hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 015/220] mtd: spi-nor: intel-spi: Fix atomic sequence handling Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 016/220] serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 017/220] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 018/220] PM / Domains: Fix error path during attach in genpd Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 019/220] PCI / PM: Do not clear state_saved for devices that remain suspended Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 020/220] ACPI / LPSS: Avoid PM quirks on suspend and resume from S3 Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 021/220] PM / core: Fix supplier device runtime PM usage counter imbalance Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 022/220] PM / OPP: Update voltage in case freq == old_freq Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 023/220] mmc: renesas_sdhi: really fix WP logic regressions Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 024/220] usb: do not reset if a low-speed or full-speed device timed out Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 026/220] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 027/220] ASoC: cs35l35: Add use_single_rw to regmap config Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 028/220] ASoC: mediatek: preallocate pages use platform device Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 029/220] ASoC: cirrus: i2s: Fix LRCLK configuration Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 031/220] thermal: bcm2835: Stop using printk format %pCr Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 032/220] clk: renesas: cpg-mssr: " Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 033/220] lib/vsprintf: Remove atomic-unsafe support for %pCr Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 034/220] ftrace/selftest: Have the reset_trigger code be a bit more careful Greg Kroah-Hartman
2018-07-01 16:20 ` [PATCH 4.17 035/220] mips: ftrace: fix static function graph tracing Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 036/220] branch-check: fix long->int truncation when profiling branches Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 037/220] ipmi:bt: Set the timeout before doing a capabilities check Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 038/220] Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 039/220] printk: fix possible reuse of va_list variable Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 040/220] fuse: fix congested state leak on aborted connections Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 041/220] fuse: atomic_o_trunc should truncate pagecache Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 042/220] fuse: dont keep dead fuse_conn at fuse_fill_super() Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 043/220] fuse: fix control dir setup and teardown Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 044/220] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 045/220] powerpc/pkeys: Detach execute_only key on !PROT_EXEC Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 046/220] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 047/220] powerpc/perf: Fix memory allocation for core-imc based on num_possible_cpus() Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 048/220] powerpc/ptrace: Fix enforcement of DAWR constraints Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 049/220] powerpc/powernv/ioda2: Remove redundant free of TCE pages Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 050/220] powerpc/powernv: copy/paste - Mask SO bit in CR Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 051/220] powerpc/powernv/cpuidle: Init all present cpus for deep states Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 052/220] cpuidle: powernv: Fix promotion from snooze if next state disabled Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 053/220] powerpc/fadump: Unregister fadump on kexec down path Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 054/220] libnvdimm, pmem: Do not flush power-fail protected CPU caches Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 055/220] soc: rockchip: power-domain: Fix wrong value when power up pd with writemask Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 056/220] powerpc/64s/radix: Fix radix_kvm_prefetch_workaround paca access of not possible CPU Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 057/220] powerpc/e500mc: Set assembler machine type to e500mc Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 058/220] powerpc/64s: Fix DT CPU features Power9 DD2.1 logic Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 059/220] cxl: Configure PSL to not use APC virtual machines Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 060/220] cxl: Disable prefault_mode in Radix mode Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 061/220] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 062/220] ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VDD-CPUX voltage Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 063/220] ARM: dts: sun8i: h3: fix ALL-H3-CC H3 ver VCC-1V2 regulator voltage Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 064/220] ARM: dts: Fix SPI node for Arria10 Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 065/220] ARM: dts: socfpga: Fix NAND controller node compatible Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 066/220] ARM: dts: socfpga: Fix NAND controller clock supply Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 067/220] ARM: dts: socfpga: Fix NAND controller node compatible for Arria10 Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 069/220] softirq: Reorder trace_softirqs_on to prevent lockdep splat Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 070/220] arm64: Fix syscall restarting around signal suppressed by tracer Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 071/220] crypto: arm64/aes-blk - fix and move skcipher_walk_done out of kernel_neon_begin, _end Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 072/220] arm64: kpti: Use early_param for kpti= command-line option Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 073/220] arm64: mm: Ensure writes to swapper are ordered wrt subsequent cache maintenance Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 074/220] arm64: dts: marvell: fix CP110 ICU node size Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 075/220] arm64: dts: stratix10: Fix SPI nodes for Stratix10 Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 076/220] ARM64: dts: meson: disable sd-uhs modes on the libretech-cc Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 077/220] ARM64: dts: meson-gx: fix ATF reserved memory region Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 078/220] of: overlay: validate offset from property fixups Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 079/220] of: unittest: for strings, account for trailing \0 in property length field Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 080/220] of: platform: stop accessing invalid dev in of_platform_device_destroy Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 081/220] tpm: fix use after free in tpm2_load_context() Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 082/220] tpm: fix race condition in tpm_common_write() Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 083/220] efi/libstub/tpm: Initialize efi_physical_addr_t vars to zero for mixed mode Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 084/220] IB/qib: Fix DMA api warning with debug kernel Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 085/220] IB/{hfi1, qib}: Add handling of kernel restart Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 086/220] IB/mlx4: Mark user MR as writable if actual virtual memory is writable Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 087/220] IB/core: Make testing MR flags for writability a static inline function Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 088/220] IB/mlx5: Fetch soft WQEs on fatal error state Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 089/220] IB/isert: Fix for lib/dma_debug check_sync warning Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 090/220] IB/isert: fix T10-pi check mask setting Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 091/220] IB/hfi1: Fix fault injection init/exit issues Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 092/220] IB/hfi1: Reorder incorrect send context disable Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 093/220] IB/hfi1: Optimize kthread pointer locking when queuing CQ entries Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 094/220] IB/hfi1: Fix user context tail allocation for DMA_RTAIL Greg Kroah-Hartman
2018-07-01 16:21 ` [PATCH 4.17 095/220] IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 096/220] RDMA/mlx4: Discard unknown SQP work requests Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 097/220] xprtrdma: Return -ENOBUFS when no pages are available Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 098/220] RDMA/core: Save kernel caller name when creating CQ using ib_create_cq() Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 099/220] mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 100/220] mtd: cfi_cmdset_0002: Change write buffer to check correct value Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 101/220] mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 102/220] mtd: rawnand: fix return value check for bad block status Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 103/220] mtd: rawnand: mxc: set spare area size register explicitly Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 104/220] mtd: rawnand: micron: add ONFI_FEATURE_ON_DIE_ECC to supported features Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 105/220] mtd: rawnand: All AC chips have a broken GET_FEATURES(TIMINGS) Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 106/220] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 107/220] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 108/220] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 109/220] mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 111/220] clk:aspeed: Fix reset bits for PCI/VGA and PECI Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 112/220] PCI: hv: Make sure the bus domain is really unique Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 113/220] PCI: Add ACS quirk for Intel 7th & 8th Gen mobile Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 114/220] PCI: Add ACS quirk for Intel 300 series Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 115/220] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 116/220] PCI: Account for all bridges on bus when distributing bus numbers Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 117/220] auxdisplay: fix broken menu Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 118/220] pinctrl: armada-37xx: Fix spurious irq management Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 121/220] cpufreq: intel_pstate: Fix scaling max/min limits with Turbo 3.0 Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 122/220] MIPS: pb44: Fix i2c-gpio GPIO descriptor table Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 123/220] MIPS: io: Add barrier after register read in inX() Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 125/220] irqchip/gic-v3-its: Dont bind LPI to unavailable NUMA node Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 126/220] locking/rwsem: Fix up_read_non_owner() warning with DEBUG_RWSEMS Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 127/220] X.509: unpack RSA signatureValue field from BIT STRING Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 128/220] Btrfs: fix return value on rename exchange failure Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 129/220] iio: adc: ad7791: remove sample freq sysfs attributes Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 130/220] iio: sca3000: Fix an error handling path in sca3000_probe() Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 131/220] mm: fix __gup_device_huge vs unmap Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 132/220] scsi: scsi_debug: Fix memory leak on module unload Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 133/220] scsi: hpsa: disable device during shutdown Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 134/220] scsi: qla2xxx: Delete session for nport id change Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 135/220] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 136/220] scsi: qla2xxx: Mask off Scope bits in retry delay Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 137/220] scsi: qla2xxx: Spinlock recursion in qla_target Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 138/220] scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 139/220] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 140/220] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 141/220] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 142/220] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 143/220] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 144/220] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 145/220] linvdimm, pmem: Preserve read-only setting for pmem devices Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 146/220] libnvdimm, pmem: Unconditionally deep flush on *sync Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 147/220] clk: meson: meson8b: mark fclk_div2 gate clocks as CLK_IS_CRITICAL Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 148/220] clk: at91: PLL recalc_rate() now using cached MUL and DIV values Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 149/220] rtc: sun6i: Fix bit_idx value for clk_register_gate Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 150/220] md: fix two problems with setting the "re-add" device state Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 151/220] rpmsg: smd: do not use mananged resources for endpoints and channels Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 152/220] ubi: fastmap: Cancel work upon detach Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 153/220] ubi: fastmap: Correctly handle interrupted erasures in EBA Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 154/220] UBIFS: Fix potential integer overflow in allocation Greg Kroah-Hartman
2018-07-01 18:48   ` Richard Weinberger
2018-07-02  6:32     ` Greg Kroah-Hartman
2018-07-02  6:33       ` Greg Kroah-Hartman
2018-07-01 16:22 ` [PATCH 4.17 155/220] backlight: as3711_bl: Fix Device Tree node lookup Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 156/220] backlight: max8925_bl: " Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 157/220] backlight: tps65217_bl: " Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 159/220] f2fs: dont use GFP_ZERO for page caches Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 160/220] um: Fix initialization of vector queues Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 161/220] um: Fix raw interface options Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 162/220] mfd: twl-core: Fix clock initialization Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 163/220] mfd: intel-lpss: Program REMAP register in PIO mode Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 164/220] mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 165/220] remoteproc: Prevent incorrect rproc state on xfer mem ownership failure Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 166/220] arm: dts: mt7623: fix invalid memory node being generated Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 167/220] perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 168/220] perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 169/220] perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 170/220] perf intel-pt: Fix MTC timing after overflow Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 171/220] perf intel-pt: Fix "Unexpected indirect branch" error Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 172/220] perf intel-pt: Fix packet decoding of CYC packets Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 173/220] media: vsp1: Release buffers for each video node Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 174/220] media: uvcvideo: Support realteks UVC 1.5 device Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 175/220] media: cx231xx: Ignore an i2c mux adapter Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 176/220] media: v4l2-compat-ioctl32: prevent go past max size Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 177/220] media: cx231xx: Add support for AverMedia DVD EZMaker 7 Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 178/220] media: rc: mce_kbd decoder: fix stuck keys Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 179/220] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 180/220] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 181/220] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 182/220] NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound issues..") Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 183/220] NFSv4: Fix a typo in nfs41_sequence_process Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 184/220] video: uvesafb: Fix integer overflow in allocation Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 185/220] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 186/220] Input: silead - add MSSL0002 ACPI HID Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 187/220] Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 188/220] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 189/220] rbd: flush rbd_dev->watch_dwork after watch is unregistered Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 190/220] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 191/220] mm: fix devmem_is_allowed() for sub-page System RAM intersections Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 192/220] tracing: Check for no filter when processing event filters Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 193/220] xen: Remove unnecessary BUG_ON from __unbind_from_irq() Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 194/220] net: ethernet: fix suspend/resume in davinci_emac Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 195/220] udf: Detect incorrect directory size Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 196/220] Input: xpad - fix GPD Win 2 controller name Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 197/220] Input: psmouse - fix button reporting for basic protocols Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 198/220] Input: elan_i2c_smbus - fix more potential stack buffer overflows Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 199/220] Input: elantech - enable middle button of touchpads on ThinkPad P52 Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 200/220] Input: elantech - fix V4 report decoding for module with middle key Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 201/220] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 203/220] ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 204/220] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 205/220] ALSA: hda/realtek - Fix the problem of two front mics on more machines Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 206/220] Revert "i2c: algo-bit: init the bus to a known state" Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 207/220] i2c: gpio: initialize SCL to HIGH again Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 208/220] slub: fix failure when we delete and create a slab cache Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 209/220] kasan: depend on CONFIG_SLUB_DEBUG Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 210/220] dm: use bio_split() when splitting out the already processed bio Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 211/220] pmem: only set QUEUE_FLAG_DAX for fsdax mode Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 212/220] block: Fix transfer when chunk sectors exceeds max Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 213/220] block: Fix cloning of requests with a special payload Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 214/220] x86/e820: put !E820_TYPE_RAM regions into memblock.reserved Greg Kroah-Hartman
2018-07-01 16:23 ` [PATCH 4.17 215/220] selinux: move user accesses in selinuxfs out of locked regions Greg Kroah-Hartman
2018-07-01 16:24 ` [PATCH 4.17 216/220] x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80" Greg Kroah-Hartman
2018-07-01 16:24 ` [PATCH 4.17 217/220] x86/efi: Fix efi_call_phys_epilog() with CONFIG_X86_5LEVEL=y Greg Kroah-Hartman
2018-07-01 16:24 ` [PATCH 4.17 218/220] dm zoned: avoid triggering reclaim from inside dmz_map() Greg Kroah-Hartman
2018-07-01 16:24 ` [PATCH 4.17 219/220] dm thin: handle running out of data space vs concurrent discard Greg Kroah-Hartman
2018-07-01 16:24 ` [PATCH 4.17 220/220] virt: vbox: Only copy_from_user the request-header once Greg Kroah-Hartman
2018-07-02 13:22 ` [PATCH 4.17 000/220] 4.17.4-stable review Naresh Kamboju
2018-07-02 14:25   ` Greg Kroah-Hartman
2018-07-02 16:33 ` Guenter Roeck
2018-07-03  6:31   ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).