linux-kernel.vger.kernel.org archive mirror
* [PATCH 4.4 00/80] 4.4.154-stable review
@ 2018-09-03 16:48 Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 01/80] sched/sysctl: Check user input value of sysctl_sched_time_avg Greg Kroah-Hartman
                   ` (80 more replies)
  0 siblings, 81 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.4.154 release.
There are 80 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Sep  5 16:49:18 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.154-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.4.154-rc1

Scott Bauer <scott.bauer@intel.com>
    cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status

Mike Christie <mchristi@redhat.com>
    iscsi target: fix session creation failure handling

Bart Van Assche <bart.vanassche@wdc.com>
    scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock

Bart Van Assche <bart.vanassche@wdc.com>
    scsi: sysfs: Introduce sysfs_{un,}break_active_protection()

Paul Burton <paul.burton@mips.com>
    MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7

Maciej W. Rozycki <macro@mips.com>
    MIPS: Correct the 64-bit DSP accumulator register size

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Make list and blacklist root user read only

Sebastian Ott <sebott@linux.ibm.com>
    s390/pci: fix out of bounds access during irq setup

Julian Wiedmann <jwi@linux.ibm.com>
    s390/qdio: reset old sbal_state flags

Martin Schwidefsky <schwidefsky@de.ibm.com>
    s390: fix br_r1_trampoline for machines without exrl

Andi Kleen <ak@linux.intel.com>
    x86/spectre: Add missing family 6 check to microcode check

Nick Desaulniers <ndesaulniers@google.com>
    x86/irqflags: Mark native_restore_fl extern inline

Dan Carpenter <dan.carpenter@oracle.com>
    pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()

Gustavo A. R. Silva <gustavo@embeddedor.com>
    ASoC: sirf: Fix potential NULL pointer dereference

Jerome Brunet <jbrunet@baylibre.com>
    ASoC: dpcm: don't merge format from invalid codec dai

Mikulas Patocka <mpatocka@redhat.com>
    udl-kms: fix crash due to uninitialized memory

Mikulas Patocka <mpatocka@redhat.com>
    udl-kms: handle allocation failure

Mikulas Patocka <mpatocka@redhat.com>
    udl-kms: change down_interruptible to down

Kirill Tkhai <ktkhai@virtuozzo.com>
    fuse: Add missed unlock_page() to fuse_readpages_fill()

Miklos Szeredi <mszeredi@redhat.com>
    fuse: Fix oops at process_init_reply()

Miklos Szeredi <mszeredi@redhat.com>
    fuse: umount should wait for all requests

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix unlocked access to processing queue

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix double request_end()

Andrey Ryabinin <aryabinin@virtuozzo.com>
    fuse: Don't access pipe->buffers without pipe_lock()

Rian Hunter <rian@alum.mit.edu>
    x86/process: Re-export start_thread()

Vlastimil Babka <vbabka@suse.cz>
    x86/speculation/l1tf: Suggest what to do on systems with too much RAM

Vlastimil Babka <vbabka@suse.cz>
    x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM

Vlastimil Babka <vbabka@suse.cz>
    x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit

Punit Agrawal <punit.agrawal@arm.com>
    KVM: arm/arm64: Skip updating PMD entry if no change

Punit Agrawal <punit.agrawal@arm.com>
    KVM: arm/arm64: Skip updating PTE entry if no change

Greg Hackmann <ghackmann@android.com>
    arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()

Eric Sandeen <sandeen@redhat.com>
    ext4: reset error code in ext4_find_entry in fallback

Arnd Bergmann <arnd@arndb.de>
    ext4: sysfs: print ext4_super_block fields as little-endian

Theodore Ts'o <tytso@mit.edu>
    ext4: check for NUL characters in extended attribute's name

Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
    s390/kvm: fix deadlock when killed by oom

Josef Bacik <josef@toxicpanda.com>
    btrfs: don't leak ret from do_chunk_alloc

Steve French <stfrench@microsoft.com>
    smb3: don't request leases in symlink creation and query

Steve French <stfrench@microsoft.com>
    smb3: Do not send SMB3 SET_INFO if nothing changed

Nicholas Mc Guire <hofrat@osadl.org>
    cifs: check kmalloc before use

Steve French <stfrench@microsoft.com>
    cifs: add missing debug entries for kconfig options

jie@chenjie6@huwei.com <jie@chenjie6@huwei.com>
    mm/memory.c: check return value of ioremap_prot

Jim Gill <jgill@vmware.com>
    scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED

Johannes Thumshirn <jthumshirn@suse.de>
    scsi: fcoe: drop frames in ELS LOGO error path

Colin Ian King <colin.king@canonical.com>
    drivers: net: lmc: fix case value for target abort error

Randy Dunlap <rdunlap@infradead.org>
    arc: fix type warnings in arc/mm/cache.c

Randy Dunlap <rdunlap@infradead.org>
    arc: fix build errors in arc/include/asm/delay.h

Govindarajulu Varadarajan <gvaradar@cisco.com>
    enic: handle mtu change for vf properly

Rafał Miłecki <rafal@milecki.pl>
    Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum"

Calvin Walton <calvin.walton@kepstin.ca>
    tools/power turbostat: Read extended processor family from CPUID

Li Wang <liwang@redhat.com>
    zswap: re-check zswap_is_full() after do zswap_shrink()

Masami Hiramatsu <mhiramat@kernel.org>
    selftests/ftrace: Add snapshot and tracing_on test case

Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
    cachefiles: Wait rather than BUG'ing on "Unexpected object collision"

Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
    cachefiles: Fix refcounting bug in backing-file read monitoring

Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
    fscache: Allow cancelled operations to be enqueued

Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
    net: axienet: Fix double deregister of mdio

Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
    bnx2x: Fix invalid memory access in rss hash config path.

Guenter Roeck <linux@roeck-us.net>
    media: staging: omap4iss: Include asm/cacheflush.h after generic includes

Alexander Sverdlin <alexander.sverdlin@nokia.com>
    i2c: davinci: Avoid zero value of CLKH

Nicholas Mc Guire <hofrat@osadl.org>
    can: mpc5xxx_can: check of_iomap return before use

Randy Dunlap <rdunlap@infradead.org>
    net: prevent ISA drivers from building on PPC32

Florian Westphal <fw@strlen.de>
    atl1c: reserve min skb headroom

Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
    qed: Fix possible race for the link state value.

YueHaibing <yuehaibing@huawei.com>
    net: caif: Add a missing rcu_read_unlock() in caif_flow_cb

Len Brown <len.brown@intel.com>
    tools/power turbostat: fix -S on UP systems

Eugeniu Rosca <roscaeugeniu@gmail.com>
    usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'

Peter Senna Tschudin <peter.senna@gmail.com>
    tools: usb: ffs-test: Fix build on big endian systems

Randy Dunlap <rdunlap@infradead.org>
    usb/phy: fix PPC64 build errors in phy-fsl-usb.c

Jia-Ju Bai <baijiaju1990@gmail.com>
    usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()

Jia-Ju Bai <baijiaju1990@gmail.com>
    usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()

Lucas Stach <l.stach@pengutronix.de>
    drm/imx: imx-ldb: check if channel is enabled before printing warning

Lucas Stach <l.stach@pengutronix.de>
    drm/imx: imx-ldb: disable LDB on driver bind

Varun Prakash <varun@chelsio.com>
    scsi: libiscsi: fix possible NULL pointer dereference in case of TMF

Sean Paul <seanpaul@chromium.org>
    drm/bridge: adv7511: Reset registers on hotplug

Bernd Edlinger <bernd.edlinger@hotmail.de>
    nl80211: Add a missing break in parse_station_flags

mpubbise@codeaurora.org <mpubbise@codeaurora.org>
    mac80211: add stations tied to AP_VLANs during hw reconfig

Florian Westphal <fw@strlen.de>
    xfrm: free skb if nlsk pointer is NULL

Tommi Rantala <tommi.t.rantala@nokia.com>
    xfrm: fix missing dst_release() after policy blocking lbcast and multicast

Eyal Birger <eyal.birger@gmail.com>
    vti6: fix PMTU caching and reporting on xmit

yujuan.qi <yujuan.qi@mediatek.com>
    Cipso: cipso_v4_optptr enter infinite loop

Ethan Zhao <ethan.zhao@oracle.com>
    sched/sysctl: Check user input value of sysctl_sched_time_avg


-------------

Diffstat:

 Makefile                                           |  4 +-
 arch/arc/include/asm/delay.h                       |  3 +
 arch/arc/mm/cache.c                                |  7 +-
 arch/arm/kvm/mmu.c                                 | 42 +++++++++---
 arch/arm64/mm/init.c                               |  6 +-
 arch/mips/bcm47xx/setup.c                          |  6 --
 arch/mips/include/asm/mipsregs.h                   |  3 -
 arch/mips/include/asm/processor.h                  |  2 +-
 arch/mips/kernel/ptrace.c                          |  2 +-
 arch/mips/kernel/ptrace32.c                        |  2 +-
 arch/mips/lib/multi3.c                             |  6 +-
 arch/s390/include/asm/qdio.h                       |  1 -
 arch/s390/mm/fault.c                               |  2 +
 arch/s390/net/bpf_jit_comp.c                       |  2 -
 arch/s390/pci/pci.c                                |  2 +
 arch/x86/include/asm/irqflags.h                    |  3 +-
 arch/x86/include/asm/processor.h                   |  4 +-
 arch/x86/kernel/cpu/bugs.c                         |  4 ++
 arch/x86/kernel/cpu/intel.c                        |  3 +
 arch/x86/kernel/process_64.c                       |  1 +
 arch/x86/mm/init.c                                 |  4 +-
 arch/x86/mm/mmap.c                                 |  2 +-
 drivers/cdrom/cdrom.c                              |  2 +-
 drivers/gpu/drm/i2c/adv7511.c                      | 12 ++++
 drivers/gpu/drm/imx/imx-ldb.c                      |  9 ++-
 drivers/gpu/drm/udl/udl_fb.c                       |  2 +-
 drivers/gpu/drm/udl/udl_main.c                     | 35 +++++-----
 drivers/i2c/busses/i2c-davinci.c                   |  8 ++-
 drivers/net/can/mscan/mpc5xxx_can.c                |  5 ++
 drivers/net/ethernet/3com/Kconfig                  |  2 +-
 drivers/net/ethernet/amd/Kconfig                   |  4 +-
 drivers/net/ethernet/atheros/atl1c/atl1c_main.c    |  1 +
 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    | 13 +++-
 drivers/net/ethernet/cirrus/Kconfig                |  1 +
 drivers/net/ethernet/cisco/enic/enic_main.c        | 78 ++++++++--------------
 drivers/net/ethernet/qlogic/qed/qed_mcp.c          |  1 +
 drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c  |  1 +
 drivers/net/wan/lmc/lmc_main.c                     |  2 +-
 drivers/pinctrl/freescale/pinctrl-imx1-core.c      |  2 +-
 drivers/s390/cio/qdio_main.c                       |  5 +-
 drivers/scsi/fcoe/fcoe_ctlr.c                      |  4 +-
 drivers/scsi/libiscsi.c                            | 12 ++--
 drivers/scsi/scsi_sysfs.c                          | 20 +++++-
 drivers/scsi/vmw_pvscsi.c                          | 11 ++-
 drivers/staging/media/omap4iss/iss_video.c         |  3 +-
 drivers/target/iscsi/iscsi_target_login.c          | 35 ++++++----
 drivers/usb/gadget/function/f_uac2.c               | 20 +++---
 drivers/usb/gadget/udc/r8a66597-udc.c              |  6 +-
 drivers/usb/phy/phy-fsl-usb.c                      |  4 +-
 fs/btrfs/extent-tree.c                             |  2 +-
 fs/cachefiles/namei.c                              |  1 -
 fs/cachefiles/rdwr.c                               | 17 +++--
 fs/cifs/cifs_debug.c                               | 30 +++++++--
 fs/cifs/inode.c                                    |  2 +
 fs/cifs/link.c                                     |  4 +-
 fs/cifs/sess.c                                     |  6 ++
 fs/cifs/smb2inode.c                                |  2 +-
 fs/ext4/namei.c                                    |  1 +
 fs/ext4/sysfs.c                                    | 13 +++-
 fs/ext4/xattr.c                                    |  2 +
 fs/fscache/operation.c                             |  6 +-
 fs/fuse/dev.c                                      | 39 +++++++++--
 fs/fuse/file.c                                     |  1 +
 fs/fuse/fuse_i.h                                   |  1 +
 fs/fuse/inode.c                                    | 23 +++----
 fs/sysfs/file.c                                    | 44 ++++++++++++
 include/linux/sysfs.h                              | 14 ++++
 kernel/kprobes.c                                   |  4 +-
 kernel/sysctl.c                                    |  3 +-
 mm/memory.c                                        |  3 +
 mm/zswap.c                                         |  9 +++
 net/caif/caif_dev.c                                |  4 +-
 net/ipv4/cipso_ipv4.c                              | 12 +++-
 net/ipv6/ip6_vti.c                                 | 11 +--
 net/mac80211/util.c                                |  3 +-
 net/wireless/nl80211.c                             |  1 +
 net/xfrm/xfrm_policy.c                             |  3 +
 net/xfrm/xfrm_user.c                               | 10 +--
 sound/soc/sirf/sirf-usp.c                          |  7 +-
 sound/soc/soc-pcm.c                                |  8 +++
 tools/power/x86/turbostat/turbostat.c              |  8 +--
 .../selftests/ftrace/test.d/00basic/snapshot.tc    | 28 ++++++++
 tools/usb/ffs-test.c                               | 19 +++++-
 83 files changed, 514 insertions(+), 236 deletions(-)




* [PATCH 4.4 01/80] sched/sysctl: Check user input value of sysctl_sched_time_avg
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 02/80] Cipso: cipso_v4_optptr enter infinite loop Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Puthukattukaran, Ethan Zhao,
	Peter Zijlstra (Intel),
	Linus Torvalds, Thomas Gleixner, efault, ethan.kernel, keescook,
	mcgrof, Ingo Molnar, Steve Muckle

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ethan Zhao <ethan.zhao@oracle.com>

commit 5ccba44ba118a5000cccc50076b0344632459779 upstream.

System will hang if the user sets sysctl_sched_time_avg to 0:

  [root@XXX ~]# sysctl kernel.sched_time_avg_ms=0

  Stack traceback for pid 0
  0xffff883f6406c600 0 0 1 3 R 0xffff883f6406cf50 *swapper/3
  ffff883f7ccc3ae8 0000000000000018 ffffffff810c4dd0 0000000000000000
  0000000000017800 ffff883f7ccc3d78 0000000000000003 ffff883f7ccc3bf8
  ffffffff810c4fc9 ffff883f7ccc3c08 00000000810c5043 ffff883f7ccc3c08
  Call Trace:
  <IRQ> [<ffffffff810c4dd0>] ? update_group_capacity+0x110/0x200
  [<ffffffff810c4fc9>] ? update_sd_lb_stats+0x109/0x600
  [<ffffffff810c5507>] ? find_busiest_group+0x47/0x530
  [<ffffffff810c5b84>] ? load_balance+0x194/0x900
  [<ffffffff810ad5ca>] ? update_rq_clock.part.83+0x1a/0xe0
  [<ffffffff810c6d42>] ? rebalance_domains+0x152/0x290
  [<ffffffff810c6f5c>] ? run_rebalance_domains+0xdc/0x1d0
  [<ffffffff8108a75b>] ? __do_softirq+0xfb/0x320
  [<ffffffff8108ac85>] ? irq_exit+0x125/0x130
  [<ffffffff810b3a17>] ? scheduler_ipi+0x97/0x160
  [<ffffffff81052709>] ? smp_reschedule_interrupt+0x29/0x30
  [<ffffffff8173a1be>] ? reschedule_interrupt+0x6e/0x80
   <EOI> [<ffffffff815bc83c>] ? cpuidle_enter_state+0xcc/0x230
  [<ffffffff815bc80c>] ? cpuidle_enter_state+0x9c/0x230
  [<ffffffff815bc9d7>] ? cpuidle_enter+0x17/0x20
  [<ffffffff810cd6dc>] ? cpu_startup_entry+0x38c/0x420
  [<ffffffff81053373>] ? start_secondary+0x173/0x1e0

Because a divide-by-zero error happens in function:

update_group_capacity()
  update_cpu_capacity()
    scale_rt_capacity()
     {
          ...
          total = sched_avg_period() + delta;
          used = div_u64(avg, total);
          ...
     }

To fix this issue, check user input value of sysctl_sched_time_avg, keep
it unchanged when hitting invalid input, and set the minimum limit of
sysctl_sched_time_avg to 1 ms.

Reported-by: James Puthukattukaran <james.puthukattukaran@oracle.com>
Signed-off-by: Ethan Zhao <ethan.zhao@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: efault@gmx.de
Cc: ethan.kernel@gmail.com
Cc: keescook@chromium.org
Cc: mcgrof@kernel.org
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/1504504774-18253-1-git-send-email-ethan.zhao@oracle.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Steve Muckle <smuckle@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sysctl.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -342,7 +342,8 @@ static struct ctl_table kern_table[] = {
 		.data		= &sysctl_sched_time_avg,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= &one,
 	},
 	{
 		.procname	= "sched_shares_window_ns",
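
Review bot: `.extra1 = &one` gives only a lower bound, and `proc_dointvec_minmax` parses a signed int while `.maxlen` is `sizeof(unsigned int)`, so the entry now rejects 0 and negative writes but still has no `.extra2` ceiling. Since the value feeds the divisor shown in the changelog (`total = sched_avg_period() + delta`), it is worth either adding an upper limit or saying in the changelog why none is needed. For this backport, also confirm that `one` is defined in this tree's kernel/sysctl.c, as the hunk does not show it.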




* [PATCH 4.4 02/80] Cipso: cipso_v4_optptr enter infinite loop
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 01/80] sched/sysctl: Check user input value of sysctl_sched_time_avg Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 03/80] vti6: fix PMTU caching and reporting on xmit Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, yujuan.qi, Paul Moore, David S. Miller

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: yujuan.qi <yujuan.qi@mediatek.com>

commit 40413955ee265a5e42f710940ec78f5450d49149 upstream.

In the for() loop, if ((optlen > 0) && (optptr[1] == 0)), the function enters an infinite loop.

Test: receiving a packet whose IP length is > 20 and whose first IP option byte is 0 produces this issue.

Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/cipso_ipv4.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1593,9 +1593,17 @@ unsigned char *cipso_v4_optptr(const str
 	int taglen;
 
 	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
-		if (optptr[0] == IPOPT_CIPSO)
+		switch (optptr[0]) {
+		case IPOPT_CIPSO:
 			return optptr;
-		taglen = optptr[1];
+		case IPOPT_END:
+			return NULL;
+		case IPOPT_NOOP:
+			taglen = 1;
+			break;
+		default:
+			taglen = optptr[1];
+		}
 		optlen -= taglen;
 		optptr += taglen;
 	}
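
Review bot: the `default:` arm still uses `taglen = optptr[1]` without checking it, so any option type other than IPOPT_END or IPOPT_NOOP that carries a zero length byte leaves `optlen` and `optptr` unchanged and the loop spins as before. Suggest returning NULL in that arm when `taglen` is 0, and checking that at least two option bytes remain before reading `optptr[1]`, since with `optlen == 1` that read is one byte past the options. An explicit `break;` at the end of `default:` would also match the other arms.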




* [PATCH 4.4 03/80] vti6: fix PMTU caching and reporting on xmit
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 01/80] sched/sysctl: Check user input value of sysctl_sched_time_avg Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 02/80] Cipso: cipso_v4_optptr enter infinite loop Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-11 23:22   ` Ben Hutchings
  2018-09-03 16:48 ` [PATCH 4.4 04/80] xfrm: fix missing dst_release() after policy blocking lbcast and multicast Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  80 siblings, 1 reply; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eyal Birger, Steffen Klassert, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eyal Birger <eyal.birger@gmail.com>

[ Upstream commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ]

When setting the skb->dst before doing the MTU check, the route PMTU
caching and reporting is done on the new dst which is about to be
released.

Instead, PMTU handling should be done using the original dst.

This is aligned with IPv4 VTI.

Fixes: ccd740cbc6 ("vti6: Add pmtu handling to vti6_xmit.")
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -469,10 +469,6 @@ vti6_xmit(struct sk_buff *skb, struct ne
 		goto tx_err_dst_release;
 	}
 
-	skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
-	skb_dst_set(skb, dst);
-	skb->dev = skb_dst(skb)->dev;
-
 	mtu = dst_mtu(dst);
 	if (!skb->ignore_df && skb->len > mtu) {
 		skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
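
Review bot: in the unchanged line `skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);` the ops now come from the skb's original dst, but the first argument is still `dst`, the new route that is about to be released. The changelog says PMTU handling should be done on the original dst, so with the `skb_dst_set()` moved below this point the call should pass `skb_dst(skb)` as the dst argument as well. As written the backport mixes the two entries.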
@@ -487,9 +483,14 @@ vti6_xmit(struct sk_buff *skb, struct ne
 				  htonl(mtu));
 		}
 
-		return -EMSGSIZE;
+		err = -EMSGSIZE;
+		goto tx_err_dst_release;
 	}
 
+	skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
+	skb_dst_set(skb, dst);
+	skb->dev = skb_dst(skb)->dev;
+
 	err = dst_output(t->net, skb->sk, skb);
 	if (net_xmit_eval(err) == 0) {
 		struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
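
Review bot: the changelog says nothing about the oversize path switching from `return -EMSGSIZE;` to `err = -EMSGSIZE; goto tx_err_dst_release;`. That is a separate behaviour change (the new dst is now dropped on this path) and deserves a sentence of its own. Please also confirm that the code at `tx_err_dst_release` hands `err` back to the caller, since the label body is not in the hunk and the old code returned -EMSGSIZE directly.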




* [PATCH 4.4 04/80] xfrm: fix missing dst_release() after policy blocking lbcast and multicast
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 03/80] vti6: fix PMTU caching and reporting on xmit Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 05/80] xfrm: free skb if nlsk pointer is NULL Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tommi Rantala, Steffen Klassert, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tommi Rantala <tommi.t.rantala@nokia.com>

[ Upstream commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 ]

Fix missing dst_release() when local broadcast or multicast traffic is
xfrm policy blocked.

For IPv4 this results in a dst leak: ip_route_output_flow() allocates
dst_entry via __ip_route_output_key() and passes it to
xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
propagated. The dst that was allocated is never released.

IPv4 local broadcast testcase:
 ping -b 192.168.1.255 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block

IPv4 multicast testcase:
 ping 224.0.0.1 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block

For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
 ip netns add TEST
 ip netns exec TEST ip link set lo up
 ip link add dummy0 type dummy
 ip link set dev dummy0 netns TEST
 ip netns exec TEST ip addr add fd00::1111 dev dummy0
 ip netns exec TEST ip link set dummy0 up
 ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
 sleep 1
 ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
 wait
 ip netns del TEST

After netns deletion we see:
[  258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2

Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_policy.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2326,6 +2326,9 @@ struct dst_entry *xfrm_lookup_route(stru
 	if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
 		return make_blackhole(net, dst_orig->ops->family, dst_orig);
 
+	if (IS_ERR(dst))
+		dst_release(dst_orig);
+
 	return dst;
 }
 EXPORT_SYMBOL(xfrm_lookup_route);
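
Review bot: the added `if (IS_ERR(dst)) dst_release(dst_orig);` makes xfrm_lookup_route() consume `dst_orig` on every error return, which is an ownership rule callers cannot see from the code. Any caller that still releases its own reference after an ERR_PTR would now drop it twice, so the callers in this tree need an audit. A short comment above the function stating that `dst_orig` is released on error would document the contract.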




* [PATCH 4.4 05/80] xfrm: free skb if nlsk pointer is NULL
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 04/80] xfrm: fix missing dst_release() after policy blocking lbcast and multicast Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 06/80] mac80211: add stations tied to AP_VLANs during hw reconfig Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Westphal, Steffen Klassert,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 86126b77dcd551ce223e7293bb55854e3df05646 ]

nlmsg_multicast() always frees the skb, so in case we cannot call
it we must do that ourselves.

Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_user.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -980,10 +980,12 @@ static inline int xfrm_nlmsg_multicast(s
 {
 	struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
 
-	if (nlsk)
-		return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
-	else
-		return -1;
+	if (!nlsk) {
+		kfree_skb(skb);
+		return -EPIPE;
+	}
+
+	return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
 }
 
 static inline size_t xfrm_spdinfo_msgsize(void)
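
Review bot: besides adding the `kfree_skb(skb)`, the `!nlsk` branch changes the return value from `-1` to `-EPIPE`, which the changelog does not mention. Callers of xfrm_nlmsg_multicast() that test for a specific value or pass the result up to userspace should be checked against the new errno. A comment noting that the skb is always consumed, on both paths, would make the contract explicit.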




* [PATCH 4.4 06/80] mac80211: add stations tied to AP_VLANs during hw reconfig
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 05/80] xfrm: free skb if nlsk pointer is NULL Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 07/80] nl80211: Add a missing break in parse_station_flags Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manikanta Pubbisetty, Johannes Berg,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "mpubbise@codeaurora.org" <mpubbise@codeaurora.org>

[ Upstream commit 19103a4bfb42f320395daa5616ece3e89e759d63 ]

As part of hw reconfig, only stations linked to AP interfaces are added
back to the driver ignoring those which are tied to AP_VLAN interfaces.

It is true that there could be stations tied to the AP_VLAN interface while
serving 4addr clients or when using AP_VLAN for VLAN operations; we should
be adding these stations back to the driver as part of hw reconfig, failing
to do so can cause functional issues.

In the case of ath10k driver, the following errors were observed.

ath10k_pci : failed to install key for non-existent peer XX:XX:XX:XX:XX:XX
Workqueue: events_freezable ieee80211_restart_work [mac80211]
(unwind_backtrace) from (show_stack+0x10/0x14)
(show_stack) (dump_stack+0x80/0xa0)
(dump_stack) (warn_slowpath_common+0x68/0x8c)
(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
(warn_slowpath_null) (ieee80211_enable_keys+0x88/0x154 [mac80211])
(ieee80211_enable_keys) (ieee80211_reconfig+0xc90/0x19c8 [mac80211])
(ieee80211_reconfig]) (ieee80211_restart_work+0x8c/0xa0 [mac80211])
(ieee80211_restart_work) (process_one_work+0x284/0x488)
(process_one_work) (worker_thread+0x228/0x360)
(worker_thread) (kthread+0xd8/0xec)
(kthread) (ret_from_fork+0x14/0x24)

Also while bringing down the AP VAP, WARN_ONs and errors related to peer
removal were observed.

ath10k_pci : failed to clear all peer wep keys for vdev 0: -2
ath10k_pci : failed to disassociate station: 8c:fd:f0:0a:8c:f5 vdev 0: -2
(unwind_backtrace) (show_stack+0x10/0x14)
(show_stack) (dump_stack+0x80/0xa0)
(dump_stack) (warn_slowpath_common+0x68/0x8c)
(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
(warn_slowpath_null) (sta_set_sinfo+0xb98/0xc9c [mac80211])
(sta_set_sinfo [mac80211]) (__sta_info_flush+0xf0/0x134 [mac80211])
(__sta_info_flush [mac80211]) (ieee80211_stop_ap+0xe8/0x390 [mac80211])
(ieee80211_stop_ap [mac80211]) (__cfg80211_stop_ap+0xe0/0x3dc [cfg80211])
(__cfg80211_stop_ap [cfg80211]) (cfg80211_stop_ap+0x30/0x44 [cfg80211])
(cfg80211_stop_ap [cfg80211]) (genl_rcv_msg+0x274/0x30c)
(genl_rcv_msg) (netlink_rcv_skb+0x58/0xac)
(netlink_rcv_skb) (genl_rcv+0x20/0x34)
(genl_rcv) (netlink_unicast+0x11c/0x204)
(netlink_unicast) (netlink_sendmsg+0x30c/0x370)
(netlink_sendmsg) (sock_sendmsg+0x70/0x84)
(sock_sendmsg) (___sys_sendmsg.part.3+0x188/0x228)
(___sys_sendmsg.part.3) (__sys_sendmsg+0x4c/0x70)
(__sys_sendmsg) (ret_fast_syscall+0x0/0x44)

These issues got fixed by adding the stations which are
tied to AP_VLANs back to the driver.

Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/util.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2006,7 +2006,8 @@ int ieee80211_reconfig(struct ieee80211_
 		if (!sta->uploaded)
 			continue;
 
-		if (sta->sdata->vif.type != NL80211_IFTYPE_AP)
+		if (sta->sdata->vif.type != NL80211_IFTYPE_AP &&
+		    sta->sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
 			continue;
 
 		for (state = IEEE80211_STA_NOTEXIST;
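
Review bot: the widened test lets AP_VLAN stations fall through to the state loop that starts at `for (state = IEEE80211_STA_NOTEXIST;`, so that loop now runs with `sta->sdata` pointing at an AP_VLAN interface. Please confirm that the driver calls inside it handle an AP_VLAN sdata, as the hunk does not show them. A one-line comment above the condition explaining why AP_VLAN is included (4addr clients, VLAN operation) would save the next reader a trip to the changelog.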




* [PATCH 4.4 07/80] nl80211: Add a missing break in parse_station_flags
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 06/80] mac80211: add stations tied to AP_VLANs during hw reconfig Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 08/80] drm/bridge: adv7511: Reset registers on hotplug Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bernd Edlinger, Johannes Berg, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bernd Edlinger <bernd.edlinger@hotmail.de>

[ Upstream commit 5cf3006cc81d9aa09a10aa781fc065546b12919d ]

I was looking at usually suppressed gcc warnings,
[-Wimplicit-fallthrough=] in this case:

The code definitely looks like a break is missing here.
However I am not able to test the NL80211_IFTYPE_MESH_POINT,
nor do I actually know what might be :)
So please use this patch with caution and only if you are
able to do some testing.

Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
[johannes: looks obvious enough to apply as is, interesting
 though that it never seems to have been a problem]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/nl80211.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3578,6 +3578,7 @@ static int parse_station_flags(struct ge
 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
 					 BIT(NL80211_STA_FLAG_MFP) |
 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
+		break;
 	default:
 		return -EINVAL;
 	}
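
Review bot: the added break after the sta_flags_mask assignment changes this case from falling into "default: return -EINVAL" to returning success with the mask set, and the commit message says the NL80211_IFTYPE_MESH_POINT path was not tested. Before this goes to stable it would be good to have a test result for that interface type, since requests that used to be rejected will now be accepted.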



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 08/80] drm/bridge: adv7511: Reset registers on hotplug
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 07/80] nl80211: Add a missing break in parse_station_flags Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 09/80] scsi: libiscsi: fix possible NULL pointer dereference in case of TMF Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Clark, Archit Taneja, Sean Paul,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Paul <seanpaul@chromium.org>

[ Upstream commit 5f3417569165a8ee57654217f73e0160312f409c ]

The bridge loses its hw state when the cable is unplugged. If we detect
this case in the hpd handler, reset its state.

Reported-by: Rob Clark <robdclark@gmail.com>
Tested-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20180703165648.120401-1-seanpaul@chromium.org
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i2c/adv7511.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/gpu/drm/i2c/adv7511.c
+++ b/drivers/gpu/drm/i2c/adv7511.c
@@ -450,6 +450,18 @@ static void adv7511_hpd_work(struct work
 	else
 		status = connector_status_disconnected;
 
+	/*
+	 * The bridge resets its registers on unplug. So when we get a plug
+	 * event and we're already supposed to be powered, cycle the bridge to
+	 * restore its state.
+	 */
+	if (status == connector_status_connected &&
+	    adv7511->connector.status == connector_status_disconnected &&
+	    adv7511->powered) {
+		regcache_mark_dirty(adv7511->regmap);
+		adv7511_power_on(adv7511);
+	}
+
 	if (adv7511->connector.status != status) {
 		adv7511->connector.status = status;
 		drm_kms_helper_hotplug_event(adv7511->connector.dev);
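
Review bot: the new comment in adv7511_hpd_work() says the bridge is "cycled", but the code only calls regcache_mark_dirty() and adv7511_power_on(); there is no power-off step, and nothing visible here shows that adv7511_power_on() writes the dirty cache back to the hardware. Either reword the comment to describe what is actually done (mark the cache dirty and re-run power-on so the registers are rewritten) or state that adv7511_power_on() performs the register sync.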



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 09/80] scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 08/80] drm/bridge: adv7511: Reset registers on hotplug Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 10/80] drm/imx: imx-ldb: disable LDB on driver bind Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Varun Prakash, Martin K. Petersen,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Varun Prakash <varun@chelsio.com>

[ Upstream commit a17037e7d59075053b522048742a08ac9500bde8 ]

In iscsi_check_tmf_restrictions() task->hdr is dereferenced to print the
opcode, it is possible that task->hdr is NULL.

There are two cases based on opcode argument:

1. ISCSI_OP_SCSI_CMD - In this case alloc_pdu() is called
after iscsi_check_tmf_restrictions()

iscsi_prep_scsi_cmd_pdu() -> iscsi_check_tmf_restrictions() -> alloc_pdu().

Transport drivers allocate memory for iSCSI hdr in alloc_pdu() and assign
it to task->hdr. In case of TMF task->hdr will be NULL resulting in NULL
pointer dereference.

2. ISCSI_OP_SCSI_DATA_OUT - In this case transport driver can free the
memory for iSCSI hdr after transmitting the pdu so task->hdr can be NULL or
invalid.

This patch fixes this issue by removing task->hdr->opcode from the printk
statement.

Signed-off-by: Varun Prakash <varun@chelsio.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/libiscsi.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -283,11 +283,11 @@ static int iscsi_check_tmf_restrictions(
 		 */
 		if (opcode != ISCSI_OP_SCSI_DATA_OUT) {
 			iscsi_conn_printk(KERN_INFO, conn,
-					  "task [op %x/%x itt "
+					  "task [op %x itt "
 					  "0x%x/0x%x] "
 					  "rejected.\n",
-					  task->hdr->opcode, opcode,
-					  task->itt, task->hdr_itt);
+					  opcode, task->itt,
+					  task->hdr_itt);
 			return -EACCES;
 		}
 		/*
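
Review bot: nothing at this iscsi_conn_printk() call records why task->hdr must not be touched, so the dereference can easily come back in a later logging cleanup. A one-line comment above the call, noting that task->hdr may be NULL or already freed at this point (the two cases from the commit message), would protect the fix.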
@@ -296,10 +296,10 @@ static int iscsi_check_tmf_restrictions(
 		 */
 		if (conn->session->fast_abort) {
 			iscsi_conn_printk(KERN_INFO, conn,
-					  "task [op %x/%x itt "
+					  "task [op %x itt "
 					  "0x%x/0x%x] fast abort.\n",
-					  task->hdr->opcode, opcode,
-					  task->itt, task->hdr_itt);
+					  opcode, task->itt,
+					  task->hdr_itt);
 			return -EACCES;
 		}
 		break;
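
Review bot: the format string in the fast_abort branch is still split across two literals ("task [op %x itt " and "0x%x/0x%x] fast abort.\n"), which makes the message hard to find with grep. Since both the string and its arguments are rewritten here anyway, joining the literal into one line would be a cheap improvement; the same applies to the three-part string in the hunk above.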



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 10/80] drm/imx: imx-ldb: disable LDB on driver bind
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 09/80] scsi: libiscsi: fix possible NULL pointer dereference in case of TMF Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 11/80] drm/imx: imx-ldb: check if channel is enabled before printing warning Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Stach, Philipp Zabel, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lucas Stach <l.stach@pengutronix.de>

[ Upstream commit b58262396fabd43dc869b576e3defdd23b32fe94 ]

The LVDS signal integrity is only guaranteed when the correct enable
sequence (first IPU DI, then LDB) is used. If the LDB display output was
active before the imx-drm driver is loaded (like when a bootsplash was
active) the DI will be disabled by the full IPU reset we do when loading
the driver. The LDB control registers are not part of the IPU range and
thus will remain unchanged.

This leads to the LDB still being active when the DI is getting enabled,
effectively reversing the required enable sequence. Fix this by also
disabling the LDB on driver bind.

Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/imx/imx-ldb.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/imx/imx-ldb.c
+++ b/drivers/gpu/drm/imx/imx-ldb.c
@@ -526,6 +526,9 @@ static int imx_ldb_bind(struct device *d
 		return PTR_ERR(imx_ldb->regmap);
 	}
 
+	/* disable LDB by resetting the control register to POR default */
+	regmap_write(imx_ldb->regmap, IOMUXC_GPR2, 0);
+
 	imx_ldb->dev = dev;
 
 	if (of_id)
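
Review bot: the return value of regmap_write(imx_ldb->regmap, IOMUXC_GPR2, 0) in imx_ldb_bind() is ignored, although the lines just above treat a bad regmap as a bind failure. If the write fails the LDB stays enabled and the enable-sequence problem from the commit message is still present, so the result should be checked and at least logged. The write also clears every bit of IOMUXC_GPR2, not only the LDB enables; the comment should say that the whole register is owned by this driver if that is the assumption.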



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 11/80] drm/imx: imx-ldb: check if channel is enabled before printing warning
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 10/80] drm/imx: imx-ldb: disable LDB on driver bind Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 12/80] usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Stach, Philipp Zabel, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lucas Stach <l.stach@pengutronix.de>

[ Upstream commit c80d673b91a6c81d765864e10f2b15110ee900ad ]

If the second LVDS channel has been disabled in the DT when using dual-channel
mode we should not print a warning.

Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/imx/imx-ldb.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/imx/imx-ldb.c
+++ b/drivers/gpu/drm/imx/imx-ldb.c
@@ -569,14 +569,14 @@ static int imx_ldb_bind(struct device *d
 		if (ret || i < 0 || i > 1)
 			return -EINVAL;
 
+		if (!of_device_is_available(child))
+			continue;
+
 		if (dual && i > 0) {
 			dev_warn(dev, "dual-channel mode, ignoring second output\n");
 			continue;
 		}
 
-		if (!of_device_is_available(child))
-			continue;
-
 		channel = &imx_ldb->channel[i];
 		channel->ldb = imx_ldb;
 		channel->chno = i;
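
Review bot: of_device_is_available(child) is now tested before the dual-channel warning, but it still comes after the "if (ret || i < 0 || i > 1) return -EINVAL;" check, so a child node that is disabled in the DT and has a missing or out-of-range reg still fails the whole bind. If disabled children are meant to be ignored, the availability test should move above the reg validation as well.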



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 12/80] usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 11/80] drm/imx: imx-ldb: check if channel is enabled before printing warning Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 13/80] usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, Felipe Balbi, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit 0602088b10a7c0b4e044a810678ef93d7cc5bf48 ]

The driver may sleep with holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16.7 are:

[FUNC] msleep
drivers/usb/gadget/udc/r8a66597-udc.c, 839:
		msleep in init_controller
drivers/usb/gadget/udc/r8a66597-udc.c, 96:
		init_controller in r8a66597_usb_disconnect
drivers/usb/gadget/udc/r8a66597-udc.c, 93:
		spin_lock in r8a66597_usb_disconnect

[FUNC] msleep
drivers/usb/gadget/udc/r8a66597-udc.c, 835:
		msleep in init_controller
drivers/usb/gadget/udc/r8a66597-udc.c, 96:
		init_controller in r8a66597_usb_disconnect
drivers/usb/gadget/udc/r8a66597-udc.c, 93:
		spin_lock in r8a66597_usb_disconnect

To fix these bugs, msleep() is replaced with mdelay().

This bug is found by my static analysis tool (DSAC-2) and checked by
my code review.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/r8a66597-udc.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/udc/r8a66597-udc.c
+++ b/drivers/usb/gadget/udc/r8a66597-udc.c
@@ -835,11 +835,11 @@ static void init_controller(struct r8a66
 
 		r8a66597_bset(r8a66597, XCKE, SYSCFG0);
 
-		msleep(3);
+		mdelay(3);
 
 		r8a66597_bset(r8a66597, PLLC, SYSCFG0);
 
-		msleep(1);
+		mdelay(1);
 
 		r8a66597_bset(r8a66597, SCKE, SYSCFG0);
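
Review bot: mdelay(3) and mdelay(1) in init_controller() busy-wait for 4 ms in total, and per the commit message this path runs under the spinlock taken in r8a66597_usb_disconnect(), so the CPU now spins with the lock held for that long. That removes the sleep-in-atomic bug, but a comment at the two calls saying why msleep() cannot be used here would stop a later cleanup from converting them back; moving the clock bring-up outside the locked region would avoid the busy-wait altogether.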
 



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 13/80] usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 12/80] usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 14/80] usb/phy: fix PPC64 build errors in phy-fsl-usb.c Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, Felipe Balbi, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit f36b507c14c4b6e634463a610294e9cb0065c8ea ]

The driver may sleep in an interrupt handler.
The function call path (from bottom to top) in Linux-4.16.7 is:

[FUNC] r8a66597_queue(GFP_KERNEL)
drivers/usb/gadget/udc/r8a66597-udc.c, 1193:
		r8a66597_queue in get_status
drivers/usb/gadget/udc/r8a66597-udc.c, 1301:
		get_status in setup_packet
drivers/usb/gadget/udc/r8a66597-udc.c, 1381:
		setup_packet in irq_control_stage
drivers/usb/gadget/udc/r8a66597-udc.c, 1508:
		irq_control_stage in r8a66597_irq (interrupt handler)

To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.

This bug is found by my static analysis tool (DSAC-2) and checked by
my code review.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/r8a66597-udc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/udc/r8a66597-udc.c
+++ b/drivers/usb/gadget/udc/r8a66597-udc.c
@@ -1193,7 +1193,7 @@ __acquires(r8a66597->lock)
 	r8a66597->ep0_req->length = 2;
 	/* AV: what happens if we get called again before that gets through? */
 	spin_unlock(&r8a66597->lock);
-	r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_KERNEL);
+	r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_ATOMIC);
 	spin_lock(&r8a66597->lock);
 }
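
Review bot: the return value of r8a66597_queue() is still discarded after the change to GFP_ATOMIC. If the queue path allocates with the flags it is given, an atomic allocation fails more readily than a GFP_KERNEL one, and a failure here means the 2-byte ep0 status reply is silently never sent. Checking the result and logging or stalling on error would make that visible; the existing "AV: what happens if we get called again" comment on the unlock/lock window is also still unanswered.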
 



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 14/80] usb/phy: fix PPC64 build errors in phy-fsl-usb.c
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 13/80] usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 16/80] usb: gadget: f_uac2: fix endianness of struct cntrl_*_lay3 Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Felipe Balbi,
	linux-usb, Michael Ellerman, linuxppc-dev, Felipe Balbi,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit a39ba90a1cc7010edb0a7132e1b67f3d80b994e9 ]

Fix build errors when built for PPC64:
These variables are only used on PPC32 so they don't need to be
initialized for PPC64.

../drivers/usb/phy/phy-fsl-usb.c: In function 'usb_otg_start':
../drivers/usb/phy/phy-fsl-usb.c:865:3: error: '_fsl_readl' undeclared (first use in this function); did you mean 'fsl_readl'?
   _fsl_readl = _fsl_readl_be;
../drivers/usb/phy/phy-fsl-usb.c:865:16: error: '_fsl_readl_be' undeclared (first use in this function); did you mean 'fsl_readl'?
   _fsl_readl = _fsl_readl_be;
../drivers/usb/phy/phy-fsl-usb.c:866:3: error: '_fsl_writel' undeclared (first use in this function); did you mean 'fsl_writel'?
   _fsl_writel = _fsl_writel_be;
../drivers/usb/phy/phy-fsl-usb.c:866:17: error: '_fsl_writel_be' undeclared (first use in this function); did you mean 'fsl_writel'?
   _fsl_writel = _fsl_writel_be;
../drivers/usb/phy/phy-fsl-usb.c:868:16: error: '_fsl_readl_le' undeclared (first use in this function); did you mean 'fsl_readl'?
   _fsl_readl = _fsl_readl_le;
../drivers/usb/phy/phy-fsl-usb.c:869:17: error: '_fsl_writel_le' undeclared (first use in this function); did you mean 'fsl_writel'?
   _fsl_writel = _fsl_writel_le;

and the sysfs "show" function return type should be ssize_t, not int:

../drivers/usb/phy/phy-fsl-usb.c:1042:49: error: initialization of 'ssize_t (*)(struct device *, struct device_attribute *, char *)' {aka 'long int (*)(struct device *, struct device_attribute *, char *)'} from incompatible pointer type 'int (*)(struct device *, struct device_attribute *, char *)' [-Werror=incompatible-pointer-types]
 static DEVICE_ATTR(fsl_usb2_otg_state, S_IRUGO, show_fsl_usb2_otg_state, NULL);

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: linux-usb@vger.kernel.org
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/phy/phy-fsl-usb.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/phy/phy-fsl-usb.c
+++ b/drivers/usb/phy/phy-fsl-usb.c
@@ -879,6 +879,7 @@ int usb_otg_start(struct platform_device
 	if (pdata->init && pdata->init(pdev) != 0)
 		return -EINVAL;
 
+#ifdef CONFIG_PPC32
 	if (pdata->big_endian_mmio) {
 		_fsl_readl = _fsl_readl_be;
 		_fsl_writel = _fsl_writel_be;
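
Review bot: with the assignment block in usb_otg_start() wrapped in #ifdef CONFIG_PPC32, pdata->big_endian_mmio is silently ignored on every other configuration. A comment at the #ifdef saying that the _fsl_readl/_fsl_writel accessors exist only on PPC32, and a trailing /* CONFIG_PPC32 */ on the matching #endif, would make it clear that the flag is intentionally unused elsewhere.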
@@ -886,6 +887,7 @@ int usb_otg_start(struct platform_device
 		_fsl_readl = _fsl_readl_le;
 		_fsl_writel = _fsl_writel_le;
 	}
+#endif
 
 	/* request irq */
 	p_otg->irq = platform_get_irq(pdev, 0);
@@ -976,7 +978,7 @@ int usb_otg_start(struct platform_device
 /*
  * state file in sysfs
  */
-static int show_fsl_usb2_otg_state(struct device *dev,
+static ssize_t show_fsl_usb2_otg_state(struct device *dev,
 				   struct device_attribute *attr, char *buf)
 {
 	struct otg_fsm *fsm = &fsl_otg_dev->fsm;
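
Review bot: changing the return type of show_fsl_usb2_otg_state() from int to ssize_t makes the first line four characters longer, but the continuation line with "struct device_attribute *attr, char *buf" is unchanged context and no longer lines up with the opening parenthesis. Re-indent the continuation line in the same patch.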



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 16/80] usb: gadget: f_uac2: fix endianness of struct cntrl_*_lay3
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 14/80] usb/phy: fix PPC64 build errors in phy-fsl-usb.c Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 17/80] tools/power turbostat: fix -S on UP systems Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eugeniu Rosca, Ruslan Bilovol,
	Felipe Balbi, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eugeniu Rosca <roscaeugeniu@gmail.com>

[ Upstream commit eec24f2a0d4dc3b1d95a3ccd2feb523ede3ba775 ]

The list [1] of commits doing endianness fixes in USB subsystem is long
due to below quote from USB spec Revision 2.0 from April 27, 2000:

------------
8.1 Byte/Bit Ordering

Multiple byte fields in standard descriptors, requests, and responses
are interpreted as and moved over the bus in little-endian order, i.e.
LSB to MSB.
------------

This commit belongs to the same family.

[1] Example of endianness fixes in USB subsystem:
commit 14e1d56cbea6 ("usb: gadget: f_uac2: endianness fixes.")
commit 42370b821168 ("usb: gadget: f_uac1: endianness fixes.")
commit 63afd5cc7877 ("USB: chaoskey: fix Alea quirk on big-endian hosts")
commit 74098c4ac782 ("usb: gadget: acm: fix endianness in notifications")
commit cdd7928df0d2 ("ACM gadget: fix endianness in notifications")
commit 323ece54e076 ("cdc-wdm: fix endianness bug in debug statements")
commit e102609f1072 ("usb: gadget: uvc: Fix endianness mismatches")
       list goes on

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Reviewed-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>

Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_uac2.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/drivers/usb/gadget/function/f_uac2.c
+++ b/drivers/usb/gadget/function/f_uac2.c
@@ -941,14 +941,14 @@ static struct usb_descriptor_header *hs_
 };
 
 struct cntrl_cur_lay3 {
-	__u32	dCUR;
+	__le32	dCUR;
 };
 
 struct cntrl_range_lay3 {
-	__u16	wNumSubRanges;
-	__u32	dMIN;
-	__u32	dMAX;
-	__u32	dRES;
+	__le16	wNumSubRanges;
+	__le32	dMIN;
+	__le32	dMAX;
+	__le32	dRES;
 } __packed;
 
 static inline void
@@ -1296,9 +1296,9 @@ in_rq_cur(struct usb_function *fn, const
 		memset(&c, 0, sizeof(struct cntrl_cur_lay3));
 
 		if (entity_id == USB_IN_CLK_ID)
-			c.dCUR = p_srate;
+			c.dCUR = cpu_to_le32(p_srate);
 		else if (entity_id == USB_OUT_CLK_ID)
-			c.dCUR = c_srate;
+			c.dCUR = cpu_to_le32(c_srate);
 
 		value = min_t(unsigned, w_length, sizeof c);
 		memcpy(req->buf, &c, value);
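
Review bot: in in_rq_cur(), when entity_id is neither USB_IN_CLK_ID nor USB_OUT_CLK_ID, c.dCUR keeps the zero from the memset and is still copied to req->buf, while in_rq_range() returns -EOPNOTSUPP for the same condition (see the else branch in the next hunk). Since these lines are being touched anyway, adding the same else branch here would stop the gadget from reporting a 0 Hz sample rate for an unknown clock entity.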
@@ -1336,15 +1336,15 @@ in_rq_range(struct usb_function *fn, con
 
 	if (control_selector == UAC2_CS_CONTROL_SAM_FREQ) {
 		if (entity_id == USB_IN_CLK_ID)
-			r.dMIN = p_srate;
+			r.dMIN = cpu_to_le32(p_srate);
 		else if (entity_id == USB_OUT_CLK_ID)
-			r.dMIN = c_srate;
+			r.dMIN = cpu_to_le32(c_srate);
 		else
 			return -EOPNOTSUPP;
 
 		r.dMAX = r.dMIN;
 		r.dRES = 0;
-		r.wNumSubRanges = 1;
+		r.wNumSubRanges = cpu_to_le16(1);
 
 		value = min_t(unsigned, w_length, sizeof r);
 		memcpy(req->buf, &r, value);
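
Review bot: r.dRES = 0 in in_rq_range() is left as a bare assignment to a field that is now __le32, while wNumSubRanges and dMIN go through cpu_to_le16()/cpu_to_le32(). Zero has the same representation in either byte order so the wire data is correct, but writing cpu_to_le32(0) keeps every store to the struct visibly converted and avoids a wrong value if the resolution is ever made non-zero.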



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 17/80] tools/power turbostat: fix -S on UP systems
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 16/80] usb: gadget: f_uac2: fix endianness of struct cntrl_*_lay3 Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 18/80] net: caif: Add a missing rcu_read_unlock() in caif_flow_cb Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Artem Bityutskiy, Len Brown, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Len Brown <len.brown@intel.com>

[ Upstream commit 9d83601a9cc1884d1b5706ee2acc661d558c6838 ]

The -S (system summary) option failed to print any data on a 1-processor system.

Reported-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/power/x86/turbostat/turbostat.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -663,9 +663,7 @@ void format_all_counters(struct thread_d
 	if (!printed || !summary_only)
 		print_header();
 
-	if (topo.num_cpus > 1)
-		format_counters(&average.threads, &average.cores,
-			&average.packages);
+	format_counters(&average.threads, &average.cores, &average.packages);
 
 	printed = 1;
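
Review bot: with the topo.num_cpus > 1 guard removed, format_all_counters() emits the average row on single-CPU systems in every mode, not only with -S. The commit message describes the -S failure only; please confirm that a 1-processor run without -S does not now print the same numbers twice (the average row and the one per-CPU row), or keep the guard and bypass it only when summary_only is set.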
 



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 18/80] net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 17/80] tools/power turbostat: fix -S on UP systems Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 19/80] qed: Fix possible race for the link state value Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit 64119e05f7b31e83e2555f6782e6cdc8f81c63f4 ]

Add a missing rcu_read_unlock in the error path

Fixes: c95567c80352 ("caif: added check for potential null return")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/caif/caif_dev.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff
 	caifd = caif_get(skb->dev);
 
 	WARN_ON(caifd == NULL);
-	if (caifd == NULL)
+	if (!caifd) {
+		rcu_read_unlock();
 		return;
+	}
 
 	caifd_hold(caifd);
 	rcu_read_unlock();
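
Review bot: caif_flow_cb() now tests the same pointer twice in two styles, WARN_ON(caifd == NULL) and then if (!caifd). WARN_ON() returns its condition, so the two lines can be folded into "if (WARN_ON(!caifd)) {" with the rcu_read_unlock() and return inside, which keeps the warning and the error path together.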



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 19/80] qed: Fix possible race for the link state value.
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 18/80] net: caif: Add a missing rcu_read_unlock() in caif_flow_cb Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 20/80] atl1c: reserve min skb headroom Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sudarsana Reddy Kalluru, Ariel Elior,
	Michal Kalderon, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>

[ Upstream commit 58874c7b246109d8efb2b0099d1aa296d6bfc3fa ]

There's a possible race where driver can read link status in mid-transition
and see that virtual-link is up yet speed is 0. Since in this
mid-transition we're guaranteed to see a mailbox from MFW soon, we can
afford to treat this as link down.

Fixes: cc875c2e ("qed: Add link support")
Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qed/qed_mcp.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
@@ -420,6 +420,7 @@ static void qed_mcp_handle_link_change(s
 		break;
 	default:
 		p_link->speed = 0;
+		p_link->link_up = 0;
 	}
 
 	/* Correct speed according to bandwidth allocation */
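
Review bot: the new p_link->link_up = 0 in the default branch of qed_mcp_handle_link_change() overrides the link state read from the management firmware, and nothing in the code says why. A comment in that branch, stating that an unknown speed means the link is in mid-transition and is reported as down until the next MFW mailbox arrives, would carry the reasoning from the commit message into the source.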



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 4.4 20/80] atl1c: reserve min skb headroom
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 19/80] qed: Fix possible race for the link state value Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:48 ` [PATCH 4.4 21/80] net: prevent ISA drivers from building on PPC32 Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Westphal, Eric Dumazet,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 6e56830776828d8ca9897fc4429eeab47c3bb432 ]

Got crash report with following backtrace:
BUG: unable to handle kernel paging request at ffff8801869daffe
RIP: 0010:[<ffffffff816429c4>]  [<ffffffff816429c4>] ip6_finish_output2+0x394/0x4c0
RSP: 0018:ffff880186c83a98  EFLAGS: 00010283
RAX: ffff8801869db00e ...
  [<ffffffff81644cdc>] ip6_finish_output+0x8c/0xf0
  [<ffffffff81644d97>] ip6_output+0x57/0x100
  [<ffffffff81643dc9>] ip6_forward+0x4b9/0x840
  [<ffffffff81645566>] ip6_rcv_finish+0x66/0xc0
  [<ffffffff81645db9>] ipv6_rcv+0x319/0x530
  [<ffffffff815892ac>] netif_receive_skb+0x1c/0x70
  [<ffffffffc0060bec>] atl1c_clean+0x1ec/0x310 [atl1c]
  ...

The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
atl1c driver provided skb with no headroom, so 14 bytes (ethernet
header) got pulled, but then 16 are copied.

Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().

Compile tested only; I lack hardware.

Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/atheros/atl1c/atl1c_main.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
@@ -1683,6 +1683,7 @@ static struct sk_buff *atl1c_alloc_skb(s
 	skb = build_skb(page_address(page) + adapter->rx_page_offset,
 			adapter->rx_frag_size);
 	if (likely(skb)) {
+		skb_reserve(skb, NET_SKB_PAD);
 		adapter->rx_page_offset += adapter->rx_frag_size;
 		if (adapter->rx_page_offset >= PAGE_SIZE)
 			adapter->rx_page = NULL;
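Review bot: the `skb_reserve(skb, NET_SKB_PAD)` added right after `build_skb()` takes the headroom out of the same `adapter->rx_frag_size` buffer, and nothing in this hunk shows `rx_frag_size` or the DMA mapping being adjusted for it. Please confirm that the frag size computation already includes NET_SKB_PAD and that the receive address handed to the hardware is taken from `skb->data` after the reserve; otherwise the usable receive area shrinks by NET_SKB_PAD bytes or the device writes at the unreserved offset. Since the commit message says this was compile tested only, a Tested-by on atl1c hardware would be good to have before this goes to stable.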




* [PATCH 4.4 21/80] net: prevent ISA drivers from building on PPC32
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 20/80] atl1c: reserve min skb headroom Greg Kroah-Hartman
@ 2018-09-03 16:48 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 22/80] can: mpc5xxx_can: check of_iomap return before use Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Michael Ellerman,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit c9ce1fa1c24b08e13c2a3b5b1f94a19c9eaa982c ]

Prevent drivers from building on PPC32 if they use isa_bus_to_virt(),
isa_virt_to_bus(), or isa_page_to_bus(), which are not available and
thus cause build errors.

../drivers/net/ethernet/3com/3c515.c: In function 'corkscrew_open':
../drivers/net/ethernet/3com/3c515.c:824:9: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]

../drivers/net/ethernet/amd/lance.c: In function 'lance_rx':
../drivers/net/ethernet/amd/lance.c:1203:23: error: implicit declaration of function 'isa_bus_to_virt'; did you mean 'bus_to_virt'? [-Werror=implicit-function-declaration]

../drivers/net/ethernet/amd/ni65.c: In function 'ni65_init_lance':
../drivers/net/ethernet/amd/ni65.c:585:20: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]

../drivers/net/ethernet/cirrus/cs89x0.c: In function 'net_open':
../drivers/net/ethernet/cirrus/cs89x0.c:897:20: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/3com/Kconfig   |    2 +-
 drivers/net/ethernet/amd/Kconfig    |    4 ++--
 drivers/net/ethernet/cirrus/Kconfig |    1 +
 3 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/3com/Kconfig
+++ b/drivers/net/ethernet/3com/Kconfig
@@ -32,7 +32,7 @@ config EL3
 
 config 3C515
 	tristate "3c515 ISA \"Fast EtherLink\""
-	depends on ISA && ISA_DMA_API
+	depends on ISA && ISA_DMA_API && !PPC32
 	---help---
 	  If you have a 3Com ISA EtherLink XL "Corkscrew" 3c515 Fast Ethernet
 	  network card, say Y here.
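Review bot: the `&& !PPC32` added to the 3C515 `depends on` line excludes one architecture by name instead of expressing what is actually missing, and the Kconfig entry carries no comment saying why. The commit message names the cause (isa_virt_to_bus() is not available on PPC32); a one-line comment above the `depends on` would keep that reason next to the dependency and would help when another architecture without these helpers hits the same build error.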
--- a/drivers/net/ethernet/amd/Kconfig
+++ b/drivers/net/ethernet/amd/Kconfig
@@ -44,7 +44,7 @@ config AMD8111_ETH
 
 config LANCE
 	tristate "AMD LANCE and PCnet (AT1500 and NE2100) support"
-	depends on ISA && ISA_DMA_API && !ARM
+	depends on ISA && ISA_DMA_API && !ARM && !PPC32
 	---help---
 	  If you have a network (Ethernet) card of this type, say Y here.
 	  Some LinkSys cards are of this type.
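Review bot: with this hunk the LANCE dependency reads `ISA && ISA_DMA_API && !ARM && !PPC32`, a growing list of excluded architectures, and the NI65 entry in the next hunk gets the same treatment. If the common condition is the lack of isa_bus_to_virt() and isa_virt_to_bus(), it is worth asking whether a single shared dependency would be cleaner than repeating the exclusion in every driver entry.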
@@ -138,7 +138,7 @@ config PCMCIA_NMCLAN
 
 config NI65
 	tristate "NI6510 support"
-	depends on ISA && ISA_DMA_API && !ARM
+	depends on ISA && ISA_DMA_API && !ARM && !PPC32
 	---help---
 	  If you have a network (Ethernet) card of this type, say Y here.
 
--- a/drivers/net/ethernet/cirrus/Kconfig
+++ b/drivers/net/ethernet/cirrus/Kconfig
@@ -19,6 +19,7 @@ if NET_VENDOR_CIRRUS
 config CS89x0
 	tristate "CS89x0 support"
 	depends on ISA || EISA || ARM
+	depends on !PPC32
 	---help---
 	  Support for CS89x0 chipset based Ethernet cards. If you have a
 	  network (Ethernet) card of this type, say Y and read the file
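Review bot: the CS89x0 entry gets a second, separate `depends on !PPC32` line, while the other three drivers in this patch extend their existing expression with `&& !PPC32`. Kconfig ANDs multiple `depends on` lines, so the result is correct, and the separate line avoids having to parenthesize `ISA || EISA || ARM`; saying so in the commit message would answer the question for the next reader.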




* [PATCH 4.4 22/80] can: mpc5xxx_can: check of_iomap return before use
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2018-09-03 16:48 ` [PATCH 4.4 21/80] net: prevent ISA drivers from building on PPC32 Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 23/80] i2c: davinci: Avoid zero value of CLKH Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Mc Guire, Marc Kleine-Budde,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

[ Upstream commit b5c1a23b17e563b656cc9bb76ce5323b997d90e8 ]

of_iomap() can return NULL so that return needs to be checked and NULL
treated as failure. While at it also take care of the missing
of_node_put() in the error path.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: commit afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/mscan/mpc5xxx_can.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/net/can/mscan/mpc5xxx_can.c
+++ b/drivers/net/can/mscan/mpc5xxx_can.c
@@ -86,6 +86,11 @@ static u32 mpc52xx_can_get_clock(struct
 		return 0;
 	}
 	cdm = of_iomap(np_cdm, 0);
+	if (!cdm) {
+		of_node_put(np_cdm);
+		dev_err(&ofdev->dev, "can't map clock node!\n");
+		return 0;
+	}
 
 	if (in_8(&cdm->ipb_clk_sel) & 0x1)
 		freq *= 2;
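Review bot: the new `if (!cdm)` branch drops the node reference with `of_node_put(np_cdm)` before returning, but the hunk does not show the matching `of_node_put()` and `iounmap(cdm)` on the success path after the `in_8(&cdm->ipb_clk_sel)` read. Please check that the normal exit releases both, so the error path and the success path stay symmetric. The branch also returns 0, like the earlier failure return visible in the context, so the caller has to treat a zero clock as an error.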




* [PATCH 4.4 23/80] i2c: davinci: Avoid zero value of CLKH
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 22/80] can: mpc5xxx_can: check of_iomap return before use Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 24/80] media: staging: omap4iss: Include asm/cacheflush.h after generic includes Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Sverdlin, Sekhar Nori,
	Wolfram Sang, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Sverdlin <alexander.sverdlin@nokia.com>

[ Upstream commit cc8de9a68599b261244ea453b38678229f06ada7 ]

If CLKH is set to 0 I2C clock is not generated at all, so avoid this value
and stretch the clock in this case.

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Acked-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-davinci.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/i2c/busses/i2c-davinci.c
+++ b/drivers/i2c/busses/i2c-davinci.c
@@ -234,12 +234,16 @@ static void i2c_davinci_calc_clk_divider
 	/*
 	 * It's not always possible to have 1 to 2 ratio when d=7, so fall back
 	 * to minimal possible clkh in this case.
+	 *
+	 * Note:
+	 * CLKH is not allowed to be 0, in this case I2C clock is not generated
+	 * at all
 	 */
-	if (clk >= clkl + d) {
+	if (clk > clkl + d) {
 		clkh = clk - clkl - d;
 		clkl -= d;
 	} else {
-		clkh = 0;
+		clkh = 1;
 		clkl = clk - (d << 1);
 	}
 
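Review bot: in the `else` branch, `clkh = 1` together with `clkl = clk - (d << 1)` makes the programmed period one count longer than in the `if` branch: taking the period as (clkh + d) + (clkl + d), the `if` branch adds up to `clk` and the `else` branch to `clk + 1`. The commit message calls this stretching the clock, but the added comment only says that CLKH must not be 0; please say in the comment that the bus frequency ends up slightly below the requested one in this case. The change from `>=` to `>` is what routes the `clk == clkl + d` case into this branch, which also deserves a word in the comment.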




* [PATCH 4.4 24/80] media: staging: omap4iss: Include asm/cacheflush.h after generic includes
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 23/80] i2c: davinci: Avoid zero value of CLKH Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 25/80] bnx2x: Fix invalid memory access in rss hash config path Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Torvalds, David S. Miller,
	Randy Dunlap, Guenter Roeck, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

[ Upstream commit 0894da849f145af51bde88a6b84f95b9c9e0bc66 ]

Including asm/cacheflush.h first results in the following build error
when trying to build sparc32:allmodconfig, because 'struct page' has not
been declared, and the function declaration ends up creating a separate
(private) declaration of struct page (as a result of function arguments
being in the scope of the function declaration and definition, not in
global scope).

The C scoping rules do not just affect variable visibility, they also
affect type declaration visibility.

The end result is that when the actual call site is seen in
<linux/highmem.h>, the 'struct page' type in the caller is not the same
'struct page' that the function was declared with, resulting in:

  In file included from arch/sparc/include/asm/page.h:10:0,
                   ...
                   from drivers/staging/media/omap4iss/iss_video.c:15:
  include/linux/highmem.h: In function 'clear_user_highpage':
  include/linux/highmem.h:137:31: error:
	passing argument 1 of 'sparc_flush_page_to_ram' from incompatible
	pointer type

Include generic includes files first to fix the problem.

Fixes: fc96d58c10162 ("[media] v4l: omap4iss: Add support for OMAP4 camera interface - Video devices")
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: David S. Miller <davem@davemloft.net>
Cc: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[ Added explanation of C scope rules - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/media/omap4iss/iss_video.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/staging/media/omap4iss/iss_video.c
+++ b/drivers/staging/media/omap4iss/iss_video.c
@@ -11,7 +11,6 @@
  * (at your option) any later version.
  */
 
-#include <asm/cacheflush.h>
 #include <linux/clk.h>
 #include <linux/mm.h>
 #include <linux/pagemap.h>
@@ -22,6 +21,8 @@
 #include <media/v4l2-dev.h>
 #include <media/v4l2-ioctl.h>
 
+#include <asm/cacheflush.h>
+
 #include "iss_video.h"
 #include "iss.h"
 
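Review bot: the `#include <asm/cacheflush.h>` now placed after the `<media/...>` includes only works because of its position, and nothing at the include says so. A short comment there (for example, that it must follow the generic includes so that 'struct page' is already declared) would stop a later include re-sort from bringing the sparc32 build error back. The underlying problem described in the commit message, a header that uses 'struct page' without declaring it, remains for any other file that includes it first.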




* [PATCH 4.4 25/80] bnx2x: Fix invalid memory access in rss hash config path.
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 24/80] media: staging: omap4iss: Include asm/cacheflush.h after generic includes Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 26/80] net: axienet: Fix double deregister of mdio Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sudarsana Reddy Kalluru,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>

[ Upstream commit ae2dcb28c24794a87e424a726a1cf1a61980f52d ]

Rx hash/filter table configuration uses rss_conf_obj to configure filters
in the hardware. This object is initialized only when the interface is
brought up.
This patch adds driver changes to configure rss params only when the device
is in opened state. In port disabled case, the config will be cached in the
driver structure which will be applied in the successive load path.

Please consider applying it to 'net' branch.

Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
@@ -3360,14 +3360,18 @@ static int bnx2x_set_rss_flags(struct bn
 			DP(BNX2X_MSG_ETHTOOL,
 			   "rss re-configured, UDP 4-tupple %s\n",
 			   udp_rss_requested ? "enabled" : "disabled");
-			return bnx2x_rss(bp, &bp->rss_conf_obj, false, true);
+			if (bp->state == BNX2X_STATE_OPEN)
+				return bnx2x_rss(bp, &bp->rss_conf_obj, false,
+						 true);
 		} else if ((info->flow_type == UDP_V6_FLOW) &&
 			   (bp->rss_conf_obj.udp_rss_v6 != udp_rss_requested)) {
 			bp->rss_conf_obj.udp_rss_v6 = udp_rss_requested;
 			DP(BNX2X_MSG_ETHTOOL,
 			   "rss re-configured, UDP 4-tupple %s\n",
 			   udp_rss_requested ? "enabled" : "disabled");
-			return bnx2x_rss(bp, &bp->rss_conf_obj, false, true);
+			if (bp->state == BNX2X_STATE_OPEN)
+				return bnx2x_rss(bp, &bp->rss_conf_obj, false,
+						 true);
 		}
 		return 0;
 
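Review bot: in both UDP branches the `DP(BNX2X_MSG_ETHTOOL, "rss re-configured, ...")` message is still printed before the new `bp->state == BNX2X_STATE_OPEN` test, so it is logged even when nothing is sent to the hardware. Either move the message under the state check or reword it for the case where the setting is only cached in `bp->rss_conf_obj`.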
@@ -3481,7 +3485,10 @@ static int bnx2x_set_rxfh(struct net_dev
 		bp->rss_conf_obj.ind_table[i] = indir[i] + bp->fp->cl_id;
 	}
 
-	return bnx2x_config_rss_eth(bp, false);
+	if (bp->state == BNX2X_STATE_OPEN)
+		return bnx2x_config_rss_eth(bp, false);
+
+	return 0;
 }
 
 /**
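Review bot: when the device is not open, `bnx2x_set_rxfh()` now returns 0 after only updating `bp->rss_conf_obj.ind_table[]`, so the caller is told the setting succeeded. That is only true if the load path applies this cached table rather than rebuilding it with defaults; the hunk does not show that path, so please confirm it and mention it in a comment above the new `if`.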




* [PATCH 4.4 26/80] net: axienet: Fix double deregister of mdio
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 25/80] bnx2x: Fix invalid memory access in rss hash config path Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 27/80] fscache: Allow cancelled operations to be enqueued Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shubhrajyoti Datta, David S. Miller,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>

[ Upstream commit 03bc7cab7d7218088412a75e141696a89059ab00 ]

If the registration fails then mdio_unregister is called.
However at unbind the unregister is attempted again resulting
in the below crash

[   73.544038] kernel BUG at drivers/net/phy/mdio_bus.c:415!
[   73.549362] Internal error: Oops - BUG: 0 [#1] SMP
[   73.554127] Modules linked in:
[   73.557168] CPU: 0 PID: 2249 Comm: sh Not tainted 4.14.0 #183
[   73.562895] Hardware name: xlnx,zynqmp (DT)
[   73.567062] task: ffffffc879e41180 task.stack: ffffff800cbe0000
[   73.572973] PC is at mdiobus_unregister+0x84/0x88
[   73.577656] LR is at axienet_mdio_teardown+0x18/0x30
[   73.582601] pc : [<ffffff80085fa4cc>] lr : [<ffffff8008616858>]
pstate: 20000145
[   73.589981] sp : ffffff800cbe3c30
[   73.593277] x29: ffffff800cbe3c30 x28: ffffffc879e41180
[   73.598573] x27: ffffff8008a21000 x26: 0000000000000040
[   73.603868] x25: 0000000000000124 x24: ffffffc879efe920
[   73.609164] x23: 0000000000000060 x22: ffffffc879e02000
[   73.614459] x21: ffffffc879e02800 x20: ffffffc87b0b8870
[   73.619754] x19: ffffffc879e02800 x18: 000000000000025d
[   73.625050] x17: 0000007f9a719ad0 x16: ffffff8008195bd8
[   73.630345] x15: 0000007f9a6b3d00 x14: 0000000000000010
[   73.635640] x13: 74656e7265687465 x12: 0000000000000030
[   73.640935] x11: 0000000000000030 x10: 0101010101010101
[   73.646231] x9 : 241f394f42533300 x8 : ffffffc8799f6e98
[   73.651526] x7 : ffffffc8799f6f18 x6 : ffffffc87b0ba318
[   73.656822] x5 : ffffffc87b0ba498 x4 : 0000000000000000
[   73.662117] x3 : 0000000000000000 x2 : 0000000000000008
[   73.667412] x1 : 0000000000000004 x0 : ffffffc8799f4000
[   73.672708] Process sh (pid: 2249, stack limit = 0xffffff800cbe0000)

Fix the same by making the bus NULL on unregister.

Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
@@ -218,6 +218,7 @@ issue:
 	ret = of_mdiobus_register(bus, np1);
 	if (ret) {
 		mdiobus_free(bus);
+		lp->mii_bus = NULL;
 		return ret;
 	}
 	return 0;
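Review bot: setting `lp->mii_bus = NULL` in the `of_mdiobus_register()` failure branch only helps if the teardown side tests the pointer, and this patch does not touch `axienet_mdio_teardown()`, which the trace in the commit message shows calling `mdiobus_unregister()`. Please check that teardown (or its caller) skips the unregister when `lp->mii_bus` is NULL; otherwise the BUG is traded for a NULL dereference at unbind.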




* [PATCH 4.4 27/80] fscache: Allow cancelled operations to be enqueued
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 26/80] net: axienet: Fix double deregister of mdio Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 28/80] cachefiles: Fix refcounting bug in backing-file read monitoring Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kiran Kumar Modukuri, David Howells,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

[ Upstream commit d0eb06afe712b7b103b6361f40a9a0c638524669 ]

Alter the state-check assertion in fscache_enqueue_operation() to allow
cancelled operations to be given processing time so they can be cleaned up.

Also fix a debugging statement that was requiring such operations to have
an object assigned.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fscache/operation.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/fscache/operation.c
+++ b/fs/fscache/operation.c
@@ -66,7 +66,8 @@ void fscache_enqueue_operation(struct fs
 	ASSERT(op->processor != NULL);
 	ASSERT(fscache_object_is_available(op->object));
 	ASSERTCMP(atomic_read(&op->usage), >, 0);
-	ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
+	ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
+		    op->state, ==,  FSCACHE_OP_ST_CANCELLED);
 
 	fscache_stat(&fscache_n_op_enqueue);
 	switch (op->flags & FSCACHE_OP_TYPE) {
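Review bot: the relaxed state assertion now lets cancelled operations through, but `ASSERT(fscache_object_is_available(op->object));` two lines above it is unchanged and still uses `op->object` unconditionally, while the second hunk of this patch treats `op->object` as possibly NULL. Please confirm that a cancelled operation reaching fscache_enqueue_operation() always has an object, or guard that assertion the same way. Minor: there is a double space before `FSCACHE_OP_ST_CANCELLED` in the new line.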
@@ -481,7 +482,8 @@ void fscache_put_operation(struct fscach
 	struct fscache_cache *cache;
 
 	_enter("{OBJ%x OP%x,%d}",
-	       op->object->debug_id, op->debug_id, atomic_read(&op->usage));
+	       op->object ? op->object->debug_id : 0,
+	       op->debug_id, atomic_read(&op->usage));
 
 	ASSERTCMP(atomic_read(&op->usage), >, 0);
 




* [PATCH 4.4 28/80] cachefiles: Fix refcounting bug in backing-file read monitoring
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 27/80] fscache: Allow cancelled operations to be enqueued Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 29/80] cachefiles: Wait rather than BUGing on "Unexpected object collision" Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lei Xue, Vegard Nossum,
	Anthony DeRobertis, NeilBrown, Daniel Axtens,
	Kiran Kumar Modukuri, David Howells, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

[ Upstream commit 934140ab028713a61de8bca58c05332416d037d1 ]

cachefiles_read_waiter() has the right to access a 'monitor' object by
virtue of being called under the waitqueue lock for one of the pages in its
purview.  However, it has no ref on that monitor object or on the
associated operation.

What it is allowed to do is to move the monitor object to the operation's
to_do list, but once it drops the work_lock, it's actually no longer
permitted to access that object.  However, it is trying to enqueue the
retrieval operation for processing - but it can only do this via a pointer
in the monitor object, something it shouldn't be doing.

If it doesn't enqueue the operation, the operation may not get processed.
If the order is flipped so that the enqueue is first, then it's possible
for the work processor to look at the to_do list before the monitor is
enqueued upon it.

Fix this by getting a ref on the operation so that we can trust that it
will still be there once we've added the monitor to the to_do list and
dropped the work_lock.  The op can then be enqueued after the lock is
dropped.

The bug can manifest in one of a couple of ways.  The first manifestation
looks like:

 FS-Cache:
 FS-Cache: Assertion failed
 FS-Cache: 6 == 5 is false
 ------------[ cut here ]------------
 kernel BUG at fs/fscache/operation.c:494!
 RIP: 0010:fscache_put_operation+0x1e3/0x1f0
 ...
 fscache_op_work_func+0x26/0x50
 process_one_work+0x131/0x290
 worker_thread+0x45/0x360
 kthread+0xf8/0x130
 ? create_worker+0x190/0x190
 ? kthread_cancel_work_sync+0x10/0x10
 ret_from_fork+0x1f/0x30

This is due to the operation being in the DEAD state (6) rather than
INITIALISED, COMPLETE or CANCELLED (5) because it's already passed through
fscache_put_operation().

The bug can also manifest like the following:

 kernel BUG at fs/fscache/operation.c:69!
 ...
    [exception RIP: fscache_enqueue_operation+246]
 ...
 #7 [ffff883fff083c10] fscache_enqueue_operation at ffffffffa0b793c6
 #8 [ffff883fff083c28] cachefiles_read_waiter at ffffffffa0b15a48
 #9 [ffff883fff083c48] __wake_up_common at ffffffff810af028

I'm not entirely certain as to which is line 69 in Lei's kernel, so I'm not
entirely clear which assertion failed.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
Reported-by: Lei Xue <carmark.dlut@gmail.com>
Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Reported-by: Anthony DeRobertis <aderobertis@metrics.net>
Reported-by: NeilBrown <neilb@suse.com>
Reported-by: Daniel Axtens <dja@axtens.net>
Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cachefiles/rdwr.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/fs/cachefiles/rdwr.c
+++ b/fs/cachefiles/rdwr.c
@@ -27,6 +27,7 @@ static int cachefiles_read_waiter(wait_q
 	struct cachefiles_one_read *monitor =
 		container_of(wait, struct cachefiles_one_read, monitor);
 	struct cachefiles_object *object;
+	struct fscache_retrieval *op = monitor->op;
 	struct wait_bit_key *key = _key;
 	struct page *page = wait->private;
 
@@ -51,16 +52,22 @@ static int cachefiles_read_waiter(wait_q
 	list_del(&wait->task_list);
 
 	/* move onto the action list and queue for FS-Cache thread pool */
-	ASSERT(monitor->op);
+	ASSERT(op);
 
-	object = container_of(monitor->op->op.object,
-			      struct cachefiles_object, fscache);
+	/* We need to temporarily bump the usage count as we don't own a ref
+	 * here otherwise cachefiles_read_copier() may free the op between the
+	 * monitor being enqueued on the op->to_do list and the op getting
+	 * enqueued on the work queue.
+	 */
+	fscache_get_retrieval(op);
 
+	object = container_of(op->op.object, struct cachefiles_object, fscache);
 	spin_lock(&object->work_lock);
-	list_add_tail(&monitor->op_link, &monitor->op->to_do);
+	list_add_tail(&monitor->op_link, &op->to_do);
 	spin_unlock(&object->work_lock);
 
-	fscache_enqueue_retrieval(monitor->op);
+	fscache_enqueue_retrieval(op);
+	fscache_put_retrieval(op);
 	return 0;
 }
 
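Review bot: `fscache_get_retrieval(op)` is called on an operation that the function, by its own new comment, holds no reference to, so something else must keep `op` alive from the `monitor->op` read at the top of the function until this get. The comment explains why the ref is needed once the monitor is on the to_do list, but not what pins `op` before that; please add it (the commit message points at the waitqueue lock) so a later change does not break the ordering. The comment also starts its text on the `/*` line, which differs from the usual multi-line comment layout.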




* [PATCH 4.4 29/80] cachefiles: Wait rather than BUGing on "Unexpected object collision"
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 28/80] cachefiles: Fix refcounting bug in backing-file read monitoring Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 30/80] selftests/ftrace: Add snapshot and tracing_on test case Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kiran Kumar Modukuri, David Howells,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

[ Upstream commit c2412ac45a8f8f1cd582723c1a139608694d410d ]

If we meet a conflicting object that is marked FSCACHE_OBJECT_IS_LIVE in
the active object tree, we have been emitting a BUG after logging
information about it and the new object.

Instead, we should wait for the CACHEFILES_OBJECT_ACTIVE flag to be cleared
on the old object (or return an error).  The ACTIVE flag should be cleared
after it has been removed from the active object tree.  A timeout of 60s is
used in the wait, so we shouldn't be able to get stuck there.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cachefiles/namei.c |    1 -
 1 file changed, 1 deletion(-)

--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -194,7 +194,6 @@ wait_for_old_object:
 		pr_err("\n");
 		pr_err("Error: Unexpected object collision\n");
 		cachefiles_printk_object(object, xobject);
-		BUG();
 	}
 	atomic_inc(&xobject->usage);
 	write_unlock(&cache->active_lock);
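Review bot: with `BUG();` removed, the `pr_err("Error: Unexpected object collision\n")` and `cachefiles_printk_object()` lines are left as they were, so a condition the code now waits on is still reported as an error with a full object dump every time it occurs. Consider rate limiting these messages or lowering their level. The hunk itself adds no wait; it relies on the existing code after the `wait_for_old_object:` label, and the commit message could say plainly that only the BUG() is dropped.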




* [PATCH 4.4 30/80] selftests/ftrace: Add snapshot and tracing_on test case
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 29/80] cachefiles: Wait rather than BUGing on "Unexpected object collision" Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 31/80] zswap: re-check zswap_is_full() after do zswap_shrink() Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tom Zanussi, Hiraku Toyooka,
	Masami Hiramatsu, Ingo Molnar, Shuah Khan, linux-kselftest,
	Steven Rostedt (VMware),
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

[ Upstream commit 82f4f3e69c5c29bce940dd87a2c0f16c51d48d17 ]

Add a testcase for checking snapshot and tracing_on
relationship. This ensures that the snapshotting doesn't
affect current tracing on/off settings.

Link: http://lkml.kernel.org/r/153149932412.11274.15289227592627901488.stgit@devbox

Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
Cc: Hiraku Toyooka <hiraku.toyooka@cybertrust.co.jp>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc |   28 ++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc

--- /dev/null
+++ b/tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc
@@ -0,0 +1,28 @@
+#!/bin/sh
+# description: Snapshot and tracing setting
+# flags: instance
+
+[ ! -f snapshot ] && exit_unsupported
+
+echo "Set tracing off"
+echo 0 > tracing_on
+
+echo "Allocate and take a snapshot"
+echo 1 > snapshot
+
+# Since trace buffer is empty, snapshot is also empty, but allocated
+grep -q "Snapshot is allocated" snapshot
+
+echo "Ensure keep tracing off"
+test `cat tracing_on` -eq 0
+
+echo "Set tracing on"
+echo 1 > tracing_on
+
+echo "Take a snapshot again"
+echo 1 > snapshot
+
+echo "Ensure keep tracing on"
+test `cat tracing_on` -eq 1
+
+exit 0
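Review bot: the `grep -q "Snapshot is allocated" snapshot` line and the two `test ... -eq` checks on `tracing_on` have no failure handling of their own, and the script ends with an unconditional `exit 0`, so the test can only fail if the runner executes it with errexit enabled. If that is the framework's convention it is fine; otherwise each check needs an explicit failure exit. The script also leaves `tracing_on` set to 1 and the snapshot allocated; with `# flags: instance` that may be acceptable, but restoring the initial state at the end would make it safe to run at top level too.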




* [PATCH 4.4 31/80] zswap: re-check zswap_is_full() after do zswap_shrink()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 30/80] selftests/ftrace: Add snapshot and tracing_on test case Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 32/80] tools/power turbostat: Read extended processor family from CPUID Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Li Wang, Dan Streetman,
	Seth Jennings, Huang Ying, Yu Zhao, Andrew Morton,
	Linus Torvalds, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Wang <liwang@redhat.com>

[ Upstream commit 16e536ef47f567289a5699abee9ff7bb304bc12d ]

/sys/../zswap/stored_pages keeps rising in a zswap test with
"zswap.max_pool_percent=0" parameter.  But it should not compress or
store pages any more since there is no space in the compressed pool.

Reproduce steps:
  1. Boot kernel with "zswap.enabled=1"
  2. Set the max_pool_percent to 0
      # echo 0 > /sys/module/zswap/parameters/max_pool_percent
  3. Do memory stress test to see if some pages have been compressed
      # stress --vm 1 --vm-bytes $mem_available"M" --timeout 60s
  4. Watching the 'stored_pages' number increasing or not

The root cause is:

  When zswap_max_pool_percent is set to 0 via kernel parameter,
  zswap_is_full() will always return true due to zswap_shrink().  But if
  the shrinking is able to reclaim a page successfully the code then
  proceeds to compressing/storing another page, so the value of
  stored_pages will keep changing.

To solve the issue, this patch adds a zswap_is_full() check again after
  zswap_shrink() to make sure it's now under the max_pool_percent, and to
  not compress/store if we reached the limit.

Link: http://lkml.kernel.org/r/20180530103936.17812-1-liwang@redhat.com
Signed-off-by: Li Wang <liwang@redhat.com>
Acked-by: Dan Streetman <ddstreet@ieee.org>
Cc: Seth Jennings <sjenning@redhat.com>
Cc: Huang Ying <huang.ying.caritas@gmail.com>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/zswap.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -1018,6 +1018,15 @@ static int zswap_frontswap_store(unsigne
 			ret = -ENOMEM;
 			goto reject;
 		}
+
+		/* A second zswap_is_full() check after
+		 * zswap_shrink() to make sure it's now
+		 * under the max_pool_percent
+		 */
+		if (zswap_is_full()) {
+			ret = -ENOMEM;
+			goto reject;
+		}
 	}
 
 	/* allocate entry */
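
Review bot: the added block comment starts its text on the `/*` line; the preferred kernel multi-line form puts `/*` on a line of its own. It would also help if the comment said why the re-check is needed (a shrink that reclaims one page does not mean the pool is under max_pool_percent, as in the max_pool_percent=0 case from the changelog) instead of restating the call.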




* [PATCH 4.4 32/80] tools/power turbostat: Read extended processor family from CPUID
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 31/80] zswap: re-check zswap_is_full() after do zswap_shrink() Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 34/80] enic: handle mtu change for vf properly Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Calvin Walton, Len Brown, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Calvin Walton <calvin.walton@kepstin.ca>

[ Upstream commit 5aa3d1a20a233d4a5f1ec3d62da3f19d9afea682 ]

This fixes the reported family on modern AMD processors (e.g. Ryzen,
which is family 0x17). Previously these processors all showed up as
family 0xf.

See the document
https://support.amd.com/TechDocs/56255_OSRR.pdf
section CPUID_Fn00000001_EAX for how to calculate the family
from the BaseFamily and ExtFamily values.

This matches the code in arch/x86/lib/cpu.c

Signed-off-by: Calvin Walton <calvin.walton@kepstin.ca>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/power/x86/turbostat/turbostat.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -2691,7 +2691,9 @@ void process_cpuid()
 	family = (fms >> 8) & 0xf;
 	model = (fms >> 4) & 0xf;
 	stepping = fms & 0xf;
-	if (family == 6 || family == 0xf)
+	if (family == 0xf)
+		family += (fms >> 20) & 0xff;
+	if (family >= 6)
 		model += ((fms >> 16) & 0xf) << 4;
 
 	if (debug)
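
Review bot: the model condition changes from `family == 6 || family == 0xf` to `family >= 6`, so the extended model bits are now also folded in for base families 7 through 0xe, which the changelog does not mention. The text only talks about the reported family; say in the changelog or a comment that the model calculation changes for those families too.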




* [PATCH 4.4 34/80] enic: handle mtu change for vf properly
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 32/80] tools/power turbostat: Read extended processor family from CPUID Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-12  1:03   ` Ben Hutchings
  2018-09-03 16:49 ` [PATCH 4.4 35/80] arc: fix build errors in arc/include/asm/delay.h Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  80 siblings, 1 reply; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Govindarajulu Varadarajan,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Govindarajulu Varadarajan <gvaradar@cisco.com>

[ Upstream commit ab123fe071c9aa9680ecd62eb080eb26cff4892c ]

When driver gets notification for mtu change, driver does not handle it for
all RQs. It handles only RQ[0].

Fix is to use enic_change_mtu() interface to change mtu for vf.

Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/cisco/enic/enic_main.c |   78 +++++++++-------------------
 1 file changed, 27 insertions(+), 51 deletions(-)

--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -1842,10 +1842,32 @@ static int enic_stop(struct net_device *
 	return 0;
 }
 
+static int _enic_change_mtu(struct net_device *netdev, int new_mtu)
+{
+	bool running = netif_running(netdev);
+	int err = 0;
+
+	ASSERT_RTNL();
+	if (running) {
+		err = enic_stop(netdev);
+		if (err)
+			return err;
+	}
+
+	netdev->mtu = new_mtu;
+
+	if (running) {
+		err = enic_open(netdev);
+		if (err)
+			return err;
+	}
+
+	return 0;
+}
+
 static int enic_change_mtu(struct net_device *netdev, int new_mtu)
 {
 	struct enic *enic = netdev_priv(netdev);
-	int running = netif_running(netdev);
 
 	if (new_mtu < ENIC_MIN_MTU || new_mtu > ENIC_MAX_MTU)
 		return -EINVAL;
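
Review bot: in `_enic_change_mtu()`, a failing `enic_open()` returns with `netdev->mtu` already set to `new_mtu` and the interface left stopped. Consider restoring the previous MTU and logging the failure on that path, or document that the caller is expected to recover.
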
@@ -1853,20 +1875,12 @@ static int enic_change_mtu(struct net_de
 	if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic))
 		return -EOPNOTSUPP;
 
-	if (running)
-		enic_stop(netdev);
-
-	netdev->mtu = new_mtu;
-
 	if (netdev->mtu > enic->port_mtu)
 		netdev_warn(netdev,
-			"interface MTU (%d) set higher than port MTU (%d)\n",
-			netdev->mtu, enic->port_mtu);
-
-	if (running)
-		enic_open(netdev);
+			    "interface MTU (%d) set higher than port MTU (%d)\n",
+			    netdev->mtu, enic->port_mtu);
 
-	return 0;
+	return _enic_change_mtu(netdev, new_mtu);
 }
 
 static void enic_change_mtu_work(struct work_struct *work)
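
Review bot: with the `netdev->mtu = new_mtu` assignment moved into `_enic_change_mtu()`, the `netdev->mtu > enic->port_mtu` test and its warning now run before the MTU is updated, so they check and print the old value. Compare and print `new_mtu` here instead.
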
@@ -1874,47 +1888,9 @@ static void enic_change_mtu_work(struct
 	struct enic *enic = container_of(work, struct enic, change_mtu_work);
 	struct net_device *netdev = enic->netdev;
 	int new_mtu = vnic_dev_mtu(enic->vdev);
-	int err;
-	unsigned int i;
-
-	new_mtu = max_t(int, ENIC_MIN_MTU, min_t(int, ENIC_MAX_MTU, new_mtu));
 
 	rtnl_lock();
-
-	/* Stop RQ */
-	del_timer_sync(&enic->notify_timer);
-
-	for (i = 0; i < enic->rq_count; i++)
-		napi_disable(&enic->napi[i]);
-
-	vnic_intr_mask(&enic->intr[0]);
-	enic_synchronize_irqs(enic);
-	err = vnic_rq_disable(&enic->rq[0]);
-	if (err) {
-		rtnl_unlock();
-		netdev_err(netdev, "Unable to disable RQ.\n");
-		return;
-	}
-	vnic_rq_clean(&enic->rq[0], enic_free_rq_buf);
-	vnic_cq_clean(&enic->cq[0]);
-	vnic_intr_clean(&enic->intr[0]);
-
-	/* Fill RQ with new_mtu-sized buffers */
-	netdev->mtu = new_mtu;
-	vnic_rq_fill(&enic->rq[0], enic_rq_alloc_buf);
-	/* Need at least one buffer on ring to get going */
-	if (vnic_rq_desc_used(&enic->rq[0]) == 0) {
-		rtnl_unlock();
-		netdev_err(netdev, "Unable to alloc receive buffers.\n");
-		return;
-	}
-
-	/* Start RQ */
-	vnic_rq_enable(&enic->rq[0]);
-	napi_enable(&enic->napi[0]);
-	vnic_intr_unmask(&enic->intr[0]);
-	enic_notify_timer_start(enic);
-
+	(void)_enic_change_mtu(netdev, new_mtu);
 	rtnl_unlock();
 
 	netdev_info(netdev, "interface MTU set as %d\n", netdev->mtu);
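
Review bot: the work handler no longer clamps the value from `vnic_dev_mtu()` to `ENIC_MIN_MTU`..`ENIC_MAX_MTU` and calls `_enic_change_mtu()` directly, so an out-of-range value reaches `netdev->mtu` unchecked. The result is also discarded with `(void)`, and the `netdev_info()` that follows reports the MTU as set even when the stop or open failed; keep the range check and log the error return.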




* [PATCH 4.4 35/80] arc: fix build errors in arc/include/asm/delay.h
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 34/80] enic: handle mtu change for vf properly Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 36/80] arc: fix type warnings in arc/mm/cache.c Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Vineet Gupta,
	linux-snps-arc, Elad Kanfi, Leon Romanovsky, Ofer Levi,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 2423665ec53f2a29191b35382075e9834288a975 ]

Fix build errors in arch/arc/'s delay.h:
- add "extern unsigned long loops_per_jiffy;"
- add <asm-generic/types.h> for "u64"

In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32:
../arch/arc/include/asm/delay.h: In function '__udelay':
../arch/arc/include/asm/delay.h:61:12: error: 'u64' undeclared (first use in this function)
  loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
            ^~~

In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32:
../arch/arc/include/asm/delay.h: In function '__udelay':
../arch/arc/include/asm/delay.h:63:37: error: 'loops_per_jiffy' undeclared (first use in this function)
  loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
                                     ^~~~~~~~~~~~~~~

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: linux-snps-arc@lists.infradead.org
Cc: Elad Kanfi <eladkan@mellanox.com>
Cc: Leon Romanovsky <leonro@mellanox.com>
Cc: Ofer Levi <oferle@mellanox.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arc/include/asm/delay.h |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arc/include/asm/delay.h
+++ b/arch/arc/include/asm/delay.h
@@ -17,8 +17,11 @@
 #ifndef __ASM_ARC_UDELAY_H
 #define __ASM_ARC_UDELAY_H
 
+#include <asm-generic/types.h>
 #include <asm/param.h>		/* HZ */
 
+extern unsigned long loops_per_jiffy;
+
 static inline void __delay(unsigned long loops)
 {
 	__asm__ __volatile__(
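
Review bot: `extern unsigned long loops_per_jiffy;` is a hand-written declaration in an arch header with nothing tying it to the definition, so the two can drift silently. Add a comment saying where the symbol is defined and why the declaring header cannot be included here; the same applies to taking `u64` from `<asm-generic/types.h>` rather than `<linux/types.h>`.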




* [PATCH 4.4 36/80] arc: fix type warnings in arc/mm/cache.c
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 35/80] arc: fix build errors in arc/include/asm/delay.h Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 37/80] drivers: net: lmc: fix case value for target abort error Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Vineet Gupta,
	linux-snps-arc, Elad Kanfi, Leon Romanovsky, Ofer Levi,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit ec837d620c750c0d4996a907c8c4f7febe1bbeee ]

Fix type warnings in arch/arc/mm/cache.c.

../arch/arc/mm/cache.c: In function 'flush_anon_page':
../arch/arc/mm/cache.c:1062:55: warning: passing argument 2 of '__flush_dcache_page' makes integer from pointer without a cast [-Wint-conversion]
  __flush_dcache_page((phys_addr_t)page_address(page), page_address(page));
                                                       ^~~~~~~~~~~~~~~~~~
../arch/arc/mm/cache.c:1013:59: note: expected 'long unsigned int' but argument is of type 'void *'
 void __flush_dcache_page(phys_addr_t paddr, unsigned long vaddr)
                                             ~~~~~~~~~~~~~~^~~~~

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: linux-snps-arc@lists.infradead.org
Cc: Elad Kanfi <eladkan@mellanox.com>
Cc: Leon Romanovsky <leonro@mellanox.com>
Cc: Ofer Levi <oferle@mellanox.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arc/mm/cache.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/arc/mm/cache.c
+++ b/arch/arc/mm/cache.c
@@ -821,7 +821,7 @@ void flush_cache_mm(struct mm_struct *mm
 void flush_cache_page(struct vm_area_struct *vma, unsigned long u_vaddr,
 		      unsigned long pfn)
 {
-	unsigned int paddr = pfn << PAGE_SHIFT;
+	phys_addr_t paddr = pfn << PAGE_SHIFT;
 
 	u_vaddr &= PAGE_MASK;
 
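
Review bot: `phys_addr_t paddr = pfn << PAGE_SHIFT;` still performs the shift in `unsigned long`, because `pfn` is `unsigned long`, and only widens the result afterwards. Where `phys_addr_t` is wider than `unsigned long` the high bits are already lost; cast first, `(phys_addr_t)pfn << PAGE_SHIFT`.
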
@@ -841,8 +841,9 @@ void flush_anon_page(struct vm_area_stru
 		     unsigned long u_vaddr)
 {
 	/* TBD: do we really need to clear the kernel mapping */
-	__flush_dcache_page(page_address(page), u_vaddr);
-	__flush_dcache_page(page_address(page), page_address(page));
+	__flush_dcache_page((phys_addr_t)page_address(page), u_vaddr);
+	__flush_dcache_page((phys_addr_t)page_address(page),
+			    (phys_addr_t)page_address(page));
 
 }
 
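
Review bot: the second argument of `__flush_dcache_page()` is `unsigned long vaddr` according to the compiler note quoted in the changelog, but the new second call casts it with `(phys_addr_t)`. Use `(unsigned long)page_address(page)` there so the cast matches the parameter type. Casting `page_address(page)` to `phys_addr_t` for the first argument also deserves a short comment, given the existing TBD above it.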




* [PATCH 4.4 37/80] drivers: net: lmc: fix case value for target abort error
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 36/80] arc: fix type warnings in arc/mm/cache.c Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 38/80] scsi: fcoe: drop frames in ELS LOGO error path Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit afb41bb039656f0cecb54eeb8b2e2088201295f5 ]

Current value for a target abort error is 0x010, however, this value
should in fact be 0x002.  As it stands, the range of error is 0..7 so
it is currently never being detected.  This bug has been in the driver
since the early 2.6.12 days (or before).

Detected by CoverityScan, CID#744290 ("Logically dead code")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wan/lmc/lmc_main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wan/lmc/lmc_main.c
+++ b/drivers/net/wan/lmc/lmc_main.c
@@ -1385,7 +1385,7 @@ static irqreturn_t lmc_interrupt (int ir
             case 0x001:
                 printk(KERN_WARNING "%s: Master Abort (naughty)\n", dev->name);
                 break;
-            case 0x010:
+            case 0x002:
                 printk(KERN_WARNING "%s: Target Abort (not so naughty)\n", dev->name);
                 break;
             default:
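
Review bot: the case labels are bare magic numbers (`0x001`, `0x002`), which is how an unreachable `0x010` stayed in the switch until a static analyser flagged it. Name the error-field values with defines next to the mask that limits the range to 0..7, so an out-of-range label is obvious on sight.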




* [PATCH 4.4 38/80] scsi: fcoe: drop frames in ELS LOGO error path
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 37/80] drivers: net: lmc: fix case value for target abort error Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 39/80] scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Thumshirn, Hannes Reinecke,
	Martin K. Petersen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Thumshirn <jthumshirn@suse.de>

[ Upstream commit 63d0e3dffda311e77b9a8c500d59084e960a824a ]

Drop the frames in the ELS LOGO error path instead of just returning an
error.

This fixes the following kmemleak report:
unreferenced object 0xffff880064cb1000 (size 424):
  comm "kworker/0:2", pid 24, jiffies 4294904293 (age 68.504s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<(____ptrval____)>] _fc_frame_alloc+0x2c/0x180 [libfc]
    [<(____ptrval____)>] fc_lport_enter_logo+0x106/0x360 [libfc]
    [<(____ptrval____)>] fc_fabric_logoff+0x8c/0xc0 [libfc]
    [<(____ptrval____)>] fcoe_if_destroy+0x79/0x3b0 [fcoe]
    [<(____ptrval____)>] fcoe_destroy_work+0xd2/0x170 [fcoe]
    [<(____ptrval____)>] process_one_work+0x7ff/0x1420
    [<(____ptrval____)>] worker_thread+0x87/0xef0
    [<(____ptrval____)>] kthread+0x2db/0x390
    [<(____ptrval____)>] ret_from_fork+0x35/0x40
    [<(____ptrval____)>] 0xffffffffffffffff

which can be triggered by issuing
echo eth0 > /sys/bus/fcoe/ctlr_destroy

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/fcoe/fcoe_ctlr.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -752,9 +752,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr
 	case ELS_LOGO:
 		if (fip->mode == FIP_MODE_VN2VN) {
 			if (fip->state != FIP_ST_VNMP_UP)
-				return -EINVAL;
+				goto drop;
 			if (ntoh24(fh->fh_d_id) == FC_FID_FLOGI)
-				return -EINVAL;
+				goto drop;
 		} else {
 			if (fip->state != FIP_ST_ENABLED)
 				return 0;
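
Review bot: both VN2VN checks now `goto drop` where they used to `return -EINVAL`, but the `drop` label is outside this hunk, so it is not visible here what value the caller gets back. State in the changelog whether the return code is unchanged. The sibling branch that does `return 0` when `fip->state != FIP_ST_ENABLED` deserves the same look at who owns the frame on that path.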




* [PATCH 4.4 39/80] scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 38/80] scsi: fcoe: drop frames in ELS LOGO error path Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 40/80] mm/memory.c: check return value of ioremap_prot Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jim Gill, Martin K. Petersen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jim Gill <jgill@vmware.com>

[ Upstream commit e95153b64d03c2b6e8d62e51bdcc33fcad6e0856 ]

Commands that are reset are returned with status
SAM_STAT_COMMAND_TERMINATED. PVSCSI currently returns DID_OK |
SAM_STAT_COMMAND_TERMINATED which fails the command. Instead, set hostbyte
to DID_RESET to allow upper layers to retry.

Tested by copying a large file between two pvscsi disks on same adapter
while performing a bus reset at 1-second intervals. Before fix, commands
sometimes fail with DID_OK. After fix, commands observed to fail with
DID_RESET.

Signed-off-by: Jim Gill <jgill@vmware.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/vmw_pvscsi.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/scsi/vmw_pvscsi.c
+++ b/drivers/scsi/vmw_pvscsi.c
@@ -545,9 +545,14 @@ static void pvscsi_complete_request(stru
 	    (btstat == BTSTAT_SUCCESS ||
 	     btstat == BTSTAT_LINKED_COMMAND_COMPLETED ||
 	     btstat == BTSTAT_LINKED_COMMAND_COMPLETED_WITH_FLAG)) {
-		cmd->result = (DID_OK << 16) | sdstat;
-		if (sdstat == SAM_STAT_CHECK_CONDITION && cmd->sense_buffer)
-			cmd->result |= (DRIVER_SENSE << 24);
+		if (sdstat == SAM_STAT_COMMAND_TERMINATED) {
+			cmd->result = (DID_RESET << 16);
+		} else {
+			cmd->result = (DID_OK << 16) | sdstat;
+			if (sdstat == SAM_STAT_CHECK_CONDITION &&
+			    cmd->sense_buffer)
+				cmd->result |= (DRIVER_SENSE << 24);
+		}
 	} else
 		switch (btstat) {
 		case BTSTAT_SUCCESS:
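
Review bot: the `SAM_STAT_COMMAND_TERMINATED` branch sets `cmd->result = (DID_RESET << 16)` and drops `sdstat`, so the status byte the device returned is no longer visible to upper layers. If that is intended, add a comment saying so and why `DID_RESET` is the right host byte for this status; otherwise OR `sdstat` back in as the `else` branch does.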




* [PATCH 4.4 40/80] mm/memory.c: check return value of ioremap_prot
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 39/80] scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 41/80] cifs: add missing debug entries for kconfig options Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, chen jie, Andrew Morton, Li Zefan,
	Yang Shi, Alexey Dobriyan, Linus Torvalds, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "jie@chenjie6@huwei.com" <jie@chenjie6@huwei.com>

[ Upstream commit 24eee1e4c47977bdfb71d6f15f6011e7b6188d04 ]

ioremap_prot() can return NULL which could lead to an oops.

Link: http://lkml.kernel.org/r/1533195441-58594-1-git-send-email-chenjie6@huawei.com
Signed-off-by: chen jie <chenjie6@huawei.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Li Zefan <lizefan@huawei.com>
Cc: chenjie <chenjie6@huawei.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3701,6 +3701,9 @@ int generic_access_phys(struct vm_area_s
 		return -EINVAL;
 
 	maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
+	if (!maddr)
+		return -ENOMEM;
+
 	if (write)
 		memcpy_toio(maddr + offset, buf, len);
 	else




* [PATCH 4.4 41/80] cifs: add missing debug entries for kconfig options
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 40/80] mm/memory.c: check return value of ioremap_prot Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 42/80] cifs: check kmalloc before use Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve French, Ronnie Sahlberg,
	Pavel Shilovsky, Paulo Alcantara

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 950132afd59385caf6e2b84e5235d069fa10681d upstream.

/proc/fs/cifs/DebugData displays the features (Kconfig options)
used to build cifs.ko but it was missing some, and needed comma
separator.  These can be useful in debugging certain problems
so we know which optional features were enabled in the user's build.
Also clarify them, by making them more closely match the
corresponding CONFIG_CIFS_* parm.

Old format:
Features: dfs fscache posix spnego xattr acl

New format:
Features: DFS,FSCACHE,SMB_DIRECT,STATS,DEBUG2,ALLOW_INSECURE_LEGACY,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/cifs_debug.c |   30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -123,25 +123,41 @@ static int cifs_debug_data_proc_show(str
 	seq_printf(m, "CIFS Version %s\n", CIFS_VERSION);
 	seq_printf(m, "Features:");
 #ifdef CONFIG_CIFS_DFS_UPCALL
-	seq_printf(m, " dfs");
+	seq_printf(m, " DFS");
 #endif
 #ifdef CONFIG_CIFS_FSCACHE
-	seq_printf(m, " fscache");
+	seq_printf(m, ",FSCACHE");
+#endif
+#ifdef CONFIG_CIFS_SMB_DIRECT
+	seq_printf(m, ",SMB_DIRECT");
+#endif
+#ifdef CONFIG_CIFS_STATS2
+	seq_printf(m, ",STATS2");
+#elif defined(CONFIG_CIFS_STATS)
+	seq_printf(m, ",STATS");
+#endif
+#ifdef CONFIG_CIFS_DEBUG2
+	seq_printf(m, ",DEBUG2");
+#elif defined(CONFIG_CIFS_DEBUG)
+	seq_printf(m, ",DEBUG");
+#endif
+#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
+	seq_printf(m, ",ALLOW_INSECURE_LEGACY");
 #endif
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
-	seq_printf(m, " lanman");
+	seq_printf(m, ",WEAK_PW_HASH");
 #endif
 #ifdef CONFIG_CIFS_POSIX
-	seq_printf(m, " posix");
+	seq_printf(m, ",CIFS_POSIX");
 #endif
 #ifdef CONFIG_CIFS_UPCALL
-	seq_printf(m, " spnego");
+	seq_printf(m, ",UPCALL(SPNEGO)");
 #endif
 #ifdef CONFIG_CIFS_XATTR
-	seq_printf(m, " xattr");
+	seq_printf(m, ",XATTR");
 #endif
 #ifdef CONFIG_CIFS_ACL
-	seq_printf(m, " acl");
+	seq_printf(m, ",ACL");
 #endif
 	seq_putc(m, '\n');
 	seq_printf(m, "Active VFS Requests: %d\n", GlobalTotalActiveXid);
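
Review bot: ` DFS` is the only entry emitted with a leading space and no comma; every other entry starts with `,`. A build without `CONFIG_CIFS_DFS_UPCALL` therefore prints `Features:,FSCACHE...` with a stray leading comma. Track whether an entry has already been printed, or emit the space once after `Features:`. The changelog sample also lists `STATS` and `DEBUG2` only, while the code can print `STATS2`, `DEBUG` and `WEAK_PW_HASH`; list the full set, since people will read this line to check whether `ALLOW_INSECURE_LEGACY` or `WEAK_PW_HASH` is built in.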




* [PATCH 4.4 42/80] cifs: check kmalloc before use
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 41/80] cifs: add missing debug entries for kconfig options Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 43/80] smb3: Do not send SMB3 SET_INFO if nothing changed Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Mc Guire, Steve French,
	Pavel Shilovsky

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

commit 126c97f4d0d1b5b956e8b0740c81a2b2a2ae548c upstream.

The kmalloc was not being checked - if it fails issue a warning
and return -ENOMEM to the caller.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: b8da344b74c8 ("cifs: dynamic allocation of ntlmssp blob")
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
cc: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/sess.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -398,6 +398,12 @@ int build_ntlmssp_auth_blob(unsigned cha
 		goto setup_ntlmv2_ret;
 	}
 	*pbuffer = kmalloc(size_of_ntlmssp_blob(ses), GFP_KERNEL);
+	if (!*pbuffer) {
+		rc = -ENOMEM;
+		cifs_dbg(VFS, "Error %d during NTLMSSP allocation\n", rc);
+		*buflen = 0;
+		goto setup_ntlmv2_ret;
+	}
 	sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer;
 
 	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
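
Review bot: the `cifs_dbg(VFS, ...)` call in the new failure branch prints a message for an allocation failure, and `rc` in it is always `-ENOMEM`. Kernel style discourages per-call-site out-of-memory messages because the allocator already reports the failure; drop the message and keep `rc = -ENOMEM`, `*buflen = 0` and the `goto`.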




* [PATCH 4.4 43/80] smb3: Do not send SMB3 SET_INFO if nothing changed
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 42/80] cifs: check kmalloc before use Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 44/80] smb3: dont request leases in symlink creation and query Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Shilovsky, Stefan Metzmacher,
	Steve French

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit fd09b7d3b352105f08b8e02f7afecf7e816380ef upstream.

An earlier commit had a typo which prevented the
optimization from working:

commit 18dd8e1a65dd ("Do not send SMB3 SET_INFO request if nothing is changing")

Thank you to Metze for noticing this.  Also clear a
reserved field in the FILE_BASIC_INFO struct we send
that should be zero (all the other fields in that
struct were set or cleared explicitly already in
cifs_set_file_info).

Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
CC: Stable <stable@vger.kernel.org> # 4.9.x+
Reported-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/inode.c     |    2 ++
 fs/cifs/smb2inode.c |    2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -1063,6 +1063,8 @@ cifs_set_file_info(struct inode *inode,
 	if (!server->ops->set_file_info)
 		return -ENOSYS;
 
+	info_buf.Pad = 0;
+
 	if (attrs->ia_valid & ATTR_ATIME) {
 		set_time = true;
 		info_buf.LastAccessTime =
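
Review bot: `info_buf.Pad = 0;` clears one field by hand in a structure that the changelog says is sent to the server, so any field that is left unset goes out uninitialised. Zero-initialising `info_buf` at its declaration (or with `memset()`) would cover `Pad` and any field added later, without relying on every member being assigned explicitly.
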
--- a/fs/cifs/smb2inode.c
+++ b/fs/cifs/smb2inode.c
@@ -267,7 +267,7 @@ smb2_set_file_info(struct inode *inode,
 	int rc;
 
 	if ((buf->CreationTime == 0) && (buf->LastAccessTime == 0) &&
-	    (buf->LastWriteTime == 0) && (buf->ChangeTime) &&
+	    (buf->LastWriteTime == 0) && (buf->ChangeTime == 0) &&
 	    (buf->Attributes == 0))
 		return 0; /* would be a no op, no sense sending this */
 
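
Review bot: the no-op test still lists the five fields by hand, which is how a bare `(buf->ChangeTime)` without `== 0` sat in the condition and disabled the early return. A small helper that checks the whole set, or a comment naming the fields that must be covered, would make the next omission easier to spot.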




* [PATCH 4.4 44/80] smb3: dont request leases in symlink creation and query
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 43/80] smb3: Do not send SMB3 SET_INFO if nothing changed Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 45/80] btrfs: dont leak ret from do_chunk_alloc Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Shilovsky, Steve French,
	Ronnie Sahlberg

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 22783155f4bf956c346a81624ec9258930a6fe06 upstream.

Fixes problem pointed out by Pavel in discussions about commit
729c0c9dd55204f0c9a823ac8a7bfa83d36c7e78

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
CC: Stable <stable@vger.kernel.org> # 3.18.x+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/link.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/cifs/link.c
+++ b/fs/cifs/link.c
@@ -419,7 +419,7 @@ smb3_query_mf_symlink(unsigned int xid,
 	struct cifs_io_parms io_parms;
 	int buf_type = CIFS_NO_BUFFER;
 	__le16 *utf16_path;
-	__u8 oplock = SMB2_OPLOCK_LEVEL_II;
+	__u8 oplock = SMB2_OPLOCK_LEVEL_NONE;
 	struct smb2_file_all_info *pfile_info = NULL;
 
 	oparms.tcon = tcon;
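
Review bot: the `oplock` initializer in smb3_query_mf_symlink() becomes SMB2_OPLOCK_LEVEL_NONE with no comment, and the changelog only points at a discussion of another commit, so the reason a lease must not be requested here is not recorded anywhere a later reader will find it. Suggest a one-line comment above the declaration (and the matching one in smb3_create_mf_symlink()) stating why mf symlink query and creation ask for no oplock.
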
@@ -481,7 +481,7 @@ smb3_create_mf_symlink(unsigned int xid,
 	struct cifs_io_parms io_parms;
 	int create_options = CREATE_NOT_DIR;
 	__le16 *utf16_path;
-	__u8 oplock = SMB2_OPLOCK_LEVEL_EXCLUSIVE;
+	__u8 oplock = SMB2_OPLOCK_LEVEL_NONE;
 	struct kvec iov[2];
 
 	if (backup_cred(cifs_sb))




* [PATCH 4.4 45/80] btrfs: dont leak ret from do_chunk_alloc
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 44/80] smb3: dont request leases in symlink creation and query Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 46/80] s390/kvm: fix deadlock when killed by oom Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, Nikolay Borisov, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <josef@toxicpanda.com>

commit 4559b0a71749c442d34f7cfb9e72c9e58db83948 upstream.

If we're trying to make a data reservation and we have to allocate a
data chunk we could leak ret == 1, as do_chunk_alloc() will return 1 if
it allocated a chunk.  Since the end of the function is the success path
just return 0.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -4128,7 +4128,7 @@ commit_trans:
 				      data_sinfo->flags, bytes, 1);
 	spin_unlock(&data_sinfo->lock);
 
-	return ret;
+	return 0;
 }
 
 /*
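
Review bot: `return 0;` at the end of this function now ignores `ret` entirely, which is only correct if every failure above has already returned; the changelog asserts that ("the end of the function is the success path") but the hunk does not show it. A short comment above the return noting that do_chunk_alloc() may have left `ret == 1` would keep someone from restoring `return ret` later.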




* [PATCH 4.4 46/80] s390/kvm: fix deadlock when killed by oom
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 45/80] btrfs: dont leak ret from do_chunk_alloc Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 47/80] ext4: check for NUL characters in extended attributes name Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Claudio Imbrenda, Martin Schwidefsky

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>

commit 306d6c49ac9ded11114cb53b0925da52f2c2ada1 upstream.

When the oom killer kills a userspace process in the page fault handler
while in guest context, the fault handler fails to release the mm_sem
if the FAULT_FLAG_RETRY_NOWAIT option is set. This leads to a deadlock
when tearing down the mm when the process terminates. This bug can only
happen when pfault is enabled, so only KVM clients are affected.

The problem arises in the rare cases in which handle_mm_fault does not
release the mm_sem. This patch fixes the issue by manually releasing
the mm_sem when needed.

Fixes: 24eb3a824c4f3 ("KVM: s390: Add FAULT_FLAG_RETRY_NOWAIT for guest fault")
Cc: <stable@vger.kernel.org> # 3.15+
Signed-off-by: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/mm/fault.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@@ -459,6 +459,8 @@ retry:
 	/* No reason to continue if interrupted by SIGKILL. */
 	if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current)) {
 		fault = VM_FAULT_SIGNAL;
+		if (flags & FAULT_FLAG_RETRY_NOWAIT)
+			goto out_up;
 		goto out;
 	}
 	if (unlikely(fault & VM_FAULT_ERROR))
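
Review bot: the added `goto out_up` under `flags & FAULT_FLAG_RETRY_NOWAIT` has no comment, and the existing one above the block ("No reason to continue if interrupted by SIGKILL") does not say that mm_sem can still be held on this path. Suggest extending that comment to state that with FAULT_FLAG_RETRY_NOWAIT handle_mm_fault does not release the semaphore, so it has to be dropped here before returning VM_FAULT_SIGNAL.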




* [PATCH 4.4 47/80] ext4: check for NUL characters in extended attributes name
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 46/80] s390/kvm: fix deadlock when killed by oom Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 48/80] ext4: sysfs: print ext4_super_block fields as little-endian Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wen Xu, Theodore Tso

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 7d95178c77014dbd8dce36ee40bbbc5e6c121ff5 upstream.

Extended attribute names are defined to be NUL-terminated, so the name
must not contain a NUL character.  This is important because there are
places where, when removing an extended attribute, the code uses strlen
to determine the length of the entry.  That should probably be fixed at
some point, but the code is currently really messy, so the simplest fix
for now is to simply validate that the extended attributes are sane.

https://bugzilla.kernel.org/show_bug.cgi?id=200401

Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/xattr.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -197,6 +197,8 @@ ext4_xattr_check_names(struct ext4_xattr
 		struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e);
 		if ((void *)next >= end)
 			return -EFSCORRUPTED;
+		if (strnlen(e->e_name, e->e_name_len) != e->e_name_len)
+			return -EFSCORRUPTED;
 		e = next;
 	}
 
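
Review bot: the new strnlen() test reads `e->e_name_len` bytes from `e->e_name`, so it is only safe because it sits after the `(void *)next >= end` bounds check; nothing in the hunk says the order matters. Suggest a comment above the strnlen() line noting that the name has already been bounded by the previous check, since swapping the two would read past `end` on a corrupted entry.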




* [PATCH 4.4 48/80] ext4: sysfs: print ext4_super_block fields as little-endian
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 47/80] ext4: check for NUL characters in extended attributes name Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 49/80] ext4: reset error code in ext4_find_entry in fallback Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andreas Dilger, Arnd Bergmann, Theodore Tso

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit a4d2aadca184ece182418950d45ba4ffc7b652d2 upstream.

While working on extended rand for last_error/first_error timestamps,
I noticed that the endianness is wrong; we access the little-endian
fields in struct ext4_super_block as native-endian when we print them.

This adds a special case in ext4_attr_show() and ext4_attr_store()
to byteswap the superblock fields if needed.

In older kernels, this code was part of super.c, it got moved to
sysfs.c in linux-4.4.

Cc: stable@vger.kernel.org
Fixes: 52c198c6820f ("ext4: add sysfs entry showing whether the fs contains errors")
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/sysfs.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/ext4/sysfs.c
+++ b/fs/ext4/sysfs.c
@@ -277,8 +277,12 @@ static ssize_t ext4_attr_show(struct kob
 	case attr_pointer_ui:
 		if (!ptr)
 			return 0;
-		return snprintf(buf, PAGE_SIZE, "%u\n",
-				*((unsigned int *) ptr));
+		if (a->attr_ptr == ptr_ext4_super_block_offset)
+			return snprintf(buf, PAGE_SIZE, "%u\n",
+					le32_to_cpup(ptr));
+		else
+			return snprintf(buf, PAGE_SIZE, "%u\n",
+					*((unsigned int *) ptr));
 	case attr_pointer_atomic:
 		if (!ptr)
 			return 0;
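
Review bot: in the attr_pointer_ui case the `else` after `return snprintf(...)` is redundant and the "%u\n" format string is now duplicated. Reading the value into a local first (le32_to_cpup(ptr) for superblock fields, the plain dereference otherwise) and calling snprintf() once would be shorter and keep the two branches from drifting apart.
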
@@ -311,7 +315,10 @@ static ssize_t ext4_attr_store(struct ko
 		ret = kstrtoul(skip_spaces(buf), 0, &t);
 		if (ret)
 			return ret;
-		*((unsigned int *) ptr) = t;
+		if (a->attr_ptr == ptr_ext4_super_block_offset)
+			*((__le32 *) ptr) = cpu_to_le32(t);
+		else
+			*((unsigned int *) ptr) = t;
 		return len;
 	case attr_inode_readahead:
 		return inode_readahead_blks_store(a, sbi, buf, len);
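
Review bot: `t` is parsed with kstrtoul() and then stored through a 32-bit lvalue in both branches (`cpu_to_le32(t)` and `*((unsigned int *) ptr) = t`), so on 64-bit an input above UINT_MAX is silently truncated rather than rejected. The truncation predates this patch, but since the store path is being touched, parsing with kstrtouint() or adding a range check before the store would be a cheap improvement.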




* [PATCH 4.4 49/80] ext4: reset error code in ext4_find_entry in fallback
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 48/80] ext4: sysfs: print ext4_super_block fields as little-endian Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 50/80] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anatoly Trosinenko, Andreas Dilger,
	Eric Sandeen, Theodore Tso

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Sandeen <sandeen@redhat.com>

commit f39b3f45dbcb0343822cce31ea7636ad66e60bc2 upstream.

When ext4_find_entry() falls back to "searching the old fashioned
way" due to a corrupt dx dir, it needs to reset the error code
to NULL so that the nonstandard ERR_BAD_DX_DIR code isn't returned
to userspace.

https://bugzilla.kernel.org/show_bug.cgi?id=199947

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@yandex.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/namei.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -1401,6 +1401,7 @@ static struct buffer_head * ext4_find_en
 			goto cleanup_and_exit;
 		dxtrace(printk(KERN_DEBUG "ext4_find_entry: dx failed, "
 			       "falling back\n"));
+		ret = NULL;
 	}
 	nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
 	if (!nblocks) {




* [PATCH 4.4 50/80] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 49/80] ext4: reset error code in ext4_find_entry in fallback Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 51/80] KVM: arm/arm64: Skip updating PTE entry if no change Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Greg Hackmann, Will Deacon

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Hackmann <ghackmann@android.com>

commit 5ad356eabc47d26a92140a0c4b20eba471c10de3 upstream.

ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
before seeing if the PFN is valid.  This leads to false positives when
some of the upper bits are set, but the lower bits match a valid PFN.

For example, the following userspace code looks up a bogus entry in
/proc/kpageflags:

    int pagemap = open("/proc/self/pagemap", O_RDONLY);
    int pageflags = open("/proc/kpageflags", O_RDONLY);
    uint64_t pfn, val;

    lseek64(pagemap, [...], SEEK_SET);
    read(pagemap, &pfn, sizeof(pfn));
    if (pfn & (1UL << 63)) {        /* valid PFN */
        pfn &= ((1UL << 55) - 1);   /* clear flag bits */
        pfn |= (1UL << 55);
        lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
        read(pageflags, &val, sizeof(val));
    }

On ARM64 this causes the userspace process to crash with SIGSEGV rather
than reading (1 << KPF_NOPAGE).  kpageflags_read() treats the offset as
valid, and stable_page_flags() will try to access an address between the
user and kernel address ranges.

Fixes: c1cc1552616d ("arm64: MMU initialisation")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/mm/init.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm64/mm/init.c
+++ b/arch/arm64/mm/init.c
@@ -120,7 +120,11 @@ static void __init zone_sizes_init(unsig
 #ifdef CONFIG_HAVE_ARCH_PFN_VALID
 int pfn_valid(unsigned long pfn)
 {
-	return memblock_is_memory(pfn << PAGE_SHIFT);
+	phys_addr_t addr = pfn << PAGE_SHIFT;
+
+	if ((addr >> PAGE_SHIFT) != pfn)
+		return 0;
+	return memblock_is_memory(addr);
 }
 EXPORT_SYMBOL(pfn_valid);
 #endif
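
Review bot: `phys_addr_t addr = pfn << PAGE_SHIFT;` does the shift in the type of `pfn` (unsigned long), and the round-trip test on the following lines depends on that shift discarding the upper bits. It works, but it is subtle: a one-line comment above `if ((addr >> PAGE_SHIFT) != pfn)` saying it rejects PFNs whose upper PAGE_SHIFT bits are set would keep the check from being simplified away later.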


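The false positive described in this changelog, reduced to a userspace model (an added example, not part of the patch or the kernel source). It assumes 4 KiB pages (PAGE_SHIFT of 12) and a single constructed RAM bank, with memblock_is_memory() replaced by a plain range check.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                 /* assumption: 4 KiB pages */
#define RAM_BASE   0x80000000ULL      /* constructed RAM bank, not from the patch */
#define RAM_SIZE   0x40000000ULL      /* 1 GiB */

typedef uint64_t phys_addr_t;

/* Stand-in for memblock_is_memory(): is addr inside the constructed bank? */
static int model_is_memory(phys_addr_t addr)
{
	return addr >= RAM_BASE && addr - RAM_BASE < RAM_SIZE;
}

/* Pre-patch logic: bits shifted out of the top are silently discarded. */
int pfn_valid_before(uint64_t pfn)
{
	return model_is_memory(pfn << PAGE_SHIFT);
}

/* Patched logic: reject the PFN if the shift does not round-trip. */
int pfn_valid_after(uint64_t pfn)
{
	phys_addr_t addr = pfn << PAGE_SHIFT;

	if ((addr >> PAGE_SHIFT) != pfn)
		return 0;
	return model_is_memory(addr);
}

/* Same bit manipulation as the changelog's snippet: keep the low 55 bits, set bit 55. */
uint64_t alias_of(uint64_t pfn)
{
	pfn &= (1ULL << 55) - 1;
	return pfn | (1ULL << 55);
}

int main(void)
{
	uint64_t real  = (RAM_BASE + 0x1000) >> PAGE_SHIFT;      /* a PFN inside the bank */
	uint64_t bogus = alias_of(real);                         /* same low bits, bit 55 set */
	uint64_t past  = (RAM_BASE + RAM_SIZE) >> PAGE_SHIFT;    /* first PFN past the bank */
	uint64_t pfns[] = { real, bogus, past };

	for (unsigned i = 0; i < sizeof(pfns) / sizeof(pfns[0]); i++)
		printf("pfn %#llx: before=%d after=%d\n",
		       (unsigned long long)pfns[i],
		       pfn_valid_before(pfns[i]), pfn_valid_after(pfns[i]));
	return 0;
}
```
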


* [PATCH 4.4 51/80] KVM: arm/arm64: Skip updating PTE entry if no change
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 50/80] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 52/80] KVM: arm/arm64: Skip updating PMD " Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suzuki Poulose, Christoffer Dall,
	Punit Agrawal, Marc Zyngier

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Punit Agrawal <punit.agrawal@arm.com>

commit 976d34e2dab10ece5ea8fe7090b7692913f89084 upstream.

When there is contention on faulting in a particular page table entry
at stage 2, the break-before-make requirement of the architecture can
lead to additional refaulting due to TLB invalidation.

Avoid this by skipping a page table update if the new value of the PTE
matches the previous value.

Cc: stable@vger.kernel.org
Fixes: d5d8184d35c9 ("KVM: ARM: Memory virtualization setup")
Reviewed-by: Suzuki Poulose <suzuki.poulose@arm.com>
Acked-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Punit Agrawal <punit.agrawal@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/kvm/mmu.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -961,6 +961,10 @@ static int stage2_set_pte(struct kvm *kv
 	/* Create 2nd stage page table mapping - Level 3 */
 	old_pte = *pte;
 	if (pte_present(old_pte)) {
+		/* Skip page table update if there is no change */
+		if (pte_val(old_pte) == pte_val(*new_pte))
+			return 0;
+
 		kvm_set_pte(pte, __pte(0));
 		kvm_tlb_flush_vmid_ipa(kvm, addr);
 	} else {




* [PATCH 4.4 52/80] KVM: arm/arm64: Skip updating PMD entry if no change
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 51/80] KVM: arm/arm64: Skip updating PTE entry if no change Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 53/80] x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suzuki Poulose, Christoffer Dall,
	Punit Agrawal, Marc Zyngier

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Punit Agrawal <punit.agrawal@arm.com>

commit 86658b819cd0a9aa584cd84453ed268a6f013770 upstream.

Contention on updating a PMD entry by a large number of vcpus can lead
to duplicate work when handling stage 2 page faults. As the page table
update follows the break-before-make requirement of the architecture,
it can lead to repeated refaults due to clearing the entry and
flushing the tlbs.

This problem is more likely when -

* there are a large number of vcpus
* the mapping is a large block mapping

such as when using PMD hugepages (512MB) with 64k pages.

Fix this by skipping the page table update if there is no change in
the entry being updated.

Cc: stable@vger.kernel.org
Fixes: ad361f093c1e ("KVM: ARM: Support hugetlbfs backed huge pages")
Reviewed-by: Suzuki Poulose <suzuki.poulose@arm.com>
Acked-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Punit Agrawal <punit.agrawal@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 arch/arm/kvm/mmu.c |   38 +++++++++++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 11 deletions(-)

--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -892,19 +892,35 @@ static int stage2_set_pmd_huge(struct kv
 	pmd = stage2_get_pmd(kvm, cache, addr);
 	VM_BUG_ON(!pmd);
 
-	/*
-	 * Mapping in huge pages should only happen through a fault.  If a
-	 * page is merged into a transparent huge page, the individual
-	 * subpages of that huge page should be unmapped through MMU
-	 * notifiers before we get here.
-	 *
-	 * Merging of CompoundPages is not supported; they should become
-	 * splitting first, unmapped, merged, and mapped back in on-demand.
-	 */
-	VM_BUG_ON(pmd_present(*pmd) && pmd_pfn(*pmd) != pmd_pfn(*new_pmd));
-
 	old_pmd = *pmd;
 	if (pmd_present(old_pmd)) {
+		/*
+		 * Multiple vcpus faulting on the same PMD entry, can
+		 * lead to them sequentially updating the PMD with the
+		 * same value. Following the break-before-make
+		 * (pmd_clear() followed by tlb_flush()) process can
+		 * hinder forward progress due to refaults generated
+		 * on missing translations.
+		 *
+		 * Skip updating the page table if the entry is
+		 * unchanged.
+		 */
+		if (pmd_val(old_pmd) == pmd_val(*new_pmd))
+			return 0;
+
+		/*
+		 * Mapping in huge pages should only happen through a
+		 * fault.  If a page is merged into a transparent huge
+		 * page, the individual subpages of that huge page
+		 * should be unmapped through MMU notifiers before we
+		 * get here.
+		 *
+		 * Merging of CompoundPages is not supported; they
+		 * should become splitting first, unmapped, merged,
+		 * and mapped back in on-demand.
+		 */
+		VM_BUG_ON(pmd_pfn(old_pmd) != pmd_pfn(*new_pmd));
+
 		pmd_clear(pmd);
 		kvm_tlb_flush_vmid_ipa(kvm, addr);
 	} else {
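
Review bot: the early return compares whole entries with pmd_val(), while the VM_BUG_ON that now follows it compares only pmd_pfn(), so an entry with the same PFN but different attribute bits still goes through pmd_clear() and the TLB flush. That looks intended, but the new comment only speaks of "the same value"; it would help to say explicitly that an attribute-only change must still take the break-before-make path.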




* [PATCH 4.4 53/80] x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 52/80] KVM: arm/arm64: Skip updating PMD " Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 54/80] x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dominique Leuenberger,
	Adrian Schroeter, Vlastimil Babka, Thomas Gleixner, Andi Kleen,
	Michal Hocko, H . Peter Anvin, Linus Torvalds, Dave Hansen,
	Michal Hocko

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlastimil Babka <vbabka@suse.cz>

commit 9df9516940a61d29aedf4d91b483ca6597e7d480 upstream.

On 32bit PAE kernels on 64bit hardware with enough physical bits,
l1tf_pfn_limit() will overflow unsigned long. This in turn affects
max_swapfile_size() and can lead to swapon returning -EINVAL. This has been
observed in a 32bit guest with 42 bits physical address size, where
max_swapfile_size() overflows exactly to 1 << 32, thus zero, and produces
the following warning to dmesg:

[    6.396845] Truncating oversized swap area, only using 0k out of 2047996k

Fix this by using unsigned long long instead.

Fixes: 17dbca119312 ("x86/speculation/l1tf: Add sysfs reporting for l1tf")
Fixes: 377eeaa8e11f ("x86/speculation/l1tf: Limit swap file size to MAX_PA/2")
Reported-by: Dominique Leuenberger <dimstar@suse.de>
Reported-by: Adrian Schroeter <adrian@suse.de>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Andi Kleen <ak@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180820095835.5298-1-vbabka@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/processor.h |    4 ++--
 arch/x86/mm/init.c               |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -172,9 +172,9 @@ extern const struct seq_operations cpuin
 
 extern void cpu_detect(struct cpuinfo_x86 *c);
 
-static inline unsigned long l1tf_pfn_limit(void)
+static inline unsigned long long l1tf_pfn_limit(void)
 {
-	return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
+	return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
 }
 
 extern void early_cpu_init(void);
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -779,7 +779,7 @@ unsigned long max_swapfile_size(void)
 
 	if (boot_cpu_has_bug(X86_BUG_L1TF)) {
 		/* Limit the swap file size to MAX_PA/2 for L1TF workaround */
-		unsigned long l1tf_limit = l1tf_pfn_limit() + 1;
+		unsigned long long l1tf_limit = l1tf_pfn_limit() + 1;
 		/*
 		 * We encode swap offsets also with 3 bits below those for pfn
 		 * which makes the usable limit higher.
@@ -787,7 +787,7 @@ unsigned long max_swapfile_size(void)
 #if CONFIG_PGTABLE_LEVELS > 2
 		l1tf_limit <<= PAGE_SHIFT - SWP_OFFSET_FIRST_BIT;
 #endif
-		pages = min_t(unsigned long, l1tf_limit, pages);
+		pages = min_t(unsigned long long, l1tf_limit, pages);
 	}
 	return pages;
 }
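
Review bot: `pages = min_t(unsigned long long, l1tf_limit, pages);` assigns a 64-bit result back to `pages`, which max_swapfile_size() returns as unsigned long. This cannot truncate because the minimum is never larger than `pages`, but that is not obvious at the call site; a short comment saying so would keep a later rewrite of this line from reintroducing the 32-bit overflow.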




* [PATCH 4.4 54/80] x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 53/80] x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 55/80] x86/speculation/l1tf: Suggest what to do on systems with " Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, xxxxxx xxxxxx, Christopher Snowhill,
	Vlastimil Babka, Thomas Gleixner, H . Peter Anvin,
	Linus Torvalds, Andi Kleen, Dave Hansen, Michal Hocko

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlastimil Babka <vbabka@suse.cz>

commit b0a182f875689647b014bc01d36b340217792852 upstream.

Two users have reported [1] that they have an "extremely unlikely" system
with more than MAX_PA/2 memory and L1TF mitigation is not effective. In
fact it's a CPU with 36bits phys limit (64GB) and 32GB memory, but due to
holes in the e820 map, the main region is almost 500MB over the 32GB limit:

[    0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000081effffff] usable

Suggestions to use 'mem=32G' to enable the L1TF mitigation while losing the
500MB revealed that there's an off-by-one error in the check in
l1tf_select_mitigation().

l1tf_pfn_limit() returns the last usable pfn (inclusive) and the range
check in the mitigation path does not take this into account.

Instead of amending the range check, make l1tf_pfn_limit() return the first
PFN which is over the limit which is less error prone. Adjust the other
users accordingly.

[1] https://bugzilla.suse.com/show_bug.cgi?id=1105536

Fixes: 17dbca119312 ("x86/speculation/l1tf: Add sysfs reporting for l1tf")
Reported-by: xxxxxx xxxxxx <xxxxxx@xxxxxx.xxx>
Reported-by: Christopher Snowhill <kode54@gmail.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180823134418.17008-1-vbabka@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/processor.h |    2 +-
 arch/x86/mm/init.c               |    2 +-
 arch/x86/mm/mmap.c               |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -174,7 +174,7 @@ extern void cpu_detect(struct cpuinfo_x8
 
 static inline unsigned long long l1tf_pfn_limit(void)
 {
-	return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
+	return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
 }
 
 extern void early_cpu_init(void);
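
Review bot: l1tf_pfn_limit() changes meaning here, from the last usable PFN to the first PFN over the limit, and nothing at the definition records that. Suggest a comment above the function stating that the returned bound is exclusive, since the callers adjusted in this patch (`l1tf_limit = l1tf_pfn_limit()` and `pfn >= l1tf_pfn_limit()`) and the range check in l1tf_select_mitigation() that the changelog mentions all depend on it.
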
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -779,7 +779,7 @@ unsigned long max_swapfile_size(void)
 
 	if (boot_cpu_has_bug(X86_BUG_L1TF)) {
 		/* Limit the swap file size to MAX_PA/2 for L1TF workaround */
-		unsigned long long l1tf_limit = l1tf_pfn_limit() + 1;
+		unsigned long long l1tf_limit = l1tf_pfn_limit();
 		/*
 		 * We encode swap offsets also with 3 bits below those for pfn
 		 * which makes the usable limit higher.
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -138,7 +138,7 @@ bool pfn_modify_allowed(unsigned long pf
 	/* If it's real memory always allow */
 	if (pfn_valid(pfn))
 		return true;
-	if (pfn > l1tf_pfn_limit() && !capable(CAP_SYS_ADMIN))
+	if (pfn >= l1tf_pfn_limit() && !capable(CAP_SYS_ADMIN))
 		return false;
 	return true;
 }


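The arithmetic behind patches 53 and 54 of this series, as a userspace model (an added example, not code from either patch). Assumptions: uint32_t stands in for a 32-bit unsigned long, the extra 3-bit shift is taken from the "3 bits below those for pfn" comment in the hunk, the generic page limits are constructed values, and the RAM range under mem=32G is assumed to end at exactly 32 GiB.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT     12
#define SWP_EXTRA_BITS 3    /* assumption: PAGE_SHIFT - SWP_OFFSET_FIRST_BIT */

/* Patch 53, before: limit held in a 32-bit unsigned long (modelled as uint32_t). */
uint32_t swap_pages_before(unsigned phys_bits, uint32_t generic_pages)
{
	/* BIT(n) - 1, truncated to the width of a 32-bit unsigned long */
	uint32_t limit = (uint32_t)((1ULL << (phys_bits - 1 - PAGE_SHIFT)) - 1);

	limit += 1;
	limit <<= SWP_EXTRA_BITS;     /* 1 << 32 wraps to 0 when phys_bits == 42 */
	return limit < generic_pages ? limit : generic_pages;
}

/* Patch 53, after: limit held in unsigned long long until the final min. */
uint32_t swap_pages_after(unsigned phys_bits, uint32_t generic_pages)
{
	uint64_t limit = (1ULL << (phys_bits - 1 - PAGE_SHIFT)) - 1;

	limit += 1;
	limit <<= SWP_EXTRA_BITS;
	/* the minimum never exceeds generic_pages, so narrowing is safe */
	return (uint32_t)(limit < generic_pages ? limit : generic_pages);
}

struct ram_range { uint64_t start, end; };   /* half-open: [start, end) */

/* Stand-in for e820_any_mapped(): does [start, end) overlap the RAM range? */
static int any_mapped(const struct ram_range *ram, uint64_t start, uint64_t end)
{
	return ram->start < end && ram->end > start;
}

/* l1tf_pfn_limit() before patch 54: last usable PFN (inclusive). */
uint64_t pfn_limit_inclusive(unsigned phys_bits)
{
	return (1ULL << (phys_bits - 1 - PAGE_SHIFT)) - 1;
}

/* l1tf_pfn_limit() after patch 54: first PFN over the limit (exclusive). */
uint64_t pfn_limit_exclusive(unsigned phys_bits)
{
	return 1ULL << (phys_bits - 1 - PAGE_SHIFT);
}

/* The "more than MAX_PA/2 memory" test as it appears in l1tf_select_mitigation(). */
int too_much_ram(const struct ram_range *ram, uint64_t pfn_limit)
{
	uint64_t half_pa = pfn_limit << PAGE_SHIFT;

	return any_mapped(ram, half_pa, UINT64_MAX - half_pa);
}

/* Region from the changelog's e820 line, and the same region cut at 32 GiB. */
const struct ram_range reported = { 0x100000000ULL, 0x81f000000ULL };
const struct ram_range mem_32g  = { 0x100000000ULL, 0x800000000ULL };

int main(void)
{
	printf("42 phys bits, swap pages: before=%u after=%u\n",
	       swap_pages_before(42, 0x02000000u), swap_pages_after(42, 0x02000000u));
	printf("36 phys bits, reported map: inclusive=%d exclusive=%d\n",
	       too_much_ram(&reported, pfn_limit_inclusive(36)),
	       too_much_ram(&reported, pfn_limit_exclusive(36)));
	printf("36 phys bits, mem=32G:      inclusive=%d exclusive=%d\n",
	       too_much_ram(&mem_32g, pfn_limit_inclusive(36)),
	       too_much_ram(&mem_32g, pfn_limit_exclusive(36)));
	return 0;
}
```
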


* [PATCH 4.4 55/80] x86/speculation/l1tf: Suggest what to do on systems with too much RAM
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 54/80] x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 56/80] x86/process: Re-export start_thread() Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Hocko, Vlastimil Babka,
	H . Peter Anvin, Linus Torvalds, Andi Kleen, Dave Hansen

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlastimil Babka <vbabka@suse.cz>

commit 6a012288d6906fee1dbc244050ade1dafe4a9c8d upstream.

Two users have reported [1] that they have an "extremely unlikely" system
with more than MAX_PA/2 memory and L1TF mitigation is not effective.

Make the warning more helpful by suggesting the proper mem=X kernel boot
parameter to make it effective and a link to the L1TF document to help
decide if the mitigation is worth the unusable RAM.

[1] https://bugzilla.suse.com/show_bug.cgi?id=1105536

Suggested-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/966571f0-9d7f-43dc-92c6-a10eec7a1254@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/bugs.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -654,6 +654,10 @@ static void __init l1tf_select_mitigatio
 	half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
 	if (e820_any_mapped(half_pa, ULLONG_MAX - half_pa, E820_RAM)) {
 		pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
+		pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
+				half_pa);
+		pr_info("However, doing so will make a part of your RAM unusable.\n");
+		pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html might help you decide.\n");
 		return;
 	}
 
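
Review bot: the three added lines use pr_info() while the message they qualify is pr_warn(), so with the console or a log filter set to warning level the administrator sees "L1TF mitigation not effective" without the mem= advice that goes with it. Consider pr_warn() for at least the `mem=%llu` line so the suggestion is shown wherever the warning is.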




* [PATCH 4.4 56/80] x86/process: Re-export start_thread()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 55/80] x86/speculation/l1tf: Suggest what to do on systems with " Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 57/80] fuse: Dont access pipe->buffers without pipe_lock() Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rian Hunter, Thomas Gleixner,
	H. Peter Anvin, Andy Lutomirski, Borislav Petkov,
	Vitaly Kuznetsov, Joerg Roedel, Dmitry Safonov, Josh Poimboeuf

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rian Hunter <rian@alum.mit.edu>

commit dc76803e57cc86589c4efcb5362918f9b0c0436f upstream.

The consolidation of the start_thread() functions removed the export
unintentionally. This breaks binfmt handlers built as a module.

Add it back.

Fixes: e634d8fc792c ("x86-64: merge the standard and compat start_thread() functions")
Signed-off-by: Rian Hunter <rian@alum.mit.edu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Dmitry Safonov <dima@arista.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180819230854.7275-1-rian@alum.mit.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/process_64.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -250,6 +250,7 @@ start_thread(struct pt_regs *regs, unsig
 	start_thread_common(regs, new_ip, new_sp,
 			    __USER_CS, __USER_DS, 0);
 }
+EXPORT_SYMBOL_GPL(start_thread);
 
 #ifdef CONFIG_COMPAT
 void compat_start_thread(struct pt_regs *regs, u32 new_ip, u32 new_sp)
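Review bot: compat_start_thread(), visible in the context directly below the new EXPORT_SYMBOL_GPL(start_thread), gets no export in this hunk, so a modular binfmt handler that needs the compat entry point would still fail to link. If only start_thread() was exported before the consolidation, the changelog should say so. It should also state whether the removed export was the _GPL variant, since that decides which modules can use the symbol again.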




* [PATCH 4.4 57/80] fuse: Dont access pipe->buffers without pipe_lock()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 56/80] x86/process: Re-export start_thread() Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 58/80] fuse: fix double request_end() Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andrey Ryabinin, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <aryabinin@virtuozzo.com>

commit a2477b0e67c52f4364a47c3ad70902bc2a61bd4c upstream.

fuse_dev_splice_write() reads pipe->buffers to determine the size of
'bufs' array before taking the pipe_lock(). This is not safe as
another thread might change the 'pipe->buffers' between the allocation
and taking the pipe_lock(). So we end up with too small 'bufs' array.

Move the bufs allocations inside pipe_lock()/pipe_unlock() to fix this.

Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: <stable@vger.kernel.org> # v2.6.35
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1991,11 +1991,14 @@ static ssize_t fuse_dev_splice_write(str
 	if (!fud)
 		return -EPERM;
 
+	pipe_lock(pipe);
+
 	bufs = kmalloc(pipe->buffers * sizeof(struct pipe_buffer), GFP_KERNEL);
-	if (!bufs)
+	if (!bufs) {
+		pipe_unlock(pipe);
 		return -ENOMEM;
+	}
 
-	pipe_lock(pipe);
 	nbuf = 0;
 	rem = 0;
 	for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)
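Review bot: the size passed to kmalloc() is still the open-coded product `pipe->buffers * sizeof(struct pipe_buffer)`; reading it under pipe_lock() makes the value stable, but the multiplication itself remains unchecked. kmalloc_array(pipe->buffers, sizeof(struct pipe_buffer), GFP_KERNEL) behaves the same and fails cleanly on overflow. The GFP_KERNEL allocation now sleeps with the pipe lock held, which is acceptable because pipe_lock() takes a mutex, but it lengthens the hold time under memory pressure and deserves a line in the changelog.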



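The ordering problem described in the commit message above (array sized from pipe->buffers before the lock is taken), as an added single-threaded user-space model; it is not part of the patch or of the kernel source. The names model_pipe, racing_resize(), collect() and run_scenario() are hypothetical, and an atomic_flag stands in for pipe_lock()/pipe_unlock().

```c
/* Added illustration: user-space model, not kernel code. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_NOMEM   (-1)
#define ERR_OVERRUN (-2)

struct model_buf { unsigned int len; };

/* Hypothetical stand-in for the pipe: capacity and fill level may only
 * change while 'lock' is held. */
struct model_pipe {
	atomic_flag lock;      /* models pipe_lock()/pipe_unlock() */
	unsigned int buffers;  /* ring capacity */
	unsigned int nrbufs;   /* slots in use, always <= buffers */
	struct model_buf *ring;
};

static int model_trylock(struct model_pipe *p)
{
	return !atomic_flag_test_and_set(&p->lock);
}

static void model_lock(struct model_pipe *p)
{
	while (!model_trylock(p))
		;
}

static void model_unlock(struct model_pipe *p)
{
	atomic_flag_clear(&p->lock);
}

/* The "other thread": doubles the ring and fills it completely.
 * Returns 1 if it ran, 0 if the lock kept it out. */
static int racing_resize(struct model_pipe *p)
{
	struct model_buf *ring;
	unsigned int i, grown;

	if (!model_trylock(p))
		return 0;
	grown = p->buffers * 2;
	ring = realloc(p->ring, grown * sizeof(*ring));
	if (ring) {
		for (i = p->nrbufs; i < grown; i++)
			ring[i].len = 1;
		p->ring = ring;
		p->buffers = grown;
		p->nrbufs = grown;
	}
	model_unlock(p);
	return ring != NULL;
}

/* Copy the occupied slots into a private array.
 * size_under_lock == 0: array sized first, lock taken afterwards.
 * size_under_lock == 1: lock taken first, array sized under it.
 * In both orderings the racing thread gets its chance right after the
 * array has been sized. The model reports an overrun instead of doing it. */
static int collect(struct model_pipe *p, int size_under_lock)
{
	struct model_buf *bufs;
	unsigned int cap;
	int rc;

	if (size_under_lock)
		model_lock(p);
	cap = p->buffers;
	bufs = calloc(cap, sizeof(*bufs));
	if (!bufs) {
		if (size_under_lock)
			model_unlock(p);
		return ERR_NOMEM;
	}

	racing_resize(p);              /* the race window */

	if (!size_under_lock)
		model_lock(p);
	if (p->nrbufs > cap) {
		rc = ERR_OVERRUN;      /* private array is too small */
	} else {
		memcpy(bufs, p->ring, p->nrbufs * sizeof(*bufs));
		rc = (int)p->nrbufs;
	}
	model_unlock(p);
	free(bufs);
	return rc;
}

/* Constructed scenario: capacity 4, three slots in use. */
static int run_scenario(int size_under_lock)
{
	struct model_pipe p = { .buffers = 4, .nrbufs = 3 };
	int rc;

	atomic_flag_clear(&p.lock);
	p.ring = calloc(p.buffers, sizeof(*p.ring));
	if (!p.ring)
		return ERR_NOMEM;
	rc = collect(&p, size_under_lock);
	free(p.ring);
	return rc;
}

int main(void)
{
	printf("size before lock: %d\n", run_scenario(0));
	printf("size under lock:  %d\n", run_scenario(1));
	return 0;
}
```
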

* [PATCH 4.4 58/80] fuse: fix double request_end()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 57/80] fuse: Dont access pipe->buffers without pipe_lock() Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 59/80] fuse: fix unlocked access to processing queue Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 87114373ea507895a62afb10d2910bd9adac35a8 upstream.

Refcounting of request is broken when fuse_abort_conn() is called and
request is on the fpq->io list:

 - ref is taken too late
 - then it is not dropped

Fixes: 0d8e84b0432b ("fuse: simplify request abort")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -382,7 +382,7 @@ static void request_end(struct fuse_conn
 	struct fuse_iqueue *fiq = &fc->iq;
 
 	if (test_and_set_bit(FR_FINISHED, &req->flags))
-		return;
+		goto out_put_req;
 
 	spin_lock(&fiq->waitq.lock);
 	list_del_init(&req->intr_entry);
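Review bot: with `goto out_put_req` the FR_FINISHED early exit now drops a reference, so request_end() consumes one reference on every path, including a second call for the same request. That contract is not written down anywhere in the hunk; a comment above request_end() stating that the caller hands over a reference it owns would stop a future caller from relying on the old plain `return` and underflowing the count.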
@@ -412,6 +412,7 @@ static void request_end(struct fuse_conn
 	wake_up(&req->waitq);
 	if (req->end)
 		req->end(fc, req);
+out_put_req:
 	fuse_put_request(fc, req);
 }
 
@@ -2154,6 +2155,7 @@ void fuse_abort_conn(struct fuse_conn *f
 				set_bit(FR_ABORTED, &req->flags);
 				if (!test_bit(FR_LOCKED, &req->flags)) {
 					set_bit(FR_PRIVATE, &req->flags);
+					__fuse_get_request(req);
 					list_move(&req->list, &to_end1);
 				}
 				spin_unlock(&req->waitq.lock);
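Review bot: the reference taken by __fuse_get_request(req) here is released only much later, by request_end() in the to_end1 loop, and the two sites sit in different lock scopes. Taking it next to list_move() while req->waitq.lock is held is the right place, but a short comment such as "ref dropped by request_end() below" would make the pairing visible. Requests with FR_LOCKED set get FR_ABORTED but neither the reference nor the move; the changelog should say who ends those.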
@@ -2180,7 +2182,6 @@ void fuse_abort_conn(struct fuse_conn *f
 
 		while (!list_empty(&to_end1)) {
 			req = list_first_entry(&to_end1, struct fuse_req, list);
-			__fuse_get_request(req);
 			list_del_init(&req->list);
 			request_end(fc, req);
 		}




* [PATCH 4.4 59/80] fuse: fix unlocked access to processing queue
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 58/80] fuse: fix double request_end() Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 60/80] fuse: umount should wait for all requests Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 45ff350bbd9d0f0977ff270a0d427c71520c0c37 upstream.

fuse_dev_release() assumes that it's the only one referencing the
fpq->processing list, but that's not true, since fuse_abort_conn() can be
doing the same without any serialization between the two.

Fixes: c3696046beb3 ("fuse: separate pqueue for clones")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2199,9 +2199,15 @@ int fuse_dev_release(struct inode *inode
 	if (fud) {
 		struct fuse_conn *fc = fud->fc;
 		struct fuse_pqueue *fpq = &fud->pq;
+		LIST_HEAD(to_end);
 
+		spin_lock(&fpq->lock);
 		WARN_ON(!list_empty(&fpq->io));
-		end_requests(fc, &fpq->processing);
+		list_splice_init(&fpq->processing, &to_end);
+		spin_unlock(&fpq->lock);
+
+		end_requests(fc, &to_end);
+
 		/* Are we the last open device? */
 		if (atomic_dec_and_test(&fc->dev_count)) {
 			WARN_ON(fc->iq.fasync != NULL);
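Review bot: WARN_ON(!list_empty(&fpq->io)) now executes inside the fpq->lock spinlock section, so when it fires the whole backtrace is printed with the lock held, and requests still on fpq->io are only reported, not ended. Consider recording the result under the lock (`bool io_busy = !list_empty(&fpq->io);`) and warning after spin_unlock(). Splicing to the local to_end list before calling end_requests() is the right shape.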




* [PATCH 4.4 60/80] fuse: umount should wait for all requests
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 59/80] fuse: fix unlocked access to processing queue Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 61/80] fuse: Fix oops at process_init_reply() Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit b8f95e5d13f5f0191dcb4b9113113d241636e7cb upstream.

fuse_abort_conn() does not guarantee that all async requests have actually
finished aborting (i.e. their ->end() function is called).  This could
actually result in still used inodes after umount.

Add a helper to wait until all requests are fully done.  This is done by
looking at the "num_waiting" counter.  When this counter drops to zero, we
can be sure that no more requests are outstanding.

Fixes: 0d8e84b0432b ("fuse: simplify request abort")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c    |   23 +++++++++++++++++++----
 fs/fuse/fuse_i.h |    1 +
 fs/fuse/inode.c  |    2 ++
 3 files changed, 22 insertions(+), 4 deletions(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -143,6 +143,16 @@ static bool fuse_block_alloc(struct fuse
 	return !fc->initialized || (for_background && fc->blocked);
 }
 
+static void fuse_drop_waiting(struct fuse_conn *fc)
+{
+	if (fc->connected) {
+		atomic_dec(&fc->num_waiting);
+	} else if (atomic_dec_and_test(&fc->num_waiting)) {
+		/* wake up aborters */
+		wake_up_all(&fc->blocked_waitq);
+	}
+}
+
 static struct fuse_req *__fuse_get_req(struct fuse_conn *fc, unsigned npages,
 				       bool for_background)
 {
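Review bot: fuse_drop_waiting() tests fc->connected and then decrements fc->num_waiting as two separate steps with no lock or barrier between them. If the connection is aborted after the `if (fc->connected)` test but before atomic_dec(), the counter can reach zero on the plain atomic_dec() path and nobody calls wake_up_all(&fc->blocked_waitq), leaving the wait_event() in fuse_wait_aborted() asleep. Decrementing with atomic_dec_and_test() on both paths and waking whenever it hits zero, or documenting the ordering that makes the connected test safe, would close that window.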
@@ -189,7 +199,7 @@ static struct fuse_req *__fuse_get_req(s
 	return req;
 
  out:
-	atomic_dec(&fc->num_waiting);
+	fuse_drop_waiting(fc);
 	return ERR_PTR(err);
 }
 
@@ -296,7 +306,7 @@ void fuse_put_request(struct fuse_conn *
 
 		if (test_bit(FR_WAITING, &req->flags)) {
 			__clear_bit(FR_WAITING, &req->flags);
-			atomic_dec(&fc->num_waiting);
+			fuse_drop_waiting(fc);
 		}
 
 		if (req->stolen_file)
@@ -382,7 +392,7 @@ static void request_end(struct fuse_conn
 	struct fuse_iqueue *fiq = &fc->iq;
 
 	if (test_and_set_bit(FR_FINISHED, &req->flags))
-		goto out_put_req;
+		goto put_request;
 
 	spin_lock(&fiq->waitq.lock);
 	list_del_init(&req->intr_entry);
@@ -412,7 +422,7 @@ static void request_end(struct fuse_conn
 	wake_up(&req->waitq);
 	if (req->end)
 		req->end(fc, req);
-out_put_req:
+put_request:
 	fuse_put_request(fc, req);
 }
 
@@ -2192,6 +2202,11 @@ void fuse_abort_conn(struct fuse_conn *f
 }
 EXPORT_SYMBOL_GPL(fuse_abort_conn);
 
+void fuse_wait_aborted(struct fuse_conn *fc)
+{
+	wait_event(fc->blocked_waitq, atomic_read(&fc->num_waiting) == 0);
+}
+
 int fuse_dev_release(struct inode *inode, struct file *file)
 {
 	struct fuse_dev *fud = fuse_get_dev(file);
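Review bot: fuse_wait_aborted() is an uninterruptible wait_event() with no timeout, so umount now blocks for as long as any request keeps num_waiting above zero. A comment should state which code guarantees the final decrement and wake-up after fuse_abort_conn(), and that the function must only be called after the abort. Unlike fuse_abort_conn() just above it, the new function carries no EXPORT_SYMBOL_GPL; that is fine only if every caller is built into the same module.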
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -842,6 +842,7 @@ void fuse_request_send_background_locked
 
 /* Abort all requests */
 void fuse_abort_conn(struct fuse_conn *fc);
+void fuse_wait_aborted(struct fuse_conn *fc);
 
 /**
  * Invalidate inode attributes
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -382,6 +382,8 @@ static void fuse_put_super(struct super_
 	fuse_send_destroy(fc);
 
 	fuse_abort_conn(fc);
+	fuse_wait_aborted(fc);
+
 	mutex_lock(&fuse_mutex);
 	list_del(&fc->entry);
 	fuse_ctl_remove_conn(fc);




* [PATCH 4.4 61/80] fuse: Fix oops at process_init_reply()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 60/80] fuse: umount should wait for all requests Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 62/80] fuse: Add missed unlock_page() to fuse_readpages_fill() Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, syzbot, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit e8f3bd773d22f488724dffb886a1618da85c2966 upstream.

syzbot is hitting NULL pointer dereference at process_init_reply().
This is because deactivate_locked_super() is called before response for
initial request is processed.

Fix this by aborting and waiting for all requests (including FUSE_INIT)
before resetting fc->sb.

Original patch by Tetsuo Handa <penguin-kernel@I-love.SKAURA.ne.jp>.

Reported-by: syzbot <syzbot+b62f08f4d5857755e3bc@syzkaller.appspotmail.com>
Fixes: e27c9d3877a0 ("fuse: fuse: add time_gran to INIT_OUT")
Cc: <stable@vger.kernel.org> # v3.19
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/inode.c |   25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -379,11 +379,6 @@ static void fuse_put_super(struct super_
 {
 	struct fuse_conn *fc = get_fuse_conn_super(sb);
 
-	fuse_send_destroy(fc);
-
-	fuse_abort_conn(fc);
-	fuse_wait_aborted(fc);
-
 	mutex_lock(&fuse_mutex);
 	list_del(&fc->entry);
 	fuse_ctl_remove_conn(fc);
@@ -1174,16 +1169,25 @@ static struct dentry *fuse_mount(struct
 	return mount_nodev(fs_type, flags, raw_data, fuse_fill_super);
 }
 
-static void fuse_kill_sb_anon(struct super_block *sb)
+static void fuse_sb_destroy(struct super_block *sb)
 {
 	struct fuse_conn *fc = get_fuse_conn_super(sb);
 
 	if (fc) {
+		fuse_send_destroy(fc);
+
+		fuse_abort_conn(fc);
+		fuse_wait_aborted(fc);
+
 		down_write(&fc->killsb);
 		fc->sb = NULL;
 		up_write(&fc->killsb);
 	}
+}
 
+static void fuse_kill_sb_anon(struct super_block *sb)
+{
+	fuse_sb_destroy(sb);
 	kill_anon_super(sb);
 }
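Review bot: fuse_send_destroy(), fuse_abort_conn() and fuse_wait_aborted() now run in fuse_sb_destroy(), that is before kill_anon_super()/kill_block_super() is entered, whereas in fuse_put_super() they ran from inside the generic superblock shutdown. Anything that shutdown does before ->put_super and that still needs to send requests (writing back dirty data, for example) would now meet an already aborted connection; please confirm that cannot happen or order the flush first. The changelog explains the fc->sb ordering but not this side effect.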
 
@@ -1206,14 +1210,7 @@ static struct dentry *fuse_mount_blk(str
 
 static void fuse_kill_sb_blk(struct super_block *sb)
 {
-	struct fuse_conn *fc = get_fuse_conn_super(sb);
-
-	if (fc) {
-		down_write(&fc->killsb);
-		fc->sb = NULL;
-		up_write(&fc->killsb);
-	}
-
+	fuse_sb_destroy(sb);
 	kill_block_super(sb);
 }
 




* [PATCH 4.4 62/80] fuse: Add missed unlock_page() to fuse_readpages_fill()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 61/80] fuse: Fix oops at process_init_reply() Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 63/80] udl-kms: change down_interruptible to down Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kirill Tkhai, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill Tkhai <ktkhai@virtuozzo.com>

commit 109728ccc5933151c68d1106e4065478a487a323 upstream.

The above error path returns with page unlocked, so this place seems also
to behave the same.

Fixes: f8dbdf81821b ("fuse: rework fuse_readpages()")
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -879,6 +879,7 @@ static int fuse_readpages_fill(void *_da
 	}
 
 	if (WARN_ON(req->num_pages >= req->max_pages)) {
+		unlock_page(page);
 		fuse_put_request(fc, req);
 		return -EIO;
 	}
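Review bot: the justification for the added unlock_page(page) is an error path outside this hunk's context, and the changelog only says the behaviour "seems" to match. Please state the contract explicitly (fuse_readpages_fill() returns with the page unlocked on every error) in the commit message or in a comment above the WARN_ON, so the next error return added here follows it.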




* [PATCH 4.4 63/80] udl-kms: change down_interruptible to down
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 62/80] fuse: Add missed unlock_page() to fuse_readpages_fill() Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 64/80] udl-kms: handle allocation failure Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Dave Airlie

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 8456b99c16d193c4c3b7df305cf431e027f0189c upstream.

If we leave urbs around, it causes not only a leak, but also memory
corruption. This patch fixes the function udl_free_urb_list, so that it
always waits for all urbs that are in progress.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/udl/udl_main.c |    7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/drivers/gpu/drm/udl/udl_main.c
+++ b/drivers/gpu/drm/udl/udl_main.c
@@ -141,18 +141,13 @@ static void udl_free_urb_list(struct drm
 	struct list_head *node;
 	struct urb_node *unode;
 	struct urb *urb;
-	int ret;
 	unsigned long flags;
 
 	DRM_DEBUG("Waiting for completes and freeing all render urbs\n");
 
 	/* keep waiting and freeing, until we've got 'em all */
 	while (count--) {
-
-		/* Getting interrupted means a leak, but ok at shutdown*/
-		ret = down_interruptible(&udl->urbs.limit_sem);
-		if (ret)
-			break;
+		down(&udl->urbs.limit_sem);
 
 		spin_lock_irqsave(&udl->urbs.lock, flags);
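Review bot: down(&udl->urbs.limit_sem) is uninterruptible and has no timeout, so if one in-flight URB never completes this loop sleeps forever and the teardown path hangs. That trades the leak for a potential hang; down_timeout() with a logged error on expiry would bound the wait while still waiting for every URB in the normal case. The changelog should say why completion is guaranteed here.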
 




* [PATCH 4.4 64/80] udl-kms: handle allocation failure
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 63/80] udl-kms: change down_interruptible to down Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 65/80] udl-kms: fix crash due to uninitialized memory Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Dave Airlie

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 542bb9788a1f485eb1a2229178f665d8ea166156 upstream.

Allocations larger than PAGE_ALLOC_COSTLY_ORDER are unreliable and they
may fail anytime. This patch fixes the udl kms driver so that when a large
allocation fails, it tries to do multiple smaller allocations.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/udl/udl_main.c |   28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

--- a/drivers/gpu/drm/udl/udl_main.c
+++ b/drivers/gpu/drm/udl/udl_main.c
@@ -171,17 +171,22 @@ static void udl_free_urb_list(struct drm
 static int udl_alloc_urb_list(struct drm_device *dev, int count, size_t size)
 {
 	struct udl_device *udl = dev->dev_private;
-	int i = 0;
 	struct urb *urb;
 	struct urb_node *unode;
 	char *buf;
+	size_t wanted_size = count * size;
 
 	spin_lock_init(&udl->urbs.lock);
 
+retry:
 	udl->urbs.size = size;
 	INIT_LIST_HEAD(&udl->urbs.list);
 
-	while (i < count) {
+	sema_init(&udl->urbs.limit_sem, 0);
+	udl->urbs.count = 0;
+	udl->urbs.available = 0;
+
+	while (udl->urbs.count * size < wanted_size) {
 		unode = kzalloc(sizeof(struct urb_node), GFP_KERNEL);
 		if (!unode)
 			break;
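Review bot: `size_t wanted_size = count * size;` multiplies an int by a size_t with no range check, so a negative or very large count becomes a huge target and the loop condition `udl->urbs.count * size < wanted_size` no longer bounds the number of URBs sensibly. Validate count and size on entry. The sema_init(&udl->urbs.limit_sem, 0) under the retry label also re-initialises a semaphore that udl_free_urb_list() has just been downing; a comment saying no URB can be in flight at that point would help.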
@@ -197,11 +202,16 @@ static int udl_alloc_urb_list(struct drm
 		}
 		unode->urb = urb;
 
-		buf = usb_alloc_coherent(udl->udev, MAX_TRANSFER, GFP_KERNEL,
+		buf = usb_alloc_coherent(udl->udev, size, GFP_KERNEL,
 					 &urb->transfer_dma);
 		if (!buf) {
 			kfree(unode);
 			usb_free_urb(urb);
+			if (size > PAGE_SIZE) {
+				size /= 2;
+				udl_free_urb_list(dev);
+				goto retry;
+			}
 			break;
 		}
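Review bot: the buffer is now allocated with `size` instead of MAX_TRANSFER, and on failure `size /= 2` shrinks it further until it is no larger than PAGE_SIZE. Every writer that fills these buffers must therefore be bounded by udl->urbs.size; any code that still assumes MAX_TRANSFER bytes are available would write past the allocation, and the changelog should confirm that none does. The retry also frees every URB already allocated and starts again from zero, which is simple but worth a comment.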
 
@@ -212,16 +222,14 @@ static int udl_alloc_urb_list(struct drm
 
 		list_add_tail(&unode->entry, &udl->urbs.list);
 
-		i++;
+		up(&udl->urbs.limit_sem);
+		udl->urbs.count++;
+		udl->urbs.available++;
 	}
 
-	sema_init(&udl->urbs.limit_sem, i);
-	udl->urbs.count = i;
-	udl->urbs.available = i;
-
-	DRM_DEBUG("allocated %d %d byte urbs\n", i, (int) size);
+	DRM_DEBUG("allocated %d %d byte urbs\n", udl->urbs.count, (int) size);
 
-	return i;
+	return udl->urbs.count;
 }
 
 struct urb *udl_get_urb(struct drm_device *dev)




* [PATCH 4.4 65/80] udl-kms: fix crash due to uninitialized memory
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 64/80] udl-kms: handle allocation failure Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 66/80] ASoC: dpcm: dont merge format from invalid codec dai Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Dave Airlie

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 09a00abe3a9941c2715ca83eb88172cd2f54d8fd upstream.

We must use kzalloc when allocating the fb_deferred_io structure.
Otherwise, the field first_io is undefined and it causes a crash.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/udl/udl_fb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -341,7 +341,7 @@ static int udl_fb_open(struct fb_info *i
 
 		struct fb_deferred_io *fbdefio;
 
-		fbdefio = kmalloc(sizeof(struct fb_deferred_io), GFP_KERNEL);
+		fbdefio = kzalloc(sizeof(struct fb_deferred_io), GFP_KERNEL);
 
 		if (fbdefio) {
 			fbdefio->delay = DL_DEFIO_WRITE_DELAY;
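Review bot: after the switch to kzalloc() the only field set explicitly in the visible lines is fbdefio->delay, so the correctness of first_io now depends silently on the zero fill. Either assign `fbdefio->first_io = NULL;` next to the delay assignment or add a comment, so that a later conversion back to kmalloc() does not reintroduce the crash.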




* [PATCH 4.4 66/80] ASoC: dpcm: dont merge format from invalid codec dai
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 65/80] udl-kms: fix crash due to uninitialized memory Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 67/80] ASoC: sirf: Fix potential NULL pointer dereference Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jerome Brunet, Mark Brown

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jerome Brunet <jbrunet@baylibre.com>

commit 4febced15ac8ddb9cf3e603edb111842e4863d9a upstream.

When merging codec formats, dpcm_runtime_base_format() should skip
the codecs which are not supporting the current stream direction.

At the moment, if a BE link has more than one codec, and only one
of these codecs has no capture DAI, it becomes impossible to start
a capture stream because the merged format would be 0.

Skipping invalid codec DAI solves the problem.

Fixes: b073ed4e2126 ("ASoC: soc-pcm: DPCM cares BE format")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/soc-pcm.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -1570,6 +1570,14 @@ static u64 dpcm_runtime_base_format(stru
 		int i;
 
 		for (i = 0; i < be->num_codecs; i++) {
+			/*
+			 * Skip CODECs which don't support the current stream
+			 * type. See soc_pcm_init_runtime_hw() for more details
+			 */
+			if (!snd_soc_dai_stream_valid(be->codec_dais[i],
+						      stream))
+				continue;
+
 			codec_dai_drv = be->codec_dais[i]->driver;
 			if (stream == SNDRV_PCM_STREAM_PLAYBACK)
 				codec_stream = &codec_dai_drv->playback;
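Review bot: the new `continue` skips a codec DAI entirely, but the hunk does not show what the merged format is when every codec on the BE is skipped. Please check that this case does not leave the format mask at a value that accepts anything, and mention it in the comment, which currently only points at soc_pcm_init_runtime_hw().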




* [PATCH 4.4 67/80] ASoC: sirf: Fix potential NULL pointer dereference
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 66/80] ASoC: dpcm: dont merge format from invalid codec dai Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 69/80] x86/irqflags: Mark native_restore_fl extern inline Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Mark Brown

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

commit ae1c696a480c67c45fb23b35162183f72c6be0e1 upstream.

There is a potential execution path in which function
platform_get_resource() returns NULL. If this happens,
we will end up having a NULL pointer dereference.

Fix this by replacing devm_ioremap with devm_ioremap_resource,
which has the NULL check and the memory region request.

This code was detected with the help of Coccinelle.

Cc: stable@vger.kernel.org
Fixes: 2bd8d1d5cf89 ("ASoC: sirf: Add audio usp interface driver")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/sirf/sirf-usp.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/sound/soc/sirf/sirf-usp.c
+++ b/sound/soc/sirf/sirf-usp.c
@@ -367,10 +367,9 @@ static int sirf_usp_pcm_probe(struct pla
 	platform_set_drvdata(pdev, usp);
 
 	mem_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-	base = devm_ioremap(&pdev->dev, mem_res->start,
-		resource_size(mem_res));
-	if (base == NULL)
-		return -ENOMEM;
+	base = devm_ioremap_resource(&pdev->dev, mem_res);
+	if (IS_ERR(base))
+		return PTR_ERR(base);
 	usp->regmap = devm_regmap_init_mmio(&pdev->dev, base,
 					    &sirf_usp_regmap_config);
 	if (IS_ERR(usp->regmap))
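Review bot: devm_ioremap_resource() does more than add the NULL check: it also requests the memory region, so probe now fails where the old devm_ioremap() call succeeded if the range is already claimed by another driver. The changelog mentions the request only in passing; for a stable backport it should confirm that no supported platform shares this register range. The error code also changes from -ENOMEM to PTR_ERR(base), which is correct but visible to anything that matches on the probe result.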




* [PATCH 4.4 69/80] x86/irqflags: Mark native_restore_fl extern inline
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 67/80] ASoC: sirf: Fix potential NULL pointer dereference Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 70/80] x86/spectre: Add missing family 6 check to microcode check Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Nick Desaulniers,
	Thomas Gleixner, Juergen Gross, H. Peter Anvin, Boris Ostrovsky

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nick Desaulniers <ndesaulniers@google.com>

commit 1f59a4581b5ecfe9b4f049a7a2cf904d8352842d upstream.

This should have been marked extern inline in order to pick up the out
of line definition in arch/x86/kernel/irqflags.S.

Fixes: 208cbb325589 ("x86/irqflags: Provide a declaration for native_save_fl")
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Juergen Gross <jgross@suse.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180827214011.55428-1-ndesaulniers@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/irqflags.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/irqflags.h
+++ b/arch/x86/include/asm/irqflags.h
@@ -28,7 +28,8 @@ extern inline unsigned long native_save_
 	return flags;
 }
 
-static inline void native_restore_fl(unsigned long flags)
+extern inline void native_restore_fl(unsigned long flags);
+extern inline void native_restore_fl(unsigned long flags)
 {
 	asm volatile("push %0 ; popf"
 		     : /* no output */
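Review bot: the hunk adds a bare `extern inline void native_restore_fl(unsigned long flags);` immediately before the definition, with no comment saying why the redundant declaration is needed. A one-line comment would keep someone from deleting it as dead code. The changelog should also name the symptom of the `static inline` version, so that the backport can be verified.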




* [PATCH 4.4 70/80] x86/spectre: Add missing family 6 check to microcode check
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 69/80] x86/irqflags: Mark native_restore_fl extern inline Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 71/80] s390: fix br_r1_trampoline for machines without exrl Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andi Kleen, Thomas Gleixner, x86

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andi Kleen <ak@linux.intel.com>

commit 1ab534e85c93945f7862378d8c8adcf408205b19 upstream.

The check for Spectre microcodes does not check for family 6, only the
model numbers.

Add a family 6 check to avoid ambiguity with other families.

Fixes: a5b296636453 ("x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes")
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180824170351.34874-2-andi@firstfloor.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/intel.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -74,6 +74,9 @@ static bool bad_spectre_microcode(struct
 	if (cpu_has(c, X86_FEATURE_HYPERVISOR))
 		return false;
 
+	if (c->x86 != 6)
+		return false;
+
 	for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
 		if (c->x86_model == spectre_bad_microcodes[i].model &&
 		    c->x86_mask == spectre_bad_microcodes[i].stepping)
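Review bot: `if (c->x86 != 6)` hard-codes the family outside the table, so spectre_bad_microcodes[] still cannot express an entry for another family and the loop compares only model and stepping. That is fine for the current list; a short comment stating that all entries are family 6, or a family field in the table, would make the assumption explicit next to the data.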




* [PATCH 4.4 71/80] s390: fix br_r1_trampoline for machines without exrl
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 70/80] x86/spectre: Add missing family 6 check to microcode check Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 72/80] s390/qdio: reset old sbal_state flags Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Schwidefsky

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <schwidefsky@de.ibm.com>

commit 26f843848bae973817b3587780ce6b7b0200d3e4 upstream.

For machines without the exrl instruction the BPF jit generates
code that uses a "br %r1" instruction located in the lowcore page.
Unfortunately there is a cut & paste error that puts an additional
"larl %r1,.+14" instruction in the code that clobbers the branch
target address in %r1. Remove the larl instruction.

Cc: <stable@vger.kernel.org> # v4.17+
Fixes: de5cb6eb51 ("s390: use expoline thunks in the BPF JIT")
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/net/bpf_jit_comp.c |    2 --
 1 file changed, 2 deletions(-)

--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -522,8 +522,6 @@ static void bpf_jit_epilogue(struct bpf_
 			/* br %r1 */
 			_EMIT2(0x07f1);
 		} else {
-			/* larl %r1,.+14 */
-			EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14);
 			/* ex 0,S390_lowcore.br_r1_tampoline */
 			EMIT4_DISP(0x44000000, REG_0, REG_0,
 				   offsetof(struct _lowcore, br_r1_trampoline));
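
Review bot: the context comment kept just below the removed larl, `/* ex 0,S390_lowcore.br_r1_tampoline */`, misspells the field that the offsetof() on the following lines names as br_r1_trampoline; worth correcting while this branch is being touched. With the larl gone, a short comment in the else branch stating that %r1 must still hold the branch target when the ex executes would guard against the same cut and paste error returning.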




* [PATCH 4.4 72/80] s390/qdio: reset old sbal_state flags
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 71/80] s390: fix br_r1_trampoline for machines without exrl Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 73/80] s390/pci: fix out of bounds access during irq setup Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julian Wiedmann, Martin Schwidefsky

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann <jwi@linux.ibm.com>

commit 64e03ff72623b8c2ea89ca3cb660094e019ed4ae upstream.

When allocating a new AOB fails, handle_outbound() is still capable of
transmitting the selected buffer (just without async completion).

But if a previous transfer on this queue slot used async completion, its
sbal_state flags field is still set to QDIO_OUTBUF_STATE_FLAG_PENDING.
So when the upper layer driver sees this stale flag, it expects an async
completion that never happens.

Fix this by unconditionally clearing the flags field.

Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
Cc: <stable@vger.kernel.org> #v3.2+
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/include/asm/qdio.h |    1 -
 drivers/s390/cio/qdio_main.c |    5 ++---
 2 files changed, 2 insertions(+), 4 deletions(-)

--- a/arch/s390/include/asm/qdio.h
+++ b/arch/s390/include/asm/qdio.h
@@ -261,7 +261,6 @@ struct qdio_outbuf_state {
 	void *user;
 };
 
-#define QDIO_OUTBUF_STATE_FLAG_NONE	0x00
 #define QDIO_OUTBUF_STATE_FLAG_PENDING	0x01
 
 #define CHSC_AC1_INITIATE_INPUTQ	0x80
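
Review bot: removing QDIO_OUTBUF_STATE_FLAG_NONE here leaves QDIO_OUTBUF_STATE_FLAG_PENDING as the only named value for the flags field, and the qdio_main.c hunk then clears the field with a bare 0. Since this is a shared header under arch/s390/include/asm, confirm that no other user in the 4.4 tree still references the removed define before it is dropped.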
--- a/drivers/s390/cio/qdio_main.c
+++ b/drivers/s390/cio/qdio_main.c
@@ -640,21 +640,20 @@ static inline unsigned long qdio_aob_for
 	unsigned long phys_aob = 0;
 
 	if (!q->use_cq)
-		goto out;
+		return 0;
 
 	if (!q->aobs[bufnr]) {
 		struct qaob *aob = qdio_allocate_aob();
 		q->aobs[bufnr] = aob;
 	}
 	if (q->aobs[bufnr]) {
-		q->sbal_state[bufnr].flags = QDIO_OUTBUF_STATE_FLAG_NONE;
 		q->sbal_state[bufnr].aob = q->aobs[bufnr];
 		q->aobs[bufnr]->user1 = (u64) q->sbal_state[bufnr].user;
 		phys_aob = virt_to_phys(q->aobs[bufnr]);
 		WARN_ON_ONCE(phys_aob & 0xFF);
 	}
 
-out:
+	q->sbal_state[bufnr].flags = 0;
 	return phys_aob;
 }
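
Review bot: the new `q->sbal_state[bufnr].flags = 0;` before `return phys_aob;` is not reached on the `!q->use_cq` path, which now does `return 0;`, so the clear is unconditional only for queues that use the completion queue. A comment on the assignment saying that it drops a stale QDIO_OUTBUF_STATE_FLAG_PENDING left by an earlier transfer when the AOB allocation fails, and why non-CQ queues do not need it, would make that intent explicit.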
 




* [PATCH 4.4 73/80] s390/pci: fix out of bounds access during irq setup
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 72/80] s390/qdio: reset old sbal_state flags Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 74/80] kprobes: Make list and blacklist root user read only Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sebastian Ott, Heiko Carstens

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Ott <sebott@linux.ibm.com>

commit 866f3576a72b2233a76dffb80290f8086dc49e17 upstream.

During interrupt setup we allocate interrupt vectors, walk the list of msi
descriptors, and fill in the message data. Requesting more interrupts than
supported on s390 can lead to an out of bounds access.

When we restrict the number of interrupts we should also stop walking the
msi list after all supported interrupts are handled.

Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/pci/pci.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/s390/pci/pci.c
+++ b/arch/s390/pci/pci.c
@@ -412,6 +412,8 @@ int arch_setup_msi_irqs(struct pci_dev *
 	hwirq = 0;
 	for_each_pci_msi_entry(msi, pdev) {
 		rc = -EIO;
+		if (hwirq >= msi_vecs)
+			break;
 		irq = irq_alloc_desc(0);	/* Alloc irq on node 0 */
 		if (irq < 0)
 			goto out_msi;
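
Review bot: the added `if (hwirq >= msi_vecs) break;` sits after `rc = -EIO;`, so the loop is left with rc still holding -EIO on what is a normal exit once all supported vectors are handled. Either move the check above the `rc = -EIO;` assignment or confirm that the code after the loop sets rc again before it is returned; a comment that msi_vecs is the restricted vector count would also help.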




* [PATCH 4.4 74/80] kprobes: Make list and blacklist root user read only
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 73/80] s390/pci: fix out of bounds access during irq setup Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 75/80] MIPS: Correct the 64-bit DSP accumulator register size Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Richter, Ingo Molnar,
	Masami Hiramatsu, Ananth N Mavinakayanahalli,
	Anil S Keshavamurthy, Arnd Bergmann, David Howells,
	David S . Miller, Heiko Carstens, Jon Medhurst, Linus Torvalds,
	Peter Zijlstra, Thomas Gleixner, Tobin C . Harding, Will Deacon,
	acme, akpm, brueckner, linux-arch, rostedt, schwidefsky

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit f2a3ab36077222437b4826fc76111caa14562b7c upstream.

Since the blacklist and list files on debugfs indicate
sensitive address information to the reader, they should be
restricted to the root user.

Suggested-by: Thomas Richter <tmricht@linux.ibm.com>
Suggested-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: David Howells <dhowells@redhat.com>
Cc: David S . Miller <davem@davemloft.net>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Jon Medhurst <tixy@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tobin C . Harding <me@tobin.cc>
Cc: Will Deacon <will.deacon@arm.com>
Cc: acme@kernel.org
Cc: akpm@linux-foundation.org
Cc: brueckner@linux.vnet.ibm.com
Cc: linux-arch@vger.kernel.org
Cc: rostedt@goodmis.org
Cc: schwidefsky@de.ibm.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/lkml/152491890171.9916.5183693615601334087.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/kprobes.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2441,7 +2441,7 @@ static int __init debugfs_kprobe_init(vo
 	if (!dir)
 		return -ENOMEM;
 
-	file = debugfs_create_file("list", 0444, dir, NULL,
+	file = debugfs_create_file("list", 0400, dir, NULL,
 				&debugfs_kprobes_operations);
 	if (!file)
 		goto error;
@@ -2451,7 +2451,7 @@ static int __init debugfs_kprobe_init(vo
 	if (!file)
 		goto error;
 
-	file = debugfs_create_file("blacklist", 0444, dir, NULL,
+	file = debugfs_create_file("blacklist", 0400, dir, NULL,
 				&debugfs_kprobe_blacklist_ops);
 	if (!file)
 		goto error;
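
Review bot: the `0400` on the "blacklist" debugfs_create_file() call, like the one on the "list" call in the previous hunk, carries no comment saying that the mode is deliberate because these files expose kernel addresses. A one-line comment above each call would keep a later cleanup from widening the mode back to 0444, and it is worth checking whether the file created between the two hunks needs the same restriction.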




* [PATCH 4.4 75/80] MIPS: Correct the 64-bit DSP accumulator register size
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 74/80] kprobes: Make list and blacklist root user read only Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 76/80] MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Paul Burton,
	Alexander Viro, James Hogan, Ralf Baechle, linux-fsdevel,
	linux-mips

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@mips.com>

commit f5958b4cf4fc38ed4583ab83fb7c4cd1ab05f47b upstream.

Use the `unsigned long' rather than `__u32' type for DSP accumulator
registers, like with the regular MIPS multiply/divide accumulator and
general-purpose registers, as all are 64-bit in 64-bit implementations
and using a 32-bit data type leads to contents truncation on context
saving.

Update `arch_ptrace' and `compat_arch_ptrace' accordingly, removing
casts that are similarly not used with multiply/divide accumulator or
general-purpose register accesses.

Signed-off-by: Maciej W. Rozycki <macro@mips.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.")
Patchwork: https://patchwork.linux-mips.org/patch/19329/
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # 2.6.15+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/include/asm/processor.h |    2 +-
 arch/mips/kernel/ptrace.c         |    2 +-
 arch/mips/kernel/ptrace32.c       |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

--- a/arch/mips/include/asm/processor.h
+++ b/arch/mips/include/asm/processor.h
@@ -131,7 +131,7 @@ struct mips_fpu_struct {
 
 #define NUM_DSP_REGS   6
 
-typedef __u32 dspreg_t;
+typedef unsigned long dspreg_t;
 
 struct mips_dsp_state {
 	dspreg_t	dspr[NUM_DSP_REGS];
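
Review bot: widening `dspreg_t` from `__u32` to `unsigned long` changes the size of `dspr[NUM_DSP_REGS]` in struct mips_dsp_state on 64-bit kernels, but the patch only updates the two ptrace readers. Any other code that saves, restores, copies or prints these registers with a 32-bit assumption needs the same audit, and the typedef deserves a comment that it must match the width of the general-purpose registers.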
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -879,7 +879,7 @@ long arch_ptrace(struct task_struct *chi
 				goto out;
 			}
 			dregs = __get_dsp_regs(child);
-			tmp = (unsigned long) (dregs[addr - DSP_BASE]);
+			tmp = dregs[addr - DSP_BASE];
 			break;
 		}
 		case DSP_CONTROL:
--- a/arch/mips/kernel/ptrace32.c
+++ b/arch/mips/kernel/ptrace32.c
@@ -140,7 +140,7 @@ long compat_arch_ptrace(struct task_stru
 				goto out;
 			}
 			dregs = __get_dsp_regs(child);
-			tmp = (unsigned long) (dregs[addr - DSP_BASE]);
+			tmp = dregs[addr - DSP_BASE];
 			break;
 		}
 		case DSP_CONTROL:
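
Review bot: in compat_arch_ptrace() the line `tmp = dregs[addr - DSP_BASE];` now reads a 64-bit dspreg_t on behalf of a 32-bit tracer, and the declaration of tmp is outside the hunk. Please confirm tmp's width and state in a comment whether handing the compat caller only the low 32 bits is intended, since the removed cast at least made the conversion visible.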




* [PATCH 4.4 76/80] MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 75/80] MIPS: Correct the 64-bit DSP accumulator register size Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 77/80] scsi: sysfs: Introduce sysfs_{un,}break_active_protection() Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Burton, Vladimir Kondratiev,
	James Hogan, Ralf Baechle, linux-mips

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@mips.com>

commit 690d9163bf4b8563a2682e619f938e6a0443947f upstream.

Some versions of GCC suboptimally generate calls to the __multi3()
intrinsic for MIPS64r6 builds, resulting in link failures due to the
missing function:

    LD      vmlinux.o
    MODPOST vmlinux.o
  kernel/bpf/verifier.o: In function `kmalloc_array':
  include/linux/slab.h:631: undefined reference to `__multi3'
  fs/select.o: In function `kmalloc_array':
  include/linux/slab.h:631: undefined reference to `__multi3'
  ...

We already have a workaround for this in which we provide the
intrinsic, but we do so selectively for GCC 7 only. Unfortunately the
issue occurs with older GCC versions too - it has been observed with
both GCC 5.4.0 & GCC 6.4.0.

MIPSr6 support was introduced in GCC 5, so all major GCC versions prior
to GCC 8 are affected and we extend our workaround accordingly to all
MIPS64r6 builds using GCC versions older than GCC 8.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Reported-by: Vladimir Kondratiev <vladimir.kondratiev@intel.com>
Fixes: ebabcf17bcd7 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds")
Patchwork: https://patchwork.linux-mips.org/patch/20297/
Cc: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org # 4.15+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/lib/multi3.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/mips/lib/multi3.c
+++ b/arch/mips/lib/multi3.c
@@ -4,12 +4,12 @@
 #include "libgcc.h"
 
 /*
- * GCC 7 suboptimally generates __multi3 calls for mips64r6, so for that
- * specific case only we'll implement it here.
+ * GCC 7 & older can suboptimally generate __multi3 calls for mips64r6, so for
+ * that specific case only we implement that intrinsic here.
  *
  * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82981
  */
-#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ == 7)
+#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ < 8)
 
 /* multiply 64-bit values, low 64-bits returned */
 static inline long long notrace dmulu(long long a, long long b)
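
Review bot: the condition `(__GNUC__ < 8)` is also true for Clang, which defines __GNUC__ as 4, so a Clang MIPS64r6 build would now compile this __multi3() as well, where `== 7` excluded it. If that is not wanted, test for GCC explicitly. The subject line also says "GCC < 7" while the code and changelog mean older than GCC 8, and the rewritten comment could name the GCC 5 lower bound the changelog gives.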




* [PATCH 4.4 77/80] scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 76/80] MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 78/80] scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Tejun Heo,
	Martin K. Petersen

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>

commit 2afc9166f79b8f6da5f347f48515215ceee4ae37 upstream.

Introduce these two functions and export them such that the next patch
can add calls to these functions from the SCSI core.

Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/sysfs/file.c       |   44 ++++++++++++++++++++++++++++++++++++++++++++
 include/linux/sysfs.h |   14 ++++++++++++++
 2 files changed, 58 insertions(+)

--- a/fs/sysfs/file.c
+++ b/fs/sysfs/file.c
@@ -408,6 +408,50 @@ int sysfs_chmod_file(struct kobject *kob
 EXPORT_SYMBOL_GPL(sysfs_chmod_file);
 
 /**
+ * sysfs_break_active_protection - break "active" protection
+ * @kobj: The kernel object @attr is associated with.
+ * @attr: The attribute to break the "active" protection for.
+ *
+ * With sysfs, just like kernfs, deletion of an attribute is postponed until
+ * all active .show() and .store() callbacks have finished unless this function
+ * is called. Hence this function is useful in methods that implement self
+ * deletion.
+ */
+struct kernfs_node *sysfs_break_active_protection(struct kobject *kobj,
+						  const struct attribute *attr)
+{
+	struct kernfs_node *kn;
+
+	kobject_get(kobj);
+	kn = kernfs_find_and_get(kobj->sd, attr->name);
+	if (kn)
+		kernfs_break_active_protection(kn);
+	return kn;
+}
+EXPORT_SYMBOL_GPL(sysfs_break_active_protection);
+
+/**
+ * sysfs_unbreak_active_protection - restore "active" protection
+ * @kn: Pointer returned by sysfs_break_active_protection().
+ *
+ * Undo the effects of sysfs_break_active_protection(). Since this function
+ * calls kernfs_put() on the kernfs node that corresponds to the 'attr'
+ * argument passed to sysfs_break_active_protection() that attribute may have
+ * been removed between the sysfs_break_active_protection() and
+ * sysfs_unbreak_active_protection() calls, it is not safe to access @kn after
+ * this function has returned.
+ */
+void sysfs_unbreak_active_protection(struct kernfs_node *kn)
+{
+	struct kobject *kobj = kn->parent->priv;
+
+	kernfs_unbreak_active_protection(kn);
+	kernfs_put(kn);
+	kobject_put(kobj);
+}
+EXPORT_SYMBOL_GPL(sysfs_unbreak_active_protection);
+
+/**
  * sysfs_remove_file_ns - remove an object attribute with a custom ns tag
  * @kobj: object we're acting for
  * @attr: attribute descriptor
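
Review bot: sysfs_break_active_protection() takes `kobject_get(kobj)` before the lookup, but when kernfs_find_and_get() returns NULL it returns without a matching kobject_put(), and a caller that receives NULL has nothing to pass to sysfs_unbreak_active_protection(), where the only kobject_put() lives. Drop the reference on the NULL path, and add a Return: line to the kernel-doc saying that NULL means the attribute was not found and no unbreak call is needed.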
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -238,6 +238,9 @@ int __must_check sysfs_create_files(stru
 				   const struct attribute **attr);
 int __must_check sysfs_chmod_file(struct kobject *kobj,
 				  const struct attribute *attr, umode_t mode);
+struct kernfs_node *sysfs_break_active_protection(struct kobject *kobj,
+						  const struct attribute *attr);
+void sysfs_unbreak_active_protection(struct kernfs_node *kn);
 void sysfs_remove_file_ns(struct kobject *kobj, const struct attribute *attr,
 			  const void *ns);
 bool sysfs_remove_file_self(struct kobject *kobj, const struct attribute *attr);
@@ -351,6 +354,17 @@ static inline int sysfs_chmod_file(struc
 	return 0;
 }
 
+static inline struct kernfs_node *
+sysfs_break_active_protection(struct kobject *kobj,
+			      const struct attribute *attr)
+{
+	return NULL;
+}
+
+static inline void sysfs_unbreak_active_protection(struct kernfs_node *kn)
+{
+}
+
 static inline void sysfs_remove_file_ns(struct kobject *kobj,
 					const struct attribute *attr,
 					const void *ns)
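
Review bot: the !CONFIG_SYSFS stub of sysfs_break_active_protection() returns NULL, and the stub sysfs_unbreak_active_protection() accepts any pointer, while the real implementation in fs/sysfs/file.c dereferences `kn->parent->priv` straight away. The header should document that NULL is a valid return and that callers must check for it before calling sysfs_unbreak_active_protection(), so code written against the stubs does not crash when sysfs is enabled.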




* [PATCH 4.4 78/80] scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 77/80] scsi: sysfs: Introduce sysfs_{un,}break_active_protection() Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 79/80] iscsi target: fix session creation failure handling Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Tejun Heo,
	Johannes Thumshirn, Martin K. Petersen

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>

commit 0ee223b2e1f67cb2de9c0e3247c510d846e74d63 upstream.

A long time ago the unfortunate decision was taken to add a self-deletion
attribute to the sysfs SCSI device directory. That decision was unfortunate
because self-deletion is really tricky. We can't drop that attribute
because widely used user space software depends on it, namely the
rescan-scsi-bus.sh script. Hence this patch that avoids that writing into
that attribute triggers a deadlock. See also commit 7973cbd9fbd9 ("[PATCH]
add sysfs attributes to scan and delete scsi_devices").

This patch avoids that self-removal triggers the following deadlock:

======================================================
WARNING: possible circular locking dependency detected
4.18.0-rc2-dbg+ #5 Not tainted
------------------------------------------------------
modprobe/6539 is trying to acquire lock:
000000008323c4cd (kn->count#202){++++}, at: kernfs_remove_by_name_ns+0x45/0x90

but task is already holding lock:
00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&shost->scan_mutex){+.+.}:
       __mutex_lock+0xfe/0xc70
       mutex_lock_nested+0x1b/0x20
       scsi_remove_device+0x26/0x40 [scsi_mod]
       sdev_store_delete+0x27/0x30 [scsi_mod]
       dev_attr_store+0x3e/0x50
       sysfs_kf_write+0x87/0xa0
       kernfs_fop_write+0x190/0x230
       __vfs_write+0xd2/0x3b0
       vfs_write+0x101/0x270
       ksys_write+0xab/0x120
       __x64_sys_write+0x43/0x50
       do_syscall_64+0x77/0x230
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (kn->count#202){++++}:
       lock_acquire+0xd2/0x260
       __kernfs_remove+0x424/0x4a0
       kernfs_remove_by_name_ns+0x45/0x90
       remove_files.isra.1+0x3a/0x90
       sysfs_remove_group+0x5c/0xc0
       sysfs_remove_groups+0x39/0x60
       device_remove_attrs+0x82/0xb0
       device_del+0x251/0x580
       __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
       scsi_forget_host+0x37/0xb0 [scsi_mod]
       scsi_remove_host+0x9b/0x150 [scsi_mod]
       sdebug_driver_remove+0x4b/0x150 [scsi_debug]
       device_release_driver_internal+0x241/0x360
       device_release_driver+0x12/0x20
       bus_remove_device+0x1bc/0x290
       device_del+0x259/0x580
       device_unregister+0x1a/0x70
       sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
       scsi_debug_exit+0x76/0xe8 [scsi_debug]
       __x64_sys_delete_module+0x1c1/0x280
       do_syscall_64+0x77/0x230
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&shost->scan_mutex);
                               lock(kn->count#202);
                               lock(&shost->scan_mutex);
  lock(kn->count#202);

 *** DEADLOCK ***

2 locks held by modprobe/6539:
 #0: 00000000efaf9298 (&dev->mutex){....}, at: device_release_driver_internal+0x68/0x360
 #1: 00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]

stack backtrace:
CPU: 10 PID: 6539 Comm: modprobe Not tainted 4.18.0-rc2-dbg+ #5
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 dump_stack+0xa4/0xf5
 print_circular_bug.isra.34+0x213/0x221
 __lock_acquire+0x1a7e/0x1b50
 lock_acquire+0xd2/0x260
 __kernfs_remove+0x424/0x4a0
 kernfs_remove_by_name_ns+0x45/0x90
 remove_files.isra.1+0x3a/0x90
 sysfs_remove_group+0x5c/0xc0
 sysfs_remove_groups+0x39/0x60
 device_remove_attrs+0x82/0xb0
 device_del+0x251/0x580
 __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
 scsi_forget_host+0x37/0xb0 [scsi_mod]
 scsi_remove_host+0x9b/0x150 [scsi_mod]
 sdebug_driver_remove+0x4b/0x150 [scsi_debug]
 device_release_driver_internal+0x241/0x360
 device_release_driver+0x12/0x20
 bus_remove_device+0x1bc/0x290
 device_del+0x259/0x580
 device_unregister+0x1a/0x70
 sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
 scsi_debug_exit+0x76/0xe8 [scsi_debug]
 __x64_sys_delete_module+0x1c1/0x280
 do_syscall_64+0x77/0x230
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

See also https://www.mail-archive.com/linux-scsi@vger.kernel.org/msg54525.html.

Fixes: ac0ece9174ac ("scsi: use device_remove_file_self() instead of device_schedule_callback()")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

---
 drivers/scsi/scsi_sysfs.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -678,8 +678,24 @@ static ssize_t
 sdev_store_delete(struct device *dev, struct device_attribute *attr,
 		  const char *buf, size_t count)
 {
-	if (device_remove_file_self(dev, attr))
-		scsi_remove_device(to_scsi_device(dev));
+	struct kernfs_node *kn;
+
+	kn = sysfs_break_active_protection(&dev->kobj, &attr->attr);
+	WARN_ON_ONCE(!kn);
+	/*
+	 * Concurrent writes into the "delete" sysfs attribute may trigger
+	 * concurrent calls to device_remove_file() and scsi_remove_device().
+	 * device_remove_file() handles concurrent removal calls by
+	 * serializing these and by ignoring the second and later removal
+	 * attempts.  Concurrent calls of scsi_remove_device() are
+	 * serialized. The second and later calls of scsi_remove_device() are
+	 * ignored because the first call of that function changes the device
+	 * state into SDEV_DEL.
+	 */
+	device_remove_file(dev, attr);
+	scsi_remove_device(to_scsi_device(dev));
+	if (kn)
+		sysfs_unbreak_active_protection(kn);
 	return count;
 };
 static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete);
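
Review bot: after `WARN_ON_ONCE(!kn);` the function still goes on to device_remove_file() and scsi_remove_device() when kn is NULL, that is, without active protection having been broken, which is the situation the changelog's lockdep report describes. Either return early when kn is NULL or extend the comment to say why continuing is safe in that case.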




* [PATCH 4.4 79/80] iscsi target: fix session creation failure handling
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 78/80] scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-03 16:49 ` [PATCH 4.4 80/80] cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Christie, Martin K. Petersen,
	Matthew Wilcox

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Christie <mchristi@redhat.com>

commit 26abc916a898d34c5ad159315a2f683def3c5555 upstream.

The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in
iscsi_login_set_conn_values. If the function fails later like when we
alloc the idr it does kfree(sess) and leaves the conn->sess pointer set.
iscsi_login_zero_tsih_s1 then returns -Exyz and we then call
iscsi_target_login_sess_out and access the freed memory.

This patch has iscsi_login_zero_tsih_s1 either completely set up the
session or completely tear it down, so later in
iscsi_target_login_sess_out we can just check for it being set to the
connection.

Cc: stable@vger.kernel.org
Fixes: 0957627a9960 ("iscsi-target: Fix sess allocation leak in...")
Signed-off-by: Mike Christie <mchristi@redhat.com>
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/iscsi/iscsi_target_login.c |   35 ++++++++++++++++++------------
 1 file changed, 21 insertions(+), 14 deletions(-)

--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -323,8 +323,7 @@ static int iscsi_login_zero_tsih_s1(
 		pr_err("idr_alloc() for sess_idr failed\n");
 		iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
 				ISCSI_LOGIN_STATUS_NO_RESOURCES);
-		kfree(sess);
-		return -ENOMEM;
+		goto free_sess;
 	}
 
 	sess->creation_time = get_jiffies_64();
@@ -340,20 +339,28 @@ static int iscsi_login_zero_tsih_s1(
 				ISCSI_LOGIN_STATUS_NO_RESOURCES);
 		pr_err("Unable to allocate memory for"
 				" struct iscsi_sess_ops.\n");
-		kfree(sess);
-		return -ENOMEM;
+		goto remove_idr;
 	}
 
 	sess->se_sess = transport_init_session(TARGET_PROT_NORMAL);
 	if (IS_ERR(sess->se_sess)) {
 		iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
 				ISCSI_LOGIN_STATUS_NO_RESOURCES);
-		kfree(sess->sess_ops);
-		kfree(sess);
-		return -ENOMEM;
+		goto free_ops;
 	}
 
 	return 0;
+
+free_ops:
+	kfree(sess->sess_ops);
+remove_idr:
+	spin_lock_bh(&sess_idr_lock);
+	idr_remove(&sess_idr, sess->session_index);
+	spin_unlock_bh(&sess_idr_lock);
+free_sess:
+	kfree(sess);
+	conn->sess = NULL;
+	return -ENOMEM;
 }
 
 static int iscsi_login_zero_tsih_s2(
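
Review bot: the shared exit under `free_sess:` returns a fixed -ENOMEM, so the `IS_ERR(sess->se_sess)` branch that jumps to `free_ops` discards the code PTR_ERR() would give. More important for the fix itself, every earlier failure return in iscsi_login_zero_tsih_s1() that runs after conn->sess has been assigned (not visible in these hunks) has to leave through `free_sess` as well, otherwise conn->sess still dangles on that path.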
@@ -1142,13 +1149,13 @@ void iscsi_target_login_sess_out(struct
 				   ISCSI_LOGIN_STATUS_INIT_ERR);
 	if (!zero_tsih || !conn->sess)
 		goto old_sess_out;
-	if (conn->sess->se_sess)
-		transport_free_session(conn->sess->se_sess);
-	if (conn->sess->session_index != 0) {
-		spin_lock_bh(&sess_idr_lock);
-		idr_remove(&sess_idr, conn->sess->session_index);
-		spin_unlock_bh(&sess_idr_lock);
-	}
+
+	transport_free_session(conn->sess->se_sess);
+
+	spin_lock_bh(&sess_idr_lock);
+	idr_remove(&sess_idr, conn->sess->session_index);
+	spin_unlock_bh(&sess_idr_lock);
+
 	kfree(conn->sess->sess_ops);
 	kfree(conn->sess);
 	conn->sess = NULL;
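
Review bot: dropping the `if (conn->sess->se_sess)` and `session_index != 0` guards makes iscsi_target_login_sess_out() depend on conn->sess being non-NULL only when the session was set up completely. That invariant is established in another function, so state it in a comment above the `transport_free_session(conn->sess->se_sess);` call to keep a later change to the setup path from reintroducing cleanup of a half-built session.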




* [PATCH 4.4 80/80] cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 79/80] iscsi target: fix session creation failure handling Greg Kroah-Hartman
@ 2018-09-03 16:49 ` Greg Kroah-Hartman
  2018-09-04  0:42 ` [PATCH 4.4 00/80] 4.4.154-stable review Nathan Chancellor
                   ` (3 subsequent siblings)
  80 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-03 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Scott Bauer, Scott Bauer, Jens Axboe

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Scott Bauer <scott.bauer@intel.com>

commit 8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4 upstream.

Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()"

There is another cast from unsigned long to int which causes
a bounds check to fail with specially crafted input. The value is
then used as an index in the slot array in cdrom_slot_status().

Signed-off-by: Scott Bauer <scott.bauer@intel.com>
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cdrom/cdrom.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2526,7 +2526,7 @@ static int cdrom_ioctl_drive_status(stru
 	if (!CDROM_CAN(CDC_SELECT_DISC) ||
 	    (arg == CDSL_CURRENT || arg == CDSL_NONE))
 		return cdi->ops->drive_status(cdi, CDSL_CURRENT);
-	if (((int)arg >= cdi->capacity))
+	if (arg >= cdi->capacity)
 		return -EINVAL;
 	return cdrom_slot_status(cdi, arg);
 }
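
Review bot: the check `arg >= cdi->capacity` is now correct only because the comparison is done without narrowing arg, and nothing in the code says so; `cdrom_slot_status(cdi, arg)` on the next line then passes the same value on as the slot index. A short comment that arg must be compared at its full unsigned long width would keep a later cleanup from restoring the `(int)arg` cast.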




* Re: [PATCH 4.4 00/80] 4.4.154-stable review
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2018-09-03 16:49 ` [PATCH 4.4 80/80] cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status Greg Kroah-Hartman
@ 2018-09-04  0:42 ` Nathan Chancellor
  2018-09-04  5:25   ` Greg Kroah-Hartman
  2018-09-04  8:23 ` Naresh Kamboju
                   ` (2 subsequent siblings)
  80 siblings, 1 reply; 87+ messages in thread
From: Nathan Chancellor @ 2018-09-04  0:42 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

On Mon, Sep 03, 2018 at 06:48:38PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.154 release.
> There are 80 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Sep  5 16:49:18 UTC 2018.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.154-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

I get to trade 4.9 for 4.4 temporarily as my Pixel 2 XL is back from
RMA and I lent my OnePlus 6 to a friend :P

Merged, compiled with -Werror, and installed onto said Pixel 2 XL.

No initial issues noticed in dmesg or general usage.

Thanks!
Nathan

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 4.4 00/80] 4.4.154-stable review
  2018-09-04  0:42 ` [PATCH 4.4 00/80] 4.4.154-stable review Nathan Chancellor
@ 2018-09-04  5:25   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-04  5:25 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

On Mon, Sep 03, 2018 at 05:42:21PM -0700, Nathan Chancellor wrote:
> On Mon, Sep 03, 2018 at 06:48:38PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.4.154 release.
> > There are 80 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Wed Sep  5 16:49:18 UTC 2018.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.154-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> I get to trade 4.9 for 4.4 temporarily as my Pixel 2 XL is back from
> RMA and I lent my OnePlus 6 to a friend :P
> 
> Merged, compiled with -Werror, and installed onto said Pixel 2 XL.
> 
> No initial issues noticed in dmesg or general usage.

Thanks for testing these two kernels and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 4.4 00/80] 4.4.154-stable review
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2018-09-04  0:42 ` [PATCH 4.4 00/80] 4.4.154-stable review Nathan Chancellor
@ 2018-09-04  8:23 ` Naresh Kamboju
  2018-09-04 19:26 ` Shuah Khan
  2018-09-04 22:51 ` Guenter Roeck
  80 siblings, 0 replies; 87+ messages in thread
From: Naresh Kamboju @ 2018-09-04  8:23 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On 3 September 2018 at 22:18, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 4.4.154 release.
> There are 80 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Sep  5 16:49:18 UTC 2018.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.154-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm and x86_64.

x86_64 and i386 testing is still ongoing,
but qemu_x86_64 and qemu_i386 were finished.


Summary
------------------------------------------------------------------------

kernel: 4.4.154-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.4.y
git commit: c9eed05cd5dd6431baa46476df2cf05e3c7a36c8
git describe: v4.4.153-81-gc9eed05cd5dd
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.4-oe/build/v4.4.153-81-gc9eed05cd5dd


No regressions (compared to build v4.4.153-81-gcca2878104c8)


Ran 16784 total tests in the following environments and test suites.

Environments
--------------
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* boot
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-containers-tests
* ltp-cve-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

Summary
------------------------------------------------------------------------

kernel: 4.4.154-rc1
git repo: https://git.linaro.org/lkft/arm64-stable-rc.git
git branch: 4.4.154-rc1-hikey-20180903-275
git commit: 7048ee43ee3065e53fa65eeed32abe4959e136e3
git describe: 4.4.154-rc1-hikey-20180903-275
Test details: https://qa-reports.linaro.org/lkft/linaro-hikey-stable-rc-4.4-oe/build/4.4.154-rc1-hikey-20180903-275

No regressions (compared to build 4.4.154-rc1-hikey-20180903-274)


Ran 2722 total tests in the following environments and test suites.

Environments
--------------
- hi6220-hikey - arm64
- qemu_arm64

Test Suites
-----------
* boot
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-containers-tests
* ltp-cve-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 4.4 00/80] 4.4.154-stable review
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2018-09-04  8:23 ` Naresh Kamboju
@ 2018-09-04 19:26 ` Shuah Khan
  2018-09-04 22:51 ` Guenter Roeck
  80 siblings, 0 replies; 87+ messages in thread
From: Shuah Khan @ 2018-09-04 19:26 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, Shuah Khan

On 09/03/2018 10:48 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.154 release.
> There are 80 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Sep  5 16:49:18 UTC 2018.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.154-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 4.4 00/80] 4.4.154-stable review
  2018-09-03 16:48 [PATCH 4.4 00/80] 4.4.154-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2018-09-04 19:26 ` Shuah Khan
@ 2018-09-04 22:51 ` Guenter Roeck
  80 siblings, 0 replies; 87+ messages in thread
From: Guenter Roeck @ 2018-09-04 22:51 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage, stable

On 09/03/2018 09:48 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.154 release.
> There are 80 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Sep  5 16:49:18 UTC 2018.
> Anything received after that time might be too late.
> 

Build results:
	total: 150 pass: 150 fail: 0
Qemu test results:
	total: 234 pass: 234 fail: 0

Details are available at https://kerneltests.org/builders/.

Guenter

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 4.4 03/80] vti6: fix PMTU caching and reporting on xmit
  2018-09-03 16:48 ` [PATCH 4.4 03/80] vti6: fix PMTU caching and reporting on xmit Greg Kroah-Hartman
@ 2018-09-11 23:22   ` Ben Hutchings
  2018-09-13  7:07     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 87+ messages in thread
From: Ben Hutchings @ 2018-09-11 23:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Eyal Birger, Steffen Klassert, Sasha Levin, Alexey Kodanev

On Mon, 2018-09-03 at 18:48 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Eyal Birger <eyal.birger@gmail.com>
> 
> [ Upstream commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ]
[...]

This caused a regression, fixed upstream by:

commit 9f2895461439fda2801a7906fb4c5fb3dbb37a0a
Author: Alexey Kodanev <alexey.kodanev@oracle.com>
Date:   Thu Aug 23 19:49:54 2018 +0300

    vti6: remove !skb->ignore_df check from vti6_xmit()

So I think that is now needed on the 4.4, 4.9, and 4.14 stable
branches.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 4.4 34/80] enic: handle mtu change for vf properly
  2018-09-03 16:49 ` [PATCH 4.4 34/80] enic: handle mtu change for vf properly Greg Kroah-Hartman
@ 2018-09-12  1:03   ` Ben Hutchings
  2018-09-13  7:10     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 87+ messages in thread
From: Ben Hutchings @ 2018-09-12  1:03 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Govindarajulu Varadarajan, David S. Miller, Sasha Levin

On Mon, 2018-09-03 at 18:49 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Govindarajulu Varadarajan <gvaradar@cisco.com>
> 
> [ Upstream commit ab123fe071c9aa9680ecd62eb080eb26cff4892c ]
> 
> When driver gets notification for mtu change, driver does not handle it for
> all RQs. It handles only RQ[0].
> 
> Fix is to use enic_change_mtu() interface to change mtu for vf.
[...]

This causes an assertion failure (noisy error logging, but not an oops)
when the driver is probed.  This was fixed upstream by:

commit cb5c6568867325f9905e80c96531d963bec8e5ea
Author: Govindarajulu Varadarajan <gvaradar@cisco.com>
Date:   Mon Jul 30 09:56:54 2018 -0700

    enic: do not call enic_change_mtu in enic_probe

which is now needed on the 3.18, 4.4, and 4.9 stable branches.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 4.4 03/80] vti6: fix PMTU caching and reporting on xmit
  2018-09-11 23:22   ` Ben Hutchings
@ 2018-09-13  7:07     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-13  7:07 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, Eyal Birger, Steffen Klassert, Sasha Levin,
	Alexey Kodanev

On Wed, Sep 12, 2018 at 12:22:33AM +0100, Ben Hutchings wrote:
> On Mon, 2018-09-03 at 18:48 +0200, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Eyal Birger <eyal.birger@gmail.com>
> > 
> > [ Upstream commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ]
> [...]
> 
> This caused a regression, fixed upstream by:
> 
> commit 9f2895461439fda2801a7906fb4c5fb3dbb37a0a
> Author: Alexey Kodanev <alexey.kodanev@oracle.com>
> Date:   Thu Aug 23 19:49:54 2018 +0300
> 
>     vti6: remove !skb->ignore_df check from vti6_xmit()
> 
> So I think that is now needed on the 4.4, 4.9, and 4.14 stable
> branches.

Already all queued up a few days ago :)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 4.4 34/80] enic: handle mtu change for vf properly
  2018-09-12  1:03   ` Ben Hutchings
@ 2018-09-13  7:10     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-13  7:10 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, Govindarajulu Varadarajan, David S. Miller,
	Sasha Levin

On Wed, Sep 12, 2018 at 02:03:13AM +0100, Ben Hutchings wrote:
> On Mon, 2018-09-03 at 18:49 +0200, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Govindarajulu Varadarajan <gvaradar@cisco.com>
> > 
> > [ Upstream commit ab123fe071c9aa9680ecd62eb080eb26cff4892c ]
> > 
> > When driver gets notification for mtu change, driver does not handle it for
> > all RQs. It handles only RQ[0].
> > 
> > Fix is to use enic_change_mtu() interface to change mtu for vf.
> [...]
> 
> This causes an assertion failure (noisy error logging, but not an oops)
> when the driver is probed.  This was fixed upstream by:
> 
> commit cb5c6568867325f9905e80c96531d963bec8e5ea
> Author: Govindarajulu Varadarajan <gvaradar@cisco.com>
> Date:   Mon Jul 30 09:56:54 2018 -0700
> 
>     enic: do not call enic_change_mtu in enic_probe
> 
> which is now needed on the 3.18, 4.4, and 4.9 stable branches.

Ah, I didn't realize it was really needed on the older branches as well,
due to the lack of the mtu settings on those kernel trees in this
driver.

I've now backported it there, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 87+ messages in thread
