* [PATCH 4.14 000/143] 4.14.79-stable review
@ 2018-11-02 18:33 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.14.79 release.
There are 143 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun Nov  4 18:27:59 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.79-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.14.79-rc1

Davide Caratti <dcaratti@redhat.com>
    net/sched: cls_api: add missing validation of netlink attributes

Florian Fainelli <f.fainelli@gmail.com>
    net: bcmgenet: Poll internal PHY for GENETv5

Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    net: ipmr: fix unresolved entry dumps

Ido Schimmel <idosch@mellanox.com>
    rtnetlink: Disallow FDB configuration for non-Ethernet device

Eric Dumazet <edumazet@google.com>
    net/mlx5e: fix csum adjustments caused by RXFCS

Dimitris Michailidis <dmichail@google.com>
    net: fix pskb_trim_rcsum_slow() with odd trim offset

Cong Wang <xiyou.wangcong@gmail.com>
    net: drop skb on failure in ip_check_defrag()

Phil Sutter <phil@nwl.cc>
    net: sched: Fix for duplicate class dump

Huy Nguyen <huyn@mellanox.com>
    net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type

Jaime Caamaño Ruiz <jcaamano@suse.com>
    openvswitch: Fix push/pop ethernet validation

Stefano Brivio <sbrivio@redhat.com>
    ip6_tunnel: Fix encapsulation layout

Tobias Jungel <tobias.jungel@gmail.com>
    bonding: fix length of actor system

Wenwen Wang <wang6495@umn.edu>
    ethtool: fix a privilege escalation bug

Ake Koomsin <ake@igel.co.jp>
    virtio_net: avoid using netif_tx_disable() for serializing tx routine

Jason Wang <jasowang@redhat.com>
    vhost: Fix Spectre V1 vulnerability

Paolo Abeni <pabeni@redhat.com>
    udp6: fix encap return code for resubmitting

Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    sctp: fix race on sctp_id2asoc

Heiner Kallweit <hkallweit1@gmail.com>
    r8169: fix NAPI handling under high load

Sean Tranchetti <stranche@codeaurora.org>
    net: udp: fix handling of CHECKSUM_COMPLETE packets

Niklas Cassel <niklas.cassel@linaro.org>
    net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules

Wenwen Wang <wang6495@umn.edu>
    net: socket: fix a missing-check bug

Jakub Kicinski <jakub.kicinski@netronome.com>
    net: sched: gred: pass the right attribute to gred_change_table_def()

David Ahern <dsahern@gmail.com>
    net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs

Fugang Duan <fugang.duan@nxp.com>
    net: fec: don't dump RX FIFO register when not available

Cong Wang <xiyou.wangcong@gmail.com>
    llc: set SOCK_RCU_FREE in llc_sap_add_socket()

Stefano Brivio <sbrivio@redhat.com>
    ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called

Eric Dumazet <edumazet@google.com>
    ipv6: mcast: fix a use-after-free in inet6_mc_check

Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    net: bridge: remove ipv6 zero address check in mcast queries

Hangbin Liu <liuhangbin@gmail.com>
    bridge: do not add port to router list when receives query with source 0.0.0.0

Colin Ian King <colin.king@canonical.com>
    drm/i915/gvt: fix memory leak of a cmd_entry struct on error exit path

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    perf tools: Disable parallelism for 'make clean'

Sasha Levin <sashal@kernel.org>
    Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing"

Takashi Iwai <tiwai@suse.de>
    ALSA: usx2y: Fix invalid stream URBs

Philipp Zabel <philipp.zabel@gmail.com>
    media: uvcvideo: Fix driver reference counting

Chris Paterson <chris.paterson2@renesas.com>
    ARM: dts: r8a7790: Correct critical CPU temperature

Peter Xu <peterx@redhat.com>
    kvm: x86: fix WARN due to uninitialized guest FPU state

Kimmo Rautkoski <ext-kimmo.rautkoski@vaisala.com>
    mtd: spi-nor: Add support for is25wp series chips

Christoph Paasch <cpaasch@apple.com>
    sch_netem: restore skb->dev after dequeuing from the rbtree

Khazhismel Kumykov <khazhy@google.com>
    fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()

Paolo Abeni <pabeni@redhat.com>
    selftests: rtnetlink.sh explicitly requires bash.

Arthur Kiyanovski <akiyano@amazon.com>
    net: ena: fix NULL dereference due to untimely napi initialization

Arthur Kiyanovski <akiyano@amazon.com>
    net: ena: fix warning in rmmod caused by double iounmap

David Howells <dhowells@redhat.com>
    rxrpc: Fix connection-level abort handling

David Howells <dhowells@redhat.com>
    rxrpc: Only take the rwind and mtu values from latest ACK

David Howells <dhowells@redhat.com>
    rxrpc: Don't check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window()

Arnaldo Carvalho de Melo <acme@redhat.com>
    perf python: Use -Wno-redundant-decls to build with PYTHON=python3

Sascha Hauer <s.hauer@pengutronix.de>
    ARM: dts: imx53-qsb: disable 1.2GHz OPP

Paul Burton <paul.burton@mips.com>
    compiler.h: Allow arch-specific asm/compiler.h

Sandipan Das <sandipan@linux.ibm.com>
    perf tests: Fix indexing when invoking subtests

Daniel Mack <daniel@zonque.org>
    libertas: call into generic suspend code before turning off power

Masahiro Yamada <yamada.masahiro@socionext.com>
    kconfig: fix the rule of mainmenu_stmt symbol

Arnd Bergmann <arnd@arndb.de>
    net: stmmac: mark PM functions as __maybe_unused

Dan Carpenter <dan.carpenter@oracle.com>
    x86/paravirt: Fix some warning messages

Florian Fainelli <f.fainelli@gmail.com>
    net: phy: phylink: Don't release NULL GPIO

Qu Wenruo <wqu@suse.com>
    btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf

Martin K. Petersen <martin.petersen@oracle.com>
    scsi: sd: Remember that READ CAPACITY(16) succeeded

Brian King <brking@linux.vnet.ibm.com>
    scsi: ibmvfc: Avoid unnecessary port relogin

Michael Neuling <mikey@neuling.org>
    selftests/powerpc: Add ptrace hw breakpoint test

Phil Reid <preid@electromag.com.au>
    iio: buffer: fix the function signature to match implementation

Govindarajulu Varadarajan <gvaradar@cisco.com>
    enic: do not overwrite error code

Phil Elwell <phil@raspberrypi.org>
    lan78xx: Don't reset the interface on open

Paul Burton <paul.burton@mips.com>
    MIPS: Workaround GCC __builtin_unreachable reordering bug

John Keeping <john@metanate.com>
    mmc: dw_mmc-rockchip: correct property names in debug

Jason Gunthorpe <jgg@mellanox.com>
    IB/usnic: Update with bug fixes from core code

Ross Lagerwall <ross.lagerwall@citrix.com>
    xen-netfront: Fix mismatched rtnl_unlock

Ross Lagerwall <ross.lagerwall@citrix.com>
    xen-netfront: Update features after registering netdev

Winkler, Tomas <tomas.winkler@intel.com>
    tpm: tpm_crb: relinquish locality on error path.

John Fastabend <john.fastabend@gmail.com>
    bpf: sockmap, map_release does not hold refcnt for pinned maps

Nayna Jain <nayna@linux.vnet.ibm.com>
    tpm: move the delay_msec increment after sleep in tpm_transmit()

David S. Miller <davem@davemloft.net>
    sparc64: Fix regression in pmdp_invalidate().

KarimAllah Ahmed <karahmed@amazon.de>
    KVM: x86: Update the exit_qualification access bits while walking an address

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches

Geert Uytterhoeven <geert@linux-m68k.org>
    cifs: Use ULL suffix for 64-bit constant

James Chapman <jchapman@katalix.com>
    l2tp: remove configurable payload offset

Marcel Ziswiler <marcel.ziswiler@toradex.com>
    ARM: tegra: Fix ULPI regression on Tegra20

Noa Osherovich <noaos@mellanox.com>
    IB/mlx5: Avoid passing an invalid QP type to firmware

Stefan Agner <stefan@agner.ch>
    kbuild: set no-integrated-as before incl. arch Makefile

Ben Hutchings <ben.hutchings@codethink.co.uk>
    scsi: qla2xxx: Avoid double completion of abort command

Shay Agroskin <shayag@mellanox.com>
    net/mlx5e: Refine ets validation function

Kevin Hao <haokexin@gmail.com>
    net: phy: Add general dummy stubs for MMD register access

Kevin Hao <haokexin@gmail.com>
    net: phy: realtek: Use the dummy stubs for MMD register access for rtl8211b

Milan Broz <gmazyland@gmail.com>
    dm integrity: fail early if required HMAC key is not available

Corentin Labbe <clabbe@baylibre.com>
    powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n

Israel Rukshin <israelr@mellanox.com>
    net/mlx5: Fix mlx5_get_vector_affinity function

Julian Wiedmann <jwi@linux.vnet.ibm.com>
    s390/qeth: fix error handling in adapter command callbacks

Doug Ledford <dledford@redhat.com>
    IB/rxe: put the pool on allocation failure

Alex Vesker <valex@mellanox.com>
    IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush

Arnd Bergmann <arnd@arndb.de>
    scsi: aacraid: address UBSAN warning regression

Shuah Khan <shuah@kernel.org>
    usbip: vhci_hcd: update 'status' file header and format

Dan Williams <dan.j.williams@intel.com>
    tools/testing/nvdimm: unit test clear-error commands

Andy Lutomirski <luto@kernel.org>
    x86/power: Fix some ordering bugs in __restore_processor_context()

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    iwlwifi: fix the ALIVE notification layout

Liad Kaufman <liad.kaufman@intel.com>
    iwlwifi: dbg: allow wrt collection before ALIVE

Sara Sharon <sara.sharon@intel.com>
    iwlwifi: mvm: check for short GI only for OFDM

Larry Chen <lchen@suse.com>
    ocfs2: fix crash in ocfs2_duplicate_clusters_by_page()

Wenwen Wang <wang6495@umn.edu>
    yam: fix a missing-check bug

Wenwen Wang <wang6495@umn.edu>
    net: cxgb3_main: fix a missing-check bug

Davide Caratti <dcaratti@redhat.com>
    be2net: don't flip hw_features when VXLANs are added/deleted

Guenter Roeck <linux@roeck-us.net>
    locking/ww_mutex: Fix runtime warning in the WW mutex selftest

Sean Tranchetti <stranche@codeaurora.org>
    net: qualcomm: rmnet: Skip processing loopback packets

Maciej W. Rozycki <macro@linux-mips.org>
    declance: Fix continuation with the adapter identification message

Rickard x Andersson <rickaran@axis.com>
    net: fec: fix rare tx timeout

Natarajan, Janakarajan <Janakarajan.Natarajan@amd.com>
    perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events

Kan Liang <kan.liang@linux.intel.com>
    perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX

Jiri Olsa <jolsa@redhat.com>
    perf/ring_buffer: Prevent concurent ring buffer access

Peter Zijlstra <peterz@infradead.org>
    perf/core: Fix perf_pmu_unregister() locking

Yu Zhao <yuzhao@google.com>
    cfg80211: fix use-after-free in reg_process_hint()

Florian Fainelli <f.fainelli@gmail.com>
    smsc95xx: Check for Wake-on-LAN modes

Florian Fainelli <f.fainelli@gmail.com>
    smsc75xx: Check for Wake-on-LAN modes

Florian Fainelli <f.fainelli@gmail.com>
    r8152: Check for supported Wake-on-LAN Modes

Florian Fainelli <f.fainelli@gmail.com>
    sr9800: Check for supported Wake-on-LAN modes

Florian Fainelli <f.fainelli@gmail.com>
    lan78xx: Check for supported Wake-on-LAN modes

Florian Fainelli <f.fainelli@gmail.com>
    ax88179_178a: Check for supported Wake-on-LAN modes

Florian Fainelli <f.fainelli@gmail.com>
    asix: Check for supported Wake-on-LAN modes

Masashi Honma <masashi.honma@gmail.com>
    nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds

Nathan Chancellor <natechancellor@gmail.com>
    qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt

Nathan Chancellor <natechancellor@gmail.com>
    qed: Avoid constant logical operation warning in qed_vf_pf_acquire

Nathan Chancellor <natechancellor@gmail.com>
    qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor

Nathan Chancellor <natechancellor@gmail.com>
    qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv

Nathan Chancellor <natechancellor@gmail.com>
    qed: Avoid implicit enum conversion in qed_set_tunn_cls_info

Lubomir Rintel <lkundrak@v3.sk>
    pxa168fb: prepare the clock

Matias Karhumaa <matias.karhumaa@gmail.com>
    Bluetooth: SMP: fix crash in unpairing

Martin Willi <martin@strongswan.org>
    mac80211_hwsim: do not omit multicast announce of first added radio

Masashi Honma <masashi.honma@gmail.com>
    nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT

Zhao Qiang <qiang.zhao@nxp.com>
    soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()

Alexandre Belloni <alexandre.belloni@bootlin.com>
    soc: fsl: qbman: qman: avoid allocating from non existing gen_pool

Michal Simek <michal.simek@xilinx.com>
    net: macb: Clean 64b dma addresses if they are not detected

Florian Fainelli <f.fainelli@gmail.com>
    ARM: dts: BCM63xx: Fix incorrect interrupt specifiers

Steve Capper <steve.capper@arm.com>
    arm64: hugetlb: Fix handling of young ptes

David Ahern <dsahern@gmail.com>
    netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev

Sean Tranchetti <stranche@codeaurora.org>
    xfrm: validate template mode

Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
    ARM: 8799/1: mm: fix pci_ioremap_io() offset check

Steffen Klassert <steffen.klassert@secunet.com>
    xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.

Yuan-Chi Pang <fu3mo6goo@gmail.com>
    mac80211: fix TX status reporting for ieee80211s

Johannes Berg <johannes.berg@intel.com>
    mac80211: TDLS: fix skb queue/priority assignment

Jouni Malinen <jouni@codeaurora.org>
    cfg80211: Address some corner cases in scan result channel updating

Bob Copeland <me@bobcopeland.com>
    mac80211: fix pending queue hang due to TX_DROP

Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    cfg80211: reg: Init wiphy_idx in regulatory_hint_core()

Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    mac80211: Always report TX status

Sowmini Varadhan <sowmini.varadhan@oracle.com>
    xfrm: reset crypto_done when iterating over multiple input xfrms

Sowmini Varadhan <sowmini.varadhan@oracle.com>
    xfrm: reset transport header back to network header after all input transforms ahave been applied

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    xfrm6: call kfree_skb when skb is toobig

Steffen Klassert <steffen.klassert@secunet.com>
    xfrm: Validate address prefix lengths in the xfrm selector.


-------------

Diffstat:

 Makefile                                           |   8 +-
 arch/Kconfig                                       |   8 +
 arch/arm/boot/dts/bcm63138.dtsi                    |  14 +-
 arch/arm/boot/dts/imx53-qsb-common.dtsi            |  11 +
 arch/arm/boot/dts/r8a7790.dtsi                     |   2 +-
 arch/arm/boot/dts/tegra20.dtsi                     |   2 +-
 arch/arm/mm/ioremap.c                              |   2 +-
 arch/arm64/mm/hugetlbpage.c                        |  12 +-
 arch/mips/Kconfig                                  |   1 +
 arch/mips/include/asm/compiler.h                   |  35 +++
 arch/powerpc/include/asm/topology.h                |   3 +
 arch/sparc/mm/tlb.c                                |  19 +-
 arch/x86/events/amd/uncore.c                       |  10 +
 arch/x86/events/intel/uncore_snbep.c               |  12 +-
 arch/x86/include/asm/perf_event.h                  |   8 +
 arch/x86/kernel/paravirt.c                         |   4 +-
 arch/x86/kvm/paging_tmpl.h                         |  11 +-
 arch/x86/kvm/x86.c                                 |   6 +-
 arch/x86/power/cpu.c                               |  21 +-
 drivers/char/tpm/tpm-interface.c                   |   3 +-
 drivers/char/tpm/tpm_crb.c                         |  10 +-
 drivers/gpu/drm/i915/gvt/cmd_parser.c              |   1 +
 drivers/infiniband/hw/mlx5/main.c                  |   2 +-
 drivers/infiniband/hw/mlx5/qp.c                    |   7 +-
 drivers/infiniband/hw/usnic/usnic_ib_verbs.c       |   2 +-
 drivers/infiniband/hw/usnic/usnic_uiom.c           |  40 ++-
 drivers/infiniband/hw/usnic/usnic_uiom.h           |   5 +-
 drivers/infiniband/sw/rxe/rxe_pool.c               |  16 +-
 drivers/infiniband/ulp/ipoib/ipoib_ib.c            |   7 +-
 drivers/md/dm-integrity.c                          |   3 +
 drivers/media/usb/uvc/uvc_driver.c                 |  11 +-
 drivers/mmc/host/dw_mmc-rockchip.c                 |   4 +-
 drivers/mtd/spi-nor/spi-nor.c                      |   6 +
 drivers/net/bonding/bond_netlink.c                 |   3 +-
 drivers/net/ethernet/amazon/ena/ena_netdev.c       |  18 +-
 drivers/net/ethernet/amd/declance.c                |  10 +-
 drivers/net/ethernet/broadcom/genet/bcmmii.c       |   9 +-
 drivers/net/ethernet/cadence/macb_main.c           |   1 +
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c    |  17 +
 drivers/net/ethernet/cisco/enic/enic_main.c        |   9 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |   5 +-
 drivers/net/ethernet/freescale/fec.h               |   4 +
 drivers/net/ethernet/freescale/fec_main.c          |  24 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c |  17 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c    |  45 +--
 drivers/net/ethernet/mellanox/mlx5/core/eq.c       |   2 +-
 drivers/net/ethernet/qlogic/qed/qed_iwarp.c        |   4 +-
 drivers/net/ethernet/qlogic/qed/qed_roce.c         |  15 +-
 drivers/net/ethernet/qlogic/qed/qed_sp_commands.c  |   2 +-
 drivers/net/ethernet/qlogic/qed/qed_vf.c           |   5 +-
 .../net/ethernet/qualcomm/rmnet/rmnet_handlers.c   |   3 +
 drivers/net/ethernet/realtek/r8169.c               |   8 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c  |   2 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c   |   4 +-
 drivers/net/hamradio/yam.c                         |   4 +
 drivers/net/phy/phy_device.c                       |  17 +
 drivers/net/phy/phylink.c                          |   2 +-
 drivers/net/phy/realtek.c                          |   2 +
 drivers/net/usb/asix_common.c                      |   3 +
 drivers/net/usb/ax88179_178a.c                     |   3 +
 drivers/net/usb/lan78xx.c                          |  21 +-
 drivers/net/usb/r8152.c                            |   3 +
 drivers/net/usb/smsc75xx.c                         |   3 +
 drivers/net/usb/smsc95xx.c                         |   3 +
 drivers/net/usb/sr9800.c                           |   3 +
 drivers/net/virtio_net.c                           |   5 +-
 drivers/net/wireless/intel/iwlwifi/fw/api/alive.h  |   4 +-
 drivers/net/wireless/intel/iwlwifi/fw/dbg.c        |  15 +-
 drivers/net/wireless/intel/iwlwifi/mvm/rx.c        |   3 +-
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c      |   4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   3 +-
 drivers/net/wireless/marvell/libertas/if_sdio.c    |   4 +
 drivers/net/xen-netfront.c                         |  11 +-
 drivers/s390/net/qeth_core_main.c                  |  85 +++--
 drivers/scsi/aacraid/commsup.c                     |   8 +-
 drivers/scsi/ibmvscsi/ibmvfc.c                     |   6 +-
 drivers/scsi/qla2xxx/qla_init.c                    |   4 +-
 drivers/scsi/sd.c                                  |   2 +
 drivers/soc/fsl/qbman/qman.c                       |   3 +
 drivers/soc/fsl/qe/ucc.c                           |   2 +-
 drivers/usb/usbip/vhci_sysfs.c                     |  12 +-
 drivers/vhost/vhost.c                              |   2 +
 drivers/video/fbdev/pxa168fb.c                     |   6 +-
 fs/btrfs/qgroup.c                                  |   4 +-
 fs/cifs/inode.c                                    |   2 +-
 fs/fat/fatent.c                                    |   1 +
 fs/ocfs2/refcounttree.c                            |  16 +-
 include/linux/bpf.h                                |   2 +-
 include/linux/compiler_types.h                     |  12 +
 include/linux/iio/buffer-dma.h                     |   2 +-
 include/linux/mlx5/driver.h                        |  12 +-
 include/linux/phy.h                                |   4 +
 kernel/bpf/arraymap.c                              |   3 +-
 kernel/bpf/sockmap.c                               |   4 +-
 kernel/bpf/syscall.c                               |   4 +-
 kernel/events/core.c                               |  11 +-
 kernel/locking/test-ww_mutex.c                     |  10 +-
 lib/test_bpf.c                                     |   2 +-
 net/bluetooth/mgmt.c                               |   7 +-
 net/bluetooth/smp.c                                |  29 +-
 net/bluetooth/smp.h                                |   3 +-
 net/bridge/br_multicast.c                          |   9 +-
 net/bridge/br_netfilter_hooks.c                    |   3 +-
 net/core/datagram.c                                |   5 +-
 net/core/ethtool.c                                 |   8 +-
 net/core/rtnetlink.c                               |  10 +
 net/core/skbuff.c                                  |   5 +-
 net/ipv4/ip_fragment.c                             |  12 +-
 net/ipv4/ipmr.c                                    |   2 -
 net/ipv4/udp.c                                     |  20 +-
 net/ipv4/xfrm4_input.c                             |   1 +
 net/ipv4/xfrm4_mode_transport.c                    |   4 +-
 net/ipv6/addrconf.c                                |   6 +-
 net/ipv6/ip6_checksum.c                            |  20 +-
 net/ipv6/ip6_tunnel.c                              |   9 +-
 net/ipv6/mcast.c                                   |  16 +-
 net/ipv6/ndisc.c                                   |   3 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   2 -
 net/ipv6/udp.c                                     |   6 +-
 net/ipv6/xfrm6_input.c                             |   1 +
 net/ipv6/xfrm6_mode_transport.c                    |   4 +-
 net/ipv6/xfrm6_output.c                            |   2 +
 net/l2tp/l2tp_core.c                               |  14 +-
 net/l2tp/l2tp_core.h                               |   3 -
 net/l2tp/l2tp_debugfs.c                            |   4 +-
 net/l2tp/l2tp_netlink.c                            |   3 -
 net/llc/llc_conn.c                                 |   1 +
 net/mac80211/mesh.h                                |   3 +-
 net/mac80211/mesh_hwmp.c                           |   9 +-
 net/mac80211/status.c                              |  11 +-
 net/mac80211/tdls.c                                |   8 +-
 net/mac80211/tx.c                                  |   2 +-
 net/openvswitch/flow_netlink.c                     |   4 +-
 net/rxrpc/ar-internal.h                            |   4 +-
 net/rxrpc/call_accept.c                            |   4 +-
 net/rxrpc/conn_event.c                             |  26 +-
 net/rxrpc/input.c                                  |  54 ++--
 net/sched/cls_api.c                                |   7 +-
 net/sched/sch_api.c                                |   3 +-
 net/sched/sch_gred.c                               |   2 +-
 net/sched/sch_netem.c                              |   4 +
 net/sctp/socket.c                                  |   5 +-
 net/socket.c                                       |  11 +-
 net/wireless/nl80211.c                             |  20 +-
 net/wireless/reg.c                                 |   8 +-
 net/wireless/scan.c                                |  58 +++-
 net/xfrm/xfrm_input.c                              |   1 +
 net/xfrm/xfrm_output.c                             |   4 +
 net/xfrm/xfrm_policy.c                             |   4 +
 net/xfrm/xfrm_user.c                               |  15 +
 scripts/kconfig/zconf.y                            |   4 +-
 sound/usb/usx2y/usb_stream.c                       |  23 +-
 tools/perf/Makefile                                |   4 +-
 tools/perf/tests/builtin-test.c                    |   4 +-
 tools/perf/util/setup.py                           |   2 +-
 tools/testing/nvdimm/test/nfit.c                   |  18 ++
 tools/testing/selftests/net/rtnetlink.sh           |   2 +-
 tools/testing/selftests/powerpc/ptrace/.gitignore  |   1 +
 tools/testing/selftests/powerpc/ptrace/Makefile    |   2 +-
 .../selftests/powerpc/ptrace/ptrace-hwbreak.c      | 342 +++++++++++++++++++++
 160 files changed, 1231 insertions(+), 495 deletions(-)




* [PATCH 4.14 001/143] xfrm: Validate address prefix lengths in the xfrm selector.
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Air Icy, Steffen Klassert, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ]

We don't validate the address prefix lengths in the xfrm
selector we got from userspace. This can lead to undefined
behaviour in the address matching functions if the prefix
is too big for the given address family. Fix this by checking
the prefixes and refuse SA/policy insertion when a prefix
is invalid.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Air Icy <icytxw@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_user.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 5554d28a32eb..4292347bf45e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
 	err = -EINVAL;
 	switch (p->family) {
 	case AF_INET:
+		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+			goto out;
+
 		break;
 
 	case AF_INET6:
 #if IS_ENABLED(CONFIG_IPV6)
+		if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
+			goto out;
+
 		break;
 #else
 		err = -EAFNOSUPPORT;
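
Review bot: in verify_newsa_info() the new bounds are selected by `switch (p->family)`, but the fields being checked, `p->sel.prefixlen_d` and `p->sel.prefixlen_s`, belong to the selector, whose own family is `p->sel.family` (the key the verify_newpolicy_info() hunk uses). If the two families can differ, an AF_INET selector carried by an AF_INET6 SA would be allowed prefix lengths up to 128. Suggest keying the check on `p->sel.family`, or adding a comment that states why the two families are guaranteed to match at this point.
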
@@ -1353,10 +1359,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
 
 	switch (p->sel.family) {
 	case AF_INET:
+		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+			return -EINVAL;
+
 		break;
 
 	case AF_INET6:
 #if IS_ENABLED(CONFIG_IPV6)
+		if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
+			return -EINVAL;
+
 		break;
 #else
 		return  -EAFNOSUPPORT;
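
Review bot: the literals 32 and 128 and the same two-field comparison now appear four times across verify_newsa_info() and verify_newpolicy_info(). A small helper that takes the selector and a family and reports whether both prefix lengths fit would keep the SA and policy paths from drifting apart, and a one-line comment that the limits are the address widths in bits would document where the numbers come from.
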
-- 
2.17.1





* [PATCH 4.14 002/143] xfrm6: call kfree_skb when skb is toobig
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thadeu Lima de Souza Cascardo,
	Sabrina Dubroca, Steffen Klassert, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ]

After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
and reporting on xmit"), some too big skbs might be potentially passed down to
__xfrm6_output, causing it to fail to transmit but not free the skb, causing a
leak of skb, and consequentially a leak of dst references.

After running pmtu.sh, that shows as failure to unregister devices in a namespace:

[  311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1

The fix is to call kfree_skb in case of transmit failures.

Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/xfrm6_output.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 8ae87d4ec5ff..29dae7f2ff14 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -170,9 +170,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 
 	if (toobig && xfrm6_local_dontfrag(skb)) {
 		xfrm6_local_rxpmtu(skb, mtu);
+		kfree_skb(skb);
 		return -EMSGSIZE;
 	} else if (!skb->ignore_df && toobig && skb->sk) {
 		xfrm_local_error(skb, mtu);
+		kfree_skb(skb);
 		return -EMSGSIZE;
 	}
 
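Review bot: both added `kfree_skb(skb);` calls run immediately after the skb was passed to `xfrm6_local_rxpmtu(skb, mtu)` or `xfrm_local_error(skb, mtu)`, so the fix is only safe if neither helper keeps a pointer to the skb after it returns. Please state that in the commit message or in a short comment. The two branches now end in the same free-and-return pair and could share one exit path, so that a future error branch cannot miss the free again.
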
-- 
2.17.1





* [PATCH 4.14 003/143] xfrm: reset transport header back to network header after all input transforms ahave been applied
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Klassert, Sowmini Varadhan,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit bfc0698bebcb16d19ecfc89574ad4d696955e5d3 ]

A policy may have been set up with multiple transforms (e.g., ESP
and ipcomp). In this situation, the ingress IPsec processing
iterates in xfrm_input() and applies each transform in turn,
processing the nexthdr to find any additional xfrm that may apply.

This patch resets the transport header back to network header
only after the last transformation so that subsequent xfrms
can find the correct transport header.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/xfrm4_input.c          | 1 +
 net/ipv4/xfrm4_mode_transport.c | 4 +---
 net/ipv6/xfrm6_input.c          | 1 +
 net/ipv6/xfrm6_mode_transport.c | 4 +---
 4 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index bcfc00e88756..f8de2482a529 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -67,6 +67,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
 
 	if (xo && (xo->flags & XFRM_GRO)) {
 		skb_mac_header_rebuild(skb);
+		skb_reset_transport_header(skb);
 		return 0;
 	}
 
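Review bot: the skb_reset_transport_header() added to the XFRM_GRO branch of xfrm4_transport_finish() has no comment saying why the reset is needed on this early-return path. Since the same patch removes the XFRM_GRO special case from xfrm4_transport_input(), a one-line comment here tying the two together would keep a later cleanup from dropping one without the other.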
diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
index 3d36644890bb..1ad2c2c4e250 100644
--- a/net/ipv4/xfrm4_mode_transport.c
+++ b/net/ipv4/xfrm4_mode_transport.c
@@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
 static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 {
 	int ihl = skb->data - skb_transport_header(skb);
-	struct xfrm_offload *xo = xfrm_offload(skb);
 
 	if (skb->transport_header != skb->network_header) {
 		memmove(skb_transport_header(skb),
@@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 		skb->network_header = skb->transport_header;
 	}
 	ip_hdr(skb)->tot_len = htons(skb->len + ihl);
-	if (!xo || !(xo->flags & XFRM_GRO))
-		skb_reset_transport_header(skb);
+	skb_reset_transport_header(skb);
 	return 0;
 }
 
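Review bot: with the `if (!xo || !(xo->flags & XFRM_GRO))` guard gone, skb_reset_transport_header() in xfrm4_transport_input() runs on every call, while the changelog describes the reset as happening "only after the last transformation". A comment above the call stating that each pass resets the header so the next xfrm starts from a consistent offset would make the code and the description agree.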
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 841f4a07438e..9ef490dddcea 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -59,6 +59,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
 
 	if (xo && (xo->flags & XFRM_GRO)) {
 		skb_mac_header_rebuild(skb);
+		skb_reset_transport_header(skb);
 		return -1;
 	}
 
diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
index 9ad07a91708e..3c29da5defe6 100644
--- a/net/ipv6/xfrm6_mode_transport.c
+++ b/net/ipv6/xfrm6_mode_transport.c
@@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
 static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 {
 	int ihl = skb->data - skb_transport_header(skb);
-	struct xfrm_offload *xo = xfrm_offload(skb);
 
 	if (skb->transport_header != skb->network_header) {
 		memmove(skb_transport_header(skb),
@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 	}
 	ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
 					   sizeof(struct ipv6hdr));
-	if (!xo || !(xo->flags & XFRM_GRO))
-		skb_reset_transport_header(skb);
+	skb_reset_transport_header(skb);
 	return 0;
 }
 
-- 
2.17.1




* [PATCH 4.14 004/143] xfrm: reset crypto_done when iterating over multiple input xfrms
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sowmini Varadhan, Steffen Klassert,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 782710e333a526780d65918d669cb96646983ba2 ]

We only support one offloaded xfrm (we do not have devices that
can handle more than one offload), so reset crypto_done in
xfrm_input() when iterating over multiple transforms in xfrm_input,
so that we can invoke the appropriate x->type->input for the
non-offloaded transforms.

Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_input.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 9f492dc417d5..8e75319dd9c0 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -453,6 +453,7 @@ resume:
 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
 			goto drop;
 		}
+		crypto_done = false;
 	} while (!err);
 
 	err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
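Review bot: `crypto_done = false;` sits at the very end of the do/while body with no comment, so the reason for it (only one xfrm in the chain can have been handled by offload hardware) lives only in the changelog. Add a short comment above the assignment saying that every later iteration must go through x->type->input, so the line is not mistaken for a leftover and removed.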
-- 
2.17.1




* [PATCH 4.14 005/143] mac80211: Always report TX status
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrei Otcheretianski, Luca Coelho,
	Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ]

If a frame is dropped for any reason, mac80211 wouldn't report the TX
status back to user space.

As the user space may rely on the TX_STATUS to kick its state
machines, resends etc, it's better to just report this frame as not
acked instead.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/status.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index da7427a41529..ccac205e5853 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -470,11 +470,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
 	if (!skb)
 		return;
 
-	if (dropped) {
-		dev_kfree_skb_any(skb);
-		return;
-	}
-
 	if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
 		u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie;
 		struct ieee80211_sub_if_data *sdata;
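Review bot: removing the early `if (dropped)` return lets a dropped frame reach the IEEE80211_TX_INTFL_NL80211_FRAME_TX branch, but nothing in this hunk shows the ack status handed to user space being forced to "not acked" in that case. Please confirm that callers never pass a positive ack status together with dropped, or clear it at the top of ieee80211_report_ack_skb(), since the changelog promises the frame is reported as not acked.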
@@ -495,6 +490,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
 		}
 		rcu_read_unlock();
 
+		dev_kfree_skb_any(skb);
+	} else if (dropped) {
 		dev_kfree_skb_any(skb);
 	} else {
 		/* consumes skb */
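Review bot: the new `else if (dropped)` arm still frees the skb without reporting anything, so only frames with IEEE80211_TX_INTFL_NL80211_FRAME_TX set gain a status report; dropped frames that would otherwise take the final `else` path (the one marked `/* consumes skb */`) stay silent. If that is intended, say so in a comment on this arm, because the subject line reads as if every frame is now reported.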
-- 
2.17.1




* [PATCH 4.14 006/143] cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrei Otcheretianski, Luca Coelho,
	Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ]

Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since
the regulatory request is zeroed, wiphy_idx was always implicitly set to
0. This resulted in updating only phy #0.
Fix that.

Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
[add fixes tag]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/reg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 6e94f6934a0e..6f032c7b8732 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -2384,6 +2384,7 @@ static int regulatory_hint_core(const char *alpha2)
 	request->alpha2[0] = alpha2[0];
 	request->alpha2[1] = alpha2[1];
 	request->initiator = NL80211_REGDOM_SET_BY_CORE;
+	request->wiphy_idx = WIPHY_IDX_INVALID;
 
 	queue_regulatory_request(request);
 
-- 
2.17.1




* [PATCH 4.14 007/143] mac80211: fix pending queue hang due to TX_DROP
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bob Copeland,
	Toke Høiland-Jørgensen, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6eae4a6c2be387fec41b0d2782c4fffb57159498 ]

In our environment running lots of mesh nodes, we are seeing the
pending queue hang periodically, with the debugfs queues file showing
lines such as:

    00: 0x00000000/348

i.e. there are a large number of frames but no stop reason set.

One way this could happen is if queue processing from the pending
tasklet exited early without processing all frames, and without having
some future event (incoming frame, stop reason flag, ...) to reschedule
it.

Exactly this can occur today if ieee80211_tx() returns false due to
packet drops or power-save buffering in the tx handlers.  In the
past, this function would return true in such cases, and the change
to false doesn't seem to be intentional.  Fix this case by reverting
to the previous behavior.

Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
Signed-off-by: Bob Copeland <bobcopeland@fb.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index d8fddd88bf46..a17a56032a21 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1837,7 +1837,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
 			sdata->vif.hw_queue[skb_get_queue_mapping(skb)];
 
 	if (invoke_tx_handlers_early(&tx))
-		return false;
+		return true;
 
 	if (ieee80211_queue_skb(local, sdata, tx.sta, tx.skb))
 		return true;
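Review bot: `return true` directly under a failing invoke_tx_handlers_early() reads like a success return, and nothing here says what the bool means to the caller. Add a comment at this return (or on ieee80211_tx() itself) stating that true covers frames that were dropped or buffered by the handlers as well as frames that were queued, and that false makes the pending-queue processing stop early, so the value is not flipped back by a later cleanup.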
-- 
2.17.1




* [PATCH 4.14 008/143] cfg80211: Address some corner cases in scan result channel updating
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jouni Malinen, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 119f94a6fefcc76d47075b83d2b73d04c895df78 ]

cfg80211_get_bss_channel() is used to update the RX channel based on the
available frame payload information (channel number from DSSS Parameter
Set element or HT Operation element). This is needed on 2.4 GHz channels
where frames may be received on neighboring channels due to overlapping
frequency range.

This might be of some use on the 5 GHz band in some corner cases, but
things are more complex there since there is no n:1 or 1:n mapping
between channel numbers and frequencies due to multiple different
starting frequencies in different operating classes. This could result
in ieee80211_channel_to_frequency() returning incorrect frequency and
ieee80211_get_channel() returning incorrect channel information (or
indication of no match). In the previous implementation, this could
result in some scan results being dropped completely, e.g., for the 4.9
GHz channels. That prevented connection to such BSSs.

Fix this by using the driver-provided channel pointer if
ieee80211_get_channel() does not find matching channel data for the
channel number in the frame payload and if the scan is done with 5 MHz
or 10 MHz channel bandwidth. While doing this, also add comments
describing what the function is trying to achieve to make it easier to
understand what happens here and why.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/scan.c | 58 ++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 49 insertions(+), 9 deletions(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index f6c5fe482506..5ed0ed0559dc 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1055,13 +1055,23 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
 	return NULL;
 }
 
+/*
+ * Update RX channel information based on the available frame payload
+ * information. This is mainly for the 2.4 GHz band where frames can be received
+ * from neighboring channels and the Beacon frames use the DSSS Parameter Set
+ * element to indicate the current (transmitting) channel, but this might also
+ * be needed on other bands if RX frequency does not match with the actual
+ * operating channel of a BSS.
+ */
 static struct ieee80211_channel *
 cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
-			 struct ieee80211_channel *channel)
+			 struct ieee80211_channel *channel,
+			 enum nl80211_bss_scan_width scan_width)
 {
 	const u8 *tmp;
 	u32 freq;
 	int channel_number = -1;
+	struct ieee80211_channel *alt_channel;
 
 	tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen);
 	if (tmp && tmp[1] == 1) {
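Review bot: the new block comment describes the purpose of cfg80211_get_bss_channel() but not the added scan_width parameter or the return contract. Please extend it to say that scan_width is used to ignore the payload channel number on 5 MHz and 10 MHz scans, and what a NULL return means for the caller, since both call sites in this patch bail out on it.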
@@ -1075,16 +1085,45 @@ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
 		}
 	}
 
-	if (channel_number < 0)
+	if (channel_number < 0) {
+		/* No channel information in frame payload */
 		return channel;
+	}
 
 	freq = ieee80211_channel_to_frequency(channel_number, channel->band);
-	channel = ieee80211_get_channel(wiphy, freq);
-	if (!channel)
-		return NULL;
-	if (channel->flags & IEEE80211_CHAN_DISABLED)
+	alt_channel = ieee80211_get_channel(wiphy, freq);
+	if (!alt_channel) {
+		if (channel->band == NL80211_BAND_2GHZ) {
+			/*
+			 * Better not allow unexpected channels when that could
+			 * be going beyond the 1-11 range (e.g., discovering
+			 * BSS on channel 12 when radio is configured for
+			 * channel 11.
+			 */
+			return NULL;
+		}
+
+		/* No match for the payload channel number - ignore it */
+		return channel;
+	}
+
+	if (scan_width == NL80211_BSS_CHAN_WIDTH_10 ||
+	    scan_width == NL80211_BSS_CHAN_WIDTH_5) {
+		/*
+		 * Ignore channel number in 5 and 10 MHz channels where there
+		 * may not be an n:1 or 1:n mapping between frequencies and
+		 * channel numbers.
+		 */
+		return channel;
+	}
+
+	/*
+	 * Use the channel determined through the payload channel number
+	 * instead of the RX channel reported by the driver.
+	 */
+	if (alt_channel->flags & IEEE80211_CHAN_DISABLED)
 		return NULL;
-	return channel;
+	return alt_channel;
 }
 
 /* Returned bss is reference counted and must be cleaned up appropriately. */
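Review bot: the two new fallbacks that `return channel` (no match outside NL80211_BAND_2GHZ, and the 5/10 MHz scan_width case) hand back the driver-provided channel without the IEEE80211_CHAN_DISABLED test that alt_channel gets a few lines later. If the driver channel is trusted here, a comment saying so would help; otherwise apply the same flag check before returning it. Separately, the comment in the NL80211_BAND_2GHZ branch opens a parenthesis at "(e.g., discovering" and never closes it.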
@@ -1109,7 +1148,8 @@ cfg80211_inform_bss_data(struct wiphy *wiphy,
 		    (data->signal < 0 || data->signal > 100)))
 		return NULL;
 
-	channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan);
+	channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan,
+					   data->scan_width);
 	if (!channel)
 		return NULL;
 
@@ -1207,7 +1247,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
 		return NULL;
 
 	channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable,
-					   ielen, data->chan);
+					   ielen, data->chan, data->scan_width);
 	if (!channel)
 		return NULL;
 
-- 
2.17.1




* [PATCH 4.14 009/143] mac80211: TDLS: fix skb queue/priority assignment
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit cb59bc14e830028d2244861216df038165d7625d ]

If the TDLS setup happens over a connection to an AP that
doesn't have QoS, we nevertheless assign a non-zero TID
(skb->priority) and queue mapping, which may confuse us or
drivers later.

Fix it by just assigning the special skb->priority and then
using ieee80211_select_queue() just like other data frames
would go through.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/tdls.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index 91093d4a2f84..6e7aa65cf345 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -16,6 +16,7 @@
 #include "ieee80211_i.h"
 #include "driver-ops.h"
 #include "rate.h"
+#include "wme.h"
 
 /* give usermode some time for retries in setting up the TDLS session */
 #define TDLS_PEER_SETUP_TIMEOUT	(15 * HZ)
@@ -1006,14 +1007,13 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
 	switch (action_code) {
 	case WLAN_TDLS_SETUP_REQUEST:
 	case WLAN_TDLS_SETUP_RESPONSE:
-		skb_set_queue_mapping(skb, IEEE80211_AC_BK);
-		skb->priority = 2;
+		skb->priority = 256 + 2;
 		break;
 	default:
-		skb_set_queue_mapping(skb, IEEE80211_AC_VI);
-		skb->priority = 5;
+		skb->priority = 256 + 5;
 		break;
 	}
+	skb_set_queue_mapping(skb, ieee80211_select_queue(sdata, skb));
 
 	/*
 	 * Set the WLAN_TDLS_TEARDOWN flag to indicate a teardown in progress.
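Review bot: `256 + 2` and `256 + 5` in the switch are magic numbers; the hunk gives no hint what the 256 offset means to ieee80211_select_queue(), and the changelog only calls it "the special skb->priority". Use a named constant or add a comment at the first assignment explaining the offset, so the next reader does not "simplify" it back to a plain TID.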
-- 
2.17.1




* [PATCH 4.14 010/143] mac80211: fix TX status reporting for ieee80211s
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuan-Chi Pang, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c42055105785580563535e6d3143cad95c7ac7ee ]

TX status reporting to ieee80211s is through ieee80211s_update_metric.
There are two problems about ieee80211s_update_metric:

1. The purpose is to estimate the fail probability
to a specific link. No need to restrict to data frame.

2. Current implementation does not work if wireless driver does not
pass tx_status with skb.

Fix this by removing ieee80211_is_data condition, passing
ieee80211_tx_status directly to ieee80211s_update_metric, and
putting it in both __ieee80211_tx_status and ieee80211_tx_status_ext.

Signed-off-by: Yuan-Chi Pang <fu3mo6goo@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/mesh.h      | 3 ++-
 net/mac80211/mesh_hwmp.c | 9 +++------
 net/mac80211/status.c    | 4 +++-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index 7e5f271e3c30..4f1c61637ce3 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -217,7 +217,8 @@ void mesh_rmc_free(struct ieee80211_sub_if_data *sdata);
 int mesh_rmc_init(struct ieee80211_sub_if_data *sdata);
 void ieee80211s_init(void);
 void ieee80211s_update_metric(struct ieee80211_local *local,
-			      struct sta_info *sta, struct sk_buff *skb);
+			      struct sta_info *sta,
+			      struct ieee80211_tx_status *st);
 void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata);
 void ieee80211_mesh_teardown_sdata(struct ieee80211_sub_if_data *sdata);
 int ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata);
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 055ea36ff27b..fab0764c315f 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -295,15 +295,12 @@ int mesh_path_error_tx(struct ieee80211_sub_if_data *sdata,
 }
 
 void ieee80211s_update_metric(struct ieee80211_local *local,
-		struct sta_info *sta, struct sk_buff *skb)
+			      struct sta_info *sta,
+			      struct ieee80211_tx_status *st)
 {
-	struct ieee80211_tx_info *txinfo = IEEE80211_SKB_CB(skb);
-	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+	struct ieee80211_tx_info *txinfo = st->info;
 	int failed;
 
-	if (!ieee80211_is_data(hdr->frame_control))
-		return;
-
 	failed = !(txinfo->flags & IEEE80211_TX_STAT_ACK);
 
 	/* moving average, scaled to 100.
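Review bot: `txinfo = st->info` is dereferenced a few lines later in `txinfo->flags` without a NULL check, and after this patch ieee80211s_update_metric() is reached from two callers, __ieee80211_tx_status() and ieee80211_tx_status_ext(). Please confirm both always fill in st->info, or return early when it is NULL, given that the stated reason for the change is drivers that do not pass an skb with the status.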
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index ccac205e5853..bdf131ed5ce8 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -797,7 +797,7 @@ static void __ieee80211_tx_status(struct ieee80211_hw *hw,
 
 		rate_control_tx_status(local, sband, status);
 		if (ieee80211_vif_is_mesh(&sta->sdata->vif))
-			ieee80211s_update_metric(local, sta, skb);
+			ieee80211s_update_metric(local, sta, status);
 
 		if (!(info->flags & IEEE80211_TX_CTL_INJECTED) && acked)
 			ieee80211_frame_acked(sta, skb);
@@ -958,6 +958,8 @@ void ieee80211_tx_status_ext(struct ieee80211_hw *hw,
 		}
 
 		rate_control_tx_status(local, sband, status);
+		if (ieee80211_vif_is_mesh(&sta->sdata->vif))
+			ieee80211s_update_metric(local, sta, status);
 	}
 
 	if (acked || noack_success) {
-- 
2.17.1




* [PATCH 4.14 011/143] xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tobias Hommel, Kristian Evensen,
	Wolfgang Walter, Steffen Klassert, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9e1437937807b0122e8da1ca8765be2adca9aee6 ]

Since commit 222d7dbd258d ("net: prevent dst uses after free")
skb_dst_force() might clear the dst_entry attached to the skb.
The xfrm code doesn't expect this to happen, so we crash with
a NULL pointer dereference in this case. Fix it by checking
skb_dst(skb) for NULL after skb_dst_force() and drop the packet
in case the dst_entry was cleared.

Fixes: 222d7dbd258d ("net: prevent dst uses after free")
Reported-by: Tobias Hommel <netdev-list@genoetigt.de>
Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
Reported-by: Wolfgang Walter <linux@stwm.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_output.c | 4 ++++
 net/xfrm/xfrm_policy.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 35610cc881a9..c47660fba498 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -101,6 +101,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
 		spin_unlock_bh(&x->lock);
 
 		skb_dst_force(skb);
+		if (!skb_dst(skb)) {
+			XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
+			goto error_nolock;
+		}
 
 		if (xfrm_offload(skb)) {
 			x->type_offload->encap(x, skb);
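Review bot: the new `goto error_nolock` in xfrm_output_one() is taken without assigning err anywhere in this hunk, so the function returns whatever err held after the preceding step. If that can be 0 at this point, a packet dropped here is reported to the caller as success; set an explicit negative errno inside the `if (!skb_dst(skb))` block before the goto.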
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 2fb7a78308e1..37c32e73aaef 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2550,6 +2550,10 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
 	}
 
 	skb_dst_force(skb);
+	if (!skb_dst(skb)) {
+		XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
+		return 0;
+	}
 
 	dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
 	if (IS_ERR(dst)) {
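Review bot: in __xfrm_route_forward() a dst cleared by skb_dst_force() is counted under LINUX_MIB_XFRMFWDHDRERROR, whose name suggests a header error rather than a lost route, and the bare `return 0` carries no comment on what 0 tells the caller. A one-line comment on the new block stating why this counter was chosen and that the packet is not forwarded would save the next reader a trip through the callers.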
-- 
2.17.1




* [PATCH 4.14 012/143] ARM: 8799/1: mm: fix pci_ioremap_io() offset check
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Petazzoni, Nicolas Pitre,
	Russell King, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ]

IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e.
something like 0xfffff (and not 0x100000).

Therefore, when offset = 0xf0000 is passed as argument, this function
fails even though the offset + SZ_64K fits below the
IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space
not usable as it cannot be mapped.

This patch fixes that by subtracting 1 from offset + SZ_64K, so that we
compare the address of the last byte of the I/O space against
IO_SPACE_LIMIT instead of the address of the first byte of what is
after the I/O space.

Fixes: c2794437091a4 ("ARM: Add fixed PCI i/o mapping")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mm/ioremap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
index fc91205ff46c..5bf9443cfbaa 100644
--- a/arch/arm/mm/ioremap.c
+++ b/arch/arm/mm/ioremap.c
@@ -473,7 +473,7 @@ void pci_ioremap_set_mem_type(int mem_type)
 
 int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr)
 {
-	BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT);
+	BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT);
 
 	return ioremap_page_range(PCI_IO_VIRT_BASE + offset,
 				  PCI_IO_VIRT_BASE + offset + SZ_64K,
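Review bot: `offset + SZ_64K - 1` in the BUG_ON() is still computed from an `unsigned int offset`, so an offset near the top of the unsigned range wraps around and passes the check. Writing the bound without the addition, for example `offset > IO_SPACE_LIMIT - (SZ_64K - 1)` (valid as long as IO_SPACE_LIMIT is at least SZ_64K - 1), keeps the inclusive comparison this patch introduces and removes the wrap.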
-- 
2.17.1




* [PATCH 4.14 013/143] xfrm: validate template mode
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Tranchetti, Steffen Klassert,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]

XFRM mode parameters passed as part of the user templates
in the IP_XFRM_POLICY are never properly validated. Passing
values other than valid XFRM modes can cause stack-out-of-bounds
reads to occur later in the XFRM processing:

[  140.535608] ================================================================
[  140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
[  140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
[  140.557369]
[  140.558927] Call trace:
[  140.558936] dump_backtrace+0x0/0x388
[  140.558940] show_stack+0x24/0x30
[  140.558946] __dump_stack+0x24/0x2c
[  140.558949] dump_stack+0x8c/0xd0
[  140.558956] print_address_description+0x74/0x234
[  140.558960] kasan_report+0x240/0x264
[  140.558963] __asan_report_load4_noabort+0x2c/0x38
[  140.558967] xfrm_state_find+0x17e4/0x1cc4
[  140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
[  140.558975] xfrm_lookup+0x238/0x1444
[  140.558977] xfrm_lookup_route+0x48/0x11c
[  140.558984] ip_route_output_flow+0x88/0xc4
[  140.558991] raw_sendmsg+0xa74/0x266c
[  140.558996] inet_sendmsg+0x258/0x3b0
[  140.559002] sock_sendmsg+0xbc/0xec
[  140.559005] SyS_sendto+0x3a8/0x5a8
[  140.559008] el0_svc_naked+0x34/0x38
[  140.559009]
[  140.592245] page dumped because: kasan: bad access detected
[  140.597981] page_owner info is not active (free page?)
[  140.603267]
[  140.653503] ================================================================

Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_user.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 4292347bf45e..4e8319766f2b 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1449,6 +1449,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
 		    (ut[i].family != prev_family))
 			return -EINVAL;
 
+		if (ut[i].mode >= XFRM_MODE_MAX)
+			return -EINVAL;
+
 		prev_family = ut[i].family;
 
 		switch (ut[i].family) {
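Review bot: the new `ut[i].mode >= XFRM_MODE_MAX` test has no comment, and neither the hunk nor the changelog says which lookup on the xfrm_state_find() path from the KASAN trace depends on the mode being in range. A short comment above the check naming that consumer would record why the limit has to track XFRM_MODE_MAX and make clear that this is validation of user-supplied template data, not a sanity assert.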
-- 
2.17.1




* [PATCH 4.14 014/143] netfilter: bridge: Dont sabotage nf_hook calls from an l3mdev
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, DSouza, Nelson, David Ahern,
	Pablo Neira Ayuso, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a173f066c7cfc031acb8f541708041e009fc9812 ]

For starters, the bridge netfilter code registers operations that
are invoked any time nh_hook is called. Specifically, ip_sabotage_in
watches for nested calls for NF_INET_PRE_ROUTING when a bridge is in
the stack.

Packet wise, the bridge netfilter hook runs first. br_nf_pre_routing
allocates nf_bridge, sets in_prerouting to 1 and calls NF_HOOK for
NF_INET_PRE_ROUTING. Its finish function, br_nf_pre_routing_finish,
then resets in_prerouting flag to 0 and the packet continues up the
stack. The packet eventually makes it to the VRF driver and it invokes
nf_hook for NF_INET_PRE_ROUTING in case any rules have been added against
the vrf device.

Because of the registered operations the call to nf_hook causes
ip_sabotage_in to be invoked. That function sees the nf_bridge on the
skb and that in_prerouting is not set. Thinking it is an invalid nested
call it steals (drops) the packet.

Update ip_sabotage_in to recognize that the bridge or one of its upper
devices (e.g., vlan) can be enslaved to a VRF (L3 master device) and
allow the packet to go through the nf_hook a second time.

Fixes: 73e20b761acf ("net: vrf: Add support for PREROUTING rules on vrf device")
Reported-by: D'Souza, Nelson <ndsouza@ciena.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/br_netfilter_hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index c2eea1b8737a..7582f28ab306 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -832,7 +832,8 @@ static unsigned int ip_sabotage_in(void *priv,
 				   struct sk_buff *skb,
 				   const struct nf_hook_state *state)
 {
-	if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) {
+	if (skb->nf_bridge && !skb->nf_bridge->in_prerouting &&
+	    !netif_is_l3_master(skb->dev)) {
 		state->okfn(state->net, state->sk, skb);
 		return NF_STOLEN;
 	}
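Review bot: The added !netif_is_l3_master(skb->dev) test in ip_sabotage_in() exempts only packets whose skb->dev is already the L3 master when the hook runs, while the commit message talks about the bridge or one of its upper devices (e.g., vlan) being enslaved to a VRF. A comment above the condition saying why skb->dev is expected to be the master at this point would make that assumption explicit; as written, the three-part condition reads as an unexplained special case. Please also state whether any other caller can reach this hook with an L3 master as skb->dev and a leftover nf_bridge, since such packets now bypass the okfn/NF_STOLEN path.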
-- 
2.17.1




* [PATCH 4.14 015/143] arm64: hugetlb: Fix handling of young ptes
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Capper, Will Deacon, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 469ed9d823b7d240d6b9574f061ded7c3834c167 ]

In the contiguous bit hugetlb break-before-make code we assume that all
hugetlb pages are young.

In fact, remove_migration_pte is able to place an old hugetlb pte so
this assumption is not valid.

This patch fixes the contiguous hugetlb scanning code to preserve young
ptes.

Fixes: d8bdcff28764 ("arm64: hugetlb: Add break-before-make logic for contiguous entries")
Signed-off-by: Steve Capper <steve.capper@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/mm/hugetlbpage.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c
index 6cb0fa92a651..9f6ae9686dac 100644
--- a/arch/arm64/mm/hugetlbpage.c
+++ b/arch/arm64/mm/hugetlbpage.c
@@ -118,11 +118,14 @@ static pte_t get_clear_flush(struct mm_struct *mm,
 
 		/*
 		 * If HW_AFDBM is enabled, then the HW could turn on
-		 * the dirty bit for any page in the set, so check
-		 * them all.  All hugetlb entries are already young.
+		 * the dirty or accessed bit for any page in the set,
+		 * so check them all.
 		 */
 		if (pte_dirty(pte))
 			orig_pte = pte_mkdirty(orig_pte);
+
+		if (pte_young(pte))
+			orig_pte = pte_mkyoung(orig_pte);
 	}
 
 	if (valid)
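Review bot: The rewritten comment in get_clear_flush() attributes both bits to hardware updates under HW_AFDBM, but the commit message gives a software cause for an old pte (remove_migration_pte placing one). The comment should mention that entries in the set can differ in young state for that reason too; otherwise the pte_young() merge looks as if it only matters when HW_AFDBM is enabled.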
@@ -347,10 +350,13 @@ int huge_ptep_set_access_flags(struct vm_area_struct *vma,
 	if (!pte_same(orig_pte, pte))
 		changed = 1;
 
-	/* Make sure we don't lose the dirty state */
+	/* Make sure we don't lose the dirty or young state */
 	if (pte_dirty(orig_pte))
 		pte = pte_mkdirty(pte);
 
+	if (pte_young(orig_pte))
+		pte = pte_mkyoung(pte);
+
 	hugeprot = pte_pgprot(pte);
 	for (i = 0; i < ncontig; i++, ptep++, addr += pgsize, pfn += dpfn)
 		set_pte_at(vma->vm_mm, addr, ptep, pfn_pte(pfn, hugeprot));
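Review bot: In huge_ptep_set_access_flags() the changed flag is computed from pte_same(orig_pte, pte) before the dirty and young bits of orig_pte are merged into pte, so the function can report a change when the value finally written differs from orig_pte only in bits that are then carried over. This predates the patch for dirty, but the new pte_young() merge widens it. Consider doing the merge first and comparing afterwards, or say in the comment why the earlier comparison is intended.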
-- 
2.17.1




* [PATCH 4.14 016/143] ARM: dts: BCM63xx: Fix incorrect interrupt specifiers
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 3ab97942d0213b6583a5408630a8cbbfbf54730f ]

A number of our interrupts were incorrectly specified, fix both the PPI
and SPI interrupts to be correct.

Fixes: b5762cacc411 ("ARM: bcm63138: add NAND DT support")
Fixes: 46d4bca0445a ("ARM: BCM63XX: add BCM63138 minimal Device Tree")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/bcm63138.dtsi | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/arch/arm/boot/dts/bcm63138.dtsi b/arch/arm/boot/dts/bcm63138.dtsi
index 43ee992ccdcf..6df61518776f 100644
--- a/arch/arm/boot/dts/bcm63138.dtsi
+++ b/arch/arm/boot/dts/bcm63138.dtsi
@@ -106,21 +106,23 @@
 		global_timer: timer@1e200 {
 			compatible = "arm,cortex-a9-global-timer";
 			reg = <0x1e200 0x20>;
-			interrupts = <GIC_PPI 11 IRQ_TYPE_LEVEL_HIGH>;
+			interrupts = <GIC_PPI 11 IRQ_TYPE_EDGE_RISING>;
 			clocks = <&axi_clk>;
 		};
 
 		local_timer: local-timer@1e600 {
 			compatible = "arm,cortex-a9-twd-timer";
 			reg = <0x1e600 0x20>;
-			interrupts = <GIC_PPI 13 IRQ_TYPE_LEVEL_HIGH>;
+			interrupts = <GIC_PPI 13 (GIC_CPU_MASK_SIMPLE(2) |
+						  IRQ_TYPE_EDGE_RISING)>;
 			clocks = <&axi_clk>;
 		};
 
 		twd_watchdog: watchdog@1e620 {
 			compatible = "arm,cortex-a9-twd-wdt";
 			reg = <0x1e620 0x20>;
-			interrupts = <GIC_PPI 14 IRQ_TYPE_LEVEL_HIGH>;
+			interrupts = <GIC_PPI 14 (GIC_CPU_MASK_SIMPLE(2) |
+						  IRQ_TYPE_LEVEL_HIGH)>;
 		};
 
 		armpll: armpll {
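Review bot: In this hunk the global_timer PPI becomes IRQ_TYPE_EDGE_RISING with no CPU mask, while local_timer and twd_watchdog gain GIC_CPU_MASK_SIMPLE(2), and the watchdog stays IRQ_TYPE_LEVEL_HIGH while both timers switch to edge. The commit message only says the specifiers were incorrect. It should state where each trigger type and the mask of 2 come from, and whether omitting the mask on PPI 11 is deliberate, so the three nodes can be checked against a reference.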
@@ -158,7 +160,7 @@
 		serial0: serial@600 {
 			compatible = "brcm,bcm6345-uart";
 			reg = <0x600 0x1b>;
-			interrupts = <GIC_SPI 32 0>;
+			interrupts = <GIC_SPI 32 IRQ_TYPE_LEVEL_HIGH>;
 			clocks = <&periph_clk>;
 			clock-names = "periph";
 			status = "disabled";
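Review bot: The serial0 flags cell changes from a literal 0 to IRQ_TYPE_LEVEL_HIGH with nothing in the commit message confirming that the UART interrupt is level-triggered, active high. A literal 0 specifies no trigger type, so this is a behavioural change as well as a cleanup; please name the source for the trigger type in the message.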
@@ -167,7 +169,7 @@
 		serial1: serial@620 {
 			compatible = "brcm,bcm6345-uart";
 			reg = <0x620 0x1b>;
-			interrupts = <GIC_SPI 33 0>;
+			interrupts = <GIC_SPI 33 IRQ_TYPE_LEVEL_HIGH>;
 			clocks = <&periph_clk>;
 			clock-names = "periph";
 			status = "disabled";
@@ -180,7 +182,7 @@
 			reg = <0x2000 0x600>, <0xf0 0x10>;
 			reg-names = "nand", "nand-int-base";
 			status = "disabled";
-			interrupts = <GIC_SPI 38 0>;
+			interrupts = <GIC_SPI 38 IRQ_TYPE_LEVEL_HIGH>;
 			interrupt-names = "nand";
 		};
 
-- 
2.17.1




* [PATCH 4.14 017/143] net: macb: Clean 64b dma addresses if they are not detected
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Simek, Nicolas Ferre,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e1e5d8a9fe737d94ccc0ccbaf0c97f69a8f3e000 ]

Clear ADDR64 dma bit in DMACFG register in case that HW_DMA_CAP_64B is
not detected on 64bit system.
The issue was observed when bootloader (u-boot) does not check macb
feature at DCFG6 register (DAW64_OFFSET) and enables 64bit dma support
by default. Then macb driver is reading DMACFG register back and only
adding 64bit dma configuration but not cleaning it out.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cadence/macb_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
index b4f92de1efbd..d6f8d6c8b0f1 100644
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -2000,6 +2000,7 @@ static void macb_configure_dma(struct macb *bp)
 		else
 			dmacfg &= ~GEM_BIT(TXCOEN);
 
+		dmacfg &= ~GEM_BIT(ADDR64);
 #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
 		if (bp->hw_dma_cap & HW_DMA_CAP_64B)
 			dmacfg |= GEM_BIT(ADDR64);
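Review bot: The new dmacfg &= ~GEM_BIT(ADDR64) sits outside the CONFIG_ARCH_DMA_ADDR_T_64BIT block, so the bit is also cleared on builds without 64-bit DMA addresses, which the commit message ("on 64bit system") does not mention. That looks like the right behaviour, but a short comment saying that dmacfg is read back from the register and may still carry an ADDR64 bit set by the bootloader would explain why the clear has to come before the conditional set.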
-- 
2.17.1




* [PATCH 4.14 018/143] soc: fsl: qbman: qman: avoid allocating from non existing gen_pool
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Roy Pledge,
	Li Yang, Olof Johansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 64e9e22e68512da8df3c9a7430f07621e48db3c2 ]

If the qman driver didn't probe, calling qman_alloc_fqid_range,
qman_alloc_pool_range or qman_alloc_cgrid_range (as done in dpaa_eth) will
pass a NULL pointer to gen_pool_alloc, leading to a NULL pointer
dereference.

Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Reviewed-by: Roy Pledge <roy.pledge@nxp.com>
Signed-off-by: Li Yang <leoyang.li@nxp.com>
(cherry picked from commit f72487a2788aa70c3aee1d0ebd5470de9bac953a)
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/fsl/qbman/qman.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
index 0c6065dba48a..4f27e95efcdd 100644
--- a/drivers/soc/fsl/qbman/qman.c
+++ b/drivers/soc/fsl/qbman/qman.c
@@ -2699,6 +2699,9 @@ static int qman_alloc_range(struct gen_pool *p, u32 *result, u32 cnt)
 {
 	unsigned long addr;
 
+	if (!p)
+		return -ENODEV;
+
 	addr = gen_pool_alloc(p, cnt);
 	if (!addr)
 		return -ENOMEM;
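Review bot: The !p check in qman_alloc_range() returns -ENODEV, but the commit message describes the case where the qman driver has not probed, which may be a temporary condition rather than an absent device. Please state whether the callers named in the message (qman_alloc_fqid_range, qman_alloc_pool_range and qman_alloc_cgrid_range, as used from dpaa_eth) treat -ENODEV as final, and whether a deferral code would fit better when probing has simply not happened yet. A comment on the check explaining when p can be NULL would help as well.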
-- 
2.17.1




* [PATCH 4.14 019/143] soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Zhao Qiang, Li Yang,
	Olof Johansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 96fc74333f84cfdf8d434c6c07254e215e2aad00 ]

There is a copy and paste bug so we accidentally use the RX_ shift when
we're in TX_ mode.

Fixes: bb8b2062aff3 ("fsl/qe: setup clock source for TDM mode")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
Signed-off-by: Li Yang <leoyang.li@nxp.com>
(cherry picked from commit 3cb31b634052ed458922e0c8e2b4b093d7fb60b9)
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/fsl/qe/ucc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/soc/fsl/qe/ucc.c b/drivers/soc/fsl/qe/ucc.c
index c646d8713861..681f7d4b7724 100644
--- a/drivers/soc/fsl/qe/ucc.c
+++ b/drivers/soc/fsl/qe/ucc.c
@@ -626,7 +626,7 @@ static u32 ucc_get_tdm_sync_shift(enum comm_dir mode, u32 tdm_num)
 {
 	u32 shift;
 
-	shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : RX_SYNC_SHIFT_BASE;
+	shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : TX_SYNC_SHIFT_BASE;
 	shift -= tdm_num * 2;
 
 	return shift;
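Review bot: With the TX base now actually used, the unchanged line shift -= tdm_num * 2 deserves a second look: shift is u32 and nothing in ucc_get_tdm_sync_shift() bounds tdm_num, so a large tdm_num wraps the result. If the caller already validates tdm_num, a comment saying so is enough; otherwise add a range check here, since the TX path was running with the RX base until this fix and may never have been exercised with correct values.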
-- 
2.17.1




* [PATCH 4.14 020/143] nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masashi Honma, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 30fe6d50eb088783c8729c7d930f65296b2b3fa7 ]

Use array_index_nospec() to sanitize ridx with respect to speculation.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/nl80211.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 3de415bca391..5e7c9b361e8a 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3480,6 +3480,7 @@ static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
 			return false;
 
 		/* check availability */
+		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
 			mcs[ridx] |= rbit;
 		else
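Review bot: The array_index_nospec() call is placed between the /* check availability */ comment and the rx_mask test that comment describes, which separates the comment from its code. Moving the clamp up so that it directly follows the bounds check ending in return false keeps the architectural check and its speculation clamp together. The clamp bound must also be the same constant that check uses; only IEEE80211_HT_MCS_MASK_LEN is visible in this hunk, so please confirm they match.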
-- 
2.17.1
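
The clamp that patch 020/143 adds, modelled in user-space C as an added example (not code from the kernel or from this thread): a bounds check followed by a branch-free mask, so that an index which fails the check cannot select an out-of-range element even on a mispredicted path. MCS_MASK_LEN, the rate-to-index mapping, the early return on an unsupported rate and all function names are assumptions of the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for IEEE80211_HT_MCS_MASK_LEN; the value is this example's. */
#define MCS_MASK_LEN 10

/*
 * Branch-free mask: all ones when index < size, zero otherwise.
 * Valid for size <= LONG_MAX. Relies on arithmetic right shift of a
 * negative signed long, which GCC and Clang provide. A compiler may turn
 * this back into a branch; kernel code must use array_index_nospec().
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	/* Top bit of v is set exactly when index >= size (or index is huge). */
	long v = (long)(index | (size - 1UL - index));

	return (unsigned long)(~v >> (sizeof(long) * CHAR_BIT - 1));
}

/* In-range indexes pass through unchanged, everything else becomes 0. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/*
 * Model of the pattern in the hunk: each rate selects byte rate / 8 and
 * bit rate % 8 of a bitmap. The architectural check rejects bad indexes;
 * the clamp makes sure the following loads use an index inside the array
 * even if the check is speculated past.
 */
static bool rateset_to_mask(const uint8_t rx_mask[MCS_MASK_LEN],
			    const uint8_t *rates, size_t n,
			    uint8_t mcs[MCS_MASK_LEN])
{
	size_t i;

	memset(mcs, 0, MCS_MASK_LEN);
	for (i = 0; i < n; i++) {
		unsigned long ridx = rates[i] / 8;
		uint8_t rbit = (uint8_t)(1u << (rates[i] % 8));

		if (ridx >= MCS_MASK_LEN)
			return false;

		/* Same bound as the check above, applied without a branch. */
		ridx = clamp_index_nospec(ridx, MCS_MASK_LEN);
		if (rx_mask[ridx] & rbit)
			mcs[ridx] |= rbit;
		else
			return false;	/* rate not supported by the receiver */
	}
	return true;
}

/* Constructed sample data: the receiver supports MCS 0-15 only. */
static int demo(void)
{
	const uint8_t rx_mask[MCS_MASK_LEN] = { 0xff, 0xff };
	const uint8_t supported[] = { 0, 7, 15 };
	const uint8_t unsupported[] = { 0, 16 };
	const uint8_t out_of_range[] = { 80 };	/* 80 / 8 == MCS_MASK_LEN */
	uint8_t mcs[MCS_MASK_LEN];
	int result = 0;

	if (rateset_to_mask(rx_mask, supported, 3, mcs) &&
	    mcs[0] == 0x81 && mcs[1] == 0x80)
		result |= 1;
	if (!rateset_to_mask(rx_mask, unsupported, 2, mcs))
		result |= 2;
	if (!rateset_to_mask(rx_mask, out_of_range, 1, mcs))
		result |= 4;
	return result;
}

int main(void)
{
	printf("clamp(9)=%lu clamp(10)=%lu demo=%d\n",
	       clamp_index_nospec(9, MCS_MASK_LEN),
	       clamp_index_nospec(10, MCS_MASK_LEN), demo());
	return 0;
}
```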




* [PATCH 4.14 021/143] mac80211_hwsim: do not omit multicast announce of first added radio
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Willi, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ]

The allocation of hwsim radio identifiers uses a post-increment from 0,
so the first radio has idx 0. This idx is explicitly excluded from
multicast announcements ever since, but it is unclear why.

Drop that idx check and announce the first radio as well. This makes
userspace happy if it relies on these events.

Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mac80211_hwsim.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index aafa7aa18fbd..477f9f2f6626 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -2730,8 +2730,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
 	list_add_tail(&data->list, &hwsim_radios);
 	spin_unlock_bh(&hwsim_radio_lock);
 
-	if (idx > 0)
-		hwsim_mcast_new_radio(idx, info, param);
+	hwsim_mcast_new_radio(idx, info, param);
 
 	return idx;
 
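Review bot: Dropping the idx > 0 guard in mac80211_hwsim_new_radio() makes the multicast announcement unconditional, yet the commit message itself says it is unclear why idx 0 was excluded. Before removing a guard whose reason is unknown, please confirm that hwsim_mcast_new_radio() copes with the info pointer on every path that can create the first radio, and record the user-visible change (listeners now receive an event for radio 0) in the message.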
-- 
2.17.1




* [PATCH 4.14 022/143] Bluetooth: SMP: fix crash in unpairing
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pekka Oikarainen, Matias Karhumaa,
	Johan Hedberg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]

In case unpair_device() was called through mgmt interface at the same time
when pairing was in progress, Bluetooth kernel module crash was seen.

[  600.351225] general protection fault: 0000 [#1] SMP PTI
[  600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G           OE     4.19.0-rc1+ #1
[  600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
[  600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
[  600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
[  600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
[  600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
[  600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
[  600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
[  600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
[  600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
[  600.351295] FS:  00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
[  600.351298] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
[  600.351302] Call Trace:
[  600.351325]  smp_failure+0x4f/0x70 [bluetooth]
[  600.351345]  smp_cancel_pairing+0x74/0x80 [bluetooth]
[  600.351370]  unpair_device+0x1c1/0x330 [bluetooth]
[  600.351399]  hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
[  600.351409]  ? apparmor_socket_sendmsg+0x1e/0x20
[  600.351417]  sock_sendmsg+0x3e/0x50
[  600.351422]  sock_write_iter+0x85/0xf0
[  600.351429]  do_iter_readv_writev+0x12b/0x1b0
[  600.351434]  do_iter_write+0x87/0x1a0
[  600.351439]  vfs_writev+0x98/0x110
[  600.351443]  ? ep_poll+0x16d/0x3d0
[  600.351447]  ? ep_modify+0x73/0x170
[  600.351451]  do_writev+0x61/0xf0
[  600.351455]  ? do_writev+0x61/0xf0
[  600.351460]  __x64_sys_writev+0x1c/0x20
[  600.351465]  do_syscall_64+0x5a/0x110
[  600.351471]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  600.351474] RIP: 0033:0x7fb2bdb62fe0
[  600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
[  600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[  600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
[  600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
[  600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
[  600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
[  600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
[  600.351637] ---[ end trace e49e9f1df09c94fb ]---

Crash happened because list_del_rcu() was called twice for smp->ltk. This
was possible if unpair_device was called right after ltk was generated
but before keys were distributed.

In this commit smp_cancel_pairing was refactored to cancel pairing if it
is in progress and otherwise just removes keys. Once keys are removed from
rcu list, pointers to smp context's keys are set to NULL to make sure
removed list items are not accessed later.

This commit also adjusts the functionality of mgmt unpair_device() a little
bit. Previously pairing was canceled only if pairing was in state that
keys were already generated. With this commit unpair_device() cancels
pairing already in earlier states.

Bug was found by fuzzing kernel SMP implementation using Synopsys
Defensics.

Reported-by: Pekka Oikarainen <pekka.oikarainen@synopsys.com>
Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/mgmt.c |  7 ++-----
 net/bluetooth/smp.c  | 29 +++++++++++++++++++++++++----
 net/bluetooth/smp.h  |  3 ++-
 3 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 1fba2a03f8ae..ba24f613c0fc 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2298,9 +2298,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
 	/* LE address type */
 	addr_type = le_addr_type(cp->addr.type);
 
-	hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
-
-	err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
+	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
+	err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
 	if (err < 0) {
 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
 					MGMT_STATUS_NOT_PAIRED, &rp,
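Review bot: unpair_device() maps any negative return from smp_cancel_and_remove_pairing() to MGMT_STATUS_NOT_PAIRED, but that helper sets err to 0 whenever an SMP context exists, even if hci_remove_ltk() found no key. That is the behaviour change the commit message describes (cancelling in earlier pairing states), and the replacement comment should say so: "Removes ltk and irk if they exist" does not tell the reader that an in-progress pairing alone now counts as paired for this command.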
@@ -2314,8 +2313,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
 		goto done;
 	}
 
-	/* Abort any ongoing SMP pairing */
-	smp_cancel_pairing(conn);
 
 	/* Defer clearing up the connection parameters until closing to
 	 * give a chance of keeping them if a repairing happens.
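Review bot: Removing the smp_cancel_pairing(conn) call and its comment leaves two consecutive blank lines before the "Defer clearing up the connection parameters" comment. Drop one of them.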
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index a27704ff13a9..dbcc439fc78b 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2410,30 +2410,51 @@ unlock:
 	return ret;
 }
 
-void smp_cancel_pairing(struct hci_conn *hcon)
+int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
+				  u8 addr_type)
 {
-	struct l2cap_conn *conn = hcon->l2cap_data;
+	struct hci_conn *hcon;
+	struct l2cap_conn *conn;
 	struct l2cap_chan *chan;
 	struct smp_chan *smp;
+	int err;
+
+	err = hci_remove_ltk(hdev, bdaddr, addr_type);
+	hci_remove_irk(hdev, bdaddr, addr_type);
+
+	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
+	if (!hcon)
+		goto done;
 
+	conn = hcon->l2cap_data;
 	if (!conn)
-		return;
+		goto done;
 
 	chan = conn->smp;
 	if (!chan)
-		return;
+		goto done;
 
 	l2cap_chan_lock(chan);
 
 	smp = chan->data;
 	if (smp) {
+		/* Set keys to NULL to make sure smp_failure() does not try to
+		 * remove and free already invalidated rcu list entries. */
+		smp->ltk = NULL;
+		smp->slave_ltk = NULL;
+		smp->remote_irk = NULL;
+
 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
 			smp_failure(conn, 0);
 		else
 			smp_failure(conn, SMP_UNSPECIFIED);
+		err = 0;
 	}
 
 	l2cap_chan_unlock(chan);
+
+done:
+	return err;
 }
 
 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
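Review bot: In smp_cancel_and_remove_pairing() the keys are removed by hci_remove_ltk() and hci_remove_irk() before l2cap_chan_lock(chan) is taken, and smp->ltk, smp->slave_ltk and smp->remote_irk are set to NULL only afterwards under that lock. Please document which lock held by the caller keeps smp_failure() from running on another path in between, because in that window the SMP context still points at entries already taken off the rcu list, which is the double list_del_rcu() the commit message describes. Two smaller points: the return value of hci_remove_irk() is discarded, and hcon from hci_conn_hash_lookup_le() is dereferenced with no reference or lock visible in this hunk.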
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 0ff6247eaa6c..121edadd5f8d 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -181,7 +181,8 @@ enum smp_key_pref {
 };
 
 /* SMP Commands */
-void smp_cancel_pairing(struct hci_conn *hcon);
+int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
+				  u8 addr_type);
 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
 			     enum smp_key_pref key_pref);
 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
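Review bot: The new prototype returns int where the old one returned void, but nothing at the declaration says what the value means. A short comment that it is the hci_remove_ltk() result, overridden to 0 when an SMP context was cancelled, would save callers from reading smp.c.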
-- 
2.17.1




* [PATCH 4.14 023/143] pxa168fb: prepare the clock
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lubomir Rintel,
	Bartlomiej Zolnierkiewicz, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ]

Add missing prepare/unprepare operations for fbi->clk,
this fixes following kernel warning:

  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0
  Enabling unprepared disp0_clk
  Modules linked in:
  CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25
  Hardware name: Marvell MMP2 (Device Tree Support)
  [<c010f7cc>] (unwind_backtrace) from [<c010cc6c>] (show_stack+0x10/0x14)
  [<c010cc6c>] (show_stack) from [<c011dab4>] (__warn+0xd8/0xf0)
  [<c011dab4>] (__warn) from [<c011db10>] (warn_slowpath_fmt+0x44/0x6c)
  [<c011db10>] (warn_slowpath_fmt) from [<c043898c>] (clk_core_enable+0x2c/0x1b0)
  [<c043898c>] (clk_core_enable) from [<c0439ec8>] (clk_core_enable_lock+0x18/0x2c)
  [<c0439ec8>] (clk_core_enable_lock) from [<c0436698>] (pxa168fb_probe+0x464/0x6ac)
  [<c0436698>] (pxa168fb_probe) from [<c04779a0>] (platform_drv_probe+0x48/0x94)
  [<c04779a0>] (platform_drv_probe) from [<c0475bec>] (driver_probe_device+0x328/0x470)
  [<c0475bec>] (driver_probe_device) from [<c0475de4>] (__driver_attach+0xb0/0x124)
  [<c0475de4>] (__driver_attach) from [<c0473c38>] (bus_for_each_dev+0x64/0xa0)
  [<c0473c38>] (bus_for_each_dev) from [<c0474ee0>] (bus_add_driver+0x1b8/0x230)
  [<c0474ee0>] (bus_add_driver) from [<c0476a20>] (driver_register+0xac/0xf0)
  [<c0476a20>] (driver_register) from [<c0102dd4>] (do_one_initcall+0xb8/0x1f0)
  [<c0102dd4>] (do_one_initcall) from [<c0b010a0>] (kernel_init_freeable+0x294/0x2e0)
  [<c0b010a0>] (kernel_init_freeable) from [<c07e9eb8>] (kernel_init+0x8/0x10c)
  [<c07e9eb8>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
  Exception stack(0xd008bfb0 to 0xd008bff8)
  bfa0:                                     00000000 00000000 00000000 00000000
  bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
  ---[ end trace c0af40f9e2ed7cb4 ]---

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
[b.zolnierkie: enhance patch description a bit]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/pxa168fb.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c
index def3a501acd6..d059d04c63ac 100644
--- a/drivers/video/fbdev/pxa168fb.c
+++ b/drivers/video/fbdev/pxa168fb.c
@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
 	/*
 	 * enable controller clock
 	 */
-	clk_enable(fbi->clk);
+	clk_prepare_enable(fbi->clk);
 
 	pxa168fb_set_par(info);
 
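Review bot: The return value of clk_prepare_enable(fbi->clk) in pxa168fb_probe() is discarded, so a failed prepare or enable still falls through to pxa168fb_set_par(info) with the controller clock off. clk_prepare_enable() returns an int; store it and, on a non-zero result, jump to failed_free_fbmem (not failed_free_clk, since there is then nothing to disable or unprepare).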
@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
 failed_free_cmap:
 	fb_dealloc_cmap(&info->cmap);
 failed_free_clk:
-	clk_disable(fbi->clk);
+	clk_disable_unprepare(fbi->clk);
 failed_free_fbmem:
 	dma_free_coherent(fbi->dev, info->fix.smem_len,
 			info->screen_base, fbi->fb_start_dma);
@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev)
 	dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
 		    info->screen_base, info->fix.smem_start);
 
-	clk_disable(fbi->clk);
+	clk_disable_unprepare(fbi->clk);
 
 	framebuffer_release(info);
 
-- 
2.17.1





* [PATCH 4.14 024/143] qed: Avoid implicit enum conversion in qed_set_tunn_cls_info
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 023/143] pxa168fb: prepare the clock Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 025/143] qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a898fba32229efd5e6b6154f83fa86a7145156b9 ]

Clang warns when one enumerated type is implicitly converted to another.

drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:163:25: warning:
implicit conversion from enumeration type 'enum tunnel_clss' to
different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
        p_tun->vxlan.tun_cls = type;
                             ~ ^~~~
drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:165:26: warning:
implicit conversion from enumeration type 'enum tunnel_clss' to
different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
        p_tun->l2_gre.tun_cls = type;
                              ~ ^~~~
drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:167:26: warning:
implicit conversion from enumeration type 'enum tunnel_clss' to
different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
        p_tun->ip_gre.tun_cls = type;
                              ~ ^~~~
drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:169:29: warning:
implicit conversion from enumeration type 'enum tunnel_clss' to
different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
        p_tun->l2_geneve.tun_cls = type;
                                 ~ ^~~~
drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:171:29: warning:
implicit conversion from enumeration type 'enum tunnel_clss' to
different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
        p_tun->ip_geneve.tun_cls = type;
                                 ~ ^~~~
5 warnings generated.

Avoid this by changing type to an int.

Link: https://github.com/ClangBuiltLinux/linux/issues/125
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed_sp_commands.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c b/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
index 46d0c3cb83a5..d7c5965328be 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
@@ -154,7 +154,7 @@ qed_set_pf_update_tunn_mode(struct qed_tunnel_info *p_tun,
 static void qed_set_tunn_cls_info(struct qed_tunnel_info *p_tun,
 				  struct qed_tunnel_info *p_src)
 {
-	enum tunnel_clss type;
+	int type;
 
 	p_tun->b_update_rx_cls = p_src->b_update_rx_cls;
 	p_tun->b_update_tx_cls = p_src->b_update_tx_cls;
-- 
2.17.1





* [PATCH 4.14 025/143] qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 024/143] qed: Avoid implicit enum conversion in qed_set_tunn_cls_info Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 026/143] qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit db803f36e56f23b5a2266807e190d1dc11554d54 ]

Clang complains when one enumerated type is implicitly converted to
another.

drivers/net/ethernet/qlogic/qed/qed_vf.c:686:6: warning: implicit
conversion from enumeration type 'enum qed_tunn_mode' to different
enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
                                 QED_MODE_L2GENEVE_TUNN,
                                 ^~~~~~~~~~~~~~~~~~~~~~

Update mask's parameter to expect qed_tunn_mode, which is what was
intended.

Link: https://github.com/ClangBuiltLinux/linux/issues/125
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed_vf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
index 6eb85db69f9a..b8b1a791a4fa 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
@@ -572,7 +572,7 @@ free_p_iov:
 static void
 __qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
 			   struct qed_tunn_update_type *p_src,
-			   enum qed_tunn_clss mask, u8 *p_cls)
+			   enum qed_tunn_mode mask, u8 *p_cls)
 {
 	if (p_src->b_update_mode) {
 		p_req->tun_mode_update_mask |= BIT(mask);
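Review bot: The parameter of __qed_vf_prep_tunn_req_tlv() is still called mask although it now carries an enum qed_tunn_mode and is consumed as a bit number in BIT(mask), not as a mask. Renaming it to mode here and in qed_vf_prep_tunn_req_tlv() would make the intent match the new type and make call sites easier to audit for the mix-up the warning caught.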
@@ -587,7 +587,7 @@ __qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
 static void
 qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
 			 struct qed_tunn_update_type *p_src,
-			 enum qed_tunn_clss mask,
+			 enum qed_tunn_mode mask,
 			 u8 *p_cls, struct qed_tunn_update_udp_port *p_port,
 			 u8 *p_update_port, u16 *p_udp_port)
 {
-- 
2.17.1





* [PATCH 4.14 026/143] qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 025/143] qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 027/143] qed: Avoid constant logical operation warning in qed_vf_pf_acquire Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d3a315795b4ce8b105a64a90699103121bde04a8 ]

Clang warns when one enumerated type is implicitly converted to another.

drivers/net/ethernet/qlogic/qed/qed_roce.c:153:12: warning: implicit
conversion from enumeration type 'enum roce_mode' to different
enumeration type 'enum roce_flavor' [-Wenum-conversion]
                flavor = ROCE_V2_IPV6;
                       ~ ^~~~~~~~~~~~
drivers/net/ethernet/qlogic/qed/qed_roce.c:156:12: warning: implicit
conversion from enumeration type 'enum roce_mode' to different
enumeration type 'enum roce_flavor' [-Wenum-conversion]
                flavor = MAX_ROCE_MODE;
                       ~ ^~~~~~~~~~~~~
2 warnings generated.

Use the appropriate values from the expected type, roce_flavor:

ROCE_V2_IPV6 = RROCE_IPV6 = 2
MAX_ROCE_MODE = MAX_ROCE_FLAVOR = 3

While we're at it, ditch the local variable flavor, we can just return
the value directly from the switch statement.

Link: https://github.com/ClangBuiltLinux/linux/issues/125
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed_roce.c | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_roce.c b/drivers/net/ethernet/qlogic/qed/qed_roce.c
index fb7c2d1562ae..bedbf840fd7d 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_roce.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_roce.c
@@ -129,23 +129,16 @@ static void qed_rdma_copy_gids(struct qed_rdma_qp *qp, __le32 *src_gid,
 
 static enum roce_flavor qed_roce_mode_to_flavor(enum roce_mode roce_mode)
 {
-	enum roce_flavor flavor;
-
 	switch (roce_mode) {
 	case ROCE_V1:
-		flavor = PLAIN_ROCE;
-		break;
+		return PLAIN_ROCE;
 	case ROCE_V2_IPV4:
-		flavor = RROCE_IPV4;
-		break;
+		return RROCE_IPV4;
 	case ROCE_V2_IPV6:
-		flavor = ROCE_V2_IPV6;
-		break;
+		return RROCE_IPV6;
 	default:
-		flavor = MAX_ROCE_MODE;
-		break;
+		return MAX_ROCE_FLAVOR;
 	}
-	return flavor;
 }
 
 void qed_roce_free_cid_pair(struct qed_hwfn *p_hwfn, u16 cid)
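Review bot: The default: arm of qed_roce_mode_to_flavor() returns MAX_ROCE_FLAVOR, which by its name is an end-of-range sentinel and not a usable flavor, and it does so silently. Either document that callers must treat MAX_ROCE_FLAVOR as "unknown mode" or emit a one-time warning in that arm, so an unexpected roce_mode does not turn into an out-of-range flavor value further down. The switch to direct returns itself reads fine.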
-- 
2.17.1





* [PATCH 4.14 027/143] qed: Avoid constant logical operation warning in qed_vf_pf_acquire
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 026/143] qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 028/143] qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1c492a9d55ba99079210ed901dd8a5423f980487 ]

Clang warns when a constant is used in a boolean context as it thinks a
bitwise operation may have been intended.

drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: warning: use of logical
'&&' with constant operand [-Wconstant-logical-operand]
        if (!p_iov->b_pre_fp_hsi &&
                                 ^
drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: use '&' for a
bitwise operation
        if (!p_iov->b_pre_fp_hsi &&
                                 ^~
                                 &
drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: remove constant
to silence this warning
        if (!p_iov->b_pre_fp_hsi &&
                                ~^~
1 warning generated.

This has been here since commit 1fe614d10f45 ("qed: Relax VF firmware
requirements") and I am not entirely sure why since 0 isn't a special
case. Just remove the statement causing Clang to warn since it isn't
required.

Link: https://github.com/ClangBuiltLinux/linux/issues/126
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed_vf.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
index b8b1a791a4fa..dd8ebf6d380f 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
@@ -413,7 +413,6 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn)
 	}
 
 	if (!p_iov->b_pre_fp_hsi &&
-	    ETH_HSI_VER_MINOR &&
 	    (resp->pfdev_info.minor_fp_hsi < ETH_HSI_VER_MINOR)) {
 		DP_INFO(p_hwfn,
 			"PF is using older fastpath HSI; %02x.%02x is configured\n",
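Review bot: Dropping the ETH_HSI_VER_MINOR operand from the condition in qed_vf_pf_acquire() preserves behaviour only if resp->pfdev_info.minor_fp_hsi is unsigned. The removed operand made the whole test false when the constant is 0; the remaining comparison minor_fp_hsi < ETH_HSI_VER_MINOR gives the same answer in that case only when the left side can never be negative. The commit message says it is unclear why the operand was there, so please record the field's type in the message to put the equivalence on record.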
-- 
2.17.1





* [PATCH 4.14 028/143] qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 027/143] qed: Avoid constant logical operation warning in qed_vf_pf_acquire Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 029/143] nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 77f2d753819b7d50c16abfb778caf1fe075faed0 ]

Clang warns when one enumerated type is implicitly converted to another.

drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1713:25: warning: implicit
conversion from enumeration type 'enum tcp_ip_version' to different
enumeration type 'enum qed_tcp_ip_version' [-Wenum-conversion]
                cm_info->ip_version = TCP_IPV4;
                                    ~ ^~~~~~~~
drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1733:25: warning: implicit
conversion from enumeration type 'enum tcp_ip_version' to different
enumeration type 'enum qed_tcp_ip_version' [-Wenum-conversion]
                cm_info->ip_version = TCP_IPV6;
                                    ~ ^~~~~~~~
2 warnings generated.

Use the appropriate values from the expected type, qed_tcp_ip_version:

TCP_IPV4 = QED_TCP_IPV4 = 0
TCP_IPV6 = QED_TCP_IPV6 = 1

Link: https://github.com/ClangBuiltLinux/linux/issues/125
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
index e41f28602535..eb666877d1aa 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
@@ -1672,7 +1672,7 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn,
 
 		cm_info->local_ip[0] = ntohl(iph->daddr);
 		cm_info->remote_ip[0] = ntohl(iph->saddr);
-		cm_info->ip_version = TCP_IPV4;
+		cm_info->ip_version = QED_TCP_IPV4;
 
 		ip_hlen = (iph->ihl) * sizeof(u32);
 		*payload_len = ntohs(iph->tot_len) - ip_hlen;
@@ -1692,7 +1692,7 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn,
 			cm_info->remote_ip[i] =
 			    ntohl(ip6h->saddr.in6_u.u6_addr32[i]);
 		}
-		cm_info->ip_version = TCP_IPV6;
+		cm_info->ip_version = QED_TCP_IPV6;
 
 		ip_hlen = sizeof(*ip6h);
 		*payload_len = ntohs(ip6h->payload_len);
-- 
2.17.1





* [PATCH 4.14 029/143] nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 028/143] qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 030/143] asix: Check for supported Wake-on-LAN modes Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masashi Honma, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1222a16014888ed9733c11e221730d4a8196222b ]

Use array_index_nospec() to sanitize i with respect to speculation.

Note that the user doesn't control i directly, but can make it out
of bounds by not finding a threshold in the array.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
[add note about user control, as explained by Masashi]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/nl80211.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5e7c9b361e8a..46e9812d13c0 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9720,7 +9720,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
 	struct wireless_dev *wdev = dev->ieee80211_ptr;
 	s32 last, low, high;
 	u32 hyst;
-	int i, n;
+	int i, n, low_index;
 	int err;
 
 	/* RSSI reporting disabled? */
@@ -9757,10 +9757,19 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
 		if (last < wdev->cqm_config->rssi_thresholds[i])
 			break;
 
-	low = i > 0 ?
-		(wdev->cqm_config->rssi_thresholds[i - 1] - hyst) : S32_MIN;
-	high = i < n ?
-		(wdev->cqm_config->rssi_thresholds[i] + hyst - 1) : S32_MAX;
+	low_index = i - 1;
+	if (low_index >= 0) {
+		low_index = array_index_nospec(low_index, n);
+		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
+	} else {
+		low = S32_MIN;
+	}
+	if (i < n) {
+		i = array_index_nospec(i, n);
+		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
+	} else {
+		high = S32_MAX;
+	}
 
 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
 }
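Review bot: The new array_index_nospec() calls in cfg80211_cqm_rssi_update() need linux/nospec.h, and neither hunk (nor the diffstat, which lists only nl80211.c with 14 insertions and 5 deletions) adds an include, so please confirm the 4.14 version of this file already pulls it in. On the logic: both clamps use n as the bound, which is right for low_index (at most n - 1) and for i (guarded by i < n), and reassigning i is safe because it is not read again before the return.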
-- 
2.17.1





* [PATCH 4.14 030/143] asix: Check for supported Wake-on-LAN modes
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 029/143] nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 031/143] ax88179_178a: " Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ]

The driver currently silently accepts unsupported Wake-on-LAN modes
(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
which is confusing.

Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/asix_common.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
index 522d2900cd1d..e9fcf6ef716a 100644
--- a/drivers/net/usb/asix_common.c
+++ b/drivers/net/usb/asix_common.c
@@ -607,6 +607,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
 	struct usbnet *dev = netdev_priv(net);
 	u8 opt = 0;
 
+	if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
+		return -EINVAL;
+
 	if (wolinfo->wolopts & WAKE_PHY)
 		opt |= AX_MONITOR_LINK;
 	if (wolinfo->wolopts & WAKE_MAGIC)
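Review bot: The accepted set (WAKE_PHY | WAKE_MAGIC) in asix_set_wol() is spelled out inline, separately from the two wolopts tests below that act on it, so a mode added to one place later can be missed in the other. A single named constant for the supported modes, used by this check and by whatever the driver reports as supported in its get_wol handler, keeps the two in step. Placing the check before any device access is the right spot.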
-- 
2.17.1





* [PATCH 4.14 031/143] ax88179_178a: Check for supported Wake-on-LAN modes
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 030/143] asix: Check for supported Wake-on-LAN modes Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 032/143] lan78xx: " Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ]

The driver currently silently accepts unsupported Wake-on-LAN modes
(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
which is confusing.

Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/ax88179_178a.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
index f32261ecd215..0f69b77e8502 100644
--- a/drivers/net/usb/ax88179_178a.c
+++ b/drivers/net/usb/ax88179_178a.c
@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
 	struct usbnet *dev = netdev_priv(net);
 	u8 opt = 0;
 
+	if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
+		return -EINVAL;
+
 	if (wolinfo->wolopts & WAKE_PHY)
 		opt |= AX_MONITOR_MODE_RWLC;
 	if (wolinfo->wolopts & WAKE_MAGIC)
-- 
2.17.1





* [PATCH 4.14 032/143] lan78xx: Check for supported Wake-on-LAN modes
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 031/143] ax88179_178a: " Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 033/143] sr9800: " Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Woojung Huh,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ]

The driver supports a fair amount of Wake-on-LAN modes, but is not
checking that the user specified one that is supported.

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Woojung Huh <Woojung.Huh@Microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/lan78xx.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index 9e3f632e22f1..00ddcaf09014 100644
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -1375,19 +1375,10 @@ static int lan78xx_set_wol(struct net_device *netdev,
 	if (ret < 0)
 		return ret;
 
-	pdata->wol = 0;
-	if (wol->wolopts & WAKE_UCAST)
-		pdata->wol |= WAKE_UCAST;
-	if (wol->wolopts & WAKE_MCAST)
-		pdata->wol |= WAKE_MCAST;
-	if (wol->wolopts & WAKE_BCAST)
-		pdata->wol |= WAKE_BCAST;
-	if (wol->wolopts & WAKE_MAGIC)
-		pdata->wol |= WAKE_MAGIC;
-	if (wol->wolopts & WAKE_PHY)
-		pdata->wol |= WAKE_PHY;
-	if (wol->wolopts & WAKE_ARP)
-		pdata->wol |= WAKE_ARP;
+	if (wol->wolopts & ~WAKE_ALL)
+		return -EINVAL;
+
+	pdata->wol = wol->wolopts;
 
 	device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts);
 
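Review bot: The new return -EINVAL in lan78xx_set_wol() sits after a call whose failure is already handled by the context lines (if (ret < 0) return ret;), so if that call took something the function releases on its way out, such as a runtime-PM reference, this early return skips the release. Move the wolopts check to the top of the function, before anything is acquired, or route it through the existing exit path. Separately, pdata->wol = wol->wolopts now stores every bit allowed by WAKE_ALL, while the removed code copied exactly six modes (UCAST, MCAST, BCAST, MAGIC, PHY, ARP); please confirm WAKE_ALL is that same set.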
-- 
2.17.1





* [PATCH 4.14 033/143] sr9800: Check for supported Wake-on-LAN modes
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 032/143] lan78xx: " Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 034/143] r8152: Check for supported Wake-on-LAN Modes Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ]

The driver currently silently accepts unsupported Wake-on-LAN modes
(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
which is confusing.

Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/sr9800.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
index 9277a0f228df..35f39f23d881 100644
--- a/drivers/net/usb/sr9800.c
+++ b/drivers/net/usb/sr9800.c
@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
 	struct usbnet *dev = netdev_priv(net);
 	u8 opt = 0;
 
+	if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
+		return -EINVAL;
+
 	if (wolinfo->wolopts & WAKE_PHY)
 		opt |= SR_MONITOR_LINK;
 	if (wolinfo->wolopts & WAKE_MAGIC)
-- 
2.17.1





* [PATCH 4.14 034/143] r8152: Check for supported Wake-on-LAN Modes
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 033/143] sr9800: " Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 035/143] smsc75xx: Check for Wake-on-LAN modes Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ]

The driver does not check for Wake-on-LAN modes specified by a user,
but will conditionally set the device as wake-up enabled or not based on
that, which could be a very confusing user experience.

Fixes: 21ff2e8976b1 ("r8152: support WOL")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/r8152.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 0fa64cc1a011..66beff4d7646 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -4497,6 +4497,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
 	if (!rtl_can_wakeup(tp))
 		return -EOPNOTSUPP;
 
+	if (wol->wolopts & ~WAKE_ANY)
+		return -EINVAL;
+
 	ret = usb_autopm_get_interface(tp->intf);
 	if (ret < 0)
 		goto out_set_wol;
-- 
2.17.1





* [PATCH 4.14 035/143] smsc75xx: Check for Wake-on-LAN modes
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 034/143] r8152: Check for supported Wake-on-LAN Modes Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 036/143] smsc95xx: " Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ]

The driver does not check for Wake-on-LAN modes specified by a user,
but will conditionally set the device as wake-up enabled or not based on
that, which could be a very confusing user experience.

Fixes: 6c636503260d ("smsc75xx: add wol magic packet support")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/smsc75xx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
index b64b1ee56d2d..ec287c9741e8 100644
--- a/drivers/net/usb/smsc75xx.c
+++ b/drivers/net/usb/smsc75xx.c
@@ -731,6 +731,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net,
 	struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
 	int ret;
 
+	if (wolinfo->wolopts & ~SUPPORTED_WAKE)
+		return -EINVAL;
+
 	pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
 
 	ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
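Review bot: With the new rejection of any bit outside SUPPORTED_WAKE in smsc75xx_ethtool_set_wol(), the mask in the following context line (pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;) can no longer clear anything. Dropping the mask there, or leaving a short comment that it is kept as a belt-and-braces measure, would avoid suggesting that unsupported bits can still reach that assignment.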
-- 
2.17.1





* [PATCH 4.14 036/143] smsc95xx: Check for Wake-on-LAN modes
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 035/143] smsc75xx: Check for Wake-on-LAN modes Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 037/143] cfg80211: fix use-after-free in reg_process_hint() Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c530c471ba37bdd9fe1c7185b01455c00ae606fb ]

The driver does not check for Wake-on-LAN modes specified by a user,
but will conditionally set the device as wake-up enabled or not based on
that, which could be a very confusing user experience.

Fixes: e0e474a83c18 ("smsc95xx: add wol magic packet support")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/smsc95xx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
index 309b88acd3d0..99e684e39d35 100644
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -774,6 +774,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net,
 	struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]);
 	int ret;
 
+	if (wolinfo->wolopts & ~SUPPORTED_WAKE)
+		return -EINVAL;
+
 	pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
 
 	ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
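Review bot: The early `return -EINVAL` in smsc95xx_ethtool_set_wol() changes what user space sees on a stable kernel: a request that mixes supported and unsupported wake bits used to be accepted with the extra bits silently masked off, and now fails outright. That is the intent per the changelog, but it deserves a sentence there, because existing scripts that pass a broader wolopts set will start getting an error after this update. The check is placed correctly, before pdata->wolopts or the wakeup-enable state is touched, so a rejected request leaves the previous configuration intact.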
-- 
2.17.1





* [PATCH 4.14 037/143] cfg80211: fix use-after-free in reg_process_hint()
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 036/143] smsc95xx: " Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 038/143] perf/core: Fix perf_pmu_unregister() locking Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yu Zhao, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1db58529454742f67ebd96e3588315e880b72837 ]

reg_process_hint_country_ie() can free regulatory_request and return
REG_REQ_ALREADY_SET. We shouldn't use regulatory_request after it's
called. KASAN error was observed when this happens.

BUG: KASAN: use-after-free in reg_process_hint+0x839/0x8aa [cfg80211]
Read of size 4 at addr ffff8800c430d434 by task kworker/1:3/89
<snipped>
Workqueue: events reg_todo [cfg80211]
Call Trace:
 dump_stack+0xc1/0x10c
 ? _atomic_dec_and_lock+0x1ad/0x1ad
 ? _raw_spin_lock_irqsave+0xa0/0xd2
 print_address_description+0x86/0x26f
 ? reg_process_hint+0x839/0x8aa [cfg80211]
 kasan_report+0x241/0x29b
 reg_process_hint+0x839/0x8aa [cfg80211]
 reg_todo+0x204/0x5b9 [cfg80211]
 process_one_work+0x55f/0x8d0
 ? worker_detach_from_pool+0x1b5/0x1b5
 ? _raw_spin_unlock_irq+0x65/0xdd
 ? _raw_spin_unlock_irqrestore+0xf3/0xf3
 worker_thread+0x5dd/0x841
 ? kthread_parkme+0x1d/0x1d
 kthread+0x270/0x285
 ? pr_cont_work+0xe3/0xe3
 ? rcu_read_unlock_sched_notrace+0xca/0xca
 ret_from_fork+0x22/0x40

Allocated by task 2718:
 set_track+0x63/0xfa
 __kmalloc+0x119/0x1ac
 regulatory_hint_country_ie+0x38/0x329 [cfg80211]
 __cfg80211_connect_result+0x854/0xadd [cfg80211]
 cfg80211_rx_assoc_resp+0x3bc/0x4f0 [cfg80211]
smsc95xx v1.0.6
 ieee80211_sta_rx_queued_mgmt+0x1803/0x7ed5 [mac80211]
 ieee80211_iface_work+0x411/0x696 [mac80211]
 process_one_work+0x55f/0x8d0
 worker_thread+0x5dd/0x841
 kthread+0x270/0x285
 ret_from_fork+0x22/0x40

Freed by task 89:
 set_track+0x63/0xfa
 kasan_slab_free+0x6a/0x87
 kfree+0xdc/0x470
 reg_process_hint+0x31e/0x8aa [cfg80211]
 reg_todo+0x204/0x5b9 [cfg80211]
 process_one_work+0x55f/0x8d0
 worker_thread+0x5dd/0x841
 kthread+0x270/0x285
 ret_from_fork+0x22/0x40
<snipped>

Signed-off-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/reg.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 6f032c7b8732..bd91de416035 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -2170,11 +2170,12 @@ static void reg_process_hint(struct regulatory_request *reg_request)
 {
 	struct wiphy *wiphy = NULL;
 	enum reg_request_treatment treatment;
+	enum nl80211_reg_initiator initiator = reg_request->initiator;
 
 	if (reg_request->wiphy_idx != WIPHY_IDX_INVALID)
 		wiphy = wiphy_idx_to_wiphy(reg_request->wiphy_idx);
 
-	switch (reg_request->initiator) {
+	switch (initiator) {
 	case NL80211_REGDOM_SET_BY_CORE:
 		treatment = reg_process_hint_core(reg_request);
 		break;
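Review bot: The new `initiator` local at the top of reg_process_hint() has no comment saying why the field is copied out, so a later cleanup could fold it back into `reg_request->initiator` and reintroduce the use-after-free from the KASAN report. Add a one-line comment at the declaration stating that reg_process_hint_country_ie() can free reg_request, and that nothing after the switch may dereference it.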
@@ -2192,7 +2193,7 @@ static void reg_process_hint(struct regulatory_request *reg_request)
 		treatment = reg_process_hint_country_ie(wiphy, reg_request);
 		break;
 	default:
-		WARN(1, "invalid initiator %d\n", reg_request->initiator);
+		WARN(1, "invalid initiator %d\n", initiator);
 		goto out_free;
 	}
 
@@ -2207,7 +2208,7 @@ static void reg_process_hint(struct regulatory_request *reg_request)
 	 */
 	if (treatment == REG_REQ_ALREADY_SET && wiphy &&
 	    wiphy->regulatory_flags & REGULATORY_STRICT_REG) {
-		wiphy_update_regulatory(wiphy, reg_request->initiator);
+		wiphy_update_regulatory(wiphy, initiator);
 		wiphy_all_share_dfs_chan_state(wiphy);
 		reg_check_channels();
 	}
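Review bot: In the REGULATORY_STRICT_REG block, the cached `initiator` fixes the read that KASAN flagged, but `reg_request` remains in scope here as a pointer that looks valid after reg_process_hint_country_ie() may have freed it. The changelog only describes the country-IE case as freeing the request; please confirm the other helpers that can return REG_REQ_ALREADY_SET follow the same ownership rule, and consider a comment in this block marking reg_request as off limits so future additions here use cached values only.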
-- 
2.17.1





* [PATCH 4.14 038/143] perf/core: Fix perf_pmu_unregister() locking
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 037/143] cfg80211: fix use-after-free in reg_process_hint() Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 039/143] perf/ring_buffer: Prevent concurent ring buffer access Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	Ingo Molnar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a9f9772114c8b07ae75bcb3654bd017461248095 ]

When we unregister a PMU, we fail to serialize the @pmu_idr properly.
Fix that by doing the entire thing under pmu_lock.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: 2e80a82a49c4 ("perf: Dynamic pmu types")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/events/core.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 4dbce29a9313..ee1c07c0b833 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9020,9 +9020,7 @@ static void free_pmu_context(struct pmu *pmu)
 	if (pmu->task_ctx_nr > perf_invalid_context)
 		return;
 
-	mutex_lock(&pmus_lock);
 	free_percpu(pmu->pmu_cpu_context);
-	mutex_unlock(&pmus_lock);
 }
 
 /*
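Review bot: free_pmu_context() now frees pmu->pmu_cpu_context with no locking of its own and silently depends on the caller holding pmus_lock, which nothing in the function documents or enforces. Add `lockdep_assert_held(&pmus_lock);` at the top, or at least a comment, and check that every caller outside this patch's hunks does hold the mutex.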
@@ -9278,12 +9276,8 @@ EXPORT_SYMBOL_GPL(perf_pmu_register);
 
 void perf_pmu_unregister(struct pmu *pmu)
 {
-	int remove_device;
-
 	mutex_lock(&pmus_lock);
-	remove_device = pmu_bus_running;
 	list_del_rcu(&pmu->entry);
-	mutex_unlock(&pmus_lock);
 
 	/*
 	 * We dereference the pmu list under both SRCU and regular RCU, so
@@ -9295,13 +9289,14 @@ void perf_pmu_unregister(struct pmu *pmu)
 	free_percpu(pmu->pmu_disable_count);
 	if (pmu->type >= PERF_TYPE_MAX)
 		idr_remove(&pmu_idr, pmu->type);
-	if (remove_device) {
+	if (pmu_bus_running) {
 		if (pmu->nr_addr_filters)
 			device_remove_file(pmu->dev, &dev_attr_nr_addr_filters);
 		device_del(pmu->dev);
 		put_device(pmu->dev);
 	}
 	free_pmu_context(pmu);
+	mutex_unlock(&pmus_lock);
 }
 EXPORT_SYMBOL_GPL(perf_pmu_unregister);
 
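Review bot: With `mutex_unlock(&pmus_lock)` moved to the end of perf_pmu_unregister(), the mutex is held across everything between list_del_rcu() and free_pmu_context(), including the wait implied by the SRCU/RCU comment, idr_remove(), device_del() and put_device(). That closes the pmu_idr race named in the changelog, but it also means none of those calls may end up taking pmus_lock themselves, for example from a device release or sysfs callback; the changelog should say this was checked. Reading pmu_bus_running directly is fine now that the lock is still held at that point, which is why the remove_device snapshot could go.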
-- 
2.17.1





* [PATCH 4.14 039/143] perf/ring_buffer: Prevent concurent ring buffer access
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 038/143] perf/core: Fix perf_pmu_unregister() locking Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 040/143] perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Olsa, Peter Zijlstra (Intel),
	Alexander Shishkin, Andrew Vagin, Arnaldo Carvalho de Melo,
	Arnaldo Carvalho de Melo, Jiri Olsa, Linus Torvalds,
	Namhyung Kim, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	Ingo Molnar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit cd6fb677ce7e460c25bdd66f689734102ec7d642 ]

Some of the scheduling tracepoints allow the perf_tp_event
code to write to the ring buffer under a different cpu than the
code is running on.

This results in corrupted ring buffer data demonstrated in
the following perf commands:

  # perf record -e 'sched:sched_switch,sched:sched_wakeup' perf bench sched messaging
  # Running 'sched/messaging' benchmark:
  # 20 sender and receiver processes per group
  # 10 groups == 400 processes run

       Total time: 0.383 [sec]
  [ perf record: Woken up 8 times to write data ]
  0x42b890 [0]: failed to process type: -1765585640
  [ perf record: Captured and wrote 4.825 MB perf.data (29669 samples) ]

  # perf report --stdio
  0x42b890 [0]: failed to process type: -1765585640

The reason for the corruption is that some of the scheduling tracepoints
have __perf_task defined and thus allow storing data to another
cpu's ring buffer:

  sched_waking
  sched_wakeup
  sched_wakeup_new
  sched_stat_wait
  sched_stat_sleep
  sched_stat_iowait
  sched_stat_blocked

The perf_tp_event function first stores samples for current cpu
related events defined for tracepoint:

    hlist_for_each_entry_rcu(event, head, hlist_entry)
      perf_swevent_event(event, count, &data, regs);

And then iterates events of the 'task' and stores the sample
for any task's event that passes tracepoint checks:

  ctx = rcu_dereference(task->perf_event_ctxp[perf_sw_context]);

  list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
    if (event->attr.type != PERF_TYPE_TRACEPOINT)
      continue;
    if (event->attr.config != entry->type)
      continue;

    perf_swevent_event(event, count, &data, regs);
  }

The above code can race with the same code running on another cpu,
ending up with 2 cpus trying to store under the same ring
buffer, which is specifically not allowed.

This patch prevents the problem, by allowing only events with the same
current cpu to receive the event.

NOTE: this requires the use of (per-task-)per-cpu buffers for this
feature to work; perf-record does this.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
[peterz: small edits to Changelog]
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andrew Vagin <avagin@openvz.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: e6dab5ffab59 ("perf/trace: Add ability to set a target task for events")
Link: http://lkml.kernel.org/r/20180923161343.GB15054@krava
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/events/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index ee1c07c0b833..991af683ef9e 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -8058,6 +8058,8 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size,
 			goto unlock;
 
 		list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
+			if (event->cpu != smp_processor_id())
+				continue;
 			if (event->attr.type != PERF_TYPE_TRACEPOINT)
 				continue;
 			if (event->attr.config != entry->type)
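Review bot: The new `event->cpu != smp_processor_id()` test in the task-context loop of perf_tp_event() also skips every event opened with cpu == -1, since that value never equals a real CPU id, so a per-task tracepoint event that is not bound to a CPU stops receiving samples from this path without any error. The changelog's NOTE covers this (per-task-per-cpu buffers are required, as perf-record sets up), but the code has no comment; add one above the check saying that only events bound to the current CPU may be written here, because two CPUs storing into the same ring buffer is not allowed.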
-- 
2.17.1





* [PATCH 4.14 040/143] perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 039/143] perf/ring_buffer: Prevent concurent ring buffer access Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 041/143] perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kan Liang, Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	Ingo Molnar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9d92cfeaf5215158d26d2991be7f7ff865cb98f3 ]

The counters on M3UPI Link 0 and Link 3 don't count properly, and writing
0 to these counters may cause a system crash on some machines.

The PCI BDF addresses of the M3UPI in the current code are incorrect.

The correct addresses should be:

  D18:F1	0x204D
  D18:F2	0x204E
  D18:F5	0x204D

Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: cd34cd97b7b4 ("perf/x86/intel/uncore: Add Skylake server uncore support")
Link: http://lkml.kernel.org/r/1537538826-55489-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/events/intel/uncore_snbep.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index 2dae3f585c01..a68aba8a482f 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -3807,16 +3807,16 @@ static const struct pci_device_id skx_uncore_pci_ids[] = {
 		.driver_data = UNCORE_PCI_DEV_FULL_DATA(21, 5, SKX_PCI_UNCORE_M2PCIE, 3),
 	},
 	{ /* M3UPI0 Link 0 */
-		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C),
-		.driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 0, SKX_PCI_UNCORE_M3UPI, 0),
+		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
+		.driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 0),
 	},
 	{ /* M3UPI0 Link 1 */
-		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
-		.driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 1),
+		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204E),
+		.driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 2, SKX_PCI_UNCORE_M3UPI, 1),
 	},
 	{ /* M3UPI1 Link 2 */
-		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C),
-		.driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 4, SKX_PCI_UNCORE_M3UPI, 2),
+		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
+		.driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 5, SKX_PCI_UNCORE_M3UPI, 2),
 	},
 	{ /* end: all zeroes */ }
 };
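Review bot: The changelog says the counters on M3UPI Link 0 and Link 3 miscount, but the entries touched in skx_uncore_pci_ids[] are commented Link 0, Link 1 and Link 2, and no Link 3 entry is visible in this hunk; please reconcile the numbering in the changelog or the comments. After the change two entries share device ID 0x204D and are told apart only by the function number in UNCORE_PCI_DEV_FULL_DATA (18, 1 versus 18, 5), so a short comment carrying the D18:F1 / D18:F2 / D18:F5 mapping from the changelog would make the table checkable without digging up this commit.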
-- 
2.17.1





* [PATCH 4.14 041/143] perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 040/143] perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 042/143] net: fec: fix rare tx timeout Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Janakarajan Natarajan,
	Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo,
	Arnaldo Carvalho de Melo, Borislav Petkov, H . Peter Anvin,
	Jiri Olsa, Linus Torvalds, Namhyung Kim, Stephane Eranian,
	Suravee, Thomas Gleixner, Vince Weaver, Ingo Molnar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d7cbbe49a9304520181fb8c9272d1327deec8453 ]

In Family 17h, some L3 Cache Performance events require the ThreadMask
and SliceMask to be set. For other events, these fields do not affect
the count either way.

Set ThreadMask and SliceMask to 0xFF and 0xF respectively.

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H . Peter Anvin <hpa@zytor.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Suravee <Suravee.Suthikulpanit@amd.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/Message-ID:
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/events/amd/uncore.c      | 10 ++++++++++
 arch/x86/include/asm/perf_event.h |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/arch/x86/events/amd/uncore.c b/arch/x86/events/amd/uncore.c
index f5cbbba99283..4e1d7483b78c 100644
--- a/arch/x86/events/amd/uncore.c
+++ b/arch/x86/events/amd/uncore.c
@@ -35,6 +35,7 @@
 
 static int num_counters_llc;
 static int num_counters_nb;
+static bool l3_mask;
 
 static HLIST_HEAD(uncore_unused_list);
 
@@ -208,6 +209,13 @@ static int amd_uncore_event_init(struct perf_event *event)
 	hwc->config = event->attr.config & AMD64_RAW_EVENT_MASK_NB;
 	hwc->idx = -1;
 
+	/*
+	 * SliceMask and ThreadMask need to be set for certain L3 events in
+	 * Family 17h. For other events, the two fields do not affect the count.
+	 */
+	if (l3_mask)
+		hwc->config |= (AMD64_L3_SLICE_MASK | AMD64_L3_THREAD_MASK);
+
 	if (event->cpu < 0)
 		return -EINVAL;
 
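Review bot: The `if (l3_mask)` test in amd_uncore_event_init() keys only on the global flag, not on which PMU the event belongs to, so once l3_mask is true the SliceMask and ThreadMask bits are OR-ed into hwc->config for every uncore event that goes through this init function, not just the L3 ones the comment talks about. The changelog says the fields are harmless for other L3 events but says nothing about events on amd_nb_pmu; either restrict the OR to events on amd_llc_pmu or document why setting bits 48-51 and 56-63 is safe for the other PMU's event-select register.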
@@ -542,6 +550,7 @@ static int __init amd_uncore_init(void)
 		amd_llc_pmu.name	  = "amd_l3";
 		format_attr_event_df.show = &event_show_df;
 		format_attr_event_l3.show = &event_show_l3;
+		l3_mask			  = true;
 	} else {
 		num_counters_nb		  = NUM_COUNTERS_NB;
 		num_counters_llc	  = NUM_COUNTERS_L2;
@@ -549,6 +558,7 @@ static int __init amd_uncore_init(void)
 		amd_llc_pmu.name	  = "amd_l2";
 		format_attr_event_df	  = format_attr_event;
 		format_attr_event_l3	  = format_attr_event;
+		l3_mask			  = false;
 	}
 
 	amd_nb_pmu.attr_groups	= amd_uncore_attr_groups_df;
diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h
index 12f54082f4c8..78241b736f2a 100644
--- a/arch/x86/include/asm/perf_event.h
+++ b/arch/x86/include/asm/perf_event.h
@@ -46,6 +46,14 @@
 #define INTEL_ARCH_EVENT_MASK	\
 	(ARCH_PERFMON_EVENTSEL_UMASK | ARCH_PERFMON_EVENTSEL_EVENT)
 
+#define AMD64_L3_SLICE_SHIFT				48
+#define AMD64_L3_SLICE_MASK				\
+	((0xFULL) << AMD64_L3_SLICE_SHIFT)
+
+#define AMD64_L3_THREAD_SHIFT				56
+#define AMD64_L3_THREAD_MASK				\
+	((0xFFULL) << AMD64_L3_THREAD_SHIFT)
+
 #define X86_RAW_EVENT_MASK		\
 	(ARCH_PERFMON_EVENTSEL_EVENT |	\
 	 ARCH_PERFMON_EVENTSEL_UMASK |	\
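Review bot: AMD64_L3_SLICE_MASK and AMD64_L3_THREAD_MASK are added to perf_event.h without any comment, although the changelog ties them specifically to Family 17h L3 events. Add a line above the defines naming the family and the field widths (SliceMask is 4 bits starting at bit 48, ThreadMask is 8 bits starting at bit 56), so the constants are not reused for a part where those bit positions mean something else.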
-- 
2.17.1





* [PATCH 4.14 042/143] net: fec: fix rare tx timeout
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 041/143] perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 043/143] declance: Fix continuation with the adapter identification message Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rickard x Andersson, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 657ade07df72847f591ccdb36bd9b91ed0edbac3 ]

During certain heavy network loads TX could time out
with TX ring dump.
TX is sometimes never restarted after reaching
"tx_stop_threshold" because function "fec_enet_tx_queue"
only tests the first queue.

In addition the TX timeout callback function failed to
recover because it also operated only on the first queue.

Signed-off-by: Rickard x Andersson <rickaran@axis.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/fec_main.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index eb2ea231c7ca..8bfa6ef826a9 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1155,7 +1155,7 @@ static void fec_enet_timeout_work(struct work_struct *work)
 		napi_disable(&fep->napi);
 		netif_tx_lock_bh(ndev);
 		fec_restart(ndev);
-		netif_wake_queue(ndev);
+		netif_tx_wake_all_queues(ndev);
 		netif_tx_unlock_bh(ndev);
 		napi_enable(&fep->napi);
 	}
@@ -1270,7 +1270,7 @@ skb_done:
 
 		/* Since we have freed up a buffer, the ring is no longer full
 		 */
-		if (netif_queue_stopped(ndev)) {
+		if (netif_tx_queue_stopped(nq)) {
 			entries_free = fec_enet_get_free_txdesc_num(txq);
 			if (entries_free >= txq->tx_wake_threshold)
 				netif_tx_wake_queue(nq);
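Review bot: The stop side that pairs with this `netif_tx_queue_stopped(nq)` test in fec_enet_tx_queue() is not part of the patch; please confirm the transmit path stops the same per-queue `nq`, otherwise the stopped test and the stop call would still be looking at different queues. Within this hunk the change is consistent: the wake two lines below already used `nq`, so the test and the wake now refer to the same queue.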
@@ -1747,7 +1747,7 @@ static void fec_enet_adjust_link(struct net_device *ndev)
 			napi_disable(&fep->napi);
 			netif_tx_lock_bh(ndev);
 			fec_restart(ndev);
-			netif_wake_queue(ndev);
+			netif_tx_wake_all_queues(ndev);
 			netif_tx_unlock_bh(ndev);
 			napi_enable(&fep->napi);
 		}
@@ -2249,7 +2249,7 @@ static int fec_enet_set_pauseparam(struct net_device *ndev,
 		napi_disable(&fep->napi);
 		netif_tx_lock_bh(ndev);
 		fec_restart(ndev);
-		netif_wake_queue(ndev);
+		netif_tx_wake_all_queues(ndev);
 		netif_tx_unlock_bh(ndev);
 		napi_enable(&fep->napi);
 	}
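Review bot: This is the third copy of the same restart sequence (napi_disable, netif_tx_lock_bh, fec_restart, wake, netif_tx_unlock_bh, napi_enable), after fec_enet_timeout_work() and fec_enet_adjust_link(), and all three carried the same single-queue wake. Upstream could factor it into one helper so the next fix lands in one place; for the stable backport the three identical one-line substitutions are fine as they are. The unconditional netif_tx_wake_all_queues() also assumes fec_restart() leaves every TX ring with free descriptors, which is worth stating in the changelog.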
-- 
2.17.1





* [PATCH 4.14 043/143] declance: Fix continuation with the adapter identification message
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 042/143] net: fec: fix rare tx timeout Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 044/143] net: qualcomm: rmnet: Skip processing loopback packets Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit fe3a83af6a50199bf250fa331e94216912f79395 ]

Fix a commit 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing
continuation lines") regression with the `declance' driver, which caused
the adapter identification message to be split between two lines, e.g.:

declance.c: v0.011 by Linux MIPS DECstation task force
tc6: PMAD-AA
, addr = 08:00:2b:1b:2a:6a, irq = 14
tc6: registered as eth0.

Address that properly, by printing identification with a single call,
making the messages now look like:

declance.c: v0.011 by Linux MIPS DECstation task force
tc6: PMAD-AA, addr = 08:00:2b:1b:2a:6a, irq = 14
tc6: registered as eth0.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amd/declance.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/amd/declance.c b/drivers/net/ethernet/amd/declance.c
index 82cc81385033..c7cde58feaf7 100644
--- a/drivers/net/ethernet/amd/declance.c
+++ b/drivers/net/ethernet/amd/declance.c
@@ -1029,6 +1029,7 @@ static int dec_lance_probe(struct device *bdev, const int type)
 	int i, ret;
 	unsigned long esar_base;
 	unsigned char *esar;
+	const char *desc;
 
 	if (dec_lance_debug && version_printed++ == 0)
 		printk(version);
@@ -1214,19 +1215,20 @@ static int dec_lance_probe(struct device *bdev, const int type)
 	 */
 	switch (type) {
 	case ASIC_LANCE:
-		printk("%s: IOASIC onboard LANCE", name);
+		desc = "IOASIC onboard LANCE";
 		break;
 	case PMAD_LANCE:
-		printk("%s: PMAD-AA", name);
+		desc = "PMAD-AA";
 		break;
 	case PMAX_LANCE:
-		printk("%s: PMAX onboard LANCE", name);
+		desc = "PMAX onboard LANCE";
 		break;
 	}
 	for (i = 0; i < 6; i++)
 		dev->dev_addr[i] = esar[i * 4];
 
-	printk(", addr = %pM, irq = %d\n", dev->dev_addr, dev->irq);
+	printk("%s: %s, addr = %pM, irq = %d\n",
+	       name, desc, dev->dev_addr, dev->irq);
 
 	dev->netdev_ops = &lance_netdev_ops;
 	dev->watchdog_timeo = 5*HZ;
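Review bot: `desc` is declared without an initializer and the `switch (type)` has no default case, so if type is ever something other than ASIC_LANCE, PMAD_LANCE or PMAX_LANCE the new printk() passes an uninitialized pointer to `%s`. The old code simply printed no prefix in that case. Initialize it at the declaration, for example `const char *desc = "unknown";`, or add a default label that sets it.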
-- 
2.17.1





* [PATCH 4.14 044/143] net: qualcomm: rmnet: Skip processing loopback packets
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 043/143] declance: Fix continuation with the adapter identification message Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 045/143] locking/ww_mutex: Fix runtime warning in the WW mutex selftest Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Tranchetti,
	Subash Abhinov Kasiviswanathan, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a07f388e2cde2be74b263f85df6f672fea0305a1 ]

RMNET RX handler was processing invalid packets that were
originally sent on the real device and were looped back via
dev_loopback_xmit(). This was detected using syzkaller.

Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c
index 929fb8d96ec0..8d979fef5fc7 100644
--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c
+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c
@@ -205,6 +205,9 @@ rx_handler_result_t rmnet_rx_handler(struct sk_buff **pskb)
 	if (!skb)
 		return RX_HANDLER_CONSUMED;
 
+	if (skb->pkt_type == PACKET_LOOPBACK)
+		return RX_HANDLER_PASS;
+
 	dev = skb->dev;
 	port = rmnet_get_port(dev);
 
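Review bot: The PACKET_LOOPBACK check in rmnet_rx_handler() has no comment, and the reason is not obvious from the code: per the changelog these are packets originally sent on the real device and looped back via dev_loopback_xmit(), which the handler was wrongly processing. Add a one-line comment saying so. Placement is right: the check sits after the NULL test on skb and before skb->dev and rmnet_get_port() are used, and RX_HANDLER_PASS lets the packet continue up the stack instead of dropping it.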
-- 
2.17.1





* [PATCH 4.14 045/143] locking/ww_mutex: Fix runtime warning in the WW mutex selftest
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 044/143] net: qualcomm: rmnet: Skip processing loopback packets Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 046/143] be2net: dont flip hw_features when VXLANs are added/deleted Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Chris Wilson,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Will Deacon,
	Ingo Molnar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e4a02ed2aaf447fa849e3254bfdb3b9b01e1e520 ]

If CONFIG_WW_MUTEX_SELFTEST=y is enabled, booting an image
in an arm64 virtual machine results in the following
traceback if 8 CPUs are enabled:

  DEBUG_LOCKS_WARN_ON(__owner_task(owner) != current)
  WARNING: CPU: 2 PID: 537 at kernel/locking/mutex.c:1033 __mutex_unlock_slowpath+0x1a8/0x2e0
  ...
  Call trace:
   __mutex_unlock_slowpath()
   ww_mutex_unlock()
   test_cycle_work()
   process_one_work()
   worker_thread()
   kthread()
   ret_from_fork()

If requesting b_mutex fails with -EDEADLK, the error variable
is reassigned to the return value from calling ww_mutex_lock
on a_mutex again. If this call fails, a_mutex is not locked.
It is, however, unconditionally unlocked subsequently, causing
the reported warning. Fix the problem by using two error variables.

With this change, the selftest still fails as follows:

  cyclic deadlock not resolved, ret[7/8] = -35

However, the traceback is gone.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Fixes: d1b42b800e5d0 ("locking/ww_mutex: Add kselftests for resolving ww_mutex cyclic deadlocks")
Link: http://lkml.kernel.org/r/1538516929-9734-1-git-send-email-linux@roeck-us.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/locking/test-ww_mutex.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/kernel/locking/test-ww_mutex.c b/kernel/locking/test-ww_mutex.c
index 0e4cd64ad2c0..654977862b06 100644
--- a/kernel/locking/test-ww_mutex.c
+++ b/kernel/locking/test-ww_mutex.c
@@ -260,7 +260,7 @@ static void test_cycle_work(struct work_struct *work)
 {
 	struct test_cycle *cycle = container_of(work, typeof(*cycle), work);
 	struct ww_acquire_ctx ctx;
-	int err;
+	int err, erra = 0;
 
 	ww_acquire_init(&ctx, &ww_class);
 	ww_mutex_lock(&cycle->a_mutex, &ctx);
@@ -270,17 +270,19 @@ static void test_cycle_work(struct work_struct *work)
 
 	err = ww_mutex_lock(cycle->b_mutex, &ctx);
 	if (err == -EDEADLK) {
+		err = 0;
 		ww_mutex_unlock(&cycle->a_mutex);
 		ww_mutex_lock_slow(cycle->b_mutex, &ctx);
-		err = ww_mutex_lock(&cycle->a_mutex, &ctx);
+		erra = ww_mutex_lock(&cycle->a_mutex, &ctx);
 	}
 
 	if (!err)
 		ww_mutex_unlock(cycle->b_mutex);
-	ww_mutex_unlock(&cycle->a_mutex);
+	if (!erra)
+		ww_mutex_unlock(&cycle->a_mutex);
 	ww_acquire_fini(&ctx);
 
-	cycle->result = err;
+	cycle->result = err ?: erra;
 }
 
 static int __test_cycle(unsigned int nthreads)
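Review bot: in the -EDEADLK branch, `err = 0` is set before the slow-path lock, so from that point `err` tracks whether b_mutex is held and `erra` whether a_mutex is held, yet nothing in the function says so. A one-line comment above the two unlock checks, or renaming the pair to something like err_b/err_a, would keep a later edit from reintroducing the unbalanced unlock this patch removes.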
-- 
2.17.1





* [PATCH 4.14 046/143] be2net: dont flip hw_features when VXLANs are added/deleted
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 045/143] locking/ww_mutex: Fix runtime warning in the WW mutex selftest Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 047/143] net: cxgb3_main: fix a missing-check bug Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Davide Caratti, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 2d52527e80c2dc0c5f43f50adf183781262ec565 ]

The be2net implementation of .ndo_tunnel_{add,del}() changes the value of
NETIF_F_GSO_UDP_TUNNEL bit in 'features' and 'hw_features', but it forgets
to call netdev_features_change(). Moreover, ethtool setting for that bit
can potentially be reverted after a tunnel is added or removed.

GSO already does software segmentation when 'hw_enc_features' is 0, even
if VXLAN offload is turned on. In addition, commit 096de2f83ebc ("benet:
stricter vxlan offloading check in be_features_check") avoids hardware
segmentation of non-VXLAN tunneled packets, or VXLAN packets having wrong
destination port. So, it's safe to avoid flipping the above feature on
addition/deletion of VXLAN tunnels.

Fixes: 630f4b70567f ("be2net: Export tunnel offloads only when a VxLAN tunnel is created")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/emulex/benet/be_main.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
index 7e2b70c2bba3..39f399741647 100644
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -3900,8 +3900,6 @@ static int be_enable_vxlan_offloads(struct be_adapter *adapter)
 	netdev->hw_enc_features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
 				   NETIF_F_TSO | NETIF_F_TSO6 |
 				   NETIF_F_GSO_UDP_TUNNEL;
-	netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL;
-	netdev->features |= NETIF_F_GSO_UDP_TUNNEL;
 
 	dev_info(dev, "Enabled VxLAN offloads for UDP port %d\n",
 		 be16_to_cpu(port));
@@ -3923,8 +3921,6 @@ static void be_disable_vxlan_offloads(struct be_adapter *adapter)
 	adapter->vxlan_port = 0;
 
 	netdev->hw_enc_features = 0;
-	netdev->hw_features &= ~(NETIF_F_GSO_UDP_TUNNEL);
-	netdev->features &= ~(NETIF_F_GSO_UDP_TUNNEL);
 }
 
 static void be_calculate_vf_res(struct be_adapter *adapter, u16 num_vfs,
@@ -5215,6 +5211,7 @@ static void be_netdev_init(struct net_device *netdev)
 	struct be_adapter *adapter = netdev_priv(netdev);
 
 	netdev->hw_features |= NETIF_F_SG | NETIF_F_TSO | NETIF_F_TSO6 |
+		NETIF_F_GSO_UDP_TUNNEL |
 		NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM |
 		NETIF_F_HW_VLAN_CTAG_TX;
 	if ((be_if_cap_flags(adapter) & BE_IF_FLAGS_RSS))
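Review bot: in be_netdev_init() the bit is added to `hw_features` only, while the lines removed from be_enable_vxlan_offloads() set it in both `hw_features` and `features`. The visible context does not show `features` picking up NETIF_F_GSO_UDP_TUNNEL at init, so the offload may now default to off until it is enabled through ethtool; please confirm that is intended and say so in the changelog.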
-- 
2.17.1





* [PATCH 4.14 047/143] net: cxgb3_main: fix a missing-check bug
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 046/143] be2net: dont flip hw_features when VXLANs are added/deleted Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 048/143] yam: " Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ]

In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
the user-space buffer 'useraddr' to 'cmd' and checked through the
switch statement. If the command is not as expected, an error code
EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
switch statement, the whole buffer of 'useraddr' is copied again to a
specific data structure, according to what kind of command is requested.
However, after the second copy, there is no re-check on the newly-copied
command. Given that the buffer 'useraddr' is in the user space, a malicious
user can race to change the command between the two copies. By doing so,
the attacker can supply malicious data to the kernel and cause undefined
behavior.

This patch adds a re-check in each case of the switch statement if there is
a second copy in that case, to re-check whether the command obtained in the
second copy is the same as the one in the first copy. If not, an error code
EINVAL is returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
index bf291e90cdb0..79053d2ce7a3 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
@@ -2159,6 +2159,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
 			return -EPERM;
 		if (copy_from_user(&t, useraddr, sizeof(t)))
 			return -EFAULT;
+		if (t.cmd != CHELSIO_SET_QSET_PARAMS)
+			return -EINVAL;
 		if (t.qset_idx >= SGE_QSETS)
 			return -EINVAL;
 		if (!in_range(t.intr_lat, 0, M_NEWTIMER) ||
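Review bot: the `t.cmd != CHELSIO_SET_QSET_PARAMS` test after copy_from_user() is repeated by hand in every case of cxgb_extension_ioctl() that copies the buffer a second time, each with its own constant and struct (t, edata, m), so a case added later can miss it silently. Consider comparing the second copy against the `cmd` value obtained from the first copy, or a small helper, so the rule is stated once. A short comment saying the re-check closes the window between the two copies would also explain why a value that was just switched on is tested again.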
@@ -2258,6 +2260,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
 		if (copy_from_user(&t, useraddr, sizeof(t)))
 			return -EFAULT;
 
+		if (t.cmd != CHELSIO_GET_QSET_PARAMS)
+			return -EINVAL;
+
 		/* Display qsets for all ports when offload enabled */
 		if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) {
 			q1 = 0;
@@ -2303,6 +2308,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
 			return -EBUSY;
 		if (copy_from_user(&edata, useraddr, sizeof(edata)))
 			return -EFAULT;
+		if (edata.cmd != CHELSIO_SET_QSET_NUM)
+			return -EINVAL;
 		if (edata.val < 1 ||
 			(edata.val > 1 && !(adapter->flags & USING_MSIX)))
 			return -EINVAL;
@@ -2343,6 +2350,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
 			return -EPERM;
 		if (copy_from_user(&t, useraddr, sizeof(t)))
 			return -EFAULT;
+		if (t.cmd != CHELSIO_LOAD_FW)
+			return -EINVAL;
 		/* Check t.len sanity ? */
 		fw_data = memdup_user(useraddr + sizeof(t), t.len);
 		if (IS_ERR(fw_data))
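Review bot: in the CHELSIO_LOAD_FW case the new check validates `t.cmd`, but `t.len` is still passed to memdup_user() unchecked, as the existing "Check t.len sanity ?" comment admits. Since this patch is about not trusting fields read from `useraddr`, bounding `t.len` here, or documenting why the memdup_user() failure path is sufficient, belongs in this change or a follow-up.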
@@ -2366,6 +2375,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
 			return -EBUSY;
 		if (copy_from_user(&m, useraddr, sizeof(m)))
 			return -EFAULT;
+		if (m.cmd != CHELSIO_SETMTUTAB)
+			return -EINVAL;
 		if (m.nmtus != NMTUS)
 			return -EINVAL;
 		if (m.mtus[0] < 81)	/* accommodate SACK */
@@ -2407,6 +2418,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
 			return -EBUSY;
 		if (copy_from_user(&m, useraddr, sizeof(m)))
 			return -EFAULT;
+		if (m.cmd != CHELSIO_SET_PM)
+			return -EINVAL;
 		if (!is_power_of_2(m.rx_pg_sz) ||
 			!is_power_of_2(m.tx_pg_sz))
 			return -EINVAL;	/* not power of 2 */
@@ -2440,6 +2453,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
 			return -EIO;	/* need the memory controllers */
 		if (copy_from_user(&t, useraddr, sizeof(t)))
 			return -EFAULT;
+		if (t.cmd != CHELSIO_GET_MEM)
+			return -EINVAL;
 		if ((t.addr & 7) || (t.len & 7))
 			return -EINVAL;
 		if (t.mem_id == MEM_CM)
@@ -2492,6 +2507,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
 			return -EAGAIN;
 		if (copy_from_user(&t, useraddr, sizeof(t)))
 			return -EFAULT;
+		if (t.cmd != CHELSIO_SET_TRACE_FILTER)
+			return -EINVAL;
 
 		tp = (const struct trace_params *)&t.sip;
 		if (t.config_tx)
-- 
2.17.1





* [PATCH 4.14 048/143] yam: fix a missing-check bug
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 047/143] net: cxgb3_main: fix a missing-check bug Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 049/143] ocfs2: fix crash in ocfs2_duplicate_clusters_by_page() Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0781168e23a2fc8dceb989f11fc5b39b3ccacc35 ]

In yam_ioctl(), the concrete ioctl command is firstly copied from the
user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
following switch statement. If the command is not as expected, an error
code EINVAL is returned. In the following execution the buffer
'ifr->ifr_data' is copied again in the cases of the switch statement to
specific data structures according to what kind of ioctl command is
requested. However, after the second copy, no re-check is enforced on the
newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
space, a malicious user can race to change the command between the two
copies. This way, the attacker can inject inconsistent data and cause
undefined behavior.

This patch adds a re-check in each case of the switch statement if there is
a second copy in that case, to re-check whether the command obtained in the
second copy is the same as the one in the first copy. If not, an error code
EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/hamradio/yam.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c
index 7a7c5224a336..16a6e1193912 100644
--- a/drivers/net/hamradio/yam.c
+++ b/drivers/net/hamradio/yam.c
@@ -980,6 +980,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 				 sizeof(struct yamdrv_ioctl_mcs));
 		if (IS_ERR(ym))
 			return PTR_ERR(ym);
+		if (ym->cmd != SIOCYAMSMCS)
+			return -EINVAL;
 		if (ym->bitrate > YAM_MAXBITRATE) {
 			kfree(ym);
 			return -EINVAL;
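Review bot: the new `return -EINVAL` taken when `ym->cmd != SIOCYAMSMCS` leaks `ym`. The context shows `ym` is an allocated pointer (it is tested with IS_ERR()), and the very next error path calls `kfree(ym)` before returning -EINVAL; the added branch needs the same kfree().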
@@ -995,6 +997,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 		if (copy_from_user(&yi, ifr->ifr_data, sizeof(struct yamdrv_ioctl_cfg)))
 			 return -EFAULT;
 
+		if (yi.cmd != SIOCYAMSCFG)
+			return -EINVAL;
 		if ((yi.cfg.mask & YAM_IOBASE) && netif_running(dev))
 			return -EINVAL;		/* Cannot change this parameter when up */
 		if ((yi.cfg.mask & YAM_IRQ) && netif_running(dev))
-- 
2.17.1
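
Added example, not part of the patches or the drivers: a user-space C model of the double fetch that the cxgb3_main and yam changelogs describe, showing the pre-patch dispatch, the re-check these patches add, and a single-fetch alternative. The struct layout, the command values and model_copy_from_user() are hypothetical stand-ins.

```c
/* Added example: user-space model of the double fetch; all names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CMD_SET_PARAMS = 1, CMD_LOAD_FW = 2 };

struct req {			/* every request starts with its command word */
	uint32_t cmd;
	uint32_t val;
};

/* Constructed stand-in for a user buffer that changes between two fetches. */
struct user_mem {
	struct req data;
	uint32_t cmd_after_first_fetch;	/* 0 = buffer is left alone */
	int fetches;
};

/* Models copy_from_user(): returns 0 on success. */
static int model_copy_from_user(void *dst, struct user_mem *u, size_t len)
{
	memcpy(dst, &u->data, len);
	if (++u->fetches == 1 && u->cmd_after_first_fetch)
		u->data.cmd = u->cmd_after_first_fetch;
	return 0;
}

struct outcome {
	int ret;
	uint32_t dispatched_cmd;	/* command the switch acted on */
	uint32_t consumed_cmd;		/* command inside the struct that was used */
};

/* Two fetches; recheck selects the pre-patch (0) or patched (1) behaviour. */
static struct outcome handle_two_fetches(struct user_mem *u, int recheck)
{
	struct outcome o = { -EOPNOTSUPP, 0, 0 };
	struct req t;
	uint32_t cmd;

	if (model_copy_from_user(&cmd, u, sizeof(cmd))) {
		o.ret = -EFAULT;
		return o;
	}
	o.dispatched_cmd = cmd;

	switch (cmd) {
	case CMD_SET_PARAMS:
		if (model_copy_from_user(&t, u, sizeof(t))) {
			o.ret = -EFAULT;
			break;
		}
		if (recheck && t.cmd != CMD_SET_PARAMS) {
			o.ret = -EINVAL;	/* the check the patches add */
			break;
		}
		o.consumed_cmd = t.cmd;
		o.ret = 0;
		break;
	}
	return o;
}

/* Alternative not taken by the patches: fetch once, dispatch on the copy. */
static struct outcome handle_single_fetch(struct user_mem *u)
{
	struct outcome o = { -EOPNOTSUPP, 0, 0 };
	struct req t;

	if (model_copy_from_user(&t, u, sizeof(t))) {
		o.ret = -EFAULT;
		return o;
	}
	o.dispatched_cmd = o.consumed_cmd = t.cmd;
	if (t.cmd == CMD_SET_PARAMS)
		o.ret = 0;
	return o;
}

/* Constructed input: cmd reads SET_PARAMS first, LOAD_FW afterwards. */
static struct user_mem changing_buffer(void)
{
	struct user_mem u = { { CMD_SET_PARAMS, 42 }, CMD_LOAD_FW, 0 };
	return u;
}

int main(void)
{
	struct user_mem u = changing_buffer();
	struct outcome o = handle_two_fetches(&u, 0);

	printf("unchecked: ret=%d dispatched=%u consumed=%u\n",
	       o.ret, (unsigned)o.dispatched_cmd, (unsigned)o.consumed_cmd);
	u = changing_buffer();
	o = handle_two_fetches(&u, 1);
	printf("rechecked: ret=%d\n", o.ret);
	u = changing_buffer();
	o = handle_single_fetch(&u);
	printf("single fetch: ret=%d consumed=%u\n", o.ret, (unsigned)o.consumed_cmd);
	return 0;
}
```

The single-fetch form only applies where the request size is known before the command is read; where each command has its own struct, as in these drivers, the re-check is the smaller change.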





* [PATCH 4.14 049/143] ocfs2: fix crash in ocfs2_duplicate_clusters_by_page()
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 048/143] yam: " Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 050/143] iwlwifi: mvm: check for short GI only for OFDM Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Larry Chen, Changwei Ge, Mark Fasheh,
	Joel Becker, Junxiao Bi, Joseph Qi, Andrew Morton, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 69eb7765b9c6902444c89c54e7043242faf981e5 ]

ocfs2_duplicate_clusters_by_page() may crash if one of the extent's pages
is dirty.  When a page has not been written back, it is still in dirty
state.  If ocfs2_duplicate_clusters_by_page() is called against the dirty
page, the crash happens.

To fix this bug, we can just unlock the page and wait until the page is
not dirty.

The following is the backtrace:

kernel BUG at /root/code/ocfs2/refcounttree.c:2961!
[exception RIP: ocfs2_duplicate_clusters_by_page+822]
__ocfs2_move_extent+0x80/0x450 [ocfs2]
? __ocfs2_claim_clusters+0x130/0x250 [ocfs2]
ocfs2_defrag_extent+0x5b8/0x5e0 [ocfs2]
__ocfs2_move_extents_range+0x2a4/0x470 [ocfs2]
ocfs2_move_extents+0x180/0x3b0 [ocfs2]
? ocfs2_wait_for_recovery+0x13/0x70 [ocfs2]
ocfs2_ioctl_move_extents+0x133/0x2d0 [ocfs2]
ocfs2_ioctl+0x253/0x640 [ocfs2]
do_vfs_ioctl+0x90/0x5f0
SyS_ioctl+0x74/0x80
do_syscall_64+0x74/0x140
entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Once we find the page is dirty, we do not wait until it's clean, rather we
use write_one_page() to write it back.

Link: http://lkml.kernel.org/r/20180829074740.9438-1-lchen@suse.com
[lchen@suse.com: update comments]
  Link: http://lkml.kernel.org/r/20180830075041.14879-1-lchen@suse.com
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Larry Chen <lchen@suse.com>
Acked-by: Changwei Ge <ge.changwei@h3c.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/refcounttree.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
index 1b1283f07941..824f407df1db 100644
--- a/fs/ocfs2/refcounttree.c
+++ b/fs/ocfs2/refcounttree.c
@@ -2946,6 +2946,7 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
 		if (map_end & (PAGE_SIZE - 1))
 			to = map_end & (PAGE_SIZE - 1);
 
+retry:
 		page = find_or_create_page(mapping, page_index, GFP_NOFS);
 		if (!page) {
 			ret = -ENOMEM;
@@ -2954,11 +2955,18 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
 		}
 
 		/*
-		 * In case PAGE_SIZE <= CLUSTER_SIZE, This page
-		 * can't be dirtied before we CoW it out.
+		 * In case PAGE_SIZE <= CLUSTER_SIZE, we do not expect a dirty
+		 * page, so write it back.
 		 */
-		if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize)
-			BUG_ON(PageDirty(page));
+		if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize) {
+			if (PageDirty(page)) {
+				/*
+				 * write_on_page will unlock the page on return
+				 */
+				ret = write_one_page(page);
+				goto retry;
+			}
+		}
 
 		if (!PageUptodate(page)) {
 			ret = block_read_full_page(page, ocfs2_get_block);
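Review bot: `ret = write_one_page(page)` is followed directly by `goto retry`, so a writeback error is never examined and the loop has no exit if the page keeps coming back dirty; check `ret` and bail out on failure. Two smaller points in the same block: no put_page() is visible before the jump, so if write_one_page() only unlocks the page, as the comment says, each retry leaves behind the reference taken by find_or_create_page(); and the comment says write_on_page where write_one_page is meant.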
-- 
2.17.1





* [PATCH 4.14 050/143] iwlwifi: mvm: check for short GI only for OFDM
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 049/143] ocfs2: fix crash in ocfs2_duplicate_clusters_by_page() Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 051/143] iwlwifi: dbg: allow wrt collection before ALIVE Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sara Sharon, Luca Coelho, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4c59ff5a9a9c54cc26c807dc2fa6933f7e9fa4ef ]

This bit will be used in CCK to indicate short preamble.

Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/rx.c   | 3 ++-
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
index 2d14a58cbdd7..c73e4be9bde3 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
@@ -439,7 +439,8 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct napi_struct *napi,
 		rx_status->bw = RATE_INFO_BW_160;
 		break;
 	}
-	if (rate_n_flags & RATE_MCS_SGI_MSK)
+	if (!(rate_n_flags & RATE_MCS_CCK_MSK) &&
+	    rate_n_flags & RATE_MCS_SGI_MSK)
 		rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI;
 	if (rate_n_flags & RATE_HT_MCS_GF_MSK)
 		rx_status->enc_flags |= RX_ENC_FLAG_HT_GF;
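Review bot: the new condition pairs a parenthesised `!(rate_n_flags & RATE_MCS_CCK_MSK)` with a bare `rate_n_flags & RATE_MCS_SGI_MSK` on the other side of `&&`. Precedence makes it correct, but parenthesise the second operand too so the two halves read the same way. The identical test is open-coded again in rxmq.c; a small inline helper would keep the two RX paths from drifting apart, and a comment noting that the bit means short preamble for CCK would explain the check to the next reader.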
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
index e2196dc35dc6..8ba8c70571fb 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -981,7 +981,9 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi,
 		rx_status->bw = RATE_INFO_BW_160;
 		break;
 	}
-	if (rate_n_flags & RATE_MCS_SGI_MSK)
+
+	if (!(rate_n_flags & RATE_MCS_CCK_MSK) &&
+	    rate_n_flags & RATE_MCS_SGI_MSK)
 		rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI;
 	if (rate_n_flags & RATE_HT_MCS_GF_MSK)
 		rx_status->enc_flags |= RX_ENC_FLAG_HT_GF;
-- 
2.17.1





* [PATCH 4.14 051/143] iwlwifi: dbg: allow wrt collection before ALIVE
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 050/143] iwlwifi: mvm: check for short GI only for OFDM Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 052/143] iwlwifi: fix the ALIVE notification layout Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liad Kaufman, Luca Coelho, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit dfd4b08cf44f27587e2053e006e43a1603328006 ]

Even if no ALIVE was received, the WRT data can still
be collected. Add this.

Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
index 2fa7ec466275..839010417241 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
@@ -950,7 +950,20 @@ int iwl_fw_dbg_collect_desc(struct iwl_fw_runtime *fwrt,
 	if (trigger)
 		delay = msecs_to_jiffies(le32_to_cpu(trigger->stop_delay));
 
-	if (WARN(fwrt->trans->state == IWL_TRANS_NO_FW,
+	/*
+	 * If the loading of the FW completed successfully, the next step is to
+	 * get the SMEM config data. Thus, if fwrt->smem_cfg.num_lmacs is non
+	 * zero, the FW was already loaded successully. If the state is "NO_FW"
+	 * in such a case - WARN and exit, since FW may be dead. Otherwise, we
+	 * can try to collect the data, since FW might just not be fully
+	 * loaded (no "ALIVE" yet), and the debug data is accessible.
+	 *
+	 * Corner case: got the FW alive but crashed before getting the SMEM
+	 *	config. In such a case, due to HW access problems, we might
+	 *	collect garbage.
+	 */
+	if (WARN((fwrt->trans->state == IWL_TRANS_NO_FW) &&
+		 fwrt->smem_cfg.num_lmacs,
 		 "Can't collect dbg data when FW isn't alive\n"))
 		return -EIO;
 
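Review bot: the WARN now fires only when `fwrt->smem_cfg.num_lmacs` is non-zero, which turns that field into a stand-in for "firmware finished loading". Nothing in this hunk shows it being cleared when the firmware is stopped or reloaded; if it keeps a stale value from an earlier load, the NO_FW case is rejected as before and the new path is never taken. Please point to where it is reset, or add the reset. The message "Can't collect dbg data when FW isn't alive" also no longer matches the condition it guards, and "successully" in the new comment is a typo.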
-- 
2.17.1





* [PATCH 4.14 052/143] iwlwifi: fix the ALIVE notification layout
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 051/143] iwlwifi: dbg: allow wrt collection before ALIVE Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:33 ` [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context() Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Emmanuel Grumbach, Luca Coelho, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5cd2d8fc6c6bca979ac5dd8ad0e41153f1f982f9 ]

The ucode_major and ucode_minor were swapped. This has
no practical consequences since those fields are not used.
Same goes for umac_major and umac_minor which were only
printed under certain debug flags.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/fw/api/alive.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h b/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h
index 3684a3e180e5..007bfe7656a4 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h
@@ -95,8 +95,8 @@ enum {
 #define IWL_ALIVE_FLG_RFKILL	BIT(0)
 
 struct iwl_lmac_alive {
-	__le32 ucode_minor;
 	__le32 ucode_major;
+	__le32 ucode_minor;
 	u8 ver_subtype;
 	u8 ver_type;
 	u8 mac;
@@ -113,8 +113,8 @@ struct iwl_lmac_alive {
 } __packed; /* UCODE_ALIVE_NTFY_API_S_VER_3 */
 
 struct iwl_umac_alive {
-	__le32 umac_minor;		/* UMAC version: minor */
 	__le32 umac_major;		/* UMAC version: major */
+	__le32 umac_minor;		/* UMAC version: minor */
 	__le32 error_info_addr;		/* SRAM address for UMAC error log */
 	__le32 dbg_print_buff_addr;
 } __packed; /* UMAC_ALIVE_DATA_API_S_VER_2 */
-- 
2.17.1





* [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context()
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 052/143] iwlwifi: fix the ALIVE notification layout Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 20:19   ` Sudip Mukherjee
  2018-11-02 18:33 ` [PATCH 4.14 054/143] tools/testing/nvdimm: unit test clear-error commands Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  144 siblings, 1 reply; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jarkko Nikula, Andy Lutomirski,
	Thomas Gleixner, Peter Zijlstra, Borislav Petkov, Linus Torvalds,
	Ingo Molnar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5b06bbcfc2c621da3009da8decb7511500c293ed ]

__restore_processor_context() had a couple of ordering bugs.  It
restored GSBASE after calling load_gs_index(), and the latter can
call into tracing code.  It also tried to restore segment registers
before restoring the LDT, which is straight-up wrong.

Reorder the code so that we restore GSBASE, then the descriptor
tables, then the segments.

This fixes two bugs.  First, it fixes a regression that broke resume
under certain configurations due to irqflag tracing in
native_load_gs_index().  Second, it fixes resume when the userspace
process that initiated suspend had funny segments.  The latter can be
reproduced by compiling this:

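// SPDX-License-Identifier: GPL-2.0
/*
 * ldt_echo.c - Echo argv[1] while using an LDT segment
 */

#define _GNU_SOURCE		/* for asprintf() */
#include <err.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/ldt.h>		/* struct user_desc */

int main(int argc, char **argv)
{
	int ret;
	int len;	/* asprintf() returns int, so the < 0 check below works */
	char *buf;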

	const struct user_desc desc = {
                .entry_number    = 0,
                .base_addr       = 0,
                .limit           = 0xfffff,
                .seg_32bit       = 1,
                .contents        = 0, /* Data, grow-up */
                .read_exec_only  = 0,
                .limit_in_pages  = 1,
                .seg_not_present = 0,
                .useable         = 0
        };

	if (argc != 2)
		errx(1, "Usage: %s STRING", argv[0]);

	len = asprintf(&buf, "%s\n", argv[1]);
	if (len < 0)
		errx(1, "Out of memory");

	ret = syscall(SYS_modify_ldt, 1, &desc, sizeof(desc));
	if (ret < -1)
		errno = -ret;
	if (ret)
		err(1, "modify_ldt");

	asm volatile ("movw %0, %%es" :: "rm" ((unsigned short)7));
	write(1, buf, len);
	return 0;
}

and running ldt_echo >/sys/power/mem

Without the fix, the latter causes a triple fault on resume.

Fixes: ca37e57bbe0c ("x86/entry/64: Add missing irqflags tracing to native_load_gs_index()")
Reported-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lkml.kernel.org/r/6b31721ea92f51ea839e79bd97ade4a75b1eeea2.1512057304.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/power/cpu.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
index 04d5157fe7f8..a51d2dfb57d1 100644
--- a/arch/x86/power/cpu.c
+++ b/arch/x86/power/cpu.c
@@ -228,8 +228,20 @@ static void notrace __restore_processor_state(struct saved_context *ctxt)
 	load_idt((const struct desc_ptr *)&ctxt->idt_limit);
 #endif
 
+#ifdef CONFIG_X86_64
 	/*
-	 * segment registers
+	 * We need GSBASE restored before percpu access can work.
+	 * percpu access can happen in exception handlers or in complicated
+	 * helpers like load_gs_index().
+	 */
+	wrmsrl(MSR_GS_BASE, ctxt->gs_base);
+#endif
+
+	fix_processor_context();
+
+	/*
+	 * Restore segment registers.  This happens after restoring the GDT
+	 * and LDT, which happen in fix_processor_context().
 	 */
 #ifdef CONFIG_X86_32
 	loadsegment(es, ctxt->es);
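Review bot: `fix_processor_context()` now sits above the segment loads and outside any `#ifdef`, so the reordering also applies to the CONFIG_X86_32 `loadsegment()` sequence that follows, while the changelog and the new GSBASE comment discuss only the 64-bit case. Please state in the changelog whether 32-bit resume was tested with the new order. Minor: the subject names __restore_processor_context(), but the function patched is __restore_processor_state().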
@@ -250,13 +262,14 @@ static void notrace __restore_processor_state(struct saved_context *ctxt)
 	load_gs_index(ctxt->gs);
 	asm volatile ("movw %0, %%ss" :: "r" (ctxt->ss));
 
+	/*
+	 * Restore FSBASE and user GSBASE after reloading the respective
+	 * segment selectors.
+	 */
 	wrmsrl(MSR_FS_BASE, ctxt->fs_base);
-	wrmsrl(MSR_GS_BASE, ctxt->gs_base);
 	wrmsrl(MSR_KERNEL_GS_BASE, ctxt->gs_kernel_base);
 #endif
 
-	fix_processor_context();
-
 	do_fpu_end();
 	tsc_verify_tsc_adjust(true);
 	x86_platform.restore_sched_clock_state();
-- 
2.17.1





* [PATCH 4.14 054/143] tools/testing/nvdimm: unit test clear-error commands
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context() Greg Kroah-Hartman
@ 2018-11-02 18:33 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 055/143] usbip: vhci_hcd: update status file header and format Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vishal Verma, Dan Williams, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit fb2a1748355161e050e9f49f1ea9a0ae707a148b ]

Validate command parsing in acpi_nfit_ctl for the clear error command.
This tests for a crash condition introduced by commit 4b27db7e26cd
"acpi, nfit: add support for the _LSI, _LSR, and _LSW label methods".

Cc: Vishal Verma <vishal.l.verma@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/nvdimm/test/nfit.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
index bef419d4266d..3ad0b3a3317b 100644
--- a/tools/testing/nvdimm/test/nfit.c
+++ b/tools/testing/nvdimm/test/nfit.c
@@ -1589,6 +1589,7 @@ static int nfit_ctl_test(struct device *dev)
 	unsigned long mask, cmd_size, offset;
 	union {
 		struct nd_cmd_get_config_size cfg_size;
+		struct nd_cmd_clear_error clear_err;
 		struct nd_cmd_ars_status ars_stat;
 		struct nd_cmd_ars_cap ars_cap;
 		char buf[sizeof(struct nd_cmd_ars_status)
@@ -1767,6 +1768,23 @@ static int nfit_ctl_test(struct device *dev)
 		return -EIO;
 	}
 
+	/* test clear error */
+	cmd_size = sizeof(cmds.clear_err);
+	cmds.clear_err = (struct nd_cmd_clear_error) {
+		.length = 512,
+		.cleared = 512,
+	};
+	rc = setup_result(cmds.buf, cmd_size);
+	if (rc)
+		return rc;
+	rc = acpi_nfit_ctl(&acpi_desc->nd_desc, NULL, ND_CMD_CLEAR_ERROR,
+			cmds.buf, cmd_size, &cmd_rc);
+	if (rc < 0 || cmd_rc) {
+		dev_dbg(dev, "%s: failed at: %d rc: %d cmd_rc: %d\n",
+				__func__, __LINE__, rc, cmd_rc);
+		return -EIO;
+	}
+
 	return 0;
 }
 
-- 
2.17.1





* [PATCH 4.14 055/143] usbip: vhci_hcd: update status file header and format
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2018-11-02 18:33 ` [PATCH 4.14 054/143] tools/testing/nvdimm: unit test clear-error commands Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 056/143] scsi: aacraid: address UBSAN warning regression Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shuah Khan, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5468099c747240ed97dbb34340fece8ca87be34f ]

Commit 2f2d0088eb93
("usbip: prevent vhci_hcd driver from leaking a socket pointer address")
in the /sys/devices/platform/vhci_hcd/status.

Fix the header and field alignment to reflect the changes and make it
easier to read.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/usbip/vhci_sysfs.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
index 4a22a9f06d96..eb7898353457 100644
--- a/drivers/usb/usbip/vhci_sysfs.c
+++ b/drivers/usb/usbip/vhci_sysfs.c
@@ -34,10 +34,10 @@
 
 /*
  * output example:
- * hub port sta spd dev       sockfd    local_busid
- * hs  0000 004 000 00000000  3         1-2.3
+ * hub port sta spd dev       sockfd local_busid
+ * hs  0000 004 000 00000000  000003 1-2.3
  * ................................................
- * ss  0008 004 000 00000000  4         2-3.4
+ * ss  0008 004 000 00000000  000004 2-3.4
  * ................................................
  *
  * Output includes socket fd instead of socket pointer address to avoid
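Review bot: the updated example rows in this comment still show two spaces between the dev and sockfd columns (`00000000  000003`), while the format strings in port_show_vhci() emit one ("%08x " followed by "%06u"). The example header likewise has one more space after dev than the header string in status_show(). Align the example with what the code prints so the comment can be used as a parsing reference.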
@@ -61,13 +61,13 @@ static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vd
 	if (vdev->ud.status == VDEV_ST_USED) {
 		*out += sprintf(*out, "%03u %08x ",
 				      vdev->speed, vdev->devid);
-		*out += sprintf(*out, "%u %s",
+		*out += sprintf(*out, "%06u %s",
 				      vdev->ud.sockfd,
 				      dev_name(&vdev->udev->dev));
 
 	} else {
 		*out += sprintf(*out, "000 00000000 ");
-		*out += sprintf(*out, "0000000000000000 0-0");
+		*out += sprintf(*out, "000000 0-0");
 	}
 
 	*out += sprintf(*out, "\n");
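Review bot: `%06u` for vdev->ud.sockfd sets a minimum width, not a fixed one, so a descriptor above 999999 still widens the column. The leading zeros also change how a reader may interpret the field: a parser using a base-detecting conversion (`%i`, or strtoul() with base 0) reads `000010` as octal. The comment block above should state that the field is zero-padded decimal, and any consumer of this file should be checked for decimal parsing before the format change ships in a stable release.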
@@ -165,7 +165,7 @@ static ssize_t status_show(struct device *dev,
 	int pdev_nr;
 
 	out += sprintf(out,
-		       "hub port sta spd dev      socket           local_busid\n");
+		       "hub port sta spd dev      sockfd local_busid\n");
 
 	pdev_nr = status_name_to_id(attr->attr.name);
 	if (pdev_nr < 0)
-- 
2.17.1





* [PATCH 4.14 056/143] scsi: aacraid: address UBSAN warning regression
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 055/143] usbip: vhci_hcd: update status file header and format Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 057/143] IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Meelis Roos, Arnd Bergmann,
	Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d18539754d97876503275efc7d00a1901bb0cfad ]

As reported by Meelis Roos, my previous patch causes an incorrect
calculation of the timeout, through an undefined signed integer
overflow:

[   12.228155] UBSAN: Undefined behaviour in drivers/scsi/aacraid/commsup.c:2514:49
[   12.228229] signed integer overflow:
[   12.228283] 964297611 * 250 cannot be represented in type 'long int'

The problem is that doing a multiplication with HZ first and then
dividing by USEC_PER_SEC worked correctly for 32-bit microseconds,
but not for 32-bit nanoseconds, which would require up to 41 bits.

This reworks the calculation to first convert the nanoseconds into
jiffies, which should give us the same result as before and not overflow.

Unfortunately I did not understand the exact intention of the algorithm,
in particular the part where we add half a second, so it's possible that
there is still a preexisting problem in this function. I added a comment
that this would be handled more nicely using usleep_range(), which
generally works better for waking up at a particular time than the
current schedule_timeout() based implementation. I did not feel
comfortable trying to implement that without being sure what the
intent is here though.

Fixes: 820f18865912 ("scsi: aacraid: use timespec64 instead of timeval")
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/aacraid/commsup.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
index 998788a967be..3e38bae6ecde 100644
--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -2506,8 +2506,8 @@ int aac_command_thread(void *data)
 			/* Synchronize our watches */
 			if (((NSEC_PER_SEC - (NSEC_PER_SEC / HZ)) > now.tv_nsec)
 			 && (now.tv_nsec > (NSEC_PER_SEC / HZ)))
-				difference = (((NSEC_PER_SEC - now.tv_nsec) * HZ)
-				  + NSEC_PER_SEC / 2) / NSEC_PER_SEC;
+				difference = HZ + HZ / 2 -
+					     now.tv_nsec / (NSEC_PER_SEC / HZ);
 			else {
 				if (now.tv_nsec > NSEC_PER_SEC / 2)
 					++now.tv_sec;
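Review bot: the replacement expression in the first branch is not equivalent to the one it removes, although the changelog expects the same result as before. The old code adds NSEC_PER_SEC / 2 before dividing by NSEC_PER_SEC, which is a round-to-nearest term worth half a jiffy; the new code adds HZ / 2, which is half a second of jiffies. For the value in the UBSAN report (NSEC_PER_SEC - now.tv_nsec = 964297611, HZ = 250) the old expression would yield 241 if it did not overflow, and the new one yields 367. Either drop the HZ / 2 term to keep the old timeout, or state in a comment that the sleep is now deliberately about half a second longer. Note also that NSEC_PER_SEC / HZ truncates when HZ does not divide NSEC_PER_SEC evenly.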
@@ -2531,6 +2531,10 @@ int aac_command_thread(void *data)
 		if (kthread_should_stop())
 			break;
 
+		/*
+		 * we probably want usleep_range() here instead of the
+		 * jiffies computation
+		 */
 		schedule_timeout(difference);
 
 		if (kthread_should_stop())
-- 
2.17.1
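The arithmetic described in the commit message above, worked through as an added example (not code from the patch or the aacraid driver). The function names are hypothetical, `hz` stands in for the kernel's HZ, a 32-bit `long` is modelled by comparing against INT32_MAX, and the sample tv_nsec is constructed from the value in the UBSAN report.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000LL
#define USEC_PER_SEC 1000000LL

/* Bits needed to hold a non-negative value in a signed type (sign bit included). */
static int signed_bits(int64_t v)
{
	int bits = 1;

	while (v > 0) {
		bits++;
		v >>= 1;
	}
	return bits;
}

/* Does the intermediate product of the removed expression fit a 32-bit signed long? */
static int old_product_fits_long32(int64_t nsec, int64_t hz)
{
	return (NSEC_PER_SEC - nsec) * hz <= INT32_MAX;
}

/* The removed expression, evaluated in 64 bits so that it cannot overflow. */
static int64_t old_exact(int64_t nsec, int64_t hz)
{
	return ((NSEC_PER_SEC - nsec) * hz + NSEC_PER_SEC / 2) / NSEC_PER_SEC;
}

/* The added expression: convert nanoseconds to jiffies first, then subtract. */
static int64_t new_expr(int64_t nsec, int64_t hz)
{
	return hz + hz / 2 - nsec / (NSEC_PER_SEC / hz);
}

int main(void)
{
	/* Constructed input: NSEC_PER_SEC - tv_nsec equals the reported 964297611. */
	const int64_t nsec = NSEC_PER_SEC - 964297611LL;
	const int64_t hz_values[] = { 100, 250, 1000 };
	size_t i;

	printf("worst case, microseconds * 1000: %d bits\n",
	       signed_bits((USEC_PER_SEC - 1) * 1000));
	printf("worst case, nanoseconds  * 1000: %d bits\n",
	       signed_bits((NSEC_PER_SEC - 1) * 1000));

	for (i = 0; i < sizeof(hz_values) / sizeof(hz_values[0]); i++) {
		int64_t hz = hz_values[i];

		printf("HZ=%4lld fits32=%d old=%lld new=%lld\n",
		       (long long)hz,
		       old_product_fits_long32(nsec, hz),
		       (long long)old_exact(nsec, hz),
		       (long long)new_expr(nsec, hz));
	}
	return 0;
}
```

The two expressions differ by roughly HZ / 2 for every input, which is the gap between a rounding term and a half-second offset.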





* [PATCH 4.14 057/143] IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 056/143] scsi: aacraid: address UBSAN warning regression Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 058/143] IB/rxe: put the pool on allocation failure Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alex Vesker, Leon Romanovsky,
	Jason Gunthorpe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1f80bd6a6cc8358b81194e1f5fc16449947396ec ]

The locking order of vlan_rwsem (LOCK A) and then rtnl (LOCK B),
contradicts other flows such as ipoib_open possibly causing a deadlock.
To prevent this deadlock heavy flush is called with RTNL locked and
only then tries to acquire vlan_rwsem.
This deadlock is possible only when there are child interfaces.

[  140.941758] ======================================================
[  140.946276] WARNING: possible circular locking dependency detected
[  140.950950] 4.15.0-rc1+ #9 Tainted: G           O
[  140.954797] ------------------------------------------------------
[  140.959424] kworker/u32:1/146 is trying to acquire lock:
[  140.963450]  (rtnl_mutex){+.+.}, at: [<ffffffffc083516a>] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib]
[  140.970006]
but task is already holding lock:
[  140.975141]  (&priv->vlan_rwsem){++++}, at: [<ffffffffc0834ee1>] __ipoib_ib_dev_flush+0x51/0x4e0 [ib_ipoib]
[  140.982105]
which lock already depends on the new lock.
[  140.990023]
the existing dependency chain (in reverse order) is:
[  140.998650]
-> #1 (&priv->vlan_rwsem){++++}:
[  141.005276]        down_read+0x4d/0xb0
[  141.009560]        ipoib_open+0xad/0x120 [ib_ipoib]
[  141.014400]        __dev_open+0xcb/0x140
[  141.017919]        __dev_change_flags+0x1a4/0x1e0
[  141.022133]        dev_change_flags+0x23/0x60
[  141.025695]        devinet_ioctl+0x704/0x7d0
[  141.029156]        sock_do_ioctl+0x20/0x50
[  141.032526]        sock_ioctl+0x221/0x300
[  141.036079]        do_vfs_ioctl+0xa6/0x6d0
[  141.039656]        SyS_ioctl+0x74/0x80
[  141.042811]        entry_SYSCALL_64_fastpath+0x1f/0x96
[  141.046891]
-> #0 (rtnl_mutex){+.+.}:
[  141.051701]        lock_acquire+0xd4/0x220
[  141.055212]        __mutex_lock+0x88/0x970
[  141.058631]        __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib]
[  141.063160]        __ipoib_ib_dev_flush+0x71/0x4e0 [ib_ipoib]
[  141.067648]        process_one_work+0x1f5/0x610
[  141.071429]        worker_thread+0x4a/0x3f0
[  141.074890]        kthread+0x141/0x180
[  141.078085]        ret_from_fork+0x24/0x30
[  141.081559]

other info that might help us debug this:
[  141.088967]  Possible unsafe locking scenario:
[  141.094280]        CPU0                    CPU1
[  141.097953]        ----                    ----
[  141.101640]   lock(&priv->vlan_rwsem);
[  141.104771]                                lock(rtnl_mutex);
[  141.109207]                                lock(&priv->vlan_rwsem);
[  141.114032]   lock(rtnl_mutex);
[  141.116800]
 *** DEADLOCK ***

Fixes: b4b678b06f6e ("IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop")
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
index c97384c914a4..d77e8e2ae05f 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -1203,13 +1203,10 @@ static void __ipoib_ib_dev_flush(struct ipoib_dev_priv *priv,
 		ipoib_ib_dev_down(dev);
 
 	if (level == IPOIB_FLUSH_HEAVY) {
-		rtnl_lock();
 		if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags))
 			ipoib_ib_dev_stop(dev);
 
-		result = ipoib_ib_dev_open(dev);
-		rtnl_unlock();
-		if (result)
+		if (ipoib_ib_dev_open(dev))
 			return;
 
 		if (netif_queue_stopped(dev))
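Review bot: after this hunk the IPOIB_FLUSH_HEAVY branch of __ipoib_ib_dev_flush() calls ipoib_ib_dev_stop() and ipoib_ib_dev_open() on the assumption that the caller already holds RTNL, but nothing in the function states or checks that. An ASSERT_RTNL() at the top of the `if (level == IPOIB_FLUSH_HEAVY)` block would catch any caller that reaches it without the lock. With `result = ipoib_ib_dev_open(dev);` gone, also check whether `result` still has another user in this function.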
@@ -1249,7 +1246,9 @@ void ipoib_ib_dev_flush_heavy(struct work_struct *work)
 	struct ipoib_dev_priv *priv =
 		container_of(work, struct ipoib_dev_priv, flush_heavy);
 
+	rtnl_lock();
 	__ipoib_ib_dev_flush(priv, IPOIB_FLUSH_HEAVY, 0);
+	rtnl_unlock();
 }
 
 void ipoib_ib_dev_cleanup(struct net_device *dev)
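Review bot: the rtnl_lock()/rtnl_unlock() pair added around __ipoib_ib_dev_flush() in ipoib_ib_dev_flush_heavy() encodes the ordering rule this fix depends on (RTNL first, vlan_rwsem second), and that rule is written down only in the changelog. A one-line comment above rtnl_lock() stating the order would keep it visible to whoever next touches the flush paths.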
-- 
2.17.1





* [PATCH 4.14 058/143] IB/rxe: put the pool on allocation failure
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 057/143] IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 059/143] s390/qeth: fix error handling in adapter command callbacks Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leon Romanovsky, Doug Ledford, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6b9f8970cd30929cb6b372fa44fa66da9e59c650 ]

If the allocation of elem fails, it is not sufficient to simply check
for NULL and return.  We need to also put our reference on the pool or
else we will leave the pool with a permanent ref count and we will never
be able to free it.

Fixes: 4831ca9e4a8e ("IB/rxe: check for allocation failure on elem")
Suggested-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/sw/rxe/rxe_pool.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_pool.c b/drivers/infiniband/sw/rxe/rxe_pool.c
index 3b4916680018..b4a8acc7bb7d 100644
--- a/drivers/infiniband/sw/rxe/rxe_pool.c
+++ b/drivers/infiniband/sw/rxe/rxe_pool.c
@@ -394,23 +394,25 @@ void *rxe_alloc(struct rxe_pool *pool)
 
 	kref_get(&pool->rxe->ref_cnt);
 
-	if (atomic_inc_return(&pool->num_elem) > pool->max_elem) {
-		atomic_dec(&pool->num_elem);
-		rxe_dev_put(pool->rxe);
-		rxe_pool_put(pool);
-		return NULL;
-	}
+	if (atomic_inc_return(&pool->num_elem) > pool->max_elem)
+		goto out_put_pool;
 
 	elem = kmem_cache_zalloc(pool_cache(pool),
 				 (pool->flags & RXE_POOL_ATOMIC) ?
 				 GFP_ATOMIC : GFP_KERNEL);
 	if (!elem)
-		return NULL;
+		goto out_put_pool;
 
 	elem->pool = pool;
 	kref_init(&elem->ref_cnt);
 
 	return elem;
+
+out_put_pool:
+	atomic_dec(&pool->num_elem);
+	rxe_dev_put(pool->rxe);
+	rxe_pool_put(pool);
+	return NULL;
 }
 
 void rxe_elem_release(struct kref *kref)
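Review bot: the out_put_pool label performs three unwinds (atomic_dec() on num_elem, rxe_dev_put(), rxe_pool_put()), so both its name and the changelog understate what the kmem_cache_zalloc() failure path was leaking: before this change a failed allocation also left num_elem incremented and the device reference held, not only the pool reference. Say so in the commit message, and consider a label name that reflects the full unwind, since a permanently inflated num_elem eventually makes every rxe_alloc() on that pool fail against max_elem.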
-- 
2.17.1





* [PATCH 4.14 059/143] s390/qeth: fix error handling in adapter command callbacks
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 058/143] IB/rxe: put the pool on allocation failure Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 060/143] net/mlx5: Fix mlx5_get_vector_affinity function Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julian Wiedmann, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 686c97ee29c886ee07d17987d0059874c5c3b5af ]

Make sure to check both return code fields before(!) processing the
command response. Otherwise we risk operating on invalid data.

This matches an earlier fix for SETASSPARMS commands, see
commit ad3cbf613329 ("s390/qeth: fix error handling in checksum cmd callback").

Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/net/qeth_core_main.c | 85 ++++++++++++++-----------------
 1 file changed, 37 insertions(+), 48 deletions(-)

diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
index 4f2747cd15a6..169dd7127f9e 100644
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -3001,28 +3001,23 @@ static int qeth_send_startlan(struct qeth_card *card)
 	return rc;
 }
 
-static int qeth_default_setadapterparms_cb(struct qeth_card *card,
-		struct qeth_reply *reply, unsigned long data)
+static int qeth_setadpparms_inspect_rc(struct qeth_ipa_cmd *cmd)
 {
-	struct qeth_ipa_cmd *cmd;
-
-	QETH_CARD_TEXT(card, 4, "defadpcb");
-
-	cmd = (struct qeth_ipa_cmd *) data;
-	if (cmd->hdr.return_code == 0)
+	if (!cmd->hdr.return_code)
 		cmd->hdr.return_code =
 			cmd->data.setadapterparms.hdr.return_code;
-	return 0;
+	return cmd->hdr.return_code;
 }
 
 static int qeth_query_setadapterparms_cb(struct qeth_card *card,
 		struct qeth_reply *reply, unsigned long data)
 {
-	struct qeth_ipa_cmd *cmd;
+	struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
 
 	QETH_CARD_TEXT(card, 3, "quyadpcb");
+	if (qeth_setadpparms_inspect_rc(cmd))
+		return 0;
 
-	cmd = (struct qeth_ipa_cmd *) data;
 	if (cmd->data.setadapterparms.data.query_cmds_supp.lan_type & 0x7f) {
 		card->info.link_type =
 		      cmd->data.setadapterparms.data.query_cmds_supp.lan_type;
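Review bot: qeth_setadpparms_inspect_rc() does more than inspect. When hdr.return_code is zero it overwrites it with setadapterparms.hdr.return_code, and callers rely on that side effect (the promisc callback logs cmd->hdr.return_code right after the call). Add a short comment above the helper saying that it folds the inner return code into the header field, and that the callbacks still return 0 on failure so the error is carried only in cmd->hdr.return_code.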
@@ -3030,7 +3025,7 @@ static int qeth_query_setadapterparms_cb(struct qeth_card *card,
 	}
 	card->options.adp.supported_funcs =
 		cmd->data.setadapterparms.data.query_cmds_supp.supported_cmds;
-	return qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd);
+	return 0;
 }
 
 static struct qeth_cmd_buffer *qeth_get_adapter_cmd(struct qeth_card *card,
@@ -3122,22 +3117,20 @@ EXPORT_SYMBOL_GPL(qeth_query_ipassists);
 static int qeth_query_switch_attributes_cb(struct qeth_card *card,
 				struct qeth_reply *reply, unsigned long data)
 {
-	struct qeth_ipa_cmd *cmd;
-	struct qeth_switch_info *sw_info;
+	struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
 	struct qeth_query_switch_attributes *attrs;
+	struct qeth_switch_info *sw_info;
 
 	QETH_CARD_TEXT(card, 2, "qswiatcb");
-	cmd = (struct qeth_ipa_cmd *) data;
-	sw_info = (struct qeth_switch_info *)reply->param;
-	if (cmd->data.setadapterparms.hdr.return_code == 0) {
-		attrs = &cmd->data.setadapterparms.data.query_switch_attributes;
-		sw_info->capabilities = attrs->capabilities;
-		sw_info->settings = attrs->settings;
-		QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities,
-							sw_info->settings);
-	}
-	qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
+	if (qeth_setadpparms_inspect_rc(cmd))
+		return 0;
 
+	sw_info = (struct qeth_switch_info *)reply->param;
+	attrs = &cmd->data.setadapterparms.data.query_switch_attributes;
+	sw_info->capabilities = attrs->capabilities;
+	sw_info->settings = attrs->settings;
+	QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities,
+			sw_info->settings);
 	return 0;
 }
 
@@ -4188,16 +4181,13 @@ EXPORT_SYMBOL_GPL(qeth_do_send_packet);
 static int qeth_setadp_promisc_mode_cb(struct qeth_card *card,
 		struct qeth_reply *reply, unsigned long data)
 {
-	struct qeth_ipa_cmd *cmd;
+	struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
 	struct qeth_ipacmd_setadpparms *setparms;
 
 	QETH_CARD_TEXT(card, 4, "prmadpcb");
 
-	cmd = (struct qeth_ipa_cmd *) data;
 	setparms = &(cmd->data.setadapterparms);
-
-	qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd);
-	if (cmd->hdr.return_code) {
+	if (qeth_setadpparms_inspect_rc(cmd)) {
 		QETH_CARD_TEXT_(card, 4, "prmrc%x", cmd->hdr.return_code);
 		setparms->data.mode = SET_PROMISC_MODE_OFF;
 	}
@@ -4267,11 +4257,12 @@ EXPORT_SYMBOL_GPL(qeth_get_stats);
 static int qeth_setadpparms_change_macaddr_cb(struct qeth_card *card,
 		struct qeth_reply *reply, unsigned long data)
 {
-	struct qeth_ipa_cmd *cmd;
+	struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
 
 	QETH_CARD_TEXT(card, 4, "chgmaccb");
+	if (qeth_setadpparms_inspect_rc(cmd))
+		return 0;
 
-	cmd = (struct qeth_ipa_cmd *) data;
 	if (!card->options.layer2 ||
 	    !(card->info.mac_bits & QETH_LAYER2_MAC_READ)) {
 		memcpy(card->dev->dev_addr,
@@ -4279,7 +4270,6 @@ static int qeth_setadpparms_change_macaddr_cb(struct qeth_card *card,
 		       OSA_ADDR_LEN);
 		card->info.mac_bits |= QETH_LAYER2_MAC_READ;
 	}
-	qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
 	return 0;
 }
 
@@ -4310,13 +4300,15 @@ EXPORT_SYMBOL_GPL(qeth_setadpparms_change_macaddr);
 static int qeth_setadpparms_set_access_ctrl_cb(struct qeth_card *card,
 		struct qeth_reply *reply, unsigned long data)
 {
-	struct qeth_ipa_cmd *cmd;
+	struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
 	struct qeth_set_access_ctrl *access_ctrl_req;
 	int fallback = *(int *)reply->param;
 
 	QETH_CARD_TEXT(card, 4, "setaccb");
+	if (cmd->hdr.return_code)
+		return 0;
+	qeth_setadpparms_inspect_rc(cmd);
 
-	cmd = (struct qeth_ipa_cmd *) data;
 	access_ctrl_req = &cmd->data.setadapterparms.data.set_access_ctrl;
 	QETH_DBF_TEXT_(SETUP, 2, "setaccb");
 	QETH_DBF_TEXT_(SETUP, 2, "%s", card->gdev->dev.kobj.name);
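Review bot: qeth_setadpparms_set_access_ctrl_cb() is the only callback here that bails out on cmd->hdr.return_code alone and then calls qeth_setadpparms_inspect_rc(cmd) with the result ignored, which reads like an oversight next to the other callbacks in this patch. If it is deliberate (for example because the code further down handles the adapter-level return codes itself), say so in a comment at the call; otherwise use the same `if (qeth_setadpparms_inspect_rc(cmd)) return 0;` form as elsewhere.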
@@ -4389,7 +4381,6 @@ static int qeth_setadpparms_set_access_ctrl_cb(struct qeth_card *card,
 			card->options.isolation = card->options.prev_isolation;
 		break;
 	}
-	qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
 	return 0;
 }
 
@@ -4677,14 +4668,15 @@ out:
 static int qeth_setadpparms_query_oat_cb(struct qeth_card *card,
 		struct qeth_reply *reply, unsigned long data)
 {
-	struct qeth_ipa_cmd *cmd;
+	struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data;
 	struct qeth_qoat_priv *priv;
 	char *resdata;
 	int resdatalen;
 
 	QETH_CARD_TEXT(card, 3, "qoatcb");
+	if (qeth_setadpparms_inspect_rc(cmd))
+		return 0;
 
-	cmd = (struct qeth_ipa_cmd *)data;
 	priv = (struct qeth_qoat_priv *)reply->param;
 	resdatalen = cmd->data.setadapterparms.hdr.cmdlength;
 	resdata = (char *)data + 28;
@@ -4778,21 +4770,18 @@ out:
 static int qeth_query_card_info_cb(struct qeth_card *card,
 				   struct qeth_reply *reply, unsigned long data)
 {
-	struct qeth_ipa_cmd *cmd;
+	struct carrier_info *carrier_info = (struct carrier_info *)reply->param;
+	struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data;
 	struct qeth_query_card_info *card_info;
-	struct carrier_info *carrier_info;
 
 	QETH_CARD_TEXT(card, 2, "qcrdincb");
-	carrier_info = (struct carrier_info *)reply->param;
-	cmd = (struct qeth_ipa_cmd *)data;
-	card_info = &cmd->data.setadapterparms.data.card_info;
-	if (cmd->data.setadapterparms.hdr.return_code == 0) {
-		carrier_info->card_type = card_info->card_type;
-		carrier_info->port_mode = card_info->port_mode;
-		carrier_info->port_speed = card_info->port_speed;
-	}
+	if (qeth_setadpparms_inspect_rc(cmd))
+		return 0;
 
-	qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
+	card_info = &cmd->data.setadapterparms.data.card_info;
+	carrier_info->card_type = card_info->card_type;
+	carrier_info->port_mode = card_info->port_mode;
+	carrier_info->port_speed = card_info->port_speed;
 	return 0;
 }
 
-- 
2.17.1





* [PATCH 4.14 060/143] net/mlx5: Fix mlx5_get_vector_affinity function
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 059/143] s390/qeth: fix error handling in adapter command callbacks Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 19:59   ` Sudip Mukherjee
  2018-11-02 18:34 ` [PATCH 4.14 061/143] powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  144 siblings, 1 reply; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Israel Rukshin, Max Gurtovoy,
	Sagi Grimberg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6082d9c9c94a408d7409b5f2e4e42ac9e8b16d0d ]

Adding the vector offset when calling to mlx5_vector2eqn() is wrong.
This is because mlx5_vector2eqn() checks if EQ index is equal to vector number
and the fact that the internal completion vectors that mlx5 allocates
don't get an EQ index.

The second problem here is that using effective_affinity_mask gives the same
CPU for different vectors.
This leads to unmapped queues when calling it from blk_mq_rdma_map_queues().
This doesn't happen when using affinity_hint mask.

Fixes: 2572cf57d75a ("mlx5: fix mlx5_get_vector_affinity to start from completion vector 0")
Fixes: 05e0cc84e00c ("net/mlx5: Fix get vector affinity helper function")
Signed-off-by: Israel Rukshin <israelr@mellanox.com>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/mlx5/main.c |  2 +-
 include/linux/mlx5/driver.h       | 12 +++---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index ab70194a73db..c3a4f5d92391 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -3911,7 +3911,7 @@ mlx5_ib_get_vector_affinity(struct ib_device *ibdev, int comp_vector)
 {
 	struct mlx5_ib_dev *dev = to_mdev(ibdev);
 
-	return mlx5_get_vector_affinity(dev->mdev, comp_vector);
+	return mlx5_get_vector_affinity_hint(dev->mdev, comp_vector);
 }
 
 static void *mlx5_ib_add(struct mlx5_core_dev *mdev)
diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
index c4d19e77fea8..5eff332092bc 100644
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -1193,25 +1193,19 @@ enum {
 };
 
 static inline const struct cpumask *
-mlx5_get_vector_affinity(struct mlx5_core_dev *dev, int vector)
+mlx5_get_vector_affinity_hint(struct mlx5_core_dev *dev, int vector)
 {
-	const struct cpumask *mask;
 	struct irq_desc *desc;
 	unsigned int irq;
 	int eqn;
 	int err;
 
-	err = mlx5_vector2eqn(dev, MLX5_EQ_VEC_COMP_BASE + vector, &eqn, &irq);
+	err = mlx5_vector2eqn(dev, vector, &eqn, &irq);
 	if (err)
 		return NULL;
 
 	desc = irq_to_desc(irq);
-#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
-	mask = irq_data_get_effective_affinity_mask(&desc->irq_data);
-#else
-	mask = desc->irq_common_data.affinity;
-#endif
-	return mask;
+	return desc->affinity_hint;
 }
 
 #endif /* MLX5_DRIVER_H */
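Review bot: in mlx5_get_vector_affinity_hint() the pointer returned by irq_to_desc(irq) is dereferenced without a NULL check, and the new `return desc->affinity_hint;` replaces an #ifdef block that selected a field per kernel configuration with one unconditional field access. Add the NULL check, and confirm that affinity_hint is present in struct irq_desc under every configuration that includes this header; if the field is configuration-dependent, the access needs a guard or a fallback. The rename also requires every caller to be converted, and this patch shows only mlx5_ib_get_vector_affinity().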
-- 
2.17.1





* [PATCH 4.14 061/143] powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 060/143] net/mlx5: Fix mlx5_get_vector_affinity function Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 062/143] dm integrity: fail early if required HMAC key is not available Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Michael Ellerman,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c1e150ceb61e4a585bad156da15c33bfe89f5858 ]

When CONFIG_NUMA is not set, the build fails with:

  arch/powerpc/platforms/pseries/hotplug-cpu.c:335:4:
  error: déclaration implicite de la fonction « update_numa_cpu_lookup_table »

So we have to add update_numa_cpu_lookup_table() as an empty function
when CONFIG_NUMA is not set.

Fixes: 1d9a090783be ("powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/topology.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/powerpc/include/asm/topology.h b/arch/powerpc/include/asm/topology.h
index d5f2ee882f74..66c72b356ac0 100644
--- a/arch/powerpc/include/asm/topology.h
+++ b/arch/powerpc/include/asm/topology.h
@@ -81,6 +81,9 @@ static inline int numa_update_cpu_topology(bool cpus_locked)
 {
 	return 0;
 }
+
+static inline void update_numa_cpu_lookup_table(unsigned int cpu, int node) {}
+
 #endif /* CONFIG_NUMA */
 
 #if defined(CONFIG_NUMA) && defined(CONFIG_PPC_SPLPAR)
-- 
2.17.1





* [PATCH 4.14 062/143] dm integrity: fail early if required HMAC key is not available
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 061/143] powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 063/143] net: phy: realtek: Use the dummy stubs for MMD register access for rtl8211b Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Milan Broz, Mike Snitzer, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e16b4f99f0f79682a7efe191a8ce694d87ca9fc8 ]

Since crypto API commit 9fa68f62004 ("crypto: hash - prevent using keyed
hashes without setting key") dm-integrity cannot use keyed algorithms
without the key being set.

The dm-integrity recognizes this too late (during use of HMAC), so it
allows creation and formatting of superblock, but the device is in fact
unusable.

Fix it by detecting the key requirement in integrity table constructor.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-integrity.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 898286ed47a1..b10e4c5641ea 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -2547,6 +2547,9 @@ static int get_mac(struct crypto_shash **hash, struct alg_spec *a, char **error,
 				*error = error_key;
 				return r;
 			}
+		} else if (crypto_shash_get_flags(*hash) & CRYPTO_TFM_NEED_KEY) {
+			*error = error_key;
+			return -ENOKEY;
 		}
 	}
 
-- 
2.17.1





* [PATCH 4.14 063/143] net: phy: realtek: Use the dummy stubs for MMD register access for rtl8211b
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 062/143] dm integrity: fail early if required HMAC key is not available Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 064/143] net: phy: Add general dummy stubs for MMD register access Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kevin Hao, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0231b1a074c672f8c00da00a57144072890d816b ]

The Ethernet on mpc8315erdb is broken since commit b6b5e8a69118
("gianfar: Disable EEE autoneg by default"). The reason is that
even though the rtl8211b doesn't support the MMD extended registers
access, it does return some random values if we trying to access
the MMD register via indirect method. This makes it seem that the
EEE is supported by this phy device. And the subsequent writing to
the MMD registers does cause the phy malfunction. So use the dummy
stubs for the MMD register access to fix this issue.

Fixes: b6b5e8a69118 ("gianfar: Disable EEE autoneg by default")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/realtek.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c
index 9cbe645e3d89..7d38af5ed4b5 100644
--- a/drivers/net/phy/realtek.c
+++ b/drivers/net/phy/realtek.c
@@ -138,6 +138,8 @@ static struct phy_driver realtek_drvs[] = {
 		.read_status	= &genphy_read_status,
 		.ack_interrupt	= &rtl821x_ack_interrupt,
 		.config_intr	= &rtl8211b_config_intr,
+		.read_mmd	= &genphy_read_mmd_unsupported,
+		.write_mmd	= &genphy_write_mmd_unsupported,
 	}, {
 		.phy_id		= 0x001cc914,
 		.name		= "RTL8211DN Gigabit Ethernet",
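Review bot: the two added initializers, .read_mmd and .write_mmd, reference genphy_read_mmd_unsupported and genphy_write_mmd_unsupported, which are introduced by 064/143, the next patch in this series. Applied in this order the tree does not build after 063 alone, which breaks bisection; the patch that adds the stubs should be queued first.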
-- 
2.17.1





* [PATCH 4.14 064/143] net: phy: Add general dummy stubs for MMD register access
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 063/143] net: phy: realtek: Use the dummy stubs for MMD register access for rtl8211b Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 065/143] net/mlx5e: Refine ets validation function Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kevin Hao, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5df7af85ecd88e8b5f1f31d6456c3cf38a8bbdda ]

For some phy devices, even though they don't support the MMD extended
register access, it does have some side effect if we are trying to
read/write the MMD registers via indirect method. So introduce general
dummy stubs for MMD register access which these devices can use to avoid
such side effect.

Fixes: b6b5e8a69118 ("gianfar: Disable EEE autoneg by default")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/phy_device.c | 17 +++++++++++++++++
 include/linux/phy.h          |  4 ++++
 2 files changed, 21 insertions(+)

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index a174d05a9752..fe76e2c4022a 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1641,6 +1641,23 @@ int genphy_config_init(struct phy_device *phydev)
 }
 EXPORT_SYMBOL(genphy_config_init);
 
+/* This is used for the phy device which doesn't support the MMD extended
+ * register access, but it does have side effect when we are trying to access
+ * the MMD register via indirect method.
+ */
+int genphy_read_mmd_unsupported(struct phy_device *phdev, int devad, u16 regnum)
+{
+	return -EOPNOTSUPP;
+}
+EXPORT_SYMBOL(genphy_read_mmd_unsupported);
+
+int genphy_write_mmd_unsupported(struct phy_device *phdev, int devnum,
+				 u16 regnum, u16 val)
+{
+	return -EOPNOTSUPP;
+}
+EXPORT_SYMBOL(genphy_write_mmd_unsupported);
+
 int genphy_suspend(struct phy_device *phydev)
 {
 	int value;
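
Review bot: Both stubs name their first parameter phdev, while the neighbouring functions in this file (genphy_config_init above, genphy_suspend below) use phydev, and the device-address parameter is devad in the read stub but devnum in the write stub. Use phydev and a single name for the device address in both. The block comment also sits only above the read stub; it should say that it covers the write stub too and that both return -EOPNOTSUPP without touching the bus.
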
diff --git a/include/linux/phy.h b/include/linux/phy.h
index dca9e926b88f..efc04c2d92c9 100644
--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -879,6 +879,10 @@ static inline int genphy_no_soft_reset(struct phy_device *phydev)
 {
 	return 0;
 }
+int genphy_read_mmd_unsupported(struct phy_device *phdev, int devad,
+				u16 regnum);
+int genphy_write_mmd_unsupported(struct phy_device *phdev, int devnum,
+				 u16 regnum, u16 val);
 
 /* Clause 45 PHY */
 int genphy_c45_restart_aneg(struct phy_device *phydev);
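
Review bot: The new prototypes follow the closing brace of genphy_no_soft_reset() with no blank line in between, and they repeat the phdev/devad/devnum spelling from phy_device.c. Add a separating blank line and keep the parameter names in step with whatever the definitions end up using.
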
-- 
2.17.1





* [PATCH 4.14 065/143] net/mlx5e: Refine ets validation function
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 064/143] net: phy: Add general dummy stubs for MMD register access Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 066/143] scsi: qla2xxx: Avoid double completion of abort command Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shay Agroskin, Huy Nguyen,
	Eran Ben Elisha, Saeed Mahameed, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e279d634f3d57452eb106a0c0e99a6add3fba1a6 ]

Removed an error message received when configuring ETS total
bandwidth to be zero.
Our hardware doesn't support such configuration, so we shall
reject it in the driver. Nevertheless, we removed the error message
in order to eliminate error messages caused by old userspace tools
who try to pass such configuration.

Fixes: ff0891915cd7 ("net/mlx5e: Fix ETS BW check")
Signed-off-by: Shay Agroskin <shayag@mellanox.com>
Reviewed-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/mellanox/mlx5/core/en_dcbnl.c  | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
index 9d64d0759ee9..a5dd99aaf321 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
@@ -257,7 +257,8 @@ int mlx5e_dcbnl_ieee_setets_core(struct mlx5e_priv *priv, struct ieee_ets *ets)
 }
 
 static int mlx5e_dbcnl_validate_ets(struct net_device *netdev,
-				    struct ieee_ets *ets)
+				    struct ieee_ets *ets,
+				    bool zero_sum_allowed)
 {
 	bool have_ets_tc = false;
 	int bw_sum = 0;
@@ -282,8 +283,9 @@ static int mlx5e_dbcnl_validate_ets(struct net_device *netdev,
 	}
 
 	if (have_ets_tc && bw_sum != 100) {
-		netdev_err(netdev,
-			   "Failed to validate ETS: BW sum is illegal\n");
+		if (bw_sum || (!bw_sum && !zero_sum_allowed))
+			netdev_err(netdev,
+				   "Failed to validate ETS: BW sum is illegal\n");
 		return -EINVAL;
 	}
 	return 0;
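
Review bot: The new condition "if (bw_sum || (!bw_sum && !zero_sum_allowed))" is redundant: the right-hand operand is only evaluated when bw_sum is zero, so it reduces to "if (bw_sum || !zero_sum_allowed)". The parameter name is also misleading, because a zero sum is still rejected with -EINVAL and only the netdev_err() is skipped; a name or a one-line comment saying that the flag merely silences the message would match what the code does.
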
@@ -298,7 +300,7 @@ static int mlx5e_dcbnl_ieee_setets(struct net_device *netdev,
 	if (!MLX5_CAP_GEN(priv->mdev, ets))
 		return -EOPNOTSUPP;
 
-	err = mlx5e_dbcnl_validate_ets(netdev, ets);
+	err = mlx5e_dbcnl_validate_ets(netdev, ets, false);
 	if (err)
 		return err;
 
@@ -477,12 +479,9 @@ static u8 mlx5e_dcbnl_setall(struct net_device *netdev)
 		ets.prio_tc[i]  = cee_cfg->prio_to_pg_map[i];
 	}
 
-	err = mlx5e_dbcnl_validate_ets(netdev, &ets);
-	if (err) {
-		netdev_err(netdev,
-			   "%s, Failed to validate ETS: %d\n", __func__, err);
+	err = mlx5e_dbcnl_validate_ets(netdev, &ets, true);
+	if (err)
 		goto out;
-	}
 
 	err = mlx5e_dcbnl_ieee_setets_core(priv, &ets);
 	if (err) {
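
Review bot: With the netdev_err() removed from mlx5e_dcbnl_setall() and zero_sum_allowed passed as true, a zero bandwidth sum on this path is now rejected without any log line at all. If the goal is only to keep old tools from filling the log at error level, consider a netdev_dbg() here so the rejection can still be traced when debugging.
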
-- 
2.17.1





* [PATCH 4.14 066/143] scsi: qla2xxx: Avoid double completion of abort command
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 065/143] net/mlx5e: Refine ets validation function Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 067/143] kbuild: set no-integrated-as before incl. arch Makefile Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Himanshu Madhani,
	Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 3a9910d7b686546dcc9986e790af17e148f1c888 ]

qla2x00_tmf_sp_done() now deletes the timer that will run
qla2x00_tmf_iocb_timeout(), but doesn't check whether the timer already
expired.  Check the return value from del_timer() to avoid calling
complete() a second time.

Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous ...")
Fixes: 1514839b3664 ("scsi: qla2xxx: Fix NULL pointer crash due to active ...")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_init.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index 1d42d38f5a45..0e19f6bc24ff 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -1365,8 +1365,8 @@ qla24xx_abort_sp_done(void *ptr, int res)
 	srb_t *sp = ptr;
 	struct srb_iocb *abt = &sp->u.iocb_cmd;
 
-	del_timer(&sp->u.iocb_cmd.timer);
-	complete(&abt->u.abt.comp);
+	if (del_timer(&sp->u.iocb_cmd.timer))
+		complete(&abt->u.abt.comp);
 }
 
 int
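
Review bot: The commit message talks about qla2x00_tmf_sp_done() and qla2x00_tmf_iocb_timeout(), but the function changed here is qla24xx_abort_sp_done(); the description should name the function actually touched. Inside it, the new "if (del_timer(...))" relies on the timeout handler being the one that calls complete() whenever del_timer() returns 0, and a one-line comment stating that would keep a later cleanup from restoring the unconditional complete().
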
-- 
2.17.1





* [PATCH 4.14 067/143] kbuild: set no-integrated-as before incl. arch Makefile
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 066/143] scsi: qla2xxx: Avoid double completion of abort command Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 068/143] IB/mlx5: Avoid passing an invalid QP type to firmware Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Agner, Masahiro Yamada, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0f0e8de334c54c38818a4a5390a39aa09deff5bf ]

In order to make sure compiler flag detection for ARM works
correctly the no-integrated-as flags need to be set before
including the arch specific Makefile.

Fixes: cfe17c9bbe6a ("kbuild: move cc-option and cc-disable-warning after incl. arch Makefile")
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 16d1a18496fb..8cc08595b760 100644
--- a/Makefile
+++ b/Makefile
@@ -487,6 +487,8 @@ CLANG_GCC_TC	:= --gcc-toolchain=$(GCC_TOOLCHAIN)
 endif
 KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
 KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
+KBUILD_CFLAGS += $(call cc-option, -no-integrated-as)
+KBUILD_AFLAGS += $(call cc-option, -no-integrated-as)
 endif
 
 RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register
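
Review bot: Nothing at the new location of the two -no-integrated-as lines says that they have to stay ahead of the arch Makefile include, which is the whole reason for the move. A short comment above them would keep a later tidy-up from moving them back down to the other clang cc-option lines they are removed from in the second hunk.
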
@@ -721,8 +723,6 @@ KBUILD_CFLAGS += $(call cc-disable-warning, tautological-compare)
 # See modpost pattern 2
 KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
 KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
-KBUILD_CFLAGS += $(call cc-option, -no-integrated-as)
-KBUILD_AFLAGS += $(call cc-option, -no-integrated-as)
 else
 
 # These warnings generated too much noise in a regular build.
-- 
2.17.1





* [PATCH 4.14 068/143] IB/mlx5: Avoid passing an invalid QP type to firmware
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 067/143] kbuild: set no-integrated-as before incl. arch Makefile Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20 Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ilya Lesokhin, Noa Osherovich,
	Leon Romanovsky, Jason Gunthorpe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e7b169f34403becd3c9fd3b6e46614ab788f2187 ]

During QP creation, the mlx5 driver translates the QP type to an
internal value which is passed on to FW. There was no check to make
sure that the translated value is valid, and -EINVAL was coerced into
the mailbox command.

Current firmware refuses this as an invalid QP type, but future/past
firmware may do something else.

Fixes: 09a7d9eca1a6c ('{net,IB}/mlx5: QP/XRCD commands via mlx5 ifc')
Reviewed-by: Ilya Lesokhin <ilyal@mellanox.com>
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/mlx5/qp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index ef9ee6c328a1..dfc190055167 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -1527,6 +1527,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
 	u32 uidx = MLX5_IB_DEFAULT_UIDX;
 	struct mlx5_ib_create_qp ucmd;
 	struct mlx5_ib_qp_base *base;
+	int mlx5_st;
 	void *qpc;
 	u32 *in;
 	int err;
@@ -1535,6 +1536,10 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
 	spin_lock_init(&qp->sq.lock);
 	spin_lock_init(&qp->rq.lock);
 
+	mlx5_st = to_mlx5_st(init_attr->qp_type);
+	if (mlx5_st < 0)
+		return -EINVAL;
+
 	if (init_attr->rwq_ind_tbl) {
 		if (!udata)
 			return -ENOSYS;
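
Review bot: The new check discards the value returned by to_mlx5_st() and hard-codes -EINVAL. Returning mlx5_st itself would propagate whatever error the translator reports and stay correct if it ever returns something other than -EINVAL. The check could also move above the two spin_lock_init() calls, since it depends on nothing they set up.
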
@@ -1688,7 +1693,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
 
 	qpc = MLX5_ADDR_OF(create_qp_in, in, qpc);
 
-	MLX5_SET(qpc, qpc, st, to_mlx5_st(init_attr->qp_type));
+	MLX5_SET(qpc, qpc, st, mlx5_st);
 	MLX5_SET(qpc, qpc, pm_state, MLX5_QP_PM_MIGRATED);
 
 	if (init_attr->qp_type != MLX5_IB_QPT_REG_UMR)
-- 
2.17.1





* [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 068/143] IB/mlx5: Avoid passing an invalid QP type to firmware Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 19:56   ` Sudip Mukherjee
  2018-11-02 18:34 ` [PATCH 4.14 070/143] l2tp: remove configurable payload offset Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  144 siblings, 1 reply; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marcel Ziswiler, Dmitry Osipenko,
	Rob Herring, Thierry Reding, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4c9a27a6c66d4427f3cba4019d4ba738fe99fa87 ]

Since commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting
during registration") ULPI has been broken on Tegra20 leading to the
following error message during boot:

[    1.974698] ulpi_phy_power_on: ulpi write failed
[    1.979384] tegra-ehci c5004000.usb: Failed to power on the phy
[    1.985434] tegra-ehci: probe of c5004000.usb failed with error -110

Debugging through the changes and finally also consulting the TRM
revealed that rather than the CDEV2 clock off OSC requiring such pin
muxing actually the PLL_P_OUT4 clock is in use. It looks like so far it
just worked by chance of that one having been enabled which Stephen's
commit now changed when reparenting sclk away from pll_p_out4 leaving
that one disabled. Fix this by properly assigning the PLL_P_OUT4 clock
as the ULPI PHY clock.

Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Rob Herring <robh@kernel.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/tegra20.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi
index 914f59166a99..2780e68a853b 100644
--- a/arch/arm/boot/dts/tegra20.dtsi
+++ b/arch/arm/boot/dts/tegra20.dtsi
@@ -706,7 +706,7 @@
 		phy_type = "ulpi";
 		clocks = <&tegra_car TEGRA20_CLK_USB2>,
 			 <&tegra_car TEGRA20_CLK_PLL_U>,
-			 <&tegra_car TEGRA20_CLK_CDEV2>;
+			 <&tegra_car TEGRA20_CLK_PLL_P_OUT4>;
 		clock-names = "reg", "pll_u", "ulpi-link";
 		resets = <&tegra_car 58>, <&tegra_car 22>;
 		reset-names = "usb", "utmi-pads";
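
Review bot: The third clocks entry now points at TEGRA20_CLK_PLL_P_OUT4 while its clock-names entry stays "ulpi-link", and nothing in the node records why. Since the commit message says the old CDEV2 reference only worked by chance, a short comment on that line noting that PLL_P_OUT4 is the actual ULPI PHY clock according to the TRM would save the next reader the same debugging.
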
-- 
2.17.1





* [PATCH 4.14 070/143] l2tp: remove configurable payload offset
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20 Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 071/143] cifs: Use ULL suffix for 64-bit constant Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Chapman, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 900631ee6a2651dc4fbaecb8ef9fa5f1e3378853 ]

If L2TP_ATTR_OFFSET is set to a non-zero value in L2TPv3 tunnels, it
results in L2TPv3 packets being transmitted which might not be
compliant with the L2TPv3 RFC. This patch has l2tp ignore the offset
setting and send all packets with no offset.

In more detail:

L2TPv2 supports a variable offset from the L2TPv2 header to the
payload. The offset value is indicated by an optional field in the
L2TP header.  Our L2TP implementation already detects the presence of
the optional offset and skips that many bytes when handling data
received packets. All transmitted packets are always transmitted with
no offset.

L2TPv3 has no optional offset field in the L2TPv3 packet
header. Instead, L2TPv3 defines optional fields in a "Layer-2 Specific
Sublayer". At the time when the original L2TP code was written, there
was talk at IETF of offset being implemented in a new Layer-2 Specific
Sublayer. A L2TP_ATTR_OFFSET netlink attribute was added so that this
offset could be configured and the intention was to allow it to be
also used to set the tx offset for L2TPv2. However, no L2TPv3 offset
was ever specified and the L2TP_ATTR_OFFSET parameter was forgotten
about.

Setting L2TP_ATTR_OFFSET results in L2TPv3 packets being transmitted
with the specified number of bytes padding between L2TPv3 header and
payload. This is not compliant with L2TPv3 RFC3931. This change
removes the configurable offset altogether while retaining
L2TP_ATTR_OFFSET for backwards compatibility. Any L2TP_ATTR_OFFSET
value is ignored.

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/l2tp/l2tp_core.c    | 14 ++++----------
 net/l2tp/l2tp_core.h    |  3 ---
 net/l2tp/l2tp_debugfs.c |  4 ++--
 net/l2tp/l2tp_netlink.c |  3 ---
 4 files changed, 6 insertions(+), 18 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 5c87f1d3e525..33ea389ee015 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -808,10 +808,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
 		}
 	}
 
-	/* Session data offset is handled differently for L2TPv2 and
-	 * L2TPv3. For L2TPv2, there is an optional 16-bit value in
-	 * the header. For L2TPv3, the offset is negotiated using AVPs
-	 * in the session setup control protocol.
+	/* Session data offset is defined only for L2TPv2 and is
+	 * indicated by an optional 16-bit value in the header.
 	 */
 	if (tunnel->version == L2TP_HDR_VER_2) {
 		/* If offset bit set, skip it. */
@@ -819,8 +817,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
 			offset = ntohs(*(__be16 *)ptr);
 			ptr += 2 + offset;
 		}
-	} else
-		ptr += session->offset;
+	}
 
 	offset = ptr - optr;
 	if (!pskb_may_pull(skb, offset))
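
Review bot: Dropping the "else ptr += session->offset;" branch means the receive path no longer skips any padding on L2TPv3 sessions, yet the commit message says kernels before this change transmit that padding when L2TP_ATTR_OFFSET is non-zero. A peer still running the old code with an offset configured will therefore send packets that this side parses from the wrong position; the commit message should call out that interoperability change explicitly.
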
@@ -1104,8 +1101,6 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
 		}
 		bufp += session->l2specific_len;
 	}
-	if (session->offset)
-		bufp += session->offset;
 
 	return bufp - optr;
 }
@@ -1779,7 +1774,7 @@ void l2tp_session_set_header_len(struct l2tp_session *session, int version)
 		if (session->send_seq)
 			session->hdr_len += 4;
 	} else {
-		session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
+		session->hdr_len = 4 + session->cookie_len + session->l2specific_len;
 		if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
 			session->hdr_len += 4;
 	}
@@ -1830,7 +1825,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
 			session->recv_seq = cfg->recv_seq;
 			session->lns_mode = cfg->lns_mode;
 			session->reorder_timeout = cfg->reorder_timeout;
-			session->offset = cfg->offset;
 			session->l2specific_type = cfg->l2specific_type;
 			session->l2specific_len = cfg->l2specific_len;
 			session->cookie_len = cfg->cookie_len;
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 9e2f1fda1b03..0a58c0754526 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -59,7 +59,6 @@ struct l2tp_session_cfg {
 	int			debug;		/* bitmask of debug message
 						 * categories */
 	u16			vlan_id;	/* VLAN pseudowire only */
-	u16			offset;		/* offset to payload */
 	u16			l2specific_len;	/* Layer 2 specific length */
 	u16			l2specific_type; /* Layer 2 specific type */
 	u8			cookie[8];	/* optional cookie */
@@ -86,8 +85,6 @@ struct l2tp_session {
 	int			cookie_len;
 	u8			peer_cookie[8];
 	int			peer_cookie_len;
-	u16			offset;		/* offset from end of L2TP header
-						   to beginning of data */
 	u16			l2specific_len;
 	u16			l2specific_type;
 	u16			hdr_len;
diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
index 53bae54c4d6e..534cad03b9e9 100644
--- a/net/l2tp/l2tp_debugfs.c
+++ b/net/l2tp/l2tp_debugfs.c
@@ -180,8 +180,8 @@ static void l2tp_dfs_seq_session_show(struct seq_file *m, void *v)
 		   session->lns_mode ? "LNS" : "LAC",
 		   session->debug,
 		   jiffies_to_msecs(session->reorder_timeout));
-	seq_printf(m, "   offset %hu l2specific %hu/%hu\n",
-		   session->offset, session->l2specific_type, session->l2specific_len);
+	seq_printf(m, "   offset 0 l2specific %hu/%hu\n",
+		   session->l2specific_type, session->l2specific_len);
 	if (session->cookie_len) {
 		seq_printf(m, "   cookie %02x%02x%02x%02x",
 			   session->cookie[0], session->cookie[1],
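
Review bot: The format string now prints a literal "offset 0". If the field is kept so that tools parsing this debugfs file keep working, say so in a comment next to the seq_printf(); otherwise drop it, because a constant that looks like a live value invites confusion.
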
diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index c28223d8092b..001797ce4084 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -549,9 +549,6 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
 	}
 
 	if (tunnel->version > 2) {
-		if (info->attrs[L2TP_ATTR_OFFSET])
-			cfg.offset = nla_get_u16(info->attrs[L2TP_ATTR_OFFSET]);
-
 		if (info->attrs[L2TP_ATTR_DATA_SEQ])
 			cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]);
 
-- 
2.17.1





* [PATCH 4.14 071/143] cifs: Use ULL suffix for 64-bit constant
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 070/143] l2tp: remove configurable payload offset Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 072/143] test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Steve French,
	Aurelien Aptel, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 3995bbf53bd2047f2720c6fdd4bf38f6d942a0c0 ]

On 32-bit (e.g. with m68k-linux-gnu-gcc-4.1):

    fs/cifs/inode.c: In function ‘simple_hashstr’:
    fs/cifs/inode.c:713: warning: integer constant is too large for ‘long’ type

Fixes: 7ea884c77e5c97f1 ("smb3: Fix root directory when server returns inode number of zero")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/cifs/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 2cd0b3053439..d01cbca84701 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -712,7 +712,7 @@ cgfi_exit:
 /* Simple function to return a 64 bit hash of string.  Rarely called */
 static __u64 simple_hashstr(const char *str)
 {
-	const __u64 hash_mult =  1125899906842597L; /* a big enough prime */
+	const __u64 hash_mult =  1125899906842597ULL; /* a big enough prime */
 	__u64 hash = 0;
 
 	while (*str)
-- 
2.17.1





* [PATCH 4.14 072/143] test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 071/143] cifs: Use ULL suffix for 64-bit constant Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 073/143] KVM: x86: Update the exit_qualification access bits while walking an address Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thadeu Lima de Souza Cascardo,
	Yonghong Song, Daniel Borkmann, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 52fda36d63bfc8c8e8ae5eda8eb5ac6f52cd67ed ]

Function bpf_fill_maxinsns11 is designed to not be able to be JITed on
x86_64. So, it fails when CONFIG_BPF_JIT_ALWAYS_ON=y, and
commit 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when
CONFIG_BPF_JIT_ALWAYS_ON=y") makes sure that failure is detected on that
case.

However, it does not fail on other architectures, which have a different
JIT compiler design. So, test_bpf has started to fail to load on those.

After this fix, test_bpf loads fine on both x86_64 and ppc64el.

Fixes: 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reviewed-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/test_bpf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/test_bpf.c b/lib/test_bpf.c
index 64701b4c9900..75ebf2bbc2ee 100644
--- a/lib/test_bpf.c
+++ b/lib/test_bpf.c
@@ -5427,7 +5427,7 @@ static struct bpf_test tests[] = {
 	{
 		"BPF_MAXINSNS: Jump, gap, jump, ...",
 		{ },
-#ifdef CONFIG_BPF_JIT_ALWAYS_ON
+#if defined(CONFIG_BPF_JIT_ALWAYS_ON) && defined(CONFIG_X86)
 		CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
 #else
 		CLASSIC | FLAG_NO_DATA,
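
Review bot: The commit message says bpf_fill_maxinsns11 cannot be JITed on x86_64, but the new guard tests CONFIG_X86, which also covers 32-bit x86. Either use CONFIG_X86_64 in the #if or state in the message why the expected failure applies to all of x86.
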
-- 
2.17.1





* [PATCH 4.14 073/143] KVM: x86: Update the exit_qualification access bits while walking an address
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 072/143] test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 074/143] sparc64: Fix regression in pmdp_invalidate() Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paolo Bonzini,
	Radim Krčmář,
	Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
	KarimAllah Ahmed, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ddd6f0e94d3153951580d5b88b9d97c7e26a0e00 ]

... to avoid having a stale value when handling an EPT misconfig for MMIO
regions.

MMIO regions that are not passed-through to the guest are handled through
EPT misconfigs. The first time a certain MMIO page is touched it causes an
EPT violation, then KVM marks the EPT entry to cause an EPT misconfig
instead. Any subsequent accesses to the entry will generate an EPT
misconfig.

Things get slightly complicated with nested guest handling for MMIO
regions that are not passed through from L0 (i.e. emulated by L0
user-space).

An EPT violation for one of these MMIO regions from L2, exits to L0
hypervisor. L0 would then look at the EPT12 mapping for L1 hypervisor and
realize it is not present (or not sufficient to serve the request). Then L0
injects an EPT violation to L1. L1 would then update its EPT mappings. The
EXIT_QUALIFICATION value for L1 would come from exit_qualification variable
in "struct vcpu". The problem is that this variable is only updated on EPT
violation and not on EPT misconfig. So if an EPT violation because of a
read happened first, then an EPT misconfig because of a write happened
afterwards. The L0 hypervisor will still contain exit_qualification value
from the previous read instead of the write and end up injecting an EPT
violation to the L1 hypervisor with an out of date EXIT_QUALIFICATION.

The EPT violation that is injected from L0 to L1 needs to have the correct
EXIT_QUALIFICATION especially for the access bits because the individual
access bits for MMIO EPTs are updated only on actual access of this
specific type. So for the example above, the L1 hypervisor will keep
updating only the read bit in the EPT then resume the L2 guest. The L2
guest would end up causing another exit where the L0 *again* will inject
another EPT violation to L1 hypervisor with *again* an out of date
exit_qualification which indicates a read and not a write. Then this
ping-pong just keeps happening without making any forward progress.

The behavior of mapping MMIO regions changed in:

   commit a340b3e229b24 ("kvm: Map PFN-type memory regions as writable (if possible)")

... where an EPT violation for a read would also fixup the write bits to
avoid another EPT violation which by accident would fix the bug mentioned
above.

This commit fixes this situation and ensures that the access bits for the
exit_qualification are up to date. That ensures that even L1 hypervisor
running with a KVM version before the commit mentioned above would still
work.

( The description above assumes EPT to be available and used by L1
  hypervisor + the L1 hypervisor is passing through the MMIO region to the L2
  guest while this MMIO region is emulated by the L0 user-space ).

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: x86@kernel.org
Cc: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/paging_tmpl.h | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 5abae72266b7..6288e9d7068e 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -452,14 +452,21 @@ error:
 	 * done by is_rsvd_bits_set() above.
 	 *
 	 * We set up the value of exit_qualification to inject:
-	 * [2:0] - Derive from [2:0] of real exit_qualification at EPT violation
+	 * [2:0] - Derive from the access bits. The exit_qualification might be
+	 *         out of date if it is serving an EPT misconfiguration.
 	 * [5:3] - Calculated by the page walk of the guest EPT page tables
 	 * [7:8] - Derived from [7:8] of real exit_qualification
 	 *
 	 * The other bits are set to 0.
 	 */
 	if (!(errcode & PFERR_RSVD_MASK)) {
-		vcpu->arch.exit_qualification &= 0x187;
+		vcpu->arch.exit_qualification &= 0x180;
+		if (write_fault)
+			vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_WRITE;
+		if (user_fault)
+			vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_READ;
+		if (fetch_fault)
+			vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_INSTR;
 		vcpu->arch.exit_qualification |= (pte_access & 0x7) << 3;
 	}
 #endif
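
Review bot: In the new block, "if (user_fault)" sets EPT_VIOLATION_ACC_READ, which is not an obvious pairing next to write_fault/EPT_VIOLATION_ACC_WRITE and fetch_fault/EPT_VIOLATION_ACC_INSTR, and the updated comment only says that bits [2:0] are derived from the access bits. Add a line to the comment explaining why user_fault stands for a read here. The comment's "[7:8]" range is also written low-to-high, unlike "[2:0]" and "[5:3]"; it corresponds to the new 0x180 mask and would read better as "[8:7]".
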
-- 
2.17.1





* [PATCH 4.14 074/143] sparc64: Fix regression in pmdp_invalidate().
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 073/143] KVM: x86: Update the exit_qualification access bits while walking an address Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 075/143] tpm: move the delay_msec increment after sleep in tpm_transmit() Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit cfb61b5e3e09f8b49bc4d685429df75f45127adc ]

pmdp_invalidate() was changed to update the pmd atomically
(to not lose dirty/access bits) and return the original pmd
value.

However, in doing so, we lost a lot of the essential work that
set_pmd_at() does, namely to update hugepage mapping counts and
queuing up the batched TLB flush entry.

Thus we were not flushing entries out of the TLB when making
such PMD changes.

Fix this by abstracting the accounting work of set_pmd_at() out into a
separate function, and call it from pmdp_establish().

Fixes: a8e654f01cb7 ("sparc64: update pmdp_invalidate() to return old pmd value")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/mm/tlb.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
index 847ddffbf38a..b5cfab711651 100644
--- a/arch/sparc/mm/tlb.c
+++ b/arch/sparc/mm/tlb.c
@@ -163,13 +163,10 @@ static void tlb_batch_pmd_scan(struct mm_struct *mm, unsigned long vaddr,
 	pte_unmap(pte);
 }
 
-void set_pmd_at(struct mm_struct *mm, unsigned long addr,
-		pmd_t *pmdp, pmd_t pmd)
-{
-	pmd_t orig = *pmdp;
-
-	*pmdp = pmd;
 
+static void __set_pmd_acct(struct mm_struct *mm, unsigned long addr,
+			   pmd_t orig, pmd_t pmd)
+{
 	if (mm == &init_mm)
 		return;
 
@@ -219,6 +216,15 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
 	}
 }
 
+void set_pmd_at(struct mm_struct *mm, unsigned long addr,
+		pmd_t *pmdp, pmd_t pmd)
+{
+	pmd_t orig = *pmdp;
+
+	*pmdp = pmd;
+	__set_pmd_acct(mm, addr, orig, pmd);
+}
+
 static inline pmd_t pmdp_establish(struct vm_area_struct *vma,
 		unsigned long address, pmd_t *pmdp, pmd_t pmd)
 {
@@ -227,6 +233,7 @@ static inline pmd_t pmdp_establish(struct vm_area_struct *vma,
 	do {
 		old = *pmdp;
 	} while (cmpxchg64(&pmdp->pmd, old.pmd, pmd.pmd) != old.pmd);
+	__set_pmd_acct(vma->vm_mm, address, old, pmd);
 
 	return old;
 }
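Review bot: the `__set_pmd_acct(vma->vm_mm, address, old, pmd);` call added after the `cmpxchg64()` loop is the actual fix, yet neither the call nor the new helper carries a comment saying that the hugepage accounting and batched TLB flush must follow every PMD store. A short comment on `__set_pmd_acct()` stating that contract would keep a future atomic-update path from dropping the flush again, which is exactly the regression described in the changelog.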
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread

* [PATCH 4.14 075/143] tpm: move the delay_msec increment after sleep in tpm_transmit()
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 074/143] sparc64: Fix regression in pmdp_invalidate() Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 076/143] bpf: sockmap, map_release does not hold refcnt for pinned maps Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nayna Jain, Mimi Zohar,
	Jarkko Sakkinen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 92980756979a9c51be0275f395f4e89c42cf199a ]

Commit e2fb992d82c6 ("tpm: add retry logic") introduced a new loop to
handle the TPM2_RC_RETRY error. The loop retries the command after
sleeping for the specified time, which is incremented exponentially in
every iteration.

Unfortunately, the loop doubles the time before sleeping, causing the
initial sleep to be doubled. This patch fixes the initial sleep time.

Fixes: commit e2fb992d82c6 ("tpm: add retry logic")
Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/tpm/tpm-interface.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index a2070ab86c82..89d5915b1a3f 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -611,12 +611,13 @@ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space,
 		rc = be32_to_cpu(header->return_code);
 		if (rc != TPM2_RC_RETRY)
 			break;
-		delay_msec *= 2;
+
 		if (delay_msec > TPM2_DURATION_LONG) {
 			dev_err(&chip->dev, "TPM is in retry loop\n");
 			break;
 		}
 		tpm_msleep(delay_msec);
+		delay_msec *= 2;
 		memcpy(buf, save, save_size);
 	}
 	return ret;
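Review bot: moving `delay_msec *= 2;` below `tpm_msleep(delay_msec);` also changes what `if (delay_msec > TPM2_DURATION_LONG)` tests: it now checks the delay about to be slept rather than the already doubled one, so the loop performs one more retry before logging "TPM is in retry loop". The commit message only mentions the initial sleep; if the extra iteration is intended it should say so, and the empty `+` line left where the old statement was can be dropped.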
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread
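The loop ordering discussed in the tpm_transmit() patch above, modelled in user space as an added example (not code from the patch or the kernel). `simulate_backoff()`, the 20 ms starting delay and the 2000 ms limit are assumptions chosen for illustration, standing in for `delay_msec` and `TPM2_DURATION_LONG`.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed values for illustration only; the page does not state them. */
#define INITIAL_DELAY_MS 20u
#define DELAY_LIMIT_MS   2000u
#define MAX_TRACE        32

enum backoff_order { DOUBLE_BEFORE_SLEEP, DOUBLE_AFTER_SLEEP };

struct backoff_trace {
	unsigned int sleeps[MAX_TRACE]; /* each sleep in ms, in order */
	size_t nsleeps;                 /* number of sleeps performed */
	unsigned int total_ms;          /* sum of all sleeps */
	unsigned int attempts;          /* commands sent to the device */
	int gave_up;                    /* 1 if the delay limit ended the loop */
};

/*
 * Model of the retry loop. The hypothetical device answers RETRY to the
 * first `retries` commands and succeeds on the next one.
 */
static struct backoff_trace simulate_backoff(enum backoff_order order,
					     unsigned int retries)
{
	struct backoff_trace t = { {0}, 0, 0, 0, 0 };
	unsigned int delay = INITIAL_DELAY_MS;

	for (;;) {
		t.attempts++;
		if (t.attempts > retries)
			break;                  /* rc != RETRY: command done */
		if (order == DOUBLE_BEFORE_SLEEP)
			delay *= 2;             /* position before the patch */
		if (delay > DELAY_LIMIT_MS) {
			t.gave_up = 1;          /* "TPM is in retry loop" */
			break;
		}
		if (t.nsleeps < MAX_TRACE)
			t.sleeps[t.nsleeps++] = delay;
		t.total_ms += delay;            /* stands in for the sleep */
		if (order == DOUBLE_AFTER_SLEEP)
			delay *= 2;             /* position after the patch */
	}
	return t;
}

static void print_trace(const char *label, const struct backoff_trace *t)
{
	size_t i;

	printf("%s: attempts=%u gave_up=%d total=%ums sleeps:",
	       label, t->attempts, t->gave_up, t->total_ms);
	for (i = 0; i < t->nsleeps; i++)
		printf(" %u", t->sleeps[i]);
	printf("\n");
}

int main(void)
{
	/* Constructed scenarios: one RETRY, then a device that never recovers. */
	struct backoff_trace a = simulate_backoff(DOUBLE_BEFORE_SLEEP, 1);
	struct backoff_trace b = simulate_backoff(DOUBLE_AFTER_SLEEP, 1);
	struct backoff_trace c = simulate_backoff(DOUBLE_BEFORE_SLEEP, 1000);
	struct backoff_trace d = simulate_backoff(DOUBLE_AFTER_SLEEP, 1000);

	print_trace("before patch, 1 retry ", &a);
	print_trace("after patch,  1 retry ", &b);
	print_trace("before patch, stuck   ", &c);
	print_trace("after patch,  stuck   ", &d);
	return 0;
}
```

With these assumed constants the patched ordering halves the first sleep and, for a device that never stops answering RETRY, sends one more command before giving up.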

* [PATCH 4.14 076/143] bpf: sockmap, map_release does not hold refcnt for pinned maps
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 075/143] tpm: move the delay_msec increment after sleep in tpm_transmit() Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 077/143] tpm: tpm_crb: relinquish locality on error path Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Daniel Borkmann, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ba6b8de423f8d0dee48d6030288ed81c03ddf9f0 ]

Relying on map_release hook to decrement the reference counts when a
map is removed only works if the map is not being pinned. In the
pinned case the ref is decremented immediately and the BPF programs
released. After this BPF programs may not be in-use which is not
what the user would expect.

This patch moves the release logic into bpf_map_put_uref() and brings
sockmap in-line with how a similar case is handled in prog array maps.

Fixes: 3d9e952697de ("bpf: sockmap, fix leaking maps with attached but not detached progs")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/bpf.h   | 2 +-
 kernel/bpf/arraymap.c | 3 ++-
 kernel/bpf/sockmap.c  | 4 ++--
 kernel/bpf/syscall.c  | 4 ++--
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 5c5be80ce802..c9d2a1a3ef11 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -27,6 +27,7 @@ struct bpf_map_ops {
 	void (*map_release)(struct bpf_map *map, struct file *map_file);
 	void (*map_free)(struct bpf_map *map);
 	int (*map_get_next_key)(struct bpf_map *map, void *key, void *next_key);
+	void (*map_release_uref)(struct bpf_map *map);
 
 	/* funcs callable from userspace and from eBPF programs */
 	void *(*map_lookup_elem)(struct bpf_map *map, void *key);
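Review bot: the new `map_release_uref` callback is added to `struct bpf_map_ops` with no comment, a few lines below `map_release`, which has a similar name but a different signature and trigger. A short comment on the member stating that it runs when the last user reference is dropped (the `atomic_dec_and_test(&map->usercnt)` path in `bpf_map_put_uref()`) would keep implementers from wiring teardown to the wrong hook again.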
@@ -300,7 +301,6 @@ int bpf_stackmap_copy(struct bpf_map *map, void *key, void *value);
 int bpf_fd_array_map_update_elem(struct bpf_map *map, struct file *map_file,
 				 void *key, void *value, u64 map_flags);
 int bpf_fd_array_map_lookup_elem(struct bpf_map *map, void *key, u32 *value);
-void bpf_fd_array_map_clear(struct bpf_map *map);
 int bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file,
 				void *key, void *value, u64 map_flags);
 int bpf_fd_htab_map_lookup_elem(struct bpf_map *map, void *key, u32 *value);
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index f57d0bdf3c9e..a8f55ea4146b 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -467,7 +467,7 @@ static u32 prog_fd_array_sys_lookup_elem(void *ptr)
 }
 
 /* decrement refcnt of all bpf_progs that are stored in this map */
-void bpf_fd_array_map_clear(struct bpf_map *map)
+static void bpf_fd_array_map_clear(struct bpf_map *map)
 {
 	struct bpf_array *array = container_of(map, struct bpf_array, map);
 	int i;
@@ -485,6 +485,7 @@ const struct bpf_map_ops prog_array_map_ops = {
 	.map_fd_get_ptr = prog_fd_array_get_ptr,
 	.map_fd_put_ptr = prog_fd_array_put_ptr,
 	.map_fd_sys_lookup_elem = prog_fd_array_sys_lookup_elem,
+	.map_release_uref = bpf_fd_array_map_clear,
 };
 
 static struct bpf_event_entry *bpf_event_entry_gen(struct file *perf_file,
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index 20eaddfa691c..22991e19c01c 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -875,7 +875,7 @@ static int sock_map_update_elem(struct bpf_map *map,
 	return err;
 }
 
-static void sock_map_release(struct bpf_map *map, struct file *map_file)
+static void sock_map_release(struct bpf_map *map)
 {
 	struct bpf_stab *stab = container_of(map, struct bpf_stab, map);
 	struct bpf_prog *orig;
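Review bot: `sock_map_release()` keeps its old name after losing the `struct file *map_file` argument and being rewired to `.map_release_uref`, so the name now points at the `map_release` hook it no longer implements. Renaming it to match the callback it serves would make the ops table in the next hunk read unambiguously.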
@@ -895,7 +895,7 @@ const struct bpf_map_ops sock_map_ops = {
 	.map_get_next_key = sock_map_get_next_key,
 	.map_update_elem = sock_map_update_elem,
 	.map_delete_elem = sock_map_delete_elem,
-	.map_release = sock_map_release,
+	.map_release_uref = sock_map_release,
 };
 
 BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, bpf_sock,
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 4e933219fec6..ea22d0b6a9f0 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -214,8 +214,8 @@ static void bpf_map_free_deferred(struct work_struct *work)
 static void bpf_map_put_uref(struct bpf_map *map)
 {
 	if (atomic_dec_and_test(&map->usercnt)) {
-		if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY)
-			bpf_fd_array_map_clear(map);
+		if (map->ops->map_release_uref)
+			map->ops->map_release_uref(map);
 	}
 }
 
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread

* [PATCH 4.14 077/143] tpm: tpm_crb: relinquish locality on error path.
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 076/143] bpf: sockmap, map_release does not hold refcnt for pinned maps Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 078/143] xen-netfront: Update features after registering netdev Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Winkler, Jarkko Sakkinen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1fbad3028664e114d210dc65d768947a3a553eaa ]

In the crb_map_io() function, __crb_request_locality() is called prior
to crb_cmd_ready(), but if one of the consecutive functions fails
the flow bails out instead of trying to relinquish locality.
This patch adds a goto jump to __crb_relinquish_locality() on the error path.

Fixes: 888d867df441 (tpm: cmd_ready command can be issued only after granting locality)
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/tpm/tpm_crb.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index 5c7ce5aaaf6f..b4ad169836e9 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -520,8 +520,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
 
 	priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address,
 				   sizeof(struct crb_regs_tail));
-	if (IS_ERR(priv->regs_t))
-		return PTR_ERR(priv->regs_t);
+	if (IS_ERR(priv->regs_t)) {
+		ret = PTR_ERR(priv->regs_t);
+		goto out_relinquish_locality;
+	}
 
 	/*
 	 * PTT HW bug w/a: wake up the device to access
@@ -529,7 +531,7 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
 	 */
 	ret = __crb_cmd_ready(dev, priv);
 	if (ret)
-		return ret;
+		goto out_relinquish_locality;
 
 	pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high);
 	pa_low  = ioread32(&priv->regs_t->ctrl_cmd_pa_low);
@@ -574,6 +576,8 @@ out:
 
 	__crb_go_idle(dev, priv);
 
+out_relinquish_locality:
+
 	__crb_relinquish_locality(dev, priv, 0);
 
 	return ret;
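Review bot: the new `out_relinquish_locality:` label sits after `__crb_go_idle(dev, priv);`, so the two error paths that jump to it skip the idle transition and only relinquish locality. That looks deliberate, since both failures occur before or in `__crb_cmd_ready()`, but a one-line comment at the label would record the reasoning; the empty `+` line directly after the label is not needed.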
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread

* [PATCH 4.14 078/143] xen-netfront: Update features after registering netdev
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 077/143] tpm: tpm_crb: relinquish locality on error path Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 079/143] xen-netfront: Fix mismatched rtnl_unlock Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liam Shepherd, Ross Lagerwall,
	Juergen Gross, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 45c8184c1bed1ca8a7f02918552063a00b909bf5 ]

Update the features after calling register_netdev() otherwise the
device features are not set up correctly and it is not possible to change
the MTU of the device. After this change, the features reported by
ethtool match the device's features before the commit which introduced
the issue and it is possible to change the device's MTU.

Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
Reported-by: Liam Shepherd <liam@dancer.es>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/xen-netfront.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 1a40fc3517a8..ca239912c0e6 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1964,10 +1964,6 @@ static int xennet_connect(struct net_device *dev)
 	/* talk_to_netback() sets the correct number of queues */
 	num_queues = dev->real_num_tx_queues;
 
-	rtnl_lock();
-	netdev_update_features(dev);
-	rtnl_unlock();
-
 	if (dev->reg_state == NETREG_UNINITIALIZED) {
 		err = register_netdev(dev);
 		if (err) {
@@ -1977,6 +1973,10 @@ static int xennet_connect(struct net_device *dev)
 		}
 	}
 
+	rtnl_lock();
+	netdev_update_features(dev);
+	rtnl_unlock();
+
 	/*
 	 * All public and private state should now be sane.  Get
 	 * ready to start sending and receiving packets and give the driver
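Review bot: the relocated `rtnl_lock(); netdev_update_features(dev); rtnl_unlock();` sequence carries no comment saying it has to follow `register_netdev()`, which is the whole point of the move. Since the block ended up ahead of registration as part of an earlier fix, a short comment on the ordering requirement would guard against it drifting back.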
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread

* [PATCH 4.14 079/143] xen-netfront: Fix mismatched rtnl_unlock
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 078/143] xen-netfront: Update features after registering netdev Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 080/143] IB/usnic: Update with bug fixes from core code Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Ross Lagerwall,
	Juergen Gross, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit cb257783c2927b73614b20f915a91ff78aa6f3e8 ]

Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/xen-netfront.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index ca239912c0e6..6ea95b316256 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1824,7 +1824,7 @@ static int talk_to_netback(struct xenbus_device *dev,
 	err = xen_net_read_mac(dev, info->netdev->dev_addr);
 	if (err) {
 		xenbus_dev_fatal(dev, err, "parsing %s/mac", dev->nodename);
-		goto out;
+		goto out_unlocked;
 	}
 
 	rtnl_lock();
@@ -1939,6 +1939,7 @@ abort_transaction_no_dev_fatal:
 	xennet_destroy_queues(info);
  out:
 	rtnl_unlock();
+out_unlocked:
 	device_unregister(&dev->dev);
 	return err;
 }
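Review bot: `out_unlocked:` is added at column 0 while the neighbouring ` out:` label is indented by one space; pick one style for the labels in this function. The patch also arrives without a changelog body, so the commit message should state that the `xen_net_read_mac()` failure path runs before `rtnl_lock()` and therefore must not reach `rtnl_unlock()`.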
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread

* [PATCH 4.14 080/143] IB/usnic: Update with bug fixes from core code
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 079/143] xen-netfront: Fix mismatched rtnl_unlock Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 081/143] mmc: dw_mmc-rockchip: correct property names in debug Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 43cbd64b1fdc1da89abdad88a022d9e87a98e9c6 ]

usnic has a modified version of the core code's ib_umem_get() and
related, and the copy misses many of the bug fixes done over the years:

Commit bc3e53f682d9 ("mm: distinguish between mlocked and pinned pages")
Commit 87773dd56d54 ("IB: ib_umem_release() should decrement mm->pinned_vm
                      from ib_umem_get")
Commit 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get
                      address arithmetic")
Commit 8abaae62f3fd ("IB/core: disallow registering 0-sized memory region")
Commit 66578b0b2f69 ("IB/core: don't disallow registering region starting
                      at 0x0")
Commit 53376fedb9da ("RDMA/core: not to set page dirty bit if it's already
                      set.")
Commit 8e907ed48827 ("IB/umem: Use the correct mm during ib_umem_release")

Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/usnic/usnic_ib_verbs.c |  2 +-
 drivers/infiniband/hw/usnic/usnic_uiom.c     | 40 ++++++++++++++------
 drivers/infiniband/hw/usnic/usnic_uiom.h     |  5 ++-
 3 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
index e4113ef09315..3c3453d213dc 100644
--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
+++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
@@ -642,7 +642,7 @@ int usnic_ib_dereg_mr(struct ib_mr *ibmr)
 
 	usnic_dbg("va 0x%lx length 0x%zx\n", mr->umem->va, mr->umem->length);
 
-	usnic_uiom_reg_release(mr->umem, ibmr->pd->uobject->context->closing);
+	usnic_uiom_reg_release(mr->umem, ibmr->uobject->context);
 	kfree(mr);
 	return 0;
 }
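Review bot: the call now dereferences `ibmr->uobject->context` where it previously went through `ibmr->pd->uobject->context`, and nothing in the hunk checks `ibmr->uobject` for NULL. If `usnic_ib_dereg_mr()` can be reached for an MR without a user object this faults; either document why that cannot happen or guard the dereference.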
diff --git a/drivers/infiniband/hw/usnic/usnic_uiom.c b/drivers/infiniband/hw/usnic/usnic_uiom.c
index 4381c0a9a873..9dd39daa602b 100644
--- a/drivers/infiniband/hw/usnic/usnic_uiom.c
+++ b/drivers/infiniband/hw/usnic/usnic_uiom.c
@@ -41,6 +41,7 @@
 #include <linux/workqueue.h>
 #include <linux/list.h>
 #include <linux/pci.h>
+#include <rdma/ib_verbs.h>
 
 #include "usnic_log.h"
 #include "usnic_uiom.h"
@@ -88,7 +89,7 @@ static void usnic_uiom_put_pages(struct list_head *chunk_list, int dirty)
 		for_each_sg(chunk->page_list, sg, chunk->nents, i) {
 			page = sg_page(sg);
 			pa = sg_phys(sg);
-			if (dirty)
+			if (!PageDirty(page) && dirty)
 				set_page_dirty_lock(page);
 			put_page(page);
 			usnic_dbg("pa: %pa\n", &pa);
@@ -114,6 +115,16 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable,
 	dma_addr_t pa;
 	unsigned int gup_flags;
 
+	/*
+	 * If the combination of the addr and size requested for this memory
+	 * region causes an integer overflow, return error.
+	 */
+	if (((addr + size) < addr) || PAGE_ALIGN(addr + size) < (addr + size))
+		return -EINVAL;
+
+	if (!size)
+		return -EINVAL;
+
 	if (!can_do_mlock())
 		return -EPERM;
 
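Review bot: the added comment covers only the overflow test; the `if (!size)` rejection below it is undocumented, and the possibly wrapped sum `addr + size` is computed three times in one condition. Hoisting the sum into a local and extending the comment to mention zero-length regions would make this validation easier to audit.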
@@ -127,7 +138,7 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable,
 
 	down_write(&current->mm->mmap_sem);
 
-	locked = npages + current->mm->locked_vm;
+	locked = npages + current->mm->pinned_vm;
 	lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
 
 	if ((locked > lock_limit) && !capable(CAP_IPC_LOCK)) {
@@ -143,7 +154,7 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable,
 	ret = 0;
 
 	while (npages) {
-		ret = get_user_pages(cur_base,
+		ret = get_user_pages_longterm(cur_base,
 					min_t(unsigned long, npages,
 					PAGE_SIZE / sizeof(struct page *)),
 					gup_flags, page_list, NULL);
@@ -186,7 +197,7 @@ out:
 	if (ret < 0)
 		usnic_uiom_put_pages(chunk_list, 0);
 	else
-		current->mm->locked_vm = locked;
+		current->mm->pinned_vm = locked;
 
 	up_write(&current->mm->mmap_sem);
 	free_page((unsigned long) page_list);
@@ -420,18 +431,22 @@ out_free_uiomr:
 	return ERR_PTR(err);
 }
 
-void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing)
+void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr,
+			    struct ib_ucontext *ucontext)
 {
+	struct task_struct *task;
 	struct mm_struct *mm;
 	unsigned long diff;
 
 	__usnic_uiom_reg_release(uiomr->pd, uiomr, 1);
 
-	mm = get_task_mm(current);
-	if (!mm) {
-		kfree(uiomr);
-		return;
-	}
+	task = get_pid_task(ucontext->tgid, PIDTYPE_PID);
+	if (!task)
+		goto out;
+	mm = get_task_mm(task);
+	put_task_struct(task);
+	if (!mm)
+		goto out;
 
 	diff = PAGE_ALIGN(uiomr->length + uiomr->offset) >> PAGE_SHIFT;
 
@@ -443,7 +458,7 @@ void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing)
 	 * up here and not be able to take the mmap_sem.  In that case
 	 * we defer the vm_locked accounting to the system workqueue.
 	 */
-	if (closing) {
+	if (ucontext->closing) {
 		if (!down_write_trylock(&mm->mmap_sem)) {
 			INIT_WORK(&uiomr->work, usnic_uiom_reg_account);
 			uiomr->mm = mm;
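Review bot: the surrounding hunks switch the accounting from `locked_vm` to `pinned_vm`, but the deferred path set up here with `INIT_WORK(&uiomr->work, usnic_uiom_reg_account)` is not touched by the patch, and the comment above still speaks of "vm_locked accounting". Check that `usnic_uiom_reg_account()` decrements the same counter, otherwise the trylock-failure path leaves `pinned_vm` inflated; the comment should be updated either way.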
@@ -455,9 +470,10 @@ void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing)
 	} else
 		down_write(&mm->mmap_sem);
 
-	current->mm->locked_vm -= diff;
+	mm->pinned_vm -= diff;
 	up_write(&mm->mmap_sem);
 	mmput(mm);
+out:
 	kfree(uiomr);
 }
 
diff --git a/drivers/infiniband/hw/usnic/usnic_uiom.h b/drivers/infiniband/hw/usnic/usnic_uiom.h
index 431efe4143f4..8c096acff123 100644
--- a/drivers/infiniband/hw/usnic/usnic_uiom.h
+++ b/drivers/infiniband/hw/usnic/usnic_uiom.h
@@ -39,6 +39,8 @@
 
 #include "usnic_uiom_interval_tree.h"
 
+struct ib_ucontext;
+
 #define USNIC_UIOM_READ			(1)
 #define USNIC_UIOM_WRITE		(2)
 
@@ -89,7 +91,8 @@ void usnic_uiom_free_dev_list(struct device **devs);
 struct usnic_uiom_reg *usnic_uiom_reg_get(struct usnic_uiom_pd *pd,
 						unsigned long addr, size_t size,
 						int access, int dmasync);
-void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing);
+void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr,
+			    struct ib_ucontext *ucontext);
 int usnic_uiom_init(char *drv_name);
 void usnic_uiom_fini(void);
 #endif /* USNIC_UIOM_H_ */
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread

* [PATCH 4.14 081/143] mmc: dw_mmc-rockchip: correct property names in debug
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 080/143] IB/usnic: Update with bug fixes from core code Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 082/143] MIPS: Workaround GCC __builtin_unreachable reordering bug Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Keeping, Robin Murphy,
	Shawn Lin, Ulf Hansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e988867fd774d00aeaf5d3c332032bf5b97a4147 ]

Following up the device tree fixed in commits e78c637127ee ("ARM: dts:
rockchip: Fix DWMMC clocks") and ca9eee95a2de ("arm64: dts: rockchip:
Fix DWMMC clocks", 2018-02-15), avoid confusion by using the correct
property name in the debug output if clocks are not found.

Signed-off-by: John Keeping <john@metanate.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/dw_mmc-rockchip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mmc/host/dw_mmc-rockchip.c b/drivers/mmc/host/dw_mmc-rockchip.c
index 339295212935..40d7de2eea12 100644
--- a/drivers/mmc/host/dw_mmc-rockchip.c
+++ b/drivers/mmc/host/dw_mmc-rockchip.c
@@ -282,11 +282,11 @@ static int dw_mci_rk3288_parse_dt(struct dw_mci *host)
 
 	priv->drv_clk = devm_clk_get(host->dev, "ciu-drive");
 	if (IS_ERR(priv->drv_clk))
-		dev_dbg(host->dev, "ciu_drv not available\n");
+		dev_dbg(host->dev, "ciu-drive not available\n");
 
 	priv->sample_clk = devm_clk_get(host->dev, "ciu-sample");
 	if (IS_ERR(priv->sample_clk))
-		dev_dbg(host->dev, "ciu_sample not available\n");
+		dev_dbg(host->dev, "ciu-sample not available\n");
 
 	host->priv = priv;
 
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread

* [PATCH 4.14 082/143] MIPS: Workaround GCC __builtin_unreachable reordering bug
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 081/143] mmc: dw_mmc-rockchip: correct property names in debug Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 083/143] lan78xx: Dont reset the interface on open Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Burton, James Hogan,
	Ralf Baechle, Arnd Bergmann, linux-mips, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 906d441febc0de974b2a6ef848a8f058f3bfada3 ]

Some versions of GCC for the MIPS architecture suffer from a bug which
can lead to instructions from beyond an unreachable statement being
incorrectly reordered into earlier branch delay slots if the unreachable
statement is the only content of a case in a switch statement. This can
lead to seemingly random behaviour, such as invalid memory accesses from
incorrectly reordered loads or stores, and link failures on microMIPS
builds.

See this potential GCC fix for details:

    https://gcc.gnu.org/ml/gcc-patches/2015-09/msg00360.html

Runtime problems resulting from this bug were initially observed using a
maltasmvp_defconfig v4.4 kernel built using GCC 4.9.2 (from a Codescape
SDK 2015.06-05 toolchain), with the result being an address exception
taken after log messages about the L1 caches (during probe of the L2
cache):

    Initmem setup node 0 [mem 0x0000000080000000-0x000000009fffffff]
    VPE topology {2,2} total 4
    Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
    Primary data cache 64kB, 4-way, PIPT, no aliases, linesize 32 bytes
    <AdEL exception here>

This is early enough that the kernel exception vectors are not in use,
so any further output depends upon the bootloader. This is reproducible
in QEMU where no further output occurs - ie. the system hangs here.
Given the nature of the bug it may potentially be hit with differing
symptoms. The bug is known to affect GCC versions as recent as 7.3, and
it is unclear whether GCC 8 fixed it or just happens not to encounter
the bug in the testcase found at the link above due to differing
optimizations.

This bug can be worked around by placing a volatile asm statement, which
GCC is prevented from reordering past, prior to the
__builtin_unreachable call.

That was actually done already for other reasons by commit 173a3efd3edb
("bug.h: work around GCC PR82365 in BUG()"), but creates problems for
microMIPS builds due to the lack of a .insn directive. The microMIPS ISA
allows for interlinking with regular MIPS32 code by repurposing bit 0 of
the program counter as an ISA mode bit. To switch modes one changes the
value of this bit in the PC. However typical branch instructions encode
their offsets as multiples of 2-byte instruction halfwords, which means
they cannot change ISA mode - this must be done using either an indirect
branch (a jump-register in MIPS terminology) or a dedicated jalx
instruction. In order to ensure that regular branches don't attempt to
target code in a different ISA which they can't actually switch to, the
linker will check that branch targets are code in the same ISA as the
branch.

Unfortunately our empty asm volatile statements don't qualify as code,
and the link for microMIPS builds fails with errors such as:

    arch/mips/mm/dma-default.s:3265: Error: branch to a symbol in another ISA mode
    arch/mips/mm/dma-default.s:5027: Error: branch to a symbol in another ISA mode

Resolve this by adding a .insn directive within the asm statement which
declares that what comes next is code. This may or may not be true,
since we don't really know what comes next, but as this code is in an
unreachable path anyway that doesn't matter since we won't execute it.

We do this in asm/compiler.h & select CONFIG_HAVE_ARCH_COMPILER_H in
order to have this included by linux/compiler_types.h after
linux/compiler-gcc.h. This will result in asm/compiler.h being included
in all C compilations via the -include linux/compiler_types.h argument
in c_flags, which should be harmless.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: 173a3efd3edb ("bug.h: work around GCC PR82365 in BUG()")
Patchwork: https://patchwork.linux-mips.org/patch/20270/
Cc: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: linux-mips@linux-mips.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/Kconfig                |  1 +
 arch/mips/include/asm/compiler.h | 35 ++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index c82457b0e733..23e3d3e0ee5b 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -29,6 +29,7 @@ config MIPS
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HANDLE_DOMAIN_IRQ
+	select HAVE_ARCH_COMPILER_H
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_MMAP_RND_BITS if MMU
diff --git a/arch/mips/include/asm/compiler.h b/arch/mips/include/asm/compiler.h
index e081a265f422..cc2eb1b06050 100644
--- a/arch/mips/include/asm/compiler.h
+++ b/arch/mips/include/asm/compiler.h
@@ -8,6 +8,41 @@
 #ifndef _ASM_COMPILER_H
 #define _ASM_COMPILER_H
 
+/*
+ * With GCC 4.5 onwards we can use __builtin_unreachable to indicate to the
+ * compiler that a particular code path will never be hit. This allows it to be
+ * optimised out of the generated binary.
+ *
+ * Unfortunately at least GCC 4.6.3 through 7.3.0 inclusive suffer from a bug
+ * that can lead to instructions from beyond an unreachable statement being
+ * incorrectly reordered into earlier delay slots if the unreachable statement
+ * is the only content of a case in a switch statement. This can lead to
+ * seemingly random behaviour, such as invalid memory accesses from incorrectly
+ * reordered loads or stores. See this potential GCC fix for details:
+ *
+ *   https://gcc.gnu.org/ml/gcc-patches/2015-09/msg00360.html
+ *
+ * It is unclear whether GCC 8 onwards suffer from the same issue - nothing
+ * relevant is mentioned in GCC 8 release notes and nothing obviously relevant
+ * stands out in GCC commit logs, but these newer GCC versions generate very
+ * different code for the testcase which doesn't exhibit the bug.
+ *
+ * GCC also handles stack allocation suboptimally when calling noreturn
+ * functions or calling __builtin_unreachable():
+ *
+ *   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365
+ *
+ * We work around both of these issues by placing a volatile asm statement,
+ * which GCC is prevented from reordering past, prior to __builtin_unreachable
+ * calls.
+ *
+ * The .insn statement is required to ensure that any branches to the
+ * statement, which sadly must be kept due to the asm statement, are known to
+ * be branches to code and satisfy linker requirements for microMIPS kernels.
+ */
+#undef barrier_before_unreachable
+#define barrier_before_unreachable() asm volatile(".insn")
+
 #if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
 #define GCC_IMM_ASM() "n"
 #define GCC_REG_ACCUM "$0"
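Review bot: The `#undef barrier_before_unreachable` ahead of the new define only takes effect if this header is pulled in after linux/compiler-gcc.h has supplied the generic definition, and the long comment never says so. The commit message states that ordering, but a reader of asm/compiler.h will not see it; add a sentence to the comment noting that inclusion from linux/compiler_types.h after linux/compiler-gcc.h is what makes the #undef/#define pair work. The override also applies to every MIPS build rather than only microMIPS ones; if that is intentional, the comment should say so.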
-- 
2.17.1





* [PATCH 4.14 083/143] lan78xx: Dont reset the interface on open
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 082/143] MIPS: Workaround GCC __builtin_unreachable reordering bug Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 084/143] enic: do not overwrite error code Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Elwell, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 47b998653fea4ef69e3e89574956386f262bccca ]

Commit 92571a1aae40 ("lan78xx: Connect phy early") moves the PHY
initialisation into lan78xx_probe, but lan78xx_open subsequently calls
lan78xx_reset. As well as forcing a second round of link negotiation,
this reset frequently prevents the phy interrupt from being generated
(even though the link is up), rendering the interface unusable.

Fix this issue by removing the lan78xx_reset call from lan78xx_open.

Fixes: 92571a1aae40 ("lan78xx: Connect phy early")
Signed-off-by: Phil Elwell <phil@raspberrypi.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/lan78xx.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -2508,10 +2508,6 @@ static int lan78xx_open(struct net_devic
 	if (ret < 0)
 		goto out;
 
-	ret = lan78xx_reset(dev);
-	if (ret < 0)
-		goto done;
-
 	phy_start(net->phydev);
 
 	netif_dbg(dev, ifup, dev->net, "phy initialised successfully");
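Review bot: With the lan78xx_reset() call gone, the netif_dbg() text "phy initialised successfully" after phy_start() no longer describes what lan78xx_open() does, since the commit message says PHY initialisation now happens in lan78xx_probe. Consider rewording the message. The removed block jumped to `done` while the check above it jumps to `out`, so also confirm that the `done` label still has a user after this change and does not produce an unused-label warning.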




* [PATCH 4.14 084/143] enic: do not overwrite error code
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 083/143] lan78xx: Dont reset the interface on open Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 085/143] iio: buffer: fix the function signature to match implementation Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings,
	Govindarajulu Varadarajan, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 56f772279a762984f6e9ebbf24a7c829faba5712 ]

In failure path, we overwrite err to what vnic_rq_disable() returns. In
case it returns 0, enic_open() returns success in case of error.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Fixes: e8588e268509 ("enic: enable rq before updating rq descriptors")
Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cisco/enic/enic_main.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
index 2bfaf3e118b1..03f4fee1bbc9 100644
--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -1879,7 +1879,7 @@ static int enic_open(struct net_device *netdev)
 {
 	struct enic *enic = netdev_priv(netdev);
 	unsigned int i;
-	int err;
+	int err, ret;
 
 	err = enic_request_intr(enic);
 	if (err) {
@@ -1936,10 +1936,9 @@ static int enic_open(struct net_device *netdev)
 
 err_out_free_rq:
 	for (i = 0; i < enic->rq_count; i++) {
-		err = vnic_rq_disable(&enic->rq[i]);
-		if (err)
-			return err;
-		vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
+		ret = vnic_rq_disable(&enic->rq[i]);
+		if (!ret)
+			vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
 	}
 	enic_dev_notify_unset(enic);
 err_out_free_intr:
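Review bot: In the err_out_free_rq loop a non-zero return from vnic_rq_disable() is now dropped silently: vnic_rq_clean() is skipped for that queue and nothing is logged, so the buffers of a queue that failed to disable are never handed to enic_free_rq_buf and the log gives no hint why. Preserving the original `err` is the right fix, but consider logging the failure with the queue index, or adding a comment explaining why a queue that could not be disabled must not be cleaned. `ret` is only used inside this loop, so it could be declared there instead of next to `err` at function scope.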
-- 
2.17.1





* [PATCH 4.14 085/143] iio: buffer: fix the function signature to match implementation
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 084/143] enic: do not overwrite error code Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 086/143] selftests/powerpc: Add ptrace hw breakpoint test Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Reid, Jonathan Cameron, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 92397a6c38d139d50fabbe9e2dc09b61d53b2377 ]

linux/iio/buffer-dma.h was not updated when length was changed to
unsigned int.

Fixes: c043ec1ca5ba ("iio:buffer: make length types match kfifo types")
Signed-off-by: Phil Reid <preid@electromag.com.au>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/iio/buffer-dma.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/iio/buffer-dma.h b/include/linux/iio/buffer-dma.h
index 767467d886de..67c75372b691 100644
--- a/include/linux/iio/buffer-dma.h
+++ b/include/linux/iio/buffer-dma.h
@@ -141,7 +141,7 @@ int iio_dma_buffer_read(struct iio_buffer *buffer, size_t n,
 	char __user *user_buffer);
 size_t iio_dma_buffer_data_available(struct iio_buffer *buffer);
 int iio_dma_buffer_set_bytes_per_datum(struct iio_buffer *buffer, size_t bpd);
-int iio_dma_buffer_set_length(struct iio_buffer *buffer, int length);
+int iio_dma_buffer_set_length(struct iio_buffer *buffer, unsigned int length);
 int iio_dma_buffer_request_update(struct iio_buffer *buffer);
 
 int iio_dma_buffer_init(struct iio_dma_buffer_queue *queue,
-- 
2.17.1




^ permalink raw reply related	[flat|nested] 166+ messages in thread

* [PATCH 4.14 086/143] selftests/powerpc: Add ptrace hw breakpoint test
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 085/143] iio: buffer: fix the function signature to match implementation Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 087/143] scsi: ibmvfc: Avoid unnecessary port relogin Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Neuling, Michael Ellerman,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9c2ddfe55c42bf4b9bc336a0650ab78f9222a159 ]

This tests the ptrace hw breakpoints via PTRACE_SET_DEBUGREG and
PPC_PTRACE_SETHWDEBUG.  This test was used to find the bugs fixed by
these recent commits:

  4f7c06e26e powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
  cd6ef7eebf powerpc/ptrace: Fix enforcement of DAWR constraints

Signed-off-by: Michael Neuling <mikey@neuling.org>
[mpe: Add SPDX tag, clang format it]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/powerpc/ptrace/.gitignore       |   1 +
 .../testing/selftests/powerpc/ptrace/Makefile |   2 +-
 .../selftests/powerpc/ptrace/ptrace-hwbreak.c | 342 ++++++++++++++++++
 3 files changed, 344 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c

diff --git a/tools/testing/selftests/powerpc/ptrace/.gitignore b/tools/testing/selftests/powerpc/ptrace/.gitignore
index 349acfafc95b..9dcc16ea8179 100644
--- a/tools/testing/selftests/powerpc/ptrace/.gitignore
+++ b/tools/testing/selftests/powerpc/ptrace/.gitignore
@@ -8,3 +8,4 @@ ptrace-vsx
 ptrace-tm-vsx
 ptrace-tm-spd-vsx
 ptrace-tm-spr
+ptrace-hwbreak
diff --git a/tools/testing/selftests/powerpc/ptrace/Makefile b/tools/testing/selftests/powerpc/ptrace/Makefile
index 480305266504..0e2f4601d1a8 100644
--- a/tools/testing/selftests/powerpc/ptrace/Makefile
+++ b/tools/testing/selftests/powerpc/ptrace/Makefile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 TEST_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \
               ptrace-tar ptrace-tm-tar ptrace-tm-spd-tar ptrace-vsx ptrace-tm-vsx \
-              ptrace-tm-spd-vsx ptrace-tm-spr
+              ptrace-tm-spd-vsx ptrace-tm-spr ptrace-hwbreak
 
 include ../../lib.mk
 
diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c b/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c
new file mode 100644
index 000000000000..3066d310f32b
--- /dev/null
+++ b/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c
@@ -0,0 +1,342 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/*
+ * Ptrace test for hw breakpoints
+ *
+ * Based on tools/testing/selftests/breakpoints/breakpoint_test.c
+ *
+ * This test forks and the parent then traces the child doing various
+ * types of ptrace enabled breakpoints
+ *
+ * Copyright (C) 2018 Michael Neuling, IBM Corporation.
+ */
+
+#include <sys/ptrace.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <sys/user.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include "ptrace.h"
+
+/* Breakpoint access modes */
+enum {
+	BP_X = 1,
+	BP_RW = 2,
+	BP_W = 4,
+};
+
+static pid_t child_pid;
+static struct ppc_debug_info dbginfo;
+
+static void get_dbginfo(void)
+{
+	int ret;
+
+	ret = ptrace(PPC_PTRACE_GETHWDBGINFO, child_pid, NULL, &dbginfo);
+	if (ret) {
+		perror("Can't get breakpoint info\n");
+		exit(-1);
+	}
+}
+
+static bool hwbreak_present(void)
+{
+	return (dbginfo.num_data_bps != 0);
+}
+
+static bool dawr_present(void)
+{
+	return !!(dbginfo.features & PPC_DEBUG_FEATURE_DATA_BP_DAWR);
+}
+
+static void set_breakpoint_addr(void *addr)
+{
+	int ret;
+
+	ret = ptrace(PTRACE_SET_DEBUGREG, child_pid, 0, addr);
+	if (ret) {
+		perror("Can't set breakpoint addr\n");
+		exit(-1);
+	}
+}
+
+static int set_hwbreakpoint_addr(void *addr, int range)
+{
+	int ret;
+
+	struct ppc_hw_breakpoint info;
+
+	info.version = 1;
+	info.trigger_type = PPC_BREAKPOINT_TRIGGER_RW;
+	info.addr_mode = PPC_BREAKPOINT_MODE_EXACT;
+	if (range > 0)
+		info.addr_mode = PPC_BREAKPOINT_MODE_RANGE_INCLUSIVE;
+	info.condition_mode = PPC_BREAKPOINT_CONDITION_NONE;
+	info.addr = (__u64)addr;
+	info.addr2 = (__u64)addr + range;
+	info.condition_value = 0;
+
+	ret = ptrace(PPC_PTRACE_SETHWDEBUG, child_pid, 0, &info);
+	if (ret < 0) {
+		perror("Can't set breakpoint\n");
+		exit(-1);
+	}
+	return ret;
+}
+
+static int del_hwbreakpoint_addr(int watchpoint_handle)
+{
+	int ret;
+
+	ret = ptrace(PPC_PTRACE_DELHWDEBUG, child_pid, 0, watchpoint_handle);
+	if (ret < 0) {
+		perror("Can't delete hw breakpoint\n");
+		exit(-1);
+	}
+	return ret;
+}
+
+#define DAWR_LENGTH_MAX 512
+
+/* Dummy variables to test read/write accesses */
+static unsigned long long
+	dummy_array[DAWR_LENGTH_MAX / sizeof(unsigned long long)]
+	__attribute__((aligned(512)));
+static unsigned long long *dummy_var = dummy_array;
+
+static void write_var(int len)
+{
+	long long *plval;
+	char *pcval;
+	short *psval;
+	int *pival;
+
+	switch (len) {
+	case 1:
+		pcval = (char *)dummy_var;
+		*pcval = 0xff;
+		break;
+	case 2:
+		psval = (short *)dummy_var;
+		*psval = 0xffff;
+		break;
+	case 4:
+		pival = (int *)dummy_var;
+		*pival = 0xffffffff;
+		break;
+	case 8:
+		plval = (long long *)dummy_var;
+		*plval = 0xffffffffffffffffLL;
+		break;
+	}
+}
+
+static void read_var(int len)
+{
+	char cval __attribute__((unused));
+	short sval __attribute__((unused));
+	int ival __attribute__((unused));
+	long long lval __attribute__((unused));
+
+	switch (len) {
+	case 1:
+		cval = *(char *)dummy_var;
+		break;
+	case 2:
+		sval = *(short *)dummy_var;
+		break;
+	case 4:
+		ival = *(int *)dummy_var;
+		break;
+	case 8:
+		lval = *(long long *)dummy_var;
+		break;
+	}
+}
+
+/*
+ * Do the r/w accesses to trigger the breakpoints. And run
+ * the usual traps.
+ */
+static void trigger_tests(void)
+{
+	int len, ret;
+
+	ret = ptrace(PTRACE_TRACEME, 0, NULL, 0);
+	if (ret) {
+		perror("Can't be traced?\n");
+		return;
+	}
+
+	/* Wake up father so that it sets up the first test */
+	kill(getpid(), SIGUSR1);
+
+	/* Test write watchpoints */
+	for (len = 1; len <= sizeof(long); len <<= 1)
+		write_var(len);
+
+	/* Test read/write watchpoints (on read accesses) */
+	for (len = 1; len <= sizeof(long); len <<= 1)
+		read_var(len);
+
+	/* Test when breakpoint is unset */
+
+	/* Test write watchpoints */
+	for (len = 1; len <= sizeof(long); len <<= 1)
+		write_var(len);
+
+	/* Test read/write watchpoints (on read accesses) */
+	for (len = 1; len <= sizeof(long); len <<= 1)
+		read_var(len);
+}
+
+static void check_success(const char *msg)
+{
+	const char *msg2;
+	int status;
+
+	/* Wait for the child to SIGTRAP */
+	wait(&status);
+
+	msg2 = "Failed";
+
+	if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
+		msg2 = "Child process hit the breakpoint";
+	}
+
+	printf("%s Result: [%s]\n", msg, msg2);
+}
+
+static void launch_watchpoints(char *buf, int mode, int len,
+			       struct ppc_debug_info *dbginfo, bool dawr)
+{
+	const char *mode_str;
+	unsigned long data = (unsigned long)(dummy_var);
+	int wh, range;
+
+	data &= ~0x7UL;
+
+	if (mode == BP_W) {
+		data |= (1UL << 1);
+		mode_str = "write";
+	} else {
+		data |= (1UL << 0);
+		data |= (1UL << 1);
+		mode_str = "read";
+	}
+
+	/* Set DABR_TRANSLATION bit */
+	data |= (1UL << 2);
+
+	/* use PTRACE_SET_DEBUGREG breakpoints */
+	set_breakpoint_addr((void *)data);
+	ptrace(PTRACE_CONT, child_pid, NULL, 0);
+	sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len);
+	check_success(buf);
+	/* Unregister hw brkpoint */
+	set_breakpoint_addr(NULL);
+
+	data = (data & ~7); /* remove dabr control bits */
+
+	/* use PPC_PTRACE_SETHWDEBUG breakpoint */
+	if (!(dbginfo->features & PPC_DEBUG_FEATURE_DATA_BP_RANGE))
+		return; /* not supported */
+	wh = set_hwbreakpoint_addr((void *)data, 0);
+	ptrace(PTRACE_CONT, child_pid, NULL, 0);
+	sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len);
+	check_success(buf);
+	/* Unregister hw brkpoint */
+	del_hwbreakpoint_addr(wh);
+
+	/* try a wider range */
+	range = 8;
+	if (dawr)
+		range = 512 - ((int)data & (DAWR_LENGTH_MAX - 1));
+	wh = set_hwbreakpoint_addr((void *)data, range);
+	ptrace(PTRACE_CONT, child_pid, NULL, 0);
+	sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len);
+	check_success(buf);
+	/* Unregister hw brkpoint */
+	del_hwbreakpoint_addr(wh);
+}
+
+/* Set the breakpoints and check the child successfully trigger them */
+static int launch_tests(bool dawr)
+{
+	char buf[1024];
+	int len, i, status;
+
+	struct ppc_debug_info dbginfo;
+
+	i = ptrace(PPC_PTRACE_GETHWDBGINFO, child_pid, NULL, &dbginfo);
+	if (i) {
+		perror("Can't set breakpoint info\n");
+		exit(-1);
+	}
+	if (!(dbginfo.features & PPC_DEBUG_FEATURE_DATA_BP_RANGE))
+		printf("WARNING: Kernel doesn't support PPC_PTRACE_SETHWDEBUG\n");
+
+	/* Write watchpoint */
+	for (len = 1; len <= sizeof(long); len <<= 1)
+		launch_watchpoints(buf, BP_W, len, &dbginfo, dawr);
+
+	/* Read-Write watchpoint */
+	for (len = 1; len <= sizeof(long); len <<= 1)
+		launch_watchpoints(buf, BP_RW, len, &dbginfo, dawr);
+
+	ptrace(PTRACE_CONT, child_pid, NULL, 0);
+
+	/*
+	 * Now we have unregistered the breakpoint, access by child
+	 * should not cause SIGTRAP.
+	 */
+
+	wait(&status);
+
+	if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
+		printf("FAIL: Child process hit the breakpoint, which is not expected\n");
+		ptrace(PTRACE_CONT, child_pid, NULL, 0);
+		return TEST_FAIL;
+	}
+
+	if (WIFEXITED(status))
+		printf("Child exited normally\n");
+
+	return TEST_PASS;
+}
+
+static int ptrace_hwbreak(void)
+{
+	pid_t pid;
+	int ret;
+	bool dawr;
+
+	pid = fork();
+	if (!pid) {
+		trigger_tests();
+		return 0;
+	}
+
+	wait(NULL);
+
+	child_pid = pid;
+
+	get_dbginfo();
+	SKIP_IF(!hwbreak_present());
+	dawr = dawr_present();
+
+	ret = launch_tests(dawr);
+
+	wait(NULL);
+
+	return ret;
+}
+
+int main(int argc, char **argv, char **envp)
+{
+	return test_harness(ptrace_hwbreak, "ptrace-hwbreak");
+}
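Review bot: check_success() only prints "Failed" when the child does not stop with SIGTRAP and returns nothing, so launch_watchpoints() and launch_tests() carry on and the test can still return TEST_PASS after an expected breakpoint was missed. Have check_success() return a status and fold it into the value launch_tests() returns. Smaller points: the `len` argument of launch_watchpoints() is used only in the sprintf() message, so every iteration arms the same breakpoint; launch_tests() declares a local `dbginfo` that shadows the file-scope one already filled by get_dbginfo(), and its perror() text says "set" for a PPC_PTRACE_GETHWDBGINFO call; the perror() strings end in "\n", which pushes the errno text onto a separate line.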
-- 
2.17.1





* [PATCH 4.14 087/143] scsi: ibmvfc: Avoid unnecessary port relogin
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 086/143] selftests/powerpc: Add ptrace hw breakpoint test Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 088/143] scsi: sd: Remember that READ CAPACITY(16) succeeded Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian King, Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 09dd15e0d9547ca424de4043bcd429bab6f285c8 ]

Following an RSCN, ibmvfc will issue an ADISC to determine if the
underlying target has changed, comparing the SCSI ID, WWPN, and WWNN to
determine how to handle the rport in discovery. However, the comparison
of the WWPN and WWNN was performing a memcmp between a big endian field
against a CPU endian field, which resulted in the wrong answer on LE
systems. This was observed as unexpected errors getting logged at boot
time as targets were getting relogins when not needed.

Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ibmvscsi/ibmvfc.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index b491af31a5f8..a06b24a61622 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -3580,11 +3580,9 @@ static void ibmvfc_tgt_implicit_logout(struct ibmvfc_target *tgt)
 static int ibmvfc_adisc_needs_plogi(struct ibmvfc_passthru_mad *mad,
 				    struct ibmvfc_target *tgt)
 {
-	if (memcmp(&mad->fc_iu.response[2], &tgt->ids.port_name,
-		   sizeof(tgt->ids.port_name)))
+	if (wwn_to_u64((u8 *)&mad->fc_iu.response[2]) != tgt->ids.port_name)
 		return 1;
-	if (memcmp(&mad->fc_iu.response[4], &tgt->ids.node_name,
-		   sizeof(tgt->ids.node_name)))
+	if (wwn_to_u64((u8 *)&mad->fc_iu.response[4]) != tgt->ids.node_name)
 		return 1;
 	if (be32_to_cpu(mad->fc_iu.response[6]) != tgt->scsi_id)
 		return 1;
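Review bot: The indices 2, 4 and 6 into mad->fc_iu.response[] and the `(u8 *)` casts in ibmvfc_adisc_needs_plogi() are left unexplained, so the reader has to work out the byte order of each side again. A short comment naming the three ADISC response fields being compared (WWPN, WWNN, SCSI ID) and stating that the response is big endian while the tgt fields are CPU endian would make it clear why two comparisons go through wwn_to_u64() and the third through be32_to_cpu().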
-- 
2.17.1





* [PATCH 4.14 088/143] scsi: sd: Remember that READ CAPACITY(16) succeeded
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 087/143] scsi: ibmvfc: Avoid unnecessary port relogin Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 089/143] btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Menion, Laurence Oberman,
	Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 597d74005ba85e87c256cd732128ebf7faf54247 ]

The USB storage glue sets the try_rc_10_first flag in an attempt to
avoid wedging poorly implemented legacy USB devices.

If the device capacity is too large to be expressed in the provided
response buffer field of READ CAPACITY(10), a well-behaved device will
set the reported capacity to 0xFFFFFFFF. We will then attempt to issue a
READ CAPACITY(16) to obtain the real capacity.

Since this part of the discovery logic is not covered by the first_scan
flag, a warning will be printed a couple of times per revalidate
attempt if we upgrade from READ CAPACITY(10) to READ CAPACITY(16).

Remember that we have successfully issued READ CAPACITY(16) so we can
take the fast path on subsequent revalidate attempts.

Reported-by: Menion <menion@gmail.com>
Reviewed-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/sd.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2498,6 +2498,8 @@ sd_read_capacity(struct scsi_disk *sdkp,
 				sector_size = old_sector_size;
 				goto got_data;
 			}
+			/* Remember that READ CAPACITY(16) succeeded */
+			sdp->try_rc_10_first = 0;
 		}
 	}
 




* [PATCH 4.14 089/143] btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 088/143] scsi: sd: Remember that READ CAPACITY(16) succeeded Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 090/143] net: phy: phylink: Dont release NULL GPIO Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Misono Tomohiro, Qu Wenruo,
	David Sterba, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6f7de19ed3d4d3526ca5eca428009f97cf969c2f ]

Commit ff3d27a048d9 ("btrfs: qgroup: Finish rescan when hit the last leaf
of extent tree") added a new exit for rescan finish.

However after finishing quota rescan, we set
fs_info->qgroup_rescan_progress to (u64)-1 before we exit through the
original exit path.
While we missed that assignment of (u64)-1 in the new exit path.

The end result is, the quota status item doesn't have the same value.
(-1 vs the last bytenr + 1)
Although it doesn't affect quota accounting, it's still better to keep
the original behavior.

Reported-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
Fixes: ff3d27a048d9 ("btrfs: qgroup: Finish rescan when hit the last leaf of extent tree")
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/qgroup.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 473ad5985aa3..47dec283628d 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -2603,8 +2603,10 @@ out:
 	}
 	btrfs_put_tree_mod_seq(fs_info, &tree_mod_seq_elem);
 
-	if (done && !ret)
+	if (done && !ret) {
 		ret = 1;
+		fs_info->qgroup_rescan_progress.objectid = (u64)-1;
+	}
 	return ret;
 }
 
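Review bot: Only the `.objectid` member of fs_info->qgroup_rescan_progress is set to (u64)-1 in the `done && !ret` branch, while the commit message speaks of setting qgroup_rescan_progress itself and of matching the original exit path. Confirm that the other members of the key end up with the same values here as on the original path, or add a comment saying why objectid alone is enough for the status item to match.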
-- 
2.17.1





* [PATCH 4.14 090/143] net: phy: phylink: Dont release NULL GPIO
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 089/143] btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 091/143] x86/paravirt: Fix some warning messages Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Andrew Lunn,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 3bcd47726c3b744fd08781795cca905cc59a1382 ]

If CONFIG_GPIOLIB is disabled, gpiod_put() becomes a stub that produces a
warning, this helped identify that we could be attempting to release a NULL
pl->link_gpio GPIO descriptor, so guard against that.

Fixes: daab3349ad1a ("net: phy: phylink: Release link GPIO")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/phylink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
index e4a6ed88b9cf..79f28b9186c6 100644
--- a/drivers/net/phy/phylink.c
+++ b/drivers/net/phy/phylink.c
@@ -561,7 +561,7 @@ void phylink_destroy(struct phylink *pl)
 {
 	if (pl->sfp_bus)
 		sfp_unregister_upstream(pl->sfp_bus);
-	if (!IS_ERR(pl->link_gpio))
+	if (!IS_ERR_OR_NULL(pl->link_gpio))
 		gpiod_put(pl->link_gpio);
 
 	cancel_work_sync(&pl->resolve);
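Review bot: The check before gpiod_put() in phylink_destroy() now has to cover both an error pointer and NULL in pl->link_gpio, which means the field can hold three kinds of value for its whole lifetime. It would be more robust to normalise the descriptor to NULL at the point where it is acquired when the lookup fails, so that teardown and every other reader need only a plain NULL test. If both states are kept on purpose, a comment on the field saying so would help.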
-- 
2.17.1





* [PATCH 4.14 091/143] x86/paravirt: Fix some warning messages
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 090/143] net: phy: phylink: Dont release NULL GPIO Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 092/143] net: stmmac: mark PM functions as __maybe_unused Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Thomas Gleixner,
	Juergen Gross, Peter Zijlstra, Alok Kataria, H. Peter Anvin,
	virtualization, kernel-janitors, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 571d0563c8881595f4ab027aef9ed1c55e3e7b7c ]

The first argument to WARN_ONCE() is a condition.

Fixes: 5800dc5c19f3 ("x86/paravirt: Fix spectre-v2 mitigations for paravirt guests")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Juergen Gross <jgross@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Alok Kataria <akataria@vmware.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: virtualization@lists.linux-foundation.org
Cc: kernel-janitors@vger.kernel.org
Link: https://lkml.kernel.org/r/20180919103553.GD9238@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/paravirt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
index f3559b84cd75..04da826381c9 100644
--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
@@ -90,7 +90,7 @@ unsigned paravirt_patch_call(void *insnbuf,
 
 	if (len < 5) {
 #ifdef CONFIG_RETPOLINE
-		WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr);
+		WARN_ONCE(1, "Failing to patch indirect CALL in %ps\n", (void *)addr);
 #endif
 		return len;	/* call too long for patch site */
 	}
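Review bot: WARN_ONCE() in the `len < 5` branch of paravirt_patch_call() reports the first failing site only, so when several indirect CALLs cannot be patched under CONFIG_RETPOLINE just one address from %ps reaches the log. Since the Fixes tag ties this code to the spectre-v2 mitigations, consider reporting later failing sites as well, for example at a lower log level, so that the boot log shows every site that was left unpatched.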
@@ -110,7 +110,7 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target,
 
 	if (len < 5) {
 #ifdef CONFIG_RETPOLINE
-		WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr);
+		WARN_ONCE(1, "Failing to patch indirect JMP in %ps\n", (void *)addr);
 #endif
 		return len;	/* call too long for patch site */
 	}
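Review bot: The comment on `return len;` in paravirt_patch_jmp() still reads "call too long for patch site", which looks copied from paravirt_patch_call(). Since the WARN_ONCE() line directly above is being touched, correct the comment to refer to the jmp so the two functions do not read as duplicates of each other.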
-- 
2.17.1





* [PATCH 4.14 092/143] net: stmmac: mark PM functions as __maybe_unused
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 091/143] x86/paravirt: Fix some warning messages Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 093/143] kconfig: fix the rule of mainmenu_stmt symbol Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 81a8b0799632627b587af31ecd06112397e4ec36 ]

The newly added suspend/resume functions cause a build warning
when CONFIG_PM is disabled:

drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c:324:12: error: 'stmmac_pci_resume' defined but not used [-Werror=unused-function]
drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c:306:12: error: 'stmmac_pci_suspend' defined but not used [-Werror=unused-function]

Mark them as __maybe_unused so gcc can drop them silently.

Fixes: b7d0f08e9129 ("net: stmmac: Fix WoL for PCI-based setups")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
index 6a393b16a1fc..c54a50dbd5ac 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
@@ -303,7 +303,7 @@ static void stmmac_pci_remove(struct pci_dev *pdev)
 	pci_disable_device(pdev);
 }
 
-static int stmmac_pci_suspend(struct device *dev)
+static int __maybe_unused stmmac_pci_suspend(struct device *dev)
 {
 	struct pci_dev *pdev = to_pci_dev(dev);
 	int ret;
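Review bot: `__maybe_unused` on stmmac_pci_suspend() silences -Wunused-function in every configuration, not only when CONFIG_PM is disabled, so a later change that drops the last reference to these callbacks would no longer be flagged by the compiler. That trade-off is usually preferred over `#ifdef CONFIG_PM` blocks, but it deserves a word in the changelog; the same applies to stmmac_pci_resume() in the next hunk.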
@@ -321,7 +321,7 @@ static int stmmac_pci_suspend(struct device *dev)
 	return 0;
 }
 
-static int stmmac_pci_resume(struct device *dev)
+static int __maybe_unused stmmac_pci_resume(struct device *dev)
 {
 	struct pci_dev *pdev = to_pci_dev(dev);
 	int ret;
-- 
2.17.1





* [PATCH 4.14 093/143] kconfig: fix the rule of mainmenu_stmt symbol
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 092/143] net: stmmac: mark PM functions as __maybe_unused Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 094/143] libertas: call into generic suspend code before turning off power Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 56869d45e364244a721de34ce9c5dc9ed022779e ]

The rule of mainmenu_stmt does not have debug print of zconf_lineno(),
but if it had, it would print a wrong line number for the same reason
as commit b2d00d7c61c8 ("kconfig: fix line numbers for if-entries in
menu tree").

The mainmenu_stmt does not need to eat following empty lines because
they are reduced to common_stmt.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/kconfig/zconf.y | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/kconfig/zconf.y b/scripts/kconfig/zconf.y
index 126e3f2e1ed7..2b0adeb5fc42 100644
--- a/scripts/kconfig/zconf.y
+++ b/scripts/kconfig/zconf.y
@@ -31,7 +31,7 @@ struct symbol *symbol_hash[SYMBOL_HASHSIZE];
 static struct menu *current_menu, *current_entry;
 
 %}
-%expect 31
+%expect 30
 
 %union
 {
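Review bot: the `%expect 31` to `%expect 30` change is not mentioned in the commit message. It presumably follows from replacing `nl` with `T_EOL` in mainmenu_stmt in the next hunk, and the two have to land together; one sentence saying that the grammar change removes an expected conflict would make the new count auditable.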
@@ -112,7 +112,7 @@ start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list;
 
 /* mainmenu entry */
 
-mainmenu_stmt: T_MAINMENU prompt nl
+mainmenu_stmt: T_MAINMENU prompt T_EOL
 {
 	menu_add_prompt(P_MENU, $2, NULL);
 };
-- 
2.17.1





* [PATCH 4.14 094/143] libertas: call into generic suspend code before turning off power
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 093/143] kconfig: fix the rule of mainmenu_stmt symbol Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 095/143] perf tests: Fix indexing when invoking subtests Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Mack, Ulf Hansson, Kalle Valo,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4f666675cdff0b986195413215eb062b7da6586f ]

When powering down a SDIO connected card during suspend, make sure to call
into the generic lbs_suspend() function before pulling the plug. This will
make sure the card is successfully deregistered from the system to avoid
communication to the card starving out.

Fixes: 7444a8092906 ("libertas: fix suspend and resume for SDIO connected cards")
Signed-off-by: Daniel Mack <daniel@zonque.org>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/marvell/libertas/if_sdio.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c
index 43743c26c071..39bf85d0ade0 100644
--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
+++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
@@ -1317,6 +1317,10 @@ static int if_sdio_suspend(struct device *dev)
 	if (priv->wol_criteria == EHS_REMOVE_WAKEUP) {
 		dev_info(dev, "Suspend without wake params -- powering down card\n");
 		if (priv->fw_ready) {
+			ret = lbs_suspend(priv);
+			if (ret)
+				return ret;
+
 			priv->power_up_on_resume = true;
 			if_sdio_power_off(card);
 		}
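Review bot: the new `return ret;` after a failed lbs_suspend() leaves if_sdio_suspend() before `priv->power_up_on_resume = true` and if_sdio_power_off(card), so the card stays powered and the suspend is aborted; please confirm that this is the intended outcome rather than powering off anyway. The patch is also 4 insertions on the suspend side only, so the changelog should say whether the resume path already does the matching re-registration.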
-- 
2.17.1





* [PATCH 4.14 095/143] perf tests: Fix indexing when invoking subtests
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 094/143] libertas: call into generic suspend code before turning off power Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 096/143] compiler.h: Allow arch-specific asm/compiler.h Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sandipan Das,
	Arnaldo Carvalho de Melo, Heiko Carstens, Hendrik Brueckner,
	Jiri Olsa, Martin Schwidefsky, Naveen N. Rao, Ravi Bangoria,
	Thomas Richter, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit aa90f9f9554616d5738f7bedb4a8f0e5e14d1bc6 ]

Recently, the subtest numbering was changed to start from 1.  While it
is fine for displaying results, this should not be the case when the
subtests are actually invoked.

Typically, the subtests are stored in zero-indexed arrays and invoked
based on the index passed to the main test function.  Since the index
now starts from 1, the second subtest in the array (index 1) gets
invoked instead of the first (index 0).  This applies to all of the
following subtests but for the last one, the subtest always fails
because it does not meet the boundary condition of the subtest index
being lesser than the number of subtests.

This can be observed on powerpc64 and x86_64 systems running Fedora 28
as shown below.

Before:

  # perf test "builtin clang support"
  55: builtin clang support                                 :
  55.1: builtin clang compile C source to IR                : Ok
  55.2: builtin clang compile C source to ELF object        : FAILED!

  # perf test "LLVM search and compile"
  38: LLVM search and compile                               :
  38.1: Basic BPF llvm compile                              : Ok
  38.2: kbuild searching                                    : Ok
  38.3: Compile source for BPF prologue generation          : Ok
  38.4: Compile source for BPF relocation                   : FAILED!

  # perf test "BPF filter"
  40: BPF filter                                            :
  40.1: Basic BPF filtering                                 : Ok
  40.2: BPF pinning                                         : Ok
  40.3: BPF prologue generation                             : Ok
  40.4: BPF relocation checker                              : FAILED!

After:

  # perf test "builtin clang support"
  55: builtin clang support                                 :
  55.1: builtin clang compile C source to IR                : Ok
  55.2: builtin clang compile C source to ELF object        : Ok

  # perf test "LLVM search and compile"
  38: LLVM search and compile                               :
  38.1: Basic BPF llvm compile                              : Ok
  38.2: kbuild searching                                    : Ok
  38.3: Compile source for BPF prologue generation          : Ok
  38.4: Compile source for BPF relocation                   : Ok

  # perf test "BPF filter"
  40: BPF filter                                            :
  40.1: Basic BPF filtering                                 : Ok
  40.2: BPF pinning                                         : Ok
  40.3: BPF prologue generation                             : Ok
  40.4: BPF relocation checker                              : Ok

Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
Cc: Thomas Richter <tmricht@linux.ibm.com>
Fixes: 9ef0112442bd ("perf test: Fix subtest number when showing results")
Link: http://lkml.kernel.org/r/20180726171733.33208-1-sandipan@linux.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/tests/builtin-test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c
index 5966f1f9b160..1c9bc3516f8b 100644
--- a/tools/perf/tests/builtin-test.c
+++ b/tools/perf/tests/builtin-test.c
@@ -375,7 +375,7 @@ static int test_and_print(struct test *t, bool force_skip, int subtest)
 	if (!t->subtest.get_nr)
 		pr_debug("%s:", t->desc);
 	else
-		pr_debug("%s subtest %d:", t->desc, subtest);
+		pr_debug("%s subtest %d:", t->desc, subtest + 1);
 
 	switch (err) {
 	case TEST_OK:
@@ -589,7 +589,7 @@ static int __cmd_test(int argc, const char *argv[], struct intlist *skiplist)
 			for (subi = 0; subi < subn; subi++) {
 				pr_info("%2d.%1d: %-*s:", i, subi + 1, subw,
 					t->subtest.get_desc(subi));
-				err = test_and_print(t, skip, subi + 1);
+				err = test_and_print(t, skip, subi);
 				if (err != TEST_OK && t->subtest.skip_if_fail)
 					skip = true;
 			}
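Review bot: after this hunk `subi + 1` is used for display in pr_info() while the zero-based `subi` is passed to test_and_print(), which then adds 1 again for its own pr_debug(). The bug came from exactly this mix of conventions, so a one-line comment on test_and_print() stating that `subtest` is a zero-based array index, converted to 1-based only when printed, would keep the next caller from repeating it.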
-- 
2.17.1





* [PATCH 4.14 096/143] compiler.h: Allow arch-specific asm/compiler.h
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 095/143] perf tests: Fix indexing when invoking subtests Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 097/143] ARM: dts: imx53-qsb: disable 1.2GHz OPP Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Burton, Masahiro Yamada,
	Arnd Bergmann, James Hogan, Ralf Baechle, linux-arch,
	linux-kbuild, linux-mips, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 04f264d3a8b0eb25d378127bd78c3c9a0261c828 ]

We have a need to override the definition of
barrier_before_unreachable() for MIPS, which means we either need to add
architecture-specific code into linux/compiler-gcc.h or we need to allow
the architecture to provide a header that can define the macro before
the generic definition. The latter seems like the better approach.

A straightforward approach to the per-arch header is to make use of
asm-generic to provide a default empty header & adjust architectures
which don't need anything specific to make use of that by adding the
header to generic-y. Unfortunately this doesn't work so well due to
commit 28128c61e08e ("kconfig.h: Include compiler types to avoid missed
struct attributes") which caused linux/compiler_types.h to be included
in the compilation of every C file via the -include linux/kconfig.h flag
in c_flags.

Because the -include flag is present for all C files we compile, we need
the architecture-provided header to be present before any C files are
compiled. If any C files can be compiled prior to the asm-generic header
wrappers being generated then we hit a build failure due to missing
header. Such cases do exist - one pointed out by the kbuild test robot
is the compilation of arch/ia64/kernel/nr-irqs.c, which occurs as part
of the archprepare target [1].

This leaves us with a few options:

  1) Use generic-y & fix any build failures we find by enforcing
     ordering such that the asm-generic target occurs before any C
     compilation, such that linux/compiler_types.h can always include
     the generated asm-generic wrapper which in turn includes the empty
     asm-generic header. This would rely on us finding all the
     problematic cases - I don't know for sure that the ia64 issue is
     the only one.

  2) Add an actual empty header to each architecture, so that we don't
     need the generated asm-generic wrapper. This seems messy.

  3) Give up & add #ifdef CONFIG_MIPS or similar to
     linux/compiler_types.h. This seems messy too.

  4) Include the arch header only when it's actually needed, removing
     the need for the asm-generic wrapper for all other architectures.

This patch allows us to use approach 4, by including an asm/compiler.h
header from linux/compiler_types.h after the inclusion of the
compiler-specific linux/compiler-*.h header(s). We do this
conditionally, only when CONFIG_HAVE_ARCH_COMPILER_H is selected, in
order to avoid the need for asm-generic wrappers & the associated build
ordering issue described above. The asm/compiler.h header is included
after the generic linux/compiler-*.h header(s) for consistency with the
way linux/compiler-intel.h & linux/compiler-clang.h are included after
the linux/compiler-gcc.h header that they override.

[1] https://lists.01.org/pipermail/kbuild-all/2018-August/051175.html

Signed-off-by: Paul Burton <paul.burton@mips.com>
Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Patchwork: https://patchwork.linux-mips.org/patch/20269/
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: James Hogan <jhogan@kernel.org>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-arch@vger.kernel.org
Cc: linux-kbuild@vger.kernel.org
Cc: linux-mips@linux-mips.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/Kconfig                   |  8 ++++++++
 include/linux/compiler_types.h | 12 ++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/arch/Kconfig b/arch/Kconfig
index 40dc31fea90c..77b3e21c4844 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -965,4 +965,12 @@ config REFCOUNT_FULL
 	  against various use-after-free conditions that can be used in
 	  security flaw exploits.
 
+config HAVE_ARCH_COMPILER_H
+	bool
+	help
+	  An architecture can select this if it provides an
+	  asm/compiler.h header that should be included after
+	  linux/compiler-*.h in order to override macro definitions that those
+	  headers generally provide.
+
 source "kernel/gcov/Kconfig"
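Review bot: HAVE_ARCH_COMPILER_H is added with no `select` anywhere in this patch (the diffstat touches only arch/Kconfig and include/linux/compiler_types.h), so on its own the change is a no-op in 4.14.y. The backport should name the follow-up patch that makes an architecture select it, so reviewers can check that the pair is queued together.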
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 6b79a9bba9a7..4be464a07612 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -78,6 +78,18 @@ extern void __chk_io_ptr(const volatile void __iomem *);
 #include <linux/compiler-clang.h>
 #endif
 
+/*
+ * Some architectures need to provide custom definitions of macros provided
+ * by linux/compiler-*.h, and can do so using asm/compiler.h. We include that
+ * conditionally rather than using an asm-generic wrapper in order to avoid
+ * build failures if any C compilation, which will include this file via an
+ * -include argument in c_flags, occurs prior to the asm-generic wrappers being
+ * generated.
+ */
+#ifdef CONFIG_HAVE_ARCH_COMPILER_H
+#include <asm/compiler.h>
+#endif
+
 /*
  * Generic compiler-dependent macros required for kernel
  * build go below this comment. Actual compiler/compiler version
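Review bot: the `#ifdef CONFIG_HAVE_ARCH_COMPILER_H` test only works if the CONFIG_ macros are already defined when this header is processed. The commit message says the file is pulled in through `-include linux/kconfig.h`, so the new comment should state that include-order dependency; otherwise the block is silently skipped and the architecture's overrides are never seen. An architecture that selects the symbol without shipping asm/compiler.h will break every C compile, which is worth a line in the Kconfig help text.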
-- 
2.17.1





* [PATCH 4.14 097/143] ARM: dts: imx53-qsb: disable 1.2GHz OPP
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 096/143] compiler.h: Allow arch-specific asm/compiler.h Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 098/143] perf python: Use -Wno-redundant-decls to build with PYTHON=python3 Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sascha Hauer, Shawn Guo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ]

The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the
1.2GHz OPP. This makes the board work again with configs that have
cpufreq enabled like imx_v6_v7_defconfig on which the board stopped
working with the addition of cpufreq-dt support.

Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support")

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi
index 683dcbe27cbd..8c11190c5218 100644
--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi
+++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi
@@ -130,6 +130,17 @@
 	};
 };
 
+&cpu0 {
+	/* CPU rated to 1GHz, not 1.2GHz as per the default settings */
+	operating-points = <
+		/* kHz   uV */
+		166666  850000
+		400000  900000
+		800000  1050000
+		1000000 1200000
+	>;
+};
+
 &esdhc1 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_esdhc1>;
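Review bot: the `&cpu0` override restates all four remaining operating points instead of only dropping the 1.2GHz entry, so this board file now carries its own copy of the kHz/uV pairs. If the SoC-level table is corrected later, the board will keep the values listed here; the in-hunk comment should say whether the lower entries are meant to track the defaults.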
-- 
2.17.1





* [PATCH 4.14 098/143] perf python: Use -Wno-redundant-decls to build with PYTHON=python3
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 097/143] ARM: dts: imx53-qsb: disable 1.2GHz OPP Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 099/143] rxrpc: Dont check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window() Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, David Ahern,
	Jiri Olsa, Namhyung Kim, Thiago Macieira, Wang Nan,
	Arnaldo Carvalho de Melo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 05a2f54679861deb188750ba2a70187000b2c71f ]

When building in ClearLinux using 'make PYTHON=python3' with gcc 8.2.1
it fails with:

    GEN      /tmp/build/perf/python/perf.so
  In file included from /usr/include/python3.7m/Python.h:126,
                   from /git/linux/tools/perf/util/python.c:2:
  /usr/include/python3.7m/import.h:58:24: error: redundant redeclaration of ‘_PyImport_AddModuleObject’ [-Werror=redundant-decls]
   PyAPI_FUNC(PyObject *) _PyImport_AddModuleObject(PyObject *, PyObject *);
                          ^~~~~~~~~~~~~~~~~~~~~~~~~
  /usr/include/python3.7m/import.h:47:24: note: previous declaration of ‘_PyImport_AddModuleObject’ was here
   PyAPI_FUNC(PyObject *) _PyImport_AddModuleObject(PyObject *name,
                          ^~~~~~~~~~~~~~~~~~~~~~~~~
  cc1: all warnings being treated as errors
  error: command 'gcc' failed with exit status 1

And indeed there is a redundant declaration in that Python.h file, one
with parameter names and the other without, so just add
-Wno-error=redundant-decls to the python setup instructions.

Now perf builds with gcc in ClearLinux with the following Dockerfile:

  # docker.io/acmel/linux-perf-tools-build-clearlinux:latest
  FROM docker.io/clearlinux:latest
  MAINTAINER Arnaldo Carvalho de Melo <acme@kernel.org>
  RUN swupd update && \
      swupd bundle-add sysadmin-basic-dev
  RUN mkdir -m 777 -p /git /tmp/build/perf /tmp/build/objtool /tmp/build/linux && \
      groupadd -r perfbuilder && \
      useradd -m -r -g perfbuilder perfbuilder && \
      chown -R perfbuilder.perfbuilder /tmp/build/ /git/
  USER perfbuilder
  COPY rx_and_build.sh /
  ENV EXTRA_MAKE_ARGS=PYTHON=python3
  ENTRYPOINT ["/rx_and_build.sh"]

Now to figure out why the build fails with clang, that is present in the
above container as detected by the rx_and_build.sh script:

  clang version 6.0.1 (tags/RELEASE_601/final)
  Target: x86_64-unknown-linux-gnu
  Thread model: posix
  InstalledDir: /usr/sbin
  make: Entering directory '/git/linux/tools/perf'
    BUILD:   Doing 'make -j4' parallel build
    HOSTCC   /tmp/build/perf/fixdep.o
    HOSTLD   /tmp/build/perf/fixdep-in.o
    LINK     /tmp/build/perf/fixdep

  Auto-detecting system features:
  ...                         dwarf: [ OFF ]
  ...            dwarf_getlocations: [ OFF ]
  ...                         glibc: [ OFF ]
  ...                          gtk2: [ OFF ]
  ...                      libaudit: [ OFF ]
  ...                        libbfd: [ OFF ]
  ...                        libelf: [ OFF ]
  ...                       libnuma: [ OFF ]
  ...        numa_num_possible_cpus: [ OFF ]
  ...                       libperl: [ OFF ]
  ...                     libpython: [ OFF ]
  ...                      libslang: [ OFF ]
  ...                     libcrypto: [ OFF ]
  ...                     libunwind: [ OFF ]
  ...            libdw-dwarf-unwind: [ OFF ]
  ...                          zlib: [ OFF ]
  ...                          lzma: [ OFF ]
  ...                     get_cpuid: [ OFF ]
  ...                           bpf: [ OFF ]

  Makefile.config:331: *** No gnu/libc-version.h found, please install glibc-dev[el].  Stop.
  make[1]: *** [Makefile.perf:206: sub-make] Error 2
  make: *** [Makefile:70: all] Error 2
  make: Leaving directory '/git/linux/tools/perf'

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Thiago Macieira <thiago.macieira@intel.com>
Cc: Wang Nan <wangnan0@huawei.com>
Link: https://lkml.kernel.org/n/tip-c3khb9ac86s00qxzjrueomme@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/util/setup.py b/tools/perf/util/setup.py
index da4df7fd43a2..23f1bf175179 100644
--- a/tools/perf/util/setup.py
+++ b/tools/perf/util/setup.py
@@ -27,7 +27,7 @@ class install_lib(_install_lib):
 
 cflags = getenv('CFLAGS', '').split()
 # switch off several checks (need to be at the end of cflags list)
-cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter' ]
+cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter', '-Wno-redundant-decls' ]
 if cc != "clang":
     cflags += ['-Wno-cast-function-type' ]
 
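Review bot: the commit message says to add `-Wno-error=redundant-decls`, but the hunk adds `-Wno-redundant-decls`, which turns the warning off completely instead of only stopping it from being treated as an error. The flag is also appended to the common cflags list, above the `if cc != "clang":` test, so it applies to every compiler and not just the gcc build that failed. Either use the `-Wno-error=` form or update the changelog to match the code.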
-- 
2.17.1





* [PATCH 4.14 099/143] rxrpc: Dont check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window()
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 098/143] perf python: Use -Wno-redundant-decls to build with PYTHON=python3 Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 100/143] rxrpc: Only take the rwind and mtu values from latest ACK Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c479d5f2c2e1ce609da08c075054440d97ddff52 ]

We should only call the function to end a call's Tx phase if we rotated the
marked-last packet out of the transmission buffer.

Make rxrpc_rotate_tx_window() return an indication of whether it just
rotated the packet marked as the last out of the transmit buffer, carrying
the information out of the locked section in that function.

We can then check the return value instead of examining RXRPC_CALL_TX_LAST.

Fixes: 70790dbe3f66 ("rxrpc: Pass the last Tx packet marker in the annotation buffer")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/input.c | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index 5edb636dbc4d..3a501bf0fc1a 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -216,10 +216,11 @@ static void rxrpc_send_ping(struct rxrpc_call *call, struct sk_buff *skb,
 /*
  * Apply a hard ACK by advancing the Tx window.
  */
-static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
 				   struct rxrpc_ack_summary *summary)
 {
 	struct sk_buff *skb, *list = NULL;
+	bool rot_last = false;
 	int ix;
 	u8 annotation;
 
@@ -243,15 +244,17 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
 		skb->next = list;
 		list = skb;
 
-		if (annotation & RXRPC_TX_ANNO_LAST)
+		if (annotation & RXRPC_TX_ANNO_LAST) {
 			set_bit(RXRPC_CALL_TX_LAST, &call->flags);
+			rot_last = true;
+		}
 		if ((annotation & RXRPC_TX_ANNO_MASK) != RXRPC_TX_ANNO_ACK)
 			summary->nr_rot_new_acks++;
 	}
 
 	spin_unlock(&call->lock);
 
-	trace_rxrpc_transmit(call, (test_bit(RXRPC_CALL_TX_LAST, &call->flags) ?
+	trace_rxrpc_transmit(call, (rot_last ?
 				    rxrpc_transmit_rotate_last :
 				    rxrpc_transmit_rotate));
 	wake_up(&call->waitq);
@@ -262,6 +265,8 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
 		skb->next = NULL;
 		rxrpc_free_skb(skb, rxrpc_skb_tx_freed);
 	}
+
+	return rot_last;
 }
 
 /*
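Review bot: rxrpc_rotate_tx_window() now ends in `return rot_last;`, but its header comment still reads only "Apply a hard ACK by advancing the Tx window." Please document that the return value is true only when this call rotated the packet annotated RXRPC_TX_ANNO_LAST out of the buffer, since the callers now rely on it instead of the RXRPC_CALL_TX_LAST flag.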
@@ -332,11 +337,11 @@ static bool rxrpc_receiving_reply(struct rxrpc_call *call)
 				ktime_get_real());
 	}
 
-	if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags))
-		rxrpc_rotate_tx_window(call, top, &summary);
 	if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
-		rxrpc_proto_abort("TXL", call, top);
-		return false;
+		if (!rxrpc_rotate_tx_window(call, top, &summary)) {
+			rxrpc_proto_abort("TXL", call, top);
+			return false;
+		}
 	}
 	if (!rxrpc_end_tx_phase(call, true, "ETD"))
 		return false;
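Review bot: the nested `if` in rxrpc_receiving_reply() can be a single condition, `if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags) && !rxrpc_rotate_tx_window(call, top, &summary))`, which removes a level of indentation around the "TXL" abort. A short comment that the flag test covers a last packet already rotated by an earlier ACK would also help, because the flag and the return value now mean different things.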
@@ -837,8 +842,12 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
 	if (nr_acks > call->tx_top - hard_ack)
 		return rxrpc_proto_abort("AKN", call, 0);
 
-	if (after(hard_ack, call->tx_hard_ack))
-		rxrpc_rotate_tx_window(call, hard_ack, &summary);
+	if (after(hard_ack, call->tx_hard_ack)) {
+		if (rxrpc_rotate_tx_window(call, hard_ack, &summary)) {
+			rxrpc_end_tx_phase(call, false, "ETA");
+			return;
+		}
+	}
 
 	if (nr_acks > 0) {
 		if (skb_copy_bits(skb, offset, buf.acks, nr_acks) < 0)
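Review bot: with the "ETA" rxrpc_end_tx_phase() call moved into the `after(hard_ack, call->tx_hard_ack)` branch, rxrpc_input_ack() now returns before the `nr_acks > 0` block, whereas the code removed in the next hunk ran that block first and only then tested RXRPC_CALL_TX_LAST. The changelog does not mention that soft-ACK processing is skipped for the ACK that rotates the last packet; please confirm nothing after this point is still needed in that case.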
@@ -847,11 +856,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
 				      &summary);
 	}
 
-	if (test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
-		rxrpc_end_tx_phase(call, false, "ETA");
-		return;
-	}
-
 	if (call->rxtx_annotations[call->tx_top & RXRPC_RXTX_BUFF_MASK] &
 	    RXRPC_TX_ANNO_LAST &&
 	    summary.nr_acks == call->tx_top - hard_ack &&
@@ -873,8 +877,7 @@ static void rxrpc_input_ackall(struct rxrpc_call *call, struct sk_buff *skb)
 
 	_proto("Rx ACKALL %%%u", sp->hdr.serial);
 
-	rxrpc_rotate_tx_window(call, call->tx_top, &summary);
-	if (test_bit(RXRPC_CALL_TX_LAST, &call->flags))
+	if (rxrpc_rotate_tx_window(call, call->tx_top, &summary))
 		rxrpc_end_tx_phase(call, false, "ETL");
 }
 
-- 
2.17.1





* [PATCH 4.14 100/143] rxrpc: Only take the rwind and mtu values from latest ACK
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 099/143] rxrpc: Dont check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window() Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 101/143] rxrpc: Fix connection-level abort handling Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 298bc15b2079c324e82d0a6fda39c3d762af7282 ]

Move the out-of-order and duplicate ACK packet check to before the call to
rxrpc_input_ackinfo() so that the receive window size and MTU size are only
checked in the latest ACK packet and don't regress.

Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/input.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index 3a501bf0fc1a..ea506a77f3c8 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -806,6 +806,16 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
 				  rxrpc_propose_ack_respond_to_ack);
 	}
 
+	/* Discard any out-of-order or duplicate ACKs. */
+	if (before_eq(sp->hdr.serial, call->acks_latest)) {
+		_debug("discard ACK %d <= %d",
+		       sp->hdr.serial, call->acks_latest);
+		return;
+	}
+	call->acks_latest_ts = skb->tstamp;
+	call->acks_latest = sp->hdr.serial;
+
+	/* Parse rwind and mtu sizes if provided. */
 	ioffset = offset + nr_acks + 3;
 	if (skb->len >= ioffset + sizeof(buf.info)) {
 		if (skb_copy_bits(skb, ioffset, &buf.info, sizeof(buf.info)) < 0)
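Review bot: moving the duplicate check up also moves the `call->acks_latest` and `call->acks_latest_ts` updates ahead of the rwind/mtu parse, so an ACK whose `skb_copy_bits(skb, ioffset, ...)` fails has already been recorded as the latest serial. Please confirm that is acceptable, or record the serial only after the trailer has been read successfully.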
@@ -827,15 +837,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
 		return;
 	}
 
-	/* Discard any out-of-order or duplicate ACKs. */
-	if (before_eq(sp->hdr.serial, call->acks_latest)) {
-		_debug("discard ACK %d <= %d",
-		       sp->hdr.serial, call->acks_latest);
-		return;
-	}
-	call->acks_latest_ts = skb->tstamp;
-	call->acks_latest = sp->hdr.serial;
-
 	if (before(hard_ack, call->tx_hard_ack) ||
 	    after(hard_ack, call->tx_top))
 		return rxrpc_proto_abort("AKW", call, 0);
-- 
2.17.1





* [PATCH 4.14 101/143] rxrpc: Fix connection-level abort handling
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 100/143] rxrpc: Only take the rwind and mtu values from latest ACK Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 102/143] net: ena: fix warning in rmmod caused by double iounmap Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 647530924f47c93db472ee3cf43b7ef1425581b6 ]

Fix connection-level abort handling to cache the abort and error codes
properly so that a new incoming call can be properly aborted if it races
with the parent connection being aborted by another CPU.

The abort_code and error parameters can then be dropped from
rxrpc_abort_calls().

Fixes: f5c17aaeb2ae ("rxrpc: Calls should only have one terminal state")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/ar-internal.h |  4 ++--
 net/rxrpc/call_accept.c |  4 ++--
 net/rxrpc/conn_event.c  | 26 +++++++++++++++-----------
 3 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index e6c2c4f56fb1..71c7f1dd4599 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -424,8 +424,7 @@ struct rxrpc_connection {
 	spinlock_t		state_lock;	/* state-change lock */
 	enum rxrpc_conn_cache_state cache_state;
 	enum rxrpc_conn_proto_state state;	/* current state of connection */
-	u32			local_abort;	/* local abort code */
-	u32			remote_abort;	/* remote abort code */
+	u32			abort_code;	/* Abort code of connection abort */
 	int			debug_id;	/* debug ID for printks */
 	atomic_t		serial;		/* packet serial number counter */
 	unsigned int		hi_serial;	/* highest serial number received */
@@ -435,6 +434,7 @@ struct rxrpc_connection {
 	u8			security_size;	/* security header size */
 	u8			security_ix;	/* security type */
 	u8			out_clientflag;	/* RXRPC_CLIENT_INITIATED if we are client */
+	short			error;		/* Local error code */
 };
 
 /*
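Review bot: error is declared short, but rxrpc_abort_connection() stores an int parameter into it (conn->error = error) and the call_accept.c readers now pass it where -ECONNABORTED was passed before. Errno values fit, but the narrowing is implicit; either make the field an int or extend the comment to say it holds a negative errno. The comments on abort_code and error should also name the lock that covers them, since they are now written in conn_event.c and read in call_accept.c.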
diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
index 62b1581d44a5..2dd13f5c47c8 100644
--- a/net/rxrpc/call_accept.c
+++ b/net/rxrpc/call_accept.c
@@ -418,11 +418,11 @@ found_service:
 
 	case RXRPC_CONN_REMOTELY_ABORTED:
 		rxrpc_set_call_completion(call, RXRPC_CALL_REMOTELY_ABORTED,
-					  conn->remote_abort, -ECONNABORTED);
+					  conn->abort_code, conn->error);
 		break;
 	case RXRPC_CONN_LOCALLY_ABORTED:
 		rxrpc_abort_call("CON", call, sp->hdr.seq,
-				 conn->local_abort, -ECONNABORTED);
+				 conn->abort_code, conn->error);
 		break;
 	default:
 		BUG();
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 0435c4167a1a..75ec1ad595b7 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -117,7 +117,7 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
 
 	switch (chan->last_type) {
 	case RXRPC_PACKET_TYPE_ABORT:
-		_proto("Tx ABORT %%%u { %d } [re]", serial, conn->local_abort);
+		_proto("Tx ABORT %%%u { %d } [re]", serial, conn->abort_code);
 		break;
 	case RXRPC_PACKET_TYPE_ACK:
 		trace_rxrpc_tx_ack(NULL, serial, chan->last_seq, 0,
@@ -135,13 +135,12 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
  * pass a connection-level abort onto all calls on that connection
  */
 static void rxrpc_abort_calls(struct rxrpc_connection *conn,
-			      enum rxrpc_call_completion compl,
-			      u32 abort_code, int error)
+			      enum rxrpc_call_completion compl)
 {
 	struct rxrpc_call *call;
 	int i;
 
-	_enter("{%d},%x", conn->debug_id, abort_code);
+	_enter("{%d},%x", conn->debug_id, conn->abort_code);
 
 	spin_lock(&conn->channel_lock);
 
@@ -153,9 +152,11 @@ static void rxrpc_abort_calls(struct rxrpc_connection *conn,
 			if (compl == RXRPC_CALL_LOCALLY_ABORTED)
 				trace_rxrpc_abort("CON", call->cid,
 						  call->call_id, 0,
-						  abort_code, error);
+						  conn->abort_code,
+						  conn->error);
 			if (rxrpc_set_call_completion(call, compl,
-						      abort_code, error))
+						      conn->abort_code,
+						      conn->error))
 				rxrpc_notify_socket(call);
 		}
 	}
@@ -188,10 +189,12 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
 		return 0;
 	}
 
+	conn->error = error;
+	conn->abort_code = abort_code;
 	conn->state = RXRPC_CONN_LOCALLY_ABORTED;
 	spin_unlock_bh(&conn->state_lock);
 
-	rxrpc_abort_calls(conn, RXRPC_CALL_LOCALLY_ABORTED, abort_code, error);
+	rxrpc_abort_calls(conn, RXRPC_CALL_LOCALLY_ABORTED);
 
 	msg.msg_name	= &conn->params.peer->srx.transport;
 	msg.msg_namelen	= conn->params.peer->srx.transport_len;
@@ -210,7 +213,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
 	whdr._rsvd	= 0;
 	whdr.serviceId	= htons(conn->service_id);
 
-	word		= htonl(conn->local_abort);
+	word		= htonl(conn->abort_code);
 
 	iov[0].iov_base	= &whdr;
 	iov[0].iov_len	= sizeof(whdr);
@@ -221,7 +224,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
 
 	serial = atomic_inc_return(&conn->serial);
 	whdr.serial = htonl(serial);
-	_proto("Tx CONN ABORT %%%u { %d }", serial, conn->local_abort);
+	_proto("Tx CONN ABORT %%%u { %d }", serial, conn->abort_code);
 
 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
 	if (ret < 0) {
@@ -289,9 +292,10 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
 		abort_code = ntohl(wtmp);
 		_proto("Rx ABORT %%%u { ac=%d }", sp->hdr.serial, abort_code);
 
+		conn->error = -ECONNABORTED;
+		conn->abort_code = abort_code;
 		conn->state = RXRPC_CONN_REMOTELY_ABORTED;
-		rxrpc_abort_calls(conn, RXRPC_CALL_REMOTELY_ABORTED,
-				  abort_code, -ECONNABORTED);
+		rxrpc_abort_calls(conn, RXRPC_CALL_REMOTELY_ABORTED);
 		return -ECONNABORTED;
 
 	case RXRPC_PACKET_TYPE_CHALLENGE:
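Review bot: in the Rx ABORT case, conn->error and conn->abort_code are stored immediately before conn->state with no lock visible in this hunk, whereas rxrpc_abort_connection() makes the same three stores before spin_unlock_bh(&conn->state_lock). The changelog is about a new incoming call racing with the abort on another CPU, and call_accept.c reads both fields after switching on conn->state, so if this path does not hold state_lock a reader can observe RXRPC_CONN_REMOTELY_ABORTED together with stale codes. Please either take the lock here as well or add a comment stating what orders these stores against the reader.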
-- 
2.17.1





* [PATCH 4.14 102/143] net: ena: fix warning in rmmod caused by double iounmap
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 101/143] rxrpc: Fix connection-level abort handling Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 103/143] net: ena: fix NULL dereference due to untimely napi initialization Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arthur Kiyanovski, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d79c3888bde6581da7ff9f9d6f581900ecb5e632 ]

Memory mapped with devm_ioremap is automatically freed when the driver
is disconnected from the device. Therefore there is no need to
explicitly call devm_iounmap.

Fixes: 0857d92f71b6 ("net: ena: add missing unmap bars on device removal")
Fixes: 411838e7b41c ("net: ena: fix rare kernel crash when bar memory remap fails")
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
index 60b3ee29d82c..08c9c99a8331 100644
--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
+++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
@@ -3059,15 +3059,8 @@ err_rss_init:
 
 static void ena_release_bars(struct ena_com_dev *ena_dev, struct pci_dev *pdev)
 {
-	int release_bars;
+	int release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK;
 
-	if (ena_dev->mem_bar)
-		devm_iounmap(&pdev->dev, ena_dev->mem_bar);
-
-	if (ena_dev->reg_bar)
-		devm_iounmap(&pdev->dev, ena_dev->reg_bar);
-
-	release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK;
 	pci_release_selected_regions(pdev, release_bars);
 }
 
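Review bot: with both devm_iounmap() calls removed, the ena_dev parameter of ena_release_bars() is no longer used in the body. Drop it from the signature and the callers, or leave a one-line comment that mem_bar and reg_bar are devm-managed and therefore deliberately not unmapped here, so the next reader does not add the unmap back.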
-- 
2.17.1





* [PATCH 4.14 103/143] net: ena: fix NULL dereference due to untimely napi initialization
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 102/143] net: ena: fix warning in rmmod caused by double iounmap Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 104/143] selftests: rtnetlink.sh explicitly requires bash Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arthur Kiyanovski, David S. Miller,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 78a55d05def95144ca5fa9a64c49b2a0636a9866 ]

napi poll functions should be initialized before running request_irq(),
to handle a rare condition where there is a pending interrupt, causing
the ISR to fire immediately while the poll function wasn't set yet,
causing a NULL dereference.

Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
index 08c9c99a8331..3c7813f04962 100644
--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
+++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
@@ -1571,8 +1571,6 @@ static int ena_up_complete(struct ena_adapter *adapter)
 	if (rc)
 		return rc;
 
-	ena_init_napi(adapter);
-
 	ena_change_mtu(adapter->netdev, adapter->netdev->mtu);
 
 	ena_refill_all_rx_bufs(adapter);
@@ -1726,6 +1724,13 @@ static int ena_up(struct ena_adapter *adapter)
 
 	ena_setup_io_intr(adapter);
 
+	/* napi poll functions should be initialized before running
+	 * request_irq(), to handle a rare condition where there is a pending
+	 * interrupt, causing the ISR to fire immediately while the poll
+	 * function wasn't set yet, causing a null dereference
+	 */
+	ena_init_napi(adapter);
+
 	rc = ena_request_io_irq(adapter);
 	if (rc)
 		goto err_req_irq;
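Review bot: ena_init_napi() now runs before ena_request_io_irq(), so the goto err_req_irq failure path is reached with the NAPI contexts already initialized, which was not the case while the call sat in ena_up_complete(). The err_req_irq label is outside this hunk; please confirm that it and the later error labels in ena_up() tear the NAPI contexts down again, otherwise a failed ena_up() followed by a retry initializes them twice. The added comment could also be shortened to the ordering rule itself, since the rest repeats the changelog.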
-- 
2.17.1





* [PATCH 4.14 104/143] selftests: rtnetlink.sh explicitly requires bash.
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 103/143] net: ena: fix NULL dereference due to untimely napi initialization Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 105/143] fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paolo Abeni, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 3c718e677c2b35b449992adc36ecce883c467e98 ]

The script rtnetlink.sh requires a bash-only feature (sleep with sub-second
precision). This may cause random test failure if the default shell is not
bash.
Address the above by explicitly requiring bash as the script interpreter.

Fixes: 33b01b7b4f19 ("selftests: add rtnetlink test script")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/rtnetlink.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
index 57b5ff576240..891130daac7c 100755
--- a/tools/testing/selftests/net/rtnetlink.sh
+++ b/tools/testing/selftests/net/rtnetlink.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # This test is for checking rtnetlink callpaths, and get as much coverage as possible.
 #
-- 
2.17.1





* [PATCH 4.14 105/143] fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 104/143] selftests: rtnetlink.sh explicitly requires bash Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 106/143] sch_netem: restore skb->dev after dequeuing from the rbtree Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Khazhismel Kumykov, OGAWA Hirofumi,
	Andrew Morton, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ac081c3be3fae6d0cc3e1862507fca3862d30b67 ]

On non-preempt kernels this loop can take a long time (more than 50 ticks)
processing through entries.

Link: http://lkml.kernel.org/r/20181010172623.57033-1-khazhy@google.com
Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/fat/fatent.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
index a40f36b1b292..9635df94db7d 100644
--- a/fs/fat/fatent.c
+++ b/fs/fat/fatent.c
@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb)
 			if (ops->ent_get(&fatent) == FAT_ENT_FREE)
 				free++;
 		} while (fat_ent_next(sbi, &fatent));
+		cond_resched();
 	}
 	sbi->free_clusters = free;
 	sbi->free_clus_valid = 1;
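Review bot: cond_resched() is added at the bottom of the outer loop without a comment, and nothing in the hunk shows whether fat_count_free_clusters() can be reached with a spinlock held or from atomic context. Please state in the changelog or in a short comment that every caller may sleep here, and note why the yield sits after the inner do/while rather than inside it (one reschedule point per pass of the inner loop rather than one per entry).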
-- 
2.17.1





* [PATCH 4.14 106/143] sch_netem: restore skb->dev after dequeuing from the rbtree
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 105/143] fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 23:28   ` Josh Hunt
  2018-11-02 18:34 ` [PATCH 4.14 107/143] mtd: spi-nor: Add support for is25wp series chips Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  144 siblings, 1 reply; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Hemminger, Eric Dumazet,
	Soheil Hassas Yeganeh, Wei Wang, Willem de Bruijn,
	Christoph Paasch, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

Upstream commit bffa72cf7f9d ("net: sk_buff rbnode reorg") got
backported as commit 6b921536f170 ("net: sk_buff rbnode reorg") into the
v4.14.x-tree.

However, the backport does not include the changes in sch_netem.c

We need these, as otherwise the skb->dev pointer is not set when
dequeueing from the netem rbtree, resulting in a panic:

[   15.427748] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
[   15.428863] IP: netif_skb_features+0x24/0x230
[   15.429402] PGD 0 P4D 0
[   15.429733] Oops: 0000 [#1] SMP PTI
[   15.430169] Modules linked in:
[   15.430614] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.14.77.mptcp #77
[   15.431497] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[   15.432568] task: ffff88042db19680 task.stack: ffffc90000070000
[   15.433356] RIP: 0010:netif_skb_features+0x24/0x230
[   15.433977] RSP: 0018:ffff88043fd83e70 EFLAGS: 00010286
[   15.434665] RAX: ffff880429ad80c0 RBX: ffff88042bd0e400 RCX: ffff880429ad8000
[   15.435585] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88042bd0e400
[   15.436551] RBP: ffff88042bd0e400 R08: ffff88042a4b6c9c R09: 0000000000000001
[   15.437485] R10: 0000000000000004 R11: 0000000000000000 R12: ffff88042c700000
[   15.438393] R13: ffff88042c700000 R14: ffff88042a4b6c00 R15: ffff88042c6bb000
[   15.439315] FS:  0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
[   15.440314] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   15.441084] CR2: 00000000000000d0 CR3: 000000042c374000 CR4: 00000000000006e0
[   15.442016] Call Trace:
[   15.442333]  <IRQ>
[   15.442596]  validate_xmit_skb+0x17/0x270
[   15.443134]  validate_xmit_skb_list+0x38/0x60
[   15.443698]  sch_direct_xmit+0x102/0x190
[   15.444198]  __qdisc_run+0xe3/0x240
[   15.444671]  net_tx_action+0x121/0x140
[   15.445177]  __do_softirq+0xe2/0x224
[   15.445654]  irq_exit+0xbf/0xd0
[   15.446072]  smp_apic_timer_interrupt+0x5d/0x90
[   15.446654]  apic_timer_interrupt+0x7d/0x90
[   15.447185]  </IRQ>
[   15.447460] RIP: 0010:native_safe_halt+0x2/0x10
[   15.447992] RSP: 0018:ffffc90000073f10 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
[   15.449008] RAX: ffffffff816667d0 RBX: ffffffff820946b0 RCX: 0000000000000000
[   15.449895] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   15.450768] RBP: ffffffff82026940 R08: 00000004e858e5e1 R09: ffff88042a4b6d58
[   15.451643] R10: 0000000000000000 R11: 000000d0d56879bb R12: 0000000000000000
[   15.452478] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   15.453340]  ? __sched_text_end+0x2/0x2
[   15.453835]  default_idle+0xf/0x20
[   15.454259]  do_idle+0x170/0x200
[   15.454653]  cpu_startup_entry+0x14/0x20
[   15.455142]  secondary_startup_64+0xa5/0xb0
[   15.455715] Code: 1f 84 00 00 00 00 00 55 53 48 89 fd 48 83 ec 08 8b 87 bc 00 00 00 48 8b 8f c0 00 00 00 0f b6 97 81 00 00 00 48 8b 77 10 48 01 c8 <48> 8b 9
[   15.458138] RIP: netif_skb_features+0x24/0x230 RSP: ffff88043fd83e70
[   15.458933] CR2: 00000000000000d0
[   15.459352] ---[ end trace 083925903ae60570 ]---

Fixes: 6b921536f170 ("net: sk_buff rbnode reorg")
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Wei Wang <weiwan@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_netem.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 2a2ab6bfe5d8..3d325b840802 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -624,6 +624,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
 			skb->next = NULL;
 			skb->prev = NULL;
 			skb->tstamp = netem_skb_cb(skb)->tstamp_save;
+			/* skb->dev shares skb->rbnode area,
+			 * we need to restore its value.
+			 */
+			skb->dev = qdisc_dev(sch);
 
 #ifdef CONFIG_NET_CLS_ACT
 			/*
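Review bot: the new comment says the value is restored, but the assignment sets skb->dev to qdisc_dev(sch) rather than to a value saved at enqueue time (contrast the tstamp line just above it, which reads tstamp_save back from the cb). The two are only equivalent if every skb queued on this qdisc had skb->dev equal to the qdisc's device; please make the comment say that, for example "skb->dev shares the skb->rbnode area; the skb was queued on this qdisc, so its device is qdisc_dev(sch)".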
-- 
2.17.1





* [PATCH 4.14 107/143] mtd: spi-nor: Add support for is25wp series chips
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 106/143] sch_netem: restore skb->dev after dequeuing from the rbtree Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 108/143] kvm: x86: fix WARN due to uninitialized guest FPU state Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kimmo Rautkoski, Marek Vasut,
	Boris Brezillon, Adrian Bunk, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d616f81cdd2a21edfa90a595a4e9b143f5ba8414 ]

Added support for is25wp032, is25wp064 and is25wp128.

Signed-off-by: Kimmo Rautkoski <ext-kimmo.rautkoski@vaisala.com>
Reviewed-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
[ Adrian Bunk: Trivial adaption to changed context. ]
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mtd/spi-nor/spi-nor.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
index 19c000722cbc..34ecc12ee3d9 100644
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -1005,6 +1005,12 @@ static const struct flash_info spi_nor_ids[] = {
 
 	/* ISSI */
 	{ "is25cd512", INFO(0x7f9d20, 0, 32 * 1024,   2, SECT_4K) },
+	{ "is25wp032", INFO(0x9d7016, 0, 64 * 1024,  64,
+			SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ) },
+	{ "is25wp064", INFO(0x9d7017, 0, 64 * 1024, 128,
+			SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ) },
+	{ "is25wp128", INFO(0x9d7018, 0, 64 * 1024, 256,
+			SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ) },
 
 	/* Macronix */
 	{ "mx25l512e",   INFO(0xc22010, 0, 64 * 1024,   1, SECT_4K) },
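Review bot: all three new entries set SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ, while the only existing ISSI entry above them uses SECT_4K alone, and the changelog does not say on which of the three parts the flags were verified. Please record which chips were tested in dual and quad mode. The sector counts themselves are consistent with the part names (64, 128 and 256 sectors of 64 KiB give 4, 8 and 16 MiB).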
-- 
2.17.1





* [PATCH 4.14 108/143] kvm: x86: fix WARN due to uninitialized guest FPU state
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 107/143] mtd: spi-nor: Add support for is25wp series chips Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 109/143] ARM: dts: r8a7790: Correct critical CPU temperature Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Xu, Paolo Bonzini,
	Sudip Mukherjee, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

commit 5663d8f9bbe4bf15488f7351efb61ea20fa6de06 upstream

------------[ cut here ]------------
 Bad FPU state detected at kvm_put_guest_fpu+0xd8/0x2d0 [kvm], reinitializing FPU registers.
 WARNING: CPU: 1 PID: 4594 at arch/x86/mm/extable.c:103 ex_handler_fprestore+0x88/0x90
 CPU: 1 PID: 4594 Comm: qemu-system-x86 Tainted: G    B      OE    4.15.0-rc2+ #10
 RIP: 0010:ex_handler_fprestore+0x88/0x90
 Call Trace:
  fixup_exception+0x4e/0x60
  do_general_protection+0xff/0x270
  general_protection+0x22/0x30
 RIP: 0010:kvm_put_guest_fpu+0xd8/0x2d0 [kvm]
 RSP: 0018:ffff8803d5627810 EFLAGS: 00010246
  kvm_vcpu_reset+0x3b4/0x3c0 [kvm]
  kvm_apic_accept_events+0x1c0/0x240 [kvm]
  kvm_arch_vcpu_ioctl_run+0x1658/0x2fb0 [kvm]
  kvm_vcpu_ioctl+0x479/0x880 [kvm]
  do_vfs_ioctl+0x142/0x9a0
  SyS_ioctl+0x74/0x80
  do_syscall_64+0x15f/0x600

where kvm_put_guest_fpu is called without a prior kvm_load_guest_fpu.
To fix it, move kvm_load_guest_fpu to the very beginning of
kvm_arch_vcpu_ioctl_run.

Cc: stable@vger.kernel.org
Fixes: f775b13eedee2f7f3c6fdd4e90fb79090ce5d339
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/x86.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3856828ee1dc..8d688b213504 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -7393,13 +7393,12 @@ static int complete_emulated_mmio(struct kvm_vcpu *vcpu)
 
 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
 {
-	struct fpu *fpu = &current->thread.fpu;
 	int r;
 
-	fpu__initialize(fpu);
-
 	kvm_sigset_activate(vcpu);
 
+	kvm_load_guest_fpu(vcpu);
+
 	if (unlikely(vcpu->arch.mp_state == KVM_MP_STATE_UNINITIALIZED)) {
 		if (kvm_run->immediate_exit) {
 			r = -EINTR;
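Review bot: the changelog describes moving kvm_load_guest_fpu(), but the diff only adds calls (the load here, the put at out: in the next hunk); its three deletions are the fpu local, fpu__initialize(fpu) and a blank line. No existing load or put call site is removed, so this relies on both helpers being safe to call when the guest FPU is already loaded or already put; please state that in the changelog. Dropping fpu__initialize(fpu) is not mentioned there either and deserves a sentence on why it is no longer needed. Every exit taken after the new load also has to pass through out: for the put to balance it; the -EINTR branch at the end of this hunk is cut off before its jump, so that cannot be checked from the diff alone.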
@@ -7440,6 +7439,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
 		r = vcpu_run(vcpu);
 
 out:
+	kvm_put_guest_fpu(vcpu);
 	post_kvm_run_save(vcpu);
 	kvm_sigset_deactivate(vcpu);
 
-- 
2.17.1





* [PATCH 4.14 109/143] ARM: dts: r8a7790: Correct critical CPU temperature
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 108/143] kvm: x86: fix WARN due to uninitialized guest FPU state Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 110/143] media: uvcvideo: Fix driver reference counting Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Paterson, Geert Uytterhoeven,
	Simon Horman, Sudip Mukherjee, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

commit fcab5651fae4258a993170b7aaf443adbd3d4d84 upstream

The R-Car H2 hardware manual states that Tc = –40°C to +105°C. The
thermal sensor has an accuracy of ±5°C and there can be a temperature
difference of 1 or 2 degrees between Tjmax and the thermal sensor due
to the location of the latter.

This means that 95°C is a safer value to use.

Fixes: a8b805f3606f7af7 ("ARM: dts: r8a7790: enable to use thermal-zone")
Signed-off-by: Chris Paterson <chris.paterson2@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/r8a7790.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/r8a7790.dtsi b/arch/arm/boot/dts/r8a7790.dtsi
index 16358bf8d1db..97e8b9b0b750 100644
--- a/arch/arm/boot/dts/r8a7790.dtsi
+++ b/arch/arm/boot/dts/r8a7790.dtsi
@@ -153,7 +153,7 @@
 
 			trips {
 				cpu-crit {
-					temperature	= <115000>;
+					temperature	= <95000>;
 					hysteresis	= <0>;
 					type		= "critical";
 				};
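Review bot: the new cpu-crit value is a bare number whose derivation exists only in the changelog. A short comment above temperature = <95000> recording the 105°C limit, the ±5°C sensor accuracy and the 1 to 2 degree offset between Tjmax and the sensor would keep a later edit from raising it again.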
-- 
2.17.1





* [PATCH 4.14 110/143] media: uvcvideo: Fix driver reference counting
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 109/143] ARM: dts: r8a7790: Correct critical CPU temperature Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 111/143] ALSA: usx2y: Fix invalid stream URBs Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philipp Zabel, Laurent Pinchart,
	Mauro Carvalho Chehab, Sudip Mukherjee, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

commit f9ffcb0a21e1fa8e64d09ed613d884e054ae8191 upstream

kref_init initializes the reference count to 1, not 0. This additional
reference is never released since the conversion to reference counters.
As a result, uvc_delete is not called anymore when UVC cameras are
disconnected.
Fix this by adding an additional kref_put in uvc_disconnect and in the
probe error path. This also allows removing the temporary additional
reference in uvc_unregister_video.

Fixes: 9d15cd958c17 ("media: uvcvideo: Convert from using an atomic variable to a reference count")

Signed-off-by: Philipp Zabel <philipp.zabel@gmail.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/uvc/uvc_driver.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index 6d22b22cb35b..064d88299adc 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1865,13 +1865,6 @@ static void uvc_unregister_video(struct uvc_device *dev)
 {
 	struct uvc_streaming *stream;
 
-	/* Unregistering all video devices might result in uvc_delete() being
-	 * called from inside the loop if there's no open file handle. To avoid
-	 * that, increment the refcount before iterating over the streams and
-	 * decrement it when done.
-	 */
-	kref_get(&dev->ref);
-
 	list_for_each_entry(stream, &dev->streams, list) {
 		if (!video_is_registered(&stream->vdev))
 			continue;
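Review bot: the deleted comment documented why a reference was held across the loop (uvc_delete() could otherwise run from inside it when no file handle is open). After this change the loop is only safe because the callers still own the initial kref_init() reference and drop it after uvc_unregister_video() returns. Please replace the comment with one line saying that callers must hold a reference to dev across this function, so that a future caller does not reintroduce the use-after-free the old code guarded against.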
@@ -1880,8 +1873,6 @@ static void uvc_unregister_video(struct uvc_device *dev)
 
 		uvc_debugfs_cleanup_stream(stream);
 	}
-
-	kref_put(&dev->ref, uvc_delete);
 }
 
 static int uvc_register_video(struct uvc_device *dev,
@@ -2129,6 +2120,7 @@ static int uvc_probe(struct usb_interface *intf,
 
 error:
 	uvc_unregister_video(dev);
+	kref_put(&dev->ref, uvc_delete);
 	return -ENODEV;
 }
 
@@ -2146,6 +2138,7 @@ static void uvc_disconnect(struct usb_interface *intf)
 		return;
 
 	uvc_unregister_video(dev);
+	kref_put(&dev->ref, uvc_delete);
 }
 
 static int uvc_suspend(struct usb_interface *intf, pm_message_t message)
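Review bot: uvc_disconnect() has an early return just above uvc_unregister_video() (visible as context at the top of this hunk), and that path leaves without the new kref_put(). Please confirm that the condition guarding it only matches interfaces that do not own the initial reference; if it can match the one that does, the device is still never freed on that path. A comment next to the kref_put() saying that it drops the initial kref_init() reference would make the pairing obvious.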
-- 
2.17.1





* [PATCH 4.14 111/143] ALSA: usx2y: Fix invalid stream URBs
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 110/143] media: uvcvideo: Fix driver reference counting Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 112/143] Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing" Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Konovalov, Takashi Iwai,
	Sudip Mukherjee, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

commit f9a1c372299fed53d4b72bb601f7f3bfe6f9999c upstream

The us122l driver creates URBs per the fixed endpoints, and this may
end up with URBs with inconsistent pipes when a fuzzer or a malicious
program deals with the manipulated endpoints.  It ends up with a
kernel warning like:

  usb 1-1: BOGUS urb xfer, pipe 0 != type 3
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:471
  usb_submit_urb+0x113e/0x1400
  Call Trace:
   usb_stream_start+0x48a/0x9f0 sound/usb/usx2y/usb_stream.c:690
   us122l_start+0x116/0x290 sound/usb/usx2y/us122l.c:365
   us122l_create_card sound/usb/usx2y/us122l.c:502
   us122l_usb_probe sound/usb/usx2y/us122l.c:588
   ....

For avoiding the bad access, this patch adds a few sanity checks of
the validity of created URBs like previous similar fixes using the new
usb_urb_ep_type_check() helper function.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/usb/usx2y/usb_stream.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c
index e229abd21652..b0f8979ff2d2 100644
--- a/sound/usb/usx2y/usb_stream.c
+++ b/sound/usb/usx2y/usb_stream.c
@@ -56,7 +56,7 @@ static void playback_prep_freqn(struct usb_stream_kernel *sk, struct urb *urb)
 		    lb, s->period_size);
 }
 
-static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+static int init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 			   struct urb **urbs, char *transfer,
 			   struct usb_device *dev, int pipe)
 {
@@ -77,6 +77,8 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 		urb->interval = 1;
 		if (usb_pipeout(pipe))
 			continue;
+		if (usb_urb_ep_type_check(urb))
+			return -EINVAL;
 
 		urb->transfer_buffer_length = transfer_length;
 		desc = urb->iso_frame_desc;
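Review bot: the new usb_urb_ep_type_check() in init_pipe_urbs() sits after "if (usb_pipeout(pipe)) continue;", so it is reached only for IN pipes and OUT URBs are never validated. If the intent is to reject every URB whose pipe does not match its endpoint, move the check above the usb_pipeout() test, or say in a comment why OUT pipes are exempt.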
@@ -87,9 +89,11 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 			desc[p].length = maxpacket;
 		}
 	}
+
+	return 0;
 }
 
-static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+static int init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 		      struct usb_device *dev, int in_pipe, int out_pipe)
 {
 	struct usb_stream	*s = sk->s;
@@ -103,9 +107,12 @@ static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 		sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL);
 	}
 
-	init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe);
-	init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev,
-		       out_pipe);
+	if (init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe) ||
+	    init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev,
+			   out_pipe))
+		return -EINVAL;
+
+	return 0;
 }
 
 
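Review bot: init_urbs() returns a fixed -EINVAL rather than the value init_pipe_urbs() returned, and the usb_alloc_urb() result stored in sk->outurb[u] in the loop just above is still not checked before the URBs are initialised. Propagate the callee's return code, and consider returning -ENOMEM when an allocation fails so that both failure modes reach usb_stream_new().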
@@ -226,7 +233,11 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk,
 	else
 		sk->freqn = get_usb_high_speed_rate(sample_rate);
 
-	init_urbs(sk, use_packsize, dev, in_pipe, out_pipe);
+	if (init_urbs(sk, use_packsize, dev, in_pipe, out_pipe) < 0) {
+		usb_stream_free(sk);
+		return NULL;
+	}
+
 	sk->s->state = usb_stream_stopped;
 out:
 	return sk->s;
-- 
2.17.1





* [PATCH 4.14 112/143] Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing"
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 111/143] ALSA: usx2y: Fix invalid stream URBs Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 113/143] perf tools: Disable parallelism for make clean Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

This reverts commit 28c74ff85efd192aeca9005499ca50c24d795f61.

From Florian Westphal <fw@strlen.de>:

	It causes kernel crash for locally generated ipv6 fragments
	when netfilter ipv6 defragmentation is used.

	The faulty commit is not essential for -stable, it only
	delays netns teardown for longer than needed when that netns
	still has ipv6 frags queued.  Much better than crash :-/

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/netfilter/nf_conntrack_reasm.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 2ed8536e10b6..611d406c4656 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -598,8 +598,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
 	    fq->q.meat == fq->q.len &&
 	    nf_ct_frag6_reasm(fq, skb, dev))
 		ret = 0;
-	else
-		skb_dst_drop(skb);
 
 out_unlock:
 	spin_unlock_bh(&fq->q.lock);
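Review bot: removing the "else skb_dst_drop(skb);" branch in nf_ct_frag6_gather() brings back the delayed netns teardown the commit message mentions, and the message carries no Link: or reference to the crash report it is based on. Add a pointer to Florian's mail so the trade-off behind the revert can be traced from the stable tree.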
-- 
2.17.1





* [PATCH 4.14 113/143] perf tools: Disable parallelism for make clean
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 112/143] Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing" Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:34 ` [PATCH 4.14 114/143] drm/i915/gvt: fix memory leak of a cmd_entry struct on error exit path Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Jiri Olsa,
	Alexander Shishkin, Namhyung Kim, Peter Zijlstra,
	Arnaldo Carvalho de Melo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit da15fc2fa9c07b23db8f5e479bd8a9f0d741ca07 ]

The Yocto build system does a 'make clean' when rebuilding due to
changed dependencies, and that consistently fails for me (causing the
whole BSP build to fail) with errors such as

| find: '[...]/perf/1.0-r9/perf-1.0/plugin_mac80211.so': No such file or directory
| find: '[...]/perf/1.0-r9/perf-1.0/plugin_mac80211.so': No such file or directory
| find: find: '[...]/perf/1.0-r9/perf-1.0/libtraceevent.a''[...]/perf/1.0-r9/perf-1.0/libtraceevent.a': No such file or directory: No such file or directory
|
[...]
| find: cannot delete '/mnt/xfs/devel/pil/yocto/tmp-glibc/work/wandboard-oe-linux-gnueabi/perf/1.0-r9/perf-1.0/util/.pstack.o.cmd': No such file or directory

Apparently (despite the comment), 'make clean' ends up launching
multiple sub-makes that all want to remove the same things - perhaps
this only happens in combination with a O=... parameter. In any case, we
don't lose much by explicitly disabling the parallelism for the clean
target, and it makes automated builds much more reliable.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20180705131527.19749-1-linux@rasmusvillemoes.dk
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/perf/Makefile b/tools/perf/Makefile
index 225454416ed5..7902a5681fc8 100644
--- a/tools/perf/Makefile
+++ b/tools/perf/Makefile
@@ -84,10 +84,10 @@ endif # has_clean
 endif # MAKECMDGOALS
 
 #
-# The clean target is not really parallel, don't print the jobs info:
+# Explicitly disable parallelism for the clean target.
 #
 clean:
-	$(make)
+	$(make) -j1
 
 #
 # The build-test target is not really parallel, don't print the jobs info,
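Review bot: the rewritten comment above "clean:" says what -j1 does but not why. Add a line noting that parallel sub-makes race to remove the same files (the find errors quoted in the commit message), so the flag is not dropped later as redundant. The build-test comment directly below keeps the old wording, so the two comments now describe the same situation differently.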
-- 
2.17.1





* [PATCH 4.14 114/143] drm/i915/gvt: fix memory leak of a cmd_entry struct on error exit path
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 113/143] perf tools: Disable parallelism for make clean Greg Kroah-Hartman
@ 2018-11-02 18:34 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 115/143] bridge: do not add port to router list when receives query with source 0.0.0.0 Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Chris Wilson,
	Zhenyu Wang, Sudip Mukherjee, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

commit ffdf16edfbbe77f5f5c3c87fe8d7387ecd16241b upstream

The error exit path when a duplicate is found does not kfree the cmd_entry
struct and hence there is a small memory leak.  Fix this by kfree'ing it.

Detected by CoverityScan, CID#1370198 ("Resource Leak")

Fixes: be1da7070aea ("drm/i915/gvt: vGPU command scanner")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/gvt/cmd_parser.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/i915/gvt/cmd_parser.c
+++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c
@@ -2802,6 +2802,7 @@ static int init_cmd_table(struct intel_g
 		if (info) {
 			gvt_err("%s %s duplicated\n", e->info->name,
 					info->name);
+			kfree(e);
 			return -EEXIST;
 		}
 




* [PATCH 4.14 115/143] bridge: do not add port to router list when receives query with source 0.0.0.0
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2018-11-02 18:34 ` [PATCH 4.14 114/143] drm/i915/gvt: fix memory leak of a cmd_entry struct on error exit path Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 116/143] net: bridge: remove ipv6 zero address check in mcast queries Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ying Xu, Hangbin Liu,
	Nikolay Aleksandrov, Roopa Prabhu, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 5a2de63fd1a59c30c02526d427bc014b98adf508 upstream.

Based on RFC 4541, 2.1.1.  IGMP Forwarding Rules

  The switch supporting IGMP snooping must maintain a list of
  multicast routers and the ports on which they are attached.  This
  list can be constructed in any combination of the following ways:

  a) This list should be built by the snooping switch sending
     Multicast Router Solicitation messages as described in IGMP
     Multicast Router Discovery [MRDISC].  It may also snoop
     Multicast Router Advertisement messages sent by and to other
     nodes.

  b) The arrival port for IGMP Queries (sent by multicast routers)
     where the source address is not 0.0.0.0.

We should not add the port to the router list when it receives a query with
source 0.0.0.0.

Reported-by: Ying Xu <yinxu@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bridge/br_multicast.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1390,7 +1390,15 @@ static void br_multicast_query_received(
 		return;
 
 	br_multicast_update_query_timer(br, query, max_delay);
-	br_multicast_mark_router(br, port);
+
+	/* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
+	 * the arrival port for IGMP Queries where the source address
+	 * is 0.0.0.0 should not be added to router port list.
+	 */
+	if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
+	    (saddr->proto == htons(ETH_P_IPV6) &&
+	     !ipv6_addr_any(&saddr->u.ip6)))
+		br_multicast_mark_router(br, port);
 }
 
 static int br_ip4_multicast_query(struct net_bridge *br,
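Review bot: the new comment in br_multicast_query_received() and the commit subject speak only of 0.0.0.0, yet the condition also filters IPv6 queries through !ipv6_addr_any(&saddr->u.ip6). Mention the IPv6 case in the comment or justify it in the commit message, since RFC 4541 section 2.1.1 as quoted covers IGMP only. Note also that br_multicast_update_query_timer() still runs for a zero-source query because it precedes the check; say whether that is intended.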




* [PATCH 4.14 116/143] net: bridge: remove ipv6 zero address check in mcast queries
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 115/143] bridge: do not add port to router list when receives query with source 0.0.0.0 Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 117/143] ipv6: mcast: fix a use-after-free in inet6_mc_check Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Aleksandrov, David S. Miller,
	Hangbin Liu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 0fe5119e267f3e3d8ac206895f5922195ec55a8a upstream.

Recently a check was added which prevents marking of routers with zero
source address, but for IPv6 that cannot happen as the relevant RFCs
actually forbid such packets:
RFC 2710 (MLDv1):
"To be valid, the Query message MUST
 come from a link-local IPv6 Source Address, be at least 24 octets
 long, and have a correct MLD checksum."

Same goes for RFC 3810.

And also it can be seen as a requirement in ipv6_mc_check_mld_query()
which is used by the bridge to validate the message before processing
it. Thus any queries with :: source address won't be processed anyway.
So just remove the check for zero IPv6 source address from the query
processing function.

Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bridge/br_multicast.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1396,8 +1396,7 @@ static void br_multicast_query_received(
 	 * is 0.0.0.0 should not be added to router port list.
 	 */
 	if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
-	    (saddr->proto == htons(ETH_P_IPV6) &&
-	     !ipv6_addr_any(&saddr->u.ip6)))
+	    saddr->proto == htons(ETH_P_IPV6))
 		br_multicast_mark_router(br, port);
 }
 
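Review bot: with the ipv6_addr_any() test removed, the ETH_P_IPV6 arm of the condition depends entirely on earlier validation having rejected a :: source, and the comment above it still describes only 0.0.0.0. Extend the comment to say that IPv6 queries are already validated (the commit message names ipv6_mc_check_mld_query()), otherwise the asymmetry with the IPv4 arm reads as an oversight.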




* [PATCH 4.14 117/143] ipv6: mcast: fix a use-after-free in inet6_mc_check
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 116/143] net: bridge: remove ipv6 zero address check in mcast queries Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 118/143] ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit dc012f3628eaecfb5ba68404a5c30ef501daf63d ]

syzbot found a use-after-free in inet6_mc_check [1]

The problem here is that inet6_mc_check() uses rcu
and read_lock(&iml->sflock)

So the fact that ip6_mc_leave_src() is called under RTNL
and the socket lock does not help us, we need to acquire
iml->sflock in write mode.

In the future, we should convert all this stuff to RCU.

[1]
BUG: KASAN: use-after-free in ipv6_addr_equal include/net/ipv6.h:521 [inline]
BUG: KASAN: use-after-free in inet6_mc_check+0xae7/0xb40 net/ipv6/mcast.c:649
Read of size 8 at addr ffff8801ce7f2510 by task syz-executor0/22432

CPU: 1 PID: 22432 Comm: syz-executor0 Not tainted 4.19.0-rc7+ #280
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ipv6_addr_equal include/net/ipv6.h:521 [inline]
 inet6_mc_check+0xae7/0xb40 net/ipv6/mcast.c:649
 __raw_v6_lookup+0x320/0x3f0 net/ipv6/raw.c:98
 ipv6_raw_deliver net/ipv6/raw.c:183 [inline]
 raw6_local_deliver+0x3d3/0xcb0 net/ipv6/raw.c:240
 ip6_input_finish+0x467/0x1aa0 net/ipv6/ip6_input.c:345
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:426
 ip6_mc_input+0x48a/0xd20 net/ipv6/ip6_input.c:503
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ipv6_rcv+0x120/0x640 net/ipv6/ip6_input.c:271
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
 netif_receive_skb_internal+0x12c/0x620 net/core/dev.c:5126
 napi_frags_finish net/core/dev.c:5664 [inline]
 napi_gro_frags+0x75a/0xc90 net/core/dev.c:5737
 tun_get_user+0x3189/0x4250 drivers/net/tun.c:1923
 tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1968
 call_write_iter include/linux/fs.h:1808 [inline]
 do_iter_readv_writev+0x8b0/0xa80 fs/read_write.c:680
 do_iter_write+0x185/0x5f0 fs/read_write.c:959
 vfs_writev+0x1f1/0x360 fs/read_write.c:1004
 do_writev+0x11a/0x310 fs/read_write.c:1039
 __do_sys_writev fs/read_write.c:1112 [inline]
 __se_sys_writev fs/read_write.c:1109 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 22437:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 sock_kmalloc+0x15a/0x1f0 net/core/sock.c:1983
 ip6_mc_source+0x14dd/0x1960 net/ipv6/mcast.c:427
 do_ipv6_setsockopt.isra.9+0x3afb/0x45d0 net/ipv6/ipv6_sockglue.c:743
 ipv6_setsockopt+0xbd/0x170 net/ipv6/ipv6_sockglue.c:933
 rawv6_setsockopt+0x59/0x140 net/ipv6/raw.c:1069
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3038
 __sys_setsockopt+0x1ba/0x3c0 net/socket.c:1902
 __do_sys_setsockopt net/socket.c:1913 [inline]
 __se_sys_setsockopt net/socket.c:1910 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1910
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 22430:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3813
 __sock_kfree_s net/core/sock.c:2004 [inline]
 sock_kfree_s+0x29/0x60 net/core/sock.c:2010
 ip6_mc_leave_src+0x11a/0x1d0 net/ipv6/mcast.c:2448
 __ipv6_sock_mc_close+0x20b/0x4e0 net/ipv6/mcast.c:310
 ipv6_sock_mc_close+0x158/0x1d0 net/ipv6/mcast.c:328
 inet6_release+0x40/0x70 net/ipv6/af_inet6.c:452
 __sock_release+0xd7/0x250 net/socket.c:579
 sock_close+0x19/0x20 net/socket.c:1141
 __fput+0x385/0xa30 fs/file_table.c:278
 ____fput+0x15/0x20 fs/file_table.c:309
 task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801ce7f2500
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
 192-byte region [ffff8801ce7f2500, ffff8801ce7f25c0)
The buggy address belongs to the page:
page:ffffea000739fc80 count:1 mapcount:0 mapping:ffff8801da800040 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006f6e548 ffffea000737b948 ffff8801da800040
raw: 0000000000000000 ffff8801ce7f2000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/mcast.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -2412,17 +2412,17 @@ static int ip6_mc_leave_src(struct sock
 {
 	int err;
 
-	/* callers have the socket lock and rtnl lock
-	 * so no other readers or writers of iml or its sflist
-	 */
+	write_lock_bh(&iml->sflock);
 	if (!iml->sflist) {
 		/* any-source empty exclude case */
-		return ip6_mc_del_src(idev, &iml->addr, iml->sfmode, 0, NULL, 0);
+		err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode, 0, NULL, 0);
+	} else {
+		err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode,
+				iml->sflist->sl_count, iml->sflist->sl_addr, 0);
+		sock_kfree_s(sk, iml->sflist, IP6_SFLSIZE(iml->sflist->sl_max));
+		iml->sflist = NULL;
 	}
-	err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode,
-		iml->sflist->sl_count, iml->sflist->sl_addr, 0);
-	sock_kfree_s(sk, iml->sflist, IP6_SFLSIZE(iml->sflist->sl_max));
-	iml->sflist = NULL;
+	write_unlock_bh(&iml->sflock);
 	return err;
 }
 
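Review bot: the deleted comment was the only statement of the locking rule in ip6_mc_leave_src(), and the write_lock_bh(&iml->sflock) that replaces it has none. Add a one-line comment that sflock is taken in write mode because inet6_mc_check() walks sflist under read_lock(&iml->sflock) without the socket lock or RTNL. It is also worth confirming that ip6_mc_del_src() is safe to call with bottom halves disabled and sflock held, since both calls now sit inside the locked region.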




* [PATCH 4.14 118/143] ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 117/143] ipv6: mcast: fix a use-after-free in inet6_mc_check Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 119/143] llc: set SOCK_RCU_FREE in llc_sap_add_socket() Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefano Brivio, Sabrina Dubroca,
	David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

[ Upstream commit ee1abcf689353f36d9322231b4320926096bdee0 ]

Commit a61bbcf28a8c ("[NET]: Store skb->timestamp as offset to a base
timestamp") introduces a neighbour control buffer and zeroes it out in
ndisc_rcv(), as ndisc_recv_ns() uses it.

Commit f2776ff04722 ("[IPV6]: Fix address/interface handling in UDP and
DCCP, according to the scoping architecture.") introduces the usage of the
IPv6 control buffer in protocol error handlers (e.g. inet6_iif() in
present-day __udp6_lib_err()).

Now, with commit b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate
redirect, instead of rt6_redirect()."), we call protocol error handlers
from ndisc_redirect_rcv(), after the control buffer is already stolen and
some parts are already zeroed out. This implies that inet6_iif() on this
path will always return zero.

This gives unexpected results on UDP socket lookup in __udp6_lib_err(), as
we might actually need to match sockets for a given interface.

Instead of always claiming the control buffer in ndisc_rcv(), do that only
when needed.

Fixes: b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate redirect, instead of rt6_redirect().")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ndisc.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1722,10 +1722,9 @@ int ndisc_rcv(struct sk_buff *skb)
 		return 0;
 	}
 
-	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
-
 	switch (msg->icmph.icmp6_type) {
 	case NDISC_NEIGHBOUR_SOLICITATION:
+		memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
 		ndisc_recv_ns(skb);
 		break;
 
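Review bot: moving the memset() into the NDISC_NEIGHBOUR_SOLICITATION case of ndisc_rcv() means every other message type now reaches its handler with NEIGH_CB(skb) left as it arrived. The commit message says ndisc_recv_ns() is the user, so put a comment at the memset stating that only the NS path claims the control buffer, and confirm that no other handler in the switch reads it.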




* [PATCH 4.14 119/143] llc: set SOCK_RCU_FREE in llc_sap_add_socket()
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 118/143] ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 120/143] net: fec: dont dump RX FIFO register when not available Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+11e05f04c15e03be5254,
	Cong Wang, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 5a8e7aea953bdb6d4da13aff6f1e7f9c62023499 ]

When an llc sock is added into the sk_laddr_hash of an llc_sap,
it is not marked with SOCK_RCU_FREE.

This causes that the sock could be freed while it is still being
read by __llc_lookup_established() with RCU read lock. sock is
refcounted, but with RCU read lock, nothing prevents the readers
getting a zero refcnt.

Fix it by setting SOCK_RCU_FREE in llc_sap_add_socket().

Reported-by: syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/llc/llc_conn.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -734,6 +734,7 @@ void llc_sap_add_socket(struct llc_sap *
 	llc_sk(sk)->sap = sap;
 
 	spin_lock_bh(&sap->sk_lock);
+	sock_set_flag(sk, SOCK_RCU_FREE);
 	sap->sk_count++;
 	sk_nulls_add_node_rcu(sk, laddr_hb);
 	hlist_add_head(&llc->dev_hash_node, dev_hb);
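Review bot: sock_set_flag(sk, SOCK_RCU_FREE) is added to llc_sap_add_socket() without a comment, and its position before sk_nulls_add_node_rcu() is what makes it effective for lockless readers. Add a short comment tying the flag to the RCU lookup in __llc_lookup_established() so that a later reordering does not publish the socket before the flag is set.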




* [PATCH 4.14 120/143] net: fec: dont dump RX FIFO register when not available
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 119/143] llc: set SOCK_RCU_FREE in llc_sap_add_socket() Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 121/143] net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Fugang Duan, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fugang Duan <fugang.duan@nxp.com>

[ Upstream commit ec20a63aa8b8ec3223fb25cdb2a49f9f9dfda88c ]

Commit db65f35f50e0 ("net: fec: add support of ethtool get_regs") introduced the
ethtool "--register-dump" interface to dump all FEC registers.

But not all silicon implementations of the Freescale FEC hardware module
have the FRBR (FIFO Receive Bound Register) and FRSR (FIFO Receive Start
Register) register, so we should not be trying to dump them on those that
don't.

To fix it we create a quirk flag, FEC_QUIRK_HAS_RFREG, and check it before
dumping those RX FIFO registers.

Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/freescale/fec.h      |    4 ++++
 drivers/net/ethernet/freescale/fec_main.c |   16 ++++++++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/freescale/fec.h
+++ b/drivers/net/ethernet/freescale/fec.h
@@ -451,6 +451,10 @@ struct bufdesc_ex {
  * initialisation.
  */
 #define FEC_QUIRK_MIB_CLEAR		(1 << 15)
+/* Only i.MX25/i.MX27/i.MX28 controller supports FRBR,FRSR registers,
+ * those FIFO receive registers are resolved in other platforms.
+ */
+#define FEC_QUIRK_HAS_FRREG		(1 << 16)
 
 struct bufdesc_prop {
 	int qid;
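Review bot: the new define in fec.h is spelled FEC_QUIRK_HAS_FRREG while the commit message calls it FEC_QUIRK_HAS_RFREG; make the two agree so the flag can be found by searching for the name in the log. In the added comment, "resolved in other platforms" presumably means "reserved", and "FRBR,FRSR" wants a space after the comma.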
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -89,14 +89,16 @@ static struct platform_device_id fec_dev
 		.driver_data = 0,
 	}, {
 		.name = "imx25-fec",
-		.driver_data = FEC_QUIRK_USE_GASKET | FEC_QUIRK_MIB_CLEAR,
+		.driver_data = FEC_QUIRK_USE_GASKET | FEC_QUIRK_MIB_CLEAR |
+			       FEC_QUIRK_HAS_FRREG,
 	}, {
 		.name = "imx27-fec",
-		.driver_data = FEC_QUIRK_MIB_CLEAR,
+		.driver_data = FEC_QUIRK_MIB_CLEAR | FEC_QUIRK_HAS_FRREG,
 	}, {
 		.name = "imx28-fec",
 		.driver_data = FEC_QUIRK_ENET_MAC | FEC_QUIRK_SWAP_FRAME |
-				FEC_QUIRK_SINGLE_MDIO | FEC_QUIRK_HAS_RACC,
+				FEC_QUIRK_SINGLE_MDIO | FEC_QUIRK_HAS_RACC |
+				FEC_QUIRK_HAS_FRREG,
 	}, {
 		.name = "imx6q-fec",
 		.driver_data = FEC_QUIRK_ENET_MAC | FEC_QUIRK_HAS_GBIT |
@@ -2166,7 +2168,13 @@ static void fec_enet_get_regs(struct net
 	memset(buf, 0, regs->len);
 
 	for (i = 0; i < ARRAY_SIZE(fec_enet_register_offset); i++) {
-		off = fec_enet_register_offset[i] / 4;
+		off = fec_enet_register_offset[i];
+
+		if ((off == FEC_R_BOUND || off == FEC_R_FSTART) &&
+		    !(fep->quirks & FEC_QUIRK_HAS_FRREG))
+			continue;
+
+		off >>= 2;
 		buf[off] = readl(&theregs[off]);
 	}
 }
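Review bot: in fec_enet_get_regs() the variable off now holds a byte offset for the FEC_R_BOUND / FEC_R_FSTART comparison and then a word index after "off >>= 2"; use two variables so the unit is clear at each use. Registers skipped by the continue keep the zero written by memset(), so the dump cannot distinguish "not present" from a register that reads 0; say so in a comment at the check.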




* [PATCH 4.14 121/143] net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Ahern, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <dsahern@gmail.com>

[ Upstream commit 4ba4c566ba8448a05e6257e0b98a21f1a0d55315 ]

The loop wants to skip previously dumped addresses, so loops until
current index >= saved index. If the message fills it wants to save
the index for the next address to dump - ie., the one that did not
fit in the current message.

Currently, it is incrementing the index counter before comparing to the
saved index, and then the saved index is off by 1 - it assumes the
current address is going to fit in the message.

Change the index handling to increment only after a successful dump.

Fixes: 502a2ffd7376a ("ipv6: convert idev_list to list macros")
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/addrconf.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4793,8 +4793,8 @@ static int in6_dump_addrs(struct inet6_d
 
 		/* unicast address incl. temp addr */
 		list_for_each_entry(ifa, &idev->addr_list, if_list) {
-			if (++ip_idx < s_ip_idx)
-				continue;
+			if (ip_idx < s_ip_idx)
+				goto next;
 			err = inet6_fill_ifaddr(skb, ifa,
 						NETLINK_CB(cb->skb).portid,
 						cb->nlh->nlmsg_seq,
@@ -4803,6 +4803,8 @@ static int in6_dump_addrs(struct inet6_d
 			if (err < 0)
 				break;
 			nl_dump_check_consistent(cb, nlmsg_hdr(skb));
+next:
+			ip_idx++;
 		}
 		break;
 	}
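
Review bot: the placement of the next: label is what makes this fix work, and nothing in the code says so. Because the break on err < 0 leaves the loop without reaching ip_idx++, ip_idx stays at the address that did not fit, which is the value the commit message wants saved. A short comment at next: would guard against someone moving the increment back to the top of the loop. The context comment in the first hunk says this loop covers unicast addresses only; if the other address loops in in6_dump_addrs() use the same ++ip_idx < s_ip_idx test, they need the same change.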




* [PATCH 4.14 122/143] net: sched: gred: pass the right attribute to gred_change_table_def()
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit 38b4f18d56372e1e21771ab7b0357b853330186c ]

gred_change_table_def() takes a pointer to TCA_GRED_DPS attribute,
and expects it will be able to interpret its contents as
struct tc_gred_sopt.  Pass the correct gred attribute, instead of
TCA_OPTIONS.

This bug meant the table definition could never be changed after
Qdisc was initialized (unless whatever TCA_OPTIONS contained both
passed netlink validation and was a valid struct tc_gred_sopt...).

Old behaviour:
$ ip link add type dummy
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0
RTNETLINK answers: Invalid argument

Now:
$ ip link add type dummy
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0

Fixes: f62d6b936df5 ("[PKT_SCHED]: GRED: Use central VQ change procedure")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_gred.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -411,7 +411,7 @@ static int gred_change(struct Qdisc *sch
 	if (tb[TCA_GRED_PARMS] == NULL && tb[TCA_GRED_STAB] == NULL) {
 		if (tb[TCA_GRED_LIMIT] != NULL)
 			sch->limit = nla_get_u32(tb[TCA_GRED_LIMIT]);
-		return gred_change_table_def(sch, opt);
+		return gred_change_table_def(sch, tb[TCA_GRED_DPS]);
 	}
 
 	if (tb[TCA_GRED_PARMS] == NULL ||
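
Review bot: tb[TCA_GRED_DPS] is passed to gred_change_table_def() without a NULL check, while tb[TCA_GRED_LIMIT] two lines above is tested before use. In this branch only TCA_GRED_PARMS and TCA_GRED_STAB are known to be absent, so a request carrying just TCA_GRED_LIMIT reaches the call with a NULL attribute. Please confirm that gred_change_table_def() rejects NULL, or add the check at the call site.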




* [PATCH 4.14 123/143] net: socket: fix a missing-check bug
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

[ Upstream commit b6168562c8ce2bd5a30e213021650422e08764dc ]

In ethtool_ioctl(), the ioctl command 'ethcmd' is checked through a switch
statement to see whether it is necessary to pre-process the ethtool
structure, because, as mentioned in the comment, the structure
ethtool_rxnfc is defined with padding. If yes, a user-space buffer 'rxnfc'
is allocated through compat_alloc_user_space(). One thing to note here is
that, if 'ethcmd' is ETHTOOL_GRXCLSRLALL, the size of the buffer 'rxnfc' is
partially determined by 'rule_cnt', which is actually acquired from the
user-space buffer 'compat_rxnfc', i.e., 'compat_rxnfc->rule_cnt', through
get_user(). After 'rxnfc' is allocated, the data in the original user-space
buffer 'compat_rxnfc' is then copied to 'rxnfc' through copy_in_user(),
including the 'rule_cnt' field. However, after this copy, no check is
re-enforced on 'rxnfc->rule_cnt'. So it is possible that a malicious user
races to change the value in the 'compat_rxnfc->rule_cnt' between these two
copies. Through this way, the attacker can bypass the previous check on
'rule_cnt' and inject malicious data. This can cause undefined behavior of
the kernel and introduce potential security risk.

This patch avoids the above issue via copying the value acquired by
get_user() to 'rxnfc->rule_cnt', if 'ethcmd' is ETHTOOL_GRXCLSRLALL.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/socket.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/net/socket.c
+++ b/net/socket.c
@@ -2879,9 +2879,14 @@ static int ethtool_ioctl(struct net *net
 		    copy_in_user(&rxnfc->fs.ring_cookie,
 				 &compat_rxnfc->fs.ring_cookie,
 				 (void __user *)(&rxnfc->fs.location + 1) -
-				 (void __user *)&rxnfc->fs.ring_cookie) ||
-		    copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
-				 sizeof(rxnfc->rule_cnt)))
+				 (void __user *)&rxnfc->fs.ring_cookie))
+			return -EFAULT;
+		if (ethcmd == ETHTOOL_GRXCLSRLALL) {
+			if (put_user(rule_cnt, &rxnfc->rule_cnt))
+				return -EFAULT;
+		} else if (copy_in_user(&rxnfc->rule_cnt,
+					&compat_rxnfc->rule_cnt,
+					sizeof(rxnfc->rule_cnt)))
 			return -EFAULT;
 	}
 
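
Review bot: the ETHTOOL_GRXCLSRLALL branch writes the already-fetched rule_cnt with put_user() while every other command still takes the copy_in_user() path, and the reason for the split is not stated in the code. A comment on the if (ethcmd == ETHTOOL_GRXCLSRLALL) line saying that rule_cnt was used to size the rxnfc buffer and must therefore not be re-read from compat_rxnfc would keep a later cleanup from merging the two branches back into a single copy_in_user().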




* [PATCH 4.14 124/143] net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Niklas Cassel, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Niklas Cassel <niklas.cassel@linaro.org>

[ Upstream commit 30549aab146ccb1275230c3b4b4bc6b4181fd54e ]

When building stmmac, it is only possible to select CONFIG_DWMAC_GENERIC,
or any of the glue drivers, when CONFIG_STMMAC_PLATFORM is set.
The only exception is CONFIG_STMMAC_PCI.

When calling of_mdiobus_register(), it will call our ->reset()
callback, which is set to stmmac_mdio_reset().

Most of the code in stmmac_mdio_reset() is protected by a
"#if defined(CONFIG_STMMAC_PLATFORM)", which will evaluate
to false when CONFIG_STMMAC_PLATFORM=m.

Because of this, the phy reset gpio will only be pulled when
stmmac is built as built-in, but not when built as modules.

Fix this by using "#if IS_ENABLED()" instead of "#if defined()".

Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
@@ -133,7 +133,7 @@ static int stmmac_mdio_write(struct mii_
  */
 int stmmac_mdio_reset(struct mii_bus *bus)
 {
-#if defined(CONFIG_STMMAC_PLATFORM)
+#if IS_ENABLED(CONFIG_STMMAC_PLATFORM)
 	struct net_device *ndev = bus->priv;
 	struct stmmac_priv *priv = netdev_priv(ndev);
 	unsigned int mii_address = priv->hw->mii.addr;
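
Review bot: IS_ENABLED(CONFIG_STMMAC_PLATFORM) is also true when the option is =m, so the body of stmmac_mdio_reset() is now compiled in configurations where it used to be empty. Please confirm that everything inside the guarded block resolves when this file is built in and the platform glue is a module, i.e. that the block only uses data reachable through priv, as the visible priv->hw->mii.addr access does.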




* [PATCH 4.14 125/143] net: udp: fix handling of CHECKSUM_COMPLETE packets
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sam Kumar, Eric Dumazet,
	Sean Tranchetti, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Tranchetti <stranche@codeaurora.org>

[ Upstream commit db4f1be3ca9b0ef7330763d07bf4ace83ad6f913 ]

Current handling of CHECKSUM_COMPLETE packets by the UDP stack is
incorrect for any packet that has an incorrect checksum value.

udp4/6_csum_init() will both make a call to
__skb_checksum_validate_complete() to initialize/validate the csum
field when receiving a CHECKSUM_COMPLETE packet. When this packet
fails validation, skb->csum will be overwritten with the pseudoheader
checksum so the packet can be fully validated by software, but the
skb->ip_summed value will be left as CHECKSUM_COMPLETE so that way
the stack can later warn the user about their hardware spewing bad
checksums. Unfortunately, leaving the SKB in this state can cause
problems later on in the checksum calculation.

Since the packet is still marked as CHECKSUM_COMPLETE,
udp_csum_pull_header() will SUBTRACT the checksum of the UDP header
from skb->csum instead of adding it, leaving us with a garbage value
in that field. Once we try to copy the packet to userspace in the
udp4/6_recvmsg(), we'll make a call to skb_copy_and_csum_datagram_msg()
to checksum the packet data and add it in the garbage skb->csum value
to perform our final validation check.

Since the value we're validating is not the proper checksum, it's possible
that the folded value could come out to 0, causing us not to drop the
packet. Instead, we believe that the packet was checksummed incorrectly
by hardware since skb->ip_summed is still CHECKSUM_COMPLETE, and we attempt
to warn the user with netdev_rx_csum_fault(skb->dev);

Unfortunately, since this is the UDP path, skb->dev has been overwritten
by skb->dev_scratch and is no longer a valid pointer, so we end up
reading invalid memory.

This patch addresses this problem in two ways:
	1) Do not use the dev pointer when calling netdev_rx_csum_fault()
	   from skb_copy_and_csum_datagram_msg(). Since this gets called
	   from the UDP path where skb->dev has been overwritten, we have
	   no way of knowing if the pointer is still valid. Also for the
	   sake of consistency with the other uses of
	   netdev_rx_csum_fault(), don't attempt to call it if the
	   packet was checksummed by software.

	2) Add better CHECKSUM_COMPLETE handling to udp4/6_csum_init().
	   If we receive a packet that's CHECKSUM_COMPLETE that fails
	   verification (i.e. skb->csum_valid == 0), check who performed
	   the calculation. It's possible that the checksum was done in
	   software by the network stack earlier (such as Netfilter's
	   CONNTRACK module), and if that says the checksum is bad,
	   we can drop the packet immediately instead of waiting until
	   we try and copy it to userspace. Otherwise, we need to
	   mark the SKB as CHECKSUM_NONE, since the skb->csum field
	   no longer contains the full packet checksum after the
	   call to __skb_checksum_validate_complete().

Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Fixes: c84d949057ca ("udp: copy skb->truesize in the first cache line")
Cc: Sam Kumar <samanthakumar@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/datagram.c     |    5 +++--
 net/ipv4/udp.c          |   20 ++++++++++++++++++--
 net/ipv6/ip6_checksum.c |   20 ++++++++++++++++++--
 3 files changed, 39 insertions(+), 6 deletions(-)

--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -810,8 +810,9 @@ int skb_copy_and_csum_datagram_msg(struc
 			return -EINVAL;
 		}
 
-		if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE))
-			netdev_rx_csum_fault(skb->dev);
+		if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE) &&
+		    !skb->csum_complete_sw)
+			netdev_rx_csum_fault(NULL);
 	}
 	return 0;
 fault:
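
Review bot: netdev_rx_csum_fault(NULL) is only safe if that function tolerates a NULL device, and the warning it emits can no longer name the interface that produced the bad checksum. Please confirm the NULL handling and add a comment here saying that skb->dev is not valid on this path. Minor style point: unlikely() now wraps only the ip_summed test; wrapping the whole condition, unlikely(skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_complete_sw), would match the intent.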
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2045,8 +2045,24 @@ static inline int udp4_csum_init(struct
 	/* Note, we are only interested in != 0 or == 0, thus the
 	 * force to int.
 	 */
-	return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check,
-							 inet_compute_pseudo);
+	err = (__force int)skb_checksum_init_zero_check(skb, proto, uh->check,
+							inet_compute_pseudo);
+	if (err)
+		return err;
+
+	if (skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_valid) {
+		/* If SW calculated the value, we know it's bad */
+		if (skb->csum_complete_sw)
+			return 1;
+
+		/* HW says the value is bad. Let's validate that.
+		 * skb->csum is no longer the full packet checksum,
+		 * so don't treat it as such.
+		 */
+		skb_checksum_complete_unset(skb);
+	}
+
+	return 0;
 }
 
 /* wrapper for udp_queue_rcv_skb tacking care of csum conversion and
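
Review bot: err is assigned in udp4_csum_init() but this hunk adds no declaration for it, so the build depends on an int err that already exists earlier in the function; worth confirming for the 4.14 backport. The new block is also repeated line for line in udp6_csum_init(); a shared helper taking the skb would keep the two copies from drifting. The return 1 relies on callers testing only for non-zero, as the comment above the call says.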
--- a/net/ipv6/ip6_checksum.c
+++ b/net/ipv6/ip6_checksum.c
@@ -88,8 +88,24 @@ int udp6_csum_init(struct sk_buff *skb,
 	 * Note, we are only interested in != 0 or == 0, thus the
 	 * force to int.
 	 */
-	return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check,
-							 ip6_compute_pseudo);
+	err = (__force int)skb_checksum_init_zero_check(skb, proto, uh->check,
+							ip6_compute_pseudo);
+	if (err)
+		return err;
+
+	if (skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_valid) {
+		/* If SW calculated the value, we know it's bad */
+		if (skb->csum_complete_sw)
+			return 1;
+
+		/* HW says the value is bad. Let's validate that.
+		 * skb->csum is no longer the full packet checksum,
+		 * so don't treat is as such.
+		 */
+		skb_checksum_complete_unset(skb);
+	}
+
+	return 0;
 }
 EXPORT_SYMBOL(udp6_csum_init);
 
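
Review bot: the added comment reads "so don't treat is as such", where the IPv4 copy of the same comment has "treat it as such"; please fix the typo. As in udp4_csum_init(), err is assigned without a declaration in this hunk, so confirm one exists earlier in udp6_csum_init().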




* [PATCH 4.14 126/143] r8169: fix NAPI handling under high load
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heiner Kallweit, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiner Kallweit <hkallweit1@gmail.com>

[ Upstream commit 6b839b6cf9eada30b086effb51e5d6076bafc761 ]

rtl_rx() and rtl_tx() are called only if the respective bits are set
in the interrupt status register. Under high load NAPI may not be
able to process all data (work_done == budget) and it will schedule
subsequent calls to the poll callback.
rtl_ack_events() however resets the bits in the interrupt status
register, therefore subsequent calls to rtl8169_poll() won't call
rtl_rx() and rtl_tx() - chip interrupts are still disabled.

Fix this by calling rtl_rx() and rtl_tx() independent of the bits
set in the interrupt status register. Both functions will detect
if there's nothing to do for them.

Fixes: da78dbff2e05 ("r8169: remove work from irq handler.")
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/realtek/r8169.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -7579,17 +7579,15 @@ static int rtl8169_poll(struct napi_stru
 	struct rtl8169_private *tp = container_of(napi, struct rtl8169_private, napi);
 	struct net_device *dev = tp->dev;
 	u16 enable_mask = RTL_EVENT_NAPI | tp->event_slow;
-	int work_done= 0;
+	int work_done;
 	u16 status;
 
 	status = rtl_get_events(tp);
 	rtl_ack_events(tp, status & ~tp->event_slow);
 
-	if (status & RTL_EVENT_NAPI_RX)
-		work_done = rtl_rx(dev, tp, (u32) budget);
+	work_done = rtl_rx(dev, tp, (u32) budget);
 
-	if (status & RTL_EVENT_NAPI_TX)
-		rtl_tx(dev, tp);
+	rtl_tx(dev, tp);
 
 	if (status & tp->event_slow) {
 		enable_mask &= ~tp->event_slow;
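
Review bot: with the RTL_EVENT_NAPI_RX and RTL_EVENT_NAPI_TX tests removed, rtl8169_poll() gives no hint why rtl_rx() and rtl_tx() run unconditionally, and the removed tests look like an obvious optimisation to put back. A comment above work_done = rtl_rx(...) saying that a rescheduled poll sees status bits already cleared by rtl_ack_events() would document it. status is still needed for the event_slow handling below, so that use is fine.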




* [PATCH 4.14 127/143] sctp: fix race on sctp_id2asoc
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c7dd55d7aec49d48e49a,
	Dmitry Vyukov, Marcelo Ricardo Leitner, Neil Horman,
	David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

[ Upstream commit b336decab22158937975293aea79396525f92bb3 ]

syzbot reported a use-after-free involving sctp_id2asoc.  Dmitry Vyukov
helped to root cause it and it is because of reading the asoc after it
was freed:

        CPU 1                       CPU 2
(working on socket 1)            (working on socket 2)
	                         sctp_association_destroy
sctp_id2asoc
   spin lock
     grab the asoc from idr
   spin unlock
                                   spin lock
				     remove asoc from idr
				   spin unlock
				   free(asoc)
   if asoc->base.sk != sk ... [*]

This can only be hit if trying to fetch asocs from different sockets. As
we have a single IDR for all asocs, in all SCTP sockets, their id is
unique on the system. An application can try to send stuff on an id
that matches on another socket, and the if in [*] will protect from such
usage. But it didn't consider that as that asoc may belong to another
socket, it may be freed in parallel (read: under another socket lock).

We fix it by moving the checks in [*] into the protected region. This
fixes it because the asoc cannot be freed while the lock is held.

Reported-by: syzbot+c7dd55d7aec49d48e49a@syzkaller.appspotmail.com
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -250,11 +250,10 @@ struct sctp_association *sctp_id2assoc(s
 
 	spin_lock_bh(&sctp_assocs_id_lock);
 	asoc = (struct sctp_association *)idr_find(&sctp_assocs_id, (int)id);
+	if (asoc && (asoc->base.sk != sk || asoc->base.dead))
+		asoc = NULL;
 	spin_unlock_bh(&sctp_assocs_id_lock);
 
-	if (!asoc || (asoc->base.sk != sk) || asoc->base.dead)
-		return NULL;
-
 	return asoc;
 }
 
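
Review bot: the asoc pointer is still returned after spin_unlock_bh(), so it stays valid only because the check now done under the lock guarantees asoc->base.sk == sk. That dependency deserves a comment next to the new if, stating that the returned association is kept alive by the caller's hold on sk and not by sctp_assocs_id_lock; without it the function reads as if the IDR lock alone protected the result.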




* [PATCH 4.14 128/143] udp6: fix encap return code for resubmitting
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Abeni, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 84dad55951b0d009372ec21760b650634246e144 ]

The commit eb63f2964dbe ("udp6: add missing checks on edumux packet
processing") used the same return code convention of the ipv4 counterpart,
but ipv6 uses the opposite one: positive values mean resubmit.

This change addresses the issue, using positive return value for
resubmitting. Also update the related comment, which was broken, too.

Fixes: eb63f2964dbe ("udp6: add missing checks on edumux packet processing")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/udp.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -794,11 +794,9 @@ static int udp6_unicast_rcv_skb(struct s
 
 	ret = udpv6_queue_rcv_skb(sk, skb);
 
-	/* a return value > 0 means to resubmit the input, but
-	 * it wants the return to be -protocol, or 0
-	 */
+	/* a return value > 0 means to resubmit the input */
 	if (ret > 0)
-		return -ret;
+		return ret;
 	return 0;
 }
 
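
Review bot: after this change udp6_unicast_rcv_skb() returns ret when it is positive and 0 otherwise, so negative values from udpv6_queue_rcv_skb() are silently folded into 0, and the shortened comment no longer says what the caller expects. If dropping negative values is intended, extend the comment to say so, and mention that this convention is the opposite of the IPv4 one so the sign is not "fixed" again later.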




* [PATCH 4.14 129/143] vhost: Fix Spectre V1 vulnerability
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael S. Tsirkin, Josh Poimboeuf,
	Andrea Arcangeli, Jason Wang, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Wang <jasowang@redhat.com>

[ Upstream commit ff002269a4ee9c769dbf9365acef633ebcbd6cbe ]

The idx in vhost_vring_ioctl() was controlled by userspace, hence a
potential exploitation of the Spectre variant 1 vulnerability.

Fixing this by sanitizing idx before using it to index d->vqs.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/vhost/vhost.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -30,6 +30,7 @@
 #include <linux/sched/mm.h>
 #include <linux/sched/signal.h>
 #include <linux/interval_tree_generic.h>
+#include <linux/nospec.h>
 
 #include "vhost.h"
 
@@ -1366,6 +1367,7 @@ long vhost_vring_ioctl(struct vhost_dev
 	if (idx >= d->nvqs)
 		return -ENOBUFS;
 
+	idx = array_index_nospec(idx, d->nvqs);
 	vq = d->vqs[idx];
 
 	mutex_lock(&vq->mutex);
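
Review bot: array_index_nospec() sits correctly between the idx >= d->nvqs check and the d->vqs[idx] load, but this hunk covers only vhost_vring_ioctl(). Please check whether idx or any other user-supplied index reaches d->vqs elsewhere in this file without the same clamp, and keep the clamp directly after the bounds check so the two are not separated by later edits.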




* [PATCH 4.14 130/143] virtio_net: avoid using netif_tx_disable() for serializing tx routine
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ake Koomsin, Jason Wang,
	Michael S. Tsirkin, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ake Koomsin <ake@igel.co.jp>

[ Upstream commit 05c998b738fdd3e5d6a257bcacc8f34b6284d795 ]

Commit 713a98d90c5e ("virtio-net: serialize tx routine during reset")
introduces netif_tx_disable() after netif_device_detach() in order to
avoid use-after-free of tx queues. However, there are two issues.

1) Its operation is redundant with netif_device_detach() in case the
   interface is running.
2) In case the interface is not running before suspending and
   resuming, the tx does not get resumed by netif_device_attach().
   This results in losing network connectivity.

It is better to use netif_tx_lock_bh()/netif_tx_unlock_bh() instead for
serializing tx routine during reset. This also preserves the symmetry
of netif_device_detach() and netif_device_attach().

Fixes commit 713a98d90c5e ("virtio-net: serialize tx routine during reset")
Signed-off-by: Ake Koomsin <ake@igel.co.jp>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/virtio_net.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -1872,8 +1872,9 @@ static void virtnet_freeze_down(struct v
 	/* Make sure no work handler is accessing the device */
 	flush_work(&vi->config_work);
 
+	netif_tx_lock_bh(vi->dev);
 	netif_device_detach(vi->dev);
-	netif_tx_disable(vi->dev);
+	netif_tx_unlock_bh(vi->dev);
 	cancel_delayed_work_sync(&vi->refill);
 
 	if (netif_running(vi->dev)) {
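
Review bot: netif_tx_lock_bh()/netif_tx_unlock_bh() around netif_device_detach() replaces netif_tx_disable() with no comment explaining what the lock is for. Please add one in virtnet_freeze_down() saying that the lock serializes against the tx routine during reset, in the style of the flush_work() comment a few lines above, so the pair is not removed later as a no-op.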
@@ -1909,7 +1910,9 @@ static int virtnet_restore_up(struct vir
 		}
 	}
 
+	netif_tx_lock_bh(vi->dev);
 	netif_device_attach(vi->dev);
+	netif_tx_unlock_bh(vi->dev);
 	return err;
 }
 




* [PATCH 4.14 131/143] ethtool: fix a privilege escalation bug
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Michal Kubecek, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

[ Upstream commit 58f5bbe331c566f49c9559568f982202a278aa78 ]

In dev_ethtool(), the eth command 'ethcmd' is firstly copied from the
user-space buffer 'useraddr' and checked to see whether it is
ETHTOOL_PERQUEUE. If yes, the sub-command 'sub_cmd' is further copied from
the user space. Otherwise, 'sub_cmd' is the same as 'ethcmd'. Next,
according to 'sub_cmd', a permission check is enforced through the function
ns_capable(). For example, the permission check is required if 'sub_cmd' is
ETHTOOL_SCOALESCE, but it is not necessary if 'sub_cmd' is
ETHTOOL_GCOALESCE, as suggested in the comment "Allow some commands to be
done by anyone". The following execution invokes different handlers
according to 'ethcmd'. Specifically, if 'ethcmd' is ETHTOOL_PERQUEUE,
ethtool_set_per_queue() is called. In ethtool_set_per_queue(), the kernel
object 'per_queue_opt' is copied again from the user-space buffer
'useraddr' and 'per_queue_opt.sub_command' is used to determine which
operation should be performed. Given that the buffer 'useraddr' is in the
user space, a malicious user can race to change the sub-command between the
two copies. In particular, the attacker can supply ETHTOOL_PERQUEUE and
ETHTOOL_GCOALESCE to bypass the permission check in dev_ethtool(). Then
before ethtool_set_per_queue() is called, the attacker changes
ETHTOOL_GCOALESCE to ETHTOOL_SCOALESCE. In this way, the attacker can
bypass the permission check and execute ETHTOOL_SCOALESCE.

This patch enforces a check in ethtool_set_per_queue() after the second
copy from 'useraddr'. If the sub-command is different from the one obtained
in the first copy in dev_ethtool(), an error code EINVAL will be returned.

Fixes: f38d138a7da6 ("net/ethtool: support set coalesce per queue")
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/ethtool.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2410,13 +2410,17 @@ roll_back:
 	return ret;
 }
 
-static int ethtool_set_per_queue(struct net_device *dev, void __user *useraddr)
+static int ethtool_set_per_queue(struct net_device *dev,
+				 void __user *useraddr, u32 sub_cmd)
 {
 	struct ethtool_per_queue_op per_queue_opt;
 
 	if (copy_from_user(&per_queue_opt, useraddr, sizeof(per_queue_opt)))
 		return -EFAULT;
 
+	if (per_queue_opt.sub_command != sub_cmd)
+		return -EINVAL;
+
 	switch (per_queue_opt.sub_command) {
 	case ETHTOOL_GCOALESCE:
 		return ethtool_get_per_queue_coalesce(dev, useraddr, &per_queue_opt);
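
Review bot: the new `per_queue_opt.sub_command != sub_cmd` test has no comment saying that `sub_cmd` is the value dev_ethtool() already ran its permission check on, so the -EINVAL looks arbitrary to a later reader; a one-line comment above the check would help. The handlers in the switch below are still handed `useraddr` along with `&per_queue_opt`, so it is worth confirming that they take the sub-command from the kernel copy and do not read it from user memory a third time.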
@@ -2787,7 +2791,7 @@ int dev_ethtool(struct net *net, struct
 		rc = ethtool_get_phy_stats(dev, useraddr);
 		break;
 	case ETHTOOL_PERQUEUE:
-		rc = ethtool_set_per_queue(dev, useraddr);
+		rc = ethtool_set_per_queue(dev, useraddr, sub_cmd);
 		break;
 	case ETHTOOL_GLINKSETTINGS:
 		rc = ethtool_get_link_ksettings(dev, useraddr);



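The double fetch described in the ethtool changelog above, as an added user-space model (not kernel code and not part of the patch). The sim_* names, the command numbers and the deterministic "rewrite after the first fetch" hook are assumptions that stand in for a concurrent writer to the user buffer; the model also folds the two small reads in dev_ethtool() into one fetch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in command numbers for this model (not the kernel's values). */
enum { SIM_PERQUEUE = 1, SIM_GCOALESCE = 2, SIM_SCOALESCE = 3 };
enum { SIM_GET_DONE = 0, SIM_SET_DONE = 1 };

struct sim_per_queue_op {
	uint32_t cmd;
	uint32_t sub_command;
};

/* Models the user-space buffer. When rewrite_to is non-zero, the
 * sub-command changes right after the first fetch, as a racing writer
 * in user space could arrange. */
struct sim_user_buf {
	struct sim_per_queue_op op;
	uint32_t rewrite_to;
	int fetches;
};

static void sim_copy_from_user(struct sim_per_queue_op *dst,
			       struct sim_user_buf *u)
{
	*dst = u->op;
	if (++u->fetches == 1 && u->rewrite_to)
		u->op.sub_command = u->rewrite_to;
}

/* Second fetch. With enforce_match set, this is the check the patch adds:
 * the re-read sub-command must equal the one that was permission-checked. */
static int sim_set_per_queue(struct sim_user_buf *u, uint32_t checked_sub_cmd,
			     int enforce_match)
{
	struct sim_per_queue_op op;

	sim_copy_from_user(&op, u);
	if (enforce_match && op.sub_command != checked_sub_cmd)
		return -EINVAL;

	switch (op.sub_command) {
	case SIM_GCOALESCE:
		return SIM_GET_DONE;
	case SIM_SCOALESCE:
		return SIM_SET_DONE;
	default:
		return -EOPNOTSUPP;
	}
}

/* First fetch plus the permission decision, which is keyed on that
 * first fetch only. */
static int sim_dev_ethtool(struct sim_user_buf *u, int has_cap,
			   int enforce_match)
{
	struct sim_per_queue_op first;
	uint32_t sub_cmd;

	sim_copy_from_user(&first, u);
	sub_cmd = (first.cmd == SIM_PERQUEUE) ? first.sub_command : first.cmd;

	/* "Allow some commands to be done by anyone": only the get is open. */
	if (sub_cmd != SIM_GCOALESCE && !has_cap)
		return -EPERM;
	if (first.cmd != SIM_PERQUEUE)
		return -EOPNOTSUPP;
	return sim_set_per_queue(u, sub_cmd, enforce_match);
}

/* Runs one request: sub is the initial sub-command, rewrite_to the value
 * written after the first fetch (0 for a well-behaved caller). */
static int sim_run(uint32_t sub, uint32_t rewrite_to, int has_cap,
		   int enforce_match)
{
	struct sim_user_buf u = { { SIM_PERQUEUE, sub }, rewrite_to, 0 };

	return sim_dev_ethtool(&u, has_cap, enforce_match);
}

int main(void)
{
	printf("no check, unprivileged, buffer rewritten: %d\n",
	       sim_run(SIM_GCOALESCE, SIM_SCOALESCE, 0, 0));
	printf("check,    unprivileged, buffer rewritten: %d\n",
	       sim_run(SIM_GCOALESCE, SIM_SCOALESCE, 0, 1));
	printf("check,    unprivileged set request:       %d\n",
	       sim_run(SIM_SCOALESCE, 0, 0, 1));
	printf("check,    privileged set request:         %d\n",
	       sim_run(SIM_SCOALESCE, 0, 1, 1));
	return 0;
}
```

The comparison detects the mismatch without removing the second read; copying the request once and passing the kernel copy down is the other common way to close this class of bug.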

* [PATCH 4.14 132/143] bonding: fix length of actor system
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 131/143] ethtool: fix a privilege escalation bug Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 133/143] ip6_tunnel: Fix encapsulation layout Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tobias Jungel, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Jungel <tobias.jungel@gmail.com>

[ Upstream commit 414dd6fb9a1a1b59983aea7bf0f79f0085ecc5b8 ]

The attribute IFLA_BOND_AD_ACTOR_SYSTEM is sent to user space having the
length of sizeof(bond->params.ad_actor_system) which is 8 byte. This
patch aligns the length to ETH_ALEN to have the same MAC address exposed
as using sysfs.

Fixes: f87fda00b6ed2 ("bonding: prevent out of bound accesses")
Signed-off-by: Tobias Jungel <tobias.jungel@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/bonding/bond_netlink.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -638,8 +638,7 @@ static int bond_fill_info(struct sk_buff
 				goto nla_put_failure;
 
 			if (nla_put(skb, IFLA_BOND_AD_ACTOR_SYSTEM,
-				    sizeof(bond->params.ad_actor_system),
-				    &bond->params.ad_actor_system))
+				    ETH_ALEN, &bond->params.ad_actor_system))
 				goto nla_put_failure;
 		}
 		if (!bond_3ad_get_active_agg_info(bond, &info)) {
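
Review bot: `nla_put()` now sends ETH_ALEN bytes from `&bond->params.ad_actor_system`, which the changelog says is an 8-byte field, so the length no longer matches the object it is read from and nothing in the code says why. A short comment that only the MAC-sized prefix is exported, to match sysfs, would stop someone restoring `sizeof()` later; the changelog should also mention that user space sees a shorter attribute than before.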




* [PATCH 4.14 133/143] ip6_tunnel: Fix encapsulation layout
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 132/143] bonding: fix length of actor system Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 134/143] openvswitch: Fix push/pop ethernet validation Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefano Brivio, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

[ Upstream commit d4d576f5ab7edcb757bb33e6a5600666a0b1232d ]

Commit 058214a4d1df ("ip6_tun: Add infrastructure for doing
encapsulation") added the ip6_tnl_encap() call in ip6_tnl_xmit(), before
the call to ipv6_push_frag_opts() to append the IPv6 Tunnel Encapsulation
Limit option (option 4, RFC 2473, par. 5.1) to the outer IPv6 header.

As long as the option didn't actually end up in generated packets, this
wasn't an issue. Then commit 89a23c8b528b ("ip6_tunnel: Fix missing tunnel
encapsulation limit option") fixed sending of this option, and the
resulting layout, e.g. for FoU, is:

.-------------------.------------.----------.-------------------.----- - -
| Outer IPv6 Header | UDP header | Option 4 | Inner IPv6 Header | Payload
'-------------------'------------'----------'-------------------'----- - -

Needless to say, FoU and GUE (at least) won't work over IPv6. The option
is appended by default, and I couldn't find a way to disable it with the
current iproute2.

Turn this into a more reasonable:

.-------------------.----------.------------.-------------------.----- - -
| Outer IPv6 Header | Option 4 | UDP header | Inner IPv6 Header | Payload
'-------------------'----------'------------'-------------------'----- - -

With this, and with 84dad55951b0 ("udp6: fix encap return code for
resubmitting"), FoU and GUE work again over IPv6.

Fixes: 058214a4d1df ("ip6_tun: Add infrastructure for doing encapsulation")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_tunnel.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1185,10 +1185,6 @@ route_lookup:
 	}
 	skb_dst_set(skb, dst);
 
-	if (encap_limit >= 0) {
-		init_tel_txopt(&opt, encap_limit);
-		ipv6_push_frag_opts(skb, &opt.ops, &proto);
-	}
 	hop_limit = hop_limit ? : ip6_dst_hoplimit(dst);
 
 	/* Calculate max headroom for all the headers and adjust
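
Review bot: with the `ipv6_push_frag_opts()` block removed from above the "Calculate max headroom" step, the option is pushed only after headroom has been adjusted, and the visible lines do not show whether that calculation includes the encapsulation limit option. The changelog should state that it does.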
@@ -1203,6 +1199,11 @@ route_lookup:
 	if (err)
 		return err;
 
+	if (encap_limit >= 0) {
+		init_tel_txopt(&opt, encap_limit);
+		ipv6_push_frag_opts(skb, &opt.ops, &proto);
+	}
+
 	skb_push(skb, sizeof(struct ipv6hdr));
 	skb_reset_network_header(skb);
 	ipv6h = ipv6_hdr(skb);
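
Review bot: the position of the re-added `encap_limit` block, after the `if (err) return err;` lines and before `skb_push(skb, sizeof(struct ipv6hdr))`, is what produces the corrected layout, but nothing in the code records that ordering requirement. A comment saying the option has to be pushed after the encapsulation header and before the outer IPv6 header would keep it from being moved again.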




* [PATCH 4.14 134/143] openvswitch: Fix push/pop ethernet validation
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 133/143] ip6_tunnel: Fix encapsulation layout Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 135/143] net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jaime Caamaño Ruiz, Greg Rose,
	David S. Miller


4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Jaime Caamaño Ruiz" <jcaamano@suse.com>

[ Upstream commit 46ebe2834ba5b541f28ee72e556a3fed42c47570 ]

When there are both pop and push ethernet header actions among the
actions to be applied to a packet, an unexpected EINVAL (Invalid
argument) error is obtained. This is due to mac_proto not being reset
correctly when those actions are validated.

Reported-at:
https://mail.openvswitch.org/pipermail/ovs-discuss/2018-October/047554.html
Fixes: 91820da6ae85 ("openvswitch: add Ethernet push and pop actions")
Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/openvswitch/flow_netlink.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2622,7 +2622,7 @@ static int __ovs_nla_copy_actions(struct
 			 * is already present */
 			if (mac_proto != MAC_PROTO_NONE)
 				return -EINVAL;
-			mac_proto = MAC_PROTO_NONE;
+			mac_proto = MAC_PROTO_ETHERNET;
 			break;
 
 		case OVS_ACTION_ATTR_POP_ETH:
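
Review bot: no regression test accompanies the corrected `mac_proto = MAC_PROTO_ETHERNET` assignment in the push case; a validation test with both pop and push actions, the case the changelog describes, would have caught the inverted state update. The existing comment ending "is already present" only explains the rejection, so a line noting that the packet carries an Ethernet header after the push would make the assignment self-explanatory.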
@@ -2630,7 +2630,7 @@ static int __ovs_nla_copy_actions(struct
 				return -EINVAL;
 			if (vlan_tci & htons(VLAN_TAG_PRESENT))
 				return -EINVAL;
-			mac_proto = MAC_PROTO_ETHERNET;
+			mac_proto = MAC_PROTO_NONE;
 			break;
 
 		default:




* [PATCH 4.14 135/143] net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 134/143] openvswitch: Fix push/pop ethernet validation Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 136/143] net: sched: Fix for duplicate class dump Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huy Nguyen, Eli Cohen, Saeed Mahameed

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huy Nguyen <huyn@mellanox.com>

[ Upstream commit a48bc513159d4767f9988f0d857b2b0c38a4d614 ]

The HW spec defines only bits 24-26 of pftype_wq as the page fault type,
use the required mask to ensure that.

Fixes: d9aaed838765 ("{net,IB}/mlx5: Refactor page fault handling")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Signed-off-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/eq.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
@@ -262,7 +262,7 @@ static void eq_pf_process(struct mlx5_eq
 		case MLX5_PFAULT_SUBTYPE_WQE:
 			/* WQE based event */
 			pfault->type =
-				be32_to_cpu(pf_eqe->wqe.pftype_wq) >> 24;
+				(be32_to_cpu(pf_eqe->wqe.pftype_wq) >> 24) & 0x7;
 			pfault->token =
 				be32_to_cpu(pf_eqe->wqe.token);
 			pfault->wqe.wq_num =
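
Review bot: the bare `0x7` in `(be32_to_cpu(pf_eqe->wqe.pftype_wq) >> 24) & 0x7` is a magic number; a named mask for the three-bit page fault type field would document the layout the changelog refers to (bits 24-26). It would also help to say what the bits above 26 carry, since they were previously folded into `pfault->type`.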




* [PATCH 4.14 136/143] net: sched: Fix for duplicate class dump
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 135/143] net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 137/143] net: drop skb on failure in ip_check_defrag() Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Sutter, Jiri Pirko,
	Eric Dumazet, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Phil Sutter <phil@nwl.cc>

[ Upstream commit 3c53ed8fef6881a864f0ee8240ed2793ef73ad0d ]

When dumping classes by parent, kernel would return classes twice:

| # tc qdisc add dev lo root prio
| # tc class show dev lo
| class prio 8001:1 parent 8001:
| class prio 8001:2 parent 8001:
| class prio 8001:3 parent 8001:
| # tc class show dev lo parent 8001:
| class prio 8001:1 parent 8001:
| class prio 8001:2 parent 8001:
| class prio 8001:3 parent 8001:
| class prio 8001:1 parent 8001:
| class prio 8001:2 parent 8001:
| class prio 8001:3 parent 8001:

This comes from qdisc_match_from_root() potentially returning the root
qdisc itself if its handle matched. Though in that case, root's classes
were already dumped a few lines above.

Fixes: cb395b2010879 ("net: sched: optimize class dumps")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_api.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1917,7 +1917,8 @@ static int tc_dump_tclass_root(struct Qd
 
 	if (tcm->tcm_parent) {
 		q = qdisc_match_from_root(root, TC_H_MAJ(tcm->tcm_parent));
-		if (q && tc_dump_tclass_qdisc(q, skb, tcm, cb, t_p, s_t) < 0)
+		if (q && q != root &&
+		    tc_dump_tclass_qdisc(q, skb, tcm, cb, t_p, s_t) < 0)
 			return -1;
 		return 0;
 	}
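
Review bot: the added `q != root` term makes the function return 0 silently when the parent handle resolves to the root qdisc, and the reason (per the changelog, root's classes were already dumped) is not in the code. A comment on the condition would help; the combined `q && q != root && ... < 0` test is also dense enough that handling the skip case on its own line would read better.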




* [PATCH 4.14 137/143] net: drop skb on failure in ip_check_defrag()
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 136/143] net: sched: Fix for duplicate class dump Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 138/143] net: fix pskb_trim_rcsum_slow() with odd trim offset Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Cong Wang, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 7de414a9dd91426318df7b63da024b2b07e53df5 ]

Most callers of pskb_trim_rcsum() simply drop the skb when
it fails, however, ip_check_defrag() still continues to pass
the skb up to stack. This is suspicious.

In ip_check_defrag(), after we learn the skb is an IP fragment,
passing the skb to callers makes no sense, because callers expect
fragments are defrag'ed on success. So, dropping the skb when we
can't defrag it is reasonable.

Note, prior to commit 88078d98d1bb, this is not a big problem as
checksum will be fixed up anyway. After it, the checksum is not
correct on failure.

Found this during code review.

Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends")
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_fragment.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -720,10 +720,14 @@ struct sk_buff *ip_check_defrag(struct n
 	if (ip_is_fragment(&iph)) {
 		skb = skb_share_check(skb, GFP_ATOMIC);
 		if (skb) {
-			if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
-				return skb;
-			if (pskb_trim_rcsum(skb, netoff + len))
-				return skb;
+			if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) {
+				kfree_skb(skb);
+				return NULL;
+			}
+			if (pskb_trim_rcsum(skb, netoff + len)) {
+				kfree_skb(skb);
+				return NULL;
+			}
 			memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
 			if (ip_defrag(net, skb, user))
 				return NULL;
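
Review bot: the two new failure branches are identical (`kfree_skb(skb); return NULL;`), so they could share one drop path, either by combining the conditions or with a label. The function now returns NULL for every failure after `skb_share_check()`, matching the existing `ip_defrag()` branch, which means callers must treat NULL as "skb consumed"; a comment saying so would make the ownership rule explicit.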




* [PATCH 4.14 138/143] net: fix pskb_trim_rcsum_slow() with odd trim offset
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 137/143] net: drop skb on failure in ip_check_defrag() Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 139/143] net/mlx5e: fix csum adjustments caused by RXFCS Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dimitris Michailidis, Eric Dumazet,
	David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dimitris Michailidis <dmichail@google.com>

[ Upstream commit d55bef5059dd057bd077155375c581b49d25be7e ]

We've been getting checksum errors involving small UDP packets, usually
59B packets with 1 extra non-zero padding byte. netdev_rx_csum_fault()
has been complaining that HW is providing bad checksums. Turns out the
problem is in pskb_trim_rcsum_slow(), introduced in commit 88078d98d1bb
("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends").

The source of the problem is that when the bytes we are trimming start
at an odd address, as in the case of the 1 padding byte above,
skb_checksum() returns a byte-swapped value. We cannot just combine this
with skb->csum using csum_sub(). We need to use csum_block_sub() here
that takes into account the parity of the start address and handles the
swapping.

Matches existing code in __skb_postpull_rcsum() and esp_remove_trailer().

Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends")
Signed-off-by: Dimitris Michailidis <dmichail@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/skbuff.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1843,8 +1843,9 @@ int pskb_trim_rcsum_slow(struct sk_buff
 	if (skb->ip_summed == CHECKSUM_COMPLETE) {
 		int delta = skb->len - len;
 
-		skb->csum = csum_sub(skb->csum,
-				     skb_checksum(skb, len, delta, 0));
+		skb->csum = csum_block_sub(skb->csum,
+					   skb_checksum(skb, len, delta, 0),
+					   len);
 	}
 	return __pskb_trim(skb, len);
 }
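
Review bot: the third argument `len` to `csum_block_sub()` carries the whole fix, yet the code has no comment saying it is the offset at which the trimmed bytes start and that its parity matters. Without that, the call looks like a candidate for simplifying back to `csum_sub()`; a short comment would prevent it.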



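The odd-offset effect described in the pskb_trim_rcsum_slow() changelog above, as an added example that is not part of the patch or the kernel source. It is a user-space model of the one's-complement arithmetic: the helper names mirror the kernel's, but the bodies, the big-endian word order and the 60-byte sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One's-complement add with end-around carry. */
static uint32_t csum_add(uint32_t a, uint32_t b)
{
	uint32_t s = a + b;

	return s + (s < b);
}

static uint32_t csum_sub(uint32_t a, uint32_t b)
{
	return csum_add(a, ~b);
}

/* When the block starts at an odd offset, rotate its sum by 8 bits first:
 * rotating the 32-bit partial sum is a byte swap of the folded 16-bit sum. */
static uint32_t csum_block_add(uint32_t a, uint32_t b, size_t offset)
{
	if (offset & 1)
		b = (b >> 8) | (b << 24);
	return csum_add(a, b);
}

static uint32_t csum_block_sub(uint32_t a, uint32_t b, size_t offset)
{
	return csum_block_add(a, ~b, offset);
}

/* Partial sum of buf[0..len), always computed as if buf began on a
 * 16-bit boundary. That assumption is what goes wrong for a tail that
 * really starts at an odd offset inside the packet. */
static uint32_t model_csum(const uint8_t *buf, size_t len)
{
	uint32_t sum = 0;
	size_t i;

	for (i = 0; i + 1 < len; i += 2)
		sum = csum_add(sum, ((uint32_t)buf[i] << 8) | buf[i + 1]);
	if (len & 1)
		sum = csum_add(sum, (uint32_t)buf[len - 1] << 8);
	return sum;
}

/* Fold to 16 bits without the final complement, so sums compare directly. */
static uint16_t fold16(uint32_t sum)
{
	sum = (sum & 0xffff) + (sum >> 16);
	sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)sum;
}

/* Checksum of the first new_len bytes, recomputed from scratch. */
static uint16_t csum_direct(const uint8_t *pkt, size_t new_len)
{
	return fold16(model_csum(pkt, new_len));
}

/* Pre-fix arithmetic: subtract the tail sum, ignoring where the tail starts. */
static uint16_t trim_with_csum_sub(const uint8_t *pkt, size_t len, size_t new_len)
{
	uint32_t full = model_csum(pkt, len);
	uint32_t tail = model_csum(pkt + new_len, len - new_len);

	return fold16(csum_sub(full, tail));
}

/* Post-fix arithmetic: subtract the tail sum, aligned by its start offset. */
static uint16_t trim_with_csum_block_sub(const uint8_t *pkt, size_t len, size_t new_len)
{
	uint32_t full = model_csum(pkt, len);
	uint32_t tail = model_csum(pkt + new_len, len - new_len);

	return fold16(csum_block_sub(full, tail, new_len));
}

/* Constructed sample: 59 data bytes followed by one non-zero padding byte. */
static void build_sample(uint8_t *pkt, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		pkt[i] = (uint8_t)(i * 7 + 3);
	pkt[n - 1] = 0xab;
}

int main(void)
{
	uint8_t pkt[60];

	build_sample(pkt, sizeof(pkt));
	printf("direct over 59 bytes:      0x%04x\n", (unsigned)csum_direct(pkt, 59));
	printf("csum_sub after trim:       0x%04x\n", (unsigned)trim_with_csum_sub(pkt, 60, 59));
	printf("csum_block_sub after trim: 0x%04x\n", (unsigned)trim_with_csum_block_sub(pkt, 60, 59));
	return 0;
}
```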

* [PATCH 4.14 139/143] net/mlx5e: fix csum adjustments caused by RXFCS
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 138/143] net: fix pskb_trim_rcsum_slow() with odd trim offset Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 140/143] rtnetlink: Disallow FDB configuration for non-Ethernet device Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paweł Staszewski, Eric Dumazet,
	Eran Ben Elisha, Saeed Mahameed, Dimitris Michailidis, Cong Wang,
	Maria Pasechnik, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit d48051c5b8376038c2b287c3b1bd55b8d391d567 ]

As shown by Dimitris, we need to use csum_block_add() instead of csum_add()
when adding the FCS contribution to skb csum.

Before 4.18 (more exactly commit 88078d98d1bb "net: pskb_trim_rcsum()
and CHECKSUM_COMPLETE are friends"), the whole skb csum was thrown away,
so RXFCS changes were ignored.

Then before commit d55bef5059dd ("net: fix pskb_trim_rcsum_slow() with
odd trim offset") both mlx5 and pskb_trim_rcsum_slow() bugs were canceling
each other.

Now we fixed pskb_trim_rcsum_slow() we need to fix mlx5.

Note that this patch also rewrites mlx5e_get_fcs() to:

- Use skb_header_pointer() instead of reinventing it.
- Use __get_unaligned_cpu32() to avoid possible non aligned accesses
  as Dimitris pointed out.

Fixes: 902a545904c7 ("net/mlx5e: When RXFCS is set, add FCS data into checksum calculation")
Reported-by: Paweł Staszewski <pstaszewski@itcare.pl>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Eran Ben Elisha <eranbe@mellanox.com>
Cc: Saeed Mahameed <saeedm@mellanox.com>
Cc: Dimitris Michailidis <dmichail@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Paweł Staszewski <pstaszewski@itcare.pl>
Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
Tested-By: Maria Pasechnik <mariap@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c |   45 ++++--------------------
 1 file changed, 9 insertions(+), 36 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -635,43 +635,15 @@ static inline bool is_first_ethertype_ip
 	return (ethertype == htons(ETH_P_IP) || ethertype == htons(ETH_P_IPV6));
 }
 
-static __be32 mlx5e_get_fcs(struct sk_buff *skb)
+static u32 mlx5e_get_fcs(const struct sk_buff *skb)
 {
-	int last_frag_sz, bytes_in_prev, nr_frags;
-	u8 *fcs_p1, *fcs_p2;
-	skb_frag_t *last_frag;
-	__be32 fcs_bytes;
-
-	if (!skb_is_nonlinear(skb))
-		return *(__be32 *)(skb->data + skb->len - ETH_FCS_LEN);
-
-	nr_frags = skb_shinfo(skb)->nr_frags;
-	last_frag = &skb_shinfo(skb)->frags[nr_frags - 1];
-	last_frag_sz = skb_frag_size(last_frag);
-
-	/* If all FCS data is in last frag */
-	if (last_frag_sz >= ETH_FCS_LEN)
-		return *(__be32 *)(skb_frag_address(last_frag) +
-				   last_frag_sz - ETH_FCS_LEN);
-
-	fcs_p2 = (u8 *)skb_frag_address(last_frag);
-	bytes_in_prev = ETH_FCS_LEN - last_frag_sz;
-
-	/* Find where the other part of the FCS is - Linear or another frag */
-	if (nr_frags == 1) {
-		fcs_p1 = skb_tail_pointer(skb);
-	} else {
-		skb_frag_t *prev_frag = &skb_shinfo(skb)->frags[nr_frags - 2];
+	const void *fcs_bytes;
+	u32 _fcs_bytes;
 
-		fcs_p1 = skb_frag_address(prev_frag) +
-			    skb_frag_size(prev_frag);
-	}
-	fcs_p1 -= bytes_in_prev;
-
-	memcpy(&fcs_bytes, fcs_p1, bytes_in_prev);
-	memcpy(((u8 *)&fcs_bytes) + bytes_in_prev, fcs_p2, last_frag_sz);
+	fcs_bytes = skb_header_pointer(skb, skb->len - ETH_FCS_LEN,
+				       ETH_FCS_LEN, &_fcs_bytes);
 
-	return fcs_bytes;
+	return __get_unaligned_cpu32(fcs_bytes);
 }
 
 static inline void mlx5e_handle_csum(struct net_device *netdev,
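
Review bot: the return value of `skb_header_pointer()` is passed straight to `__get_unaligned_cpu32()` without a NULL check. skb_header_pointer() returns NULL when the requested range cannot be read from the skb, so either check the pointer or add a comment stating why offset `skb->len - ETH_FCS_LEN` with length `ETH_FCS_LEN` is always in range here. The return type also changes from `__be32` to `u32` while the caller keeps a `(__force __wsum)` cast, so a comment on the intended byte order would help.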
@@ -693,8 +665,9 @@ static inline void mlx5e_handle_csum(str
 		skb->ip_summed = CHECKSUM_COMPLETE;
 		skb->csum = csum_unfold((__force __sum16)cqe->check_sum);
 		if (unlikely(netdev->features & NETIF_F_RXFCS))
-			skb->csum = csum_add(skb->csum,
-					     (__force __wsum)mlx5e_get_fcs(skb));
+			skb->csum = csum_block_add(skb->csum,
+						   (__force __wsum)mlx5e_get_fcs(skb),
+						   skb->len - ETH_FCS_LEN);
 		rq->stats.csum_complete++;
 		return;
 	}
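
Review bot: the offset `skb->len - ETH_FCS_LEN` passed to `csum_block_add()` repeats the expression used inside `mlx5e_get_fcs()`; computing it once, or having the helper take the offset as a parameter, would keep the two from drifting apart.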




* [PATCH 4.14 140/143] rtnetlink: Disallow FDB configuration for non-Ethernet device
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 139/143] net/mlx5e: fix csum adjustments caused by RXFCS Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 141/143] net: ipmr: fix unresolved entry dumps Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Vlad Yasevich,
	David Ahern, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit da71577545a52be3e0e9225a946e5fd79cfab015 ]

When an FDB entry is configured, the address is validated to have the
length of an Ethernet address, but the device for which the address is
configured can be of any type.

The above can result in the use of uninitialized memory when the address
is later compared against existing addresses since 'dev->addr_len' is
used and it may be greater than ETH_ALEN, as with ip6tnl devices.

Fix this by making sure that FDB entries are only configured for
Ethernet devices.

BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863
CPU: 1 PID: 4318 Comm: syz-executor998 Not tainted 4.19.0-rc3+ #49
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x14b/0x190 lib/dump_stack.c:113
  kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:956
  __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:645
  memcmp+0x11d/0x180 lib/string.c:863
  dev_uc_add_excl+0x165/0x7b0 net/core/dev_addr_lists.c:464
  ndo_dflt_fdb_add net/core/rtnetlink.c:3463 [inline]
  rtnl_fdb_add+0x1081/0x1270 net/core/rtnetlink.c:3558
  rtnetlink_rcv_msg+0xa0b/0x1530 net/core/rtnetlink.c:4715
  netlink_rcv_skb+0x36e/0x5f0 net/netlink/af_netlink.c:2454
  rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4733
  netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
  netlink_unicast+0x1638/0x1720 net/netlink/af_netlink.c:1343
  netlink_sendmsg+0x1205/0x1290 net/netlink/af_netlink.c:1908
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg net/socket.c:631 [inline]
  ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114
  __sys_sendmsg net/socket.c:2152 [inline]
  __do_sys_sendmsg net/socket.c:2161 [inline]
  __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159
  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159
  do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:181
  kmsan_kmalloc+0x98/0x100 mm/kmsan/kmsan_hooks.c:91
  kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100
  slab_post_alloc_hook mm/slab.h:446 [inline]
  slab_alloc_node mm/slub.c:2718 [inline]
  __kmalloc_node_track_caller+0x9e7/0x1160 mm/slub.c:4351
  __kmalloc_reserve net/core/skbuff.c:138 [inline]
  __alloc_skb+0x2f5/0x9e0 net/core/skbuff.c:206
  alloc_skb include/linux/skbuff.h:996 [inline]
  netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
  netlink_sendmsg+0xb49/0x1290 net/netlink/af_netlink.c:1883
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg net/socket.c:631 [inline]
  ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114
  __sys_sendmsg net/socket.c:2152 [inline]
  __do_sys_sendmsg net/socket.c:2161 [inline]
  __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159
  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159
  do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

v2:
* Make error message more specific (David)

Fixes: 090096bf3db1 ("net: generic fdb support for drivers without ndo_fdb_<op>")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-and-tested-by: syzbot+3a288d5f5530b901310e@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+d53ab4e92a1db04110ff@syzkaller.appspotmail.com
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: David Ahern <dsahern@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3080,6 +3080,11 @@ static int rtnl_fdb_add(struct sk_buff *
 		return -EINVAL;
 	}
 
+	if (dev->type != ARPHRD_ETHER) {
+		NL_SET_ERR_MSG(extack, "FDB add only supported for Ethernet devices");
+		return -EINVAL;
+	}
+
 	addr = nla_data(tb[NDA_LLADDR]);
 
 	err = fdb_vid_parse(tb[NDA_VLAN], &vid);
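
Review bot: the `dev->type != ARPHRD_ETHER` check has no comment explaining that it exists because the address is validated against the Ethernet length while later comparisons use `dev->addr_len`. Without that, it reads as a policy restriction, not as a guard against reading uninitialized memory, and is easier to relax by mistake.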
@@ -3184,6 +3189,11 @@ static int rtnl_fdb_del(struct sk_buff *
 		return -EINVAL;
 	}
 
+	if (dev->type != ARPHRD_ETHER) {
+		NL_SET_ERR_MSG(extack, "FDB delete only supported for Ethernet devices");
+		return -EINVAL;
+	}
+
 	addr = nla_data(tb[NDA_LLADDR]);
 
 	err = fdb_vid_parse(tb[NDA_VLAN], &vid);
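
Review bot: the check duplicates the one added to `rtnl_fdb_add()`, differing only in the message string; a small helper shared by the add and delete paths would keep the two from diverging.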




* [PATCH 4.14 141/143] net: ipmr: fix unresolved entry dumps
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 140/143] rtnetlink: Disallow FDB configuration for non-Ethernet device Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 142/143] net: bcmgenet: Poll internal PHY for GENETv5 Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Nikolay Aleksandrov,
	David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

[ Upstream commit eddf016b910486d2123675a6b5fd7d64f77cdca8 ]

If the skb space ends in an unresolved entry while dumping we'll miss
some unresolved entries. The reason is due to zeroing the entry counter
between dumping resolved and unresolved mfc entries. We should just
keep counting until the whole table is dumped and zero when we move to
the next as we have a separate table counter.

Reported-by: Colin Ian King <colin.king@canonical.com>
Fixes: 8fb472c09b9d ("ipmr: improve hash scalability")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ipmr.c |    2 --
 1 file changed, 2 deletions(-)

--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -2499,8 +2499,6 @@ static int ipmr_rtm_dumproute(struct sk_
 next_entry:
 			e++;
 		}
-		e = 0;
-		s_e = 0;
 
 		spin_lock_bh(&mfc_unres_lock);
 		list_for_each_entry(mfc, &mrt->mfc_unres_queue, list) {
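
Review bot: with `e = 0; s_e = 0;` gone, `e` keeps counting from the resolved entries into the `mfc_unres_queue` walk, and that shared numbering is not stated anywhere in the visible code. A comment before `spin_lock_bh(&mfc_unres_lock)` saying that the entry counter spans both lists, and where it is reset for the next table, would make the resume logic checkable.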




* [PATCH 4.14 142/143] net: bcmgenet: Poll internal PHY for GENETv5
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 141/143] net: ipmr: fix unresolved entry dumps Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 18:35 ` [PATCH 4.14 143/143] net/sched: cls_api: add missing validation of netlink attributes Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 64bd9c8135751b561f27edaaffe93d07093f81af ]

On GENETv5, there is a hardware issue which prevents the GENET hardware
from generating a link UP interrupt when the link is operating at
10Mbits/sec. Since we do not have any way to configure the link
detection logic, fall back to polling in that case.

Fixes: 421380856d9c ("net: bcmgenet: add support for the GENETv5 hardware")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/genet/bcmmii.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
@@ -339,9 +339,12 @@ int bcmgenet_mii_probe(struct net_device
 	phydev->advertising = phydev->supported;
 
 	/* The internal PHY has its link interrupts routed to the
-	 * Ethernet MAC ISRs
-	 */
-	if (priv->internal_phy)
+	 * Ethernet MAC ISRs. On GENETv5 there is a hardware issue
+	 * that prevents the signaling of link UP interrupts when
+	 * the link operates at 10Mbps, so fallback to polling for
+	 * those versions of GENET.
+ 	 */
+	if (priv->internal_phy && !GENET_IS_V5(priv))
 		priv->phydev->irq = PHY_IGNORE_INTERRUPT;
 
 	return 0;
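Review bot: In the new condition `priv->internal_phy && !GENET_IS_V5(priv)`, an internal PHY on GENETv5 simply skips the assignment, so polling only happens if `phydev->irq` already holds the polling value at this point, and nothing in the hunk sets or checks that. Either assign the polling value explicitly for the V5 case or state in the comment that the default is being relied on. Two smaller points: the closing comment line `+ 	 */` has a space before the tab, which checkpatch flags, and "fallback" used as a verb in the new comment should read "fall back".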




* [PATCH 4.14 143/143] net/sched: cls_api: add missing validation of netlink attributes
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 142/143] net: bcmgenet: Poll internal PHY for GENETv5 Greg Kroah-Hartman
@ 2018-11-02 18:35 ` Greg Kroah-Hartman
  2018-11-02 23:21 ` [PATCH 4.14 000/143] 4.14.79-stable review kernelci.org bot
  2018-11-03 14:31 ` Guenter Roeck
  144 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-02 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Davide Caratti, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Caratti <dcaratti@redhat.com>

[ Upstream commit e331473fee3d500bb0d2582a1fe598df3326d8cd ]

Similarly to what has been done in 8b4c3cdd9dd8 ("net: sched: Add policy
validation for tc attributes"), fix classifier code to add validation of
TCA_CHAIN and TCA_KIND netlink attributes.

tested with:
 # ./tdc.py -c filter

v2: Let sch_api and cls_api share nla_policy they have in common, thanks
    to David Ahern.
v3: Avoid EXPORT_SYMBOL(), as validation of those attributes is not done
    by TC modules, thanks to Cong Wang.
    While at it, restore the 'Delete / get qdisc' comment to its original
    position, just above tc_get_qdisc() function prototype.

Fixes: 5bc1701881e39 ("net: sched: introduce multichain support for filters")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/cls_api.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -31,6 +31,8 @@
 #include <net/pkt_sched.h>
 #include <net/pkt_cls.h>
 
+extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
+
 /* The list of all installed classifier types */
 static LIST_HEAD(tcf_proto_base);
 
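Review bot: The `extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];` declaration sits directly in cls_api.c, so the compiler cannot check it against the definition; if the array's type or bound changes where it is defined, this file still builds. A declaration in a header included by both the defining file and cls_api.c would close that gap. For this backport, also confirm that 8b4c3cdd9dd8, which the commit message builds on, is already in the 4.14 queue, that its rtm_tca_policy is not static, and that it carries entries for TCA_KIND and TCA_CHAIN; otherwise this either fails to link or validates nothing new.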
@@ -559,7 +561,7 @@ static int tc_ctl_tfilter(struct sk_buff
 replay:
 	tp_created = 0;
 
-	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, NULL, extack);
+	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, rtm_tca_policy, extack);
 	if (err < 0)
 		return err;
 
@@ -836,7 +838,8 @@ static int tc_dump_tfilter(struct sk_buf
 	if (nlmsg_len(cb->nlh) < sizeof(*tcm))
 		return skb->len;
 
-	err = nlmsg_parse(cb->nlh, sizeof(*tcm), tca, TCA_MAX, NULL, NULL);
+	err = nlmsg_parse(cb->nlh, sizeof(*tcm), tca, TCA_MAX, rtm_tca_policy,
+			  NULL);
 	if (err)
 		return err;
 
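Review bot: In tc_dump_tfilter() the policy is now enforced but extack is still passed as NULL, so a dump request rejected for a malformed TCA_KIND or TCA_CHAIN returns only the error code with no message naming the attribute, unlike the tc_ctl_tfilter() call above, which forwards `extack`. Since dump requests that previously parsed can now be rejected, the commit message should say so; that is a user-visible behaviour change for a stable tree.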




* Re: [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20
  2018-11-02 18:34 ` [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20 Greg Kroah-Hartman
@ 2018-11-02 19:56   ` Sudip Mukherjee
  2018-11-03  2:02     ` Sasha Levin
  0 siblings, 1 reply; 166+ messages in thread
From: Sudip Mukherjee @ 2018-11-02 19:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, Stable, marcel.ziswiler, digetx, Rob Herring,
	Thierry Reding, sashal

Hi Greg,

On Fri, Nov 2, 2018 at 6:53 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 4.14-stable review patch.  If anyone has any objections, please let me know.

It seems this has already been reverted upstream:
9bf4e370048d ("ARM: dts: tegra20: Revert "Fix ULPI regression on Tegra20"")


-- 
Regards
Sudip


* Re: [PATCH 4.14 060/143] net/mlx5: Fix mlx5_get_vector_affinity function
  2018-11-02 18:34 ` [PATCH 4.14 060/143] net/mlx5: Fix mlx5_get_vector_affinity function Greg Kroah-Hartman
@ 2018-11-02 19:59   ` Sudip Mukherjee
  2018-11-03  1:59     ` Sasha Levin
  0 siblings, 1 reply; 166+ messages in thread
From: Sudip Mukherjee @ 2018-11-02 19:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, Stable, israelr, maxg, Sagi Grimberg, sashal

Hi Greg,

On Fri, Nov 2, 2018 at 6:52 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 4.14-stable review patch.  If anyone has any objections, please let me know.

There is another upstream patch which fixes this one.
e3ca34880652 ("net/mlx5: Fix build break when CONFIG_SMP=n")


-- 
Regards
Sudip


* Re: [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context()
  2018-11-02 18:33 ` [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context() Greg Kroah-Hartman
@ 2018-11-02 20:19   ` Sudip Mukherjee
  2018-11-02 23:17     ` Sasha Levin
  0 siblings, 1 reply; 166+ messages in thread
From: Sudip Mukherjee @ 2018-11-02 20:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, Stable, Jarkko Nikula, Andy Lutomirski,
	Thomas Gleixner, a.p.zijlstra, Borislav Petkov, Linus Torvalds,
	Ingo Molnar, sashal

Hi Greg,

On Fri, Nov 2, 2018 at 6:51 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 4.14-stable review patch.  If anyone has any objections, please let me know.

This has been fixed by another upstream commit:
7ee18d677989 ("x86/power: Make restore_processor_context() sane")

You can not directly apply it, will need backporting.

-- 
Regards
Sudip


* Re: [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context()
  2018-11-02 20:19   ` Sudip Mukherjee
@ 2018-11-02 23:17     ` Sasha Levin
  2018-11-03  8:40       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 166+ messages in thread
From: Sasha Levin @ 2018-11-02 23:17 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Greg Kroah-Hartman, linux-kernel, Stable, Jarkko Nikula,
	Andy Lutomirski, Thomas Gleixner, a.p.zijlstra, Borislav Petkov,
	Linus Torvalds, Ingo Molnar

On Fri, Nov 02, 2018 at 08:19:36PM +0000, Sudip Mukherjee wrote:
>Hi Greg,
>
>On Fri, Nov 2, 2018 at 6:51 PM Greg Kroah-Hartman
><gregkh@linuxfoundation.org> wrote:
>>
>> 4.14-stable review patch.  If anyone has any objections, please let me know.
>
>This has been fixed by another upstream commit:
>7ee18d677989 ("x86/power: Make restore_processor_context() sane")
>
>You can not directly apply it, will need backporting.

It depends on the following commits:

5b06bbcfc2c6 x86/power: Fix some ordering bugs in __restore_processor_context()
090edbe23ff5 x86/power/64: Use struct desc_ptr for the IDT in struct saved_context
896c80bef4d3 x86/power/32: Move SYSENTER MSR restoration to fix_processor_context()
7ee18d677989 x86/power: Make restore_processor_context() sane

Greg, any objections to pulling them all in?

--
Thanks,
Sasha


* Re: [PATCH 4.14 000/143] 4.14.79-stable review
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2018-11-02 18:35 ` [PATCH 4.14 143/143] net/sched: cls_api: add missing validation of netlink attributes Greg Kroah-Hartman
@ 2018-11-02 23:21 ` kernelci.org bot
  2018-11-03 14:31 ` Guenter Roeck
  144 siblings, 0 replies; 166+ messages in thread
From: kernelci.org bot @ 2018-11-02 23:21 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

stable-rc/linux-4.14.y boot: 125 boots: 0 failed, 110 passed with 13 offline, 2 untried/unknown (v4.14.78-144-ge862e4c85291)

Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.14.y/kernel/v4.14.78-144-ge862e4c85291/
Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.14.y/kernel/v4.14.78-144-ge862e4c85291/

Tree: stable-rc
Branch: linux-4.14.y
Git Describe: v4.14.78-144-ge862e4c85291
Git Commit: e862e4c85291ce6758f1aa05b05c54b1afce6844
Git URL: http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Tested: 63 unique boards, 24 SoC families, 15 builds out of 185

Offline Platforms:

arm:

    tegra_defconfig:
        tegra124-jetson-tk1: 1 offline lab

    bcm2835_defconfig:
        bcm2835-rpi-b: 1 offline lab

    sama5_defconfig:
        at91-sama5d4_xplained: 1 offline lab

    multi_v7_defconfig:
        alpine-db: 1 offline lab
        at91-sama5d4_xplained: 1 offline lab
        socfpga_cyclone5_de0_sockit: 1 offline lab
        sun5i-r8-chip: 1 offline lab
        tegra124-jetson-tk1: 1 offline lab

    sunxi_defconfig:
        sun5i-r8-chip: 1 offline lab

arm64:

    defconfig:
        apq8016-sbc: 1 offline lab
        juno-r2: 1 offline lab
        meson-gxl-s905d-p230: 1 offline lab
        mt7622-rfb1: 1 offline lab

---
For more info write to <info@kernelci.org>


* Re: [PATCH 4.14 106/143] sch_netem: restore skb->dev after dequeuing from the rbtree
  2018-11-02 18:34 ` [PATCH 4.14 106/143] sch_netem: restore skb->dev after dequeuing from the rbtree Greg Kroah-Hartman
@ 2018-11-02 23:28   ` Josh Hunt
  2018-11-03  2:03     ` Sasha Levin
  0 siblings, 1 reply; 166+ messages in thread
From: Josh Hunt @ 2018-11-02 23:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: LKML, stable, stephen, Eric Dumazet, soheil, weiwan, willemb,
	cpaasch, sashal

On Fri, Nov 2, 2018 at 12:00 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 4.14-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> Upstream commit bffa72cf7f9d ("net: sk_buff rbnode reorg") got
> backported as commit 6b921536f170 ("net: sk_buff rbnode reorg") into the
> v4.14.x-tree.
>
> However, the backport does not include the changes in sch_netem.c
>
> We need these, as otherwise the skb->dev pointer is not set when
> dequeueing from the netem rbtree, resulting in a panic:
>
> [   15.427748] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
> [   15.428863] IP: netif_skb_features+0x24/0x230
> [   15.429402] PGD 0 P4D 0
> [   15.429733] Oops: 0000 [#1] SMP PTI
> [   15.430169] Modules linked in:
> [   15.430614] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.14.77.mptcp #77
> [   15.431497] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
> [   15.432568] task: ffff88042db19680 task.stack: ffffc90000070000
> [   15.433356] RIP: 0010:netif_skb_features+0x24/0x230
> [   15.433977] RSP: 0018:ffff88043fd83e70 EFLAGS: 00010286
> [   15.434665] RAX: ffff880429ad80c0 RBX: ffff88042bd0e400 RCX: ffff880429ad8000
> [   15.435585] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88042bd0e400
> [   15.436551] RBP: ffff88042bd0e400 R08: ffff88042a4b6c9c R09: 0000000000000001
> [   15.437485] R10: 0000000000000004 R11: 0000000000000000 R12: ffff88042c700000
> [   15.438393] R13: ffff88042c700000 R14: ffff88042a4b6c00 R15: ffff88042c6bb000
> [   15.439315] FS:  0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
> [   15.440314] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   15.441084] CR2: 00000000000000d0 CR3: 000000042c374000 CR4: 00000000000006e0
> [   15.442016] Call Trace:
> [   15.442333]  <IRQ>
> [   15.442596]  validate_xmit_skb+0x17/0x270
> [   15.443134]  validate_xmit_skb_list+0x38/0x60
> [   15.443698]  sch_direct_xmit+0x102/0x190
> [   15.444198]  __qdisc_run+0xe3/0x240
> [   15.444671]  net_tx_action+0x121/0x140
> [   15.445177]  __do_softirq+0xe2/0x224
> [   15.445654]  irq_exit+0xbf/0xd0
> [   15.446072]  smp_apic_timer_interrupt+0x5d/0x90
> [   15.446654]  apic_timer_interrupt+0x7d/0x90
> [   15.447185]  </IRQ>
> [   15.447460] RIP: 0010:native_safe_halt+0x2/0x10
> [   15.447992] RSP: 0018:ffffc90000073f10 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
> [   15.449008] RAX: ffffffff816667d0 RBX: ffffffff820946b0 RCX: 0000000000000000
> [   15.449895] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> [   15.450768] RBP: ffffffff82026940 R08: 00000004e858e5e1 R09: ffff88042a4b6d58
> [   15.451643] R10: 0000000000000000 R11: 000000d0d56879bb R12: 0000000000000000
> [   15.452478] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [   15.453340]  ? __sched_text_end+0x2/0x2
> [   15.453835]  default_idle+0xf/0x20
> [   15.454259]  do_idle+0x170/0x200
> [   15.454653]  cpu_startup_entry+0x14/0x20
> [   15.455142]  secondary_startup_64+0xa5/0xb0
> [   15.455715] Code: 1f 84 00 00 00 00 00 55 53 48 89 fd 48 83 ec 08 8b 87 bc 00 00 00 48 8b 8f c0 00 00 00 0f b6 97 81 00 00 00 48 8b 77 10 48 01 c8 <48> 8b 9
> [   15.458138] RIP: netif_skb_features+0x24/0x230 RSP: ffff88043fd83e70
> [   15.458933] CR2: 00000000000000d0
> [   15.459352] ---[ end trace 083925903ae60570 ]---
>
> Fixes: 6b921536f170 ("net: sk_buff rbnode reorg")
> Cc: Stephen Hemminger <stephen@networkplumber.org>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Soheil Hassas Yeganeh <soheil@google.com>
> Cc: Wei Wang <weiwan@google.com>
> Cc: Willem de Bruijn <willemb@google.com>
> Signed-off-by: Christoph Paasch <cpaasch@apple.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  net/sched/sch_netem.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
> index 2a2ab6bfe5d8..3d325b840802 100644
> --- a/net/sched/sch_netem.c
> +++ b/net/sched/sch_netem.c
> @@ -624,6 +624,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
>                         skb->next = NULL;
>                         skb->prev = NULL;
>                         skb->tstamp = netem_skb_cb(skb)->tstamp_save;
> +                       /* skb->dev shares skb->rbnode area,
> +                        * we need to restore its value.
> +                        */
> +                       skb->dev = qdisc_dev(sch);
>
>  #ifdef CONFIG_NET_CLS_ACT
>                         /*
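Review bot: The added `skb->dev = qdisc_dev(sch);` in netem_dequeue() restores the pointer from the qdisc rather than from a value saved at enqueue, so it assumes every skb held in the rbtree was destined for the qdisc's own device. The comment explains why the field is lost (it shares storage with skb->rbnode) but not why qdisc_dev(sch) is the right value to put back; one sentence stating that assumption would help anyone who later touches the enqueue side.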
> --
> 2.17.1

I was seeing this crash on 4.14.78 and this patch fixes it.

Thanks!
-- 
Josh


* Re: [PATCH 4.14 060/143] net/mlx5: Fix mlx5_get_vector_affinity function
  2018-11-02 19:59   ` Sudip Mukherjee
@ 2018-11-03  1:59     ` Sasha Levin
  0 siblings, 0 replies; 166+ messages in thread
From: Sasha Levin @ 2018-11-03  1:59 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Greg Kroah-Hartman, linux-kernel, Stable, israelr, maxg, Sagi Grimberg

On Fri, Nov 02, 2018 at 07:59:39PM +0000, Sudip Mukherjee wrote:
>Hi Greg,
>
>On Fri, Nov 2, 2018 at 6:52 PM Greg Kroah-Hartman
><gregkh@linuxfoundation.org> wrote:
>>
>> 4.14-stable review patch.  If anyone has any objections, please let me know.
>
>There is another upstream patch which fixes this one.
>e3ca34880652 ("net/mlx5: Fix build break when CONFIG_SMP=n")

I've queued the fix, thank you!

--
Thanks,
Sasha


* Re: [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20
  2018-11-02 19:56   ` Sudip Mukherjee
@ 2018-11-03  2:02     ` Sasha Levin
  2018-11-05 14:05       ` Marcel Ziswiler
  0 siblings, 1 reply; 166+ messages in thread
From: Sasha Levin @ 2018-11-03  2:02 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Greg Kroah-Hartman, linux-kernel, Stable, marcel.ziswiler,
	digetx, Rob Herring, Thierry Reding

On Fri, Nov 02, 2018 at 07:56:57PM +0000, Sudip Mukherjee wrote:
>Hi Greg,
>
>On Fri, Nov 2, 2018 at 6:53 PM Greg Kroah-Hartman
><gregkh@linuxfoundation.org> wrote:
>>
>> 4.14-stable review patch.  If anyone has any objections, please let me know.
>
>It seems this has already been reverted upstream:
>9bf4e370048d ("ARM: dts: tegra20: Revert "Fix ULPI regression on Tegra20"")

The commit log of 9bf4e370048d suggests that this issue was fixed
somewhere else which made 9bf4e370048d unnecessary. Can someone point to
that fix? If not, I'll just revert this commit.

--
Thanks,
Sasha


* Re: [PATCH 4.14 106/143] sch_netem: restore skb->dev after dequeuing from the rbtree
  2018-11-02 23:28   ` Josh Hunt
@ 2018-11-03  2:03     ` Sasha Levin
  0 siblings, 0 replies; 166+ messages in thread
From: Sasha Levin @ 2018-11-03  2:03 UTC (permalink / raw)
  To: Josh Hunt
  Cc: Greg Kroah-Hartman, LKML, stable, stephen, Eric Dumazet, soheil,
	weiwan, willemb, cpaasch

On Fri, Nov 02, 2018 at 04:28:04PM -0700, Josh Hunt wrote:
>On Fri, Nov 2, 2018 at 12:00 PM Greg Kroah-Hartman
><gregkh@linuxfoundation.org> wrote:
>>
>> 4.14-stable review patch.  If anyone has any objections, please let me know.
>>
>> ------------------
>>
>> Upstream commit bffa72cf7f9d ("net: sk_buff rbnode reorg") got
>> backported as commit 6b921536f170 ("net: sk_buff rbnode reorg") into the
>> v4.14.x-tree.
>>
>> However, the backport does not include the changes in sch_netem.c
>>
>> We need these, as otherwise the skb->dev pointer is not set when
>> dequeueing from the netem rbtree, resulting in a panic:
>>
>> [   15.427748] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
>> [   15.428863] IP: netif_skb_features+0x24/0x230
>> [   15.429402] PGD 0 P4D 0
>> [   15.429733] Oops: 0000 [#1] SMP PTI
>> [   15.430169] Modules linked in:
>> [   15.430614] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.14.77.mptcp #77
>> [   15.431497] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
>> [   15.432568] task: ffff88042db19680 task.stack: ffffc90000070000
>> [   15.433356] RIP: 0010:netif_skb_features+0x24/0x230
>> [   15.433977] RSP: 0018:ffff88043fd83e70 EFLAGS: 00010286
>> [   15.434665] RAX: ffff880429ad80c0 RBX: ffff88042bd0e400 RCX: ffff880429ad8000
>> [   15.435585] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88042bd0e400
>> [   15.436551] RBP: ffff88042bd0e400 R08: ffff88042a4b6c9c R09: 0000000000000001
>> [   15.437485] R10: 0000000000000004 R11: 0000000000000000 R12: ffff88042c700000
>> [   15.438393] R13: ffff88042c700000 R14: ffff88042a4b6c00 R15: ffff88042c6bb000
>> [   15.439315] FS:  0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
>> [   15.440314] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [   15.441084] CR2: 00000000000000d0 CR3: 000000042c374000 CR4: 00000000000006e0
>> [   15.442016] Call Trace:
>> [   15.442333]  <IRQ>
>> [   15.442596]  validate_xmit_skb+0x17/0x270
>> [   15.443134]  validate_xmit_skb_list+0x38/0x60
>> [   15.443698]  sch_direct_xmit+0x102/0x190
>> [   15.444198]  __qdisc_run+0xe3/0x240
>> [   15.444671]  net_tx_action+0x121/0x140
>> [   15.445177]  __do_softirq+0xe2/0x224
>> [   15.445654]  irq_exit+0xbf/0xd0
>> [   15.446072]  smp_apic_timer_interrupt+0x5d/0x90
>> [   15.446654]  apic_timer_interrupt+0x7d/0x90
>> [   15.447185]  </IRQ>
>> [   15.447460] RIP: 0010:native_safe_halt+0x2/0x10
>> [   15.447992] RSP: 0018:ffffc90000073f10 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
>> [   15.449008] RAX: ffffffff816667d0 RBX: ffffffff820946b0 RCX: 0000000000000000
>> [   15.449895] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
>> [   15.450768] RBP: ffffffff82026940 R08: 00000004e858e5e1 R09: ffff88042a4b6d58
>> [   15.451643] R10: 0000000000000000 R11: 000000d0d56879bb R12: 0000000000000000
>> [   15.452478] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
>> [   15.453340]  ? __sched_text_end+0x2/0x2
>> [   15.453835]  default_idle+0xf/0x20
>> [   15.454259]  do_idle+0x170/0x200
>> [   15.454653]  cpu_startup_entry+0x14/0x20
>> [   15.455142]  secondary_startup_64+0xa5/0xb0
>> [   15.455715] Code: 1f 84 00 00 00 00 00 55 53 48 89 fd 48 83 ec 08 8b 87 bc 00 00 00 48 8b 8f c0 00 00 00 0f b6 97 81 00 00 00 48 8b 77 10 48 01 c8 <48> 8b 9
>> [   15.458138] RIP: netif_skb_features+0x24/0x230 RSP: ffff88043fd83e70
>> [   15.458933] CR2: 00000000000000d0
>> [   15.459352] ---[ end trace 083925903ae60570 ]---
>>
>> Fixes: 6b921536f170 ("net: sk_buff rbnode reorg")
>> Cc: Stephen Hemminger <stephen@networkplumber.org>
>> Cc: Eric Dumazet <edumazet@google.com>
>> Cc: Soheil Hassas Yeganeh <soheil@google.com>
>> Cc: Wei Wang <weiwan@google.com>
>> Cc: Willem de Bruijn <willemb@google.com>
>> Signed-off-by: Christoph Paasch <cpaasch@apple.com>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> ---
>>  net/sched/sch_netem.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
>> index 2a2ab6bfe5d8..3d325b840802 100644
>> --- a/net/sched/sch_netem.c
>> +++ b/net/sched/sch_netem.c
>> @@ -624,6 +624,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
>>                         skb->next = NULL;
>>                         skb->prev = NULL;
>>                         skb->tstamp = netem_skb_cb(skb)->tstamp_save;
>> +                       /* skb->dev shares skb->rbnode area,
>> +                        * we need to restore its value.
>> +                        */
>> +                       skb->dev = qdisc_dev(sch);
>>
>>  #ifdef CONFIG_NET_CLS_ACT
>>                         /*
>> --
>> 2.17.1
>
>I was seeing this crash on 4.14.78 and this patch fixes it.
>
>Thanks!

Thanks for confirming Josh!

--
Thanks,
Sasha


* Re: [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context()
  2018-11-02 23:17     ` Sasha Levin
@ 2018-11-03  8:40       ` Greg Kroah-Hartman
  2018-11-03  8:41         ` Greg Kroah-Hartman
  0 siblings, 1 reply; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-03  8:40 UTC (permalink / raw)
  To: Sasha Levin
  Cc: Sudip Mukherjee, linux-kernel, Stable, Jarkko Nikula,
	Andy Lutomirski, Thomas Gleixner, a.p.zijlstra, Borislav Petkov,
	Linus Torvalds, Ingo Molnar

On Fri, Nov 02, 2018 at 07:17:34PM -0400, Sasha Levin wrote:
> On Fri, Nov 02, 2018 at 08:19:36PM +0000, Sudip Mukherjee wrote:
> > Hi Greg,
> > 
> > On Fri, Nov 2, 2018 at 6:51 PM Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > > 
> > > 4.14-stable review patch.  If anyone has any objections, please let me know.
> > 
> > This has been fixed by another upstream commit:
> > 7ee18d677989 ("x86/power: Make restore_processor_context() sane")
> > 
> > You can not directly apply it, will need backporting.
> 
> It depends on the following commits:
> 
> 5b06bbcfc2c6 x86/power: Fix some ordering bugs in __restore_processor_context()
> 090edbe23ff5 x86/power/64: Use struct desc_ptr for the IDT in struct saved_context
> 896c80bef4d3 x86/power/32: Move SYSENTER MSR restoration to fix_processor_context()
> 7ee18d677989 x86/power: Make restore_processor_context() sane
> 
> Greg, any objections to pulling them all in?

No objection, but can I just drop this patch here (it's also in the 4.9
queue) and then all of these be added to your next round of patches to
be pulled in after this release?

That should make it easier, and more obvious to test this all together.

thanks,

greg k-h


* Re: [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context()
  2018-11-03  8:40       ` Greg Kroah-Hartman
@ 2018-11-03  8:41         ` Greg Kroah-Hartman
  2018-11-03 12:51           ` Sasha Levin
  0 siblings, 1 reply; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-03  8:41 UTC (permalink / raw)
  To: Sasha Levin
  Cc: Sudip Mukherjee, linux-kernel, Stable, Jarkko Nikula,
	Andy Lutomirski, Thomas Gleixner, a.p.zijlstra, Borislav Petkov,
	Linus Torvalds, Ingo Molnar

On Sat, Nov 03, 2018 at 09:40:16AM +0100, Greg Kroah-Hartman wrote:
> On Fri, Nov 02, 2018 at 07:17:34PM -0400, Sasha Levin wrote:
> > On Fri, Nov 02, 2018 at 08:19:36PM +0000, Sudip Mukherjee wrote:
> > > Hi Greg,
> > > 
> > > On Fri, Nov 2, 2018 at 6:51 PM Greg Kroah-Hartman
> > > <gregkh@linuxfoundation.org> wrote:
> > > > 
> > > > 4.14-stable review patch.  If anyone has any objections, please let me know.
> > > 
> > > This has been fixed by another upstream commit:
> > > 7ee18d677989 ("x86/power: Make restore_processor_context() sane")
> > > 
> > > You can not directly apply it, will need backporting.
> > 
> > It depends on the following commits:
> > 
> > 5b06bbcfc2c6 x86/power: Fix some ordering bugs in __restore_processor_context()
> > 090edbe23ff5 x86/power/64: Use struct desc_ptr for the IDT in struct saved_context
> > 896c80bef4d3 x86/power/32: Move SYSENTER MSR restoration to fix_processor_context()
> > 7ee18d677989 x86/power: Make restore_processor_context() sane
> > 
> > Greg, any objections to pulling them all in?
> 
> No objection, but can I just drop this patch here (it's also in the 4.9
> queue) and then all of these be added to your next round of patches to
> be pulled in after this release?
> 
> That should make it easier, and more obvious to test this all together.

I've now dropped this patch from the 4.9 and 4.14 queues as that makes
sense here.

thanks,

greg k-h


* Re: [PATCH 4.14 053/143] x86/power: Fix some ordering bugs in __restore_processor_context()
  2018-11-03  8:41         ` Greg Kroah-Hartman
@ 2018-11-03 12:51           ` Sasha Levin
  0 siblings, 0 replies; 166+ messages in thread
From: Sasha Levin @ 2018-11-03 12:51 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Sudip Mukherjee, linux-kernel, Stable, Jarkko Nikula,
	Andy Lutomirski, Thomas Gleixner, a.p.zijlstra, Borislav Petkov,
	Linus Torvalds, Ingo Molnar

On Sat, Nov 03, 2018 at 09:41:51AM +0100, Greg Kroah-Hartman wrote:
>On Sat, Nov 03, 2018 at 09:40:16AM +0100, Greg Kroah-Hartman wrote:
>> On Fri, Nov 02, 2018 at 07:17:34PM -0400, Sasha Levin wrote:
>> > On Fri, Nov 02, 2018 at 08:19:36PM +0000, Sudip Mukherjee wrote:
>> > > Hi Greg,
>> > >
>> > > On Fri, Nov 2, 2018 at 6:51 PM Greg Kroah-Hartman
>> > > <gregkh@linuxfoundation.org> wrote:
>> > > >
>> > > > 4.14-stable review patch.  If anyone has any objections, please let me know.
>> > >
>> > > This has been fixed by another upstream commit:
>> > > 7ee18d677989 ("x86/power: Make restore_processor_context() sane")
>> > >
>> > > You can not directly apply it, will need backporting.
>> >
>> > It depends on the following commits:
>> >
>> > 5b06bbcfc2c6 x86/power: Fix some ordering bugs in __restore_processor_context()
>> > 090edbe23ff5 x86/power/64: Use struct desc_ptr for the IDT in struct saved_context
>> > 896c80bef4d3 x86/power/32: Move SYSENTER MSR restoration to fix_processor_context()
>> > 7ee18d677989 x86/power: Make restore_processor_context() sane
>> >
>> > Greg, any objections to pulling them all in?
>>
>> No objection, but can I just drop this patch here (it's also in the 4.9
>> queue) and then all of these be added to your next round of patches to
>> be pulled in after this release?
>>
>> That should make it easier, and more obvious to test this all together.
>
>I've now dropped this patch from the 4.9 and 4.14 queues as that makes
>sense here.

Thanks Greg, I'll prepare all 5 for the next cycle.

--
Thanks,
Sasha


* Re: [PATCH 4.14 000/143] 4.14.79-stable review
  2018-11-02 18:33 [PATCH 4.14 000/143] 4.14.79-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2018-11-02 23:21 ` [PATCH 4.14 000/143] 4.14.79-stable review kernelci.org bot
@ 2018-11-03 14:31 ` Guenter Roeck
  2018-11-03 15:04   ` Greg Kroah-Hartman
  144 siblings, 1 reply; 166+ messages in thread
From: Guenter Roeck @ 2018-11-03 14:31 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage, stable

On 11/2/18 11:33 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.79 release.
> There are 143 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun Nov  4 18:27:59 UTC 2018.
> Anything received after that time might be too late.
> 

Build results:
	total: 150 pass: 149 fail: 1
Failed builds:
	xtensa:allmodconfig
Qemu test results:
	total: 318 pass: 318 fail: 0\

Build failure:

In file included from include/linux/mlx5/port.h:36:0,
                  from include/linux/mlx5/driver.h: In function ‘mlx5_get_vector_affinity_hint’:
include/linux/mlx5/driver.h:1208:13: error:
	‘struct irq_desc’ has no member named ‘affinity_hint’

Caused by commit 19b743c448db ("net/mlx5: Fix mlx5_get_vector_affinity function").

Details are available at https://kerneltests.org/builders/.

Guenter



* Re: [PATCH 4.14 000/143] 4.14.79-stable review
  2018-11-03 14:31 ` Guenter Roeck
@ 2018-11-03 15:04   ` Greg Kroah-Hartman
  2018-11-03 18:22     ` Guenter Roeck
                       ` (2 more replies)
  0 siblings, 3 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-03 15:04 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Sat, Nov 03, 2018 at 07:31:42AM -0700, Guenter Roeck wrote:
> On 11/2/18 11:33 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.14.79 release.
> > There are 143 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sun Nov  4 18:27:59 UTC 2018.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 150 pass: 149 fail: 1
> Failed builds:
> 	xtensa:allmodconfig
> Qemu test results:
> 	total: 318 pass: 318 fail: 0\
> 
> Build failure:
> 
> In file included from include/linux/mlx5/port.h:36:0,
>                  from include/linux/mlx5/driver.h: In function ‘mlx5_get_vector_affinity_hint’:
> include/linux/mlx5/driver.h:1208:13: error:
> 	‘struct irq_desc’ has no member named ‘affinity_hint’
> 
> Caused by commit 19b743c448db ("net/mlx5: Fix mlx5_get_vector_affinity function").

Odd, this should be fixed by a later patch in the same queue, as 0 day
also reported this.

Yes, e3ca34880652 ("net/mlx5: Fix build break when CONFIG_SMP=n") in the
4.14 tree should resolve this.  Ah, Sasha added it at the "last minute"
after I did the -rc1 release.  So this should be resolved now, I'll push
out a -rc2 so that it can be verified...

thanks,

greg k-h


* Re: [PATCH 4.14 000/143] 4.14.79-stable review
  2018-11-03 15:04   ` Greg Kroah-Hartman
@ 2018-11-03 18:22     ` Guenter Roeck
  2018-11-04  7:10       ` Greg Kroah-Hartman
  2018-11-04  4:14     ` Naresh Kamboju
  2018-11-05 11:21     ` Jon Hunter
  2 siblings, 1 reply; 166+ messages in thread
From: Guenter Roeck @ 2018-11-03 18:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On 11/3/18 8:04 AM, Greg Kroah-Hartman wrote:
> On Sat, Nov 03, 2018 at 07:31:42AM -0700, Guenter Roeck wrote:
>> On 11/2/18 11:33 AM, Greg Kroah-Hartman wrote:
>>> This is the start of the stable review cycle for the 4.14.79 release.
>>> There are 143 patches in this series, all will be posted as a response
>>> to this one.  If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Sun Nov  4 18:27:59 UTC 2018.
>>> Anything received after that time might be too late.
>>>
>>
>> Build results:
>> 	total: 150 pass: 149 fail: 1
>> Failed builds:
>> 	xtensa:allmodconfig
>> Qemu test results:
>> 	total: 318 pass: 318 fail: 0\
>>
>> Build failure:
>>
>> In file included from include/linux/mlx5/port.h:36:0,
>>                   from include/linux/mlx5/driver.h: In function ‘mlx5_get_vector_affinity_hint’:
>> include/linux/mlx5/driver.h:1208:13: error:
>> 	‘struct irq_desc’ has no member named ‘affinity_hint’
>>
>> Caused by commit 19b743c448db ("net/mlx5: Fix mlx5_get_vector_affinity function").
> 
> Odd, this should be fixed by a later patch in the same queue, as 0 day
> also reported this.
> 
> Yes, e3ca34880652 ("net/mlx5: Fix build break when CONFIG_SMP=n") in the
> 4.14 tree should resolve this.  Ah, Sasha added it at the "last minute"
> after I did the -rc1 release.  So this should be resolved now, I'll push
> out a -rc2 so that it can be verified...
> 

v4.14.78-144-gb825fd9fbad5 builds fine.

Thanks,
Guenter


* Re: [PATCH 4.14 000/143] 4.14.79-stable review
  2018-11-03 15:04   ` Greg Kroah-Hartman
  2018-11-03 18:22     ` Guenter Roeck
@ 2018-11-04  4:14     ` Naresh Kamboju
  2018-11-05 11:21     ` Jon Hunter
  2 siblings, 0 replies; 166+ messages in thread
From: Naresh Kamboju @ 2018-11-04  4:14 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Guenter Roeck, Ben Hutchings, Linus Torvalds, open list,
	lkft-triage, patches, linux- stable, Andrew Morton, Shuah Khan

On Sat, 3 Nov 2018 at 20:34, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Sat, Nov 03, 2018 at 07:31:42AM -0700, Guenter Roeck wrote:
> > On 11/2/18 11:33 AM, Greg Kroah-Hartman wrote:
> > > This is the start of the stable review cycle for the 4.14.79 release.
> > > There are 143 patches in this series, all will be posted as a response
> > > to this one.  If anyone has any issues with these being applied, please
> > > let me know.
> > >
> > > Responses should be made by Sun Nov  4 18:27:59 UTC 2018.
> > > Anything received after that time might be too late.
> > >
> >
> > Build results:
> >       total: 150 pass: 149 fail: 1
> > Failed builds:
> >       xtensa:allmodconfig
> > Qemu test results:
> >       total: 318 pass: 318 fail: 0\
> >
> > Build failure:
> >
> > In file included from include/linux/mlx5/port.h:36:0,
> >                  from include/linux/mlx5/driver.h: In function ‘mlx5_get_vector_affinity_hint’:
> > include/linux/mlx5/driver.h:1208:13: error:
> >       ‘struct irq_desc’ has no member named ‘affinity_hint’
> >
> > Caused by commit 19b743c448db ("net/mlx5: Fix mlx5_get_vector_affinity function").
>
> Odd, this should be fixed by a later patch in the same queue, as 0 day
> also reported this.
>
> Yes, e3ca34880652 ("net/mlx5: Fix build break when CONFIG_SMP=n") in the
> 4.14 tree should resolve this.  Ah, Sasha added it at the "last minute"
> after I did the -rc1 release.  So this should be resolved now, I'll push
> out a -rc2 so that it can be verified...

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64 and i386.

Summary
------------------------------------------------------------------------

kernel: 4.14.79-rc2
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: b825fd9fbad594b1eb7f4ba22588e33f00bca345
git describe: v4.14.78-144-gb825fd9fbad5
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.78-144-gb825fd9fbad5

No regressions (compared to build v4.14.78-144-g02f369a75b6e)


>
> thanks,
>
> greg k-h


* Re: [PATCH 4.14 000/143] 4.14.79-stable review
  2018-11-03 18:22     ` Guenter Roeck
@ 2018-11-04  7:10       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 166+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-04  7:10 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Sat, Nov 03, 2018 at 11:22:51AM -0700, Guenter Roeck wrote:
> On 11/3/18 8:04 AM, Greg Kroah-Hartman wrote:
> > On Sat, Nov 03, 2018 at 07:31:42AM -0700, Guenter Roeck wrote:
> > > On 11/2/18 11:33 AM, Greg Kroah-Hartman wrote:
> > > > This is the start of the stable review cycle for the 4.14.79 release.
> > > > There are 143 patches in this series, all will be posted as a response
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > > 
> > > > Responses should be made by Sun Nov  4 18:27:59 UTC 2018.
> > > > Anything received after that time might be too late.
> > > > 
> > > 
> > > Build results:
> > > 	total: 150 pass: 149 fail: 1
> > > Failed builds:
> > > 	xtensa:allmodconfig
> > > Qemu test results:
> > > 	total: 318 pass: 318 fail: 0\
> > > 
> > > Build failure:
> > > 
> > > In file included from include/linux/mlx5/port.h:36:0,
> > >                   from include/linux/mlx5/driver.h: In function ‘mlx5_get_vector_affinity_hint’:
> > > include/linux/mlx5/driver.h:1208:13: error:
> > > 	‘struct irq_desc’ has no member named ‘affinity_hint’
> > > 
> > > Caused by commit 19b743c448db ("net/mlx5: Fix mlx5_get_vector_affinity function").
> > 
> > Odd, this should be fixed by a later patch in the same queue, as 0 day
> > also reported this.
> > 
> > Yes, e3ca34880652 ("net/mlx5: Fix build break when CONFIG_SMP=n") in the
> > 4.14 tree should resolve this.  Ah, Sasha added it at the "last minute"
> > after I did the -rc1 release.  So this should be resolved now, I'll push
> > out a -rc2 so that it can be verified...
> > 
> 
> v4.14.78-144-gb825fd9fbad5 builds fine.

Great!  Thanks for testing this, and the other two, and letting me know.

greg k-h


* Re: [PATCH 4.14 000/143] 4.14.79-stable review
  2018-11-03 15:04   ` Greg Kroah-Hartman
  2018-11-03 18:22     ` Guenter Roeck
  2018-11-04  4:14     ` Naresh Kamboju
@ 2018-11-05 11:21     ` Jon Hunter
  2 siblings, 0 replies; 166+ messages in thread
From: Jon Hunter @ 2018-11-05 11:21 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 03/11/2018 15:04, Greg Kroah-Hartman wrote:
> On Sat, Nov 03, 2018 at 07:31:42AM -0700, Guenter Roeck wrote:
>> On 11/2/18 11:33 AM, Greg Kroah-Hartman wrote:
>>> This is the start of the stable review cycle for the 4.14.79 release.
>>> There are 143 patches in this series, all will be posted as a response
>>> to this one.  If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Sun Nov  4 18:27:59 UTC 2018.
>>> Anything received after that time might be too late.
>>>
>>
>> Build results:
>> 	total: 150 pass: 149 fail: 1
>> Failed builds:
>> 	xtensa:allmodconfig
>> Qemu test results:
>> 	total: 318 pass: 318 fail: 0\
>>
>> Build failure:
>>
>> In file included from include/linux/mlx5/port.h:36:0,
>>                  from include/linux/mlx5/driver.h: In function ‘mlx5_get_vector_affinity_hint’:
>> include/linux/mlx5/driver.h:1208:13: error:
>> 	‘struct irq_desc’ has no member named ‘affinity_hint’
>>
>> Caused by commit 19b743c448db ("net/mlx5: Fix mlx5_get_vector_affinity function").
> 
> Odd, this should be fixed by a later patch in the same queue, as 0 day
> also reported this.
> 
> Yes, e3ca34880652 ("net/mlx5: Fix build break when CONFIG_SMP=n") in the
> 4.14 tree should resolve this.  Ah, Sasha added it at the "last minute"
> after I did the -rc1 release.  So this should be resolved now, I'll push
> out a -rc2 so that it can be verified...

All tests are passing for Tegra ...

Test results for stable-v4.14:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    14 tests:	14 pass, 0 fail

Linux version:	4.14.79-rc2-gb825fd9
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic


* Re: [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20
  2018-11-03  2:02     ` Sasha Levin
@ 2018-11-05 14:05       ` Marcel Ziswiler
  2018-11-06  6:31         ` Sasha Levin
  0 siblings, 1 reply; 166+ messages in thread
From: Marcel Ziswiler @ 2018-11-05 14:05 UTC (permalink / raw)
  To: sashal, sudipm.mukherjee
  Cc: robh, linux-kernel, digetx, gregkh, stable, treding

On Fri, 2018-11-02 at 22:02 -0400, Sasha Levin wrote:
> On Fri, Nov 02, 2018 at 07:56:57PM +0000, Sudip Mukherjee wrote:
> > Hi Greg,
> > 
> > On Fri, Nov 2, 2018 at 6:53 PM Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > > 
> > > 4.14-stable review patch.  If anyone has any objections, please
> > > let me know.
> > 
> > It seems this has already been reverted upstream:
> > 9bf4e370048d ("ARM: dts: tegra20: Revert "Fix ULPI regression on
> > Tegra20"")
> 
> The commit log of 9bf4e370048d suggests that this issue was fixed
> somewhere else which made 9bf4e370048d unnecessary. Can someone point
> to
> that fix?

Yes, sorry. That got fixed properly by Dmitry in 5d797111afe1 ("clk:
tegra: Add quirk for getting CDEV1/2 clocks on Tegra20").

> If not, I'll just revert this commit.
> 
> --
> Thanks,
> Sasha


* Re: [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20
  2018-11-05 14:05       ` Marcel Ziswiler
@ 2018-11-06  6:31         ` Sasha Levin
  2018-11-06  9:52           ` Marcel Ziswiler
  2018-11-06 10:55           ` Dmitry Osipenko
  0 siblings, 2 replies; 166+ messages in thread
From: Sasha Levin @ 2018-11-06  6:31 UTC (permalink / raw)
  To: Marcel Ziswiler
  Cc: sudipm.mukherjee, robh, linux-kernel, digetx, gregkh, stable, treding

On Mon, Nov 05, 2018 at 02:05:49PM +0000, Marcel Ziswiler wrote:
>On Fri, 2018-11-02 at 22:02 -0400, Sasha Levin wrote:
>> On Fri, Nov 02, 2018 at 07:56:57PM +0000, Sudip Mukherjee wrote:
>> > Hi Greg,
>> >
>> > On Fri, Nov 2, 2018 at 6:53 PM Greg Kroah-Hartman
>> > <gregkh@linuxfoundation.org> wrote:
>> > >
>> > > 4.14-stable review patch.  If anyone has any objections, please
>> > > let me know.
>> >
>> > It seems this has already been reverted upstream:
>> > 9bf4e370048d ("ARM: dts: tegra20: Revert "Fix ULPI regression on
>> > Tegra20"")
>>
>> The commit log of 9bf4e370048d suggests that this issue was fixed
>> somewhere else which made 9bf4e370048d unnecessary. Can someone point
>> to
>> that fix?
>
>Yes, sorry. That got fixed properly by Dmitry in 5d797111afe1 ("clk:
>tegra: Add quirk for getting CDEV1/2 clocks on Tegra20").

Thank you. I've replaced it for 4.14, but for 4.9 it seems there are
quite a few dependencies to pick 5d797111afe1 so I only removed
4c9a27a6c66d. If you have a backport for 4.9 I'll be happy to take it.

--
Thanks,
Sasha


* Re: [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20
  2018-11-06  6:31         ` Sasha Levin
@ 2018-11-06  9:52           ` Marcel Ziswiler
  2018-11-06 10:55           ` Dmitry Osipenko
  1 sibling, 0 replies; 166+ messages in thread
From: Marcel Ziswiler @ 2018-11-06  9:52 UTC (permalink / raw)
  To: sashal
  Cc: robh, linux-kernel, sudipm.mukherjee, digetx, gregkh, treding, stable

On Tue, 2018-11-06 at 01:31 -0500, Sasha Levin wrote:
> On Mon, Nov 05, 2018 at 02:05:49PM +0000, Marcel Ziswiler wrote:
> > On Fri, 2018-11-02 at 22:02 -0400, Sasha Levin wrote:
> > > On Fri, Nov 02, 2018 at 07:56:57PM +0000, Sudip Mukherjee wrote:
> > > > Hi Greg,
> > > > 
> > > > On Fri, Nov 2, 2018 at 6:53 PM Greg Kroah-Hartman
> > > > <gregkh@linuxfoundation.org> wrote:
> > > > > 
> > > > > 4.14-stable review patch.  If anyone has any objections,
> > > > > please
> > > > > let me know.
> > > > 
> > > > It seems this has already been reverted upstream:
> > > > 9bf4e370048d ("ARM: dts: tegra20: Revert "Fix ULPI regression
> > > > on
> > > > Tegra20"")
> > > 
> > > The commit log of 9bf4e370048d suggests that this issue was fixed
> > > somewhere else which made 9bf4e370048d unnecessary. Can someone
> > > point
> > > to
> > > that fix?
> > 
> > Yes, sorry. That got fixed properly by Dmitry in 5d797111afe1
> > ("clk:
> > tegra: Add quirk for getting CDEV1/2 clocks on Tegra20").
> 
> Thank you. I've replaced it for 4.14, but for 4.9 it seems there are
> quite a few dependencies to pick 5d797111afe1 so I only removed
> 4c9a27a6c66d. If you have a backport for 4.9 I'll be happy to take
> it.

I believe the particular problem I was seeing did not exhibit itself
before much later than 4.9 or 4.14 and was caused by some re-work of
the clocking stuff which slightly changed order of things being
initialised.

> --
> Thanks,
> Sasha


* Re: [PATCH 4.14 069/143] ARM: tegra: Fix ULPI regression on Tegra20
  2018-11-06  6:31         ` Sasha Levin
  2018-11-06  9:52           ` Marcel Ziswiler
@ 2018-11-06 10:55           ` Dmitry Osipenko
  1 sibling, 0 replies; 166+ messages in thread
From: Dmitry Osipenko @ 2018-11-06 10:55 UTC (permalink / raw)
  To: Sasha Levin, Marcel Ziswiler
  Cc: sudipm.mukherjee, robh, linux-kernel, gregkh, stable, treding

On 06.11.2018 9:31, Sasha Levin wrote:
> On Mon, Nov 05, 2018 at 02:05:49PM +0000, Marcel Ziswiler wrote:
>> On Fri, 2018-11-02 at 22:02 -0400, Sasha Levin wrote:
>>> On Fri, Nov 02, 2018 at 07:56:57PM +0000, Sudip Mukherjee wrote:
>>> > Hi Greg,
>>> >
>>> > On Fri, Nov 2, 2018 at 6:53 PM Greg Kroah-Hartman
>>> > <gregkh@linuxfoundation.org> wrote:
>>> > >
>>> > > 4.14-stable review patch.  If anyone has any objections, please
>>> > > let me know.
>>> >
>>> > It seems this has already been reverted upstream:
>>> > 9bf4e370048d ("ARM: dts: tegra20: Revert "Fix ULPI regression on
>>> > Tegra20"")
>>>
>>> The commit log of 9bf4e370048d suggests that this issue was fixed
>>> somewhere else which made 9bf4e370048d unnecessary. Can someone point
>>> to
>>> that fix?
>>
>> Yes, sorry. That got fixed properly by Dmitry in 5d797111afe1 ("clk:
>> tegra: Add quirk for getting CDEV1/2 clocks on Tegra20").
> 
> Thank you. I've replaced it for 4.14, but for 4.9 it seems there are
> quite a few dependencies to pick 5d797111afe1 so I only removed
> 4c9a27a6c66d. If you have a backport for 4.9 I'll be happy to take it.

The 5d797111afe1 is not enough, there is a second half to it: c59487075659. IIRC, the original problem was gone while we were trying to fix it and we just firmed up the clocks model to make sure that the problem won't repeat in the future, hence it shouldn't be necessary to backport any of the patches.
