linux-kernel.vger.kernel.org archive mirror
* [PATCH 4.4 000/160] 4.4.164-stable review
@ 2018-11-19 16:27 Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 001/160] bcache: fix miss key refill->end in writeback Greg Kroah-Hartman
                   ` (163 more replies)
  0 siblings, 164 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.4.164 release.
There are 160 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Nov 21 16:25:20 UTC 2018.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.164-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.4.164-rc1

Clint Taylor <clinton.a.taylor@intel.com>
    drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values

Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
    drm/dp_mst: Check if primary mstb is null

Marc Zyngier <marc.zyngier@arm.com>
    drm/rockchip: Allow driver to be shutdown on reboot/kexec

Mike Kravetz <mike.kravetz@oracle.com>
    mm: migration: fix migration of huge PMD shared pages

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!

Guenter Roeck <linux@roeck-us.net>
    configfs: replace strncpy with memcpy

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix leaked notify reply

Maciej W. Rozycki <macro@linux-mips.org>
    rtc: hctosys: Add missing range error reporting

Frank Sorenson <sorenson@redhat.com>
    sunrpc: correct the computation for page_ptr when truncating

Eric W. Biederman <ebiederm@xmission.com>
    mount: Prevent MNT_DETACH from disconnecting locked mounts

Eric W. Biederman <ebiederm@xmission.com>
    mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

Eric W. Biederman <ebiederm@xmission.com>
    mount: Retest MNT_LOCKED in do_umount

Vasily Averin <vvs@virtuozzo.com>
    ext4: fix buffer leak in __ext4_read_dirblock() on error path

Vasily Averin <vvs@virtuozzo.com>
    ext4: fix buffer leak in ext4_xattr_move_to_block() on error path

Vasily Averin <vvs@virtuozzo.com>
    ext4: release bs.bh before re-using in ext4_xattr_block_find()

Theodore Ts'o <tytso@mit.edu>
    ext4: fix possible leak of sbi->s_group_desc_leak in error path

Theodore Ts'o <tytso@mit.edu>
    ext4: avoid possible double brelse() in add_new_gdb() on error path

Vasily Averin <vvs@virtuozzo.com>
    ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing

Vasily Averin <vvs@virtuozzo.com>
    ext4: avoid buffer leak in ext4_orphan_add() after prior errors

Vasily Averin <vvs@virtuozzo.com>
    ext4: fix possible inode leak in the retry loop of ext4_resize_fs()

Vasily Averin <vvs@virtuozzo.com>
    ext4: avoid potential extra brelse in setup_new_flex_group_blocks()

Vasily Averin <vvs@virtuozzo.com>
    ext4: add missing brelse() add_new_gdb_meta_bg()'s error path

Vasily Averin <vvs@virtuozzo.com>
    ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path

Vasily Averin <vvs@virtuozzo.com>
    ext4: add missing brelse() update_backups()'s error path

Michael Kelley <mikelley@microsoft.com>
    clockevents/drivers/i8253: Add support for PIT shutdown quirk

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix data corruption due to cloning of eof block

H. Peter Anvin (Intel) <hpa@zytor.com>
    arch/alpha, termios: implement BOTHER, IBSHIFT and termios2

H. Peter Anvin <hpa@zytor.com>
    termios, tty/tty_baudrate.c: fix buffer overrun

Arnd Bergmann <arnd@arndb.de>
    mtd: docg3: don't set conflicting BCH_CONST_PARAMS option

Andrea Arcangeli <aarcange@redhat.com>
    mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings

Changwei Ge <ge.changwei@h3c.com>
    ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry

Greg Edwards <gedwards@ddn.com>
    vhost/scsi: truncate T10 PI iov_iter to prot_bytes

Mikulas Patocka <mpatocka@redhat.com>
    mach64: fix image corruption due to reading accelerator registers

Mikulas Patocka <mpatocka@redhat.com>
    mach64: fix display corruption on big endian machines

Ilya Dryomov <idryomov@gmail.com>
    libceph: bump CEPH_MSG_MAX_DATA_LEN

Krzysztof Kozlowski <krzk@kernel.org>
    clk: s2mps11: Fix matching when built as module and DT node contains compatible

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: fix boot parameters address translation

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: make sure bFLT stack is 16 byte aligned

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: add NOTES section to the linker script

Huacai Chen <chenhc@lemote.com>
    MIPS: Loongson-3: Fix BRIDGE irq delivery problem

Huacai Chen <chenhc@lemote.com>
    MIPS: Loongson-3: Fix CPU UART irq delivery problem

Kees Cook <keescook@chromium.org>
    bna: ethtool: Avoid reading past end of buffer

Vincenzo Maffione <v.maffione@gmail.com>
    e1000: fix race condition between e1000_down() and e1000_watchdog

Colin Ian King <colin.king@canonical.com>
    e1000: avoid null pointer dereference on invalid stat type

Michal Hocko <mhocko@suse.com>
    mm: do not bug_on on incorrect length in __mm_populate()

Oscar Salvador <osalvador@suse.de>
    fs, elf: make sure to page align bss in load_elf_library

Kees Cook <keescook@chromium.org>
    mm: refuse wrapped vm_brk requests

Kees Cook <keescook@chromium.org>
    binfmt_elf: fix calculations for bss padding

Michal Hocko <mhocko@suse.com>
    mm, elf: handle vm_brk error

Miklos Szeredi <mszeredi@redhat.com>
    fuse: set FR_SENT while locked

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix blocked_waitq wakeup

Kirill Tkhai <ktkhai@virtuozzo.com>
    fuse: Fix use-after-free in fuse_dev_do_write()

Kirill Tkhai <ktkhai@virtuozzo.com>
    fuse: Fix use-after-free in fuse_dev_do_read()

Himanshu Madhani <himanshu.madhani@cavium.com>
    scsi: qla2xxx: Fix incorrect port speed being set for FC adapters

Young_X <YangX92@hotmail.com>
    cdrom: fix improper type cast, which can leat to information leak.

Dominique Martinet <dominique.martinet@cea.fr>
    9p: clear dangling pointers in p9stat_free

Dominique Martinet <dominique.martinet@cea.fr>
    9p locks: fix glock.client_id leak in do_lock

Marco Felsch <m.felsch@pengutronix.de>
    media: tvp5150: fix width alignment during set_selection()

Phil Elwell <phil@raspberrypi.org>
    sc16is7xx: Fix for multi-channel stall

Joel Stanley <joel@jms.id.au>
    powerpc/boot: Ensure _zimage_start is a weak symbol

Dengcheng Zhu <dzhu@wavecomp.com>
    MIPS: kexec: Mark CPU offline before disabling local IRQ

Nicholas Mc Guire <hofrat@osadl.org>
    media: pci: cx23885: handle adding to list failure

Tomi Valkeinen <tomi.valkeinen@ti.com>
    drm/omap: fix memory barrier bug in DMM driver

Daniel Axtens <dja@axtens.net>
    powerpc/nohash: fix undefined behaviour when testing page size support

Miles Chen <miles.chen@mediatek.com>
    tty: check name length in tty_find_polling_driver()

Shaohua Li <shli@fb.com>
    MD: fix invalid stored role for a disk - try2

Josef Bacik <jbacik@fb.com>
    btrfs: set max_extent_size properly

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix null pointer dereference on compressed write path error

Qu Wenruo <wqu@suse.com>
    btrfs: qgroup: Dirty all qgroups before rescan

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix wrong dentries after fsync of file that got its parent replaced

Josef Bacik <josef@toxicpanda.com>
    btrfs: make sure we create all new block groups

Josef Bacik <jbacik@fb.com>
    btrfs: reset max_extent_size on clear in a bitmap

Josef Bacik <josef@toxicpanda.com>
    btrfs: wait on caching when putting the bg cache

Jeff Mahoney <jeffm@suse.com>
    btrfs: don't attempt to trim devices that don't support it

Jeff Mahoney <jeffm@suse.com>
    btrfs: iterate all devices during trim, instead of fs_devices::alloc_list

Qu Wenruo <wqu@suse.com>
    btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock

Qu Wenruo <wqu@suse.com>
    btrfs: Handle owner mismatch gracefully when walking up tree

Johan Hovold <johan@kernel.org>
    soc/tegra: pmc: Fix child-node lookup

Thor Thayer <thor.thayer@linux.intel.com>
    arm64: dts: stratix10: Correct System Manager register size

Nicolas Pitre <nicolas.pitre@linaro.org>
    Cramfs: fix abad comparison when wrap-arounds occur

Theodore Ts'o <tytso@mit.edu>
    ext4: avoid running out of journal credits when appending to an inline file

Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    media: em28xx: make v4l2-compliance happier by starting sequence on zero

Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    media: em28xx: fix input name for Terratec AV 350

Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    media: em28xx: use a default format if TRY_FMT fails

Juergen Gross <jgross@suse.com>
    xen: fix xen_qlock_wait()

He Zhe <zhe.he@windriver.com>
    kgdboc: Passing ekgdboc to command line causes panic

Maciej W. Rozycki <macro@linux-mips.org>
    TC: Set DMA masks for devices

Aaro Koskinen <aaro.koskinen@iki.fi>
    MIPS: OCTEON: fix out of bounds array access on CN68XX

Christophe Leroy <christophe.leroy@c-s.fr>
    powerpc/msi: Fix compile error on mpc83xx

Wenwen Wang <wang6495@umn.edu>
    dm ioctl: harden copy_params()'s copy_from_user() from malicious users

Amir Goldstein <amir73il@gmail.com>
    lockd: fix access beyond unterminated strings in prints

Trond Myklebust <trondmy@gmail.com>
    nfsd: Fix an Oops in free_session()

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4.1: Fix the r/wsize checking

Lukas Wunner <lukas@wunner.de>
    genirq: Fix race on spurious interrupt detection

He Zhe <zhe.he@windriver.com>
    printk: Fix panic caused by passing log_buf_len to command line

Steve French <stfrench@microsoft.com>
    smb3: on kerberos mount if server doesn't specify auth type use krb5

Steve French <stfrench@microsoft.com>
    smb3: do not attempt cifs operation in smb3 query info error path

Steve French <stfrench@microsoft.com>
    smb3: allow stats which track session and share reconnects to be reset

Andreas Kemnade <andreas@kemnade.info>
    w1: omap-hdq: fix missing bus unregister at removal

Eugen Hristev <eugen.hristev@microchip.com>
    iio: adc: at91: fix wrong channel number in triggered buffer mode

Eugen Hristev <eugen.hristev@microchip.com>
    iio: adc: at91: fix acking DRDY irq on simple conversions

Arnd Bergmann <arnd@arndb.de>
    kbuild: fix kernel/bounds.c 'W=1' warning

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlbfs: dirty pages as they are added to pagecache

Eric Biggers <ebiggers@google.com>
    ima: fix showing large 'violations' or 'runtime_measurements_count'

Ondrej Mosnacek <omosnace@redhat.com>
    crypto: lrw - Fix out-of bounds access on counter overflow

Eric W. Biederman <ebiederm@xmission.com>
    signal/GenWQE: Fix sending of SIGKILL

Bin Meng <bmeng.cn@gmail.com>
    PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk

Breno Leitao <leitao@debian.org>
    HID: hiddev: fix potential Spectre v1

Lukas Czerner <lczerner@redhat.com>
    ext4: initialize retries variable in ext4_da_write_inline_data_begin()

Al Viro <viro@zeniv.linux.org.uk>
    gfs2_meta: ->mount() can get NULL dev_name

Jan Kara <jack@suse.cz>
    jbd2: fix use after free in jbd2_log_do_checkpoint()

Alexander Duyck <alexander.h.duyck@linux.intel.com>
    libnvdimm: Hold reference on parent while scheduling async init

Stefan Nuernberger <snu@amazon.com>
    net/ipv4: defensive cipso option parsing

Juergen Gross <jgross@suse.com>
    xen: make xen_qlock_wait() nestable

Juergen Gross <jgross@suse.com>
    xen: fix race in xen_qlock_wait()

Dr. Greg Wettstein <greg@wind.enjellic.com>
    tpm: Restore functionality to xen vtpm driver.

Joe Jin <joe.jin@oracle.com>
    xen-swiotlb: use actually allocated size on check physical continuous

Takashi Iwai <tiwai@suse.de>
    ALSA: hda: Check the non-cached stream buffers more explicitly

Paul Cercueil <paul@crapouillou.net>
    dmaengine: dma-jz4780: Return error if not probed from DT

Eric W. Biederman <ebiederm@xmission.com>
    signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Correct soft lockup when running mds diagnostics

Alexandre Belloni <alexandre.belloni@bootlin.com>
    uio: ensure class is registered before devices

Waiman Long <longman@redhat.com>
    driver/dma/ioat: Call del_timer_sync() without holding prep_lock

Loic Poulain <loic.poulain@linaro.org>
    usb: chipidea: Prevent unbalanced IRQ disable

Shaohua Li <shli@fb.com>
    MD: fix invalid stored role for a disk

Theodore Ts'o <tytso@mit.edu>
    ext4: fix argument checking in EXT4_IOC_MOVE_EXT

Javier Martinez Canillas <javierm@redhat.com>
    tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated

Wenwen Wang <wang6495@umn.edu>
    scsi: megaraid_sas: fix a missing-check bug

Finn Thain <fthain@telegraphics.com.au>
    scsi: esp_scsi: Track residual for PIO transfers

Martin Willi <martin@strongswan.org>
    ath10k: schedule hardware restart if WMI command times out

Douglas Anderson <dianders@chromium.org>
    pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant

Douglas Anderson <dianders@chromium.org>
    pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant

Stephen Boyd <swboyd@chromium.org>
    pinctrl: qcom: spmi-mpp: Fix drive strength setting

Hans de Goede <hdegoede@redhat.com>
    ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()

YueHaibing <yuehaibing@huawei.com>
    pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux

Ben Hutchings <ben@decadent.org.uk>
    x86: boot: Fix EFI stub alignment

Christian Hewitt <christianshewitt@gmail.com>
    Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth

Yu Zhao <yuzhao@google.com>
    mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01

Sanskriti Sharma <sansharm@redhat.com>
    perf tools: Cleanup trace-event-info 'tdata' leak

Sanskriti Sharma <sansharm@redhat.com>
    perf tools: Free temporary 'sys' string in read_event_files()

Serhey Popovych <serhe.popovych@gmail.com>
    tun: Consistently configure generic netdev params via rtnetlink

Omar Sandoval <osandov@fb.com>
    swim: fix cleanup on setup error

Omar Sandoval <osandov@fb.com>
    ataflop: fix error handling during setup

Waiman Long <longman@redhat.com>
    locking/lockdep: Fix debug_locks off performance problem

Masami Hiramatsu <mhiramat@kernel.org>
    selftests: ftrace: Add synthetic event syntax testcase

Nathan Chancellor <natechancellor@gmail.com>
    net: qla3xxx: Remove overflowing shift statement

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    x86/fpu: Remove second definition of fpu in __fpu__restore_sig()

David S. Miller <davem@davemloft.net>
    sparc: Fix single-pcr perf event counter management.

Daniel Wagner <daniel.wagner@siemens.com>
    x86/kconfig: Fall back to ticket spinlocks

He Zhe <zhe.he@windriver.com>
    x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided

Alex Stanoev <alex@astanoev.com>
    ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops

Jeremy Cline <jcline@redhat.com>
    ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)

Helge Deller <deller@gmx.de>
    parisc: Fix map_pages() to not overwrite existing pte entries

John David Anglin <dave.anglin@bell.net>
    parisc: Fix address in HPMC IVA

Jan Glauber <jglauber@cavium.com>
    ipmi: Fix timer race with module unload

Maciej S. Szmigiero <mail@maciej.szmigiero.name>
    pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges

Hou Tao <houtao1@huawei.com>
    jffs2: free jffs2_sb_info through jffs2_kill_sb()

Dmitry Bazhenov <bazhenov.dn@gmail.com>
    hwmon: (pmbus) Fix page count auto-detection.

Tang Junhui <tang.junhui.linux@gmail.com>
    bcache: fix miss key refill->end in writeback


-------------

Diffstat:

 Makefile                                           |  4 +-
 arch/alpha/include/asm/termios.h                   |  8 ++-
 arch/alpha/include/uapi/asm/ioctls.h               |  5 ++
 arch/alpha/include/uapi/asm/termbits.h             | 17 +++++
 arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi  |  2 +-
 arch/mips/cavium-octeon/executive/cvmx-helper.c    |  2 +-
 arch/mips/include/asm/mach-loongson64/irq.h        |  2 +-
 arch/mips/kernel/crash.c                           |  3 +
 arch/mips/kernel/machine_kexec.c                   |  3 +
 arch/mips/loongson64/loongson-3/irq.c              | 56 ++-------------
 arch/parisc/kernel/entry.S                         |  2 +-
 arch/parisc/kernel/traps.c                         |  3 +-
 arch/parisc/mm/init.c                              |  8 +--
 arch/powerpc/boot/crt0.S                           |  4 +-
 arch/powerpc/include/asm/mpic.h                    |  7 ++
 arch/powerpc/mm/tlb_nohash.c                       |  3 +
 arch/sparc/kernel/perf_event.c                     | 17 +++--
 arch/x86/Kconfig                                   |  1 -
 arch/x86/boot/tools/build.c                        |  7 ++
 arch/x86/kernel/check.c                            | 15 ++++
 arch/x86/kernel/fpu/signal.c                       |  1 -
 arch/x86/xen/spinlock.c                            | 35 ++++------
 arch/xtensa/boot/Makefile                          |  2 +-
 arch/xtensa/include/asm/processor.h                |  6 +-
 arch/xtensa/kernel/head.S                          |  7 +-
 arch/xtensa/kernel/vmlinux.lds.S                   |  1 +
 crypto/lrw.c                                       |  7 +-
 drivers/acpi/acpi_lpss.c                           |  2 +
 drivers/block/ataflop.c                            | 25 ++++---
 drivers/block/swim.c                               | 13 +++-
 drivers/bluetooth/btbcm.c                          |  1 +
 drivers/cdrom/cdrom.c                              |  2 +-
 drivers/char/ipmi/ipmi_ssif.c                      | 10 +--
 drivers/char/tpm/tpm-interface.c                   |  3 +-
 drivers/char/tpm/xen-tpmfront.c                    |  2 +-
 drivers/clk/clk-s2mps11.c                          | 30 ++++++++
 drivers/clocksource/i8253.c                        | 14 +++-
 drivers/dma/dma-jz4780.c                           |  5 ++
 drivers/dma/ioat/init.c                            |  9 ++-
 drivers/gpu/drm/drm_dp_mst_topology.c              |  3 +
 drivers/gpu/drm/i915/intel_audio.c                 | 17 +++++
 drivers/gpu/drm/omapdrm/omap_dmm_tiler.c           | 11 +++
 drivers/gpu/drm/rockchip/rockchip_drm_drv.c        |  6 ++
 drivers/hid/usbhid/hiddev.c                        | 18 +++--
 drivers/hwmon/pmbus/pmbus.c                        |  2 +
 drivers/hwmon/pmbus/pmbus_core.c                   |  5 +-
 drivers/iio/adc/at91_adc.c                         |  6 +-
 drivers/md/bcache/btree.c                          |  2 +-
 drivers/md/dm-ioctl.c                              | 18 ++---
 drivers/md/raid1.c                                 |  1 +
 drivers/md/raid10.c                                |  1 +
 drivers/media/i2c/tvp5150.c                        | 14 ++--
 drivers/media/pci/cx23885/altera-ci.c              | 10 +++
 drivers/media/usb/em28xx/em28xx-cards.c            |  4 +-
 drivers/media/usb/em28xx/em28xx-video.c            |  8 ++-
 drivers/misc/genwqe/card_base.h                    |  2 +-
 drivers/misc/genwqe/card_dev.c                     |  9 +--
 drivers/mmc/host/sdhci-pci-o2micro.c               |  3 +
 drivers/mtd/devices/Kconfig                        |  2 +-
 drivers/net/ethernet/brocade/bna/bnad_ethtool.c    |  4 +-
 drivers/net/ethernet/intel/e1000/e1000_ethtool.c   |  9 ++-
 drivers/net/ethernet/intel/e1000/e1000_main.c      | 11 ++-
 drivers/net/ethernet/qlogic/qla3xxx.c              |  2 -
 drivers/net/tun.c                                  |  2 +
 drivers/net/wireless/ath/ath10k/wmi.c              |  6 ++
 drivers/nvdimm/bus.c                               |  4 ++
 drivers/pci/quirks.c                               |  4 ++
 drivers/pcmcia/ricoh.h                             | 35 ++++++++++
 drivers/pcmcia/yenta_socket.c                      |  3 +-
 drivers/pinctrl/qcom/pinctrl-spmi-mpp.c            | 27 +++++---
 drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c           | 28 ++++++--
 drivers/rtc/hctosys.c                              |  4 +-
 drivers/scsi/esp_scsi.c                            |  1 +
 drivers/scsi/esp_scsi.h                            |  2 +
 drivers/scsi/lpfc/lpfc_sli.c                       |  7 ++
 drivers/scsi/mac_esp.c                             |  2 +
 drivers/scsi/megaraid/megaraid_sas_base.c          |  3 +
 drivers/scsi/qla2xxx/qla_mbx.c                     |  5 +-
 drivers/soc/tegra/pmc.c                            |  2 +-
 drivers/tc/tc.c                                    |  8 ++-
 drivers/tty/serial/kgdboc.c                        |  5 ++
 drivers/tty/serial/sc16is7xx.c                     | 19 +++--
 drivers/tty/tty_io.c                               |  2 +-
 drivers/tty/tty_ioctl.c                            |  4 +-
 drivers/uio/uio.c                                  |  9 +++
 drivers/usb/chipidea/otg.h                         |  3 +-
 drivers/vhost/scsi.c                               |  4 +-
 drivers/video/fbdev/aty/mach64_accel.c             | 28 ++++----
 drivers/w1/masters/omap_hdq.c                      |  2 +
 drivers/xen/swiotlb-xen.c                          |  6 ++
 fs/9p/vfs_file.c                                   | 16 ++++-
 fs/binfmt_elf.c                                    | 46 +++++++------
 fs/btrfs/extent-tree.c                             | 48 ++++++++++---
 fs/btrfs/free-space-cache.c                        | 32 ++++++---
 fs/btrfs/inode.c                                   |  1 +
 fs/btrfs/ioctl.c                                   | 12 +++-
 fs/btrfs/qgroup.c                                  |  1 +
 fs/btrfs/relocation.c                              |  2 +-
 fs/btrfs/tree-log.c                                | 30 +++++++-
 fs/cifs/cifs_debug.c                               |  3 +
 fs/cifs/cifs_spnego.c                              |  6 +-
 fs/cifs/inode.c                                    | 10 ++-
 fs/configfs/symlink.c                              |  2 +-
 fs/cramfs/inode.c                                  |  3 +-
 fs/ext4/ext4.h                                     |  3 -
 fs/ext4/inline.c                                   | 40 +----------
 fs/ext4/move_extent.c                              |  8 ++-
 fs/ext4/namei.c                                    |  5 +-
 fs/ext4/resize.c                                   | 28 ++++----
 fs/ext4/super.c                                    | 16 ++---
 fs/ext4/xattr.c                                    | 22 ++----
 fs/fuse/dev.c                                      | 29 ++++++--
 fs/gfs2/ops_fstype.c                               |  3 +
 fs/jbd2/checkpoint.c                               |  4 +-
 fs/jffs2/super.c                                   |  4 +-
 fs/lockd/host.c                                    |  2 +-
 fs/namespace.c                                     | 22 ++++--
 fs/nfs/nfs4client.c                                | 16 +++--
 fs/ocfs2/dir.c                                     |  3 +-
 include/linux/ceph/libceph.h                       |  8 ++-
 include/linux/hugetlb.h                            | 14 ++++
 include/linux/i8253.h                              |  1 +
 include/linux/mm.h                                 |  6 ++
 include/linux/tc.h                                 |  1 +
 kernel/bounds.c                                    |  4 +-
 kernel/irq/manage.c                                |  8 ++-
 kernel/kprobes.c                                   | 27 ++++++--
 kernel/locking/lockdep.c                           |  4 +-
 kernel/printk/printk.c                             |  7 +-
 kernel/signal.c                                    |  2 +-
 lib/debug_locks.c                                  |  2 +-
 mm/gup.c                                           |  2 -
 mm/hugetlb.c                                       | 66 ++++++++++++++++--
 mm/mempolicy.c                                     | 32 ++++++++-
 mm/mmap.c                                          | 13 ++--
 mm/rmap.c                                          | 56 +++++++++++++++
 net/9p/protocol.c                                  |  5 ++
 net/ipv4/cipso_ipv4.c                              | 11 +--
 net/sunrpc/svc_xprt.c                              |  2 +-
 net/sunrpc/xdr.c                                   |  5 +-
 security/integrity/ima/ima_fs.c                    |  6 +-
 sound/pci/ca0106/ca0106.h                          |  2 +-
 sound/pci/hda/hda_controller.h                     |  1 +
 sound/pci/hda/hda_intel.c                          | 11 ++-
 sound/pci/hda/patch_conexant.c                     |  1 +
 tools/perf/util/trace-event-info.c                 |  2 +
 tools/perf/util/trace-event-read.c                 |  5 +-
 .../inter-event/trigger-synthetic-event-syntax.tc  | 80 ++++++++++++++++++++++
 148 files changed, 1115 insertions(+), 423 deletions(-)




* [PATCH 4.4 001/160] bcache: fix miss key refill->end in writeback
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 002/160] hwmon: (pmbus) Fix page count auto-detection Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tang Junhui, Coly Li, Jens Axboe

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tang Junhui <tang.junhui.linux@gmail.com>

commit 2d6cb6edd2c7fb4f40998895bda45006281b1ac5 upstream.

refill->end records the last key of writeback, for example, at the first
time, keys (1,128K) to (1,1024K) are flushed to the backend device, but
the end key (1,1024K) is not included, because of the code below:
	if (bkey_cmp(k, refill->end) >= 0) {
		ret = MAP_DONE;
		goto out;
	}
And the next time, when we refill the writeback keybuf again, we search
for keys starting from (1,1024K) and get a key bigger than it, so the key
(1,1024K) is missed.
This patch modifies the above code and lets the end key be included in
the writeback key buffer.

Signed-off-by: Tang Junhui <tang.junhui.linux@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/bcache/btree.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -2372,7 +2372,7 @@ static int refill_keybuf_fn(struct btree
 	struct keybuf *buf = refill->buf;
 	int ret = MAP_CONTINUE;
 
-	if (bkey_cmp(k, refill->end) >= 0) {
+	if (bkey_cmp(k, refill->end) > 0) {
 		ret = MAP_DONE;
 		goto out;
 	}
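
Review bot: The now-inclusive bound at `if (bkey_cmp(k, refill->end) > 0)` has no comment saying that refill->end is inclusive, and its correctness depends on something this function does not show: per the commit message, the next refill searches from refill->end and only picks up keys bigger than it. A one-line comment above the test stating that the end key belongs to the current pass would keep a later cleanup from flipping the comparison back and silently skipping that key from writeback again.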




* [PATCH 4.4 002/160] hwmon: (pmbus) Fix page count auto-detection.
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 001/160] bcache: fix miss key refill->end in writeback Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 003/160] jffs2: free jffs2_sb_info through jffs2_kill_sb() Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Bazhenov, Guenter Roeck

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Bazhenov <bazhenov.dn@gmail.com>

commit e7c6a55606b5c46b449d76588968b4d8caae903f upstream.

Devices with compatible="pmbus" field have zero initial page count,
and pmbus_clear_faults() being called before the page count auto-
detection does not actually clear faults because it depends on the
page count. Non-cleared faults in its turn may fail the subsequent
page count auto-detection.

This patch fixes this problem by calling pmbus_clear_fault_page()
for currently set page and calling pmbus_clear_faults() after the
page count was detected.

Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Bazhenov <bazhenov.dn@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/pmbus/pmbus.c      |    2 ++
 drivers/hwmon/pmbus/pmbus_core.c |    5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/hwmon/pmbus/pmbus.c
+++ b/drivers/hwmon/pmbus/pmbus.c
@@ -117,6 +117,8 @@ static int pmbus_identify(struct i2c_cli
 		} else {
 			info->pages = 1;
 		}
+
+		pmbus_clear_faults(client);
 	}
 
 	if (pmbus_check_byte_register(client, 0, PMBUS_VOUT_MODE)) {
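
Review bot: The added `pmbus_clear_faults(client);` at the end of the page-detection block carries no comment, so it reads as a redundant second clear next to the one in pmbus_init_common(). Suggest a short comment saying that faults on all pages can only be cleared here, once info->pages has been set by the branches above, because the earlier clear ran with a zero page count.
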
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -1759,7 +1759,10 @@ static int pmbus_init_common(struct i2c_
 	if (ret >= 0 && (ret & PB_CAPABILITY_ERROR_CHECK))
 		client->flags |= I2C_CLIENT_PEC;
 
-	pmbus_clear_faults(client);
+	if (data->info->pages)
+		pmbus_clear_faults(client);
+	else
+		pmbus_clear_fault_page(client, -1);
 
 	if (info->identify) {
 		ret = (*info->identify)(client, info);
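
Review bot: The new test reads `data->info->pages` while the next statement in the same function uses `info->identify` and passes `info` directly; if both refer to the same structure, use `info->pages` so the condition is obviously tied to the value the identify callback later fills in. The literal -1 in `pmbus_clear_fault_page(client, -1)` also needs a comment: the commit message says it means the currently set page, but nothing in the code says so.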




* [PATCH 4.4 003/160] jffs2: free jffs2_sb_info through jffs2_kill_sb()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 001/160] bcache: fix miss key refill->end in writeback Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 002/160] hwmon: (pmbus) Fix page count auto-detection Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 004/160] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Hou Tao, Richard Weinberger,
	Boris Brezillon

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hou Tao <houtao1@huawei.com>

commit 92e2921f7eee63450a5f953f4b15dc6210219430 upstream.

When an invalid mount option is passed to jffs2, jffs2_parse_options()
will fail and jffs2_sb_info will be freed, but then jffs2_sb_info will
be used (use-after-free) and freed (double-free) in jffs2_kill_sb().

Fix it by removing the buggy invocation of kfree() when getting invalid
mount options.

Fixes: 92abc475d8de ("jffs2: implement mount option parsing and compression overriding")
Cc: stable@kernel.org
Signed-off-by: Hou Tao <houtao1@huawei.com>
Reviewed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/jffs2/super.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/fs/jffs2/super.c
+++ b/fs/jffs2/super.c
@@ -285,10 +285,8 @@ static int jffs2_fill_super(struct super
 	sb->s_fs_info = c;
 
 	ret = jffs2_parse_options(c, data);
-	if (ret) {
-		kfree(c);
+	if (ret)
 		return -EINVAL;
-	}
 
 	/* Initialize JFFS2 superblock locks, the further initialization will
 	 * be done later */
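Review bot: the error return after jffs2_parse_options() now leaves c allocated and relies on jffs2_kill_sb() to free it through sb->s_fs_info, which is assigned just above, but nothing at the return site says so. A one-line comment there would keep a later cleanup from re-adding kfree(c) and reintroducing the double free. The branch also still returns -EINVAL rather than ret, so whatever error jffs2_parse_options() produced is discarded.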




* [PATCH 4.4 004/160] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 003/160] jffs2: free jffs2_sb_info through jffs2_kill_sb() Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 005/160] ipmi: Fix timer race with module unload Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej S. Szmigiero, Dominik Brodowski

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>

commit 95691e3eddc41da2d1cd3cca51fecdfb46bd85bc upstream.

Currently, "disable_clkrun" yenta_socket module parameter is only
implemented for TI CardBus bridges.
Add also an implementation for Ricoh bridges that have the necessary
setting documented in publicly available datasheets.

Tested on a RL5C476II with a Sunrich C-160 CardBus NIC that doesn't work
correctly unless the CLKRUN protocol is disabled.

Let's also make it clear in its description that the "disable_clkrun"
module parameter only works on these two previously mentioned brands of
CardBus bridges.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Cc: stable@vger.kernel.org
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pcmcia/ricoh.h        |   35 +++++++++++++++++++++++++++++++++++
 drivers/pcmcia/yenta_socket.c |    3 ++-
 2 files changed, 37 insertions(+), 1 deletion(-)

--- a/drivers/pcmcia/ricoh.h
+++ b/drivers/pcmcia/ricoh.h
@@ -119,6 +119,10 @@
 #define  RL5C4XX_MISC_CONTROL           0x2F /* 8 bit */
 #define  RL5C4XX_ZV_ENABLE              0x08
 
+/* Misc Control 3 Register */
+#define RL5C4XX_MISC3			0x00A2 /* 16 bit */
+#define  RL5C47X_MISC3_CB_CLKRUN_DIS	BIT(1)
+
 #ifdef __YENTA_H
 
 #define rl_misc(socket)		((socket)->private[0])
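Review bot: style point on the two new defines: RL5C4XX_MISC3 is written as 0x00A2 with a single space after #define, while the register define just above uses two spaces and a two-digit value (0x2F), and the bit carries an RL5C47X prefix under an RL5C4XX register name. If the prefix difference is intentional because only the RL5C47x parts have this bit, the "Misc Control 3 Register" comment could say so.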
@@ -156,6 +160,35 @@ static void ricoh_set_zv(struct yenta_so
         }
 }
 
+static void ricoh_set_clkrun(struct yenta_socket *socket, bool quiet)
+{
+	u16 misc3;
+
+	/*
+	 * RL5C475II likely has this setting, too, however no datasheet
+	 * is publicly available for this chip
+	 */
+	if (socket->dev->device != PCI_DEVICE_ID_RICOH_RL5C476 &&
+	    socket->dev->device != PCI_DEVICE_ID_RICOH_RL5C478)
+		return;
+
+	if (socket->dev->revision < 0x80)
+		return;
+
+	misc3 = config_readw(socket, RL5C4XX_MISC3);
+	if (misc3 & RL5C47X_MISC3_CB_CLKRUN_DIS) {
+		if (!quiet)
+			dev_dbg(&socket->dev->dev,
+				"CLKRUN feature already disabled\n");
+	} else if (disable_clkrun) {
+		if (!quiet)
+			dev_info(&socket->dev->dev,
+				 "Disabling CLKRUN feature\n");
+		misc3 |= RL5C47X_MISC3_CB_CLKRUN_DIS;
+		config_writew(socket, RL5C4XX_MISC3, misc3);
+	}
+}
+
 static void ricoh_save_state(struct yenta_socket *socket)
 {
 	rl_misc(socket) = config_readw(socket, RL5C4XX_MISC);
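Review bot: in ricoh_set_clkrun() the test "socket->dev->revision < 0x80" uses an unexplained magic number; the comment above covers the device-ID check but not the revision cut-off, so a named constant or a comment citing the datasheet would help. The function is also one-way: when disable_clkrun is false and the bit is already set it only logs and never clears RL5C47X_MISC3_CB_CLKRUN_DIS, which is worth stating in a comment if intended. It also references disable_clkrun, a static defined in yenta_socket.c, so this header only builds when it is included after that definition.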
@@ -172,6 +205,7 @@ static void ricoh_restore_state(struct y
 	config_writew(socket, RL5C4XX_16BIT_IO_0, rl_io(socket));
 	config_writew(socket, RL5C4XX_16BIT_MEM_0, rl_mem(socket));
 	config_writew(socket, RL5C4XX_CONFIG, rl_config(socket));
+	ricoh_set_clkrun(socket, true);
 }
 
 
@@ -197,6 +231,7 @@ static int ricoh_override(struct yenta_s
 	config_writew(socket, RL5C4XX_CONFIG, config);
 
 	ricoh_set_zv(socket);
+	ricoh_set_clkrun(socket, false);
 
 	return 0;
 }
--- a/drivers/pcmcia/yenta_socket.c
+++ b/drivers/pcmcia/yenta_socket.c
@@ -26,7 +26,8 @@
 
 static bool disable_clkrun;
 module_param(disable_clkrun, bool, 0444);
-MODULE_PARM_DESC(disable_clkrun, "If PC card doesn't function properly, please try this option");
+MODULE_PARM_DESC(disable_clkrun,
+		 "If PC card doesn't function properly, please try this option (TI and Ricoh bridges only)");
 
 static bool isa_probe = 1;
 module_param(isa_probe, bool, 0444);
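Review bot: the new description says "(TI and Ricoh bridges only)", but ricoh_set_clkrun() in this patch returns early for anything other than RL5C476 and RL5C478, and for revisions below 0x80, so on other Ricoh bridges the option is silently ignored. Either narrow the wording or log once when disable_clkrun is set on a Ricoh bridge that the code skips.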




* [PATCH 4.4 005/160] ipmi: Fix timer race with module unload
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 004/160] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 006/160] parisc: Fix address in HPMC IVA Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Glauber, Corey Minyard

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Glauber <jglauber@cavium.com>

commit 0711e8c1b4572d076264e71b0002d223f2666ed7 upstream.

Please note that the oops below is from an older kernel, but the same
race seems to be present in the upstream kernel too.

---8<---

The following panic was encountered during removing the ipmi_ssif
module:

[ 526.352555] Unable to handle kernel paging request at virtual address ffff000006923090
[ 526.360464] Mem abort info:
[ 526.363257] ESR = 0x86000007
[ 526.366304] Exception class = IABT (current EL), IL = 32 bits
[ 526.372221] SET = 0, FnV = 0
[ 526.375269] EA = 0, S1PTW = 0
[ 526.378405] swapper pgtable: 4k pages, 48-bit VAs, pgd = 000000008ae60416
[ 526.385185] [ffff000006923090] *pgd=000000bffcffe803, *pud=000000bffcffd803, *pmd=0000009f4731a003, *pte=0000000000000000
[ 526.396141] Internal error: Oops: 86000007 [#1] SMP
[ 526.401008] Modules linked in: nls_iso8859_1 ipmi_devintf joydev input_leds ipmi_msghandler shpchp sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear i2c_smbus hid_generic usbhid uas hid usb_storage ast aes_ce_blk i2c_algo_bit aes_ce_cipher qede ttm crc32_ce ptp crct10dif_ce drm_kms_helper ghash_ce syscopyarea sha2_ce sysfillrect sysimgblt pps_core fb_sys_fops sha256_arm64 sha1_ce mpt3sas qed drm raid_class ahci scsi_transport_sas libahci gpio_xlp i2c_xlp9xx aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64 [last unloaded: ipmi_ssif]
[ 526.468085] CPU: 125 PID: 0 Comm: swapper/125 Not tainted 4.15.0-35-generic #38~lp1775396+build.1
[ 526.476942] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL022 08/14/2018
[ 526.484932] pstate: 00400009 (nzcv daif +PAN -UAO)
[ 526.489713] pc : 0xffff000006923090
[ 526.493198] lr : call_timer_fn+0x34/0x178
[ 526.497194] sp : ffff000009b0bdd0
[ 526.500496] x29: ffff000009b0bdd0 x28: 0000000000000082
[ 526.505796] x27: 0000000000000002 x26: ffff000009515188
[ 526.511096] x25: ffff000009515180 x24: ffff0000090f1018
[ 526.516396] x23: ffff000009519660 x22: dead000000000200
[ 526.521696] x21: ffff000006923090 x20: 0000000000000100
[ 526.526995] x19: ffff809eeb466a40 x18: 0000000000000000
[ 526.532295] x17: 000000000000000e x16: 0000000000000007
[ 526.537594] x15: 0000000000000000 x14: 071c71c71c71c71c
[ 526.542894] x13: 0000000000000000 x12: 0000000000000000
[ 526.548193] x11: 0000000000000001 x10: ffff000009b0be88
[ 526.553493] x9 : 0000000000000000 x8 : 0000000000000005
[ 526.558793] x7 : ffff80befc1f8528 x6 : 0000000000000020
[ 526.564092] x5 : 0000000000000040 x4 : 0000000020001b20
[ 526.569392] x3 : 0000000000000000 x2 : ffff809eeb466a40
[ 526.574692] x1 : ffff000006923090 x0 : ffff809eeb466a40
[ 526.579992] Process swapper/125 (pid: 0, stack limit = 0x000000002eb50acc)
[ 526.586854] Call trace:
[ 526.589289] 0xffff000006923090
[ 526.592419] expire_timers+0xc8/0x130
[ 526.596070] run_timer_softirq+0xec/0x1b0
[ 526.600070] __do_softirq+0x134/0x328
[ 526.603726] irq_exit+0xc8/0xe0
[ 526.606857] __handle_domain_irq+0x6c/0xc0
[ 526.610941] gic_handle_irq+0x84/0x188
[ 526.614679] el1_irq+0xe8/0x180
[ 526.617822] cpuidle_enter_state+0xa0/0x328
[ 526.621993] cpuidle_enter+0x34/0x48
[ 526.625564] call_cpuidle+0x44/0x70
[ 526.629040] do_idle+0x1b8/0x1f0
[ 526.632256] cpu_startup_entry+0x2c/0x30
[ 526.636174] secondary_start_kernel+0x11c/0x130
[ 526.640694] Code: bad PC value
[ 526.643800] ---[ end trace d020b0b8417c2498 ]---
[ 526.648404] Kernel panic - not syncing: Fatal exception in interrupt
[ 526.654778] SMP: stopping secondary CPUs
[ 526.658734] Kernel Offset: disabled
[ 526.662211] CPU features: 0x5800c38
[ 526.665688] Memory Limit: none
[ 526.668768] ---[ end Kernel panic - not syncing: Fatal exception in interrupt

Prevent mod_timer from arming a timer that was already removed by
del_timer during module unload.

Signed-off-by: Jan Glauber <jglauber@cavium.com>
Cc: <stable@vger.kernel.org> # 3.19
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/ipmi/ipmi_ssif.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -613,8 +613,9 @@ static void msg_done_handler(struct ssif
 			flags = ipmi_ssif_lock_cond(ssif_info, &oflags);
 			ssif_info->waiting_alert = true;
 			ssif_info->rtc_us_timer = SSIF_MSG_USEC;
-			mod_timer(&ssif_info->retry_timer,
-				  jiffies + SSIF_MSG_JIFFIES);
+			if (!ssif_info->stopping)
+				mod_timer(&ssif_info->retry_timer,
+					  jiffies + SSIF_MSG_JIFFIES);
 			ipmi_ssif_unlock_cond(ssif_info, flags);
 			return;
 		}
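Review bot: the new "if (!ssif_info->stopping)" test in msg_done_handler() only closes the race if stopping is set while holding the same lock taken by ipmi_ssif_lock_cond() here, and before del_timer runs on the unload path; neither is visible in this patch, so the changelog should state it. Note also that waiting_alert is still set to true when stopping, which leaves the state claiming a pending alert with no timer armed.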
@@ -951,8 +952,9 @@ static void msg_written_handler(struct s
 			ssif_info->waiting_alert = true;
 			ssif_info->retries_left = SSIF_RECV_RETRIES;
 			ssif_info->rtc_us_timer = SSIF_MSG_PART_USEC;
-			mod_timer(&ssif_info->retry_timer,
-				  jiffies + SSIF_MSG_PART_JIFFIES);
+			if (!ssif_info->stopping)
+				mod_timer(&ssif_info->retry_timer,
+					  jiffies + SSIF_MSG_PART_JIFFIES);
 			ipmi_ssif_unlock_cond(ssif_info, flags);
 		}
 	}
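Review bot: msg_written_handler() repeats the same three-line guard as msg_done_handler(), differing only in the timeout (SSIF_MSG_PART_JIFFIES). A small helper that takes the delay and checks ssif_info->stopping would keep the two call sites from drifting apart, and would be the natural place for a comment explaining the unload race.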




* [PATCH 4.4 006/160] parisc: Fix address in HPMC IVA
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 005/160] ipmi: Fix timer race with module unload Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 007/160] parisc: Fix map_pages() to not overwrite existing pte entries Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John David Anglin, Helge Deller

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John David Anglin <dave.anglin@bell.net>

commit 1138b6718ff74d2a934459643e3754423d23b5e2 upstream.

Helge noticed that the address of the os_hpmc handler was not being
correctly calculated in the hpmc macro.  As a result, PDCE_CHECK would
fail to call os_hpmc:

<Cpu2> e800009802e00000  0000000000000000  CC_ERR_CHECK_HPMC
<Cpu2> 37000f7302e00000  8040004000000000  CC_ERR_CPU_CHECK_SUMMARY
<Cpu2> f600105e02e00000  fffffff0f0c00000  CC_MC_HPMC_MONARCH_SELECTED
<Cpu2> 140003b202e00000  000000000000000b  CC_ERR_HPMC_STATE_ENTRY
<Cpu2> 5600100b02e00000  00000000000001a0  CC_MC_OS_HPMC_LEN_ERR
<Cpu2> 5600106402e00000  fffffff0f0438e70  CC_MC_BR_TO_OS_HPMC_FAILED
<Cpu2> e800009802e00000  0000000000000000  CC_ERR_CHECK_HPMC
<Cpu2> 37000f7302e00000  8040004000000000  CC_ERR_CPU_CHECK_SUMMARY
<Cpu2> 4000109f02e00000  0000000000000000  CC_MC_HPMC_INITIATED
<Cpu2> 4000101902e00000  0000000000000000  CC_MC_MULTIPLE_HPMCS
<Cpu2> 030010d502e00000  0000000000000000  CC_CPU_STOP

The address problem can be seen by dumping the fault vector:

0000000040159000 <fault_vector_20>:
    40159000:   63 6f 77 73     stb r15,-2447(dp)
    40159004:   20 63 61 6e     ldil L%b747000,r3
    40159008:   20 66 6c 79     ldil L%-1c3b3000,r3
        ...
    40159020:   08 00 02 40     nop
    40159024:   20 6e 60 02     ldil L%15d000,r3
    40159028:   34 63 00 00     ldo 0(r3),r3
    4015902c:   e8 60 c0 02     bv,n r0(r3)
    40159030:   08 00 02 40     nop
    40159034:   00 00 00 00     break 0,0
    40159038:   c0 00 70 00     bb,*< r0,sar,40159840 <fault_vector_20+0x840>
    4015903c:   00 00 00 00     break 0,0

Location 40159038 should contain the physical address of os_hpmc:

000000004015d000 <os_hpmc>:
    4015d000:   08 1a 02 43     copy r26,r3
    4015d004:   01 c0 08 a4     mfctl iva,r4
    4015d008:   48 85 00 68     ldw 34(r4),r5

This patch moves the address setup into initialize_ivt to resolve the
above problem.  I tested the change by dumping the HPMC entry after setup:

0000000040209020:  8000240
0000000040209024: 206a2004
0000000040209028: 34630ac0
000000004020902c: e860c002
0000000040209030:  8000240
0000000040209034: 1bdddce6
0000000040209038:   15d000
000000004020903c:      1a0

Signed-off-by: John David Anglin <dave.anglin@bell.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/parisc/kernel/entry.S |    2 +-
 arch/parisc/kernel/traps.c |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -185,7 +185,7 @@
 	bv,n	0(%r3)
 	nop
 	.word	0		/* checksum (will be patched) */
-	.word	PA(os_hpmc)	/* address of handler */
+	.word	0		/* address of handler */
 	.word	0		/* length of handler */
 	.endm
 
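Review bot: the replacement line ".word 0 /* address of handler */" no longer says where the address comes from. The checksum word above is annotated "(will be patched)"; this word deserves the same kind of note, pointing at initialize_ivt(), so that a reader of entry.S does not take the zero for the final value.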
--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
@@ -829,7 +829,8 @@ void __init initialize_ivt(const void *i
 	for (i = 0; i < 8; i++)
 	    *ivap++ = 0;
 
-	/* Compute Checksum for HPMC handler */
+	/* Setup IVA and compute checksum for HPMC handler */
+	ivap[6] = (u32)__pa(os_hpmc);
 	length = os_hpmc_size;
 	ivap[7] = length;
 
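Review bot: "ivap[6] = (u32)__pa(os_hpmc);" narrows the physical address to 32 bits with a bare cast and uses the literal index 6, next to the existing literal 7 for the length. A comment stating that the handler is expected to sit below 4 GB, or a check that the cast loses nothing, plus named constants for the two slots, would make the layout dependency explicit.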




* [PATCH 4.4 007/160] parisc: Fix map_pages() to not overwrite existing pte entries
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 006/160] parisc: Fix address in HPMC IVA Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 008/160] ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>

commit 3c229b3f2dd8133f61bb81d3cb018be92f4bba39 upstream.

Fix a long-existing small nasty bug in the map_pages() implementation which
leads to overwriting already written pte entries with zero, *if* map_pages() is
called a second time with an end address which isn't aligned on a pmd boundary.
This happens for example if we want to remap only the text segment read/write
in order to run alternative patching on the code. Exiting the loop when we
reach the end address fixes this.

Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/parisc/mm/init.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/arch/parisc/mm/init.c
+++ b/arch/parisc/mm/init.c
@@ -491,12 +491,8 @@ static void __init map_pages(unsigned lo
 						pte = pte_mkhuge(pte);
 				}
 
-				if (address >= end_paddr) {
-					if (force)
-						break;
-					else
-						pte_val(pte) = 0;
-				}
+				if (address >= end_paddr)
+					break;
 
 				set_pte(pg_table, pte);
 
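Review bot: with the "if (force)" test removed from this block, check whether force is still used anywhere else in map_pages(); if not, the parameter is now dead and should be dropped from the signature and its callers in the same patch. It is also worth confirming that the enclosing loops terminate on address >= end_paddr as well, since this break only leaves the innermost one.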




* [PATCH 4.4 008/160] ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 007/160] parisc: Fix map_pages() to not overwrite existing pte entries Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 009/160] ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Ploumistos, Jeremy Cline,
	Takashi Iwai

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Cline <jcline@redhat.com>

commit e7bb6ad5685f05685dd8a6a5eda7bfcd14d5f95b upstream.

The Lenovo G50-30, like other G50 models, has a Conexant codec that
requires a quirk for its inverted stereo dmic.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1249364
Reported-by: Alexander Ploumistos <alex.ploumistos@gmail.com>
Tested-by: Alexander Ploumistos <alex.ploumistos@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_conexant.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -867,6 +867,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410),
 	SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410),
 	SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD),
+	SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),




* [PATCH 4.4 009/160] ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 008/160] ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 010/160] x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Stanoev, Takashi Iwai

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Stanoev <alex@astanoev.com>

commit ac237c28d5ac1b241d58b1b7b4b9fa10efb22fb5 upstream.

The Creative Audigy SE (SB0570) card currently exhibits an audible pop
whenever playback is stopped or resumed, or during silent periods of an
audio stream. Initialise the IZD bit to 0 to eliminate these pops.

The Infinite Zero Detection (IZD) feature on the DAC causes the output
to be shunted to Vcap after 2048 samples of silence. This discharges the
AC coupling capacitor through the output and causes the aforementioned
pop/click noise.

The behaviour of the IZD bit is described on page 15 of the WM8768GEDS
datasheet: "With IZD=1, applying MUTE for 1024 consecutive input samples
will cause all outputs to be connected directly to VCAP. This also
happens if 2048 consecutive zero input samples are applied to all 6
channels, and IZD=0. It will be removed as soon as any channel receives
a non-zero input". I believe the second sentence might be referring to
IZD=1 instead of IZD=0 given the observed behaviour of the card.

This change should make the DAC initialisation consistent with
Creative's Windows driver, as this popping persists when initialising
the card in Linux and soft rebooting into Windows, but is not present on
a cold boot to Windows.

Signed-off-by: Alex Stanoev <alex@astanoev.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/ca0106/ca0106.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/ca0106/ca0106.h
+++ b/sound/pci/ca0106/ca0106.h
@@ -582,7 +582,7 @@
 #define SPI_PL_BIT_R_R		(2<<7)	/* right channel = right */
 #define SPI_PL_BIT_R_C		(3<<7)	/* right channel = (L+R)/2 */
 #define SPI_IZD_REG		2
-#define SPI_IZD_BIT		(1<<4)	/* infinite zero detect */
+#define SPI_IZD_BIT		(0<<4)	/* infinite zero detect */
 
 #define SPI_FMT_REG		3
 #define SPI_FMT_BIT_RJ		(0<<0)	/* right justified mode */
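Review bot: redefining SPI_IZD_BIT as (0<<4) turns every "| SPI_IZD_BIT" into a silent no-op and makes any "& SPI_IZD_BIT" test always false, while the comment still reads "infinite zero detect" as if the macro enabled it. Keeping the bit as (1<<4) and removing it from the DAC init value, or at least changing the comment to say IZD is deliberately left disabled, would make the intent visible at the use site.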




* [PATCH 4.4 010/160] x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 009/160] ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 011/160] x86/kconfig: Fall back to ticket spinlocks Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, He Zhe, Linus Torvalds,
	Peter Zijlstra, Thomas Gleixner, kstewart, pombredanne,
	Ingo Molnar

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: He Zhe <zhe.he@windriver.com>

commit ccde460b9ae5c2bd5e4742af0a7f623c2daad566 upstream.

memory_corruption_check[{_period|_size}]()'s handlers do not check input
argument before passing it to kstrtoul() or simple_strtoull(). The argument
would be a NULL pointer if each of the kernel parameters, without its
value, is set on the command line, and thus causes the following panic.

PANIC: early exception 0xe3 IP 10:ffffffff73587c22 error 0 cr2 0x0
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.18-rc8+ #2
[    0.000000] RIP: 0010:kstrtoull+0x2/0x10
...
[    0.000000] Call Trace
[    0.000000]  ? set_corruption_check+0x21/0x49
[    0.000000]  ? do_early_param+0x4d/0x82
[    0.000000]  ? parse_args+0x212/0x330
[    0.000000]  ? rdinit_setup+0x26/0x26
[    0.000000]  ? parse_early_options+0x20/0x23
[    0.000000]  ? rdinit_setup+0x26/0x26
[    0.000000]  ? parse_early_param+0x2d/0x39
[    0.000000]  ? setup_arch+0x2f7/0xbf4
[    0.000000]  ? start_kernel+0x5e/0x4c2
[    0.000000]  ? load_ucode_bsp+0x113/0x12f
[    0.000000]  ? secondary_startup_64+0xa5/0xb0

This patch adds checks to prevent the panic.

Signed-off-by: He Zhe <zhe.he@windriver.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: gregkh@linuxfoundation.org
Cc: kstewart@linuxfoundation.org
Cc: pombredanne@nexb.com
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1534260823-87917-1-git-send-email-zhe.he@windriver.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/check.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/arch/x86/kernel/check.c
+++ b/arch/x86/kernel/check.c
@@ -30,6 +30,11 @@ static __init int set_corruption_check(c
 	ssize_t ret;
 	unsigned long val;
 
+	if (!arg) {
+		pr_err("memory_corruption_check config string not provided\n");
+		return -EINVAL;
+	}
+
 	ret = kstrtoul(arg, 10, &val);
 	if (ret)
 		return ret;
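Review bot: the pr_err() text in set_corruption_check() says "config string not provided", but what is missing is the value of a boot parameter; wording such as "memory_corruption_check: no value given" would match what the user typed on the command line. Returning -EINVAL here is consistent with the kstrtoul() error path just below.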
@@ -44,6 +49,11 @@ static __init int set_corruption_check_p
 	ssize_t ret;
 	unsigned long val;
 
+	if (!arg) {
+		pr_err("memory_corruption_check_period config string not provided\n");
+		return -EINVAL;
+	}
+
 	ret = kstrtoul(arg, 10, &val);
 	if (ret)
 		return ret;
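Review bot: this is the same five-line NULL check as in set_corruption_check(), with only the parameter name in the message changed. A single helper taking the parameter name and arg would remove the duplication across the three handlers and keep the messages uniform.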
@@ -58,6 +68,11 @@ static __init int set_corruption_check_s
 	char *end;
 	unsigned size;
 
+	if (!arg) {
+		pr_err("memory_corruption_check_size config string not provided\n");
+		return -EINVAL;
+	}
+
 	size = memparse(arg, &end);
 
 	if (*end == '\0')
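Review bot: the NULL check in set_corruption_check_size() stops the panic, but the next statement still assigns the result of memparse(), which returns unsigned long long, to "unsigned size", so an oversized value is truncated without any message. Since this handler is being hardened against bad input anyway, a range check after memparse() would be a natural addition.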




* [PATCH 4.4 011/160] x86/kconfig: Fall back to ticket spinlocks
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 010/160] x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 012/160] sparc: Fix single-pcr perf event counter management Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior,
	Peter Zijlstra, Thomas Gleixner, Daniel Wagner

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Wagner <daniel.wagner@siemens.com>

Sebastian writes:

"""
We reproducibly observe cache line starvation on a Core2Duo E6850 (2
cores), a i5-6400 SKL (4 cores) and on a NXP LS2044A ARM Cortex-A72 (4
cores).

The problem can be triggered with a v4.9-RT kernel by starting

    cyclictest -S -p98 -m  -i2000 -b 200

and as "load"

    stress-ng --ptrace 4

The reported maximal latency is usually less than 60us. If the problem
triggers then values around 400us, 800us or even more are reported. The
upper limit is the -i parameter.

Reproduction with 4.9-RT is almost immediate on Core2Duo, ARM64 and SKL,
but it took 7.5 hours to trigger on v4.14-RT on the Core2Duo.

Instrumentation always shows the picture:

CPU0                                         CPU1
=> do_syscall_64                              => do_syscall_64
=> SyS_ptrace                                   => syscall_slow_exit_work
=> ptrace_check_attach                          => ptrace_do_notify / rt_read_unlock
=> wait_task_inactive                              rt_spin_lock_slowunlock()
   -> while task_running()                         __rt_mutex_unlock_common()
  /   check_task_state()                           mark_wakeup_next_waiter()
 |     raw_spin_lock_irq(&p->pi_lock);             raw_spin_lock(&current->pi_lock);
 |     .                                               .
 |     raw_spin_unlock_irq(&p->pi_lock);               .
  \  cpu_relax()                                       .
   -                                                   .
    *IRQ*                                          <lock acquired>

In the error case we observe that the while() loop is repeated more than
5000 times which indicates that the pi_lock can be acquired. CPU1 on the
other side does not make progress waiting for the same lock with interrupts
disabled.

This continues until an IRQ hits CPU0. Once CPU0 starts processing the IRQ
the other CPU is able to acquire pi_lock and the situation relaxes.
"""

This matches with the observation for v4.4-rt on a Core2Duo E6850:

CPU 0:

- no progress for a very long time in rt_mutex_dequeue_pi:

stress-n-1931    0d..11  5060.891219: function:             __try_to_take_rt_mutex
stress-n-1931    0d..11  5060.891219: function:                rt_mutex_dequeue
stress-n-1931    0d..21  5060.891220: function:                rt_mutex_enqueue_pi
stress-n-1931    0....2  5060.891220: signal_generate:      sig=17 errno=0 code=262148 comm=stress-ng-ptrac pid=1928 grp=1 res=1
stress-n-1931    0d..21  5060.894114: function:             rt_mutex_dequeue_pi
stress-n-1931    0d.h11  5060.894115: local_timer_entry:    vector=239

CPU 1:

- IRQ at 5060.894114 on CPU 1 followed by the IRQ on CPU 0

stress-n-1928    1....0  5060.891215: sys_enter:            NR 101 (18, 78b, 0, 0, 17, 788)
stress-n-1928    1d..11  5060.891216: function:             __try_to_take_rt_mutex
stress-n-1928    1d..21  5060.891216: function:                rt_mutex_enqueue_pi
stress-n-1928    1d..21  5060.891217: function:             rt_mutex_dequeue_pi
stress-n-1928    1....1  5060.891217: function:             rt_mutex_adjust_prio
stress-n-1928    1d..11  5060.891218: function:                __rt_mutex_adjust_prio
stress-n-1928    1d.h10  5060.894114: local_timer_entry:    vector=239

Thomas writes:

"""
This has nothing to do with RT. RT is merely exposing the
problem in an observable way. The same issue happens with upstream, it's
harder to trigger and it's harder to observe for obvious reasons.

If you read through the discussions [see the links below] then you
really see that there is an upstream issue with the x86 qrlock
implementation and Peter has posted fixes which resolve it, both at
the practical and the theoretical level.
"""

Backporting all qspinlock related patches is very likely to introduce
regressions on v4.4. Therefore, the recommended solution by Peter and
Thomas is to drop back to ticket spinlocks for v4.4.

Link: https://lkml.kernel.org/r/20180921120226.6xjgr4oiho22ex75@linutronix.de
Link: https://lkml.kernel.org/r/20180926110117.405325143@infradead.org
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

Thomas suggests the following plan for fixing the issues on the various
stable trees:

   4.4:  Trivial by switching back to ticket locks.

   4.9:  Decide whether bringing back ticket locks or backporting all qrlock
   	 fixes. Sebastian has done the latter already and it's probably the
   	 right solution

   4.14:
   4.18: Backporting the qrlock fixes

   4.19: Either the fix ends up in 4.19 final or it needs to be backported


 arch/x86/Kconfig |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -41,7 +41,6 @@ config X86
 	select ARCH_USE_BUILTIN_BSWAP
 	select ARCH_USE_CMPXCHG_LOCKREF		if X86_64
 	select ARCH_USE_QUEUED_RWLOCKS
-	select ARCH_USE_QUEUED_SPINLOCKS
 	select ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
 	select ARCH_WANTS_DYNAMIC_TASK_STRUCT
 	select ARCH_WANT_FRAME_POINTERS
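Review bot: only "select ARCH_USE_QUEUED_SPINLOCKS" is dropped, while "select ARCH_USE_QUEUED_RWLOCKS" on the line above stays, yet the changelog describes the upstream problem in terms of the "qrlock" implementation. The changelog should say explicitly that queued rwlocks are meant to remain enabled on 4.4 and why they are unaffected, so the partial revert does not look like an oversight.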




* [PATCH 4.4 012/160] sparc: Fix single-pcr perf event counter management.
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 011/160] x86/kconfig: Fall back to ticket spinlocks Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 013/160] x86/fpu: Remove second definition of fpu in __fpu__restore_sig() Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <davem@davemloft.net>

[ Upstream commit cfdc3170d214046b9509183fe9b9544dc644d40b ]

It is important to clear the hw->state value for non-stopped events
when they are added into the PMU.  Otherwise when the event is
scheduled out, we won't read the counter because HES_UPTODATE is still
set.  This breaks 'perf stat' and similar use cases, causing all the
events to show zero.

This worked for multi-pcr because we make explicit sparc_pmu_start()
calls in calculate_multiple_pcrs().  calculate_single_pcr() doesn't do
this because the idea there is to accumulate all of the counter
settings into the single pcr value.  So we have to add explicit
hw->state handling there.

Like x86, we use the PERF_HES_ARCH bit to track truly stopped events
so that we don't accidentally start them on a reload.

Related to all of this, sparc_pmu_start() is missing a userpage update
so add it.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/kernel/perf_event.c |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/arch/sparc/kernel/perf_event.c
+++ b/arch/sparc/kernel/perf_event.c
@@ -926,6 +926,8 @@ static void read_in_all_counters(struct
 			sparc_perf_event_update(cp, &cp->hw,
 						cpuc->current_idx[i]);
 			cpuc->current_idx[i] = PIC_NO_INDEX;
+			if (cp->hw.state & PERF_HES_STOPPED)
+				cp->hw.state |= PERF_HES_ARCH;
 		}
 	}
 }
@@ -958,10 +960,12 @@ static void calculate_single_pcr(struct
 
 		enc = perf_event_get_enc(cpuc->events[i]);
 		cpuc->pcr[0] &= ~mask_for_index(idx);
-		if (hwc->state & PERF_HES_STOPPED)
+		if (hwc->state & PERF_HES_ARCH) {
 			cpuc->pcr[0] |= nop_for_index(idx);
-		else
+		} else {
 			cpuc->pcr[0] |= event_encoding(enc, idx);
+			hwc->state = 0;
+		}
 	}
 out:
 	cpuc->pcr[0] |= cpuc->event[0]->hw.config_base;
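
Review bot: In the new else branch of calculate_single_pcr(),
`hwc->state = 0` clears the state directly instead of going through
sparc_pmu_start(), so the perf_event_update_userpage() call this patch
adds to sparc_pmu_start() is never reached for events started on the
single-pcr path. Either call perf_event_update_userpage() here as well or
add a comment saying why the user page needs no refresh in this case.
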
@@ -987,6 +991,9 @@ static void calculate_multiple_pcrs(stru
 
 		cpuc->current_idx[i] = idx;
 
+		if (cp->hw.state & PERF_HES_ARCH)
+			continue;
+
 		sparc_pmu_start(cp, PERF_EF_RELOAD);
 	}
 out:
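
Review bot: The new `continue` in calculate_multiple_pcrs() comes after
`cpuc->current_idx[i] = idx`, so an event with PERF_HES_ARCH set is
assigned a counter index but nothing in this loop programs its pcr,
whereas calculate_single_pcr() writes nop_for_index() for the same state.
A short comment stating that the pcr of a stopped event is already in the
right state, or an explicit nop write, would make the two paths easier to
compare.
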
@@ -1078,6 +1085,8 @@ static void sparc_pmu_start(struct perf_
 	event->hw.state = 0;
 
 	sparc_pmu_enable_event(cpuc, &event->hw, idx);
+
+	perf_event_update_userpage(event);
 }
 
 static void sparc_pmu_stop(struct perf_event *event, int flags)
@@ -1370,9 +1379,9 @@ static int sparc_pmu_add(struct perf_eve
 	cpuc->events[n0] = event->hw.event_base;
 	cpuc->current_idx[n0] = PIC_NO_INDEX;
 
-	event->hw.state = PERF_HES_UPTODATE;
+	event->hw.state = PERF_HES_UPTODATE | PERF_HES_STOPPED;
 	if (!(ef_flags & PERF_EF_START))
-		event->hw.state |= PERF_HES_STOPPED;
+		event->hw.state |= PERF_HES_ARCH;
 
 	/*
 	 * If group events scheduling transaction was started,
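
Review bot: sparc_pmu_add() now sets PERF_HES_STOPPED on every added
event and uses PERF_HES_ARCH to mark the ones added without
PERF_EF_START, which changes what PERF_HES_STOPPED means for the rest of
the file and is explained only in the changelog. Add a comment at this
assignment saying which bit means "not yet programmed" and which means
"stopped on request, do not restart on reload", so the checks in
read_in_all_counters() and calculate_single_pcr() can be read without the
commit message.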




* [PATCH 4.4 013/160] x86/fpu: Remove second definition of fpu in __fpu__restore_sig()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 012/160] sparc: Fix single-pcr perf event counter management Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 014/160] net: qla3xxx: Remove overflowing shift statement Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior,
	Andy Lutomirski, Borislav Petkov, Dave Hansen, Linus Torvalds,
	Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

[ Upstream commit 6aa676761d4c1acfa31320e55fa1f83f3fcbbc7a ]

Commit:

  c5bedc6847c3b ("x86/fpu: Get rid of PF_USED_MATH usage, convert it to fpu->fpstate_active")

introduced the 'fpu' variable at top of __restore_xstate_sig(),
which now shadows the other definition:

  arch/x86/kernel/fpu/signal.c:318:28: warning: symbol 'fpu' shadows an earlier one
  arch/x86/kernel/fpu/signal.c:271:20: originally declared here

Remove the shadowed definition of 'fpu', as the two definitions are the same.

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: c5bedc6847c3b ("x86/fpu: Get rid of PF_USED_MATH usage, convert it to fpu->fpstate_active")
Link: http://lkml.kernel.org/r/20181016202525.29437-3-bigeasy@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/fpu/signal.c |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -294,7 +294,6 @@ static int __fpu__restore_sig(void __use
 		 * thread's fpu state, reconstruct fxstate from the fsave
 		 * header. Sanitize the copied state etc.
 		 */
-		struct fpu *fpu = &tsk->thread.fpu;
 		struct user_i387_ia32_struct env;
 		int err = 0;
 
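
Review bot: The removed `struct fpu *fpu = &tsk->thread.fpu;` is the only
line in this hunk that shows what `fpu` points to, and the outer
declaration the log calls identical is outside the visible context, so
the equivalence cannot be checked from the patch alone; it holds only if
`tsk` is not reassigned between the two declarations. The log also names
__restore_xstate_sig() while the subject and the hunk header name
__fpu__restore_sig(); the description should use the name that exists in
this tree.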




* [PATCH 4.4 014/160] net: qla3xxx: Remove overflowing shift statement
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 013/160] x86/fpu: Remove second definition of fpu in __fpu__restore_sig() Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 015/160] selftests: ftrace: Add synthetic event syntax testcase Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 8c3bf9b62b667456a57aefcf1689e826df146159 ]

Clang currently warns:

drivers/net/ethernet/qlogic/qla3xxx.c:384:24: warning: signed shift
result (0xF00000000) requires 37 bits to represent, but 'int' only has
32 bits [-Wshift-overflow]
                    ((ISP_NVRAM_MASK << 16) | qdev->eeprom_cmd_data));
                      ~~~~~~~~~~~~~~ ^  ~~
1 warning generated.

The warning is certainly accurate since ISP_NVRAM_MASK is defined as
(0x000F << 16) which is then shifted by 16, resulting in 64424509440,
well above UINT_MAX.

Given that this is the only location in this driver where ISP_NVRAM_MASK
is shifted again, it seems likely that ISP_NVRAM_MASK was originally
defined without a shift and during the move of the shift to the
definition, this statement wasn't properly removed (since ISP_NVRAM_MASK
is used in the statement right above this). Only the maintainers can
confirm this since this statement has been here since the driver was
first added to the kernel.

Link: https://github.com/ClangBuiltLinux/linux/issues/127
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qla3xxx.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -380,8 +380,6 @@ static void fm93c56a_select(struct ql3_a
 
 	qdev->eeprom_cmd_data = AUBURN_EEPROM_CS_1;
 	ql_write_nvram_reg(qdev, spir, ISP_NVRAM_MASK | qdev->eeprom_cmd_data);
-	ql_write_nvram_reg(qdev, spir,
-			   ((ISP_NVRAM_MASK << 16) | qdev->eeprom_cmd_data));
 }
 
 /*
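
Review bot: Deleting the second ql_write_nvram_reg() call in
fm93c56a_select() changes the register write sequence sent to the
device, not only the warning: the old expression still produced a write
of `qdev->eeprom_cmd_data`, with the over-shifted mask bits in practice
lost because the result does not fit in a 32-bit int. The log itself says
only the maintainers can confirm the intent, so a Tested-by on qla3xxx
hardware, or a statement that none was available, belongs in the
changelog before this goes to stable.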




* [PATCH 4.4 015/160] selftests: ftrace: Add synthetic event syntax testcase
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 014/160] net: qla3xxx: Remove overflowing shift statement Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 016/160] locking/lockdep: Fix debug_locks off performance problem Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shuah Khan, Masami Hiramatsu,
	Steven Rostedt (VMware),
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

[ Upstream commit ba0e41ca81b935b958006c7120466e2217357827 ]

Add a testcase to check the syntax and field types for
synthetic_events interface.

Link: http://lkml.kernel.org/r/153986838264.18251.16627517536956299922.stgit@devbox

Acked-by: Shuah Khan <shuah@kernel.org>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-syntax.tc |   80 ++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-syntax.tc

--- /dev/null
+++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-syntax.tc
@@ -0,0 +1,80 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+# description: event trigger - test synthetic_events syntax parser
+
+do_reset() {
+    reset_trigger
+    echo > set_event
+    clear_trace
+}
+
+fail() { #msg
+    do_reset
+    echo $1
+    exit_fail
+}
+
+if [ ! -f set_event ]; then
+    echo "event tracing is not supported"
+    exit_unsupported
+fi
+
+if [ ! -f synthetic_events ]; then
+    echo "synthetic event is not supported"
+    exit_unsupported
+fi
+
+reset_tracer
+do_reset
+
+echo "Test synthetic_events syntax parser"
+
+echo > synthetic_events
+
+# synthetic event must have a field
+! echo "myevent" >> synthetic_events
+echo "myevent u64 var1" >> synthetic_events
+
+# synthetic event must be found in synthetic_events
+grep "myevent[[:space:]]u64 var1" synthetic_events
+
+# it is not possible to add same name event
+! echo "myevent u64 var2" >> synthetic_events
+
+# Non-append open will cleanup all events and add new one
+echo "myevent u64 var2" > synthetic_events
+
+# multiple fields with different spaces
+echo "myevent u64 var1; u64 var2;" > synthetic_events
+grep "myevent[[:space:]]u64 var1; u64 var2" synthetic_events
+echo "myevent u64 var1 ; u64 var2 ;" > synthetic_events
+grep "myevent[[:space:]]u64 var1; u64 var2" synthetic_events
+echo "myevent u64 var1 ;u64 var2" > synthetic_events
+grep "myevent[[:space:]]u64 var1; u64 var2" synthetic_events
+
+# test field types
+echo "myevent u32 var" > synthetic_events
+echo "myevent u16 var" > synthetic_events
+echo "myevent u8 var" > synthetic_events
+echo "myevent s64 var" > synthetic_events
+echo "myevent s32 var" > synthetic_events
+echo "myevent s16 var" > synthetic_events
+echo "myevent s8 var" > synthetic_events
+
+echo "myevent char var" > synthetic_events
+echo "myevent int var" > synthetic_events
+echo "myevent long var" > synthetic_events
+echo "myevent pid_t var" > synthetic_events
+
+echo "myevent unsigned char var" > synthetic_events
+echo "myevent unsigned int var" > synthetic_events
+echo "myevent unsigned long var" > synthetic_events
+grep "myevent[[:space:]]unsigned long var" synthetic_events
+
+# test string type
+echo "myevent char var[10]" > synthetic_events
+grep "myevent[[:space:]]char\[10\] var" synthetic_events
+
+do_reset
+
+exit 0
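
Review bot: The two negative checks, `! echo "myevent" >> synthetic_events`
and `! echo "myevent u64 var2" >> synthetic_events`, cannot fail the test
if the script depends on `set -e` to abort on errors, because errexit
ignores the status of a command negated with `!`. The fail() helper
defined at the top is also never called. Rewriting the checks as
`if echo "myevent" >> synthetic_events; then fail "..."; fi` would make
both the negative cases and the helper do real work.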




* [PATCH 4.4 016/160] locking/lockdep: Fix debug_locks off performance problem
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 015/160] selftests: ftrace: Add synthetic event syntax testcase Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 017/160] ataflop: fix error handling during setup Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Waiman Long, Andrew Morton,
	Linus Torvalds, Paul E. McKenney, Peter Zijlstra,
	Thomas Gleixner, Will Deacon, Ingo Molnar, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Waiman Long <longman@redhat.com>

[ Upstream commit 9506a7425b094d2f1d9c877ed5a78f416669269b ]

It was found that when debug_locks was turned off because of a problem
found by the lockdep code, the system performance could drop quite
significantly when the lock_stat code was also configured into the
kernel. For instance, parallel kernel build time on a 4-socket x86-64
server nearly doubled.

Further analysis into the cause of the slowdown traced back to the
frequent call to debug_locks_off() from the __lock_acquired() function
probably due to some inconsistent lockdep states with debug_locks
off. The debug_locks_off() function did an unconditional atomic xchg
to write a 0 value into debug_locks which had already been set to 0.
This led to severe cacheline contention in the cacheline that held
debug_locks.  As debug_locks is being referenced in quite a few different
places in the kernel, this greatly slows down the system performance.

To prevent that trashing of debug_locks cacheline, lock_acquired()
and lock_contended() now check the state of debug_locks before
proceeding. The debug_locks_off() function is also modified to check
debug_locks before calling __debug_locks_off().

Signed-off-by: Waiman Long <longman@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Link: http://lkml.kernel.org/r/1539913518-15598-1-git-send-email-longman@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/locking/lockdep.c |    4 ++--
 lib/debug_locks.c        |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -3826,7 +3826,7 @@ void lock_contended(struct lockdep_map *
 {
 	unsigned long flags;
 
-	if (unlikely(!lock_stat))
+	if (unlikely(!lock_stat || !debug_locks))
 		return;
 
 	if (unlikely(current->lockdep_recursion))
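
Review bot: With `!debug_locks` added to the early return in
lock_contended() (and the same change in lock_acquired() in the next
hunk), lock_stat stops recording contention and acquisition events as
soon as lockdep turns itself off, which is a user-visible change the log
presents only as a performance fix. State in the changelog that lock_stat
data is no longer updated once debug_locks drops to 0, so anyone reading
the statistics after a lockdep report knows they are stale.
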
@@ -3846,7 +3846,7 @@ void lock_acquired(struct lockdep_map *l
 {
 	unsigned long flags;
 
-	if (unlikely(!lock_stat))
+	if (unlikely(!lock_stat || !debug_locks))
 		return;
 
 	if (unlikely(current->lockdep_recursion))
--- a/lib/debug_locks.c
+++ b/lib/debug_locks.c
@@ -37,7 +37,7 @@ EXPORT_SYMBOL_GPL(debug_locks_silent);
  */
 int debug_locks_off(void)
 {
-	if (__debug_locks_off()) {
+	if (debug_locks && __debug_locks_off()) {
 		if (!debug_locks_silent) {
 			console_verbose();
 			return 1;
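
Review bot: The new `debug_locks &&` test in debug_locks_off() is a
plain, unsynchronised read placed in front of the atomic exchange, and
nothing at this site says that racing with a concurrent writer is
harmless. Add a one-line comment that the check exists only to skip the
xchg when debug_locks is already 0, and consider READ_ONCE() for the
read, so it is not later mistaken for a locking bug or removed as
redundant.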




* [PATCH 4.4 017/160] ataflop: fix error handling during setup
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 016/160] locking/lockdep: Fix debug_locks off performance problem Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 018/160] swim: fix cleanup on setup error Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Omar Sandoval, Jens Axboe, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

[ Upstream commit 71327f547ee3a46ec5c39fdbbd268401b2578d0e ]

Move queue allocation next to disk allocation to fix a couple of issues:

- If add_disk() hasn't been called, we should clear disk->queue before
  calling put_disk().
- If we fail to allocate a request queue, we still need to put all of
  the disks, not just the ones that we allocated queues for.

Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/ataflop.c |   25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

--- a/drivers/block/ataflop.c
+++ b/drivers/block/ataflop.c
@@ -1933,6 +1933,11 @@ static int __init atari_floppy_init (voi
 		unit[i].disk = alloc_disk(1);
 		if (!unit[i].disk)
 			goto Enomem;
+
+		unit[i].disk->queue = blk_init_queue(do_fd_request,
+						     &ataflop_lock);
+		if (!unit[i].disk->queue)
+			goto Enomem;
 	}
 
 	if (UseTrackbuffer < 0)
@@ -1964,10 +1969,6 @@ static int __init atari_floppy_init (voi
 		sprintf(unit[i].disk->disk_name, "fd%d", i);
 		unit[i].disk->fops = &floppy_fops;
 		unit[i].disk->private_data = &unit[i];
-		unit[i].disk->queue = blk_init_queue(do_fd_request,
-					&ataflop_lock);
-		if (!unit[i].disk->queue)
-			goto Enomem;
 		set_capacity(unit[i].disk, MAX_DISK_SIZE * 2);
 		add_disk(unit[i].disk);
 	}
@@ -1982,13 +1983,17 @@ static int __init atari_floppy_init (voi
 
 	return 0;
 Enomem:
-	while (i--) {
-		struct request_queue *q = unit[i].disk->queue;
+	do {
+		struct gendisk *disk = unit[i].disk;
 
-		put_disk(unit[i].disk);
-		if (q)
-			blk_cleanup_queue(q);
-	}
+		if (disk) {
+			if (disk->queue) {
+				blk_cleanup_queue(disk->queue);
+				disk->queue = NULL;
+			}
+			put_disk(unit[i].disk);
+		}
+	} while (i--);
 
 	unregister_blkdev(FLOPPY_MAJOR, "fd");
 	return -ENOMEM;
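
Review bot: In the new Enomem loop the local `disk` is used for the NULL
and queue checks, but the final call is still `put_disk(unit[i].disk)`;
use `put_disk(disk)` to match the rest of the block. The do/while form
also reads unit[i] for the index at which the failure happened, which is
right for the two `goto Enomem` sites visible in this patch because both
sit inside the allocation loop; a brief comment to that effect would
guard against a later goto added after the loop.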




* [PATCH 4.4 018/160] swim: fix cleanup on setup error
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 017/160] ataflop: fix error handling during setup Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 019/160] tun: Consistently configure generic netdev params via rtnetlink Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Omar Sandoval, Jens Axboe, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

[ Upstream commit 1448a2a5360ae06f25e2edc61ae070dff5c0beb4 ]

If we fail to allocate the request queue for a disk, we still need to
free that disk, not just the previous ones. Additionally, we need to
cleanup the previous request queues.

Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/swim.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/block/swim.c
+++ b/drivers/block/swim.c
@@ -868,8 +868,17 @@ static int swim_floppy_init(struct swim_
 
 exit_put_disks:
 	unregister_blkdev(FLOPPY_MAJOR, "fd");
-	while (drive--)
-		put_disk(swd->unit[drive].disk);
+	do {
+		struct gendisk *disk = swd->unit[drive].disk;
+
+		if (disk) {
+			if (disk->queue) {
+				blk_cleanup_queue(disk->queue);
+				disk->queue = NULL;
+			}
+			put_disk(disk);
+		}
+	} while (drive--);
 	return err;
 }
 
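
Review bot: Switching `while (drive--)` to `do { ... } while (drive--)`
under exit_put_disks makes the loop read `swd->unit[drive]` for the
current value of `drive` as well, and the jumps to this label are outside
the hunk. Please confirm that every `goto exit_put_disks` leaves `drive`
at an index inside the unit array and that unused `disk` pointers are
NULL, since the `if (disk)` check is the only guard here.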




* [PATCH 4.4 019/160] tun: Consistently configure generic netdev params via rtnetlink
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 018/160] swim: fix cleanup on setup error Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 020/160] perf tools: Free temporary sys string in read_event_files() Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Serhey Popovych, David S. Miller,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Serhey Popovych <serhe.popovych@gmail.com>

[ Upstream commit df52eab23d703142c766ac00bdb8db19d71238d0 ]

Configuring generic network device parameters on tun will fail in
presence of IFLA_INFO_KIND attribute in IFLA_LINKINFO nested attribute
since tun_validate() always returns failure.

This can be visualized with the following ip-link(8) command sequences:

  # ip link set dev tun0 group 100
  # ip link set dev tun0 group 100 type tun
  RTNETLINK answers: Invalid argument

in contrast to dummy and veth drivers:

  # ip link set dev dummy0 group 100
  # ip link set dev dummy0 type dummy

  # ip link set dev veth0 group 100
  # ip link set dev veth0 group 100 type veth

Fix by returning zero in tun_validate() when @data is NULL, which is
always the case since rtnl_link_ops->maxtype is zero in the tun driver.

Fixes: f019a7a594d9 ("tun: Implement ip link del tunXXX")
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/tun.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1475,6 +1475,8 @@ static void tun_setup(struct net_device
  */
 static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
 {
+	if (!data)
+		return 0;
 	return -EINVAL;
 }
 
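
Review bot: tun_validate() now returns 0 for a NULL `data` and -EINVAL
otherwise, but the reason (rtnl_link_ops->maxtype is zero, so `data` is
always NULL) is given only in the changelog. Put a one-line comment above
the new `if (!data)` test, and check that the block comment ending just
above the function still describes the behaviour.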




* [PATCH 4.4 020/160] perf tools: Free temporary sys string in read_event_files()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 019/160] tun: Consistently configure generic netdev params via rtnetlink Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 021/160] perf tools: Cleanup trace-event-info tdata leak Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sanskriti Sharma, Jiri Olsa,
	Joe Lawrence, Arnaldo Carvalho de Melo, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanskriti Sharma <sansharm@redhat.com>

[ Upstream commit 1e44224fb0528b4c0cc176bde2bb31e9127eb14b ]

For each system in a given pevent, read_event_files() reads in a
temporary 'sys' string.  Be sure to free this string before moving on
to the next system and/or leaving read_event_files().

Fixes the following coverity complaints:

  Error: RESOURCE_LEAK (CWE-772):

  tools/perf/util/trace-event-read.c:343: overwrite_var: Overwriting
  "sys" in "sys = read_string()" leaks the storage that "sys" points to.

  tools/perf/util/trace-event-read.c:353: leaked_storage: Variable "sys"
  going out of scope leaks the storage it points to.

Signed-off-by: Sanskriti Sharma <sansharm@redhat.com>
Reviewed-by: Jiri Olsa <jolsa@kernel.org>
Cc: Joe Lawrence <joe.lawrence@redhat.com>
Link: http://lkml.kernel.org/r/1538490554-8161-6-git-send-email-sansharm@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/util/trace-event-read.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/util/trace-event-read.c
+++ b/tools/perf/util/trace-event-read.c
@@ -334,9 +334,12 @@ static int read_event_files(struct peven
 		for (x=0; x < count; x++) {
 			size = read8(pevent);
 			ret = read_event_file(pevent, sys, size);
-			if (ret)
+			if (ret) {
+				free(sys);
 				return ret;
+			}
 		}
+		free(sys);
 	}
 	return 0;
 }




* [PATCH 4.4 021/160] perf tools: Cleanup trace-event-info tdata leak
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 020/160] perf tools: Free temporary sys string in read_event_files() Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 022/160] mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sanskriti Sharma, Jiri Olsa,
	Joe Lawrence, Arnaldo Carvalho de Melo, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanskriti Sharma <sansharm@redhat.com>

[ Upstream commit faedbf3fd19f2511a39397f76359e4cc6ee93072 ]

Free tracing_data structure in tracing_data_get() error paths.

Fixes the following coverity complaint:

  Error: RESOURCE_LEAK (CWE-772):
  leaked_storage: Variable "tdata" going out of scope leaks the storage

Signed-off-by: Sanskriti Sharma <sansharm@redhat.com>
Reviewed-by: Jiri Olsa <jolsa@kernel.org>
Cc: Joe Lawrence <joe.lawrence@redhat.com>
Link: http://lkml.kernel.org/r/1538490554-8161-3-git-send-email-sansharm@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/util/trace-event-info.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/tools/perf/util/trace-event-info.c
+++ b/tools/perf/util/trace-event-info.c
@@ -507,12 +507,14 @@ struct tracing_data *tracing_data_get(st
 			 "/tmp/perf-XXXXXX");
 		if (!mkstemp(tdata->temp_file)) {
 			pr_debug("Can't make temp file");
+			free(tdata);
 			return NULL;
 		}
 
 		temp_fd = open(tdata->temp_file, O_RDWR);
 		if (temp_fd < 0) {
 			pr_debug("Can't read '%s'", tdata->temp_file);
+			free(tdata);
 			return NULL;
 		}
 
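
Review bot: The first `free(tdata)` is added under
`if (!mkstemp(tdata->temp_file))`, but mkstemp() returns -1 on failure
and a file descriptor on success, so this branch runs only when the call
succeeds with descriptor 0, and a real failure falls through to open().
The check should be `< 0`, and because the return value is not stored the
descriptor mkstemp() opens can never be closed before the file is
reopened with open(); the leak fix is incomplete without that. On the
open() failure path the temporary file is also left on disk, so an
unlink(tdata->temp_file) before `free(tdata)` is worth adding.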




* [PATCH 4.4 022/160] mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 021/160] perf tools: Cleanup trace-event-info tdata leak Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 023/160] Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yu Zhao, Ulf Hansson, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yu Zhao <yuzhao@google.com>

[ Upstream commit 5169894982bb67486d93cc1e10151712bb86bcb6 ]

This device reports SDHCI_CLOCK_INT_STABLE even though it's not
ready to take SDHCI_CLOCK_CARD_EN. The symptom is that reading
SDHCI_CLOCK_CONTROL after enabling the clock shows absence of the
bit from the register (e.g. expecting 0x0000fa07 = 0x0000fa03 |
SDHCI_CLOCK_CARD_EN but only observed the first operand).

mmc1: Timeout waiting for hardware cmd interrupt.
mmc1: sdhci: ============ SDHCI REGISTER DUMP ===========
mmc1: sdhci: Sys addr:  0x00000000 | Version:  0x00000603
mmc1: sdhci: Blk size:  0x00000000 | Blk cnt:  0x00000000
mmc1: sdhci: Argument:  0x00000000 | Trn mode: 0x00000000
mmc1: sdhci: Present:   0x01ff0001 | Host ctl: 0x00000001
mmc1: sdhci: Power:     0x0000000f | Blk gap:  0x00000000
mmc1: sdhci: Wake-up:   0x00000000 | Clock:    0x0000fa03
mmc1: sdhci: Timeout:   0x00000000 | Int stat: 0x00000000
mmc1: sdhci: Int enab:  0x00ff0083 | Sig enab: 0x00ff0083
mmc1: sdhci: AC12 err:  0x00000000 | Slot int: 0x00000000
mmc1: sdhci: Caps:      0x25fcc8bf | Caps_1:   0x00002077
mmc1: sdhci: Cmd:       0x00000000 | Max curr: 0x005800c8
mmc1: sdhci: Resp[0]:   0x00000000 | Resp[1]:  0x00000000
mmc1: sdhci: Resp[2]:   0x00000000 | Resp[3]:  0x00000000
mmc1: sdhci: Host ctl2: 0x00000008
mmc1: sdhci: ADMA Err:  0x00000000 | ADMA Ptr: 0x00000000
mmc1: sdhci: ============================================

The problem happens during wakeup from S3. Adding a delay quirk
after power up reliably fixes the problem.

Signed-off-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci-pci-o2micro.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/mmc/host/sdhci-pci-o2micro.c
+++ b/drivers/mmc/host/sdhci-pci-o2micro.c
@@ -334,6 +334,9 @@ int sdhci_pci_o2_probe(struct sdhci_pci_
 		pci_write_config_byte(chip->pdev, O2_SD_LOCK_WP, scratch);
 		break;
 	case PCI_DEVICE_ID_O2_SEABIRD0:
+		if (chip->pdev->revision == 0x01)
+			chip->quirks |= SDHCI_QUIRK_DELAY_AFTER_POWER;
+		/* fall through */
 	case PCI_DEVICE_ID_O2_SEABIRD1:
 		/* UnLock WP */
 		ret = pci_read_config_byte(chip->pdev,
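
Review bot: The new revision test under
`case PCI_DEVICE_ID_O2_SEABIRD0:` uses a bare `0x01` and gives no hint
why this revision needs SDHCI_QUIRK_DELAY_AFTER_POWER. A short comment
there pointing to the S3 resume symptom from the log (the controller
reports SDHCI_CLOCK_INT_STABLE before it can take SDHCI_CLOCK_CARD_EN)
would keep the quirk from looking arbitrary.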




* [PATCH 4.4 023/160] Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 022/160] mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 024/160] x86: boot: Fix EFI stub alignment Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Hewitt, Marcel Holtmann,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Hewitt <christianshewitt@gmail.com>

[ Upstream commit a357ea098c9605f60d92a66a9073f56ce25726da ]

This patch adds the device ID for the AMPAK AP6335 combo module used
in the 1st generation WeTek Hub Android/LibreELEC HTPC box. The WiFi
chip identifies itself as BCM4339, while Bluetooth identifies itself
as BCM4335 (rev C0):

```
[    4.864248] Bluetooth: hci0: BCM: chip id 86
[    4.866388] Bluetooth: hci0: BCM: features 0x2f
[    4.889317] Bluetooth: hci0: BCM4335C0
[    4.889332] Bluetooth: hci0: BCM4335C0 (003.001.009) build 0000
[    9.778383] Bluetooth: hci0: BCM4335C0 (003.001.009) build 0268
```

Output from hciconfig:

```
hci0:	Type: Primary  Bus: UART
	BD Address: 43:39:00:00:1F:AC  ACL MTU: 1021:8  SCO MTU: 64:1
	UP RUNNING
	RX bytes:7567 acl:234 sco:0 events:386 errors:0
	TX bytes:53844 acl:77 sco:0 commands:304 errors:0
	Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
	Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
	Link policy: RSWITCH SNIFF
	Link mode: SLAVE ACCEPT
	Name: 'HUB'
	Class: 0x0c0000
	Service Classes: Rendering, Capturing
	Device Class: Miscellaneous,
	HCI Version: 4.0 (0x6)  Revision: 0x10c
	LMP Version: 4.0 (0x6)  Subversion: 0x6109
	Manufacturer: Broadcom Corporation (15)
```

Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/btbcm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/bluetooth/btbcm.c
+++ b/drivers/bluetooth/btbcm.c
@@ -270,6 +270,7 @@ static const struct {
 	{ 0x4103, "BCM4330B1"	},	/* 002.001.003 */
 	{ 0x410e, "BCM43341B0"	},	/* 002.001.014 */
 	{ 0x4406, "BCM4324B3"	},	/* 002.004.006 */
+	{ 0x6109, "BCM4335C0"	},	/* 003.001.009 */
 	{ 0x610c, "BCM4354"	},	/* 003.001.012 */
 	{ }
 };



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 024/160] x86: boot: Fix EFI stub alignment
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 023/160] Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 025/160] pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Ard Biesheuvel, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

[ Upstream commit 9c1442a9d039a1a3302fa93e9a11001c5f23b624 ]

We currently align the end of the compressed image to a multiple of
16.  However, the PE-COFF header included in the EFI stub says that
the file alignment is 32 bytes, and when adding an EFI signature to
the file it must first be padded to this alignment.

sbsigntool commands warn about this:

  warning: file-aligned section .text extends beyond end of file
  warning: checksum areas are greater than image size. Invalid section table?

Worse, pesign -at least when creating a detached signature- uses the
hash of the unpadded file, resulting in an invalid signature if
padding is required.

Avoid both these problems by increasing alignment to 32 bytes when
CONFIG_EFI_STUB is enabled.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/boot/tools/build.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/boot/tools/build.c
+++ b/arch/x86/boot/tools/build.c
@@ -391,6 +391,13 @@ int main(int argc, char ** argv)
 		die("Unable to mmap '%s': %m", argv[2]);
 	/* Number of 16-byte paragraphs, including space for a 4-byte CRC */
 	sys_size = (sz + 15 + 4) / 16;
+#ifdef CONFIG_EFI_STUB
+	/*
+	 * COFF requires minimum 32-byte alignment of sections, and
+	 * adding a signature is problematic without that alignment.
+	 */
+	sys_size = (sys_size + 1) & ~1;
+#endif
 
 	/* Patch the setup code with the appropriate size parameters */
 	buf[0x1f1] = setup_sectors-1;
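
Review bot: the rounding `sys_size = (sys_size + 1) & ~1;` encodes the 32-byte figure as "two 16-byte paragraphs", separately from the file alignment value that the commit message says is stated in the PE-COFF header, so the two can drift apart without any build failure. Since the commit message ties a mismatch to signing warnings and an invalid detached signature, consider deriving both from one constant or adding a build-time check. The existing comment "Number of 16-byte paragraphs" should also say that the count is rounded up to an even number when CONFIG_EFI_STUB is set.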



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 025/160] pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 024/160] x86: boot: Fix EFI stub alignment Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 026/160] kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, Linus Walleij, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit 69f8455f6cc78fa6cdf80d0105d7a748106271dc ]

'ret' should be returned when pmic_mpp_write_mode_ctl fails.

Fixes: 0e948042c420 ("pinctrl: qcom: spmi-mpp: Implement support for sink mode")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/qcom/pinctrl-spmi-mpp.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
+++ b/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
@@ -321,6 +321,8 @@ static int pmic_mpp_set_mux(struct pinct
 	pad->function = function;
 
 	ret = pmic_mpp_write_mode_ctl(state, pad);
+	if (ret < 0)
+		return ret;
 
 	val = pad->is_enabled << PMIC_MPP_REG_MASTER_EN_SHIFT;
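
Review bot: the new early return sits after `pad->function = function;`, so when `pmic_mpp_write_mode_ctl()` fails the cached pad state already holds the new function while the hardware write did not go through. Save the previous value before the assignment and restore it on the error path ahead of `return ret;`, so that the software state and the register stay consistent after a failed mux change.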
 



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 026/160] kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 025/160] pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 027/160] ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu,
	Anil S Keshavamurthy, David S . Miller, Linus Torvalds,
	Naveen N . Rao, Peter Zijlstra, Thomas Gleixner, Ingo Molnar,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

[ Upstream commit 819319fc93461c07b9cdb3064f154bd8cfd48172 ]

Make reuse_unused_kprobe() return an error code if
it fails to reuse an unused kprobe for optprobe instead
of calling BUG_ON().

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: David S . Miller <davem@davemloft.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Naveen N . Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/153666124040.21306.14150398706331307654.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/kprobes.c |   27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -665,9 +665,10 @@ static void unoptimize_kprobe(struct kpr
 }
 
 /* Cancel unoptimizing for reusing */
-static void reuse_unused_kprobe(struct kprobe *ap)
+static int reuse_unused_kprobe(struct kprobe *ap)
 {
 	struct optimized_kprobe *op;
+	int ret;
 
 	BUG_ON(!kprobe_unused(ap));
 	/*
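
Review bot: `BUG_ON(!kprobe_unused(ap));` at the top of `reuse_unused_kprobe()` is left in place even though the function now returns `int` so that callers can handle failure. Returning an error there as well (for example `-EINVAL`, with a `WARN_ON_ONCE()` if the condition should never occur) would finish the conversion and avoid taking the machine down on an unexpected probe state.
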
@@ -681,8 +682,12 @@ static void reuse_unused_kprobe(struct k
 	/* Enable the probe again */
 	ap->flags &= ~KPROBE_FLAG_DISABLED;
 	/* Optimize it again (remove from op->list) */
-	BUG_ON(!kprobe_optready(ap));
+	ret = kprobe_optready(ap);
+	if (ret)
+		return ret;
+
 	optimize_kprobe(ap);
+	return 0;
 }
 
 /* Remove optimized instructions */
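
Review bot: the converted check in this hunk looks inverted. The removed line was `BUG_ON(!kprobe_optready(ap));`, so a non-zero return means the probe is ready, yet the new code does `ret = kprobe_optready(ap); if (ret) return ret;`, which bails out in exactly the ready case and reaches `optimize_kprobe(ap)` only when the probe is not ready. The early return also happens after `ap->flags &= ~KPROBE_FLAG_DISABLED;` has been applied, and it propagates a truth value rather than a negative errno. Something like `if (!kprobe_optready(ap)) return -EINVAL;` would match the old semantics.
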
@@ -894,11 +899,16 @@ static void __disarm_kprobe(struct kprob
 #define kprobe_disarmed(p)			kprobe_disabled(p)
 #define wait_for_kprobe_optimizer()		do {} while (0)
 
-/* There should be no unused kprobes can be reused without optimization */
-static void reuse_unused_kprobe(struct kprobe *ap)
+static int reuse_unused_kprobe(struct kprobe *ap)
 {
+	/*
+	 * If the optimized kprobe is NOT supported, the aggr kprobe is
+	 * released at the same time that the last aggregated kprobe is
+	 * unregistered.
+	 * Thus there should be no chance to reuse unused kprobe.
+	 */
 	printk(KERN_ERR "Error: There should be no unused kprobe here.\n");
-	BUG_ON(kprobe_unused(ap));
+	return -EINVAL;
 }
 
 static void free_aggr_kprobe(struct kprobe *p)
@@ -1276,9 +1286,12 @@ static int register_aggr_kprobe(struct k
 			goto out;
 		}
 		init_aggr_kprobe(ap, orig_p);
-	} else if (kprobe_unused(ap))
+	} else if (kprobe_unused(ap)) {
 		/* This probe is going to die. Rescue it */
-		reuse_unused_kprobe(ap);
+		ret = reuse_unused_kprobe(ap);
+		if (ret)
+			goto out;
+	}
 
 	if (kprobe_gone(ap)) {
 		/*



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 027/160] ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 026/160] kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 028/160] pinctrl: qcom: spmi-mpp: Fix drive strength setting Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Andy Shevchenko,
	Rafael J. Wysocki, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 240714061c58e6b1abfb3322398a7634151c06cb ]

Bay and Cherry Trail DSDTs represent a different set of devices depending
on which OS the device thinks it is booting. One set of devices for Windows
and another set of devices for Android which targets the Android-x86 Linux
kernel fork (which e.g. used to have its own display driver instead of
using the i915 driver).

Which set of devices we are actually going to get is out of our control,
this is controlled by the ACPI OSID variable, which gets either set through
an EFI setup option, or sometimes is autodetected. So we need to support
both.

This commit adds support for the 80862286 and 808622C0 ACPI HIDs which we
get for the first resp. second DMA controller on Cherry Trail devices when
OSID is set to Android.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/acpi_lpss.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -235,9 +235,11 @@ static const struct acpi_device_id acpi_
 	{ "INT33FC", },
 
 	/* Braswell LPSS devices */
+	{ "80862286", LPSS_ADDR(lpss_dma_desc) },
 	{ "80862288", LPSS_ADDR(bsw_pwm_dev_desc) },
 	{ "8086228A", LPSS_ADDR(bsw_uart_dev_desc) },
 	{ "8086228E", LPSS_ADDR(bsw_spi_dev_desc) },
+	{ "808622C0", LPSS_ADDR(lpss_dma_desc) },
 	{ "808622C1", LPSS_ADDR(bsw_i2c_dev_desc) },
 
 	/* Broadwell LPSS devices */
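
Review bot: the two new entries, `80862286` and `808622C0`, are filed under the existing "Braswell LPSS devices" comment with nothing in the table saying that they are the DMA controller HIDs seen only when OSID is set to Android. A short comment on those lines would keep that context next to the IDs. It is also worth confirming that `lpss_dma_desc` is the intended descriptor for both controllers, since every neighbouring entry in this block uses a `bsw_*` descriptor.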



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 028/160] pinctrl: qcom: spmi-mpp: Fix drive strength setting
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 027/160] ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 029/160] pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Doug Anderson, Stephen Boyd,
	Bjorn Andersson, Linus Walleij, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Boyd <swboyd@chromium.org>

[ Upstream commit 89c68b102f13f123aaef22b292526d6b92501334 ]

It looks like we parse the drive strength setting here, but never
actually write it into the hardware to update it. Parse the setting and
then write it at the end of the pinconf setting function so that it
actually sticks in the hardware.

Fixes: 0e948042c420 ("pinctrl: qcom: spmi-mpp: Implement support for sink mode")
Cc: Doug Anderson <dianders@chromium.org>
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/qcom/pinctrl-spmi-mpp.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
+++ b/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
@@ -459,7 +459,7 @@ static int pmic_mpp_config_set(struct pi
 			pad->dtest = arg;
 			break;
 		case PIN_CONFIG_DRIVE_STRENGTH:
-			arg = pad->drive_strength;
+			pad->drive_strength = arg;
 			break;
 		case PMIC_MPP_CONF_AMUX_ROUTE:
 			if (arg >= PMIC_MPP_AMUX_ROUTE_ABUS4)
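
Review bot: `pad->drive_strength = arg;` stores the caller-supplied value without a range check, while the very next case rejects out-of-range input with `if (arg >= PMIC_MPP_AMUX_ROUTE_ABUS4)`. Because the second hunk of this patch starts writing the field to `PMIC_MPP_REG_SINK_CTL`, an unvalidated value now reaches the hardware register. Validate `arg` against the supported drive strengths here and return `-EINVAL` otherwise.
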
@@ -503,6 +503,10 @@ static int pmic_mpp_config_set(struct pi
 	if (ret < 0)
 		return ret;
 
+	ret = pmic_mpp_write(state, pad, PMIC_MPP_REG_SINK_CTL, pad->drive_strength);
+	if (ret < 0)
+		return ret;
+
 	val = pad->is_enabled << PMIC_MPP_REG_MASTER_EN_SHIFT;
 
 	return pmic_mpp_write(state, pad, PMIC_MPP_REG_EN_CTL, val);



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 029/160] pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 028/160] pinctrl: qcom: spmi-mpp: Fix drive strength setting Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 030/160] pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() " Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Douglas Anderson, Stephen Boyd,
	Bjorn Andersson, Linus Walleij, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Anderson <dianders@chromium.org>

[ Upstream commit 0d5b476f8f57fcb06c45fe27681ac47254f63fd2 ]

If you look at "pinconf-groups" in debugfs for ssbi-mpp you'll notice
it looks like nonsense.

The problem is fairly well described in commit 1cf86bc21257 ("pinctrl:
qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant") and
commit 05e0c828955c ("pinctrl: msm: Fix msm_config_group_get() to be
compliant"), but it was pointed out that ssbi-mpp has the same
problem.  Let's fix it there too.

NOTE: in case it's helpful to someone reading this, the way to tell
whether to do the -EINVAL or not is to look at the PCONFDUMP for a
given attribute.  If the last element (has_arg) is false then you need
to do the -EINVAL trick.

ALSO NOTE: it seems unlikely that the values returned when we try to
get PIN_CONFIG_BIAS_PULL_UP will actually be printed since "has_arg"
is false for that one, but I guess it's still fine to return different
values so I kept doing that.  It seems like another driver (ssbi-gpio)
uses a custom attribute (PM8XXX_QCOM_PULL_UP_STRENGTH) for something
similar so maybe a future change should do that here too.

Fixes: cfb24f6ebd38 ("pinctrl: Qualcomm SPMI PMIC MPP pin controller driver")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/qcom/pinctrl-spmi-mpp.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- a/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
+++ b/drivers/pinctrl/qcom/pinctrl-spmi-mpp.c
@@ -347,13 +347,12 @@ static int pmic_mpp_config_get(struct pi
 
 	switch (param) {
 	case PIN_CONFIG_BIAS_DISABLE:
-		arg = pad->pullup == PMIC_MPP_PULL_UP_OPEN;
+		if (pad->pullup != PMIC_MPP_PULL_UP_OPEN)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_BIAS_PULL_UP:
 		switch (pad->pullup) {
-		case PMIC_MPP_PULL_UP_OPEN:
-			arg = 0;
-			break;
 		case PMIC_MPP_PULL_UP_0P6KOHM:
 			arg = 600;
 			break;
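
Review bot: dropping `case PMIC_MPP_PULL_UP_OPEN:` from the inner `switch (pad->pullup)` means an open pull-up now lands in that switch's default branch, which is outside the visible context. Please confirm that the default returns `-EINVAL`; otherwise `PIN_CONFIG_BIAS_PULL_UP` would still be reported for a pad with no pull-up, which is the kind of misleading pinconf dump this patch sets out to remove.
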
@@ -368,13 +367,17 @@ static int pmic_mpp_config_get(struct pi
 		}
 		break;
 	case PIN_CONFIG_BIAS_HIGH_IMPEDANCE:
-		arg = !pad->is_enabled;
+		if (pad->is_enabled)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_POWER_SOURCE:
 		arg = pad->power_source;
 		break;
 	case PIN_CONFIG_INPUT_ENABLE:
-		arg = pad->input_enabled;
+		if (!pad->input_enabled)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_OUTPUT:
 		arg = pad->out_value;
@@ -386,7 +389,9 @@ static int pmic_mpp_config_get(struct pi
 		arg = pad->amux_input;
 		break;
 	case PMIC_MPP_CONF_PAIRED:
-		arg = pad->paired;
+		if (!pad->paired)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_DRIVE_STRENGTH:
 		arg = pad->drive_strength;



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 030/160] pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 029/160] pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 031/160] ath10k: schedule hardware restart if WMI command times out Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Douglas Anderson, Stephen Boyd,
	Bjorn Andersson, Linus Walleij, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Anderson <dianders@chromium.org>

[ Upstream commit b432414b996d32a1bd9afe2bd595bd5729c1477f ]

If you look at "pinconf-groups" in debugfs for ssbi-gpio you'll notice
it looks like nonsense.

The problem is fairly well described in commit 1cf86bc21257 ("pinctrl:
qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant") and
commit 05e0c828955c ("pinctrl: msm: Fix msm_config_group_get() to be
compliant"), but it was pointed out that ssbi-gpio has the same
problem.  Let's fix it there too.

Fixes: b4c45fe974bc ("pinctrl: qcom: ssbi: Family A gpio & mpp drivers")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c |   28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
+++ b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
@@ -259,22 +259,32 @@ static int pm8xxx_pin_config_get(struct
 
 	switch (param) {
 	case PIN_CONFIG_BIAS_DISABLE:
-		arg = pin->bias == PM8XXX_GPIO_BIAS_NP;
+		if (pin->bias != PM8XXX_GPIO_BIAS_NP)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_BIAS_PULL_DOWN:
-		arg = pin->bias == PM8XXX_GPIO_BIAS_PD;
+		if (pin->bias != PM8XXX_GPIO_BIAS_PD)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_BIAS_PULL_UP:
-		arg = pin->bias <= PM8XXX_GPIO_BIAS_PU_1P5_30;
+		if (pin->bias > PM8XXX_GPIO_BIAS_PU_1P5_30)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PM8XXX_QCOM_PULL_UP_STRENGTH:
 		arg = pin->pull_up_strength;
 		break;
 	case PIN_CONFIG_BIAS_HIGH_IMPEDANCE:
-		arg = pin->disable;
+		if (!pin->disable)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_INPUT_ENABLE:
-		arg = pin->mode == PM8XXX_GPIO_MODE_INPUT;
+		if (pin->mode != PM8XXX_GPIO_MODE_INPUT)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_OUTPUT:
 		if (pin->mode & PM8XXX_GPIO_MODE_OUTPUT)
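
Review bot: the `PIN_CONFIG_BIAS_PULL_UP` test `if (pin->bias > PM8XXX_GPIO_BIAS_PU_1P5_30)` depends on every pull-up setting sorting below the `PD` and `NP` values in the bias constants, and nothing in the hunk states that. The neighbouring cases each compare against a single named value; a comment on the ordering assumption, or an explicit range check, would keep this from breaking silently if the constants are ever renumbered.
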
@@ -289,10 +299,14 @@ static int pm8xxx_pin_config_get(struct
 		arg = pin->output_strength;
 		break;
 	case PIN_CONFIG_DRIVE_PUSH_PULL:
-		arg = !pin->open_drain;
+		if (pin->open_drain)
+			return -EINVAL;
+		arg = 1;
 		break;
 	case PIN_CONFIG_DRIVE_OPEN_DRAIN:
-		arg = pin->open_drain;
+		if (!pin->open_drain)
+			return -EINVAL;
+		arg = 1;
 		break;
 	default:
 		return -EINVAL;



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 031/160] ath10k: schedule hardware restart if WMI command times out
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 030/160] pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() " Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 032/160] scsi: esp_scsi: Track residual for PIO transfers Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Willi, Kalle Valo, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Willi <martin@strongswan.org>

[ Upstream commit a9911937e7d332761e8c4fcbc7ba0426bdc3956f ]

When running in AP mode, ath10k sometimes suffers from TX credit
starvation. The issue is hard to reproduce and shows up once in a
few days, but has been repeatedly seen with QCA9882 and a large
range of firmwares, including 10.2.4.70.67.

Once the module is in this state, TX credits are never replenished,
which results in "SWBA overrun" errors, as no beacons can be sent.
Even worse, WMI commands run in a timeout while holding the conf
mutex for three seconds each, making any further operations slow
and the whole system unresponsive.

The firmware/driver never recovers from that state automatically,
and triggering TX flush or warm restarts won't work over WMI. So
issue a hardware restart if a WMI command times out due to missing
TX credits. This implies a connectivity outage of about 1.4s in AP
mode, but brings back the interface and the whole system to a usable
state. WMI command timeouts have not been seen in the absence of this
specific issue, so taking such drastic actions seems legitimate.

Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/ath/ath10k/wmi.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -1749,6 +1749,12 @@ int ath10k_wmi_cmd_send(struct ath10k *a
 	if (ret)
 		dev_kfree_skb_any(skb);
 
+	if (ret == -EAGAIN) {
+		ath10k_warn(ar, "wmi command %d timeout, restarting hardware\n",
+			    cmd_id);
+		queue_work(ar->workqueue, &ar->restart_work);
+	}
+
 	return ret;
 }
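
Review bot: the restart is keyed on `ret == -EAGAIN`, while the warning text and the commit message both speak of a timeout, and nothing in the hunk shows that `-EAGAIN` can only come from the credit wait expiring. Since the consequence is a full hardware restart (about 1.4s of lost connectivity in AP mode, per the commit message), add a comment naming the code path that produces `-EAGAIN` here, and consider rate limiting so that a persistent fault does not turn into a restart loop.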
 



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 032/160] scsi: esp_scsi: Track residual for PIO transfers
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 031/160] ath10k: schedule hardware restart if WMI command times out Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 033/160] scsi: megaraid_sas: fix a missing-check bug Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stan Johnson, Finn Thain,
	Michael Schmitz, Martin K. Petersen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

[ Upstream commit fd47d919d0c336e7c22862b51ee94927ffea227a ]

If a target disconnects during a PIO data transfer the command may fail
when the target reconnects:

scsi host1: DMA length is zero!
scsi host1: cur adr[04380000] len[00000000]

The scsi bus is then reset. This happens because the residual reached
zero before the transfer was completed.

The usual residual calculation relies on the Transfer Count registers.
That works for DMA transfers but not for PIO transfers. Fix the problem
by storing the PIO transfer residual and using that to correctly
calculate bytes_sent.

Fixes: 6fe07aaffbf0 ("[SCSI] m68k: new mac_esp scsi driver")
Tested-by: Stan Johnson <userm57@yahoo.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/esp_scsi.c |    1 +
 drivers/scsi/esp_scsi.h |    2 ++
 drivers/scsi/mac_esp.c  |    2 ++
 3 files changed, 5 insertions(+)

--- a/drivers/scsi/esp_scsi.c
+++ b/drivers/scsi/esp_scsi.c
@@ -1349,6 +1349,7 @@ static int esp_data_bytes_sent(struct es
 
 	bytes_sent = esp->data_dma_len;
 	bytes_sent -= ecount;
+	bytes_sent -= esp->send_cmd_residual;
 
 	/*
 	 * The am53c974 has a DMA 'pecularity'. The doc states:
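
Review bot: `bytes_sent -= esp->send_cmd_residual;` is applied in the shared `esp_data_bytes_sent()` for every front-end and every transfer, but the only assignment in this patch is at the end of `mac_esp_send_pio_cmd()`. Nothing visible clears the field before a later DMA transfer, so a stale PIO residual could be subtracted from an unrelated transfer's count. Reset `send_cmd_residual` to 0 wherever a non-PIO command is started, and add a comment on the new `struct esp` member saying it is only meaningful after a PIO transfer.
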
--- a/drivers/scsi/esp_scsi.h
+++ b/drivers/scsi/esp_scsi.h
@@ -540,6 +540,8 @@ struct esp {
 
 	void			*dma;
 	int			dmarev;
+
+	u32			send_cmd_residual;
 };
 
 /* A front-end driver for the ESP chip should do the following in
--- a/drivers/scsi/mac_esp.c
+++ b/drivers/scsi/mac_esp.c
@@ -426,6 +426,8 @@ static void mac_esp_send_pio_cmd(struct
 			scsi_esp_cmd(esp, ESP_CMD_TI);
 		}
 	}
+
+	esp->send_cmd_residual = esp_count;
 }
 
 static int mac_esp_irq_pending(struct esp *esp)



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 033/160] scsi: megaraid_sas: fix a missing-check bug
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 032/160] scsi: esp_scsi: Track residual for PIO transfers Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 034/160] tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Sumit Saxena,
	Martin K. Petersen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

[ Upstream commit 47db7873136a9c57c45390a53b57019cf73c8259 ]

In megasas_mgmt_compat_ioctl_fw(), to handle the structure
compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle
the packet. Since the two data structures have different fields, the data
is copied from 'cioc' to 'ioc' field by field. In the copy process,
'sense_ptr' is prepared if the field 'sense_len' is not null, because it
will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and
saved to kernel-space variables 'local_sense_off' and 'user_sense_off'
respectively. Given that 'ioc->sense_off' is also copied from
'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
same value. However, 'cioc' is in the user space and a malicious user can
race to change the value of 'cioc->sense_off' after it is copied to
'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing
so, the attacker can inject different values into 'local_sense_off' and
'user_sense_off'. This can cause undefined behavior in the following
execution, because the two variables are supposed to be the same.

This patch enforces a check on the two kernel variables 'local_sense_off'
and 'user_sense_off' to make sure they are the same after the copy. In
case they are not, an error code EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/megaraid/megaraid_sas_base.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -6510,6 +6510,9 @@ static int megasas_mgmt_compat_ioctl_fw(
 		get_user(user_sense_off, &cioc->sense_off))
 		return -EFAULT;
 
+	if (local_sense_off != user_sense_off)
+		return -EINVAL;
+
 	if (local_sense_len) {
 		void __user **sense_ioc_ptr =
 			(void __user **)((u8 *)((unsigned long)&ioc->frame.raw) + local_sense_off);
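
Review bot: the new `if (local_sense_off != user_sense_off) return -EINVAL;` catches a mismatch between the two fetches, but `local_sense_off` is then added to `&ioc->frame.raw` with no bound on its value in the visible lines, so two equal but oversized offsets still pass. Consider reading `cioc->sense_off` once into a kernel variable and using that single copy for both purposes, and checking it against the frame size before forming `sense_ioc_ptr`.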



^ permalink raw reply	[flat|nested] 169+ messages in thread
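
The double fetch described in the megaraid_sas commit message above, as an added user-space model in C that is not part of the patch or the driver. `struct user_mem`, `fetch_sense_off()` and the three `prepare_*` functions are hypothetical names, the values are constructed, and the concurrent writer is simulated deterministically so the outcome is reproducible.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the user memory that holds cioc->sense_off. */
struct user_mem {
	uint32_t sense_off;     /* value currently visible to the kernel */
	uint32_t racing_value;  /* value a concurrent writer stores next */
	int      fetches;       /* how many times the kernel has read it */
};

/*
 * Stand-in for a get_user()-style read: every call is a fresh read of
 * user memory. To make the race deterministic, the simulated writer
 * replaces the value right after the first read.
 */
static int fetch_sense_off(struct user_mem *um, uint32_t *out)
{
	*out = um->sense_off;
	if (++um->fetches == 1)
		um->sense_off = um->racing_value;
	return 0;
}

/* Pre-patch shape: two fetches whose results are assumed to be equal. */
static int prepare_double_fetch(struct user_mem *um,
				uint32_t *local_off, uint32_t *user_off)
{
	if (fetch_sense_off(um, local_off) || fetch_sense_off(um, user_off))
		return -EFAULT;
	return 0;
}

/* Patched shape: the same two fetches, then the equality check. */
static int prepare_checked(struct user_mem *um,
			   uint32_t *local_off, uint32_t *user_off)
{
	if (fetch_sense_off(um, local_off) || fetch_sense_off(um, user_off))
		return -EFAULT;
	if (*local_off != *user_off)
		return -EINVAL;
	return 0;
}

/* Alternative shape: fetch once and reuse the kernel copy everywhere. */
static int prepare_single_fetch(struct user_mem *um,
				uint32_t *local_off, uint32_t *user_off)
{
	uint32_t off;

	if (fetch_sense_off(um, &off))
		return -EFAULT;
	*local_off = off;
	*user_off = off;
	return 0;
}

int main(void)
{
	struct user_mem um;
	uint32_t local_off, user_off;
	int ret;

	um = (struct user_mem){ .sense_off = 16, .racing_value = 64 };
	ret = prepare_double_fetch(&um, &local_off, &user_off);
	printf("double fetch: ret=%d local=%u user=%u\n",
	       ret, (unsigned)local_off, (unsigned)user_off);

	um = (struct user_mem){ .sense_off = 16, .racing_value = 64 };
	ret = prepare_checked(&um, &local_off, &user_off);
	printf("checked:      ret=%d\n", ret);

	um = (struct user_mem){ .sense_off = 16, .racing_value = 64 };
	ret = prepare_single_fetch(&um, &local_off, &user_off);
	printf("single fetch: ret=%d local=%u user=%u fetches=%d\n",
	       ret, (unsigned)local_off, (unsigned)user_off, um.fetches);
	return 0;
}
```

The checked variant turns the inconsistency into an error, while the single-fetch variant removes the window in which the two copies can diverge.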

* [PATCH 4.4 034/160] tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 033/160] scsi: megaraid_sas: fix a missing-check bug Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 035/160] ext4: fix argument checking in EXT4_IOC_MOVE_EXT Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede,
	Javier Martinez Canillas, Jarkko Sakkinen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Javier Martinez Canillas <javierm@redhat.com>

[ Upstream commit 0d6d0d62d9505a9816716aa484ebd0b04c795063 ]

For TPM 1.2 chips the system setup utility allows setting the TPM device in
one of the following states:

  * Active: Security chip is functional
  * Inactive: Security chip is visible, but is not functional
  * Disabled: Security chip is hidden and is not functional

When choosing the "Inactive" state, the TPM 1.2 device is enumerated and
registered, but sending TPM commands fails with either TPM_DEACTIVATED or
TPM_DISABLED depending on whether the firmware deactivated or disabled the TPM.

Since these TPM 1.2 error codes don't have special treatment, inactivating
the TPM leads to a very noisy kernel log buffer that shows messages like
the following:

  tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
  tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
  tpm tpm0: TPM is disabled/deactivated (0x6)
  tpm tpm0: A TPM error (6) occurred attempting get random
  tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
  ima: No TPM chip found, activating TPM-bypass! (rc=6)
  tpm tpm0: A TPM error (6) occurred attempting get random
  tpm tpm0: A TPM error (6) occurred attempting get random
  tpm tpm0: A TPM error (6) occurred attempting get random
  tpm tpm0: A TPM error (6) occurred attempting get random

Let's just suppress error log messages for the TPM_{DEACTIVATED,DISABLED}
return codes, since this is expected when the TPM 1.2 is set to Inactive.

In that case the kernel log is cleaner and less confusing for users, i.e.:

  tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
  tpm tpm0: TPM is disabled/deactivated (0x6)
  ima: No TPM chip found, activating TPM-bypass! (rc=6)

Reported-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/tpm/tpm-interface.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -415,7 +415,8 @@ ssize_t tpm_transmit_cmd(struct tpm_chip
 	header = cmd;
 
 	err = be32_to_cpu(header->return_code);
-	if (err != 0 && desc)
+	if (err != 0 && err != TPM_ERR_DISABLED && err != TPM_ERR_DEACTIVATED
+	    && desc)
 		dev_err(&chip->dev, "A TPM error (%d) occurred %s\n", err,
 			desc);
 
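Review bot: style point on the wrapped condition: the continuation line starts with `&& desc`, and kernel coding style keeps the logical operator at the end of the previous line, so end the first line with `&&` and put `desc)` on the continuation. A short comment saying that these two codes are expected when the TPM 1.2 is set to Inactive would also explain why they are excluded from the dev_err().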




* [PATCH 4.4 035/160] ext4: fix argument checking in EXT4_IOC_MOVE_EXT
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 034/160] tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 036/160] MD: fix invalid stored role for a disk Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c61979f6f2cba5cb3c06,
	Theodore Tso, stable, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

[ Upstream commit f18b2b83a727a3db208308057d2c7945f368e625 ]

If the starting block number of either the source or destination file
exceeds the EOF, EXT4_IOC_MOVE_EXT should return EINVAL.

Also fixed the helper function mext_check_coverage() so that if the
logical block is beyond EOF, make it return immediately, instead of
looping until the block number wraps all the way around.  This takes
long enough that if there are multiple threads trying to pound on
the same inode doing nonsensical things, it can end up triggering
the kernel's soft lockup detector.

Reported-by: syzbot+c61979f6f2cba5cb3c06@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/move_extent.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -526,9 +526,13 @@ mext_check_arguments(struct inode *orig_
 			orig_inode->i_ino, donor_inode->i_ino);
 		return -EINVAL;
 	}
-	if (orig_eof < orig_start + *len - 1)
+	if (orig_eof <= orig_start)
+		*len = 0;
+	else if (orig_eof < orig_start + *len - 1)
 		*len = orig_eof - orig_start;
-	if (donor_eof < donor_start + *len - 1)
+	if (donor_eof <= donor_start)
+		*len = 0;
+	else if (donor_eof < donor_start + *len - 1)
 		*len = donor_eof - donor_start;
 	if (!*len) {
 		ext4_debug("ext4 move extent: len should not be 0 "
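Review bot: the donor clamp can undo the zeroing done by the new orig branch. Once `*len = 0` has been set, the following `else if (donor_eof < donor_start + *len - 1)` evaluates donor_start - 1; if these block counts are unsigned (their declarations are outside this hunk) and donor_start is 0, that wraps and the branch assigns `*len = donor_eof - donor_start`, so the `if (!*len)` test below no longer fires. Consider skipping the donor clamp when *len is already 0, or writing the comparison as `donor_eof - donor_start < *len`. Separately, the changelog describes a change to mext_check_coverage(), but the diffstat and this hunk touch only mext_check_arguments().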




* [PATCH 4.4 036/160] MD: fix invalid stored role for a disk
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 035/160] ext4: fix argument checking in EXT4_IOC_MOVE_EXT Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 037/160] usb: chipidea: Prevent unbalanced IRQ disable Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gioh Kim, Guoqing Jiang, Shaohua Li,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaohua Li <shli@fb.com>

[ Upstream commit d595567dc4f0c1d90685ec1e2e296e2cad2643ac ]

If we change the number of the array's devices after a device is removed from
the array, then add the device back to the array, we can see that the device is
added with an active role instead of as a spare, which is what we expected.

Please see the below link for details:
https://marc.info/?l=linux-raid&m=153736982015076&w=2

This is caused by the fact that we prefer to use the device's previous role,
which is recorded by saved_raid_disk, but we should respect the new number of
conf->raid_disks since it could be changed after the device is removed.

Reported-by: Gioh Kim <gi-oh.kim@profitbricks.com>
Tested-by: Gioh Kim <gi-oh.kim@profitbricks.com>
Acked-by: Guoqing Jiang <gqjiang@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/md.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1670,6 +1670,10 @@ static int super_1_validate(struct mddev
 			} else
 				set_bit(In_sync, &rdev->flags);
 			rdev->raid_disk = role;
+			if (role >= mddev->raid_disks) {
+				rdev->saved_raid_disk = -1;
+				rdev->raid_disk = -1;
+			}
 			break;
 		}
 		if (sb->devflags & WriteMostly1)
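Review bot: when role >= mddev->raid_disks the device is demoted to raid_disk = -1, but the else branch just above may already have run `set_bit(In_sync, &rdev->flags);`, which would leave a device with no slot still flagged In_sync. Either do the range check before the flag handling or clear In_sync inside the new block; testing before `rdev->raid_disk = role;` would also avoid assigning a value that is immediately overwritten.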




* [PATCH 4.4 037/160] usb: chipidea: Prevent unbalanced IRQ disable
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 036/160] MD: fix invalid stored role for a disk Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 038/160] driver/dma/ioat: Call del_timer_sync() without holding prep_lock Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Loic Poulain, Peter Chen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Loic Poulain <loic.poulain@linaro.org>

[ Upstream commit 8b97d73c4d72a2abf58f8e49062a7ee1e5f1334e ]

The ChipIdea IRQ is disabled before scheduling the otg work and
re-enabled on otg work completion. However if the job is already
scheduled we have to undo the effect of disable_irq in order to
balance the IRQ disable-depth value.

Fixes: be6b0c1bd0be ("usb: chipidea: using one inline function to cover queue work operations")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/chipidea/otg.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/chipidea/otg.h
+++ b/drivers/usb/chipidea/otg.h
@@ -20,7 +20,8 @@ void ci_handle_vbus_change(struct ci_hdr
 static inline void ci_otg_queue_work(struct ci_hdrc *ci)
 {
 	disable_irq_nosync(ci->irq);
-	queue_work(ci->wq, &ci->work);
+	if (queue_work(ci->wq, &ci->work) == false)
+		enable_irq(ci->irq);
 }
 
 #endif /* __DRIVERS_USB_CHIPIDEA_OTG_H */
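Review bot: style point on the added test: `queue_work(ci->wq, &ci->work) == false` is normally written `if (!queue_work(ci->wq, &ci->work))` in kernel code. A one-line comment saying that the enable_irq() balances the disable_irq_nosync() above when the work was already queued would keep the pairing obvious to the next reader.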




* [PATCH 4.4 038/160] driver/dma/ioat: Call del_timer_sync() without holding prep_lock
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 037/160] usb: chipidea: Prevent unbalanced IRQ disable Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 039/160] uio: ensure class is registered before devices Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Waiman Long, Dave Jiang, Vinod Koul,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Waiman Long <longman@redhat.com>

[ Upstream commit cfb03be6c7e8a1591285849c361d67b09f5149f7 ]

The following lockdep splat was observed:

[ 1222.241750] ======================================================
[ 1222.271301] WARNING: possible circular locking dependency detected
[ 1222.301060] 4.16.0-10.el8+5.x86_64+debug #1 Not tainted
[ 1222.326659] ------------------------------------------------------
[ 1222.356565] systemd-shutdow/1 is trying to acquire lock:
[ 1222.382660]  ((&ioat_chan->timer)){+.-.}, at: [<00000000f71e1a28>] del_timer_sync+0x5/0xf0
[ 1222.422928]
[ 1222.422928] but task is already holding lock:
[ 1222.451743]  (&(&ioat_chan->prep_lock)->rlock){+.-.}, at: [<000000008ea98b12>] ioat_shutdown+0x86/0x100 [ioatdma]
   :
[ 1223.524987] Chain exists of:
[ 1223.524987]   (&ioat_chan->timer) --> &(&ioat_chan->cleanup_lock)->rlock --> &(&ioat_chan->prep_lock)->rlock
[ 1223.524987]
[ 1223.594082]  Possible unsafe locking scenario:
[ 1223.594082]
[ 1223.622630]        CPU0                    CPU1
[ 1223.645080]        ----                    ----
[ 1223.667404]   lock(&(&ioat_chan->prep_lock)->rlock);
[ 1223.691535]                                lock(&(&ioat_chan->cleanup_lock)->rlock);
[ 1223.728657]                                lock(&(&ioat_chan->prep_lock)->rlock);
[ 1223.765122]   lock((&ioat_chan->timer));
[ 1223.784095]
[ 1223.784095]  *** DEADLOCK ***
[ 1223.784095]
[ 1223.813492] 4 locks held by systemd-shutdow/1:
[ 1223.834677]  #0:  (reboot_mutex){+.+.}, at: [<0000000056d33456>] SYSC_reboot+0x10f/0x300
[ 1223.873310]  #1:  (&dev->mutex){....}, at: [<00000000258dfdd7>] device_shutdown+0x1c8/0x660
[ 1223.913604]  #2:  (&dev->mutex){....}, at: [<0000000068331147>] device_shutdown+0x1d6/0x660
[ 1223.954000]  #3:  (&(&ioat_chan->prep_lock)->rlock){+.-.}, at: [<000000008ea98b12>] ioat_shutdown+0x86/0x100 [ioatdma]

In the ioat_shutdown() function:

	spin_lock_bh(&ioat_chan->prep_lock);
	set_bit(IOAT_CHAN_DOWN, &ioat_chan->state);
	del_timer_sync(&ioat_chan->timer);
	spin_unlock_bh(&ioat_chan->prep_lock);

According to the synchronization rule for the del_timer_sync() function,
the caller must not hold locks which would prevent completion of the
timer's handler.

The timer structure has its own lock that manages its synchronization.
Setting the IOAT_CHAN_DOWN bit should prevent other CPUs from
trying to use that device anyway, there is probably no need to call
del_timer_sync() while holding the prep_lock. So the del_timer_sync()
call is now moved outside of the prep_lock critical section to prevent
the circular lock dependency.

Signed-off-by: Waiman Long <longman@redhat.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/dma/ioat/init.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -1210,8 +1210,15 @@ static void ioat_shutdown(struct pci_dev
 
 		spin_lock_bh(&ioat_chan->prep_lock);
 		set_bit(IOAT_CHAN_DOWN, &ioat_chan->state);
-		del_timer_sync(&ioat_chan->timer);
 		spin_unlock_bh(&ioat_chan->prep_lock);
+		/*
+		 * Synchronization rule for del_timer_sync():
+		 *  - The caller must not hold locks which would prevent
+		 *    completion of the timer's handler.
+		 * So prep_lock cannot be held before calling it.
+		 */
+		del_timer_sync(&ioat_chan->timer);
+
 		/* this should quiesce then reset */
 		ioat_reset_hw(ioat_chan);
 	}
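Review bot: the new comment explains why del_timer_sync() moved out of the critical section but not why that is safe. It should say that IOAT_CHAN_DOWN, set under prep_lock just above, is what is relied on to keep the timer from being re-armed between spin_unlock_bh() and del_timer_sync(). Wording nit in the same comment: "cannot be held before calling it" should read "must not be held while calling it".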




* [PATCH 4.4 039/160] uio: ensure class is registered before devices
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 038/160] driver/dma/ioat: Call del_timer_sync() without holding prep_lock Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:27 ` [PATCH 4.4 040/160] scsi: lpfc: Correct soft lockup when running mds diagnostics Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandre Belloni <alexandre.belloni@bootlin.com>

[ Upstream commit ae61cf5b9913027c6953a79ed3894da4f47061bd ]

When both uio and the uio drivers are built in the kernel, it is possible
for a driver to register devices before the uio class is registered.

This may result in a NULL pointer dereference later on in
get_device_parent() when accessing the class glue_dirs spinlock.

The trace looks like that:

Unable to handle kernel NULL pointer dereference at virtual address 00000140
[...]
[<ffff0000089cc234>] _raw_spin_lock+0x14/0x48
[<ffff0000084f56bc>] device_add+0x154/0x6a0
[<ffff0000084f5e48>] device_create_groups_vargs+0x120/0x128
[<ffff0000084f5edc>] device_create+0x54/0x60
[<ffff0000086e72c0>] __uio_register_device+0x120/0x4a8
[<ffff000008528b7c>] jaguar2_pci_probe+0x2d4/0x558
[<ffff0000083fc18c>] local_pci_probe+0x3c/0xb8
[<ffff0000083fd81c>] pci_device_probe+0x11c/0x180
[<ffff0000084f88bc>] driver_probe_device+0x22c/0x2d8
[<ffff0000084f8a24>] __driver_attach+0xbc/0xc0
[<ffff0000084f69fc>] bus_for_each_dev+0x4c/0x98
[<ffff0000084f81b8>] driver_attach+0x20/0x28
[<ffff0000084f7d08>] bus_add_driver+0x1b8/0x228
[<ffff0000084f93c0>] driver_register+0x60/0xf8
[<ffff0000083fb918>] __pci_register_driver+0x40/0x48

Return EPROBE_DEFER in that case so the driver can register the device
later.

Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/uio/uio.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -249,6 +249,8 @@ static struct class uio_class = {
 	.dev_groups = uio_groups,
 };
 
+bool uio_class_registered;
+
 /*
  * device functions
  */
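Review bot: `bool uio_class_registered;` is declared without `static`, which gives the flag external linkage although every use in this patch is inside drivers/uio/uio.c. Make it `static bool uio_class_registered;`.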
@@ -772,6 +774,9 @@ static int init_uio_class(void)
 		printk(KERN_ERR "class_register failed for uio\n");
 		goto err_class_register;
 	}
+
+	uio_class_registered = true;
+
 	return 0;
 
 err_class_register:
@@ -782,6 +787,7 @@ exit:
 
 static void release_uio_class(void)
 {
+	uio_class_registered = false;
 	class_unregister(&uio_class);
 	uio_major_cleanup();
 }
@@ -801,6 +807,9 @@ int __uio_register_device(struct module
 	struct uio_device *idev;
 	int ret = 0;
 
+	if (!uio_class_registered)
+		return -EPROBE_DEFER;
+
 	if (!parent || !info || !info->name || !info->version)
 		return -EINVAL;
 




* [PATCH 4.4 040/160] scsi: lpfc: Correct soft lockup when running mds diagnostics
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 039/160] uio: ensure class is registered before devices Greg Kroah-Hartman
@ 2018-11-19 16:27 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 041/160] signal: Always deliver the kernels SIGKILL and SIGSTOP to a pid namespace init Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Martin K. Petersen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Smart <jsmart2021@gmail.com>

[ Upstream commit 0ef01a2d95fd62bb4f536e7ce4d5e8e74b97a244 ]

When running an mds diagnostic that passes frames with the switch, soft
lockups are detected. The driver is in a CQE processing loop and has
a sufficient amount of traffic that it never exits the ring processing routine,
thus the "lockup".

Cap the number of elements in the work processing routine to 64 elements. This
ensures that the cpu will be given up and the handler rescheduled to process
additional items.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/lpfc/lpfc_sli.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -3485,6 +3485,7 @@ lpfc_sli_handle_slow_ring_event_s4(struc
 	struct hbq_dmabuf *dmabuf;
 	struct lpfc_cq_event *cq_event;
 	unsigned long iflag;
+	int count = 0;
 
 	spin_lock_irqsave(&phba->hbalock, iflag);
 	phba->hba_flag &= ~HBA_SP_QUEUE_EVT;
@@ -3506,16 +3507,22 @@ lpfc_sli_handle_slow_ring_event_s4(struc
 			if (irspiocbq)
 				lpfc_sli_sp_handle_rspiocb(phba, pring,
 							   irspiocbq);
+			count++;
 			break;
 		case CQE_CODE_RECEIVE:
 		case CQE_CODE_RECEIVE_V1:
 			dmabuf = container_of(cq_event, struct hbq_dmabuf,
 					      cq_event);
 			lpfc_sli4_handle_received_buffer(phba, dmabuf);
+			count++;
 			break;
 		default:
 			break;
 		}
+
+		/* Limit the number of events to 64 to avoid soft lockups */
+		if (count == 64)
+			break;
 	}
 }
 
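Review bot: breaking out at `count == 64` can leave events on the queue, and the first hunk's context shows HBA_SP_QUEUE_EVT being cleared at the top of this function, so nothing visible here marks the remaining work as pending. The changelog says the handler is rescheduled; either set the flag again before the break or add a comment naming what re-triggers the routine. The bare 64 would also be clearer as a named constant.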




* [PATCH 4.4 041/160] signal: Always deliver the kernels SIGKILL and SIGSTOP to a pid namespace init
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2018-11-19 16:27 ` [PATCH 4.4 040/160] scsi: lpfc: Correct soft lockup when running mds diagnostics Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 042/160] dmaengine: dma-jz4780: Return error if not probed from DT Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Eric W. Biederman,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

[ Upstream commit 3597dfe01d12f570bc739da67f857fd222a3ea66 ]

Instead of playing whack-a-mole and changing SEND_SIG_PRIV to
SEND_SIG_FORCED throughout the kernel to ensure a pid namespace init
gets signals sent by the kernel, stop allowing a pid namespace init to
ignore SIGKILL or SIGSTOP sent by the kernel.  A pid namespace init is
only supposed to be able to ignore signals sent from itself and
children with SIG_DFL.

Fixes: 921cf9f63089 ("signals: protect cinit from unblocked SIG_DFL signals")
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/signal.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -991,7 +991,7 @@ static int __send_signal(int sig, struct
 
 	result = TRACE_SIGNAL_IGNORED;
 	if (!prepare_signal(sig, t,
-			from_ancestor_ns || (info == SEND_SIG_FORCED)))
+			from_ancestor_ns || (info == SEND_SIG_PRIV) || (info == SEND_SIG_FORCED)))
 		goto ret;
 
 	pending = group ? &t->signal->shared_pending : &t->pending;
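Review bot: the replaced line now runs well past 80 columns; wrap the condition so that each `(info == ...)` test sits on its own line. Since this argument now becomes true for SEND_SIG_PRIV as well as SEND_SIG_FORCED, a comment above the call stating that kernel-originated signals are always delivered to a pid namespace init would save readers from going back to the changelog.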




* [PATCH 4.4 042/160] dmaengine: dma-jz4780: Return error if not probed from DT
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 041/160] signal: Always deliver the kernels SIGKILL and SIGSTOP to a pid namespace init Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 043/160] ALSA: hda: Check the non-cached stream buffers more explicitly Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Cercueil, Mathieu Malaterre,
	Vinod Koul, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Cercueil <paul@crapouillou.net>

[ Upstream commit 54f919a04cf221bc1601d1193682d4379dacacbd ]

The driver calls clk_get() with the clock name set to NULL, which means
that the driver could only work when probed from devicetree. From now
on, we explicitly require the driver to be probed from devicetree.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Tested-by: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/dma/dma-jz4780.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/dma/dma-jz4780.c
+++ b/drivers/dma/dma-jz4780.c
@@ -750,6 +750,11 @@ static int jz4780_dma_probe(struct platf
 	struct resource *res;
 	int i, ret;
 
+	if (!dev->of_node) {
+		dev_err(dev, "This driver must be probed from devicetree\n");
+		return -EINVAL;
+	}
+
 	jzdma = devm_kzalloc(dev, sizeof(*jzdma), GFP_KERNEL);
 	if (!jzdma)
 		return -ENOMEM;




* [PATCH 4.4 043/160] ALSA: hda: Check the non-cached stream buffers more explicitly
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 042/160] dmaengine: dma-jz4780: Return error if not probed from DT Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 044/160] xen-swiotlb: use actually allocated size on check physical continuous Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit 78c9be61c3a5cd9e2439fd27a5ffad73a81958c7 ]

Introduce a new flag, uc_buffer, to indicate that the controller
requires the non-cached pages for stream buffers, either as a
chip-specific requirement or specified via snoop=0 option.
This improves the code-readability.

Also, this patch fixes the incorrect behavior for C-Media chip where
the stream buffers were never handled as non-cached due to the check
of driver_type even if you pass snoop=0 option.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/hda_controller.h |    1 +
 sound/pci/hda/hda_intel.c      |   11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

--- a/sound/pci/hda/hda_controller.h
+++ b/sound/pci/hda/hda_controller.h
@@ -151,6 +151,7 @@ struct azx {
 	unsigned int msi:1;
 	unsigned int probing:1; /* codec probing phase */
 	unsigned int snoop:1;
+	unsigned int uc_buffer:1; /* non-cached pages for stream buffers */
 	unsigned int align_buffer_size:1;
 	unsigned int region_requested:1;
 	unsigned int disabled:1; /* disabled by vga_switcheroo */
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -401,7 +401,7 @@ static void __mark_pages_wc(struct azx *
 #ifdef CONFIG_SND_DMA_SGBUF
 	if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_SG) {
 		struct snd_sg_buf *sgbuf = dmab->private_data;
-		if (chip->driver_type == AZX_DRIVER_CMEDIA)
+		if (!chip->uc_buffer)
 			return; /* deal with only CORB/RIRB buffers */
 		if (on)
 			set_pages_array_wc(sgbuf->page_table, sgbuf->pages);
@@ -1538,6 +1538,7 @@ static void azx_check_snoop_available(st
 		dev_info(chip->card->dev, "Force to %s mode by module option\n",
 			 snoop ? "snoop" : "non-snoop");
 		chip->snoop = snoop;
+		chip->uc_buffer = !snoop;
 		return;
 	}
 
@@ -1558,8 +1559,12 @@ static void azx_check_snoop_available(st
 		snoop = false;
 
 	chip->snoop = snoop;
-	if (!snoop)
+	if (!snoop) {
 		dev_info(chip->card->dev, "Force to non-snoop mode\n");
+		/* C-Media requires non-cached pages only for CORB/RIRB */
+		if (chip->driver_type != AZX_DRIVER_CMEDIA)
+			chip->uc_buffer = true;
+	}
 }
 
 static void azx_probe_work(struct work_struct *work)
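Review bot: the C-Media exception is applied in this automatic path only; the module-option path in the previous hunk sets `chip->uc_buffer = !snoop;` unconditionally. The changelog says that is intended, but the code does not, so extend the new comment (or add one at the forced-mode assignment) to say that an explicit snoop=0 overrides the C-Media special case.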
@@ -1958,7 +1963,7 @@ static void pcm_mmap_prepare(struct snd_
 #ifdef CONFIG_X86
 	struct azx_pcm *apcm = snd_pcm_substream_chip(substream);
 	struct azx *chip = apcm->chip;
-	if (!azx_snoop(chip) && chip->driver_type != AZX_DRIVER_CMEDIA)
+	if (chip->uc_buffer)
 		area->vm_page_prot = pgprot_writecombine(area->vm_page_prot);
 #endif
 }




* [PATCH 4.4 044/160] xen-swiotlb: use actually allocated size on check physical continuous
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 043/160] ALSA: hda: Check the non-cached stream buffers more explicitly Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 045/160] tpm: Restore functionality to xen vtpm driver Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Jin, Konrad Rzeszutek Wilk,
	Boris Ostrovsky, Christoph Helwig, Dongli Zhang, John Sobecki

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Jin <joe.jin@oracle.com>

commit 7250f422da0480d8512b756640f131b9b893ccda upstream.

xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the
order of the pages and not size argument (bytes). This is inconsistent with
range_straddles_page_boundary and memset which use the 'size' value,
which may lead to not exchanging memory with Xen (range_straddles_page_boundary()
returned true). And then the call to xen_swiotlb_free_coherent() would
actually try to exchange the memory with Xen, leading to the kernel
hitting a BUG (as the hypercall returned an error).

This patch fixes it by making the 'size' variable be of the same size
as the amount of memory allocated.

CC: stable@vger.kernel.org
Signed-off-by: Joe Jin <joe.jin@oracle.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Christoph Helwig <hch@lst.de>
Cc: Dongli Zhang <dongli.zhang@oracle.com>
Cc: John Sobecki <john.sobecki@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/swiotlb-xen.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -310,6 +310,9 @@ xen_swiotlb_alloc_coherent(struct device
 	*/
 	flags &= ~(__GFP_DMA | __GFP_HIGHMEM);
 
+	/* Convert the size to actually allocated. */
+	size = 1UL << (order + XEN_PAGE_SHIFT);
+
 	/* On ARM this function returns an ioremap'ped virtual address for
 	 * which virt_to_phys doesn't return the corresponding physical
 	 * address. In fact on ARM virt_to_phys only works for kernel direct
@@ -359,6 +362,9 @@ xen_swiotlb_free_coherent(struct device
 	 * physical address */
 	phys = xen_bus_to_phys(dev_addr);
 
+	/* Convert the size to actually allocated. */
+	size = 1UL << (order + XEN_PAGE_SHIFT);
+
 	if (((dev_addr + size - 1 <= dma_mask)) ||
 	    range_straddles_page_boundary(phys, size))
 		xen_destroy_contiguous_region(phys, order);
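Review bot: the same `size = 1UL << (order + XEN_PAGE_SHIFT);` is now open-coded in both the alloc and the free path, and the bug being fixed came from the size checks in these paths disagreeing with what was allocated. A small helper used by both would keep them from drifting apart again; the comment would also read better as "Round size up to what was actually allocated".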




* [PATCH 4.4 045/160] tpm: Restore functionality to xen vtpm driver.
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 044/160] xen-swiotlb: use actually allocated size on check physical continuous Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 046/160] xen: fix race in xen_qlock_wait() Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dr. Greg Wettstein, Boris Ostrovsky,
	Jarkko Sakkinen

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dr. Greg Wettstein <greg@wind.enjellic.com>

commit e487a0f52301293152a6f8c4e217f2a11dd808e3 upstream.

Functionality of the xen-tpmfront driver was lost secondary to
the introduction of xenbus multi-page support in commit ccc9d90a9a8b
("xenbus_client: Extend interface to support multi-page ring").

In this commit a pointer to the location where the shared page address
is stored was being passed to the xenbus_grant_ring() function rather
than the address of the shared page itself. This resulted in a situation
where the driver would attach to the vtpm-stubdom but any attempt
to send a command to the stub domain would time out.

A diagnostic finding for this regression is the following error
message being generated when the xen-tpmfront driver probes for a
device:

<3>vtpm vtpm-0: tpm_transmit: tpm_send: error -62

<3>vtpm vtpm-0: A TPM error (-62) occurred attempting to determine
the timeouts

This fix is relevant to all kernels from 4.1 forward which is the
release in which multi-page xenbus support was introduced.

Daniel De Graaf formulated the fix by code inspection after the
regression point was located.

Fixes: ccc9d90a9a8b ("xenbus_client: Extend interface to support multi-page ring")
Signed-off-by: Dr. Greg Wettstein <greg@enjellic.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[boris: Updated commit message, added Fixes tag]
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: stable@vger.kernel.org # v4.1+
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

---
 drivers/char/tpm/xen-tpmfront.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/char/tpm/xen-tpmfront.c
+++ b/drivers/char/tpm/xen-tpmfront.c
@@ -201,7 +201,7 @@ static int setup_ring(struct xenbus_devi
 		return -ENOMEM;
 	}
 
-	rv = xenbus_grant_ring(dev, &priv->shr, 1, &gref);
+	rv = xenbus_grant_ring(dev, priv->shr, 1, &gref);
 	if (rv < 0)
 		return rv;
 




* [PATCH 4.4 046/160] xen: fix race in xen_qlock_wait()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 045/160] tpm: Restore functionality to xen vtpm driver Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 047/160] xen: make xen_qlock_wait() nestable Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Waiman.Long, peterz, Juergen Gross,
	Jan Beulich

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 upstream.

In the following situation a vcpu waiting for a lock might not be
woken up from xen_poll_irq():

CPU 1:                CPU 2:                      CPU 3:
takes a spinlock
                      tries to get lock
                      -> xen_qlock_wait()
frees the lock
-> xen_qlock_kick(cpu2)
                        -> xen_clear_irq_pending()

takes lock again
                                                  tries to get lock
                                                  -> *lock = _Q_SLOW_VAL
                        -> *lock == _Q_SLOW_VAL ?
                        -> xen_poll_irq()
frees the lock
-> xen_qlock_kick(cpu3)

And cpu 2 will sleep forever.

This can be avoided easily by modifying xen_qlock_wait() to call
xen_poll_irq() only if the related irq was not pending and to call
xen_clear_irq_pending() only if it was pending.

Cc: stable@vger.kernel.org
Cc: Waiman.Long@hp.com
Cc: peterz@infradead.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/xen/spinlock.c |   15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

--- a/arch/x86/xen/spinlock.c
+++ b/arch/x86/xen/spinlock.c
@@ -47,17 +47,12 @@ static void xen_qlock_wait(u8 *byte, u8
 	if (irq == -1)
 		return;
 
-	/* clear pending */
-	xen_clear_irq_pending(irq);
-	barrier();
+	/* If irq pending already clear it and return. */
+	if (xen_test_irq_pending(irq)) {
+		xen_clear_irq_pending(irq);
+		return;
+	}
 
-	/*
-	 * We check the byte value after clearing pending IRQ to make sure
-	 * that we won't miss a wakeup event because of the clearing.
-	 *
-	 * The sync_clear_bit() call in xen_clear_irq_pending() is atomic.
-	 * So it is effectively a memory barrier for x86.
-	 */
 	if (READ_ONCE(*byte) != val)
 		return;
 
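
Review bot: the ordering rationale in xen_qlock_wait() is dropped without a replacement. The hunk deletes both barrier() and the comment explaining why *byte is checked after the pending bit is cleared, yet the new sequence (xen_test_irq_pending(), then READ_ONCE(*byte), then the poll that follows) still depends on a kick arriving between the test and the poll leaving the irq pending. A short comment saying that the pending bit is now cleared only when it was already set, so a late kick cannot be lost, would keep that invariant documented. The changelog should also say whether re-entry from an interrupt handler between the test and the poll is handled here or separately.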




* [PATCH 4.4 047/160] xen: make xen_qlock_wait() nestable
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 046/160] xen: fix race in xen_qlock_wait() Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 048/160] net/ipv4: defensive cipso option parsing Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Waiman.Long, peterz, Juergen Gross,
	Jan Beulich

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit a856531951dc8094359dfdac21d59cee5969c18e upstream.

xen_qlock_wait() isn't safe for nested calls due to interrupts. A call
of xen_qlock_kick() might be ignored in case a deeper nesting level
was active right before the call of xen_poll_irq():

CPU 1:                                   CPU 2:
spin_lock(lock1)
                                         spin_lock(lock1)
                                         -> xen_qlock_wait()
                                            -> xen_clear_irq_pending()
                                            Interrupt happens
spin_unlock(lock1)
-> xen_qlock_kick(CPU 2)
spin_lock_irqsave(lock2)
                                         spin_lock_irqsave(lock2)
                                         -> xen_qlock_wait()
                                            -> xen_clear_irq_pending()
                                               clears kick for lock1
                                            -> xen_poll_irq()
spin_unlock_irq_restore(lock2)
-> xen_qlock_kick(CPU 2)
                                            wakes up
                                         spin_unlock_irq_restore(lock2)
                                         IRET
                                           resumes in xen_qlock_wait()
                                           -> xen_poll_irq()
                                           never wakes up

The solution is to disable interrupts in xen_qlock_wait() and not to
poll for the irq in case xen_qlock_wait() is called in nmi context.

Cc: stable@vger.kernel.org
Cc: Waiman.Long@hp.com
Cc: peterz@infradead.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/xen/spinlock.c |   24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

--- a/arch/x86/xen/spinlock.c
+++ b/arch/x86/xen/spinlock.c
@@ -41,29 +41,25 @@ static void xen_qlock_kick(int cpu)
  */
 static void xen_qlock_wait(u8 *byte, u8 val)
 {
+	unsigned long flags;
 	int irq = __this_cpu_read(lock_kicker_irq);
 
 	/* If kicker interrupts not initialized yet, just spin */
-	if (irq == -1)
+	if (irq == -1 || in_nmi())
 		return;
 
-	/* If irq pending already clear it and return. */
+	/* Guard against reentry. */
+	local_irq_save(flags);
+
+	/* If irq pending already clear it. */
 	if (xen_test_irq_pending(irq)) {
 		xen_clear_irq_pending(irq);
-		return;
+	} else if (READ_ONCE(*byte) == val) {
+		/* Block until irq becomes pending (or a spurious wakeup) */
+		xen_poll_irq(irq);
 	}
 
-	if (READ_ONCE(*byte) != val)
-		return;
-
-	/*
-	 * If an interrupt happens here, it will leave the wakeup irq
-	 * pending, which will cause xen_poll_irq() to return
-	 * immediately.
-	 */
-
-	/* Block until irq becomes pending (or perhaps a spurious wakeup) */
-	xen_poll_irq(irq);
+	local_irq_restore(flags);
 }
 
 #else /* CONFIG_QUEUED_SPINLOCKS */
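
Review bot: the comment above the first test in xen_qlock_wait() is stale once "|| in_nmi()" is added. "If kicker interrupts not initialized yet, just spin" now also has to cover the NMI case, where the function returns without polling so that the caller spins. Suggest extending it, for example "If kicker interrupts not initialized yet or in NMI context, just spin". The removed comment about an interrupt leaving the wakeup irq pending also explained the hazard; "Guard against reentry." could state that the reentry meant is a nested xen_qlock_wait() from an interrupt handler clearing this level's kick.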




* [PATCH 4.4 048/160] net/ipv4: defensive cipso option parsing
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 047/160] xen: make xen_qlock_wait() nestable Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 049/160] libnvdimm: Hold reference on parent while scheduling async init Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Nuernberger, David Woodhouse,
	Simon Veith, Paul Moore, David S. Miller

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Nuernberger <snu@amazon.com>

commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream.

commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
a possible infinite loop in the IP option parsing of CIPSO. The fix
assumes that ip_options_compile filtered out all zero length options and
that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
While this assumption currently holds true, add explicit checks for zero
length and invalid length options to be safe for the future. Even though
ip_options_compile should have validated the options, the introduction of
new one-byte options can still confuse this code without the additional
checks.

Signed-off-by: Stefan Nuernberger <snu@amazon.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Simon Veith <sveith@amazon.de>
Cc: stable@vger.kernel.org
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/cipso_ipv4.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1582,7 +1582,7 @@ static int cipso_v4_parsetag_loc(const s
  *
  * Description:
  * Parse the packet's IP header looking for a CIPSO option.  Returns a pointer
- * to the start of the CIPSO option on success, NULL if one if not found.
+ * to the start of the CIPSO option on success, NULL if one is not found.
  *
  */
 unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
@@ -1592,10 +1592,8 @@ unsigned char *cipso_v4_optptr(const str
 	int optlen;
 	int taglen;
 
-	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
+	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
 		switch (optptr[0]) {
-		case IPOPT_CIPSO:
-			return optptr;
 		case IPOPT_END:
 			return NULL;
 		case IPOPT_NOOP:
@@ -1604,6 +1602,11 @@ unsigned char *cipso_v4_optptr(const str
 		default:
 			taglen = optptr[1];
 		}
+		if (!taglen || taglen > optlen)
+			return NULL;
+		if (optptr[0] == IPOPT_CIPSO)
+			return optptr;
+
 		optlen -= taglen;
 		optptr += taglen;
 	}
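
Review bot: the new length check after the switch still accepts a length byte of 1. "if (!taglen || taglen > optlen)" rejects zero and overlong values, but in the default case taglen comes from optptr[1], and an option that carries a length byte occupies at least two bytes. A value of 1 there makes the loop advance a single byte and reinterpret the length byte as the next option type. Since the changelog sets out to reject invalid lengths, consider returning NULL for taglen < 2 in the default case as well.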




* [PATCH 4.4 049/160] libnvdimm: Hold reference on parent while scheduling async init
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 048/160] net/ipv4: defensive cipso option parsing Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 050/160] jbd2: fix use after free in jbd2_log_do_checkpoint() Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Duyck, Dan Williams

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Duyck <alexander.h.duyck@linux.intel.com>

commit b6eae0f61db27748606cc00dafcfd1e2c032f0a5 upstream.

Unlike asynchronous initialization in the core we have not yet associated
the device with the parent, and as such the device doesn't hold a reference
to the parent.

In order to resolve that we should be holding a reference on the parent
until the asynchronous initialization has completed.

Cc: <stable@vger.kernel.org>
Fixes: 4d88a97aa9e8 ("libnvdimm: ...base ... infrastructure")
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nvdimm/bus.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -158,6 +158,8 @@ static void nd_async_device_register(voi
 		put_device(dev);
 	}
 	put_device(dev);
+	if (dev->parent)
+		put_device(dev->parent);
 }
 
 static void nd_async_device_unregister(void *d, async_cookie_t cookie)
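
Review bot: dev->parent is read after the final put_device(dev) in nd_async_device_register(). If that put drops the last reference to dev, the two added lines dereference a freed device. Suggest saving the parent in a local before the puts (struct device *parent = dev->parent;) and calling put_device() on that local once put_device(dev) has run.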
@@ -175,6 +177,8 @@ static void nd_async_device_unregister(v
 void __nd_device_register(struct device *dev)
 {
 	dev->bus = &nvdimm_bus_type;
+	if (dev->parent)
+		get_device(dev->parent);
 	get_device(dev);
 	async_schedule_domain(nd_async_device_register, dev,
 			&nd_async_domain);




* [PATCH 4.4 050/160] jbd2: fix use after free in jbd2_log_do_checkpoint()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 049/160] libnvdimm: Hold reference on parent while scheduling async init Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 051/160] gfs2_meta: ->mount() can get NULL dev_name Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+7f4a27091759e2fe7453,
	Lukas Czerner, Jan Kara, Theodore Tso

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit ccd3c4373eacb044eb3832966299d13d2631f66f upstream.

The code cleaning transaction's lists of checkpoint buffers has a bug
where it increases bh refcount only after releasing
journal->j_list_lock. Thus the following race is possible:

CPU0					CPU1
jbd2_log_do_checkpoint()
					jbd2_journal_try_to_free_buffers()
					  __journal_try_to_free_buffer(bh)
  ...
  while (transaction->t_checkpoint_io_list)
  ...
    if (buffer_locked(bh)) {

<-- IO completes now, buffer gets unlocked -->

      spin_unlock(&journal->j_list_lock);
					    spin_lock(&journal->j_list_lock);
					    __jbd2_journal_remove_checkpoint(jh);
					    spin_unlock(&journal->j_list_lock);
					  try_to_free_buffers(page);
      get_bh(bh) <-- accesses freed bh

Fix the problem by grabbing bh reference before unlocking
journal->j_list_lock.

Fixes: dc6e8d669cf5 ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()")
Fixes: be1158cc615f ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()")
Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com
CC: stable@vger.kernel.org
Reviewed-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/jbd2/checkpoint.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/jbd2/checkpoint.c
+++ b/fs/jbd2/checkpoint.c
@@ -254,8 +254,8 @@ restart:
 		bh = jh2bh(jh);
 
 		if (buffer_locked(bh)) {
-			spin_unlock(&journal->j_list_lock);
 			get_bh(bh);
+			spin_unlock(&journal->j_list_lock);
 			wait_on_buffer(bh);
 			/* the journal_head may have gone by now */
 			BUFFER_TRACE(bh, "brelse");
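
Review bot: nothing at the swapped lines records why the order matters. get_bh(bh) has to run while journal->j_list_lock is still held, because once the lock is dropped the buffer can be removed from the checkpoint list and freed, as the race in the changelog shows. The same two-line pattern is changed again at restart2, so a one-line comment above get_bh() at both sites (for example "take the reference before dropping j_list_lock") would keep a later cleanup from reordering them.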
@@ -336,8 +336,8 @@ restart2:
 		jh = transaction->t_checkpoint_io_list;
 		bh = jh2bh(jh);
 		if (buffer_locked(bh)) {
-			spin_unlock(&journal->j_list_lock);
 			get_bh(bh);
+			spin_unlock(&journal->j_list_lock);
 			wait_on_buffer(bh);
 			/* the journal_head may have gone by now */
 			BUFFER_TRACE(bh, "brelse");




* [PATCH 4.4 051/160] gfs2_meta: ->mount() can get NULL dev_name
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 050/160] jbd2: fix use after free in jbd2_log_do_checkpoint() Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 052/160] ext4: initialize retries variable in ext4_da_write_inline_data_begin() Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c54f8e94e6bba03b04e9, Al Viro

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 3df629d873f8683af6f0d34dfc743f637966d483 upstream.

get in sync with mount_bdev() handling of the same

Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/gfs2/ops_fstype.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1353,6 +1353,9 @@ static struct dentry *gfs2_mount_meta(st
 	struct path path;
 	int error;
 
+	if (!dev_name || !*dev_name)
+		return ERR_PTR(-EINVAL);
+
 	error = kern_path(dev_name, LOOKUP_FOLLOW, &path);
 	if (error) {
 		pr_warn("path_lookup on %s returned error %d\n",




* [PATCH 4.4 052/160] ext4: initialize retries variable in ext4_da_write_inline_data_begin()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 051/160] gfs2_meta: ->mount() can get NULL dev_name Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 053/160] HID: hiddev: fix potential Spectre v1 Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukas Czerner, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Czerner <lczerner@redhat.com>

commit 625ef8a3acd111d5f496d190baf99d1a815bd03e upstream.

Variable retries is not initialized in ext4_da_write_inline_data_begin()
which can lead to nondeterministic number of retries in case we hit
ENOSPC. Initialize retries to zero as we do everywhere else.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Fixes: bc0ca9df3b2a ("ext4: retry allocation when inline->extent conversion failed")
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/inline.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -859,7 +859,7 @@ int ext4_da_write_inline_data_begin(stru
 	handle_t *handle;
 	struct page *page;
 	struct ext4_iloc iloc;
-	int retries;
+	int retries = 0;
 
 	ret = ext4_get_inode_loc(inode, &iloc);
 	if (ret)




* [PATCH 4.4 053/160] HID: hiddev: fix potential Spectre v1
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 052/160] ext4: initialize retries variable in ext4_da_write_inline_data_begin() Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 054/160] PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Breno Leitao, Jiri Kosina

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream.

uref->usage_index can be indirectly controlled by userspace, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.

This field is used as an array index by the hiddev_ioctl_usage() function,
when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
HIDIOCSUSAGES.

For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
field->maxusage and then used as an index to dereference field->usage
array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
uref->usage_index is checked against an array maximum value and then it is
used as an index in an array.

This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
traditional Spectre V1 first load:

	copy_from_user(uref, user_arg, sizeof(*uref))
	if (uref->usage_index >= field->maxusage)
		goto inval;
	i = field->usage[uref->usage_index].collection_index;
	return i;

This patch fixes this by sanitizing field uref->usage_index before using it
to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.

Cc: <stable@vger.kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
v2: Contemplate cmd == HIDIOC{G,S}USAGES case
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/usbhid/hiddev.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -521,14 +521,24 @@ static noinline int hiddev_ioctl_usage(s
 			if (cmd == HIDIOCGCOLLECTIONINDEX) {
 				if (uref->usage_index >= field->maxusage)
 					goto inval;
+				uref->usage_index =
+					array_index_nospec(uref->usage_index,
+							   field->maxusage);
 			} else if (uref->usage_index >= field->report_count)
 				goto inval;
 		}
 
-		if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-		    (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-		     uref->usage_index + uref_multi->num_values > field->report_count))
-			goto inval;
+		if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) {
+			if (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+			    uref->usage_index + uref_multi->num_values >
+			    field->report_count)
+				goto inval;
+
+			uref->usage_index =
+				array_index_nospec(uref->usage_index,
+						   field->report_count -
+						   uref_multi->num_values);
+		}
 
 		switch (cmd) {
 		case HIDIOCGUSAGE:
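
Review bot: the clamp in the HIDIOC{G,S}USAGES branch is off by one at the upper boundary. The check just above it lets through usage_index + num_values == field->report_count, that is usage_index == report_count - num_values, but array_index_nospec(index, size) passes the index through only when index < size and yields 0 otherwise. With the size given as field->report_count - uref_multi->num_values, that valid request is silently redirected to index 0, and when num_values equals report_count the size is 0. Suggest field->report_count - uref_multi->num_values + 1 as the size. Separately, the else branch "uref->usage_index >= field->report_count" gets no array_index_nospec() while the HIDIOCGCOLLECTIONINDEX check beside it does; is that intentional?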




* [PATCH 4.4 054/160] PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 053/160] HID: hiddev: fix potential Spectre v1 Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 055/160] signal/GenWQE: Fix sending of SIGKILL Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bin Meng, Bjorn Helgaas

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Meng <bmeng.cn@gmail.com>

commit d0c9606b31a21028fb5b753c8ad79626292accfd upstream.

Add Device IDs to the Intel GPU "spurious interrupt" quirk table.

For these devices, unplugging the VGA cable and plugging it in again causes
spurious interrupts from the IGD.  Linux eventually disables the interrupt,
but of course that disables any other devices sharing the interrupt.

The theory is that this is a VGA BIOS defect: it should have disabled the
IGD interrupt but failed to do so.

See f67fd55fa96f ("PCI: Add quirk for still enabled interrupts on Intel
Sandy Bridge GPUs") and 7c82126a94e6 ("PCI: Add new ID for Intel GPU
"spurious interrupt" quirk") for some history.

[bhelgaas: See link below for discussion about how to fix this more
generically instead of adding device IDs for every new Intel GPU.  I hope
this is the last patch to add device IDs.]

Link: https://lore.kernel.org/linux-pci/1537974841-29928-1-git-send-email-bmeng.cn@gmail.com
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org	# v3.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/quirks.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3061,7 +3061,11 @@ static void disable_igfx_irq(struct pci_
 
 	pci_iounmap(dev, regs);
 }
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0042, disable_igfx_irq);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0046, disable_igfx_irq);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x004a, disable_igfx_irq);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0106, disable_igfx_irq);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0152, disable_igfx_irq);
 




* [PATCH 4.4 055/160] signal/GenWQE: Fix sending of SIGKILL
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 054/160] PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 056/160] crypto: lrw - Fix out-of bounds access on counter overflow Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Frank Haverkamp, Joerg-Stephan Vogt,
	Michael Jung, Michael Ruettger, Kleber Sacilotto de Souza,
	Sebastian Ott, Eberhard S. Amann, Gabriel Krisman Bertazi,
	Guilherme G. Piccoli, Eric W. Biederman

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.

The genwqe_add_file and genwqe_del_file by caching current without
using reference counting embed the assumption that a file descriptor
will never be passed from one process to another.  It even embeds the
assumption that the thread that opened the file will be in
existence when the process terminates.   Neither of which are
guaranteed to be true.

Therefore replace caching the task_struct of the opener with
pid of the opener's thread group id.  All the knowledge of the
opener is used for is as the target of SIGKILL and a SIGKILL
will kill the entire process group.

Rename genwqe_force_sig to genwqe_terminate, remove its unnecessary
signal argument, update its only caller, and use kill_pid
instead of force_sig.

The work force_sig does in changing signal handling state is not
relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processes
will be killed just with less work, and less confusion.  The work done
by force_sig is really only needed for handling synchronous
exceptions.

It will still be possible to cause genwqe_device_remove to wait
8 seconds by passing a file descriptor to another process but
the possible use after free is fixed.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Frank Haverkamp <haver@linux.vnet.ibm.com>
Cc: Joerg-Stephan Vogt <jsvogt@de.ibm.com>
Cc: Michael Jung <mijung@gmx.net>
Cc: Michael Ruettger <michael@ibmra.de>
Cc: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
Cc: Eberhard S. Amann <esa@linux.vnet.ibm.com>
Cc: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
Cc: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/genwqe/card_base.h |    2 +-
 drivers/misc/genwqe/card_dev.c  |    9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/misc/genwqe/card_base.h
+++ b/drivers/misc/genwqe/card_base.h
@@ -404,7 +404,7 @@ struct genwqe_file {
 	struct file *filp;
 
 	struct fasync_struct *async_queue;
-	struct task_struct *owner;
+	struct pid *opener;
 	struct list_head list;		/* entry in list of open files */
 
 	spinlock_t map_lock;		/* lock for dma_mappings */
--- a/drivers/misc/genwqe/card_dev.c
+++ b/drivers/misc/genwqe/card_dev.c
@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq
 {
 	unsigned long flags;
 
-	cfile->owner = current;
+	cfile->opener = get_pid(task_tgid(current));
 	spin_lock_irqsave(&cd->file_lock, flags);
 	list_add(&cfile->list, &cd->file_list);
 	spin_unlock_irqrestore(&cd->file_lock, flags);
@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe
 	spin_lock_irqsave(&cd->file_lock, flags);
 	list_del(&cfile->list);
 	spin_unlock_irqrestore(&cd->file_lock, flags);
+	put_pid(cfile->opener);
 
 	return 0;
 }
@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen
 	return files;
 }
 
-static int genwqe_force_sig(struct genwqe_dev *cd, int sig)
+static int genwqe_terminate(struct genwqe_dev *cd)
 {
 	unsigned int files = 0;
 	unsigned long flags;
@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq
 
 	spin_lock_irqsave(&cd->file_lock, flags);
 	list_for_each_entry(cfile, &cd->file_list, list) {
-		force_sig(sig, cfile->owner);
+		kill_pid(cfile->opener, SIGKILL, 1);
 		files++;
 	}
 	spin_unlock_irqrestore(&cd->file_lock, flags);
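
Review bot: the result of kill_pid() is discarded in the list walk while files++ runs for every entry. When the descriptor has been passed to another process and the opener's thread group is gone, no signal is delivered but the entry is still counted, which is what leads to the wait the changelog mentions. A comment here saying that the return value counts open files rather than signalled processes would make that explicit. The bare 1 passed as the third argument of kill_pid() would also read better with a short comment that it marks the signal as kernel-originated, matching the SEND_SIG_PRIV remark in the changelog.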
@@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces
 		dev_warn(&pci_dev->dev,
 			 "[%s] send SIGKILL and wait ...\n", __func__);
 
-		rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */
+		rc = genwqe_terminate(cd);
 		if (rc) {
 			/* Give kill_timout more seconds to end processes */
 			for (i = 0; (i < genwqe_kill_timeout) &&




* [PATCH 4.4 056/160] crypto: lrw - Fix out-of bounds access on counter overflow
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 055/160] signal/GenWQE: Fix sending of SIGKILL Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 057/160] ima: fix showing large violations or runtime_measurements_count Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Biggers, Ondrej Mosnacek, Herbert Xu

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ondrej Mosnacek <omosnace@redhat.com>

commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream.

When the LRW block counter overflows, the current implementation returns
128 as the index to the precomputed multiplication table, which has 128
entries. This patch fixes it to return the correct value (127).

Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
Cc: <stable@vger.kernel.org> # 2.6.20+
Reported-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/lrw.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/crypto/lrw.c
+++ b/crypto/lrw.c
@@ -132,7 +132,12 @@ static inline int get_index128(be128 *bl
 		return x + ffz(val);
 	}
 
-	return x;
+	/*
+	 * If we get here, then x == 128 and we are incrementing the counter
+	 * from all ones to all zeros. This means we must return index 127, i.e.
+	 * the one corresponding to key2*{ 1,...,1 }.
+	 */
+	return 127;
 }
 
 static int crypt(struct blkcipher_desc *d,
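Review bot: the new `return 127;` hard-codes the last slot of the multiplication table, which the commit message says has 128 entries, so the index and the table size are only linked by the comment. Deriving the value from the table's declared size, or from a named constant shared with it, would keep the two in step if either changes; the comment explaining the all-ones to all-zeros case is worth keeping as it is.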



^ permalink raw reply	[flat|nested] 169+ messages in thread
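A userspace model of the index computation described in the commit message of patch 056 above, added here as an example and not taken from the kernel's crypto/lrw.c. The 16-byte counter layout, all function names and the sample counters are assumptions constructed for this illustration; only the table size (128) and the two return values (128 before, 127 after) come from the page.

```c
#include <stdint.h>
#include <stdio.h>

#define LRW_TABLE_ENTRIES 128 /* table size stated in the commit message */

/* 128-bit block counter as 16 big-endian bytes; b[15] is least significant. */
typedef struct { uint8_t b[16]; } counter128;

/* Build a counter from two 64-bit halves (helper for the constructed samples). */
counter128 make_counter(uint64_t hi, uint64_t lo)
{
    counter128 c;
    for (int i = 0; i < 8; i++) {
        c.b[i]     = (uint8_t)(hi >> (56 - 8 * i));
        c.b[8 + i] = (uint8_t)(lo >> (56 - 8 * i));
    }
    return c;
}

/* Read 32-bit word w of the counter, where w == 0 is the least significant. */
static uint32_t load_word(const counter128 *c, int w)
{
    const uint8_t *p = c->b + 12 - 4 * w;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Position of the lowest clear bit; the caller guarantees one exists. */
static int first_zero_bit(uint32_t val)
{
    int n = 0;
    while (val & 1u) {
        val >>= 1;
        n++;
    }
    return n;
}

/*
 * Table index for the next counter increment: the position of the lowest
 * clear bit of the 128-bit counter. When every bit is set the loop falls
 * through and all_ones_result is returned, which is the case the patch changes.
 */
static int scan_index(const counter128 *c, int all_ones_result)
{
    for (int x = 0; x < 128; x += 32) {
        uint32_t val = load_word(c, x / 32);
        if (val == 0xffffffffu)
            continue;
        return x + first_zero_bit(val);
    }
    return all_ones_result;
}

/* Behaviour before the patch: the fall-through value is the loop counter, 128. */
int index_before_fix(const counter128 *c) { return scan_index(c, 128); }

/* Behaviour after the patch: the fall-through value is the last valid slot. */
int index_after_fix(const counter128 *c)  { return scan_index(c, LRW_TABLE_ENTRIES - 1); }

/* Run an index function over constructed counters and count results that
 * would read outside a table of LRW_TABLE_ENTRIES entries. */
int count_out_of_bounds(int (*index_fn)(const counter128 *))
{
    counter128 samples[6];
    int bad = 0;

    samples[0] = make_counter(0, 0);                             /* no bits set      */
    samples[1] = make_counter(0, 1);                             /* one trailing 1   */
    samples[2] = make_counter(0, 0xffffffffu);                   /* low word full    */
    samples[3] = make_counter(0, UINT64_MAX);                    /* low half full    */
    samples[4] = make_counter(0x7fffffffffffffffULL, UINT64_MAX);/* 127 trailing 1s  */
    samples[5] = make_counter(UINT64_MAX, UINT64_MAX);           /* counter overflow */

    for (int i = 0; i < 6; i++) {
        int idx = index_fn(&samples[i]);
        if (idx < 0 || idx >= LRW_TABLE_ENTRIES)
            bad++;
    }
    return bad;
}

int main(void)
{
    counter128 all_ones = make_counter(UINT64_MAX, UINT64_MAX);

    printf("all-ones counter: before=%d after=%d (valid range 0..%d)\n",
           index_before_fix(&all_ones), index_after_fix(&all_ones),
           LRW_TABLE_ENTRIES - 1);
    printf("out-of-bounds results: before=%d after=%d\n",
           count_out_of_bounds(index_before_fix),
           count_out_of_bounds(index_after_fix));
    return 0;
}
```

Only the all-ones counter reaches the fall-through return, which is why the out-of-bounds index needs a full 128-bit counter wrap to appear.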

* [PATCH 4.4 057/160] ima: fix showing large violations or runtime_measurements_count
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 056/160] crypto: lrw - Fix out-of bounds access on counter overflow Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 058/160] hugetlbfs: dirty pages as they are added to pagecache Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Mimi Zohar

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream.

The 12 character temporary buffer is not necessarily long enough to hold
a 'long' value.  Increase it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/integrity/ima/ima_fs.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -26,14 +26,14 @@
 #include "ima.h"
 
 static int valid_policy = 1;
-#define TMPBUFLEN 12
+
 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
 				     loff_t *ppos, atomic_long_t *val)
 {
-	char tmpbuf[TMPBUFLEN];
+	char tmpbuf[32];	/* greater than largest 'long' string value */
 	ssize_t len;
 
-	len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
+	len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val));
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
 }
 
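Review bot: tmpbuf[32] replaces one hand-picked size with another, and the trailing comment asserts that it exceeds the largest 'long' string without giving the bound. A 64-bit long printed with "%li\n" needs at most 22 bytes including the sign, newline and terminating NUL; stating that in the comment would let a reader verify 32 rather than trust it. Passing sizeof(tmpbuf) to scnprintf() is the right change, since the array size and the length limit can no longer drift apart.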



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 058/160] hugetlbfs: dirty pages as they are added to pagecache
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 057/160] ima: fix showing large violations or runtime_measurements_count Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 059/160] kbuild: fix kernel/bounds.c W=1 warning Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Kravetz, Mihcla Hocko,
	Khalid Aziz, Hugh Dickins, Naoya Horiguchi, Aneesh Kumar K . V,
	Andrea Arcangeli, Kirill A . Shutemov, Davidlohr Bueso,
	Alexander Viro, Andrew Morton, Linus Torvalds

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 22146c3ce98962436e401f7b7016a6f664c9ffb5 upstream.

Some test systems were experiencing negative huge page reserve counts and
incorrect file block counts.  This was traced to /proc/sys/vm/drop_caches
removing clean pages from hugetlbfs file pagecaches.  When non-hugetlbfs
explicit code removes the pages, the appropriate accounting is not
performed.

This can be recreated as follows:
 fallocate -l 2M /dev/hugepages/foo
 echo 1 > /proc/sys/vm/drop_caches
 fallocate -l 2M /dev/hugepages/foo
 grep -i huge /proc/meminfo
   AnonHugePages:         0 kB
   ShmemHugePages:        0 kB
   HugePages_Total:    2048
   HugePages_Free:     2047
   HugePages_Rsvd:    18446744073709551615
   HugePages_Surp:        0
   Hugepagesize:       2048 kB
   Hugetlb:         4194304 kB
 ls -lsh /dev/hugepages/foo
   4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo

To address this issue, dirty pages as they are added to pagecache.  This
can easily be reproduced with fallocate as shown above.  Read faulted
pages will eventually end up being marked dirty.  But there is a window
where they are clean and could be impacted by code such as drop_caches.
So, just dirty them all as they are added to the pagecache.

Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com
Fixes: 6bda666a03f0 ("hugepages: fold find_or_alloc_pages into huge_no_page()")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Mihcla Hocko <mhocko@suse.com>
Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/hugetlb.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3537,6 +3537,12 @@ int huge_add_to_page_cache(struct page *
 		return err;
 	ClearPagePrivate(page);
 
+	/*
+	 * set page dirty so that it will not be removed from cache/file
+	 * by non-hugetlbfs specific code paths.
+	 */
+	set_page_dirty(page);
+
 	spin_lock(&inode->i_lock);
 	inode->i_blocks += blocks_per_huge_page(h);
 	spin_unlock(&inode->i_lock);
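Review bot: the comment above set_page_dirty(page) says only that the page will not be removed by non-hugetlbfs code paths, not why removal matters. Naming the consequence given in the commit message (drop_caches removing a clean page without the hugetlbfs reserve and block-count accounting) would make the link to the inode->i_blocks update that follows obvious to the next reader.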



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 059/160] kbuild: fix kernel/bounds.c W=1 warning
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 058/160] hugetlbfs: dirty pages as they are added to pagecache Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 060/160] iio: adc: at91: fix acking DRDY irq on simple conversions Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Kieran Bingham,
	David Laight, Masahiro Yamada, Andrew Morton, Linus Torvalds

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 6a32c2469c3fbfee8f25bcd20af647326650a6cf upstream.

Building any configuration with 'make W=1' produces a warning:

kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes]

When also passing -Werror, this prevents us from building any other files.
Nobody ever calls the function, but we can't make it 'static' either
since we want the compiler output.

Calling it 'main' instead however avoids the warning, because gcc
does not insist on having a declaration for main.

Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.de
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/bounds.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/bounds.c
+++ b/kernel/bounds.c
@@ -12,7 +12,7 @@
 #include <linux/log2.h>
 #include <linux/spinlock_types.h>
 
-void foo(void)
+int main(void)
 {
 	/* The enum constants to put into include/generated/bounds.h */
 	DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
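Review bot: the rename of foo() to main() at the top of this hunk carries no comment, and without the commit message the name looks like a mistake in a file that is compiled only for its output. A one-line comment above `int main(void)` saying the name is chosen because gcc does not insist on a prior declaration for main would stop someone renaming it back or marking it static.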
@@ -22,4 +22,6 @@ void foo(void)
 #endif
 	DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
 	/* End of constants */
+
+	return 0;
 }



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 060/160] iio: adc: at91: fix acking DRDY irq on simple conversions
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 059/160] kbuild: fix kernel/bounds.c W=1 warning Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 061/160] iio: adc: at91: fix wrong channel number in triggered buffer mode Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Eugen Hristev,
	Ludovic Desroches, Stable, Jonathan Cameron

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eugen Hristev <eugen.hristev@microchip.com>

commit bc1b45326223e7e890053cf6266357adfa61942d upstream.

When doing simple conversions, the driver did not acknowledge the DRDY irq.
If this irq status is not acked, it will be left pending, and as soon as a
trigger is enabled, the irq handler will be called, it doesn't know why
this status has occurred because no channel is pending, and then it will go
into an irq loop and the board will hang.
To avoid this situation, read the LCDR after a raw conversion is done.

Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
Cc: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/at91_adc.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/iio/adc/at91_adc.c
+++ b/drivers/iio/adc/at91_adc.c
@@ -276,6 +276,8 @@ static void handle_adc_eoc_trigger(int i
 		iio_trigger_poll(idev->trig);
 	} else {
 		st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb));
+		/* Needed to ACK the DRDY interruption */
+		at91_adc_readl(st, AT91_ADC_LCDR);
 		st->done = true;
 		wake_up_interruptible(&st->wq_data_avail);
 	}
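Review bot: the added at91_adc_readl(st, AT91_ADC_LCDR) discards its result on purpose, but the comment above it says only "Needed to ACK the DRDY interruption". State that the read itself is what acknowledges the status and that the value is intentionally unused (and write "interrupt"), so the call is not later removed as dead code.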



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 061/160] iio: adc: at91: fix wrong channel number in triggered buffer mode
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 060/160] iio: adc: at91: fix acking DRDY irq on simple conversions Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 062/160] w1: omap-hdq: fix missing bus unregister at removal Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Eugen Hristev,
	Ludovic Desroches, Stable, Jonathan Cameron

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eugen Hristev <eugen.hristev@microchip.com>

commit aea835f2dc8a682942b859179c49ad1841a6c8b9 upstream.

When channels are registered, the hardware channel number is not the
actual iio channel number.
This is because the driver is probed with a certain number of accessible
channels. Some pins are routed and some not, depending on the description of
the board in the DT.
Because of that, channels 0,1,2,3 can correspond to hardware channels
2,3,4,5 for example.
In the buffered triggered case, we need to do the translation accordingly.
Fixed the channel number to stop reading the wrong channel.

Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
Cc: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/at91_adc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/at91_adc.c
+++ b/drivers/iio/adc/at91_adc.c
@@ -245,12 +245,14 @@ static irqreturn_t at91_adc_trigger_hand
 	struct iio_poll_func *pf = p;
 	struct iio_dev *idev = pf->indio_dev;
 	struct at91_adc_state *st = iio_priv(idev);
+	struct iio_chan_spec const *chan;
 	int i, j = 0;
 
 	for (i = 0; i < idev->masklength; i++) {
 		if (!test_bit(i, idev->active_scan_mask))
 			continue;
-		st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i));
+		chan = idev->channels + i;
+		st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel));
 		j++;
 	}
 
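Review bot: `chan = idev->channels + i` indexes the channel array with the scan-mask bit position, bounded only by idev->masklength, and nothing in the hunk shows that masklength cannot exceed the number of entries in idev->channels. Add a bounds check, or a comment stating the invariant that scan bit i is also the array position, since the fix depends on it.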



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 062/160] w1: omap-hdq: fix missing bus unregister at removal
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 061/160] iio: adc: at91: fix wrong channel number in triggered buffer mode Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 063/160] smb3: allow stats which track session and share reconnects to be reset Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andreas Kemnade

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Kemnade <andreas@kemnade.info>

commit a007734618fee1bf35556c04fa498d41d42c7301 upstream.

The bus master was not removed after unloading the module
or unbinding the driver. That led to oopses like this

[  127.842987] Unable to handle kernel paging request at virtual address bf01d04c
[  127.850646] pgd = 70e3cd9a
[  127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000
[  127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
[  127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq]
[  127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12
[  127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree)
[  127.890441] PC is at 0xbf01d04c
[  127.893798] LR is at w1_search_process_cb+0x4c/0xfc
[  127.898956] pc : [<bf01d04c>]    lr : [<c05f9580>]    psr: a0070013
[  127.905609] sp : cf885f48  ip : bf01d04c  fp : ddf1e11c
[  127.911132] r10: cf8fe040  r9 : c05f8d00  r8 : cf8fe040
[  127.916656] r7 : 000000f0  r6 : cf8fe02c  r5 : cf8fe000  r4 : cf8fe01c
[  127.923553] r3 : c05f8d00  r2 : 000000f0  r1 : cf8fe000  r0 : dde1ef10
[  127.930450] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[  127.938018] Control: 10c5387d  Table: 8f8f0019  DAC: 00000051
[  127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f)
[  127.951171] Stack: (0xcf885f48 to 0xcf886000)
[  127.955810] 5f40:                   cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00
[  127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000
[  127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000
[  127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
[  127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[  128.007781] [<c05f9580>] (w1_search_process_cb) from [<c05f9700>] (w1_process+0x6c/0x118)
[  128.016479] [<c05f9700>] (w1_process) from [<c01499a4>] (kthread+0x130/0x148)
[  128.024047] [<c01499a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
[  128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8)
[  128.037017] 5fa0:                                     00000000 00000000 00000000 00000000
[  128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[  128.061340] Code: bad PC value
[  128.064697] ---[ end trace af066e33c0e14119 ]---

Cc: <stable@vger.kernel.org>
Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/w1/masters/omap_hdq.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/w1/masters/omap_hdq.c
+++ b/drivers/w1/masters/omap_hdq.c
@@ -785,6 +785,8 @@ static int omap_hdq_remove(struct platfo
 	/* remove module dependency */
 	pm_runtime_disable(&pdev->dev);
 
+	w1_remove_master_device(&omap_w1_master);
+
 	return 0;
 }
 
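Review bot: w1_remove_master_device(&omap_w1_master) is called after pm_runtime_disable(&pdev->dev), so the bus master is still registered while the device is already being shut down. Unless there is a reason for this order, unregister the master first so that no bus activity can start once runtime PM is disabled, and say so in a comment either way.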



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 063/160] smb3: allow stats which track session and share reconnects to be reset
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 062/160] w1: omap-hdq: fix missing bus unregister at removal Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 064/160] smb3: do not attempt cifs operation in smb3 query info error path Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve French, Aurelien Aptel

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 upstream.

Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats
except the session and share reconnect counts.  Fix it to
reset those as well.

CC: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/cifs_debug.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -285,6 +285,9 @@ static ssize_t cifs_stats_proc_write(str
 		atomic_set(&totBufAllocCount, 0);
 		atomic_set(&totSmBufAllocCount, 0);
 #endif /* CONFIG_CIFS_STATS2 */
+		atomic_set(&tcpSesReconnectCount, 0);
+		atomic_set(&tconInfoReconnectCount, 0);
+
 		spin_lock(&GlobalMid_Lock);
 		GlobalMaxActiveXid = 0;
 		GlobalCurrentXid = 0;



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 064/160] smb3: do not attempt cifs operation in smb3 query info error path
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 063/160] smb3: allow stats which track session and share reconnects to be reset Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 065/160] smb3: on kerberos mount if server doesnt specify auth type use krb5 Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve French, Ronnie Sahlberg

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 1e77a8c204c9d1b655c61751b8ad0fde22421dbb upstream.

If backupuid mount option is sent, we can incorrectly retry
(on access denied on query info) with a cifs (FindFirst) operation
on an smb3 mount which causes the server to force the session close.

We set backup intent on open so no need for this fallback.

See kernel bugzilla 201435

Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/inode.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -756,7 +756,15 @@ cifs_get_inode_info(struct inode **inode
 	} else if (rc == -EREMOTE) {
 		cifs_create_dfs_fattr(&fattr, sb);
 		rc = 0;
-	} else if (rc == -EACCES && backup_cred(cifs_sb)) {
+	} else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
+		   (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
+		      == 0)) {
+			/*
+			 * For SMB2 and later the backup intent flag is already
+			 * sent if needed on open and there is no path based
+			 * FindFirst operation to use to retry with
+			 */
+
 			srchinf = kzalloc(sizeof(struct cifs_search_info),
 						GFP_KERNEL);
 			if (srchinf == NULL) {
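Review bot: the new condition selects the SMB1 fallback with strcmp(server->vals->version_string, SMB1_VERSION_STRING) == 0, which ties protocol dispatch to a version string compared at run time on an error path. A protocol identifier or a per-dialect operation would be sturdier. The comment placed inside the branch also describes SMB2 and later, the case that no longer reaches this code, so it would read better above the `else if`.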



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 065/160] smb3: on kerberos mount if server doesnt specify auth type use krb5
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 064/160] smb3: do not attempt cifs operation in smb3 query info error path Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 066/160] printk: Fix panic caused by passing log_buf_len to command line Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve French, Ronnie Sahlberg

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 926674de6705f0f1dbf29a62fd758d0977f535d6 upstream.

Some servers (e.g. Azure) do not include a spnego blob in the SMB3
negotiate protocol response, so on kerberos mounts ("sec=krb5")
we can fail, as we expected the server to list its supported
auth types (OIDs in the spnego blob in the negprot response).
Change this so that on krb5 mounts we default to trying krb5 if the
server doesn't list its supported protocol mechanisms.

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/cifs_spnego.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -143,8 +143,10 @@ cifs_get_spnego_key(struct cifs_ses *ses
 		sprintf(dp, ";sec=krb5");
 	else if (server->sec_mskerberos)
 		sprintf(dp, ";sec=mskrb5");
-	else
-		goto out;
+	else {
+		cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
+		sprintf(dp, ";sec=krb5");
+	}
 
 	dp = description + strlen(description);
 	sprintf(dp, ";uid=0x%x",
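Review bot: the new `else { ... }` arm is braced while the preceding `if` and `else if` arms are not, and it logs through cifs_dbg(VFS, ...) each time the key description is built for a server that lists no mechanisms. Brace all arms for consistency, and consider whether a message at this level on every call is wanted, since with this change a missing mechanism list becomes a normal path for sec=krb5 mounts rather than a failure.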



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 066/160] printk: Fix panic caused by passing log_buf_len to command line
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 065/160] smb3: on kerberos mount if server doesnt specify auth type use krb5 Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 067/160] genirq: Fix race on spurious interrupt detection Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, rostedt, He Zhe, Sergey Senozhatsky,
	Petr Mladek

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: He Zhe <zhe.he@windriver.com>

commit 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 upstream.

log_buf_len_setup does not check input argument before passing it to
simple_strtoull. The argument would be a NULL pointer if "log_buf_len",
without its value, is set in command line and thus causes the following
panic.

PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1
[    0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70
...
[    0.000000] Call Trace:
[    0.000000]  simple_strtoull+0x29/0x70
[    0.000000]  memparse+0x26/0x90
[    0.000000]  log_buf_len_setup+0x17/0x22
[    0.000000]  do_early_param+0x57/0x8e
[    0.000000]  parse_args+0x208/0x320
[    0.000000]  ? rdinit_setup+0x30/0x30
[    0.000000]  parse_early_options+0x29/0x2d
[    0.000000]  ? rdinit_setup+0x30/0x30
[    0.000000]  parse_early_param+0x36/0x4d
[    0.000000]  setup_arch+0x336/0x99e
[    0.000000]  start_kernel+0x6f/0x4ee
[    0.000000]  x86_64_start_reservations+0x24/0x26
[    0.000000]  x86_64_start_kernel+0x6f/0x72
[    0.000000]  secondary_startup_64+0xa4/0xb0

This patch adds a check to prevent the panic.

Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com
Cc: stable@vger.kernel.org
Cc: rostedt@goodmis.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: He Zhe <zhe.he@windriver.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/printk/printk.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -881,7 +881,12 @@ static void __init log_buf_len_update(un
 /* save requested log_buf_len since it's too early to process it */
 static int __init log_buf_len_setup(char *str)
 {
-	unsigned size = memparse(str, &str);
+	unsigned int size;
+
+	if (!str)
+		return -EINVAL;
+
+	size = memparse(str, &str);
 
 	log_buf_len_update(size);
 
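Review bot: size is declared `unsigned int` but is assigned the result of memparse(), which returns unsigned long long, so a log_buf_len value that does not fit in an unsigned int is silently truncated before log_buf_len_update(size) sees it. The NULL check is fine; while this declaration is being touched, either widen size or reject values that overflow it.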



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 067/160] genirq: Fix race on spurious interrupt detection
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 066/160] printk: Fix panic caused by passing log_buf_len to command line Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 068/160] NFSv4.1: Fix the r/wsize checking Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Thomas Gleixner,
	Mathias Duckeck, Akshay Bhat, Casey Fitzpatrick

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 746a923b863a1065ef77324e1e43f19b1a3eab5c upstream.

Commit 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of
threaded irqs") made detection of spurious interrupts work for threaded
handlers by:

a) incrementing a counter every time the thread returns IRQ_HANDLED, and
b) checking whether that counter has increased every time the thread is
   woken.

However for oneshot interrupts, the commit unmasks the interrupt before
incrementing the counter.  If another interrupt occurs right after
unmasking but before the counter is incremented, that interrupt is
incorrectly considered spurious:

time
 |  irq_thread()
 |    irq_thread_fn()
 |      action->thread_fn()
 |      irq_finalize_oneshot()
 |        unmask_threaded_irq()            /* interrupt is unmasked */
 |
 |                  /* interrupt fires, incorrectly deemed spurious */
 |
 |    atomic_inc(&desc->threads_handled); /* counter is incremented */
 v

This is observed with a hi3110 CAN controller receiving data at high volume
(from a separate machine sending with "cangen -g 0 -i -x"): The controller
signals a huge number of interrupts (hundreds of millions per day) and
every second there are about a dozen which are deemed spurious.

In theory with high CPU load and the presence of higher priority tasks, the
number of incorrectly detected spurious interrupts might increase beyond
the 99,900 threshold and cause disablement of the interrupt.

In practice it just increments the spurious interrupt count. But that can
cause people to waste time investigating it over and over.

Fix it by moving the accounting before the invocation of
irq_finalize_oneshot().

[ tglx: Folded change log update ]

Fixes: 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of threaded irqs")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Mathias Duckeck <m.duckeck@kunbus.de>
Cc: Akshay Bhat <akshay.bhat@timesys.com>
Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com>
Cc: stable@vger.kernel.org # v3.16+
Link: https://lkml.kernel.org/r/1dfd8bbd16163940648045495e3e9698e63b50ad.1539867047.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/irq/manage.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -864,6 +864,9 @@ irq_forced_thread_fn(struct irq_desc *de
 
 	local_bh_disable();
 	ret = action->thread_fn(action->irq, action->dev_id);
+	if (ret == IRQ_HANDLED)
+		atomic_inc(&desc->threads_handled);
+
 	irq_finalize_oneshot(desc, action);
 	local_bh_enable();
 	return ret;
@@ -880,6 +883,9 @@ static irqreturn_t irq_thread_fn(struct
 	irqreturn_t ret;
 
 	ret = action->thread_fn(action->irq, action->dev_id);
+	if (ret == IRQ_HANDLED)
+		atomic_inc(&desc->threads_handled);
+
 	irq_finalize_oneshot(desc, action);
 	return ret;
 }
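Review bot: the same accounting, `if (ret == IRQ_HANDLED)` followed by `atomic_inc(&desc->threads_handled);`, is now duplicated in irq_forced_thread_fn() and irq_thread_fn(), and neither copy says that it must stay ahead of irq_finalize_oneshot(). A short comment at each site, or one small helper carrying the comment, stating that the counter has to be incremented before the interrupt is unmasked would protect the ordering the fix depends on.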
@@ -957,8 +963,6 @@ static int irq_thread(void *data)
 		irq_thread_check_affinity(desc, action);
 
 		action_ret = handler_fn(desc, action);
-		if (action_ret == IRQ_HANDLED)
-			atomic_inc(&desc->threads_handled);
 		if (action_ret == IRQ_WAKE_THREAD)
 			irq_wake_secondary(desc, action);
 



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 068/160] NFSv4.1: Fix the r/wsize checking
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 067/160] genirq: Fix race on spurious interrupt detection Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 069/160] nfsd: Fix an Oops in free_session() Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 943cff67b842839f4f35364ba2db5c2d3f025d94 upstream.

The intention of nfs4_session_set_rwsize() was to cap the r/wsize to the
buffer sizes negotiated by the CREATE_SESSION. The initial code had a
bug whereby we would not check the values negotiated by nfs_probe_fsinfo()
(the assumption being that CREATE_SESSION will always negotiate buffer values
that are sane w.r.t. the server's preferred r/wsizes) but would only check
values set by the user in the 'mount' command.

The code was changed in 4.11 to _always_ set the r/wsize, meaning that we
now never use the server preferred r/wsizes. This is the regression that
this patch fixes.
Also rename the function to nfs4_session_limit_rwsize() in order to avoid
future confusion.

Fixes: 033853325fe3 ("NFSv4.1 respect server's max size in CREATE_SESSION")
Cc: stable@vger.kernel.org # v4.11+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4client.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -879,10 +879,10 @@ EXPORT_SYMBOL_GPL(nfs4_set_ds_client);
 
 /*
  * Session has been established, and the client marked ready.
- * Set the mount rsize and wsize with negotiated fore channel
- * attributes which will be bound checked in nfs_server_set_fsinfo.
+ * Limit the mount rsize, wsize and dtsize using negotiated fore
+ * channel attributes.
  */
-static void nfs4_session_set_rwsize(struct nfs_server *server)
+static void nfs4_session_limit_rwsize(struct nfs_server *server)
 {
 #ifdef CONFIG_NFS_V4_1
 	struct nfs4_session *sess;
@@ -895,9 +895,11 @@ static void nfs4_session_set_rwsize(stru
 	server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead;
 	server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead;
 
-	if (!server->rsize || server->rsize > server_resp_sz)
+	if (server->dtsize > server_resp_sz)
+		server->dtsize = server_resp_sz;
+	if (server->rsize > server_resp_sz)
 		server->rsize = server_resp_sz;
-	if (!server->wsize || server->wsize > server_rqst_sz)
+	if (server->wsize > server_rqst_sz)
 		server->wsize = server_rqst_sz;
 #endif /* CONFIG_NFS_V4_1 */
 }
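Review bot: with the '!server->rsize ||' and '!server->wsize ||' tests removed, a zero rsize or wsize now passes through this function unchanged, so it is only correct once nfs_probe_fsinfo() has filled the sizes in. The rewritten comment above the function should state that ordering requirement, since the call site is moved after nfs_probe_fsinfo() for that reason. Also worth a look: server_resp_sz and server_rqst_sz are computed by subtracting an overhead from the negotiated sizes, with no visible check that the negotiated value is larger than the overhead.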
@@ -944,12 +946,12 @@ static int nfs4_server_common_setup(stru
 			(unsigned long long) server->fsid.minor);
 	nfs_display_fhandle(mntfh, "Pseudo-fs root FH");
 
-	nfs4_session_set_rwsize(server);
-
 	error = nfs_probe_fsinfo(server, mntfh, fattr);
 	if (error < 0)
 		goto out;
 
+	nfs4_session_limit_rwsize(server);
+
 	if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
 		server->namelen = NFS4_MAXNAMLEN;
 




* [PATCH 4.4 069/160] nfsd: Fix an Oops in free_session()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 068/160] NFSv4.1: Fix the r/wsize checking Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 070/160] lockd: fix access beyond unterminated strings in prints Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust, J. Bruce Fields

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trondmy@gmail.com>

commit bb6ad5572c0022e17e846b382d7413cdcf8055be upstream.

In call_xpt_users(), we delete the entry from the list, but we
do not reinitialise it. This triggers the list poisoning when
we later call unregister_xpt_user() in nfsd4_del_conns().

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/svc_xprt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -945,7 +945,7 @@ static void call_xpt_users(struct svc_xp
 	spin_lock(&xprt->xpt_lock);
 	while (!list_empty(&xprt->xpt_users)) {
 		u = list_first_entry(&xprt->xpt_users, struct svc_xpt_user, list);
-		list_del(&u->list);
+		list_del_init(&u->list);
 		u->callback(u);
 	}
 	spin_unlock(&xprt->xpt_lock);
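Review bot: u->callback(u) still runs with xpt_lock held and after the entry has been unlinked, so list_del_init() is what makes a later unregister on the same entry harmless. A short comment at the list_del_init() call saying that unregister_xpt_user() may still be called on this entry would document why plain list_del() is wrong here.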




* [PATCH 4.4 070/160] lockd: fix access beyond unterminated strings in prints
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 069/160] nfsd: Fix an Oops in free_session() Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 071/160] dm ioctl: harden copy_params()s copy_from_user() from malicious users Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Amir Goldstein, J. Bruce Fields

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee upstream.

printk format used %*s instead of %.*s, so hostname_len does not limit
the number of bytes accessed from hostname.

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/lockd/host.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/lockd/host.c
+++ b/fs/lockd/host.c
@@ -340,7 +340,7 @@ struct nlm_host *nlmsvc_lookup_host(cons
 	};
 	struct lockd_net *ln = net_generic(net, lockd_net_id);
 
-	dprintk("lockd: %s(host='%*s', vers=%u, proto=%s)\n", __func__,
+	dprintk("lockd: %s(host='%.*s', vers=%u, proto=%s)\n", __func__,
 			(int)hostname_len, hostname, rqstp->rq_vers,
 			(rqstp->rq_prot == IPPROTO_UDP ? "udp" : "tcp"));
 
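Review bot: the precision argument is still '(int)hostname_len', so the bound that '%.*s' now enforces is only as good as that cast; if hostname_len is wider than int, a large value can turn negative. Worth confirming that callers bound hostname_len, and worth checking the other dprintk() calls in fs/lockd for the same '%*s' paired with a length argument.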




* [PATCH 4.4 071/160] dm ioctl: harden copy_params()s copy_from_user() from malicious users
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 070/160] lockd: fix access beyond unterminated strings in prints Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 072/160] powerpc/msi: Fix compile error on mpc83xx Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Mike Snitzer

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

commit 800a7340ab7dd667edf95e74d8e4f23a17e87076 upstream.

In copy_params(), the struct 'dm_ioctl' is first copied from the user
space buffer 'user' to 'param_kernel' and the field 'data_size' is
checked against 'minimum_data_size' (size of 'struct dm_ioctl' payload
up to its 'data' member).  If the check fails, an error code EINVAL will be
returned.  Otherwise, param_kernel->data_size is used to do a second copy,
which copies from the same user-space buffer to 'dmi'.  After the second
copy, only 'dmi->data_size' is checked against 'param_kernel->data_size'.
Given that the buffer 'user' resides in the user space, a malicious
user-space process can race to change the content in the buffer between
the two copies.  This way, the attacker can inject inconsistent data
into 'dmi' (versus previously validated 'param_kernel').

Fix redundant copying of 'minimum_data_size' from user-space buffer by
using the first copy stored in 'param_kernel'.  Also remove the
'data_size' check after the second copy because it is now unnecessary.

Cc: stable@vger.kernel.org
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-ioctl.c |   18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1685,8 +1685,7 @@ static void free_params(struct dm_ioctl
 }
 
 static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel,
-		       int ioctl_flags,
-		       struct dm_ioctl **param, int *param_flags)
+		       int ioctl_flags, struct dm_ioctl **param, int *param_flags)
 {
 	struct dm_ioctl *dmi;
 	int secure_data;
@@ -1734,18 +1733,13 @@ static int copy_params(struct dm_ioctl _
 		return -ENOMEM;
 	}
 
-	if (copy_from_user(dmi, user, param_kernel->data_size))
-		goto bad;
+	/* Copy from param_kernel (which was already copied from user) */
+	memcpy(dmi, param_kernel, minimum_data_size);
 
-data_copied:
-	/*
-	 * Abort if something changed the ioctl data while it was being copied.
-	 */
-	if (dmi->data_size != param_kernel->data_size) {
-		DMERR("rejecting ioctl: data size modified while processing parameters");
+	if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
+			   param_kernel->data_size - minimum_data_size))
 		goto bad;
-	}
-
+data_copied:
 	/* Wipe the user buffer so we do not return it to userspace */
 	if (secure_data && clear_user(user, param_kernel->data_size))
 		goto bad;
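Review bot: the length of the second copy_from_user(), 'param_kernel->data_size - minimum_data_size', is safe only because data_size was checked against minimum_data_size earlier in the function, outside this hunk; a comment next to the subtraction pointing at that check would make the dependency explicit. The 'data_copied:' label also moves below both copies, so any path that jumps to it now skips the memcpy() from param_kernel as well; please confirm that every such path has already set up dmi.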



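The double fetch described in the commit message above, modelled in user space as an added example (not code from the patch or from the kernel). struct ioctl_hdr, fetch_user() and concurrent_writer() are hypothetical stand-ins, and the racing write is made deterministic by running it just before the second fetch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for struct dm_ioctl. */
struct ioctl_hdr {
	uint32_t version;
	uint32_t data_size;	/* header + payload, supplied by the caller */
	uint32_t flags;
	char data[8];		/* payload starts here */
};

#define MIN_DATA_SIZE offsetof(struct ioctl_hdr, data)
#define MAX_DATA_SIZE sizeof(struct ioctl_hdr)

/* Constructed "user space" buffer and a count of fetches made from it. */
static struct ioctl_hdr user_buf;
static int fetches;

/* Models a second thread rewriting the header between the two fetches. */
static void concurrent_writer(void)
{
	if (fetches == 1)
		user_buf.flags = 0xdeadbeef;
}

/* Stand-in for copy_from_user(): the writer may run before any fetch. */
static int fetch_user(void *dst, const void *src, size_t n)
{
	concurrent_writer();
	fetches++;
	memcpy(dst, src, n);
	return 0;
}

/* First fetch and validation, shared by both variants. */
static struct ioctl_hdr *fetch_header(struct ioctl_hdr *param_kernel)
{
	if (fetch_user(param_kernel, &user_buf, MIN_DATA_SIZE))
		return NULL;
	if (param_kernel->data_size < MIN_DATA_SIZE ||
	    param_kernel->data_size > MAX_DATA_SIZE)
		return NULL;
	if (param_kernel->flags != 0)	/* hypothetical header validation */
		return NULL;
	return calloc(1, sizeof(struct ioctl_hdr));
}

/* Before the fix: the validated header is fetched a second time. */
static struct ioctl_hdr *copy_params_double_fetch(struct ioctl_hdr *param_kernel)
{
	struct ioctl_hdr *dmi = fetch_header(param_kernel);

	if (!dmi)
		return NULL;
	fetch_user(dmi, &user_buf, param_kernel->data_size);
	/* Only data_size is re-checked; every other header field is trusted. */
	if (dmi->data_size != param_kernel->data_size) {
		free(dmi);
		return NULL;
	}
	return dmi;
}

/* After the fix: header from the kernel copy, only the payload is fetched. */
static struct ioctl_hdr *copy_params_single_fetch(struct ioctl_hdr *param_kernel)
{
	struct ioctl_hdr *dmi = fetch_header(param_kernel);

	if (!dmi)
		return NULL;
	memcpy(dmi, param_kernel, MIN_DATA_SIZE);
	fetch_user(dmi->data, (const char *)&user_buf + MIN_DATA_SIZE,
		   param_kernel->data_size - MIN_DATA_SIZE);
	return dmi;
}

/* 1: working copy matches the validated header, 0: it does not, -1: rejected. */
static int header_stays_validated(int single_fetch)
{
	struct ioctl_hdr param_kernel = {0}, *dmi;
	int same;

	memset(&user_buf, 0, sizeof(user_buf));
	user_buf.version = 4;
	user_buf.data_size = MIN_DATA_SIZE + 4;
	memcpy(user_buf.data, "abcd", 4);	/* constructed payload */
	fetches = 0;

	dmi = single_fetch ? copy_params_single_fetch(&param_kernel)
			   : copy_params_double_fetch(&param_kernel);
	if (!dmi)
		return -1;
	same = memcmp(dmi, &param_kernel, MIN_DATA_SIZE) == 0 &&
	       memcmp(dmi->data, "abcd", 4) == 0;
	free(dmi);
	return same;
}

int main(void)
{
	printf("double fetch keeps validated header: %d\n", header_stays_validated(0));
	printf("single fetch keeps validated header: %d\n", header_stays_validated(1));
	return 0;
}
```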

* [PATCH 4.4 072/160] powerpc/msi: Fix compile error on mpc83xx
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 071/160] dm ioctl: harden copy_params()s copy_from_user() from malicious users Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 073/160] MIPS: OCTEON: fix out of bounds array access on CN68XX Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia Hongtao, Scott Wood, Radu Rendec,
	Christophe Leroy, Michael Ellerman

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 0f99153def98134403c9149128e59d3e1786cf04 upstream.

mpic_get_primary_version() is not defined when not using MPIC.
The compile error log looks like:

arch/powerpc/sysdev/built-in.o: In function `fsl_of_msi_probe':
fsl_msi.c:(.text+0x150c): undefined reference to `fsl_mpic_primary_get_version'

Signed-off-by: Jia Hongtao <hongtao.jia@freescale.com>
Signed-off-by: Scott Wood <scottwood@freescale.com>
Reported-by: Radu Rendec <radu.rendec@gmail.com>
Fixes: 807d38b73b6 ("powerpc/mpic: Add get_version API both for internal and external use")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/include/asm/mpic.h |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/powerpc/include/asm/mpic.h
+++ b/arch/powerpc/include/asm/mpic.h
@@ -392,7 +392,14 @@ extern struct bus_type mpic_subsys;
 #define	MPIC_REGSET_TSI108		MPIC_REGSET(1)	/* Tsi108/109 PIC */
 
 /* Get the version of primary MPIC */
+#ifdef CONFIG_MPIC
 extern u32 fsl_mpic_primary_get_version(void);
+#else
+static inline u32 fsl_mpic_primary_get_version(void)
+{
+	return 0;
+}
+#endif
 
 /* Allocate the controller structure and setup the linux irq descs
  * for the range if interrupts passed in. No HW initialization is
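Review bot: the !CONFIG_MPIC stub returns 0, which callers cannot tell apart from a version value read from hardware. The comment above the declaration ("Get the version of primary MPIC") should say that 0 means no MPIC is built in, so that fsl_of_msi_probe() and any other caller handles that case deliberately.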




* [PATCH 4.4 073/160] MIPS: OCTEON: fix out of bounds array access on CN68XX
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 072/160] powerpc/msi: Fix compile error on mpc83xx Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 074/160] TC: Set DMA masks for devices Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Paul Burton,
	Ralf Baechle, linux-mips

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit c0fae7e2452b90c31edd2d25eb3baf0c76b400ca upstream.

The maximum number of interfaces is returned by
cvmx_helper_get_number_of_interfaces(), and the value is used to access
interface_port_count[]. When CN68XX support was added, we forgot
to increase the array size. Fix that.

Fixes: 2c8c3f0201333 ("MIPS: Octeon: Support additional interfaces on CN68XX")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/20949/
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # v4.3+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/cavium-octeon/executive/cvmx-helper.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
+++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
@@ -67,7 +67,7 @@ void (*cvmx_override_pko_queue_priority)
 void (*cvmx_override_ipd_port_setup) (int ipd_port);
 
 /* Port count per interface */
-static int interface_port_count[5];
+static int interface_port_count[9];
 
 /* Port last configured link info index by IPD/PKO port */
 static cvmx_helper_link_info_t
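Review bot: the array size goes from one bare literal (5) to another (9), which is how it fell out of step with cvmx_helper_get_number_of_interfaces() in the first place. A named constant shared with that function, or a bounds check where interface_port_count[] is indexed, would stop the next SoC addition from reintroducing the out-of-bounds access.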




* [PATCH 4.4 074/160] TC: Set DMA masks for devices
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 073/160] MIPS: OCTEON: fix out of bounds array access on CN68XX Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 075/160] kgdboc: Passing ekgdboc to command line causes panic Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Paul Burton, Ralf Baechle

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@linux-mips.org>

commit 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b upstream.

Fix a TURBOchannel support regression with commit 205e1b7f51e4
("dma-mapping: warn when there is no coherent_dma_mask") that caused
coherent DMA allocations to produce a warning such as:

defxx: v1.11 2014/07/01  Lawrence V. Stefani and others
tc1: DEFTA at MMIO addr = 0x1e900000, IRQ = 20, Hardware addr = 08-00-2b-a3-a3-29
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 dfx_dev_register+0x670/0x678
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 4.19.0-rc6 #2
Call Trace:
[<ffffffff8004dc78>] show_stack+0xa0/0x130
[<ffffffff80067940>] __warn+0x128/0x170
---[ end trace b1d1e094f67f3bb2 ]---

This is because the TURBOchannel bus driver fails to set the coherent
DMA mask for devices enumerated.

Set the regular and coherent DMA masks for TURBOchannel devices then,
observing that the bus protocol supports a 34-bit (16GiB) DMA address
space, by interpreting the value presented in the address cycle across
the 32 `ad' lines as a 32-bit word rather than byte address[1].  The
architectural size of the TURBOchannel DMA address space exceeds the
maximum amount of RAM any actual TURBOchannel system in existence may
have, hence both masks are the same.

This removes the warning shown above.

References:

[1] "TURBOchannel Hardware Specification", EK-369AA-OD-007B, Digital
    Equipment Corporation, January 1993, Section "DMA", pp. 1-15 -- 1-17

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/20835/
Fixes: 205e1b7f51e4 ("dma-mapping: warn when there is no coherent_dma_mask")
Cc: stable@vger.kernel.org # 4.16+
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tc/tc.c    |    8 +++++++-
 include/linux/tc.h |    1 +
 2 files changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/tc/tc.c
+++ b/drivers/tc/tc.c
@@ -2,7 +2,7 @@
  *	TURBOchannel bus services.
  *
  *	Copyright (c) Harald Koerfgen, 1998
- *	Copyright (c) 2001, 2003, 2005, 2006  Maciej W. Rozycki
+ *	Copyright (c) 2001, 2003, 2005, 2006, 2018  Maciej W. Rozycki
  *	Copyright (c) 2005  James Simmons
  *
  *	This file is subject to the terms and conditions of the GNU
@@ -10,6 +10,7 @@
  *	directory of this archive for more details.
  */
 #include <linux/compiler.h>
+#include <linux/dma-mapping.h>
 #include <linux/errno.h>
 #include <linux/init.h>
 #include <linux/ioport.h>
@@ -92,6 +93,11 @@ static void __init tc_bus_add_devices(st
 		tdev->dev.bus = &tc_bus_type;
 		tdev->slot = slot;
 
+		/* TURBOchannel has 34-bit DMA addressing (16GiB space). */
+		tdev->dma_mask = DMA_BIT_MASK(34);
+		tdev->dev.dma_mask = &tdev->dma_mask;
+		tdev->dev.coherent_dma_mask = DMA_BIT_MASK(34);
+
 		for (i = 0; i < 8; i++) {
 			tdev->firmware[i] =
 				readb(module + offset + TC_FIRM_VER + 4 * i);
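Review bot: DMA_BIT_MASK(34) is written out twice, once for tdev->dma_mask and once for tdev->dev.coherent_dma_mask; assigning the coherent mask from tdev->dma_mask would keep the two from drifting apart. The comment could also say that the 34 bits come from the bus treating the address as a 32-bit word address, as the commit message explains, because the bare number is not obvious from the code.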
--- a/include/linux/tc.h
+++ b/include/linux/tc.h
@@ -84,6 +84,7 @@ struct tc_dev {
 					   device. */
 	struct device	dev;		/* Generic device interface. */
 	struct resource	resource;	/* Address space of this device. */
+	u64		dma_mask;	/* DMA addressable range. */
 	char		vendor[9];
 	char		name[9];
 	char		firmware[9];




* [PATCH 4.4 075/160] kgdboc: Passing ekgdboc to command line causes panic
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 074/160] TC: Set DMA masks for devices Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 076/160] xen: fix xen_qlock_wait() Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, jason.wessel, jslaby, He Zhe,
	Daniel Thompson

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: He Zhe <zhe.he@windriver.com>

commit 1bd54d851f50dea6af30c3e6ff4f3e9aab5558f9 upstream.

kgdboc_option_setup does not check input argument before passing it
to strlen. The argument would be a NULL pointer if "ekgdboc", without
its value, is set in the command line and thus causes the following panic.

PANIC: early exception 0xe3 IP 10:ffffffff8fbbb620 error 0 cr2 0x0
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.18-rc8+ #1
[    0.000000] RIP: 0010:strlen+0x0/0x20
...
[    0.000000] Call Trace
[    0.000000]  ? kgdboc_option_setup+0x9/0xa0
[    0.000000]  ? kgdboc_early_init+0x6/0x1b
[    0.000000]  ? do_early_param+0x4d/0x82
[    0.000000]  ? parse_args+0x212/0x330
[    0.000000]  ? rdinit_setup+0x26/0x26
[    0.000000]  ? parse_early_options+0x20/0x23
[    0.000000]  ? rdinit_setup+0x26/0x26
[    0.000000]  ? parse_early_param+0x2d/0x39
[    0.000000]  ? setup_arch+0x2f7/0xbf4
[    0.000000]  ? start_kernel+0x5e/0x4c2
[    0.000000]  ? load_ucode_bsp+0x113/0x12f
[    0.000000]  ? secondary_startup_64+0xa5/0xb0

This patch adds a check to prevent the panic.

Cc: stable@vger.kernel.org
Cc: jason.wessel@windriver.com
Cc: gregkh@linuxfoundation.org
Cc: jslaby@suse.com
Signed-off-by: He Zhe <zhe.he@windriver.com>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/kgdboc.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/tty/serial/kgdboc.c
+++ b/drivers/tty/serial/kgdboc.c
@@ -133,6 +133,11 @@ static void kgdboc_unregister_kbd(void)
 
 static int kgdboc_option_setup(char *opt)
 {
+	if (!opt) {
+		pr_err("kgdboc: config string not provided\n");
+		return -EINVAL;
+	}
+
 	if (strlen(opt) >= MAX_CONFIG_LEN) {
 		printk(KERN_ERR "kgdboc: config string too long\n");
 		return -ENOSPC;
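Review bot: the new NULL branch logs with pr_err() while the length check directly below it uses printk(KERN_ERR ...), both with a hand-written "kgdboc: " prefix. Pick one form for the function; the check itself is in the right place, ahead of the strlen(opt) it protects.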




* [PATCH 4.4 076/160] xen: fix xen_qlock_wait()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 075/160] kgdboc: Passing ekgdboc to command line causes panic Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 077/160] media: em28xx: use a default format if TRY_FMT fails Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sander Eikelenboom, Juergen Gross,
	Boris Ostrovsky

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit d3132b3860f6cf35ff7609a76bbcdbb814bd027c upstream.

Commit a856531951dc80 ("xen: make xen_qlock_wait() nestable")
introduced a regression for Xen guests running fully virtualized
(HVM or PVH mode). The Xen hypervisor wouldn't return from the poll
hypercall with interrupts disabled in case of an interrupt (for PV
guests it does).

So instead of disabling interrupts in xen_qlock_wait() use a nesting
counter to avoid calling xen_clear_irq_pending() in case
xen_qlock_wait() is nested.

Fixes: a856531951dc80 ("xen: make xen_qlock_wait() nestable")
Cc: stable@vger.kernel.org
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Tested-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/xen/spinlock.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/arch/x86/xen/spinlock.c
+++ b/arch/x86/xen/spinlock.c
@@ -8,6 +8,7 @@
 #include <linux/log2.h>
 #include <linux/gfp.h>
 #include <linux/slab.h>
+#include <linux/atomic.h>
 
 #include <asm/paravirt.h>
 
@@ -19,6 +20,7 @@
 
 static DEFINE_PER_CPU(int, lock_kicker_irq) = -1;
 static DEFINE_PER_CPU(char *, irq_name);
+static DEFINE_PER_CPU(atomic_t, xen_qlock_wait_nest);
 static bool xen_pvspin = true;
 
 #ifdef CONFIG_QUEUED_SPINLOCKS
@@ -41,25 +43,25 @@ static void xen_qlock_kick(int cpu)
  */
 static void xen_qlock_wait(u8 *byte, u8 val)
 {
-	unsigned long flags;
 	int irq = __this_cpu_read(lock_kicker_irq);
+	atomic_t *nest_cnt = this_cpu_ptr(&xen_qlock_wait_nest);
 
 	/* If kicker interrupts not initialized yet, just spin */
 	if (irq == -1 || in_nmi())
 		return;
 
-	/* Guard against reentry. */
-	local_irq_save(flags);
+	/* Detect reentry. */
+	atomic_inc(nest_cnt);
 
-	/* If irq pending already clear it. */
-	if (xen_test_irq_pending(irq)) {
+	/* If irq pending already and no nested call clear it. */
+	if (atomic_read(nest_cnt) == 1 && xen_test_irq_pending(irq)) {
 		xen_clear_irq_pending(irq);
 	} else if (READ_ONCE(*byte) == val) {
 		/* Block until irq becomes pending (or a spurious wakeup) */
 		xen_poll_irq(irq);
 	}
 
-	local_irq_restore(flags);
+	atomic_dec(nest_cnt);
 }
 
 #else /* CONFIG_QUEUED_SPINLOCKS */
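Review bot: atomic_inc(nest_cnt) followed by a separate atomic_read(nest_cnt) == 1 is two steps where atomic_inc_return(nest_cnt) == 1 would express the same test in one. The comment "Detect reentry." should also say what happens on a nested call: the pending irq is left uncleared and the code falls through to the READ_ONCE(*byte) == val test, which can end in xen_poll_irq().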




* [PATCH 4.4 077/160] media: em28xx: use a default format if TRY_FMT fails
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 076/160] xen: fix xen_qlock_wait() Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 078/160] media: em28xx: fix input name for Terratec AV 350 Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

commit f823ce2a1202d47110a7ef86b65839f0be8adc38 upstream.

Follow the V4L2 spec, as warned by v4l2-compliance:

	warn: v4l2-test-formats.cpp(732): TRY_FMT cannot handle an invalid pixelformat.
	warn: v4l2-test-formats.cpp(733): This may or may not be a problem. For more information see:
	warn: v4l2-test-formats.cpp(734): http://www.mail-archive.com/linux-media@vger.kernel.org/msg56550.html

Cc: stable@vger.kernel.org
Fixes: bddcf63313c6 ("V4L/DVB (9927): em28xx: use a more standard way to specify video formats")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/em28xx/em28xx-video.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -1288,9 +1288,9 @@ static int vidioc_try_fmt_vid_cap(struct
 
 	fmt = format_by_fourcc(f->fmt.pix.pixelformat);
 	if (!fmt) {
-		em28xx_videodbg("Fourcc format (%08x) invalid.\n",
-				f->fmt.pix.pixelformat);
-		return -EINVAL;
+		fmt = &format[0];
+		em28xx_videodbg("Fourcc format (%08x) invalid. Using default (%08x).\n",
+				f->fmt.pix.pixelformat, fmt->fourcc);
 	}
 
 	if (dev->board.is_em2800) {
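Review bot: after the fallback to &format[0], the debug message is the only place in this hunk where the substitution shows up; TRY_FMT has to hand the chosen format back, so please confirm that f->fmt.pix.pixelformat is set from fmt->fourcc further down in vidioc_try_fmt_vid_cap(). The fallback also assumes that format[] has at least one entry and that entry 0 is a sensible default, which deserves a comment at the array definition.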




* [PATCH 4.4 078/160] media: em28xx: fix input name for Terratec AV 350
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 077/160] media: em28xx: use a default format if TRY_FMT fails Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 079/160] media: em28xx: make v4l2-compliance happier by starting sequence on zero Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

commit 15644bfa195bd166d0a5ed76ae2d587f719c3dac upstream.

Instead of using a register value, use an AMUX name, as otherwise
VIDIOC_G_AUDIO would fail.

Cc: stable@vger.kernel.org
Fixes: 766ed64de554 ("V4L/DVB (11827): Add support for Terratec Grabster AV350")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/em28xx/em28xx-cards.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/em28xx/em28xx-cards.c
+++ b/drivers/media/usb/em28xx/em28xx-cards.c
@@ -2021,13 +2021,13 @@ struct em28xx_board em28xx_boards[] = {
 		.input           = { {
 			.type     = EM28XX_VMUX_COMPOSITE1,
 			.vmux     = TVP5150_COMPOSITE1,
-			.amux     = EM28XX_AUDIO_SRC_LINE,
+			.amux     = EM28XX_AMUX_LINE_IN,
 			.gpio     = terratec_av350_unmute_gpio,
 
 		}, {
 			.type     = EM28XX_VMUX_SVIDEO,
 			.vmux     = TVP5150_SVIDEO,
-			.amux     = EM28XX_AUDIO_SRC_LINE,
+			.amux     = EM28XX_AMUX_LINE_IN,
 			.gpio     = terratec_av350_unmute_gpio,
 		} },
 	},




* [PATCH 4.4 079/160] media: em28xx: make v4l2-compliance happier by starting sequence on zero
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 078/160] media: em28xx: fix input name for Terratec AV 350 Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 080/160] ext4: avoid running out of journal credits when appending to an inline file Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

commit afeaade90db4c5dab93f326d9582be1d5954a198 upstream.

The v4l2-compliance tool complains if a video doesn't start
with a zero sequence number.

While this shouldn't cause any real problem for apps, let's
make it happier, in order to better check the v4l2-compliance
differences before and after patchsets.

This is actually an old issue. It is there since at least its
videobuf2 conversion, e. g. changeset 3829fadc461 ("[media]
em28xx: convert to videobuf2"), if VB1 wouldn't suffer from
the same issue.

Cc: stable@vger.kernel.org
Fixes: d3829fadc461 ("[media] em28xx: convert to videobuf2")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/em28xx/em28xx-video.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -1149,6 +1149,8 @@ static void em28xx_ctrl_notify(struct v4
 {
 	struct em28xx *dev = priv;
 
+	dev->v4l2->field_count = 0;
+
 	/*
 	 * In the case of non-AC97 volume controls, we still need
 	 * to do some setups at em28xx, in order to mute/unmute
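Review bot: the hunk header and the context lines place "dev->v4l2->field_count = 0;" in em28xx_ctrl_notify(), directly above the comment about non-AC97 volume controls, so the counter would be reset on every control change rather than when a capture starts. The commit message is about a video starting at sequence zero, so this looks like the backport landed in the wrong function; please check the placement against the upstream commit before this goes out.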




* [PATCH 4.4 080/160] ext4: avoid running out of journal credits when appending to an inline file
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 079/160] media: em28xx: make v4l2-compliance happier by starting sequence on zero Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 081/160] Cramfs: fix abad comparison when wrap-arounds occur Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Theodore Tso, stable, Chenbo Feng

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream.

Use a separate journal transaction if it turns out that we need to
convert an inline file to use a data block.  Otherwise we could end
up failing due to not having journal credits.

This addresses CVE-2018-10883.

https://bugzilla.kernel.org/show_bug.cgi?id=200071

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[fengc@google.com: 4.4 backport: adjust context]
Signed-off-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/ext4.h   |    3 ---
 fs/ext4/inline.c |   38 +-------------------------------------
 fs/ext4/xattr.c  |   18 ++----------------
 3 files changed, 3 insertions(+), 56 deletions(-)

--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3039,9 +3039,6 @@ extern struct buffer_head *ext4_get_firs
 extern int ext4_inline_data_fiemap(struct inode *inode,
 				   struct fiemap_extent_info *fieinfo,
 				   int *has_inline, __u64 start, __u64 len);
-extern int ext4_try_to_evict_inline_data(handle_t *handle,
-					 struct inode *inode,
-					 int needed);
 extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline);
 
 extern int ext4_convert_inline_data(struct inode *inode);
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -888,11 +888,11 @@ retry_journal:
 	flags |= AOP_FLAG_NOFS;
 
 	if (ret == -ENOSPC) {
+		ext4_journal_stop(handle);
 		ret = ext4_da_convert_inline_data_to_extent(mapping,
 							    inode,
 							    flags,
 							    fsdata);
-		ext4_journal_stop(handle);
 		if (ret == -ENOSPC &&
 		    ext4_should_retry_alloc(inode->i_sb, &retries))
 			goto retry_journal;
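Review bot: in the -ENOSPC branch, ext4_journal_stop(handle) now runs before
ext4_da_convert_inline_data_to_extent(), but nothing in the code says the
ordering is deliberate. A one-line comment that the conversion has to run in
its own transaction (the point of the commit message) would keep a later
cleanup from moving the stop back below the call. The return value of
ext4_journal_stop() is still dropped here, so an error from closing the
handle is lost before the conversion starts.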
@@ -1867,42 +1867,6 @@ out:
 	return (error < 0 ? error : 0);
 }
 
-/*
- * Called during xattr set, and if we can sparse space 'needed',
- * just create the extent tree evict the data to the outer block.
- *
- * We use jbd2 instead of page cache to move data to the 1st block
- * so that the whole transaction can be committed as a whole and
- * the data isn't lost because of the delayed page cache write.
- */
-int ext4_try_to_evict_inline_data(handle_t *handle,
-				  struct inode *inode,
-				  int needed)
-{
-	int error;
-	struct ext4_xattr_entry *entry;
-	struct ext4_inode *raw_inode;
-	struct ext4_iloc iloc;
-
-	error = ext4_get_inode_loc(inode, &iloc);
-	if (error)
-		return error;
-
-	raw_inode = ext4_raw_inode(&iloc);
-	entry = (struct ext4_xattr_entry *)((void *)raw_inode +
-					    EXT4_I(inode)->i_inline_off);
-	if (EXT4_XATTR_LEN(entry->e_name_len) +
-	    EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
-		error = -ENOSPC;
-		goto out;
-	}
-
-	error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
-out:
-	brelse(iloc.bh);
-	return error;
-}
-
 void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
 {
 	handle_t *handle;
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1044,22 +1044,8 @@ int ext4_xattr_ibody_inline_set(handle_t
 	if (EXT4_I(inode)->i_extra_isize == 0)
 		return -ENOSPC;
 	error = ext4_xattr_set_entry(i, s, inode);
-	if (error) {
-		if (error == -ENOSPC &&
-		    ext4_has_inline_data(inode)) {
-			error = ext4_try_to_evict_inline_data(handle, inode,
-					EXT4_XATTR_LEN(strlen(i->name) +
-					EXT4_XATTR_SIZE(i->value_len)));
-			if (error)
-				return error;
-			error = ext4_xattr_ibody_find(inode, i, is);
-			if (error)
-				return error;
-			error = ext4_xattr_set_entry(i, s, inode);
-		}
-		if (error)
-			return error;
-	}
+	if (error)
+		return error;
 	header = IHDR(inode, ext4_raw_inode(&is->iloc));
 	if (!IS_LAST_ENTRY(s->first)) {
 		header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);
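Review bot: in ext4_xattr_ibody_inline_set(), the removed block was the only
code visible here that reacted to -ENOSPC from ext4_xattr_set_entry() on an
inode with inline data, so that error now goes straight back to the caller.
The commit message only talks about appending to an inline file; it should
also state that setting an in-inode xattr no longer evicts inline data to
make room, and which caller is expected to handle the -ENOSPC instead. Also
worth checking whether the handle argument is still used in this function
now that the ext4_try_to_evict_inline_data() call is gone.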



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 081/160] Cramfs: fix abad comparison when wrap-arounds occur
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anatoly Trosinenko, Nicolas Pitre

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Pitre <nicolas.pitre@linaro.org>

commit 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 upstream.

It is possible for corrupted filesystem images to produce very large
block offsets that may wrap when a length is added, and wrongly pass
the buffer size test.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cramfs/inode.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/cramfs/inode.c
+++ b/fs/cramfs/inode.c
@@ -185,7 +185,8 @@ static void *cramfs_read(struct super_bl
 			continue;
 		blk_offset = (blocknr - buffer_blocknr[i]) << PAGE_CACHE_SHIFT;
 		blk_offset += offset;
-		if (blk_offset + len > BUFFER_SIZE)
+		if (blk_offset > BUFFER_SIZE ||
+		    blk_offset + len > BUFFER_SIZE)
 			continue;
 		return read_buffers[i] + blk_offset;
 	}
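Review bot: the second operand of the new condition still evaluates
blk_offset + len, so the sum can wrap whenever len is large enough, even
with blk_offset <= BUFFER_SIZE. The types and the range of len are not
visible in this hunk; if len is not bounded by the callers, the subtraction
form avoids the addition entirely:
blk_offset > BUFFER_SIZE || len > BUFFER_SIZE - blk_offset.
A short comment saying the first test exists to catch wrap-around would
also help the next reader.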



^ permalink raw reply	[flat|nested] 169+ messages in thread
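
The wrap-around described in the commit message above, as an added example
(not part of the patch or of cramfs): a user-space model of the buffer-size
test in 32-bit unsigned arithmetic. The MODEL_* constants, the function names
and the sample inputs are assumptions made for this sketch; whether any cramfs
caller can pass the large len of the last sample is not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model constants; the page does not give the real values. */
#define MODEL_PAGE_SHIFT  12u
#define MODEL_BUFFER_SIZE (4u << MODEL_PAGE_SHIFT)   /* 16 KiB */

/* Offset into a cached buffer, following the hunk's two context lines. */
static uint32_t model_blk_offset(uint32_t blocknr, uint32_t buffer_blocknr,
                                 uint32_t offset)
{
    uint32_t blk_offset = (blocknr - buffer_blocknr) << MODEL_PAGE_SHIFT;

    blk_offset += offset;
    return blk_offset;
}

/* Test before the patch: 1 means the request is accepted as in-buffer. */
static int accept_old(uint32_t blk_offset, uint32_t len)
{
    return !(blk_offset + len > MODEL_BUFFER_SIZE);
}

/* Test as changed by the patch on this page. */
static int accept_patched(uint32_t blk_offset, uint32_t len)
{
    return !(blk_offset > MODEL_BUFFER_SIZE ||
             blk_offset + len > MODEL_BUFFER_SIZE);
}

/* Hypothetical variant with no addition, so nothing can wrap. */
static int accept_no_add(uint32_t blk_offset, uint32_t len)
{
    return blk_offset <= MODEL_BUFFER_SIZE &&
           len <= MODEL_BUFFER_SIZE - blk_offset;
}

/* Constructed inputs, not taken from a real image. */
struct sample {
    const char *what;
    uint32_t blocknr, buffer_blocknr, offset, len;
};

static const struct sample samples[] = {
    { "inside the buffer",    10,      9, 0x100, 0x200       },
    { "ends exactly at end",  12,      9, 0xfff, 0x1         },
    { "one byte past end",    12,      9, 0xfff, 0x2         },
    { "huge block offset",    0xfffff, 0, 0x800, 0x1000      },
    { "huge length",          10,      9, 0x0,   0xfffff000u },
};

int main(void)
{
    size_t i;

    printf("%-22s %-10s %-10s old patched no_add\n",
           "case", "blk_offset", "len");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const struct sample *s = &samples[i];
        uint32_t off = model_blk_offset(s->blocknr, s->buffer_blocknr,
                                        s->offset);

        printf("%-22s 0x%08x 0x%08x %3d %7d %6d\n", s->what,
               (unsigned)off, (unsigned)s->len,
               accept_old(off, s->len),
               accept_patched(off, s->len),
               accept_no_add(off, s->len));
    }
    return 0;
}
```

A row where the three columns disagree is a request that one form of the test
lets through and another rejects.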

* [PATCH 4.4 082/160] arm64: dts: stratix10: Correct System Manager register size
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thor Thayer, Dinh Nguyen

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thor Thayer <thor.thayer@linux.intel.com>

commit 74121b9aa3cd571ddfff014a9f47db36cae3cda9 upstream.

Correct the register size of the System Manager node.

Cc: stable@vger.kernel.org
Fixes: 78cd6a9d8e154 ("arm64: dts: Add base stratix 10 dtsi")
Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
+++ b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
@@ -249,7 +249,7 @@
 
 		sysmgr: sysmgr@ffd12000 {
 			compatible = "altr,sys-mgr", "syscon";
-			reg = <0xffd12000 0x1000>;
+			reg = <0xffd12000 0x228>;
 		};
 
 		/* Local timer */
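Review bot: the new size in reg = <0xffd12000 0x228> comes with no stated
source. The commit message should say where 0x228 is documented and what
went wrong with the 0x1000 mapping, so that the effect of the stable
backport can be judged from the message alone.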



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 083/160] soc/tegra: pmc: Fix child-node lookup
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikko Perttunen, Johan Hovold,
	Thierry Reding

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 1dc6bd5e39a29453bdcc17348dd2a89f1aa4004e upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent pmc node could end up being prematurely
freed as of_find_node_by_name() drops a reference to its first argument.

Fixes: 3568df3d31d6 ("soc: tegra: Add thermal reset (thermtrip) support to PMC")
Cc: stable <stable@vger.kernel.org>     # 4.0
Cc: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/soc/tegra/pmc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/soc/tegra/pmc.c
+++ b/drivers/soc/tegra/pmc.c
@@ -738,7 +738,7 @@ void tegra_pmc_init_tsense_reset(struct
 	if (!pmc->soc->has_tsense_reset)
 		return;
 
-	np = of_find_node_by_name(pmc->dev->of_node, "i2c-thermtrip");
+	np = of_get_child_by_name(pmc->dev->of_node, "i2c-thermtrip");
 	if (!np) {
 		dev_warn(dev, "i2c-thermtrip node not found, %s.\n", disabled);
 		return;
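Review bot: the lookup np = of_get_child_by_name(...) returns a node with
its reference count raised, and the hunk does not show where that reference
is released. Please confirm that every exit path after the !np check ends
in of_node_put(np). The commit message already notes that the old call
dropped a reference on the parent, so the refcount balance of this function
deserves a sentence of its own.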



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 084/160] btrfs: Handle owner mismatch gracefully when walking up tree
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xu Wen, Qu Wenruo, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qu Wenruo <wqu@suse.com>

commit 65c6e82becec33731f48786e5a30f98662c86b16 upstream.

[BUG]
When mounting certain crafted image, btrfs will trigger kernel BUG_ON()
when trying to recover balance:

  kernel BUG at fs/btrfs/extent-tree.c:8956!
  invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 1 PID: 662 Comm: mount Not tainted 4.18.0-rc1-custom+ #10
  RIP: 0010:walk_up_proc+0x336/0x480 [btrfs]
  RSP: 0018:ffffb53540c9b890 EFLAGS: 00010202
  Call Trace:
   walk_up_tree+0x172/0x1f0 [btrfs]
   btrfs_drop_snapshot+0x3a4/0x830 [btrfs]
   merge_reloc_roots+0xe1/0x1d0 [btrfs]
   btrfs_recover_relocation+0x3ea/0x420 [btrfs]
   open_ctree+0x1af3/0x1dd0 [btrfs]
   btrfs_mount_root+0x66b/0x740 [btrfs]
   mount_fs+0x3b/0x16a
   vfs_kern_mount.part.9+0x54/0x140
   btrfs_mount+0x16d/0x890 [btrfs]
   mount_fs+0x3b/0x16a
   vfs_kern_mount.part.9+0x54/0x140
   do_mount+0x1fd/0xda0
   ksys_mount+0xba/0xd0
   __x64_sys_mount+0x21/0x30
   do_syscall_64+0x60/0x210
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

[CAUSE]
Extent tree corruption.  In this particular case, reloc tree root's
owner is DATA_RELOC_TREE (should be TREE_RELOC), thus its backref is
corrupted and we failed the owner check in walk_up_tree().

[FIX]
It's pretty hard to take care of every extent tree corruption, but at
least we can remove such BUG_ON() and exit more gracefully.

And since in this particular image, DATA_RELOC_TREE and TREE_RELOC share
the same root (which is obviously invalid), we need to make
__del_reloc_root() more robust to detect such invalid sharing to avoid
possible NULL dereference as root->node can be NULL in this case.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=200411
Reported-by: Xu Wen <wen.xu@gatech.edu>
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |   18 ++++++++++++------
 fs/btrfs/relocation.c  |    2 +-
 2 files changed, 13 insertions(+), 7 deletions(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -8704,15 +8704,14 @@ static noinline int walk_up_proc(struct
 	if (eb == root->node) {
 		if (wc->flags[level] & BTRFS_BLOCK_FLAG_FULL_BACKREF)
 			parent = eb->start;
-		else
-			BUG_ON(root->root_key.objectid !=
-			       btrfs_header_owner(eb));
+		else if (root->root_key.objectid != btrfs_header_owner(eb))
+			goto owner_mismatch;
 	} else {
 		if (wc->flags[level + 1] & BTRFS_BLOCK_FLAG_FULL_BACKREF)
 			parent = path->nodes[level + 1]->start;
-		else
-			BUG_ON(root->root_key.objectid !=
-			       btrfs_header_owner(path->nodes[level + 1]));
+		else if (root->root_key.objectid !=
+			 btrfs_header_owner(path->nodes[level + 1]))
+			goto owner_mismatch;
 	}
 
 	btrfs_free_tree_block(trans, root, eb, parent, wc->refs[level] == 1);
@@ -8720,6 +8719,11 @@ out:
 	wc->refs[level] = 0;
 	wc->flags[level] = 0;
 	return 0;
+
+owner_mismatch:
+	btrfs_err_rl(root->fs_info, "unexpected tree owner, have %llu expect %llu",
+		     btrfs_header_owner(eb), root->root_key.objectid);
+	return -EUCLEAN;
 }
 
 static noinline int walk_down_tree(struct btrfs_trans_handle *trans,
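Review bot: the owner_mismatch message always prints btrfs_header_owner(eb)
as the "have" value, but the second goto in walk_up_proc() is taken when
btrfs_header_owner(path->nodes[level + 1]) differs from
root->root_key.objectid. On that path the log line reports the owner of a
block that was not the one compared. Either carry the compared owner to the
label in a local variable or use a separate message per branch.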
@@ -8773,6 +8777,8 @@ static noinline int walk_up_tree(struct
 			ret = walk_up_proc(trans, root, path, wc);
 			if (ret > 0)
 				return 0;
+			if (ret < 0)
+				return ret;
 
 			if (path->locks[level]) {
 				btrfs_tree_unlock_rw(path->nodes[level],
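Review bot: the new if (ret < 0) return ret; in walk_up_tree() sits above
the path->locks[level] block, so on -EUCLEAN the function returns with that
level still locked. Please confirm the caller releases the path on error,
and say so in a comment next to the return.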
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -1318,7 +1318,7 @@ static void __del_reloc_root(struct btrf
 	struct mapping_node *node = NULL;
 	struct reloc_control *rc = root->fs_info->reloc_ctl;
 
-	if (rc) {
+	if (rc && root->node) {
 		spin_lock(&rc->reloc_root_tree.lock);
 		rb_node = tree_search(&rc->reloc_root_tree.rb_root,
 				      root->node->start);
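Review bot: with the condition changed to if (rc && root->node), a root
without a node skips the rb-tree search and leaves node at its initial NULL.
The hunk does not show what follows the locked section; please make sure the
rest of __del_reloc_root() tolerates node == NULL, and add a comment that
root->node can be NULL here only for the invalid sharing the commit message
describes.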



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 085/160] btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xu Wen, Qu Wenruo, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qu Wenruo <wqu@suse.com>

commit b72c3aba09a53fc7c1824250d71180ca154517a7 upstream.

[BUG]
For certain crafted image, whose csum root leaf has missing backref, if
we try to trigger write with data csum, it could cause deadlock with the
following kernel WARN_ON():

  WARNING: CPU: 1 PID: 41 at fs/btrfs/locking.c:230 btrfs_tree_lock+0x3e2/0x400
  CPU: 1 PID: 41 Comm: kworker/u4:1 Not tainted 4.18.0-rc1+ #8
  Workqueue: btrfs-endio-write btrfs_endio_write_helper
  RIP: 0010:btrfs_tree_lock+0x3e2/0x400
  Call Trace:
   btrfs_alloc_tree_block+0x39f/0x770
   __btrfs_cow_block+0x285/0x9e0
   btrfs_cow_block+0x191/0x2e0
   btrfs_search_slot+0x492/0x1160
   btrfs_lookup_csum+0xec/0x280
   btrfs_csum_file_blocks+0x2be/0xa60
   add_pending_csums+0xaf/0xf0
   btrfs_finish_ordered_io+0x74b/0xc90
   finish_ordered_fn+0x15/0x20
   normal_work_helper+0xf6/0x500
   btrfs_endio_write_helper+0x12/0x20
   process_one_work+0x302/0x770
   worker_thread+0x81/0x6d0
   kthread+0x180/0x1d0
   ret_from_fork+0x35/0x40

[CAUSE]
That crafted image has a missing backref for the csum tree root leaf.  And
when we try to allocate a new tree block, since there is no
EXTENT/METADATA_ITEM for the csum tree root, btrfs considers it a free slot
and uses it.

The extent tree of the image looks like:

  Normal image                      |       This fuzzed image
  ----------------------------------+--------------------------------
  BG 29360128                       | BG 29360128
   One empty slot                   |  One empty slot
  29364224: backref to UUID tree    | 29364224: backref to UUID tree
   Two empty slots                  |  Two empty slots
  29376512: backref to CSUM tree    |  One empty slot (bad type) <<<
  29380608: backref to D_RELOC tree | 29380608: backref to D_RELOC tree
  ...                               | ...

Since bytenr 29376512 has no METADATA/EXTENT_ITEM, when btrfs tries to
alloc a tree block, it's a valid slot for btrfs.

And for finish_ordered_write, when we need to insert csum, we try to CoW
csum tree root.

By accident, empty slots at bytenr BG_OFFSET, BG_OFFSET + 8K,
BG_OFFSET + 12K are already used by tree block COW for other trees, the
next empty slot is BG_OFFSET + 16K, which should be the backref for CSUM
tree.

But due to the bad type, btrfs can recognize it and still consider it as
an empty slot, and will try to use it for csum tree CoW.

Then in the following call trace, we will try to lock the new tree
block, which turns out to be the old csum tree root which is already
locked:

btrfs_search_slot() called on csum tree root, which is at 29376512
|- btrfs_cow_block()
   |- btrfs_set_lock_block()
   |  |- Now locks tree block 29376512 (old csum tree root)
   |- __btrfs_cow_block()
      |- btrfs_alloc_tree_block()
         |- btrfs_reserve_extent()
            | Now it returns tree block 29376512, which extent tree
            | shows its empty slot, but it's already hold by csum tree
            |- btrfs_init_new_buffer()
               |- btrfs_tree_lock()
                  | Triggers WARN_ON(eb->lock_owner == current->pid)
                  |- wait_event()
                     Wait lock owner to release the lock, but it's
                     locked by ourself, so it will deadlock

[FIX]
This patch will do the lock_owner and current->pid check at
btrfs_init_new_buffer().
So above deadlock can be avoided.

Since such problem can only happen in crafted image, we will still
trigger kernel warning for later aborted transaction, but with a little
more meaningful warning message.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=200405
Reported-by: Xu Wen <wen.xu@gatech.edu>
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -7835,6 +7835,20 @@ btrfs_init_new_buffer(struct btrfs_trans
 	buf = btrfs_find_create_tree_block(root, bytenr);
 	if (!buf)
 		return ERR_PTR(-ENOMEM);
+
+	/*
+	 * Extra safety check in case the extent tree is corrupted and extent
+	 * allocator chooses to use a tree block which is already used and
+	 * locked.
+	 */
+	if (buf->lock_owner == current->pid) {
+		btrfs_err_rl(root->fs_info,
+"tree block %llu owner %llu already locked by pid=%d, extent tree corruption detected",
+			buf->start, btrfs_header_owner(buf), current->pid);
+		free_extent_buffer(buf);
+		return ERR_PTR(-EUCLEAN);
+	}
+
 	btrfs_set_header_generation(buf, trans->transid);
 	btrfs_set_buffer_lockdep_class(root->root_key.objectid, buf, level);
 	btrfs_tree_lock(buf);
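Review bot: the check buf->lock_owner == current->pid only catches a block
already locked by the current task, while the comment above it speaks of a
block that is "already used and locked" in general. A block held by another
task would still reach btrfs_tree_lock(buf) below. Narrow the comment to the
self-deadlock case so the limit of the check is clear to the reader.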



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 086/160] btrfs: iterate all devices during trim, instead of fs_devices::alloc_list
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeff Mahoney, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit d4e329de5e5e21594df2e0dd59da9acee71f133b upstream.

btrfs_trim_fs iterates over the fs_devices->alloc_list while holding the
device_list_mutex.  The problem is that ->alloc_list is protected by the
chunk mutex.  We don't want to hold the chunk mutex over the trim of the
entire file system.  Fortunately, the ->dev_list list is protected by
the dev_list mutex and while it will give us all devices, including
read-only devices, we already just skip the read-only devices.  Then we
can continue to take and release the chunk mutex while scanning each
device.

Fixes: 499f377f49f ("btrfs: iterate over unused chunk space in FITRIM")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -10751,8 +10751,8 @@ int btrfs_trim_fs(struct btrfs_root *roo
 	}
 
 	mutex_lock(&root->fs_info->fs_devices->device_list_mutex);
-	devices = &root->fs_info->fs_devices->alloc_list;
-	list_for_each_entry(device, devices, dev_alloc_list) {
+	devices = &root->fs_info->fs_devices->devices;
+	list_for_each_entry(device, devices, dev_list) {
 		ret = btrfs_trim_free_extents(device, range->minlen,
 					      &group_trimmed);
 		if (ret)
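Review bot: the loop now walks fs_devices->devices through dev_list, so
btrfs_trim_free_extents() is called for every device, not only those that
were on alloc_list. The commit message relies on read-only devices being
skipped inside that function; any other device state that alloc_list used to
filter out needs the same guarantee. A comment above list_for_each_entry()
recording the locking rule from the commit message (device_list_mutex covers
this list, the chunk mutex covers alloc_list) would keep it from being
switched back.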



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 087/160] btrfs: dont attempt to trim devices that dont support it
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeff Mahoney, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit 0be88e367fd8fbdb45257615d691f4675dda062f upstream.

We check whether any device the file system is using supports discard in
the ioctl call, but then we attempt to trim free extents on every device
regardless of whether discard is supported.  Due to the way we mask off
EOPNOTSUPP, we can end up issuing the trim operations on each free range
on devices that don't support it, just wasting time.

Fixes: 499f377f49f08 ("btrfs: iterate over unused chunk space in FITRIM")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -10629,6 +10629,10 @@ static int btrfs_trim_free_extents(struc
 
 	*trimmed = 0;
 
+	/* Discard not supported = nothing to do. */
+	if (!blk_queue_discard(bdev_get_queue(device->bdev)))
+		return 0;
+
 	/* Not writeable = nothing to do. */
 	if (!device->writeable)
 		return 0;
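Review bot: the new discard test dereferences device->bdev through
bdev_get_queue() before any other check in btrfs_trim_free_extents(). If
the device list can hold an entry with no block device opened, this is a
NULL dereference; test device->bdev before use, or state in the comment why
it cannot be NULL at this point.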



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 088/160] btrfs: wait on caching when putting the bg cache
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, Omar Sandoval, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <josef@toxicpanda.com>

commit 3aa7c7a31c26321696b92841d5103461c6f3f517 upstream.

While testing my backport I noticed there was a panic if I ran
generic/416 generic/417 generic/418 all in a row.  This just happened to
uncover a race where we had outstanding IO after we destroy all of our
workqueues, and then we'd go to queue the endio work on those free'd
workqueues.

This is because we aren't waiting for the caching threads to be done
before freeing everything up, so to fix this make sure we wait on any
outstanding caching that's being done before we free up the block group,
so we're sure to be done with all IO by the time we get to
btrfs_stop_all_workers().  This fixes the panic I was seeing
consistently in testing.

------------[ cut here ]------------
kernel BUG at fs/btrfs/volumes.c:6112!
SMP PTI
Modules linked in:
CPU: 1 PID: 27165 Comm: kworker/u4:7 Not tainted 4.16.0-02155-g3553e54a578d-dirty #875
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: btrfs-cache btrfs_cache_helper
RIP: 0010:btrfs_map_bio+0x346/0x370
RSP: 0000:ffffc900061e79d0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff880071542e00 RCX: 0000000000533000
RDX: ffff88006bb74380 RSI: 0000000000000008 RDI: ffff880078160000
RBP: 0000000000000001 R08: ffff8800781cd200 R09: 0000000000503000
R10: ffff88006cd21200 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8800781cd200 R15: ffff880071542e00
FS:  0000000000000000(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000817ffc4 CR3: 0000000078314000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 btree_submit_bio_hook+0x8a/0xd0
 submit_one_bio+0x5d/0x80
 read_extent_buffer_pages+0x18a/0x320
 btree_read_extent_buffer_pages+0xbc/0x200
 ? alloc_extent_buffer+0x359/0x3e0
 read_tree_block+0x3d/0x60
 read_block_for_search.isra.30+0x1a5/0x360
 btrfs_search_slot+0x41b/0xa10
 btrfs_next_old_leaf+0x212/0x470
 caching_thread+0x323/0x490
 normal_work_helper+0xc5/0x310
 process_one_work+0x141/0x340
 worker_thread+0x44/0x3c0
 kthread+0xf8/0x130
 ? process_one_work+0x340/0x340
 ? kthread_bind+0x10/0x10
 ret_from_fork+0x35/0x40
RIP: btrfs_map_bio+0x346/0x370 RSP: ffffc900061e79d0
---[ end trace 827eb13e50846033 ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -9521,6 +9521,7 @@ void btrfs_put_block_group_cache(struct
 
 		block_group = btrfs_lookup_first_block_group(info, last);
 		while (block_group) {
+			wait_block_group_cache_done(block_group);
 			spin_lock(&block_group->lock);
 			if (block_group->iref)
 				break;
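Review bot: wait_block_group_cache_done(block_group) is added at the top of
the while loop in btrfs_put_block_group_cache() with no comment. The reason
(caching must be finished before everything is freed and the workqueues are
destroyed) lives only in the commit message; please put a short comment
above the call, and note there that it has to stay ahead of
spin_lock(&block_group->lock).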



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 089/160] btrfs: reset max_extent_size on clear in a bitmap
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liu Bo, Josef Bacik, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <jbacik@fb.com>

commit 553cceb49681d60975d00892877d4c871bf220f9 upstream.

We need to clear the max_extent_size when we clear bits from a bitmap
since it could have been from the range that contains the
max_extent_size.

CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/free-space-cache.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -1699,6 +1699,8 @@ static inline void __bitmap_clear_bits(s
 	bitmap_clear(info->bitmap, start, count);
 
 	info->bytes -= bytes;
+	if (info->max_extent_size > ctl->unit)
+		info->max_extent_size = 0;
 }
 
 static void bitmap_clear_bits(struct btrfs_free_space_ctl *ctl,
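Review bot: the reset in __bitmap_clear_bits() is guarded by
info->max_extent_size > ctl->unit, and neither the code nor the commit
message explains the threshold. State in a comment why a cached value of
ctl->unit or less may be kept, or reset unconditionally if there is no such
reason.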



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 090/160] btrfs: make sure we create all new block groups
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Omar Sandoval, Liu Bo, Josef Bacik,
	David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <josef@toxicpanda.com>

commit 545e3366db823dc3342ca9d7fea803f829c9062f upstream.

Allocating new chunks modifies both the extent and chunk tree, which can
trigger new chunk allocations.  So instead of doing list_for_each_safe,
just do while (!list_empty()) so we make sure we don't exit with other
pending bg's still on our list.

CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -9912,7 +9912,7 @@ error:
 void btrfs_create_pending_block_groups(struct btrfs_trans_handle *trans,
 				       struct btrfs_root *root)
 {
-	struct btrfs_block_group_cache *block_group, *tmp;
+	struct btrfs_block_group_cache *block_group;
 	struct btrfs_root *extent_root = root->fs_info->extent_root;
 	struct btrfs_block_group_item item;
 	struct btrfs_key key;
@@ -9920,7 +9920,10 @@ void btrfs_create_pending_block_groups(s
 	bool can_flush_pending_bgs = trans->can_flush_pending_bgs;
 
 	trans->can_flush_pending_bgs = false;
-	list_for_each_entry_safe(block_group, tmp, &trans->new_bgs, bg_list) {
+	while (!list_empty(&trans->new_bgs)) {
+		block_group = list_first_entry(&trans->new_bgs,
+					       struct btrfs_block_group_cache,
+					       bg_list);
 		if (ret)
 			goto next;
 
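
Review bot: the `while (!list_empty(&trans->new_bgs))` loop in btrfs_create_pending_block_groups() terminates only if every iteration unlinks block_group from trans->new_bgs, and that removal is outside this hunk. Since the first statement in the body is `if (ret) goto next;`, please confirm the code at the `next` label deletes the entry on the error path as well, otherwise a failed iteration spins on the same list head. A short comment at the loop saying that new entries can be appended while it runs would also help.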




* [PATCH 4.4 091/160] Btrfs: fix wrong dentries after fsync of file that got its parent replaced
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 090/160] btrfs: make sure we create all new block groups Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 092/160] btrfs: qgroup: Dirty all qgroups before rescan Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 0f375eed92b5a407657532637ed9652611a682f5 upstream.

In a scenario like the following:

  mkdir /mnt/A               # inode 258
  mkdir /mnt/B               # inode 259
  touch /mnt/B/bar           # inode 260

  sync

  mv /mnt/B/bar /mnt/A/bar
  mv -T /mnt/A /mnt/B
  fsync /mnt/B/bar

  <power fail>

After replaying the log we end up with file bar having 2 hard links, both
with the name 'bar' and one in the directory with inode number 258 and the
other in the directory with inode number 259. Also, we end up with the
directory inode 259 still existing and with the directory inode 258 still
named as 'A', instead of 'B'. In this scenario, file 'bar' should only
have one hard link, located at directory inode 258, the directory inode
259 should not exist anymore and the name for directory inode 258 should
be 'B'.

This incorrect behaviour happens because when attempting to log the old
parents of an inode, we skip any parents that no longer exist. Fix this
by forcing a full commit if an old parent no longer exists.

A test case for fstests follows soon.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |   30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -5240,9 +5240,33 @@ static int btrfs_log_all_parents(struct
 
 			dir_inode = btrfs_iget(root->fs_info->sb, &inode_key,
 					       root, NULL);
-			/* If parent inode was deleted, skip it. */
-			if (IS_ERR(dir_inode))
-				continue;
+			/*
+			 * If the parent inode was deleted, return an error to
+			 * fallback to a transaction commit. This is to prevent
+			 * getting an inode that was moved from one parent A to
+			 * a parent B, got its former parent A deleted and then
+			 * it got fsync'ed, from existing at both parents after
+			 * a log replay (and the old parent still existing).
+			 * Example:
+			 *
+			 * mkdir /mnt/A
+			 * mkdir /mnt/B
+			 * touch /mnt/B/bar
+			 * sync
+			 * mv /mnt/B/bar /mnt/A/bar
+			 * mv -T /mnt/A /mnt/B
+			 * fsync /mnt/B/bar
+			 * <power fail>
+			 *
+			 * If we ignore the old parent B which got deleted,
+			 * after a log replay we would have file bar linked
+			 * at both parents and the old parent B would still
+			 * exist.
+			 */
+			if (IS_ERR(dir_inode)) {
+				ret = PTR_ERR(dir_inode);
+				goto out;
+			}
 
 			ret = btrfs_log_inode(trans, root, dir_inode,
 					      LOG_INODE_ALL, 0, LLONG_MAX, ctx);
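
Review bot: in btrfs_log_all_parents() the new `if (IS_ERR(dir_inode))` branch returns whatever PTR_ERR(dir_inode) happens to be, while the comment promises a fallback to a transaction commit. That only holds if every caller treats any error from this function as "do a full commit" rather than passing it back to fsync(); the hunk does not show this, so either say so in the comment or return an explicit value that the caller maps to a full commit. The `goto out` also leaves the loop early, so the `out` label has to release whatever the loop holds at this point.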




* [PATCH 4.4 092/160] btrfs: qgroup: Dirty all qgroups before rescan
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 091/160] Btrfs: fix wrong dentries after fsync of file that got its parent replaced Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 093/160] Btrfs: fix null pointer dereference on compressed write path error Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Misono Tomohiro, Qu Wenruo, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qu Wenruo <wqu@suse.com>

commit 9c7b0c2e8dbfbcd80a71e2cbfe02704f26c185c6 upstream.

[BUG]
In the following case, rescan won't zero out the number of qgroup 1/0:

  $ mkfs.btrfs -fq $DEV
  $ mount $DEV /mnt

  $ btrfs quota enable /mnt
  $ btrfs qgroup create 1/0 /mnt
  $ btrfs sub create /mnt/sub
  $ btrfs qgroup assign 0/257 1/0 /mnt

  $ dd if=/dev/urandom of=/mnt/sub/file bs=1k count=1000
  $ btrfs sub snap /mnt/sub /mnt/snap
  $ btrfs quota rescan -w /mnt
  $ btrfs qgroup show -pcre /mnt
  qgroupid         rfer         excl     max_rfer     max_excl parent  child
  --------         ----         ----     --------     -------- ------  -----
  0/5          16.00KiB     16.00KiB         none         none ---     ---
  0/257      1016.00KiB     16.00KiB         none         none 1/0     ---
  0/258      1016.00KiB     16.00KiB         none         none ---     ---
  1/0        1016.00KiB     16.00KiB         none         none ---     0/257

So far so good, but:

  $ btrfs qgroup remove 0/257 1/0 /mnt
  WARNING: quotas may be inconsistent, rescan needed
  $ btrfs quota rescan -w /mnt
  $ btrfs qgroup show -pcre  /mnt
  qgoupid         rfer         excl     max_rfer     max_excl parent  child
  --------         ----         ----     --------     -------- ------  -----
  0/5          16.00KiB     16.00KiB         none         none ---     ---
  0/257      1016.00KiB     16.00KiB         none         none ---     ---
  0/258      1016.00KiB     16.00KiB         none         none ---     ---
  1/0        1016.00KiB     16.00KiB         none         none ---     ---
	     ^^^^^^^^^^     ^^^^^^^^ not cleared

[CAUSE]
Before rescan we call qgroup_rescan_zero_tracking() to zero out all
qgroups' accounting numbers.

However we don't mark all qgroups dirty, but rely on rescan to do so.

If we have any high level qgroup without children, it won't be marked
dirty during rescan, since we cannot reach that qgroup.

This will cause QGROUP_INFO items of childless qgroups to never get updated
in the quota tree, thus their numbers will stay the same in "btrfs
qgroup show" output.

[FIX]
Just mark all qgroups dirty in qgroup_rescan_zero_tracking(), so even if
we have childless qgroups, their QGROUP_INFO items will still get
updated during rescan.

Reported-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
Tested-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/qgroup.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -2446,6 +2446,7 @@ qgroup_rescan_zero_tracking(struct btrfs
 		qgroup->rfer_cmpr = 0;
 		qgroup->excl = 0;
 		qgroup->excl_cmpr = 0;
+		qgroup_dirty(fs_info, qgroup);
 	}
 	spin_unlock(&fs_info->qgroup_lock);
 }
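
Review bot: qgroup_dirty() is now called inside the fs_info->qgroup_lock critical section of qgroup_rescan_zero_tracking() (the spin_unlock() follows the loop), so it must never sleep or take qgroup_lock itself. A one-line comment on the new call saying why every qgroup is dirtied here (childless higher-level qgroups are never reached by the rescan) would keep the line from being dropped as redundant later.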




* [PATCH 4.4 093/160] Btrfs: fix null pointer dereference on compressed write path error
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 092/160] btrfs: qgroup: Dirty all qgroups before rescan Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 094/160] btrfs: set max_extent_size properly Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liu Bo, Filipe Manana, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 3527a018c00e5dbada2f9d7ed5576437b6dd5cfb upstream.

At inode.c:compress_file_range(), under the "free_pages_out" label, we can
end up dereferencing the "pages" pointer when it has a NULL value. This
case happens when "start" has a value of 0 and we fail to allocate memory
for the "pages" pointer. When that happens we jump to the "cont" label and
then enter the "if (start == 0)" branch where we immediately call the
cow_file_range_inline() function. If that function returns 0 (success
creating an inline extent) or an error (like -ENOMEM for example) we jump
to the "free_pages_out" label and then access "pages[i]" leading to a NULL
pointer dereference, since "nr_pages" has a value greater than zero at
that point.

Fix this by setting "nr_pages" to 0 when we fail to allocate memory for
the "pages" pointer.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201119
Fixes: 771ed689d2cd ("Btrfs: Optimize compressed writeback and reads")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -481,6 +481,7 @@ again:
 		pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS);
 		if (!pages) {
 			/* just bail out to the uncompressed code */
+			nr_pages = 0;
 			goto cont;
 		}
 
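
Review bot: the existing comment in the `if (!pages)` branch, "just bail out to the uncompressed code", does not explain the new `nr_pages = 0;`. Add a note that the free_pages_out path reads pages[i] for every i below nr_pages, so the count must be cleared when the array was never allocated; without it the assignment looks like dead code and is easy to remove in a later cleanup.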




* [PATCH 4.4 094/160] btrfs: set max_extent_size properly
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 093/160] Btrfs: fix null pointer dereference on compressed write path error Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 095/160] MD: fix invalid stored role for a disk - try2 Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <jbacik@fb.com>

commit ad22cf6ea47fa20fbe11ac324a0a15c0a9a4a2a9 upstream.

We can't use entry->bytes if our entry is a bitmap entry, we need to use
entry->max_extent_size in that case.  Fix up all the logic to make this
consistent.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <jbacik@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/free-space-cache.c |   30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -1784,6 +1784,13 @@ static int search_bitmap(struct btrfs_fr
 	return -1;
 }
 
+static inline u64 get_max_extent_size(struct btrfs_free_space *entry)
+{
+	if (entry->bitmap)
+		return entry->max_extent_size;
+	return entry->bytes;
+}
+
 /* Cache the size of the max extent in bytes */
 static struct btrfs_free_space *
 find_free_space(struct btrfs_free_space_ctl *ctl, u64 *offset, u64 *bytes,
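
Review bot: get_max_extent_size() is added without a comment, and for a bitmap entry it returns the cached entry->max_extent_size, which the earlier patch in this series resets to 0 when bits are cleared. Document above the helper that the bitmap value is a cached hint that may be 0, so callers taking max() of it understand that a bitmap entry can contribute nothing to the reported maximum.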
@@ -1805,8 +1812,8 @@ find_free_space(struct btrfs_free_space_
 	for (node = &entry->offset_index; node; node = rb_next(node)) {
 		entry = rb_entry(node, struct btrfs_free_space, offset_index);
 		if (entry->bytes < *bytes) {
-			if (entry->bytes > *max_extent_size)
-				*max_extent_size = entry->bytes;
+			*max_extent_size = max(get_max_extent_size(entry),
+					       *max_extent_size);
 			continue;
 		}
 
@@ -1824,8 +1831,8 @@ find_free_space(struct btrfs_free_space_
 		}
 
 		if (entry->bytes < *bytes + align_off) {
-			if (entry->bytes > *max_extent_size)
-				*max_extent_size = entry->bytes;
+			*max_extent_size = max(get_max_extent_size(entry),
+					       *max_extent_size);
 			continue;
 		}
 
@@ -1837,8 +1844,10 @@ find_free_space(struct btrfs_free_space_
 				*offset = tmp;
 				*bytes = size;
 				return entry;
-			} else if (size > *max_extent_size) {
-				*max_extent_size = size;
+			} else {
+				*max_extent_size =
+					max(get_max_extent_size(entry),
+					    *max_extent_size);
 			}
 			continue;
 		}
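
Review bot: in the `else` branch of this find_free_space() hunk the failed-search path used to record `size`, and now records get_max_extent_size(entry) instead. That is only equivalent if the search that produced `size` also refreshes entry->max_extent_size before it fails, which this hunk does not show. Please state that dependency in a comment here, since a stale cached value would make the reported maximum disagree with what the search just measured.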
@@ -2696,8 +2705,8 @@ static u64 btrfs_alloc_from_bitmap(struc
 
 	err = search_bitmap(ctl, entry, &search_start, &search_bytes, true);
 	if (err) {
-		if (search_bytes > *max_extent_size)
-			*max_extent_size = search_bytes;
+		*max_extent_size = max(get_max_extent_size(entry),
+				       *max_extent_size);
 		return 0;
 	}
 
@@ -2734,8 +2743,9 @@ u64 btrfs_alloc_from_cluster(struct btrf
 
 	entry = rb_entry(node, struct btrfs_free_space, offset_index);
 	while (1) {
-		if (entry->bytes < bytes && entry->bytes > *max_extent_size)
-			*max_extent_size = entry->bytes;
+		if (entry->bytes < bytes)
+			*max_extent_size = max(get_max_extent_size(entry),
+					       *max_extent_size);
 
 		if (entry->bytes < bytes ||
 		    (!entry->bitmap && entry->offset < min_start)) {
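
Review bot: in btrfs_alloc_from_cluster() the new `if (entry->bytes < bytes)` repeats the first operand of the `if (entry->bytes < bytes || ...)` test that follows it. Moving the max_extent_size update into that second block, under the same condition, would avoid testing it twice. If the duplication stays, a comment noting that bitmap entries are compared on bytes but recorded by max_extent_size would help.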




* [PATCH 4.4 095/160] MD: fix invalid stored role for a disk - try2
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 094/160] btrfs: set max_extent_size properly Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 096/160] tty: check name length in tty_find_polling_driver() Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Gioh Kim,
	Guoqing Jiang, Shaohua Li

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaohua Li <shli@fb.com>

commit 9e753ba9b9b405e3902d9f08aec5f2ea58a0c317 upstream.

Commit d595567dc4f0 (MD: fix invalid stored role for a disk) broke linear
hotadd. Let's only fix the role for disks in raid1/10.
Based on Guoqing's original patch.

Reported-by: kernel test robot <rong.a.chen@intel.com>
Cc: Gioh Kim <gi-oh.kim@profitbricks.com>
Cc: Guoqing Jiang <gqjiang@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/md.c     |    4 ----
 drivers/md/raid1.c  |    1 +
 drivers/md/raid10.c |    1 +
 3 files changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1670,10 +1670,6 @@ static int super_1_validate(struct mddev
 			} else
 				set_bit(In_sync, &rdev->flags);
 			rdev->raid_disk = role;
-			if (role >= mddev->raid_disks) {
-				rdev->saved_raid_disk = -1;
-				rdev->raid_disk = -1;
-			}
 			break;
 		}
 		if (sb->devflags & WriteMostly1)
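
Review bot: with the `role >= mddev->raid_disks` clamp removed from super_1_validate(), rdev->raid_disk can now leave this function holding a role beyond the array size, for every personality. The patch adds upper-bound checks only in raid1_add_disk() and raid10_add_disk(), and only for saved_raid_disk, so each remaining user that indexes a per-disk array with rdev->raid_disk needs its own bound. A comment at the `rdev->raid_disk = role;` assignment stating that the value is not range-checked here would make that contract visible.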
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1605,6 +1605,7 @@ static int raid1_add_disk(struct mddev *
 	 */
 	if (rdev->saved_raid_disk >= 0 &&
 	    rdev->saved_raid_disk >= first &&
+	    rdev->saved_raid_disk < conf->raid_disks &&
 	    conf->mirrors[rdev->saved_raid_disk].rdev == NULL)
 		first = last = rdev->saved_raid_disk;
 
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1737,6 +1737,7 @@ static int raid10_add_disk(struct mddev
 		first = last = rdev->raid_disk;
 
 	if (rdev->saved_raid_disk >= first &&
+	    rdev->saved_raid_disk < conf->geo.raid_disks &&
 	    conf->mirrors[rdev->saved_raid_disk].rdev == NULL)
 		mirror = rdev->saved_raid_disk;
 	else
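
Review bot: unlike the raid1 hunk, the condition in raid10_add_disk() has no explicit `rdev->saved_raid_disk >= 0` test, so the lower bound of the index into conf->mirrors[] rests entirely on `first`. The new `< conf->geo.raid_disks` check closes the upper side; adding the `>= 0` test as well would guard both array accesses the same way, independent of how `first` was set.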




* [PATCH 4.4 096/160] tty: check name length in tty_find_polling_driver()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 095/160] MD: fix invalid stored role for a disk - try2 Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 097/160] powerpc/nohash: fix undefined behaviour when testing page size support Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miles Chen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miles Chen <miles.chen@mediatek.com>

[ Upstream commit 33a1a7be198657c8ca26ad406c4d2a89b7162bcc ]

The issue is found by a fuzzing test.
If tty_find_polling_driver() receives an incorrect input such as
',,' or '0b', the len becomes 0 and strncmp() always returns 0.
In this case, a null p->ops->poll_init() is called and it causes a kernel
panic.

Fix this by checking name length against zero in tty_find_polling_driver().

$echo ,, > /sys/module/kgdboc/parameters/kgdboc
[   20.804451] WARNING: CPU: 1 PID: 104 at drivers/tty/serial/serial_core.c:457
uart_get_baud_rate+0xe8/0x190
[   20.804917] Modules linked in:
[   20.805317] CPU: 1 PID: 104 Comm: sh Not tainted 4.19.0-rc7ajb #8
[   20.805469] Hardware name: linux,dummy-virt (DT)
[   20.805732] pstate: 20000005 (nzCv daif -PAN -UAO)
[   20.805895] pc : uart_get_baud_rate+0xe8/0x190
[   20.806042] lr : uart_get_baud_rate+0xc0/0x190
[   20.806476] sp : ffffffc06acff940
[   20.806676] x29: ffffffc06acff940 x28: 0000000000002580
[   20.806977] x27: 0000000000009600 x26: 0000000000009600
[   20.807231] x25: ffffffc06acffad0 x24: 00000000ffffeff0
[   20.807576] x23: 0000000000000001 x22: 0000000000000000
[   20.807807] x21: 0000000000000001 x20: 0000000000000000
[   20.808049] x19: ffffffc06acffac8 x18: 0000000000000000
[   20.808277] x17: 0000000000000000 x16: 0000000000000000
[   20.808520] x15: ffffffffffffffff x14: ffffffff00000000
[   20.808757] x13: ffffffffffffffff x12: 0000000000000001
[   20.809011] x11: 0101010101010101 x10: ffffff880d59ff5f
[   20.809292] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3
[   20.809549] x7 : 0000000000000000 x6 : ffffff880d59ff5f
[   20.809803] x5 : 0000000080008001 x4 : 0000000000000003
[   20.810056] x3 : ffffff900853e6b4 x2 : dfffff9000000000
[   20.810693] x1 : ffffffc06acffad0 x0 : 0000000000000cb0
[   20.811005] Call trace:
[   20.811214]  uart_get_baud_rate+0xe8/0x190
[   20.811479]  serial8250_do_set_termios+0xe0/0x6f4
[   20.811719]  serial8250_set_termios+0x48/0x54
[   20.811928]  uart_set_options+0x138/0x1bc
[   20.812129]  uart_poll_init+0x114/0x16c
[   20.812330]  tty_find_polling_driver+0x158/0x200
[   20.812545]  configure_kgdboc+0xbc/0x1bc
[   20.812745]  param_set_kgdboc_var+0xb8/0x150
[   20.812960]  param_attr_store+0xbc/0x150
[   20.813160]  module_attr_store+0x40/0x58
[   20.813364]  sysfs_kf_write+0x8c/0xa8
[   20.813563]  kernfs_fop_write+0x154/0x290
[   20.813764]  vfs_write+0xf0/0x278
[   20.813951]  __arm64_sys_write+0x84/0xf4
[   20.814400]  el0_svc_common+0xf4/0x1dc
[   20.814616]  el0_svc_handler+0x98/0xbc
[   20.814804]  el0_svc+0x8/0xc
[   20.822005] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   20.826913] Mem abort info:
[   20.827103]   ESR = 0x84000006
[   20.827352]   Exception class = IABT (current EL), IL = 16 bits
[   20.827655]   SET = 0, FnV = 0
[   20.827855]   EA = 0, S1PTW = 0
[   20.828135] user pgtable: 4k pages, 39-bit VAs, pgdp = (____ptrval____)
[   20.828484] [0000000000000000] pgd=00000000aadee003, pud=00000000aadee003, pmd=0000000000000000
[   20.829195] Internal error: Oops: 84000006 [#1] SMP
[   20.829564] Modules linked in:
[   20.829890] CPU: 1 PID: 104 Comm: sh Tainted: G        W         4.19.0-rc7ajb #8
[   20.830545] Hardware name: linux,dummy-virt (DT)
[   20.830829] pstate: 60000085 (nZCv daIf -PAN -UAO)
[   20.831174] pc :           (null)
[   20.831457] lr : serial8250_do_set_termios+0x358/0x6f4
[   20.831727] sp : ffffffc06acff9b0
[   20.831936] x29: ffffffc06acff9b0 x28: ffffff9008d7c000
[   20.832267] x27: ffffff900969e16f x26: 0000000000000000
[   20.832589] x25: ffffff900969dfb0 x24: 0000000000000000
[   20.832906] x23: ffffffc06acffad0 x22: ffffff900969e160
[   20.833232] x21: 0000000000000000 x20: ffffffc06acffac8
[   20.833559] x19: ffffff900969df90 x18: 0000000000000000
[   20.833878] x17: 0000000000000000 x16: 0000000000000000
[   20.834491] x15: ffffffffffffffff x14: ffffffff00000000
[   20.834821] x13: ffffffffffffffff x12: 0000000000000001
[   20.835143] x11: 0101010101010101 x10: ffffff880d59ff5f
[   20.835467] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3
[   20.835790] x7 : 0000000000000000 x6 : ffffff880d59ff5f
[   20.836111] x5 : c06419717c314100 x4 : 0000000000000007
[   20.836419] x3 : 0000000000000000 x2 : 0000000000000000
[   20.836732] x1 : 0000000000000001 x0 : ffffff900969df90
[   20.837100] Process sh (pid: 104, stack limit = 0x(____ptrval____))
[   20.837396] Call trace:
[   20.837566]            (null)
[   20.837816]  serial8250_set_termios+0x48/0x54
[   20.838089]  uart_set_options+0x138/0x1bc
[   20.838570]  uart_poll_init+0x114/0x16c
[   20.838834]  tty_find_polling_driver+0x158/0x200
[   20.839119]  configure_kgdboc+0xbc/0x1bc
[   20.839380]  param_set_kgdboc_var+0xb8/0x150
[   20.839658]  param_attr_store+0xbc/0x150
[   20.839920]  module_attr_store+0x40/0x58
[   20.840183]  sysfs_kf_write+0x8c/0xa8
[   20.840183]  sysfs_kf_write+0x8c/0xa8
[   20.840440]  kernfs_fop_write+0x154/0x290
[   20.840702]  vfs_write+0xf0/0x278
[   20.840942]  __arm64_sys_write+0x84/0xf4
[   20.841209]  el0_svc_common+0xf4/0x1dc
[   20.841471]  el0_svc_handler+0x98/0xbc
[   20.841713]  el0_svc+0x8/0xc
[   20.842057] Code: bad PC value
[   20.842764] ---[ end trace a8835d7de79aaadf ]---
[   20.843134] Kernel panic - not syncing: Fatal exception
[   20.843515] SMP: stopping secondary CPUs
[   20.844289] Kernel Offset: disabled
[   20.844634] CPU features: 0x0,21806002
[   20.844857] Memory Limit: none
[   20.845172] ---[ end Kernel panic - not syncing: Fatal exception ]---

Signed-off-by: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/tty_io.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -357,7 +357,7 @@ struct tty_driver *tty_find_polling_driv
 	mutex_lock(&tty_mutex);
 	/* Search through the tty devices to look for a match */
 	list_for_each_entry(p, &tty_drivers, tty_drivers) {
-		if (strncmp(name, p->name, len) != 0)
+		if (!len || strncmp(name, p->name, len) != 0)
 			continue;
 		stp = str;
 		if (*stp == ',')
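
Review bot: `!len` does not depend on `p`, yet it is evaluated for every driver inside the list_for_each_entry() loop while tty_mutex is held. Rejecting an empty name once, before the loop, says the same thing more directly and makes the failure for inputs such as ',,' an explicit early return instead of a side effect of skipping every list entry.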




* [PATCH 4.4 097/160] powerpc/nohash: fix undefined behaviour when testing page size support
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 096/160] tty: check name length in tty_find_polling_driver() Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 098/160] drm/omap: fix memory barrier bug in DMM driver Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Axtens, Michael Ellerman, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Axtens <dja@axtens.net>

[ Upstream commit f5e284803a7206d43e26f9ffcae5de9626d95e37 ]

When enumerating page size definitions to check hardware support,
we construct a constant which is (1U << (def->shift - 10)).

However, the array of page size definitions is only initialised for
various MMU_PAGE_* constants, so it contains a number of 0-initialised
elements with def->shift == 0. This means we end up shifting by a
very large number, which gives the following UBSan splat:

================================================================================
UBSAN: Undefined behaviour in /home/dja/dev/linux/linux/arch/powerpc/mm/tlb_nohash.c:506:21
shift exponent 4294967286 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc3-00045-ga604f927b012-dirty #6
Call Trace:
[c00000000101bc20] [c000000000a13d54] .dump_stack+0xa8/0xec (unreliable)
[c00000000101bcb0] [c0000000004f20a8] .ubsan_epilogue+0x18/0x64
[c00000000101bd30] [c0000000004f2b10] .__ubsan_handle_shift_out_of_bounds+0x110/0x1a4
[c00000000101be20] [c000000000d21760] .early_init_mmu+0x1b4/0x5a0
[c00000000101bf10] [c000000000d1ba28] .early_setup+0x100/0x130
[c00000000101bf90] [c000000000000528] start_here_multiplatform+0x68/0x80
================================================================================

Fix this by first checking if the element exists (shift != 0) before
constructing the constant.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/tlb_nohash.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/mm/tlb_nohash.c
+++ b/arch/powerpc/mm/tlb_nohash.c
@@ -487,6 +487,9 @@ static void setup_page_sizes(void)
 		for (psize = 0; psize < MMU_PAGE_COUNT; ++psize) {
 			struct mmu_psize_def *def = &mmu_psize_defs[psize];
 
+			if (!def->shift)
+				continue;
+
 			if (tlb1ps & (1U << (def->shift - 10))) {
 				def->flags |= MMU_PAGE_SIZE_DIRECT;
 
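
Review bot: the new `if (!def->shift)` test in setup_page_sizes() skips only a shift of exactly 0, but `1U << (def->shift - 10)` is undefined for any shift below 10 (the subtraction wraps, as in the reported exponent 4294967286) and for any shift of 42 or more. Testing `def->shift < 10` instead, or adding a comment that populated entries always have a shift in the valid range, would cover the whole precondition of the expression rather than the single value seen in the splat.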




* [PATCH 4.4 098/160] drm/omap: fix memory barrier bug in DMM driver
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 097/160] powerpc/nohash: fix undefined behaviour when testing page size support Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 099/160] media: pci: cx23885: handle adding to list failure Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomi Valkeinen, Peter Ujfalusi, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tomi Valkeinen <tomi.valkeinen@ti.com>

[ Upstream commit 538f66ba204944470a653a4cccc5f8befdf97c22 ]

A DMM timeout "timed out waiting for done" has been observed on DRA7
devices. The timeout happens rarely, and only when the system is under
heavy load.

Debugging showed that the timeout can be made to happen much more
frequently by optimizing the DMM driver, so that there's almost no code
between writing the last DMM descriptors to RAM, and writing to DMM
register which starts the DMM transaction.

The current theory is that a wmb() does not properly ensure that the
data written to RAM is observable by all the components in the system.

This DMM timeout has caused interesting (and rare) bugs as the error
handling was not functioning properly (the error handling has been fixed
in previous commits):

 * If a DMM timeout happened when a GEM buffer was being pinned for
   display on the screen, a timeout error would be shown, but the driver
   would continue programming DSS HW with broken buffer, leading to
   SYNCLOST floods and possible crashes.

 * If a DMM timeout happened when other user (say, video decoder) was
   pinning a GEM buffer, a timeout would be shown but if the user
   handled the error properly, no other issues followed.

 * If a DMM timeout happened when a GEM buffer was being released, the
   driver does not even notice the error, leading to crashes or hang
   later.

This patch adds wmb() and readl() calls after the last bit is written to
RAM, which should ensure that the execution proceeds only after the data
is actually in RAM, and thus observable by DMM.

The read-back should not be needed. Further study is required to understand
if DMM is somehow special case and read-back is ok, or if DRA7's memory
barriers do not work correctly.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/omapdrm/omap_dmm_tiler.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
@@ -262,6 +262,17 @@ static int dmm_txn_commit(struct dmm_txn
 	}
 
 	txn->last_pat->next_pa = 0;
+	/* ensure that the written descriptors are visible to DMM */
+	wmb();
+
+	/*
+	 * NOTE: the wmb() above should be enough, but there seems to be a bug
+	 * in OMAP's memory barrier implementation, which in some rare cases may
+	 * cause the writes not to be observable after wmb().
+	 */
+
+	/* read back to ensure the data is in RAM */
+	readl(&txn->last_pat->next_pa);
 
 	/* write to PAT_DESCR to clear out any pending transaction */
 	writel(0x0, dmm->base + reg[PAT_DESCR][engine->id]);
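
Review bot: readl() is applied to `&txn->last_pat->next_pa`, which the comment itself describes as data in RAM, while readl() is the accessor for register space, as the writel() on dmm->base two lines below shows. If last_pat is an ordinary pointer this draws a sparse address-space warning and obscures the intent; if the read-back has to be a readl() for its ordering side effects, the comment should say so. The NOTE comment is also separated by a blank line from the wmb() it describes; place it directly above the wmb() or merge it with the read-back comment.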




* [PATCH 4.4 099/160] media: pci: cx23885: handle adding to list failure
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 098/160] drm/omap: fix memory barrier bug in DMM driver Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:28 ` [PATCH 4.4 100/160] MIPS: kexec: Mark CPU offline before disabling local IRQ Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Mc Guire, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

[ Upstream commit c5d59528e24ad22500347b199d52b9368e686a42 ]

altera_hw_filt_init() which calls append_internal() assumes
that the node was successfully linked in while in fact it can
silently fail. So the call-site needs to set return to -ENOMEM
on append_internal() returning NULL and exit through the err path.

Fixes: 349bcf02e361 ("[media] Altera FPGA based CI driver module")

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/pci/cx23885/altera-ci.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/media/pci/cx23885/altera-ci.c
+++ b/drivers/media/pci/cx23885/altera-ci.c
@@ -660,6 +660,10 @@ static int altera_hw_filt_init(struct al
 		}
 
 		temp_int = append_internal(inter);
+		if (!temp_int) {
+			ret = -ENOMEM;
+			goto err;
+		}
 		inter->filts_used = 1;
 		inter->dev = config->dev;
 		inter->fpga_rw = config->fpga_rw;
@@ -694,6 +698,7 @@ err:
 		     __func__, ret);
 
 	kfree(pid_filt);
+	kfree(inter);
 
 	return ret;
 }
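
Review bot: kfree(inter) sits on the shared "err:" exit, so it runs for
every "goto err", not only for the new append_internal() failure in the
previous hunk. If any failure path can reach "err" after append_internal()
has linked inter into the list, this frees a node that is still referenced
from the list. Please confirm that inter is either NULL or unlinked on every
path into "err", or do the kfree at the new "if (!temp_int)" site instead.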
@@ -728,6 +733,10 @@ int altera_ci_init(struct altera_ci_conf
 		}
 
 		temp_int = append_internal(inter);
+		if (!temp_int) {
+			ret = -ENOMEM;
+			goto err;
+		}
 		inter->cis_used = 1;
 		inter->dev = config->dev;
 		inter->fpga_rw = config->fpga_rw;
@@ -796,6 +805,7 @@ err:
 	ci_dbg_print("%s: Cannot initialize CI: Error %d.\n", __func__, ret);
 
 	kfree(state);
+	kfree(inter);
 
 	return ret;
 }
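
Review bot: kfree(inter) on this "err:" exit ignores the use count that the
hunk above maintains (inter->cis_used = 1). If inter can already be in use
by another CI or filter instance when altera_ci_init() fails, freeing it
unconditionally here takes it away from the other user. Suggest freeing only
when this call allocated inter and it was never linked, and saying so in a
comment next to the kfree.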




* [PATCH 4.4 100/160] MIPS: kexec: Mark CPU offline before disabling local IRQ
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 099/160] media: pci: cx23885: handle adding to list failure Greg Kroah-Hartman
@ 2018-11-19 16:28 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 101/160] powerpc/boot: Ensure _zimage_start is a weak symbol Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dengcheng Zhu, Paul Burton, pburton,
	ralf, linux-mips, rachel.mozes, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dengcheng Zhu <dzhu@wavecomp.com>

[ Upstream commit dc57aaf95a516f70e2d527d8287a0332c481a226 ]

After changing CPU online status, it will not be sent any IPIs such as in
__flush_cache_all() on software coherency systems. Do this before disabling
local IRQ.

Signed-off-by: Dengcheng Zhu <dzhu@wavecomp.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/20571/
Cc: pburton@wavecomp.com
Cc: ralf@linux-mips.org
Cc: linux-mips@linux-mips.org
Cc: rachel.mozes@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/kernel/crash.c         |    3 +++
 arch/mips/kernel/machine_kexec.c |    3 +++
 2 files changed, 6 insertions(+)

--- a/arch/mips/kernel/crash.c
+++ b/arch/mips/kernel/crash.c
@@ -34,6 +34,9 @@ static void crash_shutdown_secondary(voi
 	if (!cpu_online(cpu))
 		return;
 
+	/* We won't be sent IPIs any more. */
+	set_cpu_online(cpu, false);
+
 	local_irq_disable();
 	if (!cpumask_test_cpu(cpu, &cpus_in_crash))
 		crash_save_cpu(regs, cpu);
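
Review bot: with set_cpu_online(cpu, false) added here, the
"if (!cpu_online(cpu)) return;" guard just above now also fires on any
second call of crash_shutdown_secondary() for the same CPU, before the
cpus_in_crash test is reached. The cpus_in_crash test suggests repeat calls
were anticipated, so please confirm the early return is the intended
behaviour on re-entry. The comment would also be more useful if it stated
the ordering requirement (must precede local_irq_disable()), as the
machine_kexec.c comment does.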
--- a/arch/mips/kernel/machine_kexec.c
+++ b/arch/mips/kernel/machine_kexec.c
@@ -95,6 +95,9 @@ machine_kexec(struct kimage *image)
 			*ptr = (unsigned long) phys_to_virt(*ptr);
 	}
 
+	/* Mark offline BEFORE disabling local irq. */
+	set_cpu_online(smp_processor_id(), false);
+
 	/*
 	 * we do not want to be bothered.
 	 */
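
Review bot: the comment above set_cpu_online(smp_processor_id(), false)
states the ordering but not the reason for it. The changelog gives the
reason (an offline CPU is no longer sent IPIs such as the ones from
__flush_cache_all() on software coherency systems); put that in the comment
so a later cleanup does not move the call back below the IRQ disable.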




* [PATCH 4.4 101/160] powerpc/boot: Ensure _zimage_start is a weak symbol
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2018-11-19 16:28 ` [PATCH 4.4 100/160] MIPS: kexec: Mark CPU offline before disabling local IRQ Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 102/160] sc16is7xx: Fix for multi-channel stall Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Nick Desaulniers,
	Michael Ellerman, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joel Stanley <joel@jms.id.au>

[ Upstream commit ee9d21b3b3583712029a0db65a4b7c081d08d3b3 ]

When building with clang crt0's _zimage_start is not marked weak, which
breaks the build when linking the kernel image:

 $ objdump -t arch/powerpc/boot/crt0.o |grep _zimage_start$
 0000000000000058 g       .text  0000000000000000 _zimage_start

 ld: arch/powerpc/boot/wrapper.a(crt0.o): in function '_zimage_start':
 (.text+0x58): multiple definition of '_zimage_start';
 arch/powerpc/boot/pseries-head.o:(.text+0x0): first defined here

Clang requires the .weak directive to appear after the symbol is
declared. The binutils manual says:

 This directive sets the weak attribute on the comma separated list of
 symbol names. If the symbols do not already exist, they will be
 created.

So it appears this is different with clang. The only reference I could
see for this was an OpenBSD mailing list post[1].

Changing it to be after the declaration fixes building with Clang, and
still works with GCC.

 $ objdump -t arch/powerpc/boot/crt0.o |grep _zimage_start$
 0000000000000058  w      .text	0000000000000000 _zimage_start

Reported to clang as https://bugs.llvm.org/show_bug.cgi?id=38921

[1] https://groups.google.com/forum/#!topic/fa.openbsd.tech/PAgKKen2YCY

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/boot/crt0.S |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/powerpc/boot/crt0.S
+++ b/arch/powerpc/boot/crt0.S
@@ -47,8 +47,10 @@ p_end:		.long	_end
 p_pstack:	.long	_platform_stack_top
 #endif
 
-	.weak	_zimage_start
 	.globl	_zimage_start
+	/* Clang appears to require the .weak directive to be after the symbol
+	 * is defined. See https://bugs.llvm.org/show_bug.cgi?id=38921  */
+	.weak	_zimage_start
 _zimage_start:
 	.globl	_zimage_start_lib
 _zimage_start_lib:
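
Review bot: the new comment says the .weak directive must come "after the
symbol is defined", but the directive is placed after ".globl _zimage_start"
and before the "_zimage_start:" label, that is, after the declaration and
before the definition. The changelog says "declared"; use the same word in
the comment. The comment's closing "*/" should also go on its own line to
match the usual multi-line comment style.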




* [PATCH 4.4 102/160] sc16is7xx: Fix for multi-channel stall
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 101/160] powerpc/boot: Ensure _zimage_start is a weak symbol Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 103/160] media: tvp5150: fix width alignment during set_selection() Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Phil Elwell, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Phil Elwell <phil@raspberrypi.org>

[ Upstream commit 8344498721059754e09d30fe255a12dab8fb03ef ]

The SC16IS752 is a dual-channel device. The two channels are largely
independent, but the IRQ signals are wired together as an open-drain,
active low signal which will be driven low while either of the
channels requires attention, which can be for significant periods of
time until operations complete and the interrupt can be acknowledged.
In that respect it should be treated as a true level-sensitive IRQ.

The kernel, however, needs to be able to exit interrupt context in
order to use I2C or SPI to access the device registers (which may
involve sleeping).  Therefore the interrupt needs to be masked out or
paused in some way.

The usual way to manage sleeping from within an interrupt handler
is to use a threaded interrupt handler - a regular interrupt routine
does the minimum amount of work needed to triage the interrupt before
waking the interrupt service thread. If the threaded IRQ is marked as
IRQF_ONESHOT the kernel will automatically mask out the interrupt
until the thread runs to completion. The sc16is7xx driver used to
use a threaded IRQ, but a patch switched to using a kthread_worker
in order to set realtime priorities on the handler thread and for
other optimisations. The end result is a non-threaded IRQ that
schedules some work then returns IRQ_HANDLED, making the kernel
think that all IRQ processing has completed.

The work-around to prevent a constant stream of interrupts is to
mark the interrupt as edge-sensitive rather than level-sensitive,
but interpreting an active-low source as a falling-edge source
requires care to prevent a total cessation of interrupts. Whereas
an edge-triggering source will generate a new edge for every interrupt
condition a level-triggering source will keep the signal at the
interrupting level until it no longer requires attention; in other
words, the host won't see another edge until all interrupt conditions
are cleared. It is therefore vital that the interrupt handler does not
exit with an outstanding interrupt condition, otherwise the kernel
will not receive another interrupt unless some other operation causes
the interrupt state on the device to be cleared.

The existing sc16is7xx driver has a very simple interrupt "thread"
(kthread_work job) that processes interrupts on each channel in turn
until there are no more. If both channels are active and the first
channel starts interrupting while the handler for the second channel
is running then it will not be detected and an IRQ stall ensues. This
could be handled easily if there was a shared IRQ status register, or
a convenient way to determine if the IRQ had been deasserted for any
length of time, but both appear to be lacking.

Avoid this problem (or at least make it much less likely to happen)
by reducing the granularity of per-channel interrupt processing
to one condition per iteration, only exiting the overall loop when
both channels are no longer interrupting.

Signed-off-by: Phil Elwell <phil@raspberrypi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/sc16is7xx.c |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/drivers/tty/serial/sc16is7xx.c
+++ b/drivers/tty/serial/sc16is7xx.c
@@ -648,7 +648,7 @@ static void sc16is7xx_handle_tx(struct u
 		uart_write_wakeup(port);
 }
 
-static void sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno)
+static bool sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno)
 {
 	struct uart_port *port = &s->p[portno].port;
 
@@ -657,7 +657,7 @@ static void sc16is7xx_port_irq(struct sc
 
 		iir = sc16is7xx_port_read(port, SC16IS7XX_IIR_REG);
 		if (iir & SC16IS7XX_IIR_NO_INT_BIT)
-			break;
+			return false;
 
 		iir &= SC16IS7XX_IIR_ID_MASK;
 
@@ -685,16 +685,23 @@ static void sc16is7xx_port_irq(struct sc
 					    port->line, iir);
 			break;
 		}
-	} while (1);
+	} while (0);
+	return true;
 }
 
 static void sc16is7xx_ist(struct kthread_work *ws)
 {
 	struct sc16is7xx_port *s = to_sc16is7xx_port(ws, irq_work);
-	int i;
 
-	for (i = 0; i < s->devtype->nr_uart; ++i)
-		sc16is7xx_port_irq(s, i);
+	while (1) {
+		bool keep_polling = false;
+		int i;
+
+		for (i = 0; i < s->devtype->nr_uart; ++i)
+			keep_polling |= sc16is7xx_port_irq(s, i);
+		if (!keep_polling)
+			break;
+	}
 }
 
 static irqreturn_t sc16is7xx_irq(int irq, void *dev_id)
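
Review bot: the new "while (1)" in sc16is7xx_ist() has no exit other than
every port returning false in the same pass, so a port that keeps reporting
an interrupt condition keeps the kthread worker in this loop indefinitely.
Please add a comment explaining why termination is expected, and consider a
yield point inside the loop. Separately, "do { ... } while (0)" in
sc16is7xx_port_irq() is now a single pass; the wrapper only serves the
"break" statements and could be replaced by straight-line code.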




* [PATCH 4.4 103/160] media: tvp5150: fix width alignment during set_selection()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 102/160] sc16is7xx: Fix for multi-channel stall Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 104/160] 9p locks: fix glock.client_id leak in do_lock Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marco Felsch, Mauro Carvalho Chehab,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marco Felsch <m.felsch@pengutronix.de>

[ Upstream commit bd24db04101f45a9c1d874fe21b0c7eab7bcadec ]

The driver ignored the width alignment which exists due to the UYVY
colorspace format. Fix the width alignment and make use of the
provided v4l2 helper function to set the width, height and all
alignments in one.

Fixes: 963ddc63e20d ("[media] media: tvp5150: Add cropping support")

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/tvp5150.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/media/i2c/tvp5150.c
+++ b/drivers/media/i2c/tvp5150.c
@@ -870,9 +870,6 @@ static int tvp5150_s_crop(struct v4l2_su
 
 	/* tvp5150 has some special limits */
 	rect.left = clamp(rect.left, 0, TVP5150_MAX_CROP_LEFT);
-	rect.width = clamp_t(unsigned int, rect.width,
-			     TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
-			     TVP5150_H_MAX - rect.left);
 	rect.top = clamp(rect.top, 0, TVP5150_MAX_CROP_TOP);
 
 	/* Calculate height based on current standard */
@@ -886,9 +883,16 @@ static int tvp5150_s_crop(struct v4l2_su
 	else
 		hmax = TVP5150_V_MAX_OTHERS;
 
-	rect.height = clamp_t(unsigned int, rect.height,
+	/*
+	 * alignments:
+	 *  - width = 2 due to UYVY colorspace
+	 *  - height, image = no special alignment
+	 */
+	v4l_bound_align_image(&rect.width,
+			      TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
+			      TVP5150_H_MAX - rect.left, 1, &rect.height,
 			      hmax - TVP5150_MAX_CROP_TOP - rect.top,
-			      hmax - rect.top);
+			      hmax - rect.top, 0, 0);
 
 	tvp5150_write(sd, TVP5150_VERT_BLANKING_START, rect.top);
 	tvp5150_write(sd, TVP5150_VERT_BLANKING_STOP,
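
Review bot: the comment says "width = 2" while the width alignment argument
passed to v4l_bound_align_image() is 1. The helper takes alignments as
power-of-two exponents, so the code is right, but the comment reads as a
mismatch. Reword it along the lines of "width: 2^1 pixels due to UYVY" and
note that the 0 passed for height means no alignment.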




* [PATCH 4.4 104/160] 9p locks: fix glock.client_id leak in do_lock
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 103/160] media: tvp5150: fix width alignment during set_selection() Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 105/160] 9p: clear dangling pointers in p9stat_free Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dominique Martinet, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dominique Martinet <dominique.martinet@cea.fr>

[ Upstream commit b4dc44b3cac9e8327e0655f530ed0c46f2e6214c ]

the 9p client code overwrites our glock.client_id pointing to a static
buffer by an allocated string holding the network provided value which
we do not care about; free and reset the value as appropriate.

This is almost identical to the leak in v9fs_file_getlock() fixed by
Al Viro in commit ce85dd58ad5a6 ("9p: we are leaking glock.client_id
in v9fs_file_getlock()"), which was returned as an error by a coverity
false positive -- while we are here attempt to make the code slightly
more robust to future change of the net/9p/client code and hopefully
more clear to coverity that there is no problem.

Link: http://lkml.kernel.org/r/1536339057-21974-5-git-send-email-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/9p/vfs_file.c |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -204,6 +204,14 @@ static int v9fs_file_do_lock(struct file
 			break;
 		if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
 			break;
+		/*
+		 * p9_client_lock_dotl overwrites flock.client_id with the
+		 * server message, free and reuse the client name
+		 */
+		if (flock.client_id != fid->clnt->name) {
+			kfree(flock.client_id);
+			flock.client_id = fid->clnt->name;
+		}
 	}
 
 	/* map 9p status to VFS status */
@@ -235,6 +243,8 @@ out_unlock:
 		locks_lock_file_wait(filp, fl);
 		fl->fl_type = fl_type;
 	}
+	if (flock.client_id != fid->clnt->name)
+		kfree(flock.client_id);
 out:
 	return res;
 }
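
Review bot: the new kfree(flock.client_id) is placed above the "out:" label,
so any "goto out" skips it. That is only correct if every jump to "out"
happens before p9_client_lock_dotl() can have replaced flock.client_id.
Either add a comment saying so, or move the check below the label as the
v9fs_file_getlock() hunks in this patch do.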
@@ -269,7 +279,7 @@ static int v9fs_file_getlock(struct file
 
 	res = p9_client_getlock_dotl(fid, &glock);
 	if (res < 0)
-		return res;
+		goto out;
 	/* map 9p lock type to os lock type */
 	switch (glock.type) {
 	case P9_LOCK_TYPE_RDLCK:
@@ -290,7 +300,9 @@ static int v9fs_file_getlock(struct file
 			fl->fl_end = glock.start + glock.length - 1;
 		fl->fl_pid = glock.proc_id;
 	}
-	kfree(glock.client_id);
+out:
+	if (glock.client_id != fid->clnt->name)
+		kfree(glock.client_id);
 	return res;
 }
 
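
Review bot: the "glock.client_id != fid->clnt->name" test after "out:" now
also runs when p9_client_getlock_dotl() returned an error (the "goto out" in
the previous hunk), so it depends on that function leaving client_id either
untouched or pointing at a valid allocation on failure. That contract lives
in net/9p and is not visible here; please state it in a comment at the
label. The same pointer comparison now appears three times in this file and
would read better as a small helper.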




* [PATCH 4.4 105/160] 9p: clear dangling pointers in p9stat_free
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 104/160] 9p locks: fix glock.client_id leak in do_lock Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 106/160] cdrom: fix improper type cast, which can leat to information leak Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dominique Martinet,
	syzbot+d4252148d198410b864f, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dominique Martinet <dominique.martinet@cea.fr>

[ Upstream commit 62e3941776fea8678bb8120607039410b1b61a65 ]

p9stat_free is more of a cleanup function than a 'free' function as it
only frees the content of the struct; there are chances of use-after-free
if it is improperly used (e.g. p9stat_free called twice as it used to be
possible to)

Clearing dangling pointers makes the function idempotent and safer to use.

Link: http://lkml.kernel.org/r/1535410108-20650-2-git-send-email-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/9p/protocol.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -46,10 +46,15 @@ p9pdu_writef(struct p9_fcall *pdu, int p
 void p9stat_free(struct p9_wstat *stbuf)
 {
 	kfree(stbuf->name);
+	stbuf->name = NULL;
 	kfree(stbuf->uid);
+	stbuf->uid = NULL;
 	kfree(stbuf->gid);
+	stbuf->gid = NULL;
 	kfree(stbuf->muid);
+	stbuf->muid = NULL;
 	kfree(stbuf->extension);
+	stbuf->extension = NULL;
 }
 EXPORT_SYMBOL(p9stat_free);
 
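
Review bot: nothing at the function tells callers that p9stat_free()
releases only the members and not stbuf itself, which is the misuse the
changelog describes. Add a short comment above "void p9stat_free(...)"
stating that, and that the function may be called more than once on the same
struct. The kfree/NULL pairs make sequential repeat calls safe but do not
serialise concurrent callers; say so if callers are expected to hold a lock.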



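The idempotence argument in the p9stat_free message above, as an added stand-alone C model (not code from the patch or from net/9p): it calls a keep-pointers cleanup and a clear-pointers cleanup twice each and counts repeated frees. The struct, the tracker and all function names are constructed for this illustration; the tracker defers the real free() so a repeated free is counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a record that owns five heap strings. */
struct model_wstat {
	char *name, *uid, *gid, *muid, *extension;
};

/* Allocation tracker: tracked_free() only marks a slot as released and the
 * memory is really freed in tracker_reset(), so pointer values stay valid
 * and a second free of the same pointer can be detected safely. */
#define MAX_SLOTS 16
static struct { void *ptr; int released; } slots[MAX_SLOTS];
static int nslots;
static int repeat_frees;

static char *tracked_strdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = (nslots < MAX_SLOTS) ? malloc(n) : NULL;

	if (!p)
		return NULL;
	memcpy(p, s, n);
	slots[nslots].ptr = p;
	slots[nslots].released = 0;
	nslots++;
	return p;
}

static void tracked_free(void *p)
{
	if (!p)
		return;			/* like kfree(NULL): a no-op */
	for (int i = 0; i < nslots; i++) {
		if (slots[i].ptr != p)
			continue;
		if (slots[i].released)
			repeat_frees++;	/* would have been a double free */
		slots[i].released = 1;
		return;
	}
}

static void tracker_reset(void)
{
	for (int i = 0; i < nslots; i++)
		free(slots[i].ptr);
	nslots = 0;
	repeat_frees = 0;
}

/* Pre-patch shape: members are freed but keep their stale values. */
void cleanup_keep(struct model_wstat *st)
{
	tracked_free(st->name);
	tracked_free(st->uid);
	tracked_free(st->gid);
	tracked_free(st->muid);
	tracked_free(st->extension);
}

/* Post-patch shape: every member is cleared right after it is freed. */
void cleanup_clear(struct model_wstat *st)
{
	tracked_free(st->name);      st->name = NULL;
	tracked_free(st->uid);       st->uid = NULL;
	tracked_free(st->gid);       st->gid = NULL;
	tracked_free(st->muid);      st->muid = NULL;
	tracked_free(st->extension); st->extension = NULL;
}

/* Runs the chosen cleanup twice on one record; returns repeated frees. */
int repeat_frees_after_two_calls(int clear_pointers)
{
	struct model_wstat st = {
		tracked_strdup("file"), tracked_strdup("user"),
		tracked_strdup("group"), tracked_strdup("muser"),
		tracked_strdup("ext"),	/* constructed sample values */
	};
	int seen;

	for (int call = 0; call < 2; call++) {
		if (clear_pointers)
			cleanup_clear(&st);
		else
			cleanup_keep(&st);
	}
	seen = repeat_frees;
	tracker_reset();
	return seen;
}

int main(void)
{
	printf("keep pointers:  %d repeated frees\n",
	       repeat_frees_after_two_calls(0));
	printf("clear pointers: %d repeated frees\n",
	       repeat_frees_after_two_calls(1));
	return 0;
}
```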

* [PATCH 4.4 106/160] cdrom: fix improper type cast, which can leat to information leak.
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 105/160] 9p: clear dangling pointers in p9stat_free Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 107/160] scsi: qla2xxx: Fix incorrect port speed being set for FC adapters Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Young_X, Jens Axboe, Ben Hutchings

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Young_X <YangX92@hotmail.com>

commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 upstream.

There is another cast from unsigned long to int which causes
a bounds check to fail with specially crafted input. The value is
then used as an index in the slot array in cdrom_slot_status().

This issue is similar to CVE-2018-16658 and CVE-2018-10940.

Signed-off-by: Young_X <YangX92@hotmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cdrom/cdrom.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2425,7 +2425,7 @@ static int cdrom_ioctl_select_disc(struc
 		return -ENOSYS;
 
 	if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
-		if ((int)arg >= cdi->capacity)
+		if (arg >= cdi->capacity)
 			return -EINVAL;
 	}
 
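
Review bot: "arg >= cdi->capacity" now compares at the width of arg, which
closes the truncation, but it mixes arg (unsigned long per the changelog)
with cdi->capacity, whose type is not visible in this hunk. If capacity is a
signed type it is converted to unsigned for the compare, so a negative
capacity would let almost any arg through. Please write the conversion
explicitly or note that capacity is never negative, and add a comment that
arg is used as an array index afterwards so the cast does not come back.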



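The truncation described in the cdrom message above, as an added stand-alone C model (not code from the patch or the kernel): it puts the pre-patch and post-patch shapes of the check side by side and adds a stricter variant that goes beyond the patch. The function names, the MODEL_SEL_* values and the sample arguments are constructed, and the narrowing result assumes the wrap-around conversion that GCC and Clang implement.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-ins for the two reserved selector values that the hunk
 * exempts from the range check; names and values are hypothetical. */
#define MODEL_SEL_CURRENT ((unsigned long)INT_MAX)
#define MODEL_SEL_NONE    ((unsigned long)INT_MAX - 1)

/* Pre-patch shape: the argument is narrowed to int before the compare.
 * Values above INT_MAX turn into negative or small ints and slip under any
 * positive capacity, although the caller still holds the large value. */
int check_with_cast(unsigned long arg, int capacity)
{
	if (arg != MODEL_SEL_CURRENT && arg != MODEL_SEL_NONE) {
		if ((int)arg >= capacity)
			return -EINVAL;
	}
	return 0;
}

/* Post-patch shape: compare at full width. The cast on capacity spells out
 * the conversion the compiler applies implicitly to "arg >= capacity". */
int check_full_width(unsigned long arg, int capacity)
{
	if (arg != MODEL_SEL_CURRENT && arg != MODEL_SEL_NONE) {
		if (arg >= (unsigned long)capacity)
			return -EINVAL;
	}
	return 0;
}

/* Stricter variant, beyond what the patch does: also refuse a non-positive
 * capacity, which the unsigned conversion would turn into a huge bound.
 * Whether the driver can ever see such a capacity is not shown on the page. */
int check_strict(unsigned long arg, int capacity)
{
	if (arg == MODEL_SEL_CURRENT || arg == MODEL_SEL_NONE)
		return 0;
	if (capacity <= 0 || arg >= (unsigned long)capacity)
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* Constructed sample arguments for a device with four slots. */
	const unsigned long samples[] = {
		3, 4, (unsigned long)INT_MAX + 1, ULONG_MAX,
	};
	const int capacity = 4;

	for (unsigned int i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("arg=%#lx cast=%d full=%d strict=%d\n", samples[i],
		       check_with_cast(samples[i], capacity),
		       check_full_width(samples[i], capacity),
		       check_strict(samples[i], capacity));
	return 0;
}
```

A return of 0 means the value would go on to be used as an index; only the cast version returns 0 for the two out-of-range samples.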

* [PATCH 4.4 107/160] scsi: qla2xxx: Fix incorrect port speed being set for FC adapters
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 106/160] cdrom: fix improper type cast, which can leat to information leak Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 108/160] fuse: Fix use-after-free in fuse_dev_do_read() Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Martin K. Petersen

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <himanshu.madhani@cavium.com>

commit 4c1458df9635c7e3ced155f594d2e7dfd7254e21 upstream.

Fixes: 6246b8a1d26c7c ("[SCSI] qla2xxx: Enhancements to support ISP83xx.")
Fixes: 1bb395485160d2 ("qla2xxx: Correct iiDMA-update calling conventions.")
Cc: <stable@vger.kernel.org>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_mbx.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -3315,10 +3315,7 @@ qla2x00_set_idma_speed(scsi_qla_host_t *
 	mcp->mb[0] = MBC_PORT_PARAMS;
 	mcp->mb[1] = loop_id;
 	mcp->mb[2] = BIT_0;
-	if (IS_CNA_CAPABLE(vha->hw))
-		mcp->mb[3] = port_speed & (BIT_5|BIT_4|BIT_3|BIT_2|BIT_1|BIT_0);
-	else
-		mcp->mb[3] = port_speed & (BIT_2|BIT_1|BIT_0);
+	mcp->mb[3] = port_speed & (BIT_5|BIT_4|BIT_3|BIT_2|BIT_1|BIT_0);
 	mcp->mb[9] = vha->vp_idx;
 	mcp->out_mb = MBX_9|MBX_3|MBX_2|MBX_1|MBX_0;
 	mcp->in_mb = MBX_3|MBX_1|MBX_0;
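
Review bot: the changelog carries only Fixes tags, so the reason the
IS_CNA_CAPABLE() branch can be dropped is not recorded anywhere. The removed
"else" limited mb[3] to BIT_2..BIT_0 on non-CNA adapters; please say in the
changelog which speed values were being truncated by that mask. The six-bit
mask in "mcp->mb[3] = port_speed & (BIT_5|...|BIT_0)" would also be easier
to audit as a named constant.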




* [PATCH 4.4 108/160] fuse: Fix use-after-free in fuse_dev_do_read()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 107/160] scsi: qla2xxx: Fix incorrect port speed being set for FC adapters Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 109/160] fuse: Fix use-after-free in fuse_dev_do_write() Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+4e975615ca01f2277bdd,
	Kirill Tkhai, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill Tkhai <ktkhai@virtuozzo.com>

commit bc78abbd55dd28e2287ec6d6502b842321a17c87 upstream.

We may pick freed req in this way:

[cpu0]                                  [cpu1]
fuse_dev_do_read()                      fuse_dev_do_write()
   list_move_tail(&req->list, ...);     ...
   spin_unlock(&fpq->lock);             ...
   ...                                  request_end(fc, req);
   ...                                    fuse_put_request(fc, req);
   if (test_bit(FR_INTERRUPTED, ...))
         queue_interrupt(fiq, req);

Fix that by keeping req alive until we finish all manipulations.

Reported-by: syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1328,12 +1328,14 @@ static ssize_t fuse_dev_do_read(struct f
 		goto out_end;
 	}
 	list_move_tail(&req->list, &fpq->processing);
+	__fuse_get_request(req);
 	spin_unlock(&fpq->lock);
 	set_bit(FR_SENT, &req->flags);
 	/* matches barrier in request_wait_answer() */
 	smp_mb__after_atomic();
 	if (test_bit(FR_INTERRUPTED, &req->flags))
 		queue_interrupt(fiq, req);
+	fuse_put_request(fc, req);
 
 	return reqsize;
 
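
Review bot: the reference taken at __fuse_get_request(req) and dropped at
fuse_put_request(fc, req) has no comment, and the pair is separated by the
unlock, the barrier and the FR_INTERRUPTED handling, so it reads as
unbalanced. Add a comment at the get saying that it keeps req alive after
fpq->lock is dropped, until queue_interrupt() is done with it, so the pair is
not split by a later change.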




* [PATCH 4.4 109/160] fuse: Fix use-after-free in fuse_dev_do_write()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 108/160] fuse: Fix use-after-free in fuse_dev_do_read() Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 110/160] fuse: fix blocked_waitq wakeup Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kirill Tkhai, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill Tkhai <ktkhai@virtuozzo.com>

commit d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 upstream.

After we found req in request_find() and released the lock,
everything may happen with the req in parallel:

cpu0                              cpu1
fuse_dev_do_write()               fuse_dev_do_write()
  req = request_find(fpq, ...)    ...
  spin_unlock(&fpq->lock)         ...
  ...                             req = request_find(fpq, oh.unique)
  ...                             spin_unlock(&fpq->lock)
  queue_interrupt(&fc->iq, req);   ...
  ...                              ...
  ...                              ...
  request_end(fc, req);
    fuse_put_request(fc, req);
  ...                              queue_interrupt(&fc->iq, req);


Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1924,16 +1924,20 @@ static ssize_t fuse_dev_do_write(struct
 
 	/* Is it an interrupt reply? */
 	if (req->intr_unique == oh.unique) {
+		__fuse_get_request(req);
 		spin_unlock(&fpq->lock);
 
 		err = -EINVAL;
-		if (nbytes != sizeof(struct fuse_out_header))
+		if (nbytes != sizeof(struct fuse_out_header)) {
+			fuse_put_request(fc, req);
 			goto err_finish;
+		}
 
 		if (oh.error == -ENOSYS)
 			fc->no_interrupt = 1;
 		else if (oh.error == -EAGAIN)
 			queue_interrupt(&fc->iq, req);
+		fuse_put_request(fc, req);
 
 		fuse_copy_finish(cs);
 		return nbytes;
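
Review bot: the reference taken at __fuse_get_request(req) is dropped in two
separate places, once inside the new "nbytes != sizeof(...)" block and once
after the oh.error handling, so any exit added between them later will leak
it. Consider computing the result first and funnelling both cases through a
single fuse_put_request(fc, req). The changelog also stops after the
interleaving diagram and never says what the fix is; one sentence stating
that req is pinned before the unlock would help.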



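The interleavings drawn in the two fuse use-after-free messages above (fuse_dev_do_read() and fuse_dev_do_write()), replayed single-threaded as an added C model that is not code from the patches or from fs/fuse. The struct, the helpers and the replay functions are constructed for this illustration; nothing is really freed, so an access after the last put is counted instead of touching freed memory.

```c
#include <stdio.h>

/* Constructed model of a refcounted request. */
struct model_req {
	int count;       /* references held */
	int freed;       /* set once the last reference is dropped */
	int late_access; /* accesses made after 'freed' was set */
	int interrupted; /* stands in for FR_INTERRUPTED */
};

struct outcome {
	int late_access; /* use-after-free events observed */
	int final_count; /* references left at the end, 0 means no leak */
};

static void req_get(struct model_req *r)
{
	r->count++;
}

static void req_put(struct model_req *r)
{
	if (--r->count == 0)
		r->freed = 1;
}

/* Every later read or write of the request goes through here. */
static void req_touch(struct model_req *r)
{
	if (r->freed)
		r->late_access++;
}

/* Read path: cpu1 ends the request between cpu0's unlock and cpu0's
 * FR_INTERRUPTED test. hold_ref selects the patched behaviour. */
struct outcome replay_read_race(int hold_ref)
{
	struct model_req req = { .count = 1, .interrupted = 1 };

	/* cpu0: list_move_tail(&req->list, &fpq->processing) */
	if (hold_ref)
		req_get(&req);		/* added __fuse_get_request() */
	/* cpu0: spin_unlock(&fpq->lock) */

	req_put(&req);			/* cpu1: request_end() drops the ref */

	req_touch(&req);		/* cpu0: test_bit(FR_INTERRUPTED, ...) */
	if (req.interrupted)
		req_touch(&req);	/* cpu0: queue_interrupt(fiq, req) */
	if (hold_ref)
		req_put(&req);		/* added fuse_put_request() */

	return (struct outcome){ req.late_access, req.count };
}

/* Write path, interrupt reply: cpu1 found the request and dropped the lock,
 * cpu0 ends it, then cpu1 calls queue_interrupt(). bad_size models the
 * nbytes mismatch exit, which must drop the extra reference too. */
struct outcome replay_write_race(int hold_ref, int bad_size)
{
	struct model_req req = { .count = 1 };

	/* cpu1: request_find() under fpq->lock */
	if (hold_ref)
		req_get(&req);		/* added __fuse_get_request() */
	/* cpu1: spin_unlock(&fpq->lock) */

	req_put(&req);			/* cpu0: request_end() drops the ref */

	if (!bad_size)
		req_touch(&req);	/* cpu1: queue_interrupt(&fc->iq, req) */
	if (hold_ref)
		req_put(&req);		/* added put, on both exits */

	return (struct outcome){ req.late_access, req.count };
}

int main(void)
{
	struct outcome before = replay_read_race(0);
	struct outcome after = replay_read_race(1);

	printf("read race:  unpatched late=%d, patched late=%d left=%d\n",
	       before.late_access, after.late_access, after.final_count);
	before = replay_write_race(0, 0);
	after = replay_write_race(1, 0);
	printf("write race: unpatched late=%d, patched late=%d left=%d\n",
	       before.late_access, after.late_access, after.final_count);
	return 0;
}
```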

* [PATCH 4.4 110/160] fuse: fix blocked_waitq wakeup
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 109/160] fuse: Fix use-after-free in fuse_dev_do_write() Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 111/160] fuse: set FR_SENT while locked Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 908a572b80f6e9577b45e81b3dfe2e22111286b8 upstream.

Using waitqueue_active() is racy.  Make sure we issue a wake_up()
unconditionally after storing into fc->blocked.  After that it's okay to
optimize with waitqueue_active() since the first wake up provides the
necessary barrier for all waiters, not just the woken one.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 3c18ef8117f0 ("fuse: optimize wake_up")
Cc: <stable@vger.kernel.org> # v3.10
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -402,12 +402,19 @@ static void request_end(struct fuse_conn
 	if (test_bit(FR_BACKGROUND, &req->flags)) {
 		spin_lock(&fc->lock);
 		clear_bit(FR_BACKGROUND, &req->flags);
-		if (fc->num_background == fc->max_background)
+		if (fc->num_background == fc->max_background) {
 			fc->blocked = 0;
-
-		/* Wake up next waiter, if any */
-		if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
 			wake_up(&fc->blocked_waitq);
+		} else if (!fc->blocked) {
+			/*
+			 * Wake up next waiter, if any.  It's okay to use
+			 * waitqueue_active(), as we've already synced up
+			 * fc->blocked with waiters with the wake_up() call
+			 * above.
+			 */
+			if (waitqueue_active(&fc->blocked_waitq))
+				wake_up(&fc->blocked_waitq);
+		}
 
 		if (fc->num_background == fc->congestion_threshold &&
 		    fc->connected && fc->bdi_initialized) {
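
Review bot: the new comment justifies waitqueue_active() by "the wake_up()
call above", but that wake_up() is in the other arm of the if/else, so it is
never executed in the same pass as the waitqueue_active() test. The comment
should say that it refers to the wake_up() issued by the earlier
request_end() call that stored 0 into fc->blocked, otherwise the next reader
will conclude the barrier argument does not hold.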




* [PATCH 4.4 111/160] fuse: set FR_SENT while locked
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 110/160] fuse: fix blocked_waitq wakeup Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 112/160] mm, elf: handle vm_brk error Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miklos Szeredi, syzbot+ef054c4d3f64cd7f7cec

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 4c316f2f3ff315cb48efb7435621e5bfb81df96d upstream.

Otherwise fuse_dev_do_write() could come in and finish off the request, and
the set_bit(FR_SENT, ...) could trigger the WARN_ON(test_bit(FR_SENT, ...))
in request_end().

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reported-by: syzbot+ef054c4d3f64cd7f7cec@syzkaller.appspotmai
Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1336,8 +1336,8 @@ static ssize_t fuse_dev_do_read(struct f
 	}
 	list_move_tail(&req->list, &fpq->processing);
 	__fuse_get_request(req);
-	spin_unlock(&fpq->lock);
 	set_bit(FR_SENT, &req->flags);
+	spin_unlock(&fpq->lock);
 	/* matches barrier in request_wait_answer() */
 	smp_mb__after_atomic();
 	if (test_bit(FR_INTERRUPTED, &req->flags))
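
Review bot: set_bit(FR_SENT, &req->flags) now sits inside the fpq->lock
section with no comment saying why, and the reason (fuse_dev_do_write()
finishing the request and tripping the WARN_ON in request_end()) exists only
in the changelog. A one-line comment above the set_bit() would keep a later
cleanup from moving it back out of the lock. It is also worth stating that the
"matches barrier in request_wait_answer()" pairing still holds with
spin_unlock() now between the set_bit() and smp_mb__after_atomic().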




* [PATCH 4.4 112/160] mm, elf: handle vm_brk error
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 111/160] fuse: set FR_SENT while locked Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 113/160] binfmt_elf: fix calculations for bss padding Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Hocko, Vlastimil Babka,
	Alexander Viro, Andrew Morton, Linus Torvalds, Ben Hutchings,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

commit ecc2bc8ac03884266cf73f8a2a42b911465b2fbc upstream.

load_elf_library doesn't handle vm_brk failure although nothing really
indicates it cannot do that because the function is allowed to fail due
to vm_mmap failures already.  This might not be a problem now, but a later
patch will make vm_brk killable (resp.  mmap_sem for write waiting will
become killable) and so the failure will be more probable.

Signed-off-by: Michal Hocko <mhocko@suse.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/binfmt_elf.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 62bc72001fce..70ea4b9c6dd9 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1215,8 +1215,11 @@ static int load_elf_library(struct file *file)
 	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
 			    ELF_MIN_ALIGN - 1);
 	bss = eppnt->p_memsz + eppnt->p_vaddr;
-	if (bss > len)
-		vm_brk(len, bss - len);
+	if (bss > len) {
+		error = vm_brk(len, bss - len);
+		if (BAD_ADDR(error))
+			goto out_free_ph;
+	}
 	error = 0;
 
 out_free_ph:
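
Review bot: the vm_brk() result is stored in error, whose type this hunk does
not show; load_elf_library() returns int while vm_brk() returns unsigned long
(an address on success in this tree, per the backport notes later in the
series). If error is an int, a successful address above INT_MAX is truncated
before BAD_ADDR(error) tests it. Either hold the result in an unsigned long
local, or add a comment on why the narrowing is safe in this function.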
-- 
2.17.1





* [PATCH 4.4 113/160] binfmt_elf: fix calculations for bss padding
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 112/160] mm, elf: handle vm_brk error Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 114/160] mm: refuse wrapped vm_brk requests Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Hector Marco-Gisbert,
	Ismael Ripoll Ripoll, Alexander Viro, Kirill A. Shutemov,
	Oleg Nesterov, Chen Gang, Michal Hocko, Konstantin Khlebnikov,
	Andrea Arcangeli, Andrey Ryabinin, Andrew Morton, Linus Torvalds,
	Ben Hutchings, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

commit 0036d1f7eb95bcc52977f15507f00dd07018e7e2 upstream.

A double-bug exists in the bss calculation code, where an overflow can
happen in the "last_bss - elf_bss" calculation, but vm_brk internally
aligns the argument, underflowing it, wrapping back around safe.  We
shouldn't depend on these bugs staying in sync, so this cleans up the
bss padding handling to avoid the overflow.

This moves the bss padzero() before the last_bss > elf_bss case, since
the zero-filling of the ELF_PAGE should have nothing to do with the
relationship of last_bss and elf_bss: any trailing portion should be
zeroed, and a zero size is already handled by padzero().

Then it handles the math on elf_bss vs last_bss correctly.  These need
to both be ELF_PAGE aligned to get the comparison correct, since that's
the expected granularity of the mappings.  Since elf_bss already had
alignment-based padding happen in padzero(), the "start" of the new
vm_brk() should be moved forward as done in the original code.  However,
since the "end" of the vm_brk() area will already become PAGE_ALIGNed in
vm_brk() then last_bss should get aligned here to avoid hiding it as a
side-effect.

Additionally makes a cosmetic change to the initial last_bss calculation
so it's easier to read in comparison to the load_addr calculation above
it (i.e.  the only difference is p_filesz vs p_memsz).

Link: http://lkml.kernel.org/r/1468014494-25291-2-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Ismael Ripoll Ripoll <iripoll@upv.es>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Chen Gang <gang.chen.5i5j@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/binfmt_elf.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 70ea4b9c6dd9..2963a23f7a80 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -604,28 +604,30 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
 			 * Do the same thing for the memory mapping - between
 			 * elf_bss and last_bss is the bss section.
 			 */
-			k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
+			k = load_addr + eppnt->p_vaddr + eppnt->p_memsz;
 			if (k > last_bss)
 				last_bss = k;
 		}
 	}
 
+	/*
+	 * Now fill out the bss section: first pad the last page from
+	 * the file up to the page boundary, and zero it from elf_bss
+	 * up to the end of the page.
+	 */
+	if (padzero(elf_bss)) {
+		error = -EFAULT;
+		goto out;
+	}
+	/*
+	 * Next, align both the file and mem bss up to the page size,
+	 * since this is where elf_bss was just zeroed up to, and where
+	 * last_bss will end after the vm_brk() below.
+	 */
+	elf_bss = ELF_PAGEALIGN(elf_bss);
+	last_bss = ELF_PAGEALIGN(last_bss);
+	/* Finally, if there is still more bss to allocate, do it. */
 	if (last_bss > elf_bss) {
-		/*
-		 * Now fill out the bss section.  First pad the last page up
-		 * to the page boundary, and then perform a mmap to make sure
-		 * that there are zero-mapped pages up to and including the
-		 * last bss page.
-		 */
-		if (padzero(elf_bss)) {
-			error = -EFAULT;
-			goto out;
-		}
-
-		/* What we have mapped so far */
-		elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
-
-		/* Map the last of the bss segment */
 		error = vm_brk(elf_bss, last_bss - elf_bss);
 		if (BAD_ADDR(error))
 			goto out;
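
Review bot: last_bss = ELF_PAGEALIGN(last_bss) is an unchecked round-up of a
value built from program header fields (load_addr + p_vaddr + p_memsz). If
last_bss lies within ELF_MIN_ALIGN of the top of the address space, the
round-up wraps to 0, last_bss > elf_bss is false, and the bss mapping is
skipped without an error. Nothing in this hunk bounds k, so either test for the
wrap after aligning and fail, or point in a comment to the earlier check that
rules it out.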
-- 
2.17.1





* [PATCH 4.4 114/160] mm: refuse wrapped vm_brk requests
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 113/160] binfmt_elf: fix calculations for bss padding Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 115/160] fs, elf: make sure to page align bss in load_elf_library Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Hector Marco-Gisbert,
	Ismael Ripoll Ripoll, Alexander Viro, Kirill A. Shutemov,
	Oleg Nesterov, Chen Gang, Michal Hocko, Konstantin Khlebnikov,
	Andrea Arcangeli, Andrey Ryabinin, Andrew Morton, Linus Torvalds,
	Ben Hutchings, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

commit ba093a6d9397da8eafcfbaa7d95bd34255da39a0 upstream.

The vm_brk() alignment calculations should refuse to overflow.  The ELF
loader was depending on this, but it has been fixed now.  No other unsafe
callers have been found.

Link: http://lkml.kernel.org/r/1468014494-25291-3-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Ismael Ripoll Ripoll <iripoll@upv.es>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Chen Gang <gang.chen.5i5j@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/mmap.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 39f5fbd07486..dd9205542a86 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2808,16 +2808,18 @@ static inline void verify_mm_writelocked(struct mm_struct *mm)
  *  anonymous maps.  eventually we may be able to do some
  *  brk-specific accounting here.
  */
-static unsigned long do_brk(unsigned long addr, unsigned long len)
+static unsigned long do_brk(unsigned long addr, unsigned long request)
 {
 	struct mm_struct *mm = current->mm;
 	struct vm_area_struct *vma, *prev;
-	unsigned long flags;
+	unsigned long flags, len;
 	struct rb_node **rb_link, *rb_parent;
 	pgoff_t pgoff = addr >> PAGE_SHIFT;
 	int error;
 
-	len = PAGE_ALIGN(len);
+	len = PAGE_ALIGN(request);
+	if (len < request)
+		return -ENOMEM;
 	if (!len)
 		return addr;
 
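
Review bot: do_brk() now reports three different outcomes through one unsigned
long (-ENOMEM when the round-up wraps, addr for a zero length, and the normal
result), and the comment block above the function mentions none of them.
Please document that callers must test the result with BAD_ADDR() or
IS_ERR_VALUE() and not against 0. The new check also covers only the round-up
of request; it says nothing about addr + len, so the changelog should note
where that sum is validated.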
-- 
2.17.1
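
The interaction described in the changelogs of patches 113 and 114, as an added user-space example that is not part of the patches: the old bss calculation wraps on subtraction, the unchecked page rounding wraps it back to zero, and the new length check turns that same request into -ENOMEM. It assumes 4 KiB pages with ELF_MIN_ALIGN equal to the page size; the SIM_ macros and the function names are hypothetical stand-ins for the kernel code.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Assumptions (not kernel code): 4 KiB pages and ELF_MIN_ALIGN == PAGE_SIZE.
 * The SIM_ macros are user-space stand-ins for ELF_PAGESTART, ELF_PAGEALIGN
 * and PAGE_ALIGN.
 */
#define SIM_PAGE_SIZE 4096UL
#define SIM_PAGESTART(v) ((v) & ~(SIM_PAGE_SIZE - 1))
#define SIM_PAGEALIGN(v) (((v) + SIM_PAGE_SIZE - 1) & ~(SIM_PAGE_SIZE - 1))

/* Size the pre-fix load_elf_interp() passed to vm_brk(); 0 if it made no call. */
static unsigned long bss_request_old(unsigned long elf_bss, unsigned long last_bss)
{
	if (last_bss <= elf_bss)
		return 0;
	/* Only the start is rounded up, so it can move past last_bss. */
	elf_bss = SIM_PAGESTART(elf_bss + SIM_PAGE_SIZE - 1);
	return last_bss - elf_bss;	/* wraps when elf_bss > last_bss */
}

/* Size after the fix: both ends are aligned before they are compared. */
static unsigned long bss_request_new(unsigned long elf_bss, unsigned long last_bss)
{
	elf_bss = SIM_PAGEALIGN(elf_bss);
	last_bss = SIM_PAGEALIGN(last_bss);
	if (last_bss <= elf_bss)
		return 0;
	return last_bss - elf_bss;
}

/* Length rounding without the wrap check: 0 means "map nothing, report success". */
static unsigned long brk_len_old(unsigned long request)
{
	return SIM_PAGEALIGN(request);
}

/* Length rounding with the wrap check; returns 0 on success or -ENOMEM. */
static int brk_len_checked(unsigned long request, unsigned long *len)
{
	unsigned long aligned = SIM_PAGEALIGN(request);

	if (aligned < request)
		return -ENOMEM;
	*len = aligned;
	return 0;
}

int main(void)
{
	/* Constructed values: file data ends at 0x10010, bss ends at 0x10800 (same page). */
	unsigned long elf_bss = 0x10010UL, last_bss = 0x10800UL, len = 0;
	unsigned long req = bss_request_old(elf_bss, last_bss);

	printf("old request      = %#lx\n", req);
	printf("old rounding     = %#lx\n", brk_len_old(req));
	printf("checked rounding = %d\n", brk_len_checked(req, &len));
	printf("new request      = %#lx\n", bss_request_new(elf_bss, last_bss));
	return 0;
}
```

This is why the series orders the loader fix before the vm_brk() check: applying the check alone would make the old loader path fail for a bss that ends inside the last file-backed page.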





* [PATCH 4.4 115/160] fs, elf: make sure to page align bss in load_elf_library
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 114/160] mm: refuse wrapped vm_brk requests Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 116/160] mm: do not bug_on on incorrect length in __mm_populate() Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oscar Salvador,
	syzbot+5dcb560fe12aa5091c06, Tetsuo Handa, Kees Cook,
	Michal Hocko, Nicolas Pitre, Andrew Morton, Linus Torvalds,
	Ben Hutchings, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

commit 24962af7e1041b7e50c1bc71d8d10dc678c556b5 upstream.

The current code does not make sure to page align bss before calling
vm_brk(), and this can lead to a VM_BUG_ON() in __mm_populate() due to
the requested length not being correctly aligned.

Let us make sure to align it properly.

Kees: only applicable to CONFIG_USELIB kernels: 32-bit and configured
for libc5.

Link: http://lkml.kernel.org/r/20180705145539.9627-1-osalvador@techadventures.net
Signed-off-by: Oscar Salvador <osalvador@suse.de>
Reported-by: syzbot+5dcb560fe12aa5091c06@syzkaller.appspotmail.com
Tested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/binfmt_elf.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 2963a23f7a80..f010d6c8dd14 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1214,9 +1214,8 @@ static int load_elf_library(struct file *file)
 		goto out_free_ph;
 	}
 
-	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
-			    ELF_MIN_ALIGN - 1);
-	bss = eppnt->p_memsz + eppnt->p_vaddr;
+	len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
+	bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
 	if (bss > len) {
 		error = vm_brk(len, bss - len);
 		if (BAD_ADDR(error))
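
Review bot: both sums, eppnt->p_filesz + eppnt->p_vaddr and eppnt->p_memsz +
eppnt->p_vaddr, come from the program header and are rounded up with no wrap
check. If the bss sum or its ELF_PAGEALIGN() wraps, bss > len is false and the
vm_brk() call is skipped silently. Add an explicit overflow check before the
comparison, or cite the earlier validation of eppnt if there is one. Minor:
len is used as the start address in vm_brk(len, bss - len), so a name that
says so would read better while these lines are being touched.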
-- 
2.17.1





* [PATCH 4.4 116/160] mm: do not bug_on on incorrect length in __mm_populate()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 115/160] fs, elf: make sure to page align bss in load_elf_library Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 117/160] e1000: avoid null pointer dereference on invalid stat type Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Hocko, syzbot, Tetsuo Handa,
	Oscar Salvador, Zi Yan, Aneesh Kumar K.V, Dan Williams,
	Kirill A. Shutemov, Michael S. Tsirkin, Al Viro, Huang, Ying,
	Andrew Morton, Linus Torvalds, Ben Hutchings, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

commit bb177a732c4369bb58a1fe1df8f552b6f0f7db5f upstream.

syzbot has noticed that a specially crafted library can easily hit
VM_BUG_ON in __mm_populate

  kernel BUG at mm/gup.c:1242!
  invalid opcode: 0000 [#1] SMP
  CPU: 2 PID: 9667 Comm: a.out Not tainted 4.18.0-rc3 #644
  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
  RIP: 0010:__mm_populate+0x1e2/0x1f0
  Code: 55 d0 65 48 33 14 25 28 00 00 00 89 d8 75 21 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 75 18 f1 ff 0f 0b e8 6e 18 f1 ff <0f> 0b 31 db eb c9 e8 93 06 e0 ff 0f 1f 00 55 48 89 e5 53 48 89 fb
  Call Trace:
     vm_brk_flags+0xc3/0x100
     vm_brk+0x1f/0x30
     load_elf_library+0x281/0x2e0
     __ia32_sys_uselib+0x170/0x1e0
     do_fast_syscall_32+0xca/0x420
     entry_SYSENTER_compat+0x70/0x7f

The reason is that the length of the new brk is not page aligned when we
try to populate it.  There is no reason to bug on that though.
do_brk_flags already aligns the length properly so the mapping is
expanded as it should.  All we need is to tell mm_populate about it.
Besides that there is absolutely no reason to bug_on in the first
place.  The worst thing that could happen is that the last page wouldn't
get populated and that is far from putting system into an inconsistent
state.

Fix the issue by moving the length sanitization code from do_brk_flags
up to vm_brk_flags.  The only other caller of do_brk_flags is brk
syscall entry and it makes sure to provide the proper length so there
is no need for sanitation and so we can use do_brk_flags without it.

Also remove the bogus BUG_ONs.

[osalvador@techadventures.net: fix up vm_brk_flags s@request@len@]
Link: http://lkml.kernel.org/r/20180706090217.GI32658@dhcp22.suse.cz
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reported-by: syzbot <syzbot+5dcb560fe12aa5091c06@syzkaller.appspotmail.com>
Tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Zi Yan <zi.yan@cs.rutgers.edu>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Huang, Ying" <ying.huang@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 4.4:
 - There is no do_brk_flags() function; update do_brk()
 - do_brk(), vm_brk() return the address on success
 - Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/gup.c  |  2 --
 mm/mmap.c | 19 ++++++++++---------
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/mm/gup.c b/mm/gup.c
index b599526db9f7..018144c4b9ec 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -940,8 +940,6 @@ int __mm_populate(unsigned long start, unsigned long len, int ignore_errors)
 	int locked = 0;
 	long ret = 0;
 
-	VM_BUG_ON(start & ~PAGE_MASK);
-	VM_BUG_ON(len != PAGE_ALIGN(len));
 	end = start + len;
 
 	for (nstart = start; nstart < end; nstart = nend) {
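
Review bot: with both VM_BUG_ON()s gone, __mm_populate() no longer states or
enforces any alignment contract, and end = start + len is computed from
whatever the caller passed. Add a short comment above end = start + len saying
that unaligned values are tolerated and that the consequence is at most an
unpopulated last page, as the changelog argues, so the relaxed contract is
visible in the code and not only in the commit message.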
diff --git a/mm/mmap.c b/mm/mmap.c
index dd9205542a86..3074dbcd9621 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2808,21 +2808,15 @@ static inline void verify_mm_writelocked(struct mm_struct *mm)
  *  anonymous maps.  eventually we may be able to do some
  *  brk-specific accounting here.
  */
-static unsigned long do_brk(unsigned long addr, unsigned long request)
+static unsigned long do_brk(unsigned long addr, unsigned long len)
 {
 	struct mm_struct *mm = current->mm;
 	struct vm_area_struct *vma, *prev;
-	unsigned long flags, len;
+	unsigned long flags;
 	struct rb_node **rb_link, *rb_parent;
 	pgoff_t pgoff = addr >> PAGE_SHIFT;
 	int error;
 
-	len = PAGE_ALIGN(request);
-	if (len < request)
-		return -ENOMEM;
-	if (!len)
-		return addr;
-
 	flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
 
 	error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
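
Review bot: do_brk() now passes len straight to get_unmapped_area() and relies
on every caller having page-aligned it and rejected zero, but the function
comment above is unchanged and does not record that precondition. The
changelog says the brk syscall path already provides a proper length; put that
in the comment, or keep a cheap WARN_ON_ONCE() on a misaligned len here, so a
future caller cannot quietly reintroduce the unaligned case.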
@@ -2890,12 +2884,19 @@ out:
 	return addr;
 }
 
-unsigned long vm_brk(unsigned long addr, unsigned long len)
+unsigned long vm_brk(unsigned long addr, unsigned long request)
 {
 	struct mm_struct *mm = current->mm;
+	unsigned long len;
 	unsigned long ret;
 	bool populate;
 
+	len = PAGE_ALIGN(request);
+	if (len < request)
+		return -ENOMEM;
+	if (!len)
+		return addr;
+
 	down_write(&mm->mmap_sem);
 	ret = do_brk(addr, len);
 	populate = ((mm->def_flags & VM_LOCKED) != 0);
-- 
2.17.1





* [PATCH 4.4 117/160] e1000: avoid null pointer dereference on invalid stat type
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 116/160] mm: do not bug_on on incorrect length in __mm_populate() Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 118/160] e1000: fix race condition between e1000_down() and e1000_watchdog Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Alexander Duyck,
	Aaron Brown, Jeff Kirsher, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5983587c8c5ef00d6886477544ad67d495bc5479 ]

Currently if the stat type is invalid then data[i] is being set
either by dereferencing a null pointer p, or it is reading from
an incorrect previous location if we had a valid stat type
previously.  Fix this by skipping over the read of p on an invalid
stat type.

Detected by CoverityScan, CID#113385 ("Explicit null dereferenced")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
index 5ae8874bbf72..d70b2e5d5222 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
@@ -1826,11 +1826,12 @@ static void e1000_get_ethtool_stats(struct net_device *netdev,
 {
 	struct e1000_adapter *adapter = netdev_priv(netdev);
 	int i;
-	char *p = NULL;
 	const struct e1000_stats *stat = e1000_gstrings_stats;
 
 	e1000_update_stats(adapter);
-	for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++) {
+	for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++, stat++) {
+		char *p;
+
 		switch (stat->type) {
 		case NETDEV_STATS:
 			p = (char *)netdev + stat->stat_offset;
@@ -1841,15 +1842,13 @@ static void e1000_get_ethtool_stats(struct net_device *netdev,
 		default:
 			WARN_ONCE(1, "Invalid E1000 stat type: %u index %d\n",
 				  stat->type, i);
-			break;
+			continue;
 		}
 
 		if (stat->sizeof_stat == sizeof(u64))
 			data[i] = *(u64 *)p;
 		else
 			data[i] = *(u32 *)p;
-
-		stat++;
 	}
 /* BUG_ON(i != E1000_STATS_LEN); */
 }
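
Review bot: in the default case, continue now skips the store entirely, so
data[i] keeps whatever the buffer held on entry when the stat type is invalid.
Unless the ethtool core hands in a zeroed buffer, that value goes back to user
space as if it were a statistic. Set data[i] = 0 before the continue so the
slot is always defined. The commented-out BUG_ON(i != E1000_STATS_LEN) at the
end could be dropped while here.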
-- 
2.17.1





* [PATCH 4.4 118/160] e1000: fix race condition between e1000_down() and e1000_watchdog
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 117/160] e1000: avoid null pointer dereference on invalid stat type Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 119/160] bna: ethtool: Avoid reading past end of buffer Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincenzo Maffione, Aaron Brown,
	Jeff Kirsher, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 44c445c3d1b4eacff23141fa7977c3b2ec3a45c9 ]

This patch fixes a race condition that can result in the interface being
up and carrier on, but with transmits disabled in the hardware.
The bug may show up by repeatedly IFF_DOWN+IFF_UP the interface, which
allows e1000_watchdog() to interleave with e1000_down().

    CPU x                           CPU y
    --------------------------------------------------------------------
    e1000_down():
        netif_carrier_off()
                                    e1000_watchdog():
                                        if (carrier == off) {
                                            netif_carrier_on();
                                            enable_hw_transmit();
                                        }
        disable_hw_transmit();
                                    e1000_watchdog():
                                        /* carrier on, do nothing */

Signed-off-by: Vincenzo Maffione <v.maffione@gmail.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/e1000/e1000_main.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index 2a1d4a9d3c19..1f84f2fa459f 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -521,8 +521,6 @@ void e1000_down(struct e1000_adapter *adapter)
 	struct net_device *netdev = adapter->netdev;
 	u32 rctl, tctl;
 
-	netif_carrier_off(netdev);
-
 	/* disable receives in the hardware */
 	rctl = er32(RCTL);
 	ew32(RCTL, rctl & ~E1000_RCTL_EN);
@@ -538,6 +536,15 @@ void e1000_down(struct e1000_adapter *adapter)
 	E1000_WRITE_FLUSH();
 	msleep(10);
 
+	/* Set the carrier off after transmits have been disabled in the
+	 * hardware, to avoid race conditions with e1000_watchdog() (which
+	 * may be running concurrently to us, checking for the carrier
+	 * bit to decide whether it should enable transmits again). Such
+	 * a race condition would result into transmission being disabled
+	 * in the hardware until the next IFF_DOWN+IFF_UP cycle.
+	 */
+	netif_carrier_off(netdev);
+
 	napi_disable(&adapter->napi);
 
 	e1000_irq_disable(adapter);
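
Review bot: moving netif_carrier_off() after the transmit disable closes the
interleaving drawn in the changelog, but the hunk shows nothing that stops
e1000_watchdog() from running after the new netif_carrier_off() call. A
watchdog run at that point sees carrier off, which is the condition under
which the changelog says it turns the carrier on and re-enables transmits.
Please state in the new comment what prevents that (a down flag tested by the
watchdog, or the work being cancelled before this point), since the fix
depends on it.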
-- 
2.17.1





* [PATCH 4.4 119/160] bna: ethtool: Avoid reading past end of buffer
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 118/160] e1000: fix race condition between e1000_down() and e1000_watchdog Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 120/160] MIPS: Loongson-3: Fix CPU UART irq delivery problem Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Micay, Kees Cook,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4dc69c1c1fff2f587f8e737e70b4a4e7565a5c94 ]

Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, use strncpy() which will fill the trailing bytes
with zeros.

This was found with the future CONFIG_FORTIFY_SOURCE feature.

Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
index 0e4fdc3dd729..18672ad773fb 100644
--- a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
+++ b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
@@ -556,8 +556,8 @@ bnad_get_strings(struct net_device *netdev, u32 stringset, u8 *string)
 		for (i = 0; i < BNAD_ETHTOOL_STATS_NUM; i++) {
 			BUG_ON(!(strlen(bnad_net_stats_strings[i]) <
 				   ETH_GSTRING_LEN));
-			memcpy(string, bnad_net_stats_strings[i],
-			       ETH_GSTRING_LEN);
+			strncpy(string, bnad_net_stats_strings[i],
+				ETH_GSTRING_LEN);
 			string += ETH_GSTRING_LEN;
 		}
 		bmap = bna_tx_rid_mask(&bnad->bna);
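
Review bot: the strncpy() leaves a terminated, zero-padded string only because
of the BUG_ON(!(strlen(...) < ETH_GSTRING_LEN)) above it, which halts the
machine at run time over a property of a static table. Declaring
bnad_net_stats_strings with a fixed ETH_GSTRING_LEN element width would let
the compiler catch an over-long entry, and the BUG_ON could then go. The hunk
changes only this loop; if the rest of bnad_get_strings() copies other string
tables with a fixed-length memcpy(), they need the same treatment.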
-- 
2.17.1





* [PATCH 4.4 120/160] MIPS: Loongson-3: Fix CPU UART irq delivery problem
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 119/160] bna: ethtool: Avoid reading past end of buffer Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 121/160] MIPS: Loongson-3: Fix BRIDGE " Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huacai Chen, Paul Burton,
	Ralf Baechle, James Hogan, linux-mips, Fuxin Zhang, Zhangjin Wu,
	Huacai Chen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d06f8a2f1befb5a3d0aa660ab1c05e9b744456ea ]

Masking/unmasking the CPU UART irq in CP0_Status (and redirecting it to
other CPUs) may cause interrupts to be lost, especially in multi-package
machines (Package-0's UART irq cannot be delivered to others). So make
mask_loongson_irq() and unmask_loongson_irq() be no-ops.

The original problem (UART IRQ may deliver to any core) is also because
of masking/unmasking the CPU UART irq in CP0_Status. So it is safe to
remove all of the stuff.

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/20433/
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: Huacai Chen <chenhuacai@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/loongson64/loongson-3/irq.c | 43 ++-------------------------
 1 file changed, 3 insertions(+), 40 deletions(-)

diff --git a/arch/mips/loongson64/loongson-3/irq.c b/arch/mips/loongson64/loongson-3/irq.c
index 0f75b6b3d218..53424f2a53f3 100644
--- a/arch/mips/loongson64/loongson-3/irq.c
+++ b/arch/mips/loongson64/loongson-3/irq.c
@@ -48,45 +48,8 @@ static struct irqaction cascade_irqaction = {
 	.name = "cascade",
 };
 
-static inline void mask_loongson_irq(struct irq_data *d)
-{
-	clear_c0_status(0x100 << (d->irq - MIPS_CPU_IRQ_BASE));
-	irq_disable_hazard();
-
-	/* Workaround: UART IRQ may deliver to any core */
-	if (d->irq == LOONGSON_UART_IRQ) {
-		int cpu = smp_processor_id();
-		int node_id = cpu_logical_map(cpu) / loongson_sysconf.cores_per_node;
-		int core_id = cpu_logical_map(cpu) % loongson_sysconf.cores_per_node;
-		u64 intenclr_addr = smp_group[node_id] |
-			(u64)(&LOONGSON_INT_ROUTER_INTENCLR);
-		u64 introuter_lpc_addr = smp_group[node_id] |
-			(u64)(&LOONGSON_INT_ROUTER_LPC);
-
-		*(volatile u32 *)intenclr_addr = 1 << 10;
-		*(volatile u8 *)introuter_lpc_addr = 0x10 + (1<<core_id);
-	}
-}
-
-static inline void unmask_loongson_irq(struct irq_data *d)
-{
-	/* Workaround: UART IRQ may deliver to any core */
-	if (d->irq == LOONGSON_UART_IRQ) {
-		int cpu = smp_processor_id();
-		int node_id = cpu_logical_map(cpu) / loongson_sysconf.cores_per_node;
-		int core_id = cpu_logical_map(cpu) % loongson_sysconf.cores_per_node;
-		u64 intenset_addr = smp_group[node_id] |
-			(u64)(&LOONGSON_INT_ROUTER_INTENSET);
-		u64 introuter_lpc_addr = smp_group[node_id] |
-			(u64)(&LOONGSON_INT_ROUTER_LPC);
-
-		*(volatile u32 *)intenset_addr = 1 << 10;
-		*(volatile u8 *)introuter_lpc_addr = 0x10 + (1<<core_id);
-	}
-
-	set_c0_status(0x100 << (d->irq - MIPS_CPU_IRQ_BASE));
-	irq_enable_hazard();
-}
+static inline void mask_loongson_irq(struct irq_data *d) { }
+static inline void unmask_loongson_irq(struct irq_data *d) { }
 
  /* For MIPS IRQs which shared by all cores */
 static struct irq_chip loongson_irq_chip = {
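
Review bot: mask_loongson_irq() and unmask_loongson_irq() are left as empty
bodies with no comment, so the code no longer says why an irq_chip would
deliberately not mask. Add a comment carrying the changelog's reason (masking
in CP0_Status can lose interrupts on multi-package machines), or drop the two
stubs if loongson_irq_chip can do without the callbacks.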
@@ -124,7 +87,7 @@ void __init mach_init_irq(void)
 	mips_cpu_irq_init();
 	init_i8259_irqs();
 	irq_set_chip_and_handler(LOONGSON_UART_IRQ,
-			&loongson_irq_chip, handle_level_irq);
+			&loongson_irq_chip, handle_percpu_irq);
 
 	/* setup HT1 irq */
 	setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction);
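Review bot: the flow handler for LOONGSON_UART_IRQ changes from
handle_level_irq to handle_percpu_irq with no comment at the call site.
Together with the empty mask/unmask stubs introduced in the previous
hunk, nothing in this file masks the line around its handler any more,
so please say here why the per-CPU flow is the right one for this
source.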
-- 
2.17.1





* [PATCH 4.4 121/160] MIPS: Loongson-3: Fix BRIDGE irq delivery problem
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 120/160] MIPS: Loongson-3: Fix CPU UART irq delivery problem Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 122/160] xtensa: add NOTES section to the linker script Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huacai Chen, Paul Burton,
	Ralf Baechle, James Hogan, linux-mips, Fuxin Zhang, Zhangjin Wu,
	Huacai Chen, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 360fe725f8849aaddc53475fef5d4a0c439b05ae ]

After commit e509bd7da149dc349160 ("genirq: Allow migration of chained
interrupts by installing default action") Loongson-3 fails here:

setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction);

This is because both chained_action and cascade_irqaction don't have
the IRQF_SHARED flag. This will cause Loongson-3 resume to fail because
the HPET timer interrupt can't be delivered during S3. So we set the
irqchip of the chained irq to loongson_irq_chip which doesn't disable
the chained irq in CP0.Status.

Cc: stable@vger.kernel.org
Signed-off-by: Huacai Chen <chenhc@lemote.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/20434/
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: Huacai Chen <chenhuacai@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/include/asm/mach-loongson64/irq.h |  2 +-
 arch/mips/loongson64/loongson-3/irq.c       | 13 +++----------
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/arch/mips/include/asm/mach-loongson64/irq.h b/arch/mips/include/asm/mach-loongson64/irq.h
index d18c45c7c394..19ff9ce46c02 100644
--- a/arch/mips/include/asm/mach-loongson64/irq.h
+++ b/arch/mips/include/asm/mach-loongson64/irq.h
@@ -9,7 +9,7 @@
 #define MIPS_CPU_IRQ_BASE 56
 
 #define LOONGSON_UART_IRQ   (MIPS_CPU_IRQ_BASE + 2) /* UART */
-#define LOONGSON_HT1_IRQ    (MIPS_CPU_IRQ_BASE + 3) /* HT1 */
+#define LOONGSON_BRIDGE_IRQ (MIPS_CPU_IRQ_BASE + 3) /* CASCADE */
 #define LOONGSON_TIMER_IRQ  (MIPS_CPU_IRQ_BASE + 7) /* CPU Timer */
 
 #define LOONGSON_HT1_CFG_BASE		loongson_sysconf.ht_control_base
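Review bot: the macro is renamed to LOONGSON_BRIDGE_IRQ but its trailing
comment now reads /* CASCADE */, so the name and the comment use two
different terms for the same line; please pick one. LOONGSON_HT1_IRQ
also disappears entirely, and this patch only updates
arch/mips/loongson64/loongson-3/irq.c, so confirm that no other file in
the 4.4 tree still references the old name.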
diff --git a/arch/mips/loongson64/loongson-3/irq.c b/arch/mips/loongson64/loongson-3/irq.c
index 53424f2a53f3..241cb88f9c03 100644
--- a/arch/mips/loongson64/loongson-3/irq.c
+++ b/arch/mips/loongson64/loongson-3/irq.c
@@ -42,12 +42,6 @@ void mach_irq_dispatch(unsigned int pending)
 	}
 }
 
-static struct irqaction cascade_irqaction = {
-	.handler = no_action,
-	.flags = IRQF_NO_SUSPEND,
-	.name = "cascade",
-};
-
 static inline void mask_loongson_irq(struct irq_data *d) { }
 static inline void unmask_loongson_irq(struct irq_data *d) { }
 
@@ -88,11 +82,10 @@ void __init mach_init_irq(void)
 	init_i8259_irqs();
 	irq_set_chip_and_handler(LOONGSON_UART_IRQ,
 			&loongson_irq_chip, handle_percpu_irq);
+	irq_set_chip_and_handler(LOONGSON_BRIDGE_IRQ,
+			&loongson_irq_chip, handle_percpu_irq);
 
-	/* setup HT1 irq */
-	setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction);
-
-	set_c0_status(STATUSF_IP2 | STATUSF_IP6);
+	set_c0_status(STATUSF_IP2 | STATUSF_IP3 | STATUSF_IP6);
 }
 
 #ifdef CONFIG_HOTPLUG_CPU
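Review bot: the removed setup_irq() call went through cascade_irqaction,
which carried IRQF_NO_SUSPEND (deleted in the previous hunk), while the
new irq_set_chip_and_handler(LOONGSON_BRIDGE_IRQ, ...) registers no
action and sets no such flag, and the /* setup HT1 irq */ comment is
dropped without a successor. Please add a comment on the new call
explaining that the line stays enabled because loongson_irq_chip's
mask/unmask are empty, and that STATUSF_IP3 in set_c0_status() is the
bit for MIPS_CPU_IRQ_BASE + 3, so the two stay in step if the IRQ number
ever moves.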
-- 
2.17.1





* [PATCH 4.4 122/160] xtensa: add NOTES section to the linker script
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 121/160] MIPS: Loongson-3: Fix BRIDGE " Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 123/160] xtensa: make sure bFLT stack is 16 byte aligned Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 4119ba211bc4f1bf638f41e50b7a0f329f58aa16 upstream.

This section collects all source .note.* sections together in the
vmlinux image. Without it .note.Linux section may be placed at address
0, while the rest of the kernel is at its normal address, resulting in a
huge vmlinux.bin image that may not be linked into the xtensa Image.elf.

Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/boot/Makefile        |    2 +-
 arch/xtensa/kernel/vmlinux.lds.S |    1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

--- a/arch/xtensa/boot/Makefile
+++ b/arch/xtensa/boot/Makefile
@@ -31,7 +31,7 @@ $(bootdir-y): $(addprefix $(obj)/,$(subd
 	      $(addprefix $(obj)/,$(host-progs))
 	$(Q)$(MAKE) $(build)=$(obj)/$@ $(MAKECMDGOALS)
 
-OBJCOPYFLAGS = --strip-all -R .comment -R .note.gnu.build-id -O binary
+OBJCOPYFLAGS = --strip-all -R .comment -R .notes -O binary
 
 vmlinux.bin: vmlinux FORCE
 	$(call if_changed,objcopy)
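Review bot: OBJCOPYFLAGS now removes a section named .notes, which is
only expected to exist because the linker-script hunk below adds NOTES,
and the Makefile gives no hint of that dependency. A one-line comment
here pointing at arch/xtensa/kernel/vmlinux.lds.S would keep the two
from drifting, since objcopy does not complain when the section named
with -R is absent and the notes would then stay in vmlinux.bin.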
--- a/arch/xtensa/kernel/vmlinux.lds.S
+++ b/arch/xtensa/kernel/vmlinux.lds.S
@@ -110,6 +110,7 @@ SECTIONS
   .fixup   : { *(.fixup) }
 
   EXCEPTION_TABLE(16)
+  NOTES
   /* Data section */
 
   _sdata = .;




* [PATCH 4.4 123/160] xtensa: make sure bFLT stack is 16 byte aligned
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 122/160] xtensa: add NOTES section to the linker script Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 124/160] xtensa: fix boot parameters address translation Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 0773495b1f5f1c5e23551843f87b5ff37e7af8f7 upstream.

Xtensa ABI requires stack alignment to be at least 16. In noMMU
configuration ARCH_SLAB_MINALIGN is used to align stack. Make it at
least 16.

This fixes the following runtime error in noMMU configuration, caused by
interaction between insufficiently aligned stack and alloca function,
that results in corruption of on-stack variable in the libc function
glob:

 Caught unhandled exception in 'sh' (pid = 47, pc = 0x02d05d65)
  - should not happen
  EXCCAUSE is 15

Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/include/asm/processor.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/xtensa/include/asm/processor.h
+++ b/arch/xtensa/include/asm/processor.h
@@ -24,7 +24,11 @@
 # error Linux requires the Xtensa Windowed Registers Option.
 #endif
 
-#define ARCH_SLAB_MINALIGN	XCHAL_DATA_WIDTH
+/* Xtensa ABI requires stack alignment to be at least 16 */
+
+#define STACK_ALIGN (XCHAL_DATA_WIDTH > 16 ? XCHAL_DATA_WIDTH : 16)
+
+#define ARCH_SLAB_MINALIGN STACK_ALIGN
 
 /*
  * User space process size: 1 GB.
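Review bot: STACK_ALIGN is a very generic name for a macro defined in an
arch-wide header such as asm/processor.h; an arch-prefixed name (for
example a hypothetical XTENSA_STACK_ALIGN) would avoid clashes. The new
comment explains the value 16 but not why ARCH_SLAB_MINALIGN is the
knob being turned; the commit message's point that noMMU stacks are
aligned through ARCH_SLAB_MINALIGN belongs in the comment above that
define.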




* [PATCH 4.4 124/160] xtensa: fix boot parameters address translation
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 123/160] xtensa: make sure bFLT stack is 16 byte aligned Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 125/160] clk: s2mps11: Fix matching when built as module and DT node contains compatible Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 40dc948f234b73497c3278875eb08a01d5854d3f upstream.

The bootloader may pass physical address of the boot parameters structure
to the MMUv3 kernel in the register a2. Code in the _SetupMMU block in
the arch/xtensa/kernel/head.S is supposed to map that physical address to
the virtual address in the configured virtual memory layout.

This code hasn't been updated when additional 256+256 and 512+512
memory layouts were introduced and it may produce wrong addresses when
used with these layouts.

Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/kernel/head.S |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/arch/xtensa/kernel/head.S
+++ b/arch/xtensa/kernel/head.S
@@ -88,9 +88,12 @@ _SetupMMU:
 	initialize_mmu
 #if defined(CONFIG_MMU) && XCHAL_HAVE_PTP_MMU && XCHAL_HAVE_SPANNING_WAY
 	rsr	a2, excsave1
-	movi	a3, 0x08000000
+	movi	a3, XCHAL_KSEG_PADDR
+	bltu	a2, a3, 1f
+	sub	a2, a2, a3
+	movi	a3, XCHAL_KSEG_SIZE
 	bgeu	a2, a3, 1f
-	movi	a3, 0xd0000000
+	movi	a3, XCHAL_KSEG_CACHED_VADDR
 	add	a2, a2, a3
 	wsr	a2, excsave1
 1:
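Review bot: on the new out-of-range path a2 is no longer preserved. The
subtraction "sub a2, a2, a3" runs before the size check
"bgeu a2, a3, 1f", so an address above the KSEG window reaches label 1
with a2 already reduced by XCHAL_KSEG_PADDR, whereas the old code left
a2 untouched whenever it skipped the translation. excsave1 is still
only rewritten on the in-range path, so this is harmless only if nothing
after 1: reads a2; please either do the subtraction in a scratch
register or add a comment stating that a2 is dead past this point. A
short comment naming the three steps (lower bound, offset, upper bound)
would also help, since the block has none.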




* [PATCH 4.4 125/160] clk: s2mps11: Fix matching when built as module and DT node contains compatible
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 124/160] xtensa: fix boot parameters address translation Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 126/160] libceph: bump CEPH_MSG_MAX_DATA_LEN Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Stephen Boyd

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzk@kernel.org>

commit 8985167ecf57f97061599a155bb9652c84ea4913 upstream.

When driver is built as module and DT node contains clocks compatible
(e.g. "samsung,s2mps11-clk"), the module will not be autoloaded because
module aliases won't match.

The modalias from uevent: of:NclocksT<NULL>Csamsung,s2mps11-clk
The modalias from driver: platform:s2mps11-clk

The devices are instantiated by parent's MFD.  However both Device Tree
bindings and parent define the compatible for clocks devices.  In case
of module matching this DT compatible will be used.

The issue will not happen if this is a built-in (no need for module
matching) or when clocks DT node does not contain compatible (not
correct from bindings perspective but working for driver).

Note when backporting to stable kernels: adjust the list of device ID
entries.

Cc: <stable@vger.kernel.org>
Fixes: 53c31b3437a6 ("mfd: sec-core: Add of_compatible strings for clock MFD cells")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/clk-s2mps11.c |   30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

--- a/drivers/clk/clk-s2mps11.c
+++ b/drivers/clk/clk-s2mps11.c
@@ -297,6 +297,36 @@ static const struct platform_device_id s
 };
 MODULE_DEVICE_TABLE(platform, s2mps11_clk_id);
 
+#ifdef CONFIG_OF
+/*
+ * Device is instantiated through parent MFD device and device matching is done
+ * through platform_device_id.
+ *
+ * However if device's DT node contains proper clock compatible and driver is
+ * built as a module, then the *module* matching will be done trough DT aliases.
+ * This requires of_device_id table.  In the same time this will not change the
+ * actual *device* matching so do not add .of_match_table.
+ */
+static const struct of_device_id s2mps11_dt_match[] = {
+	{
+		.compatible = "samsung,s2mps11-clk",
+		.data = (void *)S2MPS11X,
+	}, {
+		.compatible = "samsung,s2mps13-clk",
+		.data = (void *)S2MPS13X,
+	}, {
+		.compatible = "samsung,s2mps14-clk",
+		.data = (void *)S2MPS14X,
+	}, {
+		.compatible = "samsung,s5m8767-clk",
+		.data = (void *)S5M8767X,
+	}, {
+		/* Sentinel */
+	},
+};
+MODULE_DEVICE_TABLE(of, s2mps11_dt_match);
+#endif
+
 static struct platform_driver s2mps11_clk_driver = {
 	.driver = {
 		.name  = "s2mps11-clk",
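Review bot: the .data members of s2mps11_dt_match[] are never consumed,
because the comment itself says the table is deliberately not hooked up
as .of_match_table and exists only for MODULE_DEVICE_TABLE(of, ...);
dropping .data would make that intent obvious and remove four casts.
The comment also has two slips worth fixing: "done trough DT aliases"
should read "through", and "In the same time" should read "At the same
time". For this 4.4 backport, check the four compatibles against the
entries of the platform ID table above, as the commit message asks.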




* [PATCH 4.4 126/160] libceph: bump CEPH_MSG_MAX_DATA_LEN
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 125/160] clk: s2mps11: Fix matching when built as module and DT node contains compatible Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 127/160] mach64: fix display corruption on big endian machines Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ilya Dryomov

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@gmail.com>

commit 94e6992bb560be8bffb47f287194adf070b57695 upstream.

If the read is large enough, we end up spinning in the messenger:

  libceph: osd0 192.168.122.1:6801 io error
  libceph: osd0 192.168.122.1:6801 io error
  libceph: osd0 192.168.122.1:6801 io error

This is a receive side limit, so only reads were affected.

Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/ceph/libceph.h |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/include/linux/ceph/libceph.h
+++ b/include/linux/ceph/libceph.h
@@ -72,7 +72,13 @@ struct ceph_options {
 
 #define CEPH_MSG_MAX_FRONT_LEN	(16*1024*1024)
 #define CEPH_MSG_MAX_MIDDLE_LEN	(16*1024*1024)
-#define CEPH_MSG_MAX_DATA_LEN	(16*1024*1024)
+
+/*
+ * Handle the largest possible rbd object in one message.
+ * There is no limit on the size of cephfs objects, but it has to obey
+ * rsize and wsize mount options anyway.
+ */
+#define CEPH_MSG_MAX_DATA_LEN	(32*1024*1024)
 
 #define CEPH_AUTH_NAME_DEFAULT   "guest"
 
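Review bot: CEPH_MSG_MAX_DATA_LEN is described in the commit message as
a receive-side limit, so doubling it to 32 MiB also doubles the data
length a single incoming message is allowed to carry. The new comment
justifies the value with "the largest possible rbd object" but does not
say where that maximum is defined. Please name the rbd limit in the
comment (or derive the constant from it) so the two cannot drift apart,
and say that CEPH_MSG_MAX_FRONT_LEN and CEPH_MSG_MAX_MIDDLE_LEN
intentionally stay at 16 MiB.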




* [PATCH 4.4 127/160] mach64: fix display corruption on big endian machines
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 126/160] libceph: bump CEPH_MSG_MAX_DATA_LEN Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 128/160] mach64: fix image corruption due to reading accelerator registers Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Ville Syrjälä,
	Bartlomiej Zolnierkiewicz

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 3c6c6a7878d00a3ac997a779c5b9861ff25dfcc8 upstream.

The code for manual bit triple is not endian-clean. It builds the variable
"hostdword" using byte accesses, therefore we must read the variable with
"le32_to_cpu".

The patch also enables (hardware or software) bit triple only if the image
is monochrome (image->depth). If we want to blit full-color image, we
shouldn't use the triple code.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Ville Syrjälä <syrjala@sci.fi>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/aty/mach64_accel.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/video/fbdev/aty/mach64_accel.c
+++ b/drivers/video/fbdev/aty/mach64_accel.c
@@ -344,7 +344,7 @@ void atyfb_imageblit(struct fb_info *inf
 		 * since Rage 3D IIc we have DP_HOST_TRIPLE_EN bit
 		 * this hwaccelerated triple has an issue with not aligned data
 		 */
-		if (M64_HAS(HW_TRIPLE) && image->width % 8 == 0)
+		if (image->depth == 1 && M64_HAS(HW_TRIPLE) && image->width % 8 == 0)
 			pix_width |= DP_HOST_TRIPLE_EN;
 	}
 
@@ -381,7 +381,7 @@ void atyfb_imageblit(struct fb_info *inf
 	src_bytes = (((image->width * image->depth) + 7) / 8) * image->height;
 
 	/* manual triple each pixel */
-	if (info->var.bits_per_pixel == 24 && !(pix_width & DP_HOST_TRIPLE_EN)) {
+	if (image->depth == 1 && info->var.bits_per_pixel == 24 && !(pix_width & DP_HOST_TRIPLE_EN)) {
 		int inbit, outbit, mult24, byte_id_in_dword, width;
 		u8 *pbitmapin = (u8*)image->data, *pbitmapout;
 		u32 hostdword;
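Review bot: the added "image->depth == 1 &&" pushes this condition well
past 80 columns, and the same depth test was just added to the HW_TRIPLE
check in the previous hunk. Computing it once in a local variable keeps
the two sites in step and the lines within the usual limit.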
@@ -414,7 +414,7 @@ void atyfb_imageblit(struct fb_info *inf
 				}
 			}
 			wait_for_fifo(1, par);
-			aty_st_le32(HOST_DATA0, hostdword, par);
+			aty_st_le32(HOST_DATA0, le32_to_cpu(hostdword), par);
 		}
 	} else {
 		u32 *pbitmap, dwords = (src_bytes + 3) / 4;
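Review bot: hostdword is declared as plain u32 ("u32 hostdword;" in the
previous hunk) but is now passed through le32_to_cpu(), which expects a
__le32, so sparse will flag the call. Since the commit message says the
variable is built with byte accesses, declaring it __le32 would express
that intent and keep the endianness checker quiet.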




* [PATCH 4.4 128/160] mach64: fix image corruption due to reading accelerator registers
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 127/160] mach64: fix display corruption on big endian machines Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 129/160] vhost/scsi: truncate T10 PI iov_iter to prot_bytes Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Ville Syrjälä,
	Bartlomiej Zolnierkiewicz

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit c09bcc91bb94ed91f1391bffcbe294963d605732 upstream.

Reading the registers without waiting for engine idle returns
unpredictable values. These unpredictable values result in display
corruption - if atyfb_imageblit reads the content of DP_PIX_WIDTH with the
bit DP_HOST_TRIPLE_EN set (from previous invocation), the driver would
never ever clear the bit, resulting in display corruption.

We don't want to wait for idle because it would degrade performance, so
this patch modifies the driver so that it never reads accelerator
registers.

HOST_CNTL doesn't have to be read, we can just write it with
HOST_BYTE_ALIGN because no other part of the driver cares if
HOST_BYTE_ALIGN is set.

DP_PIX_WIDTH is written in the functions atyfb_copyarea and atyfb_fillrect
with the default value and in atyfb_imageblit with the value set according
to the source image data.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Ville Syrjälä <syrjala@sci.fi>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/aty/mach64_accel.c |   22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

--- a/drivers/video/fbdev/aty/mach64_accel.c
+++ b/drivers/video/fbdev/aty/mach64_accel.c
@@ -126,7 +126,7 @@ void aty_init_engine(struct atyfb_par *p
 
 	/* set host attributes */
 	wait_for_fifo(13, par);
-	aty_st_le32(HOST_CNTL, 0, par);
+	aty_st_le32(HOST_CNTL, HOST_BYTE_ALIGN, par);
 
 	/* set pattern attributes */
 	aty_st_le32(PAT_REG0, 0, par);
@@ -232,7 +232,8 @@ void atyfb_copyarea(struct fb_info *info
 		rotation = rotation24bpp(dx, direction);
 	}
 
-	wait_for_fifo(4, par);
+	wait_for_fifo(5, par);
+	aty_st_le32(DP_PIX_WIDTH, par->crtc.dp_pix_width, par);
 	aty_st_le32(DP_SRC, FRGD_SRC_BLIT, par);
 	aty_st_le32(SRC_Y_X, (sx << 16) | sy, par);
 	aty_st_le32(SRC_HEIGHT1_WIDTH1, (width << 16) | area->height, par);
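Review bot: wait_for_fifo() goes from 4 to 5 to cover the added
DP_PIX_WIDTH write, but the count is a bare number that has to track the
register writes that follow it; a short comment saying what the slots
are for would make the next change safer. The write also assumes that
par->crtc.dp_pix_width is current for the active mode, which is worth
stating now that the register is no longer read back.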
@@ -268,7 +269,8 @@ void atyfb_fillrect(struct fb_info *info
 		rotation = rotation24bpp(dx, DST_X_LEFT_TO_RIGHT);
 	}
 
-	wait_for_fifo(3, par);
+	wait_for_fifo(4, par);
+	aty_st_le32(DP_PIX_WIDTH, par->crtc.dp_pix_width, par);
 	aty_st_le32(DP_FRGD_CLR, color, par);
 	aty_st_le32(DP_SRC,
 		    BKGD_SRC_BKGD_CLR | FRGD_SRC_FRGD_CLR | MONO_SRC_ONE,
@@ -283,7 +285,7 @@ void atyfb_imageblit(struct fb_info *inf
 {
 	struct atyfb_par *par = (struct atyfb_par *) info->par;
 	u32 src_bytes, dx = image->dx, dy = image->dy, width = image->width;
-	u32 pix_width_save, pix_width, host_cntl, rotation = 0, src, mix;
+	u32 pix_width, rotation = 0, src, mix;
 
 	if (par->asleep)
 		return;
@@ -295,8 +297,7 @@ void atyfb_imageblit(struct fb_info *inf
 		return;
 	}
 
-	pix_width = pix_width_save = aty_ld_le32(DP_PIX_WIDTH, par);
-	host_cntl = aty_ld_le32(HOST_CNTL, par) | HOST_BYTE_ALIGN;
+	pix_width = par->crtc.dp_pix_width;
 
 	switch (image->depth) {
 	case 1:
@@ -369,12 +370,11 @@ void atyfb_imageblit(struct fb_info *inf
 		mix = FRGD_MIX_D_XOR_S | BKGD_MIX_D;
 	}
 
-	wait_for_fifo(6, par);
-	aty_st_le32(DP_WRITE_MASK, 0xFFFFFFFF, par);
+	wait_for_fifo(5, par);
 	aty_st_le32(DP_PIX_WIDTH, pix_width, par);
 	aty_st_le32(DP_MIX, mix, par);
 	aty_st_le32(DP_SRC, src, par);
-	aty_st_le32(HOST_CNTL, host_cntl, par);
+	aty_st_le32(HOST_CNTL, HOST_BYTE_ALIGN, par);
 	aty_st_le32(DST_CNTL, DST_Y_TOP_TO_BOTTOM | DST_X_LEFT_TO_RIGHT | rotation, par);
 
 	draw_rect(dx, dy, width, image->height, par);
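Review bot: the DP_WRITE_MASK write is dropped here
("aty_st_le32(DP_WRITE_MASK, 0xFFFFFFFF, par);") although the commit
message only discusses HOST_CNTL and DP_PIX_WIDTH. Please state in the
changelog or in a comment where DP_WRITE_MASK is guaranteed to hold
0xFFFFFFFF before a blit; otherwise this is an unexplained behaviour
change riding along with the fix. The FIFO count of 5 does match the
five writes that remain before draw_rect().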
@@ -423,8 +423,4 @@ void atyfb_imageblit(struct fb_info *inf
 			aty_st_le32(HOST_DATA0, get_unaligned_le32(pbitmap), par);
 		}
 	}
-
-	/* restore pix_width */
-	wait_for_fifo(1, par);
-	aty_st_le32(DP_PIX_WIDTH, pix_width_save, par);
 }
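Review bot: removing the restore of DP_PIX_WIDTH at the end of
atyfb_imageblit is only safe if every other path that uses the engine
programs DP_PIX_WIDTH itself before drawing. This patch adds that write
to atyfb_copyarea and atyfb_fillrect, but the invariant is not recorded
anywhere. A comment stating that each accelerated operation must write
DP_PIX_WIDTH and must not read it back would protect against a later
change reintroducing the corruption.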




* [PATCH 4.4 129/160] vhost/scsi: truncate T10 PI iov_iter to prot_bytes
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 128/160] mach64: fix image corruption due to reading accelerator registers Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 130/160] ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Greg Edwards, Michael S. Tsirkin,
	Paolo Bonzini

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Edwards <gedwards@ddn.com>

commit 4542d623c7134bc1738f8a68ccb6dd546f1c264f upstream.

Commands with protection information included were not truncating the
protection iov_iter to the number of protection bytes in the command.
This resulted in vhost_scsi mis-calculating the size of the protection
SGL in vhost_scsi_calc_sgls(), and including both the protection and
data SG entries in the protection SGL.

Fixes: 09b13fa8c1a1 ("vhost/scsi: Add ANY_LAYOUT support in vhost_scsi_handle_vq")
Signed-off-by: Greg Edwards <gedwards@ddn.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Fixes: 09b13fa8c1a1093e9458549ac8bb203a7c65c62a
Cc: stable@vger.kernel.org
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/vhost/scsi.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -1009,7 +1009,8 @@ vhost_scsi_handle_vq(struct vhost_scsi *
 				prot_bytes = vhost32_to_cpu(vq, v_req_pi.pi_bytesin);
 			}
 			/*
-			 * Set prot_iter to data_iter, and advance past any
+			 * Set prot_iter to data_iter and truncate it to
+			 * prot_bytes, and advance data_iter past any
 			 * preceeding prot_bytes that may be present.
 			 *
 			 * Also fix up the exp_data_len to reflect only the
@@ -1018,6 +1019,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *
 			if (prot_bytes) {
 				exp_data_len -= prot_bytes;
 				prot_iter = data_iter;
+				iov_iter_truncate(&prot_iter, prot_bytes);
 				iov_iter_advance(&data_iter, prot_bytes);
 			}
 			tag = vhost64_to_cpu(vq, v_req_pi.tag);
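Review bot: prot_bytes comes from the request header
("vhost32_to_cpu(vq, v_req_pi.pi_bytesin)" in the previous hunk's
context) and is subtracted from exp_data_len with no bound check visible
in this block. iov_iter_truncate() only ever shrinks the iterator, so an
oversized count is harmless there, but "exp_data_len -= prot_bytes" can
go out of range if the request claims more protection bytes than the
payload holds. Please confirm that prot_bytes is checked against
exp_data_len before this point, or add a check that fails the request.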




* [PATCH 4.4 130/160] ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 129/160] vhost/scsi: truncate T10 PI iov_iter to prot_bytes Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 131/160] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Changwei Ge, Changkuo Shi,
	Andrew Morton, Mark Fasheh, Joel Becker, Junxiao Bi, Joseph Qi,
	Linus Torvalds

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Changwei Ge <ge.changwei@h3c.com>

commit 29aa30167a0a2e6045a0d6d2e89d8168132333d5 upstream.

Somehow, file system metadata was corrupted, which causes
ocfs2_check_dir_entry() to fail in function ocfs2_dir_foreach_blk_el().

According to the original design intention, if above happens we should
skip the problematic block and continue to retrieve dir entry.  But
there is obvious misuse of brelse around related code.

After failure of ocfs2_check_dir_entry(), current code just moves to
next position and uses the problematic buffer head again and again
during which the problematic buffer head is released for multiple times.
I suppose, this is a serious issue which is long-lived in ocfs2.  This may
cause other file systems which are also used in the same host insane.

So we should also consider about backporting this patch into linux
-stable.

Link: http://lkml.kernel.org/r/HK2PR06MB045211675B43EED794E597B6D56E0@HK2PR06MB0452.apcprd06.prod.outlook.com
Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
Suggested-by: Changkuo Shi <shi.changkuo@h3c.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/dir.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -1896,8 +1896,7 @@ static int ocfs2_dir_foreach_blk_el(stru
 				/* On error, skip the f_pos to the
 				   next block. */
 				ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1;
-				brelse(bh);
-				continue;
+				break;
 			}
 			if (le64_to_cpu(de->inode)) {
 				unsigned char d_type = DT_UNKNOWN;
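Review bot: with "break" replacing "brelse(bh); continue;", the comment
above it ("On error, skip the f_pos to the next block.") no longer tells
the whole story. Correctness now depends on the code after this inner
loop releasing bh exactly once and on the outer loop resuming at the
advanced ctx->pos, neither of which is visible here. Please extend the
comment to say that the break hands bh to the common release after the
loop, so that nobody restores a brelse() at this spot and brings back
the repeated release described in the commit message.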




* [PATCH 4.4 131/160] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 130/160] ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 22:16   ` David Rientjes
  2018-11-19 16:29 ` [PATCH 4.4 132/160] mtd: docg3: dont set conflicting BCH_CONST_PARAMS option Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  163 siblings, 1 reply; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrea Arcangeli, Michal Hocko,
	Stefan Priebe, Alex Williamson, Mel Gorman, Zi Yan,
	Vlastimil Babka, David Rientjes, Kirill A. Shutemov,
	Andrew Morton, Linus Torvalds

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrea Arcangeli <aarcange@redhat.com>

commit ac5b2c18911ffe95c08d69273917f90212cf5659 upstream.

THP allocation might be really disruptive when allocated on NUMA system
with the local node full or hard to reclaim.  Stefan has posted an
allocation stall report on 4.12 based SLES kernel which suggests the
same issue:

  kvm: page allocation stalls for 194572ms, order:9, mode:0x4740ca(__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_THISNODE|__GFP_MOVABLE|__GFP_DIRECT_RECLAIM), nodemask=(null)
  kvm cpuset=/ mems_allowed=0-1
  CPU: 10 PID: 84752 Comm: kvm Tainted: G        W 4.12.0+98-ph 0000001 SLE15 (unreleased)
  Hardware name: Supermicro SYS-1029P-WTRT/X11DDW-NT, BIOS 2.0 12/05/2017
  Call Trace:
   dump_stack+0x5c/0x84
   warn_alloc+0xe0/0x180
   __alloc_pages_slowpath+0x820/0xc90
   __alloc_pages_nodemask+0x1cc/0x210
   alloc_pages_vma+0x1e5/0x280
   do_huge_pmd_wp_page+0x83f/0xf00
   __handle_mm_fault+0x93d/0x1060
   handle_mm_fault+0xc6/0x1b0
   __do_page_fault+0x230/0x430
   do_page_fault+0x2a/0x70
   page_fault+0x7b/0x80
   [...]
  Mem-Info:
  active_anon:126315487 inactive_anon:1612476 isolated_anon:5
   active_file:60183 inactive_file:245285 isolated_file:0
   unevictable:15657 dirty:286 writeback:1 unstable:0
   slab_reclaimable:75543 slab_unreclaimable:2509111
   mapped:81814 shmem:31764 pagetables:370616 bounce:0
   free:32294031 free_pcp:6233 free_cma:0
  Node 0 active_anon:254680388kB inactive_anon:1112760kB active_file:240648kB inactive_file:981168kB unevictable:13368kB isolated(anon):0kB isolated(file):0kB mapped:280240kB dirty:1144kB writeback:0kB shmem:95832kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 81225728kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
  Node 1 active_anon:250583072kB inactive_anon:5337144kB active_file:84kB inactive_file:0kB unevictable:49260kB isolated(anon):20kB isolated(file):0kB mapped:47016kB dirty:0kB writeback:4kB shmem:31224kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 31897600kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no

The defrag mode is "madvise" and from the above report it is clear that
the THP has been allocated for MADV_HUGEPAGE vma.

Andrea has identified that the main source of the problem is
__GFP_THISNODE usage:

: The problem is that direct compaction combined with the NUMA
: __GFP_THISNODE logic in mempolicy.c is telling reclaim to swap very
: hard the local node, instead of failing the allocation if there's no
: THP available in the local node.
:
: Such logic was ok until __GFP_THISNODE was added to the THP allocation
: path even with MPOL_DEFAULT.
:
: The idea behind the __GFP_THISNODE addition, is that it is better to
: provide local memory in PAGE_SIZE units than to use remote NUMA THP
: backed memory. That largely depends on the remote latency though, on
: threadrippers for example the overhead is relatively low in my
: experience.
:
: The combination of __GFP_THISNODE and __GFP_DIRECT_RECLAIM results in
: extremely slow qemu startup with vfio, if the VM is larger than the
: size of one host NUMA node. This is because it will try very hard to
: unsuccessfully swapout get_user_pages pinned pages as result of the
: __GFP_THISNODE being set, instead of falling back to PAGE_SIZE
: allocations and instead of trying to allocate THP on other nodes (it
: would be even worse without vfio type1 GUP pins of course, except it'd
: be swapping heavily instead).

Fix this by removing __GFP_THISNODE for THP requests which are
requesting the direct reclaim.  This effectively reverts 5265047ac301
on the grounds that the zone/node reclaim was known to be disruptive due
to premature reclaim when there was memory free.  While it made sense at
the time for HPC workloads without NUMA awareness on rare machines, it
was ultimately harmful in the majority of cases.  The existing behaviour
is similar, if not as widespread as it applies to a corner case but
crucially, it cannot be tuned around like zone_reclaim_mode can.  The
default behaviour should always be to cause the least harm for the
common case.

If there are specialised use cases out there that want zone_reclaim_mode
in specific cases, then it can be built on top.  Longterm we should
consider a memory policy which allows for the node reclaim like behavior
for the specific memory ranges which would allow a

[1] http://lkml.kernel.org/r/20180820032204.9591-1-aarcange@redhat.com

Mel said:

: Both patches look correct to me but I'm responding to this one because
: it's the fix.  The change makes sense and moves further away from the
: severe stalling behaviour we used to see with both THP and zone reclaim
: mode.
:
: I put together a basic experiment with usemem configured to reference a
: buffer multiple times that is 80% the size of main memory on a 2-socket
: box with symmetric node sizes and defrag set to "always".  The defrag
: setting is not the default but it would be functionally similar to
: accessing a buffer with madvise(MADV_HUGEPAGE).  Usemem is configured to
: reference the buffer multiple times and while it's not an interesting
: workload, it would be expected to complete reasonably quickly as it fits
: within memory.  The results were;
:
: usemem
:                                   vanilla           noreclaim-v1
: Amean     Elapsd-1       42.78 (   0.00%)       26.87 (  37.18%)
: Amean     Elapsd-3       27.55 (   0.00%)        7.44 (  73.00%)
: Amean     Elapsd-4        5.72 (   0.00%)        5.69 (   0.45%)
:
: This shows the elapsed time in seconds for 1 thread, 3 threads and 4
: threads referencing buffers 80% the size of memory.  With the patches
: applied, it's 37.18% faster for the single thread and 73% faster with two
: threads.  Note that 4 threads showing little difference does not indicate
: the problem is related to thread counts.  It's simply the case that 4
: threads gets spread so their workload mostly fits in one node.
:
: The overall view from /proc/vmstats is more startling
:
:                          4.19.0-rc1  4.19.0-rc1
:                             vanilla noreclaim-v1r1
: Minor Faults               35593425      708164
: Major Faults                 484088          36
: Swap Ins                    3772837           0
: Swap Outs                   3932295           0
:
: Massive amounts of swap in/out without the patch
:
: Direct pages scanned        6013214           0
: Kswapd pages scanned              0           0
: Kswapd pages reclaimed            0           0
: Direct pages reclaimed      4033009           0
:
: Lots of reclaim activity without the patch
:
: Kswapd efficiency              100%        100%
: Kswapd velocity               0.000       0.000
: Direct efficiency               67%        100%
: Direct velocity           11191.956       0.000
:
: Mostly from direct reclaim context as you'd expect without the patch.
:
: Page writes by reclaim  3932314.000       0.000
: Page writes file                 19           0
: Page writes anon            3932295           0
: Page reclaim immediate        42336           0
:
: Writes from reclaim context is never good but the patch eliminates it.
:
: We should never have default behaviour to thrash the system for such a
: basic workload.  If zone reclaim mode behaviour is ever desired but on a
: single task instead of a global basis then the sensible option is to build
: a mempolicy that enforces that behaviour.

This was a severe regression compared to previous kernels that made
important workloads unusable and it starts when __GFP_THISNODE was
added to THP allocations under MADV_HUGEPAGE.  It is not a significant
risk to go to the previous behavior before __GFP_THISNODE was added, it
worked like that for years.

This was simply an optimization to some lucky workloads that can fit in
a single node, but it ended up breaking the VM for others that can't
possibly fit in a single node, so going back is safe.

[mhocko@suse.com: rewrote the changelog based on the one from Andrea]
Link: http://lkml.kernel.org/r/20180925120326.24392-2-mhocko@kernel.org
Fixes: 5265047ac301 ("mm, thp: really limit transparent hugepage allocation to local node")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reported-by: Stefan Priebe <s.priebe@profihost.ag>
Debugged-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Mel Gorman <mgorman@techsingularity.net>
Tested-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Zi Yan <zi.yan@cs.rutgers.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: <stable@vger.kernel.org>	[4.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/mempolicy.c |   32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2010,8 +2010,36 @@ retry_cpuset:
 		nmask = policy_nodemask(gfp, pol);
 		if (!nmask || node_isset(hpage_node, *nmask)) {
 			mpol_cond_put(pol);
-			page = __alloc_pages_node(hpage_node,
-						gfp | __GFP_THISNODE, order);
+			/*
+			 * We cannot invoke reclaim if __GFP_THISNODE
+			 * is set. Invoking reclaim with
+			 * __GFP_THISNODE set, would cause THP
+			 * allocations to trigger heavy swapping
+			 * despite there may be tons of free memory
+			 * (including potentially plenty of THP
+			 * already available in the buddy) on all the
+			 * other NUMA nodes.
+			 *
+			 * At most we could invoke compaction when
+			 * __GFP_THISNODE is set (but we would need to
+			 * refrain from invoking reclaim even if
+			 * compaction returned COMPACT_SKIPPED because
+			 * there wasn't not enough memory to succeed
+			 * compaction). For now just avoid
+			 * __GFP_THISNODE instead of limiting the
+			 * allocation path to a strict and single
+			 * compaction invocation.
+			 *
+			 * Supposedly if direct reclaim was enabled by
+			 * the caller, the app prefers THP regardless
+			 * of the node it comes from so this would be
+			 * more desiderable behavior than only
+			 * providing THP originated from the local
+			 * node in such case.
+			 */
+			if (!(gfp & __GFP_DIRECT_RECLAIM))
+				gfp |= __GFP_THISNODE;
+			page = __alloc_pages_node(hpage_node, gfp, order);
 			goto out;
 		}
 	}
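Review bot: The new comment above `if (!(gfp & __GFP_DIRECT_RECLAIM))` opens with "We cannot invoke reclaim if __GFP_THISNODE is set", which reads as a hard constraint, while the code makes the opposite choice: it keeps direct reclaim and drops the node restriction. Rewording it along the lines of "do not restrict the allocation to hpage_node when the caller allows direct reclaim" would match the code. The same comment has a double negative ("there wasn't not enough memory") and "desiderable" for "desirable". It would also help to state that hpage_node remains the preferred node in `__alloc_pages_node(hpage_node, gfp, order)` and that only the strict binding is removed.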



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 132/160] mtd: docg3: dont set conflicting BCH_CONST_PARAMS option
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 131/160] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 133/160] termios, tty/tty_baudrate.c: fix buffer overrun Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Jarzmik, Arnd Bergmann,
	Boris Brezillon

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit be2e1c9dcf76886a83fb1c433a316e26d4ca2550 upstream.

I noticed during the creation of another bugfix that the BCH_CONST_PARAMS
option that is set by DOCG3 breaks setting variable parameters for any
other users of the BCH library code.

The only other user we have today is the MTD_NAND software BCH
implementation (most flash controllers use hardware BCH these days
and are not affected). I considered removing BCH_CONST_PARAMS entirely
because of the inherent conflict, but according to the description in
lib/bch.c there is a significant performance benefit in keeping it.

To avoid the immediate problem of the conflict between MTD_NAND_BCH
and DOCG3, this only sets the constant parameters if MTD_NAND_BCH
is disabled, which should fix the problem for all cases that
are affected. This should also work for all stable kernels.

Note that there is only one machine that actually seems to use the
DOCG3 driver (arch/arm/mach-pxa/mioa701.c), so most users should have
the driver disabled, but it almost certainly shows up if we wanted
to test random kernels on machines that use software BCH in MTD.

Fixes: d13d19ece39f ("mtd: docg3: add ECC correction code")
Cc: stable@vger.kernel.org
Cc: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/devices/Kconfig |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/devices/Kconfig
+++ b/drivers/mtd/devices/Kconfig
@@ -208,7 +208,7 @@ comment "Disk-On-Chip Device Drivers"
 config MTD_DOCG3
 	tristate "M-Systems Disk-On-Chip G3"
 	select BCH
-	select BCH_CONST_PARAMS
+	select BCH_CONST_PARAMS if !MTD_NAND_BCH
 	select BITREVERSE
 	---help---
 	  This provides an MTD device driver for the M-Systems DiskOnChip
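Review bot: The condition in `select BCH_CONST_PARAMS if !MTD_NAND_BCH` is not reflected in the help text, so someone enabling MTD_DOCG3 together with MTD_NAND_BCH gets no hint that the constant-parameter optimisation is dropped for this driver. A sentence in the `---help---` body would cover it. If MTD_NAND_BCH can be built as a module, it is also worth confirming how `!MTD_NAND_BCH` evaluates in that case, since the conflict described in the changelog would still apply.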



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 133/160] termios, tty/tty_baudrate.c: fix buffer overrun
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 132/160] mtd: docg3: dont set conflicting BCH_CONST_PARAMS option Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 134/160] arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Peter Anvin (Intel),
	Cc: Johan Hovold, Jiri Slaby, Al Viro, Richard Henderson,
	Ivan Kokshaysky, Matt Turner, Thomas Gleixner, Kate Stewart,
	Philippe Ombredanne, Eugene Syromiatnikov, Alan Cox

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: H. Peter Anvin <hpa@zytor.com>

commit 991a25194097006ec1e0d2e0814ff920e59e3465 upstream.

On architectures with CBAUDEX == 0 (Alpha and PowerPC), the code in tty_baudrate.c does
not do any limit checking on the tty_baudrate[] array, and in fact a
buffer overrun is possible on both architectures. Add a limit check to
prevent that situation.

This will be followed by a much bigger cleanup/simplification patch.

Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Requested-by: Cc: Johan Hovold <johan@kernel.org>
Cc: Jiri Slaby <jslaby@suse.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Eugene Syromiatnikov <esyr@redhat.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/tty_ioctl.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/tty_ioctl.c
+++ b/drivers/tty/tty_ioctl.c
@@ -330,7 +330,7 @@ speed_t tty_termios_baud_rate(struct kte
 		else
 			cbaud += 15;
 	}
-	return baud_table[cbaud];
+	return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
 }
 EXPORT_SYMBOL(tty_termios_baud_rate);
 
@@ -366,7 +366,7 @@ speed_t tty_termios_input_baud_rate(stru
 		else
 			cbaud += 15;
 	}
-	return baud_table[cbaud];
+	return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
 #else
 	return tty_termios_baud_rate(termios);
 #endif
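Review bot: The bounds check `cbaud >= n_baud_table ? 0 : baud_table[cbaud]` is now written out twice, here and in tty_termios_baud_rate(), and both sites return 0 for an out-of-range index without leaving any trace. A small shared helper would keep the two lookups from diverging, and a comment should say what a returned speed of 0 means to callers when the index was invalid.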



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 134/160] arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 133/160] termios, tty/tty_baudrate.c: fix buffer overrun Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 135/160] Btrfs: fix data corruption due to cloning of eof block Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Peter Anvin (Intel),
	Jiri Slaby, Al Viro, Richard Henderson, Ivan Kokshaysky,
	Matt Turner, Thomas Gleixner, Kate Stewart, Philippe Ombredanne,
	Eugene Syromiatnikov, linux-alpha, linux-serial, Johan Hovold,
	Alan Cox

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: H. Peter Anvin (Intel) <hpa@zytor.com>

commit d0ffb805b729322626639336986bc83fc2e60871 upstream.

Alpha has had c_ispeed and c_ospeed, but still set speeds in c_cflags
using arbitrary flags. Because BOTHER is not defined, the general
Linux code doesn't allow setting arbitrary baud rates, and because
CBAUDEX == 0, we can have an array overrun of the baud_rate[] table in
drivers/tty/tty_baudrate.c if (c_cflags & CBAUD) == 037.

Resolve both problems by #defining BOTHER to 037 on Alpha.

However, userspace still needs to know if setting BOTHER is actually
safe given legacy kernels (does anyone actually care about that on
Alpha anymore?), so enable the TCGETS2/TCSETS*2 ioctls on Alpha, even
though they use the same structure. Define struct termios2 just for
compatibility; it is the exact same structure as struct termios. In a
future patchset, this will be cleaned up so the uapi headers are
usable from libc.

Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Cc: Jiri Slaby <jslaby@suse.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Eugene Syromiatnikov <esyr@redhat.com>
Cc: <linux-alpha@vger.kernel.org>
Cc: <linux-serial@vger.kernel.org>
Cc: Johan Hovold <johan@kernel.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/alpha/include/asm/termios.h       |    8 +++++++-
 arch/alpha/include/uapi/asm/ioctls.h   |    5 +++++
 arch/alpha/include/uapi/asm/termbits.h |   17 +++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

--- a/arch/alpha/include/asm/termios.h
+++ b/arch/alpha/include/asm/termios.h
@@ -72,9 +72,15 @@
 })
 
 #define user_termios_to_kernel_termios(k, u) \
-	copy_from_user(k, u, sizeof(struct termios))
+	copy_from_user(k, u, sizeof(struct termios2))
 
 #define kernel_termios_to_user_termios(u, k) \
+	copy_to_user(u, k, sizeof(struct termios2))
+
+#define user_termios_to_kernel_termios_1(k, u) \
+	copy_from_user(k, u, sizeof(struct termios))
+
+#define kernel_termios_to_user_termios_1(u, k) \
 	copy_to_user(u, k, sizeof(struct termios))
 
 #endif	/* _ALPHA_TERMIOS_H */
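Review bot: user_termios_to_kernel_termios() and kernel_termios_to_user_termios() now copy sizeof(struct termios2) bytes, which is only safe while struct termios2 and the kernel-side structure stay the same size, and nothing in this header enforces that. A compile-time size assertion, or at least a comment next to the macros pointing at the "identical termios and termios2" definition in termbits.h, would document the dependency. The new _1 variants also lack a comment saying which ioctls are expected to use them.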
--- a/arch/alpha/include/uapi/asm/ioctls.h
+++ b/arch/alpha/include/uapi/asm/ioctls.h
@@ -31,6 +31,11 @@
 #define TCXONC		_IO('t', 30)
 #define TCFLSH		_IO('t', 31)
 
+#define TCGETS2		_IOR('T', 42, struct termios2)
+#define TCSETS2		_IOW('T', 43, struct termios2)
+#define TCSETSW2	_IOW('T', 44, struct termios2)
+#define TCSETSF2	_IOW('T', 45, struct termios2)
+
 #define TIOCSWINSZ	_IOW('t', 103, struct winsize)
 #define TIOCGWINSZ	_IOR('t', 104, struct winsize)
 #define	TIOCSTART	_IO('t', 110)		/* start output, like ^Q */
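Review bot: The four new definitions use ioctl type 'T' while every neighbouring definition in this hunk uses 't'. If that is deliberate, a one-line comment above TCGETS2 would stop it from being read as a typo later.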
--- a/arch/alpha/include/uapi/asm/termbits.h
+++ b/arch/alpha/include/uapi/asm/termbits.h
@@ -25,6 +25,19 @@ struct termios {
 	speed_t c_ospeed;		/* output speed */
 };
 
+/* Alpha has identical termios and termios2 */
+
+struct termios2 {
+	tcflag_t c_iflag;		/* input mode flags */
+	tcflag_t c_oflag;		/* output mode flags */
+	tcflag_t c_cflag;		/* control mode flags */
+	tcflag_t c_lflag;		/* local mode flags */
+	cc_t c_cc[NCCS];		/* control characters */
+	cc_t c_line;			/* line discipline (== c_cc[19]) */
+	speed_t c_ispeed;		/* input speed */
+	speed_t c_ospeed;		/* output speed */
+};
+
 /* Alpha has matching termios and ktermios */
 
 struct ktermios {
@@ -147,6 +160,7 @@ struct ktermios {
 #define B3000000  00034
 #define B3500000  00035
 #define B4000000  00036
+#define BOTHER    00037
 
 #define CSIZE	00001400
 #define   CS5	00000000
@@ -164,6 +178,9 @@ struct ktermios {
 #define CMSPAR	  010000000000		/* mark or space (stick) parity */
 #define CRTSCTS	  020000000000		/* flow control */
 
+#define CIBAUD	07600000
+#define IBSHIFT	16
+
 /* c_lflag bits */
 #define ISIG	0x00000080
 #define ICANON	0x00000100
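Review bot: CIBAUD is added as the bare constant 07600000, which is 037 shifted left by IBSHIFT (16). Defining IBSHIFT first and stating that relation in a comment would make it obvious that the input-speed field mirrors the output-speed field, and would keep the two from drifting apart.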



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 135/160] Btrfs: fix data corruption due to cloning of eof block
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 134/160] arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 136/160] clockevents/drivers/i8253: Add support for PIT shutdown quirk Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit ac765f83f1397646c11092a032d4f62c3d478b81 upstream.

We currently allow cloning a range from a file which includes the last
block of the file even if the file's size is not aligned to the block
size. This is fine and useful when the destination file has the same size,
but when it does not and the range ends somewhere in the middle of the
destination file, it leads to corruption because the bytes between the EOF
and the end of the block have undefined data (when there is support for
discard/trimming they have a value of 0x00).

Example:

 $ mkfs.btrfs -f /dev/sdb
 $ mount /dev/sdb /mnt

 $ export foo_size=$((256 * 1024 + 100))
 $ xfs_io -f -c "pwrite -S 0x3c 0 $foo_size" /mnt/foo
 $ xfs_io -f -c "pwrite -S 0xb5 0 1M" /mnt/bar

 $ xfs_io -c "reflink /mnt/foo 0 512K $foo_size" /mnt/bar

 $ od -A d -t x1 /mnt/bar
 0000000 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5
 *
 0524288 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c
 *
 0786528 3c 3c 3c 3c 00 00 00 00 00 00 00 00 00 00 00 00
 0786544 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 *
 0790528 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5
 *
 1048576

The bytes in the range from 786532 (512Kb + 256Kb + 100 bytes) to 790527
(512Kb + 256Kb + 4Kb - 1) got corrupted, having now a value of 0x00 instead
of 0xb5.

This is similar to the problem we had for deduplication that got recently
fixed by commit de02b9f6bb65 ("Btrfs: fix data corruption when
deduplicating between different files").

Fix this by not allowing such operations to be performed and return the
errno -EINVAL to user space. This is what XFS is doing as well at the VFS
level. This change however now makes us return -EINVAL instead of
-EOPNOTSUPP for cases where the source range maps to an inline extent and
the destination range's end is smaller than the destination file's size,
since the detection of inline extents is done during the actual process of
dropping file extent items (at __btrfs_drop_extents()). Returning the
-EINVAL error is done early on and solely based on the input parameters
(offsets and length) and destination file's size. This makes us consistent
with XFS and anyone else supporting cloning since this case is now checked
at a higher level in the VFS and is where the -EINVAL will be returned
from starting with kernel 4.20 (the VFS change was introduced in 4.20-rc1
by commit 07d19dc9fbe9 ("vfs: avoid problematic remapping requests into
partial EOF block")). So this change is more geared towards stable kernels,
as it's unlikely the new VFS checks get removed intentionally.

A test case for fstests follows soon, as well as an update to filter
existing tests that expect -EOPNOTSUPP to accept -EINVAL as well.

CC: <stable@vger.kernel.org> # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ioctl.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3950,9 +3950,17 @@ static noinline long btrfs_ioctl_clone(s
 		goto out_unlock;
 	if (len == 0)
 		olen = len = src->i_size - off;
-	/* if we extend to eof, continue to block boundary */
-	if (off + len == src->i_size)
+	/*
+	 * If we extend to eof, continue to block boundary if and only if the
+	 * destination end offset matches the destination file's size, otherwise
+	 * we would be corrupting data by placing the eof block into the middle
+	 * of a file.
+	 */
+	if (off + len == src->i_size) {
+		if (!IS_ALIGNED(len, bs) && destoff + len < inode->i_size)
+			goto out_unlock;
 		len = ALIGN(src->i_size, bs) - off;
+	}
 
 	if (len == 0) {
 		ret = 0;
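Review bot: The new `goto out_unlock` inside `if (off + len == src->i_size)` sets no return value in this hunk, so the -EINVAL promised by the changelog depends on `ret` still holding it from earlier in the function. Assigning `ret = -EINVAL;` right before the goto would make the rejection robust against later changes above this point. The comment could also say explicitly that the unaligned case is rejected, since it currently only describes when the extension to the block boundary happens.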



^ permalink raw reply	[flat|nested] 169+ messages in thread
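The corruption and the added check from the Btrfs patch above, reproduced as a small user-space model. This is an added illustration, not code from the patch or from Btrfs: toy_file, toy_clone, run_scenario and same_size_clone are hypothetical names, the block size is assumed to be 4 KiB, and bytes past EOF in the last block are modelled as 0x00 as in the changelog's discard case.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BS 4096u                                 /* block size assumed by the model */
#define ALIGN_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))

/* Toy file: storage is whole blocks, size is the logical length (i_size). */
struct toy_file {
	uint8_t *data;
	size_t size;
};

static int toy_init(struct toy_file *f, size_t size, uint8_t fill)
{
	f->data = calloc(ALIGN_UP(size, BS), 1); /* tail past EOF reads as 0x00 */
	if (!f->data)
		return -ENOMEM;
	memset(f->data, fill, size);
	f->size = size;
	return 0;
}

/* Block-granular clone. patched != 0 enables the check the patch adds. */
static int toy_clone(const struct toy_file *src, size_t off, size_t len,
		     struct toy_file *dst, size_t destoff, int patched)
{
	if (off % BS || destoff % BS || len == 0 || off + len > src->size)
		return -EINVAL;
	if (off + len == src->size) {
		/* A partial EOF block may only land at or beyond the
		 * destination's EOF, never in the middle of the file. */
		if (patched && len % BS && destoff + len < dst->size)
			return -EINVAL;
		len = ALIGN_UP(src->size, BS) - off; /* extend to block boundary */
	} else if (len % BS) {
		return -EINVAL;
	}
	if (destoff + len > ALIGN_UP(dst->size, BS))
		return -EINVAL;                      /* the model never grows dst */
	memcpy(dst->data + destoff, src->data + off, len);
	return 0;
}

/* Changelog scenario: clone foo (256K + 100 bytes of 0x3c) into bar
 * (1M of 0xb5) at offset 512K. Returns the number of 0x00 bytes inside
 * bar's logical size, or a negative errno if the clone is rejected. */
static long run_scenario(int patched)
{
	const size_t foo_size = 256 * 1024 + 100, bar_size = 1024 * 1024;
	struct toy_file foo, bar;
	long zeros = 0;
	int ret;

	if (toy_init(&foo, foo_size, 0x3c))
		return -ENOMEM;
	if (toy_init(&bar, bar_size, 0xb5)) {
		free(foo.data);
		return -ENOMEM;
	}
	ret = toy_clone(&foo, 0, foo_size, &bar, 512 * 1024, patched);
	for (size_t i = 0; ret == 0 && i < bar.size; i++)
		zeros += (bar.data[i] == 0x00);
	free(foo.data);
	free(bar.data);
	return ret ? ret : zeros;
}

/* The case the changelog calls fine: destination has the same size, so
 * the partial EOF block lands exactly at the destination's EOF. */
static int same_size_clone(void)
{
	const size_t size = 256 * 1024 + 100;
	struct toy_file a, b;
	int ret;

	if (toy_init(&a, size, 0x3c))
		return -ENOMEM;
	if (toy_init(&b, size, 0xb5)) {
		free(a.data);
		return -ENOMEM;
	}
	ret = toy_clone(&a, 0, size, &b, 0, 1);
	free(a.data);
	free(b.data);
	return ret;
}

int main(void)
{
	printf("unpatched: %ld zero bytes inside bar\n", run_scenario(0));
	printf("patched:   clone returns %ld\n", run_scenario(1));
	printf("same-size clone (patched): %d\n", same_size_clone());
	return 0;
}
```

The zero bytes counted in the unpatched run are the 4096 - 100 bytes between offsets 786532 and 790527 shown in the `od` output of the changelog.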

* [PATCH 4.4 136/160] clockevents/drivers/i8253: Add support for PIT shutdown quirk
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 135/160] Btrfs: fix data corruption due to cloning of eof block Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 137/160] ext4: add missing brelse() update_backups()s error path Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Kelley, Thomas Gleixner,
	devel, daniel.lezcano, virtualization, jgross, akataria, olaf,
	apw, vkuznets, jasowang, marcelo.cerri, KY Srinivasan

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Kelley <mikelley@microsoft.com>

commit 35b69a420bfb56b7b74cb635ea903db05e357bec upstream.

Add support for platforms where pit_shutdown() doesn't work because of a
quirk in the PIT emulation. On these platforms setting the counter register
to zero causes the PIT to start running again, negating the shutdown.

Provide a global variable that controls whether the counter register is
zero'ed, which platform specific code can override.

Signed-off-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Cc: "devel@linuxdriverproject.org" <devel@linuxdriverproject.org>
Cc: "daniel.lezcano@linaro.org" <daniel.lezcano@linaro.org>
Cc: "virtualization@lists.linux-foundation.org" <virtualization@lists.linux-foundation.org>
Cc: "jgross@suse.com" <jgross@suse.com>
Cc: "akataria@vmware.com" <akataria@vmware.com>
Cc: "olaf@aepfle.de" <olaf@aepfle.de>
Cc: "apw@canonical.com" <apw@canonical.com>
Cc: vkuznets <vkuznets@redhat.com>
Cc: "jasowang@redhat.com" <jasowang@redhat.com>
Cc: "marcelo.cerri@canonical.com" <marcelo.cerri@canonical.com>
Cc: KY Srinivasan <kys@microsoft.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1541303219-11142-2-git-send-email-mikelley@microsoft.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clocksource/i8253.c |   14 ++++++++++++--
 include/linux/i8253.h       |    1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/clocksource/i8253.c
+++ b/drivers/clocksource/i8253.c
@@ -19,6 +19,13 @@
 DEFINE_RAW_SPINLOCK(i8253_lock);
 EXPORT_SYMBOL(i8253_lock);
 
+/*
+ * Handle PIT quirk in pit_shutdown() where zeroing the counter register
+ * restarts the PIT, negating the shutdown. On platforms with the quirk,
+ * platform specific code can set this to false.
+ */
+bool i8253_clear_counter_on_shutdown = true;
+
 #ifdef CONFIG_CLKSRC_I8253
 /*
  * Since the PIT overflows every tick, its not very useful
@@ -108,8 +115,11 @@ static int pit_shutdown(struct clock_eve
 	raw_spin_lock(&i8253_lock);
 
 	outb_p(0x30, PIT_MODE);
-	outb_p(0, PIT_CH0);
-	outb_p(0, PIT_CH0);
+
+	if (i8253_clear_counter_on_shutdown) {
+		outb_p(0, PIT_CH0);
+		outb_p(0, PIT_CH0);
+	}
 
 	raw_spin_unlock(&i8253_lock);
 	return 0;
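Review bot: i8253_clear_counter_on_shutdown is read in pit_shutdown() under i8253_lock, but nothing says when platform code is allowed to write it. A note in the comment at its definition that it must be set during early platform setup, before the clockevent can be shut down, would make the intended usage clear. The mode write `outb_p(0x30, PIT_MODE)` still happens on platforms with the quirk, which is worth stating next to the new condition.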
--- a/include/linux/i8253.h
+++ b/include/linux/i8253.h
@@ -21,6 +21,7 @@
 #define PIT_LATCH	((PIT_TICK_RATE + HZ/2) / HZ)
 
 extern raw_spinlock_t i8253_lock;
+extern bool i8253_clear_counter_on_shutdown;
 extern struct clock_event_device i8253_clockevent;
 extern void clockevent_i8253_init(bool oneshot);
 



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 137/160] ext4: add missing brelse() update_backups()s error path
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 136/160] clockevents/drivers/i8253: Add support for PIT shutdown quirk Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 138/160] ext4: add missing brelse() in set_flexbg_block_bitmap()s " Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit ea0abbb648452cdb6e1734b702b6330a7448fcf8 upstream.

Fixes: ac27a0ec112a ("ext4: initial copy of files from ext3")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 2.6.19
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/resize.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1095,8 +1095,10 @@ static void update_backups(struct super_
 			   backup_block, backup_block -
 			   ext4_group_first_block_no(sb, group));
 		BUFFER_TRACE(bh, "get_write_access");
-		if ((err = ext4_journal_get_write_access(handle, bh)))
+		if ((err = ext4_journal_get_write_access(handle, bh))) {
+			brelse(bh);
 			break;
+		}
 		lock_buffer(bh);
 		memcpy(bh->b_data, data, size);
 		if (rest)
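Review bot: Now that the error branch has braces, the assignment inside the condition, `if ((err = ext4_journal_get_write_access(handle, bh)))`, should be split into an assignment followed by `if (err)`, as the set_flexbg_block_bitmap() fix in this series already does. The changelog has no body, so it should also say that bh was leaked when the loop is left through this break.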



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 138/160] ext4: add missing brelse() in set_flexbg_block_bitmap()s error path
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 137/160] ext4: add missing brelse() update_backups()s error path Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 139/160] ext4: add missing brelse() add_new_gdb_meta_bg()s " Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit cea5794122125bf67559906a0762186cf417099c upstream.

Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...")
Cc: stable@kernel.org # 3.3
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/resize.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -442,16 +442,18 @@ static int set_flexbg_block_bitmap(struc
 
 		BUFFER_TRACE(bh, "get_write_access");
 		err = ext4_journal_get_write_access(handle, bh);
-		if (err)
+		if (err) {
+			brelse(bh);
 			return err;
+		}
 		ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block,
 			   block - start, count2);
 		ext4_set_bits(bh->b_data, block - start, count2);
 
 		err = ext4_handle_dirty_metadata(handle, NULL, bh);
+		brelse(bh);
 		if (unlikely(err))
 			return err;
-		brelse(bh);
 	}
 
 	return 0;
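Review bot: Moving `brelse(bh)` above the `if (unlikely(err))` test also fixes a leak when ext4_handle_dirty_metadata() fails, which is a second error path and is not described anywhere because the changelog has no body. Please describe both paths. With two release sites in the loop body, a single exit that releases bh and then tests err would be easier to keep correct.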



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 139/160] ext4: add missing brelse() add_new_gdb_meta_bg()s error path
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 138/160] ext4: add missing brelse() in set_flexbg_block_bitmap()s " Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 140/160] ext4: avoid potential extra brelse in setup_new_flex_group_blocks() Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit 61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0 upstream.

Fixes: 01f795f9e0d6 ("ext4: add online resizing support for meta_bg ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 3.7
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/resize.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -899,6 +899,7 @@ static int add_new_gdb_meta_bg(struct su
 				     sizeof(struct buffer_head *),
 				     GFP_NOFS);
 	if (!n_group_desc) {
+		brelse(gdb_bh);
 		err = -ENOMEM;
 		ext4_warning(sb, "not enough memory for %lu groups",
 			     gdb_num + 1);
@@ -914,8 +915,6 @@ static int add_new_gdb_meta_bg(struct su
 	kvfree(o_group_desc);
 	BUFFER_TRACE(gdb_bh, "get_write_access");
 	err = ext4_journal_get_write_access(handle, gdb_bh);
-	if (unlikely(err))
-		brelse(gdb_bh);
 	return err;
 }
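
Review bot: Removing brelse(gdb_bh) from the
ext4_journal_get_write_access() failure path at the end of
add_new_gdb_meta_bg() is the opposite of what the subject promises,
and the changelog has no body to explain it. The only visible hint is
kvfree(o_group_desc) just above, which suggests the descriptor array
has already been swapped by then; if gdb_bh is referenced from the new
array at that point, say so in the changelog or in a comment above
"return err;", since otherwise this reads as a new leak.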
 




* [PATCH 4.4 140/160] ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 139/160] ext4: add missing brelse() add_new_gdb_meta_bg()s " Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 141/160] ext4: fix possible inode leak in the retry loop of ext4_resize_fs() Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit 9e4028935cca3f9ef9b6a90df9da6f1f94853536 upstream.

Currently bh is set to NULL only during the first iteration of the for
loop, and the pointer is not cleared after it has been used.
Therefore rollback after errors can lead to an extra brelse(bh) call,
which decrements the bh counter and later triggers an unexpected
warning in __brelse().

The patch moves the brelse() calls into the body of the loop so that
no brelse() call is required in the rollback.

Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 3.3+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/resize.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -590,7 +590,6 @@ handle_bb:
 		bh = bclean(handle, sb, block);
 		if (IS_ERR(bh)) {
 			err = PTR_ERR(bh);
-			bh = NULL;
 			goto out;
 		}
 		overhead = ext4_group_overhead_blocks(sb, group);
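
Review bot: Dropping "bh = NULL;" in the IS_ERR(bh) branch leaves an
ERR_PTR value in bh on the jump to out, which is only safe because the
last hunk of this patch also deletes brelse(bh) under "out:". The two
changes have to travel together in any backport; a tree that takes
this hunk but still releases at "out:" would pass an error pointer to
brelse().
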
@@ -602,9 +601,9 @@ handle_bb:
 		ext4_mark_bitmap_end(group_data[i].blocks_count,
 				     sb->s_blocksize * 8, bh->b_data);
 		err = ext4_handle_dirty_metadata(handle, NULL, bh);
+		brelse(bh);
 		if (err)
 			goto out;
-		brelse(bh);
 
 handle_ib:
 		if (bg_flags[i] & EXT4_BG_INODE_UNINIT)
@@ -619,18 +618,16 @@ handle_ib:
 		bh = bclean(handle, sb, block);
 		if (IS_ERR(bh)) {
 			err = PTR_ERR(bh);
-			bh = NULL;
 			goto out;
 		}
 
 		ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
 				     sb->s_blocksize * 8, bh->b_data);
 		err = ext4_handle_dirty_metadata(handle, NULL, bh);
+		brelse(bh);
 		if (err)
 			goto out;
-		brelse(bh);
 	}
-	bh = NULL;
 
 	/* Mark group tables in block bitmap */
 	for (j = 0; j < GROUP_TABLE_COUNT; j++) {
@@ -661,7 +658,6 @@ handle_ib:
 	}
 
 out:
-	brelse(bh);
 	err2 = ext4_journal_stop(handle);
 	if (err2 && !err)
 		err = err2;
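
Review bot: With brelse(bh) gone from "out:", every "goto out" taken
while bh holds a live reference now leaks it, and only the handle_bb
and handle_ib blocks are visible in this patch. The changelog should
state that the loops ahead of handle_bb and the group-table loop under
"/* Mark group tables in block bitmap */" release their buffers before
jumping, or the patch should show it.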




* [PATCH 4.4 141/160] ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 140/160] ext4: avoid potential extra brelse in setup_new_flex_group_blocks() Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 142/160] ext4: avoid buffer leak in ext4_orphan_add() after prior errors Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit db6aee62406d9fbb53315fcddd81f1dc271d49fa upstream.

Fixes: 1c6bd7173d66 ("ext4: convert file system to meta_bg if needed ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 3.7
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/resize.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -2026,6 +2026,10 @@ retry:
 		n_blocks_count_retry = 0;
 		free_flex_gd(flex_gd);
 		flex_gd = NULL;
+		if (resize_inode) {
+			iput(resize_inode);
+			resize_inode = NULL;
+		}
 		goto retry;
 	}
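
Review bot: The "if (resize_inode)" guard around iput() in the retry
branch is redundant, because iput() already returns immediately for a
NULL inode; "iput(resize_inode); resize_inode = NULL;" does the same
in two lines. The changelog is also empty: one sentence saying where
after "retry:" the inode reference is taken again would tell a
backporter why the reset to NULL matters.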
 




* [PATCH 4.4 142/160] ext4: avoid buffer leak in ext4_orphan_add() after prior errors
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 141/160] ext4: fix possible inode leak in the retry loop of ext4_resize_fs() Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 143/160] ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Monakhov, Vasily Averin,
	Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit feaf264ce7f8d54582e2f66eb82dd9dd124c94f3 upstream.

Fixes: d745a8c20c1f ("ext4: reduce contention on s_orphan_lock")
Fixes: 6e3617e579e0 ("ext4: Handle non empty on-disk orphan link")
Cc: Dmitry Monakhov <dmonakhov@gmail.com>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 2.6.34
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/namei.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2830,7 +2830,9 @@ int ext4_orphan_add(handle_t *handle, st
 			list_del_init(&EXT4_I(inode)->i_orphan);
 			mutex_unlock(&sbi->s_orphan_lock);
 		}
-	}
+	} else
+		brelse(iloc.bh);
+
 	jbd_debug(4, "superblock will point to %lu\n", inode->i_ino);
 	jbd_debug(4, "orphan inode %lu will point to %d\n",
 			inode->i_ino, NEXT_ORPHAN(inode));
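
Review bot: "} else" followed by an unbraced "brelse(iloc.bh);" breaks
the kernel coding-style rule that when one branch of a conditional
uses braces the other does too; write "} else {", the brelse() call,
and a closing "}". The changelog has no body, so it should also say
which prior error makes the if branch skip and leave iloc.bh held.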




* [PATCH 4.4 143/160] ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 142/160] ext4: avoid buffer leak in ext4_orphan_add() after prior errors Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 144/160] ext4: avoid possible double brelse() in add_new_gdb() on error path Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit f348e2241fb73515d65b5d77dd9c174128a7fbf2 upstream.

Fixes: 117fff10d7f1 ("ext4: grow the s_flex_groups array as needed ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 3.7
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/resize.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1990,7 +1990,7 @@ retry:
 
 	err = ext4_alloc_flex_bg_array(sb, n_group + 1);
 	if (err)
-		return err;
+		goto out;
 
 	err = ext4_mb_alloc_groupinfo(sb, n_group + 1);
 	if (err)
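
Review bot: The changelog does not say what the bare "return err"
after ext4_alloc_flex_bg_array() left behind. The hunk header places
this code under "retry:", so on a second pass state from the first
pass can be live here; naming the resource that "out" releases, and
confirming that "out" is safe on the first pass when nothing has been
set up yet, would make this one-line change reviewable without opening
ext4_resize_fs().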




* [PATCH 4.4 144/160] ext4: avoid possible double brelse() in add_new_gdb() on error path
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 143/160] ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 145/160] ext4: fix possible leak of sbi->s_group_desc_leak in " Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 4f32c38b4662312dd3c5f113d8bdd459887fb773 upstream.

Fixes: b40971426a83 ("ext4: add error checking to calls to ...")
Reported-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 2.6.38
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/resize.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -844,6 +844,7 @@ static int add_new_gdb(handle_t *handle,
 	err = ext4_handle_dirty_metadata(handle, NULL, gdb_bh);
 	if (unlikely(err)) {
 		ext4_std_error(sb, err);
+		iloc.bh = NULL;
 		goto exit_inode;
 	}
 	brelse(dind);
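
Review bot: "iloc.bh = NULL;" before "goto exit_inode" in the
ext4_handle_dirty_metadata() failure branch looks like a leak when
read on its own, because nothing in the hunk shows where the reference
in iloc.bh was dropped. A short comment on that line saying where the
buffer was already released, and that exit_inode would otherwise
release it a second time, would keep a later cleanup from removing the
assignment.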




* [PATCH 4.4 145/160] ext4: fix possible leak of sbi->s_group_desc_leak in error path
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 144/160] ext4: avoid possible double brelse() in add_new_gdb() on error path Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 146/160] ext4: release bs.bh before re-using in ext4_xattr_block_find() Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 9e463084cdb22e0b56b2dfbc50461020409a5fd3 upstream.

Fixes: bfe0a5f47ada ("ext4: add more mount time checks of the superblock")
Reported-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 4.18
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/super.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3731,6 +3731,14 @@ static int ext4_fill_super(struct super_
 	sbi->s_groups_count = blocks_count;
 	sbi->s_blockfile_groups = min_t(ext4_group_t, sbi->s_groups_count,
 			(EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
+	if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
+	    le32_to_cpu(es->s_inodes_count)) {
+		ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
+			 le32_to_cpu(es->s_inodes_count),
+			 ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
+		ret = -EINVAL;
+		goto failed_mount;
+	}
 	db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
 		   EXT4_DESC_PER_BLOCK(sb);
 	if (ext4_has_feature_meta_bg(sb)) {
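
Review bot: The moved check evaluates
(u64)sbi->s_groups_count * sbi->s_inodes_per_group twice, once in the
comparison and once as the %llu argument to ext4_msg(). A local u64
for the product would shorten the condition and guarantee that the
logged value is the one that was compared.
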
@@ -3750,14 +3758,6 @@ static int ext4_fill_super(struct super_
 		ret = -ENOMEM;
 		goto failed_mount;
 	}
-	if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
-	    le32_to_cpu(es->s_inodes_count)) {
-		ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
-			 le32_to_cpu(es->s_inodes_count),
-			 ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
-		ret = -EINVAL;
-		goto failed_mount;
-	}
 
 	bgl_lock_init(sbi->s_blockgroup_lock);
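
Review bot: The subject names sbi->s_group_desc_leak, which appears
nowhere in the diff, and the changelog has no body. The removed check
sat directly after an -ENOMEM "goto failed_mount" branch, so the
intent appears to be that a "goto failed_mount" taken after that
allocation does not free it; the message should say that, name the
field correctly, and explain why a "# 4.18" stable tag applies to a
4.4 tree.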
 




* [PATCH 4.4 146/160] ext4: release bs.bh before re-using in ext4_xattr_block_find()
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 145/160] ext4: fix possible leak of sbi->s_group_desc_leak in " Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 147/160] ext4: fix buffer leak in ext4_xattr_move_to_block() on error path Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit 45ae932d246f721e6584430017176cbcadfde610 upstream.

bs.bh was taken in the previous ext4_xattr_block_find() call;
it should be released before re-use.

Fixes: 7e01c8e5420b ("ext3/4: fix uninitialized bs in ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 2.6.26
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/xattr.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1161,6 +1161,8 @@ ext4_xattr_set_handle(handle_t *handle,
 			error = ext4_xattr_block_set(handle, inode, &i, &bs);
 		} else if (error == -ENOSPC) {
 			if (EXT4_I(inode)->i_file_acl && !bs.s.base) {
+				brelse(bs.bh);
+				bs.bh = NULL;
 				error = ext4_xattr_block_find(inode, &i, &bs);
 				if (error)
 					goto cleanup;
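
Review bot: The new brelse(bs.bh) sits inside a branch guarded by
"!bs.s.base", and the changelog does not say in which sequence bs.bh
is still held while bs.s.base is unset. Spelling that case out would
show whether this is a reachable leak or a defensive reset. Clearing
bs.bh to NULL right after the release is worth keeping either way, so
that a failure in the second ext4_xattr_block_find() cannot leave a
stale pointer behind for "cleanup".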




* [PATCH 4.4 147/160] ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 146/160] ext4: release bs.bh before re-using in ext4_xattr_block_find() Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 148/160] ext4: fix buffer leak in __ext4_read_dirblock() " Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kara, Vasily Averin,
	Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit 6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f upstream.

Fixes: 3f2571c1f91f ("ext4: factor out xattr moving")
Fixes: 6dd4ee7cab7e ("ext4: Expand extra_inodes space per ...")
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 2.6.23
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/xattr.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1490,6 +1490,8 @@ cleanup:
 	kfree(buffer);
 	if (is)
 		brelse(is->iloc.bh);
+	if (bs)
+		brelse(bs->bh);
 	kfree(is);
 	kfree(bs);
 	brelse(bh);
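
Review bot: "cleanup:" now calls brelse(bs->bh) and, three lines
later, brelse(bh), and the patch does not show whether those two can
ever refer to the same buffer. If they can, this adds a double
release; if they cannot, a sentence in the changelog, which is empty,
would settle it.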




* [PATCH 4.4 148/160] ext4: fix buffer leak in __ext4_read_dirblock() on error path
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 147/160] ext4: fix buffer leak in ext4_xattr_move_to_block() on error path Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 149/160] mount: Retest MNT_LOCKED in do_umount Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Theodore Tso, stable

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit de59fae0043f07de5d25e02ca360f7d57bfa5866 upstream.

Fixes: dc6982ff4db1 ("ext4: refactor code to read directory blocks ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 3.9
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/namei.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -124,6 +124,7 @@ static struct buffer_head *__ext4_read_d
 	if (!is_dx_block && type == INDEX) {
 		ext4_error_inode(inode, func, line, block,
 		       "directory leaf block found instead of index block");
+		brelse(bh);
 		return ERR_PTR(-EFSCORRUPTED);
 	}
 	if (!ext4_has_metadata_csum(inode->i_sb) ||




* [PATCH 4.4 149/160] mount: Retest MNT_LOCKED in do_umount
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 148/160] ext4: fix buffer leak in __ext4_read_dirblock() " Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 150/160] mount: Dont allow copying MNT_UNBINDABLE|MNT_LOCKED mounts Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Eric W. Biederman

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream.

It was recently pointed out that the one instance of testing MNT_LOCKED
outside of the namespace_sem is in ksys_umount.

Fix that by adding a test inside of do_umount with namespace_sem and
the mount_lock held.  As it helps to fail fast the existing test is
maintained with an additional comment pointing out that it may be racy
because the locks are not held.

Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namespace.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1584,8 +1584,13 @@ static int do_umount(struct mount *mnt,
 
 	namespace_lock();
 	lock_mount_hash();
-	event++;
 
+	/* Recheck MNT_LOCKED with the locks held */
+	retval = -EINVAL;
+	if (mnt->mnt.mnt_flags & MNT_LOCKED)
+		goto out;
+
+	event++;
 	if (flags & MNT_DETACH) {
 		if (!list_empty(&mnt->mnt_list))
 			umount_tree(mnt, UMOUNT_PROPAGATE);
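
Review bot: "retval = -EINVAL;" is assigned unconditionally before the
locked recheck, so -EINVAL becomes what do_umount() returns on any
later path that does not set retval itself. The visible MNT_DETACH
branch shows no assignment before the hunk ends; confirm that both
branches set retval explicitly, or assign -EINVAL only inside the
"if (mnt->mnt.mnt_flags & MNT_LOCKED)" body.
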
@@ -1599,6 +1604,7 @@ static int do_umount(struct mount *mnt,
 			retval = 0;
 		}
 	}
+out:
 	unlock_mount_hash();
 	namespace_unlock();
 	return retval;
@@ -1681,7 +1687,7 @@ SYSCALL_DEFINE2(umount, char __user *, n
 		goto dput_and_out;
 	if (!check_mnt(mnt))
 		goto dput_and_out;
-	if (mnt->mnt.mnt_flags & MNT_LOCKED)
+	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
 		goto dput_and_out;
 	retval = -EPERM;
 	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
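
Review bot: The comment added on the unlocked test,
"/* Check optimistically */", does not say what the changelog
promises, namely that the test may be racy because namespace_sem and
mount_lock are not held here and that do_umount() repeats it under the
locks. Expand it to say so, and put it on its own line above the if
rather than trailing the condition. The changelog also places this
test in ksys_umount, while the hunk header shows
SYSCALL_DEFINE2(umount, ...) in this tree.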




* [PATCH 4.4 150/160] mount: Dont allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 149/160] mount: Retest MNT_LOCKED in do_umount Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 151/160] mount: Prevent MNT_DETACH from disconnecting locked mounts Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Calmels, Eric W. Biederman

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit df7342b240185d58d3d9665c0bbf0a0f5570ec29 upstream.

Jonathan Calmels from NVIDIA reported that he's able to bypass the
mount visibility security check in place in the Linux kernel by using
a combination of the unbindable property along with the private mount
propagation option to allow an unprivileged user to see a path which
was purposefully hidden by the root user.

Reproducer:
  # Hide a path to all users using a tmpfs
  root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
  root@castiana:~#

  # As an unprivileged user, unshare user namespace and mount namespace
  stgraber@castiana:~$ unshare -U -m -r

  # Confirm the path is still not accessible
  root@castiana:~# ls /sys/devices/

  # Make /sys recursively unbindable and private
  root@castiana:~# mount --make-runbindable /sys
  root@castiana:~# mount --make-private /sys

  # Recursively bind-mount the rest of /sys over to /mnt
  root@castiana:~# mount --rbind /sys/ /mnt

  # Access our hidden /sys/devices as an unprivileged user
  root@castiana:~# ls /mnt/devices/
  breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
  LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
  tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual

Solve this by teaching copy_tree to fail if a mount turns out to be
both unbindable and locked.

Cc: stable@vger.kernel.org
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Reported-by: Jonathan Calmels <jcalmels@nvidia.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namespace.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1765,8 +1765,14 @@ struct mount *copy_tree(struct mount *mn
 		for (s = r; s; s = next_mnt(s, r)) {
 			if (!(flag & CL_COPY_UNBINDABLE) &&
 			    IS_MNT_UNBINDABLE(s)) {
-				s = skip_mnt_tree(s);
-				continue;
+				if (s->mnt.mnt_flags & MNT_LOCKED) {
+					/* Both unbindable and locked. */
+					q = ERR_PTR(-EPERM);
+					goto out;
+				} else {
+					s = skip_mnt_tree(s);
+					continue;
+				}
 			}
 			if (!(flag & CL_COPY_MNT_NS_FILE) &&
 			    is_mnt_ns_file(s->mnt.mnt_root)) {
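
Review bot: The "else" after "goto out;" in the MNT_LOCKED test is
unnecessary and pushes the original skip_mnt_tree() lines one level
deeper; dropping it leaves those two lines untouched and shrinks the
diff. Separately, "goto out" is taken from inside the copy loop with q
set to ERR_PTR(-EPERM), so the review should confirm that "out:", not
shown here, tears down the part of the tree already copied.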




* [PATCH 4.4 151/160] mount: Prevent MNT_DETACH from disconnecting locked mounts
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 150/160] mount: Dont allow copying MNT_UNBINDABLE|MNT_LOCKED mounts Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 152/160] sunrpc: correct the computation for page_ptr when truncating Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Timothy Baldwin, Eric W. Biederman

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 upstream.

Timothy Baldwin <timbaldwin@fastmail.co.uk> wrote:
> As per mount_namespaces(7) unprivileged users should not be able to look under mount points:
>
>   Mounts that come as a single unit from more privileged mount are locked
>   together and may not be separated in a less privileged mount namespace.
>
> However they can:
>
> 1. Create a mount namespace.
> 2. In the mount namespace open a file descriptor to the parent of a mount point.
> 3. Destroy the mount namespace.
> 4. Use the file descriptor to look under the mount point.
>
> I have reproduced this with Linux 4.16.18 and Linux 4.18-rc8.
>
> The setup:
>
> $ sudo sysctl kernel.unprivileged_userns_clone=1
> kernel.unprivileged_userns_clone = 1
> $ mkdir -p A/B/Secret
> $ sudo mount -t tmpfs hide A/B
>
>
> "Secret" is indeed hidden as expected:
>
> $ ls -lR A
> A:
> total 0
> drwxrwxrwt 2 root root 40 Feb 12 21:08 B
>
> A/B:
> total 0
>
>
> The attack revealing "Secret":
>
> $ unshare -Umr sh -c "exec unshare -m ls -lR /proc/self/fd/4/ 4<A"
> /proc/self/fd/4/:
> total 0
> drwxr-xr-x 3 root root 60 Feb 12 21:08 B
>
> /proc/self/fd/4/B:
> total 0
> drwxr-xr-x 2 root root 40 Feb 12 21:08 Secret
>
> /proc/self/fd/4/B/Secret:
> total 0

I tracked this down to put_mnt_ns passing UMOUNT_SYNC and
disconnecting all of the mounts in a mount namespace.  Fix this by
factoring drop_mounts out of drop_collected_mounts and passing
0 instead of UMOUNT_SYNC.

There are two possible behavior differences that result from this.
- No longer setting UMOUNT_SYNC will no longer set MNT_SYNC_UMOUNT on
  the vfsmounts being unmounted.  This affects the lazy rcu walk by
  kicking the walk out of rcu mode and forcing it to be a non-lazy
  walk.
- No longer disconnecting locked mounts will keep some mounts around
  longer as they stay because they are locked to other mounts.

There are only two users of drop_collected_mounts: audit_tree.c and
put_mnt_ns.

In audit_tree.c the mounts are private and there are no rcu lazy walks
only calls to iterate_mounts. So the changes should have no effect
except for a small timing effect as the connected mounts are disconnected.

In put_mnt_ns there may be references from processes outside the mount
namespace to the mounts.  So the mounts remaining connected will
be the bug fix that is needed.  That rcu walks are allowed to continue
appears not to be a problem especially as the rcu walk change was about
an implementation detail not about semantics.

Cc: stable@vger.kernel.org
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Reported-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
Tested-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namespace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1825,7 +1825,7 @@ void drop_collected_mounts(struct vfsmou
 {
 	namespace_lock();
 	lock_mount_hash();
-	umount_tree(real_mount(mnt), UMOUNT_SYNC);
+	umount_tree(real_mount(mnt), 0);
 	unlock_mount_hash();
 	namespace_unlock();
 }
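
Review bot: The changelog says the fix factors drop_mounts out of
drop_collected_mounts and passes 0 from there, but the hunk changes
the flag inside drop_collected_mounts() itself and adds no helper.
That means the audit_tree.c caller gets the new behaviour as well,
which the message does go on to discuss; the first paragraph should be
corrected to match the code so that nobody goes looking for a
drop_mounts() that does not exist in this diff.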




* [PATCH 4.4 152/160] sunrpc: correct the computation for page_ptr when truncating
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 151/160] mount: Prevent MNT_DETACH from disconnecting locked mounts Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 153/160] rtc: hctosys: Add missing range error reporting Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frank Sorenson, J. Bruce Fields

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Frank Sorenson <sorenson@redhat.com>

commit 5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb upstream.

When truncating the encode buffer, the page_ptr is getting
advanced, causing the next page to be skipped while encoding.
The page is still included in the response, so the response
contains a page of bogus data.

We need to adjust the page_ptr backwards to ensure we encode
the next page into the correct place.

We saw this triggered when concurrent directory modifications caused
nfsd4_encode_direct_fattr() to return nfserr_noent, and the resulting
call to xdr_truncate_encode() corrupted the READDIR reply.

Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/xdr.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -639,11 +639,10 @@ void xdr_truncate_encode(struct xdr_stre
 		WARN_ON_ONCE(xdr->iov);
 		return;
 	}
-	if (fraglen) {
+	if (fraglen)
 		xdr->end = head->iov_base + head->iov_len;
-		xdr->page_ptr--;
-	}
 	/* (otherwise assume xdr->end is already set) */
+	xdr->page_ptr--;
 	head->iov_len = len;
 	buf->len = len;
 	xdr->p = head->iov_base + head->iov_len;
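
Review bot: "xdr->page_ptr--;" now runs whenever control gets past the
early return, yet the only comment nearby,
"/* (otherwise assume xdr->end is already set) */", is about xdr->end
and says nothing about the page pointer. Add a one-line comment on the
decrement saying why page_ptr must step back regardless of fraglen, as
the changelog explains, so the unconditional form is not "fixed" back
into the if block later.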




* [PATCH 4.4 153/160] rtc: hctosys: Add missing range error reporting
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 152/160] sunrpc: correct the computation for page_ptr when truncating Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 154/160] fuse: fix leaked notify reply Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Alexandre Belloni

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@linux-mips.org>

commit 7ce9a992ffde8ce93d5ae5767362a5c7389ae895 upstream.

Fix an issue with the 32-bit range error path in `rtc_hctosys' where no
error code is set and consequently the successful preceding call result
from `rtc_read_time' is propagated to `rtc_hctosys_ret'.  This in turn
makes any subsequent call to `hctosys_show' incorrectly report in sysfs
that the system time has been set from this RTC while it has not.

Set the error to ERANGE then if we can't express the result due to an
overflow.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Fixes: b3a5ac42ab18 ("rtc: hctosys: Ensure system time doesn't overflow time_t")
Cc: stable@vger.kernel.org # 4.17+
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rtc/hctosys.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/rtc/hctosys.c
+++ b/drivers/rtc/hctosys.c
@@ -50,8 +50,10 @@ static int __init rtc_hctosys(void)
 	tv64.tv_sec = rtc_tm_to_time64(&tm);
 
 #if BITS_PER_LONG == 32
-	if (tv64.tv_sec > INT_MAX)
+	if (tv64.tv_sec > INT_MAX) {
+		err = -ERANGE;
 		goto err_read;
+	}
 #endif
 
 	err = do_settimeofday64(&tv64);
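
Review bot: the new `err = -ERANGE;` sits on a path that still exits through `goto err_read`, so the label name no longer describes every way of reaching it; renaming the label, or adding a comment where it is defined, would keep the error paths readable. Separately, the commit message carries "Cc: stable@vger.kernel.org # 4.17+" while this is queued for 4.4. The unchanged `if (tv64.tv_sec > INT_MAX)` context shows that the check being fixed already exists in this tree, so the fix applies, but a one-line backport note saying so would save the next reader the lookup.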



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 154/160] fuse: fix leaked notify reply
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 153/160] rtc: hctosys: Add missing range error reporting Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 155/160] configfs: replace strncpy with memcpy Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 7fabaf303458fcabb694999d6fa772cc13d4e217 upstream.

fuse_request_send_notify_reply() may fail if the connection was reset for
some reason (e.g. fs was unmounted).  Don't leak request reference in this
case.  Besides leaking memory, this resulted in fc->num_waiting not being
decremented and hence fuse_wait_aborted() left in a hanging and unkillable
state.

Fixes: 2d45ba381a74 ("fuse: add retrieve request")
Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")
Reported-and-tested-by: syzbot+6339eda9cb4ebbc4c37b@syzkaller.appspotmail.com
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Cc: <stable@vger.kernel.org> #v2.6.36
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1771,8 +1771,10 @@ static int fuse_retrieve(struct fuse_con
 	req->in.args[1].size = total_len;
 
 	err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique);
-	if (err)
+	if (err) {
 		fuse_retrieve_end(fc, req);
+		fuse_put_request(fc, req);
+	}
 
 	return err;
 }
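
Review bot: the `if (err)` branch now makes two cleanup calls back to back, and nothing in the code says why fuse_put_request() is needed after fuse_retrieve_end() or that the order matters. The commit message explains that a failed fuse_request_send_notify_reply() leaves the request reference with the caller; a short comment to that effect above `fuse_put_request(fc, req);` would stop a later cleanup from dropping the call or moving it ahead of fuse_retrieve_end(), which is still handed req.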



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 155/160] configfs: replace strncpy with memcpy
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 154/160] fuse: fix leaked notify reply Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 156/160] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Christoph Hellwig,
	Nobuhiro Iwamatsu

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 1823342a1f2b47a4e6f5667f67cd28ab6bc4d6cd upstream.

gcc 8.1.0 complains:

fs/configfs/symlink.c:67:3: warning:
	'strncpy' output truncated before terminating nul copying as many
	bytes from a string as its length
fs/configfs/symlink.c: In function 'configfs_get_link':
fs/configfs/symlink.c:63:13: note: length computed here

Using strncpy() is indeed less than perfect since the length of data to
be copied has already been determined with strlen(). Replace strncpy()
with memcpy() to address the warning and optimize the code a little.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu@cybertrust.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/configfs/symlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/configfs/symlink.c
+++ b/fs/configfs/symlink.c
@@ -64,7 +64,7 @@ static void fill_item_path(struct config
 
 		/* back up enough to print this bus id with '/' */
 		length -= cur;
-		strncpy(buffer + length,config_item_name(p),cur);
+		memcpy(buffer + length, config_item_name(p), cur);
 		*(buffer + --length) = '/';
 	}
 }
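
Review bot: the bounds of the write at `buffer + length` are not established anywhere in this hunk, and memcpy() will copy exactly `cur` bytes with no terminator, just as the strncpy() call did. `length -= cur` followed by `--length` is only safe if the caller sized buffer from the same per-item name lengths plus one '/' each, so a comment stating that invariant (and where the terminating NUL is written) belongs next to the copy. Since the commit message says `cur` comes from strlen() of the same name, holding config_item_name(p) in a local and using it for both the strlen() and the memcpy() would make it obvious that the length and the source cannot disagree.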



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 156/160] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 155/160] configfs: replace strncpy with memcpy Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 157/160] mm: migration: fix migration of huge PMD shared pages Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Kravetz, Naoya Horiguchi,
	Michal Hocko, Hugh Dickins, Andrea Arcangeli,
	Kirill A . Shutemov, Davidlohr Bueso, Prakash Sangappa,
	Andrew Morton, Linus Torvalds

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf upstream.

This bug has been experienced several times by the Oracle DB team.  The
BUG is in remove_inode_hugepages() as follows:

	/*
	 * If page is mapped, it was faulted in after being
	 * unmapped in caller.  Unmap (again) now after taking
	 * the fault mutex.  The mutex will prevent faults
	 * until we finish removing the page.
	 *
	 * This race can only happen in the hole punch case.
	 * Getting here in a truncate operation is a bug.
	 */
	if (unlikely(page_mapped(page))) {
		BUG_ON(truncate_op);

In this case, the elevated map count is not the result of a race.
Rather it was incorrectly incremented as the result of a bug in the huge
pmd sharing code.  Consider the following:

 - Process A maps a hugetlbfs file of sufficient size and alignment
   (PUD_SIZE) that a pmd page could be shared.

 - Process B maps the same hugetlbfs file with the same size and
   alignment such that a pmd page is shared.

 - Process B then calls mprotect() to change protections for the mapping
   with the shared pmd. As a result, the pmd is 'unshared'.

 - Process B then calls mprotect() again to change protections for the
   mapping back to their original value. pmd remains unshared.

 - Process B then forks and process C is created. During the fork
   process, we do dup_mm -> dup_mmap -> copy_page_range to copy page
   tables. Copying page tables for hugetlb mappings is done in the
   routine copy_hugetlb_page_range.

In copy_hugetlb_page_range(), the destination pte is obtained by:

	dst_pte = huge_pte_alloc(dst, addr, sz);

If pmd sharing is possible, the returned pointer will be to a pte in an
existing page table.  In the situation above, process C could share with
either process A or process B.  Since process A is first in the list,
the returned pte is a pointer to a pte in process A's page table.

However, the check for pmd sharing in copy_hugetlb_page_range is:

	/* If the pagetables are shared don't copy or take references */
	if (dst_pte == src_pte)
		continue;

Since process C is sharing with process A instead of process B, the
above test fails.  The code in copy_hugetlb_page_range which follows
assumes dst_pte points to a huge_pte_none pte.  It copies the pte entry
from src_pte to dst_pte and increments this map count of the associated
page.  This is how we end up with an elevated map count.

To solve, check the dst_pte entry for huge_pte_none.  If !none, this
implies PMD sharing so do not copy.

Link: http://lkml.kernel.org/r/20181105212315.14125-1-mike.kravetz@oracle.com
Fixes: c5c99429fa57 ("fix hugepages leak due to pagetable page sharing")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/hugetlb.c |   23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3103,7 +3103,7 @@ static int is_hugetlb_entry_hwpoisoned(p
 int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
 			    struct vm_area_struct *vma)
 {
-	pte_t *src_pte, *dst_pte, entry;
+	pte_t *src_pte, *dst_pte, entry, dst_entry;
 	struct page *ptepage;
 	unsigned long addr;
 	int cow;
@@ -3131,15 +3131,30 @@ int copy_hugetlb_page_range(struct mm_st
 			break;
 		}
 
-		/* If the pagetables are shared don't copy or take references */
-		if (dst_pte == src_pte)
+		/*
+		 * If the pagetables are shared don't copy or take references.
+		 * dst_pte == src_pte is the common case of src/dest sharing.
+		 *
+		 * However, src could have 'unshared' and dst shares with
+		 * another vma.  If dst_pte !none, this implies sharing.
+		 * Check here before taking page table lock, and once again
+		 * after taking the lock below.
+		 */
+		dst_entry = huge_ptep_get(dst_pte);
+		if ((dst_pte == src_pte) || !huge_pte_none(dst_entry))
 			continue;
 
 		dst_ptl = huge_pte_lock(h, dst, dst_pte);
 		src_ptl = huge_pte_lockptr(h, src, src_pte);
 		spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
 		entry = huge_ptep_get(src_pte);
-		if (huge_pte_none(entry)) { /* skip none entry */
+		dst_entry = huge_ptep_get(dst_pte);
+		if (huge_pte_none(entry) || !huge_pte_none(dst_entry)) {
+			/*
+			 * Skip if src entry none.  Also, skip in the
+			 * unlikely case dst entry !none as this implies
+			 * sharing with another vma.
+			 */
 			;
 		} else if (unlikely(is_hugetlb_entry_migration(entry) ||
 				    is_hugetlb_entry_hwpoisoned(entry))) {
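
Review bot: the first `dst_entry = huge_ptep_get(dst_pte);` runs before huge_pte_lock() is taken, so the `!huge_pte_none(dst_entry)` test on the following line is advisory and only the re-read under the lock is authoritative. The comment does say this, but the entry is now read even when `dst_pte == src_pte` would have skipped the iteration on its own; testing the pointer equality first and reading the entry only when it fails keeps the common case as cheap as it was. In the locked branch the body is now a multi-line comment followed by a lone `;`, which is easy to misread as a missing statement; moving the comment above the `if` would help.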



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 157/160] mm: migration: fix migration of huge PMD shared pages
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 156/160] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 158/160] drm/rockchip: Allow driver to be shutdown on reboot/kexec Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Kravetz, Kirill A. Shutemov,
	Naoya Horiguchi, Michal Hocko, Vlastimil Babka, Davidlohr Bueso,
	Jerome Glisse, Andrew Morton

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 017b1660df89f5fb4bfe66c34e35f7d2031100c7 upstream.

The page migration code employs try_to_unmap() to try and unmap the source
page.  This is accomplished by using rmap_walk to find all vmas where the
page is mapped.  This search stops when page mapcount is zero.  For shared
PMD huge pages, the page map count is always 1 no matter the number of
mappings.  Shared mappings are tracked via the reference count of the PMD
page.  Therefore, try_to_unmap stops prematurely and does not completely
unmap all mappings of the source page.

This problem can result in data corruption as writes to the original
source page can happen after contents of the page are copied to the target
page.  Hence, data is lost.

This problem was originally seen as DB corruption of shared global areas
after a huge page was soft offlined due to ECC memory errors.  DB
developers noticed they could reproduce the issue by (hotplug) offlining
memory used to back huge pages.  A simple testcase can reproduce the
problem by creating a shared PMD mapping (note that this must be at least
PUD_SIZE in size and PUD_SIZE aligned (1GB on x86)), and using
migrate_pages() to migrate process pages between nodes while continually
writing to the huge pages being migrated.

To fix, have the try_to_unmap_one routine check for huge PMD sharing by
calling huge_pmd_unshare for hugetlbfs huge pages.  If it is a shared
mapping it will be 'unshared' which removes the page table entry and drops
the reference on the PMD page.  After this, flush caches and TLB.

mmu notifiers are called before locking page tables, but we can not be
sure of PMD sharing until page tables are locked.  Therefore, check for
the possibility of PMD sharing before locking so that notifiers can
prepare for the worst possible case.

Link: http://lkml.kernel.org/r/20180823205917.16297-2-mike.kravetz@oracle.com
[mike.kravetz@oracle.com: make _range_in_vma() a static inline]
  Link: http://lkml.kernel.org/r/6063f215-a5c8-2f0c-465a-2c515ddc952d@oracle.com
Fixes: 39dde65c9940 ("shared page table for hugetlb page")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/hugetlb.h |   14 ++++++++++++
 include/linux/mm.h      |    6 +++++
 mm/hugetlb.c            |   37 ++++++++++++++++++++++++++++++-
 mm/rmap.c               |   56 ++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 111 insertions(+), 2 deletions(-)

--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -110,6 +110,8 @@ pte_t *huge_pte_alloc(struct mm_struct *
 			unsigned long addr, unsigned long sz);
 pte_t *huge_pte_offset(struct mm_struct *mm, unsigned long addr);
 int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep);
+void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
+				unsigned long *start, unsigned long *end);
 struct page *follow_huge_addr(struct mm_struct *mm, unsigned long address,
 			      int write);
 struct page *follow_huge_pmd(struct mm_struct *mm, unsigned long address,
@@ -132,6 +134,18 @@ static inline unsigned long hugetlb_tota
 	return 0;
 }
 
+static inline int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr,
+						pte_t *ptep)
+{
+	return 0;
+}
+
+static inline void adjust_range_if_pmd_sharing_possible(
+				struct vm_area_struct *vma,
+				unsigned long *start, unsigned long *end)
+{
+}
+
 #define follow_hugetlb_page(m,v,p,vs,a,b,i,w)	({ BUG(); 0; })
 #define follow_huge_addr(mm, addr, write)	ERR_PTR(-EINVAL)
 #define copy_hugetlb_page_range(src, dst, vma)	({ BUG(); 0; })
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2058,6 +2058,12 @@ static inline struct vm_area_struct *fin
 	return vma;
 }
 
+static inline bool range_in_vma(struct vm_area_struct *vma,
+				unsigned long start, unsigned long end)
+{
+	return (vma && vma->vm_start <= start && end <= vma->vm_end);
+}
+
 #ifdef CONFIG_MMU
 pgprot_t vm_get_page_prot(unsigned long vm_flags);
 void vma_set_page_prot(struct vm_area_struct *vma);
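
Review bot: range_in_vma() does not check that start <= end, so a caller that computes end as start plus a size and wraps around would still pass the `end <= vma->vm_end` test. adjust_range_if_pmd_sharing_possible() in this same patch computes `a_end = a_start + PUD_SIZE` and passes it straight in. Either document that callers must supply a non-wrapping range or add the comparison to the helper. The outer parentheses around the return expression are not needed.
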
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4216,13 +4216,41 @@ static bool vma_shareable(struct vm_area
 	/*
 	 * check on proper vm_flags and page table alignment
 	 */
-	if (vma->vm_flags & VM_MAYSHARE &&
-	    vma->vm_start <= base && end <= vma->vm_end)
+	if (vma->vm_flags & VM_MAYSHARE && range_in_vma(vma, base, end))
 		return true;
 	return false;
 }
 
 /*
+ * Determine if start,end range within vma could be mapped by shared pmd.
+ * If yes, adjust start and end to cover range associated with possible
+ * shared pmd mappings.
+ */
+void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
+				unsigned long *start, unsigned long *end)
+{
+	unsigned long check_addr = *start;
+
+	if (!(vma->vm_flags & VM_MAYSHARE))
+		return;
+
+	for (check_addr = *start; check_addr < *end; check_addr += PUD_SIZE) {
+		unsigned long a_start = check_addr & PUD_MASK;
+		unsigned long a_end = a_start + PUD_SIZE;
+
+		/*
+		 * If sharing is possible, adjust start/end if necessary.
+		 */
+		if (range_in_vma(vma, a_start, a_end)) {
+			if (a_start < *start)
+				*start = a_start;
+			if (a_end > *end)
+				*end = a_end;
+		}
+	}
+}
+
+/*
  * Search for a shareable pmd page for hugetlb. In any case calls pmd_alloc()
  * and returns the corresponding pte. While this is not necessary for the
  * !shared pmd case because we can allocate the pmd later as well, it makes the
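
Review bot: in adjust_range_if_pmd_sharing_possible() the for loop tests `check_addr < *end` while the body can enlarge `*end`, and `check_addr` is initialised twice, once at its declaration and again in the for statement. Walking a local copy of the original start and end and writing the widened values back after the loop would make termination obvious at a glance, and the initialiser on the declaration can be dropped. The header comment should also state that the function only ever widens the range, since the caller added in mm/rmap.c detects possible sharing by comparing `spmd_end - spmd_start` with the huge page size.
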
@@ -4318,6 +4346,11 @@ int huge_pmd_unshare(struct mm_struct *m
 {
 	return 0;
 }
+
+void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
+				unsigned long *start, unsigned long *end)
+{
+}
 #define want_pmd_share()	(0)
 #endif /* CONFIG_ARCH_WANT_HUGE_PMD_SHARE */
 
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1324,12 +1324,41 @@ static int try_to_unmap_one(struct page
 	pte_t pteval;
 	spinlock_t *ptl;
 	int ret = SWAP_AGAIN;
+	unsigned long sh_address;
+	bool pmd_sharing_possible = false;
+	unsigned long spmd_start, spmd_end;
 	enum ttu_flags flags = (enum ttu_flags)arg;
 
 	/* munlock has nothing to gain from examining un-locked vmas */
 	if ((flags & TTU_MUNLOCK) && !(vma->vm_flags & VM_LOCKED))
 		goto out;
 
+	/*
+	 * Only use the range_start/end mmu notifiers if huge pmd sharing
+	 * is possible.  In the normal case, mmu_notifier_invalidate_page
+	 * is sufficient as we only unmap a page.  However, if we unshare
+	 * a pmd, we will unmap a PUD_SIZE range.
+	 */
+	if (PageHuge(page)) {
+		spmd_start = address;
+		spmd_end = spmd_start + vma_mmu_pagesize(vma);
+
+		/*
+		 * Check if pmd sharing is possible.  If possible, we could
+		 * unmap a PUD_SIZE range.  spmd_start/spmd_end will be
+		 * modified if sharing is possible.
+		 */
+		adjust_range_if_pmd_sharing_possible(vma, &spmd_start,
+								&spmd_end);
+		if (spmd_end - spmd_start != vma_mmu_pagesize(vma)) {
+			sh_address = address;
+
+			pmd_sharing_possible = true;
+			mmu_notifier_invalidate_range_start(vma->vm_mm,
+							spmd_start, spmd_end);
+		}
+	}
+
 	pte = page_check_address(page, mm, address, &ptl, 0);
 	if (!pte)
 		goto out;
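
Review bot: mmu_notifier_invalidate_range_start() is issued here before page_check_address(), so every exit taken below this point has to reach the `out:` label, which is where the matching mmu_notifier_invalidate_range_end() is added later in this patch. The `goto out` for `!pte` does that, but a comment at the range_start call saying that no direct return is allowed past it would protect future edits. vma_mmu_pagesize(vma) is also evaluated twice within a few lines; a local variable would do.
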
@@ -1356,6 +1385,30 @@ static int try_to_unmap_one(struct page
 		}
   	}
 
+	/*
+	 * Call huge_pmd_unshare to potentially unshare a huge pmd.  Pass
+	 * sh_address as it will be modified if unsharing is successful.
+	 */
+	if (PageHuge(page) && huge_pmd_unshare(mm, &sh_address, pte)) {
+		/*
+		 * huge_pmd_unshare unmapped an entire PMD page.  There is
+		 * no way of knowing exactly which PMDs may be cached for
+		 * this mm, so flush them all.  spmd_start/spmd_end cover
+		 * this PUD_SIZE range.
+		 */
+		flush_cache_range(vma, spmd_start, spmd_end);
+		flush_tlb_range(vma, spmd_start, spmd_end);
+
+		/*
+		 * The ref count of the PMD page was dropped which is part
+		 * of the way map counting is done for shared PMDs.  When
+		 * there is no other sharing, huge_pmd_unshare returns false
+		 * and we will unmap the actual page and drop map count
+		 * to zero.
+		 */
+		goto out_unmap;
+	}
+
 	/* Nuke the page table entry. */
 	flush_cache_page(vma, address, page_to_pfn(page));
 	if (should_defer_flush(mm, flags)) {
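
Review bot: `sh_address` can reach huge_pmd_unshare() uninitialised. It is declared without a value, it is assigned only inside the `spmd_end - spmd_start != vma_mmu_pagesize(vma)` branch added earlier in this function, yet `&sh_address` is passed here whenever PageHuge(page) is true. Set it to `address` where spmd_start is set (or at the declaration), or guard this call with pmd_sharing_possible so the pointer is never handed over without a value behind it.
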
@@ -1450,6 +1503,9 @@ out_unmap:
 	if (ret != SWAP_FAIL && ret != SWAP_MLOCK && !(flags & TTU_MUNLOCK))
 		mmu_notifier_invalidate_page(mm, address);
 out:
+	if (pmd_sharing_possible)
+		mmu_notifier_invalidate_range_end(vma->vm_mm,
+							spmd_start, spmd_end);
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 158/160] drm/rockchip: Allow driver to be shutdown on reboot/kexec
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 157/160] mm: migration: fix migration of huge PMD shared pages Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 159/160] drm/dp_mst: Check if primary mstb is null Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Vicente Bergas, Heiko Stuebner

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 7f3ef5dedb146e3d5063b6845781ad1bb59b92b5 upstream.

Leaving the DRM driver enabled on reboot or kexec has the annoying
effect of leaving the display generating transactions whilst the
IOMMU has been shut down.

In turn, the IOMMU driver (which shares its interrupt line with
the VOP) starts warning either on shutdown or when entering the
secondary kernel in the kexec case (nothing is expected on that
front).

A cheap way of ensuring that things are nicely shut down is to
register a shutdown callback in the platform driver.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Tested-by: Vicente Bergas <vicencb@gmail.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20180805124807.18169-1-marc.zyngier@arm.com
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/rockchip/rockchip_drm_drv.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
@@ -547,6 +547,11 @@ static int rockchip_drm_platform_remove(
 	return 0;
 }
 
+static void rockchip_drm_platform_shutdown(struct platform_device *pdev)
+{
+	rockchip_drm_platform_remove(pdev);
+}
+
 static const struct of_device_id rockchip_drm_dt_ids[] = {
 	{ .compatible = "rockchip,display-subsystem", },
 	{ /* sentinel */ },
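
Review bot: rockchip_drm_platform_shutdown() reuses the whole remove path and discards the int that rockchip_drm_platform_remove() returns, with no comment explaining that this is intended. The commit message gives the reason (the display must stop generating transactions before the IOMMU is shut down on reboot or kexec); putting one line to that effect above the function would tell whoever next extends remove() that the same code also runs in shutdown context and has to stay safe there.
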
@@ -556,6 +561,7 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_
 static struct platform_driver rockchip_drm_platform_driver = {
 	.probe = rockchip_drm_platform_probe,
 	.remove = rockchip_drm_platform_remove,
+	.shutdown = rockchip_drm_platform_shutdown,
 	.driver = {
 		.name = "rockchip-drm",
 		.of_match_table = rockchip_drm_dt_ids,



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 159/160] drm/dp_mst: Check if primary mstb is null
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 158/160] drm/rockchip: Allow driver to be shutdown on reboot/kexec Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-19 16:29 ` [PATCH 4.4 160/160] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lyude Paul, Stanislav Lisovskiy

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>

commit 23d8003907d094f77cf959228e2248d6db819fa7 upstream.

Unfortunately drm_dp_get_mst_branch_device which is called from both
drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep seems to rely
on mgr->mst_primary not being NULL, which seems to be wrong as it can be
cleared with a simultaneous mode set, if probing fails or in other cases.
mgr->lock mutex doesn't protect against that as it might just get
assigned to NULL right before, not simultaneously.

There are currently bugs 107738 and 108616 which crash in
drm_dp_get_mst_branch_device, caused by this issue.

v2: Refactored the code, as it was nicely noticed.
    Fixed Bugzilla bug numbers (second was 108616, but not 108816)
    and added links.

[changed title and added stable cc]
Signed-off-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
Cc: stable@vger.kernel.org
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108616
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107738
Link: https://patchwork.freedesktop.org/patch/msgid/20181109090012.24438-1-stanislav.lisovskiy@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_dp_mst_topology.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -1225,6 +1225,9 @@ static struct drm_dp_mst_branch *drm_dp_
 	mutex_lock(&mgr->lock);
 	mstb = mgr->mst_primary;
 
+	if (!mstb)
+		goto out;
+
 	for (i = 0; i < lct - 1; i++) {
 		int shift = (i % 2) ? 0 : 4;
 		int port_num = (rad[i / 2] >> shift) & 0xf;
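
Review bot: the new `goto out` is taken with mgr->lock held and mstb equal to NULL, so the code at the `out:` label, which this hunk does not show, must release the mutex and must not dereference mstb or take a reference on it. Please confirm that in the commit message or widen the context so a reviewer can see it. The function can now hand NULL back on this path, so it is also worth stating that drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep, the two callers named in the commit message, check the result before using it.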



^ permalink raw reply	[flat|nested] 169+ messages in thread

* [PATCH 4.4 160/160] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 159/160] drm/dp_mst: Check if primary mstb is null Greg Kroah-Hartman
@ 2018-11-19 16:29 ` Greg Kroah-Hartman
  2018-11-20  0:13 ` [PATCH 4.4 000/160] 4.4.164-stable review shuah
                   ` (3 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-19 16:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jani Nikula, Clint Taylor,
	Jani Nikula, Joonas Lahtinen

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Clint Taylor <clinton.a.taylor@intel.com>

commit 6503493145cba4413ecd3d4d153faeef4a1e9b85 upstream.

HDMI 2.0 594MHz modes were incorrectly selecting 25.200MHz Automatic N value
mode instead of HDMI specification values.

V2: Fix 88.2 Hz N value

Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Clint Taylor <clinton.a.taylor@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1540493521-1746-2-git-send-email-clinton.a.taylor@intel.com
(cherry picked from commit 5a400aa3c562c4a726b4da286e63c96db905ade1)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/intel_audio.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/drivers/gpu/drm/i915/intel_audio.c
+++ b/drivers/gpu/drm/i915/intel_audio.c
@@ -76,6 +76,9 @@ static const struct {
 /* HDMI N/CTS table */
 #define TMDS_297M 297000
 #define TMDS_296M 296703
+#define TMDS_594M 594000
+#define TMDS_593M 593407
+
 static const struct {
 	int sample_rate;
 	int clock;
@@ -96,6 +99,20 @@ static const struct {
 	{ 176400, TMDS_297M, 18816, 247500 },
 	{ 192000, TMDS_296M, 23296, 281250 },
 	{ 192000, TMDS_297M, 20480, 247500 },
+	{ 44100, TMDS_593M, 8918, 937500 },
+	{ 44100, TMDS_594M, 9408, 990000 },
+	{ 48000, TMDS_593M, 5824, 562500 },
+	{ 48000, TMDS_594M, 6144, 594000 },
+	{ 32000, TMDS_593M, 5824, 843750 },
+	{ 32000, TMDS_594M, 3072, 445500 },
+	{ 88200, TMDS_593M, 17836, 937500 },
+	{ 88200, TMDS_594M, 18816, 990000 },
+	{ 96000, TMDS_593M, 11648, 562500 },
+	{ 96000, TMDS_594M, 12288, 594000 },
+	{ 176400, TMDS_593M, 35672, 937500 },
+	{ 176400, TMDS_594M, 37632, 990000 },
+	{ 192000, TMDS_593M, 23296, 562500 },
+	{ 192000, TMDS_594M, 24576, 594000 },
 };
 
 /* get AUD_CONFIG_PIXEL_CLOCK_HDMI_* value for mode */
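
Review bot: the fourteen new table rows carry no reference to where their N and CTS values come from, and the commit message already records one transcription slip ("V2: Fix 88.2 Hz N value"). A comment above the block naming the specification table would let a reviewer check them line by line. It would also explain entries that look like copy and paste at first sight, such as `{ 32000, TMDS_593M, 5824, 843750 }` and `{ 48000, TMDS_593M, 5824, 562500 }` sharing the same N. The new rows start at 44100 and put 32000 third; if the existing table is ordered by sample rate, keeping that order makes gaps easier to spot.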



^ permalink raw reply	[flat|nested] 169+ messages in thread

* Re: [PATCH 4.4 131/160] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
  2018-11-19 16:29 ` [PATCH 4.4 131/160] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings Greg Kroah-Hartman
@ 2018-11-19 22:16   ` David Rientjes
  2018-11-20  7:44     ` Michal Hocko
  0 siblings, 1 reply; 169+ messages in thread
From: David Rientjes @ 2018-11-19 22:16 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Andrea Arcangeli, Michal Hocko,
	Stefan Priebe, Alex Williamson, Mel Gorman, Zi Yan,
	Vlastimil Babka, Kirill A. Shutemov, Andrew Morton,
	Linus Torvalds

On Mon, 19 Nov 2018, Greg Kroah-Hartman wrote:

> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 

As I noted when this patch was originally proposed and when I nacked it[*] 
because it causes a 13.9% increase in remote memory access latency and up 
to 40% increase in remote memory allocation latency on much of our 
software stack that uses MADV_HUGEPAGE after mremapping the text segment 
to memory backed by hugepages, I don't think this is stable material.

The 4.4 kernel is almost three years old and this changes the NUMA 
locality of any user of MADV_HUGEPAGE.

Although the page was merged even after my objection, we must revert it in 
our own kernel because there is no userspace workaround to restore the 
behavior previous to this patch absent using an MPOL_BIND mempolicy which 
would have the unwanted side effect of oom killing if the node is out of 
memory for pages of the native size, which would be a non-starter.

 [*] https://marc.info/?l=linux-kernel&m=153868420126775

^ permalink raw reply	[flat|nested] 169+ messages in thread

* Re: [PATCH 4.4 000/160] 4.4.164-stable review
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2018-11-19 16:29 ` [PATCH 4.4 160/160] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values Greg Kroah-Hartman
@ 2018-11-20  0:13 ` shuah
  2018-11-20  8:15 ` Naresh Kamboju
                   ` (2 subsequent siblings)
  163 siblings, 0 replies; 169+ messages in thread
From: shuah @ 2018-11-20  0:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 11/19/18 9:27 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.164 release.
> There are 160 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Nov 21 16:25:20 UTC 2018.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.164-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 169+ messages in thread

* Re: [PATCH 4.4 131/160] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
  2018-11-19 22:16   ` David Rientjes
@ 2018-11-20  7:44     ` Michal Hocko
  2018-11-20 23:53       ` David Rientjes
  0 siblings, 1 reply; 169+ messages in thread
From: Michal Hocko @ 2018-11-20  7:44 UTC (permalink / raw)
  To: David Rientjes
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Andrea Arcangeli,
	Stefan Priebe, Alex Williamson, Mel Gorman, Zi Yan,
	Vlastimil Babka, Kirill A. Shutemov, Andrew Morton,
	Linus Torvalds

On Mon 19-11-18 14:16:24, David Rientjes wrote:
> On Mon, 19 Nov 2018, Greg Kroah-Hartman wrote:
> 
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > 
> 
> As I noted when this patch was originally proposed and when I nacked it[*] 
> because it causes a 13.9% increase in remote memory access latency and up 
> to 40% increase in remote memory allocation latency on much of our 
> software stack that uses MADV_HUGEPAGE after mremapping the text segment 
> to memory backed by hugepages, I don't think this is stable material.

There was a wider consensus that this is the most minimal fix for users
who see a regression introduced by 5265047ac301 ("mm, thp: really
limit transparent hugepage allocation to local node"). As it has been
discussed extensively, there is no universal win, but we should always opt
for the safer side, which this patch is accomplishing. The changelog goes
to length explaining them along with numbers. I am not happy that your
particular workload is suffering, but this area certainly requires many
more changes to satisfy a wider range of users.

> The 4.4 kernel is almost three years old and this changes the NUMA 
> locality of any user of MADV_HUGEPAGE.

Yes and we have seen bug reports as we adopted this older kernel only
now.
-- 
Michal Hocko
SUSE Labs


* Re: [PATCH 4.4 000/160] 4.4.164-stable review
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2018-11-20  0:13 ` [PATCH 4.4 000/160] 4.4.164-stable review shuah
@ 2018-11-20  8:15 ` Naresh Kamboju
  2018-11-20 10:52 ` Jon Hunter
  2018-11-20 20:39 ` Guenter Roeck
  163 siblings, 0 replies; 169+ messages in thread
From: Naresh Kamboju @ 2018-11-20  8:15 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Mon, 19 Nov 2018 at 22:27, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.4.164 release.
> There are 160 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Nov 21 16:25:20 UTC 2018.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.164-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.4.164-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.4.y
git commit: 6c17c03ca5ac12e36d4d8d5eabc81b5076763046
git describe: v4.4.163-161-g6c17c03ca5ac
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.4-oe/build/v4.4.163-161-g6c17c03ca5ac

No regressions (compared to build v4.4.163-107-g3c957d7bc2fc)


* Re: [PATCH 4.4 000/160] 4.4.164-stable review
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2018-11-20  8:15 ` Naresh Kamboju
@ 2018-11-20 10:52 ` Jon Hunter
  2018-11-20 20:39 ` Guenter Roeck
  163 siblings, 0 replies; 169+ messages in thread
From: Jon Hunter @ 2018-11-20 10:52 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 19/11/2018 16:27, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.164 release.
> There are 160 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Nov 21 16:25:20 UTC 2018.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.164-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v4.4:
    6 builds:	6 pass, 0 fail
    12 boots:	12 pass, 0 fail
    10 tests:	10 pass, 0 fail

Linux version:	4.4.164-rc1-g6c17c03
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic


* Re: [PATCH 4.4 000/160] 4.4.164-stable review
  2018-11-19 16:27 [PATCH 4.4 000/160] 4.4.164-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2018-11-20 10:52 ` Jon Hunter
@ 2018-11-20 20:39 ` Guenter Roeck
  163 siblings, 0 replies; 169+ messages in thread
From: Guenter Roeck @ 2018-11-20 20:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Mon, Nov 19, 2018 at 05:27:19PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.164 release.
> There are 160 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Nov 21 16:25:20 UTC 2018.
> Anything received after that time might be too late.
> 

Build results:
	total: 150 pass: 150 fail: 0
Qemu test results:
	total: 262 pass: 262 fail: 0

Details are available at https://kerneltests.org/builders/.

Guenter


* Re: [PATCH 4.4 131/160] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
  2018-11-20  7:44     ` Michal Hocko
@ 2018-11-20 23:53       ` David Rientjes
  2018-11-21  7:59         ` Michal Hocko
  0 siblings, 1 reply; 169+ messages in thread
From: David Rientjes @ 2018-11-20 23:53 UTC (permalink / raw)
  To: Michal Hocko
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Andrea Arcangeli,
	Stefan Priebe, Alex Williamson, Mel Gorman, Zi Yan,
	Vlastimil Babka, Kirill A. Shutemov, Andrew Morton,
	Linus Torvalds

On Tue, 20 Nov 2018, Michal Hocko wrote:

> On Mon 19-11-18 14:16:24, David Rientjes wrote:
> > On Mon, 19 Nov 2018, Greg Kroah-Hartman wrote:
> > 
> > > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > > 
> > 
> > As I noted when this patch was originally proposed and when I nacked it[*] 
> > because it causes a 13.9% increase in remote memory access latency and up 
> > to 40% increase in remote memory allocation latency on much of our 
> > software stack that uses MADV_HUGEPAGE after mremapping the text segment 
> > to memory backed by hugepages, I don't think this is stable material.
> 
> There was a wider consensus that this is the most minimal fix for users
> who see a regression introduced by 5265047ac301 ("mm, thp: really
> limit transparent hugepage allocation to local node"). As it has been
> discussed extensively, there is no universal win, but we should always opt
> for the safer side, which this patch is accomplishing. The changelog goes
> to length explaining them along with numbers. I am not happy that your
> particular workload is suffering, but this area certainly requires many
> more changes to satisfy a wider range of users.
> 
> > The 4.4 kernel is almost three years old and this changes the NUMA 
> > locality of any user of MADV_HUGEPAGE.
> 
> Yes and we have seen bug reports as we adopted this older kernel only
> now.

I think the responsible thing to do would be to allow users to remain on 
their stable kernel that they know works, whether that's 4.4 or any of the 
others this is proposed for, and downgrade from any current kernel release 
that causes their workloads to have such severe regressions once they try 
a kernel with this commit.


* Re: [PATCH 4.4 131/160] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
  2018-11-20 23:53       ` David Rientjes
@ 2018-11-21  7:59         ` Michal Hocko
  0 siblings, 0 replies; 169+ messages in thread
From: Michal Hocko @ 2018-11-21  7:59 UTC (permalink / raw)
  To: David Rientjes
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Andrea Arcangeli,
	Stefan Priebe, Alex Williamson, Mel Gorman, Zi Yan,
	Vlastimil Babka, Kirill A. Shutemov, Andrew Morton,
	Linus Torvalds

On Tue 20-11-18 15:53:10, David Rientjes wrote:
> On Tue, 20 Nov 2018, Michal Hocko wrote:
> 
> > On Mon 19-11-18 14:16:24, David Rientjes wrote:
> > > On Mon, 19 Nov 2018, Greg Kroah-Hartman wrote:
> > > 
> > > > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > > > 
> > > 
> > > As I noted when this patch was originally proposed and when I nacked it[*] 
> > > because it causes a 13.9% increase in remote memory access latency and up 
> > > to 40% increase in remote memory allocation latency on much of our 
> > > software stack that uses MADV_HUGEPAGE after mremapping the text segment 
> > > to memory backed by hugepages, I don't think this is stable material.
> > 
> > There was a wider consensus that this is the most minimal fix for users
> > who see a regression introduced by 5265047ac301 ("mm, thp: really
> > limit transparent hugepage allocation to local node"). As it has been
> > discussed extensively, there is no universal win, but we should always opt
> > for the safer side, which this patch is accomplishing. The changelog goes
> > to length explaining them along with numbers. I am not happy that your
> > particular workload is suffering, but this area certainly requires many
> > more changes to satisfy a wider range of users.
> > 
> > > The 4.4 kernel is almost three years old and this changes the NUMA 
> > > locality of any user of MADV_HUGEPAGE.
> > 
> > Yes and we have seen bug reports as we adopted this older kernel only
> > now.
> 
> I think the responsible thing to do would be to allow users to remain on 
> their stable kernel that they know works, whether that's 4.4 or any of the 
> others this is proposed for, and downgrade from any current kernel release 
> that causes their workloads to have such severe regressions once they try 
> a kernel with this commit.

But we do know that there are people affected on the 4.4 kernel. Besides
that, we can revert in the stable tree as soon as we see bug reports on
new stable tree releases.

Really, there is no single proper behavior. It was a mistake to merge
5265047ac301. Since then we have been in the unfortunate situation that some
workloads might have started to depend on the new behavior.

But rather than repeating the previous long discussion, I would call for
a new one which actually deals with the fallout. AFAIR there is a patch
series to reduce the fragmentation issues by Mel with zero feedback so
far. I also think we should start discussing a new memory policy to
establish the semantics you are after.

-- 
Michal Hocko
SUSE Labs
