linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 4.19 000/134] 4.19.33-stable review
@ 2019-04-01 17:00 Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 001/134] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Greg Kroah-Hartman
                   ` (138 more replies)
  0 siblings, 139 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.19.33 release.
There are 134 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Apr  3 16:59:23 UTC 2019.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.33-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.19.33-rc1

Heikki Krogerus <heikki.krogerus@linux.intel.com>
    platform: x86: intel_cht_int33fe: Remove the old connections for the muxes

Heikki Krogerus <heikki.krogerus@linux.intel.com>
    usb: typec: class: Don't use port parent for getting mux handles

Heikki Krogerus <heikki.krogerus@linux.intel.com>
    platform: x86: intel_cht_int33fe: Add connections for the USB Type-C port

Heikki Krogerus <heikki.krogerus@linux.intel.com>
    platform: x86: intel_cht_int33fe: Add connection for the DP alt mode

Heikki Krogerus <heikki.krogerus@linux.intel.com>
    platform: x86: intel_cht_int33fe: Register all connections at once

Heikki Krogerus <heikki.krogerus@linux.intel.com>
    drivers: base: Helpers for adding device connection descriptions

Xu Yu <xuyu@linux.alibaba.com>
    bpf: do not restore dst_reg when cur_state is freed

Gao Xiang <gaoxiang25@huawei.com>
    staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()

Gao Xiang <gaoxiang25@huawei.com>
    staging: erofs: fix error handling when failed to read compresssed data

Sean Christopherson <sean.j.christopherson@intel.com>
    KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts

Sean Christopherson <sean.j.christopherson@intel.com>
    KVM: x86: update %rip after emulating IO

Sean Christopherson <sean.j.christopherson@intel.com>
    KVM: Reject device ioctls from processes other than the VM's creator

Thomas Gleixner <tglx@linutronix.de>
    x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y

Thomas Gleixner <tglx@linutronix.de>
    cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n

Thomas Gleixner <tglx@linutronix.de>
    watchdog: Respect watchdog cpumask on CPU hotplug

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/64: Fix memcmp reading past the end of src/dest

Gautham R. Shenoy <ego@linux.vnet.ibm.com>
    powerpc/pseries/energy: Use OF accessor functions to read ibm,drc-indexes

Rolf Eike Beer <eb@emlix.com>
    objtool: Query pkg-config for libelf location

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix TSC slip

Kan Liang <kan.liang@linux.intel.com>
    perf pmu: Fix parser error for uncore event alias

Lars Persson <lars.persson@axis.com>
    mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate

Yang Shi <yang.shi@linux.alibaba.com>
    mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified

Nicolas Boichat <drinkcat@chromium.org>
    iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging

Nicolas Boichat <drinkcat@chromium.org>
    mm: add support for kmem caches in DMA32 zone

Romain Izard <romain.izard.pro@gmail.com>
    usb: cdc-acm: fix race during wakeup blocking TX traffic

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Don't let USB3 ports stuck in polling state prevent suspend

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: xhci: dbc: Don't free all memory with spinlock held

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Fix port resume done detection for SS ports with LPM enabled

Yasushi Asano <yasano@jp.adit-jv.com>
    usb: host: xhci-rcar: Add XHCI_TRUST_TX_LENGTH quirk

Fabrizio Castro <fabrizio.castro@bp.renesas.com>
    usb: common: Consider only available nodes for dr_mode

Radoslav Gerganov <rgerganov@vmware.com>
    USB: gadget: f_hid: fix deadlock in f_hidg_write()

Arnd Bergmann <arnd@arndb.de>
    usb: mtu3: fix EXTCON dependency

Chen-Yu Tsai <wens@csie.org>
    phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs

Axel Lin <axel.lin@ingics.com>
    gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input

Kangjie Lu <kjlu@umn.edu>
    gpio: exar: add a check for the return value of ida_simple_get fails

Zhenyu Wang <zhenyuw@linux.intel.com>
    drm/i915/gvt: Fix MI_FLUSH_DW parsing with correct index check

Eric Biggers <ebiggers@google.com>
    drm/vkms: fix use-after-free when drm_gem_handle_create() fails

Eric Biggers <ebiggers@google.com>
    drm/vgem: fix use-after-free when drm_gem_handle_create() fails

YueHaibing <yuehaibing@huawei.com>
    fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links

Wentao Wang <witallwang@gmail.com>
    Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc

Bjørn Mork <bjorn@mork.no>
    USB: serial: option: add Olicard 600

Kristian Evensen <kristian.evensen@gmail.com>
    USB: serial: option: add support for Quectel EM12

Mans Rullgard <mans@mansr.com>
    USB: serial: option: set driver_info for SIM5218 and compatibles

Lin Yi <teroincn@163.com>
    USB: serial: mos7720: fix mos_parport refcount imbalance on error path

George McCollister <george.mccollister@gmail.com>
    USB: serial: ftdi_sio: add additional NovaTech products

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    USB: serial: cp210x: add new device id

Hoan Nguyen An <na-hoan@jinso.co.jp>
    serial: sh-sci: Fix setting SCSCR_TIE while transferring data

Aditya Pakki <pakki001@umn.edu>
    serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference

Aditya Pakki <pakki001@umn.edu>
    serial: max310x: Fix to avoid potential NULL pointer dereference

Chao Yu <yuchao0@huawei.com>
    staging: erofs: fix to handle error path of erofs_vmap()

Malcolm Priestley <tvboxspy@gmail.com>
    staging: vt6655: Fix interrupt race condition on device start up.

Malcolm Priestley <tvboxspy@gmail.com>
    staging: vt6655: Remove vif check from vnt_interrupt

Samuel Thibault <samuel.thibault@ens-lyon.org>
    staging: speakup_soft: Fix alternate speech with other synths

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest

Nathan Chancellor <natechancellor@gmail.com>
    tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup

Kangjie Lu <kjlu@umn.edu>
    tty: atmel_serial: fix a potential NULL pointer dereference

Kangjie Lu <kjlu@umn.edu>
    tty: mxs-auart: fix a potential NULL pointer dereference

Jonas Karlman <jonas@kwiboo.se>
    drm/rockchip: vop: reset scale mode when win is disabled

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host

Martin K. Petersen <martin.petersen@oracle.com>
    scsi: sd: Quiesce warning if device does not report optimal I/O size

Bart Van Assche <bvanassche@acm.org>
    scsi: sd: Fix a race between closing an sd device and sd I/O

Darrick J. Wong <darrick.wong@oracle.com>
    ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    fs/open.c: allow opening only regular files during execve()

Fredrik Noring <noring@nocrew.org>
    kbuild: modversions: Fix relative CRC byte order interpretation

Bernhard Rosenkraenzer <bero@lindev.ch>
    ALSA: hda/realtek - Fix speakers on Acer Predator Helios 500 Ryzen laptops

Jian-Hong Pan <jian-hong@endlessm.com>
    ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK with ALC256

Chris Chiu <chiu@endlessm.com>
    ALSA: hda/realtek: Enable headset mic of ASUS P5440FF with ALC256

Jian-Hong Pan <jian-hong@endlessm.com>
    ALSA: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256

Chris Chiu <chiu@endlessm.com>
    ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic

Jian-Hong Pan <jian-hong@endlessm.com>
    ALSA: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 with ALC286

Jian-Hong Pan <jian-hong@endlessm.com>
    ALSA: hda/realtek: Enable headset MIC of Acer AIO with ALC286

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: Don't suspend stream in unrecoverable PCM state

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: Fix possible OOB access in PCM oss plugins

Gustavo A. R. Silva <gustavo@embeddedor.com>
    ALSA: seq: oss: Fix Spectre v1 vulnerability

Gustavo A. R. Silva <gustavo@embeddedor.com>
    ALSA: rawmidi: Fix potential Spectre v1 vulnerability

Christian Lamparter <chunkeey@gmail.com>
    net: dsa: qca8k: remove leftover phy accessors

Olga Kornievskaia <kolga@netapp.com>
    NFSv4.1 don't free interrupted slot on open

NeilBrown <neilb@suse.com>
    NFS: fix mount/umount race in nlmclnt.

Cornelia Huck <cohuck@redhat.com>
    vfio: ccw: only free cp on final interrupt

Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    powerpc: bpf: Fix generation of load/store DW instructions

Kohji Okuno <okuno.kohji@jp.panasonic.com>
    ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix assertion failure on fsync with NO_HOLES enabled

Nikolay Borisov <nborisov@suse.com>
    btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size

Andrea Righi <andrea.righi@canonical.com>
    btrfs: raid56: properly unmap parity page in finish_parity_scrub()

David Sterba <dsterba@suse.com>
    btrfs: don't report readahead errors and don't update statistics

Josef Bacik <josef@toxicpanda.com>
    btrfs: remove WARN_ON in log_dir_items

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix incorrect file size after shrinking truncate and fsync

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/security: Fix spectre_v2 reporting

Christophe Leroy <christophe.leroy@c-s.fr>
    powerpc/fsl: Fix the flush of branch predictor.

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup'

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Update Spectre v2 reporting

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Flush branch predictor when entering KVM

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit)

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Add nospectre_v2 command line argument

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Emulate SPRN_BUCSR register

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Add macro to flush the branch predictor

Diana Craciun <diana.craciun@nxp.com>
    powerpc/fsl: Add infrastructure to fixup branch predictor flush

Eric Dumazet <edumazet@google.com>
    tun: add a missing rcu_read_unlock() in error path

Dean Nelson <dnelson@redhat.com>
    thunderx: eliminate extra calls to put_page() for pages held for recycling

Dean Nelson <dnelson@redhat.com>
    thunderx: enable page recycling for non-XDP case

John Hurley <john.hurley@netronome.com>
    net: sched: fix cleanup NULL pointer exception in act_mirr

Herbert Xu <herbert@gondor.apana.org.au>
    ila: Fix rhashtable walker list corruption

Zhiqiang Liu <liuzhiqiang26@huawei.com>
    vxlan: Don't call gro_cells_destroy() before device is unregistered

Sabrina Dubroca <sd@queasysnail.net>
    vrf: prevent adding upper devices

Eric Dumazet <edumazet@google.com>
    tun: properly test for IFF_UP

Erik Hugne <erik.hugne@gmail.com>
    tipc: fix cancellation of topology subscriptions

Xin Long <lucien.xin@gmail.com>
    tipc: change to check tipc_own_id to return in tipc_net_stop

Erik Hugne <erik.hugne@gmail.com>
    tipc: allow service ranges to be connect()'ed on RDM/DGRAM

Eric Dumazet <edumazet@google.com>
    tcp: do not use ipv6 header for ipv4 flow

Xin Long <lucien.xin@gmail.com>
    sctp: use memdup_user instead of vmemdup_user

Xin Long <lucien.xin@gmail.com>
    sctp: get sctphdr by offset in sctp_compute_cksum

Herbert Xu <herbert@gondor.apana.org.au>
    rhashtable: Still do rehash when we get EEXIST

Maxime Chevallier <maxime.chevallier@bootlin.com>
    packets: Always register packet sk in the same order

YueHaibing <yuehaibing@huawei.com>
    net-sysfs: call dev_hold if kobject_init_and_add success

Aaro Koskinen <aaro.koskinen@nokia.com>
    net: stmmac: fix memory corruption with large MTUs

Eric Dumazet <edumazet@google.com>
    net: rose: fix a possible stack overflow

Jerome Brunet <jbrunet@baylibre.com>
    net: phy: meson-gxl: fix interrupt support

Christoph Paasch <cpaasch@apple.com>
    net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec

Paolo Abeni <pabeni@redhat.com>
    net: datagram: fix unbounded loop in __skb_try_recv_datagram()

Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
    net: aquantia: fix rx checksum offload for UDP/TCP over IPv6

Bjorn Helgaas <bhelgaas@google.com>
    mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S

Finn Thain <fthain@telegraphics.com.au>
    mac8390: Fix mmio access size probe

Xin Long <lucien.xin@gmail.com>
    ipv6: make ip6_create_rt_rcu return ip6_null_entry instead of NULL

Matteo Croce <mcroce@redhat.com>
    gtp: change NET_UDP_TUNNEL dependency to select

YueHaibing <yuehaibing@huawei.com>
    genetlink: Fix a memory leak on error path

Eric Dumazet <edumazet@google.com>
    dccp: do not use ipv6 header for ipv4 flow

Corey Minyard <cminyard@mvista.com>
    ipmi_si: Fix crash when using hard-coded device

Marcel Holtmann <marcel@holtmann.org>
    Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer

Marcel Holtmann <marcel@holtmann.org>
    Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt


-------------

Diffstat:

 Documentation/virtual/kvm/api.txt                  |  16 +-
 Makefile                                           |   8 +-
 arch/arm/mach-imx/cpuidle-imx6q.c                  |  27 +--
 arch/powerpc/include/asm/feature-fixups.h          |  12 ++
 arch/powerpc/include/asm/ppc-opcode.h              |   2 +
 arch/powerpc/include/asm/ppc_asm.h                 |  10 +
 arch/powerpc/include/asm/setup.h                   |   7 +
 arch/powerpc/kernel/entry_64.S                     |   5 +
 arch/powerpc/kernel/exceptions-64e.S               |  27 ++-
 arch/powerpc/kernel/head_booke.h                   |  12 ++
 arch/powerpc/kernel/head_fsl_booke.S               |  15 ++
 arch/powerpc/kernel/security.c                     |  49 +++--
 arch/powerpc/kernel/setup-common.c                 |   1 +
 arch/powerpc/kernel/vmlinux.lds.S                  |   8 +
 arch/powerpc/kvm/bookehv_interrupts.S              |   4 +
 arch/powerpc/kvm/e500_emulate.c                    |   7 +
 arch/powerpc/lib/feature-fixups.c                  |  23 ++
 arch/powerpc/lib/memcmp_64.S                       |  17 +-
 arch/powerpc/mm/tlb_low_64e.S                      |   7 +
 arch/powerpc/net/bpf_jit.h                         |  17 +-
 arch/powerpc/net/bpf_jit32.h                       |   4 +
 arch/powerpc/net/bpf_jit64.h                       |  20 ++
 arch/powerpc/net/bpf_jit_comp64.c                  |  12 +-
 arch/powerpc/platforms/pseries/pseries_energy.c    |  27 ++-
 arch/x86/Kconfig                                   |   8 +-
 arch/x86/include/asm/kvm_host.h                    |   2 +
 arch/x86/kvm/vmx.c                                 |  14 --
 arch/x86/kvm/x86.c                                 |  48 ++++-
 drivers/char/ipmi/ipmi_si.h                        |   4 +-
 drivers/char/ipmi/ipmi_si_hardcode.c               | 236 +++++++++++++++------
 drivers/char/ipmi/ipmi_si_intf.c                   |  22 +-
 drivers/char/ipmi/ipmi_si_platform.c               |  30 ++-
 drivers/gpio/gpio-adnp.c                           |   6 +-
 drivers/gpio/gpio-exar.c                           |   2 +
 drivers/gpu/drm/i915/gvt/cmd_parser.c              |   2 +-
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c        |  18 +-
 drivers/gpu/drm/vgem/vgem_drv.c                    |   6 +-
 drivers/gpu/drm/vkms/vkms_gem.c                    |   5 +-
 drivers/iommu/io-pgtable-arm-v7s.c                 |  19 +-
 drivers/isdn/hardware/mISDN/hfcmulti.c             |   3 +-
 drivers/net/Kconfig                                |   4 +-
 drivers/net/dsa/qca8k.c                            |  18 --
 drivers/net/ethernet/8390/mac8390.c                |  19 +-
 drivers/net/ethernet/aquantia/atlantic/aq_ring.c   |   5 +-
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c |  30 ++-
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c    |   5 +-
 drivers/net/phy/meson-gxl.c                        |   6 +
 drivers/net/tun.c                                  |  16 +-
 drivers/net/vrf.c                                  |   1 +
 drivers/net/vxlan.c                                |   4 +-
 drivers/phy/allwinner/phy-sun4i-usb.c              |   5 +-
 drivers/platform/x86/intel_cht_int33fe.c           |  27 ++-
 drivers/s390/cio/vfio_ccw_drv.c                    |   8 +-
 drivers/s390/scsi/zfcp_erp.c                       |  17 ++
 drivers/s390/scsi/zfcp_ext.h                       |   2 +
 drivers/s390/scsi/zfcp_scsi.c                      |   4 +
 drivers/scsi/sd.c                                  |  22 +-
 drivers/staging/comedi/comedidev.h                 |   2 +
 drivers/staging/comedi/drivers.c                   |  33 ++-
 drivers/staging/comedi/drivers/ni_mio_common.c     |  10 +-
 drivers/staging/erofs/dir.c                        |  45 ++--
 drivers/staging/erofs/unzip_vle.c                  |  46 ++--
 drivers/staging/erofs/unzip_vle_lz4.c              |   7 +-
 drivers/staging/speakup/speakup_soft.c             |  16 +-
 drivers/staging/speakup/spk_priv.h                 |   1 +
 drivers/staging/speakup/synth.c                    |   6 +
 drivers/staging/vt6655/device_main.c               |  11 +-
 drivers/tty/serial/atmel_serial.c                  |   4 +
 drivers/tty/serial/kgdboc.c                        |   4 +-
 drivers/tty/serial/max310x.c                       |   2 +
 drivers/tty/serial/mvebu-uart.c                    |   3 +
 drivers/tty/serial/mxs-auart.c                     |   4 +
 drivers/tty/serial/qcom_geni_serial.c              |   2 +-
 drivers/tty/serial/sh-sci.c                        |  12 +-
 drivers/usb/class/cdc-acm.c                        |   4 +-
 drivers/usb/common/common.c                        |   2 +
 drivers/usb/gadget/function/f_hid.c                |   6 +-
 drivers/usb/host/xhci-dbgcap.c                     |   5 +-
 drivers/usb/host/xhci-hub.c                        |  19 +-
 drivers/usb/host/xhci-rcar.c                       |   1 +
 drivers/usb/host/xhci-ring.c                       |   9 +-
 drivers/usb/host/xhci.h                            |   8 +
 drivers/usb/mtu3/Kconfig                           |   1 +
 drivers/usb/serial/cp210x.c                        |   1 +
 drivers/usb/serial/ftdi_sio.c                      |   2 +
 drivers/usb/serial/ftdi_sio_ids.h                  |   4 +-
 drivers/usb/serial/mos7720.c                       |   4 +-
 drivers/usb/serial/option.c                        |  17 +-
 drivers/usb/typec/class.c                          |  38 ++--
 fs/btrfs/extent-tree.c                             |   2 +-
 fs/btrfs/raid56.c                                  |   3 +-
 fs/btrfs/tree-log.c                                |  33 ++-
 fs/btrfs/volumes.c                                 |   2 +-
 fs/lockd/host.c                                    |   3 +-
 fs/nfs/nfs4proc.c                                  |   3 +-
 fs/ocfs2/refcounttree.c                            |  42 ++--
 fs/open.c                                          |   6 +
 fs/proc/proc_sysctl.c                              |   3 +-
 include/linux/device.h                             |  24 +++
 include/linux/slab.h                               |   2 +
 include/net/sctp/checksum.h                        |   2 +-
 include/net/sock.h                                 |   6 +
 kernel/bpf/verifier.c                              |   2 +-
 kernel/cpu.c                                       |  20 +-
 kernel/watchdog.c                                  |   6 +-
 lib/rhashtable.c                                   |   8 +-
 mm/mempolicy.c                                     |  40 +++-
 mm/migrate.c                                       |  11 +-
 mm/slab.c                                          |   2 +
 mm/slab.h                                          |   3 +-
 mm/slab_common.c                                   |   2 +-
 mm/slub.c                                          |   5 +
 net/bluetooth/l2cap_core.c                         |  83 +++++---
 net/core/datagram.c                                |   2 +-
 net/core/net-sysfs.c                               |   6 +-
 net/dccp/ipv6.c                                    |   4 +-
 net/ipv6/ila/ila_xlat.c                            |   1 +
 net/ipv6/route.c                                   |  18 +-
 net/ipv6/tcp_ipv6.c                                |   8 +-
 net/netlink/genetlink.c                            |   3 +-
 net/packet/af_packet.c                             |   4 +-
 net/rose/rose_subr.c                               |  21 +-
 net/sched/act_mirred.c                             |   3 +
 net/sctp/socket.c                                  |  12 +-
 net/tipc/net.c                                     |   5 +-
 net/tipc/socket.c                                  |  20 +-
 net/tipc/topsrv.c                                  |   1 +
 scripts/mod/modpost.c                              |   2 +-
 sound/core/oss/pcm_oss.c                           |  43 ++--
 sound/core/pcm_native.c                            |   9 +-
 sound/core/rawmidi.c                               |   2 +
 sound/core/seq/oss/seq_oss_synth.c                 |   7 +-
 sound/pci/hda/patch_realtek.c                      |  79 ++++++-
 tools/objtool/Makefile                             |   7 +-
 .../perf/util/intel-pt-decoder/intel-pt-decoder.c  |  20 +-
 tools/perf/util/pmu.c                              |  10 +
 virt/kvm/kvm_main.c                                |   3 +
 137 files changed, 1323 insertions(+), 564 deletions(-)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 001/134] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 002/134] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marcel Holtmann, Johan Hedberg

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcel Holtmann <marcel@holtmann.org>

commit af3d5d1c87664a4f150fcf3534c6567cb19909b0 upstream.

When doing option parsing for standard type values of 1, 2 or 4 octets,
the value is converted directly into a variable instead of a pointer. To
avoid being tricked into being a pointer, check that for these option
types that sizes actually match. In L2CAP every option is fixed size and
thus it is prudent anyway to ensure that the remote side sends us the
right option size along with option paramters.

If the option size is not matching the option type, then that option is
silently ignored. It is a protocol violation and instead of trying to
give the remote attacker any further hints just pretend that option is
not present and proceed with the default values. Implementation
following the specification and its qualification procedures will always
use the correct size and thus not being impacted here.

To keep the code readable and consistent accross all options, a few
cosmetic changes were also required.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/l2cap_core.c |   77 ++++++++++++++++++++++++++-------------------
 1 file changed, 46 insertions(+), 31 deletions(-)

--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3342,10 +3342,14 @@ static int l2cap_parse_conf_req(struct l
 
 		switch (type) {
 		case L2CAP_CONF_MTU:
+			if (olen != 2)
+				break;
 			mtu = val;
 			break;
 
 		case L2CAP_CONF_FLUSH_TO:
+			if (olen != 2)
+				break;
 			chan->flush_to = val;
 			break;
 
@@ -3353,26 +3357,30 @@ static int l2cap_parse_conf_req(struct l
 			break;
 
 		case L2CAP_CONF_RFC:
-			if (olen == sizeof(rfc))
-				memcpy(&rfc, (void *) val, olen);
+			if (olen != sizeof(rfc))
+				break;
+			memcpy(&rfc, (void *) val, olen);
 			break;
 
 		case L2CAP_CONF_FCS:
+			if (olen != 1)
+				break;
 			if (val == L2CAP_FCS_NONE)
 				set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
 			break;
 
 		case L2CAP_CONF_EFS:
-			if (olen == sizeof(efs)) {
-				remote_efs = 1;
-				memcpy(&efs, (void *) val, olen);
-			}
+			if (olen != sizeof(efs))
+				break;
+			remote_efs = 1;
+			memcpy(&efs, (void *) val, olen);
 			break;
 
 		case L2CAP_CONF_EWS:
+			if (olen != 2)
+				break;
 			if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
 				return -ECONNREFUSED;
-
 			set_bit(FLAG_EXT_CTRL, &chan->flags);
 			set_bit(CONF_EWS_RECV, &chan->conf_state);
 			chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
@@ -3382,7 +3390,6 @@ static int l2cap_parse_conf_req(struct l
 		default:
 			if (hint)
 				break;
-
 			result = L2CAP_CONF_UNKNOWN;
 			*((u8 *) ptr++) = type;
 			break;
@@ -3550,55 +3557,60 @@ static int l2cap_parse_conf_rsp(struct l
 
 		switch (type) {
 		case L2CAP_CONF_MTU:
+			if (olen != 2)
+				break;
 			if (val < L2CAP_DEFAULT_MIN_MTU) {
 				*result = L2CAP_CONF_UNACCEPT;
 				chan->imtu = L2CAP_DEFAULT_MIN_MTU;
 			} else
 				chan->imtu = val;
-			l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
+			l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
+					   endptr - ptr);
 			break;
 
 		case L2CAP_CONF_FLUSH_TO:
+			if (olen != 2)
+				break;
 			chan->flush_to = val;
-			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
-					   2, chan->flush_to, endptr - ptr);
+			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
+					   chan->flush_to, endptr - ptr);
 			break;
 
 		case L2CAP_CONF_RFC:
-			if (olen == sizeof(rfc))
-				memcpy(&rfc, (void *)val, olen);
-
+			if (olen != sizeof(rfc))
+				break;
+			memcpy(&rfc, (void *)val, olen);
 			if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
 			    rfc.mode != chan->mode)
 				return -ECONNREFUSED;
-
 			chan->fcs = 0;
-
-			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-					   sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+					   (unsigned long) &rfc, endptr - ptr);
 			break;
 
 		case L2CAP_CONF_EWS:
+			if (olen != 2)
+				break;
 			chan->ack_win = min_t(u16, val, chan->ack_win);
 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
 					   chan->tx_win, endptr - ptr);
 			break;
 
 		case L2CAP_CONF_EFS:
-			if (olen == sizeof(efs)) {
-				memcpy(&efs, (void *)val, olen);
-
-				if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
-				    efs.stype != L2CAP_SERV_NOTRAFIC &&
-				    efs.stype != chan->local_stype)
-					return -ECONNREFUSED;
-
-				l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
-						   (unsigned long) &efs, endptr - ptr);
-			}
+			if (olen != sizeof(efs))
+				break;
+			memcpy(&efs, (void *)val, olen);
+			if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+			    efs.stype != L2CAP_SERV_NOTRAFIC &&
+			    efs.stype != chan->local_stype)
+				return -ECONNREFUSED;
+			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+					   (unsigned long) &efs, endptr - ptr);
 			break;
 
 		case L2CAP_CONF_FCS:
+			if (olen != 1)
+				break;
 			if (*result == L2CAP_CONF_PENDING)
 				if (val == L2CAP_FCS_NONE)
 					set_bit(CONF_RECV_NO_FCS,
@@ -3730,10 +3742,13 @@ static void l2cap_conf_rfc_get(struct l2
 
 		switch (type) {
 		case L2CAP_CONF_RFC:
-			if (olen == sizeof(rfc))
-				memcpy(&rfc, (void *)val, olen);
+			if (olen != sizeof(rfc))
+				break;
+			memcpy(&rfc, (void *)val, olen);
 			break;
 		case L2CAP_CONF_EWS:
+			if (olen != 2)
+				break;
 			txwin_ext = val;
 			break;
 		}



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 002/134] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 001/134] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 003/134] ipmi_si: Fix crash when using hard-coded device Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marcel Holtmann, Johan Hedberg

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcel Holtmann <marcel@holtmann.org>

commit 7c9cbd0b5e38a1672fcd137894ace3b042dfbf69 upstream.

The function l2cap_get_conf_opt will return L2CAP_CONF_OPT_SIZE + opt->len
as length value. The opt->len however is in control over the remote user
and can be used by an attacker to gain access beyond the bounds of the
actual packet.

To prevent any potential leak of heap memory, it is enough to check that
the resulting len calculation after calling l2cap_get_conf_opt is not
below zero. A well formed packet will always return >= 0 here and will
end with the length value being zero after the last option has been
parsed. In case of malformed packets messing with the opt->len field the
length value will become negative. If that is the case, then just abort
and ignore the option.

In case an attacker uses a too short opt->len value, then garbage will
be parsed, but that is protected by the unknown option handling and also
the option parameter size checks.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/l2cap_core.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3336,6 +3336,8 @@ static int l2cap_parse_conf_req(struct l
 
 	while (len >= L2CAP_CONF_OPT_SIZE) {
 		len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
+		if (len < 0)
+			break;
 
 		hint  = type & L2CAP_CONF_HINT;
 		type &= L2CAP_CONF_MASK;
@@ -3554,6 +3556,8 @@ static int l2cap_parse_conf_rsp(struct l
 
 	while (len >= L2CAP_CONF_OPT_SIZE) {
 		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
+		if (len < 0)
+			break;
 
 		switch (type) {
 		case L2CAP_CONF_MTU:
@@ -3739,6 +3743,8 @@ static void l2cap_conf_rfc_get(struct l2
 
 	while (len >= L2CAP_CONF_OPT_SIZE) {
 		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
+		if (len < 0)
+			break;
 
 		switch (type) {
 		case L2CAP_CONF_RFC:



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 003/134] ipmi_si: Fix crash when using hard-coded device
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 001/134] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 002/134] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 004/134] dccp: do not use ipv6 header for ipv4 flow Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang, Corey Minyard, Sasha Levin

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

Backport from 41b766d661bf94a364960862cfc248a78313dbd3

When excuting a command like:
  modprobe ipmi_si ports=0xffc0e3 type=bt
The system would get an oops.

The trouble here is that ipmi_si_hardcode_find_bmc() is called before
ipmi_si_platform_init(), but initialization of the hard-coded device
creates an IPMI platform device, which won't be initialized yet.

The real trouble is that hard-coded devices aren't created with
any device, and the fixup is done later.  So do it right, create the
hard-coded devices as normal platform devices.

This required adding some new resource types to the IPMI platform
code for passing information required by the hard-coded device
and adding some code to remove the hard-coded platform devices
on module removal.

To enforce the "hard-coded devices passed by the user take priority
over firmware devices" rule, some special code was added to check
and see if a hard-coded device already exists.

The backport required some minor fixups and adding the device
id table that had been added in another change and was used
in this one.

Reported-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: stable@vger.kernel.org # v4.15+
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_si.h          |    4 
 drivers/char/ipmi/ipmi_si_hardcode.c |  232 +++++++++++++++++++++++++----------
 drivers/char/ipmi/ipmi_si_intf.c     |   22 ++-
 drivers/char/ipmi/ipmi_si_platform.c |   30 +++-
 4 files changed, 216 insertions(+), 72 deletions(-)

--- a/drivers/char/ipmi/ipmi_si.h
+++ b/drivers/char/ipmi/ipmi_si.h
@@ -25,7 +25,9 @@ void ipmi_irq_finish_setup(struct si_sm_
 int ipmi_si_remove_by_dev(struct device *dev);
 void ipmi_si_remove_by_data(int addr_space, enum si_type si_type,
 			    unsigned long addr);
-int ipmi_si_hardcode_find_bmc(void);
+void ipmi_hardcode_init(void);
+void ipmi_si_hardcode_exit(void);
+int ipmi_si_hardcode_match(int addr_type, unsigned long addr);
 void ipmi_si_platform_init(void);
 void ipmi_si_platform_shutdown(void);
 
--- a/drivers/char/ipmi/ipmi_si_hardcode.c
+++ b/drivers/char/ipmi/ipmi_si_hardcode.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 
 #include <linux/moduleparam.h>
+#include <linux/platform_device.h>
 #include "ipmi_si.h"
 
 #define PFX "ipmi_hardcode: "
@@ -11,23 +12,22 @@
 
 #define SI_MAX_PARMS 4
 
-static char          *si_type[SI_MAX_PARMS];
 #define MAX_SI_TYPE_STR 30
-static char          si_type_str[MAX_SI_TYPE_STR];
+static char          si_type_str[MAX_SI_TYPE_STR] __initdata;
 static unsigned long addrs[SI_MAX_PARMS];
 static unsigned int num_addrs;
 static unsigned int  ports[SI_MAX_PARMS];
 static unsigned int num_ports;
-static int           irqs[SI_MAX_PARMS];
-static unsigned int num_irqs;
-static int           regspacings[SI_MAX_PARMS];
-static unsigned int num_regspacings;
-static int           regsizes[SI_MAX_PARMS];
-static unsigned int num_regsizes;
-static int           regshifts[SI_MAX_PARMS];
-static unsigned int num_regshifts;
-static int slave_addrs[SI_MAX_PARMS]; /* Leaving 0 chooses the default value */
-static unsigned int num_slave_addrs;
+static int           irqs[SI_MAX_PARMS] __initdata;
+static unsigned int num_irqs __initdata;
+static int           regspacings[SI_MAX_PARMS] __initdata;
+static unsigned int num_regspacings __initdata;
+static int           regsizes[SI_MAX_PARMS] __initdata;
+static unsigned int num_regsizes __initdata;
+static int           regshifts[SI_MAX_PARMS] __initdata;
+static unsigned int num_regshifts __initdata;
+static int slave_addrs[SI_MAX_PARMS] __initdata;
+static unsigned int num_slave_addrs __initdata;
 
 module_param_string(type, si_type_str, MAX_SI_TYPE_STR, 0);
 MODULE_PARM_DESC(type, "Defines the type of each interface, each"
@@ -72,12 +72,133 @@ MODULE_PARM_DESC(slave_addrs, "Set the d
 		 " overridden by this parm.  This is an array indexed"
 		 " by interface number.");
 
-int ipmi_si_hardcode_find_bmc(void)
+static struct platform_device *ipmi_hc_pdevs[SI_MAX_PARMS];
+
+static void __init ipmi_hardcode_init_one(const char *si_type_str,
+					  unsigned int i,
+					  unsigned long addr,
+					  unsigned int flags)
+{
+	struct platform_device *pdev;
+	unsigned int num_r = 1, size;
+	struct resource r[4];
+	struct property_entry p[6];
+	enum si_type si_type;
+	unsigned int regspacing, regsize;
+	int rv;
+
+	memset(p, 0, sizeof(p));
+	memset(r, 0, sizeof(r));
+
+	if (!si_type_str || !*si_type_str || strcmp(si_type_str, "kcs") == 0) {
+		size = 2;
+		si_type = SI_KCS;
+	} else if (strcmp(si_type_str, "smic") == 0) {
+		size = 2;
+		si_type = SI_SMIC;
+	} else if (strcmp(si_type_str, "bt") == 0) {
+		size = 3;
+		si_type = SI_BT;
+	} else if (strcmp(si_type_str, "invalid") == 0) {
+		/*
+		 * Allow a firmware-specified interface to be
+		 * disabled.
+		 */
+		size = 1;
+		si_type = SI_TYPE_INVALID;
+	} else {
+		pr_warn("Interface type specified for interface %d, was invalid: %s\n",
+			i, si_type_str);
+		return;
+	}
+
+	regsize = regsizes[i];
+	if (regsize == 0)
+		regsize = DEFAULT_REGSIZE;
+
+	p[0] = PROPERTY_ENTRY_U8("ipmi-type", si_type);
+	p[1] = PROPERTY_ENTRY_U8("slave-addr", slave_addrs[i]);
+	p[2] = PROPERTY_ENTRY_U8("addr-source", SI_HARDCODED);
+	p[3] = PROPERTY_ENTRY_U8("reg-shift", regshifts[i]);
+	p[4] = PROPERTY_ENTRY_U8("reg-size", regsize);
+	/* Last entry must be left NULL to terminate it. */
+
+	/*
+	 * Register spacing is derived from the resources in
+	 * the IPMI platform code.
+	 */
+	regspacing = regspacings[i];
+	if (regspacing == 0)
+		regspacing = regsize;
+
+	r[0].start = addr;
+	r[0].end = r[0].start + regsize - 1;
+	r[0].name = "IPMI Address 1";
+	r[0].flags = flags;
+
+	if (size > 1) {
+		r[1].start = r[0].start + regspacing;
+		r[1].end = r[1].start + regsize - 1;
+		r[1].name = "IPMI Address 2";
+		r[1].flags = flags;
+		num_r++;
+	}
+
+	if (size > 2) {
+		r[2].start = r[1].start + regspacing;
+		r[2].end = r[2].start + regsize - 1;
+		r[2].name = "IPMI Address 3";
+		r[2].flags = flags;
+		num_r++;
+	}
+
+	if (irqs[i]) {
+		r[num_r].start = irqs[i];
+		r[num_r].end = irqs[i];
+		r[num_r].name = "IPMI IRQ";
+		r[num_r].flags = IORESOURCE_IRQ;
+		num_r++;
+	}
+
+	pdev = platform_device_alloc("hardcode-ipmi-si", i);
+	if (!pdev) {
+		pr_err("Error allocating IPMI platform device %d\n", i);
+		return;
+	}
+
+	rv = platform_device_add_resources(pdev, r, num_r);
+	if (rv) {
+		dev_err(&pdev->dev,
+			"Unable to add hard-code resources: %d\n", rv);
+		goto err;
+	}
+
+	rv = platform_device_add_properties(pdev, p);
+	if (rv) {
+		dev_err(&pdev->dev,
+			"Unable to add hard-code properties: %d\n", rv);
+		goto err;
+	}
+
+	rv = platform_device_add(pdev);
+	if (rv) {
+		dev_err(&pdev->dev,
+			"Unable to add hard-code device: %d\n", rv);
+		goto err;
+	}
+
+	ipmi_hc_pdevs[i] = pdev;
+	return;
+
+err:
+	platform_device_put(pdev);
+}
+
+void __init ipmi_hardcode_init(void)
 {
-	int ret = -ENODEV;
-	int             i;
-	struct si_sm_io io;
+	unsigned int i;
 	char *str;
+	char *si_type[SI_MAX_PARMS];
 
 	/* Parse out the si_type string into its components. */
 	str = si_type_str;
@@ -94,54 +215,45 @@ int ipmi_si_hardcode_find_bmc(void)
 		}
 	}
 
-	memset(&io, 0, sizeof(io));
 	for (i = 0; i < SI_MAX_PARMS; i++) {
-		if (!ports[i] && !addrs[i])
-			continue;
-
-		io.addr_source = SI_HARDCODED;
-		pr_info(PFX "probing via hardcoded address\n");
+		if (i < num_ports && ports[i])
+			ipmi_hardcode_init_one(si_type[i], i, ports[i],
+					       IORESOURCE_IO);
+		if (i < num_addrs && addrs[i])
+			ipmi_hardcode_init_one(si_type[i], i, addrs[i],
+					       IORESOURCE_MEM);
+	}
+}
 
-		if (!si_type[i] || strcmp(si_type[i], "kcs") == 0) {
-			io.si_type = SI_KCS;
-		} else if (strcmp(si_type[i], "smic") == 0) {
-			io.si_type = SI_SMIC;
-		} else if (strcmp(si_type[i], "bt") == 0) {
-			io.si_type = SI_BT;
-		} else {
-			pr_warn(PFX "Interface type specified for interface %d, was invalid: %s\n",
-				i, si_type[i]);
-			continue;
-		}
+void ipmi_si_hardcode_exit(void)
+{
+	unsigned int i;
 
-		if (ports[i]) {
-			/* An I/O port */
-			io.addr_data = ports[i];
-			io.addr_type = IPMI_IO_ADDR_SPACE;
-		} else if (addrs[i]) {
-			/* A memory port */
-			io.addr_data = addrs[i];
-			io.addr_type = IPMI_MEM_ADDR_SPACE;
-		} else {
-			pr_warn(PFX "Interface type specified for interface %d, but port and address were not set or set to zero.\n",
-				i);
-			continue;
-		}
+	for (i = 0; i < SI_MAX_PARMS; i++) {
+		if (ipmi_hc_pdevs[i])
+			platform_device_unregister(ipmi_hc_pdevs[i]);
+	}
+}
 
-		io.addr = NULL;
-		io.regspacing = regspacings[i];
-		if (!io.regspacing)
-			io.regspacing = DEFAULT_REGSPACING;
-		io.regsize = regsizes[i];
-		if (!io.regsize)
-			io.regsize = DEFAULT_REGSIZE;
-		io.regshift = regshifts[i];
-		io.irq = irqs[i];
-		if (io.irq)
-			io.irq_setup = ipmi_std_irq_setup;
-		io.slave_addr = slave_addrs[i];
+/*
+ * Returns true of the given address exists as a hardcoded address,
+ * false if not.
+ */
+int ipmi_si_hardcode_match(int addr_type, unsigned long addr)
+{
+	unsigned int i;
 
-		ret = ipmi_si_add_smi(&io);
+	if (addr_type == IPMI_IO_ADDR_SPACE) {
+		for (i = 0; i < num_ports; i++) {
+			if (ports[i] == addr)
+				return 1;
+		}
+	} else {
+		for (i = 0; i < num_addrs; i++) {
+			if (addrs[i] == addr)
+				return 1;
+		}
 	}
-	return ret;
+
+	return 0;
 }
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -1862,6 +1862,18 @@ int ipmi_si_add_smi(struct si_sm_io *io)
 	int rv = 0;
 	struct smi_info *new_smi, *dup;
 
+	/*
+	 * If the user gave us a hard-coded device at the same
+	 * address, they presumably want us to use it and not what is
+	 * in the firmware.
+	 */
+	if (io->addr_source != SI_HARDCODED &&
+	    ipmi_si_hardcode_match(io->addr_type, io->addr_data)) {
+		dev_info(io->dev,
+			 "Hard-coded device at this address already exists");
+		return -ENODEV;
+	}
+
 	if (!io->io_setup) {
 		if (io->addr_type == IPMI_IO_ADDR_SPACE) {
 			io->io_setup = ipmi_si_port_setup;
@@ -2094,7 +2106,7 @@ static int try_smi_init(struct smi_info
 	return rv;
 }
 
-static int init_ipmi_si(void)
+static int __init init_ipmi_si(void)
 {
 	struct smi_info *e;
 	enum ipmi_addr_src type = SI_INVALID;
@@ -2102,12 +2114,9 @@ static int init_ipmi_si(void)
 	if (initialized)
 		return 0;
 
+	ipmi_hardcode_init();
 	pr_info("IPMI System Interface driver.\n");
 
-	/* If the user gave us a device, they presumably want us to use it */
-	if (!ipmi_si_hardcode_find_bmc())
-		goto do_scan;
-
 	ipmi_si_platform_init();
 
 	ipmi_si_pci_init();
@@ -2118,7 +2127,6 @@ static int init_ipmi_si(void)
 	   with multiple BMCs we assume that there will be several instances
 	   of a given type so if we succeed in registering a type then also
 	   try to register everything else of the same type */
-do_scan:
 	mutex_lock(&smi_infos_lock);
 	list_for_each_entry(e, &smi_infos, link) {
 		/* Try to register a device if it has an IRQ and we either
@@ -2304,6 +2312,8 @@ static void cleanup_ipmi_si(void)
 	list_for_each_entry_safe(e, tmp_e, &smi_infos, link)
 		cleanup_one_si(e);
 	mutex_unlock(&smi_infos_lock);
+
+	ipmi_si_hardcode_exit();
 }
 module_exit(cleanup_ipmi_si);
 
--- a/drivers/char/ipmi/ipmi_si_platform.c
+++ b/drivers/char/ipmi/ipmi_si_platform.c
@@ -126,8 +126,6 @@ ipmi_get_info_from_resources(struct plat
 		if (res_second->start > io->addr_data)
 			io->regspacing = res_second->start - io->addr_data;
 	}
-	io->regsize = DEFAULT_REGSIZE;
-	io->regshift = 0;
 
 	return res;
 }
@@ -135,7 +133,7 @@ ipmi_get_info_from_resources(struct plat
 static int platform_ipmi_probe(struct platform_device *pdev)
 {
 	struct si_sm_io io;
-	u8 type, slave_addr, addr_source;
+	u8 type, slave_addr, addr_source, regsize, regshift;
 	int rv;
 
 	rv = device_property_read_u8(&pdev->dev, "addr-source", &addr_source);
@@ -147,7 +145,7 @@ static int platform_ipmi_probe(struct pl
 	if (addr_source == SI_SMBIOS) {
 		if (!si_trydmi)
 			return -ENODEV;
-	} else {
+	} else if (addr_source != SI_HARDCODED) {
 		if (!si_tryplatform)
 			return -ENODEV;
 	}
@@ -167,11 +165,23 @@ static int platform_ipmi_probe(struct pl
 	case SI_BT:
 		io.si_type = type;
 		break;
+	case SI_TYPE_INVALID: /* User disabled this in hardcode. */
+		return -ENODEV;
 	default:
 		dev_err(&pdev->dev, "ipmi-type property is invalid\n");
 		return -EINVAL;
 	}
 
+	io.regsize = DEFAULT_REGSIZE;
+	rv = device_property_read_u8(&pdev->dev, "reg-size", &regsize);
+	if (!rv)
+		io.regsize = regsize;
+
+	io.regshift = 0;
+	rv = device_property_read_u8(&pdev->dev, "reg-shift", &regshift);
+	if (!rv)
+		io.regshift = regshift;
+
 	if (!ipmi_get_info_from_resources(pdev, &io))
 		return -EINVAL;
 
@@ -191,7 +201,8 @@ static int platform_ipmi_probe(struct pl
 
 	io.dev = &pdev->dev;
 
-	pr_info("ipmi_si: SMBIOS: %s %#lx regsize %d spacing %d irq %d\n",
+	pr_info("ipmi_si: %s: %s %#lx regsize %d spacing %d irq %d\n",
+		ipmi_addr_src_to_str(addr_source),
 		(io.addr_type == IPMI_IO_ADDR_SPACE) ? "io" : "mem",
 		io.addr_data, io.regsize, io.regspacing, io.irq);
 
@@ -356,6 +367,9 @@ static int acpi_ipmi_probe(struct platfo
 		goto err_free;
 	}
 
+	io.regsize = DEFAULT_REGSIZE;
+	io.regshift = 0;
+
 	res = ipmi_get_info_from_resources(pdev, &io);
 	if (!res) {
 		rv = -EINVAL;
@@ -417,6 +431,11 @@ static int ipmi_remove(struct platform_d
 	return ipmi_si_remove_by_dev(&pdev->dev);
 }
 
+static const struct platform_device_id si_plat_ids[] = {
+    { "hardcode-ipmi-si", 0 },
+    { }
+};
+
 struct platform_driver ipmi_platform_driver = {
 	.driver = {
 		.name = DEVICE_NAME,
@@ -425,6 +444,7 @@ struct platform_driver ipmi_platform_dri
 	},
 	.probe		= ipmi_probe,
 	.remove		= ipmi_remove,
+	.id_table       = si_plat_ids
 };
 
 void ipmi_si_platform_init(void)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 004/134] dccp: do not use ipv6 header for ipv4 flow
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 003/134] ipmi_si: Fix crash when using hard-coded device Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 005/134] genetlink: Fix a memory leak on error path Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit e0aa67709f89d08c8d8e5bdd9e0b649df61d0090 ]

When a dual stack dccp listener accepts an ipv4 flow,
it should not attempt to use an ipv6 header or
inet6_iif() helper.

Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/dccp/ipv6.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -433,8 +433,8 @@ static struct sock *dccp_v6_request_recv
 		newnp->ipv6_mc_list = NULL;
 		newnp->ipv6_ac_list = NULL;
 		newnp->ipv6_fl_list = NULL;
-		newnp->mcast_oif   = inet6_iif(skb);
-		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
+		newnp->mcast_oif   = inet_iif(skb);
+		newnp->mcast_hops  = ip_hdr(skb)->ttl;
 
 		/*
 		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 005/134] genetlink: Fix a memory leak on error path
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 004/134] dccp: do not use ipv6 header for ipv4 flow Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 006/134] gtp: change NET_UDP_TUNNEL dependency to select Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing, Kirill Tkhai,
	David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit ceabee6c59943bdd5e1da1a6a20dc7ee5f8113a2 ]

In genl_register_family(), when idr_alloc() fails,
we forget to free the memory we possibly allocate for
family->attrbuf.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 2ae0f17df1cd ("genetlink: use idr to track families")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netlink/genetlink.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -366,7 +366,7 @@ int genl_register_family(struct genl_fam
 			       start, end + 1, GFP_KERNEL);
 	if (family->id < 0) {
 		err = family->id;
-		goto errout_locked;
+		goto errout_free;
 	}
 
 	err = genl_validate_assign_mc_groups(family);
@@ -385,6 +385,7 @@ int genl_register_family(struct genl_fam
 
 errout_remove:
 	idr_remove(&genl_fam_idr, family->id);
+errout_free:
 	kfree(family->attrbuf);
 errout_locked:
 	genl_unlock_all();



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 006/134] gtp: change NET_UDP_TUNNEL dependency to select
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 005/134] genetlink: Fix a memory leak on error path Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 007/134] ipv6: make ip6_create_rt_rcu return ip6_null_entry instead of NULL Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Matteo Croce, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matteo Croce <mcroce@redhat.com>

[ Upstream commit c22da36688d6298f2e546dcc43fdc1ad35036467 ]

Similarly to commit a7603ac1fc8c ("geneve: change NET_UDP_TUNNEL
dependency to select"), GTP has a dependency on NET_UDP_TUNNEL which
makes impossible to compile it if no other protocol depending on
NET_UDP_TUNNEL is selected.

Fix this by changing the depends to a select, and drop NET_IP_TUNNEL from
the select list, as it already depends on NET_UDP_TUNNEL.

Signed-off-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/Kconfig |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -213,8 +213,8 @@ config GENEVE
 
 config GTP
 	tristate "GPRS Tunneling Protocol datapath (GTP-U)"
-	depends on INET && NET_UDP_TUNNEL
-	select NET_IP_TUNNEL
+	depends on INET
+	select NET_UDP_TUNNEL
 	---help---
 	  This allows one to create gtp virtual interfaces that provide
 	  the GPRS Tunneling Protocol datapath (GTP-U). This tunneling protocol



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 007/134] ipv6: make ip6_create_rt_rcu return ip6_null_entry instead of NULL
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 006/134] gtp: change NET_UDP_TUNNEL dependency to select Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 008/134] mac8390: Fix mmio access size probe Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jianlin Shi, Paolo Abeni, Xin Long,
	David Ahern, Wei Wang, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 1c87e79a002f6a159396138cd3f3ab554a2a8887 ]

Jianlin reported a crash:

  [  381.484332] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
  [  381.619802] RIP: 0010:fib6_rule_lookup+0xa3/0x160
  [  382.009615] Call Trace:
  [  382.020762]  <IRQ>
  [  382.030174]  ip6_route_redirect.isra.52+0xc9/0xf0
  [  382.050984]  ip6_redirect+0xb6/0xf0
  [  382.066731]  icmpv6_notify+0xca/0x190
  [  382.083185]  ndisc_redirect_rcv+0x10f/0x160
  [  382.102569]  ndisc_rcv+0xfb/0x100
  [  382.117725]  icmpv6_rcv+0x3f2/0x520
  [  382.133637]  ip6_input_finish+0xbf/0x460
  [  382.151634]  ip6_input+0x3b/0xb0
  [  382.166097]  ipv6_rcv+0x378/0x4e0

It was caused by the lookup function __ip6_route_redirect() returns NULL in
fib6_rule_lookup() when ip6_create_rt_rcu() returns NULL.

So we fix it by simply making ip6_create_rt_rcu() return ip6_null_entry
instead of NULL.

v1->v2:
  - move down 'fallback:' to make it more readable.

Fixes: e873e4b9cc7e ("ipv6: use fib6_info_hold_safe() when necessary")
Reported-by: Jianlin Shi <jishi@redhat.com>
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Acked-by: Wei Wang <weiwan@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/route.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1048,14 +1048,20 @@ static struct rt6_info *ip6_create_rt_rc
 	struct rt6_info *nrt;
 
 	if (!fib6_info_hold_safe(rt))
-		return NULL;
+		goto fallback;
 
 	nrt = ip6_dst_alloc(dev_net(dev), dev, flags);
-	if (nrt)
-		ip6_rt_copy_init(nrt, rt);
-	else
+	if (!nrt) {
 		fib6_info_release(rt);
+		goto fallback;
+	}
+
+	ip6_rt_copy_init(nrt, rt);
+	return nrt;
 
+fallback:
+	nrt = dev_net(dev)->ipv6.ip6_null_entry;
+	dst_hold(&nrt->dst);
 	return nrt;
 }
 
@@ -1104,10 +1110,6 @@ restart:
 		dst_hold(&rt->dst);
 	} else {
 		rt = ip6_create_rt_rcu(f6i);
-		if (!rt) {
-			rt = net->ipv6.ip6_null_entry;
-			dst_hold(&rt->dst);
-		}
 	}
 
 	rcu_read_unlock();



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 008/134] mac8390: Fix mmio access size probe
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 007/134] ipv6: make ip6_create_rt_rcu return ip6_null_entry instead of NULL Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 009/134] mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Finn Thain, David S. Miller, Stan Johnson

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

[ Upstream commit bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb ]

The bug that Stan reported is as follows. After a restart, a 16-bit NIC
may be incorrectly identified as a 32-bit NIC and stop working.

mac8390 slot.E: Memory length resource not found, probing
mac8390 slot.E: Farallon EtherMac II-C (type farallon)
mac8390 slot.E: MAC 00:00:c5:30:c2:99, IRQ 61, 32 KB shared memory at 0xfeed0000, 32-bit access.

The bug never arises after a cold start and only intermittently after a
warm start. (I didn't investigate why the bug is intermittent.)

It turns out that memcpy_toio() is deprecated and memcmp_withio() also
has issues. Replacing these calls with mmio accessors fixes the problem.

Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
Fixes: 2964db0f5904 ("m68k: Mac DP8390 update")
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/8390/mac8390.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/8390/mac8390.c
+++ b/drivers/net/ethernet/8390/mac8390.c
@@ -153,8 +153,6 @@ static void dayna_block_input(struct net
 static void dayna_block_output(struct net_device *dev, int count,
 			       const unsigned char *buf, int start_page);
 
-#define memcmp_withio(a, b, c)	memcmp((a), (void *)(b), (c))
-
 /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */
 static void slow_sane_get_8390_hdr(struct net_device *dev,
 				   struct e8390_pkt_hdr *hdr, int ring_page);
@@ -233,19 +231,26 @@ static enum mac8390_type mac8390_ident(s
 
 static enum mac8390_access mac8390_testio(unsigned long membase)
 {
-	unsigned long outdata = 0xA5A0B5B0;
-	unsigned long indata =  0x00000000;
+	u32 outdata = 0xA5A0B5B0;
+	u32 indata = 0;
+
 	/* Try writing 32 bits */
-	memcpy_toio((void __iomem *)membase, &outdata, 4);
-	/* Now compare them */
-	if (memcmp_withio(&outdata, membase, 4) == 0)
+	nubus_writel(outdata, membase);
+	/* Now read it back */
+	indata = nubus_readl(membase);
+	if (outdata == indata)
 		return ACCESS_32;
+
+	outdata = 0xC5C0D5D0;
+	indata = 0;
+
 	/* Write 16 bit output */
 	word_memcpy_tocard(membase, &outdata, 4);
 	/* Now read it back */
 	word_memcpy_fromcard(&indata, membase, 4);
 	if (outdata == indata)
 		return ACCESS_16;
+
 	return ACCESS_UNKNOWN;
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 009/134] mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 008/134] mac8390: Fix mmio access size probe Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 010/134] net: aquantia: fix rx checksum offload for UDP/TCP over IPv6 Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bjorn Helgaas, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <bhelgaas@google.com>

[ Upstream commit fae846e2b7124d4b076ef17791c73addf3b26350 ]

The device ID alone does not uniquely identify a device.  Test both the
vendor and device ID to make sure we don't mistakenly think some other
vendor's 0xB410 device is a Digium HFC4S.  Also, instead of the bare hex
ID, use the same constant (PCI_DEVICE_ID_DIGIUM_HFC4S) used in the device
ID table.

No functional change intended.

Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/isdn/hardware/mISDN/hfcmulti.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
+++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
@@ -4365,7 +4365,8 @@ setup_pci(struct hfc_multi *hc, struct p
 	if (m->clock2)
 		test_and_set_bit(HFC_CHIP_CLOCK2, &hc->chip);
 
-	if (ent->device == 0xB410) {
+	if (ent->vendor == PCI_VENDOR_ID_DIGIUM &&
+	    ent->device == PCI_DEVICE_ID_DIGIUM_HFC4S) {
 		test_and_set_bit(HFC_CHIP_B410P, &hc->chip);
 		test_and_set_bit(HFC_CHIP_PCM_MASTER, &hc->chip);
 		test_and_clear_bit(HFC_CHIP_PCM_SLAVE, &hc->chip);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 010/134] net: aquantia: fix rx checksum offload for UDP/TCP over IPv6
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 009/134] mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 011/134] net: datagram: fix unbounded loop in __skb_try_recv_datagram() Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Igor Russkikh, Nikita Danilov,
	Dmitry Bogdanov, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>

[ Upstream commit a7faaa0c5dc7d091cc9f72b870d7edcdd6f43f12 ]

TCP/UDP checksum validity was propagated to skb
only if IP checksum is valid.
But for IPv6 there is no validity as there is no checksum in IPv6.
This patch propagates TCP/UDP checksum validity regardless of IP checksum.

Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: Nikita Danilov <nikita.danilov@aquantia.com>
Signed-off-by: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/aquantia/atlantic/aq_ring.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -186,11 +186,12 @@ static void aq_rx_checksum(struct aq_rin
 	}
 	if (buff->is_ip_cso) {
 		__skb_incr_checksum_unnecessary(skb);
-		if (buff->is_udp_cso || buff->is_tcp_cso)
-			__skb_incr_checksum_unnecessary(skb);
 	} else {
 		skb->ip_summed = CHECKSUM_NONE;
 	}
+
+	if (buff->is_udp_cso || buff->is_tcp_cso)
+		__skb_incr_checksum_unnecessary(skb);
 }
 
 #define AQ_SKB_ALIGN SKB_DATA_ALIGN(sizeof(struct skb_shared_info))



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 011/134] net: datagram: fix unbounded loop in __skb_try_recv_datagram()
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 010/134] net: aquantia: fix rx checksum offload for UDP/TCP over IPv6 Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 012/134] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paolo Abeni, David S. Miller,
	Christoph Paasch

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 0b91bce1ebfc797ff3de60c8f4a1e6219a8a3187 ]

Christoph reported a stall while peeking datagram with an offset when
busy polling is enabled. __skb_try_recv_datagram() uses as the loop
termination condition 'queue empty'. When peeking, the socket
queue can be not empty, even when no additional packets are received.

Address the issue explicitly checking for receive queue changes,
as currently done by __skb_wait_for_more_packets().

Fixes: 2b5cd0dfa384 ("net: Change return type of sk_busy_loop from bool to void")
Reported-and-tested-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/datagram.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -279,7 +279,7 @@ struct sk_buff *__skb_try_recv_datagram(
 			break;
 
 		sk_busy_loop(sk, flags & MSG_DONTWAIT);
-	} while (!skb_queue_empty(&sk->sk_receive_queue));
+	} while (sk->sk_receive_queue.prev != *last);
 
 	error = -EAGAIN;
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 012/134] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 011/134] net: datagram: fix unbounded loop in __skb_try_recv_datagram() Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 013/134] net: phy: meson-gxl: fix interrupt support Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kal Conley, Andrey Konovalov,
	Christoph Paasch, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Paasch <cpaasch@apple.com>

[ Upstream commit 398f0132c14754fcd03c1c4f8e7176d001ce8ea1 ]

Since commit fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check")
one can now allocate packet ring buffers >= UINT_MAX. However, syzkaller
found that that triggers a warning:

[   21.100000] WARNING: CPU: 2 PID: 2075 at mm/page_alloc.c:4584 __alloc_pages_nod0
[   21.101490] Modules linked in:
[   21.101921] CPU: 2 PID: 2075 Comm: syz-executor.0 Not tainted 5.0.0 #146
[   21.102784] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[   21.103887] RIP: 0010:__alloc_pages_nodemask+0x2a0/0x630
[   21.104640] Code: fe ff ff 65 48 8b 04 25 c0 de 01 00 48 05 90 0f 00 00 41 bd 01 00 00 00 48 89 44 24 48 e9 9c fe 3
[   21.107121] RSP: 0018:ffff88805e1cf920 EFLAGS: 00010246
[   21.107819] RAX: 0000000000000000 RBX: ffffffff85a488a0 RCX: 0000000000000000
[   21.108753] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000
[   21.109699] RBP: 1ffff1100bc39f28 R08: ffffed100bcefb67 R09: ffffed100bcefb67
[   21.110646] R10: 0000000000000001 R11: ffffed100bcefb66 R12: 000000000000000d
[   21.111623] R13: 0000000000000000 R14: ffff88805e77d888 R15: 000000000000000d
[   21.112552] FS:  00007f7c7de05700(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000
[   21.113612] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   21.114405] CR2: 000000000065c000 CR3: 000000005e58e006 CR4: 00000000001606e0
[   21.115367] Call Trace:
[   21.115705]  ? __alloc_pages_slowpath+0x21c0/0x21c0
[   21.116362]  alloc_pages_current+0xac/0x1e0
[   21.116923]  kmalloc_order+0x18/0x70
[   21.117393]  kmalloc_order_trace+0x18/0x110
[   21.117949]  packet_set_ring+0x9d5/0x1770
[   21.118524]  ? packet_rcv_spkt+0x440/0x440
[   21.119094]  ? lock_downgrade+0x620/0x620
[   21.119646]  ? __might_fault+0x177/0x1b0
[   21.120177]  packet_setsockopt+0x981/0x2940
[   21.120753]  ? __fget+0x2fb/0x4b0
[   21.121209]  ? packet_release+0xab0/0xab0
[   21.121740]  ? sock_has_perm+0x1cd/0x260
[   21.122297]  ? selinux_secmark_relabel_packet+0xd0/0xd0
[   21.123013]  ? __fget+0x324/0x4b0
[   21.123451]  ? selinux_netlbl_socket_setsockopt+0x101/0x320
[   21.124186]  ? selinux_netlbl_sock_rcv_skb+0x3a0/0x3a0
[   21.124908]  ? __lock_acquire+0x529/0x3200
[   21.125453]  ? selinux_socket_setsockopt+0x5d/0x70
[   21.126075]  ? __sys_setsockopt+0x131/0x210
[   21.126533]  ? packet_release+0xab0/0xab0
[   21.127004]  __sys_setsockopt+0x131/0x210
[   21.127449]  ? kernel_accept+0x2f0/0x2f0
[   21.127911]  ? ret_from_fork+0x8/0x50
[   21.128313]  ? do_raw_spin_lock+0x11b/0x280
[   21.128800]  __x64_sys_setsockopt+0xba/0x150
[   21.129271]  ? lockdep_hardirqs_on+0x37f/0x560
[   21.129769]  do_syscall_64+0x9f/0x450
[   21.130182]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

We should allocate with __GFP_NOWARN to handle this.

Cc: Kal Conley <kal.conley@dectris.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Fixes: fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/packet/af_packet.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4194,7 +4194,7 @@ static struct pgv *alloc_pg_vec(struct t
 	struct pgv *pg_vec;
 	int i;
 
-	pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL);
+	pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN);
 	if (unlikely(!pg_vec))
 		goto out;
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 013/134] net: phy: meson-gxl: fix interrupt support
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 012/134] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 014/134] net: rose: fix a possible stack overflow Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jerome Brunet, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jerome Brunet <jbrunet@baylibre.com>

[ Upstream commit daa5c4d0167a308306525fd5ab9a5e18e21f4f74 ]

If an interrupt is already pending when the interrupt is enabled on the
GXL phy, no IRQ will ever be triggered.

The fix is simply to make sure pending IRQs are cleared before setting
up the irq mask.

Fixes: cf127ff20af1 ("net: phy: meson-gxl: add interrupt support")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/meson-gxl.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/phy/meson-gxl.c
+++ b/drivers/net/phy/meson-gxl.c
@@ -211,6 +211,7 @@ static int meson_gxl_ack_interrupt(struc
 static int meson_gxl_config_intr(struct phy_device *phydev)
 {
 	u16 val;
+	int ret;
 
 	if (phydev->interrupts == PHY_INTERRUPT_ENABLED) {
 		val = INTSRC_ANEG_PR
@@ -223,6 +224,11 @@ static int meson_gxl_config_intr(struct
 		val = 0;
 	}
 
+	/* Ack any pending IRQ */
+	ret = meson_gxl_ack_interrupt(phydev);
+	if (ret)
+		return ret;
+
 	return phy_write(phydev, INTSRC_MASK, val);
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 014/134] net: rose: fix a possible stack overflow
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 013/134] net: phy: meson-gxl: fix interrupt support Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 015/134] net: stmmac: fix memory corruption with large MTUs Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit e5dcc0c3223c45c94100f05f28d8ef814db3d82c ]

rose_write_internal() uses a temp buffer of 100 bytes, but a manual
inspection showed that given arbitrary input, rose_create_facilities()
can fill up to 110 bytes.

Lets use a tailroom of 256 bytes for peace of mind, and remove
the bounce buffer : we can simply allocate a big enough skb
and adjust its length as needed.

syzbot report :

BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:352 [inline]
BUG: KASAN: stack-out-of-bounds in rose_create_facilities net/rose/rose_subr.c:521 [inline]
BUG: KASAN: stack-out-of-bounds in rose_write_internal+0x597/0x15d0 net/rose/rose_subr.c:116
Write of size 7 at addr ffff88808b1ffbef by task syz-executor.0/24854

CPU: 0 PID: 24854 Comm: syz-executor.0 Not tainted 5.0.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 memcpy+0x38/0x50 mm/kasan/common.c:131
 memcpy include/linux/string.h:352 [inline]
 rose_create_facilities net/rose/rose_subr.c:521 [inline]
 rose_write_internal+0x597/0x15d0 net/rose/rose_subr.c:116
 rose_connect+0x7cb/0x1510 net/rose/af_rose.c:826
 __sys_connect+0x266/0x330 net/socket.c:1685
 __do_sys_connect net/socket.c:1696 [inline]
 __se_sys_connect net/socket.c:1693 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1693
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458079
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f47b8d9dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458079
RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f47b8d9e6d4
R13: 00000000004be4a4 R14: 00000000004ceca8 R15: 00000000ffffffff

The buggy address belongs to the page:
page:ffffea00022c7fc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff022c0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808b1ffa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808b1ffb00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 03
>ffff88808b1ffb80: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 04 f3
                                                             ^
 ffff88808b1ffc00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808b1ffc80: 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 01

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rose/rose_subr.c |   21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

--- a/net/rose/rose_subr.c
+++ b/net/rose/rose_subr.c
@@ -105,16 +105,17 @@ void rose_write_internal(struct sock *sk
 	struct sk_buff *skb;
 	unsigned char  *dptr;
 	unsigned char  lci1, lci2;
-	char buffer[100];
-	int len, faclen = 0;
+	int maxfaclen = 0;
+	int len, faclen;
+	int reserve;
 
-	len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 1;
+	reserve = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1;
+	len = ROSE_MIN_LEN;
 
 	switch (frametype) {
 	case ROSE_CALL_REQUEST:
 		len   += 1 + ROSE_ADDR_LEN + ROSE_ADDR_LEN;
-		faclen = rose_create_facilities(buffer, rose);
-		len   += faclen;
+		maxfaclen = 256;
 		break;
 	case ROSE_CALL_ACCEPTED:
 	case ROSE_CLEAR_REQUEST:
@@ -123,15 +124,16 @@ void rose_write_internal(struct sock *sk
 		break;
 	}
 
-	if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
+	skb = alloc_skb(reserve + len + maxfaclen, GFP_ATOMIC);
+	if (!skb)
 		return;
 
 	/*
 	 *	Space for AX.25 header and PID.
 	 */
-	skb_reserve(skb, AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1);
+	skb_reserve(skb, reserve);
 
-	dptr = skb_put(skb, skb_tailroom(skb));
+	dptr = skb_put(skb, len);
 
 	lci1 = (rose->lci >> 8) & 0x0F;
 	lci2 = (rose->lci >> 0) & 0xFF;
@@ -146,7 +148,8 @@ void rose_write_internal(struct sock *sk
 		dptr   += ROSE_ADDR_LEN;
 		memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);
 		dptr   += ROSE_ADDR_LEN;
-		memcpy(dptr, buffer, faclen);
+		faclen = rose_create_facilities(dptr, rose);
+		skb_put(skb, faclen);
 		dptr   += faclen;
 		break;
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 015/134] net: stmmac: fix memory corruption with large MTUs
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 014/134] net: rose: fix a possible stack overflow Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 016/134] net-sysfs: call dev_hold if kobject_init_and_add success Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Jose Abreu, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@nokia.com>

[ Upstream commit 223a960c01227e4dbcb6f9fa06b47d73bda21274 ]

When using 16K DMA buffers and ring mode, the DES3 refill is not working
correctly as the function is using a bogus pointer for checking the
private data. As a result stale pointers will remain in the RX descriptor
ring, so DMA will now likely overwrite/corrupt some already freed memory.

As simple reproducer, just receive some UDP traffic:

	# ifconfig eth0 down; ifconfig eth0 mtu 9000; ifconfig eth0 up
	# iperf3 -c 192.168.253.40 -u -b 0 -R

If you didn't crash by now check the RX descriptors to find non-contiguous
RX buffers:

	cat /sys/kernel/debug/stmmaceth/eth0/descriptors_status
	[...]
	1 [0x2be5020]: 0xa3220321 0x9ffc1ffc 0x72d70082 0x130e207e
					     ^^^^^^^^^^^^^^^^^^^^^
	2 [0x2be5040]: 0xa3220321 0x9ffc1ffc 0x72998082 0x1311a07e
					     ^^^^^^^^^^^^^^^^^^^^^

A simple ping test will now report bad data:

	# ping -s 8200 192.168.253.40
	PING 192.168.253.40 (192.168.253.40) 8200(8228) bytes of data.
	8208 bytes from 192.168.253.40: icmp_seq=1 ttl=64 time=1.00 ms
	wrong data byte #8144 should be 0xd0 but was 0x88

Fix the wrong pointer. Also we must refill DES3 only if the DMA buffer
size is 16K.

Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx")
Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
Acked-by: Jose Abreu <joabreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
@@ -111,10 +111,11 @@ static unsigned int is_jumbo_frm(int len
 
 static void refill_desc3(void *priv_ptr, struct dma_desc *p)
 {
-	struct stmmac_priv *priv = (struct stmmac_priv *)priv_ptr;
+	struct stmmac_rx_queue *rx_q = priv_ptr;
+	struct stmmac_priv *priv = rx_q->priv_data;
 
 	/* Fill DES3 in case of RING mode */
-	if (priv->dma_buf_sz >= BUF_SIZE_8KiB)
+	if (priv->dma_buf_sz == BUF_SIZE_16KiB)
 		p->des3 = cpu_to_le32(le32_to_cpu(p->des2) + BUF_SIZE_8KiB);
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 016/134] net-sysfs: call dev_hold if kobject_init_and_add success
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 015/134] net: stmmac: fix memory corruption with large MTUs Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 017/134] packets: Always register packet sk in the same order Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e ]

In netdev_queue_add_kobject and rx_queue_add_kobject,
if sysfs_create_group failed, kobject_put will call
netdev_queue_release to decrease dev refcont, however
dev_hold has not be called. So we will see this while
unregistering dev:

unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/net-sysfs.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -934,6 +934,8 @@ static int rx_queue_add_kobject(struct n
 	if (error)
 		return error;
 
+	dev_hold(queue->dev);
+
 	if (dev->sysfs_rx_queue_group) {
 		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
 		if (error) {
@@ -943,7 +945,6 @@ static int rx_queue_add_kobject(struct n
 	}
 
 	kobject_uevent(kobj, KOBJ_ADD);
-	dev_hold(queue->dev);
 
 	return error;
 }
@@ -1472,6 +1473,8 @@ static int netdev_queue_add_kobject(stru
 	if (error)
 		return error;
 
+	dev_hold(queue->dev);
+
 #ifdef CONFIG_BQL
 	error = sysfs_create_group(kobj, &dql_group);
 	if (error) {
@@ -1481,7 +1484,6 @@ static int netdev_queue_add_kobject(stru
 #endif
 
 	kobject_uevent(kobj, KOBJ_ADD);
-	dev_hold(queue->dev);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 017/134] packets: Always register packet sk in the same order
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 016/134] net-sysfs: call dev_hold if kobject_init_and_add success Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 018/134] rhashtable: Still do rehash when we get EEXIST Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Chevallier, Willem de Bruijn,
	David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Chevallier <maxime.chevallier@bootlin.com>

[ Upstream commit a4dc6a49156b1f8d6e17251ffda17c9e6a5db78a ]

When using fanouts with AF_PACKET, the demux functions such as
fanout_demux_cpu will return an index in the fanout socket array, which
corresponds to the selected socket.

The ordering of this array depends on the order the sockets were added
to a given fanout group, so for FANOUT_CPU this means sockets are bound
to cpus in the order they are configured, which is OK.

However, when stopping then restarting the interface these sockets are
bound to, the sockets are reassigned to the fanout group in the reverse
order, due to the fact that they were inserted at the head of the
interface's AF_PACKET socket list.

This means that traffic that was directed to the first socket in the
fanout group is now directed to the last one after an interface restart.

In the case of FANOUT_CPU, traffic from CPU0 will be directed to the
socket that used to receive traffic from the last CPU after an interface
restart.

This commit introduces a helper to add a socket at the tail of a list,
then uses it to register AF_PACKET sockets.

Note that this changes the order in which sockets are listed in /proc and
with sock_diag.

Fixes: dc99f600698d ("packet: Add fanout support")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/sock.h     |    6 ++++++
 net/packet/af_packet.c |    2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -710,6 +710,12 @@ static inline void sk_add_node_rcu(struc
 		hlist_add_head_rcu(&sk->sk_node, list);
 }
 
+static inline void sk_add_node_tail_rcu(struct sock *sk, struct hlist_head *list)
+{
+	sock_hold(sk);
+	hlist_add_tail_rcu(&sk->sk_node, list);
+}
+
 static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list)
 {
 	hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list);
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3245,7 +3245,7 @@ static int packet_create(struct net *net
 	}
 
 	mutex_lock(&net->packet.sklist_lock);
-	sk_add_node_rcu(sk, &net->packet.sklist);
+	sk_add_node_tail_rcu(sk, &net->packet.sklist);
 	mutex_unlock(&net->packet.sklist_lock);
 
 	preempt_disable();



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 018/134] rhashtable: Still do rehash when we get EEXIST
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 017/134] packets: Always register packet sk in the same order Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 019/134] sctp: get sctphdr by offset in sctp_compute_cksum Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josh Elsasser, Herbert Xu, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

[ Upstream commit 408f13ef358aa5ad56dc6230c2c7deb92cf462b1 ]

As it stands if a shrink is delayed because of an outstanding
rehash, we will go into a rescheduling loop without ever doing
the rehash.

This patch fixes this by still carrying out the rehash and then
rescheduling so that we can shrink after the completion of the
rehash should it still be necessary.

The return value of EEXIST captures this case and other cases
(e.g., another thread expanded/rehashed the table at the same
time) where we should still proceed with the rehash.

Fixes: da20420f83ea ("rhashtable: Add nested tables")
Reported-by: Josh Elsasser <jelsasser@appneta.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Josh Elsasser <jelsasser@appneta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/rhashtable.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/lib/rhashtable.c
+++ b/lib/rhashtable.c
@@ -416,8 +416,12 @@ static void rht_deferred_worker(struct w
 	else if (tbl->nest)
 		err = rhashtable_rehash_alloc(ht, tbl, tbl->size);
 
-	if (!err)
-		err = rhashtable_rehash_table(ht);
+	if (!err || err == -EEXIST) {
+		int nerr;
+
+		nerr = rhashtable_rehash_table(ht);
+		err = err ?: nerr;
+	}
 
 	mutex_unlock(&ht->mutex);
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 019/134] sctp: get sctphdr by offset in sctp_compute_cksum
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 018/134] rhashtable: Still do rehash when we get EEXIST Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 020/134] sctp: use memdup_user instead of vmemdup_user Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Li Shuang, Xin Long, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 273160ffc6b993c7c91627f5a84799c66dfe4dee ]

sctp_hdr(skb) only works when skb->transport_header is set properly.

But in Netfilter, skb->transport_header for ipv6 is not guaranteed
to be right value for sctphdr. It would cause to fail to check the
checksum for sctp packets.

So fix it by using offset, which is always right in all places.

v1->v2:
  - Fix the changelog.

Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code")
Reported-by: Li Shuang <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/sctp/checksum.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/sctp/checksum.h
+++ b/include/net/sctp/checksum.h
@@ -61,7 +61,7 @@ static inline __wsum sctp_csum_combine(_
 static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
 					unsigned int offset)
 {
-	struct sctphdr *sh = sctp_hdr(skb);
+	struct sctphdr *sh = (struct sctphdr *)(skb->data + offset);
 	const struct skb_checksum_ops ops = {
 		.update  = sctp_csum_update,
 		.combine = sctp_csum_combine,



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 020/134] sctp: use memdup_user instead of vmemdup_user
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 019/134] sctp: get sctphdr by offset in sctp_compute_cksum Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 021/134] tcp: do not use ipv6 header for ipv4 flow Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+ec1b7575afef85a0e5ca,
	Xin Long, Neil Horman, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit ef82bcfa671b9a635bab5fa669005663d8b177c5 ]

In sctp_setsockopt_bindx()/__sctp_setsockopt_connectx(), it allocates
memory with addrs_size which is passed from userspace. We used flag
GFP_USER to put some more restrictions on it in Commit cacc06215271
("sctp: use GFP_USER for user-controlled kmalloc").

However, since Commit c981f254cc82 ("sctp: use vmemdup_user() rather
than badly open-coding memdup_user()"), vmemdup_user() has been used,
which doesn't check GFP_USER flag when goes to vmalloc_*(). So when
addrs_size is a huge value, it could exhaust memory and even trigger
oom killer.

This patch is to use memdup_user() instead, in which GFP_USER would
work to limit the memory allocation with a huge addrs_size.

Note we can't fix it by limiting 'addrs_size', as there's no demand
for it from RFC.

Reported-by: syzbot+ec1b7575afef85a0e5ca@syzkaller.appspotmail.com
Fixes: c981f254cc82 ("sctp: use vmemdup_user() rather than badly open-coding memdup_user()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1017,7 +1017,7 @@ static int sctp_setsockopt_bindx(struct
 	if (unlikely(addrs_size <= 0))
 		return -EINVAL;
 
-	kaddrs = vmemdup_user(addrs, addrs_size);
+	kaddrs = memdup_user(addrs, addrs_size);
 	if (unlikely(IS_ERR(kaddrs)))
 		return PTR_ERR(kaddrs);
 
@@ -1025,7 +1025,7 @@ static int sctp_setsockopt_bindx(struct
 	addr_buf = kaddrs;
 	while (walk_size < addrs_size) {
 		if (walk_size + sizeof(sa_family_t) > addrs_size) {
-			kvfree(kaddrs);
+			kfree(kaddrs);
 			return -EINVAL;
 		}
 
@@ -1036,7 +1036,7 @@ static int sctp_setsockopt_bindx(struct
 		 * causes the address buffer to overflow return EINVAL.
 		 */
 		if (!af || (walk_size + af->sockaddr_len) > addrs_size) {
-			kvfree(kaddrs);
+			kfree(kaddrs);
 			return -EINVAL;
 		}
 		addrcnt++;
@@ -1072,7 +1072,7 @@ static int sctp_setsockopt_bindx(struct
 	}
 
 out:
-	kvfree(kaddrs);
+	kfree(kaddrs);
 
 	return err;
 }
@@ -1347,7 +1347,7 @@ static int __sctp_setsockopt_connectx(st
 	if (unlikely(addrs_size <= 0))
 		return -EINVAL;
 
-	kaddrs = vmemdup_user(addrs, addrs_size);
+	kaddrs = memdup_user(addrs, addrs_size);
 	if (unlikely(IS_ERR(kaddrs)))
 		return PTR_ERR(kaddrs);
 
@@ -1367,7 +1367,7 @@ static int __sctp_setsockopt_connectx(st
 	err = __sctp_connect(sk, kaddrs, addrs_size, flags, assoc_id);
 
 out_free:
-	kvfree(kaddrs);
+	kfree(kaddrs);
 
 	return err;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 021/134] tcp: do not use ipv6 header for ipv4 flow
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 020/134] sctp: use memdup_user instead of vmemdup_user Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 022/134] tipc: allow service ranges to be connect()ed on RDM/DGRAM Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 89e4130939a20304f4059ab72179da81f5347528 ]

When a dual stack tcp listener accepts an ipv4 flow,
it should not attempt to use an ipv6 header or tcp_v6_iif() helper.

Fixes: 1397ed35f22d ("ipv6: add flowinfo for tcp6 pkt_options for all cases")
Fixes: df3687ffc665 ("ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/tcp_ipv6.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1108,11 +1108,11 @@ static struct sock *tcp_v6_syn_recv_sock
 		newnp->ipv6_fl_list = NULL;
 		newnp->pktoptions  = NULL;
 		newnp->opt	   = NULL;
-		newnp->mcast_oif   = tcp_v6_iif(skb);
-		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
-		newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
+		newnp->mcast_oif   = inet_iif(skb);
+		newnp->mcast_hops  = ip_hdr(skb)->ttl;
+		newnp->rcv_flowinfo = 0;
 		if (np->repflow)
-			newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
+			newnp->flow_label = 0;
 
 		/*
 		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 022/134] tipc: allow service ranges to be connect()ed on RDM/DGRAM
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 021/134] tcp: do not use ipv6 header for ipv4 flow Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:00 ` [PATCH 4.19 023/134] tipc: change to check tipc_own_id to return in tipc_net_stop Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Erik Hugne, Jon Maloy, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Erik Hugne <erik.hugne@gmail.com>

[ Upstream commit ea239314fe42ace880bdd834256834679346c80e ]

We move the check that prevents connecting service ranges to after
the RDM/DGRAM check, and move address sanity control to a separate
function that also validates the service range.

Fixes: 23998835be98 ("tipc: improve address sanity check in tipc_connect()")
Signed-off-by: Erik Hugne <erik.hugne@gmail.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/socket.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2310,6 +2310,16 @@ static int tipc_wait_for_connect(struct
 	return 0;
 }
 
+static bool tipc_sockaddr_is_sane(struct sockaddr_tipc *addr)
+{
+	if (addr->family != AF_TIPC)
+		return false;
+	if (addr->addrtype == TIPC_SERVICE_RANGE)
+		return (addr->addr.nameseq.lower <= addr->addr.nameseq.upper);
+	return (addr->addrtype == TIPC_SERVICE_ADDR ||
+		addr->addrtype == TIPC_SOCKET_ADDR);
+}
+
 /**
  * tipc_connect - establish a connection to another TIPC port
  * @sock: socket structure
@@ -2345,18 +2355,18 @@ static int tipc_connect(struct socket *s
 		if (!tipc_sk_type_connectionless(sk))
 			res = -EINVAL;
 		goto exit;
-	} else if (dst->family != AF_TIPC) {
-		res = -EINVAL;
 	}
-	if (dst->addrtype != TIPC_ADDR_ID && dst->addrtype != TIPC_ADDR_NAME)
+	if (!tipc_sockaddr_is_sane(dst)) {
 		res = -EINVAL;
-	if (res)
 		goto exit;
-
+	}
 	/* DGRAM/RDM connect(), just save the destaddr */
 	if (tipc_sk_type_connectionless(sk)) {
 		memcpy(&tsk->peer, dest, destlen);
 		goto exit;
+	} else if (dst->addrtype == TIPC_SERVICE_RANGE) {
+		res = -EINVAL;
+		goto exit;
 	}
 
 	previous = sk->sk_state;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 023/134] tipc: change to check tipc_own_id to return in tipc_net_stop
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 022/134] tipc: allow service ranges to be connect()ed on RDM/DGRAM Greg Kroah-Hartman
@ 2019-04-01 17:00 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 024/134] tipc: fix cancellation of topology subscriptions Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+a25307ad099309f1c2b9,
	Xin Long, Ying Xue, Jon Maloy, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 9926cb5f8b0f0aea535735185600d74db7608550 ]

When running a syz script, a panic occurred:

[  156.088228] BUG: KASAN: use-after-free in tipc_disc_timeout+0x9c9/0xb20 [tipc]
[  156.094315] Call Trace:
[  156.094844]  <IRQ>
[  156.095306]  dump_stack+0x7c/0xc0
[  156.097346]  print_address_description+0x65/0x22e
[  156.100445]  kasan_report.cold.3+0x37/0x7a
[  156.102402]  tipc_disc_timeout+0x9c9/0xb20 [tipc]
[  156.106517]  call_timer_fn+0x19a/0x610
[  156.112749]  run_timer_softirq+0xb51/0x1090

It was caused by the netns freed without deleting the discoverer timer,
while later on the netns would be accessed in the timer handler.

The timer should have been deleted by tipc_net_stop() when cleaning up a
netns. However, tipc has been able to enable a bearer and start d->timer
without the local node_addr set since Commit 52dfae5c85a4 ("tipc: obtain
node identity from interface by default"), which caused the timer not to
be deleted in tipc_net_stop() then.

So fix it in tipc_net_stop() by changing to check local node_id instead
of local node_addr, as Jon suggested.

While at it, remove the calling of tipc_nametbl_withdraw() there, since
tipc_nametbl_stop() will take of the nametbl's freeing after.

Fixes: 52dfae5c85a4 ("tipc: obtain node identity from interface by default")
Reported-by: syzbot+a25307ad099309f1c2b9@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/net.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -163,12 +163,9 @@ void tipc_sched_net_finalize(struct net
 
 void tipc_net_stop(struct net *net)
 {
-	u32 self = tipc_own_addr(net);
-
-	if (!self)
+	if (!tipc_own_id(net))
 		return;
 
-	tipc_nametbl_withdraw(net, TIPC_CFG_SRV, self, self, self);
 	rtnl_lock();
 	tipc_bearer_stop(net);
 	tipc_node_stop(net);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 024/134] tipc: fix cancellation of topology subscriptions
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-04-01 17:00 ` [PATCH 4.19 023/134] tipc: change to check tipc_own_id to return in tipc_net_stop Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 025/134] tun: properly test for IFF_UP Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Erik Hugne, Jon Maloy, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Erik Hugne <erik.hugne@gmail.com>

[ Upstream commit 33872d79f5d1cbedaaab79669cc38f16097a9450 ]

When cancelling a subscription, we have to clear the cancel bit in the
request before iterating over any established subscriptions with memcmp.
Otherwise no subscription will ever be found, and it will not be
possible to explicitly unsubscribe individual subscriptions.

Fixes: 8985ecc7c1e0 ("tipc: simplify endianness handling in topology subscriber")
Signed-off-by: Erik Hugne <erik.hugne@gmail.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/topsrv.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -371,6 +371,7 @@ static int tipc_conn_rcv_sub(struct tipc
 	struct tipc_subscription *sub;
 
 	if (tipc_sub_read(s, filter) & TIPC_SUB_CANCEL) {
+		s->filter &= __constant_ntohl(~TIPC_SUB_CANCEL);
 		tipc_conn_delete_sub(con, s);
 		return 0;
 	}



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 025/134] tun: properly test for IFF_UP
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 024/134] tipc: fix cancellation of topology subscriptions Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 026/134] vrf: prevent adding upper devices Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 4477138fa0ae4e1b699786ef0600863ea6e6c61c ]

Same reasons than the ones explained in commit 4179cb5a4c92
("vxlan: test dev->flags & IFF_UP before calling netif_rx()")

netif_rx_ni() or napi_gro_frags() must be called under a strict contract.

At device dismantle phase, core networking clears IFF_UP
and flush_all_backlogs() is called after rcu grace period
to make sure no incoming packet might be in a cpu backlog
and still referencing the device.

A similar protocol is used for gro layer.

Most drivers call netif_rx() from their interrupt handler,
and since the interrupts are disabled at device dismantle,
netif_rx() does not have to check dev->flags & IFF_UP

Virtual drivers do not have this guarantee, and must
therefore make the check themselves.

Fixes: 1bd4978a88ac ("tun: honor IFF_UP in tun_get_user()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/tun.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1718,9 +1718,6 @@ static ssize_t tun_get_user(struct tun_s
 	int skb_xdp = 1;
 	bool frags = tun_napi_frags_enabled(tfile);
 
-	if (!(tun->dev->flags & IFF_UP))
-		return -EIO;
-
 	if (!(tun->flags & IFF_NO_PI)) {
 		if (len < sizeof(pi))
 			return -EINVAL;
@@ -1822,6 +1819,8 @@ static ssize_t tun_get_user(struct tun_s
 			err = skb_copy_datagram_from_iter(skb, 0, from, len);
 
 		if (err) {
+			err = -EFAULT;
+drop:
 			this_cpu_inc(tun->pcpu_stats->rx_dropped);
 			kfree_skb(skb);
 			if (frags) {
@@ -1829,7 +1828,7 @@ static ssize_t tun_get_user(struct tun_s
 				mutex_unlock(&tfile->napi_mutex);
 			}
 
-			return -EFAULT;
+			return err;
 		}
 	}
 
@@ -1913,6 +1912,12 @@ static ssize_t tun_get_user(struct tun_s
 	    !tfile->detached)
 		rxhash = __skb_get_hash_symmetric(skb);
 
+	rcu_read_lock();
+	if (unlikely(!(tun->dev->flags & IFF_UP))) {
+		err = -EIO;
+		goto drop;
+	}
+
 	if (frags) {
 		/* Exercise flow dissector code path. */
 		u32 headlen = eth_get_headlen(skb->data, skb_headlen(skb));
@@ -1920,6 +1925,7 @@ static ssize_t tun_get_user(struct tun_s
 		if (unlikely(headlen > skb_headlen(skb))) {
 			this_cpu_inc(tun->pcpu_stats->rx_dropped);
 			napi_free_frags(&tfile->napi);
+			rcu_read_unlock();
 			mutex_unlock(&tfile->napi_mutex);
 			WARN_ON(1);
 			return -ENOMEM;
@@ -1947,6 +1953,7 @@ static ssize_t tun_get_user(struct tun_s
 	} else {
 		netif_rx_ni(skb);
 	}
+	rcu_read_unlock();
 
 	stats = get_cpu_ptr(tun->pcpu_stats);
 	u64_stats_update_begin(&stats->syncp);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 026/134] vrf: prevent adding upper devices
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 025/134] tun: properly test for IFF_UP Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 027/134] vxlan: Dont call gro_cells_destroy() before device is unregistered Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Ahern, Sabrina Dubroca,
	David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 1017e0987117c32783ba7c10fe2e7ff1456ba1dc ]

VRF devices don't work with upper devices. Currently, it's possible to
add a VRF device to a bridge or team, and to create macvlan, macsec, or
ipvlan devices on top of a VRF (bond and vlan are prevented respectively
by the lack of an ndo_set_mac_address op and the NETIF_F_VLAN_CHALLENGED
feature flag).

Fix this by setting the IFF_NO_RX_HANDLER flag (introduced in commit
f5426250a6ec ("net: introduce IFF_NO_RX_HANDLER")).

Cc: David Ahern <dsahern@gmail.com>
Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/vrf.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -1262,6 +1262,7 @@ static void vrf_setup(struct net_device
 
 	/* default to no qdisc; user can add if desired */
 	dev->priv_flags |= IFF_NO_QUEUE;
+	dev->priv_flags |= IFF_NO_RX_HANDLER;
 }
 
 static int vrf_validate(struct nlattr *tb[], struct nlattr *data[],



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 027/134] vxlan: Dont call gro_cells_destroy() before device is unregistered
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 026/134] vrf: prevent adding upper devices Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 028/134] ila: Fix rhashtable walker list corruption Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suanming.Mou, Eric Dumazet,
	Stefano Brivio, Zhiqiang Liu, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhiqiang Liu <liuzhiqiang26@huawei.com>

[ Upstream commit cc4807bb609230d8959fd732b0bf3bd4c2de8eac ]

Commit ad6c9986bcb62 ("vxlan: Fix GRO cells race condition between
receive and link delete") fixed a race condition for the typical case a vxlan
device is dismantled from the current netns. But if a netns is dismantled,
vxlan_destroy_tunnels() is called to schedule a unregister_netdevice_queue()
of all the vxlan tunnels that are related to this netns.

In vxlan_destroy_tunnels(), gro_cells_destroy() is called and finished before
unregister_netdevice_queue(). This means that the gro_cells_destroy() call is
done too soon, for the same reasons explained in above commit.

So we need to fully respect the RCU rules, and thus must remove the
gro_cells_destroy() call or risk use after-free.

Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")
Signed-off-by: Suanming.Mou <mousuanming@huawei.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/vxlan.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -3798,10 +3798,8 @@ static void vxlan_destroy_tunnels(struct
 		/* If vxlan->dev is in the same netns, it has already been added
 		 * to the list by the previous loop.
 		 */
-		if (!net_eq(dev_net(vxlan->dev), net)) {
-			gro_cells_destroy(&vxlan->gro_cells);
+		if (!net_eq(dev_net(vxlan->dev), net))
 			unregister_netdevice_queue(vxlan->dev, head);
-		}
 	}
 
 	for (h = 0; h < PORT_HASH_SIZE; ++h)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 028/134] ila: Fix rhashtable walker list corruption
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 027/134] vxlan: Dont call gro_cells_destroy() before device is unregistered Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 029/134] net: sched: fix cleanup NULL pointer exception in act_mirr Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+dae72a112334aa65a159,
	Herbert Xu, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

[ Upstream commit b5f9bd15b88563b55a99ed588416881367a0ce5f ]

ila_xlat_nl_cmd_flush uses rhashtable walkers allocated from the
stack but it never frees them.  This corrupts the walker list of
the hash table.

This patch fixes it.

Reported-by: syzbot+dae72a112334aa65a159@syzkaller.appspotmail.com
Fixes: b6e71bdebb12 ("ila: Flush netlink command to clear xlat...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ila/ila_xlat.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv6/ila/ila_xlat.c
+++ b/net/ipv6/ila/ila_xlat.c
@@ -420,6 +420,7 @@ int ila_xlat_nl_cmd_flush(struct sk_buff
 
 done:
 	rhashtable_walk_stop(&iter);
+	rhashtable_walk_exit(&iter);
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 029/134] net: sched: fix cleanup NULL pointer exception in act_mirr
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 028/134] ila: Fix rhashtable walker list corruption Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 030/134] thunderx: enable page recycling for non-XDP case Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Hurley, Jakub Kicinski,
	Cong Wang, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Hurley <john.hurley@netronome.com>

[ Upstream commit 064c5d6881e897077639e04973de26440ee205e6 ]

A new mirred action is created by the tcf_mirred_init function. This
contains a list head struct which is inserted into a global list on
successful creation of a new action. However, after a creation, it is
still possible to error out and call the tcf_idr_release function. This,
in turn, calls the act_mirr cleanup function via __tcf_idr_release and
__tcf_action_put. This cleanup function tries to delete the list entry
which is as yet uninitialised, leading to a NULL pointer exception.

Fix this by initialising the list entry on creation of a new action.

Bug report:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
PGD 8000000840c73067 P4D 8000000840c73067 PUD 858dcc067 PMD 0
Oops: 0002 [#1] SMP PTI
CPU: 32 PID: 5636 Comm: handler194 Tainted: G           OE     5.0.0+ #186
Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.3.6 06/03/2015
RIP: 0010:tcf_mirred_release+0x42/0xa7 [act_mirred]
Code: f0 90 39 c0 e8 52 04 57 c8 48 c7 c7 b8 80 39 c0 e8 94 fa d4 c7 48 8b 93 d0 00 00 00 48 8b 83 d8 00 00 00 48 c7 c7 f0 90 39 c0 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 d0 00
RSP: 0018:ffffac4aa059f688 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff9dcd1b214d00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9dcd1fa165f8 RDI: ffffffffc03990f0
RBP: ffff9dccf9c7af80 R08: 0000000000000a3b R09: 0000000000000000
R10: ffff9dccfa11f420 R11: 0000000000000000 R12: 0000000000000001
R13: ffff9dcd16b433c0 R14: ffff9dcd1b214d80 R15: 0000000000000000
FS:  00007f441bfff700(0000) GS:ffff9dcd1fa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000839e64004 CR4: 00000000001606e0
Call Trace:
tcf_action_cleanup+0x59/0xca
__tcf_action_put+0x54/0x6b
__tcf_idr_release.cold.33+0x9/0x12
tcf_mirred_init.cold.20+0x22e/0x3b0 [act_mirred]
tcf_action_init_1+0x3d0/0x4c0
tcf_action_init+0x9c/0x130
tcf_exts_validate+0xab/0xc0
fl_change+0x1ca/0x982 [cls_flower]
tc_new_tfilter+0x647/0x8d0
? load_balance+0x14b/0x9e0
rtnetlink_rcv_msg+0xe3/0x370
? __switch_to_asm+0x40/0x70
? __switch_to_asm+0x34/0x70
? _cond_resched+0x15/0x30
? __kmalloc_node_track_caller+0x1d4/0x2b0
? rtnl_calcit.isra.31+0xf0/0xf0
netlink_rcv_skb+0x49/0x110
netlink_unicast+0x16f/0x210
netlink_sendmsg+0x1df/0x390
sock_sendmsg+0x36/0x40
___sys_sendmsg+0x27b/0x2c0
? futex_wake+0x80/0x140
? do_futex+0x2b9/0xac0
? ep_scan_ready_list.constprop.22+0x1f2/0x210
? ep_poll+0x7a/0x430
__sys_sendmsg+0x47/0x80
do_syscall_64+0x55/0x100
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 4e232818bd32 ("net: sched: act_mirred: remove dependency on rtnl lock")
Signed-off-by: John Hurley <john.hurley@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_mirred.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -159,6 +159,9 @@ static int tcf_mirred_init(struct net *n
 	}
 	m = to_mirred(*a);
 
+	if (ret == ACT_P_CREATED)
+		INIT_LIST_HEAD(&m->tcfm_list);
+
 	spin_lock_bh(&m->tcf_lock);
 	m->tcf_action = parm->action;
 	m->tcfm_eaction = parm->eaction;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 030/134] thunderx: enable page recycling for non-XDP case
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 029/134] net: sched: fix cleanup NULL pointer exception in act_mirr Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 031/134] thunderx: eliminate extra calls to put_page() for pages held for recycling Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dean Nelson, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dean Nelson <dnelson@redhat.com>

[ Upstream commit b3e208069477588c06f4d5d986164b435bb06e6d ]

Commit 773225388dae15e72790 ("net: thunderx: Optimize page recycling for XDP")
added code to nicvf_alloc_page() that inadvertently disables receive buffer
page recycling for the non-XDP case by always NULL'ng the page pointer.

This patch corrects two if-conditionals to allow for the recycling of non-XDP
mode pages by only setting the page pointer to NULL when the page is not ready
for recycling.

Fixes: 773225388dae ("net: thunderx: Optimize page recycling for XDP")
Signed-off-by: Dean Nelson <dnelson@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c |   23 ++++++++++-----------
 1 file changed, 11 insertions(+), 12 deletions(-)

--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
@@ -105,20 +105,19 @@ static inline struct pgcache *nicvf_allo
 	/* Check if page can be recycled */
 	if (page) {
 		ref_count = page_ref_count(page);
-		/* Check if this page has been used once i.e 'put_page'
-		 * called after packet transmission i.e internal ref_count
-		 * and page's ref_count are equal i.e page can be recycled.
+		/* This page can be recycled if internal ref_count and page's
+		 * ref_count are equal, indicating that the page has been used
+		 * once for packet transmission. For non-XDP mode, internal
+		 * ref_count is always '1'.
 		 */
-		if (rbdr->is_xdp && (ref_count == pgcache->ref_count))
-			pgcache->ref_count--;
-		else
-			page = NULL;
-
-		/* In non-XDP mode, page's ref_count needs to be '1' for it
-		 * to be recycled.
-		 */
-		if (!rbdr->is_xdp && (ref_count != 1))
+		if (rbdr->is_xdp) {
+			if (ref_count == pgcache->ref_count)
+				pgcache->ref_count--;
+			else
+				page = NULL;
+		} else if (ref_count != 1) {
 			page = NULL;
+		}
 	}
 
 	if (!page) {



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 031/134] thunderx: eliminate extra calls to put_page() for pages held for recycling
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 030/134] thunderx: enable page recycling for non-XDP case Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 032/134] tun: add a missing rcu_read_unlock() in error path Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dean Nelson, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dean Nelson <dnelson@redhat.com>

[ Upstream commit cd35ef91490ad8049dd180bb060aff7ee192eda9 ]

For the non-XDP case, commit 773225388dae15e72790 ("net: thunderx: Optimize
page recycling for XDP") added code to nicvf_free_rbdr() that, when releasing
the additional receive buffer page reference held for recycling, repeatedly
calls put_page() until the page's _refcount goes to zero. Which results in
the page being freed.

This is not okay if the page's _refcount was greater than 1 (in the non-XDP
case), because nicvf_free_rbdr() should not be subtracting more than what
nicvf_alloc_page() had previously added to the page's _refcount, which was
only 1 (in the non-XDP case).

This can arise if a received packet is still being processed and the receive
buffer (i.e., skb->head) has not yet been freed via skb_free_head() when
nicvf_free_rbdr() is spinning through the aforementioned put_page() loop.

If this should occur, when the received packet finishes processing and
skb_free_head() is called, various problems can ensue. Exactly what, depends on
whether the page has already been reallocated or not, anything from "BUG: Bad
page state ... ", to "Unable to handle kernel NULL pointer dereference ..." or
"Unable to handle kernel paging request...".

So this patch changes nicvf_free_rbdr() to only call put_page() once for pages
held for recycling (in the non-XDP case).

Fixes: 773225388dae ("net: thunderx: Optimize page recycling for XDP")
Signed-off-by: Dean Nelson <dnelson@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
@@ -364,11 +364,10 @@ static void nicvf_free_rbdr(struct nicvf
 	while (head < rbdr->pgcnt) {
 		pgcache = &rbdr->pgcache[head];
 		if (pgcache->page && page_ref_count(pgcache->page) != 0) {
-			if (!rbdr->is_xdp) {
-				put_page(pgcache->page);
-				continue;
+			if (rbdr->is_xdp) {
+				page_ref_sub(pgcache->page,
+					     pgcache->ref_count - 1);
 			}
-			page_ref_sub(pgcache->page, pgcache->ref_count - 1);
 			put_page(pgcache->page);
 		}
 		head++;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 032/134] tun: add a missing rcu_read_unlock() in error path
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 031/134] thunderx: eliminate extra calls to put_page() for pages held for recycling Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 033/134] powerpc/fsl: Add infrastructure to fixup branch predictor flush Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 9180bb4f046064dfa4541488102703b402bb04e1 upstream.

In my latest patch I missed one rcu_read_unlock(), in case
device is down.

Fixes: 4477138fa0ae ("tun: properly test for IFF_UP")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/tun.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1915,6 +1915,7 @@ drop:
 	rcu_read_lock();
 	if (unlikely(!(tun->dev->flags & IFF_UP))) {
 		err = -EIO;
+		rcu_read_unlock();
 		goto drop;
 	}
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 033/134] powerpc/fsl: Add infrastructure to fixup branch predictor flush
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 032/134] tun: add a missing rcu_read_unlock() in error path Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 034/134] powerpc/fsl: Add macro to flush the branch predictor Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit 76a5eaa38b15dda92cd6964248c39b5a6f3a4e9d upstream.

In order to protect against speculation attacks (Spectre
variant 2) on NXP PowerPC platforms, the branch predictor
should be flushed when the privillege level is changed.
This patch is adding the infrastructure to fixup at runtime
the code sections that are performing the branch predictor flush
depending on a boot arg parameter which is added later in a
separate patch.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/feature-fixups.h |   12 ++++++++++++
 arch/powerpc/include/asm/setup.h          |    2 ++
 arch/powerpc/kernel/vmlinux.lds.S         |    8 ++++++++
 arch/powerpc/lib/feature-fixups.c         |   23 +++++++++++++++++++++++
 4 files changed, 45 insertions(+)

--- a/arch/powerpc/include/asm/feature-fixups.h
+++ b/arch/powerpc/include/asm/feature-fixups.h
@@ -221,6 +221,17 @@ label##3:					       	\
 	FTR_ENTRY_OFFSET 953b-954b;			\
 	.popsection;
 
+#define START_BTB_FLUSH_SECTION			\
+955:							\
+
+#define END_BTB_FLUSH_SECTION			\
+956:							\
+	.pushsection __btb_flush_fixup,"a";	\
+	.align 2;							\
+957:						\
+	FTR_ENTRY_OFFSET 955b-957b;			\
+	FTR_ENTRY_OFFSET 956b-957b;			\
+	.popsection;
 
 #ifndef __ASSEMBLY__
 #include <linux/types.h>
@@ -230,6 +241,7 @@ extern long __start___stf_entry_barrier_
 extern long __start___stf_exit_barrier_fixup, __stop___stf_exit_barrier_fixup;
 extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup;
 extern long __start___barrier_nospec_fixup, __stop___barrier_nospec_fixup;
+extern long __start__btb_flush_fixup, __stop__btb_flush_fixup;
 
 void apply_feature_fixups(void);
 void setup_feature_keys(void);
--- a/arch/powerpc/include/asm/setup.h
+++ b/arch/powerpc/include/asm/setup.h
@@ -67,6 +67,8 @@ void do_barrier_nospec_fixups_range(bool
 static inline void do_barrier_nospec_fixups_range(bool enable, void *start, void *end) { };
 #endif
 
+void do_btb_flush_fixups(void);
+
 #endif /* !__ASSEMBLY__ */
 
 #endif	/* _ASM_POWERPC_SETUP_H */
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -164,6 +164,14 @@ SECTIONS
 	}
 #endif /* CONFIG_PPC_BARRIER_NOSPEC */
 
+#ifdef CONFIG_PPC_FSL_BOOK3E
+	. = ALIGN(8);
+	__spec_btb_flush_fixup : AT(ADDR(__spec_btb_flush_fixup) - LOAD_OFFSET) {
+		__start__btb_flush_fixup = .;
+		*(__btb_flush_fixup)
+		__stop__btb_flush_fixup = .;
+	}
+#endif
 	EXCEPTION_TABLE(0)
 
 	NOTES :kernel :notes
--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -347,6 +347,29 @@ void do_barrier_nospec_fixups_range(bool
 
 	printk(KERN_DEBUG "barrier-nospec: patched %d locations\n", i);
 }
+
+static void patch_btb_flush_section(long *curr)
+{
+	unsigned int *start, *end;
+
+	start = (void *)curr + *curr;
+	end = (void *)curr + *(curr + 1);
+	for (; start < end; start++) {
+		pr_devel("patching dest %lx\n", (unsigned long)start);
+		patch_instruction(start, PPC_INST_NOP);
+	}
+}
+
+void do_btb_flush_fixups(void)
+{
+	long *start, *end;
+
+	start = PTRRELOC(&__start__btb_flush_fixup);
+	end = PTRRELOC(&__stop__btb_flush_fixup);
+
+	for (; start < end; start += 2)
+		patch_btb_flush_section(start);
+}
 #endif /* CONFIG_PPC_FSL_BOOK3E */
 
 void do_lwsync_fixups(unsigned long value, void *fixup_start, void *fixup_end)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 034/134] powerpc/fsl: Add macro to flush the branch predictor
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 033/134] powerpc/fsl: Add infrastructure to fixup branch predictor flush Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 035/134] powerpc/fsl: Emulate SPRN_BUCSR register Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit 1cbf8990d79ff69da8ad09e8a3df014e1494462b upstream.

The BUCSR register can be used to invalidate the entries in the
branch prediction mechanisms.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/ppc_asm.h |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/powerpc/include/asm/ppc_asm.h
+++ b/arch/powerpc/include/asm/ppc_asm.h
@@ -821,4 +821,14 @@ END_FTR_SECTION_IFCLR(CPU_FTR_601)
 	stringify_in_c(.long (_target) - . ;)	\
 	stringify_in_c(.previous)
 
+#ifdef CONFIG_PPC_FSL_BOOK3E
+#define BTB_FLUSH(reg)			\
+	lis reg,BUCSR_INIT@h;		\
+	ori reg,reg,BUCSR_INIT@l;	\
+	mtspr SPRN_BUCSR,reg;		\
+	isync;
+#else
+#define BTB_FLUSH(reg)
+#endif /* CONFIG_PPC_FSL_BOOK3E */
+
 #endif /* _ASM_POWERPC_PPC_ASM_H */



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 035/134] powerpc/fsl: Emulate SPRN_BUCSR register
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 034/134] powerpc/fsl: Add macro to flush the branch predictor Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 036/134] powerpc/fsl: Add nospectre_v2 command line argument Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit 98518c4d8728656db349f875fcbbc7c126d4c973 upstream.

In order to flush the branch predictor the guest kernel performs
writes to the BUCSR register which is hypervisor privilleged. However,
the branch predictor is flushed at each KVM entry, so the branch
predictor has been already flushed, so just return as soon as possible
to guest.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
[mpe: Tweak comment formatting]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kvm/e500_emulate.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/powerpc/kvm/e500_emulate.c
+++ b/arch/powerpc/kvm/e500_emulate.c
@@ -277,6 +277,13 @@ int kvmppc_core_emulate_mtspr_e500(struc
 		vcpu->arch.pwrmgtcr0 = spr_val;
 		break;
 
+	case SPRN_BUCSR:
+		/*
+		 * If we are here, it means that we have already flushed the
+		 * branch predictor, so just return to guest.
+		 */
+		break;
+
 	/* extra exceptions */
 #ifdef CONFIG_SPE_POSSIBLE
 	case SPRN_IVOR32:



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 036/134] powerpc/fsl: Add nospectre_v2 command line argument
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 035/134] powerpc/fsl: Emulate SPRN_BUCSR register Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 037/134] powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit f633a8ad636efb5d4bba1a047d4a0f1ef719aa06 upstream.

When the command line argument is present, the Spectre variant 2
mitigations are disabled.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/setup.h |    5 +++++
 arch/powerpc/kernel/security.c   |   21 +++++++++++++++++++++
 2 files changed, 26 insertions(+)

--- a/arch/powerpc/include/asm/setup.h
+++ b/arch/powerpc/include/asm/setup.h
@@ -67,6 +67,11 @@ void do_barrier_nospec_fixups_range(bool
 static inline void do_barrier_nospec_fixups_range(bool enable, void *start, void *end) { };
 #endif
 
+#ifdef CONFIG_PPC_FSL_BOOK3E
+void setup_spectre_v2(void);
+#else
+static inline void setup_spectre_v2(void) {};
+#endif
 void do_btb_flush_fixups(void);
 
 #endif /* !__ASSEMBLY__ */
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -26,6 +26,10 @@ static enum count_cache_flush_type count
 
 bool barrier_nospec_enabled;
 static bool no_nospec;
+static bool btb_flush_enabled;
+#ifdef CONFIG_PPC_FSL_BOOK3E
+static bool no_spectrev2;
+#endif
 
 static void enable_barrier_nospec(bool enable)
 {
@@ -101,6 +105,23 @@ static __init int barrier_nospec_debugfs
 device_initcall(barrier_nospec_debugfs_init);
 #endif /* CONFIG_DEBUG_FS */
 
+#ifdef CONFIG_PPC_FSL_BOOK3E
+static int __init handle_nospectre_v2(char *p)
+{
+	no_spectrev2 = true;
+
+	return 0;
+}
+early_param("nospectre_v2", handle_nospectre_v2);
+void setup_spectre_v2(void)
+{
+	if (no_spectrev2)
+		do_btb_flush_fixups();
+	else
+		btb_flush_enabled = true;
+}
+#endif /* CONFIG_PPC_FSL_BOOK3E */
+
 #ifdef CONFIG_PPC_BOOK3S_64
 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
 {



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 037/134] powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 036/134] powerpc/fsl: Add nospectre_v2 command line argument Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 038/134] powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit 10c5e83afd4a3f01712d97d3bb1ae34d5b74a185 upstream.

In order to protect against speculation attacks on
indirect branches, the branch predictor is flushed at
kernel entry to protect for the following situations:
- userspace process attacking another userspace process
- userspace process attacking the kernel
Basically when the privillege level change (i.e. the
kernel is entered), the branch predictor state is flushed.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/entry_64.S       |    5 +++++
 arch/powerpc/kernel/exceptions-64e.S |   26 +++++++++++++++++++++++++-
 arch/powerpc/mm/tlb_low_64e.S        |    7 +++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -80,6 +80,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_TM)
 	std	r0,GPR0(r1)
 	std	r10,GPR1(r1)
 	beq	2f			/* if from kernel mode */
+#ifdef CONFIG_PPC_FSL_BOOK3E
+START_BTB_FLUSH_SECTION
+	BTB_FLUSH(r10)
+END_BTB_FLUSH_SECTION
+#endif
 	ACCOUNT_CPU_USER_ENTRY(r13, r10, r11)
 2:	std	r2,GPR2(r1)
 	std	r3,GPR3(r1)
--- a/arch/powerpc/kernel/exceptions-64e.S
+++ b/arch/powerpc/kernel/exceptions-64e.S
@@ -296,7 +296,8 @@ ret_from_mc_except:
 	andi.	r10,r11,MSR_PR;		/* save stack pointer */	    \
 	beq	1f;			/* branch around if supervisor */   \
 	ld	r1,PACAKSAVE(r13);	/* get kernel stack coming from usr */\
-1:	cmpdi	cr1,r1,0;		/* check if SP makes sense */	    \
+1:	type##_BTB_FLUSH		\
+	cmpdi	cr1,r1,0;		/* check if SP makes sense */	    \
 	bge-	cr1,exc_##n##_bad_stack;/* bad stack (TODO: out of line) */ \
 	mfspr	r10,SPRN_##type##_SRR0;	/* read SRR0 before touching stack */
 
@@ -328,6 +329,29 @@ ret_from_mc_except:
 #define SPRN_MC_SRR0	SPRN_MCSRR0
 #define SPRN_MC_SRR1	SPRN_MCSRR1
 
+#ifdef CONFIG_PPC_FSL_BOOK3E
+#define GEN_BTB_FLUSH			\
+	START_BTB_FLUSH_SECTION		\
+		beq 1f;			\
+		BTB_FLUSH(r10)			\
+		1:		\
+	END_BTB_FLUSH_SECTION
+
+#define CRIT_BTB_FLUSH			\
+	START_BTB_FLUSH_SECTION		\
+		BTB_FLUSH(r10)		\
+	END_BTB_FLUSH_SECTION
+
+#define DBG_BTB_FLUSH CRIT_BTB_FLUSH
+#define MC_BTB_FLUSH CRIT_BTB_FLUSH
+#define GDBELL_BTB_FLUSH GEN_BTB_FLUSH
+#else
+#define GEN_BTB_FLUSH
+#define CRIT_BTB_FLUSH
+#define DBG_BTB_FLUSH
+#define GDBELL_BTB_FLUSH
+#endif
+
 #define NORMAL_EXCEPTION_PROLOG(n, intnum, addition)			    \
 	EXCEPTION_PROLOG(n, intnum, GEN, addition##_GEN(n))
 
--- a/arch/powerpc/mm/tlb_low_64e.S
+++ b/arch/powerpc/mm/tlb_low_64e.S
@@ -70,6 +70,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
 	std	r15,EX_TLB_R15(r12)
 	std	r10,EX_TLB_CR(r12)
 #ifdef CONFIG_PPC_FSL_BOOK3E
+START_BTB_FLUSH_SECTION
+	mfspr r11, SPRN_SRR1
+	andi. r10,r11,MSR_PR
+	beq 1f
+	BTB_FLUSH(r10)
+1:
+END_BTB_FLUSH_SECTION
 	std	r7,EX_TLB_R7(r12)
 #endif
 	TLB_MISS_PROLOG_STATS



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 038/134] powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit)
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 037/134] powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 039/134] powerpc/fsl: Flush branch predictor when entering KVM Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit 7fef436295bf6c05effe682c8797dfcb0deb112a upstream.

In order to protect against speculation attacks on
indirect branches, the branch predictor is flushed at
kernel entry to protect for the following situations:
- userspace process attacking another userspace process
- userspace process attacking the kernel
Basically when the privillege level change (i.e.the kernel
is entered), the branch predictor state is flushed.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/head_booke.h     |    6 ++++++
 arch/powerpc/kernel/head_fsl_booke.S |   15 +++++++++++++++
 2 files changed, 21 insertions(+)

--- a/arch/powerpc/kernel/head_booke.h
+++ b/arch/powerpc/kernel/head_booke.h
@@ -43,6 +43,9 @@
 	andi.	r11, r11, MSR_PR;	/* check whether user or kernel    */\
 	mr	r11, r1;						     \
 	beq	1f;							     \
+START_BTB_FLUSH_SECTION					\
+	BTB_FLUSH(r11)						\
+END_BTB_FLUSH_SECTION					\
 	/* if from user, start at top of this thread's kernel stack */       \
 	lwz	r11, THREAD_INFO-THREAD(r10);				     \
 	ALLOC_STACK_FRAME(r11, THREAD_SIZE);				     \
@@ -128,6 +131,9 @@
 	stw	r9,_CCR(r8);		/* save CR on stack		   */\
 	mfspr	r11,exc_level_srr1;	/* check whether user or kernel    */\
 	DO_KVM	BOOKE_INTERRUPT_##intno exc_level_srr1;		             \
+START_BTB_FLUSH_SECTION								\
+	BTB_FLUSH(r10)									\
+END_BTB_FLUSH_SECTION								\
 	andi.	r11,r11,MSR_PR;						     \
 	mfspr	r11,SPRN_SPRG_THREAD;	/* if from user, start at top of   */\
 	lwz	r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\
--- a/arch/powerpc/kernel/head_fsl_booke.S
+++ b/arch/powerpc/kernel/head_fsl_booke.S
@@ -453,6 +453,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
 	mfcr	r13
 	stw	r13, THREAD_NORMSAVE(3)(r10)
 	DO_KVM	BOOKE_INTERRUPT_DTLB_MISS SPRN_SRR1
+START_BTB_FLUSH_SECTION
+	mfspr r11, SPRN_SRR1
+	andi. r10,r11,MSR_PR
+	beq 1f
+	BTB_FLUSH(r10)
+1:
+END_BTB_FLUSH_SECTION
 	mfspr	r10, SPRN_DEAR		/* Get faulting address */
 
 	/* If we are faulting a kernel address, we have to use the
@@ -547,6 +554,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
 	mfcr	r13
 	stw	r13, THREAD_NORMSAVE(3)(r10)
 	DO_KVM	BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR1
+START_BTB_FLUSH_SECTION
+	mfspr r11, SPRN_SRR1
+	andi. r10,r11,MSR_PR
+	beq 1f
+	BTB_FLUSH(r10)
+1:
+END_BTB_FLUSH_SECTION
+
 	mfspr	r10, SPRN_SRR0		/* Get faulting address */
 
 	/* If we are faulting a kernel address, we have to use the



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 039/134] powerpc/fsl: Flush branch predictor when entering KVM
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 038/134] powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 040/134] powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit e7aa61f47b23afbec41031bc47ca8d6cb6516abc upstream.

Switching from the guest to host is another place
where the speculative accesses can be exploited.
Flush the branch predictor when entering KVM.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kvm/bookehv_interrupts.S |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/powerpc/kvm/bookehv_interrupts.S
+++ b/arch/powerpc/kvm/bookehv_interrupts.S
@@ -75,6 +75,10 @@
 	PPC_LL	r1, VCPU_HOST_STACK(r4)
 	PPC_LL	r2, HOST_R2(r1)
 
+START_BTB_FLUSH_SECTION
+	BTB_FLUSH(r10)
+END_BTB_FLUSH_SECTION
+
 	mfspr	r10, SPRN_PID
 	lwz	r8, VCPU_HOST_PID(r4)
 	PPC_LL	r11, VCPU_SHARED(r4)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 040/134] powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 039/134] powerpc/fsl: Flush branch predictor when entering KVM Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 041/134] powerpc/fsl: Update Spectre v2 reporting Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit 3bc8ea8603ae4c1e09aca8de229ad38b8091fcb3 upstream.

If the user choses not to use the mitigations, replace
the code sequence with nops.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/setup-common.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -973,6 +973,7 @@ void __init setup_arch(char **cmdline_p)
 		ppc_md.setup_arch();
 
 	setup_barrier_nospec();
+	setup_spectre_v2();
 
 	paging_init();
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 041/134] powerpc/fsl: Update Spectre v2 reporting
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 040/134] powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 042/134] powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit dfa88658fb0583abb92e062c7a9cd5a5b94f2a46 upstream.

Report branch predictor state flush as a mitigation for
Spectre variant 2.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/security.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -212,8 +212,11 @@ ssize_t cpu_show_spectre_v2(struct devic
 
 		if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW)
 			seq_buf_printf(&s, "(hardware accelerated)");
-	} else
+	} else if (btb_flush_enabled) {
+		seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
+	} else {
 		seq_buf_printf(&s, "Vulnerable");
+	}
 
 	seq_buf_printf(&s, "\n");
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 042/134] powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 041/134] powerpc/fsl: Update Spectre v2 reporting Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 043/134] powerpc/fsl: Fix the flush of branch predictor Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Diana Craciun, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Diana Craciun <diana.craciun@nxp.com>

commit 039daac5526932ec731e4499613018d263af8b3e upstream.

Fixed the following build warning:
powerpc-linux-gnu-ld: warning: orphan section `__btb_flush_fixup' from
`arch/powerpc/kernel/head_44x.o' being placed in section
`__btb_flush_fixup'.

Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/head_booke.h |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/arch/powerpc/kernel/head_booke.h
+++ b/arch/powerpc/kernel/head_booke.h
@@ -32,6 +32,16 @@
  */
 #define THREAD_NORMSAVE(offset)	(THREAD_NORMSAVES + (offset * 4))
 
+#ifdef CONFIG_PPC_FSL_BOOK3E
+#define BOOKE_CLEAR_BTB(reg)									\
+START_BTB_FLUSH_SECTION								\
+	BTB_FLUSH(reg)									\
+END_BTB_FLUSH_SECTION
+#else
+#define BOOKE_CLEAR_BTB(reg)
+#endif
+
+
 #define NORMAL_EXCEPTION_PROLOG(intno)						     \
 	mtspr	SPRN_SPRG_WSCRATCH0, r10;	/* save one register */	     \
 	mfspr	r10, SPRN_SPRG_THREAD;					     \
@@ -43,9 +53,7 @@
 	andi.	r11, r11, MSR_PR;	/* check whether user or kernel    */\
 	mr	r11, r1;						     \
 	beq	1f;							     \
-START_BTB_FLUSH_SECTION					\
-	BTB_FLUSH(r11)						\
-END_BTB_FLUSH_SECTION					\
+	BOOKE_CLEAR_BTB(r11)						\
 	/* if from user, start at top of this thread's kernel stack */       \
 	lwz	r11, THREAD_INFO-THREAD(r10);				     \
 	ALLOC_STACK_FRAME(r11, THREAD_SIZE);				     \
@@ -131,9 +139,7 @@ END_BTB_FLUSH_SECTION					\
 	stw	r9,_CCR(r8);		/* save CR on stack		   */\
 	mfspr	r11,exc_level_srr1;	/* check whether user or kernel    */\
 	DO_KVM	BOOKE_INTERRUPT_##intno exc_level_srr1;		             \
-START_BTB_FLUSH_SECTION								\
-	BTB_FLUSH(r10)									\
-END_BTB_FLUSH_SECTION								\
+	BOOKE_CLEAR_BTB(r10)						\
 	andi.	r11,r11,MSR_PR;						     \
 	mfspr	r11,SPRN_SPRG_THREAD;	/* if from user, start at top of   */\
 	lwz	r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 043/134] powerpc/fsl: Fix the flush of branch predictor.
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 042/134] powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 044/134] powerpc/security: Fix spectre_v2 reporting Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Diana Craciun, Christophe Leroy,
	Daniel Axtens, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 27da80719ef132cf8c80eb406d5aeb37dddf78cc upstream.

The commit identified below adds MC_BTB_FLUSH macro only when
CONFIG_PPC_FSL_BOOK3E is defined. This results in the following error
on some configs (seen several times with kisskb randconfig_defconfig)

arch/powerpc/kernel/exceptions-64e.S:576: Error: Unrecognized opcode: `mc_btb_flush'
make[3]: *** [scripts/Makefile.build:367: arch/powerpc/kernel/exceptions-64e.o] Error 1
make[2]: *** [scripts/Makefile.build:492: arch/powerpc/kernel] Error 2
make[1]: *** [Makefile:1043: arch/powerpc] Error 2
make: *** [Makefile:152: sub-make] Error 2

This patch adds a blank definition of MC_BTB_FLUSH for other cases.

Fixes: 10c5e83afd4a ("powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)")
Cc: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Reviewed-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/exceptions-64e.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/exceptions-64e.S
+++ b/arch/powerpc/kernel/exceptions-64e.S
@@ -349,6 +349,7 @@ ret_from_mc_except:
 #define GEN_BTB_FLUSH
 #define CRIT_BTB_FLUSH
 #define DBG_BTB_FLUSH
+#define MC_BTB_FLUSH
 #define GDBELL_BTB_FLUSH
 #endif
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 044/134] powerpc/security: Fix spectre_v2 reporting
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 043/134] powerpc/fsl: Fix the flush of branch predictor Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 045/134] Btrfs: fix incorrect file size after shrinking truncate and fsync Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Michael Neuling,
	Diana Craciun

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit 92edf8df0ff2ae86cc632eeca0e651fd8431d40d upstream.

When I updated the spectre_v2 reporting to handle software count cache
flush I got the logic wrong when there's no software count cache
enabled at all.

The result is that on systems with the software count cache flush
disabled we print:

  Mitigation: Indirect branch cache disabled, Software count cache flush

Which correctly indicates that the count cache is disabled, but
incorrectly says the software count cache flush is enabled.

The root of the problem is that we are trying to handle all
combinations of options. But we know now that we only expect to see
the software count cache flush enabled if the other options are false.

So split the two cases, which simplifies the logic and fixes the bug.
We were also missing a space before "(hardware accelerated)".

The result is we see one of:

  Mitigation: Indirect branch serialisation (kernel only)
  Mitigation: Indirect branch cache disabled
  Mitigation: Software count cache flush
  Mitigation: Software count cache flush (hardware accelerated)

Fixes: ee13cb249fab ("powerpc/64s: Add support for software count cache flush")
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Michael Neuling <mikey@neuling.org>
Reviewed-by: Diana Craciun <diana.craciun@nxp.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/security.c |   23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -189,29 +189,22 @@ ssize_t cpu_show_spectre_v2(struct devic
 	bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
 	ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
 
-	if (bcs || ccd || count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
-		bool comma = false;
+	if (bcs || ccd) {
 		seq_buf_printf(&s, "Mitigation: ");
 
-		if (bcs) {
+		if (bcs)
 			seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");
-			comma = true;
-		}
 
-		if (ccd) {
-			if (comma)
-				seq_buf_printf(&s, ", ");
-			seq_buf_printf(&s, "Indirect branch cache disabled");
-			comma = true;
-		}
-
-		if (comma)
+		if (bcs && ccd)
 			seq_buf_printf(&s, ", ");
 
-		seq_buf_printf(&s, "Software count cache flush");
+		if (ccd)
+			seq_buf_printf(&s, "Indirect branch cache disabled");
+	} else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
+		seq_buf_printf(&s, "Mitigation: Software count cache flush");
 
 		if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW)
-			seq_buf_printf(&s, "(hardware accelerated)");
+			seq_buf_printf(&s, " (hardware accelerated)");
 	} else if (btb_flush_enabled) {
 		seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
 	} else {



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 045/134] Btrfs: fix incorrect file size after shrinking truncate and fsync
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 044/134] powerpc/security: Fix spectre_v2 reporting Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 046/134] btrfs: remove WARN_ON in log_dir_items Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Seulbae Kim, Filipe Manana, David Sterba

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit bf504110bc8aa05df48b0e5f0aa84bfb81e0574b upstream.

If we do a shrinking truncate against an inode which is already present
in the respective log tree and then rename it, as part of logging the new
name we end up logging an inode item that reflects the old size of the
file (the one which we previously logged) and not the new smaller size.
The decision to preserve the size previously logged was added by commit
1a4bcf470c886b ("Btrfs: fix fsync data loss after adding hard link to
inode") in order to avoid data loss after replaying the log. However that
decision is only needed for the case the logged inode size is smaller then
the current size of the inode, as explained in that commit's change log.
If the current size of the inode is smaller then the previously logged
size, we know a shrinking truncate happened and therefore need to use
that smaller size.

Example to trigger the problem:

  $ mkfs.btrfs -f /dev/sdb
  $ mount /dev/sdb /mnt

  $ xfs_io -f -c "pwrite -S 0xab 0 8000" /mnt/foo
  $ xfs_io -c "fsync" /mnt/foo
  $ xfs_io -c "truncate 3000" /mnt/foo

  $ mv /mnt/foo /mnt/bar
  $ xfs_io -c "fsync" /mnt/bar

  <power failure>

  $ mount /dev/sdb /mnt
  $ od -t x1 -A d /mnt/bar
  0000000 ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab
  *
  0008000

Once we rename the file, we log its name (and inode item), and because
the inode was already logged before in the current transaction, we log it
with a size of 8000 bytes because that is the size we previously logged
(with the first fsync). As part of the rename, besides logging the inode,
we do also sync the log, which is done since commit d4682ba03ef618
("Btrfs: sync log after logging new name"), so the next fsync against our
inode is effectively a no-op, since no new changes happened since the
rename operation. Even if did not sync the log during the rename
operation, the same problem (fize size of 8000 bytes instead of 3000
bytes) would be visible after replaying the log if the log ended up
getting synced to disk through some other means, such as for example by
fsyncing some other modified file. In the example above the fsync after
the rename operation is there just because not every filesystem may
guarantee logging/journalling the inode (and syncing the log/journal)
during the rename operation, for example it is needed for f2fs, but not
for ext4 and xfs.

Fix this scenario by, when logging a new name (which is triggered by
rename and link operations), using the current size of the inode instead
of the previously logged inode size.

A test case for fstests follows soon.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202695
CC: stable@vger.kernel.org # 4.4+
Reported-by: Seulbae Kim <seulbae@gatech.edu>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -4504,6 +4504,19 @@ static int logged_inode_size(struct btrf
 		item = btrfs_item_ptr(path->nodes[0], path->slots[0],
 				      struct btrfs_inode_item);
 		*size_ret = btrfs_inode_size(path->nodes[0], item);
+		/*
+		 * If the in-memory inode's i_size is smaller then the inode
+		 * size stored in the btree, return the inode's i_size, so
+		 * that we get a correct inode size after replaying the log
+		 * when before a power failure we had a shrinking truncate
+		 * followed by addition of a new name (rename / new hard link).
+		 * Otherwise return the inode size from the btree, to avoid
+		 * data loss when replaying a log due to previously doing a
+		 * write that expands the inode's size and logging a new name
+		 * immediately after.
+		 */
+		if (*size_ret > inode->vfs_inode.i_size)
+			*size_ret = inode->vfs_inode.i_size;
 	}
 
 	btrfs_release_path(path);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 046/134] btrfs: remove WARN_ON in log_dir_items
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 045/134] Btrfs: fix incorrect file size after shrinking truncate and fsync Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 047/134] btrfs: dont report readahead errors and dont update statistics Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Filipe Manana, Josef Bacik, David Sterba

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <josef@toxicpanda.com>

commit 2cc8334270e281815c3850c3adea363c51f21e0d upstream.

When Filipe added the recursive directory logging stuff in
2f2ff0ee5e430 ("Btrfs: fix metadata inconsistencies after directory
fsync") he specifically didn't take the directory i_mutex for the
children directories that we need to log because of lockdep.  This is
generally fine, but can lead to this WARN_ON() tripping if we happen to
run delayed deletion's in between our first search and our second search
of dir_item/dir_indexes for this directory.  We expect this to happen,
so the WARN_ON() isn't necessary.  Drop the WARN_ON() and add a comment
so we know why this case can happen.

CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -3532,9 +3532,16 @@ static noinline int log_dir_items(struct
 	}
 	btrfs_release_path(path);
 
-	/* find the first key from this transaction again */
+	/*
+	 * Find the first key from this transaction again.  See the note for
+	 * log_new_dir_dentries, if we're logging a directory recursively we
+	 * won't be holding its i_mutex, which means we can modify the directory
+	 * while we're logging it.  If we remove an entry between our first
+	 * search and this search we'll not find the key again and can just
+	 * bail.
+	 */
 	ret = btrfs_search_slot(NULL, root, &min_key, path, 0, 0);
-	if (WARN_ON(ret != 0))
+	if (ret != 0)
 		goto done;
 
 	/*



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 047/134] btrfs: dont report readahead errors and dont update statistics
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 046/134] btrfs: remove WARN_ON in log_dir_items Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 048/134] btrfs: raid56: properly unmap parity page in finish_parity_scrub() Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, LimeTech, David Sterba

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Sterba <dsterba@suse.com>

commit 0cc068e6ee59c1fffbfa977d8bf868b7551d80ac upstream.

As readahead is an optimization, all errors are usually filtered out,
but still properly handled when the real read call is done. The commit
5e9d398240b2 ("btrfs: readpages() should submit IO as read-ahead") added
REQ_RAHEAD to readpages() because that's only used for readahead
(despite what one would expect from the callback name).

This causes a flood of messages and inflated read error stats, so skip
reporting in case it's readahead.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202403
Reported-by: LimeTech <tomm@lime-technology.com>
Fixes: 5e9d398240b2 ("btrfs: readpages() should submit IO as read-ahead")
CC: stable@vger.kernel.org # 4.19+
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/volumes.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -6051,7 +6051,7 @@ static void btrfs_end_bio(struct bio *bi
 				if (bio_op(bio) == REQ_OP_WRITE)
 					btrfs_dev_stat_inc_and_print(dev,
 						BTRFS_DEV_STAT_WRITE_ERRS);
-				else
+				else if (!(bio->bi_opf & REQ_RAHEAD))
 					btrfs_dev_stat_inc_and_print(dev,
 						BTRFS_DEV_STAT_READ_ERRS);
 				if (bio->bi_opf & REQ_PREFLUSH)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 048/134] btrfs: raid56: properly unmap parity page in finish_parity_scrub()
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 047/134] btrfs: dont report readahead errors and dont update statistics Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 049/134] btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Thumshirn, Andrea Righi,
	David Sterba

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrea Righi <andrea.righi@canonical.com>

commit 3897b6f0a859288c22fb793fad11ec2327e60fcd upstream.

Parity page is incorrectly unmapped in finish_parity_scrub(), triggering
a reference counter bug on i386, i.e.:

 [ 157.662401] kernel BUG at mm/highmem.c:349!
 [ 157.666725] invalid opcode: 0000 [#1] SMP PTI

The reason is that kunmap(p_page) was completely left out, so we never
did an unmap for the p_page and the loop unmapping the rbio page was
iterating over the wrong number of stripes: unmapping should be done
with nr_data instead of rbio->real_stripes.

Test case to reproduce the bug:

 - create a raid5 btrfs filesystem:
   # mkfs.btrfs -m raid5 -d raid5 /dev/sdb /dev/sdc /dev/sdd /dev/sde

 - mount it:
   # mount /dev/sdb /mnt

 - run btrfs scrub in a loop:
   # while :; do btrfs scrub start -BR /mnt; done

BugLink: https://bugs.launchpad.net/bugs/1812845
Fixes: 5a6ac9eacb49 ("Btrfs, raid56: support parity scrub on raid56")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/raid56.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/btrfs/raid56.c
+++ b/fs/btrfs/raid56.c
@@ -2429,8 +2429,9 @@ static noinline void finish_parity_scrub
 			bitmap_clear(rbio->dbitmap, pagenr, 1);
 		kunmap(p);
 
-		for (stripe = 0; stripe < rbio->real_stripes; stripe++)
+		for (stripe = 0; stripe < nr_data; stripe++)
 			kunmap(page_in_rbio(rbio, stripe, pagenr, 0));
+		kunmap(p_page);
 	}
 
 	__free_page(p_page);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 049/134] btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 048/134] btrfs: raid56: properly unmap parity page in finish_parity_scrub() Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 050/134] Btrfs: fix assertion failure on fsync with NO_HOLES enabled Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Nikolay Borisov, David Sterba

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov <nborisov@suse.com>

commit 139a56170de67101791d6e6c8e940c6328393fe9 upstream.

qgroup_rsv_size is calculated as the product of
outstanding_extent * fs_info->nodesize. The product is calculated with
32 bit precision since both variables are defined as u32. Yet
qgroup_rsv_size expects a 64 bit result.

Avoid possible multiplication overflow by casting outstanding_extent to
u64. Such overflow would in the worst case (64K nodesize) require more
than 65536 extents, which is quite large and i'ts not likely that it
would happen in practice.

Fixes-coverity-id: 1435101
Fixes: ff6bc37eb7f6 ("btrfs: qgroup: Use independent and accurate per inode qgroup rsv")
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -5872,7 +5872,7 @@ static void btrfs_calculate_inode_block_
 	 *
 	 * This is overestimating in most cases.
 	 */
-	qgroup_rsv_size = outstanding_extents * fs_info->nodesize;
+	qgroup_rsv_size = (u64)outstanding_extents * fs_info->nodesize;
 
 	spin_lock(&block_rsv->lock);
 	block_rsv->size = reserve_size;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 050/134] Btrfs: fix assertion failure on fsync with NO_HOLES enabled
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 049/134] btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 051/134] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 0ccc3876e4b2a1559a4dbe3126dda4459d38a83b upstream.

Back in commit a89ca6f24ffe4 ("Btrfs: fix fsync after truncate when
no_holes feature is enabled") I added an assertion that is triggered when
an inline extent is found to assert that the length of the (uncompressed)
data the extent represents is the same as the i_size of the inode, since
that is true most of the time I couldn't find or didn't remembered about
any exception at that time. Later on the assertion was expanded twice to
deal with a case of a compressed inline extent representing a range that
matches the sector size followed by an expanding truncate, and another
case where fallocate can update the i_size of the inode without adding
or updating existing extents (if the fallocate range falls entirely within
the first block of the file). These two expansion/fixes of the assertion
were done by commit 7ed586d0a8241 ("Btrfs: fix assertion on fsync of
regular file when using no-holes feature") and commit 6399fb5a0b69a
("Btrfs: fix assertion failure during fsync in no-holes mode").
These however missed the case where an falloc expands the i_size of an
inode to exactly the sector size and inline extent exists, for example:

 $ mkfs.btrfs -f -O no-holes /dev/sdc
 $ mount /dev/sdc /mnt

 $ xfs_io -f -c "pwrite -S 0xab 0 1096" /mnt/foobar
 wrote 1096/1096 bytes at offset 0
 1 KiB, 1 ops; 0.0002 sec (4.448 MiB/sec and 4255.3191 ops/sec)

 $ xfs_io -c "falloc 1096 3000" /mnt/foobar
 $ xfs_io -c "fsync" /mnt/foobar
 Segmentation fault

 $ dmesg
 [701253.602385] assertion failed: len == i_size || (len == fs_info->sectorsize && btrfs_file_extent_compression(leaf, extent) != BTRFS_COMPRESS_NONE) || (len < i_size && i_size < fs_info->sectorsize), file: fs/btrfs/tree-log.c, line: 4727
 [701253.602962] ------------[ cut here ]------------
 [701253.603224] kernel BUG at fs/btrfs/ctree.h:3533!
 [701253.603503] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
 [701253.603774] CPU: 2 PID: 7192 Comm: xfs_io Tainted: G        W         5.0.0-rc8-btrfs-next-45 #1
 [701253.604054] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
 [701253.604650] RIP: 0010:assfail.constprop.23+0x18/0x1a [btrfs]
 (...)
 [701253.605591] RSP: 0018:ffffbb48c186bc48 EFLAGS: 00010286
 [701253.605914] RAX: 00000000000000de RBX: ffff921d0a7afc08 RCX: 0000000000000000
 [701253.606244] RDX: 0000000000000000 RSI: ffff921d36b16868 RDI: ffff921d36b16868
 [701253.606580] RBP: ffffbb48c186bcf0 R08: 0000000000000000 R09: 0000000000000000
 [701253.606913] R10: 0000000000000003 R11: 0000000000000000 R12: ffff921d05d2de18
 [701253.607247] R13: ffff921d03b54000 R14: 0000000000000448 R15: ffff921d059ecf80
 [701253.607769] FS:  00007f14da906700(0000) GS:ffff921d36b00000(0000) knlGS:0000000000000000
 [701253.608163] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [701253.608516] CR2: 000056087ea9f278 CR3: 00000002268e8001 CR4: 00000000003606e0
 [701253.608880] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 [701253.609250] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 [701253.609608] Call Trace:
 [701253.609994]  btrfs_log_inode+0xdfb/0xe40 [btrfs]
 [701253.610383]  btrfs_log_inode_parent+0x2be/0xa60 [btrfs]
 [701253.610770]  ? do_raw_spin_unlock+0x49/0xc0
 [701253.611150]  btrfs_log_dentry_safe+0x4a/0x70 [btrfs]
 [701253.611537]  btrfs_sync_file+0x3b2/0x440 [btrfs]
 [701253.612010]  ? do_sysinfo+0xb0/0xf0
 [701253.612552]  do_fsync+0x38/0x60
 [701253.612988]  __x64_sys_fsync+0x10/0x20
 [701253.613360]  do_syscall_64+0x60/0x1b0
 [701253.613733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
 [701253.614103] RIP: 0033:0x7f14da4e66d0
 (...)
 [701253.615250] RSP: 002b:00007fffa670fdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
 [701253.615647] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f14da4e66d0
 [701253.616047] RDX: 000056087ea9c260 RSI: 000056087ea9c260 RDI: 0000000000000003
 [701253.616450] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000010
 [701253.616854] R10: 000000000000009b R11: 0000000000000246 R12: 000056087ea9c260
 [701253.617257] R13: 000056087ea9c240 R14: 0000000000000000 R15: 000056087ea9dd10
 (...)
 [701253.619941] ---[ end trace e088d74f132b6da5 ]---

Updating the assertion again to allow for this particular case would result
in a meaningless assertion, plus there is currently no risk of logging
content that would result in any corruption after a log replay if the size
of the data encoded in an inline extent is greater than the inode's i_size
(which is not currently possibe either with or without compression),
therefore just remove the assertion.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |    9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -4685,15 +4685,8 @@ static int btrfs_log_trailing_hole(struc
 					struct btrfs_file_extent_item);
 
 		if (btrfs_file_extent_type(leaf, extent) ==
-		    BTRFS_FILE_EXTENT_INLINE) {
-			len = btrfs_file_extent_ram_bytes(leaf, extent);
-			ASSERT(len == i_size ||
-			       (len == fs_info->sectorsize &&
-				btrfs_file_extent_compression(leaf, extent) !=
-				BTRFS_COMPRESS_NONE) ||
-			       (len < i_size && i_size < fs_info->sectorsize));
+		    BTRFS_FILE_EXTENT_INLINE)
 			return 0;
-		}
 
 		len = btrfs_file_extent_num_bytes(leaf, extent);
 		/* Last extent goes beyond i_size, no need to log a hole. */



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 051/134] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 050/134] Btrfs: fix assertion failure on fsync with NO_HOLES enabled Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 052/134] powerpc: bpf: Fix generation of load/store DW instructions Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kohji Okuno, Shawn Guo

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kohji Okuno <okuno.kohji@jp.panasonic.com>

commit 91740fc8242b4f260cfa4d4536d8551804777fae upstream.

In the current cpuidle implementation for i.MX6q, the CPU that sets
'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always
the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of
"WAIT", if the other CPU wakes up and enters IDLE state of "WFI"
istead of "WAIT", this CPU can not wake up at expired time.
 Because, in the case of "WFI", the CPU must be waked up by the local
timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer
is stopped, when all CPUs execute "wfi" instruction. As a result, the
local timer interrupt is not fired.
 In this situation, this CPU will wake up by IRQ different from local
timer. (e.g. broacast timer)

So, this fix changes CPU to return to 'WAIT_CLOCKED'.

Signed-off-by: Kohji Okuno <okuno.kohji@jp.panasonic.com>
Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle")
Cc: <stable@vger.kernel.org>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-imx/cpuidle-imx6q.c |   27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

--- a/arch/arm/mach-imx/cpuidle-imx6q.c
+++ b/arch/arm/mach-imx/cpuidle-imx6q.c
@@ -16,30 +16,23 @@
 #include "cpuidle.h"
 #include "hardware.h"
 
-static atomic_t master = ATOMIC_INIT(0);
-static DEFINE_SPINLOCK(master_lock);
+static int num_idle_cpus = 0;
+static DEFINE_SPINLOCK(cpuidle_lock);
 
 static int imx6q_enter_wait(struct cpuidle_device *dev,
 			    struct cpuidle_driver *drv, int index)
 {
-	if (atomic_inc_return(&master) == num_online_cpus()) {
-		/*
-		 * With this lock, we prevent other cpu to exit and enter
-		 * this function again and become the master.
-		 */
-		if (!spin_trylock(&master_lock))
-			goto idle;
+	spin_lock(&cpuidle_lock);
+	if (++num_idle_cpus == num_online_cpus())
 		imx6_set_lpm(WAIT_UNCLOCKED);
-		cpu_do_idle();
-		imx6_set_lpm(WAIT_CLOCKED);
-		spin_unlock(&master_lock);
-		goto done;
-	}
+	spin_unlock(&cpuidle_lock);
 
-idle:
 	cpu_do_idle();
-done:
-	atomic_dec(&master);
+
+	spin_lock(&cpuidle_lock);
+	if (num_idle_cpus-- == num_online_cpus())
+		imx6_set_lpm(WAIT_CLOCKED);
+	spin_unlock(&cpuidle_lock);
 
 	return index;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 052/134] powerpc: bpf: Fix generation of load/store DW instructions
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 051/134] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 053/134] vfio: ccw: only free cp on final interrupt Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yauheni Kaliuta, Naveen N. Rao,
	Daniel Borkmann

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

commit 86be36f6502c52ddb4b85938145324fd07332da1 upstream.

Yauheni Kaliuta pointed out that PTR_TO_STACK store/load verifier test
was failing on powerpc64 BE, and rightfully indicated that the PPC_LD()
macro is not masking away the last two bits of the offset per the ISA,
resulting in the generation of 'lwa' instruction instead of the intended
'ld' instruction.

Segher also pointed out that we can't simply mask away the last two bits
as that will result in loading/storing from/to a memory location that
was not intended.

This patch addresses this by using ldx/stdx if the offset is not
word-aligned. We load the offset into a temporary register (TMP_REG_2)
and use that as the index register in a subsequent ldx/stdx. We fix
PPC_LD() macro to mask off the last two bits, but enhance PPC_BPF_LL()
and PPC_BPF_STL() to factor in the offset value and generate the proper
instruction sequence. We also convert all existing users of PPC_LD() and
PPC_STD() to use these macros. All existing uses of these macros have
been audited to ensure that TMP_REG_2 can be clobbered.

Fixes: 156d0e290e96 ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
Cc: stable@vger.kernel.org # v4.9+

Reported-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/include/asm/ppc-opcode.h |    2 ++
 arch/powerpc/net/bpf_jit.h            |   17 +++++------------
 arch/powerpc/net/bpf_jit32.h          |    4 ++++
 arch/powerpc/net/bpf_jit64.h          |   20 ++++++++++++++++++++
 arch/powerpc/net/bpf_jit_comp64.c     |   12 ++++++------
 5 files changed, 37 insertions(+), 18 deletions(-)

--- a/arch/powerpc/include/asm/ppc-opcode.h
+++ b/arch/powerpc/include/asm/ppc-opcode.h
@@ -300,6 +300,7 @@
 /* Misc instructions for BPF compiler */
 #define PPC_INST_LBZ			0x88000000
 #define PPC_INST_LD			0xe8000000
+#define PPC_INST_LDX			0x7c00002a
 #define PPC_INST_LHZ			0xa0000000
 #define PPC_INST_LWZ			0x80000000
 #define PPC_INST_LHBRX			0x7c00062c
@@ -307,6 +308,7 @@
 #define PPC_INST_STB			0x98000000
 #define PPC_INST_STH			0xb0000000
 #define PPC_INST_STD			0xf8000000
+#define PPC_INST_STDX			0x7c00012a
 #define PPC_INST_STDU			0xf8000001
 #define PPC_INST_STW			0x90000000
 #define PPC_INST_STWU			0x94000000
--- a/arch/powerpc/net/bpf_jit.h
+++ b/arch/powerpc/net/bpf_jit.h
@@ -51,6 +51,8 @@
 #define PPC_LIS(r, i)		PPC_ADDIS(r, 0, i)
 #define PPC_STD(r, base, i)	EMIT(PPC_INST_STD | ___PPC_RS(r) |	      \
 				     ___PPC_RA(base) | ((i) & 0xfffc))
+#define PPC_STDX(r, base, b)	EMIT(PPC_INST_STDX | ___PPC_RS(r) |	      \
+				     ___PPC_RA(base) | ___PPC_RB(b))
 #define PPC_STDU(r, base, i)	EMIT(PPC_INST_STDU | ___PPC_RS(r) |	      \
 				     ___PPC_RA(base) | ((i) & 0xfffc))
 #define PPC_STW(r, base, i)	EMIT(PPC_INST_STW | ___PPC_RS(r) |	      \
@@ -65,7 +67,9 @@
 #define PPC_LBZ(r, base, i)	EMIT(PPC_INST_LBZ | ___PPC_RT(r) |	      \
 				     ___PPC_RA(base) | IMM_L(i))
 #define PPC_LD(r, base, i)	EMIT(PPC_INST_LD | ___PPC_RT(r) |	      \
-				     ___PPC_RA(base) | IMM_L(i))
+				     ___PPC_RA(base) | ((i) & 0xfffc))
+#define PPC_LDX(r, base, b)	EMIT(PPC_INST_LDX | ___PPC_RT(r) |	      \
+				     ___PPC_RA(base) | ___PPC_RB(b))
 #define PPC_LWZ(r, base, i)	EMIT(PPC_INST_LWZ | ___PPC_RT(r) |	      \
 				     ___PPC_RA(base) | IMM_L(i))
 #define PPC_LHZ(r, base, i)	EMIT(PPC_INST_LHZ | ___PPC_RT(r) |	      \
@@ -85,17 +89,6 @@
 					___PPC_RA(a) | ___PPC_RB(b))
 #define PPC_BPF_STDCX(s, a, b)	EMIT(PPC_INST_STDCX | ___PPC_RS(s) |	      \
 					___PPC_RA(a) | ___PPC_RB(b))
-
-#ifdef CONFIG_PPC64
-#define PPC_BPF_LL(r, base, i) do { PPC_LD(r, base, i); } while(0)
-#define PPC_BPF_STL(r, base, i) do { PPC_STD(r, base, i); } while(0)
-#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0)
-#else
-#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0)
-#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0)
-#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0)
-#endif
-
 #define PPC_CMPWI(a, i)		EMIT(PPC_INST_CMPWI | ___PPC_RA(a) | IMM_L(i))
 #define PPC_CMPDI(a, i)		EMIT(PPC_INST_CMPDI | ___PPC_RA(a) | IMM_L(i))
 #define PPC_CMPW(a, b)		EMIT(PPC_INST_CMPW | ___PPC_RA(a) |	      \
--- a/arch/powerpc/net/bpf_jit32.h
+++ b/arch/powerpc/net/bpf_jit32.h
@@ -123,6 +123,10 @@ DECLARE_LOAD_FUNC(sk_load_byte_msh);
 #define PPC_NTOHS_OFFS(r, base, i)	PPC_LHZ_OFFS(r, base, i)
 #endif
 
+#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0)
+#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0)
+#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0)
+
 #define SEEN_DATAREF 0x10000 /* might call external helpers */
 #define SEEN_XREG    0x20000 /* X reg is used */
 #define SEEN_MEM     0x40000 /* SEEN_MEM+(1<<n) = use mem[n] for temporary
--- a/arch/powerpc/net/bpf_jit64.h
+++ b/arch/powerpc/net/bpf_jit64.h
@@ -68,6 +68,26 @@ static const int b2p[] = {
 /* PPC NVR range -- update this if we ever use NVRs below r27 */
 #define BPF_PPC_NVR_MIN		27
 
+/*
+ * WARNING: These can use TMP_REG_2 if the offset is not at word boundary,
+ * so ensure that it isn't in use already.
+ */
+#define PPC_BPF_LL(r, base, i) do {					      \
+				if ((i) % 4) {				      \
+					PPC_LI(b2p[TMP_REG_2], (i));	      \
+					PPC_LDX(r, base, b2p[TMP_REG_2]);     \
+				} else					      \
+					PPC_LD(r, base, i);		      \
+				} while(0)
+#define PPC_BPF_STL(r, base, i) do {					      \
+				if ((i) % 4) {				      \
+					PPC_LI(b2p[TMP_REG_2], (i));	      \
+					PPC_STDX(r, base, b2p[TMP_REG_2]);    \
+				} else					      \
+					PPC_STD(r, base, i);		      \
+				} while(0)
+#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0)
+
 #define SEEN_FUNC	0x1000 /* might call external helpers */
 #define SEEN_STACK	0x2000 /* uses BPF stack */
 #define SEEN_TAILCALL	0x4000 /* uses tail calls */
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -226,7 +226,7 @@ static void bpf_jit_emit_tail_call(u32 *
 	 * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
 	 *   goto out;
 	 */
-	PPC_LD(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx));
+	PPC_BPF_LL(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx));
 	PPC_CMPLWI(b2p[TMP_REG_1], MAX_TAIL_CALL_CNT);
 	PPC_BCC(COND_GT, out);
 
@@ -239,7 +239,7 @@ static void bpf_jit_emit_tail_call(u32 *
 	/* prog = array->ptrs[index]; */
 	PPC_MULI(b2p[TMP_REG_1], b2p_index, 8);
 	PPC_ADD(b2p[TMP_REG_1], b2p[TMP_REG_1], b2p_bpf_array);
-	PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs));
+	PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs));
 
 	/*
 	 * if (prog == NULL)
@@ -249,7 +249,7 @@ static void bpf_jit_emit_tail_call(u32 *
 	PPC_BCC(COND_EQ, out);
 
 	/* goto *(prog->bpf_func + prologue_size); */
-	PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func));
+	PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func));
 #ifdef PPC64_ELF_ABI_v1
 	/* skip past the function descriptor */
 	PPC_ADDI(b2p[TMP_REG_1], b2p[TMP_REG_1],
@@ -573,7 +573,7 @@ bpf_alu32_trunc:
 				 * the instructions generated will remain the
 				 * same across all passes
 				 */
-				PPC_STD(dst_reg, 1, bpf_jit_stack_local(ctx));
+				PPC_BPF_STL(dst_reg, 1, bpf_jit_stack_local(ctx));
 				PPC_ADDI(b2p[TMP_REG_1], 1, bpf_jit_stack_local(ctx));
 				PPC_LDBRX(dst_reg, 0, b2p[TMP_REG_1]);
 				break;
@@ -629,7 +629,7 @@ emit_clear:
 				PPC_LI32(b2p[TMP_REG_1], imm);
 				src_reg = b2p[TMP_REG_1];
 			}
-			PPC_STD(src_reg, dst_reg, off);
+			PPC_BPF_STL(src_reg, dst_reg, off);
 			break;
 
 		/*
@@ -676,7 +676,7 @@ emit_clear:
 			break;
 		/* dst = *(u64 *)(ul) (src + off) */
 		case BPF_LDX | BPF_MEM | BPF_DW:
-			PPC_LD(dst_reg, src_reg, off);
+			PPC_BPF_LL(dst_reg, src_reg, off);
 			break;
 
 		/*



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 053/134] vfio: ccw: only free cp on final interrupt
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 052/134] powerpc: bpf: Fix generation of load/store DW instructions Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 054/134] NFS: fix mount/umount race in nlmclnt Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Farman, Cornelia Huck

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cornelia Huck <cohuck@redhat.com>

commit 50b7f1b7236bab08ebbbecf90521e84b068d7a17 upstream.

When we get an interrupt for a channel program, it is not
necessarily the final interrupt; for example, the issuing
guest may request an intermediate interrupt by specifying
the program-controlled-interrupt flag on a ccw.

We must not switch the state to idle if the interrupt is not
yet final; even more importantly, we must not free the translated
channel program if the interrupt is not yet final, or the host
can crash during cp rewind.

Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously")
Cc: stable@vger.kernel.org # v4.12+
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/cio/vfio_ccw_drv.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/s390/cio/vfio_ccw_drv.c
+++ b/drivers/s390/cio/vfio_ccw_drv.c
@@ -72,20 +72,24 @@ static void vfio_ccw_sch_io_todo(struct
 {
 	struct vfio_ccw_private *private;
 	struct irb *irb;
+	bool is_final;
 
 	private = container_of(work, struct vfio_ccw_private, io_work);
 	irb = &private->irb;
 
+	is_final = !(scsw_actl(&irb->scsw) &
+		     (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
 	if (scsw_is_solicited(&irb->scsw)) {
 		cp_update_scsw(&private->cp, &irb->scsw);
-		cp_free(&private->cp);
+		if (is_final)
+			cp_free(&private->cp);
 	}
 	memcpy(private->io_region->irb_area, irb, sizeof(*irb));
 
 	if (private->io_trigger)
 		eventfd_signal(private->io_trigger, 1);
 
-	if (private->mdev)
+	if (private->mdev && is_final)
 		private->state = VFIO_CCW_STATE_IDLE;
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 054/134] NFS: fix mount/umount race in nlmclnt.
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 053/134] vfio: ccw: only free cp on final interrupt Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 055/134] NFSv4.1 dont free interrupted slot on open Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, NeilBrown, Trond Myklebust

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.com>

commit 4a9be28c45bf02fa0436808bb6c0baeba30e120e upstream.

If the last NFSv3 unmount from a given host races with a mount from the
same host, we can destroy an nlm_host that is still in use.

Specifically nlmclnt_lookup_host() can increment h_count on
an nlm_host that nlmclnt_release_host() has just successfully called
refcount_dec_and_test() on.
Once nlmclnt_lookup_host() drops the mutex, nlm_destroy_host_lock()
will be called to destroy the nlmclnt which is now in use again.

The cause of the problem is that the dec_and_test happens outside the
locked region.  This is easily fixed by using
refcount_dec_and_mutex_lock().

Fixes: 8ea6ecc8b075 ("lockd: Create client-side nlm_host cache")
Cc: stable@vger.kernel.org (v2.6.38+)
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/lockd/host.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/lockd/host.c
+++ b/fs/lockd/host.c
@@ -290,12 +290,11 @@ void nlmclnt_release_host(struct nlm_hos
 
 	WARN_ON_ONCE(host->h_server);
 
-	if (refcount_dec_and_test(&host->h_count)) {
+	if (refcount_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) {
 		WARN_ON_ONCE(!list_empty(&host->h_lockowners));
 		WARN_ON_ONCE(!list_empty(&host->h_granted));
 		WARN_ON_ONCE(!list_empty(&host->h_reclaim));
 
-		mutex_lock(&nlm_host_mutex);
 		nlm_destroy_host_locked(host);
 		mutex_unlock(&nlm_host_mutex);
 	}



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 055/134] NFSv4.1 dont free interrupted slot on open
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 054/134] NFS: fix mount/umount race in nlmclnt Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 056/134] net: dsa: qca8k: remove leftover phy accessors Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olga Kornievskaia, Trond Myklebust

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Olga Kornievskaia <kolga@netapp.com>

commit 0cb98abb5bd13b9a636bde603d952d722688b428 upstream.

Allow the async rpc task for finish and update the open state if needed,
then free the slot. Otherwise, the async rpc unable to decode the reply.

Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Fixes: ae55e59da0e4 ("pnfs: Don't release the sequence slot...")
Cc: stable@vger.kernel.org # v4.18+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4proc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2909,7 +2909,8 @@ static int _nfs4_open_and_get_state(stru
 	}
 
 out:
-	nfs4_sequence_free_slot(&opendata->o_res.seq_res);
+	if (!opendata->cancelled)
+		nfs4_sequence_free_slot(&opendata->o_res.seq_res);
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 056/134] net: dsa: qca8k: remove leftover phy accessors
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 055/134] NFSv4.1 dont free interrupted slot on open Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 057/134] ALSA: rawmidi: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Lamparter, David S. Miller

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Lamparter <chunkeey@gmail.com>

commit 1eec7151ae0e134bd42e3f128066b2ff8da21393 upstream.

This belated patch implements Andrew Lunn's request of
"remove the phy_read() and phy_write() functions."
<https://lore.kernel.org/patchwork/comment/902734/>

While seemingly harmless, this causes the switch's user
port PHYs to get registered twice. This is because the
DSA subsystem will create a slave mdio-bus not knowing
that the qca8k_phy_(read|write) accessors operate on
the external mdio-bus. So the same "bus" gets effectively
duplicated.

Cc: stable@vger.kernel.org
Fixes: 6b93fb46480a ("net-next: dsa: add new driver for qca8xxx family")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/dsa/qca8k.c |   18 ------------------
 1 file changed, 18 deletions(-)

--- a/drivers/net/dsa/qca8k.c
+++ b/drivers/net/dsa/qca8k.c
@@ -620,22 +620,6 @@ qca8k_adjust_link(struct dsa_switch *ds,
 	qca8k_port_set_status(priv, port, 1);
 }
 
-static int
-qca8k_phy_read(struct dsa_switch *ds, int phy, int regnum)
-{
-	struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
-
-	return mdiobus_read(priv->bus, phy, regnum);
-}
-
-static int
-qca8k_phy_write(struct dsa_switch *ds, int phy, int regnum, u16 val)
-{
-	struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
-
-	return mdiobus_write(priv->bus, phy, regnum, val);
-}
-
 static void
 qca8k_get_strings(struct dsa_switch *ds, int port, u32 stringset, uint8_t *data)
 {
@@ -876,8 +860,6 @@ static const struct dsa_switch_ops qca8k
 	.setup			= qca8k_setup,
 	.adjust_link            = qca8k_adjust_link,
 	.get_strings		= qca8k_get_strings,
-	.phy_read		= qca8k_phy_read,
-	.phy_write		= qca8k_phy_write,
 	.get_ethtool_stats	= qca8k_get_ethtool_stats,
 	.get_sset_count		= qca8k_get_sset_count,
 	.get_mac_eee		= qca8k_get_mac_eee,



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 057/134] ALSA: rawmidi: Fix potential Spectre v1 vulnerability
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 056/134] net: dsa: qca8k: remove leftover phy accessors Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 058/134] ALSA: seq: oss: Fix " Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

commit 2b1d9c8f87235f593826b9cf46ec10247741fff9 upstream.

info->stream is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap)

Fix this by sanitizing info->stream before using it to index
rmidi->streams.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/rawmidi.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -30,6 +30,7 @@
 #include <linux/module.h>
 #include <linux/delay.h>
 #include <linux/mm.h>
+#include <linux/nospec.h>
 #include <sound/rawmidi.h>
 #include <sound/info.h>
 #include <sound/control.h>
@@ -601,6 +602,7 @@ static int __snd_rawmidi_info_select(str
 		return -ENXIO;
 	if (info->stream < 0 || info->stream > 1)
 		return -EINVAL;
+	info->stream = array_index_nospec(info->stream, 2);
 	pstr = &rmidi->streams[info->stream];
 	if (pstr->substream_count == 0)
 		return -ENOENT;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 058/134] ALSA: seq: oss: Fix Spectre v1 vulnerability
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 057/134] ALSA: rawmidi: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 059/134] ALSA: pcm: Fix possible OOB access in PCM oss plugins Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream.

dev is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)

Fix this by sanitizing dev before using it to index dp->synths.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq/oss/seq_oss_synth.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -617,13 +617,14 @@ int
 snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
 {
 	struct seq_oss_synth *rec;
+	struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
 
-	if (dev < 0 || dev >= dp->max_synthdev)
+	if (!info)
 		return -ENXIO;
 
-	if (dp->synths[dev].is_midi) {
+	if (info->is_midi) {
 		struct midi_info minf;
-		snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
+		snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf);
 		inf->synth_type = SYNTH_TYPE_MIDI;
 		inf->synth_subtype = 0;
 		inf->nr_voices = 16;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 059/134] ALSA: pcm: Fix possible OOB access in PCM oss plugins
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 058/134] ALSA: seq: oss: Fix " Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 060/134] ALSA: pcm: Dont suspend stream in unrecoverable PCM state Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d4503ae45b65c5bc1194, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22 upstream.

The PCM OSS emulation converts and transfers the data on the fly via
"plugins".  The data is converted over the dynamically allocated
buffer for each plugin, and recently syzkaller caught OOB in this
flow.

Although the bisection by syzbot pointed out to the commit
65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer
allocations"), this is merely a commit to replace vmalloc() with
kvmalloc(), hence it can't be the cause.  The further debug action
revealed that this happens in the case where a slave PCM doesn't
support only the stereo channels while the OSS stream is set up for a
mono channel.  Below is a brief explanation:

At each OSS parameter change, the driver sets up the PCM hw_params
again in snd_pcm_oss_change_params_lock().  This is also the place
where plugins are created and local buffers are allocated.  The
problem is that the plugins are created before the final hw_params is
determined.  Namely, two snd_pcm_hw_param_near() calls for setting the
period size and periods may influence on the final result of channels,
rates, etc, too, while the current code has already created plugins
beforehand with the premature values.  So, the plugin believes that
channels=1, while the actual I/O is with channels=2, which makes the
driver reading/writing over the allocated buffer size.

The fix is simply to move the plugin allocation code after the final
hw_params call.

Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/oss/pcm_oss.c |   43 ++++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 21 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -940,6 +940,28 @@ static int snd_pcm_oss_change_params_loc
 	oss_frame_size = snd_pcm_format_physical_width(params_format(params)) *
 			 params_channels(params) / 8;
 
+	err = snd_pcm_oss_period_size(substream, params, sparams);
+	if (err < 0)
+		goto failure;
+
+	n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
+	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
+	if (err < 0)
+		goto failure;
+
+	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
+				     runtime->oss.periods, NULL);
+	if (err < 0)
+		goto failure;
+
+	snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
+
+	err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams);
+	if (err < 0) {
+		pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
+		goto failure;
+	}
+
 #ifdef CONFIG_SND_PCM_OSS_PLUGINS
 	snd_pcm_oss_plugin_clear(substream);
 	if (!direct) {
@@ -974,27 +996,6 @@ static int snd_pcm_oss_change_params_loc
 	}
 #endif
 
-	err = snd_pcm_oss_period_size(substream, params, sparams);
-	if (err < 0)
-		goto failure;
-
-	n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
-	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
-	if (err < 0)
-		goto failure;
-
-	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
-				     runtime->oss.periods, NULL);
-	if (err < 0)
-		goto failure;
-
-	snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
-
-	if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) {
-		pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
-		goto failure;
-	}
-
 	if (runtime->oss.trigger) {
 		sw_params->start_threshold = 1;
 	} else {



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 060/134] ALSA: pcm: Dont suspend stream in unrecoverable PCM state
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 059/134] ALSA: pcm: Fix possible OOB access in PCM oss plugins Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 061/134] ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Jon Hunter

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 113ce08109f8e3b091399e7cc32486df1cff48e7 upstream.

Currently PCM core sets each opened stream forcibly to SUSPENDED state
via snd_pcm_suspend_all() call, and the user-space is responsible for
re-triggering the resume manually either via snd_pcm_resume() or
prepare call.  The scheme works fine usually, but there are corner
cases where the stream can't be resumed by that call: the streams
still in OPEN state before finishing hw_params.  When they are
suspended, user-space cannot perform resume or prepare because they
haven't been set up yet.  The only possible recovery is to re-open the
device, which isn't nice at all.  Similarly, when a stream is in
DISCONNECTED state, it makes no sense to change it to SUSPENDED
state.  Ditto for in SETUP state; which you can re-prepare directly.

So, this patch addresses these issues by filtering the PCM streams to
be suspended by checking the PCM state.  When a stream is in either
OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend
action is skipped.

To be noted, this problem was originally reported for the PCM runtime
PM on HD-audio.  And, the runtime PM problem itself was already
addressed (although not intended) by the code refactoring commits
3d21ef0b49f8 ("ALSA: pcm: Suspend streams globally via device type PM
ops") and 17bc4815de58 ("ALSA: pci: Remove superfluous
snd_pcm_suspend*() calls").  These commits eliminated the
snd_pcm_suspend*() calls from the runtime PM suspend callback code
path, hence the racy OPEN state won't appear while runtime PM.
(FWIW, the race window is between snd_pcm_open_substream() and the
first power up in azx_pcm_open().)

Although the runtime PM issue was already "fixed", the same problem is
still present for the system PM, hence this patch is still needed.
And for stable trees, this patch alone should suffice for fixing the
runtime PM problem, too.

Reported-and-tested-by: Jon Hunter <jonathanh@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/pcm_native.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1426,8 +1426,15 @@ static int snd_pcm_pause(struct snd_pcm_
 static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state)
 {
 	struct snd_pcm_runtime *runtime = substream->runtime;
-	if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
+	switch (runtime->status->state) {
+	case SNDRV_PCM_STATE_SUSPENDED:
 		return -EBUSY;
+	/* unresumable PCM state; return -EBUSY for skipping suspend */
+	case SNDRV_PCM_STATE_OPEN:
+	case SNDRV_PCM_STATE_SETUP:
+	case SNDRV_PCM_STATE_DISCONNECTED:
+		return -EBUSY;
+	}
 	runtime->trigger_master = substream;
 	return 0;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 061/134] ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 060/134] ALSA: pcm: Dont suspend stream in unrecoverable PCM state Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 062/134] ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kailang Yang <kailang@realtek.com>

commit 136824efaab2c095fc911048f7c7ddeda258c965 upstream.

This patch will enable WYSE AIO for Headset mode.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5613,6 +5613,9 @@ enum {
 	ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE,
 	ALC285_FIXUP_LENOVO_PC_BEEP_IN_NOISE,
 	ALC255_FIXUP_ACER_HEADSET_MIC,
+	ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE,
+	ALC225_FIXUP_WYSE_AUTO_MUTE,
+	ALC225_FIXUP_WYSE_DISABLE_MIC_VREF,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -6567,6 +6570,28 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC255_FIXUP_HEADSET_MODE_NO_HP_MIC
 	},
+	[ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			{ 0x16, 0x01011020 }, /* Rear Line out */
+			{ 0x19, 0x01a1913c }, /* use as Front headset mic, without its own jack detect */
+			{ }
+		},
+		.chained = true,
+		.chain_id = ALC225_FIXUP_WYSE_AUTO_MUTE
+	},
+	[ALC225_FIXUP_WYSE_AUTO_MUTE] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = alc_fixup_auto_mute_via_amp,
+		.chained = true,
+		.chain_id = ALC225_FIXUP_WYSE_DISABLE_MIC_VREF
+	},
+	[ALC225_FIXUP_WYSE_DISABLE_MIC_VREF] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = alc_fixup_disable_mic_vref,
+		.chained = true,
+		.chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -6631,6 +6656,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1028, 0x0871, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1028, 0x0872, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1028, 0x0873, "Dell Precision 3930", ALC255_FIXUP_DUMMY_LINEOUT_VERB),
+	SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
 	SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 062/134] ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 061/134] ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 063/134] ALSA: hda/realtek: Enable headset MIC of Acer AIO with ALC286 Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kailang Yang <kailang@realtek.com>

commit da484d00f020af3dd7cfcc6c4b69a7f856832883 upstream.

Enable headset mode support for new WYSE NB platform.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6657,6 +6657,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1028, 0x0872, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1028, 0x0873, "Dell Precision 3930", ALC255_FIXUP_DUMMY_LINEOUT_VERB),
 	SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
 	SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 063/134] ALSA: hda/realtek: Enable headset MIC of Acer AIO with ALC286
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 062/134] ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 064/134] ALSA: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 " Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jian-Hong Pan, Kailang Yang, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jian-Hong Pan <jian-hong@endlessm.com>

commit 667a8f73753908c4d0171e52b71774f9be5d6713 upstream.

Some Acer AIO desktops like Veriton Z6860G, Z4860G and Z4660G cannot
record sound from headset MIC.  This patch adds the
ALC286_FIXUP_ACER_AIO_HEADSET_MIC quirk to fix this issue.

Fixes: 9f8aefed9623 ("ALSA: hda/realtek: Fix mic issue on Acer AIO Veriton Z4660G")
Fixes: b72f936f6b32 ("ALSA: hda/realtek: Fix mic issue on Acer AIO Veriton Z4860G/Z6860G")
Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Reviewed-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5616,6 +5616,7 @@ enum {
 	ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE,
 	ALC225_FIXUP_WYSE_AUTO_MUTE,
 	ALC225_FIXUP_WYSE_DISABLE_MIC_VREF,
+	ALC286_FIXUP_ACER_AIO_HEADSET_MIC,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -6592,6 +6593,16 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
 	},
+	[ALC286_FIXUP_ACER_AIO_HEADSET_MIC] = {
+		.type = HDA_FIXUP_VERBS,
+		.v.verbs = (const struct hda_verb[]) {
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x4f },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x5029 },
+			{ }
+		},
+		.chained = true,
+		.chain_id = ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -6608,9 +6619,9 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS),
 	SND_PCI_QUIRK(0x1025, 0x102b, "Acer Aspire C24-860", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1025, 0x106d, "Acer Cloudbook 14", ALC283_FIXUP_CHROME_BOOK),
-	SND_PCI_QUIRK(0x1025, 0x128f, "Acer Veriton Z6860G", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE),
-	SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE),
-	SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1025, 0x128f, "Acer Veriton Z6860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+	SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+	SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1330, "Acer TravelMate X514-51T", ALC255_FIXUP_ACER_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z),
 	SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 064/134] ALSA: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 with ALC286
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 063/134] ALSA: hda/realtek: Enable headset MIC of Acer AIO with ALC286 Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 065/134] ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jian-Hong Pan, Daniel Drake, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jian-Hong Pan <jian-hong@endlessm.com>

commit 2733ccebf4a937a0858e7d05a4a003b89715033f upstream.

The Acer Aspire Z24-890 cannot detect the headset MIC until
ALC286_FIXUP_ACER_AIO_HEADSET_MIC quirk applied.

Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6622,6 +6622,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1025, 0x128f, "Acer Veriton Z6860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+	SND_PCI_QUIRK(0x1025, 0x1308, "Acer Aspire Z24-890", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1330, "Acer TravelMate X514-51T", ALC255_FIXUP_ACER_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z),
 	SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 065/134] ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 064/134] ALSA: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 " Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 066/134] ALSA: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256 Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Chiu, Daniel Drake,
	Jian-Hong Pan, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Chiu <chiu@endlessm.com>

commit c7531e31c8a440b5fe6bd62664def5bcb6262f96 upstream.

The Acer laptop Aspire E5-523G and ES1-432 with ALC255 can't detect
the headset microphone until ALC255_FIXUP_ACER_MIC_NO_PRESENCE quirk
applied.

Signed-off-by: Chris Chiu <chiu@endlessm.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6619,6 +6619,8 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS),
 	SND_PCI_QUIRK(0x1025, 0x102b, "Acer Aspire C24-860", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1025, 0x106d, "Acer Cloudbook 14", ALC283_FIXUP_CHROME_BOOK),
+	SND_PCI_QUIRK(0x1025, 0x1099, "Acer Aspire E5-523G", ALC255_FIXUP_ACER_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1025, 0x110e, "Acer Aspire ES1-432", ALC255_FIXUP_ACER_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1025, 0x128f, "Acer Veriton Z6860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 066/134] ALSA: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 065/134] ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 067/134] ALSA: hda/realtek: Enable headset mic of ASUS P5440FF " Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Chiu, Daniel Drake,
	Jian-Hong Pan, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jian-Hong Pan <jian-hong@endlessm.com>

commit e1037354a0a75acdea2b27043c0a371ed85cf262 upstream.

The ASUS laptop X441MB and X705FD with ALC256 cannot detect the headset
MIC until ALC256_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied.

Signed-off-by: Chris Chiu <chiu@endlessm.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5617,6 +5617,7 @@ enum {
 	ALC225_FIXUP_WYSE_AUTO_MUTE,
 	ALC225_FIXUP_WYSE_DISABLE_MIC_VREF,
 	ALC286_FIXUP_ACER_AIO_HEADSET_MIC,
+	ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -6603,6 +6604,15 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE
 	},
+	[ALC256_FIXUP_ASUS_MIC_NO_PRESENCE] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			{ 0x19, 0x04a11120 }, /* use as headset mic, without its own jack detect */
+			{ }
+		},
+		.chained = true,
+		.chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -7237,6 +7247,10 @@ static const struct snd_hda_pin_quirk al
 		{0x14, 0x90170110},
 		{0x1b, 0x90a70130},
 		{0x21, 0x03211020}),
+	SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
+		{0x1a, 0x90a70130},
+		{0x1b, 0x90170110},
+		{0x21, 0x03211020}),
 	SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB,
 		{0x12, 0xb7a60130},
 		{0x13, 0xb8a61140},



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 067/134] ALSA: hda/realtek: Enable headset mic of ASUS P5440FF with ALC256
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 066/134] ALSA: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256 Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 068/134] ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK " Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Chiu, Daniel Drake,
	Jian-Hong Pan, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Chiu <chiu@endlessm.com>

commit a806ef1cf3bbc0baadc6cdeb11f12b5dd27e91c2 upstream.

The ASUS laptop P5440FF with ALC256 can't detect the headset microphone
until ALC256_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied.

Signed-off-by: Chris Chiu <chiu@endlessm.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7248,6 +7248,10 @@ static const struct snd_hda_pin_quirk al
 		{0x1b, 0x90a70130},
 		{0x21, 0x03211020}),
 	SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
+		{0x12, 0x90a60130},
+		{0x14, 0x90170110},
+		{0x21, 0x03211020}),
+	SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
 		{0x1a, 0x90a70130},
 		{0x1b, 0x90170110},
 		{0x21, 0x03211020}),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 068/134] ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK with ALC256
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 067/134] ALSA: hda/realtek: Enable headset mic of ASUS P5440FF " Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 069/134] ALSA: hda/realtek - Fix speakers on Acer Predator Helios 500 Ryzen laptops Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jian-Hong Pan, Daniel Drake, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jian-Hong Pan <jian-hong@endlessm.com>

commit 6ac371aa1a74240fb910c98aa3484d5ece8473d3 upstream.

The ASUS X430UN and X512DK with ALC256 cannot detect the headset MIC
until ALC256_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied.

Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7252,6 +7252,10 @@ static const struct snd_hda_pin_quirk al
 		{0x14, 0x90170110},
 		{0x21, 0x03211020}),
 	SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
+		{0x12, 0x90a60130},
+		{0x14, 0x90170110},
+		{0x21, 0x04211020}),
+	SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
 		{0x1a, 0x90a70130},
 		{0x1b, 0x90170110},
 		{0x21, 0x03211020}),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 069/134] ALSA: hda/realtek - Fix speakers on Acer Predator Helios 500 Ryzen laptops
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 068/134] ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK " Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 070/134] kbuild: modversions: Fix relative CRC byte order interpretation Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bernhard Rosenkraenzer, Takashi Iwai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bernhard Rosenkraenzer <bero@lindev.ch>

commit e2a829b3da01b9b32c4d0291d042b8a6e2a98ca3 upstream.

On an Acer Predator Helios 500 (Ryzen version), the laptop's speakers
don't work out of the box.

The problem can be worked around with hdajackretask, remapping the
"Black Headphone, Right side" pin (0x21) to the Internal speaker.

This patch adds a quirk to change this mapping by default.

[ corrected ALC299_FIXUP_PREDATOR_SPK definition and adapted for the
  latest tree by tiwai ]

Signed-off-by: Bernhard Rosenkraenzer <bero@lindev.ch>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5618,6 +5618,7 @@ enum {
 	ALC225_FIXUP_WYSE_DISABLE_MIC_VREF,
 	ALC286_FIXUP_ACER_AIO_HEADSET_MIC,
 	ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
+	ALC299_FIXUP_PREDATOR_SPK,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -6613,6 +6614,13 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE
 	},
+	[ALC299_FIXUP_PREDATOR_SPK] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			{ 0x21, 0x90170150 }, /* use as headset mic, without its own jack detect */
+			{ }
+		}
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -6631,6 +6639,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1025, 0x106d, "Acer Cloudbook 14", ALC283_FIXUP_CHROME_BOOK),
 	SND_PCI_QUIRK(0x1025, 0x1099, "Acer Aspire E5-523G", ALC255_FIXUP_ACER_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1025, 0x110e, "Acer Aspire ES1-432", ALC255_FIXUP_ACER_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1025, 0x1246, "Acer Predator Helios 500", ALC299_FIXUP_PREDATOR_SPK),
 	SND_PCI_QUIRK(0x1025, 0x128f, "Acer Veriton Z6860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
@@ -7027,6 +7036,7 @@ static const struct hda_model_fixup alc2
 	{.id = ALC255_FIXUP_DUMMY_LINEOUT_VERB, .name = "alc255-dummy-lineout"},
 	{.id = ALC255_FIXUP_DELL_HEADSET_MIC, .name = "alc255-dell-headset"},
 	{.id = ALC295_FIXUP_HP_X360, .name = "alc295-hp-x360"},
+	{.id = ALC299_FIXUP_PREDATOR_SPK, .name = "predator-spk"},
 	{}
 };
 #define ALC225_STANDARD_PINS \



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 070/134] kbuild: modversions: Fix relative CRC byte order interpretation
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 069/134] ALSA: hda/realtek - Fix speakers on Acer Predator Helios 500 Ryzen laptops Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 071/134] fs/open.c: allow opening only regular files during execve() Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Fredrik Noring, Masahiro Yamada

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fredrik Noring <noring@nocrew.org>

commit 54a7151b1496cddbb7a83546b7998103e98edc88 upstream.

Fix commit 56067812d5b0 ("kbuild: modversions: add infrastructure for
emitting relative CRCs") where CRCs are interpreted in host byte order
rather than proper kernel byte order. The bug is conditional on
CONFIG_MODULE_REL_CRCS.

For example, when loading a BE module into a BE kernel compiled with a LE
system, the error "disagrees about version of symbol module_layout" is
produced. A message such as "Found checksum D7FA6856 vs module 5668FAD7"
will be given with debug enabled, which indicates an obvious endian
problem within __kcrctab within the kernel image.

The general solution is to use the macro TO_NATIVE, as is done in
similar cases throughout modpost.c. With this correction it has been
verified that a BE kernel compiled with a LE system accepts BE modules.

This change has also been verified with a LE kernel compiled with a LE
system, in which case TO_NATIVE returns its value unmodified since the
byte orders match. This is by far the common case.

Fixes: 56067812d5b0 ("kbuild: modversions: add infrastructure for emitting relative CRCs")
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Cc: stable@vger.kernel.org
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 scripts/mod/modpost.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -640,7 +640,7 @@ static void handle_modversions(struct mo
 			       info->sechdrs[sym->st_shndx].sh_offset -
 			       (info->hdr->e_type != ET_REL ?
 				info->sechdrs[sym->st_shndx].sh_addr : 0);
-			crc = *crcp;
+			crc = TO_NATIVE(*crcp);
 		}
 		sym_update_crc(symname + strlen("__crc_"), mod, crc,
 				export);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 071/134] fs/open.c: allow opening only regular files during execve()
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 070/134] kbuild: modversions: Fix relative CRC byte order interpretation Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 072/134] ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Tetsuo Handa, Kees Cook,
	Al Viro, Eric Biggers, Dmitry Vyukov, Andrew Morton,
	Linus Torvalds

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 73601ea5b7b18eb234219ae2adf77530f389da79 upstream.

syzbot is hitting lockdep warning [1] due to trying to open a fifo
during an execve() operation.  But we don't need to open non regular
files during an execve() operation, for all files which we will need are
the executable file itself and the interpreter programs like /bin/sh and
ld-linux.so.2 .

Since the manpage for execve(2) says that execve() returns EACCES when
the file or a script interpreter is not a regular file, and the manpage
for uselib(2) says that uselib() can return EACCES, and we use
FMODE_EXEC when opening for execve()/uselib(), we can bail out if a non
regular file is requested with FMODE_EXEC set.

Since this deadlock followed by khungtaskd warnings is trivially
reproducible by a local unprivileged user, and syzbot's frequent crash
due to this deadlock defers finding other bugs, let's workaround this
deadlock until we get a chance to find a better solution.

[1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce

Link: http://lkml.kernel.org/r/1552044017-7890-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
Reported-by: syzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com>
Fixes: 8924feff66f35fe2 ("splice: lift pipe_lock out of splice_to_pipe()")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>	[4.9+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/open.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/open.c
+++ b/fs/open.c
@@ -733,6 +733,12 @@ static int do_dentry_open(struct file *f
 		return 0;
 	}
 
+	/* Any file opened for execve()/uselib() has to be a regular file. */
+	if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) {
+		error = -EACCES;
+		goto cleanup_file;
+	}
+
 	if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
 		error = get_write_access(inode);
 		if (unlikely(error))



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 072/134] ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 071/134] fs/open.c: allow opening only regular files during execve() Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 073/134] scsi: sd: Fix a race between closing an sd device and sd I/O Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Darrick J. Wong, Joseph Qi,
	Mark Fasheh, Joel Becker, Junxiao Bi, Joseph Qi, Andrew Morton,
	Linus Torvalds

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Darrick J. Wong <darrick.wong@oracle.com>

commit e6a9467ea14bae8691b0f72c500510c42ea8edb8 upstream.

ocfs2_reflink_inodes_lock() can swap the inode1/inode2 variables so that
we always grab cluster locks in order of increasing inode number.

Unfortunately, we forget to swap the inode record buffer head pointers
when we've done this, which leads to incorrect bookkeepping when we're
trying to make the two inodes have the same refcount tree.

This has the effect of causing filesystem shutdowns if you're trying to
reflink data from inode 100 into inode 97, where inode 100 already has a
refcount tree attached and inode 97 doesn't.  The reflink code decides
to copy the refcount tree pointer from 100 to 97, but uses inode 97's
inode record to open the tree root (which it doesn't have) and blows up.
This issue causes filesystem shutdowns and metadata corruption!

Link: http://lkml.kernel.org/r/20190312214910.GK20533@magnolia
Fixes: 29ac8e856cb369 ("ocfs2: implement the VFS clone_range, copy_range, and dedupe_range features")
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <joseph.qi@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/refcounttree.c |   42 ++++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 18 deletions(-)

--- a/fs/ocfs2/refcounttree.c
+++ b/fs/ocfs2/refcounttree.c
@@ -4716,22 +4716,23 @@ out:
 
 /* Lock an inode and grab a bh pointing to the inode. */
 static int ocfs2_reflink_inodes_lock(struct inode *s_inode,
-				     struct buffer_head **bh1,
+				     struct buffer_head **bh_s,
 				     struct inode *t_inode,
-				     struct buffer_head **bh2)
+				     struct buffer_head **bh_t)
 {
-	struct inode *inode1;
-	struct inode *inode2;
+	struct inode *inode1 = s_inode;
+	struct inode *inode2 = t_inode;
 	struct ocfs2_inode_info *oi1;
 	struct ocfs2_inode_info *oi2;
+	struct buffer_head *bh1 = NULL;
+	struct buffer_head *bh2 = NULL;
 	bool same_inode = (s_inode == t_inode);
+	bool need_swap = (inode1->i_ino > inode2->i_ino);
 	int status;
 
 	/* First grab the VFS and rw locks. */
 	lock_two_nondirectories(s_inode, t_inode);
-	inode1 = s_inode;
-	inode2 = t_inode;
-	if (inode1->i_ino > inode2->i_ino)
+	if (need_swap)
 		swap(inode1, inode2);
 
 	status = ocfs2_rw_lock(inode1, 1);
@@ -4754,17 +4755,13 @@ static int ocfs2_reflink_inodes_lock(str
 	trace_ocfs2_double_lock((unsigned long long)oi1->ip_blkno,
 				(unsigned long long)oi2->ip_blkno);
 
-	if (*bh1)
-		*bh1 = NULL;
-	if (*bh2)
-		*bh2 = NULL;
-
 	/* We always want to lock the one with the lower lockid first. */
 	if (oi1->ip_blkno > oi2->ip_blkno)
 		mlog_errno(-ENOLCK);
 
 	/* lock id1 */
-	status = ocfs2_inode_lock_nested(inode1, bh1, 1, OI_LS_REFLINK_TARGET);
+	status = ocfs2_inode_lock_nested(inode1, &bh1, 1,
+					 OI_LS_REFLINK_TARGET);
 	if (status < 0) {
 		if (status != -ENOENT)
 			mlog_errno(status);
@@ -4773,15 +4770,25 @@ static int ocfs2_reflink_inodes_lock(str
 
 	/* lock id2 */
 	if (!same_inode) {
-		status = ocfs2_inode_lock_nested(inode2, bh2, 1,
+		status = ocfs2_inode_lock_nested(inode2, &bh2, 1,
 						 OI_LS_REFLINK_TARGET);
 		if (status < 0) {
 			if (status != -ENOENT)
 				mlog_errno(status);
 			goto out_cl1;
 		}
-	} else
-		*bh2 = *bh1;
+	} else {
+		bh2 = bh1;
+	}
+
+	/*
+	 * If we swapped inode order above, we have to swap the buffer heads
+	 * before passing them back to the caller.
+	 */
+	if (need_swap)
+		swap(bh1, bh2);
+	*bh_s = bh1;
+	*bh_t = bh2;
 
 	trace_ocfs2_double_lock_end(
 			(unsigned long long)oi1->ip_blkno,
@@ -4791,8 +4798,7 @@ static int ocfs2_reflink_inodes_lock(str
 
 out_cl1:
 	ocfs2_inode_unlock(inode1, 1);
-	brelse(*bh1);
-	*bh1 = NULL;
+	brelse(bh1);
 out_rw2:
 	ocfs2_rw_unlock(inode2, 1);
 out_i2:



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 073/134] scsi: sd: Fix a race between closing an sd device and sd I/O
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 072/134] ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 074/134] scsi: sd: Quiesce warning if device does not report optimal I/O size Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Ming Lei,
	Hannes Reinecke, Johannes Thumshirn, Jason Yan, Bart Van Assche,
	Martin K. Petersen

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bvanassche@acm.org>

commit c14a57264399efd39514a2329c591a4b954246d8 upstream.

The scsi_end_request() function calls scsi_cmd_to_driver() indirectly and
hence needs the disk->private_data pointer. Avoid that that pointer is
cleared before all affected I/O requests have finished. This patch avoids
that the following crash occurs:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Call trace:
 scsi_mq_uninit_cmd+0x1c/0x30
 scsi_end_request+0x7c/0x1b8
 scsi_io_completion+0x464/0x668
 scsi_finish_command+0xbc/0x160
 scsi_eh_flush_done_q+0x10c/0x170
 sas_scsi_recover_host+0x84c/0xa98 [libsas]
 scsi_error_handler+0x140/0x5b0
 kthread+0x100/0x12c
 ret_from_fork+0x10/0x18

Cc: Christoph Hellwig <hch@lst.de>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Jason Yan <yanaijie@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reported-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sd.c |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1408,11 +1408,6 @@ static void sd_release(struct gendisk *d
 			scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW);
 	}
 
-	/*
-	 * XXX and what if there are packets in flight and this close()
-	 * XXX is followed by a "rmmod sd_mod"?
-	 */
-
 	scsi_disk_put(sdkp);
 }
 
@@ -3509,9 +3504,21 @@ static void scsi_disk_release(struct dev
 {
 	struct scsi_disk *sdkp = to_scsi_disk(dev);
 	struct gendisk *disk = sdkp->disk;
-	
+	struct request_queue *q = disk->queue;
+
 	ida_free(&sd_index_ida, sdkp->index);
 
+	/*
+	 * Wait until all requests that are in progress have completed.
+	 * This is necessary to avoid that e.g. scsi_end_request() crashes
+	 * due to clearing the disk->private_data pointer. Wait from inside
+	 * scsi_disk_release() instead of from sd_release() to avoid that
+	 * freezing and unfreezing the request queue affects user space I/O
+	 * in case multiple processes open a /dev/sd... node concurrently.
+	 */
+	blk_mq_freeze_queue(q);
+	blk_mq_unfreeze_queue(q);
+
 	disk->private_data = NULL;
 	put_disk(disk);
 	put_device(&sdkp->device->sdev_gendev);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 074/134] scsi: sd: Quiesce warning if device does not report optimal I/O size
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 073/134] scsi: sd: Fix a race between closing an sd device and sd I/O Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 075/134] scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Hussam Al-Tayeb,
	Bart Van Assche, Martin K. Petersen

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin K. Petersen <martin.petersen@oracle.com>

commit 1d5de5bd311be7cd54f02f7cd164f0349a75c876 upstream.

Commit a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple
of physical block size") split one conditional into several separate
statements in an effort to provide more accurate warning messages when
a device reports a nonsensical value. However, this reorganization
accidentally dropped the precondition of the reported value being
larger than zero. This lead to a warning getting emitted on devices
that do not report an optimal I/O size at all.

Remain silent if a device does not report an optimal I/O size.

Fixes: a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple of physical block size")
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: <stable@vger.kernel.org>
Reported-by: Hussam Al-Tayeb <ht990332@gmx.com>
Tested-by: Hussam Al-Tayeb <ht990332@gmx.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sd.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3073,6 +3073,9 @@ static bool sd_validate_opt_xfer_size(st
 	unsigned int opt_xfer_bytes =
 		logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
 
+	if (sdkp->opt_xfer_blocks == 0)
+		return false;
+
 	if (sdkp->opt_xfer_blocks > dev_max) {
 		sd_first_printk(KERN_WARNING, sdkp,
 				"Optimal transfer size %u logical blocks " \



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 075/134] scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 074/134] scsi: sd: Quiesce warning if device does not report optimal I/O size Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 076/134] scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Jens Remus,
	Benjamin Block, Martin K. Petersen

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit fe67888fc007a76b81e37da23ce5bd8fb95890b0 upstream.

An already deleted SCSI device can exist on the Scsi_Host and remain there
because something still holds a reference.  A new SCSI device with the same
H:C:T:L and FCP device, target port WWPN, and FCP LUN can be created.  When
we try to unblock an rport, we still find the deleted SCSI device and
return early because the zfcp_scsi_dev of that SCSI device is not
ZFCP_STATUS_COMMON_UNBLOCKED. Hence we miss to unblock the rport, even if
the new proper SCSI device would be in good state.

Therefore, skip deleted SCSI devices when iterating the sdevs of the shost.
[cf. __scsi_device_lookup{_by_target}() or scsi_device_get()]

The following abbreviated trace sequence can indicate such problem:

Area           : REC
Tag            : ersfs_3
LUN            : 0x4045400300000000
WWPN           : 0x50050763031bd327
LUN status     : 0x40000000     not ZFCP_STATUS_COMMON_UNBLOCKED
Ready count    : n		not incremented yet
Running count  : 0x00000000
ERP want       : 0x01
ERP need       : 0xc1		ZFCP_ERP_ACTION_NONE

Area           : REC
Tag            : ersfs_3
LUN            : 0x4045400300000000
WWPN           : 0x50050763031bd327
LUN status     : 0x41000000
Ready count    : n+1
Running count  : 0x00000000
ERP want       : 0x01
ERP need       : 0x01

...

Area           : REC
Level          : 4		only with increased trace level
Tag            : ertru_l
LUN            : 0x4045400300000000
WWPN           : 0x50050763031bd327
LUN status     : 0x40000000
Request ID     : 0x0000000000000000
ERP status     : 0x01800000
ERP step       : 0x1000
ERP action     : 0x01
ERP count      : 0x00

NOT followed by a trace record with tag "scpaddy"
for WWPN 0x50050763031bd327.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery")
Cc: <stable@vger.kernel.org> #2.6.32+
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_erp.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -1297,6 +1297,9 @@ static void zfcp_erp_try_rport_unblock(s
 		struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
 		int lun_status;
 
+		if (sdev->sdev_state == SDEV_DEL ||
+		    sdev->sdev_state == SDEV_CANCEL)
+			continue;
 		if (zsdev->port != port)
 			continue;
 		/* LUN under port of interest */



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 076/134] scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 075/134] scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 077/134] drm/rockchip: vop: reset scale mode when win is disabled Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Jens Remus,
	Benjamin Block, Martin K. Petersen

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 242ec1455151267fe35a0834aa9038e4c4670884 upstream.

Suppose more than one non-NPIV FCP device is active on the same channel.
Send I/O to storage and have some of the pending I/O run into a SCSI
command timeout, e.g. due to bit errors on the fibre. Now the error
situation stops. However, we saw FCP requests continue to timeout in the
channel. The abort will be successful, but the subsequent TUR fails.
Scsi_eh starts. The LUN reset fails. The target reset fails.  The host
reset only did an FCP device recovery. However, for non-NPIV FCP devices,
this does not close and reopen ports on the SAN-side if other non-NPIV FCP
device(s) share the same open ports.

In order to resolve the continuing FCP request timeouts, we need to
explicitly close and reopen ports on the SAN-side.

This was missing since the beginning of zfcp in v2.6.0 history commit
ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter.").

Note: The FSF requests for forced port reopen could run into FSF request
timeouts due to other reasons. This would trigger an internal FCP device
recovery. Pending forced port reopen recoveries would get dismissed. So
some ports might not get fully reopened during this host reset handler.
However, subsequent I/O would trigger the above described escalation and
eventually all ports would be forced reopen to resolve any continuing FCP
request timeouts due to earlier bit errors.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org> #3.0+
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_erp.c  |   14 ++++++++++++++
 drivers/s390/scsi/zfcp_ext.h  |    2 ++
 drivers/s390/scsi/zfcp_scsi.c |    4 ++++
 3 files changed, 20 insertions(+)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -643,6 +643,20 @@ static void zfcp_erp_strategy_memwait(st
 	add_timer(&erp_action->timer);
 }
 
+void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
+				     int clear, char *dbftag)
+{
+	unsigned long flags;
+	struct zfcp_port *port;
+
+	write_lock_irqsave(&adapter->erp_lock, flags);
+	read_lock(&adapter->port_list_lock);
+	list_for_each_entry(port, &adapter->port_list, list)
+		_zfcp_erp_port_forced_reopen(port, clear, dbftag);
+	read_unlock(&adapter->port_list_lock);
+	write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
+
 static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter,
 				      int clear, char *id)
 {
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -69,6 +69,8 @@ extern void zfcp_erp_clear_port_status(s
 extern void zfcp_erp_port_reopen(struct zfcp_port *port, int clear, char *id);
 extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *);
 extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *);
+extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
+					    int clear, char *dbftag);
 extern void zfcp_erp_set_lun_status(struct scsi_device *, u32);
 extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32);
 extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *);
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -362,6 +362,10 @@ static int zfcp_scsi_eh_host_reset_handl
 	struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
 	int ret = SUCCESS, fc_ret;
 
+	if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) {
+		zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p");
+		zfcp_erp_wait(adapter);
+	}
 	zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
 	zfcp_erp_wait(adapter);
 	fc_ret = fc_block_scsi_eh(scpnt);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 077/134] drm/rockchip: vop: reset scale mode when win is disabled
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 076/134] scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 078/134] tty: mxs-auart: fix a potential NULL pointer dereference Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonas Karlman, Heiko Stuebner

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jonas Karlman <jonas@kwiboo.se>

commit e9abc611a941d4051cde1d94b2ab7473fdb50102 upstream.

NV12 framebuffers produced by the VPU shows distorted on RK3288
after win has been disabled when scaling is active.

This issue can be reproduced using a 1080p modeset by:
- Scale a 1280x720 NV12 framebuffer to 1920x1080 on win0
- Disable win0
- Display a 1920x1080 NV12 framebuffer without scaling on win0
- Output will now show the framebuffer distorted

And by:
- Scale a 1280x720 NV12 framebuffer to 1920x1080
- Change to a 720p modeset (win gets disabled and scaling reset to none)
- Output will now show the framebuffer distorted

Fix this by setting scale mode to none when win is disabled.

Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale")
Cc: stable@vger.kernel.org
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/AM3PR03MB0966DE3E19BACE07328CD637AC7D0@AM3PR03MB0966.eurprd03.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c |   18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
@@ -505,6 +505,18 @@ static void vop_core_clks_disable(struct
 	clk_disable(vop->hclk);
 }
 
+static void vop_win_disable(struct vop *vop, const struct vop_win_data *win)
+{
+	if (win->phy->scl && win->phy->scl->ext) {
+		VOP_SCL_SET_EXT(vop, win, yrgb_hor_scl_mode, SCALE_NONE);
+		VOP_SCL_SET_EXT(vop, win, yrgb_ver_scl_mode, SCALE_NONE);
+		VOP_SCL_SET_EXT(vop, win, cbcr_hor_scl_mode, SCALE_NONE);
+		VOP_SCL_SET_EXT(vop, win, cbcr_ver_scl_mode, SCALE_NONE);
+	}
+
+	VOP_WIN_SET(vop, win, enable, 0);
+}
+
 static int vop_enable(struct drm_crtc *crtc)
 {
 	struct vop *vop = to_vop(crtc);
@@ -550,7 +562,7 @@ static int vop_enable(struct drm_crtc *c
 		struct vop_win *vop_win = &vop->win[i];
 		const struct vop_win_data *win = vop_win->data;
 
-		VOP_WIN_SET(vop, win, enable, 0);
+		vop_win_disable(vop, win);
 	}
 	spin_unlock(&vop->reg_lock);
 
@@ -694,7 +706,7 @@ static void vop_plane_atomic_disable(str
 
 	spin_lock(&vop->reg_lock);
 
-	VOP_WIN_SET(vop, win, enable, 0);
+	vop_win_disable(vop, win);
 
 	spin_unlock(&vop->reg_lock);
 }
@@ -1449,7 +1461,7 @@ static int vop_initial(struct vop *vop)
 		int channel = i * 2 + 1;
 
 		VOP_WIN_SET(vop, win, channel, (channel + 1) << 4 | channel);
-		VOP_WIN_SET(vop, win, enable, 0);
+		vop_win_disable(vop, win);
 		VOP_WIN_SET(vop, win, gate, 1);
 	}
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 078/134] tty: mxs-auart: fix a potential NULL pointer dereference
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 077/134] drm/rockchip: vop: reset scale mode when win is disabled Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 079/134] tty: atmel_serial: " Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kangjie Lu

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kjlu@umn.edu>

commit 6734330654dac550f12e932996b868c6d0dcb421 upstream.

In case ioremap fails, the fix returns -ENOMEM to avoid NULL
pointer dereferences.
Multiple places use port.membase.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/mxs-auart.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1685,6 +1685,10 @@ static int mxs_auart_probe(struct platfo
 
 	s->port.mapbase = r->start;
 	s->port.membase = ioremap(r->start, resource_size(r));
+	if (!s->port.membase) {
+		ret = -ENOMEM;
+		goto out_disable_clks;
+	}
 	s->port.ops = &mxs_auart_ops;
 	s->port.iotype = UPIO_MEM;
 	s->port.fifosize = MXS_AUART_FIFO_SIZE;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 079/134] tty: atmel_serial: fix a potential NULL pointer dereference
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 078/134] tty: mxs-auart: fix a potential NULL pointer dereference Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 080/134] tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Richard Genoud

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kjlu@umn.edu>

commit c85be041065c0be8bc48eda4c45e0319caf1d0e5 upstream.

In case dmaengine_prep_dma_cyclic fails, the fix returns a proper
error code to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Fixes: 34df42f59a60 ("serial: at91: add rx dma support")
Acked-by: Richard Genoud <richard.genoud@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/atmel_serial.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1156,6 +1156,10 @@ static int atmel_prepare_rx_dma(struct u
 					 sg_dma_len(&atmel_port->sg_rx)/2,
 					 DMA_DEV_TO_MEM,
 					 DMA_PREP_INTERRUPT);
+	if (!desc) {
+		dev_err(port->dev, "Preparing DMA cyclic failed\n");
+		goto chan_err;
+	}
 	desc->callback = atmel_complete_rx_dma;
 	desc->callback_param = port;
 	atmel_port->desc_rx = desc;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 080/134] tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 079/134] tty: atmel_serial: " Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 081/134] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <natechancellor@gmail.com>

commit c5cbc78acf693f5605d4a85b1327fa7933daf092 upstream.

When building with -Wsometimes-uninitialized, Clang warns:

drivers/tty/serial/qcom_geni_serial.c:1079:6: warning: variable 'baud'
is used uninitialized whenever 'if' condition is false
[-Wsometimes-uninitialized]

It's not wrong; when options is NULL, baud has no default value. Use
9600 as that is a sane default.

Link: https://github.com/ClangBuiltLinux/linux/issues/395
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/qcom_geni_serial.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -1052,7 +1052,7 @@ static int __init qcom_geni_console_setu
 {
 	struct uart_port *uport;
 	struct qcom_geni_serial_port *port;
-	int baud;
+	int baud = 9600;
 	int bits = 8;
 	int parity = 'n';
 	int flow = 'n';



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 081/134] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 080/134] tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 082/134] staging: speakup_soft: Fix alternate speech with other synths Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ivan Vasilyev, Spencer E. Olson, Ian Abbott

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit bafd9c64056cd034a1174dcadb65cd3b294ff8f6 upstream.

`ni_cdio_cmdtest()` validates Comedi asynchronous commands for the DIO
subdevice (subdevice 2) of supported National Instruments M-series
cards.  It is called when handling the `COMEDI_CMD` and `COMEDI_CMDTEST`
ioctls for this subdevice.  There are two causes for a possible
divide-by-zero error when validating that the `stop_arg` member of the
passed-in command is not too large.

The first cause for the divide-by-zero is that calls to
`comedi_bytes_per_scan()` are only valid once the command has been
copied to `s->async->cmd`, but that copy is only done for the
`COMEDI_CMD` ioctl.  For the `COMEDI_CMDTEST` ioctl, it will use
whatever was left there by the previous `COMEDI_CMD` ioctl, if any.
(This is very likely, as it is usual for the application to use
`COMEDI_CMDTEST` before `COMEDI_CMD`.) If there has been no previous,
valid `COMEDI_CMD` for this subdevice, then `comedi_bytes_per_scan()`
will return 0, so the subsequent division in `ni_cdio_cmdtest()` of
`s->async->prealloc_bufsz / comedi_bytes_per_scan(s)` will be a
divide-by-zero error.  To fix this error, call a new function
`comedi_bytes_per_scan_cmd(s, cmd)`, based on the existing
`comedi_bytes_per_scan(s)` but using a specified `struct comedi_cmd` for
its calculations.  (Also refactor `comedi_bytes_per_scan()` to call the
new function.)

Once the first cause for the divide-by-zero has been fixed, the second
cause is that `comedi_bytes_per_scan_cmd()` can legitimately return 0 if
the `scan_end_arg` member of the `struct comedi_cmd` being tested is 0.
Fix it by only performing the division (and validating that `stop_arg`
is no more than the maximum value) if `comedi_bytes_per_scan_cmd()`
returns a non-zero value.

The problem was reported on the COMEDI mailing list here:
https://groups.google.com/forum/#!topic/comedi_list/4t9WlHzMhKM

Reported-by: Ivan Vasilyev <grabesstimme@gmail.com>
Tested-by: Ivan Vasilyev <grabesstimme@gmail.com>
Fixes: f164cbf98fa8 ("staging: comedi: ni_mio_common: add finite regeneration to dio output")
Cc: <stable@vger.kernel.org> # 4.6+
Cc: Spencer E. Olson <olsonse@umich.edu>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/comedidev.h             |    2 +
 drivers/staging/comedi/drivers.c               |   33 +++++++++++++++++++++----
 drivers/staging/comedi/drivers/ni_mio_common.c |   10 +++++--
 3 files changed, 38 insertions(+), 7 deletions(-)

--- a/drivers/staging/comedi/comedidev.h
+++ b/drivers/staging/comedi/comedidev.h
@@ -987,6 +987,8 @@ int comedi_dio_insn_config(struct comedi
 			   unsigned int mask);
 unsigned int comedi_dio_update_state(struct comedi_subdevice *s,
 				     unsigned int *data);
+unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s,
+				       struct comedi_cmd *cmd);
 unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s);
 unsigned int comedi_nscans_left(struct comedi_subdevice *s,
 				unsigned int nscans);
--- a/drivers/staging/comedi/drivers.c
+++ b/drivers/staging/comedi/drivers.c
@@ -381,11 +381,13 @@ unsigned int comedi_dio_update_state(str
 EXPORT_SYMBOL_GPL(comedi_dio_update_state);
 
 /**
- * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes
+ * comedi_bytes_per_scan_cmd() - Get length of asynchronous command "scan" in
+ * bytes
  * @s: COMEDI subdevice.
+ * @cmd: COMEDI command.
  *
  * Determines the overall scan length according to the subdevice type and the
- * number of channels in the scan.
+ * number of channels in the scan for the specified command.
  *
  * For digital input, output or input/output subdevices, samples for
  * multiple channels are assumed to be packed into one or more unsigned
@@ -395,9 +397,9 @@ EXPORT_SYMBOL_GPL(comedi_dio_update_stat
  *
  * Returns the overall scan length in bytes.
  */
-unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
+unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s,
+				       struct comedi_cmd *cmd)
 {
-	struct comedi_cmd *cmd = &s->async->cmd;
 	unsigned int num_samples;
 	unsigned int bits_per_sample;
 
@@ -414,6 +416,29 @@ unsigned int comedi_bytes_per_scan(struc
 	}
 	return comedi_samples_to_bytes(s, num_samples);
 }
+EXPORT_SYMBOL_GPL(comedi_bytes_per_scan_cmd);
+
+/**
+ * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes
+ * @s: COMEDI subdevice.
+ *
+ * Determines the overall scan length according to the subdevice type and the
+ * number of channels in the scan for the current command.
+ *
+ * For digital input, output or input/output subdevices, samples for
+ * multiple channels are assumed to be packed into one or more unsigned
+ * short or unsigned int values according to the subdevice's %SDF_LSAMPL
+ * flag.  For other types of subdevice, samples are assumed to occupy a
+ * whole unsigned short or unsigned int according to the %SDF_LSAMPL flag.
+ *
+ * Returns the overall scan length in bytes.
+ */
+unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
+{
+	struct comedi_cmd *cmd = &s->async->cmd;
+
+	return comedi_bytes_per_scan_cmd(s, cmd);
+}
 EXPORT_SYMBOL_GPL(comedi_bytes_per_scan);
 
 static unsigned int __comedi_nscans_left(struct comedi_subdevice *s,
--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -3516,6 +3516,7 @@ static int ni_cdio_check_chanlist(struct
 static int ni_cdio_cmdtest(struct comedi_device *dev,
 			   struct comedi_subdevice *s, struct comedi_cmd *cmd)
 {
+	unsigned int bytes_per_scan;
 	int err = 0;
 	int tmp;
 
@@ -3545,9 +3546,12 @@ static int ni_cdio_cmdtest(struct comedi
 	err |= comedi_check_trigger_arg_is(&cmd->convert_arg, 0);
 	err |= comedi_check_trigger_arg_is(&cmd->scan_end_arg,
 					   cmd->chanlist_len);
-	err |= comedi_check_trigger_arg_max(&cmd->stop_arg,
-					    s->async->prealloc_bufsz /
-					    comedi_bytes_per_scan(s));
+	bytes_per_scan = comedi_bytes_per_scan_cmd(s, cmd);
+	if (bytes_per_scan) {
+		err |= comedi_check_trigger_arg_max(&cmd->stop_arg,
+						    s->async->prealloc_bufsz /
+						    bytes_per_scan);
+	}
 
 	if (err)
 		return 3;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 082/134] staging: speakup_soft: Fix alternate speech with other synths
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 081/134] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:01 ` [PATCH 4.19 083/134] staging: vt6655: Remove vif check from vnt_interrupt Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Samuel Thibault

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Samuel Thibault <samuel.thibault@ens-lyon.org>

commit 45ac7b31bc6c4af885cc5b5d6c534c15bcbe7643 upstream.

When switching from speakup_soft to another synth, speakup_soft would
keep calling synth_buffer_getc() from softsynthx_read.

Let's thus make synth.c export the knowledge of the current synth, so
that speakup_soft can determine whether it should be running.

speakup_soft also needs to set itself alive, otherwise the switch would
let it remain silent.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/speakup/speakup_soft.c |   16 +++++++++++-----
 drivers/staging/speakup/spk_priv.h     |    1 +
 drivers/staging/speakup/synth.c        |    6 ++++++
 3 files changed, 18 insertions(+), 5 deletions(-)

--- a/drivers/staging/speakup/speakup_soft.c
+++ b/drivers/staging/speakup/speakup_soft.c
@@ -208,12 +208,15 @@ static ssize_t softsynthx_read(struct fi
 		return -EINVAL;
 
 	spin_lock_irqsave(&speakup_info.spinlock, flags);
+	synth_soft.alive = 1;
 	while (1) {
 		prepare_to_wait(&speakup_event, &wait, TASK_INTERRUPTIBLE);
-		if (!unicode)
-			synth_buffer_skip_nonlatin1();
-		if (!synth_buffer_empty() || speakup_info.flushing)
-			break;
+		if (synth_current() == &synth_soft) {
+			if (!unicode)
+				synth_buffer_skip_nonlatin1();
+			if (!synth_buffer_empty() || speakup_info.flushing)
+				break;
+		}
 		spin_unlock_irqrestore(&speakup_info.spinlock, flags);
 		if (fp->f_flags & O_NONBLOCK) {
 			finish_wait(&speakup_event, &wait);
@@ -233,6 +236,8 @@ static ssize_t softsynthx_read(struct fi
 
 	/* Keep 3 bytes available for a 16bit UTF-8-encoded character */
 	while (chars_sent <= count - bytes_per_ch) {
+		if (synth_current() != &synth_soft)
+			break;
 		if (speakup_info.flushing) {
 			speakup_info.flushing = 0;
 			ch = '\x18';
@@ -329,7 +334,8 @@ static __poll_t softsynth_poll(struct fi
 	poll_wait(fp, &speakup_event, wait);
 
 	spin_lock_irqsave(&speakup_info.spinlock, flags);
-	if (!synth_buffer_empty() || speakup_info.flushing)
+	if (synth_current() == &synth_soft &&
+	    (!synth_buffer_empty() || speakup_info.flushing))
 		ret = EPOLLIN | EPOLLRDNORM;
 	spin_unlock_irqrestore(&speakup_info.spinlock, flags);
 	return ret;
--- a/drivers/staging/speakup/spk_priv.h
+++ b/drivers/staging/speakup/spk_priv.h
@@ -72,6 +72,7 @@ int synth_request_region(unsigned long s
 int synth_release_region(unsigned long start, unsigned long n);
 int synth_add(struct spk_synth *in_synth);
 void synth_remove(struct spk_synth *in_synth);
+struct spk_synth *synth_current(void);
 
 extern struct speakup_info_t speakup_info;
 
--- a/drivers/staging/speakup/synth.c
+++ b/drivers/staging/speakup/synth.c
@@ -481,4 +481,10 @@ void synth_remove(struct spk_synth *in_s
 }
 EXPORT_SYMBOL_GPL(synth_remove);
 
+struct spk_synth *synth_current(void)
+{
+	return synth;
+}
+EXPORT_SYMBOL_GPL(synth_current);
+
 short spk_punc_masks[] = { 0, SOME, MOST, PUNC, PUNC | B_SYM };



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 083/134] staging: vt6655: Remove vif check from vnt_interrupt
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 082/134] staging: speakup_soft: Fix alternate speech with other synths Greg Kroah-Hartman
@ 2019-04-01 17:01 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 084/134] staging: vt6655: Fix interrupt race condition on device start up Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvboxspy@gmail.com>

commit cc26358f89c3e493b54766b1ca56cfc6b14db78a upstream.

A check for vif is made in vnt_interrupt_work.

There is a small chance of leaving interrupt disabled while vif
is NULL and the work hasn't been scheduled.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
CC: stable@vger.kernel.org # v4.2+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vt6655/device_main.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -1146,8 +1146,7 @@ static irqreturn_t vnt_interrupt(int irq
 {
 	struct vnt_private *priv = arg;
 
-	if (priv->vif)
-		schedule_work(&priv->interrupt_work);
+	schedule_work(&priv->interrupt_work);
 
 	return IRQ_HANDLED;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 084/134] staging: vt6655: Fix interrupt race condition on device start up.
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2019-04-01 17:01 ` [PATCH 4.19 083/134] staging: vt6655: Remove vif check from vnt_interrupt Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 085/134] staging: erofs: fix to handle error path of erofs_vmap() Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvboxspy@gmail.com>

commit 3b9c2f2e0e99bb67c96abcb659b3465efe3bee1f upstream.

It appears on some slower systems that the driver can find its way
out of the workqueue while the interrupt is disabled by continuous polling
by it.

Move MACvIntEnable to vnt_interrupt_work so that it is always enabled
on all routes out of vnt_interrupt_process.

Move MACvIntDisable so that the device doesn't keep polling the system
while the workqueue is being processed.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
CC: stable@vger.kernel.org # v4.2+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vt6655/device_main.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -1040,8 +1040,6 @@ static void vnt_interrupt_process(struct
 		return;
 	}
 
-	MACvIntDisable(priv->PortOffset);
-
 	spin_lock_irqsave(&priv->lock, flags);
 
 	/* Read low level stats */
@@ -1129,8 +1127,6 @@ static void vnt_interrupt_process(struct
 	}
 
 	spin_unlock_irqrestore(&priv->lock, flags);
-
-	MACvIntEnable(priv->PortOffset, IMR_MASK_VALUE);
 }
 
 static void vnt_interrupt_work(struct work_struct *work)
@@ -1140,6 +1136,8 @@ static void vnt_interrupt_work(struct wo
 
 	if (priv->vif)
 		vnt_interrupt_process(priv);
+
+	MACvIntEnable(priv->PortOffset, IMR_MASK_VALUE);
 }
 
 static irqreturn_t vnt_interrupt(int irq,  void *arg)
@@ -1148,6 +1146,8 @@ static irqreturn_t vnt_interrupt(int irq
 
 	schedule_work(&priv->interrupt_work);
 
+	MACvIntDisable(priv->PortOffset);
+
 	return IRQ_HANDLED;
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 085/134] staging: erofs: fix to handle error path of erofs_vmap()
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 084/134] staging: vt6655: Fix interrupt race condition on device start up Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 086/134] serial: max310x: Fix to avoid potential NULL pointer dereference Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gao Xiang, Chao Yu

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <yuchao0@huawei.com>

commit 8bce6dcede65139a087ff240127e3f3c01363eed upstream.

erofs_vmap() wrapped vmap() and vm_map_ram() to return virtual
continuous memory, but both of them can failed due to a lot of
reason, previously, erofs_vmap()'s callers didn't handle them,
which can potentially cause NULL pointer access, fix it.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Fixes: 0d40d6e399c1 ("staging: erofs: add a generic z_erofs VLE decompressor")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/erofs/unzip_vle.c     |    4 ++++
 drivers/staging/erofs/unzip_vle_lz4.c |    7 +++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -942,6 +942,10 @@ repeat:
 
 skip_allocpage:
 	vout = erofs_vmap(pages, nr_pages);
+	if (!vout) {
+		err = -ENOMEM;
+		goto out;
+	}
 
 	err = z_erofs_vle_unzip_vmap(compressed_pages,
 		clusterpages, vout, llen, work->pageofs, overlapped);
--- a/drivers/staging/erofs/unzip_vle_lz4.c
+++ b/drivers/staging/erofs/unzip_vle_lz4.c
@@ -116,10 +116,13 @@ int z_erofs_vle_unzip_fast_percpu(struct
 
 	nr_pages = DIV_ROUND_UP(outlen + pageofs, PAGE_SIZE);
 
-	if (clusterpages == 1)
+	if (clusterpages == 1) {
 		vin = kmap_atomic(compressed_pages[0]);
-	else
+	} else {
 		vin = erofs_vmap(compressed_pages, clusterpages);
+		if (!vin)
+			return -ENOMEM;
+	}
 
 	preempt_disable();
 	vout = erofs_pcpubuf[smp_processor_id()].data;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 086/134] serial: max310x: Fix to avoid potential NULL pointer dereference
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 085/134] staging: erofs: fix to handle error path of erofs_vmap() Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 087/134] serial: mvebu-uart: Fix to avoid a " Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Aditya Pakki

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aditya Pakki <pakki001@umn.edu>

commit 3a10e3dd52e80b9a97a3346020024d17b2c272d6 upstream.

of_match_device can return a NULL pointer when matching device is not
found. This patch avoids a scenario causing NULL pointer derefernce.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/max310x.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -1419,6 +1419,8 @@ static int max310x_spi_probe(struct spi_
 	if (spi->dev.of_node) {
 		const struct of_device_id *of_id =
 			of_match_device(max310x_dt_ids, &spi->dev);
+		if (!of_id)
+			return -ENODEV;
 
 		devtype = (struct max310x_devtype *)of_id->data;
 	} else {



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 087/134] serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 086/134] serial: max310x: Fix to avoid potential NULL pointer dereference Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 088/134] serial: sh-sci: Fix setting SCSCR_TIE while transferring data Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Aditya Pakki

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aditya Pakki <pakki001@umn.edu>

commit 32f47179833b63de72427131169809065db6745e upstream.

of_match_device on failure to find a matching device can return a NULL
pointer. The patch checks for such a scenrio and passes the error upstream.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/mvebu-uart.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/tty/serial/mvebu-uart.c
+++ b/drivers/tty/serial/mvebu-uart.c
@@ -799,6 +799,9 @@ static int mvebu_uart_probe(struct platf
 		return -EINVAL;
 	}
 
+	if (!match)
+		return -ENODEV;
+
 	/* Assume that all UART ports have a DT alias or none has */
 	id = of_alias_get_id(pdev->dev.of_node, "serial");
 	if (!pdev->dev.of_node || id < 0)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 088/134] serial: sh-sci: Fix setting SCSCR_TIE while transferring data
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 087/134] serial: mvebu-uart: Fix to avoid a " Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 089/134] USB: serial: cp210x: add new device id Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hoan Nguyen An

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hoan Nguyen An <na-hoan@jinso.co.jp>

commit 93bcefd4c6bad4c69dbc4edcd3fbf774b24d930d upstream.

We disable transmission interrupt (clear SCSCR_TIE) after all data has been transmitted
(if uart_circ_empty(xmit)). While transmitting, if the data is still in the tty buffer,
re-enable the SCSCR_TIE bit, which was done at sci_start_tx().
This is unnecessary processing, wasting CPU operation if the data transmission length is large.
And further, transmit end, FIFO empty bits disabling have also been performed in the step above.

Signed-off-by: Hoan Nguyen An <na-hoan@jinso.co.jp>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/sh-sci.c |   12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -838,19 +838,9 @@ static void sci_transmit_chars(struct ua
 
 	if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
 		uart_write_wakeup(port);
-	if (uart_circ_empty(xmit)) {
+	if (uart_circ_empty(xmit))
 		sci_stop_tx(port);
-	} else {
-		ctrl = serial_port_in(port, SCSCR);
 
-		if (port->type != PORT_SCI) {
-			serial_port_in(port, SCxSR); /* Dummy read */
-			sci_clear_SCxSR(port, SCxSR_TDxE_CLEAR(port));
-		}
-
-		ctrl |= SCSCR_TIE;
-		serial_port_out(port, SCSCR, ctrl);
-	}
 }
 
 /* On SH3, SCIF may read end-of-break as a space->mark char */



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 089/134] USB: serial: cp210x: add new device id
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 088/134] serial: sh-sci: Fix setting SCSCR_TIE while transferring data Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 090/134] USB: serial: ftdi_sio: add additional NovaTech products Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Uli, Johan Hovold

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a595ecdd5f60b2d93863cebb07eec7f935839b54 upstream.

Lorenz Messtechnik has a device that is controlled by the cp210x driver,
so add the device id to the driver.  The device id was provided by
Silicon-Labs for the devices from this vendor.

Reported-by: Uli <t9cpu@web.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/cp210x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -80,6 +80,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */
 	{ USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */
 	{ USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */
+	{ USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */
 	{ USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */
 	{ USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */
 	{ USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 090/134] USB: serial: ftdi_sio: add additional NovaTech products
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 089/134] USB: serial: cp210x: add new device id Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 091/134] USB: serial: mos7720: fix mos_parport refcount imbalance on error path Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, George McCollister, Johan Hovold

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: George McCollister <george.mccollister@gmail.com>

commit 422c2537ba9d42320f8ab6573940269f87095320 upstream.

Add PIDs for the NovaTech OrionLX+ and Orion I/O so they can be
automatically detected.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ftdi_sio.c     |    2 ++
 drivers/usb/serial/ftdi_sio_ids.h |    4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -599,6 +599,8 @@ static const struct usb_device_id id_tab
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
+	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -567,7 +567,9 @@
 /*
  * NovaTech product ids (FTDI_VID)
  */
-#define FTDI_NT_ORIONLXM_PID	0x7c90	/* OrionLXm Substation Automation Platform */
+#define FTDI_NT_ORIONLXM_PID		0x7c90	/* OrionLXm Substation Automation Platform */
+#define FTDI_NT_ORIONLX_PLUS_PID	0x7c91	/* OrionLX+ Substation Automation Platform */
+#define FTDI_NT_ORION_IO_PID		0x7c92	/* Orion I/O */
 
 /*
  * Synapse Wireless product ids (FTDI_VID)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 091/134] USB: serial: mos7720: fix mos_parport refcount imbalance on error path
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 090/134] USB: serial: ftdi_sio: add additional NovaTech products Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 092/134] USB: serial: option: set driver_info for SIM5218 and compatibles Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lin Yi, Johan Hovold

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lin Yi <teroincn@163.com>

commit 2908b076f5198d231de62713cb2b633a3a4b95ac upstream.

The write_parport_reg_nonblock() helper takes a reference to the struct
mos_parport, but failed to release it in a couple of error paths after
allocation failures, leading to a memory leak.

Johan said that move the kref_get() and mos_parport assignment to the
end of urbtrack initialisation is a better way, so move it. and
mos_parport do not used until urbtrack initialisation.

Signed-off-by: Lin Yi <teroincn@163.com>
Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Cc: stable <stable@vger.kernel.org>     # 2.6.35
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/mos7720.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -366,8 +366,6 @@ static int write_parport_reg_nonblock(st
 	if (!urbtrack)
 		return -ENOMEM;
 
-	kref_get(&mos_parport->ref_count);
-	urbtrack->mos_parport = mos_parport;
 	urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC);
 	if (!urbtrack->urb) {
 		kfree(urbtrack);
@@ -388,6 +386,8 @@ static int write_parport_reg_nonblock(st
 			     usb_sndctrlpipe(usbdev, 0),
 			     (unsigned char *)urbtrack->setup,
 			     NULL, 0, async_complete, urbtrack);
+	kref_get(&mos_parport->ref_count);
+	urbtrack->mos_parport = mos_parport;
 	kref_init(&urbtrack->ref_count);
 	INIT_LIST_HEAD(&urbtrack->urblist_entry);
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 092/134] USB: serial: option: set driver_info for SIM5218 and compatibles
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 091/134] USB: serial: mos7720: fix mos_parport refcount imbalance on error path Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 093/134] USB: serial: option: add support for Quectel EM12 Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mans Rullgard, Johan Hovold

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mans Rullgard <mans@mansr.com>

commit f8df5c2c3e2df5ffaf9fb5503da93d477a8c7db4 upstream.

The SIMCom SIM5218 and compatible devices have 5 USB interfaces, only 4
of which are serial ports.  The fifth is a network interface supported
by the qmi-wwan driver.  Furthermore, the serial ports do not support
modem control signals.  Add driver_info flags to reflect this.

Signed-off-by: Mans Rullgard <mans@mansr.com>
Fixes: ec0cd94d881c ("usb: option: add SIMCom SIM5218")
Cc: stable <stable@vger.kernel.org>	# 3.2
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1066,7 +1066,8 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(3) },
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
-	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
+	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000), /* SIMCom SIM5218 */
+	  .driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) | NCTRL(3) | RSVD(4) },
 	/* Quectel products using Qualcomm vendor ID */
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 093/134] USB: serial: option: add support for Quectel EM12
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 092/134] USB: serial: option: set driver_info for SIM5218 and compatibles Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 094/134] USB: serial: option: add Olicard 600 Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kristian Evensen, Johan Hovold

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kristian Evensen <kristian.evensen@gmail.com>

commit d1252f0237238b912c3e7a51bf237acf34c97983 upstream.

The Quectel EM12 is a Cat. 12 LTE modem. It behaves in the exactly the
same way as the EP06 (including the dynamic configuration behavior), so
the same checks on reserved interfaces, etc. are needed.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -246,6 +246,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_EC25			0x0125
 #define QUECTEL_PRODUCT_BG96			0x0296
 #define QUECTEL_PRODUCT_EP06			0x0306
+#define QUECTEL_PRODUCT_EM12			0x0512
 
 #define CMOTECH_VENDOR_ID			0x16d8
 #define CMOTECH_PRODUCT_6001			0x6001
@@ -1088,6 +1089,9 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0xff, 0xff),
 	  .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0, 0) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0xff, 0xff),
+	  .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 094/134] USB: serial: option: add Olicard 600
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 093/134] USB: serial: option: add support for Quectel EM12 Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 095/134] Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bjørn Mork, Johan Hovold

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bjorn@mork.no>

commit 84f3b43f7378b98b7e3096d5499de75183d4347c upstream.

This is a Qualcomm based device with a QMI function on interface 4.
It is mode switched from 2020:2030 using a standard eject message.

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  6 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2020 ProdID=2031 Rev= 2.32
S:  Manufacturer=Mobile Connect
S:  Product=Mobile Connect
S:  SerialNumber=0123456789ABCDEF
C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
E:  Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us

Cc: stable@vger.kernel.org
Signed-off-by: Bjørn Mork <bjorn@mork.no>
[ johan: use tabs to align comments in adjacent lines ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1945,10 +1945,12 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e35, 0xff),			/* D-Link DWM-222 */
 	  .driver_info = RSVD(4) },
-	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
-	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
-	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
-	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) },                /* OLICARD300 - MT6225 */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) },	/* D-Link DWM-152/C1 */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) },	/* D-Link DWM-156/C1 */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) },	/* D-Link DWM-156/A3 */
+	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2031, 0xff),			/* Olicard 600 */
+	  .driver_info = RSVD(4) },
+	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) },			/* OLICARD300 - MT6225 */
 	{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
 	{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 095/134] Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 094/134] USB: serial: option: add Olicard 600 Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 096/134] fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wentao Wang, Daniel Thompson

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Wang <witallwang@gmail.com>

commit 3ec8002951ea173e24b466df1ea98c56b7920e63 upstream.

Echo "" to /sys/module/kgdboc/parameters/kgdboc will fail with "No such
device” error.

This is caused by function "configure_kgdboc" who init err to ENODEV
when the config is empty (legal input) the code go out with ENODEV
returned.

Fixes: 2dd453168643 ("kgdboc: Fix restrict error")
Signed-off-by: Wentao Wang <witallwang@gmail.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/kgdboc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/kgdboc.c
+++ b/drivers/tty/serial/kgdboc.c
@@ -145,8 +145,10 @@ static int configure_kgdboc(void)
 	char *cptr = config;
 	struct console *cons;
 
-	if (!strlen(config) || isspace(config[0]))
+	if (!strlen(config) || isspace(config[0])) {
+		err = 0;
 		goto noconfig;
+	}
 
 	kgdboc_io_ops.is_console = 0;
 	kgdb_tty_driver = NULL;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 096/134] fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 095/134] Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 097/134] drm/vgem: fix use-after-free when drm_gem_handle_create() fails Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, Hulk Robot,
	Luis Chamberlain, Kees Cook, Alexey Dobriyan, Alexei Starovoitov,
	Daniel Borkmann, Al Viro, Eric W. Biederman, Andrew Morton,
	Linus Torvalds

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 23da9588037ecdd4901db76a5b79a42b529c4ec3 upstream.

Syzkaller reports:

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599
Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91
RSP: 0018:ffff8881d828f238 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267
RDX: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178
RBP: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259
R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4
R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000
FS:  00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629
 get_subdir fs/proc/proc_sysctl.c:1022 [inline]
 __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
 br_netfilter_init+0xbc/0x1000 [br_netfilter]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc
R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle
 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73]
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 770020de38961fd0 ]---

A new dir entry can be created in get_subdir and its 'header->parent' is
set to NULL.  Only after insert_header success, it will be set to 'dir',
otherwise 'header->parent' is set to NULL and drop_sysctl_table is called.
However in err handling path of get_subdir, drop_sysctl_table also be
called on 'new->header' regardless its value of parent pointer.  Then
put_links is called, which triggers NULL-ptr deref when access member of
header->parent.

In fact we have multiple error paths which call drop_sysctl_table() there,
upon failure on insert_links() we also call drop_sysctl_table().And even
in the successful case on __register_sysctl_table() we still always call
drop_sysctl_table().This patch fix it.

Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com
Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>    [3.4+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/proc_sysctl.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -1626,7 +1626,8 @@ static void drop_sysctl_table(struct ctl
 	if (--header->nreg)
 		return;
 
-	put_links(header);
+	if (parent)
+		put_links(header);
 	start_unregistering(header);
 	if (!--header->count)
 		kfree_rcu(header, rcu);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 097/134] drm/vgem: fix use-after-free when drm_gem_handle_create() fails
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 096/134] fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 098/134] drm/vkms: " Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e73f2fb5ed5a5df36d33,
	Chris Wilson, Laura Abbott, Daniel Vetter, Eric Biggers,
	Rodrigo Siqueira, Maxime Ripard

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 21d2b122732318b48c10b7262e15595ce54511d3 upstream.

If drm_gem_handle_create() fails in vgem_gem_create(), then the
drm_vgem_gem_object is freed twice: once when the reference is dropped
by drm_gem_object_put_unlocked(), and again by __vgem_gem_destroy().

This was hit by syzkaller using fault injection.

Fix it by skipping the second free.

Reported-by: syzbot+e73f2fb5ed5a5df36d33@syzkaller.appspotmail.com
Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190226214451.195123-1-ebiggers@kernel.org
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vgem/vgem_drv.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/gpu/drm/vgem/vgem_drv.c
+++ b/drivers/gpu/drm/vgem/vgem_drv.c
@@ -191,13 +191,9 @@ static struct drm_gem_object *vgem_gem_c
 	ret = drm_gem_handle_create(file, &obj->base, handle);
 	drm_gem_object_put_unlocked(&obj->base);
 	if (ret)
-		goto err;
+		return ERR_PTR(ret);
 
 	return &obj->base;
-
-err:
-	__vgem_gem_destroy(obj);
-	return ERR_PTR(ret);
 }
 
 static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 098/134] drm/vkms: fix use-after-free when drm_gem_handle_create() fails
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 097/134] drm/vgem: fix use-after-free when drm_gem_handle_create() fails Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 099/134] drm/i915/gvt: Fix MI_FLUSH_DW parsing with correct index check Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rodrigo Siqueira, Haneen Mohammed,
	Daniel Vetter, Chris Wilson, Eric Biggers, Maxime Ripard

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 36b6c9ed45afe89045973e8dee1b004dd5372d40 upstream.

If drm_gem_handle_create() fails in vkms_gem_create(), then the
vkms_gem_object is freed twice: once when the reference is dropped by
drm_gem_object_put_unlocked(), and again by the extra calls to
drm_gem_object_release() and kfree().

Fix it by skipping the second release and free.

This bug was originally found in the vgem driver by syzkaller using
fault injection, but I noticed it's also present in the vkms driver.

Fixes: 559e50fd34d1 ("drm/vkms: Add dumb operations")
Cc: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
Cc: Haneen Mohammed <hamohammed.sa@gmail.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190226220858.214438-1-ebiggers@kernel.org
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vkms/vkms_gem.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/gpu/drm/vkms/vkms_gem.c
+++ b/drivers/gpu/drm/vkms/vkms_gem.c
@@ -110,11 +110,8 @@ struct drm_gem_object *vkms_gem_create(s
 
 	ret = drm_gem_handle_create(file, &obj->gem, handle);
 	drm_gem_object_put_unlocked(&obj->gem);
-	if (ret) {
-		drm_gem_object_release(&obj->gem);
-		kfree(obj);
+	if (ret)
 		return ERR_PTR(ret);
-	}
 
 	return &obj->gem;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 099/134] drm/i915/gvt: Fix MI_FLUSH_DW parsing with correct index check
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 098/134] drm/vkms: " Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 100/134] gpio: exar: add a check for the return value of ida_simple_get fails Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhao, Yan Y, Zhenyu Wang

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenyu Wang <zhenyuw@linux.intel.com>

commit 13bcb80b7ee79431fce361e060611134cb19e209 upstream.

When MI_FLUSH_DW post write hw status page in index mode, the index
value is in dword step and turned into address offset in cmd dword1.
As status page size is 4K, so can't exceed that.

This fixed upper bound check in cmd parser code which incorrectly
stopped VM for reason of invalid MI_FLUSH_DW write index.

v2:
- Fix upper bound as 4K page size because index value is address offset.

Fixes: be1da7070aea ("drm/i915/gvt: vGPU command scanner")
Cc: stable@vger.kernel.org # v4.10+
Cc: "Zhao, Yan Y" <yan.y.zhao@intel.com>
Reviewed-by: Yan Zhao <yan.y.zhao@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/gvt/cmd_parser.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/gvt/cmd_parser.c
+++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c
@@ -1446,7 +1446,7 @@ static inline int cmd_address_audit(stru
 	}
 
 	if (index_mode)	{
-		if (guest_gma >= I915_GTT_PAGE_SIZE / sizeof(u64)) {
+		if (guest_gma >= I915_GTT_PAGE_SIZE) {
 			ret = -EFAULT;
 			goto err;
 		}



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 100/134] gpio: exar: add a check for the return value of ida_simple_get fails
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 099/134] drm/i915/gvt: Fix MI_FLUSH_DW parsing with correct index check Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 101/134] gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Bartosz Golaszewski

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kjlu@umn.edu>

commit 7ecced0934e574b528a1ba6c237731e682216a74 upstream.

ida_simple_get may fail and return a negative error number.
The fix checks its return value; if it fails, go to err_destroy.

Cc: <stable@vger.kernel.org>
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpio-exar.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/gpio/gpio-exar.c
+++ b/drivers/gpio/gpio-exar.c
@@ -148,6 +148,8 @@ static int gpio_exar_probe(struct platfo
 	mutex_init(&exar_gpio->lock);
 
 	index = ida_simple_get(&ida_index, 0, 0, GFP_KERNEL);
+	if (index < 0)
+		goto err_destroy;
 
 	sprintf(exar_gpio->name, "exar_gpio%d", index);
 	exar_gpio->gpio_chip.label = exar_gpio->name;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 101/134] gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 100/134] gpio: exar: add a check for the return value of ida_simple_get fails Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 102/134] phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Lin, Thierry Reding,
	Bartosz Golaszewski

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Axel Lin <axel.lin@ingics.com>

commit c5bc6e526d3f217ed2cc3681d256dc4a2af4cc2b upstream.

Current code test wrong value so it does not verify if the written
data is correctly read back. Fix it.
Also make it return -EPERM if read value does not match written bit,
just like it done for adnp_gpio_direction_output().

Fixes: 5e969a401a01 ("gpio: Add Avionic Design N-bit GPIO expander support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Reviewed-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpio-adnp.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpio/gpio-adnp.c
+++ b/drivers/gpio/gpio-adnp.c
@@ -132,8 +132,10 @@ static int adnp_gpio_direction_input(str
 	if (err < 0)
 		goto out;
 
-	if (err & BIT(pos))
-		err = -EACCES;
+	if (value & BIT(pos)) {
+		err = -EPERM;
+		goto out;
+	}
 
 	err = 0;
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 102/134] phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 101/134] gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 103/134] usb: mtu3: fix EXTCON dependency Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen-Yu Tsai <wens@csie.org>

commit 1396929e8a903db80425343cacca766a18ad6409 upstream.

While only the first PHY supports mode switching, the remaining PHYs
work in USB host mode. They should support set_mode with mode=USB_HOST
instead of failing. This is especially needed now that the USB core does
set_mode for all USB ports, which was added in commit b97a31348379 ("usb:
core: comply to PHY framework").

Make set_mode with mode=USB_HOST a no-op instead of failing for the
non-OTG USB PHYs.

Fixes: 6ba43c291961 ("phy-sun4i-usb: Add support for phy_set_mode")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/phy/allwinner/phy-sun4i-usb.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/phy/allwinner/phy-sun4i-usb.c
+++ b/drivers/phy/allwinner/phy-sun4i-usb.c
@@ -481,8 +481,11 @@ static int sun4i_usb_phy_set_mode(struct
 	struct sun4i_usb_phy_data *data = to_sun4i_usb_phy_data(phy);
 	int new_mode;
 
-	if (phy->index != 0)
+	if (phy->index != 0) {
+		if (mode == PHY_MODE_USB_HOST)
+			return 0;
 		return -EINVAL;
+	}
 
 	switch (mode) {
 	case PHY_MODE_USB_HOST:



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 103/134] usb: mtu3: fix EXTCON dependency
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 102/134] phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 104/134] USB: gadget: f_hid: fix deadlock in f_hidg_write() Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 3d54d10c6afed34fd45b852bf76f55e8da31d8ef upstream.

When EXTCON is a loadable module, mtu3 fails to link as built-in:

drivers/usb/mtu3/mtu3_plat.o: In function `mtu3_probe':
mtu3_plat.c:(.text+0x690): undefined reference to `extcon_get_edev_by_phandle'

Add a Kconfig dependency to force mtu3 also to be a loadable module
if extconn is, but still allow it to be built without extcon.

Fixes: d0ed062a8b75 ("usb: mtu3: dual-role mode support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/mtu3/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/mtu3/Kconfig
+++ b/drivers/usb/mtu3/Kconfig
@@ -4,6 +4,7 @@ config USB_MTU3
 	tristate "MediaTek USB3 Dual Role controller"
 	depends on USB || USB_GADGET
 	depends on ARCH_MEDIATEK || COMPILE_TEST
+	depends on EXTCON || !EXTCON
 	select USB_XHCI_MTK if USB_SUPPORT && USB_XHCI_HCD
 	help
 	  Say Y or M here if your system runs on MediaTek SoCs with



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 104/134] USB: gadget: f_hid: fix deadlock in f_hidg_write()
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 103/134] usb: mtu3: fix EXTCON dependency Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 105/134] usb: common: Consider only available nodes for dr_mode Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Bottomley, Radoslav Gerganov,
	Felipe Balbi

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Radoslav Gerganov <rgerganov@vmware.com>

commit 072684e8c58d17e853f8e8b9f6d9ce2e58d2b036 upstream.

In f_hidg_write() the write_spinlock is acquired before calling
usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
This is because dummy_queue() callbacks into f_hidg_req_complete() which
tries to acquire the same spinlock. This is (part of) the backtrace when
the deadlock occurs:

  0xffffffffc06b1410 in f_hidg_req_complete
  0xffffffffc06a590a in usb_gadget_giveback_request
  0xffffffffc06cfff2 in dummy_queue
  0xffffffffc06a4b96 in usb_ep_queue
  0xffffffffc06b1eb6 in f_hidg_write
  0xffffffff8127730b in __vfs_write
  0xffffffff812774d1 in vfs_write
  0xffffffff81277725 in SYSC_write

Fix this by releasing the write_spinlock before calling usb_ep_queue()

Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: stable@vger.kernel.org # 4.11+
Fixes: 749494b6bdbb ("usb: gadget: f_hid: fix: Move IN request allocation to set_alt()")
Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/function/f_hid.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -391,20 +391,20 @@ try_again:
 	req->complete = f_hidg_req_complete;
 	req->context  = hidg;
 
+	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
+
 	status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC);
 	if (status < 0) {
 		ERROR(hidg->func.config->cdev,
 			"usb_ep_queue error on int endpoint %zd\n", status);
-		goto release_write_pending_unlocked;
+		goto release_write_pending;
 	} else {
 		status = count;
 	}
-	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
 
 	return status;
 release_write_pending:
 	spin_lock_irqsave(&hidg->write_spinlock, flags);
-release_write_pending_unlocked:
 	hidg->write_pending = 0;
 	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 105/134] usb: common: Consider only available nodes for dr_mode
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 104/134] USB: gadget: f_hid: fix deadlock in f_hidg_write() Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 106/134] usb: host: xhci-rcar: Add XHCI_TRUST_TX_LENGTH quirk Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Fabrizio Castro

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fabrizio Castro <fabrizio.castro@bp.renesas.com>

commit 238e0268c82789e4c107a37045d529a6dbce51a9 upstream.

There are cases where multiple device tree nodes point to the
same phy node by means of the "phys" property, but we should
only consider those nodes that are marked as available rather
than just any node.

Fixes: 98bfb3946695 ("usb: of: add an api to get dr_mode by the phy node")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Fabrizio Castro <fabrizio.castro@bp.renesas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/common/common.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/common/common.c
+++ b/drivers/usb/common/common.c
@@ -145,6 +145,8 @@ enum usb_dr_mode of_usb_get_dr_mode_by_p
 
 	do {
 		controller = of_find_node_with_property(controller, "phys");
+		if (!of_device_is_available(controller))
+			continue;
 		index = 0;
 		do {
 			if (arg0 == -1) {



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 106/134] usb: host: xhci-rcar: Add XHCI_TRUST_TX_LENGTH quirk
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 105/134] usb: common: Consider only available nodes for dr_mode Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 107/134] xhci: Fix port resume done detection for SS ports with LPM enabled Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yasushi Asano, Spyridon Papageorgiou,
	Yoshihiro Shimoda

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yasushi Asano <yasano@jp.adit-jv.com>

commit 40fc165304f0faaae78b761f8ee30b5d216b1850 upstream.

When plugging BUFFALO LUA4-U3-AGT USB3.0 to Gigabit Ethernet LAN
Adapter, warning messages filled up dmesg.

[  101.098287] xhci-hcd ee000000.usb: WARN Successful completion on short TX for slot 1 ep 4: needs XHCI_TRUST_TX_LENGTH quirk?
[  101.117463] xhci-hcd ee000000.usb: WARN Successful completion on short TX for slot 1 ep 4: needs XHCI_TRUST_TX_LENGTH quirk?
[  101.136513] xhci-hcd ee000000.usb: WARN Successful completion on short TX for slot 1 ep 4: needs XHCI_TRUST_TX_LENGTH quirk?

Adding the XHCI_TRUST_TX_LENGTH quirk resolves the issue.

Signed-off-by: Yasushi Asano <yasano@jp.adit-jv.com>
Signed-off-by: Spyridon Papageorgiou <spapageorgiou@de.adit-jv.com>
Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-rcar.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/host/xhci-rcar.c
+++ b/drivers/usb/host/xhci-rcar.c
@@ -246,6 +246,7 @@ int xhci_rcar_init_quirk(struct usb_hcd
 	if (!xhci_rcar_wait_for_pll_active(hcd))
 		return -ETIMEDOUT;
 
+	xhci->quirks |= XHCI_TRUST_TX_LENGTH;
 	return xhci_rcar_download_firmware(hcd);
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 107/134] xhci: Fix port resume done detection for SS ports with LPM enabled
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 106/134] usb: host: xhci-rcar: Add XHCI_TRUST_TX_LENGTH quirk Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 108/134] usb: xhci: dbc: Dont free all memory with spinlock held Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15 upstream.

A suspended SS port in U3 link state will go to U0 when resumed, but
can almost immediately after that enter U1 or U2 link power save
states before host controller driver reads the port status.

Host controller driver only checks for U0 state, and might miss
the finished resume, leaving flags unclear and skip notifying usb
code of the wake.

Add U1 and U2 to the possible link states when checking for finished
port resume.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-ring.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1643,10 +1643,13 @@ static void handle_port_status(struct xh
 		}
 	}
 
-	if ((portsc & PORT_PLC) && (portsc & PORT_PLS_MASK) == XDEV_U0 &&
-			DEV_SUPERSPEED_ANY(portsc)) {
+	if ((portsc & PORT_PLC) &&
+	    DEV_SUPERSPEED_ANY(portsc) &&
+	    ((portsc & PORT_PLS_MASK) == XDEV_U0 ||
+	     (portsc & PORT_PLS_MASK) == XDEV_U1 ||
+	     (portsc & PORT_PLS_MASK) == XDEV_U2)) {
 		xhci_dbg(xhci, "resume SS port %d finished\n", port_id);
-		/* We've just brought the device into U0 through either the
+		/* We've just brought the device into U0/1/2 through either the
 		 * Resume state after a device remote wakeup, or through the
 		 * U3Exit state after a host-initiated resume.  If it's a device
 		 * initiated remote wake, don't pass up the link state change,



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 108/134] usb: xhci: dbc: Dont free all memory with spinlock held
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 107/134] xhci: Fix port resume done detection for SS ports with LPM enabled Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 109/134] xhci: Dont let USB3 ports stuck in polling state prevent suspend Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 8867ea262196a6945c24a0fb739575af646ec0e9 upstream.

The xhci debug capability (DbC) feature did its memory cleanup with
spinlock held. dma_free_coherent() warns if called with interrupts
disabled

move the memory cleanup outside the spinlock

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-dbgcap.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-dbgcap.c
+++ b/drivers/usb/host/xhci-dbgcap.c
@@ -516,7 +516,6 @@ static int xhci_do_dbc_stop(struct xhci_
 		return -1;
 
 	writel(0, &dbc->regs->control);
-	xhci_dbc_mem_cleanup(xhci);
 	dbc->state = DS_DISABLED;
 
 	return 0;
@@ -562,8 +561,10 @@ static void xhci_dbc_stop(struct xhci_hc
 	ret = xhci_do_dbc_stop(xhci);
 	spin_unlock_irqrestore(&dbc->lock, flags);
 
-	if (!ret)
+	if (!ret) {
+		xhci_dbc_mem_cleanup(xhci);
 		pm_runtime_put_sync(xhci_to_hcd(xhci)->self.controller);
+	}
 }
 
 static void



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 109/134] xhci: Dont let USB3 ports stuck in polling state prevent suspend
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 108/134] usb: xhci: dbc: Dont free all memory with spinlock held Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 110/134] usb: cdc-acm: fix race during wakeup blocking TX traffic Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit d92f2c59cc2cbca6bfb2cc54882b58ba76b15fd4 upstream.

Commit 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect
change or polling state is detected") was intended to prevent ports that
were still link training from being forced to U3 suspend state mid
enumeration.
This solved enumeration issues for devices with slow link training.

Turns out some devices are stuck in the link training/polling state,
and thus that patch will prevent suspend completely for these devices.
This is seen with USB3 card readers in some MacBooks.

Instead of preventing suspend, give some time to complete the link
training. On successful training the port will end up as connected
and enabled.
If port instead is stuck in link training the bus suspend will continue
suspending after 360ms (10 * 36ms) timeout (tPollingLFPSTimeout).

Original patch was sent to stable, this one should go there as well

Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change or polling state is detected")
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-hub.c |   19 ++++++++++++-------
 drivers/usb/host/xhci.h     |    8 ++++++++
 2 files changed, 20 insertions(+), 7 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1501,20 +1501,25 @@ int xhci_bus_suspend(struct usb_hcd *hcd
 	port_index = max_ports;
 	while (port_index--) {
 		u32 t1, t2;
-
+		int retries = 10;
+retry:
 		t1 = readl(ports[port_index]->addr);
 		t2 = xhci_port_state_to_neutral(t1);
 		portsc_buf[port_index] = 0;
 
-		/* Bail out if a USB3 port has a new device in link training */
-		if ((hcd->speed >= HCD_USB3) &&
+		/*
+		 * Give a USB3 port in link training time to finish, but don't
+		 * prevent suspend as port might be stuck
+		 */
+		if ((hcd->speed >= HCD_USB3) && retries-- &&
 		    (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
-			bus_state->bus_suspended = 0;
 			spin_unlock_irqrestore(&xhci->lock, flags);
-			xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
-			return -EBUSY;
+			msleep(XHCI_PORT_POLLING_LFPS_TIME);
+			spin_lock_irqsave(&xhci->lock, flags);
+			xhci_dbg(xhci, "port %d polling in bus suspend, waiting\n",
+				 port_index);
+			goto retry;
 		}
-
 		/* suspend ports in U0, or bail out for new connect changes */
 		if ((t1 & PORT_PE) && (t1 & PORT_PLS_MASK) == XDEV_U0) {
 			if ((t1 & PORT_CSC) && wake_enabled) {
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -452,6 +452,14 @@ struct xhci_op_regs {
  */
 #define XHCI_DEFAULT_BESL	4
 
+/*
+ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
+ * to complete link training. usually link trainig completes much faster
+ * so check status 10 times with 36ms sleep in places we need to wait for
+ * polling to complete.
+ */
+#define XHCI_PORT_POLLING_LFPS_TIME  36
+
 /**
  * struct xhci_intr_reg - Interrupt Register Set
  * @irq_pending:	IMAN - Interrupt Management Register.  Used to enable



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 110/134] usb: cdc-acm: fix race during wakeup blocking TX traffic
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 109/134] xhci: Dont let USB3 ports stuck in polling state prevent suspend Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 111/134] mm: add support for kmem caches in DMA32 zone Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Romain Izard, Oliver Neukum

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Romain Izard <romain.izard.pro@gmail.com>

commit 93e1c8a638308980309e009cc40b5a57ef87caf1 upstream.

When the kernel is compiled with preemption enabled, the URB completion
handler can run in parallel with the work responsible for waking up the
tty layer. If the URB handler sets the EVENT_TTY_WAKEUP bit during the
call to tty_port_tty_wakeup() to signal that there is room for additional
input, it will be cleared at the end of this call. As a result, TX traffic
on the upper layer will be blocked.

This can be seen with a kernel configured with CONFIG_PREEMPT, and a fast
modem connected with PPP running over a USB CDC-ACM port.

Use test_and_clear_bit() instead, which ensures that each wakeup requested
by the URB completion code will trigger a call to tty_port_tty_wakeup().

Fixes: 1aba579f3cf5 cdc-acm: handle read pipe errors
Signed-off-by: Romain Izard <romain.izard.pro@gmail.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/class/cdc-acm.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -558,10 +558,8 @@ static void acm_softint(struct work_stru
 		clear_bit(EVENT_RX_STALL, &acm->flags);
 	}
 
-	if (test_bit(EVENT_TTY_WAKEUP, &acm->flags)) {
+	if (test_and_clear_bit(EVENT_TTY_WAKEUP, &acm->flags))
 		tty_port_tty_wakeup(&acm->port);
-		clear_bit(EVENT_TTY_WAKEUP, &acm->flags);
-	}
 }
 
 /*



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 111/134] mm: add support for kmem caches in DMA32 zone
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 110/134] usb: cdc-acm: fix race during wakeup blocking TX traffic Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 112/134] iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Boichat, Vlastimil Babka,
	Will Deacon, Robin Murphy, Joerg Roedel, Christoph Lameter,
	Pekka Enberg, David Rientjes, Joonsoo Kim, Michal Hocko,
	Mel Gorman, Sasha Levin, Huaisheng Ye, Mike Rapoport, Yong Wu,
	Matthias Brugger, Tomasz Figa, Yingjoe Chen, Christoph Hellwig,
	Matthew Wilcox, Hsin-Yi Wang, Andrew Morton, Linus Torvalds

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Boichat <drinkcat@chromium.org>

commit 6d6ea1e967a246f12cfe2f5fb743b70b2e608d4a upstream.

Patch series "iommu/io-pgtable-arm-v7s: Use DMA32 zone for page tables",
v6.

This is a followup to the discussion in [1], [2].

IOMMUs using ARMv7 short-descriptor format require page tables (level 1
and 2) to be allocated within the first 4GB of RAM, even on 64-bit
systems.

For L1 tables that are bigger than a page, we can just use
__get_free_pages with GFP_DMA32 (on arm64 systems only, arm would still
use GFP_DMA).

For L2 tables that only take 1KB, it would be a waste to allocate a full
page, so we considered 3 approaches:
 1. This series, adding support for GFP_DMA32 slab caches.
 2. genalloc, which requires pre-allocating the maximum number of L2 page
    tables (4096, so 4MB of memory).
 3. page_frag, which is not very memory-efficient as it is unable to reuse
    freed fragments until the whole page is freed. [3]

This series is the most memory-efficient approach.

stable@ note:
  We confirmed that this is a regression, and IOMMU errors happen on 4.19
  and linux-next/master on MT8173 (elm, Acer Chromebook R13). The issue
  most likely starts from commit ad67f5a6545f ("arm64: replace ZONE_DMA
  with ZONE_DMA32"), i.e. 4.15, and presumably breaks a number of Mediatek
  platforms (and maybe others?).

[1] https://lists.linuxfoundation.org/pipermail/iommu/2018-November/030876.html
[2] https://lists.linuxfoundation.org/pipermail/iommu/2018-December/031696.html
[3] https://patchwork.codeaurora.org/patch/671639/

This patch (of 3):

IOMMUs using ARMv7 short-descriptor format require page tables to be
allocated within the first 4GB of RAM, even on 64-bit systems.  On arm64,
this is done by passing GFP_DMA32 flag to memory allocation functions.

For IOMMU L2 tables that only take 1KB, it would be a waste to allocate
a full page using get_free_pages, so we considered 3 approaches:
 1. This patch, adding support for GFP_DMA32 slab caches.
 2. genalloc, which requires pre-allocating the maximum number of L2
    page tables (4096, so 4MB of memory).
 3. page_frag, which is not very memory-efficient as it is unable
    to reuse freed fragments until the whole page is freed.

This change makes it possible to create a custom cache in DMA32 zone using
kmem_cache_create, then allocate memory using kmem_cache_alloc.

We do not create a DMA32 kmalloc cache array, as there are currently no
users of kmalloc(..., GFP_DMA32).  These calls will continue to trigger a
warning, as we keep GFP_DMA32 in GFP_SLAB_BUG_MASK.

This implies that calls to kmem_cache_*alloc on a SLAB_CACHE_DMA32
kmem_cache must _not_ use GFP_DMA32 (it is anyway redundant and
unnecessary).

Link: http://lkml.kernel.org/r/20181210011504.122604-2-drinkcat@chromium.org
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Sasha Levin <Alexander.Levin@microsoft.com>
Cc: Huaisheng Ye <yehs1@lenovo.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Yong Wu <yong.wu@mediatek.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Tomasz Figa <tfiga@google.com>
Cc: Yingjoe Chen <yingjoe.chen@mediatek.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Hsin-Yi Wang <hsinyi@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/slab.h |    2 ++
 mm/slab.c            |    2 ++
 mm/slab.h            |    3 ++-
 mm/slab_common.c     |    2 +-
 mm/slub.c            |    5 +++++
 5 files changed, 12 insertions(+), 2 deletions(-)

--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -32,6 +32,8 @@
 #define SLAB_HWCACHE_ALIGN	((slab_flags_t __force)0x00002000U)
 /* Use GFP_DMA memory */
 #define SLAB_CACHE_DMA		((slab_flags_t __force)0x00004000U)
+/* Use GFP_DMA32 memory */
+#define SLAB_CACHE_DMA32	((slab_flags_t __force)0x00008000U)
 /* DEBUG: Store the last owner for bug hunting */
 #define SLAB_STORE_USER		((slab_flags_t __force)0x00010000U)
 /* Panic if kmem_cache_create() fails */
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -2124,6 +2124,8 @@ done:
 	cachep->allocflags = __GFP_COMP;
 	if (flags & SLAB_CACHE_DMA)
 		cachep->allocflags |= GFP_DMA;
+	if (flags & SLAB_CACHE_DMA32)
+		cachep->allocflags |= GFP_DMA32;
 	if (flags & SLAB_RECLAIM_ACCOUNT)
 		cachep->allocflags |= __GFP_RECLAIMABLE;
 	cachep->size = size;
--- a/mm/slab.h
+++ b/mm/slab.h
@@ -127,7 +127,8 @@ static inline slab_flags_t kmem_cache_fl
 
 
 /* Legal flag mask for kmem_cache_create(), for various configurations */
-#define SLAB_CORE_FLAGS (SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA | SLAB_PANIC | \
+#define SLAB_CORE_FLAGS (SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA | \
+			 SLAB_CACHE_DMA32 | SLAB_PANIC | \
 			 SLAB_TYPESAFE_BY_RCU | SLAB_DEBUG_OBJECTS )
 
 #if defined(CONFIG_DEBUG_SLAB)
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -53,7 +53,7 @@ static DECLARE_WORK(slab_caches_to_rcu_d
 		SLAB_FAILSLAB | SLAB_KASAN)
 
 #define SLAB_MERGE_SAME (SLAB_RECLAIM_ACCOUNT | SLAB_CACHE_DMA | \
-			 SLAB_ACCOUNT)
+			 SLAB_CACHE_DMA32 | SLAB_ACCOUNT)
 
 /*
  * Merge control. If this is set then no merging of slab caches will occur.
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3539,6 +3539,9 @@ static int calculate_sizes(struct kmem_c
 	if (s->flags & SLAB_CACHE_DMA)
 		s->allocflags |= GFP_DMA;
 
+	if (s->flags & SLAB_CACHE_DMA32)
+		s->allocflags |= GFP_DMA32;
+
 	if (s->flags & SLAB_RECLAIM_ACCOUNT)
 		s->allocflags |= __GFP_RECLAIMABLE;
 
@@ -5633,6 +5636,8 @@ static char *create_unique_id(struct kme
 	 */
 	if (s->flags & SLAB_CACHE_DMA)
 		*p++ = 'd';
+	if (s->flags & SLAB_CACHE_DMA32)
+		*p++ = 'D';
 	if (s->flags & SLAB_RECLAIM_ACCOUNT)
 		*p++ = 'a';
 	if (s->flags & SLAB_CONSISTENCY_CHECKS)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 112/134] iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 111/134] mm: add support for kmem caches in DMA32 zone Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 113/134] mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Boichat, Will Deacon,
	Christoph Hellwig, Christoph Lameter, David Rientjes,
	Hsin-Yi Wang, Huaisheng Ye, Joerg Roedel, Joonsoo Kim,
	Matthew Wilcox, Matthias Brugger, Mel Gorman, Michal Hocko,
	Mike Rapoport, Pekka Enberg, Robin Murphy, Sasha Levin,
	Tomasz Figa, Vlastimil Babka, Yingjoe Chen, Yong Wu,
	Andrew Morton, Linus Torvalds

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Boichat <drinkcat@chromium.org>

commit 0a352554da69b02f75ca3389c885c741f1f63235 upstream.

IOMMUs using ARMv7 short-descriptor format require page tables (level 1
and 2) to be allocated within the first 4GB of RAM, even on 64-bit
systems.

For level 1/2 pages, ensure GFP_DMA32 is used if CONFIG_ZONE_DMA32 is
defined (e.g.  on arm64 platforms).

For level 2 pages, allocate a slab cache in SLAB_CACHE_DMA32.  Note that
we do not explicitly pass GFP_DMA[32] to kmem_cache_zalloc, as this is
not strictly necessary, and would cause a warning in mm/sl*b.c, as we
did not update GFP_SLAB_BUG_MASK.

Also, print an error when the physical address does not fit in
32-bit, to make debugging easier in the future.

Link: http://lkml.kernel.org/r/20181210011504.122604-3-drinkcat@chromium.org
Fixes: ad67f5a6545f ("arm64: replace ZONE_DMA with ZONE_DMA32")
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Hsin-Yi Wang <hsinyi@chromium.org>
Cc: Huaisheng Ye <yehs1@lenovo.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Sasha Levin <Alexander.Levin@microsoft.com>
Cc: Tomasz Figa <tfiga@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Yingjoe Chen <yingjoe.chen@mediatek.com>
Cc: Yong Wu <yong.wu@mediatek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iommu/io-pgtable-arm-v7s.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/iommu/io-pgtable-arm-v7s.c
+++ b/drivers/iommu/io-pgtable-arm-v7s.c
@@ -161,6 +161,14 @@
 
 #define ARM_V7S_TCR_PD1			BIT(5)
 
+#ifdef CONFIG_ZONE_DMA32
+#define ARM_V7S_TABLE_GFP_DMA GFP_DMA32
+#define ARM_V7S_TABLE_SLAB_FLAGS SLAB_CACHE_DMA32
+#else
+#define ARM_V7S_TABLE_GFP_DMA GFP_DMA
+#define ARM_V7S_TABLE_SLAB_FLAGS SLAB_CACHE_DMA
+#endif
+
 typedef u32 arm_v7s_iopte;
 
 static bool selftest_running;
@@ -198,13 +206,16 @@ static void *__arm_v7s_alloc_table(int l
 	void *table = NULL;
 
 	if (lvl == 1)
-		table = (void *)__get_dma_pages(__GFP_ZERO, get_order(size));
+		table = (void *)__get_free_pages(
+			__GFP_ZERO | ARM_V7S_TABLE_GFP_DMA, get_order(size));
 	else if (lvl == 2)
-		table = kmem_cache_zalloc(data->l2_tables, gfp | GFP_DMA);
+		table = kmem_cache_zalloc(data->l2_tables, gfp);
 	phys = virt_to_phys(table);
-	if (phys != (arm_v7s_iopte)phys)
+	if (phys != (arm_v7s_iopte)phys) {
 		/* Doesn't fit in PTE */
+		dev_err(dev, "Page table does not fit in PTE: %pa", &phys);
 		goto out_free;
+	}
 	if (table && !(cfg->quirks & IO_PGTABLE_QUIRK_NO_DMA)) {
 		dma = dma_map_single(dev, table, size, DMA_TO_DEVICE);
 		if (dma_mapping_error(dev, dma))
@@ -728,7 +739,7 @@ static struct io_pgtable *arm_v7s_alloc_
 	data->l2_tables = kmem_cache_create("io-pgtable_armv7s_l2",
 					    ARM_V7S_TABLE_SIZE(2),
 					    ARM_V7S_TABLE_SIZE(2),
-					    SLAB_CACHE_DMA, NULL);
+					    ARM_V7S_TABLE_SLAB_FLAGS, NULL);
 	if (!data->l2_tables)
 		goto out_free_data;
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 113/134] mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 112/134] iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 114/134] mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Shi, Oscar Salvador,
	Cyril Hrubis, Kirill A. Shutemov, Rafael Aquini, David Rientjes,
	Vlastimil Babka, Andrew Morton, Linus Torvalds

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Shi <yang.shi@linux.alibaba.com>

commit a7f40cfe3b7ada57af9b62fd28430eeb4a7cfcb7 upstream.

When MPOL_MF_STRICT was specified and an existing page was already on a
node that does not follow the policy, mbind() should return -EIO.  But
commit 6f4576e3687b ("mempolicy: apply page table walker on
queue_pages_range()") broke the rule.

And commit c8633798497c ("mm: mempolicy: mbind and migrate_pages support
thp migration") didn't return the correct value for THP mbind() too.

If MPOL_MF_STRICT is set, ignore vma_migratable() to make sure it
reaches queue_pages_to_pte_range() or queue_pages_pmd() to check if an
existing page was already on a node that does not follow the policy.
And, non-migratable vma may be used, return -EIO too if MPOL_MF_MOVE or
MPOL_MF_MOVE_ALL was specified.

Tested with https://github.com/metan-ucw/ltp/blob/master/testcases/kernel/syscalls/mbind/mbind02.c

[akpm@linux-foundation.org: tweak code comment]
Link: http://lkml.kernel.org/r/1553020556-38583-1-git-send-email-yang.shi@linux.alibaba.com
Fixes: 6f4576e3687b ("mempolicy: apply page table walker on queue_pages_range()")
Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
Signed-off-by: Oscar Salvador <osalvador@suse.de>
Reported-by: Cyril Hrubis <chrubis@suse.cz>
Suggested-by: Kirill A. Shutemov <kirill@shutemov.name>
Acked-by: Rafael Aquini <aquini@redhat.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/mempolicy.c |   40 +++++++++++++++++++++++++++++++++-------
 1 file changed, 33 insertions(+), 7 deletions(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -428,6 +428,13 @@ static inline bool queue_pages_required(
 	return node_isset(nid, *qp->nmask) == !(flags & MPOL_MF_INVERT);
 }
 
+/*
+ * queue_pages_pmd() has three possible return values:
+ * 1 - pages are placed on the right node or queued successfully.
+ * 0 - THP was split.
+ * -EIO - is migration entry or MPOL_MF_STRICT was specified and an existing
+ *        page was already on a node that does not follow the policy.
+ */
 static int queue_pages_pmd(pmd_t *pmd, spinlock_t *ptl, unsigned long addr,
 				unsigned long end, struct mm_walk *walk)
 {
@@ -437,7 +444,7 @@ static int queue_pages_pmd(pmd_t *pmd, s
 	unsigned long flags;
 
 	if (unlikely(is_pmd_migration_entry(*pmd))) {
-		ret = 1;
+		ret = -EIO;
 		goto unlock;
 	}
 	page = pmd_page(*pmd);
@@ -454,8 +461,15 @@ static int queue_pages_pmd(pmd_t *pmd, s
 	ret = 1;
 	flags = qp->flags;
 	/* go to thp migration */
-	if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL))
+	if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) {
+		if (!vma_migratable(walk->vma)) {
+			ret = -EIO;
+			goto unlock;
+		}
+
 		migrate_page_add(page, qp->pagelist, flags);
+	} else
+		ret = -EIO;
 unlock:
 	spin_unlock(ptl);
 out:
@@ -480,8 +494,10 @@ static int queue_pages_pte_range(pmd_t *
 	ptl = pmd_trans_huge_lock(pmd, vma);
 	if (ptl) {
 		ret = queue_pages_pmd(pmd, ptl, addr, end, walk);
-		if (ret)
+		if (ret > 0)
 			return 0;
+		else if (ret < 0)
+			return ret;
 	}
 
 	if (pmd_trans_unstable(pmd))
@@ -502,11 +518,16 @@ static int queue_pages_pte_range(pmd_t *
 			continue;
 		if (!queue_pages_required(page, qp))
 			continue;
-		migrate_page_add(page, qp->pagelist, flags);
+		if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) {
+			if (!vma_migratable(vma))
+				break;
+			migrate_page_add(page, qp->pagelist, flags);
+		} else
+			break;
 	}
 	pte_unmap_unlock(pte - 1, ptl);
 	cond_resched();
-	return 0;
+	return addr != end ? -EIO : 0;
 }
 
 static int queue_pages_hugetlb(pte_t *pte, unsigned long hmask,
@@ -576,7 +597,12 @@ static int queue_pages_test_walk(unsigne
 	unsigned long endvma = vma->vm_end;
 	unsigned long flags = qp->flags;
 
-	if (!vma_migratable(vma))
+	/*
+	 * Need check MPOL_MF_STRICT to return -EIO if possible
+	 * regardless of vma_migratable
+	 */
+	if (!vma_migratable(vma) &&
+	    !(flags & MPOL_MF_STRICT))
 		return 1;
 
 	if (endvma > end)
@@ -603,7 +629,7 @@ static int queue_pages_test_walk(unsigne
 	}
 
 	/* queue pages from current vma */
-	if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL))
+	if (flags & MPOL_MF_VALID)
 		return 0;
 	return 1;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 114/134] mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 113/134] mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 115/134] perf pmu: Fix parser error for uncore event alias Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars Persson, Paul Burton,
	Mel Gorman, Ralf Baechle, Andrew Morton, Linus Torvalds

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lars Persson <lars.persson@axis.com>

commit d2b2c6dd227ba5b8a802858748ec9a780cb75b47 upstream.

Our MIPS 1004Kc SoCs were seeing random userspace crashes with SIGILL
and SIGSEGV that could not be traced back to a userspace code bug.  They
had all the magic signs of an I/D cache coherency issue.

Now recently we noticed that the /proc/sys/vm/compact_memory interface
was quite efficient at provoking this class of userspace crashes.

Studying the code in mm/migrate.c there is a distinction made between
migrating a page that is mapped at the instant of migration and one that
is not mapped.  Our problem turned out to be the non-mapped pages.

For the non-mapped page the code performs a copy of the page content and
all relevant meta-data of the page without doing the required D-cache
maintenance.  This leaves dirty data in the D-cache of the CPU and on
the 1004K cores this data is not visible to the I-cache.  A subsequent
page-fault that triggers a mapping of the page will happily serve the
process with potentially stale code.

What about ARM then, this bug should have seen greater exposure? Well
ARM became immune to this flaw back in 2010, see commit c01778001a4f
("ARM: 6379/1: Assume new page cache pages have dirty D-cache").

My proposed fix moves the D-cache maintenance inside move_to_new_page to
make it common for both cases.

Link: http://lkml.kernel.org/r/20190315083502.11849-1-larper@axis.com
Fixes: 97ee0524614 ("flush cache before installing new page at migraton")
Signed-off-by: Lars Persson <larper@axis.com>
Reviewed-by: Paul Burton <paul.burton@mips.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/migrate.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -248,10 +248,8 @@ static bool remove_migration_pte(struct
 				pte = swp_entry_to_pte(entry);
 			} else if (is_device_public_page(new)) {
 				pte = pte_mkdevmap(pte);
-				flush_dcache_page(new);
 			}
-		} else
-			flush_dcache_page(new);
+		}
 
 #ifdef CONFIG_HUGETLB_PAGE
 		if (PageHuge(new)) {
@@ -983,6 +981,13 @@ static int move_to_new_page(struct page
 		 */
 		if (!PageMappingFlags(page))
 			page->mapping = NULL;
+
+		if (unlikely(is_zone_device_page(newpage))) {
+			if (is_device_public_page(newpage))
+				flush_dcache_page(newpage);
+		} else
+			flush_dcache_page(newpage);
+
 	}
 out:
 	return rc;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 115/134] perf pmu: Fix parser error for uncore event alias
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 114/134] mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 116/134] perf intel-pt: Fix TSC slip Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kan Liang, Jiri Olsa, Andi Kleen,
	Thomas Richter, Arnaldo Carvalho de Melo

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kan Liang <kan.liang@linux.intel.com>

commit e94d6b7f615e6dfbaf9fba7db6011db561461d0c upstream.

Perf fails to parse uncore event alias, for example:

  # perf stat -e unc_m_clockticks -a --no-merge sleep 1
  event syntax error: 'unc_m_clockticks'
                       \___ parser error

Current code assumes that the event alias is from one specific PMU.

To find the PMU, perf strcmps the PMU name of event alias with the real
PMU name on the system.

However, the uncore event alias may be from multiple PMUs with common
prefix. The PMU name of uncore event alias is the common prefix.

For example, UNC_M_CLOCKTICKS is clock event for iMC, which include 6
PMUs with the same prefix "uncore_imc" on a skylake server.

The real PMU names on the system for iMC are uncore_imc_0 ...
uncore_imc_5.

The strncmp is used to only check the common prefix for uncore event
alias.

With the patch:

  # perf stat -e unc_m_clockticks -a --no-merge sleep 1
  Performance counter stats for 'system wide':

       723,594,722      unc_m_clockticks [uncore_imc_5]
       724,001,954      unc_m_clockticks [uncore_imc_3]
       724,042,655      unc_m_clockticks [uncore_imc_1]
       724,161,001      unc_m_clockticks [uncore_imc_4]
       724,293,713      unc_m_clockticks [uncore_imc_2]
       724,340,901      unc_m_clockticks [uncore_imc_0]

       1.002090060 seconds time elapsed

Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Thomas Richter <tmricht@linux.ibm.com>
Cc: stable@vger.kernel.org
Fixes: ea1fa48c055f ("perf stat: Handle different PMU names with common prefix")
Link: http://lkml.kernel.org/r/1552672814-156173-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/pmu.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/tools/perf/util/pmu.c
+++ b/tools/perf/util/pmu.c
@@ -773,10 +773,20 @@ static void pmu_add_cpu_aliases(struct l
 
 		if (!is_arm_pmu_core(name)) {
 			pname = pe->pmu ? pe->pmu : "cpu";
+
+			/*
+			 * uncore alias may be from different PMU
+			 * with common prefix
+			 */
+			if (pmu_is_uncore(name) &&
+			    !strncmp(pname, name, strlen(pname)))
+				goto new_alias;
+
 			if (strcmp(pname, name))
 				continue;
 		}
 
+new_alias:
 		/* need type casts to override 'const' */
 		__perf_pmu__new_alias(head, NULL, (char *)pe->name,
 				(char *)pe->desc, (char *)pe->event,



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 116/134] perf intel-pt: Fix TSC slip
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 115/134] perf pmu: Fix parser error for uncore event alias Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 117/134] objtool: Query pkg-config for libelf location Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit f3b4e06b3bda759afd042d3d5fa86bea8f1fe278 upstream.

A TSC packet can slip past MTC packets so that the timestamp appears to
go backwards. One estimate is that can be up to about 40 CPU cycles,
which is certainly less than 0x1000 TSC ticks, but accept slippage an
order of magnitude more to be on the safe side.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 79b58424b821c ("perf tools: Add Intel PT support for decoding MTC packets")
Link: http://lkml.kernel.org/r/20190325135135.18348-1-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |   20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
@@ -251,19 +251,15 @@ struct intel_pt_decoder *intel_pt_decode
 		if (!(decoder->tsc_ctc_ratio_n % decoder->tsc_ctc_ratio_d))
 			decoder->tsc_ctc_mult = decoder->tsc_ctc_ratio_n /
 						decoder->tsc_ctc_ratio_d;
-
-		/*
-		 * Allow for timestamps appearing to backwards because a TSC
-		 * packet has slipped past a MTC packet, so allow 2 MTC ticks
-		 * or ...
-		 */
-		decoder->tsc_slip = multdiv(2 << decoder->mtc_shift,
-					decoder->tsc_ctc_ratio_n,
-					decoder->tsc_ctc_ratio_d);
 	}
-	/* ... or 0x100 paranoia */
-	if (decoder->tsc_slip < 0x100)
-		decoder->tsc_slip = 0x100;
+
+	/*
+	 * A TSC packet can slip past MTC packets so that the timestamp appears
+	 * to go backwards. One estimate is that can be up to about 40 CPU
+	 * cycles, which is certainly less than 0x1000 TSC ticks, but accept
+	 * slippage an order of magnitude more to be on the safe side.
+	 */
+	decoder->tsc_slip = 0x10000;
 
 	intel_pt_log("timestamp: mtc_shift %u\n", decoder->mtc_shift);
 	intel_pt_log("timestamp: tsc_ctc_ratio_n %u\n", decoder->tsc_ctc_ratio_n);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 117/134] objtool: Query pkg-config for libelf location
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 116/134] perf intel-pt: Fix TSC slip Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 118/134] powerpc/pseries/energy: Use OF accessor functions to read ibm,drc-indexes Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rolf Eike Beer, Josh Poimboeuf,
	Thomas Gleixner

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rolf Eike Beer <eb@emlix.com>

commit 056d28d135bca0b1d0908990338e00e9dadaf057 upstream.

If it is not in the default location, compilation fails at several points.

Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/91a25e992566a7968fedc89ec80e7f4c83ad0548.1553622500.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Makefile               |    4 +++-
 tools/objtool/Makefile |    7 +++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

--- a/Makefile
+++ b/Makefile
@@ -948,9 +948,11 @@ mod_sign_cmd = true
 endif
 export mod_sign_cmd
 
+HOST_LIBELF_LIBS = $(shell pkg-config libelf --libs 2>/dev/null || echo -lelf)
+
 ifdef CONFIG_STACK_VALIDATION
   has_libelf := $(call try-run,\
-		echo "int main() {}" | $(HOSTCC) -xc -o /dev/null -lelf -,1,0)
+		echo "int main() {}" | $(HOSTCC) -xc -o /dev/null $(HOST_LIBELF_LIBS) -,1,0)
   ifeq ($(has_libelf),1)
     objtool_target := tools/objtool FORCE
   else
--- a/tools/objtool/Makefile
+++ b/tools/objtool/Makefile
@@ -25,14 +25,17 @@ LIBSUBCMD		= $(LIBSUBCMD_OUTPUT)libsubcm
 OBJTOOL    := $(OUTPUT)objtool
 OBJTOOL_IN := $(OBJTOOL)-in.o
 
+LIBELF_FLAGS := $(shell pkg-config libelf --cflags 2>/dev/null)
+LIBELF_LIBS  := $(shell pkg-config libelf --libs 2>/dev/null || echo -lelf)
+
 all: $(OBJTOOL)
 
 INCLUDES := -I$(srctree)/tools/include \
 	    -I$(srctree)/tools/arch/$(HOSTARCH)/include/uapi \
 	    -I$(srctree)/tools/objtool/arch/$(ARCH)/include
 WARNINGS := $(EXTRA_WARNINGS) -Wno-switch-default -Wno-switch-enum -Wno-packed
-CFLAGS   += -Werror $(WARNINGS) $(KBUILD_HOSTCFLAGS) -g $(INCLUDES)
-LDFLAGS  += -lelf $(LIBSUBCMD) $(KBUILD_HOSTLDFLAGS)
+CFLAGS   += -Werror $(WARNINGS) $(KBUILD_HOSTCFLAGS) -g $(INCLUDES) $(LIBELF_FLAGS)
+LDFLAGS  += $(LIBELF_LIBS) $(LIBSUBCMD) $(KBUILD_HOSTLDFLAGS)
 
 # Allow old libelf to be used:
 elfshdr := $(shell echo '$(pound)include <libelf.h>' | $(CC) $(CFLAGS) -x c -E - | grep elf_getshdr)



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 118/134] powerpc/pseries/energy: Use OF accessor functions to read ibm,drc-indexes
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 117/134] objtool: Query pkg-config for libelf location Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 119/134] powerpc/64: Fix memcmp reading past the end of src/dest Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavithra R. Prakash,
	Gautham R. Shenoy, Vaidyanathan Srinivasan, Michael Ellerman

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gautham R. Shenoy <ego@linux.vnet.ibm.com>

commit ce9afe08e71e3f7d64f337a6e932e50849230fc2 upstream.

In cpu_to_drc_index() in the case when FW_FEATURE_DRC_INFO is absent,
we currently use of_read_property() to obtain the pointer to the array
corresponding to the property "ibm,drc-indexes". The elements of this
array are of type __be32, but are accessed without any conversion to
the OS-endianness, which is buggy on a Little Endian OS.

Fix this by using of_property_read_u32_index() accessor function to
safely read the elements of the array.

Fixes: e83636ac3334 ("pseries/drc-info: Search DRC properties for CPU indexes")
Cc: stable@vger.kernel.org # v4.16+
Reported-by: Pavithra R. Prakash <pavrampu@in.ibm.com>
Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
Reviewed-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
[mpe: Make the WARN_ON a WARN_ON_ONCE so it's not retriggerable]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/pseries/pseries_energy.c |   27 ++++++++++++++++--------
 1 file changed, 18 insertions(+), 9 deletions(-)

--- a/arch/powerpc/platforms/pseries/pseries_energy.c
+++ b/arch/powerpc/platforms/pseries/pseries_energy.c
@@ -77,18 +77,27 @@ static u32 cpu_to_drc_index(int cpu)
 
 		ret = drc.drc_index_start + (thread_index * drc.sequential_inc);
 	} else {
-		const __be32 *indexes;
-
-		indexes = of_get_property(dn, "ibm,drc-indexes", NULL);
-		if (indexes == NULL)
-			goto err_of_node_put;
+		u32 nr_drc_indexes, thread_drc_index;
 
 		/*
-		 * The first element indexes[0] is the number of drc_indexes
-		 * returned in the list.  Hence thread_index+1 will get the
-		 * drc_index corresponding to core number thread_index.
+		 * The first element of ibm,drc-indexes array is the
+		 * number of drc_indexes returned in the list.  Hence
+		 * thread_index+1 will get the drc_index corresponding
+		 * to core number thread_index.
 		 */
-		ret = indexes[thread_index + 1];
+		rc = of_property_read_u32_index(dn, "ibm,drc-indexes",
+						0, &nr_drc_indexes);
+		if (rc)
+			goto err_of_node_put;
+
+		WARN_ON_ONCE(thread_index > nr_drc_indexes);
+		rc = of_property_read_u32_index(dn, "ibm,drc-indexes",
+						thread_index + 1,
+						&thread_drc_index);
+		if (rc)
+			goto err_of_node_put;
+
+		ret = thread_drc_index;
 	}
 
 	rc = 0;



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 119/134] powerpc/64: Fix memcmp reading past the end of src/dest
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 118/134] powerpc/pseries/energy: Use OF accessor functions to read ibm,drc-indexes Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 120/134] watchdog: Respect watchdog cpumask on CPU hotplug Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chandan Rajendra, Michael Ellerman,
	Segher Boessenkool

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit d9470757398a700d9450a43508000bcfd010c7a4 upstream.

Chandan reported that fstests' generic/026 test hit a crash:

  BUG: Unable to handle kernel data access at 0xc00000062ac40000
  Faulting instruction address: 0xc000000000092240
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE SMP NR_CPUS=2048 DEBUG_PAGEALLOC NUMA pSeries
  CPU: 0 PID: 27828 Comm: chacl Not tainted 5.0.0-rc2-next-20190115-00001-g6de6dba64dda #1
  NIP:  c000000000092240 LR: c00000000066a55c CTR: 0000000000000000
  REGS: c00000062c0c3430 TRAP: 0300   Not tainted  (5.0.0-rc2-next-20190115-00001-g6de6dba64dda)
  MSR:  8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 44000842  XER: 20000000
  CFAR: 00007fff7f3108ac DAR: c00000062ac40000 DSISR: 40000000 IRQMASK: 0
  GPR00: 0000000000000000 c00000062c0c36c0 c0000000017f4c00 c00000000121a660
  GPR04: c00000062ac3fff9 0000000000000004 0000000000000020 00000000275b19c4
  GPR08: 000000000000000c 46494c4500000000 5347495f41434c5f c0000000026073a0
  GPR12: 0000000000000000 c0000000027a0000 0000000000000000 0000000000000000
  GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  GPR20: c00000062ea70020 c00000062c0c38d0 0000000000000002 0000000000000002
  GPR24: c00000062ac3ffe8 00000000275b19c4 0000000000000001 c00000062ac30000
  GPR28: c00000062c0c38d0 c00000062ac30050 c00000062ac30058 0000000000000000
  NIP memcmp+0x120/0x690
  LR  xfs_attr3_leaf_lookup_int+0x53c/0x5b0
  Call Trace:
    xfs_attr3_leaf_lookup_int+0x78/0x5b0 (unreliable)
    xfs_da3_node_lookup_int+0x32c/0x5a0
    xfs_attr_node_addname+0x170/0x6b0
    xfs_attr_set+0x2ac/0x340
    __xfs_set_acl+0xf0/0x230
    xfs_set_acl+0xd0/0x160
    set_posix_acl+0xc0/0x130
    posix_acl_xattr_set+0x68/0x110
    __vfs_setxattr+0xa4/0x110
    __vfs_setxattr_noperm+0xac/0x240
    vfs_setxattr+0x128/0x130
    setxattr+0x248/0x600
    path_setxattr+0x108/0x120
    sys_setxattr+0x28/0x40
    system_call+0x5c/0x70
  Instruction dump:
  7d201c28 7d402428 7c295040 38630008 38840008 408201f0 4200ffe8 2c050000
  4182ff6c 20c50008 54c61838 7d201c28 <7d402428> 7d293436 7d4a3436 7c295040

The instruction dump decodes as:
  subfic  r6,r5,8
  rlwinm  r6,r6,3,0,28
  ldbrx   r9,0,r3
  ldbrx   r10,0,r4      <-

Which shows us doing an 8 byte load from c00000062ac3fff9, which
crosses the page boundary at c00000062ac40000 and faults.

It's not OK for memcmp to read past the end of the source or
destination buffers if that would cross a page boundary, because we
don't know that the next page is mapped.

As pointed out by Segher, we can read past the end of the source or
destination as long as we don't cross a 4K boundary, because that's
our minimum page size on all platforms.

The bug is in the code at the .Lcmp_rest_lt8bytes label. When we get
there we know that s1 is 8-byte aligned and we have at least 1 byte to
read, so a single 8-byte load won't read past the end of s1 and cross
a page boundary.

But we have to be more careful with s2. So check if it's within 8
bytes of a 4K boundary and if so go to the byte-by-byte loop.

Fixes: 2d9ee327adce ("powerpc/64: Align bytes before fall back to .Lshort in powerpc64 memcmp()")
Cc: stable@vger.kernel.org # v4.19+
Reported-by: Chandan Rajendra <chandan@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Segher Boessenkool <segher@kernel.crashing.org>
Tested-by: Chandan Rajendra <chandan@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/lib/memcmp_64.S |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/arch/powerpc/lib/memcmp_64.S
+++ b/arch/powerpc/lib/memcmp_64.S
@@ -215,11 +215,20 @@ _GLOBAL_TOC(memcmp)
 	beq	.Lzero
 
 .Lcmp_rest_lt8bytes:
-	/* Here we have only less than 8 bytes to compare with. at least s1
-	 * Address is aligned with 8 bytes.
-	 * The next double words are load and shift right with appropriate
-	 * bits.
+	/*
+	 * Here we have less than 8 bytes to compare. At least s1 is aligned to
+	 * 8 bytes, but s2 may not be. We must make sure s2 + 7 doesn't cross a
+	 * page boundary, otherwise we might read past the end of the buffer and
+	 * trigger a page fault. We use 4K as the conservative minimum page
+	 * size. If we detect that case we go to the byte-by-byte loop.
+	 *
+	 * Otherwise the next double word is loaded from s1 and s2, and shifted
+	 * right to compare the appropriate bits.
 	 */
+	clrldi	r6,r4,(64-12)	// r6 = r4 & 0xfff
+	cmpdi	r6,0xff8
+	bgt	.Lshort
+
 	subfic  r6,r5,8
 	slwi	r6,r6,3
 	LD	rA,0,r3



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 120/134] watchdog: Respect watchdog cpumask on CPU hotplug
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 119/134] powerpc/64: Fix memcmp reading past the end of src/dest Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 121/134] cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Coquelin, Thomas Gleixner,
	Peter Zijlstra, Oleg Nesterov, Michael Ellerman, Nicholas Piggin,
	Don Zickus, Ricardo Neri

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 7dd47617114921fdd8c095509e5e7b4373cc44a1 upstream.

The rework of the watchdog core to use cpu_stop_work broke the watchdog
cpumask on CPU hotplug.

The watchdog_enable/disable() functions are now called unconditionally from
the hotplug callback, i.e. even on CPUs which are not in the watchdog
cpumask. As a consequence the watchdog can become unstoppable.

Only invoke them when the plugged CPU is in the watchdog cpumask.

Fixes: 9cf57731b63e ("watchdog/softlockup: Replace "watchdog/%u" threads with cpu_stop_work")
Reported-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1903262245490.1789@nanos.tec.linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/watchdog.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/watchdog.c
+++ b/kernel/watchdog.c
@@ -547,13 +547,15 @@ static void softlockup_start_all(void)
 
 int lockup_detector_online_cpu(unsigned int cpu)
 {
-	watchdog_enable(cpu);
+	if (cpumask_test_cpu(cpu, &watchdog_allowed_mask))
+		watchdog_enable(cpu);
 	return 0;
 }
 
 int lockup_detector_offline_cpu(unsigned int cpu)
 {
-	watchdog_disable(cpu);
+	if (cpumask_test_cpu(cpu, &watchdog_allowed_mask))
+		watchdog_disable(cpu);
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 121/134] cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 120/134] watchdog: Respect watchdog cpumask on CPU hotplug Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 122/134] x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tianyu Lan, Thomas Gleixner,
	Konrad Wilk, Josh Poimboeuf, Mukesh Ojha, Peter Zijlstra,
	Jiri Kosina, Rik van Riel, Andy Lutomirski, Micheal Kelley,
	K. Y. Srinivasan, Linus Torvalds, Borislav Petkov

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 206b92353c839c0b27a0b9bec24195f93fd6cf7a upstream.

Tianyu reported a crash in a CPU hotplug teardown callback when booting a
kernel which has CONFIG_HOTPLUG_CPU disabled with the 'nosmt' boot
parameter.

It turns out that the SMP=y CONFIG_HOTPLUG_CPU=n case has been broken
forever in case that a bringup callback fails. Unfortunately this issue was
not recognized when the CPU hotplug code was reworked, so the shortcoming
just stayed in place.

When a bringup callback fails, the CPU hotplug code rolls back the
operation and takes the CPU offline.

The 'nosmt' command line argument uses a bringup failure to abort the
bringup of SMT sibling CPUs. This partial bringup is required due to the
MCE misdesign on Intel CPUs.

With CONFIG_HOTPLUG_CPU=y the rollback works perfectly fine, but
CONFIG_HOTPLUG_CPU=n lacks essential mechanisms to exercise the low level
teardown of a CPU including the synchronizations in various facilities like
RCU, NOHZ and others.

As a consequence the teardown callbacks which must be executed on the
outgoing CPU within stop machine with interrupts disabled are executed on
the control CPU in interrupt enabled and preemptible context causing the
kernel to crash and burn. The pre state machine code has a different
failure mode which is more subtle and resulting in a less obvious use after
free crash because the control side frees resources which are still in use
by the undead CPU.

But this is not a x86 only problem. Any architecture which supports the
SMP=y HOTPLUG_CPU=n combination suffers from the same issue. It's just less
likely to be triggered because in 99.99999% of the cases all bringup
callbacks succeed.

The easy solution of making HOTPLUG_CPU mandatory for SMP is not working on
all architectures as the following architectures have either no hotplug
support at all or not all subarchitectures support it:

 alpha, arc, hexagon, openrisc, riscv, sparc (32bit), mips (partial).

Crashing the kernel in such a situation is not an acceptable state
either.

Implement a minimal rollback variant by limiting the teardown to the point
where all regular teardown callbacks have been invoked and leave the CPU in
the 'dead' idle state. This has the following consequences:

 - the CPU is brought down to the point where the stop_machine takedown
   would happen.

 - the CPU stays there forever and is idle

 - The CPU is cleared in the CPU active mask, but not in the CPU online
   mask which is a legit state.

 - Interrupts are not forced away from the CPU

 - All facilities which only look at online mask would still see it, but
   that is the case during normal hotplug/unplug operations as well. It's
   just a (way) longer time frame.

This will expose issues, which haven't been exposed before or only seldom,
because now the normally transient state of being non active but online is
a permanent state. In testing this exposed already an issue vs. work queues
where the vmstat code schedules work on the almost dead CPU which ends up
in an unbound workqueue and triggers 'preemtible context' warnings. This is
not a problem of this change, it merily exposes an already existing issue.
Still this is better than crashing fully without a chance to debug it.

This is mainly thought as workaround for those architectures which do not
support HOTPLUG_CPU. All others should enforce HOTPLUG_CPU for SMP.

Fixes: 2e1a3483ce74 ("cpu/hotplug: Split out the state walk into functions")
Reported-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Konrad Wilk <konrad.wilk@oracle.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Mukesh Ojha <mojha@codeaurora.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Rik van Riel <riel@surriel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Micheal Kelley <michael.h.kelley@microsoft.com>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20190326163811.503390616@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cpu.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -533,6 +533,20 @@ static void undo_cpu_up(unsigned int cpu
 		cpuhp_invoke_callback(cpu, st->state, false, NULL, NULL);
 }
 
+static inline bool can_rollback_cpu(struct cpuhp_cpu_state *st)
+{
+	if (IS_ENABLED(CONFIG_HOTPLUG_CPU))
+		return true;
+	/*
+	 * When CPU hotplug is disabled, then taking the CPU down is not
+	 * possible because takedown_cpu() and the architecture and
+	 * subsystem specific mechanisms are not available. So the CPU
+	 * which would be completely unplugged again needs to stay around
+	 * in the current state.
+	 */
+	return st->state <= CPUHP_BRINGUP_CPU;
+}
+
 static int cpuhp_up_callbacks(unsigned int cpu, struct cpuhp_cpu_state *st,
 			      enum cpuhp_state target)
 {
@@ -543,8 +557,10 @@ static int cpuhp_up_callbacks(unsigned i
 		st->state++;
 		ret = cpuhp_invoke_callback(cpu, st->state, true, NULL, NULL);
 		if (ret) {
-			st->target = prev_state;
-			undo_cpu_up(cpu, st);
+			if (can_rollback_cpu(st)) {
+				st->target = prev_state;
+				undo_cpu_up(cpu, st);
+			}
 			break;
 		}
 	}



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 122/134] x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 121/134] cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 123/134] KVM: Reject device ioctls from processes other than the VMs creator Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tianyu Lan, Thomas Gleixner,
	Konrad Wilk, Josh Poimboeuf, Mukesh Ojha, Peter Zijlstra,
	Jiri Kosina, Rik van Riel, Andy Lutomirski, Micheal Kelley,
	K. Y. Srinivasan, Linus Torvalds, Borislav Petkov

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit bebd024e4815b1a170fcd21ead9c2222b23ce9e6 upstream.

The SMT disable 'nosmt' command line argument is not working properly when
CONFIG_HOTPLUG_CPU is disabled. The teardown of the sibling CPUs which are
required to be brought up due to the MCE issues, cannot work. The CPUs are
then kept in a half dead state.

As the 'nosmt' functionality has become popular due to the speculative
hardware vulnerabilities, the half torn down state is not a proper solution
to the problem.

Enforce CONFIG_HOTPLUG_CPU=y when SMP is enabled so the full operation is
possible.

Reported-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Konrad Wilk <konrad.wilk@oracle.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Mukesh Ojha <mojha@codeaurora.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Rik van Riel <riel@surriel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Micheal Kelley <michael.h.kelley@microsoft.com>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20190326163811.598166056@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/Kconfig |    8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2199,14 +2199,8 @@ config RANDOMIZE_MEMORY_PHYSICAL_PADDING
 	   If unsure, leave at the default value.
 
 config HOTPLUG_CPU
-	bool "Support for hot-pluggable CPUs"
+	def_bool y
 	depends on SMP
-	---help---
-	  Say Y here to allow turning CPUs off and on. CPUs can be
-	  controlled through /sys/devices/system/cpu.
-	  ( Note: power management support will enable this option
-	    automatically on SMP systems. )
-	  Say N if you want to disable CPU hotplug.
 
 config BOOTPARAM_HOTPLUG_CPU0
 	bool "Set default setting of cpu0_hotpluggable"



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 123/134] KVM: Reject device ioctls from processes other than the VMs creator
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 122/134] x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 124/134] KVM: x86: update %rip after emulating IO Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit ddba91801aeb5c160b660caed1800eb3aef403f8 upstream.

KVM's API requires thats ioctls must be issued from the same process
that created the VM.  In other words, userspace can play games with a
VM's file descriptors, e.g. fork(), SCM_RIGHTS, etc..., but only the
creator can do anything useful.  Explicitly reject device ioctls that
are issued by a process other than the VM's creator, and update KVM's
API documentation to extend its requirements to device ioctls.

Fixes: 852b6d57dc7f ("kvm: add device control API")
Cc: <stable@vger.kernel.org>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/virtual/kvm/api.txt |   16 +++++++++++-----
 virt/kvm/kvm_main.c               |    3 +++
 2 files changed, 14 insertions(+), 5 deletions(-)

--- a/Documentation/virtual/kvm/api.txt
+++ b/Documentation/virtual/kvm/api.txt
@@ -13,7 +13,7 @@ of a virtual machine.  The ioctls belong
 
  - VM ioctls: These query and set attributes that affect an entire virtual
    machine, for example memory layout.  In addition a VM ioctl is used to
-   create virtual cpus (vcpus).
+   create virtual cpus (vcpus) and devices.
 
    Only run VM ioctls from the same process (address space) that was used
    to create the VM.
@@ -24,6 +24,11 @@ of a virtual machine.  The ioctls belong
    Only run vcpu ioctls from the same thread that was used to create the
    vcpu.
 
+ - device ioctls: These query and set attributes that control the operation
+   of a single device.
+
+   device ioctls must be issued from the same process (address space) that
+   was used to create the VM.
 
 2. File descriptors
 -------------------
@@ -32,10 +37,11 @@ The kvm API is centered around file desc
 open("/dev/kvm") obtains a handle to the kvm subsystem; this handle
 can be used to issue system ioctls.  A KVM_CREATE_VM ioctl on this
 handle will create a VM file descriptor which can be used to issue VM
-ioctls.  A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu
-and return a file descriptor pointing to it.  Finally, ioctls on a vcpu
-fd can be used to control the vcpu, including the important task of
-actually running guest code.
+ioctls.  A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will
+create a virtual cpu or device and return a file descriptor pointing to
+the new resource.  Finally, ioctls on a vcpu or device fd can be used
+to control the vcpu or device.  For vcpus, this includes the important
+task of actually running guest code.
 
 In general file descriptors can be migrated among processes by means
 of fork() and the SCM_RIGHTS facility of unix domain socket.  These
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2815,6 +2815,9 @@ static long kvm_device_ioctl(struct file
 {
 	struct kvm_device *dev = filp->private_data;
 
+	if (dev->kvm->mm != current->mm)
+		return -EIO;
+
 	switch (ioctl) {
 	case KVM_SET_DEVICE_ATTR:
 		return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 124/134] KVM: x86: update %rip after emulating IO
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 123/134] KVM: Reject device ioctls from processes other than the VMs creator Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 125/134] KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jim Mattson, Sean Christopherson,
	Paolo Bonzini

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit 45def77ebf79e2e8942b89ed79294d97ce914fa0 upstream.

Most (all?) x86 platforms provide a port IO based reset mechanism, e.g.
OUT 92h or CF9h.  Userspace may emulate said mechanism, i.e. reset a
vCPU in response to KVM_EXIT_IO, without explicitly announcing to KVM
that it is doing a reset, e.g. Qemu jams vCPU state and resumes running.

To avoid corruping %rip after such a reset, commit 0967b7bf1c22 ("KVM:
Skip pio instruction when it is emulated, not executed") changed the
behavior of PIO handlers, i.e. today's "fast" PIO handling to skip the
instruction prior to exiting to userspace.  Full emulation doesn't need
such tricks becase re-emulating the instruction will naturally handle
%rip being changed to point at the reset vector.

Updating %rip prior to executing to userspace has several drawbacks:

  - Userspace sees the wrong %rip on the exit, e.g. if PIO emulation
    fails it will likely yell about the wrong address.
  - Single step exits to userspace for are effectively dropped as
    KVM_EXIT_DEBUG is overwritten with KVM_EXIT_IO.
  - Behavior of PIO emulation is different depending on whether it
    goes down the fast path or the slow path.

Rather than skip the PIO instruction before exiting to userspace,
snapshot the linear %rip and cancel PIO completion if the current
value does not match the snapshot.  For a 64-bit vCPU, i.e. the most
common scenario, the snapshot and comparison has negligible overhead
as VMCS.GUEST_RIP will be cached regardless, i.e. there is no extra
VMREAD in this case.

All other alternatives to snapshotting the linear %rip that don't
rely on an explicit reset announcenment suffer from one corner case
or another.  For example, canceling PIO completion on any write to
%rip fails if userspace does a save/restore of %rip, and attempting to
avoid that issue by canceling PIO only if %rip changed then fails if PIO
collides with the reset %rip.  Attempting to zero in on the exact reset
vector won't work for APs, which means adding more hooks such as the
vCPU's MP_STATE, and so on and so forth.

Checking for a linear %rip match technically suffers from corner cases,
e.g. userspace could theoretically rewrite the underlying code page and
expect a different instruction to execute, or the guest hardcodes a PIO
reset at 0xfffffff0, but those are far, far outside of what can be
considered normal operation.

Fixes: 432baf60eee3 ("KVM: VMX: use kvm_fast_pio_in for handling IN I/O")
Cc: <stable@vger.kernel.org>
Reported-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/kvm_host.h |    1 +
 arch/x86/kvm/x86.c              |   36 ++++++++++++++++++++++++++----------
 2 files changed, 27 insertions(+), 10 deletions(-)

--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -315,6 +315,7 @@ struct kvm_mmu_page {
 };
 
 struct kvm_pio_request {
+	unsigned long linear_rip;
 	unsigned long count;
 	int in;
 	int port;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6317,14 +6317,27 @@ int kvm_emulate_instruction_from_buffer(
 }
 EXPORT_SYMBOL_GPL(kvm_emulate_instruction_from_buffer);
 
+static int complete_fast_pio_out(struct kvm_vcpu *vcpu)
+{
+	vcpu->arch.pio.count = 0;
+
+	if (unlikely(!kvm_is_linear_rip(vcpu, vcpu->arch.pio.linear_rip)))
+		return 1;
+
+	return kvm_skip_emulated_instruction(vcpu);
+}
+
 static int kvm_fast_pio_out(struct kvm_vcpu *vcpu, int size,
 			    unsigned short port)
 {
 	unsigned long val = kvm_register_read(vcpu, VCPU_REGS_RAX);
 	int ret = emulator_pio_out_emulated(&vcpu->arch.emulate_ctxt,
 					    size, port, &val, 1);
-	/* do not return to emulator after return from userspace */
-	vcpu->arch.pio.count = 0;
+
+	if (!ret) {
+		vcpu->arch.pio.linear_rip = kvm_get_linear_rip(vcpu);
+		vcpu->arch.complete_userspace_io = complete_fast_pio_out;
+	}
 	return ret;
 }
 
@@ -6335,6 +6348,11 @@ static int complete_fast_pio_in(struct k
 	/* We should only ever be called with arch.pio.count equal to 1 */
 	BUG_ON(vcpu->arch.pio.count != 1);
 
+	if (unlikely(!kvm_is_linear_rip(vcpu, vcpu->arch.pio.linear_rip))) {
+		vcpu->arch.pio.count = 0;
+		return 1;
+	}
+
 	/* For size less than 4 we merge, else we zero extend */
 	val = (vcpu->arch.pio.size < 4) ? kvm_register_read(vcpu, VCPU_REGS_RAX)
 					: 0;
@@ -6347,7 +6365,7 @@ static int complete_fast_pio_in(struct k
 				 vcpu->arch.pio.port, &val, 1);
 	kvm_register_write(vcpu, VCPU_REGS_RAX, val);
 
-	return 1;
+	return kvm_skip_emulated_instruction(vcpu);
 }
 
 static int kvm_fast_pio_in(struct kvm_vcpu *vcpu, int size,
@@ -6366,6 +6384,7 @@ static int kvm_fast_pio_in(struct kvm_vc
 		return ret;
 	}
 
+	vcpu->arch.pio.linear_rip = kvm_get_linear_rip(vcpu);
 	vcpu->arch.complete_userspace_io = complete_fast_pio_in;
 
 	return 0;
@@ -6373,16 +6392,13 @@ static int kvm_fast_pio_in(struct kvm_vc
 
 int kvm_fast_pio(struct kvm_vcpu *vcpu, int size, unsigned short port, int in)
 {
-	int ret = kvm_skip_emulated_instruction(vcpu);
+	int ret;
 
-	/*
-	 * TODO: we might be squashing a KVM_GUESTDBG_SINGLESTEP-triggered
-	 * KVM_EXIT_DEBUG here.
-	 */
 	if (in)
-		return kvm_fast_pio_in(vcpu, size, port) && ret;
+		ret = kvm_fast_pio_in(vcpu, size, port);
 	else
-		return kvm_fast_pio_out(vcpu, size, port) && ret;
+		ret = kvm_fast_pio_out(vcpu, size, port);
+	return ret && kvm_skip_emulated_instruction(vcpu);
 }
 EXPORT_SYMBOL_GPL(kvm_fast_pio);
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 125/134] KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 124/134] KVM: x86: update %rip after emulating IO Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 126/134] staging: erofs: fix error handling when failed to read compresssed data Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaoyao Li, Jim Mattson,
	Sean Christopherson, Paolo Bonzini

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit 0cf9135b773bf32fba9dd8e6699c1b331ee4b749 upstream.

The CPUID flag ARCH_CAPABILITIES is unconditioinally exposed to host
userspace for all x86 hosts, i.e. KVM advertises ARCH_CAPABILITIES
regardless of hardware support under the pretense that KVM fully
emulates MSR_IA32_ARCH_CAPABILITIES.  Unfortunately, only VMX hosts
handle accesses to MSR_IA32_ARCH_CAPABILITIES (despite KVM_GET_MSRS
also reporting MSR_IA32_ARCH_CAPABILITIES for all hosts).

Move the MSR_IA32_ARCH_CAPABILITIES handling to common x86 code so
that it's emulated on AMD hosts.

Fixes: 1eaafe91a0df4 ("kvm: x86: IA32_ARCH_CAPABILITIES is always supported")
Cc: stable@vger.kernel.org
Reported-by: Xiaoyao Li <xiaoyao.li@linux.intel.com>
Cc: Jim Mattson <jmattson@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/kvm_host.h |    1 +
 arch/x86/kvm/vmx.c              |   14 --------------
 arch/x86/kvm/x86.c              |   12 ++++++++++++
 3 files changed, 13 insertions(+), 14 deletions(-)

--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -528,6 +528,7 @@ struct kvm_vcpu_arch {
 	bool tpr_access_reporting;
 	u64 ia32_xss;
 	u64 microcode_version;
+	u64 arch_capabilities;
 
 	/*
 	 * Paging state of the vcpu
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -970,7 +970,6 @@ struct vcpu_vmx {
 	u64 		      msr_guest_kernel_gs_base;
 #endif
 
-	u64 		      arch_capabilities;
 	u64 		      spec_ctrl;
 
 	u32 vm_entry_controls_shadow;
@@ -4104,12 +4103,6 @@ static int vmx_get_msr(struct kvm_vcpu *
 
 		msr_info->data = to_vmx(vcpu)->spec_ctrl;
 		break;
-	case MSR_IA32_ARCH_CAPABILITIES:
-		if (!msr_info->host_initiated &&
-		    !guest_cpuid_has(vcpu, X86_FEATURE_ARCH_CAPABILITIES))
-			return 1;
-		msr_info->data = to_vmx(vcpu)->arch_capabilities;
-		break;
 	case MSR_IA32_SYSENTER_CS:
 		msr_info->data = vmcs_read32(GUEST_SYSENTER_CS);
 		break;
@@ -4271,11 +4264,6 @@ static int vmx_set_msr(struct kvm_vcpu *
 		vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD,
 					      MSR_TYPE_W);
 		break;
-	case MSR_IA32_ARCH_CAPABILITIES:
-		if (!msr_info->host_initiated)
-			return 1;
-		vmx->arch_capabilities = data;
-		break;
 	case MSR_IA32_CR_PAT:
 		if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
 			if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
@@ -6666,8 +6654,6 @@ static void vmx_vcpu_setup(struct vcpu_v
 		++vmx->nmsrs;
 	}
 
-	vmx->arch_capabilities = kvm_get_arch_capabilities();
-
 	vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl);
 
 	/* 22.2.1, 20.8.1 */
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2350,6 +2350,11 @@ int kvm_set_msr_common(struct kvm_vcpu *
 		if (msr_info->host_initiated)
 			vcpu->arch.microcode_version = data;
 		break;
+	case MSR_IA32_ARCH_CAPABILITIES:
+		if (!msr_info->host_initiated)
+			return 1;
+		vcpu->arch.arch_capabilities = data;
+		break;
 	case MSR_EFER:
 		return set_efer(vcpu, data);
 	case MSR_K7_HWCR:
@@ -2654,6 +2659,12 @@ int kvm_get_msr_common(struct kvm_vcpu *
 	case MSR_IA32_UCODE_REV:
 		msr_info->data = vcpu->arch.microcode_version;
 		break;
+	case MSR_IA32_ARCH_CAPABILITIES:
+		if (!msr_info->host_initiated &&
+		    !guest_cpuid_has(vcpu, X86_FEATURE_ARCH_CAPABILITIES))
+			return 1;
+		msr_info->data = vcpu->arch.arch_capabilities;
+		break;
 	case MSR_IA32_TSC:
 		msr_info->data = kvm_scale_tsc(vcpu, rdtsc()) + vcpu->arch.tsc_offset;
 		break;
@@ -8501,6 +8512,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
 
 int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
 {
+	vcpu->arch.arch_capabilities = kvm_get_arch_capabilities();
 	kvm_vcpu_mtrr_init(vcpu);
 	vcpu_load(vcpu);
 	kvm_vcpu_reset(vcpu, false);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 126/134] staging: erofs: fix error handling when failed to read compresssed data
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 125/134] KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 127/134] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir() Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chao Yu, Gao Xiang

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gao Xiang <gaoxiang25@huawei.com>

commit b6391ac73400eff38377a4a7364bd3df5efb5178 upstream.

Complete read error handling paths for all three kinds of
compressed pages:

 1) For cache-managed pages, PG_uptodate will be checked since
    read_endio will unlock and SetPageUptodate for these pages;

 2) For inplaced pages, read_endio cannot SetPageUptodate directly
    since it should be used to mark the final decompressed data,
    PG_error will be set with page locked for IO error instead;

 3) For staging pages, PG_error is used, which is similar to
    what we do for inplaced pages.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/staging/erofs/unzip_vle.c |   42 ++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 13 deletions(-)

--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -885,6 +885,7 @@ repeat:
 	overlapped = false;
 	compressed_pages = grp->compressed_pages;
 
+	err = 0;
 	for (i = 0; i < clusterpages; ++i) {
 		unsigned pagenr;
 
@@ -894,26 +895,39 @@ repeat:
 		DBG_BUGON(page == NULL);
 		DBG_BUGON(page->mapping == NULL);
 
-		if (z_erofs_is_stagingpage(page))
-			continue;
+		if (!z_erofs_is_stagingpage(page)) {
 #ifdef EROFS_FS_HAS_MANAGED_CACHE
-		if (page->mapping == mngda) {
-			DBG_BUGON(!PageUptodate(page));
-			continue;
-		}
+			if (page->mapping == mngda) {
+				if (unlikely(!PageUptodate(page)))
+					err = -EIO;
+				continue;
+			}
 #endif
 
-		/* only non-head page could be reused as a compressed page */
-		pagenr = z_erofs_onlinepage_index(page);
+			/*
+			 * only if non-head page can be selected
+			 * for inplace decompression
+			 */
+			pagenr = z_erofs_onlinepage_index(page);
+
+			DBG_BUGON(pagenr >= nr_pages);
+			DBG_BUGON(pages[pagenr]);
+			++sparsemem_pages;
+			pages[pagenr] = page;
 
-		DBG_BUGON(pagenr >= nr_pages);
-		DBG_BUGON(pages[pagenr]);
-		++sparsemem_pages;
-		pages[pagenr] = page;
+			overlapped = true;
+		}
 
-		overlapped = true;
+		/* PG_error needs checking for inplaced and staging pages */
+		if (unlikely(PageError(page))) {
+			DBG_BUGON(PageUptodate(page));
+			err = -EIO;
+		}
 	}
 
+	if (unlikely(err))
+		goto out;
+
 	llen = (nr_pages << PAGE_SHIFT) - work->pageofs;
 
 	if (z_erofs_vle_workgrp_fmt(grp) == Z_EROFS_VLE_WORKGRP_FMT_PLAIN) {
@@ -1082,6 +1096,8 @@ static inline bool recover_managed_page(
 		return true;
 
 	lock_page(page);
+	ClearPageError(page);
+
 	if (unlikely(!PagePrivate(page))) {
 		set_page_private(page, (unsigned long)grp);
 		SetPagePrivate(page);



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 127/134] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 126/134] staging: erofs: fix error handling when failed to read compresssed data Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 128/134] bpf: do not restore dst_reg when cur_state is freed Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gao Xiang, Chao Yu

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gao Xiang <gaoxiang25@huawei.com>

commit 33bac912840fe64dbc15556302537dc6a17cac63 upstream.

After commit 419d6efc50e9, kernel cannot be crashed in the namei
path. However, corrupted nameoff can do harm in the process of
readdir for scenerios without dm-verity as well. Fix it now.

Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/staging/erofs/dir.c |   45 ++++++++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 20 deletions(-)

--- a/drivers/staging/erofs/dir.c
+++ b/drivers/staging/erofs/dir.c
@@ -23,6 +23,21 @@ static const unsigned char erofs_filetyp
 	[EROFS_FT_SYMLINK]	= DT_LNK,
 };
 
+static void debug_one_dentry(unsigned char d_type, const char *de_name,
+			     unsigned int de_namelen)
+{
+#ifdef CONFIG_EROFS_FS_DEBUG
+	/* since the on-disk name could not have the trailing '\0' */
+	unsigned char dbg_namebuf[EROFS_NAME_LEN + 1];
+
+	memcpy(dbg_namebuf, de_name, de_namelen);
+	dbg_namebuf[de_namelen] = '\0';
+
+	debugln("found dirent %s de_len %u d_type %d", dbg_namebuf,
+		de_namelen, d_type);
+#endif
+}
+
 static int erofs_fill_dentries(struct dir_context *ctx,
 	void *dentry_blk, unsigned *ofs,
 	unsigned nameoff, unsigned maxsize)
@@ -33,14 +48,10 @@ static int erofs_fill_dentries(struct di
 	de = dentry_blk + *ofs;
 	while (de < end) {
 		const char *de_name;
-		int de_namelen;
+		unsigned int de_namelen;
 		unsigned char d_type;
-#ifdef CONFIG_EROFS_FS_DEBUG
-		unsigned dbg_namelen;
-		unsigned char dbg_namebuf[EROFS_NAME_LEN];
-#endif
 
-		if (unlikely(de->file_type < EROFS_FT_MAX))
+		if (de->file_type < EROFS_FT_MAX)
 			d_type = erofs_filetype_table[de->file_type];
 		else
 			d_type = DT_UNKNOWN;
@@ -48,26 +59,20 @@ static int erofs_fill_dentries(struct di
 		nameoff = le16_to_cpu(de->nameoff);
 		de_name = (char *)dentry_blk + nameoff;
 
-		de_namelen = unlikely(de + 1 >= end) ?
-			/* last directory entry */
-			strnlen(de_name, maxsize - nameoff) :
-			le16_to_cpu(de[1].nameoff) - nameoff;
+		/* the last dirent in the block? */
+		if (de + 1 >= end)
+			de_namelen = strnlen(de_name, maxsize - nameoff);
+		else
+			de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
 
 		/* a corrupted entry is found */
-		if (unlikely(de_namelen < 0)) {
+		if (unlikely(nameoff + de_namelen > maxsize ||
+			     de_namelen > EROFS_NAME_LEN)) {
 			DBG_BUGON(1);
 			return -EIO;
 		}
 
-#ifdef CONFIG_EROFS_FS_DEBUG
-		dbg_namelen = min(EROFS_NAME_LEN - 1, de_namelen);
-		memcpy(dbg_namebuf, de_name, dbg_namelen);
-		dbg_namebuf[dbg_namelen] = '\0';
-
-		debugln("%s, found de_name %s de_len %d d_type %d", __func__,
-			dbg_namebuf, de_namelen, d_type);
-#endif
-
+		debug_one_dentry(d_type, de_name, de_namelen);
 		if (!dir_emit(ctx, de_name, de_namelen,
 					le64_to_cpu(de->nid), d_type))
 			/* stoped by some reason */



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 128/134] bpf: do not restore dst_reg when cur_state is freed
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 127/134] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir() Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 129/134] drivers: base: Helpers for adding device connection descriptions Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xu Yu, Daniel Borkmann

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yu <xuyu@linux.alibaba.com>

commit 0803278b0b4d8eeb2b461fb698785df65a725d9e upstream.

Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.

Call trace:

  dump_stack+0xbf/0x12e
  print_address_description+0x6a/0x280
  kasan_report+0x237/0x360
  sanitize_ptr_alu+0x85a/0x8d0
  adjust_ptr_min_max_vals+0x8f2/0x1ca0
  adjust_reg_min_max_vals+0x8ed/0x22e0
  do_check+0x1ca6/0x5d00
  bpf_check+0x9ca/0x2570
  bpf_prog_load+0xc91/0x1030
  __se_sys_bpf+0x61e/0x1f00
  do_syscall_64+0xc8/0x550
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fault injection trace:

  kfree+0xea/0x290
  free_func_state+0x4a/0x60
  free_verifier_state+0x61/0xe0
  push_stack+0x216/0x2f0	          <- inject failslab
  sanitize_ptr_alu+0x2b1/0x8d0
  adjust_ptr_min_max_vals+0x8f2/0x1ca0
  adjust_reg_min_max_vals+0x8ed/0x22e0
  do_check+0x1ca6/0x5d00
  bpf_check+0x9ca/0x2570
  bpf_prog_load+0xc91/0x1030
  __se_sys_bpf+0x61e/0x1f00
  do_syscall_64+0xc8/0x550
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

When kzalloc() fails in push_stack(), free_verifier_state() will free
current verifier state. As push_stack() returns, dst_reg was restored
if ptr_is_dst_reg is false. However, as member of the cur_state,
dst_reg is also freed, and error occurs when dereferencing dst_reg.
Simply fix it by testing ret of push_stack() before restoring dst_reg.

Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Signed-off-by: Xu Yu <xuyu@linux.alibaba.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/bpf/verifier.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2815,7 +2815,7 @@ do_sim:
 		*dst_reg = *ptr_reg;
 	}
 	ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
-	if (!ptr_is_dst_reg)
+	if (!ptr_is_dst_reg && ret)
 		*dst_reg = tmp;
 	return !ret ? -EFAULT : 0;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 129/134] drivers: base: Helpers for adding device connection descriptions
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 128/134] bpf: do not restore dst_reg when cur_state is freed Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 130/134] platform: x86: intel_cht_int33fe: Register all connections at once Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Heikki Krogerus

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

commit cd7753d371388e712e3ee52b693459f9b71aaac2 upstream.

Introducing helpers for adding and removing multiple device
connection descriptions at once.

Acked-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/device.h |   24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -774,6 +774,30 @@ void device_connection_add(struct device
 void device_connection_remove(struct device_connection *con);
 
 /**
+ * device_connections_add - Add multiple device connections at once
+ * @cons: Zero terminated array of device connection descriptors
+ */
+static inline void device_connections_add(struct device_connection *cons)
+{
+	struct device_connection *c;
+
+	for (c = cons; c->endpoint[0]; c++)
+		device_connection_add(c);
+}
+
+/**
+ * device_connections_remove - Remove multiple device connections at once
+ * @cons: Zero terminated array of device connection descriptors
+ */
+static inline void device_connections_remove(struct device_connection *cons)
+{
+	struct device_connection *c;
+
+	for (c = cons; c->endpoint[0]; c++)
+		device_connection_remove(c);
+}
+
+/**
  * enum device_link_state - Device link states.
  * @DL_STATE_NONE: The presence of the drivers is not being tracked.
  * @DL_STATE_DORMANT: None of the supplier/consumer drivers is present.



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 130/134] platform: x86: intel_cht_int33fe: Register all connections at once
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 129/134] drivers: base: Helpers for adding device connection descriptions Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 131/134] platform: x86: intel_cht_int33fe: Add connection for the DP alt mode Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Hans de Goede,
	Heikki Krogerus

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

commit 140a4ec4adddda615b4e8e8055ca37a30c7fe5e8 upstream.

We can register all device connection descriptors with a
single call to device_connections_add().

Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/x86/intel_cht_int33fe.c |   14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

--- a/drivers/platform/x86/intel_cht_int33fe.c
+++ b/drivers/platform/x86/intel_cht_int33fe.c
@@ -34,7 +34,7 @@ struct cht_int33fe_data {
 	struct i2c_client *fusb302;
 	struct i2c_client *pi3usb30532;
 	/* Contain a list-head must be per device */
-	struct device_connection connections[3];
+	struct device_connection connections[4];
 };
 
 /*
@@ -184,9 +184,7 @@ static int cht_int33fe_probe(struct i2c_
 	data->connections[2].endpoint[1] = "intel_xhci_usb_sw-role-switch";
 	data->connections[2].id = "usb-role-switch";
 
-	device_connection_add(&data->connections[0]);
-	device_connection_add(&data->connections[1]);
-	device_connection_add(&data->connections[2]);
+	device_connections_add(data->connections);
 
 	memset(&board_info, 0, sizeof(board_info));
 	strlcpy(board_info.type, "typec_fusb302", I2C_NAME_SIZE);
@@ -217,9 +215,7 @@ out_unregister_max17047:
 	if (data->max17047)
 		i2c_unregister_device(data->max17047);
 
-	device_connection_remove(&data->connections[2]);
-	device_connection_remove(&data->connections[1]);
-	device_connection_remove(&data->connections[0]);
+	device_connections_remove(data->connections);
 
 	return -EPROBE_DEFER; /* Wait for the i2c-adapter to load */
 }
@@ -233,9 +229,7 @@ static int cht_int33fe_remove(struct i2c
 	if (data->max17047)
 		i2c_unregister_device(data->max17047);
 
-	device_connection_remove(&data->connections[2]);
-	device_connection_remove(&data->connections[1]);
-	device_connection_remove(&data->connections[0]);
+	device_connections_remove(data->connections);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 131/134] platform: x86: intel_cht_int33fe: Add connection for the DP alt mode
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 130/134] platform: x86: intel_cht_int33fe: Register all connections at once Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 132/134] platform: x86: intel_cht_int33fe: Add connections for the USB Type-C port Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Hans de Goede,
	Heikki Krogerus

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

commit 78d2b54b134ea6059e2b1554ad53fab2300a4cc6 upstream.

Adding a connection for the DisplayPort alternate mode.
PI3USB30532 is used for muxing the port to DisplayPort on
CHT platforms. The connection allows the alternate mode
device to get handle to the mux, and therefore make it
possible to use the USB Type-C connector as DisplayPort.

Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/x86/intel_cht_int33fe.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/platform/x86/intel_cht_int33fe.c
+++ b/drivers/platform/x86/intel_cht_int33fe.c
@@ -34,7 +34,7 @@ struct cht_int33fe_data {
 	struct i2c_client *fusb302;
 	struct i2c_client *pi3usb30532;
 	/* Contain a list-head must be per device */
-	struct device_connection connections[4];
+	struct device_connection connections[5];
 };
 
 /*
@@ -181,8 +181,11 @@ static int cht_int33fe_probe(struct i2c_
 	data->connections[1].endpoint[1] = "i2c-pi3usb30532";
 	data->connections[1].id = "typec-mux";
 	data->connections[2].endpoint[0] = "i2c-fusb302";
-	data->connections[2].endpoint[1] = "intel_xhci_usb_sw-role-switch";
-	data->connections[2].id = "usb-role-switch";
+	data->connections[2].endpoint[1] = "i2c-pi3usb30532";
+	data->connections[2].id = "idff01m01";
+	data->connections[3].endpoint[0] = "i2c-fusb302";
+	data->connections[3].endpoint[1] = "intel_xhci_usb_sw-role-switch";
+	data->connections[3].id = "usb-role-switch";
 
 	device_connections_add(data->connections);
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 132/134] platform: x86: intel_cht_int33fe: Add connections for the USB Type-C port
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 131/134] platform: x86: intel_cht_int33fe: Add connection for the DP alt mode Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 133/134] usb: typec: class: Dont use port parent for getting mux handles Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Hans de Goede,
	Heikki Krogerus

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

commit 495965a1002a0b301bf4fbfd1aed3233f3e7db1b upstream.

Assigning the mux to the USB Type-C port on top of fusb302.
That will prepare this driver for the change in the USB
Type-C class code, where the class driver will assume the
muxes to be always assigned to the ports and not the
controllers.

Once the USB Type-C class driver has been updated, the
connections between the mux and fusb302 can be dropped.

Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/x86/intel_cht_int33fe.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/platform/x86/intel_cht_int33fe.c
+++ b/drivers/platform/x86/intel_cht_int33fe.c
@@ -34,7 +34,7 @@ struct cht_int33fe_data {
 	struct i2c_client *fusb302;
 	struct i2c_client *pi3usb30532;
 	/* Contain a list-head must be per device */
-	struct device_connection connections[5];
+	struct device_connection connections[8];
 };
 
 /*
@@ -187,6 +187,16 @@ static int cht_int33fe_probe(struct i2c_
 	data->connections[3].endpoint[1] = "intel_xhci_usb_sw-role-switch";
 	data->connections[3].id = "usb-role-switch";
 
+	data->connections[4].endpoint[0] = "port0";
+	data->connections[4].endpoint[1] = "i2c-pi3usb30532";
+	data->connections[4].id = "typec-switch";
+	data->connections[5].endpoint[0] = "port0";
+	data->connections[5].endpoint[1] = "i2c-pi3usb30532";
+	data->connections[5].id = "typec-mux";
+	data->connections[6].endpoint[0] = "port0";
+	data->connections[6].endpoint[1] = "i2c-pi3usb30532";
+	data->connections[6].id = "idff01m01";
+
 	device_connections_add(data->connections);
 
 	memset(&board_info, 0, sizeof(board_info));



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 133/134] usb: typec: class: Dont use port parent for getting mux handles
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 132/134] platform: x86: intel_cht_int33fe: Add connections for the USB Type-C port Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 17:02 ` [PATCH 4.19 134/134] platform: x86: intel_cht_int33fe: Remove the old connections for the muxes Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Heikki Krogerus

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

commit 23481121c81d984193edf1532f5e123637e50903 upstream.

It is not possible to use the parent of the port device when
requesting mux handles as the parent may be a multiport USB
Type-C or PD controller. The muxes must be assigned to the
ports, not the controllers.

This will also move the requesting of the muxes after the
port device is initialized.

Acked-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/usb/typec/class.c |   38 +++++++++++++++-----------------------
 1 file changed, 15 insertions(+), 23 deletions(-)

--- a/drivers/usb/typec/class.c
+++ b/drivers/usb/typec/class.c
@@ -1500,7 +1500,7 @@ typec_port_register_altmode(struct typec
 
 	sprintf(id, "id%04xm%02x", desc->svid, desc->mode);
 
-	mux = typec_mux_get(port->dev.parent, id);
+	mux = typec_mux_get(&port->dev, id);
 	if (IS_ERR(mux))
 		return ERR_CAST(mux);
 
@@ -1540,18 +1540,6 @@ struct typec_port *typec_register_port(s
 		return ERR_PTR(id);
 	}
 
-	port->sw = typec_switch_get(cap->fwnode ? &port->dev : parent);
-	if (IS_ERR(port->sw)) {
-		ret = PTR_ERR(port->sw);
-		goto err_switch;
-	}
-
-	port->mux = typec_mux_get(parent, "typec-mux");
-	if (IS_ERR(port->mux)) {
-		ret = PTR_ERR(port->mux);
-		goto err_mux;
-	}
-
 	switch (cap->type) {
 	case TYPEC_PORT_SRC:
 		port->pwr_role = TYPEC_SOURCE;
@@ -1592,13 +1580,26 @@ struct typec_port *typec_register_port(s
 	port->port_type = cap->type;
 	port->prefer_role = cap->prefer_role;
 
+	device_initialize(&port->dev);
 	port->dev.class = typec_class;
 	port->dev.parent = parent;
 	port->dev.fwnode = cap->fwnode;
 	port->dev.type = &typec_port_dev_type;
 	dev_set_name(&port->dev, "port%d", id);
 
-	ret = device_register(&port->dev);
+	port->sw = typec_switch_get(&port->dev);
+	if (IS_ERR(port->sw)) {
+		put_device(&port->dev);
+		return ERR_CAST(port->sw);
+	}
+
+	port->mux = typec_mux_get(&port->dev, "typec-mux");
+	if (IS_ERR(port->mux)) {
+		put_device(&port->dev);
+		return ERR_CAST(port->mux);
+	}
+
+	ret = device_add(&port->dev);
 	if (ret) {
 		dev_err(parent, "failed to register port (%d)\n", ret);
 		put_device(&port->dev);
@@ -1606,15 +1607,6 @@ struct typec_port *typec_register_port(s
 	}
 
 	return port;
-
-err_mux:
-	typec_switch_put(port->sw);
-
-err_switch:
-	ida_simple_remove(&typec_index_ida, port->id);
-	kfree(port);
-
-	return ERR_PTR(ret);
 }
 EXPORT_SYMBOL_GPL(typec_register_port);
 



^ permalink raw reply	[flat|nested] 140+ messages in thread

* [PATCH 4.19 134/134] platform: x86: intel_cht_int33fe: Remove the old connections for the muxes
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 133/134] usb: typec: class: Dont use port parent for getting mux handles Greg Kroah-Hartman
@ 2019-04-01 17:02 ` Greg Kroah-Hartman
  2019-04-01 21:03 ` [PATCH 4.19 000/134] 4.19.33-stable review kernelci.org bot
                   ` (4 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-01 17:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Hans de Goede,
	Heikki Krogerus

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

commit 148b0aa78e4e1077e38f928124bbc9c2d2d24006 upstream.

USB Type-C class driver now expects the muxes to be always
assigned to the ports and not controllers, so the
connections for the mux and fusb302 can be removed.

Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/x86/intel_cht_int33fe.c |   18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

--- a/drivers/platform/x86/intel_cht_int33fe.c
+++ b/drivers/platform/x86/intel_cht_int33fe.c
@@ -34,7 +34,7 @@ struct cht_int33fe_data {
 	struct i2c_client *fusb302;
 	struct i2c_client *pi3usb30532;
 	/* Contain a list-head must be per device */
-	struct device_connection connections[8];
+	struct device_connection connections[5];
 };
 
 /*
@@ -174,29 +174,19 @@ static int cht_int33fe_probe(struct i2c_
 			return -EPROBE_DEFER; /* Wait for i2c-adapter to load */
 	}
 
-	data->connections[0].endpoint[0] = "i2c-fusb302";
+	data->connections[0].endpoint[0] = "port0";
 	data->connections[0].endpoint[1] = "i2c-pi3usb30532";
 	data->connections[0].id = "typec-switch";
-	data->connections[1].endpoint[0] = "i2c-fusb302";
+	data->connections[1].endpoint[0] = "port0";
 	data->connections[1].endpoint[1] = "i2c-pi3usb30532";
 	data->connections[1].id = "typec-mux";
-	data->connections[2].endpoint[0] = "i2c-fusb302";
+	data->connections[2].endpoint[0] = "port0";
 	data->connections[2].endpoint[1] = "i2c-pi3usb30532";
 	data->connections[2].id = "idff01m01";
 	data->connections[3].endpoint[0] = "i2c-fusb302";
 	data->connections[3].endpoint[1] = "intel_xhci_usb_sw-role-switch";
 	data->connections[3].id = "usb-role-switch";
 
-	data->connections[4].endpoint[0] = "port0";
-	data->connections[4].endpoint[1] = "i2c-pi3usb30532";
-	data->connections[4].id = "typec-switch";
-	data->connections[5].endpoint[0] = "port0";
-	data->connections[5].endpoint[1] = "i2c-pi3usb30532";
-	data->connections[5].id = "typec-mux";
-	data->connections[6].endpoint[0] = "port0";
-	data->connections[6].endpoint[1] = "i2c-pi3usb30532";
-	data->connections[6].id = "idff01m01";
-
 	device_connections_add(data->connections);
 
 	memset(&board_info, 0, sizeof(board_info));



^ permalink raw reply	[flat|nested] 140+ messages in thread

* Re: [PATCH 4.19 000/134] 4.19.33-stable review
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2019-04-01 17:02 ` [PATCH 4.19 134/134] platform: x86: intel_cht_int33fe: Remove the old connections for the muxes Greg Kroah-Hartman
@ 2019-04-01 21:03 ` kernelci.org bot
  2019-04-02  9:03 ` Jon Hunter
                   ` (3 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: kernelci.org bot @ 2019-04-01 21:03 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

stable-rc/linux-4.19.y boot: 119 boots: 0 failed, 101 passed with 16 offline, 2 untried/unknown (v4.19.32-135-g64b7b716f98c)

Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.19.y/kernel/v4.19.32-135-g64b7b716f98c/
Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.19.y/kernel/v4.19.32-135-g64b7b716f98c/

Tree: stable-rc
Branch: linux-4.19.y
Git Describe: v4.19.32-135-g64b7b716f98c
Git Commit: 64b7b716f98c53b01d6f52f160cd50a281fc0612
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Tested: 66 unique boards, 24 SoC families, 14 builds out of 206

Offline Platforms:

arm:

    bcm2835_defconfig:
        gcc-7
            bcm2835-rpi-b: 1 offline lab

    multi_v7_defconfig:
        gcc-7
            alpine-db: 1 offline lab
            at91-sama5d4_xplained: 1 offline lab
            qcom-apq8064-cm-qs600: 1 offline lab
            qcom-apq8064-ifc6410: 1 offline lab
            socfpga_cyclone5_de0_sockit: 1 offline lab
            sun5i-r8-chip: 1 offline lab
            tegra124-jetson-tk1: 1 offline lab

    tegra_defconfig:
        gcc-7
            tegra124-jetson-tk1: 1 offline lab

    sunxi_defconfig:
        gcc-7
            sun5i-r8-chip: 1 offline lab

    sama5_defconfig:
        gcc-7
            at91-sama5d4_xplained: 1 offline lab

    qcom_defconfig:
        gcc-7
            qcom-apq8064-cm-qs600: 1 offline lab
            qcom-apq8064-ifc6410: 1 offline lab

arm64:

    defconfig:
        gcc-7
            apq8016-sbc: 1 offline lab
            juno-r2: 1 offline lab
            mt7622-rfb1: 1 offline lab

---
For more info write to <info@kernelci.org>

^ permalink raw reply	[flat|nested] 140+ messages in thread

* Re: [PATCH 4.19 000/134] 4.19.33-stable review
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2019-04-01 21:03 ` [PATCH 4.19 000/134] 4.19.33-stable review kernelci.org bot
@ 2019-04-02  9:03 ` Jon Hunter
  2019-04-02 11:02 ` Naresh Kamboju
                   ` (2 subsequent siblings)
  138 siblings, 0 replies; 140+ messages in thread
From: Jon Hunter @ 2019-04-02  9:03 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 01/04/2019 18:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.33 release.
> There are 134 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Apr  3 16:59:23 UTC 2019.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.33-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v4.19:
    11 builds:	11 pass, 0 fail
    22 boots:	22 pass, 0 fail
    30 tests:	30 pass, 0 fail

Linux version:	4.19.33-rc1-g01a3983
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 140+ messages in thread

* Re: [PATCH 4.19 000/134] 4.19.33-stable review
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2019-04-02  9:03 ` Jon Hunter
@ 2019-04-02 11:02 ` Naresh Kamboju
  2019-04-02 19:05 ` Guenter Roeck
  2019-04-02 23:34 ` shuah
  138 siblings, 0 replies; 140+ messages in thread
From: Naresh Kamboju @ 2019-04-02 11:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Shuah Khan, patches, lkft-triage, Ben Hutchings,
	linux- stable, Andrew Morton, Linus Torvalds, Guenter Roeck

On Mon, 1 Apr 2019 at 22:44, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.19.33 release.
> There are 134 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Apr  3 16:59:23 UTC 2019.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.33-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.19.33-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.19.y
git commit: 01a3983fac4e760561475e7fa8908721c63be26b
git describe: v4.19.32-135-g01a3983fac4e
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe/build/v4.19.32-135-g01a3983fac4e


No regressions (compared to build v4.19.32)


No fixes (compared to build v4.19.32)

Ran 20417 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* boot
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 140+ messages in thread

* Re: [PATCH 4.19 000/134] 4.19.33-stable review
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2019-04-02 11:02 ` Naresh Kamboju
@ 2019-04-02 19:05 ` Guenter Roeck
  2019-04-02 23:34 ` shuah
  138 siblings, 0 replies; 140+ messages in thread
From: Guenter Roeck @ 2019-04-02 19:05 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Mon, Apr 01, 2019 at 07:00:36PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.33 release.
> There are 134 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Apr  3 16:59:23 UTC 2019.
> Anything received after that time might be too late.
> 

Build results:
	total: 156 pass: 156 fail: 0
Qemu test results:
	total: 345 pass: 345 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 140+ messages in thread

* Re: [PATCH 4.19 000/134] 4.19.33-stable review
  2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2019-04-02 19:05 ` Guenter Roeck
@ 2019-04-02 23:34 ` shuah
  138 siblings, 0 replies; 140+ messages in thread
From: shuah @ 2019-04-02 23:34 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 4/1/19 11:00 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.33 release.
> There are 134 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Apr  3 16:59:23 UTC 2019.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.33-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 140+ messages in thread

end of thread, other threads:[~2019-04-02 23:35 UTC | newest]

Thread overview: 140+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-01 17:00 [PATCH 4.19 000/134] 4.19.33-stable review Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 001/134] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 002/134] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 003/134] ipmi_si: Fix crash when using hard-coded device Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 004/134] dccp: do not use ipv6 header for ipv4 flow Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 005/134] genetlink: Fix a memory leak on error path Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 006/134] gtp: change NET_UDP_TUNNEL dependency to select Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 007/134] ipv6: make ip6_create_rt_rcu return ip6_null_entry instead of NULL Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 008/134] mac8390: Fix mmio access size probe Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 009/134] mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 010/134] net: aquantia: fix rx checksum offload for UDP/TCP over IPv6 Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 011/134] net: datagram: fix unbounded loop in __skb_try_recv_datagram() Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 012/134] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 013/134] net: phy: meson-gxl: fix interrupt support Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 014/134] net: rose: fix a possible stack overflow Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 015/134] net: stmmac: fix memory corruption with large MTUs Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 016/134] net-sysfs: call dev_hold if kobject_init_and_add success Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 017/134] packets: Always register packet sk in the same order Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 018/134] rhashtable: Still do rehash when we get EEXIST Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 019/134] sctp: get sctphdr by offset in sctp_compute_cksum Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 020/134] sctp: use memdup_user instead of vmemdup_user Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 021/134] tcp: do not use ipv6 header for ipv4 flow Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 022/134] tipc: allow service ranges to be connect()ed on RDM/DGRAM Greg Kroah-Hartman
2019-04-01 17:00 ` [PATCH 4.19 023/134] tipc: change to check tipc_own_id to return in tipc_net_stop Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 024/134] tipc: fix cancellation of topology subscriptions Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 025/134] tun: properly test for IFF_UP Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 026/134] vrf: prevent adding upper devices Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 027/134] vxlan: Dont call gro_cells_destroy() before device is unregistered Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 028/134] ila: Fix rhashtable walker list corruption Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 029/134] net: sched: fix cleanup NULL pointer exception in act_mirr Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 030/134] thunderx: enable page recycling for non-XDP case Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 031/134] thunderx: eliminate extra calls to put_page() for pages held for recycling Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 032/134] tun: add a missing rcu_read_unlock() in error path Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 033/134] powerpc/fsl: Add infrastructure to fixup branch predictor flush Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 034/134] powerpc/fsl: Add macro to flush the branch predictor Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 035/134] powerpc/fsl: Emulate SPRN_BUCSR register Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 036/134] powerpc/fsl: Add nospectre_v2 command line argument Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 037/134] powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 038/134] powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 039/134] powerpc/fsl: Flush branch predictor when entering KVM Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 040/134] powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 041/134] powerpc/fsl: Update Spectre v2 reporting Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 042/134] powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 043/134] powerpc/fsl: Fix the flush of branch predictor Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 044/134] powerpc/security: Fix spectre_v2 reporting Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 045/134] Btrfs: fix incorrect file size after shrinking truncate and fsync Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 046/134] btrfs: remove WARN_ON in log_dir_items Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 047/134] btrfs: dont report readahead errors and dont update statistics Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 048/134] btrfs: raid56: properly unmap parity page in finish_parity_scrub() Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 049/134] btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 050/134] Btrfs: fix assertion failure on fsync with NO_HOLES enabled Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 051/134] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 052/134] powerpc: bpf: Fix generation of load/store DW instructions Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 053/134] vfio: ccw: only free cp on final interrupt Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 054/134] NFS: fix mount/umount race in nlmclnt Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 055/134] NFSv4.1 dont free interrupted slot on open Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 056/134] net: dsa: qca8k: remove leftover phy accessors Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 057/134] ALSA: rawmidi: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 058/134] ALSA: seq: oss: Fix " Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 059/134] ALSA: pcm: Fix possible OOB access in PCM oss plugins Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 060/134] ALSA: pcm: Dont suspend stream in unrecoverable PCM state Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 061/134] ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 062/134] ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 063/134] ALSA: hda/realtek: Enable headset MIC of Acer AIO with ALC286 Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 064/134] ALSA: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 " Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 065/134] ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 066/134] ALSA: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256 Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 067/134] ALSA: hda/realtek: Enable headset mic of ASUS P5440FF " Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 068/134] ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK " Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 069/134] ALSA: hda/realtek - Fix speakers on Acer Predator Helios 500 Ryzen laptops Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 070/134] kbuild: modversions: Fix relative CRC byte order interpretation Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 071/134] fs/open.c: allow opening only regular files during execve() Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 072/134] ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 073/134] scsi: sd: Fix a race between closing an sd device and sd I/O Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 074/134] scsi: sd: Quiesce warning if device does not report optimal I/O size Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 075/134] scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 076/134] scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 077/134] drm/rockchip: vop: reset scale mode when win is disabled Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 078/134] tty: mxs-auart: fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 079/134] tty: atmel_serial: " Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 080/134] tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 081/134] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 082/134] staging: speakup_soft: Fix alternate speech with other synths Greg Kroah-Hartman
2019-04-01 17:01 ` [PATCH 4.19 083/134] staging: vt6655: Remove vif check from vnt_interrupt Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 084/134] staging: vt6655: Fix interrupt race condition on device start up Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 085/134] staging: erofs: fix to handle error path of erofs_vmap() Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 086/134] serial: max310x: Fix to avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 087/134] serial: mvebu-uart: Fix to avoid a " Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 088/134] serial: sh-sci: Fix setting SCSCR_TIE while transferring data Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 089/134] USB: serial: cp210x: add new device id Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 090/134] USB: serial: ftdi_sio: add additional NovaTech products Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 091/134] USB: serial: mos7720: fix mos_parport refcount imbalance on error path Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 092/134] USB: serial: option: set driver_info for SIM5218 and compatibles Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 093/134] USB: serial: option: add support for Quectel EM12 Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 094/134] USB: serial: option: add Olicard 600 Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 095/134] Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 096/134] fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 097/134] drm/vgem: fix use-after-free when drm_gem_handle_create() fails Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 098/134] drm/vkms: " Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 099/134] drm/i915/gvt: Fix MI_FLUSH_DW parsing with correct index check Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 100/134] gpio: exar: add a check for the return value of ida_simple_get fails Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 101/134] gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 102/134] phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 103/134] usb: mtu3: fix EXTCON dependency Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 104/134] USB: gadget: f_hid: fix deadlock in f_hidg_write() Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 105/134] usb: common: Consider only available nodes for dr_mode Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 106/134] usb: host: xhci-rcar: Add XHCI_TRUST_TX_LENGTH quirk Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 107/134] xhci: Fix port resume done detection for SS ports with LPM enabled Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 108/134] usb: xhci: dbc: Dont free all memory with spinlock held Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 109/134] xhci: Dont let USB3 ports stuck in polling state prevent suspend Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 110/134] usb: cdc-acm: fix race during wakeup blocking TX traffic Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 111/134] mm: add support for kmem caches in DMA32 zone Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 112/134] iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 113/134] mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 114/134] mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 115/134] perf pmu: Fix parser error for uncore event alias Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 116/134] perf intel-pt: Fix TSC slip Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 117/134] objtool: Query pkg-config for libelf location Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 118/134] powerpc/pseries/energy: Use OF accessor functions to read ibm,drc-indexes Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 119/134] powerpc/64: Fix memcmp reading past the end of src/dest Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 120/134] watchdog: Respect watchdog cpumask on CPU hotplug Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 121/134] cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 122/134] x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 123/134] KVM: Reject device ioctls from processes other than the VMs creator Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 124/134] KVM: x86: update %rip after emulating IO Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 125/134] KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 126/134] staging: erofs: fix error handling when failed to read compresssed data Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 127/134] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir() Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 128/134] bpf: do not restore dst_reg when cur_state is freed Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 129/134] drivers: base: Helpers for adding device connection descriptions Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 130/134] platform: x86: intel_cht_int33fe: Register all connections at once Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 131/134] platform: x86: intel_cht_int33fe: Add connection for the DP alt mode Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 132/134] platform: x86: intel_cht_int33fe: Add connections for the USB Type-C port Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 133/134] usb: typec: class: Dont use port parent for getting mux handles Greg Kroah-Hartman
2019-04-01 17:02 ` [PATCH 4.19 134/134] platform: x86: intel_cht_int33fe: Remove the old connections for the muxes Greg Kroah-Hartman
2019-04-01 21:03 ` [PATCH 4.19 000/134] 4.19.33-stable review kernelci.org bot
2019-04-02  9:03 ` Jon Hunter
2019-04-02 11:02 ` Naresh Kamboju
2019-04-02 19:05 ` Guenter Roeck
2019-04-02 23:34 ` shuah

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).