linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 5.1 00/85] 5.1.8-stable review
@ 2019-06-07 15:38 Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 01/85] sparc64: Fix regression in non-hypervisor TLB flush xcall Greg Kroah-Hartman
                   ` (88 more replies)
  0 siblings, 89 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 5.1.8 release.
There are 85 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun 09 Jun 2019 03:37:09 PM UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.8-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.1.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.1.8-rc1

Nadav Amit <namit@vmware.com>
    x86/kprobes: Set instruction page as executable

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "x86/build: Move _etext to actual end of .text"

Noralf Trønnes <noralf@tronnes.org>
    drm/cma-helper: Fix drm_gem_cma_free_object()

Daniel Vetter <daniel.vetter@ffwll.ch>
    drm/lease: Make sure implicit planes are leased

Vicente Bergas <vicencb@gmail.com>
    drm/rockchip: shutdown drm subsystem on shutdown

Deepak Rawat <drawat@vmware.com>
    drm: Expose "FB_DAMAGE_CLIPS" property to atomic aware user-space only

Daniel Vetter <daniel.vetter@ffwll.ch>
    drm/atomic: Wire file_priv through for property changes

Noralf Trønnes <noralf@tronnes.org>
    drm/fb-helper: generic: Call drm_client_add() after setup is done

Philipp Zabel <p.zabel@pengutronix.de>
    drm/imx: ipuv3-plane: fix atomic update status query for non-plus i.MX6Q

Jernej Skrabec <jernej.skrabec@siol.net>
    drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz

Jernej Skrabec <jernej.skrabec@siol.net>
    drm/sun4i: Fix sun8i HDMI PHY clock initialization

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Fix compat mode shader operation

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Fix user space handle equal to zero

Dmitry Osipenko <digetx@gmail.com>
    drm/tegra: gem: Fix CPU-cache maintenance for BO's allocated using get_pages()

Kees Cook <keescook@chromium.org>
    gcc-plugins: Fix build failures under Darwin host

Benjamin Coddington <bcodding@redhat.com>
    Revert "lockd: Show pid of lockd for remote locks"

Roberto Bergantinos Corpas <rbergant@redhat.com>
    CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM

Colin Ian King <colin.king@canonical.com>
    cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case

Tim Collier <osdevtc@gmail.com>
    staging: wlan-ng: fix adapter initialization failure

Dan Carpenter <dan.carpenter@oracle.com>
    staging: vc04_services: prevent integer overflow in create_pagelist()

George G. Davis <george_davis@mentor.com>
    serial: sh-sci: disable DMA for uart_console

Grzegorz Halat <ghalat@redhat.com>
    vt/fbcon: deinitialize resources in visual_init() after failed memory allocation

Peng Fan <peng.fan@nxp.com>
    clk: imx: imx8mm: fix int pll clk gate

Roberto Sassu <roberto.sassu@huawei.com>
    evm: check hash algorithm passed to init_desc()

Roberto Sassu <roberto.sassu@huawei.com>
    ima: show rules with IMA_INMASK correctly

Petr Vorel <pvorel@suse.cz>
    ima: fix wrong signed policy requirement when not appraising

Scott Wood <swood@redhat.com>
    x86/ima: Check EFI_RUNTIME_SERVICES before using

Jonathan Corbet <corbet@lwn.net>
    doc: Cope with Sphinx logging deprecations

Jonathan Corbet <corbet@lwn.net>
    doc: Cope with the deprecation of AutoReporter

Jonathan Corbet <corbet@lwn.net>
    docs: Fix conf.py for Sphinx 2.0

Catalin Marinas <catalin.marinas@arm.com>
    arm64: Fix the arm64_personality() syscall wrapper redirection

Suzuki K Poulose <suzuki.poulose@arm.com>
    mm, compaction: make sure we isolate a valid PFN

Eric W. Biederman <ebiederm@xmission.com>
    signal/arm64: Use force_sig not force_sig_fault for SIGKILL

Zhenliang Wei <weizhenliang@huawei.com>
    kernel/signal.c: trace_signal_deliver when signal_group_exit

Nathan Chancellor <natechancellor@gmail.com>
    kasan: initialize tag to 0xff in __kasan_kmalloc

Jiri Slaby <jslaby@suse.cz>
    memcg: make it work on sparse non-0-node systems

Chris Down <chris@chrisdown.name>
    mm, memcg: consider subtrees in memory.events

Joe Burmeister <joe.burmeister@devtank.co.uk>
    tty: max310x: Fix external crystal register setup

Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
    tty: serial: msm_serial: Fix XON/XOFF

Masahisa Kojima <masahisa.kojima@linaro.org>
    i2c: synquacer: fix synquacer_i2c_doxfer() return value

Vadim Pasternak <vadimp@mellanox.com>
    i2c: mlxcpld: Fix wrong initialization order in probe

Lyude Paul <lyude@redhat.com>
    drm/nouveau/i2c: Disable i2c bus access after ->fini()

Thomas Huth <thuth@redhat.com>
    KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID

Hui Wang <hui.wang@canonical.com>
    ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Set default power save node to 0

Takashi Iwai <tiwai@suse.de>
    ALSA: line6: Assure canceling delayed work at disconnection

Thiago Jung Bauermann <bauerman@linux.ibm.com>
    powerpc/kexec: Fix loading of kernel + initramfs with kexec_file_load()

Ravi Bangoria <ravi.bangoria@linux.ibm.com>
    powerpc/perf: Fix MMCRA corruption by bhrb_filter

Suraj Jitindar Singh <sjitindarsingh@gmail.com>
    KVM: PPC: Book3S HV: Restore SPRG3 in kvmhv_p9_guest_entry()

Paul Mackerras <paulus@ozlabs.org>
    KVM: PPC: Book3S HV: Fix lockdep warning when entering guest on POWER9

Cédric Le Goater <clg@kaod.org>
    KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of passthrough interrupts

Harald Freudenberger <freude@linux.ibm.com>
    s390/crypto: fix possible sleep during spinlock aquired

Harald Freudenberger <freude@linux.ibm.com>
    s390/crypto: fix gcm-aes-s390 selftest failures

Sean Nyekjaer <sean@geanix.com>
    iio: adc: ti-ads8688: fix timestamp is not updated in buffer

Tomer Maimon <tmaimon77@gmail.com>
    iio: adc: modify NPCM ADC read reference voltage

Vincent Stehlé <vincent.stehle@laposte.net>
    iio: adc: ads124: avoid buffer overflow

Ruslan Babayev <ruslan@babayev.com>
    iio: dac: ds4422/ds4424 fix chip verification

Qu Wenruo <wqu@suse.com>
    btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON()

Filipe Manana <fdmanana@suse.com>
    Btrfs: incremental send, fix file corruption when no-holes feature is enabled

Qu Wenruo <wqu@suse.com>
    btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference

Dennis Zhou <dennis@kernel.org>
    btrfs: correct zstd workspace manager lock to use spin_lock_bh()

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix fsync not persisting changed attributes of a directory

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix race updating log root item during fsync

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix wrong ctime and mtime of a directory after log replay

Tomas Bortoli <tomasbortoli@gmail.com>
    tracing: Avoid memory leak in predicate_parse()

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove

Piotr Figiel <p.figiel@camlintechnologies.com>
    brcmfmac: fix NULL pointer derefence during USB disconnect

Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    media: smsusb: better handle optional alignment

Alan Stern <stern@rowland.harvard.edu>
    media: usb: siano: Fix false-positive "uninitialized variable" warning

Alan Stern <stern@rowland.harvard.edu>
    media: usb: siano: Fix general protection fault in smsusb

Oliver Neukum <oneukum@suse.com>
    USB: rio500: fix memory leak in close after disconnect

Oliver Neukum <oneukum@suse.com>
    USB: rio500: refuse more than one device at a time

Maximilian Luz <luzmaximilian@gmail.com>
    USB: Add LPM quirk for Surface Dock GigE adapter

Oliver Neukum <oneukum@suse.com>
    USB: sisusbvga: fix oops in error path of sisusb_probe

Alan Stern <stern@rowland.harvard.edu>
    USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor

Shuah Khan <skhan@linuxfoundation.org>
    usbip: usbip_host: fix stub_dev lock context imbalance regression

Shuah Khan <skhan@linuxfoundation.org>
    usbip: usbip_host: fix BUG: sleeping function called from invalid context

Carsten Schmid <carsten_schmid@mentor.com>
    usb: xhci: avoid null pointer deref when bos field is NULL

Andrey Smirnov <andrew.smirnov@gmail.com>
    xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()

Fabio Estevam <festevam@gmail.com>
    xhci: Use %zu for printing size_t type

Henry Lin <henryl@nvidia.com>
    xhci: update bounce buffer with correct sg num

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    include/linux/bitops.h: sanitize rotate primitives

James Clarke <jrtc27@jrtc27.com>
    sparc64: Fix regression in non-hypervisor TLB flush xcall


-------------

Diffstat:

 Documentation/admin-guide/cgroup-v2.rst            |   9 ++
 Documentation/conf.py                              |   2 +-
 Documentation/sphinx/kerneldoc.py                  |  44 ++++--
 Documentation/sphinx/kernellog.py                  |  28 ++++
 Documentation/sphinx/kfigure.py                    |  40 +++---
 Makefile                                           |   4 +-
 arch/arm64/kernel/sys.c                            |   2 +-
 arch/arm64/kernel/traps.c                          |   5 +-
 arch/mips/kvm/mips.c                               |   3 +
 arch/powerpc/kernel/kexec_elf_64.c                 |   6 +-
 arch/powerpc/kvm/book3s_hv.c                       |   8 +-
 arch/powerpc/kvm/book3s_xive.c                     |   4 +-
 arch/powerpc/kvm/powerpc.c                         |   3 +
 arch/powerpc/perf/core-book3s.c                    |   6 +-
 arch/powerpc/perf/power8-pmu.c                     |   3 +
 arch/powerpc/perf/power9-pmu.c                     |   3 +
 arch/s390/crypto/aes_s390.c                        | 156 +++++++++++++++------
 arch/s390/crypto/des_s390.c                        |   7 +-
 arch/s390/kvm/kvm-s390.c                           |   1 +
 arch/sparc/mm/ultra.S                              |   4 +-
 arch/x86/kernel/ima_arch.c                         |   5 +
 arch/x86/kernel/kprobes/core.c                     |  24 +++-
 arch/x86/kernel/vmlinux.lds.S                      |   6 +-
 arch/x86/kvm/x86.c                                 |   3 +
 drivers/clk/imx/clk-imx8mm.c                       |  12 +-
 drivers/gpu/drm/drm_atomic_uapi.c                  |  32 +++--
 drivers/gpu/drm/drm_crtc.c                         |   4 +
 drivers/gpu/drm/drm_crtc_internal.h                |   1 +
 drivers/gpu/drm/drm_fb_helper.c                    |   4 +-
 drivers/gpu/drm/drm_gem_cma_helper.c               |   8 +-
 drivers/gpu/drm/drm_mode_config.c                  |   5 +-
 drivers/gpu/drm/drm_mode_object.c                  |   5 +-
 drivers/gpu/drm/drm_plane.c                        |   8 ++
 drivers/gpu/drm/imx/ipuv3-plane.c                  |  13 +-
 drivers/gpu/drm/imx/ipuv3-plane.h                  |   1 -
 drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h  |   2 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c      |  26 +++-
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h      |   2 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c     |  15 ++
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c      |  21 ++-
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h      |   1 +
 drivers/gpu/drm/rockchip/rockchip_drm_drv.c        |   9 ++
 drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c             |  29 ++--
 drivers/gpu/drm/tegra/gem.c                        |   4 +-
 drivers/gpu/drm/vmwgfx/ttm_object.c                |   2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c                |   8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c            |  13 ++
 drivers/i2c/busses/i2c-mlxcpld.c                   |   2 +-
 drivers/i2c/busses/i2c-synquacer.c                 |   2 +-
 drivers/iio/adc/npcm_adc.c                         |   2 +-
 drivers/iio/adc/ti-ads124s08.c                     |   2 +-
 drivers/iio/adc/ti-ads8688.c                       |   2 +-
 drivers/iio/dac/ds4424.c                           |   2 +-
 drivers/media/usb/siano/smsusb.c                   |  33 +++--
 .../wireless/broadcom/brcm80211/brcmfmac/bcdc.c    |  11 +-
 .../wireless/broadcom/brcm80211/brcmfmac/bcdc.h    |   6 +-
 .../wireless/broadcom/brcm80211/brcmfmac/core.c    |   4 +-
 .../broadcom/brcm80211/brcmfmac/fwsignal.c         |  16 ++-
 .../broadcom/brcm80211/brcmfmac/fwsignal.h         |   3 +-
 .../wireless/broadcom/brcm80211/brcmfmac/proto.c   |  10 +-
 .../wireless/broadcom/brcm80211/brcmfmac/proto.h   |   3 +-
 drivers/s390/scsi/zfcp_ext.h                       |   1 +
 drivers/s390/scsi/zfcp_scsi.c                      |   9 ++
 drivers/s390/scsi/zfcp_sysfs.c                     |  55 +++++++-
 drivers/s390/scsi/zfcp_unit.c                      |   8 +-
 .../interface/vchiq_arm/vchiq_2835_arm.c           |   9 ++
 drivers/staging/wlan-ng/hfa384x_usb.c              |   3 +-
 drivers/tty/serial/max310x.c                       |   2 +-
 drivers/tty/serial/msm_serial.c                    |   5 +-
 drivers/tty/serial/sh-sci.c                        |   7 +
 drivers/tty/vt/vt.c                                |  11 +-
 drivers/usb/core/config.c                          |   4 +-
 drivers/usb/core/quirks.c                          |   3 +
 drivers/usb/host/xhci-ring.c                       |  17 ++-
 drivers/usb/host/xhci.c                            |  24 ++--
 drivers/usb/misc/rio500.c                          |  41 ++++--
 drivers/usb/misc/sisusbvga/sisusb.c                |  15 +-
 drivers/usb/usbip/stub_dev.c                       |  75 +++++++---
 drivers/video/fbdev/core/fbcon.c                   |   2 +-
 fs/btrfs/inode.c                                   |  14 +-
 fs/btrfs/qgroup.c                                  |   8 +-
 fs/btrfs/relocation.c                              |  27 ++--
 fs/btrfs/send.c                                    |   6 +
 fs/btrfs/tree-log.c                                |  20 +--
 fs/btrfs/zstd.c                                    |  20 +--
 fs/cifs/file.c                                     |   4 +-
 fs/cifs/smb2pdu.c                                  |   3 +-
 fs/lockd/xdr.c                                     |   4 +-
 fs/lockd/xdr4.c                                    |   4 +-
 include/linux/bitops.h                             |  16 +--
 include/linux/cgroup-defs.h                        |   5 +
 include/linux/list_lru.h                           |   1 +
 include/linux/memcontrol.h                         |  10 +-
 kernel/cgroup/cgroup.c                             |  16 ++-
 kernel/signal.c                                    |   2 +
 kernel/trace/trace_events_filter.c                 |   8 +-
 mm/compaction.c                                    |   2 +-
 mm/kasan/common.c                                  |   2 +-
 mm/list_lru.c                                      |   8 +-
 scripts/gcc-plugins/gcc-common.h                   |   4 +
 security/integrity/evm/evm_crypto.c                |   3 +
 security/integrity/ima/ima_policy.c                |  28 ++--
 sound/pci/hda/patch_realtek.c                      |  18 ++-
 sound/usb/line6/driver.c                           |  12 ++
 sound/usb/line6/driver.h                           |   4 +
 sound/usb/line6/toneport.c                         |  15 +-
 virt/kvm/arm/arm.c                                 |   3 +
 virt/kvm/kvm_main.c                                |   2 -
 108 files changed, 913 insertions(+), 346 deletions(-)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 01/85] sparc64: Fix regression in non-hypervisor TLB flush xcall
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 02/85] include/linux/bitops.h: sanitize rotate primitives Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Meelis Roos, James Clarke, David S. Miller

From: James Clarke <jrtc27@jrtc27.com>

commit d3c976c14ad8af421134c428b0a89ff8dd3bd8f8 upstream.

Previously, %g2 would end up with the value PAGE_SIZE, but after the
commit mentioned below it ends up with the value 1 due to being reused
for a different purpose. We need it to be PAGE_SIZE as we use it to step
through pages in our demap loop, otherwise we set different flags in the
low 12 bits of the address written to, thereby doing things other than a
nucleus page flush.

Fixes: a74ad5e660a9 ("sparc64: Handle extremely large kernel TLB range flushes more gracefully.")
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: James Clarke <jrtc27@jrtc27.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/sparc/mm/ultra.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/sparc/mm/ultra.S
+++ b/arch/sparc/mm/ultra.S
@@ -587,7 +587,7 @@ xcall_flush_tlb_kernel_range:	/* 44 insn
 	sub		%g7, %g1, %g3
 	srlx		%g3, 18, %g2
 	brnz,pn		%g2, 2f
-	 add		%g2, 1, %g2
+	 sethi		%hi(PAGE_SIZE), %g2
 	sub		%g3, %g2, %g3
 	or		%g1, 0x20, %g1		! Nucleus
 1:	stxa		%g0, [%g1 + %g3] ASI_DMMU_DEMAP
@@ -751,7 +751,7 @@ __cheetah_xcall_flush_tlb_kernel_range:
 	sub		%g7, %g1, %g3
 	srlx		%g3, 18, %g2
 	brnz,pn		%g2, 2f
-	 add		%g2, 1, %g2
+	 sethi		%hi(PAGE_SIZE), %g2
 	sub		%g3, %g2, %g3
 	or		%g1, 0x20, %g1		! Nucleus
 1:	stxa		%g0, [%g1 + %g3] ASI_DMMU_DEMAP



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 02/85] include/linux/bitops.h: sanitize rotate primitives
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 01/85] sparc64: Fix regression in non-hypervisor TLB flush xcall Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 03/85] xhci: update bounce buffer with correct sg num Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Ido Schimmel,
	Will Deacon, Vadim Pasternak, Andrey Ryabinin, Jacek Anaszewski,
	Pavel Machek, Andrew Morton, Linus Torvalds

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit ef4d6f6b275c498f8e5626c99dbeefdc5027f843 upstream.

The ror32 implementation (word >> shift) | (word << (32 - shift) has
undefined behaviour if shift is outside the [1, 31] range.  Similarly
for the 64 bit variants.  Most callers pass a compile-time constant
(naturally in that range), but there's an UBSAN report that these may
actually be called with a shift count of 0.

Instead of special-casing that, we can make them DTRT for all values of
shift while also avoiding UB.  For some reason, this was already partly
done for rol32 (which was well-defined for [0, 31]).  gcc 8 recognizes
these patterns as rotates, so for example

  __u32 rol32(__u32 word, unsigned int shift)
  {
	return (word << (shift & 31)) | (word >> ((-shift) & 31));
  }

compiles to

0000000000000020 <rol32>:
  20:   89 f8                   mov    %edi,%eax
  22:   89 f1                   mov    %esi,%ecx
  24:   d3 c0                   rol    %cl,%eax
  26:   c3                      retq

Older compilers unfortunately do not do as well, but this only affects
the small minority of users that don't pass constants.

Due to integer promotions, ro[lr]8 were already well-defined for shifts
in [0, 8], and ro[lr]16 were mostly well-defined for shifts in [0, 16]
(only mostly - u16 gets promoted to _signed_ int, so if bit 15 is set,
word << 16 is undefined).  For consistency, update those as well.

Link: http://lkml.kernel.org/r/20190410211906.2190-1-linux@rasmusvillemoes.dk
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reported-by: Ido Schimmel <idosch@mellanox.com>
Tested-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Will Deacon <will.deacon@arm.com>
Cc: Vadim Pasternak <vadimp@mellanox.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/bitops.h |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/include/linux/bitops.h
+++ b/include/linux/bitops.h
@@ -60,7 +60,7 @@ static __always_inline unsigned long hwe
  */
 static inline __u64 rol64(__u64 word, unsigned int shift)
 {
-	return (word << shift) | (word >> (64 - shift));
+	return (word << (shift & 63)) | (word >> ((-shift) & 63));
 }
 
 /**
@@ -70,7 +70,7 @@ static inline __u64 rol64(__u64 word, un
  */
 static inline __u64 ror64(__u64 word, unsigned int shift)
 {
-	return (word >> shift) | (word << (64 - shift));
+	return (word >> (shift & 63)) | (word << ((-shift) & 63));
 }
 
 /**
@@ -80,7 +80,7 @@ static inline __u64 ror64(__u64 word, un
  */
 static inline __u32 rol32(__u32 word, unsigned int shift)
 {
-	return (word << shift) | (word >> ((-shift) & 31));
+	return (word << (shift & 31)) | (word >> ((-shift) & 31));
 }
 
 /**
@@ -90,7 +90,7 @@ static inline __u32 rol32(__u32 word, un
  */
 static inline __u32 ror32(__u32 word, unsigned int shift)
 {
-	return (word >> shift) | (word << (32 - shift));
+	return (word >> (shift & 31)) | (word << ((-shift) & 31));
 }
 
 /**
@@ -100,7 +100,7 @@ static inline __u32 ror32(__u32 word, un
  */
 static inline __u16 rol16(__u16 word, unsigned int shift)
 {
-	return (word << shift) | (word >> (16 - shift));
+	return (word << (shift & 15)) | (word >> ((-shift) & 15));
 }
 
 /**
@@ -110,7 +110,7 @@ static inline __u16 rol16(__u16 word, un
  */
 static inline __u16 ror16(__u16 word, unsigned int shift)
 {
-	return (word >> shift) | (word << (16 - shift));
+	return (word >> (shift & 15)) | (word << ((-shift) & 15));
 }
 
 /**
@@ -120,7 +120,7 @@ static inline __u16 ror16(__u16 word, un
  */
 static inline __u8 rol8(__u8 word, unsigned int shift)
 {
-	return (word << shift) | (word >> (8 - shift));
+	return (word << (shift & 7)) | (word >> ((-shift) & 7));
 }
 
 /**
@@ -130,7 +130,7 @@ static inline __u8 rol8(__u8 word, unsig
  */
 static inline __u8 ror8(__u8 word, unsigned int shift)
 {
-	return (word >> shift) | (word << (8 - shift));
+	return (word >> (shift & 7)) | (word << ((-shift) & 7));
 }
 
 /**



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 03/85] xhci: update bounce buffer with correct sg num
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 01/85] sparc64: Fix regression in non-hypervisor TLB flush xcall Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 02/85] include/linux/bitops.h: sanitize rotate primitives Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 04/85] xhci: Use %zu for printing size_t type Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Henry Lin, Mathias Nyman

From: Henry Lin <henryl@nvidia.com>

commit 597c56e372dab2c7f79b8d700aad3a5deebf9d1b upstream.

This change fixes a data corruption issue occurred on USB hard disk for
the case that bounce buffer is used during transferring data.

While updating data between sg list and bounce buffer, current
implementation passes mapped sg number (urb->num_mapped_sgs) to
sg_pcopy_from_buffer() and sg_pcopy_to_buffer(). This causes data
not get copied if target buffer is located in the elements after
mapped sg elements. This change passes sg number for full list to
fix issue.

Besides, for copying data from bounce buffer, calling dma_unmap_single()
on the bounce buffer before copying data to sg list can avoid cache issue.

Fixes: f9c589e142d0 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
Cc: <stable@vger.kernel.org> # v4.8+
Signed-off-by: Henry Lin <henryl@nvidia.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-ring.c |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -656,6 +656,7 @@ static void xhci_unmap_td_bounce_buffer(
 	struct device *dev = xhci_to_hcd(xhci)->self.controller;
 	struct xhci_segment *seg = td->bounce_seg;
 	struct urb *urb = td->urb;
+	size_t len;
 
 	if (!ring || !seg || !urb)
 		return;
@@ -666,11 +667,14 @@ static void xhci_unmap_td_bounce_buffer(
 		return;
 	}
 
-	/* for in tranfers we need to copy the data from bounce to sg */
-	sg_pcopy_from_buffer(urb->sg, urb->num_mapped_sgs, seg->bounce_buf,
-			     seg->bounce_len, seg->bounce_offs);
 	dma_unmap_single(dev, seg->bounce_dma, ring->bounce_buf_len,
 			 DMA_FROM_DEVICE);
+	/* for in tranfers we need to copy the data from bounce to sg */
+	len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf,
+			     seg->bounce_len, seg->bounce_offs);
+	if (len != seg->bounce_len)
+		xhci_warn(xhci, "WARN Wrong bounce buffer read length: %ld != %d\n",
+				len, seg->bounce_len);
 	seg->bounce_len = 0;
 	seg->bounce_offs = 0;
 }
@@ -3123,6 +3127,7 @@ static int xhci_align_td(struct xhci_hcd
 	unsigned int unalign;
 	unsigned int max_pkt;
 	u32 new_buff_len;
+	size_t len;
 
 	max_pkt = usb_endpoint_maxp(&urb->ep->desc);
 	unalign = (enqd_len + *trb_buff_len) % max_pkt;
@@ -3153,8 +3158,12 @@ static int xhci_align_td(struct xhci_hcd
 
 	/* create a max max_pkt sized bounce buffer pointed to by last trb */
 	if (usb_urb_dir_out(urb)) {
-		sg_pcopy_to_buffer(urb->sg, urb->num_mapped_sgs,
+		len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs,
 				   seg->bounce_buf, new_buff_len, enqd_len);
+		if (len != seg->bounce_len)
+			xhci_warn(xhci,
+				"WARN Wrong bounce buffer write length: %ld != %d\n",
+				len, seg->bounce_len);
 		seg->bounce_dma = dma_map_single(dev, seg->bounce_buf,
 						 max_pkt, DMA_TO_DEVICE);
 	} else {



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 04/85] xhci: Use %zu for printing size_t type
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 03/85] xhci: update bounce buffer with correct sg num Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 05/85] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Fabio Estevam,
	Mathias Nyman

From: Fabio Estevam <festevam@gmail.com>

commit c1a145a3ed9a40f3b6145feb97789e8eb49c5566 upstream.

Commit 597c56e372da ("xhci: update bounce buffer with correct sg num")
caused the following build warnings:

drivers/usb/host/xhci-ring.c:676:19: warning: format '%ld' expects argument of type 'long int', but argument 3 has type 'size_t {aka unsigned int}' [-Wformat=]

Use %zu for printing size_t type in order to fix the warnings.

Fixes: 597c56e372da ("xhci: update bounce buffer with correct sg num")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-ring.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -673,7 +673,7 @@ static void xhci_unmap_td_bounce_buffer(
 	len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf,
 			     seg->bounce_len, seg->bounce_offs);
 	if (len != seg->bounce_len)
-		xhci_warn(xhci, "WARN Wrong bounce buffer read length: %ld != %d\n",
+		xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n",
 				len, seg->bounce_len);
 	seg->bounce_len = 0;
 	seg->bounce_offs = 0;
@@ -3162,7 +3162,7 @@ static int xhci_align_td(struct xhci_hcd
 				   seg->bounce_buf, new_buff_len, enqd_len);
 		if (len != seg->bounce_len)
 			xhci_warn(xhci,
-				"WARN Wrong bounce buffer write length: %ld != %d\n",
+				"WARN Wrong bounce buffer write length: %zu != %d\n",
 				len, seg->bounce_len);
 		seg->bounce_dma = dma_map_single(dev, seg->bounce_buf,
 						 max_pkt, DMA_TO_DEVICE);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 05/85] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 04/85] xhci: Use %zu for printing size_t type Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 06/85] usb: xhci: avoid null pointer deref when bos field is NULL Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Smirnov, Raul E Rangel, Mathias Nyman

From: Andrey Smirnov <andrew.smirnov@gmail.com>

commit f7fac17ca925faa03fc5eb854c081a24075f8bad upstream.

Xhci_handshake() implements the algorithm already captured by
readl_poll_timeout_atomic(). Convert the former to use the latter to
avoid repetition.

Turned out this patch also fixes a bug on the AMD Stoneyridge platform
where usleep(1) sometimes takes over 10ms.
This means a 5 second timeout can easily take over 15 seconds which will
trigger the watchdog and reboot the system.

[Add info about patch fixing a bug to commit message -Mathias]
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Tested-by: Raul E Rangel <rrangel@chromium.org>
Reviewed-by: Raul E Rangel <rrangel@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci.c |   22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -9,6 +9,7 @@
  */
 
 #include <linux/pci.h>
+#include <linux/iopoll.h>
 #include <linux/irq.h>
 #include <linux/log2.h>
 #include <linux/module.h>
@@ -52,7 +53,6 @@ static bool td_on_ring(struct xhci_td *t
 	return false;
 }
 
-/* TODO: copied from ehci-hcd.c - can this be refactored? */
 /*
  * xhci_handshake - spin reading hc until handshake completes or fails
  * @ptr: address of hc register to be read
@@ -69,18 +69,16 @@ static bool td_on_ring(struct xhci_td *t
 int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec)
 {
 	u32	result;
+	int	ret;
 
-	do {
-		result = readl(ptr);
-		if (result == ~(u32)0)		/* card removed */
-			return -ENODEV;
-		result &= mask;
-		if (result == done)
-			return 0;
-		udelay(1);
-		usec--;
-	} while (usec > 0);
-	return -ETIMEDOUT;
+	ret = readl_poll_timeout_atomic(ptr, result,
+					(result & mask) == done ||
+					result == U32_MAX,
+					1, usec);
+	if (result == U32_MAX)		/* card removed */
+		return -ENODEV;
+
+	return ret;
 }
 
 /*



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 06/85] usb: xhci: avoid null pointer deref when bos field is NULL
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 05/85] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 07/85] usbip: usbip_host: fix BUG: sleeping function called from invalid context Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Carsten Schmid, Mathias Nyman

From: Carsten Schmid <carsten_schmid@mentor.com>

commit 7aa1bb2ffd84d6b9b5f546b079bb15cd0ab6e76e upstream.

With defective USB sticks we see the following error happen:
usb 1-3: new high-speed USB device number 6 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: device descriptor read/64, error -71
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: unable to get BOS descriptor set
usb 1-3: New USB device found, idVendor=0781, idProduct=5581
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
...
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008

This comes from the following place:
[ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.222092] PGD 0 P4D 0
[ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P     U  W  O    4.14.67-apl #1
[ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore]
[ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000
[ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046
[ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002
[ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2
[ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001
[ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000
[ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000
[ 1660.499494] FS:  0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000
[ 1660.508530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0
[ 1660.522917] Call Trace:
[ 1660.525657]  usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore]
[ 1660.531792]  usb_disable_device+0x242/0x260 [usbcore]
[ 1660.537439]  usb_disconnect+0xc1/0x2b0 [usbcore]
[ 1660.542600]  hub_event+0x596/0x18f0 [usbcore]
[ 1660.547467]  ? trace_preempt_on+0xdf/0x100
[ 1660.552040]  ? process_one_work+0x1c1/0x410
[ 1660.556708]  process_one_work+0x1d2/0x410
[ 1660.561184]  ? preempt_count_add.part.3+0x21/0x60
[ 1660.566436]  worker_thread+0x2d/0x3f0
[ 1660.570522]  kthread+0x122/0x140
[ 1660.574123]  ? process_one_work+0x410/0x410
[ 1660.578792]  ? kthread_create_on_node+0x60/0x60
[ 1660.583849]  ret_from_fork+0x3a/0x50
[ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00
[ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70
[ 1660.617921] CR2: 0000000000000008

Tracking this down shows that udev->bos is NULL in the following code:
(xhci.c, in xhci_set_usb2_hardware_lpm)
	field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);  <<<<<<< here

	xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
			enable ? "enable" : "disable", port_num + 1);

	if (enable) {
		/* Host supports BESL timeout instead of HIRD */
		if (udev->usb2_hw_lpm_besl_capable) {
			/* if device doesn't have a preferred BESL value use a
			 * default one which works with mixed HIRD and BESL
			 * systems. See XHCI_DEFAULT_BESL definition in xhci.h
			 */
			if ((field & USB_BESL_SUPPORT) &&
			    (field & USB_BESL_BASELINE_VALID))
				hird = USB_GET_BESL_BASELINE(field);
			else
				hird = udev->l1_params.besl;

The failing case is when disabling LPM. So it is sufficient to avoid
access to udev->bos by moving the instruction into the "enable" clause.

Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4287,7 +4287,6 @@ static int xhci_set_usb2_hardware_lpm(st
 	pm_addr = ports[port_num]->addr + PORTPMSC;
 	pm_val = readl(pm_addr);
 	hlpm_addr = ports[port_num]->addr + PORTHLPMC;
-	field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);
 
 	xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
 			enable ? "enable" : "disable", port_num + 1);
@@ -4299,6 +4298,7 @@ static int xhci_set_usb2_hardware_lpm(st
 			 * default one which works with mixed HIRD and BESL
 			 * systems. See XHCI_DEFAULT_BESL definition in xhci.h
 			 */
+			field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);
 			if ((field & USB_BESL_SUPPORT) &&
 			    (field & USB_BESL_BASELINE_VALID))
 				hird = USB_GET_BESL_BASELINE(field);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 07/85] usbip: usbip_host: fix BUG: sleeping function called from invalid context
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 06/85] usb: xhci: avoid null pointer deref when bos field is NULL Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 08/85] usbip: usbip_host: fix stub_dev lock context imbalance regression Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shuah Khan

From: Shuah Khan <skhan@linuxfoundation.org>

commit 0c9e8b3cad654bfc499c10b652fbf8f0b890af8f upstream.

stub_probe() and stub_disconnect() call functions which could call
sleeping function in invalid context whil holding busid_lock.

Fix the problem by refining the lock holds to short critical sections
to change the busid_priv fields. This fix restructures the code to
limit the lock holds in stub_probe() and stub_disconnect().

stub_probe():

[15217.927028] BUG: sleeping function called from invalid context at mm/slab.h:418
[15217.927038] in_atomic(): 1, irqs_disabled(): 0, pid: 29087, name: usbip
[15217.927044] 5 locks held by usbip/29087:
[15217.927047]  #0: 0000000091647f28 (sb_writers#6){....}, at: vfs_write+0x191/0x1c0
[15217.927062]  #1: 000000008f9ba75b (&of->mutex){....}, at: kernfs_fop_write+0xf7/0x1b0
[15217.927072]  #2: 00000000872e5b4b (&dev->mutex){....}, at: __device_driver_lock+0x3b/0x50
[15217.927082]  #3: 00000000e74ececc (&dev->mutex){....}, at: __device_driver_lock+0x46/0x50
[15217.927090]  #4: 00000000b20abbe0 (&(&busid_table[i].busid_lock)->rlock){....}, at: get_busid_priv+0x48/0x60 [usbip_host]
[15217.927103] CPU: 3 PID: 29087 Comm: usbip Tainted: G        W         5.1.0-rc6+ #40
[15217.927106] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013
[15217.927109] Call Trace:
[15217.927118]  dump_stack+0x63/0x85
[15217.927127]  ___might_sleep+0xff/0x120
[15217.927133]  __might_sleep+0x4a/0x80
[15217.927143]  kmem_cache_alloc_trace+0x1aa/0x210
[15217.927156]  stub_probe+0xe8/0x440 [usbip_host]
[15217.927171]  usb_probe_device+0x34/0x70

stub_disconnect():

[15279.182478] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908
[15279.182487] in_atomic(): 1, irqs_disabled(): 0, pid: 29114, name: usbip
[15279.182492] 5 locks held by usbip/29114:
[15279.182494]  #0: 0000000091647f28 (sb_writers#6){....}, at: vfs_write+0x191/0x1c0
[15279.182506]  #1: 00000000702cf0f3 (&of->mutex){....}, at: kernfs_fop_write+0xf7/0x1b0
[15279.182514]  #2: 00000000872e5b4b (&dev->mutex){....}, at: __device_driver_lock+0x3b/0x50
[15279.182522]  #3: 00000000e74ececc (&dev->mutex){....}, at: __device_driver_lock+0x46/0x50
[15279.182529]  #4: 00000000b20abbe0 (&(&busid_table[i].busid_lock)->rlock){....}, at: get_busid_priv+0x48/0x60 [usbip_host]
[15279.182541] CPU: 0 PID: 29114 Comm: usbip Tainted: G        W         5.1.0-rc6+ #40
[15279.182543] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013
[15279.182546] Call Trace:
[15279.182554]  dump_stack+0x63/0x85
[15279.182561]  ___might_sleep+0xff/0x120
[15279.182566]  __might_sleep+0x4a/0x80
[15279.182574]  __mutex_lock+0x55/0x950
[15279.182582]  ? get_busid_priv+0x48/0x60 [usbip_host]
[15279.182587]  ? reacquire_held_locks+0xec/0x1a0
[15279.182591]  ? get_busid_priv+0x48/0x60 [usbip_host]
[15279.182597]  ? find_held_lock+0x94/0xa0
[15279.182609]  mutex_lock_nested+0x1b/0x20
[15279.182614]  ? mutex_lock_nested+0x1b/0x20
[15279.182618]  kernfs_remove_by_name_ns+0x2a/0x90
[15279.182625]  sysfs_remove_file_ns+0x15/0x20
[15279.182629]  device_remove_file+0x19/0x20
[15279.182634]  stub_disconnect+0x6d/0x180 [usbip_host]
[15279.182643]  usb_unbind_device+0x27/0x60

Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/usbip/stub_dev.c |   65 ++++++++++++++++++++++++++++---------------
 1 file changed, 43 insertions(+), 22 deletions(-)

--- a/drivers/usb/usbip/stub_dev.c
+++ b/drivers/usb/usbip/stub_dev.c
@@ -301,9 +301,17 @@ static int stub_probe(struct usb_device
 	const char *udev_busid = dev_name(&udev->dev);
 	struct bus_id_priv *busid_priv;
 	int rc = 0;
+	char save_status;
 
 	dev_dbg(&udev->dev, "Enter probe\n");
 
+	/* Not sure if this is our device. Allocate here to avoid
+	 * calling alloc while holding busid_table lock.
+	 */
+	sdev = stub_device_alloc(udev);
+	if (!sdev)
+		return -ENOMEM;
+
 	/* check we should claim or not by busid_table */
 	busid_priv = get_busid_priv(udev_busid);
 	if (!busid_priv || (busid_priv->status == STUB_BUSID_REMOV) ||
@@ -318,14 +326,14 @@ static int stub_probe(struct usb_device
 		 * See driver_probe_device() in driver/base/dd.c
 		 */
 		rc = -ENODEV;
-		goto call_put_busid_priv;
+		goto sdev_free;
 	}
 
 	if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) {
 		dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n",
 			 udev_busid);
 		rc = -ENODEV;
-		goto call_put_busid_priv;
+		goto sdev_free;
 	}
 
 	if (!strcmp(udev->bus->bus_name, "vhci_hcd")) {
@@ -334,15 +342,9 @@ static int stub_probe(struct usb_device
 			udev_busid);
 
 		rc = -ENODEV;
-		goto call_put_busid_priv;
+		goto sdev_free;
 	}
 
-	/* ok, this is my device */
-	sdev = stub_device_alloc(udev);
-	if (!sdev) {
-		rc = -ENOMEM;
-		goto call_put_busid_priv;
-	}
 
 	dev_info(&udev->dev,
 		"usbip-host: register new device (bus %u dev %u)\n",
@@ -352,9 +354,13 @@ static int stub_probe(struct usb_device
 
 	/* set private data to usb_device */
 	dev_set_drvdata(&udev->dev, sdev);
+
 	busid_priv->sdev = sdev;
 	busid_priv->udev = udev;
 
+	save_status = busid_priv->status;
+	busid_priv->status = STUB_BUSID_ALLOC;
+
 	/*
 	 * Claim this hub port.
 	 * It doesn't matter what value we pass as owner
@@ -367,15 +373,16 @@ static int stub_probe(struct usb_device
 		goto err_port;
 	}
 
+	/* release the busid_lock */
+	put_busid_priv(busid_priv);
+
 	rc = stub_add_files(&udev->dev);
 	if (rc) {
 		dev_err(&udev->dev, "stub_add_files for %s\n", udev_busid);
 		goto err_files;
 	}
-	busid_priv->status = STUB_BUSID_ALLOC;
 
-	rc = 0;
-	goto call_put_busid_priv;
+	return 0;
 
 err_files:
 	usb_hub_release_port(udev->parent, udev->portnum,
@@ -384,23 +391,24 @@ err_port:
 	dev_set_drvdata(&udev->dev, NULL);
 	usb_put_dev(udev);
 
+	/* we already have busid_priv, just lock busid_lock */
+	spin_lock(&busid_priv->busid_lock);
 	busid_priv->sdev = NULL;
+	busid_priv->status = save_status;
+sdev_free:
 	stub_device_free(sdev);
-
-call_put_busid_priv:
+	/* release the busid_lock */
 	put_busid_priv(busid_priv);
+
 	return rc;
 }
 
 static void shutdown_busid(struct bus_id_priv *busid_priv)
 {
-	if (busid_priv->sdev && !busid_priv->shutdown_busid) {
-		busid_priv->shutdown_busid = 1;
-		usbip_event_add(&busid_priv->sdev->ud, SDEV_EVENT_REMOVED);
+	usbip_event_add(&busid_priv->sdev->ud, SDEV_EVENT_REMOVED);
 
-		/* wait for the stop of the event handler */
-		usbip_stop_eh(&busid_priv->sdev->ud);
-	}
+	/* wait for the stop of the event handler */
+	usbip_stop_eh(&busid_priv->sdev->ud);
 }
 
 /*
@@ -432,6 +440,9 @@ static void stub_disconnect(struct usb_d
 
 	dev_set_drvdata(&udev->dev, NULL);
 
+	/* release busid_lock before call to remove device files */
+	put_busid_priv(busid_priv);
+
 	/*
 	 * NOTE: rx/tx threads are invoked for each usb_device.
 	 */
@@ -442,18 +453,27 @@ static void stub_disconnect(struct usb_d
 				  (struct usb_dev_state *) udev);
 	if (rc) {
 		dev_dbg(&udev->dev, "unable to release port\n");
-		goto call_put_busid_priv;
+		return;
 	}
 
 	/* If usb reset is called from event handler */
 	if (usbip_in_eh(current))
-		goto call_put_busid_priv;
+		return;
+
+	/* we already have busid_priv, just lock busid_lock */
+	spin_lock(&busid_priv->busid_lock);
+	if (!busid_priv->shutdown_busid)
+		busid_priv->shutdown_busid = 1;
+	/* release busid_lock */
+	put_busid_priv(busid_priv);
 
 	/* shutdown the current connection */
 	shutdown_busid(busid_priv);
 
 	usb_put_dev(sdev->udev);
 
+	/* we already have busid_priv, just lock busid_lock */
+	spin_lock(&busid_priv->busid_lock);
 	/* free sdev */
 	busid_priv->sdev = NULL;
 	stub_device_free(sdev);
@@ -462,6 +482,7 @@ static void stub_disconnect(struct usb_d
 		busid_priv->status = STUB_BUSID_ADDED;
 
 call_put_busid_priv:
+	/* release busid_lock */
 	put_busid_priv(busid_priv);
 }
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 08/85] usbip: usbip_host: fix stub_dev lock context imbalance regression
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 07/85] usbip: usbip_host: fix BUG: sleeping function called from invalid context Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 09/85] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shuah Khan

From: Shuah Khan <skhan@linuxfoundation.org>

commit 3ea3091f1bd8586125848c62be295910e9802af0 upstream.

Fix the following sparse context imbalance regression introduced in
a patch that fixed sleeping function called from invalid context bug.

kbuild test robot reported on:

tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git  usb-linus

Regressions in current branch:

drivers/usb/usbip/stub_dev.c:399:9: sparse: sparse: context imbalance in 'stub_probe' - different lock contexts for basic block
drivers/usb/usbip/stub_dev.c:418:13: sparse: sparse: context imbalance in 'stub_disconnect' - different lock contexts for basic block
drivers/usb/usbip/stub_dev.c:464:1-10: second lock on line 476

Error ids grouped by kconfigs:

recent_errors
├── i386-allmodconfig
│   └── drivers-usb-usbip-stub_dev.c:second-lock-on-line
├── x86_64-allmodconfig
│   ├── drivers-usb-usbip-stub_dev.c:sparse:sparse:context-imbalance-in-stub_disconnect-different-lock-contexts-for-basic-block
│   └── drivers-usb-usbip-stub_dev.c:sparse:sparse:context-imbalance-in-stub_probe-different-lock-contexts-for-basic-block
└── x86_64-allyesconfig
    └── drivers-usb-usbip-stub_dev.c:second-lock-on-line

This is a real problem in an error leg where spin_lock() is called on an
already held lock.

Fix the imbalance in stub_probe() and stub_disconnect().

Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Fixes: 0c9e8b3cad65 ("usbip: usbip_host: fix BUG: sleeping function called from invalid context")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/usbip/stub_dev.c |   36 +++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 13 deletions(-)

--- a/drivers/usb/usbip/stub_dev.c
+++ b/drivers/usb/usbip/stub_dev.c
@@ -326,14 +326,17 @@ static int stub_probe(struct usb_device
 		 * See driver_probe_device() in driver/base/dd.c
 		 */
 		rc = -ENODEV;
-		goto sdev_free;
+		if (!busid_priv)
+			goto sdev_free;
+
+		goto call_put_busid_priv;
 	}
 
 	if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) {
 		dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n",
 			 udev_busid);
 		rc = -ENODEV;
-		goto sdev_free;
+		goto call_put_busid_priv;
 	}
 
 	if (!strcmp(udev->bus->bus_name, "vhci_hcd")) {
@@ -342,7 +345,7 @@ static int stub_probe(struct usb_device
 			udev_busid);
 
 		rc = -ENODEV;
-		goto sdev_free;
+		goto call_put_busid_priv;
 	}
 
 
@@ -361,6 +364,9 @@ static int stub_probe(struct usb_device
 	save_status = busid_priv->status;
 	busid_priv->status = STUB_BUSID_ALLOC;
 
+	/* release the busid_lock */
+	put_busid_priv(busid_priv);
+
 	/*
 	 * Claim this hub port.
 	 * It doesn't matter what value we pass as owner
@@ -373,9 +379,6 @@ static int stub_probe(struct usb_device
 		goto err_port;
 	}
 
-	/* release the busid_lock */
-	put_busid_priv(busid_priv);
-
 	rc = stub_add_files(&udev->dev);
 	if (rc) {
 		dev_err(&udev->dev, "stub_add_files for %s\n", udev_busid);
@@ -395,11 +398,17 @@ err_port:
 	spin_lock(&busid_priv->busid_lock);
 	busid_priv->sdev = NULL;
 	busid_priv->status = save_status;
-sdev_free:
-	stub_device_free(sdev);
+	spin_unlock(&busid_priv->busid_lock);
+	/* lock is released - go to free */
+	goto sdev_free;
+
+call_put_busid_priv:
 	/* release the busid_lock */
 	put_busid_priv(busid_priv);
 
+sdev_free:
+	stub_device_free(sdev);
+
 	return rc;
 }
 
@@ -435,7 +444,9 @@ static void stub_disconnect(struct usb_d
 	/* get stub_device */
 	if (!sdev) {
 		dev_err(&udev->dev, "could not get device");
-		goto call_put_busid_priv;
+		/* release busid_lock */
+		put_busid_priv(busid_priv);
+		return;
 	}
 
 	dev_set_drvdata(&udev->dev, NULL);
@@ -465,7 +476,7 @@ static void stub_disconnect(struct usb_d
 	if (!busid_priv->shutdown_busid)
 		busid_priv->shutdown_busid = 1;
 	/* release busid_lock */
-	put_busid_priv(busid_priv);
+	spin_unlock(&busid_priv->busid_lock);
 
 	/* shutdown the current connection */
 	shutdown_busid(busid_priv);
@@ -480,10 +491,9 @@ static void stub_disconnect(struct usb_d
 
 	if (busid_priv->status == STUB_BUSID_ALLOC)
 		busid_priv->status = STUB_BUSID_ADDED;
-
-call_put_busid_priv:
 	/* release busid_lock */
-	put_busid_priv(busid_priv);
+	spin_unlock(&busid_priv->busid_lock);
+	return;
 }
 
 #ifdef CONFIG_PM



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 09/85] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 08/85] usbip: usbip_host: fix stub_dev lock context imbalance regression Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 10/85] USB: sisusbvga: fix oops in error path of sisusb_probe Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, syzbot+71f1e64501a309fcc012

From: Alan Stern <stern@rowland.harvard.edu>

commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream.

The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
USB core, caused by a failure to check the actual size of a BOS
descriptor.  This patch adds a check to make sure the descriptor is at
least as large as it is supposed to be, so that the code doesn't
inadvertently access memory beyond the end of the allocated region
when assigning to dev->bos->desc->bNumDeviceCaps later on.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/config.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -932,8 +932,8 @@ int usb_get_bos_descriptor(struct usb_de
 
 	/* Get BOS descriptor */
 	ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE);
-	if (ret < USB_DT_BOS_SIZE) {
-		dev_err(ddev, "unable to get BOS descriptor\n");
+	if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) {
+		dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n");
 		if (ret >= 0)
 			ret = -ENOMSG;
 		kfree(bos);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 10/85] USB: sisusbvga: fix oops in error path of sisusb_probe
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 09/85] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 11/85] USB: Add LPM quirk for Surface Dock GigE adapter Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, oliver Neukum, syzbot+a0cbdbd6d169020c8959

From: Oliver Neukum <oneukum@suse.com>

commit 9a5729f68d3a82786aea110b1bfe610be318f80a upstream.

The pointer used to log a failure of usb_register_dev() must
be set before the error is logged.

v2: fix that minor is not available before registration

Signed-off-by: oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+a0cbdbd6d169020c8959@syzkaller.appspotmail.com
Fixes: 7b5cd5fefbe02 ("USB: SisUSB2VGA: Convert printk to dev_* macros")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/sisusbvga/sisusb.c |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -3029,6 +3029,13 @@ static int sisusb_probe(struct usb_inter
 
 	mutex_init(&(sisusb->lock));
 
+	sisusb->sisusb_dev = dev;
+	sisusb->vrambase   = SISUSB_PCI_MEMBASE;
+	sisusb->mmiobase   = SISUSB_PCI_MMIOBASE;
+	sisusb->mmiosize   = SISUSB_PCI_MMIOSIZE;
+	sisusb->ioportbase = SISUSB_PCI_IOPORTBASE;
+	/* Everything else is zero */
+
 	/* Register device */
 	retval = usb_register_dev(intf, &usb_sisusb_class);
 	if (retval) {
@@ -3039,13 +3046,7 @@ static int sisusb_probe(struct usb_inter
 		goto error_1;
 	}
 
-	sisusb->sisusb_dev = dev;
-	sisusb->minor      = intf->minor;
-	sisusb->vrambase   = SISUSB_PCI_MEMBASE;
-	sisusb->mmiobase   = SISUSB_PCI_MMIOBASE;
-	sisusb->mmiosize   = SISUSB_PCI_MMIOSIZE;
-	sisusb->ioportbase = SISUSB_PCI_IOPORTBASE;
-	/* Everything else is zero */
+	sisusb->minor = intf->minor;
 
 	/* Allocate buffers */
 	sisusb->ibufsize = SISUSB_IBUF_SIZE;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 11/85] USB: Add LPM quirk for Surface Dock GigE adapter
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 10/85] USB: sisusbvga: fix oops in error path of sisusb_probe Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 12/85] USB: rio500: refuse more than one device at a time Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maximilian Luz

From: Maximilian Luz <luzmaximilian@gmail.com>

commit ea261113385ac0a71c2838185f39e8452d54b152 upstream.

Without USB_QUIRK_NO_LPM ethernet will not work and rtl8152 will
complain with

    r8152 <device...>: Stop submitting intr, status -71

Adding the quirk resolves this. As the dock is externally powered, this
should not have any drawbacks.

Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/quirks.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -209,6 +209,9 @@ static const struct usb_device_id usb_qu
 	/* Microsoft LifeCam-VX700 v2.0 */
 	{ USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* Microsoft Surface Dock Ethernet (RTL8153 GigE) */
+	{ USB_DEVICE(0x045e, 0x07c6), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Cherry Stream G230 2.0 (G85-231) and 3.0 (G85-232) */
 	{ USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME },
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 12/85] USB: rio500: refuse more than one device at a time
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 11/85] USB: Add LPM quirk for Surface Dock GigE adapter Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 13/85] USB: rio500: fix memory leak in close after disconnect Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Neukum, syzbot+35f04d136fc975a70da4

From: Oliver Neukum <oneukum@suse.com>

commit 3864d33943b4a76c6e64616280e98d2410b1190f upstream.

This driver is using a global variable. It cannot handle more than
one device at a time. The issue has been existing since the dawn
of the driver.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+35f04d136fc975a70da4@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/rio500.c |   24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

--- a/drivers/usb/misc/rio500.c
+++ b/drivers/usb/misc/rio500.c
@@ -447,15 +447,23 @@ static int probe_rio(struct usb_interfac
 {
 	struct usb_device *dev = interface_to_usbdev(intf);
 	struct rio_usb_data *rio = &rio_instance;
-	int retval;
+	int retval = 0;
 
-	dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
+	mutex_lock(&rio500_mutex);
+	if (rio->present) {
+		dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum);
+		retval = -EBUSY;
+		goto bail_out;
+	} else {
+		dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
+	}
 
 	retval = usb_register_dev(intf, &usb_rio_class);
 	if (retval) {
 		dev_err(&dev->dev,
 			"Not able to get a minor for this device.\n");
-		return -ENOMEM;
+		retval = -ENOMEM;
+		goto bail_out;
 	}
 
 	rio->rio_dev = dev;
@@ -464,7 +472,8 @@ static int probe_rio(struct usb_interfac
 		dev_err(&dev->dev,
 			"probe_rio: Not enough memory for the output buffer\n");
 		usb_deregister_dev(intf, &usb_rio_class);
-		return -ENOMEM;
+		retval = -ENOMEM;
+		goto bail_out;
 	}
 	dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf);
 
@@ -473,7 +482,8 @@ static int probe_rio(struct usb_interfac
 			"probe_rio: Not enough memory for the input buffer\n");
 		usb_deregister_dev(intf, &usb_rio_class);
 		kfree(rio->obuf);
-		return -ENOMEM;
+		retval = -ENOMEM;
+		goto bail_out;
 	}
 	dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf);
 
@@ -481,8 +491,10 @@ static int probe_rio(struct usb_interfac
 
 	usb_set_intfdata (intf, rio);
 	rio->present = 1;
+bail_out:
+	mutex_unlock(&rio500_mutex);
 
-	return 0;
+	return retval;
 }
 
 static void disconnect_rio(struct usb_interface *intf)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 13/85] USB: rio500: fix memory leak in close after disconnect
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 12/85] USB: rio500: refuse more than one device at a time Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:38 ` [PATCH 5.1 14/85] media: usb: siano: Fix general protection fault in smsusb Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit e0feb73428b69322dd5caae90b0207de369b5575 upstream.

If a disconnected device is closed, rio_close() must free
the buffers.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/rio500.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/usb/misc/rio500.c
+++ b/drivers/usb/misc/rio500.c
@@ -86,9 +86,22 @@ static int close_rio(struct inode *inode
 {
 	struct rio_usb_data *rio = &rio_instance;
 
-	rio->isopen = 0;
+	/* against disconnect() */
+	mutex_lock(&rio500_mutex);
+	mutex_lock(&(rio->lock));
 
-	dev_info(&rio->rio_dev->dev, "Rio closed.\n");
+	rio->isopen = 0;
+	if (!rio->present) {
+		/* cleanup has been delayed */
+		kfree(rio->ibuf);
+		kfree(rio->obuf);
+		rio->ibuf = NULL;
+		rio->obuf = NULL;
+	} else {
+		dev_info(&rio->rio_dev->dev, "Rio closed.\n");
+	}
+	mutex_unlock(&(rio->lock));
+	mutex_unlock(&rio500_mutex);
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 14/85] media: usb: siano: Fix general protection fault in smsusb
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 13/85] USB: rio500: fix memory leak in close after disconnect Greg Kroah-Hartman
@ 2019-06-07 15:38 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 15/85] media: usb: siano: Fix false-positive "uninitialized variable" warning Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Johan Hovold,
	syzbot+53f029db71c19a47325a

From: Alan Stern <stern@rowland.harvard.edu>

commit 31e0456de5be379b10fea0fa94a681057114a96e upstream.

The syzkaller USB fuzzer found a general-protection-fault bug in the
smsusb part of the Siano DVB driver.  The fault occurs during probe
because the driver assumes without checking that the device has both
IN and OUT endpoints and the IN endpoint is ep1.

By slightly rearranging the driver's initialization code, we can make
the appropriate checks early on and thus avoid the problem.  If the
expected endpoints aren't present, the new code safely returns -ENODEV
from the probe routine.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/siano/smsusb.c |   33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -400,6 +400,7 @@ static int smsusb_init_device(struct usb
 	struct smsusb_device_t *dev;
 	void *mdev;
 	int i, rc;
+	int in_maxp;
 
 	/* create device object */
 	dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
@@ -411,6 +412,24 @@ static int smsusb_init_device(struct usb
 	dev->udev = interface_to_usbdev(intf);
 	dev->state = SMSUSB_DISCONNECTED;
 
+	for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
+		struct usb_endpoint_descriptor *desc =
+				&intf->cur_altsetting->endpoint[i].desc;
+
+		if (desc->bEndpointAddress & USB_DIR_IN) {
+			dev->in_ep = desc->bEndpointAddress;
+			in_maxp = usb_endpoint_maxp(desc);
+		} else {
+			dev->out_ep = desc->bEndpointAddress;
+		}
+	}
+
+	pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep);
+	if (!dev->in_ep || !dev->out_ep) {	/* Missing endpoints? */
+		smsusb_term_device(intf);
+		return -ENODEV;
+	}
+
 	params.device_type = sms_get_board(board_id)->type;
 
 	switch (params.device_type) {
@@ -425,24 +444,12 @@ static int smsusb_init_device(struct usb
 		/* fall-thru */
 	default:
 		dev->buffer_size = USB2_BUFFER_SIZE;
-		dev->response_alignment =
-		    le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize) -
-		    sizeof(struct sms_msg_hdr);
+		dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
 
 		params.flags |= SMS_DEVICE_FAMILY2;
 		break;
 	}
 
-	for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
-		if (intf->cur_altsetting->endpoint[i].desc. bEndpointAddress & USB_DIR_IN)
-			dev->in_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress;
-		else
-			dev->out_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress;
-	}
-
-	pr_debug("in_ep = %02x, out_ep = %02x\n",
-		dev->in_ep, dev->out_ep);
-
 	params.device = &dev->udev->dev;
 	params.usb_device = dev->udev;
 	params.buffer_size = dev->buffer_size;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 15/85] media: usb: siano: Fix false-positive "uninitialized variable" warning
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-06-07 15:38 ` [PATCH 5.1 14/85] media: usb: siano: Fix general protection fault in smsusb Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 16/85] media: smsusb: better handle optional alignment Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, kbuild test robot

From: Alan Stern <stern@rowland.harvard.edu>

commit 45457c01171fd1488a7000d1751c06ed8560ee38 upstream.

GCC complains about an apparently uninitialized variable recently
added to smsusb_init_device().  It's a false positive, but to silence
the warning this patch adds a trivial initialization.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: kbuild test robot <lkp@intel.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/siano/smsusb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -400,7 +400,7 @@ static int smsusb_init_device(struct usb
 	struct smsusb_device_t *dev;
 	void *mdev;
 	int i, rc;
-	int in_maxp;
+	int in_maxp = 0;
 
 	/* create device object */
 	dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 16/85] media: smsusb: better handle optional alignment
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 15/85] media: usb: siano: Fix false-positive "uninitialized variable" warning Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 17/85] brcmfmac: fix NULL pointer derefence during USB disconnect Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

commit a47686636d84eaec5c9c6e84bd5f96bed34d526d upstream.

Most Siano devices require an alignment for the response.

Changeset f3be52b0056a ("media: usb: siano: Fix general protection fault in smsusb")
changed the logic with gets such aligment, but it now produces a
sparce warning:

drivers/media/usb/siano/smsusb.c: In function 'smsusb_init_device':
drivers/media/usb/siano/smsusb.c:447:37: warning: 'in_maxp' may be used uninitialized in this function [-Wmaybe-uninitialized]
  447 |   dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
      |                             ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~

The sparse message itself is bogus, but a broken (or fake) USB
eeprom could produce a negative value for response_alignment.

So, change the code in order to check if the result is not
negative.

Fixes: 31e0456de5be ("media: usb: siano: Fix general protection fault in smsusb")
CC: <stable@vger.kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/siano/smsusb.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -400,7 +400,7 @@ static int smsusb_init_device(struct usb
 	struct smsusb_device_t *dev;
 	void *mdev;
 	int i, rc;
-	int in_maxp = 0;
+	int align = 0;
 
 	/* create device object */
 	dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
@@ -418,14 +418,14 @@ static int smsusb_init_device(struct usb
 
 		if (desc->bEndpointAddress & USB_DIR_IN) {
 			dev->in_ep = desc->bEndpointAddress;
-			in_maxp = usb_endpoint_maxp(desc);
+			align = usb_endpoint_maxp(desc) - sizeof(struct sms_msg_hdr);
 		} else {
 			dev->out_ep = desc->bEndpointAddress;
 		}
 	}
 
 	pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep);
-	if (!dev->in_ep || !dev->out_ep) {	/* Missing endpoints? */
+	if (!dev->in_ep || !dev->out_ep || align < 0) {  /* Missing endpoints? */
 		smsusb_term_device(intf);
 		return -ENODEV;
 	}
@@ -444,7 +444,7 @@ static int smsusb_init_device(struct usb
 		/* fall-thru */
 	default:
 		dev->buffer_size = USB2_BUFFER_SIZE;
-		dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
+		dev->response_alignment = align;
 
 		params.flags |= SMS_DEVICE_FAMILY2;
 		break;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 17/85] brcmfmac: fix NULL pointer derefence during USB disconnect
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 16/85] media: smsusb: better handle optional alignment Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 18/85] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Piotr Figiel, Kalle Valo

From: Piotr Figiel <p.figiel@camlintechnologies.com>

commit 5cdb0ef6144f47440850553579aa923c20a63f23 upstream.

In case USB disconnect happens at the moment transmitting workqueue is in
progress the underlying interface may be gone causing a NULL pointer
dereference. Add synchronization of the workqueue destruction with the
detach implementation in core so that the transmitting workqueue is stopped
during detach before the interfaces are removed.

Fix following Oops:

Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = 9e6a802d
[00000008] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle
xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4
iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether
usb_serial_simple usbserial cdc_acm brcmfmac brcmutil smsc95xx usbnet
ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base
libcomposite configfs udc_core
CPU: 0 PID: 7 Comm: kworker/u8:0 Not tainted 4.19.23-00076-g03740aa-dirty #102
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: brcmf_fws_wq brcmf_fws_dequeue_worker [brcmfmac]
PC is at brcmf_txfinalize+0x34/0x90 [brcmfmac]
LR is at brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac]
pc : [<7f0dee64>]    lr : [<7f0e4140>]    psr: 60010093
sp : ee8abef0  ip : 00000000  fp : edf38000
r10: ffffffed  r9 : edf38970  r8 : edf38004
r7 : edf3e970  r6 : 00000000  r5 : ede69000  r4 : 00000000
r3 : 00000a97  r2 : 00000000  r1 : 0000888e  r0 : ede69000
Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 7d03c04a  DAC: 00000051
Process kworker/u8:0 (pid: 7, stack limit = 0x24ec3e04)
Stack: (0xee8abef0 to 0xee8ac000)
bee0:                                     ede69000 00000000 ed56c3e0 7f0e4140
bf00: 00000001 00000000 edf38004 edf3e99c ed56c3e0 80d03d00 edfea43a edf3e970
bf20: ee809880 ee804200 ee971100 00000000 edf3e974 00000000 ee804200 80135a70
bf40: 80d03d00 ee804218 ee809880 ee809894 ee804200 80d03d00 ee804218 ee8aa000
bf60: 00000088 80135d5c 00000000 ee829f00 ee829dc0 00000000 ee809880 80135d30
bf80: ee829f1c ee873eac 00000000 8013b1a0 ee829dc0 8013b07c 00000000 00000000
bfa0: 00000000 00000000 00000000 801010e8 00000000 00000000 00000000 00000000
bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[<7f0dee64>] (brcmf_txfinalize [brcmfmac]) from [<7f0e4140>] (brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac])
[<7f0e4140>] (brcmf_fws_dequeue_worker [brcmfmac]) from [<80135a70>] (process_one_work+0x138/0x3f8)
[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
Exception stack(0xee8abfb0 to 0xee8abff8)
bfa0:                                     00000000 00000000 00000000 00000000
bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
Code: e1530001 0a000007 e3560000 e1a00005 (05942008)
---[ end trace 079239dd31c86e90 ]---

Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c     |   11 ++++++--
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h     |    6 +++-
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c     |    4 ++-
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c |   16 +++++++++---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h |    3 +-
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c    |   10 ++++++-
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h    |    3 +-
 7 files changed, 40 insertions(+), 13 deletions(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
@@ -490,11 +490,18 @@ fail:
 	return -ENOMEM;
 }
 
-void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr)
+void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr)
+{
+	struct brcmf_bcdc *bcdc = drvr->proto->pd;
+
+	brcmf_fws_detach_pre_delif(bcdc->fws);
+}
+
+void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr)
 {
 	struct brcmf_bcdc *bcdc = drvr->proto->pd;
 
 	drvr->proto->pd = NULL;
-	brcmf_fws_detach(bcdc->fws);
+	brcmf_fws_detach_post_delif(bcdc->fws);
 	kfree(bcdc);
 }
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
@@ -18,14 +18,16 @@
 
 #ifdef CONFIG_BRCMFMAC_PROTO_BCDC
 int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr);
-void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr);
+void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr);
+void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr);
 void brcmf_proto_bcdc_txflowblock(struct device *dev, bool state);
 void brcmf_proto_bcdc_txcomplete(struct device *dev, struct sk_buff *txp,
 				 bool success);
 struct brcmf_fws_info *drvr_to_fws(struct brcmf_pub *drvr);
 #else
 static inline int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr) { return 0; }
-static inline void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr) {}
+static void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr) {};
+static inline void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr) {}
 #endif
 
 #endif /* BRCMFMAC_BCDC_H */
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -1303,6 +1303,8 @@ void brcmf_detach(struct device *dev)
 
 	brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN);
 
+	brcmf_proto_detach_pre_delif(drvr);
+
 	/* make sure primary interface removed last */
 	for (i = BRCMF_MAX_IFS-1; i > -1; i--)
 		brcmf_remove_interface(drvr->iflist[i], false);
@@ -1312,7 +1314,7 @@ void brcmf_detach(struct device *dev)
 
 	brcmf_bus_stop(drvr->bus_if);
 
-	brcmf_proto_detach(drvr);
+	brcmf_proto_detach_post_delif(drvr);
 
 	bus_if->drvr = NULL;
 	wiphy_free(drvr->wiphy);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
@@ -2443,17 +2443,25 @@ struct brcmf_fws_info *brcmf_fws_attach(
 	return fws;
 
 fail:
-	brcmf_fws_detach(fws);
+	brcmf_fws_detach_pre_delif(fws);
+	brcmf_fws_detach_post_delif(fws);
 	return ERR_PTR(rc);
 }
 
-void brcmf_fws_detach(struct brcmf_fws_info *fws)
+void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws)
 {
 	if (!fws)
 		return;
-
-	if (fws->fws_wq)
+	if (fws->fws_wq) {
 		destroy_workqueue(fws->fws_wq);
+		fws->fws_wq = NULL;
+	}
+}
+
+void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws)
+{
+	if (!fws)
+		return;
 
 	/* cleanup */
 	brcmf_fws_lock(fws);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
@@ -19,7 +19,8 @@
 #define FWSIGNAL_H_
 
 struct brcmf_fws_info *brcmf_fws_attach(struct brcmf_pub *drvr);
-void brcmf_fws_detach(struct brcmf_fws_info *fws);
+void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws);
+void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws);
 void brcmf_fws_debugfs_create(struct brcmf_pub *drvr);
 bool brcmf_fws_queue_skbs(struct brcmf_fws_info *fws);
 bool brcmf_fws_fc_active(struct brcmf_fws_info *fws);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
@@ -67,16 +67,22 @@ fail:
 	return -ENOMEM;
 }
 
-void brcmf_proto_detach(struct brcmf_pub *drvr)
+void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr)
 {
 	brcmf_dbg(TRACE, "Enter\n");
 
 	if (drvr->proto) {
 		if (drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
-			brcmf_proto_bcdc_detach(drvr);
+			brcmf_proto_bcdc_detach_post_delif(drvr);
 		else if (drvr->bus_if->proto_type == BRCMF_PROTO_MSGBUF)
 			brcmf_proto_msgbuf_detach(drvr);
 		kfree(drvr->proto);
 		drvr->proto = NULL;
 	}
 }
+
+void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr)
+{
+	if (drvr->proto && drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
+		brcmf_proto_bcdc_detach_pre_delif(drvr);
+}
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
@@ -54,7 +54,8 @@ struct brcmf_proto {
 
 
 int brcmf_proto_attach(struct brcmf_pub *drvr);
-void brcmf_proto_detach(struct brcmf_pub *drvr);
+void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr);
+void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr);
 
 static inline int brcmf_proto_hdrpull(struct brcmf_pub *drvr, bool do_fws,
 				      struct sk_buff *skb,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 18/85] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 17/85] brcmfmac: fix NULL pointer derefence during USB disconnect Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 19/85] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Jens Remus,
	Benjamin Block, Martin K. Petersen

From: Steffen Maier <maier@linux.ibm.com>

commit d27e5e07f9c49bf2a6a4ef254ce531c1b4fb5a38 upstream.

With this early return due to zfcp_unit child(ren), we don't use the
zfcp_port reference from the earlier zfcp_get_port_by_wwpn() anymore and
need to put it.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: d99b601b6338 ("[SCSI] zfcp: restore refcount check on port_remove")
Cc: <stable@vger.kernel.org> #3.7+
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_sysfs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/s390/scsi/zfcp_sysfs.c
+++ b/drivers/s390/scsi/zfcp_sysfs.c
@@ -261,6 +261,7 @@ static ssize_t zfcp_sysfs_port_remove_st
 	if (atomic_read(&port->units) > 0) {
 		retval = -EBUSY;
 		mutex_unlock(&zfcp_sysfs_port_units_mutex);
+		put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */
 		goto out;
 	}
 	/* port is about to be removed, so no more unit_add */



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 19/85] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 18/85] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 20/85] tracing: Avoid memory leak in predicate_parse() Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

From: Steffen Maier <maier@linux.ibm.com>

commit ef4021fe5fd77ced0323cede27979d80a56211ca upstream.

When the user tries to remove a zfcp port via sysfs, we only rejected it if
there are zfcp unit children under the port. With purely automatically
scanned LUNs there are no zfcp units but only SCSI devices. In such cases,
the port_remove erroneously continued. We close the port and this
implicitly closes all LUNs under the port. The SCSI devices survive with
their private zfcp_scsi_dev still holding a reference to the "removed"
zfcp_port (still allocated but invisible in sysfs) [zfcp_get_port_by_wwpn
in zfcp_scsi_slave_alloc]. This is not a problem as long as the fc_rport
stays blocked. Once (auto) port scan brings back the removed port, we
unblock its fc_rport again by design.  However, there is no mechanism that
would recover (open) the LUNs under the port (no "ersfs_3" without
zfcp_unit [zfcp_erp_strategy_followup_success]).  Any pending or new I/O to
such LUN leads to repeated:

  Done: NEEDS_RETRY Result: hostbyte=DID_IMM_RETRY driverbyte=DRIVER_OK

See also v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race
with LUN recovery"). Even a manual LUN recovery
(echo 0 > /sys/bus/scsi/devices/H:C:T:L/zfcp_failed)
does not help, as the LUN links to the old "removed" port which remains
to lack ZFCP_STATUS_COMMON_RUNNING [zfcp_erp_required_act].
The only workaround is to first ensure that the fc_rport is blocked
(e.g. port_remove again in case it was re-discovered by (auto) port scan),
then delete the SCSI devices, and finally re-discover by (auto) port scan.
The port scan includes an fc_rport unblock, which in turn triggers
a new scan on the scsi target to freshly get new pure auto scan LUNs.

Fix this by rejecting port_remove also if there are SCSI devices
(even without any zfcp_unit) under this port. Re-use mechanics from v3.7
commit d99b601b6338 ("[SCSI] zfcp: restore refcount check on port_remove").
However, we have to give up zfcp_sysfs_port_units_mutex earlier in unit_add
to prevent a deadlock with scsi_host scan taking shost->scan_mutex first
and then zfcp_sysfs_port_units_mutex now in our zfcp_scsi_slave_alloc().

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: b62a8d9b45b9 ("[SCSI] zfcp: Use SCSI device data zfcp scsi dev instead of zfcp unit")
Fixes: f8210e34887e ("[SCSI] zfcp: Allow midlayer to scan for LUNs when running in NPIV mode")
Cc: <stable@vger.kernel.org> #2.6.37+
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_ext.h   |    1 
 drivers/s390/scsi/zfcp_scsi.c  |    9 ++++++
 drivers/s390/scsi/zfcp_sysfs.c |   54 ++++++++++++++++++++++++++++++++++++-----
 drivers/s390/scsi/zfcp_unit.c  |    8 +++++-
 4 files changed, 65 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -167,6 +167,7 @@ extern const struct attribute_group *zfc
 extern struct mutex zfcp_sysfs_port_units_mutex;
 extern struct device_attribute *zfcp_sysfs_sdev_attrs[];
 extern struct device_attribute *zfcp_sysfs_shost_attrs[];
+bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port);
 
 /* zfcp_unit.c */
 extern int zfcp_unit_add(struct zfcp_port *, u64);
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -129,6 +129,15 @@ static int zfcp_scsi_slave_alloc(struct
 
 	zfcp_sdev->erp_action.port = port;
 
+	mutex_lock(&zfcp_sysfs_port_units_mutex);
+	if (zfcp_sysfs_port_is_removing(port)) {
+		/* port is already gone */
+		mutex_unlock(&zfcp_sysfs_port_units_mutex);
+		put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */
+		return -ENXIO;
+	}
+	mutex_unlock(&zfcp_sysfs_port_units_mutex);
+
 	unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev));
 	if (unit)
 		put_device(&unit->dev);
--- a/drivers/s390/scsi/zfcp_sysfs.c
+++ b/drivers/s390/scsi/zfcp_sysfs.c
@@ -235,6 +235,53 @@ static ZFCP_DEV_ATTR(adapter, port_resca
 
 DEFINE_MUTEX(zfcp_sysfs_port_units_mutex);
 
+static void zfcp_sysfs_port_set_removing(struct zfcp_port *const port)
+{
+	lockdep_assert_held(&zfcp_sysfs_port_units_mutex);
+	atomic_set(&port->units, -1);
+}
+
+bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port)
+{
+	lockdep_assert_held(&zfcp_sysfs_port_units_mutex);
+	return atomic_read(&port->units) == -1;
+}
+
+static bool zfcp_sysfs_port_in_use(struct zfcp_port *const port)
+{
+	struct zfcp_adapter *const adapter = port->adapter;
+	unsigned long flags;
+	struct scsi_device *sdev;
+	bool in_use = true;
+
+	mutex_lock(&zfcp_sysfs_port_units_mutex);
+	if (atomic_read(&port->units) > 0)
+		goto unlock_port_units_mutex; /* zfcp_unit(s) under port */
+
+	spin_lock_irqsave(adapter->scsi_host->host_lock, flags);
+	__shost_for_each_device(sdev, adapter->scsi_host) {
+		const struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
+
+		if (sdev->sdev_state == SDEV_DEL ||
+		    sdev->sdev_state == SDEV_CANCEL)
+			continue;
+		if (zsdev->port != port)
+			continue;
+		/* alive scsi_device under port of interest */
+		goto unlock_host_lock;
+	}
+
+	/* port is about to be removed, so no more unit_add or slave_alloc */
+	zfcp_sysfs_port_set_removing(port);
+	in_use = false;
+
+unlock_host_lock:
+	spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags);
+unlock_port_units_mutex:
+	mutex_unlock(&zfcp_sysfs_port_units_mutex);
+	return in_use;
+}
+
 static ssize_t zfcp_sysfs_port_remove_store(struct device *dev,
 					    struct device_attribute *attr,
 					    const char *buf, size_t count)
@@ -257,16 +304,11 @@ static ssize_t zfcp_sysfs_port_remove_st
 	else
 		retval = 0;
 
-	mutex_lock(&zfcp_sysfs_port_units_mutex);
-	if (atomic_read(&port->units) > 0) {
+	if (zfcp_sysfs_port_in_use(port)) {
 		retval = -EBUSY;
-		mutex_unlock(&zfcp_sysfs_port_units_mutex);
 		put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */
 		goto out;
 	}
-	/* port is about to be removed, so no more unit_add */
-	atomic_set(&port->units, -1);
-	mutex_unlock(&zfcp_sysfs_port_units_mutex);
 
 	write_lock_irq(&adapter->port_list_lock);
 	list_del(&port->list);
--- a/drivers/s390/scsi/zfcp_unit.c
+++ b/drivers/s390/scsi/zfcp_unit.c
@@ -124,7 +124,7 @@ int zfcp_unit_add(struct zfcp_port *port
 	int retval = 0;
 
 	mutex_lock(&zfcp_sysfs_port_units_mutex);
-	if (atomic_read(&port->units) == -1) {
+	if (zfcp_sysfs_port_is_removing(port)) {
 		/* port is already gone */
 		retval = -ENODEV;
 		goto out;
@@ -168,8 +168,14 @@ int zfcp_unit_add(struct zfcp_port *port
 	write_lock_irq(&port->unit_list_lock);
 	list_add_tail(&unit->list, &port->unit_list);
 	write_unlock_irq(&port->unit_list_lock);
+	/*
+	 * lock order: shost->scan_mutex before zfcp_sysfs_port_units_mutex
+	 * due to      zfcp_unit_scsi_scan() => zfcp_scsi_slave_alloc()
+	 */
+	mutex_unlock(&zfcp_sysfs_port_units_mutex);
 
 	zfcp_unit_scsi_scan(unit);
+	return retval;
 
 out:
 	mutex_unlock(&zfcp_sysfs_port_units_mutex);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 20/85] tracing: Avoid memory leak in predicate_parse()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 19/85] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 21/85] Btrfs: fix wrong ctime and mtime of a directory after log replay Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+6b8e0fb820e570c59e19,
	Tomas Bortoli, Steven Rostedt (VMware)

From: Tomas Bortoli <tomasbortoli@gmail.com>

commit dfb4a6f2191a80c8b790117d0ff592fd712d3296 upstream.

In case of errors, predicate_parse() goes to the out_free label
to free memory and to return an error code.

However, predicate_parse() does not free the predicates of the
temporary prog_stack array, thence leaking them.

Link: http://lkml.kernel.org/r/20190528154338.29976-1-tomasbortoli@gmail.com

Cc: stable@vger.kernel.org
Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
Reported-by: syzbot+6b8e0fb820e570c59e19@syzkaller.appspotmail.com
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
[ Added protection around freeing prog_stack[i].pred ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_events_filter.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -427,7 +427,7 @@ predicate_parse(const char *str, int nr_
 	op_stack = kmalloc_array(nr_parens, sizeof(*op_stack), GFP_KERNEL);
 	if (!op_stack)
 		return ERR_PTR(-ENOMEM);
-	prog_stack = kmalloc_array(nr_preds, sizeof(*prog_stack), GFP_KERNEL);
+	prog_stack = kcalloc(nr_preds, sizeof(*prog_stack), GFP_KERNEL);
 	if (!prog_stack) {
 		parse_error(pe, -ENOMEM, 0);
 		goto out_free;
@@ -578,7 +578,11 @@ predicate_parse(const char *str, int nr_
 out_free:
 	kfree(op_stack);
 	kfree(inverts);
-	kfree(prog_stack);
+	if (prog_stack) {
+		for (i = 0; prog_stack[i].pred; i++)
+			kfree(prog_stack[i].pred);
+		kfree(prog_stack);
+	}
 	return ERR_PTR(ret);
 }
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 21/85] Btrfs: fix wrong ctime and mtime of a directory after log replay
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 20/85] tracing: Avoid memory leak in predicate_parse() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 22/85] Btrfs: fix race updating log root item during fsync Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit 5338e43abbab13791144d37fd8846847062351c6 upstream.

When replaying a log that contains a new file or directory name that needs
to be added to its parent directory, we end up updating the mtime and the
ctime of the parent directory to the current time after we have set their
values to the correct ones (set at fsync time), efectivelly losing them.

Sample reproducer:

  $ mkfs.btrfs -f /dev/sdb
  $ mount /dev/sdb /mnt

  $ mkdir /mnt/dir
  $ touch /mnt/dir/file

  # fsync of the directory is optional, not needed
  $ xfs_io -c fsync /mnt/dir
  $ xfs_io -c fsync /mnt/dir/file

  $ stat -c %Y /mnt/dir
  1557856079

  <power failure>

  $ sleep 3
  $ mount /dev/sdb /mnt
  $ stat -c %Y /mnt/dir
  1557856082

    --> should have been 1557856079, the mtime is updated to the current
        time when replaying the log

Fix this by not updating the mtime and ctime to the current time at
btrfs_add_link() when we are replaying a log tree.

This could be triggered by my recent fsync fuzz tester for fstests, for
which an fstests patch exists titled "fstests: generic, fsync fuzz tester
with fsstress".

Fixes: e02119d5a7b43 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6396,8 +6396,18 @@ int btrfs_add_link(struct btrfs_trans_ha
 	btrfs_i_size_write(parent_inode, parent_inode->vfs_inode.i_size +
 			   name_len * 2);
 	inode_inc_iversion(&parent_inode->vfs_inode);
-	parent_inode->vfs_inode.i_mtime = parent_inode->vfs_inode.i_ctime =
-		current_time(&parent_inode->vfs_inode);
+	/*
+	 * If we are replaying a log tree, we do not want to update the mtime
+	 * and ctime of the parent directory with the current time, since the
+	 * log replay procedure is responsible for setting them to their correct
+	 * values (the ones it had when the fsync was done).
+	 */
+	if (!test_bit(BTRFS_FS_LOG_RECOVERING, &root->fs_info->flags)) {
+		struct timespec64 now = current_time(&parent_inode->vfs_inode);
+
+		parent_inode->vfs_inode.i_mtime = now;
+		parent_inode->vfs_inode.i_ctime = now;
+	}
 	ret = btrfs_update_inode(trans, root, &parent_inode->vfs_inode);
 	if (ret)
 		btrfs_abort_transaction(trans, ret);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 22/85] Btrfs: fix race updating log root item during fsync
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 21/85] Btrfs: fix wrong ctime and mtime of a directory after log replay Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 23/85] Btrfs: fix fsync not persisting changed attributes of a directory Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit 06989c799f04810f6876900d4760c0edda369cf7 upstream.

When syncing the log, the final phase of a fsync operation, we need to
either create a log root's item or update the existing item in the log
tree of log roots, and that depends on the current value of the log
root's log_transid - if it's 1 we need to create the log root item,
otherwise it must exist already and we update it. Since there is no
synchronization between updating the log_transid and checking it for
deciding whether the log root's item needs to be created or updated, we
end up with a tiny race window that results in attempts to update the
item to fail because the item was not yet created:

              CPU 1                                    CPU 2

  btrfs_sync_log()

    lock root->log_mutex

    set log root's log_transid to 1

    unlock root->log_mutex

                                               btrfs_sync_log()

                                                 lock root->log_mutex

                                                 sets log root's
                                                 log_transid to 2

                                                 unlock root->log_mutex

    update_log_root()

      sees log root's log_transid
      with a value of 2

        calls btrfs_update_root(),
        which fails with -EUCLEAN
        and causes transaction abort

Until recently the race lead to a BUG_ON at btrfs_update_root(), but after
the recent commit 7ac1e464c4d47 ("btrfs: Don't panic when we can't find a
root key") we just abort the current transaction.

A sample trace of the BUG_ON() on a SLE12 kernel:

  ------------[ cut here ]------------
  kernel BUG at ../fs/btrfs/root-tree.c:157!
  Oops: Exception in kernel mode, sig: 5 [#1]
  SMP NR_CPUS=2048 NUMA pSeries
  (...)
  Supported: Yes, External
  CPU: 78 PID: 76303 Comm: rtas_errd Tainted: G                 X 4.4.156-94.57-default #1
  task: c00000ffa906d010 ti: c00000ff42b08000 task.ti: c00000ff42b08000
  NIP: d000000036ae5cdc LR: d000000036ae5cd8 CTR: 0000000000000000
  REGS: c00000ff42b0b860 TRAP: 0700   Tainted: G                 X  (4.4.156-94.57-default)
  MSR: 8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 22444484  XER: 20000000
  CFAR: d000000036aba66c SOFTE: 1
  GPR00: d000000036ae5cd8 c00000ff42b0bae0 d000000036bda220 0000000000000054
  GPR04: 0000000000000001 0000000000000000 c00007ffff8d37c8 0000000000000000
  GPR08: c000000000e19c00 0000000000000000 0000000000000000 3736343438312079
  GPR12: 3930373337303434 c000000007a3a800 00000000007fffff 0000000000000023
  GPR16: c00000ffa9d26028 c00000ffa9d261f8 0000000000000010 c00000ffa9d2ab28
  GPR20: c00000ff42b0bc48 0000000000000001 c00000ff9f0d9888 0000000000000001
  GPR24: c00000ffa9d26000 c00000ffa9d261e8 c00000ffa9d2a800 c00000ff9f0d9888
  GPR28: c00000ffa9d26028 c00000ffa9d2aa98 0000000000000001 c00000ffa98f5b20
  NIP [d000000036ae5cdc] btrfs_update_root+0x25c/0x4e0 [btrfs]
  LR [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs]
  Call Trace:
  [c00000ff42b0bae0] [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs] (unreliable)
  [c00000ff42b0bba0] [d000000036b53610] btrfs_sync_log+0x2d0/0xc60 [btrfs]
  [c00000ff42b0bce0] [d000000036b1785c] btrfs_sync_file+0x44c/0x4e0 [btrfs]
  [c00000ff42b0bd80] [c00000000032e300] vfs_fsync_range+0x70/0x120
  [c00000ff42b0bdd0] [c00000000032e44c] do_fsync+0x5c/0xb0
  [c00000ff42b0be10] [c00000000032e8dc] SyS_fdatasync+0x2c/0x40
  [c00000ff42b0be30] [c000000000009488] system_call+0x3c/0x100
  Instruction dump:
  7f43d378 4bffebb9 60000000 88d90008 3d220000 e8b90000 3b390009 e87a01f0
  e8898e08 e8f90000 4bfd48e5 60000000 <0fe00000> e95b0060 39200004 394a0ea0
  ---[ end trace 8f2dc8f919cabab8 ]---

So fix this by doing the check of log_transid and updating or creating the
log root's item while holding the root's log_mutex.

Fixes: 7237f1833601d ("Btrfs: fix tree logs parallel sync")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -3096,6 +3096,12 @@ int btrfs_sync_log(struct btrfs_trans_ha
 	log->log_transid = root->log_transid;
 	root->log_start_pid = 0;
 	/*
+	 * Update or create log root item under the root's log_mutex to prevent
+	 * races with concurrent log syncs that can lead to failure to update
+	 * log root item because it was not created yet.
+	 */
+	ret = update_log_root(trans, log);
+	/*
 	 * IO has been started, blocks of the log tree have WRITTEN flag set
 	 * in their headers. new modifications of the log will be written to
 	 * new positions. so it's safe to allow log writers to go in.
@@ -3114,8 +3120,6 @@ int btrfs_sync_log(struct btrfs_trans_ha
 
 	mutex_unlock(&log_root_tree->log_mutex);
 
-	ret = update_log_root(trans, log);
-
 	mutex_lock(&log_root_tree->log_mutex);
 	if (atomic_dec_and_test(&log_root_tree->log_writers)) {
 		/* atomic_dec_and_test implies a barrier */



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 23/85] Btrfs: fix fsync not persisting changed attributes of a directory
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 22/85] Btrfs: fix race updating log root item during fsync Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 24/85] btrfs: correct zstd workspace manager lock to use spin_lock_bh() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit 60d9f50308e5df19bc18c2fefab0eba4a843900a upstream.

While logging an inode we follow its ancestors and for each one we mark
it as logged in the current transaction, even if we have not logged it.
As a consequence if we change an attribute of an ancestor, such as the
UID or GID for example, and then explicitly fsync it, we end up not
logging the inode at all despite returning success to user space, which
results in the attribute being lost if a power failure happens after
the fsync.

Sample reproducer:

  $ mkfs.btrfs -f /dev/sdb
  $ mount /dev/sdb /mnt

  $ mkdir /mnt/dir
  $ chown 6007:6007 /mnt/dir

  $ sync

  $ chown 9003:9003 /mnt/dir
  $ touch /mnt/dir/file
  $ xfs_io -c fsync /mnt/dir/file

  # fsync our directory after fsync'ing the new file, should persist the
  # new values for the uid and gid.
  $ xfs_io -c fsync /mnt/dir

  <power failure>

  $ mount /dev/sdb /mnt
  $ stat -c %u:%g /mnt/dir
  6007:6007

    --> should be 9003:9003, the uid and gid were not persisted, despite
        the explicit fsync on the directory prior to the power failure

Fix this by not updating the logged_trans field of ancestor inodes when
logging an inode, since we have not logged them. Let only future calls to
btrfs_log_inode() to mark inodes as logged.

This could be triggered by my recent fsync fuzz tester for fstests, for
which an fstests patch exists titled "fstests: generic, fsync fuzz tester
with fsstress".

Fixes: 12fcfd22fe5b ("Btrfs: tree logging unlink/rename fixes")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |   12 ------------
 1 file changed, 12 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -5469,7 +5469,6 @@ static noinline int check_parent_dirs_fo
 {
 	int ret = 0;
 	struct dentry *old_parent = NULL;
-	struct btrfs_inode *orig_inode = inode;
 
 	/*
 	 * for regular files, if its inode is already on disk, we don't
@@ -5489,16 +5488,6 @@ static noinline int check_parent_dirs_fo
 	}
 
 	while (1) {
-		/*
-		 * If we are logging a directory then we start with our inode,
-		 * not our parent's inode, so we need to skip setting the
-		 * logged_trans so that further down in the log code we don't
-		 * think this inode has already been logged.
-		 */
-		if (inode != orig_inode)
-			inode->logged_trans = trans->transid;
-		smp_mb();
-
 		if (btrfs_must_commit_transaction(trans, inode)) {
 			ret = 1;
 			break;
@@ -6227,7 +6216,6 @@ void btrfs_record_unlink_dir(struct btrf
 	 * if this directory was already logged any new
 	 * names for this file/dir will get recorded
 	 */
-	smp_mb();
 	if (dir->logged_trans == trans->transid)
 		return;
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 24/85] btrfs: correct zstd workspace manager lock to use spin_lock_bh()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 23/85] Btrfs: fix fsync not persisting changed attributes of a directory Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 25/85] btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dennis Zhou, David Sterba

From: Dennis Zhou <dennis@kernel.org>

commit fee13fe96529523a709d1fff487f14a5e0d56d34 upstream.

The btrfs zstd workspace manager uses a background timer to reclaim not
recently used workspaces. I used spin_lock() from this context which
should have been caught with lockdep, but was not. This deadlock was
reported in bugzilla. The fix is to switch the zstd wsm lock to use
spin_lock_bh() from the softirq context.

This happened quite relibably on ppc64, unlike on other architectures.

  [  313.402874] ================================
  [  313.402875] WARNING: inconsistent lock state
  [  313.402879] 5.1.0-rc7 #1 Not tainted
  [  313.402880] --------------------------------
  [  313.402882] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
  [  313.402885] swapper/5/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
  [  313.402888] 0000000080d1120c (&(&wsm.lock)->rlock){+.?.}, at: .zstd_reclaim_timer_fn+0x40/0x230
  [  313.402895] {SOFTIRQ-ON-W} state was registered at:
  [  313.402899]   .lock_acquire+0xd0/0x240
  [  313.402903]   ._raw_spin_lock+0x34/0x60
  [  313.402906]   .zstd_get_workspace+0xd0/0x360
  [  313.402908]   .end_compressed_bio_read+0x3b8/0x540
  [  313.402911]   .bio_endio+0x174/0x2c0
  [  313.402914]   .end_workqueue_fn+0x4c/0x70
  [  313.402917]   .normal_work_helper+0x138/0x7e0
  [  313.402920]   .process_one_work+0x324/0x790
  [  313.402922]   .worker_thread+0x68/0x570
  [  313.402925]   .kthread+0x19c/0x1b0
  [  313.402928]   .ret_from_kernel_thread+0x58/0x78
  [  313.402930] irq event stamp: 2629216
  [  313.402933] hardirqs last  enabled at (2629216): [<c0000000009da738>] ._raw_spin_unlock_irq+0x38/0x60
  [  313.402936] hardirqs last disabled at (2629215): [<c0000000009da4c4>] ._raw_spin_lock_irq+0x24/0x70
  [  313.402939] softirqs last  enabled at (2629212): [<c0000000000af9fc>] .irq_enter+0x8c/0xd0
  [  313.402942] softirqs last disabled at (2629213): [<c0000000000afb58>] .irq_exit+0x118/0x170
  [  313.402944]
		 other info that might help us debug this:
  [  313.402945]  Possible unsafe locking scenario:

  [  313.402947]        CPU0
  [  313.402948]        ----
  [  313.402949]   lock(&(&wsm.lock)->rlock);
  [  313.402951]   <Interrupt>
  [  313.402952]     lock(&(&wsm.lock)->rlock);
  [  313.402954]
		  *** DEADLOCK ***

  [  313.402957] 1 lock held by swapper/5/0:
  [  313.402958]  #0: 000000004b612042 ((&wsm.timer)){+.-.}, at: .call_timer_fn+0x0/0x3c0
  [  313.402963]
		 stack backtrace:
  [  313.402967] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 5.1.0-rc7 #1
  [  313.402968] Call Trace:
  [  313.402972] [c0000007fa262e70] [c0000000009b3294] .dump_stack+0xe0/0x15c (unreliable)
  [  313.402975] [c0000007fa262f10] [c000000000125548] .print_usage_bug+0x348/0x390
  [  313.402978] [c0000007fa262fd0] [c000000000125cb4] .mark_lock+0x724/0x930
  [  313.402981] [c0000007fa263080] [c000000000126c20] .__lock_acquire+0xc90/0x16a0
  [  313.402984] [c0000007fa2631b0] [c000000000128040] .lock_acquire+0xd0/0x240
  [  313.402987] [c0000007fa263280] [c0000000009da2b4] ._raw_spin_lock+0x34/0x60
  [  313.402990] [c0000007fa263300] [c00000000054b0b0] .zstd_reclaim_timer_fn+0x40/0x230
  [  313.402993] [c0000007fa2633d0] [c000000000158b38] .call_timer_fn+0xc8/0x3c0
  [  313.402996] [c0000007fa2634a0] [c000000000158f74] .expire_timers+0x144/0x260
  [  313.402999] [c0000007fa263550] [c000000000159178] .run_timer_softirq+0xe8/0x230
  [  313.403002] [c0000007fa263680] [c0000000009db288] .__do_softirq+0x188/0x5d4
  [  313.403004] [c0000007fa263790] [c0000000000afb58] .irq_exit+0x118/0x170
  [  313.403008] [c0000007fa263800] [c000000000028d88] .timer_interrupt+0x158/0x430
  [  313.403012] [c0000007fa2638b0] [c0000000000091d4] decrementer_common+0x134/0x140
  [  313.403017] --- interrupt: 901 at replay_interrupt_return+0x0/0x4
		     LR = .arch_local_irq_restore.part.0+0x68/0x80
  [  313.403020] [c0000007fa263bb0] [c00000000001a3ac] .arch_local_irq_restore.part.0+0x2c/0x80 (unreliable)
  [  313.403024] [c0000007fa263c30] [c0000000007bbbcc] .cpuidle_enter_state+0xec/0x670
  [  313.403027] [c0000007fa263d00] [c0000000000f5130] .call_cpuidle+0x40/0x90
  [  313.403031] [c0000007fa263d70] [c0000000000f554c] .do_idle+0x2dc/0x3a0
  [  313.403034] [c0000007fa263e30] [c0000000000f59ac] .cpu_startup_entry+0x2c/0x30
  [  313.403037] [c0000007fa263ea0] [c000000000045674] .start_secondary+0x644/0x650
  [  313.403041] [c0000007fa263f90] [c00000000000ad5c] start_secondary_prolog+0x10/0x14

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203517
Fixes: 3f93aef535c8 ("btrfs: add zstd compression level support")
CC: stable@vger.kernel.org # 5.1+
Signed-off-by: Dennis Zhou <dennis@kernel.org>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/zstd.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/fs/btrfs/zstd.c
+++ b/fs/btrfs/zstd.c
@@ -102,10 +102,10 @@ static void zstd_reclaim_timer_fn(struct
 	unsigned long reclaim_threshold = jiffies - ZSTD_BTRFS_RECLAIM_JIFFIES;
 	struct list_head *pos, *next;
 
-	spin_lock(&wsm.lock);
+	spin_lock_bh(&wsm.lock);
 
 	if (list_empty(&wsm.lru_list)) {
-		spin_unlock(&wsm.lock);
+		spin_unlock_bh(&wsm.lock);
 		return;
 	}
 
@@ -134,7 +134,7 @@ static void zstd_reclaim_timer_fn(struct
 	if (!list_empty(&wsm.lru_list))
 		mod_timer(&wsm.timer, jiffies + ZSTD_BTRFS_RECLAIM_JIFFIES);
 
-	spin_unlock(&wsm.lock);
+	spin_unlock_bh(&wsm.lock);
 }
 
 /*
@@ -195,7 +195,7 @@ static void zstd_cleanup_workspace_manag
 	struct workspace *workspace;
 	int i;
 
-	spin_lock(&wsm.lock);
+	spin_lock_bh(&wsm.lock);
 	for (i = 0; i < ZSTD_BTRFS_MAX_LEVEL; i++) {
 		while (!list_empty(&wsm.idle_ws[i])) {
 			workspace = container_of(wsm.idle_ws[i].next,
@@ -205,7 +205,7 @@ static void zstd_cleanup_workspace_manag
 			wsm.ops->free_workspace(&workspace->list);
 		}
 	}
-	spin_unlock(&wsm.lock);
+	spin_unlock_bh(&wsm.lock);
 
 	del_timer_sync(&wsm.timer);
 }
@@ -227,7 +227,7 @@ static struct list_head *zstd_find_works
 	struct workspace *workspace;
 	int i = level - 1;
 
-	spin_lock(&wsm.lock);
+	spin_lock_bh(&wsm.lock);
 	for_each_set_bit_from(i, &wsm.active_map, ZSTD_BTRFS_MAX_LEVEL) {
 		if (!list_empty(&wsm.idle_ws[i])) {
 			ws = wsm.idle_ws[i].next;
@@ -239,11 +239,11 @@ static struct list_head *zstd_find_works
 				list_del(&workspace->lru_list);
 			if (list_empty(&wsm.idle_ws[i]))
 				clear_bit(i, &wsm.active_map);
-			spin_unlock(&wsm.lock);
+			spin_unlock_bh(&wsm.lock);
 			return ws;
 		}
 	}
-	spin_unlock(&wsm.lock);
+	spin_unlock_bh(&wsm.lock);
 
 	return NULL;
 }
@@ -302,7 +302,7 @@ static void zstd_put_workspace(struct li
 {
 	struct workspace *workspace = list_to_workspace(ws);
 
-	spin_lock(&wsm.lock);
+	spin_lock_bh(&wsm.lock);
 
 	/* A node is only taken off the lru if we are the corresponding level */
 	if (workspace->req_level == workspace->level) {
@@ -322,7 +322,7 @@ static void zstd_put_workspace(struct li
 	list_add(&workspace->list, &wsm.idle_ws[workspace->level - 1]);
 	workspace->req_level = 0;
 
-	spin_unlock(&wsm.lock);
+	spin_unlock_bh(&wsm.lock);
 
 	if (workspace->level == ZSTD_BTRFS_MAX_LEVEL)
 		cond_wake_up(&wsm.wait);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 25/85] btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 24/85] btrfs: correct zstd workspace manager lock to use spin_lock_bh() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 26/85] Btrfs: incremental send, fix file corruption when no-holes feature is enabled Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Juan Erbes, Qu Wenruo, David Sterba

From: Qu Wenruo <wqu@suse.com>

commit 57949d033a09c57d77be218b5bec07af6878ab32 upstream.

[BUG]
When mounting a fs with reloc tree and has qgroup enabled, it can cause
NULL pointer dereference at mount time:

  BUG: kernel NULL pointer dereference, address: 00000000000000a8
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  RIP: 0010:btrfs_qgroup_add_swapped_blocks+0x186/0x300 [btrfs]
  Call Trace:
   replace_path.isra.23+0x685/0x900 [btrfs]
   merge_reloc_root+0x26e/0x5f0 [btrfs]
   merge_reloc_roots+0x10a/0x1a0 [btrfs]
   btrfs_recover_relocation+0x3cd/0x420 [btrfs]
   open_ctree+0x1bc8/0x1ed0 [btrfs]
   btrfs_mount_root+0x544/0x680 [btrfs]
   legacy_get_tree+0x34/0x60
   vfs_get_tree+0x2d/0xf0
   fc_mount+0x12/0x40
   vfs_kern_mount.part.12+0x61/0xa0
   vfs_kern_mount+0x13/0x20
   btrfs_mount+0x16f/0x860 [btrfs]
   legacy_get_tree+0x34/0x60
   vfs_get_tree+0x2d/0xf0
   do_mount+0x81f/0xac0
   ksys_mount+0xbf/0xe0
   __x64_sys_mount+0x25/0x30
   do_syscall_64+0x65/0x240
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

[CAUSE]
In btrfs_recover_relocation(), we don't have enough info to determine
which block group we're relocating, but only to merge existing reloc
trees.

Thus in btrfs_recover_relocation(), rc->block_group is NULL.
btrfs_qgroup_add_swapped_blocks() hasn't taken this into consideration,
and causes a NULL pointer dereference.

The bug is introduced by commit 3d0174f78e72 ("btrfs: qgroup: Only trace
data extents in leaves if we're relocating data block group"), and
later qgroup refactoring still keeps this optimization.

[FIX]
Thankfully in the context of btrfs_recover_relocation(), there is no
other progress can modify tree blocks, thus those swapped tree blocks
pair will never affect qgroup numbers, no matter whatever we set for
block->trace_leaf.

So we only need to check if @bg is NULL before accessing @bg->flags.

Reported-by: Juan Erbes <jerbes@gmail.com>
Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1134806
Fixes: 3d0174f78e72 ("btrfs: qgroup: Only trace data extents in leaves if we're relocating data block group")
CC: stable@vger.kernel.org # 4.20+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/qgroup.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -3831,7 +3831,13 @@ int btrfs_qgroup_add_swapped_blocks(stru
 							    subvol_slot);
 	block->last_snapshot = last_snapshot;
 	block->level = level;
-	if (bg->flags & BTRFS_BLOCK_GROUP_DATA)
+
+	/*
+	 * If we have bg == NULL, we're called from btrfs_recover_relocation(),
+	 * no one else can modify tree blocks thus we qgroup will not change
+	 * no matter the value of trace_leaf.
+	 */
+	if (bg && bg->flags & BTRFS_BLOCK_GROUP_DATA)
 		block->trace_leaf = true;
 	else
 		block->trace_leaf = false;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 26/85] Btrfs: incremental send, fix file corruption when no-holes feature is enabled
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 25/85] btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 27/85] btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON() Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit 6b1f72e5b82a5c2a4da4d1ebb8cc01913ddbea21 upstream.

When using the no-holes feature, if we have a file with prealloc extents
with a start offset beyond the file's eof, doing an incremental send can
cause corruption of the file due to incorrect hole detection. Such case
requires that the prealloc extent(s) exist in both the parent and send
snapshots, and that a hole is punched into the file that covers all its
extents that do not cross the eof boundary.

Example reproducer:

  $ mkfs.btrfs -f -O no-holes /dev/sdb
  $ mount /dev/sdb /mnt/sdb

  $ xfs_io -f -c "pwrite -S 0xab 0 500K" /mnt/sdb/foobar
  $ xfs_io -c "falloc -k 1200K 800K" /mnt/sdb/foobar

  $ btrfs subvolume snapshot -r /mnt/sdb /mnt/sdb/base

  $ btrfs send -f /tmp/base.snap /mnt/sdb/base

  $ xfs_io -c "fpunch 0 500K" /mnt/sdb/foobar

  $ btrfs subvolume snapshot -r /mnt/sdb /mnt/sdb/incr

  $ btrfs send -p /mnt/sdb/base -f /tmp/incr.snap /mnt/sdb/incr

  $ md5sum /mnt/sdb/incr/foobar
  816df6f64deba63b029ca19d880ee10a   /mnt/sdb/incr/foobar

  $ mkfs.btrfs -f /dev/sdc
  $ mount /dev/sdc /mnt/sdc

  $ btrfs receive -f /tmp/base.snap /mnt/sdc
  $ btrfs receive -f /tmp/incr.snap /mnt/sdc

  $ md5sum /mnt/sdc/incr/foobar
  cf2ef71f4a9e90c2f6013ba3b2257ed2   /mnt/sdc/incr/foobar

    --> Different checksum, because the prealloc extent beyond the
        file's eof confused the hole detection code and it assumed
        a hole starting at offset 0 and ending at the offset of the
        prealloc extent (1200Kb) instead of ending at the offset
        500Kb (the file's size).

Fix this by ensuring we never cross the file's size when issuing the
write operations for a hole.

Fixes: 16e7549f045d33 ("Btrfs: incompatible format change to remove hole extents")
CC: stable@vger.kernel.org # 3.14+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/send.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -5017,6 +5017,12 @@ static int send_hole(struct send_ctx *sc
 	if (offset >= sctx->cur_inode_size)
 		return 0;
 
+	/*
+	 * Don't go beyond the inode's i_size due to prealloc extents that start
+	 * after the i_size.
+	 */
+	end = min_t(u64, end, sctx->cur_inode_size);
+
 	if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA)
 		return send_update_extent(sctx, offset, end - offset);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 27/85] btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 26/85] Btrfs: incremental send, fix file corruption when no-holes feature is enabled Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 28/85] iio: dac: ds4422/ds4424 fix chip verification Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Qu Wenruo, David Sterba

From: Qu Wenruo <wqu@suse.com>

commit 30d40577e322b670551ad7e2faa9570b6e23eb2b upstream.

[BUG]
When a fs has orphan reloc tree along with unfinished balance:
  ...
        item 16 key (TREE_RELOC ROOT_ITEM FS_TREE) itemoff 12090 itemsize 439
                generation 12 root_dirid 256 bytenr 300400640 level 1 refs 0 <<<
                lastsnap 8 byte_limit 0 bytes_used 1359872 flags 0x0(none)
                uuid 7c48d938-33a3-4aae-ab19-6e5c9d406e46
        item 17 key (BALANCE TEMPORARY_ITEM 0) itemoff 11642 itemsize 448
                temporary item objectid BALANCE offset 0
                balance status flags 14

Then at mount time, we can hit the following kernel BUG_ON():
  BTRFS info (device dm-3): relocating block group 298844160 flags metadata|dup
  ------------[ cut here ]------------
  kernel BUG at fs/btrfs/relocation.c:1413!
  invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 1 PID: 897 Comm: btrfs-balance Tainted: G           O      5.2.0-rc1-custom #15
  RIP: 0010:create_reloc_root+0x1eb/0x200 [btrfs]
  Call Trace:
   btrfs_init_reloc_root+0x96/0xb0 [btrfs]
   record_root_in_trans+0xb2/0xe0 [btrfs]
   btrfs_record_root_in_trans+0x55/0x70 [btrfs]
   select_reloc_root+0x7e/0x230 [btrfs]
   do_relocation+0xc4/0x620 [btrfs]
   relocate_tree_blocks+0x592/0x6a0 [btrfs]
   relocate_block_group+0x47b/0x5d0 [btrfs]
   btrfs_relocate_block_group+0x183/0x2f0 [btrfs]
   btrfs_relocate_chunk+0x4e/0xe0 [btrfs]
   btrfs_balance+0x864/0xfa0 [btrfs]
   balance_kthread+0x3b/0x50 [btrfs]
   kthread+0x123/0x140
   ret_from_fork+0x27/0x50

[CAUSE]
In btrfs, reloc trees are used to record swapped tree blocks during
balance.
Reloc tree either get merged (replace old tree blocks of its parent
subvolume) in next transaction if its ref is 1 (fresh).
Or is already merged and will be cleaned up if its ref is 0 (orphan).

After commit d2311e698578 ("btrfs: relocation: Delay reloc tree deletion
after merge_reloc_roots"), reloc tree cleanup is delayed until one block
group is balanced.

Since fresh reloc roots are recorded during merge, as long as there
is no power loss, those orphan reloc roots converted from fresh ones are
handled without problem.

However when power loss happens, orphan reloc roots can be recorded
on-disk, thus at next mount time, we will have orphan reloc roots from
on-disk data directly, and ignored by clean_dirty_subvols() routine.

Then when background balance starts to balance another block group, and
needs to create new reloc root for the same root, btrfs_insert_item()
returns -EEXIST, and trigger that BUG_ON().

[FIX]
For orphan reloc roots, also queue them to rc->dirty_subvol_roots, so
all reloc roots no matter orphan or not, can be cleaned up properly and
avoid above BUG_ON().

And to cooperate with above change, clean_dirty_subvols() will check if
the queued root is a reloc root or a subvol root.
For a subvol root, do the old work, and for a orphan reloc root, clean it
up.

Fixes: d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots")
CC: stable@vger.kernel.org # 5.1
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/relocation.c |   31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -2161,22 +2161,30 @@ static int clean_dirty_subvols(struct re
 	struct btrfs_root *root;
 	struct btrfs_root *next;
 	int ret = 0;
+	int ret2;
 
 	list_for_each_entry_safe(root, next, &rc->dirty_subvol_roots,
 				 reloc_dirty_list) {
-		struct btrfs_root *reloc_root = root->reloc_root;
-
-		clear_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state);
-		list_del_init(&root->reloc_dirty_list);
-		root->reloc_root = NULL;
-		if (reloc_root) {
-			int ret2;
-
-			ret2 = btrfs_drop_snapshot(reloc_root, NULL, 0, 1);
+		if (root->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID) {
+			/* Merged subvolume, cleanup its reloc root */
+			struct btrfs_root *reloc_root = root->reloc_root;
+
+			clear_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state);
+			list_del_init(&root->reloc_dirty_list);
+			root->reloc_root = NULL;
+			if (reloc_root) {
+
+				ret2 = btrfs_drop_snapshot(reloc_root, NULL, 0, 1);
+				if (ret2 < 0 && !ret)
+					ret = ret2;
+			}
+			btrfs_put_fs_root(root);
+		} else {
+			/* Orphan reloc tree, just clean it up */
+			ret2 = btrfs_drop_snapshot(root, NULL, 0, 1);
 			if (ret2 < 0 && !ret)
 				ret = ret2;
 		}
-		btrfs_put_fs_root(root);
 	}
 	return ret;
 }
@@ -2464,6 +2472,9 @@ again:
 			}
 		} else {
 			list_del_init(&reloc_root->root_list);
+			/* Don't forget to queue this reloc root for cleanup */
+			list_add_tail(&reloc_root->reloc_dirty_list,
+				      &rc->dirty_subvol_roots);
 		}
 	}
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 28/85] iio: dac: ds4422/ds4424 fix chip verification
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 27/85] btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 29/85] iio: adc: ads124: avoid buffer overflow Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ruslan Babayev, xe-linux-external,
	Stable, Jonathan Cameron

From: Ruslan Babayev <ruslan@babayev.com>

commit 60f2208699ec08ff9fdf1f97639a661a92a18f1c upstream.

The ds4424_get_value function takes channel number as it's 3rd
argument and translates it internally into I2C address using
DS4424_DAC_ADDR macro. The caller ds4424_verify_chip was passing an
already translated I2C address as its last argument.

Signed-off-by: Ruslan Babayev <ruslan@babayev.com>
Cc: xe-linux-external@cisco.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/dac/ds4424.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/dac/ds4424.c
+++ b/drivers/iio/dac/ds4424.c
@@ -166,7 +166,7 @@ static int ds4424_verify_chip(struct iio
 {
 	int ret, val;
 
-	ret = ds4424_get_value(indio_dev, &val, DS4424_DAC_ADDR(0));
+	ret = ds4424_get_value(indio_dev, &val, 0);
 	if (ret < 0)
 		dev_err(&indio_dev->dev,
 				"%s failed. ret: %d\n", __func__, ret);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 29/85] iio: adc: ads124: avoid buffer overflow
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 28/85] iio: dac: ds4422/ds4424 fix chip verification Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 30/85] iio: adc: modify NPCM ADC read reference voltage Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincent Stehlé,
	Mukesh Ojha, Dan Murphy, Stable, Jonathan Cameron

From: Vincent Stehlé <vincent.stehle@laposte.net>

commit 0db8aa49a97e7f40852a64fd35abcc1292a7c365 upstream.

When initializing the priv->data array starting from index 1, there is one
less element to consider than when initializing the full array.

Fixes: e717f8c6dfec8f76 ("iio: adc: Add the TI ads124s08 ADC code")
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Reviewed-by: Dan Murphy <dmurphy@ti.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ti-ads124s08.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/ti-ads124s08.c
+++ b/drivers/iio/adc/ti-ads124s08.c
@@ -202,7 +202,7 @@ static int ads124s_read(struct iio_dev *
 	};
 
 	priv->data[0] = ADS124S08_CMD_RDATA;
-	memset(&priv->data[1], ADS124S08_CMD_NOP, sizeof(priv->data));
+	memset(&priv->data[1], ADS124S08_CMD_NOP, sizeof(priv->data) - 1);
 
 	ret = spi_sync_transfer(priv->spi, t, ARRAY_SIZE(t));
 	if (ret < 0)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 30/85] iio: adc: modify NPCM ADC read reference voltage
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 29/85] iio: adc: ads124: avoid buffer overflow Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 31/85] iio: adc: ti-ads8688: fix timestamp is not updated in buffer Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomer Maimon, Stable, Jonathan Cameron

From: Tomer Maimon <tmaimon77@gmail.com>

commit 4e63ed6b90803eeb400c392e9ff493200d926b06 upstream.

Checking if regulator is valid before reading
NPCM ADC regulator voltage to avoid system crash
in a case the regulator is not valid.

Signed-off-by: Tomer Maimon <tmaimon77@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/npcm_adc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/npcm_adc.c
+++ b/drivers/iio/adc/npcm_adc.c
@@ -149,7 +149,7 @@ static int npcm_adc_read_raw(struct iio_
 		}
 		return IIO_VAL_INT;
 	case IIO_CHAN_INFO_SCALE:
-		if (info->vref) {
+		if (!IS_ERR(info->vref)) {
 			vref_uv = regulator_get_voltage(info->vref);
 			*val = vref_uv / 1000;
 		} else {



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 31/85] iio: adc: ti-ads8688: fix timestamp is not updated in buffer
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 30/85] iio: adc: modify NPCM ADC read reference voltage Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 32/85] s390/crypto: fix gcm-aes-s390 selftest failures Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Nyekjaer, Stable, Jonathan Cameron

From: Sean Nyekjaer <sean@geanix.com>

commit e6d12298310fa1dc11f1d747e05b168016057fdd upstream.

When using the hrtimer iio trigger timestamp isn't updated.
If we use iio_get_time_ns it is updated correctly.

Fixes: 2a86487786b5c ("iio: adc: ti-ads8688: add trigger and buffer support")
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ti-ads8688.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/ti-ads8688.c
+++ b/drivers/iio/adc/ti-ads8688.c
@@ -397,7 +397,7 @@ static irqreturn_t ads8688_trigger_handl
 	}
 
 	iio_push_to_buffers_with_timestamp(indio_dev, buffer,
-			pf->timestamp);
+			iio_get_time_ns(indio_dev));
 
 	iio_trigger_notify_done(indio_dev->trig);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 32/85] s390/crypto: fix gcm-aes-s390 selftest failures
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 31/85] iio: adc: ti-ads8688: fix timestamp is not updated in buffer Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 33/85] s390/crypto: fix possible sleep during spinlock aquired Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julian Wiedmann, Patrick Steuer,
	Harald Freudenberger, Heiko Carstens

From: Harald Freudenberger <freude@linux.ibm.com>

commit bef9f0ba300a55d79a69aa172156072182176515 upstream.

The current kernel uses improved crypto selftests. These
tests showed that the current implementation of gcm-aes-s390
is not able to deal with chunks of output buffers which are
not a multiple of 16 bytes. This patch introduces a rework
of the gcm aes s390 scatter walk handling which now is able
to handle any input and output scatter list chunk sizes
correctly.

Code has been verified by the crypto selftests, the tcrypt
kernel module and additional tests ran via the af_alg interface.

Cc: <stable@vger.kernel.org>
Reported-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Patrick Steuer <steuer@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/crypto/aes_s390.c |  148 +++++++++++++++++++++++++++++++-------------
 1 file changed, 107 insertions(+), 41 deletions(-)

--- a/arch/s390/crypto/aes_s390.c
+++ b/arch/s390/crypto/aes_s390.c
@@ -826,19 +826,45 @@ static int gcm_aes_setauthsize(struct cr
 	return 0;
 }
 
-static void gcm_sg_walk_start(struct gcm_sg_walk *gw, struct scatterlist *sg,
-			      unsigned int len)
+static void gcm_walk_start(struct gcm_sg_walk *gw, struct scatterlist *sg,
+			   unsigned int len)
 {
 	memset(gw, 0, sizeof(*gw));
 	gw->walk_bytes_remain = len;
 	scatterwalk_start(&gw->walk, sg);
 }
 
-static int gcm_sg_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded)
+static inline unsigned int _gcm_sg_clamp_and_map(struct gcm_sg_walk *gw)
+{
+	struct scatterlist *nextsg;
+
+	gw->walk_bytes = scatterwalk_clamp(&gw->walk, gw->walk_bytes_remain);
+	while (!gw->walk_bytes) {
+		nextsg = sg_next(gw->walk.sg);
+		if (!nextsg)
+			return 0;
+		scatterwalk_start(&gw->walk, nextsg);
+		gw->walk_bytes = scatterwalk_clamp(&gw->walk,
+						   gw->walk_bytes_remain);
+	}
+	gw->walk_ptr = scatterwalk_map(&gw->walk);
+	return gw->walk_bytes;
+}
+
+static inline void _gcm_sg_unmap_and_advance(struct gcm_sg_walk *gw,
+					     unsigned int nbytes)
+{
+	gw->walk_bytes_remain -= nbytes;
+	scatterwalk_unmap(&gw->walk);
+	scatterwalk_advance(&gw->walk, nbytes);
+	scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain);
+	gw->walk_ptr = NULL;
+}
+
+static int gcm_in_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded)
 {
 	int n;
 
-	/* minbytesneeded <= AES_BLOCK_SIZE */
 	if (gw->buf_bytes && gw->buf_bytes >= minbytesneeded) {
 		gw->ptr = gw->buf;
 		gw->nbytes = gw->buf_bytes;
@@ -851,13 +877,11 @@ static int gcm_sg_walk_go(struct gcm_sg_
 		goto out;
 	}
 
-	gw->walk_bytes = scatterwalk_clamp(&gw->walk, gw->walk_bytes_remain);
-	if (!gw->walk_bytes) {
-		scatterwalk_start(&gw->walk, sg_next(gw->walk.sg));
-		gw->walk_bytes = scatterwalk_clamp(&gw->walk,
-						   gw->walk_bytes_remain);
+	if (!_gcm_sg_clamp_and_map(gw)) {
+		gw->ptr = NULL;
+		gw->nbytes = 0;
+		goto out;
 	}
-	gw->walk_ptr = scatterwalk_map(&gw->walk);
 
 	if (!gw->buf_bytes && gw->walk_bytes >= minbytesneeded) {
 		gw->ptr = gw->walk_ptr;
@@ -869,51 +893,90 @@ static int gcm_sg_walk_go(struct gcm_sg_
 		n = min(gw->walk_bytes, AES_BLOCK_SIZE - gw->buf_bytes);
 		memcpy(gw->buf + gw->buf_bytes, gw->walk_ptr, n);
 		gw->buf_bytes += n;
-		gw->walk_bytes_remain -= n;
-		scatterwalk_unmap(&gw->walk);
-		scatterwalk_advance(&gw->walk, n);
-		scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain);
-
+		_gcm_sg_unmap_and_advance(gw, n);
 		if (gw->buf_bytes >= minbytesneeded) {
 			gw->ptr = gw->buf;
 			gw->nbytes = gw->buf_bytes;
 			goto out;
 		}
-
-		gw->walk_bytes = scatterwalk_clamp(&gw->walk,
-						   gw->walk_bytes_remain);
-		if (!gw->walk_bytes) {
-			scatterwalk_start(&gw->walk, sg_next(gw->walk.sg));
-			gw->walk_bytes = scatterwalk_clamp(&gw->walk,
-							gw->walk_bytes_remain);
+		if (!_gcm_sg_clamp_and_map(gw)) {
+			gw->ptr = NULL;
+			gw->nbytes = 0;
+			goto out;
 		}
-		gw->walk_ptr = scatterwalk_map(&gw->walk);
 	}
 
 out:
 	return gw->nbytes;
 }
 
-static void gcm_sg_walk_done(struct gcm_sg_walk *gw, unsigned int bytesdone)
+static int gcm_out_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded)
 {
-	int n;
+	if (gw->walk_bytes_remain == 0) {
+		gw->ptr = NULL;
+		gw->nbytes = 0;
+		goto out;
+	}
+
+	if (!_gcm_sg_clamp_and_map(gw)) {
+		gw->ptr = NULL;
+		gw->nbytes = 0;
+		goto out;
+	}
 
+	if (gw->walk_bytes >= minbytesneeded) {
+		gw->ptr = gw->walk_ptr;
+		gw->nbytes = gw->walk_bytes;
+		goto out;
+	}
+
+	scatterwalk_unmap(&gw->walk);
+	gw->walk_ptr = NULL;
+
+	gw->ptr = gw->buf;
+	gw->nbytes = sizeof(gw->buf);
+
+out:
+	return gw->nbytes;
+}
+
+static int gcm_in_walk_done(struct gcm_sg_walk *gw, unsigned int bytesdone)
+{
 	if (gw->ptr == NULL)
-		return;
+		return 0;
 
 	if (gw->ptr == gw->buf) {
-		n = gw->buf_bytes - bytesdone;
+		int n = gw->buf_bytes - bytesdone;
 		if (n > 0) {
 			memmove(gw->buf, gw->buf + bytesdone, n);
-			gw->buf_bytes -= n;
+			gw->buf_bytes = n;
 		} else
 			gw->buf_bytes = 0;
-	} else {
-		gw->walk_bytes_remain -= bytesdone;
-		scatterwalk_unmap(&gw->walk);
-		scatterwalk_advance(&gw->walk, bytesdone);
-		scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain);
-	}
+	} else
+		_gcm_sg_unmap_and_advance(gw, bytesdone);
+
+	return bytesdone;
+}
+
+static int gcm_out_walk_done(struct gcm_sg_walk *gw, unsigned int bytesdone)
+{
+	int i, n;
+
+	if (gw->ptr == NULL)
+		return 0;
+
+	if (gw->ptr == gw->buf) {
+		for (i = 0; i < bytesdone; i += n) {
+			if (!_gcm_sg_clamp_and_map(gw))
+				return i;
+			n = min(gw->walk_bytes, bytesdone - i);
+			memcpy(gw->walk_ptr, gw->buf + i, n);
+			_gcm_sg_unmap_and_advance(gw, n);
+		}
+	} else
+		_gcm_sg_unmap_and_advance(gw, bytesdone);
+
+	return bytesdone;
 }
 
 static int gcm_aes_crypt(struct aead_request *req, unsigned int flags)
@@ -926,7 +989,7 @@ static int gcm_aes_crypt(struct aead_req
 	unsigned int pclen = req->cryptlen;
 	int ret = 0;
 
-	unsigned int len, in_bytes, out_bytes,
+	unsigned int n, len, in_bytes, out_bytes,
 		     min_bytes, bytes, aad_bytes, pc_bytes;
 	struct gcm_sg_walk gw_in, gw_out;
 	u8 tag[GHASH_DIGEST_SIZE];
@@ -963,14 +1026,14 @@ static int gcm_aes_crypt(struct aead_req
 	*(u32 *)(param.j0 + ivsize) = 1;
 	memcpy(param.k, ctx->key, ctx->key_len);
 
-	gcm_sg_walk_start(&gw_in, req->src, len);
-	gcm_sg_walk_start(&gw_out, req->dst, len);
+	gcm_walk_start(&gw_in, req->src, len);
+	gcm_walk_start(&gw_out, req->dst, len);
 
 	do {
 		min_bytes = min_t(unsigned int,
 				  aadlen > 0 ? aadlen : pclen, AES_BLOCK_SIZE);
-		in_bytes = gcm_sg_walk_go(&gw_in, min_bytes);
-		out_bytes = gcm_sg_walk_go(&gw_out, min_bytes);
+		in_bytes = gcm_in_walk_go(&gw_in, min_bytes);
+		out_bytes = gcm_out_walk_go(&gw_out, min_bytes);
 		bytes = min(in_bytes, out_bytes);
 
 		if (aadlen + pclen <= bytes) {
@@ -997,8 +1060,11 @@ static int gcm_aes_crypt(struct aead_req
 			  gw_in.ptr + aad_bytes, pc_bytes,
 			  gw_in.ptr, aad_bytes);
 
-		gcm_sg_walk_done(&gw_in, aad_bytes + pc_bytes);
-		gcm_sg_walk_done(&gw_out, aad_bytes + pc_bytes);
+		n = aad_bytes + pc_bytes;
+		if (gcm_in_walk_done(&gw_in, n) != n)
+			return -ENOMEM;
+		if (gcm_out_walk_done(&gw_out, n) != n)
+			return -ENOMEM;
 		aadlen -= aad_bytes;
 		pclen -= pc_bytes;
 	} while (aadlen + pclen > 0);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 33/85] s390/crypto: fix possible sleep during spinlock aquired
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 32/85] s390/crypto: fix gcm-aes-s390 selftest failures Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 34/85] KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of passthrough interrupts Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harald Freudenberger,
	Julian Wiedmann, Heiko Carstens

From: Harald Freudenberger <freude@linux.ibm.com>

commit 1c2c7029c008922d4d48902cc386250502e73d51 upstream.

This patch fixes a complain about possible sleep during
spinlock aquired
"BUG: sleeping function called from invalid context at
include/crypto/algapi.h:426"
for the ctr(aes) and ctr(des) s390 specific ciphers.

Instead of using a spinlock this patch introduces a mutex
which is save to be held in sleeping context. Please note
a deadlock is not possible as mutex_trylock() is used.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reported-by: Julian Wiedmann <jwi@linux.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/crypto/aes_s390.c |    8 ++++----
 arch/s390/crypto/des_s390.c |    7 ++++---
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/arch/s390/crypto/aes_s390.c
+++ b/arch/s390/crypto/aes_s390.c
@@ -27,14 +27,14 @@
 #include <linux/module.h>
 #include <linux/cpufeature.h>
 #include <linux/init.h>
-#include <linux/spinlock.h>
+#include <linux/mutex.h>
 #include <linux/fips.h>
 #include <linux/string.h>
 #include <crypto/xts.h>
 #include <asm/cpacf.h>
 
 static u8 *ctrblk;
-static DEFINE_SPINLOCK(ctrblk_lock);
+static DEFINE_MUTEX(ctrblk_lock);
 
 static cpacf_mask_t km_functions, kmc_functions, kmctr_functions,
 		    kma_functions;
@@ -698,7 +698,7 @@ static int ctr_aes_crypt(struct blkciphe
 	unsigned int n, nbytes;
 	int ret, locked;
 
-	locked = spin_trylock(&ctrblk_lock);
+	locked = mutex_trylock(&ctrblk_lock);
 
 	ret = blkcipher_walk_virt_block(desc, walk, AES_BLOCK_SIZE);
 	while ((nbytes = walk->nbytes) >= AES_BLOCK_SIZE) {
@@ -716,7 +716,7 @@ static int ctr_aes_crypt(struct blkciphe
 		ret = blkcipher_walk_done(desc, walk, nbytes - n);
 	}
 	if (locked)
-		spin_unlock(&ctrblk_lock);
+		mutex_unlock(&ctrblk_lock);
 	/*
 	 * final block may be < AES_BLOCK_SIZE, copy only nbytes
 	 */
--- a/arch/s390/crypto/des_s390.c
+++ b/arch/s390/crypto/des_s390.c
@@ -14,6 +14,7 @@
 #include <linux/cpufeature.h>
 #include <linux/crypto.h>
 #include <linux/fips.h>
+#include <linux/mutex.h>
 #include <crypto/algapi.h>
 #include <crypto/des.h>
 #include <asm/cpacf.h>
@@ -21,7 +22,7 @@
 #define DES3_KEY_SIZE	(3 * DES_KEY_SIZE)
 
 static u8 *ctrblk;
-static DEFINE_SPINLOCK(ctrblk_lock);
+static DEFINE_MUTEX(ctrblk_lock);
 
 static cpacf_mask_t km_functions, kmc_functions, kmctr_functions;
 
@@ -387,7 +388,7 @@ static int ctr_desall_crypt(struct blkci
 	unsigned int n, nbytes;
 	int ret, locked;
 
-	locked = spin_trylock(&ctrblk_lock);
+	locked = mutex_trylock(&ctrblk_lock);
 
 	ret = blkcipher_walk_virt_block(desc, walk, DES_BLOCK_SIZE);
 	while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) {
@@ -404,7 +405,7 @@ static int ctr_desall_crypt(struct blkci
 		ret = blkcipher_walk_done(desc, walk, nbytes - n);
 	}
 	if (locked)
-		spin_unlock(&ctrblk_lock);
+		mutex_unlock(&ctrblk_lock);
 	/* final block may be < DES_BLOCK_SIZE, copy only nbytes */
 	if (nbytes) {
 		cpacf_kmctr(fc, ctx->key, buf, walk->src.virt.addr,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 34/85] KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of passthrough interrupts
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 33/85] s390/crypto: fix possible sleep during spinlock aquired Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 35/85] KVM: PPC: Book3S HV: Fix lockdep warning when entering guest on POWER9 Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cédric Le Goater, Greg Kurz,
	Paul Mackerras

From: Cédric Le Goater <clg@kaod.org>

commit ef9740204051d0e00f5402fe96cf3a43ddd2bbbf upstream.

The passthrough interrupts are defined at the host level and their IRQ
data should not be cleared unless specifically deconfigured (shutdown)
by the host. They differ from the IPI interrupts which are allocated
by the XIVE KVM device and reserved to the guest usage only.

This fixes a host crash when destroying a VM in which a PCI adapter
was passed-through. In this case, the interrupt is cleared and freed
by the KVM device and then shutdown by vfio at the host level.

[ 1007.360265] BUG: Kernel NULL pointer dereference at 0x00000d00
[ 1007.360285] Faulting instruction address: 0xc00000000009da34
[ 1007.360296] Oops: Kernel access of bad area, sig: 7 [#1]
[ 1007.360303] LE PAGE_SIZE=64K MMU=Radix MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV
[ 1007.360314] Modules linked in: vhost_net vhost iptable_mangle ipt_MASQUERADE iptable_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 tun bridge stp llc kvm_hv kvm xt_tcpudp iptable_filter squashfs fuse binfmt_misc vmx_crypto ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi nfsd ip_tables x_tables autofs4 btrfs zstd_decompress zstd_compress lzo_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq multipath mlx5_ib ib_uverbs ib_core crc32c_vpmsum mlx5_core
[ 1007.360425] CPU: 9 PID: 15576 Comm: CPU 18/KVM Kdump: loaded Not tainted 5.1.0-gad7e7d0ef #4
[ 1007.360454] NIP:  c00000000009da34 LR: c00000000009e50c CTR: c00000000009e5d0
[ 1007.360482] REGS: c000007f24ccf330 TRAP: 0300   Not tainted  (5.1.0-gad7e7d0ef)
[ 1007.360500] MSR:  900000000280b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24002484  XER: 00000000
[ 1007.360532] CFAR: c00000000009da10 DAR: 0000000000000d00 DSISR: 00080000 IRQMASK: 1
[ 1007.360532] GPR00: c00000000009e62c c000007f24ccf5c0 c000000001510600 c000007fe7f947c0
[ 1007.360532] GPR04: 0000000000000d00 0000000000000000 0000000000000000 c000005eff02d200
[ 1007.360532] GPR08: 0000000000400000 0000000000000000 0000000000000000 fffffffffffffffd
[ 1007.360532] GPR12: c00000000009e5d0 c000007fffff7b00 0000000000000031 000000012c345718
[ 1007.360532] GPR16: 0000000000000000 0000000000000008 0000000000418004 0000000000040100
[ 1007.360532] GPR20: 0000000000000000 0000000008430000 00000000003c0000 0000000000000027
[ 1007.360532] GPR24: 00000000000000ff 0000000000000000 00000000000000ff c000007faa90d98c
[ 1007.360532] GPR28: c000007faa90da40 00000000000fe040 ffffffffffffffff c000007fe7f947c0
[ 1007.360689] NIP [c00000000009da34] xive_esb_read+0x34/0x120
[ 1007.360706] LR [c00000000009e50c] xive_do_source_set_mask.part.0+0x2c/0x50
[ 1007.360732] Call Trace:
[ 1007.360738] [c000007f24ccf5c0] [c000000000a6383c] snooze_loop+0x15c/0x270 (unreliable)
[ 1007.360775] [c000007f24ccf5f0] [c00000000009e62c] xive_irq_shutdown+0x5c/0xe0
[ 1007.360795] [c000007f24ccf630] [c00000000019e4a0] irq_shutdown+0x60/0xe0
[ 1007.360813] [c000007f24ccf660] [c000000000198c44] __free_irq+0x3a4/0x420
[ 1007.360831] [c000007f24ccf700] [c000000000198dc8] free_irq+0x78/0xe0
[ 1007.360849] [c000007f24ccf730] [c00000000096c5a8] vfio_msi_set_vector_signal+0xa8/0x350
[ 1007.360878] [c000007f24ccf7f0] [c00000000096c938] vfio_msi_set_block+0xe8/0x1e0
[ 1007.360899] [c000007f24ccf850] [c00000000096cae0] vfio_msi_disable+0xb0/0x110
[ 1007.360912] [c000007f24ccf8a0] [c00000000096cd04] vfio_pci_set_msi_trigger+0x1c4/0x3d0
[ 1007.360922] [c000007f24ccf910] [c00000000096d910] vfio_pci_set_irqs_ioctl+0xa0/0x170
[ 1007.360941] [c000007f24ccf930] [c00000000096b400] vfio_pci_disable+0x80/0x5e0
[ 1007.360963] [c000007f24ccfa10] [c00000000096b9bc] vfio_pci_release+0x5c/0x90
[ 1007.360991] [c000007f24ccfa40] [c000000000963a9c] vfio_device_fops_release+0x3c/0x70
[ 1007.361012] [c000007f24ccfa70] [c0000000003b5668] __fput+0xc8/0x2b0
[ 1007.361040] [c000007f24ccfac0] [c0000000001409b0] task_work_run+0x140/0x1b0
[ 1007.361059] [c000007f24ccfb20] [c000000000118f8c] do_exit+0x3ac/0xd00
[ 1007.361076] [c000007f24ccfc00] [c0000000001199b0] do_group_exit+0x60/0x100
[ 1007.361094] [c000007f24ccfc40] [c00000000012b514] get_signal+0x1a4/0x8f0
[ 1007.361112] [c000007f24ccfd30] [c000000000021cc8] do_notify_resume+0x1a8/0x430
[ 1007.361141] [c000007f24ccfe20] [c00000000000e444] ret_from_except_lite+0x70/0x74
[ 1007.361159] Instruction dump:
[ 1007.361175] 38422c00 e9230000 712a0004 41820010 548a2036 7d442378 78840020 71290020
[ 1007.361194] 4082004c e9230010 7c892214 7c0004ac <e9240000> 0c090000 4c00012c 792a0022

Cc: stable@vger.kernel.org # v4.12+
Fixes: 5af50993850a ("KVM: PPC: Book3S HV: Native usage of the XIVE interrupt controller")
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/book3s_xive.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kvm/book3s_xive.c
+++ b/arch/powerpc/kvm/book3s_xive.c
@@ -1786,7 +1786,6 @@ static void kvmppc_xive_cleanup_irq(u32
 {
 	xive_vm_esb_load(xd, XIVE_ESB_SET_PQ_01);
 	xive_native_configure_irq(hw_num, 0, MASKED, 0);
-	xive_cleanup_irq_data(xd);
 }
 
 static void kvmppc_xive_free_sources(struct kvmppc_xive_src_block *sb)
@@ -1800,9 +1799,10 @@ static void kvmppc_xive_free_sources(str
 			continue;
 
 		kvmppc_xive_cleanup_irq(state->ipi_number, &state->ipi_data);
+		xive_cleanup_irq_data(&state->ipi_data);
 		xive_native_free_irq(state->ipi_number);
 
-		/* Pass-through, cleanup too */
+		/* Pass-through, cleanup too but keep IRQ hw data */
 		if (state->pt_number)
 			kvmppc_xive_cleanup_irq(state->pt_number, state->pt_data);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 35/85] KVM: PPC: Book3S HV: Fix lockdep warning when entering guest on POWER9
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 34/85] KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of passthrough interrupts Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 36/85] KVM: PPC: Book3S HV: Restore SPRG3 in kvmhv_p9_guest_entry() Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Mackerras, Cédric Le Goater

From: Paul Mackerras <paulus@ozlabs.org>

commit 1b28d5531e446a87bbefa5ced191c4cbd316576c upstream.

Commit 3309bec85e60 ("KVM: PPC: Book3S HV: Fix lockdep warning when
entering the guest") moved calls to trace_hardirqs_{on,off} in the
entry path used for HPT guests.  Similar code exists in the new
streamlined entry path used for radix guests on POWER9.  This makes
the same change there, so as to avoid lockdep warnings such as this:

[  228.686461] DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled)
[  228.686480] WARNING: CPU: 116 PID: 3803 at ../kernel/locking/lockdep.c:4219 check_flags.part.23+0x21c/0x270
[  228.686544] Modules linked in: vhost_net vhost xt_CHECKSUM iptable_mangle xt_MASQUERADE iptable_nat nf_nat
+xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter
+ebtables ip6table_filter ip6_tables iptable_filter fuse kvm_hv kvm at24 ipmi_powernv regmap_i2c ipmi_devintf
+uio_pdrv_genirq ofpart ipmi_msghandler uio powernv_flash mtd ibmpowernv opal_prd ip_tables ext4 mbcache jbd2 btrfs
+zstd_decompress zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx libcrc32c xor
+raid6_pq raid1 raid0 ses sd_mod enclosure scsi_transport_sas ast i2c_opal i2c_algo_bit drm_kms_helper syscopyarea
+sysfillrect sysimgblt fb_sys_fops ttm drm i40e e1000e cxl aacraid tg3 drm_panel_orientation_quirks i2c_core
[  228.686859] CPU: 116 PID: 3803 Comm: qemu-system-ppc Kdump: loaded Not tainted 5.2.0-rc1-xive+ #42
[  228.686911] NIP:  c0000000001b394c LR: c0000000001b3948 CTR: c000000000bfad20
[  228.686963] REGS: c000200cdb50f570 TRAP: 0700   Not tainted  (5.2.0-rc1-xive+)
[  228.687001] MSR:  9000000002823033 <SF,HV,VEC,VSX,FP,ME,IR,DR,RI,LE>  CR: 48222222  XER: 20040000
[  228.687060] CFAR: c000000000116db0 IRQMASK: 1
[  228.687060] GPR00: c0000000001b3948 c000200cdb50f800 c0000000015e7600 000000000000002e
[  228.687060] GPR04: 0000000000000001 c0000000001c71a0 000000006e655f73 72727563284e4f5f
[  228.687060] GPR08: 0000200e60680000 0000000000000000 c000200cdb486180 0000000000000000
[  228.687060] GPR12: 0000000000002000 c000200fff61a680 0000000000000000 00007fffb75c0000
[  228.687060] GPR16: 0000000000000000 0000000000000000 c0000000017d6900 c000000001124900
[  228.687060] GPR20: 0000000000000074 c008000006916f68 0000000000000074 0000000000000074
[  228.687060] GPR24: ffffffffffffffff ffffffffffffffff 0000000000000003 c000200d4b600000
[  228.687060] GPR28: c000000001627e58 c000000001489908 c000000001627e58 c000000002304de0
[  228.687377] NIP [c0000000001b394c] check_flags.part.23+0x21c/0x270
[  228.687415] LR [c0000000001b3948] check_flags.part.23+0x218/0x270
[  228.687466] Call Trace:
[  228.687488] [c000200cdb50f800] [c0000000001b3948] check_flags.part.23+0x218/0x270 (unreliable)
[  228.687542] [c000200cdb50f870] [c0000000001b6548] lock_is_held_type+0x188/0x1c0
[  228.687595] [c000200cdb50f8d0] [c0000000001d939c] rcu_read_lock_sched_held+0xdc/0x100
[  228.687646] [c000200cdb50f900] [c0000000001dd704] rcu_note_context_switch+0x304/0x340
[  228.687701] [c000200cdb50f940] [c0080000068fcc58] kvmhv_run_single_vcpu+0xdb0/0x1120 [kvm_hv]
[  228.687756] [c000200cdb50fa20] [c0080000068fd5b0] kvmppc_vcpu_run_hv+0x5e8/0xe40 [kvm_hv]
[  228.687816] [c000200cdb50faf0] [c0080000071797dc] kvmppc_vcpu_run+0x34/0x48 [kvm]
[  228.687863] [c000200cdb50fb10] [c0080000071755dc] kvm_arch_vcpu_ioctl_run+0x244/0x420 [kvm]
[  228.687916] [c000200cdb50fba0] [c008000007165ccc] kvm_vcpu_ioctl+0x424/0x838 [kvm]
[  228.687957] [c000200cdb50fd10] [c000000000433a24] do_vfs_ioctl+0xd4/0xcd0
[  228.687995] [c000200cdb50fdb0] [c000000000434724] ksys_ioctl+0x104/0x120
[  228.688033] [c000200cdb50fe00] [c000000000434768] sys_ioctl+0x28/0x80
[  228.688072] [c000200cdb50fe20] [c00000000000b888] system_call+0x5c/0x70
[  228.688109] Instruction dump:
[  228.688142] 4bf6342d 60000000 0fe00000 e8010080 7c0803a6 4bfffe60 3c82ff87 3c62ff87
[  228.688196] 388472d0 3863d738 4bf63405 60000000 <0fe00000> 4bffff4c 3c82ff87 3c62ff87
[  228.688251] irq event stamp: 205
[  228.688287] hardirqs last  enabled at (205): [<c0080000068fc1b4>] kvmhv_run_single_vcpu+0x30c/0x1120 [kvm_hv]
[  228.688344] hardirqs last disabled at (204): [<c0080000068fbff0>] kvmhv_run_single_vcpu+0x148/0x1120 [kvm_hv]
[  228.688412] softirqs last  enabled at (180): [<c000000000c0b2ac>] __do_softirq+0x4ac/0x5d4
[  228.688464] softirqs last disabled at (169): [<c000000000122aa8>] irq_exit+0x1f8/0x210
[  228.688513] ---[ end trace eb16f6260022a812 ]---
[  228.688548] possible reason: unannotated irqs-off.
[  228.688571] irq event stamp: 205
[  228.688607] hardirqs last  enabled at (205): [<c0080000068fc1b4>] kvmhv_run_single_vcpu+0x30c/0x1120 [kvm_hv]
[  228.688664] hardirqs last disabled at (204): [<c0080000068fbff0>] kvmhv_run_single_vcpu+0x148/0x1120 [kvm_hv]
[  228.688719] softirqs last  enabled at (180): [<c000000000c0b2ac>] __do_softirq+0x4ac/0x5d4
[  228.688758] softirqs last disabled at (169): [<c000000000122aa8>] irq_exit+0x1f8/0x210

Cc: stable@vger.kernel.org # v4.20+
Fixes: 95a6432ce903 ("KVM: PPC: Book3S HV: Streamlined guest entry/exit path on P9 for radix guests")
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/book3s_hv.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -4048,16 +4048,20 @@ int kvmhv_run_single_vcpu(struct kvm_run
 	if (cpu_has_feature(CPU_FTR_HVMODE))
 		kvmppc_radix_check_need_tlb_flush(kvm, pcpu, nested);
 
-	trace_hardirqs_on();
 	guest_enter_irqoff();
 
 	srcu_idx = srcu_read_lock(&kvm->srcu);
 
 	this_cpu_disable_ftrace();
 
+	/* Tell lockdep that we're about to enable interrupts */
+	trace_hardirqs_on();
+
 	trap = kvmhv_p9_guest_entry(vcpu, time_limit, lpcr);
 	vcpu->arch.trap = trap;
 
+	trace_hardirqs_off();
+
 	this_cpu_enable_ftrace();
 
 	srcu_read_unlock(&kvm->srcu, srcu_idx);
@@ -4067,7 +4071,6 @@ int kvmhv_run_single_vcpu(struct kvm_run
 		isync();
 	}
 
-	trace_hardirqs_off();
 	set_irq_happened(trap);
 
 	kvmppc_set_host_core(pcpu);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 36/85] KVM: PPC: Book3S HV: Restore SPRG3 in kvmhv_p9_guest_entry()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 35/85] KVM: PPC: Book3S HV: Fix lockdep warning when entering guest on POWER9 Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 37/85] powerpc/perf: Fix MMCRA corruption by bhrb_filter Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suraj Jitindar Singh, Paul Mackerras

From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>

commit d724c9e54939a597592de3659541da11fc7aa112 upstream.

The sprgs are a set of 4 general purpose sprs provided for software use.
SPRG3 is special in that it can also be read from userspace. Thus it is
used on linux to store the cpu and numa id of the process to speed up
syscall access to this information.

This register is overwritten with the guest value on kvm guest entry,
and so needs to be restored on exit again. Thus restore the value on
the guest exit path in kvmhv_p9_guest_entry().

Cc: stable@vger.kernel.org # v4.20+
Fixes: 95a6432ce9038 ("KVM: PPC: Book3S HV: Streamlined guest entry/exit path on P9 for radix guests")

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/book3s_hv.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -3624,6 +3624,7 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu
 	vc->in_guest = 0;
 
 	mtspr(SPRN_DEC, local_paca->kvm_hstate.dec_expires - mftb());
+	mtspr(SPRN_SPRG_VDSO_WRITE, local_paca->sprg_vdso);
 
 	kvmhv_load_host_pmu();
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 37/85] powerpc/perf: Fix MMCRA corruption by bhrb_filter
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 36/85] KVM: PPC: Book3S HV: Restore SPRG3 in kvmhv_p9_guest_entry() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 38/85] powerpc/kexec: Fix loading of kernel + initramfs with kexec_file_load() Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ravi Bangoria, Madhavan Srinivasan,
	Michael Ellerman

From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>

commit 3202e35ec1c8fc19cea24253ff83edf702a60a02 upstream.

Consider a scenario where user creates two events:

  1st event:
    attr.sample_type |= PERF_SAMPLE_BRANCH_STACK;
    attr.branch_sample_type = PERF_SAMPLE_BRANCH_ANY;
    fd = perf_event_open(attr, 0, 1, -1, 0);

  This sets cpuhw->bhrb_filter to 0 and returns valid fd.

  2nd event:
    attr.sample_type |= PERF_SAMPLE_BRANCH_STACK;
    attr.branch_sample_type = PERF_SAMPLE_BRANCH_CALL;
    fd = perf_event_open(attr, 0, 1, -1, 0);

  It overrides cpuhw->bhrb_filter to -1 and returns with error.

Now if power_pmu_enable() gets called by any path other than
power_pmu_add(), ppmu->config_bhrb(-1) will set MMCRA to -1.

Fixes: 3925f46bb590 ("powerpc/perf: Enable branch stack sampling framework")
Cc: stable@vger.kernel.org # v3.10+
Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
Reviewed-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/perf/core-book3s.c |    6 ++++--
 arch/powerpc/perf/power8-pmu.c  |    3 +++
 arch/powerpc/perf/power9-pmu.c  |    3 +++
 3 files changed, 10 insertions(+), 2 deletions(-)

--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -1846,6 +1846,7 @@ static int power_pmu_event_init(struct p
 	int n;
 	int err;
 	struct cpu_hw_events *cpuhw;
+	u64 bhrb_filter;
 
 	if (!ppmu)
 		return -ENOENT;
@@ -1951,13 +1952,14 @@ static int power_pmu_event_init(struct p
 	err = power_check_constraints(cpuhw, events, cflags, n + 1);
 
 	if (has_branch_stack(event)) {
-		cpuhw->bhrb_filter = ppmu->bhrb_filter_map(
+		bhrb_filter = ppmu->bhrb_filter_map(
 					event->attr.branch_sample_type);
 
-		if (cpuhw->bhrb_filter == -1) {
+		if (bhrb_filter == -1) {
 			put_cpu_var(cpu_hw_events);
 			return -EOPNOTSUPP;
 		}
+		cpuhw->bhrb_filter = bhrb_filter;
 	}
 
 	put_cpu_var(cpu_hw_events);
--- a/arch/powerpc/perf/power8-pmu.c
+++ b/arch/powerpc/perf/power8-pmu.c
@@ -29,6 +29,7 @@ enum {
 #define	POWER8_MMCRA_IFM1		0x0000000040000000UL
 #define	POWER8_MMCRA_IFM2		0x0000000080000000UL
 #define	POWER8_MMCRA_IFM3		0x00000000C0000000UL
+#define	POWER8_MMCRA_BHRB_MASK		0x00000000C0000000UL
 
 /*
  * Raw event encoding for PowerISA v2.07 (Power8):
@@ -243,6 +244,8 @@ static u64 power8_bhrb_filter_map(u64 br
 
 static void power8_config_bhrb(u64 pmu_bhrb_filter)
 {
+	pmu_bhrb_filter &= POWER8_MMCRA_BHRB_MASK;
+
 	/* Enable BHRB filter in PMU */
 	mtspr(SPRN_MMCRA, (mfspr(SPRN_MMCRA) | pmu_bhrb_filter));
 }
--- a/arch/powerpc/perf/power9-pmu.c
+++ b/arch/powerpc/perf/power9-pmu.c
@@ -92,6 +92,7 @@ enum {
 #define POWER9_MMCRA_IFM1		0x0000000040000000UL
 #define POWER9_MMCRA_IFM2		0x0000000080000000UL
 #define POWER9_MMCRA_IFM3		0x00000000C0000000UL
+#define POWER9_MMCRA_BHRB_MASK		0x00000000C0000000UL
 
 /* Nasty Power9 specific hack */
 #define PVR_POWER9_CUMULUS		0x00002000
@@ -300,6 +301,8 @@ static u64 power9_bhrb_filter_map(u64 br
 
 static void power9_config_bhrb(u64 pmu_bhrb_filter)
 {
+	pmu_bhrb_filter &= POWER9_MMCRA_BHRB_MASK;
+
 	/* Enable BHRB filter in PMU */
 	mtspr(SPRN_MMCRA, (mfspr(SPRN_MMCRA) | pmu_bhrb_filter));
 }



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 38/85] powerpc/kexec: Fix loading of kernel + initramfs with kexec_file_load()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 37/85] powerpc/perf: Fix MMCRA corruption by bhrb_filter Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 39/85] ALSA: line6: Assure canceling delayed work at disconnection Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thiago Jung Bauermann, Dave Young,
	Michael Ellerman

From: Thiago Jung Bauermann <bauerman@linux.ibm.com>

commit 8b909e3548706cbebc0a676067b81aadda57f47e upstream.

Commit b6664ba42f14 ("s390, kexec_file: drop arch_kexec_mem_walk()")
changed kexec_add_buffer() to skip searching for a memory location if
kexec_buf.mem is already set, and use the address that is there.

In powerpc code we reuse a kexec_buf variable for loading both the
kernel and the initramfs by resetting some of the fields between those
uses, but not mem. This causes kexec_add_buffer() to try to load the
kernel at the same address where initramfs will be loaded, which is
naturally rejected:

  # kexec -s -l --initrd initramfs vmlinuz
  kexec_file_load failed: Invalid argument

Setting the mem field before every call to kexec_add_buffer() fixes
this regression.

Fixes: b6664ba42f14 ("s390, kexec_file: drop arch_kexec_mem_walk()")
Cc: stable@vger.kernel.org # v5.0+
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/kexec_elf_64.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/kexec_elf_64.c
+++ b/arch/powerpc/kernel/kexec_elf_64.c
@@ -547,6 +547,7 @@ static int elf_exec_load(struct kimage *
 		kbuf.memsz = phdr->p_memsz;
 		kbuf.buf_align = phdr->p_align;
 		kbuf.buf_min = phdr->p_paddr + base;
+		kbuf.mem = KEXEC_BUF_MEM_UNKNOWN;
 		ret = kexec_add_buffer(&kbuf);
 		if (ret)
 			goto out;
@@ -581,7 +582,8 @@ static void *elf64_load(struct kimage *i
 	struct kexec_buf kbuf = { .image = image, .buf_min = 0,
 				  .buf_max = ppc64_rma_size };
 	struct kexec_buf pbuf = { .image = image, .buf_min = 0,
-				  .buf_max = ppc64_rma_size, .top_down = true };
+				  .buf_max = ppc64_rma_size, .top_down = true,
+				  .mem = KEXEC_BUF_MEM_UNKNOWN };
 
 	ret = build_elf_exec_info(kernel_buf, kernel_len, &ehdr, &elf_info);
 	if (ret)
@@ -606,6 +608,7 @@ static void *elf64_load(struct kimage *i
 		kbuf.bufsz = kbuf.memsz = initrd_len;
 		kbuf.buf_align = PAGE_SIZE;
 		kbuf.top_down = false;
+		kbuf.mem = KEXEC_BUF_MEM_UNKNOWN;
 		ret = kexec_add_buffer(&kbuf);
 		if (ret)
 			goto out;
@@ -638,6 +641,7 @@ static void *elf64_load(struct kimage *i
 	kbuf.bufsz = kbuf.memsz = fdt_size;
 	kbuf.buf_align = PAGE_SIZE;
 	kbuf.top_down = true;
+	kbuf.mem = KEXEC_BUF_MEM_UNKNOWN;
 	ret = kexec_add_buffer(&kbuf);
 	if (ret)
 		goto out;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 39/85] ALSA: line6: Assure canceling delayed work at disconnection
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 38/85] powerpc/kexec: Fix loading of kernel + initramfs with kexec_file_load() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 40/85] ALSA: hda/realtek - Set default power save node to 0 Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+5255458d5e0a2b10bbb9, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 0b074ab7fc0d575247b9cc9f93bb7e007ca38840 upstream.

The current code performs the cancel of a delayed work at the late
stage of disconnection procedure, which may lead to the access to the
already cleared state.

This patch assures to call cancel_delayed_work_sync() at the beginning
of the disconnection procedure for avoiding that race.  The delayed
work object is now assigned in the common line6 object instead of its
derivative, so that we can call cancel_delayed_work_sync().

Along with the change, the startup function is called via the new
callback instead.  This will make it easier to port other LINE6
drivers to use the delayed work for startup in later patches.

Reported-by: syzbot+5255458d5e0a2b10bbb9@syzkaller.appspotmail.com
Fixes: 7f84ff68be05 ("ALSA: line6: toneport: Fix broken usage of timer for delayed execution")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/line6/driver.c   |   12 ++++++++++++
 sound/usb/line6/driver.h   |    4 ++++
 sound/usb/line6/toneport.c |   15 +++------------
 3 files changed, 19 insertions(+), 12 deletions(-)

--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -720,6 +720,15 @@ static int line6_init_cap_control(struct
 	return 0;
 }
 
+static void line6_startup_work(struct work_struct *work)
+{
+	struct usb_line6 *line6 =
+		container_of(work, struct usb_line6, startup_work.work);
+
+	if (line6->startup)
+		line6->startup(line6);
+}
+
 /*
 	Probe USB device.
 */
@@ -755,6 +764,7 @@ int line6_probe(struct usb_interface *in
 	line6->properties = properties;
 	line6->usbdev = usbdev;
 	line6->ifcdev = &interface->dev;
+	INIT_DELAYED_WORK(&line6->startup_work, line6_startup_work);
 
 	strcpy(card->id, properties->id);
 	strcpy(card->driver, driver_name);
@@ -825,6 +835,8 @@ void line6_disconnect(struct usb_interfa
 	if (WARN_ON(usbdev != line6->usbdev))
 		return;
 
+	cancel_delayed_work(&line6->startup_work);
+
 	if (line6->urb_listen != NULL)
 		line6_stop_listen(line6);
 
--- a/sound/usb/line6/driver.h
+++ b/sound/usb/line6/driver.h
@@ -178,11 +178,15 @@ struct usb_line6 {
 			fifo;
 	} messages;
 
+	/* Work for delayed PCM startup */
+	struct delayed_work startup_work;
+
 	/* If MIDI is supported, buffer_message contains the pre-processed data;
 	 * otherwise the data is only in urb_listen (buffer_incoming).
 	 */
 	void (*process_message)(struct usb_line6 *);
 	void (*disconnect)(struct usb_line6 *line6);
+	void (*startup)(struct usb_line6 *line6);
 };
 
 extern char *line6_alloc_sysex_buffer(struct usb_line6 *line6, int code1,
--- a/sound/usb/line6/toneport.c
+++ b/sound/usb/line6/toneport.c
@@ -54,9 +54,6 @@ struct usb_line6_toneport {
 	/* Firmware version (x 100) */
 	u8 firmware_version;
 
-	/* Work for delayed PCM startup */
-	struct delayed_work pcm_work;
-
 	/* Device type */
 	enum line6_device_type type;
 
@@ -241,12 +238,8 @@ static int snd_toneport_source_put(struc
 	return 1;
 }
 
-static void toneport_start_pcm(struct work_struct *work)
+static void toneport_startup(struct usb_line6 *line6)
 {
-	struct usb_line6_toneport *toneport =
-		container_of(work, struct usb_line6_toneport, pcm_work.work);
-	struct usb_line6 *line6 = &toneport->line6;
-
 	line6_pcm_acquire(line6->line6pcm, LINE6_STREAM_MONITOR, true);
 }
 
@@ -394,7 +387,7 @@ static int toneport_setup(struct usb_lin
 	if (toneport_has_led(toneport))
 		toneport_update_led(toneport);
 
-	schedule_delayed_work(&toneport->pcm_work,
+	schedule_delayed_work(&toneport->line6.startup_work,
 			      msecs_to_jiffies(TONEPORT_PCM_DELAY * 1000));
 	return 0;
 }
@@ -407,8 +400,6 @@ static void line6_toneport_disconnect(st
 	struct usb_line6_toneport *toneport =
 		(struct usb_line6_toneport *)line6;
 
-	cancel_delayed_work_sync(&toneport->pcm_work);
-
 	if (toneport_has_led(toneport))
 		toneport_remove_leds(toneport);
 }
@@ -424,9 +415,9 @@ static int toneport_init(struct usb_line
 	struct usb_line6_toneport *toneport =  (struct usb_line6_toneport *) line6;
 
 	toneport->type = id->driver_info;
-	INIT_DELAYED_WORK(&toneport->pcm_work, toneport_start_pcm);
 
 	line6->disconnect = line6_toneport_disconnect;
+	line6->startup = toneport_startup;
 
 	/* initialize PCM subsystem: */
 	err = line6_init_pcm(line6, &toneport_pcm_properties);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 40/85] ALSA: hda/realtek - Set default power save node to 0
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 39/85] ALSA: line6: Assure canceling delayed work at disconnection Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 41/85] ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit 317d9313925cd8388304286c0d3c8dda7f060a2d upstream.

I measured power consumption between power_save_node=1 and power_save_node=0.
It's almost the same.
Codec will enter to runtime suspend and suspend.
That pin also will enter to D3. Don't need to enter to D3 by single pin.
So, Disable power_save_node as default. It will avoid more issues.
Windows Driver also has not this option at runtime PM.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7654,7 +7654,7 @@ static int patch_alc269(struct hda_codec
 
 	spec = codec->spec;
 	spec->gen.shared_mic_vref_pin = 0x18;
-	codec->power_save_node = 1;
+	codec->power_save_node = 0;
 
 #ifdef CONFIG_PM
 	codec->patch_ops.suspend = alc269_suspend;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 41/85] ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 40/85] ALSA: hda/realtek - Set default power save node to 0 Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 42/85] KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Chiu, Daniel Drake,
	Kailang Yang, Hui Wang, Takashi Iwai

From: Hui Wang <hui.wang@canonical.com>

commit 9cb40eb184c4220d244a532bd940c6345ad9dbd9 upstream.

We met another Acer Aspire laptop which has the problem on the
headset-mic, the Pin 0x19 is not set the corret configuration for a
mic and the pin presence can't be detected too after plugging a
headset. Kailang suggested that we should set the coeff to enable the
mic and apply the ALC269_FIXUP_LIFEBOOK_EXTMIC. After doing that,
both headset-mic presence and headset-mic work well.

The existing ALC255_FIXUP_ACER_MIC_NO_PRESENCE set the headset-mic
jack to be a phantom jack. Now since the jack can support presence
unsol event, let us imporve it to set the jack to be a normal jack.

https://bugs.launchpad.net/bugs/1821269
Fixes: 5824ce8de7b1c ("ALSA: hda/realtek - Add support for Acer Aspire E5-475 headset mic")
Cc: Chris Chiu <chiu@endlessm.com>
CC: Daniel Drake <drake@endlessm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Kailang Yang <kailang@realtek.com>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6166,13 +6166,15 @@ static const struct hda_fixup alc269_fix
 		.chain_id = ALC269_FIXUP_THINKPAD_ACPI,
 	},
 	[ALC255_FIXUP_ACER_MIC_NO_PRESENCE] = {
-		.type = HDA_FIXUP_PINS,
-		.v.pins = (const struct hda_pintbl[]) {
-			{ 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */
-			{ }
+		.type = HDA_FIXUP_VERBS,
+		.v.verbs = (const struct hda_verb[]) {
+			/* Enable the Mic */
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x45 },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x5089 },
+			{}
 		},
 		.chained = true,
-		.chain_id = ALC255_FIXUP_HEADSET_MODE
+		.chain_id = ALC269_FIXUP_LIFEBOOK_EXTMIC
 	},
 	[ALC255_FIXUP_ASUS_MIC_NO_PRESENCE] = {
 		.type = HDA_FIXUP_PINS,
@@ -7218,6 +7220,10 @@ static const struct snd_hda_pin_quirk al
 		{0x19, 0x0181303F},
 		{0x21, 0x0221102f}),
 	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1025, "Acer", ALC255_FIXUP_ACER_MIC_NO_PRESENCE,
+		{0x12, 0x90a60140},
+		{0x14, 0x90170120},
+		{0x21, 0x02211030}),
+	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1025, "Acer", ALC255_FIXUP_ACER_MIC_NO_PRESENCE,
 		{0x12, 0x90a601c0},
 		{0x14, 0x90171120},
 		{0x21, 0x02211030}),



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 42/85] KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 41/85] ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 43/85] drm/nouveau/i2c: Disable i2c bus access after ->fini() Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Jones, Cornelia Huck,
	David Hildenbrand, Thomas Huth, Christian Borntraeger

From: Thomas Huth <thuth@redhat.com>

commit a86cb413f4bf273a9d341a3ab2c2ca44e12eb317 upstream.

KVM_CAP_MAX_VCPU_ID is currently always reporting KVM_MAX_VCPU_ID on all
architectures. However, on s390x, the amount of usable CPUs is determined
during runtime - it is depending on the features of the machine the code
is running on. Since we are using the vcpu_id as an index into the SCA
structures that are defined by the hardware (see e.g. the sca_add_vcpu()
function), it is not only the amount of CPUs that is limited by the hard-
ware, but also the range of IDs that we can use.
Thus KVM_CAP_MAX_VCPU_ID must be determined during runtime on s390x, too.
So the handling of KVM_CAP_MAX_VCPU_ID has to be moved from the common
code into the architecture specific code, and on s390x we have to return
the same value here as for KVM_CAP_MAX_VCPUS.
This problem has been discovered with the kvm_create_max_vcpus selftest.
With this change applied, the selftest now passes on s390x, too.

Reviewed-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190523164309.13345-9-thuth@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 arch/mips/kvm/mips.c       |    3 +++
 arch/powerpc/kvm/powerpc.c |    3 +++
 arch/s390/kvm/kvm-s390.c   |    1 +
 arch/x86/kvm/x86.c         |    3 +++
 virt/kvm/arm/arm.c         |    3 +++
 virt/kvm/kvm_main.c        |    2 --
 6 files changed, 13 insertions(+), 2 deletions(-)

--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -1122,6 +1122,9 @@ int kvm_vm_ioctl_check_extension(struct
 	case KVM_CAP_MAX_VCPUS:
 		r = KVM_MAX_VCPUS;
 		break;
+	case KVM_CAP_MAX_VCPU_ID:
+		r = KVM_MAX_VCPU_ID;
+		break;
 	case KVM_CAP_MIPS_FPU:
 		/* We don't handle systems with inconsistent cpu_has_fpu */
 		r = !!raw_cpu_has_fpu;
--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -650,6 +650,9 @@ int kvm_vm_ioctl_check_extension(struct
 	case KVM_CAP_MAX_VCPUS:
 		r = KVM_MAX_VCPUS;
 		break;
+	case KVM_CAP_MAX_VCPU_ID:
+		r = KVM_MAX_VCPU_ID;
+		break;
 #ifdef CONFIG_PPC_BOOK3S_64
 	case KVM_CAP_PPC_GET_SMMU_INFO:
 		r = 1;
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -507,6 +507,7 @@ int kvm_vm_ioctl_check_extension(struct
 		break;
 	case KVM_CAP_NR_VCPUS:
 	case KVM_CAP_MAX_VCPUS:
+	case KVM_CAP_MAX_VCPU_ID:
 		r = KVM_S390_BSCA_CPU_SLOTS;
 		if (!kvm_s390_use_sca_entries())
 			r = KVM_MAX_VCPUS;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3090,6 +3090,9 @@ int kvm_vm_ioctl_check_extension(struct
 	case KVM_CAP_MAX_VCPUS:
 		r = KVM_MAX_VCPUS;
 		break;
+	case KVM_CAP_MAX_VCPU_ID:
+		r = KVM_MAX_VCPU_ID;
+		break;
 	case KVM_CAP_NR_MEMSLOTS:
 		r = KVM_USER_MEM_SLOTS;
 		break;
--- a/virt/kvm/arm/arm.c
+++ b/virt/kvm/arm/arm.c
@@ -224,6 +224,9 @@ int kvm_vm_ioctl_check_extension(struct
 	case KVM_CAP_MAX_VCPUS:
 		r = KVM_MAX_VCPUS;
 		break;
+	case KVM_CAP_MAX_VCPU_ID:
+		r = KVM_MAX_VCPU_ID;
+		break;
 	case KVM_CAP_NR_MEMSLOTS:
 		r = KVM_USER_MEM_SLOTS;
 		break;
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3062,8 +3062,6 @@ static long kvm_vm_ioctl_check_extension
 	case KVM_CAP_MULTI_ADDRESS_SPACE:
 		return KVM_ADDRESS_SPACE_NUM;
 #endif
-	case KVM_CAP_MAX_VCPU_ID:
-		return KVM_MAX_VCPU_ID;
 	default:
 		break;
 	}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 43/85] drm/nouveau/i2c: Disable i2c bus access after ->fini()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 42/85] KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 44/85] i2c: mlxcpld: Fix wrong initialization order in probe Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lyude Paul, Ben Skeggs

From: Lyude Paul <lyude@redhat.com>

commit 342406e4fbba9a174125fbfe6aeac3d64ef90f76 upstream.

For a while, we've had the problem of i2c bus access not grabbing
a runtime PM ref when it's being used in userspace by i2c-dev, resulting
in nouveau spamming the kernel log with errors if anything attempts to
access the i2c bus while the GPU is in runtime suspend. An example:

[  130.078386] nouveau 0000:01:00.0: i2c: aux 000d: begin idle timeout ffffffff

Since the GPU is in runtime suspend, the MMIO region that the i2c bus is
on isn't accessible. On x86, the standard behavior for accessing an
unavailable MMIO region is to just return ~0.

Except, that turned out to be a lie. While computers with a clean
concious will return ~0 in this scenario, some machines will actually
completely hang a CPU on certian bad MMIO accesses. This was witnessed
with someone's Lenovo ThinkPad P50, where sensors-detect attempting to
access the i2c bus while the GPU was suspended would result in a CPU
hang:

  CPU: 5 PID: 12438 Comm: sensors-detect Not tainted 5.0.0-0.rc4.git3.1.fc30.x86_64 #1
  Hardware name: LENOVO 20EQS64N17/20EQS64N17, BIOS N1EET74W (1.47 ) 11/21/2017
  RIP: 0010:ioread32+0x2b/0x30
  Code: 81 ff ff ff 03 00 77 20 48 81 ff 00 00 01 00 76 05 0f b7 d7 ed c3
  48 c7 c6 e1 0c 36 96 e8 2d ff ff ff b8 ff ff ff ff c3 8b 07 <c3> 0f 1f
  40 00 49 89 f0 48 81 fe ff ff 03 00 76 04 40 88 3e c3 48
  RSP: 0018:ffffaac3c5007b48 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13
  RAX: 0000000001111000 RBX: 0000000001111000 RCX: 0000043017a97186
  RDX: 0000000000000aaa RSI: 0000000000000005 RDI: ffffaac3c400e4e4
  RBP: ffff9e6443902c00 R08: ffffaac3c400e4e4 R09: ffffaac3c5007be7
  R10: 0000000000000004 R11: 0000000000000001 R12: ffff9e6445dd0000
  R13: 000000000000e4e4 R14: 00000000000003c4 R15: 0000000000000000
  FS:  00007f253155a740(0000) GS:ffff9e644f600000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00005630d1500358 CR3: 0000000417c44006 CR4: 00000000003606e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   g94_i2c_aux_xfer+0x326/0x850 [nouveau]
   nvkm_i2c_aux_i2c_xfer+0x9e/0x140 [nouveau]
   __i2c_transfer+0x14b/0x620
   i2c_smbus_xfer_emulated+0x159/0x680
   ? _raw_spin_unlock_irqrestore+0x1/0x60
   ? rt_mutex_slowlock.constprop.0+0x13d/0x1e0
   ? __lock_is_held+0x59/0xa0
   __i2c_smbus_xfer+0x138/0x5a0
   i2c_smbus_xfer+0x4f/0x80
   i2cdev_ioctl_smbus+0x162/0x2d0 [i2c_dev]
   i2cdev_ioctl+0x1db/0x2c0 [i2c_dev]
   do_vfs_ioctl+0x408/0x750
   ksys_ioctl+0x5e/0x90
   __x64_sys_ioctl+0x16/0x20
   do_syscall_64+0x60/0x1e0
   entry_SYSCALL_64_after_hwframe+0x49/0xbe
  RIP: 0033:0x7f25317f546b
  Code: 0f 1e fa 48 8b 05 1d da 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff
  ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01
  f0 ff ff 73 01 c3 48 8b 0d ed d9 0c 00 f7 d8 64 89 01 48
  RSP: 002b:00007ffc88caab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  RAX: ffffffffffffffda RBX: 00005630d0fe7260 RCX: 00007f25317f546b
  RDX: 00005630d1598e80 RSI: 0000000000000720 RDI: 0000000000000003
  RBP: 00005630d155b968 R08: 0000000000000001 R09: 00005630d15a1da0
  R10: 0000000000000070 R11: 0000000000000246 R12: 00005630d1598e80
  R13: 00005630d12f3d28 R14: 0000000000000720 R15: 00005630d12f3ce0
  watchdog: BUG: soft lockup - CPU#5 stuck for 23s! [sensors-detect:12438]

Yikes! While I wanted to try to make it so that accessing an i2c bus on
nouveau would wake up the GPU as needed, airlied pointed out that pretty
much any usecase for userspace accessing an i2c bus on a GPU (mainly for
the DDC brightness control that some displays have) is going to only be
useful while there's at least one display enabled on the GPU anyway, and
the GPU never sleeps while there's displays running.

Since teaching the i2c bus to wake up the GPU on userspace accesses is a
good deal more difficult than it might seem, mostly due to the fact that
we have to use the i2c bus during runtime resume of the GPU, we instead
opt for the easiest solution: don't let userspace access i2c busses on
the GPU at all while it's in runtime suspend.

Changes since v1:
* Also disable i2c busses that run over DP AUX

Signed-off-by: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h |    2 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c     |   26 +++++++++++++++++++++-
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h     |    2 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c    |   15 ++++++++++++
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c     |   21 ++++++++++++++++-
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h     |    1 
 6 files changed, 65 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h
+++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h
@@ -38,6 +38,7 @@ struct nvkm_i2c_bus {
 	struct mutex mutex;
 	struct list_head head;
 	struct i2c_adapter i2c;
+	u8 enabled;
 };
 
 int nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *);
@@ -57,6 +58,7 @@ struct nvkm_i2c_aux {
 	struct mutex mutex;
 	struct list_head head;
 	struct i2c_adapter i2c;
+	u8 enabled;
 
 	u32 intr;
 };
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
@@ -105,9 +105,15 @@ nvkm_i2c_aux_acquire(struct nvkm_i2c_aux
 {
 	struct nvkm_i2c_pad *pad = aux->pad;
 	int ret;
+
 	AUX_TRACE(aux, "acquire");
 	mutex_lock(&aux->mutex);
-	ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX);
+
+	if (aux->enabled)
+		ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX);
+	else
+		ret = -EIO;
+
 	if (ret)
 		mutex_unlock(&aux->mutex);
 	return ret;
@@ -145,6 +151,24 @@ nvkm_i2c_aux_del(struct nvkm_i2c_aux **p
 	}
 }
 
+void
+nvkm_i2c_aux_init(struct nvkm_i2c_aux *aux)
+{
+	AUX_TRACE(aux, "init");
+	mutex_lock(&aux->mutex);
+	aux->enabled = true;
+	mutex_unlock(&aux->mutex);
+}
+
+void
+nvkm_i2c_aux_fini(struct nvkm_i2c_aux *aux)
+{
+	AUX_TRACE(aux, "fini");
+	mutex_lock(&aux->mutex);
+	aux->enabled = false;
+	mutex_unlock(&aux->mutex);
+}
+
 int
 nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *func,
 		  struct nvkm_i2c_pad *pad, int id,
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h
@@ -16,6 +16,8 @@ int nvkm_i2c_aux_ctor(const struct nvkm_
 int nvkm_i2c_aux_new_(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *,
 		      int id, struct nvkm_i2c_aux **);
 void nvkm_i2c_aux_del(struct nvkm_i2c_aux **);
+void nvkm_i2c_aux_init(struct nvkm_i2c_aux *);
+void nvkm_i2c_aux_fini(struct nvkm_i2c_aux *);
 int nvkm_i2c_aux_xfer(struct nvkm_i2c_aux *, bool retry, u8 type,
 		      u32 addr, u8 *data, u8 *size);
 
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c
@@ -160,8 +160,18 @@ nvkm_i2c_fini(struct nvkm_subdev *subdev
 {
 	struct nvkm_i2c *i2c = nvkm_i2c(subdev);
 	struct nvkm_i2c_pad *pad;
+	struct nvkm_i2c_bus *bus;
+	struct nvkm_i2c_aux *aux;
 	u32 mask;
 
+	list_for_each_entry(aux, &i2c->aux, head) {
+		nvkm_i2c_aux_fini(aux);
+	}
+
+	list_for_each_entry(bus, &i2c->bus, head) {
+		nvkm_i2c_bus_fini(bus);
+	}
+
 	if ((mask = (1 << i2c->func->aux) - 1), i2c->func->aux_stat) {
 		i2c->func->aux_mask(i2c, NVKM_I2C_ANY, mask, 0);
 		i2c->func->aux_stat(i2c, &mask, &mask, &mask, &mask);
@@ -180,6 +190,7 @@ nvkm_i2c_init(struct nvkm_subdev *subdev
 	struct nvkm_i2c *i2c = nvkm_i2c(subdev);
 	struct nvkm_i2c_bus *bus;
 	struct nvkm_i2c_pad *pad;
+	struct nvkm_i2c_aux *aux;
 
 	list_for_each_entry(pad, &i2c->pad, head) {
 		nvkm_i2c_pad_init(pad);
@@ -189,6 +200,10 @@ nvkm_i2c_init(struct nvkm_subdev *subdev
 		nvkm_i2c_bus_init(bus);
 	}
 
+	list_for_each_entry(aux, &i2c->aux, head) {
+		nvkm_i2c_aux_init(aux);
+	}
+
 	return 0;
 }
 
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c
@@ -110,6 +110,19 @@ nvkm_i2c_bus_init(struct nvkm_i2c_bus *b
 	BUS_TRACE(bus, "init");
 	if (bus->func->init)
 		bus->func->init(bus);
+
+	mutex_lock(&bus->mutex);
+	bus->enabled = true;
+	mutex_unlock(&bus->mutex);
+}
+
+void
+nvkm_i2c_bus_fini(struct nvkm_i2c_bus *bus)
+{
+	BUS_TRACE(bus, "fini");
+	mutex_lock(&bus->mutex);
+	bus->enabled = false;
+	mutex_unlock(&bus->mutex);
 }
 
 void
@@ -126,9 +139,15 @@ nvkm_i2c_bus_acquire(struct nvkm_i2c_bus
 {
 	struct nvkm_i2c_pad *pad = bus->pad;
 	int ret;
+
 	BUS_TRACE(bus, "acquire");
 	mutex_lock(&bus->mutex);
-	ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C);
+
+	if (bus->enabled)
+		ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C);
+	else
+		ret = -EIO;
+
 	if (ret)
 		mutex_unlock(&bus->mutex);
 	return ret;
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h
@@ -18,6 +18,7 @@ int nvkm_i2c_bus_new_(const struct nvkm_
 		      int id, struct nvkm_i2c_bus **);
 void nvkm_i2c_bus_del(struct nvkm_i2c_bus **);
 void nvkm_i2c_bus_init(struct nvkm_i2c_bus *);
+void nvkm_i2c_bus_fini(struct nvkm_i2c_bus *);
 
 int nvkm_i2c_bit_xfer(struct nvkm_i2c_bus *, struct i2c_msg *, int);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 44/85] i2c: mlxcpld: Fix wrong initialization order in probe
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 43/85] drm/nouveau/i2c: Disable i2c bus access after ->fini() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 45/85] i2c: synquacer: fix synquacer_i2c_doxfer() return value Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vadim Pasternak, Wolfram Sang, stable

From: Vadim Pasternak <vadimp@mellanox.com>

commit 13067ef73f337336e3149f5bb9f3fd05fe7f87a0 upstream.

Fix wrong order in probing routine initialization - field `base_addr'
is used before it's initialized. Move assignment of 'priv->base_addr`
to the beginning, prior the call to mlxcpld_i2c_read_comm().
Wrong order caused the first read of capability register to be executed
at wrong offset 0x0 instead of 0x2000. By chance it was a "good
garbage" at 0x0 offset.

Fixes: 313ce648b5a4 ("i2c: mlxcpld: Add support for extended transaction length for i2c-mlxcpld")
Signed-off-by: Vadim Pasternak <vadimp@mellanox.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/busses/i2c-mlxcpld.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-mlxcpld.c
+++ b/drivers/i2c/busses/i2c-mlxcpld.c
@@ -503,6 +503,7 @@ static int mlxcpld_i2c_probe(struct plat
 	platform_set_drvdata(pdev, priv);
 
 	priv->dev = &pdev->dev;
+	priv->base_addr = MLXPLAT_CPLD_LPC_I2C_BASE_ADDR;
 
 	/* Register with i2c layer */
 	mlxcpld_i2c_adapter.timeout = usecs_to_jiffies(MLXCPLD_I2C_XFER_TO);
@@ -518,7 +519,6 @@ static int mlxcpld_i2c_probe(struct plat
 		mlxcpld_i2c_adapter.nr = pdev->id;
 	priv->adap = mlxcpld_i2c_adapter;
 	priv->adap.dev.parent = &pdev->dev;
-	priv->base_addr = MLXPLAT_CPLD_LPC_I2C_BASE_ADDR;
 	i2c_set_adapdata(&priv->adap, priv);
 
 	err = i2c_add_numbered_adapter(&priv->adap);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 45/85] i2c: synquacer: fix synquacer_i2c_doxfer() return value
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 44/85] i2c: mlxcpld: Fix wrong initialization order in probe Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 46/85] tty: serial: msm_serial: Fix XON/XOFF Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Okamoto Satoru, Masahisa Kojima,
	Ard Biesheuvel, Wolfram Sang

From: Masahisa Kojima <masahisa.kojima@linaro.org>

commit ff9378904d9d7a3fcb8406604e089e535e357b1d upstream.

master_xfer should return the number of messages successfully
processed.

Fixes: 0d676a6c4390 ("i2c: add support for Socionext SynQuacer I2C controller")
Cc: <stable@vger.kernel.org> # v4.19+
Signed-off-by: Okamoto Satoru <okamoto.satoru@socionext.com>
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/busses/i2c-synquacer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-synquacer.c
+++ b/drivers/i2c/busses/i2c-synquacer.c
@@ -351,7 +351,7 @@ static int synquacer_i2c_doxfer(struct s
 	/* wait 2 clock periods to ensure the stop has been through the bus */
 	udelay(DIV_ROUND_UP(2 * 1000, i2c->speed_khz));
 
-	return 0;
+	return ret;
 }
 
 static irqreturn_t synquacer_i2c_isr(int irq, void *dev_id)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 46/85] tty: serial: msm_serial: Fix XON/XOFF
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 45/85] i2c: synquacer: fix synquacer_i2c_doxfer() return value Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 47/85] tty: max310x: Fix external crystal register setup Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jorge Ramirez-Ortiz, Bjorn Andersson,
	Stephen Boyd

From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>

commit 61c0e37950b88bad590056286c1d766b1f167f4e upstream.

When the tty layer requests the uart to throttle, the current code
executing in msm_serial will trigger "Bad mode in Error Handler" and
generate an invalid stack frame in pstore before rebooting (that is if
pstore is indeed configured: otherwise the user shall just notice a
reboot with no further information dumped to the console).

This patch replaces the PIO byte accessor with the word accessor
already used in PIO mode.

Fixes: 68252424a7c7 ("tty: serial: msm: Support big-endian CPUs")
Cc: stable@vger.kernel.org
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/msm_serial.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/msm_serial.c
+++ b/drivers/tty/serial/msm_serial.c
@@ -860,6 +860,7 @@ static void msm_handle_tx(struct uart_po
 	struct circ_buf *xmit = &msm_port->uart.state->xmit;
 	struct msm_dma *dma = &msm_port->tx_dma;
 	unsigned int pio_count, dma_count, dma_min;
+	char buf[4] = { 0 };
 	void __iomem *tf;
 	int err = 0;
 
@@ -869,10 +870,12 @@ static void msm_handle_tx(struct uart_po
 		else
 			tf = port->membase + UART_TF;
 
+		buf[0] = port->x_char;
+
 		if (msm_port->is_uartdm)
 			msm_reset_dm_count(port, 1);
 
-		iowrite8_rep(tf, &port->x_char, 1);
+		iowrite32_rep(tf, buf, 1);
 		port->icount.tx++;
 		port->x_char = 0;
 		return;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 47/85] tty: max310x: Fix external crystal register setup
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 46/85] tty: serial: msm_serial: Fix XON/XOFF Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 48/85] mm, memcg: consider subtrees in memory.events Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joe Burmeister

From: Joe Burmeister <joe.burmeister@devtank.co.uk>

commit 5d24f455c182d5116dd5db8e1dc501115ecc9c2c upstream.

The datasheet states:

  Bit 4: ClockEnSet the ClockEn bit high to enable an external clocking
(crystal or clock generator at XIN). Set the ClockEn bit to 0 to disable
clocking
  Bit 1: CrystalEnSet the CrystalEn bit high to enable the crystal
oscillator. When using an external clock source at XIN, CrystalEn must
be set low.

The bit 4, MAX310X_CLKSRC_EXTCLK_BIT, should be set and was not.

This was required to make the MAX3107 with an external crystal on our
board able to send or receive data.

Signed-off-by: Joe Burmeister <joe.burmeister@devtank.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/max310x.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -581,7 +581,7 @@ static int max310x_set_ref_clk(struct de
 	}
 
 	/* Configure clock source */
-	clksrc = xtal ? MAX310X_CLKSRC_CRYST_BIT : MAX310X_CLKSRC_EXTCLK_BIT;
+	clksrc = MAX310X_CLKSRC_EXTCLK_BIT | (xtal ? MAX310X_CLKSRC_CRYST_BIT : 0);
 
 	/* Configure PLL */
 	if (pllcfg) {



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 48/85] mm, memcg: consider subtrees in memory.events
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 47/85] tty: max310x: Fix external crystal register setup Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 49/85] memcg: make it work on sparse non-0-node systems Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Down, Johannes Weiner,
	Shakeel Butt, Michal Hocko, Tejun Heo, Roman Gushchin,
	Dennis Zhou, Suren Baghdasaryan, Andrew Morton, Linus Torvalds

From: Chris Down <chris@chrisdown.name>

commit 9852ae3fe5293264f01c49f2571ef7688f7823ce upstream.

memory.stat and other files already consider subtrees in their output, and
we should too in order to not present an inconsistent interface.

The current situation is fairly confusing, because people interacting with
cgroups expect hierarchical behaviour in the vein of memory.stat,
cgroup.events, and other files.  For example, this causes confusion when
debugging reclaim events under low, as currently these always read "0" at
non-leaf memcg nodes, which frequently causes people to misdiagnose breach
behaviour.  The same confusion applies to other counters in this file when
debugging issues.

Aggregation is done at write time instead of at read-time since these
counters aren't hot (unlike memory.stat which is per-page, so it does it
at read time), and it makes sense to bundle this with the file
notifications.

After this patch, events are propagated up the hierarchy:

    [root@ktst ~]# cat /sys/fs/cgroup/system.slice/memory.events
    low 0
    high 0
    max 0
    oom 0
    oom_kill 0
    [root@ktst ~]# systemd-run -p MemoryMax=1 true
    Running as unit: run-r251162a189fb4562b9dabfdc9b0422f5.service
    [root@ktst ~]# cat /sys/fs/cgroup/system.slice/memory.events
    low 0
    high 0
    max 7
    oom 1
    oom_kill 1

As this is a change in behaviour, this can be reverted to the old
behaviour by mounting with the `memory_localevents' flag set.  However, we
use the new behaviour by default as there's a lack of evidence that there
are any current users of memory.events that would find this change
undesirable.

akpm: this is a behaviour change, so Cc:stable.  THis is so that
forthcoming distros which use cgroup v2 are more likely to pick up the
revised behaviour.

Link: http://lkml.kernel.org/r/20190208224419.GA24772@chrisdown.name
Signed-off-by: Chris Down <chris@chrisdown.name>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Roman Gushchin <guro@fb.com>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/admin-guide/cgroup-v2.rst |    9 +++++++++
 include/linux/cgroup-defs.h             |    5 +++++
 include/linux/memcontrol.h              |   10 ++++++++--
 kernel/cgroup/cgroup.c                  |   16 ++++++++++++++--
 4 files changed, 36 insertions(+), 4 deletions(-)

--- a/Documentation/admin-guide/cgroup-v2.rst
+++ b/Documentation/admin-guide/cgroup-v2.rst
@@ -177,6 +177,15 @@ cgroup v2 currently supports the followi
 	ignored on non-init namespace mounts.  Please refer to the
 	Delegation section for details.
 
+  memory_localevents
+
+        Only populate memory.events with data for the current cgroup,
+        and not any subtrees. This is legacy behaviour, the default
+        behaviour without this option is to include subtree counts.
+        This option is system wide and can only be set on mount or
+        modified through remount from the init namespace. The mount
+        option is ignored on non-init namespace mounts.
+
 
 Organizing Processes and Threads
 --------------------------------
--- a/include/linux/cgroup-defs.h
+++ b/include/linux/cgroup-defs.h
@@ -83,6 +83,11 @@ enum {
 	 * Enable cpuset controller in v1 cgroup to use v2 behavior.
 	 */
 	CGRP_ROOT_CPUSET_V2_MODE = (1 << 4),
+
+	/*
+	 * Enable legacy local memory.events.
+	 */
+	CGRP_ROOT_MEMORY_LOCAL_EVENTS = (1 << 5),
 };
 
 /* cftype->flags */
--- a/include/linux/memcontrol.h
+++ b/include/linux/memcontrol.h
@@ -777,8 +777,14 @@ static inline void count_memcg_event_mm(
 static inline void memcg_memory_event(struct mem_cgroup *memcg,
 				      enum memcg_memory_event event)
 {
-	atomic_long_inc(&memcg->memory_events[event]);
-	cgroup_file_notify(&memcg->events_file);
+	do {
+		atomic_long_inc(&memcg->memory_events[event]);
+		cgroup_file_notify(&memcg->events_file);
+
+		if (cgrp_dfl_root.flags & CGRP_ROOT_MEMORY_LOCAL_EVENTS)
+			break;
+	} while ((memcg = parent_mem_cgroup(memcg)) &&
+		 !mem_cgroup_is_root(memcg));
 }
 
 static inline void memcg_memory_event_mm(struct mm_struct *mm,
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -1775,11 +1775,13 @@ int cgroup_show_path(struct seq_file *sf
 
 enum cgroup2_param {
 	Opt_nsdelegate,
+	Opt_memory_localevents,
 	nr__cgroup2_params
 };
 
 static const struct fs_parameter_spec cgroup2_param_specs[] = {
-	fsparam_flag  ("nsdelegate",		Opt_nsdelegate),
+	fsparam_flag("nsdelegate",		Opt_nsdelegate),
+	fsparam_flag("memory_localevents",	Opt_memory_localevents),
 	{}
 };
 
@@ -1802,6 +1804,9 @@ static int cgroup2_parse_param(struct fs
 	case Opt_nsdelegate:
 		ctx->flags |= CGRP_ROOT_NS_DELEGATE;
 		return 0;
+	case Opt_memory_localevents:
+		ctx->flags |= CGRP_ROOT_MEMORY_LOCAL_EVENTS;
+		return 0;
 	}
 	return -EINVAL;
 }
@@ -1813,6 +1818,11 @@ static void apply_cgroup_root_flags(unsi
 			cgrp_dfl_root.flags |= CGRP_ROOT_NS_DELEGATE;
 		else
 			cgrp_dfl_root.flags &= ~CGRP_ROOT_NS_DELEGATE;
+
+		if (root_flags & CGRP_ROOT_MEMORY_LOCAL_EVENTS)
+			cgrp_dfl_root.flags |= CGRP_ROOT_MEMORY_LOCAL_EVENTS;
+		else
+			cgrp_dfl_root.flags &= ~CGRP_ROOT_MEMORY_LOCAL_EVENTS;
 	}
 }
 
@@ -1820,6 +1830,8 @@ static int cgroup_show_options(struct se
 {
 	if (cgrp_dfl_root.flags & CGRP_ROOT_NS_DELEGATE)
 		seq_puts(seq, ",nsdelegate");
+	if (cgrp_dfl_root.flags & CGRP_ROOT_MEMORY_LOCAL_EVENTS)
+		seq_puts(seq, ",memory_localevents");
 	return 0;
 }
 
@@ -6122,7 +6134,7 @@ static struct kobj_attribute cgroup_dele
 static ssize_t features_show(struct kobject *kobj, struct kobj_attribute *attr,
 			     char *buf)
 {
-	return snprintf(buf, PAGE_SIZE, "nsdelegate\n");
+	return snprintf(buf, PAGE_SIZE, "nsdelegate\nmemory_localevents\n");
 }
 static struct kobj_attribute cgroup_features_attr = __ATTR_RO(features);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 49/85] memcg: make it work on sparse non-0-node systems
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 48/85] mm, memcg: consider subtrees in memory.events Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 50/85] kasan: initialize tag to 0xff in __kasan_kmalloc Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Michal Hocko,
	Vladimir Davydov, Shakeel Butt, Johannes Weiner, Raghavendra K T,
	Andrew Morton, Linus Torvalds

From: Jiri Slaby <jslaby@suse.cz>

commit 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 upstream.

We have a single node system with node 0 disabled:
  Scanning NUMA topology in Northbridge 24
  Number of physical nodes 2
  Skipping disabled node 0
  Node 1 MemBase 0000000000000000 Limit 00000000fbff0000
  NODE_DATA(1) allocated [mem 0xfbfda000-0xfbfeffff]

This causes crashes in memcg when system boots:
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  #PF error: [normal kernel read fault]
...
  RIP: 0010:list_lru_add+0x94/0x170
...
  Call Trace:
   d_lru_add+0x44/0x50
   dput.part.34+0xfc/0x110
   __fput+0x108/0x230
   task_work_run+0x9f/0xc0
   exit_to_usermode_loop+0xf5/0x100

It is reproducible as far as 4.12.  I did not try older kernels.  You have
to have a new enough systemd, e.g.  241 (the reason is unknown -- was not
investigated).  Cannot be reproduced with systemd 234.

The system crashes because the size of lru array is never updated in
memcg_update_all_list_lrus and the reads are past the zero-sized array,
causing dereferences of random memory.

The root cause are list_lru_memcg_aware checks in the list_lru code.  The
test in list_lru_memcg_aware is broken: it assumes node 0 is always
present, but it is not true on some systems as can be seen above.

So fix this by avoiding checks on node 0.  Remember the memcg-awareness by
a bool flag in struct list_lru.

Link: http://lkml.kernel.org/r/20190522091940.3615-1-jslaby@suse.cz
Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists")
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Suggested-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/list_lru.h |    1 +
 mm/list_lru.c            |    8 +++-----
 2 files changed, 4 insertions(+), 5 deletions(-)

--- a/include/linux/list_lru.h
+++ b/include/linux/list_lru.h
@@ -54,6 +54,7 @@ struct list_lru {
 #ifdef CONFIG_MEMCG_KMEM
 	struct list_head	list;
 	int			shrinker_id;
+	bool			memcg_aware;
 #endif
 };
 
--- a/mm/list_lru.c
+++ b/mm/list_lru.c
@@ -37,11 +37,7 @@ static int lru_shrinker_id(struct list_l
 
 static inline bool list_lru_memcg_aware(struct list_lru *lru)
 {
-	/*
-	 * This needs node 0 to be always present, even
-	 * in the systems supporting sparse numa ids.
-	 */
-	return !!lru->node[0].memcg_lrus;
+	return lru->memcg_aware;
 }
 
 static inline struct list_lru_one *
@@ -451,6 +447,8 @@ static int memcg_init_list_lru(struct li
 {
 	int i;
 
+	lru->memcg_aware = memcg_aware;
+
 	if (!memcg_aware)
 		return 0;
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 50/85] kasan: initialize tag to 0xff in __kasan_kmalloc
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 49/85] memcg: make it work on sparse non-0-node systems Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 51/85] kernel/signal.c: trace_signal_deliver when signal_group_exit Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Andrey Konovalov,
	Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Nick Desaulniers, Andrew Morton, Linus Torvalds

From: Nathan Chancellor <natechancellor@gmail.com>

commit 0600597c854e53d2f9b7a6a718c1da2b8b4cb4db upstream.

When building with -Wuninitialized and CONFIG_KASAN_SW_TAGS unset, Clang
warns:

mm/kasan/common.c:484:40: warning: variable 'tag' is uninitialized when
used here [-Wuninitialized]
        kasan_unpoison_shadow(set_tag(object, tag), size);
                                              ^~~

set_tag ignores tag in this configuration but clang doesn't realize it at
this point in its pipeline, as it points to arch_kasan_set_tag as being
the point where it is used, which will later be expanded to (void
*)(object) without a use of tag.  Initialize tag to 0xff, as it removes
this warning and doesn't change the meaning of the code.

Link: https://github.com/ClangBuiltLinux/linux/issues/465
Link: http://lkml.kernel.org/r/20190502163057.6603-1-natechancellor@gmail.com
Fixes: 7f94ffbc4c6a ("kasan: add hooks implementation for tag-based mode")
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/kasan/common.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -472,7 +472,7 @@ static void *__kasan_kmalloc(struct kmem
 {
 	unsigned long redzone_start;
 	unsigned long redzone_end;
-	u8 tag;
+	u8 tag = 0xff;
 
 	if (gfpflags_allow_blocking(flags))
 		quarantine_reduce();



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 51/85] kernel/signal.c: trace_signal_deliver when signal_group_exit
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 50/85] kasan: initialize tag to 0xff in __kasan_kmalloc Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 52/85] signal/arm64: Use force_sig not force_sig_fault for SIGKILL Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhenliang Wei, Christian Brauner,
	Oleg Nesterov, Eric W. Biederman, Ivan Delalande, Arnd Bergmann,
	Thomas Gleixner, Deepa Dinamani, Andrew Morton, Linus Torvalds

From: Zhenliang Wei <weizhenliang@huawei.com>

commit 98af37d624ed8c83f1953b1b6b2f6866011fc064 upstream.

In the fixes commit, removing SIGKILL from each thread signal mask and
executing "goto fatal" directly will skip the call to
"trace_signal_deliver".  At this point, the delivery tracking of the
SIGKILL signal will be inaccurate.

Therefore, we need to add trace_signal_deliver before "goto fatal" after
executing sigdelset.

Note: SEND_SIG_NOINFO matches the fact that SIGKILL doesn't have any info.

Link: http://lkml.kernel.org/r/20190425025812.91424-1-weizhenliang@huawei.com
Fixes: cf43a757fd4944 ("signal: Restore the stop PTRACE_EVENT_EXIT")
Signed-off-by: Zhenliang Wei <weizhenliang@huawei.com>
Reviewed-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Ivan Delalande <colona@arista.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Deepa Dinamani <deepa.kernel@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/signal.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2441,6 +2441,8 @@ relock:
 	if (signal_group_exit(signal)) {
 		ksig->info.si_signo = signr = SIGKILL;
 		sigdelset(&current->pending.signal, SIGKILL);
+		trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO,
+				&sighand->action[SIGKILL - 1]);
 		recalc_sigpending();
 		goto fatal;
 	}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 52/85] signal/arm64: Use force_sig not force_sig_fault for SIGKILL
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 51/85] kernel/signal.c: trace_signal_deliver when signal_group_exit Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 53/85] mm, compaction: make sure we isolate a valid PFN Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Martin, James Morse,
	Will Deacon, Eric W. Biederman

From: Eric W. Biederman <ebiederm@xmission.com>

commit d76cac67db40c172791ce07948367b96a758e45b upstream.

I don't think this is userspace visible but SIGKILL does not have
any si_codes that use the fault member of the siginfo union.  Correct
this the simple way and call force_sig instead of force_sig_fault when
the signal is SIGKILL.

The two know places where synchronous SIGKILL are generated are
do_bad_area and fpsimd_save.  The call paths to force_sig_fault are:
do_bad_area
  arm64_force_sig_fault
    force_sig_fault
force_signal_inject
  arm64_notify_die
    arm64_force_sig_fault
       force_sig_fault

Which means correcting this in arm64_force_sig_fault is enough
to ensure the arm64 code is not misusing the generic code, which
could lead to maintenance problems later.

Cc: stable@vger.kernel.org
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Fixes: af40ff687bc9 ("arm64: signal: Ensure si_code is valid for all fault signals")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/traps.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -256,7 +256,10 @@ void arm64_force_sig_fault(int signo, in
 			   const char *str)
 {
 	arm64_show_signal(signo, str);
-	force_sig_fault(signo, code, addr, current);
+	if (signo == SIGKILL)
+		force_sig(SIGKILL, current);
+	else
+		force_sig_fault(signo, code, addr, current);
 }
 
 void arm64_force_sig_mceerr(int code, void __user *addr, short lsb,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 53/85] mm, compaction: make sure we isolate a valid PFN
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 52/85] signal/arm64: Use force_sig not force_sig_fault for SIGKILL Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 54/85] arm64: Fix the arm64_personality() syscall wrapper redirection Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suzuki K Poulose, Marc Zyngier,
	Mel Gorman, Anshuman Khandual, Michal Hocko, Qian Cai,
	Andrew Morton, Linus Torvalds

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit e577c8b64d58fe307ea4d5149d31615df2d90861 upstream.

When we have holes in a normal memory zone, we could endup having
cached_migrate_pfns which may not necessarily be valid, under heavy memory
pressure with swapping enabled ( via __reset_isolation_suitable(),
triggered by kswapd).

Later if we fail to find a page via fast_isolate_freepages(), we may end
up using the migrate_pfn we started the search with, as valid page.  This
could lead to accessing NULL pointer derefernces like below, due to an
invalid mem_section pointer.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 [47/1825]
 Mem abort info:
   ESR = 0x96000004
   Exception class = DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
 Data abort info:
   ISV = 0, ISS = 0x00000004
   CM = 0, WnR = 0
 user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000082f94ae9
 [0000000000000008] pgd=0000000000000000
 Internal error: Oops: 96000004 [#1] SMP
 ...
 CPU: 10 PID: 6080 Comm: qemu-system-aar Not tainted 510-rc1+ #6
 Hardware name: AmpereComputing(R) OSPREY EV-883832-X3-0001/OSPREY, BIOS 4819 09/25/2018
 pstate: 60000005 (nZCv daif -PAN -UAO)
 pc : set_pfnblock_flags_mask+0x58/0xe8
 lr : compaction_alloc+0x300/0x950
 [...]
 Process qemu-system-aar (pid: 6080, stack limit = 0x0000000095070da5)
 Call trace:
  set_pfnblock_flags_mask+0x58/0xe8
  compaction_alloc+0x300/0x950
  migrate_pages+0x1a4/0xbb0
  compact_zone+0x750/0xde8
  compact_zone_order+0xd8/0x118
  try_to_compact_pages+0xb4/0x290
  __alloc_pages_direct_compact+0x84/0x1e0
  __alloc_pages_nodemask+0x5e0/0xe18
  alloc_pages_vma+0x1cc/0x210
  do_huge_pmd_anonymous_page+0x108/0x7c8
  __handle_mm_fault+0xdd4/0x1190
  handle_mm_fault+0x114/0x1c0
  __get_user_pages+0x198/0x3c0
  get_user_pages_unlocked+0xb4/0x1d8
  __gfn_to_pfn_memslot+0x12c/0x3b8
  gfn_to_pfn_prot+0x4c/0x60
  kvm_handle_guest_abort+0x4b0/0xcd8
  handle_exit+0x140/0x1b8
  kvm_arch_vcpu_ioctl_run+0x260/0x768
  kvm_vcpu_ioctl+0x490/0x898
  do_vfs_ioctl+0xc4/0x898
  ksys_ioctl+0x8c/0xa0
  __arm64_sys_ioctl+0x28/0x38
  el0_svc_common+0x74/0x118
  el0_svc_handler+0x38/0x78
  el0_svc+0x8/0xc
 Code: f8607840 f100001f 8b011401 9a801020 (f9400400)
 ---[ end trace af6a35219325a9b6 ]---

The issue was reported on an arm64 server with 128GB with holes in the
zone (e.g, [32GB@4GB, 96GB@544GB]), with a swap device enabled, while
running 100 KVM guest instances.

This patch fixes the issue by ensuring that the page belongs to a valid
PFN when we fallback to using the lower limit of the scan range upon
failure in fast_isolate_freepages().

Link: http://lkml.kernel.org/r/1558711908-15688-1-git-send-email-suzuki.poulose@arm.com
Fixes: 5a811889de10f1eb ("mm, compaction: use free lists to quickly locate a migration target")
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reported-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Mel Gorman <mgorman@techsingularity.net>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Qian Cai <cai@lca.pw>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/compaction.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -1397,7 +1397,7 @@ fast_isolate_freepages(struct compact_co
 				page = pfn_to_page(highest);
 				cc->free_pfn = highest;
 			} else {
-				if (cc->direct_compaction) {
+				if (cc->direct_compaction && pfn_valid(min_pfn)) {
 					page = pfn_to_page(min_pfn);
 					cc->free_pfn = min_pfn;
 				}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 54/85] arm64: Fix the arm64_personality() syscall wrapper redirection
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 53/85] mm, compaction: make sure we isolate a valid PFN Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 55/85] docs: Fix conf.py for Sphinx 2.0 Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Catalin Marinas, Will Deacon

From: Catalin Marinas <catalin.marinas@arm.com>

commit 00377277166bac6939d8f72b429301369acaf2d8 upstream.

Following commit 4378a7d4be30 ("arm64: implement syscall wrappers"), the
syscall function names gained the '__arm64_' prefix. Ensure that we
have the correct #define for redirecting a default syscall through a
wrapper.

Fixes: 4378a7d4be30 ("arm64: implement syscall wrappers")
Cc: <stable@vger.kernel.org> # 4.19.x-
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/sys.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/kernel/sys.c
+++ b/arch/arm64/kernel/sys.c
@@ -50,7 +50,7 @@ SYSCALL_DEFINE1(arm64_personality, unsig
 /*
  * Wrappers to pass the pt_regs argument.
  */
-#define sys_personality		sys_arm64_personality
+#define __arm64_sys_personality		__arm64_sys_arm64_personality
 
 asmlinkage long sys_ni_syscall(const struct pt_regs *);
 #define __arm64_sys_ni_syscall	sys_ni_syscall



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 55/85] docs: Fix conf.py for Sphinx 2.0
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 54/85] arm64: Fix the arm64_personality() syscall wrapper redirection Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonathan Corbet

From: Jonathan Corbet <corbet@lwn.net>

commit 3bc8088464712fdcb078eefb68837ccfcc413c88 upstream.

Our version check in Documentation/conf.py never envisioned a world where
Sphinx moved beyond 1.x.  Now that the unthinkable has happened, fix our
version check to handle higher version numbers correctly.

Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/conf.py |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Documentation/conf.py
+++ b/Documentation/conf.py
@@ -37,7 +37,7 @@ needs_sphinx = '1.3'
 extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain', 'kfigure', 'sphinx.ext.ifconfig']
 
 # The name of the math extension changed on Sphinx 1.4
-if major == 1 and minor > 3:
+if (major == 1 and minor > 3) or (major > 1):
     extensions.append("sphinx.ext.imgmath")
 else:
     extensions.append("sphinx.ext.pngmath")



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 55/85] docs: Fix conf.py for Sphinx 2.0 Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-10  6:27   ` Jiri Slaby
  2019-06-07 15:39 ` [PATCH 5.1 57/85] doc: Cope with Sphinx logging deprecations Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  88 siblings, 1 reply; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonathan Corbet

From: Jonathan Corbet <corbet@lwn.net>

commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream.

AutoReporter is going away; recent versions of sphinx emit a warning like:

  Documentation/sphinx/kerneldoc.py:125:
      RemovedInSphinx20Warning: AutodocReporter is now deprecated.
      Use sphinx.util.docutils.switch_source_input() instead.

Make the switch.  But switch_source_input() only showed up in 1.7, so we
have to do ugly version checks to keep things working in older versions.

Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/sphinx/kerneldoc.py |   34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

--- a/Documentation/sphinx/kerneldoc.py
+++ b/Documentation/sphinx/kerneldoc.py
@@ -37,7 +37,17 @@ import glob
 from docutils import nodes, statemachine
 from docutils.statemachine import ViewList
 from docutils.parsers.rst import directives, Directive
-from sphinx.ext.autodoc import AutodocReporter
+
+#
+# AutodocReporter is only good up to Sphinx 1.7
+#
+import sphinx
+
+Use_SSI = sphinx.__version__[:3] >= '1.7'
+if Use_SSI:
+    from sphinx.util.docutils import switch_source_input
+else:
+    from sphinx.ext.autodoc import AutodocReporter
 
 __version__  = '1.0'
 
@@ -121,13 +131,7 @@ class KernelDocDirective(Directive):
                     lineoffset += 1
 
             node = nodes.section()
-            buf = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter
-            self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter)
-            self.state.memo.title_styles, self.state.memo.section_level = [], 0
-            try:
-                self.state.nested_parse(result, 0, node, match_titles=1)
-            finally:
-                self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = buf
+            self.do_parse(result, node)
 
             return node.children
 
@@ -136,6 +140,20 @@ class KernelDocDirective(Directive):
                          (" ".join(cmd), str(e)))
             return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))]
 
+    def do_parse(self, result, node):
+        if Use_SSI:
+            with switch_source_input(self.state, result):
+                self.state.nested_parse(result, 0, node, match_titles=1)
+        else:
+            save = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter
+            self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter)
+            self.state.memo.title_styles, self.state.memo.section_level = [], 0
+            try:
+                self.state.nested_parse(result, 0, node, match_titles=1)
+            finally:
+                self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = save
+
+
 def setup(app):
     app.add_config_value('kerneldoc_bin', None, 'env')
     app.add_config_value('kerneldoc_srctree', None, 'env')



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 57/85] doc: Cope with Sphinx logging deprecations
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 58/85] x86/ima: Check EFI_RUNTIME_SERVICES before using Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonathan Corbet

From: Jonathan Corbet <corbet@lwn.net>

commit 096ea522e84ea68f8e6c41e5e7294731a81e29bc upstream.

Recent versions of sphinx will emit messages like:

  Documentation/sphinx/kerneldoc.py:103:
     RemovedInSphinx20Warning: app.warning() is now deprecated.
     Use sphinx.util.logging instead.

Switch to sphinx.util.logging to make this unsightly message go away.
Alas, that interface was only added in version 1.6, so we have to add a
version check to keep things working with older sphinxes.

Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/sphinx/kerneldoc.py |   12 +++++++----
 Documentation/sphinx/kernellog.py |   28 ++++++++++++++++++++++++++
 Documentation/sphinx/kfigure.py   |   40 +++++++++++++++++++++-----------------
 3 files changed, 59 insertions(+), 21 deletions(-)

--- a/Documentation/sphinx/kerneldoc.py
+++ b/Documentation/sphinx/kerneldoc.py
@@ -49,6 +49,8 @@ if Use_SSI:
 else:
     from sphinx.ext.autodoc import AutodocReporter
 
+import kernellog
+
 __version__  = '1.0'
 
 class KernelDocDirective(Directive):
@@ -100,7 +102,8 @@ class KernelDocDirective(Directive):
         cmd += [filename]
 
         try:
-            env.app.verbose('calling kernel-doc \'%s\'' % (" ".join(cmd)))
+            kernellog.verbose(env.app,
+                              'calling kernel-doc \'%s\'' % (" ".join(cmd)))
 
             p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
             out, err = p.communicate()
@@ -110,7 +113,8 @@ class KernelDocDirective(Directive):
             if p.returncode != 0:
                 sys.stderr.write(err)
 
-                env.app.warn('kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode))
+                kernellog.warn(env.app,
+                               'kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode))
                 return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))]
             elif env.config.kerneldoc_verbosity > 0:
                 sys.stderr.write(err)
@@ -136,8 +140,8 @@ class KernelDocDirective(Directive):
             return node.children
 
         except Exception as e:  # pylint: disable=W0703
-            env.app.warn('kernel-doc \'%s\' processing failed with: %s' %
-                         (" ".join(cmd), str(e)))
+            kernellog.warn(env.app, 'kernel-doc \'%s\' processing failed with: %s' %
+                           (" ".join(cmd), str(e)))
             return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))]
 
     def do_parse(self, result, node):
--- /dev/null
+++ b/Documentation/sphinx/kernellog.py
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Sphinx has deprecated its older logging interface, but the replacement
+# only goes back to 1.6.  So here's a wrapper layer to keep around for
+# as long as we support 1.4.
+#
+import sphinx
+
+if sphinx.__version__[:3] >= '1.6':
+    UseLogging = True
+    from sphinx.util import logging
+    logger = logging.getLogger('kerneldoc')
+else:
+    UseLogging = False
+
+def warn(app, message):
+    if UseLogging:
+        logger.warning(message)
+    else:
+        app.warn(message)
+
+def verbose(app, message):
+    if UseLogging:
+        logger.verbose(message)
+    else:
+        app.verbose(message)
+
+
--- a/Documentation/sphinx/kfigure.py
+++ b/Documentation/sphinx/kfigure.py
@@ -60,6 +60,8 @@ import sphinx
 from sphinx.util.nodes import clean_astext
 from six import iteritems
 
+import kernellog
+
 PY3 = sys.version_info[0] == 3
 
 if PY3:
@@ -171,20 +173,20 @@ def setupTools(app):
     This function is called once, when the builder is initiated.
     """
     global dot_cmd, convert_cmd   # pylint: disable=W0603
-    app.verbose("kfigure: check installed tools ...")
+    kernellog.verbose(app, "kfigure: check installed tools ...")
 
     dot_cmd = which('dot')
     convert_cmd = which('convert')
 
     if dot_cmd:
-        app.verbose("use dot(1) from: " + dot_cmd)
+        kernellog.verbose(app, "use dot(1) from: " + dot_cmd)
     else:
-        app.warn("dot(1) not found, for better output quality install "
-                 "graphviz from http://www.graphviz.org")
+        kernellog.warn(app, "dot(1) not found, for better output quality install "
+                       "graphviz from http://www.graphviz.org")
     if convert_cmd:
-        app.verbose("use convert(1) from: " + convert_cmd)
+        kernellog.verbose(app, "use convert(1) from: " + convert_cmd)
     else:
-        app.warn(
+        kernellog.warn(app,
             "convert(1) not found, for SVG to PDF conversion install "
             "ImageMagick (https://www.imagemagick.org)")
 
@@ -220,12 +222,13 @@ def convert_image(img_node, translator,
 
     # in kernel builds, use 'make SPHINXOPTS=-v' to see verbose messages
 
-    app.verbose('assert best format for: ' + img_node['uri'])
+    kernellog.verbose(app, 'assert best format for: ' + img_node['uri'])
 
     if in_ext == '.dot':
 
         if not dot_cmd:
-            app.verbose("dot from graphviz not available / include DOT raw.")
+            kernellog.verbose(app,
+                              "dot from graphviz not available / include DOT raw.")
             img_node.replace_self(file2literal(src_fname))
 
         elif translator.builder.format == 'latex':
@@ -252,7 +255,8 @@ def convert_image(img_node, translator,
 
         if translator.builder.format == 'latex':
             if convert_cmd is None:
-                app.verbose("no SVG to PDF conversion available / include SVG raw.")
+                kernellog.verbose(app,
+                                  "no SVG to PDF conversion available / include SVG raw.")
                 img_node.replace_self(file2literal(src_fname))
             else:
                 dst_fname = path.join(translator.builder.outdir, fname + '.pdf')
@@ -265,18 +269,19 @@ def convert_image(img_node, translator,
         _name = dst_fname[len(translator.builder.outdir) + 1:]
 
         if isNewer(dst_fname, src_fname):
-            app.verbose("convert: {out}/%s already exists and is newer" % _name)
+            kernellog.verbose(app,
+                              "convert: {out}/%s already exists and is newer" % _name)
 
         else:
             ok = False
             mkdir(path.dirname(dst_fname))
 
             if in_ext == '.dot':
-                app.verbose('convert DOT to: {out}/' + _name)
+                kernellog.verbose(app, 'convert DOT to: {out}/' + _name)
                 ok = dot2format(app, src_fname, dst_fname)
 
             elif in_ext == '.svg':
-                app.verbose('convert SVG to: {out}/' + _name)
+                kernellog.verbose(app, 'convert SVG to: {out}/' + _name)
                 ok = svg2pdf(app, src_fname, dst_fname)
 
             if not ok:
@@ -305,7 +310,8 @@ def dot2format(app, dot_fname, out_fname
     with open(out_fname, "w") as out:
         exit_code = subprocess.call(cmd, stdout = out)
         if exit_code != 0:
-            app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd)))
+            kernellog.warn(app,
+                          "Error #%d when calling: %s" % (exit_code, " ".join(cmd)))
     return bool(exit_code == 0)
 
 def svg2pdf(app, svg_fname, pdf_fname):
@@ -322,7 +328,7 @@ def svg2pdf(app, svg_fname, pdf_fname):
     # use stdout and stderr from parent
     exit_code = subprocess.call(cmd)
     if exit_code != 0:
-        app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd)))
+        kernellog.warn(app, "Error #%d when calling: %s" % (exit_code, " ".join(cmd)))
     return bool(exit_code == 0)
 
 
@@ -415,15 +421,15 @@ def visit_kernel_render(self, node):
     app = self.builder.app
     srclang = node.get('srclang')
 
-    app.verbose('visit kernel-render node lang: "%s"' % (srclang))
+    kernellog.verbose(app, 'visit kernel-render node lang: "%s"' % (srclang))
 
     tmp_ext = RENDER_MARKUP_EXT.get(srclang, None)
     if tmp_ext is None:
-        app.warn('kernel-render: "%s" unknown / include raw.' % (srclang))
+        kernellog.warn(app, 'kernel-render: "%s" unknown / include raw.' % (srclang))
         return
 
     if not dot_cmd and tmp_ext == '.dot':
-        app.verbose("dot from graphviz not available / include raw.")
+        kernellog.verbose(app, "dot from graphviz not available / include raw.")
         return
 
     literal_block = node[0]



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 58/85] x86/ima: Check EFI_RUNTIME_SERVICES before using
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 57/85] doc: Cope with Sphinx logging deprecations Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 59/85] ima: fix wrong signed policy requirement when not appraising Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Scott Wood, Mimi Zohar

From: Scott Wood <swood@redhat.com>

commit 558b523d46289f111d53d7c42211069063be5985 upstream.

Checking efi_enabled(EFI_BOOT) is not sufficient to ensure that
EFI runtime services are available, e.g. if efi=noruntime is used.

Without this, I get an oops on a PREEMPT_RT kernel where efi=noruntime is
the default.

Fixes: 399574c64eaf94e8 ("x86/ima: retry detecting secure boot mode")
Cc: stable@vger.kernel.org  (linux-5.0)
Signed-off-by: Scott Wood <swood@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/ima_arch.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -17,6 +17,11 @@ static enum efi_secureboot_mode get_sb_m
 
 	size = sizeof(secboot);
 
+	if (!efi_enabled(EFI_RUNTIME_SERVICES)) {
+		pr_info("ima: secureboot mode unknown, no efi\n");
+		return efi_secureboot_mode_unknown;
+	}
+
 	/* Get variable contents into buffer */
 	status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
 				  NULL, &size, &secboot);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 59/85] ima: fix wrong signed policy requirement when not appraising
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 58/85] x86/ima: Check EFI_RUNTIME_SERVICES before using Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 60/85] ima: show rules with IMA_INMASK correctly Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Petr Vorel, Mimi Zohar

From: Petr Vorel <pvorel@suse.cz>

commit f40019475bbbe9b455e7fd4385fcf13896c492ca upstream.

Kernel booted just with ima_policy=tcb (not with
ima_policy=appraise_tcb) shouldn't require signed policy.

Regression found with LTP test ima_policy.sh.

Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
Cc: stable@vger.kernel.org  (linux-5.0)
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/integrity/ima/ima_policy.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_en
 
 			list_add_tail(&entry->list, &ima_policy_rules);
 		}
-		if (entries[i].action == APPRAISE)
+		if (entries[i].action == APPRAISE) {
 			temp_ima_appraise |= ima_appraise_flag(entries[i].func);
-		if (entries[i].func == POLICY_CHECK)
-			temp_ima_appraise |= IMA_APPRAISE_POLICY;
+			if (entries[i].func == POLICY_CHECK)
+				temp_ima_appraise |= IMA_APPRAISE_POLICY;
+		}
 	}
 }
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 60/85] ima: show rules with IMA_INMASK correctly
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 59/85] ima: fix wrong signed policy requirement when not appraising Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 61/85] evm: check hash algorithm passed to init_desc() Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Roberto Sassu, Mimi Zohar

From: Roberto Sassu <roberto.sassu@huawei.com>

commit 8cdc23a3d9ec0944000ad43bad588e36afdc38cd upstream.

Show the '^' character when a policy rule has flag IMA_INMASK.

Fixes: 80eae209d63ac ("IMA: allow reading back the current IMA policy")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/integrity/ima/ima_policy.c |   21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1147,10 +1147,10 @@ enum {
 };
 
 static const char *const mask_tokens[] = {
-	"MAY_EXEC",
-	"MAY_WRITE",
-	"MAY_READ",
-	"MAY_APPEND"
+	"^MAY_EXEC",
+	"^MAY_WRITE",
+	"^MAY_READ",
+	"^MAY_APPEND"
 };
 
 #define __ima_hook_stringify(str)	(#str),
@@ -1210,6 +1210,7 @@ int ima_policy_show(struct seq_file *m,
 	struct ima_rule_entry *entry = v;
 	int i;
 	char tbuf[64] = {0,};
+	int offset = 0;
 
 	rcu_read_lock();
 
@@ -1233,15 +1234,17 @@ int ima_policy_show(struct seq_file *m,
 	if (entry->flags & IMA_FUNC)
 		policy_func_show(m, entry->func);
 
-	if (entry->flags & IMA_MASK) {
+	if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
+		if (entry->flags & IMA_MASK)
+			offset = 1;
 		if (entry->mask & MAY_EXEC)
-			seq_printf(m, pt(Opt_mask), mt(mask_exec));
+			seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
 		if (entry->mask & MAY_WRITE)
-			seq_printf(m, pt(Opt_mask), mt(mask_write));
+			seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
 		if (entry->mask & MAY_READ)
-			seq_printf(m, pt(Opt_mask), mt(mask_read));
+			seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
 		if (entry->mask & MAY_APPEND)
-			seq_printf(m, pt(Opt_mask), mt(mask_append));
+			seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
 		seq_puts(m, " ");
 	}
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 61/85] evm: check hash algorithm passed to init_desc()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 60/85] ima: show rules with IMA_INMASK correctly Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 62/85] clk: imx: imx8mm: fix int pll clk gate Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Roberto Sassu, Mimi Zohar

From: Roberto Sassu <roberto.sassu@huawei.com>

commit 221be106d75c1b511973301542f47d6000d0b63e upstream.

This patch prevents memory access beyond the evm_tfm array by checking the
validity of the index (hash algorithm) passed to init_desc(). The hash
algorithm can be arbitrarily set if the security.ima xattr type is not
EVM_XATTR_HMAC.

Fixes: 5feeb61183dde ("evm: Allow non-SHA1 digital signatures")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/integrity/evm/evm_crypto.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char
 		tfm = &hmac_tfm;
 		algo = evm_hmac;
 	} else {
+		if (hash_algo >= HASH_ALGO__LAST)
+			return ERR_PTR(-EINVAL);
+
 		tfm = &evm_tfm[hash_algo];
 		algo = hash_algo_name[hash_algo];
 	}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 62/85] clk: imx: imx8mm: fix int pll clk gate
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 61/85] evm: check hash algorithm passed to init_desc() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 63/85] vt/fbcon: deinitialize resources in visual_init() after failed memory allocation Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peng Fan, Fabio Estevam, Jacky Bai,
	Stephen Boyd

From: Peng Fan <peng.fan@nxp.com>

commit b3fddd5b100e4aee4f7ec58360435024971dea47 upstream.

To Frac pll, the gate shift is 13, however to Int PLL the gate shift
is 11.

Cc: <stable@vger.kernel.org>
Fixes: ba5625c3e27 ("clk: imx: Add clock driver support for imx8mm")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Jacky Bai <ping.bai@nxp.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/imx/clk-imx8mm.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/clk/imx/clk-imx8mm.c
+++ b/drivers/clk/imx/clk-imx8mm.c
@@ -449,12 +449,12 @@ static int __init imx8mm_clocks_init(str
 	clks[IMX8MM_AUDIO_PLL2_OUT] = imx_clk_gate("audio_pll2_out", "audio_pll2_bypass", base + 0x14, 13);
 	clks[IMX8MM_VIDEO_PLL1_OUT] = imx_clk_gate("video_pll1_out", "video_pll1_bypass", base + 0x28, 13);
 	clks[IMX8MM_DRAM_PLL_OUT] = imx_clk_gate("dram_pll_out", "dram_pll_bypass", base + 0x50, 13);
-	clks[IMX8MM_GPU_PLL_OUT] = imx_clk_gate("gpu_pll_out", "gpu_pll_bypass", base + 0x64, 13);
-	clks[IMX8MM_VPU_PLL_OUT] = imx_clk_gate("vpu_pll_out", "vpu_pll_bypass", base + 0x74, 13);
-	clks[IMX8MM_ARM_PLL_OUT] = imx_clk_gate("arm_pll_out", "arm_pll_bypass", base + 0x84, 13);
-	clks[IMX8MM_SYS_PLL1_OUT] = imx_clk_gate("sys_pll1_out", "sys_pll1_bypass", base + 0x94, 13);
-	clks[IMX8MM_SYS_PLL2_OUT] = imx_clk_gate("sys_pll2_out", "sys_pll2_bypass", base + 0x104, 13);
-	clks[IMX8MM_SYS_PLL3_OUT] = imx_clk_gate("sys_pll3_out", "sys_pll3_bypass", base + 0x114, 13);
+	clks[IMX8MM_GPU_PLL_OUT] = imx_clk_gate("gpu_pll_out", "gpu_pll_bypass", base + 0x64, 11);
+	clks[IMX8MM_VPU_PLL_OUT] = imx_clk_gate("vpu_pll_out", "vpu_pll_bypass", base + 0x74, 11);
+	clks[IMX8MM_ARM_PLL_OUT] = imx_clk_gate("arm_pll_out", "arm_pll_bypass", base + 0x84, 11);
+	clks[IMX8MM_SYS_PLL1_OUT] = imx_clk_gate("sys_pll1_out", "sys_pll1_bypass", base + 0x94, 11);
+	clks[IMX8MM_SYS_PLL2_OUT] = imx_clk_gate("sys_pll2_out", "sys_pll2_bypass", base + 0x104, 11);
+	clks[IMX8MM_SYS_PLL3_OUT] = imx_clk_gate("sys_pll3_out", "sys_pll3_bypass", base + 0x114, 11);
 
 	/* SYS PLL fixed output */
 	clks[IMX8MM_SYS_PLL1_40M] = imx_clk_fixed_factor("sys_pll1_40m", "sys_pll1_out", 1, 20);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 63/85] vt/fbcon: deinitialize resources in visual_init() after failed memory allocation
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 62/85] clk: imx: imx8mm: fix int pll clk gate Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 64/85] serial: sh-sci: disable DMA for uart_console Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Grzegorz Halat, Oleksandr Natalenko,
	Bartlomiej Zolnierkiewicz

From: Grzegorz Halat <ghalat@redhat.com>

commit a1ad1cc9704f64c169261a76e1aee1cf1ae51832 upstream.

After memory allocation failure vc_allocate() doesn't clean up data
which has been initialized in visual_init(). In case of fbcon this
leads to divide-by-0 in fbcon_init() on next open of the same tty.

memory allocation in vc_allocate() may fail here:
1097:     vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);

on next open() fbcon_init() skips vc_font.data initialization:
1088:     if (!p->fontdata) {

division by zero in fbcon_init() happens here:
1149:     new_cols /= vc->vc_font.width;

Additional check is needed in fbcon_deinit() to prevent
usage of uninitialized vc_screenbuf:

1251:        if (vc->vc_hi_font_mask && vc->vc_screenbuf)
1252:                set_vc_hi_font(vc, false);

Crash:

 #6 [ffffc90001eafa60] divide_error at ffffffff81a00be4
    [exception RIP: fbcon_init+463]
    RIP: ffffffff814b860f  RSP: ffffc90001eafb18  RFLAGS: 00010246
...
 #7 [ffffc90001eafb60] visual_init at ffffffff8154c36e
 #8 [ffffc90001eafb80] vc_allocate at ffffffff8154f53c
 #9 [ffffc90001eafbc8] con_install at ffffffff8154f624
...

Signed-off-by: Grzegorz Halat <ghalat@redhat.com>
Reviewed-by: Oleksandr Natalenko <oleksandr@redhat.com>
Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt.c              |   11 +++++++++--
 drivers/video/fbdev/core/fbcon.c |    2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1056,6 +1056,13 @@ static void visual_init(struct vc_data *
 	vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;
 }
 
+
+static void visual_deinit(struct vc_data *vc)
+{
+	vc->vc_sw->con_deinit(vc);
+	module_put(vc->vc_sw->owner);
+}
+
 int vc_allocate(unsigned int currcons)	/* return 0 on success */
 {
 	struct vt_notifier_param param;
@@ -1103,6 +1110,7 @@ int vc_allocate(unsigned int currcons)	/
 
 	return 0;
 err_free:
+	visual_deinit(vc);
 	kfree(vc);
 	vc_cons[currcons].d = NULL;
 	return -ENOMEM;
@@ -1331,9 +1339,8 @@ struct vc_data *vc_deallocate(unsigned i
 		param.vc = vc = vc_cons[currcons].d;
 		atomic_notifier_call_chain(&vt_notifier_list, VT_DEALLOCATE, &param);
 		vcs_remove_sysfs(currcons);
-		vc->vc_sw->con_deinit(vc);
+		visual_deinit(vc);
 		put_pid(vc->vt_pid);
-		module_put(vc->vc_sw->owner);
 		vc_uniscr_set(vc, NULL);
 		kfree(vc->vc_screenbuf);
 		vc_cons[currcons].d = NULL;
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -1248,7 +1248,7 @@ finished:
 	if (free_font)
 		vc->vc_font.data = NULL;
 
-	if (vc->vc_hi_font_mask)
+	if (vc->vc_hi_font_mask && vc->vc_screenbuf)
 		set_vc_hi_font(vc, false);
 
 	if (!con_is_bound(&fb_con))



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 64/85] serial: sh-sci: disable DMA for uart_console
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 63/85] vt/fbcon: deinitialize resources in visual_init() after failed memory allocation Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 65/85] staging: vc04_services: prevent integer overflow in create_pagelist() Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Rodin, Eugeniu Rosca,
	Simon Horman, Wolfram Sang, Geert Uytterhoeven, George G. Davis

From: George G. Davis <george_davis@mentor.com>

commit 099506cbbc79c0bd52b19cb6b930f256dabc3950 upstream.

As noted in commit 84b40e3b57ee ("serial: 8250: omap: Disable DMA for
console UART"), UART console lines use low-level PIO only access functions
which will conflict with use of the line when DMA is enabled, e.g. when
the console line is also used for systemd messages. So disable DMA
support for UART console lines.

Reported-by: Michael Rodin <mrodin@de.adit-jv.com>
Link: https://patchwork.kernel.org/patch/10929511/
Tested-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: stable@vger.kernel.org
Signed-off-by: George G. Davis <george_davis@mentor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/sh-sci.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -1557,6 +1557,13 @@ static void sci_request_dma(struct uart_
 
 	dev_dbg(port->dev, "%s: port %d\n", __func__, port->line);
 
+	/*
+	 * DMA on console may interfere with Kernel log messages which use
+	 * plain putchar(). So, simply don't use it with a console.
+	 */
+	if (uart_console(port))
+		return;
+
 	if (!port->dev->of_node)
 		return;
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 65/85] staging: vc04_services: prevent integer overflow in create_pagelist()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 64/85] serial: sh-sci: disable DMA for uart_console Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 66/85] staging: wlan-ng: fix adapter initialization failure Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter

From: Dan Carpenter <dan.carpenter@oracle.com>

commit ca641bae6da977d638458e78cd1487b6160a2718 upstream.

The create_pagelist() "count" parameter comes from the user in
vchiq_ioctl() and it could overflow.  If you look at how create_page()
is called in vchiq_prepare_bulk_data(), then the "size" variable is an
int so it doesn't make sense to allow negatives or larger than INT_MAX.

I don't know this code terribly well, but I believe that typical values
of "count" are typically quite low and I don't think this check will
affect normal valid uses at all.

The "pagelist_size" calculation can also overflow on 32 bit systems, but
not on 64 bit systems.  I have added an integer overflow check for that
as well.

The Raspberry PI doesn't offer the same level of memory protection that
x86 does so these sorts of bugs are probably not super critical to fix.

Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
@@ -398,9 +398,18 @@ create_pagelist(char __user *buf, size_t
 	int dma_buffers;
 	dma_addr_t dma_addr;
 
+	if (count >= INT_MAX - PAGE_SIZE)
+		return NULL;
+
 	offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1));
 	num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE);
 
+	if (num_pages > (SIZE_MAX - sizeof(struct pagelist) -
+			 sizeof(struct vchiq_pagelist_info)) /
+			(sizeof(u32) + sizeof(pages[0]) +
+			 sizeof(struct scatterlist)))
+		return NULL;
+
 	pagelist_size = sizeof(struct pagelist) +
 			(num_pages * sizeof(u32)) +
 			(num_pages * sizeof(pages[0]) +



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 66/85] staging: wlan-ng: fix adapter initialization failure
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 65/85] staging: vc04_services: prevent integer overflow in create_pagelist() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 67/85] cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tim Collier

From: Tim Collier <osdevtc@gmail.com>

commit a67fedd788182764dc8ed59037c604b7e60349f1 upstream.

Commit e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long
code line warnings.") moved the retrieval of the transfer buffer from
the URB from the top of function hfa384x_usbin_callback to a point
after reposting of the URB via a call to submit_rx_urb. The reposting
of the URB allocates a new transfer buffer so the new buffer is
retrieved instead of the buffer containing the response passed into
the callback. This results in failure to initialize the adapter with
an error reported in the system log (something like "CTLX[1] error:
state(Request failed)").

This change moves the retrieval to just before the point where the URB
is reposted so that the correct transfer buffer is retrieved and
initialization of the device succeeds.

Signed-off-by: Tim Collier <osdevtc@gmail.com>
Fixes: e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long code line warnings.")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/wlan-ng/hfa384x_usb.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -3119,7 +3119,9 @@ static void hfa384x_usbin_callback(struc
 		break;
 	}
 
+	/* Save values from the RX URB before reposting overwrites it. */
 	urb_status = urb->status;
+	usbin = (union hfa384x_usbin *)urb->transfer_buffer;
 
 	if (action != ABORT) {
 		/* Repost the RX URB */
@@ -3136,7 +3138,6 @@ static void hfa384x_usbin_callback(struc
 	/* Note: the check of the sw_support field, the type field doesn't
 	 *       have bit 12 set like the docs suggest.
 	 */
-	usbin = (union hfa384x_usbin *)urb->transfer_buffer;
 	type = le16_to_cpu(usbin->type);
 	if (HFA384x_USB_ISRXFRM(type)) {
 		if (action == HANDLE) {



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 67/85] cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 66/85] staging: wlan-ng: fix adapter initialization failure Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 68/85] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King, Steve French

From: Colin Ian King <colin.king@canonical.com>

commit 210782038b54ec8e9059a3c12d6f6ae173efa3a9 upstream.

Currently in the case where SMB2_ioctl returns the -EOPNOTSUPP error
there is a memory leak of pneg_inbuf. Fix this by returning via
the out_free_inbuf exit path that will perform the relevant kfree.

Addresses-Coverity: ("Resource leak")
Fixes: 969ae8e8d4ee ("cifs: Accept validate negotiate if server return NT_STATUS_NOT_SUPPORTED")
CC: Stable <stable@vger.kernel.org> # v5.1+
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1013,7 +1013,8 @@ int smb3_validate_negotiate(const unsign
 		 * not supported error. Client should accept it.
 		 */
 		cifs_dbg(VFS, "Server does not support validate negotiate\n");
-		return 0;
+		rc = 0;
+		goto out_free_inbuf;
 	} else if (rc != 0) {
 		cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
 		rc = -EIO;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 68/85] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 67/85] cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 69/85] Revert "lockd: Show pid of lockd for remote locks" Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roberto Bergantinos Corpas,
	Pavel Shilovsky, Steve French

From: Roberto Bergantinos Corpas <rbergant@redhat.com>

commit 31fad7d41e73731f05b8053d17078638cf850fa6 upstream.

 In cifs_read_allocate_pages, in case of ENOMEM, we go through
whole rdata->pages array but we have failed the allocation before
nr_pages, therefore we may end up calling put_page with NULL
pointer, causing oops

Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/file.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -3221,7 +3221,9 @@ cifs_read_allocate_pages(struct cifs_rea
 	}
 
 	if (rc) {
-		for (i = 0; i < nr_pages; i++) {
+		unsigned int nr_page_failed = i;
+
+		for (i = 0; i < nr_page_failed; i++) {
 			put_page(rdata->pages[i]);
 			rdata->pages[i] = NULL;
 		}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 69/85] Revert "lockd: Show pid of lockd for remote locks"
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 68/85] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 70/85] gcc-plugins: Fix build failures under Darwin host Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Coddington, XueWei Zhang,
	J. Bruce Fields

From: Benjamin Coddington <bcodding@redhat.com>

commit 141731d15d6eb2fd9aaefbf9b935ce86ae243074 upstream.

This reverts most of commit b8eee0e90f97 ("lockd: Show pid of lockd for
remote locks"), which caused remote locks to not be differentiated between
remote processes for NLM.

We retain the fixup for setting the client's fl_pid to a negative value.

Fixes: b8eee0e90f97 ("lockd: Show pid of lockd for remote locks")
Cc: stable@vger.kernel.org

Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: XueWei Zhang <xueweiz@google.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/lockd/xdr.c  |    4 ++--
 fs/lockd/xdr4.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/fs/lockd/xdr.c
+++ b/fs/lockd/xdr.c
@@ -127,7 +127,7 @@ nlm_decode_lock(__be32 *p, struct nlm_lo
 
 	locks_init_lock(fl);
 	fl->fl_owner = current->files;
-	fl->fl_pid   = current->tgid;
+	fl->fl_pid   = (pid_t)lock->svid;
 	fl->fl_flags = FL_POSIX;
 	fl->fl_type  = F_RDLCK;		/* as good as anything else */
 	start = ntohl(*p++);
@@ -269,7 +269,7 @@ nlmsvc_decode_shareargs(struct svc_rqst
 	memset(lock, 0, sizeof(*lock));
 	locks_init_lock(&lock->fl);
 	lock->svid = ~(u32) 0;
-	lock->fl.fl_pid = current->tgid;
+	lock->fl.fl_pid = (pid_t)lock->svid;
 
 	if (!(p = nlm_decode_cookie(p, &argp->cookie))
 	 || !(p = xdr_decode_string_inplace(p, &lock->caller,
--- a/fs/lockd/xdr4.c
+++ b/fs/lockd/xdr4.c
@@ -119,7 +119,7 @@ nlm4_decode_lock(__be32 *p, struct nlm_l
 
 	locks_init_lock(fl);
 	fl->fl_owner = current->files;
-	fl->fl_pid   = current->tgid;
+	fl->fl_pid   = (pid_t)lock->svid;
 	fl->fl_flags = FL_POSIX;
 	fl->fl_type  = F_RDLCK;		/* as good as anything else */
 	p = xdr_decode_hyper(p, &start);
@@ -266,7 +266,7 @@ nlm4svc_decode_shareargs(struct svc_rqst
 	memset(lock, 0, sizeof(*lock));
 	locks_init_lock(&lock->fl);
 	lock->svid = ~(u32) 0;
-	lock->fl.fl_pid = current->tgid;
+	lock->fl.fl_pid = (pid_t)lock->svid;
 
 	if (!(p = nlm4_decode_cookie(p, &argp->cookie))
 	 || !(p = xdr_decode_string_inplace(p, &lock->caller,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 70/85] gcc-plugins: Fix build failures under Darwin host
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 69/85] Revert "lockd: Show pid of lockd for remote locks" Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 71/85] drm/tegra: gem: Fix CPU-cache maintenance for BOs allocated using get_pages() Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kees Cook, H. Nikolaus Schaller

From: Kees Cook <keescook@chromium.org>

commit 7210e060155b9cf557fb13128353c3e494fa5ed3 upstream.

The gcc-common.h file did not take into account certain macros that
might have already been defined in the build environment. This updates
the header to avoid redefining the macros, as seen on a Darwin host
using gcc 4.9.2:

 HOSTCXX -fPIC scripts/gcc-plugins/arm_ssp_per_task_plugin.o - due to: scripts/gcc-plugins/gcc-common.h
In file included from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3:0:
scripts/gcc-plugins/gcc-common.h:153:0: warning: "__unused" redefined
^
In file included from /usr/include/stdio.h:64:0,
                from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/system.h:40,
                from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/gcc-plugin.h:28,
                from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/plugin.h:23,
                from scripts/gcc-plugins/gcc-common.h:9,
                from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3:
/usr/include/sys/cdefs.h:161:0: note: this is the location of the previous definition
^

Reported-and-tested-by: "H. Nikolaus Schaller" <hns@goldelico.com>
Fixes: 189af4657186 ("ARM: smp: add support for per-task stack canaries")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 scripts/gcc-plugins/gcc-common.h |    4 ++++
 1 file changed, 4 insertions(+)

--- a/scripts/gcc-plugins/gcc-common.h
+++ b/scripts/gcc-plugins/gcc-common.h
@@ -150,8 +150,12 @@ void print_gimple_expr(FILE *, gimple, i
 void dump_gimple_stmt(pretty_printer *, gimple, int, int);
 #endif
 
+#ifndef __unused
 #define __unused __attribute__((__unused__))
+#endif
+#ifndef __visible
 #define __visible __attribute__((visibility("default")))
+#endif
 
 #define DECL_NAME_POINTER(node) IDENTIFIER_POINTER(DECL_NAME(node))
 #define DECL_NAME_LENGTH(node) IDENTIFIER_LENGTH(DECL_NAME(node))



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 71/85] drm/tegra: gem: Fix CPU-cache maintenance for BOs allocated using get_pages()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 70/85] gcc-plugins: Fix build failures under Darwin host Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 72/85] drm/vmwgfx: Fix user space handle equal to zero Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Thierry Reding

From: Dmitry Osipenko <digetx@gmail.com>

commit 61b51fb51c01a519a249d28ec55c6513a13be5a3 upstream.

The allocated pages need to be invalidated in CPU caches. On ARM32 the
DMA_BIDIRECTIONAL flag only ensures that data is written-back to DRAM and
the data stays in CPU cache lines. While the DMA_FROM_DEVICE flag ensures
that the corresponding CPU cache lines are getting invalidated and nothing
more, that's exactly what is needed for a newly allocated pages.

This fixes randomly failing rendercheck tests on Tegra30 using the
Opentegra driver for tests that use small-sized pixmaps (10x10 and less,
i.e. 1-2 memory pages) because apparently CPU reads out stale data from
caches and/or that data is getting evicted to DRAM at the time of HW job
execution.

Fixes: bd43c9f0fa1f ("drm/tegra: gem: Map pages via the DMA API")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/tegra/gem.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/tegra/gem.c
+++ b/drivers/gpu/drm/tegra/gem.c
@@ -204,7 +204,7 @@ static void tegra_bo_free(struct drm_dev
 {
 	if (bo->pages) {
 		dma_unmap_sg(drm->dev, bo->sgt->sgl, bo->sgt->nents,
-			     DMA_BIDIRECTIONAL);
+			     DMA_FROM_DEVICE);
 		drm_gem_put_pages(&bo->gem, bo->pages, true, true);
 		sg_free_table(bo->sgt);
 		kfree(bo->sgt);
@@ -230,7 +230,7 @@ static int tegra_bo_get_pages(struct drm
 	}
 
 	err = dma_map_sg(drm->dev, bo->sgt->sgl, bo->sgt->nents,
-			 DMA_BIDIRECTIONAL);
+			 DMA_FROM_DEVICE);
 	if (err == 0) {
 		err = -EFAULT;
 		goto free_sgt;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 72/85] drm/vmwgfx: Fix user space handle equal to zero
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 71/85] drm/tegra: gem: Fix CPU-cache maintenance for BOs allocated using get_pages() Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 73/85] drm/vmwgfx: Fix compat mode shader operation Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Hellstrom, Deepak Rawat

From: Thomas Hellstrom <thellstrom@vmware.com>

commit 8407f8a1d940fe28c4243ad4f0cb6a44dcee88f6 upstream.

User-space handles equal to zero are interpreted as uninitialized or
illegal by some drm systems (most notably kms). This means that a
dumb buffer or surface with a zero user-space handle can never be
used as a kms frame-buffer.

Cc: <stable@vger.kernel.org>
Fixes: c7eae62666ad ("drm/vmwgfx: Make the object handles idr-generated")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/ttm_object.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/ttm_object.c
+++ b/drivers/gpu/drm/vmwgfx/ttm_object.c
@@ -174,7 +174,7 @@ int ttm_base_object_init(struct ttm_obje
 	kref_init(&base->refcount);
 	idr_preload(GFP_KERNEL);
 	spin_lock(&tdev->object_lock);
-	ret = idr_alloc(&tdev->idr, base, 0, 0, GFP_NOWAIT);
+	ret = idr_alloc(&tdev->idr, base, 1, 0, GFP_NOWAIT);
 	spin_unlock(&tdev->object_lock);
 	idr_preload_end();
 	if (ret < 0)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 73/85] drm/vmwgfx: Fix compat mode shader operation
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 72/85] drm/vmwgfx: Fix user space handle equal to zero Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:39 ` [PATCH 5.1 74/85] drm/vmwgfx: Dont send drm sysfs hotplug events on initial master set Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Hellstrom, Brian Paul

From: Thomas Hellstrom <thellstrom@vmware.com>

commit e41c20cf50a8a7d0dfa337a7530590aacef4193b upstream.

In compat mode, we allowed host-backed user-space with guest-backed
kernel / device. In this mode, set shader commands was broken since
no relocations were emitted. Fix this.

Cc: <stable@vger.kernel.org>
Fixes: e8c66efbfe3a ("drm/vmwgfx: Make user resource lookups reference-free during validation")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2129,6 +2129,11 @@ static int vmw_cmd_set_shader(struct vmw
 		return 0;
 
 	if (cmd->body.shid != SVGA3D_INVALID_ID) {
+		/*
+		 * This is the compat shader path - Per device guest-backed
+		 * shaders, but user-space thinks it's per context host-
+		 * backed shaders.
+		 */
 		res = vmw_shader_lookup(vmw_context_res_man(ctx),
 					cmd->body.shid,
 					cmd->body.type);
@@ -2137,6 +2142,14 @@ static int vmw_cmd_set_shader(struct vmw
 			ret = vmw_execbuf_res_noctx_val_add(sw_context, res);
 			if (unlikely(ret != 0))
 				return ret;
+
+			ret = vmw_resource_relocation_add
+				(sw_context, res,
+				 vmw_ptr_diff(sw_context->buf_start,
+					      &cmd->body.shid),
+				 vmw_res_rel_normal);
+			if (unlikely(ret != 0))
+				return ret;
 		}
 	}
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 74/85] drm/vmwgfx: Dont send drm sysfs hotplug events on initial master set
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 73/85] drm/vmwgfx: Fix compat mode shader operation Greg Kroah-Hartman
@ 2019-06-07 15:39 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 75/85] drm/sun4i: Fix sun8i HDMI PHY clock initialization Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Hellstrom, Deepak Rawat

From: Thomas Hellstrom <thellstrom@vmware.com>

commit 63cb44441826e842b7285575b96db631cc9f2505 upstream.

This may confuse user-space clients like plymouth that opens a drm
file descriptor as a result of a hotplug event and then generates a
new event...

Cc: <stable@vger.kernel.org>
Fixes: 5ea1734827bb ("drm/vmwgfx: Send a hotplug event at master_set")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
@@ -1240,7 +1240,13 @@ static int vmw_master_set(struct drm_dev
 	}
 
 	dev_priv->active_master = vmaster;
-	drm_sysfs_hotplug_event(dev);
+
+	/*
+	 * Inform a new master that the layout may have changed while
+	 * it was gone.
+	 */
+	if (!from_open)
+		drm_sysfs_hotplug_event(dev);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 75/85] drm/sun4i: Fix sun8i HDMI PHY clock initialization
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2019-06-07 15:39 ` [PATCH 5.1 74/85] drm/vmwgfx: Dont send drm sysfs hotplug events on initial master set Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 76/85] drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jernej Skrabec, Maxime Ripard

From: Jernej Skrabec <jernej.skrabec@siol.net>

commit 8a943c6021ba8b95a36c842327e468df1fddd4a7 upstream.

Current code initializes HDMI PHY clock driver before reset line is
deasserted and clocks enabled. Because of that, initial readout of
clock divider is incorrect (0 instead of 2). This causes any clock
rate with divider 1 (register value 0) to be set incorrectly.

Fix this by moving initialization of HDMI PHY clock driver after reset
line is deasserted and clocks enabled.

Cc: stable@vger.kernel.org # 4.17+
Fixes: 4f86e81748fe ("drm/sun4i: Add support for H3 HDMI PHY variant")
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190514204337.11068-2-jernej.skrabec@siol.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c |   26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

--- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
+++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
@@ -672,22 +672,13 @@ int sun8i_hdmi_phy_probe(struct sun8i_dw
 				goto err_put_clk_pll0;
 			}
 		}
-
-		ret = sun8i_phy_clk_create(phy, dev,
-					   phy->variant->has_second_pll);
-		if (ret) {
-			dev_err(dev, "Couldn't create the PHY clock\n");
-			goto err_put_clk_pll1;
-		}
-
-		clk_prepare_enable(phy->clk_phy);
 	}
 
 	phy->rst_phy = of_reset_control_get_shared(node, "phy");
 	if (IS_ERR(phy->rst_phy)) {
 		dev_err(dev, "Could not get phy reset control\n");
 		ret = PTR_ERR(phy->rst_phy);
-		goto err_disable_clk_phy;
+		goto err_put_clk_pll1;
 	}
 
 	ret = reset_control_deassert(phy->rst_phy);
@@ -708,18 +699,29 @@ int sun8i_hdmi_phy_probe(struct sun8i_dw
 		goto err_disable_clk_bus;
 	}
 
+	if (phy->variant->has_phy_clk) {
+		ret = sun8i_phy_clk_create(phy, dev,
+					   phy->variant->has_second_pll);
+		if (ret) {
+			dev_err(dev, "Couldn't create the PHY clock\n");
+			goto err_disable_clk_mod;
+		}
+
+		clk_prepare_enable(phy->clk_phy);
+	}
+
 	hdmi->phy = phy;
 
 	return 0;
 
+err_disable_clk_mod:
+	clk_disable_unprepare(phy->clk_mod);
 err_disable_clk_bus:
 	clk_disable_unprepare(phy->clk_bus);
 err_deassert_rst_phy:
 	reset_control_assert(phy->rst_phy);
 err_put_rst_phy:
 	reset_control_put(phy->rst_phy);
-err_disable_clk_phy:
-	clk_disable_unprepare(phy->clk_phy);
 err_put_clk_pll1:
 	clk_put(phy->clk_pll1);
 err_put_clk_pll0:



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 76/85] drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 75/85] drm/sun4i: Fix sun8i HDMI PHY clock initialization Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 77/85] drm/imx: ipuv3-plane: fix atomic update status query for non-plus i.MX6Q Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jernej Skrabec, Maxime Ripard

From: Jernej Skrabec <jernej.skrabec@siol.net>

commit 831adffb3b7b8df4c8e20b7b00843129fb87a166 upstream.

Vendor provided documentation says that EMP bits should be set to 3 for
pixel clocks greater than 148.5 MHz.

Fix that.

Cc: stable@vger.kernel.org # 4.17+
Fixes: 4f86e81748fe ("drm/sun4i: Add support for H3 HDMI PHY variant")
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190514204337.11068-3-jernej.skrabec@siol.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
+++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
@@ -293,7 +293,8 @@ static int sun8i_hdmi_phy_config_h3(stru
 				 SUN8I_HDMI_PHY_ANA_CFG2_REG_BIGSW |
 				 SUN8I_HDMI_PHY_ANA_CFG2_REG_SLV(4);
 		ana_cfg3_init |= SUN8I_HDMI_PHY_ANA_CFG3_REG_AMPCK(9) |
-				 SUN8I_HDMI_PHY_ANA_CFG3_REG_AMP(13);
+				 SUN8I_HDMI_PHY_ANA_CFG3_REG_AMP(13) |
+				 SUN8I_HDMI_PHY_ANA_CFG3_REG_EMP(3);
 	}
 
 	regmap_update_bits(phy->regs, SUN8I_HDMI_PHY_ANA_CFG1_REG,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 77/85] drm/imx: ipuv3-plane: fix atomic update status query for non-plus i.MX6Q
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 76/85] drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 78/85] drm/fb-helper: generic: Call drm_client_add() after setup is done Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marco Felsch, Philipp Zabel

From: Philipp Zabel <p.zabel@pengutronix.de>

commit 137caa702f2308f7ef03876e164b0d0f3300712a upstream.

The current buffer check halves the frame rate on non-plus i.MX6Q,
as the IDMAC current buffer pointer is not yet updated when
ipu_plane_atomic_update_pending is called from the EOF irq handler.

Fixes: 70e8a0c71e9 ("drm/imx: ipuv3-plane: add function to query atomic update status")
Tested-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/imx/ipuv3-plane.c |   13 ++++++++-----
 drivers/gpu/drm/imx/ipuv3-plane.h |    1 -
 2 files changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/imx/ipuv3-plane.c
+++ b/drivers/gpu/drm/imx/ipuv3-plane.c
@@ -605,7 +605,6 @@ static void ipu_plane_atomic_update(stru
 		active = ipu_idmac_get_current_buffer(ipu_plane->ipu_ch);
 		ipu_cpmem_set_buffer(ipu_plane->ipu_ch, !active, eba);
 		ipu_idmac_select_buffer(ipu_plane->ipu_ch, !active);
-		ipu_plane->next_buf = !active;
 		if (ipu_plane_separate_alpha(ipu_plane)) {
 			active = ipu_idmac_get_current_buffer(ipu_plane->alpha_ch);
 			ipu_cpmem_set_buffer(ipu_plane->alpha_ch, !active,
@@ -710,7 +709,6 @@ static void ipu_plane_atomic_update(stru
 	ipu_cpmem_set_buffer(ipu_plane->ipu_ch, 1, eba);
 	ipu_idmac_lock_enable(ipu_plane->ipu_ch, num_bursts);
 	ipu_plane_enable(ipu_plane);
-	ipu_plane->next_buf = -1;
 }
 
 static const struct drm_plane_helper_funcs ipu_plane_helper_funcs = {
@@ -732,10 +730,15 @@ bool ipu_plane_atomic_update_pending(str
 
 	if (ipu_state->use_pre)
 		return ipu_prg_channel_configure_pending(ipu_plane->ipu_ch);
-	else if (ipu_plane->next_buf >= 0)
-		return ipu_idmac_get_current_buffer(ipu_plane->ipu_ch) !=
-		       ipu_plane->next_buf;
 
+	/*
+	 * Pretend no update is pending in the non-PRE/PRG case. For this to
+	 * happen, an atomic update would have to be deferred until after the
+	 * start of the next frame and simultaneously interrupt latency would
+	 * have to be high enough to let the atomic update finish and issue an
+	 * event before the previous end of frame interrupt handler can be
+	 * executed.
+	 */
 	return false;
 }
 int ipu_planes_assign_pre(struct drm_device *dev,
--- a/drivers/gpu/drm/imx/ipuv3-plane.h
+++ b/drivers/gpu/drm/imx/ipuv3-plane.h
@@ -27,7 +27,6 @@ struct ipu_plane {
 	int			dp_flow;
 
 	bool			disabling;
-	int			next_buf;
 };
 
 struct ipu_plane *ipu_plane_init(struct drm_device *dev, struct ipu_soc *ipu,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 78/85] drm/fb-helper: generic: Call drm_client_add() after setup is done
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 77/85] drm/imx: ipuv3-plane: fix atomic update status query for non-plus i.MX6Q Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 79/85] drm/atomic: Wire file_priv through for property changes Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Vetter, Noralf Trønnes

From: Noralf Trønnes <noralf@tronnes.org>

commit 6e3f17ee73f7e3c2ef0e2c8fd8624b2ece8ef2c9 upstream.

Hotplug can happen while drm_fbdev_generic_setup() is running so move
drm_client_add() call after setup is done to avoid
drm_fbdev_client_hotplug() running in two threads at the same time.

Fixes: 9060d7f49376 ("drm/fb-helper: Finish the generic fbdev emulation")
Cc: stable@vger.kernel.org
Reported-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20190401141358.25309-1-noralf@tronnes.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_fb_helper.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -3317,8 +3317,6 @@ int drm_fbdev_generic_setup(struct drm_d
 		return ret;
 	}
 
-	drm_client_add(&fb_helper->client);
-
 	if (!preferred_bpp)
 		preferred_bpp = dev->mode_config.preferred_depth;
 	if (!preferred_bpp)
@@ -3329,6 +3327,8 @@ int drm_fbdev_generic_setup(struct drm_d
 	if (ret)
 		DRM_DEV_DEBUG(dev->dev, "client hotplug ret=%d\n", ret);
 
+	drm_client_add(&fb_helper->client);
+
 	return 0;
 }
 EXPORT_SYMBOL(drm_fbdev_generic_setup);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 79/85] drm/atomic: Wire file_priv through for property changes
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 78/85] drm/fb-helper: generic: Call drm_client_add() after setup is done Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 80/85] drm: Expose "FB_DAMAGE_CLIPS" property to atomic aware user-space only Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keith Packard, Dave Airlie, Daniel Vetter

From: Daniel Vetter <daniel.vetter@ffwll.ch>

commit 36e4523aaf4a35de963e190064b53839fa131653 upstream.

We need this to make sure lessees can only connect their
plane/connectors to crtc objects they own. And note that this is
irrespective of whether the lessor is atomic or not, lessor cannot
prevent lessees from enabling atomic.

Cc: stable@vger.kernel.org
Cc: Keith Packard <keithp@keithp.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190228144910.26488-7-daniel.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_atomic_uapi.c   |   32 +++++++++++++++++++-------------
 drivers/gpu/drm/drm_crtc_internal.h |    1 +
 drivers/gpu/drm/drm_mode_object.c   |    5 +++--
 3 files changed, 23 insertions(+), 15 deletions(-)

--- a/drivers/gpu/drm/drm_atomic_uapi.c
+++ b/drivers/gpu/drm/drm_atomic_uapi.c
@@ -512,8 +512,8 @@ drm_atomic_crtc_get_property(struct drm_
 }
 
 static int drm_atomic_plane_set_property(struct drm_plane *plane,
-		struct drm_plane_state *state, struct drm_property *property,
-		uint64_t val)
+		struct drm_plane_state *state, struct drm_file *file_priv,
+		struct drm_property *property, uint64_t val)
 {
 	struct drm_device *dev = plane->dev;
 	struct drm_mode_config *config = &dev->mode_config;
@@ -521,7 +521,8 @@ static int drm_atomic_plane_set_property
 	int ret;
 
 	if (property == config->prop_fb_id) {
-		struct drm_framebuffer *fb = drm_framebuffer_lookup(dev, NULL, val);
+		struct drm_framebuffer *fb;
+		fb = drm_framebuffer_lookup(dev, file_priv, val);
 		drm_atomic_set_fb_for_plane(state, fb);
 		if (fb)
 			drm_framebuffer_put(fb);
@@ -537,7 +538,7 @@ static int drm_atomic_plane_set_property
 			return -EINVAL;
 
 	} else if (property == config->prop_crtc_id) {
-		struct drm_crtc *crtc = drm_crtc_find(dev, NULL, val);
+		struct drm_crtc *crtc = drm_crtc_find(dev, file_priv, val);
 		return drm_atomic_set_crtc_for_plane(state, crtc);
 	} else if (property == config->prop_crtc_x) {
 		state->crtc_x = U642I64(val);
@@ -681,14 +682,14 @@ static int drm_atomic_set_writeback_fb_f
 }
 
 static int drm_atomic_connector_set_property(struct drm_connector *connector,
-		struct drm_connector_state *state, struct drm_property *property,
-		uint64_t val)
+		struct drm_connector_state *state, struct drm_file *file_priv,
+		struct drm_property *property, uint64_t val)
 {
 	struct drm_device *dev = connector->dev;
 	struct drm_mode_config *config = &dev->mode_config;
 
 	if (property == config->prop_crtc_id) {
-		struct drm_crtc *crtc = drm_crtc_find(dev, NULL, val);
+		struct drm_crtc *crtc = drm_crtc_find(dev, file_priv, val);
 		return drm_atomic_set_crtc_for_connector(state, crtc);
 	} else if (property == config->dpms_property) {
 		/* setting DPMS property requires special handling, which
@@ -747,8 +748,10 @@ static int drm_atomic_connector_set_prop
 		}
 		state->content_protection = val;
 	} else if (property == config->writeback_fb_id_property) {
-		struct drm_framebuffer *fb = drm_framebuffer_lookup(dev, NULL, val);
-		int ret = drm_atomic_set_writeback_fb_for_connector(state, fb);
+		struct drm_framebuffer *fb;
+		int ret;
+		fb = drm_framebuffer_lookup(dev, file_priv, val);
+		ret = drm_atomic_set_writeback_fb_for_connector(state, fb);
 		if (fb)
 			drm_framebuffer_put(fb);
 		return ret;
@@ -943,6 +946,7 @@ out:
 }
 
 int drm_atomic_set_property(struct drm_atomic_state *state,
+			    struct drm_file *file_priv,
 			    struct drm_mode_object *obj,
 			    struct drm_property *prop,
 			    uint64_t prop_value)
@@ -965,7 +969,8 @@ int drm_atomic_set_property(struct drm_a
 		}
 
 		ret = drm_atomic_connector_set_property(connector,
-				connector_state, prop, prop_value);
+				connector_state, file_priv,
+				prop, prop_value);
 		break;
 	}
 	case DRM_MODE_OBJECT_CRTC: {
@@ -993,7 +998,8 @@ int drm_atomic_set_property(struct drm_a
 		}
 
 		ret = drm_atomic_plane_set_property(plane,
-				plane_state, prop, prop_value);
+				plane_state, file_priv,
+				prop, prop_value);
 		break;
 	}
 	default:
@@ -1365,8 +1371,8 @@ retry:
 				goto out;
 			}
 
-			ret = drm_atomic_set_property(state, obj, prop,
-						      prop_value);
+			ret = drm_atomic_set_property(state, file_priv,
+						      obj, prop, prop_value);
 			if (ret) {
 				drm_mode_object_put(obj);
 				goto out;
--- a/drivers/gpu/drm/drm_crtc_internal.h
+++ b/drivers/gpu/drm/drm_crtc_internal.h
@@ -214,6 +214,7 @@ int drm_atomic_connector_commit_dpms(str
 				     struct drm_connector *connector,
 				     int mode);
 int drm_atomic_set_property(struct drm_atomic_state *state,
+			    struct drm_file *file_priv,
 			    struct drm_mode_object *obj,
 			    struct drm_property *prop,
 			    uint64_t prop_value);
--- a/drivers/gpu/drm/drm_mode_object.c
+++ b/drivers/gpu/drm/drm_mode_object.c
@@ -451,6 +451,7 @@ static int set_property_legacy(struct dr
 }
 
 static int set_property_atomic(struct drm_mode_object *obj,
+			       struct drm_file *file_priv,
 			       struct drm_property *prop,
 			       uint64_t prop_value)
 {
@@ -477,7 +478,7 @@ retry:
 						       obj_to_connector(obj),
 						       prop_value);
 	} else {
-		ret = drm_atomic_set_property(state, obj, prop, prop_value);
+		ret = drm_atomic_set_property(state, file_priv, obj, prop, prop_value);
 		if (ret)
 			goto out;
 		ret = drm_atomic_commit(state);
@@ -520,7 +521,7 @@ int drm_mode_obj_set_property_ioctl(stru
 		goto out_unref;
 
 	if (drm_drv_uses_atomic_modeset(property->dev))
-		ret = set_property_atomic(arg_obj, property, arg->value);
+		ret = set_property_atomic(arg_obj, file_priv, property, arg->value);
 	else
 		ret = set_property_legacy(arg_obj, property, arg->value);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 80/85] drm: Expose "FB_DAMAGE_CLIPS" property to atomic aware user-space only
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 79/85] drm/atomic: Wire file_priv through for property changes Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 81/85] drm/rockchip: shutdown drm subsystem on shutdown Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Deepak Rawat, Daniel Vetter

From: Deepak Rawat <drawat@vmware.com>

commit c8f005684c98f4d9942baec13ad98054dbf312a0 upstream.

Plane property "FB_DAMAGE_CLIPS" can only be used by atomic aware
user-space, so no point exposing it otherwise.

Cc: <stable@vger.kernel.org>
Signed-off-by: Deepak Rawat <drawat@vmware.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Fixes: d3b21767821e ("drm: Add a new plane property to send damage during plane update")
Link: https://patchwork.freedesktop.org/patch/msgid/20190415172814.9840-1-drawat@vmware.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_mode_config.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/drm_mode_config.c
+++ b/drivers/gpu/drm/drm_mode_config.c
@@ -297,8 +297,9 @@ static int drm_mode_create_standard_prop
 		return -ENOMEM;
 	dev->mode_config.prop_crtc_id = prop;
 
-	prop = drm_property_create(dev, DRM_MODE_PROP_BLOB, "FB_DAMAGE_CLIPS",
-				   0);
+	prop = drm_property_create(dev,
+			DRM_MODE_PROP_ATOMIC | DRM_MODE_PROP_BLOB,
+			"FB_DAMAGE_CLIPS", 0);
 	if (!prop)
 		return -ENOMEM;
 	dev->mode_config.prop_fb_damage_clips = prop;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 81/85] drm/rockchip: shutdown drm subsystem on shutdown
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 80/85] drm: Expose "FB_DAMAGE_CLIPS" property to atomic aware user-space only Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 82/85] drm/lease: Make sure implicit planes are leased Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeffy Chen, Robin Murphy,
	Marc Zyngier, Brian Norris, Doug Anderson, Vicente Bergas,
	Heiko Stuebner

From: Vicente Bergas <vicencb@gmail.com>

commit b8f9d7f37b6af829c34c49d1a4f73ce6ed58e403 upstream.

As explained by Robin Murphy:
> the IOMMU shutdown disables paging, so if the VOP is still
> scanning out then that will result in whatever IOVAs it was using now going
> straight out onto the bus as physical addresses.

We had a more radical approach before in commit
7f3ef5dedb14 ("drm/rockchip: Allow driver to be shutdown on reboot/kexec")
but that resulted in new warnings and oopses on shutdown on rk3399
chromeos devices.

So second try is resurrecting Vicentes shutdown change which should
achieve the same result but in a less drastic way.

Fixes: 63238173b2fa ("Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"")
Cc: Jeffy Chen <jeffy.chen@rock-chips.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Brian Norris <briannorris@chromium.org>
Cc: Doug Anderson <dianders@chromium.org>
Cc: stable@vger.kernel.org
Suggested-by: JeffyChen <jeffy.chen@rock-chips.com>
Suggested-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Vicente Bergas <vicencb@gmail.com>
[adapted commit message to explain the history]
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Tested-by: Brian Norris <briannorris@chromium.org>
Tested-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190402113753.10118-1-heiko@sntech.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/rockchip/rockchip_drm_drv.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
@@ -448,6 +448,14 @@ static int rockchip_drm_platform_remove(
 	return 0;
 }
 
+static void rockchip_drm_platform_shutdown(struct platform_device *pdev)
+{
+	struct drm_device *drm = platform_get_drvdata(pdev);
+
+	if (drm)
+		drm_atomic_helper_shutdown(drm);
+}
+
 static const struct of_device_id rockchip_drm_dt_ids[] = {
 	{ .compatible = "rockchip,display-subsystem", },
 	{ /* sentinel */ },
@@ -457,6 +465,7 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_
 static struct platform_driver rockchip_drm_platform_driver = {
 	.probe = rockchip_drm_platform_probe,
 	.remove = rockchip_drm_platform_remove,
+	.shutdown = rockchip_drm_platform_shutdown,
 	.driver = {
 		.name = "rockchip-drm",
 		.of_match_table = rockchip_drm_dt_ids,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 82/85] drm/lease: Make sure implicit planes are leased
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 81/85] drm/rockchip: shutdown drm subsystem on shutdown Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 83/85] drm/cma-helper: Fix drm_gem_cma_free_object() Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keith Packard, Boris Brezillon,
	Daniel Vetter

From: Daniel Vetter <daniel.vetter@ffwll.ch>

commit 204f640da6914844b3270b41b29c84f6e3b74083 upstream.

If userspace doesn't enable universal planes, then we automatically
add the primary and cursor planes. But for universal userspace there's
no such check (and maybe we only want to give the lessee one plane,
maybe not even the primary one), hence we need to check for the
implied plane.

v2: don't forget setcrtc ioctl.

v3: Still allow disabling of the crtc in SETCRTC.

Cc: stable@vger.kernel.org
Cc: Keith Packard <keithp@keithp.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190228144910.26488-6-daniel.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_crtc.c  |    4 ++++
 drivers/gpu/drm/drm_plane.c |    8 ++++++++
 2 files changed, 12 insertions(+)

--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -559,6 +559,10 @@ int drm_mode_setcrtc(struct drm_device *
 
 	plane = crtc->primary;
 
+	/* allow disabling with the primary plane leased */
+	if (crtc_req->mode_valid && !drm_lease_held(file_priv, plane->base.id))
+		return -EACCES;
+
 	mutex_lock(&crtc->dev->mode_config.mutex);
 	DRM_MODESET_LOCK_ALL_BEGIN(dev, ctx,
 				   DRM_MODESET_ACQUIRE_INTERRUPTIBLE, ret);
--- a/drivers/gpu/drm/drm_plane.c
+++ b/drivers/gpu/drm/drm_plane.c
@@ -960,6 +960,11 @@ retry:
 		if (ret)
 			goto out;
 
+		if (!drm_lease_held(file_priv, crtc->cursor->base.id)) {
+			ret = -EACCES;
+			goto out;
+		}
+
 		ret = drm_mode_cursor_universal(crtc, req, file_priv, &ctx);
 		goto out;
 	}
@@ -1062,6 +1067,9 @@ int drm_mode_page_flip_ioctl(struct drm_
 
 	plane = crtc->primary;
 
+	if (!drm_lease_held(file_priv, plane->base.id))
+		return -EACCES;
+
 	if (crtc->funcs->page_flip_target) {
 		u32 current_vblank;
 		int r;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 83/85] drm/cma-helper: Fix drm_gem_cma_free_object()
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 82/85] drm/lease: Make sure implicit planes are leased Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 84/85] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Li, Tingqian, Noralf Trønnes,
	Oleksandr Andrushchenko

From: Noralf Trønnes <noralf@tronnes.org>

commit 23e35c0eb81a23d40c079a7eb187fc321fa1deb7 upstream.

The logic for freeing an imported buffer with a virtual address is
broken. It will free the buffer instead of unmapping the dma buf.
Fix by reversing the if ladder and first check if the buffer is imported.

Fixes: b9068cde51ee ("drm/cma-helper: Add DRM_GEM_CMA_VMAP_DRIVER_OPS")
Cc: stable@vger.kernel.org
Reported-by: "Li, Tingqian" <tingqian.li@intel.com>
Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Reviewed-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190426124753.53722-1-noralf@tronnes.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_gem_cma_helper.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/drm_gem_cma_helper.c
+++ b/drivers/gpu/drm/drm_gem_cma_helper.c
@@ -186,13 +186,13 @@ void drm_gem_cma_free_object(struct drm_
 
 	cma_obj = to_drm_gem_cma_obj(gem_obj);
 
-	if (cma_obj->vaddr) {
-		dma_free_wc(gem_obj->dev->dev, cma_obj->base.size,
-			    cma_obj->vaddr, cma_obj->paddr);
-	} else if (gem_obj->import_attach) {
+	if (gem_obj->import_attach) {
 		if (cma_obj->vaddr)
 			dma_buf_vunmap(gem_obj->import_attach->dmabuf, cma_obj->vaddr);
 		drm_prime_gem_destroy(gem_obj, cma_obj->sgt);
+	} else if (cma_obj->vaddr) {
+		dma_free_wc(gem_obj->dev->dev, cma_obj->base.size,
+			    cma_obj->vaddr, cma_obj->paddr);
 	}
 
 	drm_gem_object_release(gem_obj);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 84/85] Revert "x86/build: Move _etext to actual end of .text"
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 83/85] drm/cma-helper: Fix drm_gem_cma_free_object() Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 15:40 ` [PATCH 5.1 85/85] x86/kprobes: Set instruction page as executable Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sami Tolvanen, Kees Cook,
	Borislav Petkov, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
	Alec Ari, Ingo Molnar

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit 392bef709659abea614abfe53cf228e7a59876a4.

It seems to cause lots of problems when using the gold linker, and no
one really needs this at the moment, so just revert it from the stable
trees.

Cc: Sami Tolvanen <samitolvanen@google.com>
Reported-by: Kees Cook <keescook@chromium.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Reported-by: Alec Ari <neotheuser@gmail.com>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/vmlinux.lds.S |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -141,10 +141,10 @@ SECTIONS
 		*(.text.__x86.indirect_thunk)
 		__indirect_thunk_end = .;
 #endif
-	} :text = 0x9090
 
-	/* End of text section */
-	_etext = .;
+		/* End of text section */
+		_etext = .;
+	} :text = 0x9090
 
 	NOTES :text :note
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.1 85/85] x86/kprobes: Set instruction page as executable
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 84/85] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman
@ 2019-06-07 15:40 ` Greg Kroah-Hartman
  2019-06-07 19:29 ` [PATCH 5.1 00/85] 5.1.8-stable review kernelci.org bot
                   ` (3 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-07 15:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nadav Amit, Rick Edgecombe,
	Peter Zijlstra (Intel),
	akpm, ard.biesheuvel, deneen.t.dock, kernel-hardening, kristen,
	linux_dti, will.deacon, Andy Lutomirski, Borislav Petkov,
	Dave Hansen, H. Peter Anvin, Linus Torvalds, Rik van Riel,
	Thomas Gleixner, Ingo Molnar, Sasha Levin

[ Upstream commit 7298e24f904224fa79eb8fd7e0fbd78950ccf2db ]

Set the page as executable after allocation.  This patch is a
preparatory patch for a following patch that makes module allocated
pages non-executable.

While at it, do some small cleanup of what appears to be unnecessary
masking.

Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <akpm@linux-foundation.org>
Cc: <ard.biesheuvel@linaro.org>
Cc: <deneen.t.dock@intel.com>
Cc: <kernel-hardening@lists.openwall.com>
Cc: <kristen@linux.intel.com>
Cc: <linux_dti@icloud.com>
Cc: <will.deacon@arm.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190426001143.4983-11-namit@vmware.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/kprobes/core.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index fed46ddb1eef..06058c44ab57 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -431,8 +431,20 @@ void *alloc_insn_page(void)
 	void *page;
 
 	page = module_alloc(PAGE_SIZE);
-	if (page)
-		set_memory_ro((unsigned long)page & PAGE_MASK, 1);
+	if (!page)
+		return NULL;
+
+	/*
+	 * First make the page read-only, and only then make it executable to
+	 * prevent it from being W+X in between.
+	 */
+	set_memory_ro((unsigned long)page, 1);
+
+	/*
+	 * TODO: Once additional kernel code protection mechanisms are set, ensure
+	 * that the page was not maliciously altered and it is still zeroed.
+	 */
+	set_memory_x((unsigned long)page, 1);
 
 	return page;
 }
@@ -440,8 +452,12 @@ void *alloc_insn_page(void)
 /* Recover page to RW mode before releasing it */
 void free_insn_page(void *page)
 {
-	set_memory_nx((unsigned long)page & PAGE_MASK, 1);
-	set_memory_rw((unsigned long)page & PAGE_MASK, 1);
+	/*
+	 * First make the page non-executable, and only then make it writable to
+	 * prevent it from being W+X in between.
+	 */
+	set_memory_nx((unsigned long)page, 1);
+	set_memory_rw((unsigned long)page, 1);
 	module_memfree(page);
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 00/85] 5.1.8-stable review
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2019-06-07 15:40 ` [PATCH 5.1 85/85] x86/kprobes: Set instruction page as executable Greg Kroah-Hartman
@ 2019-06-07 19:29 ` kernelci.org bot
  2019-06-07 20:19 ` Jiunn Chang
                   ` (2 subsequent siblings)
  88 siblings, 0 replies; 103+ messages in thread
From: kernelci.org bot @ 2019-06-07 19:29 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

stable-rc/linux-5.1.y boot: 131 boots: 1 failed, 117 passed with 12 offline, 1 conflict (v5.1.7-86-g0765c25688d0)

Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-5.1.y/kernel/v5.1.7-86-g0765c25688d0/
Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-5.1.y/kernel/v5.1.7-86-g0765c25688d0/

Tree: stable-rc
Branch: linux-5.1.y
Git Describe: v5.1.7-86-g0765c25688d0
Git Commit: 0765c25688d0a4d2e117d61e5771cea2fff45a98
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Tested: 74 unique boards, 23 SoC families, 14 builds out of 209

Boot Regressions Detected:

arm64:

    defconfig:
        gcc-8:
          meson-gxl-s905x-khadas-vim:
              lab-baylibre-seattle: new failure (last pass: v5.1.7)

Boot Failure Detected:

arm:
    multi_v7_defconfig:
        gcc-8:
            bcm4708-smartrg-sr400ac: 1 failed lab

Offline Platforms:

arm:

    bcm2835_defconfig:
        gcc-8
            bcm2835-rpi-b: 1 offline lab

    sama5_defconfig:
        gcc-8
            at91-sama5d4_xplained: 1 offline lab
            at91-sama5d4ek: 1 offline lab

    multi_v7_defconfig:
        gcc-8
            alpine-db: 1 offline lab
            at91-sama5d4_xplained: 1 offline lab
            at91-sama5d4ek: 1 offline lab
            sun5i-r8-chip: 1 offline lab

    sunxi_defconfig:
        gcc-8
            sun5i-r8-chip: 1 offline lab

    davinci_all_defconfig:
        gcc-8
            dm365evm,legacy: 1 offline lab

arm64:

    defconfig:
        gcc-8
            apq8016-sbc: 1 offline lab
            juno-r2: 1 offline lab
            mt7622-rfb1: 1 offline lab

Conflicting Boot Failure Detected: (These likely are not failures as other labs are reporting PASS. Needs review.)

arm64:
    defconfig:
        meson-gxl-s905x-khadas-vim:
            lab-baylibre-seattle: FAIL (gcc-8)
            lab-baylibre: PASS (gcc-8)

---
For more info write to <info@kernelci.org>

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 00/85] 5.1.8-stable review
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2019-06-07 19:29 ` [PATCH 5.1 00/85] 5.1.8-stable review kernelci.org bot
@ 2019-06-07 20:19 ` Jiunn Chang
  2019-06-08  9:31   ` Greg Kroah-Hartman
  2019-06-08  7:54 ` Naresh Kamboju
  2019-06-08 18:50 ` Guenter Roeck
  88 siblings, 1 reply; 103+ messages in thread
From: Jiunn Chang @ 2019-06-07 20:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

On Fri, Jun 07, 2019 at 05:38:45PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.1.8 release.
> There are 85 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun 09 Jun 2019 03:37:09 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.8-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.1.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 
> -------------

Compiled and booted.  No regessions on x86_64.

THX

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 00/85] 5.1.8-stable review
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2019-06-07 20:19 ` Jiunn Chang
@ 2019-06-08  7:54 ` Naresh Kamboju
  2019-06-08  9:34   ` Greg Kroah-Hartman
  2019-06-08 18:50 ` Guenter Roeck
  88 siblings, 1 reply; 103+ messages in thread
From: Naresh Kamboju @ 2019-06-08  7:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Fri, 7 Jun 2019 at 21:18, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.1.8 release.
> There are 85 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun 09 Jun 2019 03:37:09 PM UTC.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.8-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

NOTE:
selftest sources version updated to 5.1
Following test cases reported pass after upgrade
  kselftest:
    * bpf_test_libbpf.sh
    * bpf_test_select_reuseport
    * bpf_test_tcpbpf_user
    * bpf_test_verifier
    * seccomp_seccomp_bpf
    * timers_set-timer-lat

Few kselftest test cases reported failure and we are investigating.
    * bpf_test_netcnt
    * net_ip_defrag.sh
    * net_xfrm_policy.sh
    * timestamping_txtimestamp.sh
    * tpm2_test_smoke.sh
    * tpm2_test_space.sh
    * ...

LTP version upgrade to 20190517
New test case tgkill03 is an intermittent failure reported on qemu devices.
Following test cases reported failures and we are investigating
    * ioctl_ns05
    * ioctl_ns06
    * aio02
    * acct01

Summary
------------------------------------------------------------------------

kernel: 5.1.8-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.1.y
git commit: cef30fd8e063aacee3601ac8df2c4d1c5980b759
git describe: v5.1.7-86-gcef30fd8e063
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.1-oe/build/v5.1.7-86-gcef30fd8e063

No regressions (compared to build v5.1.7)


Fixes (compared to build v5.1.7)
------------------------------------------------------------------------
  kselftest:
    * bpf_test_libbpf.sh
    * bpf_test_select_reuseport
    * bpf_test_tcpbpf_user
    * bpf_test_verifier
    * seccomp_seccomp_bpf
    * timers_set-timer-lat

Ran 16135 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libgpiod
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* ltp-fs-tests
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none
* kvm-unit-tests

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 00/85] 5.1.8-stable review
  2019-06-07 20:19 ` Jiunn Chang
@ 2019-06-08  9:31   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-08  9:31 UTC (permalink / raw)
  To: Jiunn Chang
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

On Fri, Jun 07, 2019 at 03:19:17PM -0500, Jiunn Chang wrote:
> On Fri, Jun 07, 2019 at 05:38:45PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.1.8 release.
> > There are 85 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sun 09 Jun 2019 03:37:09 PM UTC.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.8-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.1.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> > -------------
> 
> Compiled and booted.  No regessions on x86_64.

thanks for testing and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 00/85] 5.1.8-stable review
  2019-06-08  7:54 ` Naresh Kamboju
@ 2019-06-08  9:34   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-08  9:34 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Sat, Jun 08, 2019 at 01:24:41PM +0530, Naresh Kamboju wrote:
> On Fri, 7 Jun 2019 at 21:18, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 5.1.8 release.
> > There are 85 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sun 09 Jun 2019 03:37:09 PM UTC.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.8-rc1.gz
> > or in the git tree and branch at:
> >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.1.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.
> 
> NOTE:
> selftest sources version updated to 5.1
> Following test cases reported pass after upgrade
>   kselftest:
>     * bpf_test_libbpf.sh
>     * bpf_test_select_reuseport
>     * bpf_test_tcpbpf_user
>     * bpf_test_verifier
>     * seccomp_seccomp_bpf
>     * timers_set-timer-lat
> 
> Few kselftest test cases reported failure and we are investigating.
>     * bpf_test_netcnt
>     * net_ip_defrag.sh
>     * net_xfrm_policy.sh
>     * timestamping_txtimestamp.sh
>     * tpm2_test_smoke.sh
>     * tpm2_test_space.sh
>     * ...
> 
> LTP version upgrade to 20190517
> New test case tgkill03 is an intermittent failure reported on qemu devices.
> Following test cases reported failures and we are investigating
>     * ioctl_ns05
>     * ioctl_ns06
>     * aio02
>     * acct01

Thanks for testing and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 00/85] 5.1.8-stable review
  2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2019-06-08  7:54 ` Naresh Kamboju
@ 2019-06-08 18:50 ` Guenter Roeck
  2019-06-09  7:16   ` Greg Kroah-Hartman
  88 siblings, 1 reply; 103+ messages in thread
From: Guenter Roeck @ 2019-06-08 18:50 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage, stable

On 6/7/19 8:38 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.1.8 release.
> There are 85 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun 09 Jun 2019 03:37:09 PM UTC.
> Anything received after that time might be too late.
> 

Build results:
	total: 159 pass: 159 fail: 0
Qemu test results:
	total: 351 pass: 351 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 00/85] 5.1.8-stable review
  2019-06-08 18:50 ` Guenter Roeck
@ 2019-06-09  7:16   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09  7:16 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Sat, Jun 08, 2019 at 11:50:30AM -0700, Guenter Roeck wrote:
> On 6/7/19 8:38 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.1.8 release.
> > There are 85 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sun 09 Jun 2019 03:37:09 PM UTC.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 159 pass: 159 fail: 0
> Qemu test results:
> 	total: 351 pass: 351 fail: 0

Wonderful, thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-07 15:39 ` [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter Greg Kroah-Hartman
@ 2019-06-10  6:27   ` Jiri Slaby
  2019-06-10  7:31     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 103+ messages in thread
From: Jiri Slaby @ 2019-06-10  6:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Jonathan Corbet

On 07. 06. 19, 17:39, Greg Kroah-Hartman wrote:
> From: Jonathan Corbet <corbet@lwn.net>
> 
> commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream.
> 
> AutoReporter is going away; recent versions of sphinx emit a warning like:
> 
>   Documentation/sphinx/kerneldoc.py:125:
>       RemovedInSphinx20Warning: AutodocReporter is now deprecated.
>       Use sphinx.util.docutils.switch_source_input() instead.
> 
> Make the switch.  But switch_source_input() only showed up in 1.7, so we
> have to do ugly version checks to keep things working in older versions.

Hi,

this patch breaks our build of kernel-docs on 5.1.*:
https://build.opensuse.org/package/live_build_log/Kernel:stable/kernel-docs/standard/x86_64

The error is:
[  250s] reST markup error:
[  250s]
/home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/linux-5.1/Documentation/gpu/i915.rst:403:
(SEVERE/4) Title level inconsistent:
[  250s]
[  250s] Global GTT Fence Handling
[  250s] ~~~~~~~~~~~~~~~~~~~~~~~~~

Reverting the patch from 5.1.* makes it work again.

5.2-rc3 (includes the patch) is OK:
https://build.opensuse.org/package/live_build_log/Kernel:HEAD/kernel-docs/standard/x86_64

So 5.1.* must be missing something now.

> Cc: stable@vger.kernel.org
> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  Documentation/sphinx/kerneldoc.py |   34 ++++++++++++++++++++++++++--------
>  1 file changed, 26 insertions(+), 8 deletions(-)
> 
> --- a/Documentation/sphinx/kerneldoc.py
> +++ b/Documentation/sphinx/kerneldoc.py
> @@ -37,7 +37,17 @@ import glob
>  from docutils import nodes, statemachine
>  from docutils.statemachine import ViewList
>  from docutils.parsers.rst import directives, Directive
> -from sphinx.ext.autodoc import AutodocReporter
> +
> +#
> +# AutodocReporter is only good up to Sphinx 1.7
> +#
> +import sphinx
> +
> +Use_SSI = sphinx.__version__[:3] >= '1.7'
> +if Use_SSI:
> +    from sphinx.util.docutils import switch_source_input
> +else:
> +    from sphinx.ext.autodoc import AutodocReporter
>  
>  __version__  = '1.0'

thanks,
-- 
js
suse labs

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10  6:27   ` Jiri Slaby
@ 2019-06-10  7:31     ` Greg Kroah-Hartman
  2019-06-10  7:34       ` Jiri Slaby
  0 siblings, 1 reply; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-10  7:31 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: linux-kernel, stable, Jonathan Corbet

On Mon, Jun 10, 2019 at 08:27:30AM +0200, Jiri Slaby wrote:
> On 07. 06. 19, 17:39, Greg Kroah-Hartman wrote:
> > From: Jonathan Corbet <corbet@lwn.net>
> > 
> > commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream.
> > 
> > AutoReporter is going away; recent versions of sphinx emit a warning like:
> > 
> >   Documentation/sphinx/kerneldoc.py:125:
> >       RemovedInSphinx20Warning: AutodocReporter is now deprecated.
> >       Use sphinx.util.docutils.switch_source_input() instead.
> > 
> > Make the switch.  But switch_source_input() only showed up in 1.7, so we
> > have to do ugly version checks to keep things working in older versions.
> 
> Hi,
> 
> this patch breaks our build of kernel-docs on 5.1.*:
> https://build.opensuse.org/package/live_build_log/Kernel:stable/kernel-docs/standard/x86_64
> 
> The error is:
> [  250s] reST markup error:
> [  250s]
> /home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/linux-5.1/Documentation/gpu/i915.rst:403:
> (SEVERE/4) Title level inconsistent:
> [  250s]
> [  250s] Global GTT Fence Handling
> [  250s] ~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Reverting the patch from 5.1.* makes it work again.
> 
> 5.2-rc3 (includes the patch) is OK:
> https://build.opensuse.org/package/live_build_log/Kernel:HEAD/kernel-docs/standard/x86_64
> 
> So 5.1.* must be missing something now.

Odd.  running 'make htmldocs' on 5.1 with these patches applied works
for me here.

What version of sphinx are you using to build the package with?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10  7:31     ` Greg Kroah-Hartman
@ 2019-06-10  7:34       ` Jiri Slaby
  2019-06-10  7:48         ` Greg Kroah-Hartman
  0 siblings, 1 reply; 103+ messages in thread
From: Jiri Slaby @ 2019-06-10  7:34 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Jonathan Corbet

On 10. 06. 19, 9:31, Greg Kroah-Hartman wrote:
> On Mon, Jun 10, 2019 at 08:27:30AM +0200, Jiri Slaby wrote:
>> On 07. 06. 19, 17:39, Greg Kroah-Hartman wrote:
>>> From: Jonathan Corbet <corbet@lwn.net>
>>>
>>> commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream.
>>>
>>> AutoReporter is going away; recent versions of sphinx emit a warning like:
>>>
>>>   Documentation/sphinx/kerneldoc.py:125:
>>>       RemovedInSphinx20Warning: AutodocReporter is now deprecated.
>>>       Use sphinx.util.docutils.switch_source_input() instead.
>>>
>>> Make the switch.  But switch_source_input() only showed up in 1.7, so we
>>> have to do ugly version checks to keep things working in older versions.
>>
>> Hi,
>>
>> this patch breaks our build of kernel-docs on 5.1.*:
>> https://build.opensuse.org/package/live_build_log/Kernel:stable/kernel-docs/standard/x86_64
>>
>> The error is:
>> [  250s] reST markup error:
>> [  250s]
>> /home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/linux-5.1/Documentation/gpu/i915.rst:403:
>> (SEVERE/4) Title level inconsistent:
>> [  250s]
>> [  250s] Global GTT Fence Handling
>> [  250s] ~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Reverting the patch from 5.1.* makes it work again.
>>
>> 5.2-rc3 (includes the patch) is OK:
>> https://build.opensuse.org/package/live_build_log/Kernel:HEAD/kernel-docs/standard/x86_64
>>
>> So 5.1.* must be missing something now.
> 
> Odd.  running 'make htmldocs' on 5.1 with these patches applied works
> for me here.
> 
> What version of sphinx are you using to build the package with?

From the log, it looks like 1.8.5 (it's tumbleweed):

$ osc rbl Kernel:stable/kernel-docs/standard/x86_64|grep -i sphinx
[   11s] cycle: python3-sphinx_rtd_theme -> python3-Sphinx
[   11s]   breaking dependency python3-Sphinx -> python3-sphinx_rtd_theme
[   32s] [226/263] cumulate python3-sphinxcontrib-websupport-1.1.0-1.2
[   32s] [239/263] cumulate python3-Sphinx-1.8.5-2.2
[   32s] [242/263] cumulate python3-sphinx_rtd_theme-0.4.1-1.3
[   72s]
python3-sphinxcontrib-websupport-1.1.0########################################
[   72s] python3-sphinx_rtd_theme-0.4.1-1.3
########################################
[   73s] python3-Sphinx-1.8.5-2.2
########################################
[   73s] update-alternatives: using /usr/bin/sphinx-apidoc-3.7 to
provide /usr/bin/sphinx-apidoc (sphinx-apidoc) in auto mode
[  101s] + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
/home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/patches.kernel.org/5.1.8-055-docs-Fix-conf.py-for-Sphin-2.0.patch
[  101s] + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
/home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/patches.kernel.org/5.1.8-057-doc-Cope-with-Sphinx-logging-deprecations.patch
[  102s]   SPHINX  htmldocs -->
file:///home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/linux-5.1/html/Documentation/output
[  103s] Running Sphinx v1.8.5

thanks,
-- 
js
suse labs

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10  7:34       ` Jiri Slaby
@ 2019-06-10  7:48         ` Greg Kroah-Hartman
  2019-06-10  7:56           ` Jiri Slaby
  2019-06-10 12:33           ` Jonathan Corbet
  0 siblings, 2 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-10  7:48 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: linux-kernel, stable, Jonathan Corbet

On Mon, Jun 10, 2019 at 09:34:10AM +0200, Jiri Slaby wrote:
> On 10. 06. 19, 9:31, Greg Kroah-Hartman wrote:
> > On Mon, Jun 10, 2019 at 08:27:30AM +0200, Jiri Slaby wrote:
> >> On 07. 06. 19, 17:39, Greg Kroah-Hartman wrote:
> >>> From: Jonathan Corbet <corbet@lwn.net>
> >>>
> >>> commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream.
> >>>
> >>> AutoReporter is going away; recent versions of sphinx emit a warning like:
> >>>
> >>>   Documentation/sphinx/kerneldoc.py:125:
> >>>       RemovedInSphinx20Warning: AutodocReporter is now deprecated.
> >>>       Use sphinx.util.docutils.switch_source_input() instead.
> >>>
> >>> Make the switch.  But switch_source_input() only showed up in 1.7, so we
> >>> have to do ugly version checks to keep things working in older versions.
> >>
> >> Hi,
> >>
> >> this patch breaks our build of kernel-docs on 5.1.*:
> >> https://build.opensuse.org/package/live_build_log/Kernel:stable/kernel-docs/standard/x86_64
> >>
> >> The error is:
> >> [  250s] reST markup error:
> >> [  250s]
> >> /home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/linux-5.1/Documentation/gpu/i915.rst:403:
> >> (SEVERE/4) Title level inconsistent:
> >> [  250s]
> >> [  250s] Global GTT Fence Handling
> >> [  250s] ~~~~~~~~~~~~~~~~~~~~~~~~~
> >>
> >> Reverting the patch from 5.1.* makes it work again.
> >>
> >> 5.2-rc3 (includes the patch) is OK:
> >> https://build.opensuse.org/package/live_build_log/Kernel:HEAD/kernel-docs/standard/x86_64
> >>
> >> So 5.1.* must be missing something now.
> > 
> > Odd.  running 'make htmldocs' on 5.1 with these patches applied works
> > for me here.
> > 
> > What version of sphinx are you using to build the package with?
> 
> >From the log, it looks like 1.8.5 (it's tumbleweed):
> 
> $ osc rbl Kernel:stable/kernel-docs/standard/x86_64|grep -i sphinx
> [   11s] cycle: python3-sphinx_rtd_theme -> python3-Sphinx
> [   11s]   breaking dependency python3-Sphinx -> python3-sphinx_rtd_theme
> [   32s] [226/263] cumulate python3-sphinxcontrib-websupport-1.1.0-1.2
> [   32s] [239/263] cumulate python3-Sphinx-1.8.5-2.2
> [   32s] [242/263] cumulate python3-sphinx_rtd_theme-0.4.1-1.3
> [   72s]
> python3-sphinxcontrib-websupport-1.1.0########################################
> [   72s] python3-sphinx_rtd_theme-0.4.1-1.3
> ########################################
> [   73s] python3-Sphinx-1.8.5-2.2
> ########################################
> [   73s] update-alternatives: using /usr/bin/sphinx-apidoc-3.7 to
> provide /usr/bin/sphinx-apidoc (sphinx-apidoc) in auto mode
> [  101s] + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> /home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/patches.kernel.org/5.1.8-055-docs-Fix-conf.py-for-Sphin-2.0.patch
> [  101s] + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> /home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/patches.kernel.org/5.1.8-057-doc-Cope-with-Sphinx-logging-deprecations.patch
> [  102s]   SPHINX  htmldocs -->
> file:///home/abuild/rpmbuild/BUILD/kernel-docs-5.1.8/linux-5.1/html/Documentation/output
> [  103s] Running Sphinx v1.8.5

Hm, 2.1 here:
	Running Sphinx v2.1.0
perhaps Tumbleweed needs to update?  :)

Anyway, this should not be breaking, if Jon doesn't have any ideas, I'll
just drop these changes.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10  7:48         ` Greg Kroah-Hartman
@ 2019-06-10  7:56           ` Jiri Slaby
  2019-06-10 12:33           ` Jonathan Corbet
  1 sibling, 0 replies; 103+ messages in thread
From: Jiri Slaby @ 2019-06-10  7:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Jonathan Corbet

On 10. 06. 19, 9:48, Greg Kroah-Hartman wrote:
>> [  103s] Running Sphinx v1.8.5
> 
> Hm, 2.1 here:
> 	Running Sphinx v2.1.0
> perhaps Tumbleweed needs to update?  :)

Heh, it was submitted 3 days ago :):
  https://build.opensuse.org/request/show/708276
(And is blocked by a failing sphinx-test AFAICT.)

> Anyway, this should not be breaking, if Jon doesn't have any ideas, I'll
> just drop these changes.

OK. In the meantime, I have reverted the commit in Kernel:stable for the
time being.

thanks,
-- 
js
suse labs

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10  7:48         ` Greg Kroah-Hartman
  2019-06-10  7:56           ` Jiri Slaby
@ 2019-06-10 12:33           ` Jonathan Corbet
  2019-06-10 14:05             ` Greg Kroah-Hartman
  1 sibling, 1 reply; 103+ messages in thread
From: Jonathan Corbet @ 2019-06-10 12:33 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-kernel, stable

On Mon, 10 Jun 2019 09:48:40 +0200
Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:

> Hm, 2.1 here:
> 	Running Sphinx v2.1.0
> perhaps Tumbleweed needs to update?  :)

Heh...trying 2.1 is still on my list of things to do ... :)

> Anyway, this should not be breaking, if Jon doesn't have any ideas, I'll
> just drop these changes.

The fix for that is 551bd3368a7b (drm/i915: Maintain consistent
documentation subsection ordering) which was also marked for stable.  Jiri,
do you somehow not have that one?

Thanks,

jon

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10 12:33           ` Jonathan Corbet
@ 2019-06-10 14:05             ` Greg Kroah-Hartman
  2019-06-10 14:27               ` Thomas Backlund
  0 siblings, 1 reply; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-10 14:05 UTC (permalink / raw)
  To: Jonathan Corbet; +Cc: Jiri Slaby, linux-kernel, stable

On Mon, Jun 10, 2019 at 06:33:40AM -0600, Jonathan Corbet wrote:
> On Mon, 10 Jun 2019 09:48:40 +0200
> Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> 
> > Hm, 2.1 here:
> > 	Running Sphinx v2.1.0
> > perhaps Tumbleweed needs to update?  :)
> 
> Heh...trying 2.1 is still on my list of things to do ... :)
> 
> > Anyway, this should not be breaking, if Jon doesn't have any ideas, I'll
> > just drop these changes.
> 
> The fix for that is 551bd3368a7b (drm/i915: Maintain consistent
> documentation subsection ordering) which was also marked for stable.  Jiri,
> do you somehow not have that one?

It's part of this series, which is probably why it works for me.  Don't
know why it doesn't work for Jiri, unless he is cherry-picking things?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10 14:05             ` Greg Kroah-Hartman
@ 2019-06-10 14:27               ` Thomas Backlund
  2019-06-10 14:39                 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 103+ messages in thread
From: Thomas Backlund @ 2019-06-10 14:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Jonathan Corbet; +Cc: Jiri Slaby, linux-kernel, stable

Den 10-06-2019 kl. 17:05, skrev Greg Kroah-Hartman:
> On Mon, Jun 10, 2019 at 06:33:40AM -0600, Jonathan Corbet wrote:
>> On Mon, 10 Jun 2019 09:48:40 +0200
>> Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>>
>>> Hm, 2.1 here:
>>> 	Running Sphinx v2.1.0
>>> perhaps Tumbleweed needs to update?  :)
>>
>> Heh...trying 2.1 is still on my list of things to do ... :)
>>
>>> Anyway, this should not be breaking, if Jon doesn't have any ideas, I'll
>>> just drop these changes.
>>
>> The fix for that is 551bd3368a7b (drm/i915: Maintain consistent
>> documentation subsection ordering) which was also marked for stable.  Jiri,
>> do you somehow not have that one?
> 
> It's part of this series, which is probably why it works for me.  Don't
> know why it doesn't work for Jiri, unless he is cherry-picking things?
> 

Actualliy it is not.

This patch Jiri responded to / points out to break stuff is part of 
5.1.8, but the fix in in review queue for 5.1.9 :

https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/diff/queue-5.1/drm-i915-maintain-consistent-documentation-subsection-ordering.patch?id=29167bff7a1c0d79dda104c44c262b0bc4cd6644

--
Thomas

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10 14:27               ` Thomas Backlund
@ 2019-06-10 14:39                 ` Greg Kroah-Hartman
  2019-06-11  8:50                   ` Jiri Slaby
  0 siblings, 1 reply; 103+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-10 14:39 UTC (permalink / raw)
  To: Thomas Backlund; +Cc: Jonathan Corbet, Jiri Slaby, linux-kernel, stable

On Mon, Jun 10, 2019 at 05:27:39PM +0300, Thomas Backlund wrote:
> Den 10-06-2019 kl. 17:05, skrev Greg Kroah-Hartman:
> > On Mon, Jun 10, 2019 at 06:33:40AM -0600, Jonathan Corbet wrote:
> > > On Mon, 10 Jun 2019 09:48:40 +0200
> > > Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > > 
> > > > Hm, 2.1 here:
> > > > 	Running Sphinx v2.1.0
> > > > perhaps Tumbleweed needs to update?  :)
> > > 
> > > Heh...trying 2.1 is still on my list of things to do ... :)
> > > 
> > > > Anyway, this should not be breaking, if Jon doesn't have any ideas, I'll
> > > > just drop these changes.
> > > 
> > > The fix for that is 551bd3368a7b (drm/i915: Maintain consistent
> > > documentation subsection ordering) which was also marked for stable.  Jiri,
> > > do you somehow not have that one?
> > 
> > It's part of this series, which is probably why it works for me.  Don't
> > know why it doesn't work for Jiri, unless he is cherry-picking things?
> > 
> 
> Actualliy it is not.
> 
> This patch Jiri responded to / points out to break stuff is part of 5.1.8,
> but the fix in in review queue for 5.1.9 :
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/diff/queue-5.1/drm-i915-maintain-consistent-documentation-subsection-ordering.patch?id=29167bff7a1c0d79dda104c44c262b0bc4cd6644

Ah, that makes more sense, and is why my build works for me :)

Jiri, wait a few days and this will get fixed...

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter
  2019-06-10 14:39                 ` Greg Kroah-Hartman
@ 2019-06-11  8:50                   ` Jiri Slaby
  0 siblings, 0 replies; 103+ messages in thread
From: Jiri Slaby @ 2019-06-11  8:50 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Thomas Backlund; +Cc: Jonathan Corbet, linux-kernel, stable

On 10. 06. 19, 16:39, Greg Kroah-Hartman wrote:
>>>> The fix for that is 551bd3368a7b (drm/i915: Maintain consistent
>>>> documentation subsection ordering) which was also marked for stable.  Jiri,
>>>> do you somehow not have that one?
>>>
>>> It's part of this series, which is probably why it works for me.  Don't
>>> know why it doesn't work for Jiri, unless he is cherry-picking things?
>>>
>>
>> Actualliy it is not.
>>
>> This patch Jiri responded to / points out to break stuff is part of 5.1.8,
>> but the fix in in review queue for 5.1.9 :
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/diff/queue-5.1/drm-i915-maintain-consistent-documentation-subsection-ordering.patch?id=29167bff7a1c0d79dda104c44c262b0bc4cd6644
> 
> Ah, that makes more sense, and is why my build works for me :)
> 
> Jiri, wait a few days and this will get fixed...

No problem. I just pushed this one and 5.1.9 will dispose it later.

thanks,
-- 
js
suse labs

^ permalink raw reply	[flat|nested] 103+ messages in thread

end of thread, other threads:[~2019-06-11  8:50 UTC | newest]

Thread overview: 103+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-07 15:38 [PATCH 5.1 00/85] 5.1.8-stable review Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 01/85] sparc64: Fix regression in non-hypervisor TLB flush xcall Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 02/85] include/linux/bitops.h: sanitize rotate primitives Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 03/85] xhci: update bounce buffer with correct sg num Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 04/85] xhci: Use %zu for printing size_t type Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 05/85] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 06/85] usb: xhci: avoid null pointer deref when bos field is NULL Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 07/85] usbip: usbip_host: fix BUG: sleeping function called from invalid context Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 08/85] usbip: usbip_host: fix stub_dev lock context imbalance regression Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 09/85] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 10/85] USB: sisusbvga: fix oops in error path of sisusb_probe Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 11/85] USB: Add LPM quirk for Surface Dock GigE adapter Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 12/85] USB: rio500: refuse more than one device at a time Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 13/85] USB: rio500: fix memory leak in close after disconnect Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 5.1 14/85] media: usb: siano: Fix general protection fault in smsusb Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 15/85] media: usb: siano: Fix false-positive "uninitialized variable" warning Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 16/85] media: smsusb: better handle optional alignment Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 17/85] brcmfmac: fix NULL pointer derefence during USB disconnect Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 18/85] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 19/85] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 20/85] tracing: Avoid memory leak in predicate_parse() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 21/85] Btrfs: fix wrong ctime and mtime of a directory after log replay Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 22/85] Btrfs: fix race updating log root item during fsync Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 23/85] Btrfs: fix fsync not persisting changed attributes of a directory Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 24/85] btrfs: correct zstd workspace manager lock to use spin_lock_bh() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 25/85] btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 26/85] Btrfs: incremental send, fix file corruption when no-holes feature is enabled Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 27/85] btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 28/85] iio: dac: ds4422/ds4424 fix chip verification Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 29/85] iio: adc: ads124: avoid buffer overflow Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 30/85] iio: adc: modify NPCM ADC read reference voltage Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 31/85] iio: adc: ti-ads8688: fix timestamp is not updated in buffer Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 32/85] s390/crypto: fix gcm-aes-s390 selftest failures Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 33/85] s390/crypto: fix possible sleep during spinlock aquired Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 34/85] KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of passthrough interrupts Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 35/85] KVM: PPC: Book3S HV: Fix lockdep warning when entering guest on POWER9 Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 36/85] KVM: PPC: Book3S HV: Restore SPRG3 in kvmhv_p9_guest_entry() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 37/85] powerpc/perf: Fix MMCRA corruption by bhrb_filter Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 38/85] powerpc/kexec: Fix loading of kernel + initramfs with kexec_file_load() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 39/85] ALSA: line6: Assure canceling delayed work at disconnection Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 40/85] ALSA: hda/realtek - Set default power save node to 0 Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 41/85] ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 42/85] KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 43/85] drm/nouveau/i2c: Disable i2c bus access after ->fini() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 44/85] i2c: mlxcpld: Fix wrong initialization order in probe Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 45/85] i2c: synquacer: fix synquacer_i2c_doxfer() return value Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 46/85] tty: serial: msm_serial: Fix XON/XOFF Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 47/85] tty: max310x: Fix external crystal register setup Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 48/85] mm, memcg: consider subtrees in memory.events Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 49/85] memcg: make it work on sparse non-0-node systems Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 50/85] kasan: initialize tag to 0xff in __kasan_kmalloc Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 51/85] kernel/signal.c: trace_signal_deliver when signal_group_exit Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 52/85] signal/arm64: Use force_sig not force_sig_fault for SIGKILL Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 53/85] mm, compaction: make sure we isolate a valid PFN Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 54/85] arm64: Fix the arm64_personality() syscall wrapper redirection Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 55/85] docs: Fix conf.py for Sphinx 2.0 Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 56/85] doc: Cope with the deprecation of AutoReporter Greg Kroah-Hartman
2019-06-10  6:27   ` Jiri Slaby
2019-06-10  7:31     ` Greg Kroah-Hartman
2019-06-10  7:34       ` Jiri Slaby
2019-06-10  7:48         ` Greg Kroah-Hartman
2019-06-10  7:56           ` Jiri Slaby
2019-06-10 12:33           ` Jonathan Corbet
2019-06-10 14:05             ` Greg Kroah-Hartman
2019-06-10 14:27               ` Thomas Backlund
2019-06-10 14:39                 ` Greg Kroah-Hartman
2019-06-11  8:50                   ` Jiri Slaby
2019-06-07 15:39 ` [PATCH 5.1 57/85] doc: Cope with Sphinx logging deprecations Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 58/85] x86/ima: Check EFI_RUNTIME_SERVICES before using Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 59/85] ima: fix wrong signed policy requirement when not appraising Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 60/85] ima: show rules with IMA_INMASK correctly Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 61/85] evm: check hash algorithm passed to init_desc() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 62/85] clk: imx: imx8mm: fix int pll clk gate Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 63/85] vt/fbcon: deinitialize resources in visual_init() after failed memory allocation Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 64/85] serial: sh-sci: disable DMA for uart_console Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 65/85] staging: vc04_services: prevent integer overflow in create_pagelist() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 66/85] staging: wlan-ng: fix adapter initialization failure Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 67/85] cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 68/85] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 69/85] Revert "lockd: Show pid of lockd for remote locks" Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 70/85] gcc-plugins: Fix build failures under Darwin host Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 71/85] drm/tegra: gem: Fix CPU-cache maintenance for BOs allocated using get_pages() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 72/85] drm/vmwgfx: Fix user space handle equal to zero Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 73/85] drm/vmwgfx: Fix compat mode shader operation Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 5.1 74/85] drm/vmwgfx: Dont send drm sysfs hotplug events on initial master set Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 75/85] drm/sun4i: Fix sun8i HDMI PHY clock initialization Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 76/85] drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 77/85] drm/imx: ipuv3-plane: fix atomic update status query for non-plus i.MX6Q Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 78/85] drm/fb-helper: generic: Call drm_client_add() after setup is done Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 79/85] drm/atomic: Wire file_priv through for property changes Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 80/85] drm: Expose "FB_DAMAGE_CLIPS" property to atomic aware user-space only Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 81/85] drm/rockchip: shutdown drm subsystem on shutdown Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 82/85] drm/lease: Make sure implicit planes are leased Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 83/85] drm/cma-helper: Fix drm_gem_cma_free_object() Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 84/85] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 5.1 85/85] x86/kprobes: Set instruction page as executable Greg Kroah-Hartman
2019-06-07 19:29 ` [PATCH 5.1 00/85] 5.1.8-stable review kernelci.org bot
2019-06-07 20:19 ` Jiunn Chang
2019-06-08  9:31   ` Greg Kroah-Hartman
2019-06-08  7:54 ` Naresh Kamboju
2019-06-08  9:34   ` Greg Kroah-Hartman
2019-06-08 18:50 ` Guenter Roeck
2019-06-09  7:16   ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).