LKML Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 5.2 000/144] 5.2.9-stable review
@ 2019-08-14 16:59 Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 001/144] Revert "PCI: Add missing link delays required by the PCIe spec" Greg Kroah-Hartman
                   ` (148 more replies)
  0 siblings, 149 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 5.2.9 release.
There are 144 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri 16 Aug 2019 04:55:34 PM UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.9-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.2.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.2.9-rc1

Luca Coelho <luciano.coelho@intel.com>
    iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support

Luca Coelho <luciano.coelho@intel.com>
    iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    iwlwifi: mvm: fix an out-of-bound access

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    iwlwifi: don't unmap as page memory that was mapped as single

Brian Norris <briannorris@chromium.org>
    mwifiex: fix 802.11n/WPA detection

Marc Zyngier <maz@kernel.org>
    KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block

Wanpeng Li <wanpengli@tencent.com>
    KVM: Fix leak vCPU's VMCS value into other pCPU

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4: Fix an Oops in nfs4_do_setattr

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4: Check the return value of update_open_stateid()

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4: Fix delegation state recovery

Steve French <stfrench@microsoft.com>
    smb3: send CAP_DFS capability during session setup

Pavel Shilovsky <pshilov@microsoft.com>
    SMB3: Fix deadlock in validate negotiate hits reconnect

Vivek Goyal <vgoyal@redhat.com>
    dax: dax_layout_busy_page() should not unmap cow pages

Brian Norris <briannorris@chromium.org>
    mac80211: don't WARN on short WMM parameters from AP

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457)

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Don't override global PCM hw info flag

Wenwen Wang <wenwen@cs.uga.edu>
    ALSA: hiface: fix multiple memory leak bugs

Wenwen Wang <wenwen@cs.uga.edu>
    ALSA: firewire: fix a memory leak bug

Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
    drm/i915: Fix wrong escape clock divisor init for GLK

Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>
    hwmon: (lm75) Fixup tmp75b clr_mask

Guenter Roeck <linux@roeck-us.net>
    hwmon: (nct7802) Fix wrong detection of in4 presence

Tomas Bortoli <tomasbortoli@gmail.com>
    can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices

Tomas Bortoli <tomasbortoli@gmail.com>
    can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM/nSVM: properly map nested VMCB

Wenwen Wang <wenwen@cs.uga.edu>
    ALSA: usb-audio: fix a memory leak bug

Roderick Colenbrander <roderick@gaikai.com>
    HID: sony: Fix race condition between rumble and device remove.

Masahiro Yamada <yamada.masahiro@socionext.com>
    gen_compile_commands: lower the entry count threshold

Halil Pasic <pasic@linux.ibm.com>
    s390/dma: provide proper ARCH_ZONE_DMA_BITS value

Leonard Crestez <leonard.crestez@nxp.com>
    perf/core: Fix creating kernel counters for PMUs that override event->cpu

Zhenzhong Duan <zhenzhong.duan@oracle.com>
    perf/x86: Apply more accurate check on hypervisor platform

Yunying Sun <yunying.sun@intel.com>
    perf/x86/intel: Fix invalid Bit 13 for Icelake MSR_OFFCORE_RSP_x register

Kan Liang <kan.liang@linux.intel.com>
    perf/x86/intel: Fix SLOTS PEBS event constraint

Peter Zijlstra <peterz@infradead.org>
    tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop

Wenwen Wang <wenwen@cs.uga.edu>
    test_firmware: fix a memory leak bug

Hannes Reinecke <hare@suse.de>
    scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG

Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
    scsi: ibmvfc: fix WARN_ON during event pool release

Junxiao Bi <junxiao.bi@oracle.com>
    scsi: megaraid_sas: fix panic on loading firmware crashdump

Arnd Bergmann <arnd@arndb.de>
    ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux

Arnd Bergmann <arnd@arndb.de>
    ARM: davinci: fix sleep.S build error on ARMv4

Logan Gunthorpe <logang@deltatee.com>
    nvme: fix memory leak caused by incorrect subsystem free

Misha Nasledov <misha@nasledov.com>
    nvme: ignore subnqn for ADATA SX6000LNP

Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id()

Arnd Bergmann <arnd@arndb.de>
    drbd: dynamically allocate shash descriptor

Arnaldo Carvalho de Melo <acme@redhat.com>
    perf probe: Avoid calling freeing routine multiple times for same pointer

Alexey Budankov <alexey.budankov@linux.intel.com>
    perf session: Fix loading of compressed data split across adjacent records

Jiri Olsa <jolsa@redhat.com>
    perf stat: Fix segfault for event group in repeat mode

Jiri Olsa <jolsa@kernel.org>
    perf tools: Fix proper buffer size for feature processing

Andi Kleen <ak@linux.intel.com>
    perf script: Fix off by one in brstackinsn IPC computation

Charles Keepax <ckeepax@opensource.cirrus.com>
    ALSA: compress: Be more restrictive about when a drain is allowed

Charles Keepax <ckeepax@opensource.cirrus.com>
    ALSA: compress: Don't allow paritial drain operations on capture streams

Charles Keepax <ckeepax@opensource.cirrus.com>
    ALSA: compress: Prevent bypasses of set_params

Charles Keepax <ckeepax@opensource.cirrus.com>
    ALSA: compress: Fix regression on compressed capture streams

Julian Wiedmann <jwi@linux.ibm.com>
    s390/qdio: add sanity checks to the fast-requeue path

Wen Yang <wen.yang99@zte.com.cn>
    cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()

Lucas Stach <l.stach@pengutronix.de>
    arm64: dts: imx8mq: fix SAI compatible

Anson Huang <Anson.Huang@nxp.com>
    arm64: dts: imx8mm: Correct SAI3 RXC/TXFS pin's mux option #1

Qian Cai <cai@lca.pw>
    drm: silence variable 'conn' set but not used

Shubhashree Dhar <dhar@codeaurora.org>
    drm/msm/dpu: Correct dpu encoder spinlock initialization

Dmitry Safonov <dima@arista.com>
    iommu/vt-d: Check if domain->pgd was allocated

James Morse <james.morse@arm.com>
    arm64: entry: SP Alignment Fault doesn't write to FAR_EL1

Marc Zyngier <marc.zyngier@arm.com>
    arm64: Force SSBS on context switch

Vaibhav Jain <vaibhav@linux.ibm.com>
    powerpc/papr_scm: Force a scm-unbind if initial scm-bind fails

Sébastien Szymanski <sebastien.szymanski@armadeus.com>
    ARM: dts: imx6ul: fix clock frequency property name of I2C buses

Björn Gerhart <gerhart@posteo.de>
    hwmon: (nct6775) Fix register address and added missed tolerance for nct6106

Lei YU <mine260309@gmail.com>
    hwmon: (occ) Fix division by zero issue

Navid Emamdoost <navid.emamdoost@gmail.com>
    allocate_flower_entry: should check for null deref

Brian Norris <briannorris@chromium.org>
    mac80211: don't warn about CW params when not using them

Lorenzo Bianconi <lorenzo@kernel.org>
    mac80211: fix possible memory leak in ieee80211_assign_beacon

John Crispin <john@phrozen.org>
    nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN

Thomas Tai <thomas.tai@oracle.com>
    iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND

Tai Man <taiman.wong@amd.com>
    drm/amd/display: Increase size of audios array

Alvin Lee <alvin.lee2@amd.com>
    drm/amd/display: Only enable audio if speaker allocation exists

Julian Parkin <julian.parkin@amd.com>
    drm/amd/display: Fix dc_create failure handling and 666 color depths

Derek Lai <Derek.Lai@amd.com>
    drm/amd/display: allocate 4 ddc engines for RV2

Eric Yang <Eric.Yang2@amd.com>
    drm/amd/display: put back front end initialization sequence

Tai Man <taiman.wong@amd.com>
    drm/amd/display: use encoder's engine id to find matched free audio device

Zi Yu Liao <ziyu.liao@amd.com>
    drm/amd/display: fix DMCU hang when going into Modern Standby

SivapiriyanKumarasamy <sivapiriyan.kumarasamy@amd.com>
    drm/amd/display: Wait for backlight programming completion in set backlight level

Murton Liu <murton.liu@amd.com>
    drm/amd/display: Clock does not lower in Updateplanes

Harmanprit Tatla <harmanprit.tatla@amd.com>
    drm/amd/display: No audio endpoint for Dell MST display

Phil Sutter <phil@nwl.cc>
    netfilter: nf_tables: Support auto-loading for inet nat

Josef Bacik <josef@toxicpanda.com>
    rq-qos: use a mb for got_token

Josef Bacik <josef@toxicpanda.com>
    rq-qos: set ourself TASK_UNINTERRUPTIBLE after we schedule

Josef Bacik <josef@toxicpanda.com>
    rq-qos: don't reset has_sleepers on spurious wakeups

Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    scripts/sphinx-pre-install: fix latexmk dependencies

Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    scripts/sphinx-pre-install: don't use LaTeX with CentOS 7

Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    scripts/sphinx-pre-install: fix script for RHEL/CentOS

Laura Garcia Liebana <nevola@gmail.com>
    netfilter: nft_hash: fix symhash with modulus one

Florian Westphal <fw@strlen.de>
    netfilter: conntrack: always store window size un-scaled

Christian Hesse <mail@eworm.de>
    netfilter: nf_tables: fix module autoload for redir

Miaohe Lin <linmiaohe@huawei.com>
    netfilter: Fix rpfilter dropping vrf packets by mistake

Farhan Ali <alifm@linux.ibm.com>
    vfio-ccw: Don't call cp_free if we are processing a channel program

Farhan Ali <alifm@linux.ibm.com>
    vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn

Florian Westphal <fw@strlen.de>
    netfilter: nfnetlink: avoid deadlock due to synchronous request_module

Andrea Arcangeli <aarcange@redhat.com>
    powerpc: fix off by one in max_zone_pfn initialization for ZONE_DMA

Stephane Grosjean <s.grosjean@peak-system.com>
    can: peak_usb: fix potential double kfree_skb()

Wen Yang <wen.yang99@zte.com.cn>
    can: flexcan: fix an use-after-free in flexcan_setup_stop_mode()

Joakim Zhang <qiangqing.zhang@nxp.com>
    can: flexcan: fix stop mode acknowledgment

Nikita Yushchenko <nikita.yoush@cogentembedded.com>
    can: rcar_canfd: fix possible IRQ storm on high load

Guenter Roeck <linux@roeck-us.net>
    usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests

Guenter Roeck <linux@roeck-us.net>
    usb: typec: tcpm: Add NULL check before dereferencing config

Li Jun <jun.li@nxp.com>
    usb: typec: tcpm: remove tcpm dir if no children

Li Jun <jun.li@nxp.com>
    usb: typec: tcpm: free log buf memory when remove debug file

Heikki Krogerus <heikki.krogerus@linux.intel.com>
    usb: typec: ucsi: ccg: Fix uninitilized symbol error

Suzuki K Poulose <suzuki.poulose@arm.com>
    usb: yurex: Fix use-after-free in yurex_delete

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    usb: host: xhci-rcar: Fix timeout in xhci_suspend()

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: gfs2_walk_metadata fix

Ming Lei <ming.lei@redhat.com>
    genirq/affinity: Create affinity mask for single vector

Nick Desaulniers <ndesaulniers@google.com>
    x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS

Nick Desaulniers <ndesaulniers@google.com>
    x86/purgatory: Do not use __builtin_memcpy and __builtin_memset

Thomas Richter <tmricht@linux.ibm.com>
    perf record: Fix module size on s390

Adrian Hunter <adrian.hunter@intel.com>
    perf db-export: Fix thread__exec_comm()

Thomas Richter <tmricht@linux.ibm.com>
    perf annotate: Fix s390 gap between kernel end and module start

Suzuki K Poulose <suzuki.poulose@arm.com>
    coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute

Joerg Roedel <jroedel@suse.de>
    mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()

Joerg Roedel <jroedel@suse.de>
    x86/mm: Sync also unmappings in vmalloc_sync_all()

Joerg Roedel <jroedel@suse.de>
    x86/mm: Check for pfn instead of page in vmalloc_sync_one()

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: synaptics - enable RMI mode for HP Spectre X360

Kai-Heng Feng <kai.heng.feng@canonical.com>
    Input: elantech - enable SMBus on new (2018+) systems

Oliver Neukum <oneukum@suse.com>
    Input: usbtouchscreen - initialize PM mutex before using it

Jan Kara <jack@suse.cz>
    bdev: Fixup error handling in blkdev_get()

Mikulas Patocka <mpatocka@redhat.com>
    loop: set PF_MEMALLOC_NOIO for the worker thread

Kevin Hao <haokexin@gmail.com>
    mmc: cavium: Add the missing dma unmap when the dma has finished.

Kevin Hao <haokexin@gmail.com>
    mmc: cavium: Set the correct dma max segment size for mmc_host

Wenwen Wang <wenwen@cs.uga.edu>
    sound: fix a memory leak bug

Oliver Neukum <oneukum@suse.com>
    usb: iowarrior: fix deadlock on disconnect

Oliver Neukum <oneukum@suse.com>
    Revert "USB: rio500: simplify locking"

Gavin Li <git@thegavinli.com>
    usb: usbfs: fix double-free of usb memory upon submiturb error

Brian Norris <briannorris@chromium.org>
    driver core: platform: return -ENXIO for missing GpioInt

Gary R Hook <gary.hook@amd.com>
    crypto: ccp - Ignore tag length when decrypting GCM ciphertext

Gary R Hook <gary.hook@amd.com>
    crypto: ccp - Add support for valid authsize values less than 16

Gary R Hook <gary.hook@amd.com>
    crypto: ccp - Fix oops by properly managing allocated structures

Phil Reid <preid@electromag.com.au>
    Staging: fbtft: Fix reset assertion when using gpio descriptor

Phil Reid <preid@electromag.com.au>
    Staging: fbtft: Fix probing of gpio descriptor

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    staging: android: ion: Bail out upon SIGKILL when allocating memory.

Adham Abozaeid <adham.abozaeid@microchip.com>
    staging: wilc1000: flush the workqueue before deinit the host

Ivan Bornyakov <brnkv.i1@gmail.com>
    staging: gasket: apex: fix copy-paste typo

Joe Perches <joe@perches.com>
    iio: adc: max9611: Fix misuse of GENMASK macro

Arnd Bergmann <arnd@arndb.de>
    iio: adc: gyroadc: fix uninitialized return code

Jean-Baptiste Maneyrol <JManeyrol@invensense.com>
    iio: imu: mpu6050: add missing available scan masks

Gwendal Grignou <gwendal@chromium.org>
    iio: cros_ec_accel_legacy: Fix incorrect channel setting

Maarten ter Huurne <maarten@treewalker.org>
    IIO: Ingenic JZ47xx: Set clock divider on probe

Mika Westerberg <mika.westerberg@linux.intel.com>
    Revert "PCI: Add missing link delays required by the PCIe spec"


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm/boot/dts/bcm47094-linksys-panamera.dts    |   3 +
 arch/arm/boot/dts/imx6ul-14x14-evk.dtsi            |   2 +-
 arch/arm/boot/dts/imx6ul-geam.dts                  |   2 +-
 arch/arm/boot/dts/imx6ul-isiot.dtsi                |   2 +-
 arch/arm/boot/dts/imx6ul-pico-hobbit.dts           |   2 +-
 arch/arm/boot/dts/imx6ul-pico-pi.dts               |   4 +-
 arch/arm/mach-davinci/sleep.S                      |   1 +
 arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h     |   4 +-
 arch/arm64/boot/dts/freescale/imx8mq.dtsi          |   3 +-
 arch/arm64/include/asm/processor.h                 |  14 +-
 arch/arm64/kernel/entry.S                          |  22 +--
 arch/arm64/kernel/process.c                        |  29 +++-
 arch/powerpc/kvm/powerpc.c                         |   5 +
 arch/powerpc/mm/mem.c                              |   2 +-
 arch/powerpc/platforms/pseries/papr_scm.c          |  15 +-
 arch/s390/include/asm/page.h                       |   2 +
 arch/x86/boot/string.c                             |   8 +
 arch/x86/events/intel/core.c                       |   7 +-
 arch/x86/events/intel/ds.c                         |   2 +-
 arch/x86/include/asm/kvm_host.h                    |   1 +
 arch/x86/kvm/svm.c                                 |  10 +-
 arch/x86/kvm/vmx/vmx.c                             |   6 +
 arch/x86/kvm/x86.c                                 |  16 ++
 arch/x86/mm/fault.c                                |  15 +-
 arch/x86/purgatory/Makefile                        |  36 ++++-
 arch/x86/purgatory/purgatory.c                     |   6 +
 arch/x86/purgatory/string.c                        |  23 ---
 block/blk-rq-qos.c                                 |   6 +-
 drivers/acpi/arm64/iort.c                          |   4 +-
 drivers/base/platform.c                            |   9 +-
 drivers/block/drbd/drbd_receiver.c                 |  14 +-
 drivers/block/loop.c                               |   2 +-
 drivers/cpufreq/pasemi-cpufreq.c                   |  23 ++-
 drivers/crypto/ccp/ccp-crypto-aes-galois.c         |  14 ++
 drivers/crypto/ccp/ccp-ops.c                       |  33 +++--
 drivers/firmware/Kconfig                           |   5 +-
 drivers/firmware/iscsi_ibft.c                      |   4 +
 drivers/gpu/drm/amd/display/dc/core/dc.c           |   6 +-
 drivers/gpu/drm/amd/display/dc/core/dc_link.c      |   9 +-
 drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c   |   9 +-
 drivers/gpu/drm/amd/display/dc/core/dc_resource.c  |  11 +-
 drivers/gpu/drm/amd/display/dc/dce/dce_abm.c       |   4 +
 .../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c  |  21 +--
 .../gpu/drm/amd/display/dc/dcn10/dcn10_resource.c  |   2 +-
 drivers/gpu/drm/amd/display/dc/inc/core_types.h    |   2 +-
 drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h  |   1 +
 drivers/gpu/drm/drm_framebuffer.c                  |   2 +-
 drivers/gpu/drm/i915/vlv_dsi_pll.c                 |   4 +-
 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c        |   3 +-
 drivers/hid/hid-sony.c                             |  15 +-
 drivers/hwmon/lm75.c                               |   2 +-
 drivers/hwmon/nct6775.c                            |   3 +-
 drivers/hwmon/nct7802.c                            |   6 +-
 drivers/hwmon/occ/common.c                         |   6 +-
 drivers/hwtracing/coresight/coresight-etm-perf.c   |   1 +
 drivers/iio/accel/cros_ec_accel_legacy.c           |   1 -
 drivers/iio/adc/ingenic-adc.c                      |  54 +++++++
 drivers/iio/adc/max9611.c                          |   2 +-
 drivers/iio/adc/rcar-gyroadc.c                     |   4 +-
 drivers/iio/imu/inv_mpu6050/inv_mpu_core.c         |  43 ++++++
 drivers/input/mouse/elantech.c                     |  54 ++++---
 drivers/input/mouse/synaptics.c                    |   1 +
 drivers/input/touchscreen/usbtouchscreen.c         |   2 +
 drivers/iommu/intel-iommu.c                        |   8 +-
 drivers/mmc/host/cavium.c                          |   4 +-
 drivers/net/can/flexcan.c                          |  39 ++++-
 drivers/net/can/rcar/rcar_canfd.c                  |   9 +-
 drivers/net/can/usb/peak_usb/pcan_usb_core.c       |   8 +-
 drivers/net/can/usb/peak_usb/pcan_usb_fd.c         |   2 +-
 drivers/net/can/usb/peak_usb/pcan_usb_pro.c        |   2 +-
 .../net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c   |   3 +-
 drivers/net/wireless/intel/iwlwifi/mvm/fw.c        |  29 +++-
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c        |   3 +-
 drivers/net/wireless/intel/iwlwifi/pcie/tx.c       |   2 +
 drivers/net/wireless/marvell/mwifiex/main.h        |   1 +
 drivers/net/wireless/marvell/mwifiex/scan.c        |   3 +-
 drivers/nvme/host/core.c                           |  12 +-
 drivers/nvme/host/pci.c                            |   2 +
 drivers/pci/pci.c                                  |  29 ++--
 drivers/pci/pci.h                                  |   1 -
 drivers/pci/pcie/portdrv_core.c                    |  66 ---------
 drivers/s390/cio/qdio_main.c                       |  12 +-
 drivers/s390/cio/vfio_ccw_cp.c                     |   4 +-
 drivers/s390/cio/vfio_ccw_drv.c                    |   2 +-
 drivers/scsi/device_handler/scsi_dh_alua.c         |   7 +-
 drivers/scsi/ibmvscsi/ibmvfc.c                     |   2 +-
 drivers/scsi/megaraid/megaraid_sas_base.c          |   3 +
 drivers/staging/android/ion/ion_page_pool.c        |   3 +
 drivers/staging/fbtft/fbtft-core.c                 |  43 +++---
 drivers/staging/gasket/apex_driver.c               |   2 +-
 drivers/staging/wilc1000/wilc_wfi_cfgoperations.c  |   1 +
 drivers/tty/tty_ldsem.c                            |   5 +-
 drivers/usb/core/devio.c                           |   2 -
 drivers/usb/host/xhci-rcar.c                       |   9 +-
 drivers/usb/misc/iowarrior.c                       |   7 +-
 drivers/usb/misc/rio500.c                          |  43 ++++--
 drivers/usb/misc/yurex.c                           |   2 +-
 drivers/usb/typec/tcpm/tcpm.c                      |  58 +++++---
 drivers/usb/typec/ucsi/ucsi_ccg.c                  |   2 +-
 fs/block_dev.c                                     |   5 +-
 fs/cifs/smb2pdu.c                                  |   7 +-
 fs/dax.c                                           |   2 +-
 fs/gfs2/bmap.c                                     | 164 +++++++++++++--------
 fs/nfs/delegation.c                                |   2 +-
 fs/nfs/delegation.h                                |   2 +-
 fs/nfs/nfs4proc.c                                  |  39 ++---
 include/kvm/arm_vgic.h                             |   1 +
 include/linux/ccp.h                                |   2 +
 include/linux/kvm_host.h                           |   1 +
 include/sound/compress_driver.h                    |   5 +-
 include/uapi/linux/nl80211.h                       |   2 +-
 kernel/events/core.c                               |   2 +-
 kernel/irq/affinity.c                              |   6 +-
 lib/test_firmware.c                                |   5 +-
 mm/vmalloc.c                                       |   9 ++
 net/ipv4/netfilter/ipt_rpfilter.c                  |   1 +
 net/ipv6/netfilter/ip6t_rpfilter.c                 |   8 +-
 net/mac80211/cfg.c                                 |   8 +-
 net/mac80211/driver-ops.c                          |  13 +-
 net/mac80211/mlme.c                                |  10 ++
 net/netfilter/nf_conntrack_proto_tcp.c             |   8 +-
 net/netfilter/nfnetlink.c                          |   2 +-
 net/netfilter/nft_chain_nat.c                      |   3 +
 net/netfilter/nft_hash.c                           |   2 +-
 net/netfilter/nft_redir.c                          |   2 +-
 scripts/gen_compile_commands.py                    |   4 +-
 scripts/sphinx-pre-install                         |  74 +++++++---
 sound/core/compress_offload.c                      |  60 ++++++--
 sound/firewire/packets-buffer.c                    |   2 +-
 sound/pci/hda/hda_controller.c                     |  13 +-
 sound/pci/hda/hda_controller.h                     |   2 +-
 sound/pci/hda/hda_intel.c                          |  63 +++++++-
 sound/sound_core.c                                 |   3 +-
 sound/usb/hiface/pcm.c                             |  11 +-
 sound/usb/stream.c                                 |   1 +
 tools/perf/arch/s390/util/machine.c                |  31 +++-
 tools/perf/builtin-probe.c                         |  10 ++
 tools/perf/builtin-script.c                        |   2 +-
 tools/perf/builtin-stat.c                          |   9 +-
 tools/perf/util/evsel.c                            |   2 +
 tools/perf/util/header.c                           |   2 +-
 tools/perf/util/machine.c                          |   3 +-
 tools/perf/util/machine.h                          |   2 +-
 tools/perf/util/session.c                          |  22 ++-
 tools/perf/util/session.h                          |   1 +
 tools/perf/util/symbol.c                           |   7 +-
 tools/perf/util/symbol.h                           |   1 +
 tools/perf/util/thread.c                           |  12 +-
 tools/perf/util/zstd.c                             |   4 +-
 virt/kvm/arm/arm.c                                 |  11 ++
 virt/kvm/arm/vgic/vgic-v2.c                        |   9 +-
 virt/kvm/arm/vgic/vgic-v3.c                        |   7 +-
 virt/kvm/arm/vgic/vgic.c                           |  11 ++
 virt/kvm/arm/vgic/vgic.h                           |   2 +
 virt/kvm/kvm_main.c                                |  25 +++-
 156 files changed, 1223 insertions(+), 552 deletions(-)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 001/144] Revert "PCI: Add missing link delays required by the PCIe spec"
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 002/144] IIO: Ingenic JZ47xx: Set clock divider on probe Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Andree, Paul Menzel,
	Nicholas Johnson, Mika Westerberg, Rafael J. Wysocki

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 0617bdede5114a0002298b12cd0ca2b0cfd0395d upstream.

Commit c2bf1fc212f7 ("PCI: Add missing link delays required by the PCIe
spec") turned out causing issues with some systems either by making them
unresponsive or slowing down runtime and system wide resume of PCIe
devices. While root cause for the unresponsiveness is still under
investigation given the amount of issues reported better to revert it
for now.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204413
Link: https://lore.kernel.org/linux-pci/SL2P216MB01878BBCD75F21D882AEEA2880C60@SL2P216MB0187.KORP216.PROD.OUTLOOK.COM/
Link: https://lore.kernel.org/linux-pci/2857501d-c167-547d-c57d-d5d24ea1f1dc@molgen.mpg.de/
Reported-by: Matthias Andree <matthias.andree@gmx.de>
Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reported-by: Nicholas Johnson <nicholas.johnson-opensource@outlook.com.au>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/pci.c               |   29 ++++++-----------
 drivers/pci/pci.h               |    1 
 drivers/pci/pcie/portdrv_core.c |   66 ----------------------------------------
 3 files changed, 10 insertions(+), 86 deletions(-)

--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1004,10 +1004,15 @@ static void __pci_start_power_transition
 	if (state == PCI_D0) {
 		pci_platform_power_transition(dev, PCI_D0);
 		/*
-		 * Mandatory power management transition delays are
-		 * handled in the PCIe portdrv resume hooks.
+		 * Mandatory power management transition delays, see
+		 * PCI Express Base Specification Revision 2.0 Section
+		 * 6.6.1: Conventional Reset.  Do not delay for
+		 * devices powered on/off by corresponding bridge,
+		 * because have already delayed for the bridge.
 		 */
 		if (dev->runtime_d3cold) {
+			if (dev->d3cold_delay && !dev->imm_ready)
+				msleep(dev->d3cold_delay);
 			/*
 			 * When powering on a bridge from D3cold, the
 			 * whole hierarchy may be powered on into
@@ -4570,16 +4575,14 @@ static int pci_pm_reset(struct pci_dev *
 
 	return pci_dev_wait(dev, "PM D3->D0", PCIE_RESET_READY_POLL_MS);
 }
-
 /**
- * pcie_wait_for_link_delay - Wait until link is active or inactive
+ * pcie_wait_for_link - Wait until link is active or inactive
  * @pdev: Bridge device
  * @active: waiting for active or inactive?
- * @delay: Delay to wait after link has become active (in ms)
  *
  * Use this to wait till link becomes active or inactive.
  */
-bool pcie_wait_for_link_delay(struct pci_dev *pdev, bool active, int delay)
+bool pcie_wait_for_link(struct pci_dev *pdev, bool active)
 {
 	int timeout = 1000;
 	bool ret;
@@ -4616,25 +4619,13 @@ bool pcie_wait_for_link_delay(struct pci
 		timeout -= 10;
 	}
 	if (active && ret)
-		msleep(delay);
+		msleep(100);
 	else if (ret != active)
 		pci_info(pdev, "Data Link Layer Link Active not %s in 1000 msec\n",
 			active ? "set" : "cleared");
 	return ret == active;
 }
 
-/**
- * pcie_wait_for_link - Wait until link is active or inactive
- * @pdev: Bridge device
- * @active: waiting for active or inactive?
- *
- * Use this to wait till link becomes active or inactive.
- */
-bool pcie_wait_for_link(struct pci_dev *pdev, bool active)
-{
-	return pcie_wait_for_link_delay(pdev, active, 100);
-}
-
 void pci_reset_secondary_bus(struct pci_dev *dev)
 {
 	u16 ctrl;
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -493,7 +493,6 @@ static inline int pci_dev_specific_disab
 void pcie_do_recovery(struct pci_dev *dev, enum pci_channel_state state,
 		      u32 service);
 
-bool pcie_wait_for_link_delay(struct pci_dev *pdev, bool active, int delay);
 bool pcie_wait_for_link(struct pci_dev *pdev, bool active);
 #ifdef CONFIG_PCIEASPM
 void pcie_aspm_init_link_state(struct pci_dev *pdev);
--- a/drivers/pci/pcie/portdrv_core.c
+++ b/drivers/pci/pcie/portdrv_core.c
@@ -9,7 +9,6 @@
 #include <linux/module.h>
 #include <linux/pci.h>
 #include <linux/kernel.h>
-#include <linux/delay.h>
 #include <linux/errno.h>
 #include <linux/pm.h>
 #include <linux/pm_runtime.h>
@@ -379,67 +378,6 @@ static int pm_iter(struct device *dev, v
 	return 0;
 }
 
-static int get_downstream_delay(struct pci_bus *bus)
-{
-	struct pci_dev *pdev;
-	int min_delay = 100;
-	int max_delay = 0;
-
-	list_for_each_entry(pdev, &bus->devices, bus_list) {
-		if (!pdev->imm_ready)
-			min_delay = 0;
-		else if (pdev->d3cold_delay < min_delay)
-			min_delay = pdev->d3cold_delay;
-		if (pdev->d3cold_delay > max_delay)
-			max_delay = pdev->d3cold_delay;
-	}
-
-	return max(min_delay, max_delay);
-}
-
-/*
- * wait_for_downstream_link - Wait for downstream link to establish
- * @pdev: PCIe port whose downstream link is waited
- *
- * Handle delays according to PCIe 4.0 section 6.6.1 before configuration
- * access to the downstream component is permitted.
- *
- * This blocks PCI core resume of the hierarchy below this port until the
- * link is trained. Should be called before resuming port services to
- * prevent pciehp from starting to tear-down the hierarchy too soon.
- */
-static void wait_for_downstream_link(struct pci_dev *pdev)
-{
-	int delay;
-
-	if (pci_pcie_type(pdev) != PCI_EXP_TYPE_ROOT_PORT &&
-	    pci_pcie_type(pdev) != PCI_EXP_TYPE_DOWNSTREAM)
-		return;
-
-	if (pci_dev_is_disconnected(pdev))
-		return;
-
-	if (!pdev->subordinate || list_empty(&pdev->subordinate->devices) ||
-	    !pdev->bridge_d3)
-		return;
-
-	delay = get_downstream_delay(pdev->subordinate);
-	if (!delay)
-		return;
-
-	dev_dbg(&pdev->dev, "waiting downstream link for %d ms\n", delay);
-
-	/*
-	 * If downstream port does not support speeds greater than 5 GT/s
-	 * need to wait 100ms. For higher speeds (gen3) we need to wait
-	 * first for the data link layer to become active.
-	 */
-	if (pcie_get_speed_cap(pdev) <= PCIE_SPEED_5_0GT)
-		msleep(delay);
-	else
-		pcie_wait_for_link_delay(pdev, true, delay);
-}
-
 /**
  * pcie_port_device_suspend - suspend port services associated with a PCIe port
  * @dev: PCI Express port to handle
@@ -453,8 +391,6 @@ int pcie_port_device_suspend(struct devi
 int pcie_port_device_resume_noirq(struct device *dev)
 {
 	size_t off = offsetof(struct pcie_port_service_driver, resume_noirq);
-
-	wait_for_downstream_link(to_pci_dev(dev));
 	return device_for_each_child(dev, &off, pm_iter);
 }
 
@@ -485,8 +421,6 @@ int pcie_port_device_runtime_suspend(str
 int pcie_port_device_runtime_resume(struct device *dev)
 {
 	size_t off = offsetof(struct pcie_port_service_driver, runtime_resume);
-
-	wait_for_downstream_link(to_pci_dev(dev));
 	return device_for_each_child(dev, &off, pm_iter);
 }
 #endif /* PM */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 002/144] IIO: Ingenic JZ47xx: Set clock divider on probe
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 001/144] Revert "PCI: Add missing link delays required by the PCIe spec" Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 003/144] iio: cros_ec_accel_legacy: Fix incorrect channel setting Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maarten ter Huurne, Artur Rojek,
	Stable, Jonathan Cameron

From: Maarten ter Huurne <maarten@treewalker.org>

commit 5a304e1a4ea000177cf25f5ecf26e786dda25b98 upstream.

The SADC component can run at up to 8 MHz on JZ4725B, but is fed
a 12 MHz input clock (EXT). Divide it by two to get 6 MHz, then
set up another divider to match, to produce a 10us clock.

If the clock dividers are left on their power-on defaults (a divider
of 1), the SADC mostly works, but will occasionally produce erroneous
readings. This led to button presses being detected out of nowhere on
the RS90 every few minutes. With this change, no ghost button presses
were logged in almost a day worth of testing.

The ADCLK register for configuring clock dividers doesn't exist on
JZ4740, so avoid writing it there.

A function has been introduced rather than a flag because there is a lot
of variation between the ADCLK registers on JZ47xx SoCs, both in
the internal layout of the register and in the frequency range
supported by the SADC. So this solution should make it easier
to add support for other JZ47xx SoCs later.

Fixes: 1a78daea107d ("iio: adc: probe should set clock divider")
Signed-off-by: Maarten ter Huurne <maarten@treewalker.org>
Signed-off-by: Artur Rojek <contact@artur-rojek.eu>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ingenic-adc.c |   54 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

--- a/drivers/iio/adc/ingenic-adc.c
+++ b/drivers/iio/adc/ingenic-adc.c
@@ -11,6 +11,7 @@
 #include <linux/iio/iio.h>
 #include <linux/io.h>
 #include <linux/iopoll.h>
+#include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
 #include <linux/platform_device.h>
@@ -22,8 +23,11 @@
 #define JZ_ADC_REG_ADTCH		0x18
 #define JZ_ADC_REG_ADBDAT		0x1c
 #define JZ_ADC_REG_ADSDAT		0x20
+#define JZ_ADC_REG_ADCLK		0x28
 
 #define JZ_ADC_REG_CFG_BAT_MD		BIT(4)
+#define JZ_ADC_REG_ADCLK_CLKDIV_LSB	0
+#define JZ_ADC_REG_ADCLK_CLKDIV10US_LSB	16
 
 #define JZ_ADC_AUX_VREF				3300
 #define JZ_ADC_AUX_VREF_BITS			12
@@ -34,6 +38,8 @@
 #define JZ4740_ADC_BATTERY_HIGH_VREF		(7500 * 0.986)
 #define JZ4740_ADC_BATTERY_HIGH_VREF_BITS	12
 
+struct ingenic_adc;
+
 struct ingenic_adc_soc_data {
 	unsigned int battery_high_vref;
 	unsigned int battery_high_vref_bits;
@@ -41,6 +47,7 @@ struct ingenic_adc_soc_data {
 	size_t battery_raw_avail_size;
 	const int *battery_scale_avail;
 	size_t battery_scale_avail_size;
+	int (*init_clk_div)(struct device *dev, struct ingenic_adc *adc);
 };
 
 struct ingenic_adc {
@@ -151,6 +158,42 @@ static const int jz4740_adc_battery_scal
 	JZ_ADC_BATTERY_LOW_VREF, JZ_ADC_BATTERY_LOW_VREF_BITS,
 };
 
+static int jz4725b_adc_init_clk_div(struct device *dev, struct ingenic_adc *adc)
+{
+	struct clk *parent_clk;
+	unsigned long parent_rate, rate;
+	unsigned int div_main, div_10us;
+
+	parent_clk = clk_get_parent(adc->clk);
+	if (!parent_clk) {
+		dev_err(dev, "ADC clock has no parent\n");
+		return -ENODEV;
+	}
+	parent_rate = clk_get_rate(parent_clk);
+
+	/*
+	 * The JZ4725B ADC works at 500 kHz to 8 MHz.
+	 * We pick the highest rate possible.
+	 * In practice we typically get 6 MHz, half of the 12 MHz EXT clock.
+	 */
+	div_main = DIV_ROUND_UP(parent_rate, 8000000);
+	div_main = clamp(div_main, 1u, 64u);
+	rate = parent_rate / div_main;
+	if (rate < 500000 || rate > 8000000) {
+		dev_err(dev, "No valid divider for ADC main clock\n");
+		return -EINVAL;
+	}
+
+	/* We also need a divider that produces a 10us clock. */
+	div_10us = DIV_ROUND_UP(rate, 100000);
+
+	writel(((div_10us - 1) << JZ_ADC_REG_ADCLK_CLKDIV10US_LSB) |
+	       (div_main - 1) << JZ_ADC_REG_ADCLK_CLKDIV_LSB,
+	       adc->base + JZ_ADC_REG_ADCLK);
+
+	return 0;
+}
+
 static const struct ingenic_adc_soc_data jz4725b_adc_soc_data = {
 	.battery_high_vref = JZ4725B_ADC_BATTERY_HIGH_VREF,
 	.battery_high_vref_bits = JZ4725B_ADC_BATTERY_HIGH_VREF_BITS,
@@ -158,6 +201,7 @@ static const struct ingenic_adc_soc_data
 	.battery_raw_avail_size = ARRAY_SIZE(jz4725b_adc_battery_raw_avail),
 	.battery_scale_avail = jz4725b_adc_battery_scale_avail,
 	.battery_scale_avail_size = ARRAY_SIZE(jz4725b_adc_battery_scale_avail),
+	.init_clk_div = jz4725b_adc_init_clk_div,
 };
 
 static const struct ingenic_adc_soc_data jz4740_adc_soc_data = {
@@ -167,6 +211,7 @@ static const struct ingenic_adc_soc_data
 	.battery_raw_avail_size = ARRAY_SIZE(jz4740_adc_battery_raw_avail),
 	.battery_scale_avail = jz4740_adc_battery_scale_avail,
 	.battery_scale_avail_size = ARRAY_SIZE(jz4740_adc_battery_scale_avail),
+	.init_clk_div = NULL, /* no ADCLK register on JZ4740 */
 };
 
 static int ingenic_adc_read_avail(struct iio_dev *iio_dev,
@@ -317,6 +362,15 @@ static int ingenic_adc_probe(struct plat
 		return ret;
 	}
 
+	/* Set clock dividers. */
+	if (soc_data->init_clk_div) {
+		ret = soc_data->init_clk_div(dev, adc);
+		if (ret) {
+			clk_disable_unprepare(adc->clk);
+			return ret;
+		}
+	}
+
 	/* Put hardware in a known passive state. */
 	writeb(0x00, adc->base + JZ_ADC_REG_ENABLE);
 	writeb(0xff, adc->base + JZ_ADC_REG_CTRL);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 003/144] iio: cros_ec_accel_legacy: Fix incorrect channel setting
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 001/144] Revert "PCI: Add missing link delays required by the PCIe spec" Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 002/144] IIO: Ingenic JZ47xx: Set clock divider on probe Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 004/144] iio: imu: mpu6050: add missing available scan masks Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gwendal Grignou, Stable, Jonathan Cameron

From: Gwendal Grignou <gwendal@chromium.org>

commit 6cdff99c9f7d7d28b87cf05dd464f7c7736332ae upstream.

INFO_SCALE is set both for each channel and all channels.
iio is using all channel setting, so the error was not user visible.

Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/accel/cros_ec_accel_legacy.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/iio/accel/cros_ec_accel_legacy.c
+++ b/drivers/iio/accel/cros_ec_accel_legacy.c
@@ -319,7 +319,6 @@ static const struct iio_chan_spec_ext_in
 		.modified = 1,					        \
 		.info_mask_separate =					\
 			BIT(IIO_CHAN_INFO_RAW) |			\
-			BIT(IIO_CHAN_INFO_SCALE) |			\
 			BIT(IIO_CHAN_INFO_CALIBBIAS),			\
 		.info_mask_shared_by_all = BIT(IIO_CHAN_INFO_SCALE),	\
 		.ext_info = cros_ec_accel_legacy_ext_info,		\



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 004/144] iio: imu: mpu6050: add missing available scan masks
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 003/144] iio: cros_ec_accel_legacy: Fix incorrect channel setting Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 005/144] iio: adc: gyroadc: fix uninitialized return code Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jean-Baptiste Maneyrol, Stable,
	Jonathan Cameron

From: Jean-Baptiste Maneyrol <JManeyrol@invensense.com>

commit 1244a720572fd1680ac8d6b8a4235f2e8557b810 upstream.

Driver only supports 3-axis gyro and/or 3-axis accel.
For icm20602, temp data is mandatory for all configurations.

Fix all single and double axis configurations (almost never used) and more
importantly fix 3-axis gyro and 6-axis accel+gyro buffer on icm20602 when
temp data is not enabled.

Signed-off-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
Fixes: 1615fe41a195 ("iio: imu: mpu6050: Fix FIFO layout for ICM20602")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/imu/inv_mpu6050/inv_mpu_core.c |   43 +++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
@@ -845,6 +845,25 @@ static const struct iio_chan_spec inv_mp
 	INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Z, INV_MPU6050_SCAN_ACCL_Z),
 };
 
+static const unsigned long inv_mpu_scan_masks[] = {
+	/* 3-axis accel */
+	BIT(INV_MPU6050_SCAN_ACCL_X)
+		| BIT(INV_MPU6050_SCAN_ACCL_Y)
+		| BIT(INV_MPU6050_SCAN_ACCL_Z),
+	/* 3-axis gyro */
+	BIT(INV_MPU6050_SCAN_GYRO_X)
+		| BIT(INV_MPU6050_SCAN_GYRO_Y)
+		| BIT(INV_MPU6050_SCAN_GYRO_Z),
+	/* 6-axis accel + gyro */
+	BIT(INV_MPU6050_SCAN_ACCL_X)
+		| BIT(INV_MPU6050_SCAN_ACCL_Y)
+		| BIT(INV_MPU6050_SCAN_ACCL_Z)
+		| BIT(INV_MPU6050_SCAN_GYRO_X)
+		| BIT(INV_MPU6050_SCAN_GYRO_Y)
+		| BIT(INV_MPU6050_SCAN_GYRO_Z),
+	0,
+};
+
 static const struct iio_chan_spec inv_icm20602_channels[] = {
 	IIO_CHAN_SOFT_TIMESTAMP(INV_ICM20602_SCAN_TIMESTAMP),
 	{
@@ -871,6 +890,28 @@ static const struct iio_chan_spec inv_ic
 	INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Z, INV_ICM20602_SCAN_ACCL_Z),
 };
 
+static const unsigned long inv_icm20602_scan_masks[] = {
+	/* 3-axis accel + temp (mandatory) */
+	BIT(INV_ICM20602_SCAN_ACCL_X)
+		| BIT(INV_ICM20602_SCAN_ACCL_Y)
+		| BIT(INV_ICM20602_SCAN_ACCL_Z)
+		| BIT(INV_ICM20602_SCAN_TEMP),
+	/* 3-axis gyro + temp (mandatory) */
+	BIT(INV_ICM20602_SCAN_GYRO_X)
+		| BIT(INV_ICM20602_SCAN_GYRO_Y)
+		| BIT(INV_ICM20602_SCAN_GYRO_Z)
+		| BIT(INV_ICM20602_SCAN_TEMP),
+	/* 6-axis accel + gyro + temp (mandatory) */
+	BIT(INV_ICM20602_SCAN_ACCL_X)
+		| BIT(INV_ICM20602_SCAN_ACCL_Y)
+		| BIT(INV_ICM20602_SCAN_ACCL_Z)
+		| BIT(INV_ICM20602_SCAN_GYRO_X)
+		| BIT(INV_ICM20602_SCAN_GYRO_Y)
+		| BIT(INV_ICM20602_SCAN_GYRO_Z)
+		| BIT(INV_ICM20602_SCAN_TEMP),
+	0,
+};
+
 /*
  * The user can choose any frequency between INV_MPU6050_MIN_FIFO_RATE and
  * INV_MPU6050_MAX_FIFO_RATE, but only these frequencies are matched by the
@@ -1130,9 +1171,11 @@ int inv_mpu_core_probe(struct regmap *re
 	if (chip_type == INV_ICM20602) {
 		indio_dev->channels = inv_icm20602_channels;
 		indio_dev->num_channels = ARRAY_SIZE(inv_icm20602_channels);
+		indio_dev->available_scan_masks = inv_icm20602_scan_masks;
 	} else {
 		indio_dev->channels = inv_mpu_channels;
 		indio_dev->num_channels = ARRAY_SIZE(inv_mpu_channels);
+		indio_dev->available_scan_masks = inv_mpu_scan_masks;
 	}
 
 	indio_dev->info = &mpu_info;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 005/144] iio: adc: gyroadc: fix uninitialized return code
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 004/144] iio: imu: mpu6050: add missing available scan masks Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 006/144] iio: adc: max9611: Fix misuse of GENMASK macro Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Wolfram Sang,
	Jonathan Cameron

From: Arnd Bergmann <arnd@arndb.de>

commit 90c6260c1905a68fb596844087f2223bd4657fee upstream.

gcc-9 complains about a blatant uninitialized variable use that
all earlier compiler versions missed:

drivers/iio/adc/rcar-gyroadc.c:510:5: warning: 'ret' may be used uninitialized in this function [-Wmaybe-uninitialized]

Return -EINVAL instead here and a few lines above it where
we accidentally return 0 on failure.

Cc: stable@vger.kernel.org
Fixes: 059c53b32329 ("iio: adc: Add Renesas GyroADC driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/rcar-gyroadc.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/rcar-gyroadc.c
+++ b/drivers/iio/adc/rcar-gyroadc.c
@@ -382,7 +382,7 @@ static int rcar_gyroadc_parse_subdevs(st
 				dev_err(dev,
 					"Only %i channels supported with %pOFn, but reg = <%i>.\n",
 					num_channels, child, reg);
-				return ret;
+				return -EINVAL;
 			}
 		}
 
@@ -391,7 +391,7 @@ static int rcar_gyroadc_parse_subdevs(st
 			dev_err(dev,
 				"Channel %i uses different ADC mode than the rest.\n",
 				reg);
-			return ret;
+			return -EINVAL;
 		}
 
 		/* Channel is valid, grab the regulator. */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 006/144] iio: adc: max9611: Fix misuse of GENMASK macro
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 005/144] iio: adc: gyroadc: fix uninitialized return code Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 007/144] staging: gasket: apex: fix copy-paste typo Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Perches, Stable, Jonathan Cameron

From: Joe Perches <joe@perches.com>

commit ae8cc91a7d85e018c0c267f580820b2bb558cd48 upstream.

Arguments are supposed to be ordered high then low.

Signed-off-by: Joe Perches <joe@perches.com>
Fixes: 69780a3bbc0b ("iio: adc: Add Maxim max9611 ADC driver")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/max9611.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/max9611.c
+++ b/drivers/iio/adc/max9611.c
@@ -83,7 +83,7 @@
 #define MAX9611_TEMP_MAX_POS		0x7f80
 #define MAX9611_TEMP_MAX_NEG		0xff80
 #define MAX9611_TEMP_MIN_NEG		0xd980
-#define MAX9611_TEMP_MASK		GENMASK(7, 15)
+#define MAX9611_TEMP_MASK		GENMASK(15, 7)
 #define MAX9611_TEMP_SHIFT		0x07
 #define MAX9611_TEMP_RAW(_r)		((_r) >> MAX9611_TEMP_SHIFT)
 #define MAX9611_TEMP_SCALE_NUM		1000000



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 007/144] staging: gasket: apex: fix copy-paste typo
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 006/144] iio: adc: max9611: Fix misuse of GENMASK macro Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 008/144] staging: wilc1000: flush the workqueue before deinit the host Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ivan Bornyakov

From: Ivan Bornyakov <brnkv.i1@gmail.com>

commit 66665bb9979246729562a09fcdbb101c83127989 upstream.

In sysfs_show() case-branches ATTR_KERNEL_HIB_PAGE_TABLE_SIZE and
ATTR_KERNEL_HIB_SIMPLE_PAGE_TABLE_SIZE do the same. It looks like
copy-paste mistake.

Signed-off-by: Ivan Bornyakov <brnkv.i1@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190710204518.16814-1-brnkv.i1@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/gasket/apex_driver.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/gasket/apex_driver.c
+++ b/drivers/staging/gasket/apex_driver.c
@@ -532,7 +532,7 @@ static ssize_t sysfs_show(struct device
 		break;
 	case ATTR_KERNEL_HIB_SIMPLE_PAGE_TABLE_SIZE:
 		ret = scnprintf(buf, PAGE_SIZE, "%u\n",
-				gasket_page_table_num_entries(
+				gasket_page_table_num_simple_entries(
 					gasket_dev->page_table[0]));
 		break;
 	case ATTR_KERNEL_HIB_NUM_ACTIVE_PAGES:



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 008/144] staging: wilc1000: flush the workqueue before deinit the host
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 007/144] staging: gasket: apex: fix copy-paste typo Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 009/144] staging: android: ion: Bail out upon SIGKILL when allocating memory Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Adham Abozaeid

From: Adham Abozaeid <adham.abozaeid@microchip.com>

commit fb2b055b7e6e44efda737c7c92f46c0868bb04e5 upstream.

Before deinitializing the host interface, the workqueue should be flushed
to handle any pending deferred work

Signed-off-by: Adham Abozaeid <adham.abozaeid@microchip.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190722213837.21952-1-adham.abozaeid@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/wilc1000/wilc_wfi_cfgoperations.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
+++ b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
@@ -1789,6 +1789,7 @@ void wilc_deinit_host_int(struct net_dev
 
 	priv->p2p_listen_state = false;
 
+	flush_workqueue(vif->wilc->hif_workqueue);
 	mutex_destroy(&priv->scan_req_lock);
 	ret = wilc_deinit(vif);
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 009/144] staging: android: ion: Bail out upon SIGKILL when allocating memory.
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 008/144] staging: wilc1000: flush the workqueue before deinit the host Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 010/144] Staging: fbtft: Fix probing of gpio descriptor Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tetsuo Handa, syzbot, Laura Abbott,
	Sumit Semwal

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 8f9e86ee795971eabbf372e6d804d6b8578287a7 upstream.

syzbot found that a thread can stall for minutes inside
ion_system_heap_allocate() after that thread was killed by SIGKILL [1].
Let's check for SIGKILL before doing memory allocation.

[1] https://syzkaller.appspot.com/bug?id=a0e3436829698d5824231251fad9d8e998f94f5e

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: stable <stable@vger.kernel.org>
Reported-by: syzbot <syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com>
Acked-by: Laura Abbott <labbott@redhat.com>
Acked-by: Sumit Semwal <sumit.semwal@linaro.org>
Link: https://lore.kernel.org/r/d088f188-5f32-d8fc-b9a0-0b404f7501cc@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/android/ion/ion_page_pool.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/staging/android/ion/ion_page_pool.c
+++ b/drivers/staging/android/ion/ion_page_pool.c
@@ -8,11 +8,14 @@
 #include <linux/list.h>
 #include <linux/slab.h>
 #include <linux/swap.h>
+#include <linux/sched/signal.h>
 
 #include "ion.h"
 
 static inline struct page *ion_page_pool_alloc_pages(struct ion_page_pool *pool)
 {
+	if (fatal_signal_pending(current))
+		return NULL;
 	return alloc_pages(pool->gfp_mask, pool->order);
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 010/144] Staging: fbtft: Fix probing of gpio descriptor
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 009/144] staging: android: ion: Bail out upon SIGKILL when allocating memory Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 011/144] Staging: fbtft: Fix reset assertion when using " Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Saenz Julienne,
	Jan Sebastian Götte, Phil Reid

From: Phil Reid <preid@electromag.com.au>

commit dbc4f989c878fe101fb7920e9609e8ec44e097cd upstream.

Conversion to use gpio descriptors broke all gpio lookups as
devm_gpiod_get_index was converted to use dev->driver->name for
the gpio name lookup. Fix this by using the name param. In
addition gpiod_get post-fixes the -gpios to the name so that
shouldn't be included in the call. However this then breaks the
of_find_property call to see if the gpio entry exists as all
fbtft treats all gpios as optional. So use devm_gpiod_get_index_optional
instead which achieves the same thing and is simpler.

Nishad confirmed the changes where only ever compile tested.

Fixes: c440eee1a7a1 ("Staging: fbtft: Switch to the gpio descriptor interface")
Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Tested-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Tested-by: Jan Sebastian Götte <linux@jaseg.net>
Signed-off-by: Phil Reid <preid@electromag.com.au>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1563236677-5045-2-git-send-email-preid@electromag.com.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/fbtft/fbtft-core.c |   39 +++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 21 deletions(-)

--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -76,21 +76,18 @@ static int fbtft_request_one_gpio(struct
 				  struct gpio_desc **gpiop)
 {
 	struct device *dev = par->info->device;
-	struct device_node *node = dev->of_node;
 	int ret = 0;
 
-	if (of_find_property(node, name, NULL)) {
-		*gpiop = devm_gpiod_get_index(dev, dev->driver->name, index,
-					      GPIOD_OUT_HIGH);
-		if (IS_ERR(*gpiop)) {
-			ret = PTR_ERR(*gpiop);
-			dev_err(dev,
-				"Failed to request %s GPIO:%d\n", name, ret);
-			return ret;
-		}
-		fbtft_par_dbg(DEBUG_REQUEST_GPIOS, par, "%s: '%s' GPIO\n",
-			      __func__, name);
+	*gpiop = devm_gpiod_get_index_optional(dev, name, index,
+					       GPIOD_OUT_HIGH);
+	if (IS_ERR(*gpiop)) {
+		ret = PTR_ERR(*gpiop);
+		dev_err(dev,
+			"Failed to request %s GPIO: %d\n", name, ret);
+		return ret;
 	}
+	fbtft_par_dbg(DEBUG_REQUEST_GPIOS, par, "%s: '%s' GPIO\n",
+		      __func__, name);
 
 	return ret;
 }
@@ -103,34 +100,34 @@ static int fbtft_request_gpios_dt(struct
 	if (!par->info->device->of_node)
 		return -EINVAL;
 
-	ret = fbtft_request_one_gpio(par, "reset-gpios", 0, &par->gpio.reset);
+	ret = fbtft_request_one_gpio(par, "reset", 0, &par->gpio.reset);
 	if (ret)
 		return ret;
-	ret = fbtft_request_one_gpio(par, "dc-gpios", 0, &par->gpio.dc);
+	ret = fbtft_request_one_gpio(par, "dc", 0, &par->gpio.dc);
 	if (ret)
 		return ret;
-	ret = fbtft_request_one_gpio(par, "rd-gpios", 0, &par->gpio.rd);
+	ret = fbtft_request_one_gpio(par, "rd", 0, &par->gpio.rd);
 	if (ret)
 		return ret;
-	ret = fbtft_request_one_gpio(par, "wr-gpios", 0, &par->gpio.wr);
+	ret = fbtft_request_one_gpio(par, "wr", 0, &par->gpio.wr);
 	if (ret)
 		return ret;
-	ret = fbtft_request_one_gpio(par, "cs-gpios", 0, &par->gpio.cs);
+	ret = fbtft_request_one_gpio(par, "cs", 0, &par->gpio.cs);
 	if (ret)
 		return ret;
-	ret = fbtft_request_one_gpio(par, "latch-gpios", 0, &par->gpio.latch);
+	ret = fbtft_request_one_gpio(par, "latch", 0, &par->gpio.latch);
 	if (ret)
 		return ret;
 	for (i = 0; i < 16; i++) {
-		ret = fbtft_request_one_gpio(par, "db-gpios", i,
+		ret = fbtft_request_one_gpio(par, "db", i,
 					     &par->gpio.db[i]);
 		if (ret)
 			return ret;
-		ret = fbtft_request_one_gpio(par, "led-gpios", i,
+		ret = fbtft_request_one_gpio(par, "led", i,
 					     &par->gpio.led[i]);
 		if (ret)
 			return ret;
-		ret = fbtft_request_one_gpio(par, "aux-gpios", i,
+		ret = fbtft_request_one_gpio(par, "aux", i,
 					     &par->gpio.aux[i]);
 		if (ret)
 			return ret;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 011/144] Staging: fbtft: Fix reset assertion when using gpio descriptor
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 010/144] Staging: fbtft: Fix probing of gpio descriptor Greg Kroah-Hartman
@ 2019-08-14 16:59 ` " Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 012/144] crypto: ccp - Fix oops by properly managing allocated structures Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Saenz Julienne,
	Jan Sebastian Götte, Phil Reid

From: Phil Reid <preid@electromag.com.au>

commit b918d1c2706619cb0712a61cc8c05148b68b24b2 upstream.

Typically gpiod_set_value calls would assert the reset line and
then release it using the symantics of:
	gpiod_set_value(par->gpio.reset, 0);
	... delay
	gpiod_set_value(par->gpio.reset, 1);
And the gpio binding would specify the polarity.

Prior to conversion to gpiod calls the polarity in the DT
was ignored and assumed to be active low. Fix it so that
DT polarity is respected.

Fixes: c440eee1a7a1 ("Staging: fbtft: Switch to the gpio descriptor interface")
Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Tested-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Tested-by: Jan Sebastian Götte <linux@jaseg.net>
Signed-off-by: Phil Reid <preid@electromag.com.au>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1563236677-5045-3-git-send-email-preid@electromag.com.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/fbtft/fbtft-core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -231,9 +231,9 @@ static void fbtft_reset(struct fbtft_par
 	if (!par->gpio.reset)
 		return;
 	fbtft_par_dbg(DEBUG_RESET, par, "%s()\n", __func__);
-	gpiod_set_value_cansleep(par->gpio.reset, 0);
-	usleep_range(20, 40);
 	gpiod_set_value_cansleep(par->gpio.reset, 1);
+	usleep_range(20, 40);
+	gpiod_set_value_cansleep(par->gpio.reset, 0);
 	msleep(120);
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 012/144] crypto: ccp - Fix oops by properly managing allocated structures
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 011/144] Staging: fbtft: Fix reset assertion when using " Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 013/144] crypto: ccp - Add support for valid authsize values less than 16 Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gary R Hook, Herbert Xu

From: Gary R Hook <gary.hook@amd.com>

commit 25e44338321af545ab34243a6081c3f0fc6107d0 upstream.

A plaintext or ciphertext length of 0 is allowed in AES, in which case
no encryption occurs. Ensure that we don't clean up data structures
that were never allocated.

Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
Cc: <stable@vger.kernel.org>
Signed-off-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/ccp-ops.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -859,11 +859,11 @@ e_tag:
 	ccp_dm_free(&final_wa);
 
 e_dst:
-	if (aes->src_len && !in_place)
+	if (ilen > 0 && !in_place)
 		ccp_free_data(&dst, cmd_q);
 
 e_src:
-	if (aes->src_len)
+	if (ilen > 0)
 		ccp_free_data(&src, cmd_q);
 
 e_aad:



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 013/144] crypto: ccp - Add support for valid authsize values less than 16
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 012/144] crypto: ccp - Fix oops by properly managing allocated structures Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 014/144] crypto: ccp - Ignore tag length when decrypting GCM ciphertext Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gary R Hook, Herbert Xu

From: Gary R Hook <gary.hook@amd.com>

commit 9f00baf74e4b6f79a3a3dfab44fb7bb2e797b551 upstream.

AES GCM encryption allows for authsize values of 4, 8, and 12-16 bytes.
Validate the requested authsize, and retain it to save in the request
context.

Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
Cc: <stable@vger.kernel.org>
Signed-off-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/ccp-crypto-aes-galois.c |   14 ++++++++++++++
 drivers/crypto/ccp/ccp-ops.c               |   26 +++++++++++++++++++++-----
 include/linux/ccp.h                        |    2 ++
 3 files changed, 37 insertions(+), 5 deletions(-)

--- a/drivers/crypto/ccp/ccp-crypto-aes-galois.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-galois.c
@@ -58,6 +58,19 @@ static int ccp_aes_gcm_setkey(struct cry
 static int ccp_aes_gcm_setauthsize(struct crypto_aead *tfm,
 				   unsigned int authsize)
 {
+	switch (authsize) {
+	case 16:
+	case 15:
+	case 14:
+	case 13:
+	case 12:
+	case 8:
+	case 4:
+		break;
+	default:
+		return -EINVAL;
+	}
+
 	return 0;
 }
 
@@ -104,6 +117,7 @@ static int ccp_aes_gcm_crypt(struct aead
 	memset(&rctx->cmd, 0, sizeof(rctx->cmd));
 	INIT_LIST_HEAD(&rctx->cmd.entry);
 	rctx->cmd.engine = CCP_ENGINE_AES;
+	rctx->cmd.u.aes.authsize = crypto_aead_authsize(tfm);
 	rctx->cmd.u.aes.type = ctx->u.aes.type;
 	rctx->cmd.u.aes.mode = ctx->u.aes.mode;
 	rctx->cmd.u.aes.action = encrypt;
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -622,6 +622,7 @@ static int ccp_run_aes_gcm_cmd(struct cc
 
 	unsigned long long *final;
 	unsigned int dm_offset;
+	unsigned int authsize;
 	unsigned int jobid;
 	unsigned int ilen;
 	bool in_place = true; /* Default value */
@@ -643,6 +644,21 @@ static int ccp_run_aes_gcm_cmd(struct cc
 	if (!aes->key) /* Gotta have a key SGL */
 		return -EINVAL;
 
+	/* Zero defaults to 16 bytes, the maximum size */
+	authsize = aes->authsize ? aes->authsize : AES_BLOCK_SIZE;
+	switch (authsize) {
+	case 16:
+	case 15:
+	case 14:
+	case 13:
+	case 12:
+	case 8:
+	case 4:
+		break;
+	default:
+		return -EINVAL;
+	}
+
 	/* First, decompose the source buffer into AAD & PT,
 	 * and the destination buffer into AAD, CT & tag, or
 	 * the input into CT & tag.
@@ -657,7 +673,7 @@ static int ccp_run_aes_gcm_cmd(struct cc
 		p_tag = scatterwalk_ffwd(sg_tag, p_outp, ilen);
 	} else {
 		/* Input length for decryption includes tag */
-		ilen = aes->src_len - AES_BLOCK_SIZE;
+		ilen = aes->src_len - authsize;
 		p_tag = scatterwalk_ffwd(sg_tag, p_inp, ilen);
 	}
 
@@ -839,19 +855,19 @@ static int ccp_run_aes_gcm_cmd(struct cc
 
 	if (aes->action == CCP_AES_ACTION_ENCRYPT) {
 		/* Put the ciphered tag after the ciphertext. */
-		ccp_get_dm_area(&final_wa, 0, p_tag, 0, AES_BLOCK_SIZE);
+		ccp_get_dm_area(&final_wa, 0, p_tag, 0, authsize);
 	} else {
 		/* Does this ciphered tag match the input? */
-		ret = ccp_init_dm_workarea(&tag, cmd_q, AES_BLOCK_SIZE,
+		ret = ccp_init_dm_workarea(&tag, cmd_q, authsize,
 					   DMA_BIDIRECTIONAL);
 		if (ret)
 			goto e_tag;
-		ret = ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
+		ret = ccp_set_dm_area(&tag, 0, p_tag, 0, authsize);
 		if (ret)
 			goto e_tag;
 
 		ret = crypto_memneq(tag.address, final_wa.address,
-				    AES_BLOCK_SIZE) ? -EBADMSG : 0;
+				    authsize) ? -EBADMSG : 0;
 		ccp_dm_free(&tag);
 	}
 
--- a/include/linux/ccp.h
+++ b/include/linux/ccp.h
@@ -170,6 +170,8 @@ struct ccp_aes_engine {
 	enum ccp_aes_mode mode;
 	enum ccp_aes_action action;
 
+	u32 authsize;
+
 	struct scatterlist *key;
 	u32 key_len;		/* In bytes */
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 014/144] crypto: ccp - Ignore tag length when decrypting GCM ciphertext
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 013/144] crypto: ccp - Add support for valid authsize values less than 16 Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 015/144] driver core: platform: return -ENXIO for missing GpioInt Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gary R Hook, Herbert Xu

From: Gary R Hook <gary.hook@amd.com>

commit e2664ecbb2f26225ac6646876f2899558ffb2604 upstream.

AES GCM input buffers for decryption contain AAD+CTEXT+TAG. Only
decrypt the ciphertext, and use the tag for comparison.

Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
Cc: <stable@vger.kernel.org>
Signed-off-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/ccp-ops.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -782,8 +782,7 @@ static int ccp_run_aes_gcm_cmd(struct cc
 		while (src.sg_wa.bytes_left) {
 			ccp_prepare_data(&src, &dst, &op, AES_BLOCK_SIZE, true);
 			if (!src.sg_wa.bytes_left) {
-				unsigned int nbytes = aes->src_len
-						      % AES_BLOCK_SIZE;
+				unsigned int nbytes = ilen % AES_BLOCK_SIZE;
 
 				if (nbytes) {
 					op.eom = 1;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 015/144] driver core: platform: return -ENXIO for missing GpioInt
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 014/144] crypto: ccp - Ignore tag length when decrypting GCM ciphertext Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 016/144] usb: usbfs: fix double-free of usb memory upon submiturb error Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Norris, Salvatore Bellizzi,
	Enrico Granata, Andy Shevchenko, Enrico Granata

From: Brian Norris <briannorris@chromium.org>

commit 46c42d844211ef5902e32aa507beac0817c585e9 upstream.

Commit daaef255dc96 ("driver: platform: Support parsing GpioInt 0 in
platform_get_irq()") broke the Embedded Controller driver on most LPC
Chromebooks (i.e., most x86 Chromebooks), because cros_ec_lpc expects
platform_get_irq() to return -ENXIO for non-existent IRQs.
Unfortunately, acpi_dev_gpio_irq_get() doesn't follow this convention
and returns -ENOENT instead. So we get this error from cros_ec_lpc:

   couldn't retrieve IRQ number (-2)

I see a variety of drivers that treat -ENXIO specially, so rather than
fix all of them, let's fix up the API to restore its previous behavior.

I reported this on v2 of this patch:

https://lore.kernel.org/lkml/20190220180538.GA42642@google.com/

but apparently the patch had already been merged before v3 got sent out:

https://lore.kernel.org/lkml/20190221193429.161300-1-egranata@chromium.org/

and the result is that the bug landed and remains unfixed.

I differ from the v3 patch by:
 * allowing for ret==0, even though acpi_dev_gpio_irq_get() specifically
   documents (and enforces) that 0 is not a valid return value (noted on
   the v3 review)
 * adding a small comment

Reported-by: Brian Norris <briannorris@chromium.org>
Reported-by: Salvatore Bellizzi <salvatore.bellizzi@linux.seppia.net>
Cc: Enrico Granata <egranata@chromium.org>
Cc: <stable@vger.kernel.org>
Fixes: daaef255dc96 ("driver: platform: Support parsing GpioInt 0 in platform_get_irq()")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Enrico Granata <egranata@google.com>
Link: https://lore.kernel.org/r/20190729204954.25510-1-briannorris@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/platform.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/base/platform.c
+++ b/drivers/base/platform.c
@@ -157,8 +157,13 @@ int platform_get_irq(struct platform_dev
 	 * the device will only expose one IRQ, and this fallback
 	 * allows a common code path across either kind of resource.
 	 */
-	if (num == 0 && has_acpi_companion(&dev->dev))
-		return acpi_dev_gpio_irq_get(ACPI_COMPANION(&dev->dev), num);
+	if (num == 0 && has_acpi_companion(&dev->dev)) {
+		int ret = acpi_dev_gpio_irq_get(ACPI_COMPANION(&dev->dev), num);
+
+		/* Our callers expect -ENXIO for missing IRQs. */
+		if (ret >= 0 || ret == -EPROBE_DEFER)
+			return ret;
+	}
 
 	return -ENXIO;
 #endif



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 016/144] usb: usbfs: fix double-free of usb memory upon submiturb error
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 015/144] driver core: platform: return -ENXIO for missing GpioInt Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 017/144] Revert "USB: rio500: simplify locking" Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gavin Li, Alan Stern

From: Gavin Li <git@thegavinli.com>

commit c43f28dfdc4654e738aa6d3fd08a105b2bee758d upstream.

Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
gets called once by the error handling tail and again by free_async().
Remove the first call.

Signed-off-by: Gavin Li <git@thegavinli.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/devio.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1788,8 +1788,6 @@ static int proc_do_submiturb(struct usb_
 	return 0;
 
  error:
-	if (as && as->usbm)
-		dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
 	kfree(isopkt);
 	kfree(dr);
 	if (as)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 017/144] Revert "USB: rio500: simplify locking"
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 016/144] usb: usbfs: fix double-free of usb memory upon submiturb error Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 018/144] usb: iowarrior: fix deadlock on disconnect Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+7bbcbe9c9ff0cd49592a, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit 2ca359f4f8b954b3a9d15a89f22a8b7283e7669f upstream.

This reverts commit d710734b06770814de2bfa2819420fb5df7f3a81.
This simplification causes a deadlock.

Reported-by: syzbot+7bbcbe9c9ff0cd49592a@syzkaller.appspotmail.com
Fixes: d710734b0677 ("USB: rio500: simplify locking")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20190808092854.23519-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/rio500.c |   43 +++++++++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 16 deletions(-)

--- a/drivers/usb/misc/rio500.c
+++ b/drivers/usb/misc/rio500.c
@@ -51,6 +51,7 @@ struct rio_usb_data {
         char *obuf, *ibuf;              /* transfer buffers */
         char bulk_in_ep, bulk_out_ep;   /* Endpoint assignments */
         wait_queue_head_t wait_q;       /* for timeouts */
+	struct mutex lock;          /* general race avoidance */
 };
 
 static DEFINE_MUTEX(rio500_mutex);
@@ -62,8 +63,10 @@ static int open_rio(struct inode *inode,
 
 	/* against disconnect() */
 	mutex_lock(&rio500_mutex);
+	mutex_lock(&(rio->lock));
 
 	if (rio->isopen || !rio->present) {
+		mutex_unlock(&(rio->lock));
 		mutex_unlock(&rio500_mutex);
 		return -EBUSY;
 	}
@@ -71,6 +74,7 @@ static int open_rio(struct inode *inode,
 
 	init_waitqueue_head(&rio->wait_q);
 
+	mutex_unlock(&(rio->lock));
 
 	dev_info(&rio->rio_dev->dev, "Rio opened.\n");
 	mutex_unlock(&rio500_mutex);
@@ -84,6 +88,7 @@ static int close_rio(struct inode *inode
 
 	/* against disconnect() */
 	mutex_lock(&rio500_mutex);
+	mutex_lock(&(rio->lock));
 
 	rio->isopen = 0;
 	if (!rio->present) {
@@ -95,6 +100,7 @@ static int close_rio(struct inode *inode
 	} else {
 		dev_info(&rio->rio_dev->dev, "Rio closed.\n");
 	}
+	mutex_unlock(&(rio->lock));
 	mutex_unlock(&rio500_mutex);
 	return 0;
 }
@@ -109,7 +115,7 @@ static long ioctl_rio(struct file *file,
 	int retries;
 	int retval=0;
 
-	mutex_lock(&rio500_mutex);
+	mutex_lock(&(rio->lock));
         /* Sanity check to make sure rio is connected, powered, etc */
         if (rio->present == 0 || rio->rio_dev == NULL) {
 		retval = -ENODEV;
@@ -253,7 +259,7 @@ static long ioctl_rio(struct file *file,
 
 
 err_out:
-	mutex_unlock(&rio500_mutex);
+	mutex_unlock(&(rio->lock));
 	return retval;
 }
 
@@ -273,12 +279,12 @@ write_rio(struct file *file, const char
 	int errn = 0;
 	int intr;
 
-	intr = mutex_lock_interruptible(&rio500_mutex);
+	intr = mutex_lock_interruptible(&(rio->lock));
 	if (intr)
 		return -EINTR;
         /* Sanity check to make sure rio is connected, powered, etc */
         if (rio->present == 0 || rio->rio_dev == NULL) {
-		mutex_unlock(&rio500_mutex);
+		mutex_unlock(&(rio->lock));
 		return -ENODEV;
 	}
 
@@ -301,7 +307,7 @@ write_rio(struct file *file, const char
 				goto error;
 			}
 			if (signal_pending(current)) {
-				mutex_unlock(&rio500_mutex);
+				mutex_unlock(&(rio->lock));
 				return bytes_written ? bytes_written : -EINTR;
 			}
 
@@ -339,12 +345,12 @@ write_rio(struct file *file, const char
 		buffer += copy_size;
 	} while (count > 0);
 
-	mutex_unlock(&rio500_mutex);
+	mutex_unlock(&(rio->lock));
 
 	return bytes_written ? bytes_written : -EIO;
 
 error:
-	mutex_unlock(&rio500_mutex);
+	mutex_unlock(&(rio->lock));
 	return errn;
 }
 
@@ -361,12 +367,12 @@ read_rio(struct file *file, char __user
 	char *ibuf;
 	int intr;
 
-	intr = mutex_lock_interruptible(&rio500_mutex);
+	intr = mutex_lock_interruptible(&(rio->lock));
 	if (intr)
 		return -EINTR;
 	/* Sanity check to make sure rio is connected, powered, etc */
         if (rio->present == 0 || rio->rio_dev == NULL) {
-		mutex_unlock(&rio500_mutex);
+		mutex_unlock(&(rio->lock));
 		return -ENODEV;
 	}
 
@@ -377,11 +383,11 @@ read_rio(struct file *file, char __user
 
 	while (count > 0) {
 		if (signal_pending(current)) {
-			mutex_unlock(&rio500_mutex);
+			mutex_unlock(&(rio->lock));
 			return read_count ? read_count : -EINTR;
 		}
 		if (!rio->rio_dev) {
-			mutex_unlock(&rio500_mutex);
+			mutex_unlock(&(rio->lock));
 			return -ENODEV;
 		}
 		this_read = (count >= IBUF_SIZE) ? IBUF_SIZE : count;
@@ -399,7 +405,7 @@ read_rio(struct file *file, char __user
 			count = this_read = partial;
 		} else if (result == -ETIMEDOUT || result == 15) {	/* FIXME: 15 ??? */
 			if (!maxretry--) {
-				mutex_unlock(&rio500_mutex);
+				mutex_unlock(&(rio->lock));
 				dev_err(&rio->rio_dev->dev,
 					"read_rio: maxretry timeout\n");
 				return -ETIME;
@@ -409,19 +415,19 @@ read_rio(struct file *file, char __user
 			finish_wait(&rio->wait_q, &wait);
 			continue;
 		} else if (result != -EREMOTEIO) {
-			mutex_unlock(&rio500_mutex);
+			mutex_unlock(&(rio->lock));
 			dev_err(&rio->rio_dev->dev,
 				"Read Whoops - result:%d partial:%u this_read:%u\n",
 				result, partial, this_read);
 			return -EIO;
 		} else {
-			mutex_unlock(&rio500_mutex);
+			mutex_unlock(&(rio->lock));
 			return (0);
 		}
 
 		if (this_read) {
 			if (copy_to_user(buffer, ibuf, this_read)) {
-				mutex_unlock(&rio500_mutex);
+				mutex_unlock(&(rio->lock));
 				return -EFAULT;
 			}
 			count -= this_read;
@@ -429,7 +435,7 @@ read_rio(struct file *file, char __user
 			buffer += this_read;
 		}
 	}
-	mutex_unlock(&rio500_mutex);
+	mutex_unlock(&(rio->lock));
 	return read_count;
 }
 
@@ -494,6 +500,8 @@ static int probe_rio(struct usb_interfac
 	}
 	dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf);
 
+	mutex_init(&(rio->lock));
+
 	usb_set_intfdata (intf, rio);
 	rio->present = 1;
 bail_out:
@@ -511,10 +519,12 @@ static void disconnect_rio(struct usb_in
 	if (rio) {
 		usb_deregister_dev(intf, &usb_rio_class);
 
+		mutex_lock(&(rio->lock));
 		if (rio->isopen) {
 			rio->isopen = 0;
 			/* better let it finish - the release will do whats needed */
 			rio->rio_dev = NULL;
+			mutex_unlock(&(rio->lock));
 			mutex_unlock(&rio500_mutex);
 			return;
 		}
@@ -524,6 +534,7 @@ static void disconnect_rio(struct usb_in
 		dev_info(&intf->dev, "USB Rio disconnected.\n");
 
 		rio->present = 0;
+		mutex_unlock(&(rio->lock));
 	}
 	mutex_unlock(&rio500_mutex);
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 018/144] usb: iowarrior: fix deadlock on disconnect
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 017/144] Revert "USB: rio500: simplify locking" Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 019/144] sound: fix a memory leak bug Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+a64a382964bf6c71a9c0, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream.

We have to drop the mutex before we close() upon disconnect()
as close() needs the lock. This is safe to do by dropping the
mutex as intfdata is already set to NULL, so open() will fail.

Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/iowarrior.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -866,19 +866,20 @@ static void iowarrior_disconnect(struct
 	dev = usb_get_intfdata(interface);
 	mutex_lock(&iowarrior_open_disc_lock);
 	usb_set_intfdata(interface, NULL);
+	/* prevent device read, write and ioctl */
+	dev->present = 0;
 
 	minor = dev->minor;
+	mutex_unlock(&iowarrior_open_disc_lock);
+	/* give back our minor - this will call close() locks need to be dropped at this point*/
 
-	/* give back our minor */
 	usb_deregister_dev(interface, &iowarrior_class);
 
 	mutex_lock(&dev->mutex);
 
 	/* prevent device read, write and ioctl */
-	dev->present = 0;
 
 	mutex_unlock(&dev->mutex);
-	mutex_unlock(&iowarrior_open_disc_lock);
 
 	if (dev->opened) {
 		/* There is a process that holds a filedescriptor to the device ,



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 019/144] sound: fix a memory leak bug
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 018/144] usb: iowarrior: fix deadlock on disconnect Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 020/144] mmc: cavium: Set the correct dma max segment size for mmc_host Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Takashi Iwai

From: Wenwen Wang <wenwen@cs.uga.edu>

commit c7cd7c748a3250ca33509f9235efab9c803aca09 upstream.

In sound_insert_unit(), the controlling structure 's' is allocated through
kmalloc(). Then it is added to the sound driver list by invoking
__sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
removed from the list through __sound_remove_unit(). If 'index' is not less
than 0, -EBUSY is returned to indicate the error. However, 's' is not
deallocated on this execution path, leading to a memory leak bug.

To fix the above issue, free 's' before -EBUSY is returned.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/sound_core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/sound_core.c
+++ b/sound/sound_core.c
@@ -275,7 +275,8 @@ retry:
 				goto retry;
 			}
 			spin_unlock(&sound_loader_lock);
-			return -EBUSY;
+			r = -EBUSY;
+			goto fail;
 		}
 	}
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 020/144] mmc: cavium: Set the correct dma max segment size for mmc_host
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 019/144] sound: fix a memory leak bug Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 021/144] mmc: cavium: Add the missing dma unmap when the dma has finished Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kevin Hao, Ulf Hansson

From: Kevin Hao <haokexin@gmail.com>

commit fa25eba6993b3750f417baabba169afaba076178 upstream.

We have set the mmc_host.max_seg_size to 8M, but the dma max segment
size of PCI device is set to 64K by default in function pci_device_add().
The mmc_host.max_seg_size is used to set the max segment size of
the blk queue. Then this mismatch will trigger a calltrace like below
when a bigger than 64K segment request arrives at mmc dev. So we should
consider the limitation of the cvm_mmc_host when setting the
mmc_host.max_seg_size.
  DMA-API: thunderx_mmc 0000:01:01.4: mapping sg segment longer than device claims to support [len=131072] [max=65536]
  WARNING: CPU: 6 PID: 238 at kernel/dma/debug.c:1221 debug_dma_map_sg+0x2b8/0x350
  Modules linked in:
  CPU: 6 PID: 238 Comm: kworker/6:1H Not tainted 5.3.0-rc1-next-20190724-yocto-standard+ #62
  Hardware name: Marvell OcteonTX CN96XX board (DT)
  Workqueue: kblockd blk_mq_run_work_fn
  pstate: 80c00009 (Nzcv daif +PAN +UAO)
  pc : debug_dma_map_sg+0x2b8/0x350
  lr : debug_dma_map_sg+0x2b8/0x350
  sp : ffff00001770f9e0
  x29: ffff00001770f9e0 x28: ffffffff00000000
  x27: 00000000ffffffff x26: ffff800bc2c73180
  x25: ffff000010e83700 x24: 0000000000000002
  x23: 0000000000000001 x22: 0000000000000001
  x21: 0000000000000000 x20: ffff800bc48ba0b0
  x19: ffff800bc97e8c00 x18: ffffffffffffffff
  x17: 0000000000000000 x16: 0000000000000000
  x15: ffff000010e835c8 x14: 6874207265676e6f
  x13: 6c20746e656d6765 x12: 7320677320676e69
  x11: 7070616d203a342e x10: 31303a31303a3030
  x9 : 303020636d6d5f78 x8 : 35363d78616d5b20
  x7 : 00000000000002fd x6 : ffff000010fd57dc
  x5 : 0000000000000000 x4 : ffff0000106c61f0
  x3 : 00000000ffffffff x2 : 0000800bee060000
  x1 : 7010678df3041a00 x0 : 0000000000000000
  Call trace:
   debug_dma_map_sg+0x2b8/0x350
   cvm_mmc_request+0x3c4/0x988
   __mmc_start_request+0x9c/0x1f8
   mmc_start_request+0x7c/0xb0
   mmc_blk_mq_issue_rq+0x5c4/0x7b8
   mmc_mq_queue_rq+0x11c/0x278
   blk_mq_dispatch_rq_list+0xb0/0x568
   blk_mq_do_dispatch_sched+0x6c/0x108
   blk_mq_sched_dispatch_requests+0x110/0x1b8
   __blk_mq_run_hw_queue+0xb0/0x118
   blk_mq_run_work_fn+0x28/0x38
   process_one_work+0x210/0x490
   worker_thread+0x48/0x458
   kthread+0x130/0x138
   ret_from_fork+0x10/0x1c

Signed-off-by: Kevin Hao <haokexin@gmail.com>
Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/cavium.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/cavium.c
+++ b/drivers/mmc/host/cavium.c
@@ -1046,7 +1046,8 @@ int cvm_mmc_of_slot_probe(struct device
 		mmc->max_segs = 1;
 
 	/* DMA size field can address up to 8 MB */
-	mmc->max_seg_size = 8 * 1024 * 1024;
+	mmc->max_seg_size = min_t(unsigned int, 8 * 1024 * 1024,
+				  dma_get_max_seg_size(host->dev));
 	mmc->max_req_size = mmc->max_seg_size;
 	/* External DMA is in 512 byte blocks */
 	mmc->max_blk_size = 512;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 021/144] mmc: cavium: Add the missing dma unmap when the dma has finished.
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 020/144] mmc: cavium: Set the correct dma max segment size for mmc_host Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 022/144] loop: set PF_MEMALLOC_NOIO for the worker thread Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kevin Hao, Ulf Hansson

From: Kevin Hao <haokexin@gmail.com>

commit b803974a86039913d5280add083d730b2b9ed8ec upstream.

This fixes the below calltrace when the CONFIG_DMA_API_DEBUG is enabled.
  DMA-API: thunderx_mmc 0000:01:01.4: cpu touching an active dma mapped cacheline [cln=0x000000002fdf9800]
  WARNING: CPU: 21 PID: 1 at kernel/dma/debug.c:596 debug_dma_assert_idle+0x1f8/0x270
  Modules linked in:
  CPU: 21 PID: 1 Comm: init Not tainted 5.3.0-rc1-next-20190725-yocto-standard+ #64
  Hardware name: Marvell OcteonTX CN96XX board (DT)
  pstate: 80400009 (Nzcv daif +PAN -UAO)
  pc : debug_dma_assert_idle+0x1f8/0x270
  lr : debug_dma_assert_idle+0x1f8/0x270
  sp : ffff0000113cfc10
  x29: ffff0000113cfc10 x28: 0000ffff8c880000
  x27: ffff800bc72a0000 x26: ffff000010ff8000
  x25: ffff000010ff8940 x24: ffff000010ff8968
  x23: 0000000000000000 x22: ffff000010e83700
  x21: ffff000010ea2000 x20: ffff000010e835c8
  x19: ffff800bc2c73300 x18: ffffffffffffffff
  x17: 0000000000000000 x16: 0000000000000000
  x15: ffff000010e835c8 x14: 6d20616d64206576
  x13: 69746361206e6120 x12: 676e696863756f74
  x11: 20757063203a342e x10: 31303a31303a3030
  x9 : 303020636d6d5f78 x8 : 3230303030303030
  x7 : 00000000000002fd x6 : ffff000010fd57d0
  x5 : 0000000000000000 x4 : ffff0000106c5210
  x3 : 00000000ffffffff x2 : 0000800bee9c0000
  x1 : 57d5843f4aa62800 x0 : 0000000000000000
  Call trace:
   debug_dma_assert_idle+0x1f8/0x270
   wp_page_copy+0xb0/0x688
   do_wp_page+0xa8/0x5b8
   __handle_mm_fault+0x600/0xd00
   handle_mm_fault+0x118/0x1e8
   do_page_fault+0x200/0x500
   do_mem_abort+0x50/0xb0
   el0_da+0x20/0x24
  ---[ end trace a005534bd23e109f ]---
  DMA-API: Mapped at:
   debug_dma_map_sg+0x94/0x350
   cvm_mmc_request+0x3c4/0x988
   __mmc_start_request+0x9c/0x1f8
   mmc_start_request+0x7c/0xb0
   mmc_blk_mq_issue_rq+0x5c4/0x7b8

Signed-off-by: Kevin Hao <haokexin@gmail.com>
Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/cavium.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/mmc/host/cavium.c
+++ b/drivers/mmc/host/cavium.c
@@ -374,6 +374,7 @@ static int finish_dma_single(struct cvm_
 {
 	data->bytes_xfered = data->blocks * data->blksz;
 	data->error = 0;
+	dma_unmap_sg(host->dev, data->sg, data->sg_len, get_dma_dir(data));
 	return 1;
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 022/144] loop: set PF_MEMALLOC_NOIO for the worker thread
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 021/144] mmc: cavium: Add the missing dma unmap when the dma has finished Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 023/144] bdev: Fixup error handling in blkdev_get() Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Jens Axboe

From: Mikulas Patocka <mpatocka@redhat.com>

commit d0a255e795ab976481565f6ac178314b34fbf891 upstream.

A deadlock with this stacktrace was observed.

The loop thread does a GFP_KERNEL allocation, it calls into dm-bufio
shrinker and the shrinker depends on I/O completion in the dm-bufio
subsystem.

In order to fix the deadlock (and other similar ones), we set the flag
PF_MEMALLOC_NOIO at loop thread entry.

PID: 474    TASK: ffff8813e11f4600  CPU: 10  COMMAND: "kswapd0"
   #0 [ffff8813dedfb938] __schedule at ffffffff8173f405
   #1 [ffff8813dedfb990] schedule at ffffffff8173fa27
   #2 [ffff8813dedfb9b0] schedule_timeout at ffffffff81742fec
   #3 [ffff8813dedfba60] io_schedule_timeout at ffffffff8173f186
   #4 [ffff8813dedfbaa0] bit_wait_io at ffffffff8174034f
   #5 [ffff8813dedfbac0] __wait_on_bit at ffffffff8173fec8
   #6 [ffff8813dedfbb10] out_of_line_wait_on_bit at ffffffff8173ff81
   #7 [ffff8813dedfbb90] __make_buffer_clean at ffffffffa038736f [dm_bufio]
   #8 [ffff8813dedfbbb0] __try_evict_buffer at ffffffffa0387bb8 [dm_bufio]
   #9 [ffff8813dedfbbd0] dm_bufio_shrink_scan at ffffffffa0387cc3 [dm_bufio]
  #10 [ffff8813dedfbc40] shrink_slab at ffffffff811a87ce
  #11 [ffff8813dedfbd30] shrink_zone at ffffffff811ad778
  #12 [ffff8813dedfbdc0] kswapd at ffffffff811ae92f
  #13 [ffff8813dedfbec0] kthread at ffffffff810a8428
  #14 [ffff8813dedfbf50] ret_from_fork at ffffffff81745242

  PID: 14127  TASK: ffff881455749c00  CPU: 11  COMMAND: "loop1"
   #0 [ffff88272f5af228] __schedule at ffffffff8173f405
   #1 [ffff88272f5af280] schedule at ffffffff8173fa27
   #2 [ffff88272f5af2a0] schedule_preempt_disabled at ffffffff8173fd5e
   #3 [ffff88272f5af2b0] __mutex_lock_slowpath at ffffffff81741fb5
   #4 [ffff88272f5af330] mutex_lock at ffffffff81742133
   #5 [ffff88272f5af350] dm_bufio_shrink_count at ffffffffa03865f9 [dm_bufio]
   #6 [ffff88272f5af380] shrink_slab at ffffffff811a86bd
   #7 [ffff88272f5af470] shrink_zone at ffffffff811ad778
   #8 [ffff88272f5af500] do_try_to_free_pages at ffffffff811adb34
   #9 [ffff88272f5af590] try_to_free_pages at ffffffff811adef8
  #10 [ffff88272f5af610] __alloc_pages_nodemask at ffffffff811a09c3
  #11 [ffff88272f5af710] alloc_pages_current at ffffffff811e8b71
  #12 [ffff88272f5af760] new_slab at ffffffff811f4523
  #13 [ffff88272f5af7b0] __slab_alloc at ffffffff8173a1b5
  #14 [ffff88272f5af880] kmem_cache_alloc at ffffffff811f484b
  #15 [ffff88272f5af8d0] do_blockdev_direct_IO at ffffffff812535b3
  #16 [ffff88272f5afb00] __blockdev_direct_IO at ffffffff81255dc3
  #17 [ffff88272f5afb30] xfs_vm_direct_IO at ffffffffa01fe3fc [xfs]
  #18 [ffff88272f5afb90] generic_file_read_iter at ffffffff81198994
  #19 [ffff88272f5afc50] __dta_xfs_file_read_iter_2398 at ffffffffa020c970 [xfs]
  #20 [ffff88272f5afcc0] lo_rw_aio at ffffffffa0377042 [loop]
  #21 [ffff88272f5afd70] loop_queue_work at ffffffffa0377c3b [loop]
  #22 [ffff88272f5afe60] kthread_worker_fn at ffffffff810a8a0c
  #23 [ffff88272f5afec0] kthread at ffffffff810a8428
  #24 [ffff88272f5aff50] ret_from_fork at ffffffff81745242

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/loop.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -893,7 +893,7 @@ static void loop_unprepare_queue(struct
 
 static int loop_kthread_worker_fn(void *worker_ptr)
 {
-	current->flags |= PF_LESS_THROTTLE;
+	current->flags |= PF_LESS_THROTTLE | PF_MEMALLOC_NOIO;
 	return kthread_worker_fn(worker_ptr);
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 023/144] bdev: Fixup error handling in blkdev_get()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 022/144] loop: set PF_MEMALLOC_NOIO for the worker thread Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 024/144] Input: usbtouchscreen - initialize PM mutex before using it Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kara, Jens Axboe

From: Jan Kara <jack@suse.cz>

commit e91455bad5cff40a8c232f2204a5104127e3fec2 upstream.

Commit 89e524c04fa9 ("loop: Fix mount(2) failure due to race with
LOOP_SET_FD") converted blkdev_get() to use the new helpers for
finishing claiming of a block device. However the conversion botched the
error handling in blkdev_get() and thus the bdev has been marked as held
even in case __blkdev_get() returned error. This led to occasional
warnings with block/001 test from blktests like:

kernel: WARNING: CPU: 5 PID: 907 at fs/block_dev.c:1899 __blkdev_put+0x396/0x3a0

Correct the error handling.

CC: stable@vger.kernel.org
Fixes: 89e524c04fa9 ("loop: Fix mount(2) failure due to race with LOOP_SET_FD")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/block_dev.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1723,7 +1723,10 @@ int blkdev_get(struct block_device *bdev
 
 		/* finish claiming */
 		mutex_lock(&bdev->bd_mutex);
-		bd_finish_claiming(bdev, whole, holder);
+		if (!res)
+			bd_finish_claiming(bdev, whole, holder);
+		else
+			bd_abort_claiming(bdev, whole, holder);
 		/*
 		 * Block event polling for write claims if requested.  Any
 		 * write holder makes the write_holder state stick until



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 024/144] Input: usbtouchscreen - initialize PM mutex before using it
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 023/144] bdev: Fixup error handling in blkdev_get() Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 025/144] Input: elantech - enable SMBus on new (2018+) systems Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+199ea16c7f26418b4365,
	Oliver Neukum, Dmitry Torokhov

From: Oliver Neukum <oneukum@suse.com>

commit b55d996f057bf2e7ba9422a80b5e17e99860cb0b upstream.

Mutexes shall be initialized before they are used.

Fixes: 12e510dbc57b2 ("Input: usbtouchscreen - fix deadlock in autosuspend")
Reported-by: syzbot+199ea16c7f26418b4365@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/touchscreen/usbtouchscreen.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/input/touchscreen/usbtouchscreen.c
+++ b/drivers/input/touchscreen/usbtouchscreen.c
@@ -1659,6 +1659,8 @@ static int usbtouch_probe(struct usb_int
 	if (!usbtouch || !input_dev)
 		goto out_free;
 
+	mutex_init(&usbtouch->pm_mutex);
+
 	type = &usbtouch_dev_info[id->driver_info];
 	usbtouch->type = type;
 	if (!type->process_pkt)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 025/144] Input: elantech - enable SMBus on new (2018+) systems
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 024/144] Input: usbtouchscreen - initialize PM mutex before using it Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 026/144] Input: synaptics - enable RMI mode for HP Spectre X360 Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Benjamin Tissoires,
	Dmitry Torokhov

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 883a2a80f79ca5c0c105605fafabd1f3df99b34c upstream.

There are some new HP laptops with Elantech touchpad that don't support
multitouch.

Currently we use ETP_NEW_IC_SMBUS_HOST_NOTIFY() to check if SMBus is supported,
but in addition to firmware version, the bus type also informs us whether the IC
can support SMBus. To avoid breaking old ICs, we will only enable SMbus support
based the bus type on systems manufactured after 2018.

Lastly, let's consolidate all checks into elantech_use_host_notify() and use it
to determine whether to use PS/2 or SMBus.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/elantech.c |   54 ++++++++++++++++++-----------------------
 1 file changed, 25 insertions(+), 29 deletions(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1807,6 +1807,30 @@ static int elantech_create_smbus(struct
 				  leave_breadcrumbs);
 }
 
+static bool elantech_use_host_notify(struct psmouse *psmouse,
+				     struct elantech_device_info *info)
+{
+	if (ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version))
+		return true;
+
+	switch (info->bus) {
+	case ETP_BUS_PS2_ONLY:
+		/* expected case */
+		break;
+	case ETP_BUS_SMB_HST_NTFY_ONLY:
+	case ETP_BUS_PS2_SMB_HST_NTFY:
+		/* SMbus implementation is stable since 2018 */
+		if (dmi_get_bios_year() >= 2018)
+			return true;
+	default:
+		psmouse_dbg(psmouse,
+			    "Ignoring SMBus bus provider %d\n", info->bus);
+		break;
+	}
+
+	return false;
+}
+
 /**
  * elantech_setup_smbus - called once the PS/2 devices are enumerated
  * and decides to instantiate a SMBus InterTouch device.
@@ -1826,7 +1850,7 @@ static int elantech_setup_smbus(struct p
 		 * i2c_blacklist_pnp_ids.
 		 * Old ICs are up to the user to decide.
 		 */
-		if (!ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version) ||
+		if (!elantech_use_host_notify(psmouse, info) ||
 		    psmouse_matches_pnp_id(psmouse, i2c_blacklist_pnp_ids))
 			return -ENXIO;
 	}
@@ -1846,34 +1870,6 @@ static int elantech_setup_smbus(struct p
 	return 0;
 }
 
-static bool elantech_use_host_notify(struct psmouse *psmouse,
-				     struct elantech_device_info *info)
-{
-	if (ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version))
-		return true;
-
-	switch (info->bus) {
-	case ETP_BUS_PS2_ONLY:
-		/* expected case */
-		break;
-	case ETP_BUS_SMB_ALERT_ONLY:
-		/* fall-through  */
-	case ETP_BUS_PS2_SMB_ALERT:
-		psmouse_dbg(psmouse, "Ignoring SMBus provider through alert protocol.\n");
-		break;
-	case ETP_BUS_SMB_HST_NTFY_ONLY:
-		/* fall-through  */
-	case ETP_BUS_PS2_SMB_HST_NTFY:
-		return true;
-	default:
-		psmouse_dbg(psmouse,
-			    "Ignoring SMBus bus provider %d.\n",
-			    info->bus);
-	}
-
-	return false;
-}
-
 int elantech_init_smbus(struct psmouse *psmouse)
 {
 	struct elantech_device_info info;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 026/144] Input: synaptics - enable RMI mode for HP Spectre X360
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 025/144] Input: elantech - enable SMBus on new (2018+) systems Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 027/144] x86/mm: Check for pfn instead of page in vmalloc_sync_one() Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nate Graham, Dmitry Torokhov

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 25f8c834e2a6871920cc1ca113f02fb301d007c3 upstream.

The 2016 kabylake HP Spectre X360 (model number 13-w013dx) works much better
with psmouse.synaptics_intertouch=1 kernel parameter, so let's enable RMI4
mode automatically.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204115
Reported-by: Nate Graham <pointedstick@zoho.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/synaptics.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -182,6 +182,7 @@ static const char * const smbus_pnp_ids[
 	"LEN2055", /* E580 */
 	"SYN3052", /* HP EliteBook 840 G4 */
 	"SYN3221", /* HP 15-ay000 */
+	"SYN323d", /* HP Spectre X360 13-w013dx */
 	NULL
 };
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 027/144] x86/mm: Check for pfn instead of page in vmalloc_sync_one()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 026/144] Input: synaptics - enable RMI mode for HP Spectre X360 Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 028/144] x86/mm: Sync also unmappings in vmalloc_sync_all() Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joerg Roedel, Thomas Gleixner, Dave Hansen

From: Joerg Roedel <jroedel@suse.de>

commit 51b75b5b563a2637f9d8dc5bd02a31b2ff9e5ea0 upstream.

Do not require a struct page for the mapped memory location because it
might not exist. This can happen when an ioremapped region is mapped with
2MB pages.

Fixes: 5d72b4fba40ef ('x86, mm: support huge I/O mapping capability I/F')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lkml.kernel.org/r/20190719184652.11391-2-joro@8bytes.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/fault.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -200,7 +200,7 @@ static inline pmd_t *vmalloc_sync_one(pg
 	if (!pmd_present(*pmd))
 		set_pmd(pmd, *pmd_k);
 	else
-		BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k));
+		BUG_ON(pmd_pfn(*pmd) != pmd_pfn(*pmd_k));
 
 	return pmd_k;
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 028/144] x86/mm: Sync also unmappings in vmalloc_sync_all()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 027/144] x86/mm: Check for pfn instead of page in vmalloc_sync_one() Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 029/144] mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joerg Roedel, Thomas Gleixner, Dave Hansen

From: Joerg Roedel <jroedel@suse.de>

commit 8e998fc24de47c55b47a887f6c95ab91acd4a720 upstream.

With huge-page ioremap areas the unmappings also need to be synced between
all page-tables. Otherwise it can cause data corruption when a region is
unmapped and later re-used.

Make the vmalloc_sync_one() function ready to sync unmappings and make sure
vmalloc_sync_all() iterates over all page-tables even when an unmapped PMD
is found.

Fixes: 5d72b4fba40ef ('x86, mm: support huge I/O mapping capability I/F')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lkml.kernel.org/r/20190719184652.11391-3-joro@8bytes.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/fault.c |   13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -194,11 +194,12 @@ static inline pmd_t *vmalloc_sync_one(pg
 
 	pmd = pmd_offset(pud, address);
 	pmd_k = pmd_offset(pud_k, address);
-	if (!pmd_present(*pmd_k))
-		return NULL;
 
-	if (!pmd_present(*pmd))
+	if (pmd_present(*pmd) != pmd_present(*pmd_k))
 		set_pmd(pmd, *pmd_k);
+
+	if (!pmd_present(*pmd_k))
+		return NULL;
 	else
 		BUG_ON(pmd_pfn(*pmd) != pmd_pfn(*pmd_k));
 
@@ -220,17 +221,13 @@ void vmalloc_sync_all(void)
 		spin_lock(&pgd_lock);
 		list_for_each_entry(page, &pgd_list, lru) {
 			spinlock_t *pgt_lock;
-			pmd_t *ret;
 
 			/* the pgt_lock only for Xen */
 			pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
 
 			spin_lock(pgt_lock);
-			ret = vmalloc_sync_one(page_address(page), address);
+			vmalloc_sync_one(page_address(page), address);
 			spin_unlock(pgt_lock);
-
-			if (!ret)
-				break;
 		}
 		spin_unlock(&pgd_lock);
 	}



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 029/144] mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 028/144] x86/mm: Sync also unmappings in vmalloc_sync_all() Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 030/144] coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joerg Roedel, Thomas Gleixner, Dave Hansen

From: Joerg Roedel <jroedel@suse.de>

commit 3f8fd02b1bf1d7ba964485a56f2f4b53ae88c167 upstream.

On x86-32 with PTI enabled, parts of the kernel page-tables are not shared
between processes. This can cause mappings in the vmalloc/ioremap area to
persist in some page-tables after the region is unmapped and released.

When the region is re-used the processes with the old mappings do not fault
in the new mappings but still access the old ones.

This causes undefined behavior, in reality often data corruption, kernel
oopses and panics and even spontaneous reboots.

Fix this problem by activly syncing unmaps in the vmalloc/ioremap area to
all page-tables in the system before the regions can be re-used.

Fixes: 5d72b4fba40ef ('x86, mm: support huge I/O mapping capability I/F')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lkml.kernel.org/r/20190719184652.11391-4-joro@8bytes.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/vmalloc.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -1214,6 +1214,12 @@ static bool __purge_vmap_area_lazy(unsig
 		return false;
 
 	/*
+	 * First make sure the mappings are removed from all page-tables
+	 * before they are freed.
+	 */
+	vmalloc_sync_all();
+
+	/*
 	 * TODO: to calculate a flush range without looping.
 	 * The list can be up to lazy_max_pages() elements.
 	 */
@@ -3001,6 +3007,9 @@ EXPORT_SYMBOL(remap_vmalloc_range);
 /*
  * Implement a stub for vmalloc_sync_all() if the architecture chose not to
  * have one.
+ *
+ * The purpose of this function is to make sure the vmalloc area
+ * mappings are identical in all page-tables in the system.
  */
 void __weak vmalloc_sync_all(void)
 {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 030/144] coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 029/144] mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 031/144] perf annotate: Fix s390 gap between kernel end and module start Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathieu Poirier, Suzuki K Poulose

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit 5511c0c309db4c526a6e9f8b2b8a1483771574bc upstream.

While running the linux-next with CONFIG_DEBUG_LOCKS_ALLOC enabled,
I get the following splat.

 BUG: key ffffcb5636929298 has not been registered!
 ------------[ cut here ]------------
 DEBUG_LOCKS_WARN_ON(1)
 WARNING: CPU: 1 PID: 53 at kernel/locking/lockdep.c:3669 lockdep_init_map+0x164/0x1f0
 CPU: 1 PID: 53 Comm: kworker/1:1 Tainted: G        W         5.2.0-next-20190712-00015-g00ad4634222e-dirty #603
 Workqueue: events amba_deferred_retry_func
 pstate: 60c00005 (nZCv daif +PAN +UAO)
 pc : lockdep_init_map+0x164/0x1f0
 lr : lockdep_init_map+0x164/0x1f0

 [ trimmed ]

 Call trace:
  lockdep_init_map+0x164/0x1f0
  __kernfs_create_file+0x9c/0x158
  sysfs_add_file_mode_ns+0xa8/0x1d0
  sysfs_add_file_to_group+0x88/0xd8
  etm_perf_add_symlink_sink+0xcc/0x138
  coresight_register+0x110/0x280
  tmc_probe+0x160/0x420

 [ trimmed ]

 ---[ end trace ab4cc669615ba1b0 ]---

Fix this by initialising the dynamically allocated attribute properly.

Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Fixes: bb8e370bdc14 ("coresight: perf: Add "sinks" group to PMU directory")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
[Fixed a typograhic error in the changelog]
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20190801172323.18359-2-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/hwtracing/coresight/coresight-etm-perf.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/hwtracing/coresight/coresight-etm-perf.c
+++ b/drivers/hwtracing/coresight/coresight-etm-perf.c
@@ -544,6 +544,7 @@ int etm_perf_add_symlink_sink(struct cor
 	/* See function coresight_get_sink_by_id() to know where this is used */
 	hash = hashlen_hash(hashlen_string(NULL, name));
 
+	sysfs_attr_init(&ea->attr.attr);
 	ea->attr.attr.name = devm_kstrdup(pdev, name, GFP_KERNEL);
 	if (!ea->attr.attr.name)
 		return -ENOMEM;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 031/144] perf annotate: Fix s390 gap between kernel end and module start
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 030/144] coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 032/144] perf db-export: Fix thread__exec_comm() Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Klaus Theurich, Thomas Richter,
	Heiko Carstens, Hendrik Brueckner, Vasily Gorbik,
	Arnaldo Carvalho de Melo

From: Thomas Richter <tmricht@linux.ibm.com>

commit b9c0a64901d5bdec6eafd38d1dc8fa0e2974fccb upstream.

During execution of command 'perf top' the error message:

   Not enough memory for annotating '__irf_end' symbol!)

is emitted from this call sequence:
  __cmd_top
    perf_top__mmap_read
      perf_top__mmap_read_idx
        perf_event__process_sample
          hist_entry_iter__add
            hist_iter__top_callback
              perf_top__record_precise_ip
                hist_entry__inc_addr_samples
                  symbol__inc_addr_samples
                    symbol__get_annotation
                      symbol__alloc_hist

In this function the size of symbol __irf_end is calculated. The size of
a symbol is the difference between its start and end address.

When the symbol was read the first time, its start and end was set to:

   symbol__new: __irf_end 0xe954d0-0xe954d0

which is correct and maps with /proc/kallsyms:

   root@s8360046:~/linux-4.15.0/tools/perf# fgrep _irf_end /proc/kallsyms
   0000000000e954d0 t __irf_end
   root@s8360046:~/linux-4.15.0/tools/perf#

In function symbol__alloc_hist() the end of symbol __irf_end is

  symbol__alloc_hist sym:__irf_end start:0xe954d0 end:0x3ff80045a8

which is identical with the first module entry in /proc/kallsyms

This results in a symbol size of __irf_req for histogram analyses of
70334140059072 bytes and a malloc() for this requested size fails.

The root cause of this is function
  __dso__load_kallsyms()
  +-> symbols__fixup_end()

Function symbols__fixup_end() enlarges the last symbol in the kallsyms
map:

   # fgrep __irf_end /proc/kallsyms
   0000000000e954d0 t __irf_end
   #

to the start address of the first module:
   # cat /proc/kallsyms | sort  | egrep ' [tT] '
   ....
   0000000000e952d0 T __security_initcall_end
   0000000000e954d0 T __initramfs_size
   0000000000e954d0 t __irf_end
   000003ff800045a8 T fc_get_event_number       [scsi_transport_fc]
   000003ff800045d0 t store_fc_vport_disable    [scsi_transport_fc]
   000003ff800046a8 T scsi_is_fc_rport  [scsi_transport_fc]
   000003ff800046d0 t fc_target_setup   [scsi_transport_fc]

On s390 the kernel is located around memory address 0x200, 0x10000 or
0x100000, depending on linux version. Modules however start some- where
around 0x3ff xxxx xxxx.

This is different than x86 and produces a large gap for which histogram
allocation fails.

Fix this by detecting the kernel's last symbol and do no adjustment for
it. Introduce a weak function and handle s390 specifics.

Reported-by: Klaus Theurich <klaus.theurich@de.ibm.com>
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20190724122703.3996-2-tmricht@linux.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/arch/s390/util/machine.c |   17 +++++++++++++++++
 tools/perf/util/symbol.c            |    7 ++++++-
 tools/perf/util/symbol.h            |    1 +
 3 files changed, 24 insertions(+), 1 deletion(-)

--- a/tools/perf/arch/s390/util/machine.c
+++ b/tools/perf/arch/s390/util/machine.c
@@ -6,6 +6,7 @@
 #include "machine.h"
 #include "api/fs/fs.h"
 #include "debug.h"
+#include "symbol.h"
 
 int arch__fix_module_text_start(u64 *start, const char *name)
 {
@@ -21,3 +22,19 @@ int arch__fix_module_text_start(u64 *sta
 
 	return 0;
 }
+
+/* On s390 kernel text segment start is located at very low memory addresses,
+ * for example 0x10000. Modules are located at very high memory addresses,
+ * for example 0x3ff xxxx xxxx. The gap between end of kernel text segment
+ * and beginning of first module's text segment is very big.
+ * Therefore do not fill this gap and do not assign it to the kernel dso map.
+ */
+void arch__symbols__fixup_end(struct symbol *p, struct symbol *c)
+{
+	if (strchr(p->name, '[') == NULL && strchr(c->name, '['))
+		/* Last kernel symbol mapped to end of page */
+		p->end = roundup(p->end, page_size);
+	else
+		p->end = c->start;
+	pr_debug4("%s sym:%s end:%#lx\n", __func__, p->name, p->end);
+}
--- a/tools/perf/util/symbol.c
+++ b/tools/perf/util/symbol.c
@@ -91,6 +91,11 @@ static int prefix_underscores_count(cons
 	return tail - str;
 }
 
+void __weak arch__symbols__fixup_end(struct symbol *p, struct symbol *c)
+{
+	p->end = c->start;
+}
+
 const char * __weak arch__normalize_symbol_name(const char *name)
 {
 	return name;
@@ -217,7 +222,7 @@ void symbols__fixup_end(struct rb_root_c
 		curr = rb_entry(nd, struct symbol, rb_node);
 
 		if (prev->end == prev->start && prev->end != curr->start)
-			prev->end = curr->start;
+			arch__symbols__fixup_end(prev, curr);
 	}
 
 	/* Last entry */
--- a/tools/perf/util/symbol.h
+++ b/tools/perf/util/symbol.h
@@ -277,6 +277,7 @@ const char *arch__normalize_symbol_name(
 #define SYMBOL_A 0
 #define SYMBOL_B 1
 
+void arch__symbols__fixup_end(struct symbol *p, struct symbol *c);
 int arch__compare_symbol_names(const char *namea, const char *nameb);
 int arch__compare_symbol_names_n(const char *namea, const char *nameb,
 				 unsigned int n);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 032/144] perf db-export: Fix thread__exec_comm()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 031/144] perf annotate: Fix s390 gap between kernel end and module start Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 033/144] perf record: Fix module size on s390 Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo

From: Adrian Hunter <adrian.hunter@intel.com>

commit 3de7ae0b2a1d86dbb23d0cb135150534fdb2e836 upstream.

Threads synthesized from /proc have comms with a start time of zero, and
not marked as "exec". Currently, there can be 2 such comms. The first is
created by processing a synthesized fork event and is set to the
parent's comm string, and the second by processing a synthesized comm
event set to the thread's current comm string.

In the absence of an "exec" comm, thread__exec_comm() picks the last
(oldest) comm, which, in the case above, is the parent's comm string.
For a main thread, that is very probably wrong. Use the second-to-last
in that case.

This affects only db-export because it is the only user of
thread__exec_comm().

Example:

  $ sudo perf record -a -o pt-a-sleep-1 -e intel_pt//u -- sleep 1
  $ sudo chown ahunter pt-a-sleep-1

Before:

  $ perf script -i pt-a-sleep-1 --itrace=bep -s tools/perf/scripts/python/export-to-sqlite.py pt-a-sleep-1.db branches calls
  $ sqlite3 -header -column pt-a-sleep-1.db 'select * from comm_threads_view'
  comm_id     command     thread_id   pid         tid
  ----------  ----------  ----------  ----------  ----------
  1           swapper     1           0           0
  2           rcu_sched   2           10          10
  3           kthreadd    3           78          78
  5           sudo        4           15180       15180
  5           sudo        5           15180       15182
  7           kworker/4:  6           10335       10335
  8           kthreadd    7           55          55
  10          systemd     8           865         865
  10          systemd     9           865         875
  13          perf        10          15181       15181
  15          sleep       10          15181       15181
  16          kworker/3:  11          14179       14179
  17          kthreadd    12          29376       29376
  19          systemd     13          746         746
  21          systemd     14          401         401
  23          systemd     15          879         879
  23          systemd     16          879         945
  25          kthreadd    17          556         556
  27          kworker/u1  18          14136       14136
  28          kworker/u1  19          15021       15021
  29          kthreadd    20          509         509
  31          systemd     21          836         836
  31          systemd     22          836         967
  33          systemd     23          1148        1148
  33          systemd     24          1148        1163
  35          kworker/2:  25          17988       17988
  36          kworker/0:  26          13478       13478

After:

  $ perf script -i pt-a-sleep-1 --itrace=bep -s tools/perf/scripts/python/export-to-sqlite.py pt-a-sleep-1b.db branches calls
  $ sqlite3 -header -column pt-a-sleep-1b.db 'select * from comm_threads_view'
  comm_id     command     thread_id   pid         tid
  ----------  ----------  ----------  ----------  ----------
  1           swapper     1           0           0
  2           rcu_sched   2           10          10
  3           kswapd0     3           78          78
  4           perf        4           15180       15180
  4           perf        5           15180       15182
  6           kworker/4:  6           10335       10335
  7           kcompactd0  7           55          55
  8           accounts-d  8           865         865
  8           accounts-d  9           865         875
  10          perf        10          15181       15181
  12          sleep       10          15181       15181
  13          kworker/3:  11          14179       14179
  14          kworker/1:  12          29376       29376
  15          haveged     13          746         746
  16          systemd-jo  14          401         401
  17          NetworkMan  15          879         879
  17          NetworkMan  16          879         945
  19          irq/131-iw  17          556         556
  20          kworker/u1  18          14136       14136
  21          kworker/u1  19          15021       15021
  22          kworker/u1  20          509         509
  23          thermald    21          836         836
  23          thermald    22          836         967
  25          unity-sett  23          1148        1148
  25          unity-sett  24          1148        1163
  27          kworker/2:  25          17988       17988
  28          kworker/0:  26          13478       13478

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 65de51f93ebf ("perf tools: Identify which comms are from exec")
Link: http://lkml.kernel.org/r/20190808064823.14846-1-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/thread.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/tools/perf/util/thread.c
+++ b/tools/perf/util/thread.c
@@ -197,14 +197,24 @@ struct comm *thread__comm(const struct t
 
 struct comm *thread__exec_comm(const struct thread *thread)
 {
-	struct comm *comm, *last = NULL;
+	struct comm *comm, *last = NULL, *second_last = NULL;
 
 	list_for_each_entry(comm, &thread->comm_list, list) {
 		if (comm->exec)
 			return comm;
+		second_last = last;
 		last = comm;
 	}
 
+	/*
+	 * 'last' with no start time might be the parent's comm of a synthesized
+	 * thread (created by processing a synthesized fork event). For a main
+	 * thread, that is very probably wrong. Prefer a later comm to avoid
+	 * that case.
+	 */
+	if (second_last && !last->start && thread->pid_ == thread->tid)
+		return second_last;
+
 	return last;
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 033/144] perf record: Fix module size on s390
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 032/144] perf db-export: Fix thread__exec_comm() Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 034/144] x86/purgatory: Do not use __builtin_memcpy and __builtin_memset Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Liebler, Thomas Richter,
	Heiko Carstens, Hendrik Brueckner, Vasily Gorbik,
	Arnaldo Carvalho de Melo

From: Thomas Richter <tmricht@linux.ibm.com>

commit 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea upstream.

On s390 the modules loaded in memory have the text segment located after
the GOT and Relocation table. This can be seen with this output:

  [root@m35lp76 perf]# fgrep qeth /proc/modules
  qeth 151552 1 qeth_l2, Live 0x000003ff800b2000
  ...
  [root@m35lp76 perf]# cat /sys/module/qeth/sections/.text
  0x000003ff800b3990
  [root@m35lp76 perf]#

There is an offset of 0x1990 bytes. The size of the qeth module is
151552 bytes (0x25000 in hex).

The location of the GOT/relocation table at the beginning of a module is
unique to s390.

commit 203d8a4aa6ed ("perf s390: Fix 'start' address of module's map")
adjusts the start address of a module in the map structures, but does
not adjust the size of the modules. This leads to overlapping of module
maps as this example shows:

[root@m35lp76 perf] # ./perf report -D
     0 0 0xfb0 [0xa0]: PERF_RECORD_MMAP -1/0: [0x3ff800b3990(0x25000)
          @ 0]:  x /lib/modules/.../qeth.ko.xz
     0 0 0x1050 [0xb0]: PERF_RECORD_MMAP -1/0: [0x3ff800d85a0(0x8000)
          @ 0]:  x /lib/modules/.../ip6_tables.ko.xz

The module qeth.ko has an adjusted start address modified to b3990, but
its size is unchanged and the module ends at 0x3ff800d8990.  This end
address overlaps with the next modules start address of 0x3ff800d85a0.

When the size of the leading GOT/Relocation table stored in the
beginning of the text segment (0x1990 bytes) is subtracted from module
qeth end address, there are no overlaps anymore:

   0x3ff800d8990 - 0x1990 = 0x0x3ff800d7000

which is the same as

   0x3ff800b2000 + 0x25000 = 0x0x3ff800d7000.

To fix this issue, also adjust the modules size in function
arch__fix_module_text_start(). Add another function parameter named size
and reduce the size of the module when the text segment start address is
changed.

Output after:
     0 0 0xfb0 [0xa0]: PERF_RECORD_MMAP -1/0: [0x3ff800b3990(0x23670)
          @ 0]:  x /lib/modules/.../qeth.ko.xz
     0 0 0x1050 [0xb0]: PERF_RECORD_MMAP -1/0: [0x3ff800d85a0(0x7a60)
          @ 0]:  x /lib/modules/.../ip6_tables.ko.xz

Reported-by: Stefan Liebler <stli@linux.ibm.com>
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: stable@vger.kernel.org
Fixes: 203d8a4aa6ed ("perf s390: Fix 'start' address of module's map")
Link: http://lkml.kernel.org/r/20190724122703.3996-1-tmricht@linux.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/arch/s390/util/machine.c |   14 +++++++++++++-
 tools/perf/util/machine.c           |    3 ++-
 tools/perf/util/machine.h           |    2 +-
 3 files changed, 16 insertions(+), 3 deletions(-)

--- a/tools/perf/arch/s390/util/machine.c
+++ b/tools/perf/arch/s390/util/machine.c
@@ -8,7 +8,7 @@
 #include "debug.h"
 #include "symbol.h"
 
-int arch__fix_module_text_start(u64 *start, const char *name)
+int arch__fix_module_text_start(u64 *start, u64 *size, const char *name)
 {
 	u64 m_start = *start;
 	char path[PATH_MAX];
@@ -18,6 +18,18 @@ int arch__fix_module_text_start(u64 *sta
 	if (sysfs__read_ull(path, (unsigned long long *)start) < 0) {
 		pr_debug2("Using module %s start:%#lx\n", path, m_start);
 		*start = m_start;
+	} else {
+		/* Successful read of the modules segment text start address.
+		 * Calculate difference between module start address
+		 * in memory and module text segment start address.
+		 * For example module load address is 0x3ff8011b000
+		 * (from /proc/modules) and module text segment start
+		 * address is 0x3ff8011b870 (from file above).
+		 *
+		 * Adjust the module size and subtract the GOT table
+		 * size located at the beginning of the module.
+		 */
+		*size -= (*start - m_start);
 	}
 
 	return 0;
--- a/tools/perf/util/machine.c
+++ b/tools/perf/util/machine.c
@@ -1365,6 +1365,7 @@ static int machine__set_modules_path(str
 	return map_groups__set_modules_path_dir(&machine->kmaps, modules_path, 0);
 }
 int __weak arch__fix_module_text_start(u64 *start __maybe_unused,
+				u64 *size __maybe_unused,
 				const char *name __maybe_unused)
 {
 	return 0;
@@ -1376,7 +1377,7 @@ static int machine__create_module(void *
 	struct machine *machine = arg;
 	struct map *map;
 
-	if (arch__fix_module_text_start(&start, name) < 0)
+	if (arch__fix_module_text_start(&start, &size, name) < 0)
 		return -1;
 
 	map = machine__findnew_module_map(machine, start, name);
--- a/tools/perf/util/machine.h
+++ b/tools/perf/util/machine.h
@@ -222,7 +222,7 @@ struct symbol *machine__find_kernel_symb
 
 struct map *machine__findnew_module_map(struct machine *machine, u64 start,
 					const char *filename);
-int arch__fix_module_text_start(u64 *start, const char *name);
+int arch__fix_module_text_start(u64 *start, u64 *size, const char *name);
 
 int machine__load_kallsyms(struct machine *machine, const char *filename);
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 034/144] x86/purgatory: Do not use __builtin_memcpy and __builtin_memset
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 033/144] perf record: Fix module size on s390 Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 035/144] x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vaibhav Rustagi, Alistair Delva,
	Nick Desaulniers, Thomas Gleixner, Manoj Gupta

From: Nick Desaulniers <ndesaulniers@google.com>

commit 4ce97317f41d38584fb93578e922fcd19e535f5b upstream.

Implementing memcpy and memset in terms of __builtin_memcpy and
__builtin_memset is problematic.

GCC at -O2 will replace calls to the builtins with calls to memcpy and
memset (but will generate an inline implementation at -Os).  Clang will
replace the builtins with these calls regardless of optimization level.
$ llvm-objdump -dr arch/x86/purgatory/string.o | tail

0000000000000339 memcpy:
     339: 48 b8 00 00 00 00 00 00 00 00 movabsq $0, %rax
                000000000000033b:  R_X86_64_64  memcpy
     343: ff e0                         jmpq    *%rax

0000000000000345 memset:
     345: 48 b8 00 00 00 00 00 00 00 00 movabsq $0, %rax
                0000000000000347:  R_X86_64_64  memset
     34f: ff e0

Such code results in infinite recursion at runtime. This is observed
when doing kexec.

Instead, reuse an implementation from arch/x86/boot/compressed/string.c.
This requires to implement a stub function for warn(). Also, Clang may
lower memcmp's that compare against 0 to bcmp's, so add a small definition,
too. See also: commit 5f074f3e192f ("lib/string.c: implement a basic bcmp")

Fixes: 8fc5b4d4121c ("purgatory: core purgatory functionality")
Reported-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Debugged-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Debugged-by: Manoj Gupta <manojgupta@google.com>
Suggested-by: Alistair Delva <adelva@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Cc: stable@vger.kernel.org
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=984056
Link: https://lkml.kernel.org/r/20190807221539.94583-1-ndesaulniers@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/boot/string.c         |    8 ++++++++
 arch/x86/purgatory/Makefile    |    3 +++
 arch/x86/purgatory/purgatory.c |    6 ++++++
 arch/x86/purgatory/string.c    |   23 -----------------------
 4 files changed, 17 insertions(+), 23 deletions(-)

--- a/arch/x86/boot/string.c
+++ b/arch/x86/boot/string.c
@@ -37,6 +37,14 @@ int memcmp(const void *s1, const void *s
 	return diff;
 }
 
+/*
+ * Clang may lower `memcmp == 0` to `bcmp == 0`.
+ */
+int bcmp(const void *s1, const void *s2, size_t len)
+{
+	return memcmp(s1, s2, len);
+}
+
 int strcmp(const char *str1, const char *str2)
 {
 	const unsigned char *s1 = (const unsigned char *)str1;
--- a/arch/x86/purgatory/Makefile
+++ b/arch/x86/purgatory/Makefile
@@ -6,6 +6,9 @@ purgatory-y := purgatory.o stack.o setup
 targets += $(purgatory-y)
 PURGATORY_OBJS = $(addprefix $(obj)/,$(purgatory-y))
 
+$(obj)/string.o: $(srctree)/arch/x86/boot/compressed/string.c FORCE
+	$(call if_changed_rule,cc_o_c)
+
 $(obj)/sha256.o: $(srctree)/lib/sha256.c FORCE
 	$(call if_changed_rule,cc_o_c)
 
--- a/arch/x86/purgatory/purgatory.c
+++ b/arch/x86/purgatory/purgatory.c
@@ -68,3 +68,9 @@ void purgatory(void)
 	}
 	copy_backup_region();
 }
+
+/*
+ * Defined in order to reuse memcpy() and memset() from
+ * arch/x86/boot/compressed/string.c
+ */
+void warn(const char *msg) {}
--- a/arch/x86/purgatory/string.c
+++ /dev/null
@@ -1,23 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/*
- * Simple string functions.
- *
- * Copyright (C) 2014 Red Hat Inc.
- *
- * Author:
- *       Vivek Goyal <vgoyal@redhat.com>
- */
-
-#include <linux/types.h>
-
-#include "../boot/string.c"
-
-void *memcpy(void *dst, const void *src, size_t len)
-{
-	return __builtin_memcpy(dst, src, len);
-}
-
-void *memset(void *dst, int c, size_t len)
-{
-	return __builtin_memset(dst, c, len);
-}



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 035/144] x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 034/144] x86/purgatory: Do not use __builtin_memcpy and __builtin_memset Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 036/144] genirq/affinity: Create affinity mask for single vector Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vaibhav Rustagi, Peter Zijlstra,
	Thomas Gleixner, Nick Desaulniers

From: Nick Desaulniers <ndesaulniers@google.com>

commit b059f801a937d164e03b33c1848bb3dca67c0b04 upstream.

KBUILD_CFLAGS is very carefully built up in the top level Makefile,
particularly when cross compiling or using different build tools.
Resetting KBUILD_CFLAGS via := assignment is an antipattern.

The comment above the reset mentions that -pg is problematic.  Other
Makefiles use `CFLAGS_REMOVE_file.o = $(CC_FLAGS_FTRACE)` when
CONFIG_FUNCTION_TRACER is set. Prefer that pattern to wiping out all of
the important KBUILD_CFLAGS then manually having to re-add them. Seems
also that __stack_chk_fail references are generated when using
CONFIG_STACKPROTECTOR or CONFIG_STACKPROTECTOR_STRONG.

Fixes: 8fc5b4d4121c ("purgatory: core purgatory functionality")
Reported-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20190807221539.94583-2-ndesaulniers@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/purgatory/Makefile |   31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

--- a/arch/x86/purgatory/Makefile
+++ b/arch/x86/purgatory/Makefile
@@ -20,11 +20,34 @@ KCOV_INSTRUMENT := n
 
 # Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That
 # in turn leaves some undefined symbols like __fentry__ in purgatory and not
-# sure how to relocate those. Like kexec-tools, use custom flags.
+# sure how to relocate those.
+ifdef CONFIG_FUNCTION_TRACER
+CFLAGS_REMOVE_sha256.o		+= $(CC_FLAGS_FTRACE)
+CFLAGS_REMOVE_purgatory.o	+= $(CC_FLAGS_FTRACE)
+CFLAGS_REMOVE_string.o		+= $(CC_FLAGS_FTRACE)
+CFLAGS_REMOVE_kexec-purgatory.o	+= $(CC_FLAGS_FTRACE)
+endif
 
-KBUILD_CFLAGS := -fno-strict-aliasing -Wall -Wstrict-prototypes -fno-zero-initialized-in-bss -fno-builtin -ffreestanding -c -Os -mcmodel=large
-KBUILD_CFLAGS += -m$(BITS)
-KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
+ifdef CONFIG_STACKPROTECTOR
+CFLAGS_REMOVE_sha256.o		+= -fstack-protector
+CFLAGS_REMOVE_purgatory.o	+= -fstack-protector
+CFLAGS_REMOVE_string.o		+= -fstack-protector
+CFLAGS_REMOVE_kexec-purgatory.o	+= -fstack-protector
+endif
+
+ifdef CONFIG_STACKPROTECTOR_STRONG
+CFLAGS_REMOVE_sha256.o		+= -fstack-protector-strong
+CFLAGS_REMOVE_purgatory.o	+= -fstack-protector-strong
+CFLAGS_REMOVE_string.o		+= -fstack-protector-strong
+CFLAGS_REMOVE_kexec-purgatory.o	+= -fstack-protector-strong
+endif
+
+ifdef CONFIG_RETPOLINE
+CFLAGS_REMOVE_sha256.o		+= $(RETPOLINE_CFLAGS)
+CFLAGS_REMOVE_purgatory.o	+= $(RETPOLINE_CFLAGS)
+CFLAGS_REMOVE_string.o		+= $(RETPOLINE_CFLAGS)
+CFLAGS_REMOVE_kexec-purgatory.o	+= $(RETPOLINE_CFLAGS)
+endif
 
 $(obj)/purgatory.ro: $(PURGATORY_OBJS) FORCE
 		$(call if_changed,ld)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 036/144] genirq/affinity: Create affinity mask for single vector
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 035/144] x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 037/144] gfs2: gfs2_walk_metadata fix Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ming Lei, Thomas Gleixner

From: Ming Lei <ming.lei@redhat.com>

commit 491beed3b102b6e6c0e7734200661242226e3933 upstream.

Since commit c66d4bd110a1f8 ("genirq/affinity: Add new callback for
(re)calculating interrupt sets"), irq_create_affinity_masks() returns
NULL in case of single vector. This change has caused regression on some
drivers, such as lpfc.

The problem is that single vector requests can happen in some generic cases:

  1) kdump kernel

  2) irq vectors resource is close to exhaustion.

If in that situation the affinity mask for a single vector is not created,
every caller has to handle the special case.

There is no reason why the mask cannot be created, so remove the check for
a single vector and create the mask.

Fixes: c66d4bd110a1f8 ("genirq/affinity: Add new callback for (re)calculating interrupt sets")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20190805011906.5020-1-ming.lei@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/irq/affinity.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/kernel/irq/affinity.c
+++ b/kernel/irq/affinity.c
@@ -253,11 +253,9 @@ irq_create_affinity_masks(unsigned int n
 	 * Determine the number of vectors which need interrupt affinities
 	 * assigned. If the pre/post request exhausts the available vectors
 	 * then nothing to do here except for invoking the calc_sets()
-	 * callback so the device driver can adjust to the situation. If there
-	 * is only a single vector, then managing the queue is pointless as
-	 * well.
+	 * callback so the device driver can adjust to the situation.
 	 */
-	if (nvecs > 1 && nvecs > affd->pre_vectors + affd->post_vectors)
+	if (nvecs > affd->pre_vectors + affd->post_vectors)
 		affvecs = nvecs - affd->pre_vectors - affd->post_vectors;
 	else
 		affvecs = 0;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 037/144] gfs2: gfs2_walk_metadata fix
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 036/144] genirq/affinity: Create affinity mask for single vector Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 038/144] usb: host: xhci-rcar: Fix timeout in xhci_suspend() Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andreas Gruenbacher, Bob Peterson

From: Andreas Gruenbacher <agruenba@redhat.com>

commit a27a0c9b6a208722016c8ec5ad31ec96082b91ec upstream.

It turns out that the current version of gfs2_metadata_walker suffers
from multiple problems that can cause gfs2_hole_size to report an
incorrect size.  This will confuse fiemap as well as lseek with the
SEEK_DATA flag.

Fix that by changing gfs2_hole_walker to compute the metapath to the
first data block after the hole (if any), and compute the hole size
based on that.

Fixes xfstest generic/490.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Bob Peterson <rpeterso@redhat.com>
Cc: stable@vger.kernel.org # v4.18+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/gfs2/bmap.c |  168 ++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 103 insertions(+), 65 deletions(-)

--- a/fs/gfs2/bmap.c
+++ b/fs/gfs2/bmap.c
@@ -390,6 +390,19 @@ static int fillup_metapath(struct gfs2_i
 	return mp->mp_aheight - x - 1;
 }
 
+static sector_t metapath_to_block(struct gfs2_sbd *sdp, struct metapath *mp)
+{
+	sector_t factor = 1, block = 0;
+	int hgt;
+
+	for (hgt = mp->mp_fheight - 1; hgt >= 0; hgt--) {
+		if (hgt < mp->mp_aheight)
+			block += mp->mp_list[hgt] * factor;
+		factor *= sdp->sd_inptrs;
+	}
+	return block;
+}
+
 static void release_metapath(struct metapath *mp)
 {
 	int i;
@@ -430,60 +443,84 @@ static inline unsigned int gfs2_extent_l
 	return ptr - first;
 }
 
-typedef const __be64 *(*gfs2_metadata_walker)(
-		struct metapath *mp,
-		const __be64 *start, const __be64 *end,
-		u64 factor, void *data);
-
-#define WALK_STOP ((__be64 *)0)
-#define WALK_NEXT ((__be64 *)1)
-
-static int gfs2_walk_metadata(struct inode *inode, sector_t lblock,
-		u64 len, struct metapath *mp, gfs2_metadata_walker walker,
-		void *data)
+enum walker_status { WALK_STOP, WALK_FOLLOW, WALK_CONTINUE };
+
+/*
+ * gfs2_metadata_walker - walk an indirect block
+ * @mp: Metapath to indirect block
+ * @ptrs: Number of pointers to look at
+ *
+ * When returning WALK_FOLLOW, the walker must update @mp to point at the right
+ * indirect block to follow.
+ */
+typedef enum walker_status (*gfs2_metadata_walker)(struct metapath *mp,
+						   unsigned int ptrs);
+
+/*
+ * gfs2_walk_metadata - walk a tree of indirect blocks
+ * @inode: The inode
+ * @mp: Starting point of walk
+ * @max_len: Maximum number of blocks to walk
+ * @walker: Called during the walk
+ *
+ * Returns 1 if the walk was stopped by @walker, 0 if we went past @max_len or
+ * past the end of metadata, and a negative error code otherwise.
+ */
+
+static int gfs2_walk_metadata(struct inode *inode, struct metapath *mp,
+		u64 max_len, gfs2_metadata_walker walker)
 {
-	struct metapath clone;
 	struct gfs2_inode *ip = GFS2_I(inode);
 	struct gfs2_sbd *sdp = GFS2_SB(inode);
-	const __be64 *start, *end, *ptr;
 	u64 factor = 1;
 	unsigned int hgt;
-	int ret = 0;
+	int ret;
 
-	for (hgt = ip->i_height - 1; hgt >= mp->mp_aheight; hgt--)
+	/*
+	 * The walk starts in the lowest allocated indirect block, which may be
+	 * before the position indicated by @mp.  Adjust @max_len accordingly
+	 * to avoid a short walk.
+	 */
+	for (hgt = mp->mp_fheight - 1; hgt >= mp->mp_aheight; hgt--) {
+		max_len += mp->mp_list[hgt] * factor;
+		mp->mp_list[hgt] = 0;
 		factor *= sdp->sd_inptrs;
+	}
 
 	for (;;) {
-		u64 step;
+		u16 start = mp->mp_list[hgt];
+		enum walker_status status;
+		unsigned int ptrs;
+		u64 len;
 
 		/* Walk indirect block. */
-		start = metapointer(hgt, mp);
-		end = metaend(hgt, mp);
-
-		step = (end - start) * factor;
-		if (step > len)
-			end = start + DIV_ROUND_UP_ULL(len, factor);
-
-		ptr = walker(mp, start, end, factor, data);
-		if (ptr == WALK_STOP)
+		ptrs = (hgt >= 1 ? sdp->sd_inptrs : sdp->sd_diptrs) - start;
+		len = ptrs * factor;
+		if (len > max_len)
+			ptrs = DIV_ROUND_UP_ULL(max_len, factor);
+		status = walker(mp, ptrs);
+		switch (status) {
+		case WALK_STOP:
+			return 1;
+		case WALK_FOLLOW:
+			BUG_ON(mp->mp_aheight == mp->mp_fheight);
+			ptrs = mp->mp_list[hgt] - start;
+			len = ptrs * factor;
 			break;
-		if (step >= len)
+		case WALK_CONTINUE:
 			break;
-		len -= step;
-		if (ptr != WALK_NEXT) {
-			BUG_ON(!*ptr);
-			mp->mp_list[hgt] += ptr - start;
-			goto fill_up_metapath;
 		}
+		if (len >= max_len)
+			break;
+		max_len -= len;
+		if (status == WALK_FOLLOW)
+			goto fill_up_metapath;
 
 lower_metapath:
 		/* Decrease height of metapath. */
-		if (mp != &clone) {
-			clone_metapath(&clone, mp);
-			mp = &clone;
-		}
 		brelse(mp->mp_bh[hgt]);
 		mp->mp_bh[hgt] = NULL;
+		mp->mp_list[hgt] = 0;
 		if (!hgt)
 			break;
 		hgt--;
@@ -491,10 +528,7 @@ lower_metapath:
 
 		/* Advance in metadata tree. */
 		(mp->mp_list[hgt])++;
-		start = metapointer(hgt, mp);
-		end = metaend(hgt, mp);
-		if (start >= end) {
-			mp->mp_list[hgt] = 0;
+		if (mp->mp_list[hgt] >= sdp->sd_inptrs) {
 			if (!hgt)
 				break;
 			goto lower_metapath;
@@ -502,44 +536,36 @@ lower_metapath:
 
 fill_up_metapath:
 		/* Increase height of metapath. */
-		if (mp != &clone) {
-			clone_metapath(&clone, mp);
-			mp = &clone;
-		}
 		ret = fillup_metapath(ip, mp, ip->i_height - 1);
 		if (ret < 0)
-			break;
+			return ret;
 		hgt += ret;
 		for (; ret; ret--)
 			do_div(factor, sdp->sd_inptrs);
 		mp->mp_aheight = hgt + 1;
 	}
-	if (mp == &clone)
-		release_metapath(mp);
-	return ret;
+	return 0;
 }
 
-struct gfs2_hole_walker_args {
-	u64 blocks;
-};
-
-static const __be64 *gfs2_hole_walker(struct metapath *mp,
-		const __be64 *start, const __be64 *end,
-		u64 factor, void *data)
+static enum walker_status gfs2_hole_walker(struct metapath *mp,
+					   unsigned int ptrs)
 {
-	struct gfs2_hole_walker_args *args = data;
-	const __be64 *ptr;
+	const __be64 *start, *ptr, *end;
+	unsigned int hgt;
+
+	hgt = mp->mp_aheight - 1;
+	start = metapointer(hgt, mp);
+	end = start + ptrs;
 
 	for (ptr = start; ptr < end; ptr++) {
 		if (*ptr) {
-			args->blocks += (ptr - start) * factor;
+			mp->mp_list[hgt] += ptr - start;
 			if (mp->mp_aheight == mp->mp_fheight)
 				return WALK_STOP;
-			return ptr;  /* increase height */
+			return WALK_FOLLOW;
 		}
 	}
-	args->blocks += (end - start) * factor;
-	return WALK_NEXT;
+	return WALK_CONTINUE;
 }
 
 /**
@@ -557,12 +583,24 @@ static const __be64 *gfs2_hole_walker(st
 static int gfs2_hole_size(struct inode *inode, sector_t lblock, u64 len,
 			  struct metapath *mp, struct iomap *iomap)
 {
-	struct gfs2_hole_walker_args args = { };
-	int ret = 0;
+	struct metapath clone;
+	u64 hole_size;
+	int ret;
+
+	clone_metapath(&clone, mp);
+	ret = gfs2_walk_metadata(inode, &clone, len, gfs2_hole_walker);
+	if (ret < 0)
+		goto out;
+
+	if (ret == 1)
+		hole_size = metapath_to_block(GFS2_SB(inode), &clone) - lblock;
+	else
+		hole_size = len;
+	iomap->length = hole_size << inode->i_blkbits;
+	ret = 0;
 
-	ret = gfs2_walk_metadata(inode, lblock, len, mp, gfs2_hole_walker, &args);
-	if (!ret)
-		iomap->length = args.blocks << inode->i_blkbits;
+out:
+	release_metapath(&clone);
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 038/144] usb: host: xhci-rcar: Fix timeout in xhci_suspend()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 037/144] gfs2: gfs2_walk_metadata fix Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 039/144] usb: yurex: Fix use-after-free in yurex_delete Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yoshihiro Shimoda

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 783bda5e41acc71f98336e1a402c180f9748e5dc upstream.

When a USB device is connected to the host controller and
the system enters suspend, the following error happens
in xhci_suspend():

	xhci-hcd ee000000.usb: WARN: xHC CMD_RUN timeout

Since the firmware/internal CPU control the USBSTS.STS_HALT
and the process speed is down when the roothub port enters U3,
long delay for the handshake of STS_HALT is neeed in xhci_suspend().
So, this patch adds to set the XHCI_SLOW_SUSPEND.

Fixes: 435cc1138ec9 ("usb: host: xhci-plat: set resume_quirk() for R-Car controllers")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/1564734815-17964-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-rcar.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-rcar.c
+++ b/drivers/usb/host/xhci-rcar.c
@@ -238,10 +238,15 @@ int xhci_rcar_init_quirk(struct usb_hcd
 	 * pointers. So, this driver clears the AC64 bit of xhci->hcc_params
 	 * to call dma_set_coherent_mask(dev, DMA_BIT_MASK(32)) in
 	 * xhci_gen_setup().
+	 *
+	 * And, since the firmware/internal CPU control the USBSTS.STS_HALT
+	 * and the process speed is down when the roothub port enters U3,
+	 * long delay for the handshake of STS_HALT is neeed in xhci_suspend().
 	 */
 	if (xhci_rcar_is_gen2(hcd->self.controller) ||
-			xhci_rcar_is_gen3(hcd->self.controller))
-		xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
+			xhci_rcar_is_gen3(hcd->self.controller)) {
+		xhci->quirks |= XHCI_NO_64BIT_SUPPORT | XHCI_SLOW_SUSPEND;
+	}
 
 	if (!xhci_rcar_wait_for_pll_active(hcd))
 		return -ETIMEDOUT;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 039/144] usb: yurex: Fix use-after-free in yurex_delete
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 038/144] usb: host: xhci-rcar: Fix timeout in xhci_suspend() Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 040/144] usb: typec: ucsi: ccg: Fix uninitilized symbol error Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Kosina, Tomoki Sekiyama,
	Oliver Neukum, andreyknvl, Alan Stern, syzkaller-bugs, dtor,
	syzbot+d1fedb1c1fdb07fca507, Suzuki K Poulose

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit fc05481b2fcabaaeccf63e32ac1baab54e5b6963 upstream.

syzbot reported the following crash [0]:

BUG: KASAN: use-after-free in usb_free_coherent+0x79/0x80
drivers/usb/core/usb.c:928
Read of size 8 at addr ffff8881b18599c8 by task syz-executor.4/16007

CPU: 0 PID: 16007 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
  kasan_report+0xe/0x12 mm/kasan/common.c:612
  usb_free_coherent+0x79/0x80 drivers/usb/core/usb.c:928
  yurex_delete+0x138/0x330 drivers/usb/misc/yurex.c:100
  kref_put include/linux/kref.h:65 [inline]
  yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
  __fput+0x2d7/0x840 fs/file_table.c:280
  task_work_run+0x13f/0x1c0 kernel/task_work.c:113
  tracehook_notify_resume include/linux/tracehook.h:188 [inline]
  exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
  prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
  syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
  do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413511
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48
83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffc424ea2e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413511
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 0000000000000001 R08: 0000000029a2fc22 R09: 0000000029a2fc26
R10: 00007ffc424ea3c0 R11: 0000000000000293 R12: 000000000075c9a0
R13: 000000000075c9a0 R14: 0000000000761938 R15: ffffffffffffffff

Allocated by task 2776:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc mm/kasan/common.c:487 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
  kmalloc include/linux/slab.h:552 [inline]
  kzalloc include/linux/slab.h:748 [inline]
  usb_alloc_dev+0x51/0xf95 drivers/usb/core/usb.c:583
  hub_port_connect drivers/usb/core/hub.c:5004 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x15c0/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 16007:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
  slab_free_hook mm/slub.c:1423 [inline]
  slab_free_freelist_hook mm/slub.c:1470 [inline]
  slab_free mm/slub.c:3012 [inline]
  kfree+0xe4/0x2f0 mm/slub.c:3953
  device_release+0x71/0x200 drivers/base/core.c:1064
  kobject_cleanup lib/kobject.c:693 [inline]
  kobject_release lib/kobject.c:722 [inline]
  kref_put include/linux/kref.h:65 [inline]
  kobject_put+0x171/0x280 lib/kobject.c:739
  put_device+0x1b/0x30 drivers/base/core.c:2213
  usb_put_dev+0x1f/0x30 drivers/usb/core/usb.c:725
  yurex_delete+0x40/0x330 drivers/usb/misc/yurex.c:95
  kref_put include/linux/kref.h:65 [inline]
  yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
  __fput+0x2d7/0x840 fs/file_table.c:280
  task_work_run+0x13f/0x1c0 kernel/task_work.c:113
  tracehook_notify_resume include/linux/tracehook.h:188 [inline]
  exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
  prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
  syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
  do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881b1859980
  which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 72 bytes inside of
  2048-byte region [ffff8881b1859980, ffff8881b185a180)
The buggy address belongs to the page:
page:ffffea0006c61600 refcount:1 mapcount:0 mapping:ffff8881da00c000
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c000
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8881b1859880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8881b1859900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881b1859980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                               ^
  ffff8881b1859a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881b1859a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

A quick look at the yurex_delete() shows that we drop the reference
to the usb_device before releasing any buffers associated with the
device. Delay the reference drop until we have finished the cleanup.

[0] https://lore.kernel.org/lkml/0000000000003f86d8058f0bd671@google.com/

Fixes: 6bc235a2e24a5e ("USB: add driver for Meywa-Denki & Kayac YUREX")
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: andreyknvl@google.com
Cc: gregkh@linuxfoundation.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: syzkaller-bugs@googlegroups.com
Cc: dtor@chromium.org
Reported-by: syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190805111528.6758-1-suzuki.poulose@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/yurex.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -92,7 +92,6 @@ static void yurex_delete(struct kref *kr
 
 	dev_dbg(&dev->interface->dev, "%s\n", __func__);
 
-	usb_put_dev(dev->udev);
 	if (dev->cntl_urb) {
 		usb_kill_urb(dev->cntl_urb);
 		kfree(dev->cntl_req);
@@ -108,6 +107,7 @@ static void yurex_delete(struct kref *kr
 				dev->int_buffer, dev->urb->transfer_dma);
 		usb_free_urb(dev->urb);
 	}
+	usb_put_dev(dev->udev);
 	kfree(dev);
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 040/144] usb: typec: ucsi: ccg: Fix uninitilized symbol error
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 039/144] usb: yurex: Fix use-after-free in yurex_delete Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 041/144] usb: typec: tcpm: free log buf memory when remove debug file Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Heikki Krogerus

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

commit a29d56c2ed24ad33062bfdafdec9e34149715320 upstream.

Fix smatch error:
drivers/usb/typec/ucsi/ucsi_ccg.c:975 ccg_fw_update() error: uninitialized symbol 'err'.

Fixes: 5c9ae5a87573 ("usb: typec: ucsi: ccg: add firmware flashing support")
Cc: stable@vger.kernel.org
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20190801075512.24354-1-heikki.krogerus@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/typec/ucsi/ucsi_ccg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
+++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
@@ -963,7 +963,7 @@ release_fw:
  ******************************************************************************/
 static int ccg_fw_update(struct ucsi_ccg *uc, enum enum_flash_mode flash_mode)
 {
-	int err;
+	int err = 0;
 
 	while (flash_mode != FLASH_NOT_NEEDED) {
 		err = do_flash(uc, flash_mode);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 041/144] usb: typec: tcpm: free log buf memory when remove debug file
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 040/144] usb: typec: ucsi: ccg: Fix uninitilized symbol error Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 042/144] usb: typec: tcpm: remove tcpm dir if no children Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Li Jun, Guenter Roeck

From: Li Jun <jun.li@nxp.com>

commit fd5da3e2cc61b4a7c877172fdc9348c82cf6ccfc upstream.

The logbuffer memory should be freed when remove debug file.

Cc: stable@vger.kernel.org # v4.15+
Fixes: 4b4e02c83167 ("typec: tcpm: Move out of staging")
Signed-off-by: Li Jun <jun.li@nxp.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20190717080646.30421-1-jun.li@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/typec/tcpm/tcpm.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -586,6 +586,15 @@ static void tcpm_debugfs_init(struct tcp
 
 static void tcpm_debugfs_exit(struct tcpm_port *port)
 {
+	int i;
+
+	mutex_lock(&port->logbuffer_lock);
+	for (i = 0; i < LOG_BUFFER_ENTRIES; i++) {
+		kfree(port->logbuffer[i]);
+		port->logbuffer[i] = NULL;
+	}
+	mutex_unlock(&port->logbuffer_lock);
+
 	debugfs_remove(port->dentry);
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 042/144] usb: typec: tcpm: remove tcpm dir if no children
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 041/144] usb: typec: tcpm: free log buf memory when remove debug file Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 16:59 ` [PATCH 5.2 043/144] usb: typec: tcpm: Add NULL check before dereferencing config Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Li Jun, Guenter Roeck

From: Li Jun <jun.li@nxp.com>

commit 12ca7297b8855c0af1848503d37196159b24e6b9 upstream.

If config tcpm as module, module unload will not remove tcpm dir,
then the next module load will have problem: the rootdir is NULL
but tcpm dir is still there, so tcpm_debugfs_init() will create
tcpm dir again with failure, fix it by remove the tcpm dir if no
children.

Cc: stable@vger.kernel.org # v4.15+
Fixes: 4b4e02c83167 ("typec: tcpm: Move out of staging")
Signed-off-by: Li Jun <jun.li@nxp.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20190717080646.30421-2-jun.li@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/typec/tcpm/tcpm.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -596,6 +596,10 @@ static void tcpm_debugfs_exit(struct tcp
 	mutex_unlock(&port->logbuffer_lock);
 
 	debugfs_remove(port->dentry);
+	if (list_empty(&rootdir->d_subdirs)) {
+		debugfs_remove(rootdir);
+		rootdir = NULL;
+	}
 }
 
 #else



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 043/144] usb: typec: tcpm: Add NULL check before dereferencing config
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 042/144] usb: typec: tcpm: remove tcpm dir if no children Greg Kroah-Hartman
@ 2019-08-14 16:59 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 044/144] usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 16:59 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Douglas Gilbert, Guenter Roeck,
	Jun Li, Heikki Krogerus

From: Guenter Roeck <linux@roeck-us.net>

commit 1957de95d425d1c06560069dc7277a73a8b28683 upstream.

When instantiating tcpm on an NXP OM 13588 board with NXP PTN5110,
the following crash is seen when writing into the 'preferred_role'
sysfs attribute.

Unable to handle kernel NULL pointer dereference at virtual address 00000028
pgd = f69149ad
[00000028] *pgd=00000000
Internal error: Oops: 5 [#1] THUMB2
Modules linked in: tcpci tcpm
CPU: 0 PID: 1882 Comm: bash Not tainted 5.1.18-sama5-armv7-r2 #4
Hardware name: Atmel SAMA5
PC is at tcpm_try_role+0x3a/0x4c [tcpm]
LR is at tcpm_try_role+0x15/0x4c [tcpm]
pc : [<bf8000e2>]    lr : [<bf8000bd>]    psr: 60030033
sp : dc1a1e88  ip : c03fb47d  fp : 00000000
r10: dc216190  r9 : dc1a1f78  r8 : 00000001
r7 : df4ae044  r6 : dd032e90  r5 : dd1ce340  r4 : df4ae054
r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : df4ae044
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA Thumb  Segment none
Control: 50c53c7d  Table: 3efec059  DAC: 00000051
Process bash (pid: 1882, stack limit = 0x6a6d4aa5)
Stack: (0xdc1a1e88 to 0xdc1a2000)
1e80:                   dd05d808 dd1ce340 00000001 00000007 dd1ce340 c03fb4a7
1ea0: 00000007 00000007 dc216180 00000000 00000000 c01e1e03 00000000 00000000
1ec0: c0907008 dee98b40 c01e1d5d c06106c4 00000000 00000000 00000007 c0194e8b
1ee0: 0000000a 00000400 00000000 c01a97db dc22bf00 ffffe000 df4b6a00 df745900
1f00: 00000001 00000001 000000dd c01a9c2f 7aeab3be c0907008 00000000 dc22bf00
1f20: c0907008 00000000 00000000 00000000 00000000 7aeab3be 00000007 dee98b40
1f40: 005dc318 dc1a1f78 00000000 00000000 00000007 c01969f7 0000000a c01a20cb
1f60: dee98b40 c0907008 dee98b40 005dc318 00000000 c0196b9b 00000000 00000000
1f80: dee98b40 7aeab3be 00000074 005dc318 b6f3bdb0 00000004 c0101224 dc1a0000
1fa0: 00000004 c0101001 00000074 005dc318 00000001 005dc318 00000007 00000000
1fc0: 00000074 005dc318 b6f3bdb0 00000004 00000007 00000007 00000000 00000000
1fe0: 00000004 be800880 b6ed35b3 b6e5c746 60030030 00000001 00000000 00000000
[<bf8000e2>] (tcpm_try_role [tcpm]) from [<c03fb4a7>] (preferred_role_store+0x2b/0x5c)
[<c03fb4a7>] (preferred_role_store) from [<c01e1e03>] (kernfs_fop_write+0xa7/0x150)
[<c01e1e03>] (kernfs_fop_write) from [<c0194e8b>] (__vfs_write+0x1f/0x104)
[<c0194e8b>] (__vfs_write) from [<c01969f7>] (vfs_write+0x6b/0x104)
[<c01969f7>] (vfs_write) from [<c0196b9b>] (ksys_write+0x43/0x94)
[<c0196b9b>] (ksys_write) from [<c0101001>] (ret_fast_syscall+0x1/0x62)

Since commit 96232cbc6c994 ("usb: typec: tcpm: support get typec and pd
config from device properties"), the 'config' pointer in struct tcpc_dev
is optional when registering a Type-C port. Since it is optional, we have
to check if it is NULL before dereferencing it.

Reported-by: Douglas Gilbert <dgilbert@interlog.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Fixes: 96232cbc6c994 ("usb: typec: tcpm: support get typec and pd config from device properties")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Jun Li <jun.li@nxp.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/1563979112-22483-1-git-send-email-linux@roeck-us.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/typec/tcpm/tcpm.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -379,7 +379,8 @@ static enum tcpm_state tcpm_default_stat
 			return SNK_UNATTACHED;
 		else if (port->try_role == TYPEC_SOURCE)
 			return SRC_UNATTACHED;
-		else if (port->tcpc->config->default_role == TYPEC_SINK)
+		else if (port->tcpc->config &&
+			 port->tcpc->config->default_role == TYPEC_SINK)
 			return SNK_UNATTACHED;
 		/* Fall through to return SRC_UNATTACHED */
 	} else if (port->port_type == TYPEC_PORT_SNK) {
@@ -4127,7 +4128,7 @@ static int tcpm_try_role(const struct ty
 	mutex_lock(&port->lock);
 	if (tcpc->try_role)
 		ret = tcpc->try_role(tcpc, role);
-	if (!ret && !tcpc->config->try_role_hw)
+	if (!ret && (!tcpc->config || !tcpc->config->try_role_hw))
 		port->try_role = role;
 	port->try_src_count = 0;
 	port->try_snk_count = 0;
@@ -4714,7 +4715,7 @@ static int tcpm_copy_caps(struct tcpm_po
 	port->typec_caps.prefer_role = tcfg->default_role;
 	port->typec_caps.type = tcfg->type;
 	port->typec_caps.data = tcfg->data;
-	port->self_powered = port->tcpc->config->self_powered;
+	port->self_powered = tcfg->self_powered;
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 044/144] usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-08-14 16:59 ` [PATCH 5.2 043/144] usb: typec: tcpm: Add NULL check before dereferencing config Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 045/144] can: rcar_canfd: fix possible IRQ storm on high load Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Douglas Gilbert, Heikki Krogerus,
	Guenter Roeck

From: Guenter Roeck <linux@roeck-us.net>

commit 88d02c9ba2e83fc22d37ccb1f11c62ea6fc9ae50 upstream.

TCPM may receive PD messages associated with unknown or unsupported
alternate modes. If that happens, calls to typec_match_altmode()
will return NULL. The tcpm code does not currently take this into
account. This results in crashes.

Unable to handle kernel NULL pointer dereference at virtual address 000001f0
pgd = 41dad9a1
[000001f0] *pgd=00000000
Internal error: Oops: 5 [#1] THUMB2
Modules linked in: tcpci tcpm
CPU: 0 PID: 2338 Comm: kworker/u2:0 Not tainted 5.1.18-sama5-armv7-r2 #6
Hardware name: Atmel SAMA5
Workqueue: 2-0050 tcpm_pd_rx_handler [tcpm]
PC is at typec_altmode_attention+0x0/0x14
LR is at tcpm_pd_rx_handler+0xa3b/0xda0 [tcpm]
...
[<c03fbee8>] (typec_altmode_attention) from [<bf8030fb>]
				(tcpm_pd_rx_handler+0xa3b/0xda0 [tcpm])
[<bf8030fb>] (tcpm_pd_rx_handler [tcpm]) from [<c012082b>]
				(process_one_work+0x123/0x2a8)
[<c012082b>] (process_one_work) from [<c0120a6d>]
				(worker_thread+0xbd/0x3b0)
[<c0120a6d>] (worker_thread) from [<c012431f>] (kthread+0xcf/0xf4)
[<c012431f>] (kthread) from [<c01010f9>] (ret_from_fork+0x11/0x38)

Ignore PD messages if the associated alternate mode is not supported.

Fixes: e9576fe8e605c ("usb: typec: tcpm: Support for Alternate Modes")
Cc: stable <stable@vger.kernel.org>
Reported-by: Douglas Gilbert <dgilbert@interlog.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Tested-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/1564761822-13984-1-git-send-email-linux@roeck-us.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/typec/tcpm/tcpm.c |   36 +++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 13 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1109,7 +1109,8 @@ static int tcpm_pd_svdm(struct tcpm_port
 			break;
 		case CMD_ATTENTION:
 			/* Attention command does not have response */
-			typec_altmode_attention(adev, p[1]);
+			if (adev)
+				typec_altmode_attention(adev, p[1]);
 			return 0;
 		default:
 			break;
@@ -1161,20 +1162,26 @@ static int tcpm_pd_svdm(struct tcpm_port
 			}
 			break;
 		case CMD_ENTER_MODE:
-			typec_altmode_update_active(pdev, true);
+			if (adev && pdev) {
+				typec_altmode_update_active(pdev, true);
 
-			if (typec_altmode_vdm(adev, p[0], &p[1], cnt)) {
-				response[0] = VDO(adev->svid, 1, CMD_EXIT_MODE);
-				response[0] |= VDO_OPOS(adev->mode);
-				return 1;
+				if (typec_altmode_vdm(adev, p[0], &p[1], cnt)) {
+					response[0] = VDO(adev->svid, 1,
+							  CMD_EXIT_MODE);
+					response[0] |= VDO_OPOS(adev->mode);
+					return 1;
+				}
 			}
 			return 0;
 		case CMD_EXIT_MODE:
-			typec_altmode_update_active(pdev, false);
+			if (adev && pdev) {
+				typec_altmode_update_active(pdev, false);
 
-			/* Back to USB Operation */
-			WARN_ON(typec_altmode_notify(adev, TYPEC_STATE_USB,
-						     NULL));
+				/* Back to USB Operation */
+				WARN_ON(typec_altmode_notify(adev,
+							     TYPEC_STATE_USB,
+							     NULL));
+			}
 			break;
 		default:
 			break;
@@ -1184,8 +1191,10 @@ static int tcpm_pd_svdm(struct tcpm_port
 		switch (cmd) {
 		case CMD_ENTER_MODE:
 			/* Back to USB Operation */
-			WARN_ON(typec_altmode_notify(adev, TYPEC_STATE_USB,
-						     NULL));
+			if (adev)
+				WARN_ON(typec_altmode_notify(adev,
+							     TYPEC_STATE_USB,
+							     NULL));
 			break;
 		default:
 			break;
@@ -1196,7 +1205,8 @@ static int tcpm_pd_svdm(struct tcpm_port
 	}
 
 	/* Informing the alternate mode drivers about everything */
-	typec_altmode_vdm(adev, p[0], &p[1], cnt);
+	if (adev)
+		typec_altmode_vdm(adev, p[0], &p[1], cnt);
 
 	return rlen;
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 045/144] can: rcar_canfd: fix possible IRQ storm on high load
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 044/144] usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 046/144] can: flexcan: fix stop mode acknowledgment Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikita Yushchenko, Marc Kleine-Budde

From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>

commit d4b890aec4bea7334ca2ca56fd3b12fb48a00cd1 upstream.

We have observed rcar_canfd driver entering IRQ storm under high load,
with following scenario:
- rcar_canfd_global_interrupt() in entered due to Rx available,
- napi_schedule_prep() is called, and sets NAPIF_STATE_SCHED in state
- Rx fifo interrupts are masked,
- rcar_canfd_global_interrupt() is entered again, this time due to
  error interrupt (e.g. due to overflow),
- since scheduled napi poller has not yet executed, condition for calling
  napi_schedule_prep() from rcar_canfd_global_interrupt() remains true,
  thus napi_schedule_prep() gets called and sets NAPIF_STATE_MISSED flag
  in state,
- later, napi poller function rcar_canfd_rx_poll() gets executed, and
  calls napi_complete_done(),
- due to NAPIF_STATE_MISSED flag in state, this call does not clear
  NAPIF_STATE_SCHED flag from state,
- on return from napi_complete_done(), rcar_canfd_rx_poll() unmasks Rx
  interrutps,
- Rx interrupt happens, rcar_canfd_global_interrupt() gets called
  and calls napi_schedule_prep(),
- since NAPIF_STATE_SCHED is set in state at this time, this call
  returns false,
- due to that false return, rcar_canfd_global_interrupt() returns
  without masking Rx interrupt
- and this results into IRQ storm: unmasked Rx interrupt happens again
  and again is misprocessed in the same way.

This patch fixes that scenario by unmasking Rx interrupts only when
napi_complete_done() returns true, which means it has cleared
NAPIF_STATE_SCHED in state.

Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver")
Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/rcar/rcar_canfd.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/net/can/rcar/rcar_canfd.c
+++ b/drivers/net/can/rcar/rcar_canfd.c
@@ -1508,10 +1508,11 @@ static int rcar_canfd_rx_poll(struct nap
 
 	/* All packets processed */
 	if (num_pkts < quota) {
-		napi_complete_done(napi, num_pkts);
-		/* Enable Rx FIFO interrupts */
-		rcar_canfd_set_bit(priv->base, RCANFD_RFCC(ridx),
-				   RCANFD_RFCC_RFIE);
+		if (napi_complete_done(napi, num_pkts)) {
+			/* Enable Rx FIFO interrupts */
+			rcar_canfd_set_bit(priv->base, RCANFD_RFCC(ridx),
+					   RCANFD_RFCC_RFIE);
+		}
 	}
 	return num_pkts;
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 046/144] can: flexcan: fix stop mode acknowledgment
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 045/144] can: rcar_canfd: fix possible IRQ storm on high load Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 047/144] can: flexcan: fix an use-after-free in flexcan_setup_stop_mode() Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Kleine-Budde, Joakim Zhang

From: Joakim Zhang <qiangqing.zhang@nxp.com>

commit 5f186c257fa4808bb7f14e643b9fba3e11f08a30 upstream.

To enter stop mode, the CPU should manually assert a global Stop Mode
request and check the acknowledgment asserted by FlexCAN. The CPU must
only consider the FlexCAN in stop mode when both request and
acknowledgment conditions are satisfied.

Fixes: de3578c198c6 ("can: flexcan: add self wakeup support")
Reported-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
Cc: linux-stable <stable@vger.kernel.org> # >= v5.0
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/flexcan.c |   31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -400,9 +400,10 @@ static void flexcan_enable_wakeup_irq(st
 	priv->write(reg_mcr, &regs->mcr);
 }
 
-static inline void flexcan_enter_stop_mode(struct flexcan_priv *priv)
+static inline int flexcan_enter_stop_mode(struct flexcan_priv *priv)
 {
 	struct flexcan_regs __iomem *regs = priv->regs;
+	unsigned int ackval;
 	u32 reg_mcr;
 
 	reg_mcr = priv->read(&regs->mcr);
@@ -412,20 +413,37 @@ static inline void flexcan_enter_stop_mo
 	/* enable stop request */
 	regmap_update_bits(priv->stm.gpr, priv->stm.req_gpr,
 			   1 << priv->stm.req_bit, 1 << priv->stm.req_bit);
+
+	/* get stop acknowledgment */
+	if (regmap_read_poll_timeout(priv->stm.gpr, priv->stm.ack_gpr,
+				     ackval, ackval & (1 << priv->stm.ack_bit),
+				     0, FLEXCAN_TIMEOUT_US))
+		return -ETIMEDOUT;
+
+	return 0;
 }
 
-static inline void flexcan_exit_stop_mode(struct flexcan_priv *priv)
+static inline int flexcan_exit_stop_mode(struct flexcan_priv *priv)
 {
 	struct flexcan_regs __iomem *regs = priv->regs;
+	unsigned int ackval;
 	u32 reg_mcr;
 
 	/* remove stop request */
 	regmap_update_bits(priv->stm.gpr, priv->stm.req_gpr,
 			   1 << priv->stm.req_bit, 0);
 
+	/* get stop acknowledgment */
+	if (regmap_read_poll_timeout(priv->stm.gpr, priv->stm.ack_gpr,
+				     ackval, !(ackval & (1 << priv->stm.ack_bit)),
+				     0, FLEXCAN_TIMEOUT_US))
+		return -ETIMEDOUT;
+
 	reg_mcr = priv->read(&regs->mcr);
 	reg_mcr &= ~FLEXCAN_MCR_SLF_WAK;
 	priv->write(reg_mcr, &regs->mcr);
+
+	return 0;
 }
 
 static inline void flexcan_error_irq_enable(const struct flexcan_priv *priv)
@@ -1612,7 +1630,9 @@ static int __maybe_unused flexcan_suspen
 		 */
 		if (device_may_wakeup(device)) {
 			enable_irq_wake(dev->irq);
-			flexcan_enter_stop_mode(priv);
+			err = flexcan_enter_stop_mode(priv);
+			if (err)
+				return err;
 		} else {
 			err = flexcan_chip_disable(priv);
 			if (err)
@@ -1662,10 +1682,13 @@ static int __maybe_unused flexcan_noirq_
 {
 	struct net_device *dev = dev_get_drvdata(device);
 	struct flexcan_priv *priv = netdev_priv(dev);
+	int err;
 
 	if (netif_running(dev) && device_may_wakeup(device)) {
 		flexcan_enable_wakeup_irq(priv, false);
-		flexcan_exit_stop_mode(priv);
+		err = flexcan_exit_stop_mode(priv);
+		if (err)
+			return err;
 	}
 
 	return 0;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 047/144] can: flexcan: fix an use-after-free in flexcan_setup_stop_mode()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 046/144] can: flexcan: fix stop mode acknowledgment Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 048/144] can: peak_usb: fix potential double kfree_skb() Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wen Yang, Marc Kleine-Budde

From: Wen Yang <wen.yang99@zte.com.cn>

commit e9f2a856e102fa27715b94bcc2240f686536d29b upstream.

The gpr_np variable is still being used in dev_dbg() after the
of_node_put() call, which may result in use-after-free.

Fixes: de3578c198c6 ("can: flexcan: add self wakeup support")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: linux-stable <stable@vger.kernel.org> # >= v5.0
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/flexcan.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -1455,10 +1455,10 @@ static int flexcan_setup_stop_mode(struc
 
 	priv = netdev_priv(dev);
 	priv->stm.gpr = syscon_node_to_regmap(gpr_np);
-	of_node_put(gpr_np);
 	if (IS_ERR(priv->stm.gpr)) {
 		dev_dbg(&pdev->dev, "could not find gpr regmap\n");
-		return PTR_ERR(priv->stm.gpr);
+		ret = PTR_ERR(priv->stm.gpr);
+		goto out_put_node;
 	}
 
 	priv->stm.req_gpr = out_val[1];
@@ -1473,7 +1473,9 @@ static int flexcan_setup_stop_mode(struc
 
 	device_set_wakeup_capable(&pdev->dev, true);
 
-	return 0;
+out_put_node:
+	of_node_put(gpr_np);
+	return ret;
 }
 
 static const struct of_device_id flexcan_of_match[] = {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 048/144] can: peak_usb: fix potential double kfree_skb()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 047/144] can: flexcan: fix an use-after-free in flexcan_setup_stop_mode() Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 049/144] powerpc: fix off by one in max_zone_pfn initialization for ZONE_DMA Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephane Grosjean, Marc Kleine-Budde

From: Stephane Grosjean <s.grosjean@peak-system.com>

commit fee6a8923ae0d318a7f7950c6c6c28a96cea099b upstream.

When closing the CAN device while tx skbs are inflight, echo skb could
be released twice. By calling close_candev() before unlinking all
pending tx urbs, then the internal echo_skb[] array is fully and
correctly cleared before the USB write callback and, therefore,
can_get_echo_skb() are called, for each aborted URB.

Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/peak_usb/pcan_usb_core.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
@@ -568,16 +568,16 @@ static int peak_usb_ndo_stop(struct net_
 	dev->state &= ~PCAN_USB_STATE_STARTED;
 	netif_stop_queue(netdev);
 
+	close_candev(netdev);
+
+	dev->can.state = CAN_STATE_STOPPED;
+
 	/* unlink all pending urbs and free used memory */
 	peak_usb_unlink_all_urbs(dev);
 
 	if (dev->adapter->dev_stop)
 		dev->adapter->dev_stop(dev);
 
-	close_candev(netdev);
-
-	dev->can.state = CAN_STATE_STOPPED;
-
 	/* can set bus off now */
 	if (dev->adapter->dev_set_bus) {
 		int err = dev->adapter->dev_set_bus(dev, 0);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 049/144] powerpc: fix off by one in max_zone_pfn initialization for ZONE_DMA
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 048/144] can: peak_usb: fix potential double kfree_skb() Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 050/144] netfilter: nfnetlink: avoid deadlock due to synchronous request_module Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zorro Lang, Andrea Arcangeli,
	Christoph Hellwig, Michael Ellerman, Sasha Levin

[ Upstream commit 03800e0526ee25ed7c843ca1e57b69ac2a5af642 ]

25078dc1f74be16b858e914f52cc8f4d03c2271a first introduced an off by
one error in the ZONE_DMA initialization of PPC_BOOK3E_64=y and since
9739ab7eda459f0669ec9807e0d9be5020bab88c the off by one applies to
PPC32=y too. This simply corrects the off by one and should resolve
crashes like below:

[   65.179101] page 0x7fff outside node 0 zone DMA [ 0x0 - 0x7fff ]

Unfortunately in various MM places "max" means a non inclusive end of
range. free_area_init_nodes max_zone_pfn parameter is one case and
MAX_ORDER is another one (unrelated) that comes by memory.

Reported-by: Zorro Lang <zlang@redhat.com>
Fixes: 25078dc1f74b ("powerpc: use mm zones more sensibly")
Fixes: 9739ab7eda45 ("powerpc: enable a 30-bit ZONE_DMA for 32-bit pmac")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190625141727.2883-1-aarcange@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/mem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
index 2540d3b2588c3..2eda1ec36f552 100644
--- a/arch/powerpc/mm/mem.c
+++ b/arch/powerpc/mm/mem.c
@@ -249,7 +249,7 @@ void __init paging_init(void)
 
 #ifdef CONFIG_ZONE_DMA
 	max_zone_pfns[ZONE_DMA]	= min(max_low_pfn,
-			((1UL << ARCH_ZONE_DMA_BITS) - 1) >> PAGE_SHIFT);
+				      1UL << (ARCH_ZONE_DMA_BITS - PAGE_SHIFT));
 #endif
 	max_zone_pfns[ZONE_NORMAL] = max_low_pfn;
 #ifdef CONFIG_HIGHMEM
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 050/144] netfilter: nfnetlink: avoid deadlock due to synchronous request_module
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 049/144] powerpc: fix off by one in max_zone_pfn initialization for ZONE_DMA Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 051/144] vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Jarosch, Juliana Rodrigueiro,
	Florian Westphal, Pablo Neira Ayuso, Sasha Levin

[ Upstream commit 1b0890cd60829bd51455dc5ad689ed58c4408227 ]

Thomas and Juliana report a deadlock when running:

(rmmod nf_conntrack_netlink/xfrm_user)

  conntrack -e NEW -E &
  modprobe -v xfrm_user

They provided following analysis:

conntrack -e NEW -E
    netlink_bind()
        netlink_lock_table() -> increases "nl_table_users"
            nfnetlink_bind()
            # does not unlock the table as it's locked by netlink_bind()
                __request_module()
                    call_usermodehelper_exec()

This triggers "modprobe nf_conntrack_netlink" from kernel, netlink_bind()
won't return until modprobe process is done.

"modprobe xfrm_user":
    xfrm_user_init()
        register_pernet_subsys()
            -> grab pernet_ops_rwsem
                ..
                netlink_table_grab()
                    calls schedule() as "nl_table_users" is non-zero

so modprobe is blocked because netlink_bind() increased
nl_table_users while also holding pernet_ops_rwsem.

"modprobe nf_conntrack_netlink" runs and inits nf_conntrack_netlink:
    ctnetlink_init()
        register_pernet_subsys()
            -> blocks on "pernet_ops_rwsem" thanks to xfrm_user module

both modprobe processes wait on one another -- neither can make
progress.

Switch netlink_bind() to "nowait" modprobe -- this releases the netlink
table lock, which then allows both modprobe instances to complete.

Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reported-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nfnetlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 92077d4591090..4abbb452cf6c6 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -578,7 +578,7 @@ static int nfnetlink_bind(struct net *net, int group)
 	ss = nfnetlink_get_subsys(type << 8);
 	rcu_read_unlock();
 	if (!ss)
-		request_module("nfnetlink-subsys-%d", type);
+		request_module_nowait("nfnetlink-subsys-%d", type);
 	return 0;
 }
 #endif
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 051/144] vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 050/144] netfilter: nfnetlink: avoid deadlock due to synchronous request_module Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 052/144] vfio-ccw: Dont call cp_free if we are processing a channel program Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Farhan Ali, Eric Farman,
	Cornelia Huck, Sasha Levin

[ Upstream commit c1ab69268d124ebdbb3864580808188ccd3ea355 ]

So we don't call try to call vfio_unpin_pages() incorrectly.

Fixes: 0a19e61e6d4c ("vfio: ccw: introduce channel program interfaces")
Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <33a89467ad6369196ae6edf820cbcb1e2d8d050c.1562854091.git.alifm@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/vfio_ccw_cp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
index 0e79799e9a719..79eb40bdaf9f4 100644
--- a/drivers/s390/cio/vfio_ccw_cp.c
+++ b/drivers/s390/cio/vfio_ccw_cp.c
@@ -89,8 +89,10 @@ static int pfn_array_alloc_pin(struct pfn_array *pa, struct device *mdev,
 				  sizeof(*pa->pa_iova_pfn) +
 				  sizeof(*pa->pa_pfn),
 				  GFP_KERNEL);
-	if (unlikely(!pa->pa_iova_pfn))
+	if (unlikely(!pa->pa_iova_pfn)) {
+		pa->pa_nr = 0;
 		return -ENOMEM;
+	}
 	pa->pa_pfn = pa->pa_iova_pfn + pa->pa_nr;
 
 	pa->pa_iova_pfn[0] = pa->pa_iova >> PAGE_SHIFT;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 052/144] vfio-ccw: Dont call cp_free if we are processing a channel program
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 051/144] vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 053/144] netfilter: Fix rpfilter dropping vrf packets by mistake Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Farhan Ali, Cornelia Huck,
	Eric Farman, Sasha Levin

[ Upstream commit f4c9939433bd396d0b08e803b2b880a9d02682b9 ]

There is a small window where it's possible that we could be working
on an interrupt (queued in the workqueue) and setting up a channel
program (i.e allocating memory, pinning pages, translating address).
This can lead to allocating and freeing the channel program at the
same time and can cause memory corruption.

Let's not call cp_free if we are currently processing a channel program.
The only way we know for sure that we don't have a thread setting
up a channel program is when the state is set to VFIO_CCW_STATE_CP_PENDING.

Fixes: d5afd5d135c8 ("vfio-ccw: add handling for async channel instructions")
Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <62e87bf67b38dc8d5760586e7c96d400db854ebe.1562854091.git.alifm@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/vfio_ccw_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
index 9125f7f4e64c9..8a8fbde7e1867 100644
--- a/drivers/s390/cio/vfio_ccw_drv.c
+++ b/drivers/s390/cio/vfio_ccw_drv.c
@@ -88,7 +88,7 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work)
 		     (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
 	if (scsw_is_solicited(&irb->scsw)) {
 		cp_update_scsw(&private->cp, &irb->scsw);
-		if (is_final)
+		if (is_final && private->state == VFIO_CCW_STATE_CP_PENDING)
 			cp_free(&private->cp);
 	}
 	mutex_lock(&private->io_mutex);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 053/144] netfilter: Fix rpfilter dropping vrf packets by mistake
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 052/144] vfio-ccw: Dont call cp_free if we are processing a channel program Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 054/144] netfilter: nf_tables: fix module autoload for redir Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaohe Lin, Pablo Neira Ayuso, Sasha Levin

[ Upstream commit b575b24b8eee37f10484e951b62ce2a31c579775 ]

When firewalld is enabled with ipv4/ipv6 rpfilter, vrf
ipv4/ipv6 packets will be dropped. Vrf device will pass
through netfilter hook twice. One with enslaved device
and another one with l3 master device. So in device may
dismatch witch out device because out device is always
enslaved device.So failed with the check of the rpfilter
and drop the packets by mistake.

Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/netfilter/ipt_rpfilter.c  | 1 +
 net/ipv6/netfilter/ip6t_rpfilter.c | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 59031670b16a0..cc23f1ce239c2 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -78,6 +78,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
 	flow.flowi4_tos = RT_TOS(iph->tos);
 	flow.flowi4_scope = RT_SCOPE_UNIVERSE;
+	flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par));
 
 	return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert;
 }
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index 6bcaf73571834..d800801a5dd27 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -55,7 +55,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
 	if (rpfilter_addr_linklocal(&iph->saddr)) {
 		lookup_flags |= RT6_LOOKUP_F_IFACE;
 		fl6.flowi6_oif = dev->ifindex;
-	} else if ((flags & XT_RPFILTER_LOOSE) == 0)
+	/* Set flowi6_oif for vrf devices to lookup route in l3mdev domain. */
+	} else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev) ||
+		  (flags & XT_RPFILTER_LOOSE) == 0)
 		fl6.flowi6_oif = dev->ifindex;
 
 	rt = (void *)ip6_route_lookup(net, &fl6, skb, lookup_flags);
@@ -70,7 +72,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
 		goto out;
 	}
 
-	if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE))
+	if (rt->rt6i_idev->dev == dev ||
+	    l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == dev->ifindex ||
+	    (flags & XT_RPFILTER_LOOSE))
 		ret = true;
  out:
 	ip6_rt_put(rt);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 054/144] netfilter: nf_tables: fix module autoload for redir
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 053/144] netfilter: Fix rpfilter dropping vrf packets by mistake Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 055/144] netfilter: conntrack: always store window size un-scaled Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Hesse, Pablo Neira Ayuso,
	Sasha Levin

[ Upstream commit f41828ee10b36644bb2b2bfa9dd1d02f55aa0516 ]

Fix expression for autoloading.

Fixes: 5142967ab524 ("netfilter: nf_tables: fix module autoload with inet family")
Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_redir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index 8487eeff5c0ec..43eeb1f609f13 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -291,4 +291,4 @@ module_exit(nft_redir_module_exit);
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
-MODULE_ALIAS_NFT_EXPR("nat");
+MODULE_ALIAS_NFT_EXPR("redir");
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 055/144] netfilter: conntrack: always store window size un-scaled
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 054/144] netfilter: nf_tables: fix module autoload for redir Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 056/144] netfilter: nft_hash: fix symhash with modulus one Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Jankowski, Florian Westphal,
	Jozsef Kadlecsik, Pablo Neira Ayuso, Sasha Levin

[ Upstream commit 959b69ef57db00cb33e9c4777400ae7183ebddd3 ]

Jakub Jankowski reported following oddity:

After 3 way handshake completes, timeout of new connection is set to
max_retrans (300s) instead of established (5 days).

shortened excerpt from pcap provided:
25.070622 IP (flags [DF], proto TCP (6), length 52)
10.8.5.4.1025 > 10.8.1.2.80: Flags [S], seq 11, win 64240, [wscale 8]
26.070462 IP (flags [DF], proto TCP (6), length 48)
10.8.1.2.80 > 10.8.5.4.1025: Flags [S.], seq 82, ack 12, win 65535, [wscale 3]
27.070449 IP (flags [DF], proto TCP (6), length 40)
10.8.5.4.1025 > 10.8.1.2.80: Flags [.], ack 83, win 512, length 0

Turns out the last_win is of u16 type, but we store the scaled value:
512 << 8 (== 0x20000) becomes 0 window.

The Fixes tag is not correct, as the bug has existed forever, but
without that change all that this causes might cause is to mistake a
window update (to-nonzero-from-zero) for a retransmit.

Fixes: fbcd253d2448b8 ("netfilter: conntrack: lower timeout to RETRANS seconds if window is 0")
Reported-by: Jakub Jankowski <shasta@toxcorp.com>
Tested-by: Jakub Jankowski <shasta@toxcorp.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 1e2cc83ff5da8..ae1f8c6b3a974 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -472,6 +472,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	struct ip_ct_tcp_state *receiver = &state->seen[!dir];
 	const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
 	__u32 seq, ack, sack, end, win, swin;
+	u16 win_raw;
 	s32 receiver_offset;
 	bool res, in_recv_win;
 
@@ -480,7 +481,8 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	 */
 	seq = ntohl(tcph->seq);
 	ack = sack = ntohl(tcph->ack_seq);
-	win = ntohs(tcph->window);
+	win_raw = ntohs(tcph->window);
+	win = win_raw;
 	end = segment_seq_plus_len(seq, skb->len, dataoff, tcph);
 
 	if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
@@ -655,14 +657,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
 			    && state->last_seq == seq
 			    && state->last_ack == ack
 			    && state->last_end == end
-			    && state->last_win == win)
+			    && state->last_win == win_raw)
 				state->retrans++;
 			else {
 				state->last_dir = dir;
 				state->last_seq = seq;
 				state->last_ack = ack;
 				state->last_end = end;
-				state->last_win = win;
+				state->last_win = win_raw;
 				state->retrans = 0;
 			}
 		}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 056/144] netfilter: nft_hash: fix symhash with modulus one
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 055/144] netfilter: conntrack: always store window size un-scaled Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 057/144] scripts/sphinx-pre-install: fix script for RHEL/CentOS Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laura Garcia Liebana,
	Pablo Neira Ayuso, Sasha Levin

[ Upstream commit 28b1d6ef53e3303b90ca8924bb78f31fa527cafb ]

The rule below doesn't work as the kernel raises -ERANGE.

nft add rule netdev nftlb lb01 ip daddr set \
	symhash mod 1 map { 0 : 192.168.0.10 } fwd to "eth0"

This patch allows to use the symhash modulus with one
element, in the same way that the other types of hashes and
algorithms that uses the modulus parameter.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index fe93e731dc7fb..b836d550b9199 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -129,7 +129,7 @@ static int nft_symhash_init(const struct nft_ctx *ctx,
 	priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]);
 
 	priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));
-	if (priv->modulus <= 1)
+	if (priv->modulus < 1)
 		return -ERANGE;
 
 	if (priv->offset + priv->modulus - 1 < priv->offset)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 057/144] scripts/sphinx-pre-install: fix script for RHEL/CentOS
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 056/144] netfilter: nft_hash: fix symhash with modulus one Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 058/144] scripts/sphinx-pre-install: dont use LaTeX with CentOS 7 Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit b308467c916aa7acc5069802ab76a9f657434701 ]

There's a missing parenthesis at the script, with causes it to
fail to detect non-Fedora releases (e. g. RHEL/CentOS).

Tested with Centos 7.6.1810.

Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/sphinx-pre-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
index 9be208db88d3a..778f3ae918775 100755
--- a/scripts/sphinx-pre-install
+++ b/scripts/sphinx-pre-install
@@ -364,7 +364,7 @@ sub give_redhat_hints()
 	#
 	# Checks valid for RHEL/CentOS version 7.x.
 	#
-	if (! $system_release =~ /Fedora/) {
+	if (!($system_release =~ /Fedora/)) {
 		$map{"virtualenv"} = "python-virtualenv";
 	}
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 058/144] scripts/sphinx-pre-install: dont use LaTeX with CentOS 7
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 057/144] scripts/sphinx-pre-install: fix script for RHEL/CentOS Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 059/144] scripts/sphinx-pre-install: fix latexmk dependencies Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit 56e5a633923793b31515795ad30156a307572c1e ]

There aren't enough texlive packages for LaTeX-based builds
to work on CentOS/RHEL <= 7.

Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/sphinx-pre-install | 68 ++++++++++++++++++++++++++++----------
 1 file changed, 50 insertions(+), 18 deletions(-)

diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
index 778f3ae918775..4cc2b3ee5209f 100755
--- a/scripts/sphinx-pre-install
+++ b/scripts/sphinx-pre-install
@@ -77,6 +77,17 @@ sub check_missing(%)
 	foreach my $prog (sort keys %missing) {
 		my $is_optional = $missing{$prog};
 
+		# At least on some LTS distros like CentOS 7, texlive doesn't
+		# provide all packages we need. When such distros are
+		# detected, we have to disable PDF output.
+		#
+		# So, we need to ignore the packages that distros would
+		# need for LaTeX to work
+		if ($is_optional == 2 && !$pdf) {
+			$optional--;
+			next;
+		}
+
 		if ($is_optional) {
 			print "Warning: better to also install \"$prog\".\n";
 		} else {
@@ -326,10 +337,10 @@ sub give_debian_hints()
 
 	if ($pdf) {
 		check_missing_file("/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf",
-				   "fonts-dejavu", 1);
+				   "fonts-dejavu", 2);
 	}
 
-	check_program("dvipng", 1) if ($pdf);
+	check_program("dvipng", 2) if ($pdf);
 	check_missing(\%map);
 
 	return if (!$need && !$optional);
@@ -364,22 +375,40 @@ sub give_redhat_hints()
 	#
 	# Checks valid for RHEL/CentOS version 7.x.
 	#
+	my $old = 0;
+	my $rel;
+	$rel = $1 if ($system_release =~ /release\s+(\d+)/);
+
 	if (!($system_release =~ /Fedora/)) {
 		$map{"virtualenv"} = "python-virtualenv";
-	}
 
-	my $release;
+		if ($rel && $rel < 8) {
+			$old = 1;
+			$pdf = 0;
 
-	$release = $1 if ($system_release =~ /Fedora\s+release\s+(\d+)/);
+			printf("Note: texlive packages on RHEL/CENTOS <= 7 are incomplete. Can't support PDF output\n");
+			printf("If you want to build PDF, please read:\n");
+			printf("\thttps://www.systutorials.com/241660/how-to-install-tex-live-on-centos-7-linux/\n");
+		}
+	} else {
+		if ($rel && $rel < 26) {
+			$old = 1;
+		}
+	}
+	if (!$rel) {
+		printf("Couldn't identify release number\n");
+		$old = 1;
+		$pdf = 0;
+	}
 
-	check_rpm_missing(\@fedora26_opt_pkgs, 1) if ($pdf && $release >= 26);
-	check_rpm_missing(\@fedora_tex_pkgs, 1) if ($pdf);
-	check_missing_tex(1) if ($pdf);
+	check_rpm_missing(\@fedora26_opt_pkgs, 2) if ($pdf && !$old);
+	check_rpm_missing(\@fedora_tex_pkgs, 2) if ($pdf);
+	check_missing_tex(2) if ($pdf);
 	check_missing(\%map);
 
 	return if (!$need && !$optional);
 
-	if ($release >= 18) {
+	if (!$old) {
 		# dnf, for Fedora 18+
 		printf("You should run:\n\n\tsudo dnf install -y $install\n");
 	} else {
@@ -418,8 +447,8 @@ sub give_opensuse_hints()
 		"texlive-zapfding",
 	);
 
-	check_rpm_missing(\@suse_tex_pkgs, 1) if ($pdf);
-	check_missing_tex(1) if ($pdf);
+	check_rpm_missing(\@suse_tex_pkgs, 2) if ($pdf);
+	check_missing_tex(2) if ($pdf);
 	check_missing(\%map);
 
 	return if (!$need && !$optional);
@@ -443,7 +472,7 @@ sub give_mageia_hints()
 		"texlive-fontsextra",
 	);
 
-	check_rpm_missing(\@tex_pkgs, 1) if ($pdf);
+	check_rpm_missing(\@tex_pkgs, 2) if ($pdf);
 	check_missing(\%map);
 
 	return if (!$need && !$optional);
@@ -466,7 +495,8 @@ sub give_arch_linux_hints()
 		"texlive-latexextra",
 		"ttf-dejavu",
 	);
-	check_pacman_missing(\@archlinux_tex_pkgs, 1) if ($pdf);
+	check_pacman_missing(\@archlinux_tex_pkgs, 2) if ($pdf);
+
 	check_missing(\%map);
 
 	return if (!$need && !$optional);
@@ -485,7 +515,7 @@ sub give_gentoo_hints()
 	);
 
 	check_missing_file("/usr/share/fonts/dejavu/DejaVuSans.ttf",
-			   "media-fonts/dejavu", 1) if ($pdf);
+			   "media-fonts/dejavu", 2) if ($pdf);
 
 	check_missing(\%map);
 
@@ -553,7 +583,7 @@ sub check_distros()
 	my %map = (
 		"sphinx-build" => "sphinx"
 	);
-	check_missing_tex(1) if ($pdf);
+	check_missing_tex(2) if ($pdf);
 	check_missing(\%map);
 	print "I don't know distro $system_release.\n";
 	print "So, I can't provide you a hint with the install procedure.\n";
@@ -591,11 +621,13 @@ sub check_needs()
 	check_program("make", 0);
 	check_program("gcc", 0);
 	check_python_module("sphinx_rtd_theme", 1) if (!$virtualenv);
-	check_program("xelatex", 1) if ($pdf);
 	check_program("dot", 1);
 	check_program("convert", 1);
-	check_program("rsvg-convert", 1) if ($pdf);
-	check_program("latexmk", 1) if ($pdf);
+
+	# Extra PDF files - should use 2 for is_optional
+	check_program("xelatex", 2) if ($pdf);
+	check_program("rsvg-convert", 2) if ($pdf);
+	check_program("latexmk", 2) if ($pdf);
 
 	check_distros();
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 059/144] scripts/sphinx-pre-install: fix latexmk dependencies
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 058/144] scripts/sphinx-pre-install: dont use LaTeX with CentOS 7 Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 060/144] rq-qos: dont reset has_sleepers on spurious wakeups Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit 353290a9eb5362a80bc8e52fcd7eb77a30f48afc ]

The name of the package with carries latexmk is different
on two distros:

- On OpenSUSE, latexmk is packaged as "texlive-latexmk-bin"
- On Mageia, latexmk is packaged at "texlive-collection-basic"

Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/sphinx-pre-install | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
index 4cc2b3ee5209f..1f9f0a334c24f 100755
--- a/scripts/sphinx-pre-install
+++ b/scripts/sphinx-pre-install
@@ -447,6 +447,8 @@ sub give_opensuse_hints()
 		"texlive-zapfding",
 	);
 
+	$map{"latexmk"} = "texlive-latexmk-bin";
+
 	check_rpm_missing(\@suse_tex_pkgs, 2) if ($pdf);
 	check_missing_tex(2) if ($pdf);
 	check_missing(\%map);
@@ -472,6 +474,8 @@ sub give_mageia_hints()
 		"texlive-fontsextra",
 	);
 
+	$map{"latexmk"} = "texlive-collection-basic";
+
 	check_rpm_missing(\@tex_pkgs, 2) if ($pdf);
 	check_missing(\%map);
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 060/144] rq-qos: dont reset has_sleepers on spurious wakeups
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 059/144] scripts/sphinx-pre-install: fix latexmk dependencies Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 061/144] rq-qos: set ourself TASK_UNINTERRUPTIBLE after we schedule Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Josef Bacik,
	Jens Axboe, Sasha Levin

[ Upstream commit 64e7ea875ef63b2801be7954cf7257d1bfccc266 ]

If we raced with somebody else getting an inflight counter we could fail
to get an inflight counter with no sleepers on the list, and thus need
to go to sleep.  In this case has_sleepers should be true because we are
now relying on the waker to get our inflight counter for us.  And in the
case of spurious wakeups we'd still want this to be the case.  So set
has_sleepers to true if we went to sleep to make sure we're woken up the
proper way.

Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-rq-qos.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/blk-rq-qos.c b/block/blk-rq-qos.c
index 659ccb8b693fa..e5d75280b431e 100644
--- a/block/blk-rq-qos.c
+++ b/block/blk-rq-qos.c
@@ -260,7 +260,7 @@ void rq_qos_wait(struct rq_wait *rqw, void *private_data,
 			break;
 		}
 		io_schedule();
-		has_sleeper = false;
+		has_sleeper = true;
 	} while (1);
 	finish_wait(&rqw->wait, &data.wq);
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 061/144] rq-qos: set ourself TASK_UNINTERRUPTIBLE after we schedule
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 060/144] rq-qos: dont reset has_sleepers on spurious wakeups Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 062/144] rq-qos: use a mb for got_token Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Josef Bacik,
	Jens Axboe, Sasha Levin

[ Upstream commit d14a9b389a86a5154b704bc88ce8dd37c701456a ]

In case we get a spurious wakeup we need to make sure to re-set
ourselves to TASK_UNINTERRUPTIBLE so we don't busy wait.

Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-rq-qos.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/blk-rq-qos.c b/block/blk-rq-qos.c
index e5d75280b431e..e3ab75e4df9ea 100644
--- a/block/blk-rq-qos.c
+++ b/block/blk-rq-qos.c
@@ -261,6 +261,7 @@ void rq_qos_wait(struct rq_wait *rqw, void *private_data,
 		}
 		io_schedule();
 		has_sleeper = true;
+		set_current_state(TASK_UNINTERRUPTIBLE);
 	} while (1);
 	finish_wait(&rqw->wait, &data.wq);
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 062/144] rq-qos: use a mb for got_token
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 061/144] rq-qos: set ourself TASK_UNINTERRUPTIBLE after we schedule Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 063/144] netfilter: nf_tables: Support auto-loading for inet nat Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Josef Bacik,
	Jens Axboe, Sasha Levin

[ Upstream commit ac38297f7038cd5b80d66f8809c7bbf5b70031f3 ]

Oleg noticed that our checking of data.got_token is unsafe in the
cleanup case, and should really use a memory barrier.  Use a wmb on the
write side, and a rmb() on the read side.  We don't need one in the main
loop since we're saved by set_current_state().

Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-rq-qos.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/block/blk-rq-qos.c b/block/blk-rq-qos.c
index e3ab75e4df9ea..06d024204f504 100644
--- a/block/blk-rq-qos.c
+++ b/block/blk-rq-qos.c
@@ -202,6 +202,7 @@ static int rq_qos_wake_function(struct wait_queue_entry *curr,
 		return -1;
 
 	data->got_token = true;
+	smp_wmb();
 	list_del_init(&curr->entry);
 	wake_up_process(data->task);
 	return 1;
@@ -245,6 +246,7 @@ void rq_qos_wait(struct rq_wait *rqw, void *private_data,
 
 	prepare_to_wait_exclusive(&rqw->wait, &data.wq, TASK_UNINTERRUPTIBLE);
 	do {
+		/* The memory barrier in set_task_state saves us here. */
 		if (data.got_token)
 			break;
 		if (!has_sleeper && acquire_inflight_cb(rqw, private_data)) {
@@ -255,6 +257,7 @@ void rq_qos_wait(struct rq_wait *rqw, void *private_data,
 			 * which means we now have two. Put our local token
 			 * and wake anyone else potentially waiting for one.
 			 */
+			smp_rmb();
 			if (data.got_token)
 				cleanup_cb(rqw, private_data);
 			break;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 063/144] netfilter: nf_tables: Support auto-loading for inet nat
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 062/144] rq-qos: use a mb for got_token Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 064/144] drm/amd/display: No audio endpoint for Dell MST display Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Sutter, Pablo Neira Ayuso, Sasha Levin

[ Upstream commit b4f1483cbfa5fafca4874e90063f75603edbc210 ]

Trying to create an inet family nat chain would not cause
nft_chain_nat.ko module to auto-load due to missing module alias. Add a
proper one with hard-coded family value 1 for the pseudo-family
NFPROTO_INET.

Fixes: d164385ec572 ("netfilter: nat: add inet family nat support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_chain_nat.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nft_chain_nat.c b/net/netfilter/nft_chain_nat.c
index 2f89bde3c61cb..ff9ac8ae0031f 100644
--- a/net/netfilter/nft_chain_nat.c
+++ b/net/netfilter/nft_chain_nat.c
@@ -142,3 +142,6 @@ MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
 #ifdef CONFIG_NF_TABLES_IPV6
 MODULE_ALIAS_NFT_CHAIN(AF_INET6, "nat");
 #endif
+#ifdef CONFIG_NF_TABLES_INET
+MODULE_ALIAS_NFT_CHAIN(1, "nat");	/* NFPROTO_INET */
+#endif
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 064/144] drm/amd/display: No audio endpoint for Dell MST display
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 063/144] netfilter: nf_tables: Support auto-loading for inet nat Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 065/144] drm/amd/display: Clock does not lower in Updateplanes Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harmanprit Tatla, Aric Cyr,
	Anthony Koo, Leo Li, Alex Deucher, Sasha Levin

[ Upstream commit 5b25e5f1a97284020abee7348427f89abdb674e8 ]

[Why]
There are certain MST displays (i.e. Dell P2715Q)
that although have the MST feature set to off may still
report it is a branch device and a non-zero
value for downstream port present.
This can lead to us incorrectly classifying a
dp dongle connection as being active and
disabling the audio endpoint for the display.

[How]
Modified the placement and
condition used to assign
the is_branch_dev bit.

Signed-off-by: Harmanprit Tatla <harmanprit.tatla@amd.com>
Reviewed-by: Aric Cyr <aric.cyr@amd.com>
Acked-by: Anthony Koo <Anthony.Koo@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
index 253311864cdd5..966aa3b754c5b 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
@@ -2218,11 +2218,18 @@ static void get_active_converter_info(
 		link->dpcd_caps.dongle_type = DISPLAY_DONGLE_NONE;
 		ddc_service_set_dongle_type(link->ddc,
 				link->dpcd_caps.dongle_type);
+		link->dpcd_caps.is_branch_dev = false;
 		return;
 	}
 
 	/* DPCD 0x5 bit 0 = 1, it indicate it's branch device */
-	link->dpcd_caps.is_branch_dev = ds_port.fields.PORT_PRESENT;
+	if (ds_port.fields.PORT_TYPE == DOWNSTREAM_DP) {
+		link->dpcd_caps.is_branch_dev = false;
+	}
+
+	else {
+		link->dpcd_caps.is_branch_dev = ds_port.fields.PORT_PRESENT;
+	}
 
 	switch (ds_port.fields.PORT_TYPE) {
 	case DOWNSTREAM_VGA:
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 065/144] drm/amd/display: Clock does not lower in Updateplanes
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 064/144] drm/amd/display: No audio endpoint for Dell MST display Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 066/144] drm/amd/display: Wait for backlight programming completion in set backlight level Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Murton Liu, Tony Cheng, Leo Li,
	Alex Deucher, Sasha Levin

[ Upstream commit 492d9ec244923420af96db6b69ad7d575859aa92 ]

[why]
We reset the optimized_required in atomic_plane_disable
flag immediately after it is set in atomic_plane_disconnect, causing us to
never have flag set during next flip in UpdatePlanes.

[how]
Optimize directly after each time plane is removed.

Signed-off-by: Murton Liu <murton.liu@amd.com>
Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
index 9e4d70a0055e1..c7b4c3048b71d 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
@@ -2416,6 +2416,12 @@ static void dcn10_apply_ctx_for_surface(
 		if (removed_pipe[i])
 			dcn10_disable_plane(dc, &dc->current_state->res_ctx.pipe_ctx[i]);
 
+	for (i = 0; i < dc->res_pool->pipe_count; i++)
+		if (removed_pipe[i]) {
+			dc->hwss.optimize_bandwidth(dc, context);
+			break;
+		}
+
 	if (dc->hwseq->wa.DEGVIDCN10_254)
 		hubbub1_wm_change_req_wa(dc->res_pool->hubbub);
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 066/144] drm/amd/display: Wait for backlight programming completion in set backlight level
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 065/144] drm/amd/display: Clock does not lower in Updateplanes Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 067/144] drm/amd/display: fix DMCU hang when going into Modern Standby Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, SivapiriyanKumarasamy, Anthony Koo,
	Leo Li, Alex Deucher, Sasha Levin

[ Upstream commit c7990daebe71d11a9e360b5c3b0ecd1846a3a4bb ]

[WHY]
Currently we don't wait for blacklight programming completion in DMCU
when setting backlight level. Some sequences such as PSR static screen
event trigger reprogramming requires it to be complete.

[How]
Add generic wait for dmcu command completion in set backlight level.

Signed-off-by: SivapiriyanKumarasamy <sivapiriyan.kumarasamy@amd.com>
Reviewed-by: Anthony Koo <Anthony.Koo@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/dce/dce_abm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c b/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c
index 2959c3c9390b9..da30ae04e82bb 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c
@@ -234,6 +234,10 @@ static void dmcu_set_backlight_level(
 	s2 |= (backlight_8_bit << ATOM_S2_CURRENT_BL_LEVEL_SHIFT);
 
 	REG_WRITE(BIOS_SCRATCH_2, s2);
+
+	/* waitDMCUReadyForCmd */
+	REG_WAIT(MASTER_COMM_CNTL_REG, MASTER_COMM_INTERRUPT,
+			0, 1, 80000);
 }
 
 static void dce_abm_init(struct abm *abm)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 067/144] drm/amd/display: fix DMCU hang when going into Modern Standby
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 066/144] drm/amd/display: Wait for backlight programming completion in set backlight level Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 068/144] drm/amd/display: use encoders engine id to find matched free audio device Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zi Yu Liao, Eric Yang, Anthony Koo,
	Leo Li, Alex Deucher, Sasha Levin

[ Upstream commit 1ca068ed34d6b39d336c1b0d618ed73ba8f04548 ]

[why]
When the system is going into suspend, set_backlight gets called
after the eDP got blanked. Since smooth brightness is enabled,
the driver will make a call into the DMCU to ramp the brightness.
The DMCU would try to enable ABM to do so. But since the display is
blanked, this ends up causing ABM1_ACE_DBUF_REG_UPDATE_PENDING to
get stuck at 1, which results in a dead lock in the DMCU firmware.

[how]
Disable brightness ramping when the eDP display is blanked.

Signed-off-by: Zi Yu Liao <ziyu.liao@amd.com>
Reviewed-by: Eric Yang <eric.yang2@amd.com>
Acked-by: Anthony Koo <Anthony.Koo@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc_link.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
index a3ff33ff6da16..adf39e3b8d29d 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
@@ -2284,7 +2284,7 @@ bool dc_link_set_backlight_level(const struct dc_link *link,
 			if (core_dc->current_state->res_ctx.pipe_ctx[i].stream) {
 				if (core_dc->current_state->res_ctx.
 						pipe_ctx[i].stream->link
-						== link)
+						== link) {
 					/* DMCU -1 for all controller id values,
 					 * therefore +1 here
 					 */
@@ -2292,6 +2292,13 @@ bool dc_link_set_backlight_level(const struct dc_link *link,
 						core_dc->current_state->
 						res_ctx.pipe_ctx[i].stream_res.tg->inst +
 						1;
+
+					/* Disable brightness ramping when the display is blanked
+					 * as it can hang the DMCU
+					 */
+					if (core_dc->current_state->res_ctx.pipe_ctx[i].plane_state == NULL)
+						frame_ramp = 0;
+				}
 			}
 		}
 		abm->funcs->set_backlight_level_pwm(
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 068/144] drm/amd/display: use encoders engine id to find matched free audio device
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 067/144] drm/amd/display: fix DMCU hang when going into Modern Standby Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 069/144] drm/amd/display: put back front end initialization sequence Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tai Man, Charlene Liu, Leo Li,
	Alex Deucher, Sasha Levin

[ Upstream commit 74eda776d7a4e69ec7aa1ce30a87636f14220fbb ]

[Why]
On some platforms, the encoder id 3 is not populated. So the encoders
are not stored in right order as index (id: 0, 1, 2, 4, 5) at pool. This
would cause encoders id 4 & id 5 to fail when finding corresponding
audio device, defaulting to the first available audio device. As result,
we cannot stream audio into two DP ports with encoders id 4 & id 5.

[How]
It need to create enough audio device objects (0 - 5) to perform matching.
Then use encoder engine id to find matched audio device.

Signed-off-by: Tai Man <taiman.wong@amd.com>
Reviewed-by: Charlene Liu <Charlene.Liu@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
index 12142d13f22f2..6ad7b54812f1c 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
@@ -254,7 +254,7 @@ bool resource_construct(
 		 * PORT_CONNECTIVITY == 1 (as instructed by HW team).
 		 */
 		update_num_audio(&straps, &num_audio, &pool->audio_support);
-		for (i = 0; i < pool->pipe_count && i < num_audio; i++) {
+		for (i = 0; i < caps->num_audio; i++) {
 			struct audio *aud = create_funcs->create_audio(ctx, i);
 
 			if (aud == NULL) {
@@ -1702,6 +1702,12 @@ static struct audio *find_first_free_audio(
 			return pool->audios[i];
 		}
 	}
+
+    /* use engine id to find free audio */
+	if ((id < pool->audio_count) && (res_ctx->is_audio_acquired[id] == false)) {
+		return pool->audios[id];
+	}
+
 	/*not found the matching one, first come first serve*/
 	for (i = 0; i < pool->audio_count; i++) {
 		if (res_ctx->is_audio_acquired[i] == false) {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 069/144] drm/amd/display: put back front end initialization sequence
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 068/144] drm/amd/display: use encoders engine id to find matched free audio device Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 070/144] drm/amd/display: allocate 4 ddc engines for RV2 Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Yang, Anthony Koo, Leo Li,
	Tony Cheng, Alex Deucher, Sasha Levin

[ Upstream commit feb7eb522e0a7a22c1e60d386bd3c3bfa1d5e4f7 ]

[Why]
Seamless boot optimization removed proper front end power off sequence.
In driver disable enable case, this causes driver to power gate hubp
and dpp while there is still memory fetching going on, this can cause
invalid memory requests to be generated which will hang data fabric.

[How]
Put back proper front end power off sequence

Signed-off-by: Eric Yang <Eric.Yang2@amd.com>
Reviewed-by: Anthony Koo <Anthony.Koo@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Acked-by: Tony Cheng <Tony.Cheng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
index c7b4c3048b71d..5cc5dabf4d652 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
@@ -1120,16 +1120,7 @@ static void dcn10_init_hw(struct dc *dc)
 	 * everything down.
 	 */
 	if (dcb->funcs->is_accelerated_mode(dcb) || dc->config.power_down_display_on_boot) {
-		for (i = 0; i < dc->res_pool->pipe_count; i++) {
-			struct hubp *hubp = dc->res_pool->hubps[i];
-			struct dpp *dpp = dc->res_pool->dpps[i];
-
-			hubp->funcs->hubp_init(hubp);
-			dc->res_pool->opps[i]->mpc_tree_params.opp_id = dc->res_pool->opps[i]->inst;
-			plane_atomic_power_down(dc, dpp, hubp);
-		}
-
-		apply_DEGVIDCN10_253_wa(dc);
+		dc->hwss.init_pipes(dc, dc->current_state);
 	}
 
 	for (i = 0; i < dc->res_pool->audio_count; i++) {
@@ -1298,10 +1289,6 @@ static bool dcn10_set_input_transfer_func(struct pipe_ctx *pipe_ctx,
 	return result;
 }
 
-
-
-
-
 static bool
 dcn10_set_output_transfer_func(struct pipe_ctx *pipe_ctx,
 			       const struct dc_stream_state *stream)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 070/144] drm/amd/display: allocate 4 ddc engines for RV2
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 069/144] drm/amd/display: put back front end initialization sequence Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 071/144] drm/amd/display: Fix dc_create failure handling and 666 color depths Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Derek Lai, Aric Cyr, Leo Li,
	Alex Deucher, Sasha Levin

[ Upstream commit 67fd6c0d2de8e51e84ff3fa6e68bbd524f823e49 ]

[Why]
Driver will create 0, 1, and 2 ddc engines for RV2,
but some platforms used 0, 1, and 3.

[How]
Still allocate 4 ddc engines for RV2.

Signed-off-by: Derek Lai <Derek.Lai@amd.com>
Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
index 7eccb54c421d9..aac52eed6b2aa 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
@@ -512,7 +512,7 @@ static const struct resource_caps rv2_res_cap = {
 		.num_audio = 3,
 		.num_stream_encoder = 3,
 		.num_pll = 3,
-		.num_ddc = 3,
+		.num_ddc = 4,
 };
 #endif
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 071/144] drm/amd/display: Fix dc_create failure handling and 666 color depths
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 070/144] drm/amd/display: allocate 4 ddc engines for RV2 Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 072/144] drm/amd/display: Only enable audio if speaker allocation exists Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julian Parkin, Charlene Liu, Leo Li,
	Alex Deucher, Sasha Levin

[ Upstream commit 0905f32977268149f06e3ce6ea4bd6d374dd891f ]

[Why]
It is possible (but very unlikely) that constructing dc fails
before current_state is created.

We support 666 color depth in some scenarios, but this
isn't handled in get_norm_pix_clk. It uses exactly the
same pixel clock as the 888 case.

[How]
Check for non null current_state before destructing.

Add case for 666 color depth to get_norm_pix_clk to
avoid assertion.

Signed-off-by: Julian Parkin <julian.parkin@amd.com>
Reviewed-by: Charlene Liu <Charlene.Liu@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc.c          | 6 ++++--
 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index ee6b646180b66..0a7adc2925e35 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -608,8 +608,10 @@ const struct dc_link_settings *dc_link_get_link_cap(
 
 static void destruct(struct dc *dc)
 {
-	dc_release_state(dc->current_state);
-	dc->current_state = NULL;
+	if (dc->current_state) {
+		dc_release_state(dc->current_state);
+		dc->current_state = NULL;
+	}
 
 	destroy_links(dc);
 
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
index 6ad7b54812f1c..b2525ab8a95f6 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
@@ -1872,6 +1872,7 @@ static int get_norm_pix_clk(const struct dc_crtc_timing *timing)
 		pix_clk /= 2;
 	if (timing->pixel_encoding != PIXEL_ENCODING_YCBCR422) {
 		switch (timing->display_color_depth) {
+		case COLOR_DEPTH_666:
 		case COLOR_DEPTH_888:
 			normalized_pix_clk = pix_clk;
 			break;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 072/144] drm/amd/display: Only enable audio if speaker allocation exists
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 071/144] drm/amd/display: Fix dc_create failure handling and 666 color depths Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 073/144] drm/amd/display: Increase size of audios array Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alvin Lee, Jun Lei, Leo Li,
	Alex Deucher, Sasha Levin

[ Upstream commit 6ac25e6d5b2fbf251e9fa2f4131d42c815b43867 ]

[Why]

In dm_helpers_parse_edid_caps, there is a corner case where no speakers
can be allocated even though the audio mode count is greater than 0.
Enabling audio when no speaker allocations exists can cause issues in
the video stream.

[How]

Add a check to not enable audio unless one or more speaker allocations
exist (since doing this can cause issues in the video stream).

Signed-off-by: Alvin Lee <alvin.lee2@amd.com>
Reviewed-by: Jun Lei <Jun.Lei@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
index b2525ab8a95f6..b459ce056b609 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
@@ -2019,7 +2019,7 @@ enum dc_status resource_map_pool_resources(
 	/* TODO: Add check if ASIC support and EDID audio */
 	if (!stream->converter_disable_audio &&
 	    dc_is_audio_capable_signal(pipe_ctx->stream->signal) &&
-	    stream->audio_info.mode_count) {
+	    stream->audio_info.mode_count && stream->audio_info.flags.all) {
 		pipe_ctx->stream_res.audio = find_first_free_audio(
 		&context->res_ctx, pool, pipe_ctx->stream_res.stream_enc->id);
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 073/144] drm/amd/display: Increase size of audios array
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 072/144] drm/amd/display: Only enable audio if speaker allocation exists Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 074/144] iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tai Man, Joshua Aberback, Leo Li,
	Alex Deucher, Sasha Levin

[ Upstream commit 7352193a33dfc9b69ba3bf6a8caea925b96243b1 ]

[Why]
The audios array defined in "struct resource_pool" is only 6 (MAX_PIPES)
but the max number of audio devices (num_audio) is 7. In some projects,
it will run out of audios array.

[How]
Incraese the audios array size to 7.

Signed-off-by: Tai Man <taiman.wong@amd.com>
Reviewed-by: Joshua Aberback <Joshua.Aberback@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/inc/core_types.h   | 2 +-
 drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/inc/core_types.h b/drivers/gpu/drm/amd/display/dc/inc/core_types.h
index 6f5ab05d64677..6f0cc718fbd75 100644
--- a/drivers/gpu/drm/amd/display/dc/inc/core_types.h
+++ b/drivers/gpu/drm/amd/display/dc/inc/core_types.h
@@ -169,7 +169,7 @@ struct resource_pool {
 	struct clock_source *clock_sources[MAX_CLOCK_SOURCES];
 	unsigned int clk_src_count;
 
-	struct audio *audios[MAX_PIPES];
+	struct audio *audios[MAX_AUDIOS];
 	unsigned int audio_count;
 	struct audio_support audio_support;
 
diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h b/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h
index 4c8e2c6fb6dbc..72266efd826cf 100644
--- a/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h
+++ b/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h
@@ -34,6 +34,7 @@
  * Data types shared between different Virtual HW blocks
  ******************************************************************************/
 
+#define MAX_AUDIOS 7
 #define MAX_PIPES 6
 
 struct gamma_curve {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 074/144] iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 073/144] drm/amd/display: Increase size of audios array Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 075/144] nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Tai, Konrad Rzeszutek Wilk,
	Sasha Levin

[ Upstream commit 94bccc34071094c165c79b515d21b63c78f7e968 ]

iscsi_ibft can use ACPI to find the iBFT entry during bootup,
currently, ISCSI_IBFT depends on ISCSI_IBFT_FIND which is
a X86 legacy way to find the iBFT by searching through the
low memory. This patch changes the dependency so that other
arch like ARM64 can use ISCSI_IBFT as long as the arch supports
ACPI.

ibft_init() needs to use the global variable ibft_addr declared
in iscsi_ibft_find.c. A #ifndef CONFIG_ISCSI_IBFT_FIND is needed
to declare the variable if CONFIG_ISCSI_IBFT_FIND is not selected.
Moving ibft_addr into the iscsi_ibft.c does not work because if
ISCSI_IBFT is selected as a module, the arch/x86/kernel/setup.c won't
be able to find the variable at compile time.

Signed-off-by: Thomas Tai <thomas.tai@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/firmware/Kconfig      | 5 +++--
 drivers/firmware/iscsi_ibft.c | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
index d40ccc3af9e26..fa7ed01415b72 100644
--- a/drivers/firmware/Kconfig
+++ b/drivers/firmware/Kconfig
@@ -157,7 +157,7 @@ config DMI_SCAN_MACHINE_NON_EFI_FALLBACK
 
 config ISCSI_IBFT_FIND
 	bool "iSCSI Boot Firmware Table Attributes"
-	depends on X86 && ACPI
+	depends on X86 && ISCSI_IBFT
 	default n
 	help
 	  This option enables the kernel to find the region of memory
@@ -168,7 +168,8 @@ config ISCSI_IBFT_FIND
 config ISCSI_IBFT
 	tristate "iSCSI Boot Firmware Table Attributes module"
 	select ISCSI_BOOT_SYSFS
-	depends on ISCSI_IBFT_FIND && SCSI && SCSI_LOWLEVEL
+	select ISCSI_IBFT_FIND if X86
+	depends on ACPI && SCSI && SCSI_LOWLEVEL
 	default	n
 	help
 	  This option enables support for detection and exposing of iSCSI
diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c
index ab3aa39838338..7e12cbdf957cc 100644
--- a/drivers/firmware/iscsi_ibft.c
+++ b/drivers/firmware/iscsi_ibft.c
@@ -84,6 +84,10 @@ MODULE_DESCRIPTION("sysfs interface to BIOS iBFT information");
 MODULE_LICENSE("GPL");
 MODULE_VERSION(IBFT_ISCSI_VERSION);
 
+#ifndef CONFIG_ISCSI_IBFT_FIND
+struct acpi_table_ibft *ibft_addr;
+#endif
+
 struct ibft_hdr {
 	u8 id;
 	u8 version;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 075/144] nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 074/144] iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 076/144] mac80211: fix possible memory leak in ieee80211_assign_beacon Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Crispin, Johannes Berg, Sasha Levin

[ Upstream commit 5edaac063bbf1267260ad2a5b9bb803399343e58 ]

NL80211_HE_MAX_CAPABILITY_LEN has changed between D2.0 and D4.0. It is now
MAC (6) + PHY (11) + MCS (12) + PPE (25) = 54.

Signed-off-by: John Crispin <john@phrozen.org>
Link: https://lore.kernel.org/r/20190627095832.19445-1-john@phrozen.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/uapi/linux/nl80211.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 6f09d1500960d..70da1c6cdd073 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -2844,7 +2844,7 @@ enum nl80211_attrs {
 #define NL80211_HT_CAPABILITY_LEN		26
 #define NL80211_VHT_CAPABILITY_LEN		12
 #define NL80211_HE_MIN_CAPABILITY_LEN           16
-#define NL80211_HE_MAX_CAPABILITY_LEN           51
+#define NL80211_HE_MAX_CAPABILITY_LEN           54
 #define NL80211_MAX_NR_CIPHER_SUITES		5
 #define NL80211_MAX_NR_AKM_SUITES		2
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 076/144] mac80211: fix possible memory leak in ieee80211_assign_beacon
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 075/144] nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 077/144] mac80211: dont warn about CW params when not using them Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenzo Bianconi, Johannes Berg, Sasha Levin

[ Upstream commit bcc27fab8cc673ddc95452674373cce618ccb3a3 ]

Free new beacon_data in ieee80211_assign_beacon whenever
ieee80211_assign_beacon fails

Fixes: 8860020e0be1 ("cfg80211: restructure AP/GO mode API")
Fixes: bc847970f432 ("mac80211: support FTM responder configuration/statistic")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/770285772543c9fca33777bb4ad4760239e56256.1562105631.git.lorenzo@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/cfg.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index a1973a26c7fc4..b8288125e05db 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -935,8 +935,10 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
 
 	err = ieee80211_set_probe_resp(sdata, params->probe_resp,
 				       params->probe_resp_len, csa);
-	if (err < 0)
+	if (err < 0) {
+		kfree(new);
 		return err;
+	}
 	if (err == 0)
 		changed |= BSS_CHANGED_AP_PROBE_RESP;
 
@@ -948,8 +950,10 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
 							 params->civicloc,
 							 params->civicloc_len);
 
-		if (err < 0)
+		if (err < 0) {
+			kfree(new);
 			return err;
+		}
 
 		changed |= BSS_CHANGED_FTM_RESPONDER;
 	}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 077/144] mac80211: dont warn about CW params when not using them
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 076/144] mac80211: fix possible memory leak in ieee80211_assign_beacon Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 078/144] allocate_flower_entry: should check for null deref Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Norris, Johannes Berg, Sasha Levin

[ Upstream commit d2b3fe42bc629c2d4002f652b3abdfb2e72991c7 ]

ieee80211_set_wmm_default() normally sets up the initial CW min/max for
each queue, except that it skips doing this if the driver doesn't
support ->conf_tx. We still end up calling drv_conf_tx() in some cases
(e.g., ieee80211_reconfig()), which also still won't do anything
useful...except it complains here about the invalid CW parameters.

Let's just skip the WARN if we weren't going to do anything useful with
the parameters.

Signed-off-by: Brian Norris <briannorris@chromium.org>
Link: https://lore.kernel.org/r/20190718015712.197499-1-briannorris@chromium.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/driver-ops.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c
index acd4afb4944b8..c9a8a2433e8ac 100644
--- a/net/mac80211/driver-ops.c
+++ b/net/mac80211/driver-ops.c
@@ -187,11 +187,16 @@ int drv_conf_tx(struct ieee80211_local *local,
 	if (!check_sdata_in_driver(sdata))
 		return -EIO;
 
-	if (WARN_ONCE(params->cw_min == 0 ||
-		      params->cw_min > params->cw_max,
-		      "%s: invalid CW_min/CW_max: %d/%d\n",
-		      sdata->name, params->cw_min, params->cw_max))
+	if (params->cw_min == 0 || params->cw_min > params->cw_max) {
+		/*
+		 * If we can't configure hardware anyway, don't warn. We may
+		 * never have initialized the CW parameters.
+		 */
+		WARN_ONCE(local->ops->conf_tx,
+			  "%s: invalid CW_min/CW_max: %d/%d\n",
+			  sdata->name, params->cw_min, params->cw_max);
 		return -EINVAL;
+	}
 
 	trace_drv_conf_tx(local, sdata, ac, params);
 	if (local->ops->conf_tx)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 078/144] allocate_flower_entry: should check for null deref
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 077/144] mac80211: dont warn about CW params when not using them Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 079/144] hwmon: (occ) Fix division by zero issue Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, David S. Miller,
	Sasha Levin

[ Upstream commit bb1320834b8a80c6ac2697ab418d066981ea08ba ]

allocate_flower_entry does not check for allocation success, but tries
to deref the result. I only moved the spin_lock under null check, because
 the caller is checking allocation's status at line 652.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
index cfaf8f618d1f3..56742fa0c1af6 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
@@ -67,7 +67,8 @@ static struct ch_tc_pedit_fields pedits[] = {
 static struct ch_tc_flower_entry *allocate_flower_entry(void)
 {
 	struct ch_tc_flower_entry *new = kzalloc(sizeof(*new), GFP_KERNEL);
-	spin_lock_init(&new->lock);
+	if (new)
+		spin_lock_init(&new->lock);
 	return new;
 }
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 079/144] hwmon: (occ) Fix division by zero issue
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 078/144] allocate_flower_entry: should check for null deref Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 080/144] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lei YU, Eddie James, Guenter Roeck,
	Sasha Levin

[ Upstream commit 211186cae14de09573b062e478eb9fe215aed8d9 ]

The code in occ_get_powr_avg() invokes div64_u64() without checking the
divisor. In case the divisor is zero, kernel gets an "Division by zero
in kernel" error.

Check the divisor and make it return 0 if the divisor is 0.

Fixes: c10e753d43eb ("hwmon (occ): Add sensor types and versions")
Signed-off-by: Lei YU <mine260309@gmail.com>
Reviewed-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/1562813088-23708-1-git-send-email-mine260309@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/occ/common.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c
index 13a6290c8d254..f02aa403332c2 100644
--- a/drivers/hwmon/occ/common.c
+++ b/drivers/hwmon/occ/common.c
@@ -402,8 +402,10 @@ static ssize_t occ_show_power_1(struct device *dev,
 
 static u64 occ_get_powr_avg(u64 *accum, u32 *samples)
 {
-	return div64_u64(get_unaligned_be64(accum) * 1000000ULL,
-			 get_unaligned_be32(samples));
+	u64 divisor = get_unaligned_be32(samples);
+
+	return (divisor == 0) ? 0 :
+		div64_u64(get_unaligned_be64(accum) * 1000000ULL, divisor);
 }
 
 static ssize_t occ_show_power_2(struct device *dev,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 080/144] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 079/144] hwmon: (occ) Fix division by zero issue Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 081/144] ARM: dts: imx6ul: fix clock frequency property name of I2C buses Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bjoern Gerhart, Guenter Roeck, Sasha Levin

[ Upstream commit f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf ]

Fixed address of third NCT6106_REG_WEIGHT_DUTY_STEP, and
added missed NCT6106_REG_TOLERANCE_H.

Fixes: 6c009501ff200 ("hwmon: (nct6775) Add support for NCT6102D/6106D")
Signed-off-by: Bjoern Gerhart <gerhart@posteo.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/nct6775.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
index e7dff5febe161..d42bc0883a32b 100644
--- a/drivers/hwmon/nct6775.c
+++ b/drivers/hwmon/nct6775.c
@@ -852,7 +852,7 @@ static const u16 NCT6106_REG_TARGET[] = { 0x111, 0x121, 0x131 };
 static const u16 NCT6106_REG_WEIGHT_TEMP_SEL[] = { 0x168, 0x178, 0x188 };
 static const u16 NCT6106_REG_WEIGHT_TEMP_STEP[] = { 0x169, 0x179, 0x189 };
 static const u16 NCT6106_REG_WEIGHT_TEMP_STEP_TOL[] = { 0x16a, 0x17a, 0x18a };
-static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x17c };
+static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x18b };
 static const u16 NCT6106_REG_WEIGHT_TEMP_BASE[] = { 0x16c, 0x17c, 0x18c };
 static const u16 NCT6106_REG_WEIGHT_DUTY_BASE[] = { 0x16d, 0x17d, 0x18d };
 
@@ -3764,6 +3764,7 @@ static int nct6775_probe(struct platform_device *pdev)
 		data->REG_FAN_TIME[0] = NCT6106_REG_FAN_STOP_TIME;
 		data->REG_FAN_TIME[1] = NCT6106_REG_FAN_STEP_UP_TIME;
 		data->REG_FAN_TIME[2] = NCT6106_REG_FAN_STEP_DOWN_TIME;
+		data->REG_TOLERANCE_H = NCT6106_REG_TOLERANCE_H;
 		data->REG_PWM[0] = NCT6106_REG_PWM;
 		data->REG_PWM[1] = NCT6106_REG_FAN_START_OUTPUT;
 		data->REG_PWM[2] = NCT6106_REG_FAN_STOP_OUTPUT;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 081/144] ARM: dts: imx6ul: fix clock frequency property name of I2C buses
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 080/144] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 082/144] powerpc/papr_scm: Force a scm-unbind if initial scm-bind fails Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sébastien Szymanski,
	Fabio Estevam, Shawn Guo, Sasha Levin

[ Upstream commit 2ca99396333999b9b5c5b91b36cbccacfe571aaf ]

A few boards set clock frequency of their I2C buses with
"clock_frequency" property. The right property is "clock-frequency".

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx6ul-14x14-evk.dtsi  | 2 +-
 arch/arm/boot/dts/imx6ul-geam.dts        | 2 +-
 arch/arm/boot/dts/imx6ul-isiot.dtsi      | 2 +-
 arch/arm/boot/dts/imx6ul-pico-hobbit.dts | 2 +-
 arch/arm/boot/dts/imx6ul-pico-pi.dts     | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/arm/boot/dts/imx6ul-14x14-evk.dtsi b/arch/arm/boot/dts/imx6ul-14x14-evk.dtsi
index 9207d5d071f11..d556f7c541ce6 100644
--- a/arch/arm/boot/dts/imx6ul-14x14-evk.dtsi
+++ b/arch/arm/boot/dts/imx6ul-14x14-evk.dtsi
@@ -112,7 +112,7 @@
 };
 
 &i2c2 {
-	clock_frequency = <100000>;
+	clock-frequency = <100000>;
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_i2c2>;
 	status = "okay";
diff --git a/arch/arm/boot/dts/imx6ul-geam.dts b/arch/arm/boot/dts/imx6ul-geam.dts
index bc77f26a2f1de..6157a058feec9 100644
--- a/arch/arm/boot/dts/imx6ul-geam.dts
+++ b/arch/arm/boot/dts/imx6ul-geam.dts
@@ -156,7 +156,7 @@
 };
 
 &i2c2 {
-	clock_frequency = <100000>;
+	clock-frequency = <100000>;
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_i2c2>;
 	status = "okay";
diff --git a/arch/arm/boot/dts/imx6ul-isiot.dtsi b/arch/arm/boot/dts/imx6ul-isiot.dtsi
index 213e802bf35c5..23e6e2e7ace9d 100644
--- a/arch/arm/boot/dts/imx6ul-isiot.dtsi
+++ b/arch/arm/boot/dts/imx6ul-isiot.dtsi
@@ -148,7 +148,7 @@
 };
 
 &i2c2 {
-	clock_frequency = <100000>;
+	clock-frequency = <100000>;
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_i2c2>;
 	status = "okay";
diff --git a/arch/arm/boot/dts/imx6ul-pico-hobbit.dts b/arch/arm/boot/dts/imx6ul-pico-hobbit.dts
index 39eeeddac39e3..09f7ffa9ad8c4 100644
--- a/arch/arm/boot/dts/imx6ul-pico-hobbit.dts
+++ b/arch/arm/boot/dts/imx6ul-pico-hobbit.dts
@@ -43,7 +43,7 @@
 };
 
 &i2c2 {
-	clock_frequency = <100000>;
+	clock-frequency = <100000>;
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_i2c2>;
 	status = "okay";
diff --git a/arch/arm/boot/dts/imx6ul-pico-pi.dts b/arch/arm/boot/dts/imx6ul-pico-pi.dts
index de07357b27fc2..6cd7d5877d20c 100644
--- a/arch/arm/boot/dts/imx6ul-pico-pi.dts
+++ b/arch/arm/boot/dts/imx6ul-pico-pi.dts
@@ -43,7 +43,7 @@
 };
 
 &i2c2 {
-	clock_frequency = <100000>;
+	clock-frequency = <100000>;
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_i2c2>;
 	status = "okay";
@@ -58,7 +58,7 @@
 };
 
 &i2c3 {
-	clock_frequency = <100000>;
+	clock-frequency = <100000>;
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_i2c3>;
 	status = "okay";
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 082/144] powerpc/papr_scm: Force a scm-unbind if initial scm-bind fails
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 081/144] ARM: dts: imx6ul: fix clock frequency property name of I2C buses Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 083/144] arm64: Force SSBS on context switch Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver OHalloran, Vaibhav Jain,
	Michael Ellerman, Sasha Levin

[ Upstream commit 3a855b7ac7d5021674aa3e1cc9d3bfd6b604e9c0 ]

In some cases initial bind of scm memory for an lpar can fail if
previously it wasn't released using a scm-unbind hcall. This situation
can arise due to panic of the previous kernel or forced lpar
fadump. In such cases the H_SCM_BIND_MEM return a H_OVERLAP error.

To mitigate such cases the patch updates papr_scm_probe() to force a
call to drc_pmem_unbind() in case the initial bind of scm memory fails
with EBUSY error. In case scm-bind operation again fails after the
forced scm-unbind then we follow the existing error path. We also
update drc_pmem_bind() to handle the H_OVERLAP error returned by phyp
and indicate it as a EBUSY error back to the caller.

Suggested-by: "Oliver O'Halloran" <oohall@gmail.com>
Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Reviewed-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190629160610.23402-4-vaibhav@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/pseries/papr_scm.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c
index 96c53b23e58f9..dad9825e40874 100644
--- a/arch/powerpc/platforms/pseries/papr_scm.c
+++ b/arch/powerpc/platforms/pseries/papr_scm.c
@@ -42,8 +42,9 @@ struct papr_scm_priv {
 static int drc_pmem_bind(struct papr_scm_priv *p)
 {
 	unsigned long ret[PLPAR_HCALL_BUFSIZE];
-	uint64_t rc, token;
 	uint64_t saved = 0;
+	uint64_t token;
+	int64_t rc;
 
 	/*
 	 * When the hypervisor cannot map all the requested memory in a single
@@ -63,6 +64,10 @@ static int drc_pmem_bind(struct papr_scm_priv *p)
 	} while (rc == H_BUSY);
 
 	if (rc) {
+		/* H_OVERLAP needs a separate error path */
+		if (rc == H_OVERLAP)
+			return -EBUSY;
+
 		dev_err(&p->pdev->dev, "bind err: %lld\n", rc);
 		return -ENXIO;
 	}
@@ -316,6 +321,14 @@ static int papr_scm_probe(struct platform_device *pdev)
 
 	/* request the hypervisor to bind this region to somewhere in memory */
 	rc = drc_pmem_bind(p);
+
+	/* If phyp says drc memory still bound then force unbound and retry */
+	if (rc == -EBUSY) {
+		dev_warn(&pdev->dev, "Retrying bind after unbinding\n");
+		drc_pmem_unbind(p);
+		rc = drc_pmem_bind(p);
+	}
+
 	if (rc)
 		goto err;
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 083/144] arm64: Force SSBS on context switch
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 082/144] powerpc/papr_scm: Force a scm-unbind if initial scm-bind fails Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 084/144] arm64: entry: SP Alignment Fault doesnt write to FAR_EL1 Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Will Deacon, Sasha Levin

[ Upstream commit cbdf8a189a66001c36007bf0f5c975d0376c5c3a ]

On a CPU that doesn't support SSBS, PSTATE[12] is RES0.  In a system
where only some of the CPUs implement SSBS, we end-up losing track of
the SSBS bit across task migration.

To address this issue, let's force the SSBS bit on context switch.

Fixes: 8f04e8e6e29c ("arm64: ssbd: Add support for PSTATE.SSBS rather than trapping to EL3")
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
[will: inverted logic and added comments]
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/processor.h | 14 ++++++++++++--
 arch/arm64/kernel/process.c        | 29 ++++++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
index fd5b1a4efc70e..844e2964b0f5e 100644
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -193,6 +193,16 @@ static inline void start_thread_common(struct pt_regs *regs, unsigned long pc)
 		regs->pmr_save = GIC_PRIO_IRQON;
 }
 
+static inline void set_ssbs_bit(struct pt_regs *regs)
+{
+	regs->pstate |= PSR_SSBS_BIT;
+}
+
+static inline void set_compat_ssbs_bit(struct pt_regs *regs)
+{
+	regs->pstate |= PSR_AA32_SSBS_BIT;
+}
+
 static inline void start_thread(struct pt_regs *regs, unsigned long pc,
 				unsigned long sp)
 {
@@ -200,7 +210,7 @@ static inline void start_thread(struct pt_regs *regs, unsigned long pc,
 	regs->pstate = PSR_MODE_EL0t;
 
 	if (arm64_get_ssbd_state() != ARM64_SSBD_FORCE_ENABLE)
-		regs->pstate |= PSR_SSBS_BIT;
+		set_ssbs_bit(regs);
 
 	regs->sp = sp;
 }
@@ -219,7 +229,7 @@ static inline void compat_start_thread(struct pt_regs *regs, unsigned long pc,
 #endif
 
 	if (arm64_get_ssbd_state() != ARM64_SSBD_FORCE_ENABLE)
-		regs->pstate |= PSR_AA32_SSBS_BIT;
+		set_compat_ssbs_bit(regs);
 
 	regs->compat_sp = sp;
 }
diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
index 6a869d9f304f7..b0c859ca63201 100644
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -398,7 +398,7 @@ int copy_thread(unsigned long clone_flags, unsigned long stack_start,
 			childregs->pstate |= PSR_UAO_BIT;
 
 		if (arm64_get_ssbd_state() == ARM64_SSBD_FORCE_DISABLE)
-			childregs->pstate |= PSR_SSBS_BIT;
+			set_ssbs_bit(childregs);
 
 		if (system_uses_irq_prio_masking())
 			childregs->pmr_save = GIC_PRIO_IRQON;
@@ -442,6 +442,32 @@ void uao_thread_switch(struct task_struct *next)
 	}
 }
 
+/*
+ * Force SSBS state on context-switch, since it may be lost after migrating
+ * from a CPU which treats the bit as RES0 in a heterogeneous system.
+ */
+static void ssbs_thread_switch(struct task_struct *next)
+{
+	struct pt_regs *regs = task_pt_regs(next);
+
+	/*
+	 * Nothing to do for kernel threads, but 'regs' may be junk
+	 * (e.g. idle task) so check the flags and bail early.
+	 */
+	if (unlikely(next->flags & PF_KTHREAD))
+		return;
+
+	/* If the mitigation is enabled, then we leave SSBS clear. */
+	if ((arm64_get_ssbd_state() == ARM64_SSBD_FORCE_ENABLE) ||
+	    test_tsk_thread_flag(next, TIF_SSBD))
+		return;
+
+	if (compat_user_mode(regs))
+		set_compat_ssbs_bit(regs);
+	else if (user_mode(regs))
+		set_ssbs_bit(regs);
+}
+
 /*
  * We store our current task in sp_el0, which is clobbered by userspace. Keep a
  * shadow copy so that we can restore this upon entry from userspace.
@@ -471,6 +497,7 @@ __notrace_funcgraph struct task_struct *__switch_to(struct task_struct *prev,
 	entry_task_switch(next);
 	uao_thread_switch(next);
 	ptrauth_thread_switch(next);
+	ssbs_thread_switch(next);
 
 	/*
 	 * Complete any pending TLB or cache maintenance on this CPU in case
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 084/144] arm64: entry: SP Alignment Fault doesnt write to FAR_EL1
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 083/144] arm64: Force SSBS on context switch Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 085/144] iommu/vt-d: Check if domain->pgd was allocated Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Morse, Will Deacon, Sasha Levin

[ Upstream commit 40ca0ce56d4bb889dc43b455c55398468115569a ]

Comparing the arm-arm's  pseudocode for AArch64.PCAlignmentFault() with
AArch64.SPAlignmentFault() shows that SP faults don't copy the faulty-SP
to FAR_EL1, but this is where we read from, and the address we provide
to user-space with the BUS_ADRALN signal.

For user-space this value will be UNKNOWN due to the previous ERET to
user-space. If the last value is preserved, on systems with KASLR or KPTI
this will be the user-space link-register left in FAR_EL1 by tramp_exit().
Fix this to retrieve the original sp_el0 value, and pass this to
do_sp_pc_fault().

SP alignment faults from EL1 will cause us to take the fault again when
trying to store the pt_regs. This eventually takes us to the overflow
stack. Remove the ESR_ELx_EC_SP_ALIGN check as we will never make it
this far.

Fixes: 60ffc30d5652 ("arm64: Exception handling")
Signed-off-by: James Morse <james.morse@arm.com>
[will: change label name and fleshed out comment]
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/entry.S | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 9cdc4592da3ef..320a30dbe35ef 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -586,10 +586,8 @@ el1_sync:
 	b.eq	el1_ia
 	cmp	x24, #ESR_ELx_EC_SYS64		// configurable trap
 	b.eq	el1_undef
-	cmp	x24, #ESR_ELx_EC_SP_ALIGN	// stack alignment exception
-	b.eq	el1_sp_pc
 	cmp	x24, #ESR_ELx_EC_PC_ALIGN	// pc alignment exception
-	b.eq	el1_sp_pc
+	b.eq	el1_pc
 	cmp	x24, #ESR_ELx_EC_UNKNOWN	// unknown exception in EL1
 	b.eq	el1_undef
 	cmp	x24, #ESR_ELx_EC_BREAKPT_CUR	// debug exception in EL1
@@ -611,9 +609,11 @@ el1_da:
 	bl	do_mem_abort
 
 	kernel_exit 1
-el1_sp_pc:
+el1_pc:
 	/*
-	 * Stack or PC alignment exception handling
+	 * PC alignment exception handling. We don't handle SP alignment faults,
+	 * since we will have hit a recursive exception when trying to push the
+	 * initial pt_regs.
 	 */
 	mrs	x0, far_el1
 	inherit_daif	pstate=x23, tmp=x2
@@ -732,9 +732,9 @@ el0_sync:
 	ccmp	x24, #ESR_ELx_EC_WFx, #4, ne
 	b.eq	el0_sys
 	cmp	x24, #ESR_ELx_EC_SP_ALIGN	// stack alignment exception
-	b.eq	el0_sp_pc
+	b.eq	el0_sp
 	cmp	x24, #ESR_ELx_EC_PC_ALIGN	// pc alignment exception
-	b.eq	el0_sp_pc
+	b.eq	el0_pc
 	cmp	x24, #ESR_ELx_EC_UNKNOWN	// unknown exception in EL0
 	b.eq	el0_undef
 	cmp	x24, #ESR_ELx_EC_BREAKPT_LOW	// debug exception in EL0
@@ -758,7 +758,7 @@ el0_sync_compat:
 	cmp	x24, #ESR_ELx_EC_FP_EXC32	// FP/ASIMD exception
 	b.eq	el0_fpsimd_exc
 	cmp	x24, #ESR_ELx_EC_PC_ALIGN	// pc alignment exception
-	b.eq	el0_sp_pc
+	b.eq	el0_pc
 	cmp	x24, #ESR_ELx_EC_UNKNOWN	// unknown exception in EL0
 	b.eq	el0_undef
 	cmp	x24, #ESR_ELx_EC_CP15_32	// CP15 MRC/MCR trap
@@ -858,11 +858,15 @@ el0_fpsimd_exc:
 	mov	x1, sp
 	bl	do_fpsimd_exc
 	b	ret_to_user
+el0_sp:
+	ldr	x26, [sp, #S_SP]
+	b	el0_sp_pc
+el0_pc:
+	mrs	x26, far_el1
 el0_sp_pc:
 	/*
 	 * Stack or PC alignment exception handling
 	 */
-	mrs	x26, far_el1
 	gic_prio_kentry_setup tmp=x0
 	enable_da_f
 #ifdef CONFIG_TRACE_IRQFLAGS
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 085/144] iommu/vt-d: Check if domain->pgd was allocated
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 084/144] arm64: entry: SP Alignment Fault doesnt write to FAR_EL1 Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 086/144] drm/msm/dpu: Correct dpu encoder spinlock initialization Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Woodhouse, Joerg Roedel,
	Lu Baolu, iommu, Dmitry Safonov, Joerg Roedel, Sasha Levin

[ Upstream commit 3ee9eca760e7d0b68c55813243de66bbb499dc3b ]

There is a couple of places where on domain_init() failure domain_exit()
is called. While currently domain_init() can fail only if
alloc_pgtable_page() has failed.

Make domain_exit() check if domain->pgd present, before calling
domain_unmap(), as it theoretically should crash on clearing pte entries
in dma_pte_clear_level().

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Lu Baolu <baolu.lu@linux.intel.com>
Cc: iommu@lists.linux-foundation.org
Signed-off-by: Dmitry Safonov <dima@arista.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/intel-iommu.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 2101601adf57d..1ad24367373f4 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -1900,7 +1900,6 @@ static int domain_init(struct dmar_domain *domain, struct intel_iommu *iommu,
 
 static void domain_exit(struct dmar_domain *domain)
 {
-	struct page *freelist;
 
 	/* Remove associated devices and clear attached or cached domains */
 	rcu_read_lock();
@@ -1910,9 +1909,12 @@ static void domain_exit(struct dmar_domain *domain)
 	/* destroy iovas */
 	put_iova_domain(&domain->iovad);
 
-	freelist = domain_unmap(domain, 0, DOMAIN_MAX_PFN(domain->gaw));
+	if (domain->pgd) {
+		struct page *freelist;
 
-	dma_free_pagelist(freelist);
+		freelist = domain_unmap(domain, 0, DOMAIN_MAX_PFN(domain->gaw));
+		dma_free_pagelist(freelist);
+	}
 
 	free_domain_mem(domain);
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 086/144] drm/msm/dpu: Correct dpu encoder spinlock initialization
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 085/144] iommu/vt-d: Check if domain->pgd was allocated Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 087/144] drm: silence variable conn set but not used Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shubhashree Dhar, Sean Paul, Sasha Levin

[ Upstream commit 2e7b801eadbf327bf61041c943e5c44a5de4b0e5 ]

dpu encoder spinlock should be initialized during dpu encoder
init instead of dpu encoder setup which is part of modeset init.

Signed-off-by: Shubhashree Dhar <dhar@codeaurora.org>
[seanpaul resolved conflict in old init removal and revised the commit message]
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/1561357632-15361-1-git-send-email-dhar@codeaurora.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
index 0ea1501966594..c62f7abcf509c 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
@@ -2226,8 +2226,6 @@ int dpu_encoder_setup(struct drm_device *dev, struct drm_encoder *enc,
 	if (ret)
 		goto fail;
 
-	spin_lock_init(&dpu_enc->enc_spinlock);
-
 	atomic_set(&dpu_enc->frame_done_timeout_ms, 0);
 	timer_setup(&dpu_enc->frame_done_timer,
 			dpu_encoder_frame_done_timeout, 0);
@@ -2281,6 +2279,7 @@ struct drm_encoder *dpu_encoder_init(struct drm_device *dev,
 
 	drm_encoder_helper_add(&dpu_enc->base, &dpu_encoder_helper_funcs);
 
+	spin_lock_init(&dpu_enc->enc_spinlock);
 	dpu_enc->enabled = false;
 
 	return &dpu_enc->base;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 087/144] drm: silence variable conn set but not used
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 086/144] drm/msm/dpu: Correct dpu encoder spinlock initialization Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 088/144] arm64: dts: imx8mm: Correct SAI3 RXC/TXFS pins mux option #1 Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Qian Cai, Sean Paul, Sasha Levin

[ Upstream commit bbb6fc43f131f77fcb7ae8081f6d7c51396a2120 ]

The "struct drm_connector" iteration cursor from
"for_each_new_connector_in_state" is never used in atomic_remove_fb()
which generates a compilation warning,

drivers/gpu/drm/drm_framebuffer.c: In function 'atomic_remove_fb':
drivers/gpu/drm/drm_framebuffer.c:838:24: warning: variable 'conn' set
but not used [-Wunused-but-set-variable]

Silence it by marking "conn" __maybe_unused.

Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/1563822886-13570-1-git-send-email-cai@lca.pw
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_framebuffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c
index d8d75e25f6fb8..45f6f11a88a74 100644
--- a/drivers/gpu/drm/drm_framebuffer.c
+++ b/drivers/gpu/drm/drm_framebuffer.c
@@ -830,7 +830,7 @@ static int atomic_remove_fb(struct drm_framebuffer *fb)
 	struct drm_device *dev = fb->dev;
 	struct drm_atomic_state *state;
 	struct drm_plane *plane;
-	struct drm_connector *conn;
+	struct drm_connector *conn __maybe_unused;
 	struct drm_connector_state *conn_state;
 	int i, ret;
 	unsigned plane_mask;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 088/144] arm64: dts: imx8mm: Correct SAI3 RXC/TXFS pins mux option #1
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 087/144] drm: silence variable conn set but not used Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 089/144] arm64: dts: imx8mq: fix SAI compatible Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anson Huang, Shawn Guo, Sasha Levin

[ Upstream commit 52d09014bb104a9157c0f5530700291052d2955c ]

According to i.MX8MM reference manual Rev.1, 03/2019:

SAI3_RXC pin's mux option #1 should be GPT1_CLK, NOT GPT1_CAPTURE2;
SAI3_TXFS pin's mux option #1 should be GPT1_CAPTURE2, NOT GPT1_CLK.

Fixes: c1c9d41319c3 ("dt-bindings: imx: Add pinctrl binding doc for imx8mm")
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h
index e25f7fcd79975..cffa8991880d1 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h
+++ b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h
@@ -462,7 +462,7 @@
 #define MX8MM_IOMUXC_SAI3_RXFS_GPIO4_IO28                                   0x1CC 0x434 0x000 0x5 0x0
 #define MX8MM_IOMUXC_SAI3_RXFS_TPSMP_HTRANS0                                0x1CC 0x434 0x000 0x7 0x0
 #define MX8MM_IOMUXC_SAI3_RXC_SAI3_RX_BCLK                                  0x1D0 0x438 0x000 0x0 0x0
-#define MX8MM_IOMUXC_SAI3_RXC_GPT1_CAPTURE2                                 0x1D0 0x438 0x000 0x1 0x0
+#define MX8MM_IOMUXC_SAI3_RXC_GPT1_CLK                                      0x1D0 0x438 0x000 0x1 0x0
 #define MX8MM_IOMUXC_SAI3_RXC_SAI5_RX_BCLK                                  0x1D0 0x438 0x4D0 0x2 0x2
 #define MX8MM_IOMUXC_SAI3_RXC_GPIO4_IO29                                    0x1D0 0x438 0x000 0x5 0x0
 #define MX8MM_IOMUXC_SAI3_RXC_TPSMP_HTRANS1                                 0x1D0 0x438 0x000 0x7 0x0
@@ -472,7 +472,7 @@
 #define MX8MM_IOMUXC_SAI3_RXD_GPIO4_IO30                                    0x1D4 0x43C 0x000 0x5 0x0
 #define MX8MM_IOMUXC_SAI3_RXD_TPSMP_HDATA0                                  0x1D4 0x43C 0x000 0x7 0x0
 #define MX8MM_IOMUXC_SAI3_TXFS_SAI3_TX_SYNC                                 0x1D8 0x440 0x000 0x0 0x0
-#define MX8MM_IOMUXC_SAI3_TXFS_GPT1_CLK                                     0x1D8 0x440 0x000 0x1 0x0
+#define MX8MM_IOMUXC_SAI3_TXFS_GPT1_CAPTURE2                                0x1D8 0x440 0x000 0x1 0x0
 #define MX8MM_IOMUXC_SAI3_TXFS_SAI5_RX_DATA1                                0x1D8 0x440 0x4D8 0x2 0x2
 #define MX8MM_IOMUXC_SAI3_TXFS_GPIO4_IO31                                   0x1D8 0x440 0x000 0x5 0x0
 #define MX8MM_IOMUXC_SAI3_TXFS_TPSMP_HDATA1                                 0x1D8 0x440 0x000 0x7 0x0
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 089/144] arm64: dts: imx8mq: fix SAI compatible
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 088/144] arm64: dts: imx8mm: Correct SAI3 RXC/TXFS pins mux option #1 Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 090/144] cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Stach, Daniel Baluta,
	Shawn Guo, Sasha Levin

[ Upstream commit 8d0148473dece51675d11dd59b8db5fe4b5d2e7e ]

The i.MX8M SAI block is not compatible with the i.MX6SX one, as the
register layout has changed due to two version registers being added
at the beginning of the address map. Remove the bogus compatible.

Fixes: 8c61538dc945 ("arm64: dts: imx8mq: Add SAI2 node")
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/freescale/imx8mq.dtsi | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
index 6d635ba0904c5..6632cbd88bed3 100644
--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
@@ -675,8 +675,7 @@
 
 			sai2: sai@308b0000 {
 				#sound-dai-cells = <0>;
-				compatible = "fsl,imx8mq-sai",
-					     "fsl,imx6sx-sai";
+				compatible = "fsl,imx8mq-sai";
 				reg = <0x308b0000 0x10000>;
 				interrupts = <GIC_SPI 96 IRQ_TYPE_LEVEL_HIGH>;
 				clocks = <&clk IMX8MQ_CLK_SAI2_IPG>,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 090/144] cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 089/144] arm64: dts: imx8mq: fix SAI compatible Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 091/144] s390/qdio: add sanity checks to the fast-requeue path Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Viresh Kumar,
	Rafael J. Wysocki, Sasha Levin

[ Upstream commit e0a12445d1cb186d875410d093a00d215bec6a89 ]

The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cpufreq/pasemi-cpufreq.c | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4abe32483..d2f061015323d 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -131,10 +131,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 	int err = -ENODEV;
 
 	cpu = of_get_cpu_node(policy->cpu, NULL);
+	if (!cpu)
+		goto out;
 
+	max_freqp = of_get_property(cpu, "clock-frequency", NULL);
 	of_node_put(cpu);
-	if (!cpu)
+	if (!max_freqp) {
+		err = -EINVAL;
 		goto out;
+	}
+
+	/* we need the freq in kHz */
+	max_freq = *max_freqp / 1000;
 
 	dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
 	if (!dn)
@@ -171,16 +179,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 	}
 
 	pr_debug("init cpufreq on CPU %d\n", policy->cpu);
-
-	max_freqp = of_get_property(cpu, "clock-frequency", NULL);
-	if (!max_freqp) {
-		err = -EINVAL;
-		goto out_unmap_sdcpwr;
-	}
-
-	/* we need the freq in kHz */
-	max_freq = *max_freqp / 1000;
-
 	pr_debug("max clock-frequency is at %u kHz\n", max_freq);
 	pr_debug("initializing frequency table\n");
 
@@ -198,9 +196,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 
 	return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
 
-out_unmap_sdcpwr:
-	iounmap(sdcpwr_mapbase);
-
 out_unmap_sdcasr:
 	iounmap(sdcasr_mapbase);
 out:
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 091/144] s390/qdio: add sanity checks to the fast-requeue path
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 090/144] cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 092/144] ALSA: compress: Fix regression on compressed capture streams Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julian Wiedmann, Jens Remus,
	Heiko Carstens, Sasha Levin

[ Upstream commit a6ec414a4dd529eeac5c3ea51c661daba3397108 ]

If the device driver were to send out a full queue's worth of SBALs,
current code would end up discovering the last of those SBALs as PRIMED
and erroneously skip the SIGA-w. This immediately stalls the queue.

Add a check to not attempt fast-requeue in this case. While at it also
make sure that the state of the previous SBAL was successfully extracted
before inspecting it.

Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/qdio_main.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
index 730c4e68094ba..7f5adf02f0959 100644
--- a/drivers/s390/cio/qdio_main.c
+++ b/drivers/s390/cio/qdio_main.c
@@ -1558,13 +1558,13 @@ static int handle_outbound(struct qdio_q *q, unsigned int callflags,
 		rc = qdio_kick_outbound_q(q, phys_aob);
 	} else if (need_siga_sync(q)) {
 		rc = qdio_siga_sync_q(q);
+	} else if (count < QDIO_MAX_BUFFERS_PER_Q &&
+		   get_buf_state(q, prev_buf(bufnr), &state, 0) > 0 &&
+		   state == SLSB_CU_OUTPUT_PRIMED) {
+		/* The previous buffer is not processed yet, tack on. */
+		qperf_inc(q, fast_requeue);
 	} else {
-		/* try to fast requeue buffers */
-		get_buf_state(q, prev_buf(bufnr), &state, 0);
-		if (state != SLSB_CU_OUTPUT_PRIMED)
-			rc = qdio_kick_outbound_q(q, 0);
-		else
-			qperf_inc(q, fast_requeue);
+		rc = qdio_kick_outbound_q(q, 0);
 	}
 
 	/* in case of SIGA errors we must process the error immediately */
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 092/144] ALSA: compress: Fix regression on compressed capture streams
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 091/144] s390/qdio: add sanity checks to the fast-requeue path Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 093/144] ALSA: compress: Prevent bypasses of set_params Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charles Keepax, Vinod Koul,
	Takashi Iwai, Sasha Levin

[ Upstream commit 4475f8c4ab7b248991a60d9c02808dbb813d6be8 ]

A previous fix to the stop handling on compressed capture streams causes
some knock on issues. The previous fix updated snd_compr_drain_notify to
set the state back to PREPARED for capture streams. This causes some
issues however as the handling for snd_compr_poll differs between the
two states and some user-space applications were relying on the poll
failing after the stream had been stopped.

To correct this regression whilst still fixing the original problem the
patch was addressing, update the capture handling to skip the PREPARED
state rather than skipping the SETUP state as it has done until now.

Fixes: 4f2ab5e1d13d ("ALSA: compress: Fix stop handling on compressed capture streams")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/sound/compress_driver.h |  5 +----
 sound/core/compress_offload.c   | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
index c5188ff724d12..bc88d6f964da9 100644
--- a/include/sound/compress_driver.h
+++ b/include/sound/compress_driver.h
@@ -173,10 +173,7 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream)
 	if (snd_BUG_ON(!stream))
 		return;
 
-	if (stream->direction == SND_COMPRESS_PLAYBACK)
-		stream->runtime->state = SNDRV_PCM_STATE_SETUP;
-	else
-		stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
+	stream->runtime->state = SNDRV_PCM_STATE_SETUP;
 
 	wake_up(&stream->runtime->sleep);
 }
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 99b8821587053..d79aee6b9edd2 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -574,10 +574,7 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg)
 		stream->metadata_set = false;
 		stream->next_track = false;
 
-		if (stream->direction == SND_COMPRESS_PLAYBACK)
-			stream->runtime->state = SNDRV_PCM_STATE_SETUP;
-		else
-			stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
+		stream->runtime->state = SNDRV_PCM_STATE_SETUP;
 	} else {
 		return -EPERM;
 	}
@@ -693,8 +690,17 @@ static int snd_compr_start(struct snd_compr_stream *stream)
 {
 	int retval;
 
-	if (stream->runtime->state != SNDRV_PCM_STATE_PREPARED)
+	switch (stream->runtime->state) {
+	case SNDRV_PCM_STATE_SETUP:
+		if (stream->direction != SND_COMPRESS_CAPTURE)
+			return -EPERM;
+		break;
+	case SNDRV_PCM_STATE_PREPARED:
+		break;
+	default:
 		return -EPERM;
+	}
+
 	retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_START);
 	if (!retval)
 		stream->runtime->state = SNDRV_PCM_STATE_RUNNING;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 093/144] ALSA: compress: Prevent bypasses of set_params
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 092/144] ALSA: compress: Fix regression on compressed capture streams Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 094/144] ALSA: compress: Dont allow paritial drain operations on capture streams Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charles Keepax, Vinod Koul,
	Takashi Iwai, Sasha Levin

[ Upstream commit 26c3f1542f5064310ad26794c09321780d00c57d ]

Currently, whilst in SNDRV_PCM_STATE_OPEN it is possible to call
snd_compr_stop, snd_compr_drain and snd_compr_partial_drain, which
allow a transition to SNDRV_PCM_STATE_SETUP. The stream should
only be able to move to the setup state once it has received a
SNDRV_COMPRESS_SET_PARAMS ioctl. Fix this issue by not allowing
those ioctls whilst in the open state.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/compress_offload.c | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index d79aee6b9edd2..40dae723c59db 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -711,9 +711,15 @@ static int snd_compr_stop(struct snd_compr_stream *stream)
 {
 	int retval;
 
-	if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED ||
-			stream->runtime->state == SNDRV_PCM_STATE_SETUP)
+	switch (stream->runtime->state) {
+	case SNDRV_PCM_STATE_OPEN:
+	case SNDRV_PCM_STATE_SETUP:
+	case SNDRV_PCM_STATE_PREPARED:
 		return -EPERM;
+	default:
+		break;
+	}
+
 	retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP);
 	if (!retval) {
 		snd_compr_drain_notify(stream);
@@ -801,9 +807,14 @@ static int snd_compr_drain(struct snd_compr_stream *stream)
 {
 	int retval;
 
-	if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED ||
-			stream->runtime->state == SNDRV_PCM_STATE_SETUP)
+	switch (stream->runtime->state) {
+	case SNDRV_PCM_STATE_OPEN:
+	case SNDRV_PCM_STATE_SETUP:
+	case SNDRV_PCM_STATE_PREPARED:
 		return -EPERM;
+	default:
+		break;
+	}
 
 	retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_DRAIN);
 	if (retval) {
@@ -840,9 +851,16 @@ static int snd_compr_next_track(struct snd_compr_stream *stream)
 static int snd_compr_partial_drain(struct snd_compr_stream *stream)
 {
 	int retval;
-	if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED ||
-			stream->runtime->state == SNDRV_PCM_STATE_SETUP)
+
+	switch (stream->runtime->state) {
+	case SNDRV_PCM_STATE_OPEN:
+	case SNDRV_PCM_STATE_SETUP:
+	case SNDRV_PCM_STATE_PREPARED:
 		return -EPERM;
+	default:
+		break;
+	}
+
 	/* stream can be drained only when next track has been signalled */
 	if (stream->next_track == false)
 		return -EPERM;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 094/144] ALSA: compress: Dont allow paritial drain operations on capture streams
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 093/144] ALSA: compress: Prevent bypasses of set_params Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 095/144] ALSA: compress: Be more restrictive about when a drain is allowed Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charles Keepax, Vinod Koul,
	Takashi Iwai, Sasha Levin

[ Upstream commit a70ab8a8645083f3700814e757f2940a88b7ef88 ]

Partial drain and next track are intended for gapless playback and
don't really have an obvious interpretation for a capture stream, so
makes sense to not allow those operations on capture streams.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/compress_offload.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 40dae723c59db..6cf5b8440cf30 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -834,6 +834,10 @@ static int snd_compr_next_track(struct snd_compr_stream *stream)
 	if (stream->runtime->state != SNDRV_PCM_STATE_RUNNING)
 		return -EPERM;
 
+	/* next track doesn't have any meaning for capture streams */
+	if (stream->direction == SND_COMPRESS_CAPTURE)
+		return -EPERM;
+
 	/* you can signal next track if this is intended to be a gapless stream
 	 * and current track metadata is set
 	 */
@@ -861,6 +865,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream)
 		break;
 	}
 
+	/* partial drain doesn't have any meaning for capture streams */
+	if (stream->direction == SND_COMPRESS_CAPTURE)
+		return -EPERM;
+
 	/* stream can be drained only when next track has been signalled */
 	if (stream->next_track == false)
 		return -EPERM;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 095/144] ALSA: compress: Be more restrictive about when a drain is allowed
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 094/144] ALSA: compress: Dont allow paritial drain operations on capture streams Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 096/144] perf script: Fix off by one in brstackinsn IPC computation Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charles Keepax, Vinod Koul,
	Takashi Iwai, Sasha Levin

[ Upstream commit 3b8179944cb0dd53e5223996966746cdc8a60657 ]

Draining makes little sense in the situation of hardware overrun, as the
hardware will have consumed all its available samples. Additionally,
draining whilst the stream is paused would presumably get stuck as no
data is being consumed on the DSP side.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/compress_offload.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 6cf5b8440cf30..41905afada63f 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -811,7 +811,10 @@ static int snd_compr_drain(struct snd_compr_stream *stream)
 	case SNDRV_PCM_STATE_OPEN:
 	case SNDRV_PCM_STATE_SETUP:
 	case SNDRV_PCM_STATE_PREPARED:
+	case SNDRV_PCM_STATE_PAUSED:
 		return -EPERM;
+	case SNDRV_PCM_STATE_XRUN:
+		return -EPIPE;
 	default:
 		break;
 	}
@@ -860,7 +863,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream)
 	case SNDRV_PCM_STATE_OPEN:
 	case SNDRV_PCM_STATE_SETUP:
 	case SNDRV_PCM_STATE_PREPARED:
+	case SNDRV_PCM_STATE_PAUSED:
 		return -EPERM;
+	case SNDRV_PCM_STATE_XRUN:
+		return -EPIPE;
 	default:
 		break;
 	}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 096/144] perf script: Fix off by one in brstackinsn IPC computation
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 095/144] ALSA: compress: Be more restrictive about when a drain is allowed Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 097/144] perf tools: Fix proper buffer size for feature processing Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Denis Bakhvalov, Andi Kleen,
	Jiri Olsa, Arnaldo Carvalho de Melo, Sasha Levin

[ Upstream commit dde4e732a5b02fa5599c2c0e6c48a0c11789afc4 ]

When we hit the end of a program block, need to count the last
instruction too for the IPC computation. This caused large errors for
small blocks.

  % perf script -b ls / > /dev/null

Before:

  % perf script -F +brstackinsn --xed
  ...
        00007f94c9ac70d8                        jz 0x7f94c9ac70e3                       # PRED 3 cycles [36] 4.33 IPC
        00007f94c9ac70e3                        testb  $0x20, 0x31d(%rbx)
        00007f94c9ac70ea                        jnz 0x7f94c9ac70b0
        00007f94c9ac70ec                        testb  $0x8, 0x205ad(%rip)
        00007f94c9ac70f3                        jz 0x7f94c9ac6ff0               # PRED 1 cycles [37] 3.00 IPC

After:

  % perf script -F +brstackinsn --xed
  ...
        00007f94c9ac70d8                        jz 0x7f94c9ac70e3                       # PRED 3 cycles [15] 4.67 IPC
        00007f94c9ac70e3                        testb  $0x20, 0x31d(%rbx)
        00007f94c9ac70ea                        jnz 0x7f94c9ac70b0
        00007f94c9ac70ec                        testb  $0x8, 0x205ad(%rip)
        00007f94c9ac70f3                        jz 0x7f94c9ac6ff0               # PRED 1 cycles [16] 4.00 IPC

Suggested-by: Denis Bakhvalov <denis.bakhvalov@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Link: http://lkml.kernel.org/r/20190711181922.18765-2-andi@firstfloor.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/builtin-script.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
index d089eb706d188..4380474c8c35a 100644
--- a/tools/perf/builtin-script.c
+++ b/tools/perf/builtin-script.c
@@ -1057,7 +1057,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
 
 			printed += ip__fprintf_sym(ip, thread, x.cpumode, x.cpu, &lastsym, attr, fp);
 			if (ip == end) {
-				printed += ip__fprintf_jump(ip, &br->entries[i], &x, buffer + off, len - off, insn, fp,
+				printed += ip__fprintf_jump(ip, &br->entries[i], &x, buffer + off, len - off, ++insn, fp,
 							    &total_cycles);
 				if (PRINT_FIELD(SRCCODE))
 					printed += print_srccode(thread, x.cpumode, ip);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 097/144] perf tools: Fix proper buffer size for feature processing
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 096/144] perf script: Fix off by one in brstackinsn IPC computation Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 098/144] perf stat: Fix segfault for event group in repeat mode Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnaldo Carvalho de Melo, Jiri Olsa,
	Alexander Shishkin, David Carrillo-Cisneros, Kan Liang,
	Namhyung Kim, Peter Zijlstra, Song Liu, Sasha Levin

[ Upstream commit 79b2fe5e756163897175a8f57d66b26cd9befd59 ]

After Song Liu's segfault fix for pipe mode, Arnaldo reported following
error:

  # perf record -o - | perf script
  0x514 [0x1ac]: failed to process type: 80

It's caused by wrong buffer size setup in feature processing, which
makes cpu topology feature fail, because it's using buffer size to
recognize its header version.

Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: David Carrillo-Cisneros <davidcc@google.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <songliubraving@fb.com>
Fixes: e9def1b2e74e ("perf tools: Add feature header record to pipe-mode")
Link: http://lkml.kernel.org/r/20190715140426.32509-1-jolsa@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/header.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index b82d4577d9694..e84b70be3fc11 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -3666,7 +3666,7 @@ int perf_event__process_feature(struct perf_session *session,
 		return 0;
 
 	ff.buf  = (void *)fe->data;
-	ff.size = event->header.size - sizeof(event->header);
+	ff.size = event->header.size - sizeof(*fe);
 	ff.ph = &session->header;
 
 	if (feat_ops[feat].process(&ff, NULL))
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 098/144] perf stat: Fix segfault for event group in repeat mode
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 097/144] perf tools: Fix proper buffer size for feature processing Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 099/144] perf session: Fix loading of compressed data split across adjacent records Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Numfor Mbiziwo-Tiapo, Jiri Olsa,
	Alexander Shishkin, Ian Rogers, Mark Drayton, Namhyung Kim,
	Peter Zijlstra, Song Liu, Stephane Eranian,
	Arnaldo Carvalho de Melo, Sasha Levin

[ Upstream commit 08ef3af1579d0446db1c1bd08e2c42565addf10f ]

Numfor Mbiziwo-Tiapo reported segfault on stat of event group in repeat
mode:

  # perf stat -e '{cycles,instructions}' -r 10 ls

It's caused by memory corruption due to not cleaned evsel's id array and
index, which needs to be rebuilt in every stat iteration. Currently the
ids index grows, while the array (which is also not freed) has the same
size.

Fixing this by releasing id array and zeroing ids index in
perf_evsel__close function.

We also need to keep the evsel_list alive for stat record (which is
disabled in repeat mode).

Reported-by: Numfor Mbiziwo-Tiapo <nums@google.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Mark Drayton <mbd@fb.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <songliubraving@fb.com>
Cc: Stephane Eranian <eranian@google.com>
Link: http://lkml.kernel.org/r/20190715142121.GC6032@krava
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/builtin-stat.c | 9 ++++++++-
 tools/perf/util/evsel.c   | 2 ++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
index e28002d905738..c6c550dbb9479 100644
--- a/tools/perf/builtin-stat.c
+++ b/tools/perf/builtin-stat.c
@@ -607,7 +607,13 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
 	 * group leaders.
 	 */
 	read_counters(&(struct timespec) { .tv_nsec = t1-t0 });
-	perf_evlist__close(evsel_list);
+
+	/*
+	 * We need to keep evsel_list alive, because it's processed
+	 * later the evsel_list will be closed after.
+	 */
+	if (!STAT_RECORD)
+		perf_evlist__close(evsel_list);
 
 	return WEXITSTATUS(status);
 }
@@ -1922,6 +1928,7 @@ int cmd_stat(int argc, const char **argv)
 			perf_session__write_header(perf_stat.session, evsel_list, fd, true);
 		}
 
+		perf_evlist__close(evsel_list);
 		perf_session__delete(perf_stat.session);
 	}
 
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 2c46f9aa416c6..b854541604df5 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -1282,6 +1282,7 @@ static void perf_evsel__free_id(struct perf_evsel *evsel)
 	xyarray__delete(evsel->sample_id);
 	evsel->sample_id = NULL;
 	zfree(&evsel->id);
+	evsel->ids = 0;
 }
 
 static void perf_evsel__free_config_terms(struct perf_evsel *evsel)
@@ -2074,6 +2075,7 @@ void perf_evsel__close(struct perf_evsel *evsel)
 
 	perf_evsel__close_fd(evsel);
 	perf_evsel__free_fd(evsel);
+	perf_evsel__free_id(evsel);
 }
 
 int perf_evsel__open_per_cpu(struct perf_evsel *evsel,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 099/144] perf session: Fix loading of compressed data split across adjacent records
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 098/144] perf stat: Fix segfault for event group in repeat mode Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 100/144] perf probe: Avoid calling freeing routine multiple times for same pointer Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Budankov, Jiri Olsa,
	Alexander Shishkin, Andi Kleen, Namhyung Kim, Peter Zijlstra,
	Arnaldo Carvalho de Melo, Sasha Levin

[ Upstream commit 872c8ee8f0f47222f7b10da96eea84d0486540a3 ]

Fix decompression failure found during the loading of compressed trace
collected on larger scale systems (>48 cores).

The error happened due to lack of decompression space for a mmaped
buffer data chunk split across adjacent PERF_RECORD_COMPRESSED records.

  $ perf report -i bt.16384.data --stats
  failed to decompress (B): 63869 -> 0 : Destination buffer is too small
  user stack dump failure
  Can't parse sample, err = -14
  0x2637e436 [0x4080]: failed to process type: 9
  Error:
  failed to process sample

  $ perf test 71
  71: Zstd perf.data compression/decompression              : Ok

Signed-off-by: Alexey Budankov <alexey.budankov@linux.intel.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/4d839e1b-9c48-89c4-9702-a12217420611@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/session.c | 22 ++++++++++++++--------
 tools/perf/util/session.h |  1 +
 tools/perf/util/zstd.c    |  4 ++--
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
index 2e61dd6a3574e..d789840960444 100644
--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -36,10 +36,16 @@ static int perf_session__process_compressed_event(struct perf_session *session,
 	void *src;
 	size_t decomp_size, src_size;
 	u64 decomp_last_rem = 0;
-	size_t decomp_len = session->header.env.comp_mmap_len;
+	size_t mmap_len, decomp_len = session->header.env.comp_mmap_len;
 	struct decomp *decomp, *decomp_last = session->decomp_last;
 
-	decomp = mmap(NULL, sizeof(struct decomp) + decomp_len, PROT_READ|PROT_WRITE,
+	if (decomp_last) {
+		decomp_last_rem = decomp_last->size - decomp_last->head;
+		decomp_len += decomp_last_rem;
+	}
+
+	mmap_len = sizeof(struct decomp) + decomp_len;
+	decomp = mmap(NULL, mmap_len, PROT_READ|PROT_WRITE,
 		      MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
 	if (decomp == MAP_FAILED) {
 		pr_err("Couldn't allocate memory for decompression\n");
@@ -47,10 +53,10 @@ static int perf_session__process_compressed_event(struct perf_session *session,
 	}
 
 	decomp->file_pos = file_offset;
+	decomp->mmap_len = mmap_len;
 	decomp->head = 0;
 
-	if (decomp_last) {
-		decomp_last_rem = decomp_last->size - decomp_last->head;
+	if (decomp_last_rem) {
 		memcpy(decomp->data, &(decomp_last->data[decomp_last->head]), decomp_last_rem);
 		decomp->size = decomp_last_rem;
 	}
@@ -61,7 +67,7 @@ static int perf_session__process_compressed_event(struct perf_session *session,
 	decomp_size = zstd_decompress_stream(&(session->zstd_data), src, src_size,
 				&(decomp->data[decomp_last_rem]), decomp_len - decomp_last_rem);
 	if (!decomp_size) {
-		munmap(decomp, sizeof(struct decomp) + decomp_len);
+		munmap(decomp, mmap_len);
 		pr_err("Couldn't decompress data\n");
 		return -1;
 	}
@@ -255,15 +261,15 @@ static void perf_session__delete_threads(struct perf_session *session)
 static void perf_session__release_decomp_events(struct perf_session *session)
 {
 	struct decomp *next, *decomp;
-	size_t decomp_len;
+	size_t mmap_len;
 	next = session->decomp;
-	decomp_len = session->header.env.comp_mmap_len;
 	do {
 		decomp = next;
 		if (decomp == NULL)
 			break;
 		next = decomp->next;
-		munmap(decomp, decomp_len + sizeof(struct decomp));
+		mmap_len = decomp->mmap_len;
+		munmap(decomp, mmap_len);
 	} while (1);
 }
 
diff --git a/tools/perf/util/session.h b/tools/perf/util/session.h
index dd8920b745bce..863dbad878496 100644
--- a/tools/perf/util/session.h
+++ b/tools/perf/util/session.h
@@ -46,6 +46,7 @@ struct perf_session {
 struct decomp {
 	struct decomp *next;
 	u64 file_pos;
+	size_t mmap_len;
 	u64 head;
 	size_t size;
 	char data[];
diff --git a/tools/perf/util/zstd.c b/tools/perf/util/zstd.c
index 23bdb98845760..d2202392ffdbb 100644
--- a/tools/perf/util/zstd.c
+++ b/tools/perf/util/zstd.c
@@ -99,8 +99,8 @@ size_t zstd_decompress_stream(struct zstd_data *data, void *src, size_t src_size
 	while (input.pos < input.size) {
 		ret = ZSTD_decompressStream(data->dstream, &output, &input);
 		if (ZSTD_isError(ret)) {
-			pr_err("failed to decompress (B): %ld -> %ld : %s\n",
-			       src_size, output.size, ZSTD_getErrorName(ret));
+			pr_err("failed to decompress (B): %ld -> %ld, dst_size %ld : %s\n",
+			       src_size, output.size, dst_size, ZSTD_getErrorName(ret));
 			break;
 		}
 		output.dst  = dst + output.pos;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 100/144] perf probe: Avoid calling freeing routine multiple times for same pointer
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 099/144] perf session: Fix loading of compressed data split across adjacent records Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 101/144] drbd: dynamically allocate shash descriptor Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Masami Hiramatsu, Namhyung Kim, Arnaldo Carvalho de Melo,
	Sasha Levin

[ Upstream commit d95daf5accf4a72005daa13fbb1d1bd8709f2861 ]

When perf_add_probe_events() we call cleanup_perf_probe_events() for the
pev pointer it receives, then, as part of handling this failure the main
'perf probe' goes on and calls cleanup_params() and that will again call
cleanup_perf_probe_events()for the same pointer, so just set nevents to
zero when handling the failure of perf_add_probe_events() to avoid the
double free.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lkml.kernel.org/n/tip-x8qgma4g813z96dvtw9w219q@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/builtin-probe.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c
index 8bb124e55c6d2..2c376f5b21200 100644
--- a/tools/perf/builtin-probe.c
+++ b/tools/perf/builtin-probe.c
@@ -698,6 +698,16 @@ __cmd_probe(int argc, const char **argv)
 
 		ret = perf_add_probe_events(params.events, params.nevents);
 		if (ret < 0) {
+
+			/*
+			 * When perf_add_probe_events() fails it calls
+			 * cleanup_perf_probe_events(pevs, npevs), i.e.
+			 * cleanup_perf_probe_events(params.events, params.nevents), which
+			 * will call clear_perf_probe_event(), so set nevents to zero
+			 * to avoid cleanup_params() to call clear_perf_probe_event() again
+			 * on the same pevs.
+			 */
+			params.nevents = 0;
 			pr_err_with_code("  Error: Failed to add events.", ret);
 			return ret;
 		}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 101/144] drbd: dynamically allocate shash descriptor
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 100/144] perf probe: Avoid calling freeing routine multiple times for same pointer Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 102/144] ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Roland Kammerer,
	Arnd Bergmann, Jens Axboe, Sasha Levin

[ Upstream commit 77ce56e2bfaa64127ae5e23ef136c0168b818777 ]

Building with clang and KASAN, we get a warning about an overly large
stack frame on 32-bit architectures:

drivers/block/drbd/drbd_receiver.c:921:31: error: stack frame size of 1280 bytes in function 'conn_connect'
      [-Werror,-Wframe-larger-than=]

We already allocate other data dynamically in this function, so
just do the same for the shash descriptor, which makes up most of
this memory.

Link: https://lore.kernel.org/lkml/20190617132440.2721536-1-arnd@arndb.de/
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Roland Kammerer <roland.kammerer@linbit.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/drbd/drbd_receiver.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 90ebfcae0ce6e..2b3103c308573 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -5417,7 +5417,7 @@ static int drbd_do_auth(struct drbd_connection *connection)
 	unsigned int key_len;
 	char secret[SHARED_SECRET_MAX]; /* 64 byte */
 	unsigned int resp_size;
-	SHASH_DESC_ON_STACK(desc, connection->cram_hmac_tfm);
+	struct shash_desc *desc;
 	struct packet_info pi;
 	struct net_conf *nc;
 	int err, rv;
@@ -5430,6 +5430,13 @@ static int drbd_do_auth(struct drbd_connection *connection)
 	memcpy(secret, nc->shared_secret, key_len);
 	rcu_read_unlock();
 
+	desc = kmalloc(sizeof(struct shash_desc) +
+		       crypto_shash_descsize(connection->cram_hmac_tfm),
+		       GFP_KERNEL);
+	if (!desc) {
+		rv = -1;
+		goto fail;
+	}
 	desc->tfm = connection->cram_hmac_tfm;
 
 	rv = crypto_shash_setkey(connection->cram_hmac_tfm, (u8 *)secret, key_len);
@@ -5571,7 +5578,10 @@ static int drbd_do_auth(struct drbd_connection *connection)
 	kfree(peers_ch);
 	kfree(response);
 	kfree(right_response);
-	shash_desc_zero(desc);
+	if (desc) {
+		shash_desc_zero(desc);
+		kfree(desc);
+	}
 
 	return rv;
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 102/144] ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 101/144] drbd: dynamically allocate shash descriptor Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:00 ` [PATCH 5.2 103/144] nvme: ignore subnqn for ADATA SX6000LNP Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hanjun Guo, Dan Carpenter,
	Lorenzo Pieralisi, Will Deacon, Sudeep Holla, Catalin Marinas,
	Robin Murphy, Sasha Levin

[ Upstream commit 5a46d3f71d5e5a9f82eabc682f996f1281705ac7 ]

Static analysis identified that index comparison against ITS entries in
iort_dev_find_its_id() is off by one.

Update the comparison condition and clarify the resulting error
message.

Fixes: 4bf2efd26d76 ("ACPI: Add new IORT functions to support MSI domain handling")
Link: https://lore.kernel.org/linux-arm-kernel/20190613065410.GB16334@mwanda/
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Will Deacon <will@kernel.org>
Cc: Hanjun Guo <guohanjun@huawei.com>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/arm64/iort.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
index d4551e33fa716..8569b79e8b581 100644
--- a/drivers/acpi/arm64/iort.c
+++ b/drivers/acpi/arm64/iort.c
@@ -611,8 +611,8 @@ static int iort_dev_find_its_id(struct device *dev, u32 req_id,
 
 	/* Move to ITS specific data */
 	its = (struct acpi_iort_its_group *)node->node_data;
-	if (idx > its->its_count) {
-		dev_err(dev, "requested ITS ID index [%d] is greater than available [%d]\n",
+	if (idx >= its->its_count) {
+		dev_err(dev, "requested ITS ID index [%d] overruns ITS entries [%d]\n",
 			idx, its->its_count);
 		return -ENXIO;
 	}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 103/144] nvme: ignore subnqn for ADATA SX6000LNP
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 102/144] ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() Greg Kroah-Hartman
@ 2019-08-14 17:00 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 104/144] nvme: fix memory leak caused by incorrect subsystem free Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Misha Nasledov, Christoph Hellwig,
	Sasha Levin

[ Upstream commit 08b903b5fd0c49e5f224a9bf085b6329ec3c55c0 ]

The ADATA SX6000LNP NVMe SSDs have the same subnqn and, due to this, a
system with more than one of these SSDs will only have one usable.

[ 0.942706] nvme nvme1: ignoring ctrl due to duplicate subnqn (nqn.2018-05.com.example:nvme:nvm-subsystem-OUI00E04C).
[ 0.943017] nvme nvme1: Removing after probe failure status: -22

02:00.0 Non-Volatile memory controller [0108]: Realtek Semiconductor Co., Ltd. Device [10ec:5762] (rev 01)
71:00.0 Non-Volatile memory controller [0108]: Realtek Semiconductor Co., Ltd. Device [10ec:5762] (rev 01)

There are no firmware updates available from the vendor, unfortunately.
Applying the NVME_QUIRK_IGNORE_DEV_SUBNQN quirk for these SSDs resolves
the issue, and they all work after this patch:

/dev/nvme0n1     2J1120050420         ADATA SX6000LNP [...]
/dev/nvme1n1     2J1120050540         ADATA SX6000LNP [...]

Signed-off-by: Misha Nasledov <misha@nasledov.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 7fbcd72c438f6..f9959eaaa185e 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -2959,6 +2959,8 @@ static const struct pci_device_id nvme_id_table[] = {
 		.driver_data = NVME_QUIRK_LIGHTNVM, },
 	{ PCI_DEVICE(0x1d1d, 0x2601),	/* CNEX Granby */
 		.driver_data = NVME_QUIRK_LIGHTNVM, },
+	{ PCI_DEVICE(0x10ec, 0x5762),   /* ADATA SX6000LNP */
+		.driver_data = NVME_QUIRK_IGNORE_DEV_SUBNQN, },
 	{ PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) },
 	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001) },
 	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2003) },
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 104/144] nvme: fix memory leak caused by incorrect subsystem free
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2019-08-14 17:00 ` [PATCH 5.2 103/144] nvme: ignore subnqn for ADATA SX6000LNP Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 105/144] ARM: davinci: fix sleep.S build error on ARMv4 Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Logan Gunthorpe, Sagi Grimberg,
	Christoph Hellwig, Sasha Levin

[ Upstream commit e654dfd38c1ecf58d8d019f3c053189413484a5b ]

When freeing the subsystem after finding another match with
__nvme_find_get_subsystem(), use put_device() instead of
__nvme_release_subsystem() which calls kfree() directly.

Per the documentation, put_device() should always be used
after device_initialization() is called. Otherwise, leaks
like the one below which was detected by kmemleak may occur.

Once the call of __nvme_release_subsystem() is removed it no
longer makes sense to keep the helper, so fold it back
into nvme_release_subsystem().

unreferenced object 0xffff8883d12bfbc0 (size 16):
  comm "nvme", pid 2635, jiffies 4294933602 (age 739.952s)
  hex dump (first 16 bytes):
    6e 76 6d 65 2d 73 75 62 73 79 73 32 00 88 ff ff  nvme-subsys2....
  backtrace:
    [<000000007d8fc208>] __kmalloc_track_caller+0x16d/0x2a0
    [<0000000081169e5f>] kvasprintf+0xad/0x130
    [<0000000025626f25>] kvasprintf_const+0x47/0x120
    [<00000000fa66ad36>] kobject_set_name_vargs+0x44/0x120
    [<000000004881f8b3>] dev_set_name+0x98/0xc0
    [<000000007124dae3>] nvme_init_identify+0x1995/0x38e0
    [<000000009315020a>] nvme_loop_configure_admin_queue+0x4fa/0x5e0
    [<000000001a63e766>] nvme_loop_create_ctrl+0x489/0xf80
    [<00000000a46ecc23>] nvmf_dev_write+0x1a12/0x2220
    [<000000002259b3d5>] __vfs_write+0x66/0x120
    [<000000002f6df81e>] vfs_write+0x154/0x490
    [<000000007e8cfc19>] ksys_write+0x10a/0x240
    [<00000000ff5c7b85>] __x64_sys_write+0x73/0xb0
    [<00000000fee6d692>] do_syscall_64+0xaa/0x470
    [<00000000997e1ede>] entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ab9e00cc72fa ("nvme: track subsystems")
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/core.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 4a1d2ab4d1612..5deb4deb38209 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2264,17 +2264,15 @@ static void nvme_init_subnqn(struct nvme_subsystem *subsys, struct nvme_ctrl *ct
 	memset(subsys->subnqn + off, 0, sizeof(subsys->subnqn) - off);
 }
 
-static void __nvme_release_subsystem(struct nvme_subsystem *subsys)
+static void nvme_release_subsystem(struct device *dev)
 {
+	struct nvme_subsystem *subsys =
+		container_of(dev, struct nvme_subsystem, dev);
+
 	ida_simple_remove(&nvme_subsystems_ida, subsys->instance);
 	kfree(subsys);
 }
 
-static void nvme_release_subsystem(struct device *dev)
-{
-	__nvme_release_subsystem(container_of(dev, struct nvme_subsystem, dev));
-}
-
 static void nvme_destroy_subsystem(struct kref *ref)
 {
 	struct nvme_subsystem *subsys =
@@ -2429,7 +2427,7 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id)
 	mutex_lock(&nvme_subsystems_lock);
 	found = __nvme_find_get_subsystem(subsys->subnqn);
 	if (found) {
-		__nvme_release_subsystem(subsys);
+		put_device(&subsys->dev);
 		subsys = found;
 
 		if (!nvme_validate_cntlid(subsys, ctrl, id)) {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 105/144] ARM: davinci: fix sleep.S build error on ARMv4
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 104/144] nvme: fix memory leak caused by incorrect subsystem free Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 106/144] ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sekhar Nori, Arnd Bergmann,
	Olof Johansson, Sasha Levin

[ Upstream commit d64b212ea960db4276a1d8372bd98cb861dfcbb0 ]

When building a multiplatform kernel that includes armv4 support,
the default target CPU does not support the blx instruction,
which leads to a build failure:

arch/arm/mach-davinci/sleep.S: Assembler messages:
arch/arm/mach-davinci/sleep.S:56: Error: selected processor does not support `blx ip' in ARM mode

Add a .arch statement in the sources to make this file build.

Link: https://lore.kernel.org/r/20190722145211.1154785-1-arnd@arndb.de
Acked-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-davinci/sleep.S | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/mach-davinci/sleep.S b/arch/arm/mach-davinci/sleep.S
index 05d03f09ff54b..71262dcdbca32 100644
--- a/arch/arm/mach-davinci/sleep.S
+++ b/arch/arm/mach-davinci/sleep.S
@@ -24,6 +24,7 @@
 #define DEEPSLEEP_SLEEPENABLE_BIT	BIT(31)
 
 	.text
+	.arch	armv5te
 /*
  * Move DaVinci into deep sleep state
  *
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 106/144] ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 105/144] ARM: davinci: fix sleep.S build error on ARMv4 Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 107/144] scsi: megaraid_sas: fix panic on loading firmware crashdump Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Olof Johansson, Sasha Levin

[ Upstream commit 3a9d2569e45cb02769cda26fee4a02126867c934 ]

The mdio-bus-mux has no #address-cells/#size-cells property,
which causes a few dtc warnings:

arch/arm/boot/dts/bcm47094-linksys-panamera.dts:129.4-18: Warning (reg_format): /mdio-bus-mux/mdio@200:reg: property has invalid length (4 bytes) (#address-cells == 2, #size-cells == 1)
arch/arm/boot/dts/bcm47094-linksys-panamera.dtb: Warning (pci_device_bus_num): Failed prerequisite 'reg_format'
arch/arm/boot/dts/bcm47094-linksys-panamera.dtb: Warning (i2c_bus_reg): Failed prerequisite 'reg_format'
arch/arm/boot/dts/bcm47094-linksys-panamera.dtb: Warning (spi_bus_reg): Failed prerequisite 'reg_format'
arch/arm/boot/dts/bcm47094-linksys-panamera.dts:128.22-132.5: Warning (avoid_default_addr_size): /mdio-bus-mux/mdio@200: Relying on default #address-cells value
arch/arm/boot/dts/bcm47094-linksys-panamera.dts:128.22-132.5: Warning (avoid_default_addr_size): /mdio-bus-mux/mdio@200: Relying on default #size-cells value

Add the normal cell numbers.

Link: https://lore.kernel.org/r/20190722145618.1155492-1-arnd@arndb.de
Fixes: 2bebdfcdcd0f ("ARM: dts: BCM5301X: Add support for Linksys EA9500")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/bcm47094-linksys-panamera.dts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/arm/boot/dts/bcm47094-linksys-panamera.dts b/arch/arm/boot/dts/bcm47094-linksys-panamera.dts
index 5fd47eec4407e..1679959a3654d 100644
--- a/arch/arm/boot/dts/bcm47094-linksys-panamera.dts
+++ b/arch/arm/boot/dts/bcm47094-linksys-panamera.dts
@@ -126,6 +126,9 @@
 	};
 
 	mdio-bus-mux {
+		#address-cells = <1>;
+		#size-cells = <0>;
+
 		/* BIT(9) = 1 => external mdio */
 		mdio_ext: mdio@200 {
 			reg = <0x200>;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 107/144] scsi: megaraid_sas: fix panic on loading firmware crashdump
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 106/144] ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 108/144] scsi: ibmvfc: fix WARN_ON during event pool release Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junxiao Bi, Sumit Saxena,
	Martin K. Petersen, Sasha Levin

[ Upstream commit 3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29 ]

While loading fw crashdump in function fw_crash_buffer_show(), left bytes
in one dma chunk was not checked, if copying size over it, overflow access
will cause kernel panic.

Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 7237114a1d534..5f30016e9b64f 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3045,6 +3045,7 @@ megasas_fw_crash_buffer_show(struct device *cdev,
 	u32 size;
 	unsigned long buff_addr;
 	unsigned long dmachunk = CRASH_DMA_BUF_SIZE;
+	unsigned long chunk_left_bytes;
 	unsigned long src_addr;
 	unsigned long flags;
 	u32 buff_offset;
@@ -3070,6 +3071,8 @@ megasas_fw_crash_buffer_show(struct device *cdev,
 	}
 
 	size = (instance->fw_crash_buffer_size * dmachunk) - buff_offset;
+	chunk_left_bytes = dmachunk - (buff_offset % dmachunk);
+	size = (size > chunk_left_bytes) ? chunk_left_bytes : size;
 	size = (size >= PAGE_SIZE) ? (PAGE_SIZE - 1) : size;
 
 	src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] +
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 108/144] scsi: ibmvfc: fix WARN_ON during event pool release
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 107/144] scsi: megaraid_sas: fix panic on loading firmware crashdump Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 109/144] scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abdul Haleem, Tyrel Datwyler,
	Martin K. Petersen, Sasha Levin

[ Upstream commit 5578257ca0e21056821e6481bd534ba267b84e58 ]

While removing an ibmvfc client adapter a WARN_ON like the following
WARN_ON is seen in the kernel log:

WARNING: CPU: 6 PID: 5421 at ./include/linux/dma-mapping.h:541
ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc]
CPU: 6 PID: 5421 Comm: rmmod Tainted: G            E     4.17.0-rc1-next-20180419-autotest #1
NIP:  d00000000290328c LR: d00000000290325c CTR: c00000000036ee20
REGS: c000000288d1b7e0 TRAP: 0700   Tainted: G            E      (4.17.0-rc1-next-20180419-autotest)
MSR:  800000010282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE,TM[E]>  CR: 44008828  XER: 20000000
CFAR: c00000000036e408 SOFTE: 1
GPR00: d00000000290325c c000000288d1ba60 d000000002917900 c000000289d75448
GPR04: 0000000000000071 c0000000ff870000 0000000018040000 0000000000000001
GPR08: 0000000000000000 c00000000156e838 0000000000000001 d00000000290c640
GPR12: c00000000036ee20 c00000001ec4dc00 0000000000000000 0000000000000000
GPR16: 0000000000000000 0000000000000000 00000100276901e0 0000000010020598
GPR20: 0000000010020550 0000000010020538 0000000010020578 00000000100205b0
GPR24: 0000000000000000 0000000000000000 0000000010020590 5deadbeef0000100
GPR28: 5deadbeef0000200 d000000002910b00 0000000000000071 c0000002822f87d8
NIP [d00000000290328c] ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc]
LR [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc]
Call Trace:
[c000000288d1ba60] [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] (unreliable)
[c000000288d1baf0] [d000000002909390] ibmvfc_abort_task_set+0x7b0/0x8b0 [ibmvfc]
[c000000288d1bb70] [c0000000000d8c68] vio_bus_remove+0x68/0x100
[c000000288d1bbb0] [c0000000007da7c4] device_release_driver_internal+0x1f4/0x2d0
[c000000288d1bc00] [c0000000007da95c] driver_detach+0x7c/0x100
[c000000288d1bc40] [c0000000007d8af4] bus_remove_driver+0x84/0x140
[c000000288d1bcb0] [c0000000007db6ac] driver_unregister+0x4c/0xa0
[c000000288d1bd20] [c0000000000d6e7c] vio_unregister_driver+0x2c/0x50
[c000000288d1bd50] [d00000000290ba0c] cleanup_module+0x24/0x15e0 [ibmvfc]
[c000000288d1bd70] [c0000000001dadb0] sys_delete_module+0x220/0x2d0
[c000000288d1be30] [c00000000000b284] system_call+0x58/0x6c
Instruction dump:
e8410018 e87f0068 809f0078 e8bf0080 e8df0088 2fa30000 419e008c e9230200
2fa90000 419e0080 894d098a 794a07e0 <0b0a0000> e9290008 2fa90000 419e0028

This is tripped as a result of irqs being disabled during the call to
dma_free_coherent() by ibmvfc_free_event_pool(). At this point in the code path
we have quiesced the adapter and its overly paranoid anyways to be holding the
host lock.

Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ibmvscsi/ibmvfc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
index acd16e0d52cfe..8cdbac076a1b6 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -4864,8 +4864,8 @@ static int ibmvfc_remove(struct vio_dev *vdev)
 
 	spin_lock_irqsave(vhost->host->host_lock, flags);
 	ibmvfc_purge_requests(vhost, DID_ERROR);
-	ibmvfc_free_event_pool(vhost);
 	spin_unlock_irqrestore(vhost->host->host_lock, flags);
+	ibmvfc_free_event_pool(vhost);
 
 	ibmvfc_free_mem(vhost);
 	spin_lock(&ibmvfc_driver_lock);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 109/144] scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 108/144] scsi: ibmvfc: fix WARN_ON during event pool release Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 110/144] test_firmware: fix a memory leak bug Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hannes Reinecke, Zhangguanghui,
	Martin K. Petersen, Sasha Levin

[ Upstream commit 20122994e38aef0ae50555884d287adde6641c94 ]

Retrying immediately after we've received a 'transitioning' sense code is
pretty much pointless, we should always use a delay before retrying.  So
ensure the default delay is applied before retrying.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Tested-by: Zhangguanghui <zhang.guanghui@h3c.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/device_handler/scsi_dh_alua.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
index f0066f8a17864..4971104b1817b 100644
--- a/drivers/scsi/device_handler/scsi_dh_alua.c
+++ b/drivers/scsi/device_handler/scsi_dh_alua.c
@@ -40,6 +40,7 @@
 #define ALUA_FAILOVER_TIMEOUT		60
 #define ALUA_FAILOVER_RETRIES		5
 #define ALUA_RTPG_DELAY_MSECS		5
+#define ALUA_RTPG_RETRY_DELAY		2
 
 /* device handler flags */
 #define ALUA_OPTIMIZE_STPG		0x01
@@ -682,7 +683,7 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
 	case SCSI_ACCESS_STATE_TRANSITIONING:
 		if (time_before(jiffies, pg->expiry)) {
 			/* State transition, retry */
-			pg->interval = 2;
+			pg->interval = ALUA_RTPG_RETRY_DELAY;
 			err = SCSI_DH_RETRY;
 		} else {
 			struct alua_dh_data *h;
@@ -807,6 +808,8 @@ static void alua_rtpg_work(struct work_struct *work)
 				spin_lock_irqsave(&pg->lock, flags);
 				pg->flags &= ~ALUA_PG_RUNNING;
 				pg->flags |= ALUA_PG_RUN_RTPG;
+				if (!pg->interval)
+					pg->interval = ALUA_RTPG_RETRY_DELAY;
 				spin_unlock_irqrestore(&pg->lock, flags);
 				queue_delayed_work(kaluad_wq, &pg->rtpg_work,
 						   pg->interval * HZ);
@@ -818,6 +821,8 @@ static void alua_rtpg_work(struct work_struct *work)
 		spin_lock_irqsave(&pg->lock, flags);
 		if (err == SCSI_DH_RETRY || pg->flags & ALUA_PG_RUN_RTPG) {
 			pg->flags &= ~ALUA_PG_RUNNING;
+			if (!pg->interval && !(pg->flags & ALUA_PG_RUN_RTPG))
+				pg->interval = ALUA_RTPG_RETRY_DELAY;
 			pg->flags |= ALUA_PG_RUN_RTPG;
 			spin_unlock_irqrestore(&pg->lock, flags);
 			queue_delayed_work(kaluad_wq, &pg->rtpg_work,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 110/144] test_firmware: fix a memory leak bug
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 109/144] scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 111/144] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Sasha Levin

[ Upstream commit d4fddac5a51c378c5d3e68658816c37132611e1f ]

In test_firmware_init(), the buffer pointed to by the global pointer
'test_fw_config' is allocated through kzalloc(). Then, the buffer is
initialized in __test_firmware_config_init(). In the case that the
initialization fails, the following execution in test_firmware_init() needs
to be terminated with an error code returned to indicate this failure.
However, the allocated buffer is not freed on this execution path, leading
to a memory leak bug.

To fix the above issue, free the allocated buffer before returning from
test_firmware_init().

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Link: https://lore.kernel.org/r/1563084696-6865-1-git-send-email-wang6495@umn.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/test_firmware.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/test_firmware.c b/lib/test_firmware.c
index 83ea6c4e623cf..6ca97a63b3d6b 100644
--- a/lib/test_firmware.c
+++ b/lib/test_firmware.c
@@ -886,8 +886,11 @@ static int __init test_firmware_init(void)
 		return -ENOMEM;
 
 	rc = __test_firmware_config_init();
-	if (rc)
+	if (rc) {
+		kfree(test_fw_config);
+		pr_err("could not init firmware test config: %d\n", rc);
 		return rc;
+	}
 
 	rc = misc_register(&test_fw_misc_device);
 	if (rc) {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 111/144] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 110/144] test_firmware: fix a memory leak bug Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 112/144] perf/x86/intel: Fix SLOTS PEBS event constraint Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Will Deacon, Peter Zijlstra (Intel),
	Linus Torvalds, Peter Hurley, Thomas Gleixner, Ingo Molnar,
	Sasha Levin

[ Upstream commit 952041a8639a7a3a73a2b6573cb8aa8518bc39f8 ]

While reviewing rwsem down_slowpath, Will noticed ldsem had a copy of
a bug we just found for rwsem.

  X = 0;

  CPU0			CPU1

  rwsem_down_read()
    for (;;) {
      set_current_state(TASK_UNINTERRUPTIBLE);

                        X = 1;
                        rwsem_up_write();
                          rwsem_mark_wake()
                            atomic_long_add(adjustment, &sem->count);
                            smp_store_release(&waiter->task, NULL);

      if (!waiter.task)
        break;

      ...
    }

  r = X;

Allows 'r == 0'.

Reported-by: Will Deacon <will@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Will Deacon <will@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Hurley <peter@hurleysoftware.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 4898e640caf0 ("tty: Add timed, writer-prioritized rw semaphore")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/tty_ldsem.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c
index 717292c1c0dfc..60ff236a3d63d 100644
--- a/drivers/tty/tty_ldsem.c
+++ b/drivers/tty/tty_ldsem.c
@@ -93,8 +93,7 @@ static void __ldsem_wake_readers(struct ld_semaphore *sem)
 
 	list_for_each_entry_safe(waiter, next, &sem->read_wait, list) {
 		tsk = waiter->task;
-		smp_mb();
-		waiter->task = NULL;
+		smp_store_release(&waiter->task, NULL);
 		wake_up_process(tsk);
 		put_task_struct(tsk);
 	}
@@ -194,7 +193,7 @@ down_read_failed(struct ld_semaphore *sem, long count, long timeout)
 	for (;;) {
 		set_current_state(TASK_UNINTERRUPTIBLE);
 
-		if (!waiter.task)
+		if (!smp_load_acquire(&waiter.task))
 			break;
 		if (!timeout)
 			break;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 112/144] perf/x86/intel: Fix SLOTS PEBS event constraint
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 111/144] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 113/144] perf/x86/intel: Fix invalid Bit 13 for Icelake MSR_OFFCORE_RSP_x register Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andi Kleen, Kan Liang,
	Peter Zijlstra (Intel),
	Linus Torvalds, Thomas Gleixner, Ingo Molnar, Sasha Levin

[ Upstream commit 3d0c3953601d250175c7684ec0d9df612061dae5 ]

Sampling SLOTS event and ref-cycles event in a group on Icelake gives
EINVAL.

SLOTS event is the event stands for the fixed counter 3, not fixed
counter 2. Wrong mask was set to SLOTS event in
intel_icl_pebs_event_constraints[].

Reported-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support")
Link: https://lkml.kernel.org/r/20190723200429.8180-1-kan.liang@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/events/intel/ds.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
index 505c73dc6a730..6601b8759c92f 100644
--- a/arch/x86/events/intel/ds.c
+++ b/arch/x86/events/intel/ds.c
@@ -851,7 +851,7 @@ struct event_constraint intel_skl_pebs_event_constraints[] = {
 
 struct event_constraint intel_icl_pebs_event_constraints[] = {
 	INTEL_FLAGS_UEVENT_CONSTRAINT(0x1c0, 0x100000000ULL),	/* INST_RETIRED.PREC_DIST */
-	INTEL_FLAGS_UEVENT_CONSTRAINT(0x0400, 0x400000000ULL),	/* SLOTS */
+	INTEL_FLAGS_UEVENT_CONSTRAINT(0x0400, 0x800000000ULL),	/* SLOTS */
 
 	INTEL_PLD_CONSTRAINT(0x1cd, 0xff),			/* MEM_TRANS_RETIRED.LOAD_LATENCY */
 	INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x1d0, 0xf),	/* MEM_INST_RETIRED.LOAD */
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 113/144] perf/x86/intel: Fix invalid Bit 13 for Icelake MSR_OFFCORE_RSP_x register
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 112/144] perf/x86/intel: Fix SLOTS PEBS event constraint Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 114/144] perf/x86: Apply more accurate check on hypervisor platform Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunying Sun, Peter Zijlstra (Intel),
	Kan Liang, Linus Torvalds, Thomas Gleixner, acme,
	alexander.shishkin, bp, hpa, jolsa, namhyung, Ingo Molnar,
	Sasha Levin

[ Upstream commit 3b238a64c3009fed36eaea1af629d9377759d87d ]

The Intel SDM states that bit 13 of Icelake's MSR_OFFCORE_RSP_x
register is valid, and used for counting hardware generated prefetches
of L3 cache. Update the bitmask to allow bit 13.

Before:
$ perf stat -e cpu/event=0xb7,umask=0x1,config1=0x1bfff/u sleep 3
 Performance counter stats for 'sleep 3':
   <not supported>      cpu/event=0xb7,umask=0x1,config1=0x1bfff/u

After:
$ perf stat -e cpu/event=0xb7,umask=0x1,config1=0x1bfff/u sleep 3
 Performance counter stats for 'sleep 3':
             9,293      cpu/event=0xb7,umask=0x1,config1=0x1bfff/u

Signed-off-by: Yunying Sun <yunying.sun@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: acme@kernel.org
Cc: alexander.shishkin@linux.intel.com
Cc: bp@alien8.de
Cc: hpa@zytor.com
Cc: jolsa@redhat.com
Cc: namhyung@kernel.org
Link: https://lkml.kernel.org/r/20190724082932.12833-1-yunying.sun@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/events/intel/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
index 2889dd0235668..e9042e3f3052c 100644
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -263,8 +263,8 @@ static struct event_constraint intel_icl_event_constraints[] = {
 };
 
 static struct extra_reg intel_icl_extra_regs[] __read_mostly = {
-	INTEL_UEVENT_EXTRA_REG(0x01b7, MSR_OFFCORE_RSP_0, 0x3fffff9fffull, RSP_0),
-	INTEL_UEVENT_EXTRA_REG(0x01bb, MSR_OFFCORE_RSP_1, 0x3fffff9fffull, RSP_1),
+	INTEL_UEVENT_EXTRA_REG(0x01b7, MSR_OFFCORE_RSP_0, 0x3fffffbfffull, RSP_0),
+	INTEL_UEVENT_EXTRA_REG(0x01bb, MSR_OFFCORE_RSP_1, 0x3fffffbfffull, RSP_1),
 	INTEL_UEVENT_PEBS_LDLAT_EXTRA_REG(0x01cd),
 	INTEL_UEVENT_EXTRA_REG(0x01c6, MSR_PEBS_FRONTEND, 0x7fff17, FE),
 	EVENT_EXTRA_END
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 114/144] perf/x86: Apply more accurate check on hypervisor platform
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 113/144] perf/x86/intel: Fix invalid Bit 13 for Icelake MSR_OFFCORE_RSP_x register Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 115/144] perf/core: Fix creating kernel counters for PMUs that override event->cpu Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhenzhong Duan,
	Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Boris Ostrovsky,
	Borislav Petkov, Jiri Olsa, Juergen Gross, Linus Torvalds,
	Namhyung Kim, Thomas Gleixner, Ingo Molnar, Sasha Levin

[ Upstream commit 5ea3f6fb37b79da33ac9211df336fd2b9f47c39f ]

check_msr is used to fix a bug report in guest where KVM doesn't support
LBR MSR and cause #GP.

The msr check is bypassed on real HW to workaround a false failure,
see commit d0e1a507bdc7 ("perf/x86/intel: Disable check_msr for real HW")

When running a guest with CONFIG_HYPERVISOR_GUEST not set or "nopv"
enabled, current check isn't enough and #GP could trigger.

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/1564022366-18293-1-git-send-email-zhenzhong.duan@oracle.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/events/intel/core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
index e9042e3f3052c..6179be624f357 100644
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -20,7 +20,6 @@
 #include <asm/intel-family.h>
 #include <asm/apic.h>
 #include <asm/cpu_device_id.h>
-#include <asm/hypervisor.h>
 
 #include "../perf_event.h"
 
@@ -4057,7 +4056,7 @@ static bool check_msr(unsigned long msr, u64 mask)
 	 * Disable the check for real HW, so we don't
 	 * mess with potentionaly enabled registers:
 	 */
-	if (hypervisor_is_type(X86_HYPER_NATIVE))
+	if (!boot_cpu_has(X86_FEATURE_HYPERVISOR))
 		return true;
 
 	/*
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 115/144] perf/core: Fix creating kernel counters for PMUs that override event->cpu
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 114/144] perf/x86: Apply more accurate check on hypervisor platform Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 116/144] s390/dma: provide proper ARCH_ZONE_DMA_BITS value Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leonard Crestez,
	Peter Zijlstra (Intel),
	Mark Rutland, Alexander Shishkin, Arnaldo Carvalho de Melo,
	Frank Li, Jiri Olsa, Linus Torvalds, Namhyung Kim,
	Thomas Gleixner, Will Deacon, Ingo Molnar, Sasha Levin

[ Upstream commit 4ce54af8b33d3e21ca935fc1b89b58cbba956051 ]

Some hardware PMU drivers will override perf_event.cpu inside their
event_init callback. This causes a lockdep splat when initialized through
the kernel API:

 WARNING: CPU: 0 PID: 250 at kernel/events/core.c:2917 ctx_sched_out+0x78/0x208
 pc : ctx_sched_out+0x78/0x208
 Call trace:
  ctx_sched_out+0x78/0x208
  __perf_install_in_context+0x160/0x248
  remote_function+0x58/0x68
  generic_exec_single+0x100/0x180
  smp_call_function_single+0x174/0x1b8
  perf_install_in_context+0x178/0x188
  perf_event_create_kernel_counter+0x118/0x160

Fix this by calling perf_install_in_context with event->cpu, just like
perf_event_open

Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Frank Li <Frank.li@nxp.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Link: https://lkml.kernel.org/r/c4ebe0503623066896d7046def4d6b1e06e0eb2e.1563972056.git.leonard.crestez@nxp.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/events/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index f851934d55d48..4bc15cff1026a 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11266,7 +11266,7 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu,
 		goto err_unlock;
 	}
 
-	perf_install_in_context(ctx, event, cpu);
+	perf_install_in_context(ctx, event, event->cpu);
 	perf_unpin_context(ctx);
 	mutex_unlock(&ctx->mutex);
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 116/144] s390/dma: provide proper ARCH_ZONE_DMA_BITS value
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 115/144] perf/core: Fix creating kernel counters for PMUs that override event->cpu Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 117/144] gen_compile_commands: lower the entry count threshold Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Halil Pasic, Petr Tesarik,
	Heiko Carstens, Sasha Levin

[ Upstream commit 1a2dcff881059dedc14fafc8a442664c8dbd60f1 ]

On s390 ZONE_DMA is up to 2G, i.e. ARCH_ZONE_DMA_BITS should be 31 bits.
The current value is 24 and makes __dma_direct_alloc_pages() take a
wrong turn first (but __dma_direct_alloc_pages() recovers then).

Let's correct ARCH_ZONE_DMA_BITS value and avoid wrong turns.

Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Reported-by: Petr Tesarik <ptesarik@suse.cz>
Fixes: c61e9637340e ("dma-direct: add support for allocation from ZONE_DMA and ZONE_DMA32")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/include/asm/page.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/s390/include/asm/page.h b/arch/s390/include/asm/page.h
index a4d38092530ab..823578c6b9e2c 100644
--- a/arch/s390/include/asm/page.h
+++ b/arch/s390/include/asm/page.h
@@ -177,6 +177,8 @@ static inline int devmem_is_allowed(unsigned long pfn)
 #define VM_DATA_DEFAULT_FLAGS	(VM_READ | VM_WRITE | \
 				 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
 
+#define ARCH_ZONE_DMA_BITS	31
+
 #include <asm-generic/memory_model.h>
 #include <asm-generic/getorder.h>
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 117/144] gen_compile_commands: lower the entry count threshold
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 116/144] s390/dma: provide proper ARCH_ZONE_DMA_BITS value Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 118/144] HID: sony: Fix race condition between rumble and device remove Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Sasha Levin

[ Upstream commit cb36955a5569f1ff17a42ae93264ef391c013a97 ]

Running gen_compile_commands.py after building the kernel with
allnoconfig gave this:

$ ./scripts/gen_compile_commands.py
WARNING: Found 449 entries. Have you compiled the kernel?

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/gen_compile_commands.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/gen_compile_commands.py b/scripts/gen_compile_commands.py
index 7915823b92a5e..c458696ef3a79 100755
--- a/scripts/gen_compile_commands.py
+++ b/scripts/gen_compile_commands.py
@@ -21,9 +21,9 @@ _LINE_PATTERN = r'^cmd_[^ ]*\.o := (.* )([^ ]*\.c)$'
 _VALID_LOG_LEVELS = ['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL']
 
 # A kernel build generally has over 2000 entries in its compile_commands.json
-# database. If this code finds 500 or fewer, then warn the user that they might
+# database. If this code finds 300 or fewer, then warn the user that they might
 # not have all the .cmd files, and they might need to compile the kernel.
-_LOW_COUNT_THRESHOLD = 500
+_LOW_COUNT_THRESHOLD = 300
 
 
 def parse_arguments():
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 118/144] HID: sony: Fix race condition between rumble and device remove.
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 117/144] gen_compile_commands: lower the entry count threshold Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 119/144] ALSA: usb-audio: fix a memory leak bug Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roderick Colenbrander, Jiri Kosina

From: Roderick Colenbrander <roderick@gaikai.com>

commit e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 upstream.

Valve reported a kernel crash on Ubuntu 18.04 when disconnecting a DS4
gamepad while rumble is enabled. This issue is reproducible with a
frequency of 1 in 3 times in the game Borderlands 2 when using an
automatic weapon, which triggers many rumble operations.

We found the issue to be a race condition between sony_remove and the
final device destruction by the HID / input system. The problem was
that sony_remove didn't clean some of its work_item state in
"struct sony_sc". After sony_remove work, the corresponding evdev
node was around for sufficient time for applications to still queue
rumble work after "sony_remove".

On pre-4.19 kernels the race condition caused a kernel crash due to a
NULL-pointer dereference as "sc->output_report_dmabuf" got freed during
sony_remove. On newer kernels this crash doesn't happen due the buffer
now being allocated using devm_kzalloc. However we can still queue work,
while the driver is an undefined state.

This patch fixes the described problem, by guarding the work_item
"state_worker" with an initialized variable, which we are setting back
to 0 on cleanup.

Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
CC: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-sony.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/hid/hid-sony.c
+++ b/drivers/hid/hid-sony.c
@@ -585,10 +585,14 @@ static void sony_set_leds(struct sony_sc
 static inline void sony_schedule_work(struct sony_sc *sc,
 				      enum sony_worker which)
 {
+	unsigned long flags;
+
 	switch (which) {
 	case SONY_WORKER_STATE:
-		if (!sc->defer_initialization)
+		spin_lock_irqsave(&sc->lock, flags);
+		if (!sc->defer_initialization && sc->state_worker_initialized)
 			schedule_work(&sc->state_worker);
+		spin_unlock_irqrestore(&sc->lock, flags);
 		break;
 	case SONY_WORKER_HOTPLUG:
 		if (sc->hotplug_worker_initialized)
@@ -2558,13 +2562,18 @@ static inline void sony_init_output_repo
 
 static inline void sony_cancel_work_sync(struct sony_sc *sc)
 {
+	unsigned long flags;
+
 	if (sc->hotplug_worker_initialized)
 		cancel_work_sync(&sc->hotplug_worker);
-	if (sc->state_worker_initialized)
+	if (sc->state_worker_initialized) {
+		spin_lock_irqsave(&sc->lock, flags);
+		sc->state_worker_initialized = 0;
+		spin_unlock_irqrestore(&sc->lock, flags);
 		cancel_work_sync(&sc->state_worker);
+	}
 }
 
-
 static int sony_input_configured(struct hid_device *hdev,
 					struct hid_input *hidinput)
 {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 119/144] ALSA: usb-audio: fix a memory leak bug
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 118/144] HID: sony: Fix race condition between rumble and device remove Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 120/144] KVM/nSVM: properly map nested VMCB Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Takashi Iwai

From: Wenwen Wang <wenwen@cs.uga.edu>

commit a67060201b746a308b1674f66bf289c9faef6d09 upstream.

In snd_usb_get_audioformat_uac3(), a structure for channel maps 'chmap' is
allocated through kzalloc() before the execution goto 'found_clock'.
However, this structure is not deallocated if the memory allocation for
'pd' fails, leading to a memory leak bug.

To fix the above issue, free 'fp->chmap' before returning NULL.

Fixes: 7edf3b5e6a45 ("ALSA: usb-audio: AudioStreaming Power Domain parsing")
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/stream.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -1043,6 +1043,7 @@ found_clock:
 
 		pd = kzalloc(sizeof(*pd), GFP_KERNEL);
 		if (!pd) {
+			kfree(fp->chmap);
 			kfree(fp->rate_table);
 			kfree(fp);
 			return NULL;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 120/144] KVM/nSVM: properly map nested VMCB
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 119/144] ALSA: usb-audio: fix a memory leak bug Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 121/144] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vitaly Kuznetsov,
	Sean Christopherson, Paolo Bonzini

From: Vitaly Kuznetsov <vkuznets@redhat.com>

commit 8f38302c0be2d2daf3b40f7d2142ec77e35d209e upstream.

Commit 8c5fbf1a7231 ("KVM/nSVM: Use the new mapping API for mapping guest
memory") broke nested SVM completely: kvm_vcpu_map()'s second parameter is
GFN so vmcb_gpa needs to be converted with gpa_to_gfn(), not the other way
around.

Fixes: 8c5fbf1a7231 ("KVM/nSVM: Use the new mapping API for mapping guest memory")
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/svm.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -3290,7 +3290,7 @@ static int nested_svm_vmexit(struct vcpu
 				       vmcb->control.exit_int_info_err,
 				       KVM_ISA_SVM);
 
-	rc = kvm_vcpu_map(&svm->vcpu, gfn_to_gpa(svm->nested.vmcb), &map);
+	rc = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(svm->nested.vmcb), &map);
 	if (rc) {
 		if (rc == -EINVAL)
 			kvm_inject_gp(&svm->vcpu, 0);
@@ -3580,7 +3580,7 @@ static bool nested_svm_vmrun(struct vcpu
 
 	vmcb_gpa = svm->vmcb->save.rax;
 
-	rc = kvm_vcpu_map(&svm->vcpu, gfn_to_gpa(vmcb_gpa), &map);
+	rc = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(vmcb_gpa), &map);
 	if (rc) {
 		if (rc == -EINVAL)
 			kvm_inject_gp(&svm->vcpu, 0);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 121/144] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 120/144] KVM/nSVM: properly map nested VMCB Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 122/144] can: peak_usb: pcan_usb_fd: " Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Bortoli,
	syzbot+d6a5a1a3657b596ef132, Marc Kleine-Budde

From: Tomas Bortoli <tomasbortoli@gmail.com>

commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream.

Uninitialized Kernel memory can leak to USB devices.

Fix by using kzalloc() instead of kmalloc() on the affected buffers.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com
Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack")
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/peak_usb/pcan_usb_pro.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
@@ -494,7 +494,7 @@ static int pcan_usb_pro_drv_loaded(struc
 	u8 *buffer;
 	int err;
 
-	buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
+	buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 122/144] can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 121/144] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices Greg Kroah-Hartman
@ 2019-08-14 17:01 ` " Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 123/144] hwmon: (nct7802) Fix wrong detection of in4 presence Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Bortoli,
	syzbot+513e4d0985298538bf9b, Marc Kleine-Budde

From: Tomas Bortoli <tomasbortoli@gmail.com>

commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream.

Uninitialized Kernel memory can leak to USB devices.

Fix by using kzalloc() instead of kmalloc() on the affected buffers.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com
Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/peak_usb/pcan_usb_fd.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
@@ -841,7 +841,7 @@ static int pcan_usb_fd_init(struct peak_
 			goto err_out;
 
 		/* allocate command buffer once for all for the interface */
-		pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE,
+		pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE,
 						GFP_KERNEL);
 		if (!pdev->cmd_buffer_addr)
 			goto err_out_1;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 123/144] hwmon: (nct7802) Fix wrong detection of in4 presence
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 122/144] can: peak_usb: pcan_usb_fd: " Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 124/144] hwmon: (lm75) Fixup tmp75b clr_mask Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gilles Buloz, Guenter Roeck

From: Guenter Roeck <linux@roeck-us.net>

commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream.

The code to detect if in4 is present is wrong; if in4 is not present,
the in4_input sysfs attribute is still present.

In detail:

- Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug).
- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input
  file under /sys and the "sensors" command displays in4_input.
  But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep.

Fix is_visible function to detect and report in4_input visibility
as expected.

Reported-by: Gilles Buloz <Gilles.Buloz@kontron.com>
Cc: Gilles Buloz <Gilles.Buloz@kontron.com>
Cc: stable@vger.kernel.org
Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/nct7802.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/hwmon/nct7802.c
+++ b/drivers/hwmon/nct7802.c
@@ -704,7 +704,7 @@ static struct attribute *nct7802_in_attr
 	&sensor_dev_attr_in3_alarm.dev_attr.attr,
 	&sensor_dev_attr_in3_beep.dev_attr.attr,
 
-	&sensor_dev_attr_in4_input.dev_attr.attr,	/* 17 */
+	&sensor_dev_attr_in4_input.dev_attr.attr,	/* 16 */
 	&sensor_dev_attr_in4_min.dev_attr.attr,
 	&sensor_dev_attr_in4_max.dev_attr.attr,
 	&sensor_dev_attr_in4_alarm.dev_attr.attr,
@@ -730,9 +730,9 @@ static umode_t nct7802_in_is_visible(str
 
 	if (index >= 6 && index < 11 && (reg & 0x03) != 0x03)	/* VSEN1 */
 		return 0;
-	if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c)	/* VSEN2 */
+	if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c)	/* VSEN2 */
 		return 0;
-	if (index >= 17 && (reg & 0x30) != 0x30)		/* VSEN3 */
+	if (index >= 16 && (reg & 0x30) != 0x30)		/* VSEN3 */
 		return 0;
 
 	return attr->mode;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 124/144] hwmon: (lm75) Fixup tmp75b clr_mask
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 123/144] hwmon: (nct7802) Fix wrong detection of in4 presence Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 125/144] drm/i915: Fix wrong escape clock divisor init for GLK Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Iker Perez del Palomar Sustatxa,
	Guenter Roeck

From: Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>

commit a95a4f3f2702b55a89393bf0f1b2b3d79e0f7da2 upstream.

The configuration register of the tmp75b sensor is 16bit long, however
the first byte is reserved, so there is not no need to take care of it.

Because the order of the bytes is little endian and it is only necessary
to write one byte, the desired bits must be shifted into a 8 bit range.

Fixes: 39abe9d88b30 ("hwmon: (lm75) Add support for TMP75B")
Cc: stable@vger.kernel.org
Signed-off-by: Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>
Link: https://lore.kernel.org/r/20190801075324.4638-1-iker.perez@codethink.co.uk
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/lm75.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hwmon/lm75.c
+++ b/drivers/hwmon/lm75.c
@@ -343,7 +343,7 @@ lm75_probe(struct i2c_client *client, co
 		data->sample_time = MSEC_PER_SEC / 2;
 		break;
 	case tmp75b:  /* not one-shot mode, Conversion rate 37Hz */
-		clr_mask |= 1 << 15 | 0x3 << 13;
+		clr_mask |= 1 << 7 | 0x3 << 5;
 		data->resolution = 12;
 		data->sample_time = MSEC_PER_SEC / 37;
 		break;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 125/144] drm/i915: Fix wrong escape clock divisor init for GLK
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 124/144] hwmon: (lm75) Fixup tmp75b clr_mask Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 126/144] ALSA: firewire: fix a memory leak bug Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislav Lisovskiy,
	Vandita Kulkarni, Deepak M, Madhav Chauhan, Jani Nikula,
	Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, intel-gfx

From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>

commit 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee upstream.

According to Bspec clock divisor registers in GeminiLake
should be initialized by shifting 1(<<) to amount of correspondent
divisor. While i915 was writing all this time that value as is.

Surprisingly that it by accident worked, until we met some issues
with Microtech Etab.

v2: Added Fixes tag and cc
v3: Added stable to cc as well.

Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
Reviewed-by: Vandita Kulkarni <vandita.kulkarni@intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108826
Fixes: bcc657004841 ("drm/i915/glk: Program txesc clock divider for GLK")
Cc: Deepak M <m.deepak@intel.com>
Cc: Madhav Chauhan <madhav.chauhan@intel.com>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: intel-gfx@lists.freedesktop.org
Cc: stable@vger.kernel.org
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190712081938.14185-1-stanislav.lisovskiy@intel.com
(cherry picked from commit ce52ad5dd52cfaf3398058384e0ff94134bbd89c)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/vlv_dsi_pll.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i915/vlv_dsi_pll.c
+++ b/drivers/gpu/drm/i915/vlv_dsi_pll.c
@@ -394,8 +394,8 @@ static void glk_dsi_program_esc_clock(st
 	else
 		txesc2_div = 10;
 
-	I915_WRITE(MIPIO_TXESC_CLK_DIV1, txesc1_div & GLK_TX_ESC_CLK_DIV1_MASK);
-	I915_WRITE(MIPIO_TXESC_CLK_DIV2, txesc2_div & GLK_TX_ESC_CLK_DIV2_MASK);
+	I915_WRITE(MIPIO_TXESC_CLK_DIV1, (1 << (txesc1_div - 1)) & GLK_TX_ESC_CLK_DIV1_MASK);
+	I915_WRITE(MIPIO_TXESC_CLK_DIV2, (1 << (txesc2_div - 1)) & GLK_TX_ESC_CLK_DIV2_MASK);
 }
 
 /* Program BXT Mipi clocks and dividers */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 126/144] ALSA: firewire: fix a memory leak bug
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 125/144] drm/i915: Fix wrong escape clock divisor init for GLK Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 127/144] ALSA: hiface: fix multiple memory leak bugs Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Takashi Sakamoto, Takashi Iwai

From: Wenwen Wang <wenwen@cs.uga.edu>

commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream.

In iso_packets_buffer_init(), 'b->packets' is allocated through
kmalloc_array(). Then, the aligned packet size is checked. If it is
larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
However, the allocated 'b->packets' is not deallocated on this path,
leading to a memory leak.

To fix the above issue, free 'b->packets' before returning the error code.

Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver")
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: <stable@vger.kernel.org> # v2.6.39+
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/packets-buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/firewire/packets-buffer.c
+++ b/sound/firewire/packets-buffer.c
@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p
 	packets_per_page = PAGE_SIZE / packet_size;
 	if (WARN_ON(!packets_per_page)) {
 		err = -EINVAL;
-		goto error;
+		goto err_packets;
 	}
 	pages = DIV_ROUND_UP(count, packets_per_page);
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 127/144] ALSA: hiface: fix multiple memory leak bugs
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 126/144] ALSA: firewire: fix a memory leak bug Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 128/144] ALSA: hda - Dont override global PCM hw info flag Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Takashi Iwai

From: Wenwen Wang <wenwen@cs.uga.edu>

commit 3d92aa45fbfd7319e3a19f4ec59fd32b3862b723 upstream.

In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In
hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through
kzalloc().  However, if hiface_pcm_init_urb() fails, both 'rt' and
'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs.
Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails.

To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'.

Fixes: a91c3fb2f842 ("Add M2Tech hiFace USB-SPDIF driver")
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/hiface/pcm.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/sound/usb/hiface/pcm.c
+++ b/sound/usb/hiface/pcm.c
@@ -600,14 +600,13 @@ int hiface_pcm_init(struct hiface_chip *
 		ret = hiface_pcm_init_urb(&rt->out_urbs[i], chip, OUT_EP,
 				    hiface_pcm_out_urb_handler);
 		if (ret < 0)
-			return ret;
+			goto error;
 	}
 
 	ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, &pcm);
 	if (ret < 0) {
-		kfree(rt);
 		dev_err(&chip->dev->dev, "Cannot create pcm instance\n");
-		return ret;
+		goto error;
 	}
 
 	pcm->private_data = rt;
@@ -620,4 +619,10 @@ int hiface_pcm_init(struct hiface_chip *
 
 	chip->pcm = rt;
 	return 0;
+
+error:
+	for (i = 0; i < PCM_N_URBS; i++)
+		kfree(rt->out_urbs[i].buffer);
+	kfree(rt);
+	return ret;
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 128/144] ALSA: hda - Dont override global PCM hw info flag
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 127/144] ALSA: hiface: fix multiple memory leak bugs Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 129/144] ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit c1c6c877b0c79fd7e05c931435aa42211eaeebaf upstream.

The commit bfcba288b97f ("ALSA - hda: Add support for link audio time
reporting") introduced the conditional PCM hw info setup, but it
overwrites the global azx_pcm_hw object.  This will cause a problem if
any other HD-audio controller, as it'll inherit the same bit flag
although another controller doesn't support that feature.

Fix the bug by setting the PCM hw info flag locally.

Fixes: bfcba288b97f ("ALSA - hda: Add support for link audio time reporting")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_controller.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -598,11 +598,9 @@ static int azx_pcm_open(struct snd_pcm_s
 	}
 	runtime->private_data = azx_dev;
 
-	if (chip->gts_present)
-		azx_pcm_hw.info = azx_pcm_hw.info |
-			SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
-
 	runtime->hw = azx_pcm_hw;
+	if (chip->gts_present)
+		runtime->hw.info |= SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
 	runtime->hw.channels_min = hinfo->channels_min;
 	runtime->hw.channels_max = hinfo->channels_max;
 	runtime->hw.formats = hinfo->formats;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 129/144] ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457)
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 128/144] ALSA: hda - Dont override global PCM hw info flag Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 130/144] mac80211: dont WARN on short WMM parameters from AP Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db upstream.

A long-time problem on the recent AMD chip (X370, X470, B450, etc with
PCI ID 1022:1457) with Realtek codecs is the crackled or distorted
sound for capture streams, as well as occasional playback hiccups.
After lengthy debugging sessions, the workarounds we've found are like
the following:

- Set up the proper driver caps for this controller, similar as the
  other AMD controller.

- Correct the DMA position reporting with the fixed FIFO size, which
  is similar like as workaround used for VIA chip set.

- Even after the position correction, PulseAudio still shows
  mysterious stalls of playback streams when a capture is triggered in
  timer-scheduled mode.  Since we have no clear way to eliminate the
  stall, pass the BATCH PCM flag for PA to suppress the tsched mode as
  a temporary workaround.

This patch implements the workarounds.  For the driver caps, it
defines a new preset, AXZ_DCAPS_PRESET_AMD_SB.  It enables the FIFO-
corrected position reporting (corresponding to the new position_fix=6)
and enforces the SNDRV_PCM_INFO_BATCH flag.

Note that the current implementation is merely a workaround.
Hopefully we'll find a better alternative in future, especially about
removing the BATCH flag hack again.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_controller.c |    7 ++++
 sound/pci/hda/hda_controller.h |    2 -
 sound/pci/hda/hda_intel.c      |   63 ++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 70 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -613,6 +613,13 @@ static int azx_pcm_open(struct snd_pcm_s
 				     20,
 				     178000000);
 
+	/* by some reason, the playback stream stalls on PulseAudio with
+	 * tsched=1 when a capture stream triggers.  Until we figure out the
+	 * real cause, disable tsched mode by telling the PCM info flag.
+	 */
+	if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND)
+		runtime->hw.info |= SNDRV_PCM_INFO_BATCH;
+
 	if (chip->align_buffer_size)
 		/* constrain buffer sizes to be multiple of 128
 		   bytes. This is more efficient in terms of memory
--- a/sound/pci/hda/hda_controller.h
+++ b/sound/pci/hda/hda_controller.h
@@ -31,7 +31,7 @@
 /* 14 unused */
 #define AZX_DCAPS_CTX_WORKAROUND (1 << 15)	/* X-Fi workaround */
 #define AZX_DCAPS_POSFIX_LPIB	(1 << 16)	/* Use LPIB as default */
-/* 17 unused */
+#define AZX_DCAPS_AMD_WORKAROUND (1 << 17)	/* AMD-specific workaround */
 #define AZX_DCAPS_NO_64BIT	(1 << 18)	/* No 64bit address */
 #define AZX_DCAPS_SYNC_WRITE	(1 << 19)	/* sync each cmd write */
 #define AZX_DCAPS_OLD_SSYNC	(1 << 20)	/* Old SSYNC reg for ICH */
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -64,6 +64,7 @@ enum {
 	POS_FIX_VIACOMBO,
 	POS_FIX_COMBO,
 	POS_FIX_SKL,
+	POS_FIX_FIFO,
 };
 
 /* Defines for ATI HD Audio support in SB450 south bridge */
@@ -135,7 +136,7 @@ module_param_array(model, charp, NULL, 0
 MODULE_PARM_DESC(model, "Use the given board model.");
 module_param_array(position_fix, int, NULL, 0444);
 MODULE_PARM_DESC(position_fix, "DMA pointer read method."
-		 "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+).");
+		 "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+, 6 = FIFO).");
 module_param_array(bdl_pos_adj, int, NULL, 0644);
 MODULE_PARM_DESC(bdl_pos_adj, "BDL position adjustment offset.");
 module_param_array(probe_mask, int, NULL, 0444);
@@ -332,6 +333,11 @@ enum {
 #define AZX_DCAPS_PRESET_ATI_HDMI_NS \
 	(AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF)
 
+/* quirks for AMD SB */
+#define AZX_DCAPS_PRESET_AMD_SB \
+	(AZX_DCAPS_NO_TCSEL | AZX_DCAPS_SYNC_WRITE | AZX_DCAPS_AMD_WORKAROUND |\
+	 AZX_DCAPS_SNOOP_TYPE(ATI) | AZX_DCAPS_PM_RUNTIME)
+
 /* quirks for Nvidia */
 #define AZX_DCAPS_PRESET_NVIDIA \
 	(AZX_DCAPS_NO_MSI | AZX_DCAPS_CORBRP_SELF_CLEAR |\
@@ -841,6 +847,49 @@ static unsigned int azx_via_get_position
 	return bound_pos + mod_dma_pos;
 }
 
+#define AMD_FIFO_SIZE	32
+
+/* get the current DMA position with FIFO size correction */
+static unsigned int azx_get_pos_fifo(struct azx *chip, struct azx_dev *azx_dev)
+{
+	struct snd_pcm_substream *substream = azx_dev->core.substream;
+	struct snd_pcm_runtime *runtime = substream->runtime;
+	unsigned int pos, delay;
+
+	pos = snd_hdac_stream_get_pos_lpib(azx_stream(azx_dev));
+	if (!runtime)
+		return pos;
+
+	runtime->delay = AMD_FIFO_SIZE;
+	delay = frames_to_bytes(runtime, AMD_FIFO_SIZE);
+	if (azx_dev->insufficient) {
+		if (pos < delay) {
+			delay = pos;
+			runtime->delay = bytes_to_frames(runtime, pos);
+		} else {
+			azx_dev->insufficient = 0;
+		}
+	}
+
+	/* correct the DMA position for capture stream */
+	if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) {
+		if (pos < delay)
+			pos += azx_dev->core.bufsize;
+		pos -= delay;
+	}
+
+	return pos;
+}
+
+static int azx_get_delay_from_fifo(struct azx *chip, struct azx_dev *azx_dev,
+				   unsigned int pos)
+{
+	struct snd_pcm_substream *substream = azx_dev->core.substream;
+
+	/* just read back the calculated value in the above */
+	return substream->runtime->delay;
+}
+
 static unsigned int azx_skl_get_dpib_pos(struct azx *chip,
 					 struct azx_dev *azx_dev)
 {
@@ -1417,6 +1466,7 @@ static int check_position_fix(struct azx
 	case POS_FIX_VIACOMBO:
 	case POS_FIX_COMBO:
 	case POS_FIX_SKL:
+	case POS_FIX_FIFO:
 		return fix;
 	}
 
@@ -1433,6 +1483,10 @@ static int check_position_fix(struct azx
 		dev_dbg(chip->card->dev, "Using VIACOMBO position fix\n");
 		return POS_FIX_VIACOMBO;
 	}
+	if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) {
+		dev_dbg(chip->card->dev, "Using FIFO position fix\n");
+		return POS_FIX_FIFO;
+	}
 	if (chip->driver_caps & AZX_DCAPS_POSFIX_LPIB) {
 		dev_dbg(chip->card->dev, "Using LPIB position fix\n");
 		return POS_FIX_LPIB;
@@ -1453,6 +1507,7 @@ static void assign_position_fix(struct a
 		[POS_FIX_VIACOMBO] = azx_via_get_position,
 		[POS_FIX_COMBO] = azx_get_pos_lpib,
 		[POS_FIX_SKL] = azx_get_pos_skl,
+		[POS_FIX_FIFO] = azx_get_pos_fifo,
 	};
 
 	chip->get_position[0] = chip->get_position[1] = callbacks[fix];
@@ -1467,6 +1522,9 @@ static void assign_position_fix(struct a
 			azx_get_delay_from_lpib;
 	}
 
+	if (fix == POS_FIX_FIFO)
+		chip->get_delay[0] = chip->get_delay[1] =
+			azx_get_delay_from_fifo;
 }
 
 /*
@@ -2444,6 +2502,9 @@ static const struct pci_device_id azx_id
 	/* AMD Hudson */
 	{ PCI_DEVICE(0x1022, 0x780d),
 	  .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
+	/* AMD, X370 & co */
+	{ PCI_DEVICE(0x1022, 0x1457),
+	  .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
 	/* AMD Stoney */
 	{ PCI_DEVICE(0x1022, 0x157a),
 	  .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 130/144] mac80211: dont WARN on short WMM parameters from AP
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 129/144] ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 131/144] dax: dax_layout_busy_page() should not unmap cow pages Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Brian Norris, Johannes Berg

From: Brian Norris <briannorris@chromium.org>

commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream.

In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN
on bad WMM parameters from buggy APs"), an AP may not transmit a
fully-formed WMM IE. For example, it may miss or repeat an Access
Category. The above loop won't catch that and will instead leave one of
the four ACs zeroed out. This triggers the following warning in
drv_conf_tx()

  wlan0: invalid CW_min/CW_max: 0/0

and it may leave one of the hardware queues unconfigured. If we detect
such a case, let's just print a warning and fall back to the defaults.

Tested with a hacked version of hostapd, intentionally corrupting the
IEs in hostapd_eid_wmm().

Cc: stable@vger.kernel.org
Signed-off-by: Brian Norris <briannorris@chromium.org>
Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/mlme.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2041,6 +2041,16 @@ ieee80211_sta_wmm_params(struct ieee8021
 		ieee80211_regulatory_limit_wmm_params(sdata, &params[ac], ac);
 	}
 
+	/* WMM specification requires all 4 ACIs. */
+	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+		if (params[ac].cw_min == 0) {
+			sdata_info(sdata,
+				   "AP has invalid WMM params (missing AC %d), using defaults\n",
+				   ac);
+			return false;
+		}
+	}
+
 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
 		mlme_dbg(sdata,
 			 "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 131/144] dax: dax_layout_busy_page() should not unmap cow pages
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 130/144] mac80211: dont WARN on short WMM parameters from AP Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 132/144] SMB3: Fix deadlock in validate negotiate hits reconnect Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vivek Goyal, Dan Williams

From: Vivek Goyal <vgoyal@redhat.com>

commit d75996dd022b6d83bd14af59b2775b1aa639e4b9 upstream.

Vivek:

    "As of now dax_layout_busy_page() calls unmap_mapping_range() with last
     argument as 1, which says even unmap cow pages. I am wondering who needs
     to get rid of cow pages as well.

     I noticed one interesting side affect of this. I mount xfs with -o dax and
     mmaped a file with MAP_PRIVATE and wrote some data to a page which created
     cow page. Then I called fallocate() on that file to zero a page of file.
     fallocate() called dax_layout_busy_page() which unmapped cow pages as well
     and then I tried to read back the data I wrote and what I get is old
     data from persistent memory. I lost the data I had written. This
     read basically resulted in new fault and read back the data from
     persistent memory.

     This sounds wrong. Are there any users which need to unmap cow pages
     as well? If not, I am proposing changing it to not unmap cow pages.

     I noticed this while while writing virtio_fs code where when I tried
     to reclaim a memory range and that corrupted the executable and I
     was running from virtio-fs and program got segment violation."

Dan:

    "In fact the unmap_mapping_range() in this path is only to synchronize
     against get_user_pages_fast() and force it to call back into the
     filesystem to re-establish the mapping. COW pages should be left
     untouched by dax_layout_busy_page()."

Cc: <stable@vger.kernel.org>
Fixes: 5fac7408d828 ("mm, fs, dax: handle layout changes to pinned dax mappings")
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Link: https://lore.kernel.org/r/20190802192956.GA3032@redhat.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/dax.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/dax.c
+++ b/fs/dax.c
@@ -601,7 +601,7 @@ struct page *dax_layout_busy_page(struct
 	 * guaranteed to either see new references or prevent new
 	 * references from being established.
 	 */
-	unmap_mapping_range(mapping, 0, 0, 1);
+	unmap_mapping_range(mapping, 0, 0, 0);
 
 	xas_lock_irq(&xas);
 	xas_for_each(&xas, entry, ULONG_MAX) {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 132/144] SMB3: Fix deadlock in validate negotiate hits reconnect
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 131/144] dax: dax_layout_busy_page() should not unmap cow pages Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 133/144] smb3: send CAP_DFS capability during session setup Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Shilovsky, Steve French,
	Ronnie Sahlberg

From: Pavel Shilovsky <pshilov@microsoft.com>

commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream.

Currently we skip SMB2_TREE_CONNECT command when checking during
reconnect because Tree Connect happens when establishing
an SMB session. For SMB 3.0 protocol version the code also calls
validate negotiate which results in SMB2_IOCL command being sent
over the wire. This may deadlock on trying to acquire a mutex when
checking for reconnect. Fix this by skipping SMB2_IOCL command
when doing the reconnect check.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -252,7 +252,7 @@ smb2_reconnect(__le16 smb2_command, stru
 	if (tcon == NULL)
 		return 0;
 
-	if (smb2_command == SMB2_TREE_CONNECT)
+	if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
 		return 0;
 
 	if (tcon->tidStatus == CifsExiting) {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 133/144] smb3: send CAP_DFS capability during session setup
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 132/144] SMB3: Fix deadlock in validate negotiate hits reconnect Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 134/144] NFSv4: Fix delegation state recovery Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve French, Pavel Shilovsky,
	Ronnie Sahlberg

From: Steve French <stfrench@microsoft.com>

commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream.

We had a report of a server which did not do a DFS referral
because the session setup Capabilities field was set to 0
(unlike negotiate protocol where we set CAP_DFS).  Better to
send it session setup in the capabilities as well (this also
more closely matches Windows client behavior).

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1173,7 +1173,12 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_
 	else
 		req->SecurityMode = 0;
 
+#ifdef CONFIG_CIFS_DFS_UPCALL
+	req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS);
+#else
 	req->Capabilities = 0;
+#endif /* DFS_UPCALL */
+
 	req->Channel = 0; /* MBZ */
 
 	sess_data->iov[0].iov_base = (char *)req;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 134/144] NFSv4: Fix delegation state recovery
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 133/144] smb3: send CAP_DFS capability during session setup Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 135/144] NFSv4: Check the return value of update_open_stateid() Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 5eb8d18ca0e001c6055da2b7f30d8f6dca23a44f upstream.

Once we clear the NFS_DELEGATED_STATE flag, we're telling
nfs_delegation_claim_opens() that we're done recovering all open state
for that stateid, so we really need to ensure that we test for all
open modes that are currently cached and recover them before exiting
nfs4_open_delegation_recall().

Fixes: 24311f884189d ("NFSv4: Recovery of recalled read delegations...")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: stable@vger.kernel.org # v4.3+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/delegation.c |    2 +-
 fs/nfs/delegation.h |    2 +-
 fs/nfs/nfs4proc.c   |   25 ++++++++++++-------------
 3 files changed, 14 insertions(+), 15 deletions(-)

--- a/fs/nfs/delegation.c
+++ b/fs/nfs/delegation.c
@@ -153,7 +153,7 @@ again:
 		/* Block nfs4_proc_unlck */
 		mutex_lock(&sp->so_delegreturn_mutex);
 		seq = raw_seqcount_begin(&sp->so_reclaim_seqcount);
-		err = nfs4_open_delegation_recall(ctx, state, stateid, type);
+		err = nfs4_open_delegation_recall(ctx, state, stateid);
 		if (!err)
 			err = nfs_delegation_claim_locks(state, stateid);
 		if (!err && read_seqcount_retry(&sp->so_reclaim_seqcount, seq))
--- a/fs/nfs/delegation.h
+++ b/fs/nfs/delegation.h
@@ -63,7 +63,7 @@ void nfs_reap_expired_delegations(struct
 
 /* NFSv4 delegation-related procedures */
 int nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred, const nfs4_stateid *stateid, int issync);
-int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid, fmode_t type);
+int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid);
 int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, const nfs4_stateid *stateid);
 bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags, nfs4_stateid *dst, const struct cred **cred);
 bool nfs4_refresh_delegation_stateid(nfs4_stateid *dst, struct inode *inode);
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2148,12 +2148,10 @@ static int nfs4_handle_delegation_recall
 		case -NFS4ERR_BAD_HIGH_SLOT:
 		case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
 		case -NFS4ERR_DEADSESSION:
-			set_bit(NFS_DELEGATED_STATE, &state->flags);
 			nfs4_schedule_session_recovery(server->nfs_client->cl_session, err);
 			return -EAGAIN;
 		case -NFS4ERR_STALE_CLIENTID:
 		case -NFS4ERR_STALE_STATEID:
-			set_bit(NFS_DELEGATED_STATE, &state->flags);
 			/* Don't recall a delegation if it was lost */
 			nfs4_schedule_lease_recovery(server->nfs_client);
 			return -EAGAIN;
@@ -2174,7 +2172,6 @@ static int nfs4_handle_delegation_recall
 			return -EAGAIN;
 		case -NFS4ERR_DELAY:
 		case -NFS4ERR_GRACE:
-			set_bit(NFS_DELEGATED_STATE, &state->flags);
 			ssleep(1);
 			return -EAGAIN;
 		case -ENOMEM:
@@ -2190,8 +2187,7 @@ static int nfs4_handle_delegation_recall
 }
 
 int nfs4_open_delegation_recall(struct nfs_open_context *ctx,
-		struct nfs4_state *state, const nfs4_stateid *stateid,
-		fmode_t type)
+		struct nfs4_state *state, const nfs4_stateid *stateid)
 {
 	struct nfs_server *server = NFS_SERVER(state->inode);
 	struct nfs4_opendata *opendata;
@@ -2202,20 +2198,23 @@ int nfs4_open_delegation_recall(struct n
 	if (IS_ERR(opendata))
 		return PTR_ERR(opendata);
 	nfs4_stateid_copy(&opendata->o_arg.u.delegation, stateid);
-	nfs_state_clear_delegation(state);
-	switch (type & (FMODE_READ|FMODE_WRITE)) {
-	case FMODE_READ|FMODE_WRITE:
-	case FMODE_WRITE:
+	if (!test_bit(NFS_O_RDWR_STATE, &state->flags)) {
 		err = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE);
 		if (err)
-			break;
+			goto out;
+	}
+	if (!test_bit(NFS_O_WRONLY_STATE, &state->flags)) {
 		err = nfs4_open_recover_helper(opendata, FMODE_WRITE);
 		if (err)
-			break;
-		/* Fall through */
-	case FMODE_READ:
+			goto out;
+	}
+	if (!test_bit(NFS_O_RDONLY_STATE, &state->flags)) {
 		err = nfs4_open_recover_helper(opendata, FMODE_READ);
+		if (err)
+			goto out;
 	}
+	nfs_state_clear_delegation(state);
+out:
 	nfs4_opendata_put(opendata);
 	return nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err);
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 135/144] NFSv4: Check the return value of update_open_stateid()
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 134/144] NFSv4: Fix delegation state recovery Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 136/144] NFSv4: Fix an Oops in nfs4_do_setattr Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit e3c8dc761ead061da2220ee8f8132f729ac3ddfe upstream.

Ensure that we always check the return value of update_open_stateid()
so that we can retry if the update of local state failed. This fixes
infinite looping on state recovery.

Fixes: e23008ec81ef3 ("NFSv4 reduce attribute requests for open reclaim")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: stable@vger.kernel.org # v3.7+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4proc.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -1878,8 +1878,9 @@ _nfs4_opendata_reclaim_to_nfs4_state(str
 	if (data->o_res.delegation_type != 0)
 		nfs4_opendata_check_deleg(data, state);
 update:
-	update_open_stateid(state, &data->o_res.stateid, NULL,
-			    data->o_arg.fmode);
+	if (!update_open_stateid(state, &data->o_res.stateid,
+				NULL, data->o_arg.fmode))
+		return ERR_PTR(-EAGAIN);
 	refcount_inc(&state->count);
 
 	return state;
@@ -1944,8 +1945,11 @@ _nfs4_opendata_to_nfs4_state(struct nfs4
 
 	if (data->o_res.delegation_type != 0)
 		nfs4_opendata_check_deleg(data, state);
-	update_open_stateid(state, &data->o_res.stateid, NULL,
-			data->o_arg.fmode);
+	if (!update_open_stateid(state, &data->o_res.stateid,
+				NULL, data->o_arg.fmode)) {
+		nfs4_put_open_state(state);
+		state = ERR_PTR(-EAGAIN);
+	}
 out:
 	nfs_release_seqid(data->o_arg.seqid);
 	return state;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 136/144] NFSv4: Fix an Oops in nfs4_do_setattr
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 135/144] NFSv4: Check the return value of update_open_stateid() Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 137/144] KVM: Fix leak vCPUs VMCS value into other pCPU Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olga Kornievskaia, Trond Myklebust

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 09a54f0ebfe263bc27c90bbd80187b9a93283887 upstream.

If the user specifies an open mode of 3, then we don't have a NFSv4 state
attached to the context, and so we Oops when we try to dereference it.

Reported-by: Olga Kornievskaia <aglo@umich.edu>
Fixes: 29b59f9416937 ("NFSv4: change nfs4_do_setattr to take...")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: stable@vger.kernel.org # v4.10: 991eedb1371dc: NFSv4: Only pass the...
Cc: stable@vger.kernel.org # v4.10+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4proc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3175,7 +3175,7 @@ static int _nfs4_do_setattr(struct inode
 
 	if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) {
 		/* Use that stateid */
-	} else if (ctx != NULL) {
+	} else if (ctx != NULL && ctx->state) {
 		struct nfs_lock_context *l_ctx;
 		if (!nfs4_valid_open_stateid(ctx->state))
 			return -EBADF;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 137/144] KVM: Fix leak vCPUs VMCS value into other pCPU
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 136/144] NFSv4: Fix an Oops in nfs4_do_setattr Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 138/144] KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paolo Bonzini,
	Radim Krčmář,
	Christian Borntraeger, Marc Zyngier, Wanpeng Li

From: Wanpeng Li <wanpengli@tencent.com>

commit 17e433b54393a6269acbcb792da97791fe1592d8 upstream.

After commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts), a
five years old bug is exposed. Running ebizzy benchmark in three 80 vCPUs VMs
on one 80 pCPUs Skylake server, a lot of rcu_sched stall warning splatting
in the VMs after stress testing:

 INFO: rcu_sched detected stalls on CPUs/tasks: { 4 41 57 62 77} (detected by 15, t=60004 jiffies, g=899, c=898, q=15073)
 Call Trace:
   flush_tlb_mm_range+0x68/0x140
   tlb_flush_mmu.part.75+0x37/0xe0
   tlb_finish_mmu+0x55/0x60
   zap_page_range+0x142/0x190
   SyS_madvise+0x3cd/0x9c0
   system_call_fastpath+0x1c/0x21

swait_active() sustains to be true before finish_swait() is called in
kvm_vcpu_block(), voluntarily preempted vCPUs are taken into account
by kvm_vcpu_on_spin() loop greatly increases the probability condition
kvm_arch_vcpu_runnable(vcpu) is checked and can be true, when APICv
is enabled the yield-candidate vCPU's VMCS RVI field leaks(by
vmx_sync_pir_to_irr()) into spinning-on-a-taken-lock vCPU's current
VMCS.

This patch fixes it by checking conservatively a subset of events.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Marc Zyngier <Marc.Zyngier@arm.com>
Cc: stable@vger.kernel.org
Fixes: 98f4a1467 (KVM: add kvm_arch_vcpu_runnable() test to kvm_vcpu_on_spin() loop)
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/powerpc.c      |    5 +++++
 arch/x86/include/asm/kvm_host.h |    1 +
 arch/x86/kvm/svm.c              |    6 ++++++
 arch/x86/kvm/vmx/vmx.c          |    6 ++++++
 arch/x86/kvm/x86.c              |   16 ++++++++++++++++
 include/linux/kvm_host.h        |    1 +
 virt/kvm/kvm_main.c             |   25 ++++++++++++++++++++++++-
 7 files changed, 59 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -50,6 +50,11 @@ int kvm_arch_vcpu_runnable(struct kvm_vc
 	return !!(v->arch.pending_exceptions) || kvm_request_pending(v);
 }
 
+bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
+{
+	return kvm_arch_vcpu_runnable(vcpu);
+}
+
 bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu)
 {
 	return false;
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1169,6 +1169,7 @@ struct kvm_x86_ops {
 	int (*update_pi_irte)(struct kvm *kvm, unsigned int host_irq,
 			      uint32_t guest_irq, bool set);
 	void (*apicv_post_state_restore)(struct kvm_vcpu *vcpu);
+	bool (*dy_apicv_has_pending_interrupt)(struct kvm_vcpu *vcpu);
 
 	int (*set_hv_timer)(struct kvm_vcpu *vcpu, u64 guest_deadline_tsc,
 			    bool *expired);
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -5167,6 +5167,11 @@ static void svm_deliver_avic_intr(struct
 		kvm_vcpu_wake_up(vcpu);
 }
 
+static bool svm_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu)
+{
+	return false;
+}
+
 static void svm_ir_list_del(struct vcpu_svm *svm, struct amd_iommu_pi_data *pi)
 {
 	unsigned long flags;
@@ -7264,6 +7269,7 @@ static struct kvm_x86_ops svm_x86_ops __
 
 	.pmu_ops = &amd_pmu_ops,
 	.deliver_posted_interrupt = svm_deliver_avic_intr,
+	.dy_apicv_has_pending_interrupt = svm_dy_apicv_has_pending_interrupt,
 	.update_pi_irte = svm_update_pi_irte,
 	.setup_mce = svm_setup_mce,
 
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -6096,6 +6096,11 @@ static int vmx_sync_pir_to_irr(struct kv
 	return max_irr;
 }
 
+static bool vmx_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu)
+{
+	return pi_test_on(vcpu_to_pi_desc(vcpu));
+}
+
 static void vmx_load_eoi_exitmap(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap)
 {
 	if (!kvm_vcpu_apicv_active(vcpu))
@@ -7662,6 +7667,7 @@ static struct kvm_x86_ops vmx_x86_ops __
 	.guest_apic_has_interrupt = vmx_guest_apic_has_interrupt,
 	.sync_pir_to_irr = vmx_sync_pir_to_irr,
 	.deliver_posted_interrupt = vmx_deliver_posted_interrupt,
+	.dy_apicv_has_pending_interrupt = vmx_dy_apicv_has_pending_interrupt,
 
 	.set_tss_addr = vmx_set_tss_addr,
 	.set_identity_map_addr = vmx_set_identity_map_addr,
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -9641,6 +9641,22 @@ int kvm_arch_vcpu_runnable(struct kvm_vc
 	return kvm_vcpu_running(vcpu) || kvm_vcpu_has_events(vcpu);
 }
 
+bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
+{
+	if (READ_ONCE(vcpu->arch.pv.pv_unhalted))
+		return true;
+
+	if (kvm_test_request(KVM_REQ_NMI, vcpu) ||
+		kvm_test_request(KVM_REQ_SMI, vcpu) ||
+		 kvm_test_request(KVM_REQ_EVENT, vcpu))
+		return true;
+
+	if (vcpu->arch.apicv_active && kvm_x86_ops->dy_apicv_has_pending_interrupt(vcpu))
+		return true;
+
+	return false;
+}
+
 bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu)
 {
 	return vcpu->arch.preempted_in_kernel;
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -871,6 +871,7 @@ void kvm_arch_check_processor_compat(voi
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu);
 bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu);
 int kvm_arch_vcpu_should_kick(struct kvm_vcpu *vcpu);
+bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu);
 
 #ifndef __KVM_HAVE_ARCH_VM_ALLOC
 /*
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2475,6 +2475,29 @@ static bool kvm_vcpu_eligible_for_direct
 #endif
 }
 
+/*
+ * Unlike kvm_arch_vcpu_runnable, this function is called outside
+ * a vcpu_load/vcpu_put pair.  However, for most architectures
+ * kvm_arch_vcpu_runnable does not require vcpu_load.
+ */
+bool __weak kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
+{
+	return kvm_arch_vcpu_runnable(vcpu);
+}
+
+static bool vcpu_dy_runnable(struct kvm_vcpu *vcpu)
+{
+	if (kvm_arch_dy_runnable(vcpu))
+		return true;
+
+#ifdef CONFIG_KVM_ASYNC_PF
+	if (!list_empty_careful(&vcpu->async_pf.done))
+		return true;
+#endif
+
+	return false;
+}
+
 void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode)
 {
 	struct kvm *kvm = me->kvm;
@@ -2504,7 +2527,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m
 				continue;
 			if (vcpu == me)
 				continue;
-			if (swait_active(&vcpu->wq) && !kvm_arch_vcpu_runnable(vcpu))
+			if (swait_active(&vcpu->wq) && !vcpu_dy_runnable(vcpu))
 				continue;
 			if (yield_to_kernel_mode && !kvm_arch_vcpu_in_kernel(vcpu))
 				continue;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 138/144] KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 137/144] KVM: Fix leak vCPUs VMCS value into other pCPU Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 139/144] mwifiex: fix 802.11n/WPA detection Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier

From: Marc Zyngier <maz@kernel.org>

commit 5eeaf10eec394b28fad2c58f1f5c3a5da0e87d1c upstream.

Since commit commit 328e56647944 ("KVM: arm/arm64: vgic: Defer
touching GICH_VMCR to vcpu_load/put"), we leave ICH_VMCR_EL2 (or
its GICv2 equivalent) loaded as long as we can, only syncing it
back when we're scheduled out.

There is a small snag with that though: kvm_vgic_vcpu_pending_irq(),
which is indirectly called from kvm_vcpu_check_block(), needs to
evaluate the guest's view of ICC_PMR_EL1. At the point were we
call kvm_vcpu_check_block(), the vcpu is still loaded, and whatever
changes to PMR is not visible in memory until we do a vcpu_put().

Things go really south if the guest does the following:

	mov x0, #0	// or any small value masking interrupts
	msr ICC_PMR_EL1, x0

	[vcpu preempted, then rescheduled, VMCR sampled]

	mov x0, #ff	// allow all interrupts
	msr ICC_PMR_EL1, x0
	wfi		// traps to EL2, so samping of VMCR

	[interrupt arrives just after WFI]

Here, the hypervisor's view of PMR is zero, while the guest has enabled
its interrupts. kvm_vgic_vcpu_pending_irq() will then say that no
interrupts are pending (despite an interrupt being received) and we'll
block for no reason. If the guest doesn't have a periodic interrupt
firing once it has blocked, it will stay there forever.

To avoid this unfortuante situation, let's resync VMCR from
kvm_arch_vcpu_blocking(), ensuring that a following kvm_vcpu_check_block()
will observe the latest value of PMR.

This has been found by booting an arm64 Linux guest with the pseudo NMI
feature, and thus using interrupt priorities to mask interrupts instead
of the usual PSTATE masking.

Cc: stable@vger.kernel.org # 4.12
Fixes: 328e56647944 ("KVM: arm/arm64: vgic: Defer touching GICH_VMCR to vcpu_load/put")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/kvm/arm_vgic.h      |    1 +
 virt/kvm/arm/arm.c          |   11 +++++++++++
 virt/kvm/arm/vgic/vgic-v2.c |    9 ++++++++-
 virt/kvm/arm/vgic/vgic-v3.c |    7 ++++++-
 virt/kvm/arm/vgic/vgic.c    |   11 +++++++++++
 virt/kvm/arm/vgic/vgic.h    |    2 ++
 6 files changed, 39 insertions(+), 2 deletions(-)

--- a/include/kvm/arm_vgic.h
+++ b/include/kvm/arm_vgic.h
@@ -350,6 +350,7 @@ int kvm_vgic_vcpu_pending_irq(struct kvm
 
 void kvm_vgic_load(struct kvm_vcpu *vcpu);
 void kvm_vgic_put(struct kvm_vcpu *vcpu);
+void kvm_vgic_vmcr_sync(struct kvm_vcpu *vcpu);
 
 #define irqchip_in_kernel(k)	(!!((k)->arch.vgic.in_kernel))
 #define vgic_initialized(k)	((k)->arch.vgic.initialized)
--- a/virt/kvm/arm/arm.c
+++ b/virt/kvm/arm/arm.c
@@ -323,6 +323,17 @@ int kvm_cpu_has_pending_timer(struct kvm
 
 void kvm_arch_vcpu_blocking(struct kvm_vcpu *vcpu)
 {
+	/*
+	 * If we're about to block (most likely because we've just hit a
+	 * WFI), we need to sync back the state of the GIC CPU interface
+	 * so that we have the lastest PMR and group enables. This ensures
+	 * that kvm_arch_vcpu_runnable has up-to-date data to decide
+	 * whether we have pending interrupts.
+	 */
+	preempt_disable();
+	kvm_vgic_vmcr_sync(vcpu);
+	preempt_enable();
+
 	kvm_vgic_v4_enable_doorbell(vcpu);
 }
 
--- a/virt/kvm/arm/vgic/vgic-v2.c
+++ b/virt/kvm/arm/vgic/vgic-v2.c
@@ -484,10 +484,17 @@ void vgic_v2_load(struct kvm_vcpu *vcpu)
 		       kvm_vgic_global_state.vctrl_base + GICH_APR);
 }
 
-void vgic_v2_put(struct kvm_vcpu *vcpu)
+void vgic_v2_vmcr_sync(struct kvm_vcpu *vcpu)
 {
 	struct vgic_v2_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v2;
 
 	cpu_if->vgic_vmcr = readl_relaxed(kvm_vgic_global_state.vctrl_base + GICH_VMCR);
+}
+
+void vgic_v2_put(struct kvm_vcpu *vcpu)
+{
+	struct vgic_v2_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v2;
+
+	vgic_v2_vmcr_sync(vcpu);
 	cpu_if->vgic_apr = readl_relaxed(kvm_vgic_global_state.vctrl_base + GICH_APR);
 }
--- a/virt/kvm/arm/vgic/vgic-v3.c
+++ b/virt/kvm/arm/vgic/vgic-v3.c
@@ -662,12 +662,17 @@ void vgic_v3_load(struct kvm_vcpu *vcpu)
 		__vgic_v3_activate_traps(vcpu);
 }
 
-void vgic_v3_put(struct kvm_vcpu *vcpu)
+void vgic_v3_vmcr_sync(struct kvm_vcpu *vcpu)
 {
 	struct vgic_v3_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v3;
 
 	if (likely(cpu_if->vgic_sre))
 		cpu_if->vgic_vmcr = kvm_call_hyp_ret(__vgic_v3_read_vmcr);
+}
+
+void vgic_v3_put(struct kvm_vcpu *vcpu)
+{
+	vgic_v3_vmcr_sync(vcpu);
 
 	kvm_call_hyp(__vgic_v3_save_aprs, vcpu);
 
--- a/virt/kvm/arm/vgic/vgic.c
+++ b/virt/kvm/arm/vgic/vgic.c
@@ -919,6 +919,17 @@ void kvm_vgic_put(struct kvm_vcpu *vcpu)
 		vgic_v3_put(vcpu);
 }
 
+void kvm_vgic_vmcr_sync(struct kvm_vcpu *vcpu)
+{
+	if (unlikely(!irqchip_in_kernel(vcpu->kvm)))
+		return;
+
+	if (kvm_vgic_global_state.type == VGIC_V2)
+		vgic_v2_vmcr_sync(vcpu);
+	else
+		vgic_v3_vmcr_sync(vcpu);
+}
+
 int kvm_vgic_vcpu_pending_irq(struct kvm_vcpu *vcpu)
 {
 	struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu;
--- a/virt/kvm/arm/vgic/vgic.h
+++ b/virt/kvm/arm/vgic/vgic.h
@@ -193,6 +193,7 @@ int vgic_register_dist_iodev(struct kvm
 void vgic_v2_init_lrs(void);
 void vgic_v2_load(struct kvm_vcpu *vcpu);
 void vgic_v2_put(struct kvm_vcpu *vcpu);
+void vgic_v2_vmcr_sync(struct kvm_vcpu *vcpu);
 
 void vgic_v2_save_state(struct kvm_vcpu *vcpu);
 void vgic_v2_restore_state(struct kvm_vcpu *vcpu);
@@ -223,6 +224,7 @@ bool vgic_v3_check_base(struct kvm *kvm)
 
 void vgic_v3_load(struct kvm_vcpu *vcpu);
 void vgic_v3_put(struct kvm_vcpu *vcpu);
+void vgic_v3_vmcr_sync(struct kvm_vcpu *vcpu);
 
 bool vgic_has_its(struct kvm *kvm);
 int kvm_vgic_register_its_device(void);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 139/144] mwifiex: fix 802.11n/WPA detection
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 138/144] KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 140/144] iwlwifi: dont unmap as page memory that was mapped as single Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Brian Norris, Kalle Valo

From: Brian Norris <briannorris@chromium.org>

commit df612421fe2566654047769c6852ffae1a31df16 upstream.

Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant
vendor IEs") adjusted the ieee_types_vendor_header struct, which
inadvertently messed up the offsets used in
mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring
mwifiex_is_rsn_oui_present().

As it stands, commit 63d7ef36103d breaks compatibility with WPA (not
WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is
not supported by AP" case in mwifiex_is_network_compatible().

Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs")
Cc: <stable@vger.kernel.org>
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/marvell/mwifiex/main.h |    1 +
 drivers/net/wireless/marvell/mwifiex/scan.c |    3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/marvell/mwifiex/main.h
+++ b/drivers/net/wireless/marvell/mwifiex/main.h
@@ -124,6 +124,7 @@ enum {
 
 #define MWIFIEX_MAX_TOTAL_SCAN_TIME	(MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S)
 
+#define WPA_GTK_OUI_OFFSET				2
 #define RSN_GTK_OUI_OFFSET				2
 
 #define MWIFIEX_OUI_NOT_PRESENT			0
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifie
 	u8 ret = MWIFIEX_OUI_NOT_PRESENT;
 
 	if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) {
-		iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data;
+		iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data +
+					    WPA_GTK_OUI_OFFSET);
 		oui = &mwifiex_wpa_oui[cipher][0];
 		ret = mwifiex_search_oui_in_ie(iebody, oui);
 		if (ret)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 140/144] iwlwifi: dont unmap as page memory that was mapped as single
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 139/144] mwifiex: fix 802.11n/WPA detection Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 141/144] iwlwifi: mvm: fix an out-of-bound access Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Emmanuel Grumbach, Johannes Berg

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 upstream.

In order to remember how to unmap a memory (as single or
as page), we maintain a bit per Transmit Buffer (TBs) in
the meta data (structure iwl_cmd_meta).
We maintain a bitmap: 1 bit per TB.
If the TB is set, we will free the memory as a page.
This bitmap was never cleared. Fix this.

Cc: stable@vger.kernel.org
Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/pcie/tx.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
@@ -435,6 +435,8 @@ static void iwl_pcie_tfd_unmap(struct iw
 					 DMA_TO_DEVICE);
 	}
 
+	meta->tbs = 0;
+
 	if (trans->cfg->use_tfh) {
 		struct iwl_tfh_tfd *tfd_fh = (void *)tfd;
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 141/144] iwlwifi: mvm: fix an out-of-bound access
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 140/144] iwlwifi: dont unmap as page memory that was mapped as single Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 142/144] iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Emmanuel Grumbach, Johannes Berg

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit ba3224db78034435e9ff0247277cce7c7bb1756c upstream.

The index for the elements of the ACPI object we dereference
was static. This means that if we called the function twice
we wouldn't start from 3 again, but rather from the latest
index we reached in the previous call.
This was dutifully reported by KASAN.

Fix this.

Cc: stable@vger.kernel.org
Fixes: 6996490501ed ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/fw.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -753,7 +753,7 @@ static int iwl_mvm_sar_get_ewrd_table(st
 
 	for (i = 0; i < n_profiles; i++) {
 		/* the tables start at element 3 */
-		static int pos = 3;
+		int pos = 3;
 
 		/* The EWRD profiles officially go from 2 to 4, but we
 		 * save them in sar_profiles[1-3] (because we don't



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 142/144] iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 141/144] iwlwifi: mvm: fix an out-of-bound access Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 143/144] iwlwifi: mvm: dont send GEO_TX_POWER_LIMIT on version < 41 Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Emmanuel Grumbach, Johannes Berg

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit 71b256f8f7a5c09810d2c3ed6165629c2cc0a652 upstream.

Accessing the hdr of an skb that was consumed already isn't
a good idea.
First ask if the skb is a QoS packet, then keep that data
on stack, and then consume the skb.
This was spotted by KASAN.

Cc: stable@vger.kernel.org
Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -831,6 +831,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s
 	unsigned int tcp_payload_len;
 	unsigned int mss = skb_shinfo(skb)->gso_size;
 	bool ipv4 = (skb->protocol == htons(ETH_P_IP));
+	bool qos = ieee80211_is_data_qos(hdr->frame_control);
 	u16 ip_base_id = ipv4 ? ntohs(ip_hdr(skb)->id) : 0;
 
 	skb_shinfo(skb)->gso_size = num_subframes * mss;
@@ -864,7 +865,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s
 		if (tcp_payload_len > mss) {
 			skb_shinfo(tmp)->gso_size = mss;
 		} else {
-			if (ieee80211_is_data_qos(hdr->frame_control)) {
+			if (qos) {
 				u8 *qc;
 
 				if (ipv4)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 143/144] iwlwifi: mvm: dont send GEO_TX_POWER_LIMIT on version < 41
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 142/144] iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 17:01 ` [PATCH 5.2 144/144] iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Luca Coelho, Johannes Berg

From: Luca Coelho <luciano.coelho@intel.com>

commit 39bd984c203e86f3109b49c2a2e20677c4d3ab65 upstream.

Firmware versions before 41 don't support the GEO_TX_POWER_LIMIT
command, and sending it to the firmware will cause a firmware crash.
We allow this via debugfs, so we need to return an error value in case
it's not supported.

This had already been fixed during init, when we send the command if
the ACPI WGDS table is present.  Fix it also for the other,
userspace-triggered case.

Cc: stable@vger.kernel.org
Fixes: 7fe90e0e3d60 ("iwlwifi: mvm: refactor geo init")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/fw.c |   22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -874,6 +874,17 @@ int iwl_mvm_sar_select_profile(struct iw
 	return iwl_mvm_send_cmd_pdu(mvm, REDUCE_TX_POWER_CMD, 0, len, &cmd);
 }
 
+static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm)
+{
+	/*
+	 * The GEO_TX_POWER_LIMIT command is not supported on earlier
+	 * firmware versions.  Unfortunately, we don't have a TLV API
+	 * flag to rely on, so rely on the major version which is in
+	 * the first byte of ucode_ver.
+	 */
+	return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41;
+}
+
 int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm)
 {
 	struct iwl_geo_tx_power_profiles_resp *resp;
@@ -889,6 +900,9 @@ int iwl_mvm_get_sar_geo_profile(struct i
 		.data = { &geo_cmd },
 	};
 
+	if (!iwl_mvm_sar_geo_support(mvm))
+		return -EOPNOTSUPP;
+
 	ret = iwl_mvm_send_cmd(mvm, &cmd);
 	if (ret) {
 		IWL_ERR(mvm, "Failed to get geographic profile info %d\n", ret);
@@ -914,13 +928,7 @@ static int iwl_mvm_sar_geo_init(struct i
 	int ret, i, j;
 	u16 cmd_wide_id =  WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT);
 
-	/*
-	 * This command is not supported on earlier firmware versions.
-	 * Unfortunately, we don't have a TLV API flag to rely on, so
-	 * rely on the major version which is in the first byte of
-	 * ucode_ver.
-	 */
-	if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41)
+	if (!iwl_mvm_sar_geo_support(mvm))
 		return 0;
 
 	ret = iwl_mvm_sar_get_wgds_table(mvm);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.2 144/144] iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 143/144] iwlwifi: mvm: dont send GEO_TX_POWER_LIMIT on version < 41 Greg Kroah-Hartman
@ 2019-08-14 17:01 ` Greg Kroah-Hartman
  2019-08-14 23:16 ` [PATCH 5.2 000/144] 5.2.9-stable review kernelci.org bot
                   ` (4 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14 17:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Luca Coelho, Johannes Berg

From: Luca Coelho <luciano.coelho@intel.com>

commit f5a47fae6aa3eb06f100e701d2342ee56b857bee upstream.

We erroneously added a check for FW API version 41 before sending
GEO_TX_POWER_LIMIT, but this was already implemented in version 38.
Additionally, it was cherry-picked to older versions, namely 17, 26
and 29, so check for those as well.

Cc: stable@vger.kernel.org
Fixes: eca1e56ceedd ("iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/fw.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -880,9 +880,14 @@ static bool iwl_mvm_sar_geo_support(stru
 	 * The GEO_TX_POWER_LIMIT command is not supported on earlier
 	 * firmware versions.  Unfortunately, we don't have a TLV API
 	 * flag to rely on, so rely on the major version which is in
-	 * the first byte of ucode_ver.
+	 * the first byte of ucode_ver.  This was implemented
+	 * initially on version 38 and then backported to 36, 29 and
+	 * 17.
 	 */
-	return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41;
+	return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 ||
+	       IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 ||
+	       IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 ||
+	       IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17;
 }
 
 int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.2 000/144] 5.2.9-stable review
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2019-08-14 17:01 ` [PATCH 5.2 144/144] iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support Greg Kroah-Hartman
@ 2019-08-14 23:16 ` kernelci.org bot
  2019-08-15  1:34 ` Naresh Kamboju
                   ` (3 subsequent siblings)
  148 siblings, 0 replies; 153+ messages in thread
From: kernelci.org bot @ 2019-08-14 23:16 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

stable-rc/linux-5.2.y boot: 134 boots: 1 failed, 119 passed with 12 offline, 2 untried/unknown (v5.2.8-145-g2440e485aeda)

Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-5.2.y/kernel/v5.2.8-145-g2440e485aeda/
Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-5.2.y/kernel/v5.2.8-145-g2440e485aeda/

Tree: stable-rc
Branch: linux-5.2.y
Git Describe: v5.2.8-145-g2440e485aeda
Git Commit: 2440e485aeda5f36eaf2050eb1bb61be46275b39
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Tested: 81 unique boards, 27 SoC families, 17 builds out of 208

Boot Regressions Detected:

arm:

    qcom_defconfig:
        gcc-8:
          qcom-apq8064-cm-qs600:
              lab-baylibre-seattle: new failure (last pass: v5.2.8)
          qcom-apq8064-ifc6410:
              lab-baylibre-seattle: new failure (last pass: v5.2.8)

Boot Failure Detected:

arm64:
    defconfig:
        gcc-8:
            rk3399-firefly: 1 failed lab

Offline Platforms:

arm64:

    defconfig:
        gcc-8
            apq8016-sbc: 1 offline lab
            meson-gxbb-odroidc2: 1 offline lab

arm:

    multi_v7_defconfig:
        gcc-8
            imx6dl-wandboard_solo: 1 offline lab
            imx6q-wandboard: 1 offline lab
            qcom-apq8064-cm-qs600: 1 offline lab
            qcom-apq8064-ifc6410: 1 offline lab
            sun5i-r8-chip: 1 offline lab

    sunxi_defconfig:
        gcc-8
            sun5i-r8-chip: 1 offline lab

    qcom_defconfig:
        gcc-8
            qcom-apq8064-cm-qs600: 1 offline lab
            qcom-apq8064-ifc6410: 1 offline lab

    imx_v6_v7_defconfig:
        gcc-8
            imx6dl-wandboard_solo: 1 offline lab
            imx6q-wandboard: 1 offline lab

---
For more info write to <info@kernelci.org>

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.2 000/144] 5.2.9-stable review
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2019-08-14 23:16 ` [PATCH 5.2 000/144] 5.2.9-stable review kernelci.org bot
@ 2019-08-15  1:34 ` Naresh Kamboju
  2019-08-15  7:19   ` Greg Kroah-Hartman
  2019-08-15 15:18 ` Guenter Roeck
                   ` (2 subsequent siblings)
  148 siblings, 1 reply; 153+ messages in thread
From: Naresh Kamboju @ 2019-08-15  1:34 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Wed, 14 Aug 2019 at 22:33, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.2.9 release.
> There are 144 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri 16 Aug 2019 04:55:34 PM UTC.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.9-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.2.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 5.2.9-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.2.y
git commit: 2440e485aeda5f36eaf2050eb1bb61be46275b39
git describe: v5.2.8-145-g2440e485aeda
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.2-oe/build/v5.2.8-145-g2440e485aeda


No regressions (compared to build v5.2.8)


No fixes (compared to build v5.2.8)

Ran 22959 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libgpiod
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* ltp-timers-tests
* spectre-meltdown-checker-test
* ltp-sched-tests
* ltp-syscalls-tests
* perf
* v4l2-compliance
* ltp-fs-tests
* ltp-open-posix-tests
* network-basic-tests
* kvm-unit-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.2 000/144] 5.2.9-stable review
  2019-08-15  1:34 ` Naresh Kamboju
@ 2019-08-15  7:19   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-15  7:19 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Thu, Aug 15, 2019 at 07:04:45AM +0530, Naresh Kamboju wrote:
> On Wed, 14 Aug 2019 at 22:33, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 5.2.9 release.
> > There are 144 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri 16 Aug 2019 04:55:34 PM UTC.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.9-rc1.gz
> > or in the git tree and branch at:
> >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.2.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.2 000/144] 5.2.9-stable review
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2019-08-15  1:34 ` Naresh Kamboju
@ 2019-08-15 15:18 ` Guenter Roeck
  2019-08-15 19:37   ` Greg Kroah-Hartman
  2019-08-16  2:07 ` shuah
  2019-08-16  6:39 ` Kelsey Skunberg
  148 siblings, 1 reply; 153+ messages in thread
From: Guenter Roeck @ 2019-08-15 15:18 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Wed, Aug 14, 2019 at 06:59:16PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.2.9 release.
> There are 144 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri 16 Aug 2019 04:55:34 PM UTC.
> Anything received after that time might be too late.
> 

Build results:
	total: 159 pass: 159 fail: 0
Qemu test results:
	total: 390 pass: 390 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.2 000/144] 5.2.9-stable review
  2019-08-15 15:18 ` Guenter Roeck
@ 2019-08-15 19:37   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-15 19:37 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Thu, Aug 15, 2019 at 08:18:22AM -0700, Guenter Roeck wrote:
> On Wed, Aug 14, 2019 at 06:59:16PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.2.9 release.
> > There are 144 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri 16 Aug 2019 04:55:34 PM UTC.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 159 pass: 159 fail: 0
> Qemu test results:
> 	total: 390 pass: 390 fail: 0

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.2 000/144] 5.2.9-stable review
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2019-08-15 15:18 ` Guenter Roeck
@ 2019-08-16  2:07 ` shuah
  2019-08-16  6:39 ` Kelsey Skunberg
  148 siblings, 0 replies; 153+ messages in thread
From: shuah @ 2019-08-16  2:07 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 8/14/19 10:59 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.2.9 release.
> There are 144 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri 16 Aug 2019 04:55:34 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.9-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.2.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.2 000/144] 5.2.9-stable review
  2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2019-08-16  2:07 ` shuah
@ 2019-08-16  6:39 ` Kelsey Skunberg
  2019-08-16  7:15   ` Greg Kroah-Hartman
  148 siblings, 1 reply; 153+ messages in thread
From: Kelsey Skunberg @ 2019-08-16  6:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

On Wed, Aug 14, 2019 at 06:59:16PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.2.9 release.
> There are 144 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri 16 Aug 2019 04:55:34 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.9-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.2.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

Compiled and booted with no dmesg regressions on my system.

Cheers,
Kelsey 
 

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.2 000/144] 5.2.9-stable review
  2019-08-16  6:39 ` Kelsey Skunberg
@ 2019-08-16  7:15   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-16  7:15 UTC (permalink / raw)
  To: Kelsey Skunberg
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

On Fri, Aug 16, 2019 at 12:39:21AM -0600, Kelsey Skunberg wrote:
> On Wed, Aug 14, 2019 at 06:59:16PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.2.9 release.
> > There are 144 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri 16 Aug 2019 04:55:34 PM UTC.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.9-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.2.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> 
> Compiled and booted with no dmesg regressions on my system.

Wonderful, thanks for testing them all and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 153+ messages in thread

end of thread, back to index

Thread overview: 153+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-14 16:59 [PATCH 5.2 000/144] 5.2.9-stable review Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 001/144] Revert "PCI: Add missing link delays required by the PCIe spec" Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 002/144] IIO: Ingenic JZ47xx: Set clock divider on probe Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 003/144] iio: cros_ec_accel_legacy: Fix incorrect channel setting Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 004/144] iio: imu: mpu6050: add missing available scan masks Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 005/144] iio: adc: gyroadc: fix uninitialized return code Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 006/144] iio: adc: max9611: Fix misuse of GENMASK macro Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 007/144] staging: gasket: apex: fix copy-paste typo Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 008/144] staging: wilc1000: flush the workqueue before deinit the host Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 009/144] staging: android: ion: Bail out upon SIGKILL when allocating memory Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 010/144] Staging: fbtft: Fix probing of gpio descriptor Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 011/144] Staging: fbtft: Fix reset assertion when using " Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 012/144] crypto: ccp - Fix oops by properly managing allocated structures Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 013/144] crypto: ccp - Add support for valid authsize values less than 16 Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 014/144] crypto: ccp - Ignore tag length when decrypting GCM ciphertext Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 015/144] driver core: platform: return -ENXIO for missing GpioInt Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 016/144] usb: usbfs: fix double-free of usb memory upon submiturb error Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 017/144] Revert "USB: rio500: simplify locking" Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 018/144] usb: iowarrior: fix deadlock on disconnect Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 019/144] sound: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 020/144] mmc: cavium: Set the correct dma max segment size for mmc_host Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 021/144] mmc: cavium: Add the missing dma unmap when the dma has finished Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 022/144] loop: set PF_MEMALLOC_NOIO for the worker thread Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 023/144] bdev: Fixup error handling in blkdev_get() Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 024/144] Input: usbtouchscreen - initialize PM mutex before using it Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 025/144] Input: elantech - enable SMBus on new (2018+) systems Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 026/144] Input: synaptics - enable RMI mode for HP Spectre X360 Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 027/144] x86/mm: Check for pfn instead of page in vmalloc_sync_one() Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 028/144] x86/mm: Sync also unmappings in vmalloc_sync_all() Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 029/144] mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 030/144] coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 031/144] perf annotate: Fix s390 gap between kernel end and module start Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 032/144] perf db-export: Fix thread__exec_comm() Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 033/144] perf record: Fix module size on s390 Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 034/144] x86/purgatory: Do not use __builtin_memcpy and __builtin_memset Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 035/144] x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 036/144] genirq/affinity: Create affinity mask for single vector Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 037/144] gfs2: gfs2_walk_metadata fix Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 038/144] usb: host: xhci-rcar: Fix timeout in xhci_suspend() Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 039/144] usb: yurex: Fix use-after-free in yurex_delete Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 040/144] usb: typec: ucsi: ccg: Fix uninitilized symbol error Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 041/144] usb: typec: tcpm: free log buf memory when remove debug file Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 042/144] usb: typec: tcpm: remove tcpm dir if no children Greg Kroah-Hartman
2019-08-14 16:59 ` [PATCH 5.2 043/144] usb: typec: tcpm: Add NULL check before dereferencing config Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 044/144] usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 045/144] can: rcar_canfd: fix possible IRQ storm on high load Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 046/144] can: flexcan: fix stop mode acknowledgment Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 047/144] can: flexcan: fix an use-after-free in flexcan_setup_stop_mode() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 048/144] can: peak_usb: fix potential double kfree_skb() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 049/144] powerpc: fix off by one in max_zone_pfn initialization for ZONE_DMA Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 050/144] netfilter: nfnetlink: avoid deadlock due to synchronous request_module Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 051/144] vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 052/144] vfio-ccw: Dont call cp_free if we are processing a channel program Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 053/144] netfilter: Fix rpfilter dropping vrf packets by mistake Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 054/144] netfilter: nf_tables: fix module autoload for redir Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 055/144] netfilter: conntrack: always store window size un-scaled Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 056/144] netfilter: nft_hash: fix symhash with modulus one Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 057/144] scripts/sphinx-pre-install: fix script for RHEL/CentOS Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 058/144] scripts/sphinx-pre-install: dont use LaTeX with CentOS 7 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 059/144] scripts/sphinx-pre-install: fix latexmk dependencies Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 060/144] rq-qos: dont reset has_sleepers on spurious wakeups Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 061/144] rq-qos: set ourself TASK_UNINTERRUPTIBLE after we schedule Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 062/144] rq-qos: use a mb for got_token Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 063/144] netfilter: nf_tables: Support auto-loading for inet nat Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 064/144] drm/amd/display: No audio endpoint for Dell MST display Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 065/144] drm/amd/display: Clock does not lower in Updateplanes Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 066/144] drm/amd/display: Wait for backlight programming completion in set backlight level Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 067/144] drm/amd/display: fix DMCU hang when going into Modern Standby Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 068/144] drm/amd/display: use encoders engine id to find matched free audio device Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 069/144] drm/amd/display: put back front end initialization sequence Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 070/144] drm/amd/display: allocate 4 ddc engines for RV2 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 071/144] drm/amd/display: Fix dc_create failure handling and 666 color depths Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 072/144] drm/amd/display: Only enable audio if speaker allocation exists Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 073/144] drm/amd/display: Increase size of audios array Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 074/144] iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 075/144] nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 076/144] mac80211: fix possible memory leak in ieee80211_assign_beacon Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 077/144] mac80211: dont warn about CW params when not using them Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 078/144] allocate_flower_entry: should check for null deref Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 079/144] hwmon: (occ) Fix division by zero issue Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 080/144] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 081/144] ARM: dts: imx6ul: fix clock frequency property name of I2C buses Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 082/144] powerpc/papr_scm: Force a scm-unbind if initial scm-bind fails Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 083/144] arm64: Force SSBS on context switch Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 084/144] arm64: entry: SP Alignment Fault doesnt write to FAR_EL1 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 085/144] iommu/vt-d: Check if domain->pgd was allocated Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 086/144] drm/msm/dpu: Correct dpu encoder spinlock initialization Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 087/144] drm: silence variable conn set but not used Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 088/144] arm64: dts: imx8mm: Correct SAI3 RXC/TXFS pins mux option #1 Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 089/144] arm64: dts: imx8mq: fix SAI compatible Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 090/144] cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 091/144] s390/qdio: add sanity checks to the fast-requeue path Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 092/144] ALSA: compress: Fix regression on compressed capture streams Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 093/144] ALSA: compress: Prevent bypasses of set_params Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 094/144] ALSA: compress: Dont allow paritial drain operations on capture streams Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 095/144] ALSA: compress: Be more restrictive about when a drain is allowed Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 096/144] perf script: Fix off by one in brstackinsn IPC computation Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 097/144] perf tools: Fix proper buffer size for feature processing Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 098/144] perf stat: Fix segfault for event group in repeat mode Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 099/144] perf session: Fix loading of compressed data split across adjacent records Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 100/144] perf probe: Avoid calling freeing routine multiple times for same pointer Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 101/144] drbd: dynamically allocate shash descriptor Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 102/144] ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() Greg Kroah-Hartman
2019-08-14 17:00 ` [PATCH 5.2 103/144] nvme: ignore subnqn for ADATA SX6000LNP Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 104/144] nvme: fix memory leak caused by incorrect subsystem free Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 105/144] ARM: davinci: fix sleep.S build error on ARMv4 Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 106/144] ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 107/144] scsi: megaraid_sas: fix panic on loading firmware crashdump Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 108/144] scsi: ibmvfc: fix WARN_ON during event pool release Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 109/144] scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 110/144] test_firmware: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 111/144] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 112/144] perf/x86/intel: Fix SLOTS PEBS event constraint Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 113/144] perf/x86/intel: Fix invalid Bit 13 for Icelake MSR_OFFCORE_RSP_x register Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 114/144] perf/x86: Apply more accurate check on hypervisor platform Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 115/144] perf/core: Fix creating kernel counters for PMUs that override event->cpu Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 116/144] s390/dma: provide proper ARCH_ZONE_DMA_BITS value Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 117/144] gen_compile_commands: lower the entry count threshold Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 118/144] HID: sony: Fix race condition between rumble and device remove Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 119/144] ALSA: usb-audio: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 120/144] KVM/nSVM: properly map nested VMCB Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 121/144] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 122/144] can: peak_usb: pcan_usb_fd: " Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 123/144] hwmon: (nct7802) Fix wrong detection of in4 presence Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 124/144] hwmon: (lm75) Fixup tmp75b clr_mask Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 125/144] drm/i915: Fix wrong escape clock divisor init for GLK Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 126/144] ALSA: firewire: fix a memory leak bug Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 127/144] ALSA: hiface: fix multiple memory leak bugs Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 128/144] ALSA: hda - Dont override global PCM hw info flag Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 129/144] ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 130/144] mac80211: dont WARN on short WMM parameters from AP Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 131/144] dax: dax_layout_busy_page() should not unmap cow pages Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 132/144] SMB3: Fix deadlock in validate negotiate hits reconnect Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 133/144] smb3: send CAP_DFS capability during session setup Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 134/144] NFSv4: Fix delegation state recovery Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 135/144] NFSv4: Check the return value of update_open_stateid() Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 136/144] NFSv4: Fix an Oops in nfs4_do_setattr Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 137/144] KVM: Fix leak vCPUs VMCS value into other pCPU Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 138/144] KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 139/144] mwifiex: fix 802.11n/WPA detection Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 140/144] iwlwifi: dont unmap as page memory that was mapped as single Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 141/144] iwlwifi: mvm: fix an out-of-bound access Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 142/144] iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 143/144] iwlwifi: mvm: dont send GEO_TX_POWER_LIMIT on version < 41 Greg Kroah-Hartman
2019-08-14 17:01 ` [PATCH 5.2 144/144] iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support Greg Kroah-Hartman
2019-08-14 23:16 ` [PATCH 5.2 000/144] 5.2.9-stable review kernelci.org bot
2019-08-15  1:34 ` Naresh Kamboju
2019-08-15  7:19   ` Greg Kroah-Hartman
2019-08-15 15:18 ` Guenter Roeck
2019-08-15 19:37   ` Greg Kroah-Hartman
2019-08-16  2:07 ` shuah
2019-08-16  6:39 ` Kelsey Skunberg
2019-08-16  7:15   ` Greg Kroah-Hartman

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org linux-kernel@archiver.kernel.org
	public-inbox-index lkml


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox