linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 4.14 000/267] 4.14.159-stable review
@ 2019-12-16 17:45 Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 001/267] rsi: release skb if rsi_prepare_beacon fails Greg Kroah-Hartman
                   ` (270 more replies)
  0 siblings, 271 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.14.159 release.
There are 267 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 18 Dec 2019 17:41:25 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.14.159-rc1

Thomas Hellstrom <thellstrom@vmware.com>
    mm/memory.c: fix a huge pud insertion race during faulting

Michal Hocko <mhocko@suse.com>
    mm, thp, proc: report THP eligibility for each vma

Daniel Schultz <d.schultz@phytec.de>
    mfd: rk808: Fix RK818 ID template

yangerkun <yangerkun@huawei.com>
    ext4: fix a bug in ext4_wait_for_tail_page_commit

Chen Jun <chenjun102@huawei.com>
    mm/shmem.c: cast the type of unmap_start to u64

Will Deacon <will@kernel.org>
    firmware: qcom: scm: Ensure 'a0' status code is treated as signed

Theodore Ts'o <tytso@mit.edu>
    ext4: work around deleting a file with i_nlink == 0 safely

Vincenzo Frascino <vincenzo.frascino@arm.com>
    powerpc: Fix vDSO clock_getres()

Nathan Chancellor <natechancellor@gmail.com>
    powerpc: Avoid clang warnings around setjmp and longjmp

Miaoqing Pan <miaoqing@codeaurora.org>
    ath10k: fix fw crash by moving chip reset after napi disabled

Helen Koike <helen.koike@collabora.com>
    media: vimc: fix component match compare

Ido Schimmel <idosch@mellanox.com>
    mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead

Tony Lindgren <tony@atomide.com>
    power: supply: cpcap-battery: Fix signed counter sample register

Shirish S <Shirish.S@amd.com>
    x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk

Shirish S <Shirish.S@amd.com>
    x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models

YueHaibing <yuehaibing@huawei.com>
    e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait

Nathan Chancellor <natechancellor@gmail.com>
    drbd: Change drbd_request_detach_interruptible's return type to int

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Correct code setting non existent bits in sli4 ABORT WQE

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Cap NPIV vports to 256

H. Nikolaus Schaller <hns@goldelico.com>
    omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    phy: renesas: rcar-gen3-usb2: Fix sysfs interface of "role"

Nuno Sá <nuno.sa@analog.com>
    iio: adis16480: Add debugfs_reg_access entry

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: make sure interrupts are restored to correct state

Mika Westerberg <mika.westerberg@linux.intel.com>
    xhci: Fix memory leak in xhci_add_in_port()

Himanshu Madhani <hmadhani@marvell.com>
    scsi: qla2xxx: Fix message indicating vectors used by driver

Bart Van Assche <bvanassche@acm.org>
    scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value

Bart Van Assche <bvanassche@acm.org>
    scsi: qla2xxx: Fix qla24xx_process_bidir_cmd()

Bart Van Assche <bvanassche@acm.org>
    scsi: qla2xxx: Fix session lookup in qlt_abort_work()

Himanshu Madhani <hmadhani@marvell.com>
    scsi: qla2xxx: Fix DMA unmap leak

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: trace channel log even for FCP command responses

Ming Lei <ming.lei@redhat.com>
    block: fix single range discard merge

Jeff Mahoney <jeffm@suse.com>
    reiserfs: fix extended attributes on the root directory

Jan Kara <jack@suse.cz>
    ext4: Fix credit estimate for final inode freeing

Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
    quota: fix livelock in dquot_writeback_dquots

Chengguang Xu <cgxu519@mykernel.net>
    ext2: check err when partial != NULL

Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
    quota: Check that quota is not dirty before release

Ville Syrjälä <ville.syrjala@linux.intel.com>
    video/hdmi: Fix AVI bar unpack

Cédric Le Goater <clg@kaod.org>
    powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts

Alastair D'Silva <alastair@d-silva.org>
    powerpc: Allow flush_icache_range to work across ranges >4GB

Cédric Le Goater <clg@kaod.org>
    powerpc/xive: Prevent page fault issues in the machine crash handler

Alastair D'Silva <alastair@d-silva.org>
    powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB

Arnd Bergmann <arnd@arndb.de>
    ppdev: fix PPGETTIME/PPSETTIME ioctls

Jarkko Nikula <jarkko.nikula@bitmer.com>
    ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity

H. Nikolaus Schaller <hns@goldelico.com>
    mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card

Krzysztof Kozlowski <krzk@kernel.org>
    pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init

Krzysztof Kozlowski <krzk@kernel.org>
    pinctrl: samsung: Fix device node refcount leaks in init code

Krzysztof Kozlowski <krzk@kernel.org>
    pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init

Nishka Dasgupta <nishkadg.linux@gmail.com>
    pinctrl: samsung: Add of_node_put() before return in error path

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPI: PM: Avoid attaching ACPI PM domain to certain devices

Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
    ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()

Francesco Ruggeri <fruggeri@arista.com>
    ACPI: OSL: only free map once in osl.c

John Hubbard <jhubbard@nvidia.com>
    cpufreq: powernv: fix stack bloat and hard limit on number of CPUs

Leonard Crestez <leonard.crestez@nxp.com>
    PM / devfreq: Lock devfreq in trans_stat_show

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: pci: Add Tiger Lake CPU support

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: pci: Add Ice Lake CPU support

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: Fix a double put_device() in error path

Zhenzhong Duan <zhenzhong.duan@oracle.com>
    cpuidle: Do not unset the driver if it is there already

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: cec.h: CEC_OP_REC_FLAG_ values were swapped

Johan Hovold <johan@kernel.org>
    media: radio: wl1273: fix interrupt masking on release

Johan Hovold <johan@kernel.org>
    media: bdisp: fix memleak on release

Gerald Schaefer <gerald.schaefer@de.ibm.com>
    s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported

Denis Efremov <efremov@linux.com>
    ar5523: check NULL before memcpy() in ar5523_cmd()

Aleksa Sarai <cyphar@cyphar.com>
    cgroup: pids: use atomic64_t for pids->limit

Ming Lei <ming.lei@redhat.com>
    blk-mq: avoid sysfs buffer overflow with too many CPU cores

Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
    ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report

Tejun Heo <tj@kernel.org>
    workqueue: Fix pwq ref leak in rescuer_thread()

Tejun Heo <tj@kernel.org>
    workqueue: Fix spurious sanity check failures in destroy_workqueue()

Dmitry Fomichev <dmitry.fomichev@wdc.com>
    dm zoned: reduce overhead of backing device checks

Sumit Garg <sumit.garg@linaro.org>
    hwrng: omap - Fix RNG wait loop timeout

Joel Stanley <joel@jms.id.au>
    watchdog: aspeed: Fix clock behaviour for ast2600

Dan Carpenter <dan.carpenter@oracle.com>
    md/raid0: Fix an error message in raid0_make_request()

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix pending unsol events at shutdown

Amir Goldstein <amir73il@gmail.com>
    ovl: relax WARN_ON() on rename to self

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    lib: raid6: fix awk build warnings

Larry Finger <Larry.Finger@lwfinger.net>
    rtlwifi: rtl8192de: Fix missing enable interrupt flag

Larry Finger <Larry.Finger@lwfinger.net>
    rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer

Larry Finger <Larry.Finger@lwfinger.net>
    rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address

Josef Bacik <josef@toxicpanda.com>
    btrfs: record all roots for rename exchange on a subvol

Filipe Manana <fdmanana@suse.com>
    Btrfs: send, skip backreference walking for extents with many references

Qu Wenruo <wqu@suse.com>
    btrfs: Remove btrfs_bio::flags member

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix negative subv_writers counter and data space leak after buffered write

Josef Bacik <josef@toxicpanda.com>
    btrfs: use refcount_inc_not_zero in kill_all_nodes

Josef Bacik <josef@toxicpanda.com>
    btrfs: check page->mapping when loading free space cache

Thinh Nguyen <Thinh.Nguyen@synopsys.com>
    usb: dwc3: ep0: Clear started flag on completion

David Hildenbrand <david@redhat.com>
    virtio-balloon: fix managed page counts when migrating pages between zones

Miquel Raynal <miquel.raynal@bootlin.com>
    mtd: spear_smi: Fix Write Burst mode

Tadeusz Struk <tadeusz.struk@intel.com>
    tpm: add check after commands attribs tab allocation

Pete Zaitcev <zaitcev@redhat.com>
    usb: mon: Fix a deadlock in usbmon between mmap and read

Emiliano Ingrassia <ingrassia@epigenesys.com>
    usb: core: urb: fix URB structure initialization function

Johan Hovold <johan@kernel.org>
    USB: adutux: fix interface sanity check

Johan Hovold <johan@kernel.org>
    USB: serial: io_edgeport: fix epic endpoint lookup

Johan Hovold <johan@kernel.org>
    USB: idmouse: fix interface sanity checks

Johan Hovold <johan@kernel.org>
    USB: atm: ueagle-atm: add missing endpoint check

Chris Lesiak <chris.lesiak@licor.com>
    iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting

H. Nikolaus Schaller <hns@goldelico.com>
    ARM: dts: pandora-common: define wl1251 as child node of mmc3

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour.

Kai-Heng Feng <kai.heng.feng@canonical.com>
    xhci: Increase STS_HALT timeout in xhci_suspend()

Henry Lin <henryl@nvidia.com>
    usb: xhci: only set D3hot for pci device

Johan Hovold <johan@kernel.org>
    staging: gigaset: add endpoint-type sanity check

Johan Hovold <johan@kernel.org>
    staging: gigaset: fix illegal free on probe errors

Johan Hovold <johan@kernel.org>
    staging: gigaset: fix general protection fault on probe

Johan Hovold <johan@kernel.org>
    staging: rtl8712: fix interface sanity check

Johan Hovold <johan@kernel.org>
    staging: rtl8188eu: fix interface sanity check

Kai-Heng Feng <kai.heng.feng@canonical.com>
    usb: Allow USB device to be warm reset in suspended state

Oliver Neukum <oneukum@suse.com>
    USB: documentation: flags on usb-storage versus UAS

Oliver Neukum <oneukum@suse.com>
    USB: uas: heed CAPACITY_HEURISTICS

Oliver Neukum <oneukum@suse.com>
    USB: uas: honor flag to avoid CAPACITY16

Arnd Bergmann <arnd@arndb.de>
    media: venus: remove invalid compat_ioctl32 handler

Quinn Tran <qutran@marvell.com>
    scsi: qla2xxx: Fix driver unload hang

Gustavo A. R. Silva <gustavo@embeddedor.com>
    usb: gadget: pch_udc: fix use after free

Wei Yongjun <weiyongjun1@huawei.com>
    usb: gadget: configfs: Fix missing spin_lock_init()

YueHaibing <yuehaibing@huawei.com>
    appletalk: Set error code if register_snap_client failed

YueHaibing <yuehaibing@huawei.com>
    appletalk: Fix potential NULL pointer dereference in unregister_snap_client

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    ASoC: rsnd: fixup MIX kctrl registration

Jann Horn <jannh@google.com>
    binder: Handle start==NULL in binder_update_page_range()

Wei Wang <wvw@google.com>
    thermal: Fix deadlock in thermal thermal_zone_device_check

Jan Kara <jack@suse.cz>
    iomap: Fix pipe page leakage during splicing

Viresh Kumar <viresh.kumar@linaro.org>
    RDMA/qib: Validate ->show()/store() callbacks before calling them

Gregory CLEMENT <gregory.clement@bootlin.com>
    spi: atmel: Fix CS high support

Navid Emamdoost <navid.emamdoost@gmail.com>
    crypto: user - fix memory leak in crypto_report

Ard Biesheuvel <ard.biesheuvel@linaro.org>
    crypto: ecdh - fix big endian bug in ECC library

Mark Salter <msalter@redhat.com>
    crypto: ccp - fix uninitialized list head

Ayush Sawal <ayush.sawal@chelsio.com>
    crypto: af_alg - cast ki_complete ternary op to int

Christian Lamparter <chunkeey@gmail.com>
    crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: do not modify masked bits of shared MSRs

Zenghui Yu <yuzenghui@huawei.com>
    KVM: arm/arm64: vgic: Don't rely on the wrong pending table

Dan Carpenter <dan.carpenter@oracle.com>
    drm/i810: Prevent underflow in ioctl

Jan Kara <jack@suse.cz>
    jbd2: Fix possible overflow in jbd2_log_space_left()

Tejun Heo <tj@kernel.org>
    kernfs: fix ino wrap-around detection

Jouni Hogander <jouni.hogander@unikie.com>
    can: slcan: Fix use-after-free Read in slcan_open

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    tty: vt: keyboard: reject invalid keycodes

Pavel Shilovsky <pshilov@microsoft.com>
    CIFS: Fix SMB2 oplock break processing

Pavel Shilovsky <pshilov@microsoft.com>
    CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks

Kai-Heng Feng <kai.heng.feng@canonical.com>
    x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect

Navid Emamdoost <navid.emamdoost@gmail.com>
    Input: Fix memory leak in psxpad_spi_probe

Mike Leach <mike.leach@linaro.org>
    coresight: etm4x: Fix input validation for sysfs.

Hans de Goede <hdegoede@redhat.com>
    Input: goodix - add upside-down quirk for Teclast X89 tablet

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers

Lucas Stach <l.stach@pengutronix.de>
    Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus

Kai-Heng Feng <kai.heng.feng@canonical.com>
    ALSA: hda - Add mute led support for HP ProBook 645 G4

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: oss: Avoid potential buffer overflows

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236

Miklos Szeredi <mszeredi@redhat.com>
    fuse: verify attributes

Miklos Szeredi <mszeredi@redhat.com>
    fuse: verify nlink

Xuewei Zhang <xueweiz@google.com>
    sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision

Eric Dumazet <edumazet@google.com>
    tcp: exit if nothing to retransmit on RTO timeout

Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
    net: aquantia: fix RSS table and key sizes

Helen Fornazier <helen.koike@collabora.com>
    media: vimc: fix start stream when link is disabled

Rob Herring <robh@kernel.org>
    ARM: dts: sunxi: Fix PMU compatible strings

YueHaibing <yuehaibing@huawei.com>
    usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler

Qian Cai <cai@gmx.us>
    mlx4: Use snprintf instead of complicated strcpy

Mike Marciniszyn <mike.marciniszyn@intel.com>
    IB/hfi1: Close VNIC sdma_progress sleep window

Kaike Wan <kaike.wan@intel.com>
    IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state

Nir Dotan <nird@mellanox.com>
    mlxsw: spectrum_router: Relax GRE decap matching check

Jonathan Marek <jonathan@marek.ca>
    firmware: qcom: scm: fix compilation error when disabled

Andreas Pape <ap@ca-pape.de>
    media: stkwebcam: Bugfix for wrong return values

Dmitry Safonov <dima@arista.com>
    tty: Don't block on IO when ldisc change is pending

zhengbin <zhengbin13@huawei.com>
    nfsd: Return EPERM, not EACCES, in some SETATTR cases

Aaro Koskinen <aaro.koskinen@iki.fi>
    MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition

Geert Uytterhoeven <geert+renesas@glider.be>
    clk: renesas: r8a77995: Correct parent clock of DU

Joel Stanley <joel@jms.id.au>
    powerpc/math-emu: Update macros from GCC

Kees Cook <keescook@chromium.org>
    pstore/ram: Avoid NULL deref in ftrace merging failure path

Erez Alfasi <ereza@mellanox.com>
    net/mlx4_core: Fix return codes of unsupported operations

David Teigland <teigland@redhat.com>
    dlm: fix invalid cluster name warning

Rob Herring <robh@kernel.org>
    ARM: dts: realview: Fix some more duplicate regulator nodes

Chen-Yu Tsai <wens@csie.org>
    clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent

Daniel Mack <daniel@zonque.org>
    ARM: dts: pxa: clean up USB controller nodes

Miquel Raynal <miquel.raynal@bootlin.com>
    mtd: fix mtd_oobavail() incoherent returned value

Masahiro Yamada <yamada.masahiro@socionext.com>
    kbuild: fix single target build for external module

Paul Walmsley <paul.walmsley@sifive.com>
    modpost: skip ELF local symbols during section mismatch check

Yuchung Cheng <ycheng@google.com>
    tcp: fix SNMP TCP timeout under-estimation

Yuchung Cheng <ycheng@google.com>
    tcp: fix SNMP under-estimation on failed retransmission

Yuchung Cheng <ycheng@google.com>
    tcp: fix off-by-one bug on aborting window-probing socket

Rob Herring <robh@kernel.org>
    ARM: dts: realview-pbx: Fix duplicate regulator nodes

Lubomir Rintel <lkundrak@v3.sk>
    ARM: dts: mmp2: fix the gpio interrupt cell number

Martin Schiller <ms@dev.tdt.de>
    net/x25: fix null_x25_address handling

Martin Schiller <ms@dev.tdt.de>
    net/x25: fix called/calling length calculation in x25_parse_address_block

Neil Armstrong <narmstrong@baylibre.com>
    arm64: dts: meson-gxl-khadas-vim: fix GPIO lines names

Neil Armstrong <narmstrong@baylibre.com>
    arm64: dts: meson-gxbb-odroidc2: fix GPIO lines names

Neil Armstrong <narmstrong@baylibre.com>
    arm64: dts: meson-gxbb-nanopi-k2: fix GPIO lines names

Neil Armstrong <narmstrong@baylibre.com>
    arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names

Aaro Koskinen <aaro.koskinen@iki.fi>
    ARM: OMAP1/2: fix SoC name printing

Young_X <YangX92@hotmail.com>
    ASoC: au8540: use 64-bit arithmetic instead of 32-bit

Scott Mayhew <smayhew@redhat.com>
    nfsd: fix a warning in __cld_pipe_upcall()

Clément Péron <peron.clem@gmail.com>
    ARM: debug: enable UART1 for socfpga Cyclone5

Wen Yang <wen.yang99@zte.com.cn>
    dlm: NULL check before kmem_cache_destroy is not needed

Maxime Ripard <maxime.ripard@bootlin.com>
    ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning

Maxime Ripard <maxime.ripard@bootlin.com>
    ARM: dts: sun5i: a10s: Fix HDMI output DTC warning

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()

J. Bruce Fields <bfields@redhat.com>
    lockd: fix decoding of TEST results

Lucas Stach <l.stach@pengutronix.de>
    i2c: imx: don't print error message on probe defer

Stefan Agner <stefan@agner.ch>
    serial: imx: fix error handling in console_setup

Colin Ian King <colin.king@canonical.com>
    altera-stapl: check for a null key before strcasecmp'ing it

Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
    dma-mapping: fix return type of dma_set_max_seg_size()

David Miller <davem@davemloft.net>
    sparc: Correct ctx->saw_frame_pointer logic.

Sahitya Tummala <stummala@codeaurora.org>
    f2fs: fix to allow node segment for GC by ioctl path

Otavio Salvador <otavio@ossystems.com.br>
    ARM: dts: rockchip: Assign the proper GPIO clocks for rv1108

Otavio Salvador <otavio@ossystems.com.br>
    ARM: dts: rockchip: Fix the PMU interrupt number for rv1108

Yunlong Song <yunlong.song@huawei.com>
    f2fs: change segment to section in f2fs_ioc_gc_range

Yunlong Song <yunlong.song@huawei.com>
    f2fs: fix count of seg_freed to make sec_freed correct

Alexey Dobriyan <adobriyan@gmail.com>
    ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion()

Brian Norris <briannorris@chromium.org>
    usb: dwc3: don't log probe deferrals; but do log other error codes

Thinh Nguyen <thinh.nguyen@synopsys.com>
    usb: dwc3: debugfs: Properly print/set link state for HS

Christian Lamparter <chunkeey@gmail.com>
    dmaengine: dw-dmac: implement dma protection control setting

Vinod Koul <vkoul@kernel.org>
    dmaengine: coh901318: Remove unused variable

Jia-Ju Bai <baijiaju1990@gmail.com>
    dmaengine: coh901318: Fix a double-lock bug

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: cec: report Vendor ID after initialization

Hans Verkuil <hverkuil@xs4all.nl>
    media: pulse8-cec: return 0 when invalidating the logical address

Marek Szyprowski <m.szyprowski@samsung.com>
    ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module

Baruch Siach <baruch@tkos.co.il>
    rtc: dt-binding: abx80x: fix resistance scale

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()'

Vincent Chen <vincentc@andestech.com>
    math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning

Ursula Braun <ursula.braun@linux.ibm.com>
    net/smc: use after free fix in smc_wr_tx_put_slot()

Aaro Koskinen <aaro.koskinen@iki.fi>
    MIPS: OCTEON: octeon-platform: fix typing

Dave Chinner <dchinner@redhat.com>
    iomap: sub-block dio needs to zeroout beyond EOF

Xue Chaojing <xuechaojing@huawei.com>
    net-next/hinic:fix a bug in set mac address

Mark Brown <broonie@kernel.org>
    regulator: Fix return value of _set_load() stub

Katsuhiro Suzuki <katsuhiro@katsuster.net>
    clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328

Katsuhiro Suzuki <katsuhiro@katsuster.net>
    clk: rockchip: fix I2S1 clock gate register for rk3328

Janne Huttunen <janne.huttunen@nokia.com>
    mm/vmstat.c: fix NUMA statistics updates

Shreeya Patel <shreeya.patel23498@gmail.com>
    Staging: iio: adt7316: Fix i2c data reading, set the data field

Brian Masney <masneyb@onstation.org>
    pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues

Raveendra Padasalagi <raveendra.padasalagi@broadcom.com>
    crypto: bcm - fix normal/non key hash algorithm failure

Vitaly Chikunov <vt@altlinux.org>
    crypto: ecc - check for invalid values in the key verification test

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: drop default switch case which might paper over missing case

Andrew Lunn <andrew@lunn.ch>
    net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2

Maciej W. Rozycki <macro@linux-mips.org>
    MIPS: SiByte: Enable ZONE_DMA32 for LittleSur

David Teigland <teigland@redhat.com>
    dlm: fix missing idr_destroy for recover_idr

John Keeping <john@metanate.com>
    ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name

Heiko Stuebner <heiko@sntech.de>
    clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering

Finley Xiao <finley.xiao@rock-chips.com>
    clk: rockchip: fix rk3188 sclk_smc gate data

Mitch Williams <mitch.a.williams@intel.com>
    i40e: don't restart nway if autoneg not supported

Marek Szyprowski <m.szyprowski@samsung.com>
    rtc: s3c-rtc: Avoid using broken ALMYEAR register

Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
    net: ethernet: ti: cpts: correct debug for expired txq skb

Marek Szyprowski <m.szyprowski@samsung.com>
    extcon: max8997: Fix lack of path setting in USB device mode

Denis V. Lunev <den@openvz.org>
    dlm: fix possible call to kfree() for non-initialized pointer

Jagan Teki <jagan@amarulasolutions.com>
    clk: sunxi-ng: a64: Fix gate bit of DSI DPHY

Moni Shoua <monis@mellanox.com>
    net/mlx5: Release resource on error flow

Vincent Whitchurch <vincent.whitchurch@axis.com>
    ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+

Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    iwlwifi: mvm: Send non offchannel traffic via AP sta

Johannes Berg <johannes.berg@intel.com>
    iwlwifi: mvm: synchronize TID queue removal

Arjun Vynipadath <arjun@chelsio.com>
    cxgb4vf: fix memleak in mac_hlist initialization

Douglas Anderson <dianders@chromium.org>
    serial: core: Allow processing sysrq at port unlock time

Wen Yang <wenyang@linux.alibaba.com>
    i2c: core: fix use after free in of_i2c_notify

Chuhong Yuan <hslester96@gmail.com>
    net: ep93xx_eth: fix mismatch of request_mem_region in remove

Chuhong Yuan <hslester96@gmail.com>
    rsxx: add missed destroy_workqueue calls in remove

paulhsia <paulhsia@chromium.org>
    ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()

Peter Zijlstra <peterz@infradead.org>
    sched/core: Avoid spurious lock dependencies

Pan Bian <bianpan2016@163.com>
    Input: cyttsp4_core - fix use after free bug

Xiaodong Xu <stid.smth@gmail.com>
    xfrm: release device reference for invalid state

Stephan Gerhold <stephan@gerhold.net>
    NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error

Al Viro <viro@zeniv.linux.org.uk>
    audit_get_nd(): don't unlock parent too early

Al Viro <viro@zeniv.linux.org.uk>
    exportfs_decode_fh(): negative pinned may become positive without the parent locked

Mordechay Goodstein <mordechay.goodstein@intel.com>
    iwlwifi: pcie: don't consider IV len in A-MSDU

Sirong Wang <wangsirong@huawei.com>
    RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN

Al Viro <viro@zeniv.linux.org.uk>
    autofs: fix a leak in autofs_expire_indirect()

Chuhong Yuan <hslester96@gmail.com>
    serial: ifx6x60: add missed pm_runtime_disable

Jiangfeng Xiao <xiaojiangfeng@huawei.com>
    serial: serial_core: Perform NULL checks for break_ctl ops

Vincent Whitchurch <vincent.whitchurch@axis.com>
    serial: pl011: Fix DMA ->flush_buffer()

Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
    tty: serial: msm_serial: Fix flow control

Peng Fan <peng.fan@nxp.com>
    tty: serial: fsl_lpuart: use the sg count from dma_map_sg

Michał Mirosław <mirq-linux@rere.qmqm.pl>
    usb: gadget: u_serial: add missing port entry locking

Jon Hunter <jonathanh@nvidia.com>
    arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator

Navid Emamdoost <navid.emamdoost@gmail.com>
    rsi: release skb if rsi_prepare_beacon fails


-------------

Diffstat:

 Documentation/admin-guide/kernel-parameters.txt    | 22 ++---
 .../devicetree/bindings/rtc/abracon,abx80x.txt     |  2 +-
 Documentation/filesystems/proc.txt                 |  3 +
 Makefile                                           | 15 ++--
 arch/arm/Kconfig.debug                             | 23 ++++--
 arch/arm/boot/dts/arm-realview-pb1176.dts          |  4 +-
 arch/arm/boot/dts/arm-realview-pb11mp.dts          |  4 +-
 arch/arm/boot/dts/arm-realview-pbx.dtsi            |  5 +-
 arch/arm/boot/dts/exynos3250.dtsi                  |  2 +-
 arch/arm/boot/dts/mmp2.dtsi                        |  2 +-
 arch/arm/boot/dts/omap3-pandora-common.dtsi        | 36 ++++++++-
 arch/arm/boot/dts/omap3-tao3530.dtsi               |  2 +-
 arch/arm/boot/dts/pxa27x.dtsi                      |  2 +-
 arch/arm/boot/dts/pxa2xx.dtsi                      |  7 --
 arch/arm/boot/dts/pxa3xx.dtsi                      |  2 +-
 arch/arm/boot/dts/rk3288-rock2-som.dtsi            |  2 +-
 arch/arm/boot/dts/rv1108.dtsi                      | 10 +--
 arch/arm/boot/dts/sun5i-a10s.dtsi                  |  2 -
 arch/arm/boot/dts/sun6i-a31.dtsi                   |  2 +-
 arch/arm/boot/dts/sun7i-a20.dtsi                   |  2 +-
 arch/arm/boot/dts/sun8i-v3s-licheepi-zero.dts      |  4 +-
 arch/arm/boot/dts/sun8i-v3s.dtsi                   | 10 +--
 arch/arm/include/asm/uaccess.h                     | 18 +++++
 arch/arm/lib/getuser.S                             | 11 +++
 arch/arm/lib/putuser.S                             | 20 ++---
 arch/arm/mach-omap1/id.c                           |  6 +-
 arch/arm/mach-omap2/id.c                           |  4 +-
 arch/arm/mach-omap2/pdata-quirks.c                 | 93 ----------------------
 .../boot/dts/amlogic/meson-gxbb-nanopi-k2.dts      |  4 +-
 .../arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts |  4 +-
 .../dts/amlogic/meson-gxl-s905x-khadas-vim.dts     |  4 +-
 .../dts/amlogic/meson-gxl-s905x-libretech-cc.dts   |  4 +-
 arch/arm64/boot/dts/nvidia/tegra210-p2597.dtsi     |  2 +-
 arch/mips/Kconfig                                  |  1 +
 arch/mips/cavium-octeon/executive/cvmx-cmd-queue.c |  2 +-
 arch/mips/cavium-octeon/octeon-platform.c          |  2 +-
 arch/mips/include/asm/octeon/cvmx-pko.h            |  2 +-
 arch/powerpc/include/asm/sfp-machine.h             | 92 +++++++--------------
 arch/powerpc/include/asm/vdso_datapage.h           |  2 +
 arch/powerpc/kernel/Makefile                       |  4 +-
 arch/powerpc/kernel/asm-offsets.c                  |  2 +-
 arch/powerpc/kernel/misc_64.S                      |  4 +-
 arch/powerpc/kernel/time.c                         |  1 +
 arch/powerpc/kernel/vdso32/gettimeofday.S          |  7 +-
 arch/powerpc/kernel/vdso64/cacheflush.S            |  4 +-
 arch/powerpc/kernel/vdso64/gettimeofday.S          |  7 +-
 arch/powerpc/sysdev/xive/common.c                  |  9 +++
 arch/powerpc/sysdev/xive/spapr.c                   | 12 ++-
 arch/powerpc/xmon/Makefile                         |  4 +-
 arch/s390/include/asm/pgtable.h                    |  4 +-
 arch/sparc/net/bpf_jit_comp_64.c                   | 12 +++
 arch/x86/kernel/cpu/mcheck/mce.c                   | 30 -------
 arch/x86/kernel/cpu/mcheck/mce_amd.c               | 36 +++++++++
 arch/x86/kvm/cpuid.c                               |  5 +-
 arch/x86/kvm/x86.c                                 | 14 +++-
 arch/x86/pci/fixup.c                               | 11 +++
 block/blk-merge.c                                  |  2 +-
 block/blk-mq-sysfs.c                               | 15 ++--
 crypto/af_alg.c                                    |  2 +-
 crypto/crypto_user.c                               |  4 +-
 crypto/ecc.c                                       | 45 +++++++----
 drivers/acpi/bus.c                                 |  2 +-
 drivers/acpi/device_pm.c                           | 12 ++-
 drivers/acpi/osl.c                                 | 28 ++++---
 drivers/android/binder_alloc.c                     |  8 +-
 drivers/block/drbd/drbd_state.c                    |  6 +-
 drivers/block/drbd/drbd_state.h                    |  3 +-
 drivers/block/rsxx/core.c                          |  2 +
 drivers/char/hw_random/omap-rng.c                  |  9 ++-
 drivers/char/ppdev.c                               | 16 +++-
 drivers/char/tpm/tpm2-cmd.c                        |  4 +
 drivers/clk/renesas/r8a77995-cpg-mssr.c            |  4 +-
 drivers/clk/rockchip/clk-rk3188.c                  |  8 +-
 drivers/clk/rockchip/clk-rk3328.c                  |  2 +-
 drivers/clk/sunxi-ng/ccu-sun50i-a64.c              |  2 +-
 drivers/clk/sunxi-ng/ccu-sun8i-h3.c                |  2 +-
 drivers/cpufreq/powernv-cpufreq.c                  | 17 +++-
 drivers/cpuidle/driver.c                           | 15 ++--
 drivers/crypto/amcc/crypto4xx_core.c               |  6 +-
 drivers/crypto/bcm/cipher.c                        |  6 +-
 drivers/crypto/ccp/ccp-dmaengine.c                 |  1 +
 drivers/devfreq/devfreq.c                          | 12 ++-
 drivers/dma/coh901318.c                            |  5 --
 drivers/dma/dw/core.c                              |  2 +
 drivers/dma/dw/platform.c                          |  6 ++
 drivers/dma/dw/regs.h                              |  4 +
 drivers/extcon/extcon-max8997.c                    | 10 +--
 drivers/firmware/qcom_scm-64.c                     |  2 +-
 drivers/gpu/drm/i810/i810_dma.c                    |  4 +-
 .../hwtracing/coresight/coresight-etm4x-sysfs.c    | 21 +++--
 drivers/hwtracing/intel_th/core.c                  |  8 +-
 drivers/hwtracing/intel_th/pci.c                   | 10 +++
 drivers/i2c/busses/i2c-imx.c                       |  3 +-
 drivers/i2c/i2c-core-of.c                          |  4 +-
 drivers/iio/humidity/hdc100x.c                     |  2 +-
 drivers/iio/imu/adis16480.c                        |  1 +
 drivers/infiniband/hw/hfi1/chip.c                  | 47 ++++++++++-
 drivers/infiniband/hw/hfi1/vnic_sdma.c             | 15 ++--
 drivers/infiniband/hw/hns/hns_roce_hem.h           |  2 +-
 drivers/infiniband/hw/mlx4/sysfs.c                 | 12 +--
 drivers/infiniband/hw/qib/qib_sysfs.c              |  6 ++
 drivers/input/joystick/psxpad-spi.c                |  2 +-
 drivers/input/mouse/synaptics.c                    |  1 +
 drivers/input/rmi4/rmi_f34v7.c                     |  3 +
 drivers/input/rmi4/rmi_smbus.c                     |  2 -
 drivers/input/touchscreen/cyttsp4_core.c           |  7 --
 drivers/input/touchscreen/goodix.c                 |  9 +++
 drivers/isdn/gigaset/usb-gigaset.c                 | 23 ++++--
 drivers/md/dm-zoned-metadata.c                     | 29 ++++---
 drivers/md/dm-zoned-reclaim.c                      |  8 +-
 drivers/md/dm-zoned-target.c                       | 54 +++++++++----
 drivers/md/dm-zoned.h                              |  2 +
 drivers/md/raid0.c                                 |  2 +-
 drivers/media/cec/cec-adap.c                       |  7 ++
 drivers/media/platform/qcom/venus/vdec.c           |  3 -
 drivers/media/platform/qcom/venus/venc.c           |  3 -
 drivers/media/platform/sti/bdisp/bdisp-v4l2.c      |  3 +-
 drivers/media/platform/vimc/vimc-common.c          |  2 +
 drivers/media/platform/vimc/vimc-core.c            |  7 +-
 drivers/media/radio/radio-wl1273.c                 |  3 +-
 drivers/media/usb/pulse8-cec/pulse8-cec.c          |  2 +-
 drivers/media/usb/stkwebcam/stk-webcam.c           |  6 +-
 drivers/misc/altera-stapl/altera.c                 |  3 +-
 drivers/mmc/host/omap_hsmmc.c                      | 30 +++++++
 drivers/mtd/devices/spear_smi.c                    | 38 ++++++++-
 drivers/net/can/slcan.c                            |  1 +
 drivers/net/dsa/mv88e6xxx/chip.c                   | 21 +++--
 drivers/net/ethernet/aquantia/atlantic/aq_cfg.h    |  4 +-
 drivers/net/ethernet/aquantia/atlantic/aq_nic.c    |  2 +-
 .../net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c    |  6 +-
 drivers/net/ethernet/cirrus/ep93xx_eth.c           |  5 +-
 drivers/net/ethernet/huawei/hinic/hinic_main.c     |  7 +-
 drivers/net/ethernet/intel/e100.c                  |  4 +-
 drivers/net/ethernet/intel/i40e/i40e_ethtool.c     | 10 +--
 drivers/net/ethernet/mellanox/mlx4/main.c          | 11 ++-
 drivers/net/ethernet/mellanox/mlx5/core/qp.c       |  4 +-
 .../net/ethernet/mellanox/mlxsw/spectrum_router.c  | 78 ++++++++++++++++--
 drivers/net/ethernet/ti/cpts.c                     |  4 +-
 drivers/net/wireless/ath/ar5523/ar5523.c           |  3 +-
 drivers/net/wireless/ath/ath10k/pci.c              |  9 ++-
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c  | 15 ++++
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c       | 10 +++
 drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c  | 20 ++---
 .../net/wireless/realtek/rtlwifi/rtl8192de/hw.c    |  9 ++-
 .../net/wireless/realtek/rtlwifi/rtl8192de/sw.c    |  1 +
 .../net/wireless/realtek/rtlwifi/rtl8192de/trx.c   | 25 +++++-
 .../net/wireless/realtek/rtlwifi/rtl8192de/trx.h   |  2 +
 drivers/net/wireless/rsi/rsi_91x_mgmt.c            |  1 +
 drivers/nfc/nxp-nci/i2c.c                          |  6 +-
 drivers/phy/renesas/phy-rcar-gen3-usb2.c           |  5 +-
 drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c           | 23 ++++--
 drivers/pinctrl/samsung/pinctrl-exynos.c           |  4 +-
 drivers/pinctrl/samsung/pinctrl-s3c24xx.c          |  6 +-
 drivers/pinctrl/samsung/pinctrl-s3c64xx.c          |  6 +-
 drivers/pinctrl/samsung/pinctrl-samsung.c          | 10 ++-
 drivers/power/supply/cpcap-battery.c               | 11 +--
 drivers/rtc/rtc-max8997.c                          |  2 +-
 drivers/rtc/rtc-s3c.c                              |  6 --
 drivers/s390/scsi/zfcp_dbf.c                       |  8 +-
 drivers/s390/scsi/zfcp_erp.c                       |  3 -
 drivers/scsi/lpfc/lpfc.h                           |  3 +-
 drivers/scsi/lpfc/lpfc_attr.c                      | 12 ++-
 drivers/scsi/lpfc/lpfc_init.c                      |  3 +
 drivers/scsi/lpfc/lpfc_nvme.c                      |  2 -
 drivers/scsi/lpfc/lpfc_sli.c                       | 14 +---
 drivers/scsi/qla2xxx/qla_attr.c                    |  3 +-
 drivers/scsi/qla2xxx/qla_bsg.c                     | 15 ++--
 drivers/scsi/qla2xxx/qla_init.c                    |  2 -
 drivers/scsi/qla2xxx/qla_isr.c                     |  6 +-
 drivers/scsi/qla2xxx/qla_target.c                  | 11 +--
 drivers/spi/spi-atmel.c                            |  6 +-
 drivers/staging/iio/addac/adt7316-i2c.c            |  2 +
 drivers/staging/rtl8188eu/os_dep/usb_intf.c        |  2 +-
 drivers/staging/rtl8712/usb_intf.c                 |  2 +-
 drivers/thermal/thermal_core.c                     |  4 +-
 drivers/tty/n_hdlc.c                               |  4 +-
 drivers/tty/n_r3964.c                              |  2 +-
 drivers/tty/n_tty.c                                |  8 +-
 drivers/tty/serial/amba-pl011.c                    |  6 +-
 drivers/tty/serial/fsl_lpuart.c                    |  4 +-
 drivers/tty/serial/ifx6x60.c                       |  3 +
 drivers/tty/serial/imx.c                           |  2 +-
 drivers/tty/serial/msm_serial.c                    |  6 +-
 drivers/tty/serial/serial_core.c                   |  2 +-
 drivers/tty/tty_ldisc.c                            |  7 ++
 drivers/tty/vt/keyboard.c                          |  2 +-
 drivers/usb/atm/ueagle-atm.c                       | 18 +++--
 drivers/usb/core/hub.c                             |  5 +-
 drivers/usb/core/urb.c                             |  1 +
 drivers/usb/dwc3/core.c                            |  3 +-
 drivers/usb/dwc3/debug.h                           | 29 +++++++
 drivers/usb/dwc3/debugfs.c                         | 19 ++++-
 drivers/usb/dwc3/ep0.c                             |  8 ++
 drivers/usb/gadget/configfs.c                      |  1 +
 drivers/usb/gadget/function/u_serial.c             |  2 +
 drivers/usb/gadget/udc/pch_udc.c                   |  1 -
 drivers/usb/host/xhci-hub.c                        |  8 +-
 drivers/usb/host/xhci-mem.c                        |  4 +
 drivers/usb/host/xhci-pci.c                        | 13 +++
 drivers/usb/host/xhci-ring.c                       |  3 +-
 drivers/usb/host/xhci.c                            |  9 +--
 drivers/usb/host/xhci.h                            |  1 +
 drivers/usb/misc/adutux.c                          |  2 +-
 drivers/usb/misc/idmouse.c                         |  2 +-
 drivers/usb/mon/mon_bin.c                          | 32 +++++---
 drivers/usb/mtu3/mtu3_qmu.c                        |  2 +-
 drivers/usb/serial/io_edgeport.c                   | 10 ++-
 drivers/usb/storage/uas.c                          | 10 +++
 drivers/video/hdmi.c                               |  8 +-
 drivers/virtio/virtio_balloon.c                    | 11 +++
 drivers/watchdog/aspeed_wdt.c                      | 16 ++--
 fs/autofs4/expire.c                                |  5 +-
 fs/btrfs/delayed-inode.c                           | 13 ++-
 fs/btrfs/file.c                                    |  2 +-
 fs/btrfs/free-space-cache.c                        |  6 ++
 fs/btrfs/inode.c                                   |  3 +
 fs/btrfs/send.c                                    | 25 +++++-
 fs/btrfs/volumes.h                                 |  1 -
 fs/cifs/file.c                                     |  7 +-
 fs/cifs/smb2misc.c                                 |  7 +-
 fs/dlm/lockspace.c                                 |  1 +
 fs/dlm/member.c                                    |  2 +-
 fs/dlm/memory.c                                    |  9 +--
 fs/dlm/user.c                                      |  3 +-
 fs/exportfs/expfs.c                                | 31 +++++---
 fs/ext2/inode.c                                    |  7 +-
 fs/ext4/inode.c                                    | 25 ++++--
 fs/ext4/namei.c                                    | 11 ++-
 fs/f2fs/file.c                                     |  2 +-
 fs/f2fs/gc.c                                       | 10 +--
 fs/fuse/dir.c                                      | 27 +++++--
 fs/fuse/fuse_i.h                                   |  2 +
 fs/iomap.c                                         | 18 ++++-
 fs/kernfs/dir.c                                    |  5 +-
 fs/lockd/clnt4xdr.c                                | 22 ++---
 fs/lockd/clntxdr.c                                 | 22 ++---
 fs/nfsd/nfs4recover.c                              | 17 ++--
 fs/nfsd/vfs.c                                      | 17 +++-
 fs/ocfs2/quota_global.c                            |  2 +-
 fs/overlayfs/dir.c                                 |  2 +-
 fs/proc/task_mmu.c                                 |  3 +
 fs/pstore/ram.c                                    |  2 +-
 fs/quota/dquot.c                                   | 11 +--
 fs/reiserfs/inode.c                                | 12 ++-
 fs/reiserfs/namei.c                                |  7 +-
 fs/reiserfs/reiserfs.h                             |  2 +
 fs/reiserfs/super.c                                |  2 +
 fs/reiserfs/xattr.c                                | 19 +++--
 fs/reiserfs/xattr_acl.c                            |  4 +-
 include/asm-generic/pgtable.h                      | 25 ++++++
 include/dt-bindings/clock/rk3328-cru.h             |  2 +-
 include/linux/acpi.h                               |  2 +-
 include/linux/atalk.h                              |  2 +-
 include/linux/dma-mapping.h                        |  3 +-
 include/linux/huge_mm.h                            | 13 ++-
 include/linux/jbd2.h                               |  4 +-
 include/linux/kernfs.h                             |  1 +
 include/linux/mfd/rk808.h                          |  2 +-
 include/linux/mtd/mtd.h                            |  2 +-
 include/linux/platform_data/dma-dw.h               |  6 ++
 include/linux/qcom_scm.h                           |  3 +
 include/linux/quotaops.h                           | 10 +++
 include/linux/regulator/consumer.h                 |  2 +-
 include/linux/serial_core.h                        | 37 ++++++++-
 include/linux/tty.h                                |  7 ++
 include/math-emu/soft-fp.h                         |  2 +-
 include/uapi/linux/cec.h                           |  4 +-
 kernel/audit_watch.c                               |  2 +-
 kernel/cgroup/pids.c                               | 11 +--
 kernel/sched/core.c                                |  3 +-
 kernel/sched/fair.c                                | 36 +++++----
 kernel/workqueue.c                                 | 37 +++++++--
 lib/raid6/unroll.awk                               |  2 +-
 mm/huge_memory.c                                   | 12 ++-
 mm/memory.c                                        | 10 ++-
 mm/shmem.c                                         |  2 +-
 mm/vmstat.c                                        |  7 +-
 net/appletalk/aarp.c                               | 15 +++-
 net/appletalk/ddp.c                                | 21 +++--
 net/ipv4/tcp_output.c                              |  2 +-
 net/ipv4/tcp_timer.c                               | 20 +++--
 net/smc/smc_wr.c                                   |  4 +-
 net/x25/af_x25.c                                   | 18 +++--
 net/xfrm/xfrm_input.c                              |  3 +
 scripts/mod/modpost.c                              | 12 +++
 sound/core/oss/linear.c                            |  2 +
 sound/core/oss/mulaw.c                             |  2 +
 sound/core/oss/route.c                             |  2 +
 sound/core/pcm_lib.c                               |  8 +-
 sound/pci/hda/hda_bind.c                           |  4 +
 sound/pci/hda/hda_intel.c                          |  3 +
 sound/pci/hda/patch_conexant.c                     |  1 +
 sound/pci/hda/patch_realtek.c                      |  7 +-
 sound/soc/codecs/nau8540.c                         |  2 +-
 sound/soc/sh/rcar/core.c                           | 12 +++
 sound/soc/soc-jack.c                               |  3 +-
 virt/kvm/arm/vgic/vgic-v3.c                        |  6 +-
 297 files changed, 1762 insertions(+), 939 deletions(-)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 001/267] rsi: release skb if rsi_prepare_beacon fails
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 002/267] arm64: tegra: Fix active-low warning for Jetson TX1 regulator Greg Kroah-Hartman
                   ` (269 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, Kalle Valo

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit d563131ef23cbc756026f839a82598c8445bc45f upstream.

In rsi_send_beacon, if rsi_prepare_beacon fails the allocated skb should
be released.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rsi/rsi_91x_mgmt.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
@@ -1576,6 +1576,7 @@ static int rsi_send_beacon(struct rsi_co
 		skb_pull(skb, (64 - dword_align_bytes));
 	if (rsi_prepare_beacon(common, skb)) {
 		rsi_dbg(ERR_ZONE, "Failed to prepare beacon\n");
+		dev_kfree_skb(skb);
 		return -EINVAL;
 	}
 	skb_queue_tail(&common->tx_queue[MGMT_BEACON_Q], skb);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 002/267] arm64: tegra: Fix active-low warning for Jetson TX1 regulator
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 001/267] rsi: release skb if rsi_prepare_beacon fails Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 003/267] usb: gadget: u_serial: add missing port entry locking Greg Kroah-Hartman
                   ` (268 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jon Hunter, Thierry Reding

From: Jon Hunter <jonathanh@nvidia.com>

commit 1e5e929c009559bd7e898ac8e17a5d01037cb057 upstream.

Commit 34993594181d ("arm64: tegra: Enable HDMI on Jetson TX1")
added a regulator for HDMI on the Jetson TX1 platform. This regulator
has an active high enable, but the GPIO specifier for enabling the
regulator incorrectly defines it as active-low. This causes the
following warning to occur on boot ...

 WARNING KERN regulator@10 GPIO handle specifies active low - ignored

The fixed-regulator binding does not use the active-low flag from the
gpio specifier and purely relies of the presence of the
'enable-active-high' property to determine if it is active high or low
(if this property is omitted). Fix this warning by setting the GPIO
to active-high in the GPIO specifier which aligns with the presense of
the 'enable-active-high' property.

Fixes: 34993594181d ("arm64: tegra: Enable HDMI on Jetson TX1")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/nvidia/tegra210-p2597.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/nvidia/tegra210-p2597.dtsi
+++ b/arch/arm64/boot/dts/nvidia/tegra210-p2597.dtsi
@@ -1584,7 +1584,7 @@
 			regulator-name = "VDD_HDMI_5V0";
 			regulator-min-microvolt = <5000000>;
 			regulator-max-microvolt = <5000000>;
-			gpio = <&exp1 12 GPIO_ACTIVE_LOW>;
+			gpio = <&exp1 12 GPIO_ACTIVE_HIGH>;
 			enable-active-high;
 			vin-supply = <&vdd_5v0_sys>;
 		};



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 003/267] usb: gadget: u_serial: add missing port entry locking
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 001/267] rsi: release skb if rsi_prepare_beacon fails Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 002/267] arm64: tegra: Fix active-low warning for Jetson TX1 regulator Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 004/267] tty: serial: fsl_lpuart: use the sg count from dma_map_sg Greg Kroah-Hartman
                   ` (267 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michał Mirosław,
	Ladislav Michl, Felipe Balbi

From: Michał Mirosław <mirq-linux@rere.qmqm.pl>

commit daf82bd24e308c5a83758047aff1bd81edda4f11 upstream.

gserial_alloc_line() misses locking (for a release barrier) while
resetting port entry on TTY allocation failure. Fix this.

Cc: stable@vger.kernel.org
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tested-by: Ladislav Michl <ladis@linux-mips.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/function/u_serial.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -1392,8 +1392,10 @@ int gserial_alloc_line(unsigned char *li
 				__func__, port_num, PTR_ERR(tty_dev));
 
 		ret = PTR_ERR(tty_dev);
+		mutex_lock(&ports[port_num].lock);
 		port = ports[port_num].port;
 		ports[port_num].port = NULL;
+		mutex_unlock(&ports[port_num].lock);
 		gserial_free_port(port);
 		goto err;
 	}



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 004/267] tty: serial: fsl_lpuart: use the sg count from dma_map_sg
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 003/267] usb: gadget: u_serial: add missing port entry locking Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 005/267] tty: serial: msm_serial: Fix flow control Greg Kroah-Hartman
                   ` (266 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peng Fan

From: Peng Fan <peng.fan@nxp.com>

commit 487ee861de176090b055eba5b252b56a3b9973d6 upstream.

The dmaengine_prep_slave_sg needs to use sg count returned
by dma_map_sg, not use sport->dma_tx_nents, because the return
value of dma_map_sg is not always same with "nents".

When enabling iommu for lpuart + edma, iommu framework may concatenate
two sgs into one.

Fixes: 6250cc30c4c4e ("tty: serial: fsl_lpuart: Use scatter/gather DMA for Tx")
Cc: <stable@vger.kernel.org>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/r/1572932977-17866-1-git-send-email-peng.fan@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/fsl_lpuart.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -380,8 +380,8 @@ static void lpuart_dma_tx(struct lpuart_
 	}
 
 	sport->dma_tx_desc = dmaengine_prep_slave_sg(sport->dma_tx_chan, sgl,
-					sport->dma_tx_nents,
-					DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT);
+					ret, DMA_MEM_TO_DEV,
+					DMA_PREP_INTERRUPT);
 	if (!sport->dma_tx_desc) {
 		dma_unmap_sg(dev, sgl, sport->dma_tx_nents, DMA_TO_DEVICE);
 		dev_err(dev, "Cannot prepare TX slave DMA!\n");



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 005/267] tty: serial: msm_serial: Fix flow control
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 004/267] tty: serial: fsl_lpuart: use the sg count from dma_map_sg Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 006/267] serial: pl011: Fix DMA ->flush_buffer() Greg Kroah-Hartman
                   ` (265 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeffrey Hugo, Bjorn Andersson, Andy Gross

From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>

commit b027ce258369cbfa88401a691c23dad01deb9f9b upstream.

hci_qca interfaces to the wcn3990 via a uart_dm on the msm8998 mtp and
Lenovo Miix 630 laptop.  As part of initializing the wcn3990, hci_qca
disables flow, configures the uart baudrate, and then reenables flow - at
which point an event is expected to be received over the uart from the
wcn3990.  It is observed that this event comes after the baudrate change
but before hci_qca re-enables flow. This is unexpected, and is a result of
msm_reset() being broken.

According to the uart_dm hardware documentation, it is recommended that
automatic hardware flow control be enabled by setting RX_RDY_CTL.  Auto
hw flow control will manage RFR based on the configured watermark.  When
there is space to receive data, the hw will assert RFR.  When the watermark
is hit, the hw will de-assert RFR.

The hardware documentation indicates that RFR can me manually managed via
CR when RX_RDY_CTL is not set.  SET_RFR asserts RFR, and RESET_RFR
de-asserts RFR.

msm_reset() is broken because after resetting the hardware, it
unconditionally asserts RFR via SET_RFR.  This enables flow regardless of
the current configuration, and would undo a previous flow disable
operation.  It should instead de-assert RFR via RESET_RFR to block flow
until the hardware is reconfigured.  msm_serial should rely on the client
to specify that flow should be enabled, either via mctrl() or the termios
structure, and only assert RFR in response to those triggers.

Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Andy Gross <agross@kernel.org>
Link: https://lore.kernel.org/r/20191021154616.25457-1-jeffrey.l.hugo@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/msm_serial.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/msm_serial.c
+++ b/drivers/tty/serial/msm_serial.c
@@ -988,6 +988,7 @@ static unsigned int msm_get_mctrl(struct
 static void msm_reset(struct uart_port *port)
 {
 	struct msm_port *msm_port = UART_TO_MSM(port);
+	unsigned int mr;
 
 	/* reset everything */
 	msm_write(port, UART_CR_CMD_RESET_RX, UART_CR);
@@ -995,7 +996,10 @@ static void msm_reset(struct uart_port *
 	msm_write(port, UART_CR_CMD_RESET_ERR, UART_CR);
 	msm_write(port, UART_CR_CMD_RESET_BREAK_INT, UART_CR);
 	msm_write(port, UART_CR_CMD_RESET_CTS, UART_CR);
-	msm_write(port, UART_CR_CMD_SET_RFR, UART_CR);
+	msm_write(port, UART_CR_CMD_RESET_RFR, UART_CR);
+	mr = msm_read(port, UART_MR1);
+	mr &= ~UART_MR1_RX_RDY_CTL;
+	msm_write(port, mr, UART_MR1);
 
 	/* Disable DM modes */
 	if (msm_port->is_uartdm)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 006/267] serial: pl011: Fix DMA ->flush_buffer()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 005/267] tty: serial: msm_serial: Fix flow control Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 007/267] serial: serial_core: Perform NULL checks for break_ctl ops Greg Kroah-Hartman
                   ` (264 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vincent Whitchurch

From: Vincent Whitchurch <vincent.whitchurch@axis.com>

commit f6a196477184b99a31d16366a8e826558aa11f6d upstream.

PL011's ->flush_buffer() implementation releases and reacquires the port
lock.  Due to a race condition here, data can end up being added to the
circular buffer but neither being discarded nor being sent out.  This
leads to, for example, tcdrain(2) waiting indefinitely.

Process A                       Process B

uart_flush_buffer()
 - acquire lock
 - circ_clear
 - pl011_flush_buffer()
 -- release lock
 -- dmaengine_terminate_all()

                                uart_write()
                                - acquire lock
                                - add chars to circ buffer
                                - start_tx()
                                -- start DMA
                                - release lock

 -- acquire lock
 -- turn off DMA
 -- release lock

                                // Data in circ buffer but DMA is off

According to the comment in the code, the releasing of the lock around
dmaengine_terminate_all() is to avoid a deadlock with the DMA engine
callback.  However, since the time this code was written, the DMA engine
API documentation seems to have been clarified to say that
dmaengine_terminate_all() (in the identically implemented but
differently named dmaengine_terminate_async() variant) does not wait for
any running complete callback to be completed and can even be called
from a complete callback.  So there is no possibility of deadlock if the
DMA engine driver implements this API correctly.

So we should be able to just remove this release and reacquire of the
lock to prevent the aforementioned race condition.

Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191118092547.32135-1-vincent.whitchurch@axis.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/amba-pl011.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -829,10 +829,8 @@ __acquires(&uap->port.lock)
 	if (!uap->using_tx_dma)
 		return;
 
-	/* Avoid deadlock with the DMA engine callback */
-	spin_unlock(&uap->port.lock);
-	dmaengine_terminate_all(uap->dmatx.chan);
-	spin_lock(&uap->port.lock);
+	dmaengine_terminate_async(uap->dmatx.chan);
+
 	if (uap->dmatx.queued) {
 		dma_unmap_sg(uap->dmatx.chan->device->dev, &uap->dmatx.sg, 1,
 			     DMA_TO_DEVICE);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 007/267] serial: serial_core: Perform NULL checks for break_ctl ops
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 006/267] serial: pl011: Fix DMA ->flush_buffer() Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 008/267] serial: ifx6x60: add missed pm_runtime_disable Greg Kroah-Hartman
                   ` (263 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiangfeng Xiao

From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>

commit 7d73170e1c282576419f8b50a771f1fcd2b81a94 upstream.

Doing fuzz test on sbsa uart device, causes a kernel crash
due to NULL pointer dereference:

------------[ cut here ]------------
Unable to handle kernel paging request at virtual address fffffffffffffffc
pgd = ffffffe331723000
[fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O)
Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O)
hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O)
mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O)
uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4
iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd
usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid
ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod
yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand
nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe
cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry
nfsv3 nfs nfs_acl lockd sunrpc grace autofs4
CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G           O    4.4.193 #1
task: ffffffe32b23f110 task.stack: ffffffe32bda4000
PC is at uart_break_ctl+0x44/0x84
LR is at uart_break_ctl+0x34/0x84
pc : [<ffffff8393196098>] lr : [<ffffff8393196088>] pstate: 80000005
sp : ffffffe32bda7cc0
x29: ffffffe32bda7cc0 x28: ffffffe32b23f110
x27: ffffff8393402000 x26: 0000000000000000
x25: ffffffe32b233f40 x24: ffffffc07a8ec680
x23: 0000000000005425 x22: 00000000ffffffff
x21: ffffffe33ed73c98 x20: 0000000000000000
x19: ffffffe33ed94168 x18: 0000000000000004
x17: 0000007f92ae9d30 x16: ffffff8392fa6064
x15: 0000000000000010 x14: 0000000000000000
x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000020 x10: 0000007ffdac1708
x9 : 0000000000000078 x8 : 000000000000001d
x7 : 0000000052a64887 x6 : ffffffe32bda7e08
x5 : ffffffe32b23c000 x4 : 0000005fbc5b0000
x3 : ffffff83938d5018 x2 : 0000000000000080
x1 : ffffffe32b23c040 x0 : ffffff83934428f8
virtual start addr offset is 38ac00000
module base offset is 2cd4cf1000
linear region base offset is : 0
Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000)
Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000)
7cc0: ffffffe32bda7cf0 ffffff8393177718 ffffffc07a8ec680 ffffff8393196054
7ce0: 000000001739f2e0 0000007ffdac1978 ffffffe32bda7d20 ffffff8393179a1c
7d00: 0000000000000000 ffffff8393c0a000 ffffffc07a8ec680 cb88537fdc8ba600
7d20: ffffffe32bda7df0 ffffff8392fa5a40 ffffff8393c0a000 0000000000005425
7d40: 0000007ffdac1978 ffffffe32b233f40 ffffff8393178dcc 0000000000000003
7d60: 000000000000011d 000000000000001d ffffffe32b23f110 000000000000029e
7d80: ffffffe34fe8d5d0 0000000000000000 ffffffe32bda7e14 cb88537fdc8ba600
7da0: ffffffe32bda7e30 ffffff8393042cfc ffffff8393c41720 ffffff8393c46410
7dc0: ffffff839304fa68 ffffffe32b233f40 0000000000005425 0000007ffdac1978
7de0: 000000000000011d cb88537fdc8ba600 ffffffe32bda7e70 ffffff8392fa60cc
7e00: 0000000000000000 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
7e20: 0000000000005425 0000007ffdac1978 ffffffe32bda7e70 ffffff8392fa60b0
7e40: 0000000000000280 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
7e60: 0000000000005425 cb88537fdc8ba600 0000000000000000 ffffff8392e02e78
7e80: 0000000000000280 0000005fbc5b0000 ffffffffffffffff 0000007f92ae9d3c
7ea0: 0000000060000000 0000000000000015 0000000000000003 0000000000005425
7ec0: 0000007ffdac1978 0000000000000000 00000000a54c910e 0000007f92b95014
7ee0: 0000007f92b95090 0000000052a64887 000000000000001d 0000000000000078
7f00: 0000007ffdac1708 0000000000000020 0000000000000000 0000000000000000
7f20: 0000000000000000 0000000000000010 000000556acf0090 0000007f92ae9d30
7f40: 0000000000000004 000000556acdef10 0000000000000000 000000556acdebd0
7f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
7f80: 0000000000000000 0000000000000000 0000000000000000 0000007ffdac1840
7fa0: 000000556acdedcc 0000007ffdac1840 0000007f92ae9d3c 0000000060000000
7fc0: 0000000000000000 0000000000000000 0000000000000003 000000000000001d
7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
Call trace:
Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0)
7aa0:                                   0000000000001000 0000007fffffffff
7ac0: ffffffe32bda7cc0 ffffff8393196098 0000000080000005 0000000000000025
7ae0: ffffffe32b233f40 ffffff83930d777c ffffffe32bda7b30 ffffff83930d777c
7b00: ffffffe32bda7be0 ffffff83938d5000 ffffffe32bda7be0 ffffffe32bda7c20
7b20: ffffffe32bda7b60 ffffff83930d777c ffffffe32bda7c10 ffffff83938d5000
7b40: ffffffe32bda7c10 ffffffe32bda7c50 ffffff8393c0a000 ffffffe32b23f110
7b60: ffffffe32bda7b70 ffffff8392e09df4 ffffffe32bda7bb0 cb88537fdc8ba600
7b80: ffffff83934428f8 ffffffe32b23c040 0000000000000080 ffffff83938d5018
7ba0: 0000005fbc5b0000 ffffffe32b23c000 ffffffe32bda7e08 0000000052a64887
7bc0: 000000000000001d 0000000000000078 0000007ffdac1708 0000000000000020
7be0: 0000000000000000 0000000000000000
[<ffffff8393196098>] uart_break_ctl+0x44/0x84
[<ffffff8393177718>] send_break+0xa0/0x114
[<ffffff8393179a1c>] tty_ioctl+0xc50/0xe84
[<ffffff8392fa5a40>] do_vfs_ioctl+0xc4/0x6e8
[<ffffff8392fa60cc>] SyS_ioctl+0x68/0x9c
[<ffffff8392e02e78>] __sys_trace_return+0x0/0x4
Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280)
---[ end trace 8606094f1960c5e0 ]---
Kernel panic - not syncing: Fatal exception

Fix this problem by adding NULL checks prior to calling break_ctl ops.

Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/serial_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1125,7 +1125,7 @@ static int uart_break_ctl(struct tty_str
 	if (!uport)
 		goto out;
 
-	if (uport->type != PORT_UNKNOWN)
+	if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl)
 		uport->ops->break_ctl(uport, break_state);
 	ret = 0;
 out:



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 008/267] serial: ifx6x60: add missed pm_runtime_disable
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 007/267] serial: serial_core: Perform NULL checks for break_ctl ops Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 009/267] autofs: fix a leak in autofs_expire_indirect() Greg Kroah-Hartman
                   ` (262 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chuhong Yuan

From: Chuhong Yuan <hslester96@gmail.com>

commit 50b2b571c5f3df721fc81bf9a12c521dfbe019ba upstream.

The driver forgets to call pm_runtime_disable in remove.
Add the missed calls to fix it.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/ifx6x60.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/tty/serial/ifx6x60.c
+++ b/drivers/tty/serial/ifx6x60.c
@@ -1245,6 +1245,9 @@ static int ifx_spi_spi_remove(struct spi
 	struct ifx_spi_device *ifx_dev = spi_get_drvdata(spi);
 	/* stop activity */
 	tasklet_kill(&ifx_dev->io_work_tasklet);
+
+	pm_runtime_disable(&spi->dev);
+
 	/* free irq */
 	free_irq(gpio_to_irq(ifx_dev->gpio.reset_out), ifx_dev);
 	free_irq(gpio_to_irq(ifx_dev->gpio.srdy), ifx_dev);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 009/267] autofs: fix a leak in autofs_expire_indirect()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 008/267] serial: ifx6x60: add missed pm_runtime_disable Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 010/267] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Greg Kroah-Hartman
                   ` (261 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Sasha Levin

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 03ad0d703df75c43f78bd72e16124b5b94a95188 ]

if the second call of should_expire() in there ends up
grabbing and returning a new reference to dentry, we need
to drop it before continuing.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/autofs4/expire.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
index 141f9bc213a3d..94a0017c923b1 100644
--- a/fs/autofs4/expire.c
+++ b/fs/autofs4/expire.c
@@ -472,9 +472,10 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb,
 		 */
 		flags &= ~AUTOFS_EXP_LEAVES;
 		found = should_expire(expired, mnt, timeout, how);
-		if (!found || found != expired)
-			/* Something has changed, continue */
+		if (found != expired) { // something has changed, continue
+			dput(found);
 			goto next;
+		}
 
 		if (expired != dentry)
 			dput(dentry);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 010/267] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 009/267] autofs: fix a leak in autofs_expire_indirect() Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 011/267] iwlwifi: pcie: dont consider IV len in A-MSDU Greg Kroah-Hartman
                   ` (260 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sirong Wang, Weihang Li,
	Jason Gunthorpe, Sasha Levin

From: Sirong Wang <wangsirong@huawei.com>

[ Upstream commit 531eb45b3da4267fc2a64233ba256c8ffb02edd2 ]

Size of pointer to buf field of struct hns_roce_hem_chunk should be
considered when calculating HNS_ROCE_HEM_CHUNK_LEN, or sg table size will
be larger than expected when allocating hem.

Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
Link: https://lore.kernel.org/r/1572575610-52530-2-git-send-email-liweihang@hisilicon.com
Signed-off-by: Sirong Wang <wangsirong@huawei.com>
Signed-off-by: Weihang Li <liweihang@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h
index 435748858252d..8e8917ebb013b 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.h
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.h
@@ -52,7 +52,7 @@ enum {
 
 #define HNS_ROCE_HEM_CHUNK_LEN	\
 	 ((256 - sizeof(struct list_head) - 2 * sizeof(int)) /	 \
-	 (sizeof(struct scatterlist)))
+	 (sizeof(struct scatterlist) + sizeof(void *)))
 
 enum {
 	 HNS_ROCE_HEM_PAGE_SHIFT = 12,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 011/267] iwlwifi: pcie: dont consider IV len in A-MSDU
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 010/267] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 012/267] exportfs_decode_fh(): negative pinned may become positive without the parent locked Greg Kroah-Hartman
                   ` (259 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mordechay Goodstein, Luca Coelho,
	Kalle Valo, Sasha Levin

From: Mordechay Goodstein <mordechay.goodstein@intel.com>

[ Upstream commit cb1a4badf59275eb7221dcec621e8154917eabd1 ]

>From gen2 PN is totally offloaded to hardware (also the space for the
IV isn't part of the skb).  As you can see in mvm/mac80211.c:3545, the
MAC for cipher types CCMP/GCMP doesn't set
IEEE80211_KEY_FLAG_PUT_IV_SPACE for gen2 NICs.

This causes all the AMSDU data to be corrupted with cipher enabled.

Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 20 +++++++------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
index 6f45c8148b279..bbb39d6ec2ee3 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
@@ -232,27 +232,23 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 	struct ieee80211_hdr *hdr = (void *)skb->data;
 	unsigned int snap_ip_tcp_hdrlen, ip_hdrlen, total_len, hdr_room;
 	unsigned int mss = skb_shinfo(skb)->gso_size;
-	u16 length, iv_len, amsdu_pad;
+	u16 length, amsdu_pad;
 	u8 *start_hdr;
 	struct iwl_tso_hdr_page *hdr_page;
 	struct page **page_ptr;
 	struct tso_t tso;
 
-	/* if the packet is protected, then it must be CCMP or GCMP */
-	iv_len = ieee80211_has_protected(hdr->frame_control) ?
-		IEEE80211_CCMP_HDR_LEN : 0;
-
 	trace_iwlwifi_dev_tx(trans->dev, skb, tfd, sizeof(*tfd),
 			     &dev_cmd->hdr, start_len, 0);
 
 	ip_hdrlen = skb_transport_header(skb) - skb_network_header(skb);
 	snap_ip_tcp_hdrlen = 8 + ip_hdrlen + tcp_hdrlen(skb);
-	total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len - iv_len;
+	total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len;
 	amsdu_pad = 0;
 
 	/* total amount of header we may need for this A-MSDU */
 	hdr_room = DIV_ROUND_UP(total_len, mss) *
-		(3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr)) + iv_len;
+		(3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr));
 
 	/* Our device supports 9 segments at most, it will fit in 1 page */
 	hdr_page = get_page_hdr(trans, hdr_room);
@@ -263,14 +259,12 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 	start_hdr = hdr_page->pos;
 	page_ptr = (void *)((u8 *)skb->cb + trans_pcie->page_offs);
 	*page_ptr = hdr_page->page;
-	memcpy(hdr_page->pos, skb->data + hdr_len, iv_len);
-	hdr_page->pos += iv_len;
 
 	/*
-	 * Pull the ieee80211 header + IV to be able to use TSO core,
+	 * Pull the ieee80211 header to be able to use TSO core,
 	 * we will restore it for the tx_status flow.
 	 */
-	skb_pull(skb, hdr_len + iv_len);
+	skb_pull(skb, hdr_len);
 
 	/*
 	 * Remove the length of all the headers that we don't actually
@@ -348,8 +342,8 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 		}
 	}
 
-	/* re -add the WiFi header and IV */
-	skb_push(skb, hdr_len + iv_len);
+	/* re -add the WiFi header */
+	skb_push(skb, hdr_len);
 
 	return 0;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 012/267] exportfs_decode_fh(): negative pinned may become positive without the parent locked
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 011/267] iwlwifi: pcie: dont consider IV len in A-MSDU Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 013/267] audit_get_nd(): dont unlock parent too early Greg Kroah-Hartman
                   ` (258 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Sasha Levin

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit a2ece088882666e1dc7113744ac912eb161e3f87 ]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/exportfs/expfs.c | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
index c22cc9d2a5c9a..a561ae17cf435 100644
--- a/fs/exportfs/expfs.c
+++ b/fs/exportfs/expfs.c
@@ -508,26 +508,33 @@ struct dentry *exportfs_decode_fh(struct vfsmount *mnt, struct fid *fid,
 		 * inode is actually connected to the parent.
 		 */
 		err = exportfs_get_name(mnt, target_dir, nbuf, result);
-		if (!err) {
-			inode_lock(target_dir->d_inode);
-			nresult = lookup_one_len(nbuf, target_dir,
-						 strlen(nbuf));
-			inode_unlock(target_dir->d_inode);
-			if (!IS_ERR(nresult)) {
-				if (nresult->d_inode) {
-					dput(result);
-					result = nresult;
-				} else
-					dput(nresult);
-			}
+		if (err) {
+			dput(target_dir);
+			goto err_result;
 		}
 
+		inode_lock(target_dir->d_inode);
+		nresult = lookup_one_len(nbuf, target_dir, strlen(nbuf));
+		if (!IS_ERR(nresult)) {
+			if (unlikely(nresult->d_inode != result->d_inode)) {
+				dput(nresult);
+				nresult = ERR_PTR(-ESTALE);
+			}
+		}
+		inode_unlock(target_dir->d_inode);
 		/*
 		 * At this point we are done with the parent, but it's pinned
 		 * by the child dentry anyway.
 		 */
 		dput(target_dir);
 
+		if (IS_ERR(nresult)) {
+			err = PTR_ERR(nresult);
+			goto err_result;
+		}
+		dput(result);
+		result = nresult;
+
 		/*
 		 * And finally make sure the dentry is actually acceptable
 		 * to NFSD.
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 013/267] audit_get_nd(): dont unlock parent too early
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 012/267] exportfs_decode_fh(): negative pinned may become positive without the parent locked Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 014/267] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Greg Kroah-Hartman
                   ` (257 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Sasha Levin

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 69924b89687a2923e88cc42144aea27868913d0e ]

if the child has been negative and just went positive
under us, we want coherent d_is_positive() and ->d_inode.
Don't unlock the parent until we'd done that work...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/audit_watch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 4a98f6e314a9b..35f1d706bd5b4 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -365,12 +365,12 @@ static int audit_get_nd(struct audit_watch *watch, struct path *parent)
 	struct dentry *d = kern_path_locked(watch->path, parent);
 	if (IS_ERR(d))
 		return PTR_ERR(d);
-	inode_unlock(d_backing_inode(parent->dentry));
 	if (d_is_positive(d)) {
 		/* update watch filter fields */
 		watch->dev = d->d_sb->s_dev;
 		watch->ino = d_backing_inode(d)->i_ino;
 	}
+	inode_unlock(d_backing_inode(parent->dentry));
 	dput(d);
 	return 0;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 014/267] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 013/267] audit_get_nd(): dont unlock parent too early Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 015/267] xfrm: release device reference for invalid state Greg Kroah-Hartman
                   ` (256 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephan Gerhold, Andy Shevchenko,
	David S. Miller, Sasha Levin

From: Stephan Gerhold <stephan@gerhold.net>

[ Upstream commit a71a29f50de1ef97ab55c151a1598eb12dde379d ]

I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci
result in a NULL pointer dereference at the moment:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    Oops: 0002 [#1] PREEMPT SMP NOPTI
    CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1
    RIP: 0010:skb_queue_tail+0x25/0x50
    Call Trace:
     nci_recv_frame+0x36/0x90 [nci]
     nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c]
     ? preempt_count_add+0x68/0xa0
     ? irq_forced_thread_fn+0x80/0x80
     irq_thread_fn+0x20/0x60
     irq_thread+0xee/0x180
     ? wake_threads_waitq+0x30/0x30
     kthread+0xfb/0x130
     ? irq_thread_check_affinity+0xd0/0xd0
     ? kthread_park+0x90/0x90
     ret_from_fork+0x1f/0x40

Afterward the kernel must be rebooted to work properly again.

This happens because it attempts to call nci_recv_frame() with skb == NULL.
However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any
NULL checks for skb, causing the NULL pointer dereference.

Change the code to call only nxp_nci_fw_recv_frame() in case of an error.
Make sure to log it so it is obvious that a communication error occurred.
The error above then becomes:

    nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121
    nci: __nci_request: wait_for_completion_interruptible_timeout failed 0
    nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121

Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/nxp-nci/i2c.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
index 198585bbc7711..d9492cffd00e5 100644
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -236,8 +236,10 @@ static irqreturn_t nxp_nci_i2c_irq_thread_fn(int irq, void *phy_id)
 
 	if (r == -EREMOTEIO) {
 		phy->hard_fault = r;
-		skb = NULL;
-	} else if (r < 0) {
+		if (info->mode == NXP_NCI_MODE_FW)
+			nxp_nci_fw_recv_frame(phy->ndev, NULL);
+	}
+	if (r < 0) {
 		nfc_err(&client->dev, "Read failed with error %d\n", r);
 		goto exit_irq_handled;
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 015/267] xfrm: release device reference for invalid state
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 014/267] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 016/267] Input: cyttsp4_core - fix use after free bug Greg Kroah-Hartman
                   ` (255 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaodong Xu, Bo Chen,
	Steffen Klassert, Sasha Levin

From: Xiaodong Xu <stid.smth@gmail.com>

[ Upstream commit 4944a4b1077f74d89073624bd286219d2fcbfce3 ]

An ESP packet could be decrypted in async mode if the input handler for
this packet returns -EINPROGRESS in xfrm_input(). At this moment the device
reference in skb is held. Later xfrm_input() will be invoked again to
resume the processing.
If the transform state is still valid it would continue to release the
device reference and there won't be a problem; however if the transform
state is not valid when async resumption happens, the packet will be
dropped while the device reference is still being held.
When the device is deleted for some reason and the reference to this
device is not properly released, the kernel will keep logging like:

unregister_netdevice: waiting for ppp2 to become free. Usage count = 1

The issue is observed when running IPsec traffic over a PPPoE device based
on a bridge interface. By terminating the PPPoE connection on the server
end for multiple times, the PPPoE device on the client side will eventually
get stuck on the above warning message.

This patch will check the async mode first and continue to release device
reference in async resumption, before it is dropped due to invalid state.

v2: Do not assign address family from outer_mode in the transform if the
state is invalid

v3: Release device reference in the error path instead of jumping to resume

Fixes: 4ce3dbe397d7b ("xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)")
Signed-off-by: Xiaodong Xu <stid.smth@gmail.com>
Reported-by: Bo Chen <chenborfc@163.com>
Tested-by: Bo Chen <chenborfc@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_input.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index fc0a9ce1be18f..311597401b821 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -245,6 +245,9 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 			else
 				XFRM_INC_STATS(net,
 					       LINUX_MIB_XFRMINSTATEINVALID);
+
+			if (encap_type == -1)
+				dev_put(skb->dev);
 			goto drop;
 		}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 016/267] Input: cyttsp4_core - fix use after free bug
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 015/267] xfrm: release device reference for invalid state Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 017/267] sched/core: Avoid spurious lock dependencies Greg Kroah-Hartman
                   ` (254 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pan Bian, Dmitry Torokhov, Sasha Levin

From: Pan Bian <bianpan2016@163.com>

[ Upstream commit 79aae6acbef16f720a7949f8fc6ac69816c79d62 ]

The device md->input is used after it is released. Setting the device
data to NULL is unnecessary as the device is never used again. Instead,
md->input should be assigned NULL to avoid accessing the freed memory
accidently. Besides, checking md->si against NULL is superfluous as it
points to a variable address, which cannot be NULL.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Link: https://lore.kernel.org/r/1572936379-6423-1-git-send-email-bianpan2016@163.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/touchscreen/cyttsp4_core.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c
index beaf61ce775b7..a9af83de88bb2 100644
--- a/drivers/input/touchscreen/cyttsp4_core.c
+++ b/drivers/input/touchscreen/cyttsp4_core.c
@@ -1972,11 +1972,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd)
 
 	/* get sysinfo */
 	md->si = &cd->sysinfo;
-	if (!md->si) {
-		dev_err(dev, "%s: Fail get sysinfo pointer from core p=%p\n",
-			__func__, md->si);
-		goto error_get_sysinfo;
-	}
 
 	rc = cyttsp4_setup_input_device(cd);
 	if (rc)
@@ -1986,8 +1981,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd)
 
 error_init_input:
 	input_free_device(md->input);
-error_get_sysinfo:
-	input_set_drvdata(md->input, NULL);
 error_alloc_failed:
 	dev_err(dev, "%s failed.\n", __func__);
 	return rc;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 017/267] sched/core: Avoid spurious lock dependencies
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 016/267] Input: cyttsp4_core - fix use after free bug Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 018/267] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Greg Kroah-Hartman
                   ` (253 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra (Intel),
	Linus Torvalds, Qian Cai, Thomas Gleixner, akpm, bigeasy, cl,
	keescook, penberg, rientjes, thgarnie, tytso, will, Ingo Molnar,
	Sasha Levin

From: Peter Zijlstra <peterz@infradead.org>

[ Upstream commit ff51ff84d82aea5a889b85f2b9fb3aa2b8691668 ]

While seemingly harmless, __sched_fork() does hrtimer_init(), which,
when DEBUG_OBJETS, can end up doing allocations.

This then results in the following lock order:

  rq->lock
    zone->lock.rlock
      batched_entropy_u64.lock

Which in turn causes deadlocks when we do wakeups while holding that
batched_entropy lock -- as the random code does.

Solve this by moving __sched_fork() out from under rq->lock. This is
safe because nothing there relies on rq->lock, as also evident from the
other __sched_fork() callsite.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Qian Cai <cai@lca.pw>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: akpm@linux-foundation.org
Cc: bigeasy@linutronix.de
Cc: cl@linux.com
Cc: keescook@chromium.org
Cc: penberg@kernel.org
Cc: rientjes@google.com
Cc: thgarnie@google.com
Cc: tytso@mit.edu
Cc: will@kernel.org
Fixes: b7d5dc21072c ("random: add a spinlock_t to struct batched_entropy")
Link: https://lkml.kernel.org/r/20191001091837.GK4536@hirez.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index bbf8b32fc69ec..97a27726ea217 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5242,10 +5242,11 @@ void init_idle(struct task_struct *idle, int cpu)
 	struct rq *rq = cpu_rq(cpu);
 	unsigned long flags;
 
+	__sched_fork(0, idle);
+
 	raw_spin_lock_irqsave(&idle->pi_lock, flags);
 	raw_spin_lock(&rq->lock);
 
-	__sched_fork(0, idle);
 	idle->state = TASK_RUNNING;
 	idle->se.exec_start = sched_clock();
 	idle->flags |= PF_IDLE;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 018/267] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 017/267] sched/core: Avoid spurious lock dependencies Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 019/267] rsxx: add missed destroy_workqueue calls in remove Greg Kroah-Hartman
                   ` (252 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, paulhsia, Takashi Iwai, Sasha Levin

From: paulhsia <paulhsia@chromium.org>

[ Upstream commit f5cdc9d4003a2f66ea57b3edd3e04acc2b1a4439 ]

If the nullity check for `substream->runtime` is outside of the lock
region, it is possible to have a null runtime in the critical section
if snd_pcm_detach_substream is called right before the lock.

Signed-off-by: paulhsia <paulhsia@chromium.org>
Link: https://lore.kernel.org/r/20191112171715.128727-2-paulhsia@chromium.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/pcm_lib.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index 729a85a6211d6..80453266a2def 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1803,11 +1803,14 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
 	struct snd_pcm_runtime *runtime;
 	unsigned long flags;
 
-	if (PCM_RUNTIME_CHECK(substream))
+	if (snd_BUG_ON(!substream))
 		return;
-	runtime = substream->runtime;
 
 	snd_pcm_stream_lock_irqsave(substream, flags);
+	if (PCM_RUNTIME_CHECK(substream))
+		goto _unlock;
+	runtime = substream->runtime;
+
 	if (!snd_pcm_running(substream) ||
 	    snd_pcm_update_hw_ptr0(substream, 1) < 0)
 		goto _end;
@@ -1818,6 +1821,7 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
 #endif
  _end:
 	kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
+ _unlock:
 	snd_pcm_stream_unlock_irqrestore(substream, flags);
 }
 EXPORT_SYMBOL(snd_pcm_period_elapsed);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 019/267] rsxx: add missed destroy_workqueue calls in remove
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 018/267] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 020/267] net: ep93xx_eth: fix mismatch of request_mem_region " Greg Kroah-Hartman
                   ` (251 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuhong Yuan, Jens Axboe, Sasha Levin

From: Chuhong Yuan <hslester96@gmail.com>

[ Upstream commit dcb77e4b274b8f13ac6482dfb09160cd2fae9a40 ]

The driver misses calling destroy_workqueue in remove like what is done
when probe fails.
Add the missed calls to fix it.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/rsxx/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
index 34997df132e24..6beafaa335c71 100644
--- a/drivers/block/rsxx/core.c
+++ b/drivers/block/rsxx/core.c
@@ -1025,8 +1025,10 @@ static void rsxx_pci_remove(struct pci_dev *dev)
 
 	cancel_work_sync(&card->event_work);
 
+	destroy_workqueue(card->event_wq);
 	rsxx_destroy_dev(card);
 	rsxx_dma_destroy(card);
+	destroy_workqueue(card->creg_ctrl.creg_wq);
 
 	spin_lock_irqsave(&card->irq_lock, flags);
 	rsxx_disable_ier_and_isr(card, CR_INTR_ALL);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 020/267] net: ep93xx_eth: fix mismatch of request_mem_region in remove
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 019/267] rsxx: add missed destroy_workqueue calls in remove Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 021/267] i2c: core: fix use after free in of_i2c_notify Greg Kroah-Hartman
                   ` (250 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuhong Yuan, David S. Miller, Sasha Levin

From: Chuhong Yuan <hslester96@gmail.com>

[ Upstream commit 3df70afe8d33f4977d0e0891bdcfb639320b5257 ]

The driver calls release_resource in remove to match request_mem_region
in probe, which is incorrect.
Fix it by using the right one, release_mem_region.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cirrus/ep93xx_eth.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/cirrus/ep93xx_eth.c b/drivers/net/ethernet/cirrus/ep93xx_eth.c
index e2a702996db41..82bd918bf967f 100644
--- a/drivers/net/ethernet/cirrus/ep93xx_eth.c
+++ b/drivers/net/ethernet/cirrus/ep93xx_eth.c
@@ -767,6 +767,7 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
 {
 	struct net_device *dev;
 	struct ep93xx_priv *ep;
+	struct resource *mem;
 
 	dev = platform_get_drvdata(pdev);
 	if (dev == NULL)
@@ -782,8 +783,8 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
 		iounmap(ep->base_addr);
 
 	if (ep->res != NULL) {
-		release_resource(ep->res);
-		kfree(ep->res);
+		mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+		release_mem_region(mem->start, resource_size(mem));
 	}
 
 	free_netdev(dev);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 021/267] i2c: core: fix use after free in of_i2c_notify
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 020/267] net: ep93xx_eth: fix mismatch of request_mem_region " Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 022/267] serial: core: Allow processing sysrq at port unlock time Greg Kroah-Hartman
                   ` (249 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Wolfram Sang, Sasha Levin

From: Wen Yang <wenyang@linux.alibaba.com>

[ Upstream commit a4c2fec16f5e6a5fee4865e6e0e91e2bc2d10f37 ]

We can't use "adap->dev" after it has been freed.

Fixes: 5bf4fa7daea6 ("i2c: break out OF support into separate file")
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/i2c-core-of.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c
index 8d474bb1dc157..17d727e0b8424 100644
--- a/drivers/i2c/i2c-core-of.c
+++ b/drivers/i2c/i2c-core-of.c
@@ -238,14 +238,14 @@ static int of_i2c_notify(struct notifier_block *nb, unsigned long action,
 		}
 
 		client = of_i2c_register_device(adap, rd->dn);
-		put_device(&adap->dev);
-
 		if (IS_ERR(client)) {
 			dev_err(&adap->dev, "failed to create client for '%pOF'\n",
 				 rd->dn);
+			put_device(&adap->dev);
 			of_node_clear_flag(rd->dn, OF_POPULATED);
 			return notifier_from_errno(PTR_ERR(client));
 		}
+		put_device(&adap->dev);
 		break;
 	case OF_RECONFIG_CHANGE_REMOVE:
 		/* already depopulated? */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 022/267] serial: core: Allow processing sysrq at port unlock time
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 021/267] i2c: core: fix use after free in of_i2c_notify Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 023/267] cxgb4vf: fix memleak in mac_hlist initialization Greg Kroah-Hartman
                   ` (248 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Douglas Anderson, Sasha Levin

From: Douglas Anderson <dianders@chromium.org>

[ Upstream commit d6e1935819db0c91ce4a5af82466f3ab50d17346 ]

Right now serial drivers process sysrq keys deep in their character
receiving code.  This means that they've already grabbed their
port->lock spinlock.  This can end up getting in the way if we've go
to do serial stuff (especially kgdb) in response to the sysrq.

Serial drivers have various hacks in them to handle this.  Looking at
'8250_port.c' you can see that the console_write() skips locking if
we're in the sysrq handler.  Looking at 'msm_serial.c' you can see
that the port lock is dropped around uart_handle_sysrq_char().

It turns out that these hacks aren't exactly perfect.  If you have
lockdep turned on and use something like the 8250_port hack you'll get
a splat that looks like:

  WARNING: possible circular locking dependency detected
  [...] is trying to acquire lock:
  ... (console_owner){-.-.}, at: console_unlock+0x2e0/0x5e4

  but task is already holding lock:
  ... (&port_lock_key){-.-.}, at: serial8250_handle_irq+0x30/0xe4

  which lock already depends on the new lock.

  the existing dependency chain (in reverse order) is:

  -> #1 (&port_lock_key){-.-.}:
         _raw_spin_lock_irqsave+0x58/0x70
         serial8250_console_write+0xa8/0x250
         univ8250_console_write+0x40/0x4c
         console_unlock+0x528/0x5e4
         register_console+0x2c4/0x3b0
         uart_add_one_port+0x350/0x478
         serial8250_register_8250_port+0x350/0x3a8
         dw8250_probe+0x67c/0x754
         platform_drv_probe+0x58/0xa4
         really_probe+0x150/0x294
         driver_probe_device+0xac/0xe8
         __driver_attach+0x98/0xd0
         bus_for_each_dev+0x84/0xc8
         driver_attach+0x2c/0x34
         bus_add_driver+0xf0/0x1ec
         driver_register+0xb4/0x100
         __platform_driver_register+0x60/0x6c
         dw8250_platform_driver_init+0x20/0x28
	 ...

  -> #0 (console_owner){-.-.}:
         lock_acquire+0x1e8/0x214
         console_unlock+0x35c/0x5e4
         vprintk_emit+0x230/0x274
         vprintk_default+0x7c/0x84
         vprintk_func+0x190/0x1bc
         printk+0x80/0xa0
         __handle_sysrq+0x104/0x21c
         handle_sysrq+0x30/0x3c
         serial8250_read_char+0x15c/0x18c
         serial8250_rx_chars+0x34/0x74
         serial8250_handle_irq+0x9c/0xe4
         dw8250_handle_irq+0x98/0xcc
         serial8250_interrupt+0x50/0xe8
         ...

  other info that might help us debug this:

   Possible unsafe locking scenario:

         CPU0                    CPU1
         ----                    ----
    lock(&port_lock_key);
                                 lock(console_owner);
                                 lock(&port_lock_key);
    lock(console_owner);

   *** DEADLOCK ***

The hack used in 'msm_serial.c' doesn't cause the above splats but it
seems a bit ugly to unlock / lock our spinlock deep in our irq
handler.

It seems like we could defer processing the sysrq until the end of the
interrupt handler right after we've unlocked the port.  With this
scheme if a whole batch of sysrq characters comes in one irq then we
won't handle them all, but that seems like it should be a fine
compromise.

Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/serial_core.h | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/include/linux/serial_core.h b/include/linux/serial_core.h
index 868b60a79c0b8..b2a7b7c15451b 100644
--- a/include/linux/serial_core.h
+++ b/include/linux/serial_core.h
@@ -166,6 +166,7 @@ struct uart_port {
 	struct console		*cons;			/* struct console, if any */
 #if defined(CONFIG_SERIAL_CORE_CONSOLE) || defined(SUPPORT_SYSRQ)
 	unsigned long		sysrq;			/* sysrq timeout */
+	unsigned int		sysrq_ch;		/* char for sysrq */
 #endif
 
 	/* flags must be updated while holding port mutex */
@@ -474,8 +475,42 @@ uart_handle_sysrq_char(struct uart_port *port, unsigned int ch)
 	}
 	return 0;
 }
+static inline int
+uart_prepare_sysrq_char(struct uart_port *port, unsigned int ch)
+{
+	if (port->sysrq) {
+		if (ch && time_before(jiffies, port->sysrq)) {
+			port->sysrq_ch = ch;
+			port->sysrq = 0;
+			return 1;
+		}
+		port->sysrq = 0;
+	}
+	return 0;
+}
+static inline void
+uart_unlock_and_check_sysrq(struct uart_port *port, unsigned long irqflags)
+{
+	int sysrq_ch;
+
+	sysrq_ch = port->sysrq_ch;
+	port->sysrq_ch = 0;
+
+	spin_unlock_irqrestore(&port->lock, irqflags);
+
+	if (sysrq_ch)
+		handle_sysrq(sysrq_ch);
+}
 #else
-#define uart_handle_sysrq_char(port,ch) ({ (void)port; 0; })
+static inline int
+uart_handle_sysrq_char(struct uart_port *port, unsigned int ch) { return 0; }
+static inline int
+uart_prepare_sysrq_char(struct uart_port *port, unsigned int ch) { return 0; }
+static inline void
+uart_unlock_and_check_sysrq(struct uart_port *port, unsigned long irqflags)
+{
+	spin_unlock_irqrestore(&port->lock, irqflags);
+}
 #endif
 
 /*
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 023/267] cxgb4vf: fix memleak in mac_hlist initialization
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 022/267] serial: core: Allow processing sysrq at port unlock time Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 024/267] iwlwifi: mvm: synchronize TID queue removal Greg Kroah-Hartman
                   ` (247 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arjun Vynipadath, Ganesh Goudar,
	David S. Miller, Sasha Levin

From: Arjun Vynipadath <arjun@chelsio.com>

[ Upstream commit 24357e06ba511ad874d664d39475dbb01c1ca450 ]

mac_hlist was initialized during adapter_up, which will be called
every time a vf device is first brought up, or every time when device
is brought up again after bringing all devices down. This means our
state of previous list is lost, causing a memleak if entries are
present in the list. To fix that, move list init to the condition
that performs initial one time adapter setup.

Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c b/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
index 8996ebbd222e0..26ba18ea08c6a 100644
--- a/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
@@ -714,6 +714,10 @@ static int adapter_up(struct adapter *adapter)
 
 		if (adapter->flags & USING_MSIX)
 			name_msix_vecs(adapter);
+
+		/* Initialize hash mac addr list*/
+		INIT_LIST_HEAD(&adapter->mac_hlist);
+
 		adapter->flags |= FULL_INIT_DONE;
 	}
 
@@ -739,8 +743,6 @@ static int adapter_up(struct adapter *adapter)
 	enable_rx(adapter);
 	t4vf_sge_start(adapter);
 
-	/* Initialize hash mac addr list*/
-	INIT_LIST_HEAD(&adapter->mac_hlist);
 	return 0;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 024/267] iwlwifi: mvm: synchronize TID queue removal
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 023/267] cxgb4vf: fix memleak in mac_hlist initialization Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 025/267] iwlwifi: mvm: Send non offchannel traffic via AP sta Greg Kroah-Hartman
                   ` (246 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Luca Coelho, Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit 06bc6f6ed4ae0246a5e52094d1be90906a1361c7 ]

When we mark a TID as no longer having a queue, there's no
guarantee the TX path isn't using this txq_id right now,
having accessed it just before we reset the value. To fix
this, add synchronize_net() when we change the TIDs from
having a queue to not having one, so that we can then be
sure that the TX path is no longer accessing that queue.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
index d16e2ed4419fe..0cfdbaa2af3a7 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -436,6 +436,16 @@ static int iwl_mvm_remove_sta_queue_marking(struct iwl_mvm *mvm, int queue)
 
 	rcu_read_unlock();
 
+	/*
+	 * The TX path may have been using this TXQ_ID from the tid_data,
+	 * so make sure it's no longer running so that we can safely reuse
+	 * this TXQ later. We've set all the TIDs to IWL_MVM_INVALID_QUEUE
+	 * above, but nothing guarantees we've stopped using them. Thus,
+	 * without this, we could get to iwl_mvm_disable_txq() and remove
+	 * the queue while still sending frames to it.
+	 */
+	synchronize_net();
+
 	return disable_agg_tids;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 025/267] iwlwifi: mvm: Send non offchannel traffic via AP sta
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 024/267] iwlwifi: mvm: synchronize TID queue removal Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 026/267] ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+ Greg Kroah-Hartman
                   ` (245 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrei Otcheretianski, Luca Coelho,
	Sasha Levin

From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

[ Upstream commit dc1aca22f8f38b7e2ad7b118db87404d11e68771 ]

TDLS discovery response frame is a unicast direct frame to the peer.
Since we don't have a STA for this peer, this frame goes through
iwl_tx_skb_non_sta(). As the result aux_sta and some completely
arbitrary queue would be selected for this frame, resulting in a queue
hang.  Fix that by sending such frames through AP sta instead.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index 77ed6ecf5ee54..b86c7a36d3f17 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -822,6 +822,21 @@ static void iwl_mvm_mac_tx(struct ieee80211_hw *hw,
 	    !ieee80211_is_bufferable_mmpdu(hdr->frame_control))
 		sta = NULL;
 
+	/* If there is no sta, and it's not offchannel - send through AP */
+	if (info->control.vif->type == NL80211_IFTYPE_STATION &&
+	    info->hw_queue != IWL_MVM_OFFCHANNEL_QUEUE && !sta) {
+		struct iwl_mvm_vif *mvmvif =
+			iwl_mvm_vif_from_mac80211(info->control.vif);
+		u8 ap_sta_id = READ_ONCE(mvmvif->ap_sta_id);
+
+		if (ap_sta_id < IWL_MVM_STATION_COUNT) {
+			/* mac80211 holds rcu read lock */
+			sta = rcu_dereference(mvm->fw_id_to_mac_id[ap_sta_id]);
+			if (IS_ERR_OR_NULL(sta))
+				goto drop;
+		}
+	}
+
 	if (sta) {
 		if (iwl_mvm_defer_tx(mvm, sta, skb))
 			return;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 026/267] ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 025/267] iwlwifi: mvm: Send non offchannel traffic via AP sta Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 027/267] net/mlx5: Release resource on error flow Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincent Whitchurch, Russell King,
	Sasha Levin

From: Vincent Whitchurch <vincent.whitchurch@axis.com>

[ Upstream commit 344eb5539abf3e0b6ce22568c03e86450073e097 ]

getuser() and putuser() (and there underscored variants) use two
strb[t]/ldrb[t] instructions when they are asked to get/put 16-bits.
This means that the read/write is not atomic even when performed to a
16-bit-aligned address.

This leads to problems with vhost: vhost uses __getuser() to read the
vring's 16-bit avail.index field, and if it happens to observe a partial
update of the index, wrong descriptors will be used which will lead to a
breakdown of the virtio communication.  A similar problem exists for
__putuser() which is used to write to the vring's used.index field.

The reason these functions use strb[t]/ldrb[t] is because strht/ldrht
instructions did not exist until ARMv6T2/ARMv7.  So we should be easily
able to fix this on ARMv7.  Also, since all ARMv6 processors also don't
actually use the unprivileged instructions anymore for uaccess (since
CONFIG_CPU_USE_DOMAINS is not used) we can easily fix them too.

Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/include/asm/uaccess.h | 18 ++++++++++++++++++
 arch/arm/lib/getuser.S         | 11 +++++++++++
 arch/arm/lib/putuser.S         | 20 ++++++++++----------
 3 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index a5807b67ca8a3..fe47d24955ea0 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -349,6 +349,13 @@ do {									\
 #define __get_user_asm_byte(x, addr, err)			\
 	__get_user_asm(x, addr, err, ldrb)
 
+#if __LINUX_ARM_ARCH__ >= 6
+
+#define __get_user_asm_half(x, addr, err)			\
+	__get_user_asm(x, addr, err, ldrh)
+
+#else
+
 #ifndef __ARMEB__
 #define __get_user_asm_half(x, __gu_addr, err)			\
 ({								\
@@ -367,6 +374,8 @@ do {									\
 })
 #endif
 
+#endif /* __LINUX_ARM_ARCH__ >= 6 */
+
 #define __get_user_asm_word(x, addr, err)			\
 	__get_user_asm(x, addr, err, ldr)
 #endif
@@ -442,6 +451,13 @@ do {									\
 #define __put_user_asm_byte(x, __pu_addr, err)			\
 	__put_user_asm(x, __pu_addr, err, strb)
 
+#if __LINUX_ARM_ARCH__ >= 6
+
+#define __put_user_asm_half(x, __pu_addr, err)			\
+	__put_user_asm(x, __pu_addr, err, strh)
+
+#else
+
 #ifndef __ARMEB__
 #define __put_user_asm_half(x, __pu_addr, err)			\
 ({								\
@@ -458,6 +474,8 @@ do {									\
 })
 #endif
 
+#endif /* __LINUX_ARM_ARCH__ >= 6 */
+
 #define __put_user_asm_word(x, __pu_addr, err)			\
 	__put_user_asm(x, __pu_addr, err, str)
 
diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S
index 746e7801dcdf7..b2e4bc3a635e2 100644
--- a/arch/arm/lib/getuser.S
+++ b/arch/arm/lib/getuser.S
@@ -42,6 +42,12 @@ _ASM_NOKPROBE(__get_user_1)
 
 ENTRY(__get_user_2)
 	check_uaccess r0, 2, r1, r2, __get_user_bad
+#if __LINUX_ARM_ARCH__ >= 6
+
+2: TUSER(ldrh)	r2, [r0]
+
+#else
+
 #ifdef CONFIG_CPU_USE_DOMAINS
 rb	.req	ip
 2:	ldrbt	r2, [r0], #1
@@ -56,6 +62,9 @@ rb	.req	r0
 #else
 	orr	r2, rb, r2, lsl #8
 #endif
+
+#endif /* __LINUX_ARM_ARCH__ >= 6 */
+
 	mov	r0, #0
 	ret	lr
 ENDPROC(__get_user_2)
@@ -145,7 +154,9 @@ _ASM_NOKPROBE(__get_user_bad8)
 .pushsection __ex_table, "a"
 	.long	1b, __get_user_bad
 	.long	2b, __get_user_bad
+#if __LINUX_ARM_ARCH__ < 6
 	.long	3b, __get_user_bad
+#endif
 	.long	4b, __get_user_bad
 	.long	5b, __get_user_bad8
 	.long	6b, __get_user_bad8
diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S
index 38d660d3705f4..515eeaa9975c6 100644
--- a/arch/arm/lib/putuser.S
+++ b/arch/arm/lib/putuser.S
@@ -41,16 +41,13 @@ ENDPROC(__put_user_1)
 
 ENTRY(__put_user_2)
 	check_uaccess r0, 2, r1, ip, __put_user_bad
-	mov	ip, r2, lsr #8
-#ifdef CONFIG_THUMB2_KERNEL
-#ifndef __ARMEB__
-2: TUSER(strb)	r2, [r0]
-3: TUSER(strb)	ip, [r0, #1]
+#if __LINUX_ARM_ARCH__ >= 6
+
+2: TUSER(strh)	r2, [r0]
+
 #else
-2: TUSER(strb)	ip, [r0]
-3: TUSER(strb)	r2, [r0, #1]
-#endif
-#else	/* !CONFIG_THUMB2_KERNEL */
+
+	mov	ip, r2, lsr #8
 #ifndef __ARMEB__
 2: TUSER(strb)	r2, [r0], #1
 3: TUSER(strb)	ip, [r0]
@@ -58,7 +55,8 @@ ENTRY(__put_user_2)
 2: TUSER(strb)	ip, [r0], #1
 3: TUSER(strb)	r2, [r0]
 #endif
-#endif	/* CONFIG_THUMB2_KERNEL */
+
+#endif /* __LINUX_ARM_ARCH__ >= 6 */
 	mov	r0, #0
 	ret	lr
 ENDPROC(__put_user_2)
@@ -91,7 +89,9 @@ ENDPROC(__put_user_bad)
 .pushsection __ex_table, "a"
 	.long	1b, __put_user_bad
 	.long	2b, __put_user_bad
+#if __LINUX_ARM_ARCH__ < 6
 	.long	3b, __put_user_bad
+#endif
 	.long	4b, __put_user_bad
 	.long	5b, __put_user_bad
 	.long	6b, __put_user_bad
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 027/267] net/mlx5: Release resource on error flow
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 026/267] ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+ Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 028/267] clk: sunxi-ng: a64: Fix gate bit of DSI DPHY Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Moni Shoua, Majd Dibbiny,
	Leon Romanovsky, Sasha Levin

From: Moni Shoua <monis@mellanox.com>

[ Upstream commit 698114968a22f6c0c9f42e983ba033cc36bb7217 ]

Fix reference counting leakage when the event handler aborts due to an
unsupported event for the resource type.

Fixes: a14c2d4beee5 ("net/mlx5_core: Warn on unsupported events of QP/RQ/SQ")
Signed-off-by: Moni Shoua <monis@mellanox.com>
Reviewed-by: Majd Dibbiny <majd@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/qp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/qp.c b/drivers/net/ethernet/mellanox/mlx5/core/qp.c
index 889130edb7152..5f091c6ea049d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/qp.c
@@ -124,7 +124,7 @@ void mlx5_rsc_event(struct mlx5_core_dev *dev, u32 rsn, int event_type)
 	if (!is_event_type_allowed((rsn >> MLX5_USER_INDEX_LEN), event_type)) {
 		mlx5_core_warn(dev, "event 0x%.2x is not allowed on resource 0x%.8x\n",
 			       event_type, rsn);
-		return;
+		goto out;
 	}
 
 	switch (common->res) {
@@ -138,7 +138,7 @@ void mlx5_rsc_event(struct mlx5_core_dev *dev, u32 rsn, int event_type)
 	default:
 		mlx5_core_warn(dev, "invalid resource type for 0x%x\n", rsn);
 	}
-
+out:
 	mlx5_core_put_rsc(common);
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 028/267] clk: sunxi-ng: a64: Fix gate bit of DSI DPHY
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 027/267] net/mlx5: Release resource on error flow Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 029/267] dlm: fix possible call to kfree() for non-initialized pointer Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jagan Teki, Stephen Boyd,
	Maxime Ripard, Sasha Levin

From: Jagan Teki <jagan@amarulasolutions.com>

[ Upstream commit ee678706e46d0d185c27cc214ad97828e0643159 ]

DSI DPHY gate bit on MIPI DSI clock register is bit 15
not bit 30.

Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Acked-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/sunxi-ng/ccu-sun50i-a64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
index 36a30a3cfad71..eaafc038368f5 100644
--- a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
+++ b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
@@ -565,7 +565,7 @@ static const char * const dsi_dphy_parents[] = { "pll-video0", "pll-periph0" };
 static const u8 dsi_dphy_table[] = { 0, 2, };
 static SUNXI_CCU_M_WITH_MUX_TABLE_GATE(dsi_dphy_clk, "dsi-dphy",
 				       dsi_dphy_parents, dsi_dphy_table,
-				       0x168, 0, 4, 8, 2, BIT(31), CLK_SET_RATE_PARENT);
+				       0x168, 0, 4, 8, 2, BIT(15), CLK_SET_RATE_PARENT);
 
 static SUNXI_CCU_M_WITH_GATE(gpu_clk, "gpu", "pll-gpu",
 			     0x1a0, 0, 3, BIT(31), CLK_SET_RATE_PARENT);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 029/267] dlm: fix possible call to kfree() for non-initialized pointer
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 028/267] clk: sunxi-ng: a64: Fix gate bit of DSI DPHY Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 030/267] extcon: max8997: Fix lack of path setting in USB device mode Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Denis V. Lunev, David Teigland, Sasha Levin

From: Denis V. Lunev <den@openvz.org>

[ Upstream commit 58a923adf4d9aca8bf7205985c9c8fc531c65d72 ]

Technically dlm_config_nodes() could return error and keep nodes
uninitialized. After that on the fail path of we'll call kfree()
for that uninitialized value.

The patch is simple - we should just initialize nodes with NULL.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/member.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dlm/member.c b/fs/dlm/member.c
index cad6d85911a80..0bc43b35d2c53 100644
--- a/fs/dlm/member.c
+++ b/fs/dlm/member.c
@@ -671,7 +671,7 @@ int dlm_ls_stop(struct dlm_ls *ls)
 int dlm_ls_start(struct dlm_ls *ls)
 {
 	struct dlm_recover *rv, *rv_old;
-	struct dlm_config_node *nodes;
+	struct dlm_config_node *nodes = NULL;
 	int error, count;
 
 	rv = kzalloc(sizeof(*rv), GFP_NOFS);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 030/267] extcon: max8997: Fix lack of path setting in USB device mode
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 029/267] dlm: fix possible call to kfree() for non-initialized pointer Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 031/267] net: ethernet: ti: cpts: correct debug for expired txq skb Greg Kroah-Hartman
                   ` (240 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Chanwoo Choi, Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit a2dc50914744eea9f83a70a5db0486be625e5dc0 ]

MAX8997 driver disables automatic path selection from MicroUSB connector
and manually sets path to either UART or USB lines. However the code for
setting USB path worked only for USB host mode (when ID pin is set
to ground). When standard USB cable (USB device mode) is connected, path
registers are not touched. This means that once the non-USB accessory is
connected to MAX8997-operated micro USB port, the path is no longer set
to USB and USB device mode doesn't work. This patch fixes it by setting
USB path both for USB and USB host modes.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/extcon/extcon-max8997.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/drivers/extcon/extcon-max8997.c b/drivers/extcon/extcon-max8997.c
index 4a0612fb9c070..b9b48d45a6dc4 100644
--- a/drivers/extcon/extcon-max8997.c
+++ b/drivers/extcon/extcon-max8997.c
@@ -321,12 +321,10 @@ static int max8997_muic_handle_usb(struct max8997_muic_info *info,
 {
 	int ret = 0;
 
-	if (usb_type == MAX8997_USB_HOST) {
-		ret = max8997_muic_set_path(info, info->path_usb, attached);
-		if (ret < 0) {
-			dev_err(info->dev, "failed to update muic register\n");
-			return ret;
-		}
+	ret = max8997_muic_set_path(info, info->path_usb, attached);
+	if (ret < 0) {
+		dev_err(info->dev, "failed to update muic register\n");
+		return ret;
 	}
 
 	switch (usb_type) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 031/267] net: ethernet: ti: cpts: correct debug for expired txq skb
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 030/267] extcon: max8997: Fix lack of path setting in USB device mode Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 032/267] rtc: s3c-rtc: Avoid using broken ALMYEAR register Greg Kroah-Hartman
                   ` (239 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ivan Khoronzhuk, David S. Miller,
	Sasha Levin

From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>

[ Upstream commit d0e14c4d9bcef0d4aa1057d2959adaa6f18d4a17 ]

The msgtype and seqid that is smth that belongs to event for
comparison but not for staled txq skb.

Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ti/cpts.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/ti/cpts.c b/drivers/net/ethernet/ti/cpts.c
index 7d1281d812480..23c953496a0d1 100644
--- a/drivers/net/ethernet/ti/cpts.c
+++ b/drivers/net/ethernet/ti/cpts.c
@@ -116,9 +116,7 @@ static bool cpts_match_tx_ts(struct cpts *cpts, struct cpts_event *event)
 				mtype, seqid);
 		} else if (time_after(jiffies, skb_cb->tmo)) {
 			/* timeout any expired skbs over 1s */
-			dev_dbg(cpts->dev,
-				"expiring tx timestamp mtype %u seqid %04x\n",
-				mtype, seqid);
+			dev_dbg(cpts->dev, "expiring tx timestamp from txq\n");
 			__skb_unlink(skb, &cpts->txq);
 			dev_consume_skb_any(skb);
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 032/267] rtc: s3c-rtc: Avoid using broken ALMYEAR register
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 031/267] net: ethernet: ti: cpts: correct debug for expired txq skb Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:45 ` [PATCH 4.14 033/267] i40e: dont restart nway if autoneg not supported Greg Kroah-Hartman
                   ` (238 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Alexandre Belloni,
	Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit 50c8aec4212a966817e868056efc9bfbb73337c0 ]

(RTC,ALM)YEAR registers of Exynos built-in RTC device contains 3 BCD
characters. s3c-rtc driver uses only 2 lower of them and supports years
from 2000..2099 range. The third BCD value is typically set to 0, but it
looks that handling of it is broken in the hardware. It sometimes
defaults to a random (even non-BCD) value. This is not an issue
for handling RTCYEAR register, because bcd2bin() properly handles only
8bit values (2 BCD characters, the third one is skipped). The problem
is however with ALMYEAR register and proper RTC alarm operation. When
YEAREN bit is set for the configured alarm, RTC hardware triggers alarm
only when ALMYEAR and RTCYEAR matches. This usually doesn't happen
because of the random noise on the third BCD character.

Fix this by simply skipping setting ALMYEAR register in alarm
configuration. This workaround fixes broken alarm operation on Exynos
built-in rtc device. My tests revealed that the issue happens on the
following Exynos series: 3250, 4210, 4412, 5250 and 5410.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-s3c.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/drivers/rtc/rtc-s3c.c b/drivers/rtc/rtc-s3c.c
index a8992c227f611..4120a305954af 100644
--- a/drivers/rtc/rtc-s3c.c
+++ b/drivers/rtc/rtc-s3c.c
@@ -327,7 +327,6 @@ static int s3c_rtc_setalarm(struct device *dev, struct rtc_wkalrm *alrm)
 	struct rtc_time *tm = &alrm->time;
 	unsigned int alrm_en;
 	int ret;
-	int year = tm->tm_year - 100;
 
 	dev_dbg(dev, "s3c_rtc_setalarm: %d, %04d.%02d.%02d %02d:%02d:%02d\n",
 		alrm->enabled,
@@ -356,11 +355,6 @@ static int s3c_rtc_setalarm(struct device *dev, struct rtc_wkalrm *alrm)
 		writeb(bin2bcd(tm->tm_hour), info->base + S3C2410_ALMHOUR);
 	}
 
-	if (year < 100 && year >= 0) {
-		alrm_en |= S3C2410_RTCALM_YEAREN;
-		writeb(bin2bcd(year), info->base + S3C2410_ALMYEAR);
-	}
-
 	if (tm->tm_mon < 12 && tm->tm_mon >= 0) {
 		alrm_en |= S3C2410_RTCALM_MONEN;
 		writeb(bin2bcd(tm->tm_mon + 1), info->base + S3C2410_ALMMON);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 033/267] i40e: dont restart nway if autoneg not supported
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 032/267] rtc: s3c-rtc: Avoid using broken ALMYEAR register Greg Kroah-Hartman
@ 2019-12-16 17:45 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 034/267] clk: rockchip: fix rk3188 sclk_smc gate data Greg Kroah-Hartman
                   ` (237 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mitch Williams, Andrew Bowers,
	Jeff Kirsher, Sasha Levin

From: Mitch Williams <mitch.a.williams@intel.com>

[ Upstream commit 7c3758f7839377ab67529cc50264a640636c47af ]

On link types that do not support autoneg, we cannot attempt to restart
nway negotiation. This results in a dead link that requires a power
cycle to remedy.

Fix this by saving off the autoneg state and checking this value before
we try to restart nway.

Signed-off-by: Mitch Williams <mitch.a.williams@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
index ef22793d6a032..751ac56168843 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
@@ -969,6 +969,7 @@ static int i40e_set_pauseparam(struct net_device *netdev,
 	i40e_status status;
 	u8 aq_failures;
 	int err = 0;
+	u32 is_an;
 
 	/* Changing the port's flow control is not supported if this isn't the
 	 * port's controlling PF
@@ -981,15 +982,14 @@ static int i40e_set_pauseparam(struct net_device *netdev,
 	if (vsi != pf->vsi[pf->lan_vsi])
 		return -EOPNOTSUPP;
 
-	if (pause->autoneg != ((hw_link_info->an_info & I40E_AQ_AN_COMPLETED) ?
-	    AUTONEG_ENABLE : AUTONEG_DISABLE)) {
+	is_an = hw_link_info->an_info & I40E_AQ_AN_COMPLETED;
+	if (pause->autoneg != is_an) {
 		netdev_info(netdev, "To change autoneg please use: ethtool -s <dev> autoneg <on|off>\n");
 		return -EOPNOTSUPP;
 	}
 
 	/* If we have link and don't have autoneg */
-	if (!test_bit(__I40E_DOWN, pf->state) &&
-	    !(hw_link_info->an_info & I40E_AQ_AN_COMPLETED)) {
+	if (!test_bit(__I40E_DOWN, pf->state) && !is_an) {
 		/* Send message that it might not necessarily work*/
 		netdev_info(netdev, "Autoneg did not complete so changing settings may not result in an actual change.\n");
 	}
@@ -1040,7 +1040,7 @@ static int i40e_set_pauseparam(struct net_device *netdev,
 		err = -EAGAIN;
 	}
 
-	if (!test_bit(__I40E_DOWN, pf->state)) {
+	if (!test_bit(__I40E_DOWN, pf->state) && is_an) {
 		/* Give it a little more time to try to come back */
 		msleep(75);
 		if (!test_bit(__I40E_DOWN, pf->state))
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 034/267] clk: rockchip: fix rk3188 sclk_smc gate data
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2019-12-16 17:45 ` [PATCH 4.14 033/267] i40e: dont restart nway if autoneg not supported Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 035/267] clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering Greg Kroah-Hartman
                   ` (236 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Finley Xiao, Johan Jonker,
	Heiko Stuebner, Sasha Levin

From: Finley Xiao <finley.xiao@rock-chips.com>

[ Upstream commit a9f0c0e563717b9f63b3bb1c4a7c2df436a206d9 ]

Fix sclk_smc gate data.
Change variable order, flags come before the register address.

Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
Signed-off-by: Johan Jonker <jbx9999@hotmail.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/rockchip/clk-rk3188.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/rockchip/clk-rk3188.c b/drivers/clk/rockchip/clk-rk3188.c
index 2b0d772b4f432..022fecc9bcdf9 100644
--- a/drivers/clk/rockchip/clk-rk3188.c
+++ b/drivers/clk/rockchip/clk-rk3188.c
@@ -391,8 +391,8 @@ static struct rockchip_clk_branch common_clk_branches[] __initdata = {
 	 * Clock-Architecture Diagram 4
 	 */
 
-	GATE(SCLK_SMC, "sclk_smc", "hclk_peri",
-			RK2928_CLKGATE_CON(2), 4, 0, GFLAGS),
+	GATE(SCLK_SMC, "sclk_smc", "hclk_peri", 0,
+			RK2928_CLKGATE_CON(2), 4, GFLAGS),
 
 	COMPOSITE_NOMUX(SCLK_SPI0, "sclk_spi0", "pclk_peri", 0,
 			RK2928_CLKSEL_CON(25), 0, 7, DFLAGS,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 035/267] clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 034/267] clk: rockchip: fix rk3188 sclk_smc gate data Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 036/267] ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name Greg Kroah-Hartman
                   ` (235 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heiko Stuebner, Sasha Levin

From: Heiko Stuebner <heiko@sntech.de>

[ Upstream commit ac8cb53829a6ba119082e067f5bc8fab3611ce6a ]

Similar to commit a9f0c0e56371 ("clk: rockchip: fix rk3188 sclk_smc
gate data") there is one other gate clock in the rk3188 clock driver
with a similar wrong ordering, the sclk_mac_lbtest. So fix it as well.

Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/rockchip/clk-rk3188.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/rockchip/clk-rk3188.c b/drivers/clk/rockchip/clk-rk3188.c
index 022fecc9bcdf9..8cdfcd77e3ad9 100644
--- a/drivers/clk/rockchip/clk-rk3188.c
+++ b/drivers/clk/rockchip/clk-rk3188.c
@@ -362,8 +362,8 @@ static struct rockchip_clk_branch common_clk_branches[] __initdata = {
 			RK2928_CLKGATE_CON(2), 5, GFLAGS),
 	MUX(SCLK_MAC, "sclk_macref", mux_sclk_macref_p, CLK_SET_RATE_PARENT,
 			RK2928_CLKSEL_CON(21), 4, 1, MFLAGS),
-	GATE(0, "sclk_mac_lbtest", "sclk_macref",
-			RK2928_CLKGATE_CON(2), 12, 0, GFLAGS),
+	GATE(0, "sclk_mac_lbtest", "sclk_macref", 0,
+			RK2928_CLKGATE_CON(2), 12, GFLAGS),
 
 	COMPOSITE(0, "hsadc_src", mux_pll_src_gpll_cpll_p, 0,
 			RK2928_CLKSEL_CON(22), 0, 1, MFLAGS, 8, 8, DFLAGS,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 036/267] ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 035/267] clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 037/267] dlm: fix missing idr_destroy for recover_idr Greg Kroah-Hartman
                   ` (234 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Keeping, Heiko Stuebner, Sasha Levin

From: John Keeping <john@metanate.com>

[ Upstream commit 03d9f8fa2bfdc791865624d3adc29070cf67814e ]

There is no functional change from this, but it is confusing to find two
copies of vcc_sys and no vcc_flash when looking in
/sys/class/regulator/*/name.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/rk3288-rock2-som.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/rk3288-rock2-som.dtsi b/arch/arm/boot/dts/rk3288-rock2-som.dtsi
index b9c471fcbd42b..862c2248fcb6d 100644
--- a/arch/arm/boot/dts/rk3288-rock2-som.dtsi
+++ b/arch/arm/boot/dts/rk3288-rock2-som.dtsi
@@ -63,7 +63,7 @@
 
 	vcc_flash: flash-regulator {
 		compatible = "regulator-fixed";
-		regulator-name = "vcc_sys";
+		regulator-name = "vcc_flash";
 		regulator-min-microvolt = <1800000>;
 		regulator-max-microvolt = <1800000>;
 		startup-delay-us = <150>;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 037/267] dlm: fix missing idr_destroy for recover_idr
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 036/267] ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 038/267] MIPS: SiByte: Enable ZONE_DMA32 for LittleSur Greg Kroah-Hartman
                   ` (233 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Teigland, Sasha Levin

From: David Teigland <teigland@redhat.com>

[ Upstream commit 8fc6ed9a3508a0435b9270c313600799d210d319 ]

Which would leak memory for the idr internals.

Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/lockspace.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
index 610f72ae7ad67..9c8c9a09b4a6d 100644
--- a/fs/dlm/lockspace.c
+++ b/fs/dlm/lockspace.c
@@ -807,6 +807,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
 
 	dlm_delete_debug_file(ls);
 
+	idr_destroy(&ls->ls_recover_idr);
 	kfree(ls->ls_recover_buf);
 
 	/*
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 038/267] MIPS: SiByte: Enable ZONE_DMA32 for LittleSur
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 037/267] dlm: fix missing idr_destroy for recover_idr Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 039/267] net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2 Greg Kroah-Hartman
                   ` (232 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Paul Burton,
	Christoph Hellwig, Ralf Baechle, linux-mips, Sasha Levin

From: Maciej W. Rozycki <macro@linux-mips.org>

[ Upstream commit 756d6d836dbfb04a5a486bc2ec89397aa4533737 ]

The LittleSur board is marked for high memory support and therefore
clearly must provide a way to have enough memory installed for some to
be present outside the low 4GiB physical address range.  With the memory
map of the BCM1250 SOC it has been built around it means over 1GiB of
actual DRAM, as only the first 1GiB is mapped in the low 4GiB physical
address range[1].

Complement commit cce335ae47e2 ("[MIPS] 64-bit Sibyte kernels need
DMA32.") then and also enable ZONE_DMA32 for LittleSur.


[1] "BCM1250/BCM1125/BCM1125H User Manual", Revision 1250_1125-UM100-R,
    Broadcom Corporation, 21 Oct 2002, Section 3: "System Overview",
    "Memory Map", pp. 34-38

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Patchwork: https://patchwork.linux-mips.org/patch/21107/
Fixes: cce335ae47e2 ("[MIPS] 64-bit Sibyte kernels need DMA32.")
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index ae4450e891abc..7e267d657c561 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -812,6 +812,7 @@ config SIBYTE_LITTLESUR
 	select SYS_SUPPORTS_BIG_ENDIAN
 	select SYS_SUPPORTS_HIGHMEM
 	select SYS_SUPPORTS_LITTLE_ENDIAN
+	select ZONE_DMA32 if 64BIT
 
 config SIBYTE_SENTOSA
 	bool "Sibyte BCM91250E-Sentosa"
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 039/267] net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 038/267] MIPS: SiByte: Enable ZONE_DMA32 for LittleSur Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 040/267] scsi: zfcp: drop default switch case which might paper over missing case Greg Kroah-Hartman
                   ` (231 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Healy, Andrew Lunn,
	David S. Miller, Sasha Levin

From: Andrew Lunn <andrew@lunn.ch>

[ Upstream commit ddc49acb659a2d8bfc5fdb0de0ef197712c11d75 ]

We already have a workaround for a couple of switches whose internal
PHYs only have the Marvel OUI, but no model number. We detect such
PHYs and give them the 6390 ID as the model number. However the
mv88e6161 has two SERDES interfaces in the same address range as its
internal PHYs. These suffer from the same problem, the Marvell OUI,
but no model number. As a result, these SERDES interfaces were getting
the same PHY ID as the mv88e6390, even though they are not PHYs, and
the Marvell PHY driver was trying to drive them.

Add a special case to stop this from happen.

Reported-by: Chris Healy <Chris.Healy@zii.aero>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/mv88e6xxx/chip.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index be17194487c68..10ea01459a36b 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -2196,11 +2196,22 @@ static int mv88e6xxx_mdio_read(struct mii_bus *bus, int phy, int reg)
 	mutex_unlock(&chip->reg_lock);
 
 	if (reg == MII_PHYSID2) {
-		/* Some internal PHYS don't have a model number.  Use
-		 * the mv88e6390 family model number instead.
-		 */
-		if (!(val & 0x3f0))
-			val |= MV88E6XXX_PORT_SWITCH_ID_PROD_6390 >> 4;
+		/* Some internal PHYs don't have a model number. */
+		if (chip->info->family != MV88E6XXX_FAMILY_6165)
+			/* Then there is the 6165 family. It gets is
+			 * PHYs correct. But it can also have two
+			 * SERDES interfaces in the PHY address
+			 * space. And these don't have a model
+			 * number. But they are not PHYs, so we don't
+			 * want to give them something a PHY driver
+			 * will recognise.
+			 *
+			 * Use the mv88e6390 family model number
+			 * instead, for anything which really could be
+			 * a PHY,
+			 */
+			if (!(val & 0x3f0))
+				val |= MV88E6XXX_PORT_SWITCH_ID_PROD_6390 >> 4;
 	}
 
 	return err ? err : val;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 040/267] scsi: zfcp: drop default switch case which might paper over missing case
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 039/267] net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2 Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 041/267] crypto: ecc - check for invalid values in the key verification test Greg Kroah-Hartman
                   ` (230 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen, Sasha Levin

From: Steffen Maier <maier@linux.ibm.com>

[ Upstream commit 0c902936e55cff9335b27ed632fc45e7115ced75 ]

This was introduced with v4.18 commit 8c3d20aada70 ("scsi: zfcp: fix
missing REC trigger trace for all objects in ERP_FAILED") but would now
suppress helpful -Wswitch compiler warnings when building with W=1 such as
the following forced example:

drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_handle_failed':
drivers/s390/scsi/zfcp_erp.c:126:2: warning: enumeration value 'ZFCP_ERP_ACTION_REOPEN_PORT_FORCED' not handled in switch [-Wswitch]
  switch (want) {
  ^~~~~~

But then again, only with W=1 we would notice unhandled enum cases.
Without the default cases and a missed unhandled enum case, the code might
perform unforeseen things we might not want...

As of today, we never run through the removed default case, so removing it
is no functional change.  In the future, we never should run through a
default case but introduce the necessary specific case(s) to handle new
functionality.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/scsi/zfcp_erp.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
index 64d70de98cdb6..8f90e4cea2545 100644
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -179,9 +179,6 @@ static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter,
 				adapter, ZFCP_STATUS_COMMON_ERP_FAILED);
 		}
 		break;
-	default:
-		need = 0;
-		break;
 	}
 
 	return need;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 041/267] crypto: ecc - check for invalid values in the key verification test
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 040/267] scsi: zfcp: drop default switch case which might paper over missing case Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 042/267] crypto: bcm - fix normal/non key hash algorithm failure Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vitaly Chikunov, Herbert Xu, Sasha Levin

From: Vitaly Chikunov <vt@altlinux.org>

[ Upstream commit 2eb4942b6609d35a4e835644a33203b0aef7443d ]

Currently used scalar multiplication algorithm (Matthieu Rivain, 2011)
have invalid values for scalar == 1, n-1, and for regularized version
n-2, which was previously not checked. Verify that they are not used as
private keys.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/ecc.c | 42 ++++++++++++++++++++++++++----------------
 1 file changed, 26 insertions(+), 16 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 18f32f2a5e1c9..3b422e24e647e 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -904,30 +904,43 @@ static inline void ecc_swap_digits(const u64 *in, u64 *out,
 		out[i] = __swab64(in[ndigits - 1 - i]);
 }
 
-int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
-		     const u64 *private_key, unsigned int private_key_len)
+static int __ecc_is_key_valid(const struct ecc_curve *curve,
+			      const u64 *private_key, unsigned int ndigits)
 {
-	int nbytes;
-	const struct ecc_curve *curve = ecc_get_curve(curve_id);
+	u64 one[ECC_MAX_DIGITS] = { 1, };
+	u64 res[ECC_MAX_DIGITS];
 
 	if (!private_key)
 		return -EINVAL;
 
-	nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
-
-	if (private_key_len != nbytes)
+	if (curve->g.ndigits != ndigits)
 		return -EINVAL;
 
-	if (vli_is_zero(private_key, ndigits))
+	/* Make sure the private key is in the range [2, n-3]. */
+	if (vli_cmp(one, private_key, ndigits) != -1)
 		return -EINVAL;
-
-	/* Make sure the private key is in the range [1, n-1]. */
-	if (vli_cmp(curve->n, private_key, ndigits) != 1)
+	vli_sub(res, curve->n, one, ndigits);
+	vli_sub(res, res, one, ndigits);
+	if (vli_cmp(res, private_key, ndigits) != 1)
 		return -EINVAL;
 
 	return 0;
 }
 
+int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
+		     const u64 *private_key, unsigned int private_key_len)
+{
+	int nbytes;
+	const struct ecc_curve *curve = ecc_get_curve(curve_id);
+
+	nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
+
+	if (private_key_len != nbytes)
+		return -EINVAL;
+
+	return __ecc_is_key_valid(curve, private_key, ndigits);
+}
+
 /*
  * ECC private keys are generated using the method of extra random bits,
  * equivalent to that described in FIPS 186-4, Appendix B.4.1.
@@ -971,11 +984,8 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
 	if (err)
 		return err;
 
-	if (vli_is_zero(priv, ndigits))
-		return -EINVAL;
-
-	/* Make sure the private key is in the range [1, n-1]. */
-	if (vli_cmp(curve->n, priv, ndigits) != 1)
+	/* Make sure the private key is in the valid range. */
+	if (__ecc_is_key_valid(curve, priv, ndigits))
 		return -EINVAL;
 
 	ecc_swap_digits(priv, privkey, ndigits);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 042/267] crypto: bcm - fix normal/non key hash algorithm failure
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 041/267] crypto: ecc - check for invalid values in the key verification test Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 043/267] pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Raveendra Padasalagi, Herbert Xu,
	Sasha Levin

From: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com>

[ Upstream commit 4f0129d13e69bad0363fd75553fb22897b32c379 ]

Remove setkey() callback handler for normal/non key
hash algorithms and keep it for AES-CBC/CMAC which needs key.

Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
Signed-off-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/bcm/cipher.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/bcm/cipher.c b/drivers/crypto/bcm/cipher.c
index b6be383a51a6a..84422435f39b4 100644
--- a/drivers/crypto/bcm/cipher.c
+++ b/drivers/crypto/bcm/cipher.c
@@ -4637,12 +4637,16 @@ static int spu_register_ahash(struct iproc_alg_s *driver_alg)
 	hash->halg.statesize = sizeof(struct spu_hash_export_s);
 
 	if (driver_alg->auth_info.mode != HASH_MODE_HMAC) {
-		hash->setkey = ahash_setkey;
 		hash->init = ahash_init;
 		hash->update = ahash_update;
 		hash->final = ahash_final;
 		hash->finup = ahash_finup;
 		hash->digest = ahash_digest;
+		if ((driver_alg->auth_info.alg == HASH_ALG_AES) &&
+		    ((driver_alg->auth_info.mode == HASH_MODE_XCBC) ||
+		    (driver_alg->auth_info.mode == HASH_MODE_CMAC))) {
+			hash->setkey = ahash_setkey;
+		}
 	} else {
 		hash->setkey = ahash_hmac_setkey;
 		hash->init = ahash_hmac_init;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 043/267] pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 042/267] crypto: bcm - fix normal/non key hash algorithm failure Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 044/267] Staging: iio: adt7316: Fix i2c data reading, set the data field Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Masney, Bjorn Andersson,
	Linus Walleij, Sasha Levin

From: Brian Masney <masneyb@onstation.org>

[ Upstream commit 7ed07855773814337b9814f1c3e866df52ebce68 ]

When attempting to setup up a gpio hog, device probing will repeatedly
fail with -EPROBE_DEFERED errors. It is caused by a circular dependency
between the gpio and pinctrl frameworks. If the gpio-ranges property is
present in device tree, then the gpio framework will handle the gpio pin
registration and eliminate the circular dependency.

See Christian Lamparter's commit a86caa9ba5d7 ("pinctrl: msm: fix
gpio-hog related boot issues") for a detailed commit message that
explains the issue in much more detail. The code comment in this commit
came from Christian's commit.

I did not test this change against any hardware supported by this
particular driver, however I was able to validate this same fix works
for pinctrl-spmi-gpio.c using a LG Nexus 5 (hammerhead) phone.

Signed-off-by: Brian Masney <masneyb@onstation.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
index 0e153bae322ee..6bed433e54205 100644
--- a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
+++ b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
@@ -762,12 +762,23 @@ static int pm8xxx_gpio_probe(struct platform_device *pdev)
 		return ret;
 	}
 
-	ret = gpiochip_add_pin_range(&pctrl->chip,
-				     dev_name(pctrl->dev),
-				     0, 0, pctrl->chip.ngpio);
-	if (ret) {
-		dev_err(pctrl->dev, "failed to add pin range\n");
-		goto unregister_gpiochip;
+	/*
+	 * For DeviceTree-supported systems, the gpio core checks the
+	 * pinctrl's device node for the "gpio-ranges" property.
+	 * If it is present, it takes care of adding the pin ranges
+	 * for the driver. In this case the driver can skip ahead.
+	 *
+	 * In order to remain compatible with older, existing DeviceTree
+	 * files which don't set the "gpio-ranges" property or systems that
+	 * utilize ACPI the driver has to call gpiochip_add_pin_range().
+	 */
+	if (!of_property_read_bool(pctrl->dev->of_node, "gpio-ranges")) {
+		ret = gpiochip_add_pin_range(&pctrl->chip, dev_name(pctrl->dev),
+					     0, 0, pctrl->chip.ngpio);
+		if (ret) {
+			dev_err(pctrl->dev, "failed to add pin range\n");
+			goto unregister_gpiochip;
+		}
 	}
 
 	platform_set_drvdata(pdev, pctrl);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 044/267] Staging: iio: adt7316: Fix i2c data reading, set the data field
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 043/267] pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 045/267] mm/vmstat.c: fix NUMA statistics updates Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shreeya Patel, Jonathan Cameron, Sasha Levin

From: Shreeya Patel <shreeya.patel23498@gmail.com>

[ Upstream commit 688cd642ba0c393344c802647848da5f0d925d0e ]

adt7316_i2c_read function nowhere sets the data field.
It is necessary to have an appropriate value for it.
Hence, assign the value stored in 'ret' variable to data field.

This is an ancient bug, and as no one seems to have noticed,
probably no sense in applying it to stable.

Signed-off-by: Shreeya Patel <shreeya.patel23498@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/iio/addac/adt7316-i2c.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/iio/addac/adt7316-i2c.c b/drivers/staging/iio/addac/adt7316-i2c.c
index f66dd3ebbab1f..856bcfa60c6c4 100644
--- a/drivers/staging/iio/addac/adt7316-i2c.c
+++ b/drivers/staging/iio/addac/adt7316-i2c.c
@@ -35,6 +35,8 @@ static int adt7316_i2c_read(void *client, u8 reg, u8 *data)
 		return ret;
 	}
 
+	*data = ret;
+
 	return 0;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 045/267] mm/vmstat.c: fix NUMA statistics updates
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 044/267] Staging: iio: adt7316: Fix i2c data reading, set the data field Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 046/267] clk: rockchip: fix I2S1 clock gate register for rk3328 Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Janne Huttunen, Michal Hocko,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Janne Huttunen <janne.huttunen@nokia.com>

[ Upstream commit 13c9aaf7fa01cc7600c61981609feadeef3354ec ]

Scan through the whole array to see if an update is needed.  While we're
at it, use sizeof() to be safe against any possible type changes in the
future.

The bug here is that we wouldn't sync per-cpu counters into global ones
if there was an update of numa_stats for higher cpus.  Highly
theoretical one though because it is much more probable that zone_stats
are updated so we would refresh anyway.  So I wouldn't bother to mark
this for stable, yet something nice to fix.

[mhocko@suse.com: changelog enhancement]
Link: http://lkml.kernel.org/r/1541601517-17282-1-git-send-email-janne.huttunen@nokia.com
Fixes: 1d90ca897cb0 ("mm: update NUMA counter threshold size")
Signed-off-by: Janne Huttunen <janne.huttunen@nokia.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/vmstat.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/vmstat.c b/mm/vmstat.c
index ba91683264134..e2197b03da574 100644
--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -1805,12 +1805,13 @@ static bool need_update(int cpu)
 
 		/*
 		 * The fast way of checking if there are any vmstat diffs.
-		 * This works because the diffs are byte sized items.
 		 */
-		if (memchr_inv(p->vm_stat_diff, 0, NR_VM_ZONE_STAT_ITEMS))
+		if (memchr_inv(p->vm_stat_diff, 0, NR_VM_ZONE_STAT_ITEMS *
+			       sizeof(p->vm_stat_diff[0])))
 			return true;
 #ifdef CONFIG_NUMA
-		if (memchr_inv(p->vm_numa_stat_diff, 0, NR_VM_NUMA_STAT_ITEMS))
+		if (memchr_inv(p->vm_numa_stat_diff, 0, NR_VM_NUMA_STAT_ITEMS *
+			       sizeof(p->vm_numa_stat_diff[0])))
 			return true;
 #endif
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 046/267] clk: rockchip: fix I2S1 clock gate register for rk3328
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 045/267] mm/vmstat.c: fix NUMA statistics updates Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 047/267] clk: rockchip: fix ID of 8ch clock of I2S1 " Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Katsuhiro Suzuki, Heiko Stuebner,
	Sasha Levin

From: Katsuhiro Suzuki <katsuhiro@katsuster.net>

[ Upstream commit 5c73ac2f8b70834a603eb2d92eb0bb464634420b ]

This patch fixes definition of I2S1 clock gate register for rk3328.
Current setting is not related I2S clocks.
  - bit6 of CRU_CLKGATE_CON0 means clk_ddrmon_en
  - bit6 of CRU_CLKGATE_CON1 means clk_i2s1_en

Signed-off-by: Katsuhiro Suzuki <katsuhiro@katsuster.net>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/rockchip/clk-rk3328.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c
index 33d1cf4e6d803..0e5222d1944b5 100644
--- a/drivers/clk/rockchip/clk-rk3328.c
+++ b/drivers/clk/rockchip/clk-rk3328.c
@@ -392,7 +392,7 @@ static struct rockchip_clk_branch rk3328_clk_branches[] __initdata = {
 			RK3328_CLKGATE_CON(1), 5, GFLAGS,
 			&rk3328_i2s1_fracmux),
 	GATE(SCLK_I2S1, "clk_i2s1", "i2s1_pre", CLK_SET_RATE_PARENT,
-			RK3328_CLKGATE_CON(0), 6, GFLAGS),
+			RK3328_CLKGATE_CON(1), 6, GFLAGS),
 	COMPOSITE_NODIV(SCLK_I2S1_OUT, "i2s1_out", mux_i2s1out_p, 0,
 			RK3328_CLKSEL_CON(8), 12, 1, MFLAGS,
 			RK3328_CLKGATE_CON(1), 7, GFLAGS),
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 047/267] clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 046/267] clk: rockchip: fix I2S1 clock gate register for rk3328 Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 048/267] regulator: Fix return value of _set_load() stub Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Katsuhiro Suzuki, Heiko Stuebner,
	Sasha Levin

From: Katsuhiro Suzuki <katsuhiro@katsuster.net>

[ Upstream commit df7b1f2e0a4ae0fceff261e29cde63dafcf2360f ]

This patch fixes mistakes in HCLK_I2S1_8CH for running I2S1
successfully.

Signed-off-by: Katsuhiro Suzuki <katsuhiro@katsuster.net>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/dt-bindings/clock/rk3328-cru.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/dt-bindings/clock/rk3328-cru.h b/include/dt-bindings/clock/rk3328-cru.h
index d2b26a4b43ebd..4a9db1b2669b8 100644
--- a/include/dt-bindings/clock/rk3328-cru.h
+++ b/include/dt-bindings/clock/rk3328-cru.h
@@ -178,7 +178,7 @@
 #define HCLK_TSP		309
 #define HCLK_GMAC		310
 #define HCLK_I2S0_8CH		311
-#define HCLK_I2S1_8CH		313
+#define HCLK_I2S1_8CH		312
 #define HCLK_I2S2_2CH		313
 #define HCLK_SPDIF_8CH		314
 #define HCLK_VOP		315
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 048/267] regulator: Fix return value of _set_load() stub
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 047/267] clk: rockchip: fix ID of 8ch clock of I2S1 " Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 049/267] net-next/hinic:fix a bug in set mac address Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cheng-Yi Chiang, Mark Brown,
	Douglas Anderson, Sasha Levin

From: Mark Brown <broonie@kernel.org>

[ Upstream commit f1abf67217de91f5cd3c757ae857632ca565099a ]

The stub implementation of _set_load() returns a mode value which is
within the bounds of valid return codes for success (the documentation
just says that failures are negative error codes) but not sensible or
what the actual implementation does.  Fix it to just return 0.

Reported-by: Cheng-Yi Chiang <cychiang@chromium.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/regulator/consumer.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h
index 25602afd48447..f3f76051e8b00 100644
--- a/include/linux/regulator/consumer.h
+++ b/include/linux/regulator/consumer.h
@@ -508,7 +508,7 @@ static inline int regulator_get_error_flags(struct regulator *regulator,
 
 static inline int regulator_set_load(struct regulator *regulator, int load_uA)
 {
-	return REGULATOR_MODE_NORMAL;
+	return 0;
 }
 
 static inline int regulator_allow_bypass(struct regulator *regulator,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 049/267] net-next/hinic:fix a bug in set mac address
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 048/267] regulator: Fix return value of _set_load() stub Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 050/267] iomap: sub-block dio needs to zeroout beyond EOF Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xue Chaojing, David S. Miller, Sasha Levin

From: Xue Chaojing <xuechaojing@huawei.com>

[ Upstream commit 9ea72dc9430306b77c73a8a21beb51437cde1d6d ]

In add_mac_addr(), if the MAC address is a muliticast address,
it will not be set, which causes the network card fail to receive
the multicast packet. This patch fixes this bug.

Signed-off-by: Xue Chaojing <xuechaojing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/huawei/hinic/hinic_main.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c
index a696b5b2d40e6..44c73215d0264 100644
--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c
+++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c
@@ -598,9 +598,6 @@ static int add_mac_addr(struct net_device *netdev, const u8 *addr)
 	u16 vid = 0;
 	int err;
 
-	if (!is_valid_ether_addr(addr))
-		return -EADDRNOTAVAIL;
-
 	netif_info(nic_dev, drv, netdev, "set mac addr = %02x %02x %02x %02x %02x %02x\n",
 		   addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
 
@@ -724,6 +721,7 @@ static void set_rx_mode(struct work_struct *work)
 {
 	struct hinic_rx_mode_work *rx_mode_work = work_to_rx_mode_work(work);
 	struct hinic_dev *nic_dev = rx_mode_work_to_nic_dev(rx_mode_work);
+	struct netdev_hw_addr *ha;
 
 	netif_info(nic_dev, drv, nic_dev->netdev, "set rx mode work\n");
 
@@ -731,6 +729,9 @@ static void set_rx_mode(struct work_struct *work)
 
 	__dev_uc_sync(nic_dev->netdev, add_mac_addr, remove_mac_addr);
 	__dev_mc_sync(nic_dev->netdev, add_mac_addr, remove_mac_addr);
+
+	netdev_for_each_mc_addr(ha, nic_dev->netdev)
+		add_mac_addr(nic_dev->netdev, ha->addr);
 }
 
 static void hinic_set_rx_mode(struct net_device *netdev)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 050/267] iomap: sub-block dio needs to zeroout beyond EOF
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 049/267] net-next/hinic:fix a bug in set mac address Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 051/267] MIPS: OCTEON: octeon-platform: fix typing Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Chinner, Christoph Hellwig,
	Darrick J. Wong, Sasha Levin

From: Dave Chinner <dchinner@redhat.com>

[ Upstream commit b450672fb66b4a991a5b55ee24209ac7ae7690ce ]

If we are doing sub-block dio that extends EOF, we need to zero
the unused tail of the block to initialise the data in it it. If we
do not zero the tail of the block, then an immediate mmap read of
the EOF block will expose stale data beyond EOF to userspace. Found
with fsx running sub-block DIO sizes vs MAPREAD/MAPWRITE operations.

Fix this by detecting if the end of the DIO write is beyond EOF
and zeroing the tail if necessary.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/iomap.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/iomap.c b/fs/iomap.c
index 467d98bf70542..1cf160ced0d46 100644
--- a/fs/iomap.c
+++ b/fs/iomap.c
@@ -941,7 +941,14 @@ iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length,
 		dio->submit.cookie = submit_bio(bio);
 	} while (nr_pages);
 
-	if (need_zeroout) {
+	/*
+	 * We need to zeroout the tail of a sub-block write if the extent type
+	 * requires zeroing or the write extends beyond EOF. If we don't zero
+	 * the block tail in the latter case, we can expose stale data via mmap
+	 * reads of the EOF block.
+	 */
+	if (need_zeroout ||
+	    ((dio->flags & IOMAP_DIO_WRITE) && pos >= i_size_read(inode))) {
 		/* zero out from the end of the write to the end of the block */
 		pad = pos & (fs_block_size - 1);
 		if (pad)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 051/267] MIPS: OCTEON: octeon-platform: fix typing
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 050/267] iomap: sub-block dio needs to zeroout beyond EOF Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 052/267] net/smc: use after free fix in smc_wr_tx_put_slot() Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Paul Burton,
	Ralf Baechle, James Hogan, linux-mips, Sasha Levin

From: Aaro Koskinen <aaro.koskinen@iki.fi>

[ Upstream commit 2cf1c8933dd93088cfb5f8f58b3bb9bbdf1781b9 ]

Use correct type for fdt_property nameoff field.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/21204/
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@linux-mips.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/cavium-octeon/octeon-platform.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/cavium-octeon/octeon-platform.c b/arch/mips/cavium-octeon/octeon-platform.c
index 1d92efb82c372..e1e24118c169e 100644
--- a/arch/mips/cavium-octeon/octeon-platform.c
+++ b/arch/mips/cavium-octeon/octeon-platform.c
@@ -501,7 +501,7 @@ static void __init octeon_fdt_set_phy(int eth, int phy_addr)
 	if (phy_addr >= 256 && alt_phy > 0) {
 		const struct fdt_property *phy_prop;
 		struct fdt_property *alt_prop;
-		u32 phy_handle_name;
+		fdt32_t phy_handle_name;
 
 		/* Use the alt phy node instead.*/
 		phy_prop = fdt_get_property(initial_boot_params, eth, "phy-handle", NULL);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 052/267] net/smc: use after free fix in smc_wr_tx_put_slot()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 051/267] MIPS: OCTEON: octeon-platform: fix typing Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 053/267] math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ursula Braun, David S. Miller, Sasha Levin

From: Ursula Braun <ursula.braun@linux.ibm.com>

[ Upstream commit e438bae43c1e08e688c09c410407b59fc1c173b4 ]

In smc_wr_tx_put_slot() field pend->idx is used after being
cleared. That means always idx 0 is cleared in the wr_tx_mask.
This results in a broken administration of available WR send
payload buffers.

Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/smc/smc_wr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c
index de4537f66832a..ed6736a1a112e 100644
--- a/net/smc/smc_wr.c
+++ b/net/smc/smc_wr.c
@@ -223,12 +223,14 @@ int smc_wr_tx_put_slot(struct smc_link *link,
 
 	pend = container_of(wr_pend_priv, struct smc_wr_tx_pend, priv);
 	if (pend->idx < link->wr_tx_cnt) {
+		u32 idx = pend->idx;
+
 		/* clear the full struct smc_wr_tx_pend including .priv */
 		memset(&link->wr_tx_pends[pend->idx], 0,
 		       sizeof(link->wr_tx_pends[pend->idx]));
 		memset(&link->wr_tx_bufs[pend->idx], 0,
 		       sizeof(link->wr_tx_bufs[pend->idx]));
-		test_and_clear_bit(pend->idx, link->wr_tx_mask);
+		test_and_clear_bit(idx, link->wr_tx_mask);
 		return 1;
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 053/267] math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 052/267] net/smc: use after free fix in smc_wr_tx_put_slot() Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 054/267] rtc: max8997: Fix the returned value in case of error in max8997_rtc_read_alarm() Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincent Chen, Greentime Hu, Sasha Levin

From: Vincent Chen <vincentc@andestech.com>

[ Upstream commit 83312f1b7ae205dca647bf52bbe2d51303cdedfb ]

_FP_ROUND_ZERO is defined as 0 and used as a statemente in macro
_FP_ROUND. This generates "error: statement with no effect
[-Werror=unused-value]" from gcc. Defining _FP_ROUND_ZERO as (void)0 to
fix it.

This modification is quoted from glibc 'commit <In libc/:>
(8ed1e7d5894000c155acbd06f)'

Signed-off-by: Vincent Chen <vincentc@andestech.com>
Acked-by: Greentime Hu <greentime@andestech.com>
Signed-off-by: Greentime Hu <greentime@andestech.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/math-emu/soft-fp.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/math-emu/soft-fp.h b/include/math-emu/soft-fp.h
index 3f284bc031809..5650c16283830 100644
--- a/include/math-emu/soft-fp.h
+++ b/include/math-emu/soft-fp.h
@@ -138,7 +138,7 @@ do {							\
       _FP_FRAC_ADDI_##wc(X, _FP_WORK_ROUND);		\
 } while (0)
 
-#define _FP_ROUND_ZERO(wc, X)		0
+#define _FP_ROUND_ZERO(wc, X)		(void)0
 
 #define _FP_ROUND_PINF(wc, X)				\
 do {							\
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 054/267] rtc: max8997: Fix the returned value in case of error in max8997_rtc_read_alarm()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 053/267] math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 055/267] rtc: dt-binding: abx80x: fix resistance scale Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET,
	Alexandre Belloni, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 41ef3878203cd9218d92eaa07df4b85a2cb128fb ]

In case of error, we return 0.
This is spurious and not consistent with the other functions of the driver.
Propagate the error code instead.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-max8997.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/rtc/rtc-max8997.c b/drivers/rtc/rtc-max8997.c
index db984d4bf9526..4cce5bd448f65 100644
--- a/drivers/rtc/rtc-max8997.c
+++ b/drivers/rtc/rtc-max8997.c
@@ -221,7 +221,7 @@ static int max8997_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
 
 out:
 	mutex_unlock(&info->lock);
-	return 0;
+	return ret;
 }
 
 static int max8997_rtc_stop_alarm(struct max8997_rtc_info *info)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 055/267] rtc: dt-binding: abx80x: fix resistance scale
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 054/267] rtc: max8997: Fix the returned value in case of error in max8997_rtc_read_alarm() Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 056/267] ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Baruch Siach, Alexandre Belloni, Sasha Levin

From: Baruch Siach <baruch@tkos.co.il>

[ Upstream commit 73852e56827f5cb5db9d6e8dd8191fc2f2e8f424 ]

The abracon,tc-resistor property value is in kOhm.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/devicetree/bindings/rtc/abracon,abx80x.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Documentation/devicetree/bindings/rtc/abracon,abx80x.txt b/Documentation/devicetree/bindings/rtc/abracon,abx80x.txt
index be789685a1c24..18b892d010d87 100644
--- a/Documentation/devicetree/bindings/rtc/abracon,abx80x.txt
+++ b/Documentation/devicetree/bindings/rtc/abracon,abx80x.txt
@@ -27,4 +27,4 @@ and valid to enable charging:
 
  - "abracon,tc-diode": should be "standard" (0.6V) or "schottky" (0.3V)
  - "abracon,tc-resistor": should be <0>, <3>, <6> or <11>. 0 disables the output
-                          resistor, the other values are in ohm.
+                          resistor, the other values are in kOhm.
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 056/267] ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 055/267] rtc: dt-binding: abx80x: fix resistance scale Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 057/267] media: pulse8-cec: return 0 when invalidating the logical address Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski,
	Krzysztof Kozlowski, Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit 6035cbcceb069f87296b3cd0bc4736ad5618bf47 ]

DWC2 hardware module integrated in Samsung SoCs requires some quirks to
operate properly, so use Samsung SoC specific compatible to notify driver
to apply respective fixes.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/exynos3250.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/exynos3250.dtsi b/arch/arm/boot/dts/exynos3250.dtsi
index aa06a02c3ff59..5ba6622549097 100644
--- a/arch/arm/boot/dts/exynos3250.dtsi
+++ b/arch/arm/boot/dts/exynos3250.dtsi
@@ -359,7 +359,7 @@
 		};
 
 		hsotg: hsotg@12480000 {
-			compatible = "snps,dwc2";
+			compatible = "samsung,s3c6400-hsotg", "snps,dwc2";
 			reg = <0x12480000 0x20000>;
 			interrupts = <GIC_SPI 141 IRQ_TYPE_LEVEL_HIGH>;
 			clocks = <&cmu CLK_USBOTG>;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 057/267] media: pulse8-cec: return 0 when invalidating the logical address
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 056/267] ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 058/267] media: cec: report Vendor ID after initialization Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Torbjorn Jansson,
	Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin

From: Hans Verkuil <hverkuil@xs4all.nl>

[ Upstream commit 2e84eb9affac43eeaf834992888b72426a8cd442 ]

Return 0 when invalidating the logical address. The cec core produces
a warning for drivers that do this.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reported-by: Torbjorn Jansson <torbjorn.jansson@mbox200.swipnet.se>
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/pulse8-cec/pulse8-cec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/pulse8-cec/pulse8-cec.c b/drivers/media/usb/pulse8-cec/pulse8-cec.c
index 50146f263d904..12da631c0fda0 100644
--- a/drivers/media/usb/pulse8-cec/pulse8-cec.c
+++ b/drivers/media/usb/pulse8-cec/pulse8-cec.c
@@ -585,7 +585,7 @@ unlock:
 	else
 		pulse8->config_pending = true;
 	mutex_unlock(&pulse8->config_lock);
-	return err;
+	return log_addr == CEC_LOG_ADDR_INVALID ? 0 : err;
 }
 
 static int pulse8_cec_adap_transmit(struct cec_adapter *adap, u8 attempts,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 058/267] media: cec: report Vendor ID after initialization
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 057/267] media: pulse8-cec: return 0 when invalidating the logical address Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 059/267] dmaengine: coh901318: Fix a double-lock bug Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Mauro Carvalho Chehab,
	Sasha Levin

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

[ Upstream commit 7f02ac77c768ba2bcdd0ce719c1fca0870ffe2fb ]

The CEC specification requires that the Vendor ID (if any) is reported
after a logical address was claimed.

This was never done, so add support for this.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/cec/cec-adap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c
index f8a808d45034e..27e57915eb4d1 100644
--- a/drivers/media/cec/cec-adap.c
+++ b/drivers/media/cec/cec-adap.c
@@ -1403,6 +1403,13 @@ configured:
 			las->log_addr[i],
 			cec_phys_addr_exp(adap->phys_addr));
 		cec_transmit_msg_fh(adap, &msg, NULL, false);
+
+		/* Report Vendor ID */
+		if (adap->log_addrs.vendor_id != CEC_VENDOR_ID_NONE) {
+			cec_msg_device_vendor_id(&msg,
+						 adap->log_addrs.vendor_id);
+			cec_transmit_msg_fh(adap, &msg, NULL, false);
+		}
 	}
 	adap->kthread_config = NULL;
 	complete(&adap->config_completion);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 059/267] dmaengine: coh901318: Fix a double-lock bug
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 058/267] media: cec: report Vendor ID after initialization Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 060/267] dmaengine: coh901318: Remove unused variable Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, Linus Walleij,
	Vinod Koul, Sasha Levin

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit 627469e4445b9b12e0229b3bdf8564d5ce384dd7 ]

The function coh901318_alloc_chan_resources() calls spin_lock_irqsave()
before calling coh901318_config().
But coh901318_config() calls spin_lock_irqsave() again in its
definition, which may cause a double-lock bug.

Because coh901318_config() is only called by
coh901318_alloc_chan_resources(), the bug fix is to remove the
calls to spin-lock and -unlock functions in coh901318_config().

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/dma/coh901318.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/dma/coh901318.c
+++ b/drivers/dma/coh901318.c
@@ -1802,8 +1802,6 @@ static int coh901318_config(struct coh90
 	int channel = cohc->id;
 	void __iomem *virtbase = cohc->base->virtbase;
 
-	spin_lock_irqsave(&cohc->lock, flags);
-
 	if (param)
 		p = param;
 	else
@@ -1823,8 +1821,6 @@ static int coh901318_config(struct coh90
 	coh901318_set_conf(cohc, p->config);
 	coh901318_set_ctrl(cohc, p->ctrl_lli_last);
 
-	spin_unlock_irqrestore(&cohc->lock, flags);
-
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 060/267] dmaengine: coh901318: Remove unused variable
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 059/267] dmaengine: coh901318: Fix a double-lock bug Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 061/267] dmaengine: dw-dmac: implement dma protection control setting Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stephen Rothwell, Vinod Koul

From: Vinod Koul <vkoul@kernel.org>

commit 35faaf0df42d285b40f8a6310afbe096720f7758 upstream.

Commit 627469e4445b ("dmaengine: coh901318: Fix a double-lock bug") left
flags variable unused, so remove it to fix the warning.

drivers/dma/coh901318.c: In function 'coh901318_config':
drivers/dma/coh901318.c:1805:16: warning: unused variable 'flags' [-Wunused-variable]
  unsigned long flags;
                ^~~~~

Fixes: 627469e4445b ("dmaengine: coh901318: Fix a double-lock bug")
Reported-By: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/coh901318.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/dma/coh901318.c
+++ b/drivers/dma/coh901318.c
@@ -1797,7 +1797,6 @@ static struct dma_chan *coh901318_xlate(
 static int coh901318_config(struct coh901318_chan *cohc,
 			    struct coh901318_params *param)
 {
-	unsigned long flags;
 	const struct coh901318_params *p;
 	int channel = cohc->id;
 	void __iomem *virtbase = cohc->base->virtbase;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 061/267] dmaengine: dw-dmac: implement dma protection control setting
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 060/267] dmaengine: coh901318: Remove unused variable Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 062/267] usb: dwc3: debugfs: Properly print/set link state for HS Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Christian Lamparter,
	Vinod Koul, Sasha Levin

From: Christian Lamparter <chunkeey@gmail.com>

[ Upstream commit 7b0c03ecc42fb223baf015877fee9d517c2c8af1 ]

This patch adds a new device-tree property that allows to
specify the dma protection control bits for the all of the
DMA controller's channel uniformly.

Setting the "correct" bits can have a huge impact on the
PPC460EX and APM82181 that use this DMA engine in combination
with a DesignWare' SATA-II core (sata_dwc_460ex driver).

In the OpenWrt Forum, the user takimata reported that:
|It seems your patch unleashed the full power of the SATA port.
|Where I was previously hitting a really hard limit at around
|82 MB/s for reading and 27 MB/s for writing, I am now getting this:
|
|root@OpenWrt:/mnt# time dd if=/dev/zero of=tempfile bs=1M count=1024
|1024+0 records in
|1024+0 records out
|real    0m 13.65s
|user    0m 0.01s
|sys     0m 11.89s
|
|root@OpenWrt:/mnt# time dd if=tempfile of=/dev/null bs=1M count=1024
|1024+0 records in
|1024+0 records out
|real    0m 8.41s
|user    0m 0.01s
|sys     0m 4.70s
|
|This means: 121 MB/s reading and 75 MB/s writing!
|
|The drive is a WD Green WD10EARX taken from an older MBL Single.
|I repeated the test a few times with even larger files to rule out
|any caching, I'm still seeing the same great performance. OpenWrt is
|now completely on par with the original MBL firmware's performance.

Another user And.short reported:
|I can report that your fix worked! Boots up fine with two
|drives even with more partitions, and no more reboot on
|concurrent disk access!

A closer look into the sata_dwc_460ex code revealed that
the driver did initally set the correct protection control
bits. However, this feature was lost when the sata_dwc_460ex
driver was converted to the generic DMA driver framework.

BugLink: https://forum.openwrt.org/t/wd-mybook-live-duo-two-disks/16195/55
BugLink: https://forum.openwrt.org/t/wd-mybook-live-duo-two-disks/16195/50
Fixes: 8b3444852a2b ("sata_dwc_460ex: move to generic DMA driver")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/dw/core.c                | 2 ++
 drivers/dma/dw/platform.c            | 6 ++++++
 drivers/dma/dw/regs.h                | 4 ++++
 include/linux/platform_data/dma-dw.h | 6 ++++++
 4 files changed, 18 insertions(+)

diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c
index 0f389e008ce64..055d83b6cb68a 100644
--- a/drivers/dma/dw/core.c
+++ b/drivers/dma/dw/core.c
@@ -160,12 +160,14 @@ static void dwc_initialize_chan_idma32(struct dw_dma_chan *dwc)
 
 static void dwc_initialize_chan_dw(struct dw_dma_chan *dwc)
 {
+	struct dw_dma *dw = to_dw_dma(dwc->chan.device);
 	u32 cfghi = DWC_CFGH_FIFO_MODE;
 	u32 cfglo = DWC_CFGL_CH_PRIOR(dwc->priority);
 	bool hs_polarity = dwc->dws.hs_polarity;
 
 	cfghi |= DWC_CFGH_DST_PER(dwc->dws.dst_id);
 	cfghi |= DWC_CFGH_SRC_PER(dwc->dws.src_id);
+	cfghi |= DWC_CFGH_PROTCTL(dw->pdata->protctl);
 
 	/* Set polarity of handshake interface */
 	cfglo |= hs_polarity ? DWC_CFGL_HS_DST_POL | DWC_CFGL_HS_SRC_POL : 0;
diff --git a/drivers/dma/dw/platform.c b/drivers/dma/dw/platform.c
index bc31fe8020619..46a519e07195c 100644
--- a/drivers/dma/dw/platform.c
+++ b/drivers/dma/dw/platform.c
@@ -162,6 +162,12 @@ dw_dma_parse_dt(struct platform_device *pdev)
 			pdata->multi_block[tmp] = 1;
 	}
 
+	if (!of_property_read_u32(np, "snps,dma-protection-control", &tmp)) {
+		if (tmp > CHAN_PROTCTL_MASK)
+			return NULL;
+		pdata->protctl = tmp;
+	}
+
 	return pdata;
 }
 #else
diff --git a/drivers/dma/dw/regs.h b/drivers/dma/dw/regs.h
index 09e7dfdbb7907..646c9c960c071 100644
--- a/drivers/dma/dw/regs.h
+++ b/drivers/dma/dw/regs.h
@@ -200,6 +200,10 @@ enum dw_dma_msize {
 #define DWC_CFGH_FCMODE		(1 << 0)
 #define DWC_CFGH_FIFO_MODE	(1 << 1)
 #define DWC_CFGH_PROTCTL(x)	((x) << 2)
+#define DWC_CFGH_PROTCTL_DATA	(0 << 2)	/* data access - always set */
+#define DWC_CFGH_PROTCTL_PRIV	(1 << 2)	/* privileged -> AHB HPROT[1] */
+#define DWC_CFGH_PROTCTL_BUFFER	(2 << 2)	/* bufferable -> AHB HPROT[2] */
+#define DWC_CFGH_PROTCTL_CACHE	(4 << 2)	/* cacheable  -> AHB HPROT[3] */
 #define DWC_CFGH_DS_UPD_EN	(1 << 5)
 #define DWC_CFGH_SS_UPD_EN	(1 << 6)
 #define DWC_CFGH_SRC_PER(x)	((x) << 7)
diff --git a/include/linux/platform_data/dma-dw.h b/include/linux/platform_data/dma-dw.h
index 896cb71a382cb..1a1d58ebffbf1 100644
--- a/include/linux/platform_data/dma-dw.h
+++ b/include/linux/platform_data/dma-dw.h
@@ -49,6 +49,7 @@ struct dw_dma_slave {
  * @data_width: Maximum data width supported by hardware per AHB master
  *		(in bytes, power of 2)
  * @multi_block: Multi block transfers supported by hardware per channel.
+ * @protctl: Protection control signals setting per channel.
  */
 struct dw_dma_platform_data {
 	unsigned int	nr_channels;
@@ -65,6 +66,11 @@ struct dw_dma_platform_data {
 	unsigned char	nr_masters;
 	unsigned char	data_width[DW_DMA_MAX_NR_MASTERS];
 	unsigned char	multi_block[DW_DMA_MAX_NR_CHANNELS];
+#define CHAN_PROTCTL_PRIVILEGED		BIT(0)
+#define CHAN_PROTCTL_BUFFERABLE		BIT(1)
+#define CHAN_PROTCTL_CACHEABLE		BIT(2)
+#define CHAN_PROTCTL_MASK		GENMASK(2, 0)
+	unsigned char	protctl;
 };
 
 #endif /* _PLATFORM_DATA_DMA_DW_H */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 062/267] usb: dwc3: debugfs: Properly print/set link state for HS
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 061/267] dmaengine: dw-dmac: implement dma protection control setting Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 063/267] usb: dwc3: dont log probe deferrals; but do log other error codes Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thinh Nguyen, Felipe Balbi, Sasha Levin

From: Thinh Nguyen <thinh.nguyen@synopsys.com>

[ Upstream commit 0d36dede457873404becd7c9cb9d0f2bcfd0dcd9 ]

Highspeed device and below has different state names than superspeed and
higher. Add proper checks and printouts of link states for highspeed and
below.

Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/dwc3/debug.h   | 29 +++++++++++++++++++++++++++++
 drivers/usb/dwc3/debugfs.c | 19 +++++++++++++++++--
 2 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/dwc3/debug.h b/drivers/usb/dwc3/debug.h
index 5e9c070ec8747..1b4c2f8bb3daf 100644
--- a/drivers/usb/dwc3/debug.h
+++ b/drivers/usb/dwc3/debug.h
@@ -124,6 +124,35 @@ dwc3_gadget_link_string(enum dwc3_link_state link_state)
 	}
 }
 
+/**
+ * dwc3_gadget_hs_link_string - returns highspeed and below link name
+ * @link_state: link state code
+ */
+static inline const char *
+dwc3_gadget_hs_link_string(enum dwc3_link_state link_state)
+{
+	switch (link_state) {
+	case DWC3_LINK_STATE_U0:
+		return "On";
+	case DWC3_LINK_STATE_U2:
+		return "Sleep";
+	case DWC3_LINK_STATE_U3:
+		return "Suspend";
+	case DWC3_LINK_STATE_SS_DIS:
+		return "Disconnected";
+	case DWC3_LINK_STATE_RX_DET:
+		return "Early Suspend";
+	case DWC3_LINK_STATE_RECOV:
+		return "Recovery";
+	case DWC3_LINK_STATE_RESET:
+		return "Reset";
+	case DWC3_LINK_STATE_RESUME:
+		return "Resume";
+	default:
+		return "UNKNOWN link state\n";
+	}
+}
+
 /**
  * dwc3_trb_type_string - returns TRB type as a string
  * @type: the type of the TRB
diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c
index 4e09be80e59f9..0d6a6a168a7ec 100644
--- a/drivers/usb/dwc3/debugfs.c
+++ b/drivers/usb/dwc3/debugfs.c
@@ -436,13 +436,17 @@ static int dwc3_link_state_show(struct seq_file *s, void *unused)
 	unsigned long		flags;
 	enum dwc3_link_state	state;
 	u32			reg;
+	u8			speed;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	reg = dwc3_readl(dwc->regs, DWC3_DSTS);
 	state = DWC3_DSTS_USBLNKST(reg);
-	spin_unlock_irqrestore(&dwc->lock, flags);
+	speed = reg & DWC3_DSTS_CONNECTSPD;
 
-	seq_printf(s, "%s\n", dwc3_gadget_link_string(state));
+	seq_printf(s, "%s\n", (speed >= DWC3_DSTS_SUPERSPEED) ?
+		   dwc3_gadget_link_string(state) :
+		   dwc3_gadget_hs_link_string(state));
+	spin_unlock_irqrestore(&dwc->lock, flags);
 
 	return 0;
 }
@@ -460,6 +464,8 @@ static ssize_t dwc3_link_state_write(struct file *file,
 	unsigned long		flags;
 	enum dwc3_link_state	state = 0;
 	char			buf[32];
+	u32			reg;
+	u8			speed;
 
 	if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
 		return -EFAULT;
@@ -480,6 +486,15 @@ static ssize_t dwc3_link_state_write(struct file *file,
 		return -EINVAL;
 
 	spin_lock_irqsave(&dwc->lock, flags);
+	reg = dwc3_readl(dwc->regs, DWC3_DSTS);
+	speed = reg & DWC3_DSTS_CONNECTSPD;
+
+	if (speed < DWC3_DSTS_SUPERSPEED &&
+	    state != DWC3_LINK_STATE_RECOV) {
+		spin_unlock_irqrestore(&dwc->lock, flags);
+		return -EINVAL;
+	}
+
 	dwc3_gadget_set_link_state(dwc, state);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 063/267] usb: dwc3: dont log probe deferrals; but do log other error codes
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 062/267] usb: dwc3: debugfs: Properly print/set link state for HS Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 064/267] ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Norris, Felipe Balbi, Sasha Levin

From: Brian Norris <briannorris@chromium.org>

[ Upstream commit 408d3ba006af57380fa48858b39f72fde6405031 ]

It's not very useful to repeat a bunch of probe deferral errors. And
it's also not very useful to log "failed" without telling the error
code.

Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/dwc3/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
index 48755c501201d..a497b878c3e2b 100644
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -1261,7 +1261,8 @@ static int dwc3_probe(struct platform_device *pdev)
 
 	ret = dwc3_core_init(dwc);
 	if (ret) {
-		dev_err(dev, "failed to initialize core\n");
+		if (ret != -EPROBE_DEFER)
+			dev_err(dev, "failed to initialize core: %d\n", ret);
 		goto err4;
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 064/267] ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 063/267] usb: dwc3: dont log probe deferrals; but do log other error codes Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 065/267] f2fs: fix count of seg_freed to make sec_freed correct Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Dobriyan, Rafael J. Wysocki,
	Sasha Levin

From: Alexey Dobriyan <adobriyan@gmail.com>

[ Upstream commit f8c6d1402b89f22a3647705d63cbd171aa19a77e ]

acpi_find_child_device() accepts boolean not pointer as last argument.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
[ rjw: Subject ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/acpi.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/acpi.h b/include/linux/acpi.h
index d7a9700b93339..4bb3bca75004d 100644
--- a/include/linux/acpi.h
+++ b/include/linux/acpi.h
@@ -99,7 +99,7 @@ static inline bool has_acpi_companion(struct device *dev)
 static inline void acpi_preset_companion(struct device *dev,
 					 struct acpi_device *parent, u64 addr)
 {
-	ACPI_COMPANION_SET(dev, acpi_find_child_device(parent, addr, NULL));
+	ACPI_COMPANION_SET(dev, acpi_find_child_device(parent, addr, false));
 }
 
 static inline const char *acpi_dev_name(struct acpi_device *adev)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 065/267] f2fs: fix count of seg_freed to make sec_freed correct
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 064/267] ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 066/267] f2fs: change segment to section in f2fs_ioc_gc_range Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunlong Song, Chao Yu, Jaegeuk Kim,
	Sasha Levin

From: Yunlong Song <yunlong.song@huawei.com>

[ Upstream commit d6c66cd19ef322fe0d51ba09ce1b7f386acab04a ]

When sbi->segs_per_sec > 1, and if some segno has 0 valid blocks before
gc starts, do_garbage_collect will skip counting seg_freed++, and this
will cause seg_freed < sbi->segs_per_sec and finally skip sec_freed++.

Signed-off-by: Yunlong Song <yunlong.song@huawei.com>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/gc.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index 67120181dc2af..9865f6d52fe48 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -952,9 +952,9 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
 					GET_SUM_BLOCK(sbi, segno));
 		f2fs_put_page(sum_page, 0);
 
-		if (get_valid_blocks(sbi, segno, false) == 0 ||
-				!PageUptodate(sum_page) ||
-				unlikely(f2fs_cp_error(sbi)))
+		if (get_valid_blocks(sbi, segno, false) == 0)
+			goto freed;
+		if (!PageUptodate(sum_page) || unlikely(f2fs_cp_error(sbi)))
 			goto next;
 
 		sum = page_address(sum_page);
@@ -981,6 +981,7 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
 
 		stat_inc_seg_count(sbi, type, gc_type);
 
+freed:
 		if (gc_type == FG_GC &&
 				get_valid_blocks(sbi, segno, false) == 0)
 			seg_freed++;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 066/267] f2fs: change segment to section in f2fs_ioc_gc_range
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 065/267] f2fs: fix count of seg_freed to make sec_freed correct Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 067/267] ARM: dts: rockchip: Fix the PMU interrupt number for rv1108 Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunlong Song, Chao Yu, Jaegeuk Kim,
	Sasha Levin

From: Yunlong Song <yunlong.song@huawei.com>

[ Upstream commit 67b0e42b768c9ddc3fd5ca1aee3db815cfaa635c ]

f2fs_ioc_gc_range skips blocks_per_seg each time, however, f2fs_gc moves
blocks of section each time, so fix it from segment to section.

Signed-off-by: Yunlong Song <yunlong.song@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index d68b0132718a6..a90173b856f6d 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2029,7 +2029,7 @@ do_more:
 	}
 
 	ret = f2fs_gc(sbi, range.sync, true, GET_SEGNO(sbi, range.start));
-	range.start += sbi->blocks_per_seg;
+	range.start += BLKS_PER_SEC(sbi);
 	if (range.start <= end)
 		goto do_more;
 out:
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 067/267] ARM: dts: rockchip: Fix the PMU interrupt number for rv1108
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 066/267] f2fs: change segment to section in f2fs_ioc_gc_range Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 068/267] ARM: dts: rockchip: Assign the proper GPIO clocks " Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Otavio Salvador, Fabio Berton,
	Heiko Stuebner, Sasha Levin

From: Otavio Salvador <otavio@ossystems.com.br>

[ Upstream commit c955b7aec510145129ca7aaea6ecbf6d748f5ebf ]

According to the Rockchip vendor tree the PMU interrupt number is
76, so fix it accordingly.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Tested-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/rv1108.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/rv1108.dtsi b/arch/arm/boot/dts/rv1108.dtsi
index e7cd1315db1b7..6013d2f888c33 100644
--- a/arch/arm/boot/dts/rv1108.dtsi
+++ b/arch/arm/boot/dts/rv1108.dtsi
@@ -101,7 +101,7 @@
 
 	arm-pmu {
 		compatible = "arm,cortex-a7-pmu";
-		interrupts = <GIC_SPI 67 IRQ_TYPE_LEVEL_HIGH>;
+		interrupts = <GIC_SPI 76 IRQ_TYPE_LEVEL_HIGH>;
 	};
 
 	timer {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 068/267] ARM: dts: rockchip: Assign the proper GPIO clocks for rv1108
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 067/267] ARM: dts: rockchip: Fix the PMU interrupt number for rv1108 Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 069/267] f2fs: fix to allow node segment for GC by ioctl path Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Otavio Salvador, Fabio Berton,
	Heiko Stuebner, Sasha Levin

From: Otavio Salvador <otavio@ossystems.com.br>

[ Upstream commit efc2e0bd9594060915696a418564aefd0270b1d6 ]

It is not correct to assign the 24MHz clock oscillator to the GPIO
ports.

Fix it by assigning the proper GPIO clocks instead.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Tested-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/rv1108.dtsi | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/arm/boot/dts/rv1108.dtsi b/arch/arm/boot/dts/rv1108.dtsi
index 6013d2f888c33..aa4119eaea987 100644
--- a/arch/arm/boot/dts/rv1108.dtsi
+++ b/arch/arm/boot/dts/rv1108.dtsi
@@ -522,7 +522,7 @@
 			compatible = "rockchip,gpio-bank";
 			reg = <0x20030000 0x100>;
 			interrupts = <GIC_SPI 40 IRQ_TYPE_LEVEL_HIGH>;
-			clocks = <&xin24m>;
+			clocks = <&cru PCLK_GPIO0_PMU>;
 
 			gpio-controller;
 			#gpio-cells = <2>;
@@ -535,7 +535,7 @@
 			compatible = "rockchip,gpio-bank";
 			reg = <0x10310000 0x100>;
 			interrupts = <GIC_SPI 41 IRQ_TYPE_LEVEL_HIGH>;
-			clocks = <&xin24m>;
+			clocks = <&cru PCLK_GPIO1>;
 
 			gpio-controller;
 			#gpio-cells = <2>;
@@ -548,7 +548,7 @@
 			compatible = "rockchip,gpio-bank";
 			reg = <0x10320000 0x100>;
 			interrupts = <GIC_SPI 42 IRQ_TYPE_LEVEL_HIGH>;
-			clocks = <&xin24m>;
+			clocks = <&cru PCLK_GPIO2>;
 
 			gpio-controller;
 			#gpio-cells = <2>;
@@ -561,7 +561,7 @@
 			compatible = "rockchip,gpio-bank";
 			reg = <0x10330000 0x100>;
 			interrupts = <GIC_SPI 43 IRQ_TYPE_LEVEL_HIGH>;
-			clocks = <&xin24m>;
+			clocks = <&cru PCLK_GPIO3>;
 
 			gpio-controller;
 			#gpio-cells = <2>;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 069/267] f2fs: fix to allow node segment for GC by ioctl path
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 068/267] ARM: dts: rockchip: Assign the proper GPIO clocks " Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 070/267] sparc: Correct ctx->saw_frame_pointer logic Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sahitya Tummala, Chao Yu,
	Jaegeuk Kim, Sasha Levin

From: Sahitya Tummala <stummala@codeaurora.org>

[ Upstream commit 08ac9a3870f6babb2b1fff46118536ca8a71ef19 ]

Allow node type segments also to be GC'd via f2fs ioctl
F2FS_IOC_GARBAGE_COLLECT_RANGE.

Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/gc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index 9865f6d52fe48..c2e4c6ce2cf79 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -330,8 +330,7 @@ static int get_victim_by_default(struct f2fs_sb_info *sbi,
 	p.min_cost = get_max_cost(sbi, &p);
 
 	if (*result != NULL_SEGNO) {
-		if (IS_DATASEG(get_seg_entry(sbi, *result)->type) &&
-			get_valid_blocks(sbi, *result, false) &&
+		if (get_valid_blocks(sbi, *result, false) &&
 			!sec_usage_check(sbi, GET_SEC_FROM_SEG(sbi, *result)))
 			p.min_segno = *result;
 		goto out;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 070/267] sparc: Correct ctx->saw_frame_pointer logic.
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 069/267] f2fs: fix to allow node segment for GC by ioctl path Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 071/267] dma-mapping: fix return type of dma_set_max_seg_size() Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David S. Miller, Alexei Starovoitov,
	Sasha Levin

From: David Miller <davem@davemloft.net>

[ Upstream commit e2ac579a7a18bcd9e8cf14cf42eac0b8a2ba6c4b ]

We need to initialize the frame pointer register not just if it is
seen as a source operand, but also if it is seen as the destination
operand of a store or an atomic instruction (which effectively is a
source operand).

This is exercised by test_verifier's "non-invalid fp arithmetic"

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/net/bpf_jit_comp_64.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/sparc/net/bpf_jit_comp_64.c b/arch/sparc/net/bpf_jit_comp_64.c
index adfb4581bd809..dfb1a62abe932 100644
--- a/arch/sparc/net/bpf_jit_comp_64.c
+++ b/arch/sparc/net/bpf_jit_comp_64.c
@@ -1326,6 +1326,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
 		const u8 tmp2 = bpf2sparc[TMP_REG_2];
 		u32 opcode = 0, rs2;
 
+		if (insn->dst_reg == BPF_REG_FP)
+			ctx->saw_frame_pointer = true;
+
 		ctx->tmp_2_used = true;
 		emit_loadimm(imm, tmp2, ctx);
 
@@ -1364,6 +1367,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
 		const u8 tmp = bpf2sparc[TMP_REG_1];
 		u32 opcode = 0, rs2;
 
+		if (insn->dst_reg == BPF_REG_FP)
+			ctx->saw_frame_pointer = true;
+
 		switch (BPF_SIZE(code)) {
 		case BPF_W:
 			opcode = ST32;
@@ -1396,6 +1402,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
 		const u8 tmp2 = bpf2sparc[TMP_REG_2];
 		const u8 tmp3 = bpf2sparc[TMP_REG_3];
 
+		if (insn->dst_reg == BPF_REG_FP)
+			ctx->saw_frame_pointer = true;
+
 		ctx->tmp_1_used = true;
 		ctx->tmp_2_used = true;
 		ctx->tmp_3_used = true;
@@ -1416,6 +1425,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
 		const u8 tmp2 = bpf2sparc[TMP_REG_2];
 		const u8 tmp3 = bpf2sparc[TMP_REG_3];
 
+		if (insn->dst_reg == BPF_REG_FP)
+			ctx->saw_frame_pointer = true;
+
 		ctx->tmp_1_used = true;
 		ctx->tmp_2_used = true;
 		ctx->tmp_3_used = true;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 071/267] dma-mapping: fix return type of dma_set_max_seg_size()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 070/267] sparc: Correct ctx->saw_frame_pointer logic Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 072/267] altera-stapl: check for a null key before strcasecmping it Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Niklas Söderlund,
	Geert Uytterhoeven, Christoph Hellwig, Sasha Levin

From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>

[ Upstream commit c9d76d0655c06b8c1f944e46c4fd9e9cf4b331c0 ]

The function dma_set_max_seg_size() can return either 0 on success or
-EIO on error. Change its return type from unsigned int to int to
capture this.

Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/dma-mapping.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h
index 7bf3b99e6fbb1..9aee5f345e299 100644
--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -650,8 +650,7 @@ static inline unsigned int dma_get_max_seg_size(struct device *dev)
 	return SZ_64K;
 }
 
-static inline unsigned int dma_set_max_seg_size(struct device *dev,
-						unsigned int size)
+static inline int dma_set_max_seg_size(struct device *dev, unsigned int size)
 {
 	if (dev->dma_parms) {
 		dev->dma_parms->max_segment_size = size;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 072/267] altera-stapl: check for a null key before strcasecmping it
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 071/267] dma-mapping: fix return type of dma_set_max_seg_size() Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 073/267] serial: imx: fix error handling in console_setup Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King, Sasha Levin

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 9ccb645683ef46e3c52c12c088a368baa58447d4 ]

Currently the null check on key is occurring after the strcasecmp on
the key, hence there is a potential null pointer dereference on key.
Fix this by checking if key is null first. Also replace the == 0
check on strcasecmp with just the ! operator.

Detected by CoverityScan, CID#1248787 ("Dereference before null check")

Fixes: fa766c9be58b ("[media] Altera FPGA firmware download module")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/altera-stapl/altera.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/misc/altera-stapl/altera.c b/drivers/misc/altera-stapl/altera.c
index f53e217e963f5..494e263daa748 100644
--- a/drivers/misc/altera-stapl/altera.c
+++ b/drivers/misc/altera-stapl/altera.c
@@ -2176,8 +2176,7 @@ static int altera_get_note(u8 *p, s32 program_size,
 			key_ptr = &p[note_strings +
 					get_unaligned_be32(
 					&p[note_table + (8 * i)])];
-			if ((strncasecmp(key, key_ptr, strlen(key_ptr)) == 0) &&
-						(key != NULL)) {
+			if (key && !strncasecmp(key, key_ptr, strlen(key_ptr))) {
 				status = 0;
 
 				value_ptr = &p[note_strings +
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 073/267] serial: imx: fix error handling in console_setup
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 072/267] altera-stapl: check for a null key before strcasecmping it Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 074/267] i2c: imx: dont print error message on probe defer Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Agner, Uwe Kleine-König,
	Sasha Levin

From: Stefan Agner <stefan@agner.ch>

[ Upstream commit 63fd4b94b948c14eeb27a3bbf50ea0f7f0593bad ]

The ipg clock only needs to be unprepared in case preparing
per clock fails. The ipg clock has already disabled at the point.

Fixes: 1cf93e0d5488 ("serial: imx: remove the uart_console() check")
Signed-off-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/imx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
index 4e827e5a52a36..aae68230fb7b8 100644
--- a/drivers/tty/serial/imx.c
+++ b/drivers/tty/serial/imx.c
@@ -1956,7 +1956,7 @@ imx_console_setup(struct console *co, char *options)
 
 	retval = clk_prepare(sport->clk_per);
 	if (retval)
-		clk_disable_unprepare(sport->clk_ipg);
+		clk_unprepare(sport->clk_ipg);
 
 error_console:
 	return retval;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 074/267] i2c: imx: dont print error message on probe defer
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 073/267] serial: imx: fix error handling in console_setup Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 075/267] lockd: fix decoding of TEST results Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Stach, Uwe Kleine-König,
	Wolfram Sang, Sasha Levin

From: Lucas Stach <l.stach@pengutronix.de>

[ Upstream commit fece4978510e43f09c8cd386fee15210e8c68493 ]

Probe deferral is a normal operating condition in the probe function,
so don't spam the log with an error in this case.

Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-imx.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
index b73dd837fb533..26f83029f64ae 100644
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -1088,7 +1088,8 @@ static int i2c_imx_probe(struct platform_device *pdev)
 	/* Get I2C clock */
 	i2c_imx->clk = devm_clk_get(&pdev->dev, NULL);
 	if (IS_ERR(i2c_imx->clk)) {
-		dev_err(&pdev->dev, "can't get I2C clock\n");
+		if (PTR_ERR(i2c_imx->clk) != -EPROBE_DEFER)
+			dev_err(&pdev->dev, "can't get I2C clock\n");
 		return PTR_ERR(i2c_imx->clk);
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 075/267] lockd: fix decoding of TEST results
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 074/267] i2c: imx: dont print error message on probe defer Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 076/267] ASoC: rsnd: tidyup registering method for rsnd_kctrl_new() Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, J. Bruce Fields, Sasha Levin

From: J. Bruce Fields <bfields@redhat.com>

[ Upstream commit b8db159239b3f51e2b909859935cc25cb3ff3eed ]

We fail to advance the read pointer when reading the stat.oh field that
identifies the lock-holder in a TEST result.

This turns out not to matter if the server is knfsd, which always
returns a zero-length field.  But other servers (Ganesha is an example)
may not do this.  The result is bad values in fcntl F_GETLK results.

Fix this.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/lockd/clnt4xdr.c | 22 ++++++----------------
 fs/lockd/clntxdr.c  | 22 ++++++----------------
 2 files changed, 12 insertions(+), 32 deletions(-)

diff --git a/fs/lockd/clnt4xdr.c b/fs/lockd/clnt4xdr.c
index 00d5ef5f99f73..214a2fa1f1e39 100644
--- a/fs/lockd/clnt4xdr.c
+++ b/fs/lockd/clnt4xdr.c
@@ -128,24 +128,14 @@ static void encode_netobj(struct xdr_stream *xdr,
 static int decode_netobj(struct xdr_stream *xdr,
 			 struct xdr_netobj *obj)
 {
-	u32 length;
-	__be32 *p;
+	ssize_t ret;
 
-	p = xdr_inline_decode(xdr, 4);
-	if (unlikely(p == NULL))
-		goto out_overflow;
-	length = be32_to_cpup(p++);
-	if (unlikely(length > XDR_MAX_NETOBJ))
-		goto out_size;
-	obj->len = length;
-	obj->data = (u8 *)p;
+	ret = xdr_stream_decode_opaque_inline(xdr, (void *)&obj->data,
+						XDR_MAX_NETOBJ);
+	if (unlikely(ret < 0))
+		return -EIO;
+	obj->len = ret;
 	return 0;
-out_size:
-	dprintk("NFS: returned netobj was too long: %u\n", length);
-	return -EIO;
-out_overflow:
-	print_overflow_msg(__func__, xdr);
-	return -EIO;
 }
 
 /*
diff --git a/fs/lockd/clntxdr.c b/fs/lockd/clntxdr.c
index 2c6176387143c..747b9c8c940ac 100644
--- a/fs/lockd/clntxdr.c
+++ b/fs/lockd/clntxdr.c
@@ -125,24 +125,14 @@ static void encode_netobj(struct xdr_stream *xdr,
 static int decode_netobj(struct xdr_stream *xdr,
 			 struct xdr_netobj *obj)
 {
-	u32 length;
-	__be32 *p;
+	ssize_t ret;
 
-	p = xdr_inline_decode(xdr, 4);
-	if (unlikely(p == NULL))
-		goto out_overflow;
-	length = be32_to_cpup(p++);
-	if (unlikely(length > XDR_MAX_NETOBJ))
-		goto out_size;
-	obj->len = length;
-	obj->data = (u8 *)p;
+	ret = xdr_stream_decode_opaque_inline(xdr, (void *)&obj->data,
+			XDR_MAX_NETOBJ);
+	if (unlikely(ret < 0))
+		return -EIO;
+	obj->len = ret;
 	return 0;
-out_size:
-	dprintk("NFS: returned netobj was too long: %u\n", length);
-	return -EIO;
-out_overflow:
-	print_overflow_msg(__func__, xdr);
-	return -EIO;
 }
 
 /*
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 076/267] ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 075/267] lockd: fix decoding of TEST results Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 077/267] ARM: dts: sun5i: a10s: Fix HDMI output DTC warning Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nguyen Viet Dung, Kuninori Morimoto,
	Hiroyuki Yokoyama, Mark Brown, Sasha Levin

From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>

[ Upstream commit 9c698e8481a15237a5b1db5f8391dd66d59e42a4 ]

Current rsnd dvc.c is using flags to avoid duplicating register for
MIXer case. OTOH, commit e894efef9ac7 ("ASoC: core: add support to card
rebind") allows to rebind sound card without rebinding all drivers.

Because of above patch and dvc.c flags, it can't re-register kctrl if
only sound card was rebinded, because dvc is keeping old flags.
(Of course it will be no problem if rsnd driver also be rebinded,
but it is not purpose of above patch).

This patch checks current card registered kctrl when registering.
In MIXer case, it can avoid duplicate register if card already has same
kctrl. In rebind case, it can re-register kctrl because card registered
kctl had been removed when unbinding.

This patch is updated version of commit b918f1bc7f1ce ("ASoC: rsnd: DVC
kctrl sets once")

Reported-by: Nguyen Viet Dung <dung.nguyen.aj@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Tested-by: Nguyen Viet Dung <dung.nguyen.aj@renesas.com>
Cc: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/sh/rcar/core.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c
index ab0bbef7eb48a..bb06dd72ca9a7 100644
--- a/sound/soc/sh/rcar/core.c
+++ b/sound/soc/sh/rcar/core.c
@@ -1278,6 +1278,18 @@ int rsnd_kctrl_new(struct rsnd_mod *mod,
 	};
 	int ret;
 
+	/*
+	 * 1) Avoid duplicate register (ex. MIXer case)
+	 * 2) re-register if card was rebinded
+	 */
+	list_for_each_entry(kctrl, &card->controls, list) {
+		struct rsnd_kctrl_cfg *c = kctrl->private_data;
+
+		if (strcmp(kctrl->id.name, name) == 0 &&
+		    c->mod == mod)
+			return 0;
+	}
+
 	if (size > RSND_MAX_CHANNELS)
 		return -EINVAL;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 077/267] ARM: dts: sun5i: a10s: Fix HDMI output DTC warning
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 076/267] ASoC: rsnd: tidyup registering method for rsnd_kctrl_new() Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 078/267] ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Chen-Yu Tsai, Sasha Levin

From: Maxime Ripard <maxime.ripard@bootlin.com>

[ Upstream commit ed5fc60b909427be6ca93d3e07a0a5f296d7000a ]

Our HDMI output endpoint on the A10s DTSI has a warning under DTC: "graph
node has single child node 'endpoint', #address-cells/#size-cells are not
necessary". Fix this by removing those properties.

Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Acked-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/sun5i-a10s.dtsi | 2 --
 1 file changed, 2 deletions(-)

diff --git a/arch/arm/boot/dts/sun5i-a10s.dtsi b/arch/arm/boot/dts/sun5i-a10s.dtsi
index 18f25c5e75aeb..396fb6632bf07 100644
--- a/arch/arm/boot/dts/sun5i-a10s.dtsi
+++ b/arch/arm/boot/dts/sun5i-a10s.dtsi
@@ -104,8 +104,6 @@
 				};
 
 				hdmi_out: port@1 {
-					#address-cells = <1>;
-					#size-cells = <0>;
 					reg = <1>;
 				};
 			};
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 078/267] ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 077/267] ARM: dts: sun5i: a10s: Fix HDMI output DTC warning Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 079/267] dlm: NULL check before kmem_cache_destroy is not needed Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Chen-Yu Tsai, Sasha Levin

From: Maxime Ripard <maxime.ripard@bootlin.com>

[ Upstream commit 438a44ce7e51ce571f942433c6c7cb87c4c0effd ]

All our pinctrl nodes were using a node name convention with a unit-address
to differentiate the different muxing options. However, since those nodes
didn't have a reg property, they were generating warnings in DTC.

In order to accomodate for this, convert the old nodes to the syntax we've
been using for the new SoCs, including removing the letter suffix of the
node labels to the bank of those pins to make things more readable.

Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Acked-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/sun8i-v3s-licheepi-zero.dts |  4 ++--
 arch/arm/boot/dts/sun8i-v3s.dtsi              | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/arch/arm/boot/dts/sun8i-v3s-licheepi-zero.dts b/arch/arm/boot/dts/sun8i-v3s-licheepi-zero.dts
index 387fc2aa546d6..333df90e8037c 100644
--- a/arch/arm/boot/dts/sun8i-v3s-licheepi-zero.dts
+++ b/arch/arm/boot/dts/sun8i-v3s-licheepi-zero.dts
@@ -78,7 +78,7 @@
 };
 
 &mmc0 {
-	pinctrl-0 = <&mmc0_pins_a>;
+	pinctrl-0 = <&mmc0_pins>;
 	pinctrl-names = "default";
 	broken-cd;
 	bus-width = <4>;
@@ -87,7 +87,7 @@
 };
 
 &uart0 {
-	pinctrl-0 = <&uart0_pins_a>;
+	pinctrl-0 = <&uart0_pb_pins>;
 	pinctrl-names = "default";
 	status = "okay";
 };
diff --git a/arch/arm/boot/dts/sun8i-v3s.dtsi b/arch/arm/boot/dts/sun8i-v3s.dtsi
index 3a06dc5b37467..da5823c6fa3e6 100644
--- a/arch/arm/boot/dts/sun8i-v3s.dtsi
+++ b/arch/arm/boot/dts/sun8i-v3s.dtsi
@@ -292,17 +292,17 @@
 			interrupt-controller;
 			#interrupt-cells = <3>;
 
-			i2c0_pins: i2c0 {
+			i2c0_pins: i2c0-pins {
 				pins = "PB6", "PB7";
 				function = "i2c0";
 			};
 
-			uart0_pins_a: uart0@0 {
+			uart0_pb_pins: uart0-pb-pins {
 				pins = "PB8", "PB9";
 				function = "uart0";
 			};
 
-			mmc0_pins_a: mmc0@0 {
+			mmc0_pins: mmc0-pins {
 				pins = "PF0", "PF1", "PF2", "PF3",
 				       "PF4", "PF5";
 				function = "mmc0";
@@ -310,7 +310,7 @@
 				bias-pull-up;
 			};
 
-			mmc1_pins: mmc1 {
+			mmc1_pins: mmc1-pins {
 				pins = "PG0", "PG1", "PG2", "PG3",
 				       "PG4", "PG5";
 				function = "mmc1";
@@ -318,7 +318,7 @@
 				bias-pull-up;
 			};
 
-			spi0_pins: spi0 {
+			spi0_pins: spi0-pins {
 				pins = "PC0", "PC1", "PC2", "PC3";
 				function = "spi0";
 			};
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 079/267] dlm: NULL check before kmem_cache_destroy is not needed
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 078/267] ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 080/267] ARM: debug: enable UART1 for socfpga Cyclone5 Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, David Teigland, Sasha Levin

From: Wen Yang <wen.yang99@zte.com.cn>

[ Upstream commit f31a89692830061bceba8469607e4e4b0f900159 ]

kmem_cache_destroy(NULL) is safe, so removes NULL check before
freeing the mem. This patch also fix ifnullfree.cocci warnings.

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/memory.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/fs/dlm/memory.c b/fs/dlm/memory.c
index 7cd24bccd4fe5..37be29f21d04d 100644
--- a/fs/dlm/memory.c
+++ b/fs/dlm/memory.c
@@ -38,10 +38,8 @@ int __init dlm_memory_init(void)
 
 void dlm_memory_exit(void)
 {
-	if (lkb_cache)
-		kmem_cache_destroy(lkb_cache);
-	if (rsb_cache)
-		kmem_cache_destroy(rsb_cache);
+	kmem_cache_destroy(lkb_cache);
+	kmem_cache_destroy(rsb_cache);
 }
 
 char *dlm_allocate_lvb(struct dlm_ls *ls)
@@ -86,8 +84,7 @@ void dlm_free_lkb(struct dlm_lkb *lkb)
 		struct dlm_user_args *ua;
 		ua = lkb->lkb_ua;
 		if (ua) {
-			if (ua->lksb.sb_lvbptr)
-				kfree(ua->lksb.sb_lvbptr);
+			kfree(ua->lksb.sb_lvbptr);
 			kfree(ua);
 		}
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 080/267] ARM: debug: enable UART1 for socfpga Cyclone5
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 079/267] dlm: NULL check before kmem_cache_destroy is not needed Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 081/267] nfsd: fix a warning in __cld_pipe_upcall() Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Clément Péron, Dinh Nguyen,
	Sasha Levin

From: Clément Péron <peron.clem@gmail.com>

[ Upstream commit f6628486c8489e91c513b62608f89ccdb745600d ]

Cyclone5 and Arria10 doesn't have the same memory map for UART1.

Split the SOCFPGA_UART1 into 2 options to allow debugging on UART1 for Cyclone5.

Signed-off-by: Clément Péron <peron.clem@gmail.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/Kconfig.debug | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
index fd4b679945d3a..b14f154919a5d 100644
--- a/arch/arm/Kconfig.debug
+++ b/arch/arm/Kconfig.debug
@@ -1023,14 +1023,21 @@ choice
 		  Say Y here if you want kernel low-level debugging support
 		  on SOCFPGA(Cyclone 5 and Arria 5) based platforms.
 
-	config DEBUG_SOCFPGA_UART1
+	config DEBUG_SOCFPGA_ARRIA10_UART1
 		depends on ARCH_SOCFPGA
-		bool "Use SOCFPGA UART1 for low-level debug"
+		bool "Use SOCFPGA Arria10 UART1 for low-level debug"
 		select DEBUG_UART_8250
 		help
 		  Say Y here if you want kernel low-level debugging support
 		  on SOCFPGA(Arria 10) based platforms.
 
+	config DEBUG_SOCFPGA_CYCLONE5_UART1
+		depends on ARCH_SOCFPGA
+		bool "Use SOCFPGA Cyclone 5 UART1 for low-level debug"
+		select DEBUG_UART_8250
+		help
+		  Say Y here if you want kernel low-level debugging support
+		  on SOCFPGA(Cyclone 5 and Arria 5) based platforms.
 
 	config DEBUG_SUN9I_UART0
 		bool "Kernel low-level debugging messages via sun9i UART0"
@@ -1585,7 +1592,8 @@ config DEBUG_UART_PHYS
 	default 0xfe800000 if ARCH_IOP32X
 	default 0xff690000 if DEBUG_RK32_UART2
 	default 0xffc02000 if DEBUG_SOCFPGA_UART0
-	default 0xffc02100 if DEBUG_SOCFPGA_UART1
+	default 0xffc02100 if DEBUG_SOCFPGA_ARRIA10_UART1
+	default 0xffc03000 if DEBUG_SOCFPGA_CYCLONE5_UART1
 	default 0xffd82340 if ARCH_IOP13XX
 	default 0xffe40000 if DEBUG_RCAR_GEN1_SCIF0
 	default 0xffe42000 if DEBUG_RCAR_GEN1_SCIF2
@@ -1689,7 +1697,8 @@ config DEBUG_UART_VIRT
 	default 0xfeb30c00 if DEBUG_KEYSTONE_UART0
 	default 0xfeb31000 if DEBUG_KEYSTONE_UART1
 	default 0xfec02000 if DEBUG_SOCFPGA_UART0
-	default 0xfec02100 if DEBUG_SOCFPGA_UART1
+	default 0xfec02100 if DEBUG_SOCFPGA_ARRIA10_UART1
+	default 0xfec03000 if DEBUG_SOCFPGA_CYCLONE5_UART1
 	default 0xfec12000 if (DEBUG_MVEBU_UART0 || DEBUG_MVEBU_UART0_ALTERNATE) && ARCH_MVEBU
 	default 0xfec12100 if DEBUG_MVEBU_UART1_ALTERNATE
 	default 0xfec10000 if DEBUG_SIRFATLAS7_UART0
@@ -1737,9 +1746,9 @@ config DEBUG_UART_8250_WORD
 	depends on DEBUG_LL_UART_8250 || DEBUG_UART_8250
 	depends on DEBUG_UART_8250_SHIFT >= 2
 	default y if DEBUG_PICOXCELL_UART || \
-		DEBUG_SOCFPGA_UART0 || DEBUG_SOCFPGA_UART1 || \
-		DEBUG_KEYSTONE_UART0 || DEBUG_KEYSTONE_UART1 || \
-		DEBUG_ALPINE_UART0 || \
+		DEBUG_SOCFPGA_UART0 || DEBUG_SOCFPGA_ARRIA10_UART1 || \
+		DEBUG_SOCFPGA_CYCLONE5_UART1 || DEBUG_KEYSTONE_UART0 || \
+		DEBUG_KEYSTONE_UART1 || DEBUG_ALPINE_UART0 || \
 		DEBUG_DAVINCI_DMx_UART0 || DEBUG_DAVINCI_DA8XX_UART1 || \
 		DEBUG_DAVINCI_DA8XX_UART2 || \
 		DEBUG_BCM_KONA_UART || DEBUG_RK32_UART2
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 081/267] nfsd: fix a warning in __cld_pipe_upcall()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 080/267] ARM: debug: enable UART1 for socfpga Cyclone5 Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 082/267] ASoC: au8540: use 64-bit arithmetic instead of 32-bit Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Scott Mayhew, J. Bruce Fields, Sasha Levin

From: Scott Mayhew <smayhew@redhat.com>

[ Upstream commit b493fd31c0b89d9453917e977002de58bebc3802 ]

__cld_pipe_upcall() emits a "do not call blocking ops when
!TASK_RUNNING" warning due to the dput() call in rpc_queue_upcall().
Fix it by using a completion instead of hand coding the wait.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfsd/nfs4recover.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index 66eaeb1e8c2ce..dc9586feab317 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -661,7 +661,7 @@ struct cld_net {
 struct cld_upcall {
 	struct list_head	 cu_list;
 	struct cld_net		*cu_net;
-	struct task_struct	*cu_task;
+	struct completion	 cu_done;
 	struct cld_msg		 cu_msg;
 };
 
@@ -670,23 +670,18 @@ __cld_pipe_upcall(struct rpc_pipe *pipe, struct cld_msg *cmsg)
 {
 	int ret;
 	struct rpc_pipe_msg msg;
+	struct cld_upcall *cup = container_of(cmsg, struct cld_upcall, cu_msg);
 
 	memset(&msg, 0, sizeof(msg));
 	msg.data = cmsg;
 	msg.len = sizeof(*cmsg);
 
-	/*
-	 * Set task state before we queue the upcall. That prevents
-	 * wake_up_process in the downcall from racing with schedule.
-	 */
-	set_current_state(TASK_UNINTERRUPTIBLE);
 	ret = rpc_queue_upcall(pipe, &msg);
 	if (ret < 0) {
-		set_current_state(TASK_RUNNING);
 		goto out;
 	}
 
-	schedule();
+	wait_for_completion(&cup->cu_done);
 
 	if (msg.errno < 0)
 		ret = msg.errno;
@@ -753,7 +748,7 @@ cld_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
 	if (copy_from_user(&cup->cu_msg, src, mlen) != 0)
 		return -EFAULT;
 
-	wake_up_process(cup->cu_task);
+	complete(&cup->cu_done);
 	return mlen;
 }
 
@@ -768,7 +763,7 @@ cld_pipe_destroy_msg(struct rpc_pipe_msg *msg)
 	if (msg->errno >= 0)
 		return;
 
-	wake_up_process(cup->cu_task);
+	complete(&cup->cu_done);
 }
 
 static const struct rpc_pipe_ops cld_upcall_ops = {
@@ -899,7 +894,7 @@ restart_search:
 			goto restart_search;
 		}
 	}
-	new->cu_task = current;
+	init_completion(&new->cu_done);
 	new->cu_msg.cm_vers = CLD_UPCALL_VERSION;
 	put_unaligned(cn->cn_xid++, &new->cu_msg.cm_xid);
 	new->cu_net = cn;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 082/267] ASoC: au8540: use 64-bit arithmetic instead of 32-bit
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 081/267] nfsd: fix a warning in __cld_pipe_upcall() Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 083/267] ARM: OMAP1/2: fix SoC name printing Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Young_X, Mark Brown, Sasha Levin

From: Young_X <YangX92@hotmail.com>

[ Upstream commit cd7fdc45bc69a62b4e22c6e875f1f1aea566256d ]

Add suffix ULL to constant 256 in order to give the compiler complete
information about the proper arithmetic to use.

Notice that such constant is used in a context that expects an
expression of type u64 (64 bits, unsigned) and the following
expression is currently being evaluated using 32-bit arithmetic:

    256 * fs * 2 * mclk_src_scaling[i].param

Signed-off-by: Young_X <YangX92@hotmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/nau8540.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/codecs/nau8540.c b/sound/soc/codecs/nau8540.c
index f9c9933acffb6..c0c64f90a61b7 100644
--- a/sound/soc/codecs/nau8540.c
+++ b/sound/soc/codecs/nau8540.c
@@ -548,7 +548,7 @@ static int nau8540_calc_fll_param(unsigned int fll_in,
 	fvco_max = 0;
 	fvco_sel = ARRAY_SIZE(mclk_src_scaling);
 	for (i = 0; i < ARRAY_SIZE(mclk_src_scaling); i++) {
-		fvco = 256 * fs * 2 * mclk_src_scaling[i].param;
+		fvco = 256ULL * fs * 2 * mclk_src_scaling[i].param;
 		if (fvco > NAU_FVCO_MIN && fvco < NAU_FVCO_MAX &&
 			fvco_max < fvco) {
 			fvco_max = fvco;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 083/267] ARM: OMAP1/2: fix SoC name printing
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 082/267] ASoC: au8540: use 64-bit arithmetic instead of 32-bit Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 084/267] arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Tony Lindgren, Sasha Levin

From: Aaro Koskinen <aaro.koskinen@iki.fi>

[ Upstream commit 04a92358b3964988c78dfe370a559ae550383886 ]

Currently we get extra newlines on OMAP1/2 when the SoC name is printed:

[    0.000000] OMAP1510
[    0.000000]  revision 2 handled as 15xx id: bc058c9b93111a16

[    0.000000] OMAP2420
[    0.000000]

Fix by using pr_cont.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-omap1/id.c | 6 +++---
 arch/arm/mach-omap2/id.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/arm/mach-omap1/id.c b/arch/arm/mach-omap1/id.c
index 52de382fc8047..7e49dfda3d2f4 100644
--- a/arch/arm/mach-omap1/id.c
+++ b/arch/arm/mach-omap1/id.c
@@ -200,10 +200,10 @@ void __init omap_check_revision(void)
 		printk(KERN_INFO "Unknown OMAP cpu type: 0x%02x\n", cpu_type);
 	}
 
-	printk(KERN_INFO "OMAP%04x", omap_revision >> 16);
+	pr_info("OMAP%04x", omap_revision >> 16);
 	if ((omap_revision >> 8) & 0xff)
-		printk(KERN_INFO "%x", (omap_revision >> 8) & 0xff);
-	printk(KERN_INFO " revision %i handled as %02xxx id: %08x%08x\n",
+		pr_cont("%x", (omap_revision >> 8) & 0xff);
+	pr_cont(" revision %i handled as %02xxx id: %08x%08x\n",
 	       die_rev, omap_revision & 0xff, system_serial_low,
 	       system_serial_high);
 }
diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c
index 16cb1c195fd8e..79d71b1eae594 100644
--- a/arch/arm/mach-omap2/id.c
+++ b/arch/arm/mach-omap2/id.c
@@ -199,8 +199,8 @@ void __init omap2xxx_check_revision(void)
 
 	pr_info("%s", soc_name);
 	if ((omap_rev() >> 8) & 0x0f)
-		pr_info("%s", soc_rev);
-	pr_info("\n");
+		pr_cont("%s", soc_rev);
+	pr_cont("\n");
 }
 
 #define OMAP3_SHOW_FEATURE(feat)		\
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 084/267] arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 083/267] ARM: OMAP1/2: fix SoC name printing Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 085/267] arm64: dts: meson-gxbb-nanopi-k2: " Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neil Armstrong, Kevin Hilman, Sasha Levin

From: Neil Armstrong <narmstrong@baylibre.com>

[ Upstream commit 11fa9774612decea87144d7f950a9c53a4fe3050 ]

The gpio line names were set in the pinctrl node instead of the gpio node,
at the time it was merged, it worked, but was obviously wrong.
This patch moves the properties to the gpio nodes.

Fixes: 47884c5c746e ("ARM64: dts: meson-gxl-libretech-cc: Add GPIO lines names")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
index 0814b6b29b86a..e2c71753e3278 100644
--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
@@ -139,7 +139,7 @@
 	};
 };
 
-&pinctrl_aobus {
+&gpio_ao {
 	gpio-line-names = "UART TX",
 			  "UART RX",
 			  "Blue LED",
@@ -152,7 +152,7 @@
 			  "7J1 Header Pin13";
 };
 
-&pinctrl_periphs {
+&gpio {
 	gpio-line-names = /* Bank GPIOZ */
 			  "", "", "", "", "", "", "",
 			  "", "", "", "", "", "", "",
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 085/267] arm64: dts: meson-gxbb-nanopi-k2: fix GPIO lines names
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 084/267] arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 086/267] arm64: dts: meson-gxbb-odroidc2: " Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neil Armstrong, Kevin Hilman, Sasha Levin

From: Neil Armstrong <narmstrong@baylibre.com>

[ Upstream commit f0783f5edb52af14ecaae6c5ce4f38e0a358f5d8 ]

The gpio line names were set in the pinctrl node instead of the gpio node,
at the time it was merged, it worked, but was obviously wrong.
This patch moves the properties to the gpio nodes.

Fixes: 12ada0513d7a ("ARM64: dts: meson-gxbb-nanopi-k2: Add GPIO lines names")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/amlogic/meson-gxbb-nanopi-k2.dts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/boot/dts/amlogic/meson-gxbb-nanopi-k2.dts b/arch/arm64/boot/dts/amlogic/meson-gxbb-nanopi-k2.dts
index 4b17a76959b2f..c83c028e95af0 100644
--- a/arch/arm64/boot/dts/amlogic/meson-gxbb-nanopi-k2.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxbb-nanopi-k2.dts
@@ -178,7 +178,7 @@
 	pinctrl-names = "default";
 };
 
-&pinctrl_aobus {
+&gpio_ao {
 	gpio-line-names = "UART TX", "UART RX", "Power Control", "Power Key In",
 			  "VCCK En", "CON1 Header Pin31",
 			  "I2S Header Pin6", "IR In", "I2S Header Pin7",
@@ -186,7 +186,7 @@
 			  "I2S Header Pin5", "HDMI CEC", "SYS LED";
 };
 
-&pinctrl_periphs {
+&gpio {
 	gpio-line-names = /* Bank GPIOZ */
 			  "Eth MDIO", "Eth MDC", "Eth RGMII RX Clk",
 			  "Eth RX DV", "Eth RX D0", "Eth RX D1", "Eth RX D2",
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 086/267] arm64: dts: meson-gxbb-odroidc2: fix GPIO lines names
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 085/267] arm64: dts: meson-gxbb-nanopi-k2: " Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 087/267] arm64: dts: meson-gxl-khadas-vim: " Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neil Armstrong, Kevin Hilman, Sasha Levin

From: Neil Armstrong <narmstrong@baylibre.com>

[ Upstream commit 2165b006b65d609140dafafcb14cce5a4aaacbab ]

The gpio line names were set in the pinctrl node instead of the gpio node,
at the time it was merged, it worked, but was obviously wrong.
This patch moves the properties to the gpio nodes.

Fixes: b03c7d6438bb ("ARM64: dts: meson-gxbb-odroidc2: Add GPIO lines names")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts b/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts
index c3c65b06ba76b..4ea23df81f212 100644
--- a/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts
@@ -189,7 +189,7 @@
 	pinctrl-names = "default";
 };
 
-&pinctrl_aobus {
+&gpio_ao {
 	gpio-line-names = "UART TX", "UART RX", "VCCK En", "TF 3V3/1V8 En",
 			  "USB HUB nRESET", "USB OTG Power En",
 			  "J7 Header Pin2", "IR In", "J7 Header Pin4",
@@ -197,7 +197,7 @@
 			  "HDMI CEC", "SYS LED";
 };
 
-&pinctrl_periphs {
+&gpio {
 	gpio-line-names = /* Bank GPIOZ */
 			  "Eth MDIO", "Eth MDC", "Eth RGMII RX Clk",
 			  "Eth RX DV", "Eth RX D0", "Eth RX D1", "Eth RX D2",
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 087/267] arm64: dts: meson-gxl-khadas-vim: fix GPIO lines names
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 086/267] arm64: dts: meson-gxbb-odroidc2: " Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 088/267] net/x25: fix called/calling length calculation in x25_parse_address_block Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neil Armstrong, Kevin Hilman, Sasha Levin

From: Neil Armstrong <narmstrong@baylibre.com>

[ Upstream commit 5b78012636f537344bd551934387f5772c38ba80 ]

The gpio line names were set in the pinctrl node instead of the gpio node,
at the time it was merged, it worked, but was obviously wrong.
This patch moves the properties to the gpio nodes.

Fixes: 60795933b709 ("ARM64: dts: meson-gxl-khadas-vim: Add GPIO lines names")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/amlogic/meson-gxl-s905x-khadas-vim.dts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-khadas-vim.dts b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-khadas-vim.dts
index edc512ad0bac3..fb5db5f33e8c3 100644
--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-khadas-vim.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-khadas-vim.dts
@@ -112,7 +112,7 @@
 	linux,rc-map-name = "rc-geekbox";
 };
 
-&pinctrl_aobus {
+&gpio_ao {
 	gpio-line-names = "UART TX",
 			  "UART RX",
 			  "Power Key In",
@@ -125,7 +125,7 @@
 			  "SYS LED";
 };
 
-&pinctrl_periphs {
+&gpio {
 	gpio-line-names = /* Bank GPIOZ */
 			  "", "", "", "", "", "", "",
 			  "", "", "", "", "", "", "",
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 088/267] net/x25: fix called/calling length calculation in x25_parse_address_block
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 087/267] arm64: dts: meson-gxl-khadas-vim: " Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 089/267] net/x25: fix null_x25_address handling Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Schiller, David S. Miller,
	Sasha Levin

From: Martin Schiller <ms@dev.tdt.de>

[ Upstream commit d449ba3d581ed29f751a59792fdc775572c66904 ]

The length of the called and calling address was not calculated
correctly (BCD encoding).

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/x25/af_x25.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 1b830a6ee3ff6..6e7ad4c6f83c8 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -100,7 +100,7 @@ int x25_parse_address_block(struct sk_buff *skb,
 	}
 
 	len = *skb->data;
-	needed = 1 + (len >> 4) + (len & 0x0f);
+	needed = 1 + ((len >> 4) + (len & 0x0f) + 1) / 2;
 
 	if (!pskb_may_pull(skb, needed)) {
 		/* packet is too short to hold the addresses it claims
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 089/267] net/x25: fix null_x25_address handling
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 088/267] net/x25: fix called/calling length calculation in x25_parse_address_block Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 090/267] ARM: dts: mmp2: fix the gpio interrupt cell number Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Schiller, David S. Miller,
	Sasha Levin

From: Martin Schiller <ms@dev.tdt.de>

[ Upstream commit 06137619f061f498c2924f6543fa45b7d39f0501 ]

o x25_find_listener(): the compare for the null_x25_address was wrong.
   We have to check the x25_addr of the listener socket instead of the
   x25_addr of the incomming call.

 o x25_bind(): it was not possible to bind a socket to null_x25_address

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/x25/af_x25.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 6e7ad4c6f83c8..a156b6dc3a724 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -288,7 +288,7 @@ static struct sock *x25_find_listener(struct x25_address *addr,
 	sk_for_each(s, &x25_list)
 		if ((!strcmp(addr->x25_addr,
 			x25_sk(s)->source_addr.x25_addr) ||
-				!strcmp(addr->x25_addr,
+				!strcmp(x25_sk(s)->source_addr.x25_addr,
 					null_x25_address.x25_addr)) &&
 					s->sk_state == TCP_LISTEN) {
 			/*
@@ -684,11 +684,15 @@ static int x25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 		goto out;
 	}
 
-	len = strlen(addr->sx25_addr.x25_addr);
-	for (i = 0; i < len; i++) {
-		if (!isdigit(addr->sx25_addr.x25_addr[i])) {
-			rc = -EINVAL;
-			goto out;
+	/* check for the null_x25_address */
+	if (strcmp(addr->sx25_addr.x25_addr, null_x25_address.x25_addr)) {
+
+		len = strlen(addr->sx25_addr.x25_addr);
+		for (i = 0; i < len; i++) {
+			if (!isdigit(addr->sx25_addr.x25_addr[i])) {
+				rc = -EINVAL;
+				goto out;
+			}
 		}
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 090/267] ARM: dts: mmp2: fix the gpio interrupt cell number
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 089/267] net/x25: fix null_x25_address handling Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 091/267] ARM: dts: realview-pbx: Fix duplicate regulator nodes Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lubomir Rintel, Pavel Machek,
	Olof Johansson, Sasha Levin

From: Lubomir Rintel <lkundrak@v3.sk>

[ Upstream commit 400583983f8a8e95ec02c9c9e2b50188753a87fb ]

gpio-pxa uses two cell to encode the interrupt source: the pin number
and the trigger type. Adjust the device node accordingly.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/mmp2.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/mmp2.dtsi b/arch/arm/boot/dts/mmp2.dtsi
index 47e5b63339d18..e95deed6a7973 100644
--- a/arch/arm/boot/dts/mmp2.dtsi
+++ b/arch/arm/boot/dts/mmp2.dtsi
@@ -180,7 +180,7 @@
 				clocks = <&soc_clocks MMP2_CLK_GPIO>;
 				resets = <&soc_clocks MMP2_CLK_GPIO>;
 				interrupt-controller;
-				#interrupt-cells = <1>;
+				#interrupt-cells = <2>;
 				ranges;
 
 				gcb0: gpio@d4019000 {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 091/267] ARM: dts: realview-pbx: Fix duplicate regulator nodes
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 090/267] ARM: dts: mmp2: fix the gpio interrupt cell number Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 092/267] tcp: fix off-by-one bug on aborting window-probing socket Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Walleij, Rob Herring,
	Olof Johansson, Sasha Levin

From: Rob Herring <robh@kernel.org>

[ Upstream commit 7f4b001b7f6e0480b5bdab9cd8ce1711e43e5cb5 ]

There's a bug in dtc in checking for duplicate node names when there's
another section (e.g. "/ { };"). In this case, skeleton.dtsi provides
another section. Upon removal of skeleton.dtsi, the dtb fails to build
due to a duplicate node 'fixedregulator@0'. As both nodes were pretty
much the same 3.3V fixed regulator, it hasn't really mattered. Fix this
by renaming the nodes to something unique. In the process, drop the
unit-address which shouldn't be present wtihout reg property.

Cc: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/arm-realview-pbx.dtsi | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/arm/boot/dts/arm-realview-pbx.dtsi b/arch/arm/boot/dts/arm-realview-pbx.dtsi
index 2bf3958b2e6b9..068293254fbb8 100644
--- a/arch/arm/boot/dts/arm-realview-pbx.dtsi
+++ b/arch/arm/boot/dts/arm-realview-pbx.dtsi
@@ -43,7 +43,7 @@
 	};
 
 	/* The voltage to the MMC card is hardwired at 3.3V */
-	vmmc: fixedregulator@0 {
+	vmmc: regulator-vmmc {
 		compatible = "regulator-fixed";
 		regulator-name = "vmmc";
 		regulator-min-microvolt = <3300000>;
@@ -51,7 +51,7 @@
 		regulator-boot-on;
         };
 
-	veth: fixedregulator@0 {
+	veth: regulator-veth {
 		compatible = "regulator-fixed";
 		regulator-name = "veth";
 		regulator-min-microvolt = <3300000>;
@@ -539,4 +539,3 @@
 		};
 	};
 };
-
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 092/267] tcp: fix off-by-one bug on aborting window-probing socket
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 091/267] ARM: dts: realview-pbx: Fix duplicate regulator nodes Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:46 ` [PATCH 4.14 093/267] tcp: fix SNMP under-estimation on failed retransmission Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuchung Cheng, Eric Dumazet,
	Neal Cardwell, David S. Miller, Sasha Levin

From: Yuchung Cheng <ycheng@google.com>

[ Upstream commit 3976535af0cb9fe34a55f2ffb8d7e6b39a2f8188 ]

Previously there is an off-by-one bug on determining when to abort
a stalled window-probing socket. This patch fixes that so it is
consistent with tcp_write_timeout().

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_timer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 592d6e9967a91..04e2c43a43a5a 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -358,7 +358,7 @@ static void tcp_probe_timer(struct sock *sk)
 			return;
 	}
 
-	if (icsk->icsk_probes_out > max_probes) {
+	if (icsk->icsk_probes_out >= max_probes) {
 abort:		tcp_write_err(sk);
 	} else {
 		/* Only send another probe if we didn't close things up. */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 093/267] tcp: fix SNMP under-estimation on failed retransmission
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 092/267] tcp: fix off-by-one bug on aborting window-probing socket Greg Kroah-Hartman
@ 2019-12-16 17:46 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 094/267] tcp: fix SNMP TCP timeout under-estimation Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuchung Cheng, Eric Dumazet,
	Neal Cardwell, David S. Miller, Sasha Levin

From: Yuchung Cheng <ycheng@google.com>

[ Upstream commit ec641b39457e17774313b66697a8a1dc070257bd ]

Previously the SNMP counter LINUX_MIB_TCPRETRANSFAIL is not counting
the TSO/GSO properly on failed retransmission. This patch fixes that.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5b808089eff89..6025cc509d974 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2932,7 +2932,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
 	if (likely(!err)) {
 		TCP_SKB_CB(skb)->sacked |= TCPCB_EVER_RETRANS;
 	} else if (err != -EBUSY) {
-		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRETRANSFAIL);
+		NET_ADD_STATS(sock_net(sk), LINUX_MIB_TCPRETRANSFAIL, segs);
 	}
 	return err;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 094/267] tcp: fix SNMP TCP timeout under-estimation
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2019-12-16 17:46 ` [PATCH 4.14 093/267] tcp: fix SNMP under-estimation on failed retransmission Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 095/267] modpost: skip ELF local symbols during section mismatch check Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuchung Cheng, Eric Dumazet,
	Neal Cardwell, David S. Miller, Sasha Levin

From: Yuchung Cheng <ycheng@google.com>

[ Upstream commit e1561fe2dd69dc5dddd69bd73aa65355bdfb048b ]

Previously the SNMP TCPTIMEOUTS counter has inconsistent accounting:
1. It counts all SYN and SYN-ACK timeouts
2. It counts timeouts in other states except recurring timeouts and
   timeouts after fast recovery or disorder state.

Such selective accounting makes analysis difficult and complicated. For
example the monitoring system needs to collect many other SNMP counters
to infer the total amount of timeout events. This patch makes TCPTIMEOUTS
counter simply counts all the retransmit timeout (SYN or data or FIN).

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_timer.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 04e2c43a43a5a..65f66bd585e62 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -464,11 +464,12 @@ void tcp_retransmit_timer(struct sock *sk)
 		goto out_reset_timer;
 	}
 
+	__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS);
 	if (tcp_write_timeout(sk))
 		goto out;
 
 	if (icsk->icsk_retransmits == 0) {
-		int mib_idx;
+		int mib_idx = 0;
 
 		if (icsk->icsk_ca_state == TCP_CA_Recovery) {
 			if (tcp_is_sack(tp))
@@ -483,10 +484,9 @@ void tcp_retransmit_timer(struct sock *sk)
 				mib_idx = LINUX_MIB_TCPSACKFAILURES;
 			else
 				mib_idx = LINUX_MIB_TCPRENOFAILURES;
-		} else {
-			mib_idx = LINUX_MIB_TCPTIMEOUTS;
 		}
-		__NET_INC_STATS(sock_net(sk), mib_idx);
+		if (mib_idx)
+			__NET_INC_STATS(sock_net(sk), mib_idx);
 	}
 
 	tcp_enter_loss(sk);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 095/267] modpost: skip ELF local symbols during section mismatch check
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 094/267] tcp: fix SNMP TCP timeout under-estimation Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 096/267] kbuild: fix single target build for external module Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Walmsley, Paul Walmsley,
	Sam Ravnborg, Masahiro Yamada, Sasha Levin

From: Paul Walmsley <paul.walmsley@sifive.com>

[ Upstream commit a4d26f1a0958bb1c2b60c6f1e67c6f5d43e2647b ]

During development of a serial console driver with a gcc 8.2.0
toolchain for RISC-V, the following modpost warning appeared:

----
WARNING: vmlinux.o(.data+0x19b10): Section mismatch in reference from the variable .LANCHOR1 to the function .init.text:sifive_serial_console_setup()
The variable .LANCHOR1 references
the function __init sifive_serial_console_setup()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the variable:
*_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console
----

".LANCHOR1" is an ELF local symbol, automatically created by gcc's section
anchor generation code:

https://gcc.gnu.org/onlinedocs/gccint/Anchored-Addresses.html

https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/varasm.c;h=cd9591a45617464946dcf9a126dde277d9de9804;hb=9fb89fa845c1b2e0a18d85ada0b077c84508ab78#l7473

This was verified by compiling the kernel with -fno-section-anchors
and observing that the ".LANCHOR1" ELF local symbol disappeared, and
modpost no longer warned about the section mismatch.  The serial
driver code idiom triggering the warning is standard Linux serial
driver practice that has a specific whitelist inclusion in modpost.c.

I'm neither a modpost nor an ELF expert, but naively, it doesn't seem
useful for modpost to report section mismatch warnings caused by ELF
local symbols by default.  Local symbols have compiler-generated
names, and thus bypass modpost's whitelisting algorithm, which relies
on the presence of a non-autogenerated symbol name.  This increases
the likelihood that false positive warnings will be generated (as in
the above case).

Thus, disable section mismatch reporting on ELF local symbols.  The
rationale here is similar to that of commit 2e3a10a1551d ("ARM: avoid
ARM binutils leaking ELF local symbols") and of similar code already
present in modpost.c:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/scripts/mod/modpost.c?h=v4.19-rc4&id=7876320f88802b22d4e2daf7eb027dd14175a0f8#n1256

This third version of the patch implements a suggestion from Masahiro
Yamada <yamada.masahiro@socionext.com> to restructure the code as an
additional pattern matching step inside secref_whitelist(), and
further improves the patch description.

Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
Signed-off-by: Paul Walmsley <paul@pwsan.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/mod/modpost.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index c22041a4fc360..b6eb929899c55 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1174,6 +1174,14 @@ static const struct sectioncheck *section_mismatch(
  *   fromsec = text section
  *   refsymname = *.constprop.*
  *
+ * Pattern 6:
+ *   Hide section mismatch warnings for ELF local symbols.  The goal
+ *   is to eliminate false positive modpost warnings caused by
+ *   compiler-generated ELF local symbol names such as ".LANCHOR1".
+ *   Autogenerated symbol names bypass modpost's "Pattern 2"
+ *   whitelisting, which relies on pattern-matching against symbol
+ *   names to work.  (One situation where gcc can autogenerate ELF
+ *   local symbols is when "-fsection-anchors" is used.)
  **/
 static int secref_whitelist(const struct sectioncheck *mismatch,
 			    const char *fromsec, const char *fromsym,
@@ -1212,6 +1220,10 @@ static int secref_whitelist(const struct sectioncheck *mismatch,
 	    match(fromsym, optim_symbols))
 		return 0;
 
+	/* Check for pattern 6 */
+	if (strstarts(fromsym, ".L"))
+		return 0;
+
 	return 1;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 096/267] kbuild: fix single target build for external module
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 095/267] modpost: skip ELF local symbols during section mismatch check Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 097/267] mtd: fix mtd_oobavail() incoherent returned value Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Sasha Levin

From: Masahiro Yamada <yamada.masahiro@socionext.com>

[ Upstream commit e07db28eea38ed4e332b3a89f3995c86b713cb5b ]

Building a single target in an external module fails due to missing
.tmp_versions directory.

For example,

  $ make -C /lib/modules/$(uname -r)/build M=$PWD foo.o

will fail in the following way:

  CC [M]  /home/masahiro/foo/foo.o
/bin/sh: 1: cannot create /home/masahiro/foo/.tmp_versions/foo.mod: Directory nonexistent

This is because $(cmd_crmodverdir) is executed only before building
/, %/, %.ko single targets of external modules. Create .tmp_versions
in the 'prepare' target.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Makefile | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index d97288c0754fe..4de172b2e1fba 100644
--- a/Makefile
+++ b/Makefile
@@ -1529,9 +1529,6 @@ else # KBUILD_EXTMOD
 
 # We are always building modules
 KBUILD_MODULES := 1
-PHONY += crmodverdir
-crmodverdir:
-	$(cmd_crmodverdir)
 
 PHONY += $(objtree)/Module.symvers
 $(objtree)/Module.symvers:
@@ -1543,7 +1540,7 @@ $(objtree)/Module.symvers:
 
 module-dirs := $(addprefix _module_,$(KBUILD_EXTMOD))
 PHONY += $(module-dirs) modules
-$(module-dirs): crmodverdir $(objtree)/Module.symvers
+$(module-dirs): prepare $(objtree)/Module.symvers
 	$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
 
 modules: $(module-dirs)
@@ -1584,7 +1581,8 @@ help:
 
 # Dummies...
 PHONY += prepare scripts
-prepare: ;
+prepare:
+	$(cmd_crmodverdir)
 scripts: ;
 endif # KBUILD_EXTMOD
 
@@ -1709,17 +1707,14 @@ endif
 
 # Modules
 /: prepare scripts FORCE
-	$(cmd_crmodverdir)
 	$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
 	$(build)=$(build-dir)
 # Make sure the latest headers are built for Documentation
 Documentation/ samples/: headers_install
 %/: prepare scripts FORCE
-	$(cmd_crmodverdir)
 	$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
 	$(build)=$(build-dir)
 %.ko: prepare scripts FORCE
-	$(cmd_crmodverdir)
 	$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1)   \
 	$(build)=$(build-dir) $(@:.ko=.o)
 	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 097/267] mtd: fix mtd_oobavail() incoherent returned value
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 096/267] kbuild: fix single target build for external module Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 098/267] ARM: dts: pxa: clean up USB controller nodes Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miquel Raynal, Boris Brezillon, Sasha Levin

From: Miquel Raynal <miquel.raynal@bootlin.com>

[ Upstream commit 4348433d8c0234f44adb6e12112e69343f50f0c5 ]

mtd_oobavail() returns either mtd->oovabail or mtd->oobsize. Both
values are unsigned 32-bit entities, so there is no reason to pretend
returning a signed one.

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/mtd/mtd.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/mtd/mtd.h b/include/linux/mtd/mtd.h
index 6cd0f6b7658b3..aadc2ee050f16 100644
--- a/include/linux/mtd/mtd.h
+++ b/include/linux/mtd/mtd.h
@@ -401,7 +401,7 @@ static inline struct device_node *mtd_get_of_node(struct mtd_info *mtd)
 	return dev_of_node(&mtd->dev);
 }
 
-static inline int mtd_oobavail(struct mtd_info *mtd, struct mtd_oob_ops *ops)
+static inline u32 mtd_oobavail(struct mtd_info *mtd, struct mtd_oob_ops *ops)
 {
 	return ops->mode == MTD_OPS_AUTO_OOB ? mtd->oobavail : mtd->oobsize;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 098/267] ARM: dts: pxa: clean up USB controller nodes
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 097/267] mtd: fix mtd_oobavail() incoherent returned value Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 099/267] clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Mack, Sergey Yanovich,
	Robert Jarzmik, Sasha Levin

From: Daniel Mack <daniel@zonque.org>

[ Upstream commit c40ad24254f1dbd54f2df5f5f524130dc1862122 ]

PXA25xx SoCs don't have a USB controller, so drop the node from the
common pxa2xx.dtsi base file. Both pxa27x and pxa3xx have a dedicated
node already anyway.

While at it, unify the names for the nodes across all pxa platforms.

Signed-off-by: Daniel Mack <daniel@zonque.org>
Reported-by: Sergey Yanovich <ynvich@gmail.com>
Link: https://patchwork.kernel.org/patch/8375421/
Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/pxa27x.dtsi | 2 +-
 arch/arm/boot/dts/pxa2xx.dtsi | 7 -------
 arch/arm/boot/dts/pxa3xx.dtsi | 2 +-
 3 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/arch/arm/boot/dts/pxa27x.dtsi b/arch/arm/boot/dts/pxa27x.dtsi
index 3228ad5fb725f..ccbecad9c5c7c 100644
--- a/arch/arm/boot/dts/pxa27x.dtsi
+++ b/arch/arm/boot/dts/pxa27x.dtsi
@@ -35,7 +35,7 @@
 			clocks = <&clks CLK_NONE>;
 		};
 
-		pxa27x_ohci: usb@4c000000 {
+		usb0: usb@4c000000 {
 			compatible = "marvell,pxa-ohci";
 			reg = <0x4c000000 0x10000>;
 			interrupts = <3>;
diff --git a/arch/arm/boot/dts/pxa2xx.dtsi b/arch/arm/boot/dts/pxa2xx.dtsi
index e4ebcde17837c..a03bca81ae8a6 100644
--- a/arch/arm/boot/dts/pxa2xx.dtsi
+++ b/arch/arm/boot/dts/pxa2xx.dtsi
@@ -117,13 +117,6 @@
 			status = "disabled";
 		};
 
-		usb0: ohci@4c000000 {
-			compatible = "marvell,pxa-ohci";
-			reg = <0x4c000000 0x10000>;
-			interrupts = <3>;
-			status = "disabled";
-		};
-
 		mmc0: mmc@41100000 {
 			compatible = "marvell,pxa-mmc";
 			reg = <0x41100000 0x1000>;
diff --git a/arch/arm/boot/dts/pxa3xx.dtsi b/arch/arm/boot/dts/pxa3xx.dtsi
index 55c75b67351cb..affa5b6f6da14 100644
--- a/arch/arm/boot/dts/pxa3xx.dtsi
+++ b/arch/arm/boot/dts/pxa3xx.dtsi
@@ -189,7 +189,7 @@
 			status = "disabled";
 		};
 
-		pxa3xx_ohci: usb@4c000000 {
+		usb0: usb@4c000000 {
 			compatible = "marvell,pxa-ohci";
 			reg = <0x4c000000 0x10000>;
 			interrupts = <3>;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 099/267] clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 098/267] ARM: dts: pxa: clean up USB controller nodes Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 100/267] ARM: dts: realview: Fix some more duplicate regulator nodes Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Boyd, Chen-Yu Tsai, Sasha Levin

From: Chen-Yu Tsai <wens@csie.org>

[ Upstream commit 7bb7d29cffdd24bf419516d14b6768591e74069e ]

The third parent of CSI_MCLK is PLL_PERIPH1, not PLL_PERIPH0.
Fix it.

Fixes: 0577e4853bfb ("clk: sunxi-ng: Add H3 clocks")
Acked-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/sunxi-ng/ccu-sun8i-h3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-h3.c b/drivers/clk/sunxi-ng/ccu-sun8i-h3.c
index 1729ff6a5aaed..b09acda71abe9 100644
--- a/drivers/clk/sunxi-ng/ccu-sun8i-h3.c
+++ b/drivers/clk/sunxi-ng/ccu-sun8i-h3.c
@@ -460,7 +460,7 @@ static const char * const csi_sclk_parents[] = { "pll-periph0", "pll-periph1" };
 static SUNXI_CCU_M_WITH_MUX_GATE(csi_sclk_clk, "csi-sclk", csi_sclk_parents,
 				 0x134, 16, 4, 24, 3, BIT(31), 0);
 
-static const char * const csi_mclk_parents[] = { "osc24M", "pll-video", "pll-periph0" };
+static const char * const csi_mclk_parents[] = { "osc24M", "pll-video", "pll-periph1" };
 static SUNXI_CCU_M_WITH_MUX_GATE(csi_mclk_clk, "csi-mclk", csi_mclk_parents,
 				 0x134, 0, 5, 8, 3, BIT(15), 0);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 100/267] ARM: dts: realview: Fix some more duplicate regulator nodes
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 099/267] clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 101/267] dlm: fix invalid cluster name warning Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Herring, Linus Walleij,
	Olof Johansson, Sasha Levin

From: Rob Herring <robh@kernel.org>

[ Upstream commit f3b2f758ec1e6cdb13c925647cbd8ad4938b78fb ]

There's a bug in dtc in checking for duplicate node names when there's
another section (e.g. "/ { };"). In this case, skeleton.dtsi provides
another section. Upon removal of skeleton.dtsi, the dtb fails to build
due to a duplicate node 'fixedregulator@0'. As both nodes were pretty
much the same 3.3V fixed regulator, it hasn't really mattered. Fix this
by renaming the nodes to something unique. In the process, drop the
unit-address which shouldn't be present wtihout reg property.

Signed-off-by: Rob Herring <robh@kernel.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/arm-realview-pb1176.dts | 4 ++--
 arch/arm/boot/dts/arm-realview-pb11mp.dts | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/arm/boot/dts/arm-realview-pb1176.dts b/arch/arm/boot/dts/arm-realview-pb1176.dts
index c1fd5615ddfe3..939c108c24a6c 100644
--- a/arch/arm/boot/dts/arm-realview-pb1176.dts
+++ b/arch/arm/boot/dts/arm-realview-pb1176.dts
@@ -45,7 +45,7 @@
 	};
 
 	/* The voltage to the MMC card is hardwired at 3.3V */
-	vmmc: fixedregulator@0 {
+	vmmc: regulator-vmmc {
 		compatible = "regulator-fixed";
 		regulator-name = "vmmc";
 		regulator-min-microvolt = <3300000>;
@@ -53,7 +53,7 @@
 		regulator-boot-on;
         };
 
-	veth: fixedregulator@0 {
+	veth: regulator-veth {
 		compatible = "regulator-fixed";
 		regulator-name = "veth";
 		regulator-min-microvolt = <3300000>;
diff --git a/arch/arm/boot/dts/arm-realview-pb11mp.dts b/arch/arm/boot/dts/arm-realview-pb11mp.dts
index e306f1cceb4ec..95037c48182de 100644
--- a/arch/arm/boot/dts/arm-realview-pb11mp.dts
+++ b/arch/arm/boot/dts/arm-realview-pb11mp.dts
@@ -145,7 +145,7 @@
 	};
 
 	/* The voltage to the MMC card is hardwired at 3.3V */
-	vmmc: fixedregulator@0 {
+	vmmc: regulator-vmmc {
 		compatible = "regulator-fixed";
 		regulator-name = "vmmc";
 		regulator-min-microvolt = <3300000>;
@@ -153,7 +153,7 @@
 		regulator-boot-on;
         };
 
-	veth: fixedregulator@0 {
+	veth: regulator-veth {
 		compatible = "regulator-fixed";
 		regulator-name = "veth";
 		regulator-min-microvolt = <3300000>;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 101/267] dlm: fix invalid cluster name warning
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 100/267] ARM: dts: realview: Fix some more duplicate regulator nodes Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 102/267] net/mlx4_core: Fix return codes of unsupported operations Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Teigland, Sasha Levin

From: David Teigland <teigland@redhat.com>

[ Upstream commit 3595c559326d0b660bb088a88e22e0ca630a0e35 ]

The warning added in commit 3b0e761ba83
  "dlm: print log message when cluster name is not set"

did not account for the fact that lockspaces created
from userland do not supply a cluster name, so bogus
warnings are printed every time a userland lockspace
is created.

Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/user.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index 1f0c071d4a861..02de11695d0ba 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -25,6 +25,7 @@
 #include "lvb_table.h"
 #include "user.h"
 #include "ast.h"
+#include "config.h"
 
 static const char name_prefix[] = "dlm";
 static const struct file_operations device_fops;
@@ -404,7 +405,7 @@ static int device_create_lockspace(struct dlm_lspace_params *params)
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
-	error = dlm_new_lockspace(params->name, NULL, params->flags,
+	error = dlm_new_lockspace(params->name, dlm_config.ci_cluster_name, params->flags,
 				  DLM_USER_LVB_LEN, NULL, NULL, NULL,
 				  &lockspace);
 	if (error)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 102/267] net/mlx4_core: Fix return codes of unsupported operations
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 101/267] dlm: fix invalid cluster name warning Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 103/267] pstore/ram: Avoid NULL deref in ftrace merging failure path Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Erez Alfasi, Tariq Toukan,
	David S. Miller, Sasha Levin

From: Erez Alfasi <ereza@mellanox.com>

[ Upstream commit 95aac2cdafd8c8298c9b2589c52f44db0d824e0e ]

Functions __set_port_type and mlx4_check_port_params returned
-EINVAL while the proper return code is -EOPNOTSUPP as a
result of an unsupported operation. All drivers should generate
this and all users should check for it when detecting an
unsupported functionality.

Signed-off-by: Erez Alfasi <ereza@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx4/main.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
index c273a3ebb8e8e..12d4b891301b6 100644
--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -199,7 +199,7 @@ int mlx4_check_port_params(struct mlx4_dev *dev,
 		for (i = 0; i < dev->caps.num_ports - 1; i++) {
 			if (port_type[i] != port_type[i + 1]) {
 				mlx4_err(dev, "Only same port types supported on this HCA, aborting\n");
-				return -EINVAL;
+				return -EOPNOTSUPP;
 			}
 		}
 	}
@@ -208,7 +208,7 @@ int mlx4_check_port_params(struct mlx4_dev *dev,
 		if (!(port_type[i] & dev->caps.supported_type[i+1])) {
 			mlx4_err(dev, "Requested port type for port %d is not supported on this HCA\n",
 				 i + 1);
-			return -EINVAL;
+			return -EOPNOTSUPP;
 		}
 	}
 	return 0;
@@ -1152,8 +1152,7 @@ static int __set_port_type(struct mlx4_port_info *info,
 		mlx4_err(mdev,
 			 "Requested port type for port %d is not supported on this HCA\n",
 			 info->port);
-		err = -EINVAL;
-		goto err_sup;
+		return -EOPNOTSUPP;
 	}
 
 	mlx4_stop_sense(mdev);
@@ -1175,7 +1174,7 @@ static int __set_port_type(struct mlx4_port_info *info,
 		for (i = 1; i <= mdev->caps.num_ports; i++) {
 			if (mdev->caps.possible_type[i] == MLX4_PORT_TYPE_AUTO) {
 				mdev->caps.possible_type[i] = mdev->caps.port_type[i];
-				err = -EINVAL;
+				err = -EOPNOTSUPP;
 			}
 		}
 	}
@@ -1201,7 +1200,7 @@ static int __set_port_type(struct mlx4_port_info *info,
 out:
 	mlx4_start_sense(mdev);
 	mutex_unlock(&priv->port_mutex);
-err_sup:
+
 	return err;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 103/267] pstore/ram: Avoid NULL deref in ftrace merging failure path
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 102/267] net/mlx4_core: Fix return codes of unsupported operations Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 104/267] powerpc/math-emu: Update macros from GCC Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter,
	Joel Fernandes (Google),
	Kees Cook, Sasha Levin

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 8665569e97dd52920713b95675409648986b5b0d ]

Given corruption in the ftrace records, it might be possible to allocate
tmp_prz without assigning prz to it, but still marking it as needing to
be freed, which would cause at least a NULL dereference.

smatch warnings:
fs/pstore/ram.c:340 ramoops_pstore_read() error: we previously assumed 'prz' could be null (see line 255)

https://lists.01.org/pipermail/kbuild-all/2018-December/055528.html

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 2fbea82bbb89 ("pstore: Merge per-CPU ftrace records into one")
Cc: "Joel Fernandes (Google)" <joel@joelfernandes.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/pstore/ram.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
index 40bfc6c583749..1e675be10926d 100644
--- a/fs/pstore/ram.c
+++ b/fs/pstore/ram.c
@@ -297,6 +297,7 @@ static ssize_t ramoops_pstore_read(struct pstore_record *record)
 					  GFP_KERNEL);
 			if (!tmp_prz)
 				return -ENOMEM;
+			prz = tmp_prz;
 			free_prz = true;
 
 			while (cxt->ftrace_read_cnt < cxt->max_ftrace_cnt) {
@@ -319,7 +320,6 @@ static ssize_t ramoops_pstore_read(struct pstore_record *record)
 					goto out;
 			}
 			record->id = 0;
-			prz = tmp_prz;
 		}
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 104/267] powerpc/math-emu: Update macros from GCC
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 103/267] pstore/ram: Avoid NULL deref in ftrace merging failure path Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 105/267] clk: renesas: r8a77995: Correct parent clock of DU Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Nick Desaulniers,
	Segher Boessenkool, Michael Ellerman, Sasha Levin

From: Joel Stanley <joel@jms.id.au>

[ Upstream commit b682c8692442711684befe413cf93cf01c5324ea ]

The add_ssaaaa, sub_ddmmss, umul_ppmm and udiv_qrnnd macros originate
from GCC's longlong.h which in turn was copied from GMP's longlong.h a
few decades ago.

This was found when compiling with clang:

   arch/powerpc/math-emu/fnmsub.c:46:2: error: invalid use of a cast in a
   inline asm context requiring an l-value: remove the cast or build with
   -fheinous-gnu-extensions
           FP_ADD_D(R, T, B);
           ^~~~~~~~~~~~~~~~~
   ...

   ./arch/powerpc/include/asm/sfp-machine.h:283:27: note: expanded from
   macro 'sub_ddmmss'
                  : "=r" ((USItype)(sh)),                                  \
                          ~~~~~~~~~~^~~

Segher points out: this was fixed in GCC over 16 years ago
( https://gcc.gnu.org/r56600 ), and in GMP (where it comes from)
presumably before that.

Update the add_ssaaaa, sub_ddmmss, umul_ppmm and udiv_qrnnd macros to
the latest GCC version in order to git rid of the invalid casts. These
were taken as-is from GCC's longlong in order to make future syncs
obvious. Other parts of sfp-machine.h were left as-is as the file
contains more features than present in longlong.h.

Link: https://github.com/ClangBuiltLinux/linux/issues/260
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Segher Boessenkool <segher@kernel.crashing.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/sfp-machine.h | 92 ++++++++------------------
 1 file changed, 29 insertions(+), 63 deletions(-)

diff --git a/arch/powerpc/include/asm/sfp-machine.h b/arch/powerpc/include/asm/sfp-machine.h
index d89beaba26ff9..8b957aabb826d 100644
--- a/arch/powerpc/include/asm/sfp-machine.h
+++ b/arch/powerpc/include/asm/sfp-machine.h
@@ -213,30 +213,18 @@
  * respectively.  The result is placed in HIGH_SUM and LOW_SUM.  Overflow
  * (i.e. carry out) is not stored anywhere, and is lost.
  */
-#define add_ssaaaa(sh, sl, ah, al, bh, bl)				\
+#define add_ssaaaa(sh, sl, ah, al, bh, bl) \
   do {									\
     if (__builtin_constant_p (bh) && (bh) == 0)				\
-      __asm__ ("{a%I4|add%I4c} %1,%3,%4\n\t{aze|addze} %0,%2"		\
-	     : "=r" ((USItype)(sh)),					\
-	       "=&r" ((USItype)(sl))					\
-	     : "%r" ((USItype)(ah)),					\
-	       "%r" ((USItype)(al)),					\
-	       "rI" ((USItype)(bl)));					\
-    else if (__builtin_constant_p (bh) && (bh) ==~(USItype) 0)		\
-      __asm__ ("{a%I4|add%I4c} %1,%3,%4\n\t{ame|addme} %0,%2"		\
-	     : "=r" ((USItype)(sh)),					\
-	       "=&r" ((USItype)(sl))					\
-	     : "%r" ((USItype)(ah)),					\
-	       "%r" ((USItype)(al)),					\
-	       "rI" ((USItype)(bl)));					\
+      __asm__ ("add%I4c %1,%3,%4\n\taddze %0,%2"		\
+	     : "=r" (sh), "=&r" (sl) : "r" (ah), "%r" (al), "rI" (bl));\
+    else if (__builtin_constant_p (bh) && (bh) == ~(USItype) 0)		\
+      __asm__ ("add%I4c %1,%3,%4\n\taddme %0,%2"		\
+	     : "=r" (sh), "=&r" (sl) : "r" (ah), "%r" (al), "rI" (bl));\
     else								\
-      __asm__ ("{a%I5|add%I5c} %1,%4,%5\n\t{ae|adde} %0,%2,%3"		\
-	     : "=r" ((USItype)(sh)),					\
-	       "=&r" ((USItype)(sl))					\
-	     : "%r" ((USItype)(ah)),					\
-	       "r" ((USItype)(bh)),					\
-	       "%r" ((USItype)(al)),					\
-	       "rI" ((USItype)(bl)));					\
+      __asm__ ("add%I5c %1,%4,%5\n\tadde %0,%2,%3"		\
+	     : "=r" (sh), "=&r" (sl)					\
+	     : "%r" (ah), "r" (bh), "%r" (al), "rI" (bl));		\
   } while (0)
 
 /* sub_ddmmss is used in op-2.h and udivmodti4.c and should be equivalent to
@@ -248,44 +236,24 @@
  * and LOW_DIFFERENCE.  Overflow (i.e. carry out) is not stored anywhere,
  * and is lost.
  */
-#define sub_ddmmss(sh, sl, ah, al, bh, bl)				\
+#define sub_ddmmss(sh, sl, ah, al, bh, bl) \
   do {									\
     if (__builtin_constant_p (ah) && (ah) == 0)				\
-      __asm__ ("{sf%I3|subf%I3c} %1,%4,%3\n\t{sfze|subfze} %0,%2"	\
-	       : "=r" ((USItype)(sh)),					\
-		 "=&r" ((USItype)(sl))					\
-	       : "r" ((USItype)(bh)),					\
-		 "rI" ((USItype)(al)),					\
-		 "r" ((USItype)(bl)));					\
-    else if (__builtin_constant_p (ah) && (ah) ==~(USItype) 0)		\
-      __asm__ ("{sf%I3|subf%I3c} %1,%4,%3\n\t{sfme|subfme} %0,%2"	\
-	       : "=r" ((USItype)(sh)),					\
-		 "=&r" ((USItype)(sl))					\
-	       : "r" ((USItype)(bh)),					\
-		 "rI" ((USItype)(al)),					\
-		 "r" ((USItype)(bl)));					\
+      __asm__ ("subf%I3c %1,%4,%3\n\tsubfze %0,%2"	\
+	       : "=r" (sh), "=&r" (sl) : "r" (bh), "rI" (al), "r" (bl));\
+    else if (__builtin_constant_p (ah) && (ah) == ~(USItype) 0)		\
+      __asm__ ("subf%I3c %1,%4,%3\n\tsubfme %0,%2"	\
+	       : "=r" (sh), "=&r" (sl) : "r" (bh), "rI" (al), "r" (bl));\
     else if (__builtin_constant_p (bh) && (bh) == 0)			\
-      __asm__ ("{sf%I3|subf%I3c} %1,%4,%3\n\t{ame|addme} %0,%2"		\
-	       : "=r" ((USItype)(sh)),					\
-		 "=&r" ((USItype)(sl))					\
-	       : "r" ((USItype)(ah)),					\
-		 "rI" ((USItype)(al)),					\
-		 "r" ((USItype)(bl)));					\
-    else if (__builtin_constant_p (bh) && (bh) ==~(USItype) 0)		\
-      __asm__ ("{sf%I3|subf%I3c} %1,%4,%3\n\t{aze|addze} %0,%2"		\
-	       : "=r" ((USItype)(sh)),					\
-		 "=&r" ((USItype)(sl))					\
-	       : "r" ((USItype)(ah)),					\
-		 "rI" ((USItype)(al)),					\
-		 "r" ((USItype)(bl)));					\
+      __asm__ ("subf%I3c %1,%4,%3\n\taddme %0,%2"		\
+	       : "=r" (sh), "=&r" (sl) : "r" (ah), "rI" (al), "r" (bl));\
+    else if (__builtin_constant_p (bh) && (bh) == ~(USItype) 0)		\
+      __asm__ ("subf%I3c %1,%4,%3\n\taddze %0,%2"		\
+	       : "=r" (sh), "=&r" (sl) : "r" (ah), "rI" (al), "r" (bl));\
     else								\
-      __asm__ ("{sf%I4|subf%I4c} %1,%5,%4\n\t{sfe|subfe} %0,%3,%2"	\
-	       : "=r" ((USItype)(sh)),					\
-		 "=&r" ((USItype)(sl))					\
-	       : "r" ((USItype)(ah)),					\
-		 "r" ((USItype)(bh)),					\
-		 "rI" ((USItype)(al)),					\
-		 "r" ((USItype)(bl)));					\
+      __asm__ ("subf%I4c %1,%5,%4\n\tsubfe %0,%3,%2"	\
+	       : "=r" (sh), "=&r" (sl)					\
+	       : "r" (ah), "r" (bh), "rI" (al), "r" (bl));		\
   } while (0)
 
 /* asm fragments for mul and div */
@@ -294,13 +262,10 @@
  * UWtype integers MULTIPLER and MULTIPLICAND, and generates a two UWtype
  * word product in HIGH_PROD and LOW_PROD.
  */
-#define umul_ppmm(ph, pl, m0, m1)					\
+#define umul_ppmm(ph, pl, m0, m1) \
   do {									\
     USItype __m0 = (m0), __m1 = (m1);					\
-    __asm__ ("mulhwu %0,%1,%2"						\
-	     : "=r" ((USItype)(ph))					\
-	     : "%r" (__m0),						\
-               "r" (__m1));						\
+    __asm__ ("mulhwu %0,%1,%2" : "=r" (ph) : "%r" (m0), "r" (m1));	\
     (pl) = __m0 * __m1;							\
   } while (0)
 
@@ -312,9 +277,10 @@
  * significant bit of DENOMINATOR must be 1, then the pre-processor symbol
  * UDIV_NEEDS_NORMALIZATION is defined to 1.
  */
-#define udiv_qrnnd(q, r, n1, n0, d)					\
+#define udiv_qrnnd(q, r, n1, n0, d) \
   do {									\
-    UWtype __d1, __d0, __q1, __q0, __r1, __r0, __m;			\
+    UWtype __d1, __d0, __q1, __q0;					\
+    UWtype __r1, __r0, __m;						\
     __d1 = __ll_highpart (d);						\
     __d0 = __ll_lowpart (d);						\
 									\
@@ -325,7 +291,7 @@
     if (__r1 < __m)							\
       {									\
 	__q1--, __r1 += (d);						\
-	if (__r1 >= (d)) /* we didn't get carry when adding to __r1 */	\
+	if (__r1 >= (d)) /* i.e. we didn't get carry when adding to __r1 */\
 	  if (__r1 < __m)						\
 	    __q1--, __r1 += (d);					\
       }									\
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 105/267] clk: renesas: r8a77995: Correct parent clock of DU
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 104/267] powerpc/math-emu: Update macros from GCC Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 106/267] MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Stephen Boyd,
	Laurent Pinchart, Sasha Levin

From: Geert Uytterhoeven <geert+renesas@glider.be>

[ Upstream commit 515b2915ee08060ad4f6a3b3de38c5c2c5258e8b ]

According to the R-Car Gen3 Hardware Manual Rev 1.00, the parent clock
of the DU module clocks on R-Car D3 is S1D1.

Fixes: d71e851d82c6cfe5 ("clk: renesas: cpg-mssr: Add R8A77995 support")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Stephen Boyd <sboyd@kernel.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/renesas/r8a77995-cpg-mssr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/renesas/r8a77995-cpg-mssr.c b/drivers/clk/renesas/r8a77995-cpg-mssr.c
index e594cf8ee63b6..8434d5530fb15 100644
--- a/drivers/clk/renesas/r8a77995-cpg-mssr.c
+++ b/drivers/clk/renesas/r8a77995-cpg-mssr.c
@@ -141,8 +141,8 @@ static const struct mssr_mod_clk r8a77995_mod_clks[] __initconst = {
 	DEF_MOD("vspbs",		 627,	R8A77995_CLK_S0D1),
 	DEF_MOD("ehci0",		 703,	R8A77995_CLK_S3D2),
 	DEF_MOD("hsusb",		 704,	R8A77995_CLK_S3D2),
-	DEF_MOD("du1",			 723,	R8A77995_CLK_S2D1),
-	DEF_MOD("du0",			 724,	R8A77995_CLK_S2D1),
+	DEF_MOD("du1",			 723,	R8A77995_CLK_S1D1),
+	DEF_MOD("du0",			 724,	R8A77995_CLK_S1D1),
 	DEF_MOD("lvds",			 727,	R8A77995_CLK_S2D1),
 	DEF_MOD("vin7",			 804,	R8A77995_CLK_S1D2),
 	DEF_MOD("vin6",			 805,	R8A77995_CLK_S1D2),
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 106/267] MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 105/267] clk: renesas: r8a77995: Correct parent clock of DU Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 107/267] nfsd: Return EPERM, not EACCES, in some SETATTR cases Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Paul Burton,
	Ralf Baechle, James Hogan, linux-mips, Sasha Levin

From: Aaro Koskinen <aaro.koskinen@iki.fi>

[ Upstream commit 1c6121c39677175bd372076020948e184bad4b6b ]

cn58xx is compatible with cn50xx, so use the latter.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
[paul.burton@mips.com: s/cn52xx/cn50xx/ in commit message.]
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/cavium-octeon/executive/cvmx-cmd-queue.c | 2 +-
 arch/mips/include/asm/octeon/cvmx-pko.h            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/mips/cavium-octeon/executive/cvmx-cmd-queue.c b/arch/mips/cavium-octeon/executive/cvmx-cmd-queue.c
index 8241fc6aa17d8..3839feba68f20 100644
--- a/arch/mips/cavium-octeon/executive/cvmx-cmd-queue.c
+++ b/arch/mips/cavium-octeon/executive/cvmx-cmd-queue.c
@@ -266,7 +266,7 @@ int cvmx_cmd_queue_length(cvmx_cmd_queue_id_t queue_id)
 		} else {
 			union cvmx_pko_mem_debug8 debug8;
 			debug8.u64 = cvmx_read_csr(CVMX_PKO_MEM_DEBUG8);
-			return debug8.cn58xx.doorbell;
+			return debug8.cn50xx.doorbell;
 		}
 	case CVMX_CMD_QUEUE_ZIP:
 	case CVMX_CMD_QUEUE_DFA:
diff --git a/arch/mips/include/asm/octeon/cvmx-pko.h b/arch/mips/include/asm/octeon/cvmx-pko.h
index 5f47f76ed510a..20eb9c46a75ab 100644
--- a/arch/mips/include/asm/octeon/cvmx-pko.h
+++ b/arch/mips/include/asm/octeon/cvmx-pko.h
@@ -611,7 +611,7 @@ static inline void cvmx_pko_get_port_status(uint64_t port_num, uint64_t clear,
 		pko_reg_read_idx.s.index = cvmx_pko_get_base_queue(port_num);
 		cvmx_write_csr(CVMX_PKO_REG_READ_IDX, pko_reg_read_idx.u64);
 		debug8.u64 = cvmx_read_csr(CVMX_PKO_MEM_DEBUG8);
-		status->doorbell = debug8.cn58xx.doorbell;
+		status->doorbell = debug8.cn50xx.doorbell;
 	}
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 107/267] nfsd: Return EPERM, not EACCES, in some SETATTR cases
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 106/267] MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 108/267] tty: Dont block on IO when ldisc change is pending Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zhengbin, J. Bruce Fields, Sasha Levin

From: zhengbin <zhengbin13@huawei.com>

[ Upstream commit 255fbca65137e25b12bced18ec9a014dc77ecda0 ]

As the man(2) page for utime/utimes states, EPERM is returned when the
second parameter of utime or utimes is not NULL, the caller's effective UID
does not match the owner of the file, and the caller is not privileged.

However, in a NFS directory mounted from knfsd, it will return EACCES
(from nfsd_setattr-> fh_verify->nfsd_permission).  This patch fixes
that.

Signed-off-by: zhengbin <zhengbin13@huawei.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfsd/vfs.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index f55527ef21e84..06d1f2edf2ec6 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -396,10 +396,23 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
 	bool		get_write_count;
 	bool		size_change = (iap->ia_valid & ATTR_SIZE);
 
-	if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE))
+	if (iap->ia_valid & ATTR_SIZE) {
 		accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE;
-	if (iap->ia_valid & ATTR_SIZE)
 		ftype = S_IFREG;
+	}
+
+	/*
+	 * If utimes(2) and friends are called with times not NULL, we should
+	 * not set NFSD_MAY_WRITE bit. Otherwise fh_verify->nfsd_permission
+	 * will return EACCESS, when the caller's effective UID does not match
+	 * the owner of the file, and the caller is not privileged. In this
+	 * situation, we should return EPERM(notify_change will return this).
+	 */
+	if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME)) {
+		accmode |= NFSD_MAY_OWNER_OVERRIDE;
+		if (!(iap->ia_valid & (ATTR_ATIME_SET | ATTR_MTIME_SET)))
+			accmode |= NFSD_MAY_WRITE;
+	}
 
 	/* Callers that do fh_verify should do the fh_want_write: */
 	get_write_count = !fhp->fh_dentry;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 108/267] tty: Dont block on IO when ldisc change is pending
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 107/267] nfsd: Return EPERM, not EACCES, in some SETATTR cases Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 109/267] media: stkwebcam: Bugfix for wrong return values Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Mikulas Patocka,
	Dmitry Safonov, Sasha Levin

From: Dmitry Safonov <dima@arista.com>

[ Upstream commit c96cf923a98d1b094df9f0cf97a83e118817e31b ]

There might be situations where tty_ldisc_lock() has blocked, but there
is already IO on tty and it prevents line discipline changes.
It might theoretically turn into dead-lock.

Basically, provide more priority to pending tty_ldisc_lock() than to
servicing reads/writes over tty.

User-visible issue was reported by Mikulas where on pa-risc with
Debian 5 reboot took either 80 seconds, 3 minutes or 3:25 after proper
locking in tty_reopen().

Cc: Jiri Slaby <jslaby@suse.com>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/n_hdlc.c    | 4 ++--
 drivers/tty/n_r3964.c   | 2 +-
 drivers/tty/n_tty.c     | 8 ++++----
 drivers/tty/tty_ldisc.c | 7 +++++++
 include/linux/tty.h     | 7 +++++++
 5 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index e83dea8d6633a..19c4aa800c810 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -614,7 +614,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file,
 		}
 			
 		/* no data */
-		if (file->f_flags & O_NONBLOCK) {
+		if (tty_io_nonblock(tty, file)) {
 			ret = -EAGAIN;
 			break;
 		}
@@ -681,7 +681,7 @@ static ssize_t n_hdlc_tty_write(struct tty_struct *tty, struct file *file,
 		if (tbuf)
 			break;
 
-		if (file->f_flags & O_NONBLOCK) {
+		if (tty_io_nonblock(tty, file)) {
 			error = -EAGAIN;
 			break;
 		}
diff --git a/drivers/tty/n_r3964.c b/drivers/tty/n_r3964.c
index 305b6490d4053..08ac04d089916 100644
--- a/drivers/tty/n_r3964.c
+++ b/drivers/tty/n_r3964.c
@@ -1080,7 +1080,7 @@ static ssize_t r3964_read(struct tty_struct *tty, struct file *file,
 		pMsg = remove_msg(pInfo, pClient);
 		if (pMsg == NULL) {
 			/* no messages available. */
-			if (file->f_flags & O_NONBLOCK) {
+			if (tty_io_nonblock(tty, file)) {
 				ret = -EAGAIN;
 				goto unlock;
 			}
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 904fc9c37fdea..8214b0326b3a1 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1704,7 +1704,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
 
 	down_read(&tty->termios_rwsem);
 
-	while (1) {
+	do {
 		/*
 		 * When PARMRK is set, each input char may take up to 3 chars
 		 * in the read buf; reduce the buffer space avail by 3x
@@ -1746,7 +1746,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
 			fp += n;
 		count -= n;
 		rcvd += n;
-	}
+	} while (!test_bit(TTY_LDISC_CHANGING, &tty->flags));
 
 	tty->receive_room = room;
 
@@ -2213,7 +2213,7 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
 					break;
 				if (!timeout)
 					break;
-				if (file->f_flags & O_NONBLOCK) {
+				if (tty_io_nonblock(tty, file)) {
 					retval = -EAGAIN;
 					break;
 				}
@@ -2367,7 +2367,7 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
 		}
 		if (!nr)
 			break;
-		if (file->f_flags & O_NONBLOCK) {
+		if (tty_io_nonblock(tty, file)) {
 			retval = -EAGAIN;
 			break;
 		}
diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
index 01fcdc7ff0771..62dd2abb57fea 100644
--- a/drivers/tty/tty_ldisc.c
+++ b/drivers/tty/tty_ldisc.c
@@ -348,6 +348,11 @@ int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
 {
 	int ret;
 
+	/* Kindly asking blocked readers to release the read side */
+	set_bit(TTY_LDISC_CHANGING, &tty->flags);
+	wake_up_interruptible_all(&tty->read_wait);
+	wake_up_interruptible_all(&tty->write_wait);
+
 	ret = __tty_ldisc_lock(tty, timeout);
 	if (!ret)
 		return -EBUSY;
@@ -358,6 +363,8 @@ int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout)
 void tty_ldisc_unlock(struct tty_struct *tty)
 {
 	clear_bit(TTY_LDISC_HALTED, &tty->flags);
+	/* Can be cleared here - ldisc_unlock will wake up writers firstly */
+	clear_bit(TTY_LDISC_CHANGING, &tty->flags);
 	__tty_ldisc_unlock(tty);
 }
 
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 1dd587ba6d882..0cd621d8c7f05 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -365,6 +365,7 @@ struct tty_file_private {
 #define TTY_NO_WRITE_SPLIT 	17	/* Preserve write boundaries to driver */
 #define TTY_HUPPED 		18	/* Post driver->hangup() */
 #define TTY_HUPPING		19	/* Hangup in progress */
+#define TTY_LDISC_CHANGING	20	/* Change pending - non-block IO */
 #define TTY_LDISC_HALTED	22	/* Line discipline is halted */
 
 /* Values for tty->flow_change */
@@ -382,6 +383,12 @@ static inline void tty_set_flow_change(struct tty_struct *tty, int val)
 	smp_mb();
 }
 
+static inline bool tty_io_nonblock(struct tty_struct *tty, struct file *file)
+{
+	return file->f_flags & O_NONBLOCK ||
+		test_bit(TTY_LDISC_CHANGING, &tty->flags);
+}
+
 static inline bool tty_io_error(struct tty_struct *tty)
 {
 	return test_bit(TTY_IO_ERROR, &tty->flags);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 109/267] media: stkwebcam: Bugfix for wrong return values
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 108/267] tty: Dont block on IO when ldisc change is pending Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 110/267] firmware: qcom: scm: fix compilation error when disabled Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andreas Pape, Kieran Bingham,
	Mauro Carvalho Chehab, Sasha Levin

From: Andreas Pape <ap@ca-pape.de>

[ Upstream commit 3c28b91380dd1183347d32d87d820818031ebecf ]

usb_control_msg returns in case of a successfully sent message the number
of sent bytes as a positive number. Don't use this value as a return value
for stk_camera_read_reg, as a non-zero return value is used as an error
condition in some cases when stk_camera_read_reg is called.

Signed-off-by: Andreas Pape <ap@ca-pape.de>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/stkwebcam/stk-webcam.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/stkwebcam/stk-webcam.c b/drivers/media/usb/stkwebcam/stk-webcam.c
index a7da1356a36ef..6992e84f8a8bb 100644
--- a/drivers/media/usb/stkwebcam/stk-webcam.c
+++ b/drivers/media/usb/stkwebcam/stk-webcam.c
@@ -164,7 +164,11 @@ int stk_camera_read_reg(struct stk_camera *dev, u16 index, u8 *value)
 		*value = *buf;
 
 	kfree(buf);
-	return ret;
+
+	if (ret < 0)
+		return ret;
+	else
+		return 0;
 }
 
 static int stk_start_stream(struct stk_camera *dev)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 110/267] firmware: qcom: scm: fix compilation error when disabled
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 109/267] media: stkwebcam: Bugfix for wrong return values Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 111/267] mlxsw: spectrum_router: Relax GRE decap matching check Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Marek, Bjorn Andersson,
	Andy Gross, Sasha Levin

From: Jonathan Marek <jonathan@marek.ca>

[ Upstream commit 16ad9501b1f2edebe24f8cf3c09da0695871986b ]

This fixes the case when CONFIG_QCOM_SCM is not enabled, and linux/errno.h
has not been included previously.

Signed-off-by: Jonathan Marek <jonathan@marek.ca>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/qcom_scm.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/linux/qcom_scm.h b/include/linux/qcom_scm.h
index e5380471c2cd2..428278a44c7db 100644
--- a/include/linux/qcom_scm.h
+++ b/include/linux/qcom_scm.h
@@ -44,6 +44,9 @@ extern int qcom_scm_restore_sec_cfg(u32 device_id, u32 spare);
 extern int qcom_scm_iommu_secure_ptbl_size(u32 spare, size_t *size);
 extern int qcom_scm_iommu_secure_ptbl_init(u64 addr, u32 size, u32 spare);
 #else
+
+#include <linux/errno.h>
+
 static inline
 int qcom_scm_set_cold_boot_addr(void *entry, const cpumask_t *cpus)
 {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 111/267] mlxsw: spectrum_router: Relax GRE decap matching check
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 110/267] firmware: qcom: scm: fix compilation error when disabled Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 112/267] IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nir Dotan, Ido Schimmel,
	David S. Miller, Sasha Levin

From: Nir Dotan <nird@mellanox.com>

[ Upstream commit da93d2913fdf43d5cde3c5a53ac9cc29684d5c7c ]

GRE decap offload is configured when local routes prefix correspond to the
local address of one of the offloaded GRE tunnels. The matching check was
found to be too strict, such that for a flat GRE configuration, in which
the overlay and underlay traffic share the same non-default VRF, decap flow
was not offloaded.

Relax the check for decap flow offloading. A match occurs if the local
address of the tunnel matches the local route address while both share the
same VRF table.

Fixes: 4607f6d26950 ("mlxsw: spectrum_router: Support IPv4 underlay decap")
Signed-off-by: Nir Dotan <nird@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 3ed4fb346f235..5b9a5c3834d9e 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -1252,15 +1252,12 @@ mlxsw_sp_ipip_entry_matches_decap(struct mlxsw_sp *mlxsw_sp,
 {
 	u32 ul_tb_id = l3mdev_fib_table(ul_dev) ? : RT_TABLE_MAIN;
 	enum mlxsw_sp_ipip_type ipipt = ipip_entry->ipipt;
-	struct net_device *ipip_ul_dev;
 
 	if (mlxsw_sp->router->ipip_ops_arr[ipipt]->ul_proto != ul_proto)
 		return false;
 
-	ipip_ul_dev = __mlxsw_sp_ipip_netdev_ul_dev_get(ipip_entry->ol_dev);
 	return mlxsw_sp_ipip_entry_saddr_matches(mlxsw_sp, ul_proto, ul_dip,
-						 ul_tb_id, ipip_entry) &&
-	       (!ipip_ul_dev || ipip_ul_dev == ul_dev);
+						 ul_tb_id, ipip_entry);
 }
 
 /* Given decap parameters, find the corresponding IPIP entry. */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 112/267] IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 111/267] mlxsw: spectrum_router: Relax GRE decap matching check Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 113/267] IB/hfi1: Close VNIC sdma_progress sleep window Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Krzysztof Goreczny,
	Kaike Wan, Dennis Dalessandro, Jason Gunthorpe, Sasha Levin

From: Kaike Wan <kaike.wan@intel.com>

[ Upstream commit c1a797c0818e0122c7ec8422edd971cfec9b15ea ]

When it is requested to change its physical state back to Offline while in
the process to go up, DC8051 will set the ERROR field in the
DC8051_DBG_ERR_INFO_SET_BY_8051 register. This ERROR field will remain
until the next time when DC8051 transitions from Offline to Polling.
Subsequently, when the host requests DC8051 to change its physical state
to Polling again, it may receive a DC8051 interrupt with the stale ERROR
field still in DC8051_DBG_ERR_INFO_SET_BY_8051. If the host link state has
been changed to Polling, this stale ERROR will force the host to
transition to Offline state, resulting in a vicious cycle of Polling
->Offline->Polling->Offline. On the other hand, if the host link state is
still Offline when the stale ERROR is received, the stale ERROR will be
ignored, and the link will come up correctly.  This patch implements the
correct behavior by changing host link state to Polling only after DC8051
changes its physical state to Polling.

Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Krzysztof Goreczny <krzysztof.goreczny@intel.com>
Signed-off-by: Kaike Wan <kaike.wan@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/hfi1/chip.c | 47 ++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c
index 9dcdc0a8685e7..9f78bb07744c7 100644
--- a/drivers/infiniband/hw/hfi1/chip.c
+++ b/drivers/infiniband/hw/hfi1/chip.c
@@ -1074,6 +1074,8 @@ static void log_state_transition(struct hfi1_pportdata *ppd, u32 state);
 static void log_physical_state(struct hfi1_pportdata *ppd, u32 state);
 static int wait_physical_linkstate(struct hfi1_pportdata *ppd, u32 state,
 				   int msecs);
+static int wait_phys_link_out_of_offline(struct hfi1_pportdata *ppd,
+					 int msecs);
 static void read_planned_down_reason_code(struct hfi1_devdata *dd, u8 *pdrrc);
 static void read_link_down_reason(struct hfi1_devdata *dd, u8 *ldr);
 static void handle_temp_err(struct hfi1_devdata *dd);
@@ -10731,13 +10733,15 @@ int set_link_state(struct hfi1_pportdata *ppd, u32 state)
 			break;
 
 		ppd->port_error_action = 0;
-		ppd->host_link_state = HLS_DN_POLL;
 
 		if (quick_linkup) {
 			/* quick linkup does not go into polling */
 			ret = do_quick_linkup(dd);
 		} else {
 			ret1 = set_physical_link_state(dd, PLS_POLLING);
+			if (!ret1)
+				ret1 = wait_phys_link_out_of_offline(ppd,
+								     3000);
 			if (ret1 != HCMD_SUCCESS) {
 				dd_dev_err(dd,
 					   "Failed to transition to Polling link state, return 0x%x\n",
@@ -10745,6 +10749,14 @@ int set_link_state(struct hfi1_pportdata *ppd, u32 state)
 				ret = -EINVAL;
 			}
 		}
+
+		/*
+		 * Change the host link state after requesting DC8051 to
+		 * change its physical state so that we can ignore any
+		 * interrupt with stale LNI(XX) error, which will not be
+		 * cleared until DC8051 transitions to Polling state.
+		 */
+		ppd->host_link_state = HLS_DN_POLL;
 		ppd->offline_disabled_reason =
 			HFI1_ODR_MASK(OPA_LINKDOWN_REASON_NONE);
 		/*
@@ -12870,6 +12882,39 @@ static int wait_phys_link_offline_substates(struct hfi1_pportdata *ppd,
 	return read_state;
 }
 
+/*
+ * wait_phys_link_out_of_offline - wait for any out of offline state
+ * @ppd: port device
+ * @msecs: the number of milliseconds to wait
+ *
+ * Wait up to msecs milliseconds for any out of offline physical link
+ * state change to occur.
+ * Returns 0 if at least one state is reached, otherwise -ETIMEDOUT.
+ */
+static int wait_phys_link_out_of_offline(struct hfi1_pportdata *ppd,
+					 int msecs)
+{
+	u32 read_state;
+	unsigned long timeout;
+
+	timeout = jiffies + msecs_to_jiffies(msecs);
+	while (1) {
+		read_state = read_physical_state(ppd->dd);
+		if ((read_state & 0xF0) != PLS_OFFLINE)
+			break;
+		if (time_after(jiffies, timeout)) {
+			dd_dev_err(ppd->dd,
+				   "timeout waiting for phy link out of offline. Read state 0x%x, %dms\n",
+				   read_state, msecs);
+			return -ETIMEDOUT;
+		}
+		usleep_range(1950, 2050); /* sleep 2ms-ish */
+	}
+
+	log_state_transition(ppd, read_state);
+	return read_state;
+}
+
 #define CLEAR_STATIC_RATE_CONTROL_SMASK(r) \
 (r &= ~SEND_CTXT_CHECK_ENABLE_DISALLOW_PBC_STATIC_RATE_CONTROL_SMASK)
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 113/267] IB/hfi1: Close VNIC sdma_progress sleep window
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 112/267] IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 114/267] mlx4: Use snprintf instead of complicated strcpy Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gary Leshner, Mike Marciniszyn,
	Dennis Dalessandro, Jason Gunthorpe, Sasha Levin

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

[ Upstream commit 18912c4524385dd6532c682cb9d4f6aa39ba8d47 ]

The call to sdma_progress() is called outside the wait lock.

In this case, there is a race condition where sdma_progress() can return
false and the sdma_engine can idle.  If that happens, there will be no
more sdma interrupts to cause the wakeup and the vnic_sdma xmit will hang.

Fix by moving the lock to enclose the sdma_progress() call.

Also, delete the tx_retry. The need for this was removed by:
commit bcad29137a97 ("IB/hfi1: Serve the most starved iowait entry first")

Fixes: 64551ede6cd1 ("IB/hfi1: VNIC SDMA support")
Reviewed-by: Gary Leshner <Gary.S.Leshner@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/hfi1/vnic_sdma.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/drivers/infiniband/hw/hfi1/vnic_sdma.c b/drivers/infiniband/hw/hfi1/vnic_sdma.c
index c3c96c5869ed4..718dcdef946ee 100644
--- a/drivers/infiniband/hw/hfi1/vnic_sdma.c
+++ b/drivers/infiniband/hw/hfi1/vnic_sdma.c
@@ -57,7 +57,6 @@
 
 #define HFI1_VNIC_TXREQ_NAME_LEN   32
 #define HFI1_VNIC_SDMA_DESC_WTRMRK 64
-#define HFI1_VNIC_SDMA_RETRY_COUNT 1
 
 /*
  * struct vnic_txreq - VNIC transmit descriptor
@@ -67,7 +66,6 @@
  * @pad: pad buffer
  * @plen: pad length
  * @pbc_val: pbc value
- * @retry_count: tx retry count
  */
 struct vnic_txreq {
 	struct sdma_txreq       txreq;
@@ -77,8 +75,6 @@ struct vnic_txreq {
 	unsigned char           pad[HFI1_VNIC_MAX_PAD];
 	u16                     plen;
 	__le64                  pbc_val;
-
-	u32                     retry_count;
 };
 
 static void vnic_sdma_complete(struct sdma_txreq *txreq,
@@ -196,7 +192,6 @@ int hfi1_vnic_send_dma(struct hfi1_devdata *dd, u8 q_idx,
 	ret = build_vnic_tx_desc(sde, tx, pbc);
 	if (unlikely(ret))
 		goto free_desc;
-	tx->retry_count = 0;
 
 	ret = sdma_send_txreq(sde, &vnic_sdma->wait, &tx->txreq,
 			      vnic_sdma->pkts_sent);
@@ -238,14 +233,14 @@ static int hfi1_vnic_sdma_sleep(struct sdma_engine *sde,
 	struct hfi1_vnic_sdma *vnic_sdma =
 		container_of(wait, struct hfi1_vnic_sdma, wait);
 	struct hfi1_ibdev *dev = &vnic_sdma->dd->verbs_dev;
-	struct vnic_txreq *tx = container_of(txreq, struct vnic_txreq, txreq);
 
-	if (sdma_progress(sde, seq, txreq))
-		if (tx->retry_count++ < HFI1_VNIC_SDMA_RETRY_COUNT)
-			return -EAGAIN;
+	write_seqlock(&dev->iowait_lock);
+	if (sdma_progress(sde, seq, txreq)) {
+		write_sequnlock(&dev->iowait_lock);
+		return -EAGAIN;
+	}
 
 	vnic_sdma->state = HFI1_VNIC_SDMA_Q_DEFERRED;
-	write_seqlock(&dev->iowait_lock);
 	if (list_empty(&vnic_sdma->wait.list))
 		iowait_queue(pkts_sent, wait, &sde->dmawait);
 	write_sequnlock(&dev->iowait_lock);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 114/267] mlx4: Use snprintf instead of complicated strcpy
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 113/267] IB/hfi1: Close VNIC sdma_progress sleep window Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 115/267] usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qian Cai, Leon Romanovsky,
	Jason Gunthorpe, Sasha Levin

From: Qian Cai <cai@gmx.us>

[ Upstream commit 0fbc9b8b4ea3f688a5da141a64f97aa33ad02ae9 ]

This fixes a compilation warning in sysfs.c

drivers/infiniband/hw/mlx4/sysfs.c:360:2: warning: 'strncpy' output may be
truncated copying 8 bytes from a string of length 31
[-Wstringop-truncation]

By eliminating the temporary stack buffer.

Signed-off-by: Qian Cai <cai@gmx.us>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/mlx4/sysfs.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx4/sysfs.c
index e219093d27645..d2da28d613f2c 100644
--- a/drivers/infiniband/hw/mlx4/sysfs.c
+++ b/drivers/infiniband/hw/mlx4/sysfs.c
@@ -353,16 +353,12 @@ err:
 
 static void get_name(struct mlx4_ib_dev *dev, char *name, int i, int max)
 {
-	char base_name[9];
-
-	/* pci_name format is: bus:dev:func -> xxxx:yy:zz.n */
-	strlcpy(name, pci_name(dev->dev->persist->pdev), max);
-	strncpy(base_name, name, 8); /*till xxxx:yy:*/
-	base_name[8] = '\0';
-	/* with no ARI only 3 last bits are used so when the fn is higher than 8
+	/* pci_name format is: bus:dev:func -> xxxx:yy:zz.n
+	 * with no ARI only 3 last bits are used so when the fn is higher than 8
 	 * need to add it to the dev num, so count in the last number will be
 	 * modulo 8 */
-	sprintf(name, "%s%.2d.%d", base_name, (i/8), (i%8));
+	snprintf(name, max, "%.8s%.2d.%d", pci_name(dev->dev->persist->pdev),
+		 i / 8, i % 8);
 }
 
 struct mlx4_port {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 115/267] usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 114/267] mlx4: Use snprintf instead of complicated strcpy Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 116/267] ARM: dts: sunxi: Fix PMU compatible strings Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chunfeng Yun, YueHaibing,
	Felipe Balbi, Sasha Levin

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit f770e3bc236ee954a3b4052bdf55739e26ee25db ]

Fixes gcc '-Wunused-but-set-variable' warning:

drivers/usb/mtu3/mtu3_qmu.c: In function 'qmu_tx_zlp_error_handler':
drivers/usb/mtu3/mtu3_qmu.c:385:22: warning:
 variable 'req' set but not used [-Wunused-but-set-variable]

It seems dbginfo original intention is print 'req' other than 'mreq'

Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/mtu3/mtu3_qmu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/mtu3/mtu3_qmu.c b/drivers/usb/mtu3/mtu3_qmu.c
index 7d9ba8a52368f..c87947fb26940 100644
--- a/drivers/usb/mtu3/mtu3_qmu.c
+++ b/drivers/usb/mtu3/mtu3_qmu.c
@@ -372,7 +372,7 @@ static void qmu_tx_zlp_error_handler(struct mtu3 *mtu, u8 epnum)
 		return;
 	}
 
-	dev_dbg(mtu->dev, "%s send ZLP for req=%p\n", __func__, mreq);
+	dev_dbg(mtu->dev, "%s send ZLP for req=%p\n", __func__, req);
 
 	mtu3_clrbits(mbase, MU3D_EP_TXCR0(mep->epnum), TX_DMAREQEN);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 116/267] ARM: dts: sunxi: Fix PMU compatible strings
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 115/267] usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 117/267] media: vimc: fix start stream when link is disabled Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Chen-Yu Tsai,
	Rob Herring, Will Deacon, Sasha Levin

From: Rob Herring <robh@kernel.org>

[ Upstream commit 5719ac19fc32d892434939c1756c2f9a8322e6ef ]

"arm,cortex-a15-pmu" is not a valid fallback compatible string for an
Cortex-A7 PMU, so drop it.

Cc: Maxime Ripard <maxime.ripard@bootlin.com>
Cc: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/sun6i-a31.dtsi | 2 +-
 arch/arm/boot/dts/sun7i-a20.dtsi | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/boot/dts/sun6i-a31.dtsi b/arch/arm/boot/dts/sun6i-a31.dtsi
index eef072a21acca..0bb82d0442a59 100644
--- a/arch/arm/boot/dts/sun6i-a31.dtsi
+++ b/arch/arm/boot/dts/sun6i-a31.dtsi
@@ -173,7 +173,7 @@
 	};
 
 	pmu {
-		compatible = "arm,cortex-a7-pmu", "arm,cortex-a15-pmu";
+		compatible = "arm,cortex-a7-pmu";
 		interrupts = <GIC_SPI 120 IRQ_TYPE_LEVEL_HIGH>,
 			     <GIC_SPI 121 IRQ_TYPE_LEVEL_HIGH>,
 			     <GIC_SPI 122 IRQ_TYPE_LEVEL_HIGH>,
diff --git a/arch/arm/boot/dts/sun7i-a20.dtsi b/arch/arm/boot/dts/sun7i-a20.dtsi
index 96bee776e1456..77f04dbdf9967 100644
--- a/arch/arm/boot/dts/sun7i-a20.dtsi
+++ b/arch/arm/boot/dts/sun7i-a20.dtsi
@@ -171,7 +171,7 @@
 	};
 
 	pmu {
-		compatible = "arm,cortex-a7-pmu", "arm,cortex-a15-pmu";
+		compatible = "arm,cortex-a7-pmu";
 		interrupts = <GIC_SPI 120 IRQ_TYPE_LEVEL_HIGH>,
 			     <GIC_SPI 121 IRQ_TYPE_LEVEL_HIGH>;
 	};
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 117/267] media: vimc: fix start stream when link is disabled
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 116/267] ARM: dts: sunxi: Fix PMU compatible strings Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 118/267] net: aquantia: fix RSS table and key sizes Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Helen Koike, Mauro Carvalho Chehab,
	Sasha Levin

From: Helen Fornazier <helen.koike@collabora.com>

[ Upstream commit e159b6074c82fe31b79aad672e02fa204dbbc6d8 ]

If link is disabled, media_entity_remote_pad returns NULL, causing a
NULL pointer deference.
Ignore links that are not enabled instead.

Signed-off-by: Helen Koike <helen.koike@collabora.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/vimc/vimc-common.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/platform/vimc/vimc-common.c b/drivers/media/platform/vimc/vimc-common.c
index 743554de724d8..a9ab3871ccda2 100644
--- a/drivers/media/platform/vimc/vimc-common.c
+++ b/drivers/media/platform/vimc/vimc-common.c
@@ -241,6 +241,8 @@ int vimc_pipeline_s_stream(struct media_entity *ent, int enable)
 
 		/* Start the stream in the subdevice direct connected */
 		pad = media_entity_remote_pad(&ent->pads[i]);
+		if (!pad)
+			continue;
 
 		if (!is_media_entity_v4l2_subdev(pad->entity))
 			return -EINVAL;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 118/267] net: aquantia: fix RSS table and key sizes
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 117/267] media: vimc: fix start stream when link is disabled Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 119/267] tcp: exit if nothing to retransmit on RTO timeout Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Bogdanov, Igor Russkikh,
	David S. Miller, Sasha Levin

From: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>

[ Upstream commit 474fb1150d40780e71f0b569aeac4f375df3af3d ]

Set RSS indirection table and RSS hash key sizes to their real size.

Signed-off-by: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/aquantia/atlantic/aq_cfg.h | 4 ++--
 drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_cfg.h b/drivers/net/ethernet/aquantia/atlantic/aq_cfg.h
index 57e796870595b..ea4b7e97c61ea 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_cfg.h
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_cfg.h
@@ -40,8 +40,8 @@
 #define AQ_CFG_IS_LRO_DEF           1U
 
 /* RSS */
-#define AQ_CFG_RSS_INDIRECTION_TABLE_MAX  128U
-#define AQ_CFG_RSS_HASHKEY_SIZE           320U
+#define AQ_CFG_RSS_INDIRECTION_TABLE_MAX  64U
+#define AQ_CFG_RSS_HASHKEY_SIZE           40U
 
 #define AQ_CFG_IS_RSS_DEF           1U
 #define AQ_CFG_NUM_RSS_QUEUES_DEF   AQ_CFG_VECS_DEF
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index cc658a29cc33e..a69f5f1ad32a8 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -43,7 +43,7 @@ static void aq_nic_rss_init(struct aq_nic_s *self, unsigned int num_rss_queues)
 	struct aq_rss_parameters *rss_params = &cfg->aq_rss;
 	int i = 0;
 
-	static u8 rss_key[40] = {
+	static u8 rss_key[AQ_CFG_RSS_HASHKEY_SIZE] = {
 		0x1e, 0xad, 0x71, 0x87, 0x65, 0xfc, 0x26, 0x7d,
 		0x0d, 0x45, 0x67, 0x74, 0xcd, 0x06, 0x1a, 0x18,
 		0xb6, 0xc1, 0xf0, 0xc7, 0xbb, 0x18, 0xbe, 0xf8,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 119/267] tcp: exit if nothing to retransmit on RTO timeout
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 118/267] net: aquantia: fix RSS table and key sizes Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 120/267] sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuchung Cheng, Eric Dumazet,
	Neal Cardwell, Soheil Hassas Yeganeh, David S. Miller

From: Eric Dumazet <edumazet@google.com>

Two upstream commits squashed together for v4.14 stable :

 commit 88f8598d0a302a08380eadefd09b9f5cb1c4c428 upstream.

  Previously TCP only warns if its RTO timer fires and the
  retransmission queue is empty, but it'll cause null pointer
  reference later on. It's better to avoid such catastrophic failure
  and simply exit with a warning.

Squashed with "tcp: refactor tcp_retransmit_timer()" :

 commit 0d580fbd2db084a5c96ee9c00492236a279d5e0f upstream.

  It appears linux-4.14 stable needs a backport of commit
  88f8598d0a30 ("tcp: exit if nothing to retransmit on RTO timeout")

  Since tcp_rtx_queue_empty() is not in pre 4.15 kernels,
  let's refactor tcp_retransmit_timer() to only use tcp_rtx_queue_head()

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_timer.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -413,6 +413,7 @@ void tcp_retransmit_timer(struct sock *s
 	struct tcp_sock *tp = tcp_sk(sk);
 	struct net *net = sock_net(sk);
 	struct inet_connection_sock *icsk = inet_csk(sk);
+	struct sk_buff *skb;
 
 	if (tp->fastopen_rsk) {
 		WARN_ON_ONCE(sk->sk_state != TCP_SYN_RECV &&
@@ -423,10 +424,13 @@ void tcp_retransmit_timer(struct sock *s
 		 */
 		return;
 	}
+
 	if (!tp->packets_out)
-		goto out;
+		return;
 
-	WARN_ON(tcp_write_queue_empty(sk));
+	skb = tcp_rtx_queue_head(sk);
+	if (WARN_ON_ONCE(!skb))
+		return;
 
 	tp->tlp_high_seq = 0;
 
@@ -459,7 +463,7 @@ void tcp_retransmit_timer(struct sock *s
 			goto out;
 		}
 		tcp_enter_loss(sk);
-		tcp_retransmit_skb(sk, tcp_write_queue_head(sk), 1);
+		tcp_retransmit_skb(sk, skb, 1);
 		__sk_dst_reset(sk);
 		goto out_reset_timer;
 	}



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 120/267] sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 119/267] tcp: exit if nothing to retransmit on RTO timeout Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 121/267] fuse: verify nlink Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Auld, Xuewei Zhang,
	Peter Zijlstra (Intel),
	Anton Blanchard, Ben Segall, Dietmar Eggemann, Juri Lelli,
	Linus Torvalds, Mel Gorman, Steven Rostedt, Thomas Gleixner,
	Vincent Guittot, Ingo Molnar

From: Xuewei Zhang <xueweiz@google.com>

commit 4929a4e6faa0f13289a67cae98139e727f0d4a97 upstream.

The quota/period ratio is used to ensure a child task group won't get
more bandwidth than the parent task group, and is calculated as:

  normalized_cfs_quota() = [(quota_us << 20) / period_us]

If the quota/period ratio was changed during this scaling due to
precision loss, it will cause inconsistency between parent and child
task groups.

See below example:

A userspace container manager (kubelet) does three operations:

 1) Create a parent cgroup, set quota to 1,000us and period to 10,000us.
 2) Create a few children cgroups.
 3) Set quota to 1,000us and period to 10,000us on a child cgroup.

These operations are expected to succeed. However, if the scaling of
147/128 happens before step 3, quota and period of the parent cgroup
will be changed:

  new_quota: 1148437ns,   1148us
 new_period: 11484375ns, 11484us

And when step 3 comes in, the ratio of the child cgroup will be
104857, which will be larger than the parent cgroup ratio (104821),
and will fail.

Scaling them by a factor of 2 will fix the problem.

Tested-by: Phil Auld <pauld@redhat.com>
Signed-off-by: Xuewei Zhang <xueweiz@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Phil Auld <pauld@redhat.com>
Cc: Anton Blanchard <anton@ozlabs.org>
Cc: Ben Segall <bsegall@google.com>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Fixes: 2e8e19226398 ("sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup")
Link: https://lkml.kernel.org/r/20191004001243.140897-1-xueweiz@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 kernel/sched/fair.c |   34 +++++++++++++++++++++-------------
 1 file changed, 21 insertions(+), 13 deletions(-)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -4655,20 +4655,28 @@ static enum hrtimer_restart sched_cfs_pe
 		if (++count > 3) {
 			u64 new, old = ktime_to_ns(cfs_b->period);
 
-			new = (old * 147) / 128; /* ~115% */
-			new = min(new, max_cfs_quota_period);
+			/*
+			 * Grow period by a factor of 2 to avoid losing precision.
+			 * Precision loss in the quota/period ratio can cause __cfs_schedulable
+			 * to fail.
+			 */
+			new = old * 2;
+			if (new < max_cfs_quota_period) {
+				cfs_b->period = ns_to_ktime(new);
+				cfs_b->quota *= 2;
 
-			cfs_b->period = ns_to_ktime(new);
-
-			/* since max is 1s, this is limited to 1e9^2, which fits in u64 */
-			cfs_b->quota *= new;
-			cfs_b->quota = div64_u64(cfs_b->quota, old);
-
-			pr_warn_ratelimited(
-        "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n",
-	                        smp_processor_id(),
-	                        div_u64(new, NSEC_PER_USEC),
-                                div_u64(cfs_b->quota, NSEC_PER_USEC));
+				pr_warn_ratelimited(
+	"cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us = %lld, cfs_quota_us = %lld)\n",
+					smp_processor_id(),
+					div_u64(new, NSEC_PER_USEC),
+					div_u64(cfs_b->quota, NSEC_PER_USEC));
+			} else {
+				pr_warn_ratelimited(
+	"cfs_period_timer[cpu%d]: period too short, but cannot scale up without losing precision (cfs_period_us = %lld, cfs_quota_us = %lld)\n",
+					smp_processor_id(),
+					div_u64(old, NSEC_PER_USEC),
+					div_u64(cfs_b->quota, NSEC_PER_USEC));
+			}
 
 			/* reset count so we don't come right back in here */
 			count = 0;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 121/267] fuse: verify nlink
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 120/267] sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 122/267] fuse: verify attributes Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit c634da718db9b2fac201df2ae1b1b095344ce5eb upstream.

When adding a new hard link, make sure that i_nlink doesn't overflow.

Fixes: ac45d61357e8 ("fuse: fix nlink after unlink")
Cc: <stable@vger.kernel.org> # v3.4
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dir.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -830,7 +830,8 @@ static int fuse_link(struct dentry *entr
 
 		spin_lock(&fc->lock);
 		fi->attr_version = ++fc->attr_version;
-		inc_nlink(inode);
+		if (likely(inode->i_nlink < UINT_MAX))
+			inc_nlink(inode);
 		spin_unlock(&fc->lock);
 		fuse_invalidate_attr(inode);
 		fuse_update_ctime(inode);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 122/267] fuse: verify attributes
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 121/267] fuse: verify nlink Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 123/267] ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arijit Banerjee, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 upstream.

If a filesystem returns negative inode sizes, future reads on the file were
causing the cpu to spin on truncate_pagecache.

Create a helper to validate the attributes.  This now does two things:

 - check the file mode
 - check if the file size fits in i_size without overflowing

Reported-by: Arijit Banerjee <arijit@rubrik.com>
Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
Cc: <stable@vger.kernel.org> # v2.6.14
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dir.c    |   24 +++++++++++++++++-------
 fs/fuse/fuse_i.h |    2 ++
 2 files changed, 19 insertions(+), 7 deletions(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -234,7 +234,8 @@ static int fuse_dentry_revalidate(struct
 		kfree(forget);
 		if (ret == -ENOMEM)
 			goto out;
-		if (ret || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
+		if (ret || fuse_invalid_attr(&outarg.attr) ||
+		    (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
 			goto invalid;
 
 		forget_all_cached_acls(inode);
@@ -297,6 +298,12 @@ int fuse_valid_type(int m)
 		S_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m);
 }
 
+bool fuse_invalid_attr(struct fuse_attr *attr)
+{
+	return !fuse_valid_type(attr->mode) ||
+		attr->size > LLONG_MAX;
+}
+
 int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name,
 		     struct fuse_entry_out *outarg, struct inode **inode)
 {
@@ -328,7 +335,7 @@ int fuse_lookup_name(struct super_block
 	err = -EIO;
 	if (!outarg->nodeid)
 		goto out_put_forget;
-	if (!fuse_valid_type(outarg->attr.mode))
+	if (fuse_invalid_attr(&outarg->attr))
 		goto out_put_forget;
 
 	*inode = fuse_iget(sb, outarg->nodeid, outarg->generation,
@@ -451,7 +458,8 @@ static int fuse_create_open(struct inode
 		goto out_free_ff;
 
 	err = -EIO;
-	if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid))
+	if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid) ||
+	    fuse_invalid_attr(&outentry.attr))
 		goto out_free_ff;
 
 	ff->fh = outopen.fh;
@@ -557,7 +565,7 @@ static int create_new_entry(struct fuse_
 		goto out_put_forget_req;
 
 	err = -EIO;
-	if (invalid_nodeid(outarg.nodeid))
+	if (invalid_nodeid(outarg.nodeid) || fuse_invalid_attr(&outarg.attr))
 		goto out_put_forget_req;
 
 	if ((outarg.attr.mode ^ mode) & S_IFMT)
@@ -911,7 +919,8 @@ static int fuse_do_getattr(struct inode
 	args.out.args[0].value = &outarg;
 	err = fuse_simple_request(fc, &args);
 	if (!err) {
-		if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
+		if (fuse_invalid_attr(&outarg.attr) ||
+		    (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
 			make_bad_inode(inode);
 			err = -EIO;
 		} else {
@@ -1215,7 +1224,7 @@ static int fuse_direntplus_link(struct f
 
 	if (invalid_nodeid(o->nodeid))
 		return -EIO;
-	if (!fuse_valid_type(o->attr.mode))
+	if (fuse_invalid_attr(&o->attr))
 		return -EIO;
 
 	fc = get_fuse_conn(dir);
@@ -1692,7 +1701,8 @@ int fuse_do_setattr(struct dentry *dentr
 		goto error;
 	}
 
-	if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
+	if (fuse_invalid_attr(&outarg.attr) ||
+	    (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
 		make_bad_inode(inode);
 		err = -EIO;
 		goto error;
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -896,6 +896,8 @@ void fuse_ctl_remove_conn(struct fuse_co
  */
 int fuse_valid_type(int m);
 
+bool fuse_invalid_attr(struct fuse_attr *attr);
+
 /**
  * Is current process allowed to perform filesystem operation?
  */



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 123/267] ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 122/267] fuse: verify attributes Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 124/267] ALSA: pcm: oss: Avoid potential buffer overflows Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit e1e8c1fdce8b00fce08784d9d738c60ebf598ebc upstream.

headphone have noise even the volume is very small.
Let it fill up pcbeep hidden register to default value.
The issue was gone.

Fixes: 4344aec84bd8 ("ALSA: hda/realtek - New codec support for ALC256")
Fixes: 736f20a70608 ("ALSA: hda/realtek - Add support for ALC236/ALC3204")
Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/9ae47f23a64d4e41a9c81e263cd8a250@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -333,9 +333,7 @@ static void alc_fill_eapd_coef(struct hd
 	case 0x10ec0215:
 	case 0x10ec0233:
 	case 0x10ec0235:
-	case 0x10ec0236:
 	case 0x10ec0255:
-	case 0x10ec0256:
 	case 0x10ec0257:
 	case 0x10ec0282:
 	case 0x10ec0283:
@@ -347,6 +345,11 @@ static void alc_fill_eapd_coef(struct hd
 	case 0x10ec0300:
 		alc_update_coef_idx(codec, 0x10, 1<<9, 0);
 		break;
+	case 0x10ec0236:
+	case 0x10ec0256:
+		alc_write_coef_idx(codec, 0x36, 0x5757);
+		alc_update_coef_idx(codec, 0x10, 1<<9, 0);
+		break;
 	case 0x10ec0275:
 		alc_update_coef_idx(codec, 0xe, 0, 1<<0);
 		break;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 124/267] ALSA: pcm: oss: Avoid potential buffer overflows
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 123/267] ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 125/267] ALSA: hda - Add mute led support for HP ProBook 645 G4 Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+f153bde47a62e0b05f83, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

syzkaller reported an invalid access in PCM OSS read, and this seems
to be an overflow of the internal buffer allocated for a plugin.
Since the rate plugin adjusts its transfer size dynamically, the
calculation for the chained plugin might be bigger than the given
buffer size in some extreme cases, which lead to such an buffer
overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against
the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/oss/linear.c |    2 ++
 sound/core/oss/mulaw.c  |    2 ++
 sound/core/oss/route.c  |    2 ++
 3 files changed, 6 insertions(+)

--- a/sound/core/oss/linear.c
+++ b/sound/core/oss/linear.c
@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer
 		}
 	}
 #endif
+	if (frames > dst_channels[0].frames)
+		frames = dst_channels[0].frames;
 	convert(plugin, src_channels, dst_channels, frames);
 	return frames;
 }
--- a/sound/core/oss/mulaw.c
+++ b/sound/core/oss/mulaw.c
@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer(
 		}
 	}
 #endif
+	if (frames > dst_channels[0].frames)
+		frames = dst_channels[0].frames;
 	data = (struct mulaw_priv *)plugin->extra_data;
 	data->func(plugin, src_channels, dst_channels, frames);
 	return frames;
--- a/sound/core/oss/route.c
+++ b/sound/core/oss/route.c
@@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer(
 		return -ENXIO;
 	if (frames == 0)
 		return 0;
+	if (frames > dst_channels[0].frames)
+		frames = dst_channels[0].frames;
 
 	nsrcs = plugin->src_format.channels;
 	ndsts = plugin->dst_format.channels;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 125/267] ALSA: hda - Add mute led support for HP ProBook 645 G4
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 124/267] ALSA: pcm: oss: Avoid potential buffer overflows Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 126/267] Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Takashi Iwai

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit e190de6941db14813032af87873f5550ad5764fe upstream.

Mic mute led does not work on HP ProBook 645 G4.
We can use CXT_FIXUP_MUTE_LED_GPIO fixup to support it.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191120082035.18937-1-kai.heng.feng@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_conexant.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -960,6 +960,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x103c, 0x837f, "HP ProBook 470 G5", CXT_FIXUP_MUTE_LED_GPIO),
 	SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x103c, 0x8402, "HP ProBook 645 G4", CXT_FIXUP_MUTE_LED_GPIO),
 	SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 126/267] Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 125/267] ALSA: hda - Add mute led support for HP ProBook 645 G4 Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 127/267] Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Dmitry Torokhov

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit fc1156f373e3927e0dcf06678906c367588bfdd6 upstream.

Some Lenovo X1 Carbon Gen 6 laptops report LEN0091. Add this
to the smbus_pnp_ids list.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191119105118.54285-2-hverkuil-cisco@xs4all.nl
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/synaptics.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -175,6 +175,7 @@ static const char * const smbus_pnp_ids[
 	"LEN0071", /* T480 */
 	"LEN0072", /* X1 Carbon Gen 5 (2017) - Elan/ALPS trackpoint */
 	"LEN0073", /* X1 Carbon G5 (Elantech) */
+	"LEN0091", /* X1 Carbon 6 */
 	"LEN0092", /* X1 Carbon 6 */
 	"LEN0093", /* T480 */
 	"LEN0096", /* X280 */



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 127/267] Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 126/267] Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 128/267] Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lucas Stach, Dmitry Torokhov

From: Lucas Stach <l.stach@pengutronix.de>

commit 86bcd3a12999447faad60ec59c2d64d18d8e61ac upstream.

F34 is a bit special as it reinitializes the device and related driver
structs during the firmware update. This clears the fn_irq_mask which
will then prevent F34 from receiving further interrupts, leading to
timeouts during the firmware update. Make sure to reinitialize the
IRQ enables at the appropriate times.

The issue is in F34 code, but the commit in the fixes tag exposed the
issue, as before this commit things would work by accident.

Fixes: 363c53875aef (Input: synaptics-rmi4 - avoid processing unknown IRQs)
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Link: https://lore.kernel.org/r/20191129133514.23224-1-l.stach@pengutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/rmi4/rmi_f34v7.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/input/rmi4/rmi_f34v7.c
+++ b/drivers/input/rmi4/rmi_f34v7.c
@@ -1192,6 +1192,9 @@ int rmi_f34v7_do_reflash(struct f34_data
 {
 	int ret;
 
+	f34->fn->rmi_dev->driver->set_irq_bits(f34->fn->rmi_dev,
+					       f34->fn->irq_mask);
+
 	rmi_f34v7_read_queries_bl_version(f34);
 
 	f34->v7.image = fw->data;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 128/267] Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 127/267] Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 129/267] Input: goodix - add upside-down quirk for Teclast X89 tablet Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Dmitry Torokhov

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit a284e11c371e446371675668d8c8120a27227339 upstream.

This increment of rmi_smbus in rmi_smb_read/write_block() causes
garbage to be read/written.

The first read of SMB_MAX_COUNT bytes is fine, but after that
it is nonsense. Trial-and-error showed that by dropping the
increment of rmiaddr everything is fine and the F54 function
properly works.

I tried a hack with rmi_smb_write_block() as well (writing to the
same F54 touchpad data area, then reading it back), and that
suggests that there too the rmiaddr increment has to be dropped.
It makes sense that if it has to be dropped for read, then it has
to be dropped for write as well.

It looks like the initial work with F54 was done using i2c, not smbus,
and it seems nobody ever tested F54 with smbus. The other functions
all read/write less than SMB_MAX_COUNT as far as I can tell, so this
issue was never noticed with non-F54 functions.

With this change I can read out the touchpad data correctly on my
Lenovo X1 Carbon 6th Gen laptop.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Link: https://lore.kernel.org/r/8dd22e21-4933-8e9c-a696-d281872c8de7@xs4all.nl
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/rmi4/rmi_smbus.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/input/rmi4/rmi_smbus.c
+++ b/drivers/input/rmi4/rmi_smbus.c
@@ -166,7 +166,6 @@ static int rmi_smb_write_block(struct rm
 		/* prepare to write next block of bytes */
 		cur_len -= SMB_MAX_COUNT;
 		databuff += SMB_MAX_COUNT;
-		rmiaddr += SMB_MAX_COUNT;
 	}
 exit:
 	mutex_unlock(&rmi_smb->page_mutex);
@@ -218,7 +217,6 @@ static int rmi_smb_read_block(struct rmi
 		/* prepare to read next block of bytes */
 		cur_len -= SMB_MAX_COUNT;
 		databuff += SMB_MAX_COUNT;
-		rmiaddr += SMB_MAX_COUNT;
 	}
 
 	retval = 0;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 129/267] Input: goodix - add upside-down quirk for Teclast X89 tablet
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 128/267] Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 130/267] coresight: etm4x: Fix input validation for sysfs Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Bastien Nocera,
	Dmitry Torokhov

From: Hans de Goede <hdegoede@redhat.com>

commit df5b5e555b356662a5e4a23c6774fdfce8547d54 upstream.

The touchscreen on the Teclast X89 is mounted upside down in relation to
the display orientation (the touchscreen itself is mounted upright, but the
display is mounted upside-down). Add a quirk for this so that we send
coordinates which match the display orientation.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Bastien Nocera <hadess@hadess.net>
Link: https://lore.kernel.org/r/20191202085636.6650-1-hdegoede@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/touchscreen/goodix.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/input/touchscreen/goodix.c
+++ b/drivers/input/touchscreen/goodix.c
@@ -93,6 +93,15 @@ static const unsigned long goodix_irq_fl
 static const struct dmi_system_id rotated_screen[] = {
 #if defined(CONFIG_DMI) && defined(CONFIG_X86)
 	{
+		.ident = "Teclast X89",
+		.matches = {
+			/* tPAD is too generic, also match on bios date */
+			DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"),
+			DMI_MATCH(DMI_BOARD_NAME, "tPAD"),
+			DMI_MATCH(DMI_BIOS_DATE, "12/19/2014"),
+		},
+	},
+	{
 		.ident = "WinBook TW100",
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "WinBook"),



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 130/267] coresight: etm4x: Fix input validation for sysfs.
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 129/267] Input: goodix - add upside-down quirk for Teclast X89 tablet Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 131/267] Input: Fix memory leak in psxpad_spi_probe Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leo Yan, Mathieu Poirier, Mike Leach

From: Mike Leach <mike.leach@linaro.org>

commit 2fe6899e36aa174abefd017887f9cfe0cb60c43a upstream.

A number of issues are fixed relating to sysfs input validation:-

1) bb_ctrl_store() - incorrect compare of bit select field to absolute
value. Reworked per ETMv4 specification.
2) seq_event_store() - incorrect mask value - register has two
event values.
3) cyc_threshold_store() - must mask with max before checking min
otherwise wrapped values can set illegal value below min.
4) res_ctrl_store() - update to mask off all res0 bits.

Reviewed-by: Leo Yan <leo.yan@linaro.org>
Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Mike Leach <mike.leach@linaro.org>
Fixes: a77de2637c9eb ("coresight: etm4x: moving sysFS entries to a dedicated file")
Cc: stable <stable@vger.kernel.org> # 4.9+
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20191104181251.26732-6-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/coresight/coresight-etm4x-sysfs.c |   21 ++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
@@ -667,10 +667,13 @@ static ssize_t cyc_threshold_store(struc
 
 	if (kstrtoul(buf, 16, &val))
 		return -EINVAL;
+
+	/* mask off max threshold before checking min value */
+	val &= ETM_CYC_THRESHOLD_MASK;
 	if (val < drvdata->ccitmin)
 		return -EINVAL;
 
-	config->ccctlr = val & ETM_CYC_THRESHOLD_MASK;
+	config->ccctlr = val;
 	return size;
 }
 static DEVICE_ATTR_RW(cyc_threshold);
@@ -701,14 +704,16 @@ static ssize_t bb_ctrl_store(struct devi
 		return -EINVAL;
 	if (!drvdata->nr_addr_cmp)
 		return -EINVAL;
+
 	/*
-	 * Bit[7:0] selects which address range comparator is used for
-	 * branch broadcast control.
+	 * Bit[8] controls include(1) / exclude(0), bits[0-7] select
+	 * individual range comparators. If include then at least 1
+	 * range must be selected.
 	 */
-	if (BMVAL(val, 0, 7) > drvdata->nr_addr_cmp)
+	if ((val & BIT(8)) && (BMVAL(val, 0, 7) == 0))
 		return -EINVAL;
 
-	config->bb_ctrl = val;
+	config->bb_ctrl = val & GENMASK(8, 0);
 	return size;
 }
 static DEVICE_ATTR_RW(bb_ctrl);
@@ -1341,8 +1346,8 @@ static ssize_t seq_event_store(struct de
 
 	spin_lock(&drvdata->spinlock);
 	idx = config->seq_idx;
-	/* RST, bits[7:0] */
-	config->seq_ctrl[idx] = val & 0xFF;
+	/* Seq control has two masks B[15:8] F[7:0] */
+	config->seq_ctrl[idx] = val & 0xFFFF;
 	spin_unlock(&drvdata->spinlock);
 	return size;
 }
@@ -1597,7 +1602,7 @@ static ssize_t res_ctrl_store(struct dev
 	if (idx % 2 != 0)
 		/* PAIRINV, bit[21] */
 		val &= ~BIT(21);
-	config->res_ctrl[idx] = val;
+	config->res_ctrl[idx] = val & GENMASK(21, 0);
 	spin_unlock(&drvdata->spinlock);
 	return size;
 }



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 131/267] Input: Fix memory leak in psxpad_spi_probe
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 130/267] coresight: etm4x: Fix input validation for sysfs Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 132/267] x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, emamd001, Navid Emamdoost, Dmitry Torokhov

From: Navid Emamdoost <navid.emamdoost@gmail.com>

In the implementation of psxpad_spi_probe() the allocated memory for
pdev is leaked if psxpad_spi_init_ff() or input_register_polled_device()
fail. The solution is using device managed allocation, like the one used
for pad. Perform the allocation using
devm_input_allocate_polled_device().

Fixes: 8be193c7b1f4 ("Input: add support for PlayStation 1/2 joypads connected via SPI")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/joystick/psxpad-spi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/joystick/psxpad-spi.c
+++ b/drivers/input/joystick/psxpad-spi.c
@@ -292,7 +292,7 @@ static int psxpad_spi_probe(struct spi_d
 	if (!pad)
 		return -ENOMEM;
 
-	pdev = input_allocate_polled_device();
+	pdev = devm_input_allocate_polled_device(&spi->dev);
 	if (!pdev) {
 		dev_err(&spi->dev, "failed to allocate input device\n");
 		return -ENOMEM;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 132/267] x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 131/267] Input: Fix memory leak in psxpad_spi_probe Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 133/267] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Bjorn Helgaas

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream.

The AMD FCH USB XHCI Controller advertises support for generating PME#
while in D0.  When in D0, it does signal PME# for USB 3.0 connect events,
but not for USB 2.0 or USB 1.1 connect events, which means the controller
doesn't wake correctly for those events.

  00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI])
        Subsystem: Dell FCH USB XHCI Controller [1028:087e]
        Capabilities: [50] Power Management version 3
                Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)

Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not
assert PME# from D0 so we don't rely on it.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673
Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.com
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/pci/fixup.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -589,6 +589,17 @@ static void pci_fixup_amd_ehci_pme(struc
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x7808, pci_fixup_amd_ehci_pme);
 
 /*
+ * Device [1022:7914]
+ * When in D0, PME# doesn't get asserted when plugging USB 2.0 device.
+ */
+static void pci_fixup_amd_fch_xhci_pme(struct pci_dev *dev)
+{
+	dev_info(&dev->dev, "PME# does not work under D0, disabling it\n");
+	dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT);
+}
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x7914, pci_fixup_amd_fch_xhci_pme);
+
+/*
  * Apple MacBook Pro: Avoid [mem 0x7fa00000-0x7fbfffff]
  *
  * Using the [mem 0x7fa00000-0x7fbfffff] region, e.g., by assigning it to



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 133/267] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 132/267] x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 134/267] CIFS: Fix SMB2 oplock break processing Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Shilovsky, Aurelien Aptel,
	Steve French

From: Pavel Shilovsky <pshilov@microsoft.com>

commit 6f582b273ec23332074d970a7fb25bef835df71f upstream.

Currently when the client creates a cifsFileInfo structure for
a newly opened file, it allocates a list of byte-range locks
with a pointer to the new cfile and attaches this list to the
inode's lock list. The latter happens before initializing all
other fields, e.g. cfile->tlink. Thus a partially initialized
cifsFileInfo structure becomes available to other threads that
walk through the inode's lock list. One example of such a thread
may be an oplock break worker thread that tries to push all
cached byte-range locks. This causes NULL-pointer dereference
in smb2_push_mandatory_locks() when accessing cfile->tlink:

[598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038
...
[598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
[598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
...
[598428.945834] Call Trace:
[598428.945870]  ? cifs_revalidate_mapping+0x45/0x90 [cifs]
[598428.945901]  cifs_oplock_break+0x13d/0x450 [cifs]
[598428.945909]  process_one_work+0x1db/0x380
[598428.945914]  worker_thread+0x4d/0x400
[598428.945921]  kthread+0x104/0x140
[598428.945925]  ? process_one_work+0x380/0x380
[598428.945931]  ? kthread_park+0x80/0x80
[598428.945937]  ret_from_fork+0x35/0x40

Fix this by reordering initialization steps of the cifsFileInfo
structure: initialize all the fields first and then add the new
byte-range lock list to the inode's lock list.

Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/file.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -312,9 +312,6 @@ cifs_new_fileinfo(struct cifs_fid *fid,
 	INIT_LIST_HEAD(&fdlocks->locks);
 	fdlocks->cfile = cfile;
 	cfile->llist = fdlocks;
-	cifs_down_write(&cinode->lock_sem);
-	list_add(&fdlocks->llist, &cinode->llist);
-	up_write(&cinode->lock_sem);
 
 	cfile->count = 1;
 	cfile->pid = current->tgid;
@@ -338,6 +335,10 @@ cifs_new_fileinfo(struct cifs_fid *fid,
 		oplock = 0;
 	}
 
+	cifs_down_write(&cinode->lock_sem);
+	list_add(&fdlocks->llist, &cinode->llist);
+	up_write(&cinode->lock_sem);
+
 	spin_lock(&tcon->open_file_lock);
 	if (fid->pending_open->oplock != CIFS_OPLOCK_NO_CHANGE && oplock)
 		oplock = fid->pending_open->oplock;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 134/267] CIFS: Fix SMB2 oplock break processing
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 133/267] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 135/267] tty: vt: keyboard: reject invalid keycodes Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Shilovsky, Steve French

From: Pavel Shilovsky <pshilov@microsoft.com>

commit fa9c2362497fbd64788063288dc4e74daf977ebb upstream.

Even when mounting modern protocol version the server may be
configured without supporting SMB2.1 leases and the client
uses SMB2 oplock to optimize IO performance through local caching.

However there is a problem in oplock break handling that leads
to missing a break notification on the client who has a file
opened. It latter causes big latencies to other clients that
are trying to open the same file.

The problem reproduces when there are multiple shares from the
same server mounted on the client. The processing code tries to
match persistent and volatile file ids from the break notification
with an open file but it skips all share besides the first one.
Fix this by looking up in all shares belonging to the server that
issued the oplock break.

Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2misc.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -622,10 +622,10 @@ smb2_is_valid_oplock_break(char *buffer,
 	spin_lock(&cifs_tcp_ses_lock);
 	list_for_each(tmp, &server->smb_ses_list) {
 		ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
+
 		list_for_each(tmp1, &ses->tcon_list) {
 			tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
 
-			cifs_stats_inc(&tcon->stats.cifs_stats.num_oplock_brks);
 			spin_lock(&tcon->open_file_lock);
 			list_for_each(tmp2, &tcon->openFileList) {
 				cfile = list_entry(tmp2, struct cifsFileInfo,
@@ -637,6 +637,8 @@ smb2_is_valid_oplock_break(char *buffer,
 					continue;
 
 				cifs_dbg(FYI, "file id match, oplock break\n");
+				cifs_stats_inc(
+				    &tcon->stats.cifs_stats.num_oplock_brks);
 				cinode = CIFS_I(d_inode(cfile->dentry));
 				spin_lock(&cfile->file_info_lock);
 				if (!CIFS_CACHE_WRITE(cinode) &&
@@ -669,9 +671,6 @@ smb2_is_valid_oplock_break(char *buffer,
 				return true;
 			}
 			spin_unlock(&tcon->open_file_lock);
-			spin_unlock(&cifs_tcp_ses_lock);
-			cifs_dbg(FYI, "No matching file for oplock break\n");
-			return true;
 		}
 	}
 	spin_unlock(&cifs_tcp_ses_lock);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 135/267] tty: vt: keyboard: reject invalid keycodes
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 134/267] CIFS: Fix SMB2 oplock break processing Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 136/267] can: slcan: Fix use-after-free Read in slcan_open Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+19340dff067c2d3835c0, Dmitry Torokhov

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.

Do not try to handle keycodes that are too big, otherwise we risk doing
out-of-bounds writes:

BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
...
 kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
 kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
 input_pass_values drivers/input/input.c:949 [inline]
 input_set_keycode+0x290/0x320 drivers/input/input.c:954
 evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
 evdev_do_ioctl drivers/input/evdev.c:1150 [inline]

In this case we were dealing with a fuzzed HID device that declared over
12K buttons, and while HID layer should not be reporting to us such big
keycodes, we should also be defensive and reject invalid data ourselves as
well.

Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/keyboard.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -1460,7 +1460,7 @@ static void kbd_event(struct input_handl
 
 	if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev))
 		kbd_rawcode(value);
-	if (event_type == EV_KEY)
+	if (event_type == EV_KEY && event_code <= KEY_MAX)
 		kbd_keycode(event_code, value, HW_RAW(handle->dev));
 
 	spin_unlock(&kbd_event_lock);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 136/267] can: slcan: Fix use-after-free Read in slcan_open
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 135/267] tty: vt: keyboard: reject invalid keycodes Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 137/267] kernfs: fix ino wrap-around detection Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wolfgang Grandegger,
	Marc Kleine-Budde, David Miller, Oliver Hartkopp, Lukas Bulwahn,
	Jouni Hogander

From: Jouni Hogander <jouni.hogander@unikie.com>

commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.

Slcan_open doesn't clean-up device which registration failed from the
slcan_devs device list. On next open this list is iterated and freed
device is accessed. Fix this by calling slc_free_netdev in error path.

Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
trace from the Syzbot slip report:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: David Miller <davem@davemloft.net>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/slcan.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -613,6 +613,7 @@ err_free_chan:
 	sl->tty = NULL;
 	tty->disc_data = NULL;
 	clear_bit(SLF_INUSE, &sl->flags);
+	slc_free_netdev(sl->dev);
 	free_netdev(sl->dev);
 
 err_exit:



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 137/267] kernfs: fix ino wrap-around detection
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 136/267] can: slcan: Fix use-after-free Read in slcan_open Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 138/267] jbd2: Fix possible overflow in jbd2_log_space_left() Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tejun Heo, Namhyung Kim

From: Tejun Heo <tj@kernel.org>

commit e23f568aa63f64cd6b355094224cc9356c0f696b upstream.

When the 32bit ino wraps around, kernfs increments the generation
number to distinguish reused ino instances.  The wrap-around detection
tests whether the allocated ino is lower than what the cursor but the
cursor is pointing to the next ino to allocate so the condition never
triggers.

Fix it by remembering the last ino and comparing against that.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: 4a3ef68acacf ("kernfs: implement i_generation")
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/kernfs/dir.c        |    5 ++---
 include/linux/kernfs.h |    1 +
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -623,7 +623,6 @@ static struct kernfs_node *__kernfs_new_
 {
 	struct kernfs_node *kn;
 	u32 gen;
-	int cursor;
 	int ret;
 
 	name = kstrdup_const(name, GFP_KERNEL);
@@ -636,11 +635,11 @@ static struct kernfs_node *__kernfs_new_
 
 	idr_preload(GFP_KERNEL);
 	spin_lock(&kernfs_idr_lock);
-	cursor = idr_get_cursor(&root->ino_idr);
 	ret = idr_alloc_cyclic(&root->ino_idr, kn, 1, 0, GFP_ATOMIC);
-	if (ret >= 0 && ret < cursor)
+	if (ret >= 0 && ret < root->last_ino)
 		root->next_generation++;
 	gen = root->next_generation;
+	root->last_ino = ret;
 	spin_unlock(&kernfs_idr_lock);
 	idr_preload_end();
 	if (ret < 0)
--- a/include/linux/kernfs.h
+++ b/include/linux/kernfs.h
@@ -185,6 +185,7 @@ struct kernfs_root {
 
 	/* private fields, do not use outside kernfs proper */
 	struct idr		ino_idr;
+	u32			last_ino;
 	u32			next_generation;
 	struct kernfs_syscall_ops *syscall_ops;
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 138/267] jbd2: Fix possible overflow in jbd2_log_space_left()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 137/267] kernfs: fix ino wrap-around detection Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 139/267] drm/i810: Prevent underflow in ioctl Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Theodore Tso, Jan Kara

From: Jan Kara <jack@suse.cz>

commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream.

When number of free space in the journal is very low, the arithmetic in
jbd2_log_space_left() could underflow resulting in very high number of
free blocks and thus triggering assertion failure in transaction commit
code complaining there's not enough space in the journal:

J_ASSERT(journal->j_free > 1);

Properly check for the low number of free blocks.

CC: stable@vger.kernel.org
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/jbd2.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/jbd2.h
+++ b/include/linux/jbd2.h
@@ -1584,7 +1584,7 @@ static inline int jbd2_space_needed(jour
 static inline unsigned long jbd2_log_space_left(journal_t *journal)
 {
 	/* Allow for rounding errors */
-	unsigned long free = journal->j_free - 32;
+	long free = journal->j_free - 32;
 
 	if (journal->j_committing_transaction) {
 		unsigned long committing = atomic_read(&journal->
@@ -1593,7 +1593,7 @@ static inline unsigned long jbd2_log_spa
 		/* Transaction + control blocks */
 		free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT);
 	}
-	return free;
+	return max_t(long, free, 0);
 }
 
 /*



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 139/267] drm/i810: Prevent underflow in ioctl
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 138/267] jbd2: Fix possible overflow in jbd2_log_space_left() Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 140/267] KVM: arm/arm64: vgic: Dont rely on the wrong pending table Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Chris Wilson

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream.

The "used" variables here come from the user in the ioctl and it can be
negative.  It could result in an out of bounds write.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i810/i810_dma.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i810/i810_dma.c
+++ b/drivers/gpu/drm/i810/i810_dma.c
@@ -721,7 +721,7 @@ static void i810_dma_dispatch_vertex(str
 	if (nbox > I810_NR_SAREA_CLIPRECTS)
 		nbox = I810_NR_SAREA_CLIPRECTS;
 
-	if (used > 4 * 1024)
+	if (used < 0 || used > 4 * 1024)
 		used = 0;
 
 	if (sarea_priv->dirty)
@@ -1041,7 +1041,7 @@ static void i810_dma_dispatch_mc(struct
 	if (u != I810_BUF_CLIENT)
 		DRM_DEBUG("MC found buffer that isn't mine!\n");
 
-	if (used > 4 * 1024)
+	if (used < 0 || used > 4 * 1024)
 		used = 0;
 
 	sarea_priv->dirty = 0x7f;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 140/267] KVM: arm/arm64: vgic: Dont rely on the wrong pending table
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 139/267] drm/i810: Prevent underflow in ioctl Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 141/267] KVM: x86: do not modify masked bits of shared MSRs Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zenghui Yu, Marc Zyngier, Eric Auger

From: Zenghui Yu <yuzenghui@huawei.com>

commit ca185b260951d3b55108c0b95e188682d8a507b7 upstream.

It's possible that two LPIs locate in the same "byte_offset" but target
two different vcpus, where their pending status are indicated by two
different pending tables.  In such a scenario, using last_byte_offset
optimization will lead KVM relying on the wrong pending table entry.
Let us use last_ptr instead, which can be treated as a byte index into
a pending table and also, can be vcpu specific.

Fixes: 280771252c1b ("KVM: arm64: vgic-v3: KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES")
Cc: stable@vger.kernel.org
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Acked-by: Eric Auger <eric.auger@redhat.com>
Link: https://lore.kernel.org/r/20191029071919.177-4-yuzenghui@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/arm/vgic/vgic-v3.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/virt/kvm/arm/vgic/vgic-v3.c
+++ b/virt/kvm/arm/vgic/vgic-v3.c
@@ -331,8 +331,8 @@ retry:
 int vgic_v3_save_pending_tables(struct kvm *kvm)
 {
 	struct vgic_dist *dist = &kvm->arch.vgic;
-	int last_byte_offset = -1;
 	struct vgic_irq *irq;
+	gpa_t last_ptr = ~(gpa_t)0;
 	int ret;
 	u8 val;
 
@@ -352,11 +352,11 @@ int vgic_v3_save_pending_tables(struct k
 		bit_nr = irq->intid % BITS_PER_BYTE;
 		ptr = pendbase + byte_offset;
 
-		if (byte_offset != last_byte_offset) {
+		if (ptr != last_ptr) {
 			ret = kvm_read_guest_lock(kvm, ptr, &val, 1);
 			if (ret)
 				return ret;
-			last_byte_offset = byte_offset;
+			last_ptr = ptr;
 		}
 
 		stored = val & (1U << bit_nr);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 141/267] KVM: x86: do not modify masked bits of shared MSRs
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 140/267] KVM: arm/arm64: vgic: Dont rely on the wrong pending table Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 142/267] KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jim Mattson, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream.

"Shared MSRs" are guest MSRs that are written to the host MSRs but
keep their value until the next return to userspace.  They support
a mask, so that some bits keep the host value, but this mask is
only used to skip an unnecessary MSR write and the value written
to the MSR is always the guest MSR.

Fix this and, while at it, do not update smsr->values[slot].curr if
for whatever reason the wrmsr fails.  This should only happen due to
reserved bits, so the value written to smsr->values[slot].curr
will not match when the user-return notifier and the host value will
always be restored.  However, it is untidy and in rare cases this
can actually avoid spurious WRMSRs on return to userspace.

Cc: stable@vger.kernel.org
Reviewed-by: Jim Mattson <jmattson@google.com>
Tested-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/x86.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -276,13 +276,14 @@ int kvm_set_shared_msr(unsigned slot, u6
 	struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
 	int err;
 
-	if (((value ^ smsr->values[slot].curr) & mask) == 0)
+	value = (value & mask) | (smsr->values[slot].host & ~mask);
+	if (value == smsr->values[slot].curr)
 		return 0;
-	smsr->values[slot].curr = value;
 	err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
 	if (err)
 		return 1;
 
+	smsr->values[slot].curr = value;
 	if (!smsr->registered) {
 		smsr->urn.on_user_return = kvm_on_user_return;
 		user_return_notifier_register(&smsr->urn);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 142/267] KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 141/267] KVM: x86: do not modify masked bits of shared MSRs Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 143/267] crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jim Mattson, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream.

KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented
to the guests.  It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR &&
!RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not
hidden (it actually was), yet the value says that TSX is not vulnerable
to microarchitectural data sampling.  Fix both.

Cc: stable@vger.kernel.org
Tested-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/x86.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1113,10 +1113,15 @@ u64 kvm_get_arch_capabilities(void)
 	 * If TSX is disabled on the system, guests are also mitigated against
 	 * TAA and clear CPU buffer mitigation is not required for guests.
 	 */
-	if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
-	    (data & ARCH_CAP_TSX_CTRL_MSR))
+	if (!boot_cpu_has(X86_FEATURE_RTM))
+		data &= ~ARCH_CAP_TAA_NO;
+	else if (!boot_cpu_has_bug(X86_BUG_TAA))
+		data |= ARCH_CAP_TAA_NO;
+	else if (data & ARCH_CAP_TSX_CTRL_MSR)
 		data &= ~ARCH_CAP_MDS_NO;
 
+	/* KVM does not emulate MSR_IA32_TSX_CTRL.  */
+	data &= ~ARCH_CAP_TSX_CTRL_MSR;
 	return data;
 }
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 143/267] crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 142/267] KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 144/267] crypto: af_alg - cast ki_complete ternary op to int Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christian Lamparter, Herbert Xu

From: Christian Lamparter <chunkeey@gmail.com>

commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream.

This patch fixes a crash that can happen during probe
when the available dma memory is not enough (this can
happen if the crypto4xx is built as a module).

The descriptor window mapping would end up being free'd
twice, once in crypto4xx_build_pdr() and the second time
in crypto4xx_destroy_sdr().

Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak")
Cc: <stable@vger.kernel.org>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/amcc/crypto4xx_core.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/crypto/amcc/crypto4xx_core.c
+++ b/drivers/crypto/amcc/crypto4xx_core.c
@@ -399,12 +399,8 @@ static u32 crypto4xx_build_sdr(struct cr
 		dma_alloc_coherent(dev->core_dev->device,
 			dev->scatter_buffer_size * PPC4XX_NUM_SD,
 			&dev->scatter_buffer_pa, GFP_ATOMIC);
-	if (!dev->scatter_buffer_va) {
-		dma_free_coherent(dev->core_dev->device,
-				  sizeof(struct ce_sd) * PPC4XX_NUM_SD,
-				  dev->sdr, dev->sdr_pa);
+	if (!dev->scatter_buffer_va)
 		return -ENOMEM;
-	}
 
 	sd_array = dev->sdr;
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 144/267] crypto: af_alg - cast ki_complete ternary op to int
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 143/267] crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 145/267] crypto: ccp - fix uninitialized list head Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ayush Sawal, Atul Gupta, Herbert Xu

From: Ayush Sawal <ayush.sawal@chelsio.com>

commit 64e7f852c47ce99f6c324c46d6a299a5a7ebead9 upstream.

when libkcapi test is executed  using HW accelerator, cipher operation
return -74.Since af_alg_async_cb->ki_complete treat err as unsigned int,
libkcapi receive 429467222 even though it expect -ve value.

Hence its required to cast resultlen to int so that proper
error is returned to libkcapi.

AEAD one shot non-aligned test 2(libkcapi test)
./../bin/kcapi   -x 10   -c "gcm(aes)" -i 7815d4b06ae50c9c56e87bd7
-k ea38ac0c9b9998c80e28fb496a2b88d9 -a
"853f98a750098bec1aa7497e979e78098155c877879556bb51ddeb6374cbaefc"
-t "c4ce58985b7203094be1d134c1b8ab0b" -q
"b03692f86d1b8b39baf2abb255197c98"

Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
Cc: <stable@vger.kernel.org>
Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com>
Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/af_alg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1086,7 +1086,7 @@ void af_alg_async_cb(struct crypto_async
 	af_alg_free_resources(areq);
 	sock_put(sk);
 
-	iocb->ki_complete(iocb, err ? err : resultlen, 0);
+	iocb->ki_complete(iocb, err ? err : (int)resultlen, 0);
 }
 EXPORT_SYMBOL_GPL(af_alg_async_cb);
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 145/267] crypto: ccp - fix uninitialized list head
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 144/267] crypto: af_alg - cast ki_complete ternary op to int Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 146/267] crypto: ecdh - fix big endian bug in ECC library Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sahaj Sarup, Mark Salter,
	Gary R Hook, Herbert Xu

From: Mark Salter <msalter@redhat.com>

commit 691505a803a7f223b2af621848d581259c61f77d upstream.

A NULL-pointer dereference was reported in fedora bz#1762199 while
reshaping a raid6 array after adding a fifth drive to an existing
array.

[   47.343549] md/raid:md0: raid level 6 active with 3 out of 5 devices, algorithm 2
[   47.804017] md0: detected capacity change from 0 to 7885289422848
[   47.822083] Unable to handle kernel read from unreadable memory at virtual address 0000000000000000
...
[   47.940477] CPU: 1 PID: 14210 Comm: md0_raid6 Tainted: G        W         5.2.18-200.fc30.aarch64 #1
[   47.949594] Hardware name: AMD Overdrive/Supercharger/To be filled by O.E.M., BIOS ROD1002C 04/08/2016
[   47.958886] pstate: 00400085 (nzcv daIf +PAN -UAO)
[   47.963668] pc : __list_del_entry_valid+0x2c/0xa8
[   47.968366] lr : ccp_tx_submit+0x84/0x168 [ccp]
[   47.972882] sp : ffff00001369b970
[   47.976184] x29: ffff00001369b970 x28: ffff00001369bdb8
[   47.981483] x27: 00000000ffffffff x26: ffff8003b758af70
[   47.986782] x25: ffff8003b758b2d8 x24: ffff8003e6245818
[   47.992080] x23: 0000000000000000 x22: ffff8003e62450c0
[   47.997379] x21: ffff8003dfd6add8 x20: 0000000000000003
[   48.002678] x19: ffff8003e6245100 x18: 0000000000000000
[   48.007976] x17: 0000000000000000 x16: 0000000000000000
[   48.013274] x15: 0000000000000000 x14: 0000000000000000
[   48.018572] x13: ffff7e000ef83a00 x12: 0000000000000001
[   48.023870] x11: ffff000010eff998 x10: 00000000000019a0
[   48.029169] x9 : 0000000000000000 x8 : ffff8003e6245180
[   48.034467] x7 : 0000000000000000 x6 : 000000000000003f
[   48.039766] x5 : 0000000000000040 x4 : ffff8003e0145080
[   48.045064] x3 : dead000000000200 x2 : 0000000000000000
[   48.050362] x1 : 0000000000000000 x0 : ffff8003e62450c0
[   48.055660] Call trace:
[   48.058095]  __list_del_entry_valid+0x2c/0xa8
[   48.062442]  ccp_tx_submit+0x84/0x168 [ccp]
[   48.066615]  async_tx_submit+0x224/0x368 [async_tx]
[   48.071480]  async_trigger_callback+0x68/0xfc [async_tx]
[   48.076784]  ops_run_biofill+0x178/0x1e8 [raid456]
[   48.081566]  raid_run_ops+0x248/0x818 [raid456]
[   48.086086]  handle_stripe+0x864/0x1208 [raid456]
[   48.090781]  handle_active_stripes.isra.0+0xb0/0x278 [raid456]
[   48.096604]  raid5d+0x378/0x618 [raid456]
[   48.100602]  md_thread+0xa0/0x150
[   48.103905]  kthread+0x104/0x130
[   48.107122]  ret_from_fork+0x10/0x18
[   48.110686] Code: d2804003 f2fbd5a3 eb03003f 54000320 (f9400021)
[   48.116766] ---[ end trace 23f390a527f7ad77 ]---

ccp_tx_submit is passed a dma_async_tx_descriptor which is contained in
a ccp_dma_desc and adds it to a ccp channel's pending list:

	list_del(&desc->entry);
	list_add_tail(&desc->entry, &chan->pending);

The problem is that desc->entry may be uninitialized in the
async_trigger_callback path where the descriptor was gotten
from ccp_prep_dma_interrupt which got it from ccp_alloc_dma_desc
which doesn't initialize the desc->entry list head. So, just
initialize the list head to avoid the problem.

Cc: <stable@vger.kernel.org>
Reported-by: Sahaj Sarup <sahajsarup@gmail.com>
Signed-off-by: Mark Salter <msalter@redhat.com>
Acked-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/ccp-dmaengine.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/crypto/ccp/ccp-dmaengine.c
+++ b/drivers/crypto/ccp/ccp-dmaengine.c
@@ -341,6 +341,7 @@ static struct ccp_dma_desc *ccp_alloc_dm
 	desc->tx_desc.flags = flags;
 	desc->tx_desc.tx_submit = ccp_tx_submit;
 	desc->ccp = chan->ccp;
+	INIT_LIST_HEAD(&desc->entry);
 	INIT_LIST_HEAD(&desc->pending);
 	INIT_LIST_HEAD(&desc->active);
 	desc->status = DMA_IN_PROGRESS;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 146/267] crypto: ecdh - fix big endian bug in ECC library
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 145/267] crypto: ccp - fix uninitialized list head Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 147/267] crypto: user - fix memory leak in crypto_report Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Herbert Xu

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit f398243e9fd6a3a059c1ea7b380c40628dbf0c61 upstream.

The elliptic curve arithmetic library used by the EC-DH KPP implementation
assumes big endian byte order, and unconditionally reverses the byte
and word order of multi-limb quantities. On big endian systems, the byte
reordering is not necessary, while the word ordering needs to be retained.

So replace the __swab64() invocation with a call to be64_to_cpu() which
should do the right thing for both little and big endian builds.

Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
Cc: <stable@vger.kernel.org> # v4.9+
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/ecc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -898,10 +898,11 @@ static void ecc_point_mult(struct ecc_po
 static inline void ecc_swap_digits(const u64 *in, u64 *out,
 				   unsigned int ndigits)
 {
+	const __be64 *src = (__force __be64 *)in;
 	int i;
 
 	for (i = 0; i < ndigits; i++)
-		out[i] = __swab64(in[ndigits - 1 - i]);
+		out[i] = be64_to_cpu(src[ndigits - 1 - i]);
 }
 
 static int __ecc_is_key_valid(const struct ecc_curve *curve,



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 147/267] crypto: user - fix memory leak in crypto_report
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 146/267] crypto: ecdh - fix big endian bug in ECC library Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 148/267] spi: atmel: Fix CS high support Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, Herbert Xu

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream.

In crypto_report, a new skb is created via nlmsg_new(). This skb should
be released if crypto_report_alg() fails.

Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
Cc: <stable@vger.kernel.org>
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/crypto_user.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -288,8 +288,10 @@ static int crypto_report(struct sk_buff
 drop_alg:
 	crypto_mod_put(alg);
 
-	if (err)
+	if (err) {
+		kfree_skb(skb);
 		return err;
+	}
 
 	return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid);
 }



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 148/267] spi: atmel: Fix CS high support
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 147/267] crypto: user - fix memory leak in crypto_report Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 149/267] RDMA/qib: Validate ->show()/store() callbacks before calling them Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gregory CLEMENT, Mark Brown

From: Gregory CLEMENT <gregory.clement@bootlin.com>

commit 7cbb16b2122c09f2ae393a1542fed628505b9da6 upstream.

Until a few years ago, this driver was only used with CS GPIO. The
only exception is CS0 on AT91RM9200 which has to use internal CS. A
limitation of the internal CS is that they don't support CS High.

So by using the CS GPIO the CS high configuration was available except
for the particular case CS0 on RM9200.

When the support for the internal chip-select was added, the check of
the CS high support was not updated. Due to this the driver accepts
this configuration for all the SPI controller v2 (used by all SoCs
excepting the AT91RM9200) whereas the hardware doesn't support it for
infernal CS.

This patch fixes the test to match the hardware capabilities.

Fixes: 4820303480a1 ("spi: atmel: add support for the internal chip-select of the spi controller")
Cc: <stable@vger.kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Link: https://lore.kernel.org/r/20191017141846.7523-3-gregory.clement@bootlin.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-atmel.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-atmel.c
+++ b/drivers/spi/spi-atmel.c
@@ -1150,10 +1150,8 @@ static int atmel_spi_setup(struct spi_de
 	as = spi_master_get_devdata(spi->master);
 
 	/* see notes above re chipselect */
-	if (!atmel_spi_is_v2(as)
-			&& spi->chip_select == 0
-			&& (spi->mode & SPI_CS_HIGH)) {
-		dev_dbg(&spi->dev, "setup: can't be active-high\n");
+	if (!as->use_cs_gpios && (spi->mode & SPI_CS_HIGH)) {
+		dev_warn(&spi->dev, "setup: non GPIO CS can't be active-high\n");
 		return -EINVAL;
 	}
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 149/267] RDMA/qib: Validate ->show()/store() callbacks before calling them
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 148/267] spi: atmel: Fix CS high support Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 150/267] iomap: Fix pipe page leakage during splicing Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Viresh Kumar, Jason Gunthorpe, Sasha Levin

From: Viresh Kumar <viresh.kumar@linaro.org>

commit 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 upstream.

The permissions of the read-only or write-only sysfs files can be
changed (as root) and the user can then try to read a write-only file or
write to a read-only file which will lead to kernel crash here.

Protect against that by always validating the show/store callbacks.

Link: https://lore.kernel.org/r/d45cc26361a174ae12dbb86c994ef334d257924b.1573096807.git.viresh.kumar@linaro.org
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/qib/qib_sysfs.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/infiniband/hw/qib/qib_sysfs.c
+++ b/drivers/infiniband/hw/qib/qib_sysfs.c
@@ -301,6 +301,9 @@ static ssize_t qib_portattr_show(struct
 	struct qib_pportdata *ppd =
 		container_of(kobj, struct qib_pportdata, pport_kobj);
 
+	if (!pattr->show)
+		return -EIO;
+
 	return pattr->show(ppd, buf);
 }
 
@@ -312,6 +315,9 @@ static ssize_t qib_portattr_store(struct
 	struct qib_pportdata *ppd =
 		container_of(kobj, struct qib_pportdata, pport_kobj);
 
+	if (!pattr->store)
+		return -EIO;
+
 	return pattr->store(ppd, buf, len);
 }
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 150/267] iomap: Fix pipe page leakage during splicing
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 149/267] RDMA/qib: Validate ->show()/store() callbacks before calling them Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 151/267] thermal: Fix deadlock in thermal thermal_zone_device_check Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+991400e8eba7e00a26e1,
	Jan Kara, Darrick J. Wong, Christoph Hellwig

From: Jan Kara <jack@suse.cz>

commit 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 upstream.

When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages
because bio_iov_iter_get_pages() records that the pipe will have full
extent worth of data however if file size is not block size aligned
iomap_dio_rw() returns less than what bio_iov_iter_get_pages() set up
and splice code gets confused leaking a pipe page with the file tail.

Handle the situation similarly to the old direct IO implementation and
revert iter to actually returned read amount which makes iter consistent
with value returned from iomap_dio_rw() and thus the splice code is
happy.

Fixes: ff6a9292e6f6 ("iomap: implement direct I/O")
CC: stable@vger.kernel.org
Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/iomap.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/fs/iomap.c
+++ b/fs/iomap.c
@@ -1053,8 +1053,15 @@ iomap_dio_rw(struct kiocb *iocb, struct
 		}
 		pos += ret;
 
-		if (iov_iter_rw(iter) == READ && pos >= dio->i_size)
+		if (iov_iter_rw(iter) == READ && pos >= dio->i_size) {
+			/*
+			 * We only report that we've read data up to i_size.
+			 * Revert iter to a state corresponding to that as
+			 * some callers (such as splice code) rely on it.
+			 */
+			iov_iter_revert(iter, pos - dio->i_size);
 			break;
+		}
 	} while ((count = iov_iter_count(iter)) > 0);
 	blk_finish_plug(&plug);
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 151/267] thermal: Fix deadlock in thermal thermal_zone_device_check
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 150/267] iomap: Fix pipe page leakage during splicing Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 152/267] binder: Handle start==NULL in binder_update_page_range() Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wei Wang, Zhang Rui

From: Wei Wang <wvw@google.com>

commit 163b00cde7cf2206e248789d2780121ad5e6a70b upstream.

1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone
device") changed cancel_delayed_work to cancel_delayed_work_sync to avoid
a use-after-free issue. However, cancel_delayed_work_sync could be called
insides the WQ causing deadlock.

[54109.642398] c0   1162 kworker/u17:1   D    0 11030      2 0x00000000
[54109.642437] c0   1162 Workqueue: thermal_passive_wq thermal_zone_device_check
[54109.642447] c0   1162 Call trace:
[54109.642456] c0   1162  __switch_to+0x138/0x158
[54109.642467] c0   1162  __schedule+0xba4/0x1434
[54109.642480] c0   1162  schedule_timeout+0xa0/0xb28
[54109.642492] c0   1162  wait_for_common+0x138/0x2e8
[54109.642511] c0   1162  flush_work+0x348/0x40c
[54109.642522] c0   1162  __cancel_work_timer+0x180/0x218
[54109.642544] c0   1162  handle_thermal_trip+0x2c4/0x5a4
[54109.642553] c0   1162  thermal_zone_device_update+0x1b4/0x25c
[54109.642563] c0   1162  thermal_zone_device_check+0x18/0x24
[54109.642574] c0   1162  process_one_work+0x3cc/0x69c
[54109.642583] c0   1162  worker_thread+0x49c/0x7c0
[54109.642593] c0   1162  kthread+0x17c/0x1b0
[54109.642602] c0   1162  ret_from_fork+0x10/0x18
[54109.643051] c0   1162 kworker/u17:2   D    0 16245      2 0x00000000
[54109.643067] c0   1162 Workqueue: thermal_passive_wq thermal_zone_device_check
[54109.643077] c0   1162 Call trace:
[54109.643085] c0   1162  __switch_to+0x138/0x158
[54109.643095] c0   1162  __schedule+0xba4/0x1434
[54109.643104] c0   1162  schedule_timeout+0xa0/0xb28
[54109.643114] c0   1162  wait_for_common+0x138/0x2e8
[54109.643122] c0   1162  flush_work+0x348/0x40c
[54109.643131] c0   1162  __cancel_work_timer+0x180/0x218
[54109.643141] c0   1162  handle_thermal_trip+0x2c4/0x5a4
[54109.643150] c0   1162  thermal_zone_device_update+0x1b4/0x25c
[54109.643159] c0   1162  thermal_zone_device_check+0x18/0x24
[54109.643167] c0   1162  process_one_work+0x3cc/0x69c
[54109.643177] c0   1162  worker_thread+0x49c/0x7c0
[54109.643186] c0   1162  kthread+0x17c/0x1b0
[54109.643195] c0   1162  ret_from_fork+0x10/0x18
[54109.644500] c0   1162 cat             D    0  7766      1 0x00000001
[54109.644515] c0   1162 Call trace:
[54109.644524] c0   1162  __switch_to+0x138/0x158
[54109.644536] c0   1162  __schedule+0xba4/0x1434
[54109.644546] c0   1162  schedule_preempt_disabled+0x80/0xb0
[54109.644555] c0   1162  __mutex_lock+0x3a8/0x7f0
[54109.644563] c0   1162  __mutex_lock_slowpath+0x14/0x20
[54109.644575] c0   1162  thermal_zone_get_temp+0x84/0x360
[54109.644586] c0   1162  temp_show+0x30/0x78
[54109.644609] c0   1162  dev_attr_show+0x5c/0xf0
[54109.644628] c0   1162  sysfs_kf_seq_show+0xcc/0x1a4
[54109.644636] c0   1162  kernfs_seq_show+0x48/0x88
[54109.644656] c0   1162  seq_read+0x1f4/0x73c
[54109.644664] c0   1162  kernfs_fop_read+0x84/0x318
[54109.644683] c0   1162  __vfs_read+0x50/0x1bc
[54109.644692] c0   1162  vfs_read+0xa4/0x140
[54109.644701] c0   1162  SyS_read+0xbc/0x144
[54109.644708] c0   1162  el0_svc_naked+0x34/0x38
[54109.845800] c0   1162 D 720.000s 1->7766->7766 cat [panic]

Fixes: 1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone device")
Cc: stable@vger.kernel.org
Signed-off-by: Wei Wang <wvw@google.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/thermal/thermal_core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -299,7 +299,7 @@ static void thermal_zone_device_set_poll
 		mod_delayed_work(system_freezable_wq, &tz->poll_queue,
 				 msecs_to_jiffies(delay));
 	else
-		cancel_delayed_work_sync(&tz->poll_queue);
+		cancel_delayed_work(&tz->poll_queue);
 }
 
 static void monitor_thermal_zone(struct thermal_zone_device *tz)
@@ -1350,7 +1350,7 @@ void thermal_zone_device_unregister(stru
 
 	mutex_unlock(&thermal_list_lock);
 
-	thermal_zone_device_set_polling(tz, 0);
+	cancel_delayed_work_sync(&tz->poll_queue);
 
 	thermal_set_governor(tz, NULL);
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 152/267] binder: Handle start==NULL in binder_update_page_range()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 151/267] thermal: Fix deadlock in thermal thermal_zone_device_check Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:47 ` [PATCH 4.14 153/267] ASoC: rsnd: fixup MIX kctrl registration Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jann Horn, Christian Brauner

From: Jann Horn <jannh@google.com>

commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream.

The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
continuing backwards to index -1 and crashing.

Luckily you need to be highly privileged to map things at NULL, so it's not
a big problem.

Fix it by adjusting the loop so that the loop variable is always in bounds.

This patch is deliberately minimal to simplify backporting, but IMO this
function could use a refactor. The jump labels in the second loop body are
horrible (the error gotos should be jumping to free_range instead), and
both loops would look nicer if they just iterated upwards through indices.
And the up_read()+mmput() shouldn't be duplicated like that.

Cc: stable@vger.kernel.org
Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/android/binder_alloc.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -289,8 +289,7 @@ static int binder_update_page_range(stru
 	return 0;
 
 free_range:
-	for (page_addr = end - PAGE_SIZE; page_addr >= start;
-	     page_addr -= PAGE_SIZE) {
+	for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) {
 		bool ret;
 		size_t index;
 
@@ -303,6 +302,8 @@ free_range:
 		WARN_ON(!ret);
 
 		trace_binder_free_lru_end(alloc, index);
+		if (page_addr == start)
+			break;
 		continue;
 
 err_vm_insert_page_failed:
@@ -312,7 +313,8 @@ err_map_kernel_failed:
 		page->page_ptr = NULL;
 err_alloc_page_failed:
 err_page_ptr_cleared:
-		;
+		if (page_addr == start)
+			break;
 	}
 err_no_vma:
 	if (mm) {



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 153/267] ASoC: rsnd: fixup MIX kctrl registration
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 152/267] binder: Handle start==NULL in binder_update_page_range() Greg Kroah-Hartman
@ 2019-12-16 17:47 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 154/267] KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiada Wang, Kuninori Morimoto,
	Mark Brown, Nobuhiro Iwamatsu

From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>

commit 7aea8a9d71d54f449f49e20324df06341cc18395 upstream.

Renesas sound device has many IPs and many situations.
If platform/board uses MIXer, situation will be more complex.
To avoid duplicate DVC kctrl registration when MIXer was used,
it had original flags.
But it was issue when sound card was re-binded, because
no one can't cleanup this flags then.

To solve this issue, commit 9c698e8481a15237a ("ASoC: rsnd: tidyup
registering method for rsnd_kctrl_new()") checks registered
card->controls, because if card was re-binded, these were cleanuped
automatically. This patch could solve re-binding issue.
But, it start to avoid MIX kctrl.

To solve these issues, we need below.
To avoid card re-binding issue: check registered card->controls
To avoid duplicate DVC registration: check registered rsnd_kctrl_cfg
To allow multiple MIX registration: check registered rsnd_kctrl_cfg
This patch do it.

Fixes: 9c698e8481a15237a ("ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()")
Reported-by: Jiada Wang <jiada_wang@mentor.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Tested-By: Jiada Wang <jiada_wang@mentor.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/sh/rcar/core.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/sound/soc/sh/rcar/core.c
+++ b/sound/soc/sh/rcar/core.c
@@ -1279,14 +1279,14 @@ int rsnd_kctrl_new(struct rsnd_mod *mod,
 	int ret;
 
 	/*
-	 * 1) Avoid duplicate register (ex. MIXer case)
-	 * 2) re-register if card was rebinded
+	 * 1) Avoid duplicate register for DVC with MIX case
+	 * 2) Allow duplicate register for MIX
+	 * 3) re-register if card was rebinded
 	 */
 	list_for_each_entry(kctrl, &card->controls, list) {
 		struct rsnd_kctrl_cfg *c = kctrl->private_data;
 
-		if (strcmp(kctrl->id.name, name) == 0 &&
-		    c->mod == mod)
+		if (c == cfg)
 			return 0;
 	}
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 154/267] KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2019-12-16 17:47 ` [PATCH 4.14 153/267] ASoC: rsnd: fixup MIX kctrl registration Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 155/267] appletalk: Fix potential NULL pointer dereference in unregister_snap_client Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e3f4897236c4eeb8af4f,
	Paolo Bonzini, Ben Hutchings

From: Paolo Bonzini <pbonzini@redhat.com>

commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.

The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
KVM_GET_EMULATED_CPUID.

Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/cpuid.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -404,7 +404,7 @@ static inline int __do_cpuid_ent(struct
 
 	r = -E2BIG;
 
-	if (*nent >= maxnent)
+	if (WARN_ON(*nent >= maxnent))
 		goto out;
 
 	do_cpuid_1_ent(entry, function, index);
@@ -707,6 +707,9 @@ out:
 static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func,
 			u32 idx, int *nent, int maxnent, unsigned int type)
 {
+	if (*nent >= maxnent)
+		return -E2BIG;
+
 	if (type == KVM_GET_EMULATED_CPUID)
 		return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent);
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 155/267] appletalk: Fix potential NULL pointer dereference in unregister_snap_client
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 154/267] KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 156/267] appletalk: Set error code if register_snap_client failed Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, YueHaibing,
	David S. Miller, Ben Hutchings

From: YueHaibing <yuehaibing@huawei.com>

commit 9804501fa1228048857910a6bf23e085aade37cc upstream.

register_snap_client may return NULL, all the callers
check it, but only print a warning. This will result in
NULL pointer dereference in unregister_snap_client and other
places.

It has always been used like this since v2.6

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to <4.15: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/atalk.h |    2 +-
 net/appletalk/aarp.c  |   15 ++++++++++++---
 net/appletalk/ddp.c   |   20 ++++++++++++--------
 3 files changed, 25 insertions(+), 12 deletions(-)

--- a/include/linux/atalk.h
+++ b/include/linux/atalk.h
@@ -108,7 +108,7 @@ static __inline__ struct elapaarp *aarp_
 #define AARP_RESOLVE_TIME	(10 * HZ)
 
 extern struct datalink_proto *ddp_dl, *aarp_dl;
-extern void aarp_proto_init(void);
+extern int aarp_proto_init(void);
 
 /* Inter module exports */
 
--- a/net/appletalk/aarp.c
+++ b/net/appletalk/aarp.c
@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi
 
 static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
 
-void __init aarp_proto_init(void)
+int __init aarp_proto_init(void)
 {
+	int rc;
+
 	aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
-	if (!aarp_dl)
+	if (!aarp_dl) {
 		printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
+		return -ENOMEM;
+	}
 	setup_timer(&aarp_timer, aarp_expire_timeout, 0);
 	aarp_timer.expires  = jiffies + sysctl_aarp_expiry_time;
 	add_timer(&aarp_timer);
-	register_netdevice_notifier(&aarp_notifier);
+	rc = register_netdevice_notifier(&aarp_notifier);
+	if (rc) {
+		del_timer_sync(&aarp_timer);
+		unregister_snap_client(aarp_dl);
+	}
+	return rc;
 }
 
 /* Remove the AARP entries associated with a device. */
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1911,9 +1911,6 @@ static unsigned char ddp_snap_id[] = { 0
 EXPORT_SYMBOL(atrtr_get_dev);
 EXPORT_SYMBOL(atalk_find_dev_addr);
 
-static const char atalk_err_snap[] __initconst =
-	KERN_CRIT "Unable to register DDP with SNAP.\n";
-
 /* Called by proto.c on kernel start up */
 static int __init atalk_init(void)
 {
@@ -1928,17 +1925,22 @@ static int __init atalk_init(void)
 		goto out_proto;
 
 	ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
-	if (!ddp_dl)
-		printk(atalk_err_snap);
+	if (!ddp_dl) {
+		pr_crit("Unable to register DDP with SNAP.\n");
+		goto out_sock;
+	}
 
 	dev_add_pack(&ltalk_packet_type);
 	dev_add_pack(&ppptalk_packet_type);
 
 	rc = register_netdevice_notifier(&ddp_notifier);
 	if (rc)
-		goto out_sock;
+		goto out_snap;
+
+	rc = aarp_proto_init();
+	if (rc)
+		goto out_dev;
 
-	aarp_proto_init();
 	rc = atalk_proc_init();
 	if (rc)
 		goto out_aarp;
@@ -1952,11 +1954,13 @@ out_proc:
 	atalk_proc_exit();
 out_aarp:
 	aarp_cleanup_module();
+out_dev:
 	unregister_netdevice_notifier(&ddp_notifier);
-out_sock:
+out_snap:
 	dev_remove_pack(&ppptalk_packet_type);
 	dev_remove_pack(&ltalk_packet_type);
 	unregister_snap_client(ddp_dl);
+out_sock:
 	sock_unregister(PF_APPLETALK);
 out_proto:
 	proto_unregister(&ddp_proto);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 156/267] appletalk: Set error code if register_snap_client failed
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 155/267] appletalk: Fix potential NULL pointer dereference in unregister_snap_client Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 157/267] usb: gadget: configfs: Fix missing spin_lock_init() Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, YueHaibing, David S. Miller

From: YueHaibing <yuehaibing@huawei.com>

commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream.

If register_snap_client fails in atalk_init,
error code should be set, otherwise it will
triggers NULL pointer dereference while unloading
module.

Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/appletalk/ddp.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1927,6 +1927,7 @@ static int __init atalk_init(void)
 	ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
 	if (!ddp_dl) {
 		pr_crit("Unable to register DDP with SNAP.\n");
+		rc = -ENOMEM;
 		goto out_sock;
 	}
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 157/267] usb: gadget: configfs: Fix missing spin_lock_init()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 156/267] appletalk: Set error code if register_snap_client failed Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 158/267] usb: gadget: pch_udc: fix use after free Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wei Yongjun, Peter Chen

From: Wei Yongjun <weiyongjun1@huawei.com>

commit 093edc2baad2c258b1f55d1ab9c63c2b5ae67e42 upstream.

The driver allocates the spinlock but not initialize it.
Use spin_lock_init() on it to initialize it correctly.

This is detected by Coccinelle semantic patch.

Fixes: 1a1c851bbd70 ("usb: gadget: configfs: fix concurrent issue between composite APIs")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Link: https://lore.kernel.org/r/20191030034046.188808-1-weiyongjun1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/configfs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -1543,6 +1543,7 @@ static struct config_group *gadgets_make
 	gi->composite.resume = NULL;
 	gi->composite.max_speed = USB_SPEED_SUPER;
 
+	spin_lock_init(&gi->spinlock);
 	mutex_init(&gi->lock);
 	INIT_LIST_HEAD(&gi->string_list);
 	INIT_LIST_HEAD(&gi->available_func);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 158/267] usb: gadget: pch_udc: fix use after free
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 157/267] usb: gadget: configfs: Fix missing spin_lock_init() Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 159/267] scsi: qla2xxx: Fix driver unload hang Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Nazarewicz, Gustavo A. R. Silva

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

commit 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 upstream.

Remove pointer dereference after free.

pci_pool_free doesn't care about contents of td.
It's just a void* for it

Addresses-Coverity-ID: 1091173 ("Use after free")
Cc: stable@vger.kernel.org
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Link: https://lore.kernel.org/r/20191106202821.GA20347@embeddedor
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/udc/pch_udc.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/usb/gadget/udc/pch_udc.c
+++ b/drivers/usb/gadget/udc/pch_udc.c
@@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struc
 		td = phys_to_virt(addr);
 		addr2 = (dma_addr_t)td->next;
 		dma_pool_free(dev->data_requests, td, addr);
-		td->next = 0x00;
 		addr = addr2;
 	}
 	req->chain_len = 1;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 159/267] scsi: qla2xxx: Fix driver unload hang
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 158/267] usb: gadget: pch_udc: fix use after free Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 160/267] media: venus: remove invalid compat_ioctl32 handler Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ewan D. Milne, Quinn Tran,
	Himanshu Madhani, Martin K. Petersen

From: Quinn Tran <qutran@marvell.com>

commit dd322b7f3efc8cda085bb60eadc4aee6324eadd8 upstream.

This patch fixes driver unload hang by removing msleep()

Fixes: d74595278f4ab ("scsi: qla2xxx: Add multiple queue pair functionality.")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191105150657.8092-5-hmadhani@marvell.com
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_init.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -8092,8 +8092,6 @@ int qla2xxx_delete_qpair(struct scsi_qla
 	struct qla_hw_data *ha = qpair->hw;
 
 	qpair->delete_in_progress = 1;
-	while (atomic_read(&qpair->ref_count))
-		msleep(500);
 
 	ret = qla25xx_delete_req_que(vha, qpair->req);
 	if (ret != QLA_SUCCESS)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 160/267] media: venus: remove invalid compat_ioctl32 handler
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 159/267] scsi: qla2xxx: Fix driver unload hang Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 161/267] USB: uas: honor flag to avoid CAPACITY16 Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Stanimir Varbanov,
	Hans Verkuil, Mauro Carvalho Chehab

From: Arnd Bergmann <arnd@arndb.de>

commit 4adc0423de92cf850d1ef5c0e7cb28fd7a38219e upstream.

v4l2_compat_ioctl32() is the function that calls into
v4l2_file_operations->compat_ioctl32(), so setting that back to the same
function leads to a trivial endless loop, followed by a kernel
stack overrun.

Remove the incorrect assignment.

Cc: stable@vger.kernel.org
Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
Fixes: aaaa93eda64b ("[media] media: venus: venc: add video encoder files")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/qcom/venus/vdec.c |    3 ---
 drivers/media/platform/qcom/venus/venc.c |    3 ---
 2 files changed, 6 deletions(-)

--- a/drivers/media/platform/qcom/venus/vdec.c
+++ b/drivers/media/platform/qcom/venus/vdec.c
@@ -1060,9 +1060,6 @@ static const struct v4l2_file_operations
 	.unlocked_ioctl = video_ioctl2,
 	.poll = v4l2_m2m_fop_poll,
 	.mmap = v4l2_m2m_fop_mmap,
-#ifdef CONFIG_COMPAT
-	.compat_ioctl32 = v4l2_compat_ioctl32,
-#endif
 };
 
 static int vdec_probe(struct platform_device *pdev)
--- a/drivers/media/platform/qcom/venus/venc.c
+++ b/drivers/media/platform/qcom/venus/venc.c
@@ -1166,9 +1166,6 @@ static const struct v4l2_file_operations
 	.unlocked_ioctl = video_ioctl2,
 	.poll = v4l2_m2m_fop_poll,
 	.mmap = v4l2_m2m_fop_mmap,
-#ifdef CONFIG_COMPAT
-	.compat_ioctl32 = v4l2_compat_ioctl32,
-#endif
 };
 
 static int venc_probe(struct platform_device *pdev)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 161/267] USB: uas: honor flag to avoid CAPACITY16
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 160/267] media: venus: remove invalid compat_ioctl32 handler Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 162/267] USB: uas: heed CAPACITY_HEURISTICS Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit bff000cae1eec750d62e265c4ba2db9af57b17e1 upstream.

Copy the support over from usb-storage to get feature parity

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191114112758.32747-2-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/storage/uas.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -832,6 +832,10 @@ static int uas_slave_configure(struct sc
 		sdev->wce_default_on = 1;
 	}
 
+	/* Some disks cannot handle READ_CAPACITY_16 */
+	if (devinfo->flags & US_FL_NO_READ_CAPACITY_16)
+		sdev->no_read_capacity_16 = 1;
+
 	/*
 	 * Some disks return the total number of blocks in response
 	 * to READ CAPACITY rather than the highest block number.



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 162/267] USB: uas: heed CAPACITY_HEURISTICS
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 161/267] USB: uas: honor flag to avoid CAPACITY16 Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 163/267] USB: documentation: flags on usb-storage versus UAS Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit 335cbbd5762d5e5c67a8ddd6e6362c2aa42a328f upstream.

There is no need to ignore this flag. We should be as close
to storage in that regard as makes sense, so honor flags whose
cost is tiny.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191114112758.32747-3-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/storage/uas.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -845,6 +845,12 @@ static int uas_slave_configure(struct sc
 		sdev->fix_capacity = 1;
 
 	/*
+	 * in some cases we have to guess
+	 */
+	if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
+		sdev->guess_capacity = 1;
+
+	/*
 	 * Some devices don't like MODE SENSE with page=0x3f,
 	 * which is the command used for checking if a device
 	 * is write-protected.  Now that we tell the sd driver



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 163/267] USB: documentation: flags on usb-storage versus UAS
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 162/267] USB: uas: heed CAPACITY_HEURISTICS Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 164/267] usb: Allow USB device to be warm reset in suspended state Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit 65cc8bf99349f651a0a2cee69333525fe581f306 upstream.

Document which flags work storage, UAS or both

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191114112758.32747-4-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/admin-guide/kernel-parameters.txt |   22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4693,13 +4693,13 @@
 			Flags is a set of characters, each corresponding
 			to a common usb-storage quirk flag as follows:
 				a = SANE_SENSE (collect more than 18 bytes
-					of sense data);
+					of sense data, not on uas);
 				b = BAD_SENSE (don't collect more than 18
-					bytes of sense data);
+					bytes of sense data, not on uas);
 				c = FIX_CAPACITY (decrease the reported
 					device capacity by one sector);
 				d = NO_READ_DISC_INFO (don't use
-					READ_DISC_INFO command);
+					READ_DISC_INFO command, not on uas);
 				e = NO_READ_CAPACITY_16 (don't use
 					READ_CAPACITY_16 command);
 				f = NO_REPORT_OPCODES (don't use report opcodes
@@ -4714,17 +4714,18 @@
 				j = NO_REPORT_LUNS (don't use report luns
 					command, uas only);
 				l = NOT_LOCKABLE (don't try to lock and
-					unlock ejectable media);
+					unlock ejectable media, not on uas);
 				m = MAX_SECTORS_64 (don't transfer more
-					than 64 sectors = 32 KB at a time);
+					than 64 sectors = 32 KB at a time,
+					not on uas);
 				n = INITIAL_READ10 (force a retry of the
-					initial READ(10) command);
+					initial READ(10) command, not on uas);
 				o = CAPACITY_OK (accept the capacity
-					reported by the device);
+					reported by the device, not on uas);
 				p = WRITE_CACHE (the device cache is ON
-					by default);
+					by default, not on uas);
 				r = IGNORE_RESIDUE (the device reports
-					bogus residue values);
+					bogus residue values, not on uas);
 				s = SINGLE_LUN (the device has only one
 					Logical Unit);
 				t = NO_ATA_1X (don't allow ATA(12) and ATA(16)
@@ -4733,7 +4734,8 @@
 				w = NO_WP_DETECT (don't test whether the
 					medium is write-protected).
 				y = ALWAYS_SYNC (issue a SYNCHRONIZE_CACHE
-					even if the device claims no cache)
+					even if the device claims no cache,
+					not on uas)
 			Example: quirks=0419:aaf5:rl,0421:0433:rc
 
 	user_debug=	[KNL,ARM]



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 164/267] usb: Allow USB device to be warm reset in suspended state
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 163/267] USB: documentation: flags on usb-storage versus UAS Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 165/267] staging: rtl8188eu: fix interface sanity check Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Alan Stern

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit e76b3bf7654c3c94554c24ba15a3d105f4006c80 upstream.

On Dell WD15 dock, sometimes USB ethernet cannot be detected after plugging
cable to the ethernet port, the hub and roothub get runtime resumed and
runtime suspended immediately:
...
[  433.315169] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_resume: 0
[  433.315204] usb usb4: usb auto-resume
[  433.315226] hub 4-0:1.0: hub_resume
[  433.315239] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10202e2, return 0x10343
[  433.315264] usb usb4-port1: status 0343 change 0001
[  433.315279] xhci_hcd 0000:3a:00.0: clear port1 connect change, portsc: 0x10002e2
[  433.315293] xhci_hcd 0000:3a:00.0: Get port status 4-2 read: 0x2a0, return 0x2a0
[  433.317012] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
[  433.422282] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10002e2, return 0x343
[  433.422307] usb usb4-port1: do warm reset
[  433.422311] usb 4-1: device reset not allowed in state 8
[  433.422339] hub 4-0:1.0: state 7 ports 2 chg 0002 evt 0000
[  433.422346] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10002e2, return 0x343
[  433.422356] usb usb4-port1: do warm reset
[  433.422358] usb 4-1: device reset not allowed in state 8
[  433.422428] xhci_hcd 0000:3a:00.0: set port remote wake mask, actual port 0 status  = 0xf0002e2
[  433.422455] xhci_hcd 0000:3a:00.0: set port remote wake mask, actual port 1 status  = 0xe0002a0
[  433.422465] hub 4-0:1.0: hub_suspend
[  433.422475] usb usb4: bus auto-suspend, wakeup 1
[  433.426161] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
[  433.466209] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.510204] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.554051] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.598235] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.642154] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.686204] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.730205] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.774203] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.818207] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.862040] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.862053] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
[  433.862077] xhci_hcd 0000:3a:00.0: xhci_suspend: stopping port polling.
[  433.862096] xhci_hcd 0000:3a:00.0: // Setting command ring address to 0x8578fc001
[  433.862312] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_suspend: 0
[  433.862445] xhci_hcd 0000:3a:00.0: PME# enabled
[  433.902376] xhci_hcd 0000:3a:00.0: restoring config space at offset 0xc (was 0x0, writing 0x20)
[  433.902395] xhci_hcd 0000:3a:00.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100403)
[  433.902490] xhci_hcd 0000:3a:00.0: PME# disabled
[  433.902504] xhci_hcd 0000:3a:00.0: enabling bus mastering
[  433.902547] xhci_hcd 0000:3a:00.0: // Setting command ring address to 0x8578fc001
[  433.902649] pcieport 0000:00:1b.0: PME: Spurious native interrupt!
[  433.902839] xhci_hcd 0000:3a:00.0: Port change event, 4-1, id 3, portsc: 0xb0202e2
[  433.902842] xhci_hcd 0000:3a:00.0: resume root hub
[  433.902845] xhci_hcd 0000:3a:00.0: handle_port_status: starting port polling.
[  433.902877] xhci_hcd 0000:3a:00.0: xhci_resume: starting port polling.
[  433.902889] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
[  433.902891] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_resume: 0
[  433.902919] usb usb4: usb wakeup-resume
[  433.902942] usb usb4: usb auto-resume
[  433.902966] hub 4-0:1.0: hub_resume
...

As Mathias pointed out, the hub enters Cold Attach Status state and
requires a warm reset. However usb_reset_device() bails out early when
the device is in suspended state, as its callers port_event() and
hub_event() don't always resume the device.

Since there's nothing wrong to reset a suspended device, allow
usb_reset_device() to do so to solve the issue.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106062710.29880-1-kai.heng.feng@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hub.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5630,7 +5630,7 @@ re_enumerate_no_bos:
 
 /**
  * usb_reset_device - warn interface drivers and perform a USB port reset
- * @udev: device to reset (not in SUSPENDED or NOTATTACHED state)
+ * @udev: device to reset (not in NOTATTACHED state)
  *
  * Warns all drivers bound to registered interfaces (using their pre_reset
  * method), performs the port reset, and then lets the drivers know that
@@ -5658,8 +5658,7 @@ int usb_reset_device(struct usb_device *
 	struct usb_host_config *config = udev->actconfig;
 	struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
 
-	if (udev->state == USB_STATE_NOTATTACHED ||
-			udev->state == USB_STATE_SUSPENDED) {
+	if (udev->state == USB_STATE_NOTATTACHED) {
 		dev_dbg(&udev->dev, "device reset not allowed in state %d\n",
 				udev->state);
 		return -EINVAL;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 165/267] staging: rtl8188eu: fix interface sanity check
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 164/267] usb: Allow USB device to be warm reset in suspended state Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 166/267] staging: rtl8712: " Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 74ca34118a0e05793935d804ccffcedd6eb56596 upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20")
Cc: stable <stable@vger.kernel.org>     # 3.12
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/rtl8188eu/os_dep/usb_intf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -78,7 +78,7 @@ static struct dvobj_priv *usb_dvobj_init
 	phost_conf = pusbd->actconfig;
 	pconf_desc = &phost_conf->desc;
 
-	phost_iface = &usb_intf->altsetting[0];
+	phost_iface = usb_intf->cur_altsetting;
 	piface_desc = &phost_iface->desc;
 
 	pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 166/267] staging: rtl8712: fix interface sanity check
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 165/267] staging: rtl8188eu: fix interface sanity check Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 167/267] staging: gigaset: fix general protection fault on probe Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit c724f776f048538ecfdf53a52b7a522309f5c504 upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
Cc: stable <stable@vger.kernel.org>     # 2.6.37
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191210114751.5119-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/rtl8712/usb_intf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8712/usb_intf.c
+++ b/drivers/staging/rtl8712/usb_intf.c
@@ -275,7 +275,7 @@ static uint r8712_usb_dvobj_init(struct
 
 	pdvobjpriv->padapter = padapter;
 	padapter->EepromAddressSize = 6;
-	phost_iface = &pintf->altsetting[0];
+	phost_iface = pintf->cur_altsetting;
 	piface_desc = &phost_iface->desc;
 	pdvobjpriv->nr_endpoint = piface_desc->bNumEndpoints;
 	if (pusbd->speed == USB_SPEED_HIGH) {



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 167/267] staging: gigaset: fix general protection fault on probe
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 166/267] staging: rtl8712: " Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 168/267] staging: gigaset: fix illegal free on probe errors Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+35b1c403a14f5c89eba7,
	Hansjoerg Lipp, Tilman Schmidt, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 53f35a39c3860baac1e5ca80bf052751cfb24a99 upstream.

Fix a general protection fault when accessing the endpoint descriptors
which could be triggered by a malicious device due to missing sanity
checks on the number of endpoints.

Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com
Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter")
Cc: stable <stable@vger.kernel.org>     # 2.6.17
Cc: Hansjoerg Lipp <hjlipp@web.de>
Cc: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191202085610.12719-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/isdn/gigaset/usb-gigaset.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/isdn/gigaset/usb-gigaset.c
+++ b/drivers/isdn/gigaset/usb-gigaset.c
@@ -688,6 +688,11 @@ static int gigaset_probe(struct usb_inte
 		return -ENODEV;
 	}
 
+	if (hostif->desc.bNumEndpoints < 2) {
+		dev_err(&interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
 	dev_info(&udev->dev, "%s: Device matched ... !\n", __func__);
 
 	/* allocate memory for our device state and initialize it */



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 168/267] staging: gigaset: fix illegal free on probe errors
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 167/267] staging: gigaset: fix general protection fault on probe Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 169/267] staging: gigaset: add endpoint-type sanity check Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tilman Schmidt, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 84f60ca7b326ed8c08582417493982fe2573a9ad upstream.

The driver failed to initialise its receive-buffer pointer, something
which could lead to an illegal free on late probe errors.

Fix this by making sure to clear all driver data at allocation.

Fixes: 2032e2c2309d ("usb_gigaset: code cleanup")
Cc: stable <stable@vger.kernel.org>     # 2.6.33
Cc: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191202085610.12719-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/isdn/gigaset/usb-gigaset.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/isdn/gigaset/usb-gigaset.c
+++ b/drivers/isdn/gigaset/usb-gigaset.c
@@ -574,8 +574,7 @@ static int gigaset_initcshw(struct cards
 {
 	struct usb_cardstate *ucs;
 
-	cs->hw.usb = ucs =
-		kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
+	cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
 	if (!ucs) {
 		pr_err("out of memory\n");
 		return -ENOMEM;
@@ -587,9 +586,6 @@ static int gigaset_initcshw(struct cards
 	ucs->bchars[3] = 0;
 	ucs->bchars[4] = 0x11;
 	ucs->bchars[5] = 0x13;
-	ucs->bulk_out_buffer = NULL;
-	ucs->bulk_out_urb = NULL;
-	ucs->read_urb = NULL;
 	tasklet_init(&cs->write_tasklet,
 		     gigaset_modem_fill, (unsigned long) cs);
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 169/267] staging: gigaset: add endpoint-type sanity check
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 168/267] staging: gigaset: fix illegal free on probe errors Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 170/267] usb: xhci: only set D3hot for pci device Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit ed9ed5a89acba51b82bdff61144d4e4a4245ec8a upstream.

Add missing endpoint-type sanity checks to probe.

This specifically prevents a warning in USB core on URB submission when
fuzzing USB descriptors.

Signed-off-by: Johan Hovold <johan@kernel.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191202085610.12719-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/isdn/gigaset/usb-gigaset.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/isdn/gigaset/usb-gigaset.c
+++ b/drivers/isdn/gigaset/usb-gigaset.c
@@ -708,6 +708,12 @@ static int gigaset_probe(struct usb_inte
 
 	endpoint = &hostif->endpoint[0].desc;
 
+	if (!usb_endpoint_is_bulk_out(endpoint)) {
+		dev_err(&interface->dev, "missing bulk-out endpoint\n");
+		retval = -ENODEV;
+		goto error;
+	}
+
 	buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
 	ucs->bulk_out_size = buffer_size;
 	ucs->bulk_out_epnum = usb_endpoint_num(endpoint);
@@ -727,6 +733,12 @@ static int gigaset_probe(struct usb_inte
 
 	endpoint = &hostif->endpoint[1].desc;
 
+	if (!usb_endpoint_is_int_in(endpoint)) {
+		dev_err(&interface->dev, "missing int-in endpoint\n");
+		retval = -ENODEV;
+		goto error;
+	}
+
 	ucs->busy = 0;
 
 	ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 170/267] usb: xhci: only set D3hot for pci device
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 169/267] staging: gigaset: add endpoint-type sanity check Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 171/267] xhci: Increase STS_HALT timeout in xhci_suspend() Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Henry Lin, Mathias Nyman

From: Henry Lin <henryl@nvidia.com>

commit f2c710f7dca8457e88b4ac9de2060f011254f9dd upstream.

Xhci driver cannot call pci_set_power_state() on non-pci xhci host
controllers. For example, NVIDIA Tegra XHCI host controller which acts
as platform device with XHCI_SPURIOUS_WAKEUP quirk set in some platform
hits this issue during shutdown.

Cc: <stable@vger.kernel.org>
Fixes: 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell")
Signed-off-by: Henry Lin <henryl@nvidia.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20191211142007.8847-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-pci.c |   13 +++++++++++++
 drivers/usb/host/xhci.c     |    7 ++-----
 drivers/usb/host/xhci.h     |    1 +
 3 files changed, 16 insertions(+), 5 deletions(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -499,6 +499,18 @@ static int xhci_pci_resume(struct usb_hc
 }
 #endif /* CONFIG_PM */
 
+static void xhci_pci_shutdown(struct usb_hcd *hcd)
+{
+	struct xhci_hcd		*xhci = hcd_to_xhci(hcd);
+	struct pci_dev		*pdev = to_pci_dev(hcd->self.controller);
+
+	xhci_shutdown(hcd);
+
+	/* Yet another workaround for spurious wakeups at shutdown with HSW */
+	if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
+		pci_set_power_state(pdev, PCI_D3hot);
+}
+
 /*-------------------------------------------------------------------------*/
 
 /* PCI driver selection metadata; PCI hotplugging uses this */
@@ -534,6 +546,7 @@ static int __init xhci_pci_init(void)
 #ifdef CONFIG_PM
 	xhci_pci_hc_driver.pci_suspend = xhci_pci_suspend;
 	xhci_pci_hc_driver.pci_resume = xhci_pci_resume;
+	xhci_pci_hc_driver.shutdown = xhci_pci_shutdown;
 #endif
 	return pci_register_driver(&xhci_pci_driver);
 }
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -717,7 +717,7 @@ static void xhci_stop(struct usb_hcd *hc
  *
  * This will only ever be called with the main usb_hcd (the USB3 roothub).
  */
-static void xhci_shutdown(struct usb_hcd *hcd)
+void xhci_shutdown(struct usb_hcd *hcd)
 {
 	struct xhci_hcd *xhci = hcd_to_xhci(hcd);
 
@@ -736,11 +736,8 @@ static void xhci_shutdown(struct usb_hcd
 	xhci_dbg_trace(xhci, trace_xhci_dbg_init,
 			"xhci_shutdown completed - status = %x",
 			readl(&xhci->op_regs->status));
-
-	/* Yet another workaround for spurious wakeups at shutdown with HSW */
-	if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
-		pci_set_power_state(to_pci_dev(hcd->self.sysdev), PCI_D3hot);
 }
+EXPORT_SYMBOL_GPL(xhci_shutdown);
 
 #ifdef CONFIG_PM
 static void xhci_save_registers(struct xhci_hcd *xhci)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -2022,6 +2022,7 @@ int xhci_start(struct xhci_hcd *xhci);
 int xhci_reset(struct xhci_hcd *xhci);
 int xhci_run(struct usb_hcd *hcd);
 int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks);
+void xhci_shutdown(struct usb_hcd *hcd);
 void xhci_init_driver(struct hc_driver *drv,
 		      const struct xhci_driver_overrides *over);
 int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 171/267] xhci: Increase STS_HALT timeout in xhci_suspend()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 170/267] usb: xhci: only set D3hot for pci device Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 172/267] xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Mathias Nyman

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 7c67cf6658cec70d8a43229f2ce74ca1443dc95e upstream.

I've recently observed failed xHCI suspend attempt on AMD Raven Ridge
system:
kernel: xhci_hcd 0000:04:00.4: WARN: xHC CMD_RUN timeout
kernel: PM: suspend_common(): xhci_pci_suspend+0x0/0xd0 returns -110
kernel: PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -110
kernel: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x150 returns -110
kernel: PM: Device 0000:04:00.4 failed to suspend async: error -110

Similar to commit ac343366846a ("xhci: Increase STS_SAVE timeout in
xhci_suspend()") we also need to increase the HALT timeout to make it be
able to suspend again.

Cc: <stable@vger.kernel.org> # 5.2+
Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()")
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20191211142007.8847-5-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -908,7 +908,7 @@ static bool xhci_pending_portevent(struc
 int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup)
 {
 	int			rc = 0;
-	unsigned int		delay = XHCI_MAX_HALT_USEC;
+	unsigned int		delay = XHCI_MAX_HALT_USEC * 2;
 	struct usb_hcd		*hcd = xhci_to_hcd(xhci);
 	u32			command;
 	u32			res;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 172/267] xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour.
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 171/267] xhci: Increase STS_HALT timeout in xhci_suspend() Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 173/267] ARM: dts: pandora-common: define wl1251 as child node of mmc3 Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eli Billauer, Ard Biesheuvel, Mathias Nyman

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 7ff11162808cc2ec66353fc012c58bb449c892c3 upstream.

xhci driver claims it needs XHCI_TRUST_TX_LENGTH quirk for both
Broadcom/Cavium and a Renesas xHC controllers.

The quirk was inteded for handling false "success" complete event for
transfers that had data left untransferred.
These transfers should complete with "short packet" events instead.

In these two new cases the false "success" completion is reported
after a "short packet" if the TD consists of several TRBs.
xHCI specs 4.10.1.1.2 say remaining TRBs should report "short packet"
as well after the first short packet in a TD, but this issue seems so
common it doesn't make sense to add the quirk for all vendors.

Turn these events into short packets automatically instead.

This gets rid of the  "The WARN Successful completion on short TX for
slot 1 ep 1: needs XHCI_TRUST_TX_LENGTH quirk" warning in many cases.

Cc: <stable@vger.kernel.org>
Reported-by: Eli Billauer <eli.billauer@gmail.com>
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Eli Billauer <eli.billauer@gmail.com>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20191211142007.8847-6-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-ring.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2398,7 +2398,8 @@ static int handle_tx_event(struct xhci_h
 	case COMP_SUCCESS:
 		if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0)
 			break;
-		if (xhci->quirks & XHCI_TRUST_TX_LENGTH)
+		if (xhci->quirks & XHCI_TRUST_TX_LENGTH ||
+		    ep_ring->last_td_was_short)
 			trb_comp_code = COMP_SHORT_PACKET;
 		else
 			xhci_warn_ratelimited(xhci,



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 173/267] ARM: dts: pandora-common: define wl1251 as child node of mmc3
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 172/267] xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 174/267] iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Nikolaus Schaller, Tony Lindgren,
	Ulf Hansson

From: H. Nikolaus Schaller <hns@goldelico.com>

commit 4f9007d692017cef38baf2a9b82b7879d5b2407b upstream.

Since v4.7 the dma initialization requires that there is a
device tree property for "rx" and "tx" channels which is
not provided by the pdata-quirks initialization.

By conversion of the mmc3 setup to device tree this will
finally allows to remove the OpenPandora wlan specific omap3
data-quirks.

Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel")
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Cc: <stable@vger.kernel.org> # v4.7+
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/omap3-pandora-common.dtsi |   36 ++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/omap3-pandora-common.dtsi
+++ b/arch/arm/boot/dts/omap3-pandora-common.dtsi
@@ -221,6 +221,17 @@
 		gpio = <&gpio6 4 GPIO_ACTIVE_HIGH>;	/* GPIO_164 */
 	};
 
+	/* wl1251 wifi+bt module */
+	wlan_en: fixed-regulator-wg7210_en {
+		compatible = "regulator-fixed";
+		regulator-name = "vwlan";
+		regulator-min-microvolt = <1800000>;
+		regulator-max-microvolt = <1800000>;
+		startup-delay-us = <50000>;
+		enable-active-high;
+		gpio = <&gpio1 23 GPIO_ACTIVE_HIGH>;
+	};
+
 	/* wg7210 (wifi+bt module) 32k clock buffer */
 	wg7210_32k: fixed-regulator-wg7210_32k {
 		compatible = "regulator-fixed";
@@ -514,9 +525,30 @@
 	/*wp-gpios = <&gpio4 31 GPIO_ACTIVE_HIGH>;*/	/* GPIO_127 */
 };
 
-/* mmc3 is probed using pdata-quirks to pass wl1251 card data */
 &mmc3 {
-	status = "disabled";
+	vmmc-supply = <&wlan_en>;
+
+	bus-width = <4>;
+	non-removable;
+	ti,non-removable;
+	cap-power-off-card;
+
+	pinctrl-names = "default";
+	pinctrl-0 = <&mmc3_pins>;
+
+	#address-cells = <1>;
+	#size-cells = <0>;
+
+	wlan: wifi@1 {
+		compatible = "ti,wl1251";
+
+		reg = <1>;
+
+		interrupt-parent = <&gpio1>;
+		interrupts = <21 IRQ_TYPE_LEVEL_HIGH>;	/* GPIO_21 */
+
+		ti,wl1251-has-eeprom;
+	};
 };
 
 /* bluetooth*/



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 174/267] iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 173/267] ARM: dts: pandora-common: define wl1251 as child node of mmc3 Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 175/267] USB: atm: ueagle-atm: add missing endpoint check Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Lesiak, Matt Ranostay, Stable,
	Jonathan Cameron

From: Chris Lesiak <chris.lesiak@licor.com>

commit 342a6928bd5017edbdae376042d8ad6af3d3b943 upstream.

The IIO_HUMIDITYRELATIVE channel was being incorrectly reported back
as percent when it should have been milli percent. This is via an
incorrect scale value being returned to userspace.

Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/humidity/hdc100x.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/humidity/hdc100x.c
+++ b/drivers/iio/humidity/hdc100x.c
@@ -237,7 +237,7 @@ static int hdc100x_read_raw(struct iio_d
 			*val2 = 65536;
 			return IIO_VAL_FRACTIONAL;
 		} else {
-			*val = 100;
+			*val = 100000;
 			*val2 = 65536;
 			return IIO_VAL_FRACTIONAL;
 		}



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 175/267] USB: atm: ueagle-atm: add missing endpoint check
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 174/267] iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 176/267] USB: idmouse: fix interface sanity checks Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream.

Make sure that the interrupt interface has an endpoint before trying to
access its endpoint descriptors to avoid dereferencing a NULL pointer.

The driver binds to the interrupt interface with interface number 0, but
must not assume that this interface or its current alternate setting are
the first entries in the corresponding configuration arrays.

Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
Cc: stable <stable@vger.kernel.org>     # 2.6.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/atm/ueagle-atm.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -2167,10 +2167,11 @@ resubmit:
 /*
  * Start the modem : init the data and start kernel thread
  */
-static int uea_boot(struct uea_softc *sc)
+static int uea_boot(struct uea_softc *sc, struct usb_interface *intf)
 {
-	int ret, size;
 	struct intr_pkt *intr;
+	int ret = -ENOMEM;
+	int size;
 
 	uea_enters(INS_TO_USBDEV(sc));
 
@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc
 	if (UEA_CHIP_VERSION(sc) == ADI930)
 		load_XILINX_firmware(sc);
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+		ret = -ENODEV;
+		goto err0;
+	}
+
 	intr = kmalloc(size, GFP_KERNEL);
 	if (!intr)
 		goto err0;
@@ -2206,8 +2212,7 @@ static int uea_boot(struct uea_softc *sc
 	usb_fill_int_urb(sc->urb_int, sc->usb_dev,
 			 usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE),
 			 intr, size, uea_intr, sc,
-			 sc->usb_dev->actconfig->interface[0]->altsetting[0].
-			 endpoint[0].desc.bInterval);
+			 intf->cur_altsetting->endpoint[0].desc.bInterval);
 
 	ret = usb_submit_urb(sc->urb_int, GFP_KERNEL);
 	if (ret < 0) {
@@ -2222,6 +2227,7 @@ static int uea_boot(struct uea_softc *sc
 	sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm");
 	if (IS_ERR(sc->kthread)) {
 		uea_err(INS_TO_USBDEV(sc), "failed to create thread\n");
+		ret = PTR_ERR(sc->kthread);
 		goto err2;
 	}
 
@@ -2236,7 +2242,7 @@ err1:
 	kfree(intr);
 err0:
 	uea_leaves(INS_TO_USBDEV(sc));
-	return -ENOMEM;
+	return ret;
 }
 
 /*
@@ -2597,7 +2603,7 @@ static int uea_bind(struct usbatm_data *
 	if (ret < 0)
 		goto error;
 
-	ret = uea_boot(sc);
+	ret = uea_boot(sc, intf);
 	if (ret < 0)
 		goto error_rm_grp;
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 176/267] USB: idmouse: fix interface sanity checks
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 175/267] USB: atm: ueagle-atm: add missing endpoint check Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 177/267] USB: serial: io_edgeport: fix epic endpoint lookup Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 59920635b89d74b9207ea803d5e91498d39e8b69 upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/idmouse.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/misc/idmouse.c
+++ b/drivers/usb/misc/idmouse.c
@@ -341,7 +341,7 @@ static int idmouse_probe(struct usb_inte
 	int result;
 
 	/* check if we have gotten the data or the hid interface */
-	iface_desc = &interface->altsetting[0];
+	iface_desc = interface->cur_altsetting;
 	if (iface_desc->desc.bInterfaceClass != 0x0A)
 		return -ENODEV;
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 177/267] USB: serial: io_edgeport: fix epic endpoint lookup
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 176/267] USB: idmouse: fix interface sanity checks Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 178/267] USB: adutux: fix interface sanity check Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 7c5a2df3367a2c4984f1300261345817d95b71f8 upstream.

Make sure to use the current alternate setting when looking up the
endpoints on epic devices to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
Cc: stable <stable@vger.kernel.org>     # 2.6.21
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/io_edgeport.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2918,16 +2918,18 @@ static int edge_startup(struct usb_seria
 	response = 0;
 
 	if (edge_serial->is_epic) {
+		struct usb_host_interface *alt;
+
+		alt = serial->interface->cur_altsetting;
+
 		/* EPIC thing, set up our interrupt polling now and our read
 		 * urb, so that the device knows it really is connected. */
 		interrupt_in_found = bulk_in_found = bulk_out_found = false;
-		for (i = 0; i < serial->interface->altsetting[0]
-						.desc.bNumEndpoints; ++i) {
+		for (i = 0; i < alt->desc.bNumEndpoints; ++i) {
 			struct usb_endpoint_descriptor *endpoint;
 			int buffer_size;
 
-			endpoint = &serial->interface->altsetting[0].
-							endpoint[i].desc;
+			endpoint = &alt->endpoint[i].desc;
 			buffer_size = usb_endpoint_maxp(endpoint);
 			if (!interrupt_in_found &&
 			    (usb_endpoint_is_int_in(endpoint))) {



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 178/267] USB: adutux: fix interface sanity check
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 177/267] USB: serial: io_edgeport: fix epic endpoint lookup Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 179/267] usb: core: urb: fix URB structure initialization function Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 3c11c4bed02b202e278c0f5c319ae435d7fb9815 upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices")
Cc: stable <stable@vger.kernel.org>     # 2.6.19
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/adutux.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/misc/adutux.c
+++ b/drivers/usb/misc/adutux.c
@@ -671,7 +671,7 @@ static int adu_probe(struct usb_interfac
 	init_waitqueue_head(&dev->read_wait);
 	init_waitqueue_head(&dev->write_wait);
 
-	res = usb_find_common_endpoints_reverse(&interface->altsetting[0],
+	res = usb_find_common_endpoints_reverse(interface->cur_altsetting,
 			NULL, NULL,
 			&dev->interrupt_in_endpoint,
 			&dev->interrupt_out_endpoint);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 179/267] usb: core: urb: fix URB structure initialization function
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 178/267] USB: adutux: fix interface sanity check Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 180/267] usb: mon: Fix a deadlock in usbmon between mmap and read Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Emiliano Ingrassia

From: Emiliano Ingrassia <ingrassia@epigenesys.com>

commit 1cd17f7f0def31e3695501c4f86cd3faf8489840 upstream.

Explicitly initialize URB structure urb_list field in usb_init_urb().
This field can be potentially accessed uninitialized and its
initialization is coherent with the usage of list_del_init() in
usb_hcd_unlink_urb_from_ep() and usb_giveback_urb_bh() and its
explicit initialization in usb_hcd_submit_urb() error path.

Signed-off-by: Emiliano Ingrassia <ingrassia@epigenesys.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191127160355.GA27196@ingrassia.epigenesys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/urb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/core/urb.c
+++ b/drivers/usb/core/urb.c
@@ -45,6 +45,7 @@ void usb_init_urb(struct urb *urb)
 	if (urb) {
 		memset(urb, 0, sizeof(*urb));
 		kref_init(&urb->kref);
+		INIT_LIST_HEAD(&urb->urb_list);
 		INIT_LIST_HEAD(&urb->anchor_list);
 	}
 }



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 180/267] usb: mon: Fix a deadlock in usbmon between mmap and read
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 179/267] usb: core: urb: fix URB structure initialization function Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 181/267] tpm: add check after commands attribs tab allocation Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pete Zaitcev,
	syzbot+56f9673bb4cdcbeb0e92, Alan Stern

From: Pete Zaitcev <zaitcev@redhat.com>

commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream.

The problem arises because our read() function grabs a lock of the
circular buffer, finds something of interest, then invokes copy_to_user()
straight from the buffer, which in turn takes mm->mmap_sem. In the same
time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem.
It attempts to take the fetch lock and deadlocks.

This patch does away with protecting of our page list with any
semaphores, and instead relies on the kernel not close the device
while mmap is active in a process.

In addition, we prohibit re-sizing of a buffer while mmap is active.
This way, when (now unlocked) fault is processed, it works with the
page that is intended to be mapped-in, and not some other random page.
Note that this may have an ABI impact, but hopefully no legitimate
program is this wrong.

Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/mon/mon_bin.c |   32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -1038,12 +1038,18 @@ static long mon_bin_ioctl(struct file *f
 
 		mutex_lock(&rp->fetch_lock);
 		spin_lock_irqsave(&rp->b_lock, flags);
-		mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE);
-		kfree(rp->b_vec);
-		rp->b_vec  = vec;
-		rp->b_size = size;
-		rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0;
-		rp->cnt_lost = 0;
+		if (rp->mmap_active) {
+			mon_free_buff(vec, size/CHUNK_SIZE);
+			kfree(vec);
+			ret = -EBUSY;
+		} else {
+			mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE);
+			kfree(rp->b_vec);
+			rp->b_vec  = vec;
+			rp->b_size = size;
+			rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0;
+			rp->cnt_lost = 0;
+		}
 		spin_unlock_irqrestore(&rp->b_lock, flags);
 		mutex_unlock(&rp->fetch_lock);
 		}
@@ -1215,13 +1221,21 @@ mon_bin_poll(struct file *file, struct p
 static void mon_bin_vma_open(struct vm_area_struct *vma)
 {
 	struct mon_reader_bin *rp = vma->vm_private_data;
+	unsigned long flags;
+
+	spin_lock_irqsave(&rp->b_lock, flags);
 	rp->mmap_active++;
+	spin_unlock_irqrestore(&rp->b_lock, flags);
 }
 
 static void mon_bin_vma_close(struct vm_area_struct *vma)
 {
+	unsigned long flags;
+
 	struct mon_reader_bin *rp = vma->vm_private_data;
+	spin_lock_irqsave(&rp->b_lock, flags);
 	rp->mmap_active--;
+	spin_unlock_irqrestore(&rp->b_lock, flags);
 }
 
 /*
@@ -1233,16 +1247,12 @@ static int mon_bin_vma_fault(struct vm_f
 	unsigned long offset, chunk_idx;
 	struct page *pageptr;
 
-	mutex_lock(&rp->fetch_lock);
 	offset = vmf->pgoff << PAGE_SHIFT;
-	if (offset >= rp->b_size) {
-		mutex_unlock(&rp->fetch_lock);
+	if (offset >= rp->b_size)
 		return VM_FAULT_SIGBUS;
-	}
 	chunk_idx = offset / CHUNK_SIZE;
 	pageptr = rp->b_vec[chunk_idx].pg;
 	get_page(pageptr);
-	mutex_unlock(&rp->fetch_lock);
 	vmf->page = pageptr;
 	return 0;
 }



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 181/267] tpm: add check after commands attribs tab allocation
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 180/267] usb: mon: Fix a deadlock in usbmon between mmap and read Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 182/267] mtd: spear_smi: Fix Write Burst mode Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tadeusz Struk, Jerry Snitselaar,
	Jarkko Sakkinen

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit f1689114acc5e89a196fec6d732dae3e48edb6ad upstream.

devm_kcalloc() can fail and return NULL so we need to check for that.

Cc: stable@vger.kernel.org
Fixes: 58472f5cd4f6f ("tpm: validate TPM 2.0 commands")
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm2-cmd.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -1029,6 +1029,10 @@ static int tpm2_get_cc_attrs_tbl(struct
 
 	chip->cc_attrs_tbl = devm_kzalloc(&chip->dev, 4 * nr_commands,
 					  GFP_KERNEL);
+	if (!chip->cc_attrs_tbl) {
+		rc = -ENOMEM;
+		goto out;
+	}
 
 	rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
 	if (rc)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 182/267] mtd: spear_smi: Fix Write Burst mode
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 181/267] tpm: add check after commands attribs tab allocation Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 183/267] virtio-balloon: fix managed page counts when migrating pages between zones Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Boris Brezillon,
	Miquel Raynal, Russell King

From: Miquel Raynal <miquel.raynal@bootlin.com>

commit 69c7f4618c16b4678f8a4949b6bb5ace259c0033 upstream.

Any write with either dd or flashcp to a device driven by the
spear_smi.c driver will pass through the spear_smi_cpy_toio()
function. This function will get called for chunks of up to 256 bytes.
If the amount of data is smaller, we may have a problem if the data
length is not 4-byte aligned. In this situation, the kernel panics
during the memcpy:

    # dd if=/dev/urandom bs=1001 count=1 of=/dev/mtd6
    spear_smi_cpy_toio [620] dest c9070000, src c7be8800, len 256
    spear_smi_cpy_toio [620] dest c9070100, src c7be8900, len 256
    spear_smi_cpy_toio [620] dest c9070200, src c7be8a00, len 256
    spear_smi_cpy_toio [620] dest c9070300, src c7be8b00, len 233
    Unhandled fault: external abort on non-linefetch (0x808) at 0xc90703e8
    [...]
    PC is at memcpy+0xcc/0x330

The above error occurs because the implementation of memcpy_toio()
tries to optimize the number of I/O by writing 4 bytes at a time as
much as possible, until there are less than 4 bytes left and then
switches to word or byte writes.

Unfortunately, the specification states about the Write Burst mode:

        "the next AHB Write request should point to the next
	incremented address and should have the same size (byte,
	half-word or word)"

This means ARM architecture implementation of memcpy_toio() cannot
reliably be used blindly here. Workaround this situation by update the
write path to stick to byte access when the burst length is not
multiple of 4.

Fixes: f18dbbb1bfe0 ("mtd: ST SPEAr: Add SMI driver for serial NOR flash")
Cc: Russell King <linux@armlinux.org.uk>
Cc: Boris Brezillon <boris.brezillon@collabora.com>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/devices/spear_smi.c |   38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

--- a/drivers/mtd/devices/spear_smi.c
+++ b/drivers/mtd/devices/spear_smi.c
@@ -595,6 +595,26 @@ static int spear_mtd_read(struct mtd_inf
 	return 0;
 }
 
+/*
+ * The purpose of this function is to ensure a memcpy_toio() with byte writes
+ * only. Its structure is inspired from the ARM implementation of _memcpy_toio()
+ * which also does single byte writes but cannot be used here as this is just an
+ * implementation detail and not part of the API. Not mentioning the comment
+ * stating that _memcpy_toio() should be optimized.
+ */
+static void spear_smi_memcpy_toio_b(volatile void __iomem *dest,
+				    const void *src, size_t len)
+{
+	const unsigned char *from = src;
+
+	while (len) {
+		len--;
+		writeb(*from, dest);
+		from++;
+		dest++;
+	}
+}
+
 static inline int spear_smi_cpy_toio(struct spear_smi *dev, u32 bank,
 		void __iomem *dest, const void *src, size_t len)
 {
@@ -617,7 +637,23 @@ static inline int spear_smi_cpy_toio(str
 	ctrlreg1 = readl(dev->io_base + SMI_CR1);
 	writel((ctrlreg1 | WB_MODE) & ~SW_MODE, dev->io_base + SMI_CR1);
 
-	memcpy_toio(dest, src, len);
+	/*
+	 * In Write Burst mode (WB_MODE), the specs states that writes must be:
+	 * - incremental
+	 * - of the same size
+	 * The ARM implementation of memcpy_toio() will optimize the number of
+	 * I/O by using as much 4-byte writes as possible, surrounded by
+	 * 2-byte/1-byte access if:
+	 * - the destination is not 4-byte aligned
+	 * - the length is not a multiple of 4-byte.
+	 * Avoid this alternance of write access size by using our own 'byte
+	 * access' helper if at least one of the two conditions above is true.
+	 */
+	if (IS_ALIGNED(len, sizeof(u32)) &&
+	    IS_ALIGNED((uintptr_t)dest, sizeof(u32)))
+		memcpy_toio(dest, src, len);
+	else
+		spear_smi_memcpy_toio_b(dest, src, len);
 
 	writel(ctrlreg1, dev->io_base + SMI_CR1);
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 183/267] virtio-balloon: fix managed page counts when migrating pages between zones
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 182/267] mtd: spear_smi: Fix Write Burst mode Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 184/267] usb: dwc3: ep0: Clear started flag on completion Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yumei Huang, Michael S. Tsirkin,
	Jason Wang, Jiang Liu, Andrew Morton, Igor Mammedov,
	virtualization, David Hildenbrand

From: David Hildenbrand <david@redhat.com>

commit 63341ab03706e11a31e3dd8ccc0fbc9beaf723f0 upstream.

In case we have to migrate a ballon page to a newpage of another zone, the
managed page count of both zones is wrong. Paired with memory offlining
(which will adjust the managed page count), we can trigger kernel crashes
and all kinds of different symptoms.

One way to reproduce:
1. Start a QEMU guest with 4GB, no NUMA
2. Hotplug a 1GB DIMM and online the memory to ZONE_NORMAL
3. Inflate the balloon to 1GB
4. Unplug the DIMM (be quick, otherwise unmovable data ends up on it)
5. Observe /proc/zoneinfo
  Node 0, zone   Normal
    pages free     16810
          min      24848885473806
          low      18471592959183339
          high     36918337032892872
          spanned  262144
          present  262144
          managed  18446744073709533486
6. Do anything that requires some memory (e.g., inflate the balloon some
more). The OOM goes crazy and the system crashes
  [  238.324946] Out of memory: Killed process 537 (login) total-vm:27584kB, anon-rss:860kB, file-rss:0kB, shmem-rss:00
  [  238.338585] systemd invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
  [  238.339420] CPU: 0 PID: 1 Comm: systemd Tainted: G      D W         5.4.0-next-20191204+ #75
  [  238.340139] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu4
  [  238.341121] Call Trace:
  [  238.341337]  dump_stack+0x8f/0xd0
  [  238.341630]  dump_header+0x61/0x5ea
  [  238.341942]  oom_kill_process.cold+0xb/0x10
  [  238.342299]  out_of_memory+0x24d/0x5a0
  [  238.342625]  __alloc_pages_slowpath+0xd12/0x1020
  [  238.343024]  __alloc_pages_nodemask+0x391/0x410
  [  238.343407]  pagecache_get_page+0xc3/0x3a0
  [  238.343757]  filemap_fault+0x804/0xc30
  [  238.344083]  ? ext4_filemap_fault+0x28/0x42
  [  238.344444]  ext4_filemap_fault+0x30/0x42
  [  238.344789]  __do_fault+0x37/0x1a0
  [  238.345087]  __handle_mm_fault+0x104d/0x1ab0
  [  238.345450]  handle_mm_fault+0x169/0x360
  [  238.345790]  do_user_addr_fault+0x20d/0x490
  [  238.346154]  do_page_fault+0x31/0x210
  [  238.346468]  async_page_fault+0x43/0x50
  [  238.346797] RIP: 0033:0x7f47eba4197e
  [  238.347110] Code: Bad RIP value.
  [  238.347387] RSP: 002b:00007ffd7c0c1890 EFLAGS: 00010293
  [  238.347834] RAX: 0000000000000002 RBX: 000055d196a20a20 RCX: 00007f47eba4197e
  [  238.348437] RDX: 0000000000000033 RSI: 00007ffd7c0c18c0 RDI: 0000000000000004
  [  238.349047] RBP: 00007ffd7c0c1c20 R08: 0000000000000000 R09: 0000000000000033
  [  238.349660] R10: 00000000ffffffff R11: 0000000000000293 R12: 0000000000000001
  [  238.350261] R13: ffffffffffffffff R14: 0000000000000000 R15: 00007ffd7c0c18c0
  [  238.350878] Mem-Info:
  [  238.351085] active_anon:3121 inactive_anon:51 isolated_anon:0
  [  238.351085]  active_file:12 inactive_file:7 isolated_file:0
  [  238.351085]  unevictable:0 dirty:0 writeback:0 unstable:0
  [  238.351085]  slab_reclaimable:5565 slab_unreclaimable:10170
  [  238.351085]  mapped:3 shmem:111 pagetables:155 bounce:0
  [  238.351085]  free:720717 free_pcp:2 free_cma:0
  [  238.353757] Node 0 active_anon:12484kB inactive_anon:204kB active_file:48kB inactive_file:28kB unevictable:0kB iss
  [  238.355979] Node 0 DMA free:11556kB min:36kB low:48kB high:60kB reserved_highatomic:0KB active_anon:152kB inactivB
  [  238.358345] lowmem_reserve[]: 0 2955 2884 2884 2884
  [  238.358761] Node 0 DMA32 free:2677864kB min:7004kB low:10028kB high:13052kB reserved_highatomic:0KB active_anon:0B
  [  238.361202] lowmem_reserve[]: 0 0 72057594037927865 72057594037927865 72057594037927865
  [  238.361888] Node 0 Normal free:193448kB min:99395541895224kB low:73886371836733356kB high:147673348131571488kB reB
  [  238.364765] lowmem_reserve[]: 0 0 0 0 0
  [  238.365101] Node 0 DMA: 7*4kB (U) 5*8kB (UE) 6*16kB (UME) 2*32kB (UM) 1*64kB (U) 2*128kB (UE) 3*256kB (UME) 2*512B
  [  238.366379] Node 0 DMA32: 0*4kB 1*8kB (U) 2*16kB (UM) 2*32kB (UM) 2*64kB (UM) 1*128kB (U) 1*256kB (U) 1*512kB (U)B
  [  238.367654] Node 0 Normal: 1985*4kB (UME) 1321*8kB (UME) 844*16kB (UME) 524*32kB (UME) 300*64kB (UME) 138*128kB (B
  [  238.369184] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
  [  238.369915] 130 total pagecache pages
  [  238.370241] 0 pages in swap cache
  [  238.370533] Swap cache stats: add 0, delete 0, find 0/0
  [  238.370981] Free swap  = 0kB
  [  238.371239] Total swap = 0kB
  [  238.371488] 1048445 pages RAM
  [  238.371756] 0 pages HighMem/MovableOnly
  [  238.372090] 306992 pages reserved
  [  238.372376] 0 pages cma reserved
  [  238.372661] 0 pages hwpoisoned

In another instance (older kernel), I was able to observe this
(negative page count :/):
  [  180.896971] Offlined Pages 32768
  [  182.667462] Offlined Pages 32768
  [  184.408117] Offlined Pages 32768
  [  186.026321] Offlined Pages 32768
  [  187.684861] Offlined Pages 32768
  [  189.227013] Offlined Pages 32768
  [  190.830303] Offlined Pages 32768
  [  190.833071] Built 1 zonelists, mobility grouping on.  Total pages: -36920272750453009

In another instance (older kernel), I was no longer able to start any
process:
  [root@vm ~]# [  214.348068] Offlined Pages 32768
  [  215.973009] Offlined Pages 32768
  cat /proc/meminfo
  -bash: fork: Cannot allocate memory
  [root@vm ~]# cat /proc/meminfo
  -bash: fork: Cannot allocate memory

Fix it by properly adjusting the managed page count when migrating if
the zone changed. The managed page count of the zones now looks after
unplug of the DIMM (and after deflating the balloon) just like before
inflating the balloon (and plugging+onlining the DIMM).

We'll temporarily modify the totalram page count. If this ever becomes a
problem, we can fine tune by providing helpers that don't touch
the totalram pages (e.g., adjust_zone_managed_page_count()).

Please note that fixing up the managed page count is only necessary when
we adjusted the managed page count when inflating - only if we
don't have VIRTIO_BALLOON_F_DEFLATE_ON_OOM. With that feature, the
managed page count is not touched when inflating/deflating.

Reported-by: Yumei Huang <yuhuang@redhat.com>
Fixes: 3dcc0571cd64 ("mm: correctly update zone->managed_pages")
Cc: <stable@vger.kernel.org> # v3.11+
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Jiang Liu <liuj97@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: virtualization@lists.linux-foundation.org
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/virtio/virtio_balloon.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -492,6 +492,17 @@ static int virtballoon_migratepage(struc
 
 	get_page(newpage); /* balloon reference */
 
+	/*
+	  * When we migrate a page to a different zone and adjusted the
+	  * managed page count when inflating, we have to fixup the count of
+	  * both involved zones.
+	  */
+	if (!virtio_has_feature(vb->vdev, VIRTIO_BALLOON_F_DEFLATE_ON_OOM) &&
+	    page_zone(page) != page_zone(newpage)) {
+		adjust_managed_page_count(page, 1);
+		adjust_managed_page_count(newpage, -1);
+	}
+
 	/* balloon's page migration 1st step  -- inflate "newpage" */
 	spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
 	balloon_page_insert(vb_dev_info, newpage);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 184/267] usb: dwc3: ep0: Clear started flag on completion
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 183/267] virtio-balloon: fix managed page counts when migrating pages between zones Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 185/267] btrfs: check page->mapping when loading free space cache Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thinh Nguyen, Felipe Balbi

From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>

commit 2d7b78f59e020b07fc6338eefe286f54ee2d6773 upstream.

Clear ep0's DWC3_EP_TRANSFER_STARTED flag if the END_TRANSFER command is
completed. Otherwise, we can't start control transfer again after
END_TRANSFER.

Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/dwc3/ep0.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -1147,6 +1147,9 @@ static void dwc3_ep0_xfernotready(struct
 void dwc3_ep0_interrupt(struct dwc3 *dwc,
 		const struct dwc3_event_depevt *event)
 {
+	struct dwc3_ep	*dep = dwc->eps[event->endpoint_number];
+	u8		cmd;
+
 	switch (event->endpoint_event) {
 	case DWC3_DEPEVT_XFERCOMPLETE:
 		dwc3_ep0_xfer_complete(dwc, event);
@@ -1159,7 +1162,12 @@ void dwc3_ep0_interrupt(struct dwc3 *dwc
 	case DWC3_DEPEVT_XFERINPROGRESS:
 	case DWC3_DEPEVT_RXTXFIFOEVT:
 	case DWC3_DEPEVT_STREAMEVT:
+		break;
 	case DWC3_DEPEVT_EPCMDCMPLT:
+		cmd = DEPEVT_PARAMETER_CMD(event->parameters);
+
+		if (cmd == DWC3_DEPCMD_ENDTRANSFER)
+			dep->flags &= ~DWC3_EP_TRANSFER_STARTED;
 		break;
 	}
 }



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 185/267] btrfs: check page->mapping when loading free space cache
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 184/267] usb: dwc3: ep0: Clear started flag on completion Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 186/267] btrfs: use refcount_inc_not_zero in kill_all_nodes Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Filipe Manana, Nikolay Borisov,
	Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit 3797136b626ad4b6582223660c041efdea8f26b2 upstream.

While testing 5.2 we ran into the following panic

[52238.017028] BUG: kernel NULL pointer dereference, address: 0000000000000001
[52238.105608] RIP: 0010:drop_buffers+0x3d/0x150
[52238.304051] Call Trace:
[52238.308958]  try_to_free_buffers+0x15b/0x1b0
[52238.317503]  shrink_page_list+0x1164/0x1780
[52238.325877]  shrink_inactive_list+0x18f/0x3b0
[52238.334596]  shrink_node_memcg+0x23e/0x7d0
[52238.342790]  ? do_shrink_slab+0x4f/0x290
[52238.350648]  shrink_node+0xce/0x4a0
[52238.357628]  balance_pgdat+0x2c7/0x510
[52238.365135]  kswapd+0x216/0x3e0
[52238.371425]  ? wait_woken+0x80/0x80
[52238.378412]  ? balance_pgdat+0x510/0x510
[52238.386265]  kthread+0x111/0x130
[52238.392727]  ? kthread_create_on_node+0x60/0x60
[52238.401782]  ret_from_fork+0x1f/0x30

The page we were trying to drop had a page->private, but had no
page->mapping and so called drop_buffers, assuming that we had a
buffer_head on the page, and then panic'ed trying to deref 1, which is
our page->private for data pages.

This is happening because we're truncating the free space cache while
we're trying to load the free space cache.  This isn't supposed to
happen, and I'll fix that in a followup patch.  However we still
shouldn't allow those sort of mistakes to result in messing with pages
that do not belong to us.  So add the page->mapping check to verify that
we still own this page after dropping and re-acquiring the page lock.

This page being unlocked as:
btrfs_readpage
  extent_read_full_page
    __extent_read_full_page
      __do_readpage
        if (!nr)
	   unlock_page  <-- nr can be 0 only if submit_extent_page
			    returns an error

CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
[ add callchain ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/free-space-cache.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -398,6 +398,12 @@ static int io_ctl_prepare_pages(struct b
 		if (uptodate && !PageUptodate(page)) {
 			btrfs_readpage(NULL, page);
 			lock_page(page);
+			if (page->mapping != inode->i_mapping) {
+				btrfs_err(BTRFS_I(inode)->root->fs_info,
+					  "free space cache page truncated");
+				io_ctl_drop_pages(io_ctl);
+				return -EIO;
+			}
 			if (!PageUptodate(page)) {
 				btrfs_err(BTRFS_I(inode)->root->fs_info,
 					   "error reading free space cache");



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 186/267] btrfs: use refcount_inc_not_zero in kill_all_nodes
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 185/267] btrfs: check page->mapping when loading free space cache Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 187/267] Btrfs: fix negative subv_writers counter and data space leak after buffered write Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit baf320b9d531f1cfbf64c60dd155ff80a58b3796 upstream.

We hit the following warning while running down a different problem

[ 6197.175850] ------------[ cut here ]------------
[ 6197.185082] refcount_t: underflow; use-after-free.
[ 6197.194704] WARNING: CPU: 47 PID: 966 at lib/refcount.c:190 refcount_sub_and_test_checked+0x53/0x60
[ 6197.521792] Call Trace:
[ 6197.526687]  __btrfs_release_delayed_node+0x76/0x1c0
[ 6197.536615]  btrfs_kill_all_delayed_nodes+0xec/0x130
[ 6197.546532]  ? __btrfs_btree_balance_dirty+0x60/0x60
[ 6197.556482]  btrfs_clean_one_deleted_snapshot+0x71/0xd0
[ 6197.566910]  cleaner_kthread+0xfa/0x120
[ 6197.574573]  kthread+0x111/0x130
[ 6197.581022]  ? kthread_create_on_node+0x60/0x60
[ 6197.590086]  ret_from_fork+0x1f/0x30
[ 6197.597228] ---[ end trace 424bb7ae00509f56 ]---

This is because the free side drops the ref without the lock, and then
takes the lock if our refcount is 0.  So you can have nodes on the tree
that have a refcount of 0.  Fix this by zero'ing out that element in our
temporary array so we don't try to kill it again.

CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add comment ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/delayed-inode.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1975,12 +1975,19 @@ void btrfs_kill_all_delayed_nodes(struct
 		}
 
 		inode_id = delayed_nodes[n - 1]->inode_id + 1;
-
-		for (i = 0; i < n; i++)
-			refcount_inc(&delayed_nodes[i]->refs);
+		for (i = 0; i < n; i++) {
+			/*
+			 * Don't increase refs in case the node is dead and
+			 * about to be removed from the tree in the loop below
+			 */
+			if (!refcount_inc_not_zero(&delayed_nodes[i]->refs))
+				delayed_nodes[i] = NULL;
+		}
 		spin_unlock(&root->inode_lock);
 
 		for (i = 0; i < n; i++) {
+			if (!delayed_nodes[i])
+				continue;
 			__btrfs_kill_delayed_node(delayed_nodes[i]);
 			btrfs_release_delayed_node(delayed_nodes[i]);
 		}



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 187/267] Btrfs: fix negative subv_writers counter and data space leak after buffered write
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 186/267] btrfs: use refcount_inc_not_zero in kill_all_nodes Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 188/267] btrfs: Remove btrfs_bio::flags member Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit a0e248bb502d5165b3314ac3819e888fdcdf7d9f upstream.

When doing a buffered write it's possible to leave the subv_writers
counter of the root, used for synchronization between buffered nocow
writers and snapshotting. This happens in an exceptional case like the
following:

1) We fail to allocate data space for the write, since there's not
   enough available data space nor enough unallocated space for allocating
   a new data block group;

2) Because of that failure, we try to go to NOCOW mode, which succeeds
   and therefore we set the local variable 'only_release_metadata' to true
   and set the root's sub_writers counter to 1 through the call to
   btrfs_start_write_no_snapshotting() made by check_can_nocow();

3) The call to btrfs_copy_from_user() returns zero, which is very unlikely
   to happen but not impossible;

4) No pages are copied because btrfs_copy_from_user() returned zero;

5) We call btrfs_end_write_no_snapshotting() which decrements the root's
   subv_writers counter to 0;

6) We don't set 'only_release_metadata' back to 'false' because we do
   it only if 'copied', the value returned by btrfs_copy_from_user(), is
   greater than zero;

7) On the next iteration of the while loop, which processes the same
   page range, we are now able to allocate data space for the write (we
   got enough data space released in the meanwhile);

8) After this if we fail at btrfs_delalloc_reserve_metadata(), because
   now there isn't enough free metadata space, or in some other place
   further below (prepare_pages(), lock_and_cleanup_extent_if_need(),
   btrfs_dirty_pages()), we break out of the while loop with
   'only_release_metadata' having a value of 'true';

9) Because 'only_release_metadata' is 'true' we end up decrementing the
   root's subv_writers counter to -1 (through a call to
   btrfs_end_write_no_snapshotting()), and we also end up not releasing the
   data space previously reserved through btrfs_check_data_free_space().
   As a consequence the mechanism for synchronizing NOCOW buffered writes
   with snapshotting gets broken.

Fix this by always setting 'only_release_metadata' to false at the start
of each iteration.

Fixes: 8257b2dc3c1a ("Btrfs: introduce btrfs_{start, end}_nocow_write() for each subvolume")
Fixes: 7ee9e4405f26 ("Btrfs: check if we can nocow if we don't have data space")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/file.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1625,6 +1625,7 @@ static noinline ssize_t __btrfs_buffered
 			break;
 		}
 
+		only_release_metadata = false;
 		sector_offset = pos & (fs_info->sectorsize - 1);
 		reserve_bytes = round_up(write_bytes + sector_offset,
 				fs_info->sectorsize);
@@ -1778,7 +1779,6 @@ again:
 			set_extent_bit(&BTRFS_I(inode)->io_tree, lockstart,
 				       lockend, EXTENT_NORESERVE, NULL,
 				       NULL, GFP_NOFS);
-			only_release_metadata = false;
 		}
 
 		btrfs_drop_pages(pages, num_pages);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 188/267] btrfs: Remove btrfs_bio::flags member
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 187/267] Btrfs: fix negative subv_writers counter and data space leak after buffered write Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 189/267] Btrfs: send, skip backreference walking for extents with many references Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Qu Wenruo, David Sterba

From: Qu Wenruo <wqu@suse.com>

commit 34b127aecd4fe8e6a3903e10f204a7b7ffddca22 upstream.

The last user of btrfs_bio::flags was removed in commit 326e1dbb5736
("block: remove management of bi_remaining when restoring original
bi_end_io"), remove it.

(Tagged for stable as the structure is heavily used and space savings
are desirable.)

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/volumes.h |    1 -
 1 file changed, 1 deletion(-)

--- a/fs/btrfs/volumes.h
+++ b/fs/btrfs/volumes.h
@@ -317,7 +317,6 @@ struct btrfs_bio {
 	u64 map_type; /* get from map_lookup->type */
 	bio_end_io_t *end_io;
 	struct bio *orig_bio;
-	unsigned long flags;
 	void *private;
 	atomic_t error;
 	int max_errors;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 189/267] Btrfs: send, skip backreference walking for extents with many references
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 188/267] btrfs: Remove btrfs_bio::flags member Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 190/267] btrfs: record all roots for rename exchange on a subvol Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Atemu, Qu Wenruo, Filipe Manana,
	David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit fd0ddbe2509568b00df364156f47561e9f469f15 upstream.

Backreference walking, which is used by send to figure if it can issue
clone operations instead of write operations, can be very slow and use
too much memory when extents have many references. This change simply
skips backreference walking when an extent has more than 64 references,
in which case we fallback to a write operation instead of a clone
operation. This limit is conservative and in practice I observed no
signicant slowdown with up to 100 references and still low memory usage
up to that limit.

This is a temporary workaround until there are speedups in the backref
walking code, and as such it does not attempt to add extra interfaces or
knobs to tweak the threshold.

Reported-by: Atemu <atemu.main@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAE4GHgkvqVADtS4AzcQJxo0Q1jKQgKaW3JGp3SGdoinVo=C9eQ@mail.gmail.com/T/#me55dc0987f9cc2acaa54372ce0492c65782be3fa
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/send.c |   25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -37,6 +37,14 @@
 #include "compression.h"
 
 /*
+ * Maximum number of references an extent can have in order for us to attempt to
+ * issue clone operations instead of write operations. This currently exists to
+ * avoid hitting limitations of the backreference walking code (taking a lot of
+ * time and using too much memory for extents with large number of references).
+ */
+#define SEND_MAX_EXTENT_REFS	64
+
+/*
  * A fs_path is a helper to dynamically build path names with unknown size.
  * It reallocates the internal buffer on demand.
  * It allows fast adding of path elements on the right side (normal path) and
@@ -1324,6 +1332,7 @@ static int find_extent_clone(struct send
 	struct clone_root *cur_clone_root;
 	struct btrfs_key found_key;
 	struct btrfs_path *tmp_path;
+	struct btrfs_extent_item *ei;
 	int compressed;
 	u32 i;
 
@@ -1373,7 +1382,6 @@ static int find_extent_clone(struct send
 	ret = extent_from_logical(fs_info, disk_byte, tmp_path,
 				  &found_key, &flags);
 	up_read(&fs_info->commit_root_sem);
-	btrfs_release_path(tmp_path);
 
 	if (ret < 0)
 		goto out;
@@ -1382,6 +1390,21 @@ static int find_extent_clone(struct send
 		goto out;
 	}
 
+	ei = btrfs_item_ptr(tmp_path->nodes[0], tmp_path->slots[0],
+			    struct btrfs_extent_item);
+	/*
+	 * Backreference walking (iterate_extent_inodes() below) is currently
+	 * too expensive when an extent has a large number of references, both
+	 * in time spent and used memory. So for now just fallback to write
+	 * operations instead of clone operations when an extent has more than
+	 * a certain amount of references.
+	 */
+	if (btrfs_extent_refs(tmp_path->nodes[0], ei) > SEND_MAX_EXTENT_REFS) {
+		ret = -ENOENT;
+		goto out;
+	}
+	btrfs_release_path(tmp_path);
+
 	/*
 	 * Setup the clone roots.
 	 */



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 190/267] btrfs: record all roots for rename exchange on a subvol
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 189/267] Btrfs: send, skip backreference walking for extents with many references Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 191/267] rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Filipe Manana, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit 3e1740993e43116b3bc71b0aad1e6872f6ccf341 upstream.

Testing with the new fsstress support for subvolumes uncovered a pretty
bad problem with rename exchange on subvolumes.  We're modifying two
different subvolumes, but we only start the transaction on one of them,
so the other one is not added to the dirty root list.  This is caught by
btrfs_cow_block() with a warning because the root has not been updated,
however if we do not modify this root again we'll end up pointing at an
invalid root because the root item is never updated.

Fix this by making sure we add the destination root to the trans list,
the same as we do with normal renames.  This fixes the corruption.

Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT")
CC: stable@vger.kernel.org # 4.9+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -9839,6 +9839,9 @@ static int btrfs_rename_exchange(struct
 		goto out_notrans;
 	}
 
+	if (dest != root)
+		btrfs_record_root_in_trans(trans, dest);
+
 	/*
 	 * We need to find a free sequence number both in the source and
 	 * in the destination directory for the exchange.



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 191/267] rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 190/267] btrfs: record all roots for rename exchange on a subvol Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 192/267] rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Larry Finger, Kalle Valo

From: Larry Finger <Larry.Finger@lwfinger.net>

commit 0e531cc575c4e9e3dd52ad287b49d3c2dc74c810 upstream.

In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for
new drivers"), a callback to get the RX buffer address was added to
the PCI driver. Unfortunately, driver rtl8192de was not modified
appropriately and the code runs into a WARN_ONCE() call. The use
of an incorrect array is also fixed.

Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
Cc: Stable <stable@vger.kernel.org> # 3.18+
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
@@ -839,13 +839,15 @@ u32 rtl92de_get_desc(u8 *p_desc, bool is
 			break;
 		}
 	} else {
-		struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc;
 		switch (desc_name) {
 		case HW_DESC_OWN:
-			ret = GET_RX_DESC_OWN(pdesc);
+			ret = GET_RX_DESC_OWN(p_desc);
 			break;
 		case HW_DESC_RXPKT_LEN:
-			ret = GET_RX_DESC_PKT_LEN(pdesc);
+			ret = GET_RX_DESC_PKT_LEN(p_desc);
+			break;
+		case HW_DESC_RXBUFF_ADDR:
+			ret = GET_RX_DESC_BUFF_ADDR(p_desc);
 			break;
 		default:
 			WARN_ONCE(true, "rtl8192de: ERR rxdesc :%d not processed\n",



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 192/267] rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 191/267] rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 193/267] rtlwifi: rtl8192de: Fix missing enable interrupt flag Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Larry Finger, Kalle Valo

From: Larry Finger <Larry.Finger@lwfinger.net>

commit 3155db7613edea8fb943624062baf1e4f9cfbfd6 upstream.

In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for
new drivers"), a callback needed to check if the hardware has released
a buffer indicating that a DMA operation is completed was not added.

Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
Cc: Stable <stable@vger.kernel.org>	# v3.18+
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/sw.c  |    1 +
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c |   17 +++++++++++++++++
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.h |    2 ++
 3 files changed, 20 insertions(+)

--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/sw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/sw.c
@@ -237,6 +237,7 @@ static struct rtl_hal_ops rtl8192de_hal_
 	.led_control = rtl92de_led_control,
 	.set_desc = rtl92de_set_desc,
 	.get_desc = rtl92de_get_desc,
+	.is_tx_desc_closed = rtl92de_is_tx_desc_closed,
 	.tx_polling = rtl92de_tx_polling,
 	.enable_hw_sec = rtl92de_enable_hw_security_config,
 	.set_key = rtl92de_set_key,
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
@@ -858,6 +858,23 @@ u32 rtl92de_get_desc(u8 *p_desc, bool is
 	return ret;
 }
 
+bool rtl92de_is_tx_desc_closed(struct ieee80211_hw *hw,
+			       u8 hw_queue, u16 index)
+{
+	struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
+	struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[hw_queue];
+	u8 *entry = (u8 *)(&ring->desc[ring->idx]);
+	u8 own = (u8)rtl92de_get_desc(entry, true, HW_DESC_OWN);
+
+	/* a beacon packet will only use the first
+	 * descriptor by defaut, and the own bit may not
+	 * be cleared by the hardware
+	 */
+	if (own)
+		return false;
+	return true;
+}
+
 void rtl92de_tx_polling(struct ieee80211_hw *hw, u8 hw_queue)
 {
 	struct rtl_priv *rtlpriv = rtl_priv(hw);
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.h
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.h
@@ -736,6 +736,8 @@ bool rtl92de_rx_query_desc(struct ieee80
 void rtl92de_set_desc(struct ieee80211_hw *hw, u8 *pdesc, bool istx,
 		      u8 desc_name, u8 *val);
 u32 rtl92de_get_desc(u8 *pdesc, bool istx, u8 desc_name);
+bool rtl92de_is_tx_desc_closed(struct ieee80211_hw *hw,
+			       u8 hw_queue, u16 index);
 void rtl92de_tx_polling(struct ieee80211_hw *hw, u8 hw_queue);
 void rtl92de_tx_fill_cmddesc(struct ieee80211_hw *hw, u8 *pdesc,
 			     bool b_firstseg, bool b_lastseg,



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 193/267] rtlwifi: rtl8192de: Fix missing enable interrupt flag
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 192/267] rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 194/267] lib: raid6: fix awk build warnings Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Larry Finger, Kalle Valo

From: Larry Finger <Larry.Finger@lwfinger.net>

commit 330bb7117101099c687e9c7f13d48068670b9c62 upstream.

In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for
new drivers"), the flag that indicates that interrupts are enabled was
never set.

In addition, there are several places when enable/disable interrupts
were commented out are restored. A sychronize_interrupts() call is
removed.

Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
Cc: Stable <stable@vger.kernel.org>	# v3.18+
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/hw.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/hw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/hw.c
@@ -1198,6 +1198,7 @@ void rtl92de_enable_interrupt(struct iee
 
 	rtl_write_dword(rtlpriv, REG_HIMR, rtlpci->irq_mask[0] & 0xFFFFFFFF);
 	rtl_write_dword(rtlpriv, REG_HIMRE, rtlpci->irq_mask[1] & 0xFFFFFFFF);
+	rtlpci->irq_enabled = true;
 }
 
 void rtl92de_disable_interrupt(struct ieee80211_hw *hw)
@@ -1207,7 +1208,7 @@ void rtl92de_disable_interrupt(struct ie
 
 	rtl_write_dword(rtlpriv, REG_HIMR, IMR8190_DISABLED);
 	rtl_write_dword(rtlpriv, REG_HIMRE, IMR8190_DISABLED);
-	synchronize_irq(rtlpci->pdev->irq);
+	rtlpci->irq_enabled = false;
 }
 
 static void _rtl92de_poweroff_adapter(struct ieee80211_hw *hw)
@@ -1378,7 +1379,7 @@ void rtl92de_set_beacon_related_register
 
 	bcn_interval = mac->beacon_interval;
 	atim_window = 2;
-	/*rtl92de_disable_interrupt(hw);  */
+	rtl92de_disable_interrupt(hw);
 	rtl_write_word(rtlpriv, REG_ATIMWND, atim_window);
 	rtl_write_word(rtlpriv, REG_BCN_INTERVAL, bcn_interval);
 	rtl_write_word(rtlpriv, REG_BCNTCFG, 0x660f);
@@ -1398,9 +1399,9 @@ void rtl92de_set_beacon_interval(struct
 
 	RT_TRACE(rtlpriv, COMP_BEACON, DBG_DMESG,
 		 "beacon_interval:%d\n", bcn_interval);
-	/* rtl92de_disable_interrupt(hw); */
+	rtl92de_disable_interrupt(hw);
 	rtl_write_word(rtlpriv, REG_BCN_INTERVAL, bcn_interval);
-	/* rtl92de_enable_interrupt(hw); */
+	rtl92de_enable_interrupt(hw);
 }
 
 void rtl92de_update_interrupt_mask(struct ieee80211_hw *hw,



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 194/267] lib: raid6: fix awk build warnings
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 193/267] rtlwifi: rtl8192de: Fix missing enable interrupt flag Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 195/267] ovl: relax WARN_ON() on rename to self Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 702600eef73033ddd4eafcefcbb6560f3e3a90f7 upstream.

Newer versions of awk spit out these fun warnings:
	awk: ../lib/raid6/unroll.awk:16: warning: regexp escape sequence `\#' is not a known regexp operator

As commit 700c1018b86d ("x86/insn: Fix awk regexp warnings") showed, it
turns out that there are a number of awk strings that do not need to be
escaped and newer versions of awk now warn about this.

Fix the string up so that no warning is produced.  The exact same kernel
module gets created before and after this patch, showing that it wasn't
needed.

Link: https://lore.kernel.org/r/20191206152600.GA75093@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/raid6/unroll.awk |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/raid6/unroll.awk
+++ b/lib/raid6/unroll.awk
@@ -13,7 +13,7 @@ BEGIN {
 	for (i = 0; i < rep; ++i) {
 		tmp = $0
 		gsub(/\$\$/, i, tmp)
-		gsub(/\$\#/, n, tmp)
+		gsub(/\$#/, n, tmp)
 		gsub(/\$\*/, "$", tmp)
 		print tmp
 	}



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 195/267] ovl: relax WARN_ON() on rename to self
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 194/267] lib: raid6: fix awk build warnings Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 196/267] ALSA: hda - Fix pending unsol events at shutdown Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+bb1836a212e69f8e201a,
	Amir Goldstein, Miklos Szeredi

From: Amir Goldstein <amir73il@gmail.com>

commit 6889ee5a53b8d969aa542047f5ac8acdc0e79a91 upstream.

In ovl_rename(), if new upper is hardlinked to old upper underneath
overlayfs before upper dirs are locked, user will get an ESTALE error
and a WARN_ON will be printed.

Changes to underlying layers while overlayfs is mounted may result in
unexpected behavior, but it shouldn't crash the kernel and it shouldn't
trigger WARN_ON() either, so relax this WARN_ON().

Reported-by: syzbot+bb1836a212e69f8e201a@syzkaller.appspotmail.com
Fixes: 804032fabb3b ("ovl: don't check rename to self")
Cc: <stable@vger.kernel.org> # v4.9+
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/overlayfs/dir.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -1042,7 +1042,7 @@ static int ovl_rename(struct inode *oldd
 	if (newdentry == trap)
 		goto out_dput;
 
-	if (WARN_ON(olddentry->d_inode == newdentry->d_inode))
+	if (olddentry->d_inode == newdentry->d_inode)
 		goto out_dput;
 
 	err = 0;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 196/267] ALSA: hda - Fix pending unsol events at shutdown
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 195/267] ovl: relax WARN_ON() on rename to self Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 197/267] md/raid0: Fix an error message in raid0_make_request() Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Wilson, Takashi Iwai, Sasha Levin

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit ca58f55108fee41d87c9123f85ad4863e5de7f45 ]

This is an alternative fix attemp for the issue reported in the commit
caa8422d01e9 ("ALSA: hda: Flush interrupts on disabling") that was
reverted later due to regressions.  Instead of tweaking the hardware
disablement order and the enforced irq flushing, do calling
cancel_work_sync() of the unsol work early enough, and explicitly
ignore the unsol events during the shutdown by checking the
bus->shutdown flag.

Fixes: caa8422d01e9 ("ALSA: hda: Flush interrupts on disabling")
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://lore.kernel.org/r/s5h1ruxt9cz.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/hda/hda_bind.c  | 4 ++++
 sound/pci/hda/hda_intel.c | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c
index 8db1890605f60..c175b2cf63f77 100644
--- a/sound/pci/hda/hda_bind.c
+++ b/sound/pci/hda/hda_bind.c
@@ -42,6 +42,10 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev)
 {
 	struct hda_codec *codec = container_of(dev, struct hda_codec, core);
 
+	/* ignore unsol events during shutdown */
+	if (codec->bus->shutdown)
+		return;
+
 	if (codec->patch_ops.unsol_event)
 		codec->patch_ops.unsol_event(codec, ev);
 }
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index 96e9b3944b925..890793ad85ca1 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1450,8 +1450,11 @@ static int azx_free(struct azx *chip)
 static int azx_dev_disconnect(struct snd_device *device)
 {
 	struct azx *chip = device->device_data;
+	struct hdac_bus *bus = azx_bus(chip);
 
 	chip->bus.shutdown = 1;
+	cancel_work_sync(&bus->unsol_work);
+
 	return 0;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 197/267] md/raid0: Fix an error message in raid0_make_request()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 196/267] ALSA: hda - Fix pending unsol events at shutdown Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 198/267] watchdog: aspeed: Fix clock behaviour for ast2600 Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Song Liu, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit e3fc3f3d0943b126f76b8533960e4168412d9e5a ]

The first argument to WARN() is supposed to be a condition.  The
original code will just print the mdname() instead of the full warning
message.

Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/raid0.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c
index 449c4dd060fcd..204adde004a3c 100644
--- a/drivers/md/raid0.c
+++ b/drivers/md/raid0.c
@@ -616,7 +616,7 @@ static bool raid0_make_request(struct mddev *mddev, struct bio *bio)
 		tmp_dev = map_sector(mddev, zone, sector, &sector);
 		break;
 	default:
-		WARN("md/raid0:%s: Invalid layout\n", mdname(mddev));
+		WARN(1, "md/raid0:%s: Invalid layout\n", mdname(mddev));
 		bio_io_error(bio);
 		return true;
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 198/267] watchdog: aspeed: Fix clock behaviour for ast2600
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 197/267] md/raid0: Fix an error message in raid0_make_request() Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 199/267] hwrng: omap - Fix RNG wait loop timeout Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Cédric Le Goater,
	Guenter Roeck, Wim Van Sebroeck, Sasha Levin

From: Joel Stanley <joel@jms.id.au>

[ Upstream commit c04571251b3d842096f1597f5d4badb508be016d ]

The ast2600 no longer uses bit 4 in the control register to indicate a
1MHz clock (It now controls whether this watchdog is reset by a SOC
reset). This means we do not want to set it. It also does not need to be
set for the ast2500, as it is read-only on that SoC.

The comment next to the clock rate selection wandered away from where it
was set, so put it back next to the register setting it's describing.

Fixes: b3528b487448 ("watchdog: aspeed: Add support for AST2600")
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20191108032905.22463-1-joel@jms.id.au
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/aspeed_wdt.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/drivers/watchdog/aspeed_wdt.c b/drivers/watchdog/aspeed_wdt.c
index cee7334b2a000..f5835cbd5d415 100644
--- a/drivers/watchdog/aspeed_wdt.c
+++ b/drivers/watchdog/aspeed_wdt.c
@@ -204,11 +204,6 @@ static int aspeed_wdt_probe(struct platform_device *pdev)
 	if (IS_ERR(wdt->base))
 		return PTR_ERR(wdt->base);
 
-	/*
-	 * The ast2400 wdt can run at PCLK, or 1MHz. The ast2500 only
-	 * runs at 1MHz. We chose to always run at 1MHz, as there's no
-	 * good reason to have a faster watchdog counter.
-	 */
 	wdt->wdd.info = &aspeed_wdt_info;
 	wdt->wdd.ops = &aspeed_wdt_ops;
 	wdt->wdd.max_hw_heartbeat_ms = WDT_MAX_TIMEOUT_MS;
@@ -224,7 +219,16 @@ static int aspeed_wdt_probe(struct platform_device *pdev)
 		return -EINVAL;
 	config = ofdid->data;
 
-	wdt->ctrl = WDT_CTRL_1MHZ_CLK;
+	/*
+	 * On clock rates:
+	 *  - ast2400 wdt can run at PCLK, or 1MHz
+	 *  - ast2500 only runs at 1MHz, hard coding bit 4 to 1
+	 *  - ast2600 always runs at 1MHz
+	 *
+	 * Set the ast2400 to run at 1MHz as it simplifies the driver.
+	 */
+	if (of_device_is_compatible(np, "aspeed,ast2400-wdt"))
+		wdt->ctrl = WDT_CTRL_1MHZ_CLK;
 
 	/*
 	 * Control reset on a per-device basis to ensure the
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 199/267] hwrng: omap - Fix RNG wait loop timeout
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 198/267] watchdog: aspeed: Fix clock behaviour for ast2600 Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 200/267] dm zoned: reduce overhead of backing device checks Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sumit Garg, Herbert Xu

From: Sumit Garg <sumit.garg@linaro.org>

commit be867f987a4e1222114dd07a01838a17c26f3fff upstream.

Existing RNG data read timeout is 200us but it doesn't cover EIP76 RNG
data rate which takes approx. 700us to produce 16 bytes of output data
as per testing results. So configure the timeout as 1000us to also take
account of lack of udelay()'s reliability.

Fixes: 383212425c92 ("hwrng: omap - Add device variant for SafeXcel IP-76 found in Armada 8K")
Cc: <stable@vger.kernel.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/hw_random/omap-rng.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/char/hw_random/omap-rng.c
+++ b/drivers/char/hw_random/omap-rng.c
@@ -66,6 +66,13 @@
 #define OMAP4_RNG_OUTPUT_SIZE			0x8
 #define EIP76_RNG_OUTPUT_SIZE			0x10
 
+/*
+ * EIP76 RNG takes approx. 700us to produce 16 bytes of output data
+ * as per testing results. And to account for the lack of udelay()'s
+ * reliability, we keep the timeout as 1000us.
+ */
+#define RNG_DATA_FILL_TIMEOUT			100
+
 enum {
 	RNG_OUTPUT_0_REG = 0,
 	RNG_OUTPUT_1_REG,
@@ -175,7 +182,7 @@ static int omap_rng_do_read(struct hwrng
 	if (max < priv->pdata->data_size)
 		return 0;
 
-	for (i = 0; i < 20; i++) {
+	for (i = 0; i < RNG_DATA_FILL_TIMEOUT; i++) {
 		present = priv->pdata->data_present(priv);
 		if (present || !wait)
 			break;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 200/267] dm zoned: reduce overhead of backing device checks
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 199/267] hwrng: omap - Fix RNG wait loop timeout Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 201/267] workqueue: Fix spurious sanity check failures in destroy_workqueue() Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zhangxiaoxu, Dmitry Fomichev, Mike Snitzer

From: Dmitry Fomichev <dmitry.fomichev@wdc.com>

commit e7fad909b68aa37470d9f2d2731b5bec355ee5d6 upstream.

Commit 75d66ffb48efb3 added backing device health checks and as a part
of these checks, check_events() block ops template call is invoked in
dm-zoned mapping path as well as in reclaim and flush path. Calling
check_events() with ATA or SCSI backing devices introduces a blocking
scsi_test_unit_ready() call being made in sd_check_events(). Even though
the overhead of calling scsi_test_unit_ready() is small for ATA zoned
devices, it is much larger for SCSI and it affects performance in a very
negative way.

Fix this performance regression by executing check_events() only in case
of any I/O errors. The function dmz_bdev_is_dying() is modified to call
only blk_queue_dying(), while calls to check_events() are made in a new
helper function, dmz_check_bdev().

Reported-by: zhangxiaoxu <zhangxiaoxu5@huawei.com>
Fixes: 75d66ffb48efb3 ("dm zoned: properly handle backing device failure")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-zoned-metadata.c |   29 ++++++++++++++--------
 drivers/md/dm-zoned-reclaim.c  |    8 +-----
 drivers/md/dm-zoned-target.c   |   54 ++++++++++++++++++++++++++++-------------
 drivers/md/dm-zoned.h          |    2 +
 4 files changed, 61 insertions(+), 32 deletions(-)

--- a/drivers/md/dm-zoned-metadata.c
+++ b/drivers/md/dm-zoned-metadata.c
@@ -552,6 +552,7 @@ static struct dmz_mblock *dmz_get_mblock
 		       TASK_UNINTERRUPTIBLE);
 	if (test_bit(DMZ_META_ERROR, &mblk->state)) {
 		dmz_release_mblock(zmd, mblk);
+		dmz_check_bdev(zmd->dev);
 		return ERR_PTR(-EIO);
 	}
 
@@ -623,6 +624,8 @@ static int dmz_rdwr_block(struct dmz_met
 	ret = submit_bio_wait(bio);
 	bio_put(bio);
 
+	if (ret)
+		dmz_check_bdev(zmd->dev);
 	return ret;
 }
 
@@ -689,6 +692,7 @@ static int dmz_write_dirty_mblocks(struc
 			       TASK_UNINTERRUPTIBLE);
 		if (test_bit(DMZ_META_ERROR, &mblk->state)) {
 			clear_bit(DMZ_META_ERROR, &mblk->state);
+			dmz_check_bdev(zmd->dev);
 			ret = -EIO;
 		}
 		nr_mblks_submitted--;
@@ -766,7 +770,7 @@ int dmz_flush_metadata(struct dmz_metada
 	/* If there are no dirty metadata blocks, just flush the device cache */
 	if (list_empty(&write_list)) {
 		ret = blkdev_issue_flush(zmd->dev->bdev, GFP_NOIO, NULL);
-		goto out;
+		goto err;
 	}
 
 	/*
@@ -776,7 +780,7 @@ int dmz_flush_metadata(struct dmz_metada
 	 */
 	ret = dmz_log_dirty_mblocks(zmd, &write_list);
 	if (ret)
-		goto out;
+		goto err;
 
 	/*
 	 * The log is on disk. It is now safe to update in place
@@ -784,11 +788,11 @@ int dmz_flush_metadata(struct dmz_metada
 	 */
 	ret = dmz_write_dirty_mblocks(zmd, &write_list, zmd->mblk_primary);
 	if (ret)
-		goto out;
+		goto err;
 
 	ret = dmz_write_sb(zmd, zmd->mblk_primary);
 	if (ret)
-		goto out;
+		goto err;
 
 	while (!list_empty(&write_list)) {
 		mblk = list_first_entry(&write_list, struct dmz_mblock, link);
@@ -803,16 +807,20 @@ int dmz_flush_metadata(struct dmz_metada
 
 	zmd->sb_gen++;
 out:
-	if (ret && !list_empty(&write_list)) {
-		spin_lock(&zmd->mblk_lock);
-		list_splice(&write_list, &zmd->mblk_dirty_list);
-		spin_unlock(&zmd->mblk_lock);
-	}
-
 	dmz_unlock_flush(zmd);
 	up_write(&zmd->mblk_sem);
 
 	return ret;
+
+err:
+	if (!list_empty(&write_list)) {
+		spin_lock(&zmd->mblk_lock);
+		list_splice(&write_list, &zmd->mblk_dirty_list);
+		spin_unlock(&zmd->mblk_lock);
+	}
+	if (!dmz_check_bdev(zmd->dev))
+		ret = -EIO;
+	goto out;
 }
 
 /*
@@ -1235,6 +1243,7 @@ static int dmz_update_zone(struct dmz_me
 	if (ret) {
 		dmz_dev_err(zmd->dev, "Get zone %u report failed",
 			    dmz_id(zmd, zone));
+		dmz_check_bdev(zmd->dev);
 		return ret;
 	}
 
--- a/drivers/md/dm-zoned-reclaim.c
+++ b/drivers/md/dm-zoned-reclaim.c
@@ -81,6 +81,7 @@ static int dmz_reclaim_align_wp(struct d
 			    "Align zone %u wp %llu to %llu (wp+%u) blocks failed %d",
 			    dmz_id(zmd, zone), (unsigned long long)wp_block,
 			    (unsigned long long)block, nr_blocks, ret);
+		dmz_check_bdev(zrc->dev);
 		return ret;
 	}
 
@@ -490,12 +491,7 @@ static void dmz_reclaim_work(struct work
 	ret = dmz_do_reclaim(zrc);
 	if (ret) {
 		dmz_dev_debug(zrc->dev, "Reclaim error %d\n", ret);
-		if (ret == -EIO)
-			/*
-			 * LLD might be performing some error handling sequence
-			 * at the underlying device. To not interfere, do not
-			 * attempt to schedule the next reclaim run immediately.
-			 */
+		if (!dmz_check_bdev(zrc->dev))
 			return;
 	}
 
--- a/drivers/md/dm-zoned-target.c
+++ b/drivers/md/dm-zoned-target.c
@@ -79,6 +79,8 @@ static inline void dmz_bio_endio(struct
 
 	if (status != BLK_STS_OK && bio->bi_status == BLK_STS_OK)
 		bio->bi_status = status;
+	if (bio->bi_status != BLK_STS_OK)
+		bioctx->target->dev->flags |= DMZ_CHECK_BDEV;
 
 	if (atomic_dec_and_test(&bioctx->ref)) {
 		struct dm_zone *zone = bioctx->zone;
@@ -564,32 +566,52 @@ out:
 }
 
 /*
- * Check the backing device availability. If it's on the way out,
+ * Check if the backing device is being removed. If it's on the way out,
  * start failing I/O. Reclaim and metadata components also call this
  * function to cleanly abort operation in the event of such failure.
  */
 bool dmz_bdev_is_dying(struct dmz_dev *dmz_dev)
 {
-	struct gendisk *disk;
+	if (dmz_dev->flags & DMZ_BDEV_DYING)
+		return true;
 
-	if (!(dmz_dev->flags & DMZ_BDEV_DYING)) {
-		disk = dmz_dev->bdev->bd_disk;
-		if (blk_queue_dying(bdev_get_queue(dmz_dev->bdev))) {
-			dmz_dev_warn(dmz_dev, "Backing device queue dying");
-			dmz_dev->flags |= DMZ_BDEV_DYING;
-		} else if (disk->fops->check_events) {
-			if (disk->fops->check_events(disk, 0) &
-					DISK_EVENT_MEDIA_CHANGE) {
-				dmz_dev_warn(dmz_dev, "Backing device offline");
-				dmz_dev->flags |= DMZ_BDEV_DYING;
-			}
-		}
+	if (dmz_dev->flags & DMZ_CHECK_BDEV)
+		return !dmz_check_bdev(dmz_dev);
+
+	if (blk_queue_dying(bdev_get_queue(dmz_dev->bdev))) {
+		dmz_dev_warn(dmz_dev, "Backing device queue dying");
+		dmz_dev->flags |= DMZ_BDEV_DYING;
 	}
 
 	return dmz_dev->flags & DMZ_BDEV_DYING;
 }
 
 /*
+ * Check the backing device availability. This detects such events as
+ * backing device going offline due to errors, media removals, etc.
+ * This check is less efficient than dmz_bdev_is_dying() and should
+ * only be performed as a part of error handling.
+ */
+bool dmz_check_bdev(struct dmz_dev *dmz_dev)
+{
+	struct gendisk *disk;
+
+	dmz_dev->flags &= ~DMZ_CHECK_BDEV;
+
+	if (dmz_bdev_is_dying(dmz_dev))
+		return false;
+
+	disk = dmz_dev->bdev->bd_disk;
+	if (disk->fops->check_events &&
+	    disk->fops->check_events(disk, 0) & DISK_EVENT_MEDIA_CHANGE) {
+		dmz_dev_warn(dmz_dev, "Backing device offline");
+		dmz_dev->flags |= DMZ_BDEV_DYING;
+	}
+
+	return !(dmz_dev->flags & DMZ_BDEV_DYING);
+}
+
+/*
  * Process a new BIO.
  */
 static int dmz_map(struct dm_target *ti, struct bio *bio)
@@ -901,8 +923,8 @@ static int dmz_prepare_ioctl(struct dm_t
 {
 	struct dmz_target *dmz = ti->private;
 
-	if (dmz_bdev_is_dying(dmz->dev))
-		return -ENODEV;
+	if (!dmz_check_bdev(dmz->dev))
+		return -EIO;
 
 	*bdev = dmz->dev->bdev;
 
--- a/drivers/md/dm-zoned.h
+++ b/drivers/md/dm-zoned.h
@@ -71,6 +71,7 @@ struct dmz_dev {
 
 /* Device flags. */
 #define DMZ_BDEV_DYING		(1 << 0)
+#define DMZ_CHECK_BDEV		(2 << 0)
 
 /*
  * Zone descriptor.
@@ -254,5 +255,6 @@ void dmz_schedule_reclaim(struct dmz_rec
  * Functions defined in dm-zoned-target.c
  */
 bool dmz_bdev_is_dying(struct dmz_dev *dmz_dev);
+bool dmz_check_bdev(struct dmz_dev *dmz_dev);
 
 #endif /* DM_ZONED_H */



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 201/267] workqueue: Fix spurious sanity check failures in destroy_workqueue()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 200/267] dm zoned: reduce overhead of backing device checks Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 202/267] workqueue: Fix pwq ref leak in rescuer_thread() Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Marcin Pawlowski,
	Williams, Gerald S

From: Tejun Heo <tj@kernel.org>

commit def98c84b6cdf2eeea19ec5736e90e316df5206b upstream.

Before actually destrying a workqueue, destroy_workqueue() checks
whether it's actually idle.  If it isn't, it prints out a bunch of
warning messages and leaves the workqueue dangling.  It unfortunately
has a couple issues.

* Mayday list queueing increments pwq's refcnts which gets detected as
  busy and fails the sanity checks.  However, because mayday list
  queueing is asynchronous, this condition can happen without any
  actual work items left in the workqueue.

* Sanity check failure leaves the sysfs interface behind too which can
  lead to init failure of newer instances of the workqueue.

This patch fixes the above two by

* If a workqueue has a rescuer, disable and kill the rescuer before
  sanity checks.  Disabling and killing is guaranteed to flush the
  existing mayday list.

* Remove sysfs interface before sanity checks.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Marcin Pawlowski <mpawlowski@fb.com>
Reported-by: "Williams, Gerald S" <gerald.s.williams@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/workqueue.c |   24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -4084,9 +4084,28 @@ void destroy_workqueue(struct workqueue_
 	struct pool_workqueue *pwq;
 	int node;
 
+	/*
+	 * Remove it from sysfs first so that sanity check failure doesn't
+	 * lead to sysfs name conflicts.
+	 */
+	workqueue_sysfs_unregister(wq);
+
 	/* drain it before proceeding with destruction */
 	drain_workqueue(wq);
 
+	/* kill rescuer, if sanity checks fail, leave it w/o rescuer */
+	if (wq->rescuer) {
+		struct worker *rescuer = wq->rescuer;
+
+		/* this prevents new queueing */
+		spin_lock_irq(&wq_mayday_lock);
+		wq->rescuer = NULL;
+		spin_unlock_irq(&wq_mayday_lock);
+
+		/* rescuer will empty maydays list before exiting */
+		kthread_stop(rescuer->task);
+	}
+
 	/* sanity checks */
 	mutex_lock(&wq->mutex);
 	for_each_pwq(pwq, wq) {
@@ -4118,11 +4137,6 @@ void destroy_workqueue(struct workqueue_
 	list_del_rcu(&wq->list);
 	mutex_unlock(&wq_pool_mutex);
 
-	workqueue_sysfs_unregister(wq);
-
-	if (wq->rescuer)
-		kthread_stop(wq->rescuer->task);
-
 	if (!(wq->flags & WQ_UNBOUND)) {
 		/*
 		 * The base ref is never dropped on per-cpu pwqs.  Directly



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 202/267] workqueue: Fix pwq ref leak in rescuer_thread()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 201/267] workqueue: Fix spurious sanity check failures in destroy_workqueue() Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 203/267] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Williams, Gerald S, NeilBrown

From: Tejun Heo <tj@kernel.org>

commit e66b39af00f426b3356b96433d620cb3367ba1ff upstream.

008847f66c3 ("workqueue: allow rescuer thread to do more work.") made
the rescuer worker requeue the pwq immediately if there may be more
work items which need rescuing instead of waiting for the next mayday
timer expiration.  Unfortunately, it doesn't check whether the pwq is
already on the mayday list and unconditionally gets the ref and moves
it onto the list.  This doesn't corrupt the list but creates an
additional reference to the pwq.  It got queued twice but will only be
removed once.

This leak later can trigger pwq refcnt warning on workqueue
destruction and prevent freeing of the workqueue.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: "Williams, Gerald S" <gerald.s.williams@intel.com>
Cc: NeilBrown <neilb@suse.de>
Cc: stable@vger.kernel.org # v3.19+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/workqueue.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -2366,8 +2366,14 @@ repeat:
 			 */
 			if (need_to_create_worker(pool)) {
 				spin_lock(&wq_mayday_lock);
-				get_pwq(pwq);
-				list_move_tail(&pwq->mayday_node, &wq->maydays);
+				/*
+				 * Queue iff we aren't racing destruction
+				 * and somebody else hasn't queued it already.
+				 */
+				if (wq->rescuer && list_empty(&pwq->mayday_node)) {
+					get_pwq(pwq);
+					list_add_tail(&pwq->mayday_node, &wq->maydays);
+				}
 				spin_unlock(&wq_mayday_lock);
 			}
 		}
@@ -4413,7 +4419,8 @@ static void show_pwq(struct pool_workque
 	pr_info("  pwq %d:", pool->id);
 	pr_cont_pool_info(pool);
 
-	pr_cont(" active=%d/%d%s\n", pwq->nr_active, pwq->max_active,
+	pr_cont(" active=%d/%d refcnt=%d%s\n",
+		pwq->nr_active, pwq->max_active, pwq->refcnt,
 		!list_empty(&pwq->mayday_node) ? " MAYDAY" : "");
 
 	hash_for_each(pool->busy_hash, bkt, worker, hentry) {



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 203/267] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 202/267] workqueue: Fix pwq ref leak in rescuer_thread() Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 204/267] blk-mq: avoid sysfs buffer overflow with too many CPU cores Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pawel Harlozinski, Mark Brown

From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>

commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream.

Check for existance of jack before tracing.
NULL pointer dereference has been reported by KASAN while unloading
machine driver (snd_soc_cnl_rt274).

Signed-off-by: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/soc-jack.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/sound/soc/soc-jack.c
+++ b/sound/soc/soc-jack.c
@@ -127,10 +127,9 @@ void snd_soc_jack_report(struct snd_soc_
 	unsigned int sync = 0;
 	int enable;
 
-	trace_snd_soc_jack_report(jack, mask, status);
-
 	if (!jack)
 		return;
+	trace_snd_soc_jack_report(jack, mask, status);
 
 	dapm = &jack->card->dapm;
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 204/267] blk-mq: avoid sysfs buffer overflow with too many CPU cores
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 203/267] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-17  4:28   ` Nobuhiro Iwamatsu
  2019-12-16 17:48 ` [PATCH 4.14 205/267] cgroup: pids: use atomic64_t for pids->limit Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  270 siblings, 1 reply; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ming Lei, Jens Axboe

From: Ming Lei <ming.lei@redhat.com>

commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream.

It is reported that sysfs buffer overflow can be triggered if the system
has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of
hctx via /sys/block/$DEV/mq/$N/cpu_list.

Use snprintf to avoid the potential buffer overflow.

This version doesn't change the attribute format, and simply stops
showing CPU numbers if the buffer is going to overflow.

Cc: stable@vger.kernel.org
Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/blk-mq-sysfs.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -145,20 +145,25 @@ static ssize_t blk_mq_hw_sysfs_nr_reserv
 
 static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page)
 {
+	const size_t size = PAGE_SIZE - 1;
 	unsigned int i, first = 1;
-	ssize_t ret = 0;
+	int ret = 0, pos = 0;
 
 	for_each_cpu(i, hctx->cpumask) {
 		if (first)
-			ret += sprintf(ret + page, "%u", i);
+			ret = snprintf(pos + page, size - pos, "%u", i);
 		else
-			ret += sprintf(ret + page, ", %u", i);
+			ret = snprintf(pos + page, size - pos, ", %u", i);
+
+		if (ret >= size - pos)
+			break;
 
 		first = 0;
+		pos += ret;
 	}
 
-	ret += sprintf(ret + page, "\n");
-	return ret;
+	ret = snprintf(pos + page, size - pos, "\n");
+	return pos + ret;
 }
 
 static struct attribute *default_ctx_attrs[] = {



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 205/267] cgroup: pids: use atomic64_t for pids->limit
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 204/267] blk-mq: avoid sysfs buffer overflow with too many CPU cores Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 206/267] ar5523: check NULL before memcpy() in ar5523_cmd() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Aleksa Sarai, Tejun Heo

From: Aleksa Sarai <cyphar@cyphar.com>

commit a713af394cf382a30dd28a1015cbe572f1b9ca75 upstream.

Because pids->limit can be changed concurrently (but we don't want to
take a lock because it would be needlessly expensive), use atomic64_ts
instead.

Fixes: commit 49b786ea146f ("cgroup: implement the PIDs subsystem")
Cc: stable@vger.kernel.org # v4.3+
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cgroup/pids.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/kernel/cgroup/pids.c
+++ b/kernel/cgroup/pids.c
@@ -48,7 +48,7 @@ struct pids_cgroup {
 	 * %PIDS_MAX = (%PID_MAX_LIMIT + 1).
 	 */
 	atomic64_t			counter;
-	int64_t				limit;
+	atomic64_t			limit;
 
 	/* Handle for "pids.events" */
 	struct cgroup_file		events_file;
@@ -76,8 +76,8 @@ pids_css_alloc(struct cgroup_subsys_stat
 	if (!pids)
 		return ERR_PTR(-ENOMEM);
 
-	pids->limit = PIDS_MAX;
 	atomic64_set(&pids->counter, 0);
+	atomic64_set(&pids->limit, PIDS_MAX);
 	atomic64_set(&pids->events_limit, 0);
 	return &pids->css;
 }
@@ -149,13 +149,14 @@ static int pids_try_charge(struct pids_c
 
 	for (p = pids; parent_pids(p); p = parent_pids(p)) {
 		int64_t new = atomic64_add_return(num, &p->counter);
+		int64_t limit = atomic64_read(&p->limit);
 
 		/*
 		 * Since new is capped to the maximum number of pid_t, if
 		 * p->limit is %PIDS_MAX then we know that this test will never
 		 * fail.
 		 */
-		if (new > p->limit)
+		if (new > limit)
 			goto revert;
 	}
 
@@ -280,7 +281,7 @@ set_limit:
 	 * Limit updates don't need to be mutex'd, since it isn't
 	 * critical that any racing fork()s follow the new limit.
 	 */
-	pids->limit = limit;
+	atomic64_set(&pids->limit, limit);
 	return nbytes;
 }
 
@@ -288,7 +289,7 @@ static int pids_max_show(struct seq_file
 {
 	struct cgroup_subsys_state *css = seq_css(sf);
 	struct pids_cgroup *pids = css_pids(css);
-	int64_t limit = pids->limit;
+	int64_t limit = atomic64_read(&pids->limit);
 
 	if (limit >= PIDS_MAX)
 		seq_printf(sf, "%s\n", PIDS_MAX_STR);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 206/267] ar5523: check NULL before memcpy() in ar5523_cmd()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 205/267] cgroup: pids: use atomic64_t for pids->limit Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 207/267] s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pontus Fuchs, Kalle Valo,
	David S. Miller, David Laight, Denis Efremov

From: Denis Efremov <efremov@linux.com>

commit 315cee426f87658a6799815845788fde965ddaad upstream.

memcpy() call with "idata == NULL && ilen == 0" results in undefined
behavior in ar5523_cmd(). For example, NULL is passed in callchain
"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
adds ilen check before memcpy() call in ar5523_cmd() to prevent an
undefined behavior.

Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: stable@vger.kernel.org
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ar5523/ar5523.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar,
 
 	if (flags & AR5523_CMD_FLAG_MAGIC)
 		hdr->magic = cpu_to_be32(1 << 24);
-	memcpy(hdr + 1, idata, ilen);
+	if (ilen)
+		memcpy(hdr + 1, idata, ilen);
 
 	cmd->odata = odata;
 	cmd->olen = olen;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 207/267] s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 206/267] ar5523: check NULL before memcpy() in ar5523_cmd() Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 208/267] media: bdisp: fix memleak on release Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gerald Schaefer, Vasily Gorbik

From: Gerald Schaefer <gerald.schaefer@de.ibm.com>

commit ab874f22d35a8058d8fdee5f13eb69d8867efeae upstream.

On older HW or under a hypervisor, w/o the instruction-execution-
protection (IEP) facility, and also w/o EDAT-1, a translation-specification
exception may be recognized when bit 55 of a pte is one (_PAGE_NOEXEC).

The current code tries to prevent setting _PAGE_NOEXEC in such cases,
by removing it within set_pte_at(). However, ptep_set_access_flags()
will modify a pte directly, w/o using set_pte_at(). There is at least
one scenario where this can result in an active pte with _PAGE_NOEXEC
set, which would then lead to a panic due to a translation-specification
exception (write to swapped out page):

do_swap_page
  pte = mk_pte (with _PAGE_NOEXEC bit)
  set_pte_at   (will remove _PAGE_NOEXEC bit in page table, but keep it
                in local variable pte)
  vmf->orig_pte = pte (pte still contains _PAGE_NOEXEC bit)
  do_wp_page
    wp_page_reuse
      entry = vmf->orig_pte (still with _PAGE_NOEXEC bit)
      ptep_set_access_flags (writes entry with _PAGE_NOEXEC bit)

Fix this by clearing _PAGE_NOEXEC already in mk_pte_phys(), where the
pgprot value is applied, so that no pte with _PAGE_NOEXEC will ever be
visible, if it is not supported. The check in set_pte_at() can then also
be removed.

Cc: <stable@vger.kernel.org> # 4.11+
Fixes: 57d7f939e7bd ("s390: add no-execute support")
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/include/asm/pgtable.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/s390/include/asm/pgtable.h
+++ b/arch/s390/include/asm/pgtable.h
@@ -1126,8 +1126,6 @@ int pgste_perform_essa(struct mm_struct
 static inline void set_pte_at(struct mm_struct *mm, unsigned long addr,
 			      pte_t *ptep, pte_t entry)
 {
-	if (!MACHINE_HAS_NX)
-		pte_val(entry) &= ~_PAGE_NOEXEC;
 	if (pte_present(entry))
 		pte_val(entry) &= ~_PAGE_UNUSED;
 	if (mm_has_pgste(mm))
@@ -1144,6 +1142,8 @@ static inline pte_t mk_pte_phys(unsigned
 {
 	pte_t __pte;
 	pte_val(__pte) = physpage + pgprot_val(pgprot);
+	if (!MACHINE_HAS_NX)
+		pte_val(__pte) &= ~_PAGE_NOEXEC;
 	return pte_mkyoung(__pte);
 }
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 208/267] media: bdisp: fix memleak on release
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 207/267] s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 209/267] media: radio: wl1273: fix interrupt masking " Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Fabien Dessenne,
	Hans Verkuil, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit 11609a7e21f8cea42630350aa57662928fa4dc63 upstream.

If a process is interrupted while accessing the video device and the
device lock is contended, release() could return early and fail to free
related resources.

Note that the return value of the v4l2 release file operation is
ignored.

Fixes: 28ffeebbb7bd ("[media] bdisp: 2D blitter driver using v4l2 mem2mem framework")
Cc: stable <stable@vger.kernel.org>     # 4.2
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/sti/bdisp/bdisp-v4l2.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
@@ -651,8 +651,7 @@ static int bdisp_release(struct file *fi
 
 	dev_dbg(bdisp->dev, "%s\n", __func__);
 
-	if (mutex_lock_interruptible(&bdisp->lock))
-		return -ERESTARTSYS;
+	mutex_lock(&bdisp->lock);
 
 	v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 209/267] media: radio: wl1273: fix interrupt masking on release
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 208/267] media: bdisp: fix memleak on release Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 210/267] media: cec.h: CEC_OP_REC_FLAG_ values were swapped Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matti Aaltonen, Johan Hovold,
	Hans Verkuil, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit 1091eb830627625dcf79958d99353c2391f41708 upstream.

If a process is interrupted while accessing the radio device and the
core lock is contended, release() could return early and fail to update
the interrupt mask.

Note that the return value of the v4l2 release file operation is
ignored.

Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver")
Cc: stable <stable@vger.kernel.org>     # 2.6.38
Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/radio/radio-wl1273.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/radio/radio-wl1273.c
+++ b/drivers/media/radio/radio-wl1273.c
@@ -1156,8 +1156,7 @@ static int wl1273_fm_fops_release(struct
 	if (radio->rds_users > 0) {
 		radio->rds_users--;
 		if (radio->rds_users == 0) {
-			if (mutex_lock_interruptible(&core->lock))
-				return -EINTR;
+			mutex_lock(&core->lock);
 
 			radio->irq_flags &= ~WL1273_RDS_EVENT;
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 210/267] media: cec.h: CEC_OP_REC_FLAG_ values were swapped
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 209/267] media: radio: wl1273: fix interrupt masking " Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 211/267] cpuidle: Do not unset the driver if it is there already Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Jiunn Chang,
	Mauro Carvalho Chehab

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit 806e0cdfee0b99efbb450f9f6e69deb7118602fc upstream.

CEC_OP_REC_FLAG_NOT_USED is 0 and CEC_OP_REC_FLAG_USED is 1, not the
other way around.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: Jiunn Chang <c0d1n61at3@gmail.com>
Cc: <stable@vger.kernel.org>      # for v4.10 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/uapi/linux/cec.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/uapi/linux/cec.h
+++ b/include/uapi/linux/cec.h
@@ -789,8 +789,8 @@ struct cec_event {
 #define CEC_MSG_SELECT_DIGITAL_SERVICE			0x93
 #define CEC_MSG_TUNER_DEVICE_STATUS			0x07
 /* Recording Flag Operand (rec_flag) */
-#define CEC_OP_REC_FLAG_USED				0
-#define CEC_OP_REC_FLAG_NOT_USED			1
+#define CEC_OP_REC_FLAG_NOT_USED			0
+#define CEC_OP_REC_FLAG_USED				1
 /* Tuner Display Info Operand (tuner_display_info) */
 #define CEC_OP_TUNER_DISPLAY_INFO_DIGITAL		0
 #define CEC_OP_TUNER_DISPLAY_INFO_NONE			1



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 211/267] cpuidle: Do not unset the driver if it is there already
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 210/267] media: cec.h: CEC_OP_REC_FLAG_ values were swapped Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 212/267] intel_th: Fix a double put_device() in error path Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhenzhong Duan, Rafael J. Wysocki

From: Zhenzhong Duan <zhenzhong.duan@oracle.com>

commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream.

Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has
a driver different from drv already and, if so, return -EBUSY before
updating any cpuidle_drivers per-CPU pointers.

Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support")
Cc: 3.11+ <stable@vger.kernel.org> # 3.11+
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
[ rjw: Subject & changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpuidle/driver.c |   15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/drivers/cpuidle/driver.c
+++ b/drivers/cpuidle/driver.c
@@ -62,24 +62,23 @@ static inline void __cpuidle_unset_drive
  * __cpuidle_set_driver - set per CPU driver variables for the given driver.
  * @drv: a valid pointer to a struct cpuidle_driver
  *
- * For each CPU in the driver's cpumask, unset the registered driver per CPU
- * to @drv.
- *
- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already.
+ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver
+ * different from drv already.
  */
 static inline int __cpuidle_set_driver(struct cpuidle_driver *drv)
 {
 	int cpu;
 
 	for_each_cpu(cpu, drv->cpumask) {
+		struct cpuidle_driver *old_drv;
 
-		if (__cpuidle_get_cpu_driver(cpu)) {
-			__cpuidle_unset_driver(drv);
+		old_drv = __cpuidle_get_cpu_driver(cpu);
+		if (old_drv && old_drv != drv)
 			return -EBUSY;
-		}
+	}
 
+	for_each_cpu(cpu, drv->cpumask)
 		per_cpu(cpuidle_drivers, cpu) = drv;
-	}
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 212/267] intel_th: Fix a double put_device() in error path
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 211/267] cpuidle: Do not unset the driver if it is there already Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:48 ` [PATCH 4.14 213/267] intel_th: pci: Add Ice Lake CPU support Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Shishkin, Wen Yang,
	Andy Shevchenko

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit 512592779a337feb5905d8fcf9498dbf33672d4a upstream.

Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
factored out intel_th_subdevice_alloc() from intel_th_populate(), but got
the error path wrong, resulting in two instances of a double put_device()
on a freshly initialized, but not 'added' device.

Fix this by only doing one put_device() in the error path.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
Reported-by: Wen Yang <wenyang@linux.alibaba.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@vger.kernel.org # v4.14+
Link: https://lore.kernel.org/r/20191120130806.44028-2-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/intel_th/core.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/drivers/hwtracing/intel_th/core.c
+++ b/drivers/hwtracing/intel_th/core.c
@@ -628,10 +628,8 @@ intel_th_subdevice_alloc(struct intel_th
 	}
 
 	err = intel_th_device_add_resources(thdev, res, subdev->nres);
-	if (err) {
-		put_device(&thdev->dev);
+	if (err)
 		goto fail_put_device;
-	}
 
 	if (subdev->type == INTEL_TH_OUTPUT) {
 		thdev->dev.devt = MKDEV(th->major, th->num_thdevs);
@@ -644,10 +642,8 @@ intel_th_subdevice_alloc(struct intel_th
 	}
 
 	err = device_add(&thdev->dev);
-	if (err) {
-		put_device(&thdev->dev);
+	if (err)
 		goto fail_free_res;
-	}
 
 	/* need switch driver to be loaded to enumerate the rest */
 	if (subdev->type == INTEL_TH_SWITCH && !req) {



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 213/267] intel_th: pci: Add Ice Lake CPU support
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 212/267] intel_th: Fix a double put_device() in error path Greg Kroah-Hartman
@ 2019-12-16 17:48 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 214/267] intel_th: pci: Add Tiger " Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Shishkin, Andy Shevchenko

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit 6a1743422a7c0fda26764a544136cac13e5ae486 upstream.

This adds support for the Trace Hub in Ice Lake CPU.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191120130806.44028-3-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/intel_th/pci.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -194,6 +194,11 @@ static const struct pci_device_id intel_
 		.driver_data = (kernel_ulong_t)&intel_th_2x,
 	},
 	{
+		/* Ice Lake CPU */
+		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x8a29),
+		.driver_data = (kernel_ulong_t)&intel_th_2x,
+	},
+	{
 		/* Tiger Lake PCH */
 		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6),
 		.driver_data = (kernel_ulong_t)&intel_th_2x,



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 214/267] intel_th: pci: Add Tiger Lake CPU support
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2019-12-16 17:48 ` [PATCH 4.14 213/267] intel_th: pci: Add Ice Lake CPU support Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 215/267] PM / devfreq: Lock devfreq in trans_stat_show Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Shishkin, Andy Shevchenko

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit 6e6c18bcb78c0dc0601ebe216bed12c844492d0c upstream.

This adds support for the Trace Hub in Tiger Lake CPU.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191120130806.44028-4-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/intel_th/pci.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -199,6 +199,11 @@ static const struct pci_device_id intel_
 		.driver_data = (kernel_ulong_t)&intel_th_2x,
 	},
 	{
+		/* Tiger Lake CPU */
+		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9a33),
+		.driver_data = (kernel_ulong_t)&intel_th_2x,
+	},
+	{
 		/* Tiger Lake PCH */
 		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6),
 		.driver_data = (kernel_ulong_t)&intel_th_2x,



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 215/267] PM / devfreq: Lock devfreq in trans_stat_show
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 214/267] intel_th: pci: Add Tiger " Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 216/267] cpufreq: powernv: fix stack bloat and hard limit on number of CPUs Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leonard Crestez, Matthias Kaehlcke,
	Chanwoo Choi

From: Leonard Crestez <leonard.crestez@nxp.com>

commit 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 upstream.

There is no locking in this sysfs show function so stats printing can
race with a devfreq_update_status called as part of freq switching or
with initialization.

Also add an assert in devfreq_update_status to make it clear that lock
must be held by caller.

Fixes: 39688ce6facd ("PM / devfreq: account suspend/resume for stats")
Cc: stable@vger.kernel.org
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/devfreq/devfreq.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -133,6 +133,7 @@ int devfreq_update_status(struct devfreq
 	int lev, prev_lev, ret = 0;
 	unsigned long cur_time;
 
+	lockdep_assert_held(&devfreq->lock);
 	cur_time = jiffies;
 
 	/* Immediately exit if previous_freq is not initialized yet. */
@@ -1161,12 +1162,17 @@ static ssize_t trans_stat_show(struct de
 	int i, j;
 	unsigned int max_state = devfreq->profile->max_state;
 
-	if (!devfreq->stop_polling &&
-			devfreq_update_status(devfreq, devfreq->previous_freq))
-		return 0;
 	if (max_state == 0)
 		return sprintf(buf, "Not Supported.\n");
 
+	mutex_lock(&devfreq->lock);
+	if (!devfreq->stop_polling &&
+			devfreq_update_status(devfreq, devfreq->previous_freq)) {
+		mutex_unlock(&devfreq->lock);
+		return 0;
+	}
+	mutex_unlock(&devfreq->lock);
+
 	len = sprintf(buf, "     From  :   To\n");
 	len += sprintf(buf + len, "           :");
 	for (i = 0; i < max_state; i++)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 216/267] cpufreq: powernv: fix stack bloat and hard limit on number of CPUs
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 215/267] PM / devfreq: Lock devfreq in trans_stat_show Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 217/267] ACPI: OSL: only free map once in osl.c Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Hubbard, Viresh Kumar,
	Rafael J. Wysocki

From: John Hubbard <jhubbard@nvidia.com>

commit db0d32d84031188443e25edbd50a71a6e7ac5d1d upstream.

The following build warning occurred on powerpc 64-bit builds:

drivers/cpufreq/powernv-cpufreq.c: In function 'init_chip_info':
drivers/cpufreq/powernv-cpufreq.c:1070:1: warning: the frame size of
1040 bytes is larger than 1024 bytes [-Wframe-larger-than=]

This is with a cross-compiler based on gcc 8.1.0, which I got from:
  https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/8.1.0/

The warning is due to putting 1024 bytes on the stack:

    unsigned int chip[256];

...and it's also undesirable to have a hard limit on the number of
CPUs here.

Fix both problems by dynamically allocating based on num_possible_cpus,
as recommended by Michael Ellerman.

Fixes: 053819e0bf840 ("cpufreq: powernv: Handle throttling due to Pmax capping at chip level")
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: 4.10+ <stable@vger.kernel.org> # 4.10+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpufreq/powernv-cpufreq.c |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/drivers/cpufreq/powernv-cpufreq.c
+++ b/drivers/cpufreq/powernv-cpufreq.c
@@ -1002,9 +1002,14 @@ static struct cpufreq_driver powernv_cpu
 
 static int init_chip_info(void)
 {
-	unsigned int chip[256];
+	unsigned int *chip;
 	unsigned int cpu, i;
 	unsigned int prev_chip_id = UINT_MAX;
+	int ret = 0;
+
+	chip = kcalloc(num_possible_cpus(), sizeof(*chip), GFP_KERNEL);
+	if (!chip)
+		return -ENOMEM;
 
 	for_each_possible_cpu(cpu) {
 		unsigned int id = cpu_to_chip_id(cpu);
@@ -1016,8 +1021,10 @@ static int init_chip_info(void)
 	}
 
 	chips = kcalloc(nr_chips, sizeof(struct chip), GFP_KERNEL);
-	if (!chips)
-		return -ENOMEM;
+	if (!chips) {
+		ret = -ENOMEM;
+		goto free_and_return;
+	}
 
 	for (i = 0; i < nr_chips; i++) {
 		chips[i].id = chip[i];
@@ -1027,7 +1034,9 @@ static int init_chip_info(void)
 			per_cpu(chip_info, cpu) =  &chips[i];
 	}
 
-	return 0;
+free_and_return:
+	kfree(chip);
+	return ret;
 }
 
 static inline void clean_chip_info(void)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 217/267] ACPI: OSL: only free map once in osl.c
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 216/267] cpufreq: powernv: fix stack bloat and hard limit on number of CPUs Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 218/267] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Francesco Ruggeri, Dmitry Safonov,
	Rafael J. Wysocki

From: Francesco Ruggeri <fruggeri@arista.com>

commit 833a426cc471b6088011b3d67f1dc4e147614647 upstream.

acpi_os_map_cleanup checks map->refcount outside of acpi_ioremap_lock
before freeing the map. This creates a race condition the can result
in the map being freed more than once.
A panic can be caused by running

for ((i=0; i<10; i++))
do
        for ((j=0; j<100000; j++))
        do
                cat /sys/firmware/acpi/tables/data/BERT >/dev/null
        done &
done

This patch makes sure that only the process that drops the reference
to 0 does the freeing.

Fixes: b7c1fadd6c2e ("ACPI: Do not use krefs under a mutex in osl.c")
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/osl.c |   28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -371,19 +371,21 @@ void *__ref acpi_os_map_memory(acpi_phys
 }
 EXPORT_SYMBOL_GPL(acpi_os_map_memory);
 
-static void acpi_os_drop_map_ref(struct acpi_ioremap *map)
+/* Must be called with mutex_lock(&acpi_ioremap_lock) */
+static unsigned long acpi_os_drop_map_ref(struct acpi_ioremap *map)
 {
-	if (!--map->refcount)
+	unsigned long refcount = --map->refcount;
+
+	if (!refcount)
 		list_del_rcu(&map->list);
+	return refcount;
 }
 
 static void acpi_os_map_cleanup(struct acpi_ioremap *map)
 {
-	if (!map->refcount) {
-		synchronize_rcu_expedited();
-		acpi_unmap(map->phys, map->virt);
-		kfree(map);
-	}
+	synchronize_rcu_expedited();
+	acpi_unmap(map->phys, map->virt);
+	kfree(map);
 }
 
 /**
@@ -403,6 +405,7 @@ static void acpi_os_map_cleanup(struct a
 void __ref acpi_os_unmap_iomem(void __iomem *virt, acpi_size size)
 {
 	struct acpi_ioremap *map;
+	unsigned long refcount;
 
 	if (!acpi_permanent_mmap) {
 		__acpi_unmap_table(virt, size);
@@ -416,10 +419,11 @@ void __ref acpi_os_unmap_iomem(void __io
 		WARN(true, PREFIX "%s: bad address %p\n", __func__, virt);
 		return;
 	}
-	acpi_os_drop_map_ref(map);
+	refcount = acpi_os_drop_map_ref(map);
 	mutex_unlock(&acpi_ioremap_lock);
 
-	acpi_os_map_cleanup(map);
+	if (!refcount)
+		acpi_os_map_cleanup(map);
 }
 EXPORT_SYMBOL_GPL(acpi_os_unmap_iomem);
 
@@ -454,6 +458,7 @@ void acpi_os_unmap_generic_address(struc
 {
 	u64 addr;
 	struct acpi_ioremap *map;
+	unsigned long refcount;
 
 	if (gas->space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY)
 		return;
@@ -469,10 +474,11 @@ void acpi_os_unmap_generic_address(struc
 		mutex_unlock(&acpi_ioremap_lock);
 		return;
 	}
-	acpi_os_drop_map_ref(map);
+	refcount = acpi_os_drop_map_ref(map);
 	mutex_unlock(&acpi_ioremap_lock);
 
-	acpi_os_map_cleanup(map);
+	if (!refcount)
+		acpi_os_map_cleanup(map);
 }
 EXPORT_SYMBOL(acpi_os_unmap_generic_address);
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 218/267] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 217/267] ACPI: OSL: only free map once in osl.c Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 219/267] ACPI: PM: Avoid attaching ACPI PM domain to certain devices Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vamshi K Sthambamkadi, Rafael J. Wysocki

From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>

commit 627ead724eff33673597216f5020b72118827de4 upstream.

kmemleak reported backtrace:
    [<bbee0454>] kmem_cache_alloc_trace+0x128/0x260
    [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0
    [<1180f4fc>] i2c_register_adapter+0x186/0x400
    [<6083baf7>] i2c_add_adapter+0x4e/0x70
    [<a3ddf966>] intel_gmbus_setup+0x1a2/0x2c0 [i915]
    [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915]
    [<81911d4b>] i915_pci_probe+0x48/0x160 [i915]
    [<4b159af1>] pci_device_probe+0xdc/0x160
    [<b3c64704>] really_probe+0x1ee/0x450
    [<bc029f5a>] driver_probe_device+0x142/0x1b0
    [<d8829d20>] device_driver_attach+0x49/0x50
    [<de71f045>] __driver_attach+0xc9/0x150
    [<df33ac83>] bus_for_each_dev+0x56/0xa0
    [<80089bba>] driver_attach+0x19/0x20
    [<cc73f583>] bus_add_driver+0x177/0x220
    [<7b29d8c7>] driver_register+0x56/0xf0

In i2c_acpi_remove_space_handler(), a leak occurs whenever the
"data" parameter is initialized to 0 before being passed to
acpi_bus_get_private_data().

This is because the NULL pointer check in acpi_bus_get_private_data()
(condition->if(!*data)) returns EINVAL and, in consequence, memory is
never freed in i2c_acpi_remove_space_handler().

Fix the NULL pointer check in acpi_bus_get_private_data() to follow
the analogous check in acpi_get_data_full().

Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
[ rjw: Subject & changelog ]
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/bus.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -196,7 +196,7 @@ int acpi_bus_get_private_data(acpi_handl
 {
 	acpi_status status;
 
-	if (!*data)
+	if (!data)
 		return -EINVAL;
 
 	status = acpi_get_data(handle, acpi_bus_private_data_handler, data);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 219/267] ACPI: PM: Avoid attaching ACPI PM domain to certain devices
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 218/267] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 220/267] pinctrl: samsung: Add of_node_put() before return in error path Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhang Rui, Todd Brandt, Rafael J. Wysocki

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream.

Certain ACPI-enumerated devices represented as platform devices in
Linux, like fans, require special low-level power management handling
implemented by their drivers that is not in agreement with the ACPI
PM domain behavior.  That leads to problems with managing ACPI fans
during system-wide suspend and resume.

For this reason, make acpi_dev_pm_attach() skip the affected devices
by adding a list of device IDs to avoid to it and putting the IDs of
the affected devices into that list.

Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems)
Reported-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com>
Cc: 3.10+ <stable@vger.kernel.org> # 3.10+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/device_pm.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/acpi/device_pm.c
+++ b/drivers/acpi/device_pm.c
@@ -1154,9 +1154,19 @@ static void acpi_dev_pm_detach(struct de
  */
 int acpi_dev_pm_attach(struct device *dev, bool power_on)
 {
+	/*
+	 * Skip devices whose ACPI companions match the device IDs below,
+	 * because they require special power management handling incompatible
+	 * with the generic ACPI PM domain.
+	 */
+	static const struct acpi_device_id special_pm_ids[] = {
+		{"PNP0C0B", }, /* Generic ACPI fan */
+		{"INT3404", }, /* Fan */
+		{}
+	};
 	struct acpi_device *adev = ACPI_COMPANION(dev);
 
-	if (!adev)
+	if (!adev || !acpi_match_device_ids(adev, special_pm_ids))
 		return -ENODEV;
 
 	if (dev->pm_domain)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 220/267] pinctrl: samsung: Add of_node_put() before return in error path
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 219/267] ACPI: PM: Avoid attaching ACPI PM domain to certain devices Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 221/267] pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nishka Dasgupta, Krzysztof Kozlowski

From: Nishka Dasgupta <nishkadg.linux@gmail.com>

commit 3d2557ab75d4c568c79eefa2e550e0d80348a6bd upstream.

Each iteration of for_each_child_of_node puts the previous node, but in
the case of a return from the middle of the loop, there is no put, thus
causing a memory leak. Hence add an of_node_put before the return of
exynos_eint_wkup_init() error path.
Issue found with Coccinelle.

Signed-off-by: Nishka Dasgupta <nishkadg.linux@gmail.com>
Cc: <stable@vger.kernel.org>
Fixes: 14c255d35b25 ("pinctrl: exynos: Add irq_chip instance for Exynos7 wakeup interrupts")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/samsung/pinctrl-exynos.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/samsung/pinctrl-exynos.c
+++ b/drivers/pinctrl/samsung/pinctrl-exynos.c
@@ -467,8 +467,10 @@ int exynos_eint_wkup_init(struct samsung
 		if (match) {
 			irq_chip = kmemdup(match->data,
 				sizeof(*irq_chip), GFP_KERNEL);
-			if (!irq_chip)
+			if (!irq_chip) {
+				of_node_put(np);
 				return -ENOMEM;
+			}
 			wkup_np = np;
 			break;
 		}



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 221/267] pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 220/267] pinctrl: samsung: Add of_node_put() before return in error path Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 222/267] pinctrl: samsung: Fix device node refcount leaks in init code Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski

From: Krzysztof Kozlowski <krzk@kernel.org>

commit 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 upstream.

In s3c24xx_eint_init() the for_each_child_of_node() loop is used with a
break to find a matching child node.  Although each iteration of
for_each_child_of_node puts the previous node, but early exit from loop
misses it.  This leads to leak of device node.

Cc: <stable@vger.kernel.org>
Fixes: af99a7507469 ("pinctrl: Add pinctrl-s3c24xx driver")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/samsung/pinctrl-s3c24xx.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/samsung/pinctrl-s3c24xx.c
+++ b/drivers/pinctrl/samsung/pinctrl-s3c24xx.c
@@ -495,8 +495,10 @@ static int s3c24xx_eint_init(struct sams
 		return -ENODEV;
 
 	eint_data = devm_kzalloc(dev, sizeof(*eint_data), GFP_KERNEL);
-	if (!eint_data)
+	if (!eint_data) {
+		of_node_put(eint_np);
 		return -ENOMEM;
+	}
 
 	eint_data->drvdata = d;
 
@@ -508,12 +510,14 @@ static int s3c24xx_eint_init(struct sams
 		irq = irq_of_parse_and_map(eint_np, i);
 		if (!irq) {
 			dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i);
+			of_node_put(eint_np);
 			return -ENXIO;
 		}
 
 		eint_data->parents[i] = irq;
 		irq_set_chained_handler_and_data(irq, handlers[i], eint_data);
 	}
+	of_node_put(eint_np);
 
 	bank = d->pin_banks;
 	for (i = 0; i < d->nr_banks; ++i, ++bank) {



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 222/267] pinctrl: samsung: Fix device node refcount leaks in init code
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 221/267] pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 223/267] pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski

From: Krzysztof Kozlowski <krzk@kernel.org>

commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream.

Several functions use for_each_child_of_node() loop with a break to find
a matching child node.  Although each iteration of
for_each_child_of_node puts the previous node, but early exit from loop
misses it.  This leads to leak of device node.

Cc: <stable@vger.kernel.org>
Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/samsung/pinctrl-samsung.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
+++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
@@ -277,6 +277,7 @@ static int samsung_dt_node_to_map(struct
 						&reserved_maps, num_maps);
 		if (ret < 0) {
 			samsung_dt_free_map(pctldev, *map, *num_maps);
+			of_node_put(np);
 			return ret;
 		}
 	}
@@ -761,8 +762,10 @@ static struct samsung_pmx_func *samsung_
 		if (!of_get_child_count(cfg_np)) {
 			ret = samsung_pinctrl_create_function(dev, drvdata,
 							cfg_np, func);
-			if (ret < 0)
+			if (ret < 0) {
+				of_node_put(cfg_np);
 				return ERR_PTR(ret);
+			}
 			if (ret > 0) {
 				++func;
 				++func_cnt;
@@ -773,8 +776,11 @@ static struct samsung_pmx_func *samsung_
 		for_each_child_of_node(cfg_np, func_np) {
 			ret = samsung_pinctrl_create_function(dev, drvdata,
 						func_np, func);
-			if (ret < 0)
+			if (ret < 0) {
+				of_node_put(func_np);
+				of_node_put(cfg_np);
 				return ERR_PTR(ret);
+			}
 			if (ret > 0) {
 				++func;
 				++func_cnt;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 223/267] pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 222/267] pinctrl: samsung: Fix device node refcount leaks in init code Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 224/267] mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski

From: Krzysztof Kozlowski <krzk@kernel.org>

commit 7f028caadf6c37580d0f59c6c094ed09afc04062 upstream.

In s3c64xx_eint_eint0_init() the for_each_child_of_node() loop is used
with a break to find a matching child node.  Although each iteration of
for_each_child_of_node puts the previous node, but early exit from loop
misses it.  This leads to leak of device node.

Cc: <stable@vger.kernel.org>
Fixes: 61dd72613177 ("pinctrl: Add pinctrl-s3c64xx driver")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/samsung/pinctrl-s3c64xx.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/samsung/pinctrl-s3c64xx.c
+++ b/drivers/pinctrl/samsung/pinctrl-s3c64xx.c
@@ -709,8 +709,10 @@ static int s3c64xx_eint_eint0_init(struc
 		return -ENODEV;
 
 	data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL);
-	if (!data)
+	if (!data) {
+		of_node_put(eint0_np);
 		return -ENOMEM;
+	}
 	data->drvdata = d;
 
 	for (i = 0; i < NUM_EINT0_IRQ; ++i) {
@@ -719,6 +721,7 @@ static int s3c64xx_eint_eint0_init(struc
 		irq = irq_of_parse_and_map(eint0_np, i);
 		if (!irq) {
 			dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i);
+			of_node_put(eint0_np);
 			return -ENXIO;
 		}
 
@@ -726,6 +729,7 @@ static int s3c64xx_eint_eint0_init(struc
 						 s3c64xx_eint0_handlers[i],
 						 data);
 	}
+	of_node_put(eint0_np);
 
 	bank = d->pin_banks;
 	for (i = 0; i < d->nr_banks; ++i, ++bank) {



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 224/267] mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 223/267] pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 225/267] ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Nikolaus Schaller, Ulf Hansson

From: H. Nikolaus Schaller <hns@goldelico.com>

commit f6498b922e57aecbe3b7fa30a308d9d586c0c369 upstream.

Pandora_wl1251_init_card was used to do special pdata based
setup of the sdio mmc interface. This does no longer work with
v4.7 and later. A fix requires a device tree based mmc3 setup.

Therefore we move the special setup to omap_hsmmc.c instead
of calling some pdata supplied init_card function.

The new code checks for a DT child node compatible to wl1251
so it will not affect other MMC3 use cases.

Generally, this code was and still is a hack and should be
moved to mmc core to e.g. read such properties from optional
DT child nodes.

Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel")
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Cc: <stable@vger.kernel.org> # v4.7+
[Ulf: Fixed up some checkpatch complaints]
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/omap_hsmmc.c |   30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

--- a/drivers/mmc/host/omap_hsmmc.c
+++ b/drivers/mmc/host/omap_hsmmc.c
@@ -1678,6 +1678,36 @@ static void omap_hsmmc_init_card(struct
 
 	if (mmc_pdata(host)->init_card)
 		mmc_pdata(host)->init_card(card);
+	else if (card->type == MMC_TYPE_SDIO ||
+		 card->type == MMC_TYPE_SD_COMBO) {
+		struct device_node *np = mmc_dev(mmc)->of_node;
+
+		/*
+		 * REVISIT: should be moved to sdio core and made more
+		 * general e.g. by expanding the DT bindings of child nodes
+		 * to provide a mechanism to provide this information:
+		 * Documentation/devicetree/bindings/mmc/mmc-card.txt
+		 */
+
+		np = of_get_compatible_child(np, "ti,wl1251");
+		if (np) {
+			/*
+			 * We have TI wl1251 attached to MMC3. Pass this
+			 * information to the SDIO core because it can't be
+			 * probed by normal methods.
+			 */
+
+			dev_info(host->dev, "found wl1251\n");
+			card->quirks |= MMC_QUIRK_NONSTD_SDIO;
+			card->cccr.wide_bus = 1;
+			card->cis.vendor = 0x104c;
+			card->cis.device = 0x9066;
+			card->cis.blksize = 512;
+			card->cis.max_dtr = 24000000;
+			card->ocr = 0x80;
+			of_node_put(np);
+		}
+	}
 }
 
 static void omap_hsmmc_enable_sdio_irq(struct mmc_host *mmc, int enable)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 225/267] ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 224/267] mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 226/267] ppdev: fix PPGETTIME/PPSETTIME ioctls Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jarkko Nikula, Tony Lindgren

From: Jarkko Nikula <jarkko.nikula@bitmer.com>

commit 287897f9aaa2ad1c923d9875914f57c4dc9159c8 upstream.

The MMC card detection GPIO polarity is active low on TAO3530, like in many
other similar boards. Now the card is not detected and it is unable to
mount rootfs from an SD card.

Fix this by using the correct polarity.

This incorrect polarity was defined already in the commit 30d95c6d7092
("ARM: dts: omap3: Add Technexion TAO3530 SOM omap3-tao3530.dtsi") in v3.18
kernel and later changed to use defined GPIO constants in v4.4 kernel by
the commit 3a637e008e54 ("ARM: dts: Use defined GPIO constants in flags
cell for OMAP2+ boards").

While the latter commit did not introduce the issue I'm marking it with
Fixes tag due the v4.4 kernels still being maintained.

Fixes: 3a637e008e54 ("ARM: dts: Use defined GPIO constants in flags cell for OMAP2+ boards")
Cc: linux-stable <stable@vger.kernel.org> # 4.4+
Signed-off-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/omap3-tao3530.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/omap3-tao3530.dtsi
+++ b/arch/arm/boot/dts/omap3-tao3530.dtsi
@@ -224,7 +224,7 @@
 	pinctrl-0 = <&mmc1_pins>;
 	vmmc-supply = <&vmmc1>;
 	vqmmc-supply = <&vsim>;
-	cd-gpios = <&twl_gpio 0 GPIO_ACTIVE_HIGH>;
+	cd-gpios = <&twl_gpio 0 GPIO_ACTIVE_LOW>;
 	bus-width = <8>;
 };
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 226/267] ppdev: fix PPGETTIME/PPSETTIME ioctls
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 225/267] ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 227/267] powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann

From: Arnd Bergmann <arnd@arndb.de>

commit 998174042da229e2cf5841f574aba4a743e69650 upstream.

Going through the uses of timeval in the user space API,
I noticed two bugs in ppdev that were introduced in the y2038
conversion:

* The range check was accidentally moved from ppsettime to
  ppgettime

* On sparc64, the microseconds are in the other half of the
  64-bit word.

Fix both, and mark the fix for stable backports.

Cc: stable@vger.kernel.org
Fixes: 3b9ab374a1e6 ("ppdev: convert to y2038 safe")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20191108203435.112759-8-arnd@arndb.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/ppdev.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/char/ppdev.c
+++ b/drivers/char/ppdev.c
@@ -623,20 +623,27 @@ static int pp_do_ioctl(struct file *file
 		if (copy_from_user(time32, argp, sizeof(time32)))
 			return -EFAULT;
 
+		if ((time32[0] < 0) || (time32[1] < 0))
+			return -EINVAL;
+
 		return pp_set_timeout(pp->pdev, time32[0], time32[1]);
 
 	case PPSETTIME64:
 		if (copy_from_user(time64, argp, sizeof(time64)))
 			return -EFAULT;
 
+		if ((time64[0] < 0) || (time64[1] < 0))
+			return -EINVAL;
+
+		if (IS_ENABLED(CONFIG_SPARC64) && !in_compat_syscall())
+			time64[1] >>= 32;
+
 		return pp_set_timeout(pp->pdev, time64[0], time64[1]);
 
 	case PPGETTIME32:
 		jiffies_to_timespec64(pp->pdev->timeout, &ts);
 		time32[0] = ts.tv_sec;
 		time32[1] = ts.tv_nsec / NSEC_PER_USEC;
-		if ((time32[0] < 0) || (time32[1] < 0))
-			return -EINVAL;
 
 		if (copy_to_user(argp, time32, sizeof(time32)))
 			return -EFAULT;
@@ -647,8 +654,9 @@ static int pp_do_ioctl(struct file *file
 		jiffies_to_timespec64(pp->pdev->timeout, &ts);
 		time64[0] = ts.tv_sec;
 		time64[1] = ts.tv_nsec / NSEC_PER_USEC;
-		if ((time64[0] < 0) || (time64[1] < 0))
-			return -EINVAL;
+
+		if (IS_ENABLED(CONFIG_SPARC64) && !in_compat_syscall())
+			time64[1] <<= 32;
 
 		if (copy_to_user(argp, time64, sizeof(time64)))
 			return -EFAULT;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 227/267] powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 226/267] ppdev: fix PPGETTIME/PPSETTIME ioctls Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 228/267] powerpc/xive: Prevent page fault issues in the machine crash handler Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alastair DSilva, Michael Ellerman

From: Alastair D'Silva <alastair@d-silva.org>

commit f9ec11165301982585e5e5f606739b5bae5331f3 upstream.

When calling __kernel_sync_dicache with a size >4GB, we were masking
off the upper 32 bits, so we would incorrectly flush a range smaller
than intended.

This patch replaces the 32 bit shifts with 64 bit ones, so that
the full size is accounted for.

Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Cc: stable@vger.kernel.org
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191104023305.9581-3-alastair@au1.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/vdso64/cacheflush.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/vdso64/cacheflush.S
+++ b/arch/powerpc/kernel/vdso64/cacheflush.S
@@ -39,7 +39,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache)
 	subf	r8,r6,r4		/* compute length */
 	add	r8,r8,r5		/* ensure we get enough */
 	lwz	r9,CFG_DCACHE_LOGBLOCKSZ(r10)
-	srw.	r8,r8,r9		/* compute line count */
+	srd.	r8,r8,r9		/* compute line count */
 	crclr	cr0*4+so
 	beqlr				/* nothing to do? */
 	mtctr	r8
@@ -56,7 +56,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache)
 	subf	r8,r6,r4		/* compute length */
 	add	r8,r8,r5
 	lwz	r9,CFG_ICACHE_LOGBLOCKSZ(r10)
-	srw.	r8,r8,r9		/* compute line count */
+	srd.	r8,r8,r9		/* compute line count */
 	crclr	cr0*4+so
 	beqlr				/* nothing to do? */
 	mtctr	r8



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 228/267] powerpc/xive: Prevent page fault issues in the machine crash handler
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 227/267] powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 229/267] powerpc: Allow flush_icache_range to work across ranges >4GB Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cédric Le Goater, Greg Kurz,
	Michael Ellerman

From: Cédric Le Goater <clg@kaod.org>

commit 1ca3dec2b2dff9d286ce6cd64108bda0e98f9710 upstream.

When the machine crash handler is invoked, all interrupts are masked
but interrupts which have not been started yet do not have an ESB page
mapped in the Linux address space. This crashes the 'crash kexec'
sequence on sPAPR guests.

To fix, force the mapping of the ESB page when an interrupt is being
mapped in the Linux IRQ number space. This is done by setting the
initial state of the interrupt to OFF which is not necessarily the
case on PowerNV.

Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller")
Cc: stable@vger.kernel.org # v4.12+
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191031063100.3864-1-clg@kaod.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/sysdev/xive/common.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/powerpc/sysdev/xive/common.c
+++ b/arch/powerpc/sysdev/xive/common.c
@@ -967,6 +967,15 @@ static int xive_irq_alloc_data(unsigned
 	xd->target = XIVE_INVALID_TARGET;
 	irq_set_handler_data(virq, xd);
 
+	/*
+	 * Turn OFF by default the interrupt being mapped. A side
+	 * effect of this check is the mapping the ESB page of the
+	 * interrupt in the Linux address space. This prevents page
+	 * fault issues in the crash handler which masks all
+	 * interrupts.
+	 */
+	xive_esb_read(xd, XIVE_ESB_SET_PQ_01);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 229/267] powerpc: Allow flush_icache_range to work across ranges >4GB
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 228/267] powerpc/xive: Prevent page fault issues in the machine crash handler Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 230/267] powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alastair DSilva, Michael Ellerman

From: Alastair D'Silva <alastair@d-silva.org>

commit 29430fae82073d39b1b881a3cd507416a56a363f upstream.

When calling flush_icache_range with a size >4GB, we were masking
off the upper 32 bits, so we would incorrectly flush a range smaller
than intended.

This patch replaces the 32 bit shifts with 64 bit ones, so that
the full size is accounted for.

Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Cc: stable@vger.kernel.org
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191104023305.9581-2-alastair@au1.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/misc_64.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/misc_64.S
+++ b/arch/powerpc/kernel/misc_64.S
@@ -86,7 +86,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_I
 	subf	r8,r6,r4		/* compute length */
 	add	r8,r8,r5		/* ensure we get enough */
 	lwz	r9,DCACHEL1LOGBLOCKSIZE(r10)	/* Get log-2 of cache block size */
-	srw.	r8,r8,r9		/* compute line count */
+	srd.	r8,r8,r9		/* compute line count */
 	beqlr				/* nothing to do? */
 	mtctr	r8
 1:	dcbst	0,r6
@@ -102,7 +102,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_I
 	subf	r8,r6,r4		/* compute length */
 	add	r8,r8,r5
 	lwz	r9,ICACHEL1LOGBLOCKSIZE(r10)	/* Get log-2 of Icache block size */
-	srw.	r8,r8,r9		/* compute line count */
+	srd.	r8,r8,r9		/* compute line count */
 	beqlr				/* nothing to do? */
 	mtctr	r8
 2:	icbi	0,r6



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 230/267] powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 229/267] powerpc: Allow flush_icache_range to work across ranges >4GB Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 231/267] video/hdmi: Fix AVI bar unpack Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cédric Le Goater, Daniel Axtens,
	Michael Ellerman

From: Cédric Le Goater <clg@kaod.org>

commit b67a95f2abff0c34e5667c15ab8900de73d8d087 upstream.

The PCI INTx interrupts and other LSI interrupts are handled differently
under a sPAPR platform. When the interrupt source characteristics are
queried, the hypervisor returns an H_INT_ESB flag to inform the OS
that it should be using the H_INT_ESB hcall for interrupt management
and not loads and stores on the interrupt ESB pages.

A default -1 value is returned for the addresses of the ESB pages. The
driver ignores this condition today and performs a bogus IO mapping.
Recent changes and the DEBUG_VM configuration option make the bug
visible with :

  kernel BUG at arch/powerpc/include/asm/book3s/64/pgtable.h:612!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE PAGE_SIZE=64K MMU=Radix MMU=Hash SMP NR_CPUS=1024 NUMA pSeries
  Modules linked in:
  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.0-0.rc6.git0.1.fc32.ppc64le #1
  NIP:  c000000000f63294 LR: c000000000f62e44 CTR: 0000000000000000
  REGS: c0000000fa45f0d0 TRAP: 0700   Not tainted  (5.4.0-0.rc6.git0.1.fc32.ppc64le)
  ...
  NIP ioremap_page_range+0x4c4/0x6e0
  LR  ioremap_page_range+0x74/0x6e0
  Call Trace:
    ioremap_page_range+0x74/0x6e0 (unreliable)
    do_ioremap+0x8c/0x120
    __ioremap_caller+0x128/0x140
    ioremap+0x30/0x50
    xive_spapr_populate_irq_data+0x170/0x260
    xive_irq_domain_map+0x8c/0x170
    irq_domain_associate+0xb4/0x2d0
    irq_create_mapping+0x1e0/0x3b0
    irq_create_fwspec_mapping+0x27c/0x3e0
    irq_create_of_mapping+0x98/0xb0
    of_irq_parse_and_map_pci+0x168/0x230
    pcibios_setup_device+0x88/0x250
    pcibios_setup_bus_devices+0x54/0x100
    __of_scan_bus+0x160/0x310
    pcibios_scan_phb+0x330/0x390
    pcibios_init+0x8c/0x128
    do_one_initcall+0x60/0x2c0
    kernel_init_freeable+0x290/0x378
    kernel_init+0x2c/0x148
    ret_from_kernel_thread+0x5c/0x80

Fixes: bed81ee181dd ("powerpc/xive: introduce H_INT_ESB hcall")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191203163642.2428-1-clg@kaod.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/sysdev/xive/spapr.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/arch/powerpc/sysdev/xive/spapr.c
+++ b/arch/powerpc/sysdev/xive/spapr.c
@@ -293,20 +293,28 @@ static int xive_spapr_populate_irq_data(
 	data->esb_shift = esb_shift;
 	data->trig_page = trig_page;
 
+	data->hw_irq = hw_irq;
+
 	/*
 	 * No chip-id for the sPAPR backend. This has an impact how we
 	 * pick a target. See xive_pick_irq_target().
 	 */
 	data->src_chip = XIVE_INVALID_CHIP_ID;
 
+	/*
+	 * When the H_INT_ESB flag is set, the H_INT_ESB hcall should
+	 * be used for interrupt management. Skip the remapping of the
+	 * ESB pages which are not available.
+	 */
+	if (data->flags & XIVE_IRQ_FLAG_H_INT_ESB)
+		return 0;
+
 	data->eoi_mmio = ioremap(data->eoi_page, 1u << data->esb_shift);
 	if (!data->eoi_mmio) {
 		pr_err("Failed to map EOI page for irq 0x%x\n", hw_irq);
 		return -ENOMEM;
 	}
 
-	data->hw_irq = hw_irq;
-
 	/* Full function page supports trigger */
 	if (flags & XIVE_SRC_TRIGGER) {
 		data->trig_mmio = data->eoi_mmio;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 231/267] video/hdmi: Fix AVI bar unpack
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 230/267] powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 232/267] quota: Check that quota is not dirty before release Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, linux-media, Martin Bugge,
	Hans Verkuil, Thierry Reding, Mauro Carvalho Chehab,
	Ville Syrjälä

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 6039f37dd6b76641198e290f26b31c475248f567 upstream.

The bar values are little endian, not big endian. The pack
function did it right but the unpack got it wrong. Fix it.

Cc: stable@vger.kernel.org
Cc: linux-media@vger.kernel.org
Cc: Martin Bugge <marbugge@cisco.com>
Cc: Hans Verkuil <hans.verkuil@cisco.com>
Cc: Thierry Reding <treding@nvidia.com>
Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Fixes: 2c676f378edb ("[media] hdmi: added unpack and logging functions for InfoFrames")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190919132853.30954-1-ville.syrjala@linux.intel.com
Reviewed-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/hdmi.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/video/hdmi.c
+++ b/drivers/video/hdmi.c
@@ -1036,12 +1036,12 @@ static int hdmi_avi_infoframe_unpack(str
 	if (ptr[0] & 0x10)
 		frame->active_aspect = ptr[1] & 0xf;
 	if (ptr[0] & 0x8) {
-		frame->top_bar = (ptr[5] << 8) + ptr[6];
-		frame->bottom_bar = (ptr[7] << 8) + ptr[8];
+		frame->top_bar = (ptr[6] << 8) | ptr[5];
+		frame->bottom_bar = (ptr[8] << 8) | ptr[7];
 	}
 	if (ptr[0] & 0x4) {
-		frame->left_bar = (ptr[9] << 8) + ptr[10];
-		frame->right_bar = (ptr[11] << 8) + ptr[12];
+		frame->left_bar = (ptr[10] << 8) | ptr[9];
+		frame->right_bar = (ptr[12] << 8) | ptr[11];
 	}
 	frame->scan_mode = ptr[0] & 0x3;
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 232/267] quota: Check that quota is not dirty before release
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 231/267] video/hdmi: Fix AVI bar unpack Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 233/267] ext2: check err when partial != NULL Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Monakhov, Jan Kara

From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>

commit df4bb5d128e2c44848aeb36b7ceceba3ac85080d upstream.

There is a race window where quota was redirted once we drop dq_list_lock inside dqput(),
but before we grab dquot->dq_lock inside dquot_release()

TASK1                                                       TASK2 (chowner)
->dqput()
  we_slept:
    spin_lock(&dq_list_lock)
    if (dquot_dirty(dquot)) {
          spin_unlock(&dq_list_lock);
          dquot->dq_sb->dq_op->write_dquot(dquot);
          goto we_slept
    if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
          spin_unlock(&dq_list_lock);
          dquot->dq_sb->dq_op->release_dquot(dquot);
                                                            dqget()
							    mark_dquot_dirty()
							    dqput()
          goto we_slept;
        }
So dquot dirty quota will be released by TASK1, but on next we_sleept loop
we detect this and call ->write_dquot() for it.
XFSTEST: https://github.com/dmonakhov/xfstests/commit/440a80d4cbb39e9234df4d7240aee1d551c36107

Link: https://lore.kernel.org/r/20191031103920.3919-2-dmonakhov@openvz.org
CC: stable@vger.kernel.org
Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/quota_global.c  |    2 +-
 fs/quota/dquot.c         |    2 +-
 include/linux/quotaops.h |   10 ++++++++++
 3 files changed, 12 insertions(+), 2 deletions(-)

--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -727,7 +727,7 @@ static int ocfs2_release_dquot(struct dq
 
 	mutex_lock(&dquot->dq_lock);
 	/* Check whether we are not racing with some other dqget() */
-	if (atomic_read(&dquot->dq_count) > 1)
+	if (dquot_is_busy(dquot))
 		goto out;
 	/* Running from downconvert thread? Postpone quota processing to wq */
 	if (current == osb->dc_task) {
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -491,7 +491,7 @@ int dquot_release(struct dquot *dquot)
 
 	mutex_lock(&dquot->dq_lock);
 	/* Check whether we are not racing with some other dqget() */
-	if (atomic_read(&dquot->dq_count) > 1)
+	if (dquot_is_busy(dquot))
 		goto out_dqlock;
 	if (dqopt->ops[dquot->dq_id.type]->release_dqblk) {
 		ret = dqopt->ops[dquot->dq_id.type]->release_dqblk(dquot);
--- a/include/linux/quotaops.h
+++ b/include/linux/quotaops.h
@@ -51,6 +51,16 @@ static inline struct dquot *dqgrab(struc
 	atomic_inc(&dquot->dq_count);
 	return dquot;
 }
+
+static inline bool dquot_is_busy(struct dquot *dquot)
+{
+	if (test_bit(DQ_MOD_B, &dquot->dq_flags))
+		return true;
+	if (atomic_read(&dquot->dq_count) > 1)
+		return true;
+	return false;
+}
+
 void dqput(struct dquot *dquot);
 int dquot_scan_active(struct super_block *sb,
 		      int (*fn)(struct dquot *dquot, unsigned long priv),



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 233/267] ext2: check err when partial != NULL
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (231 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 232/267] quota: Check that quota is not dirty before release Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 234/267] quota: fix livelock in dquot_writeback_dquots Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chengguang Xu, Jan Kara

From: Chengguang Xu <cgxu519@mykernel.net>

commit e705f4b8aa27a59f8933e8f384e9752f052c469c upstream.

Check err when partial == NULL is meaningless because
partial == NULL means getting branch successfully without
error.

CC: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191105045100.7104-1-cgxu519@mykernel.net
Signed-off-by: Chengguang Xu <cgxu519@mykernel.net>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext2/inode.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -699,10 +699,13 @@ static int ext2_get_blocks(struct inode
 		if (!partial) {
 			count++;
 			mutex_unlock(&ei->truncate_mutex);
-			if (err)
-				goto cleanup;
 			goto got_it;
 		}
+
+		if (err) {
+			mutex_unlock(&ei->truncate_mutex);
+			goto cleanup;
+		}
 	}
 
 	/*



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 234/267] quota: fix livelock in dquot_writeback_dquots
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (232 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 233/267] ext2: check err when partial != NULL Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 235/267] ext4: Fix credit estimate for final inode freeing Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov,
	Dmitry Monakhov, Jan Kara

From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>

commit 6ff33d99fc5c96797103b48b7b0902c296f09c05 upstream.

Write only quotas which are dirty at entry.

XFSTEST: https://github.com/dmonakhov/xfstests/commit/b10ad23566a5bf75832a6f500e1236084083cddc

Link: https://lore.kernel.org/r/20191031103920.3919-1-dmonakhov@openvz.org
CC: stable@vger.kernel.org
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/quota/dquot.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -617,7 +617,7 @@ EXPORT_SYMBOL(dquot_scan_active);
 /* Write all dquot structures to quota files */
 int dquot_writeback_dquots(struct super_block *sb, int type)
 {
-	struct list_head *dirty;
+	struct list_head dirty;
 	struct dquot *dquot;
 	struct quota_info *dqopt = sb_dqopt(sb);
 	int cnt;
@@ -631,9 +631,10 @@ int dquot_writeback_dquots(struct super_
 		if (!sb_has_quota_active(sb, cnt))
 			continue;
 		spin_lock(&dq_list_lock);
-		dirty = &dqopt->info[cnt].dqi_dirty_list;
-		while (!list_empty(dirty)) {
-			dquot = list_first_entry(dirty, struct dquot,
+		/* Move list away to avoid livelock. */
+		list_replace_init(&dqopt->info[cnt].dqi_dirty_list, &dirty);
+		while (!list_empty(&dirty)) {
+			dquot = list_first_entry(&dirty, struct dquot,
 						 dq_dirty);
 
 			WARN_ON(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags));



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 235/267] ext4: Fix credit estimate for final inode freeing
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (233 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 234/267] quota: fix livelock in dquot_writeback_dquots Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 236/267] reiserfs: fix extended attributes on the root directory Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kara, Theodore Tso

From: Jan Kara <jack@suse.cz>

commit 65db869c754e7c271691dd5feabf884347e694f5 upstream.

Estimate for the number of credits needed for final freeing of inode in
ext4_evict_inode() was to small. We may modify 4 blocks (inode & sb for
orphan deletion, bitmap & group descriptor for inode freeing) and not
just 3.

[ Fixed minor whitespace nit. -- TYT ]

Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20191105164437.32602-6-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/inode.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -195,7 +195,12 @@ void ext4_evict_inode(struct inode *inod
 {
 	handle_t *handle;
 	int err;
-	int extra_credits = 3;
+	/*
+	 * Credits for final inode cleanup and freeing:
+	 * sb + inode (ext4_orphan_del()), block bitmap, group descriptor
+	 * (xattr block freeing), bitmap, group descriptor (inode freeing)
+	 */
+	int extra_credits = 6;
 	struct ext4_xattr_inode_array *ea_inode_array = NULL;
 
 	trace_ext4_evict_inode(inode);
@@ -251,8 +256,12 @@ void ext4_evict_inode(struct inode *inod
 	if (!IS_NOQUOTA(inode))
 		extra_credits += EXT4_MAXQUOTAS_DEL_BLOCKS(inode->i_sb);
 
+	/*
+	 * Block bitmap, group descriptor, and inode are accounted in both
+	 * ext4_blocks_for_truncate() and extra_credits. So subtract 3.
+	 */
 	handle = ext4_journal_start(inode, EXT4_HT_TRUNCATE,
-				 ext4_blocks_for_truncate(inode)+extra_credits);
+			 ext4_blocks_for_truncate(inode) + extra_credits - 3);
 	if (IS_ERR(handle)) {
 		ext4_std_error(inode->i_sb, PTR_ERR(handle));
 		/*



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 236/267] reiserfs: fix extended attributes on the root directory
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 235/267] ext4: Fix credit estimate for final inode freeing Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 237/267] block: fix single range discard merge Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeff Mahoney, Jan Kara

From: Jeff Mahoney <jeffm@suse.com>

commit 60e4cf67a582d64f07713eda5fcc8ccdaf7833e6 upstream.

Since commit d0a5b995a308 (vfs: Add IOP_XATTR inode operations flag)
extended attributes haven't worked on the root directory in reiserfs.

This is due to reiserfs conditionally setting the sb->s_xattrs handler
array depending on whether it located or create the internal privroot
directory.  It necessarily does this after the root inode is already
read in.  The IOP_XATTR flag is set during inode initialization, so
it never gets set on the root directory.

This commit unconditionally assigns sb->s_xattrs and clears IOP_XATTR on
internal inodes.  The old return values due to the conditional assignment
are handled via open_xa_root, which now returns EOPNOTSUPP as the VFS
would have done.

Link: https://lore.kernel.org/r/20191024143127.17509-1-jeffm@suse.com
CC: stable@vger.kernel.org
Fixes: d0a5b995a308 ("vfs: Add IOP_XATTR inode operations flag")
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/reiserfs/inode.c     |   12 ++++++++++--
 fs/reiserfs/namei.c     |    7 +++++--
 fs/reiserfs/reiserfs.h  |    2 ++
 fs/reiserfs/super.c     |    2 ++
 fs/reiserfs/xattr.c     |   19 ++++++++++++-------
 fs/reiserfs/xattr_acl.c |    4 +---
 6 files changed, 32 insertions(+), 14 deletions(-)

--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
@@ -2096,6 +2096,15 @@ int reiserfs_new_inode(struct reiserfs_t
 		goto out_inserted_sd;
 	}
 
+	/*
+	 * Mark it private if we're creating the privroot
+	 * or something under it.
+	 */
+	if (IS_PRIVATE(dir) || dentry == REISERFS_SB(sb)->priv_root) {
+		inode->i_flags |= S_PRIVATE;
+		inode->i_opflags &= ~IOP_XATTR;
+	}
+
 	if (reiserfs_posixacl(inode->i_sb)) {
 		reiserfs_write_unlock(inode->i_sb);
 		retval = reiserfs_inherit_default_acl(th, dir, dentry, inode);
@@ -2110,8 +2119,7 @@ int reiserfs_new_inode(struct reiserfs_t
 		reiserfs_warning(inode->i_sb, "jdm-13090",
 				 "ACLs aren't enabled in the fs, "
 				 "but vfs thinks they are!");
-	} else if (IS_PRIVATE(dir))
-		inode->i_flags |= S_PRIVATE;
+	}
 
 	if (security->name) {
 		reiserfs_write_unlock(inode->i_sb);
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -377,10 +377,13 @@ static struct dentry *reiserfs_lookup(st
 
 		/*
 		 * Propagate the private flag so we know we're
-		 * in the priv tree
+		 * in the priv tree.  Also clear IOP_XATTR
+		 * since we don't have xattrs on xattr files.
 		 */
-		if (IS_PRIVATE(dir))
+		if (IS_PRIVATE(dir)) {
 			inode->i_flags |= S_PRIVATE;
+			inode->i_opflags &= ~IOP_XATTR;
+		}
 	}
 	reiserfs_write_unlock(dir->i_sb);
 	if (retval == IO_ERROR) {
--- a/fs/reiserfs/reiserfs.h
+++ b/fs/reiserfs/reiserfs.h
@@ -1168,6 +1168,8 @@ static inline int bmap_would_wrap(unsign
 	return bmap_nr > ((1LL << 16) - 1);
 }
 
+extern const struct xattr_handler *reiserfs_xattr_handlers[];
+
 /*
  * this says about version of key of all items (but stat data) the
  * object consists of
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -2052,6 +2052,8 @@ static int reiserfs_fill_super(struct su
 	if (replay_only(s))
 		goto error_unlocked;
 
+	s->s_xattr = reiserfs_xattr_handlers;
+
 	if (bdev_read_only(s->s_bdev) && !sb_rdonly(s)) {
 		SWARN(silent, s, "clm-7000",
 		      "Detected readonly device, marking FS readonly");
--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -122,13 +122,13 @@ static struct dentry *open_xa_root(struc
 	struct dentry *xaroot;
 
 	if (d_really_is_negative(privroot))
-		return ERR_PTR(-ENODATA);
+		return ERR_PTR(-EOPNOTSUPP);
 
 	inode_lock_nested(d_inode(privroot), I_MUTEX_XATTR);
 
 	xaroot = dget(REISERFS_SB(sb)->xattr_root);
 	if (!xaroot)
-		xaroot = ERR_PTR(-ENODATA);
+		xaroot = ERR_PTR(-EOPNOTSUPP);
 	else if (d_really_is_negative(xaroot)) {
 		int err = -ENODATA;
 
@@ -610,6 +610,10 @@ int reiserfs_xattr_set(struct inode *ino
 	int error, error2;
 	size_t jbegin_count = reiserfs_xattr_nblocks(inode, buffer_size);
 
+	/* Check before we start a transaction and then do nothing. */
+	if (!d_really_is_positive(REISERFS_SB(inode->i_sb)->priv_root))
+		return -EOPNOTSUPP;
+
 	if (!(flags & XATTR_REPLACE))
 		jbegin_count += reiserfs_xattr_jcreate_nblocks(inode);
 
@@ -832,8 +836,7 @@ ssize_t reiserfs_listxattr(struct dentry
 	if (d_really_is_negative(dentry))
 		return -EINVAL;
 
-	if (!dentry->d_sb->s_xattr ||
-	    get_inode_sd_version(d_inode(dentry)) == STAT_DATA_V1)
+	if (get_inode_sd_version(d_inode(dentry)) == STAT_DATA_V1)
 		return -EOPNOTSUPP;
 
 	dir = open_xa_dir(d_inode(dentry), XATTR_REPLACE);
@@ -873,6 +876,7 @@ static int create_privroot(struct dentry
 	}
 
 	d_inode(dentry)->i_flags |= S_PRIVATE;
+	d_inode(dentry)->i_opflags &= ~IOP_XATTR;
 	reiserfs_info(dentry->d_sb, "Created %s - reserved for xattr "
 		      "storage.\n", PRIVROOT_NAME);
 
@@ -886,7 +890,7 @@ static int create_privroot(struct dentry
 #endif
 
 /* Actual operations that are exported to VFS-land */
-static const struct xattr_handler *reiserfs_xattr_handlers[] = {
+const struct xattr_handler *reiserfs_xattr_handlers[] = {
 #ifdef CONFIG_REISERFS_FS_XATTR
 	&reiserfs_xattr_user_handler,
 	&reiserfs_xattr_trusted_handler,
@@ -957,8 +961,10 @@ int reiserfs_lookup_privroot(struct supe
 	if (!IS_ERR(dentry)) {
 		REISERFS_SB(s)->priv_root = dentry;
 		d_set_d_op(dentry, &xattr_lookup_poison_ops);
-		if (d_really_is_positive(dentry))
+		if (d_really_is_positive(dentry)) {
 			d_inode(dentry)->i_flags |= S_PRIVATE;
+			d_inode(dentry)->i_opflags &= ~IOP_XATTR;
+		}
 	} else
 		err = PTR_ERR(dentry);
 	inode_unlock(d_inode(s->s_root));
@@ -987,7 +993,6 @@ int reiserfs_xattr_init(struct super_blo
 	}
 
 	if (d_really_is_positive(privroot)) {
-		s->s_xattr = reiserfs_xattr_handlers;
 		inode_lock(d_inode(privroot));
 		if (!REISERFS_SB(s)->xattr_root) {
 			struct dentry *dentry;
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -320,10 +320,8 @@ reiserfs_inherit_default_acl(struct reis
 	 * would be useless since permissions are ignored, and a pain because
 	 * it introduces locking cycles
 	 */
-	if (IS_PRIVATE(dir)) {
-		inode->i_flags |= S_PRIVATE;
+	if (IS_PRIVATE(inode))
 		goto apply_umask;
-	}
 
 	err = posix_acl_create(dir, &inode->i_mode, &default_acl, &acl);
 	if (err)



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 237/267] block: fix single range discard merge
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 236/267] reiserfs: fix extended attributes on the root directory Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 238/267] scsi: zfcp: trace channel log even for FCP command responses Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jens Axboe, Guangwu Zhang,
	Christoph Hellwig, Jianchao Wang, Ming Lei, Andre Tomt,
	Jack Wang

From: Ming Lei <ming.lei@redhat.com>

commit 2a5cf35cd6c56b2924bce103413ad3381bdc31fa upstream.

There are actually two kinds of discard merge:

- one is the normal discard merge, just like normal read/write request,
and call it single-range discard

- another is the multi-range discard, queue_max_discard_segments(rq->q) > 1

For the former case, queue_max_discard_segments(rq->q) is 1, and we
should handle this kind of discard merge like the normal read/write
request.

This patch fixes the following kernel panic issue[1], which is caused by
not removing the single-range discard request from elevator queue.

Guangwu has one raid discard test case, in which this issue is a bit
easier to trigger, and I verified that this patch can fix the kernel
panic issue in Guangwu's test case.

[1] kernel panic log from Jens's report

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000148
 PGD 0 P4D 0.
 Oops: 0000 [#1] SMP PTI
 CPU: 37 PID: 763 Comm: kworker/37:1H Not tainted \
4.20.0-rc3-00649-ge64d9a554a91-dirty #14  Hardware name: Wiwynn \
Leopard-Orv2/Leopard-DDR BW, BIOS LBM08   03/03/2017       Workqueue: kblockd \
blk_mq_run_work_fn                                            RIP: \
0010:blk_mq_get_driver_tag+0x81/0x120                                       Code: 24 \
10 48 89 7c 24 20 74 21 83 fa ff 0f 95 c0 48 8b 4c 24 28 65 48 33 0c 25 28 00 00 00 \
0f 85 96 00 00 00 48 83 c4 30 5b 5d c3 <48> 8b 87 48 01 00 00 8b 40 04 39 43 20 72 37 \
f6 87 b0 00 00 00 02  RSP: 0018:ffffc90004aabd30 EFLAGS: 00010246                     \
  RAX: 0000000000000003 RBX: ffff888465ea1300 RCX: ffffc90004aabde8
 RDX: 00000000ffffffff RSI: ffffc90004aabde8 RDI: 0000000000000000
 RBP: 0000000000000000 R08: ffff888465ea1348 R09: 0000000000000000
 R10: 0000000000001000 R11: 00000000ffffffff R12: ffff888465ea1300
 R13: 0000000000000000 R14: ffff888465ea1348 R15: ffff888465d10000
 FS:  0000000000000000(0000) GS:ffff88846f9c0000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000148 CR3: 000000000220a003 CR4: 00000000003606e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  blk_mq_dispatch_rq_list+0xec/0x480
  ? elv_rb_del+0x11/0x30
  blk_mq_do_dispatch_sched+0x6e/0xf0
  blk_mq_sched_dispatch_requests+0xfa/0x170
  __blk_mq_run_hw_queue+0x5f/0xe0
  process_one_work+0x154/0x350
  worker_thread+0x46/0x3c0
  kthread+0xf5/0x130
  ? process_one_work+0x350/0x350
  ? kthread_destroy_worker+0x50/0x50
  ret_from_fork+0x1f/0x30
 Modules linked in: sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel \
kvm switchtec irqbypass iTCO_wdt iTCO_vendor_support efivars cdc_ether usbnet mii \
cdc_acm i2c_i801 lpc_ich mfd_core ipmi_si ipmi_devintf ipmi_msghandler acpi_cpufreq \
button sch_fq_codel nfsd nfs_acl lockd grace auth_rpcgss oid_registry sunrpc nvme \
nvme_core fuse sg loop efivarfs autofs4  CR2: 0000000000000148                        \

 ---[ end trace 340a1fb996df1b9b ]---
 RIP: 0010:blk_mq_get_driver_tag+0x81/0x120
 Code: 24 10 48 89 7c 24 20 74 21 83 fa ff 0f 95 c0 48 8b 4c 24 28 65 48 33 0c 25 28 \
00 00 00 0f 85 96 00 00 00 48 83 c4 30 5b 5d c3 <48> 8b 87 48 01 00 00 8b 40 04 39 43 \
20 72 37 f6 87 b0 00 00 00 02

Fixes: 445251d0f4d329a ("blk-mq: fix discard merge with scheduler attached")
Reported-by: Jens Axboe <axboe@kernel.dk>
Cc: Guangwu Zhang <guazhang@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jianchao Wang <jianchao.w.wang@oracle.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Cc: Andre Tomt <andre@tomt.net>
Cc: Jack Wang <jack.wang.usish@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/blk-merge.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -765,7 +765,7 @@ static struct request *attempt_merge(str
 
 	req->__data_len += blk_rq_bytes(next);
 
-	if (req_op(req) != REQ_OP_DISCARD)
+	if (!blk_discard_mergable(req))
 		elv_merge_requests(q, req, next);
 
 	/*



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 238/267] scsi: zfcp: trace channel log even for FCP command responses
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 237/267] block: fix single range discard merge Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 239/267] scsi: qla2xxx: Fix DMA unmap leak Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Block, Steffen Maier,
	Martin K. Petersen, Sasha Levin

From: Steffen Maier <maier@linux.ibm.com>

[ Upstream commit 100843f176109af94600e500da0428e21030ca7f ]

While v2.6.26 commit b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug
trace") is right that we don't want to flood the (payload) trace ring
buffer, we don't trace successful FCP command responses by default.  So we
can include the channel log for problem determination with failed responses
of any FSF request type.

Fixes: b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug trace")
Fixes: a54ca0f62f95 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
Cc: <stable@vger.kernel.org> #2.6.38+
Link: https://lore.kernel.org/r/e37597b5c4ae123aaa85fd86c23a9f71e994e4a9.1572018132.git.bblock@linux.ibm.com
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Signed-off-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/scsi/zfcp_dbf.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
index 599447032e50a..bc6c1d6a1c42e 100644
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -94,11 +94,9 @@ void zfcp_dbf_hba_fsf_res(char *tag, int level, struct zfcp_fsf_req *req)
 	memcpy(rec->u.res.fsf_status_qual, &q_head->fsf_status_qual,
 	       FSF_STATUS_QUALIFIER_SIZE);
 
-	if (req->fsf_command != FSF_QTCB_FCP_CMND) {
-		rec->pl_len = q_head->log_length;
-		zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start,
-				  rec->pl_len, "fsf_res", req->req_id);
-	}
+	rec->pl_len = q_head->log_length;
+	zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start,
+			  rec->pl_len, "fsf_res", req->req_id);
 
 	debug_event(dbf->hba, level, rec, sizeof(*rec));
 	spin_unlock_irqrestore(&dbf->hba_lock, flags);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 239/267] scsi: qla2xxx: Fix DMA unmap leak
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (237 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 238/267] scsi: zfcp: trace channel log even for FCP command responses Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 240/267] scsi: qla2xxx: Fix session lookup in qlt_abort_work() Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quinn Tran, Himanshu Madhani,
	Martin K. Petersen, Sasha Levin

From: Himanshu Madhani <hmadhani@marvell.com>

[ Upstream commit 5d328de64d89400dcf9911125844d8adc0db697f ]

With debug kernel we see following wanings indicating memory leak.

[28809.523959] WARNING: CPU: 3 PID: 6790 at lib/dma-debug.c:978
dma_debug_device_change+0x166/0x1d0
[28809.523964] pci 0000:0c:00.6: DMA-API: device driver has pending DMA
allocations while released from device [count=5]
[28809.523964] One of leaked entries details: [device
address=0x00000002aefe4000] [size=8208 bytes] [mapped with DMA_BIDIRECTIONAL]
[mapped as coherent]

Fix this by unmapping DMA memory.

Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
index 7472d3882ad41..6f8c7df69f66c 100644
--- a/drivers/scsi/qla2xxx/qla_bsg.c
+++ b/drivers/scsi/qla2xxx/qla_bsg.c
@@ -342,6 +342,8 @@ qla2x00_process_els(struct bsg_job *bsg_job)
 		dma_map_sg(&ha->pdev->dev, bsg_job->request_payload.sg_list,
 		bsg_job->request_payload.sg_cnt, DMA_TO_DEVICE);
 	if (!req_sg_cnt) {
+		dma_unmap_sg(&ha->pdev->dev, bsg_job->request_payload.sg_list,
+		    bsg_job->request_payload.sg_cnt, DMA_TO_DEVICE);
 		rval = -ENOMEM;
 		goto done_free_fcport;
 	}
@@ -349,6 +351,8 @@ qla2x00_process_els(struct bsg_job *bsg_job)
 	rsp_sg_cnt = dma_map_sg(&ha->pdev->dev, bsg_job->reply_payload.sg_list,
 		bsg_job->reply_payload.sg_cnt, DMA_FROM_DEVICE);
         if (!rsp_sg_cnt) {
+		dma_unmap_sg(&ha->pdev->dev, bsg_job->reply_payload.sg_list,
+		    bsg_job->reply_payload.sg_cnt, DMA_FROM_DEVICE);
 		rval = -ENOMEM;
 		goto done_free_fcport;
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 240/267] scsi: qla2xxx: Fix session lookup in qlt_abort_work()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (238 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 239/267] scsi: qla2xxx: Fix DMA unmap leak Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 241/267] scsi: qla2xxx: Fix qla24xx_process_bidir_cmd() Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Bart Van Assche,
	Martin K. Petersen, Sasha Levin

From: Bart Van Assche <bvanassche@acm.org>

[ Upstream commit ac452b8e79320c9e90c78edf32ba2d42431e4daf ]

Pass the correct session ID to find_sess_by_s_id() instead of passing an
uninitialized variable.

Cc: Himanshu Madhani <hmadhani@marvell.com>
Fixes: 2d70c103fd2a ("[SCSI] qla2xxx: Add LLD target-mode infrastructure for >= 24xx series") # v3.5.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Himanshu Madhani <hmadhani@marvell.com>
Reviewed-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_target.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
index 11753ed3433ca..2f5658554275c 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -5918,7 +5918,6 @@ static void qlt_abort_work(struct qla_tgt *tgt,
 	struct qla_hw_data *ha = vha->hw;
 	struct fc_port *sess = NULL;
 	unsigned long flags = 0, flags2 = 0;
-	uint32_t be_s_id;
 	uint8_t s_id[3];
 	int rc;
 
@@ -5931,8 +5930,7 @@ static void qlt_abort_work(struct qla_tgt *tgt,
 	s_id[1] = prm->abts.fcp_hdr_le.s_id[1];
 	s_id[2] = prm->abts.fcp_hdr_le.s_id[0];
 
-	sess = ha->tgt.tgt_ops->find_sess_by_s_id(vha,
-	    (unsigned char *)&be_s_id);
+	sess = ha->tgt.tgt_ops->find_sess_by_s_id(vha, s_id);
 	if (!sess) {
 		spin_unlock_irqrestore(&ha->tgt.sess_lock, flags2);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 241/267] scsi: qla2xxx: Fix qla24xx_process_bidir_cmd()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (239 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 240/267] scsi: qla2xxx: Fix session lookup in qlt_abort_work() Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 242/267] scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Bart Van Assche,
	Martin K. Petersen, Sasha Levin

From: Bart Van Assche <bvanassche@acm.org>

[ Upstream commit c29282c65d1cf54daeea63be46243d7f69d72f4d ]

Set the r??_data_len variables before using these instead of after.

This patch fixes the following Coverity complaint:

const: At condition req_data_len != rsp_data_len, the value of req_data_len
must be equal to 0.
const: At condition req_data_len != rsp_data_len, the value of rsp_data_len
must be equal to 0.
dead_error_condition: The condition req_data_len != rsp_data_len cannot be
true.

Cc: Himanshu Madhani <hmadhani@marvell.com>
Fixes: a9b6f722f62d ("[SCSI] qla2xxx: Implementation of bidirectional.") # v3.7.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Himanshu Madhani <hmadhani@marvell.com>
Reviewed-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_bsg.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
index 6f8c7df69f66c..c1ca21a88a096 100644
--- a/drivers/scsi/qla2xxx/qla_bsg.c
+++ b/drivers/scsi/qla2xxx/qla_bsg.c
@@ -1782,8 +1782,8 @@ qla24xx_process_bidir_cmd(struct bsg_job *bsg_job)
 	uint16_t nextlid = 0;
 	uint32_t tot_dsds;
 	srb_t *sp = NULL;
-	uint32_t req_data_len = 0;
-	uint32_t rsp_data_len = 0;
+	uint32_t req_data_len;
+	uint32_t rsp_data_len;
 
 	/* Check the type of the adapter */
 	if (!IS_BIDI_CAPABLE(ha)) {
@@ -1888,6 +1888,9 @@ qla24xx_process_bidir_cmd(struct bsg_job *bsg_job)
 		goto done_unmap_sg;
 	}
 
+	req_data_len = bsg_job->request_payload.payload_len;
+	rsp_data_len = bsg_job->reply_payload.payload_len;
+
 	if (req_data_len != rsp_data_len) {
 		rval = EXT_STATUS_BUSY;
 		ql_log(ql_log_warn, vha, 0x70aa,
@@ -1895,10 +1898,6 @@ qla24xx_process_bidir_cmd(struct bsg_job *bsg_job)
 		goto done_unmap_sg;
 	}
 
-	req_data_len = bsg_job->request_payload.payload_len;
-	rsp_data_len = bsg_job->reply_payload.payload_len;
-
-
 	/* Alloc SRB structure */
 	sp = qla2x00_get_sp(vha, &(vha->bidir_fcport), GFP_KERNEL);
 	if (!sp) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 242/267] scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (240 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 241/267] scsi: qla2xxx: Fix qla24xx_process_bidir_cmd() Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 243/267] scsi: qla2xxx: Fix message indicating vectors used by driver Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Bart Van Assche,
	Martin K. Petersen, Sasha Levin

From: Bart Van Assche <bvanassche@acm.org>

[ Upstream commit e6803efae5acd109fad9f2f07dab674563441a53 ]

This patch fixes several Coverity complaints about not always checking
the qla2x00_wait_for_hba_online() return value.

Cc: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Himanshu Madhani <hmadhani@marvell.com>
Reviewed-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_attr.c   | 3 ++-
 drivers/scsi/qla2xxx/qla_target.c | 7 +++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
index 1844c2f594605..656253285db9d 100644
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -652,7 +652,8 @@ qla2x00_sysfs_write_reset(struct file *filp, struct kobject *kobj,
 			break;
 		} else {
 			/* Make sure FC side is not in reset */
-			qla2x00_wait_for_hba_online(vha);
+			WARN_ON_ONCE(qla2x00_wait_for_hba_online(vha) !=
+				     QLA_SUCCESS);
 
 			/* Issue MPI reset */
 			scsi_block_requests(vha->host);
diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
index 2f5658554275c..69ed544d80ef0 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -6394,7 +6394,8 @@ qlt_enable_vha(struct scsi_qla_host *vha)
 	} else {
 		set_bit(ISP_ABORT_NEEDED, &base_vha->dpc_flags);
 		qla2xxx_wake_dpc(base_vha);
-		qla2x00_wait_for_hba_online(base_vha);
+		WARN_ON_ONCE(qla2x00_wait_for_hba_online(base_vha) !=
+			     QLA_SUCCESS);
 	}
 }
 EXPORT_SYMBOL(qlt_enable_vha);
@@ -6424,7 +6425,9 @@ static void qlt_disable_vha(struct scsi_qla_host *vha)
 
 	set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
 	qla2xxx_wake_dpc(vha);
-	qla2x00_wait_for_hba_online(vha);
+	if (qla2x00_wait_for_hba_online(vha) != QLA_SUCCESS)
+		ql_dbg(ql_dbg_tgt, vha, 0xe081,
+		       "qla2x00_wait_for_hba_online() failed\n");
 }
 
 /*
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 243/267] scsi: qla2xxx: Fix message indicating vectors used by driver
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (241 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 242/267] scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 244/267] xhci: Fix memory leak in xhci_add_in_port() Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Ewan D. Milne,
	Lee Duncan, Martin K. Petersen, Sasha Levin

From: Himanshu Madhani <hmadhani@marvell.com>

[ Upstream commit da48b82425b8bf999fb9f7c220e967c4d661b5f8 ]

This patch updates log message which indicates number of vectors used by
the driver instead of displaying failure to get maximum requested
vectors. Driver will always request maximum vectors during
initialization. In the event driver is not able to get maximum requested
vectors, it will adjust the allocated vectors. This is normal and does not
imply failure in driver.

Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Link: https://lore.kernel.org/r/20190830222402.23688-2-hmadhani@marvell.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_isr.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 6a76d72175154..ebca1a470e9bc 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -3369,10 +3369,8 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp)
 		    ha->msix_count, ret);
 		goto msix_out;
 	} else if (ret < ha->msix_count) {
-		ql_log(ql_log_warn, vha, 0x00c6,
-		    "MSI-X: Failed to enable support "
-		     "with %d vectors, using %d vectors.\n",
-		    ha->msix_count, ret);
+		ql_log(ql_log_info, vha, 0x00c6,
+		    "MSI-X: Using %d vectors\n", ret);
 		ha->msix_count = ret;
 		/* Recalculate queue values */
 		if (ha->mqiobase && ql2xmqsupport) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 244/267] xhci: Fix memory leak in xhci_add_in_port()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (242 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 243/267] scsi: qla2xxx: Fix message indicating vectors used by driver Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 245/267] xhci: make sure interrupts are restored to correct state Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mika Westerberg, Mathias Nyman, Sasha Levin

From: Mika Westerberg <mika.westerberg@linux.intel.com>

[ Upstream commit ce91f1a43b37463f517155bdfbd525eb43adbd1a ]

When xHCI is part of Alpine or Titan Ridge Thunderbolt controller and
the xHCI device is hot-removed as a result of unplugging a dock for
example, the driver leaks memory it allocates for xhci->usb3_rhub.psi
and xhci->usb2_rhub.psi in xhci_add_in_port() as reported by kmemleak:

unreferenced object 0xffff922c24ef42f0 (size 16):
  comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s)
  hex dump (first 16 bytes):
    21 00 0c 00 12 00 dc 05 23 00 e0 01 00 00 00 00  !.......#.......
  backtrace:
    [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7
    [<0000000001b6d775>] xhci_init+0x7c/0x160
    [<00000000db443fe3>] xhci_gen_setup+0x214/0x340
    [<00000000fdffd320>] xhci_pci_setup+0x48/0x110
    [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747
    [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4
    [<0000000021043861>] xhci_pci_probe+0x24/0x1c0
    [<00000000b9231f25>] local_pci_probe+0x3d/0x70
    [<000000006385c9d7>] pci_device_probe+0xd0/0x150
    [<0000000070241068>] really_probe+0xf5/0x3c0
    [<0000000061f35c0a>] driver_probe_device+0x58/0x100
    [<000000009da11198>] bus_for_each_drv+0x79/0xc0
    [<000000009ce45f69>] __device_attach+0xda/0x160
    [<00000000df201aaf>] pci_bus_add_device+0x46/0x70
    [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60
    [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60
unreferenced object 0xffff922c24ef3318 (size 8):
  comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s)
  hex dump (first 8 bytes):
    34 01 05 00 35 41 0a 00                          4...5A..
  backtrace:
    [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7
    [<0000000001b6d775>] xhci_init+0x7c/0x160
    [<00000000db443fe3>] xhci_gen_setup+0x214/0x340
    [<00000000fdffd320>] xhci_pci_setup+0x48/0x110
    [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747
    [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4
    [<0000000021043861>] xhci_pci_probe+0x24/0x1c0
    [<00000000b9231f25>] local_pci_probe+0x3d/0x70
    [<000000006385c9d7>] pci_device_probe+0xd0/0x150
    [<0000000070241068>] really_probe+0xf5/0x3c0
    [<0000000061f35c0a>] driver_probe_device+0x58/0x100
    [<000000009da11198>] bus_for_each_drv+0x79/0xc0
    [<000000009ce45f69>] __device_attach+0xda/0x160
    [<00000000df201aaf>] pci_bus_add_device+0x46/0x70
    [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60
    [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60

Fix this by calling kfree() for the both psi objects in
xhci_mem_cleanup().

Cc: <stable@vger.kernel.org> # 4.4+
Fixes: 47189098f8be ("xhci: parse xhci protocol speed ID list for usb 3.1 usage")
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20191211142007.8847-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/xhci-mem.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1866,10 +1866,14 @@ no_bw:
 	kfree(xhci->port_array);
 	kfree(xhci->rh_bw);
 	kfree(xhci->ext_caps);
+	kfree(xhci->usb2_rhub.psi);
+	kfree(xhci->usb3_rhub.psi);
 
 	xhci->usb2_ports = NULL;
 	xhci->usb3_ports = NULL;
 	xhci->port_array = NULL;
+	xhci->usb2_rhub.psi = NULL;
+	xhci->usb3_rhub.psi = NULL;
 	xhci->rh_bw = NULL;
 	xhci->ext_caps = NULL;
 



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 245/267] xhci: make sure interrupts are restored to correct state
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (243 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 244/267] xhci: Fix memory leak in xhci_add_in_port() Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 246/267] iio: adis16480: Add debugfs_reg_access entry Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman, Sasha Levin

From: Mathias Nyman <mathias.nyman@linux.intel.com>

[ Upstream commit bd82873f23c9a6ad834348f8b83f3b6a5bca2c65 ]

spin_unlock_irqrestore() might be called with stale flags after
reading port status, possibly restoring interrupts to a incorrect
state.

If a usb2 port just finished resuming while the port status is read
the spin lock will be temporary released and re-acquired in a separate
function. The flags parameter is passed as value instead of a pointer,
not updating flags properly before the final spin_unlock_irqrestore()
is called.

Cc: <stable@vger.kernel.org> # v3.12+
Fixes: 8b3d45705e54 ("usb: Fix xHCI host issues on remote wakeup.")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20191211142007.8847-7-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/xhci-hub.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index 997ff183c9cbb..95503bb9b067d 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -855,7 +855,7 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd,
 		struct xhci_bus_state *bus_state,
 		__le32 __iomem **port_array,
 		u16 wIndex, u32 raw_port_status,
-		unsigned long flags)
+		unsigned long *flags)
 	__releases(&xhci->lock)
 	__acquires(&xhci->lock)
 {
@@ -937,12 +937,12 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd,
 			xhci_set_link_state(xhci, port_array, wIndex,
 					XDEV_U0);
 
-			spin_unlock_irqrestore(&xhci->lock, flags);
+			spin_unlock_irqrestore(&xhci->lock, *flags);
 			time_left = wait_for_completion_timeout(
 					&bus_state->rexit_done[wIndex],
 					msecs_to_jiffies(
 						XHCI_MAX_REXIT_TIMEOUT_MS));
-			spin_lock_irqsave(&xhci->lock, flags);
+			spin_lock_irqsave(&xhci->lock, *flags);
 
 			if (time_left) {
 				slot_id = xhci_find_slot_id_by_port(hcd,
@@ -1090,7 +1090,7 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
 			break;
 		}
 		status = xhci_get_port_status(hcd, bus_state, port_array,
-				wIndex, temp, flags);
+				wIndex, temp, &flags);
 		if (status == 0xffffffff)
 			goto error;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 246/267] iio: adis16480: Add debugfs_reg_access entry
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (244 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 245/267] xhci: make sure interrupts are restored to correct state Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 247/267] phy: renesas: rcar-gen3-usb2: Fix sysfs interface of "role" Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nuno Sá,
	Stable, Jonathan Cameron, Sasha Levin

From: Nuno Sá <nuno.sa@analog.com>

[ Upstream commit 4c35b7a51e2f291471f7221d112c6a45c63e83bc ]

The driver is defining debugfs entries by calling
`adis16480_debugfs_init()`. However, those entries are attached to the
iio_dev debugfs entry which won't exist if no debugfs_reg_access
callback is provided.

Fixes: 2f3abe6cbb6c ("iio:imu: Add support for the ADIS16480 and similar IMUs")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/imu/adis16480.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/imu/adis16480.c b/drivers/iio/imu/adis16480.c
index 6f975538996cd..c950aa10d0ae0 100644
--- a/drivers/iio/imu/adis16480.c
+++ b/drivers/iio/imu/adis16480.c
@@ -724,6 +724,7 @@ static const struct iio_info adis16480_info = {
 	.write_raw = &adis16480_write_raw,
 	.update_scan_mode = adis_update_scan_mode,
 	.driver_module = THIS_MODULE,
+	.debugfs_reg_access = adis_debugfs_reg_access,
 };
 
 static int adis16480_stop_device(struct iio_dev *indio_dev)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 247/267] phy: renesas: rcar-gen3-usb2: Fix sysfs interface of "role"
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (245 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 246/267] iio: adis16480: Add debugfs_reg_access entry Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 248/267] omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251 Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Machek, Yoshihiro Shimoda,
	Geert Uytterhoeven, Kishon Vijay Abraham I, Sasha Levin

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

[ Upstream commit 4bd5ead82d4b877ebe41daf95f28cda53205b039 ]

Since the role_store() uses strncmp(), it's possible to refer
out-of-memory if the sysfs data size is smaller than strlen("host").
This patch fixes it by using sysfs_streq() instead of strncmp().

Reported-by: Pavel Machek <pavel@denx.de>
Fixes: 9bb86777fb71 ("phy: rcar-gen3-usb2: add sysfs for usb role swap")
Cc: <stable@vger.kernel.org> # v4.10+
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/phy/renesas/phy-rcar-gen3-usb2.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c
index 7f5e36bfeee8d..f8c7ce89d8d73 100644
--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c
+++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c
@@ -22,6 +22,7 @@
 #include <linux/platform_device.h>
 #include <linux/pm_runtime.h>
 #include <linux/regulator/consumer.h>
+#include <linux/string.h>
 #include <linux/workqueue.h>
 
 /******* USB2.0 Host registers (original offset is +0x200) *******/
@@ -234,9 +235,9 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr,
 	 */
 	is_b_device = rcar_gen3_check_id(ch);
 	is_host = rcar_gen3_is_host(ch);
-	if (!strncmp(buf, "host", strlen("host")))
+	if (sysfs_streq(buf, "host"))
 		new_mode_is_host = true;
-	else if (!strncmp(buf, "peripheral", strlen("peripheral")))
+	else if (sysfs_streq(buf, "peripheral"))
 		new_mode_is_host = false;
 	else
 		return -EINVAL;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 248/267] omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (246 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 247/267] phy: renesas: rcar-gen3-usb2: Fix sysfs interface of "role" Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 249/267] scsi: lpfc: Cap NPIV vports to 256 Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Nikolaus Schaller, Tony Lindgren,
	Ulf Hansson, Sasha Levin

From: H. Nikolaus Schaller <hns@goldelico.com>

[ Upstream commit 2398c41d64321e62af54424fd399964f3d48cdc2 ]

With a wl1251 child node of mmc3 in the device tree decoded
in omap_hsmmc.c to handle special wl1251 initialization, we do
no longer need to instantiate the mmc3 through pdata quirks.

We also can remove the wlan regulator and reset/interrupt definitions
and do them through device tree.

Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel")
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Cc: <stable@vger.kernel.org> # v4.7+
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-omap2/pdata-quirks.c | 93 ------------------------------
 1 file changed, 93 deletions(-)

diff --git a/arch/arm/mach-omap2/pdata-quirks.c b/arch/arm/mach-omap2/pdata-quirks.c
index 6b433fce65a5b..2477f6086de4b 100644
--- a/arch/arm/mach-omap2/pdata-quirks.c
+++ b/arch/arm/mach-omap2/pdata-quirks.c
@@ -307,108 +307,15 @@ static void __init omap3_logicpd_torpedo_init(void)
 }
 
 /* omap3pandora legacy devices */
-#define PANDORA_WIFI_IRQ_GPIO		21
-#define PANDORA_WIFI_NRESET_GPIO	23
 
 static struct platform_device pandora_backlight = {
 	.name	= "pandora-backlight",
 	.id	= -1,
 };
 
-static struct regulator_consumer_supply pandora_vmmc3_supply[] = {
-	REGULATOR_SUPPLY("vmmc", "omap_hsmmc.2"),
-};
-
-static struct regulator_init_data pandora_vmmc3 = {
-	.constraints = {
-		.valid_ops_mask		= REGULATOR_CHANGE_STATUS,
-	},
-	.num_consumer_supplies	= ARRAY_SIZE(pandora_vmmc3_supply),
-	.consumer_supplies	= pandora_vmmc3_supply,
-};
-
-static struct fixed_voltage_config pandora_vwlan = {
-	.supply_name		= "vwlan",
-	.microvolts		= 1800000, /* 1.8V */
-	.gpio			= PANDORA_WIFI_NRESET_GPIO,
-	.startup_delay		= 50000, /* 50ms */
-	.enable_high		= 1,
-	.init_data		= &pandora_vmmc3,
-};
-
-static struct platform_device pandora_vwlan_device = {
-	.name		= "reg-fixed-voltage",
-	.id		= 1,
-	.dev = {
-		.platform_data = &pandora_vwlan,
-	},
-};
-
-static void pandora_wl1251_init_card(struct mmc_card *card)
-{
-	/*
-	 * We have TI wl1251 attached to MMC3. Pass this information to
-	 * SDIO core because it can't be probed by normal methods.
-	 */
-	if (card->type == MMC_TYPE_SDIO || card->type == MMC_TYPE_SD_COMBO) {
-		card->quirks |= MMC_QUIRK_NONSTD_SDIO;
-		card->cccr.wide_bus = 1;
-		card->cis.vendor = 0x104c;
-		card->cis.device = 0x9066;
-		card->cis.blksize = 512;
-		card->cis.max_dtr = 24000000;
-		card->ocr = 0x80;
-	}
-}
-
-static struct omap2_hsmmc_info pandora_mmc3[] = {
-	{
-		.mmc		= 3,
-		.caps		= MMC_CAP_4_BIT_DATA | MMC_CAP_POWER_OFF_CARD,
-		.gpio_cd	= -EINVAL,
-		.gpio_wp	= -EINVAL,
-		.init_card	= pandora_wl1251_init_card,
-	},
-	{}	/* Terminator */
-};
-
-static void __init pandora_wl1251_init(void)
-{
-	struct wl1251_platform_data pandora_wl1251_pdata;
-	int ret;
-
-	memset(&pandora_wl1251_pdata, 0, sizeof(pandora_wl1251_pdata));
-
-	pandora_wl1251_pdata.power_gpio = -1;
-
-	ret = gpio_request_one(PANDORA_WIFI_IRQ_GPIO, GPIOF_IN, "wl1251 irq");
-	if (ret < 0)
-		goto fail;
-
-	pandora_wl1251_pdata.irq = gpio_to_irq(PANDORA_WIFI_IRQ_GPIO);
-	if (pandora_wl1251_pdata.irq < 0)
-		goto fail_irq;
-
-	pandora_wl1251_pdata.use_eeprom = true;
-	ret = wl1251_set_platform_data(&pandora_wl1251_pdata);
-	if (ret < 0)
-		goto fail_irq;
-
-	return;
-
-fail_irq:
-	gpio_free(PANDORA_WIFI_IRQ_GPIO);
-fail:
-	pr_err("wl1251 board initialisation failed\n");
-}
-
 static void __init omap3_pandora_legacy_init(void)
 {
 	platform_device_register(&pandora_backlight);
-	platform_device_register(&pandora_vwlan_device);
-	omap_hsmmc_init(pandora_mmc3);
-	omap_hsmmc_late_init(pandora_mmc3);
-	pandora_wl1251_init();
 }
 #endif /* CONFIG_ARCH_OMAP3 */
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 249/267] scsi: lpfc: Cap NPIV vports to 256
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (247 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 248/267] omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251 Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 250/267] scsi: lpfc: Correct code setting non existent bits in sli4 ABORT WQE Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Martin K. Petersen, Sasha Levin

From: James Smart <jsmart2021@gmail.com>

[ Upstream commit 8b47ae69e049ae0b3373859d901f0334322f9fe9 ]

Depending on the chipset, the number of NPIV vports may vary and be in
excess of what most switches support (256). To avoid confusion with the
users, limit the reported NPIV vports to 256.

Additionally correct the 16G adapter which is reporting a bogus NPIV vport
number if the link is down.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc.h      |  3 ++-
 drivers/scsi/lpfc/lpfc_attr.c | 12 ++++++++++--
 drivers/scsi/lpfc/lpfc_init.c |  3 +++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 03e95a3216c8c..5fc41aa53ceb3 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -969,7 +969,8 @@ struct lpfc_hba {
 	struct list_head port_list;
 	struct lpfc_vport *pport;	/* physical lpfc_vport pointer */
 	uint16_t max_vpi;		/* Maximum virtual nports */
-#define LPFC_MAX_VPI 0xFFFF		/* Max number of VPI supported */
+#define LPFC_MAX_VPI	0xFF		/* Max number VPI supported 0 - 0xff */
+#define LPFC_MAX_VPORTS	0x100		/* Max vports per port, with pport */
 	uint16_t max_vports;            /*
 					 * For IOV HBAs max_vpi can change
 					 * after a reset. max_vports is max
diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
index 82ce5d1930189..f447355cc9c04 100644
--- a/drivers/scsi/lpfc/lpfc_attr.c
+++ b/drivers/scsi/lpfc/lpfc_attr.c
@@ -1478,6 +1478,9 @@ lpfc_get_hba_info(struct lpfc_hba *phba,
 		max_vpi = (bf_get(lpfc_mbx_rd_conf_vpi_count, rd_config) > 0) ?
 			(bf_get(lpfc_mbx_rd_conf_vpi_count, rd_config) - 1) : 0;
 
+		/* Limit the max we support */
+		if (max_vpi > LPFC_MAX_VPI)
+			max_vpi = LPFC_MAX_VPI;
 		if (mvpi)
 			*mvpi = max_vpi;
 		if (avpi)
@@ -1493,8 +1496,13 @@ lpfc_get_hba_info(struct lpfc_hba *phba,
 			*axri = pmb->un.varRdConfig.avail_xri;
 		if (mvpi)
 			*mvpi = pmb->un.varRdConfig.max_vpi;
-		if (avpi)
-			*avpi = pmb->un.varRdConfig.avail_vpi;
+		if (avpi) {
+			/* avail_vpi is only valid if link is up and ready */
+			if (phba->link_state == LPFC_HBA_READY)
+				*avpi = pmb->un.varRdConfig.avail_vpi;
+			else
+				*avpi = pmb->un.varRdConfig.max_vpi;
+		}
 	}
 
 	mempool_free(pmboxq, phba->mbox_mem_pool);
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index c69c2a2b2eadf..9fc5507ee39e7 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -7643,6 +7643,9 @@ lpfc_sli4_read_config(struct lpfc_hba *phba)
 			bf_get(lpfc_mbx_rd_conf_xri_base, rd_config);
 		phba->sli4_hba.max_cfg_param.max_vpi =
 			bf_get(lpfc_mbx_rd_conf_vpi_count, rd_config);
+		/* Limit the max we support */
+		if (phba->sli4_hba.max_cfg_param.max_vpi > LPFC_MAX_VPORTS)
+			phba->sli4_hba.max_cfg_param.max_vpi = LPFC_MAX_VPORTS;
 		phba->sli4_hba.max_cfg_param.vpi_base =
 			bf_get(lpfc_mbx_rd_conf_vpi_base, rd_config);
 		phba->sli4_hba.max_cfg_param.max_rpi =
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 250/267] scsi: lpfc: Correct code setting non existent bits in sli4 ABORT WQE
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (248 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 249/267] scsi: lpfc: Cap NPIV vports to 256 Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 251/267] drbd: Change drbd_request_detach_interruptibles return type to int Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Martin K. Petersen, Sasha Levin

From: James Smart <jsmart2021@gmail.com>

[ Upstream commit 1c36833d82ff24d0d54215fd956e7cc30fffce54 ]

Driver is setting bits in word 10 of the SLI4 ABORT WQE (the wqid).  The
field was a carry over from a prior SLI revision. The field does not exist
in SLI4, and the action may result in an overlap with future definition of
the WQE.

Remove the setting of WQID in the ABORT WQE.

Also cleaned up WQE field settings - initialize to zero, don't bother to
set fields to zero.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc_nvme.c |  2 --
 drivers/scsi/lpfc/lpfc_sli.c  | 14 +++-----------
 2 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c
index 6c4499db969c1..fcf4b4175d771 100644
--- a/drivers/scsi/lpfc/lpfc_nvme.c
+++ b/drivers/scsi/lpfc/lpfc_nvme.c
@@ -1544,7 +1544,6 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport,
 	bf_set(abort_cmd_criteria, &abts_wqe->abort_cmd, T_XRI_TAG);
 
 	/* word 7 */
-	bf_set(wqe_ct, &abts_wqe->abort_cmd.wqe_com, 0);
 	bf_set(wqe_cmnd, &abts_wqe->abort_cmd.wqe_com, CMD_ABORT_XRI_CX);
 	bf_set(wqe_class, &abts_wqe->abort_cmd.wqe_com,
 	       nvmereq_wqe->iocb.ulpClass);
@@ -1559,7 +1558,6 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport,
 	       abts_buf->iotag);
 
 	/* word 10 */
-	bf_set(wqe_wqid, &abts_wqe->abort_cmd.wqe_com, nvmereq_wqe->hba_wqidx);
 	bf_set(wqe_qosd, &abts_wqe->abort_cmd.wqe_com, 1);
 	bf_set(wqe_lenloc, &abts_wqe->abort_cmd.wqe_com, LPFC_WQE_LENLOC_NONE);
 
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 62bea4ffdc25a..d3bad0dbfaf7f 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -10722,19 +10722,12 @@ lpfc_sli4_abort_nvme_io(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
 
 	/* Complete prepping the abort wqe and issue to the FW. */
 	abts_wqe = &abtsiocbp->wqe;
-	bf_set(abort_cmd_ia, &abts_wqe->abort_cmd, 0);
-	bf_set(abort_cmd_criteria, &abts_wqe->abort_cmd, T_XRI_TAG);
-
-	/* Explicitly set reserved fields to zero.*/
-	abts_wqe->abort_cmd.rsrvd4 = 0;
-	abts_wqe->abort_cmd.rsrvd5 = 0;
 
-	/* WQE Common - word 6.  Context is XRI tag.  Set 0. */
-	bf_set(wqe_xri_tag, &abts_wqe->abort_cmd.wqe_com, 0);
-	bf_set(wqe_ctxt_tag, &abts_wqe->abort_cmd.wqe_com, 0);
+	/* Clear any stale WQE contents */
+	memset(abts_wqe, 0, sizeof(union lpfc_wqe));
+	bf_set(abort_cmd_criteria, &abts_wqe->abort_cmd, T_XRI_TAG);
 
 	/* word 7 */
-	bf_set(wqe_ct, &abts_wqe->abort_cmd.wqe_com, 0);
 	bf_set(wqe_cmnd, &abts_wqe->abort_cmd.wqe_com, CMD_ABORT_XRI_CX);
 	bf_set(wqe_class, &abts_wqe->abort_cmd.wqe_com,
 	       cmdiocb->iocb.ulpClass);
@@ -10749,7 +10742,6 @@ lpfc_sli4_abort_nvme_io(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
 	       abtsiocbp->iotag);
 
 	/* word 10 */
-	bf_set(wqe_wqid, &abts_wqe->abort_cmd.wqe_com, cmdiocb->hba_wqidx);
 	bf_set(wqe_qosd, &abts_wqe->abort_cmd.wqe_com, 1);
 	bf_set(wqe_lenloc, &abts_wqe->abort_cmd.wqe_com, LPFC_WQE_LENLOC_NONE);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 251/267] drbd: Change drbd_request_detach_interruptibles return type to int
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (249 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 250/267] scsi: lpfc: Correct code setting non existent bits in sli4 ABORT WQE Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 252/267] e100: Fix passing zero to PTR_ERR warning in e100_load_ucode_wait Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Nathan Chancellor,
	Jens Axboe, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 5816a0932b4fd74257b8cc5785bc8067186a8723 ]

Clang warns when an implicit conversion is done between enumerated
types:

drivers/block/drbd/drbd_state.c:708:8: warning: implicit conversion from
enumeration type 'enum drbd_ret_code' to different enumeration type
'enum drbd_state_rv' [-Wenum-conversion]
                rv = ERR_INTR;
                   ~ ^~~~~~~~

drbd_request_detach_interruptible's only call site is in the return
statement of adm_detach, which returns an int. Change the return type of
drbd_request_detach_interruptible to match, silencing Clang's warning.

Reported-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/drbd/drbd_state.c | 6 ++----
 drivers/block/drbd/drbd_state.h | 3 +--
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/block/drbd/drbd_state.c b/drivers/block/drbd/drbd_state.c
index 0813c654c8938..b452359b6aae8 100644
--- a/drivers/block/drbd/drbd_state.c
+++ b/drivers/block/drbd/drbd_state.c
@@ -688,11 +688,9 @@ request_detach(struct drbd_device *device)
 			CS_VERBOSE | CS_ORDERED | CS_INHIBIT_MD_IO);
 }
 
-enum drbd_state_rv
-drbd_request_detach_interruptible(struct drbd_device *device)
+int drbd_request_detach_interruptible(struct drbd_device *device)
 {
-	enum drbd_state_rv rv;
-	int ret;
+	int ret, rv;
 
 	drbd_suspend_io(device); /* so no-one is stuck in drbd_al_begin_io */
 	wait_event_interruptible(device->state_wait,
diff --git a/drivers/block/drbd/drbd_state.h b/drivers/block/drbd/drbd_state.h
index b2a390ba73a05..f87371e55e682 100644
--- a/drivers/block/drbd/drbd_state.h
+++ b/drivers/block/drbd/drbd_state.h
@@ -162,8 +162,7 @@ static inline int drbd_request_state(struct drbd_device *device,
 }
 
 /* for use in adm_detach() (drbd_adm_detach(), drbd_adm_down()) */
-enum drbd_state_rv
-drbd_request_detach_interruptible(struct drbd_device *device);
+int drbd_request_detach_interruptible(struct drbd_device *device);
 
 enum drbd_role conn_highest_role(struct drbd_connection *connection);
 enum drbd_role conn_highest_peer(struct drbd_connection *connection);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 252/267] e100: Fix passing zero to PTR_ERR warning in e100_load_ucode_wait
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (250 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 251/267] drbd: Change drbd_request_detach_interruptibles return type to int Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 253/267] x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, Aaron Brown,
	Jeff Kirsher, Sasha Levin

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit cd0d465bb697a9c7bf66a9fe940f7981232f1676 ]

Fix a static code checker warning:
drivers/net/ethernet/intel/e100.c:1349
 e100_load_ucode_wait() warn: passing zero to 'PTR_ERR'

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/e100.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
index 4d10270ddf8fb..90974462743b5 100644
--- a/drivers/net/ethernet/intel/e100.c
+++ b/drivers/net/ethernet/intel/e100.c
@@ -1370,8 +1370,8 @@ static inline int e100_load_ucode_wait(struct nic *nic)
 
 	fw = e100_request_firmware(nic);
 	/* If it's NULL, then no ucode is required */
-	if (!fw || IS_ERR(fw))
-		return PTR_ERR(fw);
+	if (IS_ERR_OR_NULL(fw))
+		return PTR_ERR_OR_ZERO(fw);
 
 	if ((err = e100_exec_cb(nic, (void *)fw, e100_setup_ucode)))
 		netif_err(nic, probe, nic->netdev,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 253/267] x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (251 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 252/267] e100: Fix passing zero to PTR_ERR warning in e100_load_ucode_wait Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 254/267] x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shirish S, Borislav Petkov,
	H. Peter Anvin, Ingo Molnar, Thomas Gleixner, Tony Luck,
	Vishal Verma, x86-ml, Sasha Levin

From: Shirish S <Shirish.S@amd.com>

[ Upstream commit c95b323dcd3598dd7ef5005d6723c1ba3b801093 ]

MC4_MISC thresholding is not supported on all family 0x15 processors,
hence skip the x86_model check when applying the quirk.

 [ bp: massage commit message. ]

Signed-off-by: Shirish S <shirish.s@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/1547106849-3476-2-git-send-email-shirish.s@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/cpu/mcheck/mce.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
index 4f3be91f0b0bc..dcc11303885b7 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -1661,11 +1661,10 @@ static int __mcheck_cpu_apply_quirks(struct cpuinfo_x86 *c)
 			mce_flags.overflow_recov = 1;
 
 		/*
-		 * Turn off MC4_MISC thresholding banks on those models since
+		 * Turn off MC4_MISC thresholding banks on all models since
 		 * they're not supported there.
 		 */
-		if (c->x86 == 0x15 &&
-		    (c->x86_model >= 0x10 && c->x86_model <= 0x1f)) {
+		if (c->x86 == 0x15) {
 			int i;
 			u64 hwcr;
 			bool need_toggle;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 254/267] x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (252 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 253/267] x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 255/267] power: supply: cpcap-battery: Fix signed counter sample register Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shirish S, Borislav Petkov,
	H. Peter Anvin, Ingo Molnar, Kees Cook, Thomas Gleixner,
	Tony Luck, Vishal Verma, Yazen Ghannam, x86-ml, Sasha Levin

From: Shirish S <Shirish.S@amd.com>

[ Upstream commit 30aa3d26edb0f3d7992757287eec0ca588a5c259 ]

The MC4_MISC thresholding quirk needs to be applied during S5 -> S0 and
S3 -> S0 state transitions, which follow different code paths. Carve it
out into a separate function and call it mce_amd_feature_init() where
the two code paths of the state transitions converge.

 [ bp: massage commit message and the carved out function. ]

Signed-off-by: Shirish S <shirish.s@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: Yazen Ghannam <yazen.ghannam@amd.com>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/1547651417-23583-3-git-send-email-shirish.s@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/cpu/mcheck/mce.c     | 29 ----------------------
 arch/x86/kernel/cpu/mcheck/mce_amd.c | 36 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 29 deletions(-)

diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
index dcc11303885b7..c7bd2e549a6a1 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -1660,35 +1660,6 @@ static int __mcheck_cpu_apply_quirks(struct cpuinfo_x86 *c)
 		if (c->x86 == 0x15 && c->x86_model <= 0xf)
 			mce_flags.overflow_recov = 1;
 
-		/*
-		 * Turn off MC4_MISC thresholding banks on all models since
-		 * they're not supported there.
-		 */
-		if (c->x86 == 0x15) {
-			int i;
-			u64 hwcr;
-			bool need_toggle;
-			u32 msrs[] = {
-				0x00000413, /* MC4_MISC0 */
-				0xc0000408, /* MC4_MISC1 */
-			};
-
-			rdmsrl(MSR_K7_HWCR, hwcr);
-
-			/* McStatusWrEn has to be set */
-			need_toggle = !(hwcr & BIT(18));
-
-			if (need_toggle)
-				wrmsrl(MSR_K7_HWCR, hwcr | BIT(18));
-
-			/* Clear CntP bit safely */
-			for (i = 0; i < ARRAY_SIZE(msrs); i++)
-				msr_clear_bit(msrs[i], 62);
-
-			/* restore old settings */
-			if (need_toggle)
-				wrmsrl(MSR_K7_HWCR, hwcr);
-		}
 	}
 
 	if (c->x86_vendor == X86_VENDOR_INTEL) {
diff --git a/arch/x86/kernel/cpu/mcheck/mce_amd.c b/arch/x86/kernel/cpu/mcheck/mce_amd.c
index 4fa97a44e73fa..b434780ae6802 100644
--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
+++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
@@ -544,6 +544,40 @@ out:
 	return offset;
 }
 
+/*
+ * Turn off MC4_MISC thresholding banks on all family 0x15 models since
+ * they're not supported there.
+ */
+void disable_err_thresholding(struct cpuinfo_x86 *c)
+{
+	int i;
+	u64 hwcr;
+	bool need_toggle;
+	u32 msrs[] = {
+		0x00000413, /* MC4_MISC0 */
+		0xc0000408, /* MC4_MISC1 */
+	};
+
+	if (c->x86 != 0x15)
+		return;
+
+	rdmsrl(MSR_K7_HWCR, hwcr);
+
+	/* McStatusWrEn has to be set */
+	need_toggle = !(hwcr & BIT(18));
+
+	if (need_toggle)
+		wrmsrl(MSR_K7_HWCR, hwcr | BIT(18));
+
+	/* Clear CntP bit safely */
+	for (i = 0; i < ARRAY_SIZE(msrs); i++)
+		msr_clear_bit(msrs[i], 62);
+
+	/* restore old settings */
+	if (need_toggle)
+		wrmsrl(MSR_K7_HWCR, hwcr);
+}
+
 /* cpu init entry point, called from mce.c with preempt off */
 void mce_amd_feature_init(struct cpuinfo_x86 *c)
 {
@@ -551,6 +585,8 @@ void mce_amd_feature_init(struct cpuinfo_x86 *c)
 	unsigned int bank, block, cpu = smp_processor_id();
 	int offset = -1;
 
+	disable_err_thresholding(c);
+
 	for (bank = 0; bank < mca_cfg.banks; ++bank) {
 		if (mce_flags.smca)
 			smca_configure(bank, cpu);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 255/267] power: supply: cpcap-battery: Fix signed counter sample register
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (253 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 254/267] x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 256/267] mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Lindgren, Pavel Machek,
	Sebastian Reichel, Sasha Levin

From: Tony Lindgren <tony@atomide.com>

[ Upstream commit c68b901ac4fa969db8917b6a9f9b40524a690d20 ]

The accumulator sample register is signed 32-bits wide register on
droid 4. And only the earlier version of cpcap has a signed 24-bits
wide register. We're currently passing it around as unsigned, so
let's fix that and use sign_extend32() for the earlier revision.

Signed-off-by: Tony Lindgren <tony@atomide.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/power/supply/cpcap-battery.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/power/supply/cpcap-battery.c b/drivers/power/supply/cpcap-battery.c
index fe7fcf3a2ad03..7df9d432ee421 100644
--- a/drivers/power/supply/cpcap-battery.c
+++ b/drivers/power/supply/cpcap-battery.c
@@ -82,7 +82,7 @@ struct cpcap_battery_config {
 };
 
 struct cpcap_coulomb_counter_data {
-	s32 sample;		/* 24-bits */
+	s32 sample;		/* 24 or 32 bits */
 	s32 accumulator;
 	s16 offset;		/* 10-bits */
 };
@@ -213,7 +213,7 @@ static int cpcap_battery_get_current(struct cpcap_battery_ddata *ddata)
  * TI or ST coulomb counter in the PMIC.
  */
 static int cpcap_battery_cc_raw_div(struct cpcap_battery_ddata *ddata,
-				    u32 sample, s32 accumulator,
+				    s32 sample, s32 accumulator,
 				    s16 offset, u32 divider)
 {
 	s64 acc;
@@ -224,7 +224,6 @@ static int cpcap_battery_cc_raw_div(struct cpcap_battery_ddata *ddata,
 	if (!divider)
 		return 0;
 
-	sample &= 0xffffff;		/* 24-bits, unsigned */
 	offset &= 0x7ff;		/* 10-bits, signed */
 
 	switch (ddata->vendor) {
@@ -259,7 +258,7 @@ static int cpcap_battery_cc_raw_div(struct cpcap_battery_ddata *ddata,
 
 /* 3600000μAms = 1μAh */
 static int cpcap_battery_cc_to_uah(struct cpcap_battery_ddata *ddata,
-				   u32 sample, s32 accumulator,
+				   s32 sample, s32 accumulator,
 				   s16 offset)
 {
 	return cpcap_battery_cc_raw_div(ddata, sample,
@@ -268,7 +267,7 @@ static int cpcap_battery_cc_to_uah(struct cpcap_battery_ddata *ddata,
 }
 
 static int cpcap_battery_cc_to_ua(struct cpcap_battery_ddata *ddata,
-				  u32 sample, s32 accumulator,
+				  s32 sample, s32 accumulator,
 				  s16 offset)
 {
 	return cpcap_battery_cc_raw_div(ddata, sample,
@@ -312,6 +311,8 @@ cpcap_battery_read_accumulated(struct cpcap_battery_ddata *ddata,
 	/* Sample value CPCAP_REG_CCS1 & 2 */
 	ccd->sample = (buf[1] & 0x0fff) << 16;
 	ccd->sample |= buf[0];
+	if (ddata->vendor == CPCAP_VENDOR_TI)
+		ccd->sample = sign_extend32(24, ccd->sample);
 
 	/* Accumulator value CPCAP_REG_CCA1 & 2 */
 	ccd->accumulator = ((s16)buf[3]) << 16;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 256/267] mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (254 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 255/267] power: supply: cpcap-battery: Fix signed counter sample register Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 257/267] media: vimc: fix component match compare Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Alex Veber, Jiri Pirko,
	David S. Miller, Sasha Levin

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit 83d5782681cc12b3d485a83cb34c46b2445f510c ]

The driver tries to periodically refresh neighbours that are used to
reach nexthops. This is done by periodically calling neigh_event_send().

However, if the neighbour becomes dead, there is nothing we can do to
return it to a connected state and the above function call is basically
a NOP.

This results in the nexthop never being written to the device's
adjacency table and therefore never used to forward packets.

Fix this by dropping our reference from the dead neighbour and
associating the nexthop with a new neigbhour which we will try to
refresh.

Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Alex Veber <alexve@mellanox.com>
Tested-by: Alex Veber <alexve@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../ethernet/mellanox/mlxsw/spectrum_router.c | 73 ++++++++++++++++++-
 1 file changed, 70 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 5b9a5c3834d9e..05a2006a20b9b 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -1762,7 +1762,7 @@ static void mlxsw_sp_router_probe_unresolved_nexthops(struct work_struct *work)
 static void
 mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp *mlxsw_sp,
 			      struct mlxsw_sp_neigh_entry *neigh_entry,
-			      bool removing);
+			      bool removing, bool dead);
 
 static enum mlxsw_reg_rauht_op mlxsw_sp_rauht_op(bool adding)
 {
@@ -1891,7 +1891,8 @@ static void mlxsw_sp_router_neigh_event_work(struct work_struct *work)
 
 	memcpy(neigh_entry->ha, ha, ETH_ALEN);
 	mlxsw_sp_neigh_entry_update(mlxsw_sp, neigh_entry, entry_connected);
-	mlxsw_sp_nexthop_neigh_update(mlxsw_sp, neigh_entry, !entry_connected);
+	mlxsw_sp_nexthop_neigh_update(mlxsw_sp, neigh_entry, !entry_connected,
+				      dead);
 
 	if (!neigh_entry->connected && list_empty(&neigh_entry->nexthop_list))
 		mlxsw_sp_neigh_entry_destroy(mlxsw_sp, neigh_entry);
@@ -2535,13 +2536,79 @@ static void __mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp_nexthop *nh,
 	nh->update = 1;
 }
 
+static int
+mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp,
+				    struct mlxsw_sp_neigh_entry *neigh_entry)
+{
+	struct neighbour *n, *old_n = neigh_entry->key.n;
+	struct mlxsw_sp_nexthop *nh;
+	bool entry_connected;
+	u8 nud_state, dead;
+	int err;
+
+	nh = list_first_entry(&neigh_entry->nexthop_list,
+			      struct mlxsw_sp_nexthop, neigh_list_node);
+
+	n = neigh_lookup(nh->nh_grp->neigh_tbl, &nh->gw_addr, nh->rif->dev);
+	if (!n) {
+		n = neigh_create(nh->nh_grp->neigh_tbl, &nh->gw_addr,
+				 nh->rif->dev);
+		if (IS_ERR(n))
+			return PTR_ERR(n);
+		neigh_event_send(n, NULL);
+	}
+
+	mlxsw_sp_neigh_entry_remove(mlxsw_sp, neigh_entry);
+	neigh_entry->key.n = n;
+	err = mlxsw_sp_neigh_entry_insert(mlxsw_sp, neigh_entry);
+	if (err)
+		goto err_neigh_entry_insert;
+
+	read_lock_bh(&n->lock);
+	nud_state = n->nud_state;
+	dead = n->dead;
+	read_unlock_bh(&n->lock);
+	entry_connected = nud_state & NUD_VALID && !dead;
+
+	list_for_each_entry(nh, &neigh_entry->nexthop_list,
+			    neigh_list_node) {
+		neigh_release(old_n);
+		neigh_clone(n);
+		__mlxsw_sp_nexthop_neigh_update(nh, !entry_connected);
+		mlxsw_sp_nexthop_group_refresh(mlxsw_sp, nh->nh_grp);
+	}
+
+	neigh_release(n);
+
+	return 0;
+
+err_neigh_entry_insert:
+	neigh_entry->key.n = old_n;
+	mlxsw_sp_neigh_entry_insert(mlxsw_sp, neigh_entry);
+	neigh_release(n);
+	return err;
+}
+
 static void
 mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp *mlxsw_sp,
 			      struct mlxsw_sp_neigh_entry *neigh_entry,
-			      bool removing)
+			      bool removing, bool dead)
 {
 	struct mlxsw_sp_nexthop *nh;
 
+	if (list_empty(&neigh_entry->nexthop_list))
+		return;
+
+	if (dead) {
+		int err;
+
+		err = mlxsw_sp_nexthop_dead_neigh_replace(mlxsw_sp,
+							  neigh_entry);
+		if (err)
+			dev_err(mlxsw_sp->bus_info->dev, "Failed to replace dead neigh\n");
+		return;
+	}
+
 	list_for_each_entry(nh, &neigh_entry->nexthop_list,
 			    neigh_list_node) {
 		__mlxsw_sp_nexthop_neigh_update(nh, removing);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 257/267] media: vimc: fix component match compare
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (255 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 256/267] mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 258/267] ath10k: fix fw crash by moving chip reset after napi disabled Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Helen Koike, Boris Brezillon,
	Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin

From: Helen Koike <helen.koike@collabora.com>

[ Upstream commit ee1c71a8e1456ab53fe667281d855849edf26a4d ]

If the system has other devices being registered in the component
framework, the compare function will be called with a device that
doesn't belong to vimc.
This device is not necessarily a platform_device, nor have a
platform_data (which causes a NULL pointer dereference error) and if it
does have a pdata, it is not necessarily type of struct vimc_platform_data.
So casting to any of these types is wrong.

Instead of expecting a given pdev with a given pdata, just expect for
the device it self. vimc-core is the one who creates them, we know in
advance exactly which object to expect in the match.

Fixes: 4a29b7090749 ("[media] vimc: Subdevices as modules")

Signed-off-by: Helen Koike <helen.koike@collabora.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Tested-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/vimc/vimc-core.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/media/platform/vimc/vimc-core.c b/drivers/media/platform/vimc/vimc-core.c
index 57e5d6a020b0e..447a01ff4e23c 100644
--- a/drivers/media/platform/vimc/vimc-core.c
+++ b/drivers/media/platform/vimc/vimc-core.c
@@ -243,10 +243,7 @@ static void vimc_comp_unbind(struct device *master)
 
 static int vimc_comp_compare(struct device *comp, void *data)
 {
-	const struct platform_device *pdev = to_platform_device(comp);
-	const char *name = data;
-
-	return !strcmp(pdev->dev.platform_data, name);
+	return comp == data;
 }
 
 static struct component_match *vimc_add_subdevs(struct vimc_device *vimc)
@@ -275,7 +272,7 @@ static struct component_match *vimc_add_subdevs(struct vimc_device *vimc)
 		}
 
 		component_match_add(&vimc->pdev.dev, &match, vimc_comp_compare,
-				    (void *)vimc->pipe_cfg->ents[i].name);
+				    &vimc->subdevs[i]->dev);
 	}
 
 	return match;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 258/267] ath10k: fix fw crash by moving chip reset after napi disabled
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (256 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 257/267] media: vimc: fix component match compare Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 259/267] powerpc: Avoid clang warnings around setjmp and longjmp Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaoqing Pan, Kalle Valo, Sasha Levin

From: Miaoqing Pan <miaoqing@codeaurora.org>

[ Upstream commit 08d80e4cd27ba19f9bee9e5f788f9a9fc440a22f ]

On SMP platform, when continuously running wifi up/down, the napi
poll can be scheduled during chip reset, which will call
ath10k_pci_has_fw_crashed() to check the fw status. But in the reset
period, the value from FW_INDICATOR_ADDRESS register will return
0xdeadbeef, which also be treated as fw crash. Fix the issue by
moving chip reset after napi disabled.

ath10k_pci 0000:01:00.0: firmware crashed! (guid 73b30611-5b1e-4bdd-90b4-64c81eb947b6)
ath10k_pci 0000:01:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe
ath10k_pci 0000:01:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal otp max-sta 512 raw 0 hwcrypto 1
ath10k_pci 0000:01:00.0: failed to get memcpy hi address for firmware address 4: -16
ath10k_pci 0000:01:00.0: failed to read firmware dump area: -16
ath10k_pci 0000:01:00.0: Copy Engine register dump:
ath10k_pci 0000:01:00.0: [00]: 0x0004a000   0   0   0   0
ath10k_pci 0000:01:00.0: [01]: 0x0004a400   0   0   0   0
ath10k_pci 0000:01:00.0: [02]: 0x0004a800   0   0   0   0
ath10k_pci 0000:01:00.0: [03]: 0x0004ac00   0   0   0   0
ath10k_pci 0000:01:00.0: [04]: 0x0004b000   0   0   0   0
ath10k_pci 0000:01:00.0: [05]: 0x0004b400   0   0   0   0
ath10k_pci 0000:01:00.0: [06]: 0x0004b800   0   0   0   0
ath10k_pci 0000:01:00.0: [07]: 0x0004bc00   1   0   1   0
ath10k_pci 0000:01:00.0: [08]: 0x0004c000   0   0   0   0
ath10k_pci 0000:01:00.0: [09]: 0x0004c400   0   0   0   0
ath10k_pci 0000:01:00.0: [10]: 0x0004c800   0   0   0   0
ath10k_pci 0000:01:00.0: [11]: 0x0004cc00   0   0   0   0

Tested HW: QCA9984,QCA9887,WCN3990

Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/pci.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index 0298ddc1ff060..f9e409caca688 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -1771,6 +1771,11 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
 
 	ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif stop\n");
 
+	ath10k_pci_irq_disable(ar);
+	ath10k_pci_irq_sync(ar);
+	napi_synchronize(&ar->napi);
+	napi_disable(&ar->napi);
+
 	/* Most likely the device has HTT Rx ring configured. The only way to
 	 * prevent the device from accessing (and possible corrupting) host
 	 * memory is to reset the chip now.
@@ -1784,10 +1789,6 @@ static void ath10k_pci_hif_stop(struct ath10k *ar)
 	 */
 	ath10k_pci_safe_chip_reset(ar);
 
-	ath10k_pci_irq_disable(ar);
-	ath10k_pci_irq_sync(ar);
-	napi_synchronize(&ar->napi);
-	napi_disable(&ar->napi);
 	ath10k_pci_flush(ar);
 
 	spin_lock_irqsave(&ar_pci->ps_lock, flags);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 259/267] powerpc: Avoid clang warnings around setjmp and longjmp
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (257 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 258/267] ath10k: fix fw crash by moving chip reset after napi disabled Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 260/267] powerpc: Fix vDSO clock_getres() Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Segher Boessenkool, Nick Desaulniers,
	Nathan Chancellor, Michael Ellerman, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit c9029ef9c95765e7b63c4d9aa780674447db1ec0 ]

Commit aea447141c7e ("powerpc: Disable -Wbuiltin-requires-header when
setjmp is used") disabled -Wbuiltin-requires-header because of a
warning about the setjmp and longjmp declarations.

r367387 in clang added another diagnostic around this, complaining
that there is no jmp_buf declaration.

  In file included from ../arch/powerpc/xmon/xmon.c:47:
  ../arch/powerpc/include/asm/setjmp.h:10:13: error: declaration of
  built-in function 'setjmp' requires the declaration of the 'jmp_buf'
  type, commonly provided in the header <setjmp.h>.
  [-Werror,-Wincomplete-setjmp-declaration]
  extern long setjmp(long *);
              ^
  ../arch/powerpc/include/asm/setjmp.h:11:13: error: declaration of
  built-in function 'longjmp' requires the declaration of the 'jmp_buf'
  type, commonly provided in the header <setjmp.h>.
  [-Werror,-Wincomplete-setjmp-declaration]
  extern void longjmp(long *, long);
              ^
  2 errors generated.

We are not using the standard library's longjmp/setjmp implementations
for obvious reasons; make this clear to clang by using -ffreestanding
on these files.

Cc: stable@vger.kernel.org # 4.14+
Suggested-by: Segher Boessenkool <segher@kernel.crashing.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191119045712.39633-3-natechancellor@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/Makefile | 4 ++--
 arch/powerpc/xmon/Makefile   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
index 142b08d406423..5607ce67d178b 100644
--- a/arch/powerpc/kernel/Makefile
+++ b/arch/powerpc/kernel/Makefile
@@ -5,8 +5,8 @@
 
 CFLAGS_ptrace.o		+= -DUTS_MACHINE='"$(UTS_MACHINE)"'
 
-# Disable clang warning for using setjmp without setjmp.h header
-CFLAGS_crash.o		+= $(call cc-disable-warning, builtin-requires-header)
+# Avoid clang warnings around longjmp/setjmp declarations
+CFLAGS_crash.o += -ffreestanding
 
 subdir-ccflags-$(CONFIG_PPC_WERROR) := -Werror
 
diff --git a/arch/powerpc/xmon/Makefile b/arch/powerpc/xmon/Makefile
index ac5ee067aa512..a60c44b4a3e50 100644
--- a/arch/powerpc/xmon/Makefile
+++ b/arch/powerpc/xmon/Makefile
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: GPL-2.0
 # Makefile for xmon
 
-# Disable clang warning for using setjmp without setjmp.h header
-subdir-ccflags-y := $(call cc-disable-warning, builtin-requires-header)
+# Avoid clang warnings around longjmp/setjmp declarations
+subdir-ccflags-y := -ffreestanding
 
 subdir-ccflags-$(CONFIG_PPC_WERROR) += -Werror
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 260/267] powerpc: Fix vDSO clock_getres()
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (258 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 259/267] powerpc: Avoid clang warnings around setjmp and longjmp Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 261/267] ext4: work around deleting a file with i_nlink == 0 safely Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincenzo Frascino, Christophe Leroy,
	Shuah Khan, Michael Ellerman, Sasha Levin

From: Vincenzo Frascino <vincenzo.frascino@arm.com>

[ Upstream commit 552263456215ada7ee8700ce022d12b0cffe4802 ]

clock_getres in the vDSO library has to preserve the same behaviour
of posix_get_hrtimer_res().

In particular, posix_get_hrtimer_res() does:
    sec = 0;
    ns = hrtimer_resolution;
and hrtimer_resolution depends on the enablement of the high
resolution timers that can happen either at compile or at run time.

Fix the powerpc vdso implementation of clock_getres keeping a copy of
hrtimer_resolution in vdso data and using that directly.

Fixes: a7f290dad32e ("[PATCH] powerpc: Merge vdso's and add vdso support to 32 bits kernel")
Cc: stable@vger.kernel.org
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
[chleroy: changed CLOCK_REALTIME_RES to CLOCK_HRTIMER_RES]
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/a55eca3a5e85233838c2349783bcb5164dae1d09.1575273217.git.christophe.leroy@c-s.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/vdso_datapage.h  | 2 ++
 arch/powerpc/kernel/asm-offsets.c         | 2 +-
 arch/powerpc/kernel/time.c                | 1 +
 arch/powerpc/kernel/vdso32/gettimeofday.S | 7 +++++--
 arch/powerpc/kernel/vdso64/gettimeofday.S | 7 +++++--
 5 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/include/asm/vdso_datapage.h b/arch/powerpc/include/asm/vdso_datapage.h
index 1afe90ade595e..674c03350cd11 100644
--- a/arch/powerpc/include/asm/vdso_datapage.h
+++ b/arch/powerpc/include/asm/vdso_datapage.h
@@ -86,6 +86,7 @@ struct vdso_data {
 	__s32 wtom_clock_nsec;
 	struct timespec stamp_xtime;	/* xtime as at tb_orig_stamp */
 	__u32 stamp_sec_fraction;	/* fractional seconds of stamp_xtime */
+	__u32 hrtimer_res;			/* hrtimer resolution */
    	__u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls  */
    	__u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
 };
@@ -107,6 +108,7 @@ struct vdso_data {
 	__s32 wtom_clock_nsec;
 	struct timespec stamp_xtime;	/* xtime as at tb_orig_stamp */
 	__u32 stamp_sec_fraction;	/* fractional seconds of stamp_xtime */
+	__u32 hrtimer_res;		/* hrtimer resolution */
    	__u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
 	__u32 dcache_block_size;	/* L1 d-cache block size     */
 	__u32 icache_block_size;	/* L1 i-cache block size     */
diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
index 2e5ea300258a0..1bc761e537a98 100644
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -373,6 +373,7 @@ int main(void)
 	OFFSET(WTOM_CLOCK_NSEC, vdso_data, wtom_clock_nsec);
 	OFFSET(STAMP_XTIME, vdso_data, stamp_xtime);
 	OFFSET(STAMP_SEC_FRAC, vdso_data, stamp_sec_fraction);
+	OFFSET(CLOCK_HRTIMER_RES, vdso_data, hrtimer_res);
 	OFFSET(CFG_ICACHE_BLOCKSZ, vdso_data, icache_block_size);
 	OFFSET(CFG_DCACHE_BLOCKSZ, vdso_data, dcache_block_size);
 	OFFSET(CFG_ICACHE_LOGBLOCKSZ, vdso_data, icache_log_block_size);
@@ -401,7 +402,6 @@ int main(void)
 	DEFINE(CLOCK_REALTIME, CLOCK_REALTIME);
 	DEFINE(CLOCK_MONOTONIC, CLOCK_MONOTONIC);
 	DEFINE(NSEC_PER_SEC, NSEC_PER_SEC);
-	DEFINE(CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC);
 
 #ifdef CONFIG_BUG
 	DEFINE(BUG_ENTRY_SIZE, sizeof(struct bug_entry));
diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c
index 7c7c5a16284d2..14f3f28a089e7 100644
--- a/arch/powerpc/kernel/time.c
+++ b/arch/powerpc/kernel/time.c
@@ -920,6 +920,7 @@ void update_vsyscall(struct timekeeper *tk)
 	vdso_data->wtom_clock_nsec = tk->wall_to_monotonic.tv_nsec;
 	vdso_data->stamp_xtime = xt;
 	vdso_data->stamp_sec_fraction = frac_sec;
+	vdso_data->hrtimer_res = hrtimer_resolution;
 	smp_wmb();
 	++(vdso_data->tb_update_count);
 }
diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S
index 1e0bc5955a400..03a65fee8020e 100644
--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
+++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
@@ -160,12 +160,15 @@ V_FUNCTION_BEGIN(__kernel_clock_getres)
 	cror	cr0*4+eq,cr0*4+eq,cr1*4+eq
 	bne	cr0,99f
 
+	mflr	r12
+  .cfi_register lr,r12
+	bl	__get_datapage@local	/* get data page */
+	lwz	r5, CLOCK_HRTIMER_RES(r3)
+	mtlr	r12
 	li	r3,0
 	cmpli	cr0,r4,0
 	crclr	cr0*4+so
 	beqlr
-	lis	r5,CLOCK_REALTIME_RES@h
-	ori	r5,r5,CLOCK_REALTIME_RES@l
 	stw	r3,TSPC32_TV_SEC(r4)
 	stw	r5,TSPC32_TV_NSEC(r4)
 	blr
diff --git a/arch/powerpc/kernel/vdso64/gettimeofday.S b/arch/powerpc/kernel/vdso64/gettimeofday.S
index 09b2a49f6dd53..c973378e1f2bc 100644
--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
+++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
@@ -145,12 +145,15 @@ V_FUNCTION_BEGIN(__kernel_clock_getres)
 	cror	cr0*4+eq,cr0*4+eq,cr1*4+eq
 	bne	cr0,99f
 
+	mflr	r12
+  .cfi_register lr,r12
+	bl	V_LOCAL_FUNC(__get_datapage)
+	lwz	r5, CLOCK_HRTIMER_RES(r3)
+	mtlr	r12
 	li	r3,0
 	cmpldi	cr0,r4,0
 	crclr	cr0*4+so
 	beqlr
-	lis	r5,CLOCK_REALTIME_RES@h
-	ori	r5,r5,CLOCK_REALTIME_RES@l
 	std	r3,TSPC64_TV_SEC(r4)
 	std	r5,TSPC64_TV_NSEC(r4)
 	blr
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 261/267] ext4: work around deleting a file with i_nlink == 0 safely
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (259 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 260/267] powerpc: Fix vDSO clock_getres() Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 262/267] firmware: qcom: scm: Ensure a0 status code is treated as signed Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Theodore Tso, stable, Andreas Dilger

From: Theodore Ts'o <tytso@mit.edu>

commit c7df4a1ecb8579838ec8c56b2bb6a6716e974f37 upstream.

If the file system is corrupted such that a file's i_links_count is
too small, then it's possible that when unlinking that file, i_nlink
will already be zero.  Previously we were working around this kind of
corruption by forcing i_nlink to one; but we were doing this before
trying to delete the directory entry --- and if the file system is
corrupted enough that ext4_delete_entry() fails, then we exit with
i_nlink elevated, and this causes the orphan inode list handling to be
FUBAR'ed, such that when we unmount the file system, the orphan inode
list can get corrupted.

A better way to fix this is to simply skip trying to call drop_nlink()
if i_nlink is already zero, thus moving the check to the place where
it makes the most sense.

https://bugzilla.kernel.org/show_bug.cgi?id=205433

Link: https://lore.kernel.org/r/20191112032903.8828-1-tytso@mit.edu
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/namei.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3065,18 +3065,17 @@ static int ext4_unlink(struct inode *dir
 	if (IS_DIRSYNC(dir))
 		ext4_handle_sync(handle);
 
-	if (inode->i_nlink == 0) {
-		ext4_warning_inode(inode, "Deleting file '%.*s' with no links",
-				   dentry->d_name.len, dentry->d_name.name);
-		set_nlink(inode, 1);
-	}
 	retval = ext4_delete_entry(handle, dir, de, bh);
 	if (retval)
 		goto end_unlink;
 	dir->i_ctime = dir->i_mtime = current_time(dir);
 	ext4_update_dx_flag(dir);
 	ext4_mark_inode_dirty(handle, dir);
-	drop_nlink(inode);
+	if (inode->i_nlink == 0)
+		ext4_warning_inode(inode, "Deleting file '%.*s' with no links",
+				   dentry->d_name.len, dentry->d_name.name);
+	else
+		drop_nlink(inode);
 	if (!inode->i_nlink)
 		ext4_orphan_add(handle, inode);
 	inode->i_ctime = current_time(inode);



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 262/267] firmware: qcom: scm: Ensure a0 status code is treated as signed
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (260 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 261/267] ext4: work around deleting a file with i_nlink == 0 safely Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 263/267] mm/shmem.c: cast the type of unmap_start to u64 Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bjorn Andersson, Will Deacon

From: Will Deacon <will@kernel.org>

commit ff34f3cce278a0982a7b66b1afaed6295141b1fc upstream.

The 'a0' member of 'struct arm_smccc_res' is declared as 'unsigned long',
however the Qualcomm SCM firmware interface driver expects to receive
negative error codes via this field, so ensure that it's cast to 'long'
before comparing to see if it is less than 0.

Cc: <stable@vger.kernel.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/qcom_scm-64.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/qcom_scm-64.c
+++ b/drivers/firmware/qcom_scm-64.c
@@ -158,7 +158,7 @@ static int qcom_scm_call(struct device *
 		kfree(args_virt);
 	}
 
-	if (res->a0 < 0)
+	if ((long)res->a0 < 0)
 		return qcom_scm_remap_error(res->a0);
 
 	return 0;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 263/267] mm/shmem.c: cast the type of unmap_start to u64
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (261 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 262/267] firmware: qcom: scm: Ensure a0 status code is treated as signed Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 264/267] ext4: fix a bug in ext4_wait_for_tail_page_commit Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen Jun, Andrew Morton,
	Hugh Dickins, Qian Cai, Kefeng Wang, Linus Torvalds

From: Chen Jun <chenjun102@huawei.com>

commit aa71ecd8d86500da6081a72da6b0b524007e0627 upstream.

In 64bit system. sb->s_maxbytes of shmem filesystem is MAX_LFS_FILESIZE,
which equal LLONG_MAX.

If offset > LLONG_MAX - PAGE_SIZE, offset + len < LLONG_MAX in
shmem_fallocate, which will pass the checking in vfs_fallocate.

	/* Check for wrap through zero too */
	if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
		return -EFBIG;

loff_t unmap_start = round_up(offset, PAGE_SIZE) in shmem_fallocate
causes a overflow.

Syzkaller reports a overflow problem in mm/shmem:

  UBSAN: Undefined behaviour in mm/shmem.c:2014:10
  signed integer overflow: '9223372036854775807 + 1' cannot be represented in type 'long long int'
  CPU: 0 PID:17076 Comm: syz-executor0 Not tainted 4.1.46+ #1
  Hardware name: linux, dummy-virt (DT)
  Call trace:
     dump_backtrace+0x0/0x2c8 arch/arm64/kernel/traps.c:100
     show_stack+0x20/0x30 arch/arm64/kernel/traps.c:238
     __dump_stack lib/dump_stack.c:15 [inline]
     ubsan_epilogue+0x18/0x70 lib/ubsan.c:164
     handle_overflow+0x158/0x1b0 lib/ubsan.c:195
     shmem_fallocate+0x6d0/0x820 mm/shmem.c:2104
     vfs_fallocate+0x238/0x428 fs/open.c:312
     SYSC_fallocate fs/open.c:335 [inline]
     SyS_fallocate+0x54/0xc8 fs/open.c:239

The highest bit of unmap_start will be appended with sign bit 1
(overflow) when calculate shmem_falloc.start:

    shmem_falloc.start = unmap_start >> PAGE_SHIFT.

Fix it by casting the type of unmap_start to u64, when right shifted.

This bug is found in LTS Linux 4.1.  It also seems to exist in mainline.

Link: http://lkml.kernel.org/r/1573867464-5107-1-git-send-email-chenjun102@huawei.com
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Qian Cai <cai@lca.pw>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/shmem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2895,7 +2895,7 @@ static long shmem_fallocate(struct file
 		}
 
 		shmem_falloc.waitq = &shmem_falloc_waitq;
-		shmem_falloc.start = unmap_start >> PAGE_SHIFT;
+		shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;
 		shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
 		spin_lock(&inode->i_lock);
 		inode->i_private = &shmem_falloc;



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 264/267] ext4: fix a bug in ext4_wait_for_tail_page_commit
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (262 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 263/267] mm/shmem.c: cast the type of unmap_start to u64 Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 265/267] mfd: rk808: Fix RK818 ID template Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, yangerkun, Jan Kara,
	Theodore Tso

From: yangerkun <yangerkun@huawei.com>

commit 565333a1554d704789e74205989305c811fd9c7a upstream.

No need to wait for any commit once the page is fully truncated.
Besides, it may confuse e.g. concurrent ext4_writepage() with the page
still be dirty (will be cleared by truncate_pagecache() in
ext4_setattr()) but buffers has been freed; and then trigger a bug
show as below:

[   26.057508] ------------[ cut here ]------------
[   26.058531] kernel BUG at fs/ext4/inode.c:2134!
...
[   26.088130] Call trace:
[   26.088695]  ext4_writepage+0x914/0xb28
[   26.089541]  writeout.isra.4+0x1b4/0x2b8
[   26.090409]  move_to_new_page+0x3b0/0x568
[   26.091338]  __unmap_and_move+0x648/0x988
[   26.092241]  unmap_and_move+0x48c/0xbb8
[   26.093096]  migrate_pages+0x220/0xb28
[   26.093945]  kernel_mbind+0x828/0xa18
[   26.094791]  __arm64_sys_mbind+0xc8/0x138
[   26.095716]  el0_svc_common+0x190/0x490
[   26.096571]  el0_svc_handler+0x60/0xd0
[   26.097423]  el0_svc+0x8/0xc

Run the procedure (generate by syzkaller) parallel with ext3.

void main()
{
	int fd, fd1, ret;
	void *addr;
	size_t length = 4096;
	int flags;
	off_t offset = 0;
	char *str = "12345";

	fd = open("a", O_RDWR | O_CREAT);
	assert(fd >= 0);

	/* Truncate to 4k */
	ret = ftruncate(fd, length);
	assert(ret == 0);

	/* Journal data mode */
	flags = 0xc00f;
	ret = ioctl(fd, _IOW('f', 2, long), &flags);
	assert(ret == 0);

	/* Truncate to 0 */
	fd1 = open("a", O_TRUNC | O_NOATIME);
	assert(fd1 >= 0);

	addr = mmap(NULL, length, PROT_WRITE | PROT_READ,
					MAP_SHARED, fd, offset);
	assert(addr != (void *)-1);

	memcpy(addr, str, 5);
	mbind(addr, length, 0, 0, 0, MPOL_MF_MOVE);
}

And the bug will be triggered once we seen the below order.

reproduce1                         reproduce2

...                            |   ...
truncate to 4k                 |
change to journal data mode    |
                               |   memcpy(set page dirty)
truncate to 0:                 |
ext4_setattr:                  |
...                            |
ext4_wait_for_tail_page_commit |
                               |   mbind(trigger bug)
truncate_pagecache(clean dirty)|   ...
...                            |

mbind will call ext4_writepage() since the page still be dirty, and then
report the bug since the buffers has been free. Fix it by return
directly once offset equals to 0 which means the page has been fully
truncated.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20190919063508.1045-1-yangerkun@huawei.com
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/inode.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5305,11 +5305,15 @@ static void ext4_wait_for_tail_page_comm
 
 	offset = inode->i_size & (PAGE_SIZE - 1);
 	/*
-	 * All buffers in the last page remain valid? Then there's nothing to
-	 * do. We do the check mainly to optimize the common PAGE_SIZE ==
-	 * blocksize case
+	 * If the page is fully truncated, we don't need to wait for any commit
+	 * (and we even should not as __ext4_journalled_invalidatepage() may
+	 * strip all buffers from the page but keep the page dirty which can then
+	 * confuse e.g. concurrent ext4_writepage() seeing dirty page without
+	 * buffers). Also we don't need to wait for any commit if all buffers in
+	 * the page remain valid. This is most beneficial for the common case of
+	 * blocksize == PAGESIZE.
 	 */
-	if (offset > PAGE_SIZE - i_blocksize(inode))
+	if (!offset || offset > (PAGE_SIZE - i_blocksize(inode)))
 		return;
 	while (1) {
 		page = find_lock_page(inode->i_mapping,



^ permalink raw reply	[flat|nested] 280+ messages in thread

* [PATCH 4.14 265/267] mfd: rk808: Fix RK818 ID template
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (263 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 264/267] ext4: fix a bug in ext4_wait_for_tail_page_commit Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 266/267] mm, thp, proc: report THP eligibility for each vma Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Elaine Zhang, Joseph Chen,
	Daniel Schultz, Heiko Stuebner, Lee Jones, Sasha Levin

From: Daniel Schultz <d.schultz@phytec.de>

[ Upstream commit 37ef8c2c15bdc1322b160e38986c187de2b877b2 ]

The Rockchip PMIC driver can automatically detect connected component
versions by reading the ID_MSB and ID_LSB registers. The probe function
will always fail with RK818 PMICs because the ID_MSK is 0xFFF0 and the
RK818 template ID is 0x8181.

This patch changes this value to 0x8180.

Fixes: 9d6105e19f61 ("mfd: rk808: Fix up the chip id get failed")
Cc: stable@vger.kernel.org
Cc: Elaine Zhang <zhangqing@rock-chips.com>
Cc: Joseph Chen <chenjh@rock-chips.com>
Signed-off-by: Daniel Schultz <d.schultz@phytec.de>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/mfd/rk808.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/mfd/rk808.h b/include/linux/mfd/rk808.h
index d3156594674c2..338e0f6e2226b 100644
--- a/include/linux/mfd/rk808.h
+++ b/include/linux/mfd/rk808.h
@@ -443,7 +443,7 @@ enum {
 enum {
 	RK805_ID = 0x8050,
 	RK808_ID = 0x0000,
-	RK818_ID = 0x8181,
+	RK818_ID = 0x8180,
 };
 
 struct rk808 {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 266/267] mm, thp, proc: report THP eligibility for each vma
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (264 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 265/267] mfd: rk808: Fix RK818 ID template Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-16 17:49 ` [PATCH 4.14 267/267] mm/memory.c: fix a huge pud insertion race during faulting Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Hocko, Vlastimil Babka,
	Dan Williams, David Rientjes, Jan Kara, Mike Rapoport,
	Paul Oppenheimer, William Kucharski, Andrew Morton,
	Linus Torvalds, Sasha Levin

From: Michal Hocko <mhocko@suse.com>

[ Upstream commit 346a9dd5a9f9a0306e988401d4d726ef1b668057 ]

[ Upstream commit 7635d9cbe8327e131a1d3d8517dc186c2796ce2e ]

Userspace falls short when trying to find out whether a specific memory
range is eligible for THP.  There are usecases that would like to know
that
http://lkml.kernel.org/r/alpine.DEB.2.21.1809251248450.50347@chino.kir.corp.google.com
: This is used to identify heap mappings that should be able to fault thp
: but do not, and they normally point to a low-on-memory or fragmentation
: issue.

The only way to deduce this now is to query for hg resp.  nh flags and
confronting the state with the global setting.  Except that there is also
PR_SET_THP_DISABLE that might change the picture.  So the final logic is
not trivial.  Moreover the eligibility of the vma depends on the type of
VMA as well.  In the past we have supported only anononymous memory VMAs
but things have changed and shmem based vmas are supported as well these
days and the query logic gets even more complicated because the
eligibility depends on the mount option and another global configuration
knob.

Simplify the current state and report the THP eligibility in
/proc/<pid>/smaps for each existing vma.  Reuse
transparent_hugepage_enabled for this purpose.  The original
implementation of this function assumes that the caller knows that the vma
itself is supported for THP so make the core checks into
__transparent_hugepage_enabled and use it for existing callers.
__show_smap just use the new transparent_hugepage_enabled which also
checks the vma support status (please note that this one has to be out of
line due to include dependency issues).

[mhocko@kernel.org: fix oops with NULL ->f_mapping]
  Link: http://lkml.kernel.org/r/20181224185106.GC16738@dhcp22.suse.cz
Link: http://lkml.kernel.org/r/20181211143641.3503-3-mhocko@kernel.org
Signed-off-by: Michal Hocko <mhocko@suse.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Paul Oppenheimer <bepvte@gmail.com>
Cc: William Kucharski <william.kucharski@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/filesystems/proc.txt |  3 +++
 fs/proc/task_mmu.c                 |  3 +++
 include/linux/huge_mm.h            | 13 ++++++++++++-
 mm/huge_memory.c                   | 12 +++++++++++-
 mm/memory.c                        |  4 ++--
 5 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
index 4cee34ce496e6..9795b61d83cfe 100644
--- a/Documentation/filesystems/proc.txt
+++ b/Documentation/filesystems/proc.txt
@@ -423,6 +423,7 @@ SwapPss:               0 kB
 KernelPageSize:        4 kB
 MMUPageSize:           4 kB
 Locked:                0 kB
+THPeligible:           0
 VmFlags: rd ex mr mw me dw
 
 the first of these lines shows the same information as is displayed for the
@@ -460,6 +461,8 @@ replaced by copy-on-write) part of the underlying shmem object out on swap.
 "SwapPss" shows proportional swap share of this mapping. Unlike "Swap", this
 does not take into account swapped out page of underlying shmem objects.
 "Locked" indicates whether the mapping is locked in memory or not.
+"THPeligible" indicates whether the mapping is eligible for THP pages - 1 if
+true, 0 otherwise.
 
 "VmFlags" field deserves a separate description. This member represents the kernel
 flags associated with the particular virtual memory area in two letter encoded
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 309d24118f9a0..7541f56251456 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -860,6 +860,9 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
 			   (unsigned long)(mss->swap_pss >> (10 + PSS_SHIFT)),
 			   (unsigned long)(mss->pss_locked >> (10 + PSS_SHIFT)));
 
+	if (!rollup_mode)
+		seq_printf(m, "THPeligible:    %d\n", transparent_hugepage_enabled(vma));
+
 	if (!rollup_mode) {
 		arch_show_smap(m, vma);
 		show_smap_vma_flags(m, vma);
diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
index bfa38da4c261f..3dbf3b0ac38c3 100644
--- a/include/linux/huge_mm.h
+++ b/include/linux/huge_mm.h
@@ -92,7 +92,11 @@ extern bool is_vma_temporary_stack(struct vm_area_struct *vma);
 
 extern unsigned long transparent_hugepage_flags;
 
-static inline bool transparent_hugepage_enabled(struct vm_area_struct *vma)
+/*
+ * to be used on vmas which are known to support THP.
+ * Use transparent_hugepage_enabled otherwise
+ */
+static inline bool __transparent_hugepage_enabled(struct vm_area_struct *vma)
 {
 	if (vma->vm_flags & VM_NOHUGEPAGE)
 		return false;
@@ -116,6 +120,8 @@ static inline bool transparent_hugepage_enabled(struct vm_area_struct *vma)
 	return false;
 }
 
+bool transparent_hugepage_enabled(struct vm_area_struct *vma);
+
 #define transparent_hugepage_use_zero_page()				\
 	(transparent_hugepage_flags &					\
 	 (1<<TRANSPARENT_HUGEPAGE_USE_ZERO_PAGE_FLAG))
@@ -256,6 +262,11 @@ static inline bool thp_migration_supported(void)
 
 #define hpage_nr_pages(x) 1
 
+static inline bool __transparent_hugepage_enabled(struct vm_area_struct *vma)
+{
+	return false;
+}
+
 static inline bool transparent_hugepage_enabled(struct vm_area_struct *vma)
 {
 	return false;
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 1adc2e6c50f9c..34cd798d46f41 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -63,6 +63,16 @@ static struct shrinker deferred_split_shrinker;
 static atomic_t huge_zero_refcount;
 struct page *huge_zero_page __read_mostly;
 
+bool transparent_hugepage_enabled(struct vm_area_struct *vma)
+{
+	if (vma_is_anonymous(vma))
+		return __transparent_hugepage_enabled(vma);
+	if (vma_is_shmem(vma) && shmem_huge_enabled(vma))
+		return __transparent_hugepage_enabled(vma);
+
+	return false;
+}
+
 static struct page *get_huge_zero_page(void)
 {
 	struct page *zero_page;
@@ -1280,7 +1290,7 @@ int do_huge_pmd_wp_page(struct vm_fault *vmf, pmd_t orig_pmd)
 	get_page(page);
 	spin_unlock(vmf->ptl);
 alloc:
-	if (transparent_hugepage_enabled(vma) &&
+	if (__transparent_hugepage_enabled(vma) &&
 	    !transparent_hugepage_debug_cow()) {
 		huge_gfp = alloc_hugepage_direct_gfpmask(vma);
 		new_page = alloc_hugepage_vma(huge_gfp, vma, haddr, HPAGE_PMD_ORDER);
diff --git a/mm/memory.c b/mm/memory.c
index e9bce27bc18c3..24963eee4fb03 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4054,7 +4054,7 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
 	vmf.pud = pud_alloc(mm, p4d, address);
 	if (!vmf.pud)
 		return VM_FAULT_OOM;
-	if (pud_none(*vmf.pud) && transparent_hugepage_enabled(vma)) {
+	if (pud_none(*vmf.pud) && __transparent_hugepage_enabled(vma)) {
 		ret = create_huge_pud(&vmf);
 		if (!(ret & VM_FAULT_FALLBACK))
 			return ret;
@@ -4080,7 +4080,7 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
 	vmf.pmd = pmd_alloc(mm, vmf.pud, address);
 	if (!vmf.pmd)
 		return VM_FAULT_OOM;
-	if (pmd_none(*vmf.pmd) && transparent_hugepage_enabled(vma)) {
+	if (pmd_none(*vmf.pmd) && __transparent_hugepage_enabled(vma)) {
 		ret = create_huge_pmd(&vmf);
 		if (!(ret & VM_FAULT_FALLBACK))
 			return ret;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* [PATCH 4.14 267/267] mm/memory.c: fix a huge pud insertion race during faulting
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (265 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 266/267] mm, thp, proc: report THP eligibility for each vma Greg Kroah-Hartman
@ 2019-12-16 17:49 ` Greg Kroah-Hartman
  2019-12-17  1:32 ` [PATCH 4.14 000/267] 4.14.159-stable review shuah
                   ` (3 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16 17:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Hellstrom, Kirill A. Shutemov,
	Arnd Bergmann, Matthew Wilcox, Andrew Morton, Linus Torvalds,
	Sasha Levin

From: Thomas Hellstrom <thellstrom@vmware.com>

[ Upstream commit 3e0a2ff638b34f322eb170b1ae4515f61cfe3b14 ]

[ Upstream commit 625110b5e9dae9074d8a7e67dd07f821a053eed7 ]

A huge pud page can theoretically be faulted in racing with pmd_alloc()
in __handle_mm_fault().  That will lead to pmd_alloc() returning an
invalid pmd pointer.

Fix this by adding a pud_trans_unstable() function similar to
pmd_trans_unstable() and check whether the pud is really stable before
using the pmd pointer.

Race:
  Thread 1:             Thread 2:                 Comment
  create_huge_pud()                               Fallback - not taken.
                        create_huge_pud()         Taken.
  pmd_alloc()                                     Returns an invalid pointer.

This will result in user-visible huge page data corruption.

Note that this was caught during a code audit rather than a real
experienced problem.  It looks to me like the only implementation that
currently creates huge pud pagetable entries is dev_dax_huge_fault()
which doesn't appear to care much about private (COW) mappings or
write-tracking which is, I believe, a prerequisite for create_huge_pud()
falling back on thread 1, but not in thread 2.

Link: http://lkml.kernel.org/r/20191115115808.21181-2-thomas_os@shipmail.org
Fixes: a00cc7d9dd93 ("mm, x86: add support for PUD-sized transparent hugepages")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/asm-generic/pgtable.h | 25 +++++++++++++++++++++++++
 mm/memory.c                   |  6 ++++++
 2 files changed, 31 insertions(+)

diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
index 0c21014a38f23..876826240dead 100644
--- a/include/asm-generic/pgtable.h
+++ b/include/asm-generic/pgtable.h
@@ -846,6 +846,31 @@ static inline int pud_trans_huge(pud_t pud)
 }
 #endif
 
+/* See pmd_none_or_trans_huge_or_clear_bad for discussion. */
+static inline int pud_none_or_trans_huge_or_dev_or_clear_bad(pud_t *pud)
+{
+	pud_t pudval = READ_ONCE(*pud);
+
+	if (pud_none(pudval) || pud_trans_huge(pudval) || pud_devmap(pudval))
+		return 1;
+	if (unlikely(pud_bad(pudval))) {
+		pud_clear_bad(pud);
+		return 1;
+	}
+	return 0;
+}
+
+/* See pmd_trans_unstable for discussion. */
+static inline int pud_trans_unstable(pud_t *pud)
+{
+#if defined(CONFIG_TRANSPARENT_HUGEPAGE) &&			\
+	defined(CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD)
+	return pud_none_or_trans_huge_or_dev_or_clear_bad(pud);
+#else
+	return 0;
+#endif
+}
+
 #ifndef pmd_read_atomic
 static inline pmd_t pmd_read_atomic(pmd_t *pmdp)
 {
diff --git a/mm/memory.c b/mm/memory.c
index 24963eee4fb03..174252bd87df8 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4054,6 +4054,7 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
 	vmf.pud = pud_alloc(mm, p4d, address);
 	if (!vmf.pud)
 		return VM_FAULT_OOM;
+retry_pud:
 	if (pud_none(*vmf.pud) && __transparent_hugepage_enabled(vma)) {
 		ret = create_huge_pud(&vmf);
 		if (!(ret & VM_FAULT_FALLBACK))
@@ -4080,6 +4081,11 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
 	vmf.pmd = pmd_alloc(mm, vmf.pud, address);
 	if (!vmf.pmd)
 		return VM_FAULT_OOM;
+
+	/* Huge pud page fault raced with pmd_alloc? */
+	if (pud_trans_unstable(vmf.pud))
+		goto retry_pud;
+
 	if (pmd_none(*vmf.pmd) && __transparent_hugepage_enabled(vma)) {
 		ret = create_huge_pmd(&vmf);
 		if (!(ret & VM_FAULT_FALLBACK))
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (266 preceding siblings ...)
  2019-12-16 17:49 ` [PATCH 4.14 267/267] mm/memory.c: fix a huge pud insertion race during faulting Greg Kroah-Hartman
@ 2019-12-17  1:32 ` shuah
  2019-12-17  4:22 ` Naresh Kamboju
                   ` (2 subsequent siblings)
  270 siblings, 0 replies; 280+ messages in thread
From: shuah @ 2019-12-17  1:32 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 12/16/19 10:45 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.159 release.
> There are 267 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 18 Dec 2019 17:41:25 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (267 preceding siblings ...)
  2019-12-17  1:32 ` [PATCH 4.14 000/267] 4.14.159-stable review shuah
@ 2019-12-17  4:22 ` Naresh Kamboju
  2019-12-17  7:53   ` Greg Kroah-Hartman
  2019-12-17  9:05 ` Greg Kroah-Hartman
  2019-12-17 18:18 ` Guenter Roeck
  270 siblings, 1 reply; 280+ messages in thread
From: Naresh Kamboju @ 2019-12-17  4:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable,
	Michal Hocko, Arnd Bergmann, william.kucharski, bepvte, rppt,
	Jan Kara, rientjes, dan.j.williams, Vlastimil Babka

Results from Linaro’s test farm.
Regressions on arm and qemu_arm.

Regressions (compared to build v4.14.158)
------------------------------------------------------------------------
x15:
  ltp-fs-tests:
    * proc01

qemu_arm:
  libhugetlbfs:
    * HUGETLB_SHM_yes-shmoverride_linked-2M-32
    * LD_PRELOAD_libhugetlbfs.so-HUGETLB_SHM_yes-shmoverride_unlinked-2M-32
    * counters.sh-2M-32
    * truncate_sigbus_versus_oom-2M-32

  ltp-fs-tests:
    * proc01

On Mon, 16 Dec 2019 at 23:21, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.14.159 release.
> There are 267 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 18 Dec 2019 17:41:25 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
> Pseudo-Shortlog of commits:
>
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     Linux 4.14.159-rc1

> Michal Hocko <mhocko@suse.com>
>     mm, thp, proc: report THP eligibility for each vma

LTP proc01 :
----------------
[ 1205.874471] ICMPv6: process `proc01' is using deprecated sysctl
(syscall) net.ipv6.neigh.default.base_reachable_time - use
net.ipv6.neigh.default.base_reachable_time_ms instead
[ 1205.905262] nr_pdflush_threads exported in /proc is scheduled for removal
[ 1215.501494] Unable to handle kernel NULL pointer dereference at
virtual address 000001d0
[ 1215.505049] pgd = ea89e7c0
[ 1215.506115] [000001d0] *pgd=6b2fc003, *pmd=13f916003
[ 1215.508081] Internal error: Oops: 207 [#1] SMP ARM
[ 1215.510200] Modules linked in: crc32_arm_ce sha2_arm_ce sha256_arm
sha1_arm_ce sha1_arm aes_arm_ce crypto_simd cryptd fuse
[ 1215.515303] CPU: 2 PID: 4950 Comm: proc01 Not tainted 4.14.159-rc1 #1
[ 1215.518334] Hardware name: Generic DT based system
[ 1215.520553] task: ea874240 task.stack: eb5e8000
[ 1215.522681] PC is at transparent_hugepage_enabled+0x54/0xb4
[ 1215.525237] LR is at transparent_hugepage_enabled+0x48/0xb4
[ 1215.527831] pc : [<c060d1bc>]    lr : [<c060d1b0>]    psr: 600f0013
[ 1215.530735] sp : eb5e9d68  ip : eb5e9d68  fp : eb5e9d7c
[ 1215.533145] r10: 00000004  r9 : 00000000  r8 : 0000d6f0
[ 1215.535559] r7 : ec74ff00  r6 : eb5e9de8  r5 : c1c0e320  r4 : c1c0e320
[ 1215.538507] r3 : 00000000  r2 : 80000000  r1 : c165d6cd  r0 : 00000000
[ 1215.541498] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[ 1215.544839] Control: 30c5383d  Table: 6a89e7c0  DAC: dbadc0de
[ 1215.547527] Process proc01 (pid: 4950, stack limit = 0xeb5e8220)
[ 1215.550292] Stack: (0xeb5e9d68 to 0xeb5ea000)
....
[ 1215.631288] [<c060d1bc>] (transparent_hugepage_enabled) from
[<c06a4ba8>] (show_smap+0x298/0x454)
[ 1215.635364] [<c06a4ba8>] (show_smap) from [<c06a4da0>]
(show_tid_smap+0x1c/0x20)
[ 1215.638733] [<c06a4da0>] (show_tid_smap) from [<c065acb0>]
(seq_read+0x3c4/0x520)
[ 1215.642134] [<c065acb0>] (seq_read) from [<c062d274>] (__vfs_read+0x38/0x12c)
[ 1215.645410] [<c062d274>] (__vfs_read) from [<c062d404>] (vfs_read+0x9c/0x164)
[ 1215.648750] [<c062d404>] (vfs_read) from [<c062d9f0>] (SyS_read+0x5c/0xd0)
[ 1215.651906] [<c062d9f0>] (SyS_read) from [<c0408d20>]
(ret_fast_syscall+0x0/0x28)
[ 1215.655371] Code: ebff672f e3500000 1afffff7 e5943020 (e59331d0)
[ 1215.658332] ---[ end trace 6088de7e307c3c4c ]---

libhugetlbfs test suite caused this failure on arm32,
---------------------------------------------------------------------

malloc (2M: 32): [   45.815802] Unable to handle kernel NULL pointer
dereference at virtual address 000001d0
[   45.824194] pgd = ec174080
[   45.827020] [000001d0] *pgd=ac29b003, *pmd=fb076003
[   45.831953] Internal error: Oops: 207 [#1] SMP ARM
[   45.836773] Modules linked in: snd_soc_simple_card
snd_soc_simple_card_utils snd_soc_core ac97_bus snd_pcm_dmaengine
snd_pcm snd_timer snd soundcore fuse
[   45.850649] CPU: 1 PID: 436 Comm: malloc Not tainted 4.14.159-rc1 #1
[   45.857039] Hardware name: Generic DRA74X (Flattened Device Tree)
[   45.863166] task: ec116a00 task.stack: ec64c000
[   45.867731] PC is at transparent_hugepage_enabled+0x54/0xb4
[   45.873333] LR is at transparent_hugepage_enabled+0x48/0xb4
[   45.878934] pc : [<c060d1bc>]    lr : [<c060d1b0>]    psr: 600b0013
[   45.885234] sp : ec64dd68  ip : ec64dd68  fp : ec64dd7c
[   45.890487] r10: 00000004  r9 : 00000000  r8 : 0000d6f0
[   45.895740] r7 : ca2a29c0  r6 : ec64dde8  r5 : c1c0e320  r4 : c1c0e320
[   45.902301] r3 : 00000000  r2 : 80000000  r1 : c165d6cd  r0 : 00000000
[   45.908864] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   45.916036] Control: 30c5387d  Table: ac174080  DAC: 55555555
[   45.921813] Process malloc (pid: 436, stack limit = 0xec64c220)
[   45.927765] Stack: (0xec64dd68 to 0xec64e000)
..
[   46.104774] [<c060d1bc>] (transparent_hugepage_enabled) from
[<c06a4ba8>] (show_smap+0x298/0x454)
[   46.113697] [<c06a4ba8>] (show_smap) from [<c06a4d80>]
(show_pid_smap+0x1c/0x20)
[   46.121136] [<c06a4d80>] (show_pid_smap) from [<c065a9d0>]
(seq_read+0xe4/0x520)
[   46.128576] [<c065a9d0>] (seq_read) from [<c062d274>] (__vfs_read+0x38/0x12c)
[   46.135752] [<c062d274>] (__vfs_read) from [<c062d404>] (vfs_read+0x9c/0x164)
[   46.142926] [<c062d404>] (vfs_read) from [<c062d9f0>] (SyS_read+0x5c/0xd0)
[   46.149842] [<c062d9f0>] (SyS_read) from [<c0408d20>]
(ret_fast_syscall+0x0/0x28)
[   46.157367] Code: ebff672f e3500000 1afffff7 e5943020 (e59331d0)
[   46.163616] ---[ end trace c51b58b4d19d6cce ]---


Full test log,
https://lkft.validation.linaro.org/scheduler/job/1058080#L1126
https://lkft.validation.linaro.org/scheduler/job/1057628#L5461

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 204/267] blk-mq: avoid sysfs buffer overflow with too many CPU cores
  2019-12-16 17:48 ` [PATCH 4.14 204/267] blk-mq: avoid sysfs buffer overflow with too many CPU cores Greg Kroah-Hartman
@ 2019-12-17  4:28   ` Nobuhiro Iwamatsu
  2019-12-17  7:49     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 280+ messages in thread
From: Nobuhiro Iwamatsu @ 2019-12-17  4:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Ming Lei, Jens Axboe

On Mon, Dec 16, 2019 at 06:48:50PM +0100, Greg Kroah-Hartman wrote:
> From: Ming Lei <ming.lei@redhat.com>
> 
> commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream.
> 
> It is reported that sysfs buffer overflow can be triggered if the system
> has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of
> hctx via /sys/block/$DEV/mq/$N/cpu_list.
> 
> Use snprintf to avoid the potential buffer overflow.
> 
> This version doesn't change the attribute format, and simply stops
> showing CPU numbers if the buffer is going to overflow.
> 
> Cc: stable@vger.kernel.org
> Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load")
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 

This commit also required following commit:

commit d2c9be89f8ebe7ebcc97676ac40f8dec1cf9b43a
Author: Ming Lei <ming.lei@redhat.com>
Date:   Mon Nov 4 16:26:53 2019 +0800

    blk-mq: make sure that line break can be printed

    8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores")
    avoids sysfs buffer overflow, and reserves one character for line break.
    However, the last snprintf() doesn't get correct 'size' parameter passed
    in, so fixed it.

    Fixes: 8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores")
    Signed-off-by: Ming Lei <ming.lei@redhat.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>


And this is also required for 4.4, 4.9 and 4.19.
Please apply.

Best regards,
  Nobuhiro

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 204/267] blk-mq: avoid sysfs buffer overflow with too many CPU cores
  2019-12-17  4:28   ` Nobuhiro Iwamatsu
@ 2019-12-17  7:49     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-17  7:49 UTC (permalink / raw)
  To: Nobuhiro Iwamatsu; +Cc: linux-kernel, stable, Ming Lei, Jens Axboe

On Tue, Dec 17, 2019 at 01:28:29PM +0900, Nobuhiro Iwamatsu wrote:
> On Mon, Dec 16, 2019 at 06:48:50PM +0100, Greg Kroah-Hartman wrote:
> > From: Ming Lei <ming.lei@redhat.com>
> > 
> > commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream.
> > 
> > It is reported that sysfs buffer overflow can be triggered if the system
> > has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of
> > hctx via /sys/block/$DEV/mq/$N/cpu_list.
> > 
> > Use snprintf to avoid the potential buffer overflow.
> > 
> > This version doesn't change the attribute format, and simply stops
> > showing CPU numbers if the buffer is going to overflow.
> > 
> > Cc: stable@vger.kernel.org
> > Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load")
> > Signed-off-by: Ming Lei <ming.lei@redhat.com>
> > Signed-off-by: Jens Axboe <axboe@kernel.dk>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> 
> This commit also required following commit:
> 
> commit d2c9be89f8ebe7ebcc97676ac40f8dec1cf9b43a
> Author: Ming Lei <ming.lei@redhat.com>
> Date:   Mon Nov 4 16:26:53 2019 +0800
> 
>     blk-mq: make sure that line break can be printed
> 
>     8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores")
>     avoids sysfs buffer overflow, and reserves one character for line break.
>     However, the last snprintf() doesn't get correct 'size' parameter passed
>     in, so fixed it.
> 
>     Fixes: 8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores")
>     Signed-off-by: Ming Lei <ming.lei@redhat.com>
>     Signed-off-by: Jens Axboe <axboe@kernel.dk>
> 
> 
> And this is also required for 4.4, 4.9 and 4.19.
> Please apply.

Thank you for catching this, now queued up.

greg k-h

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-17  4:22 ` Naresh Kamboju
@ 2019-12-17  7:53   ` Greg Kroah-Hartman
  2019-12-17  8:45     ` Naresh Kamboju
  0 siblings, 1 reply; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-17  7:53 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable,
	Michal Hocko, Arnd Bergmann, william.kucharski, bepvte, rppt,
	Jan Kara, rientjes, dan.j.williams, Vlastimil Babka

On Tue, Dec 17, 2019 at 09:52:19AM +0530, Naresh Kamboju wrote:
> Results from Linaro’s test farm.
> Regressions on arm and qemu_arm.
> 
> Regressions (compared to build v4.14.158)
> ------------------------------------------------------------------------
> x15:
>   ltp-fs-tests:
>     * proc01
> 
> qemu_arm:
>   libhugetlbfs:
>     * HUGETLB_SHM_yes-shmoverride_linked-2M-32
>     * LD_PRELOAD_libhugetlbfs.so-HUGETLB_SHM_yes-shmoverride_unlinked-2M-32
>     * counters.sh-2M-32
>     * truncate_sigbus_versus_oom-2M-32
> 
>   ltp-fs-tests:
>     * proc01

What does all of this mean?

Can you bisect to find the offending patch?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-17  7:53   ` Greg Kroah-Hartman
@ 2019-12-17  8:45     ` Naresh Kamboju
  2019-12-17  8:59       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 280+ messages in thread
From: Naresh Kamboju @ 2019-12-17  8:45 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable,
	Michal Hocko, Arnd Bergmann, william.kucharski, bepvte, rppt,
	Jan Kara, rientjes, dan.j.williams, Vlastimil Babka

 >   ltp-fs-tests:
> >     * proc01
>
> What does all of this mean?
>
> Can you bisect to find the offending patch?

Here is the offending patch,

Michal Hocko <mhocko@suse.com>
    mm, thp, proc: report THP eligibility for each vma

FYI,
Reverted this patch and re-validated ltp-fs-tests proc01 and now
getting PASS on arm.

- Naresh

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-17  8:45     ` Naresh Kamboju
@ 2019-12-17  8:59       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-17  8:59 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable,
	Michal Hocko, Arnd Bergmann, william.kucharski, bepvte, rppt,
	Jan Kara, rientjes, dan.j.williams, Vlastimil Babka

On Tue, Dec 17, 2019 at 02:15:16PM +0530, Naresh Kamboju wrote:
>  >   ltp-fs-tests:
> > >     * proc01
> >
> > What does all of this mean?
> >
> > Can you bisect to find the offending patch?
> 
> Here is the offending patch,
> 
> Michal Hocko <mhocko@suse.com>
>     mm, thp, proc: report THP eligibility for each vma
> 
> FYI,
> Reverted this patch and re-validated ltp-fs-tests proc01 and now
> getting PASS on arm.

Ok, I'll go drop this.

Sasha, the backport of this patch didn't work.  Also you have two
"upstream commit" messages in the changelog, which feels odd :(

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (268 preceding siblings ...)
  2019-12-17  4:22 ` Naresh Kamboju
@ 2019-12-17  9:05 ` Greg Kroah-Hartman
  2019-12-17 11:27   ` Jon Hunter
  2019-12-17 14:28   ` Naresh Kamboju
  2019-12-17 18:18 ` Guenter Roeck
  270 siblings, 2 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-17  9:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Mon, Dec 16, 2019 at 06:45:26PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.159 release.
> There are 267 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 18 Dec 2019 17:41:25 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.

There is a -rc2 out now to resolve some reported issues:
 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc2.gz


^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-17  9:05 ` Greg Kroah-Hartman
@ 2019-12-17 11:27   ` Jon Hunter
  2019-12-17 14:28   ` Naresh Kamboju
  1 sibling, 0 replies; 280+ messages in thread
From: Jon Hunter @ 2019-12-17 11:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 17/12/2019 09:05, Greg Kroah-Hartman wrote:
> On Mon, Dec 16, 2019 at 06:45:26PM +0100, Greg Kroah-Hartman wrote:
>> This is the start of the stable review cycle for the 4.14.159 release.
>> There are 267 patches in this series, all will be posted as a response
>> to this one.  If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Wed, 18 Dec 2019 17:41:25 +0000.
>> Anything received after that time might be too late.
>>
>> The whole patch series can be found in one patch at:
>> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc1.gz
>> or in the git tree and branch at:
>> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
>> and the diffstat can be found below.
> 
> There is a -rc2 out now to resolve some reported issues:
>  	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc2.gz


All tests are passing for Tegra ...

Test results for stable-v4.14:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    24 tests:	24 pass, 0 fail

Linux version:	4.14.159-rc2-g66745e000c83
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-17  9:05 ` Greg Kroah-Hartman
  2019-12-17 11:27   ` Jon Hunter
@ 2019-12-17 14:28   ` Naresh Kamboju
  2019-12-17 14:33     ` Greg Kroah-Hartman
  1 sibling, 1 reply; 280+ messages in thread
From: Naresh Kamboju @ 2019-12-17 14:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Tue, 17 Dec 2019 at 14:35, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> There is a -rc2 out now to resolve some reported issues:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc2.gz

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.14.159-rc2
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: 66745e000c837d52e736de131726a861c6ea1ebf
git describe: v4.14.158-268-g66745e000c83
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.158-268-g66745e000c83

No regressions (compared to build v4.14.158)

No fixes (compared to build v4.14.158)

Ran 23039 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* linux-log-parser
* ltp-containers-tests
* ltp-cve-tests
* spectre-meltdown-checker-test
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-cpuhotplug-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* perf
* v4l2-compliance
* ltp-open-posix-tests
* kvm-unit-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none
* ssuite

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-17 14:28   ` Naresh Kamboju
@ 2019-12-17 14:33     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 280+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-17 14:33 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Tue, Dec 17, 2019 at 07:58:25PM +0530, Naresh Kamboju wrote:
> On Tue, 17 Dec 2019 at 14:35, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > There is a -rc2 out now to resolve some reported issues:
> >         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.159-rc2.gz
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.

Wonderful, thanks for the quick turn-around.

greg k-h

^ permalink raw reply	[flat|nested] 280+ messages in thread

* Re: [PATCH 4.14 000/267] 4.14.159-stable review
  2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
                   ` (269 preceding siblings ...)
  2019-12-17  9:05 ` Greg Kroah-Hartman
@ 2019-12-17 18:18 ` Guenter Roeck
  270 siblings, 0 replies; 280+ messages in thread
From: Guenter Roeck @ 2019-12-17 18:18 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Mon, Dec 16, 2019 at 06:45:26PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.159 release.
> There are 267 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 18 Dec 2019 17:41:25 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 172 pass: 172 fail: 0
Qemu test results:
	total: 375 pass: 375 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 280+ messages in thread

end of thread, other threads:[~2019-12-17 18:18 UTC | newest]

Thread overview: 280+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-16 17:45 [PATCH 4.14 000/267] 4.14.159-stable review Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 001/267] rsi: release skb if rsi_prepare_beacon fails Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 002/267] arm64: tegra: Fix active-low warning for Jetson TX1 regulator Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 003/267] usb: gadget: u_serial: add missing port entry locking Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 004/267] tty: serial: fsl_lpuart: use the sg count from dma_map_sg Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 005/267] tty: serial: msm_serial: Fix flow control Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 006/267] serial: pl011: Fix DMA ->flush_buffer() Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 007/267] serial: serial_core: Perform NULL checks for break_ctl ops Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 008/267] serial: ifx6x60: add missed pm_runtime_disable Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 009/267] autofs: fix a leak in autofs_expire_indirect() Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 010/267] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 011/267] iwlwifi: pcie: dont consider IV len in A-MSDU Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 012/267] exportfs_decode_fh(): negative pinned may become positive without the parent locked Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 013/267] audit_get_nd(): dont unlock parent too early Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 014/267] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 015/267] xfrm: release device reference for invalid state Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 016/267] Input: cyttsp4_core - fix use after free bug Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 017/267] sched/core: Avoid spurious lock dependencies Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 018/267] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 019/267] rsxx: add missed destroy_workqueue calls in remove Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 020/267] net: ep93xx_eth: fix mismatch of request_mem_region " Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 021/267] i2c: core: fix use after free in of_i2c_notify Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 022/267] serial: core: Allow processing sysrq at port unlock time Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 023/267] cxgb4vf: fix memleak in mac_hlist initialization Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 024/267] iwlwifi: mvm: synchronize TID queue removal Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 025/267] iwlwifi: mvm: Send non offchannel traffic via AP sta Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 026/267] ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+ Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 027/267] net/mlx5: Release resource on error flow Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 028/267] clk: sunxi-ng: a64: Fix gate bit of DSI DPHY Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 029/267] dlm: fix possible call to kfree() for non-initialized pointer Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 030/267] extcon: max8997: Fix lack of path setting in USB device mode Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 031/267] net: ethernet: ti: cpts: correct debug for expired txq skb Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 032/267] rtc: s3c-rtc: Avoid using broken ALMYEAR register Greg Kroah-Hartman
2019-12-16 17:45 ` [PATCH 4.14 033/267] i40e: dont restart nway if autoneg not supported Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 034/267] clk: rockchip: fix rk3188 sclk_smc gate data Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 035/267] clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 036/267] ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 037/267] dlm: fix missing idr_destroy for recover_idr Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 038/267] MIPS: SiByte: Enable ZONE_DMA32 for LittleSur Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 039/267] net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2 Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 040/267] scsi: zfcp: drop default switch case which might paper over missing case Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 041/267] crypto: ecc - check for invalid values in the key verification test Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 042/267] crypto: bcm - fix normal/non key hash algorithm failure Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 043/267] pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 044/267] Staging: iio: adt7316: Fix i2c data reading, set the data field Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 045/267] mm/vmstat.c: fix NUMA statistics updates Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 046/267] clk: rockchip: fix I2S1 clock gate register for rk3328 Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 047/267] clk: rockchip: fix ID of 8ch clock of I2S1 " Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 048/267] regulator: Fix return value of _set_load() stub Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 049/267] net-next/hinic:fix a bug in set mac address Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 050/267] iomap: sub-block dio needs to zeroout beyond EOF Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 051/267] MIPS: OCTEON: octeon-platform: fix typing Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 052/267] net/smc: use after free fix in smc_wr_tx_put_slot() Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 053/267] math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 054/267] rtc: max8997: Fix the returned value in case of error in max8997_rtc_read_alarm() Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 055/267] rtc: dt-binding: abx80x: fix resistance scale Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 056/267] ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 057/267] media: pulse8-cec: return 0 when invalidating the logical address Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 058/267] media: cec: report Vendor ID after initialization Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 059/267] dmaengine: coh901318: Fix a double-lock bug Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 060/267] dmaengine: coh901318: Remove unused variable Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 061/267] dmaengine: dw-dmac: implement dma protection control setting Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 062/267] usb: dwc3: debugfs: Properly print/set link state for HS Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 063/267] usb: dwc3: dont log probe deferrals; but do log other error codes Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 064/267] ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 065/267] f2fs: fix count of seg_freed to make sec_freed correct Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 066/267] f2fs: change segment to section in f2fs_ioc_gc_range Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 067/267] ARM: dts: rockchip: Fix the PMU interrupt number for rv1108 Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 068/267] ARM: dts: rockchip: Assign the proper GPIO clocks " Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 069/267] f2fs: fix to allow node segment for GC by ioctl path Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 070/267] sparc: Correct ctx->saw_frame_pointer logic Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 071/267] dma-mapping: fix return type of dma_set_max_seg_size() Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 072/267] altera-stapl: check for a null key before strcasecmping it Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 073/267] serial: imx: fix error handling in console_setup Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 074/267] i2c: imx: dont print error message on probe defer Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 075/267] lockd: fix decoding of TEST results Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 076/267] ASoC: rsnd: tidyup registering method for rsnd_kctrl_new() Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 077/267] ARM: dts: sun5i: a10s: Fix HDMI output DTC warning Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 078/267] ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 079/267] dlm: NULL check before kmem_cache_destroy is not needed Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 080/267] ARM: debug: enable UART1 for socfpga Cyclone5 Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 081/267] nfsd: fix a warning in __cld_pipe_upcall() Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 082/267] ASoC: au8540: use 64-bit arithmetic instead of 32-bit Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 083/267] ARM: OMAP1/2: fix SoC name printing Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 084/267] arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 085/267] arm64: dts: meson-gxbb-nanopi-k2: " Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 086/267] arm64: dts: meson-gxbb-odroidc2: " Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 087/267] arm64: dts: meson-gxl-khadas-vim: " Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 088/267] net/x25: fix called/calling length calculation in x25_parse_address_block Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 089/267] net/x25: fix null_x25_address handling Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 090/267] ARM: dts: mmp2: fix the gpio interrupt cell number Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 091/267] ARM: dts: realview-pbx: Fix duplicate regulator nodes Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 092/267] tcp: fix off-by-one bug on aborting window-probing socket Greg Kroah-Hartman
2019-12-16 17:46 ` [PATCH 4.14 093/267] tcp: fix SNMP under-estimation on failed retransmission Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 094/267] tcp: fix SNMP TCP timeout under-estimation Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 095/267] modpost: skip ELF local symbols during section mismatch check Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 096/267] kbuild: fix single target build for external module Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 097/267] mtd: fix mtd_oobavail() incoherent returned value Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 098/267] ARM: dts: pxa: clean up USB controller nodes Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 099/267] clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 100/267] ARM: dts: realview: Fix some more duplicate regulator nodes Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 101/267] dlm: fix invalid cluster name warning Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 102/267] net/mlx4_core: Fix return codes of unsupported operations Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 103/267] pstore/ram: Avoid NULL deref in ftrace merging failure path Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 104/267] powerpc/math-emu: Update macros from GCC Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 105/267] clk: renesas: r8a77995: Correct parent clock of DU Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 106/267] MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 107/267] nfsd: Return EPERM, not EACCES, in some SETATTR cases Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 108/267] tty: Dont block on IO when ldisc change is pending Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 109/267] media: stkwebcam: Bugfix for wrong return values Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 110/267] firmware: qcom: scm: fix compilation error when disabled Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 111/267] mlxsw: spectrum_router: Relax GRE decap matching check Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 112/267] IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 113/267] IB/hfi1: Close VNIC sdma_progress sleep window Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 114/267] mlx4: Use snprintf instead of complicated strcpy Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 115/267] usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 116/267] ARM: dts: sunxi: Fix PMU compatible strings Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 117/267] media: vimc: fix start stream when link is disabled Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 118/267] net: aquantia: fix RSS table and key sizes Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 119/267] tcp: exit if nothing to retransmit on RTO timeout Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 120/267] sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 121/267] fuse: verify nlink Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 122/267] fuse: verify attributes Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 123/267] ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 124/267] ALSA: pcm: oss: Avoid potential buffer overflows Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 125/267] ALSA: hda - Add mute led support for HP ProBook 645 G4 Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 126/267] Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 127/267] Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 128/267] Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 129/267] Input: goodix - add upside-down quirk for Teclast X89 tablet Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 130/267] coresight: etm4x: Fix input validation for sysfs Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 131/267] Input: Fix memory leak in psxpad_spi_probe Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 132/267] x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 133/267] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 134/267] CIFS: Fix SMB2 oplock break processing Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 135/267] tty: vt: keyboard: reject invalid keycodes Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 136/267] can: slcan: Fix use-after-free Read in slcan_open Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 137/267] kernfs: fix ino wrap-around detection Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 138/267] jbd2: Fix possible overflow in jbd2_log_space_left() Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 139/267] drm/i810: Prevent underflow in ioctl Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 140/267] KVM: arm/arm64: vgic: Dont rely on the wrong pending table Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 141/267] KVM: x86: do not modify masked bits of shared MSRs Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 142/267] KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 143/267] crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 144/267] crypto: af_alg - cast ki_complete ternary op to int Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 145/267] crypto: ccp - fix uninitialized list head Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 146/267] crypto: ecdh - fix big endian bug in ECC library Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 147/267] crypto: user - fix memory leak in crypto_report Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 148/267] spi: atmel: Fix CS high support Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 149/267] RDMA/qib: Validate ->show()/store() callbacks before calling them Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 150/267] iomap: Fix pipe page leakage during splicing Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 151/267] thermal: Fix deadlock in thermal thermal_zone_device_check Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 152/267] binder: Handle start==NULL in binder_update_page_range() Greg Kroah-Hartman
2019-12-16 17:47 ` [PATCH 4.14 153/267] ASoC: rsnd: fixup MIX kctrl registration Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 154/267] KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 155/267] appletalk: Fix potential NULL pointer dereference in unregister_snap_client Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 156/267] appletalk: Set error code if register_snap_client failed Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 157/267] usb: gadget: configfs: Fix missing spin_lock_init() Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 158/267] usb: gadget: pch_udc: fix use after free Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 159/267] scsi: qla2xxx: Fix driver unload hang Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 160/267] media: venus: remove invalid compat_ioctl32 handler Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 161/267] USB: uas: honor flag to avoid CAPACITY16 Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 162/267] USB: uas: heed CAPACITY_HEURISTICS Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 163/267] USB: documentation: flags on usb-storage versus UAS Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 164/267] usb: Allow USB device to be warm reset in suspended state Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 165/267] staging: rtl8188eu: fix interface sanity check Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 166/267] staging: rtl8712: " Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 167/267] staging: gigaset: fix general protection fault on probe Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 168/267] staging: gigaset: fix illegal free on probe errors Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 169/267] staging: gigaset: add endpoint-type sanity check Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 170/267] usb: xhci: only set D3hot for pci device Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 171/267] xhci: Increase STS_HALT timeout in xhci_suspend() Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 172/267] xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 173/267] ARM: dts: pandora-common: define wl1251 as child node of mmc3 Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 174/267] iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 175/267] USB: atm: ueagle-atm: add missing endpoint check Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 176/267] USB: idmouse: fix interface sanity checks Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 177/267] USB: serial: io_edgeport: fix epic endpoint lookup Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 178/267] USB: adutux: fix interface sanity check Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 179/267] usb: core: urb: fix URB structure initialization function Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 180/267] usb: mon: Fix a deadlock in usbmon between mmap and read Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 181/267] tpm: add check after commands attribs tab allocation Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 182/267] mtd: spear_smi: Fix Write Burst mode Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 183/267] virtio-balloon: fix managed page counts when migrating pages between zones Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 184/267] usb: dwc3: ep0: Clear started flag on completion Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 185/267] btrfs: check page->mapping when loading free space cache Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 186/267] btrfs: use refcount_inc_not_zero in kill_all_nodes Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 187/267] Btrfs: fix negative subv_writers counter and data space leak after buffered write Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 188/267] btrfs: Remove btrfs_bio::flags member Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 189/267] Btrfs: send, skip backreference walking for extents with many references Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 190/267] btrfs: record all roots for rename exchange on a subvol Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 191/267] rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 192/267] rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 193/267] rtlwifi: rtl8192de: Fix missing enable interrupt flag Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 194/267] lib: raid6: fix awk build warnings Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 195/267] ovl: relax WARN_ON() on rename to self Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 196/267] ALSA: hda - Fix pending unsol events at shutdown Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 197/267] md/raid0: Fix an error message in raid0_make_request() Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 198/267] watchdog: aspeed: Fix clock behaviour for ast2600 Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 199/267] hwrng: omap - Fix RNG wait loop timeout Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 200/267] dm zoned: reduce overhead of backing device checks Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 201/267] workqueue: Fix spurious sanity check failures in destroy_workqueue() Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 202/267] workqueue: Fix pwq ref leak in rescuer_thread() Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 203/267] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 204/267] blk-mq: avoid sysfs buffer overflow with too many CPU cores Greg Kroah-Hartman
2019-12-17  4:28   ` Nobuhiro Iwamatsu
2019-12-17  7:49     ` Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 205/267] cgroup: pids: use atomic64_t for pids->limit Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 206/267] ar5523: check NULL before memcpy() in ar5523_cmd() Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 207/267] s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 208/267] media: bdisp: fix memleak on release Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 209/267] media: radio: wl1273: fix interrupt masking " Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 210/267] media: cec.h: CEC_OP_REC_FLAG_ values were swapped Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 211/267] cpuidle: Do not unset the driver if it is there already Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 212/267] intel_th: Fix a double put_device() in error path Greg Kroah-Hartman
2019-12-16 17:48 ` [PATCH 4.14 213/267] intel_th: pci: Add Ice Lake CPU support Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 214/267] intel_th: pci: Add Tiger " Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 215/267] PM / devfreq: Lock devfreq in trans_stat_show Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 216/267] cpufreq: powernv: fix stack bloat and hard limit on number of CPUs Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 217/267] ACPI: OSL: only free map once in osl.c Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 218/267] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 219/267] ACPI: PM: Avoid attaching ACPI PM domain to certain devices Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 220/267] pinctrl: samsung: Add of_node_put() before return in error path Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 221/267] pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 222/267] pinctrl: samsung: Fix device node refcount leaks in init code Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 223/267] pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 224/267] mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 225/267] ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 226/267] ppdev: fix PPGETTIME/PPSETTIME ioctls Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 227/267] powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 228/267] powerpc/xive: Prevent page fault issues in the machine crash handler Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 229/267] powerpc: Allow flush_icache_range to work across ranges >4GB Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 230/267] powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 231/267] video/hdmi: Fix AVI bar unpack Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 232/267] quota: Check that quota is not dirty before release Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 233/267] ext2: check err when partial != NULL Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 234/267] quota: fix livelock in dquot_writeback_dquots Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 235/267] ext4: Fix credit estimate for final inode freeing Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 236/267] reiserfs: fix extended attributes on the root directory Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 237/267] block: fix single range discard merge Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 238/267] scsi: zfcp: trace channel log even for FCP command responses Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 239/267] scsi: qla2xxx: Fix DMA unmap leak Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 240/267] scsi: qla2xxx: Fix session lookup in qlt_abort_work() Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 241/267] scsi: qla2xxx: Fix qla24xx_process_bidir_cmd() Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 242/267] scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 243/267] scsi: qla2xxx: Fix message indicating vectors used by driver Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 244/267] xhci: Fix memory leak in xhci_add_in_port() Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 245/267] xhci: make sure interrupts are restored to correct state Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 246/267] iio: adis16480: Add debugfs_reg_access entry Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 247/267] phy: renesas: rcar-gen3-usb2: Fix sysfs interface of "role" Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 248/267] omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251 Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 249/267] scsi: lpfc: Cap NPIV vports to 256 Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 250/267] scsi: lpfc: Correct code setting non existent bits in sli4 ABORT WQE Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 251/267] drbd: Change drbd_request_detach_interruptibles return type to int Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 252/267] e100: Fix passing zero to PTR_ERR warning in e100_load_ucode_wait Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 253/267] x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 254/267] x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 255/267] power: supply: cpcap-battery: Fix signed counter sample register Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 256/267] mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 257/267] media: vimc: fix component match compare Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 258/267] ath10k: fix fw crash by moving chip reset after napi disabled Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 259/267] powerpc: Avoid clang warnings around setjmp and longjmp Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 260/267] powerpc: Fix vDSO clock_getres() Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 261/267] ext4: work around deleting a file with i_nlink == 0 safely Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 262/267] firmware: qcom: scm: Ensure a0 status code is treated as signed Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 263/267] mm/shmem.c: cast the type of unmap_start to u64 Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 264/267] ext4: fix a bug in ext4_wait_for_tail_page_commit Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 265/267] mfd: rk808: Fix RK818 ID template Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 266/267] mm, thp, proc: report THP eligibility for each vma Greg Kroah-Hartman
2019-12-16 17:49 ` [PATCH 4.14 267/267] mm/memory.c: fix a huge pud insertion race during faulting Greg Kroah-Hartman
2019-12-17  1:32 ` [PATCH 4.14 000/267] 4.14.159-stable review shuah
2019-12-17  4:22 ` Naresh Kamboju
2019-12-17  7:53   ` Greg Kroah-Hartman
2019-12-17  8:45     ` Naresh Kamboju
2019-12-17  8:59       ` Greg Kroah-Hartman
2019-12-17  9:05 ` Greg Kroah-Hartman
2019-12-17 11:27   ` Jon Hunter
2019-12-17 14:28   ` Naresh Kamboju
2019-12-17 14:33     ` Greg Kroah-Hartman
2019-12-17 18:18 ` Guenter Roeck

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).