linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 4.14 000/148] 4.14.175-rc1 review
@ 2020-04-01 16:16 Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 001/148] spi: qup: call spi_qup_pm_resume_runtime before suspending Greg Kroah-Hartman
                   ` (151 more replies)
  0 siblings, 152 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.14.175 release.
There are 148 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri, 03 Apr 2020 16:09:36 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.175-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.14.175-rc1

Madalin Bucur <madalin.bucur@oss.nxp.com>
    arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode

Madalin Bucur <madalin.bucur@oss.nxp.com>
    arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id

Nick Hudson <skrll@netbsd.org>
    ARM: bcm2835-rpi-zero-w: Add missing pinctrl name

Sungbo Eo <mans0n@gorani.run>
    ARM: dts: oxnas: Fix clear-mask property

disconnect3d <dominik.b.czarnota@gmail.com>
    perf map: Fix off by one in strncpy() size argument

Ilie Halip <ilie.halip@gmail.com>
    arm64: alternative: fix build with clang integrated assembler

Marek Vasut <marex@denx.de>
    net: ks8851-ml: Fix IO operations, again

Hans de Goede <hdegoede@redhat.com>
    gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    bpf: Explicitly memset some bpf info structures declared on the stack

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    bpf: Explicitly memset the bpf_attr structure

Georg Müller <georgmueller@gmx.net>
    platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table

Eric Biggers <ebiggers@google.com>
    vt: vt_ioctl: fix use-after-free in vt_in_use()

Eric Biggers <ebiggers@google.com>
    vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

Eric Biggers <ebiggers@google.com>
    vt: vt_ioctl: remove unnecessary console allocation checks

Jiri Slaby <jslaby@suse.cz>
    vt: switch vt_dont_switch to bool

Jiri Slaby <jslaby@suse.cz>
    vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines

Jiri Slaby <jslaby@suse.cz>
    vt: selection, introduce vc_is_sel

Johannes Berg <johannes.berg@intel.com>
    mac80211: fix authentication with iwlwifi/mvm

Jouni Malinen <jouni@codeaurora.org>
    mac80211: Check port authorization in the ieee80211_tx_dequeue() case

Johan Hovold <johan@kernel.org>
    media: xirlink_cit: add missing descriptor sanity checks

Johan Hovold <johan@kernel.org>
    media: stv06xx: add missing descriptor sanity checks

Johan Hovold <johan@kernel.org>
    media: dib0700: fix rc endpoint lookup

Johan Hovold <johan@kernel.org>
    media: ov519: add missing endpoint sanity checks

Eric Biggers <ebiggers@google.com>
    libfs: fix infoleak in simple_attr_read()

Qiujun Huang <hqjagain@gmail.com>
    staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback

Qiujun Huang <hqjagain@gmail.com>
    staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb

Larry Finger <Larry.Finger@lwfinger.net>
    staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table

Johan Hovold <johan@kernel.org>
    media: usbtv: fix control-message timeouts

Johan Hovold <johan@kernel.org>
    media: flexcop-usb: fix endpoint sanity check

Mans Rullgard <mans@mansr.com>
    usb: musb: fix crash with highmen PIO and usbmon

Qiujun Huang <hqjagain@gmail.com>
    USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback

Matthias Reichl <hias@horus.com>
    USB: cdc-acm: restore capability check order

Pawel Dembicki <paweldembicki@gmail.com>
    USB: serial: option: add Wistron Neweb D19Q1

Pawel Dembicki <paweldembicki@gmail.com>
    USB: serial: option: add BroadMobi BM806U

Pawel Dembicki <paweldembicki@gmail.com>
    USB: serial: option: add support for ASKEY WWHC050

David Howells <dhowells@redhat.com>
    afs: Fix some tracing details

Dan Carpenter <dan.carpenter@oracle.com>
    Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()

Gustavo A. R. Silva <gustavo@embeddedor.com>
    Input: raydium_i2c_ts - use true and false for boolean values

Torsten Hilbrich <torsten.hilbrich@secunet.com>
    vti6: Fix memory leak of skb if input policy check fails

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nft_fwd_netdev: validate family and chain type

YueHaibing <yuehaibing@huawei.com>
    xfrm: policy: Fix doulbe free in xfrm_policy_timer

Xin Long <lucien.xin@gmail.com>
    xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire

Xin Long <lucien.xin@gmail.com>
    xfrm: fix uctx len check in verify_sec_ctx_len

Maor Gottlieb <maorg@mellanox.com>
    RDMA/mlx5: Block delay drop to unprivileged users

Nicolas Dichtel <nicolas.dichtel@6wind.com>
    vti[6]: fix packet tx through bpf_redirect() in XinY cases

Raed Salem <raeds@mellanox.com>
    xfrm: handle NETDEV_UNREGISTER for xfrm device

Edward Cree <ecree@solarflare.com>
    genirq: Fix reference leaks on irq affinity notifiers

Mike Marciniszyn <mike.marciniszyn@intel.com>
    RDMA/core: Ensure security pkey modify is not lost

Hans de Goede <hdegoede@redhat.com>
    gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model

Hans de Goede <hdegoede@redhat.com>
    gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option

Hans de Goede <hdegoede@redhat.com>
    gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk

Johannes Berg <johannes.berg@intel.com>
    mac80211: mark station unauthorized before key removal

Martin K. Petersen <martin.petersen@oracle.com>
    scsi: sd: Fix optimal I/O size for devices that change reported values

Dirk Mueller <dmueller@suse.com>
    scripts/dtc: Remove redundant YYLOC global declaration

Masami Hiramatsu <mhiramat@kernel.org>
    tools: Let O= makes handle a relative path with -C option

Masami Hiramatsu <mhiramat@kernel.org>
    perf probe: Do not depend on dwfl_module_addrsym()

Roger Quadros <rogerq@ti.com>
    ARM: dts: omap5: Add bus_dma_limit for L3 bus

Roger Quadros <rogerq@ti.com>
    ARM: dts: dra7: Add bus_dma_limit for L3 bus

Eugene Syromiatnikov <esyr@redhat.com>
    Input: avoid BIT() macro usage in the serio.h UAPI header

Yussuf Khalil <dev@pp3345.net>
    Input: synaptics - enable RMI on HP Envy 13-ad105ng

Chuhong Yuan <hslester96@gmail.com>
    i2c: hix5hd2: add missed clk_disable_unprepare in remove

Jiri Kosina <jkosina@suse.cz>
    ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare()

Mark Rutland <mark.rutland@arm.com>
    arm64: compat: map SPSR_ELx<->PSR for signals

Mark Rutland <mark.rutland@arm.com>
    arm64: ptrace: map SPSR_ELx<->PSR for compat tasks

Dominik Czarnota <dominik.b.czarnota@gmail.com>
    sxgbe: Fix off by one in samsung driver strncpy size arg

Nathan Chancellor <natechancellor@gmail.com>
    dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom

Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
    mac80211: Do not send mesh HWMP PREQ if HWMP is disabled

Wen Xiong <wenxiong@linux.vnet.ibm.com>
    scsi: ipr: Fix softlockup when rescanning devices in petitboot

Madalin Bucur <madalin.bucur@nxp.com>
    fsl/fman: detect FMan erratum A050385

Madalin Bucur <madalin.bucur@nxp.com>
    arm64: dts: ls1043a: FMan erratum A050385

Madalin Bucur <madalin.bucur@nxp.com>
    dt-bindings: net: FMan erratum A050385

Tycho Andersen <tycho@tycho.ws>
    cgroup1: don't call release_agent when it is ""

Dajun Jin <adajunjin@gmail.com>
    drivers/of/of_mdio.c:fix of_mdiobus_register()

Mike Gilbert <floppym@gentoo.org>
    cpupower: avoid multiple definition with gcc -fno-common

Vasily Averin <vvs@virtuozzo.com>
    cgroup-v1: cgroup_pidlist_next should update position index

Sabrina Dubroca <sd@queasysnail.net>
    net: ipv4: don't let PMTU updates increase route MTU

Taehee Yoo <ap420073@gmail.com>
    hsr: set .netnsok flag

Taehee Yoo <ap420073@gmail.com>
    hsr: add restart routine into hsr_get_node_list()

Taehee Yoo <ap420073@gmail.com>
    hsr: use rcu_read_lock() in hsr_get_node_{list/status}()

Taehee Yoo <ap420073@gmail.com>
    vxlan: check return value of gro_cells_init()

René van Dorst <opensource@vdorst.com>
    net: dsa: mt7530: Change the LINK bit to reflect the link status

Edwin Peer <edwin.peer@broadcom.com>
    bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets()

Oliver Hartkopp <socketcan@hartkopp.net>
    slcan: not call free_netdev before rtnl_unlock in slcan_open

Dan Carpenter <dan.carpenter@oracle.com>
    NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()

Emil Renner Berthing <kernel@esmil.dk>
    net: stmmac: dwmac-rk: fix error path in rk_gmac_probe

Cong Wang <xiyou.wangcong@gmail.com>
    net_sched: keep alloc_hash updated after hash allocation

Cong Wang <xiyou.wangcong@gmail.com>
    net_sched: cls_route: remove the right filter from hashtable

Pawel Dembicki <paweldembicki@gmail.com>
    net: qmi_wwan: add support for ASKEY WWHC050

Willem de Bruijn <willemb@google.com>
    net/packet: tpacket_rcv: avoid a producer race condition

Jisheng Zhang <Jisheng.Zhang@synaptics.com>
    net: mvneta: Fix the case where the last poll did not process all rx

Florian Fainelli <f.fainelli@gmail.com>
    net: dsa: Fix duplicate frames flooded by learning

Willem de Bruijn <willemb@google.com>
    macsec: restrict to ethernet devices

Taehee Yoo <ap420073@gmail.com>
    hsr: fix general protection fault in hsr_addr_is_self()

Lyude Paul <lyude@redhat.com>
    Revert "drm/dp_mst: Skip validating ports during destruction, just ref"

Johan Hovold <johan@kernel.org>
    staging: greybus: loopback_test: fix potential path truncations

Johan Hovold <johan@kernel.org>
    staging: greybus: loopback_test: fix potential path truncation

Jernej Skrabec <jernej.skrabec@siol.net>
    drm/bridge: dw-hdmi: fix AVI frame colorimetry

Cristian Marussi <cristian.marussi@arm.com>
    arm64: smp: fix crash_smp_send_stop() behaviour

Cristian Marussi <cristian.marussi@arm.com>
    arm64: smp: fix smp_send_stop() behaviour

Kai-Heng Feng <kai.heng.feng@canonical.com>
    ALSA: hda/realtek: Fix pop noise on ALC225

Sasha Levin <sashal@kernel.org>
    Revert "ipv6: Fix handling of LLA with VRF and sockets bound to VRF"

Sasha Levin <sashal@kernel.org>
    Revert "vrf: mark skb for multicast or link-local as enslaved to VRF"

Thomas Gleixner <tglx@linutronix.de>
    futex: Unbreak futex hashing

Peter Zijlstra <peterz@infradead.org>
    futex: Fix inode life-time issue

Nathan Chancellor <natechancellor@gmail.com>
    kbuild: Disable -Wpointer-to-enum-cast

Eugen Hristev <eugen.hristev@microchip.com>
    iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode

Eugen Hristev <eugen.hristev@microchip.com>
    iio: adc: at91-sama5d2_adc: fix channel configuration for differential channels

Anthony Mallet <anthony.mallet@laas.fr>
    USB: cdc-acm: fix rounding error in TIOCSSERIAL

Anthony Mallet <anthony.mallet@laas.fr>
    USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL

Joerg Roedel <jroedel@suse.de>
    x86/mm: split vmalloc_sync_all()

Qian Cai <cai@lca.pw>
    page-flags: fix a crash at SetPageError(THP_SWAP)

Vlastimil Babka <vbabka@suse.cz>
    mm, slub: prevent kmalloc_node crashes and memory leaks

Linus Torvalds <torvalds@linux-foundation.org>
    mm: slub: be more careful about the double cmpxchg of freelist

Chunguang Xu <brookxu@tencent.com>
    memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event

Steven Rostedt (VMware) <rostedt@goodmis.org>
    xhci: Do not open code __print_symbolic() in xhci trace events

Corentin Labbe <clabbe@baylibre.com>
    rtc: max8907: add missing select REGMAP_IRQ

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: pci: Add Elkhart Lake CPU support

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: Fix user-visible error codes

Samuel Thibault <samuel.thibault@ens-lyon.org>
    staging/speakup: fix get_word non-space look-ahead

Michael Straube <straube.linux@gmail.com>
    staging: rtl8188eu: Add device id for MERCUSYS MW150US v2

Michał Mirosław <mirq-linux@rere.qmqm.pl>
    mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2

Stephan Gerhold <stephan@gerhold.net>
    iio: magnetometer: ak8974: Fix negative raw values in sysfs

Fabrice Gasnier <fabrice.gasnier@st.com>
    iio: trigger: stm32-timer: disable master mode when stopping

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: oss: Avoid plugin buffer overflow

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: oss: Fix running status after receiving sysex

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: virmidi: Fix running status after receiving sysex

Takashi Iwai <tiwai@suse.de>
    ALSA: line6: Fix endless MIDI read loop

Alberto Mattea <alberto@mattea.info>
    usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c

Scott Chen <scott@labau.com.tw>
    USB: serial: pl2303: add device-id for HP LD381

Ran Wang <ran.wang_1@nxp.com>
    usb: host: xhci-plat: add a shutdown

Daniele Palmas <dnlplm@gmail.com>
    USB: serial: option: add ME910G1 ECM composition 0x110b

Hans de Goede <hdegoede@redhat.com>
    usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters

Kai-Heng Feng <kai.heng.feng@canonical.com>
    USB: Disable LPM on WD19's Realtek Hub

Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    parse-maintainers: Mark as executable

Carlo Nonato <carlo.nonato95@gmail.com>
    block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()

Dongli Zhang <dongli.zhang@oracle.com>
    xenbus: req->err should be updated before req->state

Dongli Zhang <dongli.zhang@oracle.com>
    xenbus: req->body should be updated before req->state

Mike Snitzer <snitzer@redhat.com>
    dm bio record: save/restore bi_end_io and bi_integrity

Daniel Axtens <dja@axtens.net>
    altera-stapl: altera_get_note: prevent write beyond end of 'key'

luanshi <zhangliguang@linux.alibaba.com>
    drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer

Marek Szyprowski <m.szyprowski@samsung.com>
    drm/exynos: dsi: fix workaround for the legacy clock name

Marek Szyprowski <m.szyprowski@samsung.com>
    drm/exynos: dsi: propagate error value and silence meaningless warning

Thommy Jakobsson <thommyj@gmail.com>
    spi/zynqmp: remove entry that causes a cs glitch

Evan Green <evgreen@chromium.org>
    spi: pxa2xx: Add CS control clock quirk

Kishon Vijay Abraham I <kishon@ti.com>
    ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes

Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    powerpc: Include .BTF section

Yuji Sasaki <sasakiy@chromium.org>
    spi: qup: call spi_qup_pm_resume_runtime before suspending


-------------

Diffstat:

 Documentation/devicetree/bindings/net/fsl-fman.txt |   7 ++
 Makefile                                           |   4 +-
 arch/arm/boot/dts/bcm2835-rpi-zero-w.dts           |   1 +
 arch/arm/boot/dts/dra7.dtsi                        |   3 +
 arch/arm/boot/dts/omap5.dtsi                       |   1 +
 arch/arm/boot/dts/ox810se.dtsi                     |   4 +-
 arch/arm/boot/dts/ox820.dtsi                       |   4 +-
 arch/arm64/boot/dts/freescale/fsl-ls1043-post.dtsi |   2 +
 arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts  |   4 +-
 arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts  |   4 +-
 arch/arm64/include/asm/alternative.h               |   2 +-
 arch/arm64/kernel/ptrace.c                         |   2 +
 arch/arm64/kernel/signal32.c                       |   8 +-
 arch/arm64/kernel/smp.c                            |  25 +++-
 arch/powerpc/kernel/vmlinux.lds.S                  |   6 +
 arch/x86/kernel/ftrace.c                           |   2 +
 arch/x86/mm/fault.c                                |  26 +++-
 block/bfq-cgroup.c                                 |   9 +-
 drivers/acpi/apei/ghes.c                           |   2 +-
 drivers/gpio/gpiolib-acpi.c                        | 140 +++++++++++++++++----
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c          |  46 ++++---
 drivers/gpu/drm/drm_dp_mst_topology.c              |  15 +--
 drivers/gpu/drm/exynos/exynos_drm_dsi.c            |  12 +-
 drivers/hwtracing/intel_th/msu.c                   |   6 +-
 drivers/hwtracing/intel_th/pci.c                   |   5 +
 drivers/i2c/busses/i2c-hix5hd2.c                   |   1 +
 drivers/iio/adc/at91-sama5d2_adc.c                 |  45 ++++++-
 drivers/iio/magnetometer/ak8974.c                  |   2 +-
 drivers/iio/trigger/stm32-timer-trigger.c          |  11 +-
 drivers/infiniband/core/security.c                 |  11 +-
 drivers/infiniband/hw/mlx5/qp.c                    |   4 +
 drivers/input/mouse/synaptics.c                    |   1 +
 drivers/input/touchscreen/raydium_i2c_ts.c         |   4 +-
 drivers/md/dm-bio-record.h                         |  15 +++
 drivers/media/usb/b2c2/flexcop-usb.c               |   6 +-
 drivers/media/usb/dvb-usb/dib0700_core.c           |   4 +-
 drivers/media/usb/gspca/ov519.c                    |  10 ++
 drivers/media/usb/gspca/stv06xx/stv06xx.c          |  19 ++-
 drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c   |   4 +
 drivers/media/usb/gspca/xirlink_cit.c              |  18 ++-
 drivers/media/usb/usbtv/usbtv-core.c               |   2 +-
 drivers/media/usb/usbtv/usbtv-video.c              |   5 +-
 drivers/misc/altera-stapl/altera.c                 |  12 +-
 drivers/mmc/host/sdhci-of-at91.c                   |   8 +-
 drivers/net/can/slcan.c                            |   3 +
 drivers/net/dsa/mt7530.c                           |   2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c      |  15 ++-
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c     |   4 +-
 drivers/net/ethernet/freescale/fman/Kconfig        |  28 +++++
 drivers/net/ethernet/freescale/fman/fman.c         |  18 +++
 drivers/net/ethernet/freescale/fman/fman.h         |   5 +
 drivers/net/ethernet/marvell/mvneta.c              |   3 +-
 drivers/net/ethernet/micrel/ks8851_mll.c           |  56 ++++++++-
 drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c    |   2 +-
 drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c     |   2 +-
 drivers/net/macsec.c                               |   3 +
 drivers/net/usb/qmi_wwan.c                         |   1 +
 drivers/net/vrf.c                                  |  19 +--
 drivers/net/vxlan.c                                |  11 +-
 drivers/nfc/fdp/fdp.c                              |   5 +-
 drivers/of/of_mdio.c                               |   1 +
 drivers/perf/arm_pmu_acpi.c                        |   7 +-
 drivers/platform/x86/pmc_atom.c                    |   8 ++
 drivers/rtc/Kconfig                                |   1 +
 drivers/scsi/ipr.c                                 |   3 +-
 drivers/scsi/ipr.h                                 |   1 +
 drivers/scsi/sd.c                                  |   4 +-
 drivers/spi/spi-pxa2xx.c                           |  23 ++++
 drivers/spi/spi-qup.c                              |  11 +-
 drivers/spi/spi-zynqmp-gqspi.c                     |   3 -
 drivers/staging/greybus/tools/loopback_test.c      |  17 +--
 drivers/staging/rtl8188eu/os_dep/usb_intf.c        |   2 +
 drivers/staging/speakup/main.c                     |   2 +-
 drivers/staging/wlan-ng/hfa384x_usb.c              |   2 +
 drivers/staging/wlan-ng/prism2usb.c                |   1 +
 drivers/tty/vt/selection.c                         |   5 +
 drivers/tty/vt/vt.c                                |  30 ++++-
 drivers/tty/vt/vt_ioctl.c                          |  80 ++++++------
 drivers/usb/class/cdc-acm.c                        |  20 ++-
 drivers/usb/core/quirks.c                          |   6 +
 drivers/usb/host/xhci-pci.c                        |   3 +-
 drivers/usb/host/xhci-plat.c                       |   1 +
 drivers/usb/host/xhci-trace.h                      |  23 +---
 drivers/usb/musb/musb_host.c                       |  17 +--
 drivers/usb/serial/io_edgeport.c                   |   2 +-
 drivers/usb/serial/option.c                        |   8 ++
 drivers/usb/serial/pl2303.c                        |   1 +
 drivers/usb/serial/pl2303.h                        |   1 +
 drivers/xen/xenbus/xenbus_comms.c                  |   4 +
 drivers/xen/xenbus/xenbus_xs.c                     |   9 +-
 fs/afs/rxrpc.c                                     |   4 +-
 fs/inode.c                                         |   1 +
 fs/libfs.c                                         |   8 +-
 include/linux/fs.h                                 |   1 +
 include/linux/futex.h                              |  17 +--
 include/linux/page-flags.h                         |   2 +-
 include/linux/selection.h                          |   4 +-
 include/linux/vmalloc.h                            |   5 +-
 include/linux/vt_kern.h                            |   2 +-
 include/trace/events/afs.h                         |   2 +-
 include/uapi/linux/serio.h                         |  10 +-
 kernel/bpf/syscall.c                               |   9 +-
 kernel/cgroup/cgroup-v1.c                          |   3 +-
 kernel/futex.c                                     |  93 ++++++++------
 kernel/irq/manage.c                                |  11 +-
 kernel/notifier.c                                  |   2 +-
 mm/memcontrol.c                                    |  10 +-
 mm/nommu.c                                         |  10 +-
 mm/slub.c                                          |  32 +++--
 mm/vmalloc.c                                       |  11 +-
 net/dsa/tag_brcm.c                                 |   2 +
 net/hsr/hsr_framereg.c                             |  10 +-
 net/hsr/hsr_netlink.c                              |  74 ++++++-----
 net/hsr/hsr_slave.c                                |   8 +-
 net/ipv4/Kconfig                                   |   1 +
 net/ipv4/ip_vti.c                                  |  38 ++++--
 net/ipv4/route.c                                   |   7 +-
 net/ipv6/ip6_vti.c                                 |  34 +++--
 net/ipv6/tcp_ipv6.c                                |   3 +-
 net/mac80211/mesh_hwmp.c                           |   3 +-
 net/mac80211/sta_info.c                            |   6 +
 net/mac80211/tx.c                                  |  20 ++-
 net/netfilter/nft_fwd_netdev.c                     |   8 ++
 net/packet/af_packet.c                             |  21 ++++
 net/packet/internal.h                              |   5 +-
 net/sched/cls_route.c                              |   4 +-
 net/sched/cls_tcindex.c                            |   1 +
 net/xfrm/xfrm_device.c                             |   1 +
 net/xfrm/xfrm_policy.c                             |   2 +
 net/xfrm/xfrm_user.c                               |   6 +-
 scripts/Makefile.extrawarn                         |   1 +
 scripts/dtc/dtc-lexer.l                            |   1 -
 scripts/parse-maintainers.pl                       |   0
 sound/core/oss/pcm_plugin.c                        |  12 +-
 sound/core/seq/oss/seq_oss_midi.c                  |   1 +
 sound/core/seq/seq_virmidi.c                       |   1 +
 sound/pci/hda/patch_realtek.c                      |   2 +
 sound/usb/line6/driver.c                           |   2 +-
 sound/usb/line6/midibuf.c                          |   2 +-
 tools/perf/Makefile                                |   2 +-
 tools/perf/util/map.c                              |   2 +-
 tools/perf/util/probe-finder.c                     |  11 +-
 .../cpupower/utils/idle_monitor/amd_fam14h_idle.c  |   2 +-
 .../cpupower/utils/idle_monitor/cpuidle_sysfs.c    |   2 +-
 .../cpupower/utils/idle_monitor/cpupower-monitor.c |   2 +
 .../cpupower/utils/idle_monitor/cpupower-monitor.h |   2 +-
 tools/scripts/Makefile.include                     |   4 +-
 147 files changed, 1099 insertions(+), 436 deletions(-)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 001/148] spi: qup: call spi_qup_pm_resume_runtime before suspending
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 002/148] powerpc: Include .BTF section Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuji sasaki, Vinod Koul, Mark Brown,
	Sasha Levin

From: Yuji Sasaki <sasakiy@chromium.org>

[ Upstream commit 136b5cd2e2f97581ae560cff0db2a3b5369112da ]

spi_qup_suspend() will cause synchronous external abort when
runtime suspend is enabled and applied, as it tries to
access SPI controller register while clock is already disabled
in spi_qup_pm_suspend_runtime().

Signed-off-by: Yuji sasaki <sasakiy@chromium.org>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Link: https://lore.kernel.org/r/20200214074340.2286170-1-vkoul@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-qup.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
index 974a8ce58b68b..cb74fd1af2053 100644
--- a/drivers/spi/spi-qup.c
+++ b/drivers/spi/spi-qup.c
@@ -1190,6 +1190,11 @@ static int spi_qup_suspend(struct device *device)
 	struct spi_qup *controller = spi_master_get_devdata(master);
 	int ret;
 
+	if (pm_runtime_suspended(device)) {
+		ret = spi_qup_pm_resume_runtime(device);
+		if (ret)
+			return ret;
+	}
 	ret = spi_master_suspend(master);
 	if (ret)
 		return ret;
@@ -1198,10 +1203,8 @@ static int spi_qup_suspend(struct device *device)
 	if (ret)
 		return ret;
 
-	if (!pm_runtime_suspended(device)) {
-		clk_disable_unprepare(controller->cclk);
-		clk_disable_unprepare(controller->iclk);
-	}
+	clk_disable_unprepare(controller->cclk);
+	clk_disable_unprepare(controller->iclk);
 	return 0;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 002/148] powerpc: Include .BTF section
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 001/148] spi: qup: call spi_qup_pm_resume_runtime before suspending Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 003/148] ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naveen N. Rao, Michael Ellerman, Sasha Levin

From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>

[ Upstream commit cb0cc635c7a9fa8a3a0f75d4d896721819c63add ]

Selecting CONFIG_DEBUG_INFO_BTF results in the below warning from ld:
  ld: warning: orphan section `.BTF' from `.btf.vmlinux.bin.o' being placed in section `.BTF'

Include .BTF section in vmlinux explicitly to fix the same.

Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200220113132.857132-1-naveen.n.rao@linux.vnet.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/vmlinux.lds.S | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
index b0cf4af7ba840..e4da937d6cf91 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -317,6 +317,12 @@ SECTIONS
 		*(.branch_lt)
 	}
 
+#ifdef CONFIG_DEBUG_INFO_BTF
+	.BTF : AT(ADDR(.BTF) - LOAD_OFFSET) {
+		*(.BTF)
+	}
+#endif
+
 	.opd : AT(ADDR(.opd) - LOAD_OFFSET) {
 		*(.opd)
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 003/148] ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 001/148] spi: qup: call spi_qup_pm_resume_runtime before suspending Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 002/148] powerpc: Include .BTF section Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 004/148] spi: pxa2xx: Add CS control clock quirk Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kishon Vijay Abraham I,
	Tony Lindgren, Sasha Levin

From: Kishon Vijay Abraham I <kishon@ti.com>

[ Upstream commit 27f13774654ea6bd0b6fc9b97cce8d19e5735661 ]

'dma-ranges' in a PCI bridge node does correctly set dma masks for PCI
devices not described in the DT. Certain DRA7 platforms (e.g., DRA76)
has RAM above 32-bit boundary (accessible with LPAE config) though the
PCIe bridge will be able to access only 32-bits. Add 'dma-ranges'
property in PCIe RC DT nodes to indicate the host bridge can access
only 32 bits.

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/dra7.dtsi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/arm/boot/dts/dra7.dtsi b/arch/arm/boot/dts/dra7.dtsi
index fec965009b9fc..a40a7af85d020 100644
--- a/arch/arm/boot/dts/dra7.dtsi
+++ b/arch/arm/boot/dts/dra7.dtsi
@@ -302,6 +302,7 @@
 				device_type = "pci";
 				ranges = <0x81000000 0 0          0x03000 0 0x00010000
 					  0x82000000 0 0x20013000 0x13000 0 0xffed000>;
+				dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>;
 				bus-range = <0x00 0xff>;
 				#interrupt-cells = <1>;
 				num-lanes = <1>;
@@ -356,6 +357,7 @@
 				device_type = "pci";
 				ranges = <0x81000000 0 0          0x03000 0 0x00010000
 					  0x82000000 0 0x30013000 0x13000 0 0xffed000>;
+				dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>;
 				bus-range = <0x00 0xff>;
 				#interrupt-cells = <1>;
 				num-lanes = <1>;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 004/148] spi: pxa2xx: Add CS control clock quirk
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 003/148] ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 005/148] spi/zynqmp: remove entry that causes a cs glitch Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rajat Jain, Evan Green, Mark Brown,
	Sasha Levin

From: Evan Green <evgreen@chromium.org>

[ Upstream commit 683f65ded66a9a7ff01ed7280804d2132ebfdf7e ]

In some circumstances on Intel LPSS controllers, toggling the LPSS
CS control register doesn't actually cause the CS line to toggle.
This seems to be failure of dynamic clock gating that occurs after
going through a suspend/resume transition, where the controller
is sent through a reset transition. This ruins SPI transactions
that either rely on delay_usecs, or toggle the CS line without
sending data.

Whenever CS is toggled, momentarily set the clock gating register
to "Force On" to poke the controller into acting on CS.

Signed-off-by: Rajat Jain <rajatja@google.com>
Signed-off-by: Evan Green <evgreen@chromium.org>
Link: https://lore.kernel.org/r/20200211223700.110252-1-rajatja@google.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-pxa2xx.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
index b2245cdce230b..5160e16d3a985 100644
--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -76,6 +76,10 @@ MODULE_ALIAS("platform:pxa2xx-spi");
 #define LPSS_CAPS_CS_EN_SHIFT			9
 #define LPSS_CAPS_CS_EN_MASK			(0xf << LPSS_CAPS_CS_EN_SHIFT)
 
+#define LPSS_PRIV_CLOCK_GATE 0x38
+#define LPSS_PRIV_CLOCK_GATE_CLK_CTL_MASK 0x3
+#define LPSS_PRIV_CLOCK_GATE_CLK_CTL_FORCE_ON 0x3
+
 struct lpss_config {
 	/* LPSS offset from drv_data->ioaddr */
 	unsigned offset;
@@ -92,6 +96,8 @@ struct lpss_config {
 	unsigned cs_sel_shift;
 	unsigned cs_sel_mask;
 	unsigned cs_num;
+	/* Quirks */
+	unsigned cs_clk_stays_gated : 1;
 };
 
 /* Keep these sorted with enum pxa_ssp_type */
@@ -162,6 +168,7 @@ static const struct lpss_config lpss_platforms[] = {
 		.tx_threshold_hi = 56,
 		.cs_sel_shift = 8,
 		.cs_sel_mask = 3 << 8,
+		.cs_clk_stays_gated = true,
 	},
 };
 
@@ -385,6 +392,22 @@ static void lpss_ssp_cs_control(struct driver_data *drv_data, bool enable)
 	else
 		value |= LPSS_CS_CONTROL_CS_HIGH;
 	__lpss_ssp_write_priv(drv_data, config->reg_cs_ctrl, value);
+	if (config->cs_clk_stays_gated) {
+		u32 clkgate;
+
+		/*
+		 * Changing CS alone when dynamic clock gating is on won't
+		 * actually flip CS at that time. This ruins SPI transfers
+		 * that specify delays, or have no data. Toggle the clock mode
+		 * to force on briefly to poke the CS pin to move.
+		 */
+		clkgate = __lpss_ssp_read_priv(drv_data, LPSS_PRIV_CLOCK_GATE);
+		value = (clkgate & ~LPSS_PRIV_CLOCK_GATE_CLK_CTL_MASK) |
+			LPSS_PRIV_CLOCK_GATE_CLK_CTL_FORCE_ON;
+
+		__lpss_ssp_write_priv(drv_data, LPSS_PRIV_CLOCK_GATE, value);
+		__lpss_ssp_write_priv(drv_data, LPSS_PRIV_CLOCK_GATE, clkgate);
+	}
 }
 
 static void cs_assert(struct driver_data *drv_data)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 005/148] spi/zynqmp: remove entry that causes a cs glitch
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 004/148] spi: pxa2xx: Add CS control clock quirk Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 006/148] drm/exynos: dsi: propagate error value and silence meaningless warning Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thommy Jakobsson,
	Naga Sureshkumar Relli, Mark Brown, Sasha Levin

From: Thommy Jakobsson <thommyj@gmail.com>

[ Upstream commit 5dd8304981ecffa77bb72b1c57c4be5dfe6cfae9 ]

In the public interface for chipselect, there is always an entry
commented as "Dummy generic FIFO entry" pushed down to the fifo right
after the activate/deactivate command. The dummy entry is 0x0,
irregardless if the intention was to activate or deactive the cs. This
causes the cs line to glitch rather than beeing activated in the case
when there was an activate command.

This has been observed on oscilloscope, and have caused problems for at
least one specific flash device type connected to the qspi port. After
the change the glitch is gone and cs goes active when intended.

The reason why this worked before (except for the glitch) was because
when sending the actual data, the CS bits are once again set. Since
most flashes uses mode 0, there is always a half clk period anyway for
cs to clk active setup time. If someone would rely on timing from a
chip_select call to a transfer_one, it would fail though.

It is unknown why the dummy entry was there in the first place, git log
seems to be of no help in this case. The reference manual gives no
indication of the necessity of this. In fact the lower 8 bits are a
setup (or hold in case of deactivate) time expressed in cycles. So this
should not be needed to fulfill any setup/hold timings.

Signed-off-by: Thommy Jakobsson <thommyj@gmail.com>
Reviewed-by: Naga Sureshkumar Relli <naga.sureshkumar.relli@xilinx.com>
Link: https://lore.kernel.org/r/20200224162643.29102-1-thommyj@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-zynqmp-gqspi.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/spi/spi-zynqmp-gqspi.c b/drivers/spi/spi-zynqmp-gqspi.c
index 18aeaceee2862..d26c0eda2d9ea 100644
--- a/drivers/spi/spi-zynqmp-gqspi.c
+++ b/drivers/spi/spi-zynqmp-gqspi.c
@@ -415,9 +415,6 @@ static void zynqmp_qspi_chipselect(struct spi_device *qspi, bool is_high)
 
 	zynqmp_gqspi_write(xqspi, GQSPI_GEN_FIFO_OFST, genfifoentry);
 
-	/* Dummy generic FIFO entry */
-	zynqmp_gqspi_write(xqspi, GQSPI_GEN_FIFO_OFST, 0x0);
-
 	/* Manually start the generic FIFO command */
 	zynqmp_gqspi_write(xqspi, GQSPI_CONFIG_OFST,
 			zynqmp_gqspi_read(xqspi, GQSPI_CONFIG_OFST) |
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 006/148] drm/exynos: dsi: propagate error value and silence meaningless warning
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 005/148] spi/zynqmp: remove entry that causes a cs glitch Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 007/148] drm/exynos: dsi: fix workaround for the legacy clock name Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski,
	Krzysztof Kozlowski, Inki Dae, Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit 0a9d1e3f3f038785ebc72d53f1c409d07f6b4ff5 ]

Properly propagate error value from devm_regulator_bulk_get() and don't
confuse user with meaningless warning about failure in getting regulators
in case of deferred probe.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/exynos/exynos_drm_dsi.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_dsi.c b/drivers/gpu/drm/exynos/exynos_drm_dsi.c
index 7904ffa9abfb9..aef18f807e383 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_dsi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_dsi.c
@@ -1739,8 +1739,9 @@ static int exynos_dsi_probe(struct platform_device *pdev)
 	ret = devm_regulator_bulk_get(dev, ARRAY_SIZE(dsi->supplies),
 				      dsi->supplies);
 	if (ret) {
-		dev_info(dev, "failed to get regulators: %d\n", ret);
-		return -EPROBE_DEFER;
+		if (ret != -EPROBE_DEFER)
+			dev_info(dev, "failed to get regulators: %d\n", ret);
+		return ret;
 	}
 
 	dsi->clks = devm_kzalloc(dev,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 007/148] drm/exynos: dsi: fix workaround for the legacy clock name
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 006/148] drm/exynos: dsi: propagate error value and silence meaningless warning Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 008/148] drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Andrzej Hajda,
	Inki Dae, Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit c0fd99d659ba5582e09625c7a985d63fc2ca74b5 ]

Writing to the built-in strings arrays doesn't work if driver is loaded
as kernel module. This is also considered as a bad pattern. Fix this by
adding a call to clk_get() with legacy clock name. This fixes following
kernel oops if driver is loaded as module:

Unable to handle kernel paging request at virtual address bf047978
 pgd = (ptrval)
 [bf047978] *pgd=59344811, *pte=5903c6df, *ppte=5903c65f
 Internal error: Oops: 80f [#1] SMP ARM
 Modules linked in: mc exynosdrm(+) analogix_dp rtc_s3c exynos_ppmu i2c_gpio
 CPU: 1 PID: 212 Comm: systemd-udevd Not tainted 5.6.0-rc2-next-20200219 #326
 videodev: Linux video capture interface: v2.00
 Hardware name: Samsung Exynos (Flattened Device Tree)
 PC is at exynos_dsi_probe+0x1f0/0x384 [exynosdrm]
 LR is at exynos_dsi_probe+0x1dc/0x384 [exynosdrm]
 ...
 Process systemd-udevd (pid: 212, stack limit = 0x(ptrval))
 ...
 [<bf03cf14>] (exynos_dsi_probe [exynosdrm]) from [<c09b1ca0>] (platform_drv_probe+0x6c/0xa4)
 [<c09b1ca0>] (platform_drv_probe) from [<c09afcb8>] (really_probe+0x210/0x350)
 [<c09afcb8>] (really_probe) from [<c09aff74>] (driver_probe_device+0x60/0x1a0)
 [<c09aff74>] (driver_probe_device) from [<c09b0254>] (device_driver_attach+0x58/0x60)
 [<c09b0254>] (device_driver_attach) from [<c09b02dc>] (__driver_attach+0x80/0xbc)
 [<c09b02dc>] (__driver_attach) from [<c09ade00>] (bus_for_each_dev+0x68/0xb4)
 [<c09ade00>] (bus_for_each_dev) from [<c09aefd8>] (bus_add_driver+0x130/0x1e8)
 [<c09aefd8>] (bus_add_driver) from [<c09b0d64>] (driver_register+0x78/0x110)
 [<c09b0d64>] (driver_register) from [<bf038558>] (exynos_drm_init+0xe8/0x11c [exynosdrm])
 [<bf038558>] (exynos_drm_init [exynosdrm]) from [<c0302fa8>] (do_one_initcall+0x50/0x220)
 [<c0302fa8>] (do_one_initcall) from [<c03dd02c>] (do_init_module+0x60/0x210)
 [<c03dd02c>] (do_init_module) from [<c03dbf44>] (load_module+0x1c0c/0x2310)
 [<c03dbf44>] (load_module) from [<c03dc85c>] (sys_finit_module+0xac/0xbc)
 [<c03dc85c>] (sys_finit_module) from [<c0301000>] (ret_fast_syscall+0x0/0x54)
 Exception stack(0xd979bfa8 to 0xd979bff0)
 ...
 ---[ end trace db16efe05faab470 ]---

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/exynos/exynos_drm_dsi.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_dsi.c b/drivers/gpu/drm/exynos/exynos_drm_dsi.c
index aef18f807e383..366c975cde5b7 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_dsi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_dsi.c
@@ -1754,9 +1754,10 @@ static int exynos_dsi_probe(struct platform_device *pdev)
 		dsi->clks[i] = devm_clk_get(dev, clk_names[i]);
 		if (IS_ERR(dsi->clks[i])) {
 			if (strcmp(clk_names[i], "sclk_mipi") == 0) {
-				strcpy(clk_names[i], OLD_SCLK_MIPI_CLK_NAME);
-				i--;
-				continue;
+				dsi->clks[i] = devm_clk_get(dev,
+							OLD_SCLK_MIPI_CLK_NAME);
+				if (!IS_ERR(dsi->clks[i]))
+					continue;
 			}
 
 			dev_info(dev, "failed to get the clock: %s\n",
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 008/148] drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 007/148] drm/exynos: dsi: fix workaround for the legacy clock name Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 009/148] altera-stapl: altera_get_note: prevent write beyond end of key Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liguang Zhang, Will Deacon, Sasha Levin

From: luanshi <zhangliguang@linux.alibaba.com>

[ Upstream commit 3ba52ad55b533760a1f65836aa0ec9d35e36bb4f ]

Fix bogus NULL checks on the return value of acpi_cpu_get_madt_gicc()
by checking for a 0 'gicc->performance_interrupt' value instead.

Signed-off-by: Liguang Zhang <zhangliguang@linux.alibaba.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/perf/arm_pmu_acpi.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/perf/arm_pmu_acpi.c b/drivers/perf/arm_pmu_acpi.c
index 3303dd8d8eb57..604e549a9a47d 100644
--- a/drivers/perf/arm_pmu_acpi.c
+++ b/drivers/perf/arm_pmu_acpi.c
@@ -25,8 +25,6 @@ static int arm_pmu_acpi_register_irq(int cpu)
 	int gsi, trigger;
 
 	gicc = acpi_cpu_get_madt_gicc(cpu);
-	if (WARN_ON(!gicc))
-		return -EINVAL;
 
 	gsi = gicc->performance_interrupt;
 
@@ -65,11 +63,10 @@ static void arm_pmu_acpi_unregister_irq(int cpu)
 	int gsi;
 
 	gicc = acpi_cpu_get_madt_gicc(cpu);
-	if (!gicc)
-		return;
 
 	gsi = gicc->performance_interrupt;
-	acpi_unregister_gsi(gsi);
+	if (gsi)
+		acpi_unregister_gsi(gsi);
 }
 
 static int arm_pmu_acpi_parse_irqs(void)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 009/148] altera-stapl: altera_get_note: prevent write beyond end of key
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 008/148] drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 010/148] dm bio record: save/restore bi_end_io and bi_integrity Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Igor M. Liplianin, Daniel Axtens,
	Kees Cook, Sasha Levin

From: Daniel Axtens <dja@axtens.net>

[ Upstream commit 3745488e9d599916a0b40d45d3f30e3d4720288e ]

altera_get_note is called from altera_init, where key is kzalloc(33).

When the allocation functions are annotated to allow the compiler to see
the sizes of objects, and with FORTIFY_SOURCE, we see:

In file included from drivers/misc/altera-stapl/altera.c:14:0:
In function ‘strlcpy’,
    inlined from ‘altera_init’ at drivers/misc/altera-stapl/altera.c:2189:5:
include/linux/string.h:378:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
    __write_overflow();
    ^~~~~~~~~~~~~~~~~~

That refers to this code in altera_get_note:

    if (key != NULL)
            strlcpy(key, &p[note_strings +
                            get_unaligned_be32(
                            &p[note_table + (8 * i)])],
                    length);

The error triggers because the length of 'key' is 33, but the copy
uses length supplied as the 'length' parameter, which is always
256. Split the size parameter into key_len and val_len, and use the
appropriate length depending on what is being copied.

Detected by compiler error, only compile-tested.

Cc: "Igor M. Liplianin" <liplianin@netup.ru>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Link: https://lore.kernel.org/r/20200120074344.504-2-dja@axtens.net
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/202002251042.D898E67AC@keescook
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/altera-stapl/altera.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/misc/altera-stapl/altera.c b/drivers/misc/altera-stapl/altera.c
index 494e263daa748..b7ee8043a133e 100644
--- a/drivers/misc/altera-stapl/altera.c
+++ b/drivers/misc/altera-stapl/altera.c
@@ -2126,8 +2126,8 @@ static int altera_execute(struct altera_state *astate,
 	return status;
 }
 
-static int altera_get_note(u8 *p, s32 program_size,
-			s32 *offset, char *key, char *value, int length)
+static int altera_get_note(u8 *p, s32 program_size, s32 *offset,
+			   char *key, char *value, int keylen, int vallen)
 /*
  * Gets key and value of NOTE fields in the JBC file.
  * Can be called in two modes:  if offset pointer is NULL,
@@ -2184,7 +2184,7 @@ static int altera_get_note(u8 *p, s32 program_size,
 						&p[note_table + (8 * i) + 4])];
 
 				if (value != NULL)
-					strlcpy(value, value_ptr, length);
+					strlcpy(value, value_ptr, vallen);
 
 			}
 		}
@@ -2203,13 +2203,13 @@ static int altera_get_note(u8 *p, s32 program_size,
 				strlcpy(key, &p[note_strings +
 						get_unaligned_be32(
 						&p[note_table + (8 * i)])],
-					length);
+					keylen);
 
 			if (value != NULL)
 				strlcpy(value, &p[note_strings +
 						get_unaligned_be32(
 						&p[note_table + (8 * i) + 4])],
-					length);
+					vallen);
 
 			*offset = i + 1;
 		}
@@ -2463,7 +2463,7 @@ int altera_init(struct altera_config *config, const struct firmware *fw)
 			__func__, (format_version == 2) ? "Jam STAPL" :
 						"pre-standardized Jam 1.1");
 		while (altera_get_note((u8 *)fw->data, fw->size,
-					&offset, key, value, 256) == 0)
+					&offset, key, value, 32, 256) == 0)
 			printk(KERN_INFO "%s: NOTE \"%s\" = \"%s\"\n",
 					__func__, key, value);
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 010/148] dm bio record: save/restore bi_end_io and bi_integrity
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 009/148] altera-stapl: altera_get_note: prevent write beyond end of key Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 011/148] xenbus: req->body should be updated before req->state Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer, Sasha Levin

From: Mike Snitzer <snitzer@redhat.com>

[ Upstream commit 1b17159e52bb31f982f82a6278acd7fab1d3f67b ]

Also, save/restore __bi_remaining in case the bio was used in a
BIO_CHAIN (e.g. due to blk_queue_split).

Suggested-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-bio-record.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/md/dm-bio-record.h b/drivers/md/dm-bio-record.h
index c82578af56a5b..2ea0360108e1d 100644
--- a/drivers/md/dm-bio-record.h
+++ b/drivers/md/dm-bio-record.h
@@ -20,8 +20,13 @@
 struct dm_bio_details {
 	struct gendisk *bi_disk;
 	u8 bi_partno;
+	int __bi_remaining;
 	unsigned long bi_flags;
 	struct bvec_iter bi_iter;
+	bio_end_io_t *bi_end_io;
+#if defined(CONFIG_BLK_DEV_INTEGRITY)
+	struct bio_integrity_payload *bi_integrity;
+#endif
 };
 
 static inline void dm_bio_record(struct dm_bio_details *bd, struct bio *bio)
@@ -30,6 +35,11 @@ static inline void dm_bio_record(struct dm_bio_details *bd, struct bio *bio)
 	bd->bi_partno = bio->bi_partno;
 	bd->bi_flags = bio->bi_flags;
 	bd->bi_iter = bio->bi_iter;
+	bd->__bi_remaining = atomic_read(&bio->__bi_remaining);
+	bd->bi_end_io = bio->bi_end_io;
+#if defined(CONFIG_BLK_DEV_INTEGRITY)
+	bd->bi_integrity = bio_integrity(bio);
+#endif
 }
 
 static inline void dm_bio_restore(struct dm_bio_details *bd, struct bio *bio)
@@ -38,6 +48,11 @@ static inline void dm_bio_restore(struct dm_bio_details *bd, struct bio *bio)
 	bio->bi_partno = bd->bi_partno;
 	bio->bi_flags = bd->bi_flags;
 	bio->bi_iter = bd->bi_iter;
+	atomic_set(&bio->__bi_remaining, bd->__bi_remaining);
+	bio->bi_end_io = bd->bi_end_io;
+#if defined(CONFIG_BLK_DEV_INTEGRITY)
+	bio->bi_integrity = bd->bi_integrity;
+#endif
 }
 
 #endif
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 011/148] xenbus: req->body should be updated before req->state
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 010/148] dm bio record: save/restore bi_end_io and bi_integrity Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 012/148] xenbus: req->err " Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dongli Zhang, Julien Grall,
	Boris Ostrovsky, Sasha Levin

From: Dongli Zhang <dongli.zhang@oracle.com>

[ Upstream commit 1b6a51e86cce38cf4d48ce9c242120283ae2f603 ]

The req->body should be updated before req->state is updated and the
order should be guaranteed by a barrier.

Otherwise, read_reply() might return req->body = NULL.

Below is sample callstack when the issue is reproduced on purpose by
reordering the updates of req->body and req->state and adding delay in
code between updates of req->state and req->body.

[   22.356105] general protection fault: 0000 [#1] SMP PTI
[   22.361185] CPU: 2 PID: 52 Comm: xenwatch Not tainted 5.5.0xen+ #6
[   22.366727] Hardware name: Xen HVM domU, BIOS ...
[   22.372245] RIP: 0010:_parse_integer_fixup_radix+0x6/0x60
... ...
[   22.392163] RSP: 0018:ffffb2d64023fdf0 EFLAGS: 00010246
[   22.395933] RAX: 0000000000000000 RBX: 75746e7562755f6d RCX: 0000000000000000
[   22.400871] RDX: 0000000000000000 RSI: ffffb2d64023fdfc RDI: 75746e7562755f6d
[   22.405874] RBP: 0000000000000000 R08: 00000000000001e8 R09: 0000000000cdcdcd
[   22.410945] R10: ffffb2d6402ffe00 R11: ffff9d95395eaeb0 R12: ffff9d9535935000
[   22.417613] R13: ffff9d9526d4a000 R14: ffff9d9526f4f340 R15: ffff9d9537654000
[   22.423726] FS:  0000000000000000(0000) GS:ffff9d953bc80000(0000) knlGS:0000000000000000
[   22.429898] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   22.434342] CR2: 000000c4206a9000 CR3: 00000001ea3fc002 CR4: 00000000001606e0
[   22.439645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   22.444941] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   22.450342] Call Trace:
[   22.452509]  simple_strtoull+0x27/0x70
[   22.455572]  xenbus_transaction_start+0x31/0x50
[   22.459104]  netback_changed+0x76c/0xcc1 [xen_netfront]
[   22.463279]  ? find_watch+0x40/0x40
[   22.466156]  xenwatch_thread+0xb4/0x150
[   22.469309]  ? wait_woken+0x80/0x80
[   22.472198]  kthread+0x10e/0x130
[   22.474925]  ? kthread_park+0x80/0x80
[   22.477946]  ret_from_fork+0x35/0x40
[   22.480968] Modules linked in: xen_kbdfront xen_fbfront(+) xen_netfront xen_blkfront
[   22.486783] ---[ end trace a9222030a747c3f7 ]---
[   22.490424] RIP: 0010:_parse_integer_fixup_radix+0x6/0x60

The virt_rmb() is added in the 'true' path of test_reply(). The "while"
is changed to "do while" so that test_reply() is used as a read memory
barrier.

Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Link: https://lore.kernel.org/r/20200303221423.21962-1-dongli.zhang@oracle.com
Reviewed-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/xen/xenbus/xenbus_comms.c | 2 ++
 drivers/xen/xenbus/xenbus_xs.c    | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/xen/xenbus/xenbus_comms.c b/drivers/xen/xenbus/xenbus_comms.c
index d239fc3c5e3de..852ed161fc2a7 100644
--- a/drivers/xen/xenbus/xenbus_comms.c
+++ b/drivers/xen/xenbus/xenbus_comms.c
@@ -313,6 +313,8 @@ static int process_msg(void)
 			req->msg.type = state.msg.type;
 			req->msg.len = state.msg.len;
 			req->body = state.body;
+			/* write body, then update state */
+			virt_wmb();
 			req->state = xb_req_state_got_reply;
 			req->cb(req);
 		} else
diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index 3f3b29398ab8e..b609c6e08796e 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -188,8 +188,11 @@ static bool xenbus_ok(void)
 
 static bool test_reply(struct xb_req_data *req)
 {
-	if (req->state == xb_req_state_got_reply || !xenbus_ok())
+	if (req->state == xb_req_state_got_reply || !xenbus_ok()) {
+		/* read req->state before all other fields */
+		virt_rmb();
 		return true;
+	}
 
 	/* Make sure to reread req->state each time. */
 	barrier();
@@ -199,7 +202,7 @@ static bool test_reply(struct xb_req_data *req)
 
 static void *read_reply(struct xb_req_data *req)
 {
-	while (req->state != xb_req_state_got_reply) {
+	do {
 		wait_event(req->wq, test_reply(req));
 
 		if (!xenbus_ok())
@@ -213,7 +216,7 @@ static void *read_reply(struct xb_req_data *req)
 		if (req->err)
 			return ERR_PTR(req->err);
 
-	}
+	} while (req->state != xb_req_state_got_reply);
 
 	return req->body;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 012/148] xenbus: req->err should be updated before req->state
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 011/148] xenbus: req->body should be updated before req->state Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 013/148] block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dongli Zhang, Julien Grall,
	Boris Ostrovsky, Sasha Levin

From: Dongli Zhang <dongli.zhang@oracle.com>

[ Upstream commit 8130b9d5b5abf26f9927b487c15319a187775f34 ]

This patch adds the barrier to guarantee that req->err is always updated
before req->state.

Otherwise, read_reply() would not return ERR_PTR(req->err) but
req->body, when process_writes()->xb_write() is failed.

Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Link: https://lore.kernel.org/r/20200303221423.21962-2-dongli.zhang@oracle.com
Reviewed-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/xen/xenbus/xenbus_comms.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/xen/xenbus/xenbus_comms.c b/drivers/xen/xenbus/xenbus_comms.c
index 852ed161fc2a7..eb5151fc8efab 100644
--- a/drivers/xen/xenbus/xenbus_comms.c
+++ b/drivers/xen/xenbus/xenbus_comms.c
@@ -397,6 +397,8 @@ static int process_writes(void)
 	if (state.req->state == xb_req_state_aborted)
 		kfree(state.req);
 	else {
+		/* write err, then update state */
+		virt_wmb();
 		state.req->state = xb_req_state_got_reply;
 		wake_up(&state.req->wq);
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 013/148] block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 012/148] xenbus: req->err " Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 014/148] parse-maintainers: Mark as executable Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kwon Je Oh, Carlo Nonato,
	Paolo Valente, Jens Axboe, Sasha Levin

From: Carlo Nonato <carlo.nonato95@gmail.com>

[ Upstream commit 14afc59361976c0ba39e3a9589c3eaa43ebc7e1d ]

The bfq_find_set_group() function takes as input a blkcg (which represents
a cgroup) and retrieves the corresponding bfq_group, then it updates the
bfq internal group hierarchy (see comments inside the function for why
this is needed) and finally it returns the bfq_group.
In the hierarchy update cycle, the pointer holding the correct bfq_group
that has to be returned is mistakenly used to traverse the hierarchy
bottom to top, meaning that in each iteration it gets overwritten with the
parent of the current group. Since the update cycle stops at root's
children (depth = 2), the overwrite becomes a problem only if the blkcg
describes a cgroup at a hierarchy level deeper than that (depth > 2). In
this case the root's child that happens to be also an ancestor of the
correct bfq_group is returned. The main consequence is that processes
contained in a cgroup at depth greater than 2 are wrongly placed in the
group described above by BFQ.

This commits fixes this problem by using a different bfq_group pointer in
the update cycle in order to avoid the overwrite of the variable holding
the original group reference.

Reported-by: Kwon Je Oh <kwonje.oh2@gmail.com>
Signed-off-by: Carlo Nonato <carlo.nonato95@gmail.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/bfq-cgroup.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
index afbbe5750a1f8..7d7aee024ece2 100644
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -499,12 +499,13 @@ struct bfq_group *bfq_find_set_group(struct bfq_data *bfqd,
 	 */
 	entity = &bfqg->entity;
 	for_each_entity(entity) {
-		bfqg = container_of(entity, struct bfq_group, entity);
-		if (bfqg != bfqd->root_group) {
-			parent = bfqg_parent(bfqg);
+		struct bfq_group *curr_bfqg = container_of(entity,
+						struct bfq_group, entity);
+		if (curr_bfqg != bfqd->root_group) {
+			parent = bfqg_parent(curr_bfqg);
 			if (!parent)
 				parent = bfqd->root_group;
-			bfq_group_set_parent(bfqg, parent);
+			bfq_group_set_parent(curr_bfqg, parent);
 		}
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 014/148] parse-maintainers: Mark as executable
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 013/148] block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 015/148] USB: Disable LPM on WD19s Realtek Hub Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Neuschäfer,
	Linus Torvalds, Sasha Levin

From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>

[ Upstream commit 611d61f9ac99dc9e1494473fb90117a960a89dfa ]

This makes the script more convenient to run.

Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/parse-maintainers.pl | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 scripts/parse-maintainers.pl

diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl
old mode 100644
new mode 100755
-- 
2.20.1




^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 015/148] USB: Disable LPM on WD19s Realtek Hub
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 014/148] parse-maintainers: Mark as executable Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 016/148] usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Kai-Heng Feng

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit b63e48fb50e1ca71db301ca9082befa6f16c55c4 upstream.

Realtek Hub (0bda:0x0487) used in Dell Dock WD19 sometimes drops off the
bus when bringing underlying ports from U3 to U0.

Disabling LPM on the hub during setting link state is not enough, so
let's disable LPM completely for this hub.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200205112633.25995-3-kai.heng.feng@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/quirks.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -229,6 +229,9 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
 			USB_QUIRK_IGNORE_REMOTE_WAKEUP },
 
+	/* Realtek hub in Dell WD19 (Type-C) */
+	{ USB_DEVICE(0x0bda, 0x0487), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Action Semiconductor flash disk */
 	{ USB_DEVICE(0x10d6, 0x2200), .driver_info =
 			USB_QUIRK_STRING_FETCH_255 },



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 016/148] usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 015/148] USB: Disable LPM on WD19s Realtek Hub Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 017/148] USB: serial: option: add ME910G1 ECM composition 0x110b Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, russianneuromancer, Hans de Goede

From: Hans de Goede <hdegoede@redhat.com>

commit 75d7676ead19b1fbb5e0ee934c9ccddcb666b68c upstream.

We have been receiving bug reports that ethernet connections over
RTL8153 based ethernet adapters stops working after a while with
errors like these showing up in dmesg when the ethernet stops working:

[12696.189484] r8152 6-1:1.0 enp10s0u1: Tx timeout
[12702.333456] r8152 6-1:1.0 enp10s0u1: Tx timeout
[12707.965422] r8152 6-1:1.0 enp10s0u1: Tx timeout

This has been reported on Dell WD15 docks, Belkin USB-C Express Dock 3.1
docks and with generic USB to ethernet dongles using the RTL8153
chipsets. Some users have tried adding usbcore.quirks=0bda:8153:k to
the kernel commandline and all users who have tried this report that
this fixes this.

Also note that we already have an existing NO_LPM quirk for the RTL8153
used in the Microsoft Surface Dock (where it uses a different usb-id).

This commit adds a NO_LPM quirk for the generic Realtek RTL8153
0bda:8153 usb-id, fixing the Tx timeout errors on these devices.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198931
Cc: stable@vger.kernel.org
Cc: russianneuromancer@ya.ru
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200313120708.100339-1-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/quirks.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -232,6 +232,9 @@ static const struct usb_device_id usb_qu
 	/* Realtek hub in Dell WD19 (Type-C) */
 	{ USB_DEVICE(0x0bda, 0x0487), .driver_info = USB_QUIRK_NO_LPM },
 
+	/* Generic RTL8153 based ethernet adapters */
+	{ USB_DEVICE(0x0bda, 0x8153), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Action Semiconductor flash disk */
 	{ USB_DEVICE(0x10d6, 0x2200), .driver_info =
 			USB_QUIRK_STRING_FETCH_255 },



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 017/148] USB: serial: option: add ME910G1 ECM composition 0x110b
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 016/148] usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 018/148] usb: host: xhci-plat: add a shutdown Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniele Palmas, Johan Hovold

From: Daniele Palmas <dnlplm@gmail.com>

commit 8e852a7953be2a6ee371449f7257fe15ace6a1fc upstream.

Add ME910G1 ECM composition 0x110b: tty, tty, tty, ecm

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Link: https://lore.kernel.org/r/20200304104310.2938-1-dnlplm@gmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1186,6 +1186,8 @@ static const struct usb_device_id option
 	  .driver_info = NCTRL(0) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x110a, 0xff),	/* Telit ME910G1 */
 	  .driver_info = NCTRL(0) | RSVD(3) },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x110b, 0xff),	/* Telit ME910G1 (ECM) */
+	  .driver_info = NCTRL(0) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
 	  .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 018/148] usb: host: xhci-plat: add a shutdown
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 017/148] USB: serial: option: add ME910G1 ECM composition 0x110b Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 019/148] USB: serial: pl2303: add device-id for HP LD381 Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ran Wang, Stephen Boyd, Peter Chen

From: Ran Wang <ran.wang_1@nxp.com>

commit b433e340e7565110b0ce9ca4b3e26f4b97a1decf upstream.

When loading new kernel via kexec, we need to shutdown host controller to
avoid any un-expected memory accessing during new kernel boot.

Signed-off-by: Ran Wang <ran.wang_1@nxp.com>
Cc: stable <stable@vger.kernel.org>
Tested-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Link: https://lore.kernel.org/r/20200306092328.41253-1-ran.wang_1@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-plat.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -416,6 +416,7 @@ MODULE_DEVICE_TABLE(acpi, usb_xhci_acpi_
 static struct platform_driver usb_xhci_driver = {
 	.probe	= xhci_plat_probe,
 	.remove	= xhci_plat_remove,
+	.shutdown = usb_hcd_platform_shutdown,
 	.driver	= {
 		.name = "xhci-hcd",
 		.pm = &xhci_plat_pm_ops,



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 019/148] USB: serial: pl2303: add device-id for HP LD381
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 018/148] usb: host: xhci-plat: add a shutdown Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 020/148] usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Scott Chen, Johan Hovold

From: Scott Chen <scott@labau.com.tw>

commit cecc113c1af0dd41ccf265c1fdb84dbd05e63423 upstream.

Add a device id for HP LD381 Display
LD381:   03f0:0f7f

Signed-off-by: Scott Chen <scott@labau.com.tw>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/pl2303.c |    1 +
 drivers/usb/serial/pl2303.h |    1 +
 2 files changed, 2 insertions(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -96,6 +96,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
 	{ USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
 	{ USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
+	{ USB_DEVICE(HP_VENDOR_ID, HP_LD381_PRODUCT_ID) },
 	{ USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
 	{ USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
 	{ USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -129,6 +129,7 @@
 #define HP_LM920_PRODUCT_ID	0x026b
 #define HP_TD620_PRODUCT_ID	0x0956
 #define HP_LD960_PRODUCT_ID	0x0b39
+#define HP_LD381_PRODUCT_ID	0x0f7f
 #define HP_LCM220_PRODUCT_ID	0x3139
 #define HP_LCM960_PRODUCT_ID	0x3239
 #define HP_LD220_PRODUCT_ID	0x3524



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 020/148] usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 019/148] USB: serial: pl2303: add device-id for HP LD381 Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 021/148] ALSA: line6: Fix endless MIDI read loop Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alberto Mattea, Mathias Nyman

From: Alberto Mattea <alberto@mattea.info>

commit 16263abc12d09871156a1c8650fb651f0e552f5e upstream.

This controller timeouts during suspend (S3) with
[  240.521724] xhci_hcd 0000:30:00.3: WARN: xHC save state timeout
[  240.521729] xhci_hcd 0000:30:00.3: ERROR mismatched command completion event
thus preventing the system from entering S3.
Moreover it remains in an undefined state where some connected devices stop
working until a reboot.
Apply the XHCI_SUSPEND_DELAY quirk to make it suspend properly.

CC: stable@vger.kernel.org
Signed-off-by: Alberto Mattea <alberto@mattea.info>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20200306150858.21904-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-pci.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -140,7 +140,8 @@ static void xhci_pci_quirks(struct devic
 		xhci->quirks |= XHCI_AMD_PLL_FIX;
 
 	if (pdev->vendor == PCI_VENDOR_ID_AMD &&
-		(pdev->device == 0x15e0 ||
+		(pdev->device == 0x145c ||
+		 pdev->device == 0x15e0 ||
 		 pdev->device == 0x15e1 ||
 		 pdev->device == 0x43bb))
 		xhci->quirks |= XHCI_SUSPEND_DELAY;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 021/148] ALSA: line6: Fix endless MIDI read loop
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 020/148] usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 022/148] ALSA: seq: virmidi: Fix running status after receiving sysex Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+cce32521ee0a824c21f7, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit d683469b3c93d7e2afd39e6e1970f24700eb7a68 upstream.

The MIDI input event parser of the LINE6 driver may enter into an
endless loop when the unexpected data sequence is given, as it tries
to continue the secondary bytes without termination.  Also, when the
input data is too short, the parser returns a negative error, while
the caller doesn't handle it properly.  This would lead to the
unexpected behavior as well.

This patch addresses those issues by checking the return value
correctly and handling the one-byte event in the parser properly.

The bug was reported by syzkaller.

Reported-by: syzbot+cce32521ee0a824c21f7@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000033087059f8f8fa3@google.com
Link: https://lore.kernel.org/r/20200309095922.30269-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/line6/driver.c  |    2 +-
 sound/usb/line6/midibuf.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -313,7 +313,7 @@ static void line6_data_received(struct u
 				line6_midibuf_read(mb, line6->buffer_message,
 						LINE6_MIDI_MESSAGE_MAXLEN);
 
-			if (done == 0)
+			if (done <= 0)
 				break;
 
 			line6->message_length = done;
--- a/sound/usb/line6/midibuf.c
+++ b/sound/usb/line6/midibuf.c
@@ -163,7 +163,7 @@ int line6_midibuf_read(struct midi_buffe
 			int midi_length_prev =
 			    midibuf_message_length(this->command_prev);
 
-			if (midi_length_prev > 0) {
+			if (midi_length_prev > 1) {
 				midi_length = midi_length_prev - 1;
 				repeat = 1;
 			} else



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 022/148] ALSA: seq: virmidi: Fix running status after receiving sysex
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 021/148] ALSA: line6: Fix endless MIDI read loop Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 023/148] ALSA: seq: oss: " Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andreas Steinmetz, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 4384f167ce5fa7241b61bb0984d651bc528ddebe upstream.

The virmidi driver handles sysex event exceptionally in a short-cut
snd_seq_dump_var_event() call, but this missed the reset of the
running status.  As a result, it may lead to an incomplete command
right after the sysex when an event with the same running status was
queued.

Fix it by clearing the running status properly via alling
snd_midi_event_reset_decode() for that code path.

Reported-by: Andreas Steinmetz <ast@domdv.de>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/3b4a4e0f232b7afbaf0a843f63d0e538e3029bfd.camel@domdv.de
Link: https://lore.kernel.org/r/20200316090506.23966-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq/seq_virmidi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -95,6 +95,7 @@ static int snd_virmidi_dev_receive_event
 			if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE)
 				continue;
 			snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream);
+			snd_midi_event_reset_decode(vmidi->parser);
 		} else {
 			len = snd_midi_event_decode(vmidi->parser, msg, sizeof(msg), ev);
 			if (len > 0)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 023/148] ALSA: seq: oss: Fix running status after receiving sysex
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 022/148] ALSA: seq: virmidi: Fix running status after receiving sysex Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 024/148] ALSA: pcm: oss: Avoid plugin buffer overflow Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 6c3171ef76a0bad892050f6959a7eac02fb16df7 upstream.

This is a similar bug like the previous case for virmidi: the invalid
running status is kept after receiving a sysex message.

Again the fix is to clear the running status after handling the sysex.

Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/3b4a4e0f232b7afbaf0a843f63d0e538e3029bfd.camel@domdv.de
Link: https://lore.kernel.org/r/20200316090506.23966-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq/oss/seq_oss_midi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/seq/oss/seq_oss_midi.c
+++ b/sound/core/seq/oss/seq_oss_midi.c
@@ -615,6 +615,7 @@ send_midi_event(struct seq_oss_devinfo *
 		len = snd_seq_oss_timer_start(dp->timer);
 	if (ev->type == SNDRV_SEQ_EVENT_SYSEX) {
 		snd_seq_oss_readq_sysex(dp->readq, mdev->seq_device, ev);
+		snd_midi_event_reset_decode(mdev->coder);
 	} else {
 		len = snd_midi_event_decode(mdev->coder, msg, sizeof(msg), ev);
 		if (len > 0)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 024/148] ALSA: pcm: oss: Avoid plugin buffer overflow
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 023/148] ALSA: seq: oss: " Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 025/148] ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e1fe9f44fb8ecf4fb5dd, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit f2ecf903ef06eb1bbbfa969db9889643d487e73a upstream.

Each OSS PCM plugins allocate its internal buffer per pre-calculation
of the max buffer size through the chain of plugins (calling
src_frames and dst_frames callbacks).  This works for most plugins,
but the rate plugin might behave incorrectly.  The calculation in the
rate plugin involves with the fractional position, i.e. it may vary
depending on the input position.  Since the buffer size
pre-calculation is always done with the offset zero, it may return a
shorter size than it might be; this may result in the out-of-bound
access as spotted by fuzzer.

This patch addresses those possible buffer overflow accesses by simply
setting the upper limit per the given buffer size for each plugin
before src_frames() and after dst_frames() calls.

Reported-by: syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000b25ea005a02bcf21@google.com
Link: https://lore.kernel.org/r/20200309082148.19855-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/oss/pcm_plugin.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -209,6 +209,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_si
 	if (stream == SNDRV_PCM_STREAM_PLAYBACK) {
 		plugin = snd_pcm_plug_last(plug);
 		while (plugin && drv_frames > 0) {
+			if (drv_frames > plugin->buf_frames)
+				drv_frames = plugin->buf_frames;
 			plugin_prev = plugin->prev;
 			if (plugin->src_frames)
 				drv_frames = plugin->src_frames(plugin, drv_frames);
@@ -220,6 +222,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_si
 			plugin_next = plugin->next;
 			if (plugin->dst_frames)
 				drv_frames = plugin->dst_frames(plugin, drv_frames);
+			if (drv_frames > plugin->buf_frames)
+				drv_frames = plugin->buf_frames;
 			plugin = plugin_next;
 		}
 	} else
@@ -248,11 +252,15 @@ snd_pcm_sframes_t snd_pcm_plug_slave_siz
 				if (frames < 0)
 					return frames;
 			}
+			if (frames > plugin->buf_frames)
+				frames = plugin->buf_frames;
 			plugin = plugin_next;
 		}
 	} else if (stream == SNDRV_PCM_STREAM_CAPTURE) {
 		plugin = snd_pcm_plug_last(plug);
 		while (plugin) {
+			if (frames > plugin->buf_frames)
+				frames = plugin->buf_frames;
 			plugin_prev = plugin->prev;
 			if (plugin->src_frames) {
 				frames = plugin->src_frames(plugin, frames);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 025/148] ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 024/148] ALSA: pcm: oss: Avoid plugin buffer overflow Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 026/148] iio: trigger: stm32-timer: disable master mode when stopping Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+2a59ee7a9831b264f45e, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 5461e0530c222129dfc941058be114b5cbc00837 upstream.

The return value checks in snd_pcm_plug_alloc() are covered with
snd_BUG_ON() macro that may trigger a kernel WARNING depending on the
kconfig.  But since the error condition can be triggered by a weird
user space parameter passed to OSS layer, we shouldn't give the kernel
stack trace just for that.  As it's a normal error condition, let's
remove snd_BUG_ON() macro usage there.

Reported-by: syzbot+2a59ee7a9831b264f45e@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200312155730.7520-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/oss/pcm_plugin.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -111,7 +111,7 @@ int snd_pcm_plug_alloc(struct snd_pcm_su
 		while (plugin->next) {
 			if (plugin->dst_frames)
 				frames = plugin->dst_frames(plugin, frames);
-			if (snd_BUG_ON((snd_pcm_sframes_t)frames <= 0))
+			if ((snd_pcm_sframes_t)frames <= 0)
 				return -ENXIO;
 			plugin = plugin->next;
 			err = snd_pcm_plugin_alloc(plugin, frames);
@@ -123,7 +123,7 @@ int snd_pcm_plug_alloc(struct snd_pcm_su
 		while (plugin->prev) {
 			if (plugin->src_frames)
 				frames = plugin->src_frames(plugin, frames);
-			if (snd_BUG_ON((snd_pcm_sframes_t)frames <= 0))
+			if ((snd_pcm_sframes_t)frames <= 0)
 				return -ENXIO;
 			plugin = plugin->prev;
 			err = snd_pcm_plugin_alloc(plugin, frames);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 026/148] iio: trigger: stm32-timer: disable master mode when stopping
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 025/148] ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:16 ` [PATCH 4.14 027/148] iio: magnetometer: ak8974: Fix negative raw values in sysfs Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabrice Gasnier, Stable, Jonathan Cameron

From: Fabrice Gasnier <fabrice.gasnier@st.com>

commit 29e8c8253d7d5265f58122c0a7902e26df6c6f61 upstream.

Master mode should be disabled when stopping. This mainly impacts
possible other use-case after timer has been stopped. Currently,
master mode remains set (from start routine).

Fixes: 6fb34812c2a2 ("iio: stm32 trigger: Add support for TRGO2 triggers")

Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/trigger/stm32-timer-trigger.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/iio/trigger/stm32-timer-trigger.c
+++ b/drivers/iio/trigger/stm32-timer-trigger.c
@@ -161,7 +161,8 @@ static int stm32_timer_start(struct stm3
 	return 0;
 }
 
-static void stm32_timer_stop(struct stm32_timer_trigger *priv)
+static void stm32_timer_stop(struct stm32_timer_trigger *priv,
+			     struct iio_trigger *trig)
 {
 	u32 ccer, cr1;
 
@@ -179,6 +180,12 @@ static void stm32_timer_stop(struct stm3
 	regmap_write(priv->regmap, TIM_PSC, 0);
 	regmap_write(priv->regmap, TIM_ARR, 0);
 
+	/* Force disable master mode */
+	if (stm32_timer_is_trgo2_name(trig->name))
+		regmap_update_bits(priv->regmap, TIM_CR2, TIM_CR2_MMS2, 0);
+	else
+		regmap_update_bits(priv->regmap, TIM_CR2, TIM_CR2_MMS, 0);
+
 	/* Make sure that registers are updated */
 	regmap_update_bits(priv->regmap, TIM_EGR, TIM_EGR_UG, TIM_EGR_UG);
 }
@@ -197,7 +204,7 @@ static ssize_t stm32_tt_store_frequency(
 		return ret;
 
 	if (freq == 0) {
-		stm32_timer_stop(priv);
+		stm32_timer_stop(priv, trig);
 	} else {
 		ret = stm32_timer_start(priv, trig, freq);
 		if (ret)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 027/148] iio: magnetometer: ak8974: Fix negative raw values in sysfs
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 026/148] iio: trigger: stm32-timer: disable master mode when stopping Greg Kroah-Hartman
@ 2020-04-01 16:16 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 028/148] mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephan Gerhold, Linus Waleij,
	Stable, Jonathan Cameron

From: Stephan Gerhold <stephan@gerhold.net>

commit b500c086e4110829a308c23e83a7cdc65b26228a upstream.

At the moment, reading from in_magn_*_raw in sysfs tends to return
large values around 65000, even though the output of ak8974 is actually
limited to ±32768. This happens because the value is never converted
to the signed 16-bit integer variant.

Add an explicit cast to s16 to fix this.

Fixes: 7c94a8b2ee8c ("iio: magn: add a driver for AK8974")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Linus Waleij <linus.walleij@linaro.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/magnetometer/ak8974.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/magnetometer/ak8974.c
+++ b/drivers/iio/magnetometer/ak8974.c
@@ -563,7 +563,7 @@ static int ak8974_read_raw(struct iio_de
 		 * We read all axes and discard all but one, for optimized
 		 * reading, use the triggered buffer.
 		 */
-		*val = le16_to_cpu(hw_values[chan->address]);
+		*val = (s16)le16_to_cpu(hw_values[chan->address]);
 
 		ret = IIO_VAL_INT;
 	}



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 028/148] mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2020-04-01 16:16 ` [PATCH 4.14 027/148] iio: magnetometer: ak8974: Fix negative raw values in sysfs Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 029/148] staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michał Mirosław,
	Adrian Hunter, Ulf Hansson

From: Michał Mirosław <mirq-linux@rere.qmqm.pl>

commit 53dd0a7cd65edc83b0c243d1c08377c8b876b2ee upstream.

SAMA5D2x doesn't drive CMD line if GPIO is used as CD line (at least
SAMA5D27 doesn't). Fix this by forcing card-detect in the module
if module-controlled CD is not used.

Fixed commit addresses the problem only for non-removable cards. This
amends it to also cover gpio-cd case.

Cc: stable@vger.kernel.org
Fixes: 7a1e3f143176 ("mmc: sdhci-of-at91: force card detect value for non removable devices")
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/8d10950d9940468577daef4772b82a071b204716.1584290561.git.mirq-linux@rere.qmqm.pl
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-of-at91.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/mmc/host/sdhci-of-at91.c
+++ b/drivers/mmc/host/sdhci-of-at91.c
@@ -125,7 +125,8 @@ static void sdhci_at91_reset(struct sdhc
 {
 	sdhci_reset(host, mask);
 
-	if (host->mmc->caps & MMC_CAP_NONREMOVABLE)
+	if ((host->mmc->caps & MMC_CAP_NONREMOVABLE)
+	    || mmc_gpio_get_cd(host->mmc) >= 0)
 		sdhci_at91_set_force_card_detect(host);
 }
 
@@ -404,8 +405,11 @@ static int sdhci_at91_probe(struct platf
 	 * detection procedure using the SDMCC_CD signal is bypassed.
 	 * This bit is reset when a software reset for all command is performed
 	 * so we need to implement our own reset function to set back this bit.
+	 *
+	 * WA: SAMA5D2 doesn't drive CMD if using CD GPIO line.
 	 */
-	if (host->mmc->caps & MMC_CAP_NONREMOVABLE)
+	if ((host->mmc->caps & MMC_CAP_NONREMOVABLE)
+	    || mmc_gpio_get_cd(host->mmc) >= 0)
 		sdhci_at91_set_force_card_detect(host);
 
 	pm_runtime_put_autosuspend(&pdev->dev);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 029/148] staging: rtl8188eu: Add device id for MERCUSYS MW150US v2
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 028/148] mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 030/148] staging/speakup: fix get_word non-space look-ahead Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Straube

From: Michael Straube <straube.linux@gmail.com>

commit bb5786b9286c253557a0115bc8d21879e61b7b94 upstream.

This device was added to the stand-alone driver on github.
Add it to the staging driver as well.

Link: https://github.com/lwfinger/rtl8188eu/commit/2141f244c3e7
Signed-off-by: Michael Straube <straube.linux@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200312093652.13918-1-straube.linux@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/rtl8188eu/os_dep/usb_intf.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -46,6 +46,7 @@ static const struct usb_device_id rtw_us
 	{USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
 	{USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
 	{USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */
+	{USB_DEVICE(0x2C4E, 0x0102)}, /* MERCUSYS MW150US v2 */
 	{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
 	{USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
 	{}	/* Terminating entry */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 030/148] staging/speakup: fix get_word non-space look-ahead
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 029/148] staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 031/148] intel_th: Fix user-visible error codes Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirk Reiser, Janina Sajka,
	Alexandr Epaneshnikov, Gregory Nowak, deedra waters,
	Samuel Thibault, Michael Taboada

From: Samuel Thibault <samuel.thibault@ens-lyon.org>

commit 9d32c0cde4e2d1343dfb88a67b2ec6397705b32b upstream.

get_char was erroneously given the address of the pointer to the text
instead of the address of the text, thus leading to random crashes when
the user requests speaking a word while the current position is on a space
character and say_word_ctl is not enabled.

Reported-on: https://github.com/bytefire/speakup/issues/1
Reported-by: Kirk Reiser <kirk@reisers.ca>
Reported-by: Janina Sajka <janina@rednote.net>
Reported-by: Alexandr Epaneshnikov <aarnaarn2@gmail.com>
Reported-by: Gregory Nowak <greg@gregn.net>
Reported-by: deedra waters <deedra@the-brannons.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Tested-by: Alexandr Epaneshnikov <aarnaarn2@gmail.com>
Tested-by: Gregory Nowak <greg@gregn.net>
Tested-by: Michael Taboada <michael@michaels.world>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200306003047.thijtmqrnayd3dmw@function
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/speakup/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/speakup/main.c
+++ b/drivers/staging/speakup/main.c
@@ -567,7 +567,7 @@ static u_long get_word(struct vc_data *v
 		return 0;
 	} else if (tmpx < vc->vc_cols - 2 &&
 		   (ch == SPACE || ch == 0 || (ch < 0x100 && IS_WDLM(ch))) &&
-		   get_char(vc, (u_short *)&tmp_pos + 1, &temp) > SPACE) {
+		   get_char(vc, (u_short *)tmp_pos + 1, &temp) > SPACE) {
 		tmp_pos += 2;
 		tmpx++;
 	} else



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 031/148] intel_th: Fix user-visible error codes
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 030/148] staging/speakup: fix get_word non-space look-ahead Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 032/148] intel_th: pci: Add Elkhart Lake CPU support Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Shishkin, Andy Shevchenko

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit ce666be89a8a09c5924ff08fc32e119f974bdab6 upstream.

There are a few places in the driver that end up returning ENOTSUPP to
the user, replace those with EINVAL.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver")
Cc: stable@vger.kernel.org # v4.4+
Link: https://lore.kernel.org/r/20200317062215.15598-6-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/intel_th/msu.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/hwtracing/intel_th/msu.c
+++ b/drivers/hwtracing/intel_th/msu.c
@@ -499,7 +499,7 @@ static int msc_configure(struct msc *msc
 	lockdep_assert_held(&msc->buf_mutex);
 
 	if (msc->mode > MSC_MODE_MULTI)
-		return -ENOTSUPP;
+		return -EINVAL;
 
 	if (msc->mode == MSC_MODE_MULTI)
 		msc_buffer_clear_hw_header(msc);
@@ -950,7 +950,7 @@ static int msc_buffer_alloc(struct msc *
 	} else if (msc->mode == MSC_MODE_MULTI) {
 		ret = msc_buffer_multi_alloc(msc, nr_pages, nr_wins);
 	} else {
-		ret = -ENOTSUPP;
+		ret = -EINVAL;
 	}
 
 	if (!ret) {
@@ -1173,7 +1173,7 @@ static ssize_t intel_th_msc_read(struct
 		if (ret >= 0)
 			*ppos = iter->offset;
 	} else {
-		ret = -ENOTSUPP;
+		ret = -EINVAL;
 	}
 
 put_count:



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 032/148] intel_th: pci: Add Elkhart Lake CPU support
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 031/148] intel_th: Fix user-visible error codes Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 033/148] rtc: max8907: add missing select REGMAP_IRQ Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Shishkin, Andy Shevchenko

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit add492d2e9446a77ede9bb43699ec85ca8fc1aba upstream.

This adds support for the Trace Hub in Elkhart Lake CPU.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200317062215.15598-7-alexander.shishkin@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/intel_th/pci.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -219,6 +219,11 @@ static const struct pci_device_id intel_
 		.driver_data = (kernel_ulong_t)&intel_th_2x,
 	},
 	{
+		/* Elkhart Lake CPU */
+		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4529),
+		.driver_data = (kernel_ulong_t)&intel_th_2x,
+	},
+	{
 		/* Elkhart Lake */
 		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4b26),
 		.driver_data = (kernel_ulong_t)&intel_th_2x,



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 033/148] rtc: max8907: add missing select REGMAP_IRQ
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 032/148] intel_th: pci: Add Elkhart Lake CPU support Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 034/148] xhci: Do not open code __print_symbolic() in xhci trace events Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Linus Torvalds

From: Corentin Labbe <clabbe@baylibre.com>

commit 5d892919fdd0cefd361697472d4e1b174a594991 upstream.

I have hit the following build error:

  armv7a-hardfloat-linux-gnueabi-ld: drivers/rtc/rtc-max8907.o: in function `max8907_rtc_probe':
  rtc-max8907.c:(.text+0x400): undefined reference to `regmap_irq_get_virq'

max8907 should select REGMAP_IRQ

Fixes: 94c01ab6d7544 ("rtc: add MAX8907 RTC driver")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rtc/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/rtc/Kconfig
+++ b/drivers/rtc/Kconfig
@@ -323,6 +323,7 @@ config RTC_DRV_MAX6900
 config RTC_DRV_MAX8907
 	tristate "Maxim MAX8907"
 	depends on MFD_MAX8907 || COMPILE_TEST
+	select REGMAP_IRQ
 	help
 	  If you say yes here you will get support for the
 	  RTC of Maxim MAX8907 PMIC.



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 034/148] xhci: Do not open code __print_symbolic() in xhci trace events
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 033/148] rtc: max8907: add missing select REGMAP_IRQ Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 035/148] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tzvetomir Stoyanov,
	Steven Rostedt (VMware),
	Mathias Nyman

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 045706bff837ee89c13f1ace173db71922c1c40b upstream.

libtraceevent (used by perf and trace-cmd) failed to parse the
xhci_urb_dequeue trace event. This is because the user space trace
event format parsing is not a full C compiler. It can handle some basic
logic, but is not meant to be able to handle everything C can do.

In cases where a trace event field needs to be converted from a number
to a string, there's the __print_symbolic() macro that should be used:

 See samples/trace_events/trace-events-sample.h

Some xhci trace events open coded the __print_symbolic() causing the
user spaces tools to fail to parse it. This has to be replaced with
__print_symbolic() instead.

CC: stable@vger.kernel.org
Reported-by: Tzvetomir Stoyanov <tstoyanov@vmware.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206531
Fixes: 5abdc2e6e12ff ("usb: host: xhci: add urb_enqueue/dequeue/giveback tracers")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20200306150858.21904-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-trace.h |   23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

--- a/drivers/usb/host/xhci-trace.h
+++ b/drivers/usb/host/xhci-trace.h
@@ -276,23 +276,12 @@ DECLARE_EVENT_CLASS(xhci_log_urb,
 	),
 	TP_printk("ep%d%s-%s: urb %p pipe %u slot %d length %d/%d sgs %d/%d stream %d flags %08x",
 			__entry->epnum, __entry->dir_in ? "in" : "out",
-			({ char *s;
-			switch (__entry->type) {
-			case USB_ENDPOINT_XFER_INT:
-				s = "intr";
-				break;
-			case USB_ENDPOINT_XFER_CONTROL:
-				s = "control";
-				break;
-			case USB_ENDPOINT_XFER_BULK:
-				s = "bulk";
-				break;
-			case USB_ENDPOINT_XFER_ISOC:
-				s = "isoc";
-				break;
-			default:
-				s = "UNKNOWN";
-			} s; }), __entry->urb, __entry->pipe, __entry->slot_id,
+			__print_symbolic(__entry->type,
+				   { USB_ENDPOINT_XFER_INT,	"intr" },
+				   { USB_ENDPOINT_XFER_CONTROL,	"control" },
+				   { USB_ENDPOINT_XFER_BULK,	"bulk" },
+				   { USB_ENDPOINT_XFER_ISOC,	"isoc" }),
+			__entry->urb, __entry->pipe, __entry->slot_id,
 			__entry->actual, __entry->length, __entry->num_mapped_sgs,
 			__entry->num_sgs, __entry->stream, __entry->flags
 		)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 035/148] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 034/148] xhci: Do not open code __print_symbolic() in xhci trace events Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 036/148] mm: slub: be more careful about the double cmpxchg of freelist Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chunguang Xu, Andrew Morton,
	Michal Hocko, Kirill A. Shutemov, Johannes Weiner,
	Vladimir Davydov, Linus Torvalds

From: Chunguang Xu <brookxu@tencent.com>

commit 7d36665a5886c27ca4c4d0afd3ecc50b400f3587 upstream.

An eventfd monitors multiple memory thresholds of the cgroup, closes them,
the kernel deletes all events related to this eventfd.  Before all events
are deleted, another eventfd monitors the memory threshold of this cgroup,
leading to a crash:

  BUG: kernel NULL pointer dereference, address: 0000000000000004
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 800000033058e067 P4D 800000033058e067 PUD 3355ce067 PMD 0
  Oops: 0002 [#1] SMP PTI
  CPU: 2 PID: 14012 Comm: kworker/2:6 Kdump: loaded Not tainted 5.6.0-rc4 #3
  Hardware name: LENOVO 20AWS01K00/20AWS01K00, BIOS GLET70WW (2.24 ) 05/21/2014
  Workqueue: events memcg_event_remove
  RIP: 0010:__mem_cgroup_usage_unregister_event+0xb3/0x190
  RSP: 0018:ffffb47e01c4fe18 EFLAGS: 00010202
  RAX: 0000000000000001 RBX: ffff8bb223a8a000 RCX: 0000000000000001
  RDX: 0000000000000001 RSI: ffff8bb22fb83540 RDI: 0000000000000001
  RBP: ffffb47e01c4fe48 R08: 0000000000000000 R09: 0000000000000010
  R10: 000000000000000c R11: 071c71c71c71c71c R12: ffff8bb226aba880
  R13: ffff8bb223a8a480 R14: 0000000000000000 R15: 0000000000000000
  FS:  0000000000000000(0000) GS:ffff8bb242680000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000004 CR3: 000000032c29c003 CR4: 00000000001606e0
  Call Trace:
    memcg_event_remove+0x32/0x90
    process_one_work+0x172/0x380
    worker_thread+0x49/0x3f0
    kthread+0xf8/0x130
    ret_from_fork+0x35/0x40
  CR2: 0000000000000004

We can reproduce this problem in the following ways:

1. We create a new cgroup subdirectory and a new eventfd, and then we
   monitor multiple memory thresholds of the cgroup through this eventfd.

2.  closing this eventfd, and __mem_cgroup_usage_unregister_event ()
   will be called multiple times to delete all events related to this
   eventfd.

The first time __mem_cgroup_usage_unregister_event() is called, the
kernel will clear all items related to this eventfd in thresholds->
primary.

Since there is currently only one eventfd, thresholds-> primary becomes
empty, so the kernel will set thresholds-> primary and hresholds-> spare
to NULL.  If at this time, the user creates a new eventfd and monitor
the memory threshold of this cgroup, kernel will re-initialize
thresholds-> primary.

Then when __mem_cgroup_usage_unregister_event () is called for the
second time, because thresholds-> primary is not empty, the system will
access thresholds-> spare, but thresholds-> spare is NULL, which will
trigger a crash.

In general, the longer it takes to delete all events related to this
eventfd, the easier it is to trigger this problem.

The solution is to check whether the thresholds associated with the
eventfd has been cleared when deleting the event.  If so, we do nothing.

[akpm@linux-foundation.org: fix comment, per Kirill]
Fixes: 907860ed381a ("cgroups: make cftype.unregister_event() void-returning")
Signed-off-by: Chunguang Xu <brookxu@tencent.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/077a6f67-aefa-4591-efec-f2f3af2b0b02@gmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/memcontrol.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3518,7 +3518,7 @@ static void __mem_cgroup_usage_unregiste
 	struct mem_cgroup_thresholds *thresholds;
 	struct mem_cgroup_threshold_ary *new;
 	unsigned long usage;
-	int i, j, size;
+	int i, j, size, entries;
 
 	mutex_lock(&memcg->thresholds_lock);
 
@@ -3538,14 +3538,20 @@ static void __mem_cgroup_usage_unregiste
 	__mem_cgroup_threshold(memcg, type == _MEMSWAP);
 
 	/* Calculate new number of threshold */
-	size = 0;
+	size = entries = 0;
 	for (i = 0; i < thresholds->primary->size; i++) {
 		if (thresholds->primary->entries[i].eventfd != eventfd)
 			size++;
+		else
+			entries++;
 	}
 
 	new = thresholds->spare;
 
+	/* If no items related to eventfd have been cleared, nothing to do */
+	if (!entries)
+		goto unlock;
+
 	/* Set thresholds array to NULL if we don't have thresholds */
 	if (!size) {
 		kfree(new);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 036/148] mm: slub: be more careful about the double cmpxchg of freelist
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 035/148] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 037/148] mm, slub: prevent kmalloc_node crashes and memory leaks Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jann Horn, Linus Torvalds

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 5076190daded2197f62fe92cf69674488be44175 upstream.

This is just a cleanup addition to Jann's fix to properly update the
transaction ID for the slub slowpath in commit fd4d9c7d0c71 ("mm: slub:
add missing TID bump..").

The transaction ID is what protects us against any concurrent accesses,
but we should really also make sure to make the 'freelist' comparison
itself always use the same freelist value that we then used as the new
next free pointer.

Jann points out that if we do all of this carefully, we could skip the
transaction ID update for all the paths that only remove entries from
the lists, and only update the TID when adding entries (to avoid the ABA
issue with cmpxchg and list handling re-adding a previously seen value).

But this patch just does the "make sure to cmpxchg the same value we
used" rather than then try to be clever.

Acked-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/slub.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2943,11 +2943,13 @@ redo:
 	barrier();
 
 	if (likely(page == c->page)) {
-		set_freepointer(s, tail_obj, c->freelist);
+		void **freelist = READ_ONCE(c->freelist);
+
+		set_freepointer(s, tail_obj, freelist);
 
 		if (unlikely(!this_cpu_cmpxchg_double(
 				s->cpu_slab->freelist, s->cpu_slab->tid,
-				c->freelist, tid,
+				freelist, tid,
 				head, next_tid(tid)))) {
 
 			note_cmpxchg_failure("slab_free", s, tid);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 037/148] mm, slub: prevent kmalloc_node crashes and memory leaks
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 036/148] mm: slub: be more careful about the double cmpxchg of freelist Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 038/148] page-flags: fix a crash at SetPageError(THP_SWAP) Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sachin Sant,
	PUVICHAKRAVARTHY RAMACHANDRAN, Vlastimil Babka, Andrew Morton,
	Bharata B Rao, Srikar Dronamraju, Mel Gorman, Michael Ellerman,
	Michal Hocko, Christopher Lameter, linuxppc-dev, Joonsoo Kim,
	Pekka Enberg, David Rientjes, Kirill Tkhai, Nathan Lynch,
	Linus Torvalds

From: Vlastimil Babka <vbabka@suse.cz>

commit 0715e6c516f106ed553828a671d30ad9a3431536 upstream.

Sachin reports [1] a crash in SLUB __slab_alloc():

  BUG: Kernel NULL pointer dereference on read at 0x000073b0
  Faulting instruction address: 0xc0000000003d55f4
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  Modules linked in:
  CPU: 19 PID: 1 Comm: systemd Not tainted 5.6.0-rc2-next-20200218-autotest #1
  NIP:  c0000000003d55f4 LR: c0000000003d5b94 CTR: 0000000000000000
  REGS: c0000008b37836d0 TRAP: 0300   Not tainted  (5.6.0-rc2-next-20200218-autotest)
  MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24004844  XER: 00000000
  CFAR: c00000000000dec4 DAR: 00000000000073b0 DSISR: 40000000 IRQMASK: 1
  GPR00: c0000000003d5b94 c0000008b3783960 c00000000155d400 c0000008b301f500
  GPR04: 0000000000000dc0 0000000000000002 c0000000003443d8 c0000008bb398620
  GPR08: 00000008ba2f0000 0000000000000001 0000000000000000 0000000000000000
  GPR12: 0000000024004844 c00000001ec52a00 0000000000000000 0000000000000000
  GPR16: c0000008a1b20048 c000000001595898 c000000001750c18 0000000000000002
  GPR20: c000000001750c28 c000000001624470 0000000fffffffe0 5deadbeef0000122
  GPR24: 0000000000000001 0000000000000dc0 0000000000000002 c0000000003443d8
  GPR28: c0000008b301f500 c0000008bb398620 0000000000000000 c00c000002287180
  NIP ___slab_alloc+0x1f4/0x760
  LR __slab_alloc+0x34/0x60
  Call Trace:
    ___slab_alloc+0x334/0x760 (unreliable)
    __slab_alloc+0x34/0x60
    __kmalloc_node+0x110/0x490
    kvmalloc_node+0x58/0x110
    mem_cgroup_css_online+0x108/0x270
    online_css+0x48/0xd0
    cgroup_apply_control_enable+0x2ec/0x4d0
    cgroup_mkdir+0x228/0x5f0
    kernfs_iop_mkdir+0x90/0xf0
    vfs_mkdir+0x110/0x230
    do_mkdirat+0xb0/0x1a0
    system_call+0x5c/0x68

This is a PowerPC platform with following NUMA topology:

  available: 2 nodes (0-1)
  node 0 cpus:
  node 0 size: 0 MB
  node 0 free: 0 MB
  node 1 cpus: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
  node 1 size: 35247 MB
  node 1 free: 30907 MB
  node distances:
  node   0   1
    0:  10  40
    1:  40  10

  possible numa nodes: 0-31

This only happens with a mmotm patch "mm/memcontrol.c: allocate
shrinker_map on appropriate NUMA node" [2] which effectively calls
kmalloc_node for each possible node.  SLUB however only allocates
kmem_cache_node on online N_NORMAL_MEMORY nodes, and relies on
node_to_mem_node to return such valid node for other nodes since commit
a561ce00b09e ("slub: fall back to node_to_mem_node() node if allocating
on memoryless node").  This is however not true in this configuration
where the _node_numa_mem_ array is not initialized for nodes 0 and 2-31,
thus it contains zeroes and get_partial() ends up accessing
non-allocated kmem_cache_node.

A related issue was reported by Bharata (originally by Ramachandran) [3]
where a similar PowerPC configuration, but with mainline kernel without
patch [2] ends up allocating large amounts of pages by kmalloc-1k
kmalloc-512.  This seems to have the same underlying issue with
node_to_mem_node() not behaving as expected, and might probably also
lead to an infinite loop with CONFIG_SLUB_CPU_PARTIAL [4].

This patch should fix both issues by not relying on node_to_mem_node()
anymore and instead simply falling back to NUMA_NO_NODE, when
kmalloc_node(node) is attempted for a node that's not online, or has no
usable memory.  The "usable memory" condition is also changed from
node_present_pages() to N_NORMAL_MEMORY node state, as that is exactly
the condition that SLUB uses to allocate kmem_cache_node structures.
The check in get_partial() is removed completely, as the checks in
___slab_alloc() are now sufficient to prevent get_partial() being
reached with an invalid node.

[1] https://lore.kernel.org/linux-next/3381CD91-AB3D-4773-BA04-E7A072A63968@linux.vnet.ibm.com/
[2] https://lore.kernel.org/linux-mm/fff0e636-4c36-ed10-281c-8cdb0687c839@virtuozzo.com/
[3] https://lore.kernel.org/linux-mm/20200317092624.GB22538@in.ibm.com/
[4] https://lore.kernel.org/linux-mm/088b5996-faae-8a56-ef9c-5b567125ae54@suse.cz/

Fixes: a561ce00b09e ("slub: fall back to node_to_mem_node() node if allocating on memoryless node")
Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Reported-by: PUVICHAKRAVARTHY RAMACHANDRAN <puvichakravarthy@in.ibm.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Tested-by: Bharata B Rao <bharata@linux.ibm.com>
Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Christopher Lameter <cl@linux.com>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Nathan Lynch <nathanl@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20200320115533.9604-1-vbabka@suse.cz
Debugged-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/slub.c |   26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1923,8 +1923,6 @@ static void *get_partial(struct kmem_cac
 
 	if (node == NUMA_NO_NODE)
 		searchnode = numa_mem_id();
-	else if (!node_present_pages(node))
-		searchnode = node_to_mem_node(node);
 
 	object = get_partial_node(s, get_node(s, searchnode), c, flags);
 	if (object || node != NUMA_NO_NODE)
@@ -2521,17 +2519,27 @@ static void *___slab_alloc(struct kmem_c
 	struct page *page;
 
 	page = c->page;
-	if (!page)
+	if (!page) {
+		/*
+		 * if the node is not online or has no normal memory, just
+		 * ignore the node constraint
+		 */
+		if (unlikely(node != NUMA_NO_NODE &&
+			     !node_state(node, N_NORMAL_MEMORY)))
+			node = NUMA_NO_NODE;
 		goto new_slab;
+	}
 redo:
 
 	if (unlikely(!node_match(page, node))) {
-		int searchnode = node;
-
-		if (node != NUMA_NO_NODE && !node_present_pages(node))
-			searchnode = node_to_mem_node(node);
-
-		if (unlikely(!node_match(page, searchnode))) {
+		/*
+		 * same as above but node_match() being false already
+		 * implies node != NUMA_NO_NODE
+		 */
+		if (!node_state(node, N_NORMAL_MEMORY)) {
+			node = NUMA_NO_NODE;
+			goto redo;
+		} else {
 			stat(s, ALLOC_NODE_MISMATCH);
 			deactivate_slab(s, page, c->freelist, c);
 			goto new_slab;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 038/148] page-flags: fix a crash at SetPageError(THP_SWAP)
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 037/148] mm, slub: prevent kmalloc_node crashes and memory leaks Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 039/148] x86/mm: split vmalloc_sync_all() Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qian Cai, Andrew Morton,
	David Hildenbrand, Huang, Ying, Rafael Aquini, Linus Torvalds

From: Qian Cai <cai@lca.pw>

commit d72520ad004a8ce18a6ba6cde317f0081b27365a upstream.

Commit bd4c82c22c36 ("mm, THP, swap: delay splitting THP after swapped
out") supported writing THP to a swap device but forgot to upgrade an
older commit df8c94d13c7e ("page-flags: define behavior of FS/IO-related
flags on compound pages") which could trigger a crash during THP
swapping out with DEBUG_VM_PGFLAGS=y,

  kernel BUG at include/linux/page-flags.h:317!

  page dumped because: VM_BUG_ON_PAGE(1 && PageCompound(page))
  page:fffff3b2ec3a8000 refcount:512 mapcount:0 mapping:000000009eb0338c index:0x7f6e58200 head:fffff3b2ec3a8000 order:9 compound_mapcount:0 compound_pincount:0
  anon flags: 0x45fffe0000d8454(uptodate|lru|workingset|owner_priv_1|writeback|head|reclaim|swapbacked)

  end_swap_bio_write()
    SetPageError(page)
      VM_BUG_ON_PAGE(1 && PageCompound(page))

  <IRQ>
  bio_endio+0x297/0x560
  dec_pending+0x218/0x430 [dm_mod]
  clone_endio+0xe4/0x2c0 [dm_mod]
  bio_endio+0x297/0x560
  blk_update_request+0x201/0x920
  scsi_end_request+0x6b/0x4b0
  scsi_io_completion+0x509/0x7e0
  scsi_finish_command+0x1ed/0x2a0
  scsi_softirq_done+0x1c9/0x1d0
  __blk_mqnterrupt+0xf/0x20
  </IRQ>

Fix by checking PF_NO_TAIL in those places instead.

Fixes: bd4c82c22c36 ("mm, THP, swap: delay splitting THP after swapped out")
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Acked-by: "Huang, Ying" <ying.huang@intel.com>
Acked-by: Rafael Aquini <aquini@redhat.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20200310235846.1319-1-cai@lca.pw
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/page-flags.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -264,7 +264,7 @@ static inline int TestClearPage##uname(s
 
 __PAGEFLAG(Locked, locked, PF_NO_TAIL)
 PAGEFLAG(Waiters, waiters, PF_ONLY_HEAD) __CLEARPAGEFLAG(Waiters, waiters, PF_ONLY_HEAD)
-PAGEFLAG(Error, error, PF_NO_COMPOUND) TESTCLEARFLAG(Error, error, PF_NO_COMPOUND)
+PAGEFLAG(Error, error, PF_NO_TAIL) TESTCLEARFLAG(Error, error, PF_NO_TAIL)
 PAGEFLAG(Referenced, referenced, PF_HEAD)
 	TESTCLEARFLAG(Referenced, referenced, PF_HEAD)
 	__SETPAGEFLAG(Referenced, referenced, PF_HEAD)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 039/148] x86/mm: split vmalloc_sync_all()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 038/148] page-flags: fix a crash at SetPageError(THP_SWAP) Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 040/148] USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Shile Zhang,
	Joerg Roedel, Andrew Morton, Borislav Petkov, Dave Hansen,
	Andy Lutomirski, Peter Zijlstra, Thomas Gleixner, Ingo Molnar,
	Linus Torvalds, Rafael J . Wysocki

From: Joerg Roedel <jroedel@suse.de>

commit 763802b53a427ed3cbd419dbba255c414fdd9e7c upstream.

Commit 3f8fd02b1bf1 ("mm/vmalloc: Sync unmappings in
__purge_vmap_area_lazy()") introduced a call to vmalloc_sync_all() in
the vunmap() code-path.  While this change was necessary to maintain
correctness on x86-32-pae kernels, it also adds additional cycles for
architectures that don't need it.

Specifically on x86-64 with CONFIG_VMAP_STACK=y some people reported
severe performance regressions in micro-benchmarks because it now also
calls the x86-64 implementation of vmalloc_sync_all() on vunmap().  But
the vmalloc_sync_all() implementation on x86-64 is only needed for newly
created mappings.

To avoid the unnecessary work on x86-64 and to gain the performance
back, split up vmalloc_sync_all() into two functions:

	* vmalloc_sync_mappings(), and
	* vmalloc_sync_unmappings()

Most call-sites to vmalloc_sync_all() only care about new mappings being
synchronized.  The only exception is the new call-site added in the
above mentioned commit.

Shile Zhang directed us to a report of an 80% regression in reaim
throughput.

Fixes: 3f8fd02b1bf1 ("mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()")
Reported-by: kernel test robot <oliver.sang@intel.com>
Reported-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: Borislav Petkov <bp@suse.de>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>	[GHES]
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20191009124418.8286-1-joro@8bytes.org
Link: https://lists.01.org/hyperkitty/list/lkp@lists.01.org/thread/4D3JPPHBNOSPFK2KEPC6KGKS6J25AIDB/
Link: http://lkml.kernel.org/r/20191113095530.228959-1-shile.zhang@linux.alibaba.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/fault.c      |   26 ++++++++++++++++++++++++--
 drivers/acpi/apei/ghes.c |    2 +-
 include/linux/vmalloc.h  |    5 +++--
 kernel/notifier.c        |    2 +-
 mm/nommu.c               |   10 +++++++---
 mm/vmalloc.c             |   11 +++++++----
 6 files changed, 43 insertions(+), 13 deletions(-)

--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -272,7 +272,7 @@ static inline pmd_t *vmalloc_sync_one(pg
 	return pmd_k;
 }
 
-void vmalloc_sync_all(void)
+static void vmalloc_sync(void)
 {
 	unsigned long address;
 
@@ -299,6 +299,16 @@ void vmalloc_sync_all(void)
 	}
 }
 
+void vmalloc_sync_mappings(void)
+{
+	vmalloc_sync();
+}
+
+void vmalloc_sync_unmappings(void)
+{
+	vmalloc_sync();
+}
+
 /*
  * 32-bit:
  *
@@ -401,11 +411,23 @@ out:
 
 #else /* CONFIG_X86_64: */
 
-void vmalloc_sync_all(void)
+void vmalloc_sync_mappings(void)
 {
+	/*
+	 * 64-bit mappings might allocate new p4d/pud pages
+	 * that need to be propagated to all tasks' PGDs.
+	 */
 	sync_global_pgds(VMALLOC_START & PGDIR_MASK, VMALLOC_END);
 }
 
+void vmalloc_sync_unmappings(void)
+{
+	/*
+	 * Unmappings never allocate or free p4d/pud pages.
+	 * No work is required here.
+	 */
+}
+
 /*
  * 64-bit:
  *
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -201,7 +201,7 @@ static int ghes_estatus_pool_expand(unsi
 	 * New allocation must be visible in all pgd before it can be found by
 	 * an NMI allocating from the pool.
 	 */
-	vmalloc_sync_all();
+	vmalloc_sync_mappings();
 
 	return gen_pool_add(ghes_estatus_pool, addr, PAGE_ALIGN(len), -1);
 }
--- a/include/linux/vmalloc.h
+++ b/include/linux/vmalloc.h
@@ -106,8 +106,9 @@ extern int remap_vmalloc_range_partial(s
 
 extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
 							unsigned long pgoff);
-void vmalloc_sync_all(void);
- 
+void vmalloc_sync_mappings(void);
+void vmalloc_sync_unmappings(void);
+
 /*
  *	Lowlevel-APIs (not for driver use!)
  */
--- a/kernel/notifier.c
+++ b/kernel/notifier.c
@@ -552,7 +552,7 @@ NOKPROBE_SYMBOL(notify_die);
 
 int register_die_notifier(struct notifier_block *nb)
 {
-	vmalloc_sync_all();
+	vmalloc_sync_mappings();
 	return atomic_notifier_chain_register(&die_chain, nb);
 }
 EXPORT_SYMBOL_GPL(register_die_notifier);
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -450,10 +450,14 @@ void vm_unmap_aliases(void)
 EXPORT_SYMBOL_GPL(vm_unmap_aliases);
 
 /*
- * Implement a stub for vmalloc_sync_all() if the architecture chose not to
- * have one.
+ * Implement a stub for vmalloc_sync_[un]mapping() if the architecture
+ * chose not to have one.
  */
-void __weak vmalloc_sync_all(void)
+void __weak vmalloc_sync_mappings(void)
+{
+}
+
+void __weak vmalloc_sync_unmappings(void)
 {
 }
 
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -1769,7 +1769,7 @@ void *__vmalloc_node_range(unsigned long
 	 * First make sure the mappings are removed from all page-tables
 	 * before they are freed.
 	 */
-	vmalloc_sync_all();
+	vmalloc_sync_unmappings();
 
 	/*
 	 * In this function, newly allocated vm_struct has VM_UNINITIALIZED
@@ -2318,16 +2318,19 @@ int remap_vmalloc_range(struct vm_area_s
 EXPORT_SYMBOL(remap_vmalloc_range);
 
 /*
- * Implement a stub for vmalloc_sync_all() if the architecture chose not to
- * have one.
+ * Implement stubs for vmalloc_sync_[un]mappings () if the architecture chose
+ * not to have one.
  *
  * The purpose of this function is to make sure the vmalloc area
  * mappings are identical in all page-tables in the system.
  */
-void __weak vmalloc_sync_all(void)
+void __weak vmalloc_sync_mappings(void)
 {
 }
 
+void __weak vmalloc_sync_unmappings(void)
+{
+}
 
 static int f(pte_t *pte, pgtable_t table, unsigned long addr, void *data)
 {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 040/148] USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 039/148] x86/mm: split vmalloc_sync_all() Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 041/148] USB: cdc-acm: fix rounding error " Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anthony Mallet, Sasha Levin

From: Anthony Mallet <anthony.mallet@laas.fr>

[ Upstream commit 633e2b2ded739a34bd0fb1d8b5b871f7e489ea29 ]

close_delay and closing_wait are specified in hundredth of a second but stored
internally in jiffies. Use the jiffies_to_msecs() and msecs_to_jiffies()
functions to convert from each other.

Signed-off-by: Anthony Mallet <anthony.mallet@laas.fr>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200312133101.7096-1-anthony.mallet@laas.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/class/cdc-acm.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 0453f0eb11781..74d0a91e84273 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -926,10 +926,10 @@ static int get_serial_info(struct acm *acm, struct serial_struct __user *info)
 	memset(&tmp, 0, sizeof(tmp));
 	tmp.xmit_fifo_size = acm->writesize;
 	tmp.baud_base = le32_to_cpu(acm->line.dwDTERate);
-	tmp.close_delay	= acm->port.close_delay / 10;
+	tmp.close_delay	= jiffies_to_msecs(acm->port.close_delay) / 10;
 	tmp.closing_wait = acm->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
 				ASYNC_CLOSING_WAIT_NONE :
-				acm->port.closing_wait / 10;
+				jiffies_to_msecs(acm->port.closing_wait) / 10;
 
 	if (copy_to_user(info, &tmp, sizeof(tmp)))
 		return -EFAULT;
@@ -947,9 +947,10 @@ static int set_serial_info(struct acm *acm,
 	if (copy_from_user(&new_serial, newinfo, sizeof(new_serial)))
 		return -EFAULT;
 
-	close_delay = new_serial.close_delay * 10;
+	close_delay = msecs_to_jiffies(new_serial.close_delay * 10);
 	closing_wait = new_serial.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
-			ASYNC_CLOSING_WAIT_NONE : new_serial.closing_wait * 10;
+			ASYNC_CLOSING_WAIT_NONE :
+			msecs_to_jiffies(new_serial.closing_wait * 10);
 
 	mutex_lock(&acm->port.mutex);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 041/148] USB: cdc-acm: fix rounding error in TIOCSSERIAL
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 040/148] USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 042/148] iio: adc: at91-sama5d2_adc: fix channel configuration for differential channels Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anthony Mallet, Sasha Levin

From: Anthony Mallet <anthony.mallet@laas.fr>

[ Upstream commit b401f8c4f492cbf74f3f59c9141e5be3071071bb ]

By default, tty_port_init() initializes those parameters to a multiple
of HZ. For instance in line 69 of tty_port.c:
   port->close_delay = (50 * HZ) / 100;
https://github.com/torvalds/linux/blob/master/drivers/tty/tty_port.c#L69

With e.g. CONFIG_HZ = 250 (as this is the case for Ubuntu 18.04
linux-image-4.15.0-37-generic), the default setting for close_delay is
thus 125.

When ioctl(fd, TIOCGSERIAL, &s) is executed, the setting returned in
user space is '12' (125/10). When ioctl(fd, TIOCSSERIAL, &s) is then
executed with the same setting '12', the value is interpreted as '120'
which is different from the current setting and a EPERM error may be
raised by set_serial_info() if !CAP_SYS_ADMIN.
https://github.com/torvalds/linux/blob/master/drivers/usb/class/cdc-acm.c#L919

Fixes: ba2d8ce9db0a6 ("cdc-acm: implement TIOCSSERIAL to avoid blocking close(2)")
Signed-off-by: Anthony Mallet <anthony.mallet@laas.fr>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200312133101.7096-2-anthony.mallet@laas.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/class/cdc-acm.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 74d0a91e84273..30a124b74d459 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -942,6 +942,7 @@ static int set_serial_info(struct acm *acm,
 {
 	struct serial_struct new_serial;
 	unsigned int closing_wait, close_delay;
+	unsigned int old_closing_wait, old_close_delay;
 	int retval = 0;
 
 	if (copy_from_user(&new_serial, newinfo, sizeof(new_serial)))
@@ -952,18 +953,24 @@ static int set_serial_info(struct acm *acm,
 			ASYNC_CLOSING_WAIT_NONE :
 			msecs_to_jiffies(new_serial.closing_wait * 10);
 
+	/* we must redo the rounding here, so that the values match */
+	old_close_delay	= jiffies_to_msecs(acm->port.close_delay) / 10;
+	old_closing_wait = acm->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+				ASYNC_CLOSING_WAIT_NONE :
+				jiffies_to_msecs(acm->port.closing_wait) / 10;
+
 	mutex_lock(&acm->port.mutex);
 
-	if (!capable(CAP_SYS_ADMIN)) {
-		if ((close_delay != acm->port.close_delay) ||
-		    (closing_wait != acm->port.closing_wait))
+	if ((new_serial.close_delay != old_close_delay) ||
+            (new_serial.closing_wait != old_closing_wait)) {
+		if (!capable(CAP_SYS_ADMIN))
 			retval = -EPERM;
-		else
-			retval = -EOPNOTSUPP;
-	} else {
-		acm->port.close_delay  = close_delay;
-		acm->port.closing_wait = closing_wait;
-	}
+		else {
+			acm->port.close_delay  = close_delay;
+			acm->port.closing_wait = closing_wait;
+		}
+	} else
+		retval = -EOPNOTSUPP;
 
 	mutex_unlock(&acm->port.mutex);
 	return retval;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 042/148] iio: adc: at91-sama5d2_adc: fix channel configuration for differential channels
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 041/148] USB: cdc-acm: fix rounding error " Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 043/148] iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eugen Hristev, Stable,
	Jonathan Cameron, Sasha Levin

From: Eugen Hristev <eugen.hristev@microchip.com>

[ Upstream commit f0c8d1f6dc8eac5a1fbf441c8e080721a7b6c0ff ]

When iterating through the channels, the index in the array is not the
scan index. Added an xlate function to translate to the proper index.
The result of the bug is that the channel array is indexed with a wrong index,
thus instead of the proper channel, we access invalid memory, which may
lead to invalid results and/or corruption.
This will be used also for devicetree channel xlate.

Fixes: 5e1a1da0f ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support")
Fixes: 073c66201 ("iio: adc: at91-sama5d2_adc: add support for DMA")
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/adc/at91-sama5d2_adc.c | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
index a70ef7fec95f0..0898f40c2b892 100644
--- a/drivers/iio/adc/at91-sama5d2_adc.c
+++ b/drivers/iio/adc/at91-sama5d2_adc.c
@@ -300,6 +300,27 @@ static const struct iio_chan_spec at91_adc_channels[] = {
 				+ AT91_SAMA5D2_DIFF_CHAN_CNT + 1),
 };
 
+static int at91_adc_chan_xlate(struct iio_dev *indio_dev, int chan)
+{
+	int i;
+
+	for (i = 0; i < indio_dev->num_channels; i++) {
+		if (indio_dev->channels[i].scan_index == chan)
+			return i;
+	}
+	return -EINVAL;
+}
+
+static inline struct iio_chan_spec const *
+at91_adc_chan_get(struct iio_dev *indio_dev, int chan)
+{
+	int index = at91_adc_chan_xlate(indio_dev, chan);
+
+	if (index < 0)
+		return NULL;
+	return indio_dev->channels + index;
+}
+
 static int at91_adc_configure_trigger(struct iio_trigger *trig, bool state)
 {
 	struct iio_dev *indio = iio_trigger_get_drvdata(trig);
@@ -317,8 +338,10 @@ static int at91_adc_configure_trigger(struct iio_trigger *trig, bool state)
 	at91_adc_writel(st, AT91_SAMA5D2_TRGR, status);
 
 	for_each_set_bit(bit, indio->active_scan_mask, indio->num_channels) {
-		struct iio_chan_spec const *chan = indio->channels + bit;
+		struct iio_chan_spec const *chan = at91_adc_chan_get(indio, bit);
 
+		if (!chan)
+			continue;
 		if (state) {
 			at91_adc_writel(st, AT91_SAMA5D2_CHER,
 					BIT(chan->channel));
@@ -398,8 +421,11 @@ static irqreturn_t at91_adc_trigger_handler(int irq, void *p)
 	u8 bit;
 
 	for_each_set_bit(bit, indio->active_scan_mask, indio->num_channels) {
-		struct iio_chan_spec const *chan = indio->channels + bit;
+		struct iio_chan_spec const *chan =
+					at91_adc_chan_get(indio, bit);
 
+		if (!chan)
+			continue;
 		st->buffer[i] = at91_adc_readl(st, chan->address);
 		i++;
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 043/148] iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 042/148] iio: adc: at91-sama5d2_adc: fix channel configuration for differential channels Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 044/148] kbuild: Disable -Wpointer-to-enum-cast Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eugen Hristev, Stable,
	Jonathan Cameron, Sasha Levin

From: Eugen Hristev <eugen.hristev@microchip.com>

[ Upstream commit a500f3bd787f8224341e44b238f318c407b10897 ]

The differential channels require writing the channel offset register (COR).
Otherwise they do not work in differential mode.
The configuration of COR is missing in triggered mode.

Fixes: 5e1a1da0f8c9 ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support")
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/adc/at91-sama5d2_adc.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
index 0898f40c2b892..34639ee2d2ce6 100644
--- a/drivers/iio/adc/at91-sama5d2_adc.c
+++ b/drivers/iio/adc/at91-sama5d2_adc.c
@@ -339,9 +339,24 @@ static int at91_adc_configure_trigger(struct iio_trigger *trig, bool state)
 
 	for_each_set_bit(bit, indio->active_scan_mask, indio->num_channels) {
 		struct iio_chan_spec const *chan = at91_adc_chan_get(indio, bit);
+		u32 cor;
 
 		if (!chan)
 			continue;
+		if (state) {
+			cor = at91_adc_readl(st, AT91_SAMA5D2_COR);
+
+			if (chan->differential)
+				cor |= (BIT(chan->channel) |
+					BIT(chan->channel2)) <<
+					AT91_SAMA5D2_COR_DIFF_OFFSET;
+			else
+				cor &= ~(BIT(chan->channel) <<
+				       AT91_SAMA5D2_COR_DIFF_OFFSET);
+
+			at91_adc_writel(st, AT91_SAMA5D2_COR, cor);
+		}
+
 		if (state) {
 			at91_adc_writel(st, AT91_SAMA5D2_CHER,
 					BIT(chan->channel));
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 044/148] kbuild: Disable -Wpointer-to-enum-cast
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 043/148] iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 045/148] futex: Fix inode life-time issue Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Masahiro Yamada,
	Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

commit 82f2bc2fcc0160d6f82dd1ac64518ae0a4dd183f upstream.

Clang's -Wpointer-to-int-cast deviates from GCC in that it warns when
casting to enums. The kernel does this in certain places, such as device
tree matches to set the version of the device being used, which allows
the kernel to avoid using a gigantic union.

https://elixir.bootlin.com/linux/v5.5.8/source/drivers/ata/ahci_brcm.c#L428
https://elixir.bootlin.com/linux/v5.5.8/source/drivers/ata/ahci_brcm.c#L402
https://elixir.bootlin.com/linux/v5.5.8/source/include/linux/mod_devicetable.h#L264

To avoid a ton of false positive warnings, disable this particular part
of the warning, which has been split off into a separate diagnostic so
that the entire warning does not need to be turned off for clang. It
will be visible under W=1 in case people want to go about fixing these
easily and enabling the warning treewide.

Cc: stable@vger.kernel.org
Link: https://github.com/ClangBuiltLinux/linux/issues/887
Link: https://github.com/llvm/llvm-project/commit/2a41b31fcdfcb67ab7038fc2ffb606fd50b83a84
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/Makefile.extrawarn | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn
index 8d5357053f865..486e135d3e30a 100644
--- a/scripts/Makefile.extrawarn
+++ b/scripts/Makefile.extrawarn
@@ -72,5 +72,6 @@ KBUILD_CFLAGS += $(call cc-disable-warning, format)
 KBUILD_CFLAGS += $(call cc-disable-warning, sign-compare)
 KBUILD_CFLAGS += $(call cc-disable-warning, format-zero-length)
 KBUILD_CFLAGS += $(call cc-disable-warning, uninitialized)
+KBUILD_CFLAGS += $(call cc-disable-warning, pointer-to-enum-cast)
 endif
 endif
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 045/148] futex: Fix inode life-time issue
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 044/148] kbuild: Disable -Wpointer-to-enum-cast Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 046/148] futex: Unbreak futex hashing Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jann Horn, Linus Torvalds,
	Peter Zijlstra (Intel)

From: Peter Zijlstra <peterz@infradead.org>

commit 8019ad13ef7f64be44d4f892af9c840179009254 upstream.

As reported by Jann, ihold() does not in fact guarantee inode
persistence. And instead of making it so, replace the usage of inode
pointers with a per boot, machine wide, unique inode identifier.

This sequence number is global, but shared (file backed) futexes are
rare enough that this should not become a performance issue.

Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/inode.c            |    1 
 include/linux/fs.h    |    1 
 include/linux/futex.h |   17 +++++----
 kernel/futex.c        |   89 +++++++++++++++++++++++++++++---------------------
 4 files changed, 65 insertions(+), 43 deletions(-)

--- a/fs/inode.c
+++ b/fs/inode.c
@@ -135,6 +135,7 @@ int inode_init_always(struct super_block
 	inode->i_sb = sb;
 	inode->i_blkbits = sb->s_blocksize_bits;
 	inode->i_flags = 0;
+	atomic64_set(&inode->i_sequence, 0);
 	atomic_set(&inode->i_count, 1);
 	inode->i_op = &empty_iops;
 	inode->i_fop = &no_open_fops;
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -645,6 +645,7 @@ struct inode {
 		struct rcu_head		i_rcu;
 	};
 	u64			i_version;
+	atomic64_t		i_sequence; /* see futex */
 	atomic_t		i_count;
 	atomic_t		i_dio_count;
 	atomic_t		i_writecount;
--- a/include/linux/futex.h
+++ b/include/linux/futex.h
@@ -34,23 +34,26 @@ long do_futex(u32 __user *uaddr, int op,
 
 union futex_key {
 	struct {
+		u64 i_seq;
 		unsigned long pgoff;
-		struct inode *inode;
-		int offset;
+		unsigned int offset;
 	} shared;
 	struct {
+		union {
+			struct mm_struct *mm;
+			u64 __tmp;
+		};
 		unsigned long address;
-		struct mm_struct *mm;
-		int offset;
+		unsigned int offset;
 	} private;
 	struct {
+		u64 ptr;
 		unsigned long word;
-		void *ptr;
-		int offset;
+		unsigned int offset;
 	} both;
 };
 
-#define FUTEX_KEY_INIT (union futex_key) { .both = { .ptr = NULL } }
+#define FUTEX_KEY_INIT (union futex_key) { .both = { .ptr = 0ULL } }
 
 #ifdef CONFIG_FUTEX
 enum {
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -445,7 +445,7 @@ static void get_futex_key_refs(union fut
 
 	switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
 	case FUT_OFF_INODE:
-		ihold(key->shared.inode); /* implies smp_mb(); (B) */
+		smp_mb();		/* explicit smp_mb(); (B) */
 		break;
 	case FUT_OFF_MMSHARED:
 		futex_get_mm(key); /* implies smp_mb(); (B) */
@@ -479,7 +479,6 @@ static void drop_futex_key_refs(union fu
 
 	switch (key->both.offset & (FUT_OFF_INODE|FUT_OFF_MMSHARED)) {
 	case FUT_OFF_INODE:
-		iput(key->shared.inode);
 		break;
 	case FUT_OFF_MMSHARED:
 		mmdrop(key->private.mm);
@@ -487,6 +486,46 @@ static void drop_futex_key_refs(union fu
 	}
 }
 
+/*
+ * Generate a machine wide unique identifier for this inode.
+ *
+ * This relies on u64 not wrapping in the life-time of the machine; which with
+ * 1ns resolution means almost 585 years.
+ *
+ * This further relies on the fact that a well formed program will not unmap
+ * the file while it has a (shared) futex waiting on it. This mapping will have
+ * a file reference which pins the mount and inode.
+ *
+ * If for some reason an inode gets evicted and read back in again, it will get
+ * a new sequence number and will _NOT_ match, even though it is the exact same
+ * file.
+ *
+ * It is important that match_futex() will never have a false-positive, esp.
+ * for PI futexes that can mess up the state. The above argues that false-negatives
+ * are only possible for malformed programs.
+ */
+static u64 get_inode_sequence_number(struct inode *inode)
+{
+	static atomic64_t i_seq;
+	u64 old;
+
+	/* Does the inode already have a sequence number? */
+	old = atomic64_read(&inode->i_sequence);
+	if (likely(old))
+		return old;
+
+	for (;;) {
+		u64 new = atomic64_add_return(1, &i_seq);
+		if (WARN_ON_ONCE(!new))
+			continue;
+
+		old = atomic64_cmpxchg_relaxed(&inode->i_sequence, 0, new);
+		if (old)
+			return old;
+		return new;
+	}
+}
+
 /**
  * get_futex_key() - Get parameters which are the keys for a futex
  * @uaddr:	virtual address of the futex
@@ -499,9 +538,15 @@ static void drop_futex_key_refs(union fu
  *
  * The key words are stored in @key on success.
  *
- * For shared mappings, it's (page->index, file_inode(vma->vm_file),
- * offset_within_page).  For private mappings, it's (uaddr, current->mm).
- * We can usually work out the index without swapping in the page.
+ * For shared mappings (when @fshared), the key is:
+ *   ( inode->i_sequence, page->index, offset_within_page )
+ * [ also see get_inode_sequence_number() ]
+ *
+ * For private mappings (or when !@fshared), the key is:
+ *   ( current->mm, address, 0 )
+ *
+ * This allows (cross process, where applicable) identification of the futex
+ * without keeping the page pinned for the duration of the FUTEX_WAIT.
  *
  * lock_page() might sleep, the caller should not hold a spinlock.
  */
@@ -641,8 +686,6 @@ again:
 		key->private.mm = mm;
 		key->private.address = address;
 
-		get_futex_key_refs(key); /* implies smp_mb(); (B) */
-
 	} else {
 		struct inode *inode;
 
@@ -674,40 +717,14 @@ again:
 			goto again;
 		}
 
-		/*
-		 * Take a reference unless it is about to be freed. Previously
-		 * this reference was taken by ihold under the page lock
-		 * pinning the inode in place so i_lock was unnecessary. The
-		 * only way for this check to fail is if the inode was
-		 * truncated in parallel which is almost certainly an
-		 * application bug. In such a case, just retry.
-		 *
-		 * We are not calling into get_futex_key_refs() in file-backed
-		 * cases, therefore a successful atomic_inc return below will
-		 * guarantee that get_futex_key() will still imply smp_mb(); (B).
-		 */
-		if (!atomic_inc_not_zero(&inode->i_count)) {
-			rcu_read_unlock();
-			put_page(page);
-
-			goto again;
-		}
-
-		/* Should be impossible but lets be paranoid for now */
-		if (WARN_ON_ONCE(inode->i_mapping != mapping)) {
-			err = -EFAULT;
-			rcu_read_unlock();
-			iput(inode);
-
-			goto out;
-		}
-
 		key->both.offset |= FUT_OFF_INODE; /* inode-based key */
-		key->shared.inode = inode;
+		key->shared.i_seq = get_inode_sequence_number(inode);
 		key->shared.pgoff = basepage_index(tail);
 		rcu_read_unlock();
 	}
 
+	get_futex_key_refs(key); /* implies smp_mb(); (B) */
+
 out:
 	put_page(page);
 	return err;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 046/148] futex: Unbreak futex hashing
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 045/148] futex: Fix inode life-time issue Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 047/148] Revert "vrf: mark skb for multicast or link-local as enslaved to VRF" Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rong Chen, Thomas Gleixner, Linus Torvalds

From: Thomas Gleixner <tglx@linutronix.de>

commit 8d67743653dce5a0e7aa500fcccb237cde7ad88e upstream.

The recent futex inode life time fix changed the ordering of the futex key
union struct members, but forgot to adjust the hash function accordingly,

As a result the hashing omits the leading 64bit and even hashes beyond the
futex key causing a bad hash distribution which led to a ~100% performance
regression.

Hand in the futex key pointer instead of a random struct member and make
the size calculation based of the struct offset.

Fixes: 8019ad13ef7f ("futex: Fix inode life-time issue")
Reported-by: Rong Chen <rong.a.chen@intel.com>
Decoded-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Rong Chen <rong.a.chen@intel.com>
Link: https://lkml.kernel.org/r/87h7yy90ve.fsf@nanos.tec.linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/futex.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -401,9 +401,9 @@ static inline int hb_waiters_pending(str
  */
 static struct futex_hash_bucket *hash_futex(union futex_key *key)
 {
-	u32 hash = jhash2((u32*)&key->both.word,
-			  (sizeof(key->both.word)+sizeof(key->both.ptr))/4,
+	u32 hash = jhash2((u32 *)key, offsetof(typeof(*key), both.offset) / 4,
 			  key->both.offset);
+
 	return &futex_queues[hash & (futex_hashsize - 1)];
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 047/148] Revert "vrf: mark skb for multicast or link-local as enslaved to VRF"
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 046/148] futex: Unbreak futex hashing Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 048/148] Revert "ipv6: Fix handling of LLA with VRF and sockets bound " Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sasha Levin

This reverts commit 2271c9500434af2a26b2c9eadeb3c0b075409fb5.

This patch shouldn't have been backported to 4.14.

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vrf.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index e0cea5c05f0e2..03e4fcdfeab73 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -996,23 +996,24 @@ static struct sk_buff *vrf_ip6_rcv(struct net_device *vrf_dev,
 				   struct sk_buff *skb)
 {
 	int orig_iif = skb->skb_iif;
-	bool need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr);
-	bool is_ndisc = ipv6_ndisc_frame(skb);
+	bool need_strict;
 
-	/* loopback, multicast & non-ND link-local traffic; do not push through
-	 * packet taps again. Reset pkt_type for upper layers to process skb
+	/* loopback traffic; do not push through packet taps again.
+	 * Reset pkt_type for upper layers to process skb
 	 */
-	if (skb->pkt_type == PACKET_LOOPBACK || (need_strict && !is_ndisc)) {
+	if (skb->pkt_type == PACKET_LOOPBACK) {
 		skb->dev = vrf_dev;
 		skb->skb_iif = vrf_dev->ifindex;
 		IP6CB(skb)->flags |= IP6SKB_L3SLAVE;
-		if (skb->pkt_type == PACKET_LOOPBACK)
-			skb->pkt_type = PACKET_HOST;
+		skb->pkt_type = PACKET_HOST;
 		goto out;
 	}
 
-	/* if packet is NDISC then keep the ingress interface */
-	if (!is_ndisc) {
+	/* if packet is NDISC or addressed to multicast or link-local
+	 * then keep the ingress interface
+	 */
+	need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr);
+	if (!ipv6_ndisc_frame(skb) && !need_strict) {
 		vrf_rx_stats(vrf_dev, skb->len);
 		skb->dev = vrf_dev;
 		skb->skb_iif = vrf_dev->ifindex;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 048/148] Revert "ipv6: Fix handling of LLA with VRF and sockets bound to VRF"
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 047/148] Revert "vrf: mark skb for multicast or link-local as enslaved to VRF" Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 049/148] ALSA: hda/realtek: Fix pop noise on ALC225 Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sasha Levin

This reverts commit 0293f8d1bdd21b3eb71032edb5832f9090dea48e.

This patch shouldn't have been backported to 4.14.

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/tcp_ipv6.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 5ec73cf386dfe..7b4ce3f9e2f4e 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -718,7 +718,6 @@ static void tcp_v6_init_req(struct request_sock *req,
 			    const struct sock *sk_listener,
 			    struct sk_buff *skb)
 {
-	bool l3_slave = ipv6_l3mdev_skb(TCP_SKB_CB(skb)->header.h6.flags);
 	struct inet_request_sock *ireq = inet_rsk(req);
 	const struct ipv6_pinfo *np = inet6_sk(sk_listener);
 
@@ -726,7 +725,7 @@ static void tcp_v6_init_req(struct request_sock *req,
 	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
 
 	/* So that link locals have meaning */
-	if ((!sk_listener->sk_bound_dev_if || l3_slave) &&
+	if (!sk_listener->sk_bound_dev_if &&
 	    ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL)
 		ireq->ir_iif = tcp_v6_iif(skb);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 049/148] ALSA: hda/realtek: Fix pop noise on ALC225
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 048/148] Revert "ipv6: Fix handling of LLA with VRF and sockets bound " Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 050/148] arm64: smp: fix smp_send_stop() behaviour Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Takashi Iwai

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 3b36b13d5e69d6f51ff1c55d1b404a74646c9757 upstream.

Commit 317d9313925c ("ALSA: hda/realtek - Set default power save node to
0") makes the ALC225 have pop noise on S3 resume and cold boot.

So partially revert this commit for ALC225 to fix the regression.

Fixes: 317d9313925c ("ALSA: hda/realtek - Set default power save node to 0")
BugLink: https://bugs.launchpad.net/bugs/1866357
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Link: https://lore.kernel.org/r/20200311061328.17614-1-kai.heng.feng@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4687,6 +4687,8 @@ static void alc_determine_headset_type(s
 		is_ctia = (val & 0x1c02) == 0x1c02;
 		break;
 	case 0x10ec0225:
+		codec->power_save_node = 1;
+		/* fall through */
 	case 0x10ec0295:
 	case 0x10ec0299:
 		alc_process_coef_fw(codec, alc225_pre_hsmode);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 050/148] arm64: smp: fix smp_send_stop() behaviour
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 049/148] ALSA: hda/realtek: Fix pop noise on ALC225 Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 051/148] arm64: smp: fix crash_smp_send_stop() behaviour Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Martin, Mark Rutland,
	Cristian Marussi, Will Deacon

From: Cristian Marussi <cristian.marussi@arm.com>

commit d0bab0c39e32d39a8c5cddca72e5b4a3059fe050 upstream.

On a system with only one CPU online, when another one CPU panics while
starting-up, smp_send_stop() will fail to send any STOP message to the
other already online core, resulting in a system still responsive and
alive at the end of the panic procedure.

[  186.700083] CPU3: shutdown
[  187.075462] CPU2: shutdown
[  187.162869] CPU1: shutdown
[  188.689998] ------------[ cut here ]------------
[  188.691645] kernel BUG at arch/arm64/kernel/cpufeature.c:886!
[  188.692079] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[  188.692444] Modules linked in:
[  188.693031] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.6.0-rc4-00001-g338d25c35a98 #104
[  188.693175] Hardware name: Foundation-v8A (DT)
[  188.693492] pstate: 200001c5 (nzCv dAIF -PAN -UAO)
[  188.694183] pc : has_cpuid_feature+0xf0/0x348
[  188.694311] lr : verify_local_elf_hwcaps+0x84/0xe8
[  188.694410] sp : ffff800011b1bf60
[  188.694536] x29: ffff800011b1bf60 x28: 0000000000000000
[  188.694707] x27: 0000000000000000 x26: 0000000000000000
[  188.694801] x25: 0000000000000000 x24: ffff80001189a25c
[  188.694905] x23: 0000000000000000 x22: 0000000000000000
[  188.694996] x21: ffff8000114aa018 x20: ffff800011156a38
[  188.695089] x19: ffff800010c944a0 x18: 0000000000000004
[  188.695187] x17: 0000000000000000 x16: 0000000000000000
[  188.695280] x15: 0000249dbde5431e x14: 0262cbe497efa1fa
[  188.695371] x13: 0000000000000002 x12: 0000000000002592
[  188.695472] x11: 0000000000000080 x10: 00400032b5503510
[  188.695572] x9 : 0000000000000000 x8 : ffff800010c80204
[  188.695659] x7 : 00000000410fd0f0 x6 : 0000000000000001
[  188.695750] x5 : 00000000410fd0f0 x4 : 0000000000000000
[  188.695836] x3 : 0000000000000000 x2 : ffff8000100939d8
[  188.695919] x1 : 0000000000180420 x0 : 0000000000180480
[  188.696253] Call trace:
[  188.696410]  has_cpuid_feature+0xf0/0x348
[  188.696504]  verify_local_elf_hwcaps+0x84/0xe8
[  188.696591]  check_local_cpu_capabilities+0x44/0x128
[  188.696666]  secondary_start_kernel+0xf4/0x188
[  188.697150] Code: 52805001 72a00301 6b01001f 54000ec0 (d4210000)
[  188.698639] ---[ end trace 3f12ca47652f7b72 ]---
[  188.699160] Kernel panic - not syncing: Attempted to kill the idle task!
[  188.699546] Kernel Offset: disabled
[  188.699828] CPU features: 0x00004,20c02008
[  188.700012] Memory Limit: none
[  188.700538] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---

[root@arch ~]# echo Helo
Helo
[root@arch ~]# cat /proc/cpuinfo | grep proce
processor	: 0

Make smp_send_stop() account also for the online status of the calling CPU
while evaluating how many CPUs are effectively online: this way, the right
number of STOPs is sent, so enforcing a proper freeze of the system at the
end of panic even under the above conditions.

Fixes: 08e875c16a16c ("arm64: SMP support")
Reported-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/smp.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -913,11 +913,22 @@ void tick_broadcast(const struct cpumask
 }
 #endif
 
+/*
+ * The number of CPUs online, not counting this CPU (which may not be
+ * fully online and so not counted in num_online_cpus()).
+ */
+static inline unsigned int num_other_online_cpus(void)
+{
+	unsigned int this_cpu_online = cpu_online(smp_processor_id());
+
+	return num_online_cpus() - this_cpu_online;
+}
+
 void smp_send_stop(void)
 {
 	unsigned long timeout;
 
-	if (num_online_cpus() > 1) {
+	if (num_other_online_cpus()) {
 		cpumask_t mask;
 
 		cpumask_copy(&mask, cpu_online_mask);
@@ -930,10 +941,10 @@ void smp_send_stop(void)
 
 	/* Wait up to one second for other CPUs to stop */
 	timeout = USEC_PER_SEC;
-	while (num_online_cpus() > 1 && timeout--)
+	while (num_other_online_cpus() && timeout--)
 		udelay(1);
 
-	if (num_online_cpus() > 1)
+	if (num_other_online_cpus())
 		pr_warning("SMP: failed to stop secondary CPUs %*pbl\n",
 			   cpumask_pr_args(cpu_online_mask));
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 051/148] arm64: smp: fix crash_smp_send_stop() behaviour
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 050/148] arm64: smp: fix smp_send_stop() behaviour Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 052/148] drm/bridge: dw-hdmi: fix AVI frame colorimetry Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Cristian Marussi, Will Deacon

From: Cristian Marussi <cristian.marussi@arm.com>

commit f50b7dacccbab2b9e3ef18f52a6dcc18ed2050b9 upstream.

On a system configured to trigger a crash_kexec() reboot, when only one CPU
is online and another CPU panics while starting-up, crash_smp_send_stop()
will fail to send any STOP message to the other already online core,
resulting in fail to freeze and registers not properly saved.

Moreover even if the proper messages are sent (case CPUs > 2)
it will similarly fail to account for the booting CPU when executing
the final stop wait-loop, so potentially resulting in some CPU not
been waited for shutdown before rebooting.

A tangible effect of this behaviour can be observed when, after a panic
with kexec enabled and loaded, on the following reboot triggered by kexec,
the cpu that could not be successfully stopped fails to come back online:

[  362.291022] ------------[ cut here ]------------
[  362.291525] kernel BUG at arch/arm64/kernel/cpufeature.c:886!
[  362.292023] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[  362.292400] Modules linked in:
[  362.292970] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted 5.6.0-rc4-00003-gc780b890948a #105
[  362.293136] Hardware name: Foundation-v8A (DT)
[  362.293382] pstate: 200001c5 (nzCv dAIF -PAN -UAO)
[  362.294063] pc : has_cpuid_feature+0xf0/0x348
[  362.294177] lr : verify_local_elf_hwcaps+0x84/0xe8
[  362.294280] sp : ffff800011b1bf60
[  362.294362] x29: ffff800011b1bf60 x28: 0000000000000000
[  362.294534] x27: 0000000000000000 x26: 0000000000000000
[  362.294631] x25: 0000000000000000 x24: ffff80001189a25c
[  362.294718] x23: 0000000000000000 x22: 0000000000000000
[  362.294803] x21: ffff8000114aa018 x20: ffff800011156a00
[  362.294897] x19: ffff800010c944a0 x18: 0000000000000004
[  362.294987] x17: 0000000000000000 x16: 0000000000000000
[  362.295073] x15: 00004e53b831ae3c x14: 00004e53b831ae3c
[  362.295165] x13: 0000000000000384 x12: 0000000000000000
[  362.295251] x11: 0000000000000000 x10: 00400032b5503510
[  362.295334] x9 : 0000000000000000 x8 : ffff800010c7e204
[  362.295426] x7 : 00000000410fd0f0 x6 : 0000000000000001
[  362.295508] x5 : 00000000410fd0f0 x4 : 0000000000000000
[  362.295592] x3 : 0000000000000000 x2 : ffff8000100939d8
[  362.295683] x1 : 0000000000180420 x0 : 0000000000180480
[  362.296011] Call trace:
[  362.296257]  has_cpuid_feature+0xf0/0x348
[  362.296350]  verify_local_elf_hwcaps+0x84/0xe8
[  362.296424]  check_local_cpu_capabilities+0x44/0x128
[  362.296497]  secondary_start_kernel+0xf4/0x188
[  362.296998] Code: 52805001 72a00301 6b01001f 54000ec0 (d4210000)
[  362.298652] SMP: stopping secondary CPUs
[  362.300615] Starting crashdump kernel...
[  362.301168] Bye!
[    0.000000] Booting Linux on physical CPU 0x0000000003 [0x410fd0f0]
[    0.000000] Linux version 5.6.0-rc4-00003-gc780b890948a (crimar01@e120937-lin) (gcc version 8.3.0 (GNU Toolchain for the A-profile Architecture 8.3-2019.03 (arm-rel-8.36))) #105 SMP PREEMPT Fri Mar 6 17:00:42 GMT 2020
[    0.000000] Machine model: Foundation-v8A
[    0.000000] earlycon: pl11 at MMIO 0x000000001c090000 (options '')
[    0.000000] printk: bootconsole [pl11] enabled
.....
[    0.138024] rcu: Hierarchical SRCU implementation.
[    0.153472] its@2f020000: unable to locate ITS domain
[    0.154078] its@2f020000: Unable to locate ITS domain
[    0.157541] EFI services will not be available.
[    0.175395] smp: Bringing up secondary CPUs ...
[    0.209182] psci: failed to boot CPU1 (-22)
[    0.209377] CPU1: failed to boot: -22
[    0.274598] Detected PIPT I-cache on CPU2
[    0.278707] GICv3: CPU2: found redistributor 1 region 0:0x000000002f120000
[    0.285212] CPU2: Booted secondary processor 0x0000000001 [0x410fd0f0]
[    0.369053] Detected PIPT I-cache on CPU3
[    0.372947] GICv3: CPU3: found redistributor 2 region 0:0x000000002f140000
[    0.378664] CPU3: Booted secondary processor 0x0000000002 [0x410fd0f0]
[    0.401707] smp: Brought up 1 node, 3 CPUs
[    0.404057] SMP: Total of 3 processors activated.

Make crash_smp_send_stop() account also for the online status of the
calling CPU while evaluating how many CPUs are effectively online: this way
the right number of STOPs is sent and all other stopped-cores's registers
are properly saved.

Fixes: 78fd584cdec05 ("arm64: kdump: implement machine_crash_shutdown()")
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/smp.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -965,13 +965,17 @@ void crash_smp_send_stop(void)
 
 	cpus_stopped = 1;
 
-	if (num_online_cpus() == 1)
+	/*
+	 * If this cpu is the only one alive at this point in time, online or
+	 * not, there are no stop messages to be sent around, so just back out.
+	 */
+	if (num_other_online_cpus() == 0)
 		return;
 
 	cpumask_copy(&mask, cpu_online_mask);
 	cpumask_clear_cpu(smp_processor_id(), &mask);
 
-	atomic_set(&waiting_for_crash_ipi, num_online_cpus() - 1);
+	atomic_set(&waiting_for_crash_ipi, num_other_online_cpus());
 
 	pr_crit("SMP: stopping secondary CPUs\n");
 	smp_cross_call(&mask, IPI_CPU_CRASH_STOP);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 052/148] drm/bridge: dw-hdmi: fix AVI frame colorimetry
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 051/148] arm64: smp: fix crash_smp_send_stop() behaviour Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 053/148] staging: greybus: loopback_test: fix potential path truncation Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Laurent Pinchart, Jernej Skrabec

From: Jernej Skrabec <jernej.skrabec@siol.net>

commit e8dca30f7118461d47e1c3510d0e31b277439151 upstream.

CTA-861-F explicitly states that for RGB colorspace colorimetry should
be set to "none". Fix that.

Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Fixes: def23aa7e982 ("drm: bridge: dw-hdmi: Switch to V4L bus format and encodings")
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304232512.51616-2-jernej.skrabec@siol.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c |   46 ++++++++++++++++--------------
 1 file changed, 26 insertions(+), 20 deletions(-)

--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
@@ -1348,28 +1348,34 @@ static void hdmi_config_AVI(struct dw_hd
 		frame.colorspace = HDMI_COLORSPACE_RGB;
 
 	/* Set up colorimetry */
-	switch (hdmi->hdmi_data.enc_out_encoding) {
-	case V4L2_YCBCR_ENC_601:
-		if (hdmi->hdmi_data.enc_in_encoding == V4L2_YCBCR_ENC_XV601)
-			frame.colorimetry = HDMI_COLORIMETRY_EXTENDED;
-		else
+	if (!hdmi_bus_fmt_is_rgb(hdmi->hdmi_data.enc_out_bus_format)) {
+		switch (hdmi->hdmi_data.enc_out_encoding) {
+		case V4L2_YCBCR_ENC_601:
+			if (hdmi->hdmi_data.enc_in_encoding == V4L2_YCBCR_ENC_XV601)
+				frame.colorimetry = HDMI_COLORIMETRY_EXTENDED;
+			else
+				frame.colorimetry = HDMI_COLORIMETRY_ITU_601;
+			frame.extended_colorimetry =
+					HDMI_EXTENDED_COLORIMETRY_XV_YCC_601;
+			break;
+		case V4L2_YCBCR_ENC_709:
+			if (hdmi->hdmi_data.enc_in_encoding == V4L2_YCBCR_ENC_XV709)
+				frame.colorimetry = HDMI_COLORIMETRY_EXTENDED;
+			else
+				frame.colorimetry = HDMI_COLORIMETRY_ITU_709;
+			frame.extended_colorimetry =
+					HDMI_EXTENDED_COLORIMETRY_XV_YCC_709;
+			break;
+		default: /* Carries no data */
 			frame.colorimetry = HDMI_COLORIMETRY_ITU_601;
+			frame.extended_colorimetry =
+					HDMI_EXTENDED_COLORIMETRY_XV_YCC_601;
+			break;
+		}
+	} else {
+		frame.colorimetry = HDMI_COLORIMETRY_NONE;
 		frame.extended_colorimetry =
-				HDMI_EXTENDED_COLORIMETRY_XV_YCC_601;
-		break;
-	case V4L2_YCBCR_ENC_709:
-		if (hdmi->hdmi_data.enc_in_encoding == V4L2_YCBCR_ENC_XV709)
-			frame.colorimetry = HDMI_COLORIMETRY_EXTENDED;
-		else
-			frame.colorimetry = HDMI_COLORIMETRY_ITU_709;
-		frame.extended_colorimetry =
-				HDMI_EXTENDED_COLORIMETRY_XV_YCC_709;
-		break;
-	default: /* Carries no data */
-		frame.colorimetry = HDMI_COLORIMETRY_ITU_601;
-		frame.extended_colorimetry =
-				HDMI_EXTENDED_COLORIMETRY_XV_YCC_601;
-		break;
+			HDMI_EXTENDED_COLORIMETRY_XV_YCC_601;
 	}
 
 	frame.scan_mode = HDMI_SCAN_MODE_NONE;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 053/148] staging: greybus: loopback_test: fix potential path truncation
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 052/148] drm/bridge: dw-hdmi: fix AVI frame colorimetry Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 054/148] staging: greybus: loopback_test: fix potential path truncations Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit f16023834863932f95dfad13fac3fc47f77d2f29 upstream.

Newer GCC warns about a possible truncation of a generated sysfs path
name as we're concatenating a directory path with a file name and
placing the result in a buffer that is half the size of the maximum
length of the directory path (which is user controlled).

loopback_test.c: In function 'open_poll_files':
loopback_test.c:651:31: warning: '%s' directive output may be truncated writing up to 511 bytes into a region of size 255 [-Wformat-truncation=]
  651 |   snprintf(buf, sizeof(buf), "%s%s", dev->sysfs_entry, "iteration_count");
      |                               ^~
loopback_test.c:651:3: note: 'snprintf' output between 16 and 527 bytes into a destination of size 255
  651 |   snprintf(buf, sizeof(buf), "%s%s", dev->sysfs_entry, "iteration_count");
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fix this by making sure the buffer is large enough the concatenated
strings.

Fixes: 6b0658f68786 ("greybus: tools: Add tools directory to greybus repo and add loopback")
Fixes: 9250c0ee2626 ("greybus: Loopback_test: use poll instead of inotify")
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20200312110151.22028-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/greybus/tools/loopback_test.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/greybus/tools/loopback_test.c
+++ b/drivers/staging/greybus/tools/loopback_test.c
@@ -644,7 +644,7 @@ baddir:
 static int open_poll_files(struct loopback_test *t)
 {
 	struct loopback_device *dev;
-	char buf[MAX_STR_LEN];
+	char buf[MAX_SYSFS_PATH + MAX_STR_LEN];
 	char dummy;
 	int fds_idx = 0;
 	int i;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 054/148] staging: greybus: loopback_test: fix potential path truncations
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 053/148] staging: greybus: loopback_test: fix potential path truncation Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 055/148] Revert "drm/dp_mst: Skip validating ports during destruction, just ref" Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit ae62cf5eb2792d9a818c2d93728ed92119357017 upstream.

Newer GCC warns about possible truncations of two generated path names as
we're concatenating the configurable sysfs and debugfs path prefixes
with a filename and placing the results in buffers of the same size as
the maximum length of the prefixes.

	snprintf(d->name, MAX_STR_LEN, "gb_loopback%u", dev_id);

	snprintf(d->sysfs_entry, MAX_SYSFS_PATH, "%s%s/",
		 t->sysfs_prefix, d->name);

	snprintf(d->debugfs_entry, MAX_SYSFS_PATH, "%sraw_latency_%s",
		 t->debugfs_prefix, d->name);

Fix this by separating the maximum path length from the maximum prefix
length and reducing the latter enough to fit the generated strings.

Note that we also need to reduce the device-name buffer size as GCC
isn't smart enough to figure out that we ever only used MAX_STR_LEN
bytes of it.

Fixes: 6b0658f68786 ("greybus: tools: Add tools directory to greybus repo and add loopback")
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20200312110151.22028-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/greybus/tools/loopback_test.c |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/staging/greybus/tools/loopback_test.c
+++ b/drivers/staging/greybus/tools/loopback_test.c
@@ -20,6 +20,7 @@
 #include <signal.h>
 
 #define MAX_NUM_DEVICES 10
+#define MAX_SYSFS_PREFIX 0x80
 #define MAX_SYSFS_PATH	0x200
 #define CSV_MAX_LINE	0x1000
 #define SYSFS_MAX_INT	0x20
@@ -68,7 +69,7 @@ struct loopback_results {
 };
 
 struct loopback_device {
-	char name[MAX_SYSFS_PATH];
+	char name[MAX_STR_LEN];
 	char sysfs_entry[MAX_SYSFS_PATH];
 	char debugfs_entry[MAX_SYSFS_PATH];
 	struct loopback_results results;
@@ -94,8 +95,8 @@ struct loopback_test {
 	int stop_all;
 	int poll_count;
 	char test_name[MAX_STR_LEN];
-	char sysfs_prefix[MAX_SYSFS_PATH];
-	char debugfs_prefix[MAX_SYSFS_PATH];
+	char sysfs_prefix[MAX_SYSFS_PREFIX];
+	char debugfs_prefix[MAX_SYSFS_PREFIX];
 	struct timespec poll_timeout;
 	struct loopback_device devices[MAX_NUM_DEVICES];
 	struct loopback_results aggregate_results;
@@ -914,10 +915,10 @@ int main(int argc, char *argv[])
 			t.iteration_max = atoi(optarg);
 			break;
 		case 'S':
-			snprintf(t.sysfs_prefix, MAX_SYSFS_PATH, "%s", optarg);
+			snprintf(t.sysfs_prefix, MAX_SYSFS_PREFIX, "%s", optarg);
 			break;
 		case 'D':
-			snprintf(t.debugfs_prefix, MAX_SYSFS_PATH, "%s", optarg);
+			snprintf(t.debugfs_prefix, MAX_SYSFS_PREFIX, "%s", optarg);
 			break;
 		case 'm':
 			t.mask = atol(optarg);
@@ -968,10 +969,10 @@ int main(int argc, char *argv[])
 	}
 
 	if (!strcmp(t.sysfs_prefix, ""))
-		snprintf(t.sysfs_prefix, MAX_SYSFS_PATH, "%s", sysfs_prefix);
+		snprintf(t.sysfs_prefix, MAX_SYSFS_PREFIX, "%s", sysfs_prefix);
 
 	if (!strcmp(t.debugfs_prefix, ""))
-		snprintf(t.debugfs_prefix, MAX_SYSFS_PATH, "%s", debugfs_prefix);
+		snprintf(t.debugfs_prefix, MAX_SYSFS_PREFIX, "%s", debugfs_prefix);
 
 	ret = find_loopback_devices(&t);
 	if (ret)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 055/148] Revert "drm/dp_mst: Skip validating ports during destruction, just ref"
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 054/148] staging: greybus: loopback_test: fix potential path truncations Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 056/148] hsr: fix general protection fault in hsr_addr_is_self() Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lyude Paul, Daniel Vetter, Sean Paul,
	Jerry Zuo, Harry Wentland, Guenter Roeck

From: Lyude Paul <lyude@redhat.com>

commit 9765635b30756eb74e05e260ac812659c296cd28 upstream.

This reverts commit:

c54c7374ff44 ("drm/dp_mst: Skip validating ports during destruction, just ref")

ugh.

In drm_dp_destroy_connector_work(), we have a pretty good chance of
freeing the actual struct drm_dp_mst_port. However, after destroying
things we send a hotplug through (*mgr->cbs->hotplug)(mgr) which is
where the problems start.

For i915, this calls all the way down to the fbcon probing helpers,
which start trying to access the port in a modeset.

[   45.062001] ==================================================================
[   45.062112] BUG: KASAN: use-after-free in ex_handler_refcount+0x146/0x180
[   45.062196] Write of size 4 at addr ffff8882b4b70968 by task kworker/3:1/53

[   45.062325] CPU: 3 PID: 53 Comm: kworker/3:1 Kdump: loaded Tainted: G           O      4.20.0-rc4Lyude-Test+ #3
[   45.062442] Hardware name: LENOVO 20BWS1KY00/20BWS1KY00, BIOS JBET71WW (1.35 ) 09/14/2018
[   45.062554] Workqueue: events drm_dp_destroy_connector_work [drm_kms_helper]
[   45.062641] Call Trace:
[   45.062685]  dump_stack+0xbd/0x15a
[   45.062735]  ? dump_stack_print_info.cold.0+0x1b/0x1b
[   45.062801]  ? printk+0x9f/0xc5
[   45.062847]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   45.062909]  ? ex_handler_refcount+0x146/0x180
[   45.062970]  print_address_description+0x71/0x239
[   45.063036]  ? ex_handler_refcount+0x146/0x180
[   45.063095]  kasan_report.cold.5+0x242/0x30b
[   45.063155]  __asan_report_store4_noabort+0x1c/0x20
[   45.063313]  ex_handler_refcount+0x146/0x180
[   45.063371]  ? ex_handler_clear_fs+0xb0/0xb0
[   45.063428]  fixup_exception+0x98/0xd7
[   45.063484]  ? raw_notifier_call_chain+0x20/0x20
[   45.063548]  do_trap+0x6d/0x210
[   45.063605]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.063732]  do_error_trap+0xc0/0x170
[   45.063802]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.063929]  do_invalid_op+0x3b/0x50
[   45.063997]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.064103]  invalid_op+0x14/0x20
[   45.064162] RIP: 0010:_GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.064274] Code: 00 48 c7 c7 80 fe 53 a0 48 89 e5 e8 5b 6f 26 e1 5d c3 48 8d 0e 0f 0b 48 8d 0b 0f 0b 48 8d 0f 0f 0b 48 8d 0f 0f 0b 49 8d 4d 00 <0f> 0b 49 8d 0e 0f 0b 48 8d 08 0f 0b 49 8d 4d 00 0f 0b 48 8d 0b 0f
[   45.064569] RSP: 0018:ffff8882b789ee10 EFLAGS: 00010282
[   45.064637] RAX: ffff8882af47ae70 RBX: ffff8882af47aa60 RCX: ffff8882b4b70968
[   45.064723] RDX: ffff8882af47ae70 RSI: 0000000000000008 RDI: ffff8882b788bdb8
[   45.064808] RBP: ffff8882b789ee28 R08: ffffed1056f13db4 R09: ffffed1056f13db3
[   45.064894] R10: ffffed1056f13db3 R11: ffff8882b789ed9f R12: ffff8882af47ad28
[   45.064980] R13: ffff8882b4b70968 R14: ffff8882acd86728 R15: ffff8882b4b75dc8
[   45.065084]  drm_dp_mst_reset_vcpi_slots+0x12/0x80 [drm_kms_helper]
[   45.065225]  intel_mst_disable_dp+0xda/0x180 [i915]
[   45.065361]  intel_encoders_disable.isra.107+0x197/0x310 [i915]
[   45.065498]  haswell_crtc_disable+0xbe/0x400 [i915]
[   45.065622]  ? i9xx_disable_plane+0x1c0/0x3e0 [i915]
[   45.065750]  intel_atomic_commit_tail+0x74e/0x3e60 [i915]
[   45.065884]  ? intel_pre_plane_update+0xbc0/0xbc0 [i915]
[   45.065968]  ? drm_atomic_helper_swap_state+0x88b/0x1d90 [drm_kms_helper]
[   45.066054]  ? kasan_check_write+0x14/0x20
[   45.066165]  ? i915_gem_track_fb+0x13a/0x330 [i915]
[   45.066277]  ? i915_sw_fence_complete+0xe9/0x140 [i915]
[   45.066406]  ? __i915_sw_fence_complete+0xc50/0xc50 [i915]
[   45.066540]  intel_atomic_commit+0x72e/0xef0 [i915]
[   45.066635]  ? drm_dev_dbg+0x200/0x200 [drm]
[   45.066764]  ? intel_atomic_commit_tail+0x3e60/0x3e60 [i915]
[   45.066898]  ? intel_atomic_commit_tail+0x3e60/0x3e60 [i915]
[   45.067001]  drm_atomic_commit+0xc4/0xf0 [drm]
[   45.067074]  restore_fbdev_mode_atomic+0x562/0x780 [drm_kms_helper]
[   45.067166]  ? drm_fb_helper_debug_leave+0x690/0x690 [drm_kms_helper]
[   45.067249]  ? kasan_check_read+0x11/0x20
[   45.067324]  restore_fbdev_mode+0x127/0x4b0 [drm_kms_helper]
[   45.067364]  ? kasan_check_read+0x11/0x20
[   45.067406]  drm_fb_helper_restore_fbdev_mode_unlocked+0x164/0x200 [drm_kms_helper]
[   45.067462]  ? drm_fb_helper_hotplug_event+0x30/0x30 [drm_kms_helper]
[   45.067508]  ? kasan_check_write+0x14/0x20
[   45.070360]  ? mutex_unlock+0x22/0x40
[   45.073748]  drm_fb_helper_set_par+0xb2/0xf0 [drm_kms_helper]
[   45.075846]  drm_fb_helper_hotplug_event.part.33+0x1cd/0x290 [drm_kms_helper]
[   45.078088]  drm_fb_helper_hotplug_event+0x1c/0x30 [drm_kms_helper]
[   45.082614]  intel_fbdev_output_poll_changed+0x9f/0x140 [i915]
[   45.087069]  drm_kms_helper_hotplug_event+0x67/0x90 [drm_kms_helper]
[   45.089319]  intel_dp_mst_hotplug+0x37/0x50 [i915]
[   45.091496]  drm_dp_destroy_connector_work+0x510/0x6f0 [drm_kms_helper]
[   45.093675]  ? drm_dp_update_payload_part1+0x1220/0x1220 [drm_kms_helper]
[   45.095851]  ? kasan_check_write+0x14/0x20
[   45.098473]  ? kasan_check_read+0x11/0x20
[   45.101155]  ? strscpy+0x17c/0x530
[   45.103808]  ? __switch_to_asm+0x34/0x70
[   45.106456]  ? syscall_return_via_sysret+0xf/0x7f
[   45.109711]  ? read_word_at_a_time+0x20/0x20
[   45.113138]  ? __switch_to_asm+0x40/0x70
[   45.116529]  ? __switch_to_asm+0x34/0x70
[   45.119891]  ? __switch_to_asm+0x40/0x70
[   45.123224]  ? __switch_to_asm+0x34/0x70
[   45.126540]  ? __switch_to_asm+0x34/0x70
[   45.129824]  process_one_work+0x88d/0x15d0
[   45.133172]  ? pool_mayday_timeout+0x850/0x850
[   45.136459]  ? pci_mmcfg_check_reserved+0x110/0x128
[   45.139739]  ? wake_q_add+0xb0/0xb0
[   45.143010]  ? check_preempt_wakeup+0x652/0x1050
[   45.146304]  ? worker_enter_idle+0x29e/0x740
[   45.149589]  ? __schedule+0x1ec0/0x1ec0
[   45.152937]  ? kasan_check_read+0x11/0x20
[   45.156179]  ? _raw_spin_lock_irq+0xa3/0x130
[   45.159382]  ? _raw_read_unlock_irqrestore+0x30/0x30
[   45.162542]  ? kasan_check_write+0x14/0x20
[   45.165657]  worker_thread+0x1a5/0x1470
[   45.168725]  ? set_load_weight+0x2e0/0x2e0
[   45.171755]  ? process_one_work+0x15d0/0x15d0
[   45.174806]  ? __switch_to_asm+0x34/0x70
[   45.177645]  ? __switch_to_asm+0x40/0x70
[   45.180323]  ? __switch_to_asm+0x34/0x70
[   45.182936]  ? __switch_to_asm+0x40/0x70
[   45.185539]  ? __switch_to_asm+0x34/0x70
[   45.188100]  ? __switch_to_asm+0x40/0x70
[   45.190628]  ? __schedule+0x7d4/0x1ec0
[   45.193143]  ? save_stack+0xa9/0xd0
[   45.195632]  ? kasan_check_write+0x10/0x20
[   45.198162]  ? kasan_kmalloc+0xc4/0xe0
[   45.200609]  ? kmem_cache_alloc_trace+0xdd/0x190
[   45.203046]  ? kthread+0x9f/0x3b0
[   45.205470]  ? ret_from_fork+0x35/0x40
[   45.207876]  ? unwind_next_frame+0x43/0x50
[   45.210273]  ? __save_stack_trace+0x82/0x100
[   45.212658]  ? deactivate_slab.isra.67+0x3d4/0x580
[   45.215026]  ? default_wake_function+0x35/0x50
[   45.217399]  ? kasan_check_read+0x11/0x20
[   45.219825]  ? _raw_spin_lock_irqsave+0xae/0x140
[   45.222174]  ? __lock_text_start+0x8/0x8
[   45.224521]  ? replenish_dl_entity.cold.62+0x4f/0x4f
[   45.226868]  ? __kthread_parkme+0x87/0xf0
[   45.229200]  kthread+0x2f7/0x3b0
[   45.231557]  ? process_one_work+0x15d0/0x15d0
[   45.233923]  ? kthread_park+0x120/0x120
[   45.236249]  ret_from_fork+0x35/0x40

[   45.240875] Allocated by task 242:
[   45.243136]  save_stack+0x43/0xd0
[   45.245385]  kasan_kmalloc+0xc4/0xe0
[   45.247597]  kmem_cache_alloc_trace+0xdd/0x190
[   45.249793]  drm_dp_add_port+0x1e0/0x2170 [drm_kms_helper]
[   45.252000]  drm_dp_send_link_address+0x4a7/0x740 [drm_kms_helper]
[   45.254389]  drm_dp_check_and_send_link_address+0x1a7/0x210 [drm_kms_helper]
[   45.256803]  drm_dp_mst_link_probe_work+0x6f/0xb0 [drm_kms_helper]
[   45.259200]  process_one_work+0x88d/0x15d0
[   45.261597]  worker_thread+0x1a5/0x1470
[   45.264038]  kthread+0x2f7/0x3b0
[   45.266371]  ret_from_fork+0x35/0x40

[   45.270937] Freed by task 53:
[   45.273170]  save_stack+0x43/0xd0
[   45.275382]  __kasan_slab_free+0x139/0x190
[   45.277604]  kasan_slab_free+0xe/0x10
[   45.279826]  kfree+0x99/0x1b0
[   45.282044]  drm_dp_free_mst_port+0x4a/0x60 [drm_kms_helper]
[   45.284330]  drm_dp_destroy_connector_work+0x43e/0x6f0 [drm_kms_helper]
[   45.286660]  process_one_work+0x88d/0x15d0
[   45.288934]  worker_thread+0x1a5/0x1470
[   45.291231]  kthread+0x2f7/0x3b0
[   45.293547]  ret_from_fork+0x35/0x40

[   45.298206] The buggy address belongs to the object at ffff8882b4b70968
                which belongs to the cache kmalloc-2k of size 2048
[   45.303047] The buggy address is located 0 bytes inside of
                2048-byte region [ffff8882b4b70968, ffff8882b4b71168)
[   45.308010] The buggy address belongs to the page:
[   45.310477] page:ffffea000ad2dc00 count:1 mapcount:0 mapping:ffff8882c080cf40 index:0x0 compound_mapcount: 0
[   45.313051] flags: 0x8000000000010200(slab|head)
[   45.315635] raw: 8000000000010200 ffffea000aac2808 ffffea000abe8608 ffff8882c080cf40
[   45.318300] raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
[   45.320966] page dumped because: kasan: bad access detected

[   45.326312] Memory state around the buggy address:
[   45.329085]  ffff8882b4b70800: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.331845]  ffff8882b4b70880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.334584] >ffff8882b4b70900: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
[   45.337302]                                                           ^
[   45.340061]  ffff8882b4b70980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.342910]  ffff8882b4b70a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.345748] ==================================================================

So, this definitely isn't a fix that we want. This being said; there's
no real easy fix for this problem because of some of the catch-22's of
the MST helpers current design. For starters; we always need to validate
a port with drm_dp_get_validated_port_ref(), but validation relies on
the lifetime of the port in the actual topology. So once the port is
gone, it can't be validated again.

If we were to try to make the payload helpers not use port validation,
then we'd cause another problem: if the port isn't validated, it could
be freed and we'd just start causing more KASAN issues. There are
already hacks that attempt to workaround this in
drm_dp_mst_destroy_connector_work() by re-initializing the kref so that
it can be used again and it's memory can be freed once the VCPI helpers
finish removing the port's respective payloads. But none of these really
do anything helpful since the port still can't be validated since it's
gone from the topology. Also, that workaround is immensely confusing to
read through.

What really needs to be done in order to fix this is to teach DRM how to
track the lifetime of the structs for MST ports and branch devices
separately from their lifetime in the actual topology. Simply put; this
means having two different krefs-one that removes the port/branch device
from the topology, and one that finally calls kfree(). This would let us
simplify things, since we'd now be able to keep ports around without
having to keep them in the topology at the same time, which is exactly
what we need in order to teach our VCPI helpers to only validate ports
when it's actually necessary without running the risk of trying to use
unallocated memory.

Such a fix is on it's way, but for now let's play it safe and just
revert this. If this bug has been around for well over a year, we can
wait a little while to get an actual proper fix here.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Fixes: c54c7374ff44 ("drm/dp_mst: Skip validating ports during destruction, just ref")
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Sean Paul <sean@poorly.run>
Cc: Jerry Zuo <Jerry.Zuo@amd.com>
Cc: Harry Wentland <Harry.Wentland@amd.com>
Cc: stable@vger.kernel.org # v4.6+
Acked-by: Sean Paul <sean@poorly.run>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128210005.24434-1-lyude@redhat.com
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_dp_mst_topology.c |   15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -982,20 +982,9 @@ static struct drm_dp_mst_port *drm_dp_ms
 static struct drm_dp_mst_port *drm_dp_get_validated_port_ref(struct drm_dp_mst_topology_mgr *mgr, struct drm_dp_mst_port *port)
 {
 	struct drm_dp_mst_port *rport = NULL;
-
 	mutex_lock(&mgr->lock);
-	/*
-	 * Port may or may not be 'valid' but we don't care about that when
-	 * destroying the port and we are guaranteed that the port pointer
-	 * will be valid until we've finished
-	 */
-	if (current_work() == &mgr->destroy_connector_work) {
-		kref_get(&port->kref);
-		rport = port;
-	} else if (mgr->mst_primary) {
-		rport = drm_dp_mst_get_port_ref_locked(mgr->mst_primary,
-						       port);
-	}
+	if (mgr->mst_primary)
+		rport = drm_dp_mst_get_port_ref_locked(mgr->mst_primary, port);
 	mutex_unlock(&mgr->lock);
 	return rport;
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 056/148] hsr: fix general protection fault in hsr_addr_is_self()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 055/148] Revert "drm/dp_mst: Skip validating ports during destruction, just ref" Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 057/148] macsec: restrict to ethernet devices Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+fcf5dd39282ceb27108d,
	Taehee Yoo, David S. Miller

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit 3a303cfdd28d5f930a307c82e8a9d996394d5ebd ]

The port->hsr is used in the hsr_handle_frame(), which is a
callback of rx_handler.
hsr master and slaves are initialized in hsr_add_port().
This function initializes several pointers, which includes port->hsr after
registering rx_handler.
So, in the rx_handler routine, un-initialized pointer would be used.
In order to fix this, pointers should be initialized before
registering rx_handler.

Test commands:
    ip netns del left
    ip netns del right
    modprobe -rv veth
    modprobe -rv hsr
    killall ping
    modprobe hsr
    ip netns add left
    ip netns add right
    ip link add veth0 type veth peer name veth1
    ip link add veth2 type veth peer name veth3
    ip link add veth4 type veth peer name veth5
    ip link set veth1 netns left
    ip link set veth3 netns right
    ip link set veth4 netns left
    ip link set veth5 netns right
    ip link set veth0 up
    ip link set veth2 up
    ip link set veth0 address fc:00:00:00:00:01
    ip link set veth2 address fc:00:00:00:00:02
    ip netns exec left ip link set veth1 up
    ip netns exec left ip link set veth4 up
    ip netns exec right ip link set veth3 up
    ip netns exec right ip link set veth5 up
    ip link add hsr0 type hsr slave1 veth0 slave2 veth2
    ip a a 192.168.100.1/24 dev hsr0
    ip link set hsr0 up
    ip netns exec left ip link add hsr1 type hsr slave1 veth1 slave2 veth4
    ip netns exec left ip a a 192.168.100.2/24 dev hsr1
    ip netns exec left ip link set hsr1 up
    ip netns exec left ip n a 192.168.100.1 dev hsr1 lladdr \
	    fc:00:00:00:00:01 nud permanent
    ip netns exec left ip n r 192.168.100.1 dev hsr1 lladdr \
	    fc:00:00:00:00:01 nud permanent
    for i in {1..100}
    do
        ip netns exec left ping 192.168.100.1 &
    done
    ip netns exec left hping3 192.168.100.1 -2 --flood &
    ip netns exec right ip link add hsr2 type hsr slave1 veth3 slave2 veth5
    ip netns exec right ip a a 192.168.100.3/24 dev hsr2
    ip netns exec right ip link set hsr2 up
    ip netns exec right ip n a 192.168.100.1 dev hsr2 lladdr \
	    fc:00:00:00:00:02 nud permanent
    ip netns exec right ip n r 192.168.100.1 dev hsr2 lladdr \
	    fc:00:00:00:00:02 nud permanent
    for i in {1..100}
    do
        ip netns exec right ping 192.168.100.1 &
    done
    ip netns exec right hping3 192.168.100.1 -2 --flood &
    while :
    do
        ip link add hsr0 type hsr slave1 veth0 slave2 veth2
	ip a a 192.168.100.1/24 dev hsr0
	ip link set hsr0 up
	ip link del hsr0
    done

Splat looks like:
[  120.954938][    C0] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1]I
[  120.957761][    C0] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[  120.959064][    C0] CPU: 0 PID: 1511 Comm: hping3 Not tainted 5.6.0-rc5+ #460
[  120.960054][    C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  120.962261][    C0] RIP: 0010:hsr_addr_is_self+0x65/0x2a0 [hsr]
[  120.963149][    C0] Code: 44 24 18 70 73 2f c0 48 c1 eb 03 48 8d 04 13 c7 00 f1 f1 f1 f1 c7 40 04 00 f2 f2 f2 4
[  120.966277][    C0] RSP: 0018:ffff8880d9c09af0 EFLAGS: 00010206
[  120.967293][    C0] RAX: 0000000000000006 RBX: 1ffff1101b38135f RCX: 0000000000000000
[  120.968516][    C0] RDX: dffffc0000000000 RSI: ffff8880d17cb208 RDI: 0000000000000000
[  120.969718][    C0] RBP: 0000000000000030 R08: ffffed101b3c0e3c R09: 0000000000000001
[  120.972203][    C0] R10: 0000000000000001 R11: ffffed101b3c0e3b R12: 0000000000000000
[  120.973379][    C0] R13: ffff8880aaf80100 R14: ffff8880aaf800f2 R15: ffff8880aaf80040
[  120.974410][    C0] FS:  00007f58e693f740(0000) GS:ffff8880d9c00000(0000) knlGS:0000000000000000
[  120.979794][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  120.980773][    C0] CR2: 00007ffcb8b38f29 CR3: 00000000afe8e001 CR4: 00000000000606f0
[  120.981945][    C0] Call Trace:
[  120.982411][    C0]  <IRQ>
[  120.982848][    C0]  ? hsr_add_node+0x8c0/0x8c0 [hsr]
[  120.983522][    C0]  ? rcu_read_lock_held+0x90/0xa0
[  120.984159][    C0]  ? rcu_read_lock_sched_held+0xc0/0xc0
[  120.984944][    C0]  hsr_handle_frame+0x1db/0x4e0 [hsr]
[  120.985597][    C0]  ? hsr_nl_nodedown+0x2b0/0x2b0 [hsr]
[  120.986289][    C0]  __netif_receive_skb_core+0x6bf/0x3170
[  120.992513][    C0]  ? check_chain_key+0x236/0x5d0
[  120.993223][    C0]  ? do_xdp_generic+0x1460/0x1460
[  120.993875][    C0]  ? register_lock_class+0x14d0/0x14d0
[  120.994609][    C0]  ? __netif_receive_skb_one_core+0x8d/0x160
[  120.995377][    C0]  __netif_receive_skb_one_core+0x8d/0x160
[  120.996204][    C0]  ? __netif_receive_skb_core+0x3170/0x3170
[ ... ]

Reported-by: syzbot+fcf5dd39282ceb27108d@syzkaller.appspotmail.com
Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/hsr/hsr_slave.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/hsr/hsr_slave.c
+++ b/net/hsr/hsr_slave.c
@@ -152,16 +152,16 @@ int hsr_add_port(struct hsr_priv *hsr, s
 	if (port == NULL)
 		return -ENOMEM;
 
+	port->hsr = hsr;
+	port->dev = dev;
+	port->type = type;
+
 	if (type != HSR_PT_MASTER) {
 		res = hsr_portdev_setup(dev, port);
 		if (res)
 			goto fail_dev_setup;
 	}
 
-	port->hsr = hsr;
-	port->dev = dev;
-	port->type = type;
-
 	list_add_tail_rcu(&port->port_list, &hsr->ports);
 	synchronize_rcu();
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 057/148] macsec: restrict to ethernet devices
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 056/148] hsr: fix general protection fault in hsr_addr_is_self() Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 058/148] net: dsa: Fix duplicate frames flooded by learning Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Willem de Bruijn, David S. Miller

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit b06d072ccc4b1acd0147b17914b7ad1caa1818bb ]

Only attach macsec to ethernet devices.

Syzbot was able to trigger a KMSAN warning in macsec_handle_frame
by attaching to a phonet device.

Macvlan has a similar check in macvlan_port_create.

v1->v2
  - fix commit message typo

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/macsec.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -19,6 +19,7 @@
 #include <net/genetlink.h>
 #include <net/sock.h>
 #include <net/gro_cells.h>
+#include <linux/if_arp.h>
 
 #include <uapi/linux/if_macsec.h>
 
@@ -3219,6 +3220,8 @@ static int macsec_newlink(struct net *ne
 	real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK]));
 	if (!real_dev)
 		return -ENODEV;
+	if (real_dev->type != ARPHRD_ETHER)
+		return -EINVAL;
 
 	dev->priv_flags |= IFF_MACSEC;
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 058/148] net: dsa: Fix duplicate frames flooded by learning
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 057/148] macsec: restrict to ethernet devices Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 059/148] net: mvneta: Fix the case where the last poll did not process all rx Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Bizon, Florian Fainelli,
	Vivien Didelot, David S. Miller

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 0e62f543bed03a64495bd2651d4fe1aa4bcb7fe5 ]

When both the switch and the bridge are learning about new addresses,
switch ports attached to the bridge would see duplicate ARP frames
because both entities would attempt to send them.

Fixes: 5037d532b83d ("net: dsa: add Broadcom tag RX/TX handler")
Reported-by: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/dsa/tag_brcm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/dsa/tag_brcm.c
+++ b/net/dsa/tag_brcm.c
@@ -134,6 +134,8 @@ static struct sk_buff *brcm_tag_rcv(stru
 
 	skb->dev = ds->ports[source_port].netdev;
 
+	skb->offload_fwd_mark = 1;
+
 	return skb;
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 059/148] net: mvneta: Fix the case where the last poll did not process all rx
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 058/148] net: dsa: Fix duplicate frames flooded by learning Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 060/148] net/packet: tpacket_rcv: avoid a producer race condition Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jisheng Zhang, David S. Miller

From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>

[ Upstream commit 065fd83e1be2e1ba0d446a257fd86a3cc7bddb51 ]

For the case where the last mvneta_poll did not process all
RX packets, we need to xor the pp->cause_rx_tx or port->cause_rx_tx
before claculating the rx_queue.

Fixes: 2dcf75e2793c ("net: mvneta: Associate RX queues with each CPU")
Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/mvneta.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -2759,11 +2759,10 @@ static int mvneta_poll(struct napi_struc
 	/* For the case where the last mvneta_poll did not process all
 	 * RX packets
 	 */
-	rx_queue = fls(((cause_rx_tx >> 8) & 0xff));
-
 	cause_rx_tx |= pp->neta_armada3700 ? pp->cause_rx_tx :
 		port->cause_rx_tx;
 
+	rx_queue = fls(((cause_rx_tx >> 8) & 0xff));
 	if (rx_queue) {
 		rx_queue = rx_queue - 1;
 		if (pp->bm_priv)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 060/148] net/packet: tpacket_rcv: avoid a producer race condition
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 059/148] net: mvneta: Fix the case where the last poll did not process all rx Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 061/148] net: qmi_wwan: add support for ASKEY WWHC050 Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Rosen, Willem de Bruijn, David S. Miller

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit 61fad6816fc10fb8793a925d5c1256d1c3db0cd2 ]

PACKET_RX_RING can cause multiple writers to access the same slot if a
fast writer wraps the ring while a slow writer is still copying. This
is particularly likely with few, large, slots (e.g., GSO packets).

Synchronize kernel thread ownership of rx ring slots with a bitmap.

Writers acquire a slot race-free by testing tp_status TP_STATUS_KERNEL
while holding the sk receive queue lock. They release this lock before
copying and set tp_status to TP_STATUS_USER to release to userspace
when done. During copying, another writer may take the lock, also see
TP_STATUS_KERNEL, and start writing to the same slot.

Introduce a new rx_owner_map bitmap with a bit per slot. To acquire a
slot, test and set with the lock held. To release race-free, update
tp_status and owner bit as a transaction, so take the lock again.

This is the one of a variety of discussed options (see Link below):

* instead of a shadow ring, embed the data in the slot itself, such as
in tp_padding. But any test for this field may match a value left by
userspace, causing deadlock.

* avoid the lock on release. This leaves a small race if releasing the
shadow slot before setting TP_STATUS_USER. The below reproducer showed
that this race is not academic. If releasing the slot after tp_status,
the race is more subtle. See the first link for details.

* add a new tp_status TP_KERNEL_OWNED to avoid the transactional store
of two fields. But, legacy applications may interpret all non-zero
tp_status as owned by the user. As libpcap does. So this is possible
only opt-in by newer processes. It can be added as an optional mode.

* embed the struct at the tail of pg_vec to avoid extra allocation.
The implementation proved no less complex than a separate field.

The additional locking cost on release adds contention, no different
than scaling on multicore or multiqueue h/w. In practice, below
reproducer nor small packet tcpdump showed a noticeable change in
perf report in cycles spent in spinlock. Where contention is
problematic, packet sockets support mitigation through PACKET_FANOUT.
And we can consider adding opt-in state TP_KERNEL_OWNED.

Easy to reproduce by running multiple netperf or similar TCP_STREAM
flows concurrently with `tcpdump -B 129 -n greater 60000`.

Based on an earlier patchset by Jon Rosen. See links below.

I believe this issue goes back to the introduction of tpacket_rcv,
which predates git history.

Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg237222.html
Suggested-by: Jon Rosen <jrosen@cisco.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jon Rosen <jrosen@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/packet/af_packet.c |   21 +++++++++++++++++++++
 net/packet/internal.h  |    5 ++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2204,6 +2204,7 @@ static int tpacket_rcv(struct sk_buff *s
 	struct timespec ts;
 	__u32 ts_status;
 	bool is_drop_n_account = false;
+	unsigned int slot_id = 0;
 	bool do_vnet = false;
 
 	/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
@@ -2300,6 +2301,13 @@ static int tpacket_rcv(struct sk_buff *s
 	if (!h.raw)
 		goto drop_n_account;
 
+	if (po->tp_version <= TPACKET_V2) {
+		slot_id = po->rx_ring.head;
+		if (test_bit(slot_id, po->rx_ring.rx_owner_map))
+			goto drop_n_account;
+		__set_bit(slot_id, po->rx_ring.rx_owner_map);
+	}
+
 	if (do_vnet &&
 	    virtio_net_hdr_from_skb(skb, h.raw + macoff -
 				    sizeof(struct virtio_net_hdr),
@@ -2405,7 +2413,10 @@ static int tpacket_rcv(struct sk_buff *s
 #endif
 
 	if (po->tp_version <= TPACKET_V2) {
+		spin_lock(&sk->sk_receive_queue.lock);
 		__packet_set_status(po, h.raw, status);
+		__clear_bit(slot_id, po->rx_ring.rx_owner_map);
+		spin_unlock(&sk->sk_receive_queue.lock);
 		sk->sk_data_ready(sk);
 	} else {
 		prb_clear_blk_fill_status(&po->rx_ring);
@@ -4298,6 +4309,7 @@ static int packet_set_ring(struct sock *
 {
 	struct pgv *pg_vec = NULL;
 	struct packet_sock *po = pkt_sk(sk);
+	unsigned long *rx_owner_map = NULL;
 	int was_running, order = 0;
 	struct packet_ring_buffer *rb;
 	struct sk_buff_head *rb_queue;
@@ -4383,6 +4395,12 @@ static int packet_set_ring(struct sock *
 			}
 			break;
 		default:
+			if (!tx_ring) {
+				rx_owner_map = bitmap_alloc(req->tp_frame_nr,
+					GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO);
+				if (!rx_owner_map)
+					goto out_free_pg_vec;
+			}
 			break;
 		}
 	}
@@ -4412,6 +4430,8 @@ static int packet_set_ring(struct sock *
 		err = 0;
 		spin_lock_bh(&rb_queue->lock);
 		swap(rb->pg_vec, pg_vec);
+		if (po->tp_version <= TPACKET_V2)
+			swap(rb->rx_owner_map, rx_owner_map);
 		rb->frame_max = (req->tp_frame_nr - 1);
 		rb->head = 0;
 		rb->frame_size = req->tp_frame_size;
@@ -4443,6 +4463,7 @@ static int packet_set_ring(struct sock *
 	}
 
 out_free_pg_vec:
+	bitmap_free(rx_owner_map);
 	if (pg_vec)
 		free_pg_vec(pg_vec, order, req->tp_block_nr);
 out:
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -70,7 +70,10 @@ struct packet_ring_buffer {
 
 	unsigned int __percpu	*pending_refcnt;
 
-	struct tpacket_kbdq_core	prb_bdqc;
+	union {
+		unsigned long			*rx_owner_map;
+		struct tpacket_kbdq_core	prb_bdqc;
+	};
 };
 
 extern struct mutex fanout_mutex;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 061/148] net: qmi_wwan: add support for ASKEY WWHC050
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 060/148] net/packet: tpacket_rcv: avoid a producer race condition Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 062/148] net_sched: cls_route: remove the right filter from hashtable Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cezary Jackiewicz, Pawel Dembicki,
	Bjørn Mork, David S. Miller

From: Pawel Dembicki <paweldembicki@gmail.com>

[ Upstream commit 12a5ba5a1994568d4ceaff9e78c6b0329d953386 ]

ASKEY WWHC050 is a mcie LTE modem.
The oem configuration states:

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1690 ProdID=7588 Rev=ff.ff
S:  Manufacturer=Android
S:  Product=Android
S:  SerialNumber=813f0eef6e6e
C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us

Tested on openwrt distribution.

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/qmi_wwan.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1139,6 +1139,7 @@ static const struct usb_device_id produc
 	{QMI_FIXED_INTF(0x1435, 0xd181, 4)},	/* Wistron NeWeb D18Q1 */
 	{QMI_FIXED_INTF(0x1435, 0xd181, 5)},	/* Wistron NeWeb D18Q1 */
 	{QMI_QUIRK_SET_DTR(0x1508, 0x1001, 4)},	/* Fibocom NL668 series */
+	{QMI_FIXED_INTF(0x1690, 0x7588, 4)},    /* ASKEY WWHC050 */
 	{QMI_FIXED_INTF(0x16d8, 0x6003, 0)},	/* CMOTech 6003 */
 	{QMI_FIXED_INTF(0x16d8, 0x6007, 0)},	/* CMOTech CHE-628S */
 	{QMI_FIXED_INTF(0x16d8, 0x6008, 0)},	/* CMOTech CMU-301 */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 062/148] net_sched: cls_route: remove the right filter from hashtable
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 061/148] net: qmi_wwan: add support for ASKEY WWHC050 Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 063/148] net_sched: keep alloc_hash updated after hash allocation Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jamal Hadi Salim, Jiri Pirko,
	John Fastabend, Cong Wang, David S. Miller,
	syzbot+f9b32aaacd60305d9687, syzbot+2f8c233f131943d6056d,
	syzbot+9c2df9fd5e9445b74e01

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359 ]

route4_change() allocates a new filter and copies values from
the old one. After the new filter is inserted into the hash
table, the old filter should be removed and freed, as the final
step of the update.

However, the current code mistakenly removes the new one. This
looks apparently wrong to me, and it causes double "free" and
use-after-free too, as reported by syzbot.

Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
Fixes: 1109c00547fc ("net: sched: RCU cls_route")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/cls_route.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -539,8 +539,8 @@ static int route4_change(struct net *net
 			fp = &b->ht[h];
 			for (pfp = rtnl_dereference(*fp); pfp;
 			     fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
-				if (pfp == f) {
-					*fp = f->next;
+				if (pfp == fold) {
+					rcu_assign_pointer(*fp, fold->next);
 					break;
 				}
 			}



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 063/148] net_sched: keep alloc_hash updated after hash allocation
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 062/148] net_sched: cls_route: remove the right filter from hashtable Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 064/148] net: stmmac: dwmac-rk: fix error path in rk_gmac_probe Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jamal Hadi Salim, Jiri Pirko,
	Cong Wang, David S. Miller, syzbot+dcc34d54d68ef7d2d53d,
	syzbot+c72da7b9ed57cde6fca2

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 ]

In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
I moved cp->hash calculation before the first
tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched.
This difference could lead to another out of bound access.

cp->alloc_hash should always be the size allocated, we should
update it after this tcindex_alloc_perfect_hash().

Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/cls_tcindex.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -375,6 +375,7 @@ tcindex_set_parms(struct net *net, struc
 
 		if (tcindex_alloc_perfect_hash(cp) < 0)
 			goto errout;
+		cp->alloc_hash = cp->hash;
 		for (i = 0; i < min(cp->hash, p->hash); i++)
 			cp->perfect[i].res = p->perfect[i].res;
 		balloc = 1;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 064/148] net: stmmac: dwmac-rk: fix error path in rk_gmac_probe
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 063/148] net_sched: keep alloc_hash updated after hash allocation Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 065/148] NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Emil Renner Berthing, David S. Miller

From: Emil Renner Berthing <kernel@esmil.dk>

[ Upstream commit 9de9aa487daff7a5c73434c24269b44ed6a428e6 ]

Make sure we clean up devicetree related configuration
also when clock init fails.

Fixes: fecd4d7eef8b ("net: stmmac: dwmac-rk: Add integrated PHY support")
Signed-off-by: Emil Renner Berthing <kernel@esmil.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
@@ -1362,7 +1362,7 @@ static int rk_gmac_probe(struct platform
 
 	ret = rk_gmac_clk_init(plat_dat);
 	if (ret)
-		return ret;
+		goto err_remove_config_dt;
 
 	ret = rk_gmac_powerup(plat_dat->bsp_priv);
 	if (ret)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 065/148] NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 064/148] net: stmmac: dwmac-rk: fix error path in rk_gmac_probe Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 066/148] slcan: not call free_netdev before rtnl_unlock in slcan_open Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 0dcdf9f64028ec3b75db6b691560f8286f3898bf ]

The nci_conn_max_data_pkt_payload_size() function sometimes returns
-EPROTO so "max_size" needs to be signed for the error handling to
work.  We can make "payload_size" an int as well.

Fixes: a06347c04c13 ("NFC: Add Intel Fields Peak NFC solution driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nfc/fdp/fdp.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/nfc/fdp/fdp.c
+++ b/drivers/nfc/fdp/fdp.c
@@ -192,7 +192,7 @@ static int fdp_nci_send_patch(struct nci
 	const struct firmware *fw;
 	struct sk_buff *skb;
 	unsigned long len;
-	u8 max_size, payload_size;
+	int max_size, payload_size;
 	int rc = 0;
 
 	if ((type == NCI_PATCH_TYPE_OTP && !info->otp_patch) ||
@@ -215,8 +215,7 @@ static int fdp_nci_send_patch(struct nci
 
 	while (len) {
 
-		payload_size = min_t(unsigned long, (unsigned long) max_size,
-				     len);
+		payload_size = min_t(unsigned long, max_size, len);
 
 		skb = nci_skb_alloc(ndev, (NCI_CTRL_HDR_SIZE + payload_size),
 				    GFP_KERNEL);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 066/148] slcan: not call free_netdev before rtnl_unlock in slcan_open
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 065/148] NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 067/148] bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, yangerkun, Oliver Hartkopp, David S. Miller

From: Oliver Hartkopp <socketcan@hartkopp.net>

[ Upstream commit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 ]

As the description before netdev_run_todo, we cannot call free_netdev
before rtnl_unlock, fix it by reorder the code.

This patch is a 1:1 copy of upstream slip.c commit f596c87005f7
("slip: not call free_netdev before rtnl_unlock in slip_open").

Reported-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/slcan.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -621,7 +621,10 @@ err_free_chan:
 	tty->disc_data = NULL;
 	clear_bit(SLF_INUSE, &sl->flags);
 	slc_free_netdev(sl->dev);
+	/* do not call free_netdev before rtnl_unlock */
+	rtnl_unlock();
 	free_netdev(sl->dev);
+	return err;
 
 err_exit:
 	rtnl_unlock();



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 067/148] bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 066/148] slcan: not call free_netdev before rtnl_unlock in slcan_open Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 068/148] net: dsa: mt7530: Change the LINK bit to reflect the link status Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Edwin Peer, Michael Chan, David S. Miller

From: Edwin Peer <edwin.peer@broadcom.com>

[ Upstream commit 62d4073e86e62e316bea2c53e77db10418fd5dd7 ]

The allocated ieee_ets structure goes out of scope without being freed,
leaking memory. Appropriate result codes should be returned so that
callers do not rely on invalid data passed by reference.

Also cache the ETS config retrieved from the device so that it doesn't
need to be freed. The balance of the code was clearly written with the
intent of having the results of querying the hardware cached in the
device structure. The commensurate store was evidently missed though.

Fixes: 7df4ae9fe855 ("bnxt_en: Implement DCBNL to support host-based DCBX.")
Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
@@ -387,24 +387,26 @@ static int bnxt_dcbnl_ieee_getets(struct
 {
 	struct bnxt *bp = netdev_priv(dev);
 	struct ieee_ets *my_ets = bp->ieee_ets;
+	int rc;
 
 	ets->ets_cap = bp->max_tc;
 
 	if (!my_ets) {
-		int rc;
-
 		if (bp->dcbx_cap & DCB_CAP_DCBX_HOST)
 			return 0;
 
 		my_ets = kzalloc(sizeof(*my_ets), GFP_KERNEL);
 		if (!my_ets)
-			return 0;
+			return -ENOMEM;
 		rc = bnxt_hwrm_queue_cos2bw_qcfg(bp, my_ets);
 		if (rc)
-			return 0;
+			goto error;
 		rc = bnxt_hwrm_queue_pri2cos_qcfg(bp, my_ets);
 		if (rc)
-			return 0;
+			goto error;
+
+		/* cache result */
+		bp->ieee_ets = my_ets;
 	}
 
 	ets->cbs = my_ets->cbs;
@@ -413,6 +415,9 @@ static int bnxt_dcbnl_ieee_getets(struct
 	memcpy(ets->tc_tsa, my_ets->tc_tsa, sizeof(ets->tc_tsa));
 	memcpy(ets->prio_tc, my_ets->prio_tc, sizeof(ets->prio_tc));
 	return 0;
+error:
+	kfree(my_ets);
+	return rc;
 }
 
 static int bnxt_dcbnl_ieee_setets(struct net_device *dev, struct ieee_ets *ets)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 068/148] net: dsa: mt7530: Change the LINK bit to reflect the link status
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 067/148] bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 069/148] vxlan: check return value of gro_cells_init() Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Smith, René van Dorst,
	Vivien Didelot, Florian Fainelli, David S. Miller

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1678 bytes --]

From: "René van Dorst" <opensource@vdorst.com>

[ Upstream commit 22259471b51925353bd7b16f864c79fdd76e425e ]

Andrew reported:

After a number of network port link up/down changes, sometimes the switch
port gets stuck in a state where it thinks it is still transmitting packets
but the cpu port is not actually transmitting anymore. In this state you
will see a message on the console
"mtk_soc_eth 1e100000.ethernet eth0: transmit timed out" and the Tx counter
in ifconfig will be incrementing on virtual port, but not incrementing on
cpu port.

The issue is that MAC TX/RX status has no impact on the link status or
queue manager of the switch. So the queue manager just queues up packets
of a disabled port and sends out pause frames when the queue is full.

Change the LINK bit to reflect the link status.

Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
Reported-by: Andrew Smith <andrew.smith@digi.com>
Signed-off-by: René van Dorst <opensource@vdorst.com>
Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/dsa/mt7530.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -549,7 +549,7 @@ mt7530_mib_reset(struct dsa_switch *ds)
 static void
 mt7530_port_set_status(struct mt7530_priv *priv, int port, int enable)
 {
-	u32 mask = PMCR_TX_EN | PMCR_RX_EN;
+	u32 mask = PMCR_TX_EN | PMCR_RX_EN | PMCR_FORCE_LNK;
 
 	if (enable)
 		mt7530_set(priv, MT7530_PMCR_P(port), mask);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 069/148] vxlan: check return value of gro_cells_init()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 068/148] net: dsa: mt7530: Change the LINK bit to reflect the link status Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 070/148] hsr: use rcu_read_lock() in hsr_get_node_{list/status}() Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Taehee Yoo, David S. Miller

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit 384d91c267e621e0926062cfb3f20cb72dc16928 ]

gro_cells_init() returns error if memory allocation is failed.
But the vxlan module doesn't check the return value of gro_cells_init().

Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")`
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/vxlan.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2454,10 +2454,19 @@ static void vxlan_vs_add_dev(struct vxla
 /* Setup stats when device is created */
 static int vxlan_init(struct net_device *dev)
 {
+	struct vxlan_dev *vxlan = netdev_priv(dev);
+	int err;
+
 	dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
 	if (!dev->tstats)
 		return -ENOMEM;
 
+	err = gro_cells_init(&vxlan->gro_cells, dev);
+	if (err) {
+		free_percpu(dev->tstats);
+		return err;
+	}
+
 	return 0;
 }
 
@@ -2717,8 +2726,6 @@ static void vxlan_setup(struct net_devic
 
 	vxlan->dev = dev;
 
-	gro_cells_init(&vxlan->gro_cells, dev);
-
 	for (h = 0; h < FDB_HASH_SIZE; ++h)
 		INIT_HLIST_HEAD(&vxlan->fdb_head[h]);
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 070/148] hsr: use rcu_read_lock() in hsr_get_node_{list/status}()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 069/148] vxlan: check return value of gro_cells_init() Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 071/148] hsr: add restart routine into hsr_get_node_list() Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Taehee Yoo, David S. Miller

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit 173756b86803655d70af7732079b3aa935e6ab68 ]

hsr_get_node_{list/status}() are not under rtnl_lock() because
they are callback functions of generic netlink.
But they use __dev_get_by_index() without rtnl_lock().
So, it would use unsafe data.
In order to fix it, rcu_read_lock() and dev_get_by_index_rcu()
are used instead of __dev_get_by_index().

Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/hsr/hsr_framereg.c |   10 ++--------
 net/hsr/hsr_netlink.c  |   43 +++++++++++++++++++++----------------------
 2 files changed, 23 insertions(+), 30 deletions(-)

--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -468,13 +468,9 @@ int hsr_get_node_data(struct hsr_priv *h
 	struct hsr_port *port;
 	unsigned long tdiff;
 
-
-	rcu_read_lock();
 	node = find_node_by_AddrA(&hsr->node_db, addr);
-	if (!node) {
-		rcu_read_unlock();
-		return -ENOENT;	/* No such entry */
-	}
+	if (!node)
+		return -ENOENT;
 
 	ether_addr_copy(addr_b, node->MacAddressB);
 
@@ -509,7 +505,5 @@ int hsr_get_node_data(struct hsr_priv *h
 		*addr_b_ifindex = -1;
 	}
 
-	rcu_read_unlock();
-
 	return 0;
 }
--- a/net/hsr/hsr_netlink.c
+++ b/net/hsr/hsr_netlink.c
@@ -259,17 +259,16 @@ static int hsr_get_node_status(struct sk
 	if (!na)
 		goto invalid;
 
-	hsr_dev = __dev_get_by_index(genl_info_net(info),
-					nla_get_u32(info->attrs[HSR_A_IFINDEX]));
+	rcu_read_lock();
+	hsr_dev = dev_get_by_index_rcu(genl_info_net(info),
+				       nla_get_u32(info->attrs[HSR_A_IFINDEX]));
 	if (!hsr_dev)
-		goto invalid;
+		goto rcu_unlock;
 	if (!is_hsr_master(hsr_dev))
-		goto invalid;
-
+		goto rcu_unlock;
 
 	/* Send reply */
-
-	skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+	skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
 	if (!skb_out) {
 		res = -ENOMEM;
 		goto fail;
@@ -321,12 +320,10 @@ static int hsr_get_node_status(struct sk
 	res = nla_put_u16(skb_out, HSR_A_IF1_SEQ, hsr_node_if1_seq);
 	if (res < 0)
 		goto nla_put_failure;
-	rcu_read_lock();
 	port = hsr_port_get_hsr(hsr, HSR_PT_SLAVE_A);
 	if (port)
 		res = nla_put_u32(skb_out, HSR_A_IF1_IFINDEX,
 				  port->dev->ifindex);
-	rcu_read_unlock();
 	if (res < 0)
 		goto nla_put_failure;
 
@@ -336,20 +333,22 @@ static int hsr_get_node_status(struct sk
 	res = nla_put_u16(skb_out, HSR_A_IF2_SEQ, hsr_node_if2_seq);
 	if (res < 0)
 		goto nla_put_failure;
-	rcu_read_lock();
 	port = hsr_port_get_hsr(hsr, HSR_PT_SLAVE_B);
 	if (port)
 		res = nla_put_u32(skb_out, HSR_A_IF2_IFINDEX,
 				  port->dev->ifindex);
-	rcu_read_unlock();
 	if (res < 0)
 		goto nla_put_failure;
 
+	rcu_read_unlock();
+
 	genlmsg_end(skb_out, msg_head);
 	genlmsg_unicast(genl_info_net(info), skb_out, info->snd_portid);
 
 	return 0;
 
+rcu_unlock:
+	rcu_read_unlock();
 invalid:
 	netlink_ack(skb_in, nlmsg_hdr(skb_in), -EINVAL, NULL);
 	return 0;
@@ -359,6 +358,7 @@ nla_put_failure:
 	/* Fall through */
 
 fail:
+	rcu_read_unlock();
 	return res;
 }
 
@@ -385,17 +385,16 @@ static int hsr_get_node_list(struct sk_b
 	if (!na)
 		goto invalid;
 
-	hsr_dev = __dev_get_by_index(genl_info_net(info),
-				     nla_get_u32(info->attrs[HSR_A_IFINDEX]));
+	rcu_read_lock();
+	hsr_dev = dev_get_by_index_rcu(genl_info_net(info),
+				       nla_get_u32(info->attrs[HSR_A_IFINDEX]));
 	if (!hsr_dev)
-		goto invalid;
+		goto rcu_unlock;
 	if (!is_hsr_master(hsr_dev))
-		goto invalid;
-
+		goto rcu_unlock;
 
 	/* Send reply */
-
-	skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+	skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
 	if (!skb_out) {
 		res = -ENOMEM;
 		goto fail;
@@ -415,14 +414,11 @@ static int hsr_get_node_list(struct sk_b
 
 	hsr = netdev_priv(hsr_dev);
 
-	rcu_read_lock();
 	pos = hsr_get_next_node(hsr, NULL, addr);
 	while (pos) {
 		res = nla_put(skb_out, HSR_A_NODE_ADDR, ETH_ALEN, addr);
-		if (res < 0) {
-			rcu_read_unlock();
+		if (res < 0)
 			goto nla_put_failure;
-		}
 		pos = hsr_get_next_node(hsr, pos, addr);
 	}
 	rcu_read_unlock();
@@ -432,6 +428,8 @@ static int hsr_get_node_list(struct sk_b
 
 	return 0;
 
+rcu_unlock:
+	rcu_read_unlock();
 invalid:
 	netlink_ack(skb_in, nlmsg_hdr(skb_in), -EINVAL, NULL);
 	return 0;
@@ -441,6 +439,7 @@ nla_put_failure:
 	/* Fall through */
 
 fail:
+	rcu_read_unlock();
 	return res;
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 071/148] hsr: add restart routine into hsr_get_node_list()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 070/148] hsr: use rcu_read_lock() in hsr_get_node_{list/status}() Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 072/148] hsr: set .netnsok flag Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Taehee Yoo, David S. Miller

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit ca19c70f5225771c05bcdcb832b4eb84d7271c5e ]

The hsr_get_node_list() is to send node addresses to the userspace.
If there are so many nodes, it could fail because of buffer size.
In order to avoid this failure, the restart routine is added.

Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/hsr/hsr_netlink.c |   38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

--- a/net/hsr/hsr_netlink.c
+++ b/net/hsr/hsr_netlink.c
@@ -366,16 +366,14 @@ fail:
  */
 static int hsr_get_node_list(struct sk_buff *skb_in, struct genl_info *info)
 {
-	/* For receiving */
-	struct nlattr *na;
+	unsigned char addr[ETH_ALEN];
 	struct net_device *hsr_dev;
-
-	/* For sending */
 	struct sk_buff *skb_out;
-	void *msg_head;
 	struct hsr_priv *hsr;
-	void *pos;
-	unsigned char addr[ETH_ALEN];
+	bool restart = false;
+	struct nlattr *na;
+	void *pos = NULL;
+	void *msg_head;
 	int res;
 
 	if (!info)
@@ -393,8 +391,9 @@ static int hsr_get_node_list(struct sk_b
 	if (!is_hsr_master(hsr_dev))
 		goto rcu_unlock;
 
+restart:
 	/* Send reply */
-	skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
+	skb_out = genlmsg_new(GENLMSG_DEFAULT_SIZE, GFP_ATOMIC);
 	if (!skb_out) {
 		res = -ENOMEM;
 		goto fail;
@@ -408,17 +407,28 @@ static int hsr_get_node_list(struct sk_b
 		goto nla_put_failure;
 	}
 
-	res = nla_put_u32(skb_out, HSR_A_IFINDEX, hsr_dev->ifindex);
-	if (res < 0)
-		goto nla_put_failure;
+	if (!restart) {
+		res = nla_put_u32(skb_out, HSR_A_IFINDEX, hsr_dev->ifindex);
+		if (res < 0)
+			goto nla_put_failure;
+	}
 
 	hsr = netdev_priv(hsr_dev);
 
-	pos = hsr_get_next_node(hsr, NULL, addr);
+	if (!pos)
+		pos = hsr_get_next_node(hsr, NULL, addr);
 	while (pos) {
 		res = nla_put(skb_out, HSR_A_NODE_ADDR, ETH_ALEN, addr);
-		if (res < 0)
+		if (res < 0) {
+			if (res == -EMSGSIZE) {
+				genlmsg_end(skb_out, msg_head);
+				genlmsg_unicast(genl_info_net(info), skb_out,
+						info->snd_portid);
+				restart = true;
+				goto restart;
+			}
 			goto nla_put_failure;
+		}
 		pos = hsr_get_next_node(hsr, pos, addr);
 	}
 	rcu_read_unlock();
@@ -435,7 +445,7 @@ invalid:
 	return 0;
 
 nla_put_failure:
-	kfree_skb(skb_out);
+	nlmsg_free(skb_out);
 	/* Fall through */
 
 fail:



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 072/148] hsr: set .netnsok flag
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 071/148] hsr: add restart routine into hsr_get_node_list() Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 073/148] net: ipv4: dont let PMTU updates increase route MTU Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Taehee Yoo, David S. Miller

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit 09e91dbea0aa32be02d8877bd50490813de56b9a ]

The hsr module has been supporting the list and status command.
(HSR_C_GET_NODE_LIST and HSR_C_GET_NODE_STATUS)
These commands send node information to the user-space via generic netlink.
But, in the non-init_net namespace, these commands are not allowed
because .netnsok flag is false.
So, there is no way to get node information in the non-init_net namespace.

Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/hsr/hsr_netlink.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/hsr/hsr_netlink.c
+++ b/net/hsr/hsr_netlink.c
@@ -476,6 +476,7 @@ static struct genl_family hsr_genl_famil
 	.name = "HSR",
 	.version = 1,
 	.maxattr = HSR_A_MAX,
+	.netnsok = true,
 	.module = THIS_MODULE,
 	.ops = hsr_ops,
 	.n_ops = ARRAY_SIZE(hsr_ops),



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 073/148] net: ipv4: dont let PMTU updates increase route MTU
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 072/148] hsr: set .netnsok flag Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 074/148] cgroup-v1: cgroup_pidlist_next should update position index Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sabrina Dubroca, Stefano Brivio,
	David S. Miller, Sasha Levin

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 28d35bcdd3925e7293408cdb8aa5f2aac5f0d6e3 ]

When an MTU update with PMTU smaller than net.ipv4.route.min_pmtu is
received, we must clamp its value. However, we can receive a PMTU
exception with PMTU < old_mtu < ip_rt_min_pmtu, which would lead to an
increase in PMTU.

To fix this, take the smallest of the old MTU and ip_rt_min_pmtu.

Before this patch, in case of an update, the exception's MTU would
always change. Now, an exception can have only its lock flag updated,
but not the MTU, so we need to add a check on locking to the following
"is this exception getting updated, or close to expiring?" test.

Fixes: d52e5a7e7ca4 ("ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/route.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 8b855d3eec9e7..05fe1d0075444 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1014,21 +1014,22 @@ out:	kfree_skb(skb);
 static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
 {
 	struct dst_entry *dst = &rt->dst;
+	u32 old_mtu = ipv4_mtu(dst);
 	struct fib_result res;
 	bool lock = false;
 
 	if (ip_mtu_locked(dst))
 		return;
 
-	if (ipv4_mtu(dst) < mtu)
+	if (old_mtu < mtu)
 		return;
 
 	if (mtu < ip_rt_min_pmtu) {
 		lock = true;
-		mtu = ip_rt_min_pmtu;
+		mtu = min(old_mtu, ip_rt_min_pmtu);
 	}
 
-	if (rt->rt_pmtu == mtu &&
+	if (rt->rt_pmtu == mtu && !lock &&
 	    time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2))
 		return;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 074/148] cgroup-v1: cgroup_pidlist_next should update position index
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 073/148] net: ipv4: dont let PMTU updates increase route MTU Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 075/148] cpupower: avoid multiple definition with gcc -fno-common Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasily Averin, Tejun Heo, Sasha Levin

From: Vasily Averin <vvs@virtuozzo.com>

[ Upstream commit db8dd9697238be70a6b4f9d0284cd89f59c0e070 ]

if seq_file .next fuction does not change position index,
read after some lseek can generate unexpected output.

 # mount | grep cgroup
 # dd if=/mnt/cgroup.procs bs=1  # normal output
...
1294
1295
1296
1304
1382
584+0 records in
584+0 records out
584 bytes copied

dd: /mnt/cgroup.procs: cannot skip to specified offset
83  <<< generates end of last line
1383  <<< ... and whole last line once again
0+1 records in
0+1 records out
8 bytes copied

dd: /mnt/cgroup.procs: cannot skip to specified offset
1386  <<< generates last line anyway
0+1 records in
0+1 records out
5 bytes copied

https://bugzilla.kernel.org/show_bug.cgi?id=206283
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/cgroup/cgroup-v1.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index a2c05d2476ac5..d148965180893 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -501,6 +501,7 @@ static void *cgroup_pidlist_next(struct seq_file *s, void *v, loff_t *pos)
 	 */
 	p++;
 	if (p >= end) {
+		(*pos)++;
 		return NULL;
 	} else {
 		*pos = *p;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 075/148] cpupower: avoid multiple definition with gcc -fno-common
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 074/148] cgroup-v1: cgroup_pidlist_next should update position index Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 076/148] drivers/of/of_mdio.c:fix of_mdiobus_register() Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Gilbert, Shuah Khan, Sasha Levin

From: Mike Gilbert <floppym@gentoo.org>

[ Upstream commit 2de7fb60a4740135e03cf55c1982e393ccb87b6b ]

Building cpupower with -fno-common in CFLAGS results in errors due to
multiple definitions of the 'cpu_count' and 'start_time' variables.

./utils/idle_monitor/snb_idle.o:./utils/idle_monitor/cpupower-monitor.h:28:
multiple definition of `cpu_count';
./utils/idle_monitor/nhm_idle.o:./utils/idle_monitor/cpupower-monitor.h:28:
first defined here
...
./utils/idle_monitor/cpuidle_sysfs.o:./utils/idle_monitor/cpuidle_sysfs.c:22:
multiple definition of `start_time';
./utils/idle_monitor/amd_fam14h_idle.o:./utils/idle_monitor/amd_fam14h_idle.c:85:
first defined here

The -fno-common option will be enabled by default in GCC 10.

Bug: https://bugs.gentoo.org/707462
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/power/cpupower/utils/idle_monitor/amd_fam14h_idle.c  | 2 +-
 tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c    | 2 +-
 tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c | 2 ++
 tools/power/cpupower/utils/idle_monitor/cpupower-monitor.h | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/tools/power/cpupower/utils/idle_monitor/amd_fam14h_idle.c b/tools/power/cpupower/utils/idle_monitor/amd_fam14h_idle.c
index 2116df9ad8325..c097a3748674f 100644
--- a/tools/power/cpupower/utils/idle_monitor/amd_fam14h_idle.c
+++ b/tools/power/cpupower/utils/idle_monitor/amd_fam14h_idle.c
@@ -83,7 +83,7 @@ static struct pci_access *pci_acc;
 static struct pci_dev *amd_fam14h_pci_dev;
 static int nbp1_entered;
 
-struct timespec start_time;
+static struct timespec start_time;
 static unsigned long long timediff;
 
 #ifdef DEBUG
diff --git a/tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c b/tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c
index 5b3205f162174..5277df27191f3 100644
--- a/tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c
+++ b/tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c
@@ -21,7 +21,7 @@ struct cpuidle_monitor cpuidle_sysfs_monitor;
 
 static unsigned long long **previous_count;
 static unsigned long long **current_count;
-struct timespec start_time;
+static struct timespec start_time;
 static unsigned long long timediff;
 
 static int cpuidle_get_count_percent(unsigned int id, double *percent,
diff --git a/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c b/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c
index 05f953f0f0a0c..80a21cb67d94f 100644
--- a/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c
+++ b/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c
@@ -29,6 +29,8 @@ struct cpuidle_monitor *all_monitors[] = {
 0
 };
 
+int cpu_count;
+
 static struct cpuidle_monitor *monitors[MONITORS_MAX];
 static unsigned int avail_monitors;
 
diff --git a/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.h b/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.h
index 9e43f3371fbc6..3558bbae2b5dc 100644
--- a/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.h
+++ b/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.h
@@ -18,7 +18,7 @@
 #define CSTATE_NAME_LEN 5
 #define CSTATE_DESC_LEN 60
 
-int cpu_count;
+extern int cpu_count;
 
 /* Hard to define the right names ...: */
 enum power_range_e {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 076/148] drivers/of/of_mdio.c:fix of_mdiobus_register()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 075/148] cpupower: avoid multiple definition with gcc -fno-common Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 077/148] cgroup1: dont call release_agent when it is "" Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dajun Jin, Andrew Lunn,
	David S. Miller, Sasha Levin

From: Dajun Jin <adajunjin@gmail.com>

[ Upstream commit 209c65b61d94344522c41a83cd6ce51aac5fd0a4 ]

When registers a phy_device successful, should terminate the loop
or the phy_device would be registered in other addr. If there are
multiple PHYs without reg properties, it will go wrong.

Signed-off-by: Dajun Jin <adajunjin@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/of/of_mdio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/of/of_mdio.c b/drivers/of/of_mdio.c
index fe26697d3bd72..69da2f6896dae 100644
--- a/drivers/of/of_mdio.c
+++ b/drivers/of/of_mdio.c
@@ -259,6 +259,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
 				rc = of_mdiobus_register_phy(mdio, child, addr);
 				if (rc && rc != -ENODEV)
 					goto unregister;
+				break;
 			}
 		}
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 077/148] cgroup1: dont call release_agent when it is ""
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 076/148] drivers/of/of_mdio.c:fix of_mdiobus_register() Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 078/148] dt-bindings: net: FMan erratum A050385 Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tycho Andersen, Tejun Heo, Sasha Levin

From: Tycho Andersen <tycho@tycho.ws>

[ Upstream commit 2e5383d7904e60529136727e49629a82058a5607 ]

Older (and maybe current) versions of systemd set release_agent to "" when
shutting down, but do not set notify_on_release to 0.

Since 64e90a8acb85 ("Introduce STATIC_USERMODEHELPER to mediate
call_usermodehelper()"), we filter out such calls when the user mode helper
path is "". However, when used in conjunction with an actual (i.e. non "")
STATIC_USERMODEHELPER, the path is never "", so the real usermode helper
will be called with argv[0] == "".

Let's avoid this by not invoking the release_agent when it is "".

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/cgroup/cgroup-v1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index d148965180893..545f29c5268d7 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -824,7 +824,7 @@ void cgroup1_release_agent(struct work_struct *work)
 
 	pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
 	agentbuf = kstrdup(cgrp->root->release_agent_path, GFP_KERNEL);
-	if (!pathbuf || !agentbuf)
+	if (!pathbuf || !agentbuf || !strlen(agentbuf))
 		goto out;
 
 	spin_lock_irq(&css_set_lock);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 078/148] dt-bindings: net: FMan erratum A050385
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 077/148] cgroup1: dont call release_agent when it is "" Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 079/148] arm64: dts: ls1043a: " Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Madalin Bucur, David S. Miller, Sasha Levin

From: Madalin Bucur <madalin.bucur@nxp.com>

[ Upstream commit 26d5bb9e4c4b541c475751e015072eb2cbf70d15 ]

FMAN DMA read or writes under heavy traffic load may cause FMAN
internal resource leak; thus stopping further packet processing.

The FMAN internal queue can overflow when FMAN splits single
read or write transactions into multiple smaller transactions
such that more than 17 AXI transactions are in flight from FMAN
to interconnect. When the FMAN internal queue overflows, it can
stall further packet processing. The issue can occur with any one
of the following three conditions:

  1. FMAN AXI transaction crosses 4K address boundary (Errata
     A010022)
  2. FMAN DMA address for an AXI transaction is not 16 byte
     aligned, i.e. the last 4 bits of an address are non-zero
  3. Scatter Gather (SG) frames have more than one SG buffer in
     the SG list and any one of the buffers, except the last
     buffer in the SG list has data size that is not a multiple
     of 16 bytes, i.e., other than 16, 32, 48, 64, etc.

With any one of the above three conditions present, there is
likelihood of stalled FMAN packet processing, especially under
stress with multiple ports injecting line-rate traffic.

To avoid situations that stall FMAN packet processing, all of the
above three conditions must be avoided; therefore, configure the
system with the following rules:

  1. Frame buffers must not span a 4KB address boundary, unless
     the frame start address is 256 byte aligned
  2. All FMAN DMA start addresses (for example, BMAN buffer
     address, FD[address] + FD[offset]) are 16B aligned
  3. SG table and buffer addresses are 16B aligned and the size
     of SG buffers are multiple of 16 bytes, except for the last
     SG buffer that can be of any size.

Additional workaround notes:
- Address alignment of 64 bytes is recommended for maximally
efficient system bus transactions (although 16 byte alignment is
sufficient to avoid the stall condition)
- To support frame sizes that are larger than 4K bytes, there are
two options:
  1. Large single buffer frames that span a 4KB page boundary can
     be converted into SG frames to avoid transaction splits at
     the 4KB boundary,
  2. Align the large single buffer to 256B address boundaries,
     ensure that the frame address plus offset is 256B aligned.
- If software generated SG frames have buffers that are unaligned
and with random non-multiple of 16 byte lengths, before
transmitting such frames via FMAN, frames will need to be copied
into a new single buffer or multiple buffer SG frame that is
compliant with the three rules listed above.

Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/devicetree/bindings/net/fsl-fman.txt | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Documentation/devicetree/bindings/net/fsl-fman.txt b/Documentation/devicetree/bindings/net/fsl-fman.txt
index df873d1f3b7c5..2aaae210317bb 100644
--- a/Documentation/devicetree/bindings/net/fsl-fman.txt
+++ b/Documentation/devicetree/bindings/net/fsl-fman.txt
@@ -110,6 +110,13 @@ PROPERTIES
 		Usage: required
 		Definition: See soc/fsl/qman.txt and soc/fsl/bman.txt
 
+- fsl,erratum-a050385
+		Usage: optional
+		Value type: boolean
+		Definition: A boolean property. Indicates the presence of the
+		erratum A050385 which indicates that DMA transactions that are
+		split can result in a FMan lock.
+
 =============================================================================
 FMan MURAM Node
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 079/148] arm64: dts: ls1043a: FMan erratum A050385
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 078/148] dt-bindings: net: FMan erratum A050385 Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 080/148] fsl/fman: detect " Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Madalin Bucur, David S. Miller, Sasha Levin

From: Madalin Bucur <madalin.bucur@nxp.com>

[ Upstream commit b54d3900862374e1bb2846e6b39d79c896c0b200 ]

The LS1043A SoC is affected by the A050385 erratum stating that
FMAN DMA read or writes under heavy traffic load may cause FMAN
internal resource leak thus stopping further packet processing.

Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/freescale/fsl-ls1043-post.dtsi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1043-post.dtsi b/arch/arm64/boot/dts/freescale/fsl-ls1043-post.dtsi
index 169e171407a63..acd205ef329f7 100644
--- a/arch/arm64/boot/dts/freescale/fsl-ls1043-post.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1043-post.dtsi
@@ -21,6 +21,8 @@
 };
 
 &fman0 {
+	fsl,erratum-a050385;
+
 	/* these aliases provide the FMan ports mapping */
 	enet0: ethernet@e0000 {
 	};
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 080/148] fsl/fman: detect FMan erratum A050385
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 079/148] arm64: dts: ls1043a: " Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 081/148] scsi: ipr: Fix softlockup when rescanning devices in petitboot Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Madalin Bucur, David S. Miller, Sasha Levin

From: Madalin Bucur <madalin.bucur@nxp.com>

[ Upstream commit b281f7b93b258ce1419043bbd898a29254d5c9c7 ]

Detect the presence of the A050385 erratum.

Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/fman/Kconfig | 28 +++++++++++++++++++++
 drivers/net/ethernet/freescale/fman/fman.c  | 18 +++++++++++++
 drivers/net/ethernet/freescale/fman/fman.h  |  5 ++++
 3 files changed, 51 insertions(+)

diff --git a/drivers/net/ethernet/freescale/fman/Kconfig b/drivers/net/ethernet/freescale/fman/Kconfig
index 8870a9a798ca4..91437b94bfcb6 100644
--- a/drivers/net/ethernet/freescale/fman/Kconfig
+++ b/drivers/net/ethernet/freescale/fman/Kconfig
@@ -8,3 +8,31 @@ config FSL_FMAN
 	help
 		Freescale Data-Path Acceleration Architecture Frame Manager
 		(FMan) support
+
+config DPAA_ERRATUM_A050385
+	bool
+	depends on ARM64 && FSL_DPAA
+	default y
+	help
+		DPAA FMan erratum A050385 software workaround implementation:
+		align buffers, data start, SG fragment length to avoid FMan DMA
+		splits.
+		FMAN DMA read or writes under heavy traffic load may cause FMAN
+		internal resource leak thus stopping further packet processing.
+		The FMAN internal queue can overflow when FMAN splits single
+		read or write transactions into multiple smaller transactions
+		such that more than 17 AXI transactions are in flight from FMAN
+		to interconnect. When the FMAN internal queue overflows, it can
+		stall further packet processing. The issue can occur with any
+		one of the following three conditions:
+		1. FMAN AXI transaction crosses 4K address boundary (Errata
+		A010022)
+		2. FMAN DMA address for an AXI transaction is not 16 byte
+		aligned, i.e. the last 4 bits of an address are non-zero
+		3. Scatter Gather (SG) frames have more than one SG buffer in
+		the SG list and any one of the buffers, except the last
+		buffer in the SG list has data size that is not a multiple
+		of 16 bytes, i.e., other than 16, 32, 48, 64, etc.
+		With any one of the above three conditions present, there is
+		likelihood of stalled FMAN packet processing, especially under
+		stress with multiple ports injecting line-rate traffic.
diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c
index 97425d94e280d..9080d2332d030 100644
--- a/drivers/net/ethernet/freescale/fman/fman.c
+++ b/drivers/net/ethernet/freescale/fman/fman.c
@@ -1,5 +1,6 @@
 /*
  * Copyright 2008-2015 Freescale Semiconductor Inc.
+ * Copyright 2020 NXP
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
@@ -566,6 +567,10 @@ struct fman_cfg {
 	u32 qmi_def_tnums_thresh;
 };
 
+#ifdef CONFIG_DPAA_ERRATUM_A050385
+static bool fman_has_err_a050385;
+#endif
+
 static irqreturn_t fman_exceptions(struct fman *fman,
 				   enum fman_exceptions exception)
 {
@@ -2517,6 +2522,14 @@ struct fman *fman_bind(struct device *fm_dev)
 }
 EXPORT_SYMBOL(fman_bind);
 
+#ifdef CONFIG_DPAA_ERRATUM_A050385
+bool fman_has_errata_a050385(void)
+{
+	return fman_has_err_a050385;
+}
+EXPORT_SYMBOL(fman_has_errata_a050385);
+#endif
+
 static irqreturn_t fman_err_irq(int irq, void *handle)
 {
 	struct fman *fman = (struct fman *)handle;
@@ -2843,6 +2856,11 @@ static struct fman *read_dts_node(struct platform_device *of_dev)
 		goto fman_free;
 	}
 
+#ifdef CONFIG_DPAA_ERRATUM_A050385
+	fman_has_err_a050385 =
+		of_property_read_bool(fm_node, "fsl,erratum-a050385");
+#endif
+
 	return fman;
 
 fman_node_put:
diff --git a/drivers/net/ethernet/freescale/fman/fman.h b/drivers/net/ethernet/freescale/fman/fman.h
index bfa02e0014ae0..693401994fa2d 100644
--- a/drivers/net/ethernet/freescale/fman/fman.h
+++ b/drivers/net/ethernet/freescale/fman/fman.h
@@ -1,5 +1,6 @@
 /*
  * Copyright 2008-2015 Freescale Semiconductor Inc.
+ * Copyright 2020 NXP
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
@@ -397,6 +398,10 @@ u16 fman_get_max_frm(void);
 
 int fman_get_rx_extra_headroom(void);
 
+#ifdef CONFIG_DPAA_ERRATUM_A050385
+bool fman_has_errata_a050385(void);
+#endif
+
 struct fman *fman_bind(struct device *dev);
 
 #endif /* __FM_H */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 081/148] scsi: ipr: Fix softlockup when rescanning devices in petitboot
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 080/148] fsl/fman: detect " Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 082/148] mac80211: Do not send mesh HWMP PREQ if HWMP is disabled Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Xiong, Martin K. Petersen, Sasha Levin

From: Wen Xiong <wenxiong@linux.vnet.ibm.com>

[ Upstream commit 394b61711f3ce33f75bf70a3e22938464a13b3ee ]

When trying to rescan disks in petitboot shell, we hit the following
softlockup stacktrace:

Kernel panic - not syncing: System is deadlocked on memory
[  241.223394] CPU: 32 PID: 693 Comm: sh Not tainted 5.4.16-openpower1 #1
[  241.223406] Call Trace:
[  241.223415] [c0000003f07c3180] [c000000000493fc4] dump_stack+0xa4/0xd8 (unreliable)
[  241.223432] [c0000003f07c31c0] [c00000000007d4ac] panic+0x148/0x3cc
[  241.223446] [c0000003f07c3260] [c000000000114b10] out_of_memory+0x468/0x4c4
[  241.223461] [c0000003f07c3300] [c0000000001472b0] __alloc_pages_slowpath+0x594/0x6d8
[  241.223476] [c0000003f07c3420] [c00000000014757c] __alloc_pages_nodemask+0x188/0x1a4
[  241.223492] [c0000003f07c34a0] [c000000000153e10] alloc_pages_current+0xcc/0xd8
[  241.223508] [c0000003f07c34e0] [c0000000001577ac] alloc_slab_page+0x30/0x98
[  241.223524] [c0000003f07c3520] [c0000000001597fc] new_slab+0x138/0x40c
[  241.223538] [c0000003f07c35f0] [c00000000015b204] ___slab_alloc+0x1e4/0x404
[  241.223552] [c0000003f07c36c0] [c00000000015b450] __slab_alloc+0x2c/0x48
[  241.223566] [c0000003f07c36f0] [c00000000015b754] kmem_cache_alloc_node+0x9c/0x1b4
[  241.223582] [c0000003f07c3760] [c000000000218c48] blk_alloc_queue_node+0x34/0x270
[  241.223599] [c0000003f07c37b0] [c000000000226574] blk_mq_init_queue+0x2c/0x78
[  241.223615] [c0000003f07c37e0] [c0000000002ff710] scsi_mq_alloc_queue+0x28/0x70
[  241.223631] [c0000003f07c3810] [c0000000003005b8] scsi_alloc_sdev+0x184/0x264
[  241.223647] [c0000003f07c38a0] [c000000000300ba0] scsi_probe_and_add_lun+0x288/0xa3c
[  241.223663] [c0000003f07c3a00] [c000000000301768] __scsi_scan_target+0xcc/0x478
[  241.223679] [c0000003f07c3b20] [c000000000301c64] scsi_scan_channel.part.9+0x74/0x7c
[  241.223696] [c0000003f07c3b70] [c000000000301df4] scsi_scan_host_selected+0xe0/0x158
[  241.223712] [c0000003f07c3bd0] [c000000000303f04] store_scan+0x104/0x114
[  241.223727] [c0000003f07c3cb0] [c0000000002d5ac4] dev_attr_store+0x30/0x4c
[  241.223741] [c0000003f07c3cd0] [c0000000001dbc34] sysfs_kf_write+0x64/0x78
[  241.223756] [c0000003f07c3cf0] [c0000000001da858] kernfs_fop_write+0x170/0x1b8
[  241.223773] [c0000003f07c3d40] [c0000000001621fc] __vfs_write+0x34/0x60
[  241.223787] [c0000003f07c3d60] [c000000000163c2c] vfs_write+0xa8/0xcc
[  241.223802] [c0000003f07c3db0] [c000000000163df4] ksys_write+0x70/0xbc
[  241.223816] [c0000003f07c3e20] [c00000000000b40c] system_call+0x5c/0x68

As a part of the scan process Linux will allocate and configure a
scsi_device for each target to be scanned. If the device is not present,
then the scsi_device is torn down. As a part of scsi_device teardown a
workqueue item will be scheduled and the lockups we see are because there
are 250k workqueue items to be processed.  Accoding to the specification of
SIS-64 sas controller, max_channel should be decreased on SIS-64 adapters
to 4.

The patch fixes softlockup issue.

Thanks for Oliver Halloran's help with debugging and explanation!

Link: https://lore.kernel.org/r/1583510248-23672-1-git-send-email-wenxiong@linux.vnet.ibm.com
Signed-off-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ipr.c | 3 ++-
 drivers/scsi/ipr.h | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index 35d54ee1c5c74..b172f0a020834 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -9962,6 +9962,7 @@ static void ipr_init_ioa_cfg(struct ipr_ioa_cfg *ioa_cfg,
 	ioa_cfg->max_devs_supported = ipr_max_devs;
 
 	if (ioa_cfg->sis64) {
+		host->max_channel = IPR_MAX_SIS64_BUSES;
 		host->max_id = IPR_MAX_SIS64_TARGETS_PER_BUS;
 		host->max_lun = IPR_MAX_SIS64_LUNS_PER_TARGET;
 		if (ipr_max_devs > IPR_MAX_SIS64_DEVS)
@@ -9970,6 +9971,7 @@ static void ipr_init_ioa_cfg(struct ipr_ioa_cfg *ioa_cfg,
 					   + ((sizeof(struct ipr_config_table_entry64)
 					       * ioa_cfg->max_devs_supported)));
 	} else {
+		host->max_channel = IPR_VSET_BUS;
 		host->max_id = IPR_MAX_NUM_TARGETS_PER_BUS;
 		host->max_lun = IPR_MAX_NUM_LUNS_PER_TARGET;
 		if (ipr_max_devs > IPR_MAX_PHYSICAL_DEVS)
@@ -9979,7 +9981,6 @@ static void ipr_init_ioa_cfg(struct ipr_ioa_cfg *ioa_cfg,
 					       * ioa_cfg->max_devs_supported)));
 	}
 
-	host->max_channel = IPR_VSET_BUS;
 	host->unique_id = host->host_no;
 	host->max_cmd_len = IPR_MAX_CDB_LEN;
 	host->can_queue = ioa_cfg->max_cmds;
diff --git a/drivers/scsi/ipr.h b/drivers/scsi/ipr.h
index 085e6c90f9e6a..89b36987ff309 100644
--- a/drivers/scsi/ipr.h
+++ b/drivers/scsi/ipr.h
@@ -1306,6 +1306,7 @@ struct ipr_resource_entry {
 #define IPR_ARRAY_VIRTUAL_BUS			0x1
 #define IPR_VSET_VIRTUAL_BUS			0x2
 #define IPR_IOAFP_VIRTUAL_BUS			0x3
+#define IPR_MAX_SIS64_BUSES			0x4
 
 #define IPR_GET_RES_PHYS_LOC(res) \
 	(((res)->bus << 24) | ((res)->target << 8) | (res)->lun)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 082/148] mac80211: Do not send mesh HWMP PREQ if HWMP is disabled
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 081/148] scsi: ipr: Fix softlockup when rescanning devices in petitboot Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 083/148] dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Cavallari, Johannes Berg,
	Sasha Levin

From: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>

[ Upstream commit ba32679cac50c38fdf488296f96b1f3175532b8e ]

When trying to transmit to an unknown destination, the mesh code would
unconditionally transmit a HWMP PREQ even if HWMP is not the current
path selection algorithm.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Link: https://lore.kernel.org/r/20200305140409.12204-1-cavallar@lri.fr
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/mesh_hwmp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 994dde6e5f9d9..986e9b6b961d2 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -1137,7 +1137,8 @@ int mesh_nexthop_resolve(struct ieee80211_sub_if_data *sdata,
 		}
 	}
 
-	if (!(mpath->flags & MESH_PATH_RESOLVING))
+	if (!(mpath->flags & MESH_PATH_RESOLVING) &&
+	    mesh_path_sel_is_hwmp(sdata))
 		mesh_queue_preq(mpath, PREQ_Q_F_START);
 
 	if (skb_queue_len(&mpath->frame_queue) >= MESH_FRAME_QUEUE_LEN)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 083/148] dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 082/148] mac80211: Do not send mesh HWMP PREQ if HWMP is disabled Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 084/148] sxgbe: Fix off by one in samsung driver strncpy size arg Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Madalin Bucur,
	David S. Miller, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 7395f62d95aafacdb9bd4996ec2f95b4a655d7e6 ]

Clang warns:

drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:2860:9: warning:
converting the result of '?:' with integer constants to a boolean always
evaluates to 'true' [-Wtautological-constant-compare]
        return DPAA_FD_DATA_ALIGNMENT ? ALIGN(headroom,
               ^
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:131:34: note: expanded
from macro 'DPAA_FD_DATA_ALIGNMENT'
\#define DPAA_FD_DATA_ALIGNMENT  (fman_has_errata_a050385() ? 64 : 16)
                                 ^
1 warning generated.

This was exposed by commit 3c68b8fffb48 ("dpaa_eth: FMan erratum A050385
workaround") even though it appears to have been an issue since the
introductory commit 9ad1a3749333 ("dpaa_eth: add support for DPAA
Ethernet") since DPAA_FD_DATA_ALIGNMENT has never been able to be zero.

Just replace the whole boolean expression with the true branch, as it is
always been true.

Link: https://github.com/ClangBuiltLinux/linux/issues/928
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Madalin Bucur <madalin.bucur@oss.nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
index 39b8b6730e77c..67246d42c3d9f 100644
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -2646,9 +2646,7 @@ static inline u16 dpaa_get_headroom(struct dpaa_buffer_layout *bl)
 	headroom = (u16)(bl->priv_data_size + DPAA_PARSE_RESULTS_SIZE +
 		DPAA_TIME_STAMP_SIZE + DPAA_HASH_RESULTS_SIZE);
 
-	return DPAA_FD_DATA_ALIGNMENT ? ALIGN(headroom,
-					      DPAA_FD_DATA_ALIGNMENT) :
-					headroom;
+	return ALIGN(headroom, DPAA_FD_DATA_ALIGNMENT);
 }
 
 static int dpaa_eth_probe(struct platform_device *pdev)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 084/148] sxgbe: Fix off by one in samsung driver strncpy size arg
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 083/148] dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 085/148] arm64: ptrace: map SPSR_ELx<->PSR for compat tasks Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dominik Czarnota, David S. Miller,
	Sasha Levin

From: Dominik Czarnota <dominik.b.czarnota@gmail.com>

[ Upstream commit f3cc008bf6d59b8d93b4190e01d3e557b0040e15 ]

This patch fixes an off-by-one error in strncpy size argument in
drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c. The issue is that in:

        strncmp(opt, "eee_timer:", 6)

the passed string literal: "eee_timer:" has 10 bytes (without the NULL
byte) and the passed size argument is 6. As a result, the logic will
also accept other, malformed strings, e.g. "eee_tiXXX:".

This bug doesn't seem to have any security impact since its present in
module's cmdline parsing code.

Signed-off-by: Dominik Czarnota <dominik.b.czarnota@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c b/drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c
index 89831adb8eb75..6d27eec85fcef 100644
--- a/drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c
+++ b/drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c
@@ -2284,7 +2284,7 @@ static int __init sxgbe_cmdline_opt(char *str)
 	if (!str || !*str)
 		return -EINVAL;
 	while ((opt = strsep(&str, ",")) != NULL) {
-		if (!strncmp(opt, "eee_timer:", 6)) {
+		if (!strncmp(opt, "eee_timer:", 10)) {
 			if (kstrtoint(opt + 10, 0, &eee_timer))
 				goto err;
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 085/148] arm64: ptrace: map SPSR_ELx<->PSR for compat tasks
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 084/148] sxgbe: Fix off by one in samsung driver strncpy size arg Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 086/148] arm64: compat: map SPSR_ELx<->PSR for signals Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Catalin Marinas,
	Suzuki Poulose, Will Deacon, Guenter Roeck

From: Mark Rutland <mark.rutland@arm.com>

commit 76fc52bd07d3e9cb708f1a50b60c825c96acd606 upstream.

The SPSR_ELx format for exceptions taken from AArch32 is slightly
different to the AArch32 PSR format.

Map between the two in the compat ptrace code.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Fixes: 7206dc93a58fb764 ("arm64: Expose Arm v8.4 features")
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Suzuki Poulose <suzuki.poulose@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/ptrace.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -833,6 +833,7 @@ static int compat_gpr_get(struct task_st
 			break;
 		case 16:
 			reg = task_pt_regs(target)->pstate;
+			reg = pstate_to_compat_psr(reg);
 			break;
 		case 17:
 			reg = task_pt_regs(target)->orig_x0;
@@ -900,6 +901,7 @@ static int compat_gpr_set(struct task_st
 			newregs.pc = reg;
 			break;
 		case 16:
+			reg = compat_psr_to_pstate(reg);
 			newregs.pstate = reg;
 			break;
 		case 17:



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 086/148] arm64: compat: map SPSR_ELx<->PSR for signals
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 085/148] arm64: ptrace: map SPSR_ELx<->PSR for compat tasks Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:17 ` [PATCH 4.14 087/148] ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Catalin Marinas,
	Suzuki Poulose, Will Deacon, Guenter Roeck

From: Mark Rutland <mark.rutland@arm.com>

commit 25dc2c80cfa33153057aa94984855acd57adf92a upstream.

The SPSR_ELx format for exceptions taken from AArch32 differs from the
AArch32 PSR format. Thus, we must translate between the two when setting
up a compat sigframe, or restoring context from a compat sigframe.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Fixes: 7206dc93a58fb764 ("arm64: Expose Arm v8.4 features")
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Suzuki Poulose <suzuki.poulose@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/signal32.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/signal32.c
+++ b/arch/arm64/kernel/signal32.c
@@ -321,6 +321,7 @@ static int compat_restore_sigframe(struc
 	int err;
 	sigset_t set;
 	struct compat_aux_sigframe __user *aux;
+	unsigned long psr;
 
 	err = get_sigset_t(&set, &sf->uc.uc_sigmask);
 	if (err == 0) {
@@ -344,7 +345,9 @@ static int compat_restore_sigframe(struc
 	__get_user_error(regs->compat_sp, &sf->uc.uc_mcontext.arm_sp, err);
 	__get_user_error(regs->compat_lr, &sf->uc.uc_mcontext.arm_lr, err);
 	__get_user_error(regs->pc, &sf->uc.uc_mcontext.arm_pc, err);
-	__get_user_error(regs->pstate, &sf->uc.uc_mcontext.arm_cpsr, err);
+	__get_user_error(psr, &sf->uc.uc_mcontext.arm_cpsr, err);
+
+	regs->pstate = compat_psr_to_pstate(psr);
 
 	/*
 	 * Avoid compat_sys_sigreturn() restarting.
@@ -500,6 +503,7 @@ static int compat_setup_sigframe(struct
 				 struct pt_regs *regs, sigset_t *set)
 {
 	struct compat_aux_sigframe __user *aux;
+	unsigned long psr = pstate_to_compat_psr(regs->pstate);
 	int err = 0;
 
 	__put_user_error(regs->regs[0], &sf->uc.uc_mcontext.arm_r0, err);
@@ -518,7 +522,7 @@ static int compat_setup_sigframe(struct
 	__put_user_error(regs->compat_sp, &sf->uc.uc_mcontext.arm_sp, err);
 	__put_user_error(regs->compat_lr, &sf->uc.uc_mcontext.arm_lr, err);
 	__put_user_error(regs->pc, &sf->uc.uc_mcontext.arm_pc, err);
-	__put_user_error(regs->pstate, &sf->uc.uc_mcontext.arm_cpsr, err);
+	__put_user_error(psr, &sf->uc.uc_mcontext.arm_cpsr, err);
 
 	__put_user_error((compat_ulong_t)0, &sf->uc.uc_mcontext.trap_no, err);
 	/* set the compat FSR WnR */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 087/148] ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 086/148] arm64: compat: map SPSR_ELx<->PSR for signals Greg Kroah-Hartman
@ 2020-04-01 16:17 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 088/148] i2c: hix5hd2: add missed clk_disable_unprepare in remove Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Kosina, Steven Rostedt (VMware),
	Guenter Roeck

From: Jiri Kosina <jkosina@suse.cz>

commit 074376ac0e1d1fcd4fafebca86ee6158e7c20680 upstream.

ftrace_arch_code_modify_prepare() is acquiring text_mutex, while the
corresponding release is happening in ftrace_arch_code_modify_post_process().

This has already been documented in the code, but let's also make the fact
that this is intentional clear to the semantic analysis tools such as sparse.

Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1906292321170.27227@cbobk.fhfr.pm

Fixes: 39611265edc1a ("ftrace/x86: Add a comment to why we take text_mutex in ftrace_arch_code_modify_prepare()")
Fixes: d5b844a2cf507 ("ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()")
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/ftrace.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kernel/ftrace.c
+++ b/arch/x86/kernel/ftrace.c
@@ -36,6 +36,7 @@
 #ifdef CONFIG_DYNAMIC_FTRACE
 
 int ftrace_arch_code_modify_prepare(void)
+    __acquires(&text_mutex)
 {
 	mutex_lock(&text_mutex);
 	set_kernel_text_rw();
@@ -44,6 +45,7 @@ int ftrace_arch_code_modify_prepare(void
 }
 
 int ftrace_arch_code_modify_post_process(void)
+    __releases(&text_mutex)
 {
 	set_all_modules_text_ro();
 	set_kernel_text_ro();



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 088/148] i2c: hix5hd2: add missed clk_disable_unprepare in remove
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2020-04-01 16:17 ` [PATCH 4.14 087/148] ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare() Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 089/148] Input: synaptics - enable RMI on HP Envy 13-ad105ng Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuhong Yuan, Wolfram Sang, stable

From: Chuhong Yuan <hslester96@gmail.com>

commit e1b9f99ff8c40bba6e59de9ad4a659447b1e4112 upstream.

The driver forgets to disable and unprepare clk when remove.
Add a call to clk_disable_unprepare to fix it.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/busses/i2c-hix5hd2.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/i2c/busses/i2c-hix5hd2.c
+++ b/drivers/i2c/busses/i2c-hix5hd2.c
@@ -498,6 +498,7 @@ static int hix5hd2_i2c_remove(struct pla
 	i2c_del_adapter(&priv->adap);
 	pm_runtime_disable(priv->dev);
 	pm_runtime_set_suspended(priv->dev);
+	clk_disable_unprepare(priv->clk);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 089/148] Input: synaptics - enable RMI on HP Envy 13-ad105ng
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 088/148] i2c: hix5hd2: add missed clk_disable_unprepare in remove Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 090/148] Input: avoid BIT() macro usage in the serio.h UAPI header Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yussuf Khalil, Dmitry Torokhov

From: Yussuf Khalil <dev@pp3345.net>

commit 1369d0abe469fb4cdea8a5bce219d38cb857a658 upstream.

This laptop (and perhaps other variants of the same model) reports an
SMBus-capable Synaptics touchpad. Everything (including suspend and
resume) works fine when RMI is enabled via the kernel command line, so
let's add it to the whitelist.

Signed-off-by: Yussuf Khalil <dev@pp3345.net>
Link: https://lore.kernel.org/r/20200307213508.267187-1-dev@pp3345.net
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/synaptics.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -189,6 +189,7 @@ static const char * const smbus_pnp_ids[
 	"SYN3052", /* HP EliteBook 840 G4 */
 	"SYN3221", /* HP 15-ay000 */
 	"SYN323d", /* HP Spectre X360 13-w013dx */
+	"SYN3257", /* HP Envy 13-ad105ng */
 	NULL
 };
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 090/148] Input: avoid BIT() macro usage in the serio.h UAPI header
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 089/148] Input: synaptics - enable RMI on HP Envy 13-ad105ng Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 091/148] ARM: dts: dra7: Add bus_dma_limit for L3 bus Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eugene Syromiatnikov, Dmitry Torokhov

From: Eugene Syromiatnikov <esyr@redhat.com>

commit 52afa505a03d914081f40cb869a3248567a57573 upstream.

The commit 19ba1eb15a2a ("Input: psmouse - add a custom serio protocol
to send extra information") introduced usage of the BIT() macro
for SERIO_* flags; this macro is not provided in UAPI headers.
Replace if with similarly defined _BITUL() macro defined
in <linux/const.h>.

Fixes: 19ba1eb15a2a ("Input: psmouse - add a custom serio protocol to send extra information")
Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
Cc: <stable@vger.kernel.org> # v5.0+
Link: https://lore.kernel.org/r/20200324041341.GA32335@asgard.redhat.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/uapi/linux/serio.h |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/include/uapi/linux/serio.h
+++ b/include/uapi/linux/serio.h
@@ -9,7 +9,7 @@
 #ifndef _UAPI_SERIO_H
 #define _UAPI_SERIO_H
 
-
+#include <linux/const.h>
 #include <linux/ioctl.h>
 
 #define SPIOCSTYPE	_IOW('q', 0x01, unsigned long)
@@ -18,10 +18,10 @@
 /*
  * bit masks for use in "interrupt" flags (3rd argument)
  */
-#define SERIO_TIMEOUT	BIT(0)
-#define SERIO_PARITY	BIT(1)
-#define SERIO_FRAME	BIT(2)
-#define SERIO_OOB_DATA	BIT(3)
+#define SERIO_TIMEOUT	_BITUL(0)
+#define SERIO_PARITY	_BITUL(1)
+#define SERIO_FRAME	_BITUL(2)
+#define SERIO_OOB_DATA	_BITUL(3)
 
 /*
  * Serio types



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 091/148] ARM: dts: dra7: Add bus_dma_limit for L3 bus
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 090/148] Input: avoid BIT() macro usage in the serio.h UAPI header Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 092/148] ARM: dts: omap5: " Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roger Quadros, stable, Tony Lindgren

From: Roger Quadros <rogerq@ti.com>

commit cfb5d65f25959f724081bae8445a0241db606af6 upstream.

The L3 interconnect's memory map is from 0x0 to
0xffffffff. Out of this, System memory (SDRAM) can be
accessed from 0x80000000 to 0xffffffff (2GB)

DRA7 does support 4GB of SDRAM but upper 2GB can only be
accessed by the MPU subsystem.

Add the dma-ranges property to reflect the physical address limit
of the L3 bus.

Issues ere observed only with SATA on DRA7-EVM with 4GB RAM
and CONFIG_ARM_LPAE enabled. This is because the controller
supports 64-bit DMA and its driver sets the dma_mask to 64-bit
thus resulting in DMA accesses beyond L3 limit of 2G.

Setting the correct bus_dma_limit fixes the issue.

Signed-off-by: Roger Quadros <rogerq@ti.com>
Cc: stable@kernel.org
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/dra7.dtsi |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/dra7.dtsi
+++ b/arch/arm/boot/dts/dra7.dtsi
@@ -137,6 +137,7 @@
 		#address-cells = <1>;
 		#size-cells = <1>;
 		ranges = <0x0 0x0 0x0 0xc0000000>;
+		dma-ranges = <0x80000000 0x0 0x80000000 0x80000000>;
 		ti,hwmods = "l3_main_1", "l3_main_2";
 		reg = <0x0 0x44000000 0x0 0x1000000>,
 		      <0x0 0x45000000 0x0 0x1000>;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 092/148] ARM: dts: omap5: Add bus_dma_limit for L3 bus
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 091/148] ARM: dts: dra7: Add bus_dma_limit for L3 bus Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 093/148] perf probe: Do not depend on dwfl_module_addrsym() Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Roger Quadros, Tony Lindgren

From: Roger Quadros <rogerq@ti.com>

commit dfa7ea303f56a3a8b1ed3b91ef35af2da67ca4ee upstream.

The L3 interconnect's memory map is from 0x0 to
0xffffffff. Out of this, System memory (SDRAM) can be
accessed from 0x80000000 to 0xffffffff (2GB)

OMAP5 does support 4GB of SDRAM but upper 2GB can only be
accessed by the MPU subsystem.

Add the dma-ranges property to reflect the physical address limit
of the L3 bus.

Cc: stable@kernel.org
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/omap5.dtsi |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/omap5.dtsi
+++ b/arch/arm/boot/dts/omap5.dtsi
@@ -131,6 +131,7 @@
 		#address-cells = <1>;
 		#size-cells = <1>;
 		ranges = <0 0 0 0xc0000000>;
+		dma-ranges = <0x80000000 0x0 0x80000000 0x80000000>;
 		ti,hwmods = "l3_main_1", "l3_main_2", "l3_main_3";
 		reg = <0 0x44000000 0 0x2000>,
 		      <0 0x44800000 0 0x3000>,



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 093/148] perf probe: Do not depend on dwfl_module_addrsym()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 092/148] ARM: dts: omap5: " Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 094/148] tools: Let O= makes handle a relative path with -C option Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Ghiti, Masami Hiramatsu,
	Alexander Shishkin, Jiri Olsa, Namhyung Kim, Peter Zijlstra,
	Sasha Levin, Arnaldo Carvalho de Melo

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 1efde2754275dbd9d11c6e0132a4f09facf297ab upstream.

Do not depend on dwfl_module_addrsym() because it can fail on user-space
shared libraries.

Actually, same bug was fixed by commit 664fee3dc379 ("perf probe: Do not
use dwfl_module_addrsym if dwarf_diename finds symbol name"), but commit
07d369857808 ("perf probe: Fix wrong address verification) reverted to
get actual symbol address from symtab.

This fixes it again by getting symbol address from DIE, and only if the
DIE has only address range, it uses dwfl_module_addrsym().

Fixes: 07d369857808 ("perf probe: Fix wrong address verification)
Reported-by: Alexandre Ghiti <alex@ghiti.fr>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Alexandre Ghiti <alex@ghiti.fr>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sashal@kernel.org>
Link: http://lore.kernel.org/lkml/158281812176.476.14164573830975116234.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/probe-finder.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -626,14 +626,19 @@ static int convert_to_trace_point(Dwarf_
 		return -EINVAL;
 	}
 
-	/* Try to get actual symbol name from symtab */
-	symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
+	if (dwarf_entrypc(sp_die, &eaddr) == 0) {
+		/* If the DIE has entrypc, use it. */
+		symbol = dwarf_diename(sp_die);
+	} else {
+		/* Try to get actual symbol name and address from symtab */
+		symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
+		eaddr = sym.st_value;
+	}
 	if (!symbol) {
 		pr_warning("Failed to find symbol at 0x%lx\n",
 			   (unsigned long)paddr);
 		return -ENOENT;
 	}
-	eaddr = sym.st_value;
 
 	tp->offset = (unsigned long)(paddr - eaddr);
 	tp->address = (unsigned long)paddr;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 094/148] tools: Let O= makes handle a relative path with -C option
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 093/148] perf probe: Do not depend on dwfl_module_addrsym() Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 095/148] scripts/dtc: Remove redundant YYLOC global declaration Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Masami Hiramatsu,
	Andrew Morton, Borislav Petkov, Geert Uytterhoeven, Jiri Olsa,
	Masahiro Yamada, Michal Marek, Peter Zijlstra, Sasha Levin,
	Steven Rostedt (VMware),
	Arnaldo Carvalho de Melo

From: Masami Hiramatsu <mhiramat@kernel.org>

commit be40920fbf1003c38ccdc02b571e01a75d890c82 upstream.

When I tried to compile tools/perf from the top directory with the -C
option, the O= option didn't work correctly if I passed a relative path:

  $ make O=BUILD -C tools/perf/
  make: Entering directory '/home/mhiramat/ksrc/linux/tools/perf'
    BUILD:   Doing 'make -j8' parallel build
  ../scripts/Makefile.include:4: *** O=/home/mhiramat/ksrc/linux/tools/perf/BUILD does not exist.  Stop.
  make: *** [Makefile:70: all] Error 2
  make: Leaving directory '/home/mhiramat/ksrc/linux/tools/perf'

The O= directory existence check failed because the check script ran in
the build target directory instead of the directory where I ran the make
command.

To fix that, once change directory to $(PWD) and check O= directory,
since the PWD is set to where the make command runs.

Fixes: c883122acc0d ("perf tools: Let O= makes handle relative paths")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Michal Marek <michal.lkml@markovi.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: stable@vger.kernel.org
Link: http://lore.kernel.org/lkml/158351957799.3363.15269768530697526765.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/Makefile            |    2 +-
 tools/scripts/Makefile.include |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/tools/perf/Makefile
+++ b/tools/perf/Makefile
@@ -35,7 +35,7 @@ endif
 # Only pass canonical directory names as the output directory:
 #
 ifneq ($(O),)
-  FULL_O := $(shell readlink -f $(O) || echo $(O))
+  FULL_O := $(shell cd $(PWD); readlink -f $(O) || echo $(O))
 endif
 
 #
--- a/tools/scripts/Makefile.include
+++ b/tools/scripts/Makefile.include
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: GPL-2.0
 ifneq ($(O),)
 ifeq ($(origin O), command line)
-	dummy := $(if $(shell test -d $(O) || echo $(O)),$(error O=$(O) does not exist),)
-	ABSOLUTE_O := $(shell cd $(O) ; pwd)
+	dummy := $(if $(shell cd $(PWD); test -d $(O) || echo $(O)),$(error O=$(O) does not exist),)
+	ABSOLUTE_O := $(shell cd $(PWD); cd $(O) ; pwd)
 	OUTPUT := $(ABSOLUTE_O)/$(if $(subdir),$(subdir)/)
 	COMMAND_O := O=$(ABSOLUTE_O)
 ifeq ($(objtree),)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 095/148] scripts/dtc: Remove redundant YYLOC global declaration
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 094/148] tools: Let O= makes handle a relative path with -C option Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 096/148] scsi: sd: Fix optimal I/O size for devices that change reported values Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dirk Mueller, David Gibson, Rob Herring

From: Dirk Mueller <dmueller@suse.com>

commit e33a814e772cdc36436c8c188d8c42d019fda639 upstream.

gcc 10 will default to -fno-common, which causes this error at link
time:

  (.text+0x0): multiple definition of `yylloc'; dtc-lexer.lex.o (symbol from plugin):(.text+0x0): first defined here

This is because both dtc-lexer as well as dtc-parser define the same
global symbol yyloc. Before with -fcommon those were merged into one
defintion. The proper solution would be to to mark this as "extern",
however that leads to:

  dtc-lexer.l:26:16: error: redundant redeclaration of 'yylloc' [-Werror=redundant-decls]
   26 | extern YYLTYPE yylloc;
      |                ^~~~~~
In file included from dtc-lexer.l:24:
dtc-parser.tab.h:127:16: note: previous declaration of 'yylloc' was here
  127 | extern YYLTYPE yylloc;
      |                ^~~~~~
cc1: all warnings being treated as errors

which means the declaration is completely redundant and can just be
dropped.

Signed-off-by: Dirk Mueller <dmueller@suse.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
[robh: cherry-pick from upstream]
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 scripts/dtc/dtc-lexer.l |    1 -
 1 file changed, 1 deletion(-)

--- a/scripts/dtc/dtc-lexer.l
+++ b/scripts/dtc/dtc-lexer.l
@@ -38,7 +38,6 @@ LINECOMMENT	"//".*\n
 #include "srcpos.h"
 #include "dtc-parser.tab.h"
 
-YYLTYPE yylloc;
 extern bool treesource_error;
 
 /* CAUTION: this will stop working if we ever use yyless() or yyunput() */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 096/148] scsi: sd: Fix optimal I/O size for devices that change reported values
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 095/148] scripts/dtc: Remove redundant YYLOC global declaration Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 097/148] mac80211: mark station unauthorized before key removal Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bryan Gurney, Bernhard Sulzer,
	Martin K. Petersen

From: Martin K. Petersen <martin.petersen@oracle.com>

commit ea697a8bf5a4161e59806fab14f6e4a46dc7dcb0 upstream.

Some USB bridge devices will return a default set of characteristics during
initialization. And then, once an attached drive has spun up, substitute
the actual parameters reported by the drive. According to the SCSI spec,
the device should return a UNIT ATTENTION in case any reported parameters
change. But in this case the change is made silently after a small window
where default values are reported.

Commit a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple of
physical block size") validated the reported optimal I/O size against the
physical block size to overcome problems with devices reporting nonsensical
transfer sizes. However, this validation did not account for the fact that
aforementioned devices will return default values during a brief window
during spin-up. The subsequent change in reported characteristics would
invalidate the checking that had previously been performed.

Unset a previously configured optimal I/O size should the sanity checking
fail on subsequent revalidate attempts.

Link: https://lore.kernel.org/r/33fb522e-4f61-1b76-914f-c9e6a3553c9b@gmail.com
Cc: Bryan Gurney <bgurney@redhat.com>
Cc: <stable@vger.kernel.org>
Reported-by: Bernhard Sulzer <micraft.b@gmail.com>
Tested-by: Bernhard Sulzer <micraft.b@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sd.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3212,9 +3212,11 @@ static int sd_revalidate_disk(struct gen
 	if (sd_validate_opt_xfer_size(sdkp, dev_max)) {
 		q->limits.io_opt = logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
 		rw_max = logical_to_sectors(sdp, sdkp->opt_xfer_blocks);
-	} else
+	} else {
+		q->limits.io_opt = 0;
 		rw_max = min_not_zero(logical_to_sectors(sdp, dev_max),
 				      (sector_t)BLK_DEF_MAX_SECTORS);
+	}
 
 	/* Do not exceed controller limit */
 	rw_max = min(rw_max, queue_max_hw_sectors(q));



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 097/148] mac80211: mark station unauthorized before key removal
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 096/148] scsi: sd: Fix optimal I/O size for devices that change reported values Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 098/148] gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg

From: Johannes Berg <johannes.berg@intel.com>

commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream.

If a station is still marked as authorized, mark it as no longer
so before removing its keys. This allows frames transmitted to it
to be rejected, providing additional protection against leaking
plain text data during the disconnection flow.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/sta_info.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -3,6 +3,7 @@
  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
  * Copyright 2013-2014  Intel Mobile Communications GmbH
  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
+ * Copyright (C) 2018-2020 Intel Corporation
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -951,6 +952,11 @@ static void __sta_info_destroy_part2(str
 	might_sleep();
 	lockdep_assert_held(&local->sta_mtx);
 
+	while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
+		ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
+		WARN_ON_ONCE(ret);
+	}
+
 	/* now keys can no longer be reached */
 	ieee80211_free_sta_keys(local, sta);
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 098/148] gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 097/148] mac80211: mark station unauthorized before key removal Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 099/148] gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Mika Westerberg,
	Linus Walleij

From: Hans de Goede <hdegoede@redhat.com>

commit efaa87fa0947d525cf7c075316adde4e3ac7720b upstream.

Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option +
quirk mechanism") added a quirk for some models of the HP x2 10 series.

There are 2 issues with the comment describing the quirk:
1) The comment claims the DMI quirk applies to all Cherry Trail based HP x2
   10 models. In the mean time I have learned that there are at least 3
   models of the HP x2 10 models:

   Bay Trail SoC + AXP288 PMIC
   Cherry Trail SoC + AXP288 PMIC
   Cherry Trail SoC + TI PMIC

   And this quirk's DMI matches only match the Cherry Trail SoC + TI PMIC
   SoC, which is good because we want a slightly different quirk for the
   others. This commit updates the comment to make it clear that the quirk
   is only for the Cherry Trail SoC + TI PMIC models.

2) The comment says that it is ok to disable wakeup on all ACPI GPIO event
   handlers, because there is only the one for the embedded-controller
   events. This is not true, there also is a handler for the special
   INT0002 device which is related to USB wakeups. We need to also disable
   wakeups on that one because the device turns of the USB-keyboard built
   into the dock when closing the lid. The XHCI controller takes a while
   to notice this, so it only notices it when already suspended, causing
   a spurious wakeup because of this. So disabling wakeup on all handlers
   is the right thing to do, but not because there only is the one handler
   for the EC events. This commit updates the comment to correctly reflect
   this.

Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200302111225.6641-1-hdegoede@redhat.com
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpiolib-acpi.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -1348,12 +1348,14 @@ static const struct dmi_system_id gpioli
 	},
 	{
 		/*
-		 * Various HP X2 10 Cherry Trail models use an external
-		 * embedded-controller connected via I2C + an ACPI GPIO
-		 * event handler. The embedded controller generates various
-		 * spurious wakeup events when suspended. So disable wakeup
-		 * for its handler (it uses the only ACPI GPIO event handler).
-		 * This breaks wakeup when opening the lid, the user needs
+		 * HP X2 10 models with Cherry Trail SoC + TI PMIC use an
+		 * external embedded-controller connected via I2C + an ACPI GPIO
+		 * event handler on INT33FF:01 pin 0, causing spurious wakeups.
+		 * When suspending by closing the LID, the power to the USB
+		 * keyboard is turned off, causing INT0002 ACPI events to
+		 * trigger once the XHCI controller notices the keyboard is
+		 * gone. So INT0002 events cause spurious wakeups too. Ignoring
+		 * EC wakes breaks wakeup when opening the lid, the user needs
 		 * to press the power-button to wakeup the system. The
 		 * alternative is suspend simply not working, which is worse.
 		 */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 099/148] gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 098/148] gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 100/148] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Mika Westerberg,
	Andy Shevchenko, Linus Walleij

From: Hans de Goede <hdegoede@redhat.com>

commit 2ccb21f5516afef5e251184eeefbf36db90206d7 upstream.

Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option +
quirk mechanism") was added to deal with spurious wakeups on one specific
model of the HP x2 10 series.

The approach taken there was to add a bool controlling wakeup support for
all ACPI GPIO events. This was sufficient for the specific HP x2 10 model
the commit was trying to fix, but in the mean time other models have
turned up which need a similar workaround to avoid spurious wakeups from
suspend, but only for one of the pins on which the ACPI tables request
ACPI GPIO events.

Since the honor_wakeup option was added to be able to ignore wake events,
the name was perhaps not the best, this commit renames it to ignore_wake
and changes it to a string with the following format:
gpiolib_acpi.ignore_wake=controller@pin[,controller@pin[,...]]

This allows working around spurious wakeup issues on a per pin basis.

This commit also reworks the existing quirk for the HP x2 10 so that
it functions as before.

Note:
-This removes the honor_wakeup parameter. This has only been upstream for
 a short time and to the best of my knowledge there are no users using
 this module parameter.

-The controller@pin[,controller@pin[,...]] syntax is based on an existing
 kernel module parameter using the same controller@pin format. That version
 uses ';' as separator, but in practice that is problematic because grub2
 cannot handle this without taking special care to escape the ';', so here
 we are using a ',' as separator instead which does not have this issue.

Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200302111225.6641-2-hdegoede@redhat.com
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpiolib-acpi.c |   96 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 76 insertions(+), 20 deletions(-)

--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -24,18 +24,21 @@
 
 #include "gpiolib.h"
 
-#define QUIRK_NO_EDGE_EVENTS_ON_BOOT		0x01l
-#define QUIRK_NO_WAKEUP				0x02l
-
 static int run_edge_events_on_boot = -1;
 module_param(run_edge_events_on_boot, int, 0444);
 MODULE_PARM_DESC(run_edge_events_on_boot,
 		 "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto");
 
-static int honor_wakeup = -1;
-module_param(honor_wakeup, int, 0444);
-MODULE_PARM_DESC(honor_wakeup,
-		 "Honor the ACPI wake-capable flag: 0=no, 1=yes, -1=auto");
+static char *ignore_wake;
+module_param(ignore_wake, charp, 0444);
+MODULE_PARM_DESC(ignore_wake,
+		 "controller@pin combos on which to ignore the ACPI wake flag "
+		 "ignore_wake=controller@pin[,controller@pin[,...]]");
+
+struct acpi_gpiolib_dmi_quirk {
+	bool no_edge_events_on_boot;
+	char *ignore_wake;
+};
 
 /**
  * struct acpi_gpio_event - ACPI GPIO event handler data
@@ -262,6 +265,57 @@ static void acpi_gpiochip_request_irqs(s
 		acpi_gpiochip_request_irq(acpi_gpio, event);
 }
 
+static bool acpi_gpio_in_ignore_list(const char *controller_in, int pin_in)
+{
+	const char *controller, *pin_str;
+	int len, pin;
+	char *endp;
+
+	controller = ignore_wake;
+	while (controller) {
+		pin_str = strchr(controller, '@');
+		if (!pin_str)
+			goto err;
+
+		len = pin_str - controller;
+		if (len == strlen(controller_in) &&
+		    strncmp(controller, controller_in, len) == 0) {
+			pin = simple_strtoul(pin_str + 1, &endp, 10);
+			if (*endp != 0 && *endp != ',')
+				goto err;
+
+			if (pin == pin_in)
+				return true;
+		}
+
+		controller = strchr(controller, ',');
+		if (controller)
+			controller++;
+	}
+
+	return false;
+err:
+	pr_err_once("Error invalid value for gpiolib_acpi.ignore_wake: %s\n",
+		    ignore_wake);
+	return false;
+}
+
+static bool acpi_gpio_irq_is_wake(struct device *parent,
+				  struct acpi_resource_gpio *agpio)
+{
+	int pin = agpio->pin_table[0];
+
+	if (agpio->wake_capable != ACPI_WAKE_CAPABLE)
+		return false;
+
+	if (acpi_gpio_in_ignore_list(dev_name(parent), pin)) {
+		dev_info(parent, "Ignoring wakeup on pin %d\n", pin);
+		return false;
+	}
+
+	return true;
+}
+
 static acpi_status acpi_gpiochip_alloc_event(struct acpi_resource *ares,
 					     void *context)
 {
@@ -347,7 +401,7 @@ static acpi_status acpi_gpiochip_alloc_e
 	event->handle = evt_handle;
 	event->handler = handler;
 	event->irq = irq;
-	event->irq_is_wake = honor_wakeup && agpio->wake_capable == ACPI_WAKE_CAPABLE;
+	event->irq_is_wake = acpi_gpio_irq_is_wake(chip->parent, agpio);
 	event->pin = pin;
 	event->desc = desc;
 
@@ -1331,7 +1385,9 @@ static const struct dmi_system_id gpioli
 			DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
 		},
-		.driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT,
+		.driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+			.no_edge_events_on_boot = true,
+		},
 	},
 	{
 		/*
@@ -1344,7 +1400,9 @@ static const struct dmi_system_id gpioli
 			DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"),
 		},
-		.driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT,
+		.driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+			.no_edge_events_on_boot = true,
+		},
 	},
 	{
 		/*
@@ -1363,33 +1421,31 @@ static const struct dmi_system_id gpioli
 			DMI_MATCH(DMI_SYS_VENDOR, "HP"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "HP x2 Detachable 10-p0XX"),
 		},
-		.driver_data = (void *)QUIRK_NO_WAKEUP,
+		.driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+			.ignore_wake = "INT33FF:01@0,INT0002:00@2",
+		},
 	},
 	{} /* Terminating entry */
 };
 
 static int acpi_gpio_setup_params(void)
 {
+	const struct acpi_gpiolib_dmi_quirk *quirk = NULL;
 	const struct dmi_system_id *id;
-	long quirks = 0;
 
 	id = dmi_first_match(gpiolib_acpi_quirks);
 	if (id)
-		quirks = (long)id->driver_data;
+		quirk = id->driver_data;
 
 	if (run_edge_events_on_boot < 0) {
-		if (quirks & QUIRK_NO_EDGE_EVENTS_ON_BOOT)
+		if (quirk && quirk->no_edge_events_on_boot)
 			run_edge_events_on_boot = 0;
 		else
 			run_edge_events_on_boot = 1;
 	}
 
-	if (honor_wakeup < 0) {
-		if (quirks & QUIRK_NO_WAKEUP)
-			honor_wakeup = 0;
-		else
-			honor_wakeup = 1;
-	}
+	if (ignore_wake == NULL && quirk && quirk->ignore_wake)
+		ignore_wake = quirk->ignore_wake;
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 100/148] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 099/148] gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 101/148] RDMA/core: Ensure security pkey modify is not lost Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Mika Westerberg,
	Linus Walleij

From: Hans de Goede <hdegoede@redhat.com>

commit 0e91506ba00730f088961a8d39f8693b0f8e3fea upstream.

Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option +
quirk mechanism") was added to deal with spurious wakeups on one specific
model of the HP x2 10 series. In the mean time I have learned that there
are at least 3 different HP x2 10 models:

Bay Trail SoC + AXP288 PMIC
Cherry Trail SoC + AXP288 PMIC
Cherry Trail SoC + TI PMIC

And the original quirk is only correct for (and only matches the)
Cherry Trail SoC + TI PMIC model.

The Bay Trail SoC + AXP288 PMIC model has different DMI strings, has
the external EC interrupt on a different GPIO pin and only needs to ignore
wakeups on the EC interrupt, the INT0002 device works fine on this model.

This commit adds an extra DMI based quirk for the HP x2 10 BYT + AXP288
model, ignoring wakeups for ACPI GPIO events on the EC interrupt pin
on this model. This fixes spurious wakeups from suspend on this model.

Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200302111225.6641-3-hdegoede@redhat.com
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpiolib-acpi.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -1425,6 +1425,21 @@ static const struct dmi_system_id gpioli
 			.ignore_wake = "INT33FF:01@0,INT0002:00@2",
 		},
 	},
+	{
+		/*
+		 * HP X2 10 models with Bay Trail SoC + AXP288 PMIC use an
+		 * external embedded-controller connected via I2C + an ACPI GPIO
+		 * event handler on INT33FC:02 pin 28, causing spurious wakeups.
+		 */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion x2 Detachable"),
+			DMI_MATCH(DMI_BOARD_NAME, "815D"),
+		},
+		.driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+			.ignore_wake = "INT33FC:02@28",
+		},
+	},
 	{} /* Terminating entry */
 };
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 101/148] RDMA/core: Ensure security pkey modify is not lost
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 100/148] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 102/148] genirq: Fix reference leaks on irq affinity notifiers Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kaike Wan, Mike Marciniszyn,
	Leon Romanovsky, Jason Gunthorpe

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

commit 2d47fbacf2725a67869f4d3634c2415e7dfab2f4 upstream.

The following modify sequence (loosely based on ipoib) will lose a pkey
modifcation:

- Modify (pkey index, port)
- Modify (new pkey index, NO port)

After the first modify, the qp_pps list will have saved the pkey and the
unit on the main list.

During the second modify, get_new_pps() will fetch the port from qp_pps
and read the new pkey index from qp_attr->pkey_index.  The state will
still be zero, or IB_PORT_PKEY_NOT_VALID. Because of the invalid state,
the new values will never replace the one in the qp pps list, losing the
new pkey.

This happens because the following if statements will never correct the
state because the first term will be false. If the code had been executed,
it would incorrectly overwrite valid values.

  if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT))
	  new_pps->main.state = IB_PORT_PKEY_VALID;

  if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) {
	  new_pps->main.port_num = qp_pps->main.port_num;
	  new_pps->main.pkey_index = qp_pps->main.pkey_index;
	  if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
		  new_pps->main.state = IB_PORT_PKEY_VALID;
  }

Fix by joining the two if statements with an or test to see if qp_pps is
non-NULL and in the correct state.

Fixes: 1dd017882e01 ("RDMA/core: Fix protection fault in get_pkey_idx_qp_list")
Link: https://lore.kernel.org/r/20200313124704.14982.55907.stgit@awfm-01.aw.intel.com
Reviewed-by: Kaike Wan <kaike.wan@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/security.c |   11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/core/security.c
+++ b/drivers/infiniband/core/security.c
@@ -348,16 +348,11 @@ static struct ib_ports_pkeys *get_new_pp
 	else if (qp_pps)
 		new_pps->main.pkey_index = qp_pps->main.pkey_index;
 
-	if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT))
+	if (((qp_attr_mask & IB_QP_PKEY_INDEX) &&
+	     (qp_attr_mask & IB_QP_PORT)) ||
+	    (qp_pps && qp_pps->main.state != IB_PORT_PKEY_NOT_VALID))
 		new_pps->main.state = IB_PORT_PKEY_VALID;
 
-	if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) {
-		new_pps->main.port_num = qp_pps->main.port_num;
-		new_pps->main.pkey_index = qp_pps->main.pkey_index;
-		if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
-			new_pps->main.state = IB_PORT_PKEY_VALID;
-	}
-
 	if (qp_attr_mask & IB_QP_ALT_PATH) {
 		new_pps->alt.port_num = qp_attr->alt_port_num;
 		new_pps->alt.pkey_index = qp_attr->alt_pkey_index;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 102/148] genirq: Fix reference leaks on irq affinity notifiers
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 101/148] RDMA/core: Ensure security pkey modify is not lost Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 103/148] xfrm: handle NETDEV_UNREGISTER for xfrm device Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Edward Cree, Thomas Gleixner, Ben Hutchings

From: Edward Cree <ecree@solarflare.com>

commit df81dfcfd6991d547653d46c051bac195cd182c1 upstream.

The handling of notify->work did not properly maintain notify->kref in two
 cases:
1) where the work was already scheduled, another irq_set_affinity_locked()
   would get the ref and (no-op-ly) schedule the work.  Thus when
   irq_affinity_notify() ran, it would drop the original ref but not the
   additional one.
2) when cancelling the (old) work in irq_set_affinity_notifier(), if there
   was outstanding work a ref had been got for it but was never put.
Fix both by checking the return values of the work handling functions
 (schedule_work() for (1) and cancel_work_sync() for (2)) and put the
 extra ref if the return value indicates preexisting work.

Fixes: cd7eab44e994 ("genirq: Add IRQ affinity notifiers")
Fixes: 59c39840f5ab ("genirq: Prevent use-after-free and work list corruption")
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Ben Hutchings <ben@decadent.org.uk>
Link: https://lkml.kernel.org/r/24f5983f-2ab5-e83a-44ee-a45b5f9300f5@solarflare.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/irq/manage.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -224,7 +224,11 @@ int irq_set_affinity_locked(struct irq_d
 
 	if (desc->affinity_notify) {
 		kref_get(&desc->affinity_notify->kref);
-		schedule_work(&desc->affinity_notify->work);
+		if (!schedule_work(&desc->affinity_notify->work)) {
+			/* Work was already scheduled, drop our extra ref */
+			kref_put(&desc->affinity_notify->kref,
+				 desc->affinity_notify->release);
+		}
 	}
 	irqd_set(data, IRQD_AFFINITY_SET);
 
@@ -324,7 +328,10 @@ irq_set_affinity_notifier(unsigned int i
 	raw_spin_unlock_irqrestore(&desc->lock, flags);
 
 	if (old_notify) {
-		cancel_work_sync(&old_notify->work);
+		if (cancel_work_sync(&old_notify->work)) {
+			/* Pending work had a ref, put that one too */
+			kref_put(&old_notify->kref, old_notify->release);
+		}
 		kref_put(&old_notify->kref, old_notify->release);
 	}
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 103/148] xfrm: handle NETDEV_UNREGISTER for xfrm device
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 102/148] genirq: Fix reference leaks on irq affinity notifiers Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 104/148] vti[6]: fix packet tx through bpf_redirect() in XinY cases Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Raed Salem, Boris Pismenny,
	Saeed Mahameed, Steffen Klassert

From: Raed Salem <raeds@mellanox.com>

commit 03891f820c2117b19e80b370281eb924a09cf79f upstream.

This patch to handle the asynchronous unregister
device event so the device IPsec offload resources
could be cleanly released.

Fixes: e4db5b61c572 ("xfrm: policy: remove pcpu policy cache")
Signed-off-by: Raed Salem <raeds@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_device.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -187,6 +187,7 @@ static int xfrm_dev_event(struct notifie
 		return xfrm_dev_feat_change(dev);
 
 	case NETDEV_DOWN:
+	case NETDEV_UNREGISTER:
 		return xfrm_dev_down(dev);
 	}
 	return NOTIFY_DONE;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 104/148] vti[6]: fix packet tx through bpf_redirect() in XinY cases
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 103/148] xfrm: handle NETDEV_UNREGISTER for xfrm device Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 105/148] RDMA/mlx5: Block delay drop to unprivileged users Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Dichtel, Steffen Klassert

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>

commit f1ed10264ed6b66b9cd5e8461cffce69be482356 upstream.

I forgot the 4in6/6in4 cases in my previous patch. Let's fix them.

Fixes: 95224166a903 ("vti[6]: fix packet tx through bpf_redirect()")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/Kconfig   |    1 +
 net/ipv4/ip_vti.c  |   36 +++++++++++++++++++++++++++++-------
 net/ipv6/ip6_vti.c |   32 +++++++++++++++++++++++++-------
 3 files changed, 55 insertions(+), 14 deletions(-)

--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -297,6 +297,7 @@ config SYN_COOKIES
 
 config NET_IPVTI
 	tristate "Virtual (secure) IP: tunneling"
+	depends on IPV6 || IPV6=n
 	select INET_TUNNEL
 	select NET_IP_TUNNEL
 	depends on INET_XFRM_MODE_TUNNEL
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -208,17 +208,39 @@ static netdev_tx_t vti_xmit(struct sk_bu
 	int mtu;
 
 	if (!dst) {
-		struct rtable *rt;
+		switch (skb->protocol) {
+		case htons(ETH_P_IP): {
+			struct rtable *rt;
 
-		fl->u.ip4.flowi4_oif = dev->ifindex;
-		fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
-		rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4);
-		if (IS_ERR(rt)) {
+			fl->u.ip4.flowi4_oif = dev->ifindex;
+			fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
+			rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4);
+			if (IS_ERR(rt)) {
+				dev->stats.tx_carrier_errors++;
+				goto tx_error_icmp;
+			}
+			dst = &rt->dst;
+			skb_dst_set(skb, dst);
+			break;
+		}
+#if IS_ENABLED(CONFIG_IPV6)
+		case htons(ETH_P_IPV6):
+			fl->u.ip6.flowi6_oif = dev->ifindex;
+			fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
+			dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6);
+			if (dst->error) {
+				dst_release(dst);
+				dst = NULL;
+				dev->stats.tx_carrier_errors++;
+				goto tx_error_icmp;
+			}
+			skb_dst_set(skb, dst);
+			break;
+#endif
+		default:
 			dev->stats.tx_carrier_errors++;
 			goto tx_error_icmp;
 		}
-		dst = &rt->dst;
-		skb_dst_set(skb, dst);
 	}
 
 	dst_hold(dst);
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -454,15 +454,33 @@ vti6_xmit(struct sk_buff *skb, struct ne
 	int mtu;
 
 	if (!dst) {
-		fl->u.ip6.flowi6_oif = dev->ifindex;
-		fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
-		dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6);
-		if (dst->error) {
-			dst_release(dst);
-			dst = NULL;
+		switch (skb->protocol) {
+		case htons(ETH_P_IP): {
+			struct rtable *rt;
+
+			fl->u.ip4.flowi4_oif = dev->ifindex;
+			fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
+			rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4);
+			if (IS_ERR(rt))
+				goto tx_err_link_failure;
+			dst = &rt->dst;
+			skb_dst_set(skb, dst);
+			break;
+		}
+		case htons(ETH_P_IPV6):
+			fl->u.ip6.flowi6_oif = dev->ifindex;
+			fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
+			dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6);
+			if (dst->error) {
+				dst_release(dst);
+				dst = NULL;
+				goto tx_err_link_failure;
+			}
+			skb_dst_set(skb, dst);
+			break;
+		default:
 			goto tx_err_link_failure;
 		}
-		skb_dst_set(skb, dst);
 	}
 
 	dst_hold(dst);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 105/148] RDMA/mlx5: Block delay drop to unprivileged users
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 104/148] vti[6]: fix packet tx through bpf_redirect() in XinY cases Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 106/148] xfrm: fix uctx len check in verify_sec_ctx_len Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maor Gottlieb, Leon Romanovsky,
	Jason Gunthorpe

From: Maor Gottlieb <maorg@mellanox.com>

commit ba80013fba656b9830ef45cd40a6a1e44707f47a upstream.

It has been discovered that this feature can globally block the RX port,
so it should be allowed for highly privileged users only.

Fixes: 03404e8ae652("IB/mlx5: Add support to dropless RQ")
Link: https://lore.kernel.org/r/20200322124906.1173790-1-leon@kernel.org
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx5/qp.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -4896,6 +4896,10 @@ struct ib_wq *mlx5_ib_create_wq(struct i
 	if (udata->outlen && udata->outlen < min_resp_len)
 		return ERR_PTR(-EINVAL);
 
+	if (!capable(CAP_SYS_RAWIO) &&
+	    init_attr->create_flags & IB_WQ_FLAGS_DELAY_DROP)
+		return ERR_PTR(-EPERM);
+
 	dev = to_mdev(pd->device);
 	switch (init_attr->wq_type) {
 	case IB_WQT_RQ:



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 106/148] xfrm: fix uctx len check in verify_sec_ctx_len
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 105/148] RDMA/mlx5: Block delay drop to unprivileged users Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 107/148] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xin Long, Steffen Klassert

From: Xin Long <lucien.xin@gmail.com>

commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream.

It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.

This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_user.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -109,7 +109,8 @@ static inline int verify_sec_ctx_len(str
 		return 0;
 
 	uctx = nla_data(rt);
-	if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+	if (uctx->len > nla_len(rt) ||
+	    uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
 		return -EINVAL;
 
 	return 0;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 107/148] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 106/148] xfrm: fix uctx len check in verify_sec_ctx_len Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 108/148] xfrm: policy: Fix doulbe free in xfrm_policy_timer Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hangbin Liu, Xin Long, Steffen Klassert

From: Xin Long <lucien.xin@gmail.com>

commit a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 upstream.

Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
syz:

  BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
  Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650

  Call Trace:
   dump_stack+0xe8/0x16e
   print_address_description.cold.3+0x9/0x23b
   kasan_report.cold.4+0x64/0x95
   memcpy+0x1f/0x50
   selinux_xfrm_alloc_user+0x237/0x430
   security_xfrm_policy_alloc+0x5c/0xb0
   xfrm_policy_construct+0x2b1/0x650
   xfrm_add_acquire+0x21d/0xa10
   xfrm_user_rcv_msg+0x431/0x6f0
   netlink_rcv_skb+0x15a/0x410
   xfrm_netlink_rcv+0x6d/0x90
   netlink_unicast+0x50e/0x6a0
   netlink_sendmsg+0x8ae/0xd40
   sock_sendmsg+0x133/0x170
   ___sys_sendmsg+0x834/0x9a0
   __sys_sendmsg+0x100/0x1e0
   do_syscall_64+0xe5/0x660
   entry_SYSCALL_64_after_hwframe+0x6a/0xdf

So fix it by adding the missing verify_sec_ctx_len check there.

Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_user.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2214,6 +2214,9 @@ static int xfrm_add_acquire(struct sk_bu
 	err = verify_newpolicy_info(&ua->policy);
 	if (err)
 		goto free_state;
+	err = verify_sec_ctx_len(attrs);
+	if (err)
+		goto free_state;
 
 	/*   build an XP */
 	xp = xfrm_policy_construct(net, &ua->policy, attrs, &err);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 108/148] xfrm: policy: Fix doulbe free in xfrm_policy_timer
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 107/148] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 109/148] netfilter: nft_fwd_netdev: validate family and chain type Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, Timo Teräs,
	Herbert Xu, Steffen Klassert

From: YueHaibing <yuehaibing@huawei.com>

commit 4c59406ed00379c8663f8663d82b2537467ce9d7 upstream.

After xfrm_add_policy add a policy, its ref is 2, then

                             xfrm_policy_timer
                               read_lock
                               xp->walk.dead is 0
                               ....
                               mod_timer()
xfrm_policy_kill
  policy->walk.dead = 1
  ....
  del_timer(&policy->timer)
    xfrm_pol_put //ref is 1
  xfrm_pol_put  //ref is 0
    xfrm_policy_destroy
      call_rcu
                                 xfrm_pol_hold //ref is 1
                               read_unlock
                               xfrm_pol_put //ref is 0
                                 xfrm_policy_destroy
                                  call_rcu

xfrm_policy_destroy is called twice, which may leads to
double free.

Call Trace:
RIP: 0010:refcount_warn_saturate+0x161/0x210
...
 xfrm_policy_timer+0x522/0x600
 call_timer_fn+0x1b3/0x5e0
 ? __xfrm_decode_session+0x2990/0x2990
 ? msleep+0xb0/0xb0
 ? _raw_spin_unlock_irq+0x24/0x40
 ? __xfrm_decode_session+0x2990/0x2990
 ? __xfrm_decode_session+0x2990/0x2990
 run_timer_softirq+0x5c5/0x10e0

Fix this by use write_lock_bh in xfrm_policy_kill.

Fixes: ea2dea9dacc2 ("xfrm: remove policy lock when accessing policy->walk.dead")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Timo Teräs <timo.teras@iki.fi>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_policy.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -301,7 +301,9 @@ EXPORT_SYMBOL(xfrm_policy_destroy);
 
 static void xfrm_policy_kill(struct xfrm_policy *policy)
 {
+	write_lock_bh(&policy->lock);
 	policy->walk.dead = 1;
+	write_unlock_bh(&policy->lock);
 
 	atomic_inc(&policy->genid);
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 109/148] netfilter: nft_fwd_netdev: validate family and chain type
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 108/148] xfrm: policy: Fix doulbe free in xfrm_policy_timer Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 110/148] vti6: Fix memory leak of skb if input policy check fails Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit 76a109fac206e158eb3c967af98c178cff738e6a upstream.

Make sure the forward action is only used from ingress.

Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nft_fwd_netdev.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -62,6 +62,13 @@ nla_put_failure:
 	return -1;
 }
 
+static int nft_fwd_validate(const struct nft_ctx *ctx,
+			    const struct nft_expr *expr,
+			    const struct nft_data **data)
+{
+	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
+}
+
 static struct nft_expr_type nft_fwd_netdev_type;
 static const struct nft_expr_ops nft_fwd_netdev_ops = {
 	.type		= &nft_fwd_netdev_type,
@@ -69,6 +76,7 @@ static const struct nft_expr_ops nft_fwd
 	.eval		= nft_fwd_netdev_eval,
 	.init		= nft_fwd_netdev_init,
 	.dump		= nft_fwd_netdev_dump,
+	.validate	= nft_fwd_validate,
 };
 
 static struct nft_expr_type nft_fwd_netdev_type __read_mostly = {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 110/148] vti6: Fix memory leak of skb if input policy check fails
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 109/148] netfilter: nft_fwd_netdev: validate family and chain type Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 111/148] Input: raydium_i2c_ts - use true and false for boolean values Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Torsten Hilbrich, Nicolas Dichtel,
	Steffen Klassert

From: Torsten Hilbrich <torsten.hilbrich@secunet.com>

commit 2a9de3af21aa8c31cd68b0b39330d69f8c1e59df upstream.

The vti6_rcv function performs some tests on the retrieved tunnel
including checking the IP protocol, the XFRM input policy, the
source and destination address.

In all but one places the skb is released in the error case. When
the input policy check fails the network packet is leaked.

Using the same goto-label discard in this case to fix this problem.

Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv6/ip6_vti.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -315,7 +315,7 @@ static int vti6_rcv(struct sk_buff *skb)
 
 		if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 			rcu_read_unlock();
-			return 0;
+			goto discard;
 		}
 
 		ipv6h = ipv6_hdr(skb);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 111/148] Input: raydium_i2c_ts - use true and false for boolean values
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 110/148] vti6: Fix memory leak of skb if input policy check fails Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 112/148] Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Dmitry Torokhov,
	Sasha Levin

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

[ Upstream commit 6cad4e269e25dddd7260a53e9d9d90ba3a3cc35a ]

Return statements in functions returning bool should use true or false
instead of an integer value.

This code was detected with the help of Coccinelle.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/touchscreen/raydium_i2c_ts.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/input/touchscreen/raydium_i2c_ts.c b/drivers/input/touchscreen/raydium_i2c_ts.c
index 4f1d3fd5d4121..172f66e9da2d1 100644
--- a/drivers/input/touchscreen/raydium_i2c_ts.c
+++ b/drivers/input/touchscreen/raydium_i2c_ts.c
@@ -466,7 +466,7 @@ static bool raydium_i2c_boot_trigger(struct i2c_client *client)
 		}
 	}
 
-	return 0;
+	return false;
 }
 
 static bool raydium_i2c_fw_trigger(struct i2c_client *client)
@@ -492,7 +492,7 @@ static bool raydium_i2c_fw_trigger(struct i2c_client *client)
 		}
 	}
 
-	return 0;
+	return false;
 }
 
 static int raydium_i2c_check_path(struct i2c_client *client)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 112/148] Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 111/148] Input: raydium_i2c_ts - use true and false for boolean values Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 113/148] afs: Fix some tracing details Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Dmitry Torokhov, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 32cf3a610c35cb21e3157f4bbf29d89960e30a36 ]

These functions are supposed to return negative error codes but instead
it returns true on failure and false on success.  The error codes are
eventually propagated back to user space.

Fixes: 48a2b783483b ("Input: add Raydium I2C touchscreen driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20200303101306.4potflz7na2nn3od@kili.mountain
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/touchscreen/raydium_i2c_ts.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/input/touchscreen/raydium_i2c_ts.c b/drivers/input/touchscreen/raydium_i2c_ts.c
index 172f66e9da2d1..7da44956555e5 100644
--- a/drivers/input/touchscreen/raydium_i2c_ts.c
+++ b/drivers/input/touchscreen/raydium_i2c_ts.c
@@ -441,7 +441,7 @@ static int raydium_i2c_write_object(struct i2c_client *client,
 	return 0;
 }
 
-static bool raydium_i2c_boot_trigger(struct i2c_client *client)
+static int raydium_i2c_boot_trigger(struct i2c_client *client)
 {
 	static const u8 cmd[7][6] = {
 		{ 0x08, 0x0C, 0x09, 0x00, 0x50, 0xD7 },
@@ -466,10 +466,10 @@ static bool raydium_i2c_boot_trigger(struct i2c_client *client)
 		}
 	}
 
-	return false;
+	return 0;
 }
 
-static bool raydium_i2c_fw_trigger(struct i2c_client *client)
+static int raydium_i2c_fw_trigger(struct i2c_client *client)
 {
 	static const u8 cmd[5][11] = {
 		{ 0, 0x09, 0x71, 0x0C, 0x09, 0x00, 0x50, 0xD7, 0, 0, 0 },
@@ -492,7 +492,7 @@ static bool raydium_i2c_fw_trigger(struct i2c_client *client)
 		}
 	}
 
-	return false;
+	return 0;
 }
 
 static int raydium_i2c_check_path(struct i2c_client *client)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 113/148] afs: Fix some tracing details
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 112/148] Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 114/148] USB: serial: option: add support for ASKEY WWHC050 Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin

From: David Howells <dhowells@redhat.com>

[ Upstream commit 4636cf184d6d9a92a56c2554681ea520dd4fe49a ]

Fix a couple of tracelines to indicate the usage count after the atomic op,
not the usage count before it to be consistent with other afs and rxrpc
trace lines.

Change the wording of the afs_call_trace_work trace ID label from "WORK" to
"QUEUE" to reflect the fact that it's queueing work, not doing work.

Fixes: 341f741f04be ("afs: Refcount the afs_call struct")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/afs/rxrpc.c             | 4 ++--
 include/trace/events/afs.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index ccc9c708a860a..7dc9c78a1c31c 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -173,7 +173,7 @@ void afs_put_call(struct afs_call *call)
 	int n = atomic_dec_return(&call->usage);
 	int o = atomic_read(&afs_outstanding_calls);
 
-	trace_afs_call(call, afs_call_trace_put, n + 1, o,
+	trace_afs_call(call, afs_call_trace_put, n, o,
 		       __builtin_return_address(0));
 
 	ASSERTCMP(n, >=, 0);
@@ -619,7 +619,7 @@ static void afs_wake_up_async_call(struct sock *sk, struct rxrpc_call *rxcall,
 
 	u = __atomic_add_unless(&call->usage, 1, 0);
 	if (u != 0) {
-		trace_afs_call(call, afs_call_trace_wake, u,
+		trace_afs_call(call, afs_call_trace_wake, u + 1,
 			       atomic_read(&afs_outstanding_calls),
 			       __builtin_return_address(0));
 
diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
index 8b95c16b70454..0978bdae2243b 100644
--- a/include/trace/events/afs.h
+++ b/include/trace/events/afs.h
@@ -40,7 +40,7 @@ enum afs_call_trace {
 	EM(afs_call_trace_free,			"FREE ") \
 	EM(afs_call_trace_put,			"PUT  ") \
 	EM(afs_call_trace_wake,			"WAKE ") \
-	E_(afs_call_trace_work,			"WORK ")
+	E_(afs_call_trace_work,			"QUEUE")
 
 /*
  * Export enum symbols via userspace.
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 4.14 114/148] USB: serial: option: add support for ASKEY WWHC050
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 113/148] afs: Fix some tracing details Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 115/148] USB: serial: option: add BroadMobi BM806U Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cezary Jackiewicz, Pawel Dembicki,
	Johan Hovold

From: Pawel Dembicki <paweldembicki@gmail.com>

commit 007d20dca2376a751b1dad03442f118438b7e65e upstream.

ASKEY WWHC050 is a mcie LTE modem.
The oem configuration states:

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1690 ProdID=7588 Rev=ff.ff
S:  Manufacturer=Android
S:  Product=Android
S:  SerialNumber=813f0eef6e6e
C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us

Tested on openwrt distribution.

Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1994,6 +1994,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) },	/* D-Link DWM-152/C1 */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) },	/* D-Link DWM-156/C1 */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) },	/* D-Link DWM-156/A3 */
+	{ USB_DEVICE_INTERFACE_CLASS(0x1690, 0x7588, 0xff),			/* ASKEY WWHC050 */
+	  .driver_info = RSVD(1) | RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2031, 0xff),			/* Olicard 600 */
 	  .driver_info = RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2060, 0xff),			/* BroadMobi BM818 */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 115/148] USB: serial: option: add BroadMobi BM806U
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 114/148] USB: serial: option: add support for ASKEY WWHC050 Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 116/148] USB: serial: option: add Wistron Neweb D19Q1 Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cezary Jackiewicz, Pawel Dembicki,
	Johan Hovold

From: Pawel Dembicki <paweldembicki@gmail.com>

commit 6cb2669cb97fc4fdf526127159ac59caae052247 upstream.

BroadMobi BM806U is an Qualcomm MDM9225 based 3G/4G modem.
Tested hardware BM806U is mounted on D-Link DWR-921-C3 router.

T:  Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2020 ProdID=2033 Rev= 2.28
S:  Manufacturer=Mobile Connect
S:  Product=Mobile Connect
S:  SerialNumber=f842866cfd5a
C:* #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1998,6 +1998,8 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(1) | RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2031, 0xff),			/* Olicard 600 */
 	  .driver_info = RSVD(4) },
+	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2033, 0xff),			/* BroadMobi BM806U */
+	  .driver_info = RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2060, 0xff),			/* BroadMobi BM818 */
 	  .driver_info = RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) },			/* OLICARD300 - MT6225 */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 116/148] USB: serial: option: add Wistron Neweb D19Q1
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 115/148] USB: serial: option: add BroadMobi BM806U Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 117/148] USB: cdc-acm: restore capability check order Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pawel Dembicki, Johan Hovold

From: Pawel Dembicki <paweldembicki@gmail.com>

commit dfee7e2f478346b12ea651d5c28b069f6a4af563 upstream.

This modem is embedded on dlink dwr-960 router.
The oem configuration states:

T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1435 ProdID=d191 Rev=ff.ff
S: Manufacturer=Android
S: Product=Android
S: SerialNumber=0123456789ABCDEF
C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us

Tested on openwrt distribution

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1994,6 +1994,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) },	/* D-Link DWM-152/C1 */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) },	/* D-Link DWM-156/C1 */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) },	/* D-Link DWM-156/A3 */
+	{ USB_DEVICE_INTERFACE_CLASS(0x1435, 0xd191, 0xff),			/* Wistron Neweb D19Q1 */
+	  .driver_info = RSVD(1) | RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x1690, 0x7588, 0xff),			/* ASKEY WWHC050 */
 	  .driver_info = RSVD(1) | RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2031, 0xff),			/* Olicard 600 */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 117/148] USB: cdc-acm: restore capability check order
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 116/148] USB: serial: option: add Wistron Neweb D19Q1 Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 118/148] USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anthony Mallet, Oliver Neukum,
	Matthias Reichl

From: Matthias Reichl <hias@horus.com>

commit 62d65bdd9d05158aa2547f8ef72375535f3bc6e3 upstream.

commit b401f8c4f492c ("USB: cdc-acm: fix rounding error in TIOCSSERIAL")
introduced a regression by changing the order of capability and close
settings change checks. When running with CAP_SYS_ADMIN setting the
close settings to the values already set resulted in -EOPNOTSUPP.

Fix this by changing the check order back to how it was before.

Fixes: b401f8c4f492c ("USB: cdc-acm: fix rounding error in TIOCSSERIAL")
Cc: Anthony Mallet <anthony.mallet@laas.fr>
Cc: stable <stable@vger.kernel.org>
Cc: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Matthias Reichl <hias@horus.com>
Link: https://lore.kernel.org/r/20200327150350.3657-1-hias@horus.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/class/cdc-acm.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -961,16 +961,16 @@ static int set_serial_info(struct acm *a
 
 	mutex_lock(&acm->port.mutex);
 
-	if ((new_serial.close_delay != old_close_delay) ||
-            (new_serial.closing_wait != old_closing_wait)) {
-		if (!capable(CAP_SYS_ADMIN))
+	if (!capable(CAP_SYS_ADMIN)) {
+		if ((new_serial.close_delay != old_close_delay) ||
+	            (new_serial.closing_wait != old_closing_wait))
 			retval = -EPERM;
-		else {
-			acm->port.close_delay  = close_delay;
-			acm->port.closing_wait = closing_wait;
-		}
-	} else
-		retval = -EOPNOTSUPP;
+		else
+			retval = -EOPNOTSUPP;
+	} else {
+		acm->port.close_delay  = close_delay;
+		acm->port.closing_wait = closing_wait;
+	}
 
 	mutex_unlock(&acm->port.mutex);
 	return retval;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 118/148] USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 117/148] USB: cdc-acm: restore capability check order Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 119/148] usb: musb: fix crash with highmen PIO and usbmon Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qiujun Huang, Johan Hovold,
	syzbot+37ba33391ad5f3935bbd

From: Qiujun Huang <hqjagain@gmail.com>

commit 57aa9f294b09463492f604feaa5cc719beaace32 upstream.

Fix slab-out-of-bounds read in the interrupt-URB completion handler.

The boundary condition should be (length - 1) as we access
data[position + 1].

Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/io_edgeport.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -714,7 +714,7 @@ static void edge_interrupt_callback(stru
 		/* grab the txcredits for the ports if available */
 		position = 2;
 		portNumber = 0;
-		while ((position < length) &&
+		while ((position < length - 1) &&
 				(portNumber < edge_serial->serial->num_ports)) {
 			txCredits = data[position] | (data[position+1] << 8);
 			if (txCredits) {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 119/148] usb: musb: fix crash with highmen PIO and usbmon
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 118/148] USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 120/148] media: flexcop-usb: fix endpoint sanity check Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mans Rullgard, Bin Liu

From: Mans Rullgard <mans@mansr.com>

commit 52974d94a206ce428d9d9b6eaa208238024be82a upstream.

When handling a PIO bulk transfer with highmem buffer, a temporary
mapping is assigned to urb->transfer_buffer.  After the transfer is
complete, an invalid address is left behind in this pointer.  This is
not ordinarily a problem since nothing touches that buffer before the
urb is released.  However, when usbmon is active, usbmon_urb_complete()
calls (indirectly) mon_bin_get_data() which does access the transfer
buffer if it is set.  To prevent an invalid memory access here, reset
urb->transfer_buffer to NULL when finished (musb_host_rx()), or do not
set it at all (musb_host_tx()).

Fixes: 8e8a55165469 ("usb: musb: host: Handle highmem in PIO mode")
Signed-off-by: Mans Rullgard <mans@mansr.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bin Liu <b-liu@ti.com>
Link: https://lore.kernel.org/r/20200316211136.2274-8-b-liu@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/musb/musb_host.c |   17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -1494,10 +1494,7 @@ done:
 	 * We need to map sg if the transfer_buffer is
 	 * NULL.
 	 */
-	if (!urb->transfer_buffer)
-		qh->use_sg = true;
-
-	if (qh->use_sg) {
+	if (!urb->transfer_buffer) {
 		/* sg_miter_start is already done in musb_ep_program */
 		if (!sg_miter_next(&qh->sg_miter)) {
 			dev_err(musb->controller, "error: sg list empty\n");
@@ -1505,9 +1502,8 @@ done:
 			status = -EINVAL;
 			goto done;
 		}
-		urb->transfer_buffer = qh->sg_miter.addr;
 		length = min_t(u32, length, qh->sg_miter.length);
-		musb_write_fifo(hw_ep, length, urb->transfer_buffer);
+		musb_write_fifo(hw_ep, length, qh->sg_miter.addr);
 		qh->sg_miter.consumed = length;
 		sg_miter_stop(&qh->sg_miter);
 	} else {
@@ -1516,11 +1512,6 @@ done:
 
 	qh->segsize = length;
 
-	if (qh->use_sg) {
-		if (offset + length >= urb->transfer_buffer_length)
-			qh->use_sg = false;
-	}
-
 	musb_ep_select(mbase, epnum);
 	musb_writew(epio, MUSB_TXCSR,
 			MUSB_TXCSR_H_WZC_BITS | MUSB_TXCSR_TXPKTRDY);
@@ -2038,8 +2029,10 @@ finish:
 	urb->actual_length += xfer_len;
 	qh->offset += xfer_len;
 	if (done) {
-		if (qh->use_sg)
+		if (qh->use_sg) {
 			qh->use_sg = false;
+			urb->transfer_buffer = NULL;
+		}
 
 		if (urb->status == -EINPROGRESS)
 			urb->status = status;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 120/148] media: flexcop-usb: fix endpoint sanity check
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 119/148] usb: musb: fix crash with highmen PIO and usbmon Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 121/148] media: usbtv: fix control-message timeouts Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Neukum, Johan Hovold,
	Sean Young, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit bca243b1ce0e46be26f7c63b5591dfbb41f558e5 upstream.

commit 1b976fc6d684 ("media: b2c2-flexcop-usb: add sanity checking") added
an endpoint sanity check to address a NULL-pointer dereference on probe.
Unfortunately the check was done on the current altsetting which was later
changed.

Fix this by moving the sanity check to after the altsetting is changed.

Fixes: 1b976fc6d684 ("media: b2c2-flexcop-usb: add sanity checking")
Cc: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/b2c2/flexcop-usb.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/b2c2/flexcop-usb.c
+++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -510,6 +510,9 @@ static int flexcop_usb_init(struct flexc
 		return ret;
 	}
 
+	if (fc_usb->uintf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	switch (fc_usb->udev->speed) {
 	case USB_SPEED_LOW:
 		err("cannot handle USB speed because it is too slow.");
@@ -543,9 +546,6 @@ static int flexcop_usb_probe(struct usb_
 	struct flexcop_device *fc = NULL;
 	int ret;
 
-	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
-		return -ENODEV;
-
 	if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
 		err("out of memory\n");
 		return -ENOMEM;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 121/148] media: usbtv: fix control-message timeouts
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 120/148] media: flexcop-usb: fix endpoint sanity check Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 122/148] staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Lubomir Rintel,
	Hans Verkuil, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit 536f561d871c5781bc33d26d415685211b94032e upstream.

The driver was issuing synchronous uninterruptible control requests
without using a timeout. This could lead to the driver hanging on
various user requests due to a malfunctioning (or malicious) device
until the device is physically disconnected.

The USB upper limit of five seconds per request should be more than
enough.

Fixes: f3d27f34fdd7 ("[media] usbtv: Add driver for Fushicai USBTV007 video frame grabber")
Fixes: c53a846c48f2 ("[media] usbtv: add video controls")
Cc: stable <stable@vger.kernel.org>     # 3.11
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Lubomir Rintel <lkundrak@v3.sk>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/usbtv/usbtv-core.c  |    2 +-
 drivers/media/usb/usbtv/usbtv-video.c |    5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -56,7 +56,7 @@ int usbtv_set_regs(struct usbtv *usbtv,
 
 		ret = usb_control_msg(usbtv->udev, pipe, USBTV_REQUEST_REG,
 			USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-			value, index, NULL, 0, 0);
+			value, index, NULL, 0, USB_CTRL_GET_TIMEOUT);
 		if (ret < 0)
 			return ret;
 	}
--- a/drivers/media/usb/usbtv/usbtv-video.c
+++ b/drivers/media/usb/usbtv/usbtv-video.c
@@ -720,7 +720,8 @@ static int usbtv_s_ctrl(struct v4l2_ctrl
 		ret = usb_control_msg(usbtv->udev,
 			usb_rcvctrlpipe(usbtv->udev, 0), USBTV_CONTROL_REG,
 			USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-			0, USBTV_BASE + 0x0244, (void *)data, 3, 0);
+			0, USBTV_BASE + 0x0244, (void *)data, 3,
+			USB_CTRL_GET_TIMEOUT);
 		if (ret < 0)
 			goto error;
 	}
@@ -771,7 +772,7 @@ static int usbtv_s_ctrl(struct v4l2_ctrl
 	ret = usb_control_msg(usbtv->udev, usb_sndctrlpipe(usbtv->udev, 0),
 			USBTV_CONTROL_REG,
 			USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-			0, index, (void *)data, size, 0);
+			0, index, (void *)data, size, USB_CTRL_SET_TIMEOUT);
 
 error:
 	if (ret < 0)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 122/148] staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 121/148] media: usbtv: fix control-message timeouts Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 123/148] staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Larry Finger, kovi

From: Larry Finger <Larry.Finger@lwfinger.net>

commit 38ef48f7d4b7342f145a1b4f96023bde99aeb245 upstream.

The ASUS USB-N10 Nano B1 has been reported as a new RTL8188EU device.
Add it to the device tables.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: kovi <zraetn@gmail.com>
Cc: Stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200321180011.26153-1-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/rtl8188eu/os_dep/usb_intf.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -40,6 +40,7 @@ static const struct usb_device_id rtw_us
 	/****** 8188EUS ********/
 	{USB_DEVICE(0x056e, 0x4008)}, /* Elecom WDC-150SU2M */
 	{USB_DEVICE(0x07b8, 0x8179)}, /* Abocom - Abocom */
+	{USB_DEVICE(0x0B05, 0x18F0)}, /* ASUS USB-N10 Nano B1 */
 	{USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
 	{USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
 	{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 123/148] staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 122/148] staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 124/148] staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+6d2e7f6fa90e27be9d62, Qiujun Huang

From: Qiujun Huang <hqjagain@gmail.com>

commit a1f165a6b738f0c9d744bad4af7a53909278f5fc upstream.

We should cancel hw->usb_work before kfree(hw).

Reported-by: syzbot+6d2e7f6fa90e27be9d62@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1585120006-30042-1-git-send-email-hqjagain@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/wlan-ng/prism2usb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/wlan-ng/prism2usb.c
+++ b/drivers/staging/wlan-ng/prism2usb.c
@@ -180,6 +180,7 @@ static void prism2sta_disconnect_usb(str
 
 		cancel_work_sync(&hw->link_bh);
 		cancel_work_sync(&hw->commsqual_bh);
+		cancel_work_sync(&hw->usb_work);
 
 		/* Now we complete any outstanding commands
 		 * and tell everyone who is waiting for their



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 124/148] staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 123/148] staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 125/148] libfs: fix infoleak in simple_attr_read() Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qiujun Huang, syzbot+7d42d68643a35f71ac8a

From: Qiujun Huang <hqjagain@gmail.com>

commit 1165dd73e811a07d947aee218510571f516081f6 upstream.

We can't handle the case length > WLAN_DATA_MAXLEN.
Because the size of rxfrm->data is WLAN_DATA_MAXLEN(2312), and we can't
read more than that.

Thanks-to: Hillf Danton <hdanton@sina.com>
Reported-and-tested-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200326131850.17711-1-hqjagain@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/wlan-ng/hfa384x_usb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -3495,6 +3495,8 @@ static void hfa384x_int_rxmonitor(struct
 	     WLAN_HDR_A4_LEN + WLAN_DATA_MAXLEN + WLAN_CRC_LEN)) {
 		pr_debug("overlen frm: len=%zd\n",
 			 skblen - sizeof(struct p80211_caphdr));
+
+		return;
 	}
 
 	skb = dev_alloc_skb(skblen);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 125/148] libfs: fix infoleak in simple_attr_read()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 124/148] staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 126/148] media: ov519: add missing endpoint sanity checks Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+fcab69d1ada3e8d6f06b,
	Alexander Potapenko, Eric Biggers, Kees Cook

From: Eric Biggers <ebiggers@google.com>

commit a65cab7d7f05c2061a3e2490257d3086ff3202c6 upstream.

Reading from a debugfs file at a nonzero position, without first reading
at position 0, leaks uninitialized memory to userspace.

It's a bit tricky to do this, since lseek() and pread() aren't allowed
on these files, and write() doesn't update the position on them.  But
writing to them with splice() *does* update the position:

	#define _GNU_SOURCE 1
	#include <fcntl.h>
	#include <stdio.h>
	#include <unistd.h>
	int main()
	{
		int pipes[2], fd, n, i;
		char buf[32];

		pipe(pipes);
		write(pipes[1], "0", 1);
		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
		splice(pipes[0], NULL, fd, NULL, 1, 0);
		n = read(fd, buf, sizeof(buf));
		for (i = 0; i < n; i++)
			printf("%02x", buf[i]);
		printf("\n");
	}

Output:
	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30

Fix the infoleak by making simple_attr_read() always fill
simple_attr::get_buf if it hasn't been filled yet.

Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
Reported-by: Alexander Potapenko <glider@google.com>
Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20200308023849.988264-1-ebiggers@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/libfs.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -802,7 +802,7 @@ int simple_attr_open(struct inode *inode
 {
 	struct simple_attr *attr;
 
-	attr = kmalloc(sizeof(*attr), GFP_KERNEL);
+	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
 	if (!attr)
 		return -ENOMEM;
 
@@ -842,9 +842,11 @@ ssize_t simple_attr_read(struct file *fi
 	if (ret)
 		return ret;
 
-	if (*ppos) {		/* continued read */
+	if (*ppos && attr->get_buf[0]) {
+		/* continued read */
 		size = strlen(attr->get_buf);
-	} else {		/* first read */
+	} else {
+		/* first read */
 		u64 val;
 		ret = attr->get(attr->data, &val);
 		if (ret)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 126/148] media: ov519: add missing endpoint sanity checks
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 125/148] libfs: fix infoleak in simple_attr_read() Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 127/148] media: dib0700: fix rc endpoint lookup Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Johan Hovold,
	Hans Verkuil, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit 998912346c0da53a6dbb71fab3a138586b596b30 upstream.

Make sure to check that we have at least one endpoint before accessing
the endpoint array to avoid dereferencing a NULL-pointer on stream
start.

Note that these sanity checks are not redundant as the driver is mixing
looking up altsettings by index and by number, which need not coincide.

Fixes: 1876bb923c98 ("V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge")
Fixes: b282d87332f5 ("V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)")
Cc: stable <stable@vger.kernel.org>     # 2.6.31
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/gspca/ov519.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/media/usb/gspca/ov519.c
+++ b/drivers/media/usb/gspca/ov519.c
@@ -3478,6 +3478,11 @@ static void ov511_mode_init_regs(struct
 		return;
 	}
 
+	if (alt->desc.bNumEndpoints < 1) {
+		sd->gspca_dev.usb_err = -ENODEV;
+		return;
+	}
+
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5);
 
@@ -3604,6 +3609,11 @@ static void ov518_mode_init_regs(struct
 		return;
 	}
 
+	if (alt->desc.bNumEndpoints < 1) {
+		sd->gspca_dev.usb_err = -ENODEV;
+		return;
+	}
+
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	ov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2);
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 127/148] media: dib0700: fix rc endpoint lookup
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 126/148] media: ov519: add missing endpoint sanity checks Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 128/148] media: stv06xx: add missing descriptor sanity checks Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Sean Young,
	Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit f52981019ad8d6718de79b425a574c6bddf81f7c upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid submitting an URB to an invalid endpoint.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge Nova-TD")
Cc: stable <stable@vger.kernel.org>     # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb/dib0700_core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/dvb-usb/dib0700_core.c
+++ b/drivers/media/usb/dvb-usb/dib0700_core.c
@@ -821,7 +821,7 @@ int dib0700_rc_setup(struct dvb_usb_devi
 
 	/* Starting in firmware 1.20, the RC info is provided on a bulk pipe */
 
-	if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
+	if (intf->cur_altsetting->desc.bNumEndpoints < rc_ep + 1)
 		return -ENODEV;
 
 	purb = usb_alloc_urb(0, GFP_KERNEL);
@@ -841,7 +841,7 @@ int dib0700_rc_setup(struct dvb_usb_devi
 	 * Some devices like the Hauppauge NovaTD model 52009 use an interrupt
 	 * endpoint, while others use a bulk one.
 	 */
-	e = &intf->altsetting[0].endpoint[rc_ep].desc;
+	e = &intf->cur_altsetting->endpoint[rc_ep].desc;
 	if (usb_endpoint_dir_in(e)) {
 		if (usb_endpoint_xfer_bulk(e)) {
 			pipe = usb_rcvbulkpipe(d->udev, rc_ep);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 128/148] media: stv06xx: add missing descriptor sanity checks
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 127/148] media: dib0700: fix rc endpoint lookup Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 129/148] media: xirlink_cit: " Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Johan Hovold,
	Hans Verkuil, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit 485b06aadb933190f4bc44e006076bc27a23f205 upstream.

Make sure to check that we have two alternate settings and at least one
endpoint before accessing the second altsetting structure and
dereferencing the endpoint arrays.

This specifically avoids dereferencing NULL-pointers or corrupting
memory when a device does not have the expected descriptors.

Note that the sanity checks in stv06xx_start() and pb0100_start() are
not redundant as the driver is mixing looking up altsettings by index
and by number, which may not coincide.

Fixes: 8668d504d72c ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor")
Fixes: c0b33bdc5b8d ("[media] gspca-stv06xx: support bandwidth changing")
Cc: stable <stable@vger.kernel.org>     # 2.6.31
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/gspca/stv06xx/stv06xx.c        |   19 ++++++++++++++++++-
 drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c |    4 ++++
 2 files changed, 22 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
@@ -289,6 +289,9 @@ static int stv06xx_start(struct gspca_de
 		return -EIO;
 	}
 
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size);
 	if (err < 0)
@@ -313,11 +316,21 @@ out:
 
 static int stv06xx_isoc_init(struct gspca_dev *gspca_dev)
 {
+	struct usb_interface_cache *intfc;
 	struct usb_host_interface *alt;
 	struct sd *sd = (struct sd *) gspca_dev;
 
+	intfc = gspca_dev->dev->actconfig->intf_cache[0];
+
+	if (intfc->num_altsetting < 2)
+		return -ENODEV;
+
+	alt = &intfc->altsetting[1];
+
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	/* Start isoc bandwidth "negotiation" at max isoc bandwidth */
-	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	alt->endpoint[0].desc.wMaxPacketSize =
 		cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]);
 
@@ -330,6 +343,10 @@ static int stv06xx_isoc_nego(struct gspc
 	struct usb_host_interface *alt;
 	struct sd *sd = (struct sd *) gspca_dev;
 
+	/*
+	 * Existence of altsetting and endpoint was verified in
+	 * stv06xx_isoc_init()
+	 */
 	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode];
--- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
@@ -194,6 +194,10 @@ static int pb0100_start(struct sd *sd)
 	alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
 	if (!alt)
 		return -ENODEV;
+
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 
 	/* If we don't have enough bandwidth use a lower framerate */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 129/148] media: xirlink_cit: add missing descriptor sanity checks
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 128/148] media: stv06xx: add missing descriptor sanity checks Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 130/148] mac80211: Check port authorization in the ieee80211_tx_dequeue() case Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Johan Hovold,
	Hans Verkuil, Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 upstream.

Make sure to check that we have two alternate settings and at least one
endpoint before accessing the second altsetting structure and
dereferencing the endpoint arrays.

This specifically avoids dereferencing NULL-pointers or corrupting
memory when a device does not have the expected descriptors.

Note that the sanity check in cit_get_packet_size() is not redundant as
the driver is mixing looking up altsettings by index and by number,
which may not coincide.

Fixes: 659fefa0eb17 ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01")
Fixes: 59f8b0bf3c12 ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting")
Cc: stable <stable@vger.kernel.org>     # 2.6.37
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/gspca/xirlink_cit.c |   18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/gspca/xirlink_cit.c
+++ b/drivers/media/usb/gspca/xirlink_cit.c
@@ -1451,6 +1451,9 @@ static int cit_get_packet_size(struct gs
 		return -EIO;
 	}
 
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 }
 
@@ -2634,6 +2637,7 @@ static int sd_start(struct gspca_dev *gs
 
 static int sd_isoc_init(struct gspca_dev *gspca_dev)
 {
+	struct usb_interface_cache *intfc;
 	struct usb_host_interface *alt;
 	int max_packet_size;
 
@@ -2649,8 +2653,17 @@ static int sd_isoc_init(struct gspca_dev
 		break;
 	}
 
+	intfc = gspca_dev->dev->actconfig->intf_cache[0];
+
+	if (intfc->num_altsetting < 2)
+		return -ENODEV;
+
+	alt = &intfc->altsetting[1];
+
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	/* Start isoc bandwidth "negotiation" at max isoc bandwidth */
-	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size);
 
 	return 0;
@@ -2673,6 +2686,9 @@ static int sd_isoc_nego(struct gspca_dev
 		break;
 	}
 
+	/*
+	 * Existence of altsetting and endpoint was verified in sd_isoc_init()
+	 */
 	alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 	packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 	if (packet_size <= min_packet_size)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 130/148] mac80211: Check port authorization in the ieee80211_tx_dequeue() case
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 129/148] media: xirlink_cit: " Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 131/148] mac80211: fix authentication with iwlwifi/mvm Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jouni Malinen, Johannes Berg

From: Jouni Malinen <jouni@codeaurora.org>

commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream.

mac80211 used to check port authorization in the Data frame enqueue case
when going through start_xmit(). However, that authorization status may
change while the frame is waiting in a queue. Add a similar check in the
dequeue case to avoid sending previously accepted frames after
authorization change. This provides additional protection against
potential leaking of frames after a station has been disconnected and
the keys for it are being removed.

Cc: stable@vger.kernel.org
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/tx.c |   19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3451,8 +3451,25 @@ begin:
 	tx.skb = skb;
 	tx.sdata = vif_to_sdata(info->control.vif);
 
-	if (txq->sta)
+	if (txq->sta) {
 		tx.sta = container_of(txq->sta, struct sta_info, sta);
+		/*
+		 * Drop unicast frames to unauthorised stations unless they are
+		 * EAPOL frames from the local station.
+		 */
+		if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
+			     tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
+			     !is_multicast_ether_addr(hdr->addr1) &&
+			     !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
+			     (!(info->control.flags &
+				IEEE80211_TX_CTRL_PORT_CTRL_PROTO) ||
+			      !ether_addr_equal(tx.sdata->vif.addr,
+						hdr->addr2)))) {
+			I802_DEBUG_INC(local->tx_handlers_drop_unauth_port);
+			ieee80211_free_txskb(&local->hw, skb);
+			goto begin;
+		}
+	}
 
 	/*
 	 * The key can be removed while the packet was queued, so need to call



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 131/148] mac80211: fix authentication with iwlwifi/mvm
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 130/148] mac80211: Check port authorization in the ieee80211_tx_dequeue() case Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 132/148] vt: selection, introduce vc_is_sel Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, David S. Miller,
	Woody Suwalski

From: Johannes Berg <johannes.berg@intel.com>

commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream.

The original patch didn't copy the ieee80211_is_data() condition
because on most drivers the management frames don't go through
this path. However, they do on iwlwifi/mvm, so we do need to keep
the condition here.

Cc: stable@vger.kernel.org
Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Woody Suwalski <terraluna977@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/tx.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3457,7 +3457,8 @@ begin:
 		 * Drop unicast frames to unauthorised stations unless they are
 		 * EAPOL frames from the local station.
 		 */
-		if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
+		if (unlikely(ieee80211_is_data(hdr->frame_control) &&
+			     !ieee80211_vif_is_mesh(&tx.sdata->vif) &&
 			     tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
 			     !is_multicast_ether_addr(hdr->addr1) &&
 			     !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 132/148] vt: selection, introduce vc_is_sel
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 131/148] mac80211: fix authentication with iwlwifi/mvm Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 133/148] vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby

From: Jiri Slaby <jslaby@suse.cz>

commit dce05aa6eec977f1472abed95ccd71276b9a3864 upstream.

Avoid global variables (namely sel_cons) by introducing vc_is_sel. It
checks whether the parameter is the current selection console. This will
help putting sel_cons to a struct later.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20200219073951.16151-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/selection.c |    5 +++++
 drivers/tty/vt/vt.c        |    7 ++++---
 drivers/tty/vt/vt_ioctl.c  |    2 +-
 include/linux/selection.h  |    4 +++-
 4 files changed, 13 insertions(+), 5 deletions(-)

--- a/drivers/tty/vt/selection.c
+++ b/drivers/tty/vt/selection.c
@@ -83,6 +83,11 @@ void clear_selection(void)
 	}
 }
 
+bool vc_is_sel(struct vc_data *vc)
+{
+	return vc == sel_cons;
+}
+
 /*
  * User settable table: what characters are to be considered alphabetic?
  * 128 bits. Locked by the console lock.
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -584,8 +584,9 @@ static void hide_softcursor(struct vc_da
 
 static void hide_cursor(struct vc_data *vc)
 {
-	if (vc == sel_cons)
+	if (vc_is_sel(vc))
 		clear_selection();
+
 	vc->vc_sw->con_cursor(vc, CM_ERASE);
 	hide_softcursor(vc);
 }
@@ -595,7 +596,7 @@ static void set_cursor(struct vc_data *v
 	if (!con_is_fg(vc) || console_blanked || vc->vc_mode == KD_GRAPHICS)
 		return;
 	if (vc->vc_deccm) {
-		if (vc == sel_cons)
+		if (vc_is_sel(vc))
 			clear_selection();
 		add_softcursor(vc);
 		if ((vc->vc_cursor_type & 0x0f) != 1)
@@ -873,7 +874,7 @@ static int vc_do_resize(struct tty_struc
 	if (!newscreen)
 		return -ENOMEM;
 
-	if (vc == sel_cons)
+	if (vc_is_sel(vc))
 		clear_selection();
 
 	old_rows = vc->vc_rows;
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -43,7 +43,7 @@ char vt_dont_switch;
 extern struct tty_driver *console_driver;
 
 #define VT_IS_IN_USE(i)	(console_driver->ttys[i] && console_driver->ttys[i]->count)
-#define VT_BUSY(i)	(VT_IS_IN_USE(i) || i == fg_console || vc_cons[i].d == sel_cons)
+#define VT_BUSY(i)	(VT_IS_IN_USE(i) || i == fg_console || vc_is_sel(vc_cons[i].d))
 
 /*
  * Console (vt and kd) routines, as defined by USL SVR4 manual, and by
--- a/include/linux/selection.h
+++ b/include/linux/selection.h
@@ -13,8 +13,8 @@
 
 struct tty_struct;
 
-extern struct vc_data *sel_cons;
 struct tty_struct;
+struct vc_data;
 
 extern void clear_selection(void);
 extern int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty);
@@ -23,6 +23,8 @@ extern int sel_loadlut(char __user *p);
 extern int mouse_reporting(void);
 extern void mouse_report(struct tty_struct * tty, int butt, int mrx, int mry);
 
+bool vc_is_sel(struct vc_data *vc);
+
 extern int console_blanked;
 
 extern const unsigned char color_table[];



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 133/148] vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 132/148] vt: selection, introduce vc_is_sel Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 134/148] vt: switch vt_dont_switch to bool Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby

From: Jiri Slaby <jslaby@suse.cz>

commit e587e8f17433ddb26954f0edf5b2f95c42155ae9 upstream.

These two were macros. Switch them to static inlines, so that it's more
understandable what they are doing.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20200219073951.16151-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt_ioctl.c |   29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -40,10 +40,25 @@
 #include <linux/selection.h>
 
 char vt_dont_switch;
-extern struct tty_driver *console_driver;
 
-#define VT_IS_IN_USE(i)	(console_driver->ttys[i] && console_driver->ttys[i]->count)
-#define VT_BUSY(i)	(VT_IS_IN_USE(i) || i == fg_console || vc_is_sel(vc_cons[i].d))
+static inline bool vt_in_use(unsigned int i)
+{
+	extern struct tty_driver *console_driver;
+
+	return console_driver->ttys[i] && console_driver->ttys[i]->count;
+}
+
+static inline bool vt_busy(int i)
+{
+	if (vt_in_use(i))
+		return true;
+	if (i == fg_console)
+		return true;
+	if (vc_is_sel(vc_cons[i].d))
+		return true;
+
+	return false;
+}
 
 /*
  * Console (vt and kd) routines, as defined by USL SVR4 manual, and by
@@ -289,7 +304,7 @@ static int vt_disallocate(unsigned int v
 	int ret = 0;
 
 	console_lock();
-	if (VT_BUSY(vc_num))
+	if (vt_busy(vc_num))
 		ret = -EBUSY;
 	else if (vc_num)
 		vc = vc_deallocate(vc_num);
@@ -311,7 +326,7 @@ static void vt_disallocate_all(void)
 
 	console_lock();
 	for (i = 1; i < MAX_NR_CONSOLES; i++)
-		if (!VT_BUSY(i))
+		if (!vt_busy(i))
 			vc[i] = vc_deallocate(i);
 		else
 			vc[i] = NULL;
@@ -648,7 +663,7 @@ int vt_ioctl(struct tty_struct *tty,
 			state = 1;	/* /dev/tty0 is always open */
 			for (i = 0, mask = 2; i < MAX_NR_CONSOLES && mask;
 							++i, mask <<= 1)
-				if (VT_IS_IN_USE(i))
+				if (vt_in_use(i))
 					state |= mask;
 			ret = put_user(state, &vtstat->v_state);
 		}
@@ -661,7 +676,7 @@ int vt_ioctl(struct tty_struct *tty,
 	case VT_OPENQRY:
 		/* FIXME: locking ? - but then this is a stupid API */
 		for (i = 0; i < MAX_NR_CONSOLES; ++i)
-			if (! VT_IS_IN_USE(i))
+			if (!vt_in_use(i))
 				break;
 		uival = i < MAX_NR_CONSOLES ? (i+1) : -1;
 		goto setint;		 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 134/148] vt: switch vt_dont_switch to bool
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 133/148] vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 135/148] vt: vt_ioctl: remove unnecessary console allocation checks Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby

From: Jiri Slaby <jslaby@suse.cz>

commit f400991bf872debffb01c46da882dc97d7e3248e upstream.

vt_dont_switch is pure boolean, no need for whole char.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20200219073951.16151-6-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt_ioctl.c |    6 +++---
 include/linux/vt_kern.h   |    2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -39,7 +39,7 @@
 #include <linux/kbd_diacr.h>
 #include <linux/selection.h>
 
-char vt_dont_switch;
+bool vt_dont_switch;
 
 static inline bool vt_in_use(unsigned int i)
 {
@@ -1026,12 +1026,12 @@ int vt_ioctl(struct tty_struct *tty,
 	case VT_LOCKSWITCH:
 		if (!capable(CAP_SYS_TTY_CONFIG))
 			return -EPERM;
-		vt_dont_switch = 1;
+		vt_dont_switch = true;
 		break;
 	case VT_UNLOCKSWITCH:
 		if (!capable(CAP_SYS_TTY_CONFIG))
 			return -EPERM;
-		vt_dont_switch = 0;
+		vt_dont_switch = false;
 		break;
 	case VT_GETHIFONTMASK:
 		ret = put_user(vc->vc_hi_font_mask,
--- a/include/linux/vt_kern.h
+++ b/include/linux/vt_kern.h
@@ -142,7 +142,7 @@ static inline bool vt_force_oops_output(
 	return false;
 }
 
-extern char vt_dont_switch;
+extern bool vt_dont_switch;
 extern int default_utf8;
 extern int global_cursor_default;
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 135/148] vt: vt_ioctl: remove unnecessary console allocation checks
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 134/148] vt: switch vt_dont_switch to bool Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 136/148] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers

From: Eric Biggers <ebiggers@google.com>

commit 1aa6e058dd6cd04471b1f21298270014daf48ac9 upstream.

The vc_cons_allocated() checks in vt_ioctl() and vt_compat_ioctl() are
unnecessary because they can only be reached by calling ioctl() on an
open tty, which implies the corresponding virtual console is allocated.

And even if the virtual console *could* be freed concurrently, then
these checks would be broken since they aren't done under console_lock,
and the vc_data is dereferenced before them anyway.

So, remove these unneeded checks to avoid confusion.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20200224080326.295046-1-ebiggers@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt_ioctl.c |   21 ++-------------------
 1 file changed, 2 insertions(+), 19 deletions(-)

--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -350,22 +350,13 @@ int vt_ioctl(struct tty_struct *tty,
 {
 	struct vc_data *vc = tty->driver_data;
 	struct console_font_op op;	/* used in multiple places here */
-	unsigned int console;
+	unsigned int console = vc->vc_num;
 	unsigned char ucval;
 	unsigned int uival;
 	void __user *up = (void __user *)arg;
 	int i, perm;
 	int ret = 0;
 
-	console = vc->vc_num;
-
-
-	if (!vc_cons_allocated(console)) { 	/* impossible? */
-		ret = -ENOIOCTLCMD;
-		goto out;
-	}
-
-
 	/*
 	 * To have permissions to do most of the vt ioctls, we either have
 	 * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
@@ -1195,18 +1186,10 @@ long vt_compat_ioctl(struct tty_struct *
 {
 	struct vc_data *vc = tty->driver_data;
 	struct console_font_op op;	/* used in multiple places here */
-	unsigned int console;
 	void __user *up = (void __user *)arg;
 	int perm;
 	int ret = 0;
 
-	console = vc->vc_num;
-
-	if (!vc_cons_allocated(console)) { 	/* impossible? */
-		ret = -ENOIOCTLCMD;
-		goto out;
-	}
-
 	/*
 	 * To have permissions to do most of the vt ioctls, we either have
 	 * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
@@ -1266,7 +1249,7 @@ long vt_compat_ioctl(struct tty_struct *
 		arg = (unsigned long)compat_ptr(arg);
 		goto fallback;
 	}
-out:
+
 	return ret;
 
 fallback:



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 136/148] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 135/148] vt: vt_ioctl: remove unnecessary console allocation checks Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 137/148] vt: vt_ioctl: fix use-after-free in vt_in_use() Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+522643ab5729b0421998,
	Jiri Slaby, Eric Biggers

From: Eric Biggers <ebiggers@google.com>

commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream.

The VT_DISALLOCATE ioctl can free a virtual console while tty_release()
is still running, causing a use-after-free in con_shutdown().  This
occurs because VT_DISALLOCATE considers a virtual console's
'struct vc_data' to be unused as soon as the corresponding tty's
refcount hits 0.  But actually it may be still being closed.

Fix this by making vc_data be reference-counted via the embedded
'struct tty_port'.  A newly allocated virtual console has refcount 1.
Opening it for the first time increments the refcount to 2.  Closing it
for the last time decrements the refcount (in tty_operations::cleanup()
so that it happens late enough), as does VT_DISALLOCATE.

Reproducer:
	#include <fcntl.h>
	#include <linux/vt.h>
	#include <sys/ioctl.h>
	#include <unistd.h>

	int main()
	{
		if (fork()) {
			for (;;)
				close(open("/dev/tty5", O_RDWR));
		} else {
			int fd = open("/dev/tty10", O_RDWR);

			for (;;)
				ioctl(fd, VT_DISALLOCATE, 5);
		}
	}

KASAN report:
	BUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
	Write of size 8 at addr ffff88806a4ec108 by task syz_vt/129

	CPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
	Call Trace:
	 [...]
	 con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
	 release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514
	 tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629
	 tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789
	 [...]

	Allocated by task 129:
	 [...]
	 kzalloc include/linux/slab.h:669 [inline]
	 vc_allocate drivers/tty/vt/vt.c:1085 [inline]
	 vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066
	 con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229
	 tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]
	 tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341
	 tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]
	 tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035
	 [...]

	Freed by task 130:
	 [...]
	 kfree+0xbf/0x1e0 mm/slab.c:3757
	 vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]
	 vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818
	 tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660
	 [...]

Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle")
Cc: <stable@vger.kernel.org> # v3.4+
Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com
Acked-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt.c       |   23 ++++++++++++++++++++++-
 drivers/tty/vt/vt_ioctl.c |   12 ++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -751,6 +751,17 @@ static void visual_init(struct vc_data *
 	vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;
 }
 
+static void vc_port_destruct(struct tty_port *port)
+{
+	struct vc_data *vc = container_of(port, struct vc_data, port);
+
+	kfree(vc);
+}
+
+static const struct tty_port_operations vc_port_ops = {
+	.destruct = vc_port_destruct,
+};
+
 int vc_allocate(unsigned int currcons)	/* return 0 on success */
 {
 	struct vt_notifier_param param;
@@ -776,6 +787,7 @@ int vc_allocate(unsigned int currcons)	/
 
 	vc_cons[currcons].d = vc;
 	tty_port_init(&vc->port);
+	vc->port.ops = &vc_port_ops;
 	INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
 
 	visual_init(vc, currcons, 1);
@@ -2895,6 +2907,7 @@ static int con_install(struct tty_driver
 
 	tty->driver_data = vc;
 	vc->port.tty = tty;
+	tty_port_get(&vc->port);
 
 	if (!tty->winsize.ws_row && !tty->winsize.ws_col) {
 		tty->winsize.ws_row = vc_cons[currcons].d->vc_rows;
@@ -2930,6 +2943,13 @@ static void con_shutdown(struct tty_stru
 	console_unlock();
 }
 
+static void con_cleanup(struct tty_struct *tty)
+{
+	struct vc_data *vc = tty->driver_data;
+
+	tty_port_put(&vc->port);
+}
+
 static int default_color           = 7; /* white */
 static int default_italic_color    = 2; // green (ASCII)
 static int default_underline_color = 3; // cyan (ASCII)
@@ -3054,7 +3074,8 @@ static const struct tty_operations con_o
 	.throttle = con_throttle,
 	.unthrottle = con_unthrottle,
 	.resize = vt_resize,
-	.shutdown = con_shutdown
+	.shutdown = con_shutdown,
+	.cleanup = con_cleanup,
 };
 
 static struct cdev vc0_cdev;
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -310,10 +310,8 @@ static int vt_disallocate(unsigned int v
 		vc = vc_deallocate(vc_num);
 	console_unlock();
 
-	if (vc && vc_num >= MIN_NR_CONSOLES) {
-		tty_port_destroy(&vc->port);
-		kfree(vc);
-	}
+	if (vc && vc_num >= MIN_NR_CONSOLES)
+		tty_port_put(&vc->port);
 
 	return ret;
 }
@@ -333,10 +331,8 @@ static void vt_disallocate_all(void)
 	console_unlock();
 
 	for (i = 1; i < MAX_NR_CONSOLES; i++) {
-		if (vc[i] && i >= MIN_NR_CONSOLES) {
-			tty_port_destroy(&vc[i]->port);
-			kfree(vc[i]);
-		}
+		if (vc[i] && i >= MIN_NR_CONSOLES)
+			tty_port_put(&vc[i]->port);
 	}
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 137/148] vt: vt_ioctl: fix use-after-free in vt_in_use()
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 136/148] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 138/148] platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Eric Biggers

From: Eric Biggers <ebiggers@google.com>

commit 7cf64b18b0b96e751178b8d0505d8466ff5a448f upstream.

vt_in_use() dereferences console_driver->ttys[i] without proper locking.
This is broken because the tty can be closed and freed concurrently.

We could fix this by using 'READ_ONCE(console_driver->ttys[i]) != NULL'
and skipping the check of tty_struct::count.  But, looking at
console_driver->ttys[i] isn't really appropriate anyway because even if
it is NULL the tty can still be in the process of being closed.

Instead, fix it by making vt_in_use() require console_lock() and check
whether the vt is allocated and has port refcount > 1.  This works since
following the patch "vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use
virtual console" the port refcount is incremented while the vt is open.

Reproducer (very unreliable, but it worked for me after a few minutes):

	#include <fcntl.h>
	#include <linux/vt.h>

	int main()
	{
		int fd, nproc;
		struct vt_stat state;
		char ttyname[16];

		fd = open("/dev/tty10", O_RDONLY);
		for (nproc = 1; nproc < 8; nproc *= 2)
			fork();
		for (;;) {
			sprintf(ttyname, "/dev/tty%d", rand() % 8);
			close(open(ttyname, O_RDONLY));
			ioctl(fd, VT_GETSTATE, &state);
		}
	}

KASAN report:

	BUG: KASAN: use-after-free in vt_in_use drivers/tty/vt/vt_ioctl.c:48 [inline]
	BUG: KASAN: use-after-free in vt_ioctl+0x1ad3/0x1d70 drivers/tty/vt/vt_ioctl.c:657
	Read of size 4 at addr ffff888065722468 by task syz-vt2/132

	CPU: 0 PID: 132 Comm: syz-vt2 Not tainted 5.6.0-rc5-00130-g089b6d3654916 #13
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
	Call Trace:
	 [...]
	 vt_in_use drivers/tty/vt/vt_ioctl.c:48 [inline]
	 vt_ioctl+0x1ad3/0x1d70 drivers/tty/vt/vt_ioctl.c:657
	 tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660
	 [...]

	Allocated by task 136:
	 [...]
	 kzalloc include/linux/slab.h:669 [inline]
	 alloc_tty_struct+0x96/0x8a0 drivers/tty/tty_io.c:2982
	 tty_init_dev+0x23/0x350 drivers/tty/tty_io.c:1334
	 tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]
	 tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035
	 [...]

	Freed by task 41:
	 [...]
	 kfree+0xbf/0x200 mm/slab.c:3757
	 free_tty_struct+0x8d/0xb0 drivers/tty/tty_io.c:177
	 release_one_tty+0x22d/0x2f0 drivers/tty/tty_io.c:1468
	 process_one_work+0x7f1/0x14b0 kernel/workqueue.c:2264
	 worker_thread+0x8b/0xc80 kernel/workqueue.c:2410
	 [...]

Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle")
Cc: <stable@vger.kernel.org> # v3.4+
Acked-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20200322034305.210082-3-ebiggers@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt_ioctl.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -43,9 +43,15 @@ bool vt_dont_switch;
 
 static inline bool vt_in_use(unsigned int i)
 {
-	extern struct tty_driver *console_driver;
+	const struct vc_data *vc = vc_cons[i].d;
 
-	return console_driver->ttys[i] && console_driver->ttys[i]->count;
+	/*
+	 * console_lock must be held to prevent the vc from being deallocated
+	 * while we're checking whether it's in-use.
+	 */
+	WARN_CONSOLE_UNLOCKED();
+
+	return vc && kref_read(&vc->port.kref) > 1;
 }
 
 static inline bool vt_busy(int i)
@@ -643,15 +649,16 @@ int vt_ioctl(struct tty_struct *tty,
 		struct vt_stat __user *vtstat = up;
 		unsigned short state, mask;
 
-		/* Review: FIXME: Console lock ? */
 		if (put_user(fg_console + 1, &vtstat->v_active))
 			ret = -EFAULT;
 		else {
 			state = 1;	/* /dev/tty0 is always open */
+			console_lock(); /* required by vt_in_use() */
 			for (i = 0, mask = 2; i < MAX_NR_CONSOLES && mask;
 							++i, mask <<= 1)
 				if (vt_in_use(i))
 					state |= mask;
+			console_unlock();
 			ret = put_user(state, &vtstat->v_state);
 		}
 		break;
@@ -661,10 +668,11 @@ int vt_ioctl(struct tty_struct *tty,
 	 * Returns the first available (non-opened) console.
 	 */
 	case VT_OPENQRY:
-		/* FIXME: locking ? - but then this is a stupid API */
+		console_lock(); /* required by vt_in_use() */
 		for (i = 0; i < MAX_NR_CONSOLES; ++i)
 			if (!vt_in_use(i))
 				break;
+		console_unlock();
 		uival = i < MAX_NR_CONSOLES ? (i+1) : -1;
 		goto setint;		 
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 138/148] platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 137/148] vt: vt_ioctl: fix use-after-free in vt_in_use() Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 139/148] bpf: Explicitly memset the bpf_attr structure Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Georg Müller, Hans de Goede,
	Andy Shevchenko

From: Georg Müller <georgmueller@gmx.net>

commit 95b31e35239e5e1689e3d965d692a313c71bd8ab upstream.

The Lex 2I385SW board has two Intel I211 ethernet controllers. Without
this patch, only the first port is usable. The second port fails to
start with the following message:

    igb: probe of 0000:02:00.0 failed with error -2

Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
Tested-by: Georg Müller <georgmueller@gmx.net>
Signed-off-by: Georg Müller <georgmueller@gmx.net>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/x86/pmc_atom.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/platform/x86/pmc_atom.c
+++ b/drivers/platform/x86/pmc_atom.c
@@ -445,6 +445,14 @@ static const struct dmi_system_id critcl
 	},
 	{
 		/* pmc_plt_clk* - are used for ethernet controllers */
+		.ident = "Lex 2I385SW",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Lex BayTrail"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "2I385SW"),
+		},
+	},
+	{
+		/* pmc_plt_clk* - are used for ethernet controllers */
 		.ident = "Beckhoff CB3163",
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 139/148] bpf: Explicitly memset the bpf_attr structure
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 138/148] platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 140/148] bpf: Explicitly memset some bpf info structures declared on the stack Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej Żenczykowski,
	John Stultz, Alexander Potapenko, Alistair Delva,
	Daniel Borkmann, Yonghong Song

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8096f229421f7b22433775e928d506f0342e5907 upstream.

For the bpf syscall, we are relying on the compiler to properly zero out
the bpf_attr union that we copy userspace data into. Unfortunately that
doesn't always work properly, padding and other oddities might not be
correctly zeroed, and in some tests odd things have been found when the
stack is pre-initialized to other values.

Fix this by explicitly memsetting the structure to 0 before using it.

Reported-by: Maciej Żenczykowski <maze@google.com>
Reported-by: John Stultz <john.stultz@linaro.org>
Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Alistair Delva <adelva@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://android-review.googlesource.com/c/kernel/common/+/1235490
Link: https://lore.kernel.org/bpf/20200320094813.GA421650@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/bpf/syscall.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1474,7 +1474,7 @@ static int bpf_obj_get_info_by_fd(const
 
 SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
 {
-	union bpf_attr attr = {};
+	union bpf_attr attr;
 	int err;
 
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
@@ -1486,6 +1486,7 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf
 	size = min_t(u32, size, sizeof(attr));
 
 	/* copy attributes from user space, may be less than sizeof(bpf_attr) */
+	memset(&attr, 0, sizeof(attr));
 	if (copy_from_user(&attr, uattr, size) != 0)
 		return -EFAULT;
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 140/148] bpf: Explicitly memset some bpf info structures declared on the stack
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 139/148] bpf: Explicitly memset the bpf_attr structure Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 141/148] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniel Borkmann, Yonghong Song

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5c6f25887963f15492b604dd25cb149c501bbabf upstream.

Trying to initialize a structure with "= {};" will not always clean out
all padding locations in a structure. So be explicit and call memset to
initialize everything for a number of bpf information structures that
are then copied from userspace, sometimes from smaller memory locations
than the size of the structure.

Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20200320162258.GA794295@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/bpf/syscall.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1364,7 +1364,7 @@ static int bpf_prog_get_info_by_fd(struc
 				   union bpf_attr __user *uattr)
 {
 	struct bpf_prog_info __user *uinfo = u64_to_user_ptr(attr->info.info);
-	struct bpf_prog_info info = {};
+	struct bpf_prog_info info;
 	u32 info_len = attr->info.info_len;
 	char __user *uinsns;
 	u32 ulen;
@@ -1375,6 +1375,7 @@ static int bpf_prog_get_info_by_fd(struc
 		return err;
 	info_len = min_t(u32, sizeof(info), info_len);
 
+	memset(&info, 0, sizeof(info));
 	if (copy_from_user(&info, uinfo, info_len))
 		return -EFAULT;
 
@@ -1420,7 +1421,7 @@ static int bpf_map_get_info_by_fd(struct
 				  union bpf_attr __user *uattr)
 {
 	struct bpf_map_info __user *uinfo = u64_to_user_ptr(attr->info.info);
-	struct bpf_map_info info = {};
+	struct bpf_map_info info;
 	u32 info_len = attr->info.info_len;
 	int err;
 
@@ -1429,6 +1430,7 @@ static int bpf_map_get_info_by_fd(struct
 		return err;
 	info_len = min_t(u32, sizeof(info), info_len);
 
+	memset(&info, 0, sizeof(info));
 	info.type = map->map_type;
 	info.id = map->id;
 	info.key_size = map->key_size;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 141/148] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 140/148] bpf: Explicitly memset some bpf info structures declared on the stack Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 142/148] net: ks8851-ml: Fix IO operations, again Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Mika Westerberg,
	Linus Walleij, Marc Lehmann

From: Hans de Goede <hdegoede@redhat.com>

commit 0c625ccfe6f754d0896b8881f5c85bcb81699f1f upstream.

There are at least 3 models of the HP x2 10 models:

Bay Trail SoC + AXP288 PMIC
Cherry Trail SoC + AXP288 PMIC
Cherry Trail SoC + TI PMIC

Like on the other HP x2 10 models we need to ignore wakeup for ACPI GPIO
events on the external embedded-controller pin to avoid spurious wakeups
on the HP x2 10 CHT + AXP288 model too.

This commit adds an extra DMI based quirk for the HP x2 10 CHT + AXP288
model, ignoring wakeups for ACPI GPIO events on the EC interrupt pin
on this model. This fixes spurious wakeups from suspend on this model.

Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism")
Reported-and-tested-by: Marc Lehmann <schmorp@schmorp.de>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200302111225.6641-4-hdegoede@redhat.com
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpiolib-acpi.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -1440,6 +1440,21 @@ static const struct dmi_system_id gpioli
 			.ignore_wake = "INT33FC:02@28",
 		},
 	},
+	{
+		/*
+		 * HP X2 10 models with Cherry Trail SoC + AXP288 PMIC use an
+		 * external embedded-controller connected via I2C + an ACPI GPIO
+		 * event handler on INT33FF:01 pin 0, causing spurious wakeups.
+		 */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion x2 Detachable"),
+			DMI_MATCH(DMI_BOARD_NAME, "813E"),
+		},
+		.driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+			.ignore_wake = "INT33FF:01@0",
+		},
+	},
 	{} /* Terminating entry */
 };
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 142/148] net: ks8851-ml: Fix IO operations, again
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 141/148] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 143/148] arm64: alternative: fix build with clang integrated assembler Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, David S. Miller,
	Lukas Wunner, Petr Stetiar, YueHaibing

From: Marek Vasut <marex@denx.de>

commit 8262e6f9b1034ede34548a04dec4c302d92c9497 upstream.

This patch reverts 58292104832f ("net: ks8851-ml: Fix 16-bit IO operation")
and edacb098ea9c ("net: ks8851-ml: Fix 16-bit data access"), because it
turns out these were only necessary due to buggy hardware. This patch adds
a check for such a buggy hardware to prevent any such mistakes again.

While working further on the KS8851 driver, it came to light that the
KS8851-16MLL is capable of switching bus endianness by a hardware strap,
EESK pin. If this strap is incorrect, the IO accesses require such endian
swapping as is being reverted by this patch. Such swapping also impacts
the performance significantly.

Hence, in addition to removing it, detect that the hardware is broken,
report to user, and fail to bind with such hardware.

Fixes: 58292104832f ("net: ks8851-ml: Fix 16-bit IO operation")
Fixes: edacb098ea9c ("net: ks8851-ml: Fix 16-bit data access")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Petr Stetiar <ynezz@true.cz>
Cc: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/micrel/ks8851_mll.c |   56 ++++++++++++++++++++++++++++---
 1 file changed, 52 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/micrel/ks8851_mll.c
+++ b/drivers/net/ethernet/micrel/ks8851_mll.c
@@ -475,6 +475,50 @@ static int msg_enable;
  */
 
 /**
+ * ks_check_endian - Check whether endianness of the bus is correct
+ * @ks	  : The chip information
+ *
+ * The KS8851-16MLL EESK pin allows selecting the endianness of the 16bit
+ * bus. To maintain optimum performance, the bus endianness should be set
+ * such that it matches the endianness of the CPU.
+ */
+
+static int ks_check_endian(struct ks_net *ks)
+{
+	u16 cider;
+
+	/*
+	 * Read CIDER register first, however read it the "wrong" way around.
+	 * If the endian strap on the KS8851-16MLL in incorrect and the chip
+	 * is operating in different endianness than the CPU, then the meaning
+	 * of BE[3:0] byte-enable bits is also swapped such that:
+	 *    BE[3,2,1,0] becomes BE[1,0,3,2]
+	 *
+	 * Luckily for us, the byte-enable bits are the top four MSbits of
+	 * the address register and the CIDER register is at offset 0xc0.
+	 * Hence, by reading address 0xc0c0, which is not impacted by endian
+	 * swapping, we assert either BE[3:2] or BE[1:0] while reading the
+	 * CIDER register.
+	 *
+	 * If the bus configuration is correct, reading 0xc0c0 asserts
+	 * BE[3:2] and this read returns 0x0000, because to read register
+	 * with bottom two LSbits of address set to 0, BE[1:0] must be
+	 * asserted.
+	 *
+	 * If the bus configuration is NOT correct, reading 0xc0c0 asserts
+	 * BE[1:0] and this read returns non-zero 0x8872 value.
+	 */
+	iowrite16(BE3 | BE2 | KS_CIDER, ks->hw_addr_cmd);
+	cider = ioread16(ks->hw_addr);
+	if (!cider)
+		return 0;
+
+	netdev_err(ks->netdev, "incorrect EESK endian strap setting\n");
+
+	return -EINVAL;
+}
+
+/**
  * ks_rdreg16 - read 16 bit register from device
  * @ks	  : The chip information
  * @offset: The register address
@@ -484,7 +528,7 @@ static int msg_enable;
 
 static u16 ks_rdreg16(struct ks_net *ks, int offset)
 {
-	ks->cmd_reg_cache = (u16)offset | ((BE3 | BE2) >> (offset & 0x02));
+	ks->cmd_reg_cache = (u16)offset | ((BE1 | BE0) << (offset & 0x02));
 	iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
 	return ioread16(ks->hw_addr);
 }
@@ -499,7 +543,7 @@ static u16 ks_rdreg16(struct ks_net *ks,
 
 static void ks_wrreg16(struct ks_net *ks, int offset, u16 value)
 {
-	ks->cmd_reg_cache = (u16)offset | ((BE3 | BE2) >> (offset & 0x02));
+	ks->cmd_reg_cache = (u16)offset | ((BE1 | BE0) << (offset & 0x02));
 	iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
 	iowrite16(value, ks->hw_addr);
 }
@@ -515,7 +559,7 @@ static inline void ks_inblk(struct ks_ne
 {
 	len >>= 1;
 	while (len--)
-		*wptr++ = be16_to_cpu(ioread16(ks->hw_addr));
+		*wptr++ = (u16)ioread16(ks->hw_addr);
 }
 
 /**
@@ -529,7 +573,7 @@ static inline void ks_outblk(struct ks_n
 {
 	len >>= 1;
 	while (len--)
-		iowrite16(cpu_to_be16(*wptr++), ks->hw_addr);
+		iowrite16(*wptr++, ks->hw_addr);
 }
 
 static void ks_disable_int(struct ks_net *ks)
@@ -1539,6 +1583,10 @@ static int ks8851_probe(struct platform_
 		goto err_free;
 	}
 
+	err = ks_check_endian(ks);
+	if (err)
+		goto err_free;
+
 	netdev->irq = platform_get_irq(pdev, 0);
 
 	if ((int)netdev->irq < 0) {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 143/148] arm64: alternative: fix build with clang integrated assembler
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 142/148] net: ks8851-ml: Fix IO operations, again Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 144/148] perf map: Fix off by one in strncpy() size argument Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Ilie Halip, Will Deacon

From: Ilie Halip <ilie.halip@gmail.com>

commit 6f5459da2b8736720afdbd67c4bd2d1edba7d0e3 upstream.

Building an arm64 defconfig with clang's integrated assembler, this error
occurs:
    <instantiation>:2:2: error: unrecognized instruction mnemonic
     _ASM_EXTABLE 9999b, 9f
     ^
    arch/arm64/mm/cache.S:50:1: note: while in macro instantiation
    user_alt 9f, "dc cvau, x4", "dc civac, x4", 0
    ^

While GNU as seems fine with case-sensitive macro instantiations, clang
doesn't, so use the actual macro name (_asm_extable) as in the rest of
the file.

Also checked that the generated assembly matches the GCC output.

Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nick Desaulniers <ndesaulniers@google.com>
Fixes: 290622efc76e ("arm64: fix "dc cvau" cache operation on errata-affected core")
Link: https://github.com/ClangBuiltLinux/linux/issues/924
Signed-off-by: Ilie Halip <ilie.halip@gmail.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/alternative.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/alternative.h
+++ b/arch/arm64/include/asm/alternative.h
@@ -216,7 +216,7 @@ alternative_endif
 
 .macro user_alt, label, oldinstr, newinstr, cond
 9999:	alternative_insn "\oldinstr", "\newinstr", \cond
-	_ASM_EXTABLE 9999b, \label
+	_asm_extable 9999b, \label
 .endm
 
 /*



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 144/148] perf map: Fix off by one in strncpy() size argument
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 143/148] arm64: alternative: fix build with clang integrated assembler Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 145/148] ARM: dts: oxnas: Fix clear-mask property Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, disconnect3d, Alexander Shishkin,
	Changbin Du, Jiri Olsa, John Keeping, Mark Rutland,
	Michael Lentine, Namhyung Kim, Peter Zijlstra, Song Liu,
	Stephane Eranian, Arnaldo Carvalho de Melo

From: disconnect3d <dominik.b.czarnota@gmail.com>

commit db2c549407d4a76563c579e4768f7d6d32afefba upstream.

This patch fixes an off-by-one error in strncpy size argument in
tools/perf/util/map.c. The issue is that in:

        strncmp(filename, "/system/lib/", 11)

the passed string literal: "/system/lib/" has 12 bytes (without the NULL
byte) and the passed size argument is 11. As a result, the logic won't
match the ending "/" byte and will pass filepaths that are stored in
other directories e.g. "/system/libmalicious/bin" or just
"/system/libmalicious".

This functionality seems to be present only on Android. I assume the
/system/ directory is only writable by the root user, so I don't think
this bug has much (or any) security impact.

Fixes: eca818369996 ("perf tools: Add automatic remapping of Android libraries")
Signed-off-by: disconnect3d <dominik.b.czarnota@gmail.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Changbin Du <changbin.du@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: John Keeping <john@metanate.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Michael Lentine <mlentine@google.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <songliubraving@fb.com>
Cc: Stephane Eranian <eranian@google.com>
Link: http://lore.kernel.org/lkml/20200309104855.3775-1-dominik.b.czarnota@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/map.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/map.c
+++ b/tools/perf/util/map.c
@@ -90,7 +90,7 @@ static inline bool replace_android_lib(c
 		return true;
 	}
 
-	if (!strncmp(filename, "/system/lib/", 11)) {
+	if (!strncmp(filename, "/system/lib/", 12)) {
 		char *ndk, *app;
 		const char *arch;
 		size_t ndk_length;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 145/148] ARM: dts: oxnas: Fix clear-mask property
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 144/148] perf map: Fix off by one in strncpy() size argument Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 146/148] ARM: bcm2835-rpi-zero-w: Add missing pinctrl name Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sungbo Eo, Neil Armstrong

From: Sungbo Eo <mans0n@gorani.run>

commit deeabb4c1341a12bf8b599e6a2f4cfa4fd74738c upstream.

Disable all rps-irq interrupts during driver initialization to prevent
an accidental interrupt on GIC.

Fixes: 84316f4ef141 ("ARM: boot: dts: Add Oxford Semiconductor OX810SE dtsi")
Fixes: 38d4a53733f5 ("ARM: dts: Add support for OX820 and Pogoplug V3")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Acked-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/ox810se.dtsi |    4 ++--
 arch/arm/boot/dts/ox820.dtsi   |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/boot/dts/ox810se.dtsi
+++ b/arch/arm/boot/dts/ox810se.dtsi
@@ -322,8 +322,8 @@
 					interrupt-controller;
 					reg = <0 0x200>;
 					#interrupt-cells = <1>;
-					valid-mask = <0xFFFFFFFF>;
-					clear-mask = <0>;
+					valid-mask = <0xffffffff>;
+					clear-mask = <0xffffffff>;
 				};
 
 				timer0: timer@200 {
--- a/arch/arm/boot/dts/ox820.dtsi
+++ b/arch/arm/boot/dts/ox820.dtsi
@@ -239,8 +239,8 @@
 					reg = <0 0x200>;
 					interrupts = <GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>;
 					#interrupt-cells = <1>;
-					valid-mask = <0xFFFFFFFF>;
-					clear-mask = <0>;
+					valid-mask = <0xffffffff>;
+					clear-mask = <0xffffffff>;
 				};
 
 				timer0: timer@200 {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 146/148] ARM: bcm2835-rpi-zero-w: Add missing pinctrl name
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 145/148] ARM: dts: oxnas: Fix clear-mask property Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:18 ` [PATCH 4.14 147/148] arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nick Hudson, Florian Fainelli

From: Nick Hudson <skrll@netbsd.org>

commit 6687c201fdc3139315c2ea7ef96c157672805cdc upstream.

Define the sdhci pinctrl state as "default" so it gets applied
correctly and to match all other RPis.

Fixes: 2c7c040c73e9 ("ARM: dts: bcm2835: Add Raspberry Pi Zero W")
Signed-off-by: Nick Hudson <skrll@netbsd.org>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/bcm2835-rpi-zero-w.dts |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/bcm2835-rpi-zero-w.dts
+++ b/arch/arm/boot/dts/bcm2835-rpi-zero-w.dts
@@ -118,6 +118,7 @@
 &sdhci {
 	#address-cells = <1>;
 	#size-cells = <0>;
+	pinctrl-names = "default";
 	pinctrl-0 = <&emmc_gpio34 &gpclk2_gpio43>;
 	mmc-pwrseq = <&wifi_pwrseq>;
 	non-removable;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 147/148] arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 146/148] ARM: bcm2835-rpi-zero-w: Add missing pinctrl name Greg Kroah-Hartman
@ 2020-04-01 16:18 ` Greg Kroah-Hartman
  2020-04-01 16:19 ` [PATCH 4.14 148/148] arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Madalin Bucur, David S. Miller

From: Madalin Bucur <madalin.bucur@oss.nxp.com>

commit 4022d808c45277693ea86478fab1f081ebf997e8 upstream.

The correct setting for the RGMII ports on LS1043ARDB is to
enable delay on both Rx and Tx so the interface mode used must
be PHY_INTERFACE_MODE_RGMII_ID.

Since commit 1b3047b5208a80 ("net: phy: realtek: add support for
configuring the RX delay on RTL8211F") the Realtek 8211F PHY driver
has control over the RGMII RX delay and it is disabling it for
RGMII_TXID. The LS1043ARDB uses two such PHYs in RGMII_ID mode but
in the device tree the mode was described as "rgmii_txid".
This issue was not apparent at the time as the PHY driver took the
same action for RGMII_TXID and RGMII_ID back then but it became
visible (RX no longer working) after the above patch.

Changing the phy-connection-type to "rgmii-id" to address the issue.

Fixes: bf02f2ffe59c ("arm64: dts: add LS1043A DPAA FMan support")
Signed-off-by: Madalin Bucur <madalin.bucur@oss.nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts
@@ -155,12 +155,12 @@
 
 	ethernet@e4000 {
 		phy-handle = <&rgmii_phy1>;
-		phy-connection-type = "rgmii-txid";
+		phy-connection-type = "rgmii-id";
 	};
 
 	ethernet@e6000 {
 		phy-handle = <&rgmii_phy2>;
-		phy-connection-type = "rgmii-txid";
+		phy-connection-type = "rgmii-id";
 	};
 
 	ethernet@e8000 {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 4.14 148/148] arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2020-04-01 16:18 ` [PATCH 4.14 147/148] arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id Greg Kroah-Hartman
@ 2020-04-01 16:19 ` Greg Kroah-Hartman
  2020-04-02  0:12 ` [PATCH 4.14 000/148] 4.14.175-rc1 review Guenter Roeck
                   ` (3 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2020-04-01 16:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Madalin Bucur, David S. Miller

From: Madalin Bucur <madalin.bucur@oss.nxp.com>

commit d79e9d7c1e4ba5f95f2ff3541880c40ea9722212 upstream.

The correct setting for the RGMII ports on LS1046ARDB is to
enable delay on both Rx and Tx so the interface mode used must
be PHY_INTERFACE_MODE_RGMII_ID.

Since commit 1b3047b5208a80 ("net: phy: realtek: add support for
configuring the RX delay on RTL8211F") the Realtek 8211F PHY driver
has control over the RGMII RX delay and it is disabling it for
RGMII_TXID. The LS1046ARDB uses two such PHYs in RGMII_ID mode but
in the device tree the mode was described as "rgmii".

Changing the phy-connection-type to "rgmii-id" to address the issue.

Fixes: 3fa395d2c48a ("arm64: dts: add LS1046A DPAA FMan nodes")
Signed-off-by: Madalin Bucur <madalin.bucur@oss.nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts
@@ -162,12 +162,12 @@
 &fman0 {
 	ethernet@e4000 {
 		phy-handle = <&rgmii_phy1>;
-		phy-connection-type = "rgmii";
+		phy-connection-type = "rgmii-id";
 	};
 
 	ethernet@e6000 {
 		phy-handle = <&rgmii_phy2>;
-		phy-connection-type = "rgmii";
+		phy-connection-type = "rgmii-id";
 	};
 
 	ethernet@e8000 {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 4.14 000/148] 4.14.175-rc1 review
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2020-04-01 16:19 ` [PATCH 4.14 148/148] arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode Greg Kroah-Hartman
@ 2020-04-02  0:12 ` Guenter Roeck
  2020-04-02  7:09 ` Jon Hunter
                   ` (2 subsequent siblings)
  151 siblings, 0 replies; 153+ messages in thread
From: Guenter Roeck @ 2020-04-02  0:12 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage, stable

On 4/1/20 9:16 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.175 release.
> There are 148 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 03 Apr 2020 16:09:36 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 171 pass: 171 fail: 0
Qemu test results:
	total: 405 pass: 405 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 4.14 000/148] 4.14.175-rc1 review
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2020-04-02  0:12 ` [PATCH 4.14 000/148] 4.14.175-rc1 review Guenter Roeck
@ 2020-04-02  7:09 ` Jon Hunter
  2020-04-02  7:54 ` Naresh Kamboju
  2020-04-02 22:47 ` shuah
  151 siblings, 0 replies; 153+ messages in thread
From: Jon Hunter @ 2020-04-02  7:09 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 01/04/2020 17:16, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.175 release.
> There are 148 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 03 Apr 2020 16:09:36 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.175-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v4.14:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    24 tests:	24 pass, 0 fail

Linux version:	4.14.175-rc1-gbc03924ca6ea
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 4.14 000/148] 4.14.175-rc1 review
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2020-04-02  7:09 ` Jon Hunter
@ 2020-04-02  7:54 ` Naresh Kamboju
  2020-04-02 22:47 ` shuah
  151 siblings, 0 replies; 153+ messages in thread
From: Naresh Kamboju @ 2020-04-02  7:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Wed, 1 Apr 2020 at 22:11, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.14.175 release.
> There are 148 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 03 Apr 2020 16:09:36 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.175-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.14.175-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: bc03924ca6eab72bec9fb6f455ea41bca1fa5ccc
git describe: v4.14.174-149-gbc03924ca6ea
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.174-149-gbc03924ca6ea


No regressions (compared to build v4.14.174)


No fixes (compared to build v4.14.174)

Ran 41452 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64
- x86-kasan

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* install-android-platform-tools-r2800
* kselftest
* libhugetlbfs
* linux-log-parser
* ltp-commands-tests
* ltp-containers-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fs-tests
* ltp-io-tests
* ltp-math-tests
* ltp-sched-tests
* perf
* v4l2-compliance
* kvm-unit-tests
* ltp-cap_bounds-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-ipc-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* ltp-open-posix-tests
* spectre-meltdown-checker-test
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 4.14 000/148] 4.14.175-rc1 review
  2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2020-04-02  7:54 ` Naresh Kamboju
@ 2020-04-02 22:47 ` shuah
  151 siblings, 0 replies; 153+ messages in thread
From: shuah @ 2020-04-02 22:47 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 4/1/20 10:16 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.175 release.
> There are 148 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 03 Apr 2020 16:09:36 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.175-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 153+ messages in thread

end of thread, other threads:[~2020-04-02 22:47 UTC | newest]

Thread overview: 153+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-01 16:16 [PATCH 4.14 000/148] 4.14.175-rc1 review Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 001/148] spi: qup: call spi_qup_pm_resume_runtime before suspending Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 002/148] powerpc: Include .BTF section Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 003/148] ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 004/148] spi: pxa2xx: Add CS control clock quirk Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 005/148] spi/zynqmp: remove entry that causes a cs glitch Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 006/148] drm/exynos: dsi: propagate error value and silence meaningless warning Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 007/148] drm/exynos: dsi: fix workaround for the legacy clock name Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 008/148] drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 009/148] altera-stapl: altera_get_note: prevent write beyond end of key Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 010/148] dm bio record: save/restore bi_end_io and bi_integrity Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 011/148] xenbus: req->body should be updated before req->state Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 012/148] xenbus: req->err " Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 013/148] block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 014/148] parse-maintainers: Mark as executable Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 015/148] USB: Disable LPM on WD19s Realtek Hub Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 016/148] usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 017/148] USB: serial: option: add ME910G1 ECM composition 0x110b Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 018/148] usb: host: xhci-plat: add a shutdown Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 019/148] USB: serial: pl2303: add device-id for HP LD381 Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 020/148] usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 021/148] ALSA: line6: Fix endless MIDI read loop Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 022/148] ALSA: seq: virmidi: Fix running status after receiving sysex Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 023/148] ALSA: seq: oss: " Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 024/148] ALSA: pcm: oss: Avoid plugin buffer overflow Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 025/148] ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 026/148] iio: trigger: stm32-timer: disable master mode when stopping Greg Kroah-Hartman
2020-04-01 16:16 ` [PATCH 4.14 027/148] iio: magnetometer: ak8974: Fix negative raw values in sysfs Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 028/148] mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 029/148] staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 030/148] staging/speakup: fix get_word non-space look-ahead Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 031/148] intel_th: Fix user-visible error codes Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 032/148] intel_th: pci: Add Elkhart Lake CPU support Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 033/148] rtc: max8907: add missing select REGMAP_IRQ Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 034/148] xhci: Do not open code __print_symbolic() in xhci trace events Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 035/148] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 036/148] mm: slub: be more careful about the double cmpxchg of freelist Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 037/148] mm, slub: prevent kmalloc_node crashes and memory leaks Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 038/148] page-flags: fix a crash at SetPageError(THP_SWAP) Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 039/148] x86/mm: split vmalloc_sync_all() Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 040/148] USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 041/148] USB: cdc-acm: fix rounding error " Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 042/148] iio: adc: at91-sama5d2_adc: fix channel configuration for differential channels Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 043/148] iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 044/148] kbuild: Disable -Wpointer-to-enum-cast Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 045/148] futex: Fix inode life-time issue Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 046/148] futex: Unbreak futex hashing Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 047/148] Revert "vrf: mark skb for multicast or link-local as enslaved to VRF" Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 048/148] Revert "ipv6: Fix handling of LLA with VRF and sockets bound " Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 049/148] ALSA: hda/realtek: Fix pop noise on ALC225 Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 050/148] arm64: smp: fix smp_send_stop() behaviour Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 051/148] arm64: smp: fix crash_smp_send_stop() behaviour Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 052/148] drm/bridge: dw-hdmi: fix AVI frame colorimetry Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 053/148] staging: greybus: loopback_test: fix potential path truncation Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 054/148] staging: greybus: loopback_test: fix potential path truncations Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 055/148] Revert "drm/dp_mst: Skip validating ports during destruction, just ref" Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 056/148] hsr: fix general protection fault in hsr_addr_is_self() Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 057/148] macsec: restrict to ethernet devices Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 058/148] net: dsa: Fix duplicate frames flooded by learning Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 059/148] net: mvneta: Fix the case where the last poll did not process all rx Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 060/148] net/packet: tpacket_rcv: avoid a producer race condition Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 061/148] net: qmi_wwan: add support for ASKEY WWHC050 Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 062/148] net_sched: cls_route: remove the right filter from hashtable Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 063/148] net_sched: keep alloc_hash updated after hash allocation Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 064/148] net: stmmac: dwmac-rk: fix error path in rk_gmac_probe Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 065/148] NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 066/148] slcan: not call free_netdev before rtnl_unlock in slcan_open Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 067/148] bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 068/148] net: dsa: mt7530: Change the LINK bit to reflect the link status Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 069/148] vxlan: check return value of gro_cells_init() Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 070/148] hsr: use rcu_read_lock() in hsr_get_node_{list/status}() Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 071/148] hsr: add restart routine into hsr_get_node_list() Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 072/148] hsr: set .netnsok flag Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 073/148] net: ipv4: dont let PMTU updates increase route MTU Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 074/148] cgroup-v1: cgroup_pidlist_next should update position index Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 075/148] cpupower: avoid multiple definition with gcc -fno-common Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 076/148] drivers/of/of_mdio.c:fix of_mdiobus_register() Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 077/148] cgroup1: dont call release_agent when it is "" Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 078/148] dt-bindings: net: FMan erratum A050385 Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 079/148] arm64: dts: ls1043a: " Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 080/148] fsl/fman: detect " Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 081/148] scsi: ipr: Fix softlockup when rescanning devices in petitboot Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 082/148] mac80211: Do not send mesh HWMP PREQ if HWMP is disabled Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 083/148] dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 084/148] sxgbe: Fix off by one in samsung driver strncpy size arg Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 085/148] arm64: ptrace: map SPSR_ELx<->PSR for compat tasks Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 086/148] arm64: compat: map SPSR_ELx<->PSR for signals Greg Kroah-Hartman
2020-04-01 16:17 ` [PATCH 4.14 087/148] ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare() Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 088/148] i2c: hix5hd2: add missed clk_disable_unprepare in remove Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 089/148] Input: synaptics - enable RMI on HP Envy 13-ad105ng Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 090/148] Input: avoid BIT() macro usage in the serio.h UAPI header Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 091/148] ARM: dts: dra7: Add bus_dma_limit for L3 bus Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 092/148] ARM: dts: omap5: " Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 093/148] perf probe: Do not depend on dwfl_module_addrsym() Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 094/148] tools: Let O= makes handle a relative path with -C option Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 095/148] scripts/dtc: Remove redundant YYLOC global declaration Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 096/148] scsi: sd: Fix optimal I/O size for devices that change reported values Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 097/148] mac80211: mark station unauthorized before key removal Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 098/148] gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 099/148] gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 100/148] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 101/148] RDMA/core: Ensure security pkey modify is not lost Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 102/148] genirq: Fix reference leaks on irq affinity notifiers Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 103/148] xfrm: handle NETDEV_UNREGISTER for xfrm device Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 104/148] vti[6]: fix packet tx through bpf_redirect() in XinY cases Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 105/148] RDMA/mlx5: Block delay drop to unprivileged users Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 106/148] xfrm: fix uctx len check in verify_sec_ctx_len Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 107/148] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 108/148] xfrm: policy: Fix doulbe free in xfrm_policy_timer Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 109/148] netfilter: nft_fwd_netdev: validate family and chain type Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 110/148] vti6: Fix memory leak of skb if input policy check fails Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 111/148] Input: raydium_i2c_ts - use true and false for boolean values Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 112/148] Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 113/148] afs: Fix some tracing details Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 114/148] USB: serial: option: add support for ASKEY WWHC050 Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 115/148] USB: serial: option: add BroadMobi BM806U Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 116/148] USB: serial: option: add Wistron Neweb D19Q1 Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 117/148] USB: cdc-acm: restore capability check order Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 118/148] USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 119/148] usb: musb: fix crash with highmen PIO and usbmon Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 120/148] media: flexcop-usb: fix endpoint sanity check Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 121/148] media: usbtv: fix control-message timeouts Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 122/148] staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 123/148] staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 124/148] staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 125/148] libfs: fix infoleak in simple_attr_read() Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 126/148] media: ov519: add missing endpoint sanity checks Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 127/148] media: dib0700: fix rc endpoint lookup Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 128/148] media: stv06xx: add missing descriptor sanity checks Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 129/148] media: xirlink_cit: " Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 130/148] mac80211: Check port authorization in the ieee80211_tx_dequeue() case Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 131/148] mac80211: fix authentication with iwlwifi/mvm Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 132/148] vt: selection, introduce vc_is_sel Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 133/148] vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 134/148] vt: switch vt_dont_switch to bool Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 135/148] vt: vt_ioctl: remove unnecessary console allocation checks Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 136/148] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 137/148] vt: vt_ioctl: fix use-after-free in vt_in_use() Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 138/148] platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 139/148] bpf: Explicitly memset the bpf_attr structure Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 140/148] bpf: Explicitly memset some bpf info structures declared on the stack Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 141/148] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 142/148] net: ks8851-ml: Fix IO operations, again Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 143/148] arm64: alternative: fix build with clang integrated assembler Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 144/148] perf map: Fix off by one in strncpy() size argument Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 145/148] ARM: dts: oxnas: Fix clear-mask property Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 146/148] ARM: bcm2835-rpi-zero-w: Add missing pinctrl name Greg Kroah-Hartman
2020-04-01 16:18 ` [PATCH 4.14 147/148] arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id Greg Kroah-Hartman
2020-04-01 16:19 ` [PATCH 4.14 148/148] arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode Greg Kroah-Hartman
2020-04-02  0:12 ` [PATCH 4.14 000/148] 4.14.175-rc1 review Guenter Roeck
2020-04-02  7:09 ` Jon Hunter
2020-04-02  7:54 ` Naresh Kamboju
2020-04-02 22:47 ` shuah

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).