linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 5.4 000/222] 5.4.14-stable review
@ 2020-01-22  9:26 Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 001/222] ARM: dts: meson8: fix the size of the PMU registers Greg Kroah-Hartman
                   ` (225 more replies)
  0 siblings, 226 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 5.4.14 release.
There are 222 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.14-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.4.14-rc1

Eddie James <eajames@linux.ibm.com>
    hwmon: (pmbus/ibm-cffps) Fix LED blink behavior

Eddie James <eajames@linux.ibm.com>
    hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call

Stephan Gerhold <stephan@gerhold.net>
    regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id

Anson Huang <Anson.Huang@nxp.com>
    clk: imx7ulp: Correct DDR clock mux options

Anson Huang <Anson.Huang@nxp.com>
    clk: imx7ulp: Correct system clock source option #7

Baolin Wang <baolin.wang@linaro.org>
    clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle()

Andi Kleen <ak@linux.intel.com>
    perf script: Allow --time with --reltime

Masami Hiramatsu <mhiramat@kernel.org>
    perf probe: Fix wrong address verification

Tzu-En Huang <tehuang@realtek.com>
    rtw88: fix potential read outside array boundary

Bart Van Assche <bvanassche@acm.org>
    scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq()

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Fix hdwq sgl locks and irq handling

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq

Bart Van Assche <bvanassche@acm.org>
    scsi: core: scsi_trace: Use get_unaligned_be*()

Martin Wilck <mwilck@suse.com>
    scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan

Huacai Chen <chenhc@lemote.com>
    scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI

John Garry <john.garry@huawei.com>
    scsi: scsi_transport_sas: Fix memory leak when removing devices

Xiang Chen <chenxiang66@hisilicon.com>
    scsi: hisi_sas: Return directly if init hardware failed

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences

Bart Van Assche <bvanassche@acm.org>
    scsi: target: core: Fix a pr_debug() argument

Pan Bian <bianpan2016@163.com>
    scsi: bnx2i: fix potential use after free

Pan Bian <bianpan2016@163.com>
    scsi: qla4xxx: fix double free bug

Xiang Chen <chenxiang66@hisilicon.com>
    scsi: hisi_sas: Set the BIST init value before enabling BIST

Xiang Chen <chenxiang66@hisilicon.com>
    scsi: hisi_sas: Don't create debugfs dump folder twice

Dan Carpenter <dan.carpenter@oracle.com>
    scsi: esas2r: unlock on error in esas2r_nvram_read_direct()

Jeff Mahoney <jeffm@suse.com>
    reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr

Johannes Berg <johannes.berg@intel.com>
    um: virtio_uml: Disallow modular build

Johannes Berg <johannes.berg@intel.com>
    um: Don't trace irqflags during shutdown

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    mtd: cfi_cmdset_0002: fix delayed error detection on HyperFlash

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    mtd: cfi_cmdset_0002: only check errors when ready in cfi_check_err_status()

Angelo Dureghello <angelo.dureghello@timesys.com>
    mtd: devices: fix mchp23k256 read and write

Sudeep Holla <sudeep.holla@arm.com>
    Revert "arm64: dts: juno: add dma-ranges property"

Tony Lindgren <tony@atomide.com>
    ARM: dts: Fix sgx sysconfig register for omap4

Andre Przywara <andre.przywara@arm.com>
    arm64: dts: juno: Fix UART frequency

Grygorii Strashko <grygorii.strashko@ti.com>
    ARM: dts: dra7: fix cpsw mdio fck clock

Andre Przywara <andre.przywara@arm.com>
    arm64: dts: allwinner: a64: Re-add PMU node

Frieder Schrempf <frieder.schrempf@kontron.de>
    ARM: dts: imx6ul-kontron-n6310-s: Disable the snvs-poweroff driver

Rob Clark <robdclark@chromium.org>
    arm64: dts: qcom: sdm845-cheza: delete zap-shader

S.j. Wang <shengjiu.wang@nxp.com>
    arm64: dts: imx8mm-evk: Assigned clocks for audio plls

Biju Das <biju.das@bp.renesas.com>
    arm64: dts: renesas: r8a774a1: Remove audio port node

Miquel Raynal <miquel.raynal@bootlin.com>
    arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment

Eric Dumazet <edumazet@google.com>
    tick/sched: Annotate lockless access to last_jiffies_update

Johannes Berg <johannes.berg@intel.com>
    cfg80211: check for set_wiphy_params

Miquel Raynal <miquel.raynal@bootlin.com>
    arm64: dts: marvell: Add AP806-dual missing CPU clocks

Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
    arm64: dts: renesas: r8a77970: Fix PWM3

Christian Hewitt <christianshewitt@gmail.com>
    arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node

Jerome Brunet <jbrunet@baylibre.com>
    arm64: dts: meson: g12: fix audio fifo reg size

Jerome Brunet <jbrunet@baylibre.com>
    arm64: dts: meson: axg: fix audio fifo reg size

Dan Carpenter <dan.carpenter@oracle.com>
    cw1200: Fix a signedness bug in cw1200_load_firmware()

Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
    arm64: dts: qcom: msm8998: Disable coresight by default

Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    irqchip: Place CONFIG_SIFIVE_PLIC into the menu

Eric Dumazet <edumazet@google.com>
    tcp: refine rule to allow EPOLLOUT generation under mem pressure

Rob Herring <robh@kernel.org>
    dt-bindings: Add missing 'properties' keyword enclosing 'snps,tso'

Nathan Chancellor <natechancellor@gmail.com>
    xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk

Ido Schimmel <idosch@mellanox.com>
    devlink: Wait longer before warning about unset port type

Jose Abreu <Jose.Abreu@synopsys.com>
    net: stmmac: tc: Do not setup flower filtering if RSS is enabled

Jose Abreu <Jose.Abreu@synopsys.com>
    net: stmmac: selftests: Update status when disabling RSS

Petr Machata <petrm@mellanox.com>
    selftests: mlxsw: qos_mc_aware: Fix mausezahn invocation

Jose Abreu <Jose.Abreu@synopsys.com>
    net: stmmac: selftests: Mark as fail when received VLAN ID != expected

Jose Abreu <Jose.Abreu@synopsys.com>
    net: stmmac: selftests: Make it work in Synopsys AXS101 boards

Petr Machata <petrm@mellanox.com>
    mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters

Petr Machata <petrm@mellanox.com>
    mlxsw: spectrum: Wipe xstats.backlog of down ports

Ido Schimmel <idosch@mellanox.com>
    mlxsw: spectrum: Do not modify cloned SKBs during xmit

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    sh_eth: check sh_eth_cpu_data::dual_port when dumping registers

changzhu <Changfeng.Zhu@amd.com>
    drm/amdgpu: allow direct upload save restore list for raven2

Navid Emamdoost <navid.emamdoost@gmail.com>
    i40e: prevent memory leak in i40e_setup_macvlans

Florian Fainelli <f.fainelli@gmail.com>
    net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec

Eric Dumazet <edumazet@google.com>
    net: sched: act_ctinfo: fix memory leak

Alexander Lobakin <alobakin@dlink.ru>
    net: dsa: tag_gswip: fix typo in tagger name

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: sja1105: Don't error out on disabled ports with no phy-mode

Florian Fainelli <f.fainelli@gmail.com>
    net: systemport: Fixed queue mapping in internal ring map

Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    net: ethernet: ave: Avoid lockdep warning

Michael Chan <michael.chan@broadcom.com>
    bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal.

Michael Chan <michael.chan@broadcom.com>
    bnxt_en: Fix ipv6 RFS filter matching logic.

Michael Chan <michael.chan@broadcom.com>
    bnxt_en: Fix NTUPLE firmware command failures.

Pengcheng Yang <yangpc@wangsu.com>
    tcp: fix marked lost packets not being retransmitted

Johan Hovold <johan@kernel.org>
    r8152: add missing endpoint sanity check

Vladis Dronov <vdronov@redhat.com>
    ptp: free ptp device pin descriptors properly

Colin Ian King <colin.king@canonical.com>
    net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info

Eric Dumazet <edumazet@google.com>
    net: usb: lan78xx: limit size of local TSO packets

Eric Dumazet <edumazet@google.com>
    net/sched: act_ife: initalize ife->metalist earlier

Michael Grzeschik <m.grzeschik@pengutronix.de>
    net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset

Yonglong Liu <liuyonglong@huawei.com>
    net: hns: fix soft lockup when there is not enough memory

Yunsheng Lin <linyunsheng@huawei.com>
    net: hns3: pad the short frame before sending to the hardware

Alexander Lobakin <alobakin@dlink.ru>
    net: dsa: tag_qca: fix doubled Tx statistics

Cong Wang <xiyou.wangcong@gmail.com>
    net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key()

Mohammed Gamal <mgamal@redhat.com>
    hv_netvsc: Fix memory leak when removing rndis device

Eric Dumazet <edumazet@google.com>
    macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()

Sven Eckelmann <sven@narfation.org>
    batman-adv: Fix DAT candidate selection on little endian systems

Martin KaFai Lau <kafai@fb.com>
    bpftool: Fix printing incorrect pointer in btf_dump_ptr

Lorenz Bauer <lmb@cloudflare.com>
    net: bpf: Don't leak time wait and request sockets

Johan Hovold <johan@kernel.org>
    NFC: pn533: fix bulk-message timeout

Florian Westphal <fw@strlen.de>
    netfilter: nf_tables: fix flowtable list del corruption

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables: store transaction list locally while requesting module

Florian Westphal <fw@strlen.de>
    netfilter: nf_tables: remove WARN and add NLA_STRING upper limits

Florian Westphal <fw@strlen.de>
    netfilter: nft_tunnel: ERSPAN_VERSION must not be null

Florian Westphal <fw@strlen.de>
    netfilter: nft_tunnel: fix null-attribute check

Eyal Birger <eyal.birger@gmail.com>
    netfilter: nat: fix ICMP header corruption on ICMP errors

Florian Westphal <fw@strlen.de>
    netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct

Cong Wang <xiyou.wangcong@gmail.com>
    netfilter: fix a use-after-free in mtype_destroy()

Krzysztof Kozlowski <krzk@kernel.org>
    i2c: iop3xx: Fix memory leak in probe error path

Lingpeng Chen <forrest0579@gmail.com>
    bpf/sockmap: Read psock ingress_msg before sk_receive_queue

Felix Fietkau <nbd@nbd.name>
    cfg80211: fix page refcount issue in A-MSDU decap

Felix Fietkau <nbd@nbd.name>
    cfg80211: fix memory leak in cfg80211_cqm_rssi_update

Felix Fietkau <nbd@nbd.name>
    cfg80211: fix memory leak in nl80211_probe_mesh_link

Markus Theil <markus.theil@tu-ilmenau.de>
    cfg80211: fix deadlocks in autodisconnect work

Dmitry Osipenko <digetx@gmail.com>
    i2c: tegra: Properly disable runtime PM on driver's probe error

Dmitry Osipenko <digetx@gmail.com>
    i2c: tegra: Fix suspending in active runtime PM state

John Fastabend <john.fastabend@gmail.com>
    bpf: Sockmap/tls, fix pop data with SK_DROP return code

John Fastabend <john.fastabend@gmail.com>
    bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining

John Fastabend <john.fastabend@gmail.com>
    bpf: Sockmap/tls, tls_sw can create a plaintext buf > encrypt buf

John Fastabend <john.fastabend@gmail.com>
    bpf: Sockmap/tls, msg_push_data may leave end mark in place

John Fastabend <john.fastabend@gmail.com>
    bpf: Sockmap, skmsg helper overestimates push, pull, and pop bounds

John Fastabend <john.fastabend@gmail.com>
    bpf: Sockmap/tls, push write_space updates through ulp updates

John Fastabend <john.fastabend@gmail.com>
    bpf: Sockmap, ensure sock lock held during tear down

John Fastabend <john.fastabend@gmail.com>
    bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop

Daniel Borkmann <daniel@iogearbox.net>
    bpf: Fix incorrect verifier simulation of ARSH under ALU32

Mario Kleiner <mario.kleiner.de@gmail.com>
    drm/amd/display: Reorder detect_edp_sink_caps before link settings read.

Bart Van Assche <bvanassche@acm.org>
    block: Fix the type of 'sts' in bsg_queue_rq()

Randy Dunlap <rdunlap@infradead.org>
    net: fix kernel-doc warning in <linux/netdevice.h>

Tuong Lien <tuong.t.lien@dektech.com.au>
    tipc: fix retrans failure due to wrong destination

Tuong Lien <tuong.t.lien@dektech.com.au>
    tipc: fix potential hanging after b/rcast changing

Geert Uytterhoeven <geert+renesas@glider.be>
    reset: Fix {of,devm}_reset_control_array_get kerneldoc return types

Jose Abreu <Jose.Abreu@synopsys.com>
    net: stmmac: Enable 16KB buffer size

Jose Abreu <Jose.Abreu@synopsys.com>
    net: stmmac: 16KB buffer must be 16 byte aligned

Marcel Ziswiler <marcel.ziswiler@toradex.com>
    ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support

Jagan Teki <jagan@amarulasolutions.com>
    ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL

Anson Huang <Anson.Huang@nxp.com>
    ARM: dts: imx6sll-evk: Remove incorrect power supply assignment

Anson Huang <Anson.Huang@nxp.com>
    ARM: dts: imx6sl-evk: Remove incorrect power supply assignment

Anson Huang <Anson.Huang@nxp.com>
    ARM: dts: imx6sx-sdb: Remove incorrect power supply assignment

Anson Huang <Anson.Huang@nxp.com>
    ARM: dts: imx6qdl-sabresd: Remove incorrect power supply assignment

Yang Shi <yang.shi@linux.alibaba.com>
    mm: khugepaged: add trace status description for SCAN_PAGE_HAS_PRIVATE

Wen Yang <wenyang@linux.alibaba.com>
    mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio()

David Hildenbrand <david@redhat.com>
    mm/memory_hotplug: don't free usage map when removing a re-added early section

Filipe Manana <fdmanana@suse.com>
    Btrfs: always copy scrub arguments back to user space

Josef Bacik <josef@toxicpanda.com>
    btrfs: check rw_devices, not num_devices for balance

Johannes Thumshirn <johannes.thumshirn@wdc.com>
    btrfs: fix memory leak in qgroup accounting

Qu Wenruo <wqu@suse.com>
    btrfs: relocation: fix reloc_root lifespan and access

Josef Bacik <josef@toxicpanda.com>
    btrfs: do not delete mismatched root refs

Josef Bacik <josef@toxicpanda.com>
    btrfs: fix invalid removal of root ref

Josef Bacik <josef@toxicpanda.com>
    btrfs: rework arguments of btrfs_unlink_subvol

Vlastimil Babka <vbabka@suse.cz>
    mm, debug_pagealloc: don't rely on static keys too early

Adrian Huang <ahuang12@lenovo.com>
    mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid

Roman Gushchin <guro@fb.com>
    mm: memcg/slab: fix percpu slab vmstats flushing

Kirill A. Shutemov <kirill@shutemov.name>
    mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment

Kirill A. Shutemov <kirill@shutemov.name>
    mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment

Jin Yao <yao.jin@linux.intel.com>
    perf report: Fix incorrectly added dimensions as switch perf data file

Waiman Long <longman@redhat.com>
    locking/lockdep: Fix buffer overrun problem in stack_trace[]

Yuya Fujita <fujita.yuya@fujitsu.com>
    perf hists: Fix variable name's inconsistency in hists__for_each() macro

Marek Szyprowski <m.szyprowski@samsung.com>
    clk: samsung: exynos5420: Keep top G3D clocks enabled

Philipp Rudo <prudo@linux.ibm.com>
    s390/setup: Fix secure ipl message

Arvind Sankar <nivedita@alum.mit.edu>
    efi/earlycon: Fix write-combine mapping on x86

Shakeel Butt <shakeelb@google.com>
    x86/resctrl: Fix potential memory leak

YueHaibing <yuehaibing@huawei.com>
    drm/i915: Add missing include file <linux/math64.h>

Vignesh Raghavendra <vigneshr@ti.com>
    mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion

Long Li <longli@microsoft.com>
    scsi: storvsc: Correctly set number of hardware queues for IDE disk

Harald Freudenberger <freude@linux.ibm.com>
    s390/zcrypt: Fix CCA cipher key gen with clear key value function

Ard Biesheuvel <ardb@kernel.org>
    x86/efistub: Disable paging at mixed mode entry

Kan Liang <kan.liang@linux.intel.com>
    perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events

Waiman Long <longman@redhat.com>
    locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN

Tom Lendacky <thomas.lendacky@amd.com>
    x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained

Qian Cai <cai@lca.pw>
    x86/resctrl: Fix an imbalance in domain_remove_cpu()

Arnd Bergmann <arnd@arndb.de>
    cpu/SMT: Fix x86 link error without CONFIG_SYSFS

Keiya Nobuta <nobuta.keiya@fujitsu.com>
    usb: core: hub: Improved device recognition on remote wakeup

Esben Haabendal <esben@geanix.com>
    mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume

Esben Haabendal <esben@geanix.com>
    mtd: rawnand: gpmi: Fix suspend/resume problem

Christian Brauner <christian.brauner@ubuntu.com>
    ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()

Dan Carpenter <dan.carpenter@oracle.com>
    scsi: mptfusion: Fix double fetch bug in ioctl

Arnd Bergmann <arnd@arndb.de>
    scsi: fnic: fix invalid stack access

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: ni_routes: allow partial routing information

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: ni_routes: fix null dereference in ni_find_route_source()

Johan Hovold <johan@kernel.org>
    USB: serial: quatech2: handle unbound ports

Johan Hovold <johan@kernel.org>
    USB: serial: keyspan: handle unbound ports

Johan Hovold <johan@kernel.org>
    USB: serial: io_edgeport: add missing active-port sanity check

Johan Hovold <johan@kernel.org>
    USB: serial: io_edgeport: handle unbound ports on URB completion

Johan Hovold <johan@kernel.org>
    USB: serial: ch341: handle unbound port at reset_resume

Johan Hovold <johan@kernel.org>
    USB: serial: suppress driver bind attributes

Reinhard Speyerer <rspmn@arcor.de>
    USB: serial: option: add support for Quectel RM500Q in QDL mode

Johan Hovold <johan@kernel.org>
    USB: serial: opticon: fix control-message timeouts

Kristian Evensen <kristian.evensen@gmail.com>
    USB: serial: option: Add support for Quectel RM500Q

Jerónimo Borque <jeronimo@borque.com.ar>
    USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx

Lars Möllendorf <lars.moellendorf@plating.de>
    iio: buffer: align the size of scan bytes to size of the largest element

Tomasz Duszynski <tduszyns@gmail.com>
    iio: chemical: pms7003: fix unmet triggered buffer dependency

Guido Günther <agx@sigxcpu.org>
    iio: light: vcnl4000: Fix scale for vcnl4040

Stephan Gerhold <stephan@gerhold.net>
    iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID

Alexandru Tachici <alexandru.tachici@analog.com>
    iio: adc: ad7124: Fix DT channel configuration

Mark Rutland <mark.rutland@arm.com>
    perf: Correctly handle failed perf_get_aux_event()

Arnd Bergmann <arnd@arndb.de>
    ARM: davinci: select CONFIG_RESET_CONTROLLER

Kishon Vijay Abraham I <kishon@ti.com>
    ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number

Ikjoon Jang <ikjn@chromium.org>
    cpuidle: teo: Fix intervals[] array indexing bug

Jens Axboe <axboe@kernel.dk>
    io_uring: only allow submit from owning task

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix fuse_send_readpages() in the syncronous read case

Mikulas Patocka <mpatocka@redhat.com>
    block: fix an integer overflow in logical block size

Chen-Yu Tsai <wens@csie.org>
    clk: sunxi-ng: r40: Allow setting parent rate for external clock outputs

Jari Ruusu <jari.ruusu@gmail.com>
    Fix built-in early-load Intel microcode alignment

Dinh Nguyen <dinguyen@kernel.org>
    arm64: dts: agilex/stratix10: fix pmu interrupt numbers

Stefan Mavrodiev <stefan@olimex.com>
    arm64: dts: allwinner: a64: olinuxino: Fix eMMC supply regulator

Stefan Mavrodiev <stefan@olimex.com>
    arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator

Johan Hovold <johan@kernel.org>
    ALSA: usb-audio: fix sync-ep altsetting sanity check

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: firewire-tascam: fix corruption due to spin lock without restoration in SoftIRQ context

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: Fix racy access for queue timer in proc read

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: dice: fix fallback from protocol extension into limited functionality

Hans de Goede <hdegoede@redhat.com>
    ASoC: Intel: bytcht_es8316: Fix Irbis NB41 netbook quirk

Marek Vasut <marex@denx.de>
    ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection

Peng Fan <peng.fan@nxp.com>
    ARM: dts: imx7ulp: fix reg of cpu node

Tony Lindgren <tony@atomide.com>
    ARM: OMAP2+: Fix ti_sysc_find_one_clockdomain to check for to_clk_hw_omap

Stephan Gerhold <stephan@gerhold.net>
    ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1

Stephan Gerhold <stephan@gerhold.net>
    ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1

Olivier Moysan <olivier.moysan@st.com>
    ASoC: stm32: dfsdm: fix 16 bits record

Olivier Moysan <olivier.moysan@st.com>
    ASoC: stm32: sai: fix possible circular locking

Stephan Gerhold <stephan@gerhold.net>
    ASoC: msm8916-wcd-digital: Reset RX interpolation path after use

Angus Ainslie (Purism) <angus@akkea.ca>
    arm64: dts: imx8mq-librem5-devkit: use correct interrupt for the magnetometer

Kevin Hao <haokexin@gmail.com>
    Revert "gpio: thunderx: Switch to GPIOLIB_IRQCHIP"

Guenter Roeck <linux@roeck-us.net>
    clk: Don't try to enable critical clocks if prepare failed

Tony Lindgren <tony@atomide.com>
    bus: ti-sysc: Fix iterating over clocks

Adam Ford <aford173@gmail.com>
    arm64: dts: imx8mm: Change SDMA1 ahb clock for imx8mm

Yinbo Zhu <yinbo.zhu@nxp.com>
    arm64: dts: ls1028a: fix endian setting for dcfg

Alexandre Belloni <alexandre.belloni@bootlin.com>
    ARM: dts: imx6q-dhcom: fix rtc compatible

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    dt-bindings: reset: meson8b: fix duplicate reset IDs

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    soc: amlogic: meson-ee-pwrc: propagate errors from pm_genpd_init()

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    soc: amlogic: meson-ee-pwrc: propagate PD provider registration errors

Georgi Djakov <georgi.djakov@linaro.org>
    clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    ARM: dts: meson8: fix the size of the PMU registers


-------------

Diffstat:

 .../devicetree/bindings/net/snps,dwmac.yaml        |   1 +
 Makefile                                           |   4 +-
 arch/arm/boot/dts/am571x-idk.dts                   |   2 +-
 arch/arm/boot/dts/dra7-l4.dtsi                     |   2 +-
 arch/arm/boot/dts/imx6dl-icore-mipi.dts            |   2 +-
 arch/arm/boot/dts/imx6q-dhcom-pdk2.dts             |   2 +-
 arch/arm/boot/dts/imx6q-dhcom-som.dtsi             |   2 +-
 arch/arm/boot/dts/imx6qdl-sabresd.dtsi             |   4 -
 arch/arm/boot/dts/imx6sl-evk.dts                   |   4 -
 arch/arm/boot/dts/imx6sll-evk.dts                  |   4 -
 arch/arm/boot/dts/imx6sx-sdb-reva.dts              |   4 -
 arch/arm/boot/dts/imx6sx-sdb.dts                   |   4 -
 arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts       |   4 -
 arch/arm/boot/dts/imx7s-colibri.dtsi               |   4 +
 arch/arm/boot/dts/imx7ulp.dtsi                     |   4 +-
 arch/arm/boot/dts/meson8.dtsi                      |   2 +-
 arch/arm/boot/dts/omap4.dtsi                       |   4 +-
 arch/arm/mach-davinci/Kconfig                      |   1 +
 arch/arm/mach-omap2/pdata-quirks.c                 |   6 +-
 .../dts/allwinner/sun50i-a64-olinuxino-emmc.dts    |   2 +-
 .../boot/dts/allwinner/sun50i-a64-olinuxino.dts    |   2 +-
 arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi      |   9 +
 arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi  |   8 +-
 arch/arm64/boot/dts/amlogic/meson-axg.dtsi         |  12 +-
 arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi  |  12 +-
 .../dts/amlogic/meson-gxl-s905x-khadas-vim.dts     |   4 +-
 arch/arm64/boot/dts/arm/juno-base.dtsi             |   1 -
 arch/arm64/boot/dts/arm/juno-clocks.dtsi           |   4 +-
 arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi     |   2 +-
 arch/arm64/boot/dts/freescale/imx8mm-evk.dts       |   2 +
 arch/arm64/boot/dts/freescale/imx8mm.dtsi          |  10 +-
 .../boot/dts/freescale/imx8mq-librem5-devkit.dts   |   2 +-
 arch/arm64/boot/dts/intel/socfpga_agilex.dtsi      |   8 +-
 arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi |   2 +
 arch/arm64/boot/dts/marvell/armada-cp110.dtsi      |   8 +-
 arch/arm64/boot/dts/qcom/msm8998-mtp.dtsi          |  68 +++++++
 arch/arm64/boot/dts/qcom/msm8998.dtsi              |  51 +++--
 arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi         |   2 +
 arch/arm64/boot/dts/qcom/sdm845.dtsi               |   2 +-
 arch/arm64/boot/dts/renesas/hihope-common.dtsi     |  20 +-
 arch/arm64/boot/dts/renesas/r8a774a1.dtsi          |  11 --
 arch/arm64/boot/dts/renesas/r8a77970.dtsi          |   2 +-
 arch/s390/kernel/setup.c                           |   2 +-
 arch/um/drivers/Kconfig                            |   2 +-
 arch/um/drivers/virtio_uml.c                       |   4 +-
 arch/um/os-Linux/main.c                            |   2 +-
 arch/x86/boot/compressed/head_64.S                 |   5 +
 arch/x86/events/intel/uncore_snbep.c               |   1 +
 arch/x86/kernel/cpu/amd.c                          |   4 +-
 arch/x86/kernel/cpu/resctrl/core.c                 |   2 +-
 arch/x86/kernel/cpu/resctrl/rdtgroup.c             |   6 +-
 block/blk-settings.c                               |   2 +-
 block/bsg-lib.c                                    |   2 +-
 drivers/base/firmware_loader/builtin/Makefile      |   2 +-
 drivers/block/xen-blkfront.c                       |   4 +-
 drivers/bus/ti-sysc.c                              |  10 +-
 drivers/clk/clk.c                                  |  10 +-
 drivers/clk/imx/clk-imx7ulp.c                      |   6 +-
 drivers/clk/qcom/gcc-sdm845.c                      |   7 +
 drivers/clk/samsung/clk-exynos5420.c               |   8 +
 drivers/clk/sprd/common.c                          |   2 +-
 drivers/clk/sunxi-ng/ccu-sun8i-r40.c               |   6 +-
 drivers/cpuidle/governors/teo.c                    |   2 +-
 drivers/firmware/efi/earlycon.c                    |  16 +-
 drivers/gpio/Kconfig                               |   1 -
 drivers/gpio/gpio-thunderx.c                       | 163 ++++++++++------
 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c              |   4 +-
 drivers/gpu/drm/amd/display/dc/core/dc_link.c      |   2 +-
 drivers/gpu/drm/i915/selftests/i915_random.h       |   1 +
 drivers/hwmon/pmbus/ibm-cffps.c                    |  37 ++--
 drivers/i2c/busses/i2c-iop3xx.c                    |  12 +-
 drivers/i2c/busses/i2c-tegra.c                     |  38 +++-
 drivers/iio/adc/ad7124.c                           |  12 +-
 drivers/iio/chemical/Kconfig                       |   1 +
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c       |   3 +-
 drivers/iio/industrialio-buffer.c                  |   6 +-
 drivers/iio/light/vcnl4000.c                       |   3 +-
 drivers/irqchip/Kconfig                            |   4 +-
 drivers/md/dm-snap-persistent.c                    |   2 +-
 drivers/md/raid0.c                                 |   2 +-
 drivers/message/fusion/mptctl.c                    | 213 +++++----------------
 drivers/mtd/chips/cfi_cmdset_0002.c                |  60 +++---
 drivers/mtd/devices/mchp23k256.c                   |  20 +-
 drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c         |  11 +-
 drivers/mtd/spi-nor/spi-nor.c                      |   4 +-
 drivers/net/dsa/bcm_sf2.c                          |   2 +-
 drivers/net/dsa/sja1105/sja1105_main.c             |   2 +-
 drivers/net/ethernet/broadcom/bcmsysport.c         |   7 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |  29 ++-
 drivers/net/ethernet/broadcom/bnxt/bnxt.h          |   4 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c      |   3 +
 drivers/net/ethernet/hisilicon/hns/hns_enet.c      |   4 +-
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c    |   6 +
 drivers/net/ethernet/intel/i40e/i40e_main.c        |   1 +
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c     |  31 +--
 .../net/ethernet/mellanox/mlxsw/spectrum_qdisc.c   |  30 ++-
 drivers/net/ethernet/renesas/sh_eth.c              |  38 ++--
 drivers/net/ethernet/socionext/sni_ave.c           |  20 +-
 drivers/net/ethernet/stmicro/stmmac/common.h       |   5 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |   4 +-
 .../net/ethernet/stmicro/stmmac/stmmac_selftests.c |  46 +++--
 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c    |   4 +
 drivers/net/hyperv/rndis_filter.c                  |   2 -
 drivers/net/macvlan.c                              |   5 +-
 drivers/net/phy/dp83867.c                          |   8 +-
 drivers/net/usb/lan78xx.c                          |   1 +
 drivers/net/usb/r8152.c                            |   3 +
 drivers/net/wan/fsl_ucc_hdlc.c                     |   2 +-
 drivers/net/wireless/realtek/rtw88/phy.c           |  17 +-
 drivers/net/wireless/realtek/rtw88/phy.h           |   9 +
 drivers/net/wireless/realtek/rtw88/rtw8822c.c      |   4 +-
 drivers/net/wireless/st/cw1200/fwio.c              |   6 +-
 drivers/nfc/pn533/usb.c                            |   2 +-
 drivers/ptp/ptp_clock.c                            |   4 +-
 drivers/reset/core.c                               |   6 +-
 drivers/s390/crypto/zcrypt_ccamisc.c               |   4 +-
 drivers/scsi/bnx2i/bnx2i_iscsi.c                   |   2 +-
 drivers/scsi/esas2r/esas2r_flash.c                 |   1 +
 drivers/scsi/fnic/vnic_dev.c                       |  20 +-
 drivers/scsi/hisi_sas/hisi_sas_main.c              |   3 -
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c             |  11 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   2 +-
 drivers/scsi/lpfc/lpfc_sli.c                       |  56 +++---
 drivers/scsi/qla2xxx/qla_init.c                    |   6 +-
 drivers/scsi/qla2xxx/qla_isr.c                     |   6 +-
 drivers/scsi/qla4xxx/ql4_mbx.c                     |   3 -
 drivers/scsi/scsi_trace.c                          | 113 ++++-------
 drivers/scsi/scsi_transport_sas.c                  |   9 +-
 drivers/scsi/storvsc_drv.c                         |   4 +-
 drivers/soc/amlogic/meson-ee-pwrc.c                |  24 ++-
 drivers/staging/comedi/drivers/ni_routes.c         |  12 +-
 drivers/target/target_core_fabric_lib.c            |   2 +-
 drivers/usb/core/hub.c                             |   1 +
 drivers/usb/serial/ch341.c                         |   6 +-
 drivers/usb/serial/io_edgeport.c                   |  16 +-
 drivers/usb/serial/keyspan.c                       |   4 +
 drivers/usb/serial/opticon.c                       |   2 +-
 drivers/usb/serial/option.c                        |   6 +
 drivers/usb/serial/quatech2.c                      |   6 +
 drivers/usb/serial/usb-serial-simple.c             |   2 +
 drivers/usb/serial/usb-serial.c                    |   3 +
 fs/btrfs/inode.c                                   |  73 +++----
 fs/btrfs/ioctl.c                                   |  14 +-
 fs/btrfs/qgroup.c                                  |   6 +-
 fs/btrfs/relocation.c                              |  51 ++++-
 fs/btrfs/root-tree.c                               |  10 +-
 fs/btrfs/volumes.c                                 |   6 +-
 fs/fuse/file.c                                     |   4 +-
 fs/io_uring.c                                      |   6 +
 fs/reiserfs/xattr.c                                |   8 +-
 include/dt-bindings/reset/amlogic,meson8b-reset.h  |   6 +-
 include/linux/blkdev.h                             |   8 +-
 include/linux/mm.h                                 |  18 +-
 include/linux/mmzone.h                             |   5 +-
 include/linux/netdevice.h                          |   2 +-
 include/linux/regulator/ab8500.h                   |   2 -
 include/linux/skmsg.h                              |  13 +-
 include/linux/tnum.h                               |   2 +-
 include/net/tcp.h                                  |   6 +-
 include/trace/events/huge_memory.h                 |   3 +-
 init/main.c                                        |   1 +
 kernel/bpf/tnum.c                                  |   9 +-
 kernel/bpf/verifier.c                              |  13 +-
 kernel/cpu.c                                       | 143 +++++++-------
 kernel/events/core.c                               |   4 +-
 kernel/locking/lockdep.c                           |   7 +-
 kernel/locking/rwsem.c                             |   4 +-
 kernel/ptrace.c                                    |  15 +-
 kernel/time/tick-sched.c                           |  14 +-
 mm/huge_memory.c                                   |  38 ++--
 mm/memcontrol.c                                    |  37 +---
 mm/page-writeback.c                                |   4 +-
 mm/page_alloc.c                                    |  37 ++--
 mm/shmem.c                                         |   7 +-
 mm/slab.c                                          |   4 +-
 mm/slab_common.c                                   |   3 +-
 mm/slub.c                                          |   2 +-
 mm/sparse.c                                        |   9 +-
 mm/vmalloc.c                                       |   4 +-
 net/batman-adv/distributed-arp-table.c             |   4 +-
 net/core/dev.c                                     |  12 --
 net/core/devlink.c                                 |   2 +-
 net/core/filter.c                                  |  20 +-
 net/core/skmsg.c                                   |   2 +
 net/core/sock_map.c                                |   7 +-
 net/dsa/tag_gswip.c                                |   2 +-
 net/dsa/tag_qca.c                                  |   3 -
 net/ipv4/netfilter/arp_tables.c                    |  19 +-
 net/ipv4/tcp.c                                     |   6 +-
 net/ipv4/tcp_bpf.c                                 |  17 +-
 net/ipv4/tcp_input.c                               |   7 +-
 net/ipv4/tcp_ulp.c                                 |   6 +-
 net/netfilter/ipset/ip_set_bitmap_gen.h            |   2 +-
 net/netfilter/nf_nat_proto.c                       |  13 ++
 net/netfilter/nf_tables_api.c                      |  38 ++--
 net/netfilter/nft_tunnel.c                         |   5 +-
 net/sched/act_ctinfo.c                             |  11 ++
 net/sched/act_ife.c                                |   7 +-
 net/tipc/bcast.c                                   |  24 ++-
 net/tipc/socket.c                                  |  32 ++--
 net/tls/tls_main.c                                 |  10 +-
 net/tls/tls_sw.c                                   |  31 ++-
 net/wireless/nl80211.c                             |   3 +
 net/wireless/rdev-ops.h                            |   4 +
 net/wireless/sme.c                                 |   6 +-
 net/wireless/util.c                                |   2 +-
 sound/core/seq/seq_timer.c                         |  14 +-
 sound/firewire/dice/dice-extension.c               |   5 +-
 sound/firewire/tascam/amdtp-tascam.c               |   5 +-
 sound/soc/codecs/msm8916-wcd-analog.c              |  20 +-
 sound/soc/codecs/msm8916-wcd-digital.c             |   6 +
 sound/soc/intel/boards/bytcht_es8316.c             |   3 +-
 sound/soc/stm/stm32_adfsdm.c                       |  12 +-
 sound/soc/stm/stm32_sai_sub.c                      | 194 +++++++++++++------
 sound/usb/pcm.c                                    |   2 +-
 tools/bpf/bpftool/btf_dumper.c                     |   2 +-
 tools/perf/builtin-report.c                        |   5 +-
 tools/perf/builtin-script.c                        |   5 -
 tools/perf/util/hist.h                             |   4 +-
 tools/perf/util/probe-finder.c                     |  32 +---
 .../selftests/drivers/net/mlxsw/qos_mc_aware.sh    |   8 +-
 221 files changed, 1656 insertions(+), 1191 deletions(-)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 001/222] ARM: dts: meson8: fix the size of the PMU registers
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 002/222] clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Kevin Hilman

From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

commit 46c9585ed4af688ff1be6d4e76d7ed2f04de4fba upstream.

The PMU registers are at least 0x18 bytes wide. Meson8b already uses a
size of 0x18. The structure of the PMU registers on Meson8 and Meson8b
is similar but not identical.

Meson8 and Meson8b have the following registers in common (starting at
AOBUS + 0xe0):
  #define AO_RTI_PWR_A9_CNTL0 0xe0 (0x38 << 2)
  #define AO_RTI_PWR_A9_CNTL1 0xe4 (0x39 << 2)
  #define AO_RTI_GEN_PWR_SLEEP0 0xe8 (0x3a << 2)
  #define AO_RTI_GEN_PWR_ISO0 0x4c (0x3b << 2)

Meson8b additionally has these three registers:
  #define AO_RTI_GEN_PWR_ACK0 0xf0 (0x3c << 2)
  #define AO_RTI_PWR_A9_MEM_PD0 0xf4 (0x3d << 2)
  #define AO_RTI_PWR_A9_MEM_PD1 0xf8 (0x3e << 2)

Thus we can assume that the register size of the PMU IP blocks is
identical on both SoCs (and Meson8 just contains some reserved registers
in that area) because the CEC registers start right after the PMU
(AO_RTI_*) registers at AOBUS + 0x100 (0x40 << 2).

The upcoming power domain driver will need to read and write the
AO_RTI_GEN_PWR_SLEEP0 and AO_RTI_GEN_PWR_ISO0 registers, so the updated
size is needed for that driver to work.

Fixes: 4a5a27116b447d ("ARM: dts: meson8: add support for booting the secondary CPU cores")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/meson8.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/meson8.dtsi
+++ b/arch/arm/boot/dts/meson8.dtsi
@@ -253,7 +253,7 @@
 &aobus {
 	pmu: pmu@e0 {
 		compatible = "amlogic,meson8-pmu", "syscon";
-		reg = <0xe0 0x8>;
+		reg = <0xe0 0x18>;
 	};
 
 	pinctrl_aobus: pinctrl@84 {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 002/222] clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 001/222] ARM: dts: meson8: fix the size of the PMU registers Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 003/222] soc: amlogic: meson-ee-pwrc: propagate PD provider registration errors Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Clark, Georgi Djakov, Stephen Boyd

From: Georgi Djakov <georgi.djakov@linaro.org>

commit 5e82548e26ef62e257dc2ff37c11acb5eb72728e upstream.

On sdm845 devices, during boot we see the following warnings (unless we
have added 'pd_ignore_unused' to the kernel command line):
	hlos1_vote_mmnoc_mmu_tbu_sf_gdsc status stuck at 'on'
	hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc status stuck at 'on'
	hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc status stuck at 'on'
	hlos1_vote_aggre_noc_mmu_tbu2_gdsc status stuck at 'on'
	hlos1_vote_aggre_noc_mmu_tbu1_gdsc status stuck at 'on'
	hlos1_vote_aggre_noc_mmu_pcie_tbu_gdsc status stuck at 'on'
	hlos1_vote_aggre_noc_mmu_audio_tbu_gdsc status stuck at 'on'

As the name of these GDSCs suggests, they are "votable" and in downstream
DT, they all have the property "qcom,no-status-check-on-disable", which
means that we should not poll the status bit when we disable them.

Luckily the VOTABLE flag already exists and it does exactly what we need,
so let's make use of it to make the warnings disappear.

Fixes: 06391eddb60a ("clk: qcom: Add Global Clock controller (GCC) driver for SDM845")
Reported-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Georgi Djakov <georgi.djakov@linaro.org>
Link: https://lkml.kernel.org/r/20191126153437.11808-1-georgi.djakov@linaro.org
Tested-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/qcom/gcc-sdm845.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/clk/qcom/gcc-sdm845.c
+++ b/drivers/clk/qcom/gcc-sdm845.c
@@ -3255,6 +3255,7 @@ static struct gdsc hlos1_vote_aggre_noc_
 		.name = "hlos1_vote_aggre_noc_mmu_audio_tbu_gdsc",
 	},
 	.pwrsts = PWRSTS_OFF_ON,
+	.flags = VOTABLE,
 };
 
 static struct gdsc hlos1_vote_aggre_noc_mmu_pcie_tbu_gdsc = {
@@ -3263,6 +3264,7 @@ static struct gdsc hlos1_vote_aggre_noc_
 		.name = "hlos1_vote_aggre_noc_mmu_pcie_tbu_gdsc",
 	},
 	.pwrsts = PWRSTS_OFF_ON,
+	.flags = VOTABLE,
 };
 
 static struct gdsc hlos1_vote_aggre_noc_mmu_tbu1_gdsc = {
@@ -3271,6 +3273,7 @@ static struct gdsc hlos1_vote_aggre_noc_
 		.name = "hlos1_vote_aggre_noc_mmu_tbu1_gdsc",
 	},
 	.pwrsts = PWRSTS_OFF_ON,
+	.flags = VOTABLE,
 };
 
 static struct gdsc hlos1_vote_aggre_noc_mmu_tbu2_gdsc = {
@@ -3279,6 +3282,7 @@ static struct gdsc hlos1_vote_aggre_noc_
 		.name = "hlos1_vote_aggre_noc_mmu_tbu2_gdsc",
 	},
 	.pwrsts = PWRSTS_OFF_ON,
+	.flags = VOTABLE,
 };
 
 static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc = {
@@ -3287,6 +3291,7 @@ static struct gdsc hlos1_vote_mmnoc_mmu_
 		.name = "hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc",
 	},
 	.pwrsts = PWRSTS_OFF_ON,
+	.flags = VOTABLE,
 };
 
 static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc = {
@@ -3295,6 +3300,7 @@ static struct gdsc hlos1_vote_mmnoc_mmu_
 		.name = "hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc",
 	},
 	.pwrsts = PWRSTS_OFF_ON,
+	.flags = VOTABLE,
 };
 
 static struct gdsc hlos1_vote_mmnoc_mmu_tbu_sf_gdsc = {
@@ -3303,6 +3309,7 @@ static struct gdsc hlos1_vote_mmnoc_mmu_
 		.name = "hlos1_vote_mmnoc_mmu_tbu_sf_gdsc",
 	},
 	.pwrsts = PWRSTS_OFF_ON,
+	.flags = VOTABLE,
 };
 
 static struct clk_regmap *gcc_sdm845_clocks[] = {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 003/222] soc: amlogic: meson-ee-pwrc: propagate PD provider registration errors
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 001/222] ARM: dts: meson8: fix the size of the PMU registers Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 002/222] clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 004/222] soc: amlogic: meson-ee-pwrc: propagate errors from pm_genpd_init() Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Kevin Hilman

From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

commit 0766d65e6afaea8b80205a468207de9f18cd7ec8 upstream.

of_genpd_add_provider_onecell() can return an error. Propagate the error
so the driver registration fails when of_genpd_add_provider_onecell()
did not work.

Fixes: eef3c2ba0a42a6 ("soc: amlogic: Add support for Everything-Else power domains controller")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/soc/amlogic/meson-ee-pwrc.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/soc/amlogic/meson-ee-pwrc.c
+++ b/drivers/soc/amlogic/meson-ee-pwrc.c
@@ -441,9 +441,7 @@ static int meson_ee_pwrc_probe(struct pl
 		pwrc->xlate.domains[i] = &dom->base;
 	}
 
-	of_genpd_add_provider_onecell(pdev->dev.of_node, &pwrc->xlate);
-
-	return 0;
+	return of_genpd_add_provider_onecell(pdev->dev.of_node, &pwrc->xlate);
 }
 
 static void meson_ee_pwrc_shutdown(struct platform_device *pdev)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 004/222] soc: amlogic: meson-ee-pwrc: propagate errors from pm_genpd_init()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 003/222] soc: amlogic: meson-ee-pwrc: propagate PD provider registration errors Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 005/222] dt-bindings: reset: meson8b: fix duplicate reset IDs Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Kevin Hilman

From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

commit c67aafd60d7e323fe74bf45fab60148f84cf9b95 upstream.

pm_genpd_init() can return an error. Propagate the error code to prevent
the driver from indicating that it successfully probed while there were
errors during pm_genpd_init().

Fixes: eef3c2ba0a42a6 ("soc: amlogic: Add support for Everything-Else power domains controller")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/soc/amlogic/meson-ee-pwrc.c |   20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/drivers/soc/amlogic/meson-ee-pwrc.c
+++ b/drivers/soc/amlogic/meson-ee-pwrc.c
@@ -323,6 +323,8 @@ static int meson_ee_pwrc_init_domain(str
 				     struct meson_ee_pwrc *pwrc,
 				     struct meson_ee_pwrc_domain *dom)
 {
+	int ret;
+
 	dom->pwrc = pwrc;
 	dom->num_rstc = dom->desc.reset_names_count;
 	dom->num_clks = dom->desc.clk_names_count;
@@ -368,15 +370,21 @@ static int meson_ee_pwrc_init_domain(str
          * prepare/enable counters won't be in sync.
          */
 	if (dom->num_clks && dom->desc.get_power && !dom->desc.get_power(dom)) {
-		int ret = clk_bulk_prepare_enable(dom->num_clks, dom->clks);
+		ret = clk_bulk_prepare_enable(dom->num_clks, dom->clks);
 		if (ret)
 			return ret;
 
-		pm_genpd_init(&dom->base, &pm_domain_always_on_gov, false);
-	} else
-		pm_genpd_init(&dom->base, NULL,
-			      (dom->desc.get_power ?
-			       dom->desc.get_power(dom) : true));
+		ret = pm_genpd_init(&dom->base, &pm_domain_always_on_gov,
+				    false);
+		if (ret)
+			return ret;
+	} else {
+		ret = pm_genpd_init(&dom->base, NULL,
+				    (dom->desc.get_power ?
+				     dom->desc.get_power(dom) : true));
+		if (ret)
+			return ret;
+	}
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 005/222] dt-bindings: reset: meson8b: fix duplicate reset IDs
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 004/222] soc: amlogic: meson-ee-pwrc: propagate errors from pm_genpd_init() Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 006/222] ARM: dts: imx6q-dhcom: fix rtc compatible Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Kevin Hilman

From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

commit 4881873f4cc1460f63d85fa81363d56be328ccdc upstream.

According to the public S805 datasheet the RESET2 register uses the
following bits for the PIC_DC, PSC and NAND reset lines:
- PIC_DC is at bit 3 (meaning: RESET_VD_RMEM + 3)
- PSC is at bit 4 (meaning: RESET_VD_RMEM + 4)
- NAND is at bit 5 (meaning: RESET_VD_RMEM + 4)

Update the reset IDs of these three reset lines so they don't conflict
with PIC_DC and map to the actual hardware reset lines.

Fixes: 79795e20a184eb ("dt-bindings: reset: Add bindings for the Meson SoC Reset Controller")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/dt-bindings/reset/amlogic,meson8b-reset.h |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/include/dt-bindings/reset/amlogic,meson8b-reset.h
+++ b/include/dt-bindings/reset/amlogic,meson8b-reset.h
@@ -46,9 +46,9 @@
 #define RESET_VD_RMEM			64
 #define RESET_AUDIN			65
 #define RESET_DBLK			66
-#define RESET_PIC_DC			66
-#define RESET_PSC			66
-#define RESET_NAND			66
+#define RESET_PIC_DC			67
+#define RESET_PSC			68
+#define RESET_NAND			69
 #define RESET_GE2D			70
 #define RESET_PARSER_REG		71
 #define RESET_PARSER_FETCH		72



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 006/222] ARM: dts: imx6q-dhcom: fix rtc compatible
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 005/222] dt-bindings: reset: meson8b: fix duplicate reset IDs Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 007/222] arm64: dts: ls1028a: fix endian setting for dcfg Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Shawn Guo

From: Alexandre Belloni <alexandre.belloni@bootlin.com>

commit 7d7778b1396bc9e2a3875009af522beb4ea9355a upstream.

The only correct and documented compatible string for the rv3029 is
microcrystal,rv3029. Fix it up.

Fixes: 52c7a088badd ("ARM: dts: imx6q: Add support for the DHCOM iMX6 SoM and PDK2")
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6q-dhcom-som.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/imx6q-dhcom-som.dtsi
+++ b/arch/arm/boot/dts/imx6q-dhcom-som.dtsi
@@ -206,7 +206,7 @@
 	};
 
 	rtc@56 {
-		compatible = "rv3029c2";
+		compatible = "microcrystal,rv3029";
 		pinctrl-names = "default";
 		pinctrl-0 = <&pinctrl_rtc_hw300>;
 		reg = <0x56>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 007/222] arm64: dts: ls1028a: fix endian setting for dcfg
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 006/222] ARM: dts: imx6q-dhcom: fix rtc compatible Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 008/222] arm64: dts: imx8mm: Change SDMA1 ahb clock for imx8mm Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yinbo Zhu, Yangbo Lu, Shawn Guo

From: Yinbo Zhu <yinbo.zhu@nxp.com>

commit 33eae7fb2e593fdbaac15d843e2558379c6d1149 upstream.

DCFG block uses little endian.  Fix it so that register access becomes
correct.

Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
Acked-by: Yangbo Lu <yangbo.lu@nxp.com>
Fixes: 8897f3255c9c ("arm64: dts: Add support for NXP LS1028A SoC")
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
@@ -158,7 +158,7 @@
 		dcfg: syscon@1e00000 {
 			compatible = "fsl,ls1028a-dcfg", "syscon";
 			reg = <0x0 0x1e00000 0x0 0x10000>;
-			big-endian;
+			little-endian;
 		};
 
 		rst: syscon@1e60000 {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 008/222] arm64: dts: imx8mm: Change SDMA1 ahb clock for imx8mm
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 007/222] arm64: dts: ls1028a: fix endian setting for dcfg Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 009/222] bus: ti-sysc: Fix iterating over clocks Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Adam Ford, Shawn Guo

From: Adam Ford <aford173@gmail.com>

commit 24a572bf67994223e722cadfe663e15ba221882a upstream.

Using SDMA1 with UART1 is causing a "Timeout waiting for CH0" error.
This patch changes to ahb clock from SDMA1_ROOT to AHB which
fixes the timeout error.

Fixes:  a05ea40eb384 ("arm64: dts: imx: Add i.mx8mm dtsi support")
Signed-off-by: Adam Ford <aford173@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/freescale/imx8mm.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/freescale/imx8mm.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm.dtsi
@@ -741,7 +741,7 @@
 				reg = <0x30bd0000 0x10000>;
 				interrupts = <GIC_SPI 2 IRQ_TYPE_LEVEL_HIGH>;
 				clocks = <&clk IMX8MM_CLK_SDMA1_ROOT>,
-					 <&clk IMX8MM_CLK_SDMA1_ROOT>;
+					 <&clk IMX8MM_CLK_AHB>;
 				clock-names = "ipg", "ahb";
 				#dma-cells = <3>;
 				fsl,sdma-ram-script-name = "imx/sdma/sdma-imx7d.bin";



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 009/222] bus: ti-sysc: Fix iterating over clocks
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 008/222] arm64: dts: imx8mm: Change SDMA1 ahb clock for imx8mm Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 010/222] clk: Dont try to enable critical clocks if prepare failed Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tony Lindgren

From: Tony Lindgren <tony@atomide.com>

commit 2c81f0f6d3f52ac222a5dc07a6e5c06e1543e88b upstream.

Commit d878970f6ce1 ("bus: ti-sysc: Add separate functions for handling
clocks") separated handling of optional clocks from the main clocks, but
introduced an issue where we do not necessarily allocate a slot for both
fck and ick clocks, but still assume fixed slots for enumerating over the
clocks.

Let's fix the issue by ensuring we always have slots for both fck and ick
even if we don't use ick, and don't attempt to enumerate optional clocks
if not allocated.

In the long run we might want to simplify things a bit by only allocating
space only for the optional clocks as we have only few devices with
optional clocks.

Fixes: d878970f6ce1 ("bus: ti-sysc: Add separate functions for handling clocks")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/ti-sysc.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -343,6 +343,12 @@ static int sysc_get_clocks(struct sysc *
 		return -EINVAL;
 	}
 
+	/* Always add a slot for main clocks fck and ick even if unused */
+	if (!nr_fck)
+		ddata->nr_clocks++;
+	if (!nr_ick)
+		ddata->nr_clocks++;
+
 	ddata->clocks = devm_kcalloc(ddata->dev,
 				     ddata->nr_clocks, sizeof(*ddata->clocks),
 				     GFP_KERNEL);
@@ -421,7 +427,7 @@ static int sysc_enable_opt_clocks(struct
 	struct clk *clock;
 	int i, error;
 
-	if (!ddata->clocks)
+	if (!ddata->clocks || ddata->nr_clocks < SYSC_OPTFCK0 + 1)
 		return 0;
 
 	for (i = SYSC_OPTFCK0; i < SYSC_MAX_CLOCKS; i++) {
@@ -455,7 +461,7 @@ static void sysc_disable_opt_clocks(stru
 	struct clk *clock;
 	int i;
 
-	if (!ddata->clocks)
+	if (!ddata->clocks || ddata->nr_clocks < SYSC_OPTFCK0 + 1)
 		return;
 
 	for (i = SYSC_OPTFCK0; i < SYSC_MAX_CLOCKS; i++) {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 010/222] clk: Dont try to enable critical clocks if prepare failed
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 009/222] bus: ti-sysc: Fix iterating over clocks Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 011/222] Revert "gpio: thunderx: Switch to GPIOLIB_IRQCHIP" Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jerome Brunet, Guenter Roeck, Stephen Boyd

From: Guenter Roeck <linux@roeck-us.net>

commit 12ead77432f2ce32dea797742316d15c5800cb32 upstream.

The following traceback is seen if a critical clock fails to prepare.

bcm2835-clk 3f101000.cprman: plld: couldn't lock PLL
------------[ cut here ]------------
Enabling unprepared plld_per
WARNING: CPU: 1 PID: 1 at drivers/clk/clk.c:1014 clk_core_enable+0xcc/0x2c0
...
Call trace:
 clk_core_enable+0xcc/0x2c0
 __clk_register+0x5c4/0x788
 devm_clk_hw_register+0x4c/0xb0
 bcm2835_register_pll_divider+0xc0/0x150
 bcm2835_clk_probe+0x134/0x1e8
 platform_drv_probe+0x50/0xa0
 really_probe+0xd4/0x308
 driver_probe_device+0x54/0xe8
 device_driver_attach+0x6c/0x78
 __driver_attach+0x54/0xd8
...

Check return values from clk_core_prepare() and clk_core_enable() and
bail out if any of those functions returns an error.

Cc: Jerome Brunet <jbrunet@baylibre.com>
Fixes: 99652a469df1 ("clk: migrate the count of orphaned clocks at init")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lkml.kernel.org/r/20191225163429.29694-1-linux@roeck-us.net
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/clk.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -3408,11 +3408,17 @@ static int __clk_core_init(struct clk_co
 	if (core->flags & CLK_IS_CRITICAL) {
 		unsigned long flags;
 
-		clk_core_prepare(core);
+		ret = clk_core_prepare(core);
+		if (ret)
+			goto out;
 
 		flags = clk_enable_lock();
-		clk_core_enable(core);
+		ret = clk_core_enable(core);
 		clk_enable_unlock(flags);
+		if (ret) {
+			clk_core_unprepare(core);
+			goto out;
+		}
 	}
 
 	clk_core_reparent_orphans_nolock();



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 011/222] Revert "gpio: thunderx: Switch to GPIOLIB_IRQCHIP"
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 010/222] clk: Dont try to enable critical clocks if prepare failed Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 012/222] arm64: dts: imx8mq-librem5-devkit: use correct interrupt for the magnetometer Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kevin Hao, Linus Walleij

From: Kevin Hao <haokexin@gmail.com>

commit a564ac35d60564dd5b509e32afdc04e7aafee40e upstream.

This reverts commit a7fc89f9d5fcc10a5474cfe555f5a9e5df8b0f1f because
there are some bugs in this commit, and we don't have a simple way to
fix these bugs. So revert this commit to make the thunderx gpio work
on the stable kernel at least. We will switch to GPIOLIB_IRQCHIP
for thunderx gpio by following patches.

Fixes: a7fc89f9d5fc ("gpio: thunderx: Switch to GPIOLIB_IRQCHIP")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Link: https://lore.kernel.org/r/20200114082821.14015-2-haokexin@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/Kconfig         |    1 
 drivers/gpio/gpio-thunderx.c |  163 ++++++++++++++++++++++++++++---------------
 2 files changed, 107 insertions(+), 57 deletions(-)

--- a/drivers/gpio/Kconfig
+++ b/drivers/gpio/Kconfig
@@ -546,7 +546,6 @@ config GPIO_THUNDERX
 	tristate "Cavium ThunderX/OCTEON-TX GPIO"
 	depends on ARCH_THUNDER || (64BIT && COMPILE_TEST)
 	depends on PCI_MSI
-	select GPIOLIB_IRQCHIP
 	select IRQ_DOMAIN_HIERARCHY
 	select IRQ_FASTEOI_HIERARCHY_HANDLERS
 	help
--- a/drivers/gpio/gpio-thunderx.c
+++ b/drivers/gpio/gpio-thunderx.c
@@ -53,6 +53,7 @@ struct thunderx_line {
 struct thunderx_gpio {
 	struct gpio_chip	chip;
 	u8 __iomem		*register_base;
+	struct irq_domain	*irqd;
 	struct msix_entry	*msix_entries;	/* per line MSI-X */
 	struct thunderx_line	*line_entries;	/* per line irq info */
 	raw_spinlock_t		lock;
@@ -282,60 +283,54 @@ static void thunderx_gpio_set_multiple(s
 	}
 }
 
-static void thunderx_gpio_irq_ack(struct irq_data *d)
+static void thunderx_gpio_irq_ack(struct irq_data *data)
 {
-	struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
-	struct thunderx_gpio *txgpio = gpiochip_get_data(gc);
+	struct thunderx_line *txline = irq_data_get_irq_chip_data(data);
 
 	writeq(GPIO_INTR_INTR,
-	       txgpio->register_base + intr_reg(irqd_to_hwirq(d)));
+	       txline->txgpio->register_base + intr_reg(txline->line));
 }
 
-static void thunderx_gpio_irq_mask(struct irq_data *d)
+static void thunderx_gpio_irq_mask(struct irq_data *data)
 {
-	struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
-	struct thunderx_gpio *txgpio = gpiochip_get_data(gc);
+	struct thunderx_line *txline = irq_data_get_irq_chip_data(data);
 
 	writeq(GPIO_INTR_ENA_W1C,
-	       txgpio->register_base + intr_reg(irqd_to_hwirq(d)));
+	       txline->txgpio->register_base + intr_reg(txline->line));
 }
 
-static void thunderx_gpio_irq_mask_ack(struct irq_data *d)
+static void thunderx_gpio_irq_mask_ack(struct irq_data *data)
 {
-	struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
-	struct thunderx_gpio *txgpio = gpiochip_get_data(gc);
+	struct thunderx_line *txline = irq_data_get_irq_chip_data(data);
 
 	writeq(GPIO_INTR_ENA_W1C | GPIO_INTR_INTR,
-	       txgpio->register_base + intr_reg(irqd_to_hwirq(d)));
+	       txline->txgpio->register_base + intr_reg(txline->line));
 }
 
-static void thunderx_gpio_irq_unmask(struct irq_data *d)
+static void thunderx_gpio_irq_unmask(struct irq_data *data)
 {
-	struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
-	struct thunderx_gpio *txgpio = gpiochip_get_data(gc);
+	struct thunderx_line *txline = irq_data_get_irq_chip_data(data);
 
 	writeq(GPIO_INTR_ENA_W1S,
-	       txgpio->register_base + intr_reg(irqd_to_hwirq(d)));
+	       txline->txgpio->register_base + intr_reg(txline->line));
 }
 
-static int thunderx_gpio_irq_set_type(struct irq_data *d,
+static int thunderx_gpio_irq_set_type(struct irq_data *data,
 				      unsigned int flow_type)
 {
-	struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
-	struct thunderx_gpio *txgpio = gpiochip_get_data(gc);
-	struct thunderx_line *txline =
-		&txgpio->line_entries[irqd_to_hwirq(d)];
+	struct thunderx_line *txline = irq_data_get_irq_chip_data(data);
+	struct thunderx_gpio *txgpio = txline->txgpio;
 	u64 bit_cfg;
 
-	irqd_set_trigger_type(d, flow_type);
+	irqd_set_trigger_type(data, flow_type);
 
 	bit_cfg = txline->fil_bits | GPIO_BIT_CFG_INT_EN;
 
 	if (flow_type & IRQ_TYPE_EDGE_BOTH) {
-		irq_set_handler_locked(d, handle_fasteoi_ack_irq);
+		irq_set_handler_locked(data, handle_fasteoi_ack_irq);
 		bit_cfg |= GPIO_BIT_CFG_INT_TYPE;
 	} else {
-		irq_set_handler_locked(d, handle_fasteoi_mask_irq);
+		irq_set_handler_locked(data, handle_fasteoi_mask_irq);
 	}
 
 	raw_spin_lock(&txgpio->lock);
@@ -364,6 +359,33 @@ static void thunderx_gpio_irq_disable(st
 	irq_chip_disable_parent(data);
 }
 
+static int thunderx_gpio_irq_request_resources(struct irq_data *data)
+{
+	struct thunderx_line *txline = irq_data_get_irq_chip_data(data);
+	struct thunderx_gpio *txgpio = txline->txgpio;
+	int r;
+
+	r = gpiochip_lock_as_irq(&txgpio->chip, txline->line);
+	if (r)
+		return r;
+
+	r = irq_chip_request_resources_parent(data);
+	if (r)
+		gpiochip_unlock_as_irq(&txgpio->chip, txline->line);
+
+	return r;
+}
+
+static void thunderx_gpio_irq_release_resources(struct irq_data *data)
+{
+	struct thunderx_line *txline = irq_data_get_irq_chip_data(data);
+	struct thunderx_gpio *txgpio = txline->txgpio;
+
+	irq_chip_release_resources_parent(data);
+
+	gpiochip_unlock_as_irq(&txgpio->chip, txline->line);
+}
+
 /*
  * Interrupts are chained from underlying MSI-X vectors.  We have
  * these irq_chip functions to be able to handle level triggering
@@ -380,22 +402,48 @@ static struct irq_chip thunderx_gpio_irq
 	.irq_unmask		= thunderx_gpio_irq_unmask,
 	.irq_eoi		= irq_chip_eoi_parent,
 	.irq_set_affinity	= irq_chip_set_affinity_parent,
+	.irq_request_resources	= thunderx_gpio_irq_request_resources,
+	.irq_release_resources	= thunderx_gpio_irq_release_resources,
 	.irq_set_type		= thunderx_gpio_irq_set_type,
 
 	.flags			= IRQCHIP_SET_TYPE_MASKED
 };
 
-static int thunderx_gpio_child_to_parent_hwirq(struct gpio_chip *gc,
-					       unsigned int child,
-					       unsigned int child_type,
-					       unsigned int *parent,
-					       unsigned int *parent_type)
+static int thunderx_gpio_irq_translate(struct irq_domain *d,
+				       struct irq_fwspec *fwspec,
+				       irq_hw_number_t *hwirq,
+				       unsigned int *type)
+{
+	struct thunderx_gpio *txgpio = d->host_data;
+
+	if (WARN_ON(fwspec->param_count < 2))
+		return -EINVAL;
+	if (fwspec->param[0] >= txgpio->chip.ngpio)
+		return -EINVAL;
+	*hwirq = fwspec->param[0];
+	*type = fwspec->param[1] & IRQ_TYPE_SENSE_MASK;
+	return 0;
+}
+
+static int thunderx_gpio_irq_alloc(struct irq_domain *d, unsigned int virq,
+				   unsigned int nr_irqs, void *arg)
 {
-	struct thunderx_gpio *txgpio = gpiochip_get_data(gc);
+	struct thunderx_line *txline = arg;
 
-	*parent = txgpio->base_msi + (2 * child);
-	*parent_type = IRQ_TYPE_LEVEL_HIGH;
-	return 0;
+	return irq_domain_set_hwirq_and_chip(d, virq, txline->line,
+					     &thunderx_gpio_irq_chip, txline);
+}
+
+static const struct irq_domain_ops thunderx_gpio_irqd_ops = {
+	.alloc		= thunderx_gpio_irq_alloc,
+	.translate	= thunderx_gpio_irq_translate
+};
+
+static int thunderx_gpio_to_irq(struct gpio_chip *chip, unsigned int offset)
+{
+	struct thunderx_gpio *txgpio = gpiochip_get_data(chip);
+
+	return irq_find_mapping(txgpio->irqd, offset);
 }
 
 static int thunderx_gpio_probe(struct pci_dev *pdev,
@@ -405,7 +453,6 @@ static int thunderx_gpio_probe(struct pc
 	struct device *dev = &pdev->dev;
 	struct thunderx_gpio *txgpio;
 	struct gpio_chip *chip;
-	struct gpio_irq_chip *girq;
 	int ngpio, i;
 	int err = 0;
 
@@ -450,8 +497,8 @@ static int thunderx_gpio_probe(struct pc
 	}
 
 	txgpio->msix_entries = devm_kcalloc(dev,
-					    ngpio, sizeof(struct msix_entry),
-					    GFP_KERNEL);
+					  ngpio, sizeof(struct msix_entry),
+					  GFP_KERNEL);
 	if (!txgpio->msix_entries) {
 		err = -ENOMEM;
 		goto out;
@@ -492,6 +539,27 @@ static int thunderx_gpio_probe(struct pc
 	if (err < 0)
 		goto out;
 
+	/*
+	 * Push GPIO specific irqdomain on hierarchy created as a side
+	 * effect of the pci_enable_msix()
+	 */
+	txgpio->irqd = irq_domain_create_hierarchy(irq_get_irq_data(txgpio->msix_entries[0].vector)->domain,
+						   0, 0, of_node_to_fwnode(dev->of_node),
+						   &thunderx_gpio_irqd_ops, txgpio);
+	if (!txgpio->irqd) {
+		err = -ENOMEM;
+		goto out;
+	}
+
+	/* Push on irq_data and the domain for each line. */
+	for (i = 0; i < ngpio; i++) {
+		err = irq_domain_push_irq(txgpio->irqd,
+					  txgpio->msix_entries[i].vector,
+					  &txgpio->line_entries[i]);
+		if (err < 0)
+			dev_err(dev, "irq_domain_push_irq: %d\n", err);
+	}
+
 	chip->label = KBUILD_MODNAME;
 	chip->parent = dev;
 	chip->owner = THIS_MODULE;
@@ -506,28 +574,11 @@ static int thunderx_gpio_probe(struct pc
 	chip->set = thunderx_gpio_set;
 	chip->set_multiple = thunderx_gpio_set_multiple;
 	chip->set_config = thunderx_gpio_set_config;
-	girq = &chip->irq;
-	girq->chip = &thunderx_gpio_irq_chip;
-	girq->fwnode = of_node_to_fwnode(dev->of_node);
-	girq->parent_domain =
-		irq_get_irq_data(txgpio->msix_entries[0].vector)->domain;
-	girq->child_to_parent_hwirq = thunderx_gpio_child_to_parent_hwirq;
-	girq->handler = handle_bad_irq;
-	girq->default_type = IRQ_TYPE_NONE;
-
+	chip->to_irq = thunderx_gpio_to_irq;
 	err = devm_gpiochip_add_data(dev, chip, txgpio);
 	if (err)
 		goto out;
 
-	/* Push on irq_data and the domain for each line. */
-	for (i = 0; i < ngpio; i++) {
-		err = irq_domain_push_irq(chip->irq.domain,
-					  txgpio->msix_entries[i].vector,
-					  chip);
-		if (err < 0)
-			dev_err(dev, "irq_domain_push_irq: %d\n", err);
-	}
-
 	dev_info(dev, "ThunderX GPIO: %d lines with base %d.\n",
 		 ngpio, chip->base);
 	return 0;
@@ -542,10 +593,10 @@ static void thunderx_gpio_remove(struct
 	struct thunderx_gpio *txgpio = pci_get_drvdata(pdev);
 
 	for (i = 0; i < txgpio->chip.ngpio; i++)
-		irq_domain_pop_irq(txgpio->chip.irq.domain,
+		irq_domain_pop_irq(txgpio->irqd,
 				   txgpio->msix_entries[i].vector);
 
-	irq_domain_remove(txgpio->chip.irq.domain);
+	irq_domain_remove(txgpio->irqd);
 
 	pci_set_drvdata(pdev, NULL);
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 012/222] arm64: dts: imx8mq-librem5-devkit: use correct interrupt for the magnetometer
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 011/222] Revert "gpio: thunderx: Switch to GPIOLIB_IRQCHIP" Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 013/222] ASoC: msm8916-wcd-digital: Reset RX interpolation path after use Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Angus Ainslie (Purism),
	Martin Kepplinger, Shawn Guo

From: Angus Ainslie (Purism) <angus@akkea.ca>

commit 106f7b3bf943d267eb657f34616adcaadb2ab07f upstream.

The LSM9DS1 uses a high level interrupt.

Signed-off-by: Angus Ainslie (Purism) <angus@akkea.ca>
Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
Fixes: eb4ea0857c83 ("arm64: dts: fsl: librem5: Add a device tree for the Librem5 devkit")
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/freescale/imx8mq-librem5-devkit.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-devkit.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-devkit.dts
@@ -421,7 +421,7 @@
 		pinctrl-names = "default";
 		pinctrl-0 = <&pinctrl_imu>;
 		interrupt-parent = <&gpio3>;
-		interrupts = <19 IRQ_TYPE_LEVEL_LOW>;
+		interrupts = <19 IRQ_TYPE_LEVEL_HIGH>;
 		vdd-supply = <&reg_3v3_p>;
 		vddio-supply = <&reg_3v3_p>;
 	};



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 013/222] ASoC: msm8916-wcd-digital: Reset RX interpolation path after use
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 012/222] arm64: dts: imx8mq-librem5-devkit: use correct interrupt for the magnetometer Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 014/222] ASoC: stm32: sai: fix possible circular locking Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Stephan Gerhold,
	Mark Brown

From: Stephan Gerhold <stephan@gerhold.net>

commit 85578bbd642f65065039b1765ebe1a867d5435b0 upstream.

For some reason, attempting to route audio through QDSP6 on MSM8916
causes the RX interpolation path to get "stuck" after playing audio
a few times. In this situation, the analog codec part is still working,
but the RX path in the digital codec stops working, so you only hear
the analog parts powering up. After a reboot everything works again.

So far I was not able to reproduce the problem when using lpass-cpu.

The downstream kernel driver avoids this by resetting the RX
interpolation path after use. In mainline we do something similar
for the TX decimator (LPASS_CDC_CLK_TX_RESET_B1_CTL), but the
interpolator reset (LPASS_CDC_CLK_RX_RESET_CTL) got lost when the
msm8916-wcd driver was split into analog and digital.

Fix this problem by adding the reset to
msm8916_wcd_digital_enable_interpolator().

Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Link: https://lore.kernel.org/r/20200105102753.83108-1-stephan@gerhold.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/msm8916-wcd-digital.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/sound/soc/codecs/msm8916-wcd-digital.c
+++ b/sound/soc/codecs/msm8916-wcd-digital.c
@@ -586,6 +586,12 @@ static int msm8916_wcd_digital_enable_in
 		snd_soc_component_write(component, rx_gain_reg[w->shift],
 			      snd_soc_component_read32(component, rx_gain_reg[w->shift]));
 		break;
+	case SND_SOC_DAPM_POST_PMD:
+		snd_soc_component_update_bits(component, LPASS_CDC_CLK_RX_RESET_CTL,
+					      1 << w->shift, 1 << w->shift);
+		snd_soc_component_update_bits(component, LPASS_CDC_CLK_RX_RESET_CTL,
+					      1 << w->shift, 0x0);
+		break;
 	}
 	return 0;
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 014/222] ASoC: stm32: sai: fix possible circular locking
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 013/222] ASoC: msm8916-wcd-digital: Reset RX interpolation path after use Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 015/222] ASoC: stm32: dfsdm: fix 16 bits record Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Olivier Moysan, Mark Brown

From: Olivier Moysan <olivier.moysan@st.com>

commit a14bf98c045bf119b7e779f186528e38c6428830 upstream.

In current driver, locks can be taken as follows:
- Register access: take a lock on regmap config and then on clock.
- Master clock provider: take a lock on clock and then on regmap config.
This can lead to the circular locking summarized below.

Remove peripheral clock management through regmap framework, and manage
peripheral clock in driver instead. On register access, lock on clock
is taken first, which allows to avoid possible locking issue.

[ 6696.561513] ======================================================
[ 6696.567670] WARNING: possible circular locking dependency detected
[ 6696.573842] 4.19.49 #866 Not tainted
[ 6696.577397] ------------------------------------------------------
[ 6696.583566] pulseaudio/6439 is trying to acquire lock:
[ 6696.588697] 87b0a25b (enable_lock){..-.}, at: clk_enable_lock+0x64/0x128
[ 6696.595377]
[ 6696.595377] but task is already holding lock:
[ 6696.601197] d858f825 (stm32_sai_sub:1342:(sai->regmap_config)->lock){....}
...
[ 6696.812513]  Possible unsafe locking scenario:
[ 6696.812513]
[ 6696.818418]        CPU0                    CPU1
[ 6696.822935]        ----                    ----
[ 6696.827451]   lock(stm32_sai_sub:1342:(sai->regmap_config)->lock);
[ 6696.833618]                                lock(enable_lock);
[ 6696.839350]                                lock(stm32_sai_sub:1342:
                                              (sai->regmap_config)->lock);
[ 6696.848035]   lock(enable_lock);

Fixes: 03e78a242a15 ("ASoC: stm32: sai: add h7 support")

Signed-off-by: Olivier Moysan <olivier.moysan@st.com>
Link: https://lore.kernel.org/r/20200109083254.478-1-olivier.moysan@st.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/stm/stm32_sai_sub.c |  196 ++++++++++++++++++++++++++++++------------
 1 file changed, 141 insertions(+), 55 deletions(-)

--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -184,6 +184,56 @@ static bool stm32_sai_sub_writeable_reg(
 	}
 }
 
+static int stm32_sai_sub_reg_up(struct stm32_sai_sub_data *sai,
+				unsigned int reg, unsigned int mask,
+				unsigned int val)
+{
+	int ret;
+
+	ret = clk_enable(sai->pdata->pclk);
+	if (ret < 0)
+		return ret;
+
+	ret = regmap_update_bits(sai->regmap, reg, mask, val);
+
+	clk_disable(sai->pdata->pclk);
+
+	return ret;
+}
+
+static int stm32_sai_sub_reg_wr(struct stm32_sai_sub_data *sai,
+				unsigned int reg, unsigned int mask,
+				unsigned int val)
+{
+	int ret;
+
+	ret = clk_enable(sai->pdata->pclk);
+	if (ret < 0)
+		return ret;
+
+	ret = regmap_write_bits(sai->regmap, reg, mask, val);
+
+	clk_disable(sai->pdata->pclk);
+
+	return ret;
+}
+
+static int stm32_sai_sub_reg_rd(struct stm32_sai_sub_data *sai,
+				unsigned int reg, unsigned int *val)
+{
+	int ret;
+
+	ret = clk_enable(sai->pdata->pclk);
+	if (ret < 0)
+		return ret;
+
+	ret = regmap_read(sai->regmap, reg, val);
+
+	clk_disable(sai->pdata->pclk);
+
+	return ret;
+}
+
 static const struct regmap_config stm32_sai_sub_regmap_config_f4 = {
 	.reg_bits = 32,
 	.reg_stride = 4,
@@ -295,7 +345,7 @@ static int stm32_sai_set_clk_div(struct
 
 	mask = SAI_XCR1_MCKDIV_MASK(SAI_XCR1_MCKDIV_WIDTH(version));
 	cr1 = SAI_XCR1_MCKDIV_SET(div);
-	ret = regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX, mask, cr1);
+	ret = stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX, mask, cr1);
 	if (ret < 0)
 		dev_err(&sai->pdev->dev, "Failed to update CR1 register\n");
 
@@ -372,8 +422,8 @@ static int stm32_sai_mclk_enable(struct
 
 	dev_dbg(&sai->pdev->dev, "Enable master clock\n");
 
-	return regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX,
-				  SAI_XCR1_MCKEN, SAI_XCR1_MCKEN);
+	return stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX,
+				    SAI_XCR1_MCKEN, SAI_XCR1_MCKEN);
 }
 
 static void stm32_sai_mclk_disable(struct clk_hw *hw)
@@ -383,7 +433,7 @@ static void stm32_sai_mclk_disable(struc
 
 	dev_dbg(&sai->pdev->dev, "Disable master clock\n");
 
-	regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX, SAI_XCR1_MCKEN, 0);
+	stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX, SAI_XCR1_MCKEN, 0);
 }
 
 static const struct clk_ops mclk_ops = {
@@ -446,15 +496,15 @@ static irqreturn_t stm32_sai_isr(int irq
 	unsigned int sr, imr, flags;
 	snd_pcm_state_t status = SNDRV_PCM_STATE_RUNNING;
 
-	regmap_read(sai->regmap, STM_SAI_IMR_REGX, &imr);
-	regmap_read(sai->regmap, STM_SAI_SR_REGX, &sr);
+	stm32_sai_sub_reg_rd(sai, STM_SAI_IMR_REGX, &imr);
+	stm32_sai_sub_reg_rd(sai, STM_SAI_SR_REGX, &sr);
 
 	flags = sr & imr;
 	if (!flags)
 		return IRQ_NONE;
 
-	regmap_write_bits(sai->regmap, STM_SAI_CLRFR_REGX, SAI_XCLRFR_MASK,
-			  SAI_XCLRFR_MASK);
+	stm32_sai_sub_reg_wr(sai, STM_SAI_CLRFR_REGX, SAI_XCLRFR_MASK,
+			     SAI_XCLRFR_MASK);
 
 	if (!sai->substream) {
 		dev_err(&pdev->dev, "Device stopped. Spurious IRQ 0x%x\n", sr);
@@ -503,8 +553,8 @@ static int stm32_sai_set_sysclk(struct s
 	int ret;
 
 	if (dir == SND_SOC_CLOCK_OUT && sai->sai_mclk) {
-		ret = regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX,
-					 SAI_XCR1_NODIV,
+		ret = stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX,
+					   SAI_XCR1_NODIV,
 					 freq ? 0 : SAI_XCR1_NODIV);
 		if (ret < 0)
 			return ret;
@@ -583,7 +633,7 @@ static int stm32_sai_set_dai_tdm_slot(st
 
 	slotr_mask |= SAI_XSLOTR_SLOTEN_MASK;
 
-	regmap_update_bits(sai->regmap, STM_SAI_SLOTR_REGX, slotr_mask, slotr);
+	stm32_sai_sub_reg_up(sai, STM_SAI_SLOTR_REGX, slotr_mask, slotr);
 
 	sai->slot_width = slot_width;
 	sai->slots = slots;
@@ -665,7 +715,7 @@ static int stm32_sai_set_dai_fmt(struct
 	cr1_mask |= SAI_XCR1_CKSTR;
 	frcr_mask |= SAI_XFRCR_FSPOL;
 
-	regmap_update_bits(sai->regmap, STM_SAI_FRCR_REGX, frcr_mask, frcr);
+	stm32_sai_sub_reg_up(sai, STM_SAI_FRCR_REGX, frcr_mask, frcr);
 
 	/* DAI clock master masks */
 	switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) {
@@ -693,7 +743,7 @@ static int stm32_sai_set_dai_fmt(struct
 	cr1_mask |= SAI_XCR1_SLAVE;
 
 conf_update:
-	ret = regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX, cr1_mask, cr1);
+	ret = stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX, cr1_mask, cr1);
 	if (ret < 0) {
 		dev_err(cpu_dai->dev, "Failed to update CR1 register\n");
 		return ret;
@@ -730,12 +780,12 @@ static int stm32_sai_startup(struct snd_
 	}
 
 	/* Enable ITs */
-	regmap_write_bits(sai->regmap, STM_SAI_CLRFR_REGX,
-			  SAI_XCLRFR_MASK, SAI_XCLRFR_MASK);
+	stm32_sai_sub_reg_wr(sai, STM_SAI_CLRFR_REGX,
+			     SAI_XCLRFR_MASK, SAI_XCLRFR_MASK);
 
 	imr = SAI_XIMR_OVRUDRIE;
 	if (STM_SAI_IS_CAPTURE(sai)) {
-		regmap_read(sai->regmap, STM_SAI_CR2_REGX, &cr2);
+		stm32_sai_sub_reg_rd(sai, STM_SAI_CR2_REGX, &cr2);
 		if (cr2 & SAI_XCR2_MUTECNT_MASK)
 			imr |= SAI_XIMR_MUTEDETIE;
 	}
@@ -745,8 +795,8 @@ static int stm32_sai_startup(struct snd_
 	else
 		imr |= SAI_XIMR_AFSDETIE | SAI_XIMR_LFSDETIE;
 
-	regmap_update_bits(sai->regmap, STM_SAI_IMR_REGX,
-			   SAI_XIMR_MASK, imr);
+	stm32_sai_sub_reg_up(sai, STM_SAI_IMR_REGX,
+			     SAI_XIMR_MASK, imr);
 
 	return 0;
 }
@@ -763,10 +813,10 @@ static int stm32_sai_set_config(struct s
 	 * SAI fifo threshold is set to half fifo, to keep enough space
 	 * for DMA incoming bursts.
 	 */
-	regmap_write_bits(sai->regmap, STM_SAI_CR2_REGX,
-			  SAI_XCR2_FFLUSH | SAI_XCR2_FTH_MASK,
-			  SAI_XCR2_FFLUSH |
-			  SAI_XCR2_FTH_SET(STM_SAI_FIFO_TH_HALF));
+	stm32_sai_sub_reg_wr(sai, STM_SAI_CR2_REGX,
+			     SAI_XCR2_FFLUSH | SAI_XCR2_FTH_MASK,
+			     SAI_XCR2_FFLUSH |
+			     SAI_XCR2_FTH_SET(STM_SAI_FIFO_TH_HALF));
 
 	/* DS bits in CR1 not set for SPDIF (size forced to 24 bits).*/
 	if (STM_SAI_PROTOCOL_IS_SPDIF(sai)) {
@@ -795,7 +845,7 @@ static int stm32_sai_set_config(struct s
 	if ((sai->slots == 2) && (params_channels(params) == 1))
 		cr1 |= SAI_XCR1_MONO;
 
-	ret = regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX, cr1_mask, cr1);
+	ret = stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX, cr1_mask, cr1);
 	if (ret < 0) {
 		dev_err(cpu_dai->dev, "Failed to update CR1 register\n");
 		return ret;
@@ -809,7 +859,7 @@ static int stm32_sai_set_slots(struct sn
 	struct stm32_sai_sub_data *sai = snd_soc_dai_get_drvdata(cpu_dai);
 	int slotr, slot_sz;
 
-	regmap_read(sai->regmap, STM_SAI_SLOTR_REGX, &slotr);
+	stm32_sai_sub_reg_rd(sai, STM_SAI_SLOTR_REGX, &slotr);
 
 	/*
 	 * If SLOTSZ is set to auto in SLOTR, align slot width on data size
@@ -831,16 +881,16 @@ static int stm32_sai_set_slots(struct sn
 		sai->slots = 2;
 
 	/* The number of slots in the audio frame is equal to NBSLOT[3:0] + 1*/
-	regmap_update_bits(sai->regmap, STM_SAI_SLOTR_REGX,
-			   SAI_XSLOTR_NBSLOT_MASK,
-			   SAI_XSLOTR_NBSLOT_SET((sai->slots - 1)));
+	stm32_sai_sub_reg_up(sai, STM_SAI_SLOTR_REGX,
+			     SAI_XSLOTR_NBSLOT_MASK,
+			     SAI_XSLOTR_NBSLOT_SET((sai->slots - 1)));
 
 	/* Set default slots mask if not already set from DT */
 	if (!(slotr & SAI_XSLOTR_SLOTEN_MASK)) {
 		sai->slot_mask = (1 << sai->slots) - 1;
-		regmap_update_bits(sai->regmap,
-				   STM_SAI_SLOTR_REGX, SAI_XSLOTR_SLOTEN_MASK,
-				   SAI_XSLOTR_SLOTEN_SET(sai->slot_mask));
+		stm32_sai_sub_reg_up(sai,
+				     STM_SAI_SLOTR_REGX, SAI_XSLOTR_SLOTEN_MASK,
+				     SAI_XSLOTR_SLOTEN_SET(sai->slot_mask));
 	}
 
 	dev_dbg(cpu_dai->dev, "Slots %d, slot width %d\n",
@@ -870,14 +920,14 @@ static void stm32_sai_set_frame(struct s
 	dev_dbg(cpu_dai->dev, "Frame length %d, frame active %d\n",
 		sai->fs_length, fs_active);
 
-	regmap_update_bits(sai->regmap, STM_SAI_FRCR_REGX, frcr_mask, frcr);
+	stm32_sai_sub_reg_up(sai, STM_SAI_FRCR_REGX, frcr_mask, frcr);
 
 	if ((sai->fmt & SND_SOC_DAIFMT_FORMAT_MASK) == SND_SOC_DAIFMT_LSB) {
 		offset = sai->slot_width - sai->data_size;
 
-		regmap_update_bits(sai->regmap, STM_SAI_SLOTR_REGX,
-				   SAI_XSLOTR_FBOFF_MASK,
-				   SAI_XSLOTR_FBOFF_SET(offset));
+		stm32_sai_sub_reg_up(sai, STM_SAI_SLOTR_REGX,
+				     SAI_XSLOTR_FBOFF_MASK,
+				     SAI_XSLOTR_FBOFF_SET(offset));
 	}
 }
 
@@ -994,9 +1044,9 @@ static int stm32_sai_configure_clock(str
 					return -EINVAL;
 				}
 
-				regmap_update_bits(sai->regmap,
-						   STM_SAI_CR1_REGX,
-						   SAI_XCR1_OSR, cr1);
+				stm32_sai_sub_reg_up(sai,
+						     STM_SAI_CR1_REGX,
+						     SAI_XCR1_OSR, cr1);
 
 				div = stm32_sai_get_clk_div(sai, sai_clk_rate,
 							    sai->mclk_rate);
@@ -1058,12 +1108,12 @@ static int stm32_sai_trigger(struct snd_
 	case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
 		dev_dbg(cpu_dai->dev, "Enable DMA and SAI\n");
 
-		regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX,
-				   SAI_XCR1_DMAEN, SAI_XCR1_DMAEN);
+		stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX,
+				     SAI_XCR1_DMAEN, SAI_XCR1_DMAEN);
 
 		/* Enable SAI */
-		ret = regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX,
-					 SAI_XCR1_SAIEN, SAI_XCR1_SAIEN);
+		ret = stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX,
+					   SAI_XCR1_SAIEN, SAI_XCR1_SAIEN);
 		if (ret < 0)
 			dev_err(cpu_dai->dev, "Failed to update CR1 register\n");
 		break;
@@ -1072,16 +1122,16 @@ static int stm32_sai_trigger(struct snd_
 	case SNDRV_PCM_TRIGGER_STOP:
 		dev_dbg(cpu_dai->dev, "Disable DMA and SAI\n");
 
-		regmap_update_bits(sai->regmap, STM_SAI_IMR_REGX,
-				   SAI_XIMR_MASK, 0);
+		stm32_sai_sub_reg_up(sai, STM_SAI_IMR_REGX,
+				     SAI_XIMR_MASK, 0);
 
-		regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX,
-				   SAI_XCR1_SAIEN,
-				   (unsigned int)~SAI_XCR1_SAIEN);
-
-		ret = regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX,
-					 SAI_XCR1_DMAEN,
-					 (unsigned int)~SAI_XCR1_DMAEN);
+		stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX,
+				     SAI_XCR1_SAIEN,
+				     (unsigned int)~SAI_XCR1_SAIEN);
+
+		ret = stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX,
+					   SAI_XCR1_DMAEN,
+					   (unsigned int)~SAI_XCR1_DMAEN);
 		if (ret < 0)
 			dev_err(cpu_dai->dev, "Failed to update CR1 register\n");
 
@@ -1101,7 +1151,7 @@ static void stm32_sai_shutdown(struct sn
 	struct stm32_sai_sub_data *sai = snd_soc_dai_get_drvdata(cpu_dai);
 	unsigned long flags;
 
-	regmap_update_bits(sai->regmap, STM_SAI_IMR_REGX, SAI_XIMR_MASK, 0);
+	stm32_sai_sub_reg_up(sai, STM_SAI_IMR_REGX, SAI_XIMR_MASK, 0);
 
 	clk_disable_unprepare(sai->sai_ck);
 
@@ -1169,7 +1219,7 @@ static int stm32_sai_dai_probe(struct sn
 	cr1_mask |= SAI_XCR1_SYNCEN_MASK;
 	cr1 |= SAI_XCR1_SYNCEN_SET(sai->sync);
 
-	return regmap_update_bits(sai->regmap, STM_SAI_CR1_REGX, cr1_mask, cr1);
+	return stm32_sai_sub_reg_up(sai, STM_SAI_CR1_REGX, cr1_mask, cr1);
 }
 
 static const struct snd_soc_dai_ops stm32_sai_pcm_dai_ops = {
@@ -1322,8 +1372,13 @@ static int stm32_sai_sub_parse_of(struct
 	if (STM_SAI_HAS_PDM(sai) && STM_SAI_IS_SUB_A(sai))
 		sai->regmap_config = &stm32_sai_sub_regmap_config_h7;
 
-	sai->regmap = devm_regmap_init_mmio_clk(&pdev->dev, "sai_ck",
-						base, sai->regmap_config);
+	/*
+	 * Do not manage peripheral clock through regmap framework as this
+	 * can lead to circular locking issue with sai master clock provider.
+	 * Manage peripheral clock directly in driver instead.
+	 */
+	sai->regmap = devm_regmap_init_mmio(&pdev->dev, base,
+					    sai->regmap_config);
 	if (IS_ERR(sai->regmap)) {
 		dev_err(&pdev->dev, "Failed to initialize MMIO\n");
 		return PTR_ERR(sai->regmap);
@@ -1420,6 +1475,10 @@ static int stm32_sai_sub_parse_of(struct
 		return PTR_ERR(sai->sai_ck);
 	}
 
+	ret = clk_prepare(sai->pdata->pclk);
+	if (ret < 0)
+		return ret;
+
 	if (STM_SAI_IS_F4(sai->pdata))
 		return 0;
 
@@ -1501,22 +1560,48 @@ static int stm32_sai_sub_probe(struct pl
 	return 0;
 }
 
+static int stm32_sai_sub_remove(struct platform_device *pdev)
+{
+	struct stm32_sai_sub_data *sai = dev_get_drvdata(&pdev->dev);
+
+	clk_unprepare(sai->pdata->pclk);
+
+	return 0;
+}
+
 #ifdef CONFIG_PM_SLEEP
 static int stm32_sai_sub_suspend(struct device *dev)
 {
 	struct stm32_sai_sub_data *sai = dev_get_drvdata(dev);
+	int ret;
+
+	ret = clk_enable(sai->pdata->pclk);
+	if (ret < 0)
+		return ret;
 
 	regcache_cache_only(sai->regmap, true);
 	regcache_mark_dirty(sai->regmap);
+
+	clk_disable(sai->pdata->pclk);
+
 	return 0;
 }
 
 static int stm32_sai_sub_resume(struct device *dev)
 {
 	struct stm32_sai_sub_data *sai = dev_get_drvdata(dev);
+	int ret;
+
+	ret = clk_enable(sai->pdata->pclk);
+	if (ret < 0)
+		return ret;
 
 	regcache_cache_only(sai->regmap, false);
-	return regcache_sync(sai->regmap);
+	ret = regcache_sync(sai->regmap);
+
+	clk_disable(sai->pdata->pclk);
+
+	return ret;
 }
 #endif /* CONFIG_PM_SLEEP */
 
@@ -1531,6 +1616,7 @@ static struct platform_driver stm32_sai_
 		.pm = &stm32_sai_sub_pm_ops,
 	},
 	.probe = stm32_sai_sub_probe,
+	.remove = stm32_sai_sub_remove,
 };
 
 module_platform_driver(stm32_sai_sub_driver);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 015/222] ASoC: stm32: dfsdm: fix 16 bits record
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 014/222] ASoC: stm32: sai: fix possible circular locking Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 016/222] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Olivier Moysan, Mark Brown

From: Olivier Moysan <olivier.moysan@st.com>

commit 8e55ea19125b65cffe42747359af99d545e85f2f upstream.

In stm32_afsdm_pcm_cb function, the transfer size is provided in bytes.
However, samples are copied as 16 bits words from iio buffer.
Divide by two the transfer size, to copy the right number of samples.

Fixes: 1e7f6e1c69f0 ("ASoC: stm32: dfsdm: add 16 bits audio record support")

Signed-off-by: Olivier Moysan <olivier.moysan@st.com>
Link: https://lore.kernel.org/r/20200110131131.3191-1-olivier.moysan@st.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/stm/stm32_adfsdm.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/sound/soc/stm/stm32_adfsdm.c
+++ b/sound/soc/stm/stm32_adfsdm.c
@@ -153,13 +153,13 @@ static const struct snd_soc_component_dr
 	.name = "stm32_dfsdm_audio",
 };
 
-static void memcpy_32to16(void *dest, const void *src, size_t n)
+static void stm32_memcpy_32to16(void *dest, const void *src, size_t n)
 {
 	unsigned int i = 0;
 	u16 *d = (u16 *)dest, *s = (u16 *)src;
 
 	s++;
-	for (i = n; i > 0; i--) {
+	for (i = n >> 1; i > 0; i--) {
 		*d++ = *s++;
 		s++;
 	}
@@ -186,8 +186,8 @@ static int stm32_afsdm_pcm_cb(const void
 
 	if ((priv->pos + src_size) > buff_size) {
 		if (format == SNDRV_PCM_FORMAT_S16_LE)
-			memcpy_32to16(&pcm_buff[priv->pos], src_buff,
-				      buff_size - priv->pos);
+			stm32_memcpy_32to16(&pcm_buff[priv->pos], src_buff,
+					    buff_size - priv->pos);
 		else
 			memcpy(&pcm_buff[priv->pos], src_buff,
 			       buff_size - priv->pos);
@@ -196,8 +196,8 @@ static int stm32_afsdm_pcm_cb(const void
 	}
 
 	if (format == SNDRV_PCM_FORMAT_S16_LE)
-		memcpy_32to16(&pcm_buff[priv->pos],
-			      &src_buff[src_size - cur_size], cur_size);
+		stm32_memcpy_32to16(&pcm_buff[priv->pos],
+				    &src_buff[src_size - cur_size], cur_size);
 	else
 		memcpy(&pcm_buff[priv->pos], &src_buff[src_size - cur_size],
 		       cur_size);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 016/222] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 015/222] ASoC: stm32: dfsdm: fix 16 bits record Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 017/222] ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1 Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Stephan Gerhold,
	Mark Brown

From: Stephan Gerhold <stephan@gerhold.net>

commit e0beec88397b163c7c4ea6fcfb67e8e07a2671dc upstream.

MIC BIAS External1 sets pm8916_wcd_analog_enable_micbias_ext1()
as event handler, which ends up in pm8916_wcd_analog_enable_micbias_ext().

But pm8916_wcd_analog_enable_micbias_ext() only handles the POST_PMU
event, which is not specified in the event flags for MIC BIAS External1.
This means that the code in the event handler is never actually run.

Set SND_SOC_DAPM_POST_PMU as the only event for the handler to fix this.

Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Link: https://lore.kernel.org/r/20200111164006.43074-2-stephan@gerhold.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/msm8916-wcd-analog.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/soc/codecs/msm8916-wcd-analog.c
+++ b/sound/soc/codecs/msm8916-wcd-analog.c
@@ -888,10 +888,10 @@ static const struct snd_soc_dapm_widget
 
 	SND_SOC_DAPM_SUPPLY("MIC BIAS External1", CDC_A_MICB_1_EN, 7, 0,
 			    pm8916_wcd_analog_enable_micbias_ext1,
-			    SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
+			    SND_SOC_DAPM_POST_PMU),
 	SND_SOC_DAPM_SUPPLY("MIC BIAS External2", CDC_A_MICB_2_EN, 7, 0,
 			    pm8916_wcd_analog_enable_micbias_ext2,
-			    SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
+			    SND_SOC_DAPM_POST_PMU),
 
 	SND_SOC_DAPM_ADC_E("ADC1", NULL, CDC_A_TX_1_EN, 7, 0,
 			   pm8916_wcd_analog_enable_adc,



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 017/222] ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 016/222] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 018/222] ARM: OMAP2+: Fix ti_sysc_find_one_clockdomain to check for to_clk_hw_omap Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Stephan Gerhold,
	Mark Brown

From: Stephan Gerhold <stephan@gerhold.net>

commit 057efcf9faea4769cf1020677d93d040db9b23f3 upstream.

MIC BIAS Internal1 is broken at the moment because we always
enable the internal rbias resistor to the TX2 line (connected to
the headset microphone), rather than enabling the resistor connected
to TX1.

Move the RBIAS code to pm8916_wcd_analog_enable_micbias_int1/2()
to fix this.

Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Link: https://lore.kernel.org/r/20200111164006.43074-3-stephan@gerhold.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/msm8916-wcd-analog.c |   16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--- a/sound/soc/codecs/msm8916-wcd-analog.c
+++ b/sound/soc/codecs/msm8916-wcd-analog.c
@@ -391,9 +391,6 @@ static int pm8916_wcd_analog_enable_micb
 
 	switch (event) {
 	case SND_SOC_DAPM_PRE_PMU:
-		snd_soc_component_update_bits(component, CDC_A_MICB_1_INT_RBIAS,
-				    MICB_1_INT_TX2_INT_RBIAS_EN_MASK,
-				    MICB_1_INT_TX2_INT_RBIAS_EN_ENABLE);
 		snd_soc_component_update_bits(component, reg, MICB_1_EN_PULL_DOWN_EN_MASK, 0);
 		snd_soc_component_update_bits(component, CDC_A_MICB_1_EN,
 				    MICB_1_EN_OPA_STG2_TAIL_CURR_MASK,
@@ -443,6 +440,14 @@ static int pm8916_wcd_analog_enable_micb
 	struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
 	struct pm8916_wcd_analog_priv *wcd = snd_soc_component_get_drvdata(component);
 
+	switch (event) {
+	case SND_SOC_DAPM_PRE_PMU:
+		snd_soc_component_update_bits(component, CDC_A_MICB_1_INT_RBIAS,
+				    MICB_1_INT_TX1_INT_RBIAS_EN_MASK,
+				    MICB_1_INT_TX1_INT_RBIAS_EN_ENABLE);
+		break;
+	}
+
 	return pm8916_wcd_analog_enable_micbias_int(component, event, w->reg,
 						     wcd->micbias1_cap_mode);
 }
@@ -553,6 +558,11 @@ static int pm8916_wcd_analog_enable_micb
 	struct pm8916_wcd_analog_priv *wcd = snd_soc_component_get_drvdata(component);
 
 	switch (event) {
+	case SND_SOC_DAPM_PRE_PMU:
+		snd_soc_component_update_bits(component, CDC_A_MICB_1_INT_RBIAS,
+				    MICB_1_INT_TX2_INT_RBIAS_EN_MASK,
+				    MICB_1_INT_TX2_INT_RBIAS_EN_ENABLE);
+		break;
 	case SND_SOC_DAPM_POST_PMU:
 		pm8916_mbhc_configure_bias(wcd, true);
 		break;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 018/222] ARM: OMAP2+: Fix ti_sysc_find_one_clockdomain to check for to_clk_hw_omap
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 017/222] ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1 Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 019/222] ARM: dts: imx7ulp: fix reg of cpu node Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tony Lindgren

From: Tony Lindgren <tony@atomide.com>

commit 90bdfa0b05e3cc809a7c1aa3b1f162b46ea1b330 upstream.

We must bail out early if the clock is not hw_omap. Otherwise we will
try to access invalid address with hwclk->clkdm_name:

Unable to handle kernel paging request at virtual address ffffffff
Internal error: Oops: 27 [#1] ARM
...
(strcmp) from [<c011b348>] (clkdm_lookup+0x40/0x60)
[<c011b348>] (clkdm_lookup) from [<c011cb84>] (ti_sysc_clkdm_init+0x5c/0x64)
[<c011cb84>] (ti_sysc_clkdm_init) from [<c03680a8>] (sysc_probe+0x948/0x117c)
[<c03680a8>] (sysc_probe) from [<c03d0af4>] (platform_drv_probe+0x48/0x98)
...

Fixes: 2b2f7def058a ("bus: ti-sysc: Add support for missing clockdomain handling")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-omap2/pdata-quirks.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm/mach-omap2/pdata-quirks.c
+++ b/arch/arm/mach-omap2/pdata-quirks.c
@@ -368,10 +368,14 @@ static void __init dra7x_evm_mmc_quirk(v
 
 static struct clockdomain *ti_sysc_find_one_clockdomain(struct clk *clk)
 {
+	struct clk_hw *hw = __clk_get_hw(clk);
 	struct clockdomain *clkdm = NULL;
 	struct clk_hw_omap *hwclk;
 
-	hwclk = to_clk_hw_omap(__clk_get_hw(clk));
+	hwclk = to_clk_hw_omap(hw);
+	if (!omap2_clk_is_hw_omap(hw))
+		return NULL;
+
 	if (hwclk && hwclk->clkdm_name)
 		clkdm = clkdm_lookup(hwclk->clkdm_name);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 019/222] ARM: dts: imx7ulp: fix reg of cpu node
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 018/222] ARM: OMAP2+: Fix ti_sysc_find_one_clockdomain to check for to_clk_hw_omap Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 020/222] ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peng Fan, Fabio Estevam, Shawn Guo

From: Peng Fan <peng.fan@nxp.com>

commit b8ab62ff7199fac8ce27fa4a149929034fabe7f8 upstream.

According to arm cpus binding doc,
"
      On 32-bit ARM v7 or later systems this property is
        required and matches the CPU MPIDR[23:0] register
        bits.

        Bits [23:0] in the reg cell must be set to
        bits [23:0] in MPIDR.

        All other bits in the reg cell must be set to 0.
"

In i.MX7ULP, the MPIDR[23:0] is 0xf00, not 0, so fix it.
Otherwise there will be warning:
"DT missing boot CPU MPIDR[23:0], fall back to default cpu_logical_map"

Fixes: 20434dc92c05 ("ARM: dts: imx: add common imx7ulp dtsi support")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx7ulp.dtsi |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/imx7ulp.dtsi
+++ b/arch/arm/boot/dts/imx7ulp.dtsi
@@ -37,10 +37,10 @@
 		#address-cells = <1>;
 		#size-cells = <0>;
 
-		cpu0: cpu@0 {
+		cpu0: cpu@f00 {
 			compatible = "arm,cortex-a7";
 			device_type = "cpu";
-			reg = <0>;
+			reg = <0xf00>;
 		};
 	};
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 020/222] ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 019/222] ARM: dts: imx7ulp: fix reg of cpu node Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 021/222] ASoC: Intel: bytcht_es8316: Fix Irbis NB41 netbook quirk Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel, linux-arm-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Fabio Estevam,
	Ludwig Zenz, NXP Linux Team, Shawn Guo

From: Marek Vasut <marex@denx.de>

commit fe6a6689d1815b63528796886853890d8ee7f021 upstream.

The SGTL5000 VDDIO is connected to the PMIC SW2 output, not to
a fixed 3V3 rail. Describe this correctly in the DT.

Fixes: 52c7a088badd ("ARM: dts: imx6q: Add support for the DHCOM iMX6 SoM and PDK2")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Ludwig Zenz <lzenz@dh-electronics.com>
Cc: NXP Linux Team <linux-imx@nxp.com>
To: linux-arm-kernel@lists.infradead.org
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6q-dhcom-pdk2.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/imx6q-dhcom-pdk2.dts
+++ b/arch/arm/boot/dts/imx6q-dhcom-pdk2.dts
@@ -55,7 +55,7 @@
 		#sound-dai-cells = <0>;
 		clocks = <&clk_ext_audio_codec>;
 		VDDA-supply = <&reg_3p3v>;
-		VDDIO-supply = <&reg_3p3v>;
+		VDDIO-supply = <&sw2_reg>;
 	};
 };
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 021/222] ASoC: Intel: bytcht_es8316: Fix Irbis NB41 netbook quirk
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 020/222] ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 022/222] ALSA: dice: fix fallback from protocol extension into limited functionality Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, russianneuromancer, Hans de Goede,
	Pierre-Louis Bossart, Mark Brown

From: Hans de Goede <hdegoede@redhat.com>

commit 869bced7a055665e3ddb1ba671a441ce6f997bf1 upstream.

When a quirk for the Irbis NB41 netbook was added, to override the defaults
for this device, I forgot to add/keep the BYT_CHT_ES8316_SSP0 part of the
defaults, completely breaking audio on this netbook.

This commit adds the BYT_CHT_ES8316_SSP0 flag to the Irbis NB41 netbook
quirk, making audio work again.

Cc: stable@vger.kernel.org
Cc: russianneuromancer@ya.ru
Fixes: aa2ba991c420 ("ASoC: Intel: bytcht_es8316: Add quirk for Irbis NB41 netbook")
Reported-and-tested-by: russianneuromancer@ya.ru
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20200106113903.279394-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/intel/boards/bytcht_es8316.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/soc/intel/boards/bytcht_es8316.c
+++ b/sound/soc/intel/boards/bytcht_es8316.c
@@ -442,7 +442,8 @@ static const struct dmi_system_id byt_ch
 			DMI_MATCH(DMI_SYS_VENDOR, "IRBIS"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "NB41"),
 		},
-		.driver_data = (void *)(BYT_CHT_ES8316_INTMIC_IN2_MAP
+		.driver_data = (void *)(BYT_CHT_ES8316_SSP0
+					| BYT_CHT_ES8316_INTMIC_IN2_MAP
 					| BYT_CHT_ES8316_JD_INVERTED),
 	},
 	{	/* Teclast X98 Plus II */



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 022/222] ALSA: dice: fix fallback from protocol extension into limited functionality
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 021/222] ASoC: Intel: bytcht_es8316: Fix Irbis NB41 netbook quirk Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 023/222] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit 3e2dc6bdb56893bc28257e482e1dbe5d39f313df upstream.

At failure of attempt to detect protocol extension, ALSA dice driver
should be fallback to limited functionality. However it's not.

This commit fixes it.

Cc: <stable@vger.kernel.org> # v4.18+
Fixes: 58579c056c1c9 ("ALSA: dice: use extended protocol to detect available stream formats")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20200113084630.14305-2-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/dice/dice-extension.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/sound/firewire/dice/dice-extension.c
+++ b/sound/firewire/dice/dice-extension.c
@@ -159,8 +159,11 @@ int snd_dice_detect_extension_formats(st
 		int j;
 
 		for (j = i + 1; j < 9; ++j) {
-			if (pointers[i * 2] == pointers[j * 2])
+			if (pointers[i * 2] == pointers[j * 2]) {
+				// Fallback to limited functionality.
+				err = -ENXIO;
 				goto end;
+			}
 		}
 	}
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 023/222] ALSA: seq: Fix racy access for queue timer in proc read
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 022/222] ALSA: dice: fix fallback from protocol extension into limited functionality Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 024/222] ALSA: firewire-tascam: fix corruption due to spin lock without restoration in SoftIRQ context Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+2b2ef983f973e5c40943, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream.

snd_seq_info_timer_read() reads the information of the timer assigned
for each queue, but it's done in a racy way which may lead to UAF as
spotted by syzkaller.

This patch applies the missing q->timer_mutex lock while accessing the
timer object as well as a slight code change to adapt the standard
coding style.

Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq/seq_timer.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -465,15 +465,19 @@ void snd_seq_info_timer_read(struct snd_
 		q = queueptr(idx);
 		if (q == NULL)
 			continue;
-		if ((tmr = q->timer) == NULL ||
-		    (ti = tmr->timeri) == NULL) {
-			queuefree(q);
-			continue;
-		}
+		mutex_lock(&q->timer_mutex);
+		tmr = q->timer;
+		if (!tmr)
+			goto unlock;
+		ti = tmr->timeri;
+		if (!ti)
+			goto unlock;
 		snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
 		resolution = snd_timer_resolution(ti) * tmr->ticks;
 		snd_iprintf(buffer, "  Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
 		snd_iprintf(buffer, "  Skew : %u / %u\n", tmr->skew, tmr->skew_base);
+unlock:
+		mutex_unlock(&q->timer_mutex);
 		queuefree(q);
  	}
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 024/222] ALSA: firewire-tascam: fix corruption due to spin lock without restoration in SoftIRQ context
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 023/222] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 025/222] ALSA: usb-audio: fix sync-ep altsetting sanity check Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Scott Bahling, Takashi Sakamoto,
	Takashi Iwai

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit 747d1f076de5a60770011f6e512de43298ec64cb upstream.

ALSA firewire-tascam driver can bring corruption due to spin lock without
restoration of IRQ flag in SoftIRQ context. This commit fixes the bug.

Cc: Scott Bahling <sbahling@suse.com>
Cc: <stable@vger.kernel.org> # v4.21
Fixes: d7167422433c ("ALSA: firewire-tascam: queue events for change of control surface")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20200113085719.26788-1-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/tascam/amdtp-tascam.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/sound/firewire/tascam/amdtp-tascam.c
+++ b/sound/firewire/tascam/amdtp-tascam.c
@@ -157,14 +157,15 @@ static void read_status_messages(struct
 			if ((before ^ after) & mask) {
 				struct snd_firewire_tascam_change *entry =
 						&tscm->queue[tscm->push_pos];
+				unsigned long flag;
 
-				spin_lock_irq(&tscm->lock);
+				spin_lock_irqsave(&tscm->lock, flag);
 				entry->index = index;
 				entry->before = before;
 				entry->after = after;
 				if (++tscm->push_pos >= SND_TSCM_QUEUE_COUNT)
 					tscm->push_pos = 0;
-				spin_unlock_irq(&tscm->lock);
+				spin_unlock_irqrestore(&tscm->lock, flag);
 
 				wake_up(&tscm->hwdep_wait);
 			}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 025/222] ALSA: usb-audio: fix sync-ep altsetting sanity check
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 024/222] ALSA: firewire-tascam: fix corruption due to spin lock without restoration in SoftIRQ context Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 026/222] arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Takashi Iwai

From: Johan Hovold <johan@kernel.org>

commit 5d1b71226dc4d44b4b65766fa9d74492f9d4587b upstream.

The altsetting sanity check in set_sync_ep_implicit_fb_quirk() was
checking for there to be at least one altsetting but then went on to
access the second one, which may not exist.

This could lead to random slab data being used to initialise the sync
endpoint in snd_usb_add_endpoint().

Fixes: c75a8a7ae565 ("ALSA: snd-usb: add support for implicit feedback")
Fixes: ca10a7ebdff1 ("ALSA: usb-audio: FT C400 sync playback EP to capture EP")
Fixes: 5e35dc0338d8 ("ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204")
Fixes: 17f08b0d9aaf ("ALSA: usb-audio: add implicit fb quirk for Axe-Fx II")
Fixes: 103e9625647a ("ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk")
Cc: stable <stable@vger.kernel.org>     # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20200114083953.1106-1-johan@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/pcm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -370,7 +370,7 @@ static int set_sync_ep_implicit_fb_quirk
 add_sync_ep_from_ifnum:
 	iface = usb_ifnum_to_if(dev, ifnum);
 
-	if (!iface || iface->num_altsetting == 0)
+	if (!iface || iface->num_altsetting < 2)
 		return -EINVAL;
 
 	alts = &iface->altsetting[1];



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 026/222] arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 025/222] ALSA: usb-audio: fix sync-ep altsetting sanity check Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 027/222] arm64: dts: allwinner: a64: olinuxino: Fix eMMC " Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefan Mavrodiev, Maxime Ripard

From: Stefan Mavrodiev <stefan@olimex.com>

commit 3d615c2fc2d111b51d2e20516b920138d4ae29a2 upstream.

A64-OLinuXino uses DCDC1 (VCC-IO) for MMC1 supply. In commit 916b68cfe4b5
("arm64: dts: a64-olinuxino: Enable RTL8723BS WiFi") ALDO2 is set, which is
VCC-PL. Since DCDC1 is always present, the boards are working without a
problem.

This patch sets the correct regulator.

Fixes: 916b68cfe4b5 ("arm64: dts: a64-olinuxino: Enable RTL8723BS WiFi")
Cc: stable@vger.kernel.org # v4.16+
Signed-off-by: Stefan Mavrodiev <stefan@olimex.com>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino.dts
@@ -140,7 +140,7 @@
 &mmc1 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&mmc1_pins>;
-	vmmc-supply = <&reg_aldo2>;
+	vmmc-supply = <&reg_dcdc1>;
 	vqmmc-supply = <&reg_dldo4>;
 	mmc-pwrseq = <&wifi_pwrseq>;
 	bus-width = <4>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 027/222] arm64: dts: allwinner: a64: olinuxino: Fix eMMC supply regulator
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 026/222] arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 028/222] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefan Mavrodiev, Maxime Ripard

From: Stefan Mavrodiev <stefan@olimex.com>

commit 8467ebbf708e5c4574b4eb5f663558fc724945ac upstream.

A64-OLinuXino-eMMC uses 1.8V for eMMC supply. This is done via a triple
jumper, which sets VCC-PL to either 1.8V or 3.3V. This setting is different
for boards with and without eMMC.

This is not a big issue for DDR52 mode, however the eMMC will not work in
HS200/HS400, since these modes explicitly requires 1.8V.

Fixes: 94f68f3a4b2a ("arm64: dts: allwinner: a64: Add A64 OlinuXino board (with eMMC)")
Cc: stable@vger.kernel.org # v5.4
Signed-off-by: Stefan Mavrodiev <stefan@olimex.com>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino-emmc.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino-emmc.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-olinuxino-emmc.dts
@@ -15,7 +15,7 @@
 	pinctrl-names = "default";
 	pinctrl-0 = <&mmc2_pins>;
 	vmmc-supply = <&reg_dcdc1>;
-	vqmmc-supply = <&reg_dcdc1>;
+	vqmmc-supply = <&reg_eldo1>;
 	bus-width = <8>;
 	non-removable;
 	cap-mmc-hw-reset;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 028/222] arm64: dts: agilex/stratix10: fix pmu interrupt numbers
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 027/222] arm64: dts: allwinner: a64: olinuxino: Fix eMMC " Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 029/222] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Meng Li, Dinh Nguyen

From: Dinh Nguyen <dinguyen@kernel.org>

commit 210de0e996aee8e360ccc9e173fe7f0a7ed2f695 upstream.

Fix up the correct interrupt numbers for the PMU unit on Agilex
and Stratix10.

Fixes: 78cd6a9d8e15 ("arm64: dts: Add base stratix 10 dtsi")
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: Meng Li <Meng.Li@windriver.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi |    8 ++++----
 arch/arm64/boot/dts/intel/socfpga_agilex.dtsi     |    8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

--- a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
+++ b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
@@ -61,10 +61,10 @@
 
 	pmu {
 		compatible = "arm,armv8-pmuv3";
-		interrupts = <0 120 8>,
-			     <0 121 8>,
-			     <0 122 8>,
-			     <0 123 8>;
+		interrupts = <0 170 4>,
+			     <0 171 4>,
+			     <0 172 4>,
+			     <0 173 4>;
 		interrupt-affinity = <&cpu0>,
 				     <&cpu1>,
 				     <&cpu2>,
--- a/arch/arm64/boot/dts/intel/socfpga_agilex.dtsi
+++ b/arch/arm64/boot/dts/intel/socfpga_agilex.dtsi
@@ -47,10 +47,10 @@
 
 	pmu {
 		compatible = "arm,armv8-pmuv3";
-		interrupts = <0 120 8>,
-			     <0 121 8>,
-			     <0 122 8>,
-			     <0 123 8>;
+		interrupts = <0 170 4>,
+			     <0 171 4>,
+			     <0 172 4>,
+			     <0 173 4>;
 		interrupt-affinity = <&cpu0>,
 				     <&cpu1>,
 				     <&cpu2>,



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 029/222] Fix built-in early-load Intel microcode alignment
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 028/222] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 030/222] clk: sunxi-ng: r40: Allow setting parent rate for external clock outputs Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jari Ruusu, Borislav Petkov,
	Fenghua Yu, Luis Chamberlain, stable, Linus Torvalds

From: Jari Ruusu <jari.ruusu@gmail.com>

commit f5ae2ea6347a308cfe91f53b53682ce635497d0d upstream.

Intel Software Developer's Manual, volume 3, chapter 9.11.6 says:

 "Note that the microcode update must be aligned on a 16-byte boundary
  and the size of the microcode update must be 1-KByte granular"

When early-load Intel microcode is loaded from initramfs, userspace tool
'iucode_tool' has already 16-byte aligned those microcode bits in that
initramfs image.  Image that was created something like this:

 iucode_tool --write-earlyfw=FOO.cpio microcode-files...

However, when early-load Intel microcode is loaded from built-in
firmware BLOB using CONFIG_EXTRA_FIRMWARE= kernel config option, that
16-byte alignment is not guaranteed.

Fix this by forcing all built-in firmware BLOBs to 16-byte alignment.

[ If we end up having other firmware with much bigger alignment
  requirements, we might need to introduce some method for the firmware
  to specify it, this is the minimal "just increase the alignment a bit
  to account for this one special case" patch    - Linus ]

Signed-off-by: Jari Ruusu <jari.ruusu@gmail.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/firmware_loader/builtin/Makefile |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/firmware_loader/builtin/Makefile
+++ b/drivers/base/firmware_loader/builtin/Makefile
@@ -17,7 +17,7 @@ PROGBITS  = $(if $(CONFIG_ARM),%,@)progb
 filechk_fwbin = \
 	echo "/* Generated by $(src)/Makefile */"		;\
 	echo "    .section .rodata"				;\
-	echo "    .p2align $(ASM_ALIGN)"			;\
+	echo "    .p2align 4"					;\
 	echo "_fw_$(FWSTR)_bin:"				;\
 	echo "    .incbin \"$(fwdir)/$(FWNAME)\""		;\
 	echo "_fw_end:"						;\



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 030/222] clk: sunxi-ng: r40: Allow setting parent rate for external clock outputs
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 029/222] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 031/222] block: fix an integer overflow in logical block size Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Chen-Yu Tsai, Maxime Ripard

From: Chen-Yu Tsai <wens@csie.org>

commit c7b305267eb77fe47498676e9337324c9653494c upstream.

One of the uses of the external clock outputs is to provide a stable
32768 Hz clock signal to WiFi and Bluetooth chips. On the R40, the RTC
has an internal RC oscillator that is muxed with the external crystal.

Allow setting the parent rate for the external clock outputs so that
requests for 32768 Hz get passed to the RTC's clock driver to mux in
the external crystal if it isn't already muxed correctly.

Fixes: cd030a78f7aa ("clk: sunxi-ng: support R40 SoC")
Fixes: 01a7ea763fc4 ("clk: sunxi-ng: r40: Force LOSC parent to RTC LOSC output")
Cc: <stable@kernel.org>
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/sunxi-ng/ccu-sun8i-r40.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/clk/sunxi-ng/ccu-sun8i-r40.c
+++ b/drivers/clk/sunxi-ng/ccu-sun8i-r40.c
@@ -761,7 +761,8 @@ static struct ccu_mp outa_clk = {
 		.reg		= 0x1f0,
 		.features	= CCU_FEATURE_FIXED_PREDIV,
 		.hw.init	= CLK_HW_INIT_PARENTS("outa", out_parents,
-						      &ccu_mp_ops, 0),
+						      &ccu_mp_ops,
+						      CLK_SET_RATE_PARENT),
 	}
 };
 
@@ -779,7 +780,8 @@ static struct ccu_mp outb_clk = {
 		.reg		= 0x1f4,
 		.features	= CCU_FEATURE_FIXED_PREDIV,
 		.hw.init	= CLK_HW_INIT_PARENTS("outb", out_parents,
-						      &ccu_mp_ops, 0),
+						      &ccu_mp_ops,
+						      CLK_SET_RATE_PARENT),
 	}
 };
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 031/222] block: fix an integer overflow in logical block size
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 030/222] clk: sunxi-ng: r40: Allow setting parent rate for external clock outputs Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 032/222] fuse: fix fuse_send_readpages() in the syncronous read case Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin K. Petersen, Ming Lei,
	Mikulas Patocka, Jens Axboe

From: Mikulas Patocka <mpatocka@redhat.com>

commit ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 upstream.

Logical block size has type unsigned short. That means that it can be at
most 32768. However, there are architectures that can run with 64k pages
(for example arm64) and on these architectures, it may be possible to
create block devices with 64k block size.

For exmaple (run this on an architecture with 64k pages):

Mount will fail with this error because it tries to read the superblock using 2-sector
access:
  device-mapper: writecache: I/O is not aligned, sector 2, size 1024, block size 65536
  EXT4-fs (dm-0): unable to read superblock

This patch changes the logical block size from unsigned short to unsigned
int to avoid the overflow.

Cc: stable@vger.kernel.org
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/blk-settings.c            |    2 +-
 drivers/md/dm-snap-persistent.c |    2 +-
 drivers/md/raid0.c              |    2 +-
 include/linux/blkdev.h          |    8 ++++----
 4 files changed, 7 insertions(+), 7 deletions(-)

--- a/block/blk-settings.c
+++ b/block/blk-settings.c
@@ -328,7 +328,7 @@ EXPORT_SYMBOL(blk_queue_max_segment_size
  *   storage device can address.  The default of 512 covers most
  *   hardware.
  **/
-void blk_queue_logical_block_size(struct request_queue *q, unsigned short size)
+void blk_queue_logical_block_size(struct request_queue *q, unsigned int size)
 {
 	q->limits.logical_block_size = size;
 
--- a/drivers/md/dm-snap-persistent.c
+++ b/drivers/md/dm-snap-persistent.c
@@ -17,7 +17,7 @@
 #include <linux/dm-bufio.h>
 
 #define DM_MSG_PREFIX "persistent snapshot"
-#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32	/* 16KB */
+#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32U	/* 16KB */
 
 #define DM_PREFETCH_CHUNKS		12
 
--- a/drivers/md/raid0.c
+++ b/drivers/md/raid0.c
@@ -87,7 +87,7 @@ static int create_strip_zones(struct mdd
 	char b[BDEVNAME_SIZE];
 	char b2[BDEVNAME_SIZE];
 	struct r0conf *conf = kzalloc(sizeof(*conf), GFP_KERNEL);
-	unsigned short blksize = 512;
+	unsigned blksize = 512;
 
 	*private_conf = ERR_PTR(-ENOMEM);
 	if (!conf)
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -328,6 +328,7 @@ struct queue_limits {
 	unsigned int		max_sectors;
 	unsigned int		max_segment_size;
 	unsigned int		physical_block_size;
+	unsigned int		logical_block_size;
 	unsigned int		alignment_offset;
 	unsigned int		io_min;
 	unsigned int		io_opt;
@@ -338,7 +339,6 @@ struct queue_limits {
 	unsigned int		discard_granularity;
 	unsigned int		discard_alignment;
 
-	unsigned short		logical_block_size;
 	unsigned short		max_segments;
 	unsigned short		max_integrity_segments;
 	unsigned short		max_discard_segments;
@@ -1080,7 +1080,7 @@ extern void blk_queue_max_write_same_sec
 		unsigned int max_write_same_sectors);
 extern void blk_queue_max_write_zeroes_sectors(struct request_queue *q,
 		unsigned int max_write_same_sectors);
-extern void blk_queue_logical_block_size(struct request_queue *, unsigned short);
+extern void blk_queue_logical_block_size(struct request_queue *, unsigned int);
 extern void blk_queue_physical_block_size(struct request_queue *, unsigned int);
 extern void blk_queue_alignment_offset(struct request_queue *q,
 				       unsigned int alignment);
@@ -1294,7 +1294,7 @@ static inline unsigned int queue_max_seg
 	return q->limits.max_segment_size;
 }
 
-static inline unsigned short queue_logical_block_size(const struct request_queue *q)
+static inline unsigned queue_logical_block_size(const struct request_queue *q)
 {
 	int retval = 512;
 
@@ -1304,7 +1304,7 @@ static inline unsigned short queue_logic
 	return retval;
 }
 
-static inline unsigned short bdev_logical_block_size(struct block_device *bdev)
+static inline unsigned int bdev_logical_block_size(struct block_device *bdev)
 {
 	return queue_logical_block_size(bdev_get_queue(bdev));
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 032/222] fuse: fix fuse_send_readpages() in the syncronous read case
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 031/222] block: fix an integer overflow in logical block size Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-22  9:26 ` [PATCH 5.4 033/222] io_uring: only allow submit from owning task Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ondrej Holy, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 7df1e988c723a066754090b22d047c3225342152 upstream.

Buffered read in fuse normally goes via:

 -> generic_file_buffered_read()
   -> fuse_readpages()
     -> fuse_send_readpages()
       ->fuse_simple_request() [called since v5.4]

In the case of a read request, fuse_simple_request() will return a
non-negative bytecount on success or a negative error value.  A positive
bytecount was taken to be an error and the PG_error flag set on the page.
This resulted in generic_file_buffered_read() falling back to ->readpage(),
which would repeat the read request and succeed.  Because of the repeated
read succeeding the bug was not detected with regression tests or other use
cases.

The FTP module in GVFS however fails the second read due to the
non-seekable nature of FTP downloads.

Fix by checking and ignoring positive return value from
fuse_simple_request().

Reported-by: Ondrej Holy <oholy@redhat.com>
Link: https://gitlab.gnome.org/GNOME/gvfs/issues/441
Fixes: 134831e36bbd ("fuse: convert readpages to simple api")
Cc: <stable@vger.kernel.org> # v5.4
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -882,6 +882,7 @@ static void fuse_send_readpages(struct f
 	struct fuse_args_pages *ap = &ia->ap;
 	loff_t pos = page_offset(ap->pages[0]);
 	size_t count = ap->num_pages << PAGE_SHIFT;
+	ssize_t res;
 	int err;
 
 	ap->args.out_pages = true;
@@ -896,7 +897,8 @@ static void fuse_send_readpages(struct f
 		if (!err)
 			return;
 	} else {
-		err = fuse_simple_request(fc, &ap->args);
+		res = fuse_simple_request(fc, &ap->args);
+		err = res < 0 ? res : 0;
 	}
 	fuse_readpages_end(fc, &ap->args, err);
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 033/222] io_uring: only allow submit from owning task
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 032/222] fuse: fix fuse_send_readpages() in the syncronous read case Greg Kroah-Hartman
@ 2020-01-22  9:26 ` Greg Kroah-Hartman
  2020-01-24 10:38   ` Stefan Metzmacher
  2020-01-22  9:27 ` [PATCH 5.4 034/222] cpuidle: teo: Fix intervals[] array indexing bug Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  225 siblings, 1 reply; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefan Metzmacher, Jens Axboe

From: Jens Axboe <axboe@kernel.dk>

commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream.

If the credentials or the mm doesn't match, don't allow the task to
submit anything on behalf of this ring. The task that owns the ring can
pass the file descriptor to another task, but we don't want to allow
that task to submit an SQE that then assumes the ring mm and creds if
it needs to go async.

Cc: stable@vger.kernel.org
Suggested-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 fs/io_uring.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned
 			wake_up(&ctx->sqo_wait);
 		submitted = to_submit;
 	} else if (to_submit) {
+		if (current->mm != ctx->sqo_mm ||
+		    current_cred() != ctx->creds) {
+			ret = -EPERM;
+			goto out;
+		}
+
 		to_submit = min(to_submit, ctx->sq_entries);
 
 		mutex_lock(&ctx->uring_lock);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 034/222] cpuidle: teo: Fix intervals[] array indexing bug
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2020-01-22  9:26 ` [PATCH 5.4 033/222] io_uring: only allow submit from owning task Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 035/222] ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ikjoon Jang, Rafael J. Wysocki

From: Ikjoon Jang <ikjn@chromium.org>

commit 57388a2ccb6c2f554fee39772886c69b796dde53 upstream.

Fix a simple bug in rotating array index.

Fixes: b26bf6ab716f ("cpuidle: New timer events oriented governor for tickless systems")
Signed-off-by: Ikjoon Jang <ikjn@chromium.org>
Cc: 5.1+ <stable@vger.kernel.org> # 5.1+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpuidle/governors/teo.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cpuidle/governors/teo.c
+++ b/drivers/cpuidle/governors/teo.c
@@ -194,7 +194,7 @@ static void teo_update(struct cpuidle_dr
 	 * pattern detection.
 	 */
 	cpu_data->intervals[cpu_data->interval_idx++] = measured_us;
-	if (cpu_data->interval_idx > INTERVALS)
+	if (cpu_data->interval_idx >= INTERVALS)
 		cpu_data->interval_idx = 0;
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 035/222] ARM: dts: am571x-idk: Fix gpios property to have the correct  gpio number
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 034/222] cpuidle: teo: Fix intervals[] array indexing bug Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 036/222] ARM: davinci: select CONFIG_RESET_CONTROLLER Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kishon Vijay Abraham I, Tony Lindgren

From: Kishon Vijay Abraham I <kishon@ti.com>

commit 0c4eb2a6b3c6b0facd0a3bccda5db22e7b3b6f96 upstream.

commit d23f3839fe97d8dce03d ("ARM: dts: DRA7: Add pcie1 dt node for
EP mode") while adding the dt node for EP mode for DRA7 platform,
added rc node for am571x-idk and populated gpios property with
"gpio3 23". However the GPIO_PCIE_SWRST line is actually connected
to "gpio5 18". Fix it here. (The patch adding "gpio3 23" was tested
with another am57x board in EP mode which doesn't rely on reset from
host).

Cc: stable <stable@vger.kernel.org> # 4.14+
Fixes: d23f3839fe97d8dce03d ("ARM: dts: DRA7: Add pcie1 dt node for EP mode")
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/am571x-idk.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/am571x-idk.dts
+++ b/arch/arm/boot/dts/am571x-idk.dts
@@ -167,7 +167,7 @@
 
 &pcie1_rc {
 	status = "okay";
-	gpios = <&gpio3 23 GPIO_ACTIVE_HIGH>;
+	gpios = <&gpio5 18 GPIO_ACTIVE_HIGH>;
 };
 
 &pcie1_ep {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 036/222] ARM: davinci: select CONFIG_RESET_CONTROLLER
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 035/222] ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 037/222] perf: Correctly handle failed perf_get_aux_event() Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Bartosz Golaszewski,
	Philipp Zabel, Sekhar Nori, Olof Johansson

From: Arnd Bergmann <arnd@arndb.de>

commit 7afec66e2bf5683d8bfc812cc295313d1b8473bc upstream.

Selecting RESET_CONTROLLER is actually required, otherwise we
can get a link failure in the clock driver:

drivers/clk/davinci/psc.o: In function `__davinci_psc_register_clocks':
psc.c:(.text+0x9a0): undefined reference to `devm_reset_controller_register'
drivers/clk/davinci/psc-da850.o: In function `da850_psc0_init':
psc-da850.c:(.text+0x24): undefined reference to `reset_controller_add_lookup'

Link: https://lore.kernel.org/r/20191210195202.622734-1-arnd@arndb.de
Fixes: f962396ce292 ("ARM: davinci: support multiplatform build for ARM v5")
Cc: <stable@vger.kernel.org> # v5.4
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-davinci/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-davinci/Kconfig
+++ b/arch/arm/mach-davinci/Kconfig
@@ -9,6 +9,7 @@ menuconfig ARCH_DAVINCI
 	select PM_GENERIC_DOMAINS if PM
 	select PM_GENERIC_DOMAINS_OF if PM && OF
 	select REGMAP_MMIO
+	select RESET_CONTROLLER
 	select HAVE_IDE
 	select PINCTRL_SINGLE
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 037/222] perf: Correctly handle failed perf_get_aux_event()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 036/222] ARM: davinci: select CONFIG_RESET_CONTROLLER Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 038/222] iio: adc: ad7124: Fix DT channel configuration Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vince Weaver, Mark Rutland,
	Peter Zijlstra (Intel),
	Ingo Molnar, Alexander Shishkin

From: Mark Rutland <mark.rutland@arm.com>

commit da9ec3d3dd0f1240a48920be063448a2242dbd90 upstream.

Vince reports a worrying issue:

| so I was tracking down some odd behavior in the perf_fuzzer which turns
| out to be because perf_even_open() sometimes returns 0 (indicating a file
| descriptor of 0) even though as far as I can tell stdin is still open.

... and further the cause:

| error is triggered if aux_sample_size has non-zero value.
|
| seems to be this line in kernel/events/core.c:
|
| if (perf_need_aux_event(event) && !perf_get_aux_event(event, group_leader))
|                goto err_locked;
|
| (note, err is never set)

This seems to be a thinko in commit:

  ab43762ef010967e ("perf: Allow normal events to output AUX data")

... and we should probably return -EINVAL here, as this should only
happen when the new event is mis-configured or does not have a
compatible aux_event group leader.

Fixes: ab43762ef010967e ("perf: Allow normal events to output AUX data")
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/events/core.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11182,8 +11182,10 @@ SYSCALL_DEFINE5(perf_event_open,
 		}
 	}
 
-	if (event->attr.aux_output && !perf_get_aux_event(event, group_leader))
+	if (event->attr.aux_output && !perf_get_aux_event(event, group_leader)) {
+		err = -EINVAL;
 		goto err_locked;
+	}
 
 	/*
 	 * Must be under the same ctx::mutex as perf_install_in_context(),



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 038/222] iio: adc: ad7124: Fix DT channel configuration
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 037/222] perf: Correctly handle failed perf_get_aux_event() Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 039/222] iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandru Tachici, Stable, Jonathan Cameron

From: Alexandru Tachici <alexandru.tachici@analog.com>

commit d7857e4ee1ba69732b16c73b2f2dde83ecd78ee4 upstream.

This patch fixes device tree channel configuration.

ad7124 driver reads channels configuration from the device tree.
It expects to find channel specifications as child nodes.
Before this patch ad7124 driver assumed that the child nodes are parsed
by for_each_available_child_of_node in the order 0,1,2,3...

This is wrong and the real order of the children can be seen by running:
dtc -I fs /sys/firmware/devicetree/base on the machine.

For example, running this on an rpi 3B+ yields the real
children order: 4,2,0,7,5,3,1,6

Before this patch the driver assigned the channel configuration
like this:
        - 0 <- 4
        - 1 <- 2
        - 2 <- 0
        ........
For example, the symptoms can be observed by connecting the 4th channel
to a 1V tension and then reading the in_voltage0-voltage19_raw sysfs
(multiplied of course by the scale) one would see that channel 0
measures 1V and channel 4 measures only noise.

Now the driver uses the reg property of each child in order to
correctly identify to which channel the parsed configuration
belongs to.

Fixes b3af341bbd966: ("iio: adc: Add ad7124 support")
Signed-off-by: Alexandru Tachici <alexandru.tachici@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ad7124.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -494,13 +494,11 @@ static int ad7124_of_parse_channel_confi
 		st->channel_config[channel].buf_negative =
 			of_property_read_bool(child, "adi,buffered-negative");
 
-		*chan = ad7124_channel_template;
-		chan->address = channel;
-		chan->scan_index = channel;
-		chan->channel = ain[0];
-		chan->channel2 = ain[1];
-
-		chan++;
+		chan[channel] = ad7124_channel_template;
+		chan[channel].address = channel;
+		chan[channel].scan_index = channel;
+		chan[channel].channel = ain[0];
+		chan[channel].channel2 = ain[1];
 	}
 
 	return 0;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 039/222] iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 038/222] iio: adc: ad7124: Fix DT channel configuration Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 040/222] iio: light: vcnl4000: Fix scale for vcnl4040 Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenzo Bianconi, Stephan Gerhold,
	Jonathan Cameron

From: Stephan Gerhold <stephan@gerhold.net>

commit fb4fbc8904e786537e29329d791147389e1465a2 upstream.

At the moment, attempting to probe a device with ST_LSM6DS3_ID
(e.g. using the st,lsm6ds3 compatible) fails with:

    st_lsm6dsx_i2c 1-006b: unsupported whoami [69]

... even though 0x69 is the whoami listed for ST_LSM6DS3_ID.

This happens because st_lsm6dsx_check_whoami() also attempts
to match unspecified (zero-initialized) entries in the "id" array.
ST_LSM6DS3_ID = 0 will therefore match any entry in
st_lsm6dsx_sensor_settings (here: the first), because none of them
actually have all 12 entries listed in the "id" array.

Avoid this by additionally checking if "name" is set,
which is only set for valid entries in the "id" array.

Note: Although the problem was introduced earlier it did not surface until
commit 52f4b1f19679 ("iio: imu: st_lsm6dsx: add support for accel/gyro unit of lsm9ds1")
because ST_LSM6DS3_ID was the first entry in st_lsm6dsx_sensor_settings.

Fixes: d068e4a0f921 ("iio: imu: st_lsm6dsx: add support to multiple devices with the same settings")
Cc: <stable@vger.kernel.org> # 5.4
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -911,7 +911,8 @@ static int st_lsm6dsx_check_whoami(struc
 
 	for (i = 0; i < ARRAY_SIZE(st_lsm6dsx_sensor_settings); i++) {
 		for (j = 0; j < ST_LSM6DSX_MAX_ID; j++) {
-			if (id == st_lsm6dsx_sensor_settings[i].id[j].hw_id)
+			if (st_lsm6dsx_sensor_settings[i].id[j].name &&
+			    id == st_lsm6dsx_sensor_settings[i].id[j].hw_id)
 				break;
 		}
 		if (j < ST_LSM6DSX_MAX_ID)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 040/222] iio: light: vcnl4000: Fix scale for vcnl4040
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 039/222] iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 041/222] iio: chemical: pms7003: fix unmet triggered buffer dependency Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guido Günther, Marco Felsch,
	Stable, Jonathan Cameron

From: Guido Günther <agx@sigxcpu.org>

commit bc80573ea25bb033a58da81b3ce27205b97c088e upstream.

According to the data sheet the ambient sensor's scale is 0.12 lux/step
(not 0.024 lux/step as used by vcnl4200) when the integration time is
80ms. The integration time is currently hardcoded in the driver to that
value.

See p. 8 in https://www.vishay.com/docs/84307/designingvcnl4040.pdf

Fixes: 5a441aade5b3 ("iio: light: vcnl4000 add support for the VCNL4040 proximity and light sensor")
Signed-off-by: Guido Günther <agx@sigxcpu.org>
Reviewed-by: Marco Felsch <m.felsch@pengutronix.de>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/vcnl4000.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/iio/light/vcnl4000.c
+++ b/drivers/iio/light/vcnl4000.c
@@ -163,7 +163,6 @@ static int vcnl4200_init(struct vcnl4000
 	if (ret < 0)
 		return ret;
 
-	data->al_scale = 24000;
 	data->vcnl4200_al.reg = VCNL4200_AL_DATA;
 	data->vcnl4200_ps.reg = VCNL4200_PS_DATA;
 	switch (id) {
@@ -172,11 +171,13 @@ static int vcnl4200_init(struct vcnl4000
 		/* show 54ms in total. */
 		data->vcnl4200_al.sampling_rate = ktime_set(0, 54000 * 1000);
 		data->vcnl4200_ps.sampling_rate = ktime_set(0, 4200 * 1000);
+		data->al_scale = 24000;
 		break;
 	case VCNL4040_PROD_ID:
 		/* Integration time is 80ms, add 10ms. */
 		data->vcnl4200_al.sampling_rate = ktime_set(0, 100000 * 1000);
 		data->vcnl4200_ps.sampling_rate = ktime_set(0, 100000 * 1000);
+		data->al_scale = 120000;
 		break;
 	}
 	data->vcnl4200_al.last_measurement = ktime_set(0, 0);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 041/222] iio: chemical: pms7003: fix unmet triggered buffer dependency
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 040/222] iio: light: vcnl4000: Fix scale for vcnl4040 Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 042/222] iio: buffer: align the size of scan bytes to size of the largest element Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomasz Duszynski, Stable, Jonathan Cameron

From: Tomasz Duszynski <tduszyns@gmail.com>

commit 217afe63ccf445fc220e5ef480683607b05c0aa5 upstream.

IIO triggered buffer depends on IIO buffer which is missing from Kconfig
file. This should go unnoticed most of the time because there's a
chance something else has already enabled buffers. In some rare cases
though one might experience kbuild warnings about unmet direct
dependencies and build failures due to missing symbols.

Fix this by selecting IIO_BUFFER explicitly.

Signed-off-by: Tomasz Duszynski <tduszyns@gmail.com>
Fixes: a1d642266c14 ("iio: chemical: add support for Plantower PMS7003 sensor")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/chemical/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/chemical/Kconfig
+++ b/drivers/iio/chemical/Kconfig
@@ -65,6 +65,7 @@ config IAQCORE
 config PMS7003
 	tristate "Plantower PMS7003 particulate matter sensor"
 	depends on SERIAL_DEV_BUS
+	select IIO_BUFFER
 	select IIO_TRIGGERED_BUFFER
 	help
 	  Say Y here to build support for the Plantower PMS7003 particulate



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 042/222] iio: buffer: align the size of scan bytes to size of the largest element
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 041/222] iio: chemical: pms7003: fix unmet triggered buffer dependency Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 043/222] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars Möllendorf,
	Lars-Peter Clausen, Stable, Jonathan Cameron

From: Lars Möllendorf <lars.moellendorf@plating.de>

commit 883f616530692d81cb70f8a32d85c0d2afc05f69 upstream.

Previous versions of `iio_compute_scan_bytes` only aligned each element
to its own length (i.e. its own natural alignment). Because multiple
consecutive sets of scan elements are buffered this does not work in
case the computed scan bytes do not align with the natural alignment of
the first scan element in the set.

This commit fixes this by aligning the scan bytes to the natural
alignment of the largest scan element in the set.

Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.")
Signed-off-by: Lars Möllendorf <lars.moellendorf@plating.de>
Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/industrialio-buffer.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -566,7 +566,7 @@ static int iio_compute_scan_bytes(struct
 				const unsigned long *mask, bool timestamp)
 {
 	unsigned bytes = 0;
-	int length, i;
+	int length, i, largest = 0;
 
 	/* How much space will the demuxed element take? */
 	for_each_set_bit(i, mask,
@@ -574,13 +574,17 @@ static int iio_compute_scan_bytes(struct
 		length = iio_storage_bytes_for_si(indio_dev, i);
 		bytes = ALIGN(bytes, length);
 		bytes += length;
+		largest = max(largest, length);
 	}
 
 	if (timestamp) {
 		length = iio_storage_bytes_for_timestamp(indio_dev);
 		bytes = ALIGN(bytes, length);
 		bytes += length;
+		largest = max(largest, length);
 	}
+
+	bytes = ALIGN(bytes, largest);
 	return bytes;
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 043/222] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 042/222] iio: buffer: align the size of scan bytes to size of the largest element Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 044/222] USB: serial: option: Add support for Quectel RM500Q Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jerónimo Borque, Johan Hovold

From: Jerónimo Borque <jeronimo@borque.com.ar>

commit 260e41ac4dd3e5acb90be624c03ba7f019615b75 upstream.

Add device-ids for the Motorola Solutions TETRA radios MTP3xxx series
and MTP85xx series

$ lsusb -vd 0cad:

Bus 001 Device 009: ID 0cad:9015 Motorola CGISS TETRA PEI interface
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x0cad Motorola CGISS
  idProduct          0x9015
  bcdDevice           24.16
  iManufacturer           1
  iProduct                2
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0037
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          3
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0

Bus 001 Device 010: ID 0cad:9013 Motorola CGISS TETRA PEI interface
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x0cad Motorola CGISS
  idProduct          0x9013
  bcdDevice           24.16
  iManufacturer           1
  iProduct                2
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0037
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          3
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0

Signed-off-by: Jerónimo Borque <jeronimo@borque.com.ar>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/usb-serial-simple.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -86,6 +86,8 @@ DEVICE(moto_modem, MOTO_IDS);
 #define MOTOROLA_TETRA_IDS()			\
 	{ USB_DEVICE(0x0cad, 0x9011) },	/* Motorola Solutions TETRA PEI */ \
 	{ USB_DEVICE(0x0cad, 0x9012) },	/* MTP6550 */ \
+	{ USB_DEVICE(0x0cad, 0x9013) },	/* MTP3xxx */ \
+	{ USB_DEVICE(0x0cad, 0x9015) },	/* MTP85xx */ \
 	{ USB_DEVICE(0x0cad, 0x9016) }	/* TPG2200 */
 DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 044/222] USB: serial: option: Add support for Quectel RM500Q
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 043/222] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 045/222] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kristian Evensen, Johan Hovold

From: Kristian Evensen <kristian.evensen@gmail.com>

commit accf227de4d211b52c830a58b2df00d5739f2389 upstream.

RM500Q is a 5G module from Quectel, supporting both standalone and
non-standalone modes. Unlike other recent Quectel modems, it is possible
to identify the diagnostic interface (bInterfaceProtocol is unique).
Thus, there is no need to check for the number of endpoints or reserve
interfaces. The interface number is still dynamic though, so matching on
interface number is not possible and two entries have to be added to the
table.

Output from usb-devices with all interfaces enabled (order is diag,
nmea, at_port, modem, rmnet and adb):

Bus 004 Device 007: ID 2c7c:0800 Quectel Wireless Solutions Co., Ltd.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               3.20
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         9
  idVendor           0x2c7c Quectel Wireless Solutions Co., Ltd.
  idProduct          0x0800
  bcdDevice            4.14
  iManufacturer           1 Quectel
  iProduct                2 LTE-A Module
  iSerial                 3 40046d60
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          328
    bNumInterfaces          6
    bConfigurationValue     1
    iConfiguration          4 DIAG_SER_RMNET
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              224mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol     48
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      ** UNRECOGNIZED:  05 24 00 10 01
      ** UNRECOGNIZED:  05 24 01 00 00
      ** UNRECOGNIZED:  04 24 02 02
      ** UNRECOGNIZED:  05 24 06 00 00
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x000a  1x 10 bytes
        bInterval               9
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      ** UNRECOGNIZED:  05 24 00 10 01
      ** UNRECOGNIZED:  05 24 01 00 00
      ** UNRECOGNIZED:  04 24 02 02
      ** UNRECOGNIZED:  05 24 06 00 00
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x85  EP 5 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x000a  1x 10 bytes
        bInterval               9
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        3
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      ** UNRECOGNIZED:  05 24 00 10 01
      ** UNRECOGNIZED:  05 24 01 00 00
      ** UNRECOGNIZED:  04 24 02 02
      ** UNRECOGNIZED:  05 24 06 00 00
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x87  EP 7 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x000a  1x 10 bytes
        bInterval               9
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x86  EP 6 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        4
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              5 CDEV Serial
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x88  EP 8 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval               9
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x8e  EP 14 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               6
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x0f  EP 15 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               2
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        5
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass     66
      bInterfaceProtocol      1
      iInterface              6 ADB Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x05  EP 5 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x89  EP 9 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               0
        bMaxBurst               0
Binary Object Store Descriptor:
  bLength                 5
  bDescriptorType        15
  wTotalLength           42
  bNumDeviceCaps          3
  USB 2.0 Extension Device Capability:
    bLength                 7
    bDescriptorType        16
    bDevCapabilityType      2
    bmAttributes   0x00000006
      Link Power Management (LPM) Supported
  SuperSpeed USB Device Capability:
    bLength                10
    bDescriptorType        16
    bDevCapabilityType      3
    bmAttributes         0x00
    wSpeedsSupported   0x000f
      Device can operate at Low Speed (1Mbps)
      Device can operate at Full Speed (12Mbps)
      Device can operate at High Speed (480Mbps)
      Device can operate at SuperSpeed (5Gbps)
    bFunctionalitySupport   1
      Lowest fully-functional device speed is Full Speed (12Mbps)
    bU1DevExitLat           1 micro seconds
    bU2DevExitLat         500 micro seconds
  ** UNRECOGNIZED:  14 10 0a 00 01 00 00 00 00 11 00 00 30 40 0a 00 b0 40 0a 00
Device Status:     0x0000
  (Bus Powered)

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -248,6 +248,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_BG96			0x0296
 #define QUECTEL_PRODUCT_EP06			0x0306
 #define QUECTEL_PRODUCT_EM12			0x0512
+#define QUECTEL_PRODUCT_RM500Q			0x0800
 
 #define CMOTECH_VENDOR_ID			0x16d8
 #define CMOTECH_PRODUCT_6001			0x6001
@@ -1104,6 +1105,9 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0xff, 0xff),
 	  .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x30) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) },
+
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 045/222] USB: serial: opticon: fix control-message timeouts
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 044/222] USB: serial: option: Add support for Quectel RM500Q Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 046/222] USB: serial: option: add support for Quectel RM500Q in QDL mode Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Jansen, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 5e28055f340275a8616eee88ef19186631b4d136 upstream.

The driver was issuing synchronous uninterruptible control requests
without using a timeout. This could lead to the driver hanging
on open() or tiocmset() due to a malfunctioning (or malicious) device
until the device is physically disconnected.

The USB upper limit of five seconds per request should be more than
enough.

Fixes: 309a057932ab ("USB: opticon: add rts and cts support")
Cc: stable <stable@vger.kernel.org>     # 2.6.39
Cc: Martin Jansen <martin.jansen@opticon.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/opticon.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/opticon.c
+++ b/drivers/usb/serial/opticon.c
@@ -113,7 +113,7 @@ static int send_control_msg(struct usb_s
 	retval = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
 				requesttype,
 				USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
-				0, 0, buffer, 1, 0);
+				0, 0, buffer, 1, USB_CTRL_SET_TIMEOUT);
 	kfree(buffer);
 
 	if (retval < 0)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 046/222] USB: serial: option: add support for Quectel RM500Q in QDL mode
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 045/222] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 047/222] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Reinhard Speyerer, Johan Hovold

From: Reinhard Speyerer <rspmn@arcor.de>

commit f3eaabbfd093c93d791eb930cc68d9b15246a65e upstream.

Add support for Quectel RM500Q in QDL mode.

T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 24 Spd=480  MxCh= 0
D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0800 Rev= 0.00
S:  Manufacturer=Qualcomm CDMA Technologies MSM
S:  Product=QUSB_BULK_SN:xxxxxxxx
S:  SerialNumber=xxxxxxxx
C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=  2mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

It is assumed that the ZLP flag required for other Qualcomm-based
5G devices also applies to Quectel RM500Q.

Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1107,6 +1107,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x30) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10),
+	  .driver_info = ZLP },
 
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 047/222] USB: serial: suppress driver bind attributes
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 046/222] USB: serial: option: add support for Quectel RM500Q in QDL mode Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 048/222] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit fdb838efa31e1ed9a13ae6ad0b64e30fdbd00570 upstream.

USB-serial drivers must not be unbound from their ports before the
corresponding USB driver is unbound from the parent interface so
suppress the bind and unbind attributes.

Unbinding a serial driver while it's port is open is a sure way to
trigger a crash as any driver state is released on unbind while port
hangup is handled on the parent USB interface level. Drivers for
multiport devices where ports share a resource such as an interrupt
endpoint also generally cannot handle individual ports going away.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/usb-serial.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -1317,6 +1317,9 @@ static int usb_serial_register(struct us
 		return -EINVAL;
 	}
 
+	/* Prevent individual ports from being unbound. */
+	driver->driver.suppress_bind_attrs = true;
+
 	usb_serial_operations_init(driver);
 
 	/* Add this device to our list of devices */



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 048/222] USB: serial: ch341: handle unbound port at reset_resume
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 047/222] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 049/222] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 4d5ef53f75c22d28f490bcc5c771fcc610a9afa4 upstream.

Check for NULL port data in reset_resume() to avoid dereferencing a NULL
pointer in case the port device isn't bound to a driver (e.g. after a
failed control request at port probe).

Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after resume")
Cc: stable <stable@vger.kernel.org>     # 2.6.30
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ch341.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -589,9 +589,13 @@ static int ch341_tiocmget(struct tty_str
 static int ch341_reset_resume(struct usb_serial *serial)
 {
 	struct usb_serial_port *port = serial->port[0];
-	struct ch341_private *priv = usb_get_serial_port_data(port);
+	struct ch341_private *priv;
 	int ret;
 
+	priv = usb_get_serial_port_data(port);
+	if (!priv)
+		return 0;
+
 	/* reconfigure ch341 serial port after bus-reset */
 	ch341_configure(serial->dev, priv);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 049/222] USB: serial: io_edgeport: handle unbound ports on URB completion
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 048/222] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 050/222] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit e37d1aeda737a20b1846a91a3da3f8b0f00cf690 upstream.

Check for NULL port data in the shared interrupt and bulk completion
callbacks to avoid dereferencing a NULL pointer in case a device sends
data for a port device which isn't bound to a driver (e.g. due to a
malicious device having unexpected endpoints or after an allocation
failure on port probe).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/io_edgeport.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -716,7 +716,7 @@ static void edge_interrupt_callback(stru
 			if (txCredits) {
 				port = edge_serial->serial->port[portNumber];
 				edge_port = usb_get_serial_port_data(port);
-				if (edge_port->open) {
+				if (edge_port && edge_port->open) {
 					spin_lock_irqsave(&edge_port->ep_lock,
 							  flags);
 					edge_port->txCredits += txCredits;
@@ -1825,7 +1825,7 @@ static void process_rcvd_data(struct edg
 				port = edge_serial->serial->port[
 							edge_serial->rxPort];
 				edge_port = usb_get_serial_port_data(port);
-				if (edge_port->open) {
+				if (edge_port && edge_port->open) {
 					dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n",
 						__func__, rxLen,
 						edge_serial->rxPort);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 050/222] USB: serial: io_edgeport: add missing active-port sanity check
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 049/222] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 051/222] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 1568c58d11a7c851bd09341aeefd6a1c308ac40d upstream.

The driver receives the active port number from the device, but never
made sure that the port number was valid. This could lead to a
NULL-pointer dereference or memory corruption in case a device sends
data for an invalid port.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/io_edgeport.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -1725,7 +1725,8 @@ static void edge_break(struct tty_struct
 static void process_rcvd_data(struct edgeport_serial *edge_serial,
 				unsigned char *buffer, __u16 bufferLength)
 {
-	struct device *dev = &edge_serial->serial->dev->dev;
+	struct usb_serial *serial = edge_serial->serial;
+	struct device *dev = &serial->dev->dev;
 	struct usb_serial_port *port;
 	struct edgeport_port *edge_port;
 	__u16 lastBufferLength;
@@ -1821,9 +1822,8 @@ static void process_rcvd_data(struct edg
 
 			/* spit this data back into the tty driver if this
 			   port is open */
-			if (rxLen) {
-				port = edge_serial->serial->port[
-							edge_serial->rxPort];
+			if (rxLen && edge_serial->rxPort < serial->num_ports) {
+				port = serial->port[edge_serial->rxPort];
 				edge_port = usb_get_serial_port_data(port);
 				if (edge_port && edge_port->open) {
 					dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n",
@@ -1833,8 +1833,8 @@ static void process_rcvd_data(struct edg
 							rxLen);
 					edge_port->port->icount.rx += rxLen;
 				}
-				buffer += rxLen;
 			}
+			buffer += rxLen;
 			break;
 
 		case EXPECT_HDR3:	/* Expect 3rd byte of status header */
@@ -1869,6 +1869,8 @@ static void process_rcvd_status(struct e
 	__u8 code = edge_serial->rxStatusCode;
 
 	/* switch the port pointer to the one being currently talked about */
+	if (edge_serial->rxPort >= edge_serial->serial->num_ports)
+		return;
 	port = edge_serial->serial->port[edge_serial->rxPort];
 	edge_port = usb_get_serial_port_data(port);
 	if (edge_port == NULL) {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 051/222] USB: serial: keyspan: handle unbound ports
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 050/222] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 052/222] USB: serial: quatech2: " Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 3018dd3fa114b13261e9599ddb5656ef97a1fa17 upstream.

Check for NULL port data in the control URB completion handlers to avoid
dereferencing a NULL pointer in the unlikely case where a port device
isn't bound to a driver (e.g. after an allocation failure on port
probe()).

Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/keyspan.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -1058,6 +1058,8 @@ static void	usa49_glocont_callback(struc
 	for (i = 0; i < serial->num_ports; ++i) {
 		port = serial->port[i];
 		p_priv = usb_get_serial_port_data(port);
+		if (!p_priv)
+			continue;
 
 		if (p_priv->resend_cont) {
 			dev_dbg(&port->dev, "%s - sending setup\n", __func__);
@@ -1459,6 +1461,8 @@ static void usa67_glocont_callback(struc
 	for (i = 0; i < serial->num_ports; ++i) {
 		port = serial->port[i];
 		p_priv = usb_get_serial_port_data(port);
+		if (!p_priv)
+			continue;
 
 		if (p_priv->resend_cont) {
 			dev_dbg(&port->dev, "%s - sending setup\n", __func__);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 052/222] USB: serial: quatech2: handle unbound ports
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 051/222] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 053/222] staging: comedi: ni_routes: fix null dereference in ni_find_route_source() Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 9715a43eea77e42678a1002623f2d9a78f5b81a1 upstream.

Check for NULL port data in the modem- and line-status handlers to avoid
dereferencing a NULL pointer in the unlikely case where a port device
isn't bound to a driver (e.g. after an allocation failure on port
probe).

Note that the other (stubbed) event handlers qt2_process_xmit_empty()
and qt2_process_flush() would need similar sanity checks in case they
are ever implemented.

Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Cc: stable <stable@vger.kernel.org>     # 3.5
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/quatech2.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -841,7 +841,10 @@ static void qt2_update_msr(struct usb_se
 	u8 newMSR = (u8) *ch;
 	unsigned long flags;
 
+	/* May be called from qt2_process_read_urb() for an unbound port. */
 	port_priv = usb_get_serial_port_data(port);
+	if (!port_priv)
+		return;
 
 	spin_lock_irqsave(&port_priv->lock, flags);
 	port_priv->shadowMSR = newMSR;
@@ -869,7 +872,10 @@ static void qt2_update_lsr(struct usb_se
 	unsigned long flags;
 	u8 newLSR = (u8) *ch;
 
+	/* May be called from qt2_process_read_urb() for an unbound port. */
 	port_priv = usb_get_serial_port_data(port);
+	if (!port_priv)
+		return;
 
 	if (newLSR & UART_LSR_BI)
 		newLSR &= (u8) (UART_LSR_OE | UART_LSR_BI);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 053/222] staging: comedi: ni_routes: fix null dereference in ni_find_route_source()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 052/222] USB: serial: quatech2: " Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 054/222] staging: comedi: ni_routes: allow partial routing information Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Spencer E. Olson, Ian Abbott

From: Ian Abbott <abbotti@mev.co.uk>

commit 01e20b664f808a4f3048ca3f930911fd257209bd upstream.

In `ni_find_route_source()`, `tables->route_values` gets dereferenced.
However it is possible that `tables->route_values` is `NULL`, leading to
a null pointer dereference.  `tables->route_values` will be `NULL` if
the call to `ni_assign_device_routes()` during board initialization
returned an error due to missing device family routing information or
missing board-specific routing information.  For example, there is
currently no board-specific routing information provided for the
PCIe-6251 board and several other boards, so those are affected by this
bug.

The bug is triggered when `ni_find_route_source()` is called via
`ni_check_trigger_arg()` or `ni_check_trigger_arg_roffs()` when checking
the arguments for setting up asynchronous commands.  Fix it by returning
`-EINVAL` if `tables->route_values` is `NULL`.

Even with this fix, setting up asynchronous commands to use external
trigger sources for boards with missing routing information will still
fail gracefully.  Since `ni_find_route_source()` only depends on the
device family routing information, it would be better if that was made
available even if the board-specific routing information is missing.
That will be addressed by another patch.

Fixes: 4bb90c87abbe ("staging: comedi: add interface to ni routing table information")
Cc: <stable@vger.kernel.org> # 4.20+
Cc: Spencer E. Olson <olsonse@umich.edu>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20200114182532.132058-2-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/ni_routes.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/staging/comedi/drivers/ni_routes.c
+++ b/drivers/staging/comedi/drivers/ni_routes.c
@@ -489,6 +489,9 @@ int ni_find_route_source(const u8 src_se
 {
 	int src;
 
+	if (!tables->route_values)
+		return -EINVAL;
+
 	dest = B(dest); /* subtract NI names offset */
 	/* ensure we are not going to under/over run the route value table */
 	if (dest < 0 || dest >= NI_NUM_NAMES)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 054/222] staging: comedi: ni_routes: allow partial routing information
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 053/222] staging: comedi: ni_routes: fix null dereference in ni_find_route_source() Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 055/222] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Spencer E. Olson, Ian Abbott

From: Ian Abbott <abbotti@mev.co.uk>

commit 9fea3a40f6b07de977a2783270c8c3bc82544d45 upstream.

This patch fixes a regression on setting up asynchronous commands to use
external trigger sources when board-specific routing information is
missing.

`ni_find_device_routes()` (called via `ni_assign_device_routes()`) finds
the table of register values for the device family and the set of valid
routes for the specific board.  If both are found,
`tables->route_values` is set to point to the table of register values
for the device family and `tables->valid_routes` is set to point to the
list of valid routes for the specific board.  If either is not found,
both `tables->route_values` and `tables->valid_routes` are left set at
their initial null values (initialized by `ni_assign_device_routes()`)
and the function returns `-ENODATA`.

Returning an error results in some routing functionality being disabled.
Unfortunately, leaving `table->route_values` set to `NULL` also breaks
the setting up of asynchronous commands that are configured to use
external trigger sources.  Calls to `ni_check_trigger_arg()` or
`ni_check_trigger_arg_roffs()` while checking the asynchronous command
set-up would result in a null pointer dereference if
`table->route_values` is `NULL`.  The null pointer dereference is fixed
in another patch, but it now results in failure to set up the
asynchronous command.  That is a regression from the behavior prior to
commit 347e244884c3 ("staging: comedi: tio: implement global tio/ctr
routing") and commit 56d0b826d39f ("staging: comedi: ni_mio_common:
implement new routing for TRIG_EXT").

Change `ni_find_device_routes()` to set `tables->route_values` and/or
`tables->valid_routes` to valid information even if the other one can
only be set to `NULL` due to missing information.  The function will
still return an error in that case.  This should result in
`tables->valid_routes` being valid for all currently supported device
families even if the board-specific routing information is missing.
That should be enough to fix the regression on setting up asynchronous
commands to use external triggers for boards with missing routing
information.

Fixes: 347e244884c3 ("staging: comedi: tio: implement global tio/ctr routing")
Fixes: 56d0b826d39f ("staging: comedi: ni_mio_common: implement new routing for TRIG_EXT").
Cc: <stable@vger.kernel.org> # 4.20+
Cc: Spencer E. Olson <olsonse@umich.edu>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20200114182532.132058-3-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/ni_routes.c |    9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

--- a/drivers/staging/comedi/drivers/ni_routes.c
+++ b/drivers/staging/comedi/drivers/ni_routes.c
@@ -74,9 +74,6 @@ static int ni_find_device_routes(const c
 		}
 	}
 
-	if (!rv)
-		return -ENODATA;
-
 	/* Second, find the set of routes valid for this device. */
 	for (i = 0; ni_device_routes_list[i]; ++i) {
 		if (memcmp(ni_device_routes_list[i]->device, board_name,
@@ -86,12 +83,12 @@ static int ni_find_device_routes(const c
 		}
 	}
 
-	if (!dr)
-		return -ENODATA;
-
 	tables->route_values = rv;
 	tables->valid_routes = dr;
 
+	if (!rv || !dr)
+		return -ENODATA;
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 055/222] scsi: fnic: fix invalid stack access
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 054/222] staging: comedi: ni_routes: allow partial routing information Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 056/222] scsi: mptfusion: Fix double fetch bug in ioctl Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Martin K. Petersen

From: Arnd Bergmann <arnd@arndb.de>

commit 42ec15ceaea74b5f7a621fc6686cbf69ca66c4cf upstream.

gcc -O3 warns that some local variables are not properly initialized:

drivers/scsi/fnic/vnic_dev.c: In function 'fnic_dev_hang_notify':
drivers/scsi/fnic/vnic_dev.c:511:16: error: 'a0' is used uninitialized in this function [-Werror=uninitialized]
  vdev->args[0] = *a0;
  ~~~~~~~~~~~~~~^~~~~
drivers/scsi/fnic/vnic_dev.c:691:6: note: 'a0' was declared here
  u64 a0, a1;
      ^~
drivers/scsi/fnic/vnic_dev.c:512:16: error: 'a1' is used uninitialized in this function [-Werror=uninitialized]
  vdev->args[1] = *a1;
  ~~~~~~~~~~~~~~^~~~~
drivers/scsi/fnic/vnic_dev.c:691:10: note: 'a1' was declared here
  u64 a0, a1;
          ^~
drivers/scsi/fnic/vnic_dev.c: In function 'fnic_dev_mac_addr':
drivers/scsi/fnic/vnic_dev.c:512:16: error: 'a1' is used uninitialized in this function [-Werror=uninitialized]
  vdev->args[1] = *a1;
  ~~~~~~~~~~~~~~^~~~~
drivers/scsi/fnic/vnic_dev.c:698:10: note: 'a1' was declared here
  u64 a0, a1;
          ^~

Apparently the code relies on the local variables occupying adjacent memory
locations in the same order, but this is of course not guaranteed.

Use an array of two u64 variables where needed to make it work correctly.

I suspect there is also an endianness bug here, but have not digged in deep
enough to be sure.

Fixes: 5df6d737dd4b ("[SCSI] fnic: Add new Cisco PCI-Express FCoE HBA")
Fixes: mmtom ("init/Kconfig: enable -O3 for all arches")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200107201602.4096790-1-arnd@arndb.de
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/fnic/vnic_dev.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/drivers/scsi/fnic/vnic_dev.c
+++ b/drivers/scsi/fnic/vnic_dev.c
@@ -688,26 +688,26 @@ int vnic_dev_soft_reset_done(struct vnic
 
 int vnic_dev_hang_notify(struct vnic_dev *vdev)
 {
-	u64 a0, a1;
+	u64 a0 = 0, a1 = 0;
 	int wait = 1000;
 	return vnic_dev_cmd(vdev, CMD_HANG_NOTIFY, &a0, &a1, wait);
 }
 
 int vnic_dev_mac_addr(struct vnic_dev *vdev, u8 *mac_addr)
 {
-	u64 a0, a1;
+	u64 a[2] = {};
 	int wait = 1000;
 	int err, i;
 
 	for (i = 0; i < ETH_ALEN; i++)
 		mac_addr[i] = 0;
 
-	err = vnic_dev_cmd(vdev, CMD_MAC_ADDR, &a0, &a1, wait);
+	err = vnic_dev_cmd(vdev, CMD_MAC_ADDR, &a[0], &a[1], wait);
 	if (err)
 		return err;
 
 	for (i = 0; i < ETH_ALEN; i++)
-		mac_addr[i] = ((u8 *)&a0)[i];
+		mac_addr[i] = ((u8 *)&a)[i];
 
 	return 0;
 }
@@ -732,30 +732,30 @@ void vnic_dev_packet_filter(struct vnic_
 
 void vnic_dev_add_addr(struct vnic_dev *vdev, u8 *addr)
 {
-	u64 a0 = 0, a1 = 0;
+	u64 a[2] = {};
 	int wait = 1000;
 	int err;
 	int i;
 
 	for (i = 0; i < ETH_ALEN; i++)
-		((u8 *)&a0)[i] = addr[i];
+		((u8 *)&a)[i] = addr[i];
 
-	err = vnic_dev_cmd(vdev, CMD_ADDR_ADD, &a0, &a1, wait);
+	err = vnic_dev_cmd(vdev, CMD_ADDR_ADD, &a[0], &a[1], wait);
 	if (err)
 		pr_err("Can't add addr [%pM], %d\n", addr, err);
 }
 
 void vnic_dev_del_addr(struct vnic_dev *vdev, u8 *addr)
 {
-	u64 a0 = 0, a1 = 0;
+	u64 a[2] = {};
 	int wait = 1000;
 	int err;
 	int i;
 
 	for (i = 0; i < ETH_ALEN; i++)
-		((u8 *)&a0)[i] = addr[i];
+		((u8 *)&a)[i] = addr[i];
 
-	err = vnic_dev_cmd(vdev, CMD_ADDR_DEL, &a0, &a1, wait);
+	err = vnic_dev_cmd(vdev, CMD_ADDR_DEL, &a[0], &a[1], wait);
 	if (err)
 		pr_err("Can't del addr [%pM], %d\n", addr, err);
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 056/222] scsi: mptfusion: Fix double fetch bug in ioctl
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 055/222] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 057/222] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tom Hatskevich, Dan Carpenter,
	Martin K. Petersen

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream.

Tom Hatskevich reported that we look up "iocp" then, in the called
functions we do a second copy_from_user() and look it up again.
The problem that could cause is:

drivers/message/fusion/mptctl.c
   674          /* All of these commands require an interrupt or
   675           * are unknown/illegal.
   676           */
   677          if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
                                               ^^^^
We take this lock.

   678                  return ret;
   679
   680          if (cmd == MPTFWDOWNLOAD)
   681                  ret = mptctl_fw_download(arg);
                                                 ^^^
Then the user memory changes and we look up "iocp" again but a different
one so now we are holding the incorrect lock and have a race condition.

   682          else if (cmd == MPTCOMMAND)
   683                  ret = mptctl_mpt_command(arg);

The security impact of this bug is not as bad as it could have been
because these operations are all privileged and root already has
enormous destructive power.  But it's still worth fixing.

This patch passes the "iocp" pointer to the functions to avoid the
second lookup.  That deletes 100 lines of code from the driver so
it's a nice clean up as well.

Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
Reported-by: Tom Hatskevich <tom2001tom.23@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/message/fusion/mptctl.c |  213 +++++++++-------------------------------
 1 file changed, 50 insertions(+), 163 deletions(-)

--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -100,19 +100,19 @@ struct buflist {
  * Function prototypes. Called from OS entry point mptctl_ioctl.
  * arg contents specific to function.
  */
-static int mptctl_fw_download(unsigned long arg);
-static int mptctl_getiocinfo(unsigned long arg, unsigned int cmd);
-static int mptctl_gettargetinfo(unsigned long arg);
-static int mptctl_readtest(unsigned long arg);
-static int mptctl_mpt_command(unsigned long arg);
-static int mptctl_eventquery(unsigned long arg);
-static int mptctl_eventenable(unsigned long arg);
-static int mptctl_eventreport(unsigned long arg);
-static int mptctl_replace_fw(unsigned long arg);
-
-static int mptctl_do_reset(unsigned long arg);
-static int mptctl_hp_hostinfo(unsigned long arg, unsigned int cmd);
-static int mptctl_hp_targetinfo(unsigned long arg);
+static int mptctl_fw_download(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_getiocinfo(MPT_ADAPTER *iocp, unsigned long arg, unsigned int cmd);
+static int mptctl_gettargetinfo(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_readtest(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_mpt_command(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventquery(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventenable(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventreport(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_replace_fw(MPT_ADAPTER *iocp, unsigned long arg);
+
+static int mptctl_do_reset(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_hp_hostinfo(MPT_ADAPTER *iocp, unsigned long arg, unsigned int cmd);
+static int mptctl_hp_targetinfo(MPT_ADAPTER *iocp, unsigned long arg);
 
 static int  mptctl_probe(struct pci_dev *, const struct pci_device_id *);
 static void mptctl_remove(struct pci_dev *);
@@ -123,8 +123,8 @@ static long compat_mpctl_ioctl(struct fi
 /*
  * Private function calls.
  */
-static int mptctl_do_mpt_command(struct mpt_ioctl_command karg, void __user *mfPtr);
-static int mptctl_do_fw_download(int ioc, char __user *ufwbuf, size_t fwlen);
+static int mptctl_do_mpt_command(MPT_ADAPTER *iocp, struct mpt_ioctl_command karg, void __user *mfPtr);
+static int mptctl_do_fw_download(MPT_ADAPTER *iocp, char __user *ufwbuf, size_t fwlen);
 static MptSge_t *kbuf_alloc_2_sgl(int bytes, u32 dir, int sge_offset, int *frags,
 		struct buflist **blp, dma_addr_t *sglbuf_dma, MPT_ADAPTER *ioc);
 static void kfree_sgl(MptSge_t *sgl, dma_addr_t sgl_dma,
@@ -656,19 +656,19 @@ __mptctl_ioctl(struct file *file, unsign
 	 * by TM and FW reloads.
 	 */
 	if ((cmd & ~IOCSIZE_MASK) == (MPTIOCINFO & ~IOCSIZE_MASK)) {
-		return mptctl_getiocinfo(arg, _IOC_SIZE(cmd));
+		return mptctl_getiocinfo(iocp, arg, _IOC_SIZE(cmd));
 	} else if (cmd == MPTTARGETINFO) {
-		return mptctl_gettargetinfo(arg);
+		return mptctl_gettargetinfo(iocp, arg);
 	} else if (cmd == MPTTEST) {
-		return mptctl_readtest(arg);
+		return mptctl_readtest(iocp, arg);
 	} else if (cmd == MPTEVENTQUERY) {
-		return mptctl_eventquery(arg);
+		return mptctl_eventquery(iocp, arg);
 	} else if (cmd == MPTEVENTENABLE) {
-		return mptctl_eventenable(arg);
+		return mptctl_eventenable(iocp, arg);
 	} else if (cmd == MPTEVENTREPORT) {
-		return mptctl_eventreport(arg);
+		return mptctl_eventreport(iocp, arg);
 	} else if (cmd == MPTFWREPLACE) {
-		return mptctl_replace_fw(arg);
+		return mptctl_replace_fw(iocp, arg);
 	}
 
 	/* All of these commands require an interrupt or
@@ -678,15 +678,15 @@ __mptctl_ioctl(struct file *file, unsign
 		return ret;
 
 	if (cmd == MPTFWDOWNLOAD)
-		ret = mptctl_fw_download(arg);
+		ret = mptctl_fw_download(iocp, arg);
 	else if (cmd == MPTCOMMAND)
-		ret = mptctl_mpt_command(arg);
+		ret = mptctl_mpt_command(iocp, arg);
 	else if (cmd == MPTHARDRESET)
-		ret = mptctl_do_reset(arg);
+		ret = mptctl_do_reset(iocp, arg);
 	else if ((cmd & ~IOCSIZE_MASK) == (HP_GETHOSTINFO & ~IOCSIZE_MASK))
-		ret = mptctl_hp_hostinfo(arg, _IOC_SIZE(cmd));
+		ret = mptctl_hp_hostinfo(iocp, arg, _IOC_SIZE(cmd));
 	else if (cmd == HP_GETTARGETINFO)
-		ret = mptctl_hp_targetinfo(arg);
+		ret = mptctl_hp_targetinfo(iocp, arg);
 	else
 		ret = -EINVAL;
 
@@ -705,11 +705,10 @@ mptctl_ioctl(struct file *file, unsigned
 	return ret;
 }
 
-static int mptctl_do_reset(unsigned long arg)
+static int mptctl_do_reset(MPT_ADAPTER *iocp, unsigned long arg)
 {
 	struct mpt_ioctl_diag_reset __user *urinfo = (void __user *) arg;
 	struct mpt_ioctl_diag_reset krinfo;
-	MPT_ADAPTER		*iocp;
 
 	if (copy_from_user(&krinfo, urinfo, sizeof(struct mpt_ioctl_diag_reset))) {
 		printk(KERN_ERR MYNAM "%s@%d::mptctl_do_reset - "
@@ -718,12 +717,6 @@ static int mptctl_do_reset(unsigned long
 		return -EFAULT;
 	}
 
-	if (mpt_verify_adapter(krinfo.hdr.iocnum, &iocp) < 0) {
-		printk(KERN_DEBUG MYNAM "%s@%d::mptctl_do_reset - ioc%d not found!\n",
-				__FILE__, __LINE__, krinfo.hdr.iocnum);
-		return -ENODEV; /* (-6) No such device or address */
-	}
-
 	dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "mptctl_do_reset called.\n",
 	    iocp->name));
 
@@ -754,7 +747,7 @@ static int mptctl_do_reset(unsigned long
  *		-ENOMSG if FW upload returned bad status
  */
 static int
-mptctl_fw_download(unsigned long arg)
+mptctl_fw_download(MPT_ADAPTER *iocp, unsigned long arg)
 {
 	struct mpt_fw_xfer __user *ufwdl = (void __user *) arg;
 	struct mpt_fw_xfer	 kfwdl;
@@ -766,7 +759,7 @@ mptctl_fw_download(unsigned long arg)
 		return -EFAULT;
 	}
 
-	return mptctl_do_fw_download(kfwdl.iocnum, kfwdl.bufp, kfwdl.fwlen);
+	return mptctl_do_fw_download(iocp, kfwdl.bufp, kfwdl.fwlen);
 }
 
 /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
@@ -784,11 +777,10 @@ mptctl_fw_download(unsigned long arg)
  *		-ENOMSG if FW upload returned bad status
  */
 static int
-mptctl_do_fw_download(int ioc, char __user *ufwbuf, size_t fwlen)
+mptctl_do_fw_download(MPT_ADAPTER *iocp, char __user *ufwbuf, size_t fwlen)
 {
 	FWDownload_t		*dlmsg;
 	MPT_FRAME_HDR		*mf;
-	MPT_ADAPTER		*iocp;
 	FWDownloadTCSGE_t	*ptsge;
 	MptSge_t		*sgl, *sgIn;
 	char			*sgOut;
@@ -808,17 +800,10 @@ mptctl_do_fw_download(int ioc, char __us
 	pFWDownloadReply_t	 ReplyMsg = NULL;
 	unsigned long		 timeleft;
 
-	if (mpt_verify_adapter(ioc, &iocp) < 0) {
-		printk(KERN_DEBUG MYNAM "ioctl_fwdl - ioc%d not found!\n",
-				 ioc);
-		return -ENODEV; /* (-6) No such device or address */
-	} else {
-
-		/*  Valid device. Get a message frame and construct the FW download message.
-	 	*/
-		if ((mf = mpt_get_msg_frame(mptctl_id, iocp)) == NULL)
-			return -EAGAIN;
-	}
+	/*  Valid device. Get a message frame and construct the FW download message.
+	*/
+	if ((mf = mpt_get_msg_frame(mptctl_id, iocp)) == NULL)
+		return -EAGAIN;
 
 	dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT
 	    "mptctl_do_fwdl called. mptctl_id = %xh.\n", iocp->name, mptctl_id));
@@ -826,8 +811,6 @@ mptctl_do_fw_download(int ioc, char __us
 	    iocp->name, ufwbuf));
 	dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "DbG: kfwdl.fwlen = %d\n",
 	    iocp->name, (int)fwlen));
-	dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "DbG: kfwdl.ioc   = %04xh\n",
-	    iocp->name, ioc));
 
 	dlmsg = (FWDownload_t*) mf;
 	ptsge = (FWDownloadTCSGE_t *) &dlmsg->SGL;
@@ -1238,13 +1221,11 @@ kfree_sgl(MptSge_t *sgl, dma_addr_t sgl_
  *		-ENODEV  if no such device/adapter
  */
 static int
-mptctl_getiocinfo (unsigned long arg, unsigned int data_size)
+mptctl_getiocinfo (MPT_ADAPTER *ioc, unsigned long arg, unsigned int data_size)
 {
 	struct mpt_ioctl_iocinfo __user *uarg = (void __user *) arg;
 	struct mpt_ioctl_iocinfo *karg;
-	MPT_ADAPTER		*ioc;
 	struct pci_dev		*pdev;
-	int			iocnum;
 	unsigned int		port;
 	int			cim_rev;
 	struct scsi_device 	*sdev;
@@ -1272,14 +1253,6 @@ mptctl_getiocinfo (unsigned long arg, un
 		return PTR_ERR(karg);
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg->hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_getiocinfo() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		kfree(karg);
-		return -ENODEV;
-	}
-
 	/* Verify the data transfer size is correct. */
 	if (karg->hdr.maxDataSize != data_size) {
 		printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_getiocinfo - "
@@ -1385,15 +1358,13 @@ mptctl_getiocinfo (unsigned long arg, un
  *		-ENODEV  if no such device/adapter
  */
 static int
-mptctl_gettargetinfo (unsigned long arg)
+mptctl_gettargetinfo (MPT_ADAPTER *ioc, unsigned long arg)
 {
 	struct mpt_ioctl_targetinfo __user *uarg = (void __user *) arg;
 	struct mpt_ioctl_targetinfo karg;
-	MPT_ADAPTER		*ioc;
 	VirtDevice		*vdevice;
 	char			*pmem;
 	int			*pdata;
-	int			iocnum;
 	int			numDevices = 0;
 	int			lun;
 	int			maxWordsLeft;
@@ -1408,13 +1379,6 @@ mptctl_gettargetinfo (unsigned long arg)
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_gettargetinfo() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
-
 	dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_gettargetinfo called.\n",
 	    ioc->name));
 	/* Get the port number and set the maximum number of bytes
@@ -1510,12 +1474,10 @@ mptctl_gettargetinfo (unsigned long arg)
  *		-ENODEV  if no such device/adapter
  */
 static int
-mptctl_readtest (unsigned long arg)
+mptctl_readtest (MPT_ADAPTER *ioc, unsigned long arg)
 {
 	struct mpt_ioctl_test __user *uarg = (void __user *) arg;
 	struct mpt_ioctl_test	 karg;
-	MPT_ADAPTER *ioc;
-	int iocnum;
 
 	if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_test))) {
 		printk(KERN_ERR MYNAM "%s@%d::mptctl_readtest - "
@@ -1524,13 +1486,6 @@ mptctl_readtest (unsigned long arg)
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_readtest() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
-
 	dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_readtest called.\n",
 	    ioc->name));
 	/* Fill in the data and return the structure to the calling
@@ -1571,12 +1526,10 @@ mptctl_readtest (unsigned long arg)
  *		-ENODEV  if no such device/adapter
  */
 static int
-mptctl_eventquery (unsigned long arg)
+mptctl_eventquery (MPT_ADAPTER *ioc, unsigned long arg)
 {
 	struct mpt_ioctl_eventquery __user *uarg = (void __user *) arg;
 	struct mpt_ioctl_eventquery	 karg;
-	MPT_ADAPTER *ioc;
-	int iocnum;
 
 	if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventquery))) {
 		printk(KERN_ERR MYNAM "%s@%d::mptctl_eventquery - "
@@ -1585,13 +1538,6 @@ mptctl_eventquery (unsigned long arg)
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_eventquery() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
-
 	dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventquery called.\n",
 	    ioc->name));
 	karg.eventEntries = MPTCTL_EVENT_LOG_SIZE;
@@ -1610,12 +1556,10 @@ mptctl_eventquery (unsigned long arg)
 
 /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
 static int
-mptctl_eventenable (unsigned long arg)
+mptctl_eventenable (MPT_ADAPTER *ioc, unsigned long arg)
 {
 	struct mpt_ioctl_eventenable __user *uarg = (void __user *) arg;
 	struct mpt_ioctl_eventenable	 karg;
-	MPT_ADAPTER *ioc;
-	int iocnum;
 
 	if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventenable))) {
 		printk(KERN_ERR MYNAM "%s@%d::mptctl_eventenable - "
@@ -1624,13 +1568,6 @@ mptctl_eventenable (unsigned long arg)
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_eventenable() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
-
 	dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventenable called.\n",
 	    ioc->name));
 	if (ioc->events == NULL) {
@@ -1658,12 +1595,10 @@ mptctl_eventenable (unsigned long arg)
 
 /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
 static int
-mptctl_eventreport (unsigned long arg)
+mptctl_eventreport (MPT_ADAPTER *ioc, unsigned long arg)
 {
 	struct mpt_ioctl_eventreport __user *uarg = (void __user *) arg;
 	struct mpt_ioctl_eventreport	 karg;
-	MPT_ADAPTER		 *ioc;
-	int			 iocnum;
 	int			 numBytes, maxEvents, max;
 
 	if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventreport))) {
@@ -1673,12 +1608,6 @@ mptctl_eventreport (unsigned long arg)
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_eventreport() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
 	dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventreport called.\n",
 	    ioc->name));
 
@@ -1712,12 +1641,10 @@ mptctl_eventreport (unsigned long arg)
 
 /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
 static int
-mptctl_replace_fw (unsigned long arg)
+mptctl_replace_fw (MPT_ADAPTER *ioc, unsigned long arg)
 {
 	struct mpt_ioctl_replace_fw __user *uarg = (void __user *) arg;
 	struct mpt_ioctl_replace_fw	 karg;
-	MPT_ADAPTER		 *ioc;
-	int			 iocnum;
 	int			 newFwSize;
 
 	if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
@@ -1727,13 +1654,6 @@ mptctl_replace_fw (unsigned long arg)
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_replace_fw() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
-
 	dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_replace_fw called.\n",
 	    ioc->name));
 	/* If caching FW, Free the old FW image
@@ -1780,12 +1700,10 @@ mptctl_replace_fw (unsigned long arg)
  *		-ENOMEM if memory allocation error
  */
 static int
-mptctl_mpt_command (unsigned long arg)
+mptctl_mpt_command (MPT_ADAPTER *ioc, unsigned long arg)
 {
 	struct mpt_ioctl_command __user *uarg = (void __user *) arg;
 	struct mpt_ioctl_command  karg;
-	MPT_ADAPTER	*ioc;
-	int		iocnum;
 	int		rc;
 
 
@@ -1796,14 +1714,7 @@ mptctl_mpt_command (unsigned long arg)
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_mpt_command() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
-
-	rc = mptctl_do_mpt_command (karg, &uarg->MF);
+	rc = mptctl_do_mpt_command (ioc, karg, &uarg->MF);
 
 	return rc;
 }
@@ -1821,9 +1732,8 @@ mptctl_mpt_command (unsigned long arg)
  *		-EPERM if SCSI I/O and target is untagged
  */
 static int
-mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
+mptctl_do_mpt_command (MPT_ADAPTER *ioc, struct mpt_ioctl_command karg, void __user *mfPtr)
 {
-	MPT_ADAPTER	*ioc;
 	MPT_FRAME_HDR	*mf = NULL;
 	MPIHeader_t	*hdr;
 	char		*psge;
@@ -1832,7 +1742,7 @@ mptctl_do_mpt_command (struct mpt_ioctl_
 	dma_addr_t	dma_addr_in;
 	dma_addr_t	dma_addr_out;
 	int		sgSize = 0;	/* Num SG elements */
-	int		iocnum, flagsLength;
+	int		flagsLength;
 	int		sz, rc = 0;
 	int		msgContext;
 	u16		req_idx;
@@ -1847,13 +1757,6 @@ mptctl_do_mpt_command (struct mpt_ioctl_
 	bufIn.kptr = bufOut.kptr = NULL;
 	bufIn.len = bufOut.len = 0;
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_do_mpt_command() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
-
 	spin_lock_irqsave(&ioc->taskmgmt_lock, flags);
 	if (ioc->ioc_reset_in_progress) {
 		spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
@@ -2418,17 +2321,15 @@ done_free_mem:
  *		-ENOMEM if memory allocation error
  */
 static int
-mptctl_hp_hostinfo(unsigned long arg, unsigned int data_size)
+mptctl_hp_hostinfo(MPT_ADAPTER *ioc, unsigned long arg, unsigned int data_size)
 {
 	hp_host_info_t	__user *uarg = (void __user *) arg;
-	MPT_ADAPTER		*ioc;
 	struct pci_dev		*pdev;
 	char                    *pbuf=NULL;
 	dma_addr_t		buf_dma;
 	hp_host_info_t		karg;
 	CONFIGPARMS		cfg;
 	ConfigPageHeader_t	hdr;
-	int			iocnum;
 	int			rc, cim_rev;
 	ToolboxIstwiReadWriteRequest_t	*IstwiRWRequest;
 	MPT_FRAME_HDR		*mf = NULL;
@@ -2452,12 +2353,6 @@ mptctl_hp_hostinfo(unsigned long arg, un
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-	    (ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_hp_hostinfo() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
 	dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT ": mptctl_hp_hostinfo called.\n",
 	    ioc->name));
 
@@ -2659,15 +2554,13 @@ retry_wait:
  *		-ENOMEM if memory allocation error
  */
 static int
-mptctl_hp_targetinfo(unsigned long arg)
+mptctl_hp_targetinfo(MPT_ADAPTER *ioc, unsigned long arg)
 {
 	hp_target_info_t __user *uarg = (void __user *) arg;
 	SCSIDevicePage0_t	*pg0_alloc;
 	SCSIDevicePage3_t	*pg3_alloc;
-	MPT_ADAPTER		*ioc;
 	MPT_SCSI_HOST 		*hd = NULL;
 	hp_target_info_t	karg;
-	int			iocnum;
 	int			data_sz;
 	dma_addr_t		page_dma;
 	CONFIGPARMS	 	cfg;
@@ -2681,12 +2574,6 @@ mptctl_hp_targetinfo(unsigned long arg)
 		return -EFAULT;
 	}
 
-	if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
-		(ioc == NULL)) {
-		printk(KERN_DEBUG MYNAM "%s::mptctl_hp_targetinfo() @%d - ioc%d not found!\n",
-				__FILE__, __LINE__, iocnum);
-		return -ENODEV;
-	}
 	if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
 		return -EINVAL;
 	dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n",
@@ -2854,7 +2741,7 @@ compat_mptfwxfer_ioctl(struct file *filp
 	kfw.fwlen = kfw32.fwlen;
 	kfw.bufp = compat_ptr(kfw32.bufp);
 
-	ret = mptctl_do_fw_download(kfw.iocnum, kfw.bufp, kfw.fwlen);
+	ret = mptctl_do_fw_download(iocp, kfw.bufp, kfw.fwlen);
 
 	mutex_unlock(&iocp->ioctl_cmds.mutex);
 
@@ -2908,7 +2795,7 @@ compat_mpt_command(struct file *filp, un
 
 	/* Pass new structure to do_mpt_command
 	 */
-	ret = mptctl_do_mpt_command (karg, &uarg->MF);
+	ret = mptctl_do_mpt_command (iocp, karg, &uarg->MF);
 
 	mutex_unlock(&iocp->ioctl_cmds.mutex);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 057/222] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 056/222] scsi: mptfusion: Fix double fetch bug in ioctl Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 058/222] mtd: rawnand: gpmi: Fix suspend/resume problem Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Eric Paris, Kees Cook,
	Serge Hallyn, Jann Horn, Christian Brauner

From: Christian Brauner <christian.brauner@ubuntu.com>

commit 6b3ad6649a4c75504edeba242d3fd36b3096a57f upstream.

Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
introduced the ability to opt out of audit messages for accesses to various
proc files since they are not violations of policy.  While doing so it
somehow switched the check from ns_capable() to
has_ns_capability{_noaudit}(). That means it switched from checking the
subjective credentials of the task to using the objective credentials. This
is wrong since. ptrace_has_cap() is currently only used in
ptrace_may_access() And is used to check whether the calling task (subject)
has the CAP_SYS_PTRACE capability in the provided user namespace to operate
on the target task (object). According to the cred.h comments this would
mean the subjective credentials of the calling task need to be used.
This switches ptrace_has_cap() to use security_capable(). Because we only
call ptrace_has_cap() in ptrace_may_access() and in there we already have a
stable reference to the calling task's creds under rcu_read_lock() there's
no need to go through another series of dereferences and rcu locking done
in ns_capable{_noaudit}().

As one example where this might be particularly problematic, Jann pointed
out that in combination with the upcoming IORING_OP_OPENAT feature, this
bug might allow unprivileged users to bypass the capability checks while
asynchronously opening files like /proc/*/mem, because the capability
checks for this would be performed against kernel credentials.

To illustrate on the former point about this being exploitable: When
io_uring creates a new context it records the subjective credentials of the
caller. Later on, when it starts to do work it creates a kernel thread and
registers a callback. The callback runs with kernel creds for
ktask->real_cred and ktask->cred. To prevent this from becoming a
full-blown 0-day io_uring will call override_cred() and override
ktask->cred with the subjective credentials of the creator of the io_uring
instance. With ptrace_has_cap() currently looking at ktask->real_cred this
override will be ineffective and the caller will be able to open arbitray
proc files as mentioned above.
Luckily, this is currently not exploitable but will turn into a 0-day once
IORING_OP_OPENAT{2} land in v5.6. Fix it now!

Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Jann Horn <jannh@google.com>
Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/ptrace.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -264,12 +264,17 @@ static int ptrace_check_attach(struct ta
 	return ret;
 }
 
-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
+static bool ptrace_has_cap(const struct cred *cred, struct user_namespace *ns,
+			   unsigned int mode)
 {
+	int ret;
+
 	if (mode & PTRACE_MODE_NOAUDIT)
-		return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
+		ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NOAUDIT);
 	else
-		return has_ns_capability(current, ns, CAP_SYS_PTRACE);
+		ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NONE);
+
+	return ret == 0;
 }
 
 /* Returns 0 on success, -errno on denial. */
@@ -321,7 +326,7 @@ static int __ptrace_may_access(struct ta
 	    gid_eq(caller_gid, tcred->sgid) &&
 	    gid_eq(caller_gid, tcred->gid))
 		goto ok;
-	if (ptrace_has_cap(tcred->user_ns, mode))
+	if (ptrace_has_cap(cred, tcred->user_ns, mode))
 		goto ok;
 	rcu_read_unlock();
 	return -EPERM;
@@ -340,7 +345,7 @@ ok:
 	mm = task->mm;
 	if (mm &&
 	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
-	     !ptrace_has_cap(mm->user_ns, mode)))
+	     !ptrace_has_cap(cred, mm->user_ns, mode)))
 	    return -EPERM;
 
 	return security_ptrace_access_check(task, mode);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 058/222] mtd: rawnand: gpmi: Fix suspend/resume problem
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 057/222] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 059/222] mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Esben Haabendal, Han Xu, Miquel Raynal

From: Esben Haabendal <esben@geanix.com>

commit 5bc6bb603b4d0c8802af75e4932232683ab2d761 upstream.

On system resume, the gpmi clock must be enabled before accessing gpmi
block.  Without this, resume causes something like

[  661.348790] gpmi_reset_block(5cbb0f7e): module reset timeout
[  661.348889] gpmi-nand 1806000.gpmi-nand: Error setting GPMI : -110
[  661.348928] PM: dpm_run_callback(): platform_pm_resume+0x0/0x44 returns -110
[  661.348961] PM: Device 1806000.gpmi-nand failed to resume: error -110

Fixes: ef347c0cfd61 ("mtd: rawnand: gpmi: Implement exec_op")
Cc: stable@vger.kernel.org
Signed-off-by: Esben Haabendal <esben@geanix.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
@@ -148,6 +148,10 @@ static int gpmi_init(struct gpmi_nand_da
 	struct resources *r = &this->resources;
 	int ret;
 
+	ret = pm_runtime_get_sync(this->dev);
+	if (ret < 0)
+		return ret;
+
 	ret = gpmi_reset_block(r->gpmi_regs, false);
 	if (ret)
 		goto err_out;
@@ -179,8 +183,9 @@ static int gpmi_init(struct gpmi_nand_da
 	 */
 	writel(BM_GPMI_CTRL1_DECOUPLE_CS, r->gpmi_regs + HW_GPMI_CTRL1_SET);
 
-	return 0;
 err_out:
+	pm_runtime_mark_last_busy(this->dev);
+	pm_runtime_put_autosuspend(this->dev);
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 059/222] mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 058/222] mtd: rawnand: gpmi: Fix suspend/resume problem Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 060/222] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Esben Haabendal, Han Xu, Miquel Raynal

From: Esben Haabendal <esben@geanix.com>

commit d70486668cdf51b14a50425ab45fc18677a167b2 upstream.

As we reset the GPMI block at resume, the timing parameters setup by a
previous exec_op is lost.  Rewriting GPMI timing registers on first exec_op
after resume fixes the problem.

Fixes: ef347c0cfd61 ("mtd: rawnand: gpmi: Implement exec_op")
Cc: stable@vger.kernel.org
Signed-off-by: Esben Haabendal <esben@geanix.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
@@ -2727,6 +2727,10 @@ static int gpmi_pm_resume(struct device
 		return ret;
 	}
 
+	/* Set flag to get timing setup restored for next exec_op */
+	if (this->hw.clk_rate)
+		this->hw.must_apply_timings = true;
+
 	/* re-init the BCH registers */
 	ret = bch_set_geometry(this);
 	if (ret) {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 060/222] usb: core: hub: Improved device recognition on remote wakeup
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 059/222] mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 061/222] cpu/SMT: Fix x86 link error without CONFIG_SYSFS Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Keiya Nobuta, Alan Stern

From: Keiya Nobuta <nobuta.keiya@fujitsu.com>

commit 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 upstream.

If hub_activate() is called before D+ has stabilized after remote
wakeup, the following situation might occur:

         __      ___________________
        /  \    /
D+   __/    \__/

Hub  _______________________________
          |  ^   ^           ^
          |  |   |           |
Host _____v__|___|___________|______
          |  |   |           |
          |  |   |           \-- Interrupt Transfer (*3)
          |  |    \-- ClearPortFeature (*2)
          |   \-- GetPortStatus (*1)
          \-- Host detects remote wakeup

- D+ goes high, Host starts running by remote wakeup
- D+ is not stable, goes low
- Host requests GetPortStatus at (*1) and gets the following hub status:
  - Current Connect Status bit is 0
  - Connect Status Change bit is 1
- D+ stabilizes, goes high
- Host requests ClearPortFeature and thus Connect Status Change bit is
  cleared at (*2)
- After waiting 100 ms, Host starts the Interrupt Transfer at (*3)
- Since the Connect Status Change bit is 0, Hub returns NAK.

In this case, port_event() is not called in hub_event() and Host cannot
recognize device. To solve this issue, flag change_bits even if only
Connect Status Change bit is 1 when got in the first GetPortStatus.

This issue occurs rarely because it only if D+ changes during a very
short time between GetPortStatus and ClearPortFeature. However, it is
fatal if it occurs in embedded system.

Signed-off-by: Keiya Nobuta <nobuta.keiya@fujitsu.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20200109051448.28150-1-nobuta.keiya@fujitsu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hub.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1191,6 +1191,7 @@ static void hub_activate(struct usb_hub
 			 * PORT_OVER_CURRENT is not. So check for any of them.
 			 */
 			if (udev || (portstatus & USB_PORT_STAT_CONNECTION) ||
+			    (portchange & USB_PORT_STAT_C_CONNECTION) ||
 			    (portstatus & USB_PORT_STAT_OVERCURRENT) ||
 			    (portchange & USB_PORT_STAT_C_OVERCURRENT))
 				set_bit(port1, hub->change_bits);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 061/222] cpu/SMT: Fix x86 link error without CONFIG_SYSFS
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 060/222] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 062/222] x86/resctrl: Fix an imbalance in domain_remove_cpu() Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Thomas Gleixner, Jiri Kosina

From: Arnd Bergmann <arnd@arndb.de>

commit dc8d37ed304eeeea47e65fb9edc1c6c8b0093386 upstream.

When CONFIG_SYSFS is disabled, but CONFIG_HOTPLUG_SMT is enabled,
the kernel fails to link:

arch/x86/power/cpu.o: In function `hibernate_resume_nonboot_cpu_disable':
(.text+0x38d): undefined reference to `cpuhp_smt_enable'
arch/x86/power/hibernate.o: In function `arch_resume_nosmt':
hibernate.c:(.text+0x291): undefined reference to `cpuhp_smt_enable'
hibernate.c:(.text+0x29c): undefined reference to `cpuhp_smt_disable'

Move the exported functions out of the #ifdef section into its
own with the correct conditions.

The patch that caused this is marked for stable backports, so
this one may need to be backported as well.

Fixes: ec527c318036 ("x86/power: Fix 'nosmt' vs hibernation triple fault during resume")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Jiri Kosina <jkosina@suse.cz>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191210195614.786555-1-arnd@arndb.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cpu.c |  143 +++++++++++++++++++++++++++++------------------------------
 1 file changed, 72 insertions(+), 71 deletions(-)

--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -1909,6 +1909,78 @@ void __cpuhp_remove_state(enum cpuhp_sta
 }
 EXPORT_SYMBOL(__cpuhp_remove_state);
 
+#ifdef CONFIG_HOTPLUG_SMT
+static void cpuhp_offline_cpu_device(unsigned int cpu)
+{
+	struct device *dev = get_cpu_device(cpu);
+
+	dev->offline = true;
+	/* Tell user space about the state change */
+	kobject_uevent(&dev->kobj, KOBJ_OFFLINE);
+}
+
+static void cpuhp_online_cpu_device(unsigned int cpu)
+{
+	struct device *dev = get_cpu_device(cpu);
+
+	dev->offline = false;
+	/* Tell user space about the state change */
+	kobject_uevent(&dev->kobj, KOBJ_ONLINE);
+}
+
+int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval)
+{
+	int cpu, ret = 0;
+
+	cpu_maps_update_begin();
+	for_each_online_cpu(cpu) {
+		if (topology_is_primary_thread(cpu))
+			continue;
+		ret = cpu_down_maps_locked(cpu, CPUHP_OFFLINE);
+		if (ret)
+			break;
+		/*
+		 * As this needs to hold the cpu maps lock it's impossible
+		 * to call device_offline() because that ends up calling
+		 * cpu_down() which takes cpu maps lock. cpu maps lock
+		 * needs to be held as this might race against in kernel
+		 * abusers of the hotplug machinery (thermal management).
+		 *
+		 * So nothing would update device:offline state. That would
+		 * leave the sysfs entry stale and prevent onlining after
+		 * smt control has been changed to 'off' again. This is
+		 * called under the sysfs hotplug lock, so it is properly
+		 * serialized against the regular offline usage.
+		 */
+		cpuhp_offline_cpu_device(cpu);
+	}
+	if (!ret)
+		cpu_smt_control = ctrlval;
+	cpu_maps_update_done();
+	return ret;
+}
+
+int cpuhp_smt_enable(void)
+{
+	int cpu, ret = 0;
+
+	cpu_maps_update_begin();
+	cpu_smt_control = CPU_SMT_ENABLED;
+	for_each_present_cpu(cpu) {
+		/* Skip online CPUs and CPUs on offline nodes */
+		if (cpu_online(cpu) || !node_online(cpu_to_node(cpu)))
+			continue;
+		ret = _cpu_up(cpu, 0, CPUHP_ONLINE);
+		if (ret)
+			break;
+		/* See comment in cpuhp_smt_disable() */
+		cpuhp_online_cpu_device(cpu);
+	}
+	cpu_maps_update_done();
+	return ret;
+}
+#endif
+
 #if defined(CONFIG_SYSFS) && defined(CONFIG_HOTPLUG_CPU)
 static ssize_t show_cpuhp_state(struct device *dev,
 				struct device_attribute *attr, char *buf)
@@ -2063,77 +2135,6 @@ static const struct attribute_group cpuh
 
 #ifdef CONFIG_HOTPLUG_SMT
 
-static void cpuhp_offline_cpu_device(unsigned int cpu)
-{
-	struct device *dev = get_cpu_device(cpu);
-
-	dev->offline = true;
-	/* Tell user space about the state change */
-	kobject_uevent(&dev->kobj, KOBJ_OFFLINE);
-}
-
-static void cpuhp_online_cpu_device(unsigned int cpu)
-{
-	struct device *dev = get_cpu_device(cpu);
-
-	dev->offline = false;
-	/* Tell user space about the state change */
-	kobject_uevent(&dev->kobj, KOBJ_ONLINE);
-}
-
-int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval)
-{
-	int cpu, ret = 0;
-
-	cpu_maps_update_begin();
-	for_each_online_cpu(cpu) {
-		if (topology_is_primary_thread(cpu))
-			continue;
-		ret = cpu_down_maps_locked(cpu, CPUHP_OFFLINE);
-		if (ret)
-			break;
-		/*
-		 * As this needs to hold the cpu maps lock it's impossible
-		 * to call device_offline() because that ends up calling
-		 * cpu_down() which takes cpu maps lock. cpu maps lock
-		 * needs to be held as this might race against in kernel
-		 * abusers of the hotplug machinery (thermal management).
-		 *
-		 * So nothing would update device:offline state. That would
-		 * leave the sysfs entry stale and prevent onlining after
-		 * smt control has been changed to 'off' again. This is
-		 * called under the sysfs hotplug lock, so it is properly
-		 * serialized against the regular offline usage.
-		 */
-		cpuhp_offline_cpu_device(cpu);
-	}
-	if (!ret)
-		cpu_smt_control = ctrlval;
-	cpu_maps_update_done();
-	return ret;
-}
-
-int cpuhp_smt_enable(void)
-{
-	int cpu, ret = 0;
-
-	cpu_maps_update_begin();
-	cpu_smt_control = CPU_SMT_ENABLED;
-	for_each_present_cpu(cpu) {
-		/* Skip online CPUs and CPUs on offline nodes */
-		if (cpu_online(cpu) || !node_online(cpu_to_node(cpu)))
-			continue;
-		ret = _cpu_up(cpu, 0, CPUHP_ONLINE);
-		if (ret)
-			break;
-		/* See comment in cpuhp_smt_disable() */
-		cpuhp_online_cpu_device(cpu);
-	}
-	cpu_maps_update_done();
-	return ret;
-}
-
-
 static ssize_t
 __store_smt_control(struct device *dev, struct device_attribute *attr,
 		    const char *buf, size_t count)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 062/222] x86/resctrl: Fix an imbalance in domain_remove_cpu()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 061/222] cpu/SMT: Fix x86 link error without CONFIG_SYSFS Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 063/222] x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qian Cai, Borislav Petkov,
	Reinette Chatre, Fenghua Yu, H. Peter Anvin, Ingo Molnar,
	john.stultz, sboyd, Thomas Gleixner, tj, Tony Luck,
	Vikas Shivappa, x86-ml

From: Qian Cai <cai@lca.pw>

commit e278af89f1ba0a9ef20947db6afc2c9afa37e85b upstream.

A system that supports resource monitoring may have multiple resources
while not all of these resources are capable of monitoring. Monitoring
related state is initialized only for resources that are capable of
monitoring and correspondingly this state should subsequently only be
removed from these resources that are capable of monitoring.

domain_add_cpu() calls domain_setup_mon_state() only when r->mon_capable
is true where it will initialize d->mbm_over. However,
domain_remove_cpu() calls cancel_delayed_work(&d->mbm_over) without
checking r->mon_capable resulting in an attempt to cancel d->mbm_over on
all resources, even those that never initialized d->mbm_over because
they are not capable of monitoring. Hence, it triggers a debugobjects
warning when offlining CPUs because those timer debugobjects are never
initialized:

  ODEBUG: assert_init not available (active state 0) object type:
  timer_list hint: 0x0
  WARNING: CPU: 143 PID: 789 at lib/debugobjects.c:484
  debug_print_object
  Hardware name: HP Synergy 680 Gen9/Synergy 680 Gen9 Compute Module, BIOS I40 05/23/2018
  RIP: 0010:debug_print_object
  Call Trace:
  debug_object_assert_init
  del_timer
  try_to_grab_pending
  cancel_delayed_work
  resctrl_offline_cpu
  cpuhp_invoke_callback
  cpuhp_thread_fun
  smpboot_thread_fn
  kthread
  ret_from_fork

Fixes: e33026831bdb ("x86/intel_rdt/mbm: Handle counter overflow")
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Reinette Chatre <reinette.chatre@intel.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: john.stultz@linaro.org
Cc: sboyd@kernel.org
Cc: <stable@vger.kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: tj@kernel.org
Cc: Tony Luck <tony.luck@intel.com>
Cc: Vikas Shivappa <vikas.shivappa@linux.intel.com>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20191211033042.2188-1-cai@lca.pw
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/resctrl/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/resctrl/core.c
+++ b/arch/x86/kernel/cpu/resctrl/core.c
@@ -618,7 +618,7 @@ static void domain_remove_cpu(int cpu, s
 		if (static_branch_unlikely(&rdt_mon_enable_key))
 			rmdir_mondata_subdir_allrdtgrp(r, d->id);
 		list_del(&d->list);
-		if (is_mbm_enabled())
+		if (r->mon_capable && is_mbm_enabled())
 			cancel_delayed_work(&d->mbm_over);
 		if (is_llc_occupancy_enabled() &&  has_busy_rmid(r, d)) {
 			/*



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 063/222] x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 062/222] x86/resctrl: Fix an imbalance in domain_remove_cpu() Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 064/222] locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Borislav Petkov

From: Tom Lendacky <thomas.lendacky@amd.com>

commit a006483b2f97af685f0e60f3a547c9ad4c9b9e94 upstream.

If the SME and SEV features are present via CPUID, but memory encryption
support is not enabled (MSR 0xC001_0010[23]), the feature flags are cleared
using clear_cpu_cap(). However, if get_cpu_cap() is later called, these
feature flags will be reset back to present, which is not desired.

Change from using clear_cpu_cap() to setup_clear_cpu_cap() so that the
clearing of the flags is maintained.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: <stable@vger.kernel.org> # 4.16.x-
Link: https://lkml.kernel.org/r/226de90a703c3c0be5a49565047905ac4e94e8f3.1579125915.git.thomas.lendacky@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/amd.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -615,9 +615,9 @@ static void early_detect_mem_encrypt(str
 		return;
 
 clear_all:
-		clear_cpu_cap(c, X86_FEATURE_SME);
+		setup_clear_cpu_cap(X86_FEATURE_SME);
 clear_sev:
-		clear_cpu_cap(c, X86_FEATURE_SEV);
+		setup_clear_cpu_cap(X86_FEATURE_SEV);
 	}
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 064/222] locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 063/222] x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 065/222] perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Waiman Long,
	Peter Zijlstra (Intel)

From: Waiman Long <longman@redhat.com>

commit 39e7234f00bc93613c086ae42d852d5f4147120a upstream.

The commit 91d2a812dfb9 ("locking/rwsem: Make handoff writer
optimistically spin on owner") will allow a recently woken up waiting
writer to spin on the owner. Unfortunately, if the owner happens to be
RWSEM_OWNER_UNKNOWN, the code will incorrectly spin on it leading to a
kernel crash. This is fixed by passing the proper non-spinnable bits
to rwsem_spin_on_owner() so that RWSEM_OWNER_UNKNOWN will be treated
as a non-spinnable target.

Fixes: 91d2a812dfb9 ("locking/rwsem: Make handoff writer optimistically spin on owner")

Reported-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20200115154336.8679-1-longman@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/locking/rwsem.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -1226,8 +1226,8 @@ wait:
 		 * In this case, we attempt to acquire the lock again
 		 * without sleeping.
 		 */
-		if ((wstate == WRITER_HANDOFF) &&
-		    (rwsem_spin_on_owner(sem, 0) == OWNER_NULL))
+		if (wstate == WRITER_HANDOFF &&
+		    rwsem_spin_on_owner(sem, RWSEM_NONSPINNABLE) == OWNER_NULL)
 			goto trylock_again;
 
 		/* Block until there are no active lockers. */



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 065/222] perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 064/222] locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 066/222] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Like Xu, Kan Liang,
	Peter Zijlstra (Intel),
	Ingo Molnar

From: Kan Liang <kan.liang@linux.intel.com>

commit fa694ae532836bd2f4cd659e9b4032abaf9fa9e5 upstream.

An Oops during the boot is found on some SNR machines.  It turns out
this is because the snr_uncore_imc_freerunning_events[] array was
missing an end-marker.

Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
Reported-by: Like Xu <like.xu@linux.intel.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Like Xu <like.xu@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20200116200210.18937-1-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/uncore_snbep.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -4536,6 +4536,7 @@ static struct uncore_event_desc snr_unco
 	INTEL_UNCORE_EVENT_DESC(write,		"event=0xff,umask=0x21"),
 	INTEL_UNCORE_EVENT_DESC(write.scale,	"3.814697266e-6"),
 	INTEL_UNCORE_EVENT_DESC(write.unit,	"MiB"),
+	{ /* end: all zeroes */ },
 };
 
 static struct intel_uncore_ops snr_uncore_imc_freerunning_ops = {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 066/222] x86/efistub: Disable paging at mixed mode entry
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 065/222] perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 067/222] s390/zcrypt: Fix CCA cipher key gen with clear key value function Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Arvind Sankar,
	Hans de Goede, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
	linux-efi, Ingo Molnar

From: Ard Biesheuvel <ardb@kernel.org>

commit 4911ee401b7ceff8f38e0ac597cbf503d71e690c upstream.

The EFI mixed mode entry code goes through the ordinary startup_32()
routine before jumping into the kernel's EFI boot code in 64-bit
mode. The 32-bit startup code must be entered with paging disabled,
but this is not documented as a requirement for the EFI handover
protocol, and so we should disable paging explicitly when entering
the kernel from 32-bit EFI firmware.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: <stable@vger.kernel.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191224132909.102540-4-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/boot/compressed/head_64.S |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/x86/boot/compressed/head_64.S
+++ b/arch/x86/boot/compressed/head_64.S
@@ -244,6 +244,11 @@ ENTRY(efi32_stub_entry)
 	leal	efi32_config(%ebp), %eax
 	movl	%eax, efi_config(%ebp)
 
+	/* Disable paging */
+	movl	%cr0, %eax
+	btrl	$X86_CR0_PG_BIT, %eax
+	movl	%eax, %cr0
+
 	jmp	startup_32
 ENDPROC(efi32_stub_entry)
 #endif



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 067/222] s390/zcrypt: Fix CCA cipher key gen with clear key value function
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 066/222] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 068/222] scsi: storvsc: Correctly set number of hardware queues for IDE disk Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harald Freudenberger, Vasily Gorbik

From: Harald Freudenberger <freude@linux.ibm.com>

commit 94dd3bada53ee77b80d0aeee5571eeb83654d156 upstream.

Regression tests showed that the CCA cipher key function which
generates an CCA cipher key with given clear key value does not work
correctly. At parsing the reply CPRB two limits are wrong calculated
resulting in rejecting the reply as invalid with s390dbf message
"_ip_cprb_helper reply with invalid or unknown key block".

Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support")
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/crypto/zcrypt_ccamisc.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/s390/crypto/zcrypt_ccamisc.c
+++ b/drivers/s390/crypto/zcrypt_ccamisc.c
@@ -1037,8 +1037,8 @@ static int _ip_cprb_helper(u16 cardnr, u
 	prepparm = (struct iprepparm *) prepcblk->rpl_parmb;
 
 	/* do some plausibility checks on the key block */
-	if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
-	    prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
+	if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
+	    prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
 		DEBUG_ERR("%s reply with invalid or unknown key block\n",
 			  __func__);
 		rc = -EIO;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 068/222] scsi: storvsc: Correctly set number of hardware queues for IDE disk
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 067/222] s390/zcrypt: Fix CCA cipher key gen with clear key value function Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 069/222] mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ming Lei, Long Li, Martin K. Petersen

From: Long Li <longli@microsoft.com>

commit 7b571c19d4c0b78d27dd3bf1f3c42e4032390af6 upstream.

Commit 0ed881027690 ("scsi: storvsc: setup 1:1 mapping between hardware
queue and CPU queue") introduced a regression for disks attached to
IDE. For these disks the host VSP only offers one VMBUS channel. Setting
multiple queues can overload the VMBUS channel and result in performance
drop for high queue depth workload on system with large number of CPUs.

Fix it by leaving the number of hardware queues to 1 (default value) for
IDE disks.

Fixes: 0ed881027690 ("scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue")
Link: https://lore.kernel.org/r/1578960516-108228-1-git-send-email-longli@linuxonhyperv.com
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Long Li <longli@microsoft.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/storvsc_drv.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1835,9 +1835,11 @@ static int storvsc_probe(struct hv_devic
 	 */
 	host->sg_tablesize = (stor_device->max_transfer_bytes >> PAGE_SHIFT);
 	/*
+	 * For non-IDE disks, the host supports multiple channels.
 	 * Set the number of HW queues we are supporting.
 	 */
-	host->nr_hw_queues = num_present_cpus();
+	if (!dev_is_ide)
+		host->nr_hw_queues = num_present_cpus();
 
 	/*
 	 * Set the error handler work queue.



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 069/222] mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 068/222] scsi: storvsc: Correctly set number of hardware queues for IDE disk Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 070/222] drm/i915: Add missing include file <linux/math64.h> Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vignesh Raghavendra, Tudor Ambarus,
	Miquel Raynal

From: Vignesh Raghavendra <vigneshr@ti.com>

commit 440b6d50254bdbd84c2a665c7f53ec69dd741a4f upstream.

mtd->size is still unassigned when running spansion_post_sfdp_fixups()
hook, therefore use nor->params.size to determine the size of flash device.

This makes sure that 4-byte addressing opcodes are used on Spansion
flashes that are larger than 16MiB and don't have SFDP 4BAIT table
populated.

Fixes: 92094ebc385e ("mtd: spi-nor: Add spansion_post_sfdp_fixups()")
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/spi-nor/spi-nor.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -4544,9 +4544,7 @@ static void spi_nor_info_init_params(str
 
 static void spansion_post_sfdp_fixups(struct spi_nor *nor)
 {
-	struct mtd_info *mtd = &nor->mtd;
-
-	if (mtd->size <= SZ_16M)
+	if (nor->params.size <= SZ_16M)
 		return;
 
 	nor->flags |= SNOR_F_4B_OPCODES;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 070/222] drm/i915: Add missing include file <linux/math64.h>
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 069/222] mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 071/222] x86/resctrl: Fix potential memory leak Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing, Chris Wilson,
	Joonas Lahtinen

From: YueHaibing <yuehaibing@huawei.com>

commit ea38aa2ea5b0969776f0a47f174ce928a22be803 upstream.

Fix build error:
./drivers/gpu/drm/i915/selftests/i915_random.h: In function i915_prandom_u32_max_state:
./drivers/gpu/drm/i915/selftests/i915_random.h:48:23: error:
 implicit declaration of function mul_u32_u32; did you mean mul_u64_u32_div? [-Werror=implicit-function-declaration]
  return upper_32_bits(mul_u32_u32(prandom_u32_state(state), ep_ro));

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 7ce5b6850b47 ("drm/i915/selftests: Use mul_u32_u32() for 32b x 32b -> 64b result")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20200107135014.36472-1-yuehaibing@huawei.com
(cherry picked from commit 62bf5465b26d1f502430b9c654be7d16bf2e242d)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/selftests/i915_random.h |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/i915/selftests/i915_random.h
+++ b/drivers/gpu/drm/i915/selftests/i915_random.h
@@ -25,6 +25,7 @@
 #ifndef __I915_SELFTESTS_RANDOM_H__
 #define __I915_SELFTESTS_RANDOM_H__
 
+#include <linux/math64.h>
 #include <linux/random.h>
 
 #include "../i915_selftest.h"



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 071/222] x86/resctrl: Fix potential memory leak
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 070/222] drm/i915: Add missing include file <linux/math64.h> Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 072/222] efi/earlycon: Fix write-combine mapping on x86 Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shakeel Butt, Borislav Petkov,
	Fenghua Yu, H. Peter Anvin, Ingo Molnar, Reinette Chatre,
	Thomas Gleixner, x86-ml

From: Shakeel Butt <shakeelb@google.com>

commit ab6a2114433a3b5b555983dcb9b752a85255f04b upstream.

set_cache_qos_cfg() is leaking memory when the given level is not
RDT_RESOURCE_L3 or RDT_RESOURCE_L2. At the moment, this function is
called with only valid levels but move the allocation after the valid
level checks in order to make it more robust and future proof.

 [ bp: Massage commit message. ]

Fixes: 99adde9b370de ("x86/intel_rdt: Enable L2 CDP in MSR IA32_L2_QOS_CFG")
Signed-off-by: Shakeel Butt <shakeelb@google.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Reinette Chatre <reinette.chatre@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20200102165844.133133-1-shakeelb@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/resctrl/rdtgroup.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
@@ -1741,9 +1741,6 @@ static int set_cache_qos_cfg(int level,
 	struct rdt_domain *d;
 	int cpu;
 
-	if (!zalloc_cpumask_var(&cpu_mask, GFP_KERNEL))
-		return -ENOMEM;
-
 	if (level == RDT_RESOURCE_L3)
 		update = l3_qos_cfg_update;
 	else if (level == RDT_RESOURCE_L2)
@@ -1751,6 +1748,9 @@ static int set_cache_qos_cfg(int level,
 	else
 		return -EINVAL;
 
+	if (!zalloc_cpumask_var(&cpu_mask, GFP_KERNEL))
+		return -ENOMEM;
+
 	r_l = &rdt_resources_all[level];
 	list_for_each_entry(d, &r_l->domains, list) {
 		/* Pick one CPU from each domain instance to update MSR */



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 072/222] efi/earlycon: Fix write-combine mapping on x86
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 071/222] x86/resctrl: Fix potential memory leak Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 073/222] s390/setup: Fix secure ipl message Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arvind Sankar, Ard Biesheuvel,
	Hans de Goede, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
	linux-efi, Ingo Molnar

From: Arvind Sankar <nivedita@alum.mit.edu>

commit d92b54570d24d017d2630e314b525ed792f5aa6c upstream.

On x86, until PAT is initialized, WC translates into UC-. Since we
calculate and store pgprot_writecombine(PAGE_KERNEL) when earlycon is
initialized, this means we actually use UC- mappings instead of WC
mappings, which makes scrolling very slow.

Instead store a boolean flag to indicate whether we want to use
writeback or write-combine mappings, and recalculate the actual pgprot_t
we need on every mapping. Once PAT is initialized, we will start using
write-combine mappings, which speeds up the scrolling considerably.

Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: 69c1f396f25b ("efi/x86: Convert x86 EFI earlyprintk into generic earlycon implementation")
Link: https://lkml.kernel.org/r/20191224132909.102540-2-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/earlycon.c |   16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/firmware/efi/earlycon.c
+++ b/drivers/firmware/efi/earlycon.c
@@ -17,7 +17,7 @@ static const struct console *earlycon_co
 static const struct font_desc *font;
 static u32 efi_x, efi_y;
 static u64 fb_base;
-static pgprot_t fb_prot;
+static bool fb_wb;
 static void *efi_fb;
 
 /*
@@ -33,10 +33,8 @@ static int __init efi_earlycon_remap_fb(
 	if (!earlycon_console || !(earlycon_console->flags & CON_ENABLED))
 		return 0;
 
-	if (pgprot_val(fb_prot) == pgprot_val(PAGE_KERNEL))
-		efi_fb = memremap(fb_base, screen_info.lfb_size, MEMREMAP_WB);
-	else
-		efi_fb = memremap(fb_base, screen_info.lfb_size, MEMREMAP_WC);
+	efi_fb = memremap(fb_base, screen_info.lfb_size,
+			  fb_wb ? MEMREMAP_WB : MEMREMAP_WC);
 
 	return efi_fb ? 0 : -ENOMEM;
 }
@@ -53,9 +51,12 @@ late_initcall(efi_earlycon_unmap_fb);
 
 static __ref void *efi_earlycon_map(unsigned long start, unsigned long len)
 {
+	pgprot_t fb_prot;
+
 	if (efi_fb)
 		return efi_fb + start;
 
+	fb_prot = fb_wb ? PAGE_KERNEL : pgprot_writecombine(PAGE_KERNEL);
 	return early_memremap_prot(fb_base + start, len, pgprot_val(fb_prot));
 }
 
@@ -215,10 +216,7 @@ static int __init efi_earlycon_setup(str
 	if (screen_info.capabilities & VIDEO_CAPABILITY_64BIT_BASE)
 		fb_base |= (u64)screen_info.ext_lfb_base << 32;
 
-	if (opt && !strcmp(opt, "ram"))
-		fb_prot = PAGE_KERNEL;
-	else
-		fb_prot = pgprot_writecombine(PAGE_KERNEL);
+	fb_wb = opt && !strcmp(opt, "ram");
 
 	si = &screen_info;
 	xres = si->lfb_width;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 073/222] s390/setup: Fix secure ipl message
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 072/222] efi/earlycon: Fix write-combine mapping on x86 Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 074/222] clk: samsung: exynos5420: Keep top G3D clocks enabled Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Philipp Rudo, Vasily Gorbik

From: Philipp Rudo <prudo@linux.ibm.com>

commit 40260b01d029ba374637838213af500e03305326 upstream.

The new machine loader on z15 always creates an IPL Report block and
thus sets the IPL_PL_FLAG_IPLSR even when secure boot is disabled. This
causes the wrong message being printed at boot. Fix this by checking for
IPL_PL_FLAG_SIPL instead.

Fixes: 9641b8cc733f ("s390/ipl: read IPL report at early boot")
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kernel/setup.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/kernel/setup.c
+++ b/arch/s390/kernel/setup.c
@@ -1059,7 +1059,7 @@ static void __init log_component_list(vo
 
 	if (!early_ipl_comp_list_addr)
 		return;
-	if (ipl_block.hdr.flags & IPL_PL_FLAG_IPLSR)
+	if (ipl_block.hdr.flags & IPL_PL_FLAG_SIPL)
 		pr_info("Linux is running with Secure-IPL enabled\n");
 	else
 		pr_info("Linux is running with Secure-IPL disabled\n");



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 074/222] clk: samsung: exynos5420: Keep top G3D clocks enabled
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 073/222] s390/setup: Fix secure ipl message Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 075/222] perf hists: Fix variable names inconsistency in hists__for_each() macro Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski,
	Krzysztof Kozlowski, Chanwoo Choi, Sylwester Nawrocki,
	Stephen Boyd

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit 67f96ff7c8f073648696eab50fd23ded23441067 upstream.

In Exynos542x/5800 SoCs, the G3D leaf clocks are located in the G3D power
domain. This is similar to the other hardware modules and their power
domains. However there is one thing specific to G3D clocks hierarchy.
Unlike other hardware modules, the G3D clocks hierarchy doesn't have any
gate clock between the TOP part of the hierarchy and the part located in
the power domain and some SoC internal busses are sourced directly from
the TOP muxes. The consequence of this design if the fact that the TOP
part of the hierarchy has to be enabled permanently to ensure proper
operation of the SoC power related components (G3D power domain and
Exynos Power Management Unit for system suspend/resume).

This patch adds an explicit call to clk_prepare_enable() on the last MUX
in the TOP part of G3D clock hierarchy to keep it enabled permanently to
ensure that the internal busses get their clock regardless of the main
G3D clock enablement status.

This fixes following imprecise abort issue observed on Odroid XU3/XU4
after enabling Panfrost driver by commit 1a5a85c56402 "ARM: dts: exynos:
Add Mali/GPU node on Exynos5420 and enable it on Odroid XU3/4"):

panfrost 11800000.gpu: clock rate = 400000000
panfrost 11800000.gpu: failed to get regulator: -517
panfrost 11800000.gpu: regulator init failed -517
Power domain G3D disable failed
...
panfrost 11800000.gpu: clock rate = 400000000
8<--- cut here ---
Unhandled fault: imprecise external abort (0x1406) at 0x00000000
pgd = (ptrval)
[00000000] *pgd=00000000
Internal error: : 1406 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 7 PID: 53 Comm: kworker/7:1 Not tainted 5.4.0-rc8-next-20191119-00032-g56f1001191a6 #6923
Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
Workqueue: events deferred_probe_work_func
PC is at panfrost_gpu_soft_reset+0x94/0x110
LR is at ___might_sleep+0x128/0x2dc
...
[<c05c231c>] (panfrost_gpu_soft_reset) from [<c05c2704>] (panfrost_gpu_init+0x10/0x67c)
[<c05c2704>] (panfrost_gpu_init) from [<c05c15d0>] (panfrost_device_init+0x158/0x2cc)
[<c05c15d0>] (panfrost_device_init) from [<c05c0cb0>] (panfrost_probe+0x80/0x178)
[<c05c0cb0>] (panfrost_probe) from [<c05cfaa0>] (platform_drv_probe+0x48/0x9c)
[<c05cfaa0>] (platform_drv_probe) from [<c05cd20c>] (really_probe+0x1c4/0x474)
[<c05cd20c>] (really_probe) from [<c05cd694>] (driver_probe_device+0x78/0x1bc)
[<c05cd694>] (driver_probe_device) from [<c05cb374>] (bus_for_each_drv+0x74/0xb8)
[<c05cb374>] (bus_for_each_drv) from [<c05ccfa8>] (__device_attach+0xd4/0x16c)
[<c05ccfa8>] (__device_attach) from [<c05cc110>] (bus_probe_device+0x88/0x90)
[<c05cc110>] (bus_probe_device) from [<c05cc634>] (deferred_probe_work_func+0x4c/0xd0)
[<c05cc634>] (deferred_probe_work_func) from [<c0149df0>] (process_one_work+0x300/0x864)
[<c0149df0>] (process_one_work) from [<c014a3ac>] (worker_thread+0x58/0x5a0)
[<c014a3ac>] (worker_thread) from [<c0151174>] (kthread+0x12c/0x160)
[<c0151174>] (kthread) from [<c01010b4>] (ret_from_fork+0x14/0x20)
Exception stack(0xee03dfb0 to 0xee03dff8)
...
Code: e594300c e5933020 e3130c01 1a00000f (ebefff50).
---[ end trace badde2b74a65a540 ]---

In the above case, the Panfrost driver disables G3D clocks after failure
of getting the needed regulator and return with -EPROVE_DEFER code. This
causes G3D power domain disable failure and then, during second probe
an imprecise abort is triggered due to undefined power domain state.

Fixes: 45f10dabb56b ("clk: samsung: exynos5420: Add SET_RATE_PARENT flag to clocks on G3D path")
Fixes: c9f7567aff31 ("clk: samsung: exynos542x: Move G3D subsystem clocks to its sub-CMU")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lkml.kernel.org/r/20191216131407.17225-1-m.szyprowski@samsung.com
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/samsung/clk-exynos5420.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/clk/samsung/clk-exynos5420.c
+++ b/drivers/clk/samsung/clk-exynos5420.c
@@ -12,6 +12,7 @@
 #include <linux/clk-provider.h>
 #include <linux/of.h>
 #include <linux/of_address.h>
+#include <linux/clk.h>
 
 #include "clk.h"
 #include "clk-cpu.h"
@@ -1630,6 +1631,13 @@ static void __init exynos5x_clk_init(str
 				     exynos5x_subcmus);
 	}
 
+	/*
+	 * Keep top part of G3D clock path enabled permanently to ensure
+	 * that the internal busses get their clock regardless of the
+	 * main G3D clock enablement status.
+	 */
+	clk_prepare_enable(__clk_lookup("mout_sw_aclk_g3d"));
+
 	samsung_clk_of_add_provider(np, ctx);
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 075/222] perf hists: Fix variable names inconsistency in hists__for_each() macro
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 074/222] clk: samsung: exynos5420: Keep top G3D clocks enabled Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 076/222] locking/lockdep: Fix buffer overrun problem in stack_trace[] Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuya Fujita, Jiri Olsa,
	Peter Zijlstra, Arnaldo Carvalho de Melo

From: Yuya Fujita <fujita.yuya@fujitsu.com>

commit 55347ec340af401437680fd0e88df6739a967f9f upstream.

Variable names are inconsistent in hists__for_each macro().

Due to this inconsistency, the macro replaces its second argument with
"fmt" regardless of its original name.

So far it works because only "fmt" is passed to the second argument.
However, this behavior is not expected and should be fixed.

Fixes: f0786af536bb ("perf hists: Introduce hists__for_each_format macro")
Fixes: aa6f50af822a ("perf hists: Introduce hists__for_each_sort_list macro")
Signed-off-by: Yuya Fujita <fujita.yuya@fujitsu.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lore.kernel.org/lkml/OSAPR01MB1588E1C47AC22043175DE1B2E8520@OSAPR01MB1588.jpnprd01.prod.outlook.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/hist.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/perf/util/hist.h
+++ b/tools/perf/util/hist.h
@@ -339,10 +339,10 @@ static inline void perf_hpp__prepend_sor
 	list_for_each_entry_safe(format, tmp, &(_list)->sorts, sort_list)
 
 #define hists__for_each_format(hists, format) \
-	perf_hpp_list__for_each_format((hists)->hpp_list, fmt)
+	perf_hpp_list__for_each_format((hists)->hpp_list, format)
 
 #define hists__for_each_sort_list(hists, format) \
-	perf_hpp_list__for_each_sort_list((hists)->hpp_list, fmt)
+	perf_hpp_list__for_each_sort_list((hists)->hpp_list, format)
 
 extern struct perf_hpp_fmt perf_hpp__format[];
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 076/222] locking/lockdep: Fix buffer overrun problem in stack_trace[]
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 075/222] perf hists: Fix variable names inconsistency in hists__for_each() macro Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 077/222] perf report: Fix incorrectly added dimensions as switch perf data file Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Waiman Long, Peter Zijlstra (Intel),
	Bart Van Assche, Linus Torvalds, Thomas Gleixner, Ingo Molnar

From: Waiman Long <longman@redhat.com>

commit d91f3057263ceb691ef527e71b41a56b17f6c869 upstream.

If the lockdep code is really running out of the stack_trace entries,
it is likely that buffer overrun can happen and the data immediately
after stack_trace[] will be corrupted.

If there is less than LOCK_TRACE_SIZE_IN_LONGS entries left before
the call to save_trace(), the max_entries computation will leave it
with a very large positive number because of its unsigned nature. The
subsequent call to stack_trace_save() will then corrupt the data after
stack_trace[]. Fix that by changing max_entries to a signed integer
and check for negative value before calling stack_trace_save().

Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 12593b7467f9 ("locking/lockdep: Reduce space occupied by stack traces")
Link: https://lkml.kernel.org/r/20191220135128.14876-1-longman@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/locking/lockdep.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -482,7 +482,7 @@ static struct lock_trace *save_trace(voi
 	struct lock_trace *trace, *t2;
 	struct hlist_head *hash_head;
 	u32 hash;
-	unsigned int max_entries;
+	int max_entries;
 
 	BUILD_BUG_ON_NOT_POWER_OF_2(STACK_TRACE_HASH_SIZE);
 	BUILD_BUG_ON(LOCK_TRACE_SIZE_IN_LONGS >= MAX_STACK_TRACE_ENTRIES);
@@ -490,10 +490,8 @@ static struct lock_trace *save_trace(voi
 	trace = (struct lock_trace *)(stack_trace + nr_stack_trace_entries);
 	max_entries = MAX_STACK_TRACE_ENTRIES - nr_stack_trace_entries -
 		LOCK_TRACE_SIZE_IN_LONGS;
-	trace->nr_entries = stack_trace_save(trace->entries, max_entries, 3);
 
-	if (nr_stack_trace_entries >= MAX_STACK_TRACE_ENTRIES -
-	    LOCK_TRACE_SIZE_IN_LONGS - 1) {
+	if (max_entries <= 0) {
 		if (!debug_locks_off_graph_unlock())
 			return NULL;
 
@@ -502,6 +500,7 @@ static struct lock_trace *save_trace(voi
 
 		return NULL;
 	}
+	trace->nr_entries = stack_trace_save(trace->entries, max_entries, 3);
 
 	hash = jhash(trace->entries, trace->nr_entries *
 		     sizeof(trace->entries[0]), 0);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 077/222] perf report: Fix incorrectly added dimensions as switch perf data file
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 076/222] locking/lockdep: Fix buffer overrun problem in stack_trace[] Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 078/222] mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jin Yao, Arnaldo Carvalho de Melo,
	Jiri Olsa, Alexander Shishkin, Andi Kleen, Feng Tang, Jin Yao,
	Kan Liang, Peter Zijlstra

From: Jin Yao <yao.jin@linux.intel.com>

commit 0feba17bd7ee3b7e03d141f119049dcc23efa94e upstream.

We observed an issue that was some extra columns displayed after switching
perf data file in browser. The steps to reproduce:

1. perf record -a -e cycles,instructions -- sleep 3
2. perf report --group
3. In browser, we use hotkey 's' to switch to another perf.data
4. Now in browser, the extra columns 'Self' and 'Children' are displayed.

The issue is setup_sorting() executed again after repeat path, so dimensions
are added again.

This patch checks the last key returned from __cmd_report(). If it's
K_SWITCH_INPUT_DATA, skips the setup_sorting().

Fixes: ad0de0971b7f ("perf report: Enable the runtime switching of perf data file")
Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Feng Tang <feng.tang@intel.com>
Cc: Jin Yao <yao.jin@intel.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lore.kernel.org/lkml/20191220013722.20592-1-yao.jin@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/builtin-report.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/builtin-report.c
+++ b/tools/perf/builtin-report.c
@@ -1031,6 +1031,7 @@ int cmd_report(int argc, const char **ar
 	struct stat st;
 	bool has_br_stack = false;
 	int branch_mode = -1;
+	int last_key = 0;
 	bool branch_call_mode = false;
 #define CALLCHAIN_DEFAULT_OPT  "graph,0.5,caller,function,percent"
 	static const char report_callchain_help[] = "Display call graph (stack chain/backtrace):\n\n"
@@ -1396,7 +1397,8 @@ repeat:
 		sort_order = sort_tmp;
 	}
 
-	if (setup_sorting(session->evlist) < 0) {
+	if ((last_key != K_SWITCH_INPUT_DATA) &&
+	    (setup_sorting(session->evlist) < 0)) {
 		if (sort_order)
 			parse_options_usage(report_usage, options, "s", 1);
 		if (field_order)
@@ -1475,6 +1477,7 @@ repeat:
 	ret = __cmd_report(&report);
 	if (ret == K_SWITCH_INPUT_DATA) {
 		perf_session__delete(session);
+		last_key = K_SWITCH_INPUT_DATA;
 		goto repeat;
 	} else
 		ret = 0;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 078/222] mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 077/222] perf report: Fix incorrectly added dimensions as switch perf data file Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 079/222] mm/huge_memory.c: thp: " Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov, Willhalm, Thomas,
	Dan Williams, Bruggeman, Otto G, Aneesh Kumar K . V,
	Andrew Morton, Linus Torvalds

From: Kirill A. Shutemov <kirill@shutemov.name>

commit 991589974d9c9ecb24ee3799ec8c415c730598a2 upstream.

Shmem/tmpfs tries to provide THP-friendly mappings if huge pages are
enabled.  But it doesn't work well with above-47bit hint address.

Normally, the kernel doesn't create userspace mappings above 47-bit,
even if the machine allows this (such as with 5-level paging on x86-64).
Not all user space is ready to handle wide addresses.  It's known that
at least some JIT compilers use higher bits in pointers to encode their
information.

Userspace can ask for allocation from full address space by specifying
hint address (with or without MAP_FIXED) above 47-bits.  If the
application doesn't need a particular address, but wants to allocate
from whole address space it can specify -1 as a hint address.

Unfortunately, this trick breaks THP alignment in shmem/tmp:
shmem_get_unmapped_area() would not try to allocate PMD-aligned area if
*any* hint address specified.

This can be fixed by requesting the aligned area if the we failed to
allocated at user-specified hint address.  The request with inflated
length will also take the user-specified hint address.  This way we will
not lose an allocation request from the full address space.

[kirill@shutemov.name: fold in a fixup]
  Link: http://lkml.kernel.org/r/20191223231309.t6bh5hkbmokihpfu@box
Link: http://lkml.kernel.org/r/20191220142548.7118-3-kirill.shutemov@linux.intel.com
Fixes: b569bab78d8d ("x86/mm: Prepare to expose larger address space to userspace")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: "Willhalm, Thomas" <thomas.willhalm@intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: "Bruggeman, Otto G" <otto.g.bruggeman@intel.com>
Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/shmem.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2106,9 +2106,10 @@ unsigned long shmem_get_unmapped_area(st
 	/*
 	 * Our priority is to support MAP_SHARED mapped hugely;
 	 * and support MAP_PRIVATE mapped hugely too, until it is COWed.
-	 * But if caller specified an address hint, respect that as before.
+	 * But if caller specified an address hint and we allocated area there
+	 * successfully, respect that as before.
 	 */
-	if (uaddr)
+	if (uaddr == addr)
 		return addr;
 
 	if (shmem_huge != SHMEM_HUGE_FORCE) {
@@ -2142,7 +2143,7 @@ unsigned long shmem_get_unmapped_area(st
 	if (inflated_len < len)
 		return addr;
 
-	inflated_addr = get_area(NULL, 0, inflated_len, 0, flags);
+	inflated_addr = get_area(NULL, uaddr, inflated_len, 0, flags);
 	if (IS_ERR_VALUE(inflated_addr))
 		return addr;
 	if (inflated_addr & ~PAGE_MASK)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 079/222] mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 078/222] mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 080/222] mm: memcg/slab: fix percpu slab vmstats flushing Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov, Thomas Willhalm,
	Dan Williams, Aneesh Kumar K . V, Bruggeman, Otto G,
	Andrew Morton, Linus Torvalds

From: Kirill A. Shutemov <kirill@shutemov.name>

commit 97d3d0f9a1cf132c63c0b8b8bd497b8a56283dd9 upstream.

Patch series "Fix two above-47bit hint address vs.  THP bugs".

The two get_unmapped_area() implementations have to be fixed to provide
THP-friendly mappings if above-47bit hint address is specified.

This patch (of 2):

Filesystems use thp_get_unmapped_area() to provide THP-friendly
mappings.  For DAX in particular.

Normally, the kernel doesn't create userspace mappings above 47-bit,
even if the machine allows this (such as with 5-level paging on x86-64).
Not all user space is ready to handle wide addresses.  It's known that
at least some JIT compilers use higher bits in pointers to encode their
information.

Userspace can ask for allocation from full address space by specifying
hint address (with or without MAP_FIXED) above 47-bits.  If the
application doesn't need a particular address, but wants to allocate
from whole address space it can specify -1 as a hint address.

Unfortunately, this trick breaks thp_get_unmapped_area(): the function
would not try to allocate PMD-aligned area if *any* hint address
specified.

Modify the routine to handle it correctly:

 - Try to allocate the space at the specified hint address with length
   padding required for PMD alignment.
 - If failed, retry without length padding (but with the same hint
   address);
 - If the returned address matches the hint address return it.
 - Otherwise, align the address as required for THP and return.

The user specified hint address is passed down to get_unmapped_area() so
above-47bit hint address will be taken into account without breaking
alignment requirements.

Link: http://lkml.kernel.org/r/20191220142548.7118-2-kirill.shutemov@linux.intel.com
Fixes: b569bab78d8d ("x86/mm: Prepare to expose larger address space to userspace")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Thomas Willhalm <thomas.willhalm@intel.com>
Tested-by: Dan Williams <dan.j.williams@intel.com>
Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: "Bruggeman, Otto G" <otto.g.bruggeman@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/huge_memory.c |   38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -527,13 +527,13 @@ void prep_transhuge_page(struct page *pa
 	set_compound_page_dtor(page, TRANSHUGE_PAGE_DTOR);
 }
 
-static unsigned long __thp_get_unmapped_area(struct file *filp, unsigned long len,
+static unsigned long __thp_get_unmapped_area(struct file *filp,
+		unsigned long addr, unsigned long len,
 		loff_t off, unsigned long flags, unsigned long size)
 {
-	unsigned long addr;
 	loff_t off_end = off + len;
 	loff_t off_align = round_up(off, size);
-	unsigned long len_pad;
+	unsigned long len_pad, ret;
 
 	if (off_end <= off_align || (off_end - off_align) < size)
 		return 0;
@@ -542,30 +542,40 @@ static unsigned long __thp_get_unmapped_
 	if (len_pad < len || (off + len_pad) < off)
 		return 0;
 
-	addr = current->mm->get_unmapped_area(filp, 0, len_pad,
+	ret = current->mm->get_unmapped_area(filp, addr, len_pad,
 					      off >> PAGE_SHIFT, flags);
-	if (IS_ERR_VALUE(addr))
+
+	/*
+	 * The failure might be due to length padding. The caller will retry
+	 * without the padding.
+	 */
+	if (IS_ERR_VALUE(ret))
 		return 0;
 
-	addr += (off - addr) & (size - 1);
-	return addr;
+	/*
+	 * Do not try to align to THP boundary if allocation at the address
+	 * hint succeeds.
+	 */
+	if (ret == addr)
+		return addr;
+
+	ret += (off - ret) & (size - 1);
+	return ret;
 }
 
 unsigned long thp_get_unmapped_area(struct file *filp, unsigned long addr,
 		unsigned long len, unsigned long pgoff, unsigned long flags)
 {
+	unsigned long ret;
 	loff_t off = (loff_t)pgoff << PAGE_SHIFT;
 
-	if (addr)
-		goto out;
 	if (!IS_DAX(filp->f_mapping->host) || !IS_ENABLED(CONFIG_FS_DAX_PMD))
 		goto out;
 
-	addr = __thp_get_unmapped_area(filp, len, off, flags, PMD_SIZE);
-	if (addr)
-		return addr;
-
- out:
+	ret = __thp_get_unmapped_area(filp, addr, len, off, flags, PMD_SIZE);
+	if (ret)
+		return ret;
+out:
 	return current->mm->get_unmapped_area(filp, addr, len, pgoff, flags);
 }
 EXPORT_SYMBOL_GPL(thp_get_unmapped_area);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 080/222] mm: memcg/slab: fix percpu slab vmstats flushing
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 079/222] mm/huge_memory.c: thp: " Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 081/222] mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roman Gushchin, Johannes Weiner,
	Michal Hocko, Andrew Morton, Linus Torvalds

From: Roman Gushchin <guro@fb.com>

commit 4a87e2a25dc27131c3cce5e94421622193305638 upstream.

Currently slab percpu vmstats are flushed twice: during the memcg
offlining and just before freeing the memcg structure.  Each time percpu
counters are summed, added to the atomic counterparts and propagated up
by the cgroup tree.

The second flushing is required due to how recursive vmstats are
implemented: counters are batched in percpu variables on a local level,
and once a percpu value is crossing some predefined threshold, it spills
over to atomic values on the local and each ascendant levels.  It means
that without flushing some numbers cached in percpu variables will be
dropped on floor each time a cgroup is destroyed.  And with uptime the
error on upper levels might become noticeable.

The first flushing aims to make counters on ancestor levels more
precise.  Dying cgroups may resume in the dying state for a long time.
After kmem_cache reparenting which is performed during the offlining
slab counters of the dying cgroup don't have any chances to be updated,
because any slab operations will be performed on the parent level.  It
means that the inaccuracy caused by percpu batching will not decrease up
to the final destruction of the cgroup.  By the original idea flushing
slab counters during the offlining should minimize the visible
inaccuracy of slab counters on the parent level.

The problem is that percpu counters are not zeroed after the first
flushing.  So every cached percpu value is summed twice.  It creates a
small error (up to 32 pages per cpu, but usually less) which accumulates
on parent cgroup level.  After creating and destroying of thousands of
child cgroups, slab counter on parent level can be way off the real
value.

For now, let's just stop flushing slab counters on memcg offlining.  It
can't be done correctly without scheduling a work on each cpu: reading
and zeroing it during css offlining can race with an asynchronous
update, which doesn't expect values to be changed underneath.

With this change, slab counters on parent level will become eventually
consistent.  Once all dying children are gone, values are correct.  And
if not, the error is capped by 32 * NR_CPUS pages per dying cgroup.

It's not perfect, as slab are reparented, so any updates after the
reparenting will happen on the parent level.  It means that if a slab
page was allocated, a counter on child level was bumped, then the page
was reparented and freed, the annihilation of positive and negative
counter values will not happen until the child cgroup is released.  It
makes slab counters different from others, and it might want us to
implement flushing in a correct form again.  But it's also a question of
performance: scheduling a work on each cpu isn't free, and it's an open
question if the benefit of having more accurate counters is worth it.

We might also consider flushing all counters on offlining, not only slab
counters.

So let's fix the main problem now: make the slab counters eventually
consistent, so at least the error won't grow with uptime (or more
precisely the number of created and destroyed cgroups).  And think about
the accuracy of counters separately.

Link: http://lkml.kernel.org/r/20191220042728.1045881-1-guro@fb.com
Fixes: bee07b33db78 ("mm: memcontrol: flush percpu slab vmstats on kmem offlining")
Signed-off-by: Roman Gushchin <guro@fb.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/mmzone.h |    5 ++---
 mm/memcontrol.c        |   37 +++++++++----------------------------
 2 files changed, 11 insertions(+), 31 deletions(-)

--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
@@ -215,9 +215,8 @@ enum node_stat_item {
 	NR_INACTIVE_FILE,	/*  "     "     "   "       "         */
 	NR_ACTIVE_FILE,		/*  "     "     "   "       "         */
 	NR_UNEVICTABLE,		/*  "     "     "   "       "         */
-	NR_SLAB_RECLAIMABLE,	/* Please do not reorder this item */
-	NR_SLAB_UNRECLAIMABLE,	/* and this one without looking at
-				 * memcg_flush_percpu_vmstats() first. */
+	NR_SLAB_RECLAIMABLE,
+	NR_SLAB_UNRECLAIMABLE,
 	NR_ISOLATED_ANON,	/* Temporary isolated pages from anon lru */
 	NR_ISOLATED_FILE,	/* Temporary isolated pages from file lru */
 	WORKINGSET_NODES,
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3404,49 +3404,34 @@ static u64 mem_cgroup_read_u64(struct cg
 	}
 }
 
-static void memcg_flush_percpu_vmstats(struct mem_cgroup *memcg, bool slab_only)
+static void memcg_flush_percpu_vmstats(struct mem_cgroup *memcg)
 {
-	unsigned long stat[MEMCG_NR_STAT];
+	unsigned long stat[MEMCG_NR_STAT] = {0};
 	struct mem_cgroup *mi;
 	int node, cpu, i;
-	int min_idx, max_idx;
-
-	if (slab_only) {
-		min_idx = NR_SLAB_RECLAIMABLE;
-		max_idx = NR_SLAB_UNRECLAIMABLE;
-	} else {
-		min_idx = 0;
-		max_idx = MEMCG_NR_STAT;
-	}
-
-	for (i = min_idx; i < max_idx; i++)
-		stat[i] = 0;
 
 	for_each_online_cpu(cpu)
-		for (i = min_idx; i < max_idx; i++)
+		for (i = 0; i < MEMCG_NR_STAT; i++)
 			stat[i] += per_cpu(memcg->vmstats_percpu->stat[i], cpu);
 
 	for (mi = memcg; mi; mi = parent_mem_cgroup(mi))
-		for (i = min_idx; i < max_idx; i++)
+		for (i = 0; i < MEMCG_NR_STAT; i++)
 			atomic_long_add(stat[i], &mi->vmstats[i]);
 
-	if (!slab_only)
-		max_idx = NR_VM_NODE_STAT_ITEMS;
-
 	for_each_node(node) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];
 		struct mem_cgroup_per_node *pi;
 
-		for (i = min_idx; i < max_idx; i++)
+		for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++)
 			stat[i] = 0;
 
 		for_each_online_cpu(cpu)
-			for (i = min_idx; i < max_idx; i++)
+			for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++)
 				stat[i] += per_cpu(
 					pn->lruvec_stat_cpu->count[i], cpu);
 
 		for (pi = pn; pi; pi = parent_nodeinfo(pi, node))
-			for (i = min_idx; i < max_idx; i++)
+			for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++)
 				atomic_long_add(stat[i], &pi->lruvec_stat[i]);
 	}
 }
@@ -3520,13 +3505,9 @@ static void memcg_offline_kmem(struct me
 		parent = root_mem_cgroup;
 
 	/*
-	 * Deactivate and reparent kmem_caches. Then flush percpu
-	 * slab statistics to have precise values at the parent and
-	 * all ancestor levels. It's required to keep slab stats
-	 * accurate after the reparenting of kmem_caches.
+	 * Deactivate and reparent kmem_caches.
 	 */
 	memcg_deactivate_kmem_caches(memcg, parent);
-	memcg_flush_percpu_vmstats(memcg, true);
 
 	kmemcg_id = memcg->kmemcg_id;
 	BUG_ON(kmemcg_id < 0);
@@ -5037,7 +5018,7 @@ static void mem_cgroup_free(struct mem_c
 	 * Flush percpu vmstats and vmevents to guarantee the value correctness
 	 * on parent's and all ancestor levels.
 	 */
-	memcg_flush_percpu_vmstats(memcg, false);
+	memcg_flush_percpu_vmstats(memcg);
 	memcg_flush_percpu_vmevents(memcg);
 	__mem_cgroup_free(memcg);
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 081/222] mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 080/222] mm: memcg/slab: fix percpu slab vmstats flushing Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 082/222] mm, debug_pagealloc: dont rely on static keys too early Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Huang, Xiaochun Lee,
	Shakeel Butt, Joerg Roedel, Christoph Lameter, Pekka Enberg,
	David Rientjes, Joonsoo Kim, Michal Hocko, Johannes Weiner,
	Andrew Morton, Linus Torvalds

From: Adrian Huang <ahuang12@lenovo.com>

commit 2fe20210fc5f5e62644678b8f927c49f2c6f42a7 upstream.

When booting with amd_iommu=off, the following WARNING message
appears:

  AMD-Vi: AMD IOMMU disabled on kernel command-line
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 0 at kernel/workqueue.c:2772 flush_workqueue+0x42e/0x450
  Modules linked in:
  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc3-amd-iommu #6
  Hardware name: Lenovo ThinkSystem SR655-2S/7D2WRCZ000, BIOS D8E101L-1.00 12/05/2019
  RIP: 0010:flush_workqueue+0x42e/0x450
  Code: ff 0f 0b e9 7a fd ff ff 4d 89 ef e9 33 fe ff ff 0f 0b e9 7f fd ff ff 0f 0b e9 bc fd ff ff 0f 0b e9 a8 fd ff ff e8 52 2c fe ff <0f> 0b 31 d2 48 c7 c6 e0 88 c5 95 48 c7 c7 d8 ad f0 95 e8 19 f5 04
  Call Trace:
   kmem_cache_destroy+0x69/0x260
   iommu_go_to_state+0x40c/0x5ab
   amd_iommu_prepare+0x16/0x2a
   irq_remapping_prepare+0x36/0x5f
   enable_IR_x2apic+0x21/0x172
   default_setup_apic_routing+0x12/0x6f
   apic_intr_mode_init+0x1a1/0x1f1
   x86_late_time_init+0x17/0x1c
   start_kernel+0x480/0x53f
   secondary_startup_64+0xb6/0xc0
  ---[ end trace 30894107c3749449 ]---
  x2apic: IRQ remapping doesn't support X2APIC mode
  x2apic disabled

The warning is caused by the calling of 'kmem_cache_destroy()'
in free_iommu_resources(). Here is the call path:

  free_iommu_resources
    kmem_cache_destroy
      flush_memcg_workqueue
        flush_workqueue

The root cause is that the IOMMU subsystem runs before the workqueue
subsystem, which the variable 'wq_online' is still 'false'.  This leads
to the statement 'if (WARN_ON(!wq_online))' in flush_workqueue() is
'true'.

Since the variable 'memcg_kmem_cache_wq' is not allocated during the
time, it is unnecessary to call flush_memcg_workqueue().  This prevents
the WARNING message triggered by flush_workqueue().

Link: http://lkml.kernel.org/r/20200103085503.1665-1-ahuang12@lenovo.com
Fixes: 92ee383f6daab ("mm: fix race between kmem_cache destroy, create and deactivate")
Signed-off-by: Adrian Huang <ahuang12@lenovo.com>
Reported-by: Xiaochun Lee <lixc17@lenovo.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/slab_common.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -903,7 +903,8 @@ static void flush_memcg_workqueue(struct
 	 * deactivates the memcg kmem_caches through workqueue. Make sure all
 	 * previous workitems on workqueue are processed.
 	 */
-	flush_workqueue(memcg_kmem_cache_wq);
+	if (likely(memcg_kmem_cache_wq))
+		flush_workqueue(memcg_kmem_cache_wq);
 
 	/*
 	 * If we're racing with children kmem_cache deactivation, it might



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 082/222] mm, debug_pagealloc: dont rely on static keys too early
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 081/222] mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 083/222] btrfs: rework arguments of btrfs_unlink_subvol Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vlastimil Babka, Stephen Rothwell,
	Joonsoo Kim, Kirill A. Shutemov, Michal Hocko, Matthew Wilcox,
	Mel Gorman, Peter Zijlstra, Borislav Petkov, Qian Cai,
	Andrew Morton, Linus Torvalds

From: Vlastimil Babka <vbabka@suse.cz>

commit 8e57f8acbbd121ecfb0c9dc13b8b030f86c6bd3b upstream.

Commit 96a2b03f281d ("mm, debug_pagelloc: use static keys to enable
debugging") has introduced a static key to reduce overhead when
debug_pagealloc is compiled in but not enabled.  It relied on the
assumption that jump_label_init() is called before parse_early_param()
as in start_kernel(), so when the "debug_pagealloc=on" option is parsed,
it is safe to enable the static key.

However, it turns out multiple architectures call parse_early_param()
earlier from their setup_arch().  x86 also calls jump_label_init() even
earlier, so no issue was found while testing the commit, but same is not
true for e.g.  ppc64 and s390 where the kernel would not boot with
debug_pagealloc=on as found by our QA.

To fix this without tricky changes to init code of multiple
architectures, this patch partially reverts the static key conversion
from 96a2b03f281d.  Init-time and non-fastpath calls (such as in arch
code) of debug_pagealloc_enabled() will again test a simple bool
variable.  Fastpath mm code is converted to a new
debug_pagealloc_enabled_static() variant that relies on the static key,
which is enabled in a well-defined point in mm_init() where it's
guaranteed that jump_label_init() has been called, regardless of
architecture.

[sfr@canb.auug.org.au: export _debug_pagealloc_enabled_early]
  Link: http://lkml.kernel.org/r/20200106164944.063ac07b@canb.auug.org.au
Link: http://lkml.kernel.org/r/20191219130612.23171-1-vbabka@suse.cz
Fixes: 96a2b03f281d ("mm, debug_pagelloc: use static keys to enable debugging")
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Qian Cai <cai@lca.pw>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/mm.h |   18 +++++++++++++++---
 init/main.c        |    1 +
 mm/page_alloc.c    |   37 +++++++++++++------------------------
 mm/slab.c          |    4 ++--
 mm/slub.c          |    2 +-
 mm/vmalloc.c       |    4 ++--
 6 files changed, 34 insertions(+), 32 deletions(-)

--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2666,14 +2666,26 @@ static inline bool want_init_on_free(voi
 	       !page_poisoning_enabled();
 }
 
-#ifdef CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT
-DECLARE_STATIC_KEY_TRUE(_debug_pagealloc_enabled);
+#ifdef CONFIG_DEBUG_PAGEALLOC
+extern void init_debug_pagealloc(void);
 #else
-DECLARE_STATIC_KEY_FALSE(_debug_pagealloc_enabled);
+static inline void init_debug_pagealloc(void) {}
 #endif
+extern bool _debug_pagealloc_enabled_early;
+DECLARE_STATIC_KEY_FALSE(_debug_pagealloc_enabled);
 
 static inline bool debug_pagealloc_enabled(void)
 {
+	return IS_ENABLED(CONFIG_DEBUG_PAGEALLOC) &&
+		_debug_pagealloc_enabled_early;
+}
+
+/*
+ * For use in fast paths after init_debug_pagealloc() has run, or when a
+ * false negative result is not harmful when called too early.
+ */
+static inline bool debug_pagealloc_enabled_static(void)
+{
 	if (!IS_ENABLED(CONFIG_DEBUG_PAGEALLOC))
 		return false;
 
--- a/init/main.c
+++ b/init/main.c
@@ -553,6 +553,7 @@ static void __init mm_init(void)
 	 * bigger than MAX_ORDER unless SPARSEMEM.
 	 */
 	page_ext_init_flatmem();
+	init_debug_pagealloc();
 	report_meminit();
 	mem_init();
 	kmem_cache_init();
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -694,34 +694,27 @@ void prep_compound_page(struct page *pag
 #ifdef CONFIG_DEBUG_PAGEALLOC
 unsigned int _debug_guardpage_minorder;
 
-#ifdef CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT
-DEFINE_STATIC_KEY_TRUE(_debug_pagealloc_enabled);
-#else
+bool _debug_pagealloc_enabled_early __read_mostly
+			= IS_ENABLED(CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT);
+EXPORT_SYMBOL(_debug_pagealloc_enabled_early);
 DEFINE_STATIC_KEY_FALSE(_debug_pagealloc_enabled);
-#endif
 EXPORT_SYMBOL(_debug_pagealloc_enabled);
 
 DEFINE_STATIC_KEY_FALSE(_debug_guardpage_enabled);
 
 static int __init early_debug_pagealloc(char *buf)
 {
-	bool enable = false;
-
-	if (kstrtobool(buf, &enable))
-		return -EINVAL;
-
-	if (enable)
-		static_branch_enable(&_debug_pagealloc_enabled);
-
-	return 0;
+	return kstrtobool(buf, &_debug_pagealloc_enabled_early);
 }
 early_param("debug_pagealloc", early_debug_pagealloc);
 
-static void init_debug_guardpage(void)
+void init_debug_pagealloc(void)
 {
 	if (!debug_pagealloc_enabled())
 		return;
 
+	static_branch_enable(&_debug_pagealloc_enabled);
+
 	if (!debug_guardpage_minorder())
 		return;
 
@@ -1186,7 +1179,7 @@ static __always_inline bool free_pages_p
 	 */
 	arch_free_page(page, order);
 
-	if (debug_pagealloc_enabled())
+	if (debug_pagealloc_enabled_static())
 		kernel_map_pages(page, 1 << order, 0);
 
 	kasan_free_nondeferred_pages(page, order);
@@ -1207,7 +1200,7 @@ static bool free_pcp_prepare(struct page
 
 static bool bulkfree_pcp_prepare(struct page *page)
 {
-	if (debug_pagealloc_enabled())
+	if (debug_pagealloc_enabled_static())
 		return free_pages_check(page);
 	else
 		return false;
@@ -1221,7 +1214,7 @@ static bool bulkfree_pcp_prepare(struct
  */
 static bool free_pcp_prepare(struct page *page)
 {
-	if (debug_pagealloc_enabled())
+	if (debug_pagealloc_enabled_static())
 		return free_pages_prepare(page, 0, true);
 	else
 		return free_pages_prepare(page, 0, false);
@@ -1973,10 +1966,6 @@ void __init page_alloc_init_late(void)
 
 	for_each_populated_zone(zone)
 		set_zone_contiguous(zone);
-
-#ifdef CONFIG_DEBUG_PAGEALLOC
-	init_debug_guardpage();
-#endif
 }
 
 #ifdef CONFIG_CMA
@@ -2106,7 +2095,7 @@ static inline bool free_pages_prezeroed(
  */
 static inline bool check_pcp_refill(struct page *page)
 {
-	if (debug_pagealloc_enabled())
+	if (debug_pagealloc_enabled_static())
 		return check_new_page(page);
 	else
 		return false;
@@ -2128,7 +2117,7 @@ static inline bool check_pcp_refill(stru
 }
 static inline bool check_new_pcp(struct page *page)
 {
-	if (debug_pagealloc_enabled())
+	if (debug_pagealloc_enabled_static())
 		return check_new_page(page);
 	else
 		return false;
@@ -2155,7 +2144,7 @@ inline void post_alloc_hook(struct page
 	set_page_refcounted(page);
 
 	arch_alloc_page(page, order);
-	if (debug_pagealloc_enabled())
+	if (debug_pagealloc_enabled_static())
 		kernel_map_pages(page, 1 << order, 1);
 	kasan_alloc_pages(page, order);
 	kernel_poison_pages(page, 1 << order, 1);
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -1415,7 +1415,7 @@ static void kmem_rcu_free(struct rcu_hea
 #if DEBUG
 static bool is_debug_pagealloc_cache(struct kmem_cache *cachep)
 {
-	if (debug_pagealloc_enabled() && OFF_SLAB(cachep) &&
+	if (debug_pagealloc_enabled_static() && OFF_SLAB(cachep) &&
 		(cachep->size % PAGE_SIZE) == 0)
 		return true;
 
@@ -2007,7 +2007,7 @@ int __kmem_cache_create(struct kmem_cach
 	 * to check size >= 256. It guarantees that all necessary small
 	 * sized slab is initialized in current slab initialization sequence.
 	 */
-	if (debug_pagealloc_enabled() && (flags & SLAB_POISON) &&
+	if (debug_pagealloc_enabled_static() && (flags & SLAB_POISON) &&
 		size >= 256 && cachep->object_size > cache_line_size()) {
 		if (size < PAGE_SIZE || size % PAGE_SIZE == 0) {
 			size_t tmp_size = ALIGN(size, PAGE_SIZE);
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -290,7 +290,7 @@ static inline void *get_freepointer_safe
 	unsigned long freepointer_addr;
 	void *p;
 
-	if (!debug_pagealloc_enabled())
+	if (!debug_pagealloc_enabled_static())
 		return get_freepointer(s, object);
 
 	freepointer_addr = (unsigned long)object + s->offset;
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -1349,7 +1349,7 @@ static void free_unmap_vmap_area(struct
 {
 	flush_cache_vunmap(va->va_start, va->va_end);
 	unmap_vmap_area(va);
-	if (debug_pagealloc_enabled())
+	if (debug_pagealloc_enabled_static())
 		flush_tlb_kernel_range(va->va_start, va->va_end);
 
 	free_vmap_area_noflush(va);
@@ -1647,7 +1647,7 @@ static void vb_free(const void *addr, un
 
 	vunmap_page_range((unsigned long)addr, (unsigned long)addr + size);
 
-	if (debug_pagealloc_enabled())
+	if (debug_pagealloc_enabled_static())
 		flush_tlb_kernel_range((unsigned long)addr,
 					(unsigned long)addr + size);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 083/222] btrfs: rework arguments of btrfs_unlink_subvol
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 082/222] mm, debug_pagealloc: dont rely on static keys too early Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 084/222] btrfs: fix invalid removal of root ref Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba, Sasha Levin

From: Josef Bacik <josef@toxicpanda.com>

[ Upstream commit 045d3967b6920b663fc010ad414ade1b24143bd1 ]

btrfs_unlink_subvol takes the name of the dentry and the root objectid
based on what kind of inode this is, either a real subvolume link or a
empty one that we inherited as a snapshot.  We need to fix how we unlink
in the case for BTRFS_EMPTY_SUBVOL_DIR_OBJECTID in the future, so rework
btrfs_unlink_subvol to just take the dentry and handle getting the right
objectid given the type of inode this is.  There is no functional change
here, simply pushing the work into btrfs_unlink_subvol() proper.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/inode.c |   46 ++++++++++++++++++++--------------------------
 1 file changed, 20 insertions(+), 26 deletions(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4215,18 +4215,30 @@ out:
 }
 
 static int btrfs_unlink_subvol(struct btrfs_trans_handle *trans,
-			       struct inode *dir, u64 objectid,
-			       const char *name, int name_len)
+			       struct inode *dir, struct dentry *dentry)
 {
 	struct btrfs_root *root = BTRFS_I(dir)->root;
+	struct btrfs_inode *inode = BTRFS_I(d_inode(dentry));
 	struct btrfs_path *path;
 	struct extent_buffer *leaf;
 	struct btrfs_dir_item *di;
 	struct btrfs_key key;
+	const char *name = dentry->d_name.name;
+	int name_len = dentry->d_name.len;
 	u64 index;
 	int ret;
+	u64 objectid;
 	u64 dir_ino = btrfs_ino(BTRFS_I(dir));
 
+	if (btrfs_ino(inode) == BTRFS_FIRST_FREE_OBJECTID) {
+		objectid = inode->root->root_key.objectid;
+	} else if (btrfs_ino(inode) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID) {
+		objectid = inode->location.objectid;
+	} else {
+		WARN_ON(1);
+		return -EINVAL;
+	}
+
 	path = btrfs_alloc_path();
 	if (!path)
 		return -ENOMEM;
@@ -4464,8 +4476,7 @@ int btrfs_delete_subvolume(struct inode
 
 	btrfs_record_snapshot_destroy(trans, BTRFS_I(dir));
 
-	ret = btrfs_unlink_subvol(trans, dir, dest->root_key.objectid,
-				  dentry->d_name.name, dentry->d_name.len);
+	ret = btrfs_unlink_subvol(trans, dir, dentry);
 	if (ret) {
 		err = ret;
 		btrfs_abort_transaction(trans, ret);
@@ -4560,10 +4571,7 @@ static int btrfs_rmdir(struct inode *dir
 		return PTR_ERR(trans);
 
 	if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
-		err = btrfs_unlink_subvol(trans, dir,
-					  BTRFS_I(inode)->location.objectid,
-					  dentry->d_name.name,
-					  dentry->d_name.len);
+		err = btrfs_unlink_subvol(trans, dir, dentry);
 		goto out;
 	}
 
@@ -9519,7 +9527,6 @@ static int btrfs_rename_exchange(struct
 	u64 new_ino = btrfs_ino(BTRFS_I(new_inode));
 	u64 old_idx = 0;
 	u64 new_idx = 0;
-	u64 root_objectid;
 	int ret;
 	bool root_log_pinned = false;
 	bool dest_log_pinned = false;
@@ -9625,10 +9632,7 @@ static int btrfs_rename_exchange(struct
 
 	/* src is a subvolume */
 	if (old_ino == BTRFS_FIRST_FREE_OBJECTID) {
-		root_objectid = BTRFS_I(old_inode)->root->root_key.objectid;
-		ret = btrfs_unlink_subvol(trans, old_dir, root_objectid,
-					  old_dentry->d_name.name,
-					  old_dentry->d_name.len);
+		ret = btrfs_unlink_subvol(trans, old_dir, old_dentry);
 	} else { /* src is an inode */
 		ret = __btrfs_unlink_inode(trans, root, BTRFS_I(old_dir),
 					   BTRFS_I(old_dentry->d_inode),
@@ -9644,10 +9648,7 @@ static int btrfs_rename_exchange(struct
 
 	/* dest is a subvolume */
 	if (new_ino == BTRFS_FIRST_FREE_OBJECTID) {
-		root_objectid = BTRFS_I(new_inode)->root->root_key.objectid;
-		ret = btrfs_unlink_subvol(trans, new_dir, root_objectid,
-					  new_dentry->d_name.name,
-					  new_dentry->d_name.len);
+		ret = btrfs_unlink_subvol(trans, new_dir, new_dentry);
 	} else { /* dest is an inode */
 		ret = __btrfs_unlink_inode(trans, dest, BTRFS_I(new_dir),
 					   BTRFS_I(new_dentry->d_inode),
@@ -9845,7 +9846,6 @@ static int btrfs_rename(struct inode *ol
 	struct inode *new_inode = d_inode(new_dentry);
 	struct inode *old_inode = d_inode(old_dentry);
 	u64 index = 0;
-	u64 root_objectid;
 	int ret;
 	u64 old_ino = btrfs_ino(BTRFS_I(old_inode));
 	bool log_pinned = false;
@@ -9953,10 +9953,7 @@ static int btrfs_rename(struct inode *ol
 				BTRFS_I(old_inode), 1);
 
 	if (unlikely(old_ino == BTRFS_FIRST_FREE_OBJECTID)) {
-		root_objectid = BTRFS_I(old_inode)->root->root_key.objectid;
-		ret = btrfs_unlink_subvol(trans, old_dir, root_objectid,
-					old_dentry->d_name.name,
-					old_dentry->d_name.len);
+		ret = btrfs_unlink_subvol(trans, old_dir, old_dentry);
 	} else {
 		ret = __btrfs_unlink_inode(trans, root, BTRFS_I(old_dir),
 					BTRFS_I(d_inode(old_dentry)),
@@ -9975,10 +9972,7 @@ static int btrfs_rename(struct inode *ol
 		new_inode->i_ctime = current_time(new_inode);
 		if (unlikely(btrfs_ino(BTRFS_I(new_inode)) ==
 			     BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
-			root_objectid = BTRFS_I(new_inode)->location.objectid;
-			ret = btrfs_unlink_subvol(trans, new_dir, root_objectid,
-						new_dentry->d_name.name,
-						new_dentry->d_name.len);
+			ret = btrfs_unlink_subvol(trans, new_dir, new_dentry);
 			BUG_ON(new_inode->i_nlink == 0);
 		} else {
 			ret = btrfs_unlink_inode(trans, dest, BTRFS_I(new_dir),



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 084/222] btrfs: fix invalid removal of root ref
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 083/222] btrfs: rework arguments of btrfs_unlink_subvol Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 085/222] btrfs: do not delete mismatched root refs Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit d49d3287e74ffe55ae7430d1e795e5f9bf7359ea upstream.

If we have the following sequence of events

  btrfs sub create A
  btrfs sub create A/B
  btrfs sub snap A C
  mkdir C/foo
  mv A/B C/foo
  rm -rf *

We will end up with a transaction abort.

The reason for this is because we create a root ref for B pointing to A.
When we create a snapshot of C we still have B in our tree, but because
the root ref points to A and not C we will make it appear to be empty.

The problem happens when we move B into C.  This removes the root ref
for B pointing to A and adds a ref of B pointing to C.  When we rmdir C
we'll see that we have a ref to our root and remove the root ref,
despite not actually matching our reference name.

Now btrfs_del_root_ref() allowing this to work is a bug as well, however
we know that this inode does not actually point to a root ref in the
first place, so we shouldn't be calling btrfs_del_root_ref() in the
first place and instead simply look up our dir index for this item and
do the rest of the removal.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |   27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4260,13 +4260,16 @@ static int btrfs_unlink_subvol(struct bt
 	}
 	btrfs_release_path(path);
 
-	ret = btrfs_del_root_ref(trans, objectid, root->root_key.objectid,
-				 dir_ino, &index, name, name_len);
-	if (ret < 0) {
-		if (ret != -ENOENT) {
-			btrfs_abort_transaction(trans, ret);
-			goto out;
-		}
+	/*
+	 * This is a placeholder inode for a subvolume we didn't have a
+	 * reference to at the time of the snapshot creation.  In the meantime
+	 * we could have renamed the real subvol link into our snapshot, so
+	 * depending on btrfs_del_root_ref to return -ENOENT here is incorret.
+	 * Instead simply lookup the dir_index_item for this entry so we can
+	 * remove it.  Otherwise we know we have a ref to the root and we can
+	 * call btrfs_del_root_ref, and it _shouldn't_ fail.
+	 */
+	if (btrfs_ino(inode) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID) {
 		di = btrfs_search_dir_index_item(root, path, dir_ino,
 						 name, name_len);
 		if (IS_ERR_OR_NULL(di)) {
@@ -4281,8 +4284,16 @@ static int btrfs_unlink_subvol(struct bt
 		leaf = path->nodes[0];
 		btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
 		index = key.offset;
+		btrfs_release_path(path);
+	} else {
+		ret = btrfs_del_root_ref(trans, objectid,
+					 root->root_key.objectid, dir_ino,
+					 &index, name, name_len);
+		if (ret) {
+			btrfs_abort_transaction(trans, ret);
+			goto out;
+		}
 	}
-	btrfs_release_path(path);
 
 	ret = btrfs_delete_delayed_dir_index(trans, BTRFS_I(dir), index);
 	if (ret) {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 085/222] btrfs: do not delete mismatched root refs
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 084/222] btrfs: fix invalid removal of root ref Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 086/222] btrfs: relocation: fix reloc_root lifespan and access Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit 423a716cd7be16fb08690760691befe3be97d3fc upstream.

btrfs_del_root_ref() will simply WARN_ON() if the ref doesn't match in
any way, and then continue to delete the reference.  This shouldn't
happen, we have these values because there's more to the reference than
the original root and the sub root.  If any of these checks fail, return
-ENOENT.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/root-tree.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/fs/btrfs/root-tree.c
+++ b/fs/btrfs/root-tree.c
@@ -376,11 +376,13 @@ again:
 		leaf = path->nodes[0];
 		ref = btrfs_item_ptr(leaf, path->slots[0],
 				     struct btrfs_root_ref);
-
-		WARN_ON(btrfs_root_ref_dirid(leaf, ref) != dirid);
-		WARN_ON(btrfs_root_ref_name_len(leaf, ref) != name_len);
 		ptr = (unsigned long)(ref + 1);
-		WARN_ON(memcmp_extent_buffer(leaf, name, ptr, name_len));
+		if ((btrfs_root_ref_dirid(leaf, ref) != dirid) ||
+		    (btrfs_root_ref_name_len(leaf, ref) != name_len) ||
+		    memcmp_extent_buffer(leaf, name, ptr, name_len)) {
+			err = -ENOENT;
+			goto out;
+		}
 		*sequence = btrfs_root_ref_sequence(leaf, ref);
 
 		ret = btrfs_del_item(trans, tree_root, path);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 086/222] btrfs: relocation: fix reloc_root lifespan and access
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 085/222] btrfs: do not delete mismatched root refs Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 087/222] btrfs: fix memory leak in qgroup accounting Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zygo Blaxell, Josef Bacik, Qu Wenruo,
	David Sterba

From: Qu Wenruo <wqu@suse.com>

commit 6282675e6708ec78518cc0e9ad1f1f73d7c5c53d upstream.

[BUG]
There are several different KASAN reports for balance + snapshot
workloads.  Involved call paths include:

   should_ignore_root+0x54/0xb0 [btrfs]
   build_backref_tree+0x11af/0x2280 [btrfs]
   relocate_tree_blocks+0x391/0xb80 [btrfs]
   relocate_block_group+0x3e5/0xa00 [btrfs]
   btrfs_relocate_block_group+0x240/0x4d0 [btrfs]
   btrfs_relocate_chunk+0x53/0xf0 [btrfs]
   btrfs_balance+0xc91/0x1840 [btrfs]
   btrfs_ioctl_balance+0x416/0x4e0 [btrfs]
   btrfs_ioctl+0x8af/0x3e60 [btrfs]
   do_vfs_ioctl+0x831/0xb10

   create_reloc_root+0x9f/0x460 [btrfs]
   btrfs_reloc_post_snapshot+0xff/0x6c0 [btrfs]
   create_pending_snapshot+0xa9b/0x15f0 [btrfs]
   create_pending_snapshots+0x111/0x140 [btrfs]
   btrfs_commit_transaction+0x7a6/0x1360 [btrfs]
   btrfs_mksubvol+0x915/0x960 [btrfs]
   btrfs_ioctl_snap_create_transid+0x1d5/0x1e0 [btrfs]
   btrfs_ioctl_snap_create_v2+0x1d3/0x270 [btrfs]
   btrfs_ioctl+0x241b/0x3e60 [btrfs]
   do_vfs_ioctl+0x831/0xb10

   btrfs_reloc_pre_snapshot+0x85/0xc0 [btrfs]
   create_pending_snapshot+0x209/0x15f0 [btrfs]
   create_pending_snapshots+0x111/0x140 [btrfs]
   btrfs_commit_transaction+0x7a6/0x1360 [btrfs]
   btrfs_mksubvol+0x915/0x960 [btrfs]
   btrfs_ioctl_snap_create_transid+0x1d5/0x1e0 [btrfs]
   btrfs_ioctl_snap_create_v2+0x1d3/0x270 [btrfs]
   btrfs_ioctl+0x241b/0x3e60 [btrfs]
   do_vfs_ioctl+0x831/0xb10

[CAUSE]
All these call sites are only relying on root->reloc_root, which can
undergo btrfs_drop_snapshot(), and since we don't have real refcount
based protection to reloc roots, we can reach already dropped reloc
root, triggering KASAN.

[FIX]
To avoid such access to unstable root->reloc_root, we should check
BTRFS_ROOT_DEAD_RELOC_TREE bit first.

This patch introduces wrappers that provide the correct way to check the
bit with memory barriers protection.

Most callers don't distinguish merged reloc tree and no reloc tree.  The
only exception is should_ignore_root(), as merged reloc tree can be
ignored, while no reloc tree shouldn't.

[CRITICAL SECTION ANALYSIS]
Although test_bit()/set_bit()/clear_bit() doesn't imply a barrier, the
DEAD_RELOC_TREE bit has extra help from transaction as a higher level
barrier, the lifespan of root::reloc_root and DEAD_RELOC_TREE bit are:

	NULL: reloc_root is NULL	PTR: reloc_root is not NULL
	0: DEAD_RELOC_ROOT bit not set	DEAD: DEAD_RELOC_ROOT bit set

	(NULL, 0)    Initial state		 __
	  |					 /\ Section A
        btrfs_init_reloc_root()			 \/
	  |				 	 __
	(PTR, 0)     reloc_root initialized      /\
          |					 |
	btrfs_update_reloc_root()		 |  Section B
          |					 |
	(PTR, DEAD)  reloc_root has been merged  \/
          |					 __
	=== btrfs_commit_transaction() ====================
	  |					 /\
	clean_dirty_subvols()			 |
	  |					 |  Section C
	(NULL, DEAD) reloc_root cleanup starts   \/
          |					 __
	btrfs_drop_snapshot()			 /\
	  |					 |  Section D
	(NULL, 0)    Back to initial state	 \/

Every have_reloc_root() or test_bit(DEAD_RELOC_ROOT) caller holds
transaction handle, so none of such caller can cross transaction boundary.

In Section A, every caller just found no DEAD bit, and grab reloc_root.

In the cross section A-B, caller may get no DEAD bit, but since reloc_root
is still completely valid thus accessing reloc_root is completely safe.

No test_bit() caller can cross the boundary of Section B and Section C.

In Section C, every caller found the DEAD bit, so no one will access
reloc_root.

In the cross section C-D, either caller gets the DEAD bit set, avoiding
access reloc_root no matter if it's safe or not.  Or caller get the DEAD
bit cleared, then access reloc_root, which is already NULL, nothing will
be wrong.

The memory write barriers are between the reloc_root updates and bit
set/clear, the pairing read side is before test_bit.

Reported-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
Fixes: d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ barriers ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/relocation.c |   51 +++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 5 deletions(-)

--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -517,6 +517,34 @@ static int update_backref_cache(struct b
 	return 1;
 }
 
+static bool reloc_root_is_dead(struct btrfs_root *root)
+{
+	/*
+	 * Pair with set_bit/clear_bit in clean_dirty_subvols and
+	 * btrfs_update_reloc_root. We need to see the updated bit before
+	 * trying to access reloc_root
+	 */
+	smp_rmb();
+	if (test_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state))
+		return true;
+	return false;
+}
+
+/*
+ * Check if this subvolume tree has valid reloc tree.
+ *
+ * Reloc tree after swap is considered dead, thus not considered as valid.
+ * This is enough for most callers, as they don't distinguish dead reloc root
+ * from no reloc root.  But should_ignore_root() below is a special case.
+ */
+static bool have_reloc_root(struct btrfs_root *root)
+{
+	if (reloc_root_is_dead(root))
+		return false;
+	if (!root->reloc_root)
+		return false;
+	return true;
+}
 
 static int should_ignore_root(struct btrfs_root *root)
 {
@@ -525,6 +553,10 @@ static int should_ignore_root(struct btr
 	if (!test_bit(BTRFS_ROOT_REF_COWS, &root->state))
 		return 0;
 
+	/* This root has been merged with its reloc tree, we can ignore it */
+	if (reloc_root_is_dead(root))
+		return 1;
+
 	reloc_root = root->reloc_root;
 	if (!reloc_root)
 		return 0;
@@ -1439,7 +1471,7 @@ int btrfs_init_reloc_root(struct btrfs_t
 	 * The subvolume has reloc tree but the swap is finished, no need to
 	 * create/update the dead reloc tree
 	 */
-	if (test_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state))
+	if (reloc_root_is_dead(root))
 		return 0;
 
 	if (root->reloc_root) {
@@ -1478,8 +1510,7 @@ int btrfs_update_reloc_root(struct btrfs
 	struct btrfs_root_item *root_item;
 	int ret;
 
-	if (test_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state) ||
-	    !root->reloc_root)
+	if (!have_reloc_root(root))
 		goto out;
 
 	reloc_root = root->reloc_root;
@@ -1489,6 +1520,11 @@ int btrfs_update_reloc_root(struct btrfs
 	if (fs_info->reloc_ctl->merge_reloc_tree &&
 	    btrfs_root_refs(root_item) == 0) {
 		set_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state);
+		/*
+		 * Mark the tree as dead before we change reloc_root so
+		 * have_reloc_root will not touch it from now on.
+		 */
+		smp_wmb();
 		__del_reloc_root(reloc_root);
 	}
 
@@ -2202,6 +2238,11 @@ static int clean_dirty_subvols(struct re
 				if (ret2 < 0 && !ret)
 					ret = ret2;
 			}
+			/*
+			 * Need barrier to ensure clear_bit() only happens after
+			 * root->reloc_root = NULL. Pairs with have_reloc_root.
+			 */
+			smp_wmb();
 			clear_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state);
 			btrfs_put_fs_root(root);
 		} else {
@@ -4721,7 +4762,7 @@ void btrfs_reloc_pre_snapshot(struct btr
 	struct btrfs_root *root = pending->root;
 	struct reloc_control *rc = root->fs_info->reloc_ctl;
 
-	if (!root->reloc_root || !rc)
+	if (!rc || !have_reloc_root(root))
 		return;
 
 	if (!rc->merge_reloc_tree)
@@ -4755,7 +4796,7 @@ int btrfs_reloc_post_snapshot(struct btr
 	struct reloc_control *rc = root->fs_info->reloc_ctl;
 	int ret;
 
-	if (!root->reloc_root || !rc)
+	if (!rc || !have_reloc_root(root))
 		return 0;
 
 	rc = root->fs_info->reloc_ctl;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 087/222] btrfs: fix memory leak in qgroup accounting
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 086/222] btrfs: relocation: fix reloc_root lifespan and access Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 088/222] btrfs: check rw_devices, not num_devices for balance Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Johannes Thumshirn, David Sterba

From: Johannes Thumshirn <johannes.thumshirn@wdc.com>

commit 26ef8493e1ab771cb01d27defca2fa1315dc3980 upstream.

When running xfstests on the current btrfs I get the following splat from
kmemleak:

unreferenced object 0xffff88821b2404e0 (size 32):
  comm "kworker/u4:7", pid 26663, jiffies 4295283698 (age 8.776s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 10 ff fd 26 82 88 ff ff  ...........&....
    10 ff fd 26 82 88 ff ff 20 ff fd 26 82 88 ff ff  ...&.... ..&....
  backtrace:
    [<00000000f94fd43f>] ulist_alloc+0x25/0x60 [btrfs]
    [<00000000fd023d99>] btrfs_find_all_roots_safe+0x41/0x100 [btrfs]
    [<000000008f17bd32>] btrfs_find_all_roots+0x52/0x70 [btrfs]
    [<00000000b7660afb>] btrfs_qgroup_rescan_worker+0x343/0x680 [btrfs]
    [<0000000058e66778>] btrfs_work_helper+0xac/0x1e0 [btrfs]
    [<00000000f0188930>] process_one_work+0x1cf/0x350
    [<00000000af5f2f8e>] worker_thread+0x28/0x3c0
    [<00000000b55a1add>] kthread+0x109/0x120
    [<00000000f88cbd17>] ret_from_fork+0x35/0x40

This corresponds to:

  (gdb) l *(btrfs_find_all_roots_safe+0x41)
  0x8d7e1 is in btrfs_find_all_roots_safe (fs/btrfs/backref.c:1413).
  1408
  1409            tmp = ulist_alloc(GFP_NOFS);
  1410            if (!tmp)
  1411                    return -ENOMEM;
  1412            *roots = ulist_alloc(GFP_NOFS);
  1413            if (!*roots) {
  1414                    ulist_free(tmp);
  1415                    return -ENOMEM;
  1416            }
  1417

Following the lifetime of the allocated 'roots' ulist, it gets freed
again in btrfs_qgroup_account_extent().

But this does not happen if the function is called with the
'BTRFS_FS_QUOTA_ENABLED' flag cleared, then btrfs_qgroup_account_extent()
does a short leave and directly returns.

Instead of directly returning we should jump to the 'out_free' in order to
free all resources as expected.

CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
[ add comment ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/qgroup.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -2423,8 +2423,12 @@ int btrfs_qgroup_account_extent(struct b
 	u64 nr_old_roots = 0;
 	int ret = 0;
 
+	/*
+	 * If quotas get disabled meanwhile, the resouces need to be freed and
+	 * we can't just exit here.
+	 */
 	if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags))
-		return 0;
+		goto out_free;
 
 	if (new_roots) {
 		if (!maybe_fs_roots(new_roots))



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 088/222] btrfs: check rw_devices, not num_devices for balance
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 087/222] btrfs: fix memory leak in qgroup accounting Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 089/222] Btrfs: always copy scrub arguments back to user space Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit b35cf1f0bf1f2b0b193093338414b9bd63b29015 upstream.

The fstest btrfs/154 reports

  [ 8675.381709] BTRFS: Transaction aborted (error -28)
  [ 8675.383302] WARNING: CPU: 1 PID: 31900 at fs/btrfs/block-group.c:2038 btrfs_create_pending_block_groups+0x1e0/0x1f0 [btrfs]
  [ 8675.390925] CPU: 1 PID: 31900 Comm: btrfs Not tainted 5.5.0-rc6-default+ #935
  [ 8675.392780] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014
  [ 8675.395452] RIP: 0010:btrfs_create_pending_block_groups+0x1e0/0x1f0 [btrfs]
  [ 8675.402672] RSP: 0018:ffffb2090888fb00 EFLAGS: 00010286
  [ 8675.404413] RAX: 0000000000000000 RBX: ffff92026dfa91c8 RCX: 0000000000000001
  [ 8675.406609] RDX: 0000000000000000 RSI: ffffffff8e100899 RDI: ffffffff8e100971
  [ 8675.408775] RBP: ffff920247c61660 R08: 0000000000000000 R09: 0000000000000000
  [ 8675.410978] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffffe4
  [ 8675.412647] R13: ffff92026db74000 R14: ffff920247c616b8 R15: ffff92026dfbc000
  [ 8675.413994] FS:  00007fd5e57248c0(0000) GS:ffff92027d800000(0000) knlGS:0000000000000000
  [ 8675.416146] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 8675.417833] CR2: 0000564aa51682d8 CR3: 000000006dcbc004 CR4: 0000000000160ee0
  [ 8675.419801] Call Trace:
  [ 8675.420742]  btrfs_start_dirty_block_groups+0x355/0x480 [btrfs]
  [ 8675.422600]  btrfs_commit_transaction+0xc8/0xaf0 [btrfs]
  [ 8675.424335]  reset_balance_state+0x14a/0x190 [btrfs]
  [ 8675.425824]  btrfs_balance.cold+0xe7/0x154 [btrfs]
  [ 8675.427313]  ? kmem_cache_alloc_trace+0x235/0x2c0
  [ 8675.428663]  btrfs_ioctl_balance+0x298/0x350 [btrfs]
  [ 8675.430285]  btrfs_ioctl+0x466/0x2550 [btrfs]
  [ 8675.431788]  ? mem_cgroup_charge_statistics+0x51/0xf0
  [ 8675.433487]  ? mem_cgroup_commit_charge+0x56/0x400
  [ 8675.435122]  ? do_raw_spin_unlock+0x4b/0xc0
  [ 8675.436618]  ? _raw_spin_unlock+0x1f/0x30
  [ 8675.438093]  ? __handle_mm_fault+0x499/0x740
  [ 8675.439619]  ? do_vfs_ioctl+0x56e/0x770
  [ 8675.441034]  do_vfs_ioctl+0x56e/0x770
  [ 8675.442411]  ksys_ioctl+0x3a/0x70
  [ 8675.443718]  ? trace_hardirqs_off_thunk+0x1a/0x1c
  [ 8675.445333]  __x64_sys_ioctl+0x16/0x20
  [ 8675.446705]  do_syscall_64+0x50/0x210
  [ 8675.448059]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
  [ 8675.479187] BTRFS: error (device vdb) in btrfs_create_pending_block_groups:2038: errno=-28 No space left

We now use btrfs_can_overcommit() to see if we can flip a block group
read only.  Before this would fail because we weren't taking into
account the usable un-allocated space for allocating chunks.  With my
patches we were allowed to do the balance, which is technically correct.

The test is trying to start balance on degraded mount.  So now we're
trying to allocate a chunk and cannot because we want to allocate a
RAID1 chunk, but there's only 1 device that's available for usage.  This
results in an ENOSPC.

But we shouldn't even be making it this far, we don't have enough
devices to restripe.  The problem is we're using btrfs_num_devices(),
that also includes missing devices. That's not actually what we want, we
need to use rw_devices.

The chunk_mutex is not needed here, rw_devices changes only in device
add, remove or replace, all are excluded by EXCL_OP mechanism.

Fixes: e4d8ec0f65b9 ("Btrfs: implement online profile changing")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add stacktrace, update changelog, drop chunk_mutex ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/volumes.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -4066,7 +4066,11 @@ int btrfs_balance(struct btrfs_fs_info *
 		}
 	}
 
-	num_devices = btrfs_num_devices(fs_info);
+	/*
+	 * rw_devices will not change at the moment, device add/delete/replace
+	 * are excluded by EXCL_OP
+	 */
+	num_devices = fs_info->fs_devices->rw_devices;
 
 	/*
 	 * SINGLE profile on-disk has no profile bit, but in-memory we have a



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 089/222] Btrfs: always copy scrub arguments back to user space
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 088/222] btrfs: check rw_devices, not num_devices for balance Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 090/222] mm/memory_hotplug: dont free usage map when removing a re-added early section Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Graham Cobb, Johannes Thumshirn,
	Qu Wenruo, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit 5afe6ce748c1ea99e0d648153c05075e1ab93afb upstream.

If scrub returns an error we are not copying back the scrub arguments
structure to user space. This prevents user space to know how much
progress scrub has done if an error happened - this includes -ECANCELED
which is returned when users ask for scrub to stop. A particular use
case, which is used in btrfs-progs, is to resume scrub after it is
canceled, in that case it relies on checking the progress from the scrub
arguments structure and then use that progress in a call to resume
scrub.

So fix this by always copying the scrub arguments structure to user
space, overwriting the value returned to user space with -EFAULT only if
copying the structure failed to let user space know that either that
copying did not happen, and therefore the structure is stale, or it
happened partially and the structure is probably not valid and corrupt
due to the partial copy.

Reported-by: Graham Cobb <g.btrfs@cobb.uk.net>
Link: https://lore.kernel.org/linux-btrfs/d0a97688-78be-08de-ca7d-bcb4c7fb397e@cobb.uk.net/
Fixes: 06fe39ab15a6a4 ("Btrfs: do not overwrite scrub error with fault error in scrub ioctl")
CC: stable@vger.kernel.org # 5.1+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Tested-by: Graham Cobb <g.btrfs@cobb.uk.net>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ioctl.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4254,7 +4254,19 @@ static long btrfs_ioctl_scrub(struct fil
 			      &sa->progress, sa->flags & BTRFS_SCRUB_READONLY,
 			      0);
 
-	if (ret == 0 && copy_to_user(arg, sa, sizeof(*sa)))
+	/*
+	 * Copy scrub args to user space even if btrfs_scrub_dev() returned an
+	 * error. This is important as it allows user space to know how much
+	 * progress scrub has done. For example, if scrub is canceled we get
+	 * -ECANCELED from btrfs_scrub_dev() and return that error back to user
+	 * space. Later user space can inspect the progress from the structure
+	 * btrfs_ioctl_scrub_args and resume scrub from where it left off
+	 * previously (btrfs-progs does this).
+	 * If we fail to copy the btrfs_ioctl_scrub_args structure to user space
+	 * then return -EFAULT to signal the structure was not copied or it may
+	 * be corrupt and unreliable due to a partial copy.
+	 */
+	if (copy_to_user(arg, sa, sizeof(*sa)))
 		ret = -EFAULT;
 
 	if (!(sa->flags & BTRFS_SCRUB_READONLY))



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 090/222] mm/memory_hotplug: dont free usage map when removing a re-added early section
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 089/222] Btrfs: always copy scrub arguments back to user space Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 091/222] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Hildenbrand, Pingfan Liu,
	Dan Williams, Oscar Salvador, Michal Hocko, Andrew Morton,
	Linus Torvalds

From: David Hildenbrand <david@redhat.com>

commit 8068df3b60373c390198f660574ea14c8098de57 upstream.

When we remove an early section, we don't free the usage map, as the
usage maps of other sections are placed into the same page.  Once the
section is removed, it is no longer an early section (especially, the
memmap is freed).  When we re-add that section, the usage map is reused,
however, it is no longer an early section.  When removing that section
again, we try to kfree() a usage map that was allocated during early
boot - bad.

Let's check against PageReserved() to see if we are dealing with an
usage map that was allocated during boot.  We could also check against
!(PageSlab(usage_page) || PageCompound(usage_page)), but PageReserved() is
cleaner.

Can be triggered using memtrace under ppc64/powernv:

  $ mount -t debugfs none /sys/kernel/debug/
  $ echo 0x20000000 > /sys/kernel/debug/powerpc/memtrace/enable
  $ echo 0x20000000 > /sys/kernel/debug/powerpc/memtrace/enable
   ------------[ cut here ]------------
   kernel BUG at mm/slub.c:3969!
   Oops: Exception in kernel mode, sig: 5 [#1]
   LE PAGE_SIZE=3D64K MMU=3DHash SMP NR_CPUS=3D2048 NUMA PowerNV
   Modules linked in:
   CPU: 0 PID: 154 Comm: sh Not tainted 5.5.0-rc2-next-20191216-00005-g0be1dba7b7c0 #61
   NIP kfree+0x338/0x3b0
   LR section_deactivate+0x138/0x200
   Call Trace:
     section_deactivate+0x138/0x200
     __remove_pages+0x114/0x150
     arch_remove_memory+0x3c/0x160
     try_remove_memory+0x114/0x1a0
     __remove_memory+0x20/0x40
     memtrace_enable_set+0x254/0x850
     simple_attr_write+0x138/0x160
     full_proxy_write+0x8c/0x110
     __vfs_write+0x38/0x70
     vfs_write+0x11c/0x2a0
     ksys_write+0x84/0x140
     system_call+0x5c/0x68
   ---[ end trace 4b053cbd84e0db62 ]---

The first invocation will offline+remove memory blocks.  The second
invocation will first add+online them again, in order to offline+remove
them again (usually we are lucky and the exact same memory blocks will
get "reallocated").

Tested on powernv with boot memory: The usage map will not get freed.
Tested on x86-64 with DIMMs: The usage map will get freed.

Using Dynamic Memory under a Power DLAPR can trigger it easily.

Triggering removal (I assume after previously removed+re-added) of
memory from the HMC GUI can crash the kernel with the same call trace
and is fixed by this patch.

Link: http://lkml.kernel.org/r/20191217104637.5509-1-david@redhat.com
Fixes: 326e1b8f83a4 ("mm/sparsemem: introduce a SECTION_IS_EARLY flag")
Signed-off-by: David Hildenbrand <david@redhat.com>
Tested-by: Pingfan Liu <piliu@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/sparse.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/sparse.c
+++ b/mm/sparse.c
@@ -775,7 +775,14 @@ static void section_deactivate(unsigned
 	if (bitmap_empty(subsection_map, SUBSECTIONS_PER_SECTION)) {
 		unsigned long section_nr = pfn_to_section_nr(pfn);
 
-		if (!section_is_early) {
+		/*
+		 * When removing an early section, the usage map is kept (as the
+		 * usage maps of other sections fall into the same page). It
+		 * will be re-used when re-adding the section - which is then no
+		 * longer an early section. If the usage map is PageReserved, it
+		 * was allocated during boot.
+		 */
+		if (!PageReserved(virt_to_page(ms->usage))) {
 			kfree(ms->usage);
 			ms->usage = NULL;
 		}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 091/222] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 090/222] mm/memory_hotplug: dont free usage map when removing a re-added early section Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 092/222] mm: khugepaged: add trace status description for SCAN_PAGE_HAS_PRIVATE Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Andrew Morton, Qian Cai,
	Tejun Heo, Jens Axboe, Linus Torvalds

From: Wen Yang <wenyang@linux.alibaba.com>

commit 6d9e8c651dd979aa666bee15f086745f3ea9c4b3 upstream.

Patch series "use div64_ul() instead of div_u64() if the divisor is
unsigned long".

We were first inspired by commit b0ab99e7736a ("sched: Fix possible divide
by zero in avg_atom () calculation"), then refer to the recently analyzed
mm code, we found this suspicious place.

 201                 if (min) {
 202                         min *= this_bw;
 203                         do_div(min, tot_bw);
 204                 }

And we also disassembled and confirmed it:

  /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 201
  0xffffffff811c37da <__wb_calc_thresh+234>:      xor    %r10d,%r10d
  0xffffffff811c37dd <__wb_calc_thresh+237>:      test   %rax,%rax
  0xffffffff811c37e0 <__wb_calc_thresh+240>:      je 0xffffffff811c3800 <__wb_calc_thresh+272>
  /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 202
  0xffffffff811c37e2 <__wb_calc_thresh+242>:      imul   %r8,%rax
  /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 203
  0xffffffff811c37e6 <__wb_calc_thresh+246>:      mov    %r9d,%r10d    ---> truncates it to 32 bits here
  0xffffffff811c37e9 <__wb_calc_thresh+249>:      xor    %edx,%edx
  0xffffffff811c37eb <__wb_calc_thresh+251>:      div    %r10
  0xffffffff811c37ee <__wb_calc_thresh+254>:      imul   %rbx,%rax
  0xffffffff811c37f2 <__wb_calc_thresh+258>:      shr    $0x2,%rax
  0xffffffff811c37f6 <__wb_calc_thresh+262>:      mul    %rcx
  0xffffffff811c37f9 <__wb_calc_thresh+265>:      shr    $0x2,%rdx
  0xffffffff811c37fd <__wb_calc_thresh+269>:      mov    %rdx,%r10

This series uses div64_ul() instead of div_u64() if the divisor is
unsigned long, to avoid truncation to 32-bit on 64-bit platforms.

This patch (of 3):

The variables 'min' and 'max' are unsigned long and do_div truncates
them to 32 bits, which means it can test non-zero and be truncated to
zero for division.  Fix this issue by using div64_ul() instead.

Link: http://lkml.kernel.org/r/20200102081442.8273-2-wenyang@linux.alibaba.com
Fixes: 693108a8a667 ("writeback: make bdi->min/max_ratio handling cgroup writeback aware")
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Qian Cai <cai@lca.pw>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/page-writeback.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -201,11 +201,11 @@ static void wb_min_max_ratio(struct bdi_
 	if (this_bw < tot_bw) {
 		if (min) {
 			min *= this_bw;
-			do_div(min, tot_bw);
+			min = div64_ul(min, tot_bw);
 		}
 		if (max < 100) {
 			max *= this_bw;
-			do_div(max, tot_bw);
+			max = div64_ul(max, tot_bw);
 		}
 	}
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 092/222] mm: khugepaged: add trace status description for SCAN_PAGE_HAS_PRIVATE
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 091/222] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:27 ` [PATCH 5.4 093/222] ARM: dts: imx6qdl-sabresd: Remove incorrect power supply assignment Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Shi, Song Liu,
	Kirill A. Shutemov, Anshuman Khandual, Andrew Morton,
	Linus Torvalds

From: Yang Shi <yang.shi@linux.alibaba.com>

commit 554913f600b45d73de12ad58c1ac7baa0f22a703 upstream.

Commit 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem)
FS") introduced a new khugepaged scan result: SCAN_PAGE_HAS_PRIVATE, but
the corresponding description for trace events were not added.

Link: http://lkml.kernel.org/r/1574793844-2914-1-git-send-email-yang.shi@linux.alibaba.com
Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/trace/events/huge_memory.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/include/trace/events/huge_memory.h
+++ b/include/trace/events/huge_memory.h
@@ -31,7 +31,8 @@
 	EM( SCAN_ALLOC_HUGE_PAGE_FAIL,	"alloc_huge_page_failed")	\
 	EM( SCAN_CGROUP_CHARGE_FAIL,	"ccgroup_charge_failed")	\
 	EM( SCAN_EXCEED_SWAP_PTE,	"exceed_swap_pte")		\
-	EMe(SCAN_TRUNCATED,		"truncated")			\
+	EM( SCAN_TRUNCATED,		"truncated")			\
+	EMe(SCAN_PAGE_HAS_PRIVATE,	"page_has_private")		\
 
 #undef EM
 #undef EMe



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 093/222] ARM: dts: imx6qdl-sabresd: Remove incorrect power supply assignment
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 092/222] mm: khugepaged: add trace status description for SCAN_PAGE_HAS_PRIVATE Greg Kroah-Hartman
@ 2020-01-22  9:27 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 094/222] ARM: dts: imx6sx-sdb: " Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anson Huang, Shawn Guo

From: Anson Huang <Anson.Huang@nxp.com>

commit 4521de30fbb3f5be0db58de93582ebce72c9d44f upstream.

The vdd3p0 LDO's input should be from external USB VBUS directly, NOT
PMIC's power supply, the vdd3p0 LDO's target output voltage can be
controlled by SW, and it requires input voltage to be high enough, with
incorrect power supply assigned, if the power supply's voltage is lower
than the LDO target output voltage, it will return fail and skip the LDO
voltage adjustment, so remove the power supply assignment for vdd3p0 to
avoid such scenario.

Fixes: 93385546ba36 ("ARM: dts: imx6qdl-sabresd: Assign corresponding power supply for LDOs")
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6qdl-sabresd.dtsi |    4 ----
 1 file changed, 4 deletions(-)

--- a/arch/arm/boot/dts/imx6qdl-sabresd.dtsi
+++ b/arch/arm/boot/dts/imx6qdl-sabresd.dtsi
@@ -749,10 +749,6 @@
 	vin-supply = <&vgen5_reg>;
 };
 
-&reg_vdd3p0 {
-	vin-supply = <&sw2_reg>;
-};
-
 &reg_vdd2p5 {
 	vin-supply = <&vgen5_reg>;
 };



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 094/222] ARM: dts: imx6sx-sdb: Remove incorrect power supply assignment
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2020-01-22  9:27 ` [PATCH 5.4 093/222] ARM: dts: imx6qdl-sabresd: Remove incorrect power supply assignment Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 095/222] ARM: dts: imx6sl-evk: " Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anson Huang, Shawn Guo

From: Anson Huang <Anson.Huang@nxp.com>

commit d4918ebb5c256d26696a13e78ac68c146111191a upstream.

The vdd3p0 LDO's input should be from external USB VBUS directly, NOT
PMIC's power supply, the vdd3p0 LDO's target output voltage can be
controlled by SW, and it requires input voltage to be high enough, with
incorrect power supply assigned, if the power supply's voltage is lower
than the LDO target output voltage, it will return fail and skip the LDO
voltage adjustment, so remove the power supply assignment for vdd3p0 to
avoid such scenario.

Fixes: 37a4bdead109 ("ARM: dts: imx6sx-sdb: Assign corresponding power supply for LDOs")
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6sx-sdb-reva.dts |    4 ----
 arch/arm/boot/dts/imx6sx-sdb.dts      |    4 ----
 2 files changed, 8 deletions(-)

--- a/arch/arm/boot/dts/imx6sx-sdb-reva.dts
+++ b/arch/arm/boot/dts/imx6sx-sdb-reva.dts
@@ -159,10 +159,6 @@
 	vin-supply = <&vgen6_reg>;
 };
 
-&reg_vdd3p0 {
-	vin-supply = <&sw2_reg>;
-};
-
 &reg_vdd2p5 {
 	vin-supply = <&vgen6_reg>;
 };
--- a/arch/arm/boot/dts/imx6sx-sdb.dts
+++ b/arch/arm/boot/dts/imx6sx-sdb.dts
@@ -141,10 +141,6 @@
 	vin-supply = <&vgen6_reg>;
 };
 
-&reg_vdd3p0 {
-	vin-supply = <&sw2_reg>;
-};
-
 &reg_vdd2p5 {
 	vin-supply = <&vgen6_reg>;
 };



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 095/222] ARM: dts: imx6sl-evk: Remove incorrect power supply assignment
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 094/222] ARM: dts: imx6sx-sdb: " Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 096/222] ARM: dts: imx6sll-evk: " Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anson Huang, Shawn Guo

From: Anson Huang <Anson.Huang@nxp.com>

commit b4eb9ef0e29cd28c6fd684e0ab77bda824acb20e upstream.

The vdd3p0 LDO's input should be from external USB VBUS directly, NOT
PMIC's power supply, the vdd3p0 LDO's target output voltage can be
controlled by SW, and it requires input voltage to be high enough, with
incorrect power supply assigned, if the power supply's voltage is lower
than the LDO target output voltage, it will return fail and skip the LDO
voltage adjustment, so remove the power supply assignment for vdd3p0 to
avoid such scenario.

Fixes: 3feea8805d6f ("ARM: dts: imx6sl-evk: Assign corresponding power supply for LDOs")
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6sl-evk.dts |    4 ----
 1 file changed, 4 deletions(-)

--- a/arch/arm/boot/dts/imx6sl-evk.dts
+++ b/arch/arm/boot/dts/imx6sl-evk.dts
@@ -584,10 +584,6 @@
 	vin-supply = <&sw2_reg>;
 };
 
-&reg_vdd3p0 {
-	vin-supply = <&sw2_reg>;
-};
-
 &reg_vdd2p5 {
 	vin-supply = <&sw2_reg>;
 };



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 096/222] ARM: dts: imx6sll-evk: Remove incorrect power supply assignment
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 095/222] ARM: dts: imx6sl-evk: " Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 097/222] ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anson Huang, Shawn Guo

From: Anson Huang <Anson.Huang@nxp.com>

commit 3479b2843c78ffb60247f522226ba68f93aee355 upstream.

The vdd3p0 LDO's input should be from external USB VBUS directly, NOT
PMIC's power supply, the vdd3p0 LDO's target output voltage can be
controlled by SW, and it requires input voltage to be high enough, with
incorrect power supply assigned, if the power supply's voltage is lower
than the LDO target output voltage, it will return fail and skip the LDO
voltage adjustment, so remove the power supply assignment for vdd3p0 to
avoid such scenario.

Fixes: 96a9169cf621 ("ARM: dts: imx6sll-evk: Assign corresponding power supply for vdd3p0")
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6sll-evk.dts |    4 ----
 1 file changed, 4 deletions(-)

--- a/arch/arm/boot/dts/imx6sll-evk.dts
+++ b/arch/arm/boot/dts/imx6sll-evk.dts
@@ -265,10 +265,6 @@
 	status = "okay";
 };
 
-&reg_3p0 {
-	vin-supply = <&sw2_reg>;
-};
-
 &snvs_poweroff {
 	status = "okay";
 };



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 097/222] ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 096/222] ARM: dts: imx6sll-evk: " Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 098/222] ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jacopo Mondi, Michael Trimarchi,
	Jagan Teki, Shawn Guo

From: Jagan Teki <jagan@amarulasolutions.com>

commit 4a132f60808ae3a751e107a373f8572012352d3c upstream.

The EDIMM STARTER KIT i.Core 1.5 MIPI Evaluation is based on
the 1.5 version of the i.Core MX6 cpu module. The 1.5 version
differs from the original one for a few details, including the
ethernet PHY interface clock provider.

With this commit, the ethernet interface works properly:
SMSC LAN8710/LAN8720 2188000.ethernet-1:00: attached PHY driver

While before using the 1.5 version, ethernet failed to startup
do to un-clocked PHY interface:
fec 2188000.ethernet eth0: could not attach to PHY

Similar fix has merged for i.Core MX6Q but missed to update for DL.

Fixes: a8039f2dd089 ("ARM: dts: imx6dl: Add Engicam i.CoreM6 1.5 Quad/Dual MIPI starter kit support")
Cc: Jacopo Mondi <jacopo@jmondi.org>
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6dl-icore-mipi.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/imx6dl-icore-mipi.dts
+++ b/arch/arm/boot/dts/imx6dl-icore-mipi.dts
@@ -8,7 +8,7 @@
 /dts-v1/;
 
 #include "imx6dl.dtsi"
-#include "imx6qdl-icore.dtsi"
+#include "imx6qdl-icore-1.5.dtsi"
 
 / {
 	model = "Engicam i.CoreM6 DualLite/Solo MIPI Starter Kit";



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 098/222] ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 097/222] ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 099/222] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marcel Ziswiler, Shawn Guo

From: Marcel Ziswiler <marcel.ziswiler@toradex.com>

commit 4b0b97e651ecf29f20248420b52b6864fbd40bc2 upstream.

Turns out when introducing the eMMC version the gpmi node required for
NAND flash support got enabled exclusively on Colibri iMX7D 512MB.

Fixes: f928a4a377e4 ("ARM: dts: imx7: add Toradex Colibri iMX7D 1GB (eMMC) support")
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx7s-colibri.dtsi |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm/boot/dts/imx7s-colibri.dtsi
+++ b/arch/arm/boot/dts/imx7s-colibri.dtsi
@@ -49,3 +49,7 @@
 		reg = <0x80000000 0x10000000>;
 	};
 };
+
+&gpmi {
+	status = "okay";
+};



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 099/222] net: stmmac: 16KB buffer must be 16 byte aligned
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 098/222] ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 100/222] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jose Abreu, David S. Miller

From: Jose Abreu <Jose.Abreu@synopsys.com>

commit 8605131747e7e1fd8f6c9f97a00287aae2b2c640 upstream.

The 16KB RX Buffer must also be 16 byte aligned. Fix it.

Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/stmicro/stmmac/common.h |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -364,9 +364,8 @@ struct dma_features {
 	unsigned int arpoffsel;
 };
 
-/* GMAC TX FIFO is 8K, Rx FIFO is 16K */
-#define BUF_SIZE_16KiB 16384
-/* RX Buffer size must be < 8191 and multiple of 4/8/16 bytes */
+/* RX Buffer size must be multiple of 4/8/16 bytes */
+#define BUF_SIZE_16KiB 16368
 #define BUF_SIZE_8KiB 8188
 #define BUF_SIZE_4KiB 4096
 #define BUF_SIZE_2KiB 2048



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 100/222] net: stmmac: Enable 16KB buffer size
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 099/222] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 101/222] reset: Fix {of,devm}_reset_control_array_get kerneldoc return types Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jose Abreu, David S. Miller

From: Jose Abreu <Jose.Abreu@synopsys.com>

commit b2f3a481c4cd62f78391b836b64c0a6e72b503d2 upstream.

XGMAC supports maximum MTU that can go to 16KB. Lets add this check in
the calculation of RX buffer size.

Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -1108,7 +1108,9 @@ static int stmmac_set_bfsize(int mtu, in
 {
 	int ret = bufsize;
 
-	if (mtu >= BUF_SIZE_4KiB)
+	if (mtu >= BUF_SIZE_8KiB)
+		ret = BUF_SIZE_16KiB;
+	else if (mtu >= BUF_SIZE_4KiB)
 		ret = BUF_SIZE_8KiB;
 	else if (mtu >= BUF_SIZE_2KiB)
 		ret = BUF_SIZE_4KiB;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 101/222] reset: Fix {of,devm}_reset_control_array_get kerneldoc return types
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 100/222] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 102/222] tipc: fix potential hanging after b/rcast changing Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Philipp Zabel

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 723c0011c7f6992f57e2c629fa9c89141acc115f upstream.

of_reset_control_array_get() and devm_reset_control_array_get() return
struct reset_control pointers, not internal struct reset_control_array
pointers, just like all other reset control API calls.

Correct the kerneldoc to match the code.

Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/reset/core.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/reset/core.c
+++ b/drivers/reset/core.c
@@ -861,8 +861,7 @@ static int of_reset_control_get_count(st
  * @acquired: only one reset control may be acquired for a given controller
  *            and ID
  *
- * Returns pointer to allocated reset_control_array on success or
- * error on failure
+ * Returns pointer to allocated reset_control on success or error on failure
  */
 struct reset_control *
 of_reset_control_array_get(struct device_node *np, bool shared, bool optional,
@@ -915,8 +914,7 @@ EXPORT_SYMBOL_GPL(of_reset_control_array
  * that just have to be asserted or deasserted, without any
  * requirements on the order.
  *
- * Returns pointer to allocated reset_control_array on success or
- * error on failure
+ * Returns pointer to allocated reset_control on success or error on failure
  */
 struct reset_control *
 devm_reset_control_array_get(struct device *dev, bool shared, bool optional)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 102/222] tipc: fix potential hanging after b/rcast changing
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 101/222] reset: Fix {of,devm}_reset_control_array_get kerneldoc return types Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 103/222] tipc: fix retrans failure due to wrong destination Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Maloy, Tuong Lien, David S. Miller

From: Tuong Lien <tuong.t.lien@dektech.com.au>

commit dca4a17d24ee9d878836ce5eb8dc25be1ffa5729 upstream.

In commit c55c8edafa91 ("tipc: smooth change between replicast and
broadcast"), we allow instant switching between replicast and broadcast
by sending a dummy 'SYN' packet on the last used link to synchronize
packets on the links. The 'SYN' message is an object of link congestion
also, so if that happens, a 'SOCK_WAKEUP' will be scheduled to be sent
back to the socket...
However, in that commit, we simply use the same socket 'cong_link_cnt'
counter for both the 'SYN' & normal payload message sending. Therefore,
if both the replicast & broadcast links are congested, the counter will
be not updated correctly but overwritten by the latter congestion.
Later on, when the 'SOCK_WAKEUP' messages are processed, the counter is
reduced one by one and eventually overflowed. Consequently, further
activities on the socket will only wait for the false congestion signal
to disappear but never been met.

Because sending the 'SYN' message is vital for the mechanism, it should
be done anyway. This commit fixes the issue by marking the message with
an error code e.g. 'TIPC_ERR_NO_PORT', so its sending should not face a
link congestion, there is no need to touch the socket 'cong_link_cnt'
either. In addition, in the event of any error (e.g. -ENOBUFS), we will
purge the entire payload message queue and make a return immediately.

Fixes: c55c8edafa91 ("tipc: smooth change between replicast and broadcast")
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/tipc/bcast.c |   24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -305,17 +305,17 @@ static int tipc_rcast_xmit(struct net *n
  * @skb: socket buffer to copy
  * @method: send method to be used
  * @dests: destination nodes for message.
- * @cong_link_cnt: returns number of encountered congested destination links
  * Returns 0 if success, otherwise errno
  */
 static int tipc_mcast_send_sync(struct net *net, struct sk_buff *skb,
 				struct tipc_mc_method *method,
-				struct tipc_nlist *dests,
-				u16 *cong_link_cnt)
+				struct tipc_nlist *dests)
 {
 	struct tipc_msg *hdr, *_hdr;
 	struct sk_buff_head tmpq;
 	struct sk_buff *_skb;
+	u16 cong_link_cnt;
+	int rc = 0;
 
 	/* Is a cluster supporting with new capabilities ? */
 	if (!(tipc_net(net)->capabilities & TIPC_MCAST_RBCTL))
@@ -343,18 +343,19 @@ static int tipc_mcast_send_sync(struct n
 	_hdr = buf_msg(_skb);
 	msg_set_size(_hdr, MCAST_H_SIZE);
 	msg_set_is_rcast(_hdr, !msg_is_rcast(hdr));
+	msg_set_errcode(_hdr, TIPC_ERR_NO_PORT);
 
 	__skb_queue_head_init(&tmpq);
 	__skb_queue_tail(&tmpq, _skb);
 	if (method->rcast)
-		tipc_bcast_xmit(net, &tmpq, cong_link_cnt);
+		rc = tipc_bcast_xmit(net, &tmpq, &cong_link_cnt);
 	else
-		tipc_rcast_xmit(net, &tmpq, dests, cong_link_cnt);
+		rc = tipc_rcast_xmit(net, &tmpq, dests, &cong_link_cnt);
 
 	/* This queue should normally be empty by now */
 	__skb_queue_purge(&tmpq);
 
-	return 0;
+	return rc;
 }
 
 /* tipc_mcast_xmit - deliver message to indicated destination nodes
@@ -396,9 +397,14 @@ int tipc_mcast_xmit(struct net *net, str
 		msg_set_is_rcast(hdr, method->rcast);
 
 		/* Switch method ? */
-		if (rcast != method->rcast)
-			tipc_mcast_send_sync(net, skb, method,
-					     dests, cong_link_cnt);
+		if (rcast != method->rcast) {
+			rc = tipc_mcast_send_sync(net, skb, method, dests);
+			if (unlikely(rc)) {
+				pr_err("Unable to send SYN: method %d, rc %d\n",
+				       rcast, rc);
+				goto exit;
+			}
+		}
 
 		if (method->rcast)
 			rc = tipc_rcast_xmit(net, pkts, dests, cong_link_cnt);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 103/222] tipc: fix retrans failure due to wrong destination
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 102/222] tipc: fix potential hanging after b/rcast changing Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 104/222] net: fix kernel-doc warning in <linux/netdevice.h> Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Maloy, Tuong Lien, David S. Miller

From: Tuong Lien <tuong.t.lien@dektech.com.au>

commit abc9b4e0549b93fdaff56e9532bc49a2d7b04955 upstream.

When a user message is sent, TIPC will check if the socket has faced a
congestion at link layer. If that happens, it will make a sleep to wait
for the congestion to disappear. This leaves a gap for other users to
take over the socket (e.g. multi threads) since the socket is released
as well. Also, in case of connectionless (e.g. SOCK_RDM), user is free
to send messages to various destinations (e.g. via 'sendto()'), then
the socket's preformatted header has to be updated correspondingly
prior to the actual payload message building.

Unfortunately, the latter action is done before the first action which
causes a condition issue that the destination of a certain message can
be modified incorrectly in the middle, leading to wrong destination
when that message is built. Consequently, when the message is sent to
the link layer, it gets stuck there forever because the peer node will
simply reject it. After a number of retransmission attempts, the link
is eventually taken down and the retransmission failure is reported.

This commit fixes the problem by rearranging the order of actions to
prevent the race condition from occurring, so the message building is
'atomic' and its header will not be modified by anyone.

Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion")
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/tipc/socket.c |   32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1306,8 +1306,8 @@ static int __tipc_sendmsg(struct socket
 	struct tipc_msg *hdr = &tsk->phdr;
 	struct tipc_name_seq *seq;
 	struct sk_buff_head pkts;
-	u32 dport, dnode = 0;
-	u32 type, inst;
+	u32 dport = 0, dnode = 0;
+	u32 type = 0, inst = 0;
 	int mtu, rc;
 
 	if (unlikely(dlen > TIPC_MAX_USER_MSG_SIZE))
@@ -1360,23 +1360,11 @@ static int __tipc_sendmsg(struct socket
 		type = dest->addr.name.name.type;
 		inst = dest->addr.name.name.instance;
 		dnode = dest->addr.name.domain;
-		msg_set_type(hdr, TIPC_NAMED_MSG);
-		msg_set_hdr_sz(hdr, NAMED_H_SIZE);
-		msg_set_nametype(hdr, type);
-		msg_set_nameinst(hdr, inst);
-		msg_set_lookup_scope(hdr, tipc_node2scope(dnode));
 		dport = tipc_nametbl_translate(net, type, inst, &dnode);
-		msg_set_destnode(hdr, dnode);
-		msg_set_destport(hdr, dport);
 		if (unlikely(!dport && !dnode))
 			return -EHOSTUNREACH;
 	} else if (dest->addrtype == TIPC_ADDR_ID) {
 		dnode = dest->addr.id.node;
-		msg_set_type(hdr, TIPC_DIRECT_MSG);
-		msg_set_lookup_scope(hdr, 0);
-		msg_set_destnode(hdr, dnode);
-		msg_set_destport(hdr, dest->addr.id.ref);
-		msg_set_hdr_sz(hdr, BASIC_H_SIZE);
 	} else {
 		return -EINVAL;
 	}
@@ -1387,6 +1375,22 @@ static int __tipc_sendmsg(struct socket
 	if (unlikely(rc))
 		return rc;
 
+	if (dest->addrtype == TIPC_ADDR_NAME) {
+		msg_set_type(hdr, TIPC_NAMED_MSG);
+		msg_set_hdr_sz(hdr, NAMED_H_SIZE);
+		msg_set_nametype(hdr, type);
+		msg_set_nameinst(hdr, inst);
+		msg_set_lookup_scope(hdr, tipc_node2scope(dnode));
+		msg_set_destnode(hdr, dnode);
+		msg_set_destport(hdr, dport);
+	} else { /* TIPC_ADDR_ID */
+		msg_set_type(hdr, TIPC_DIRECT_MSG);
+		msg_set_lookup_scope(hdr, 0);
+		msg_set_destnode(hdr, dnode);
+		msg_set_destport(hdr, dest->addr.id.ref);
+		msg_set_hdr_sz(hdr, BASIC_H_SIZE);
+	}
+
 	__skb_queue_head_init(&pkts);
 	mtu = tipc_node_get_mtu(net, dnode, tsk->portid);
 	rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 104/222] net: fix kernel-doc warning in <linux/netdevice.h>
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 103/222] tipc: fix retrans failure due to wrong destination Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 105/222] block: Fix the type of sts in bsg_queue_rq() Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Taehee Yoo, David S. Miller

From: Randy Dunlap <rdunlap@infradead.org>

commit 1f26c0d3d24125992ab0026b0dab16c08df947c7 upstream.

Fix missing '*' kernel-doc notation that causes this warning:

../include/linux/netdevice.h:1779: warning: bad line:                                 spinlock

Fixes: ab92d68fc22f ("net: core: add generic lockdep keys")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/netdevice.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1761,7 +1761,7 @@ enum netdev_priv_flags {
  *			for hardware timestamping
  *	@sfp_bus:	attached &struct sfp_bus structure.
  *	@qdisc_tx_busylock_key: lockdep class annotating Qdisc->busylock
-				spinlock
+ *				spinlock
  *	@qdisc_running_key:	lockdep class annotating Qdisc->running seqcount
  *	@qdisc_xmit_lock_key:	lockdep class annotating
  *				netdev_queue->_xmit_lock spinlock



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 105/222] block: Fix the type of sts in bsg_queue_rq()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 104/222] net: fix kernel-doc warning in <linux/netdevice.h> Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 106/222] drm/amd/display: Reorder detect_edp_sink_caps before link settings read Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Wilck, Bart Van Assche, Jens Axboe

From: Bart Van Assche <bvanassche@acm.org>

commit c44a4edb20938c85b64a256661443039f5bffdea upstream.

This patch fixes the following sparse warnings:

block/bsg-lib.c:269:19: warning: incorrect type in initializer (different base types)
block/bsg-lib.c:269:19:    expected int sts
block/bsg-lib.c:269:19:    got restricted blk_status_t [usertype]
block/bsg-lib.c:286:16: warning: incorrect type in return expression (different base types)
block/bsg-lib.c:286:16:    expected restricted blk_status_t
block/bsg-lib.c:286:16:    got int [assigned] sts

Cc: Martin Wilck <mwilck@suse.com>
Fixes: d46fe2cb2dce ("block: drop device references in bsg_queue_rq()")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/bsg-lib.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/block/bsg-lib.c
+++ b/block/bsg-lib.c
@@ -266,7 +266,7 @@ static blk_status_t bsg_queue_rq(struct
 	struct request *req = bd->rq;
 	struct bsg_set *bset =
 		container_of(q->tag_set, struct bsg_set, tag_set);
-	int sts = BLK_STS_IOERR;
+	blk_status_t sts = BLK_STS_IOERR;
 	int ret;
 
 	blk_mq_start_request(req);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 106/222] drm/amd/display: Reorder detect_edp_sink_caps before link settings read.
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 105/222] block: Fix the type of sts in bsg_queue_rq() Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 107/222] bpf: Fix incorrect verifier simulation of ARSH under ALU32 Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harry Wentland, Mario Kleiner,
	Martin Leung, Alex Deucher, Sasha Levin

From: Mario Kleiner <mario.kleiner.de@gmail.com>

[ Upstream commit 3b7c59754cc22760760a84ebddb8e0b1e8dd871b ]

read_current_link_settings_on_detect() on eDP 1.4+ may use the
edp_supported_link_rates table which is set up by
detect_edp_sink_caps(), so that function needs to be called first.

Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Martin Leung <martin.leung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
index 793aa8e8ec9a..c0f1c62c59b4 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
@@ -809,8 +809,8 @@ bool dc_link_detect(struct dc_link *link, enum dc_detect_reason reason)
 		}
 
 		case SIGNAL_TYPE_EDP: {
-			read_edp_current_link_settings_on_detect(link);
 			detect_edp_sink_caps(link);
+			read_edp_current_link_settings_on_detect(link);
 			sink_caps.transaction_type =
 				DDC_TRANSACTION_TYPE_I2C_OVER_AUX;
 			sink_caps.signal = SIGNAL_TYPE_EDP;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 238+ messages in thread

* [PATCH 5.4 107/222] bpf: Fix incorrect verifier simulation of ARSH under ALU32
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 106/222] drm/amd/display: Reorder detect_edp_sink_caps before link settings read Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 108/222] bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anatoly Trosinenko, Daniel Borkmann,
	Yonghong Song, Alexei Starovoitov

From: Daniel Borkmann <daniel@iogearbox.net>

commit 0af2ffc93a4b50948f9dad2786b7f1bd253bf0b9 upstream.

Anatoly has been fuzzing with kBdysch harness and reported a hang in one
of the outcomes:

  0: R1=ctx(id=0,off=0,imm=0) R10=fp0
  0: (85) call bpf_get_socket_cookie#46
  1: R0_w=invP(id=0) R10=fp0
  1: (57) r0 &= 808464432
  2: R0_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0
  2: (14) w0 -= 810299440
  3: R0_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0
  3: (c4) w0 s>>= 1
  4: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0
  4: (76) if w0 s>= 0x30303030 goto pc+216
  221: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0
  221: (95) exit
  processed 6 insns (limit 1000000) [...]

Taking a closer look, the program was xlated as follows:

  # ./bpftool p d x i 12
  0: (85) call bpf_get_socket_cookie#7800896
  1: (bf) r6 = r0
  2: (57) r6 &= 808464432
  3: (14) w6 -= 810299440
  4: (c4) w6 s>>= 1
  5: (76) if w6 s>= 0x30303030 goto pc+216
  6: (05) goto pc-1
  7: (05) goto pc-1
  8: (05) goto pc-1
  [...]
  220: (05) goto pc-1
  221: (05) goto pc-1
  222: (95) exit

Meaning, the visible effect is very similar to f54c7898ed1c ("bpf: Fix
precision tracking for unbounded scalars"), that is, the fall-through
branch in the instruction 5 is considered to be never taken given the
conclusion from the min/max bounds tracking in w6, and therefore the
dead-code sanitation rewrites it as goto pc-1. However, real-life input
disagrees with verification analysis since a soft-lockup was observed.

The bug sits in the analysis of the ARSH. The definition is that we shift
the target register value right by K bits through shifting in copies of
its sign bit. In adjust_scalar_min_max_vals(), we do first coerce the
register into 32 bit mode, same happens after simulating the operation.
However, for the case of simulating the actual ARSH, we don't take the
mode into account and act as if it's always 64 bit, but location of sign
bit is different:

  dst_reg->smin_value >>= umin_val;
  dst_reg->smax_value >>= umin_val;
  dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val);

Consider an unknown R0 where bpf_get_socket_cookie() (or others) would
for example return 0xffff. With the above ARSH simulation, we'd see the
following results:

  [...]
  1: R1=ctx(id=0,off=0,imm=0) R2_w=invP65535 R10=fp0
  1: (85) call bpf_get_socket_cookie#46
  2: R0_w=invP(id=0) R10=fp0
  2: (57) r0 &= 808464432
    -> R0_runtime = 0x3030
  3: R0_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0
  3: (14) w0 -= 810299440
    -> R0_runtime = 0xcfb40000
  4: R0_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0
                              (0xffffffff)
  4: (c4) w0 s>>= 1
    -> R0_runtime = 0xe7da0000
  5: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0
                              (0x67c00000)           (0x7ffbfff8)
  [...]

In insn 3, we have a runtime value of 0xcfb40000, which is '1100 1111 1011
0100 0000 0000 0000 0000', the result after the shift has 0xe7da0000 that
is '1110 0111 1101 1010 0000 0000 0000 0000', where the sign bit is correctly
retained in 32 bit mode. In insn4, the umax was 0xffffffff, and changed into
0x7ffbfff8 after the shift, that is, '0111 1111 1111 1011 1111 1111 1111 1000'
and means here that the simulation didn't retain the sign bit. With above
logic, the updates happen on the 64 bit min/max bounds and given we coerced
the register, the sign bits of the bounds are cleared as well, meaning, we
need to force the simulation into s32 space for 32 bit alu mode.

Verification after the fix below. We're first analyzing the fall-through branch
on 32 bit signed >= test eventually leading to rejection of the program in this
specific case:

  0: R1=ctx(id=0,off=0,imm=0) R10=fp0
  0: (b7) r2 = 808464432
  1: R1=ctx(id=0,off=0,imm=0) R2_w=invP808464432 R10=fp0
  1: (85) call bpf_get_socket_cookie#46
  2: R0_w=invP(id=0) R10=fp0
  2: (bf) r6 = r0
  3: R0_w=invP(id=0) R6_w=invP(id=0) R10=fp0
  3: (57) r6 &= 808464432
  4: R0_w=invP(id=0) R6_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0
  4: (14) w6 -= 810299440
  5: R0_w=invP(id=0) R6_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0
  5: (c4) w6 s>>= 1
  6: R0_w=invP(id=0) R6_w=invP(id=0,umin_value=3888119808,umax_value=4294705144,var_off=(0xe7c00000; 0x183bfff8)) R10=fp0
                                              (0x67c00000)          (0xfffbfff8)
  6: (76) if w6 s>= 0x30303030 goto pc+216
  7: R0_w=invP(id=0) R6_w=invP(id=0,umin_value=3888119808,umax_value=4294705144,var_off=(0xe7c00000; 0x183bfff8)) R10=fp0
  7: (30) r0 = *(u8 *)skb[808464432]
  BPF_LD_[ABS|IND] uses reserved fields
  processed 8 insns (limit 1000000) [...]

Fixes: 9cbe1f5a32dc ("bpf/verifier: improve register value range tracking with ARSH")
Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200115204733.16648-1-daniel@iogearbox.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/tnum.h  |    2 +-
 kernel/bpf/tnum.c     |    9 +++++++--
 kernel/bpf/verifier.c |   13 ++++++++++---
 3 files changed, 18 insertions(+), 6 deletions(-)

--- a/include/linux/tnum.h
+++ b/include/linux/tnum.h
@@ -30,7 +30,7 @@ struct tnum tnum_lshift(struct tnum a, u
 /* Shift (rsh) a tnum right (by a fixed shift) */
 struct tnum tnum_rshift(struct tnum a, u8 shift);
 /* Shift (arsh) a tnum right (by a fixed min_shift) */
-struct tnum tnum_arshift(struct tnum a, u8 min_shift);
+struct tnum tnum_arshift(struct tnum a, u8 min_shift, u8 insn_bitness);
 /* Add two tnums, return @a + @b */
 struct tnum tnum_add(struct tnum a, struct tnum b);
 /* Subtract two tnums, return @a - @b */
--- a/kernel/bpf/tnum.c
+++ b/kernel/bpf/tnum.c
@@ -44,14 +44,19 @@ struct tnum tnum_rshift(struct tnum a, u
 	return TNUM(a.value >> shift, a.mask >> shift);
 }
 
-struct tnum tnum_arshift(struct tnum a, u8 min_shift)
+struct tnum tnum_arshift(struct tnum a, u8 min_shift, u8 insn_bitness)
 {
 	/* if a.value is negative, arithmetic shifting by minimum shift
 	 * will have larger negative offset compared to more shifting.
 	 * If a.value is nonnegative, arithmetic shifting by minimum shift
 	 * will have larger positive offset compare to more shifting.
 	 */
-	return TNUM((s64)a.value >> min_shift, (s64)a.mask >> min_shift);
+	if (insn_bitness == 32)
+		return TNUM((u32)(((s32)a.value) >> min_shift),
+			    (u32)(((s32)a.mask)  >> min_shift));
+	else
+		return TNUM((s64)a.value >> min_shift,
+			    (s64)a.mask  >> min_shift);
 }
 
 struct tnum tnum_add(struct tnum a, struct tnum b)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4824,9 +4824,16 @@ static int adjust_scalar_min_max_vals(st
 		/* Upon reaching here, src_known is true and
 		 * umax_val is equal to umin_val.
 		 */
-		dst_reg->smin_value >>= umin_val;
-		dst_reg->smax_value >>= umin_val;
-		dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val);
+		if (insn_bitness == 32) {
+			dst_reg->smin_value = (u32)(((s32)dst_reg->smin_value) >> umin_val);
+			dst_reg->smax_value = (u32)(((s32)dst_reg->smax_value) >> umin_val);
+		} else {
+			dst_reg->smin_value >>= umin_val;
+			dst_reg->smax_value >>= umin_val;
+		}
+
+		dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val,
+						insn_bitness);
 
 		/* blow away the dst_reg umin_value/umax_value and rely on
 		 * dst_reg var_off to refine the result.



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 108/222] bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 107/222] bpf: Fix incorrect verifier simulation of ARSH under ALU32 Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 109/222] bpf: Sockmap, ensure sock lock held during tear down Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+83979935eb6304f8cd46,
	John Fastabend, Daniel Borkmann, Jakub Sitnicki, Song Liu

From: John Fastabend <john.fastabend@gmail.com>

commit 4da6a196f93b1af7612340e8c1ad8ce71e18f955 upstream.

When a sockmap is free'd and a socket in the map is enabled with tls
we tear down the bpf context on the socket, the psock struct and state,
and then call tcp_update_ulp(). The tcp_update_ulp() call is to inform
the tls stack it needs to update its saved sock ops so that when the tls
socket is later destroyed it doesn't try to call the now destroyed psock
hooks.

This is about keeping stacked ULPs in good shape so they always have
the right set of stacked ops.

However, recently unhash() hook was removed from TLS side. But, the
sockmap/bpf side is not doing any extra work to update the unhash op
when is torn down instead expecting TLS side to manage it. So both
TLS and sockmap believe the other side is managing the op and instead
no one updates the hook so it continues to point at tcp_bpf_unhash().
When unhash hook is called we call tcp_bpf_unhash() which detects the
psock has already been destroyed and calls sk->sk_prot_unhash() which
calls tcp_bpf_unhash() yet again and so on looping and hanging the core.

To fix have sockmap tear down logic fixup the stale pointer.

Fixes: 5d92e631b8be ("net/tls: partially revert fix transition through disconnect with close")
Reported-by: syzbot+83979935eb6304f8cd46@syzkaller.appspotmail.com
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Acked-by: Song Liu <songliubraving@fb.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20200111061206.8028-2-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/skmsg.h |    1 +
 1 file changed, 1 insertion(+)

--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -354,6 +354,7 @@ static inline void sk_psock_update_proto
 static inline void sk_psock_restore_proto(struct sock *sk,
 					  struct sk_psock *psock)
 {
+	sk->sk_prot->unhash = psock->saved_unhash;
 	sk->sk_write_space = psock->saved_write_space;
 
 	if (psock->sk_proto) {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 109/222] bpf: Sockmap, ensure sock lock held during tear down
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 108/222] bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 110/222] bpf: Sockmap/tls, push write_space updates through ulp updates Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Daniel Borkmann, Song Liu

From: John Fastabend <john.fastabend@gmail.com>

commit 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b upstream.

The sock_map_free() and sock_hash_free() paths used to delete sockmap
and sockhash maps walk the maps and destroy psock and bpf state associated
with the socks in the map. When done the socks no longer have BPF programs
attached and will function normally. This can happen while the socks in
the map are still "live" meaning data may be sent/received during the walk.

Currently, though we don't take the sock_lock when the psock and bpf state
is removed through this path. Specifically, this means we can be writing
into the ops structure pointers such as sendmsg, sendpage, recvmsg, etc.
while they are also being called from the networking side. This is not
safe, we never used proper READ_ONCE/WRITE_ONCE semantics here if we
believed it was safe. Further its not clear to me its even a good idea
to try and do this on "live" sockets while networking side might also
be using the socket. Instead of trying to reason about using the socks
from both sides lets realize that every use case I'm aware of rarely
deletes maps, in fact kubernetes/Cilium case builds map at init and
never tears it down except on errors. So lets do the simple fix and
grab sock lock.

This patch wraps sock deletes from maps in sock lock and adds some
annotations so we catch any other cases easier.

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20200111061206.8028-3-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/skmsg.c    |    2 ++
 net/core/sock_map.c |    7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -594,6 +594,8 @@ EXPORT_SYMBOL_GPL(sk_psock_destroy);
 
 void sk_psock_drop(struct sock *sk, struct sk_psock *psock)
 {
+	sock_owned_by_me(sk);
+
 	sk_psock_cork_free(psock);
 	sk_psock_zap_ingress(psock);
 
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -241,8 +241,11 @@ static void sock_map_free(struct bpf_map
 		struct sock *sk;
 
 		sk = xchg(psk, NULL);
-		if (sk)
+		if (sk) {
+			lock_sock(sk);
 			sock_map_unref(sk, psk);
+			release_sock(sk);
+		}
 	}
 	raw_spin_unlock_bh(&stab->lock);
 	rcu_read_unlock();
@@ -862,7 +865,9 @@ static void sock_hash_free(struct bpf_ma
 		raw_spin_lock_bh(&bucket->lock);
 		hlist_for_each_entry_safe(elem, node, &bucket->head, node) {
 			hlist_del_rcu(&elem->node);
+			lock_sock(elem->sk);
 			sock_map_unref(elem->sk, elem);
+			release_sock(elem->sk);
 		}
 		raw_spin_unlock_bh(&bucket->lock);
 	}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 110/222] bpf: Sockmap/tls, push write_space updates through ulp updates
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 109/222] bpf: Sockmap, ensure sock lock held during tear down Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 111/222] bpf: Sockmap, skmsg helper overestimates push, pull, and pop bounds Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Daniel Borkmann,
	Jakub Sitnicki, Jonathan Lemon

From: John Fastabend <john.fastabend@gmail.com>

commit 33bfe20dd7117dd81fd896a53f743a233e1ad64f upstream.

When sockmap sock with TLS enabled is removed we cleanup bpf/psock state
and call tcp_update_ulp() to push updates to TLS ULP on top. However, we
don't push the write_space callback up and instead simply overwrite the
op with the psock stored previous op. This may or may not be correct so
to ensure we don't overwrite the TLS write space hook pass this field to
the ULP and have it fixup the ctx.

This completes a previous fix that pushed the ops through to the ULP
but at the time missed doing this for write_space, presumably because
write_space TLS hook was added around the same time.

Fixes: 95fa145479fbc ("bpf: sockmap/tls, close can race with map free")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20200111061206.8028-4-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/skmsg.h |   12 ++++++++----
 include/net/tcp.h     |    6 ++++--
 net/ipv4/tcp_ulp.c    |    6 ++++--
 net/tls/tls_main.c    |   10 +++++++---
 4 files changed, 23 insertions(+), 11 deletions(-)

--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -355,17 +355,21 @@ static inline void sk_psock_restore_prot
 					  struct sk_psock *psock)
 {
 	sk->sk_prot->unhash = psock->saved_unhash;
-	sk->sk_write_space = psock->saved_write_space;
 
 	if (psock->sk_proto) {
 		struct inet_connection_sock *icsk = inet_csk(sk);
 		bool has_ulp = !!icsk->icsk_ulp_data;
 
-		if (has_ulp)
-			tcp_update_ulp(sk, psock->sk_proto);
-		else
+		if (has_ulp) {
+			tcp_update_ulp(sk, psock->sk_proto,
+				       psock->saved_write_space);
+		} else {
 			sk->sk_prot = psock->sk_proto;
+			sk->sk_write_space = psock->saved_write_space;
+		}
 		psock->sk_proto = NULL;
+	} else {
+		sk->sk_write_space = psock->saved_write_space;
 	}
 }
 
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2132,7 +2132,8 @@ struct tcp_ulp_ops {
 	/* initialize ulp */
 	int (*init)(struct sock *sk);
 	/* update ulp */
-	void (*update)(struct sock *sk, struct proto *p);
+	void (*update)(struct sock *sk, struct proto *p,
+		       void (*write_space)(struct sock *sk));
 	/* cleanup ulp */
 	void (*release)(struct sock *sk);
 	/* diagnostic */
@@ -2147,7 +2148,8 @@ void tcp_unregister_ulp(struct tcp_ulp_o
 int tcp_set_ulp(struct sock *sk, const char *name);
 void tcp_get_available_ulp(char *buf, size_t len);
 void tcp_cleanup_ulp(struct sock *sk);
-void tcp_update_ulp(struct sock *sk, struct proto *p);
+void tcp_update_ulp(struct sock *sk, struct proto *p,
+		    void (*write_space)(struct sock *sk));
 
 #define MODULE_ALIAS_TCP_ULP(name)				\
 	__MODULE_INFO(alias, alias_userspace, name);		\
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -96,17 +96,19 @@ void tcp_get_available_ulp(char *buf, si
 	rcu_read_unlock();
 }
 
-void tcp_update_ulp(struct sock *sk, struct proto *proto)
+void tcp_update_ulp(struct sock *sk, struct proto *proto,
+		    void (*write_space)(struct sock *sk))
 {
 	struct inet_connection_sock *icsk = inet_csk(sk);
 
 	if (!icsk->icsk_ulp_ops) {
+		sk->sk_write_space = write_space;
 		sk->sk_prot = proto;
 		return;
 	}
 
 	if (icsk->icsk_ulp_ops->update)
-		icsk->icsk_ulp_ops->update(sk, proto);
+		icsk->icsk_ulp_ops->update(sk, proto, write_space);
 }
 
 void tcp_cleanup_ulp(struct sock *sk)
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -798,15 +798,19 @@ out:
 	return rc;
 }
 
-static void tls_update(struct sock *sk, struct proto *p)
+static void tls_update(struct sock *sk, struct proto *p,
+		       void (*write_space)(struct sock *sk))
 {
 	struct tls_context *ctx;
 
 	ctx = tls_get_ctx(sk);
-	if (likely(ctx))
+	if (likely(ctx)) {
+		ctx->sk_write_space = write_space;
 		ctx->sk_proto = p;
-	else
+	} else {
 		sk->sk_prot = p;
+		sk->sk_write_space = write_space;
+	}
 }
 
 static int tls_get_info(const struct sock *sk, struct sk_buff *skb)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 111/222] bpf: Sockmap, skmsg helper overestimates push, pull, and pop bounds
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 110/222] bpf: Sockmap/tls, push write_space updates through ulp updates Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 112/222] bpf: Sockmap/tls, msg_push_data may leave end mark in place Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Daniel Borkmann, Song Liu

From: John Fastabend <john.fastabend@gmail.com>

commit 6562e29cf6f0ddd368657d97a8d484ffc30df5ef upstream.

In the push, pull, and pop helpers operating on skmsg objects to make
data writable or insert/remove data we use this bounds check to ensure
specified data is valid,

 /* Bounds checks: start and pop must be inside message */
 if (start >= offset + l || last >= msg->sg.size)
     return -EINVAL;

The problem here is offset has already included the length of the
current element the 'l' above. So start could be past the end of
the scatterlist element in the case where start also points into an
offset on the last skmsg element.

To fix do the accounting slightly different by adding the length of
the previous entry to offset at the start of the iteration. And
ensure its initialized to zero so that the first iteration does
nothing.

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Fixes: 6fff607e2f14b ("bpf: sk_msg program helper bpf_msg_push_data")
Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20200111061206.8028-5-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/filter.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2231,10 +2231,10 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
 	/* First find the starting scatterlist element */
 	i = msg->sg.start;
 	do {
+		offset += len;
 		len = sk_msg_elem(msg, i)->length;
 		if (start < offset + len)
 			break;
-		offset += len;
 		sk_msg_iter_var_next(i);
 	} while (i != msg->sg.end);
 
@@ -2346,7 +2346,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
 	   u32, len, u64, flags)
 {
 	struct scatterlist sge, nsge, nnsge, rsge = {0}, *psge;
-	u32 new, i = 0, l, space, copy = 0, offset = 0;
+	u32 new, i = 0, l = 0, space, copy = 0, offset = 0;
 	u8 *raw, *to, *from;
 	struct page *page;
 
@@ -2356,11 +2356,11 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
 	/* First find the starting scatterlist element */
 	i = msg->sg.start;
 	do {
+		offset += l;
 		l = sk_msg_elem(msg, i)->length;
 
 		if (start < offset + l)
 			break;
-		offset += l;
 		sk_msg_iter_var_next(i);
 	} while (i != msg->sg.end);
 
@@ -2506,7 +2506,7 @@ static void sk_msg_shift_right(struct sk
 BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
 	   u32, len, u64, flags)
 {
-	u32 i = 0, l, space, offset = 0;
+	u32 i = 0, l = 0, space, offset = 0;
 	u64 last = start + len;
 	int pop;
 
@@ -2516,11 +2516,11 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_m
 	/* First find the starting scatterlist element */
 	i = msg->sg.start;
 	do {
+		offset += l;
 		l = sk_msg_elem(msg, i)->length;
 
 		if (start < offset + l)
 			break;
-		offset += l;
 		sk_msg_iter_var_next(i);
 	} while (i != msg->sg.end);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 112/222] bpf: Sockmap/tls, msg_push_data may leave end mark in place
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 111/222] bpf: Sockmap, skmsg helper overestimates push, pull, and pop bounds Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 113/222] bpf: Sockmap/tls, tls_sw can create a plaintext buf > encrypt buf Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Daniel Borkmann, Song Liu

From: John Fastabend <john.fastabend@gmail.com>

commit cf21e9ba1eb86c9333ca5b05b2f1cc94021bcaef upstream.

Leaving an incorrect end mark in place when passing to crypto
layer will cause crypto layer to stop processing data before
all data is encrypted. To fix clear the end mark on push
data instead of expecting users of the helper to clear the
mark value after the fact.

This happens when we push data into the middle of a skmsg and
have room for it so we don't do a set of copies that already
clear the end flag.

Fixes: 6fff607e2f14b ("bpf: sk_msg program helper bpf_msg_push_data")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20200111061206.8028-6-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/filter.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2415,6 +2415,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
 
 		sk_msg_iter_var_next(i);
 		sg_unmark_end(psge);
+		sg_unmark_end(&rsge);
 		sk_msg_iter_next(msg, end);
 	}
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 113/222] bpf: Sockmap/tls, tls_sw can create a plaintext buf > encrypt buf
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 112/222] bpf: Sockmap/tls, msg_push_data may leave end mark in place Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 114/222] bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Daniel Borkmann,
	Jonathan Lemon

From: John Fastabend <john.fastabend@gmail.com>

commit d468e4775c1c351616947ba0cccc43273963b9b5 upstream.

It is possible to build a plaintext buffer using push helper that is larger
than the allocated encrypt buffer. When this record is pushed to crypto
layers this can result in a NULL pointer dereference because the crypto
API expects the encrypt buffer is large enough to fit the plaintext
buffer. Kernel splat below.

To resolve catch the cases this can happen and split the buffer into two
records to send individually. Unfortunately, there is still one case to
handle where the split creates a zero sized buffer. In this case we merge
the buffers and unmark the split. This happens when apply is zero and user
pushed data beyond encrypt buffer. This fixes the original case as well
because the split allocated an encrypt buffer larger than the plaintext
buffer and the merge simply moves the pointers around so we now have
a reference to the new (larger) encrypt buffer.

Perhaps its not ideal but it seems the best solution for a fixes branch
and avoids handling these two cases, (a) apply that needs split and (b)
non apply case. The are edge cases anyways so optimizing them seems not
necessary unless someone wants later in next branches.

[  306.719107] BUG: kernel NULL pointer dereference, address: 0000000000000008
[...]
[  306.747260] RIP: 0010:scatterwalk_copychunks+0x12f/0x1b0
[...]
[  306.770350] Call Trace:
[  306.770956]  scatterwalk_map_and_copy+0x6c/0x80
[  306.772026]  gcm_enc_copy_hash+0x4b/0x50
[  306.772925]  gcm_hash_crypt_remain_continue+0xef/0x110
[  306.774138]  gcm_hash_crypt_continue+0xa1/0xb0
[  306.775103]  ? gcm_hash_crypt_continue+0xa1/0xb0
[  306.776103]  gcm_hash_assoc_remain_continue+0x94/0xa0
[  306.777170]  gcm_hash_assoc_continue+0x9d/0xb0
[  306.778239]  gcm_hash_init_continue+0x8f/0xa0
[  306.779121]  gcm_hash+0x73/0x80
[  306.779762]  gcm_encrypt_continue+0x6d/0x80
[  306.780582]  crypto_gcm_encrypt+0xcb/0xe0
[  306.781474]  crypto_aead_encrypt+0x1f/0x30
[  306.782353]  tls_push_record+0x3b9/0xb20 [tls]
[  306.783314]  ? sk_psock_msg_verdict+0x199/0x300
[  306.784287]  bpf_exec_tx_verdict+0x3f2/0x680 [tls]
[  306.785357]  tls_sw_sendmsg+0x4a3/0x6a0 [tls]

test_sockmap test signature to trigger bug,

[TEST]: (1, 1, 1, sendmsg, pass,redir,start 1,end 2,pop (1,2),ktls,):

Fixes: d3b18ad31f93d ("tls: add bpf support to sk_msg handling")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20200111061206.8028-7-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/tls/tls_sw.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -677,12 +677,32 @@ static int tls_push_record(struct sock *
 
 	split_point = msg_pl->apply_bytes;
 	split = split_point && split_point < msg_pl->sg.size;
+	if (unlikely((!split &&
+		      msg_pl->sg.size +
+		      prot->overhead_size > msg_en->sg.size) ||
+		     (split &&
+		      split_point +
+		      prot->overhead_size > msg_en->sg.size))) {
+		split = true;
+		split_point = msg_en->sg.size;
+	}
 	if (split) {
 		rc = tls_split_open_record(sk, rec, &tmp, msg_pl, msg_en,
 					   split_point, prot->overhead_size,
 					   &orig_end);
 		if (rc < 0)
 			return rc;
+		/* This can happen if above tls_split_open_record allocates
+		 * a single large encryption buffer instead of two smaller
+		 * ones. In this case adjust pointers and continue without
+		 * split.
+		 */
+		if (!msg_pl->sg.size) {
+			tls_merge_open_record(sk, rec, tmp, orig_end);
+			msg_pl = &rec->msg_plaintext;
+			msg_en = &rec->msg_encrypted;
+			split = false;
+		}
 		sk_msg_trim(sk, msg_en, msg_pl->sg.size +
 			    prot->overhead_size);
 	}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 114/222] bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 113/222] bpf: Sockmap/tls, tls_sw can create a plaintext buf > encrypt buf Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 115/222] bpf: Sockmap/tls, fix pop data with SK_DROP return code Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Daniel Borkmann,
	Jonathan Lemon

From: John Fastabend <john.fastabend@gmail.com>

commit 9aaaa56845a06aeabdd597cbe19492dc01f281ec upstream.

Its possible through a set of push, pop, apply helper calls to construct
a skmsg, which is just a ring of scatterlist elements, with the start
value larger than the end value. For example,

      end       start
  |_0_|_1_| ... |_n_|_n+1_|

Where end points at 1 and start points and n so that valid elements is
the set {n, n+1, 0, 1}.

Currently, because we don't build the correct chain only {n, n+1} will
be sent. This adds a check and sg_chain call to correctly submit the
above to the crypto and tls send path.

Fixes: d3b18ad31f93d ("tls: add bpf support to sk_msg handling")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20200111061206.8028-8-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/tls/tls_sw.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -724,6 +724,12 @@ static int tls_push_record(struct sock *
 		sg_mark_end(sk_msg_elem(msg_pl, i));
 	}
 
+	if (msg_pl->sg.end < msg_pl->sg.start) {
+		sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
+			 MAX_SKB_FRAGS - msg_pl->sg.start + 1,
+			 msg_pl->sg.data);
+	}
+
 	i = msg_pl->sg.start;
 	sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 115/222] bpf: Sockmap/tls, fix pop data with SK_DROP return code
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 114/222] bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 116/222] i2c: tegra: Fix suspending in active runtime PM state Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Daniel Borkmann,
	Jonathan Lemon

From: John Fastabend <john.fastabend@gmail.com>

commit 7361d44896ff20d48bdd502d1a0cd66308055d45 upstream.

When user returns SK_DROP we need to reset the number of copied bytes
to indicate to the user the bytes were dropped and not sent. If we
don't reset the copied arg sendmsg will return as if those bytes were
copied giving the user a positive return value.

This works as expected today except in the case where the user also
pops bytes. In the pop case the sg.size is reduced but we don't correctly
account for this when copied bytes is reset. The popped bytes are not
accounted for and we return a small positive value potentially confusing
the user.

The reason this happens is due to a typo where we do the wrong comparison
when accounting for pop bytes. In this fix notice the if/else is not
needed and that we have a similar problem if we push data except its not
visible to the user because if delta is larger the sg.size we return a
negative value so it appears as an error regardless.

Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20200111061206.8028-9-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/tcp_bpf.c |    5 +----
 net/tls/tls_sw.c   |    5 +----
 2 files changed, 2 insertions(+), 8 deletions(-)

--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -315,10 +315,7 @@ more_data:
 		 */
 		delta = msg->sg.size;
 		psock->eval = sk_psock_msg_verdict(sk, psock, msg);
-		if (msg->sg.size < delta)
-			delta -= msg->sg.size;
-		else
-			delta = 0;
+		delta -= msg->sg.size;
 	}
 
 	if (msg->cork_bytes &&
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -804,10 +804,7 @@ more_data:
 	if (psock->eval == __SK_NONE) {
 		delta = msg->sg.size;
 		psock->eval = sk_psock_msg_verdict(sk, psock, msg);
-		if (delta < msg->sg.size)
-			delta -= msg->sg.size;
-		else
-			delta = 0;
+		delta -= msg->sg.size;
 	}
 	if (msg->cork_bytes && msg->cork_bytes > msg->sg.size &&
 	    !enospc && !full_record) {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 116/222] i2c: tegra: Fix suspending in active runtime PM state
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 115/222] bpf: Sockmap/tls, fix pop data with SK_DROP return code Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 117/222] i2c: tegra: Properly disable runtime PM on drivers probe error Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thierry Reding, Dmitry Osipenko,
	Wolfram Sang

From: Dmitry Osipenko <digetx@gmail.com>

commit 9f42de8d4ec2304f10bbc51dc0484f3503d61196 upstream.

I noticed that sometime I2C clock is kept enabled during suspend-resume.
This happens because runtime PM defers dynamic suspension and thus it may
happen that runtime PM is in active state when system enters into suspend.
In particular I2C controller that is used for CPU's DVFS is often kept ON
during suspend because CPU's voltage scaling happens quite often.

Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
Cc: <stable@vger.kernel.org> # v5.4+
Tested-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/busses/i2c-tegra.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -1710,9 +1710,14 @@ static int tegra_i2c_remove(struct platf
 static int __maybe_unused tegra_i2c_suspend(struct device *dev)
 {
 	struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
+	int err;
 
 	i2c_mark_adapter_suspended(&i2c_dev->adapter);
 
+	err = pm_runtime_force_suspend(dev);
+	if (err < 0)
+		return err;
+
 	return 0;
 }
 
@@ -1733,6 +1738,10 @@ static int __maybe_unused tegra_i2c_resu
 	if (err)
 		return err;
 
+	err = pm_runtime_force_resume(dev);
+	if (err < 0)
+		return err;
+
 	i2c_mark_adapter_resumed(&i2c_dev->adapter);
 
 	return 0;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 117/222] i2c: tegra: Properly disable runtime PM on drivers probe error
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 116/222] i2c: tegra: Fix suspending in active runtime PM state Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 118/222] cfg80211: fix deadlocks in autodisconnect work Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thierry Reding, Dmitry Osipenko,
	Wolfram Sang

From: Dmitry Osipenko <digetx@gmail.com>

commit 24a49678f5e20f18006e71b90ac1531876b27eb1 upstream.

One of the recent Tegra I2C commits made a change that resumes runtime PM
during driver's probe, but it missed to put the RPM in a case of error.
Note that it's not correct to use pm_runtime_status_suspended because it
breaks RPM refcounting.

Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
Cc: <stable@vger.kernel.org> # v5.4+
Tested-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/busses/i2c-tegra.c |   29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -1608,14 +1608,18 @@ static int tegra_i2c_probe(struct platfo
 	}
 
 	pm_runtime_enable(&pdev->dev);
-	if (!pm_runtime_enabled(&pdev->dev))
+	if (!pm_runtime_enabled(&pdev->dev)) {
 		ret = tegra_i2c_runtime_resume(&pdev->dev);
-	else
+		if (ret < 0) {
+			dev_err(&pdev->dev, "runtime resume failed\n");
+			goto unprepare_div_clk;
+		}
+	} else {
 		ret = pm_runtime_get_sync(i2c_dev->dev);
-
-	if (ret < 0) {
-		dev_err(&pdev->dev, "runtime resume failed\n");
-		goto unprepare_div_clk;
+		if (ret < 0) {
+			dev_err(&pdev->dev, "runtime resume failed\n");
+			goto disable_rpm;
+		}
 	}
 
 	if (i2c_dev->is_multimaster_mode) {
@@ -1623,7 +1627,7 @@ static int tegra_i2c_probe(struct platfo
 		if (ret < 0) {
 			dev_err(i2c_dev->dev, "div_clk enable failed %d\n",
 				ret);
-			goto disable_rpm;
+			goto put_rpm;
 		}
 	}
 
@@ -1671,11 +1675,16 @@ disable_div_clk:
 	if (i2c_dev->is_multimaster_mode)
 		clk_disable(i2c_dev->div_clk);
 
-disable_rpm:
-	pm_runtime_disable(&pdev->dev);
-	if (!pm_runtime_status_suspended(&pdev->dev))
+put_rpm:
+	if (pm_runtime_enabled(&pdev->dev))
+		pm_runtime_put_sync(&pdev->dev);
+	else
 		tegra_i2c_runtime_suspend(&pdev->dev);
 
+disable_rpm:
+	if (pm_runtime_enabled(&pdev->dev))
+		pm_runtime_disable(&pdev->dev);
+
 unprepare_div_clk:
 	clk_unprepare(i2c_dev->div_clk);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 118/222] cfg80211: fix deadlocks in autodisconnect work
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 117/222] i2c: tegra: Properly disable runtime PM on drivers probe error Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 119/222] cfg80211: fix memory leak in nl80211_probe_mesh_link Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Markus Theil, Johannes Berg

From: Markus Theil <markus.theil@tu-ilmenau.de>

commit 5a128a088a2ab0b5190eeb232b5aa0b1017a0317 upstream.

Use methods which do not try to acquire the wdev lock themselves.

Cc: stable@vger.kernel.org
Fixes: 37b1c004685a3 ("cfg80211: Support all iftypes in autodisconnect_wk")
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Link: https://lore.kernel.org/r/20200108115536.2262-1-markus.theil@tu-ilmenau.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/sme.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -1307,14 +1307,14 @@ void cfg80211_autodisconnect_wk(struct w
 	if (wdev->conn_owner_nlportid) {
 		switch (wdev->iftype) {
 		case NL80211_IFTYPE_ADHOC:
-			cfg80211_leave_ibss(rdev, wdev->netdev, false);
+			__cfg80211_leave_ibss(rdev, wdev->netdev, false);
 			break;
 		case NL80211_IFTYPE_AP:
 		case NL80211_IFTYPE_P2P_GO:
-			cfg80211_stop_ap(rdev, wdev->netdev, false);
+			__cfg80211_stop_ap(rdev, wdev->netdev, false);
 			break;
 		case NL80211_IFTYPE_MESH_POINT:
-			cfg80211_leave_mesh(rdev, wdev->netdev);
+			__cfg80211_leave_mesh(rdev, wdev->netdev);
 			break;
 		case NL80211_IFTYPE_STATION:
 		case NL80211_IFTYPE_P2P_CLIENT:



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 119/222] cfg80211: fix memory leak in nl80211_probe_mesh_link
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 118/222] cfg80211: fix deadlocks in autodisconnect work Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 120/222] cfg80211: fix memory leak in cfg80211_cqm_rssi_update Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit 2a279b34169e9bbf7c240691466420aba75b4175 upstream.

The per-tid statistics need to be released after the call to rdev_get_station

Cc: stable@vger.kernel.org
Fixes: 5ab92e7fe49a ("cfg80211: add support to probe unexercised mesh link")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20200108170630.33680-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/nl80211.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13787,6 +13787,8 @@ static int nl80211_probe_mesh_link(struc
 	if (err)
 		return err;
 
+	cfg80211_sinfo_release_content(&sinfo);
+
 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 120/222] cfg80211: fix memory leak in cfg80211_cqm_rssi_update
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 119/222] cfg80211: fix memory leak in nl80211_probe_mesh_link Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 121/222] cfg80211: fix page refcount issue in A-MSDU decap Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit df16737d438f534d0cc9948c7c5158f1986c5c87 upstream.

The per-tid statistics need to be released after the call to rdev_get_station

Cc: stable@vger.kernel.org
Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20200108170630.33680-2-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/nl80211.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10834,6 +10834,7 @@ static int cfg80211_cqm_rssi_update(stru
 		if (err)
 			return err;
 
+		cfg80211_sinfo_release_content(&sinfo);
 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
 			wdev->cqm_config->last_rssi_event_value =
 				(s8) sinfo.rx_beacon_signal_avg;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 121/222] cfg80211: fix page refcount issue in A-MSDU decap
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 120/222] cfg80211: fix memory leak in cfg80211_cqm_rssi_update Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 122/222] bpf/sockmap: Read psock ingress_msg before sk_receive_queue Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit 81c044fc3bdc5b7be967cd3682528ea94b58c06a upstream.

The fragments attached to a skb can be part of a compound page. In that case,
page_ref_inc will increment the refcount for the wrong page. Fix this by
using get_page instead, which calls page_ref_inc on the compound head and
also checks for overflow.

Fixes: 2b67f944f88c ("cfg80211: reuse existing page fragments in A-MSDU rx")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20200113182107.20461-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/util.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -564,7 +564,7 @@ __frame_add_frag(struct sk_buff *skb, st
 	struct skb_shared_info *sh = skb_shinfo(skb);
 	int page_offset;
 
-	page_ref_inc(page);
+	get_page(page);
 	page_offset = ptr - page_address(page);
 	skb_add_rx_frag(skb, sh->nr_frags, page, page_offset, len, size);
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 122/222] bpf/sockmap: Read psock ingress_msg before sk_receive_queue
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 121/222] cfg80211: fix page refcount issue in A-MSDU decap Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 123/222] i2c: iop3xx: Fix memory leak in probe error path Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arika Chen, Lingpeng Chen,
	John Fastabend, Daniel Borkmann, Song Liu

From: Lingpeng Chen <forrest0579@gmail.com>

commit e7a5f1f1cd0008e5ad379270a8657e121eedb669 upstream.

Right now in tcp_bpf_recvmsg, sock read data first from sk_receive_queue
if not empty than psock->ingress_msg otherwise. If a FIN packet arrives
and there's also some data in psock->ingress_msg, the data in
psock->ingress_msg will be purged. It is always happen when request to a
HTTP1.0 server like python SimpleHTTPServer since the server send FIN
packet after data is sent out.

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Reported-by: Arika Chen <eaglesora@gmail.com>
Suggested-by: Arika Chen <eaglesora@gmail.com>
Signed-off-by: Lingpeng Chen <forrest0579@gmail.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20200109014833.18951-1-forrest0579@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/tcp_bpf.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -121,14 +121,14 @@ int tcp_bpf_recvmsg(struct sock *sk, str
 	struct sk_psock *psock;
 	int copied, ret;
 
-	if (unlikely(flags & MSG_ERRQUEUE))
-		return inet_recv_error(sk, msg, len, addr_len);
-	if (!skb_queue_empty(&sk->sk_receive_queue))
-		return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len);
-
 	psock = sk_psock_get(sk);
 	if (unlikely(!psock))
 		return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len);
+	if (unlikely(flags & MSG_ERRQUEUE))
+		return inet_recv_error(sk, msg, len, addr_len);
+	if (!skb_queue_empty(&sk->sk_receive_queue) &&
+	    sk_psock_queue_empty(psock))
+		return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len);
 	lock_sock(sk);
 msg_bytes_ready:
 	copied = __tcp_bpf_recvmsg(sk, psock, msg, len, flags);
@@ -139,7 +139,7 @@ msg_bytes_ready:
 		timeo = sock_rcvtimeo(sk, nonblock);
 		data = tcp_bpf_wait_data(sk, psock, flags, timeo, &err);
 		if (data) {
-			if (skb_queue_empty(&sk->sk_receive_queue))
+			if (!sk_psock_queue_empty(psock))
 				goto msg_bytes_ready;
 			release_sock(sk);
 			sk_psock_put(sk, psock);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 123/222] i2c: iop3xx: Fix memory leak in probe error path
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 122/222] bpf/sockmap: Read psock ingress_msg before sk_receive_queue Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 124/222] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Dan Carpenter,
	Krzysztof Kozlowski, Wolfram Sang

From: Krzysztof Kozlowski <krzk@kernel.org>

commit e64175776d06a8ceebbfd349d7e66a4a46ca39ef upstream.

When handling devm_gpiod_get_optional() errors, free the memory already
allocated.  This fixes Smatch warnings:

    drivers/i2c/busses/i2c-iop3xx.c:437 iop3xx_i2c_probe() warn: possible memory leak of 'new_adapter'
    drivers/i2c/busses/i2c-iop3xx.c:442 iop3xx_i2c_probe() warn: possible memory leak of 'new_adapter'

Fixes: fdb7e884ad61 ("i2c: iop: Use GPIO descriptors")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/busses/i2c-iop3xx.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/i2c/busses/i2c-iop3xx.c
+++ b/drivers/i2c/busses/i2c-iop3xx.c
@@ -433,13 +433,17 @@ iop3xx_i2c_probe(struct platform_device
 	adapter_data->gpio_scl = devm_gpiod_get_optional(&pdev->dev,
 							 "scl",
 							 GPIOD_ASIS);
-	if (IS_ERR(adapter_data->gpio_scl))
-		return PTR_ERR(adapter_data->gpio_scl);
+	if (IS_ERR(adapter_data->gpio_scl)) {
+		ret = PTR_ERR(adapter_data->gpio_scl);
+		goto free_both;
+	}
 	adapter_data->gpio_sda = devm_gpiod_get_optional(&pdev->dev,
 							 "sda",
 							 GPIOD_ASIS);
-	if (IS_ERR(adapter_data->gpio_sda))
-		return PTR_ERR(adapter_data->gpio_sda);
+	if (IS_ERR(adapter_data->gpio_sda)) {
+		ret = PTR_ERR(adapter_data->gpio_sda);
+		goto free_both;
+	}
 
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	if (!res) {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 124/222] netfilter: fix a use-after-free in mtype_destroy()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 123/222] i2c: iop3xx: Fix memory leak in probe error path Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 125/222] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+4c3cc6dbe7259dbf9054,
	Jozsef Kadlecsik, Cong Wang, Pablo Neira Ayuso

From: Cong Wang <xiyou.wangcong@gmail.com>

commit c120959387efa51479056fd01dc90adfba7a590c upstream.

map->members is freed by ip_set_free() right before using it in
mtype_ext_cleanup() again. So we just have to move it down.

Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/ipset/ip_set_bitmap_gen.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
+++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
@@ -60,9 +60,9 @@ mtype_destroy(struct ip_set *set)
 	if (SET_WITH_TIMEOUT(set))
 		del_timer_sync(&map->gc);
 
-	ip_set_free(map->members);
 	if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
 		mtype_ext_cleanup(set);
+	ip_set_free(map->members);
 	ip_set_free(map);
 
 	set->data = NULL;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 125/222] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 124/222] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 126/222] netfilter: nat: fix ICMP header corruption on ICMP errors Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+91bdd8eece0f6629ec8b,
	Florian Westphal, Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.

An earlier commit (1b789577f655060d98d20e,
"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct")
fixed missing net initialization for arptables, but turns out it was
incomplete.  We can get a very similar struct net NULL deref during
error unwinding:

general protection fault: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
 xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
 cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
 translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
 do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
 do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461

Also init the netns pointer in xt_tgdtor_param struct.

Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/netfilter/arp_tables.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -496,12 +496,13 @@ static inline int check_entry_size_and_h
 	return 0;
 }
 
-static inline void cleanup_entry(struct arpt_entry *e)
+static void cleanup_entry(struct arpt_entry *e, struct net *net)
 {
 	struct xt_tgdtor_param par;
 	struct xt_entry_target *t;
 
 	t = arpt_get_target(e);
+	par.net      = net;
 	par.target   = t->u.kernel.target;
 	par.targinfo = t->data;
 	par.family   = NFPROTO_ARP;
@@ -584,7 +585,7 @@ static int translate_table(struct net *n
 		xt_entry_foreach(iter, entry0, newinfo->size) {
 			if (i-- == 0)
 				break;
-			cleanup_entry(iter);
+			cleanup_entry(iter, net);
 		}
 		return ret;
 	}
@@ -927,7 +928,7 @@ static int __do_replace(struct net *net,
 	/* Decrease module usage counts and free resource */
 	loc_cpu_old_entry = oldinfo->entries;
 	xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
-		cleanup_entry(iter);
+		cleanup_entry(iter, net);
 
 	xt_free_table_info(oldinfo);
 	if (copy_to_user(counters_ptr, counters,
@@ -990,7 +991,7 @@ static int do_replace(struct net *net, c
 
  free_newinfo_untrans:
 	xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
-		cleanup_entry(iter);
+		cleanup_entry(iter, net);
  free_newinfo:
 	xt_free_table_info(newinfo);
 	return ret;
@@ -1287,7 +1288,7 @@ static int compat_do_replace(struct net
 
  free_newinfo_untrans:
 	xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
-		cleanup_entry(iter);
+		cleanup_entry(iter, net);
  free_newinfo:
 	xt_free_table_info(newinfo);
 	return ret;
@@ -1514,7 +1515,7 @@ static int do_arpt_get_ctl(struct sock *
 	return ret;
 }
 
-static void __arpt_unregister_table(struct xt_table *table)
+static void __arpt_unregister_table(struct net *net, struct xt_table *table)
 {
 	struct xt_table_info *private;
 	void *loc_cpu_entry;
@@ -1526,7 +1527,7 @@ static void __arpt_unregister_table(stru
 	/* Decrease module usage counts and free resources */
 	loc_cpu_entry = private->entries;
 	xt_entry_foreach(iter, loc_cpu_entry, private->size)
-		cleanup_entry(iter);
+		cleanup_entry(iter, net);
 	if (private->number > private->initial_entries)
 		module_put(table_owner);
 	xt_free_table_info(private);
@@ -1566,7 +1567,7 @@ int arpt_register_table(struct net *net,
 
 	ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
 	if (ret != 0) {
-		__arpt_unregister_table(new_table);
+		__arpt_unregister_table(net, new_table);
 		*res = NULL;
 	}
 
@@ -1581,7 +1582,7 @@ void arpt_unregister_table(struct net *n
 			   const struct nf_hook_ops *ops)
 {
 	nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
-	__arpt_unregister_table(table);
+	__arpt_unregister_table(net, table);
 }
 
 /* The built-in targets: standard (NULL) and error. */



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 126/222] netfilter: nat: fix ICMP header corruption on ICMP errors
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 125/222] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 127/222] netfilter: nft_tunnel: fix null-attribute check Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shmulik Ladkani, Eyal Birger,
	Florian Westphal, Pablo Neira Ayuso

From: Eyal Birger <eyal.birger@gmail.com>

commit 61177e911dad660df86a4553eb01c95ece2f6a82 upstream.

Commit 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts")
made nf_nat_icmp_reply_translation() use icmp_manip_pkt() as the l4
manipulation function for the outer packet on ICMP errors.

However, icmp_manip_pkt() assumes the packet has an 'id' field which
is not correct for all types of ICMP messages.

This is not correct for ICMP error packets, and leads to bogus bytes
being written the ICMP header, which can be wrongfully regarded as
'length' bytes by RFC 4884 compliant receivers.

Fix by assigning the 'id' field only for ICMP messages that have this
semantic.

Reported-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Fixes: 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts")
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_nat_proto.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/net/netfilter/nf_nat_proto.c
+++ b/net/netfilter/nf_nat_proto.c
@@ -233,6 +233,19 @@ icmp_manip_pkt(struct sk_buff *skb,
 		return false;
 
 	hdr = (struct icmphdr *)(skb->data + hdroff);
+	switch (hdr->type) {
+	case ICMP_ECHO:
+	case ICMP_ECHOREPLY:
+	case ICMP_TIMESTAMP:
+	case ICMP_TIMESTAMPREPLY:
+	case ICMP_INFO_REQUEST:
+	case ICMP_INFO_REPLY:
+	case ICMP_ADDRESS:
+	case ICMP_ADDRESSREPLY:
+		break;
+	default:
+		return true;
+	}
 	inet_proto_csum_replace2(&hdr->checksum, skb,
 				 hdr->un.echo.id, tuple->src.u.icmp.id, false);
 	hdr->un.echo.id = tuple->src.u.icmp.id;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 127/222] netfilter: nft_tunnel: fix null-attribute check
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 126/222] netfilter: nat: fix ICMP header corruption on ICMP errors Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 128/222] netfilter: nft_tunnel: ERSPAN_VERSION must not be null Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+76d0b80493ac881ff77b,
	Florian Westphal, Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed upstream.

else we get null deref when one of the attributes is missing, both
must be non-null.

Reported-by: syzbot+76d0b80493ac881ff77b@syzkaller.appspotmail.com
Fixes: aaecfdb5c5dd8ba ("netfilter: nf_tables: match on tunnel metadata")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nft_tunnel.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -76,7 +76,7 @@ static int nft_tunnel_get_init(const str
 	struct nft_tunnel *priv = nft_expr_priv(expr);
 	u32 len;
 
-	if (!tb[NFTA_TUNNEL_KEY] &&
+	if (!tb[NFTA_TUNNEL_KEY] ||
 	    !tb[NFTA_TUNNEL_DREG])
 		return -EINVAL;
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 128/222] netfilter: nft_tunnel: ERSPAN_VERSION must not be null
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 127/222] netfilter: nft_tunnel: fix null-attribute check Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 129/222] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Westphal, Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 9ec22d7c6c69146180577f3ad5fdf504beeaee62 upstream.

Fixes: af308b94a2a4a5 ("netfilter: nf_tables: add tunnel support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nft_tunnel.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -266,6 +266,9 @@ static int nft_tunnel_obj_erspan_init(co
 	if (err < 0)
 		return err;
 
+	if (!tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])
+		 return -EINVAL;
+
 	version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
 	switch (version) {
 	case ERSPAN_VERSION:



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 129/222] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 128/222] netfilter: nft_tunnel: ERSPAN_VERSION must not be null Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 130/222] netfilter: nf_tables: store transaction list locally while requesting module Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+0e63ae76d117ae1c3a01,
	Florian Westphal, Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 9332d27d7918182add34e8043f6a754530fdd022 upstream.

This WARN can trigger because some of the names fed to the module
autoload function can be of arbitrary length.

Remove the WARN and add limits for all NLA_STRING attributes.

Reported-by: syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com
Fixes: 452238e8d5ffd8 ("netfilter: nf_tables: add and use helper for module autoload")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_tables_api.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -22,6 +22,8 @@
 #include <net/net_namespace.h>
 #include <net/sock.h>
 
+#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
+
 static LIST_HEAD(nf_tables_expressions);
 static LIST_HEAD(nf_tables_objects);
 static LIST_HEAD(nf_tables_flowtables);
@@ -521,7 +523,7 @@ static void nft_request_module(struct ne
 	va_start(args, fmt);
 	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
 	va_end(args);
-	if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
+	if (ret >= MODULE_NAME_LEN)
 		return;
 
 	mutex_unlock(&net->nft.commit_mutex);
@@ -1174,7 +1176,8 @@ static const struct nla_policy nft_chain
 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
 	[NFTA_CHAIN_HOOK]	= { .type = NLA_NESTED },
 	[NFTA_CHAIN_POLICY]	= { .type = NLA_U32 },
-	[NFTA_CHAIN_TYPE]	= { .type = NLA_STRING },
+	[NFTA_CHAIN_TYPE]	= { .type = NLA_STRING,
+				    .len = NFT_MODULE_AUTOLOAD_LIMIT },
 	[NFTA_CHAIN_COUNTERS]	= { .type = NLA_NESTED },
 	[NFTA_CHAIN_FLAGS]	= { .type = NLA_U32 },
 };
@@ -2088,7 +2091,8 @@ static const struct nft_expr_type *nft_e
 }
 
 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
-	[NFTA_EXPR_NAME]	= { .type = NLA_STRING },
+	[NFTA_EXPR_NAME]	= { .type = NLA_STRING,
+				    .len = NFT_MODULE_AUTOLOAD_LIMIT },
 	[NFTA_EXPR_DATA]	= { .type = NLA_NESTED },
 };
 
@@ -3931,7 +3935,8 @@ static const struct nla_policy nft_set_e
 	[NFTA_SET_ELEM_USERDATA]	= { .type = NLA_BINARY,
 					    .len = NFT_USERDATA_MAXLEN },
 	[NFTA_SET_ELEM_EXPR]		= { .type = NLA_NESTED },
-	[NFTA_SET_ELEM_OBJREF]		= { .type = NLA_STRING },
+	[NFTA_SET_ELEM_OBJREF]		= { .type = NLA_STRING,
+					    .len = NFT_OBJ_MAXNAMELEN - 1 },
 };
 
 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 130/222] netfilter: nf_tables: store transaction list locally while requesting module
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 129/222] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 131/222] netfilter: nf_tables: fix flowtable list del corruption Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marco Oliverio, Pablo Neira Ayuso

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 upstream.

This patch fixes a WARN_ON in nft_set_destroy() due to missing
set reference count drop from the preparation phase. This is triggered
by the module autoload path. Do not exercise the abort path from
nft_request_module() while preparation phase cleaning up is still
pending.

 WARNING: CPU: 3 PID: 3456 at net/netfilter/nf_tables_api.c:3740 nft_set_destroy+0x45/0x50 [nf_tables]
 [...]
 CPU: 3 PID: 3456 Comm: nft Not tainted 5.4.6-arch3-1 #1
 RIP: 0010:nft_set_destroy+0x45/0x50 [nf_tables]
 Code: e8 30 eb 83 c6 48 8b 85 80 00 00 00 48 8b b8 90 00 00 00 e8 dd 6b d7 c5 48 8b 7d 30 e8 24 dd eb c5 48 89 ef 5d e9 6b c6 e5 c5 <0f> 0b c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 7f 10 e9 52
 RSP: 0018:ffffac4f43e53700 EFLAGS: 00010202
 RAX: 0000000000000001 RBX: ffff99d63a154d80 RCX: 0000000001f88e03
 RDX: 0000000001f88c03 RSI: ffff99d6560ef0c0 RDI: ffff99d63a101200
 RBP: ffff99d617721de0 R08: 0000000000000000 R09: 0000000000000318
 R10: 00000000f0000000 R11: 0000000000000001 R12: ffffffff880fabf0
 R13: dead000000000122 R14: dead000000000100 R15: ffff99d63a154d80
 FS:  00007ff3dbd5b740(0000) GS:ffff99d6560c0000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00001cb5de6a9000 CR3: 000000016eb6a004 CR4: 00000000001606e0
 Call Trace:
  __nf_tables_abort+0x3e3/0x6d0 [nf_tables]
  nft_request_module+0x6f/0x110 [nf_tables]
  nft_expr_type_request_module+0x28/0x50 [nf_tables]
  nf_tables_expr_parse+0x198/0x1f0 [nf_tables]
  nft_expr_init+0x3b/0xf0 [nf_tables]
  nft_dynset_init+0x1e2/0x410 [nf_tables]
  nf_tables_newrule+0x30a/0x930 [nf_tables]
  nfnetlink_rcv_batch+0x2a0/0x640 [nfnetlink]
  nfnetlink_rcv+0x125/0x171 [nfnetlink]
  netlink_unicast+0x179/0x210
  netlink_sendmsg+0x208/0x3d0
  sock_sendmsg+0x5e/0x60
  ____sys_sendmsg+0x21b/0x290

Update comment on the code to describe the new behaviour.

Reported-by: Marco Oliverio <marco.oliverio@tanaza.com>
Fixes: 452238e8d5ff ("netfilter: nf_tables: add and use helper for module autoload")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_tables_api.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -502,23 +502,21 @@ __nf_tables_chain_type_lookup(const stru
 }
 
 /*
- * Loading a module requires dropping mutex that guards the
- * transaction.
- * We first need to abort any pending transactions as once
- * mutex is unlocked a different client could start a new
- * transaction.  It must not see any 'future generation'
- * changes * as these changes will never happen.
+ * Loading a module requires dropping mutex that guards the transaction.
+ * A different client might race to start a new transaction meanwhile. Zap the
+ * list of pending transaction and then restore it once the mutex is grabbed
+ * again. Users of this function return EAGAIN which implicitly triggers the
+ * transaction abort path to clean up the list of pending transactions.
  */
 #ifdef CONFIG_MODULES
-static int __nf_tables_abort(struct net *net);
-
 static void nft_request_module(struct net *net, const char *fmt, ...)
 {
 	char module_name[MODULE_NAME_LEN];
+	LIST_HEAD(commit_list);
 	va_list args;
 	int ret;
 
-	__nf_tables_abort(net);
+	list_splice_init(&net->nft.commit_list, &commit_list);
 
 	va_start(args, fmt);
 	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
@@ -529,6 +527,9 @@ static void nft_request_module(struct ne
 	mutex_unlock(&net->nft.commit_mutex);
 	request_module("%s", module_name);
 	mutex_lock(&net->nft.commit_mutex);
+
+	WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
+	list_splice(&commit_list, &net->nft.commit_list);
 }
 #endif
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 131/222] netfilter: nf_tables: fix flowtable list del corruption
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 130/222] netfilter: nf_tables: store transaction list locally while requesting module Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 132/222] NFC: pn533: fix bulk-message timeout Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+37a6804945a3a13b1572,
	Florian Westphal, Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 335178d5429c4cee61b58f4ac80688f556630818 upstream.

syzbot reported following crash:

  list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
  [..]
  Call Trace:
   __list_del_entry include/linux/list.h:131 [inline]
   list_del_rcu include/linux/rculist.h:148 [inline]
   nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
   [..]

The commit transaction list has:

NFT_MSG_NEWTABLE
NFT_MSG_NEWFLOWTABLE
NFT_MSG_DELFLOWTABLE
NFT_MSG_DELTABLE

A missing generation check during DELTABLE processing causes it to queue
the DELFLOWTABLE operation a second time, so we corrupt the list here:

  case NFT_MSG_DELFLOWTABLE:
     list_del_rcu(&nft_trans_flowtable(trans)->list);
     nf_tables_flowtable_notify(&trans->ctx,

because we have two different DELFLOWTABLE transactions for the same
flowtable.  We then call list_del_rcu() twice for the same flowtable->list.

The object handling seems to suffer from the same bug so add a generation
check too and only queue delete transactions for flowtables/objects that
are still active in the next generation.

Reported-by: syzbot+37a6804945a3a13b1572@syzkaller.appspotmail.com
Fixes: 3b49e2e94e6eb ("netfilter: nf_tables: add flow table netlink frontend")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_tables_api.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -981,12 +981,18 @@ static int nft_flush_table(struct nft_ct
 	}
 
 	list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
+		if (!nft_is_active_next(ctx->net, flowtable))
+			continue;
+
 		err = nft_delflowtable(ctx, flowtable);
 		if (err < 0)
 			goto out;
 	}
 
 	list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
+		if (!nft_is_active_next(ctx->net, obj))
+			continue;
+
 		err = nft_delobj(ctx, obj);
 		if (err < 0)
 			goto out;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 132/222] NFC: pn533: fix bulk-message timeout
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 131/222] netfilter: nf_tables: fix flowtable list del corruption Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 133/222] net: bpf: Dont leak time wait and request sockets Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Jakub Kicinski

From: Johan Hovold <johan@kernel.org>

commit a112adafcb47760feff959ee1ecd10b74d2c5467 upstream.

The driver was doing a synchronous uninterruptible bulk-transfer without
using a timeout. This could lead to the driver hanging on probe due to a
malfunctioning (or malicious) device until the device is physically
disconnected. While sleeping in probe the driver prevents other devices
connected to the same hub from being added to (or removed from) the bus.

An arbitrary limit of five seconds should be more than enough.

Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack")
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nfc/pn533/usb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@@ -391,7 +391,7 @@ static int pn533_acr122_poweron_rdr(stru
 		       cmd, sizeof(cmd), false);
 
 	rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd),
-			  &transferred, 0);
+			  &transferred, 5000);
 	kfree(buffer);
 	if (rc || (transferred != sizeof(cmd))) {
 		nfc_err(&phy->udev->dev,



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 133/222] net: bpf: Dont leak time wait and request sockets
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 132/222] NFC: pn533: fix bulk-message timeout Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 134/222] bpftool: Fix printing incorrect pointer in btf_dump_ptr Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenz Bauer, Alexei Starovoitov,
	Martin KaFai Lau

From: Lorenz Bauer <lmb@cloudflare.com>

commit 2e012c74823629d9db27963c79caa3f5b2010746 upstream.

It's possible to leak time wait and request sockets via the following
BPF pseudo code:
 
  sk = bpf_skc_lookup_tcp(...)
  if (sk)
    bpf_sk_release(sk)

If sk->sk_state is TCP_NEW_SYN_RECV or TCP_TIME_WAIT the refcount taken
by bpf_skc_lookup_tcp is not undone by bpf_sk_release. This is because
sk_flags is re-used for other data in both kinds of sockets. The check

  !sock_flag(sk, SOCK_RCU_FREE)

therefore returns a bogus result. Check that sk_flags is valid by calling
sk_fullsock. Skip checking SOCK_RCU_FREE if we already know that sk is
not a full socket.

Fixes: edbf8c01de5a ("bpf: add skc_lookup_tcp helper")
Fixes: f7355a6c0497 ("bpf: Check sk_fullsock() before returning from bpf_sk_lookup()")
Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/20200110132336.26099-1-lmb@cloudflare.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/filter.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5306,8 +5306,7 @@ __bpf_sk_lookup(struct sk_buff *skb, str
 	if (sk) {
 		sk = sk_to_full_sk(sk);
 		if (!sk_fullsock(sk)) {
-			if (!sock_flag(sk, SOCK_RCU_FREE))
-				sock_gen_put(sk);
+			sock_gen_put(sk);
 			return NULL;
 		}
 	}
@@ -5344,8 +5343,7 @@ bpf_sk_lookup(struct sk_buff *skb, struc
 	if (sk) {
 		sk = sk_to_full_sk(sk);
 		if (!sk_fullsock(sk)) {
-			if (!sock_flag(sk, SOCK_RCU_FREE))
-				sock_gen_put(sk);
+			sock_gen_put(sk);
 			return NULL;
 		}
 	}
@@ -5412,7 +5410,8 @@ static const struct bpf_func_proto bpf_s
 
 BPF_CALL_1(bpf_sk_release, struct sock *, sk)
 {
-	if (!sock_flag(sk, SOCK_RCU_FREE))
+	/* Only full sockets have sk->sk_flags. */
+	if (!sk_fullsock(sk) || !sock_flag(sk, SOCK_RCU_FREE))
 		sock_gen_put(sk);
 	return 0;
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 134/222] bpftool: Fix printing incorrect pointer in btf_dump_ptr
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 133/222] net: bpf: Dont leak time wait and request sockets Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 135/222] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin KaFai Lau, Alexei Starovoitov,
	Quentin Monnet

From: Martin KaFai Lau <kafai@fb.com>

commit 555089fdfc37ad65e0ee9b42ca40c238ff546f83 upstream.

For plain text output, it incorrectly prints the pointer value
"void *data".  The "void *data" is actually pointing to memory that
contains a bpf-map's value.  The intention is to print the content of
the bpf-map's value instead of printing the pointer pointing to the
bpf-map's value.

In this case, a member of the bpf-map's value is a pointer type.
Thus, it should print the "*(void **)data".

Fixes: 22c349e8db89 ("tools: bpftool: fix format strings and arguments for jsonw_printf()")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
Link: https://lore.kernel.org/bpf/20200110231644.3484151-1-kafai@fb.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/bpf/bpftool/btf_dumper.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/bpf/bpftool/btf_dumper.c
+++ b/tools/bpf/bpftool/btf_dumper.c
@@ -26,7 +26,7 @@ static void btf_dumper_ptr(const void *d
 			   bool is_plain_text)
 {
 	if (is_plain_text)
-		jsonw_printf(jw, "%p", data);
+		jsonw_printf(jw, "%p", *(void **)data);
 	else
 		jsonw_printf(jw, "%lu", *(unsigned long *)data);
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 135/222] batman-adv: Fix DAT candidate selection on little endian systems
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 134/222] bpftool: Fix printing incorrect pointer in btf_dump_ptr Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 136/222] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sven Eckelmann, Simon Wunderlich

From: Sven Eckelmann <sven@narfation.org>

commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.

The distributed arp table is using a DHT to store and retrieve MAC address
information for an IP address. This is done using unicast messages to
selected peers. The potential peers are looked up using the IP address and
the VID.

While the IP address is always stored in big endian byte order, this is not
the case of the VID. It can (depending on the host system) either be big
endian or little endian. The host must therefore always convert it to big
endian to ensure that all devices calculate the same peers for the same
lookup data.

Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/batman-adv/distributed-arp-table.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -285,6 +285,7 @@ static u32 batadv_hash_dat(const void *d
 	u32 hash = 0;
 	const struct batadv_dat_entry *dat = data;
 	const unsigned char *key;
+	__be16 vid;
 	u32 i;
 
 	key = (const unsigned char *)&dat->ip;
@@ -294,7 +295,8 @@ static u32 batadv_hash_dat(const void *d
 		hash ^= (hash >> 6);
 	}
 
-	key = (const unsigned char *)&dat->vid;
+	vid = htons(dat->vid);
+	key = (__force const unsigned char *)&vid;
 	for (i = 0; i < sizeof(dat->vid); i++) {
 		hash += key[i];
 		hash += (hash << 10);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 136/222] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 135/222] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 137/222] hv_netvsc: Fix memory leak when removing rndis device Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Jurgen Van Ham,
	Matteo Croce, David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 1712b2fff8c682d145c7889d2290696647d82dab ]

I missed the fact that macvlan_broadcast() can be used both
in RX and TX.

skb_eth_hdr() makes only sense in TX paths, so we can not
use it blindly in macvlan_broadcast()

Fixes: 96cc4b69581d ("macvlan: do not assume mac_header is set in macvlan_broadcast()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jurgen Van Ham <juvanham@gmail.com>
Tested-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/macvlan.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 747c0542a53c..c5bf61565726 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -259,7 +259,7 @@ static void macvlan_broadcast(struct sk_buff *skb,
 			      struct net_device *src,
 			      enum macvlan_mode mode)
 {
-	const struct ethhdr *eth = skb_eth_hdr(skb);
+	const struct ethhdr *eth = eth_hdr(skb);
 	const struct macvlan_dev *vlan;
 	struct sk_buff *nskb;
 	unsigned int i;
@@ -513,10 +513,11 @@ static int macvlan_queue_xmit(struct sk_buff *skb, struct net_device *dev)
 	const struct macvlan_dev *dest;
 
 	if (vlan->mode == MACVLAN_MODE_BRIDGE) {
-		const struct ethhdr *eth = (void *)skb->data;
+		const struct ethhdr *eth = skb_eth_hdr(skb);
 
 		/* send to other bridge ports directly */
 		if (is_multicast_ether_addr(eth->h_dest)) {
+			skb_reset_mac_header(skb);
 			macvlan_broadcast(skb, port, dev, MACVLAN_MODE_BRIDGE);
 			goto xmit_world;
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 238+ messages in thread

* [PATCH 5.4 137/222] hv_netvsc: Fix memory leak when removing rndis device
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 136/222] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 138/222] net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key() Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mohammed Gamal, Haiyang Zhang,
	David S. Miller

From: Mohammed Gamal <mgamal@redhat.com>

[ Upstream commit 536dc5df2808efbefc5acee334d3c4f701790ec0 ]

kmemleak detects the following memory leak when hot removing
a network device:

unreferenced object 0xffff888083f63600 (size 256):
  comm "kworker/0:1", pid 12, jiffies 4294831717 (age 1113.676s)
  hex dump (first 32 bytes):
    00 40 c7 33 80 88 ff ff 00 00 00 00 10 00 00 00  .@.3............
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
  backtrace:
    [<00000000d4a8f5be>] rndis_filter_device_add+0x117/0x11c0 [hv_netvsc]
    [<000000009c02d75b>] netvsc_probe+0x5e7/0xbf0 [hv_netvsc]
    [<00000000ddafce23>] vmbus_probe+0x74/0x170 [hv_vmbus]
    [<00000000046e64f1>] really_probe+0x22f/0xb50
    [<000000005cc35eb7>] driver_probe_device+0x25e/0x370
    [<0000000043c642b2>] bus_for_each_drv+0x11f/0x1b0
    [<000000005e3d09f0>] __device_attach+0x1c6/0x2f0
    [<00000000a72c362f>] bus_probe_device+0x1a6/0x260
    [<0000000008478399>] device_add+0x10a3/0x18e0
    [<00000000cf07b48c>] vmbus_device_register+0xe7/0x1e0 [hv_vmbus]
    [<00000000d46cf032>] vmbus_add_channel_work+0x8ab/0x1770 [hv_vmbus]
    [<000000002c94bb64>] process_one_work+0x919/0x17d0
    [<0000000096de6781>] worker_thread+0x87/0xb40
    [<00000000fbe7397e>] kthread+0x333/0x3f0
    [<000000004f844269>] ret_from_fork+0x3a/0x50

rndis_filter_device_add() allocates an instance of struct rndis_device
which never gets deallocated as rndis_filter_device_remove() sets
net_device->extension which points to the rndis_device struct to NULL,
leaving the rndis_device dangling.

Since net_device->extension is eventually freed in free_netvsc_device(),
we refrain from setting it to NULL inside rndis_filter_device_remove()

Signed-off-by: Mohammed Gamal <mgamal@redhat.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/hyperv/rndis_filter.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -1436,8 +1436,6 @@ void rndis_filter_device_remove(struct h
 	/* Halt and release the rndis device */
 	rndis_filter_halt_device(net_dev, rndis_dev);
 
-	net_dev->extension = NULL;
-
 	netvsc_device_remove(dev);
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 138/222] net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 137/222] hv_netvsc: Fix memory leak when removing rndis device Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 139/222] net: dsa: tag_qca: fix doubled Tx statistics Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+4ec99438ed7450da6272,
	Taehee Yoo, Cong Wang, David S. Miller

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 53d374979ef147ab51f5d632dfe20b14aebeccd0 ]

syzbot reported some bogus lockdep warnings, for example bad unlock
balance in sch_direct_xmit(). They are due to a race condition between
slow path and fast path, that is qdisc_xmit_lock_key gets re-registered
in netdev_update_lockdep_key() on slow path, while we could still
acquire the queue->_xmit_lock on fast path in this small window:

CPU A						CPU B
						__netif_tx_lock();
lockdep_unregister_key(qdisc_xmit_lock_key);
						__netif_tx_unlock();
lockdep_register_key(qdisc_xmit_lock_key);

In fact, unlike the addr_list_lock which has to be reordered when
the master/slave device relationship changes, queue->_xmit_lock is
only acquired on fast path and only when NETIF_F_LLTX is not set,
so there is likely no nested locking for it.

Therefore, we can just get rid of re-registration of
qdisc_xmit_lock_key.

Reported-by: syzbot+4ec99438ed7450da6272@syzkaller.appspotmail.com
Fixes: ab92d68fc22f ("net: core: add generic lockdep keys")
Cc: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |   12 ------------
 1 file changed, 12 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8953,22 +8953,10 @@ static void netdev_unregister_lockdep_ke
 
 void netdev_update_lockdep_key(struct net_device *dev)
 {
-	struct netdev_queue *queue;
-	int i;
-
-	lockdep_unregister_key(&dev->qdisc_xmit_lock_key);
 	lockdep_unregister_key(&dev->addr_list_lock_key);
-
-	lockdep_register_key(&dev->qdisc_xmit_lock_key);
 	lockdep_register_key(&dev->addr_list_lock_key);
 
 	lockdep_set_class(&dev->addr_list_lock, &dev->addr_list_lock_key);
-	for (i = 0; i < dev->num_tx_queues; i++) {
-		queue = netdev_get_tx_queue(dev, i);
-
-		lockdep_set_class(&queue->_xmit_lock,
-				  &dev->qdisc_xmit_lock_key);
-	}
 }
 EXPORT_SYMBOL(netdev_update_lockdep_key);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 139/222] net: dsa: tag_qca: fix doubled Tx statistics
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 138/222] net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key() Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 140/222] net: hns3: pad the short frame before sending to the hardware Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Lunn, Alexander Lobakin,
	Florian Fainelli, David S. Miller

From: Alexander Lobakin <alobakin@dlink.ru>

[ Upstream commit bd5874da57edd001b35cf28ae737779498c16a56 ]

DSA subsystem takes care of netdev statistics since commit 4ed70ce9f01c
("net: dsa: Refactor transmit path to eliminate duplication"), so
any accounting inside tagger callbacks is redundant and can lead to
messing up the stats.
This bug is present in Qualcomm tagger since day 0.

Fixes: cafdc45c949b ("net-next: dsa: add Qualcomm tag RX/TX handler")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/dsa/tag_qca.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/net/dsa/tag_qca.c
+++ b/net/dsa/tag_qca.c
@@ -33,9 +33,6 @@ static struct sk_buff *qca_tag_xmit(stru
 	struct dsa_port *dp = dsa_slave_to_port(dev);
 	u16 *phdr, hdr;
 
-	dev->stats.tx_packets++;
-	dev->stats.tx_bytes += skb->len;
-
 	if (skb_cow_head(skb, 0) < 0)
 		return NULL;
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 140/222] net: hns3: pad the short frame before sending to the hardware
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 139/222] net: dsa: tag_qca: fix doubled Tx statistics Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 141/222] net: hns: fix soft lockup when there is not enough memory Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunsheng Lin, Huazhong Tan, David S. Miller

From: Yunsheng Lin <linyunsheng@huawei.com>

[ Upstream commit 36c67349a1a1c88b9cf11d7ca7762ababdb38867 ]

The hardware can not handle short frames below or equal to 32
bytes according to the hardware user manual, and it will trigger
a RAS error when the frame's length is below 33 bytes.

This patch pads the SKB when skb->len is below 33 bytes before
sending it to hardware.

Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -54,6 +54,8 @@ MODULE_PARM_DESC(debug, " Network interf
 #define HNS3_INNER_VLAN_TAG	1
 #define HNS3_OUTER_VLAN_TAG	2
 
+#define HNS3_MIN_TX_LEN		33U
+
 /* hns3_pci_tbl - PCI Device ID Table
  *
  * Last entry must be all 0s
@@ -1329,6 +1331,10 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_
 	int ret;
 	int i;
 
+	/* Hardware can only handle short frames above 32 bytes */
+	if (skb_put_padto(skb, HNS3_MIN_TX_LEN))
+		return NETDEV_TX_OK;
+
 	/* Prefetch the data used later */
 	prefetch(skb->data);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 141/222] net: hns: fix soft lockup when there is not enough memory
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 140/222] net: hns3: pad the short frame before sending to the hardware Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 142/222] net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yonglong Liu, David S. Miller

From: Yonglong Liu <liuyonglong@huawei.com>

[ Upstream commit 49edd6a2c456150870ddcef5b7ed11b21d849e13 ]

When there is not enough memory and napi_alloc_skb() return NULL,
the HNS driver will print error message, and than try again, if
the memory is not enough for a while, huge error message and the
retry operation will cause soft lockup.

When napi_alloc_skb() return NULL because of no memory, we can
get a warn_alloc() call trace, so this patch deletes the error
message. We already use polling mode to handle irq, but the
retry operation will render the polling weight inactive, this
patch just return budget when the rx is not completed to avoid
dead loop.

Fixes: 36eedfde1a36 ("net: hns: Optimize hns_nic_common_poll for better performance")
Fixes: b5996f11ea54 ("net: add Hisilicon Network Subsystem basic ethernet support")
Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/hisilicon/hns/hns_enet.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
@@ -565,7 +565,6 @@ static int hns_nic_poll_rx_skb(struct hn
 	skb = *out_skb = napi_alloc_skb(&ring_data->napi,
 					HNS_RX_HEAD_SIZE);
 	if (unlikely(!skb)) {
-		netdev_err(ndev, "alloc rx skb fail\n");
 		ring->stats.sw_err_cnt++;
 		return -ENOMEM;
 	}
@@ -1056,7 +1055,6 @@ static int hns_nic_common_poll(struct na
 		container_of(napi, struct hns_nic_ring_data, napi);
 	struct hnae_ring *ring = ring_data->ring;
 
-try_again:
 	clean_complete += ring_data->poll_one(
 				ring_data, budget - clean_complete,
 				ring_data->ex_process);
@@ -1066,7 +1064,7 @@ try_again:
 			napi_complete(napi);
 			ring->q->handle->dev->ops->toggle_ring_irq(ring, 0);
 		} else {
-			goto try_again;
+			return budget;
 		}
 	}
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 142/222] net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 141/222] net: hns: fix soft lockup when there is not enough memory Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 143/222] net/sched: act_ife: initalize ife->metalist earlier Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Grzeschik, Andrew Lunn,
	David S. Miller

From: Michael Grzeschik <m.grzeschik@pengutronix.de>

[ Upstream commit 86ffe920e669ec73035e84553e18edf17d16317c ]

According to the Datasheet this bit should be 0 (Normal operation) in
default. With the FORCE_LINK_GOOD bit set, it is not possible to get a
link. This patch sets FORCE_LINK_GOOD to the default value after
resetting the phy.

Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/dp83867.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/net/phy/dp83867.c
+++ b/drivers/net/phy/dp83867.c
@@ -80,6 +80,7 @@
 #define DP83867_PHYCR_FIFO_DEPTH_MAX		0x03
 #define DP83867_PHYCR_FIFO_DEPTH_MASK		GENMASK(15, 14)
 #define DP83867_PHYCR_RESERVED_MASK		BIT(11)
+#define DP83867_PHYCR_FORCE_LINK_GOOD		BIT(10)
 
 /* RGMIIDCTL bits */
 #define DP83867_RGMII_TX_CLK_DELAY_MAX		0xf
@@ -454,7 +455,12 @@ static int dp83867_phy_reset(struct phy_
 
 	usleep_range(10, 20);
 
-	return 0;
+	/* After reset FORCE_LINK_GOOD bit is set. Although the
+	 * default value should be unset. Disable FORCE_LINK_GOOD
+	 * for the phy to work properly.
+	 */
+	return phy_modify(phydev, MII_DP83867_PHYCTRL,
+			 DP83867_PHYCR_FORCE_LINK_GOOD, 0);
 }
 
 static struct phy_driver dp83867_driver[] = {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 143/222] net/sched: act_ife: initalize ife->metalist earlier
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 142/222] net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 144/222] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, Davide Caratti,
	Cong Wang, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 44c23d71599f81a1c7fe8389e0319822dd50c37c ]

It seems better to init ife->metalist earlier in tcf_ife_init()
to avoid the following crash :

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 10483 Comm: syz-executor216 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:_tcf_ife_cleanup net/sched/act_ife.c:412 [inline]
RIP: 0010:tcf_ife_cleanup+0x6e/0x400 net/sched/act_ife.c:431
Code: 48 c1 ea 03 80 3c 02 00 0f 85 94 03 00 00 49 8b bd f8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8d 67 e8 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 5c 03 00 00 48 bb 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffffc90001dc6d00 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff864619c0 RCX: ffffffff815bfa09
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffffc90001dc6d50 R08: 0000000000000004 R09: fffff520003b8d8e
R10: fffff520003b8d8d R11: 0000000000000003 R12: ffffffffffffffe8
R13: ffff8880a79fc000 R14: ffff88809aba0e00 R15: 0000000000000000
FS:  0000000001b51880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563f52cce140 CR3: 0000000093541000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tcf_action_cleanup+0x62/0x1b0 net/sched/act_api.c:119
 __tcf_action_put+0xfa/0x130 net/sched/act_api.c:135
 __tcf_idr_release net/sched/act_api.c:165 [inline]
 __tcf_idr_release+0x59/0xf0 net/sched/act_api.c:145
 tcf_idr_release include/net/act_api.h:171 [inline]
 tcf_ife_init+0x97c/0x1870 net/sched/act_ife.c:616
 tcf_action_init_1+0x6b6/0xa40 net/sched/act_api.c:944
 tcf_action_init+0x21a/0x330 net/sched/act_api.c:1000
 tcf_action_add+0xf5/0x3b0 net/sched/act_api.c:1410
 tc_ctl_action+0x390/0x488 net/sched/act_api.c:1465
 rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:659
 ____sys_sendmsg+0x753/0x880 net/socket.c:2330
 ___sys_sendmsg+0x100/0x170 net/socket.c:2384
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg net/socket.c:2424 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 11a94d7fd80f ("net/sched: act_ife: validate the control action inside init()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_ife.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -536,6 +536,9 @@ static int tcf_ife_init(struct net *net,
 	}
 
 	ife = to_ife(*a);
+	if (ret == ACT_P_CREATED)
+		INIT_LIST_HEAD(&ife->metalist);
+
 	err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
 	if (err < 0)
 		goto release_idr;
@@ -565,10 +568,6 @@ static int tcf_ife_init(struct net *net,
 		p->eth_type = ife_type;
 	}
 
-
-	if (ret == ACT_P_CREATED)
-		INIT_LIST_HEAD(&ife->metalist);
-
 	if (tb[TCA_IFE_METALST]) {
 		err = nla_parse_nested_deprecated(tb2, IFE_META_MAX,
 						  tb[TCA_IFE_METALST], NULL,



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 144/222] net: usb: lan78xx: limit size of local TSO packets
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 143/222] net/sched: act_ife: initalize ife->metalist earlier Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 145/222] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, RENARD Pierre-Francois,
	Stefan Wahren, Woojung Huh, Microchip Linux Driver Support,
	David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit f8d7408a4d7f60f8b2df0f81decdc882dd9c20dc ]

lan78xx_tx_bh() makes sure to not exceed MAX_SINGLE_PACKET_SIZE
bytes in the aggregated packets it builds, but does
nothing to prevent large GSO packets being submitted.

Pierre-Francois reported various hangs when/if TSO is enabled.

For localy generated packets, we can use netif_set_gso_max_size()
to limit the size of TSO packets.

Note that forwarded packets could still hit the issue,
so a complete fix might require implementing .ndo_features_check
for this driver, forcing a software segmentation if the size
of the TSO packet exceeds MAX_SINGLE_PACKET_SIZE.

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: RENARD Pierre-Francois <pfrenard@gmail.com>
Tested-by: RENARD Pierre-Francois <pfrenard@gmail.com>
Cc: Stefan Wahren <stefan.wahren@i2se.com>
Cc: Woojung Huh <woojung.huh@microchip.com>
Cc: Microchip Linux Driver Support <UNGLinuxDriver@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/lan78xx.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3750,6 +3750,7 @@ static int lan78xx_probe(struct usb_inte
 
 	/* MTU range: 68 - 9000 */
 	netdev->max_mtu = MAX_SINGLE_PACKET_SIZE;
+	netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER);
 
 	dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0;
 	dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 145/222] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 144/222] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 146/222] ptp: free ptp device pin descriptors properly Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King, David S. Miller

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit ddf420390526ede3b9ff559ac89f58cb59d9db2f ]

Array utdm_info is declared as an array of MAX_HDLC_NUM (4) elements
however up to UCC_MAX_NUM (8) elements are potentially being written
to it.  Currently we have an array out-of-bounds write error on the
last 4 elements. Fix this by making utdm_info UCC_MAX_NUM elements in
size.

Addresses-Coverity: ("Out-of-bounds write")
Fixes: c19b6d246a35 ("drivers/net: support hdlc function for QE-UCC")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wan/fsl_ucc_hdlc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wan/fsl_ucc_hdlc.c
+++ b/drivers/net/wan/fsl_ucc_hdlc.c
@@ -73,7 +73,7 @@ static struct ucc_tdm_info utdm_primary_
 	},
 };
 
-static struct ucc_tdm_info utdm_info[MAX_HDLC_NUM];
+static struct ucc_tdm_info utdm_info[UCC_MAX_NUM];
 
 static int uhdlc_init(struct ucc_hdlc_private *priv)
 {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 146/222] ptp: free ptp device pin descriptors properly
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 145/222] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 147/222] r8152: add missing endpoint sanity check Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Antti Laakso, Vladis Dronov,
	Richard Cochran, David S. Miller

From: Vladis Dronov <vdronov@redhat.com>

[ Upstream commit 75718584cb3c64e6269109d4d54f888ac5a5fd15 ]

There is a bug in ptp_clock_unregister(), where ptp_cleanup_pin_groups()
first frees ptp->pin_{,dev_}attr, but then posix_clock_unregister() needs
them to destroy a related sysfs device.

These functions can not be just swapped, as posix_clock_unregister() frees
ptp which is needed in the ptp_cleanup_pin_groups(). Fix this by calling
ptp_cleanup_pin_groups() in ptp_clock_release(), right before ptp is freed.

This makes this patch fix an UAF bug in a patch which fixes an UAF bug.

Reported-by: Antti Laakso <antti.laakso@intel.com>
Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev")
Link: https://lore.kernel.org/netdev/3d2bd09735dbdaf003585ca376b7c1e5b69a19bd.camel@intel.com/
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/ptp/ptp_clock.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -170,6 +170,7 @@ static void ptp_clock_release(struct dev
 {
 	struct ptp_clock *ptp = container_of(dev, struct ptp_clock, dev);
 
+	ptp_cleanup_pin_groups(ptp);
 	mutex_destroy(&ptp->tsevq_mux);
 	mutex_destroy(&ptp->pincfg_mux);
 	ida_simple_remove(&ptp_clocks_map, ptp->index);
@@ -302,9 +303,8 @@ int ptp_clock_unregister(struct ptp_cloc
 	if (ptp->pps_source)
 		pps_unregister_source(ptp->pps_source);
 
-	ptp_cleanup_pin_groups(ptp);
-
 	posix_clock_unregister(&ptp->clock);
+
 	return 0;
 }
 EXPORT_SYMBOL(ptp_clock_unregister);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 147/222] r8152: add missing endpoint sanity check
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 146/222] ptp: free ptp device pin descriptors properly Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 148/222] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, hayeswang, Johan Hovold, David S. Miller

From: Johan Hovold <johan@kernel.org>

[ Upstream commit 86f3f4cd53707ceeec079b83205c8d3c756eca93 ]

Add missing endpoint sanity check to probe in order to prevent a
NULL-pointer dereference (or slab out-of-bounds access) when retrieving
the interrupt-endpoint bInterval on ndo_open() in case a device lacks
the expected endpoints.

Fixes: 40a82917b1d3 ("net/usb/r8152: enable interrupt transfer")
Cc: hayeswang <hayeswang@realtek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/r8152.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -5587,6 +5587,9 @@ static int rtl8152_probe(struct usb_inte
 		return -ENODEV;
 	}
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 3)
+		return -ENODEV;
+
 	usb_reset_device(udev);
 	netdev = alloc_etherdev(sizeof(struct r8152));
 	if (!netdev) {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 148/222] tcp: fix marked lost packets not being retransmitted
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 147/222] r8152: add missing endpoint sanity check Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 149/222] bnxt_en: Fix NTUPLE firmware command failures Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pengcheng Yang, Neal Cardwell,
	David S. Miller

From: Pengcheng Yang <yangpc@wangsu.com>

[ Upstream commit e176b1ba476cf36f723cfcc7a9e57f3cb47dec70 ]

When the packet pointed to by retransmit_skb_hint is unlinked by ACK,
retransmit_skb_hint will be set to NULL in tcp_clean_rtx_queue().
If packet loss is detected at this time, retransmit_skb_hint will be set
to point to the current packet loss in tcp_verify_retransmit_hint(),
then the packets that were previously marked lost but not retransmitted
due to the restriction of cwnd will be skipped and cannot be
retransmitted.

To fix this, when retransmit_skb_hint is NULL, retransmit_skb_hint can
be reset only after all marked lost packets are retransmitted
(retrans_out >= lost_out), otherwise we need to traverse from
tcp_rtx_queue_head in tcp_xmit_retransmit_queue().

Packetdrill to demonstrate:

// Disable RACK and set max_reordering to keep things simple
    0 `sysctl -q net.ipv4.tcp_recovery=0`
   +0 `sysctl -q net.ipv4.tcp_max_reordering=3`

// Establish a connection
   +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
   +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
   +0 bind(3, ..., ...) = 0
   +0 listen(3, 1) = 0

  +.1 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
 +.01 < . 1:1(0) ack 1 win 257
   +0 accept(3, ..., ...) = 4

// Send 8 data segments
   +0 write(4, ..., 8000) = 8000
   +0 > P. 1:8001(8000) ack 1

// Enter recovery and 1:3001 is marked lost
 +.01 < . 1:1(0) ack 1 win 257 <sack 3001:4001,nop,nop>
   +0 < . 1:1(0) ack 1 win 257 <sack 5001:6001 3001:4001,nop,nop>
   +0 < . 1:1(0) ack 1 win 257 <sack 5001:7001 3001:4001,nop,nop>

// Retransmit 1:1001, now retransmit_skb_hint points to 1001:2001
   +0 > . 1:1001(1000) ack 1

// 1001:2001 was ACKed causing retransmit_skb_hint to be set to NULL
 +.01 < . 1:1(0) ack 2001 win 257 <sack 5001:8001 3001:4001,nop,nop>
// Now retransmit_skb_hint points to 4001:5001 which is now marked lost

// BUG: 2001:3001 was not retransmitted
   +0 > . 2001:3001(1000) ack 1

Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Tested-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_input.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -915,9 +915,10 @@ static void tcp_check_sack_reordering(st
 /* This must be called before lost_out is incremented */
 static void tcp_verify_retransmit_hint(struct tcp_sock *tp, struct sk_buff *skb)
 {
-	if (!tp->retransmit_skb_hint ||
-	    before(TCP_SKB_CB(skb)->seq,
-		   TCP_SKB_CB(tp->retransmit_skb_hint)->seq))
+	if ((!tp->retransmit_skb_hint && tp->retrans_out >= tp->lost_out) ||
+	    (tp->retransmit_skb_hint &&
+	     before(TCP_SKB_CB(skb)->seq,
+		    TCP_SKB_CB(tp->retransmit_skb_hint)->seq)))
 		tp->retransmit_skb_hint = skb;
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 149/222] bnxt_en: Fix NTUPLE firmware command failures.
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 148/222] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 150/222] bnxt_en: Fix ipv6 RFS filter matching logic Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Chan, David S. Miller

From: Michael Chan <michael.chan@broadcom.com>

[ Upstream commit ceb3284c588eee5ea256c70e4d8d7cf399b8134e ]

The NTUPLE related firmware commands are sent to the wrong firmware
channel, causing all these commands to fail on new firmware that
supports the new firmware channel.  Fix it by excluding the 3
NTUPLE firmware commands from the list for the new firmware channel.

Fixes: 760b6d33410c ("bnxt_en: Add support for 2nd firmware message channel.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.h |    3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -1904,9 +1904,6 @@ static inline bool bnxt_cfa_hwrm_message
 	case HWRM_CFA_ENCAP_RECORD_FREE:
 	case HWRM_CFA_DECAP_FILTER_ALLOC:
 	case HWRM_CFA_DECAP_FILTER_FREE:
-	case HWRM_CFA_NTUPLE_FILTER_ALLOC:
-	case HWRM_CFA_NTUPLE_FILTER_FREE:
-	case HWRM_CFA_NTUPLE_FILTER_CFG:
 	case HWRM_CFA_EM_FLOW_ALLOC:
 	case HWRM_CFA_EM_FLOW_FREE:
 	case HWRM_CFA_EM_FLOW_CFG:



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 150/222] bnxt_en: Fix ipv6 RFS filter matching logic.
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 149/222] bnxt_en: Fix NTUPLE firmware command failures Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 151/222] bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Chan, David S. Miller

From: Michael Chan <michael.chan@broadcom.com>

[ Upstream commit 6fc7caa84e713f7627e171ab1e7c4b5be0dc9b3d ]

Fix bnxt_fltr_match() to match ipv6 source and destination addresses.
The function currently only checks ipv4 addresses and will not work
corrently on ipv6 filters.

Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c |   22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -10991,11 +10991,23 @@ static bool bnxt_fltr_match(struct bnxt_
 	struct flow_keys *keys1 = &f1->fkeys;
 	struct flow_keys *keys2 = &f2->fkeys;
 
-	if (keys1->addrs.v4addrs.src == keys2->addrs.v4addrs.src &&
-	    keys1->addrs.v4addrs.dst == keys2->addrs.v4addrs.dst &&
-	    keys1->ports.ports == keys2->ports.ports &&
-	    keys1->basic.ip_proto == keys2->basic.ip_proto &&
-	    keys1->basic.n_proto == keys2->basic.n_proto &&
+	if (keys1->basic.n_proto != keys2->basic.n_proto ||
+	    keys1->basic.ip_proto != keys2->basic.ip_proto)
+		return false;
+
+	if (keys1->basic.n_proto == htons(ETH_P_IP)) {
+		if (keys1->addrs.v4addrs.src != keys2->addrs.v4addrs.src ||
+		    keys1->addrs.v4addrs.dst != keys2->addrs.v4addrs.dst)
+			return false;
+	} else {
+		if (memcmp(&keys1->addrs.v6addrs.src, &keys2->addrs.v6addrs.src,
+			   sizeof(keys1->addrs.v6addrs.src)) ||
+		    memcmp(&keys1->addrs.v6addrs.dst, &keys2->addrs.v6addrs.dst,
+			   sizeof(keys1->addrs.v6addrs.dst)))
+			return false;
+	}
+
+	if (keys1->ports.ports == keys2->ports.ports &&
 	    keys1->control.flags == keys2->control.flags &&
 	    ether_addr_equal(f1->src_mac_addr, f2->src_mac_addr) &&
 	    ether_addr_equal(f1->dst_mac_addr, f2->dst_mac_addr))



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 151/222] bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal.
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 150/222] bnxt_en: Fix ipv6 RFS filter matching logic Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 152/222] net: ethernet: ave: Avoid lockdep warning Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Smith, Michael Chan, David S. Miller

From: Michael Chan <michael.chan@broadcom.com>

[ Upstream commit d061b2411d5f3d6272187ab734ce0640827fca13 ]

DSN read can fail, for example on a kdump kernel without PCIe extended
config space support.  If DSN read fails, don't set the
BNXT_FLAG_DSN_VALID flag and continue loading.  Check the flag
to see if the stored DSN is valid before using it.  Only VF reps
creation should fail without valid DSN.

Fixes: 03213a996531 ("bnxt: move bp->switch_id initialization to PF probe")
Reported-by: Marc Smith <msmith626@gmail.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c     |    7 +++----
 drivers/net/ethernet/broadcom/bnxt/bnxt.h     |    1 +
 drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c |    3 +++
 3 files changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -11299,7 +11299,7 @@ int bnxt_get_port_parent_id(struct net_d
 		return -EOPNOTSUPP;
 
 	/* The PF and it's VF-reps only support the switchdev framework */
-	if (!BNXT_PF(bp))
+	if (!BNXT_PF(bp) || !(bp->flags & BNXT_FLAG_DSN_VALID))
 		return -EOPNOTSUPP;
 
 	ppid->id_len = sizeof(bp->switch_id);
@@ -11691,6 +11691,7 @@ static int bnxt_pcie_dsn_get(struct bnxt
 	put_unaligned_le32(dw, &dsn[0]);
 	pci_read_config_dword(pdev, pos + 4, &dw);
 	put_unaligned_le32(dw, &dsn[4]);
+	bp->flags |= BNXT_FLAG_DSN_VALID;
 	return 0;
 }
 
@@ -11802,9 +11803,7 @@ static int bnxt_init_one(struct pci_dev
 
 	if (BNXT_PF(bp)) {
 		/* Read the adapter's DSN to use as the eswitch switch_id */
-		rc = bnxt_pcie_dsn_get(bp, bp->switch_id);
-		if (rc)
-			goto init_err_pci_clean;
+		bnxt_pcie_dsn_get(bp, bp->switch_id);
 	}
 
 	/* MTU range: 60 - FW defined max */
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -1510,6 +1510,7 @@ struct bnxt {
 	#define BNXT_FLAG_NO_AGG_RINGS	0x20000
 	#define BNXT_FLAG_RX_PAGE_MODE	0x40000
 	#define BNXT_FLAG_MULTI_HOST	0x100000
+	#define BNXT_FLAG_DSN_VALID	0x200000
 	#define BNXT_FLAG_DOUBLE_DB	0x400000
 	#define BNXT_FLAG_CHIP_NITRO_A0	0x1000000
 	#define BNXT_FLAG_DIM		0x2000000
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c
@@ -398,6 +398,9 @@ static int bnxt_vf_reps_create(struct bn
 	struct net_device *dev;
 	int rc, i;
 
+	if (!(bp->flags & BNXT_FLAG_DSN_VALID))
+		return -ENODEV;
+
 	bp->vf_reps = kcalloc(num_vfs, sizeof(vf_rep), GFP_KERNEL);
 	if (!bp->vf_reps)
 		return -ENOMEM;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 152/222] net: ethernet: ave: Avoid lockdep warning
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 151/222] bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:28 ` [PATCH 5.4 153/222] net: systemport: Fixed queue mapping in internal ring map Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kunihiko Hayashi, David S. Miller

From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>

[ Upstream commit 82d5d6a638cbd12b7dfe8acafd9efd87a656cc06 ]

When building with PROVE_LOCKING=y, lockdep shows the following
dump message.

    INFO: trying to register non-static key.
    the code is fine but needs lockdep annotation.
    turning off the locking correctness validator.
     ...

Calling device_set_wakeup_enable() directly occurs this issue,
and it isn't necessary for initialization, so this patch creates
internal function __ave_ethtool_set_wol() and replaces with this
in ave_init() and ave_resume().

Fixes: 7200f2e3c9e2 ("net: ethernet: ave: Set initial wol state to disabled")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/socionext/sni_ave.c |   20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/socionext/sni_ave.c
+++ b/drivers/net/ethernet/socionext/sni_ave.c
@@ -424,16 +424,22 @@ static void ave_ethtool_get_wol(struct n
 		phy_ethtool_get_wol(ndev->phydev, wol);
 }
 
-static int ave_ethtool_set_wol(struct net_device *ndev,
-			       struct ethtool_wolinfo *wol)
+static int __ave_ethtool_set_wol(struct net_device *ndev,
+				 struct ethtool_wolinfo *wol)
 {
-	int ret;
-
 	if (!ndev->phydev ||
 	    (wol->wolopts & (WAKE_ARP | WAKE_MAGICSECURE)))
 		return -EOPNOTSUPP;
 
-	ret = phy_ethtool_set_wol(ndev->phydev, wol);
+	return phy_ethtool_set_wol(ndev->phydev, wol);
+}
+
+static int ave_ethtool_set_wol(struct net_device *ndev,
+			       struct ethtool_wolinfo *wol)
+{
+	int ret;
+
+	ret = __ave_ethtool_set_wol(ndev, wol);
 	if (!ret)
 		device_set_wakeup_enable(&ndev->dev, !!wol->wolopts);
 
@@ -1216,7 +1222,7 @@ static int ave_init(struct net_device *n
 
 	/* set wol initial state disabled */
 	wol.wolopts = 0;
-	ave_ethtool_set_wol(ndev, &wol);
+	__ave_ethtool_set_wol(ndev, &wol);
 
 	if (!phy_interface_is_rgmii(phydev))
 		phy_set_max_speed(phydev, SPEED_100);
@@ -1768,7 +1774,7 @@ static int ave_resume(struct device *dev
 
 	ave_ethtool_get_wol(ndev, &wol);
 	wol.wolopts = priv->wolopts;
-	ave_ethtool_set_wol(ndev, &wol);
+	__ave_ethtool_set_wol(ndev, &wol);
 
 	if (ndev->phydev) {
 		ret = phy_resume(ndev->phydev);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 153/222] net: systemport: Fixed queue mapping in internal ring map
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 152/222] net: ethernet: ave: Avoid lockdep warning Greg Kroah-Hartman
@ 2020-01-22  9:28 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 154/222] net: dsa: sja1105: Dont error out on disabled ports with no phy-mode Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 ]

We would not be transmitting using the correct SYSTEMPORT transmit queue
during ndo_select_queue() which looks up the internal TX ring map
because while establishing the mapping we would be off by 4, so for
instance, when we populate switch port mappings we would be doing:

switch port 0, queue 0 -> ring index #0
switch port 0, queue 1 -> ring index #1
...
switch port 0, queue 3 -> ring index #3
switch port 1, queue 0 -> ring index #8 (4 + 4 * 1)
...

instead of using ring index #4. This would cause our ndo_select_queue()
to use the fallback queue mechanism which would pick up an incorrect
ring for that switch port. Fix this by using the correct switch queue
number instead of SYSTEMPORT queue number.

Fixes: 25c440704661 ("net: systemport: Simplify queue mapping logic")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bcmsysport.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -2323,7 +2323,7 @@ static int bcm_sysport_map_queues(struct
 		ring->switch_queue = qp;
 		ring->switch_port = port;
 		ring->inspect = true;
-		priv->ring_map[q + port * num_tx_queues] = ring;
+		priv->ring_map[qp + port * num_tx_queues] = ring;
 		qp++;
 	}
 
@@ -2338,7 +2338,7 @@ static int bcm_sysport_unmap_queues(stru
 	struct net_device *slave_dev;
 	unsigned int num_tx_queues;
 	struct net_device *dev;
-	unsigned int q, port;
+	unsigned int q, qp, port;
 
 	priv = container_of(nb, struct bcm_sysport_priv, dsa_notifier);
 	if (priv->netdev != info->master)
@@ -2364,7 +2364,8 @@ static int bcm_sysport_unmap_queues(stru
 			continue;
 
 		ring->inspect = false;
-		priv->ring_map[q + port * num_tx_queues] = NULL;
+		qp = ring->switch_queue;
+		priv->ring_map[qp + port * num_tx_queues] = NULL;
 	}
 
 	return 0;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 154/222] net: dsa: sja1105: Dont error out on disabled ports with no phy-mode
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2020-01-22  9:28 ` [PATCH 5.4 153/222] net: systemport: Fixed queue mapping in internal ring map Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 155/222] net: dsa: tag_gswip: fix typo in tagger name Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Oltean, Florian Fainelli,
	David S. Miller

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 27afe0d34e9121a3d61cc0af9b17c2542dadde24 ]

The sja1105_parse_ports_node function was tested only on device trees
where all ports were enabled. Fix this check so that the driver
continues to probe only with the ports where status is not "disabled",
as expected.

Fixes: 8aa9ebccae87 ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/dsa/sja1105/sja1105_main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -619,7 +619,7 @@ static int sja1105_parse_ports_node(stru
 	struct device *dev = &priv->spidev->dev;
 	struct device_node *child;
 
-	for_each_child_of_node(ports_node, child) {
+	for_each_available_child_of_node(ports_node, child) {
 		struct device_node *phy_node;
 		int phy_mode;
 		u32 index;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 155/222] net: dsa: tag_gswip: fix typo in tagger name
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 154/222] net: dsa: sja1105: Dont error out on disabled ports with no phy-mode Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 156/222] net: sched: act_ctinfo: fix memory leak Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Lunn, Alexander Lobakin,
	Florian Fainelli, Hauke Mehrtens, David S. Miller

From: Alexander Lobakin <alobakin@dlink.ru>

[ Upstream commit ad32205470919c8e04cdd33e0613bdba50c2376d ]

The correct name is GSWIP (Gigabit Switch IP). Typo was introduced in
875138f81d71a ("dsa: Move tagger name into its ops structure") while
moving tagger names to their structures.

Fixes: 875138f81d71a ("dsa: Move tagger name into its ops structure")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/dsa/tag_gswip.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/dsa/tag_gswip.c
+++ b/net/dsa/tag_gswip.c
@@ -104,7 +104,7 @@ static struct sk_buff *gswip_tag_rcv(str
 }
 
 static const struct dsa_device_ops gswip_netdev_ops = {
-	.name = "gwsip",
+	.name = "gswip",
 	.proto	= DSA_TAG_PROTO_GSWIP,
 	.xmit = gswip_tag_xmit,
 	.rcv = gswip_tag_rcv,



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 156/222] net: sched: act_ctinfo: fix memory leak
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 155/222] net: dsa: tag_gswip: fix typo in tagger name Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 157/222] net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot,
	Kevin ldir Darbyshire-Bryant, Cong Wang,
	Toke Høiland-Jørgensen, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 09d4f10a5e78d76a53e3e584f1e6a701b6d24108 ]

Implement a cleanup method to properly free ci->params

BUG: memory leak
unreferenced object 0xffff88811746e2c0 (size 64):
  comm "syz-executor617", pid 7106, jiffies 4294943055 (age 14.250s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    c0 34 60 84 ff ff ff ff 00 00 00 00 00 00 00 00  .4`.............
  backtrace:
    [<0000000015aa236f>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<0000000015aa236f>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<0000000015aa236f>] slab_alloc mm/slab.c:3320 [inline]
    [<0000000015aa236f>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
    [<000000002c946bd1>] kmalloc include/linux/slab.h:556 [inline]
    [<000000002c946bd1>] kzalloc include/linux/slab.h:670 [inline]
    [<000000002c946bd1>] tcf_ctinfo_init+0x21a/0x530 net/sched/act_ctinfo.c:236
    [<0000000086952cca>] tcf_action_init_1+0x400/0x5b0 net/sched/act_api.c:944
    [<000000005ab29bf8>] tcf_action_init+0x135/0x1c0 net/sched/act_api.c:1000
    [<00000000392f56f9>] tcf_action_add+0x9a/0x200 net/sched/act_api.c:1410
    [<0000000088f3c5dd>] tc_ctl_action+0x14d/0x1bb net/sched/act_api.c:1465
    [<000000006b39d986>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
    [<00000000fd6ecace>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [<0000000047493d02>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [<00000000bdcf8286>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [<00000000bdcf8286>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [<00000000fc5b92d9>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [<00000000da84d076>] sock_sendmsg_nosec net/socket.c:639 [inline]
    [<00000000da84d076>] sock_sendmsg+0x54/0x70 net/socket.c:659
    [<0000000042fb2eee>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [<000000008f23f67e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [<00000000d838e4f6>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [<00000000289a9cb1>] __do_sys_sendmsg net/socket.c:2426 [inline]
    [<00000000289a9cb1>] __se_sys_sendmsg net/socket.c:2424 [inline]
    [<00000000289a9cb1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_ctinfo.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/net/sched/act_ctinfo.c
+++ b/net/sched/act_ctinfo.c
@@ -360,6 +360,16 @@ static int tcf_ctinfo_search(struct net
 	return tcf_idr_search(tn, a, index);
 }
 
+static void tcf_ctinfo_cleanup(struct tc_action *a)
+{
+	struct tcf_ctinfo *ci = to_ctinfo(a);
+	struct tcf_ctinfo_params *cp;
+
+	cp = rcu_dereference_protected(ci->params, 1);
+	if (cp)
+		kfree_rcu(cp, rcu);
+}
+
 static struct tc_action_ops act_ctinfo_ops = {
 	.kind	= "ctinfo",
 	.id	= TCA_ID_CTINFO,
@@ -367,6 +377,7 @@ static struct tc_action_ops act_ctinfo_o
 	.act	= tcf_ctinfo_act,
 	.dump	= tcf_ctinfo_dump,
 	.init	= tcf_ctinfo_init,
+	.cleanup= tcf_ctinfo_cleanup,
 	.walk	= tcf_ctinfo_walker,
 	.lookup	= tcf_ctinfo_search,
 	.size	= sizeof(struct tcf_ctinfo),



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 157/222] net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 156/222] net: sched: act_ctinfo: fix memory leak Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 158/222] i40e: prevent memory leak in i40e_setup_macvlans Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 8f1880cbe8d0d49ebb7e9ae409b3b96676e5aa97 ]

With the implementation of the system reset controller we lost a setting
that is currently applied by the bootloader and which configures the IMP
port for 2Gb/sec, the default is 1Gb/sec. This is needed given the
number of ports and applications we expect to run so bring back that
setting.

Fixes: 01b0ac07589e ("net: dsa: bcm_sf2: Add support for optional reset controller line")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/dsa/bcm_sf2.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -68,7 +68,7 @@ static void bcm_sf2_imp_setup(struct dsa
 
 		/* Force link status for IMP port */
 		reg = core_readl(priv, offset);
-		reg |= (MII_SW_OR | LINK_STS);
+		reg |= (MII_SW_OR | LINK_STS | GMII_SPEED_UP_2G);
 		core_writel(priv, reg, offset);
 
 		/* Enable Broadcast, Multicast, Unicast forwarding to IMP port */



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 158/222] i40e: prevent memory leak in i40e_setup_macvlans
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 157/222] net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 159/222] drm/amdgpu: allow direct upload save restore list for raven2 Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, Andrew Bowers, Jeff Kirsher

From: Navid Emamdoost <navid.emamdoost@gmail.com>

[ Upstream commit 27d461333459d282ffa4a2bdb6b215a59d493a8f ]

In i40e_setup_macvlans if i40e_setup_channel fails the allocated memory
for ch should be released.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/intel/i40e/i40e_main.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -7168,6 +7168,7 @@ static int i40e_setup_macvlans(struct i4
 		ch->num_queue_pairs = qcnt;
 		if (!i40e_setup_channel(pf, vsi, ch)) {
 			ret = -EINVAL;
+			kfree(ch);
 			goto err_free;
 		}
 		ch->parent_vsi = vsi;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 159/222] drm/amdgpu: allow direct upload save restore list for raven2
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 158/222] i40e: prevent memory leak in i40e_setup_macvlans Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 160/222] sh_eth: check sh_eth_cpu_data::dual_port when dumping registers Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, changzhu, Huang Rui, Alex Deucher

From: changzhu <Changfeng.Zhu@amd.com>

commit eebc7f4d7ffa09f2a620bd1e2c67ddd579118af9 upstream.

It will cause modprobe atombios stuck problem in raven2 if it doesn't
allow direct upload save restore list from gfx driver.
So it needs to allow direct upload save restore list for raven2
temporarily.

Signed-off-by: changzhu <Changfeng.Zhu@amd.com>
Reviewed-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -2923,7 +2923,9 @@ static void gfx_v9_0_init_pg(struct amdg
 	 * And it's needed by gfxoff feature.
 	 */
 	if (adev->gfx.rlc.is_rlc_v2_1) {
-		if (adev->asic_type == CHIP_VEGA12)
+		if (adev->asic_type == CHIP_VEGA12 ||
+		    (adev->asic_type == CHIP_RAVEN &&
+		     adev->rev_id >= 8))
 			gfx_v9_1_init_rlc_save_restore_list(adev);
 		gfx_v9_0_enable_save_restore_machine(adev);
 	}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 160/222] sh_eth: check sh_eth_cpu_data::dual_port when dumping registers
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 159/222] drm/amdgpu: allow direct upload save restore list for raven2 Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 161/222] mlxsw: spectrum: Do not modify cloned SKBs during xmit Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, David S. Miller

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 3249b1e442a1be1a6b9f1026785b519d1443f807 upstream.

When adding the sh_eth_cpu_data::dual_port flag I forgot to add the flag
checks to __sh_eth_get_regs(), causing the non-existing TSU registers to
be dumped by 'ethtool' on the single port Ether controllers having TSU...

Fixes: a94cf2a614f8 ("sh_eth: fix TSU init on SH7734/R8A7740")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/renesas/sh_eth.c |   38 ++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -2204,24 +2204,28 @@ static size_t __sh_eth_get_regs(struct n
 	if (cd->tsu) {
 		add_tsu_reg(ARSTR);
 		add_tsu_reg(TSU_CTRST);
-		add_tsu_reg(TSU_FWEN0);
-		add_tsu_reg(TSU_FWEN1);
-		add_tsu_reg(TSU_FCM);
-		add_tsu_reg(TSU_BSYSL0);
-		add_tsu_reg(TSU_BSYSL1);
-		add_tsu_reg(TSU_PRISL0);
-		add_tsu_reg(TSU_PRISL1);
-		add_tsu_reg(TSU_FWSL0);
-		add_tsu_reg(TSU_FWSL1);
+		if (cd->dual_port) {
+			add_tsu_reg(TSU_FWEN0);
+			add_tsu_reg(TSU_FWEN1);
+			add_tsu_reg(TSU_FCM);
+			add_tsu_reg(TSU_BSYSL0);
+			add_tsu_reg(TSU_BSYSL1);
+			add_tsu_reg(TSU_PRISL0);
+			add_tsu_reg(TSU_PRISL1);
+			add_tsu_reg(TSU_FWSL0);
+			add_tsu_reg(TSU_FWSL1);
+		}
 		add_tsu_reg(TSU_FWSLC);
-		add_tsu_reg(TSU_QTAGM0);
-		add_tsu_reg(TSU_QTAGM1);
-		add_tsu_reg(TSU_FWSR);
-		add_tsu_reg(TSU_FWINMK);
-		add_tsu_reg(TSU_ADQT0);
-		add_tsu_reg(TSU_ADQT1);
-		add_tsu_reg(TSU_VTAG0);
-		add_tsu_reg(TSU_VTAG1);
+		if (cd->dual_port) {
+			add_tsu_reg(TSU_QTAGM0);
+			add_tsu_reg(TSU_QTAGM1);
+			add_tsu_reg(TSU_FWSR);
+			add_tsu_reg(TSU_FWINMK);
+			add_tsu_reg(TSU_ADQT0);
+			add_tsu_reg(TSU_ADQT1);
+			add_tsu_reg(TSU_VTAG0);
+			add_tsu_reg(TSU_VTAG1);
+		}
 		add_tsu_reg(TSU_ADSBSY);
 		add_tsu_reg(TSU_TEN);
 		add_tsu_reg(TSU_POST1);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 161/222] mlxsw: spectrum: Do not modify cloned SKBs during xmit
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 160/222] sh_eth: check sh_eth_cpu_data::dual_port when dumping registers Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 162/222] mlxsw: spectrum: Wipe xstats.backlog of down ports Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Shalom Toledo,
	Jiri Pirko, David S. Miller

From: Ido Schimmel <idosch@mellanox.com>

commit 2da51ce75d86ab1f7770ac1391a9a1697ddaa60c upstream.

The driver needs to prepend a Tx header to each packet it is
transmitting. The header includes information such as the egress port
and traffic class.

The addition of the header requires the driver to modify the SKB's
header and therefore it must not be shared. Otherwise, we risk hitting
various race conditions.

For example, when a packet is flooded (cloned) by the bridge driver to
two switch ports swp1 and swp2:

t0 - mlxsw_sp_port_xmit() is called for swp1. Tx header is prepended with
     swp1's port number
t1 - mlxsw_sp_port_xmit() is called for swp2. Tx header is prepended with
     swp2's port number, overwriting swp1's port number
t2 - The device processes data buffer from t0. Packet is transmitted via
     swp2
t3 - The device processes data buffer from t1. Packet is transmitted via
     swp2

Usually, the device is fast enough and transmits the packet before its
Tx header is overwritten, but this is not the case in emulated
environments.

Fix this by making sure the SKB's header is writable by calling
skb_cow_head(). Since the function ensures we have headroom to push the
Tx header, the check further in the function can be removed.

v2:
* Use skb_cow_head() instead of skb_unshare() as suggested by Jakub
* Remove unnecessary check regarding headroom

Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Shalom Toledo <shalomt@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c |   18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
@@ -812,23 +812,17 @@ static netdev_tx_t mlxsw_sp_port_xmit(st
 	u64 len;
 	int err;
 
+	if (skb_cow_head(skb, MLXSW_TXHDR_LEN)) {
+		this_cpu_inc(mlxsw_sp_port->pcpu_stats->tx_dropped);
+		dev_kfree_skb_any(skb);
+		return NETDEV_TX_OK;
+	}
+
 	memset(skb->cb, 0, sizeof(struct mlxsw_skb_cb));
 
 	if (mlxsw_core_skb_transmit_busy(mlxsw_sp->core, &tx_info))
 		return NETDEV_TX_BUSY;
 
-	if (unlikely(skb_headroom(skb) < MLXSW_TXHDR_LEN)) {
-		struct sk_buff *skb_orig = skb;
-
-		skb = skb_realloc_headroom(skb, MLXSW_TXHDR_LEN);
-		if (!skb) {
-			this_cpu_inc(mlxsw_sp_port->pcpu_stats->tx_dropped);
-			dev_kfree_skb_any(skb_orig);
-			return NETDEV_TX_OK;
-		}
-		dev_consume_skb_any(skb_orig);
-	}
-
 	if (eth_skb_pad(skb)) {
 		this_cpu_inc(mlxsw_sp_port->pcpu_stats->tx_dropped);
 		return NETDEV_TX_OK;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 162/222] mlxsw: spectrum: Wipe xstats.backlog of down ports
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 161/222] mlxsw: spectrum: Do not modify cloned SKBs during xmit Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 163/222] mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Petr Machata, Jiri Pirko,
	Ido Schimmel, David S. Miller

From: Petr Machata <petrm@mellanox.com>

commit ca7609ff3680c51d6c29897f3117aa2ad904f92a upstream.

Per-port counter cache used by Qdiscs is updated periodically, unless the
port is down. The fact that the cache is not updated for down ports is no
problem for most counters, which are relative in nature. However, backlog
is absolute in nature, and if there is a non-zero value in the cache around
the time that the port goes down, that value just stays there. This value
then leaks to offloaded Qdiscs that report non-zero backlog even if
there (obviously) is no traffic.

The HW does not keep backlog of a downed port, so do likewise: as the port
goes down, wipe the backlog value from xstats.

Fixes: 075ab8adaf4e ("mlxsw: spectrum: Collect tclass related stats periodically")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
@@ -1161,6 +1161,9 @@ static void update_stats_cache(struct wo
 			     periodic_hw_stats.update_dw.work);
 
 	if (!netif_carrier_ok(mlxsw_sp_port->dev))
+		/* Note: mlxsw_sp_port_down_wipe_counters() clears the cache as
+		 * necessary when port goes down.
+		 */
 		goto out;
 
 	mlxsw_sp_port_get_hw_stats(mlxsw_sp_port->dev,
@@ -4170,6 +4173,15 @@ static int mlxsw_sp_port_unsplit(struct
 	return 0;
 }
 
+static void
+mlxsw_sp_port_down_wipe_counters(struct mlxsw_sp_port *mlxsw_sp_port)
+{
+	int i;
+
+	for (i = 0; i < TC_MAX_QUEUE; i++)
+		mlxsw_sp_port->periodic_hw_stats.xstats.backlog[i] = 0;
+}
+
 static void mlxsw_sp_pude_event_func(const struct mlxsw_reg_info *reg,
 				     char *pude_pl, void *priv)
 {
@@ -4191,6 +4203,7 @@ static void mlxsw_sp_pude_event_func(con
 	} else {
 		netdev_info(mlxsw_sp_port->dev, "link down\n");
 		netif_carrier_off(mlxsw_sp_port->dev);
+		mlxsw_sp_port_down_wipe_counters(mlxsw_sp_port);
 	}
 }
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 163/222] mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 162/222] mlxsw: spectrum: Wipe xstats.backlog of down ports Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 164/222] net: stmmac: selftests: Make it work in Synopsys AXS101 boards Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Petr Machata, Jiri Pirko,
	Ido Schimmel, David S. Miller

From: Petr Machata <petrm@mellanox.com>

commit 85005b82e59fa7bb7388b12594ab2067bf73d66c upstream.

mlxsw configures Spectrum in such a way that BUM traffic is passed not
through its nominal traffic class TC, but through its MC counterpart TC+8.
However, when collecting statistics, Qdiscs only look at the nominal TC and
ignore the MC TC.

Add two helpers to compute the value for logical TC from the constituents,
one for backlog, the other for tail drops. Use them throughout instead of
going through the xstats pointer directly.

Counters for TX bytes and packets are deduced from packet priority
counters, and therefore already include BUM traffic. wred_drop counter is
irrelevant on MC TCs, because RED is not enabled on them.

Fixes: 7b8195306694 ("mlxsw: spectrum: Configure MC-aware mode on mlxsw ports")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c |   30 ++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
@@ -195,6 +195,20 @@ mlxsw_sp_qdisc_get_xstats(struct mlxsw_s
 	return -EOPNOTSUPP;
 }
 
+static u64
+mlxsw_sp_xstats_backlog(struct mlxsw_sp_port_xstats *xstats, int tclass_num)
+{
+	return xstats->backlog[tclass_num] +
+	       xstats->backlog[tclass_num + 8];
+}
+
+static u64
+mlxsw_sp_xstats_tail_drop(struct mlxsw_sp_port_xstats *xstats, int tclass_num)
+{
+	return xstats->tail_drop[tclass_num] +
+	       xstats->tail_drop[tclass_num + 8];
+}
+
 static void
 mlxsw_sp_qdisc_bstats_per_priority_get(struct mlxsw_sp_port_xstats *xstats,
 				       u8 prio_bitmap, u64 *tx_packets,
@@ -269,7 +283,7 @@ mlxsw_sp_setup_tc_qdisc_red_clean_stats(
 					       &stats_base->tx_bytes);
 	red_base->prob_mark = xstats->ecn;
 	red_base->prob_drop = xstats->wred_drop[tclass_num];
-	red_base->pdrop = xstats->tail_drop[tclass_num];
+	red_base->pdrop = mlxsw_sp_xstats_tail_drop(xstats, tclass_num);
 
 	stats_base->overlimits = red_base->prob_drop + red_base->prob_mark;
 	stats_base->drops = red_base->prob_drop + red_base->pdrop;
@@ -369,7 +383,8 @@ mlxsw_sp_qdisc_get_red_xstats(struct mlx
 
 	early_drops = xstats->wred_drop[tclass_num] - xstats_base->prob_drop;
 	marks = xstats->ecn - xstats_base->prob_mark;
-	pdrops = xstats->tail_drop[tclass_num] - xstats_base->pdrop;
+	pdrops = mlxsw_sp_xstats_tail_drop(xstats, tclass_num) -
+		 xstats_base->pdrop;
 
 	res->pdrop += pdrops;
 	res->prob_drop += early_drops;
@@ -402,9 +417,10 @@ mlxsw_sp_qdisc_get_red_stats(struct mlxs
 
 	overlimits = xstats->wred_drop[tclass_num] + xstats->ecn -
 		     stats_base->overlimits;
-	drops = xstats->wred_drop[tclass_num] + xstats->tail_drop[tclass_num] -
+	drops = xstats->wred_drop[tclass_num] +
+		mlxsw_sp_xstats_tail_drop(xstats, tclass_num) -
 		stats_base->drops;
-	backlog = xstats->backlog[tclass_num];
+	backlog = mlxsw_sp_xstats_backlog(xstats, tclass_num);
 
 	_bstats_update(stats_ptr->bstats, tx_bytes, tx_packets);
 	stats_ptr->qstats->overlimits += overlimits;
@@ -575,9 +591,9 @@ mlxsw_sp_qdisc_get_prio_stats(struct mlx
 	tx_packets = stats->tx_packets - stats_base->tx_packets;
 
 	for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) {
-		drops += xstats->tail_drop[i];
+		drops += mlxsw_sp_xstats_tail_drop(xstats, i);
 		drops += xstats->wred_drop[i];
-		backlog += xstats->backlog[i];
+		backlog += mlxsw_sp_xstats_backlog(xstats, i);
 	}
 	drops = drops - stats_base->drops;
 
@@ -613,7 +629,7 @@ mlxsw_sp_setup_tc_qdisc_prio_clean_stats
 
 	stats_base->drops = 0;
 	for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) {
-		stats_base->drops += xstats->tail_drop[i];
+		stats_base->drops += mlxsw_sp_xstats_tail_drop(xstats, i);
 		stats_base->drops += xstats->wred_drop[i];
 	}
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 164/222] net: stmmac: selftests: Make it work in Synopsys AXS101 boards
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 163/222] mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 165/222] net: stmmac: selftests: Mark as fail when received VLAN ID != expected Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jose Abreu, David S. Miller

From: Jose Abreu <Jose.Abreu@synopsys.com>

commit 0b9f932edc1a461933bfde08e620362e2190e0dd upstream.

Synopsys AXS101 boards do not support unaligned memory loads or stores.
Change the selftests mechanism to explicity:
- Not add extra alignment in TX SKB
- Use the unaligned version of ether_addr_equal()

Fixes: 091810dbded9 ("net: stmmac: Introduce selftests support")
Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c |   20 +++++++++--------
 1 file changed, 11 insertions(+), 9 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
@@ -80,7 +80,7 @@ static struct sk_buff *stmmac_test_get_u
 	if (attr->max_size && (attr->max_size > size))
 		size = attr->max_size;
 
-	skb = netdev_alloc_skb_ip_align(priv->dev, size);
+	skb = netdev_alloc_skb(priv->dev, size);
 	if (!skb)
 		return NULL;
 
@@ -244,6 +244,8 @@ static int stmmac_test_loopback_validate
 					 struct net_device *orig_ndev)
 {
 	struct stmmac_test_priv *tpriv = pt->af_packet_priv;
+	unsigned char *src = tpriv->packet->src;
+	unsigned char *dst = tpriv->packet->dst;
 	struct stmmachdr *shdr;
 	struct ethhdr *ehdr;
 	struct udphdr *uhdr;
@@ -260,15 +262,15 @@ static int stmmac_test_loopback_validate
 		goto out;
 
 	ehdr = (struct ethhdr *)skb_mac_header(skb);
-	if (tpriv->packet->dst) {
-		if (!ether_addr_equal(ehdr->h_dest, tpriv->packet->dst))
+	if (dst) {
+		if (!ether_addr_equal_unaligned(ehdr->h_dest, dst))
 			goto out;
 	}
 	if (tpriv->packet->sarc) {
-		if (!ether_addr_equal(ehdr->h_source, ehdr->h_dest))
+		if (!ether_addr_equal_unaligned(ehdr->h_source, ehdr->h_dest))
 			goto out;
-	} else if (tpriv->packet->src) {
-		if (!ether_addr_equal(ehdr->h_source, tpriv->packet->src))
+	} else if (src) {
+		if (!ether_addr_equal_unaligned(ehdr->h_source, src))
 			goto out;
 	}
 
@@ -714,7 +716,7 @@ static int stmmac_test_flowctrl_validate
 	struct ethhdr *ehdr;
 
 	ehdr = (struct ethhdr *)skb_mac_header(skb);
-	if (!ether_addr_equal(ehdr->h_source, orig_ndev->dev_addr))
+	if (!ether_addr_equal_unaligned(ehdr->h_source, orig_ndev->dev_addr))
 		goto out;
 	if (ehdr->h_proto != htons(ETH_P_PAUSE))
 		goto out;
@@ -856,7 +858,7 @@ static int stmmac_test_vlan_validate(str
 	}
 
 	ehdr = (struct ethhdr *)skb_mac_header(skb);
-	if (!ether_addr_equal(ehdr->h_dest, tpriv->packet->dst))
+	if (!ether_addr_equal_unaligned(ehdr->h_dest, tpriv->packet->dst))
 		goto out;
 
 	ihdr = ip_hdr(skb);
@@ -1546,7 +1548,7 @@ static int stmmac_test_arp_validate(stru
 	struct arphdr *ahdr;
 
 	ehdr = (struct ethhdr *)skb_mac_header(skb);
-	if (!ether_addr_equal(ehdr->h_dest, tpriv->packet->src))
+	if (!ether_addr_equal_unaligned(ehdr->h_dest, tpriv->packet->src))
 		goto out;
 
 	ahdr = arp_hdr(skb);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 165/222] net: stmmac: selftests: Mark as fail when received VLAN ID != expected
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 164/222] net: stmmac: selftests: Make it work in Synopsys AXS101 boards Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 166/222] selftests: mlxsw: qos_mc_aware: Fix mausezahn invocation Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jose Abreu, David S. Miller

From: Jose Abreu <Jose.Abreu@synopsys.com>

commit d39b68e5a736afa67d2e9cfb158efdd237d99dbd upstream.

When the VLAN ID does not match the expected one it means filter failed
in HW. Fix it.

Fixes: 94e18382003c ("net: stmmac: selftests: Add selftest for VLAN TX Offload")
Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
@@ -853,8 +853,12 @@ static int stmmac_test_vlan_validate(str
 	if (tpriv->vlan_id) {
 		if (skb->vlan_proto != htons(proto))
 			goto out;
-		if (skb->vlan_tci != tpriv->vlan_id)
+		if (skb->vlan_tci != tpriv->vlan_id) {
+			/* Means filter did not work. */
+			tpriv->ok = false;
+			complete(&tpriv->comp);
 			goto out;
+		}
 	}
 
 	ehdr = (struct ethhdr *)skb_mac_header(skb);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 166/222] selftests: mlxsw: qos_mc_aware: Fix mausezahn invocation
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 165/222] net: stmmac: selftests: Mark as fail when received VLAN ID != expected Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 167/222] net: stmmac: selftests: Update status when disabling RSS Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Petr Machata, Amit Cohen,
	Ido Schimmel, David S. Miller

From: Petr Machata <petrm@mellanox.com>

commit fef6d6704944c7be72fd2b77c021f1aed3d5df0d upstream.

Mausezahn does not recognize "own" as a keyword on source IP address. As a
result, the MC stream is not running at all, and therefore no UC
degradation can be observed even in principle.

Fix the invocation, and tighten the test: due to the minimum shaper
configured at the MC TCs, we always expect about 20% degradation. Fail the
test if it is lower.

Fixes: 573363a68f27 ("selftests: mlxsw: Add qos_lib.sh")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Reported-by: Amit Cohen <amitc@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh
+++ b/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh
@@ -232,7 +232,7 @@ test_mc_aware()
 	stop_traffic
 	local ucth1=${uc_rate[1]}
 
-	start_traffic $h1 own bc bc
+	start_traffic $h1 192.0.2.65 bc bc
 
 	local d0=$(date +%s)
 	local t0=$(ethtool_stats_get $h3 rx_octets_prio_0)
@@ -254,7 +254,11 @@ test_mc_aware()
 			ret = 100 * ($ucth1 - $ucth2) / $ucth1
 			if (ret > 0) { ret } else { 0 }
 		    ")
-	check_err $(bc <<< "$deg > 25")
+
+	# Minimum shaper of 200Mbps on MC TCs should cause about 20% of
+	# degradation on 1Gbps link.
+	check_err $(bc <<< "$deg < 15") "Minimum shaper not in effect"
+	check_err $(bc <<< "$deg > 25") "MC traffic degrades UC performance too much"
 
 	local interval=$((d1 - d0))
 	local mc_ir=$(rate $u0 $u1 $interval)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 167/222] net: stmmac: selftests: Update status when disabling RSS
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 166/222] selftests: mlxsw: qos_mc_aware: Fix mausezahn invocation Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 168/222] net: stmmac: tc: Do not setup flower filtering if RSS is enabled Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jose Abreu, David S. Miller

From: Jose Abreu <Jose.Abreu@synopsys.com>

commit e715d74504352968cf24ac95476706bc911a69cd upstream.

We are disabling RSS on HW but not updating the internal private status
to the 'disabled' state. This is needed for next tc commit that will
check if RSS is disabled before trying to apply filters.

Fixes: 4647e021193d ("net: stmmac: selftests: Add selftest for L3/L4 Filters")
Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c |   20 +++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
@@ -1297,16 +1297,19 @@ static int __stmmac_test_l3filt(struct s
 	struct stmmac_packet_attrs attr = { };
 	struct flow_dissector *dissector;
 	struct flow_cls_offload *cls;
+	int ret, old_enable = 0;
 	struct flow_rule *rule;
-	int ret;
 
 	if (!tc_can_offload(priv->dev))
 		return -EOPNOTSUPP;
 	if (!priv->dma_cap.l3l4fnum)
 		return -EOPNOTSUPP;
-	if (priv->rss.enable)
+	if (priv->rss.enable) {
+		old_enable = priv->rss.enable;
+		priv->rss.enable = false;
 		stmmac_rss_configure(priv, priv->hw, NULL,
 				     priv->plat->rx_queues_to_use);
+	}
 
 	dissector = kzalloc(sizeof(*dissector), GFP_KERNEL);
 	if (!dissector) {
@@ -1373,7 +1376,8 @@ cleanup_cls:
 cleanup_dissector:
 	kfree(dissector);
 cleanup_rss:
-	if (priv->rss.enable) {
+	if (old_enable) {
+		priv->rss.enable = old_enable;
 		stmmac_rss_configure(priv, priv->hw, &priv->rss,
 				     priv->plat->rx_queues_to_use);
 	}
@@ -1418,16 +1422,19 @@ static int __stmmac_test_l4filt(struct s
 	struct stmmac_packet_attrs attr = { };
 	struct flow_dissector *dissector;
 	struct flow_cls_offload *cls;
+	int ret, old_enable = 0;
 	struct flow_rule *rule;
-	int ret;
 
 	if (!tc_can_offload(priv->dev))
 		return -EOPNOTSUPP;
 	if (!priv->dma_cap.l3l4fnum)
 		return -EOPNOTSUPP;
-	if (priv->rss.enable)
+	if (priv->rss.enable) {
+		old_enable = priv->rss.enable;
+		priv->rss.enable = false;
 		stmmac_rss_configure(priv, priv->hw, NULL,
 				     priv->plat->rx_queues_to_use);
+	}
 
 	dissector = kzalloc(sizeof(*dissector), GFP_KERNEL);
 	if (!dissector) {
@@ -1499,7 +1506,8 @@ cleanup_cls:
 cleanup_dissector:
 	kfree(dissector);
 cleanup_rss:
-	if (priv->rss.enable) {
+	if (old_enable) {
+		priv->rss.enable = old_enable;
 		stmmac_rss_configure(priv, priv->hw, &priv->rss,
 				     priv->plat->rx_queues_to_use);
 	}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 168/222] net: stmmac: tc: Do not setup flower filtering if RSS is enabled
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 167/222] net: stmmac: selftests: Update status when disabling RSS Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 169/222] devlink: Wait longer before warning about unset port type Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jose Abreu, David S. Miller

From: Jose Abreu <Jose.Abreu@synopsys.com>

commit 7bd754c47dd3ad1b048c9641294b0234fcce2c58 upstream.

RSS, when enabled, will bypass the L3 and L4 filtering causing it not
to work. Add a check before trying to setup the filters.

Fixes: 425eabddaf0f ("net: stmmac: Implement L3/L4 Filters using TC Flower")
Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
@@ -579,6 +579,10 @@ static int tc_setup_cls(struct stmmac_pr
 {
 	int ret = 0;
 
+	/* When RSS is enabled, the filtering will be bypassed */
+	if (priv->rss.enable)
+		return -EBUSY;
+
 	switch (cls->command) {
 	case FLOW_CLS_REPLACE:
 		ret = tc_add_flow(priv, cls);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 169/222] devlink: Wait longer before warning about unset port type
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 168/222] net: stmmac: tc: Do not setup flower filtering if RSS is enabled Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 170/222] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel,
	syzbot+b0a18ed7b08b735d2f41, Alex Veber, Jiri Pirko,
	David S. Miller

From: Ido Schimmel <idosch@mellanox.com>

commit 4c582234ab3948d08a24c82eb1e00436aabacbc6 upstream.

The commit cited below causes devlink to emit a warning if a type was
not set on a devlink port for longer than 30 seconds to "prevent
misbehavior of drivers". This proved to be problematic when
unregistering the backing netdev. The flow is always:

devlink_port_type_clear()	// schedules the warning
unregister_netdev()		// blocking
devlink_port_unregister()	// cancels the warning

The call to unregister_netdev() can block for long periods of time for
various reasons: RTNL lock is contended, large amounts of configuration
to unroll following dismantle of the netdev, etc. This results in
devlink emitting a warning despite the driver behaving correctly.

In emulated environments (of future hardware) which are usually very
slow, the warning can also be emitted during port creation as more than
30 seconds can pass between the time the devlink port is registered and
when its type is set.

In addition, syzbot has hit this warning [1] 1974 times since 07/11/19
without being able to produce a reproducer. Probably because
reproduction depends on the load or other bugs (e.g., RTNL not being
released).

To prevent bogus warnings, increase the timeout to 1 hour.

[1] https://syzkaller.appspot.com/bug?id=e99b59e9c024a666c9f7450dc162a4b74d09d9cb

Fixes: 136bf27fc0e9 ("devlink: add warning in case driver does not set port type")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: syzbot+b0a18ed7b08b735d2f41@syzkaller.appspotmail.com
Reported-by: Alex Veber <alexve@mellanox.com>
Tested-by: Alex Veber <alexve@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/devlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/devlink.c
+++ b/net/core/devlink.c
@@ -6280,7 +6280,7 @@ static bool devlink_port_type_should_war
 	       devlink_port->attrs.flavour != DEVLINK_PORT_FLAVOUR_DSA;
 }
 
-#define DEVLINK_PORT_TYPE_WARN_TIMEOUT (HZ * 30)
+#define DEVLINK_PORT_TYPE_WARN_TIMEOUT (HZ * 3600)
 
 static void devlink_port_type_warn_schedule(struct devlink_port *devlink_port)
 {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 170/222] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 169/222] devlink: Wait longer before warning about unset port type Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 171/222] dt-bindings: Add missing properties keyword enclosing snps,tso Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Juergen Gross,
	Roger Pau Monné

From: Nathan Chancellor <natechancellor@gmail.com>

commit 589b72894f53124a39d1bb3c0cecaf9dcabac417 upstream.

Clang warns:

../drivers/block/xen-blkfront.c:1117:4: warning: misleading indentation;
statement is not part of the previous 'if' [-Wmisleading-indentation]
                nr_parts = PARTS_PER_DISK;
                ^
../drivers/block/xen-blkfront.c:1115:3: note: previous statement is here
                if (err)
                ^

This is because there is a space at the beginning of this line; remove
it so that the indentation is consistent according to the Linux kernel
coding style and clang no longer warns.

While we are here, the previous line has some trailing whitespace; clean
that up as well.

Fixes: c80a420995e7 ("xen-blkfront: handle Xen major numbers other than XENVBD")
Link: https://github.com/ClangBuiltLinux/linux/issues/791
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/xen-blkfront.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -1113,8 +1113,8 @@ static int xlvbd_alloc_gendisk(blkif_sec
 	if (!VDEV_IS_EXTENDED(info->vdevice)) {
 		err = xen_translate_vdev(info->vdevice, &minor, &offset);
 		if (err)
-			return err;		
- 		nr_parts = PARTS_PER_DISK;
+			return err;
+		nr_parts = PARTS_PER_DISK;
 	} else {
 		minor = BLKIF_MINOR_EXT(info->vdevice);
 		nr_parts = PARTS_PER_EXT_DISK;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 171/222] dt-bindings: Add missing properties keyword enclosing snps,tso
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 170/222] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 172/222] tcp: refine rule to allow EPOLLOUT generation under mem pressure Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David S. Miller, Maxime Ripard, Rob Herring

From: Rob Herring <robh@kernel.org>

commit dbce0b65046d1735d7054c54ec2387dba84ba258 upstream.

DT property definitions must be under a 'properties' keyword. This was
missing for 'snps,tso' in an if/then clause. A meta-schema fix will
catch future errors like this.

Fixes: 7db3545aef5f ("dt-bindings: net: stmmac: Convert the binding to a schemas")
Cc: "David S. Miller" <davem@davemloft.net>
Acked-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/devicetree/bindings/net/snps,dwmac.yaml |    1 +
 1 file changed, 1 insertion(+)

--- a/Documentation/devicetree/bindings/net/snps,dwmac.yaml
+++ b/Documentation/devicetree/bindings/net/snps,dwmac.yaml
@@ -347,6 +347,7 @@ allOf:
               - st,spear600-gmac
 
     then:
+      properties:
         snps,tso:
           $ref: /schemas/types.yaml#definitions/flag
           description:



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 172/222] tcp: refine rule to allow EPOLLOUT generation under mem pressure
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 171/222] dt-bindings: Add missing properties keyword enclosing snps,tso Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 173/222] irqchip: Place CONFIG_SIFIVE_PLIC into the menu Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Jason Baron,
	Neal Cardwell, Soheil Hassas Yeganeh, Jakub Kicinski

From: Eric Dumazet <edumazet@google.com>

commit 216808c6ba6d00169fd2aa928ec3c0e63bef254f upstream.

At the time commit ce5ec440994b ("tcp: ensure epoll edge trigger
wakeup when write queue is empty") was added to the kernel,
we still had a single write queue, combining rtx and write queues.

Once we moved the rtx queue into a separate rb-tree, testing
if sk_write_queue is empty has been suboptimal.

Indeed, if we have packets in the rtx queue, we probably want
to delay the EPOLLOUT generation at the time incoming packets
will free them, making room, but more importantly avoiding
flooding application with EPOLLOUT events.

Solution is to use tcp_rtx_and_write_queues_empty() helper.

Fixes: 75c119afe14f ("tcp: implement rb-tree based retransmit queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jason Baron <jbaron@akamai.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/tcp.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1087,8 +1087,7 @@ do_error:
 		goto out;
 out_err:
 	/* make sure we wake any epoll edge trigger waiter */
-	if (unlikely(skb_queue_len(&sk->sk_write_queue) == 0 &&
-		     err == -EAGAIN)) {
+	if (unlikely(tcp_rtx_and_write_queues_empty(sk) && err == -EAGAIN)) {
 		sk->sk_write_space(sk);
 		tcp_chrono_stop(sk, TCP_CHRONO_SNDBUF_LIMITED);
 	}
@@ -1419,8 +1418,7 @@ out_err:
 	sock_zerocopy_put_abort(uarg, true);
 	err = sk_stream_error(sk, flags, err);
 	/* make sure we wake any epoll edge trigger waiter */
-	if (unlikely(skb_queue_len(&sk->sk_write_queue) == 0 &&
-		     err == -EAGAIN)) {
+	if (unlikely(tcp_rtx_and_write_queues_empty(sk) && err == -EAGAIN)) {
 		sk->sk_write_space(sk);
 		tcp_chrono_stop(sk, TCP_CHRONO_SNDBUF_LIMITED);
 	}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 173/222] irqchip: Place CONFIG_SIFIVE_PLIC into the menu
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 172/222] tcp: refine rule to allow EPOLLOUT generation under mem pressure Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 174/222] arm64: dts: qcom: msm8998: Disable coresight by default Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Neuschäfer,
	Marc Zyngier, Palmer Dabbelt

From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>

commit 0149385537e6d36f535fcd83cfcabf83a32f0836 upstream.

Somehow CONFIG_SIFIVE_PLIC ended up outside of the "IRQ chip support"
menu.

Fixes: 8237f8bc4f6e ("irqchip: add a SiFive PLIC driver")
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Palmer Dabbelt <palmer@sifive.com>
Acked-by: Palmer Dabbelt <palmer@sifive.com>
Link: https://lore.kernel.org/r/20191002144452.10178-1-j.neuschaefer@gmx.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/irqchip/Kconfig |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/irqchip/Kconfig
+++ b/drivers/irqchip/Kconfig
@@ -483,8 +483,6 @@ config TI_SCI_INTA_IRQCHIP
 	  If you wish to use interrupt aggregator irq resources managed by the
 	  TI System Controller, say Y here. Otherwise, say N.
 
-endmenu
-
 config SIFIVE_PLIC
 	bool "SiFive Platform-Level Interrupt Controller"
 	depends on RISCV
@@ -496,3 +494,5 @@ config SIFIVE_PLIC
 	   interrupt sources are subordinate to the PLIC.
 
 	   If you don't know what to do here, say Y.
+
+endmenu



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 174/222] arm64: dts: qcom: msm8998: Disable coresight by default
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 173/222] irqchip: Place CONFIG_SIFIVE_PLIC into the menu Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 175/222] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sai Prakash Ranjan, Bjorn Andersson,
	Jeffrey Hugo

From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>

commit a636f93fcdb4a516e7cba6a365645ee8429602b2 upstream.

Boot failure has been reported on MSM8998 based laptop when
coresight is enabled. This is most likely due to lack of
firmware support for coresight on production device when
compared to debug device like MTP where this issue is not
observed. So disable coresight by default for MSM8998 and
enable it only for MSM8998 MTP.

Reported-and-tested-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Fixes: 783abfa2249a ("arm64: dts: qcom: msm8998: Add Coresight support")
Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/qcom/msm8998-mtp.dtsi |   68 ++++++++++++++++++++++++++++++
 arch/arm64/boot/dts/qcom/msm8998.dtsi     |   51 +++++++++++++++-------
 2 files changed, 102 insertions(+), 17 deletions(-)

--- a/arch/arm64/boot/dts/qcom/msm8998-mtp.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8998-mtp.dtsi
@@ -27,6 +27,66 @@
 	status = "okay";
 };
 
+&etf {
+	status = "okay";
+};
+
+&etm1 {
+	status = "okay";
+};
+
+&etm2 {
+	status = "okay";
+};
+
+&etm3 {
+	status = "okay";
+};
+
+&etm4 {
+	status = "okay";
+};
+
+&etm5 {
+	status = "okay";
+};
+
+&etm6 {
+	status = "okay";
+};
+
+&etm7 {
+	status = "okay";
+};
+
+&etm8 {
+	status = "okay";
+};
+
+&etr {
+	status = "okay";
+};
+
+&funnel1 {
+	status = "okay";
+};
+
+&funnel2 {
+	status = "okay";
+};
+
+&funnel3 {
+	status = "okay";
+};
+
+&funnel4 {
+	status = "okay";
+};
+
+&funnel5 {
+	status = "okay";
+};
+
 &pm8005_lsid1 {
 	pm8005-regulators {
 		compatible = "qcom,pm8005-regulators";
@@ -51,6 +111,10 @@
 	vdda-phy-dpdm-supply = <&vreg_l24a_3p075>;
 };
 
+&replicator1 {
+	status = "okay";
+};
+
 &rpm_requests {
 	pm8998-regulators {
 		compatible = "qcom,rpm-pm8998-regulators";
@@ -249,6 +313,10 @@
 	pinctrl-1 = <&sdc2_clk_off &sdc2_cmd_off &sdc2_data_off &sdc2_cd_off>;
 };
 
+&stm {
+	status = "okay";
+};
+
 &ufshc {
 	vcc-supply = <&vreg_l20a_2p95>;
 	vccq-supply = <&vreg_l26a_1p2>;
--- a/arch/arm64/boot/dts/qcom/msm8998.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8998.dtsi
@@ -998,11 +998,12 @@
 			#interrupt-cells = <0x2>;
 		};
 
-		stm@6002000 {
+		stm: stm@6002000 {
 			compatible = "arm,coresight-stm", "arm,primecell";
 			reg = <0x06002000 0x1000>,
 			      <0x16280000 0x180000>;
 			reg-names = "stm-base", "stm-data-base";
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1016,9 +1017,10 @@
 			};
 		};
 
-		funnel@6041000 {
+		funnel1: funnel@6041000 {
 			compatible = "arm,coresight-dynamic-funnel", "arm,primecell";
 			reg = <0x06041000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1045,9 +1047,10 @@
 			};
 		};
 
-		funnel@6042000 {
+		funnel2: funnel@6042000 {
 			compatible = "arm,coresight-dynamic-funnel", "arm,primecell";
 			reg = <0x06042000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1075,9 +1078,10 @@
 			};
 		};
 
-		funnel@6045000 {
+		funnel3: funnel@6045000 {
 			compatible = "arm,coresight-dynamic-funnel", "arm,primecell";
 			reg = <0x06045000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1113,9 +1117,10 @@
 			};
 		};
 
-		replicator@6046000 {
+		replicator1: replicator@6046000 {
 			compatible = "arm,coresight-dynamic-replicator", "arm,primecell";
 			reg = <0x06046000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1137,9 +1142,10 @@
 			};
 		};
 
-		etf@6047000 {
+		etf: etf@6047000 {
 			compatible = "arm,coresight-tmc", "arm,primecell";
 			reg = <0x06047000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1163,9 +1169,10 @@
 			};
 		};
 
-		etr@6048000 {
+		etr: etr@6048000 {
 			compatible = "arm,coresight-tmc", "arm,primecell";
 			reg = <0x06048000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1181,9 +1188,10 @@
 			};
 		};
 
-		etm@7840000 {
+		etm1: etm@7840000 {
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07840000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1200,9 +1208,10 @@
 			};
 		};
 
-		etm@7940000 {
+		etm2: etm@7940000 {
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07940000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1219,9 +1228,10 @@
 			};
 		};
 
-		etm@7a40000 {
+		etm3: etm@7a40000 {
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07a40000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1238,9 +1248,10 @@
 			};
 		};
 
-		etm@7b40000 {
+		etm4: etm@7b40000 {
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07b40000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1257,9 +1268,10 @@
 			};
 		};
 
-		funnel@7b60000 { /* APSS Funnel */
+		funnel4: funnel@7b60000 { /* APSS Funnel */
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07b60000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1343,9 +1355,10 @@
 			};
 		};
 
-		funnel@7b70000 {
+		funnel5: funnel@7b70000 {
 			compatible = "arm,coresight-dynamic-funnel", "arm,primecell";
 			reg = <0x07b70000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1369,9 +1382,10 @@
 			};
 		};
 
-		etm@7c40000 {
+		etm5: etm@7c40000 {
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07c40000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1385,9 +1399,10 @@
 			};
 		};
 
-		etm@7d40000 {
+		etm6: etm@7d40000 {
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07d40000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1401,9 +1416,10 @@
 			};
 		};
 
-		etm@7e40000 {
+		etm7: etm@7e40000 {
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07e40000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";
@@ -1417,9 +1433,10 @@
 			};
 		};
 
-		etm@7f40000 {
+		etm8: etm@7f40000 {
 			compatible = "arm,coresight-etm4x", "arm,primecell";
 			reg = <0x07f40000 0x1000>;
+			status = "disabled";
 
 			clocks = <&rpmcc RPM_SMD_QDSS_CLK>, <&rpmcc RPM_SMD_QDSS_A_CLK>;
 			clock-names = "apb_pclk", "atclk";



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 175/222] cw1200: Fix a signedness bug in cw1200_load_firmware()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 174/222] arm64: dts: qcom: msm8998: Disable coresight by default Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 176/222] arm64: dts: meson: axg: fix audio fifo reg size Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Kalle Valo

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 4a50d454502f1401171ff061a5424583f91266db upstream.

The "priv->hw_type" is an enum and in this context GCC will treat it
as an unsigned int so the error handling will never trigger.

Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/st/cw1200/fwio.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/st/cw1200/fwio.c
+++ b/drivers/net/wireless/st/cw1200/fwio.c
@@ -320,12 +320,12 @@ int cw1200_load_firmware(struct cw1200_c
 		goto out;
 	}
 
-	priv->hw_type = cw1200_get_hw_type(val32, &major_revision);
-	if (priv->hw_type < 0) {
+	ret = cw1200_get_hw_type(val32, &major_revision);
+	if (ret < 0) {
 		pr_err("Can't deduce hardware type.\n");
-		ret = -ENOTSUPP;
 		goto out;
 	}
+	priv->hw_type = ret;
 
 	/* Set DPLL Reg value, and read back to confirm writes work */
 	ret = cw1200_reg_write_32(priv, ST90TDS_TSET_GEN_R_W_REG_ID,



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 176/222] arm64: dts: meson: axg: fix audio fifo reg size
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 175/222] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 177/222] arm64: dts: meson: g12: " Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jerome Brunet, Kevin Hilman

From: Jerome Brunet <jbrunet@baylibre.com>

commit 301b94d434ac3a3cd576a4bc1053cc243d6bd841 upstream.

The register region size initially is too small to access all
the fifo registers.

Fixes: f2b8f6a93357 ("arm64: dts: meson-axg: add audio fifos")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/amlogic/meson-axg.dtsi |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi
+++ b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi
@@ -1162,7 +1162,7 @@
 
 			toddr_a: audio-controller@100 {
 				compatible = "amlogic,axg-toddr";
-				reg = <0x0 0x100 0x0 0x1c>;
+				reg = <0x0 0x100 0x0 0x2c>;
 				#sound-dai-cells = <0>;
 				sound-name-prefix = "TODDR_A";
 				interrupts = <GIC_SPI 84 IRQ_TYPE_EDGE_RISING>;
@@ -1173,7 +1173,7 @@
 
 			toddr_b: audio-controller@140 {
 				compatible = "amlogic,axg-toddr";
-				reg = <0x0 0x140 0x0 0x1c>;
+				reg = <0x0 0x140 0x0 0x2c>;
 				#sound-dai-cells = <0>;
 				sound-name-prefix = "TODDR_B";
 				interrupts = <GIC_SPI 85 IRQ_TYPE_EDGE_RISING>;
@@ -1184,7 +1184,7 @@
 
 			toddr_c: audio-controller@180 {
 				compatible = "amlogic,axg-toddr";
-				reg = <0x0 0x180 0x0 0x1c>;
+				reg = <0x0 0x180 0x0 0x2c>;
 				#sound-dai-cells = <0>;
 				sound-name-prefix = "TODDR_C";
 				interrupts = <GIC_SPI 86 IRQ_TYPE_EDGE_RISING>;
@@ -1195,7 +1195,7 @@
 
 			frddr_a: audio-controller@1c0 {
 				compatible = "amlogic,axg-frddr";
-				reg = <0x0 0x1c0 0x0 0x1c>;
+				reg = <0x0 0x1c0 0x0 0x2c>;
 				#sound-dai-cells = <0>;
 				sound-name-prefix = "FRDDR_A";
 				interrupts = <GIC_SPI 88 IRQ_TYPE_EDGE_RISING>;
@@ -1206,7 +1206,7 @@
 
 			frddr_b: audio-controller@200 {
 				compatible = "amlogic,axg-frddr";
-				reg = <0x0 0x200 0x0 0x1c>;
+				reg = <0x0 0x200 0x0 0x2c>;
 				#sound-dai-cells = <0>;
 				sound-name-prefix = "FRDDR_B";
 				interrupts = <GIC_SPI 89 IRQ_TYPE_EDGE_RISING>;
@@ -1217,7 +1217,7 @@
 
 			frddr_c: audio-controller@240 {
 				compatible = "amlogic,axg-frddr";
-				reg = <0x0 0x240 0x0 0x1c>;
+				reg = <0x0 0x240 0x0 0x2c>;
 				#sound-dai-cells = <0>;
 				sound-name-prefix = "FRDDR_C";
 				interrupts = <GIC_SPI 90 IRQ_TYPE_EDGE_RISING>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 177/222] arm64: dts: meson: g12: fix audio fifo reg size
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 176/222] arm64: dts: meson: axg: fix audio fifo reg size Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 178/222] arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jerome Brunet, Kevin Hilman

From: Jerome Brunet <jbrunet@baylibre.com>

commit 22c4b148a0a1085e57a470e6f7dc515cf08f5a5c upstream.

The register region size initially is too small to access all
the fifo registers.

Fixes: c59b7fe5aafd ("arm64: dts: meson: g12a: add audio fifos")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
+++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
@@ -1509,7 +1509,7 @@
 				toddr_a: audio-controller@100 {
 					compatible = "amlogic,g12a-toddr",
 						     "amlogic,axg-toddr";
-					reg = <0x0 0x100 0x0 0x1c>;
+					reg = <0x0 0x100 0x0 0x2c>;
 					#sound-dai-cells = <0>;
 					sound-name-prefix = "TODDR_A";
 					interrupts = <GIC_SPI 148 IRQ_TYPE_EDGE_RISING>;
@@ -1521,7 +1521,7 @@
 				toddr_b: audio-controller@140 {
 					compatible = "amlogic,g12a-toddr",
 						     "amlogic,axg-toddr";
-					reg = <0x0 0x140 0x0 0x1c>;
+					reg = <0x0 0x140 0x0 0x2c>;
 					#sound-dai-cells = <0>;
 					sound-name-prefix = "TODDR_B";
 					interrupts = <GIC_SPI 149 IRQ_TYPE_EDGE_RISING>;
@@ -1533,7 +1533,7 @@
 				toddr_c: audio-controller@180 {
 					compatible = "amlogic,g12a-toddr",
 						     "amlogic,axg-toddr";
-					reg = <0x0 0x180 0x0 0x1c>;
+					reg = <0x0 0x180 0x0 0x2c>;
 					#sound-dai-cells = <0>;
 					sound-name-prefix = "TODDR_C";
 					interrupts = <GIC_SPI 150 IRQ_TYPE_EDGE_RISING>;
@@ -1545,7 +1545,7 @@
 				frddr_a: audio-controller@1c0 {
 					compatible = "amlogic,g12a-frddr",
 						     "amlogic,axg-frddr";
-					reg = <0x0 0x1c0 0x0 0x1c>;
+					reg = <0x0 0x1c0 0x0 0x2c>;
 					#sound-dai-cells = <0>;
 					sound-name-prefix = "FRDDR_A";
 					interrupts = <GIC_SPI 152 IRQ_TYPE_EDGE_RISING>;
@@ -1557,7 +1557,7 @@
 				frddr_b: audio-controller@200 {
 					compatible = "amlogic,g12a-frddr",
 						     "amlogic,axg-frddr";
-					reg = <0x0 0x200 0x0 0x1c>;
+					reg = <0x0 0x200 0x0 0x2c>;
 					#sound-dai-cells = <0>;
 					sound-name-prefix = "FRDDR_B";
 					interrupts = <GIC_SPI 153 IRQ_TYPE_EDGE_RISING>;
@@ -1569,7 +1569,7 @@
 				frddr_c: audio-controller@240 {
 					compatible = "amlogic,g12a-frddr",
 						     "amlogic,axg-frddr";
-					reg = <0x0 0x240 0x0 0x1c>;
+					reg = <0x0 0x240 0x0 0x2c>;
 					#sound-dai-cells = <0>;
 					sound-name-prefix = "FRDDR_C";
 					interrupts = <GIC_SPI 154 IRQ_TYPE_EDGE_RISING>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 178/222] arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 177/222] arm64: dts: meson: g12: " Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 179/222] arm64: dts: renesas: r8a77970: Fix PWM3 Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christian Hewitt, Kevin Hilman

From: Christian Hewitt <christianshewitt@gmail.com>

commit d5f6fa904ecbadbb8e9fa6302b0fc165bec0559a upstream.

Fix DTC warnings:

arch/arm/dts/meson-gxl-s905x-khadas-vim.dtb: Warning (avoid_unnecessary_addr_size):
   /gpio-keys-polled: unnecessary #address-cells/#size-cells
      without "ranges" or child "reg" property

Fixes: e15d2774b8c0 ("ARM64: dts: meson-gxl: add support for the Khadas VIM board")
Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
Reviewed-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/amlogic/meson-gxl-s905x-khadas-vim.dts |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-khadas-vim.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-khadas-vim.dts
@@ -33,11 +33,9 @@
 
 	gpio-keys-polled {
 		compatible = "gpio-keys-polled";
-		#address-cells = <1>;
-		#size-cells = <0>;
 		poll-interval = <100>;
 
-		button@0 {
+		power-button {
 			label = "power";
 			linux,code = <KEY_POWER>;
 			gpios = <&gpio_ao GPIOAO_2 GPIO_ACTIVE_LOW>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 179/222] arm64: dts: renesas: r8a77970: Fix PWM3
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 178/222] arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 180/222] arm64: dts: marvell: Add AP806-dual missing CPU clocks Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kieran Bingham, Simon Horman,
	Geert Uytterhoeven

From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>

commit 28a1b34c00dad4be91108369ca25ef8dc8bf850d upstream.

The pwm3 was incorrectly added with a compatible reference to the
renesas,pwm-r8a7790 (H2) due to a single characther ommision.

Fix the compatible string.

Fixes: de625477c632 ("arm64: dts: renesas: r8a779{7|8}0: add PWM support")
Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Link: https://lore.kernel.org/r/20190912103143.985-1-kieran.bingham+renesas@ideasonboard.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/renesas/r8a77970.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/renesas/r8a77970.dtsi
+++ b/arch/arm64/boot/dts/renesas/r8a77970.dtsi
@@ -652,7 +652,7 @@
 		};
 
 		pwm3: pwm@e6e33000 {
-			compatible = "renesas,pwm-r8a7790", "renesas,pwm-rcar";
+			compatible = "renesas,pwm-r8a77970", "renesas,pwm-rcar";
 			reg = <0 0xe6e33000 0 8>;
 			#pwm-cells = <2>;
 			clocks = <&cpg CPG_MOD 523>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 180/222] arm64: dts: marvell: Add AP806-dual missing CPU clocks
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 179/222] arm64: dts: renesas: r8a77970: Fix PWM3 Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 181/222] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miquel Raynal, Gregory CLEMENT

From: Miquel Raynal <miquel.raynal@bootlin.com>

commit e231c6d47cca4b5df51bcf72dec1af767e63feaf upstream.

CPU clocks have been added to AP806-quad but not to the -dual
variant.

Fixes: c00bc38354cf ("arm64: dts: marvell: Add cpu clock node on Armada 7K/8K")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi
+++ b/arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi
@@ -21,6 +21,7 @@
 			reg = <0x000>;
 			enable-method = "psci";
 			#cooling-cells = <2>;
+			clocks = <&cpu_clk 0>;
 		};
 		cpu1: cpu@1 {
 			device_type = "cpu";
@@ -28,6 +29,7 @@
 			reg = <0x001>;
 			enable-method = "psci";
 			#cooling-cells = <2>;
+			clocks = <&cpu_clk 0>;
 		};
 	};
 };



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 181/222] cfg80211: check for set_wiphy_params
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 180/222] arm64: dts: marvell: Add AP806-dual missing CPU clocks Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 182/222] tick/sched: Annotate lockless access to last_jiffies_update Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e8a797964a4180eb57d5,
	syzbot+34b582cf32c1db008f8e, Johannes Berg

From: Johannes Berg <johannes.berg@intel.com>

commit 24953de0a5e31dcca7e82c8a3c79abc2dfe8fb6e upstream.

Check if set_wiphy_params is assigned and return an error if not,
some drivers (e.g. virt_wifi where syzbot reported it) don't have
it.

Reported-by: syzbot+e8a797964a4180eb57d5@syzkaller.appspotmail.com
Reported-by: syzbot+34b582cf32c1db008f8e@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20200113125358.ac07f276efff.Ibd85ee1b12e47b9efb00a2adc5cd3fac50da791a@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/rdev-ops.h |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/wireless/rdev-ops.h
+++ b/net/wireless/rdev-ops.h
@@ -538,6 +538,10 @@ static inline int
 rdev_set_wiphy_params(struct cfg80211_registered_device *rdev, u32 changed)
 {
 	int ret;
+
+	if (!rdev->ops->set_wiphy_params)
+		return -EOPNOTSUPP;
+
 	trace_rdev_set_wiphy_params(&rdev->wiphy, changed);
 	ret = rdev->ops->set_wiphy_params(&rdev->wiphy, changed);
 	trace_rdev_return_int(&rdev->wiphy, ret);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 182/222] tick/sched: Annotate lockless access to last_jiffies_update
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 181/222] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 183/222] arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Eric Dumazet, Thomas Gleixner

From: Eric Dumazet <edumazet@google.com>

commit de95a991bb72e009f47e0c4bbc90fc5f594588d5 upstream.

syzbot (KCSAN) reported a data-race in tick_do_update_jiffies64():

BUG: KCSAN: data-race in tick_do_update_jiffies64 / tick_do_update_jiffies64

write to 0xffffffff8603d008 of 8 bytes by interrupt on cpu 1:
 tick_do_update_jiffies64+0x100/0x250 kernel/time/tick-sched.c:73
 tick_sched_do_timer+0xd4/0xe0 kernel/time/tick-sched.c:138
 tick_sched_timer+0x43/0xe0 kernel/time/tick-sched.c:1292
 __run_hrtimer kernel/time/hrtimer.c:1514 [inline]
 __hrtimer_run_queues+0x274/0x5f0 kernel/time/hrtimer.c:1576
 hrtimer_interrupt+0x22a/0x480 kernel/time/hrtimer.c:1638
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline]
 smp_apic_timer_interrupt+0xdc/0x280 arch/x86/kernel/apic/apic.c:1135
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 arch_local_irq_restore arch/x86/include/asm/paravirt.h:756 [inline]
 kcsan_setup_watchpoint+0x1d4/0x460 kernel/kcsan/core.c:436
 check_access kernel/kcsan/core.c:466 [inline]
 __tsan_read1 kernel/kcsan/core.c:593 [inline]
 __tsan_read1+0xc2/0x100 kernel/kcsan/core.c:593
 kallsyms_expand_symbol.constprop.0+0x70/0x160 kernel/kallsyms.c:79
 kallsyms_lookup_name+0x7f/0x120 kernel/kallsyms.c:170
 insert_report_filterlist kernel/kcsan/debugfs.c:155 [inline]
 debugfs_write+0x14b/0x2d0 kernel/kcsan/debugfs.c:256
 full_proxy_write+0xbd/0x100 fs/debugfs/file.c:225
 __vfs_write+0x67/0xc0 fs/read_write.c:494
 vfs_write fs/read_write.c:558 [inline]
 vfs_write+0x18a/0x390 fs/read_write.c:542
 ksys_write+0xd5/0x1b0 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x4c/0x60 fs/read_write.c:620
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

read to 0xffffffff8603d008 of 8 bytes by task 0 on cpu 0:
 tick_do_update_jiffies64+0x2b/0x250 kernel/time/tick-sched.c:62
 tick_nohz_update_jiffies kernel/time/tick-sched.c:505 [inline]
 tick_nohz_irq_enter kernel/time/tick-sched.c:1257 [inline]
 tick_irq_enter+0x139/0x1c0 kernel/time/tick-sched.c:1274
 irq_enter+0x4f/0x60 kernel/softirq.c:354
 entering_irq arch/x86/include/asm/apic.h:517 [inline]
 entering_ack_irq arch/x86/include/asm/apic.h:523 [inline]
 smp_apic_timer_interrupt+0x55/0x280 arch/x86/kernel/apic/apic.c:1133
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:60
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:571
 default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x1af/0x280 kernel/sched/idle.c:263
 cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355
 rest_init+0xec/0xf6 init/main.c:452
 arch_call_rest_init+0x17/0x37
 start_kernel+0x838/0x85e init/main.c:786
 x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
 x86_64_start_kernel+0x72/0x76 arch/x86/kernel/head64.c:471
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Use READ_ONCE() and WRITE_ONCE() to annotate this expected race.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20191205045619.204946-1-edumazet@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/time/tick-sched.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -58,8 +58,9 @@ static void tick_do_update_jiffies64(kti
 
 	/*
 	 * Do a quick check without holding jiffies_lock:
+	 * The READ_ONCE() pairs with two updates done later in this function.
 	 */
-	delta = ktime_sub(now, last_jiffies_update);
+	delta = ktime_sub(now, READ_ONCE(last_jiffies_update));
 	if (delta < tick_period)
 		return;
 
@@ -70,8 +71,9 @@ static void tick_do_update_jiffies64(kti
 	if (delta >= tick_period) {
 
 		delta = ktime_sub(delta, tick_period);
-		last_jiffies_update = ktime_add(last_jiffies_update,
-						tick_period);
+		/* Pairs with the lockless read in this function. */
+		WRITE_ONCE(last_jiffies_update,
+			   ktime_add(last_jiffies_update, tick_period));
 
 		/* Slow path for long timeouts */
 		if (unlikely(delta >= tick_period)) {
@@ -79,8 +81,10 @@ static void tick_do_update_jiffies64(kti
 
 			ticks = ktime_divns(delta, incr);
 
-			last_jiffies_update = ktime_add_ns(last_jiffies_update,
-							   incr * ticks);
+			/* Pairs with the lockless read in this function. */
+			WRITE_ONCE(last_jiffies_update,
+				   ktime_add_ns(last_jiffies_update,
+						incr * ticks));
 		}
 		do_timer(++ticks);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 183/222] arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 182/222] tick/sched: Annotate lockless access to last_jiffies_update Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 184/222] arm64: dts: renesas: r8a774a1: Remove audio port node Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miquel Raynal, Gregory CLEMENT

From: Miquel Raynal <miquel.raynal@bootlin.com>

commit 2bc26088ba37d4f2a4b8bd813ee757992522d082 upstream.

Fix this tiny typo before renaming/changing this file.

Fixes: 72a3713fadfd ("arm64: dts: marvell: de-duplicate CP110 description")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/marvell/armada-cp110.dtsi |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm64/boot/dts/marvell/armada-cp110.dtsi
+++ b/arch/arm64/boot/dts/marvell/armada-cp110.dtsi
@@ -438,10 +438,10 @@
 
 		CP110_LABEL(nand_controller): nand@720000 {
 			/*
-			* Due to the limitation of the pins available
-			* this controller is only usable on the CPM
-			* for A7K and on the CPS for A8K.
-			*/
+			 * Due to the limitation of the pins available
+			 * this controller is only usable on the CPM
+			 * for A7K and on the CPS for A8K.
+			 */
 			compatible = "marvell,armada-8k-nand-controller",
 				"marvell,armada370-nand-controller";
 			reg = <0x720000 0x54>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 184/222] arm64: dts: renesas: r8a774a1: Remove audio port node
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 183/222] arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 185/222] arm64: dts: imx8mm-evk: Assigned clocks for audio plls Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Biju Das, Geert Uytterhoeven

From: Biju Das <biju.das@bp.renesas.com>

commit a381325812691f57aece60aaee76938ac8fc6619 upstream.

This patch removes audio port node from SoC device tree and
fixes the below dtb warning

    Warning (unit_address_vs_reg): /soc/sound@ec500000/ports/port@0: node has a unit name, but no reg property

Fixes: e2f04248fcd4 ("arm64: dts: renesas: r8a774a1: Add audio support")
Signed-off-by: Biju Das <biju.das@bp.renesas.com>
Link: https://lore.kernel.org/r/1570200761-884-1-git-send-email-biju.das@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/renesas/hihope-common.dtsi |   22 ++++++++++------------
 arch/arm64/boot/dts/renesas/r8a774a1.dtsi      |   11 -----------
 2 files changed, 10 insertions(+), 23 deletions(-)

--- a/arch/arm64/boot/dts/renesas/hihope-common.dtsi
+++ b/arch/arm64/boot/dts/renesas/hihope-common.dtsi
@@ -86,7 +86,7 @@
 
 		label = "rcar-sound";
 
-		dais = <&rsnd_port0>;
+		dais = <&rsnd_port>;
 	};
 
 	vbus0_usb2: regulator-vbus0-usb2 {
@@ -191,7 +191,7 @@
 		port@2 {
 			reg = <2>;
 			dw_hdmi0_snd_in: endpoint {
-				remote-endpoint = <&rsnd_endpoint0>;
+				remote-endpoint = <&rsnd_endpoint>;
 			};
 		};
 	};
@@ -327,17 +327,15 @@
 	/* Single DAI */
 	#sound-dai-cells = <0>;
 
-	ports {
-		rsnd_port0: port@0 {
-			rsnd_endpoint0: endpoint {
-				remote-endpoint = <&dw_hdmi0_snd_in>;
-
-				dai-format = "i2s";
-				bitclock-master = <&rsnd_endpoint0>;
-				frame-master = <&rsnd_endpoint0>;
+	rsnd_port: port {
+		rsnd_endpoint: endpoint {
+			remote-endpoint = <&dw_hdmi0_snd_in>;
+
+			dai-format = "i2s";
+			bitclock-master = <&rsnd_endpoint>;
+			frame-master = <&rsnd_endpoint>;
 
-				playback = <&ssi2>;
-			};
+			playback = <&ssi2>;
 		};
 	};
 };
--- a/arch/arm64/boot/dts/renesas/r8a774a1.dtsi
+++ b/arch/arm64/boot/dts/renesas/r8a774a1.dtsi
@@ -1726,17 +1726,6 @@
 				      "ssi.1", "ssi.0";
 			status = "disabled";
 
-			ports {
-				#address-cells = <1>;
-				#size-cells = <0>;
-				port@0 {
-					reg = <0>;
-				};
-				port@1 {
-					reg = <1>;
-				};
-			};
-
 			rcar_sound,ctu {
 				ctu00: ctu-0 { };
 				ctu01: ctu-1 { };



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 185/222] arm64: dts: imx8mm-evk: Assigned clocks for audio plls
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 184/222] arm64: dts: renesas: r8a774a1: Remove audio port node Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 186/222] arm64: dts: qcom: sdm845-cheza: delete zap-shader Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shengjiu Wang, Daniel Baluta, Shawn Guo

From: S.j. Wang <shengjiu.wang@nxp.com>

commit e8b395b23643ca26e62a3081130d895e198c6154 upstream.

Assign clocks and clock-rates for audio plls, that audio
drivers can utilize them.

Add dai-tdm-slot-num and dai-tdm-slot-width for sound-wm8524,
that sai driver can generate correct bit clock.

Fixes: 13f3b9fdef6c ("arm64: dts: imx8mm-evk: Enable audio codec wm8524")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/freescale/imx8mm-evk.dts |    2 ++
 arch/arm64/boot/dts/freescale/imx8mm.dtsi    |    8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/arch/arm64/boot/dts/freescale/imx8mm-evk.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mm-evk.dts
@@ -62,6 +62,8 @@
 
 		cpudai: simple-audio-card,cpu {
 			sound-dai = <&sai3>;
+			dai-tdm-slot-num = <2>;
+			dai-tdm-slot-width = <32>;
 		};
 
 		simple-audio-card,codec {
--- a/arch/arm64/boot/dts/freescale/imx8mm.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm.dtsi
@@ -479,14 +479,18 @@
 						<&clk IMX8MM_CLK_AUDIO_AHB>,
 						<&clk IMX8MM_CLK_IPG_AUDIO_ROOT>,
 						<&clk IMX8MM_SYS_PLL3>,
-						<&clk IMX8MM_VIDEO_PLL1>;
+						<&clk IMX8MM_VIDEO_PLL1>,
+						<&clk IMX8MM_AUDIO_PLL1>,
+						<&clk IMX8MM_AUDIO_PLL2>;
 				assigned-clock-parents = <&clk IMX8MM_SYS_PLL3_OUT>,
 							 <&clk IMX8MM_SYS_PLL1_800M>;
 				assigned-clock-rates = <0>,
 							<400000000>,
 							<400000000>,
 							<750000000>,
-							<594000000>;
+							<594000000>,
+							<393216000>,
+							<361267200>;
 			};
 
 			src: reset-controller@30390000 {



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 186/222] arm64: dts: qcom: sdm845-cheza: delete zap-shader
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 185/222] arm64: dts: imx8mm-evk: Assigned clocks for audio plls Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 187/222] ARM: dts: imx6ul-kontron-n6310-s: Disable the snvs-poweroff driver Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Clark, Douglas Anderson, Andy Gross

From: Rob Clark <robdclark@chromium.org>

commit 43b0a4b482478aa4fe7240230be74a79dee95679 upstream.

This is unused on cheza.  Delete the node to get ride of the reserved-
memory section, and to avoid the driver from attempting to load a zap
shader that doesn't exist every time it powers up the GPU.

This also avoids a massive amount of dmesg spam about missing zap fw:
  msm ae00000.mdss: [drm:adreno_request_fw] *ERROR* failed to load
qcom/a630_zap.mdt: -2
  adreno 5000000.gpu: [drm:adreno_zap_shader_load] *ERROR* Unable to
load a630_zap.mdt

Signed-off-by: Rob Clark <robdclark@chromium.org>
Cc: Douglas Anderson <dianders@chromium.org>
Fixes: 3fdeaee951aa ("arm64: dts: sdm845: Add zap shader region for GPU")
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Andy Gross <agross@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi |    2 ++
 arch/arm64/boot/dts/qcom/sdm845.dtsi       |    2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
@@ -165,6 +165,8 @@
 /delete-node/ &venus_mem;
 /delete-node/ &cdsp_mem;
 /delete-node/ &cdsp_pas;
+/delete-node/ &zap_shader;
+/delete-node/ &gpu_mem;
 
 /* Increase the size from 120 MB to 128 MB */
 &mpss_region {
--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
@@ -2824,7 +2824,7 @@
 
 			qcom,gmu = <&gmu>;
 
-			zap-shader {
+			zap_shader: zap-shader {
 				memory-region = <&gpu_mem>;
 			};
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 187/222] ARM: dts: imx6ul-kontron-n6310-s: Disable the snvs-poweroff driver
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 186/222] arm64: dts: qcom: sdm845-cheza: delete zap-shader Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 188/222] arm64: dts: allwinner: a64: Re-add PMU node Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frieder Schrempf, Shawn Guo

From: Frieder Schrempf <frieder.schrempf@kontron.de>

commit 0ccafdf3e81bb40fe415ea13e1f42b19c585f0a0 upstream.

The snvs-poweroff driver can power off the system by pulling the
PMIC_ON_REQ signal low, to let the PMIC disable the power.
The Kontron SoMs do not have this signal connected, so let's remove
the node.

This fixes a real issue when the signal is asserted at poweroff,
but not actually causing the power to turn off. It was observed,
that in this case the system would not shut down properly.

Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Fixes: 1ea4b76cdfde ("ARM: dts: imx6ul-kontron-n6310: Add Kontron i.MX6UL N6310 SoM and boards")
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts |    4 ----
 1 file changed, 4 deletions(-)

--- a/arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts
+++ b/arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts
@@ -157,10 +157,6 @@
 	status = "okay";
 };
 
-&snvs_poweroff {
-	status = "okay";
-};
-
 &uart1 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_uart1>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 188/222] arm64: dts: allwinner: a64: Re-add PMU node
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 187/222] ARM: dts: imx6ul-kontron-n6310-s: Disable the snvs-poweroff driver Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 189/222] ARM: dts: dra7: fix cpsw mdio fck clock Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andre Przywara, Maxime Ripard

From: Andre Przywara <andre.przywara@arm.com>

commit 6b832a148717f1718f57805a9a4aa7f092582d15 upstream.

As it was found recently, the Performance Monitoring Unit (PMU) on the
Allwinner A64 SoC was not generating (the right) interrupts. With the
SPI numbers from the manual the kernel did not receive any overflow
interrupts, so perf was not happy at all.
It turns out that the numbers were just off by 4, so the PMU interrupts
are from 148 to 151, not from 152 to 155 as the manual describes.

This was found by playing around with U-Boot, which typically does not
use interrupts, so the GIC is fully available for experimentation:
With *every* PPI and SPI enabled, an overflowing PMU cycle counter was
found to set a bit in one of the GICD_ISPENDR registers, with careful
counting this was determined to be number 148.

Tested with perf record and perf top on a Pine64-LTS. Also tested with
tasksetting to every core to confirm the assignment between IRQs and
cores.

This somewhat "revert-fixes" commit ed3e9406bcbc ("arm64: dts: allwinner:
a64: Drop PMU node").

Fixes: 34a97fcc71c2 ("arm64: dts: allwinner: a64: Add PMU node")
Fixes: ed3e9406bcbc ("arm64: dts: allwinner: a64: Drop PMU node")
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi
+++ b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi
@@ -142,6 +142,15 @@
 		clock-output-names = "ext-osc32k";
 	};
 
+	pmu {
+		compatible = "arm,cortex-a53-pmu";
+		interrupts = <GIC_SPI 116 IRQ_TYPE_LEVEL_HIGH>,
+			     <GIC_SPI 117 IRQ_TYPE_LEVEL_HIGH>,
+			     <GIC_SPI 118 IRQ_TYPE_LEVEL_HIGH>,
+			     <GIC_SPI 119 IRQ_TYPE_LEVEL_HIGH>;
+		interrupt-affinity = <&cpu0>, <&cpu1>, <&cpu2>, <&cpu3>;
+	};
+
 	psci {
 		compatible = "arm,psci-0.2";
 		method = "smc";



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 189/222] ARM: dts: dra7: fix cpsw mdio fck clock
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 188/222] arm64: dts: allwinner: a64: Re-add PMU node Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 190/222] arm64: dts: juno: Fix UART frequency Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Grygorii Strashko, Tony Lindgren

From: Grygorii Strashko <grygorii.strashko@ti.com>

commit 6af0a549c25e0d02366aa95507bfe3cad2f7b68b upstream.

The DRA7 CPSW MDIO functional clock (gmac_clkctrl DRA7_GMAC_GMAC_CLKCTRL 0)
is specified incorrectly, which is caused incorrect MDIO bus clock
configuration MDCLK. The correct CPSW MDIO functional clock is
gmac_main_clk (125MHz), which is the same as CPSW fck. Hence fix it.

Fixes: 1faa415c9c6e ("ARM: dts: Add fck for cpsw mdio for omap variants")
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/dra7-l4.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/dra7-l4.dtsi
+++ b/arch/arm/boot/dts/dra7-l4.dtsi
@@ -3059,7 +3059,7 @@
 
 				davinci_mdio: mdio@1000 {
 					compatible = "ti,cpsw-mdio","ti,davinci_mdio";
-					clocks = <&gmac_clkctrl DRA7_GMAC_GMAC_CLKCTRL 0>;
+					clocks = <&gmac_main_clk>;
 					clock-names = "fck";
 					#address-cells = <1>;
 					#size-cells = <0>;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 190/222] arm64: dts: juno: Fix UART frequency
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 189/222] ARM: dts: dra7: fix cpsw mdio fck clock Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 191/222] ARM: dts: Fix sgx sysconfig register for omap4 Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andre Przywara, Liviu Dudau, Sudeep Holla

From: Andre Przywara <andre.przywara@arm.com>

commit 39a1a8941b27c37f79508426e27a2ec29829d66c upstream.

Older versions of the Juno *SoC* TRM [1] recommended that the UART clock
source should be 7.2738 MHz, whereas the *system* TRM [2] stated a more
correct value of 7.3728 MHz. Somehow the wrong value managed to end up in
our DT.

Doing a prime factorisation, a modulo divide by 115200 and trying
to buy a 7.2738 MHz crystal at your favourite electronics dealer suggest
that the old value was actually a typo. The actual UART clock is driven
by a PLL, configured via a parameter in some board.txt file in the
firmware, which reads 7.37 MHz (sic!).

Fix this to correct the baud rate divisor calculation on the Juno board.

[1] http://infocenter.arm.com/help/topic/com.arm.doc.ddi0515b.b/DDI0515B_b_juno_arm_development_platform_soc_trm.pdf
[2] http://infocenter.arm.com/help/topic/com.arm.doc.100113_0000_07_en/arm_versatile_express_juno_development_platform_(v2m_juno)_technical_reference_manual_100113_0000_07_en.pdf

Fixes: 71f867ec130e ("arm64: Add Juno board device tree.")
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Acked-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/arm/juno-clocks.dtsi |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/boot/dts/arm/juno-clocks.dtsi
+++ b/arch/arm64/boot/dts/arm/juno-clocks.dtsi
@@ -8,10 +8,10 @@
  */
 / {
 	/* SoC fixed clocks */
-	soc_uartclk: refclk7273800hz {
+	soc_uartclk: refclk7372800hz {
 		compatible = "fixed-clock";
 		#clock-cells = <0>;
-		clock-frequency = <7273800>;
+		clock-frequency = <7372800>;
 		clock-output-names = "juno:uartclk";
 	};
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 191/222] ARM: dts: Fix sgx sysconfig register for omap4
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 190/222] arm64: dts: juno: Fix UART frequency Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 192/222] Revert "arm64: dts: juno: add dma-ranges property" Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Nikolaus Schaller, Merlijn Wajer,
	Pavel Machek, Sebastian Reichel, Tomi Valkeinen, Tony Lindgren

From: Tony Lindgren <tony@atomide.com>

commit 3e5c3c41ae925458150273e2f74ffbf999530c5f upstream.

Looks like we've had the sgx sysconfig register and revision register
always wrong for omap4, including the old platform data. Let's fix the
offsets to what the TRM says. Otherwise the sgx module may never idle
depending on the state of the real sysconfig register.

Fixes: d23a163ebe5a ("ARM: dts: Add nodes for missing omap4 interconnect target modules")
Cc: H. Nikolaus Schaller <hns@goldelico.com>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/omap4.dtsi |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/omap4.dtsi
+++ b/arch/arm/boot/dts/omap4.dtsi
@@ -330,8 +330,8 @@
 
 		target-module@56000000 {
 			compatible = "ti,sysc-omap4", "ti,sysc";
-			reg = <0x5601fc00 0x4>,
-			      <0x5601fc10 0x4>;
+			reg = <0x5600fe00 0x4>,
+			      <0x5600fe10 0x4>;
 			reg-names = "rev", "sysc";
 			ti,sysc-midle = <SYSC_IDLE_FORCE>,
 					<SYSC_IDLE_NO>,



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 192/222] Revert "arm64: dts: juno: add dma-ranges property"
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 191/222] ARM: dts: Fix sgx sysconfig register for omap4 Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 193/222] mtd: devices: fix mchp23k256 read and write Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Herring, Liviu Dudau,
	Lorenzo Pieralisi, Robin Murphy, Sudeep Holla

From: Sudeep Holla <sudeep.holla@arm.com>

commit 54fb3fe0f211d4729a2551cf9497bd612189af9d upstream.

This reverts commit 193d00a2b35ee3353813b4006a18131122087205.

Commit 951d48855d86 ("of: Make of_dma_get_range() work on bus nodes")
reworked the logic such that of_dma_get_range() works correctly
starting from a bus node containing "dma-ranges".

Since on Juno we don't have a SoC level bus node and "dma-ranges" is
present only in the root node, we get the following error:

OF: translation of DMA address(0) to CPU address failed node(/sram@2e000000)
OF: translation of DMA address(0) to CPU address failed node(/uart@7ff80000)
...
OF: translation of DMA address(0) to CPU address failed node(/mhu@2b1f0000)
OF: translation of DMA address(0) to CPU address failed node(/iommu@2b600000)
OF: translation of DMA address(0) to CPU address failed node(/iommu@2b600000)
OF: translation of DMA address(0) to CPU address failed node(/iommu@2b600000)

So let's fix it by dropping the "dma-ranges" property for now. This
should be fine since it doesn't represent any kind of device-visible
restriction; it was only there for completeness, and we've since given
in to the assumption that missing "dma-ranges" implies a 1:1 mapping
anyway.

We can add it later with a proper SoC bus node and moving all the
devices that belong there along with the "dma-ranges" if required.

Fixes: 193d00a2b35e ("arm64: dts: juno: add dma-ranges property")
Cc: Rob Herring <robh+dt@kernel.org>
Cc: Liviu Dudau <liviu.dudau@arm.com>
Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/arm/juno-base.dtsi |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/arm64/boot/dts/arm/juno-base.dtsi
+++ b/arch/arm64/boot/dts/arm/juno-base.dtsi
@@ -6,7 +6,6 @@
 	/*
 	 *  Devices shared by all Juno boards
 	 */
-	dma-ranges = <0 0 0 0 0x100 0>;
 
 	memtimer: timer@2a810000 {
 		compatible = "arm,armv7-timer-mem";



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 193/222] mtd: devices: fix mchp23k256 read and write
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 192/222] Revert "arm64: dts: juno: add dma-ranges property" Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 194/222] mtd: cfi_cmdset_0002: only check errors when ready in cfi_check_err_status() Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Angelo Dureghello, Andrew Lunn,
	Miquel Raynal

From: Angelo Dureghello <angelo.dureghello@timesys.com>

commit 14f89e088155314d311e4d4dd9f2b4ccaeef92b2 upstream.

Due to the use of sizeof(), command size set for the spi transfer
was wrong. Driver was sending and receiving always 1 byte less
and especially on write, it was hanging.

echo -n -e "\\x1\\x2\\x3\\x4" > /dev/mtd1

And read part too now works as expected.

hexdump -C -n16 /dev/mtd1
00000000  01 02 03 04 ab f3 ad c2  ab e3 f4 36 dd 38 04 15
00000010

Fixes: 4379075a870b ("mtd: mchp23k256: Add support for mchp23lcv1024")
Signed-off-by: Angelo Dureghello <angelo.dureghello@timesys.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/devices/mchp23k256.c |   20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/drivers/mtd/devices/mchp23k256.c
+++ b/drivers/mtd/devices/mchp23k256.c
@@ -64,15 +64,17 @@ static int mchp23k256_write(struct mtd_i
 	struct spi_transfer transfer[2] = {};
 	struct spi_message message;
 	unsigned char command[MAX_CMD_SIZE];
-	int ret;
+	int ret, cmd_len;
 
 	spi_message_init(&message);
 
+	cmd_len = mchp23k256_cmdsz(flash);
+
 	command[0] = MCHP23K256_CMD_WRITE;
 	mchp23k256_addr2cmd(flash, to, command);
 
 	transfer[0].tx_buf = command;
-	transfer[0].len = mchp23k256_cmdsz(flash);
+	transfer[0].len = cmd_len;
 	spi_message_add_tail(&transfer[0], &message);
 
 	transfer[1].tx_buf = buf;
@@ -88,8 +90,8 @@ static int mchp23k256_write(struct mtd_i
 	if (ret)
 		return ret;
 
-	if (retlen && message.actual_length > sizeof(command))
-		*retlen += message.actual_length - sizeof(command);
+	if (retlen && message.actual_length > cmd_len)
+		*retlen += message.actual_length - cmd_len;
 
 	return 0;
 }
@@ -101,16 +103,18 @@ static int mchp23k256_read(struct mtd_in
 	struct spi_transfer transfer[2] = {};
 	struct spi_message message;
 	unsigned char command[MAX_CMD_SIZE];
-	int ret;
+	int ret, cmd_len;
 
 	spi_message_init(&message);
 
+	cmd_len = mchp23k256_cmdsz(flash);
+
 	memset(&transfer, 0, sizeof(transfer));
 	command[0] = MCHP23K256_CMD_READ;
 	mchp23k256_addr2cmd(flash, from, command);
 
 	transfer[0].tx_buf = command;
-	transfer[0].len = mchp23k256_cmdsz(flash);
+	transfer[0].len = cmd_len;
 	spi_message_add_tail(&transfer[0], &message);
 
 	transfer[1].rx_buf = buf;
@@ -126,8 +130,8 @@ static int mchp23k256_read(struct mtd_in
 	if (ret)
 		return ret;
 
-	if (retlen && message.actual_length > sizeof(command))
-		*retlen += message.actual_length - sizeof(command);
+	if (retlen && message.actual_length > cmd_len)
+		*retlen += message.actual_length - cmd_len;
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 194/222] mtd: cfi_cmdset_0002: only check errors when ready in cfi_check_err_status()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 193/222] mtd: devices: fix mchp23k256 read and write Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 195/222] mtd: cfi_cmdset_0002: fix delayed error detection on HyperFlash Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, Vignesh Raghavendra

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 72914a8cff7e1d910c58e125e15a0da409e3135f upstream.

Cypress S26K{L|S}P{128|256|512}S datasheet says that the error bits in
the status register are only valid when the "device ready" bit 7 is set.
Add the check for the device ready bit in cfi_check_err_status() as that
function isn't always called with this bit set.

Fixes: 4844ef80305d ("mtd: cfi_cmdset_0002: Add support for polling status register")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/cfi_cmdset_0002.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -136,6 +136,10 @@ static void cfi_check_err_status(struct
 			 cfi->device_type, NULL);
 	status = map_read(map, adr);
 
+	/* The error bits are invalid while the chip's busy */
+	if (!map_word_bitsset(map, status, CMD(CFI_SR_DRB)))
+		return;
+
 	if (map_word_bitsset(map, status, CMD(0x3a))) {
 		unsigned long chipstatus = MERGESTATUS(status);
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 195/222] mtd: cfi_cmdset_0002: fix delayed error detection on HyperFlash
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 194/222] mtd: cfi_cmdset_0002: only check errors when ready in cfi_check_err_status() Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 196/222] um: Dont trace irqflags during shutdown Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, Vignesh Raghavendra

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit c15995695ea971253ea9507f6732c8cd35384e01 upstream.

The commit 4844ef80305d ("mtd: cfi_cmdset_0002: Add support for polling
status register") added checking for the status register error bits into
chip_good() to only return 1 if these bits are 0s.  Unfortunately, this
means that polling using chip_good() always reaches a timeout condition
when erase or program failure bits are set. Let's fully delegate the task
of determining the error conditions to cfi_check_err_status() and make
chip_good() only look for the Device Ready/Busy condition.

Fixes: 4844ef80305d ("mtd: cfi_cmdset_0002: Add support for polling status register")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/cfi_cmdset_0002.c |   58 ++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 25 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -123,14 +123,14 @@ static int cfi_use_status_reg(struct cfi
 		(extp->SoftwareFeatures & poll_mask) == CFI_POLL_STATUS_REG;
 }
 
-static void cfi_check_err_status(struct map_info *map, struct flchip *chip,
-				 unsigned long adr)
+static int cfi_check_err_status(struct map_info *map, struct flchip *chip,
+				unsigned long adr)
 {
 	struct cfi_private *cfi = map->fldrv_priv;
 	map_word status;
 
 	if (!cfi_use_status_reg(cfi))
-		return;
+		return 0;
 
 	cfi_send_gen_cmd(0x70, cfi->addr_unlock1, chip->start, map, cfi,
 			 cfi->device_type, NULL);
@@ -138,7 +138,7 @@ static void cfi_check_err_status(struct
 
 	/* The error bits are invalid while the chip's busy */
 	if (!map_word_bitsset(map, status, CMD(CFI_SR_DRB)))
-		return;
+		return 0;
 
 	if (map_word_bitsset(map, status, CMD(0x3a))) {
 		unsigned long chipstatus = MERGESTATUS(status);
@@ -155,7 +155,12 @@ static void cfi_check_err_status(struct
 		if (chipstatus & CFI_SR_SLSB)
 			pr_err("%s sector write protected, status %lx\n",
 			       map->name, chipstatus);
+
+		/* Erase/Program status bits are set on the operation failure */
+		if (chipstatus & (CFI_SR_ESB | CFI_SR_PSB))
+			return 1;
 	}
+	return 0;
 }
 
 /* #define DEBUG_CFI_FEATURES */
@@ -852,20 +857,16 @@ static int __xipram chip_good(struct map
 
 	if (cfi_use_status_reg(cfi)) {
 		map_word ready = CMD(CFI_SR_DRB);
-		map_word err = CMD(CFI_SR_PSB | CFI_SR_ESB);
+
 		/*
 		 * For chips that support status register, check device
-		 * ready bit and Erase/Program status bit to know if
-		 * operation succeeded.
+		 * ready bit
 		 */
 		cfi_send_gen_cmd(0x70, cfi->addr_unlock1, chip->start, map, cfi,
 				 cfi->device_type, NULL);
 		curd = map_read(map, addr);
 
-		if (map_word_andequal(map, curd, ready, ready))
-			return !map_word_bitsset(map, curd, err);
-
-		return 0;
+		return map_word_andequal(map, curd, ready, ready);
 	}
 
 	oldd = map_read(map, addr);
@@ -1703,8 +1704,11 @@ static int __xipram do_write_oneword_onc
 			break;
 		}
 
-		if (chip_good(map, chip, adr, datum))
+		if (chip_good(map, chip, adr, datum)) {
+			if (cfi_check_err_status(map, chip, adr))
+				ret = -EIO;
 			break;
+		}
 
 		/* Latency issues. Drop the lock, wait a while and retry */
 		UDELAY(map, chip, adr, 1);
@@ -1777,7 +1781,6 @@ static int __xipram do_write_oneword_ret
 	ret = do_write_oneword_once(map, chip, adr, datum, mode, cfi);
 	if (ret) {
 		/* reset on all failures. */
-		cfi_check_err_status(map, chip, adr);
 		map_write(map, CMD(0xF0), chip->start);
 		/* FIXME - should have reset delay before continuing */
 
@@ -1974,12 +1977,17 @@ static int __xipram do_write_buffer_wait
 		 */
 		if (time_after(jiffies, timeo) &&
 		    !chip_good(map, chip, adr, datum)) {
+			pr_err("MTD %s(): software timeout, address:0x%.8lx.\n",
+			       __func__, adr);
 			ret = -EIO;
 			break;
 		}
 
-		if (chip_good(map, chip, adr, datum))
+		if (chip_good(map, chip, adr, datum)) {
+			if (cfi_check_err_status(map, chip, adr))
+				ret = -EIO;
 			break;
+		}
 
 		/* Latency issues. Drop the lock, wait a while and retry */
 		UDELAY(map, chip, adr, 1);
@@ -2075,12 +2083,8 @@ static int __xipram do_write_buffer(stru
 				chip->word_write_time);
 
 	ret = do_write_buffer_wait(map, chip, adr, datum);
-	if (ret) {
-		cfi_check_err_status(map, chip, adr);
+	if (ret)
 		do_write_buffer_reset(map, chip, cfi);
-		pr_err("MTD %s(): software timeout, address:0x%.8lx.\n",
-		       __func__, adr);
-	}
 
 	xip_enable(map, chip, adr);
 
@@ -2275,9 +2279,9 @@ retry:
 		udelay(1);
 	}
 
-	if (!chip_good(map, chip, adr, datum)) {
+	if (!chip_good(map, chip, adr, datum) ||
+	    cfi_check_err_status(map, chip, adr)) {
 		/* reset on all failures. */
-		cfi_check_err_status(map, chip, adr);
 		map_write(map, CMD(0xF0), chip->start);
 		/* FIXME - should have reset delay before continuing */
 
@@ -2471,8 +2475,11 @@ static int __xipram do_erase_chip(struct
 			chip->erase_suspended = 0;
 		}
 
-		if (chip_good(map, chip, adr, map_word_ff(map)))
+		if (chip_good(map, chip, adr, map_word_ff(map))) {
+			if (cfi_check_err_status(map, chip, adr))
+				ret = -EIO;
 			break;
+		}
 
 		if (time_after(jiffies, timeo)) {
 			printk(KERN_WARNING "MTD %s(): software timeout\n",
@@ -2487,7 +2494,6 @@ static int __xipram do_erase_chip(struct
 	/* Did we succeed? */
 	if (ret) {
 		/* reset on all failures. */
-		cfi_check_err_status(map, chip, adr);
 		map_write(map, CMD(0xF0), chip->start);
 		/* FIXME - should have reset delay before continuing */
 
@@ -2568,8 +2574,11 @@ static int __xipram do_erase_oneblock(st
 			chip->erase_suspended = 0;
 		}
 
-		if (chip_good(map, chip, adr, map_word_ff(map)))
+		if (chip_good(map, chip, adr, map_word_ff(map))) {
+			if (cfi_check_err_status(map, chip, adr))
+				ret = -EIO;
 			break;
+		}
 
 		if (time_after(jiffies, timeo)) {
 			printk(KERN_WARNING "MTD %s(): software timeout\n",
@@ -2584,7 +2593,6 @@ static int __xipram do_erase_oneblock(st
 	/* Did we succeed? */
 	if (ret) {
 		/* reset on all failures. */
-		cfi_check_err_status(map, chip, adr);
 		map_write(map, CMD(0xF0), chip->start);
 		/* FIXME - should have reset delay before continuing */
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 196/222] um: Dont trace irqflags during shutdown
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 195/222] mtd: cfi_cmdset_0002: fix delayed error detection on HyperFlash Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 197/222] um: virtio_uml: Disallow modular build Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Richard Weinberger

From: Johannes Berg <johannes.berg@intel.com>

commit 5c1f33e2a03c0b8710b5d910a46f1e1fb0607679 upstream.

In the main() code, we eventually enable signals just before
exec() or exit(), in order to to not have signals pending and
delivered *after* the exec().

I've observed SIGSEGV loops at this point, and the reason seems
to be the irqflags tracing; this makes sense as the kernel is
no longer really functional at this point. Since there's really
no reason to use unblock_signals_trace() here (I had just done
a global search & replace), use the plain unblock_signals() in
this case to avoid going into the no longer functional kernel.

Fixes: 0dafcbe128d2 ("um: Implement TRACE_IRQFLAGS_SUPPORT")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/um/os-Linux/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/um/os-Linux/main.c
+++ b/arch/um/os-Linux/main.c
@@ -170,7 +170,7 @@ int __init main(int argc, char **argv, c
 	 * that they won't be delivered after the exec, when
 	 * they are definitely not expected.
 	 */
-	unblock_signals_trace();
+	unblock_signals();
 
 	os_info("\n");
 	/* Reboot */



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 197/222] um: virtio_uml: Disallow modular build
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 196/222] um: Dont trace irqflags during shutdown Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 198/222] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Anton Ivanov,
	Richard Weinberger

From: Johannes Berg <johannes.berg@intel.com>

commit bf9f80cf0ccab5f346f7d3cdc445da8fcfe6ce34 upstream.

This driver *can* be a module, but then its parameters (socket path)
are untrusted data from inside the VM, and that isn't allowed. Allow
the code to only be built-in to avoid that.

Fixes: 5d38f324993f ("um: drivers: Add virtio vhost-user driver")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Acked-by: Anton Ivanov <anton.ivanov@cambridgegreys.co.uk>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/um/drivers/Kconfig      |    2 +-
 arch/um/drivers/virtio_uml.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/arch/um/drivers/Kconfig
+++ b/arch/um/drivers/Kconfig
@@ -337,7 +337,7 @@ config UML_NET_SLIRP
 endmenu
 
 config VIRTIO_UML
-	tristate "UML driver for virtio devices"
+	bool "UML driver for virtio devices"
 	select VIRTIO
 	help
 	  This driver provides support for virtio based paravirtual device
--- a/arch/um/drivers/virtio_uml.c
+++ b/arch/um/drivers/virtio_uml.c
@@ -4,12 +4,12 @@
  *
  * Copyright(c) 2019 Intel Corporation
  *
- * This module allows virtio devices to be used over a vhost-user socket.
+ * This driver allows virtio devices to be used over a vhost-user socket.
  *
  * Guest devices can be instantiated by kernel module or command line
  * parameters. One device will be created for each parameter. Syntax:
  *
- *		[virtio_uml.]device=<socket>:<virtio_id>[:<platform_id>]
+ *		virtio_uml.device=<socket>:<virtio_id>[:<platform_id>]
  * where:
  *		<socket>	:= vhost-user socket path to connect
  *		<virtio_id>	:= virtio device id (as in virtio_ids.h)



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 198/222] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 197/222] um: virtio_uml: Disallow modular build Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 199/222] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Brunnbauer, Jeff Mahoney, Jan Kara

From: Jeff Mahoney <jeffm@suse.com>

commit 394440d469413fa9b74f88a11f144d76017221f2 upstream.

Commit 60e4cf67a58 (reiserfs: fix extended attributes on the root
directory) introduced a regression open_xa_root started returning
-EOPNOTSUPP but it was not handled properly in reiserfs_for_each_xattr.

When the reiserfs module is built without CONFIG_REISERFS_FS_XATTR,
deleting an inode would result in a warning and chowning an inode
would also result in a warning and then fail to complete.

With CONFIG_REISERFS_FS_XATTR enabled, the xattr root would always be
present for read-write operations.

This commit handles -EOPNOSUPP in the same way -ENODATA is handled.

Fixes: 60e4cf67a582 ("reiserfs: fix extended attributes on the root directory")
CC: stable@vger.kernel.org	# Commit 60e4cf67a58 was picked up by stable
Link: https://lore.kernel.org/r/20200115180059.6935-1-jeffm@suse.com
Reported-by: Michael Brunnbauer <brunni@netestate.de>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/reiserfs/xattr.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -319,8 +319,12 @@ static int reiserfs_for_each_xattr(struc
 out_dir:
 	dput(dir);
 out:
-	/* -ENODATA isn't an error */
-	if (err == -ENODATA)
+	/*
+	 * -ENODATA: this object doesn't have any xattrs
+	 * -EOPNOTSUPP: this file system doesn't have xattrs enabled on disk.
+	 * Neither are errors
+	 */
+	if (err == -ENODATA || err == -EOPNOTSUPP)
 		err = 0;
 	return err;
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 199/222] scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 198/222] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 200/222] scsi: hisi_sas: Dont create debugfs dump folder twice Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Martin K. Petersen

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 906ca6353ac09696c1bf0892513c8edffff5e0a6 upstream.

This error path is missing an unlock.

Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver")
Link: https://lore.kernel.org/r/20191022102324.GA27540@mwanda
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/esas2r/esas2r_flash.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/esas2r/esas2r_flash.c
+++ b/drivers/scsi/esas2r/esas2r_flash.c
@@ -1197,6 +1197,7 @@ bool esas2r_nvram_read_direct(struct esa
 	if (!esas2r_read_flash_block(a, a->nvram, FLS_OFFSET_NVR,
 				     sizeof(struct esas2r_sas_nvram))) {
 		esas2r_hdebug("NVRAM read failed, using defaults");
+		up(&a->nvram_semaphore);
 		return false;
 	}
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 200/222] scsi: hisi_sas: Dont create debugfs dump folder twice
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 199/222] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 201/222] scsi: hisi_sas: Set the BIST init value before enabling BIST Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiang Chen, John Garry, Martin K. Petersen

From: Xiang Chen <chenxiang66@hisilicon.com>

commit 35160421b63d4753a72e9f72ebcdd9d6f88f84b9 upstream.

Due to a merge error, we attempt to create 2x debugfs dump folders, which
fails:
[  861.101914] debugfs: Directory 'dump' with parent '0000:74:02.0'
already present!

This breaks the dump function.

To fix, remove the superfluous attempt to create the folder.

Fixes: 7ec7082c57ec ("scsi: hisi_sas: Add hisi_sas_debugfs_alloc() to centralise allocation")
Link: https://lore.kernel.org/r/1571926105-74636-2-git-send-email-john.garry@huawei.com
Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/hisi_sas/hisi_sas_main.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -3719,9 +3719,6 @@ static int hisi_sas_debugfs_alloc(struct
 	int p, c, d;
 	size_t sz;
 
-	hisi_hba->debugfs_dump_dentry =
-			debugfs_create_dir("dump", hisi_hba->debugfs_dir);
-
 	sz = hw->debugfs_reg_array[DEBUGFS_GLOBAL]->count * 4;
 	hisi_hba->debugfs_regs[DEBUGFS_GLOBAL] =
 				devm_kmalloc(dev, sz, GFP_KERNEL);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 201/222] scsi: hisi_sas: Set the BIST init value before enabling BIST
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 200/222] scsi: hisi_sas: Dont create debugfs dump folder twice Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 202/222] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiang Chen, John Garry, Martin K. Petersen

From: Xiang Chen <chenxiang66@hisilicon.com>

commit 65a3b8bd56942dc988b8c05615bd3f510a10012b upstream.

If set the BIST init value after enabling BIST, there may be still some few
error bits. According to the process, need to set the BIST init value
before enabling BIST.

Fixes: 97b151e75861 ("scsi: hisi_sas: Add BIST support for phy loopback")
Link: https://lore.kernel.org/r/1571926105-74636-3-git-send-email-john.garry@huawei.com
Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -3022,11 +3022,6 @@ static int debugfs_set_bist_v3_hw(struct
 		hisi_sas_phy_write32(hisi_hba, phy_id,
 				     SAS_PHY_BIST_CTRL, reg_val);
 
-		mdelay(100);
-		reg_val |= (CFG_RX_BIST_EN_MSK | CFG_TX_BIST_EN_MSK);
-		hisi_sas_phy_write32(hisi_hba, phy_id,
-				     SAS_PHY_BIST_CTRL, reg_val);
-
 		/* set the bist init value */
 		hisi_sas_phy_write32(hisi_hba, phy_id,
 				     SAS_PHY_BIST_CODE,
@@ -3035,6 +3030,11 @@ static int debugfs_set_bist_v3_hw(struct
 				     SAS_PHY_BIST_CODE1,
 				     SAS_PHY_BIST_CODE1_INIT);
 
+		mdelay(100);
+		reg_val |= (CFG_RX_BIST_EN_MSK | CFG_TX_BIST_EN_MSK);
+		hisi_sas_phy_write32(hisi_hba, phy_id,
+				     SAS_PHY_BIST_CTRL, reg_val);
+
 		/* clear error bit */
 		mdelay(100);
 		hisi_sas_phy_read32(hisi_hba, phy_id, SAS_BIST_ERR_CNT);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 202/222] scsi: qla4xxx: fix double free bug
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 201/222] scsi: hisi_sas: Set the BIST init value before enabling BIST Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 203/222] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pan Bian, Manish Rangankar,
	Martin K. Petersen

From: Pan Bian <bianpan2016@163.com>

commit 3fe3d2428b62822b7b030577cd612790bdd8c941 upstream.

The variable init_fw_cb is released twice, resulting in a double free
bug. The call to the function dma_free_coherent() before goto is removed to
get rid of potential double free.

Fixes: 2a49a78ed3c8 ("[SCSI] qla4xxx: added IPv6 support.")
Link: https://lore.kernel.org/r/1572945927-27796-1-git-send-email-bianpan2016@163.com
Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Manish Rangankar <mrangankar@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla4xxx/ql4_mbx.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/scsi/qla4xxx/ql4_mbx.c
+++ b/drivers/scsi/qla4xxx/ql4_mbx.c
@@ -640,9 +640,6 @@ int qla4xxx_initialize_fw_cb(struct scsi
 
 	if (qla4xxx_get_ifcb(ha, &mbox_cmd[0], &mbox_sts[0], init_fw_cb_dma) !=
 	    QLA_SUCCESS) {
-		dma_free_coherent(&ha->pdev->dev,
-				  sizeof(struct addr_ctrl_blk),
-				  init_fw_cb, init_fw_cb_dma);
 		goto exit_init_fw_cb;
 	}
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 203/222] scsi: bnx2i: fix potential use after free
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 202/222] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 204/222] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pan Bian, Martin K. Petersen

From: Pan Bian <bianpan2016@163.com>

commit 29d28f2b8d3736ac61c28ef7e20fda63795b74d9 upstream.

The member hba->pcidev may be used after its reference is dropped. Move the
put function to where it is never used to avoid potential use after free
issues.

Fixes: a77171806515 ("[SCSI] bnx2i: Removed the reference to the netdev->base_addr")
Link: https://lore.kernel.org/r/1573043541-19126-1-git-send-email-bianpan2016@163.com
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/bnx2i/bnx2i_iscsi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/bnx2i/bnx2i_iscsi.c
+++ b/drivers/scsi/bnx2i/bnx2i_iscsi.c
@@ -915,12 +915,12 @@ void bnx2i_free_hba(struct bnx2i_hba *hb
 	INIT_LIST_HEAD(&hba->ep_ofld_list);
 	INIT_LIST_HEAD(&hba->ep_active_list);
 	INIT_LIST_HEAD(&hba->ep_destroy_list);
-	pci_dev_put(hba->pcidev);
 
 	if (hba->regview) {
 		pci_iounmap(hba->pcidev, hba->regview);
 		hba->regview = NULL;
 	}
+	pci_dev_put(hba->pcidev);
 	bnx2i_free_mp_bdt(hba);
 	bnx2i_release_free_cid_que(hba);
 	iscsi_host_free(shost);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 204/222] scsi: target: core: Fix a pr_debug() argument
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 203/222] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 205/222] scsi: lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Bart Van Assche,
	Martin K. Petersen

From: Bart Van Assche <bvanassche@acm.org>

commit c941e0d172605731de9b4628bd4146d35cf2e7d6 upstream.

Print the string for which conversion failed instead of printing the
function name twice.

Fixes: 2650d71e244f ("target: move transport ID handling to the core")
Cc: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20191107215525.64415-1-bvanassche@acm.org
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_fabric_lib.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/target/target_core_fabric_lib.c
+++ b/drivers/target/target_core_fabric_lib.c
@@ -118,7 +118,7 @@ static int srp_get_pr_transport_id(
 	memset(buf + 8, 0, leading_zero_bytes);
 	rc = hex2bin(buf + 8 + leading_zero_bytes, p, count);
 	if (rc < 0) {
-		pr_debug("hex2bin failed for %s: %d\n", __func__, rc);
+		pr_debug("hex2bin failed for %s: %d\n", p, rc);
 		return rc;
 	}
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 205/222] scsi: lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 204/222] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 206/222] scsi: hisi_sas: Return directly if init hardware failed Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable

From: James Smart <jsmart2021@gmail.com>

commit 6f23f8c5c9f1be4eb17c035129c80e49000c18a7 upstream.

Coverity reported the following:

---
 drivers/scsi/lpfc/lpfc_scsi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -719,7 +719,7 @@ lpfc_get_scsi_buf_s4(struct lpfc_hba *ph
 	iocb->ulpLe = 1;
 	iocb->ulpClass = CLASS3;
 
-	if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
+	if (lpfc_ndlp_check_qdepth(phba, ndlp) && lpfc_cmd) {
 		atomic_inc(&ndlp->cmd_pending);
 		lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
 	}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 206/222] scsi: hisi_sas: Return directly if init hardware failed
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 205/222] scsi: lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 207/222] scsi: scsi_transport_sas: Fix memory leak when removing devices Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiang Chen, John Garry, Martin K. Petersen

From: Xiang Chen <chenxiang66@hisilicon.com>

commit 547fde8b5a1923050f388caae4f76613b5a620e0 upstream.

Need to return directly if init hardware failed.

Fixes: 73a4925d154c ("scsi: hisi_sas: Update all the registers after suspend and resume")
Link: https://lore.kernel.org/r/1573551059-107873-3-git-send-email-john.garry@huawei.com
Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -3423,6 +3423,7 @@ static int hisi_sas_v3_resume(struct pci
 	if (rc) {
 		scsi_remove_host(shost);
 		pci_disable_device(pdev);
+		return rc;
 	}
 	hisi_hba->hw->phys_init(hisi_hba);
 	sas_resume_ha(sha);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 207/222] scsi: scsi_transport_sas: Fix memory leak when removing devices
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 206/222] scsi: hisi_sas: Return directly if init hardware failed Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 208/222] scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John Garry, Martin K. Petersen

From: John Garry <john.garry@huawei.com>

commit 82ea3e0e129e2ab913dd6684bab7a6e5e9896dee upstream.

Removing a non-host rphy causes a memory leak:

root@(none)$ echo 0 > /sys/devices/platform/HISI0162:01/host0/port-0:0/expander-0:0/port-0:0:10/phy-0:0:10/sas_phy/phy-0:0:10/enable
[   79.857888] hisi_sas_v2_hw HISI0162:01: dev[7:1] is gone
root@(none)$ echo scan > /sys/kernel/debug/kmemleak
[  131.656603] kmemleak: 3 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
root@(none)$ more /sys/kernel/debug/kmemleak
unreferenced object 0xffff041da5c66000 (size 256):
  comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s)
  hex dump (first 32 bytes):
    00 5e c6 a5 1d 04 ff ff 01 00 00 00 00 00 00 00  .^..............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<(____ptrval____)>] kmem_cache_alloc+0x188/0x260
    [<(____ptrval____)>] bsg_setup_queue+0x48/0x1a8
    [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0
    [<(____ptrval____)>] sas_probe_devices+0x168/0x208
    [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8
    [<(____ptrval____)>] process_one_work+0x3f8/0x690
    [<(____ptrval____)>] worker_thread+0x70/0x6a0
    [<(____ptrval____)>] kthread+0x1b8/0x1c0
    [<(____ptrval____)>] ret_from_fork+0x10/0x18
unreferenced object 0xffff041d8c075400 (size 128):
  comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s)
  hex dump (first 32 bytes):
    00 40 25 97 1d 00 ff ff 00 00 00 00 00 00 00 00  .@%.............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<(____ptrval____)>] __kmalloc_node+0x1a8/0x2c8
    [<(____ptrval____)>] blk_mq_realloc_tag_set_tags.part.70+0x48/0xd8
    [<(____ptrval____)>] blk_mq_alloc_tag_set+0x1dc/0x530
    [<(____ptrval____)>] bsg_setup_queue+0xe8/0x1a8
    [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0
    [<(____ptrval____)>] sas_probe_devices+0x168/0x208
    [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8
    [<(____ptrval____)>] process_one_work+0x3f8/0x690
    [<(____ptrval____)>] worker_thread+0x70/0x6a0
    [<(____ptrval____)>] kthread+0x1b8/0x1c0
    [<(____ptrval____)>] ret_from_fork+0x10/0x18
unreferenced object 0xffff041da5c65e00 (size 256):
  comm "kworker/u128:1", pid 549, jiffies 4294898543 (age 113.728s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<(____ptrval____)>] __kmalloc_node+0x1a8/0x2c8
    [<(____ptrval____)>] blk_mq_alloc_tag_set+0x254/0x530
    [<(____ptrval____)>] bsg_setup_queue+0xe8/0x1a8
    [<(____ptrval____)>] sas_rphy_add+0x108/0x2d0
    [<(____ptrval____)>] sas_probe_devices+0x168/0x208
    [<(____ptrval____)>] sas_discover_domain+0x660/0x9c8
    [<(____ptrval____)>] process_one_work+0x3f8/0x690
    [<(____ptrval____)>] worker_thread+0x70/0x6a0
    [<(____ptrval____)>] kthread+0x1b8/0x1c0
    [<(____ptrval____)>] ret_from_fork+0x10/0x18
root@(none)$

It turns out that we don't clean up the request queue fully for bsg
devices, as the blk mq tags for the request queue are not freed.

Fix by doing the queue removal in one place - in sas_rphy_remove() -
instead of unregistering the queue in sas_rphy_remove() and finally
cleaning up the queue in calling blk_cleanup_queue() from
sas_end_device_release() or sas_expander_release().

Function bsg_remove_queue() can handle a NULL pointer q, so remove the
precheck in sas_rphy_remove().

Fixes: 651a013649943 ("scsi: scsi_transport_sas: switch to bsg-lib for SMP passthrough")
Link: https://lore.kernel.org/r/1574242755-94156-1-git-send-email-john.garry@huawei.com
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_transport_sas.c |    9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

--- a/drivers/scsi/scsi_transport_sas.c
+++ b/drivers/scsi/scsi_transport_sas.c
@@ -1391,9 +1391,6 @@ static void sas_expander_release(struct
 	struct sas_rphy *rphy = dev_to_rphy(dev);
 	struct sas_expander_device *edev = rphy_to_expander_device(rphy);
 
-	if (rphy->q)
-		blk_cleanup_queue(rphy->q);
-
 	put_device(dev->parent);
 	kfree(edev);
 }
@@ -1403,9 +1400,6 @@ static void sas_end_device_release(struc
 	struct sas_rphy *rphy = dev_to_rphy(dev);
 	struct sas_end_device *edev = rphy_to_end_device(rphy);
 
-	if (rphy->q)
-		blk_cleanup_queue(rphy->q);
-
 	put_device(dev->parent);
 	kfree(edev);
 }
@@ -1634,8 +1628,7 @@ sas_rphy_remove(struct sas_rphy *rphy)
 	}
 
 	sas_rphy_unlink(rphy);
-	if (rphy->q)
-		bsg_unregister_queue(rphy->q);
+	bsg_remove_queue(rphy->q);
 	transport_remove_device(dev);
 	device_del(dev);
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 208/222] scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 207/222] scsi: scsi_transport_sas: Fix memory leak when removing devices Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 209/222] scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Hernandez, Huacai Chen,
	Himanshu Madhani, Martin K. Petersen

From: Huacai Chen <chenhc@lemote.com>

commit 45dc8f2d9c94ed74a5e31e63e9136a19a7e16081 upstream.

Commit 4fa183455988 ("scsi: qla2xxx: Utilize pci_alloc_irq_vectors/
pci_free_irq_vectors calls.") use pci_alloc_irq_vectors() to replace
pci_enable_msi() but it didn't handle the return value correctly. This bug
make qla2x00 always fail to setup MSI if MSI-X fail, so fix it.

BTW, improve the log message of return value in qla2x00_request_irqs() to
avoid confusion.

Fixes: 4fa183455988 ("scsi: qla2xxx: Utilize pci_alloc_irq_vectors/pci_free_irq_vectors calls.")
Cc: Michael Hernandez <michael.hernandez@cavium.com>
Link: https://lore.kernel.org/r/1574314847-14280-1-git-send-email-chenhc@lemote.com
Signed-off-by: Huacai Chen <chenhc@lemote.com>
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_isr.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -3625,7 +3625,7 @@ qla2x00_request_irqs(struct qla_hw_data
 skip_msix:
 
 	ql_log(ql_log_info, vha, 0x0037,
-	    "Falling back-to MSI mode -%d.\n", ret);
+	    "Falling back-to MSI mode -- ret=%d.\n", ret);
 
 	if (!IS_QLA24XX(ha) && !IS_QLA2532(ha) && !IS_QLA8432(ha) &&
 	    !IS_QLA8001(ha) && !IS_P3P_TYPE(ha) && !IS_QLAFX00(ha) &&
@@ -3633,13 +3633,13 @@ skip_msix:
 		goto skip_msi;
 
 	ret = pci_alloc_irq_vectors(ha->pdev, 1, 1, PCI_IRQ_MSI);
-	if (!ret) {
+	if (ret > 0) {
 		ql_dbg(ql_dbg_init, vha, 0x0038,
 		    "MSI: Enabled.\n");
 		ha->flags.msi_enabled = 1;
 	} else
 		ql_log(ql_log_warn, vha, 0x0039,
-		    "Falling back-to INTa mode -- %d.\n", ret);
+		    "Falling back-to INTa mode -- ret=%d.\n", ret);
 skip_msi:
 
 	/* Skip INTx on ISP82xx. */



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 209/222] scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 208/222] scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 210/222] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Bond, Martin Wilck,
	Himanshu Madhani, Martin K. Petersen

From: Martin Wilck <mwilck@suse.com>

commit d341e9a8f2cffe4000c610225c629f62c7489c74 upstream.

In qla2x00_find_all_fabric_devs(), fcport->flags & FCF_LOGIN_NEEDED is a
necessary condition for logging into new rports, but not for dropping lost
ones.

Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery")
Link: https://lore.kernel.org/r/20191122221912.20100-2-martin.wilck@suse.com
Tested-by: David Bond <dbond@suse.com>
Signed-off-by: Martin Wilck <mwilck@suse.com>
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_init.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -5891,8 +5891,7 @@ qla2x00_find_all_fabric_devs(scsi_qla_ho
 		if (test_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags))
 			break;
 
-		if ((fcport->flags & FCF_FABRIC_DEVICE) == 0 ||
-		    (fcport->flags & FCF_LOGIN_NEEDED) == 0)
+		if ((fcport->flags & FCF_FABRIC_DEVICE) == 0)
 			continue;
 
 		if (fcport->scan_state == QLA_FCPORT_SCAN) {
@@ -5915,7 +5914,8 @@ qla2x00_find_all_fabric_devs(scsi_qla_ho
 			}
 		}
 
-		if (fcport->scan_state == QLA_FCPORT_FOUND)
+		if (fcport->scan_state == QLA_FCPORT_FOUND &&
+		    (fcport->flags & FCF_LOGIN_NEEDED) != 0)
 			qla24xx_fcport_handle_login(vha, fcport);
 	}
 	return (rval);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 210/222] scsi: core: scsi_trace: Use get_unaligned_be*()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 209/222] scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 211/222] scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Hannes Reinecke,
	Douglas Gilbert, Colin Ian King, Bart Van Assche,
	Martin K. Petersen

From: Bart Van Assche <bvanassche@acm.org>

commit b1335f5b0486f61fb66b123b40f8e7a98e49605d upstream.

This patch fixes an unintended sign extension on left shifts. From Colin
King: "Shifting a u8 left will cause the value to be promoted to an
integer. If the top bit of the u8 is set then the following conversion to
an u64 will sign extend the value causing the upper 32 bits to be set in
the result."

Fix this by using get_unaligned_be*() instead.

Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points")
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Link: https://lore.kernel.org/r/20191101211447.187151-1-bvanassche@acm.org
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_trace.c |  103 ++++++++++++----------------------------------
 1 file changed, 28 insertions(+), 75 deletions(-)

--- a/drivers/scsi/scsi_trace.c
+++ b/drivers/scsi/scsi_trace.c
@@ -9,7 +9,7 @@
 #include <trace/events/scsi.h>
 
 #define SERVICE_ACTION16(cdb) (cdb[1] & 0x1f)
-#define SERVICE_ACTION32(cdb) ((cdb[8] << 8) | cdb[9])
+#define SERVICE_ACTION32(cdb) (get_unaligned_be16(&cdb[8]))
 
 static const char *
 scsi_trace_misc(struct trace_seq *, unsigned char *, int);
@@ -39,17 +39,12 @@ static const char *
 scsi_trace_rw10(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = trace_seq_buffer_ptr(p);
-	sector_t lba = 0, txlen = 0;
+	u32 lba, txlen;
 
-	lba |= (cdb[2] << 24);
-	lba |= (cdb[3] << 16);
-	lba |= (cdb[4] << 8);
-	lba |=  cdb[5];
-	txlen |= (cdb[7] << 8);
-	txlen |=  cdb[8];
+	lba = get_unaligned_be32(&cdb[2]);
+	txlen = get_unaligned_be16(&cdb[7]);
 
-	trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
-			 (unsigned long long)lba, (unsigned long long)txlen,
+	trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen,
 			 cdb[1] >> 5);
 
 	if (cdb[0] == WRITE_SAME)
@@ -64,19 +59,12 @@ static const char *
 scsi_trace_rw12(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = trace_seq_buffer_ptr(p);
-	sector_t lba = 0, txlen = 0;
+	u32 lba, txlen;
 
-	lba |= (cdb[2] << 24);
-	lba |= (cdb[3] << 16);
-	lba |= (cdb[4] << 8);
-	lba |=  cdb[5];
-	txlen |= (cdb[6] << 24);
-	txlen |= (cdb[7] << 16);
-	txlen |= (cdb[8] << 8);
-	txlen |=  cdb[9];
+	lba = get_unaligned_be32(&cdb[2]);
+	txlen = get_unaligned_be32(&cdb[6]);
 
-	trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
-			 (unsigned long long)lba, (unsigned long long)txlen,
+	trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen,
 			 cdb[1] >> 5);
 	trace_seq_putc(p, 0);
 
@@ -87,23 +75,13 @@ static const char *
 scsi_trace_rw16(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = trace_seq_buffer_ptr(p);
-	sector_t lba = 0, txlen = 0;
+	u64 lba;
+	u32 txlen;
 
-	lba |= ((u64)cdb[2] << 56);
-	lba |= ((u64)cdb[3] << 48);
-	lba |= ((u64)cdb[4] << 40);
-	lba |= ((u64)cdb[5] << 32);
-	lba |= (cdb[6] << 24);
-	lba |= (cdb[7] << 16);
-	lba |= (cdb[8] << 8);
-	lba |=  cdb[9];
-	txlen |= (cdb[10] << 24);
-	txlen |= (cdb[11] << 16);
-	txlen |= (cdb[12] << 8);
-	txlen |=  cdb[13];
+	lba = get_unaligned_be64(&cdb[2]);
+	txlen = get_unaligned_be32(&cdb[10]);
 
-	trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
-			 (unsigned long long)lba, (unsigned long long)txlen,
+	trace_seq_printf(p, "lba=%llu txlen=%u protect=%u", lba, txlen,
 			 cdb[1] >> 5);
 
 	if (cdb[0] == WRITE_SAME_16)
@@ -118,8 +96,8 @@ static const char *
 scsi_trace_rw32(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = trace_seq_buffer_ptr(p), *cmd;
-	sector_t lba = 0, txlen = 0;
-	u32 ei_lbrt = 0;
+	u64 lba;
+	u32 ei_lbrt, txlen;
 
 	switch (SERVICE_ACTION32(cdb)) {
 	case READ_32:
@@ -139,26 +117,12 @@ scsi_trace_rw32(struct trace_seq *p, uns
 		goto out;
 	}
 
-	lba |= ((u64)cdb[12] << 56);
-	lba |= ((u64)cdb[13] << 48);
-	lba |= ((u64)cdb[14] << 40);
-	lba |= ((u64)cdb[15] << 32);
-	lba |= (cdb[16] << 24);
-	lba |= (cdb[17] << 16);
-	lba |= (cdb[18] << 8);
-	lba |=  cdb[19];
-	ei_lbrt |= (cdb[20] << 24);
-	ei_lbrt |= (cdb[21] << 16);
-	ei_lbrt |= (cdb[22] << 8);
-	ei_lbrt |=  cdb[23];
-	txlen |= (cdb[28] << 24);
-	txlen |= (cdb[29] << 16);
-	txlen |= (cdb[30] << 8);
-	txlen |=  cdb[31];
-
-	trace_seq_printf(p, "%s_32 lba=%llu txlen=%llu protect=%u ei_lbrt=%u",
-			 cmd, (unsigned long long)lba,
-			 (unsigned long long)txlen, cdb[10] >> 5, ei_lbrt);
+	lba = get_unaligned_be64(&cdb[12]);
+	ei_lbrt = get_unaligned_be32(&cdb[20]);
+	txlen = get_unaligned_be32(&cdb[28]);
+
+	trace_seq_printf(p, "%s_32 lba=%llu txlen=%u protect=%u ei_lbrt=%u",
+			 cmd, lba, txlen, cdb[10] >> 5, ei_lbrt);
 
 	if (SERVICE_ACTION32(cdb) == WRITE_SAME_32)
 		trace_seq_printf(p, " unmap=%u", cdb[10] >> 3 & 1);
@@ -173,7 +137,7 @@ static const char *
 scsi_trace_unmap(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = trace_seq_buffer_ptr(p);
-	unsigned int regions = cdb[7] << 8 | cdb[8];
+	unsigned int regions = get_unaligned_be16(&cdb[7]);
 
 	trace_seq_printf(p, "regions=%u", (regions - 8) / 16);
 	trace_seq_putc(p, 0);
@@ -185,8 +149,8 @@ static const char *
 scsi_trace_service_action_in(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = trace_seq_buffer_ptr(p), *cmd;
-	sector_t lba = 0;
-	u32 alloc_len = 0;
+	u64 lba;
+	u32 alloc_len;
 
 	switch (SERVICE_ACTION16(cdb)) {
 	case SAI_READ_CAPACITY_16:
@@ -200,21 +164,10 @@ scsi_trace_service_action_in(struct trac
 		goto out;
 	}
 
-	lba |= ((u64)cdb[2] << 56);
-	lba |= ((u64)cdb[3] << 48);
-	lba |= ((u64)cdb[4] << 40);
-	lba |= ((u64)cdb[5] << 32);
-	lba |= (cdb[6] << 24);
-	lba |= (cdb[7] << 16);
-	lba |= (cdb[8] << 8);
-	lba |=  cdb[9];
-	alloc_len |= (cdb[10] << 24);
-	alloc_len |= (cdb[11] << 16);
-	alloc_len |= (cdb[12] << 8);
-	alloc_len |=  cdb[13];
+	lba = get_unaligned_be64(&cdb[2]);
+	alloc_len = get_unaligned_be32(&cdb[10]);
 
-	trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd,
-			 (unsigned long long)lba, alloc_len);
+	trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd, lba, alloc_len);
 
 out:
 	trace_seq_putc(p, 0);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 211/222] scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 210/222] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 212/222] scsi: lpfc: Fix hdwq sgl locks and irq handling Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Martin K. Petersen

From: James Smart <jsmart2021@gmail.com>

commit 35a635af54ce79881eb35ba20b64dcb1e81b0389 upstream.

In lpfc_release_io_buf, an lpfc_io_buf is returned to the 'available' pool
before any associated sgl or cmd and rsp buffers are returned via their
respective 'put' routines.  If xri rebalancing occurs and an lpfc_io_buf
structure is reused quickly, there may be a race condition between release
of old and association of new resources.

Re-ordered lpfc_release_io_buf to release sgl and cmd/rsp
buffer lists before releasing the lpfc_io_buf structure for re-use.

Fixes: d79c9e9d4b3d ("scsi: lpfc: Support dynamic unbounded SGL lists on G7 hardware.")
Link: https://lore.kernel.org/r/20190922035906.10977-17-jsmart2021@gmail.com
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/lpfc/lpfc_sli.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -20108,6 +20108,13 @@ void lpfc_release_io_buf(struct lpfc_hba
 	lpfc_ncmd->cur_iocbq.wqe_cmpl = NULL;
 	lpfc_ncmd->cur_iocbq.iocb_cmpl = NULL;
 
+	if (phba->cfg_xpsgl && !phba->nvmet_support &&
+	    !list_empty(&lpfc_ncmd->dma_sgl_xtra_list))
+		lpfc_put_sgl_per_hdwq(phba, lpfc_ncmd);
+
+	if (!list_empty(&lpfc_ncmd->dma_cmd_rsp_list))
+		lpfc_put_cmd_rsp_buf_per_hdwq(phba, lpfc_ncmd);
+
 	if (phba->cfg_xri_rebalancing) {
 		if (lpfc_ncmd->expedite) {
 			/* Return to expedite pool */
@@ -20172,13 +20179,6 @@ void lpfc_release_io_buf(struct lpfc_hba
 		spin_unlock_irqrestore(&qp->io_buf_list_put_lock,
 				       iflag);
 	}
-
-	if (phba->cfg_xpsgl && !phba->nvmet_support &&
-	    !list_empty(&lpfc_ncmd->dma_sgl_xtra_list))
-		lpfc_put_sgl_per_hdwq(phba, lpfc_ncmd);
-
-	if (!list_empty(&lpfc_ncmd->dma_cmd_rsp_list))
-		lpfc_put_cmd_rsp_buf_per_hdwq(phba, lpfc_ncmd);
 }
 
 /**



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 212/222] scsi: lpfc: Fix hdwq sgl locks and irq handling
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 211/222] scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:29 ` [PATCH 5.4 213/222] scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq() Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Martin K. Petersen

From: James Smart <jsmart2021@gmail.com>

commit a4c21acca2be6729ecbe72eda9b08092725b0a77 upstream.

Many of the sgl-per-hdwq paths are locking with spin_lock_irq() and
spin_unlock_irq() and may unwittingly raising irq when it shouldn't. Hard
deadlocks were seen around lpfc_scsi_prep_cmnd().

Fix by converting the locks to irqsave/irqrestore.

Fixes: d79c9e9d4b3d ("scsi: lpfc: Support dynamic unbounded SGL lists on G7 hardware.")
Link: https://lore.kernel.org/r/20190922035906.10977-16-jsmart2021@gmail.com
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/lpfc/lpfc_sli.c |   38 ++++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)

--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -20414,8 +20414,9 @@ lpfc_get_sgl_per_hdwq(struct lpfc_hba *p
 	struct sli4_hybrid_sgl *allocated_sgl = NULL;
 	struct lpfc_sli4_hdw_queue *hdwq = lpfc_buf->hdwq;
 	struct list_head *buf_list = &hdwq->sgl_list;
+	unsigned long iflags;
 
-	spin_lock_irq(&hdwq->hdwq_lock);
+	spin_lock_irqsave(&hdwq->hdwq_lock, iflags);
 
 	if (likely(!list_empty(buf_list))) {
 		/* break off 1 chunk from the sgl_list */
@@ -20427,7 +20428,7 @@ lpfc_get_sgl_per_hdwq(struct lpfc_hba *p
 		}
 	} else {
 		/* allocate more */
-		spin_unlock_irq(&hdwq->hdwq_lock);
+		spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 		tmp = kmalloc_node(sizeof(*tmp), GFP_ATOMIC,
 				   cpu_to_node(smp_processor_id()));
 		if (!tmp) {
@@ -20449,7 +20450,7 @@ lpfc_get_sgl_per_hdwq(struct lpfc_hba *p
 			return NULL;
 		}
 
-		spin_lock_irq(&hdwq->hdwq_lock);
+		spin_lock_irqsave(&hdwq->hdwq_lock, iflags);
 		list_add_tail(&tmp->list_node, &lpfc_buf->dma_sgl_xtra_list);
 	}
 
@@ -20457,7 +20458,7 @@ lpfc_get_sgl_per_hdwq(struct lpfc_hba *p
 					struct sli4_hybrid_sgl,
 					list_node);
 
-	spin_unlock_irq(&hdwq->hdwq_lock);
+	spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 
 	return allocated_sgl;
 }
@@ -20481,8 +20482,9 @@ lpfc_put_sgl_per_hdwq(struct lpfc_hba *p
 	struct sli4_hybrid_sgl *tmp = NULL;
 	struct lpfc_sli4_hdw_queue *hdwq = lpfc_buf->hdwq;
 	struct list_head *buf_list = &hdwq->sgl_list;
+	unsigned long iflags;
 
-	spin_lock_irq(&hdwq->hdwq_lock);
+	spin_lock_irqsave(&hdwq->hdwq_lock, iflags);
 
 	if (likely(!list_empty(&lpfc_buf->dma_sgl_xtra_list))) {
 		list_for_each_entry_safe(list_entry, tmp,
@@ -20495,7 +20497,7 @@ lpfc_put_sgl_per_hdwq(struct lpfc_hba *p
 		rc = -EINVAL;
 	}
 
-	spin_unlock_irq(&hdwq->hdwq_lock);
+	spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 	return rc;
 }
 
@@ -20516,8 +20518,9 @@ lpfc_free_sgl_per_hdwq(struct lpfc_hba *
 	struct list_head *buf_list = &hdwq->sgl_list;
 	struct sli4_hybrid_sgl *list_entry = NULL;
 	struct sli4_hybrid_sgl *tmp = NULL;
+	unsigned long iflags;
 
-	spin_lock_irq(&hdwq->hdwq_lock);
+	spin_lock_irqsave(&hdwq->hdwq_lock, iflags);
 
 	/* Free sgl pool */
 	list_for_each_entry_safe(list_entry, tmp,
@@ -20529,7 +20532,7 @@ lpfc_free_sgl_per_hdwq(struct lpfc_hba *
 		kfree(list_entry);
 	}
 
-	spin_unlock_irq(&hdwq->hdwq_lock);
+	spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 }
 
 /**
@@ -20553,8 +20556,9 @@ lpfc_get_cmd_rsp_buf_per_hdwq(struct lpf
 	struct fcp_cmd_rsp_buf *allocated_buf = NULL;
 	struct lpfc_sli4_hdw_queue *hdwq = lpfc_buf->hdwq;
 	struct list_head *buf_list = &hdwq->cmd_rsp_buf_list;
+	unsigned long iflags;
 
-	spin_lock_irq(&hdwq->hdwq_lock);
+	spin_lock_irqsave(&hdwq->hdwq_lock, iflags);
 
 	if (likely(!list_empty(buf_list))) {
 		/* break off 1 chunk from the list */
@@ -20567,7 +20571,7 @@ lpfc_get_cmd_rsp_buf_per_hdwq(struct lpf
 		}
 	} else {
 		/* allocate more */
-		spin_unlock_irq(&hdwq->hdwq_lock);
+		spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 		tmp = kmalloc_node(sizeof(*tmp), GFP_ATOMIC,
 				   cpu_to_node(smp_processor_id()));
 		if (!tmp) {
@@ -20594,7 +20598,7 @@ lpfc_get_cmd_rsp_buf_per_hdwq(struct lpf
 		tmp->fcp_rsp = (struct fcp_rsp *)((uint8_t *)tmp->fcp_cmnd +
 				sizeof(struct fcp_cmnd));
 
-		spin_lock_irq(&hdwq->hdwq_lock);
+		spin_lock_irqsave(&hdwq->hdwq_lock, iflags);
 		list_add_tail(&tmp->list_node, &lpfc_buf->dma_cmd_rsp_list);
 	}
 
@@ -20602,7 +20606,7 @@ lpfc_get_cmd_rsp_buf_per_hdwq(struct lpf
 					struct fcp_cmd_rsp_buf,
 					list_node);
 
-	spin_unlock_irq(&hdwq->hdwq_lock);
+	spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 
 	return allocated_buf;
 }
@@ -20627,8 +20631,9 @@ lpfc_put_cmd_rsp_buf_per_hdwq(struct lpf
 	struct fcp_cmd_rsp_buf *tmp = NULL;
 	struct lpfc_sli4_hdw_queue *hdwq = lpfc_buf->hdwq;
 	struct list_head *buf_list = &hdwq->cmd_rsp_buf_list;
+	unsigned long iflags;
 
-	spin_lock_irq(&hdwq->hdwq_lock);
+	spin_lock_irqsave(&hdwq->hdwq_lock, iflags);
 
 	if (likely(!list_empty(&lpfc_buf->dma_cmd_rsp_list))) {
 		list_for_each_entry_safe(list_entry, tmp,
@@ -20641,7 +20646,7 @@ lpfc_put_cmd_rsp_buf_per_hdwq(struct lpf
 		rc = -EINVAL;
 	}
 
-	spin_unlock_irq(&hdwq->hdwq_lock);
+	spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 	return rc;
 }
 
@@ -20662,8 +20667,9 @@ lpfc_free_cmd_rsp_buf_per_hdwq(struct lp
 	struct list_head *buf_list = &hdwq->cmd_rsp_buf_list;
 	struct fcp_cmd_rsp_buf *list_entry = NULL;
 	struct fcp_cmd_rsp_buf *tmp = NULL;
+	unsigned long iflags;
 
-	spin_lock_irq(&hdwq->hdwq_lock);
+	spin_lock_irqsave(&hdwq->hdwq_lock, iflags);
 
 	/* Free cmd_rsp buf pool */
 	list_for_each_entry_safe(list_entry, tmp,
@@ -20676,5 +20682,5 @@ lpfc_free_cmd_rsp_buf_per_hdwq(struct lp
 		kfree(list_entry);
 	}
 
-	spin_unlock_irq(&hdwq->hdwq_lock);
+	spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 }



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 213/222] scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 212/222] scsi: lpfc: Fix hdwq sgl locks and irq handling Greg Kroah-Hartman
@ 2020-01-22  9:29 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 214/222] rtw88: fix potential read outside array boundary Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, James Smart,
	Martin K. Petersen

From: Bart Van Assche <bvanassche@acm.org>

commit 765ab6cdac3b681952da0e22184bf6cf1ae41cf8 upstream.

Fix the following kernel bug report:

BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/954

Fixes: d79c9e9d4b3d ("scsi: lpfc: Support dynamic unbounded SGL lists on G7 hardware.")
Link: https://lore.kernel.org/r/20191107052158.25788-2-bvanassche@acm.org
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/lpfc/lpfc_sli.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -20430,7 +20430,7 @@ lpfc_get_sgl_per_hdwq(struct lpfc_hba *p
 		/* allocate more */
 		spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 		tmp = kmalloc_node(sizeof(*tmp), GFP_ATOMIC,
-				   cpu_to_node(smp_processor_id()));
+				   cpu_to_node(raw_smp_processor_id()));
 		if (!tmp) {
 			lpfc_printf_log(phba, KERN_INFO, LOG_SLI,
 					"8353 error kmalloc memory for HDWQ "
@@ -20573,7 +20573,7 @@ lpfc_get_cmd_rsp_buf_per_hdwq(struct lpf
 		/* allocate more */
 		spin_unlock_irqrestore(&hdwq->hdwq_lock, iflags);
 		tmp = kmalloc_node(sizeof(*tmp), GFP_ATOMIC,
-				   cpu_to_node(smp_processor_id()));
+				   cpu_to_node(raw_smp_processor_id()));
 		if (!tmp) {
 			lpfc_printf_log(phba, KERN_INFO, LOG_SLI,
 					"8355 error kmalloc memory for HDWQ "



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 214/222] rtw88: fix potential read outside array boundary
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2020-01-22  9:29 ` [PATCH 5.4 213/222] scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq() Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 215/222] perf probe: Fix wrong address verification Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tzu-En Huang, Yan-Hsuan Chuang, Kalle Valo

From: Tzu-En Huang <tehuang@realtek.com>

commit 18a0696e85fde169e0109aa61d0505b2b935b59d upstream.

The level of cckpd is from 0 to 4, and it is the index of
array pd_lvl[] and cs_lvl[]. However, the length of both arrays
are 4, which is smaller than the possible maximum input index.
Enumerate cck level to make sure the max level will not be wrong
if new level is added in future.

Fixes: 479c4ee931a6 ("rtw88: add dynamic cck pd mechanism")
Signed-off-by: Tzu-En Huang <tehuang@realtek.com>
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/realtek/rtw88/phy.c      |   17 ++++++++---------
 drivers/net/wireless/realtek/rtw88/phy.h      |    9 +++++++++
 drivers/net/wireless/realtek/rtw88/rtw8822c.c |    4 ++--
 3 files changed, 19 insertions(+), 11 deletions(-)

--- a/drivers/net/wireless/realtek/rtw88/phy.c
+++ b/drivers/net/wireless/realtek/rtw88/phy.c
@@ -118,7 +118,7 @@ static void rtw_phy_cck_pd_init(struct r
 
 	for (i = 0; i <= RTW_CHANNEL_WIDTH_40; i++) {
 		for (j = 0; j < RTW_RF_PATH_MAX; j++)
-			dm_info->cck_pd_lv[i][j] = 0;
+			dm_info->cck_pd_lv[i][j] = CCK_PD_LV0;
 	}
 
 	dm_info->cck_fa_avg = CCK_FA_AVG_RESET;
@@ -461,7 +461,6 @@ static void rtw_phy_dpk_track(struct rtw
 		chip->ops->dpk_track(rtwdev);
 }
 
-#define CCK_PD_LV_MAX		5
 #define CCK_PD_FA_LV1_MIN	1000
 #define CCK_PD_FA_LV0_MAX	500
 
@@ -471,10 +470,10 @@ static u8 rtw_phy_cck_pd_lv_unlink(struc
 	u32 cck_fa_avg = dm_info->cck_fa_avg;
 
 	if (cck_fa_avg > CCK_PD_FA_LV1_MIN)
-		return 1;
+		return CCK_PD_LV1;
 
 	if (cck_fa_avg < CCK_PD_FA_LV0_MAX)
-		return 0;
+		return CCK_PD_LV0;
 
 	return CCK_PD_LV_MAX;
 }
@@ -494,15 +493,15 @@ static u8 rtw_phy_cck_pd_lv_link(struct
 	u32 cck_fa_avg = dm_info->cck_fa_avg;
 
 	if (igi > CCK_PD_IGI_LV4_VAL && rssi > CCK_PD_RSSI_LV4_VAL)
-		return 4;
+		return CCK_PD_LV4;
 	if (igi > CCK_PD_IGI_LV3_VAL && rssi > CCK_PD_RSSI_LV3_VAL)
-		return 3;
+		return CCK_PD_LV3;
 	if (igi > CCK_PD_IGI_LV2_VAL || rssi > CCK_PD_RSSI_LV2_VAL)
-		return 2;
+		return CCK_PD_LV2;
 	if (cck_fa_avg > CCK_PD_FA_LV1_MIN)
-		return 1;
+		return CCK_PD_LV1;
 	if (cck_fa_avg < CCK_PD_FA_LV0_MAX)
-		return 0;
+		return CCK_PD_LV0;
 
 	return CCK_PD_LV_MAX;
 }
--- a/drivers/net/wireless/realtek/rtw88/phy.h
+++ b/drivers/net/wireless/realtek/rtw88/phy.h
@@ -125,6 +125,15 @@ rtw_get_tx_power_params(struct rtw_dev *
 			u8 rate, u8 bw, u8 ch, u8 regd,
 			struct rtw_power_params *pwr_param);
 
+enum rtw_phy_cck_pd_lv {
+	CCK_PD_LV0,
+	CCK_PD_LV1,
+	CCK_PD_LV2,
+	CCK_PD_LV3,
+	CCK_PD_LV4,
+	CCK_PD_LV_MAX,
+};
+
 #define	MASKBYTE0		0xff
 #define	MASKBYTE1		0xff00
 #define	MASKBYTE2		0xff0000
--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
@@ -3168,8 +3168,8 @@ rtw8822c_phy_cck_pd_set_reg(struct rtw_d
 static void rtw8822c_phy_cck_pd_set(struct rtw_dev *rtwdev, u8 new_lvl)
 {
 	struct rtw_dm_info *dm_info = &rtwdev->dm_info;
-	s8 pd_lvl[4] = {2, 4, 6, 8};
-	s8 cs_lvl[4] = {2, 2, 2, 4};
+	s8 pd_lvl[CCK_PD_LV_MAX] = {0, 2, 4, 6, 8};
+	s8 cs_lvl[CCK_PD_LV_MAX] = {0, 2, 2, 2, 4};
 	u8 cur_lvl;
 	u8 nrx, bw;
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 215/222] perf probe: Fix wrong address verification
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 214/222] rtw88: fix potential read outside array boundary Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 216/222] perf script: Allow --time with --reltime Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnaldo Carvalho de Melo,
	Arnaldo Carvalho de Melo, Masami Hiramatsu, Jiri Olsa,
	Namhyung Kim

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 07d369857808b7e8e471bbbbb0074a6718f89b31 upstream.

Since there are some DIE which has only ranges instead of the
combination of entrypc/highpc, address verification must use
dwarf_haspc() instead of dwarf_entrypc/dwarf_highpc.

Also, the ranges only DIE will have a partial code in different section
(e.g. unlikely code will be in text.unlikely as "FUNC.cold" symbol). In
that case, we can not use dwarf_entrypc() or die_entrypc(), because the
offset from original DIE can be a minus value.

Instead, this simply gets the symbol and offset from symtab.

Without this patch;

  # perf probe -D clear_tasks_mm_cpumask:1
  Failed to get entry address of clear_tasks_mm_cpumask
    Error: Failed to add events.

And with this patch:

  # perf probe -D clear_tasks_mm_cpumask:1
  p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0
  p:probe/clear_tasks_mm_cpumask_1 clear_tasks_mm_cpumask+5
  p:probe/clear_tasks_mm_cpumask_2 clear_tasks_mm_cpumask+8
  p:probe/clear_tasks_mm_cpumask_3 clear_tasks_mm_cpumask+16
  p:probe/clear_tasks_mm_cpumask_4 clear_tasks_mm_cpumask+82

Committer testing:

I managed to reproduce the above:

  [root@quaco ~]# perf probe -D clear_tasks_mm_cpumask:1
  p:probe/clear_tasks_mm_cpumask _text+919968
  p:probe/clear_tasks_mm_cpumask_1 _text+919973
  p:probe/clear_tasks_mm_cpumask_2 _text+919976
  [root@quaco ~]#

But then when trying to actually put the probe in place, it fails if I
use :0 as the offset:

  [root@quaco ~]# perf probe -L clear_tasks_mm_cpumask | head -5
  <clear_tasks_mm_cpumask@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/kernel/cpu.c:0>
        0  void clear_tasks_mm_cpumask(int cpu)
        1  {
        2  	struct task_struct *p;

  [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
  Probe point 'clear_tasks_mm_cpumask' not found.
    Error: Failed to add events.
  [root@quaco

The next patch is needed to fix this case.

Fixes: 576b523721b7 ("perf probe: Fix probing symbols with optimization suffix")
Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157199318513.8075.10463906803299647907.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/probe-finder.c |   32 ++++++++++----------------------
 1 file changed, 10 insertions(+), 22 deletions(-)

--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -604,38 +604,26 @@ static int convert_to_trace_point(Dwarf_
 				  const char *function,
 				  struct probe_trace_point *tp)
 {
-	Dwarf_Addr eaddr, highaddr;
+	Dwarf_Addr eaddr;
 	GElf_Sym sym;
 	const char *symbol;
 
 	/* Verify the address is correct */
-	if (dwarf_entrypc(sp_die, &eaddr) != 0) {
-		pr_warning("Failed to get entry address of %s\n",
-			   dwarf_diename(sp_die));
-		return -ENOENT;
-	}
-	if (dwarf_highpc(sp_die, &highaddr) != 0) {
-		pr_warning("Failed to get end address of %s\n",
-			   dwarf_diename(sp_die));
-		return -ENOENT;
-	}
-	if (paddr > highaddr) {
-		pr_warning("Offset specified is greater than size of %s\n",
+	if (!dwarf_haspc(sp_die, paddr)) {
+		pr_warning("Specified offset is out of %s\n",
 			   dwarf_diename(sp_die));
 		return -EINVAL;
 	}
 
-	symbol = dwarf_diename(sp_die);
+	/* Try to get actual symbol name from symtab */
+	symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
 	if (!symbol) {
-		/* Try to get the symbol name from symtab */
-		symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
-		if (!symbol) {
-			pr_warning("Failed to find symbol at 0x%lx\n",
-				   (unsigned long)paddr);
-			return -ENOENT;
-		}
-		eaddr = sym.st_value;
+		pr_warning("Failed to find symbol at 0x%lx\n",
+			   (unsigned long)paddr);
+		return -ENOENT;
 	}
+	eaddr = sym.st_value;
+
 	tp->offset = (unsigned long)(paddr - eaddr);
 	tp->address = (unsigned long)paddr;
 	tp->symbol = strdup(symbol);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 216/222] perf script: Allow --time with --reltime
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 215/222] perf probe: Fix wrong address verification Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 217/222] clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle() Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andi Kleen, Jiri Olsa,
	Arnaldo Carvalho de Melo

From: Andi Kleen <ak@linux.intel.com>

commit 3714437d3fcc7956cabcb0077f2a506b61160a56 upstream.

The original --reltime patch forbid --time with --reltime.

But it turns out --time doesn't really care about --reltime, because the
relative time is only used at final output, while the time filtering
always works earlier on absolute time.

So just remove the check and allow combining the two options.

Fixes: 90b10f47c0ee ("perf script: Support relative time")
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: http://lore.kernel.org/lkml/20191002164642.1719-1-andi@firstfloor.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/builtin-script.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/tools/perf/builtin-script.c
+++ b/tools/perf/builtin-script.c
@@ -3605,11 +3605,6 @@ int cmd_script(int argc, const char **ar
 		}
 	}
 
-	if (script.time_str && reltime) {
-		fprintf(stderr, "Don't combine --reltime with --time\n");
-		return -1;
-	}
-
 	if (itrace_synth_opts.callchain &&
 	    itrace_synth_opts.callchain_sz > scripting_max_stack)
 		scripting_max_stack = itrace_synth_opts.callchain_sz;



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 217/222] clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle()
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 216/222] perf script: Allow --time with --reltime Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 218/222] clk: imx7ulp: Correct system clock source option #7 Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Baolin Wang, Stephen Boyd

From: Baolin Wang <baolin.wang@linaro.org>

commit 9629dbdabd1983ef53f125336e1d62d77b1620f9 upstream.

The syscon_regmap_lookup_by_phandle() will never return NULL, thus use
IS_ERR() to validate the return value instead of IS_ERR_OR_NULL().

Fixes: d41f59fd92f2 ("clk: sprd: Add common infrastructure")
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Link: https://lkml.kernel.org/r/1995139bee5248ff3e9d46dc715968f212cfc4cc.1570520268.git.baolin.wang@linaro.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/sprd/common.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/sprd/common.c
+++ b/drivers/clk/sprd/common.c
@@ -46,7 +46,7 @@ int sprd_clk_regmap_init(struct platform
 
 	if (of_find_property(node, "sprd,syscon", NULL)) {
 		regmap = syscon_regmap_lookup_by_phandle(node, "sprd,syscon");
-		if (IS_ERR_OR_NULL(regmap)) {
+		if (IS_ERR(regmap)) {
 			pr_err("%s: failed to get syscon regmap\n", __func__);
 			return PTR_ERR(regmap);
 		}



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 218/222] clk: imx7ulp: Correct system clock source option #7
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 217/222] clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle() Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 219/222] clk: imx7ulp: Correct DDR clock mux options Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anson Huang, Fabio Estevam, Shawn Guo

From: Anson Huang <Anson.Huang@nxp.com>

commit 96ac93a7c4bea4eb4186425795c00937d2dd6085 upstream.

In the latest reference manual Rev.0,06/2019, the SCS's option #7
is no longer from upll, it is reserved, update clock driver accordingly.

Fixes: b1260067ac3d ("clk: imx: add imx7ulp clk driver")
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/imx/clk-imx7ulp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/imx/clk-imx7ulp.c
+++ b/drivers/clk/imx/clk-imx7ulp.c
@@ -24,7 +24,7 @@ static const char * const spll_pfd_sels[
 static const char * const spll_sels[]		= { "spll", "spll_pfd_sel", };
 static const char * const apll_pfd_sels[]	= { "apll_pfd0", "apll_pfd1", "apll_pfd2", "apll_pfd3", };
 static const char * const apll_sels[]		= { "apll", "apll_pfd_sel", };
-static const char * const scs_sels[]		= { "dummy", "sosc", "sirc", "firc", "dummy", "apll_sel", "spll_sel", "upll", };
+static const char * const scs_sels[]		= { "dummy", "sosc", "sirc", "firc", "dummy", "apll_sel", "spll_sel", "dummy", };
 static const char * const ddr_sels[]		= { "apll_pfd_sel", "upll", };
 static const char * const nic_sels[]		= { "firc", "ddr_clk", };
 static const char * const periph_plat_sels[]	= { "dummy", "nic1_bus_clk", "nic1_clk", "ddr_clk", "apll_pfd2", "apll_pfd1", "apll_pfd0", "upll", };



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 219/222] clk: imx7ulp: Correct DDR clock mux options
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 218/222] clk: imx7ulp: Correct system clock source option #7 Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 220/222] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anson Huang, Fabio Estevam, Shawn Guo

From: Anson Huang <Anson.Huang@nxp.com>

commit 2e2b928a04bd74ea410da72bd60e1c5b06398276 upstream.

In the latest reference manual Rev.0,06/2019, the DDR clock mux
is extended to 2 bits, and the clock options are also changed,
correct them accordingly.

Fixes: b1260067ac3d ("clk: imx: add imx7ulp clk driver")
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/imx/clk-imx7ulp.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/clk/imx/clk-imx7ulp.c
+++ b/drivers/clk/imx/clk-imx7ulp.c
@@ -25,7 +25,7 @@ static const char * const spll_sels[]		=
 static const char * const apll_pfd_sels[]	= { "apll_pfd0", "apll_pfd1", "apll_pfd2", "apll_pfd3", };
 static const char * const apll_sels[]		= { "apll", "apll_pfd_sel", };
 static const char * const scs_sels[]		= { "dummy", "sosc", "sirc", "firc", "dummy", "apll_sel", "spll_sel", "dummy", };
-static const char * const ddr_sels[]		= { "apll_pfd_sel", "upll", };
+static const char * const ddr_sels[]		= { "apll_pfd_sel", "dummy", "dummy", "dummy", };
 static const char * const nic_sels[]		= { "firc", "ddr_clk", };
 static const char * const periph_plat_sels[]	= { "dummy", "nic1_bus_clk", "nic1_clk", "ddr_clk", "apll_pfd2", "apll_pfd1", "apll_pfd0", "upll", };
 static const char * const periph_bus_sels[]	= { "dummy", "sosc_bus_clk", "mpll", "firc_bus_clk", "rosc", "nic1_bus_clk", "nic1_clk", "spll_bus_clk", };
@@ -119,7 +119,7 @@ static void __init imx7ulp_clk_scg1_init
 	clks[IMX7ULP_CLK_SYS_SEL]	= imx_clk_hw_mux2("scs_sel", base + 0x14, 24, 4, scs_sels, ARRAY_SIZE(scs_sels));
 	clks[IMX7ULP_CLK_HSRUN_SYS_SEL] = imx_clk_hw_mux2("hsrun_scs_sel", base + 0x1c, 24, 4, scs_sels, ARRAY_SIZE(scs_sels));
 	clks[IMX7ULP_CLK_NIC_SEL]	= imx_clk_hw_mux2("nic_sel", base + 0x40, 28, 1, nic_sels, ARRAY_SIZE(nic_sels));
-	clks[IMX7ULP_CLK_DDR_SEL]	= imx_clk_hw_mux_flags("ddr_sel", base + 0x30, 24, 1, ddr_sels, ARRAY_SIZE(ddr_sels), CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE);
+	clks[IMX7ULP_CLK_DDR_SEL]	= imx_clk_hw_mux_flags("ddr_sel", base + 0x30, 24, 2, ddr_sels, ARRAY_SIZE(ddr_sels), CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE);
 
 	clks[IMX7ULP_CLK_CORE_DIV]	= imx_clk_hw_divider_flags("divcore",	"scs_sel",  base + 0x14, 16, 4, CLK_SET_RATE_PARENT);
 	clks[IMX7ULP_CLK_HSRUN_CORE_DIV] = imx_clk_hw_divider_flags("hsrun_divcore", "hsrun_scs_sel", base + 0x1c, 16, 4, CLK_SET_RATE_PARENT);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 220/222] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 219/222] clk: imx7ulp: Correct DDR clock mux options Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 221/222] hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Walleij, Stephan Gerhold, Mark Brown

From: Stephan Gerhold <stephan@gerhold.net>

commit 458ea3ad033fc86e291712ce50cbe60c3428cf30 upstream.

Those regulators are not actually supported by the AB8500 regulator
driver. There is no ab8500_regulator_info for them and no entry in
ab8505_regulator_match.

As such, they cannot be registered successfully, and looking them
up in ab8505_regulator_match causes an out-of-bounds array read.

Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
Cc: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20191106173125.14496-2-stephan@gerhold.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/regulator/ab8500.h |    2 --
 1 file changed, 2 deletions(-)

--- a/include/linux/regulator/ab8500.h
+++ b/include/linux/regulator/ab8500.h
@@ -42,8 +42,6 @@ enum ab8505_regulator_id {
 	AB8505_LDO_ANAMIC2,
 	AB8505_LDO_AUX8,
 	AB8505_LDO_ANA,
-	AB8505_SYSCLKREQ_2,
-	AB8505_SYSCLKREQ_4,
 	AB8505_NUM_REGULATORS,
 };
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 221/222] hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 220/222] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22  9:30 ` [PATCH 5.4 222/222] hwmon: (pmbus/ibm-cffps) Fix LED blink behavior Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eddie James, Guenter Roeck

From: Eddie James <eajames@linux.ibm.com>

commit 9861ff954c7e83e2f738ce16fbe15f8a1e121771 upstream.

Since i2c_smbus functions can sleep, the brightness setting function
for this driver must be the blocking version to avoid scheduling while
atomic.

Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20191106200106.29519-2-eajames@linux.ibm.com
Fixes: ef9e1cdf419a3 ("hwmon: (pmbus/cffps) Add led class device for power supply fault led")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/pmbus/ibm-cffps.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/hwmon/pmbus/ibm-cffps.c
+++ b/drivers/hwmon/pmbus/ibm-cffps.c
@@ -292,8 +292,8 @@ static int ibm_cffps_read_word_data(stru
 	return rc;
 }
 
-static void ibm_cffps_led_brightness_set(struct led_classdev *led_cdev,
-					 enum led_brightness brightness)
+static int ibm_cffps_led_brightness_set(struct led_classdev *led_cdev,
+					enum led_brightness brightness)
 {
 	int rc;
 	struct ibm_cffps *psu = container_of(led_cdev, struct ibm_cffps, led);
@@ -311,9 +311,11 @@ static void ibm_cffps_led_brightness_set
 	rc = i2c_smbus_write_byte_data(psu->client, CFFPS_SYS_CONFIG_CMD,
 				       psu->led_state);
 	if (rc < 0)
-		return;
+		return rc;
 
 	led_cdev->brightness = brightness;
+
+	return 0;
 }
 
 static int ibm_cffps_led_blink_set(struct led_classdev *led_cdev,
@@ -351,7 +353,7 @@ static void ibm_cffps_create_led_class(s
 		 client->addr);
 	psu->led.name = psu->led_name;
 	psu->led.max_brightness = LED_FULL;
-	psu->led.brightness_set = ibm_cffps_led_brightness_set;
+	psu->led.brightness_set_blocking = ibm_cffps_led_brightness_set;
 	psu->led.blink_set = ibm_cffps_led_blink_set;
 
 	rc = devm_led_classdev_register(dev, &psu->led);



^ permalink raw reply	[flat|nested] 238+ messages in thread

* [PATCH 5.4 222/222] hwmon: (pmbus/ibm-cffps) Fix LED blink behavior
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 221/222] hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call Greg Kroah-Hartman
@ 2020-01-22  9:30 ` Greg Kroah-Hartman
  2020-01-22 14:58 ` [PATCH 5.4 000/222] 5.4.14-stable review Jon Hunter
                   ` (3 subsequent siblings)
  225 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eddie James, Guenter Roeck

From: Eddie James <eajames@linux.ibm.com>

commit 92b39ad440968bab38eb6577d63c12994601ed94 upstream.

The LED blink_set function incorrectly did not tell the PSU LED to blink
if brightness was LED_OFF. Fix this, and also correct the LED_OFF
command data, which should give control of the LED back to the PSU
firmware. Also prevent I2C failures from getting the driver LED state
out of sync and add some dev_dbg statements.

Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20191106200106.29519-3-eajames@linux.ibm.com
Fixes: ef9e1cdf419a3 ("hwmon: (pmbus/cffps) Add led class device for power supply fault led")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/pmbus/ibm-cffps.c |   27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

--- a/drivers/hwmon/pmbus/ibm-cffps.c
+++ b/drivers/hwmon/pmbus/ibm-cffps.c
@@ -39,9 +39,13 @@
 #define CFFPS_MFR_VAUX_FAULT			BIT(6)
 #define CFFPS_MFR_CURRENT_SHARE_WARNING		BIT(7)
 
+/*
+ * LED off state actually relinquishes LED control to PSU firmware, so it can
+ * turn on the LED for faults.
+ */
+#define CFFPS_LED_OFF				0
 #define CFFPS_LED_BLINK				BIT(0)
 #define CFFPS_LED_ON				BIT(1)
-#define CFFPS_LED_OFF				BIT(2)
 #define CFFPS_BLINK_RATE_MS			250
 
 enum {
@@ -296,23 +300,31 @@ static int ibm_cffps_led_brightness_set(
 					enum led_brightness brightness)
 {
 	int rc;
+	u8 next_led_state;
 	struct ibm_cffps *psu = container_of(led_cdev, struct ibm_cffps, led);
 
 	if (brightness == LED_OFF) {
-		psu->led_state = CFFPS_LED_OFF;
+		next_led_state = CFFPS_LED_OFF;
 	} else {
 		brightness = LED_FULL;
+
 		if (psu->led_state != CFFPS_LED_BLINK)
-			psu->led_state = CFFPS_LED_ON;
+			next_led_state = CFFPS_LED_ON;
+		else
+			next_led_state = CFFPS_LED_BLINK;
 	}
 
+	dev_dbg(&psu->client->dev, "LED brightness set: %d. Command: %d.\n",
+		brightness, next_led_state);
+
 	pmbus_set_page(psu->client, 0);
 
 	rc = i2c_smbus_write_byte_data(psu->client, CFFPS_SYS_CONFIG_CMD,
-				       psu->led_state);
+				       next_led_state);
 	if (rc < 0)
 		return rc;
 
+	psu->led_state = next_led_state;
 	led_cdev->brightness = brightness;
 
 	return 0;
@@ -325,10 +337,7 @@ static int ibm_cffps_led_blink_set(struc
 	int rc;
 	struct ibm_cffps *psu = container_of(led_cdev, struct ibm_cffps, led);
 
-	psu->led_state = CFFPS_LED_BLINK;
-
-	if (led_cdev->brightness == LED_OFF)
-		return 0;
+	dev_dbg(&psu->client->dev, "LED blink set.\n");
 
 	pmbus_set_page(psu->client, 0);
 
@@ -337,6 +346,8 @@ static int ibm_cffps_led_blink_set(struc
 	if (rc < 0)
 		return rc;
 
+	psu->led_state = CFFPS_LED_BLINK;
+	led_cdev->brightness = LED_FULL;
 	*delay_on = CFFPS_BLINK_RATE_MS;
 	*delay_off = CFFPS_BLINK_RATE_MS;
 



^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 000/222] 5.4.14-stable review
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2020-01-22  9:30 ` [PATCH 5.4 222/222] hwmon: (pmbus/ibm-cffps) Fix LED blink behavior Greg Kroah-Hartman
@ 2020-01-22 14:58 ` Jon Hunter
  2020-01-22 15:02   ` Greg Kroah-Hartman
  2020-01-22 18:09 ` Naresh Kamboju
                   ` (2 subsequent siblings)
  225 siblings, 1 reply; 238+ messages in thread
From: Jon Hunter @ 2020-01-22 14:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 22/01/2020 09:26, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.14 release.
> There are 222 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.14-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v5.4:
    13 builds:	13 pass, 0 fail
    22 boots:	22 pass, 0 fail
    38 tests:	38 pass, 0 fail

Linux version:	5.4.14-rc1-g8045d34c9af0
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 000/222] 5.4.14-stable review
  2020-01-22 14:58 ` [PATCH 5.4 000/222] 5.4.14-stable review Jon Hunter
@ 2020-01-22 15:02   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-22 15:02 UTC (permalink / raw)
  To: Jon Hunter
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable, linux-tegra

On Wed, Jan 22, 2020 at 02:58:33PM +0000, Jon Hunter wrote:
> 
> On 22/01/2020 09:26, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.14 release.
> > There are 222 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.14-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> 
> All tests are passing for Tegra ...
> 
> Test results for stable-v5.4:
>     13 builds:	13 pass, 0 fail
>     22 boots:	22 pass, 0 fail
>     38 tests:	38 pass, 0 fail
> 
> Linux version:	5.4.14-rc1-g8045d34c9af0
> Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
>                 tegra194-p2972-0000, tegra20-ventana,
>                 tegra210-p2371-2180, tegra30-cardhu-a04

Wonderful, thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 000/222] 5.4.14-stable review
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2020-01-22 14:58 ` [PATCH 5.4 000/222] 5.4.14-stable review Jon Hunter
@ 2020-01-22 18:09 ` Naresh Kamboju
  2020-01-23  6:44   ` Greg Kroah-Hartman
  2020-01-22 19:00 ` Guenter Roeck
  2020-01-22 20:51 ` shuah
  225 siblings, 1 reply; 238+ messages in thread
From: Naresh Kamboju @ 2020-01-22 18:09 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Wed, 22 Jan 2020 at 18:48, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.4.14 release.
> There are 222 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.14-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 5.4.14-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.4.y
git commit: 8045d34c9af0cfa13922e1d6a3f53155e2bcdc17
git describe: v5.4.13-223-g8045d34c9af0
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.4-oe/build/v5.4.13-223-g8045d34c9af0

No regressions (compared to build v5.4.13)

No fixes (compared to build v5.4.13)

Ran 21655 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libgpiod
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* ltp-open-posix-tests
* ltp-syscalls-tests
* kvm-unit-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 000/222] 5.4.14-stable review
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2020-01-22 18:09 ` Naresh Kamboju
@ 2020-01-22 19:00 ` Guenter Roeck
  2020-01-23  6:44   ` Greg Kroah-Hartman
  2020-01-22 20:51 ` shuah
  225 siblings, 1 reply; 238+ messages in thread
From: Guenter Roeck @ 2020-01-22 19:00 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Wed, Jan 22, 2020 at 10:26:26AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.14 release.
> There are 222 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 158 pass: 158 fail: 0
Qemu test results:
	total: 389 pass: 389 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 000/222] 5.4.14-stable review
  2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2020-01-22 19:00 ` Guenter Roeck
@ 2020-01-22 20:51 ` shuah
  2020-01-23  6:44   ` Greg Kroah-Hartman
  225 siblings, 1 reply; 238+ messages in thread
From: shuah @ 2020-01-22 20:51 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 1/22/20 2:26 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.14 release.
> There are 222 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.14-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 000/222] 5.4.14-stable review
  2020-01-22 20:51 ` shuah
@ 2020-01-23  6:44   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-23  6:44 UTC (permalink / raw)
  To: shuah
  Cc: linux-kernel, torvalds, akpm, linux, patches, ben.hutchings,
	lkft-triage, stable

On Wed, Jan 22, 2020 at 01:51:20PM -0700, shuah wrote:
> On 1/22/20 2:26 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.14 release.
> > There are 222 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.14-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.

Great, thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 000/222] 5.4.14-stable review
  2020-01-22 19:00 ` Guenter Roeck
@ 2020-01-23  6:44   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-23  6:44 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Wed, Jan 22, 2020 at 11:00:52AM -0800, Guenter Roeck wrote:
> On Wed, Jan 22, 2020 at 10:26:26AM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.14 release.
> > There are 222 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 158 pass: 158 fail: 0
> Qemu test results:
> 	total: 389 pass: 389 fail: 0

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 000/222] 5.4.14-stable review
  2020-01-22 18:09 ` Naresh Kamboju
@ 2020-01-23  6:44   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 238+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-23  6:44 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Wed, Jan 22, 2020 at 11:39:19PM +0530, Naresh Kamboju wrote:
> On Wed, 22 Jan 2020 at 18:48, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 5.4.14 release.
> > There are 222 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri, 24 Jan 2020 09:25:24 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.14-rc1.gz
> > or in the git tree and branch at:
> >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 033/222] io_uring: only allow submit from owning task
  2020-01-22  9:26 ` [PATCH 5.4 033/222] io_uring: only allow submit from owning task Greg Kroah-Hartman
@ 2020-01-24 10:38   ` Stefan Metzmacher
  2020-01-24 10:41     ` Stefan Metzmacher
                       ` (2 more replies)
  0 siblings, 3 replies; 238+ messages in thread
From: Stefan Metzmacher @ 2020-01-24 10:38 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Jens Axboe, io-uring


[-- Attachment #1.1: Type: text/plain, Size: 3253 bytes --]

Am 22.01.20 um 10:26 schrieb Greg Kroah-Hartman:
> From: Jens Axboe <axboe@kernel.dk>
> 
> commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream.
> 
> If the credentials or the mm doesn't match, don't allow the task to
> submit anything on behalf of this ring. The task that owns the ring can
> pass the file descriptor to another task, but we don't want to allow
> that task to submit an SQE that then assumes the ring mm and creds if
> it needs to go async.
> 
> Cc: stable@vger.kernel.org
> Suggested-by: Stefan Metzmacher <metze@samba.org>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> 
> ---
>  fs/io_uring.c |    6 ++++++
>  1 file changed, 6 insertions(+)
> 
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned
>  			wake_up(&ctx->sqo_wait);
>  		submitted = to_submit;
>  	} else if (to_submit) {
> +		if (current->mm != ctx->sqo_mm ||
> +		    current_cred() != ctx->creds) {
> +			ret = -EPERM;
> +			goto out;
> +		}
> +

I thought about this a bit more.

I'm not sure if this is actually to restrictive,
because it means applications like Samba won't
be able to use io-uring at all.

As even if current_cred() and ctx->creds describe the same
set of uid,gids the != won't ever match again and
makes the whole ring unuseable.

I'm not sure about what the best short term solution could be...

1. May just doing the check for path based operations?
  and fail individual requests with EPERM.

2. Or force REQ_F_FORCE_ASYNC for path based operations,
  so that they're always executed from within the workqueue
  with were ctx->creds is active.

3. Or (as proposed earlier) do the override_creds/revert_creds dance
  (and similar for mm) if needed.

To summaries the problem again:

For path based operations like:
- IORING_OP_CONNECT (maybe also - IORING_OP_ACCEPT???)
- IORING_OP_SEND*, IORING_OP_RECV* on DGRAM sockets
- IORING_OP_OPENAT, IORING_OP_STATX, IORING_OP_OPENAT2
it's important under which current_cred they are called.

Are IORING_OP_MADVISE, IORING_OP_FADVISE and IORING_OP_FALLOCATE
are only bound to the credentials of the passed fd they operate on?

The current assumption is that the io_uring_setup() syscall captures
the current_cred() to ctx->cred and all operations on the ring
are executed under the context of ctx->cred.
Therefore all helper threads do the override_creds/revert_creds dance.

But the possible non-blocking line execution of operations in
the io_uring_enter() syscall doesn't do the override_creds/revert_creds
dance and execute the operations under current_cred().

This means it's random depending on filled cached under what
credentials an operation is executed.

In order to prevent security problems the current patch is enough,
but as outlined above it will make io-uring complete unuseable
for applications using any syscall that changes current_cred().

Change 1. would be a little bit better, but still not really useful.

I'd actually prefer solution 3. as it's still possible to make
use of non-blocking operations, while the security is the
same as solution 2.

metze


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 033/222] io_uring: only allow submit from owning task
  2020-01-24 10:38   ` Stefan Metzmacher
@ 2020-01-24 10:41     ` Stefan Metzmacher
  2020-01-24 16:58     ` Jens Axboe
  2020-01-26  5:54     ` Andres Freund
  2 siblings, 0 replies; 238+ messages in thread
From: Stefan Metzmacher @ 2020-01-24 10:41 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Jens Axboe, io-uring


[-- Attachment #1.1: Type: text/plain, Size: 1520 bytes --]

Am 24.01.20 um 11:38 schrieb Stefan Metzmacher:
> Am 22.01.20 um 10:26 schrieb Greg Kroah-Hartman:
>> From: Jens Axboe <axboe@kernel.dk>
>>
>> commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream.
>>
>> If the credentials or the mm doesn't match, don't allow the task to
>> submit anything on behalf of this ring. The task that owns the ring can
>> pass the file descriptor to another task, but we don't want to allow
>> that task to submit an SQE that then assumes the ring mm and creds if
>> it needs to go async.
>>
>> Cc: stable@vger.kernel.org
>> Suggested-by: Stefan Metzmacher <metze@samba.org>
>> Signed-off-by: Jens Axboe <axboe@kernel.dk>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>>
>> ---
>>  fs/io_uring.c |    6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> --- a/fs/io_uring.c
>> +++ b/fs/io_uring.c
>> @@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned
>>  			wake_up(&ctx->sqo_wait);
>>  		submitted = to_submit;
>>  	} else if (to_submit) {
>> +		if (current->mm != ctx->sqo_mm ||
>> +		    current_cred() != ctx->creds) {
>> +			ret = -EPERM;
>> +			goto out;
>> +		}
>> +
> 
> I thought about this a bit more.
> 
> I'm not sure if this is actually to restrictive,
> because it means applications like Samba won't
> be able to use io-uring at all.

Even for simple operations like IORING_OP_READ*, IORING_OP_WRITE*,
IORING_OP_FSYNC and IORING_OP_SYNC_FILE_RANGE, which only operate
on the given fd.

metze


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 033/222] io_uring: only allow submit from owning task
  2020-01-24 10:38   ` Stefan Metzmacher
  2020-01-24 10:41     ` Stefan Metzmacher
@ 2020-01-24 16:58     ` Jens Axboe
  2020-01-24 19:11       ` Stefan Metzmacher
  2020-01-26  5:54     ` Andres Freund
  2 siblings, 1 reply; 238+ messages in thread
From: Jens Axboe @ 2020-01-24 16:58 UTC (permalink / raw)
  To: Stefan Metzmacher, Greg Kroah-Hartman, linux-kernel; +Cc: stable, io-uring

On 1/24/20 3:38 AM, Stefan Metzmacher wrote:
> Am 22.01.20 um 10:26 schrieb Greg Kroah-Hartman:
>> From: Jens Axboe <axboe@kernel.dk>
>>
>> commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream.
>>
>> If the credentials or the mm doesn't match, don't allow the task to
>> submit anything on behalf of this ring. The task that owns the ring can
>> pass the file descriptor to another task, but we don't want to allow
>> that task to submit an SQE that then assumes the ring mm and creds if
>> it needs to go async.
>>
>> Cc: stable@vger.kernel.org
>> Suggested-by: Stefan Metzmacher <metze@samba.org>
>> Signed-off-by: Jens Axboe <axboe@kernel.dk>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>>
>> ---
>>  fs/io_uring.c |    6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> --- a/fs/io_uring.c
>> +++ b/fs/io_uring.c
>> @@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned
>>  			wake_up(&ctx->sqo_wait);
>>  		submitted = to_submit;
>>  	} else if (to_submit) {
>> +		if (current->mm != ctx->sqo_mm ||
>> +		    current_cred() != ctx->creds) {
>> +			ret = -EPERM;
>> +			goto out;
>> +		}
>> +
> 
> I thought about this a bit more.
> 
> I'm not sure if this is actually to restrictive,
> because it means applications like Samba won't
> be able to use io-uring at all.
> 
> As even if current_cred() and ctx->creds describe the same
> set of uid,gids the != won't ever match again and
> makes the whole ring unuseable.
> 
> I'm not sure about what the best short term solution could be...
> 
> 1. May just doing the check for path based operations?
>   and fail individual requests with EPERM.
> 
> 2. Or force REQ_F_FORCE_ASYNC for path based operations,
>   so that they're always executed from within the workqueue
>   with were ctx->creds is active.
> 
> 3. Or (as proposed earlier) do the override_creds/revert_creds dance
>   (and similar for mm) if needed.
> 
> To summaries the problem again:
> 
> For path based operations like:
> - IORING_OP_CONNECT (maybe also - IORING_OP_ACCEPT???)
> - IORING_OP_SEND*, IORING_OP_RECV* on DGRAM sockets
> - IORING_OP_OPENAT, IORING_OP_STATX, IORING_OP_OPENAT2
> it's important under which current_cred they are called.
> 
> Are IORING_OP_MADVISE, IORING_OP_FADVISE and IORING_OP_FALLOCATE
> are only bound to the credentials of the passed fd they operate on?
> 
> The current assumption is that the io_uring_setup() syscall captures
> the current_cred() to ctx->cred and all operations on the ring
> are executed under the context of ctx->cred.
> Therefore all helper threads do the override_creds/revert_creds dance.

But it doesn't - we're expecting them to match, and with this change,
we assert that it's the case or return -EPERM.

> But the possible non-blocking line execution of operations in
> the io_uring_enter() syscall doesn't do the override_creds/revert_creds
> dance and execute the operations under current_cred().
> 
> This means it's random depending on filled cached under what
> credentials an operation is executed.
> 
> In order to prevent security problems the current patch is enough,
> but as outlined above it will make io-uring complete unuseable
> for applications using any syscall that changes current_cred().
> 
> Change 1. would be a little bit better, but still not really useful.
> 
> I'd actually prefer solution 3. as it's still possible to make
> use of non-blocking operations, while the security is the
> same as solution 2.

For your situation, we need to extend it anyway, and provide a way
to swap between personalities. So yeah it won't work as-is for your
use case, but we can work on making that the case.

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 033/222] io_uring: only allow submit from owning task
  2020-01-24 16:58     ` Jens Axboe
@ 2020-01-24 19:11       ` Stefan Metzmacher
  2020-01-24 21:41         ` Jens Axboe
  0 siblings, 1 reply; 238+ messages in thread
From: Stefan Metzmacher @ 2020-01-24 19:11 UTC (permalink / raw)
  To: Jens Axboe, Greg Kroah-Hartman, linux-kernel; +Cc: stable, io-uring


[-- Attachment #1.1: Type: text/plain, Size: 4464 bytes --]

Am 24.01.20 um 17:58 schrieb Jens Axboe:
> On 1/24/20 3:38 AM, Stefan Metzmacher wrote:
>> Am 22.01.20 um 10:26 schrieb Greg Kroah-Hartman:
>>> From: Jens Axboe <axboe@kernel.dk>
>>>
>>> commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream.
>>>
>>> If the credentials or the mm doesn't match, don't allow the task to
>>> submit anything on behalf of this ring. The task that owns the ring can
>>> pass the file descriptor to another task, but we don't want to allow
>>> that task to submit an SQE that then assumes the ring mm and creds if
>>> it needs to go async.
>>>
>>> Cc: stable@vger.kernel.org
>>> Suggested-by: Stefan Metzmacher <metze@samba.org>
>>> Signed-off-by: Jens Axboe <axboe@kernel.dk>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>
>>>
>>> ---
>>>  fs/io_uring.c |    6 ++++++
>>>  1 file changed, 6 insertions(+)
>>>
>>> --- a/fs/io_uring.c
>>> +++ b/fs/io_uring.c
>>> @@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned
>>>  			wake_up(&ctx->sqo_wait);
>>>  		submitted = to_submit;
>>>  	} else if (to_submit) {
>>> +		if (current->mm != ctx->sqo_mm ||
>>> +		    current_cred() != ctx->creds) {
>>> +			ret = -EPERM;
>>> +			goto out;
>>> +		}
>>> +
>>
>> I thought about this a bit more.
>>
>> I'm not sure if this is actually to restrictive,
>> because it means applications like Samba won't
>> be able to use io-uring at all.
>>
>> As even if current_cred() and ctx->creds describe the same
>> set of uid,gids the != won't ever match again and
>> makes the whole ring unuseable.
>>
>> I'm not sure about what the best short term solution could be...
>>
>> 1. May just doing the check for path based operations?
>>   and fail individual requests with EPERM.
>>
>> 2. Or force REQ_F_FORCE_ASYNC for path based operations,
>>   so that they're always executed from within the workqueue
>>   with were ctx->creds is active.
>>
>> 3. Or (as proposed earlier) do the override_creds/revert_creds dance
>>   (and similar for mm) if needed.
>>
>> To summaries the problem again:
>>
>> For path based operations like:
>> - IORING_OP_CONNECT (maybe also - IORING_OP_ACCEPT???)
>> - IORING_OP_SEND*, IORING_OP_RECV* on DGRAM sockets
>> - IORING_OP_OPENAT, IORING_OP_STATX, IORING_OP_OPENAT2
>> it's important under which current_cred they are called.
>>
>> Are IORING_OP_MADVISE, IORING_OP_FADVISE and IORING_OP_FALLOCATE
>> are only bound to the credentials of the passed fd they operate on?
>>
>> The current assumption is that the io_uring_setup() syscall captures
>> the current_cred() to ctx->cred and all operations on the ring
>> are executed under the context of ctx->cred.
>> Therefore all helper threads do the override_creds/revert_creds dance.
> 
> But it doesn't - we're expecting them to match, and with this change,
> we assert that it's the case or return -EPERM.
> 
>> But the possible non-blocking line execution of operations in
>> the io_uring_enter() syscall doesn't do the override_creds/revert_creds
>> dance and execute the operations under current_cred().
>>
>> This means it's random depending on filled cached under what
>> credentials an operation is executed.
>>
>> In order to prevent security problems the current patch is enough,
>> but as outlined above it will make io-uring complete unuseable
>> for applications using any syscall that changes current_cred().
>>
>> Change 1. would be a little bit better, but still not really useful.
>>
>> I'd actually prefer solution 3. as it's still possible to make
>> use of non-blocking operations, while the security is the
>> same as solution 2.
> 
> For your situation, we need to extend it anyway, and provide a way
> to swap between personalities. So yeah it won't work as-is for your
> use case, but we can work on making that the case.

That's only for the OPENAT2 case, which we might want to use in future,
but there's a lot of work required to have async opens in Samba.

But I have a experimental module that, just use READV, WRITEV and FSYNC
with io-uring in order to avoid our userspace helper threads.

And that won't work anymore with the change as Samba change
current_cred() very often switch between (at least) 2 identities
root and the user. That will change the pointer of current_cred() each time.

I mean I could work around the check by using IORING_SETUP_SQPOLL,
but I'd like to avoid that.

metze


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 033/222] io_uring: only allow submit from owning task
  2020-01-24 19:11       ` Stefan Metzmacher
@ 2020-01-24 21:41         ` Jens Axboe
  0 siblings, 0 replies; 238+ messages in thread
From: Jens Axboe @ 2020-01-24 21:41 UTC (permalink / raw)
  To: Stefan Metzmacher, Greg Kroah-Hartman, linux-kernel; +Cc: stable, io-uring

On 1/24/20 12:11 PM, Stefan Metzmacher wrote:
> Am 24.01.20 um 17:58 schrieb Jens Axboe:
>> On 1/24/20 3:38 AM, Stefan Metzmacher wrote:
>>> Am 22.01.20 um 10:26 schrieb Greg Kroah-Hartman:
>>>> From: Jens Axboe <axboe@kernel.dk>
>>>>
>>>> commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream.
>>>>
>>>> If the credentials or the mm doesn't match, don't allow the task to
>>>> submit anything on behalf of this ring. The task that owns the ring can
>>>> pass the file descriptor to another task, but we don't want to allow
>>>> that task to submit an SQE that then assumes the ring mm and creds if
>>>> it needs to go async.
>>>>
>>>> Cc: stable@vger.kernel.org
>>>> Suggested-by: Stefan Metzmacher <metze@samba.org>
>>>> Signed-off-by: Jens Axboe <axboe@kernel.dk>
>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>
>>>>
>>>> ---
>>>>  fs/io_uring.c |    6 ++++++
>>>>  1 file changed, 6 insertions(+)
>>>>
>>>> --- a/fs/io_uring.c
>>>> +++ b/fs/io_uring.c
>>>> @@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned
>>>>  			wake_up(&ctx->sqo_wait);
>>>>  		submitted = to_submit;
>>>>  	} else if (to_submit) {
>>>> +		if (current->mm != ctx->sqo_mm ||
>>>> +		    current_cred() != ctx->creds) {
>>>> +			ret = -EPERM;
>>>> +			goto out;
>>>> +		}
>>>> +
>>>
>>> I thought about this a bit more.
>>>
>>> I'm not sure if this is actually to restrictive,
>>> because it means applications like Samba won't
>>> be able to use io-uring at all.
>>>
>>> As even if current_cred() and ctx->creds describe the same
>>> set of uid,gids the != won't ever match again and
>>> makes the whole ring unuseable.
>>>
>>> I'm not sure about what the best short term solution could be...
>>>
>>> 1. May just doing the check for path based operations?
>>>   and fail individual requests with EPERM.
>>>
>>> 2. Or force REQ_F_FORCE_ASYNC for path based operations,
>>>   so that they're always executed from within the workqueue
>>>   with were ctx->creds is active.
>>>
>>> 3. Or (as proposed earlier) do the override_creds/revert_creds dance
>>>   (and similar for mm) if needed.
>>>
>>> To summaries the problem again:
>>>
>>> For path based operations like:
>>> - IORING_OP_CONNECT (maybe also - IORING_OP_ACCEPT???)
>>> - IORING_OP_SEND*, IORING_OP_RECV* on DGRAM sockets
>>> - IORING_OP_OPENAT, IORING_OP_STATX, IORING_OP_OPENAT2
>>> it's important under which current_cred they are called.
>>>
>>> Are IORING_OP_MADVISE, IORING_OP_FADVISE and IORING_OP_FALLOCATE
>>> are only bound to the credentials of the passed fd they operate on?
>>>
>>> The current assumption is that the io_uring_setup() syscall captures
>>> the current_cred() to ctx->cred and all operations on the ring
>>> are executed under the context of ctx->cred.
>>> Therefore all helper threads do the override_creds/revert_creds dance.
>>
>> But it doesn't - we're expecting them to match, and with this change,
>> we assert that it's the case or return -EPERM.
>>
>>> But the possible non-blocking line execution of operations in
>>> the io_uring_enter() syscall doesn't do the override_creds/revert_creds
>>> dance and execute the operations under current_cred().
>>>
>>> This means it's random depending on filled cached under what
>>> credentials an operation is executed.
>>>
>>> In order to prevent security problems the current patch is enough,
>>> but as outlined above it will make io-uring complete unuseable
>>> for applications using any syscall that changes current_cred().
>>>
>>> Change 1. would be a little bit better, but still not really useful.
>>>
>>> I'd actually prefer solution 3. as it's still possible to make
>>> use of non-blocking operations, while the security is the
>>> same as solution 2.
>>
>> For your situation, we need to extend it anyway, and provide a way
>> to swap between personalities. So yeah it won't work as-is for your
>> use case, but we can work on making that the case.
> 
> That's only for the OPENAT2 case, which we might want to use in future,
> but there's a lot of work required to have async opens in Samba.
> 
> But I have a experimental module that, just use READV, WRITEV and FSYNC
> with io-uring in order to avoid our userspace helper threads.
> 
> And that won't work anymore with the change as Samba change
> current_cred() very often switch between (at least) 2 identities
> root and the user. That will change the pointer of current_cred() each time.
> 
> I mean I could work around the check by using IORING_SETUP_SQPOLL,
> but I'd like to avoid that.

It's easy enough to support the current creds from io_uring_enter(),
where we need a bit of plumbing is if we have to go async for that
particular operation. We currently have that static as well, which is
why the current patch is needed.

What I'm trying to say is that'll we'll need code changes to support
this in any case, even just reverting that change isn't going to make
the problem go away for you.

Hence we just need to decide on what the best way to do this would be!

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 033/222] io_uring: only allow submit from owning task
  2020-01-24 10:38   ` Stefan Metzmacher
  2020-01-24 10:41     ` Stefan Metzmacher
  2020-01-24 16:58     ` Jens Axboe
@ 2020-01-26  5:54     ` Andres Freund
  2020-01-26 16:57       ` Jens Axboe
  2 siblings, 1 reply; 238+ messages in thread
From: Andres Freund @ 2020-01-26  5:54 UTC (permalink / raw)
  To: Jens Axboe, Stefan Metzmacher
  Cc: Greg Kroah-Hartman, linux-kernel, stable, io-uring

Hi,

On 2020-01-24 11:38:02 +0100, Stefan Metzmacher wrote:
> Am 22.01.20 um 10:26 schrieb Greg Kroah-Hartman:
> > From: Jens Axboe <axboe@kernel.dk>
> >
> > commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream.
> >
> > If the credentials or the mm doesn't match, don't allow the task to
> > submit anything on behalf of this ring. The task that owns the ring can
> > pass the file descriptor to another task, but we don't want to allow
> > that task to submit an SQE that then assumes the ring mm and creds if
> > it needs to go async.
> >
> > Cc: stable@vger.kernel.org
> > Suggested-by: Stefan Metzmacher <metze@samba.org>
> > Signed-off-by: Jens Axboe <axboe@kernel.dk>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> >
> > ---
> >  fs/io_uring.c |    6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > --- a/fs/io_uring.c
> > +++ b/fs/io_uring.c
> > @@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned
> >  			wake_up(&ctx->sqo_wait);
> >  		submitted = to_submit;
> >  	} else if (to_submit) {
> > +		if (current->mm != ctx->sqo_mm ||
> > +		    current_cred() != ctx->creds) {
> > +			ret = -EPERM;
> > +			goto out;
> > +		}
> > +
>
> I thought about this a bit more.
>
> I'm not sure if this is actually to restrictive,
> because it means applications like Samba won't
> be able to use io-uring at all.

Yea, I think it is too restrictive. In fact, it broke my WIP branch to
make postgres use io_uring.


Postgres uses a forked process model, with all sub-processes forked off
one parent process ("postmaster"), sharing MAP_ANONYMOUS|MAP_SHARED
memory (buffer pool, locks, and lots of other IPC). My WIP branch so far
has postmaster create a number of io_urings that then the different
processes can use (with locking if necessary).

In plenty of the cases it's fairly important for performance to not
require an additional context switch initiate IO, therefore we cannot
delegate submitting to an io_uring to separate process. But it's not
feasible to have one (or even two) urings for each process either: For
one, that's just about guaranteed to bring us over the default
RLIMIT_MEMLOCK limit, and requiring root only config changes is not an
option for many (nor user friendly).


Not sharing queues makes it basically impossible to rely on io_uring
ordering properties when operation interlock is needed. E.g. to
guarantee that the journal is flushed before some data buffer can be
written back, being able to make use of links and drains is great - but
there's one journal for all processes. To be able to guarantee anything,
all the interlocked writes need to go through one io_uring. I've not yet
implemented this, so I don't have numbers, but I expect pretty
significant savings.


Not being able to share urings also makes it harder to resolve
deadlocks:

As we call into both library and user defined code, we cannot guarantee
that a specific backend process will promptly (or at all, when waiting
for some locks) process cqes. There's also sections where we don't want
to constantly check for ready events, for performance reasons.  But
operations initiated by a process might be blocking other connections:

E.g. process #1 might have initiated transferring a number of blocks
into postgres' buffer pool via io_uring , and now is busy processing the
first block that completed. But now process #2 might need one of the
buffers that had IO queued, but didn't complete in time for #1 to see
the results.  The way I have it set up right now, #2 simply can process
pending cqes in the relevant queue. Which, in this example, would mark
the pg buffer pool entry as valid, allowing #2 to continue.

Now, completions can still be read by all processes, so I could continue
to do the above: But that'd require all potentially needed io_urings to
be set up in postmaster, before the first fork, and all processes to
keep all those FDs open (commonly several hundred). Not an attractive
option either, imo.

Obviously we could solve this by having a sqe result processing thread
running within each process - but that'd be a very significant new
overhead. And it'd require making some non-threadsafe code threadsafe,
which I do not relish tackling as a side-effect of io_uring adoption.


It also turns out to be nice from a performance / context-switch rate
angle to be able to process cqes for submissions by other
processes. Saves an expensive context switch, and often enough it really
doesn't matter which process processes the completion (especially for
readahead). And in other cases it's cheap to just schedule the
subsequent work from the cqe processor, e.g. initiating readahead of a
few more blocks into the pg buffer pool.  Similarly, there are a few
cases where it's useful for several processes to submit IO into a uring
primarily drained by one specific process, to offload the subsequent
action, if that's expensive


Now, I think there's a valid argument to be made that postgres should
just use threads, and not be hampered by any of this. But a) that's not
going to happen all that soon, it's a large change, b) it's far from
free from problems either, especially scalability on larger machines,
and robustness.


> As even if current_cred() and ctx->creds describe the same
> set of uid,gids the != won't ever match again and
> makes the whole ring unuseable.

Indeed.  It also seems weird that a sqpoll now basically has different
semantics, allowing the io_uring to be used by multiple processes - a
task with a different mm can still wake the sqpoll thread up, even.

Since the different processes attached still can still write to the
io_uring mmaped memory, they can still queue sqes, they just can't
initiate the processing. But the next time the creator of the uring
submits, they will still be - and thus it seems that the kernel needs to
handle this safely. So I really don't get what this actually achieves?
Am I missing something here?

Greetings,

Andres Freund

^ permalink raw reply	[flat|nested] 238+ messages in thread

* Re: [PATCH 5.4 033/222] io_uring: only allow submit from owning task
  2020-01-26  5:54     ` Andres Freund
@ 2020-01-26 16:57       ` Jens Axboe
  0 siblings, 0 replies; 238+ messages in thread
From: Jens Axboe @ 2020-01-26 16:57 UTC (permalink / raw)
  To: Andres Freund, Stefan Metzmacher
  Cc: Greg Kroah-Hartman, linux-kernel, stable, io-uring

On 1/25/20 10:54 PM, Andres Freund wrote:
> Hi,
> 
> On 2020-01-24 11:38:02 +0100, Stefan Metzmacher wrote:
>> Am 22.01.20 um 10:26 schrieb Greg Kroah-Hartman:
>>> From: Jens Axboe <axboe@kernel.dk>
>>>
>>> commit 44d282796f81eb1debc1d7cb53245b4cb3214cb5 upstream.
>>>
>>> If the credentials or the mm doesn't match, don't allow the task to
>>> submit anything on behalf of this ring. The task that owns the ring can
>>> pass the file descriptor to another task, but we don't want to allow
>>> that task to submit an SQE that then assumes the ring mm and creds if
>>> it needs to go async.
>>>
>>> Cc: stable@vger.kernel.org
>>> Suggested-by: Stefan Metzmacher <metze@samba.org>
>>> Signed-off-by: Jens Axboe <axboe@kernel.dk>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>
>>>
>>> ---
>>>  fs/io_uring.c |    6 ++++++
>>>  1 file changed, 6 insertions(+)
>>>
>>> --- a/fs/io_uring.c
>>> +++ b/fs/io_uring.c
>>> @@ -3716,6 +3716,12 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned
>>>  			wake_up(&ctx->sqo_wait);
>>>  		submitted = to_submit;
>>>  	} else if (to_submit) {
>>> +		if (current->mm != ctx->sqo_mm ||
>>> +		    current_cred() != ctx->creds) {
>>> +			ret = -EPERM;
>>> +			goto out;
>>> +		}
>>> +
>>
>> I thought about this a bit more.
>>
>> I'm not sure if this is actually to restrictive,
>> because it means applications like Samba won't
>> be able to use io-uring at all.
> 
> Yea, I think it is too restrictive. In fact, it broke my WIP branch to
> make postgres use io_uring.
> 
> 
> Postgres uses a forked process model, with all sub-processes forked off
> one parent process ("postmaster"), sharing MAP_ANONYMOUS|MAP_SHARED
> memory (buffer pool, locks, and lots of other IPC). My WIP branch so far
> has postmaster create a number of io_urings that then the different
> processes can use (with locking if necessary).
> 
> In plenty of the cases it's fairly important for performance to not
> require an additional context switch initiate IO, therefore we cannot
> delegate submitting to an io_uring to separate process. But it's not
> feasible to have one (or even two) urings for each process either: For
> one, that's just about guaranteed to bring us over the default
> RLIMIT_MEMLOCK limit, and requiring root only config changes is not an
> option for many (nor user friendly).
> 
> 
> Not sharing queues makes it basically impossible to rely on io_uring
> ordering properties when operation interlock is needed. E.g. to
> guarantee that the journal is flushed before some data buffer can be
> written back, being able to make use of links and drains is great - but
> there's one journal for all processes. To be able to guarantee anything,
> all the interlocked writes need to go through one io_uring. I've not yet
> implemented this, so I don't have numbers, but I expect pretty
> significant savings.
> 
> 
> Not being able to share urings also makes it harder to resolve
> deadlocks:
> 
> As we call into both library and user defined code, we cannot guarantee
> that a specific backend process will promptly (or at all, when waiting
> for some locks) process cqes. There's also sections where we don't want
> to constantly check for ready events, for performance reasons.  But
> operations initiated by a process might be blocking other connections:
> 
> E.g. process #1 might have initiated transferring a number of blocks
> into postgres' buffer pool via io_uring , and now is busy processing the
> first block that completed. But now process #2 might need one of the
> buffers that had IO queued, but didn't complete in time for #1 to see
> the results.  The way I have it set up right now, #2 simply can process
> pending cqes in the relevant queue. Which, in this example, would mark
> the pg buffer pool entry as valid, allowing #2 to continue.
> 
> Now, completions can still be read by all processes, so I could continue
> to do the above: But that'd require all potentially needed io_urings to
> be set up in postmaster, before the first fork, and all processes to
> keep all those FDs open (commonly several hundred). Not an attractive
> option either, imo.
> 
> Obviously we could solve this by having a sqe result processing thread
> running within each process - but that'd be a very significant new
> overhead. And it'd require making some non-threadsafe code threadsafe,
> which I do not relish tackling as a side-effect of io_uring adoption.
> 
> 
> It also turns out to be nice from a performance / context-switch rate
> angle to be able to process cqes for submissions by other
> processes. Saves an expensive context switch, and often enough it really
> doesn't matter which process processes the completion (especially for
> readahead). And in other cases it's cheap to just schedule the
> subsequent work from the cqe processor, e.g. initiating readahead of a
> few more blocks into the pg buffer pool.  Similarly, there are a few
> cases where it's useful for several processes to submit IO into a uring
> primarily drained by one specific process, to offload the subsequent
> action, if that's expensive
> 
> 
> Now, I think there's a valid argument to be made that postgres should
> just use threads, and not be hampered by any of this. But a) that's not
> going to happen all that soon, it's a large change, b) it's far from
> free from problems either, especially scalability on larger machines,
> and robustness.
> 
> 
>> As even if current_cred() and ctx->creds describe the same
>> set of uid,gids the != won't ever match again and
>> makes the whole ring unuseable.
> 
> Indeed.  It also seems weird that a sqpoll now basically has different
> semantics, allowing the io_uring to be used by multiple processes - a
> task with a different mm can still wake the sqpoll thread up, even.
> 
> Since the different processes attached still can still write to the
> io_uring mmaped memory, they can still queue sqes, they just can't
> initiate the processing. But the next time the creator of the uring
> submits, they will still be - and thus it seems that the kernel needs to
> handle this safely. So I really don't get what this actually achieves?
> Am I missing something here?

Thanks for your detailed reported, I'm going to revert this change for
5.5.

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 238+ messages in thread

end of thread, other threads:[~2020-01-26 16:57 UTC | newest]

Thread overview: 238+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-22  9:26 [PATCH 5.4 000/222] 5.4.14-stable review Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 001/222] ARM: dts: meson8: fix the size of the PMU registers Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 002/222] clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 003/222] soc: amlogic: meson-ee-pwrc: propagate PD provider registration errors Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 004/222] soc: amlogic: meson-ee-pwrc: propagate errors from pm_genpd_init() Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 005/222] dt-bindings: reset: meson8b: fix duplicate reset IDs Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 006/222] ARM: dts: imx6q-dhcom: fix rtc compatible Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 007/222] arm64: dts: ls1028a: fix endian setting for dcfg Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 008/222] arm64: dts: imx8mm: Change SDMA1 ahb clock for imx8mm Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 009/222] bus: ti-sysc: Fix iterating over clocks Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 010/222] clk: Dont try to enable critical clocks if prepare failed Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 011/222] Revert "gpio: thunderx: Switch to GPIOLIB_IRQCHIP" Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 012/222] arm64: dts: imx8mq-librem5-devkit: use correct interrupt for the magnetometer Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 013/222] ASoC: msm8916-wcd-digital: Reset RX interpolation path after use Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 014/222] ASoC: stm32: sai: fix possible circular locking Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 015/222] ASoC: stm32: dfsdm: fix 16 bits record Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 016/222] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 017/222] ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1 Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 018/222] ARM: OMAP2+: Fix ti_sysc_find_one_clockdomain to check for to_clk_hw_omap Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 019/222] ARM: dts: imx7ulp: fix reg of cpu node Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 020/222] ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 021/222] ASoC: Intel: bytcht_es8316: Fix Irbis NB41 netbook quirk Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 022/222] ALSA: dice: fix fallback from protocol extension into limited functionality Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 023/222] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 024/222] ALSA: firewire-tascam: fix corruption due to spin lock without restoration in SoftIRQ context Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 025/222] ALSA: usb-audio: fix sync-ep altsetting sanity check Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 026/222] arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 027/222] arm64: dts: allwinner: a64: olinuxino: Fix eMMC " Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 028/222] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 029/222] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 030/222] clk: sunxi-ng: r40: Allow setting parent rate for external clock outputs Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 031/222] block: fix an integer overflow in logical block size Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 032/222] fuse: fix fuse_send_readpages() in the syncronous read case Greg Kroah-Hartman
2020-01-22  9:26 ` [PATCH 5.4 033/222] io_uring: only allow submit from owning task Greg Kroah-Hartman
2020-01-24 10:38   ` Stefan Metzmacher
2020-01-24 10:41     ` Stefan Metzmacher
2020-01-24 16:58     ` Jens Axboe
2020-01-24 19:11       ` Stefan Metzmacher
2020-01-24 21:41         ` Jens Axboe
2020-01-26  5:54     ` Andres Freund
2020-01-26 16:57       ` Jens Axboe
2020-01-22  9:27 ` [PATCH 5.4 034/222] cpuidle: teo: Fix intervals[] array indexing bug Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 035/222] ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 036/222] ARM: davinci: select CONFIG_RESET_CONTROLLER Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 037/222] perf: Correctly handle failed perf_get_aux_event() Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 038/222] iio: adc: ad7124: Fix DT channel configuration Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 039/222] iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 040/222] iio: light: vcnl4000: Fix scale for vcnl4040 Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 041/222] iio: chemical: pms7003: fix unmet triggered buffer dependency Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 042/222] iio: buffer: align the size of scan bytes to size of the largest element Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 043/222] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 044/222] USB: serial: option: Add support for Quectel RM500Q Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 045/222] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 046/222] USB: serial: option: add support for Quectel RM500Q in QDL mode Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 047/222] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 048/222] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 049/222] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 050/222] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 051/222] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 052/222] USB: serial: quatech2: " Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 053/222] staging: comedi: ni_routes: fix null dereference in ni_find_route_source() Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 054/222] staging: comedi: ni_routes: allow partial routing information Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 055/222] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 056/222] scsi: mptfusion: Fix double fetch bug in ioctl Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 057/222] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 058/222] mtd: rawnand: gpmi: Fix suspend/resume problem Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 059/222] mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 060/222] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 061/222] cpu/SMT: Fix x86 link error without CONFIG_SYSFS Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 062/222] x86/resctrl: Fix an imbalance in domain_remove_cpu() Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 063/222] x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 064/222] locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 065/222] perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 066/222] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 067/222] s390/zcrypt: Fix CCA cipher key gen with clear key value function Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 068/222] scsi: storvsc: Correctly set number of hardware queues for IDE disk Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 069/222] mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 070/222] drm/i915: Add missing include file <linux/math64.h> Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 071/222] x86/resctrl: Fix potential memory leak Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 072/222] efi/earlycon: Fix write-combine mapping on x86 Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 073/222] s390/setup: Fix secure ipl message Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 074/222] clk: samsung: exynos5420: Keep top G3D clocks enabled Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 075/222] perf hists: Fix variable names inconsistency in hists__for_each() macro Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 076/222] locking/lockdep: Fix buffer overrun problem in stack_trace[] Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 077/222] perf report: Fix incorrectly added dimensions as switch perf data file Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 078/222] mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 079/222] mm/huge_memory.c: thp: " Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 080/222] mm: memcg/slab: fix percpu slab vmstats flushing Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 081/222] mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 082/222] mm, debug_pagealloc: dont rely on static keys too early Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 083/222] btrfs: rework arguments of btrfs_unlink_subvol Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 084/222] btrfs: fix invalid removal of root ref Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 085/222] btrfs: do not delete mismatched root refs Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 086/222] btrfs: relocation: fix reloc_root lifespan and access Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 087/222] btrfs: fix memory leak in qgroup accounting Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 088/222] btrfs: check rw_devices, not num_devices for balance Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 089/222] Btrfs: always copy scrub arguments back to user space Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 090/222] mm/memory_hotplug: dont free usage map when removing a re-added early section Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 091/222] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 092/222] mm: khugepaged: add trace status description for SCAN_PAGE_HAS_PRIVATE Greg Kroah-Hartman
2020-01-22  9:27 ` [PATCH 5.4 093/222] ARM: dts: imx6qdl-sabresd: Remove incorrect power supply assignment Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 094/222] ARM: dts: imx6sx-sdb: " Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 095/222] ARM: dts: imx6sl-evk: " Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 096/222] ARM: dts: imx6sll-evk: " Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 097/222] ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 098/222] ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 099/222] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 100/222] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 101/222] reset: Fix {of,devm}_reset_control_array_get kerneldoc return types Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 102/222] tipc: fix potential hanging after b/rcast changing Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 103/222] tipc: fix retrans failure due to wrong destination Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 104/222] net: fix kernel-doc warning in <linux/netdevice.h> Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 105/222] block: Fix the type of sts in bsg_queue_rq() Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 106/222] drm/amd/display: Reorder detect_edp_sink_caps before link settings read Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 107/222] bpf: Fix incorrect verifier simulation of ARSH under ALU32 Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 108/222] bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 109/222] bpf: Sockmap, ensure sock lock held during tear down Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 110/222] bpf: Sockmap/tls, push write_space updates through ulp updates Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 111/222] bpf: Sockmap, skmsg helper overestimates push, pull, and pop bounds Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 112/222] bpf: Sockmap/tls, msg_push_data may leave end mark in place Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 113/222] bpf: Sockmap/tls, tls_sw can create a plaintext buf > encrypt buf Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 114/222] bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 115/222] bpf: Sockmap/tls, fix pop data with SK_DROP return code Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 116/222] i2c: tegra: Fix suspending in active runtime PM state Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 117/222] i2c: tegra: Properly disable runtime PM on drivers probe error Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 118/222] cfg80211: fix deadlocks in autodisconnect work Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 119/222] cfg80211: fix memory leak in nl80211_probe_mesh_link Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 120/222] cfg80211: fix memory leak in cfg80211_cqm_rssi_update Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 121/222] cfg80211: fix page refcount issue in A-MSDU decap Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 122/222] bpf/sockmap: Read psock ingress_msg before sk_receive_queue Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 123/222] i2c: iop3xx: Fix memory leak in probe error path Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 124/222] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 125/222] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 126/222] netfilter: nat: fix ICMP header corruption on ICMP errors Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 127/222] netfilter: nft_tunnel: fix null-attribute check Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 128/222] netfilter: nft_tunnel: ERSPAN_VERSION must not be null Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 129/222] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 130/222] netfilter: nf_tables: store transaction list locally while requesting module Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 131/222] netfilter: nf_tables: fix flowtable list del corruption Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 132/222] NFC: pn533: fix bulk-message timeout Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 133/222] net: bpf: Dont leak time wait and request sockets Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 134/222] bpftool: Fix printing incorrect pointer in btf_dump_ptr Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 135/222] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 136/222] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 137/222] hv_netvsc: Fix memory leak when removing rndis device Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 138/222] net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key() Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 139/222] net: dsa: tag_qca: fix doubled Tx statistics Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 140/222] net: hns3: pad the short frame before sending to the hardware Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 141/222] net: hns: fix soft lockup when there is not enough memory Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 142/222] net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 143/222] net/sched: act_ife: initalize ife->metalist earlier Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 144/222] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 145/222] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 146/222] ptp: free ptp device pin descriptors properly Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 147/222] r8152: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 148/222] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 149/222] bnxt_en: Fix NTUPLE firmware command failures Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 150/222] bnxt_en: Fix ipv6 RFS filter matching logic Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 151/222] bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 152/222] net: ethernet: ave: Avoid lockdep warning Greg Kroah-Hartman
2020-01-22  9:28 ` [PATCH 5.4 153/222] net: systemport: Fixed queue mapping in internal ring map Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 154/222] net: dsa: sja1105: Dont error out on disabled ports with no phy-mode Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 155/222] net: dsa: tag_gswip: fix typo in tagger name Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 156/222] net: sched: act_ctinfo: fix memory leak Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 157/222] net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 158/222] i40e: prevent memory leak in i40e_setup_macvlans Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 159/222] drm/amdgpu: allow direct upload save restore list for raven2 Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 160/222] sh_eth: check sh_eth_cpu_data::dual_port when dumping registers Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 161/222] mlxsw: spectrum: Do not modify cloned SKBs during xmit Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 162/222] mlxsw: spectrum: Wipe xstats.backlog of down ports Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 163/222] mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 164/222] net: stmmac: selftests: Make it work in Synopsys AXS101 boards Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 165/222] net: stmmac: selftests: Mark as fail when received VLAN ID != expected Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 166/222] selftests: mlxsw: qos_mc_aware: Fix mausezahn invocation Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 167/222] net: stmmac: selftests: Update status when disabling RSS Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 168/222] net: stmmac: tc: Do not setup flower filtering if RSS is enabled Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 169/222] devlink: Wait longer before warning about unset port type Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 170/222] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 171/222] dt-bindings: Add missing properties keyword enclosing snps,tso Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 172/222] tcp: refine rule to allow EPOLLOUT generation under mem pressure Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 173/222] irqchip: Place CONFIG_SIFIVE_PLIC into the menu Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 174/222] arm64: dts: qcom: msm8998: Disable coresight by default Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 175/222] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 176/222] arm64: dts: meson: axg: fix audio fifo reg size Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 177/222] arm64: dts: meson: g12: " Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 178/222] arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 179/222] arm64: dts: renesas: r8a77970: Fix PWM3 Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 180/222] arm64: dts: marvell: Add AP806-dual missing CPU clocks Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 181/222] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 182/222] tick/sched: Annotate lockless access to last_jiffies_update Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 183/222] arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 184/222] arm64: dts: renesas: r8a774a1: Remove audio port node Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 185/222] arm64: dts: imx8mm-evk: Assigned clocks for audio plls Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 186/222] arm64: dts: qcom: sdm845-cheza: delete zap-shader Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 187/222] ARM: dts: imx6ul-kontron-n6310-s: Disable the snvs-poweroff driver Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 188/222] arm64: dts: allwinner: a64: Re-add PMU node Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 189/222] ARM: dts: dra7: fix cpsw mdio fck clock Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 190/222] arm64: dts: juno: Fix UART frequency Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 191/222] ARM: dts: Fix sgx sysconfig register for omap4 Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 192/222] Revert "arm64: dts: juno: add dma-ranges property" Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 193/222] mtd: devices: fix mchp23k256 read and write Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 194/222] mtd: cfi_cmdset_0002: only check errors when ready in cfi_check_err_status() Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 195/222] mtd: cfi_cmdset_0002: fix delayed error detection on HyperFlash Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 196/222] um: Dont trace irqflags during shutdown Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 197/222] um: virtio_uml: Disallow modular build Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 198/222] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 199/222] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 200/222] scsi: hisi_sas: Dont create debugfs dump folder twice Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 201/222] scsi: hisi_sas: Set the BIST init value before enabling BIST Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 202/222] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 203/222] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 204/222] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 205/222] scsi: lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 206/222] scsi: hisi_sas: Return directly if init hardware failed Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 207/222] scsi: scsi_transport_sas: Fix memory leak when removing devices Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 208/222] scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 209/222] scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 210/222] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 211/222] scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 212/222] scsi: lpfc: Fix hdwq sgl locks and irq handling Greg Kroah-Hartman
2020-01-22  9:29 ` [PATCH 5.4 213/222] scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq() Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 214/222] rtw88: fix potential read outside array boundary Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 215/222] perf probe: Fix wrong address verification Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 216/222] perf script: Allow --time with --reltime Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 217/222] clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle() Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 218/222] clk: imx7ulp: Correct system clock source option #7 Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 219/222] clk: imx7ulp: Correct DDR clock mux options Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 220/222] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 221/222] hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call Greg Kroah-Hartman
2020-01-22  9:30 ` [PATCH 5.4 222/222] hwmon: (pmbus/ibm-cffps) Fix LED blink behavior Greg Kroah-Hartman
2020-01-22 14:58 ` [PATCH 5.4 000/222] 5.4.14-stable review Jon Hunter
2020-01-22 15:02   ` Greg Kroah-Hartman
2020-01-22 18:09 ` Naresh Kamboju
2020-01-23  6:44   ` Greg Kroah-Hartman
2020-01-22 19:00 ` Guenter Roeck
2020-01-23  6:44   ` Greg Kroah-Hartman
2020-01-22 20:51 ` shuah
2020-01-23  6:44   ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).