linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 3.16 00/99] 3.16.84-rc1 review
@ 2020-05-20 14:13 Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 01/99] fs/namespace.c: fix mountpoint reference counter race Ben Hutchings
                   ` (99 more replies)
  0 siblings, 100 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm, Denis Kirjanov

This is the start of the stable review cycle for the 3.16.84 release.
There are 99 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri May 22 20:00:00 UTC 2020.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

Al Viro (1):
      propagate_one(): mnt_set_mountpoint() needs mount_lock
         [b0d3869ce9eeacbb1bbd541909beeef4126426d5]

Alexandre Belloni (2):
      ARM: dts: at91: sama5d3: define clock rate range for tcb1
         [a7e0f3fc01df4b1b7077df777c37feae8c9e8b6d]
      ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
         [ee0aa926ddb0bd8ba59e33e3803b3b5804e3f5da]

Ard Biesheuvel (1):
      efi/x86: Map the entire EFI vendor string before copying it
         [ffc2760bcf2dba0dbef74013ed73eea8310cc52c]

Arnd Bergmann (2):
      sparc32: fix struct ipc64_perm type definition
         [34ca70ef7d3a9fa7e89151597db5e37ae1d429b4]
      x86: kvm: avoid unused variable warning
         [7288bde1f9df6c1475675419bdd7725ce84dec56]

Bin Liu (1):
      usb: dwc3: turn off VBUS when leaving host mode
         [09ed259fac621634d51cd986aa8d65f035662658]

Bryan O'Donoghue (2):
      usb: gadget: f_ecm: Use atomic_t to track in-flight request
         [d710562e01c48d59be3f60d58b7a85958b39aeda]
      usb: gadget: f_ncm: Use atomic_t to track in-flight request
         [5b24c28cfe136597dc3913e1c00b119307a20c7e]

Chen Yucong (1):
      kvm: x86: use macros to compute bank MSRs
         [81760dccf8d1fe5b128b58736fe3f56a566133cb]

Christoffer Dall (1):
      KVM: arm64: Only sign-extend MMIO up to register width
         [b6ae256afd32f96bec0117175b329d0dd617655e]

Christophe JAILLET (1):
      pxa168fb: Fix the function used to release some memory in an error handling path
         [3c911fe799d1c338d94b78e7182ad452c37af897]

Chuhong Yuan (1):
      crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill
         [7f8c36fe9be46862c4f3c5302f769378028a34fa]

Colin Ian King (2):
      iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
         [c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18]
      staging: wlan-ng: ensure error return is actually returned
         [4cc41cbce536876678b35e03c4a8a7bb72c78fa9]

Dan Carpenter (3):
      brcmfmac: Fix use after free in brcmf_sdio_readframes()
         [216b44000ada87a63891a8214c347e05a4aea8fe]
      mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
         [c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1]
      power: supply: sbs-battery: Fix a signedness bug in sbs_get_battery_capacity()
         [eb368de6de32925c65a97c1e929a31cae2155aee]

Daniel Jordan (3):
      padata: always acquire cpu_hotplug_lock before pinst->lock
         [38228e8848cd7dd86ccb90406af32de0cad24be3]
      padata: initialize pd->cpu with effective cpumask
         [ec9c7d19336ee98ecba8de80128aa405c45feebb]
      padata: purge get_cpu and reorder_via_wq from padata_do_serial
         [065cf577135a4977931c7a1e1edf442bfd9773dd]

Daniel Kiper (1):
      efi: Use early_mem*() instead of early_io*()
         [abc93f8eb6e46a480485f19256bdbda36ec78a84]

Eric Dumazet (4):
      bonding/alb: properly access headers in bond_alb_xmit()
         [38f88c45404293bbc027b956def6c10cbd45c616]
      cls_rsvp: fix rsvp_policy
         [cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51]
      net_sched: ematch: reject invalid TCF_EM_SIMPLE
         [55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8]
      tcp: clear tp->total_retrans in tcp_disconnect()
         [c13c48c00a6bc1febc73902505bdec0967bd7095]

Fabian Frederick (1):
      nfs: use kmap/kunmap directly
         [0795bf8357c1887e2a95e6e4f5b89d0896a0d929]

Filipe Manana (1):
      Btrfs: fix race between adding and putting tree mod seq elements and nodes
         [7227ff4de55d931bbdc156c8ef0ce4f100c78a5b]

Geert Uytterhoeven (1):
      nfs: NFS_SWAP should depend on SWAP
         [474c4f306eefbb21b67ebd1de802d005c7d7ecdc]

Guenter Roeck (1):
      brcmfmac: abort and release host after error
         [863844ee3bd38219c88e82966d1df36a77716f3e]

Herbert Xu (7):
      crypto: af_alg - Use bh_lock_sock in sk_destruct
         [37f96694cf73ba116993a9d2d99ad6a75fa7fdb0]
      crypto: api - Check spawn->alg under lock in crypto_drop_spawn
         [7db3b61b6bba4310f454588c2ca6faf2958ad79f]
      crypto: api - Fix race condition in crypto_spawn_alg
         [73669cc556462f4e50376538d77ee312142e8a8a]
      crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
         [e8d998264bffade3cfe0536559f712ab9058d654]
      crypto: pcrypt - Fix user-after-free on module unload
         [07bfd9bdf568a38d9440c607b72342036011f727]
      padata: Remove broken queue flushing
         [07928d9bfc81640bab36f5190e8725894d93b659]
      padata: Replace delayed timer with immediate workqueue in padata_reorder
         [6fc4dbcf0276279d488c5fbbfabe94734134f4fa]

Jan Kara (2):
      reiserfs: Fix memory leak of journal device string
         [5474ca7da6f34fa95e82edc747d5faa19cbdfb5c]
      reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
         [4d5c1adaf893b8aa52525d2b81995e949bcb3239]

Jason A. Donenfeld (2):
      padata: avoid race in reordering
         [de5540d088fe97ad583cc7d396586437b32149a5]
      padata: get_next is never NULL
         [69b348449bda0f9588737539cfe135774c9939a7]

Joe Thornber (1):
      dm space map common: fix to ensure new block isn't already in use
         [4feaef830de7ffdd8352e1fe14ad3bf13c9688f8]

Johan Hovold (10):
      USB: serial: ir-usb: add missing endpoint sanity check
         [2988a8ae7476fe9535ab620320790d1714bdad1d]
      USB: serial: ir-usb: fix IrLAP framing
         [38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a]
      USB: serial: ir-usb: fix link-speed handling
         [17a0184ca17e288decdca8b2841531e34d49285f]
      ath9k: fix storage endpoint lookup
         [0ef332951e856efa89507cdd13ba8f4fb8d4db12]
      brcmfmac: fix interface sanity check
         [3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3]
      media: iguanair: fix endpoint sanity check
         [1b257870a78b0a9ce98fdfb052c58542022ffb5b]
      orinoco_usb: fix interface sanity check
         [b73e05aa543cf8db4f4927e36952360d71291d41]
      rsi: fix use-after-free on failed probe and unbind
         [e93cd35101b61e4c79149be2cfc927c4b28dc60c]
      rsi_91x_usb: fix interface sanity check
         [3139b180906af43bc09bd3373fc2338a8271d9d9]
      zd1211rw: fix storage endpoint lookup
         [2d68bb2687abb747558b933e80845ff31570a49c]

John Hubbard (1):
      media/v4l2-core: set pages dirty upon releasing DMA buffers
         [3c7470b6f68434acae459482ab920d1e3fabd1c7]

Kai Li (1):
      jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
         [a09decff5c32060639a685581c380f51b14e1fc2]

Konstantin Khlebnikov (1):
      clocksource: Prevent double add_timer_on() for watchdog_timer
         [febac332a819f0e764aa4da62757ba21d18c182b]

Linus Walleij (1):
      mmc: spi: Toggle SPI polarity, do not hardcode it
         [af3ed119329cf9690598c5a562d95dfd128e91d6]

Logan Gunthorpe (1):
      PCI: Don't disable bridge BARs when assigning bus resources
         [9db8dc6d0785225c42a37be7b44d1b07b31b8957]

Luis Henriques (1):
      tracing: Fix tracing_stat return values in error handling paths
         [afccc00f75bbbee4e4ae833a96c2d29a7259c693]

Marios Pomonis (7):
      KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
         [ea740059ecb37807ba47b84b33d1447435a8d868]
      KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
         [6ec4c5eee1750d5d17951c4e1960d953376a0dda]
      KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
         [8c86405f606ca8508b8d9280680166ca26723695]
      KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
         [670564559ca35b439c8d8861fc399451ddf95137]
      KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
         [4bf79cb089f6b1c6c632492c0271054ce52ad766]
      KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
         [3c9053a2cae7ba2ba73766a34cea41baa70f57f7]
      KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
         [14e32321f3606e4b0970200b6e5e47ee6f1e6410]

Masahiro Yamada (1):
      kconfig: fix broken dependency in randconfig-generated .config
         [c8fb7d7e48d11520ad24808cfce7afb7b9c9f798]

Mathias Krause (2):
      padata: ensure padata_do_serial() runs on the correct CPU
         [350ef88e7e922354f82a931897ad4a4ce6c686ff]
      padata: ensure the reorder timer callback runs on the correct CPU
         [cf5868c8a22dc2854b96e9569064bb92365549ca]

Miaohe Lin (1):
      KVM: nVMX: vmread should not set rflags to specify success in case of #PF
         [a4d956b9390418623ae5d07933e2679c68b6f83c]

Michael Ellerman (1):
      of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc
         [dabf6b36b83a18d57e3d4b9d50544ed040d86255]

Navid Emamdoost (1):
      brcmfmac: Fix memory leak in brcmf_usbdev_qinit
         [4282dc057d750c6a7dd92953564b15c26b54c22c]

Oliver Neukum (1):
      media: iguanair: add sanity checks
         [ab1cbdf159beba7395a13ab70bc71180929ca064]

Paul Kocialkowski (1):
      rtc: hym8563: Return -EINVAL if the time is known to be invalid
         [f236a2a2ebabad0848ad0995af7ad1dc7029e895]

Pawan Gupta (1):
      x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
         [5efc6fa9044c3356d6046c6e1da6d02572dbed6b]

Piotr Krysiuk (1):
      fs/namespace.c: fix mountpoint reference counter race
         [2763d11912317a12318135ca03e592bb6df65624]

Quinn Tran (1):
      scsi: qla2xxx: Fix mtcp dump collection failure
         [641e0efddcbde52461e017136acd3ce7f2ef0c14]

Roberto Bergantinos Corpas (1):
      sunrpc: expiry_time should be seconds not timeval
         [3d96208c30f84d6edf9ab4fac813306ac0d20c10]

Ronnie Sahlberg (1):
      cifs: fail i/o on soft mounts if sessionsetup errors out
         [b0dd940e582b6a60296b9847a54012a4b080dc72]

Sean Christopherson (6):
      KVM: Check for a bad hva before dropping into the ghc slow path
         [fcfbc617547fc6d9552cb6c1c563b6a90ee98085]
      KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
         [1a978d9d3e72ddfa40ac60d26301b154247ee0bc]
      KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
         [cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4]
      KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM
         [e30a7d623dccdb3f880fbcad980b0cb589a1da45]
      KVM: x86: Don't let userspace set host-reserved cr4 bits
         [b11306b53b2540c6ba068c4deddb6a17d9f8d95b]
      KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
         [16be9ddea268ad841457a59109963fff8c9de38d]

Stephen Warren (2):
      ARM: tegra: Enable PLLP bypass during Tegra124 LP1
         [1a3388d506bf5b45bb283e6a4c4706cfb4897333]
      clk: tegra: Mark fuse clock as critical
         [bf83b96f87ae2abb1e535306ea53608e8de5dfbb]

Steven Rostedt (1):
      tracing: Fix very unlikely race of registering two stat tracers
         [dfb6cd1e654315168e36d947471bd2a0ccd834ae]

Takashi Iwai (2):
      ALSA: dummy: Fix PCM format loop in proc output
         [2acf25f13ebe8beb40e97a1bbe76f36277c64f1e]
      ALSA: sh: Fix compile warning wrt const
         [f1dd4795b1523fbca7ab4344dd5a8bb439cc770d]

Tobias Klauser (1):
      padata: Remove unused but set variables
         [119a0798dc42ed4c4f96d39b8b676efcea73aec6]

Trond Myklebust (2):
      NFS: Directory page cache pages need to be locked when read
         [114de38225d9b300f027e2aec9afbb6e0def154b]
      NFS: Fix memory leaks and corruption in readdir
         [4b310319c6a8ce708f1033d57145e2aa027a883c]

Vincent Whitchurch (1):
      CIFS: Fix task struct use-after-free on reconnect
         [f1f27ad74557e39f67a8331a808b860f89254f2d]

Vladimir Oltean (1):
      gianfar: Fix TX timestamping with a stacked DSA driver
         [c26a2c2ddc0115eb088873f5c309cf46b982f522]

Will Deacon (1):
      media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
         [68035c80e129c4cfec659aac4180354530b26527]

Wuxu.Wu (1):
      spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
         [19b61392c5a852b4e8a0bf35aecb969983c5932d]

Zhangyi (2):
      ext4, jbd2: ensure panic when aborting with zero errno
         [51f57b01e4a3c7d7bdceffd84de35144e8c538e7]
      jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
         [d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9]

Zhihao Cheng (1):
      ubifs: Fix deadlock in concurrent bulk-read and writepage
         [f5de5b83303e61b1f3fb09bd77ce3ac2d7a475f2]

 Makefile                                           |   4 +-
 arch/arm/boot/dts/sama5d3.dtsi                     |  26 ++--
 arch/arm/boot/dts/sama5d3_can.dtsi                 |   4 +-
 arch/arm/boot/dts/sama5d3_tcb1.dtsi                |   1 +
 arch/arm/boot/dts/sama5d3_uart.dtsi                |   4 +-
 arch/arm/include/asm/kvm_emulate.h                 |   5 +
 arch/arm/include/asm/kvm_mmio.h                    |   2 +
 arch/arm/kvm/mmio.c                                |   6 +
 arch/arm/mach-tegra/sleep-tegra30.S                |  11 ++
 arch/arm64/include/asm/kvm_emulate.h               |   5 +
 arch/arm64/include/asm/kvm_mmio.h                  |   6 +-
 arch/powerpc/Kconfig                               |   1 +
 arch/powerpc/kvm/book3s_hv.c                       |   4 +-
 arch/powerpc/kvm/book3s_pr.c                       |   4 +-
 arch/sparc/include/uapi/asm/ipcbuf.h               |  22 ++--
 arch/x86/kernel/cpu/tsx.c                          |  13 +-
 arch/x86/kvm/emulate.c                             |  12 +-
 arch/x86/kvm/i8259.c                               |   4 +-
 arch/x86/kvm/lapic.c                               |  14 ++-
 arch/x86/kvm/vmx.c                                 |   4 +-
 arch/x86/kvm/x86.c                                 |  57 +++++++--
 arch/x86/platform/efi/efi.c                        |  37 +++---
 crypto/af_alg.c                                    |   6 +-
 crypto/algapi.c                                    |  22 ++--
 crypto/api.c                                       |   3 +-
 crypto/internal.h                                  |   1 -
 crypto/pcrypt.c                                    |   4 +-
 drivers/clk/tegra/clk-tegra-periph.c               |   6 +-
 drivers/crypto/picoxcell_crypto.c                  |  15 ++-
 drivers/firmware/efi/efi.c                         |   4 +-
 drivers/md/persistent-data/dm-space-map-common.c   |  27 ++++
 drivers/md/persistent-data/dm-space-map-common.h   |   2 +
 drivers/md/persistent-data/dm-space-map-disk.c     |   6 +-
 drivers/md/persistent-data/dm-space-map-metadata.c |   5 +-
 drivers/media/rc/iguanair.c                        |  15 ++-
 drivers/media/usb/uvc/uvc_driver.c                 |  12 ++
 drivers/media/v4l2-core/videobuf-dma-sg.c          |   5 +-
 drivers/mmc/host/mmc_spi.c                         |  11 +-
 drivers/net/bonding/bond_alb.c                     |  44 +++++--
 drivers/net/ethernet/freescale/gianfar.c           |  10 +-
 drivers/net/wireless/ath/ath9k/hif_usb.c           |   2 +-
 drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c |   3 +
 drivers/net/wireless/brcm80211/brcmfmac/usb.c      |   3 +-
 drivers/net/wireless/iwlegacy/common.c             |   2 +-
 drivers/net/wireless/orinoco/orinoco_usb.c         |   4 +-
 drivers/net/wireless/rsi/rsi_91x_usb.c             |  12 +-
 drivers/net/wireless/zd1211rw/zd_usb.c             |   2 +-
 drivers/of/Kconfig                                 |   4 +
 drivers/of/address.c                               |   6 +-
 drivers/pci/setup-bus.c                            |  20 ++-
 drivers/power/sbs-battery.c                        |   2 +-
 drivers/rtc/rtc-hym8563.c                          |   2 +-
 drivers/scsi/qla2xxx/qla_mbx.c                     |   3 +-
 drivers/spi/spi-dw.c                               |  14 ++-
 drivers/spi/spi-dw.h                               |   1 +
 drivers/staging/wlan-ng/prism2mgmt.c               |   2 +-
 drivers/usb/dwc3/core.c                            |   3 +
 drivers/usb/gadget/f_ecm.c                         |  16 ++-
 drivers/usb/gadget/f_ncm.c                         |  17 ++-
 drivers/usb/serial/ir-usb.c                        | 136 ++++++++++++++++-----
 drivers/video/fbdev/pxa168fb.c                     |   6 +-
 fs/btrfs/ctree.c                                   |   8 +-
 fs/btrfs/ctree.h                                   |   6 +-
 fs/btrfs/delayed-ref.c                             |   8 +-
 fs/btrfs/disk-io.c                                 |   1 -
 fs/btrfs/tests/btrfs-tests.c                       |   1 -
 fs/cifs/cifsglob.h                                 |   1 +
 fs/cifs/smb2pdu.c                                  |  10 +-
 fs/cifs/smb2transport.c                            |   2 +
 fs/cifs/transport.c                                |   4 +
 fs/jbd2/checkpoint.c                               |   2 +-
 fs/jbd2/commit.c                                   |   4 +-
 fs/jbd2/journal.c                                  |  21 ++--
 fs/namespace.c                                     |   2 +-
 fs/nfs/Kconfig                                     |   2 +-
 fs/nfs/dir.c                                       | 104 +++++++---------
 fs/pnode.c                                         |   9 +-
 fs/reiserfs/super.c                                |   4 +-
 fs/ubifs/file.c                                    |   5 +-
 include/linux/padata.h                             |  13 +-
 include/linux/usb/irda.h                           |  13 +-
 kernel/padata.c                                    | 134 +++++++-------------
 kernel/time/clocksource.c                          |  11 +-
 kernel/trace/trace_stat.c                          |  31 ++---
 mm/mempolicy.c                                     |   6 +-
 net/ipv4/tcp.c                                     |   1 +
 net/sched/cls_rsvp.h                               |   6 +-
 net/sched/ematch.c                                 |   3 +
 net/sunrpc/auth_gss/svcauth_gss.c                  |   4 +
 scripts/kconfig/confdata.c                         |   2 +-
 sound/drivers/dummy.c                              |   2 +-
 sound/sh/aica.c                                    |   4 +-
 virt/kvm/ioapic.c                                  |  15 ++-
 virt/kvm/kvm_main.c                                |  12 +-
 94 files changed, 711 insertions(+), 444 deletions(-)

-- 
Ben Hutchings
All the simple programs have been written, and all the good names taken


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 01/99] fs/namespace.c: fix mountpoint reference counter race
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 02/99] propagate_one(): mnt_set_mountpoint() needs mount_lock Ben Hutchings
                   ` (98 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Piotr Krysiuk, Al Viro, Greg Kroah-Hartman

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Piotr Krysiuk <piotras@gmail.com>

A race condition between threads updating mountpoint reference counter
affects longterm releases 4.4.220, 4.9.220, 4.14.177 and 4.19.118.

The mountpoint reference counter corruption may occur when:
* one thread increments m_count member of struct mountpoint
  [under namespace_sem, but not holding mount_lock]
    pivot_root()
* another thread simultaneously decrements the same m_count
  [under mount_lock, but not holding namespace_sem]
    put_mountpoint()
      unhash_mnt()
        umount_mnt()
          mntput_no_expire()

To fix this race condition, grab mount_lock before updating m_count in
pivot_root().

Reference: CVE-2020-12114
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/namespace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2937,8 +2937,8 @@ SYSCALL_DEFINE2(pivot_root, const char _
 	/* make certain new is below the root */
 	if (!is_path_reachable(new_mnt, new.dentry, &root))
 		goto out4;
-	root_mp->m_count++; /* pin it so it won't go away */
 	lock_mount_hash();
+	root_mp->m_count++; /* pin it so it won't go away */
 	detach_mnt(new_mnt, &parent_path);
 	detach_mnt(root_mnt, &root_parent);
 	if (root_mnt->mnt.mnt_flags & MNT_LOCKED) {


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 02/99] propagate_one(): mnt_set_mountpoint() needs mount_lock
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 01/99] fs/namespace.c: fix mountpoint reference counter race Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 03/99] spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls Ben Hutchings
                   ` (97 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, stable, Piotr Krysiuk, Al Viro

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit b0d3869ce9eeacbb1bbd541909beeef4126426d5 upstream.

... to protect the modification of mp->m_count done by it.  Most of
the places that modify that thing also have namespace_lock held,
but not all of them can do so, so we really need mount_lock here.
Kudos to Piotr Krysiuk <piotras@gmail.com>, who'd spotted a related
bug in pivot_root(2) (fixed unnoticed in 5.3); search for other
similar turds has caught out this one.

Cc: stable@kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/pnode.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -249,14 +249,13 @@ static int propagate_one(struct mount *m
 	child = copy_tree(last_source, last_source->mnt.mnt_root, type);
 	if (IS_ERR(child))
 		return PTR_ERR(child);
+	read_seqlock_excl(&mount_lock);
 	mnt_set_mountpoint(m, mp, child);
+	if (m->mnt_master != dest_master)
+		SET_MNT_MARK(m->mnt_master);
+	read_sequnlock_excl(&mount_lock);
 	last_dest = m;
 	last_source = child;
-	if (m->mnt_master != dest_master) {
-		read_seqlock_excl(&mount_lock);
-		SET_MNT_MARK(m->mnt_master);
-		read_sequnlock_excl(&mount_lock);
-	}
 	hlist_add_head(&child->mnt_hash, list);
 	return count_mounts(m->mnt_ns, child);
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 03/99] spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 01/99] fs/namespace.c: fix mountpoint reference counter race Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 02/99] propagate_one(): mnt_set_mountpoint() needs mount_lock Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 04/99] padata: Remove unused but set variables Ben Hutchings
                   ` (96 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nobuhiro Iwamatsu (CIP), Mark Brown, wuxu.wu

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "wuxu.wu" <wuxu.wu@huawei.com>

commit 19b61392c5a852b4e8a0bf35aecb969983c5932d upstream.

dw_spi_irq() and dw_spi_transfer_one concurrent calls.

I find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,
dw->len==4, and dw->tx_end==1.

When tpm driver's message overtime dw_spi_irq() and dw_spi_transfer_one
may concurrent visit dw_spi, so I think dw_spi structure lack of protection.

Otherwise dw_spi_transfer_one set dw rx/tx buffer and then open irq,
store dw rx/tx instructions and other cores handle irq load dw rx/tx
instructions may out of order.

	[ 1025.321302] Call trace:
	...
	[ 1025.321319]  __crash_kexec+0x98/0x148
	[ 1025.321323]  panic+0x17c/0x314
	[ 1025.321329]  die+0x29c/0x2e8
	[ 1025.321334]  die_kernel_fault+0x68/0x78
	[ 1025.321337]  __do_kernel_fault+0x90/0xb0
	[ 1025.321346]  do_page_fault+0x88/0x500
	[ 1025.321347]  do_translation_fault+0xa8/0xb8
	[ 1025.321349]  do_mem_abort+0x68/0x118
	[ 1025.321351]  el1_da+0x20/0x8c
	[ 1025.321362]  dw_writer+0xc8/0xd0
	[ 1025.321364]  interrupt_transfer+0x60/0x110
	[ 1025.321365]  dw_spi_irq+0x48/0x70
	...

Signed-off-by: wuxu.wu <wuxu.wu@huawei.com>
Link: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[iwamatsu: Backported to 3.16: adjut context]
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-dw.c | 14 ++++++++++++--
 drivers/spi/spi-dw.h |  1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-dw.c
+++ b/drivers/spi/spi-dw.c
@@ -182,9 +182,11 @@ static inline u32 rx_max(struct dw_spi *
 
 static void dw_writer(struct dw_spi *dws)
 {
-	u32 max = tx_max(dws);
+	u32 max;
 	u16 txw = 0;
 
+	spin_lock(&dws->buf_lock);
+	max = tx_max(dws);
 	while (max--) {
 		/* Set the tx word if the transfer's original "tx" is not null */
 		if (dws->tx_end - dws->len) {
@@ -196,13 +198,16 @@ static void dw_writer(struct dw_spi *dws
 		dw_writew(dws, DW_SPI_DR, txw);
 		dws->tx += dws->n_bytes;
 	}
+	spin_unlock(&dws->buf_lock);
 }
 
 static void dw_reader(struct dw_spi *dws)
 {
-	u32 max = rx_max(dws);
+	u32 max;
 	u16 rxw;
 
+	spin_lock(&dws->buf_lock);
+	max = rx_max(dws);
 	while (max--) {
 		rxw = dw_readw(dws, DW_SPI_DR);
 		/* Care rx only if the transfer's original "rx" is not null */
@@ -214,6 +219,7 @@ static void dw_reader(struct dw_spi *dws
 		}
 		dws->rx += dws->n_bytes;
 	}
+	spin_unlock(&dws->buf_lock);
 }
 
 static void *next_transfer(struct dw_spi *dws)
@@ -368,6 +374,7 @@ static void pump_transfers(unsigned long
 	struct spi_transfer *previous = NULL;
 	struct spi_device *spi = NULL;
 	struct chip_data *chip = NULL;
+	unsigned long flags;
 	u8 bits = 0;
 	u8 imask = 0;
 	u8 cs_change = 0;
@@ -406,6 +413,7 @@ static void pump_transfers(unsigned long
 	dws->dma_width = chip->dma_width;
 	dws->cs_control = chip->cs_control;
 
+	spin_lock_irqsave(&dws->buf_lock, flags);
 	dws->rx_dma = transfer->rx_dma;
 	dws->tx_dma = transfer->tx_dma;
 	dws->tx = (void *)transfer->tx_buf;
@@ -415,6 +423,7 @@ static void pump_transfers(unsigned long
 	dws->len = dws->cur_transfer->len;
 	if (chip != dws->prev_chip)
 		cs_change = 1;
+	spin_unlock_irqrestore(&dws->buf_lock, flags);
 
 	cr0 = chip->cr0;
 
@@ -651,6 +660,7 @@ int dw_spi_add_host(struct device *dev,
 	dws->dma_addr = (dma_addr_t)(dws->paddr + 0x60);
 	snprintf(dws->name, sizeof(dws->name), "dw_spi%d",
 			dws->bus_num);
+	spin_lock_init(&dws->buf_lock);
 
 	ret = request_irq(dws->irq, dw_spi_irq, IRQF_SHARED, dws->name, dws);
 	if (ret < 0) {
--- a/drivers/spi/spi-dw.h
+++ b/drivers/spi/spi-dw.h
@@ -116,6 +116,7 @@ struct dw_spi {
 	size_t			len;
 	void			*tx;
 	void			*tx_end;
+	spinlock_t		buf_lock;
 	void			*rx;
 	void			*rx_end;
 	int			dma_mapped;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 04/99] padata: Remove unused but set variables
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 03/99] spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 05/99] padata: avoid race in reordering Ben Hutchings
                   ` (95 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steffen Klassert, Herbert Xu, Tobias Klauser

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Klauser <tklauser@distanz.ch>

commit 119a0798dc42ed4c4f96d39b8b676efcea73aec6 upstream.

Remove the unused but set variable pinst in padata_parallel_worker to
fix the following warning when building with 'W=1':

  kernel/padata.c: In function ‘padata_parallel_worker’:
  kernel/padata.c:68:26: warning: variable ‘pinst’ set but not used [-Wunused-but-set-variable]

Also remove the now unused variable pd which is only used to set pinst.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/padata.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -63,15 +63,11 @@ static int padata_cpu_hash(struct parall
 static void padata_parallel_worker(struct work_struct *parallel_work)
 {
 	struct padata_parallel_queue *pqueue;
-	struct parallel_data *pd;
-	struct padata_instance *pinst;
 	LIST_HEAD(local_list);
 
 	local_bh_disable();
 	pqueue = container_of(parallel_work,
 			      struct padata_parallel_queue, work);
-	pd = pqueue->pd;
-	pinst = pd->pinst;
 
 	spin_lock(&pqueue->parallel.lock);
 	list_replace_init(&pqueue->parallel.list, &local_list);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 05/99] padata: avoid race in reordering
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 04/99] padata: Remove unused but set variables Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 06/99] padata: get_next is never NULL Ben Hutchings
                   ` (94 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jason A. Donenfeld, Herbert Xu, Steffen Klassert

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

commit de5540d088fe97ad583cc7d396586437b32149a5 upstream.

Under extremely heavy uses of padata, crashes occur, and with list
debugging turned on, this happens instead:

[87487.298728] WARNING: CPU: 1 PID: 882 at lib/list_debug.c:33
__list_add+0xae/0x130
[87487.301868] list_add corruption. prev->next should be next
(ffffb17abfc043d0), but was ffff8dba70872c80. (prev=ffff8dba70872b00).
[87487.339011]  [<ffffffff9a53d075>] dump_stack+0x68/0xa3
[87487.342198]  [<ffffffff99e119a1>] ? console_unlock+0x281/0x6d0
[87487.345364]  [<ffffffff99d6b91f>] __warn+0xff/0x140
[87487.348513]  [<ffffffff99d6b9aa>] warn_slowpath_fmt+0x4a/0x50
[87487.351659]  [<ffffffff9a58b5de>] __list_add+0xae/0x130
[87487.354772]  [<ffffffff9add5094>] ? _raw_spin_lock+0x64/0x70
[87487.357915]  [<ffffffff99eefd66>] padata_reorder+0x1e6/0x420
[87487.361084]  [<ffffffff99ef0055>] padata_do_serial+0xa5/0x120

padata_reorder calls list_add_tail with the list to which its adding
locked, which seems correct:

spin_lock(&squeue->serial.lock);
list_add_tail(&padata->list, &squeue->serial.list);
spin_unlock(&squeue->serial.lock);

This therefore leaves only place where such inconsistency could occur:
if padata->list is added at the same time on two different threads.
This pdata pointer comes from the function call to
padata_get_next(pd), which has in it the following block:

next_queue = per_cpu_ptr(pd->pqueue, cpu);
padata = NULL;
reorder = &next_queue->reorder;
if (!list_empty(&reorder->list)) {
       padata = list_entry(reorder->list.next,
                           struct padata_priv, list);
       spin_lock(&reorder->lock);
       list_del_init(&padata->list);
       atomic_dec(&pd->reorder_objects);
       spin_unlock(&reorder->lock);

       pd->processed++;

       goto out;
}
out:
return padata;

I strongly suspect that the problem here is that two threads can race
on reorder list. Even though the deletion is locked, call to
list_entry is not locked, which means it's feasible that two threads
pick up the same padata object and subsequently call list_add_tail on
them at the same time. The fix is thus be hoist that lock outside of
that block.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/padata.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -185,19 +185,20 @@ static struct padata_priv *padata_get_ne
 
 	reorder = &next_queue->reorder;
 
+	spin_lock(&reorder->lock);
 	if (!list_empty(&reorder->list)) {
 		padata = list_entry(reorder->list.next,
 				    struct padata_priv, list);
 
-		spin_lock(&reorder->lock);
 		list_del_init(&padata->list);
 		atomic_dec(&pd->reorder_objects);
-		spin_unlock(&reorder->lock);
 
 		pd->processed++;
 
+		spin_unlock(&reorder->lock);
 		goto out;
 	}
+	spin_unlock(&reorder->lock);
 
 	if (__this_cpu_read(pd->pqueue->cpu_index) == next_queue->cpu_index) {
 		padata = ERR_PTR(-ENODATA);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 06/99] padata: get_next is never NULL
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 05/99] padata: avoid race in reordering Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 07/99] padata: ensure the reorder timer callback runs on the correct CPU Ben Hutchings
                   ` (93 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jason A. Donenfeld, Herbert Xu,
	Dan Carpenter, Steffen Klassert

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

commit 69b348449bda0f9588737539cfe135774c9939a7 upstream.

Per Dan's static checker warning, the code that returns NULL was removed
in 2010, so this patch updates the comments and fixes the code
assumptions.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/padata.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -153,8 +153,6 @@ EXPORT_SYMBOL(padata_do_parallel);
  * A pointer to the control struct of the next object that needs
  * serialization, if present in one of the percpu reorder queues.
  *
- * NULL, if all percpu reorder queues are empty.
- *
  * -EINPROGRESS, if the next object that needs serialization will
  *  be parallel processed by another cpu and is not yet present in
  *  the cpu's reorder queue.
@@ -181,8 +179,6 @@ static struct padata_priv *padata_get_ne
 	cpu = padata_index_to_cpu(pd, next_index);
 	next_queue = per_cpu_ptr(pd->pqueue, cpu);
 
-	padata = NULL;
-
 	reorder = &next_queue->reorder;
 
 	spin_lock(&reorder->lock);
@@ -234,12 +230,11 @@ static void padata_reorder(struct parall
 		padata = padata_get_next(pd);
 
 		/*
-		 * All reorder queues are empty, or the next object that needs
-		 * serialization is parallel processed by another cpu and is
-		 * still on it's way to the cpu's reorder queue, nothing to
-		 * do for now.
+		 * If the next object that needs serialization is parallel
+		 * processed by another cpu and is still on it's way to the
+		 * cpu's reorder queue, nothing to do for now.
 		 */
-		if (!padata || PTR_ERR(padata) == -EINPROGRESS)
+		if (PTR_ERR(padata) == -EINPROGRESS)
 			break;
 
 		/*


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 07/99] padata: ensure the reorder timer callback runs on the correct CPU
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 06/99] padata: get_next is never NULL Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 08/99] padata: ensure padata_do_serial() " Ben Hutchings
                   ` (92 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu, Mathias Krause

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Krause <minipli@googlemail.com>

commit cf5868c8a22dc2854b96e9569064bb92365549ca upstream.

The reorder timer function runs on the CPU where the timer interrupt was
handled which is not necessarily one of the CPUs of the 'pcpu' CPU mask
set.

Ensure the padata_reorder() callback runs on the correct CPU, which is
one in the 'pcpu' CPU mask set and, preferrably, the next expected one.
Do so by comparing the current CPU with the expected target CPU. If they
match, call padata_reorder() right away. If they differ, schedule a work
item on the target CPU that does the padata_reorder() call for us.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/padata.h |  2 ++
 kernel/padata.c        | 43 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)

--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -85,6 +85,7 @@ struct padata_serial_queue {
  * @swork: work struct for serialization.
  * @pd: Backpointer to the internal control structure.
  * @work: work struct for parallelization.
+ * @reorder_work: work struct for reordering.
  * @num_obj: Number of objects that are processed by this cpu.
  * @cpu_index: Index of the cpu.
  */
@@ -93,6 +94,7 @@ struct padata_parallel_queue {
        struct padata_list    reorder;
        struct parallel_data *pd;
        struct work_struct    work;
+       struct work_struct    reorder_work;
        atomic_t              num_obj;
        int                   cpu_index;
 };
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -279,11 +279,51 @@ static void padata_reorder(struct parall
 	return;
 }
 
+static void invoke_padata_reorder(struct work_struct *work)
+{
+	struct padata_parallel_queue *pqueue;
+	struct parallel_data *pd;
+
+	local_bh_disable();
+	pqueue = container_of(work, struct padata_parallel_queue, reorder_work);
+	pd = pqueue->pd;
+	padata_reorder(pd);
+	local_bh_enable();
+}
+
 static void padata_reorder_timer(unsigned long arg)
 {
 	struct parallel_data *pd = (struct parallel_data *)arg;
+	unsigned int weight;
+	int target_cpu, cpu;
 
-	padata_reorder(pd);
+	cpu = get_cpu();
+
+	/* We don't lock pd here to not interfere with parallel processing
+	 * padata_reorder() calls on other CPUs. We just need any CPU out of
+	 * the cpumask.pcpu set. It would be nice if it's the right one but
+	 * it doesn't matter if we're off to the next one by using an outdated
+	 * pd->processed value.
+	 */
+	weight = cpumask_weight(pd->cpumask.pcpu);
+	target_cpu = padata_index_to_cpu(pd, pd->processed % weight);
+
+	/* ensure to call the reorder callback on the correct CPU */
+	if (cpu != target_cpu) {
+		struct padata_parallel_queue *pqueue;
+		struct padata_instance *pinst;
+
+		/* The timer function is serialized wrt itself -- no locking
+		 * needed.
+		 */
+		pinst = pd->pinst;
+		pqueue = per_cpu_ptr(pd->pqueue, target_cpu);
+		queue_work_on(target_cpu, pinst->wq, &pqueue->reorder_work);
+	} else {
+		padata_reorder(pd);
+	}
+
+	put_cpu();
 }
 
 static void padata_serial_worker(struct work_struct *serial_work)
@@ -404,6 +444,7 @@ static void padata_init_pqueues(struct p
 		__padata_list_init(&pqueue->reorder);
 		__padata_list_init(&pqueue->parallel);
 		INIT_WORK(&pqueue->work, padata_parallel_worker);
+		INIT_WORK(&pqueue->reorder_work, invoke_padata_reorder);
 		atomic_set(&pqueue->num_obj, 0);
 	}
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 08/99] padata: ensure padata_do_serial() runs on the correct CPU
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 07/99] padata: ensure the reorder timer callback runs on the correct CPU Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 09/99] padata: Replace delayed timer with immediate workqueue in padata_reorder Ben Hutchings
                   ` (91 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mathias Krause, Herbert Xu

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Krause <minipli@googlemail.com>

commit 350ef88e7e922354f82a931897ad4a4ce6c686ff upstream.

If the algorithm we're parallelizing is asynchronous we might change
CPUs between padata_do_parallel() and padata_do_serial(). However, we
don't expect this to happen as we need to enqueue the padata object into
the per-cpu reorder queue we took it from, i.e. the same-cpu's parallel
queue.

Ensure we're not switching CPUs for a given padata object by tracking
the CPU within the padata object. If the serial callback gets called on
the wrong CPU, defer invoking padata_reorder() via a kernel worker on
the CPU we're expected to run on.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/padata.h |  2 ++
 kernel/padata.c        | 20 +++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -37,6 +37,7 @@
  * @list: List entry, to attach to the padata lists.
  * @pd: Pointer to the internal control structure.
  * @cb_cpu: Callback cpu for serializatioon.
+ * @cpu: Cpu for parallelization.
  * @seq_nr: Sequence number of the parallelized data object.
  * @info: Used to pass information from the parallel to the serial function.
  * @parallel: Parallel execution function.
@@ -46,6 +47,7 @@ struct padata_priv {
 	struct list_head	list;
 	struct parallel_data	*pd;
 	int			cb_cpu;
+	int			cpu;
 	int			info;
 	void                    (*parallel)(struct padata_priv *padata);
 	void                    (*serial)(struct padata_priv *padata);
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -130,6 +130,7 @@ int padata_do_parallel(struct padata_ins
 	padata->cb_cpu = cb_cpu;
 
 	target_cpu = padata_cpu_hash(pd);
+	padata->cpu = target_cpu;
 	queue = per_cpu_ptr(pd->pqueue, target_cpu);
 
 	spin_lock(&queue->parallel.lock);
@@ -367,10 +368,21 @@ void padata_do_serial(struct padata_priv
 	int cpu;
 	struct padata_parallel_queue *pqueue;
 	struct parallel_data *pd;
+	int reorder_via_wq = 0;
 
 	pd = padata->pd;
 
 	cpu = get_cpu();
+
+	/* We need to run on the same CPU padata_do_parallel(.., padata, ..)
+	 * was called on -- or, at least, enqueue the padata object into the
+	 * correct per-cpu queue.
+	 */
+	if (cpu != padata->cpu) {
+		reorder_via_wq = 1;
+		cpu = padata->cpu;
+	}
+
 	pqueue = per_cpu_ptr(pd->pqueue, cpu);
 
 	spin_lock(&pqueue->reorder.lock);
@@ -387,7 +399,13 @@ void padata_do_serial(struct padata_priv
 
 	put_cpu();
 
-	padata_reorder(pd);
+	/* If we're running on the wrong CPU, call padata_reorder() via a
+	 * kernel worker.
+	 */
+	if (reorder_via_wq)
+		queue_work_on(cpu, pd->pinst->wq, &pqueue->reorder_work);
+	else
+		padata_reorder(pd);
 }
 EXPORT_SYMBOL(padata_do_serial);
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 09/99] padata: Replace delayed timer with immediate workqueue in padata_reorder
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 08/99] padata: ensure padata_do_serial() " Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 10/99] padata: initialize pd->cpu with effective cpumask Ben Hutchings
                   ` (90 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 6fc4dbcf0276279d488c5fbbfabe94734134f4fa upstream.

The function padata_reorder will use a timer when it cannot progress
while completed jobs are outstanding (pd->reorder_objects > 0).  This
is suboptimal as if we do end up using the timer then it would have
introduced a gratuitous delay of one second.

In fact we can easily distinguish between whether completed jobs
are outstanding and whether we can make progress.  All we have to
do is look at the next pqueue list.

This patch does that by replacing pd->processed with pd->cpu so
that the next pqueue is more accessible.

A work queue is used instead of the original try_again to avoid
hogging the CPU.

Note that we don't bother removing the work queue in
padata_flush_queues because the whole premise is broken.  You
cannot flush async crypto requests so it makes no sense to even
try.  A subsequent patch will fix it by replacing it with a ref
counting scheme.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16:
 - Deleted code used the old timer API here
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/padata.h | 13 ++----
 kernel/padata.c        | 97 ++++++++----------------------------------
 2 files changed, 22 insertions(+), 88 deletions(-)

--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -24,7 +24,6 @@
 #include <linux/workqueue.h>
 #include <linux/spinlock.h>
 #include <linux/list.h>
-#include <linux/timer.h>
 #include <linux/notifier.h>
 #include <linux/kobject.h>
 
@@ -85,18 +84,14 @@ struct padata_serial_queue {
  * @serial: List to wait for serialization after reordering.
  * @pwork: work struct for parallelization.
  * @swork: work struct for serialization.
- * @pd: Backpointer to the internal control structure.
  * @work: work struct for parallelization.
- * @reorder_work: work struct for reordering.
  * @num_obj: Number of objects that are processed by this cpu.
  * @cpu_index: Index of the cpu.
  */
 struct padata_parallel_queue {
        struct padata_list    parallel;
        struct padata_list    reorder;
-       struct parallel_data *pd;
        struct work_struct    work;
-       struct work_struct    reorder_work;
        atomic_t              num_obj;
        int                   cpu_index;
 };
@@ -122,10 +117,10 @@ struct padata_cpumask {
  * @reorder_objects: Number of objects waiting in the reorder queues.
  * @refcnt: Number of objects holding a reference on this parallel_data.
  * @max_seq_nr:  Maximal used sequence number.
+ * @cpu: Next CPU to be processed.
  * @cpumask: The cpumasks in use for parallel and serial workers.
+ * @reorder_work: work struct for reordering.
  * @lock: Reorder lock.
- * @processed: Number of already processed objects.
- * @timer: Reorder timer.
  */
 struct parallel_data {
 	struct padata_instance		*pinst;
@@ -134,10 +129,10 @@ struct parallel_data {
 	atomic_t			reorder_objects;
 	atomic_t			refcnt;
 	atomic_t			seq_nr;
+	int				cpu;
 	struct padata_cpumask		cpumask;
+	struct work_struct		reorder_work;
 	spinlock_t                      lock ____cacheline_aligned;
-	unsigned int			processed;
-	struct timer_list		timer;
 };
 
 /**
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -163,23 +163,12 @@ EXPORT_SYMBOL(padata_do_parallel);
  */
 static struct padata_priv *padata_get_next(struct parallel_data *pd)
 {
-	int cpu, num_cpus;
-	unsigned int next_nr, next_index;
 	struct padata_parallel_queue *next_queue;
 	struct padata_priv *padata;
 	struct padata_list *reorder;
+	int cpu = pd->cpu;
 
-	num_cpus = cpumask_weight(pd->cpumask.pcpu);
-
-	/*
-	 * Calculate the percpu reorder queue and the sequence
-	 * number of the next object.
-	 */
-	next_nr = pd->processed;
-	next_index = next_nr % num_cpus;
-	cpu = padata_index_to_cpu(pd, next_index);
 	next_queue = per_cpu_ptr(pd->pqueue, cpu);
-
 	reorder = &next_queue->reorder;
 
 	spin_lock(&reorder->lock);
@@ -190,7 +179,8 @@ static struct padata_priv *padata_get_ne
 		list_del_init(&padata->list);
 		atomic_dec(&pd->reorder_objects);
 
-		pd->processed++;
+		pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1,
+					    false);
 
 		spin_unlock(&reorder->lock);
 		goto out;
@@ -213,6 +203,7 @@ static void padata_reorder(struct parall
 	struct padata_priv *padata;
 	struct padata_serial_queue *squeue;
 	struct padata_instance *pinst = pd->pinst;
+	struct padata_parallel_queue *next_queue;
 
 	/*
 	 * We need to ensure that only one cpu can work on dequeueing of
@@ -244,7 +235,6 @@ static void padata_reorder(struct parall
 		 * so exit immediately.
 		 */
 		if (PTR_ERR(padata) == -ENODATA) {
-			del_timer(&pd->timer);
 			spin_unlock_bh(&pd->lock);
 			return;
 		}
@@ -263,70 +253,29 @@ static void padata_reorder(struct parall
 
 	/*
 	 * The next object that needs serialization might have arrived to
-	 * the reorder queues in the meantime, we will be called again
-	 * from the timer function if no one else cares for it.
+	 * the reorder queues in the meantime.
 	 *
-	 * Ensure reorder_objects is read after pd->lock is dropped so we see
-	 * an increment from another task in padata_do_serial.  Pairs with
+	 * Ensure reorder queue is read after pd->lock is dropped so we see
+	 * new objects from another task in padata_do_serial.  Pairs with
 	 * smp_mb__after_atomic in padata_do_serial.
 	 */
 	smp_mb();
-	if (atomic_read(&pd->reorder_objects)
-			&& !(pinst->flags & PADATA_RESET))
-		mod_timer(&pd->timer, jiffies + HZ);
-	else
-		del_timer(&pd->timer);
 
-	return;
+	next_queue = per_cpu_ptr(pd->pqueue, pd->cpu);
+	if (!list_empty(&next_queue->reorder.list))
+		queue_work(pinst->wq, &pd->reorder_work);
 }
 
 static void invoke_padata_reorder(struct work_struct *work)
 {
-	struct padata_parallel_queue *pqueue;
 	struct parallel_data *pd;
 
 	local_bh_disable();
-	pqueue = container_of(work, struct padata_parallel_queue, reorder_work);
-	pd = pqueue->pd;
+	pd = container_of(work, struct parallel_data, reorder_work);
 	padata_reorder(pd);
 	local_bh_enable();
 }
 
-static void padata_reorder_timer(unsigned long arg)
-{
-	struct parallel_data *pd = (struct parallel_data *)arg;
-	unsigned int weight;
-	int target_cpu, cpu;
-
-	cpu = get_cpu();
-
-	/* We don't lock pd here to not interfere with parallel processing
-	 * padata_reorder() calls on other CPUs. We just need any CPU out of
-	 * the cpumask.pcpu set. It would be nice if it's the right one but
-	 * it doesn't matter if we're off to the next one by using an outdated
-	 * pd->processed value.
-	 */
-	weight = cpumask_weight(pd->cpumask.pcpu);
-	target_cpu = padata_index_to_cpu(pd, pd->processed % weight);
-
-	/* ensure to call the reorder callback on the correct CPU */
-	if (cpu != target_cpu) {
-		struct padata_parallel_queue *pqueue;
-		struct padata_instance *pinst;
-
-		/* The timer function is serialized wrt itself -- no locking
-		 * needed.
-		 */
-		pinst = pd->pinst;
-		pqueue = per_cpu_ptr(pd->pqueue, target_cpu);
-		queue_work_on(target_cpu, pinst->wq, &pqueue->reorder_work);
-	} else {
-		padata_reorder(pd);
-	}
-
-	put_cpu();
-}
-
 static void padata_serial_worker(struct work_struct *serial_work)
 {
 	struct padata_serial_queue *squeue;
@@ -374,9 +323,8 @@ void padata_do_serial(struct padata_priv
 
 	cpu = get_cpu();
 
-	/* We need to run on the same CPU padata_do_parallel(.., padata, ..)
-	 * was called on -- or, at least, enqueue the padata object into the
-	 * correct per-cpu queue.
+	/* We need to enqueue the padata object into the correct
+	 * per-cpu queue.
 	 */
 	if (cpu != padata->cpu) {
 		reorder_via_wq = 1;
@@ -386,12 +334,12 @@ void padata_do_serial(struct padata_priv
 	pqueue = per_cpu_ptr(pd->pqueue, cpu);
 
 	spin_lock(&pqueue->reorder.lock);
-	atomic_inc(&pd->reorder_objects);
 	list_add_tail(&padata->list, &pqueue->reorder.list);
+	atomic_inc(&pd->reorder_objects);
 	spin_unlock(&pqueue->reorder.lock);
 
 	/*
-	 * Ensure the atomic_inc of reorder_objects above is ordered correctly
+	 * Ensure the addition to the reorder list is ordered correctly
 	 * with the trylock of pd->lock in padata_reorder.  Pairs with smp_mb
 	 * in padata_reorder.
 	 */
@@ -399,13 +347,7 @@ void padata_do_serial(struct padata_priv
 
 	put_cpu();
 
-	/* If we're running on the wrong CPU, call padata_reorder() via a
-	 * kernel worker.
-	 */
-	if (reorder_via_wq)
-		queue_work_on(cpu, pd->pinst->wq, &pqueue->reorder_work);
-	else
-		padata_reorder(pd);
+	padata_reorder(pd);
 }
 EXPORT_SYMBOL(padata_do_serial);
 
@@ -455,14 +397,12 @@ static void padata_init_pqueues(struct p
 	cpu_index = 0;
 	for_each_cpu(cpu, pd->cpumask.pcpu) {
 		pqueue = per_cpu_ptr(pd->pqueue, cpu);
-		pqueue->pd = pd;
 		pqueue->cpu_index = cpu_index;
 		cpu_index++;
 
 		__padata_list_init(&pqueue->reorder);
 		__padata_list_init(&pqueue->parallel);
 		INIT_WORK(&pqueue->work, padata_parallel_worker);
-		INIT_WORK(&pqueue->reorder_work, invoke_padata_reorder);
 		atomic_set(&pqueue->num_obj, 0);
 	}
 }
@@ -490,12 +430,13 @@ static struct parallel_data *padata_allo
 
 	padata_init_pqueues(pd);
 	padata_init_squeues(pd);
-	setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
 	atomic_set(&pd->seq_nr, -1);
 	atomic_set(&pd->reorder_objects, 0);
 	atomic_set(&pd->refcnt, 0);
 	pd->pinst = pinst;
 	spin_lock_init(&pd->lock);
+	pd->cpu = cpumask_first(pcpumask);
+	INIT_WORK(&pd->reorder_work, invoke_padata_reorder);
 
 	return pd;
 
@@ -530,8 +471,6 @@ static void padata_flush_queues(struct p
 		flush_work(&pqueue->work);
 	}
 
-	del_timer_sync(&pd->timer);
-
 	if (atomic_read(&pd->reorder_objects))
 		padata_reorder(pd);
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 10/99] padata: initialize pd->cpu with effective cpumask
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 09/99] padata: Replace delayed timer with immediate workqueue in padata_reorder Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 11/99] padata: Remove broken queue flushing Ben Hutchings
                   ` (89 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steffen Klassert, linux-crypto, Herbert Xu,
	Daniel Jordan

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Jordan <daniel.m.jordan@oracle.com>

commit ec9c7d19336ee98ecba8de80128aa405c45feebb upstream.

Exercising CPU hotplug on a 5.2 kernel with recent padata fixes from
cryptodev-2.6.git in an 8-CPU kvm guest...

    # modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
    # echo 0 > /sys/devices/system/cpu/cpu1/online
    # echo c > /sys/kernel/pcrypt/pencrypt/parallel_cpumask
    # modprobe tcrypt mode=215

...caused the following crash:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: 0000 [#1] SMP PTI
    CPU: 2 PID: 134 Comm: kworker/2:2 Not tainted 5.2.0-padata-base+ #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-<snip>
    Workqueue: pencrypt padata_parallel_worker
    RIP: 0010:padata_reorder+0xcb/0x180
    ...
    Call Trace:
     padata_do_serial+0x57/0x60
     pcrypt_aead_enc+0x3a/0x50 [pcrypt]
     padata_parallel_worker+0x9b/0xe0
     process_one_work+0x1b5/0x3f0
     worker_thread+0x4a/0x3c0
     ...

In padata_alloc_pd, pd->cpu is set using the user-supplied cpumask
instead of the effective cpumask, and in this case cpumask_first picked
an offline CPU.

The offline CPU's reorder->list.next is NULL in padata_reorder because
the list wasn't initialized in padata_init_pqueues, which only operates
on CPUs in the effective mask.

Fix by using the effective mask in padata_alloc_pd.

Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/padata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -435,7 +435,7 @@ static struct parallel_data *padata_allo
 	atomic_set(&pd->refcnt, 0);
 	pd->pinst = pinst;
 	spin_lock_init(&pd->lock);
-	pd->cpu = cpumask_first(pcpumask);
+	pd->cpu = cpumask_first(pd->cpumask.pcpu);
 	INIT_WORK(&pd->reorder_work, invoke_padata_reorder);
 
 	return pd;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 11/99] padata: Remove broken queue flushing
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 10/99] padata: initialize pd->cpu with effective cpumask Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 12/99] padata: purge get_cpu and reorder_via_wq from padata_do_serial Ben Hutchings
                   ` (88 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu, Daniel Jordan

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 07928d9bfc81640bab36f5190e8725894d93b659 upstream.

The function padata_flush_queues is fundamentally broken because
it cannot force padata users to complete the request that is
underway.  IOW padata has to passively wait for the completion
of any outstanding work.

As it stands flushing is used in two places.  Its use in padata_stop
is simply unnecessary because nothing depends on the queues to
be flushed afterwards.

The other use in padata_replace is more substantial as we depend
on it to free the old pd structure.  This patch instead uses the
pd->refcnt to dynamically free the pd structure once all requests
are complete.

Fixes: 2b73b07ab8a4 ("padata: Flush the padata queues actively")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -33,6 +33,8 @@
 
 #define MAX_OBJ_NUM 1000
 
+static void padata_free_pd(struct parallel_data *pd);
+
 static int padata_index_to_cpu(struct parallel_data *pd, int cpu_index)
 {
 	int cpu, target_cpu;
@@ -281,6 +283,7 @@ static void padata_serial_worker(struct
 	struct padata_serial_queue *squeue;
 	struct parallel_data *pd;
 	LIST_HEAD(local_list);
+	int cnt;
 
 	local_bh_disable();
 	squeue = container_of(serial_work, struct padata_serial_queue, work);
@@ -290,6 +293,8 @@ static void padata_serial_worker(struct
 	list_replace_init(&squeue->serial.list, &local_list);
 	spin_unlock(&squeue->serial.lock);
 
+	cnt = 0;
+
 	while (!list_empty(&local_list)) {
 		struct padata_priv *padata;
 
@@ -299,9 +304,12 @@ static void padata_serial_worker(struct
 		list_del_init(&padata->list);
 
 		padata->serial(padata);
-		atomic_dec(&pd->refcnt);
+		cnt++;
 	}
 	local_bh_enable();
+
+	if (atomic_sub_and_test(cnt, &pd->refcnt))
+		padata_free_pd(pd);
 }
 
 /**
@@ -432,7 +440,7 @@ static struct parallel_data *padata_allo
 	padata_init_squeues(pd);
 	atomic_set(&pd->seq_nr, -1);
 	atomic_set(&pd->reorder_objects, 0);
-	atomic_set(&pd->refcnt, 0);
+	atomic_set(&pd->refcnt, 1);
 	pd->pinst = pinst;
 	spin_lock_init(&pd->lock);
 	pd->cpu = cpumask_first(pd->cpumask.pcpu);
@@ -459,29 +467,6 @@ static void padata_free_pd(struct parall
 	kfree(pd);
 }
 
-/* Flush all objects out of the padata queues. */
-static void padata_flush_queues(struct parallel_data *pd)
-{
-	int cpu;
-	struct padata_parallel_queue *pqueue;
-	struct padata_serial_queue *squeue;
-
-	for_each_cpu(cpu, pd->cpumask.pcpu) {
-		pqueue = per_cpu_ptr(pd->pqueue, cpu);
-		flush_work(&pqueue->work);
-	}
-
-	if (atomic_read(&pd->reorder_objects))
-		padata_reorder(pd);
-
-	for_each_cpu(cpu, pd->cpumask.cbcpu) {
-		squeue = per_cpu_ptr(pd->squeue, cpu);
-		flush_work(&squeue->work);
-	}
-
-	BUG_ON(atomic_read(&pd->refcnt) != 0);
-}
-
 static void __padata_start(struct padata_instance *pinst)
 {
 	pinst->flags |= PADATA_INIT;
@@ -495,10 +480,6 @@ static void __padata_stop(struct padata_
 	pinst->flags &= ~PADATA_INIT;
 
 	synchronize_rcu();
-
-	get_online_cpus();
-	padata_flush_queues(pinst->pd);
-	put_online_cpus();
 }
 
 /* Replace the internal control structure with a new one. */
@@ -519,8 +500,8 @@ static void padata_replace(struct padata
 	if (!cpumask_equal(pd_old->cpumask.cbcpu, pd_new->cpumask.cbcpu))
 		notification_mask |= PADATA_CPU_SERIAL;
 
-	padata_flush_queues(pd_old);
-	padata_free_pd(pd_old);
+	if (atomic_dec_and_test(&pd_old->refcnt))
+		padata_free_pd(pd_old);
 
 	if (notification_mask)
 		blocking_notifier_call_chain(&pinst->cpumask_change_notifier,


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 12/99] padata: purge get_cpu and reorder_via_wq from padata_do_serial
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 11/99] padata: Remove broken queue flushing Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 13/99] crypto: pcrypt - Fix user-after-free on module unload Ben Hutchings
                   ` (87 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steffen Klassert, linux-crypto, Herbert Xu,
	Daniel Jordan

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Jordan <daniel.m.jordan@oracle.com>

commit 065cf577135a4977931c7a1e1edf442bfd9773dd upstream.

With the removal of the padata timer, padata_do_serial no longer
needs special CPU handling, so remove it.

Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/padata.c | 23 +++--------------------
 1 file changed, 3 insertions(+), 20 deletions(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -322,24 +322,9 @@ static void padata_serial_worker(struct
  */
 void padata_do_serial(struct padata_priv *padata)
 {
-	int cpu;
-	struct padata_parallel_queue *pqueue;
-	struct parallel_data *pd;
-	int reorder_via_wq = 0;
-
-	pd = padata->pd;
-
-	cpu = get_cpu();
-
-	/* We need to enqueue the padata object into the correct
-	 * per-cpu queue.
-	 */
-	if (cpu != padata->cpu) {
-		reorder_via_wq = 1;
-		cpu = padata->cpu;
-	}
-
-	pqueue = per_cpu_ptr(pd->pqueue, cpu);
+	struct parallel_data *pd = padata->pd;
+	struct padata_parallel_queue *pqueue = per_cpu_ptr(pd->pqueue,
+							   padata->cpu);
 
 	spin_lock(&pqueue->reorder.lock);
 	list_add_tail(&padata->list, &pqueue->reorder.list);
@@ -353,8 +338,6 @@ void padata_do_serial(struct padata_priv
 	 */
 	smp_mb__after_atomic();
 
-	put_cpu();
-
 	padata_reorder(pd);
 }
 EXPORT_SYMBOL(padata_do_serial);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 13/99] crypto: pcrypt - Fix user-after-free on module unload
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 12/99] padata: purge get_cpu and reorder_via_wq from padata_do_serial Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 14/99] crypto: pcrypt - Do not clear MAY_SLEEP flag in original request Ben Hutchings
                   ` (86 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 07bfd9bdf568a38d9440c607b72342036011f727 upstream.

On module unload of pcrypt we must unregister the crypto algorithms
first and then tear down the padata structure.  As otherwise the
crypto algorithms are still alive and can be used while the padata
structure is being freed.

Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/pcrypt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -552,11 +552,12 @@ err:
 
 static void __exit pcrypt_exit(void)
 {
+	crypto_unregister_template(&pcrypt_tmpl);
+
 	pcrypt_fini_padata(&pencrypt);
 	pcrypt_fini_padata(&pdecrypt);
 
 	kset_unregister(pcrypt_kset);
-	crypto_unregister_template(&pcrypt_tmpl);
 }
 
 module_init(pcrypt_init);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 14/99] crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 13/99] crypto: pcrypt - Fix user-after-free on module unload Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 15/99] padata: always acquire cpu_hotplug_lock before pinst->lock Ben Hutchings
                   ` (85 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Eric Biggers, Herbert Xu

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit e8d998264bffade3cfe0536559f712ab9058d654 upstream.

We should not be modifying the original request's MAY_SLEEP flag
upon completion.  It makes no sense to do so anyway.

Reported-by: Eric Biggers <ebiggers@kernel.org>
Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/pcrypt.c | 1 -
 1 file changed, 1 deletion(-)

--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -137,7 +137,6 @@ static void pcrypt_aead_done(struct cryp
 	struct padata_priv *padata = pcrypt_request_padata(preq);
 
 	padata->info = err;
-	req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
 
 	padata_do_serial(padata);
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 15/99] padata: always acquire cpu_hotplug_lock before pinst->lock
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 14/99] crypto: pcrypt - Do not clear MAY_SLEEP flag in original request Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 16/99] crypto: af_alg - Use bh_lock_sock in sk_destruct Ben Hutchings
                   ` (84 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steffen Klassert, Eric Biggers,
	linux-crypto, Herbert Xu, Daniel Jordan

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Jordan <daniel.m.jordan@oracle.com>

commit 38228e8848cd7dd86ccb90406af32de0cad24be3 upstream.

lockdep complains when padata's paths to update cpumasks via CPU hotplug
and sysfs are both taken:

  # echo 0 > /sys/devices/system/cpu/cpu1/online
  # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask

  ======================================================
  WARNING: possible circular locking dependency detected
  5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted
  ------------------------------------------------------
  bash/205 is trying to acquire lock:
  ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120

  but task is already holding lock:
  ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120

  which lock already depends on the new lock.

padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent
order.  Which should be first?  CPU hotplug calls into padata with
cpu_hotplug_lock already held, so it should have priority.

Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/padata.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -614,8 +614,8 @@ int padata_set_cpumask(struct padata_ins
 	struct cpumask *serial_mask, *parallel_mask;
 	int err = -EINVAL;
 
-	mutex_lock(&pinst->lock);
 	get_online_cpus();
+	mutex_lock(&pinst->lock);
 
 	switch (cpumask_type) {
 	case PADATA_CPU_PARALLEL:
@@ -633,8 +633,8 @@ int padata_set_cpumask(struct padata_ins
 	err =  __padata_set_cpumasks(pinst, parallel_mask, serial_mask);
 
 out:
-	put_online_cpus();
 	mutex_unlock(&pinst->lock);
+	put_online_cpus();
 
 	return err;
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 16/99] crypto: af_alg - Use bh_lock_sock in sk_destruct
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 15/99] padata: always acquire cpu_hotplug_lock before pinst->lock Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 17/99] crypto: api - Check spawn->alg under lock in crypto_drop_spawn Ben Hutchings
                   ` (83 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Dumazet, syzbot+c2f1558d49e25cc36e5e,
	Herbert Xu

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.

As af_alg_release_parent may be called from BH context (most notably
due to an async request that only completes after socket closure,
or as reported here because of an RCU-delayed sk_destruct call), we
must use bh_lock_sock instead of lock_sock.

Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/af_alg.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -136,11 +136,13 @@ void af_alg_release_parent(struct sock *
 	sk = ask->parent;
 	ask = alg_sk(sk);
 
-	lock_sock(sk);
+	local_bh_disable();
+	bh_lock_sock(sk);
 	ask->nokey_refcnt -= nokey;
 	if (!last)
 		last = !--ask->refcnt;
-	release_sock(sk);
+	bh_unlock_sock(sk);
+	local_bh_enable();
 
 	if (last)
 		sock_put(sk);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 17/99] crypto: api - Check spawn->alg under lock in crypto_drop_spawn
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (15 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 16/99] crypto: af_alg - Use bh_lock_sock in sk_destruct Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 18/99] crypto: api - Fix race condition in crypto_spawn_alg Ben Hutchings
                   ` (82 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 7db3b61b6bba4310f454588c2ca6faf2958ad79f upstream.

We need to check whether spawn->alg is NULL under lock as otherwise
the algorithm could be removed from under us after we have checked
it and found it to be non-NULL.  This could cause us to remove the
spawn from a non-existent list.

Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/algapi.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -618,11 +618,9 @@ EXPORT_SYMBOL_GPL(crypto_init_spawn2);
 
 void crypto_drop_spawn(struct crypto_spawn *spawn)
 {
-	if (!spawn->alg)
-		return;
-
 	down_write(&crypto_alg_sem);
-	list_del(&spawn->list);
+	if (spawn->alg)
+		list_del(&spawn->list);
 	up_write(&crypto_alg_sem);
 }
 EXPORT_SYMBOL_GPL(crypto_drop_spawn);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 18/99] crypto: api - Fix race condition in crypto_spawn_alg
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 17/99] crypto: api - Check spawn->alg under lock in crypto_drop_spawn Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 19/99] mmc: spi: Toggle SPI polarity, do not hardcode it Ben Hutchings
                   ` (81 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 73669cc556462f4e50376538d77ee312142e8a8a upstream.

The function crypto_spawn_alg is racy because it drops the lock
before shooting the dying algorithm.  The algorithm could disappear
altogether before we shoot it.

This patch fixes it by moving the shooting into the locked section.

Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/algapi.c   | 16 +++++-----------
 crypto/api.c      |  3 +--
 crypto/internal.h |  1 -
 3 files changed, 6 insertions(+), 14 deletions(-)

--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -628,22 +628,16 @@ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
 static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn)
 {
 	struct crypto_alg *alg;
-	struct crypto_alg *alg2;
 
 	down_read(&crypto_alg_sem);
 	alg = spawn->alg;
-	alg2 = alg;
-	if (alg2)
-		alg2 = crypto_mod_get(alg2);
-	up_read(&crypto_alg_sem);
-
-	if (!alg2) {
-		if (alg)
-			crypto_shoot_alg(alg);
-		return ERR_PTR(-EAGAIN);
+	if (alg && !crypto_mod_get(alg)) {
+		alg->cra_flags |= CRYPTO_ALG_DYING;
+		alg = NULL;
 	}
+	up_read(&crypto_alg_sem);
 
-	return alg;
+	return alg ?: ERR_PTR(-EAGAIN);
 }
 
 struct crypto_tfm *crypto_spawn_tfm(struct crypto_spawn *spawn, u32 type,
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -345,13 +345,12 @@ static unsigned int crypto_ctxsize(struc
 	return len;
 }
 
-void crypto_shoot_alg(struct crypto_alg *alg)
+static void crypto_shoot_alg(struct crypto_alg *alg)
 {
 	down_write(&crypto_alg_sem);
 	alg->cra_flags |= CRYPTO_ALG_DYING;
 	up_write(&crypto_alg_sem);
 }
-EXPORT_SYMBOL_GPL(crypto_shoot_alg);
 
 struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
 				      u32 mask)
--- a/crypto/internal.h
+++ b/crypto/internal.h
@@ -88,7 +88,6 @@ void crypto_alg_tested(const char *name,
 void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
 			  struct crypto_alg *nalg);
 void crypto_remove_final(struct list_head *list);
-void crypto_shoot_alg(struct crypto_alg *alg);
 struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
 				      u32 mask);
 void *crypto_create_tfm(struct crypto_alg *alg,


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 19/99] mmc: spi: Toggle SPI polarity, do not hardcode it
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 18/99] crypto: api - Fix race condition in crypto_spawn_alg Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 20/99] reiserfs: Fix memory leak of journal device string Ben Hutchings
                   ` (80 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mark Brown, Linus Walleij, Ulf Hansson,
	Phil Elwell

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit af3ed119329cf9690598c5a562d95dfd128e91d6 upstream.

The code in mmc_spi_initsequence() tries to send a burst with
high chipselect and for this reason hardcodes the device into
SPI_CS_HIGH.

This is not good because the SPI_CS_HIGH flag indicates
logical "asserted" CS not always the physical level. In
some cases the signal is inverted in the GPIO library and
in that case SPI_CS_HIGH is already set, and enforcing
SPI_CS_HIGH again will actually drive it low.

Instead of hard-coding this, toggle the polarity so if the
default is LOW it goes high to assert chipselect but if it
is already high then toggle it low instead.

Cc: Phil Elwell <phil@raspberrypi.org>
Reported-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20191204152749.12652-1-linus.walleij@linaro.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/mmc_spi.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/mmc/host/mmc_spi.c
+++ b/drivers/mmc/host/mmc_spi.c
@@ -1149,17 +1149,22 @@ static void mmc_spi_initsequence(struct
 	 * SPI protocol.  Another is that when chipselect is released while
 	 * the card returns BUSY status, the clock must issue several cycles
 	 * with chipselect high before the card will stop driving its output.
+	 *
+	 * SPI_CS_HIGH means "asserted" here. In some cases like when using
+	 * GPIOs for chip select, SPI_CS_HIGH is set but this will be logically
+	 * inverted by gpiolib, so if we want to ascertain to drive it high
+	 * we should toggle the default with an XOR as we do here.
 	 */
-	host->spi->mode |= SPI_CS_HIGH;
+	host->spi->mode ^= SPI_CS_HIGH;
 	if (spi_setup(host->spi) != 0) {
 		/* Just warn; most cards work without it. */
 		dev_warn(&host->spi->dev,
 				"can't change chip-select polarity\n");
-		host->spi->mode &= ~SPI_CS_HIGH;
+		host->spi->mode ^= SPI_CS_HIGH;
 	} else {
 		mmc_spi_readbytes(host, 18);
 
-		host->spi->mode &= ~SPI_CS_HIGH;
+		host->spi->mode ^= SPI_CS_HIGH;
 		if (spi_setup(host->spi) != 0) {
 			/* Wot, we can't get the same setup we had before? */
 			dev_err(&host->spi->dev,


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 20/99] reiserfs: Fix memory leak of journal device string
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 19/99] mmc: spi: Toggle SPI polarity, do not hardcode it Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 21/99] reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling Ben Hutchings
                   ` (79 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+1c6756baf4b16b94d2a6, Jan Kara

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c upstream.

When a filesystem is mounted with jdev mount option, we store the
journal device name in an allocated string in superblock. However we
fail to ever free that string. Fix it.

Reported-by: syzbot+1c6756baf4b16b94d2a6@syzkaller.appspotmail.com
Fixes: c3aa077648e1 ("reiserfs: Properly display mount options in /proc/mounts")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/reiserfs/super.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -589,6 +589,7 @@ static void reiserfs_put_super(struct su
 	reiserfs_write_unlock(s);
 	mutex_destroy(&REISERFS_SB(s)->lock);
 	destroy_workqueue(REISERFS_SB(s)->commit_wq);
+	kfree(REISERFS_SB(s)->s_jdev);
 	kfree(s->s_fs_info);
 	s->s_fs_info = NULL;
 }
@@ -2188,6 +2189,7 @@ error_unlocked:
 			kfree(qf_names[j]);
 	}
 #endif
+	kfree(sbi->s_jdev);
 	kfree(sbi);
 
 	s->s_fs_info = NULL;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 21/99] reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 20/99] reiserfs: Fix memory leak of journal device string Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 22/99] ath9k: fix storage endpoint lookup Ben Hutchings
                   ` (78 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jan Kara

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 4d5c1adaf893b8aa52525d2b81995e949bcb3239 upstream.

When we fail to allocate string for journal device name we jump to
'error' label which tries to unlock reiserfs write lock which is not
held. Jump to 'error_unlocked' instead.

Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/reiserfs/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -1901,7 +1901,7 @@ static int reiserfs_fill_super(struct su
 		if (!sbi->s_jdev) {
 			SWARN(silent, s, "", "Cannot allocate memory for "
 				"journal device name");
-			goto error;
+			goto error_unlocked;
 		}
 	}
 #ifdef CONFIG_QUOTA


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 22/99] ath9k: fix storage endpoint lookup
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 21/99] reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 23/99] rsi: fix use-after-free on failed probe and unbind Ben Hutchings
                   ` (77 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Kalle Valo, Johan Hovold

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 0ef332951e856efa89507cdd13ba8f4fb8d4db12 upstream.

Make sure to use the current alternate setting when verifying the
storage interface descriptors to avoid submitting an URB to an invalid
endpoint.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1141,7 +1141,7 @@ err_fw:
 static int send_eject_command(struct usb_interface *interface)
 {
 	struct usb_device *udev = interface_to_usbdev(interface);
-	struct usb_host_interface *iface_desc = &interface->altsetting[0];
+	struct usb_host_interface *iface_desc = interface->cur_altsetting;
 	struct usb_endpoint_descriptor *endpoint;
 	unsigned char *cmd;
 	u8 bulk_out_ep;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 23/99] rsi: fix use-after-free on failed probe and unbind
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 22/99] ath9k: fix storage endpoint lookup Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 24/99] brcmfmac: Fix use after free in brcmf_sdio_readframes() Ben Hutchings
                   ` (76 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Siva Rebbagondla, Fariya Fatima,
	Johan Hovold, Amitkumar Karwar, Prameela Rani Garnepudi,
	Kalle Valo, syzbot+b563b7f8dbe8223a51e8

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit e93cd35101b61e4c79149be2cfc927c4b28dc60c upstream.

Make sure to stop both URBs before returning after failed probe as well
as on disconnect to avoid use-after-free in the completion handler.

Reported-by: syzbot+b563b7f8dbe8223a51e8@syzkaller.appspotmail.com
Fixes: a4302bff28e2 ("rsi: add bluetooth rx endpoint")
Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Cc: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
Cc: Fariya Fatima <fariyaf@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: There is no BT support, so we only need to
 kill one URB on disconnect.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
@@ -245,6 +245,14 @@ static void rsi_rx_done_handler(struct u
 	rsi_set_event(&dev->rx_thread.event);
 }
 
+static void rsi_rx_urb_kill(struct rsi_hw *adapter)
+{
+	struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
+	struct urb *urb = dev->rx_usb_urb[0];
+
+	usb_kill_urb(urb);
+}
+
 /**
  * rsi_rx_urb_submit() - This function submits the given URB to the USB stack.
  * @adapter: Pointer to the adapter structure.
@@ -510,6 +518,8 @@ static void rsi_disconnect(struct usb_in
 	if (!adapter)
 		return;
 
+	rsi_rx_urb_kill(adapter);
+
 	rsi_mac80211_detach(adapter);
 	rsi_deinit_usb_interface(adapter);
 	rsi_91x_deinit(adapter);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 24/99] brcmfmac: Fix use after free in brcmf_sdio_readframes()
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 23/99] rsi: fix use-after-free on failed probe and unbind Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 25/99] brcmfmac: abort and release host after error Ben Hutchings
                   ` (75 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Franky Lin, Kalle Valo, Dan Carpenter

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 216b44000ada87a63891a8214c347e05a4aea8fe upstream.

The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
static checker warning:

    drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
    error: dereferencing freed memory 'pkt'

It looks like there was supposed to be a continue after we free "pkt".

Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -1972,6 +1972,7 @@ static uint brcmf_sdio_readframes(struct
 					       BRCMF_SDIO_FT_NORMAL)) {
 				rd->len = 0;
 				brcmu_pkt_buf_free_skb(pkt);
+				continue;
 			}
 			bus->sdcnt.rx_readahead_cnt++;
 			if (rd->len != roundup(rd_new.len, 16)) {


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 25/99] brcmfmac: abort and release host after error
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 24/99] brcmfmac: Fix use after free in brcmf_sdio_readframes() Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 26/99] brcmfmac: fix interface sanity check Ben Hutchings
                   ` (74 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dan Carpenter, Guenter Roeck, Brian Norris,
	Douglas Anderson, Kalle Valo, franky.lin, Matthias Kaehlcke

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 863844ee3bd38219c88e82966d1df36a77716f3e upstream.

With commit 216b44000ada ("brcmfmac: Fix use after free in
brcmf_sdio_readframes()") applied, we see locking timeouts in
brcmf_sdio_watchdog_thread().

brcmfmac: brcmf_escan_timeout: timer expired
INFO: task brcmf_wdog/mmc1:621 blocked for more than 120 seconds.
Not tainted 4.19.94-07984-g24ff99a0f713 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
brcmf_wdog/mmc1 D    0   621      2 0x00000000 last_sleep: 2440793077.  last_runnable: 2440766827
[<c0aa1e60>] (__schedule) from [<c0aa2100>] (schedule+0x98/0xc4)
[<c0aa2100>] (schedule) from [<c0853830>] (__mmc_claim_host+0x154/0x274)
[<c0853830>] (__mmc_claim_host) from [<bf10c5b8>] (brcmf_sdio_watchdog_thread+0x1b0/0x1f8 [brcmfmac])
[<bf10c5b8>] (brcmf_sdio_watchdog_thread [brcmfmac]) from [<c02570b8>] (kthread+0x178/0x180)

In addition to restarting or exiting the loop, it is also necessary to
abort the command and to release the host.

Fixes: 216b44000ada ("brcmfmac: Fix use after free in brcmf_sdio_readframes()")
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Matthias Kaehlcke <mka@chromium.org>
Cc: Brian Norris <briannorris@chromium.org>
Cc: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Acked-by: franky.lin@broadcom.com
Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
 - Use bus->sdiodev->func[1] instead of ->func1
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -1971,6 +1971,8 @@ static uint brcmf_sdio_readframes(struct
 			if (brcmf_sdio_hdparse(bus, bus->rxhdr, &rd_new,
 					       BRCMF_SDIO_FT_NORMAL)) {
 				rd->len = 0;
+				brcmf_sdio_rxfail(bus, true, true);
+				sdio_release_host(bus->sdiodev->func[1]);
 				brcmu_pkt_buf_free_skb(pkt);
 				continue;
 			}


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 26/99] brcmfmac: fix interface sanity check
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 25/99] brcmfmac: abort and release host after error Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 27/99] orinoco_usb: " Ben Hutchings
                   ` (73 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Arend van Spriel, Kalle Valo

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
Cc: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
 - Altsetting lookup is done by the IFALTS() macro
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -41,7 +41,7 @@
 
 #define CONFIGDESC(usb)         (&((usb)->actconfig)->desc)
 #define IFPTR(usb, idx)         ((usb)->actconfig->interface[(idx)])
-#define IFALTS(usb, idx)        (IFPTR((usb), (idx))->altsetting[0])
+#define IFALTS(usb, idx)        (*IFPTR((usb), (idx))->cur_altsetting)
 #define IFDESC(usb, idx)        IFALTS((usb), (idx)).desc
 #define IFEPDESC(usb, idx, ep)  (IFALTS((usb), (idx)).endpoint[(ep)]).desc
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 27/99] orinoco_usb: fix interface sanity check
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 26/99] brcmfmac: fix interface sanity check Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 28/99] rsi_91x_usb: " Ben Hutchings
                   ` (72 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johan Hovold, Kalle Valo

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit b73e05aa543cf8db4f4927e36952360d71291d41 upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 9afac70a7305 ("orinoco: add orinoco_usb driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/orinoco/orinoco_usb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/orinoco/orinoco_usb.c
+++ b/drivers/net/wireless/orinoco/orinoco_usb.c
@@ -1602,9 +1602,9 @@ static int ezusb_probe(struct usb_interf
 	/* set up the endpoint information */
 	/* check out the endpoints */
 
-	iface_desc = &interface->altsetting[0].desc;
+	iface_desc = &interface->cur_altsetting->desc;
 	for (i = 0; i < iface_desc->bNumEndpoints; ++i) {
-		ep = &interface->altsetting[0].endpoint[i].desc;
+		ep = &interface->cur_altsetting->endpoint[i].desc;
 
 		if (((ep->bEndpointAddress & USB_ENDPOINT_DIR_MASK)
 		     == USB_DIR_IN) &&


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 28/99] rsi_91x_usb: fix interface sanity check
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 27/99] orinoco_usb: " Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 29/99] zd1211rw: fix storage endpoint lookup Ben Hutchings
                   ` (71 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Fariya Fatima, Kalle Valo

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 3139b180906af43bc09bd3373fc2338a8271d9d9 upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Cc: Fariya Fatima <fariyaf@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/rsi/rsi_91x_usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
@@ -103,7 +103,7 @@ static int rsi_find_bulk_in_and_out_endp
 	__le16 buffer_size;
 	int ii, bep_found = 0;
 
-	iface_desc = &(interface->altsetting[0]);
+	iface_desc = interface->cur_altsetting;
 
 	for (ii = 0; ii < iface_desc->desc.bNumEndpoints; ++ii) {
 		endpoint = &(iface_desc->endpoint[ii].desc);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 29/99] zd1211rw: fix storage endpoint lookup
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 28/99] rsi_91x_usb: " Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 30/99] brcmfmac: Fix memory leak in brcmf_usbdev_qinit Ben Hutchings
                   ` (70 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johan Hovold, Kalle Valo

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2d68bb2687abb747558b933e80845ff31570a49c upstream.

Make sure to use the current alternate setting when verifying the
storage interface descriptors to avoid submitting an URB to an invalid
endpoint.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
@@ -1272,7 +1272,7 @@ static void print_id(struct usb_device *
 static int eject_installer(struct usb_interface *intf)
 {
 	struct usb_device *udev = interface_to_usbdev(intf);
-	struct usb_host_interface *iface_desc = &intf->altsetting[0];
+	struct usb_host_interface *iface_desc = intf->cur_altsetting;
 	struct usb_endpoint_descriptor *endpoint;
 	unsigned char *cmd;
 	u8 bulk_out_ep;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 30/99] brcmfmac: Fix memory leak in brcmf_usbdev_qinit
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 29/99] zd1211rw: fix storage endpoint lookup Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:13 ` [PATCH 3.16 31/99] crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill Ben Hutchings
                   ` (69 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Kalle Valo, Navid Emamdoost

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit 4282dc057d750c6a7dd92953564b15c26b54c22c upstream.

In the implementation of brcmf_usbdev_qinit() the allocated memory for
reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
handling path.

Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmfmac/usb.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -365,6 +365,7 @@ fail:
 			usb_free_urb(req->urb);
 		list_del(q->next);
 	}
+	kfree(reqs);
 	return NULL;
 
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 31/99] crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 30/99] brcmfmac: Fix memory leak in brcmf_usbdev_qinit Ben Hutchings
@ 2020-05-20 14:13 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 32/99] scsi: qla2xxx: Fix mtcp dump collection failure Ben Hutchings
                   ` (68 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:13 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu, Chuhong Yuan

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuhong Yuan <hslester96@gmail.com>

commit 7f8c36fe9be46862c4f3c5302f769378028a34fa upstream.

Since tasklet is needed to be initialized before registering IRQ
handler, adjust the position of tasklet_init to fix the wrong order.

Besides, to fix the missed tasklet_kill, this patch adds a helper
function and uses devm_add_action to kill the tasklet automatically.

Fixes: ce92136843cb ("crypto: picoxcell - add support for the picoxcell crypto engines")
Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/picoxcell_crypto.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/crypto/picoxcell_crypto.c
+++ b/drivers/crypto/picoxcell_crypto.c
@@ -1690,6 +1690,11 @@ static bool spacc_is_compatible(struct p
 	return false;
 }
 
+static void spacc_tasklet_kill(void *data)
+{
+	tasklet_kill(data);
+}
+
 static int spacc_probe(struct platform_device *pdev)
 {
 	int i, err, ret = -EINVAL;
@@ -1730,6 +1735,14 @@ static int spacc_probe(struct platform_d
 		return -ENXIO;
 	}
 
+	tasklet_init(&engine->complete, spacc_spacc_complete,
+		     (unsigned long)engine);
+
+	ret = devm_add_action(&pdev->dev, spacc_tasklet_kill,
+			      &engine->complete);
+	if (ret)
+		return ret;
+
 	if (devm_request_irq(&pdev->dev, irq->start, spacc_spacc_irq, 0,
 			     engine->name, engine)) {
 		dev_err(engine->dev, "failed to request IRQ\n");
@@ -1792,8 +1805,6 @@ static int spacc_probe(struct platform_d
 	INIT_LIST_HEAD(&engine->completed);
 	INIT_LIST_HEAD(&engine->in_progress);
 	engine->in_flight = 0;
-	tasklet_init(&engine->complete, spacc_spacc_complete,
-		     (unsigned long)engine);
 
 	platform_set_drvdata(pdev, engine);
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 32/99] scsi: qla2xxx: Fix mtcp dump collection failure
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2020-05-20 14:13 ` [PATCH 3.16 31/99] crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 33/99] rtc: hym8563: Return -EINVAL if the time is known to be invalid Ben Hutchings
                   ` (67 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Martin K. Petersen, Himanshu Madhani, Quinn Tran

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Quinn Tran <qutran@marvell.com>

commit 641e0efddcbde52461e017136acd3ce7f2ef0c14 upstream.

MTCP dump failed due to MB Reg 10 was picking garbage data from stack
memory.

Fixes: 81178772b636a ("[SCSI] qla2xxx: Implemetation of mctp.")
Link: https://lore.kernel.org/r/20191217220617.28084-14-hmadhani@marvell.com
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_mbx.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -5388,9 +5388,8 @@ qla2x00_dump_mctp_data(scsi_qla_host_t *
 	mcp->mb[7] = LSW(MSD(req_dma));
 	mcp->mb[8] = MSW(addr);
 	/* Setting RAM ID to valid */
-	mcp->mb[10] |= BIT_7;
 	/* For MCTP RAM ID is 0x40 */
-	mcp->mb[10] |= 0x40;
+	mcp->mb[10] = BIT_7 | 0x40;
 
 	mcp->out_mb |= MBX_10|MBX_8|MBX_7|MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|
 	    MBX_0;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 33/99] rtc: hym8563: Return -EINVAL if the time is known to be invalid
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 32/99] scsi: qla2xxx: Fix mtcp dump collection failure Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 34/99] gianfar: Fix TX timestamping with a stacked DSA driver Ben Hutchings
                   ` (66 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paul Kocialkowski, Alexandre Belloni

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>

commit f236a2a2ebabad0848ad0995af7ad1dc7029e895 upstream.

The current code returns -EPERM when the voltage loss bit is set.
Since the bit indicates that the time value is not valid, return
-EINVAL instead, which is the appropriate error code for this
situation.

Fixes: dcaf03849352 ("rtc: add hym8563 rtc-driver")
Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Link: https://lore.kernel.org/r/20191212153111.966923-1-paul.kocialkowski@bootlin.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/rtc/rtc-hym8563.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/rtc/rtc-hym8563.c
+++ b/drivers/rtc/rtc-hym8563.c
@@ -105,7 +105,7 @@ static int hym8563_rtc_read_time(struct
 
 	if (!hym8563->valid) {
 		dev_warn(&client->dev, "no valid clock/calendar values available\n");
-		return -EPERM;
+		return -EINVAL;
 	}
 
 	ret = i2c_smbus_read_i2c_block_data(client, HYM8563_SEC, 7, buf);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 34/99] gianfar: Fix TX timestamping with a stacked DSA driver
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 33/99] rtc: hym8563: Return -EINVAL if the time is known to be invalid Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path Ben Hutchings
                   ` (65 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Vladimir Oltean, Richard Cochran

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Oltean <olteanv@gmail.com>

commit c26a2c2ddc0115eb088873f5c309cf46b982f522 upstream.

The driver wrongly assumes that it is the only entity that can set the
SKBTX_IN_PROGRESS bit of the current skb. Therefore, in the
gfar_clean_tx_ring function, where the TX timestamp is collected if
necessary, the aforementioned bit is used to discriminate whether or not
the TX timestamp should be delivered to the socket's error queue.

But a stacked driver such as a DSA switch can also set the
SKBTX_IN_PROGRESS bit, which is actually exactly what it should do in
order to denote that the hardware timestamping process is undergoing.

Therefore, gianfar would misinterpret the "in progress" bit as being its
own, and deliver a second skb clone in the socket's error queue,
completely throwing off a PTP process which is not expecting to receive
it, _even though_ TX timestamping is not enabled for gianfar.

There have been discussions [0] as to whether non-MAC drivers need or
not to set SKBTX_IN_PROGRESS at all (whose purpose is to avoid sending 2
timestamps, a sw and a hw one, to applications which only expect one).
But as of this patch, there are at least 2 PTP drivers that would break
in conjunction with gianfar: the sja1105 DSA switch and the felix
switch, by way of its ocelot core driver.

So regardless of that conclusion, fix the gianfar driver to not do stuff
based on flags set by others and not intended for it.

[0]: https://www.spinics.net/lists/netdev/msg619699.html

Fixes: f0ee7acfcdd4 ("gianfar: Add hardware TX timestamping support")
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/freescale/gianfar.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/freescale/gianfar.c
+++ b/drivers/net/ethernet/freescale/gianfar.c
@@ -2524,13 +2524,17 @@ static void gfar_clean_tx_ring(struct gf
 
 	while ((skb = tx_queue->tx_skbuff[skb_dirtytx])) {
 		unsigned long flags;
+		bool do_tstamp;
+
+		do_tstamp = (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) &&
+			    priv->hwts_tx_en;
 
 		frags = skb_shinfo(skb)->nr_frags;
 
 		/* When time stamping, one additional TxBD must be freed.
 		 * Also, we need to dma_unmap_single() the TxPAL.
 		 */
-		if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS))
+		if (unlikely(do_tstamp))
 			nr_txbds = frags + 2;
 		else
 			nr_txbds = frags + 1;
@@ -2544,7 +2548,7 @@ static void gfar_clean_tx_ring(struct gf
 		    (lstatus & BD_LENGTH_MASK))
 			break;
 
-		if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
+		if (unlikely(do_tstamp)) {
 			next = next_txbd(bdp, base, tx_ring_size);
 			buflen = next->length + GMAC_FCB_LEN + GMAC_TXPAL_LEN;
 		} else
@@ -2553,7 +2557,7 @@ static void gfar_clean_tx_ring(struct gf
 		dma_unmap_single(priv->dev, bdp->bufPtr,
 				 buflen, DMA_TO_DEVICE);
 
-		if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
+		if (unlikely(do_tstamp)) {
 			struct skb_shared_hwtstamps shhwtstamps;
 			u64 *ns = (u64*) (((u32)skb->data + 0x10) & ~0x7);
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 34/99] gianfar: Fix TX timestamping with a stacked DSA driver Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-21 14:09   ` Marion & Christophe JAILLET
  2020-05-20 14:14 ` [PATCH 3.16 36/99] ALSA: sh: Fix compile warning wrt const Ben Hutchings
                   ` (64 subsequent siblings)
  99 siblings, 1 reply; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, YueHaibing, Bartlomiej Zolnierkiewicz,
	Christophe JAILLET, Lubomir Rintel

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 3c911fe799d1c338d94b78e7182ad452c37af897 upstream.

In the probe function, some resources are allocated using 'dma_alloc_wc()',
they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.

We already use 'dma_free_wc()' in the remove function, but not in the
error handling path of the probe function.

Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already
PAGE_ALIGNed.

Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
CC: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
[bwh: Backported to 3.16: Use dma_free_writecombine().]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/fbdev/pxa168fb.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/video/fbdev/pxa168fb.c
+++ b/drivers/video/fbdev/pxa168fb.c
@@ -772,8 +772,8 @@ failed_free_cmap:
 failed_free_clk:
 	clk_disable(fbi->clk);
 failed_free_fbmem:
-	dma_free_coherent(fbi->dev, info->fix.smem_len,
-			info->screen_base, fbi->fb_start_dma);
+	dma_free_writecombine(fbi->dev, info->fix.smem_len,
+			      info->screen_base, fbi->fb_start_dma);
 failed_free_info:
 	kfree(info);
 failed_put_clk:
@@ -809,7 +809,7 @@ static int pxa168fb_remove(struct platfo
 
 	irq = platform_get_irq(pdev, 0);
 
-	dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
+	dma_free_writecombine(fbi->dev, info->fix.smem_len,
 				info->screen_base, info->fix.smem_start);
 
 	clk_disable(fbi->clk);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 36/99] ALSA: sh: Fix compile warning wrt const
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 37/99] clk: tegra: Mark fuse clock as critical Ben Hutchings
                   ` (63 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit f1dd4795b1523fbca7ab4344dd5a8bb439cc770d upstream.

A long-standing compile warning was seen during build test:
  sound/sh/aica.c: In function 'load_aica_firmware':
  sound/sh/aica.c:521:25: warning: passing argument 2 of 'spu_memload' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device")
Link: https://lore.kernel.org/r/20200105144823.29547-69-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/sh/aica.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/sh/aica.c
+++ b/sound/sh/aica.c
@@ -120,10 +120,10 @@ static void spu_memset(u32 toi, u32 what
 }
 
 /* spu_memload - write to SPU address space */
-static void spu_memload(u32 toi, void *from, int length)
+static void spu_memload(u32 toi, const void *from, int length)
 {
 	unsigned long flags;
-	u32 *froml = from;
+	const u32 *froml = from;
 	u32 __iomem *to = (u32 __iomem *) (SPU_MEMORY_BASE + toi);
 	int i;
 	u32 val;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 37/99] clk: tegra: Mark fuse clock as critical
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 36/99] ALSA: sh: Fix compile warning wrt const Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 15:51   ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 38/99] ARM: tegra: Enable PLLP bypass during Tegra124 LP1 Ben Hutchings
                   ` (62 subsequent siblings)
  99 siblings, 1 reply; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jonathan Hunter, Thierry Reding, Stephen Warren

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Warren <swarren@nvidia.com>

commit bf83b96f87ae2abb1e535306ea53608e8de5dfbb upstream.

For a little over a year, U-Boot on Tegra124 has configured the flow
controller to perform automatic RAM re-repair on off->on power
transitions of the CPU rail[1]. This is mandatory for correct operation
of Tegra124. However, RAM re-repair relies on certain clocks, which the
kernel must enable and leave running. The fuse clock is one of those
clocks. Mark this clock as critical so that LP1 power mode (system
suspend) operates correctly.

[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair

Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/tegra/clk-tegra-periph.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/clk/tegra/clk-tegra-periph.c
+++ b/drivers/clk/tegra/clk-tegra-periph.c
@@ -517,7 +517,11 @@ static struct tegra_periph_init_data gat
 	GATE("vcp", "clk_m", 29, 0, tegra_clk_vcp, 0),
 	GATE("apbdma", "clk_m", 34, 0, tegra_clk_apbdma, 0),
 	GATE("kbc", "clk_32k", 36, TEGRA_PERIPH_ON_APB | TEGRA_PERIPH_NO_RESET, tegra_clk_kbc, 0),
-	GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, 0),
+	/*
+	 * Critical for RAM re-repair operation, which must occur on resume
+	 * from LP1 system suspend and as part of CCPLEX cluster switching.
+	 */
+	GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, CLK_IS_CRITICAL),
 	GATE("fuse_burn", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse_burn, 0),
 	GATE("kfuse", "clk_m", 40, TEGRA_PERIPH_ON_APB, tegra_clk_kfuse, 0),
 	GATE("apbif", "clk_m", 107, TEGRA_PERIPH_ON_APB, tegra_clk_apbif, 0),


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 38/99] ARM: tegra: Enable PLLP bypass during Tegra124 LP1
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 37/99] clk: tegra: Mark fuse clock as critical Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 39/99] media: iguanair: add sanity checks Ben Hutchings
                   ` (61 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thierry Reding, Stephen Warren, Jonathan Hunter

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Warren <swarren@nvidia.com>

commit 1a3388d506bf5b45bb283e6a4c4706cfb4897333 upstream.

For a little over a year, U-Boot has configured the flow controller to
perform automatic RAM re-repair on off->on power transitions of the CPU
rail[1]. This is mandatory for correct operation of Tegra124. However,
RAM re-repair relies on certain clocks, which the kernel must enable and
leave running. PLLP is one of those clocks. This clock is shut down
during LP1 in order to save power. Enable bypass (which I believe routes
osc_div_clk, essentially the crystal clock, to the PLL output) so that
this clock signal toggles even though the PLL is not active. This is
required so that LP1 power mode (system suspend) operates correctly.

The bypass configuration must then be undone when resuming from LP1, so
that all peripheral clocks run at the expected rate. Without this, many
peripherals won't work correctly; for example, the UART baud rate would
be incorrect.

NVIDIA's downstream kernel code only does this if not compiled for
Tegra30, so the added code is made conditional upon the chip ID.
NVIDIA's downstream code makes this change conditional upon the active
CPU cluster. The upstream kernel currently doesn't support cluster
switching, so this patch doesn't test the active CPU cluster ID.

[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair

Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-tegra/sleep-tegra30.S | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/arch/arm/mach-tegra/sleep-tegra30.S
+++ b/arch/arm/mach-tegra/sleep-tegra30.S
@@ -378,6 +378,14 @@ _pll_m_c_x_done:
 	pll_locked r1, r0, CLK_RESET_PLLC_BASE
 	pll_locked r1, r0, CLK_RESET_PLLX_BASE
 
+	tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
+	cmp	r1, #TEGRA30
+	beq	1f
+	ldr	r1, [r0, #CLK_RESET_PLLP_BASE]
+	bic	r1, r1, #(1<<31)	@ disable PllP bypass
+	str	r1, [r0, #CLK_RESET_PLLP_BASE]
+1:
+
 	mov32	r7, TEGRA_TMRUS_BASE
 	ldr	r1, [r7]
 	add	r1, r1, #LOCK_DELAY
@@ -637,7 +645,10 @@ tegra30_switch_cpu_to_clk32k:
 	str	r0, [r4, #PMC_PLLP_WB0_OVERRIDE]
 
 	/* disable PLLP, PLLA, PLLC and PLLX */
+	tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
+	cmp	r1, #TEGRA30
 	ldr	r0, [r5, #CLK_RESET_PLLP_BASE]
+	orrne	r0, r0, #(1 << 31)	@ enable PllP bypass on fast cluster
 	bic	r0, r0, #(1 << 30)
 	str	r0, [r5, #CLK_RESET_PLLP_BASE]
 	ldr	r0, [r5, #CLK_RESET_PLLA_BASE]


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 39/99] media: iguanair: add sanity checks
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 38/99] ARM: tegra: Enable PLLP bypass during Tegra124 LP1 Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 40/99] media: iguanair: fix endpoint sanity check Ben Hutchings
                   ` (60 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Oliver Neukum,
	Sean Young, syzbot+01a77b82edaa374068e1

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit ab1cbdf159beba7395a13ab70bc71180929ca064 upstream.

The driver needs to check the endpoint types, too, as opposed
to the number of endpoints. This also requires moving the check earlier.

Reported-by: syzbot+01a77b82edaa374068e1@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/rc/iguanair.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/drivers/media/rc/iguanair.c
+++ b/drivers/media/rc/iguanair.c
@@ -430,6 +430,10 @@ static int iguanair_probe(struct usb_int
 	int ret, pipein, pipeout;
 	struct usb_host_interface *idesc;
 
+	idesc = intf->altsetting;
+	if (idesc->desc.bNumEndpoints < 2)
+		return -ENODEV;
+
 	ir = kzalloc(sizeof(*ir), GFP_KERNEL);
 	rc = rc_allocate_device();
 	if (!ir || !rc) {
@@ -444,18 +448,13 @@ static int iguanair_probe(struct usb_int
 	ir->urb_in = usb_alloc_urb(0, GFP_KERNEL);
 	ir->urb_out = usb_alloc_urb(0, GFP_KERNEL);
 
-	if (!ir->buf_in || !ir->packet || !ir->urb_in || !ir->urb_out) {
+	if (!ir->buf_in || !ir->packet || !ir->urb_in || !ir->urb_out ||
+	    !usb_endpoint_is_int_in(&idesc->endpoint[0].desc) ||
+	    !usb_endpoint_is_int_out(&idesc->endpoint[1].desc)) {
 		ret = -ENOMEM;
 		goto out;
 	}
 
-	idesc = intf->altsetting;
-
-	if (idesc->desc.bNumEndpoints < 2) {
-		ret = -ENODEV;
-		goto out;
-	}
-
 	ir->rc = rc;
 	ir->dev = &intf->dev;
 	ir->udev = udev;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 40/99] media: iguanair: fix endpoint sanity check
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 39/99] media: iguanair: add sanity checks Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 41/99] ARM: dts: at91: sama5d3: fix maximum peripheral clock rates Ben Hutchings
                   ` (59 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Oliver Neukum, Johan Hovold, Sean Young,
	Mauro Carvalho Chehab

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 1b257870a78b0a9ce98fdfb052c58542022ffb5b upstream.

Make sure to use the current alternate setting, which need not be the
first one by index, when verifying the endpoint descriptors and
initialising the URBs.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 26ff63137c45 ("[media] Add support for the IguanaWorks USB IR Transceiver")
Fixes: ab1cbdf159be ("media: iguanair: add sanity checks")
Cc: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/rc/iguanair.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/rc/iguanair.c
+++ b/drivers/media/rc/iguanair.c
@@ -430,7 +430,7 @@ static int iguanair_probe(struct usb_int
 	int ret, pipein, pipeout;
 	struct usb_host_interface *idesc;
 
-	idesc = intf->altsetting;
+	idesc = intf->cur_altsetting;
 	if (idesc->desc.bNumEndpoints < 2)
 		return -ENODEV;
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 41/99] ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 40/99] media: iguanair: fix endpoint sanity check Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 42/99] ARM: dts: at91: sama5d3: define clock rate range for tcb1 Ben Hutchings
                   ` (58 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alexandre Belloni, Karl Rudbæk Olsen

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandre Belloni <alexandre.belloni@bootlin.com>

commit ee0aa926ddb0bd8ba59e33e3803b3b5804e3f5da upstream.

Currently the maximum rate for peripheral clock is calculated based on a
typical 133MHz MCK. The maximum frequency is defined in the datasheet as a
ratio to MCK. Some sama5d3 platforms are using a 166MHz MCK. Update the
device trees to match the maximum rate based on 166MHz.

Reported-by: Karl Rudbæk Olsen <karl@micro-technic.com>
Fixes: d2e8190b7916 ("ARM: at91/dt: define sama5d3 clocks")
Link: https://lore.kernel.org/r/20200110172007.1253659-1-alexandre.belloni@bootlin.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
[bwh: Backported to 3.16: uart0_clk is only defined in sama5d3_uart.dtsi]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/arm/boot/dts/sama5d3.dtsi
+++ b/arch/arm/boot/dts/sama5d3.dtsi
@@ -1031,43 +1031,43 @@
 					usart0_clk: usart0_clk {
 						#clock-cells = <0>;
 						reg = <12>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					usart1_clk: usart1_clk {
 						#clock-cells = <0>;
 						reg = <13>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					usart2_clk: usart2_clk {
 						#clock-cells = <0>;
 						reg = <14>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					usart3_clk: usart3_clk {
 						#clock-cells = <0>;
 						reg = <15>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					twi0_clk: twi0_clk {
 						reg = <18>;
 						#clock-cells = <0>;
-						atmel,clk-output-range = <0 16625000>;
+						atmel,clk-output-range = <0 41500000>;
 					};
 
 					twi1_clk: twi1_clk {
 						#clock-cells = <0>;
 						reg = <19>;
-						atmel,clk-output-range = <0 16625000>;
+						atmel,clk-output-range = <0 41500000>;
 					};
 
 					twi2_clk: twi2_clk {
 						#clock-cells = <0>;
 						reg = <20>;
-						atmel,clk-output-range = <0 16625000>;
+						atmel,clk-output-range = <0 41500000>;
 					};
 
 					mci0_clk: mci0_clk {
@@ -1083,19 +1083,19 @@
 					spi0_clk: spi0_clk {
 						#clock-cells = <0>;
 						reg = <24>;
-						atmel,clk-output-range = <0 133000000>;
+						atmel,clk-output-range = <0 166000000>;
 					};
 
 					spi1_clk: spi1_clk {
 						#clock-cells = <0>;
 						reg = <25>;
-						atmel,clk-output-range = <0 133000000>;
+						atmel,clk-output-range = <0 166000000>;
 					};
 
 					tcb0_clk: tcb0_clk {
 						#clock-cells = <0>;
 						reg = <26>;
-						atmel,clk-output-range = <0 133000000>;
+						atmel,clk-output-range = <0 166000000>;
 					};
 
 					pwm_clk: pwm_clk {
@@ -1106,7 +1106,7 @@
 					adc_clk: adc_clk {
 						#clock-cells = <0>;
 						reg = <29>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					dma0_clk: dma0_clk {
@@ -1137,13 +1137,13 @@
 					ssc0_clk: ssc0_clk {
 						#clock-cells = <0>;
 						reg = <38>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					ssc1_clk: ssc1_clk {
 						#clock-cells = <0>;
 						reg = <39>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					sha_clk: sha_clk {
--- a/arch/arm/boot/dts/sama5d3_can.dtsi
+++ b/arch/arm/boot/dts/sama5d3_can.dtsi
@@ -37,13 +37,13 @@
 					can0_clk: can0_clk {
 						#clock-cells = <0>;
 						reg = <40>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					can1_clk: can1_clk {
 						#clock-cells = <0>;
 						reg = <41>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 				};
 			};
--- a/arch/arm/boot/dts/sama5d3_uart.dtsi
+++ b/arch/arm/boot/dts/sama5d3_uart.dtsi
@@ -42,13 +42,13 @@
 					uart0_clk: uart0_clk {
 						#clock-cells = <0>;
 						reg = <16>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 
 					uart1_clk: uart1_clk {
 						#clock-cells = <0>;
 						reg = <17>;
-						atmel,clk-output-range = <0 66000000>;
+						atmel,clk-output-range = <0 83000000>;
 					};
 				};
 			};


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 42/99] ARM: dts: at91: sama5d3: define clock rate range for tcb1
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 41/99] ARM: dts: at91: sama5d3: fix maximum peripheral clock rates Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 43/99] efi: Use early_mem*() instead of early_io*() Ben Hutchings
                   ` (57 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Karl Rudbæk Olsen, Alexandre Belloni

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandre Belloni <alexandre.belloni@bootlin.com>

commit a7e0f3fc01df4b1b7077df777c37feae8c9e8b6d upstream.

The clock rate range for the TCB1 clock is missing. define it in the device
tree.

Reported-by: Karl Rudbæk Olsen <karl@micro-technic.com>
Fixes: d2e8190b7916 ("ARM: at91/dt: define sama5d3 clocks")
Link: https://lore.kernel.org/r/20200110172007.1253659-2-alexandre.belloni@bootlin.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/sama5d3_tcb1.dtsi | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/sama5d3_tcb1.dtsi
+++ b/arch/arm/boot/dts/sama5d3_tcb1.dtsi
@@ -23,6 +23,7 @@
 					tcb1_clk: tcb1_clk {
 						#clock-cells = <0>;
 						reg = <27>;
+						atmel,clk-output-range = <0 166000000>;
 					};
 				};
 			};


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 43/99] efi: Use early_mem*() instead of early_io*()
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 42/99] ARM: dts: at91: sama5d3: define clock rate range for tcb1 Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 15:53   ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 44/99] efi/x86: Map the entire EFI vendor string before copying it Ben Hutchings
                   ` (56 subsequent siblings)
  99 siblings, 1 reply; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Daniel Kiper, Matt Fleming, Mark Salter,
	Leif Lindholm

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Kiper <daniel.kiper@oracle.com>

commit abc93f8eb6e46a480485f19256bdbda36ec78a84 upstream.

Use early_mem*() instead of early_io*() because all mapped EFI regions
are memory (usually RAM but they could also be ROM, EPROM, EEPROM, flash,
etc.) not I/O regions. Additionally, I/O family calls do not work correctly
under Xen in our case. early_ioremap() skips the PFN to MFN conversion
when building the PTE. Using it for memory will attempt to map the wrong
machine frame. However, all artificial EFI structures created under Xen
live in dom0 memory and should be mapped/unmapped using early_mem*() family
calls which map domain memory.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Mark Salter <msalter@redhat.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/platform/efi/efi.c | 28 ++++++++++++++--------------
 drivers/firmware/efi/efi.c  |  4 ++--
 2 files changed, 16 insertions(+), 16 deletions(-)

--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -435,7 +435,7 @@ void __init efi_unmap_memmap(void)
 {
 	clear_bit(EFI_MEMMAP, &efi.flags);
 	if (memmap.map) {
-		early_iounmap(memmap.map, memmap.nr_map * memmap.desc_size);
+		early_memunmap(memmap.map, memmap.nr_map * memmap.desc_size);
 		memmap.map = NULL;
 	}
 }
@@ -475,12 +475,12 @@ static int __init efi_systab_init(void *
 			if (!data)
 				return -ENOMEM;
 		}
-		systab64 = early_ioremap((unsigned long)phys,
+		systab64 = early_memremap((unsigned long)phys,
 					 sizeof(*systab64));
 		if (systab64 == NULL) {
 			pr_err("Couldn't map the system table!\n");
 			if (data)
-				early_iounmap(data, sizeof(*data));
+				early_memunmap(data, sizeof(*data));
 			return -ENOMEM;
 		}
 
@@ -512,9 +512,9 @@ static int __init efi_systab_init(void *
 					   systab64->tables;
 		tmp |= data ? data->tables : systab64->tables;
 
-		early_iounmap(systab64, sizeof(*systab64));
+		early_memunmap(systab64, sizeof(*systab64));
 		if (data)
-			early_iounmap(data, sizeof(*data));
+			early_memunmap(data, sizeof(*data));
 #ifdef CONFIG_X86_32
 		if (tmp >> 32) {
 			pr_err("EFI data located above 4GB, disabling EFI.\n");
@@ -524,7 +524,7 @@ static int __init efi_systab_init(void *
 	} else {
 		efi_system_table_32_t *systab32;
 
-		systab32 = early_ioremap((unsigned long)phys,
+		systab32 = early_memremap((unsigned long)phys,
 					 sizeof(*systab32));
 		if (systab32 == NULL) {
 			pr_err("Couldn't map the system table!\n");
@@ -545,7 +545,7 @@ static int __init efi_systab_init(void *
 		efi_systab.nr_tables = systab32->nr_tables;
 		efi_systab.tables = systab32->tables;
 
-		early_iounmap(systab32, sizeof(*systab32));
+		early_memunmap(systab32, sizeof(*systab32));
 	}
 
 	efi.systab = &efi_systab;
@@ -571,7 +571,7 @@ static int __init efi_runtime_init32(voi
 {
 	efi_runtime_services_32_t *runtime;
 
-	runtime = early_ioremap((unsigned long)efi.systab->runtime,
+	runtime = early_memremap((unsigned long)efi.systab->runtime,
 			sizeof(efi_runtime_services_32_t));
 	if (!runtime) {
 		pr_err("Could not map the runtime service table!\n");
@@ -586,7 +586,7 @@ static int __init efi_runtime_init32(voi
 	efi_phys.set_virtual_address_map =
 			(efi_set_virtual_address_map_t *)
 			(unsigned long)runtime->set_virtual_address_map;
-	early_iounmap(runtime, sizeof(efi_runtime_services_32_t));
+	early_memunmap(runtime, sizeof(efi_runtime_services_32_t));
 
 	return 0;
 }
@@ -595,7 +595,7 @@ static int __init efi_runtime_init64(voi
 {
 	efi_runtime_services_64_t *runtime;
 
-	runtime = early_ioremap((unsigned long)efi.systab->runtime,
+	runtime = early_memremap((unsigned long)efi.systab->runtime,
 			sizeof(efi_runtime_services_64_t));
 	if (!runtime) {
 		pr_err("Could not map the runtime service table!\n");
@@ -610,7 +610,7 @@ static int __init efi_runtime_init64(voi
 	efi_phys.set_virtual_address_map =
 			(efi_set_virtual_address_map_t *)
 			(unsigned long)runtime->set_virtual_address_map;
-	early_iounmap(runtime, sizeof(efi_runtime_services_64_t));
+	early_memunmap(runtime, sizeof(efi_runtime_services_64_t));
 
 	return 0;
 }
@@ -641,7 +641,7 @@ static int __init efi_runtime_init(void)
 static int __init efi_memmap_init(void)
 {
 	/* Map the EFI memory map */
-	memmap.map = early_ioremap((unsigned long)memmap.phys_map,
+	memmap.map = early_memremap((unsigned long)memmap.phys_map,
 				   memmap.nr_map * memmap.desc_size);
 	if (memmap.map == NULL) {
 		pr_err("Could not map the memory map!\n");
@@ -745,14 +745,14 @@ void __init efi_init(void)
 	/*
 	 * Show what we know for posterity
 	 */
-	c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
+	c16 = tmp = early_memremap(efi.systab->fw_vendor, 2);
 	if (c16) {
 		for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
 			vendor[i] = *c16++;
 		vendor[i] = '\0';
 	} else
 		pr_err("Could not map the firmware vendor!\n");
-	early_iounmap(tmp, 2);
+	early_memunmap(tmp, 2);
 
 	pr_info("EFI v%u.%.02u by %s\n",
 		efi.systab->hdr.revision >> 16,
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -295,7 +295,7 @@ int __init efi_config_init(efi_config_ta
 			if (table64 >> 32) {
 				pr_cont("\n");
 				pr_err("Table located above 4GB, disabling EFI.\n");
-				early_iounmap(config_tables,
+				early_memunmap(config_tables,
 					       efi.systab->nr_tables * sz);
 				return -EINVAL;
 			}
@@ -311,7 +311,7 @@ int __init efi_config_init(efi_config_ta
 		tablep += sz;
 	}
 	pr_cont("\n");
-	early_iounmap(config_tables, efi.systab->nr_tables * sz);
+	early_memunmap(config_tables, efi.systab->nr_tables * sz);
 
 	set_bit(EFI_CONFIG_TABLES, &efi.flags);
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 44/99] efi/x86: Map the entire EFI vendor string before copying it
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 43/99] efi: Use early_mem*() instead of early_io*() Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 45/99] PCI: Don't disable bridge BARs when assigning bus resources Ben Hutchings
                   ` (55 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Matthew Garrett, Ard Biesheuvel,
	Ard Biesheuvel, linux-efi, Arvind Sankar, Andy Lutomirski,
	Ingo Molnar

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ardb@kernel.org>

commit ffc2760bcf2dba0dbef74013ed73eea8310cc52c upstream.

Fix a couple of issues with the way we map and copy the vendor string:
- we map only 2 bytes, which usually works since you get at least a
  page, but if the vendor string happens to cross a page boundary,
  a crash will result
- only call early_memunmap() if early_memremap() succeeded, or we will
  call it with a NULL address which it doesn't like,
- while at it, switch to early_memremap_ro(), and array indexing rather
  than pointer dereferencing to read the CHAR16 characters.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Matthew Garrett <mjg59@google.com>
Cc: linux-efi@vger.kernel.org
Fixes: 5b83683f32b1 ("x86: EFI runtime service support")
Link: https://lkml.kernel.org/r/20200103113953.9571-5-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: Keep using early_memremap() since
 early_memremap_ro() is not defined.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/platform/efi/efi.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -718,7 +718,6 @@ void __init efi_init(void)
 	efi_char16_t *c16;
 	char vendor[100] = "unknown";
 	int i = 0;
-	void *tmp;
 
 #ifdef CONFIG_X86_32
 	if (boot_params.efi_info.efi_systab_hi ||
@@ -745,14 +744,16 @@ void __init efi_init(void)
 	/*
 	 * Show what we know for posterity
 	 */
-	c16 = tmp = early_memremap(efi.systab->fw_vendor, 2);
+	c16 = early_memremap(efi.systab->fw_vendor,
+			     sizeof(vendor) * sizeof(efi_char16_t));
 	if (c16) {
-		for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
-			vendor[i] = *c16++;
+		for (i = 0; i < sizeof(vendor) - 1 && c16[i]; ++i)
+			vendor[i] = c16[i];
 		vendor[i] = '\0';
-	} else
+		early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t));
+	} else {
 		pr_err("Could not map the firmware vendor!\n");
-	early_memunmap(tmp, 2);
+	}
 
 	pr_info("EFI v%u.%.02u by %s\n",
 		efi.systab->hdr.revision >> 16,


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 45/99] PCI: Don't disable bridge BARs when assigning bus resources
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 44/99] efi/x86: Map the entire EFI vendor string before copying it Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 46/99] power: supply: sbs-battery: Fix a signedness bug in sbs_get_battery_capacity() Ben Hutchings
                   ` (54 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Logan Gunthorpe, Bjorn Helgaas, Kit Chow

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Logan Gunthorpe <logang@deltatee.com>

commit 9db8dc6d0785225c42a37be7b44d1b07b31b8957 upstream.

Some PCI bridges implement BARs in addition to bridge windows.  For
example, here's a PLX switch:

  04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI
            Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca)
	    (prog-if 00 [Normal decode])
      Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0
      Memory at 90a00000 (32-bit, non-prefetchable) [size=256K]
      Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0
      I/O behind bridge: 00002000-00003fff
      Memory behind bridge: 90000000-909fffff
      Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff

Previously, when the kernel assigned resource addresses (with the
pci=realloc command line parameter, for example) it could clear the struct
resource corresponding to the BAR.  When this happened, lspci would report
this BAR as "ignored":

   Region 0: Memory at <ignored> (32-bit, non-prefetchable) [size=256K]

This is because the kernel reports a zero start address and zero flags
in the corresponding sysfs resource file and in /proc/bus/pci/devices.
Investigation with 'lspci -x', however, shows the BIOS-assigned address
will still be programmed in the device's BAR registers.

It's clearly a bug that the kernel lost track of the BAR value, but in most
cases, this still won't result in a visible issue because nothing uses the
memory, so nothing is affected.  However, when an IOMMU is in use, it will
not reserve this space in the IOVA because the kernel no longer thinks the
range is valid.  (See dmar_init_reserved_ranges() for the Intel
implementation of this.)

Without the proper reserved range, a DMA mapping may allocate an IOVA that
matches a bridge BAR, which results in DMA accesses going to the BAR
instead of the intended RAM.

The problem was in pci_assign_unassigned_root_bus_resources().  When any
resource from a bridge device fails to get assigned, the code set the
resource's flags to zero.  This makes sense for bridge windows, as they
will be re-enabled later, but for regular BARs, it makes the kernel
permanently lose track of the fact that they decode address space.

Change pci_assign_unassigned_root_bus_resources() and
pci_assign_unassigned_bridge_resources() so they only clear "res->flags"
for bridge *windows*, not bridge BARs.

Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)")
Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com
[bhelgaas: commit log, check for pci_is_bridge()]
Reported-by: Kit Chow <kchow@gigaio.com>
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/setup-bus.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -1650,12 +1650,18 @@ again:
 	/* restore size and flags */
 	list_for_each_entry(fail_res, &fail_head, list) {
 		struct resource *res = fail_res->res;
+		int idx;
 
 		res->start = fail_res->start;
 		res->end = fail_res->end;
 		res->flags = fail_res->flags;
-		if (fail_res->dev->subordinate)
-			res->flags = 0;
+
+		if (pci_is_bridge(fail_res->dev)) {
+			idx = res - &fail_res->dev->resource[0];
+			if (idx >= PCI_BRIDGE_RESOURCES &&
+			    idx <= PCI_BRIDGE_RESOURCE_END)
+				res->flags = 0;
+		}
 	}
 	free_list(&fail_head);
 
@@ -1716,12 +1722,18 @@ again:
 	/* restore size and flags */
 	list_for_each_entry(fail_res, &fail_head, list) {
 		struct resource *res = fail_res->res;
+		int idx;
 
 		res->start = fail_res->start;
 		res->end = fail_res->end;
 		res->flags = fail_res->flags;
-		if (fail_res->dev->subordinate)
-			res->flags = 0;
+
+		if (pci_is_bridge(fail_res->dev)) {
+			idx = res - &fail_res->dev->resource[0];
+			if (idx >= PCI_BRIDGE_RESOURCES &&
+			    idx <= PCI_BRIDGE_RESOURCE_END)
+				res->flags = 0;
+		}
 	}
 	free_list(&fail_head);
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 46/99] power: supply: sbs-battery: Fix a signedness bug in sbs_get_battery_capacity()
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 45/99] PCI: Don't disable bridge BARs when assigning bus resources Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 47/99] dm space map common: fix to ensure new block isn't already in use Ben Hutchings
                   ` (53 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sebastian Reichel, Dan Carpenter

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit eb368de6de32925c65a97c1e929a31cae2155aee upstream.

The "mode" variable is an enum and in this context GCC treats it as an
unsigned int so the error handling is never triggered.

Fixes: 51d075660457 ("bq20z75: Add support for charge properties")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/power/sbs-battery.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/sbs-battery.c
+++ b/drivers/power/sbs-battery.c
@@ -400,7 +400,7 @@ static int sbs_get_battery_capacity(stru
 		mode = BATTERY_MODE_AMPS;
 
 	mode = sbs_set_battery_mode(client, mode);
-	if (mode < 0)
+	if ((int)mode < 0)
 		return mode;
 
 	ret = sbs_read_word_data(client, sbs_data[reg_offset].addr);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 47/99] dm space map common: fix to ensure new block isn't already in use
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 46/99] power: supply: sbs-battery: Fix a signedness bug in sbs_get_battery_capacity() Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 48/99] usb: dwc3: turn off VBUS when leaving host mode Ben Hutchings
                   ` (52 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Joe Thornber, Mike Snitzer, Eric Wheeler

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Thornber <ejt@redhat.com>

commit 4feaef830de7ffdd8352e1fe14ad3bf13c9688f8 upstream.

The space-maps track the reference counts for disk blocks allocated by
both the thin-provisioning and cache targets.  There are variants for
tracking metadata blocks and data blocks.

Transactionality is implemented by never touching blocks from the
previous transaction, so we can rollback in the event of a crash.

When allocating a new block we need to ensure the block is free (has
reference count of 0) in both the current and previous transaction.
Prior to this fix we were doing this by searching for a free block in
the previous transaction, and relying on a 'begin' counter to track
where the last allocation in the current transaction was.  This
'begin' field was not being updated in all code paths (eg, increment
of a data block reference count due to breaking sharing of a neighbour
block in the same btree leaf).

This fix keeps the 'begin' field, but now it's just a hint to speed up
the search.  Instead the current transaction is searched for a free
block, and then the old transaction is double checked to ensure it's
free.  Much simpler.

This fixes reports of sm_disk_new_block()'s BUG_ON() triggering when
DM thin-provisioning's snapshots are heavily used.

Reported-by: Eric Wheeler <dm-devel@lists.ewheeler.net>
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 .../md/persistent-data/dm-space-map-common.c  | 27 +++++++++++++++++++
 .../md/persistent-data/dm-space-map-common.h  |  2 ++
 .../md/persistent-data/dm-space-map-disk.c    |  6 +++--
 .../persistent-data/dm-space-map-metadata.c   |  5 +++-
 4 files changed, 37 insertions(+), 3 deletions(-)

--- a/drivers/md/persistent-data/dm-space-map-common.c
+++ b/drivers/md/persistent-data/dm-space-map-common.c
@@ -384,6 +384,33 @@ int sm_ll_find_free_block(struct ll_disk
 	return -ENOSPC;
 }
 
+int sm_ll_find_common_free_block(struct ll_disk *old_ll, struct ll_disk *new_ll,
+	                         dm_block_t begin, dm_block_t end, dm_block_t *b)
+{
+	int r;
+	uint32_t count;
+
+	do {
+		r = sm_ll_find_free_block(new_ll, begin, new_ll->nr_blocks, b);
+		if (r)
+			break;
+
+		/* double check this block wasn't used in the old transaction */
+		if (*b >= old_ll->nr_blocks)
+			count = 0;
+		else {
+			r = sm_ll_lookup(old_ll, *b, &count);
+			if (r)
+				break;
+
+			if (count)
+				begin = *b + 1;
+		}
+	} while (count);
+
+	return r;
+}
+
 static int sm_ll_mutate(struct ll_disk *ll, dm_block_t b,
 			int (*mutator)(void *context, uint32_t old, uint32_t *new),
 			void *context, enum allocation_event *ev)
--- a/drivers/md/persistent-data/dm-space-map-common.h
+++ b/drivers/md/persistent-data/dm-space-map-common.h
@@ -109,6 +109,8 @@ int sm_ll_lookup_bitmap(struct ll_disk *
 int sm_ll_lookup(struct ll_disk *ll, dm_block_t b, uint32_t *result);
 int sm_ll_find_free_block(struct ll_disk *ll, dm_block_t begin,
 			  dm_block_t end, dm_block_t *result);
+int sm_ll_find_common_free_block(struct ll_disk *old_ll, struct ll_disk *new_ll,
+	                         dm_block_t begin, dm_block_t end, dm_block_t *result);
 int sm_ll_insert(struct ll_disk *ll, dm_block_t b, uint32_t ref_count, enum allocation_event *ev);
 int sm_ll_inc(struct ll_disk *ll, dm_block_t b, enum allocation_event *ev);
 int sm_ll_dec(struct ll_disk *ll, dm_block_t b, enum allocation_event *ev);
--- a/drivers/md/persistent-data/dm-space-map-disk.c
+++ b/drivers/md/persistent-data/dm-space-map-disk.c
@@ -165,8 +165,10 @@ static int sm_disk_new_block(struct dm_s
 	enum allocation_event ev;
 	struct sm_disk *smd = container_of(sm, struct sm_disk, sm);
 
-	/* FIXME: we should loop round a couple of times */
-	r = sm_ll_find_free_block(&smd->old_ll, smd->begin, smd->old_ll.nr_blocks, b);
+	/*
+	 * Any block we allocate has to be free in both the old and current ll.
+	 */
+	r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b);
 	if (r)
 		return r;
 
--- a/drivers/md/persistent-data/dm-space-map-metadata.c
+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
@@ -447,7 +447,10 @@ static int sm_metadata_new_block_(struct
 	enum allocation_event ev;
 	struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
 
-	r = sm_ll_find_free_block(&smm->old_ll, smm->begin, smm->old_ll.nr_blocks, b);
+	/*
+	 * Any block we allocate has to be free in both the old and current ll.
+	 */
+	r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b);
 	if (r)
 		return r;
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 48/99] usb: dwc3: turn off VBUS when leaving host mode
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 47/99] dm space map common: fix to ensure new block isn't already in use Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 49/99] usb: gadget: f_ncm: Use atomic_t to track in-flight request Ben Hutchings
                   ` (51 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sasha Levin, Felipe Balbi, Bin Liu,
	Greg Kroah-Hartman

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Liu <b-liu@ti.com>

commit 09ed259fac621634d51cd986aa8d65f035662658 upstream.

VBUS should be turned off when leaving the host mode.
Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to
turn off VBUS power.

Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function")
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -614,6 +614,9 @@ static void dwc3_core_exit_mode(struct d
 		/* do nothing */
 		break;
 	}
+
+	/* de-assert DRVVBUS for HOST and OTG mode */
+	dwc3_set_mode(dwc, DWC3_GCTL_PRTCAP_DEVICE);
 }
 
 #define DWC3_ALIGN_MASK		(16 - 1)


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 49/99] usb: gadget: f_ncm: Use atomic_t to track in-flight request
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (47 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 48/99] usb: dwc3: turn off VBUS when leaving host mode Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 50/99] usb: gadget: f_ecm: " Ben Hutchings
                   ` (50 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Felipe Balbi, Greg Kroah-Hartman,
	Bryan O'Donoghue

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

commit 5b24c28cfe136597dc3913e1c00b119307a20c7e upstream.

Currently ncm->notify_req is used to flag when a request is in-flight.
ncm->notify_req is set to NULL and when a request completes it is
subsequently reset.

This is fundamentally buggy in that the unbind logic of the NCM driver will
unconditionally free ncm->notify_req leading to a NULL pointer dereference.

Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/f_ncm.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/f_ncm.c
+++ b/drivers/usb/gadget/f_ncm.c
@@ -57,6 +57,7 @@ struct f_ncm {
 	struct usb_ep			*notify;
 	struct usb_request		*notify_req;
 	u8				notify_state;
+	atomic_t			notify_count;
 	bool				is_open;
 
 	const struct ndp_parser_opts	*parser_opts;
@@ -460,7 +461,7 @@ static void ncm_do_notify(struct f_ncm *
 	int				status;
 
 	/* notification already in flight? */
-	if (!req)
+	if (atomic_read(&ncm->notify_count))
 		return;
 
 	event = req->buf;
@@ -500,7 +501,8 @@ static void ncm_do_notify(struct f_ncm *
 	event->bmRequestType = 0xA1;
 	event->wIndex = cpu_to_le16(ncm->ctrl_id);
 
-	ncm->notify_req = NULL;
+	atomic_inc(&ncm->notify_count);
+
 	/*
 	 * In double buffering if there is a space in FIFO,
 	 * completion callback can be called right after the call,
@@ -510,7 +512,7 @@ static void ncm_do_notify(struct f_ncm *
 	status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC);
 	spin_lock(&ncm->lock);
 	if (status < 0) {
-		ncm->notify_req = req;
+		atomic_dec(&ncm->notify_count);
 		DBG(cdev, "notify --> %d\n", status);
 	}
 }
@@ -545,17 +547,19 @@ static void ncm_notify_complete(struct u
 	case 0:
 		VDBG(cdev, "Notification %02x sent\n",
 		     event->bNotificationType);
+		atomic_dec(&ncm->notify_count);
 		break;
 	case -ECONNRESET:
 	case -ESHUTDOWN:
+		atomic_set(&ncm->notify_count, 0);
 		ncm->notify_state = NCM_NOTIFY_NONE;
 		break;
 	default:
 		DBG(cdev, "event %02x --> %d\n",
 			event->bNotificationType, req->status);
+		atomic_dec(&ncm->notify_count);
 		break;
 	}
-	ncm->notify_req = req;
 	ncm_do_notify(ncm);
 	spin_unlock(&ncm->lock);
 }
@@ -1382,6 +1386,11 @@ static void ncm_unbind(struct usb_config
 
 	usb_free_all_descriptors(f);
 
+	if (atomic_read(&ncm->notify_count)) {
+		usb_ep_dequeue(ncm->notify, ncm->notify_req);
+		atomic_set(&ncm->notify_count, 0);
+	}
+
 	kfree(ncm->notify_req->buf);
 	usb_ep_free_request(ncm->notify, ncm->notify_req);
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 50/99] usb: gadget: f_ecm: Use atomic_t to track in-flight request
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 49/99] usb: gadget: f_ncm: Use atomic_t to track in-flight request Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 51/99] staging: wlan-ng: ensure error return is actually returned Ben Hutchings
                   ` (49 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Bryan O'Donoghue,
	Felipe Balbi

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

commit d710562e01c48d59be3f60d58b7a85958b39aeda upstream.

Currently ecm->notify_req is used to flag when a request is in-flight.
ecm->notify_req is set to NULL and when a request completes it is
subsequently reset.

This is fundamentally buggy in that the unbind logic of the ECM driver will
unconditionally free ecm->notify_req leading to a NULL pointer dereference.

Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function")
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/f_ecm.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/f_ecm.c
+++ b/drivers/usb/gadget/f_ecm.c
@@ -56,6 +56,7 @@ struct f_ecm {
 	struct usb_ep			*notify;
 	struct usb_request		*notify_req;
 	u8				notify_state;
+	atomic_t			notify_count;
 	bool				is_open;
 
 	/* FIXME is_open needs some irq-ish locking
@@ -384,7 +385,7 @@ static void ecm_do_notify(struct f_ecm *
 	int				status;
 
 	/* notification already in flight? */
-	if (!req)
+	if (atomic_read(&ecm->notify_count))
 		return;
 
 	event = req->buf;
@@ -424,10 +425,10 @@ static void ecm_do_notify(struct f_ecm *
 	event->bmRequestType = 0xA1;
 	event->wIndex = cpu_to_le16(ecm->ctrl_id);
 
-	ecm->notify_req = NULL;
+	atomic_inc(&ecm->notify_count);
 	status = usb_ep_queue(ecm->notify, req, GFP_ATOMIC);
 	if (status < 0) {
-		ecm->notify_req = req;
+		atomic_dec(&ecm->notify_count);
 		DBG(cdev, "notify --> %d\n", status);
 	}
 }
@@ -452,17 +453,19 @@ static void ecm_notify_complete(struct u
 	switch (req->status) {
 	case 0:
 		/* no fault */
+		atomic_dec(&ecm->notify_count);
 		break;
 	case -ECONNRESET:
 	case -ESHUTDOWN:
+		atomic_set(&ecm->notify_count, 0);
 		ecm->notify_state = ECM_NOTIFY_NONE;
 		break;
 	default:
 		DBG(cdev, "event %02x --> %d\n",
 			event->bNotificationType, req->status);
+		atomic_dec(&ecm->notify_count);
 		break;
 	}
-	ecm->notify_req = req;
 	ecm_do_notify(ecm);
 }
 
@@ -922,6 +925,11 @@ static void ecm_unbind(struct usb_config
 
 	usb_free_all_descriptors(f);
 
+	if (atomic_read(&ecm->notify_count)) {
+		usb_ep_dequeue(ecm->notify, ecm->notify_req);
+		atomic_set(&ecm->notify_count, 0);
+	}
+
 	kfree(ecm->notify_req->buf);
 	usb_ep_free_request(ecm->notify, ecm->notify_req);
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 51/99] staging: wlan-ng: ensure error return is actually returned
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (49 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 50/99] usb: gadget: f_ecm: " Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 52/99] nfs: NFS_SWAP should depend on SWAP Ben Hutchings
                   ` (48 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Colin Ian King

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 upstream.

Currently when the call to prism2sta_ifst fails a netdev_err error
is reported, error return variable result is set to -1 but the
function always returns 0 for success.  Fix this by returning
the error value in variable result rather than 0.

Addresses-Coverity: ("Unused value")
Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/wlan-ng/prism2mgmt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/wlan-ng/prism2mgmt.c
+++ b/drivers/staging/wlan-ng/prism2mgmt.c
@@ -939,7 +939,7 @@ int prism2mgmt_flashdl_state(wlandevice_
 		}
 	}
 
-	return 0;
+	return result;
 }
 
 /*----------------------------------------------------------------


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 52/99] nfs: NFS_SWAP should depend on SWAP
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (50 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 51/99] staging: wlan-ng: ensure error return is actually returned Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 53/99] ubifs: Fix deadlock in concurrent bulk-read and writepage Ben Hutchings
                   ` (47 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Geert Uytterhoeven, Anna Schumaker

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 474c4f306eefbb21b67ebd1de802d005c7d7ecdc upstream.

If CONFIG_SWAP=n, it does not make much sense to offer the user the
option to enable support for swapping over NFS, as that will still fail
at run time:

    # swapon /swap
    swapon: /swap: swapon failed: Function not implemented

Fix this by adding a dependency on CONFIG_SWAP.

Fixes: a564b8f0398636ba ("nfs: enable swap on NFS")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -89,7 +89,7 @@ config NFS_V4
 config NFS_SWAP
 	bool "Provide swap over NFS support"
 	default n
-	depends on NFS_FS
+	depends on NFS_FS && SWAP
 	select SUNRPC_SWAP
 	help
 	  This option enables swapon to work on files located on NFS mounts.


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 53/99] ubifs: Fix deadlock in concurrent bulk-read and writepage
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 52/99] nfs: NFS_SWAP should depend on SWAP Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 54/99] x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR Ben Hutchings
                   ` (46 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Zhihao Cheng, zhangyi (F), Richard Weinberger

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zhihao Cheng <chengzhihao1@huawei.com>

commit f5de5b83303e61b1f3fb09bd77ce3ac2d7a475f2 upstream.

In ubifs, concurrent execution of writepage and bulk read on the same file
may cause ABBA deadlock, for example (Reproduce method see Link):

Process A(Bulk-read starts from page4)         Process B(write page4 back)
  vfs_read                                       wb_workfn or fsync
  ...                                            ...
  generic_file_buffered_read                     write_cache_pages
    ubifs_readpage                                 LOCK(page4)

      ubifs_bulk_read                              ubifs_writepage
        LOCK(ui->ui_mutex)                           ubifs_write_inode

	  ubifs_do_bulk_read                           LOCK(ui->ui_mutex)
	    find_or_create_page(alloc page4)                  ↑
	      LOCK(page4)                   <--     ABBA deadlock occurs!

In order to ensure the serialization execution of bulk read, we can't
remove the big lock 'ui->ui_mutex' in ubifs_bulk_read(). Instead, we
allow ubifs_do_bulk_read() to lock page failed by replacing
find_or_create_page(FGP_LOCK) with
pagecache_get_page(FGP_LOCK | FGP_NOWAIT).

Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Suggested-by: zhangyi (F) <yi.zhang@huawei.com>
Fixes: 4793e7c5e1c ("UBIFS: add bulk-read facility")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206153
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16: Keep using constant GFP flags parameter.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ubifs/file.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
@@ -782,8 +782,9 @@ static int ubifs_do_bulk_read(struct ubi
 
 		if (page_offset > end_index)
 			break;
-		page = find_or_create_page(mapping, page_offset,
-					   GFP_NOFS | __GFP_COLD);
+		page = pagecache_get_page(mapping, page_offset,
+				 FGP_LOCK|FGP_ACCESSED|FGP_CREAT|FGP_NOWAIT,
+				 GFP_NOFS | __GFP_COLD);
 		if (!page)
 			break;
 		if (!PageUptodate(page))


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 54/99] x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 53/99] ubifs: Fix deadlock in concurrent bulk-read and writepage Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 55/99] jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal Ben Hutchings
                   ` (45 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Josh Poimboeuf, Dave Hansen,
	Neelima Krishnan, Thomas Gleixner, Pawan Gupta

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

commit 5efc6fa9044c3356d6046c6e1da6d02572dbed6b upstream.

/proc/cpuinfo currently reports Hardware Lock Elision (HLE) feature to
be present on boot cpu even if it was disabled during the bootup. This
is because cpuinfo_x86->x86_capability HLE bit is not updated after TSX
state is changed via the new MSR IA32_TSX_CTRL.

Update the cached HLE bit also since it is expected to change after an
update to CPUID_CLEAR bit in MSR IA32_TSX_CTRL.

Fixes: 95c5824f75f3 ("x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default")
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lore.kernel.org/r/2529b99546294c893dfa1c89e2b3e46da3369a59.1578685425.git.pawan.kumar.gupta@linux.intel.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/tsx.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/arch/x86/kernel/cpu/tsx.c
+++ b/arch/x86/kernel/cpu/tsx.c
@@ -115,11 +115,12 @@ void __init tsx_init(void)
 		tsx_disable();
 
 		/*
-		 * tsx_disable() will change the state of the
-		 * RTM CPUID bit.  Clear it here since it is now
-		 * expected to be not set.
+		 * tsx_disable() will change the state of the RTM and HLE CPUID
+		 * bits. Clear them here since they are now expected to be not
+		 * set.
 		 */
 		setup_clear_cpu_cap(X86_FEATURE_RTM);
+		setup_clear_cpu_cap(X86_FEATURE_HLE);
 	} else if (tsx_ctrl_state == TSX_CTRL_ENABLE) {
 
 		/*
@@ -131,10 +132,10 @@ void __init tsx_init(void)
 		tsx_enable();
 
 		/*
-		 * tsx_enable() will change the state of the
-		 * RTM CPUID bit.  Force it here since it is now
-		 * expected to be set.
+		 * tsx_enable() will change the state of the RTM and HLE CPUID
+		 * bits. Force them here since they are now expected to be set.
 		 */
 		setup_force_cpu_cap(X86_FEATURE_RTM);
+		setup_force_cpu_cap(X86_FEATURE_HLE);
 	}
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 55/99] jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 54/99] x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 56/99] KVM: arm64: Only sign-extend MMIO up to register width Ben Hutchings
                   ` (44 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Theodore Ts'o, Kai Li

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai Li <li.kai4@h3c.com>

commit a09decff5c32060639a685581c380f51b14e1fc2 upstream.

If the journal is dirty when the filesystem is mounted, jbd2 will replay
the journal but the journal superblock will not be updated by
journal_reset() because JBD2_ABORT flag is still set (it was set in
journal_init_common()). This is problematic because when a new transaction
is then committed, it will be recorded in block 1 (journal->j_tail was set
to 1 in journal_reset()). If unclean shutdown happens again before the
journal superblock is updated, the new recorded transaction will not be
replayed during the next mount (because of stale sb->s_start and
sb->s_sequence values) which can lead to filesystem corruption.

Fixes: 85e0c4e89c1b ("jbd2: if the journal is aborted then don't allow update of the log tail")
Signed-off-by: Kai Li <li.kai4@h3c.com>
Link: https://lore.kernel.org/r/20200111022542.5008-1-li.kai4@h3c.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/jbd2/journal.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1674,6 +1674,11 @@ int jbd2_journal_load(journal_t *journal
 		       journal->j_devname);
 		return -EIO;
 	}
+	/*
+	 * clear JBD2_ABORT flag initialized in journal_init_common
+	 * here to update log tail information with the newest seq.
+	 */
+	journal->j_flags &= ~JBD2_ABORT;
 
 	/* OK, we've finished with the dynamic journal bits:
 	 * reinitialise the dynamic contents of the superblock in memory
@@ -1681,7 +1686,6 @@ int jbd2_journal_load(journal_t *journal
 	if (journal_reset(journal))
 		goto recovery_error;
 
-	journal->j_flags &= ~JBD2_ABORT;
 	journal->j_flags |= JBD2_LOADED;
 	return 0;
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 56/99] KVM: arm64: Only sign-extend MMIO up to register width
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 55/99] jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 57/99] sparc32: fix struct ipc64_perm type definition Ben Hutchings
                   ` (43 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Marc Zyngier, Christoffer Dall

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christoffer Dall <christoffer.dall@arm.com>

commit b6ae256afd32f96bec0117175b329d0dd617655e upstream.

On AArch64 you can do a sign-extended load to either a 32-bit or 64-bit
register, and we should only sign extend the register up to the width of
the register as specified in the operation (by using the 32-bit Wn or
64-bit Xn register specifier).

As it turns out, the architecture provides this decoding information in
the SF ("Sixty-Four" -- how cute...) bit.

Let's take advantage of this with the usual 32-bit/64-bit header file
dance and do the right thing on AArch64 hosts.

Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20191212195055.5541-1-christoffer.dall@arm.com
[bwh: Backported to 3.16:
 - Use ESR_EL2_SF
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/kvm_emulate.h   | 5 +++++
 arch/arm/include/asm/kvm_mmio.h      | 2 ++
 arch/arm/kvm/mmio.c                  | 6 ++++++
 arch/arm64/include/asm/kvm_emulate.h | 5 +++++
 arch/arm64/include/asm/kvm_mmio.h    | 6 ++----
 5 files changed, 20 insertions(+), 4 deletions(-)

--- a/arch/arm/include/asm/kvm_emulate.h
+++ b/arch/arm/include/asm/kvm_emulate.h
@@ -105,6 +105,11 @@ static inline bool kvm_vcpu_dabt_issext(
 	return kvm_vcpu_get_hsr(vcpu) & HSR_SSE;
 }
 
+static inline bool kvm_vcpu_dabt_issf(const struct kvm_vcpu *vcpu)
+{
+	return false;
+}
+
 static inline int kvm_vcpu_dabt_get_rd(struct kvm_vcpu *vcpu)
 {
 	return (kvm_vcpu_get_hsr(vcpu) & HSR_SRT_MASK) >> HSR_SRT_SHIFT;
--- a/arch/arm/include/asm/kvm_mmio.h
+++ b/arch/arm/include/asm/kvm_mmio.h
@@ -26,6 +26,8 @@
 struct kvm_decode {
 	unsigned long rt;
 	bool sign_extend;
+	/* Not used on 32-bit arm */
+	bool sixty_four;
 };
 
 /*
--- a/arch/arm64/include/asm/kvm_emulate.h
+++ b/arch/arm64/include/asm/kvm_emulate.h
@@ -140,6 +140,11 @@ static inline bool kvm_vcpu_dabt_issext(
 	return !!(kvm_vcpu_get_hsr(vcpu) & ESR_EL2_SSE);
 }
 
+static inline bool kvm_vcpu_dabt_issf(const struct kvm_vcpu *vcpu)
+{
+	return !!(kvm_vcpu_get_hsr(vcpu) & ESR_EL2_SF);
+}
+
 static inline int kvm_vcpu_dabt_get_rd(const struct kvm_vcpu *vcpu)
 {
 	return (kvm_vcpu_get_hsr(vcpu) & ESR_EL2_SRT_MASK) >> ESR_EL2_SRT_SHIFT;
--- a/arch/arm64/include/asm/kvm_mmio.h
+++ b/arch/arm64/include/asm/kvm_mmio.h
@@ -22,13 +22,11 @@
 #include <asm/kvm_asm.h>
 #include <asm/kvm_arm.h>
 
-/*
- * This is annoying. The mmio code requires this, even if we don't
- * need any decoding. To be fixed.
- */
 struct kvm_decode {
 	unsigned long rt;
 	bool sign_extend;
+	/* Witdth of the register accessed by the faulting instruction is 64-bits */
+	bool sixty_four;
 };
 
 /*
--- a/arch/arm/kvm/mmio.c
+++ b/arch/arm/kvm/mmio.c
@@ -112,6 +112,9 @@ int kvm_handle_mmio_return(struct kvm_vc
 			data = (data ^ mask) - mask;
 		}
 
+		if (!vcpu->arch.mmio_decode.sixty_four)
+			data = data & 0xffffffff;
+
 		trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
 			       &data);
 		data = vcpu_data_host_to_guest(vcpu, data, len);
@@ -127,6 +130,7 @@ static int decode_hsr(struct kvm_vcpu *v
 	unsigned long rt;
 	int len;
 	bool is_write, sign_extend;
+	bool sixty_four;
 
 	if (kvm_vcpu_dabt_isextabt(vcpu)) {
 		/* cache operation on I/O addr, tell guest unsupported */
@@ -146,6 +150,7 @@ static int decode_hsr(struct kvm_vcpu *v
 
 	is_write = kvm_vcpu_dabt_iswrite(vcpu);
 	sign_extend = kvm_vcpu_dabt_issext(vcpu);
+	sixty_four = kvm_vcpu_dabt_issf(vcpu);
 	rt = kvm_vcpu_dabt_get_rd(vcpu);
 
 	mmio->is_write = is_write;
@@ -153,6 +158,7 @@ static int decode_hsr(struct kvm_vcpu *v
 	mmio->len = len;
 	vcpu->arch.mmio_decode.sign_extend = sign_extend;
 	vcpu->arch.mmio_decode.rt = rt;
+	vcpu->arch.mmio_decode.sixty_four = sixty_four;
 
 	/*
 	 * The MMIO instruction is emulated and should not be re-executed


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 57/99] sparc32: fix struct ipc64_perm type definition
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (55 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 56/99] KVM: arm64: Only sign-extend MMIO up to register width Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 58/99] KVM: x86: Don't let userspace set host-reserved cr4 bits Ben Hutchings
                   ` (42 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dmitry V . Levin, Arnd Bergmann,
	Rich Felker, libc-alpha, David S. Miller, Sam Ravnborg

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 34ca70ef7d3a9fa7e89151597db5e37ae1d429b4 upstream.

As discussed in the strace issue tracker, it appears that the sparc32
sysvipc support has been broken for the past 11 years. It was however
working in compat mode, which is how it must have escaped most of the
regular testing.

The problem is that a cleanup patch inadvertently changed the uid/gid
fields in struct ipc64_perm from 32-bit types to 16-bit types in uapi
headers.

Both glibc and uclibc-ng still use the original types, so they should
work fine with compat mode, but not natively.  Change the definitions
to use __kernel_uid32_t and __kernel_gid32_t again.

Fixes: 83c86984bff2 ("sparc: unify ipcbuf.h")
Link: https://github.com/strace/strace/issues/116
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: "Dmitry V . Levin" <ldv@altlinux.org>
Cc: Rich Felker <dalias@libc.org>
Cc: libc-alpha@sourceware.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sparc/include/uapi/asm/ipcbuf.h | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- a/arch/sparc/include/uapi/asm/ipcbuf.h
+++ b/arch/sparc/include/uapi/asm/ipcbuf.h
@@ -14,19 +14,19 @@
 
 struct ipc64_perm
 {
-	__kernel_key_t	key;
-	__kernel_uid_t	uid;
-	__kernel_gid_t	gid;
-	__kernel_uid_t	cuid;
-	__kernel_gid_t	cgid;
+	__kernel_key_t		key;
+	__kernel_uid32_t	uid;
+	__kernel_gid32_t	gid;
+	__kernel_uid32_t	cuid;
+	__kernel_gid32_t	cgid;
 #ifndef __arch64__
-	unsigned short	__pad0;
+	unsigned short		__pad0;
 #endif
-	__kernel_mode_t	mode;
-	unsigned short	__pad1;
-	unsigned short	seq;
-	unsigned long long __unused1;
-	unsigned long long __unused2;
+	__kernel_mode_t		mode;
+	unsigned short		__pad1;
+	unsigned short		seq;
+	unsigned long long	__unused1;
+	unsigned long long	__unused2;
 };
 
 #endif /* __SPARC_IPCBUF_H */


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 58/99] KVM: x86: Don't let userspace set host-reserved cr4 bits
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 57/99] sparc32: fix struct ipc64_perm type definition Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 59/99] KVM: nVMX: vmread should not set rflags to specify success in case of #PF Ben Hutchings
                   ` (41 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sean Christopherson, Paolo Bonzini, Jun Nakajima

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit b11306b53b2540c6ba068c4deddb6a17d9f8d95b upstream.

Calculate the host-reserved cr4 bits at runtime based on the system's
capabilities (using logic similar to __do_cpuid_func()), and use the
dynamically generated mask for the reserved bit check in kvm_set_cr4()
instead using of the static CR4_RESERVED_BITS define.  This prevents
userspace from "enabling" features in cr4 that are not supported by the
system, e.g. by ignoring KVM_GET_SUPPORTED_CPUID and specifying a bogus
CPUID for the vCPU.

Allowing userspace to set unsupported bits in cr4 can lead to a variety
of undesirable behavior, e.g. failed VM-Enter, and in general increases
KVM's attack surface.  A crafty userspace can even abuse CR4.LA57 to
induce an unchecked #GP on a WRMSR.

On a platform without LA57 support:

  KVM_SET_CPUID2 // CPUID_7_0_ECX.LA57 = 1
  KVM_SET_SREGS  // CR4.LA57 = 1
  KVM_SET_MSRS   // KERNEL_GS_BASE = 0x0004000000000000
  KVM_RUN

leads to a #GP when writing KERNEL_GS_BASE into hardware:

  unchecked MSR access error: WRMSR to 0xc0000102 (tried to write 0x0004000000000000)
  at rIP: 0xffffffffa00f239a (vmx_prepare_switch_to_guest+0x10a/0x1d0 [kvm_intel])
  Call Trace:
   kvm_arch_vcpu_ioctl_run+0x671/0x1c70 [kvm]
   kvm_vcpu_ioctl+0x36b/0x5d0 [kvm]
   do_vfs_ioctl+0xa1/0x620
   ksys_ioctl+0x66/0x70
   __x64_sys_ioctl+0x16/0x20
   do_syscall_64+0x4c/0x170
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x7fc08133bf47

Note, the above sequence fails VM-Enter due to invalid guest state.
Userspace can allow VM-Enter to succeed (after the WRMSR #GP) by adding
a KVM_SET_SREGS w/ CR4.LA57=0 after KVM_SET_MSRS, in which case KVM will
technically leak the host's KERNEL_GS_BASE into the guest.  But, as
KERNEL_GS_BASE is a userspace-defined value/address, the leak is largely
benign as a malicious userspace would simply be exposing its own data to
the guest, and attacking a benevolent userspace would require multiple
bugs in the userspace VMM.

Cc: Jun Nakajima <jun.nakajima@intel.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16:
 - PKE, LA57, and UMIP are totally unsupported and already included in
   CR4_RESERVED_BITS
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -82,6 +82,8 @@ u64 __read_mostly efer_reserved_bits = ~
 static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE);
 #endif
 
+static u64 __read_mostly cr4_reserved_bits = CR4_RESERVED_BITS;
+
 #define VM_STAT(x) offsetof(struct kvm, stat.x), KVM_STAT_VM
 #define VCPU_STAT(x) offsetof(struct kvm_vcpu, stat.x), KVM_STAT_VCPU
 
@@ -660,13 +662,32 @@ int kvm_set_xcr(struct kvm_vcpu *vcpu, u
 }
 EXPORT_SYMBOL_GPL(kvm_set_xcr);
 
+static u64 kvm_host_cr4_reserved_bits(struct cpuinfo_x86 *c)
+{
+	u64 reserved_bits = CR4_RESERVED_BITS;
+
+	if (!cpu_has(c, X86_FEATURE_XSAVE))
+		reserved_bits |= X86_CR4_OSXSAVE;
+
+	if (!cpu_has(c, X86_FEATURE_SMEP))
+		reserved_bits |= X86_CR4_SMEP;
+
+	if (!cpu_has(c, X86_FEATURE_SMAP))
+		reserved_bits |= X86_CR4_SMAP;
+
+	if (!cpu_has(c, X86_FEATURE_FSGSBASE))
+		reserved_bits |= X86_CR4_FSGSBASE;
+
+	return reserved_bits;
+}
+
 int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
 {
 	unsigned long old_cr4 = kvm_read_cr4(vcpu);
 	unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
 				   X86_CR4_SMEP | X86_CR4_SMAP;
 
-	if (cr4 & CR4_RESERVED_BITS)
+	if (cr4 & cr4_reserved_bits)
 		return 1;
 
 	if (!guest_cpuid_has_xsave(vcpu) && (cr4 & X86_CR4_OSXSAVE))
@@ -7220,6 +7241,8 @@ int kvm_arch_hardware_setup(void)
 	if (r != 0)
 		return r;
 
+	cr4_reserved_bits = kvm_host_cr4_reserved_bits(&boot_cpu_data);
+
 	kvm_init_msr_list();
 	return 0;
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 59/99] KVM: nVMX: vmread should not set rflags to specify success in case of #PF
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (57 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 58/99] KVM: x86: Don't let userspace set host-reserved cr4 bits Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 60/99] x86: kvm: avoid unused variable warning Ben Hutchings
                   ` (40 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Miaohe Lin, Paolo Bonzini,
	Sean Christopherson, Liran Alon

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miaohe Lin <linmiaohe@huawei.com>

commit a4d956b9390418623ae5d07933e2679c68b6f83c upstream.

In case writing to vmread destination operand result in a #PF, vmread
should not call nested_vmx_succeed() to set rflags to specify success.
Similar to as done in VMPTRST (See handle_vmptrst()).

Reviewed-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/vmx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6455,8 +6455,10 @@ static int handle_vmread(struct kvm_vcpu
 		/* _system ok, as nested_vmx_check_permission verified cpl=0 */
 		if (kvm_write_guest_virt_system(vcpu, gva, &field_value,
 						(is_long_mode(vcpu) ? 8 : 4),
-						&e))
+						&e)) {
 			kvm_inject_page_fault(vcpu, &e);
+			return 1;
+		}
 	}
 
 	nested_vmx_succeed(vcpu);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 60/99] x86: kvm: avoid unused variable warning
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 59/99] KVM: nVMX: vmread should not set rflags to specify success in case of #PF Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 61/99] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM Ben Hutchings
                   ` (39 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Paolo Bonzini, Arnd Bergmann

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 7288bde1f9df6c1475675419bdd7725ce84dec56 upstream.

Removing one of the two accesses of the maxphyaddr variable led to
a harmless warning:

arch/x86/kvm/x86.c: In function 'kvm_set_mmio_spte_mask':
arch/x86/kvm/x86.c:6563:6: error: unused variable 'maxphyaddr' [-Werror=unused-variable]

Removing the #ifdef seems to be the nicest workaround, as it
makes the code look cleaner than adding another #ifdef.

Fixes: 28a1f3ac1d0c ("kvm: x86: Set highest physical address bits in non-present/reserved SPTEs")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5730,14 +5730,12 @@ static void kvm_set_mmio_spte_mask(void)
 	/* Set the present bit. */
 	mask |= 1ull;
 
-#ifdef CONFIG_X86_64
 	/*
 	 * If reserved bit is not supported, clear the present bit to disable
 	 * mmio page fault.
 	 */
-	if (maxphyaddr == 52)
+	if (IS_ENABLED(CONFIG_X86_64) && maxphyaddr == 52)
 		mask &= ~1ull;
-#endif
 
 	kvm_mmu_set_mmio_spte_mask(mask);
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 61/99] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (59 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 60/99] x86: kvm: avoid unused variable warning Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 62/99] USB: serial: ir-usb: add missing endpoint sanity check Ben Hutchings
                   ` (38 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paolo Bonzini, Sean Christopherson

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit e30a7d623dccdb3f880fbcad980b0cb589a1da45 upstream.

Remove the bogus 64-bit only condition from the check that disables MMIO
spte optimization when the system supports the max PA, i.e. doesn't have
any reserved PA bits.  32-bit KVM always uses PAE paging for the shadow
MMU, and per Intel's SDM:

  PAE paging translates 32-bit linear addresses to 52-bit physical
  addresses.

The kernel's restrictions on max physical addresses are limits on how
much memory the kernel can reasonably use, not what physical addresses
are supported by hardware.

Fixes: ce88decffd17 ("KVM: MMU: mmio page fault support")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5734,7 +5734,7 @@ static void kvm_set_mmio_spte_mask(void)
 	 * If reserved bit is not supported, clear the present bit to disable
 	 * mmio page fault.
 	 */
-	if (IS_ENABLED(CONFIG_X86_64) && maxphyaddr == 52)
+	if (maxphyaddr == 52)
 		mask &= ~1ull;
 
 	kvm_mmu_set_mmio_spte_mask(mask);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 62/99] USB: serial: ir-usb: add missing endpoint sanity check
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 61/99] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 63/99] USB: serial: ir-usb: fix link-speed handling Ben Hutchings
                   ` (37 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Johan Hovold

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2988a8ae7476fe9535ab620320790d1714bdad1d upstream.

Add missing endpoint sanity check to avoid dereferencing a NULL-pointer
on open() in case a device lacks a bulk-out endpoint.

Note that prior to commit f4a4cbb2047e ("USB: ir-usb: reimplement using
generic framework") the oops would instead happen on open() if the
device lacked a bulk-in endpoint and on write() if it lacked a bulk-out
endpoint.

Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ir-usb.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/ir-usb.c
+++ b/drivers/usb/serial/ir-usb.c
@@ -199,6 +199,9 @@ static int ir_startup(struct usb_serial
 	struct usb_irda_cs_descriptor *irda_desc;
 	int rates;
 
+	if (serial->num_bulk_in < 1 || serial->num_bulk_out < 1)
+		return -ENODEV;
+
 	irda_desc = irda_usb_find_class_desc(serial, 0);
 	if (!irda_desc) {
 		dev_err(&serial->dev->dev,


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 63/99] USB: serial: ir-usb: fix link-speed handling
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 62/99] USB: serial: ir-usb: add missing endpoint sanity check Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 64/99] USB: serial: ir-usb: fix IrLAP framing Ben Hutchings
                   ` (36 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Greg Kroah-Hartman, Felipe Balbi

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 17a0184ca17e288decdca8b2841531e34d49285f upstream.

Commit e0d795e4f36c ("usb: irda: cleanup on ir-usb module") added a USB
IrDA header with common defines, but mistakingly switched to using the
class-descriptor baud-rate bitmask values for the outbound header.

This broke link-speed handling for rates above 9600 baud, but a device
would also be able to operate at the default 9600 baud until a
link-speed request was issued (e.g. using the TCGETS ioctl).

Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module")
Cc: Felipe Balbi <balbi@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ir-usb.c | 20 ++++++++++----------
 include/linux/usb/irda.h    | 13 ++++++++++++-
 2 files changed, 22 insertions(+), 11 deletions(-)

--- a/drivers/usb/serial/ir-usb.c
+++ b/drivers/usb/serial/ir-usb.c
@@ -339,34 +339,34 @@ static void ir_set_termios(struct tty_st
 
 	switch (baud) {
 	case 2400:
-		ir_baud = USB_IRDA_BR_2400;
+		ir_baud = USB_IRDA_LS_2400;
 		break;
 	case 9600:
-		ir_baud = USB_IRDA_BR_9600;
+		ir_baud = USB_IRDA_LS_9600;
 		break;
 	case 19200:
-		ir_baud = USB_IRDA_BR_19200;
+		ir_baud = USB_IRDA_LS_19200;
 		break;
 	case 38400:
-		ir_baud = USB_IRDA_BR_38400;
+		ir_baud = USB_IRDA_LS_38400;
 		break;
 	case 57600:
-		ir_baud = USB_IRDA_BR_57600;
+		ir_baud = USB_IRDA_LS_57600;
 		break;
 	case 115200:
-		ir_baud = USB_IRDA_BR_115200;
+		ir_baud = USB_IRDA_LS_115200;
 		break;
 	case 576000:
-		ir_baud = USB_IRDA_BR_576000;
+		ir_baud = USB_IRDA_LS_576000;
 		break;
 	case 1152000:
-		ir_baud = USB_IRDA_BR_1152000;
+		ir_baud = USB_IRDA_LS_1152000;
 		break;
 	case 4000000:
-		ir_baud = USB_IRDA_BR_4000000;
+		ir_baud = USB_IRDA_LS_4000000;
 		break;
 	default:
-		ir_baud = USB_IRDA_BR_9600;
+		ir_baud = USB_IRDA_LS_9600;
 		baud = 9600;
 	}
 
--- a/include/linux/usb/irda.h
+++ b/include/linux/usb/irda.h
@@ -118,11 +118,22 @@ struct usb_irda_cs_descriptor {
  * 6 - 115200 bps
  * 7 - 576000 bps
  * 8 - 1.152 Mbps
- * 9 - 5 mbps
+ * 9 - 4 Mbps
  * 10..15 - Reserved
  */
 #define USB_IRDA_STATUS_LINK_SPEED	0x0f
 
+#define USB_IRDA_LS_NO_CHANGE		0
+#define USB_IRDA_LS_2400		1
+#define USB_IRDA_LS_9600		2
+#define USB_IRDA_LS_19200		3
+#define USB_IRDA_LS_38400		4
+#define USB_IRDA_LS_57600		5
+#define USB_IRDA_LS_115200		6
+#define USB_IRDA_LS_576000		7
+#define USB_IRDA_LS_1152000		8
+#define USB_IRDA_LS_4000000		9
+
 /* The following is a 4-bit value used only for
  * outbound header:
  *


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 64/99] USB: serial: ir-usb: fix IrLAP framing
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 63/99] USB: serial: ir-usb: fix link-speed handling Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 65/99] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors Ben Hutchings
                   ` (35 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Greg Kroah-Hartman

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a upstream.

Commit f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
switched to using the generic write implementation which may combine
multiple write requests into larger transfers. This can break the IrLAP
protocol where end-of-frame is determined using the USB short packet
mechanism, for example, if multiple frames are sent in rapid succession.

Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ir-usb.c | 113 +++++++++++++++++++++++++++++-------
 1 file changed, 91 insertions(+), 22 deletions(-)

--- a/drivers/usb/serial/ir-usb.c
+++ b/drivers/usb/serial/ir-usb.c
@@ -49,9 +49,10 @@ static int buffer_size;
 static int xbof = -1;
 
 static int  ir_startup (struct usb_serial *serial);
-static int  ir_open(struct tty_struct *tty, struct usb_serial_port *port);
-static int ir_prepare_write_buffer(struct usb_serial_port *port,
-						void *dest, size_t size);
+static int ir_write(struct tty_struct *tty, struct usb_serial_port *port,
+		const unsigned char *buf, int count);
+static int ir_write_room(struct tty_struct *tty);
+static void ir_write_bulk_callback(struct urb *urb);
 static void ir_process_read_urb(struct urb *urb);
 static void ir_set_termios(struct tty_struct *tty,
 		struct usb_serial_port *port, struct ktermios *old_termios);
@@ -81,8 +82,9 @@ static struct usb_serial_driver ir_devic
 	.num_ports		= 1,
 	.set_termios		= ir_set_termios,
 	.attach			= ir_startup,
-	.open			= ir_open,
-	.prepare_write_buffer	= ir_prepare_write_buffer,
+	.write			= ir_write,
+	.write_room		= ir_write_room,
+	.write_bulk_callback	= ir_write_bulk_callback,
 	.process_read_urb	= ir_process_read_urb,
 };
 
@@ -258,35 +260,102 @@ static int ir_startup(struct usb_serial
 	return 0;
 }
 
-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
+static int ir_write(struct tty_struct *tty, struct usb_serial_port *port,
+		const unsigned char *buf, int count)
 {
-	int i;
+	struct urb *urb = NULL;
+	unsigned long flags;
+	int ret;
 
-	for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i)
-		port->write_urbs[i]->transfer_flags = URB_ZERO_PACKET;
+	if (port->bulk_out_size == 0)
+		return -EINVAL;
 
-	/* Start reading from the device */
-	return usb_serial_generic_open(tty, port);
-}
+	if (count == 0)
+		return 0;
 
-static int ir_prepare_write_buffer(struct usb_serial_port *port,
-						void *dest, size_t size)
-{
-	unsigned char *buf = dest;
-	int count;
+	count = min(count, port->bulk_out_size - 1);
+
+	spin_lock_irqsave(&port->lock, flags);
+	if (__test_and_clear_bit(0, &port->write_urbs_free)) {
+		urb = port->write_urbs[0];
+		port->tx_bytes += count;
+	}
+	spin_unlock_irqrestore(&port->lock, flags);
+
+	if (!urb)
+		return 0;
 
 	/*
 	 * The first byte of the packet we send to the device contains an
-	 * inbound header which indicates an additional number of BOFs and
+	 * outbound header which indicates an additional number of BOFs and
 	 * a baud rate change.
 	 *
 	 * See section 5.4.2.2 of the USB IrDA spec.
 	 */
-	*buf = ir_xbof | ir_baud;
+	*(u8 *)urb->transfer_buffer = ir_xbof | ir_baud;
+
+	memcpy(urb->transfer_buffer + 1, buf, count);
+
+	urb->transfer_buffer_length = count + 1;
+	urb->transfer_flags = URB_ZERO_PACKET;
+
+	ret = usb_submit_urb(urb, GFP_ATOMIC);
+	if (ret) {
+		dev_err(&port->dev, "failed to submit write urb: %d\n", ret);
+
+		spin_lock_irqsave(&port->lock, flags);
+		__set_bit(0, &port->write_urbs_free);
+		port->tx_bytes -= count;
+		spin_unlock_irqrestore(&port->lock, flags);
+
+		return ret;
+	}
+
+	return count;
+}
+
+static void ir_write_bulk_callback(struct urb *urb)
+{
+	struct usb_serial_port *port = urb->context;
+	int status = urb->status;
+	unsigned long flags;
+
+	spin_lock_irqsave(&port->lock, flags);
+	__set_bit(0, &port->write_urbs_free);
+	port->tx_bytes -= urb->transfer_buffer_length - 1;
+	spin_unlock_irqrestore(&port->lock, flags);
+
+	switch (status) {
+	case 0:
+		break;
+	case -ENOENT:
+	case -ECONNRESET:
+	case -ESHUTDOWN:
+		dev_dbg(&port->dev, "write urb stopped: %d\n", status);
+		return;
+	case -EPIPE:
+		dev_err(&port->dev, "write urb stopped: %d\n", status);
+		return;
+	default:
+		dev_err(&port->dev, "nonzero write-urb status: %d\n", status);
+		break;
+	}
+
+	usb_serial_port_softint(port);
+}
+
+static int ir_write_room(struct tty_struct *tty)
+{
+	struct usb_serial_port *port = tty->driver_data;
+	int count = 0;
+
+	if (port->bulk_out_size == 0)
+		return 0;
+
+	if (test_bit(0, &port->write_urbs_free))
+		count = port->bulk_out_size - 1;
 
-	count = kfifo_out_locked(&port->write_fifo, buf + 1, size - 1,
-								&port->lock);
-	return count + 1;
+	return count;
 }
 
 static void ir_process_read_urb(struct urb *urb)


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 65/99] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (63 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 64/99] USB: serial: ir-usb: fix IrLAP framing Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 66/99] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails Ben Hutchings
                   ` (34 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Will Deacon, Andrey Konovalov,
	Laurent Pinchart, Mauro Carvalho Chehab

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will@kernel.org>

commit 68035c80e129c4cfec659aac4180354530b26527 upstream.

Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked
up the following WARNING from the UVC chain scanning code:

  | list_add double add: new=ffff880069084010, prev=ffff880069084010,
  | next=ffff880067d22298.
  | ------------[ cut here ]------------
  | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
  | Modules linked in:
  | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
  | 4.14.0-rc2-42613-g1488251d1a98 #238
  | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  | Workqueue: usb_hub_wq hub_event
  | task: ffff88006b01ca40 task.stack: ffff880064358000
  | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
  | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286
  | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000
  | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac
  | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000
  | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010
  | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0
  | FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
  | CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0
  | Call Trace:
  |  __list_add ./include/linux/list.h:59
  |  list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
  |  uvc_scan_chain_forward.isra.8+0x373/0x416
  | drivers/media/usb/uvc/uvc_driver.c:1471
  |  uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
  |  uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
  |  uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104

Looking into the output from usbmon, the interesting part is the
following data packet:

  ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080
  00090403 00000e01 00000924 03000103 7c003328 010204db

If we drop the lead configuration and interface descriptors, we're left
with an output terminal descriptor describing a generic display:

  /* Output terminal descriptor */
  buf[0]	09
  buf[1]	24
  buf[2]	03	/* UVC_VC_OUTPUT_TERMINAL */
  buf[3]	00	/* ID */
  buf[4]	01	/* type == 0x0301 (UVC_OTT_DISPLAY) */
  buf[5]	03
  buf[6]	7c
  buf[7]	00	/* source ID refers to self! */
  buf[8]	33

The problem with this descriptor is that it is self-referential: the
source ID of 0 matches itself! This causes the 'struct uvc_entity'
representing the display to be added to its chain list twice during
'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is
processed directly from the 'dev->entities' list and then again
immediately afterwards when trying to follow the source ID in
'uvc_scan_chain_forward()'

Add a check before adding an entity to a chain list to ensure that the
entity is not already part of a chain.

Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/

Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1369,6 +1369,11 @@ static int uvc_scan_chain_forward(struct
 			break;
 		if (forward == prev)
 			continue;
+		if (forward->chain.next || forward->chain.prev) {
+			uvc_trace(UVC_TRACE_DESCR, "Found reference to "
+				"entity %d already in chain.\n", forward->id);
+			return -EINVAL;
+		}
 
 		switch (UVC_ENTITY_TYPE(forward)) {
 		case UVC_VC_EXTENSION_UNIT:
@@ -1450,6 +1455,13 @@ static int uvc_scan_chain_backward(struc
 				return -1;
 			}
 
+			if (term->chain.next || term->chain.prev) {
+				uvc_trace(UVC_TRACE_DESCR, "Found reference to "
+					"entity %d already in chain.\n",
+					term->id);
+				return -EINVAL;
+			}
+
 			if (uvc_trace_param & UVC_TRACE_PROBE)
 				printk(" %d", term->id);
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 66/99] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 65/99] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 67/99] KVM: PPC: Book3S PR: Free shared page if mmu initialization fails Ben Hutchings
                   ` (33 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sean Christopherson, Greg Kurz,
	Paul Mackerras, Paolo Bonzini

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit 1a978d9d3e72ddfa40ac60d26301b154247ee0bc upstream.

Call kvm_vcpu_uninit() if vcore creation fails to avoid leaking any
resources allocated by kvm_vcpu_init(), i.e. the vcpu->run page.

Fixes: 371fefd6f2dc4 ("KVM: PPC: Allow book3s_hv guests to use SMT processor modes")
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kvm/book3s_hv.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -1316,7 +1316,7 @@ static struct kvm_vcpu *kvmppc_core_vcpu
 	mutex_unlock(&kvm->lock);
 
 	if (!vcore)
-		goto free_vcpu;
+		goto uninit_vcpu;
 
 	spin_lock(&vcore->lock);
 	++vcore->num_threads;
@@ -1329,6 +1329,8 @@ static struct kvm_vcpu *kvmppc_core_vcpu
 
 	return vcpu;
 
+uninit_vcpu:
+	kvm_vcpu_uninit(vcpu);
 free_vcpu:
 	kmem_cache_free(kvm_vcpu_cache, vcpu);
 out:


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 67/99] KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 66/99] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 68/99] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails Ben Hutchings
                   ` (32 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kurz, Sean Christopherson,
	Paolo Bonzini, Paul Mackerras

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 upstream.

Explicitly free the shared page if kvmppc_mmu_init() fails during
kvmppc_core_vcpu_create(), as the page is freed only in
kvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit().

Fixes: 96bc451a15329 ("KVM: PPC: Introduce shared page")
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kvm/book3s_pr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kvm/book3s_pr.c
+++ b/arch/powerpc/kvm/book3s_pr.c
@@ -1346,10 +1346,12 @@ static struct kvm_vcpu *kvmppc_core_vcpu
 
 	err = kvmppc_mmu_init(vcpu);
 	if (err < 0)
-		goto uninit_vcpu;
+		goto free_shared_page;
 
 	return vcpu;
 
+free_shared_page:
+	free_page((unsigned long)vcpu->arch.shared);
 uninit_vcpu:
 	kvm_vcpu_uninit(vcpu);
 free_shadow_vcpu:


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 68/99] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 67/99] KVM: PPC: Book3S PR: Free shared page if mmu initialization fails Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 69/99] tracing: Fix very unlikely race of registering two stat tracers Ben Hutchings
                   ` (31 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paolo Bonzini, Sean Christopherson

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit 16be9ddea268ad841457a59109963fff8c9de38d upstream.

Free the vCPU's wbinvd_dirty_mask if vCPU creation fails after
kvm_arch_vcpu_init(), e.g. when installing the vCPU's file descriptor.
Do the freeing by calling kvm_arch_vcpu_free() instead of open coding
the freeing.  This adds a likely superfluous, but ultimately harmless,
call to kvmclock_reset(), which only clears vcpu->arch.pv_time_enabled.
Using kvm_arch_vcpu_free() allows for additional cleanup in the future.

Fixes: f5f48ee15c2ee ("KVM: VMX: Execute WBINVD to keep data consistency with assigned devices")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: Also delete the preceding fx_free(), since
 kvm_arch_vcpu_free() calls it.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -7087,8 +7087,7 @@ void kvm_arch_vcpu_destroy(struct kvm_vc
 	kvm_mmu_unload(vcpu);
 	vcpu_put(vcpu);
 
-	fx_free(vcpu);
-	kvm_x86_ops->vcpu_free(vcpu);
+	kvm_arch_vcpu_free(vcpu);
 }
 
 void kvm_vcpu_reset(struct kvm_vcpu *vcpu)


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 69/99] tracing: Fix very unlikely race of registering two stat tracers
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 68/99] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 70/99] tracing: Fix tracing_stat return values in error handling paths Ben Hutchings
                   ` (30 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steven Rostedt (VMware), Luis Henriques

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit dfb6cd1e654315168e36d947471bd2a0ccd834ae upstream.

Looking through old emails in my INBOX, I came across a patch from Luis
Henriques that attempted to fix a race of two stat tracers registering the
same stat trace (extremely unlikely, as this is done in the kernel, and
probably doesn't even exist). The submitted patch wasn't quite right as it
needed to deal with clean up a bit better (if two stat tracers were the
same, it would have the same files).

But to make the code cleaner, all we needed to do is to keep the
all_stat_sessions_mutex held for most of the registering function.

Link: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com

Fixes: 002bb86d8d42f ("tracing/ftrace: separate events tracing and stats tracing engine")
Reported-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_stat.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

--- a/kernel/trace/trace_stat.c
+++ b/kernel/trace/trace_stat.c
@@ -302,7 +302,7 @@ static int init_stat_file(struct stat_se
 int register_stat_tracer(struct tracer_stat *trace)
 {
 	struct stat_session *session, *node;
-	int ret;
+	int ret = -EINVAL;
 
 	if (!trace)
 		return -EINVAL;
@@ -313,17 +313,15 @@ int register_stat_tracer(struct tracer_s
 	/* Already registered? */
 	mutex_lock(&all_stat_sessions_mutex);
 	list_for_each_entry(node, &all_stat_sessions, session_list) {
-		if (node->ts == trace) {
-			mutex_unlock(&all_stat_sessions_mutex);
-			return -EINVAL;
-		}
+		if (node->ts == trace)
+			goto out;
 	}
-	mutex_unlock(&all_stat_sessions_mutex);
 
+	ret = -ENOMEM;
 	/* Init the session */
 	session = kzalloc(sizeof(*session), GFP_KERNEL);
 	if (!session)
-		return -ENOMEM;
+		goto out;
 
 	session->ts = trace;
 	INIT_LIST_HEAD(&session->session_list);
@@ -332,15 +330,16 @@ int register_stat_tracer(struct tracer_s
 	ret = init_stat_file(session);
 	if (ret) {
 		destroy_session(session);
-		return ret;
+		goto out;
 	}
 
+	ret = 0;
 	/* Register */
-	mutex_lock(&all_stat_sessions_mutex);
 	list_add_tail(&session->session_list, &all_stat_sessions);
+ out:
 	mutex_unlock(&all_stat_sessions_mutex);
 
-	return 0;
+	return ret;
 }
 
 void unregister_stat_tracer(struct tracer_stat *trace)


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 70/99] tracing: Fix tracing_stat return values in error handling paths
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (68 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 69/99] tracing: Fix very unlikely race of registering two stat tracers Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 71/99] jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record Ben Hutchings
                   ` (29 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Luis Henriques, Steven Rostedt (VMware)

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Luis Henriques <luis.henriques@canonical.com>

commit afccc00f75bbbee4e4ae833a96c2d29a7259c693 upstream.

tracing_stat_init() was always returning '0', even on the error paths.  It
now returns -ENODEV if tracing_init_dentry() fails or -ENOMEM if it fails
to created the 'trace_stat' debugfs directory.

Link: http://lkml.kernel.org/r/1410299381-20108-1-git-send-email-luis.henriques@canonical.com

Fixes: ed6f1c996bfe4 ("tracing: Check return value of tracing_init_dentry()")
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
[ Pulled from the archeological digging of my INBOX ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_stat.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/kernel/trace/trace_stat.c
+++ b/kernel/trace/trace_stat.c
@@ -277,19 +277,23 @@ static int tracing_stat_init(void)
 
 	d_tracing = tracing_init_dentry();
 	if (!d_tracing)
-		return 0;
+		return -ENODEV;
 
 	stat_dir = debugfs_create_dir("trace_stat", d_tracing);
-	if (!stat_dir)
+	if (!stat_dir) {
 		pr_warning("Could not create debugfs "
 			   "'trace_stat' entry\n");
+		return -ENOMEM;
+	}
 	return 0;
 }
 
 static int init_stat_file(struct stat_session *session)
 {
-	if (!stat_dir && tracing_stat_init())
-		return -ENODEV;
+	int ret;
+
+	if (!stat_dir && (ret = tracing_stat_init()))
+		return ret;
 
 	session->file = debugfs_create_file(session->ts->name, 0644,
 					    stat_dir,


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 71/99] jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 70/99] tracing: Fix tracing_stat return values in error handling paths Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 72/99] ext4, jbd2: ensure panic when aborting with zero errno Ben Hutchings
                   ` (28 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jan Kara, zhangyi (F), Theodore Ts'o

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "zhangyi (F)" <yi.zhang@huawei.com>

commit d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 upstream.

We invoke jbd2_journal_abort() to abort the journal and record errno
in the jbd2 superblock when committing journal transaction besides the
failure on submitting the commit record. But there is no need for the
case and we can also invoke jbd2_journal_abort() instead of
__jbd2_journal_abort_hard().

Fixes: 818d276ceb83a ("ext4: Add the journal checksum feature")
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/jbd2/commit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/jbd2/commit.c
+++ b/fs/jbd2/commit.c
@@ -802,7 +802,7 @@ start_journal_io:
 		err = journal_submit_commit_record(journal, commit_transaction,
 						 &cbh, crc32_sum);
 		if (err)
-			__jbd2_journal_abort_hard(journal);
+			jbd2_journal_abort(journal, err);
 	}
 
 	blk_finish_plug(&plug);
@@ -894,7 +894,7 @@ start_journal_io:
 		err = journal_submit_commit_record(journal, commit_transaction,
 						&cbh, crc32_sum);
 		if (err)
-			__jbd2_journal_abort_hard(journal);
+			jbd2_journal_abort(journal, err);
 	}
 	if (cbh)
 		err = journal_wait_on_commit_record(journal, cbh);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 72/99] ext4, jbd2: ensure panic when aborting with zero errno
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 71/99] jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 73/99] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop Ben Hutchings
                   ` (27 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, zhangyi (F), Jan Kara

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "zhangyi (F)" <yi.zhang@huawei.com>

commit 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 upstream.

JBD2_REC_ERR flag used to indicate the errno has been updated when jbd2
aborted, and then __ext4_abort() and ext4_handle_error() can invoke
panic if ERRORS_PANIC is specified. But if the journal has been aborted
with zero errno, jbd2_journal_abort() didn't set this flag so we can
no longer panic. Fix this by always record the proper errno in the
journal superblock.

Fixes: 4327ba52afd03 ("ext4, jbd2: ensure entering into panic after recording an error in superblock")
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/jbd2/checkpoint.c |  2 +-
 fs/jbd2/journal.c    | 15 ++++-----------
 2 files changed, 5 insertions(+), 12 deletions(-)

--- a/fs/jbd2/checkpoint.c
+++ b/fs/jbd2/checkpoint.c
@@ -173,7 +173,7 @@ void __jbd2_log_wait_for_space(journal_t
 				       "journal space in %s\n", __func__,
 				       journal->j_devname);
 				WARN_ON(1);
-				jbd2_journal_abort(journal, 0);
+				jbd2_journal_abort(journal, -EIO);
 			}
 			write_lock(&journal->j_state_lock);
 		} else {
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -2106,12 +2106,10 @@ static void __journal_abort_soft (journa
 
 	__jbd2_journal_abort_hard(journal);
 
-	if (errno) {
-		jbd2_journal_update_sb_errno(journal);
-		write_lock(&journal->j_state_lock);
-		journal->j_flags |= JBD2_REC_ERR;
-		write_unlock(&journal->j_state_lock);
-	}
+	jbd2_journal_update_sb_errno(journal);
+	write_lock(&journal->j_state_lock);
+	journal->j_flags |= JBD2_REC_ERR;
+	write_unlock(&journal->j_state_lock);
 }
 
 /**
@@ -2153,11 +2151,6 @@ static void __journal_abort_soft (journa
  * failure to disk.  ext3_error, for example, now uses this
  * functionality.
  *
- * Errors which originate from within the journaling layer will NOT
- * supply an errno; a null errno implies that absolutely no further
- * writes are done to the journal (unless there are any already in
- * progress).
- *
  */
 
 void jbd2_journal_abort(journal_t *journal, int errno)


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 73/99] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 72/99] ext4, jbd2: ensure panic when aborting with zero errno Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 74/99] CIFS: Fix task struct use-after-free on reconnect Ben Hutchings
                   ` (26 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Colin Ian King, Kalle Valo, Stanislaw Gruszka

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 upstream.

The loop counter addr is a u16 where as the upper limit of the loop
is an int. In the unlikely event that the il->cfg->eeprom_size is
greater than 64K then we end up with an infinite loop since addr will
wrap around an never reach upper loop limit. Fix this by making addr
an int.

Addresses-Coverity: ("Infinite loop")
Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/iwlegacy/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlegacy/common.c
+++ b/drivers/net/wireless/iwlegacy/common.c
@@ -717,7 +717,7 @@ il_eeprom_init(struct il_priv *il)
 	u32 gp = _il_rd(il, CSR_EEPROM_GP);
 	int sz;
 	int ret;
-	u16 addr;
+	int addr;
 
 	/* allocate eeprom */
 	sz = il->cfg->eeprom_size;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 74/99] CIFS: Fix task struct use-after-free on reconnect
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 73/99] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 75/99] net_sched: ematch: reject invalid TCF_EM_SIMPLE Ben Hutchings
                   ` (25 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paulo Alcantara (SUSE),
	Steve French, Vincent Whitchurch, Pavel Shilovsky

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vincent Whitchurch <vincent.whitchurch@axis.com>

commit f1f27ad74557e39f67a8331a808b860f89254f2d upstream.

The task which created the MID may be gone by the time cifsd attempts to
call the callbacks on MIDs from cifs_reconnect().

This leads to a use-after-free of the task struct in cifs_wake_up_task:

 ==================================================================
 BUG: KASAN: use-after-free in __lock_acquire+0x31a0/0x3270
 Read of size 8 at addr ffff8880103e3a68 by task cifsd/630

 CPU: 0 PID: 630 Comm: cifsd Not tainted 5.5.0-rc6+ #119
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
 Call Trace:
  dump_stack+0x8e/0xcb
  print_address_description.constprop.5+0x1d3/0x3c0
  ? __lock_acquire+0x31a0/0x3270
  __kasan_report+0x152/0x1aa
  ? __lock_acquire+0x31a0/0x3270
  ? __lock_acquire+0x31a0/0x3270
  kasan_report+0xe/0x20
  __lock_acquire+0x31a0/0x3270
  ? __wake_up_common+0x1dc/0x630
  ? _raw_spin_unlock_irqrestore+0x4c/0x60
  ? mark_held_locks+0xf0/0xf0
  ? _raw_spin_unlock_irqrestore+0x39/0x60
  ? __wake_up_common_lock+0xd5/0x130
  ? __wake_up_common+0x630/0x630
  lock_acquire+0x13f/0x330
  ? try_to_wake_up+0xa3/0x19e0
  _raw_spin_lock_irqsave+0x38/0x50
  ? try_to_wake_up+0xa3/0x19e0
  try_to_wake_up+0xa3/0x19e0
  ? cifs_compound_callback+0x178/0x210
  ? set_cpus_allowed_ptr+0x10/0x10
  cifs_reconnect+0xa1c/0x15d0
  ? generic_ip_connect+0x1860/0x1860
  ? rwlock_bug.part.0+0x90/0x90
  cifs_readv_from_socket+0x479/0x690
  cifs_read_from_socket+0x9d/0xe0
  ? cifs_readv_from_socket+0x690/0x690
  ? mempool_resize+0x690/0x690
  ? rwlock_bug.part.0+0x90/0x90
  ? memset+0x1f/0x40
  ? allocate_buffers+0xff/0x340
  cifs_demultiplex_thread+0x388/0x2a50
  ? cifs_handle_standard+0x610/0x610
  ? rcu_read_lock_held_common+0x120/0x120
  ? mark_lock+0x11b/0xc00
  ? __lock_acquire+0x14ed/0x3270
  ? __kthread_parkme+0x78/0x100
  ? lockdep_hardirqs_on+0x3e8/0x560
  ? lock_downgrade+0x6a0/0x6a0
  ? lockdep_hardirqs_on+0x3e8/0x560
  ? _raw_spin_unlock_irqrestore+0x39/0x60
  ? cifs_handle_standard+0x610/0x610
  kthread+0x2bb/0x3a0
  ? kthread_create_worker_on_cpu+0xc0/0xc0
  ret_from_fork+0x3a/0x50

 Allocated by task 649:
  save_stack+0x19/0x70
  __kasan_kmalloc.constprop.5+0xa6/0xf0
  kmem_cache_alloc+0x107/0x320
  copy_process+0x17bc/0x5370
  _do_fork+0x103/0xbf0
  __x64_sys_clone+0x168/0x1e0
  do_syscall_64+0x9b/0xec0
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 Freed by task 0:
  save_stack+0x19/0x70
  __kasan_slab_free+0x11d/0x160
  kmem_cache_free+0xb5/0x3d0
  rcu_core+0x52f/0x1230
  __do_softirq+0x24d/0x962

 The buggy address belongs to the object at ffff8880103e32c0
  which belongs to the cache task_struct of size 6016
 The buggy address is located 1960 bytes inside of
  6016-byte region [ffff8880103e32c0, ffff8880103e4a40)
 The buggy address belongs to the page:
 page:ffffea000040f800 refcount:1 mapcount:0 mapping:ffff8880108da5c0
 index:0xffff8880103e4c00 compound_mapcount: 0
 raw: 4000000000010200 ffffea00001f2208 ffffea00001e3408 ffff8880108da5c0
 raw: ffff8880103e4c00 0000000000050003 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff8880103e3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880103e3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff8880103e3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                           ^
  ffff8880103e3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880103e3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

This can be reliably reproduced by adding the below delay to
cifs_reconnect(), running find(1) on the mount, restarting the samba
server while find is running, and killing find during the delay:

  	spin_unlock(&GlobalMid_Lock);
  	mutex_unlock(&server->srv_mutex);

 +	msleep(10000);
 +
  	cifs_dbg(FYI, "%s: issuing mid callbacks\n", __func__);
  	list_for_each_safe(tmp, tmp2, &retry_list) {
  		mid_entry = list_entry(tmp, struct mid_q_entry, qhead);

Fix this by holding a reference to the task struct until the MID is
freed.

Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
[bwh: Backported to 3.16:
 - In _cifs_mid_q_entry_release(), use mid instead of midEntry
 - Adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1252,6 +1252,7 @@ struct mid_q_entry {
 	mid_receive_t *receive; /* call receive callback */
 	mid_callback_t *callback; /* call completion callback */
 	void *callback_data;	  /* general purpose pointer for callback */
+	struct task_struct *creator;
 	void *resp_buf;		/* pointer to received SMB header */
 	int mid_state;	/* wish this were enum but can not pass to wait_event */
 	unsigned int mid_flags;
--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -542,6 +542,8 @@ smb2_mid_entry_alloc(const struct smb2_h
 		 * The default is for the mid to be synchronous, so the
 		 * default callback just wakes up the current task.
 		 */
+		get_task_struct(current);
+		temp->creator = current;
 		temp->callback = cifs_wake_up_task;
 		temp->callback_data = current;
 	}
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -72,6 +72,8 @@ AllocMidQEntry(const struct smb_hdr *smb
 		 * The default is for the mid to be synchronous, so the
 		 * default callback just wakes up the current task.
 		 */
+		get_task_struct(current);
+		temp->creator = current;
 		temp->callback = cifs_wake_up_task;
 		temp->callback_data = current;
 	}
@@ -86,6 +88,8 @@ static void _cifs_mid_q_entry_release(st
 	struct mid_q_entry *mid = container_of(refcount, struct mid_q_entry,
 					       refcount);
 
+	put_task_struct(mid->creator);
+
 	mempool_free(mid, cifs_mid_poolp);
 }
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 75/99] net_sched: ematch: reject invalid TCF_EM_SIMPLE
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 74/99] CIFS: Fix task struct use-after-free on reconnect Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 76/99] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks Ben Hutchings
                   ` (24 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Eric Dumazet,
	syzbot+03c4738ed29d5d366ddf, Cong Wang

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8 upstream.

It is possible for malicious userspace to set TCF_EM_SIMPLE bit
even for matches that should not have this bit set.

This can fool two places using tcf_em_is_simple()

1) tcf_em_tree_destroy() -> memory leak of em->data
   if ops->destroy() is NULL

2) tcf_em_tree_dump() wrongly report/leak 4 low-order bytes
   of a kernel pointer.

BUG: memory leak
unreferenced object 0xffff888121850a40 (size 32):
  comm "syz-executor927", pid 7193, jiffies 4294941655 (age 19.840s)
  hex dump (first 32 bytes):
    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000f67036ea>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000f67036ea>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000f67036ea>] slab_alloc mm/slab.c:3320 [inline]
    [<00000000f67036ea>] __do_kmalloc mm/slab.c:3654 [inline]
    [<00000000f67036ea>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671
    [<00000000fab0cc8e>] kmemdup+0x27/0x60 mm/util.c:127
    [<00000000d9992e0a>] kmemdup include/linux/string.h:453 [inline]
    [<00000000d9992e0a>] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32
    [<000000007e04f711>] tcf_em_validate net/sched/ematch.c:241 [inline]
    [<000000007e04f711>] tcf_em_tree_validate net/sched/ematch.c:359 [inline]
    [<000000007e04f711>] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300
    [<000000007a769204>] basic_set_parms net/sched/cls_basic.c:157 [inline]
    [<000000007a769204>] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219
    [<00000000e57a5997>] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104
    [<0000000074b68559>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415
    [<00000000b7fe53fb>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [<00000000e83a40d0>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [<00000000d62ba933>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [<00000000d62ba933>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [<0000000088070f72>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [<00000000f70b15ea>] sock_sendmsg_nosec net/socket.c:639 [inline]
    [<00000000f70b15ea>] sock_sendmsg+0x54/0x70 net/socket.c:659
    [<00000000ef95a9be>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [<00000000b650f1ab>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [<0000000055bfa74a>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [<000000002abac183>] __do_sys_sendmsg net/socket.c:2426 [inline]
    [<000000002abac183>] __se_sys_sendmsg net/socket.c:2424 [inline]
    [<000000002abac183>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/ematch.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -241,6 +241,9 @@ static int tcf_em_validate(struct tcf_pr
 			goto errout;
 
 		if (em->ops->change) {
+			err = -EINVAL;
+			if (em_hdr->flags & TCF_EM_SIMPLE)
+				goto errout;
 			err = em->ops->change(tp, data, data_len, em);
 			if (err < 0)
 				goto errout;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 76/99] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (74 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 75/99] net_sched: ematch: reject invalid TCF_EM_SIMPLE Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 77/99] KVM: x86: Refactor picdev_write() to prevent " Ben Hutchings
                   ` (23 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marios Pomonis, Nick Finco, Jim Mattson,
	Paolo Bonzini, Andrew Honig

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marios Pomonis <pomonis@google.com>

commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream.

This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
symbol, so KVM should treat it conservatively from a security perspective.

Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: Add #include <linux/nospec.h>]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/emulate.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -26,6 +26,7 @@
 #include <asm/kvm_emulate.h>
 #include <linux/stringify.h>
 #include <asm/nospec-branch.h>
+#include <linux/nospec.h>
 
 #include "x86.h"
 #include "tss.h"
@@ -4487,10 +4488,15 @@ done_prefixes:
 			}
 			break;
 		case Escape:
-			if (ctxt->modrm > 0xbf)
-				opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
-			else
+			if (ctxt->modrm > 0xbf) {
+				size_t size = ARRAY_SIZE(opcode.u.esc->high);
+				u32 index = array_index_nospec(
+					ctxt->modrm - 0xc0, size);
+
+				opcode = opcode.u.esc->high[index];
+			} else {
 				opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
+			}
 			break;
 		default:
 			return EMULATION_FAILED;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 77/99] KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 76/99] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 78/99] KVM: x86: Protect ioapic_read_indirect() from " Ben Hutchings
                   ` (22 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paolo Bonzini, Andrew Honig, Nick Finco,
	Marios Pomonis, Jim Mattson

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marios Pomonis <pomonis@google.com>

commit 14e32321f3606e4b0970200b6e5e47ee6f1e6410 upstream.

This fixes a Spectre-v1/L1TF vulnerability in picdev_write().
It replaces index computations based on the (attacked-controlled) port
number with constants through a minor refactoring.

Fixes: 85f455f7ddbe ("KVM: Add support for in-kernel PIC emulation")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: pic_{,un}lock() are called outside the switch]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/i8259.c
+++ b/arch/x86/kvm/i8259.c
@@ -486,9 +486,11 @@ static int picdev_write(struct kvm_pic *
 	switch (addr) {
 	case 0x20:
 	case 0x21:
+		pic_ioport_write(&s->pics[0], addr, data);
+		break;
 	case 0xa0:
 	case 0xa1:
-		pic_ioport_write(&s->pics[addr >> 7], addr, data);
+		pic_ioport_write(&s->pics[1], addr, data);
 		break;
 	case 0x4d0:
 	case 0x4d1:


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 78/99] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 77/99] KVM: x86: Refactor picdev_write() to prevent " Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 79/99] KVM: x86: Protect ioapic_write_indirect() " Ben Hutchings
                   ` (21 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jim Mattson, Marios Pomonis, Nick Finco,
	Andrew Honig, Paolo Bonzini

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marios Pomonis <pomonis@google.com>

commit 8c86405f606ca8508b8d9280680166ca26723695 upstream.

This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect().
This function contains index computations based on the
(attacker-controlled) IOREGSEL register.

Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 virt/kvm/ioapic.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/virt/kvm/ioapic.c
+++ b/virt/kvm/ioapic.c
@@ -36,6 +36,7 @@
 #include <linux/io.h>
 #include <linux/slab.h>
 #include <linux/export.h>
+#include <linux/nospec.h>
 #include <asm/processor.h>
 #include <asm/page.h>
 #include <asm/current.h>
@@ -73,13 +74,14 @@ static unsigned long ioapic_read_indirec
 	default:
 		{
 			u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
-			u64 redir_content;
+			u64 redir_content = ~0ULL;
 
-			if (redir_index < IOAPIC_NUM_PINS)
-				redir_content =
-					ioapic->redirtbl[redir_index].bits;
-			else
-				redir_content = ~0ULL;
+			if (redir_index < IOAPIC_NUM_PINS) {
+				u32 index = array_index_nospec(
+					redir_index, IOAPIC_NUM_PINS);
+
+				redir_content = ioapic->redirtbl[index].bits;
+			}
 
 			result = (ioapic->ioregsel & 0x1) ?
 			    (redir_content >> 32) & 0xffffffff :


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 79/99] KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 78/99] KVM: x86: Protect ioapic_read_indirect() from " Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 80/99] KVM: x86: Protect kvm_lapic_reg_write() " Ben Hutchings
                   ` (20 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andrew Honig, Paolo Bonzini, Jim Mattson,
	Marios Pomonis, Nick Finco

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marios Pomonis <pomonis@google.com>

commit 670564559ca35b439c8d8861fc399451ddf95137 upstream.

This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect().
This function contains index computations based on the
(attacker-controlled) IOREGSEL register.

This patch depends on patch
"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks".

Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 virt/kvm/ioapic.c | 1 +
 1 file changed, 1 insertion(+)

--- a/virt/kvm/ioapic.c
+++ b/virt/kvm/ioapic.c
@@ -312,6 +312,7 @@ static void ioapic_write_indirect(struct
 		ioapic_debug("change redir index %x val %x\n", index, val);
 		if (index >= IOAPIC_NUM_PINS)
 			return;
+		index = array_index_nospec(index, IOAPIC_NUM_PINS);
 		e = &ioapic->redirtbl[index];
 		mask_before = e->fields.mask;
 		if (ioapic->ioregsel & 1) {


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 80/99] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (78 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 79/99] KVM: x86: Protect ioapic_write_indirect() " Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 81/99] kvm: x86: use macros to compute bank MSRs Ben Hutchings
                   ` (19 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marios Pomonis, Nick Finco, Jim Mattson,
	Paolo Bonzini, Andrew Honig

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marios Pomonis <pomonis@google.com>

commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream.

This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().
This function contains index computations based on the
(attacker-controlled) MSR number.

Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16:
 - Add #include <linux/nospec.h>
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -35,6 +35,7 @@
 #include <asm/apicdef.h>
 #include <linux/atomic.h>
 #include <linux/jump_label.h>
+#include <linux/nospec.h>
 #include "kvm_cache_regs.h"
 #include "irq.h"
 #include "trace.h"
@@ -1196,15 +1197,20 @@ static int apic_reg_write(struct kvm_lap
 	case APIC_LVTTHMR:
 	case APIC_LVTPC:
 	case APIC_LVT1:
-	case APIC_LVTERR:
+	case APIC_LVTERR: {
 		/* TODO: Check vector */
+		size_t size;
+		u32 index;
+
 		if (!kvm_apic_sw_enabled(apic))
 			val |= APIC_LVT_MASKED;
-
-		val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4];
+		size = ARRAY_SIZE(apic_lvt_mask);
+		index = array_index_nospec(
+				(reg - APIC_LVTT) >> 4, size);
+		val &= apic_lvt_mask[index];
 		apic_set_reg(apic, reg, val);
-
 		break;
+	}
 
 	case APIC_LVTT:
 		if ((kvm_apic_get_reg(apic, APIC_LVTT) &


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 81/99] kvm: x86: use macros to compute bank MSRs
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 80/99] KVM: x86: Protect kvm_lapic_reg_write() " Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 82/99] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c Ben Hutchings
                   ` (18 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Paolo Bonzini, Chen Yucong

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chen Yucong <slaoub@gmail.com>

commit 81760dccf8d1fe5b128b58736fe3f56a566133cb upstream.

Avoid open coded calculations for bank MSRs by using well-defined
macros that hide the index of higher bank MSRs.

No semantic changes.

Signed-off-by: Chen Yucong <slaoub@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1915,7 +1915,7 @@ static int set_msr_mce(struct kvm_vcpu *
 		break;
 	default:
 		if (msr >= MSR_IA32_MC0_CTL &&
-		    msr < MSR_IA32_MC0_CTL + 4 * bank_num) {
+		    msr < MSR_IA32_MCx_CTL(bank_num)) {
 			u32 offset = msr - MSR_IA32_MC0_CTL;
 			/* only 0 or all 1s can be written to IA32_MCi_CTL
 			 * some Linux kernels though clear bit 10 in bank 4 to
@@ -2276,7 +2276,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
 
 	case MSR_IA32_MCG_CTL:
 	case MSR_IA32_MCG_STATUS:
-	case MSR_IA32_MC0_CTL ... MSR_IA32_MC0_CTL + 4 * KVM_MAX_MCE_BANKS - 1:
+	case MSR_IA32_MC0_CTL ... MSR_IA32_MCx_CTL(KVM_MAX_MCE_BANKS) - 1:
 		return set_msr_mce(vcpu, msr, data);
 
 	/* Performance counters are not protected by a CPUID bit,
@@ -2442,7 +2442,7 @@ static int get_msr_mce(struct kvm_vcpu *
 		break;
 	default:
 		if (msr >= MSR_IA32_MC0_CTL &&
-		    msr < MSR_IA32_MC0_CTL + 4 * bank_num) {
+		    msr < MSR_IA32_MCx_CTL(bank_num)) {
 			u32 offset = msr - MSR_IA32_MC0_CTL;
 			data = vcpu->arch.mce_banks[offset];
 			break;
@@ -2628,7 +2628,7 @@ int kvm_get_msr_common(struct kvm_vcpu *
 	case MSR_IA32_MCG_CAP:
 	case MSR_IA32_MCG_CTL:
 	case MSR_IA32_MCG_STATUS:
-	case MSR_IA32_MC0_CTL ... MSR_IA32_MC0_CTL + 4 * KVM_MAX_MCE_BANKS - 1:
+	case MSR_IA32_MC0_CTL ... MSR_IA32_MCx_CTL(KVM_MAX_MCE_BANKS) - 1:
 		return get_msr_mce(vcpu, msr_info->index, &msr_info->data);
 	case MSR_K7_CLK_CTL:
 		/*


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 82/99] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 81/99] kvm: x86: use macros to compute bank MSRs Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 83/99] KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks Ben Hutchings
                   ` (17 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marios Pomonis, Nick Finco, Jim Mattson,
	Paolo Bonzini, Andrew Honig

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marios Pomonis <pomonis@google.com>

commit 6ec4c5eee1750d5d17951c4e1960d953376a0dda upstream.

This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and
get_msr_mce().
Both functions contain index computations based on the
(attacker-controlled) MSR number.

Fixes: 890ca9aefa78 ("KVM: Add MCE support")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: Add #include <linux/nospec.h>]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -48,6 +48,7 @@
 #include <linux/pci.h>
 #include <linux/timekeeper_internal.h>
 #include <linux/pvclock_gtod.h>
+#include <linux/nospec.h>
 #include <trace/events/kvm.h>
 
 #define CREATE_TRACE_POINTS
@@ -1916,7 +1917,10 @@ static int set_msr_mce(struct kvm_vcpu *
 	default:
 		if (msr >= MSR_IA32_MC0_CTL &&
 		    msr < MSR_IA32_MCx_CTL(bank_num)) {
-			u32 offset = msr - MSR_IA32_MC0_CTL;
+			u32 offset = array_index_nospec(
+				msr - MSR_IA32_MC0_CTL,
+				MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
+
 			/* only 0 or all 1s can be written to IA32_MCi_CTL
 			 * some Linux kernels though clear bit 10 in bank 4 to
 			 * workaround a BIOS/GART TBL issue on AMD K8s, ignore
@@ -2443,7 +2447,10 @@ static int get_msr_mce(struct kvm_vcpu *
 	default:
 		if (msr >= MSR_IA32_MC0_CTL &&
 		    msr < MSR_IA32_MCx_CTL(bank_num)) {
-			u32 offset = msr - MSR_IA32_MC0_CTL;
+			u32 offset = array_index_nospec(
+				msr - MSR_IA32_MC0_CTL,
+				MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
+
 			data = vcpu->arch.mce_banks[offset];
 			break;
 		}


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 83/99] KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 82/99] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 84/99] KVM: Check for a bad hva before dropping into the ghc slow path Ben Hutchings
                   ` (16 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marios Pomonis, Nick Finco, Jim Mattson,
	Paolo Bonzini, Andrew Honig

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marios Pomonis <pomonis@google.com>

commit ea740059ecb37807ba47b84b33d1447435a8d868 upstream.

This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and
kvm_get_dr().
Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are
exported symbols so KVM should tream them conservatively from a security
perspective.

Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -801,9 +801,11 @@ static void kvm_update_dr7(struct kvm_vc
 
 static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val)
 {
+	size_t size = ARRAY_SIZE(vcpu->arch.db);
+
 	switch (dr) {
 	case 0 ... 3:
-		vcpu->arch.db[dr] = val;
+		vcpu->arch.db[array_index_nospec(dr, size)] = val;
 		if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP))
 			vcpu->arch.eff_db[dr] = val;
 		break;
@@ -848,9 +850,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr);
 
 static int _kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val)
 {
+	size_t size = ARRAY_SIZE(vcpu->arch.db);
+
 	switch (dr) {
 	case 0 ... 3:
-		*val = vcpu->arch.db[dr];
+		*val = vcpu->arch.db[array_index_nospec(dr, size)];
 		break;
 	case 4:
 		if (kvm_read_cr4_bits(vcpu, X86_CR4_DE))


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 84/99] KVM: Check for a bad hva before dropping into the ghc slow path
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 83/99] KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 85/99] of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc Ben Hutchings
                   ` (15 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sean Christopherson, Jim Mattson,
	Paolo Bonzini, Andrew Honig

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit fcfbc617547fc6d9552cb6c1c563b6a90ee98085 upstream.

When reading/writing using the guest/host cache, check for a bad hva
before checking for a NULL memslot, which triggers the slow path for
handing cross-page accesses.  Because the memslot is nullified on error
by __kvm_gfn_to_hva_cache_init(), if the bad hva is encountered after
crossing into a new page, then the kvm_{read,write}_guest() slow path
could potentially write/access the first chunk prior to detecting the
bad hva.

Arguably, performing a partial access is semantically correct from an
architectural perspective, but that behavior is certainly not intended.
In the original implementation, memslot was not explicitly nullified
and therefore the partial access behavior varied based on whether the
memslot itself was null, or if the hva was simply bad.  The current
behavior was introduced as a seemingly unintentional side effect in
commit f1b9dd5eb86c ("kvm: Disallow wraparound in
kvm_gfn_to_hva_cache_init"), which justified the change with "since some
callers don't check the return code from this function, it sit seems
prudent to clear ghc->memslot in the event of an error".

Regardless of intent, the partial access is dependent on _not_ checking
the result of the cache initialization, which is arguably a bug in its
own right, at best simply weird.

Fixes: 8f964525a121 ("KVM: Allow cross page reads and writes from cached translations.")
Cc: Jim Mattson <jmattson@google.com>
Cc: Andrew Honig <ahonig@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 virt/kvm/kvm_main.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1596,12 +1596,12 @@ int kvm_write_guest_cached(struct kvm *k
 	if (slots->generation != ghc->generation)
 		kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
 
-	if (unlikely(!ghc->memslot))
-		return kvm_write_guest(kvm, ghc->gpa, data, len);
-
 	if (kvm_is_error_hva(ghc->hva))
 		return -EFAULT;
 
+	if (unlikely(!ghc->memslot))
+		return kvm_write_guest(kvm, ghc->gpa, data, len);
+
 	r = __copy_to_user((void __user *)ghc->hva, data, len);
 	if (r)
 		return -EFAULT;
@@ -1622,12 +1622,12 @@ int kvm_read_guest_cached(struct kvm *kv
 	if (slots->generation != ghc->generation)
 		kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
 
-	if (unlikely(!ghc->memslot))
-		return kvm_read_guest(kvm, ghc->gpa, data, len);
-
 	if (kvm_is_error_hva(ghc->hva))
 		return -EFAULT;
 
+	if (unlikely(!ghc->memslot))
+		return kvm_read_guest(kvm, ghc->gpa, data, len);
+
 	r = __copy_from_user(data, (void __user *)ghc->hva, len);
 	if (r)
 		return -EFAULT;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 85/99] of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 84/99] KVM: Check for a bad hva before dropping into the ghc slow path Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 86/99] Btrfs: fix race between adding and putting tree mod seq elements and nodes Ben Hutchings
                   ` (14 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Christian Zigotzky, Ulf Hansson,
	Michael Ellerman, Rob Herring

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit dabf6b36b83a18d57e3d4b9d50544ed040d86255 upstream.

There's an OF helper called of_dma_is_coherent(), which checks if a
device has a "dma-coherent" property to see if the device is coherent
for DMA.

But on some platforms devices are coherent by default, and on some
platforms it's not possible to update existing device trees to add the
"dma-coherent" property.

So add a Kconfig symbol to allow arch code to tell
of_dma_is_coherent() that devices are coherent by default, regardless
of the presence of the property.

Select that symbol on powerpc when NOT_COHERENT_CACHE is not set, ie.
when the system has a coherent cache.

Fixes: 92ea637edea3 ("of: introduce of_dma_is_coherent() helper")
Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
Tested-by: Christian Zigotzky <chzigotzky@xenosoft.de>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/Kconfig | 1 +
 drivers/of/Kconfig   | 4 ++++
 drivers/of/address.c | 6 +++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -89,6 +89,7 @@ config PPC
 	select ARCH_MIGHT_HAVE_PC_SERIO
 	select BINFMT_ELF
 	select OF
+	select OF_DMA_DEFAULT_COHERENT		if !NOT_COHERENT_CACHE
 	select OF_EARLY_FLATTREE
 	select OF_RESERVED_MEM
 	select HAVE_FTRACE_MCOUNT_RECORD
--- a/drivers/of/Kconfig
+++ b/drivers/of/Kconfig
@@ -78,4 +78,8 @@ config OF_RESERVED_MEM
 	help
 	  Helpers to allow for reservation of memory regions
 
+config OF_DMA_DEFAULT_COHERENT
+	# arches should select this if DMA is coherent by default for OF devices
+	bool
+
 endmenu # OF
--- a/drivers/of/address.c
+++ b/drivers/of/address.c
@@ -812,12 +812,16 @@ EXPORT_SYMBOL_GPL(of_dma_get_range);
  * @np:	device node
  *
  * It returns true if "dma-coherent" property was found
- * for this device in DT.
+ * for this device in the DT, or if DMA is coherent by
+ * default for OF devices on the current platform.
  */
 bool of_dma_is_coherent(struct device_node *np)
 {
 	struct device_node *node = of_node_get(np);
 
+	if (IS_ENABLED(CONFIG_OF_DMA_DEFAULT_COHERENT))
+		return true;
+
 	while (node) {
 		if (of_property_read_bool(node, "dma-coherent")) {
 			of_node_put(node);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 86/99] Btrfs: fix race between adding and putting tree mod seq elements and nodes
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (84 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 85/99] of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 87/99] mm/mempolicy.c: fix out of bounds write in mpol_parse_str() Ben Hutchings
                   ` (13 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Sterba, Filipe Manana,
	Nikolay Borisov, Josef Bacik

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 7227ff4de55d931bbdc156c8ef0ce4f100c78a5b upstream.

There is a race between adding and removing elements to the tree mod log
list and rbtree that can lead to use-after-free problems.

Consider the following example that explains how/why the problems happens:

1) Task A has mod log element with sequence number 200. It currently is
   the only element in the mod log list;

2) Task A calls btrfs_put_tree_mod_seq() because it no longer needs to
   access the tree mod log. When it enters the function, it initializes
   'min_seq' to (u64)-1. Then it acquires the lock 'tree_mod_seq_lock'
   before checking if there are other elements in the mod seq list.
   Since the list it empty, 'min_seq' remains set to (u64)-1. Then it
   unlocks the lock 'tree_mod_seq_lock';

3) Before task A acquires the lock 'tree_mod_log_lock', task B adds
   itself to the mod seq list through btrfs_get_tree_mod_seq() and gets a
   sequence number of 201;

4) Some other task, name it task C, modifies a btree and because there
   elements in the mod seq list, it adds a tree mod elem to the tree
   mod log rbtree. That node added to the mod log rbtree is assigned
   a sequence number of 202;

5) Task B, which is doing fiemap and resolving indirect back references,
   calls btrfs get_old_root(), with 'time_seq' == 201, which in turn
   calls tree_mod_log_search() - the search returns the mod log node
   from the rbtree with sequence number 202, created by task C;

6) Task A now acquires the lock 'tree_mod_log_lock', starts iterating
   the mod log rbtree and finds the node with sequence number 202. Since
   202 is less than the previously computed 'min_seq', (u64)-1, it
   removes the node and frees it;

7) Task B still has a pointer to the node with sequence number 202, and
   it dereferences the pointer itself and through the call to
   __tree_mod_log_rewind(), resulting in a use-after-free problem.

This issue can be triggered sporadically with the test case generic/561
from fstests, and it happens more frequently with a higher number of
duperemove processes. When it happens to me, it either freezes the VM or
it produces a trace like the following before crashing:

  [ 1245.321140] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
  [ 1245.321200] CPU: 1 PID: 26997 Comm: pool Not tainted 5.5.0-rc6-btrfs-next-52 #1
  [ 1245.321235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
  [ 1245.321287] RIP: 0010:rb_next+0x16/0x50
  [ 1245.321307] Code: ....
  [ 1245.321372] RSP: 0018:ffffa151c4d039b0 EFLAGS: 00010202
  [ 1245.321388] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8ae221363c80 RCX: 6b6b6b6b6b6b6b6b
  [ 1245.321409] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8ae221363c80
  [ 1245.321439] RBP: ffff8ae20fcc4688 R08: 0000000000000002 R09: 0000000000000000
  [ 1245.321475] R10: ffff8ae20b120910 R11: 00000000243f8bb1 R12: 0000000000000038
  [ 1245.321506] R13: ffff8ae221363c80 R14: 000000000000075f R15: ffff8ae223f762b8
  [ 1245.321539] FS:  00007fdee1ec7700(0000) GS:ffff8ae236c80000(0000) knlGS:0000000000000000
  [ 1245.321591] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 1245.321614] CR2: 00007fded4030c48 CR3: 000000021da16003 CR4: 00000000003606e0
  [ 1245.321642] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [ 1245.321668] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  [ 1245.321706] Call Trace:
  [ 1245.321798]  __tree_mod_log_rewind+0xbf/0x280 [btrfs]
  [ 1245.321841]  btrfs_search_old_slot+0x105/0xd00 [btrfs]
  [ 1245.321877]  resolve_indirect_refs+0x1eb/0xc60 [btrfs]
  [ 1245.321912]  find_parent_nodes+0x3dc/0x11b0 [btrfs]
  [ 1245.321947]  btrfs_check_shared+0x115/0x1c0 [btrfs]
  [ 1245.321980]  ? extent_fiemap+0x59d/0x6d0 [btrfs]
  [ 1245.322029]  extent_fiemap+0x59d/0x6d0 [btrfs]
  [ 1245.322066]  do_vfs_ioctl+0x45a/0x750
  [ 1245.322081]  ksys_ioctl+0x70/0x80
  [ 1245.322092]  ? trace_hardirqs_off_thunk+0x1a/0x1c
  [ 1245.322113]  __x64_sys_ioctl+0x16/0x20
  [ 1245.322126]  do_syscall_64+0x5c/0x280
  [ 1245.322139]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
  [ 1245.322155] RIP: 0033:0x7fdee3942dd7
  [ 1245.322177] Code: ....
  [ 1245.322258] RSP: 002b:00007fdee1ec6c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  [ 1245.322294] RAX: ffffffffffffffda RBX: 00007fded40210d8 RCX: 00007fdee3942dd7
  [ 1245.322314] RDX: 00007fded40210d8 RSI: 00000000c020660b RDI: 0000000000000004
  [ 1245.322337] RBP: 0000562aa89e7510 R08: 0000000000000000 R09: 00007fdee1ec6d44
  [ 1245.322369] R10: 0000000000000073 R11: 0000000000000246 R12: 00007fdee1ec6d48
  [ 1245.322390] R13: 00007fdee1ec6d40 R14: 00007fded40210d0 R15: 00007fdee1ec6d50
  [ 1245.322423] Modules linked in: ....
  [ 1245.323443] ---[ end trace 01de1e9ec5dff3cd ]---

Fix this by ensuring that btrfs_put_tree_mod_seq() computes the minimum
sequence number and iterates the rbtree while holding the lock
'tree_mod_log_lock' in write mode. Also get rid of the 'tree_mod_seq_lock'
lock, since it is now redundant.

Fixes: bd989ba359f2ac ("Btrfs: add tree modification log functions")
Fixes: 097b8a7c9e48e2 ("Btrfs: join tree mod log code with the code holding back delayed refs")
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - Use tree_mod_log_write_{,un}lock() in ctree.c for consistency
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/ctree.c             | 8 ++------
 fs/btrfs/ctree.h             | 6 ++----
 fs/btrfs/delayed-ref.c       | 8 ++++----
 fs/btrfs/disk-io.c           | 1 -
 fs/btrfs/tests/btrfs-tests.c | 1 -
 5 files changed, 8 insertions(+), 16 deletions(-)

--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -365,12 +365,10 @@ u64 btrfs_get_tree_mod_seq(struct btrfs_
 			   struct seq_list *elem)
 {
 	tree_mod_log_write_lock(fs_info);
-	spin_lock(&fs_info->tree_mod_seq_lock);
 	if (!elem->seq) {
 		elem->seq = btrfs_inc_tree_mod_seq(fs_info);
 		list_add_tail(&elem->list, &fs_info->tree_mod_seq_list);
 	}
-	spin_unlock(&fs_info->tree_mod_seq_lock);
 	tree_mod_log_write_unlock(fs_info);
 
 	return elem->seq;
@@ -390,7 +388,7 @@ void btrfs_put_tree_mod_seq(struct btrfs
 	if (!seq_putting)
 		return;
 
-	spin_lock(&fs_info->tree_mod_seq_lock);
+	tree_mod_log_write_lock(fs_info);
 	list_del(&elem->list);
 	elem->seq = 0;
 
@@ -401,19 +399,17 @@ void btrfs_put_tree_mod_seq(struct btrfs
 				 * blocker with lower sequence number exists, we
 				 * cannot remove anything from the log
 				 */
-				spin_unlock(&fs_info->tree_mod_seq_lock);
+				tree_mod_log_write_unlock(fs_info);
 				return;
 			}
 			min_seq = cur_elem->seq;
 		}
 	}
-	spin_unlock(&fs_info->tree_mod_seq_lock);
 
 	/*
 	 * anything that's lower than the lowest existing (read: blocked)
 	 * sequence number can be removed from the tree.
 	 */
-	tree_mod_log_write_lock(fs_info);
 	tm_root = &fs_info->tree_mod_log;
 	for (node = rb_first(tm_root); node; node = next) {
 		next = rb_next(node);
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -1502,14 +1502,12 @@ struct btrfs_fs_info {
 	spinlock_t delayed_iput_lock;
 	struct list_head delayed_iputs;
 
-	/* this protects tree_mod_seq_list */
-	spinlock_t tree_mod_seq_lock;
 	atomic64_t tree_mod_seq;
-	struct list_head tree_mod_seq_list;
 
-	/* this protects tree_mod_log */
+	/* this protects tree_mod_log and tree_mod_seq_list */
 	rwlock_t tree_mod_log_lock;
 	struct rb_root tree_mod_log;
+	struct list_head tree_mod_seq_list;
 
 	atomic_t nr_async_submits;
 	atomic_t async_submit_draining;
--- a/fs/btrfs/delayed-ref.c
+++ b/fs/btrfs/delayed-ref.c
@@ -344,7 +344,7 @@ void btrfs_merge_delayed_refs(struct btr
 	if (head->is_data)
 		return;
 
-	spin_lock(&fs_info->tree_mod_seq_lock);
+	read_lock(&fs_info->tree_mod_log_lock);
 	if (!list_empty(&fs_info->tree_mod_seq_list)) {
 		struct seq_list *elem;
 
@@ -352,7 +352,7 @@ void btrfs_merge_delayed_refs(struct btr
 					struct seq_list, list);
 		seq = elem->seq;
 	}
-	spin_unlock(&fs_info->tree_mod_seq_lock);
+	read_unlock(&fs_info->tree_mod_log_lock);
 
 	node = rb_first(&head->ref_root);
 	while (node) {
@@ -377,7 +377,7 @@ int btrfs_check_delayed_seq(struct btrfs
 	struct seq_list *elem;
 	int ret = 0;
 
-	spin_lock(&fs_info->tree_mod_seq_lock);
+	read_lock(&fs_info->tree_mod_log_lock);
 	if (!list_empty(&fs_info->tree_mod_seq_list)) {
 		elem = list_first_entry(&fs_info->tree_mod_seq_list,
 					struct seq_list, list);
@@ -390,7 +390,7 @@ int btrfs_check_delayed_seq(struct btrfs
 		}
 	}
 
-	spin_unlock(&fs_info->tree_mod_seq_lock);
+	read_unlock(&fs_info->tree_mod_log_lock);
 	return ret;
 }
 
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -2167,7 +2167,6 @@ int open_ctree(struct super_block *sb,
 	spin_lock_init(&fs_info->delayed_iput_lock);
 	spin_lock_init(&fs_info->defrag_inodes_lock);
 	spin_lock_init(&fs_info->free_chunk_lock);
-	spin_lock_init(&fs_info->tree_mod_seq_lock);
 	spin_lock_init(&fs_info->super_lock);
 	spin_lock_init(&fs_info->qgroup_op_lock);
 	spin_lock_init(&fs_info->buffer_lock);
--- a/fs/btrfs/tests/btrfs-tests.c
+++ b/fs/btrfs/tests/btrfs-tests.c
@@ -109,7 +109,6 @@ struct btrfs_fs_info *btrfs_alloc_dummy_
 	spin_lock_init(&fs_info->qgroup_op_lock);
 	spin_lock_init(&fs_info->super_lock);
 	spin_lock_init(&fs_info->fs_roots_radix_lock);
-	spin_lock_init(&fs_info->tree_mod_seq_lock);
 	mutex_init(&fs_info->qgroup_ioctl_lock);
 	mutex_init(&fs_info->qgroup_rescan_lock);
 	rwlock_init(&fs_info->tree_mod_log_lock);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 87/99] mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 86/99] Btrfs: fix race between adding and putting tree mod seq elements and nodes Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 88/99] media/v4l2-core: set pages dirty upon releasing DMA buffers Ben Hutchings
                   ` (12 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vlastimil Babka, Hugh Dickins,
	Lee Schermerhorn, Linus Torvalds, syzbot+e64a13c5369a194d67df,
	Andrea Arcangeli, Michal Hocko, Dan Carpenter

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 upstream.

What we are trying to do is change the '=' character to a NUL terminator
and then at the end of the function we restore it back to an '='.  The
problem is there are two error paths where we jump to the end of the
function before we have replaced the '=' with NUL.

We end up putting the '=' in the wrong place (possibly one element
before the start of the buffer).

Link: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain
Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Dmitry Vyukov <dvyukov@google.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/mempolicy.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2687,6 +2687,9 @@ int mpol_parse_str(char *str, struct mem
 	char *flags = strchr(str, '=');
 	int err = 1;
 
+	if (flags)
+		*flags++ = '\0';	/* terminate mode string */
+
 	if (nodelist) {
 		/* NUL-terminate mode or flags string */
 		*nodelist++ = '\0';
@@ -2697,9 +2700,6 @@ int mpol_parse_str(char *str, struct mem
 	} else
 		nodes_clear(nodes);
 
-	if (flags)
-		*flags++ = '\0';	/* terminate mode string */
-
 	for (mode = 0; mode < MPOL_MAX; mode++) {
 		if (!strcmp(str, policy_modes[mode])) {
 			break;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 88/99] media/v4l2-core: set pages dirty upon releasing DMA buffers
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 87/99] mm/mempolicy.c: fix out of bounds write in mpol_parse_str() Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 89/99] tcp: clear tp->total_retrans in tcp_disconnect() Ben Hutchings
                   ` (11 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jens Axboe, Jerome Glisse,
	Aneesh Kumar K.V, John Hubbard, Linus Torvalds, Jan Kara,
	Dan Williams, Jason Gunthorpe, Hans Verkuil, Christoph Hellwig,
	Leon Romanovsky, Alex Williamson, Daniel Vetter, Jonathan Corbet,
	Jason Gunthorpe, Björn Töpel, Ira Weiny, Mike Rapoport,
	Mauro Carvalho Chehab, Kirill A. Shutemov

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: John Hubbard <jhubbard@nvidia.com>

commit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream.

After DMA is complete, and the device and CPU caches are synchronized,
it's still required to mark the CPU pages as dirty, if the data was
coming from the device.  However, this driver was just issuing a bare
put_page() call, without any set_page_dirty*() call.

Fix the problem, by calling set_page_dirty_lock() if the CPU pages were
potentially receiving data from the device.

Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Cc: Björn Töpel <bjorn.topel@intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Leon Romanovsky <leonro@mellanox.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/videobuf-dma-sg.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/videobuf-dma-sg.c
+++ b/drivers/media/v4l2-core/videobuf-dma-sg.c
@@ -316,8 +316,11 @@ int videobuf_dma_free(struct videobuf_dm
 	BUG_ON(dma->sglen);
 
 	if (dma->pages) {
-		for (i = 0; i < dma->nr_pages; i++)
+		for (i = 0; i < dma->nr_pages; i++) {
+			if (dma->direction == DMA_FROM_DEVICE)
+				set_page_dirty_lock(dma->pages[i]);
 			page_cache_release(dma->pages[i]);
+		}
 		kfree(dma->pages);
 		dma->pages = NULL;
 	}


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 89/99] tcp: clear tp->total_retrans in tcp_disconnect()
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 88/99] media/v4l2-core: set pages dirty upon releasing DMA buffers Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 90/99] ALSA: dummy: Fix PCM format loop in proc output Ben Hutchings
                   ` (10 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jakub Kicinski, Eric Dumazet, SeongJae Park

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit c13c48c00a6bc1febc73902505bdec0967bd7095 upstream.

total_retrans needs to be cleared in tcp_disconnect().

tcp_disconnect() is rarely used, but it is worth fixing it.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: SeongJae Park <sjpark@amazon.de>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2363,6 +2363,7 @@ int tcp_disconnect(struct sock *sk, int
 	tp->window_clamp = 0;
 	tcp_set_ca_state(sk, TCP_CA_Open);
 	tcp_clear_retrans(tp);
+	tp->total_retrans = 0;
 	inet_csk_delack_init(sk);
 	/* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
 	 * issue in __tcp_select_window()


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 90/99] ALSA: dummy: Fix PCM format loop in proc output
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 89/99] tcp: clear tp->total_retrans in tcp_disconnect() Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:14 ` [PATCH 3.16 91/99] clocksource: Prevent double add_timer_on() for watchdog_timer Ben Hutchings
                   ` (9 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e upstream.

The loop termination for iterating over all formats should contain
SNDRV_PCM_FORMAT_LAST, not less than it.

Fixes: 9b151fec139d ("ALSA: dummy - Add debug proc file")
Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/drivers/dummy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/drivers/dummy.c
+++ b/sound/drivers/dummy.c
@@ -927,7 +927,7 @@ static void print_formats(struct snd_dum
 {
 	int i;
 
-	for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) {
+	for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) {
 		if (dummy->pcm_hw.formats & (1ULL << i))
 			snd_iprintf(buffer, " %s", snd_pcm_format_name(i));
 	}


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 91/99] clocksource: Prevent double add_timer_on() for watchdog_timer
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 90/99] ALSA: dummy: Fix PCM format loop in proc output Ben Hutchings
@ 2020-05-20 14:14 ` Ben Hutchings
  2020-05-20 14:15 ` [PATCH 3.16 92/99] cls_rsvp: fix rsvp_policy Ben Hutchings
                   ` (8 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Gleixner, Konstantin Khlebnikov

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit febac332a819f0e764aa4da62757ba21d18c182b upstream.

Kernel crashes inside QEMU/KVM are observed:

  kernel BUG at kernel/time/timer.c:1154!
  BUG_ON(timer_pending(timer) || !timer->function) in add_timer_on().

At the same time another cpu got:

  general protection fault: 0000 [#1] SMP PTI of poinson pointer 0xdead000000000200 in:

  __hlist_del at include/linux/list.h:681
  (inlined by) detach_timer at kernel/time/timer.c:818
  (inlined by) expire_timers at kernel/time/timer.c:1355
  (inlined by) __run_timers at kernel/time/timer.c:1686
  (inlined by) run_timer_softirq at kernel/time/timer.c:1699

Unfortunately kernel logs are badly scrambled, stacktraces are lost.

Printing the timer->function before the BUG_ON() pointed to
clocksource_watchdog().

The execution of clocksource_watchdog() can race with a sequence of
clocksource_stop_watchdog() .. clocksource_start_watchdog():

expire_timers()
 detach_timer(timer, true);
  timer->entry.pprev = NULL;
 raw_spin_unlock_irq(&base->lock);
 call_timer_fn
  clocksource_watchdog()

					clocksource_watchdog_kthread() or
					clocksource_unbind()

					spin_lock_irqsave(&watchdog_lock, flags);
					clocksource_stop_watchdog();
					 del_timer(&watchdog_timer);
					 watchdog_running = 0;
					spin_unlock_irqrestore(&watchdog_lock, flags);

					spin_lock_irqsave(&watchdog_lock, flags);
					clocksource_start_watchdog();
					 add_timer_on(&watchdog_timer, ...);
					 watchdog_running = 1;
					spin_unlock_irqrestore(&watchdog_lock, flags);

  spin_lock(&watchdog_lock);
  add_timer_on(&watchdog_timer, ...);
   BUG_ON(timer_pending(timer) || !timer->function);
    timer_pending() -> true
    BUG()

I.e. inside clocksource_watchdog() watchdog_timer could be already armed.

Check timer_pending() before calling add_timer_on(). This is sufficient as
all operations are synchronized by watchdog_lock.

Fixes: 75c5158f70c0 ("timekeeping: Update clocksource with stop_machine")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/158048693917.4378.13823603769948933793.stgit@buzz
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/time/clocksource.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/kernel/time/clocksource.c
+++ b/kernel/time/clocksource.c
@@ -343,8 +343,15 @@ static void clocksource_watchdog(unsigne
 	next_cpu = cpumask_next(raw_smp_processor_id(), cpu_online_mask);
 	if (next_cpu >= nr_cpu_ids)
 		next_cpu = cpumask_first(cpu_online_mask);
-	watchdog_timer.expires += WATCHDOG_INTERVAL;
-	add_timer_on(&watchdog_timer, next_cpu);
+
+	/*
+	 * Arm timer if not already pending: could race with concurrent
+	 * pair clocksource_stop_watchdog() clocksource_start_watchdog().
+	 */
+	if (!timer_pending(&watchdog_timer)) {
+		watchdog_timer.expires += WATCHDOG_INTERVAL;
+		add_timer_on(&watchdog_timer, next_cpu);
+	}
 out:
 	spin_unlock(&watchdog_lock);
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 92/99] cls_rsvp: fix rsvp_policy
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2020-05-20 14:14 ` [PATCH 3.16 91/99] clocksource: Prevent double add_timer_on() for watchdog_timer Ben Hutchings
@ 2020-05-20 14:15 ` Ben Hutchings
  2020-05-20 14:15 ` [PATCH 3.16 93/99] kconfig: fix broken dependency in randconfig-generated .config Ben Hutchings
                   ` (7 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot, Cong Wang, Jakub Kicinski, Eric Dumazet

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 upstream.

NLA_BINARY can be confusing, since .len value represents
the max size of the blob.

cls_rsvp really wants user space to provide long enough data
for TCA_RSVP_DST and TCA_RSVP_SRC attributes.

BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 rsvp_get net/sched/cls_rsvp.h:258 [inline]
 gen_handle net/sched/cls_rsvp.h:402 [inline]
 rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
 tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
 rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
 netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg net/socket.c:659 [inline]
 ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
 ___sys_sendmsg net/socket.c:2384 [inline]
 __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
 slab_alloc_node mm/slub.c:2774 [inline]
 __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
 __kmalloc_reserve net/core/skbuff.c:141 [inline]
 __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
 alloc_skb include/linux/skbuff.h:1049 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
 netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg net/socket.c:659 [inline]
 ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
 ___sys_sendmsg net/socket.c:2384 [inline]
 __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/cls_rsvp.h | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -404,10 +404,8 @@ static u32 gen_tunnel(struct rsvp_head *
 
 static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
 	[TCA_RSVP_CLASSID]	= { .type = NLA_U32 },
-	[TCA_RSVP_DST]		= { .type = NLA_BINARY,
-				    .len = RSVP_DST_LEN * sizeof(u32) },
-	[TCA_RSVP_SRC]		= { .type = NLA_BINARY,
-				    .len = RSVP_DST_LEN * sizeof(u32) },
+	[TCA_RSVP_DST]		= { .len = RSVP_DST_LEN * sizeof(u32) },
+	[TCA_RSVP_SRC]		= { .len = RSVP_DST_LEN * sizeof(u32) },
 	[TCA_RSVP_PINFO]	= { .len = sizeof(struct tc_rsvp_pinfo) },
 };
 


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 93/99] kconfig: fix broken dependency in randconfig-generated .config
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (91 preceding siblings ...)
  2020-05-20 14:15 ` [PATCH 3.16 92/99] cls_rsvp: fix rsvp_policy Ben Hutchings
@ 2020-05-20 14:15 ` Ben Hutchings
  2020-05-20 14:15 ` [PATCH 3.16 94/99] nfs: use kmap/kunmap directly Ben Hutchings
                   ` (6 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vincenzo Frascino, Masahiro Yamada

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <masahiroy@kernel.org>

commit c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 upstream.

Running randconfig on arm64 using KCONFIG_SEED=0x40C5E904 (e.g. on v5.5)
produces the .config with CONFIG_EFI=y and CONFIG_CPU_BIG_ENDIAN=y,
which does not meet the !CONFIG_CPU_BIG_ENDIAN dependency.

This is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs
CONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the
value of CONFIG_EFI is calculated.

When this happens, the has_changed flag should be set.

Currently, it takes the result from the last iteration. It should
accumulate all the results of the loop.

Fixes: 3b9a19e08960 ("kconfig: loop as long as we changed some symbols in randconfig")
Reported-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/kconfig/confdata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -1231,7 +1231,7 @@ bool conf_set_all_new_symbols(enum conf_
 
 		sym_calc_value(csym);
 		if (mode == def_random)
-			has_changed = randomize_choice_values(csym);
+			has_changed |= randomize_choice_values(csym);
 		else {
 			set_all_choice_values(csym);
 			has_changed = true;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 94/99] nfs: use kmap/kunmap directly
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2020-05-20 14:15 ` [PATCH 3.16 93/99] kconfig: fix broken dependency in randconfig-generated .config Ben Hutchings
@ 2020-05-20 14:15 ` Ben Hutchings
  2020-05-20 14:15 ` [PATCH 3.16 95/99] NFS: Fix memory leaks and corruption in readdir Ben Hutchings
                   ` (5 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Fabian Frederick, Trond Myklebust

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Fabian Frederick <fabf@skynet.be>

commit 0795bf8357c1887e2a95e6e4f5b89d0896a0d929 upstream.

This patch removes useless nfs_readdir_get_array() and
nfs_readdir_release_array() as suggested by Trond Myklebust

nfs_readdir() calls nfs_revalidate_mapping() before
readdir_search_pagecache() , nfs_do_filldir(), uncached_readdir()
so mapping should be correct.

While kmap() can't fail, all subsequent error checks were removed
as well as unused labels.

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/dir.c | 67 ++++++++++------------------------------------------
 1 file changed, 12 insertions(+), 55 deletions(-)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -170,27 +170,6 @@ typedef struct {
 } nfs_readdir_descriptor_t;
 
 /*
- * The caller is responsible for calling nfs_readdir_release_array(page)
- */
-static
-struct nfs_cache_array *nfs_readdir_get_array(struct page *page)
-{
-	void *ptr;
-	if (page == NULL)
-		return ERR_PTR(-EIO);
-	ptr = kmap(page);
-	if (ptr == NULL)
-		return ERR_PTR(-ENOMEM);
-	return ptr;
-}
-
-static
-void nfs_readdir_release_array(struct page *page)
-{
-	kunmap(page);
-}
-
-/*
  * we are freeing strings created by nfs_add_to_readdir_array()
  */
 static
@@ -229,13 +208,10 @@ int nfs_readdir_make_qstr(struct qstr *s
 static
 int nfs_readdir_add_to_array(struct nfs_entry *entry, struct page *page)
 {
-	struct nfs_cache_array *array = nfs_readdir_get_array(page);
+	struct nfs_cache_array *array = kmap(page);
 	struct nfs_cache_array_entry *cache_entry;
 	int ret;
 
-	if (IS_ERR(array))
-		return PTR_ERR(array);
-
 	cache_entry = &array->array[array->size];
 
 	/* Check that this entry lies within the page bounds */
@@ -254,7 +230,7 @@ int nfs_readdir_add_to_array(struct nfs_
 	if (entry->eof != 0)
 		array->eof_index = array->size;
 out:
-	nfs_readdir_release_array(page);
+	kunmap(page);
 	return ret;
 }
 
@@ -343,11 +319,7 @@ int nfs_readdir_search_array(nfs_readdir
 	struct nfs_cache_array *array;
 	int status;
 
-	array = nfs_readdir_get_array(desc->page);
-	if (IS_ERR(array)) {
-		status = PTR_ERR(array);
-		goto out;
-	}
+	array = kmap(desc->page);
 
 	if (*desc->dir_cookie == 0)
 		status = nfs_readdir_search_for_pos(array, desc);
@@ -359,8 +331,7 @@ int nfs_readdir_search_array(nfs_readdir
 		desc->current_index += array->size;
 		desc->page_index++;
 	}
-	nfs_readdir_release_array(desc->page);
-out:
+	kunmap(desc->page);
 	return status;
 }
 
@@ -551,13 +522,10 @@ int nfs_readdir_page_filler(nfs_readdir_
 	} while (!entry->eof);
 
 	if (count == 0 || (status == -EBADCOOKIE && entry->eof != 0)) {
-		array = nfs_readdir_get_array(page);
-		if (!IS_ERR(array)) {
-			array->eof_index = array->size;
-			status = 0;
-			nfs_readdir_release_array(page);
-		} else
-			status = PTR_ERR(array);
+		array = kmap(page);
+		array->eof_index = array->size;
+		status = 0;
+		kunmap(page);
 	}
 
 	put_page(scratch);
@@ -627,11 +595,7 @@ int nfs_readdir_xdr_to_array(nfs_readdir
 		goto out;
 	}
 
-	array = nfs_readdir_get_array(page);
-	if (IS_ERR(array)) {
-		status = PTR_ERR(array);
-		goto out_label_free;
-	}
+	array = kmap(page);
 	memset(array, 0, sizeof(struct nfs_cache_array));
 	array->eof_index = -1;
 
@@ -655,8 +619,7 @@ int nfs_readdir_xdr_to_array(nfs_readdir
 
 	nfs_readdir_free_large_page(pages_ptr, pages, array_size);
 out_release_array:
-	nfs_readdir_release_array(page);
-out_label_free:
+	kunmap(page);
 	nfs4_label_free(entry.label);
 out:
 	nfs_free_fattr(entry.fattr);
@@ -754,12 +717,7 @@ int nfs_do_filldir(nfs_readdir_descripto
 	struct nfs_cache_array *array = NULL;
 	struct nfs_open_dir_context *ctx = file->private_data;
 
-	array = nfs_readdir_get_array(desc->page);
-	if (IS_ERR(array)) {
-		res = PTR_ERR(array);
-		goto out;
-	}
-
+	array = kmap(desc->page);
 	for (i = desc->cache_entry_index; i < array->size; i++) {
 		struct nfs_cache_array_entry *ent;
 
@@ -780,8 +738,7 @@ int nfs_do_filldir(nfs_readdir_descripto
 	if (array->eof_index >= 0)
 		desc->eof = 1;
 
-	nfs_readdir_release_array(desc->page);
-out:
+	kunmap(desc->page);
 	cache_page_release(desc);
 	dfprintk(DIRCACHE, "NFS: nfs_do_filldir() filling ended @ cookie %Lu; returning = %d\n",
 			(unsigned long long)*desc->dir_cookie, res);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 95/99] NFS: Fix memory leaks and corruption in readdir
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (93 preceding siblings ...)
  2020-05-20 14:15 ` [PATCH 3.16 94/99] nfs: use kmap/kunmap directly Ben Hutchings
@ 2020-05-20 14:15 ` Ben Hutchings
  2020-05-20 14:15 ` [PATCH 3.16 96/99] NFS: Directory page cache pages need to be locked when read Ben Hutchings
                   ` (4 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Benjamin Coddington, Trond Myklebust,
	Trond Myklebust, Anna Schumaker

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trondmy@gmail.com>

commit 4b310319c6a8ce708f1033d57145e2aa027a883c upstream.

nfs_readdir_xdr_to_array() must not exit without having initialised
the array, so that the page cache deletion routines can safely
call nfs_readdir_clear_array().
Furthermore, we should ensure that if we exit nfs_readdir_filler()
with an error, we free up any page contents to prevent a leak
if we try to fill the page again.

Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/dir.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -169,6 +169,17 @@ typedef struct {
 	unsigned int	eof:1;
 } nfs_readdir_descriptor_t;
 
+static
+void nfs_readdir_init_array(struct page *page)
+{
+	struct nfs_cache_array *array;
+
+	array = kmap_atomic(page);
+	memset(array, 0, sizeof(struct nfs_cache_array));
+	array->eof_index = -1;
+	kunmap_atomic(array);
+}
+
 /*
  * we are freeing strings created by nfs_add_to_readdir_array()
  */
@@ -181,6 +192,7 @@ void nfs_readdir_clear_array(struct page
 	array = kmap_atomic(page);
 	for (i = 0; i < array->size; i++)
 		kfree(array->array[i].string.name);
+	array->size = 0;
 	kunmap_atomic(array);
 }
 
@@ -580,6 +592,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir
 	int status = -ENOMEM;
 	unsigned int array_size = ARRAY_SIZE(pages);
 
+	nfs_readdir_init_array(page);
+
 	entry.prev_cookie = 0;
 	entry.cookie = desc->last_cookie;
 	entry.eof = 0;
@@ -596,8 +610,6 @@ int nfs_readdir_xdr_to_array(nfs_readdir
 	}
 
 	array = kmap(page);
-	memset(array, 0, sizeof(struct nfs_cache_array));
-	array->eof_index = -1;
 
 	status = nfs_readdir_large_page(pages, array_size);
 	if (status < 0)
@@ -651,6 +663,7 @@ int nfs_readdir_filler(nfs_readdir_descr
 	unlock_page(page);
 	return 0;
  error:
+	nfs_readdir_clear_array(page);
 	unlock_page(page);
 	return ret;
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 96/99] NFS: Directory page cache pages need to be locked when read
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2020-05-20 14:15 ` [PATCH 3.16 95/99] NFS: Fix memory leaks and corruption in readdir Ben Hutchings
@ 2020-05-20 14:15 ` Ben Hutchings
  2020-05-20 14:15 ` [PATCH 3.16 97/99] cifs: fail i/o on soft mounts if sessionsetup errors out Ben Hutchings
                   ` (3 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Anna Schumaker, Trond Myklebust,
	Trond Myklebust, Benjamin Coddington

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trondmy@gmail.com>

commit 114de38225d9b300f027e2aec9afbb6e0def154b upstream.

When a NFS directory page cache page is removed from the page cache,
its contents are freed through a call to nfs_readdir_clear_array().
To prevent the removal of the page cache entry until after we've
finished reading it, we must take the page lock.

Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/dir.c | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -671,8 +671,6 @@ int nfs_readdir_filler(nfs_readdir_descr
 static
 void cache_page_release(nfs_readdir_descriptor_t *desc)
 {
-	if (!desc->page->mapping)
-		nfs_readdir_clear_array(desc->page);
 	page_cache_release(desc->page);
 	desc->page = NULL;
 }
@@ -686,19 +684,28 @@ struct page *get_cache_page(nfs_readdir_
 
 /*
  * Returns 0 if desc->dir_cookie was found on page desc->page_index
+ * and locks the page to prevent removal from the page cache.
  */
 static
-int find_cache_page(nfs_readdir_descriptor_t *desc)
+int find_and_lock_cache_page(nfs_readdir_descriptor_t *desc)
 {
 	int res;
 
 	desc->page = get_cache_page(desc);
 	if (IS_ERR(desc->page))
 		return PTR_ERR(desc->page);
-
-	res = nfs_readdir_search_array(desc);
+	res = lock_page_killable(desc->page);
 	if (res != 0)
-		cache_page_release(desc);
+		goto error;
+	res = -EAGAIN;
+	if (desc->page->mapping != NULL) {
+		res = nfs_readdir_search_array(desc);
+		if (res == 0)
+			return 0;
+	}
+	unlock_page(desc->page);
+error:
+	cache_page_release(desc);
 	return res;
 }
 
@@ -713,7 +720,7 @@ int readdir_search_pagecache(nfs_readdir
 		desc->last_cookie = 0;
 	}
 	do {
-		res = find_cache_page(desc);
+		res = find_and_lock_cache_page(desc);
 	} while (res == -EAGAIN);
 	return res;
 }
@@ -752,7 +759,6 @@ int nfs_do_filldir(nfs_readdir_descripto
 		desc->eof = 1;
 
 	kunmap(desc->page);
-	cache_page_release(desc);
 	dfprintk(DIRCACHE, "NFS: nfs_do_filldir() filling ended @ cookie %Lu; returning = %d\n",
 			(unsigned long long)*desc->dir_cookie, res);
 	return res;
@@ -798,13 +804,13 @@ int uncached_readdir(nfs_readdir_descrip
 
 	status = nfs_do_filldir(desc);
 
+ out_release:
+	nfs_readdir_clear_array(desc->page);
+	cache_page_release(desc);
  out:
 	dfprintk(DIRCACHE, "NFS: %s: returns %d\n",
 			__func__, status);
 	return status;
- out_release:
-	cache_page_release(desc);
-	goto out;
 }
 
 /* The file offset position represents the dirent entry number.  A
@@ -870,6 +876,8 @@ static int nfs_readdir(struct file *file
 			break;
 
 		res = nfs_do_filldir(desc);
+		unlock_page(desc->page);
+		cache_page_release(desc);
 		if (res < 0)
 			break;
 	} while (!desc->eof);


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 97/99] cifs: fail i/o on soft mounts if sessionsetup errors out
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (95 preceding siblings ...)
  2020-05-20 14:15 ` [PATCH 3.16 96/99] NFS: Directory page cache pages need to be locked when read Ben Hutchings
@ 2020-05-20 14:15 ` Ben Hutchings
  2020-05-20 14:15 ` [PATCH 3.16 98/99] bonding/alb: properly access headers in bond_alb_xmit() Ben Hutchings
                   ` (2 subsequent siblings)
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ronnie Sahlberg, Steve French

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit b0dd940e582b6a60296b9847a54012a4b080dc72 upstream.

RHBZ: 1579050

If we have a soft mount we should fail commands for session-setup
failures (such as the password having changed/ account being deleted/ ...)
and return an error back to the application.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2pdu.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -250,9 +250,14 @@ smb2_reconnect(__le16 smb2_command, stru
 	 */
 	mutex_lock(&tcon->ses->session_mutex);
 	rc = cifs_negotiate_protocol(0, tcon->ses);
-	if (!rc && tcon->ses->need_reconnect)
+	if (!rc && tcon->ses->need_reconnect) {
 		rc = cifs_setup_session(0, tcon->ses, nls_codepage);
-
+		if ((rc == -EACCES) && !tcon->retry) {
+			rc = -EHOSTDOWN;
+			mutex_unlock(&tcon->ses->session_mutex);
+			goto failed;
+		}
+	}
 	if (rc || !tcon->need_reconnect) {
 		mutex_unlock(&tcon->ses->session_mutex);
 		goto out;
@@ -290,6 +295,7 @@ out:
 	case SMB2_SET_INFO:
 		rc = -EAGAIN;
 	}
+failed:
 	unload_nls(nls_codepage);
 	return rc;
 }


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 98/99] bonding/alb: properly access headers in bond_alb_xmit()
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2020-05-20 14:15 ` [PATCH 3.16 97/99] cifs: fail i/o on soft mounts if sessionsetup errors out Ben Hutchings
@ 2020-05-20 14:15 ` Ben Hutchings
  2020-05-20 14:15 ` [PATCH 3.16 99/99] sunrpc: expiry_time should be seconds not timeval Ben Hutchings
  2020-05-20 21:23 ` [PATCH 3.16 00/99] 3.16.84-rc1 review Guenter Roeck
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Dumazet, Andy Gospodarek,
	David S. Miller, syzbot, Veaceslav Falico, Jay Vosburgh

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 38f88c45404293bbc027b956def6c10cbd45c616 upstream.

syzbot managed to send an IPX packet through bond_alb_xmit()
and af_packet and triggered a use-after-free.

First, bond_alb_xmit() was using ipx_hdr() helper to reach
the IPX header, but ipx_hdr() was using the transport offset
instead of the network offset. In the particular syzbot
report transport offset was 0xFFFF

This patch removes ipx_hdr() since it was only (mis)used from bonding.

Then we need to make sure IPv4/IPv6/IPX headers are pulled
in skb->head before dereferencing anything.

BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
 (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 [<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
 [<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
 [<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
 [<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
 [<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
 [<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
 [<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
 [<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
 [<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
 [<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
 [<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
 [<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
 [<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
 [<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
 [<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
 [<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
 [<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
 [<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
 [<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
 [<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
 [<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
 [<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
 [<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Don't delete ipx_hdr() as it's still used by net/ipx here
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/bonding/bond_alb.c
+++ b/drivers/net/bonding/bond_alb.c
@@ -1450,26 +1450,31 @@ int bond_alb_xmit(struct sk_buff *skb, s
 	bool do_tx_balance = true;
 	u32 hash_index = 0;
 	const u8 *hash_start = NULL;
-	struct ipv6hdr *ip6hdr;
 
 	skb_reset_mac_header(skb);
 	eth_data = eth_hdr(skb);
 
 	switch (ntohs(skb->protocol)) {
 	case ETH_P_IP: {
-		const struct iphdr *iph = ip_hdr(skb);
+		const struct iphdr *iph;
 
 		if (ether_addr_equal_64bits(eth_data->h_dest, mac_bcast) ||
-		    (iph->daddr == ip_bcast) ||
-		    (iph->protocol == IPPROTO_IGMP)) {
+		    !pskb_network_may_pull(skb, sizeof(*iph))) {
+			do_tx_balance = false;
+			break;
+		}
+		iph = ip_hdr(skb);
+		if (iph->daddr == ip_bcast || iph->protocol == IPPROTO_IGMP) {
 			do_tx_balance = false;
 			break;
 		}
 		hash_start = (char *)&(iph->daddr);
 		hash_size = sizeof(iph->daddr);
-	}
 		break;
-	case ETH_P_IPV6:
+	}
+	case ETH_P_IPV6: {
+		const struct ipv6hdr *ip6hdr;
+
 		/* IPv6 doesn't really use broadcast mac address, but leave
 		 * that here just in case.
 		 */
@@ -1486,7 +1491,11 @@ int bond_alb_xmit(struct sk_buff *skb, s
 			break;
 		}
 
-		/* Additianally, DAD probes should not be tx-balanced as that
+		if (!pskb_network_may_pull(skb, sizeof(*ip6hdr))) {
+			do_tx_balance = false;
+			break;
+		}
+		/* Additionally, DAD probes should not be tx-balanced as that
 		 * will lead to false positives for duplicate addresses and
 		 * prevent address configuration from working.
 		 */
@@ -1496,17 +1505,26 @@ int bond_alb_xmit(struct sk_buff *skb, s
 			break;
 		}
 
-		hash_start = (char *)&(ipv6_hdr(skb)->daddr);
-		hash_size = sizeof(ipv6_hdr(skb)->daddr);
+		hash_start = (char *)&ip6hdr->daddr;
+		hash_size = sizeof(ip6hdr->daddr);
 		break;
-	case ETH_P_IPX:
-		if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) {
+	}
+	case ETH_P_IPX: {
+		const struct ipxhdr *ipxhdr;
+
+		if (pskb_network_may_pull(skb, sizeof(*ipxhdr))) {
+			do_tx_balance = false;
+			break;
+		}
+		ipxhdr = (struct ipxhdr *)skb_network_header(skb);
+
+		if (ipxhdr->ipx_checksum != IPX_NO_CHECKSUM) {
 			/* something is wrong with this packet */
 			do_tx_balance = false;
 			break;
 		}
 
-		if (ipx_hdr(skb)->ipx_type != IPX_TYPE_NCP) {
+		if (ipxhdr->ipx_type != IPX_TYPE_NCP) {
 			/* The only protocol worth balancing in
 			 * this family since it has an "ARP" like
 			 * mechanism
@@ -1515,9 +1533,11 @@ int bond_alb_xmit(struct sk_buff *skb, s
 			break;
 		}
 
+		eth_data = eth_hdr(skb);
 		hash_start = (char *)eth_data->h_dest;
 		hash_size = ETH_ALEN;
 		break;
+	}
 	case ETH_P_ARP:
 		do_tx_balance = false;
 		if (bond_info->rlb_enabled)


^ permalink raw reply	[flat|nested] 112+ messages in thread

* [PATCH 3.16 99/99] sunrpc: expiry_time should be seconds not timeval
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2020-05-20 14:15 ` [PATCH 3.16 98/99] bonding/alb: properly access headers in bond_alb_xmit() Ben Hutchings
@ 2020-05-20 14:15 ` Ben Hutchings
  2020-05-20 21:23 ` [PATCH 3.16 00/99] 3.16.84-rc1 review Guenter Roeck
  99 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 14:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, J. Bruce Fields,
	Roberto Bergantinos Corpas, Frank Sorenson

3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roberto Bergantinos Corpas <rbergant@redhat.com>

commit 3d96208c30f84d6edf9ab4fac813306ac0d20c10 upstream.

When upcalling gssproxy, cache_head.expiry_time is set as a
timeval, not seconds since boot. As such, RPC cache expiry
logic will not clean expired objects created under
auth.rpcsec.context cache.

This has proven to cause kernel memory leaks on field. Using
64 bit variants of getboottime/timespec

Expiration times have worked this way since 2010's c5b29f885afe "sunrpc:
use seconds since boot in expiry cache".  The gssproxy code introduced
in 2012 added gss_proxy_save_rsc and introduced the bug.  That's a while
for this to lurk, but it required a bit of an extreme case to make it
obvious.

Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
Fixes: 030d794bf498 "SUNRPC: Use gssproxy upcall for server..."
Tested-By: Frank Sorenson <sorenson@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
[bwh: Backported to 3.16: Use struct timespec and getboottime()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/auth_gss/svcauth_gss.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1171,6 +1171,7 @@ static int gss_proxy_save_rsc(struct cac
 		dprintk("RPC:       No creds found!\n");
 		goto out;
 	} else {
+		struct timespec boot;
 
 		/* steal creds */
 		rsci.cred = ud->creds;
@@ -1191,6 +1192,9 @@ static int gss_proxy_save_rsc(struct cac
 						&expiry, GFP_KERNEL);
 		if (status)
 			goto out;
+
+		getboottime(&boot);
+		expiry -= boot.tv_sec;
 	}
 
 	rsci.h.expiry_time = expiry;


^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 37/99] clk: tegra: Mark fuse clock as critical
  2020-05-20 14:14 ` [PATCH 3.16 37/99] clk: tegra: Mark fuse clock as critical Ben Hutchings
@ 2020-05-20 15:51   ` Ben Hutchings
  0 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 15:51 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jonathan Hunter, Thierry Reding, Stephen Warren

[-- Attachment #1: Type: text/plain, Size: 2230 bytes --]

On Wed, 2020-05-20 at 15:14 +0100, Ben Hutchings wrote:
> 3.16.84-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Stephen Warren <swarren@nvidia.com>
> 
> commit bf83b96f87ae2abb1e535306ea53608e8de5dfbb upstream.

I've now dropped this, as CLK_IS_CRITICAL is not implemented on 3.16.

Ben.

> For a little over a year, U-Boot on Tegra124 has configured the flow
> controller to perform automatic RAM re-repair on off->on power
> transitions of the CPU rail[1]. This is mandatory for correct operation
> of Tegra124. However, RAM re-repair relies on certain clocks, which the
> kernel must enable and leave running. The fuse clock is one of those
> clocks. Mark this clock as critical so that LP1 power mode (system
> suspend) operates correctly.
> 
> [1] 3cc7942a4ae5 ARM: tegra: implement RAM repair
> 
> Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
> Signed-off-by: Stephen Warren <swarren@nvidia.com>
> Signed-off-by: Thierry Reding <treding@nvidia.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  drivers/clk/tegra/clk-tegra-periph.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> --- a/drivers/clk/tegra/clk-tegra-periph.c
> +++ b/drivers/clk/tegra/clk-tegra-periph.c
> @@ -517,7 +517,11 @@ static struct tegra_periph_init_data gat
>  	GATE("vcp", "clk_m", 29, 0, tegra_clk_vcp, 0),
>  	GATE("apbdma", "clk_m", 34, 0, tegra_clk_apbdma, 0),
>  	GATE("kbc", "clk_32k", 36, TEGRA_PERIPH_ON_APB | TEGRA_PERIPH_NO_RESET, tegra_clk_kbc, 0),
> -	GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, 0),
> +	/*
> +	 * Critical for RAM re-repair operation, which must occur on resume
> +	 * from LP1 system suspend and as part of CCPLEX cluster switching.
> +	 */
> +	GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, CLK_IS_CRITICAL),
>  	GATE("fuse_burn", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse_burn, 0),
>  	GATE("kfuse", "clk_m", 40, TEGRA_PERIPH_ON_APB, tegra_clk_kfuse, 0),
>  	GATE("apbif", "clk_m", 107, TEGRA_PERIPH_ON_APB, tegra_clk_apbif, 0),
> 
-- 
Ben Hutchings
All the simple programs have been written, and all the good names taken



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 43/99] efi: Use early_mem*() instead of early_io*()
  2020-05-20 14:14 ` [PATCH 3.16 43/99] efi: Use early_mem*() instead of early_io*() Ben Hutchings
@ 2020-05-20 15:53   ` Ben Hutchings
  0 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-20 15:53 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Daniel Kiper, Matt Fleming, Mark Salter,
	Leif Lindholm

[-- Attachment #1: Type: text/plain, Size: 6594 bytes --]

On Wed, 2020-05-20 at 15:14 +0100, Ben Hutchings wrote:
> 3.16.84-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Daniel Kiper <daniel.kiper@oracle.com>
> 
> commit abc93f8eb6e46a480485f19256bdbda36ec78a84 upstream.

I've now seen that this depends on the preceding commit 4fa62481e231
"arch/ia64: Define early_memunmap()".  I've queued that up as well.

Ben.

> Use early_mem*() instead of early_io*() because all mapped EFI regions
> are memory (usually RAM but they could also be ROM, EPROM, EEPROM, flash,
> etc.) not I/O regions. Additionally, I/O family calls do not work correctly
> under Xen in our case. early_ioremap() skips the PFN to MFN conversion
> when building the PTE. Using it for memory will attempt to map the wrong
> machine frame. However, all artificial EFI structures created under Xen
> live in dom0 memory and should be mapped/unmapped using early_mem*() family
> calls which map domain memory.
> 
> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
> Cc: Leif Lindholm <leif.lindholm@linaro.org>
> Cc: Mark Salter <msalter@redhat.com>
> Signed-off-by: Matt Fleming <matt.fleming@intel.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  arch/x86/platform/efi/efi.c | 28 ++++++++++++++--------------
>  drivers/firmware/efi/efi.c  |  4 ++--
>  2 files changed, 16 insertions(+), 16 deletions(-)
> 
> --- a/arch/x86/platform/efi/efi.c
> +++ b/arch/x86/platform/efi/efi.c
> @@ -435,7 +435,7 @@ void __init efi_unmap_memmap(void)
>  {
>  	clear_bit(EFI_MEMMAP, &efi.flags);
>  	if (memmap.map) {
> -		early_iounmap(memmap.map, memmap.nr_map * memmap.desc_size);
> +		early_memunmap(memmap.map, memmap.nr_map * memmap.desc_size);
>  		memmap.map = NULL;
>  	}
>  }
> @@ -475,12 +475,12 @@ static int __init efi_systab_init(void *
>  			if (!data)
>  				return -ENOMEM;
>  		}
> -		systab64 = early_ioremap((unsigned long)phys,
> +		systab64 = early_memremap((unsigned long)phys,
>  					 sizeof(*systab64));
>  		if (systab64 == NULL) {
>  			pr_err("Couldn't map the system table!\n");
>  			if (data)
> -				early_iounmap(data, sizeof(*data));
> +				early_memunmap(data, sizeof(*data));
>  			return -ENOMEM;
>  		}
>  
> @@ -512,9 +512,9 @@ static int __init efi_systab_init(void *
>  					   systab64->tables;
>  		tmp |= data ? data->tables : systab64->tables;
>  
> -		early_iounmap(systab64, sizeof(*systab64));
> +		early_memunmap(systab64, sizeof(*systab64));
>  		if (data)
> -			early_iounmap(data, sizeof(*data));
> +			early_memunmap(data, sizeof(*data));
>  #ifdef CONFIG_X86_32
>  		if (tmp >> 32) {
>  			pr_err("EFI data located above 4GB, disabling EFI.\n");
> @@ -524,7 +524,7 @@ static int __init efi_systab_init(void *
>  	} else {
>  		efi_system_table_32_t *systab32;
>  
> -		systab32 = early_ioremap((unsigned long)phys,
> +		systab32 = early_memremap((unsigned long)phys,
>  					 sizeof(*systab32));
>  		if (systab32 == NULL) {
>  			pr_err("Couldn't map the system table!\n");
> @@ -545,7 +545,7 @@ static int __init efi_systab_init(void *
>  		efi_systab.nr_tables = systab32->nr_tables;
>  		efi_systab.tables = systab32->tables;
>  
> -		early_iounmap(systab32, sizeof(*systab32));
> +		early_memunmap(systab32, sizeof(*systab32));
>  	}
>  
>  	efi.systab = &efi_systab;
> @@ -571,7 +571,7 @@ static int __init efi_runtime_init32(voi
>  {
>  	efi_runtime_services_32_t *runtime;
>  
> -	runtime = early_ioremap((unsigned long)efi.systab->runtime,
> +	runtime = early_memremap((unsigned long)efi.systab->runtime,
>  			sizeof(efi_runtime_services_32_t));
>  	if (!runtime) {
>  		pr_err("Could not map the runtime service table!\n");
> @@ -586,7 +586,7 @@ static int __init efi_runtime_init32(voi
>  	efi_phys.set_virtual_address_map =
>  			(efi_set_virtual_address_map_t *)
>  			(unsigned long)runtime->set_virtual_address_map;
> -	early_iounmap(runtime, sizeof(efi_runtime_services_32_t));
> +	early_memunmap(runtime, sizeof(efi_runtime_services_32_t));
>  
>  	return 0;
>  }
> @@ -595,7 +595,7 @@ static int __init efi_runtime_init64(voi
>  {
>  	efi_runtime_services_64_t *runtime;
>  
> -	runtime = early_ioremap((unsigned long)efi.systab->runtime,
> +	runtime = early_memremap((unsigned long)efi.systab->runtime,
>  			sizeof(efi_runtime_services_64_t));
>  	if (!runtime) {
>  		pr_err("Could not map the runtime service table!\n");
> @@ -610,7 +610,7 @@ static int __init efi_runtime_init64(voi
>  	efi_phys.set_virtual_address_map =
>  			(efi_set_virtual_address_map_t *)
>  			(unsigned long)runtime->set_virtual_address_map;
> -	early_iounmap(runtime, sizeof(efi_runtime_services_64_t));
> +	early_memunmap(runtime, sizeof(efi_runtime_services_64_t));
>  
>  	return 0;
>  }
> @@ -641,7 +641,7 @@ static int __init efi_runtime_init(void)
>  static int __init efi_memmap_init(void)
>  {
>  	/* Map the EFI memory map */
> -	memmap.map = early_ioremap((unsigned long)memmap.phys_map,
> +	memmap.map = early_memremap((unsigned long)memmap.phys_map,
>  				   memmap.nr_map * memmap.desc_size);
>  	if (memmap.map == NULL) {
>  		pr_err("Could not map the memory map!\n");
> @@ -745,14 +745,14 @@ void __init efi_init(void)
>  	/*
>  	 * Show what we know for posterity
>  	 */
> -	c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
> +	c16 = tmp = early_memremap(efi.systab->fw_vendor, 2);
>  	if (c16) {
>  		for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
>  			vendor[i] = *c16++;
>  		vendor[i] = '\0';
>  	} else
>  		pr_err("Could not map the firmware vendor!\n");
> -	early_iounmap(tmp, 2);
> +	early_memunmap(tmp, 2);
>  
>  	pr_info("EFI v%u.%.02u by %s\n",
>  		efi.systab->hdr.revision >> 16,
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
> @@ -295,7 +295,7 @@ int __init efi_config_init(efi_config_ta
>  			if (table64 >> 32) {
>  				pr_cont("\n");
>  				pr_err("Table located above 4GB, disabling EFI.\n");
> -				early_iounmap(config_tables,
> +				early_memunmap(config_tables,
>  					       efi.systab->nr_tables * sz);
>  				return -EINVAL;
>  			}
> @@ -311,7 +311,7 @@ int __init efi_config_init(efi_config_ta
>  		tablep += sz;
>  	}
>  	pr_cont("\n");
> -	early_iounmap(config_tables, efi.systab->nr_tables * sz);
> +	early_memunmap(config_tables, efi.systab->nr_tables * sz);
>  
>  	set_bit(EFI_CONFIG_TABLES, &efi.flags);
>  
> 
-- 
Ben Hutchings
All the simple programs have been written, and all the good names taken


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 00/99] 3.16.84-rc1 review
  2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2020-05-20 14:15 ` [PATCH 3.16 99/99] sunrpc: expiry_time should be seconds not timeval Ben Hutchings
@ 2020-05-20 21:23 ` Guenter Roeck
  2020-05-21  2:47   ` Chen-Yu Tsai
  2020-05-21 20:20   ` Ben Hutchings
  99 siblings, 2 replies; 112+ messages in thread
From: Guenter Roeck @ 2020-05-20 21:23 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov

On 5/20/20 7:13 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.84 release.
> There are 99 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri May 22 20:00:00 UTC 2020.
> Anything received after that time might be too late.
> 
Build results:
	total: 135 pass: 135 fail: 0
Qemu test results:
	total: 230 pass: 227 fail: 3
Failed tests:
	arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
	arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
	arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs

The arm tests fail due to a compile error.

drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?

Guenter

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 00/99] 3.16.84-rc1 review
  2020-05-20 21:23 ` [PATCH 3.16 00/99] 3.16.84-rc1 review Guenter Roeck
@ 2020-05-21  2:47   ` Chen-Yu Tsai
  2020-05-21  7:40     ` Guenter Roeck
  2020-05-21 20:20   ` Ben Hutchings
  1 sibling, 1 reply; 112+ messages in thread
From: Chen-Yu Tsai @ 2020-05-21  2:47 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, torvalds, Andrew Morton, Denis Kirjanov,
	Guenter Roeck

On Thu, May 21, 2020 at 5:23 AM Guenter Roeck <linux@roeck-us.net> wrote:
>
> On 5/20/20 7:13 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.84 release.
> > There are 99 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri May 22 20:00:00 UTC 2020.
> > Anything received after that time might be too late.
> >
> Build results:
>         total: 135 pass: 135 fail: 0
> Qemu test results:
>         total: 230 pass: 227 fail: 3
> Failed tests:
>         arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
>         arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
>         arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
>
> The arm tests fail due to a compile error.
>
> drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?

This looks like a result of having

      clk: tegra: Mark fuse clock as critical
         [bf83b96f87ae2abb1e535306ea53608e8de5dfbb]

In which case you probably need to add

    32b9b1096186 clk: Allow clocks to be marked as CRITICAL

to the pile.


ChenYu

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 00/99] 3.16.84-rc1 review
  2020-05-21  2:47   ` Chen-Yu Tsai
@ 2020-05-21  7:40     ` Guenter Roeck
  2020-05-21 20:22       ` Ben Hutchings
  0 siblings, 1 reply; 112+ messages in thread
From: Guenter Roeck @ 2020-05-21  7:40 UTC (permalink / raw)
  To: Chen-Yu Tsai, Ben Hutchings
  Cc: linux-kernel, stable, torvalds, Andrew Morton, Denis Kirjanov

On 5/20/20 7:47 PM, Chen-Yu Tsai wrote:
> On Thu, May 21, 2020 at 5:23 AM Guenter Roeck <linux@roeck-us.net> wrote:
>>
>> On 5/20/20 7:13 AM, Ben Hutchings wrote:
>>> This is the start of the stable review cycle for the 3.16.84 release.
>>> There are 99 patches in this series, which will be posted as responses
>>> to this one.  If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Fri May 22 20:00:00 UTC 2020.
>>> Anything received after that time might be too late.
>>>
>> Build results:
>>         total: 135 pass: 135 fail: 0
>> Qemu test results:
>>         total: 230 pass: 227 fail: 3
>> Failed tests:
>>         arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
>>         arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
>>         arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
>>
>> The arm tests fail due to a compile error.
>>
>> drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?
> 
> This looks like a result of having
> 
>       clk: tegra: Mark fuse clock as critical
>          [bf83b96f87ae2abb1e535306ea53608e8de5dfbb]
> 
> In which case you probably need to add
> 
>     32b9b1096186 clk: Allow clocks to be marked as CRITICAL
> 

Then you might also need commit ef56b79b66f ("clk: fix critical
clock locking") which fixes it.

Guenter

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path
  2020-05-20 14:14 ` [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path Ben Hutchings
@ 2020-05-21 14:09   ` Marion & Christophe JAILLET
  2020-05-21 14:31     ` Marion & Christophe JAILLET
  0 siblings, 1 reply; 112+ messages in thread
From: Marion & Christophe JAILLET @ 2020-05-21 14:09 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable
  Cc: akpm, Denis Kirjanov, YueHaibing, Bartlomiej Zolnierkiewicz,
	Lubomir Rintel

Hi,

I don't think that this one is applicable to 3.16.x

The remove function and the error handling path of the probe function 
both use 'dma_free_wc'.
I've not look in details, but it looks consistent and the patch would 
not apply as-is anyway.

just my 2c.

CJ

Le 20/05/2020 à 16:14, Ben Hutchings a écrit :
> 3.16.84-rc1 review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
>
> commit 3c911fe799d1c338d94b78e7182ad452c37af897 upstream.
>
> In the probe function, some resources are allocated using 'dma_alloc_wc()',
> they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.
>
> We already use 'dma_free_wc()' in the remove function, but not in the
> error handling path of the probe function.
>
> Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already
> PAGE_ALIGNed.
>
> Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)")
> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
> CC: YueHaibing <yuehaibing@huawei.com>
> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
> [bwh: Backported to 3.16: Use dma_free_writecombine().]
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>   drivers/video/fbdev/pxa168fb.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> --- a/drivers/video/fbdev/pxa168fb.c
> +++ b/drivers/video/fbdev/pxa168fb.c
> @@ -772,8 +772,8 @@ failed_free_cmap:
>   failed_free_clk:
>   	clk_disable(fbi->clk);
>   failed_free_fbmem:
> -	dma_free_coherent(fbi->dev, info->fix.smem_len,
> -			info->screen_base, fbi->fb_start_dma);
> +	dma_free_writecombine(fbi->dev, info->fix.smem_len,
> +			      info->screen_base, fbi->fb_start_dma);
>   failed_free_info:
>   	kfree(info);
>   failed_put_clk:
> @@ -809,7 +809,7 @@ static int pxa168fb_remove(struct platfo
>   
>   	irq = platform_get_irq(pdev, 0);
>   
> -	dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
> +	dma_free_writecombine(fbi->dev, info->fix.smem_len,
>   				info->screen_base, info->fix.smem_start);
>   
>   	clk_disable(fbi->clk);
>

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path
  2020-05-21 14:09   ` Marion & Christophe JAILLET
@ 2020-05-21 14:31     ` Marion & Christophe JAILLET
  2020-05-21 20:28       ` Ben Hutchings
  0 siblings, 1 reply; 112+ messages in thread
From: Marion & Christophe JAILLET @ 2020-05-21 14:31 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable
  Cc: akpm, Denis Kirjanov, YueHaibing, Bartlomiej Zolnierkiewicz,
	Lubomir Rintel

Hi,

sorry for the noise, I have messed up my 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ usage.
I thought I was looking at the 3.16.83 branch, but I was not.

The patch looks good to me.

CJ

Le 21/05/2020 à 16:09, Marion & Christophe JAILLET a écrit :
> Hi,
>
> I don't think that this one is applicable to 3.16.x
>
> The remove function and the error handling path of the probe function 
> both use 'dma_free_wc'.
> I've not look in details, but it looks consistent and the patch would 
> not apply as-is anyway.
>
> just my 2c.
>
> CJ
>
> Le 20/05/2020 à 16:14, Ben Hutchings a écrit :
>> 3.16.84-rc1 review patch.  If anyone has any objections, please let 
>> me know.
>>
>> ------------------
>>
>> From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
>>
>> commit 3c911fe799d1c338d94b78e7182ad452c37af897 upstream.
>>
>> In the probe function, some resources are allocated using 
>> 'dma_alloc_wc()',
>> they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.
>>
>> We already use 'dma_free_wc()' in the remove function, but not in the
>> error handling path of the probe function.
>>
>> Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already
>> PAGE_ALIGNed.
>>
>> Fixes: 638772c7553f ("fb: add support of LCD display controller on 
>> pxa168/910 (base layer)")
>> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
>> Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
>> CC: YueHaibing <yuehaibing@huawei.com>
>> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
>> Link: 
>> https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
>> [bwh: Backported to 3.16: Use dma_free_writecombine().]
>> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
>> ---
>>   drivers/video/fbdev/pxa168fb.c | 6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> --- a/drivers/video/fbdev/pxa168fb.c
>> +++ b/drivers/video/fbdev/pxa168fb.c
>> @@ -772,8 +772,8 @@ failed_free_cmap:
>>   failed_free_clk:
>>       clk_disable(fbi->clk);
>>   failed_free_fbmem:
>> -    dma_free_coherent(fbi->dev, info->fix.smem_len,
>> -            info->screen_base, fbi->fb_start_dma);
>> +    dma_free_writecombine(fbi->dev, info->fix.smem_len,
>> +                  info->screen_base, fbi->fb_start_dma);
>>   failed_free_info:
>>       kfree(info);
>>   failed_put_clk:
>> @@ -809,7 +809,7 @@ static int pxa168fb_remove(struct platfo
>>         irq = platform_get_irq(pdev, 0);
>>   -    dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
>> +    dma_free_writecombine(fbi->dev, info->fix.smem_len,
>>                   info->screen_base, info->fix.smem_start);
>>         clk_disable(fbi->clk);
>>

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 00/99] 3.16.84-rc1 review
  2020-05-20 21:23 ` [PATCH 3.16 00/99] 3.16.84-rc1 review Guenter Roeck
  2020-05-21  2:47   ` Chen-Yu Tsai
@ 2020-05-21 20:20   ` Ben Hutchings
  2020-05-21 22:37     ` Guenter Roeck
  1 sibling, 1 reply; 112+ messages in thread
From: Ben Hutchings @ 2020-05-21 20:20 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov

[-- Attachment #1: Type: text/plain, Size: 1273 bytes --]

On Wed, 2020-05-20 at 14:23 -0700, Guenter Roeck wrote:
> On 5/20/20 7:13 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.84 release.
> > There are 99 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri May 22 20:00:00 UTC 2020.
> > Anything received after that time might be too late.
> > 
> Build results:
> 	total: 135 pass: 135 fail: 0
> Qemu test results:
> 	total: 230 pass: 227 fail: 3
> Failed tests:
> 	arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
> 	arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
> 	arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
> 
> The arm tests fail due to a compile error.
> 
> drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?

I already looked at your first test results and dropped the patch that
uses CLK_IS_CRITICAL, so there's something else going wrong there...

Ben.

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 00/99] 3.16.84-rc1 review
  2020-05-21  7:40     ` Guenter Roeck
@ 2020-05-21 20:22       ` Ben Hutchings
  0 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-21 20:22 UTC (permalink / raw)
  To: Guenter Roeck, Chen-Yu Tsai
  Cc: linux-kernel, stable, torvalds, Andrew Morton, Denis Kirjanov

[-- Attachment #1: Type: text/plain, Size: 1837 bytes --]

On Thu, 2020-05-21 at 00:40 -0700, Guenter Roeck wrote:
> On 5/20/20 7:47 PM, Chen-Yu Tsai wrote:
> > On Thu, May 21, 2020 at 5:23 AM Guenter Roeck <linux@roeck-us.net> wrote:
> > > On 5/20/20 7:13 AM, Ben Hutchings wrote:
> > > > This is the start of the stable review cycle for the 3.16.84 release.
> > > > There are 99 patches in this series, which will be posted as responses
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > > 
> > > > Responses should be made by Fri May 22 20:00:00 UTC 2020.
> > > > Anything received after that time might be too late.
> > > > 
> > > Build results:
> > >         total: 135 pass: 135 fail: 0
> > > Qemu test results:
> > >         total: 230 pass: 227 fail: 3
> > > Failed tests:
> > >         arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
> > >         arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
> > >         arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
> > > 
> > > The arm tests fail due to a compile error.
> > > 
> > > drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?
> > 
> > This looks like a result of having
> > 
> >       clk: tegra: Mark fuse clock as critical
> >          [bf83b96f87ae2abb1e535306ea53608e8de5dfbb]
> > 
> > In which case you probably need to add
> > 
> >     32b9b1096186 clk: Allow clocks to be marked as CRITICAL
> > 
> 
> Then you might also need commit ef56b79b66f ("clk: fix critical
> clock locking") which fixes it.

At this stage I don't think it makes sense to add the feature to 3.16.

Ben.

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path
  2020-05-21 14:31     ` Marion & Christophe JAILLET
@ 2020-05-21 20:28       ` Ben Hutchings
  0 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-21 20:28 UTC (permalink / raw)
  To: Marion & Christophe JAILLET, linux-kernel, stable
  Cc: akpm, Denis Kirjanov, YueHaibing, Bartlomiej Zolnierkiewicz,
	Lubomir Rintel

[-- Attachment #1: Type: text/plain, Size: 3235 bytes --]

On Thu, 2020-05-21 at 16:31 +0200, Marion & Christophe JAILLET wrote:
> Hi,
> 
> sorry for the noise, I have messed up my 
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ usage.
> I thought I was looking at the 3.16.83 branch, but I was not.
> 
> The patch looks good to me.

Thanks for reviewing,

Ben.

> CJ
> 
> Le 21/05/2020 à 16:09, Marion & Christophe JAILLET a écrit :
> > Hi,
> > 
> > I don't think that this one is applicable to 3.16.x
> > 
> > The remove function and the error handling path of the probe function 
> > both use 'dma_free_wc'.
> > I've not look in details, but it looks consistent and the patch would 
> > not apply as-is anyway.
> > 
> > just my 2c.
> > 
> > CJ
> > 
> > Le 20/05/2020 à 16:14, Ben Hutchings a écrit :
> > > 3.16.84-rc1 review patch.  If anyone has any objections, please let 
> > > me know.
> > > 
> > > ------------------
> > > 
> > > From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> > > 
> > > commit 3c911fe799d1c338d94b78e7182ad452c37af897 upstream.
> > > 
> > > In the probe function, some resources are allocated using 
> > > 'dma_alloc_wc()',
> > > they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.
> > > 
> > > We already use 'dma_free_wc()' in the remove function, but not in the
> > > error handling path of the probe function.
> > > 
> > > Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already
> > > PAGE_ALIGNed.
> > > 
> > > Fixes: 638772c7553f ("fb: add support of LCD display controller on 
> > > pxa168/910 (base layer)")
> > > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> > > Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
> > > CC: YueHaibing <yuehaibing@huawei.com>
> > > Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> > > Link: 
> > > https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
> > > [bwh: Backported to 3.16: Use dma_free_writecombine().]
> > > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > > ---
> > >   drivers/video/fbdev/pxa168fb.c | 6 +++---
> > >   1 file changed, 3 insertions(+), 3 deletions(-)
> > > 
> > > --- a/drivers/video/fbdev/pxa168fb.c
> > > +++ b/drivers/video/fbdev/pxa168fb.c
> > > @@ -772,8 +772,8 @@ failed_free_cmap:
> > >   failed_free_clk:
> > >       clk_disable(fbi->clk);
> > >   failed_free_fbmem:
> > > -    dma_free_coherent(fbi->dev, info->fix.smem_len,
> > > -            info->screen_base, fbi->fb_start_dma);
> > > +    dma_free_writecombine(fbi->dev, info->fix.smem_len,
> > > +                  info->screen_base, fbi->fb_start_dma);
> > >   failed_free_info:
> > >       kfree(info);
> > >   failed_put_clk:
> > > @@ -809,7 +809,7 @@ static int pxa168fb_remove(struct platfo
> > >         irq = platform_get_irq(pdev, 0);
> > >   -    dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
> > > +    dma_free_writecombine(fbi->dev, info->fix.smem_len,
> > >                   info->screen_base, info->fix.smem_start);
> > >         clk_disable(fbi->clk);
> > > 
-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 00/99] 3.16.84-rc1 review
  2020-05-21 20:20   ` Ben Hutchings
@ 2020-05-21 22:37     ` Guenter Roeck
  2020-05-22  0:00       ` Ben Hutchings
  0 siblings, 1 reply; 112+ messages in thread
From: Guenter Roeck @ 2020-05-21 22:37 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov


[-- Attachment #1.1: Type: text/plain, Size: 1497 bytes --]

On 5/21/20 1:20 PM, Ben Hutchings wrote:
> On Wed, 2020-05-20 at 14:23 -0700, Guenter Roeck wrote:
>> On 5/20/20 7:13 AM, Ben Hutchings wrote:
>>> This is the start of the stable review cycle for the 3.16.84 release.
>>> There are 99 patches in this series, which will be posted as responses
>>> to this one.  If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Fri May 22 20:00:00 UTC 2020.
>>> Anything received after that time might be too late.
>>>
>> Build results:
>> 	total: 135 pass: 135 fail: 0
>> Qemu test results:
>> 	total: 230 pass: 227 fail: 3
>> Failed tests:
>> 	arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
>> 	arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
>> 	arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
>>
>> The arm tests fail due to a compile error.
>>
>> drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?
> 
> I already looked at your first test results and dropped the patch that
> uses CLK_IS_CRITICAL, so there's something else going wrong there...
> 

Ah yes. Sorry, I didn't notice that there was a rebuild.

Images are fine; the three failing tests should not have been
tested in the first place (they never did, but I didn't update
the blacklist when I increased the qemu memory size to 512MB).

Guenter


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 112+ messages in thread

* Re: [PATCH 3.16 00/99] 3.16.84-rc1 review
  2020-05-21 22:37     ` Guenter Roeck
@ 2020-05-22  0:00       ` Ben Hutchings
  0 siblings, 0 replies; 112+ messages in thread
From: Ben Hutchings @ 2020-05-22  0:00 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov

[-- Attachment #1: Type: text/plain, Size: 1758 bytes --]

On Thu, 2020-05-21 at 15:37 -0700, Guenter Roeck wrote:
> On 5/21/20 1:20 PM, Ben Hutchings wrote:
> > On Wed, 2020-05-20 at 14:23 -0700, Guenter Roeck wrote:
> > > On 5/20/20 7:13 AM, Ben Hutchings wrote:
> > > > This is the start of the stable review cycle for the 3.16.84 release.
> > > > There are 99 patches in this series, which will be posted as responses
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > > 
> > > > Responses should be made by Fri May 22 20:00:00 UTC 2020.
> > > > Anything received after that time might be too late.
> > > > 
> > > Build results:
> > > 	total: 135 pass: 135 fail: 0
> > > Qemu test results:
> > > 	total: 230 pass: 227 fail: 3
> > > Failed tests:
> > > 	arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
> > > 	arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
> > > 	arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
> > > 
> > > The arm tests fail due to a compile error.
> > > 
> > > drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?
> > 
> > I already looked at your first test results and dropped the patch that
> > uses CLK_IS_CRITICAL, so there's something else going wrong there...
> > 
> 
> Ah yes. Sorry, I didn't notice that there was a rebuild.
> 
> Images are fine; the three failing tests should not have been
> tested in the first place (they never did, but I didn't update
> the blacklist when I increased the qemu memory size to 512MB).

OK, thanks for checking.

Ben.

-- 
Ben Hutchings
Logic doesn't apply to the real world. - Marvin Minsky



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 112+ messages in thread

end of thread, other threads:[~2020-05-22  0:00 UTC | newest]

Thread overview: 112+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-20 14:13 [PATCH 3.16 00/99] 3.16.84-rc1 review Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 01/99] fs/namespace.c: fix mountpoint reference counter race Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 02/99] propagate_one(): mnt_set_mountpoint() needs mount_lock Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 03/99] spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 04/99] padata: Remove unused but set variables Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 05/99] padata: avoid race in reordering Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 06/99] padata: get_next is never NULL Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 07/99] padata: ensure the reorder timer callback runs on the correct CPU Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 08/99] padata: ensure padata_do_serial() " Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 09/99] padata: Replace delayed timer with immediate workqueue in padata_reorder Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 10/99] padata: initialize pd->cpu with effective cpumask Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 11/99] padata: Remove broken queue flushing Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 12/99] padata: purge get_cpu and reorder_via_wq from padata_do_serial Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 13/99] crypto: pcrypt - Fix user-after-free on module unload Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 14/99] crypto: pcrypt - Do not clear MAY_SLEEP flag in original request Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 15/99] padata: always acquire cpu_hotplug_lock before pinst->lock Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 16/99] crypto: af_alg - Use bh_lock_sock in sk_destruct Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 17/99] crypto: api - Check spawn->alg under lock in crypto_drop_spawn Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 18/99] crypto: api - Fix race condition in crypto_spawn_alg Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 19/99] mmc: spi: Toggle SPI polarity, do not hardcode it Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 20/99] reiserfs: Fix memory leak of journal device string Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 21/99] reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 22/99] ath9k: fix storage endpoint lookup Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 23/99] rsi: fix use-after-free on failed probe and unbind Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 24/99] brcmfmac: Fix use after free in brcmf_sdio_readframes() Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 25/99] brcmfmac: abort and release host after error Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 26/99] brcmfmac: fix interface sanity check Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 27/99] orinoco_usb: " Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 28/99] rsi_91x_usb: " Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 29/99] zd1211rw: fix storage endpoint lookup Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 30/99] brcmfmac: Fix memory leak in brcmf_usbdev_qinit Ben Hutchings
2020-05-20 14:13 ` [PATCH 3.16 31/99] crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 32/99] scsi: qla2xxx: Fix mtcp dump collection failure Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 33/99] rtc: hym8563: Return -EINVAL if the time is known to be invalid Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 34/99] gianfar: Fix TX timestamping with a stacked DSA driver Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path Ben Hutchings
2020-05-21 14:09   ` Marion & Christophe JAILLET
2020-05-21 14:31     ` Marion & Christophe JAILLET
2020-05-21 20:28       ` Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 36/99] ALSA: sh: Fix compile warning wrt const Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 37/99] clk: tegra: Mark fuse clock as critical Ben Hutchings
2020-05-20 15:51   ` Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 38/99] ARM: tegra: Enable PLLP bypass during Tegra124 LP1 Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 39/99] media: iguanair: add sanity checks Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 40/99] media: iguanair: fix endpoint sanity check Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 41/99] ARM: dts: at91: sama5d3: fix maximum peripheral clock rates Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 42/99] ARM: dts: at91: sama5d3: define clock rate range for tcb1 Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 43/99] efi: Use early_mem*() instead of early_io*() Ben Hutchings
2020-05-20 15:53   ` Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 44/99] efi/x86: Map the entire EFI vendor string before copying it Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 45/99] PCI: Don't disable bridge BARs when assigning bus resources Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 46/99] power: supply: sbs-battery: Fix a signedness bug in sbs_get_battery_capacity() Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 47/99] dm space map common: fix to ensure new block isn't already in use Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 48/99] usb: dwc3: turn off VBUS when leaving host mode Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 49/99] usb: gadget: f_ncm: Use atomic_t to track in-flight request Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 50/99] usb: gadget: f_ecm: " Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 51/99] staging: wlan-ng: ensure error return is actually returned Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 52/99] nfs: NFS_SWAP should depend on SWAP Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 53/99] ubifs: Fix deadlock in concurrent bulk-read and writepage Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 54/99] x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 55/99] jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 56/99] KVM: arm64: Only sign-extend MMIO up to register width Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 57/99] sparc32: fix struct ipc64_perm type definition Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 58/99] KVM: x86: Don't let userspace set host-reserved cr4 bits Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 59/99] KVM: nVMX: vmread should not set rflags to specify success in case of #PF Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 60/99] x86: kvm: avoid unused variable warning Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 61/99] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 62/99] USB: serial: ir-usb: add missing endpoint sanity check Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 63/99] USB: serial: ir-usb: fix link-speed handling Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 64/99] USB: serial: ir-usb: fix IrLAP framing Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 65/99] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 66/99] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 67/99] KVM: PPC: Book3S PR: Free shared page if mmu initialization fails Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 68/99] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 69/99] tracing: Fix very unlikely race of registering two stat tracers Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 70/99] tracing: Fix tracing_stat return values in error handling paths Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 71/99] jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 72/99] ext4, jbd2: ensure panic when aborting with zero errno Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 73/99] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 74/99] CIFS: Fix task struct use-after-free on reconnect Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 75/99] net_sched: ematch: reject invalid TCF_EM_SIMPLE Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 76/99] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 77/99] KVM: x86: Refactor picdev_write() to prevent " Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 78/99] KVM: x86: Protect ioapic_read_indirect() from " Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 79/99] KVM: x86: Protect ioapic_write_indirect() " Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 80/99] KVM: x86: Protect kvm_lapic_reg_write() " Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 81/99] kvm: x86: use macros to compute bank MSRs Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 82/99] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 83/99] KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 84/99] KVM: Check for a bad hva before dropping into the ghc slow path Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 85/99] of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 86/99] Btrfs: fix race between adding and putting tree mod seq elements and nodes Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 87/99] mm/mempolicy.c: fix out of bounds write in mpol_parse_str() Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 88/99] media/v4l2-core: set pages dirty upon releasing DMA buffers Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 89/99] tcp: clear tp->total_retrans in tcp_disconnect() Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 90/99] ALSA: dummy: Fix PCM format loop in proc output Ben Hutchings
2020-05-20 14:14 ` [PATCH 3.16 91/99] clocksource: Prevent double add_timer_on() for watchdog_timer Ben Hutchings
2020-05-20 14:15 ` [PATCH 3.16 92/99] cls_rsvp: fix rsvp_policy Ben Hutchings
2020-05-20 14:15 ` [PATCH 3.16 93/99] kconfig: fix broken dependency in randconfig-generated .config Ben Hutchings
2020-05-20 14:15 ` [PATCH 3.16 94/99] nfs: use kmap/kunmap directly Ben Hutchings
2020-05-20 14:15 ` [PATCH 3.16 95/99] NFS: Fix memory leaks and corruption in readdir Ben Hutchings
2020-05-20 14:15 ` [PATCH 3.16 96/99] NFS: Directory page cache pages need to be locked when read Ben Hutchings
2020-05-20 14:15 ` [PATCH 3.16 97/99] cifs: fail i/o on soft mounts if sessionsetup errors out Ben Hutchings
2020-05-20 14:15 ` [PATCH 3.16 98/99] bonding/alb: properly access headers in bond_alb_xmit() Ben Hutchings
2020-05-20 14:15 ` [PATCH 3.16 99/99] sunrpc: expiry_time should be seconds not timeval Ben Hutchings
2020-05-20 21:23 ` [PATCH 3.16 00/99] 3.16.84-rc1 review Guenter Roeck
2020-05-21  2:47   ` Chen-Yu Tsai
2020-05-21  7:40     ` Guenter Roeck
2020-05-21 20:22       ` Ben Hutchings
2020-05-21 20:20   ` Ben Hutchings
2020-05-21 22:37     ` Guenter Roeck
2020-05-22  0:00       ` Ben Hutchings

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).