Stable Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro
@ 2019-08-14  2:14 Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 02/68] iio: cros_ec_accel_legacy: Fix incorrect channel setting Sasha Levin
                   ` (66 more replies)
  0 siblings, 67 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Joe Perches, Stable, Jonathan Cameron, Sasha Levin, linux-iio

From: Joe Perches <joe@perches.com>

[ Upstream commit ae8cc91a7d85e018c0c267f580820b2bb558cd48 ]

Arguments are supposed to be ordered high then low.

Signed-off-by: Joe Perches <joe@perches.com>
Fixes: 69780a3bbc0b ("iio: adc: Add Maxim max9611 ADC driver")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/adc/max9611.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c
index 0538ff8c4ac1d..ce9af43fa2de7 100644
--- a/drivers/iio/adc/max9611.c
+++ b/drivers/iio/adc/max9611.c
@@ -86,7 +86,7 @@
 #define MAX9611_TEMP_MAX_POS		0x7f80
 #define MAX9611_TEMP_MAX_NEG		0xff80
 #define MAX9611_TEMP_MIN_NEG		0xd980
-#define MAX9611_TEMP_MASK		GENMASK(7, 15)
+#define MAX9611_TEMP_MASK		GENMASK(15, 7)
 #define MAX9611_TEMP_SHIFT		0x07
 #define MAX9611_TEMP_RAW(_r)		((_r) >> MAX9611_TEMP_SHIFT)
 #define MAX9611_TEMP_SCALE_NUM		1000000
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 02/68] iio: cros_ec_accel_legacy: Fix incorrect channel setting
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 03/68] HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT Sasha Levin
                   ` (65 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Gwendal Grignou, Stable, Jonathan Cameron, Sasha Levin, linux-iio

From: Gwendal Grignou <gwendal@chromium.org>

[ Upstream commit 6cdff99c9f7d7d28b87cf05dd464f7c7736332ae ]

INFO_SCALE is set both for each channel and all channels.
iio is using all channel setting, so the error was not user visible.

Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/accel/cros_ec_accel_legacy.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/iio/accel/cros_ec_accel_legacy.c b/drivers/iio/accel/cros_ec_accel_legacy.c
index 063e89eff791a..c776a3509a717 100644
--- a/drivers/iio/accel/cros_ec_accel_legacy.c
+++ b/drivers/iio/accel/cros_ec_accel_legacy.c
@@ -328,7 +328,6 @@ static const struct iio_chan_spec_ext_info cros_ec_accel_legacy_ext_info[] = {
 		.modified = 1,					        \
 		.info_mask_separate =					\
 			BIT(IIO_CHAN_INFO_RAW) |			\
-			BIT(IIO_CHAN_INFO_SCALE) |			\
 			BIT(IIO_CHAN_INFO_CALIBBIAS),			\
 		.info_mask_shared_by_all = BIT(IIO_CHAN_INFO_SCALE),	\
 		.ext_info = cros_ec_accel_legacy_ext_info,		\
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 03/68] HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 02/68] iio: cros_ec_accel_legacy: Fix incorrect channel setting Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 04/68] MIPS: kernel: only use i8253 clocksource with periodic clockevent Sasha Levin
                   ` (64 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ilya Trukhanov, Jiri Kosina, Sasha Levin, linux-input

From: Ilya Trukhanov <lahvuun@gmail.com>

[ Upstream commit 65f11c72780fa9d598df88def045ccb6a885cf80 ]

Enable force feedback for the Thrustmaster Dual Trigger 2 in 1 Rumble Force
gamepad. Compared to other Thrustmaster devices, left and right rumble
motors here are swapped.

Signed-off-by: Ilya Trukhanov <lahvuun@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-tmff.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/hid/hid-tmff.c b/drivers/hid/hid-tmff.c
index bea8def64f437..30b8c3256c991 100644
--- a/drivers/hid/hid-tmff.c
+++ b/drivers/hid/hid-tmff.c
@@ -34,6 +34,8 @@
 
 #include "hid-ids.h"
 
+#define THRUSTMASTER_DEVICE_ID_2_IN_1_DT	0xb320
+
 static const signed short ff_rumble[] = {
 	FF_RUMBLE,
 	-1
@@ -88,6 +90,7 @@ static int tmff_play(struct input_dev *dev, void *data,
 	struct hid_field *ff_field = tmff->ff_field;
 	int x, y;
 	int left, right;	/* Rumbling */
+	int motor_swap;
 
 	switch (effect->type) {
 	case FF_CONSTANT:
@@ -112,6 +115,13 @@ static int tmff_play(struct input_dev *dev, void *data,
 					ff_field->logical_minimum,
 					ff_field->logical_maximum);
 
+		/* 2-in-1 strong motor is left */
+		if (hid->product == THRUSTMASTER_DEVICE_ID_2_IN_1_DT) {
+			motor_swap = left;
+			left = right;
+			right = motor_swap;
+		}
+
 		dbg_hid("(left,right)=(%08x, %08x)\n", left, right);
 		ff_field->value[0] = left;
 		ff_field->value[1] = right;
@@ -238,6 +248,8 @@ static const struct hid_device_id tm_devices[] = {
 		.driver_data = (unsigned long)ff_rumble },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304),   /* FireStorm Dual Power 2 (and 3) */
 		.driver_data = (unsigned long)ff_rumble },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, THRUSTMASTER_DEVICE_ID_2_IN_1_DT),   /* Dual Trigger 2-in-1 */
+		.driver_data = (unsigned long)ff_rumble },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb323),   /* Dual Trigger 3-in-1 (PC Mode) */
 		.driver_data = (unsigned long)ff_rumble },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb324),   /* Dual Trigger 3-in-1 (PS3 Mode) */
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 04/68] MIPS: kernel: only use i8253 clocksource with periodic clockevent
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 02/68] iio: cros_ec_accel_legacy: Fix incorrect channel setting Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 03/68] HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 05/68] mips: fix cacheinfo Sasha Levin
                   ` (63 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Thomas Bogendoerfer, Paul Burton, Ralf Baechle, James Hogan,
	linux-mips, Sasha Levin

From: Thomas Bogendoerfer <tbogendoerfer@suse.de>

[ Upstream commit a07e3324538a989b7cdbf2c679be6a7f9df2544f ]

i8253 clocksource needs a free running timer. This could only
be used, if i8253 clockevent is set up as periodic.

Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/kernel/i8253.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/mips/kernel/i8253.c b/arch/mips/kernel/i8253.c
index 5f209f111e59e..df7ddd246eaac 100644
--- a/arch/mips/kernel/i8253.c
+++ b/arch/mips/kernel/i8253.c
@@ -32,7 +32,8 @@ void __init setup_pit_timer(void)
 
 static int __init init_pit_clocksource(void)
 {
-	if (num_possible_cpus() > 1) /* PIT does not scale! */
+	if (num_possible_cpus() > 1 || /* PIT does not scale! */
+	    !clockevent_state_periodic(&i8253_clockevent))
 		return 0;
 
 	return clocksource_i8253_init();
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 05/68] mips: fix cacheinfo
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (2 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 04/68] MIPS: kernel: only use i8253 clocksource with periodic clockevent Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 06/68] netfilter: ebtables: fix a memory leak bug in compat Sasha Levin
                   ` (62 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Vladimir Kondratiev, Paul Burton, Ralf Baechle, James Hogan,
	linux-mips, Sasha Levin

From: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>

[ Upstream commit b8bea8a5e5d942e62203416ab41edecaed4fda02 ]

Because CONFIG_OF defined for MIPS, cacheinfo attempts to fill information
from DT, ignoring data filled by architecture routine. This leads to error
reported

 cacheinfo: Unable to detect cache hierarchy for CPU 0

Way to fix this provided in
commit fac51482577d ("drivers: base: cacheinfo: fix x86 with
 CONFIG_OF enabled")

Utilize same mechanism to report that cacheinfo set by architecture
specific function

Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/kernel/cacheinfo.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/mips/kernel/cacheinfo.c b/arch/mips/kernel/cacheinfo.c
index 97d5239ca47ba..428ef21892039 100644
--- a/arch/mips/kernel/cacheinfo.c
+++ b/arch/mips/kernel/cacheinfo.c
@@ -80,6 +80,8 @@ static int __populate_cache_leaves(unsigned int cpu)
 	if (c->tcache.waysize)
 		populate_cache(tcache, this_leaf, 3, CACHE_TYPE_UNIFIED);
 
+	this_cpu_ci->cpu_map_populated = true;
+
 	return 0;
 }
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 06/68] netfilter: ebtables: fix a memory leak bug in compat
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (3 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 05/68] mips: fix cacheinfo Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 07/68] ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks Sasha Levin
                   ` (61 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Wenwen Wang, Florian Westphal, Pablo Neira Ayuso, Sasha Levin,
	netfilter-devel, coreteam, netdev

From: Wenwen Wang <wenwen@cs.uga.edu>

[ Upstream commit 15a78ba1844a8e052c1226f930133de4cef4e7ad ]

In compat_do_replace(), a temporary buffer is allocated through vmalloc()
to hold entries copied from the user space. The buffer address is firstly
saved to 'newinfo->entries', and later on assigned to 'entries_tmp'. Then
the entries in this temporary buffer is copied to the internal kernel
structure through compat_copy_entries(). If this copy process fails,
compat_do_replace() should be terminated. However, the allocated temporary
buffer is not freed on this path, leading to a memory leak.

To fix the bug, free the buffer before returning from compat_do_replace().

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebtables.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 0bb4d712b80cb..57856f8bc22dd 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2268,8 +2268,10 @@ static int compat_do_replace(struct net *net, void __user *user,
 	state.buf_kern_len = size64;
 
 	ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
-	if (WARN_ON(ret < 0))
+	if (WARN_ON(ret < 0)) {
+		vfree(entries_tmp);
 		goto out_unlock;
+	}
 
 	vfree(entries_tmp);
 	tmp.entries_size = size64;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 07/68] ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (4 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 06/68] netfilter: ebtables: fix a memory leak bug in compat Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 08/68] selftests/bpf: fix sendmsg6_prog on s390 Sasha Levin
                   ` (60 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Charles Keepax, Mark Brown, Sasha Levin

From: Charles Keepax <ckeepax@opensource.cirrus.com>

[ Upstream commit 8dd26dff00c0636b1d8621acaeef3f6f3a39dd77 ]

DPCM uses snd_soc_dapm_dai_get_connected_widgets to build a
list of the widgets connected to a specific front end DAI so it
can search through this list for available back end DAIs. The
custom_stop_condition was added to is_connected_ep to facilitate this
list not containing more widgets than is necessary. Doing so both
speeds up the DPCM handling as less widgets need to be searched and
avoids issues with CODEC to CODEC links as these would be confused
with back end DAIs if they appeared in the list of available widgets.

custom_stop_condition was implemented by aborting the graph walk
when the condition is triggered, however there is an issue with this
approach. Whilst walking the graph is_connected_ep should update the
endpoints cache on each widget, if the walk is aborted the number
of attached end points is unknown for that sub-graph. When the stop
condition triggered, the original patch ignored the triggering widget
and returned zero connected end points; a later patch updated this
to set the triggering widget's cache to 1 and return that. Both of
these approaches result in inaccurate values being stored in various
end point caches as the values propagate back through the graph,
which can result in later issues with widgets powering/not powering
unexpectedly.

As the original goal was to reduce the size of the widget list passed
to the DPCM code, the simplest solution is to limit the functionality
of the custom_stop_condition to the widget list. This means the rest
of the graph will still be processed resulting in correct end point
caches, but only widgets up to the stop condition will be added to the
returned widget list.

Fixes: 6742064aef7f ("ASoC: dapm: support user-defined stop condition in dai_get_connected_widgets")
Fixes: 5fdd022c2026 ("ASoC: dpcm: play nice with CODEC<->CODEC links")
Fixes: 09464974eaa8 ("ASoC: dapm: Fix to return correct path list in is_connected_ep.")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20190718084333.15598-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/soc-dapm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 3bfc788372f31..4ce57510b6236 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -1145,8 +1145,8 @@ static __always_inline int is_connected_ep(struct snd_soc_dapm_widget *widget,
 		list_add_tail(&widget->work_list, list);
 
 	if (custom_stop_condition && custom_stop_condition(widget, dir)) {
-		widget->endpoints[dir] = 1;
-		return widget->endpoints[dir];
+		list = NULL;
+		custom_stop_condition = NULL;
 	}
 
 	if ((widget->is_ep & SND_SOC_DAPM_DIR_TO_EP(dir)) && widget->connected) {
@@ -1183,8 +1183,8 @@ static __always_inline int is_connected_ep(struct snd_soc_dapm_widget *widget,
  *
  * Optionally, can be supplied with a function acting as a stopping condition.
  * This function takes the dapm widget currently being examined and the walk
- * direction as an arguments, it should return true if the walk should be
- * stopped and false otherwise.
+ * direction as an arguments, it should return true if widgets from that point
+ * in the graph onwards should not be added to the widget list.
  */
 static int is_connected_output_ep(struct snd_soc_dapm_widget *widget,
 	struct list_head *list,
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 08/68] selftests/bpf: fix sendmsg6_prog on s390
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (5 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 07/68] ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 09/68] bonding: Force slave speed check after link state recovery for 802.3ad Sasha Levin
                   ` (59 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ilya Leoshkevich, Andrey Ignatov, Daniel Borkmann, Sasha Levin,
	linux-kselftest, netdev, bpf

From: Ilya Leoshkevich <iii@linux.ibm.com>

[ Upstream commit c8eee4135a456bc031d67cadc454e76880d1afd8 ]

"sendmsg6: rewrite IP & port (C)" fails on s390, because the code in
sendmsg_v6_prog() assumes that (ctx->user_ip6[0] & 0xFFFF) refers to
leading IPv6 address digits, which is not the case on big-endian
machines.

Since checking bitwise operations doesn't seem to be the point of the
test, replace two short comparisons with a single int comparison.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Acked-by: Andrey Ignatov <rdna@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/sendmsg6_prog.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tools/testing/selftests/bpf/sendmsg6_prog.c b/tools/testing/selftests/bpf/sendmsg6_prog.c
index 5aeaa284fc474..a680628204108 100644
--- a/tools/testing/selftests/bpf/sendmsg6_prog.c
+++ b/tools/testing/selftests/bpf/sendmsg6_prog.c
@@ -41,8 +41,7 @@ int sendmsg_v6_prog(struct bpf_sock_addr *ctx)
 	}
 
 	/* Rewrite destination. */
-	if ((ctx->user_ip6[0] & 0xFFFF) == bpf_htons(0xFACE) &&
-	     ctx->user_ip6[0] >> 16 == bpf_htons(0xB00C)) {
+	if (ctx->user_ip6[0] == bpf_htonl(0xFACEB00C)) {
 		ctx->user_ip6[0] = bpf_htonl(DST_REWRITE_IP6_0);
 		ctx->user_ip6[1] = bpf_htonl(DST_REWRITE_IP6_1);
 		ctx->user_ip6[2] = bpf_htonl(DST_REWRITE_IP6_2);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 09/68] bonding: Force slave speed check after link state recovery for 802.3ad
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (6 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 08/68] selftests/bpf: fix sendmsg6_prog on s390 Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 10/68] net: mvpp2: Don't check for 3 consecutive Idle frames for 10G links Sasha Levin
                   ` (58 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Thomas Falcon, Jarod Wilson, Jay Vosburgh, Veaceslav Falico,
	Andy Gospodarek, David S . Miller, Sasha Levin, netdev

From: Thomas Falcon <tlfalcon@linux.ibm.com>

[ Upstream commit 12185dfe44360f814ac4ead9d22ad2af7511b2e9 ]

The following scenario was encountered during testing of logical
partition mobility on pseries partitions with bonded ibmvnic
adapters in LACP mode.

1. Driver receives a signal that the device has been
   swapped, and it needs to reset to initialize the new
   device.

2. Driver reports loss of carrier and begins initialization.

3. Bonding driver receives NETDEV_CHANGE notifier and checks
   the slave's current speed and duplex settings. Because these
   are unknown at the time, the bond sets its link state to
   BOND_LINK_FAIL and handles the speed update, clearing
   AD_PORT_LACP_ENABLE.

4. Driver finishes recovery and reports that the carrier is on.

5. Bond receives a new notification and checks the speed again.
   The speeds are valid but miimon has not altered the link
   state yet.  AD_PORT_LACP_ENABLE remains off.

Because the slave's link state is still BOND_LINK_FAIL,
no further port checks are made when it recovers. Though
the slave devices are operational and have valid speed
and duplex settings, the bond will not send LACPDU's. The
simplest fix I can see is to force another speed check
in bond_miimon_commit. This way the bond will update
AD_PORT_LACP_ENABLE if needed when transitioning from
BOND_LINK_FAIL to BOND_LINK_UP.

CC: Jarod Wilson <jarod@redhat.com>
CC: Jay Vosburgh <j.vosburgh@gmail.com>
CC: Veaceslav Falico <vfalico@gmail.com>
CC: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/bonding/bond_main.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index be0b785becd09..ff27f29b6fe76 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2188,6 +2188,15 @@ static void bond_miimon_commit(struct bonding *bond)
 	bond_for_each_slave(bond, slave, iter) {
 		switch (slave->new_link) {
 		case BOND_LINK_NOCHANGE:
+			/* For 802.3ad mode, check current slave speed and
+			 * duplex again in case its port was disabled after
+			 * invalid speed/duplex reporting but recovered before
+			 * link monitoring could make a decision on the actual
+			 * link status
+			 */
+			if (BOND_MODE(bond) == BOND_MODE_8023AD &&
+			    slave->link == BOND_LINK_UP)
+				bond_3ad_adapter_speed_duplex_changed(slave);
 			continue;
 
 		case BOND_LINK_UP:
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 10/68] net: mvpp2: Don't check for 3 consecutive Idle frames for 10G links
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (7 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 09/68] bonding: Force slave speed check after link state recovery for 802.3ad Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 11/68] selftests: forwarding: gre_multipath: Enable IPv4 forwarding Sasha Levin
                   ` (57 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Maxime Chevallier, David S . Miller, Sasha Levin, netdev

From: Maxime Chevallier <maxime.chevallier@bootlin.com>

[ Upstream commit bba18318e7d1d5c8b0bbafd65010a0cee3c65608 ]

PPv2's XLGMAC can wait for 3 idle frames before triggering a link up
event. This can cause the link to be stuck low when there's traffic on
the interface, so disable this feature.

Fixes: 4bb043262878 ("net: mvpp2: phylink support")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 6455511457ca3..9b608d23ff7ee 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -4412,9 +4412,9 @@ static void mvpp2_xlg_config(struct mvpp2_port *port, unsigned int mode,
 	if (state->pause & MLO_PAUSE_RX)
 		ctrl0 |= MVPP22_XLG_CTRL0_RX_FLOW_CTRL_EN;
 
-	ctrl4 &= ~MVPP22_XLG_CTRL4_MACMODSELECT_GMAC;
-	ctrl4 |= MVPP22_XLG_CTRL4_FWD_FC | MVPP22_XLG_CTRL4_FWD_PFC |
-		 MVPP22_XLG_CTRL4_EN_IDLE_CHECK;
+	ctrl4 &= ~(MVPP22_XLG_CTRL4_MACMODSELECT_GMAC |
+		   MVPP22_XLG_CTRL4_EN_IDLE_CHECK);
+	ctrl4 |= MVPP22_XLG_CTRL4_FWD_FC | MVPP22_XLG_CTRL4_FWD_PFC;
 
 	writel(ctrl0, port->base + MVPP22_XLG_CTRL0_REG);
 	writel(ctrl4, port->base + MVPP22_XLG_CTRL4_REG);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 11/68] selftests: forwarding: gre_multipath: Enable IPv4 forwarding
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (8 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 10/68] net: mvpp2: Don't check for 3 consecutive Idle frames for 10G links Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 12/68] selftests: forwarding: gre_multipath: Fix flower filters Sasha Levin
                   ` (56 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ido Schimmel, Stephen Suryaputra, David S . Miller, Sasha Levin,
	netdev, linux-kselftest

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit efa7b79f675da0efafe3f32ba0d6efe916cf4867 ]

The test did not enable IPv4 forwarding during its setup phase, which
causes the test to fail on machines where IPv4 forwarding is disabled.

Fixes: 54818c4c4b93 ("selftests: forwarding: Test multipath tunneling")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Tested-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/forwarding/gre_multipath.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/testing/selftests/net/forwarding/gre_multipath.sh b/tools/testing/selftests/net/forwarding/gre_multipath.sh
index cca2baa03fb81..37d7297e1cf8a 100755
--- a/tools/testing/selftests/net/forwarding/gre_multipath.sh
+++ b/tools/testing/selftests/net/forwarding/gre_multipath.sh
@@ -187,12 +187,16 @@ setup_prepare()
 	sw1_create
 	sw2_create
 	h2_create
+
+	forwarding_enable
 }
 
 cleanup()
 {
 	pre_cleanup
 
+	forwarding_restore
+
 	h2_destroy
 	sw2_destroy
 	sw1_destroy
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 12/68] selftests: forwarding: gre_multipath: Fix flower filters
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (9 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 11/68] selftests: forwarding: gre_multipath: Enable IPv4 forwarding Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 13/68] can: dev: call netif_carrier_off() in register_candev() Sasha Levin
                   ` (55 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ido Schimmel, Stephen Suryaputra, David S . Miller, Sasha Levin,
	netdev, linux-kselftest

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit 1be79d89b7ae96e004911bd228ce8c2b5cc6415f ]

The TC filters used in the test do not work with veth devices because the
outer Ethertype is 802.1Q and not IPv4. The test passes with mlxsw
netdevs since the hardware always looks at "The first Ethertype that
does not point to either: VLAN, CNTAG or configurable Ethertype".

Fix this by matching on the VLAN ID instead, but on the ingress side.
The reason why this is not performed at egress is explained in the
commit cited below.

Fixes: 541ad323db3a ("selftests: forwarding: gre_multipath: Update next-hop statistics match criteria")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Tested-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/net/forwarding/gre_multipath.sh | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/tools/testing/selftests/net/forwarding/gre_multipath.sh b/tools/testing/selftests/net/forwarding/gre_multipath.sh
index 37d7297e1cf8a..a8d8e8b3dc819 100755
--- a/tools/testing/selftests/net/forwarding/gre_multipath.sh
+++ b/tools/testing/selftests/net/forwarding/gre_multipath.sh
@@ -93,18 +93,10 @@ sw1_create()
 	ip route add vrf v$ol1 192.0.2.16/28 \
 	   nexthop dev g1a \
 	   nexthop dev g1b
-
-	tc qdisc add dev $ul1 clsact
-	tc filter add dev $ul1 egress pref 111 prot ipv4 \
-	   flower dst_ip 192.0.2.66 action pass
-	tc filter add dev $ul1 egress pref 222 prot ipv4 \
-	   flower dst_ip 192.0.2.82 action pass
 }
 
 sw1_destroy()
 {
-	tc qdisc del dev $ul1 clsact
-
 	ip route del vrf v$ol1 192.0.2.16/28
 
 	ip route del vrf v$ol1 192.0.2.82/32 via 192.0.2.146
@@ -139,10 +131,18 @@ sw2_create()
 	ip route add vrf v$ol2 192.0.2.0/28 \
 	   nexthop dev g2a \
 	   nexthop dev g2b
+
+	tc qdisc add dev $ul2 clsact
+	tc filter add dev $ul2 ingress pref 111 prot 802.1Q \
+	   flower vlan_id 111 action pass
+	tc filter add dev $ul2 ingress pref 222 prot 802.1Q \
+	   flower vlan_id 222 action pass
 }
 
 sw2_destroy()
 {
+	tc qdisc del dev $ul2 clsact
+
 	ip route del vrf v$ol2 192.0.2.0/28
 
 	ip route del vrf v$ol2 192.0.2.81/32 via 192.0.2.145
@@ -215,15 +215,15 @@ multipath4_test()
 	   nexthop dev g1a weight $weight1 \
 	   nexthop dev g1b weight $weight2
 
-	local t0_111=$(tc_rule_stats_get $ul1 111 egress)
-	local t0_222=$(tc_rule_stats_get $ul1 222 egress)
+	local t0_111=$(tc_rule_stats_get $ul2 111 ingress)
+	local t0_222=$(tc_rule_stats_get $ul2 222 ingress)
 
 	ip vrf exec v$h1 \
 	   $MZ $h1 -q -p 64 -A 192.0.2.1 -B 192.0.2.18 \
 	       -d 1msec -t udp "sp=1024,dp=0-32768"
 
-	local t1_111=$(tc_rule_stats_get $ul1 111 egress)
-	local t1_222=$(tc_rule_stats_get $ul1 222 egress)
+	local t1_111=$(tc_rule_stats_get $ul2 111 ingress)
+	local t1_222=$(tc_rule_stats_get $ul2 222 ingress)
 
 	local d111=$((t1_111 - t0_111))
 	local d222=$((t1_222 - t0_222))
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 13/68] can: dev: call netif_carrier_off() in register_candev()
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (10 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 12/68] selftests: forwarding: gre_multipath: Fix flower filters Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 14/68] can: mcp251x: add error check when wq alloc failed Sasha Levin
                   ` (54 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Rasmus Villemoes, Willem de Bruijn, Marc Kleine-Budde,
	Sasha Levin, linux-can, netdev

From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>

[ Upstream commit c63845609c4700488e5eacd6ab4d06d5d420e5ef ]

CONFIG_CAN_LEDS is deprecated. When trying to use the generic netdev
trigger as suggested, there's a small inconsistency with the link
property: The LED is on initially, stays on when the device is brought
up, and then turns off (as expected) when the device is brought down.

Make sure the LED always reflects the state of the CAN device.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/can/dev.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index c05e4d50d43d7..bd127ce3aba24 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -1260,6 +1260,8 @@ int register_candev(struct net_device *dev)
 		return -EINVAL;
 
 	dev->rtnl_link_ops = &can_link_ops;
+	netif_carrier_off(dev);
+
 	return register_netdev(dev);
 }
 EXPORT_SYMBOL_GPL(register_candev);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 14/68] can: mcp251x: add error check when wq alloc failed
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (11 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 13/68] can: dev: call netif_carrier_off() in register_candev() Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 15/68] can: gw: Fix error path of cgw_module_init Sasha Levin
                   ` (53 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Weitao Hou, Willem de Bruijn, Sean Nyekjaer, Marc Kleine-Budde,
	Sasha Levin, linux-can, netdev

From: Weitao Hou <houweitaoo@gmail.com>

[ Upstream commit 375f755899b8fc21196197e02aab26257df26e85 ]

add error check when workqueue alloc failed, and remove redundant code
to make it clear.

Fixes: e0000163e30e ("can: Driver for the Microchip MCP251x SPI CAN controllers")
Signed-off-by: Weitao Hou <houweitaoo@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Tested-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/can/spi/mcp251x.c | 49 ++++++++++++++++-------------------
 1 file changed, 22 insertions(+), 27 deletions(-)

diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
index da64e71a62ee2..fccb6bf21fada 100644
--- a/drivers/net/can/spi/mcp251x.c
+++ b/drivers/net/can/spi/mcp251x.c
@@ -678,17 +678,6 @@ static int mcp251x_power_enable(struct regulator *reg, int enable)
 		return regulator_disable(reg);
 }
 
-static void mcp251x_open_clean(struct net_device *net)
-{
-	struct mcp251x_priv *priv = netdev_priv(net);
-	struct spi_device *spi = priv->spi;
-
-	free_irq(spi->irq, priv);
-	mcp251x_hw_sleep(spi);
-	mcp251x_power_enable(priv->transceiver, 0);
-	close_candev(net);
-}
-
 static int mcp251x_stop(struct net_device *net)
 {
 	struct mcp251x_priv *priv = netdev_priv(net);
@@ -954,37 +943,43 @@ static int mcp251x_open(struct net_device *net)
 				   flags | IRQF_ONESHOT, DEVICE_NAME, priv);
 	if (ret) {
 		dev_err(&spi->dev, "failed to acquire irq %d\n", spi->irq);
-		mcp251x_power_enable(priv->transceiver, 0);
-		close_candev(net);
-		goto open_unlock;
+		goto out_close;
 	}
 
 	priv->wq = alloc_workqueue("mcp251x_wq", WQ_FREEZABLE | WQ_MEM_RECLAIM,
 				   0);
+	if (!priv->wq) {
+		ret = -ENOMEM;
+		goto out_clean;
+	}
 	INIT_WORK(&priv->tx_work, mcp251x_tx_work_handler);
 	INIT_WORK(&priv->restart_work, mcp251x_restart_work_handler);
 
 	ret = mcp251x_hw_reset(spi);
-	if (ret) {
-		mcp251x_open_clean(net);
-		goto open_unlock;
-	}
+	if (ret)
+		goto out_free_wq;
 	ret = mcp251x_setup(net, spi);
-	if (ret) {
-		mcp251x_open_clean(net);
-		goto open_unlock;
-	}
+	if (ret)
+		goto out_free_wq;
 	ret = mcp251x_set_normal_mode(spi);
-	if (ret) {
-		mcp251x_open_clean(net);
-		goto open_unlock;
-	}
+	if (ret)
+		goto out_free_wq;
 
 	can_led_event(net, CAN_LED_EVENT_OPEN);
 
 	netif_wake_queue(net);
+	mutex_unlock(&priv->mcp_lock);
 
-open_unlock:
+	return 0;
+
+out_free_wq:
+	destroy_workqueue(priv->wq);
+out_clean:
+	free_irq(spi->irq, priv);
+	mcp251x_hw_sleep(spi);
+out_close:
+	mcp251x_power_enable(priv->transceiver, 0);
+	close_candev(net);
 	mutex_unlock(&priv->mcp_lock);
 	return ret;
 }
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 15/68] can: gw: Fix error path of cgw_module_init
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (12 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 14/68] can: mcp251x: add error check when wq alloc failed Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 16/68] ASoC: Fail card instantiation if DAI format setup fails Sasha Levin
                   ` (52 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: YueHaibing, Oliver Hartkopp, Marc Kleine-Budde, Sasha Levin,
	linux-can, netdev

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit b7a14297f102b6e2ce6f16feffebbb9bde1e9b55 ]

This patch add error path for cgw_module_init to avoid possible crash if
some error occurs.

Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/can/gw.c | 48 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 33 insertions(+), 15 deletions(-)

diff --git a/net/can/gw.c b/net/can/gw.c
index 53859346dc9a9..bd2161470e456 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -1046,32 +1046,50 @@ static __init int cgw_module_init(void)
 	pr_info("can: netlink gateway (rev " CAN_GW_VERSION ") max_hops=%d\n",
 		max_hops);
 
-	register_pernet_subsys(&cangw_pernet_ops);
+	ret = register_pernet_subsys(&cangw_pernet_ops);
+	if (ret)
+		return ret;
+
+	ret = -ENOMEM;
 	cgw_cache = kmem_cache_create("can_gw", sizeof(struct cgw_job),
 				      0, 0, NULL);
-
 	if (!cgw_cache)
-		return -ENOMEM;
+		goto out_cache_create;
 
 	/* set notifier */
 	notifier.notifier_call = cgw_notifier;
-	register_netdevice_notifier(&notifier);
+	ret = register_netdevice_notifier(&notifier);
+	if (ret)
+		goto out_register_notifier;
 
 	ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_GETROUTE,
 				   NULL, cgw_dump_jobs, 0);
-	if (ret) {
-		unregister_netdevice_notifier(&notifier);
-		kmem_cache_destroy(cgw_cache);
-		return -ENOBUFS;
-	}
-
-	/* Only the first call to rtnl_register_module can fail */
-	rtnl_register_module(THIS_MODULE, PF_CAN, RTM_NEWROUTE,
-			     cgw_create_job, NULL, 0);
-	rtnl_register_module(THIS_MODULE, PF_CAN, RTM_DELROUTE,
-			     cgw_remove_job, NULL, 0);
+	if (ret)
+		goto out_rtnl_register1;
+
+	ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_NEWROUTE,
+				   cgw_create_job, NULL, 0);
+	if (ret)
+		goto out_rtnl_register2;
+	ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_DELROUTE,
+				   cgw_remove_job, NULL, 0);
+	if (ret)
+		goto out_rtnl_register3;
 
 	return 0;
+
+out_rtnl_register3:
+	rtnl_unregister(PF_CAN, RTM_NEWROUTE);
+out_rtnl_register2:
+	rtnl_unregister(PF_CAN, RTM_GETROUTE);
+out_rtnl_register1:
+	unregister_netdevice_notifier(&notifier);
+out_register_notifier:
+	kmem_cache_destroy(cgw_cache);
+out_cache_create:
+	unregister_pernet_subsys(&cangw_pernet_ops);
+
+	return ret;
 }
 
 static __exit void cgw_module_exit(void)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 16/68] ASoC: Fail card instantiation if DAI format setup fails
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (13 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 15/68] can: gw: Fix error path of cgw_module_init Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 17/68] st21nfca_connectivity_event_received: null check the allocation Sasha Levin
                   ` (51 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ricard Wanderlof, Ricard Wanderlof, Mark Brown, Sasha Levin

From: Ricard Wanderlof <ricard.wanderlof@axis.com>

[ Upstream commit 40aa5383e393d72f6aa3943a4e7b1aae25a1e43b ]

If the DAI format setup fails, there is no valid communication format
between CPU and CODEC, so fail card instantiation, rather than continue
with a card that will most likely not function properly.

Signed-off-by: Ricard Wanderlof <ricardw@axis.com>
Link: https://lore.kernel.org/r/alpine.DEB.2.20.1907241132350.6338@lnxricardw1.se.axis.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/soc-core.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 62aa320c20708..dafc3b7f8d723 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -1513,8 +1513,11 @@ static int soc_probe_link_dais(struct snd_soc_card *card,
 		}
 	}
 
-	if (dai_link->dai_fmt)
-		snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt);
+	if (dai_link->dai_fmt) {
+		ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt);
+		if (ret)
+			return ret;
+	}
 
 	ret = soc_post_component_init(rtd, dai_link->name);
 	if (ret)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 17/68] st21nfca_connectivity_event_received: null check the allocation
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (14 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 16/68] ASoC: Fail card instantiation if DAI format setup fails Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 18/68] st_nci_hci_connectivity_event_received: " Sasha Levin
                   ` (50 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Navid Emamdoost, David S . Miller, Sasha Levin, netdev

From: Navid Emamdoost <navid.emamdoost@gmail.com>

[ Upstream commit 9891d06836e67324c9e9c4675ed90fc8b8110034 ]

devm_kzalloc may fail and return null. So the null check is needed.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/st21nfca/se.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
index 4bed9e842db38..fd967a38a94a5 100644
--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -328,6 +328,8 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
 
 		transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev,
 						   skb->len - 2, GFP_KERNEL);
+		if (!transaction)
+			return -ENOMEM;
 
 		transaction->aid_len = skb->data[1];
 		memcpy(transaction->aid, &skb->data[2],
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 18/68] st_nci_hci_connectivity_event_received: null check the allocation
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (15 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 17/68] st21nfca_connectivity_event_received: null check the allocation Sasha Levin
@ 2019-08-14  2:14 ` " Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 19/68] ASoC: rockchip: Fix mono capture Sasha Levin
                   ` (49 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Navid Emamdoost, David S . Miller, Sasha Levin, netdev

From: Navid Emamdoost <navid.emamdoost@gmail.com>

[ Upstream commit 3008e06fdf0973770370f97d5f1fba3701d8281d ]

devm_kzalloc may fail and return NULL. So the null check is needed.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/st-nci/se.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
index f55d082ace715..5d6e7e931bc6c 100644
--- a/drivers/nfc/st-nci/se.c
+++ b/drivers/nfc/st-nci/se.c
@@ -344,6 +344,8 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
 
 		transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev,
 					    skb->len - 2, GFP_KERNEL);
+		if (!transaction)
+			return -ENOMEM;
 
 		transaction->aid_len = skb->data[1];
 		memcpy(transaction->aid, &skb->data[2], transaction->aid_len);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 19/68] ASoC: rockchip: Fix mono capture
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (16 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 18/68] st_nci_hci_connectivity_event_received: " Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 20/68] ASoC: ti: davinci-mcasp: Correct slot_width posed constraint Sasha Levin
                   ` (48 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Cheng-Yi Chiang, Mark Brown, Sasha Levin, linux-rockchip

From: Cheng-Yi Chiang <cychiang@chromium.org>

[ Upstream commit 789e162a6255325325bd321ab0cd51dc7e285054 ]

This reverts commit db51707b9c9aeedd310ebce60f15d5bb006567e0.
Revert "ASoC: rockchip: i2s: Support mono capture"

Previous discussion in

https://patchwork.kernel.org/patch/10147153/

explains the issue of the patch.
While device is configured as 1-ch, hardware is still
generating a 2-ch stream.
When user space reads the data and assumes it is a 1-ch stream,
the rate will be slower by 2x.

Revert the change so 1-ch is not supported.
User space can selectively take one channel data out of two channel
if 1-ch is preferred.
Currently, both channels record identical data.

Signed-off-by: Cheng-Yi Chiang <cychiang@chromium.org>
Link: https://lore.kernel.org/r/20190726044202.26866-1-cychiang@chromium.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/rockchip/rockchip_i2s.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c
index 60d43d53a8f5e..11399f81c92f9 100644
--- a/sound/soc/rockchip/rockchip_i2s.c
+++ b/sound/soc/rockchip/rockchip_i2s.c
@@ -329,7 +329,6 @@ static int rockchip_i2s_hw_params(struct snd_pcm_substream *substream,
 		val |= I2S_CHN_4;
 		break;
 	case 2:
-	case 1:
 		val |= I2S_CHN_2;
 		break;
 	default:
@@ -462,7 +461,7 @@ static struct snd_soc_dai_driver rockchip_i2s_dai = {
 	},
 	.capture = {
 		.stream_name = "Capture",
-		.channels_min = 1,
+		.channels_min = 2,
 		.channels_max = 2,
 		.rates = SNDRV_PCM_RATE_8000_192000,
 		.formats = (SNDRV_PCM_FMTBIT_S8 |
@@ -662,7 +661,7 @@ static int rockchip_i2s_probe(struct platform_device *pdev)
 	}
 
 	if (!of_property_read_u32(node, "rockchip,capture-channels", &val)) {
-		if (val >= 1 && val <= 8)
+		if (val >= 2 && val <= 8)
 			soc_dai->capture.channels_max = val;
 	}
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 20/68] ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (17 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 19/68] ASoC: rockchip: Fix mono capture Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 21/68] net: usb: qmi_wwan: Add the BroadMobi BM818 card Sasha Levin
                   ` (47 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Peter Ujfalusi, Mark Brown, Sasha Levin

From: Peter Ujfalusi <peter.ujfalusi@ti.com>

[ Upstream commit 1e112c35e3c96db7c8ca6ddaa96574f00c06e7db ]

The slot_width is a property for the bus while the constraint for
SNDRV_PCM_HW_PARAM_SAMPLE_BITS is for the in memory format.

Applying slot_width constraint to sample_bits works most of the time, but
it will blacklist valid formats in some cases.

With slot_width 24 we can support S24_3LE and S24_LE formats as they both
look the same on the bus, but a a 24 constraint on sample_bits would not
allow S24_LE as it is stored in 32bits in memory.

Implement a simple hw_rule function to allow all formats which require less
or equal number of bits on the bus as slot_width (if configured).

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Link: https://lore.kernel.org/r/20190726064244.3762-2-peter.ujfalusi@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/davinci/davinci-mcasp.c | 43 ++++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c
index 160b2764b2ad8..6a8c279a4b20b 100644
--- a/sound/soc/davinci/davinci-mcasp.c
+++ b/sound/soc/davinci/davinci-mcasp.c
@@ -1150,6 +1150,28 @@ static int davinci_mcasp_trigger(struct snd_pcm_substream *substream,
 	return ret;
 }
 
+static int davinci_mcasp_hw_rule_slot_width(struct snd_pcm_hw_params *params,
+					    struct snd_pcm_hw_rule *rule)
+{
+	struct davinci_mcasp_ruledata *rd = rule->private;
+	struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
+	struct snd_mask nfmt;
+	int i, slot_width;
+
+	snd_mask_none(&nfmt);
+	slot_width = rd->mcasp->slot_width;
+
+	for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) {
+		if (snd_mask_test(fmt, i)) {
+			if (snd_pcm_format_width(i) <= slot_width) {
+				snd_mask_set(&nfmt, i);
+			}
+		}
+	}
+
+	return snd_mask_refine(fmt, &nfmt);
+}
+
 static const unsigned int davinci_mcasp_dai_rates[] = {
 	8000, 11025, 16000, 22050, 32000, 44100, 48000, 64000,
 	88200, 96000, 176400, 192000,
@@ -1257,7 +1279,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
 	struct davinci_mcasp_ruledata *ruledata =
 					&mcasp->ruledata[substream->stream];
 	u32 max_channels = 0;
-	int i, dir;
+	int i, dir, ret;
 	int tdm_slots = mcasp->tdm_slots;
 
 	/* Do not allow more then one stream per direction */
@@ -1286,6 +1308,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
 			max_channels++;
 	}
 	ruledata->serializers = max_channels;
+	ruledata->mcasp = mcasp;
 	max_channels *= tdm_slots;
 	/*
 	 * If the already active stream has less channels than the calculated
@@ -1311,20 +1334,22 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
 				   0, SNDRV_PCM_HW_PARAM_CHANNELS,
 				   &mcasp->chconstr[substream->stream]);
 
-	if (mcasp->slot_width)
-		snd_pcm_hw_constraint_minmax(substream->runtime,
-					     SNDRV_PCM_HW_PARAM_SAMPLE_BITS,
-					     8, mcasp->slot_width);
+	if (mcasp->slot_width) {
+		/* Only allow formats require <= slot_width bits on the bus */
+		ret = snd_pcm_hw_rule_add(substream->runtime, 0,
+					  SNDRV_PCM_HW_PARAM_FORMAT,
+					  davinci_mcasp_hw_rule_slot_width,
+					  ruledata,
+					  SNDRV_PCM_HW_PARAM_FORMAT, -1);
+		if (ret)
+			return ret;
+	}
 
 	/*
 	 * If we rely on implicit BCLK divider setting we should
 	 * set constraints based on what we can provide.
 	 */
 	if (mcasp->bclk_master && mcasp->bclk_div == 0 && mcasp->sysclk_freq) {
-		int ret;
-
-		ruledata->mcasp = mcasp;
-
 		ret = snd_pcm_hw_rule_add(substream->runtime, 0,
 					  SNDRV_PCM_HW_PARAM_RATE,
 					  davinci_mcasp_hw_rule_rate,
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 21/68] net: usb: qmi_wwan: Add the BroadMobi BM818 card
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (18 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 20/68] ASoC: ti: davinci-mcasp: Correct slot_width posed constraint Sasha Levin
@ 2019-08-14  2:14 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 22/68] qed: RDMA - Fix the hw_ver returned in device attributes Sasha Levin
                   ` (46 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Bob Ham, Angus Ainslie, David S . Miller, Sasha Levin, netdev, linux-usb

From: Bob Ham <bob.ham@puri.sm>

[ Upstream commit 9a07406b00cdc6ec689dc142540739575c717f3c ]

The BroadMobi BM818 M.2 card uses the QMI protocol

Signed-off-by: Bob Ham <bob.ham@puri.sm>
Signed-off-by: Angus Ainslie (Purism) <angus@akkea.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/qmi_wwan.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 128c8a327d8ee..51017c6bb3bcb 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1231,6 +1231,7 @@ static const struct usb_device_id products[] = {
 	{QMI_FIXED_INTF(0x2001, 0x7e35, 4)},	/* D-Link DWM-222 */
 	{QMI_FIXED_INTF(0x2020, 0x2031, 4)},	/* Olicard 600 */
 	{QMI_FIXED_INTF(0x2020, 0x2033, 4)},	/* BroadMobi BM806U */
+	{QMI_FIXED_INTF(0x2020, 0x2060, 4)},	/* BroadMobi BM818 */
 	{QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)},    /* Sierra Wireless MC7700 */
 	{QMI_FIXED_INTF(0x114f, 0x68a2, 8)},    /* Sierra Wireless MC7750 */
 	{QMI_FIXED_INTF(0x1199, 0x68a2, 8)},	/* Sierra Wireless MC7710 in QMI mode */
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 22/68] qed: RDMA - Fix the hw_ver returned in device attributes
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (19 preceding siblings ...)
  2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 21/68] net: usb: qmi_wwan: Add the BroadMobi BM818 card Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 23/68] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain() Sasha Levin
                   ` (45 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Michal Kalderon, David S . Miller, Sasha Levin, netdev

From: Michal Kalderon <michal.kalderon@marvell.com>

[ Upstream commit 81af04b432fdfabcdbd2c06be2ee647e3ca41a22 ]

The hw_ver field was initialized to zero. Return the chip revision.
This is relevant for rdma driver.

Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed_rdma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
index 13802b825d65a..909422d939033 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
@@ -442,7 +442,7 @@ static void qed_rdma_init_devinfo(struct qed_hwfn *p_hwfn,
 	/* Vendor specific information */
 	dev->vendor_id = cdev->vendor_id;
 	dev->vendor_part_id = cdev->device_id;
-	dev->hw_ver = 0;
+	dev->hw_ver = cdev->chip_rev;
 	dev->fw_ver = (FW_MAJOR_VERSION << 24) | (FW_MINOR_VERSION << 16) |
 		      (FW_REVISION_VERSION << 8) | (FW_ENGINEERING_VERSION);
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 23/68] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (20 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 22/68] qed: RDMA - Fix the hw_ver returned in device attributes Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 24/68] mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl() Sasha Levin
                   ` (44 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Jia-Ju Bai, David S . Miller, Sasha Levin, netdev

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit a0d57a552b836206ad7705a1060e6e1ce5a38203 ]

In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail
and return NULL. At this time, fifo->iso[i].urb is assigned to NULL.

Then, fifo->iso[i].urb is used at some places, such as:
LINE 1405:    fill_isoc_urb(fifo->iso[i].urb, ...)
                  urb->number_of_packets = num_packets;
                  urb->transfer_flags = URB_ISO_ASAP;
                  urb->actual_length = 0;
                  urb->interval = interval;
LINE 1416:    fifo->iso[i].urb->...
LINE 1419:    fifo->iso[i].urb->...

Thus, possible null-pointer dereferences may occur.

To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb
when it is NULL.

These bugs are found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 060dc7fd66c1d..cfdb130cb1008 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1406,6 +1406,7 @@ start_isoc_chain(struct usb_fifo *fifo, int num_packets_per_urb,
 				printk(KERN_DEBUG
 				       "%s: %s: alloc urb for fifo %i failed",
 				       hw->name, __func__, fifo->fifonum);
+				continue;
 			}
 			fifo->iso[i].owner_fifo = (struct usb_fifo *) fifo;
 			fifo->iso[i].indx = i;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 24/68] mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl()
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (21 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 23/68] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain() Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 25/68] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Sasha Levin
                   ` (43 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jia-Ju Bai, Johannes Berg, Sasha Levin, linux-wireless, netdev

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit b55f3b841099e641bdb2701d361a4c304e2dbd6f ]

In hwsim_dump_radio_nl(), when genlmsg_put() on line 3617 fails, hdr is
assigned to NULL. Then hdr is used on lines 3622 and 3623:
    genl_dump_check_consistent(cb, hdr);
    genlmsg_end(skb, hdr);

Thus, possible null-pointer dereferences may occur.

To fix these bugs, hdr is used here when it is not NULL.

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Link: https://lore.kernel.org/r/20190729082332.28895-1-baijiaju1990@gmail.com
[put braces on all branches]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mac80211_hwsim.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 7cd428c0af433..ce2dd06af62e8 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3502,10 +3502,12 @@ static int hwsim_dump_radio_nl(struct sk_buff *skb,
 		hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid,
 				  cb->nlh->nlmsg_seq, &hwsim_genl_family,
 				  NLM_F_MULTI, HWSIM_CMD_GET_RADIO);
-		if (!hdr)
+		if (hdr) {
+			genl_dump_check_consistent(cb, hdr);
+			genlmsg_end(skb, hdr);
+		} else {
 			res = -EMSGSIZE;
-		genl_dump_check_consistent(cb, hdr);
-		genlmsg_end(skb, hdr);
+		}
 	}
 
 done:
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 25/68] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (22 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 24/68] mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl() Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 26/68] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets Sasha Levin
                   ` (42 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Stefano Brivio, Chen Yi, Jozsef Kadlecsik, Sasha Levin,
	netfilter-devel, coreteam, netdev

From: Stefano Brivio <sbrivio@redhat.com>

[ Upstream commit b89d15480d0cacacae1a0fe0b3da01b529f2914f ]

In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
for mac and ipmac sets"), ipset.git commit 1543514c46a7, I removed the
KADT check that prevents matching on destination MAC addresses for
hash:mac sets, but forgot to remove the same check for hash:ip,mac set.

Drop this check: functionality is now commented in man pages and there's
no reason to restrict to source MAC address matching anymore.

Reported-by: Chen Yi <yiche@redhat.com>
Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipset/ip_set_hash_ipmac.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
index fd87de3ed55b3..75c21c8b76514 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
@@ -95,10 +95,6 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb,
 	struct hash_ipmac4_elem e = { .ip = 0, { .foo[0] = 0, .foo[1] = 0 } };
 	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
 
-	 /* MAC can be src only */
-	if (!(opt->flags & IPSET_DIM_TWO_SRC))
-		return 0;
-
 	if (skb_mac_header(skb) < skb->head ||
 	    (skb_mac_header(skb) + ETH_HLEN) > skb->data)
 		return -EINVAL;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 26/68] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (23 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 25/68] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 27/68] netfilter: ipset: Fix rename concurrency with listing Sasha Levin
                   ` (41 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Stefano Brivio, Chen Yi, Jozsef Kadlecsik, Sasha Levin,
	netfilter-devel, coreteam, netdev

From: Stefano Brivio <sbrivio@redhat.com>

[ Upstream commit 1b4a75108d5bc153daf965d334e77e8e94534f96 ]

In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the
KADT functions for sets matching on MAC addreses the copy of source or
destination MAC address depending on the configured match.

This was done correctly for hash:mac, but for hash:ip,mac and
bitmap:ip,mac, copying and pasting the same code block presents an
obvious problem: in these two set types, the MAC address is the second
dimension, not the first one, and we are actually selecting the MAC
address depending on whether the first dimension (IP address) specifies
source or destination.

Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags.

This way, mixing source and destination matches for the two dimensions
of ip,mac set types works as expected. With this setup:

  ip netns add A
  ip link add veth1 type veth peer name veth2 netns A
  ip addr add 192.0.2.1/24 dev veth1
  ip -net A addr add 192.0.2.2/24 dev veth2
  ip link set veth1 up
  ip -net A link set veth2 up

  dst=$(ip netns exec A cat /sys/class/net/veth2/address)

  ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16
  ip netns exec A ipset add test_bitmap 192.0.2.1,${dst}
  ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP

  ip netns exec A ipset create test_hash hash:ip,mac
  ip netns exec A ipset add test_hash 192.0.2.1,${dst}
  ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP

ipset correctly matches a test packet:

  # ping -c1 192.0.2.2 >/dev/null
  # echo $?
  0

Reported-by: Chen Yi <yiche@redhat.com>
Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
 net/netfilter/ipset/ip_set_hash_ipmac.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 13ade5782847b..4f01321e793ce 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -230,7 +230,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
 
 	e.id = ip_to_id(map, ip);
 
-	if (opt->flags & IPSET_DIM_ONE_SRC)
+	if (opt->flags & IPSET_DIM_TWO_SRC)
 		ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
 	else
 		ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
index 75c21c8b76514..16ec822e40447 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
@@ -99,7 +99,7 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb,
 	    (skb_mac_header(skb) + ETH_HLEN) > skb->data)
 		return -EINVAL;
 
-	if (opt->flags & IPSET_DIM_ONE_SRC)
+	if (opt->flags & IPSET_DIM_TWO_SRC)
 		ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
 	else
 		ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 27/68] netfilter: ipset: Fix rename concurrency with listing
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (24 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 26/68] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 28/68] netfilter: ebtables: also count base chain policies Sasha Levin
                   ` (40 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jozsef Kadlecsik, Shijie Luo, Sasha Levin, netfilter-devel,
	coreteam, netdev

From: Jozsef Kadlecsik <kadlec@netfilter.org>

[ Upstream commit 6c1f7e2c1b96ab9b09ac97c4df2bd9dc327206f6 ]

Shijie Luo reported that when stress-testing ipset with multiple concurrent
create, rename, flush, list, destroy commands, it can result

ipset <version>: Broken LIST kernel message: missing DATA part!

error messages and broken list results. The problem was the rename operation
was not properly handled with respect of listing. The patch fixes the issue.

Reported-by: Shijie Luo <luoshijie1@huawei.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipset/ip_set_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 1577f2f76060d..e2538c5786714 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1157,7 +1157,7 @@ static int ip_set_rename(struct net *net, struct sock *ctnl,
 		return -ENOENT;
 
 	write_lock_bh(&ip_set_ref_lock);
-	if (set->ref != 0) {
+	if (set->ref != 0 || set->ref_netlink != 0) {
 		ret = -IPSET_ERR_REFERENCED;
 		goto out;
 	}
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 28/68] netfilter: ebtables: also count base chain policies
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (25 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 27/68] netfilter: ipset: Fix rename concurrency with listing Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 29/68] rxrpc: Fix potential deadlock Sasha Levin
                   ` (39 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Florian Westphal, syzbot+276ddebab3382bbf72db, Pablo Neira Ayuso,
	Sasha Levin, netfilter-devel, coreteam, netdev

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 3b48300d5cc7c7bed63fddb006c4046549ed4aec ]

ebtables doesn't include the base chain policies in the rule count,
so we need to add them manually when we call into the x_tables core
to allocate space for the comapt offset table.

This lead syzbot to trigger:
WARNING: CPU: 1 PID: 9012 at net/netfilter/x_tables.c:649
xt_compat_add_offset.cold+0x11/0x36 net/netfilter/x_tables.c:649

Reported-by: syzbot+276ddebab3382bbf72db@syzkaller.appspotmail.com
Fixes: 2035f3ff8eaa ("netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebtables.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 57856f8bc22dd..62ffc989a44a2 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1779,20 +1779,28 @@ static int compat_calc_entry(const struct ebt_entry *e,
 	return 0;
 }
 
+static int ebt_compat_init_offsets(unsigned int number)
+{
+	if (number > INT_MAX)
+		return -EINVAL;
+
+	/* also count the base chain policies */
+	number += NF_BR_NUMHOOKS;
+
+	return xt_compat_init_offsets(NFPROTO_BRIDGE, number);
+}
 
 static int compat_table_info(const struct ebt_table_info *info,
 			     struct compat_ebt_replace *newinfo)
 {
 	unsigned int size = info->entries_size;
 	const void *entries = info->entries;
+	int ret;
 
 	newinfo->entries_size = size;
-	if (info->nentries) {
-		int ret = xt_compat_init_offsets(NFPROTO_BRIDGE,
-						 info->nentries);
-		if (ret)
-			return ret;
-	}
+	ret = ebt_compat_init_offsets(info->nentries);
+	if (ret)
+		return ret;
 
 	return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
 							entries, newinfo);
@@ -2241,11 +2249,9 @@ static int compat_do_replace(struct net *net, void __user *user,
 
 	xt_compat_lock(NFPROTO_BRIDGE);
 
-	if (tmp.nentries) {
-		ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
-		if (ret < 0)
-			goto out_unlock;
-	}
+	ret = ebt_compat_init_offsets(tmp.nentries);
+	if (ret < 0)
+		goto out_unlock;
 
 	ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
 	if (ret < 0)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 29/68] rxrpc: Fix potential deadlock
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (26 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 28/68] netfilter: ebtables: also count base chain policies Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 30/68] rxrpc: Fix the lack of notification when sendmsg() fails on a DATA packet Sasha Levin
                   ` (38 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: David Howells, syzbot+72af434e4b3417318f84, Marc Dionne,
	Jeffrey Altman, Sasha Levin, linux-afs, netdev

From: David Howells <dhowells@redhat.com>

[ Upstream commit 60034d3d146b11922ab1db613bce062dddc0327a ]

There is a potential deadlock in rxrpc_peer_keepalive_dispatch() whereby
rxrpc_put_peer() is called with the peer_hash_lock held, but if it reduces
the peer's refcount to 0, rxrpc_put_peer() calls __rxrpc_put_peer() - which
the tries to take the already held lock.

Fix this by providing a version of rxrpc_put_peer() that can be called in
situations where the lock is already held.

The bug may produce the following lockdep report:

============================================
WARNING: possible recursive locking detected
5.2.0-next-20190718 #41 Not tainted
--------------------------------------------
kworker/0:3/21678 is trying to acquire lock:
00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: spin_lock_bh
/./include/linux/spinlock.h:343 [inline]
00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at:
__rxrpc_put_peer /net/rxrpc/peer_object.c:415 [inline]
00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at:
rxrpc_put_peer+0x2d3/0x6a0 /net/rxrpc/peer_object.c:435

but task is already holding lock:
00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: spin_lock_bh
/./include/linux/spinlock.h:343 [inline]
00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at:
rxrpc_peer_keepalive_dispatch /net/rxrpc/peer_event.c:378 [inline]
00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at:
rxrpc_peer_keepalive_worker+0x6b3/0xd02 /net/rxrpc/peer_event.c:430

Fixes: 330bdcfadcee ("rxrpc: Fix the keepalive generator [ver #2]")
Reported-by: syzbot+72af434e4b3417318f84@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/ar-internal.h |  1 +
 net/rxrpc/peer_event.c  |  2 +-
 net/rxrpc/peer_object.c | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 03e0fc8c183f0..a4c341828b72f 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -1057,6 +1057,7 @@ void rxrpc_destroy_all_peers(struct rxrpc_net *);
 struct rxrpc_peer *rxrpc_get_peer(struct rxrpc_peer *);
 struct rxrpc_peer *rxrpc_get_peer_maybe(struct rxrpc_peer *);
 void rxrpc_put_peer(struct rxrpc_peer *);
+void rxrpc_put_peer_locked(struct rxrpc_peer *);
 
 /*
  * proc.c
diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
index bd2fa3b7caa7e..dc7fdaf20445b 100644
--- a/net/rxrpc/peer_event.c
+++ b/net/rxrpc/peer_event.c
@@ -375,7 +375,7 @@ static void rxrpc_peer_keepalive_dispatch(struct rxrpc_net *rxnet,
 		spin_lock_bh(&rxnet->peer_hash_lock);
 		list_add_tail(&peer->keepalive_link,
 			      &rxnet->peer_keepalive[slot & mask]);
-		rxrpc_put_peer(peer);
+		rxrpc_put_peer_locked(peer);
 	}
 
 	spin_unlock_bh(&rxnet->peer_hash_lock);
diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
index 5691b7d266ca0..71547e8673b99 100644
--- a/net/rxrpc/peer_object.c
+++ b/net/rxrpc/peer_object.c
@@ -440,6 +440,24 @@ void rxrpc_put_peer(struct rxrpc_peer *peer)
 	}
 }
 
+/*
+ * Drop a ref on a peer record where the caller already holds the
+ * peer_hash_lock.
+ */
+void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
+{
+	const void *here = __builtin_return_address(0);
+	int n;
+
+	n = atomic_dec_return(&peer->usage);
+	trace_rxrpc_peer(peer, rxrpc_peer_put, n, here);
+	if (n == 0) {
+		hash_del_rcu(&peer->hash_link);
+		list_del_init(&peer->keepalive_link);
+		kfree_rcu(peer, rcu);
+	}
+}
+
 /*
  * Make sure all peer records have been discarded.
  */
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 30/68] rxrpc: Fix the lack of notification when sendmsg() fails on a DATA packet
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (27 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 29/68] rxrpc: Fix potential deadlock Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 31/68] driver core: Fix use-after-free and double free on glue directory Sasha Levin
                   ` (37 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: David Howells, Marc Dionne, Jeffrey Altman, Sasha Levin,
	linux-afs, netdev

From: David Howells <dhowells@redhat.com>

[ Upstream commit c69565ee6681e151e2bb80502930a16e04b553d1 ]

Fix the fact that a notification isn't sent to the recvmsg side to indicate
a call failed when sendmsg() fails to transmit a DATA packet with the error
ENETUNREACH, EHOSTUNREACH or ECONNREFUSED.

Without this notification, the afs client just sits there waiting for the
call to complete in some manner (which it's not now going to do), which
also pins the rxrpc call in place.

This can be seen if the client has a scope-level IPv6 address, but not a
global-level IPv6 address, and we try and transmit an operation to a
server's IPv6 address.

Looking in /proc/net/rxrpc/calls shows completed calls just sat there with
an abort code of RX_USER_ABORT and an error code of -ENETUNREACH.

Fixes: c54e43d752c7 ("rxrpc: Fix missing start of call timeout")
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rxrpc/sendmsg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index be01f9c5d963d..5d6ab4f6fd7ab 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -230,6 +230,7 @@ static void rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call,
 			rxrpc_set_call_completion(call,
 						  RXRPC_CALL_LOCAL_ERROR,
 						  0, ret);
+			rxrpc_notify_socket(call);
 			goto out;
 		}
 		_debug("need instant resend %d", ret);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 31/68] driver core: Fix use-after-free and double free on glue directory
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (28 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 30/68] rxrpc: Fix the lack of notification when sendmsg() fails on a DATA packet Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  7:36   ` Greg Kroah-Hartman
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 32/68] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack Sasha Levin
                   ` (36 subsequent siblings)
  66 siblings, 1 reply; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Muchun Song, Mukesh Ojha, Prateek Sood, Greg Kroah-Hartman, Sasha Levin

From: Muchun Song <smuchun@gmail.com>

[ Upstream commit ac43432cb1f5c2950408534987e57c2071e24d8f ]

There is a race condition between removing glue directory and adding a new
device under the glue dir. It can be reproduced in following test:

CPU1:                                         CPU2:

device_add()
  get_device_parent()
    class_dir_create_and_add()
      kobject_add_internal()
        create_dir()    // create glue_dir

                                              device_add()
                                                get_device_parent()
                                                  kobject_get() // get glue_dir

device_del()
  cleanup_glue_dir()
    kobject_del(glue_dir)

                                                kobject_add()
                                                  kobject_add_internal()
                                                    create_dir() // in glue_dir
                                                      sysfs_create_dir_ns()
                                                        kernfs_create_dir_ns(sd)

      sysfs_remove_dir() // glue_dir->sd=NULL
      sysfs_put()        // free glue_dir->sd

                                                          // sd is freed
                                                          kernfs_new_node(sd)
                                                            kernfs_get(glue_dir)
                                                            kernfs_add_one()
                                                            kernfs_put()

Before CPU1 remove last child device under glue dir, if CPU2 add a new
device under glue dir, the glue_dir kobject reference count will be
increase to 2 via kobject_get() in get_device_parent(). And CPU2 has
been called kernfs_create_dir_ns(), but not call kernfs_new_node().
Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in
glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call
kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next
call kernfs_add_one() by CPU2 will fail(This is also use-after-free)
and call kernfs_put() to decrease reference count. Because the reference
count is decremented to 0, it will also call kmem_cache_free() to free
the glue_dir->sd again. This will result in double free.

In order to avoid this happening, we also should make sure that kernfs_node
for glue_dir is released in CPU1 only when refcount for glue_dir kobj is
1 to fix this race.

The following calltrace is captured in kernel 4.14 with the following patch
applied:

commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

--------------------------------------------------------------------------
[    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
....
[    3.633986] Call trace:
[    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
[    3.633994]  sysfs_create_dir_ns+0x54/0xe8
[    3.634001]  kobject_add_internal+0x22c/0x3f0
[    3.634005]  kobject_add+0xe4/0x118
[    3.634011]  device_add+0x200/0x870
[    3.634017]  _request_firmware+0x958/0xc38
[    3.634020]  request_firmware_into_buf+0x4c/0x70
....
[    3.634064] kernel BUG at .../mm/slub.c:294!
                Here is BUG_ON(object == fp) in set_freepointer().
....
[    3.634346] Call trace:
[    3.634351]  kmem_cache_free+0x504/0x6b8
[    3.634355]  kernfs_put+0x14c/0x1d8
[    3.634359]  kernfs_create_dir_ns+0x88/0xb0
[    3.634362]  sysfs_create_dir_ns+0x54/0xe8
[    3.634366]  kobject_add_internal+0x22c/0x3f0
[    3.634370]  kobject_add+0xe4/0x118
[    3.634374]  device_add+0x200/0x870
[    3.634378]  _request_firmware+0x958/0xc38
[    3.634381]  request_firmware_into_buf+0x4c/0x70
--------------------------------------------------------------------------

Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
Signed-off-by: Muchun Song <smuchun@gmail.com>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Prateek Sood <prsood@codeaurora.org>
Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index e1a8d5c06f65e..fcda6313e7def 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -1648,12 +1648,63 @@ static inline struct kobject *get_glue_dir(struct device *dev)
  */
 static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
 {
+	unsigned int ref;
+
 	/* see if we live in a "glue" directory */
 	if (!live_in_glue_dir(glue_dir, dev))
 		return;
 
 	mutex_lock(&gdp_mutex);
-	if (!kobject_has_children(glue_dir))
+	/**
+	 * There is a race condition between removing glue directory
+	 * and adding a new device under the glue directory.
+	 *
+	 * CPU1:                                         CPU2:
+	 *
+	 * device_add()
+	 *   get_device_parent()
+	 *     class_dir_create_and_add()
+	 *       kobject_add_internal()
+	 *         create_dir()    // create glue_dir
+	 *
+	 *                                               device_add()
+	 *                                                 get_device_parent()
+	 *                                                   kobject_get() // get glue_dir
+	 *
+	 * device_del()
+	 *   cleanup_glue_dir()
+	 *     kobject_del(glue_dir)
+	 *
+	 *                                               kobject_add()
+	 *                                                 kobject_add_internal()
+	 *                                                   create_dir() // in glue_dir
+	 *                                                     sysfs_create_dir_ns()
+	 *                                                       kernfs_create_dir_ns(sd)
+	 *
+	 *       sysfs_remove_dir() // glue_dir->sd=NULL
+	 *       sysfs_put()        // free glue_dir->sd
+	 *
+	 *                                                         // sd is freed
+	 *                                                         kernfs_new_node(sd)
+	 *                                                           kernfs_get(glue_dir)
+	 *                                                           kernfs_add_one()
+	 *                                                           kernfs_put()
+	 *
+	 * Before CPU1 remove last child device under glue dir, if CPU2 add
+	 * a new device under glue dir, the glue_dir kobject reference count
+	 * will be increase to 2 in kobject_get(k). And CPU2 has been called
+	 * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
+	 * and sysfs_put(). This result in glue_dir->sd is freed.
+	 *
+	 * Then the CPU2 will see a stale "empty" but still potentially used
+	 * glue dir around in kernfs_new_node().
+	 *
+	 * In order to avoid this happening, we also should make sure that
+	 * kernfs_node for glue_dir is released in CPU1 only when refcount
+	 * for glue_dir kobj is 1.
+	 */
+	ref = kref_read(&glue_dir->kref);
+	if (!kobject_has_children(glue_dir) && !--ref)
 		kobject_del(glue_dir);
 	kobject_put(glue_dir);
 	mutex_unlock(&gdp_mutex);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 32/68] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (29 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 31/68] driver core: Fix use-after-free and double free on glue directory Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 33/68] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed() Sasha Levin
                   ` (35 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Juliana Rodrigueiro, David S . Miller, Sasha Levin, netdev

From: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>

[ Upstream commit d8a1de3d5bb881507602bc02e004904828f88711 ]

Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers.

During usb probe the driver crashes with "transfer buffer is on stack" message.

This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro
that calls "usb_control_msg" under the hood.

Kernel 4.19 backtrace:

usb_hcd_submit_urb+0x3e5/0x900
? sched_clock+0x9/0x10
? log_store+0x203/0x270
? get_random_u32+0x6f/0x90
? cache_alloc_refill+0x784/0x8a0
usb_submit_urb+0x3b4/0x550
usb_start_wait_urb+0x4e/0xd0
usb_control_msg+0xb8/0x120
hfcsusb_probe+0x6bc/0xb40 [hfcsusb]
usb_probe_interface+0xc2/0x260
really_probe+0x176/0x280
driver_probe_device+0x49/0x130
__driver_attach+0xa9/0xb0
? driver_probe_device+0x130/0x130
bus_for_each_dev+0x5a/0x90
driver_attach+0x14/0x20
? driver_probe_device+0x130/0x130
bus_add_driver+0x157/0x1e0
driver_register+0x51/0xe0
usb_register_driver+0x5d/0x120
? 0xf81ed000
hfcsusb_drv_init+0x17/0x1000 [hfcsusb]
do_one_initcall+0x44/0x190
? free_unref_page_commit+0x6a/0xd0
do_init_module+0x46/0x1c0
load_module+0x1dc1/0x2400
sys_init_module+0xed/0x120
do_fast_syscall_32+0x7a/0x200
entry_SYSENTER_32+0x6b/0xbe

Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index cfdb130cb1008..c952002c6301d 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1705,13 +1705,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel)
 static int
 setup_hfcsusb(struct hfcsusb *hw)
 {
+	void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL);
 	u_char b;
+	int ret;
 
 	if (debug & DBG_HFC_CALL_TRACE)
 		printk(KERN_DEBUG "%s: %s\n", hw->name, __func__);
 
+	if (!dmabuf)
+		return -ENOMEM;
+
+	ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf);
+
+	memcpy(&b, dmabuf, sizeof(u_char));
+	kfree(dmabuf);
+
 	/* check the chip id */
-	if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) {
+	if (ret != 1) {
 		printk(KERN_DEBUG "%s: %s: cannot read chip id\n",
 		       hw->name, __func__);
 		return 1;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 33/68] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed()
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (30 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 32/68] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 34/68] perf bench numa: Fix cpu0 binding Sasha Levin
                   ` (34 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Jia-Ju Bai, David S . Miller, Sasha Levin, netdev

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit 271da132e29b5341c31eca6ba6a72ea1302ebac8 ]

In phy_led_trigger_change_speed(), there is an if statement on line 48
to check whether phy->last_triggered is NULL:
    if (!phy->last_triggered)

When phy->last_triggered is NULL, it is used on line 52:
    led_trigger_event(&phy->last_triggered->trigger, LED_OFF);

Thus, a possible null-pointer dereference may occur.

To fix this bug, led_trigger_event(&phy->last_triggered->trigger,
LED_OFF) is called when phy->last_triggered is not NULL.

This bug is found by a static analysis tool STCheck written by
the OSLAB group in Tsinghua University.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/phy_led_triggers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/phy/phy_led_triggers.c b/drivers/net/phy/phy_led_triggers.c
index 491efc1bf5c48..7278eca70f9f3 100644
--- a/drivers/net/phy/phy_led_triggers.c
+++ b/drivers/net/phy/phy_led_triggers.c
@@ -58,8 +58,9 @@ void phy_led_trigger_change_speed(struct phy_device *phy)
 		if (!phy->last_triggered)
 			led_trigger_event(&phy->led_link_trigger->trigger,
 					  LED_FULL);
+		else
+			led_trigger_event(&phy->last_triggered->trigger, LED_OFF);
 
-		led_trigger_event(&phy->last_triggered->trigger, LED_OFF);
 		led_trigger_event(&plt->trigger, LED_FULL);
 		phy->last_triggered = plt;
 	}
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 34/68] perf bench numa: Fix cpu0 binding
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (31 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 33/68] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed() Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 35/68] Input: kbtab - sanity check for endpoint type Sasha Levin
                   ` (33 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jiri Olsa, Michael Petlan, Alexander Shishkin, Andi Kleen,
	Namhyung Kim, Peter Zijlstra, Satheesh Rajendran,
	Arnaldo Carvalho de Melo, Sasha Levin

From: Jiri Olsa <jolsa@kernel.org>

[ Upstream commit 6bbfe4e602691b90ac866712bd4c43c51e546a60 ]

Michael reported an issue with perf bench numa failing with binding to
cpu0 with '-0' option.

  # perf bench numa mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd
  # Running 'numa/mem' benchmark:

   # Running main, "perf bench numa numa-mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd"
  binding to node 0, mask: 0000000000000001 => -1
  perf: bench/numa.c:356: bind_to_memnode: Assertion `!(ret)' failed.
  Aborted (core dumped)

This happens when the cpu0 is not part of node0, which is the benchmark
assumption and we can see that's not the case for some powerpc servers.

Using correct node for cpu0 binding.

Reported-by: Michael Petlan <mpetlan@redhat.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Link: http://lkml.kernel.org/r/20190801142642.28004-1-jolsa@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/bench/numa.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
index fa56fde6e8d80..91c0a4434da27 100644
--- a/tools/perf/bench/numa.c
+++ b/tools/perf/bench/numa.c
@@ -378,8 +378,10 @@ static u8 *alloc_data(ssize_t bytes0, int map_flags,
 
 	/* Allocate and initialize all memory on CPU#0: */
 	if (init_cpu0) {
-		orig_mask = bind_to_node(0);
-		bind_to_memnode(0);
+		int node = numa_node_of_cpu(0);
+
+		orig_mask = bind_to_node(node);
+		bind_to_memnode(node);
 	}
 
 	bytes = bytes0 + HPSIZE;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 35/68] Input: kbtab - sanity check for endpoint type
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (32 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 34/68] perf bench numa: Fix cpu0 binding Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 36/68] net: usb: pegasus: fix improper read if get_registers() fail Sasha Levin
                   ` (32 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Oliver Neukum, syzbot+c7df50363aaff50aa363, Dmitry Torokhov,
	Sasha Levin, linux-input

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit c88090dfc84254fa149174eb3e6a8458de1912c4 ]

The driver should check whether the endpoint it uses has the correct
type.

Reported-by: syzbot+c7df50363aaff50aa363@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/tablet/kbtab.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/input/tablet/kbtab.c b/drivers/input/tablet/kbtab.c
index 75b500651e4e4..b1cf0c9712740 100644
--- a/drivers/input/tablet/kbtab.c
+++ b/drivers/input/tablet/kbtab.c
@@ -116,6 +116,10 @@ static int kbtab_probe(struct usb_interface *intf, const struct usb_device_id *i
 	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
 		return -ENODEV;
 
+	endpoint = &intf->cur_altsetting->endpoint[0].desc;
+	if (!usb_endpoint_is_int_in(endpoint))
+		return -ENODEV;
+
 	kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL);
 	input_dev = input_allocate_device();
 	if (!kbtab || !input_dev)
@@ -154,8 +158,6 @@ static int kbtab_probe(struct usb_interface *intf, const struct usb_device_id *i
 	input_set_abs_params(input_dev, ABS_Y, 0, 0x1750, 4, 0);
 	input_set_abs_params(input_dev, ABS_PRESSURE, 0, 0xff, 0, 0);
 
-	endpoint = &intf->cur_altsetting->endpoint[0].desc;
-
 	usb_fill_int_urb(kbtab->irq, dev,
 			 usb_rcvintpipe(dev, endpoint->bEndpointAddress),
 			 kbtab->data, 8,
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 36/68] net: usb: pegasus: fix improper read if get_registers() fail
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (33 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 35/68] Input: kbtab - sanity check for endpoint type Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 37/68] can: sja1000: force the string buffer NULL-terminated Sasha Levin
                   ` (31 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Denis Kirjanov, syzbot+3499a83b2d062ae409d4, David S . Miller,
	Sasha Levin, linux-usb, netdev

From: Denis Kirjanov <kda@linux-powerpc.org>

[ Upstream commit 224c04973db1125fcebefffd86115f99f50f8277 ]

get_registers() may fail with -ENOMEM and in this
case we can read a garbage from the status variable tmp.

Reported-by: syzbot+3499a83b2d062ae409d4@syzkaller.appspotmail.com
Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/pegasus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index f4247b275e090..b7a0df95d4b0f 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -285,7 +285,7 @@ static void mdio_write(struct net_device *dev, int phy_id, int loc, int val)
 static int read_eprom_word(pegasus_t *pegasus, __u8 index, __u16 *retdata)
 {
 	int i;
-	__u8 tmp;
+	__u8 tmp = 0;
 	__le16 retdatai;
 	int ret;
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 37/68] can: sja1000: force the string buffer NULL-terminated
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (34 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 36/68] net: usb: pegasus: fix improper read if get_registers() fail Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 38/68] can: peak_usb: " Sasha Levin
                   ` (30 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Wang Xiayang, Marc Kleine-Budde, Sasha Levin, linux-can, netdev

From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>

[ Upstream commit cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c ]

strncpy() does not ensure NULL-termination when the input string size
equals to the destination buffer size IFNAMSIZ. The output string
'name' is passed to dev_info which relies on NULL-termination.

Use strlcpy() instead.

This issue is identified by a Coccinelle script.

Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/can/sja1000/peak_pcmcia.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/sja1000/peak_pcmcia.c b/drivers/net/can/sja1000/peak_pcmcia.c
index b8c39ede7cd51..179bfcd541f2f 100644
--- a/drivers/net/can/sja1000/peak_pcmcia.c
+++ b/drivers/net/can/sja1000/peak_pcmcia.c
@@ -487,7 +487,7 @@ static void pcan_free_channels(struct pcan_pccard *card)
 		if (!netdev)
 			continue;
 
-		strncpy(name, netdev->name, IFNAMSIZ);
+		strlcpy(name, netdev->name, IFNAMSIZ);
 
 		unregister_sja1000dev(netdev);
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 38/68] can: peak_usb: force the string buffer NULL-terminated
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (35 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 37/68] can: sja1000: force the string buffer NULL-terminated Sasha Levin
@ 2019-08-14  2:15 ` " Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 39/68] net/ethernet/qlogic/qed: " Sasha Levin
                   ` (29 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Wang Xiayang, Marc Kleine-Budde, Sasha Levin, linux-can, netdev

From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>

[ Upstream commit e787f19373b8a5fa24087800ed78314fd17b984a ]

strncpy() does not ensure NULL-termination when the input string size
equals to the destination buffer size IFNAMSIZ. The output string is
passed to dev_info() which relies on the NULL-termination.

Use strlcpy() instead.

This issue is identified by a Coccinelle script.

Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
index 611f9d31be5d0..1909eac4591ba 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
@@ -863,7 +863,7 @@ static void peak_usb_disconnect(struct usb_interface *intf)
 
 		dev_prev_siblings = dev->prev_siblings;
 		dev->state &= ~PCAN_USB_STATE_CONNECTED;
-		strncpy(name, netdev->name, IFNAMSIZ);
+		strlcpy(name, netdev->name, IFNAMSIZ);
 
 		unregister_netdev(netdev);
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 39/68] net/ethernet/qlogic/qed: force the string buffer NULL-terminated
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (36 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 38/68] can: peak_usb: " Sasha Levin
@ 2019-08-14  2:15 ` " Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 40/68] NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() Sasha Levin
                   ` (28 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Wang Xiayang, David S . Miller, Sasha Levin, netdev

From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>

[ Upstream commit 3690c8c9a8edff0db077a38783112d8fe12a7dd2 ]

strncpy() does not ensure NULL-termination when the input string
size equals to the destination buffer size 30.
The output string is passed to qed_int_deassertion_aeu_bit()
which calls DP_INFO() and relies NULL-termination.

Use strlcpy instead. The other conditional branch above strncpy()
needs no fix as snprintf() ensures NULL-termination.

This issue is identified by a Coccinelle script.

Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed_int.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c
index b22f464ea3fa7..f9e475075d3ea 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_int.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_int.c
@@ -939,7 +939,7 @@ static int qed_int_deassertion(struct qed_hwfn  *p_hwfn,
 						snprintf(bit_name, 30,
 							 p_aeu->bit_name, num);
 					else
-						strncpy(bit_name,
+						strlcpy(bit_name,
 							p_aeu->bit_name, 30);
 
 					/* We now need to pass bitmask in its
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 40/68] NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (37 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 39/68] net/ethernet/qlogic/qed: " Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 41/68] NFS: Fix regression whereby fscache errors are appearing on 'nofsc' mounts Sasha Levin
                   ` (27 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Trond Myklebust, John Hubbard, Sasha Levin, linux-nfs

From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit c77e22834ae9a11891cb613bd9a551be1b94f2bc ]

John Hubbard reports seeing the following stack trace:

nfs4_do_reclaim
   rcu_read_lock /* we are now in_atomic() and must not sleep */
       nfs4_purge_state_owners
           nfs4_free_state_owner
               nfs4_destroy_seqid_counter
                   rpc_destroy_wait_queue
                       cancel_delayed_work_sync
                           __cancel_work_timer
                               __flush_work
                                   start_flush_work
                                       might_sleep:
                                        (kernel/workqueue.c:2975: BUG)

The solution is to separate out the freeing of the state owners
from nfs4_purge_state_owners(), and perform that outside the atomic
context.

Reported-by: John Hubbard <jhubbard@nvidia.com>
Fixes: 0aaaf5c424c7f ("NFS: Cache state owners after files are closed")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/nfs4_fs.h    |  3 ++-
 fs/nfs/nfs4client.c |  5 ++++-
 fs/nfs/nfs4state.c  | 27 ++++++++++++++++++++++-----
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index 63287d911c088..5b61520dce888 100644
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -469,7 +469,8 @@ static inline void nfs4_schedule_session_recovery(struct nfs4_session *session,
 
 extern struct nfs4_state_owner *nfs4_get_state_owner(struct nfs_server *, struct rpc_cred *, gfp_t);
 extern void nfs4_put_state_owner(struct nfs4_state_owner *);
-extern void nfs4_purge_state_owners(struct nfs_server *);
+extern void nfs4_purge_state_owners(struct nfs_server *, struct list_head *);
+extern void nfs4_free_state_owners(struct list_head *head);
 extern struct nfs4_state * nfs4_get_open_state(struct inode *, struct nfs4_state_owner *);
 extern void nfs4_put_open_state(struct nfs4_state *);
 extern void nfs4_close_state(struct nfs4_state *, fmode_t);
diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
index 8f53455c47653..86991bcfbeb12 100644
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -754,9 +754,12 @@ int nfs41_walk_client_list(struct nfs_client *new,
 
 static void nfs4_destroy_server(struct nfs_server *server)
 {
+	LIST_HEAD(freeme);
+
 	nfs_server_return_all_delegations(server);
 	unset_pnfs_layoutdriver(server);
-	nfs4_purge_state_owners(server);
+	nfs4_purge_state_owners(server, &freeme);
+	nfs4_free_state_owners(&freeme);
 }
 
 /*
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index 3ba2087469ac8..c36ef75f2054b 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -628,24 +628,39 @@ void nfs4_put_state_owner(struct nfs4_state_owner *sp)
 /**
  * nfs4_purge_state_owners - Release all cached state owners
  * @server: nfs_server with cached state owners to release
+ * @head: resulting list of state owners
  *
  * Called at umount time.  Remaining state owners will be on
  * the LRU with ref count of zero.
+ * Note that the state owners are not freed, but are added
+ * to the list @head, which can later be used as an argument
+ * to nfs4_free_state_owners.
  */
-void nfs4_purge_state_owners(struct nfs_server *server)
+void nfs4_purge_state_owners(struct nfs_server *server, struct list_head *head)
 {
 	struct nfs_client *clp = server->nfs_client;
 	struct nfs4_state_owner *sp, *tmp;
-	LIST_HEAD(doomed);
 
 	spin_lock(&clp->cl_lock);
 	list_for_each_entry_safe(sp, tmp, &server->state_owners_lru, so_lru) {
-		list_move(&sp->so_lru, &doomed);
+		list_move(&sp->so_lru, head);
 		nfs4_remove_state_owner_locked(sp);
 	}
 	spin_unlock(&clp->cl_lock);
+}
 
-	list_for_each_entry_safe(sp, tmp, &doomed, so_lru) {
+/**
+ * nfs4_purge_state_owners - Release all cached state owners
+ * @head: resulting list of state owners
+ *
+ * Frees a list of state owners that was generated by
+ * nfs4_purge_state_owners
+ */
+void nfs4_free_state_owners(struct list_head *head)
+{
+	struct nfs4_state_owner *sp, *tmp;
+
+	list_for_each_entry_safe(sp, tmp, head, so_lru) {
 		list_del(&sp->so_lru);
 		nfs4_free_state_owner(sp);
 	}
@@ -1843,12 +1858,13 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 	struct nfs4_state_owner *sp;
 	struct nfs_server *server;
 	struct rb_node *pos;
+	LIST_HEAD(freeme);
 	int status = 0;
 
 restart:
 	rcu_read_lock();
 	list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) {
-		nfs4_purge_state_owners(server);
+		nfs4_purge_state_owners(server, &freeme);
 		spin_lock(&clp->cl_lock);
 		for (pos = rb_first(&server->state_owners);
 		     pos != NULL;
@@ -1877,6 +1893,7 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 		spin_unlock(&clp->cl_lock);
 	}
 	rcu_read_unlock();
+	nfs4_free_state_owners(&freeme);
 	return 0;
 }
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 41/68] NFS: Fix regression whereby fscache errors are appearing on 'nofsc' mounts
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (38 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 40/68] NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 42/68] HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52 Sasha Levin
                   ` (26 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Trond Myklebust, Steve Dickson, David Howells, Sasha Levin, linux-nfs

From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit dea1bb35c5f35e0577cfc61f79261d80b8715221 ]

People are reporing seeing fscache errors being reported concerning
duplicate cookies even in cases where they are not setting up fscache
at all. The rule needs to be that if fscache is not enabled, then it
should have no side effects at all.

To ensure this is the case, we disable fscache completely on all superblocks
for which the 'fsc' mount option was not set. In order to avoid issues
with '-oremount', we also disable the ability to turn fscache on via
remount.

Fixes: f1fe29b4a02d ("NFS: Use i_writecount to control whether...")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200145
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: Steve Dickson <steved@redhat.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/fscache.c | 7 ++++++-
 fs/nfs/fscache.h | 2 +-
 fs/nfs/super.c   | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/fscache.c b/fs/nfs/fscache.c
index 4dc887813c71d..a7bc4e0494f92 100644
--- a/fs/nfs/fscache.c
+++ b/fs/nfs/fscache.c
@@ -118,6 +118,10 @@ void nfs_fscache_get_super_cookie(struct super_block *sb, const char *uniq, int
 	struct rb_node **p, *parent;
 	int diff;
 
+	nfss->fscache_key = NULL;
+	nfss->fscache = NULL;
+	if (!(nfss->options & NFS_OPTION_FSCACHE))
+		return;
 	if (!uniq) {
 		uniq = "";
 		ulen = 1;
@@ -230,10 +234,11 @@ void nfs_fscache_release_super_cookie(struct super_block *sb)
 void nfs_fscache_init_inode(struct inode *inode)
 {
 	struct nfs_fscache_inode_auxdata auxdata;
+	struct nfs_server *nfss = NFS_SERVER(inode);
 	struct nfs_inode *nfsi = NFS_I(inode);
 
 	nfsi->fscache = NULL;
-	if (!S_ISREG(inode->i_mode))
+	if (!(nfss->fscache && S_ISREG(inode->i_mode)))
 		return;
 
 	memset(&auxdata, 0, sizeof(auxdata));
diff --git a/fs/nfs/fscache.h b/fs/nfs/fscache.h
index 161ba2edb9d04..6363ea9568581 100644
--- a/fs/nfs/fscache.h
+++ b/fs/nfs/fscache.h
@@ -186,7 +186,7 @@ static inline void nfs_fscache_wait_on_invalidate(struct inode *inode)
  */
 static inline const char *nfs_server_fscache_state(struct nfs_server *server)
 {
-	if (server->fscache && (server->options & NFS_OPTION_FSCACHE))
+	if (server->fscache)
 		return "yes";
 	return "no ";
 }
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 6df9b85caf205..d90efdea9fbd6 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2239,6 +2239,7 @@ nfs_compare_remount_data(struct nfs_server *nfss,
 	    data->acdirmin != nfss->acdirmin / HZ ||
 	    data->acdirmax != nfss->acdirmax / HZ ||
 	    data->timeo != (10U * nfss->client->cl_timeout->to_initval / HZ) ||
+	    (data->options & NFS_OPTION_FSCACHE) != (nfss->options & NFS_OPTION_FSCACHE) ||
 	    data->nfs_server.port != nfss->port ||
 	    data->nfs_server.addrlen != nfss->nfs_client->cl_addrlen ||
 	    !rpc_cmp_addr((struct sockaddr *)&data->nfs_server.address,
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 42/68] HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (39 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 41/68] NFS: Fix regression whereby fscache errors are appearing on 'nofsc' mounts Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 43/68] HID: holtek: test for sanity of intfdata Sasha Levin
                   ` (25 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: István Váradi, Jiri Kosina, Sasha Levin, linux-input

From: István Váradi <ivaradi@varadiistvan.hu>

[ Upstream commit 7bc74853fd61432ec59f812a40425bf6d8c986a4 ]

The Saitek X52 joystick has a pair of axes that are originally
(by the Windows driver) used as mouse pointer controls. The corresponding
usage->hid values are 0x50024 and 0x50026. Thus they are handled
as unknown axes and both get mapped to ABS_MISC. The quirk makes
the second axis to be mapped to ABS_MISC1 and thus made available
separately.

[jkosina@suse.cz: squashed two patches into one]
Signed-off-by: István Váradi <ivaradi@varadiistvan.hu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-ids.h    | 1 +
 drivers/hid/hid-quirks.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 2898bb0619454..4a2fa57ddcb84 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -971,6 +971,7 @@
 #define USB_DEVICE_ID_SAITEK_RAT7	0x0cd7
 #define USB_DEVICE_ID_SAITEK_RAT9	0x0cfa
 #define USB_DEVICE_ID_SAITEK_MMO7	0x0cd0
+#define USB_DEVICE_ID_SAITEK_X52	0x075c
 
 #define USB_VENDOR_ID_SAMSUNG		0x0419
 #define USB_DEVICE_ID_SAMSUNG_IR_REMOTE	0x0001
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index d29c7c9cd185d..e553f6fae7a4c 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -143,6 +143,7 @@ static const struct hid_device_id hid_quirks[] = {
 	{ HID_USB_DEVICE(USB_VENDOR_ID_RETROUSB, USB_DEVICE_ID_RETROUSB_SNES_RETROPAD), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_RETROUSB, USB_DEVICE_ID_RETROUSB_SNES_RETROPORT), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RUMBLEPAD), HID_QUIRK_BADPAD },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_X52), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD2), HID_QUIRK_NO_INIT_REPORTS },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET },
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 43/68] HID: holtek: test for sanity of intfdata
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (40 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 42/68] HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52 Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 44/68] HID: input: fix a4tech horizontal wheel custom usage Sasha Levin
                   ` (24 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Oliver Neukum, syzbot+965152643a75a56737be, Jiri Kosina,
	Sasha Levin, linux-input

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 01ec0a5f19c8c82960a07f6c7410fc9e01d7fb51 ]

The ioctl handler uses the intfdata of a second interface,
which may not be present in a broken or malicious device, hence
the intfdata needs to be checked for NULL.

[jkosina@suse.cz: fix newly added spurious space]
Reported-by: syzbot+965152643a75a56737be@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-holtek-kbd.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-holtek-kbd.c b/drivers/hid/hid-holtek-kbd.c
index 6e1a4a4fc0c10..ab9da597106fa 100644
--- a/drivers/hid/hid-holtek-kbd.c
+++ b/drivers/hid/hid-holtek-kbd.c
@@ -126,9 +126,14 @@ static int holtek_kbd_input_event(struct input_dev *dev, unsigned int type,
 
 	/* Locate the boot interface, to receive the LED change events */
 	struct usb_interface *boot_interface = usb_ifnum_to_if(usb_dev, 0);
+	struct hid_device *boot_hid;
+	struct hid_input *boot_hid_input;
 
-	struct hid_device *boot_hid = usb_get_intfdata(boot_interface);
-	struct hid_input *boot_hid_input = list_first_entry(&boot_hid->inputs,
+	if (unlikely(boot_interface == NULL))
+		return -ENODEV;
+
+	boot_hid = usb_get_intfdata(boot_interface);
+	boot_hid_input = list_first_entry(&boot_hid->inputs,
 		struct hid_input, list);
 
 	return boot_hid_input->input->event(boot_hid_input->input, type, code,
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 44/68] HID: input: fix a4tech horizontal wheel custom usage
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (41 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 43/68] HID: holtek: test for sanity of intfdata Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 45/68] drm/rockchip: Suspend DP late Sasha Levin
                   ` (23 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Nicolas Saenz Julienne, Jiri Kosina, Sasha Levin, linux-input

From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>

[ Upstream commit 1c703b53e5bfb5c2205c30f0fb157ce271fd42fb ]

Some a4tech mice use the 'GenericDesktop.00b8' usage to inform whether
the previous wheel report was horizontal or vertical. Before
c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key") this
usage was being mapped to 'Relative.Misc'. After the patch it's simply
ignored (usage->type == 0 & usage->code == 0). Which ultimately makes
hid-a4tech ignore the WHEEL/HWHEEL selection event, as it has no
usage->type.

We shouldn't rely on a mapping for that usage as it's nonstandard and
doesn't really map to an input event. So we bypass the mapping and make
sure the custom event handling properly handles both reports.

Fixes: c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key")
Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-a4tech.c | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/drivers/hid/hid-a4tech.c b/drivers/hid/hid-a4tech.c
index 9428ea7cdf8a0..c52bd163abb3e 100644
--- a/drivers/hid/hid-a4tech.c
+++ b/drivers/hid/hid-a4tech.c
@@ -26,12 +26,36 @@
 #define A4_2WHEEL_MOUSE_HACK_7	0x01
 #define A4_2WHEEL_MOUSE_HACK_B8	0x02
 
+#define A4_WHEEL_ORIENTATION	(HID_UP_GENDESK | 0x000000b8)
+
 struct a4tech_sc {
 	unsigned long quirks;
 	unsigned int hw_wheel;
 	__s32 delayed_value;
 };
 
+static int a4_input_mapping(struct hid_device *hdev, struct hid_input *hi,
+			    struct hid_field *field, struct hid_usage *usage,
+			    unsigned long **bit, int *max)
+{
+	struct a4tech_sc *a4 = hid_get_drvdata(hdev);
+
+	if (a4->quirks & A4_2WHEEL_MOUSE_HACK_B8 &&
+	    usage->hid == A4_WHEEL_ORIENTATION) {
+		/*
+		 * We do not want to have this usage mapped to anything as it's
+		 * nonstandard and doesn't really behave like an HID report.
+		 * It's only selecting the orientation (vertical/horizontal) of
+		 * the previous mouse wheel report. The input_events will be
+		 * generated once both reports are recorded in a4_event().
+		 */
+		return -1;
+	}
+
+	return 0;
+
+}
+
 static int a4_input_mapped(struct hid_device *hdev, struct hid_input *hi,
 		struct hid_field *field, struct hid_usage *usage,
 		unsigned long **bit, int *max)
@@ -53,8 +77,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field,
 	struct a4tech_sc *a4 = hid_get_drvdata(hdev);
 	struct input_dev *input;
 
-	if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput ||
-			!usage->type)
+	if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput)
 		return 0;
 
 	input = field->hidinput->input;
@@ -65,7 +88,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field,
 			return 1;
 		}
 
-		if (usage->hid == 0x000100b8) {
+		if (usage->hid == A4_WHEEL_ORIENTATION) {
 			input_event(input, EV_REL, value ? REL_HWHEEL :
 					REL_WHEEL, a4->delayed_value);
 			return 1;
@@ -129,6 +152,7 @@ MODULE_DEVICE_TABLE(hid, a4_devices);
 static struct hid_driver a4_driver = {
 	.name = "a4tech",
 	.id_table = a4_devices,
+	.input_mapping = a4_input_mapping,
 	.input_mapped = a4_input_mapped,
 	.event = a4_event,
 	.probe = a4_probe,
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 45/68] drm/rockchip: Suspend DP late
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (42 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 44/68] HID: input: fix a4tech horizontal wheel custom usage Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 46/68] SMB3: Fix potential memory leak when processing compound chain Sasha Levin
                   ` (22 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Douglas Anderson, Sean Paul, Sasha Levin, dri-devel, linux-rockchip

From: Douglas Anderson <dianders@chromium.org>

[ Upstream commit f7ccbed656f78212593ca965d9a8f34bf24e0aab ]

In commit fe64ba5c6323 ("drm/rockchip: Resume DP early") we moved
resume to be early but left suspend at its normal time.  This seems
like it could be OK, but casues problems if a suspend gets interrupted
partway through.  The OS only balances matching suspend/resume levels.
...so if suspend was called then resume will be called.  If suspend
late was called then resume early will be called.  ...but if suspend
was called resume early might not get called.  This leads to an
unbalance in the clock enables / disables.

Lets take the simple fix and just move suspend to be late to match.
This makes the PM core take proper care in keeping things balanced.

Fixes: fe64ba5c6323 ("drm/rockchip: Resume DP early")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190802184616.44822-1-dianders@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/rockchip/analogix_dp-rockchip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
index 080f053521950..6a4da3a0ff1c3 100644
--- a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
+++ b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
@@ -436,7 +436,7 @@ static int rockchip_dp_resume(struct device *dev)
 
 static const struct dev_pm_ops rockchip_dp_pm_ops = {
 #ifdef CONFIG_PM_SLEEP
-	.suspend = rockchip_dp_suspend,
+	.suspend_late = rockchip_dp_suspend,
 	.resume_early = rockchip_dp_resume,
 #endif
 };
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 46/68] SMB3: Fix potential memory leak when processing compound chain
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (43 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 45/68] drm/rockchip: Suspend DP late Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 47/68] SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL Sasha Levin
                   ` (21 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Pavel Shilovsky, Ronnie Sahlberg, Steve French, Sasha Levin, linux-cifs

From: Pavel Shilovsky <pshilov@microsoft.com>

[ Upstream commit 3edeb4a4146dc3b54d6fa71b7ee0585cb52ebfdf ]

When a reconnect happens in the middle of processing a compound chain
the code leaks a buffer from the memory pool. Fix this by properly
checking for a return code and freeing buffers in case of error.

Also maintain a buf variable to be equal to either smallbuf or bigbuf
depending on a response buffer size while parsing a chain and when
returning to the caller.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/cifs/smb2ops.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 0ccf8f9b63a2e..97fdbec54db97 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -3121,7 +3121,6 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
 {
 	int ret, length;
 	char *buf = server->smallbuf;
-	char *tmpbuf;
 	struct smb2_sync_hdr *shdr;
 	unsigned int pdu_length = server->pdu_size;
 	unsigned int buf_size;
@@ -3151,18 +3150,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
 		return length;
 
 	next_is_large = server->large_buf;
- one_more:
+one_more:
 	shdr = (struct smb2_sync_hdr *)buf;
 	if (shdr->NextCommand) {
-		if (next_is_large) {
-			tmpbuf = server->bigbuf;
+		if (next_is_large)
 			next_buffer = (char *)cifs_buf_get();
-		} else {
-			tmpbuf = server->smallbuf;
+		else
 			next_buffer = (char *)cifs_small_buf_get();
-		}
 		memcpy(next_buffer,
-		       tmpbuf + le32_to_cpu(shdr->NextCommand),
+		       buf + le32_to_cpu(shdr->NextCommand),
 		       pdu_length - le32_to_cpu(shdr->NextCommand));
 	}
 
@@ -3191,12 +3187,21 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
 		pdu_length -= le32_to_cpu(shdr->NextCommand);
 		server->large_buf = next_is_large;
 		if (next_is_large)
-			server->bigbuf = next_buffer;
+			server->bigbuf = buf = next_buffer;
 		else
-			server->smallbuf = next_buffer;
-
-		buf += le32_to_cpu(shdr->NextCommand);
+			server->smallbuf = buf = next_buffer;
 		goto one_more;
+	} else if (ret != 0) {
+		/*
+		 * ret != 0 here means that we didn't get to handle_mid() thus
+		 * server->smallbuf and server->bigbuf are still valid. We need
+		 * to free next_buffer because it is not going to be used
+		 * anywhere.
+		 */
+		if (next_is_large)
+			free_rsp_buf(CIFS_LARGE_BUFFER, next_buffer);
+		else
+			free_rsp_buf(CIFS_SMALL_BUFFER, next_buffer);
 	}
 
 	return ret;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 47/68] SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (44 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 46/68] SMB3: Fix potential memory leak when processing compound chain Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 48/68] HID: hiddev: avoid opening a disconnected device Sasha Levin
                   ` (20 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Sebastien Tisserant, Pavel Shilovsky, Steve French, Sasha Levin,
	linux-cifs

From: Sebastien Tisserant <stisserant@wallix.com>

[ Upstream commit ee9d66182392695535cc9fccfcb40c16f72de2a9 ]

Fix kernel oops when mounting a encryptData CIFS share with
CONFIG_DEBUG_VIRTUAL

Signed-off-by: Sebastien Tisserant <stisserant@wallix.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/cifs/smb2ops.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 97fdbec54db97..cc9e846a38658 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -2545,7 +2545,15 @@ fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, unsigned int orig_len,
 static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
 				   unsigned int buflen)
 {
-	sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf));
+	void *addr;
+	/*
+	 * VMAP_STACK (at least) puts stack into the vmalloc address space
+	 */
+	if (is_vmalloc_addr(buf))
+		addr = vmalloc_to_page(buf);
+	else
+		addr = virt_to_page(buf);
+	sg_set_page(sg, addr, buflen, offset_in_page(buf));
 }
 
 /* Assumes the first rqst has a transform header as the first iov.
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 48/68] HID: hiddev: avoid opening a disconnected device
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (45 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 47/68] SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 49/68] HID: hiddev: do cleanup in failure of opening a device Sasha Levin
                   ` (19 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hillf Danton, syzbot, Andrey Konovalov, Jiri Kosina, Sasha Levin,
	linux-usb, linux-input

From: Hillf Danton <hdanton@sina.com>

[ Upstream commit 9c09b214f30e3c11f9b0b03f89442df03643794d ]

syzbot found the following crash on:

HEAD commit:    e96407b4 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=147ac20c600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
dashboard link: https://syzkaller.appspot.com/bug?extid=62a1e04fd3ec2abf099e
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x302a/0x3b50
kernel/locking/lockdep.c:3753
Read of size 8 at addr ffff8881cf591a08 by task syz-executor.1/26260

CPU: 1 PID: 26260 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
  kasan_report+0xe/0x12 mm/kasan/common.c:612
  __lock_acquire+0x302a/0x3b50 kernel/locking/lockdep.c:3753
  lock_acquire+0x127/0x320 kernel/locking/lockdep.c:4412
  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
  _raw_spin_lock_irqsave+0x32/0x50 kernel/locking/spinlock.c:159
  hiddev_release+0x82/0x520 drivers/hid/usbhid/hiddev.c:221
  __fput+0x2d7/0x840 fs/file_table.c:280
  task_work_run+0x13f/0x1c0 kernel/task_work.c:113
  exit_task_work include/linux/task_work.h:22 [inline]
  do_exit+0x8ef/0x2c50 kernel/exit.c:878
  do_group_exit+0x125/0x340 kernel/exit.c:982
  get_signal+0x466/0x23d0 kernel/signal.c:2728
  do_signal+0x88/0x14e0 arch/x86/kernel/signal.c:815
  exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:159
  prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
  syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
  do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f75b2a6ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000075c078 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075c078
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075c07c
R13: 00007ffcdfe1023f R14: 00007f75b2a6d9c0 R15: 000000000075c07c

Allocated by task 104:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc mm/kasan/common.c:487 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
  kmalloc include/linux/slab.h:552 [inline]
  kzalloc include/linux/slab.h:748 [inline]
  hiddev_connect+0x242/0x5b0 drivers/hid/usbhid/hiddev.c:900
  hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
  hid_hw_start drivers/hid/hid-core.c:1981 [inline]
  hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
  appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
  hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
  usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5098 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 104:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
  slab_free_hook mm/slub.c:1423 [inline]
  slab_free_freelist_hook mm/slub.c:1470 [inline]
  slab_free mm/slub.c:3012 [inline]
  kfree+0xe4/0x2f0 mm/slub.c:3953
  hiddev_connect.cold+0x45/0x5c drivers/hid/usbhid/hiddev.c:914
  hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
  hid_hw_start drivers/hid/hid-core.c:1981 [inline]
  hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
  appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
  hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
  usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5098 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881cf591900
  which belongs to the cache kmalloc-512 of size 512
The buggy address is located 264 bytes inside of
  512-byte region [ffff8881cf591900, ffff8881cf591b00)
The buggy address belongs to the page:
page:ffffea00073d6400 refcount:1 mapcount:0 mapping:ffff8881da002500
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da002500
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8881cf591900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881cf591980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881cf591a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
  ffff8881cf591a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881cf591b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

In order to avoid opening a disconnected device, we need to check exist
again after acquiring the existance lock, and bail out if necessary.

Reported-by: syzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/usbhid/hiddev.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index a746017fac170..56da33bc3862e 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -297,6 +297,14 @@ static int hiddev_open(struct inode *inode, struct file *file)
 	spin_unlock_irq(&list->hiddev->list_lock);
 
 	mutex_lock(&hiddev->existancelock);
+	/*
+	 * recheck exist with existance lock held to
+	 * avoid opening a disconnected device
+	 */
+	if (!list->hiddev->exist) {
+		res = -ENODEV;
+		goto bail_unlock;
+	}
 	if (!list->hiddev->open++)
 		if (list->hiddev->exist) {
 			struct hid_device *hid = hiddev->hid;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 49/68] HID: hiddev: do cleanup in failure of opening a device
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (46 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 48/68] HID: hiddev: avoid opening a disconnected device Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 50/68] s390: put _stext and _etext into .text section Sasha Levin
                   ` (18 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hillf Danton, syzbot, Andrey Konovalov, Jiri Kosina, Sasha Levin,
	linux-usb, linux-input

From: Hillf Danton <hdanton@sina.com>

[ Upstream commit 6d4472d7bec39917b54e4e80245784ea5d60ce49 ]

Undo what we did for opening before releasing the memory slice.

Reported-by: syzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/usbhid/hiddev.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index 56da33bc3862e..5a949ca42b1d0 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -321,6 +321,10 @@ static int hiddev_open(struct inode *inode, struct file *file)
 	hid_hw_power(hid, PM_HINT_NORMAL);
 bail_unlock:
 	mutex_unlock(&hiddev->existancelock);
+
+	spin_lock_irq(&list->hiddev->list_lock);
+	list_del(&list->node);
+	spin_unlock_irq(&list->hiddev->list_lock);
 bail:
 	file->private_data = NULL;
 	vfree(list);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 50/68] s390: put _stext and _etext into .text section
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (47 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 49/68] HID: hiddev: do cleanup in failure of opening a device Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 51/68] Input: iforce - add sanity checks Sasha Levin
                   ` (17 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Vasily Gorbik, Thomas Richter, Andreas Krebbel, Sasha Levin, linux-s390

From: Vasily Gorbik <gor@linux.ibm.com>

[ Upstream commit 24350fdadbdec780406a1ef988e6cd3875e374a8 ]

Perf relies on _etext and _stext symbols being one of 't', 'T', 'v' or
'V'. Put them into .text section to guarantee that.

Also moves padding to page boundary inside .text which has an effect that
.text section is now padded with nops rather than 0's, which apparently
has been the initial intention for specifying 0x0700 fill expression.

Reported-by: Thomas Richter <tmricht@linux.ibm.com>
Tested-by: Thomas Richter <tmricht@linux.ibm.com>
Suggested-by: Andreas Krebbel <krebbel@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/kernel/vmlinux.lds.S | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index b43f8d33a3697..18ede6e806b91 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -31,10 +31,9 @@ PHDRS {
 SECTIONS
 {
 	. = 0x100000;
-	_stext = .;		/* Start of text section */
 	.text : {
-		/* Text and read-only data */
-		_text = .;
+		_stext = .;		/* Start of text section */
+		_text = .;		/* Text and read-only data */
 		HEAD_TEXT
 		TEXT_TEXT
 		SCHED_TEXT
@@ -46,11 +45,10 @@ SECTIONS
 		*(.text.*_indirect_*)
 		*(.fixup)
 		*(.gnu.warning)
+		. = ALIGN(PAGE_SIZE);
+		_etext = .;		/* End of text section */
 	} :text = 0x0700
 
-	. = ALIGN(PAGE_SIZE);
-	_etext = .;		/* End of text section */
-
 	NOTES :text :note
 
 	.dummy : { *(.dummy) } :data
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 51/68] Input: iforce - add sanity checks
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (48 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 50/68] s390: put _stext and _etext into .text section Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 52/68] net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' Sasha Levin
                   ` (16 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Oliver Neukum, syzbot+5efc10c005014d061a74, Dmitry Torokhov,
	Sasha Levin, linux-input

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 849f5ae3a513c550cad741c68dd3d7eb2bcc2a2c ]

The endpoint type should also be checked before a device
is accepted.

Reported-by: syzbot+5efc10c005014d061a74@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/joystick/iforce/iforce-usb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/input/joystick/iforce/iforce-usb.c b/drivers/input/joystick/iforce/iforce-usb.c
index 78073259c9a1a..c431df7401b44 100644
--- a/drivers/input/joystick/iforce/iforce-usb.c
+++ b/drivers/input/joystick/iforce/iforce-usb.c
@@ -141,7 +141,12 @@ static int iforce_usb_probe(struct usb_interface *intf,
 		return -ENODEV;
 
 	epirq = &interface->endpoint[0].desc;
+	if (!usb_endpoint_is_int_in(epirq))
+		return -ENODEV;
+
 	epout = &interface->endpoint[1].desc;
+	if (!usb_endpoint_is_int_out(epout))
+		return -ENODEV;
 
 	if (!(iforce = kzalloc(sizeof(struct iforce) + 32, GFP_KERNEL)))
 		goto fail;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 52/68] net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (49 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 51/68] Input: iforce - add sanity checks Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 53/68] net: stmmac: Fix issues when number of Queues >= 4 Sasha Levin
                   ` (15 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Christophe JAILLET, David S . Miller, Sasha Levin, netdev

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit debea2cd3193ac868289e8893c3a719c265b0612 ]

A call to 'kfree_skb()' is missing in the error handling path of
'init_one()'.
This is already present in 'remove_one()' but is missing here.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
index c34ea385fe4a5..6be6de0774b61 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
@@ -3270,7 +3270,7 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 	if (!adapter->regs) {
 		dev_err(&pdev->dev, "cannot map device registers\n");
 		err = -ENOMEM;
-		goto out_free_adapter;
+		goto out_free_adapter_nofail;
 	}
 
 	adapter->pdev = pdev;
@@ -3398,6 +3398,9 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 		if (adapter->port[i])
 			free_netdev(adapter->port[i]);
 
+out_free_adapter_nofail:
+	kfree_skb(adapter->nofail_skb);
+
 out_free_adapter:
 	kfree(adapter);
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 53/68] net: stmmac: Fix issues when number of Queues >= 4
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (50 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 52/68] net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 54/68] net: stmmac: tc: Do not return a fragment entry Sasha Levin
                   ` (14 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jose Abreu, Jose Abreu, David S . Miller, Sasha Levin, netdev

From: Jose Abreu <Jose.Abreu@synopsys.com>

[ Upstream commit e8df7e8c233a18d2704e37ecff47583b494789d3 ]

When queues >= 4 we use different registers but we were not subtracting
the offset of 4. Fix this.

Found out by Coverity.

Signed-off-by: Jose Abreu <joabreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c   | 4 ++++
 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
index d0e6e1503581f..48cf5e2b24417 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
@@ -88,6 +88,8 @@ static void dwmac4_rx_queue_priority(struct mac_device_info *hw,
 	u32 value;
 
 	base_register = (queue < 4) ? GMAC_RXQ_CTRL2 : GMAC_RXQ_CTRL3;
+	if (queue >= 4)
+		queue -= 4;
 
 	value = readl(ioaddr + base_register);
 
@@ -105,6 +107,8 @@ static void dwmac4_tx_queue_priority(struct mac_device_info *hw,
 	u32 value;
 
 	base_register = (queue < 4) ? GMAC_TXQ_PRTY_MAP0 : GMAC_TXQ_PRTY_MAP1;
+	if (queue >= 4)
+		queue -= 4;
 
 	value = readl(ioaddr + base_register);
 
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
index d182f82f7b586..870302a7177e2 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
@@ -106,6 +106,8 @@ static void dwxgmac2_rx_queue_prio(struct mac_device_info *hw, u32 prio,
 	u32 value, reg;
 
 	reg = (queue < 4) ? XGMAC_RXQ_CTRL2 : XGMAC_RXQ_CTRL3;
+	if (queue >= 4)
+		queue -= 4;
 
 	value = readl(ioaddr + reg);
 	value &= ~XGMAC_PSRQ(queue);
@@ -169,6 +171,8 @@ static void dwxgmac2_map_mtl_to_dma(struct mac_device_info *hw, u32 queue,
 	u32 value, reg;
 
 	reg = (queue < 4) ? XGMAC_MTL_RXQ_DMA_MAP0 : XGMAC_MTL_RXQ_DMA_MAP1;
+	if (queue >= 4)
+		queue -= 4;
 
 	value = readl(ioaddr + reg);
 	value &= ~XGMAC_QxMDMACH(queue);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 54/68] net: stmmac: tc: Do not return a fragment entry
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (51 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 53/68] net: stmmac: Fix issues when number of Queues >= 4 Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 55/68] net: hisilicon: make hip04_tx_reclaim non-reentrant Sasha Levin
                   ` (13 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jose Abreu, Jose Abreu, David S . Miller, Sasha Levin, netdev

From: Jose Abreu <Jose.Abreu@synopsys.com>

[ Upstream commit 4a6a1385a4db5f42258a40fcd497cbfd22075968 ]

Do not try to return a fragment entry from TC list. Otherwise we may not
clean properly allocated entries.

Signed-off-by: Jose Abreu <joabreu@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
index 58ea18af9813a..37c0bc699cd9c 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
@@ -37,7 +37,7 @@ static struct stmmac_tc_entry *tc_find_entry(struct stmmac_priv *priv,
 		entry = &priv->tc_entries[i];
 		if (!entry->in_use && !first && free)
 			first = entry;
-		if (entry->handle == loc && !free)
+		if ((entry->handle == loc) && !free && !entry->is_frag)
 			dup = entry;
 	}
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 55/68] net: hisilicon: make hip04_tx_reclaim non-reentrant
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (52 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 54/68] net: stmmac: tc: Do not return a fragment entry Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 56/68] net: hisilicon: fix hip04-xmit never return TX_BUSY Sasha Levin
                   ` (12 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jiangfeng Xiao, David S . Miller, Sasha Levin, netdev

From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>

[ Upstream commit 1a2c070ae805910a853b4a14818481ed2e17c727 ]

If hip04_tx_reclaim is interrupted while it is running
and then __napi_schedule continues to execute
hip04_rx_poll->hip04_tx_reclaim, reentrancy occurs
and oops is generated. So you need to mask the interrupt
during the hip04_tx_reclaim run.

The kernel oops exception stack is as follows:

Unable to handle kernel NULL pointer dereference
at virtual address 00000050
pgd = c0003000
[00000050] *pgd=80000000a04003, *pmd=00000000
Internal error: Oops: 206 [#1] SMP ARM
Modules linked in: hip04_eth mtdblock mtd_blkdevs mtd
ohci_platform ehci_platform ohci_hcd ehci_hcd
vfat fat sd_mod usb_storage scsi_mod usbcore usb_common
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O    4.4.185 #1
Hardware name: Hisilicon A15
task: c0a250e0 task.stack: c0a00000
PC is at hip04_tx_reclaim+0xe0/0x17c [hip04_eth]
LR is at hip04_tx_reclaim+0x30/0x17c [hip04_eth]
pc : [<bf30c3a4>]    lr : [<bf30c2f4>]    psr: 600e0313
sp : c0a01d88  ip : 00000000  fp : c0601f9c
r10: 00000000  r9 : c3482380  r8 : 00000001
r7 : 00000000  r6 : 000000e1  r5 : c3482000  r4 : 0000000c
r3 : f2209800  r2 : 00000000  r1 : 00000000  r0 : 00000000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Control: 32c5387d  Table: 03d28c80  DAC: 55555555
Process swapper/0 (pid: 0, stack limit = 0xc0a00190)
Stack: (0xc0a01d88 to 0xc0a02000)
[<bf30c3a4>] (hip04_tx_reclaim [hip04_eth]) from [<bf30d2e0>]
                                                (hip04_rx_poll+0x88/0x368 [hip04_eth])
[<bf30d2e0>] (hip04_rx_poll [hip04_eth]) from [<c04c2d9c>] (net_rx_action+0x114/0x34c)
[<c04c2d9c>] (net_rx_action) from [<c021eed8>] (__do_softirq+0x218/0x318)
[<c021eed8>] (__do_softirq) from [<c021f284>] (irq_exit+0x88/0xac)
[<c021f284>] (irq_exit) from [<c0240090>] (msa_irq_exit+0x11c/0x1d4)
[<c0240090>] (msa_irq_exit) from [<c02677e0>] (__handle_domain_irq+0x110/0x148)
[<c02677e0>] (__handle_domain_irq) from [<c0201588>] (gic_handle_irq+0xd4/0x118)
[<c0201588>] (gic_handle_irq) from [<c0551700>] (__irq_svc+0x40/0x58)
Exception stack(0xc0a01f30 to 0xc0a01f78)
1f20:                                     c0ae8b40 00000000 00000000 00000000
1f40: 00000002 ffffe000 c0601f9c 00000000 ffffffff c0a2257c c0a22440 c0831a38
1f60: c0a01ec4 c0a01f80 c0203714 c0203718 600e0213 ffffffff
[<c0551700>] (__irq_svc) from [<c0203718>] (arch_cpu_idle+0x20/0x3c)
[<c0203718>] (arch_cpu_idle) from [<c025bfd8>] (cpu_startup_entry+0x244/0x29c)
[<c025bfd8>] (cpu_startup_entry) from [<c054b0d8>] (rest_init+0xc8/0x10c)
[<c054b0d8>] (rest_init) from [<c0800c58>] (start_kernel+0x468/0x514)
Code: a40599e5 016086e2 018088e2 7660efe6 (503090e5)
---[ end trace 1db21d6d09c49d74 ]---
Kernel panic - not syncing: Fatal exception in interrupt
CPU3: stopping
CPU: 3 PID: 0 Comm: swapper/3 Tainted: G      D    O    4.4.185 #1

Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hip04_eth.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
index 6127697ede120..57c0afa25f9fb 100644
--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
+++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
@@ -497,6 +497,9 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
 	u16 len;
 	u32 err;
 
+	/* clean up tx descriptors */
+	tx_remaining = hip04_tx_reclaim(ndev, false);
+
 	while (cnt && !last) {
 		buf = priv->rx_buf[priv->rx_head];
 		skb = build_skb(buf, priv->rx_buf_size);
@@ -557,8 +560,7 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
 	}
 	napi_complete_done(napi, rx);
 done:
-	/* clean up tx descriptors and start a new timer if necessary */
-	tx_remaining = hip04_tx_reclaim(ndev, false);
+	/* start a new timer if necessary */
 	if (rx < budget && tx_remaining)
 		hip04_start_tx_timer(priv);
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 56/68] net: hisilicon: fix hip04-xmit never return TX_BUSY
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (53 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 55/68] net: hisilicon: make hip04_tx_reclaim non-reentrant Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 57/68] net: hisilicon: Fix dma_map_single failed on arm64 Sasha Levin
                   ` (11 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jiangfeng Xiao, David S . Miller, Sasha Levin, netdev

From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>

[ Upstream commit f2243b82785942be519016067ee6c55a063bbfe2 ]

TX_DESC_NUM is 256, in tx_count, the maximum value of
mod(TX_DESC_NUM - 1) is 254, the variable "count" in
the hip04_mac_start_xmit function is never equal to
(TX_DESC_NUM - 1), so hip04_mac_start_xmit never
return NETDEV_TX_BUSY.

tx_count is modified to mod(TX_DESC_NUM) so that
the maximum value of tx_count can reach
(TX_DESC_NUM - 1), then hip04_mac_start_xmit can reurn
NETDEV_TX_BUSY.

Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
index 57c0afa25f9fb..fe3b1637fd5f4 100644
--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
+++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
@@ -185,7 +185,7 @@ struct hip04_priv {
 
 static inline unsigned int tx_count(unsigned int head, unsigned int tail)
 {
-	return (head - tail) % (TX_DESC_NUM - 1);
+	return (head - tail) % TX_DESC_NUM;
 }
 
 static void hip04_config_port(struct net_device *ndev, u32 speed, u32 duplex)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 57/68] net: hisilicon: Fix dma_map_single failed on arm64
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (54 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 56/68] net: hisilicon: fix hip04-xmit never return TX_BUSY Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 58/68] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests Sasha Levin
                   ` (10 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jiangfeng Xiao, David S . Miller, Sasha Levin, netdev

From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>

[ Upstream commit 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3 ]

On the arm64 platform, executing "ifconfig eth0 up" will fail,
returning "ifconfig: SIOCSIFFLAGS: Input/output error."

ndev->dev is not initialized, dma_map_single->get_dma_ops->
dummy_dma_ops->__dummy_map_page will return DMA_ERROR_CODE
directly, so when we use dma_map_single, the first parameter
is to use the device of platform_device.

Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hip04_eth.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
index fe3b1637fd5f4..a91d49dd92ea6 100644
--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
+++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
@@ -157,6 +157,7 @@ struct hip04_priv {
 	unsigned int reg_inten;
 
 	struct napi_struct napi;
+	struct device *dev;
 	struct net_device *ndev;
 
 	struct tx_desc *tx_desc;
@@ -387,7 +388,7 @@ static int hip04_tx_reclaim(struct net_device *ndev, bool force)
 		}
 
 		if (priv->tx_phys[tx_tail]) {
-			dma_unmap_single(&ndev->dev, priv->tx_phys[tx_tail],
+			dma_unmap_single(priv->dev, priv->tx_phys[tx_tail],
 					 priv->tx_skb[tx_tail]->len,
 					 DMA_TO_DEVICE);
 			priv->tx_phys[tx_tail] = 0;
@@ -437,8 +438,8 @@ static int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
 		return NETDEV_TX_BUSY;
 	}
 
-	phys = dma_map_single(&ndev->dev, skb->data, skb->len, DMA_TO_DEVICE);
-	if (dma_mapping_error(&ndev->dev, phys)) {
+	phys = dma_map_single(priv->dev, skb->data, skb->len, DMA_TO_DEVICE);
+	if (dma_mapping_error(priv->dev, phys)) {
 		dev_kfree_skb(skb);
 		return NETDEV_TX_OK;
 	}
@@ -508,7 +509,7 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
 			goto refill;
 		}
 
-		dma_unmap_single(&ndev->dev, priv->rx_phys[priv->rx_head],
+		dma_unmap_single(priv->dev, priv->rx_phys[priv->rx_head],
 				 RX_BUF_SIZE, DMA_FROM_DEVICE);
 		priv->rx_phys[priv->rx_head] = 0;
 
@@ -537,9 +538,9 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
 		buf = netdev_alloc_frag(priv->rx_buf_size);
 		if (!buf)
 			goto done;
-		phys = dma_map_single(&ndev->dev, buf,
+		phys = dma_map_single(priv->dev, buf,
 				      RX_BUF_SIZE, DMA_FROM_DEVICE);
-		if (dma_mapping_error(&ndev->dev, phys))
+		if (dma_mapping_error(priv->dev, phys))
 			goto done;
 		priv->rx_buf[priv->rx_head] = buf;
 		priv->rx_phys[priv->rx_head] = phys;
@@ -642,9 +643,9 @@ static int hip04_mac_open(struct net_device *ndev)
 	for (i = 0; i < RX_DESC_NUM; i++) {
 		dma_addr_t phys;
 
-		phys = dma_map_single(&ndev->dev, priv->rx_buf[i],
+		phys = dma_map_single(priv->dev, priv->rx_buf[i],
 				      RX_BUF_SIZE, DMA_FROM_DEVICE);
-		if (dma_mapping_error(&ndev->dev, phys))
+		if (dma_mapping_error(priv->dev, phys))
 			return -EIO;
 
 		priv->rx_phys[i] = phys;
@@ -678,7 +679,7 @@ static int hip04_mac_stop(struct net_device *ndev)
 
 	for (i = 0; i < RX_DESC_NUM; i++) {
 		if (priv->rx_phys[i]) {
-			dma_unmap_single(&ndev->dev, priv->rx_phys[i],
+			dma_unmap_single(priv->dev, priv->rx_phys[i],
 					 RX_BUF_SIZE, DMA_FROM_DEVICE);
 			priv->rx_phys[i] = 0;
 		}
@@ -822,6 +823,7 @@ static int hip04_mac_probe(struct platform_device *pdev)
 		return -ENOMEM;
 
 	priv = netdev_priv(ndev);
+	priv->dev = d;
 	priv->ndev = ndev;
 	platform_set_drvdata(pdev, ndev);
 	SET_NETDEV_DEV(ndev, &pdev->dev);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 58/68] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (55 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 57/68] net: hisilicon: Fix dma_map_single failed on arm64 Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 59/68] libata: add SG safety checks in SFF pio transfers Sasha Levin
                   ` (9 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jens Axboe, Krishna Ram Prakash R, Kees Cook, Sasha Levin, linux-ide

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit 2d7271501720038381d45fb3dcbe4831228fc8cc ]

For passthrough requests, libata-scsi takes what the user passes in
as gospel. This can be problematic if the user fills in the CDB
incorrectly. One example of that is in request sizes. For read/write
commands, the CDB contains fields describing the transfer length of
the request. These should match with the SG_IO header fields, but
libata-scsi currently does no validation of that.

Check that the number of blocks in the CDB for passthrough requests
matches what was mapped into the request. If the CDB asks for more
data then the validated SG_IO header fields, error it.

Reported-by: Krishna Ram Prakash R <krp@gtux.in>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/libata-scsi.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index 1984fc78c750b..3a64fa4aaf7e3 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -1803,6 +1803,21 @@ static unsigned int ata_scsi_verify_xlat(struct ata_queued_cmd *qc)
 	return 1;
 }
 
+static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks)
+{
+	struct request *rq = scmd->request;
+	u32 req_blocks;
+
+	if (!blk_rq_is_passthrough(rq))
+		return true;
+
+	req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size;
+	if (n_blocks > req_blocks)
+		return false;
+
+	return true;
+}
+
 /**
  *	ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one
  *	@qc: Storage for translated ATA taskfile
@@ -1847,6 +1862,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 		scsi_10_lba_len(cdb, &block, &n_block);
 		if (cdb[1] & (1 << 3))
 			tf_flags |= ATA_TFLAG_FUA;
+		if (!ata_check_nblocks(scmd, n_block))
+			goto invalid_fld;
 		break;
 	case READ_6:
 	case WRITE_6:
@@ -1861,6 +1878,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 		 */
 		if (!n_block)
 			n_block = 256;
+		if (!ata_check_nblocks(scmd, n_block))
+			goto invalid_fld;
 		break;
 	case READ_16:
 	case WRITE_16:
@@ -1871,6 +1890,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 		scsi_16_lba_len(cdb, &block, &n_block);
 		if (cdb[1] & (1 << 3))
 			tf_flags |= ATA_TFLAG_FUA;
+		if (!ata_check_nblocks(scmd, n_block))
+			goto invalid_fld;
 		break;
 	default:
 		DPRINTK("no-byte command\n");
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 59/68] libata: add SG safety checks in SFF pio transfers
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (56 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 58/68] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 60/68] x86/lib/cpu: Address missing prototypes warning Sasha Levin
                   ` (8 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Jens Axboe, Kees Cook, Sasha Levin, linux-ide

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ]

Abort processing of a command if we run out of mapped data in the
SG list. This should never happen, but a previous bug caused it to
be possible. Play it safe and attempt to abort nicely if we don't
have more SG segments left.

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/libata-sff.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
index c5ea0fc635e54..873cc09060551 100644
--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -674,6 +674,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 	unsigned int offset;
 	unsigned char *buf;
 
+	if (!qc->cursg) {
+		qc->curbytes = qc->nbytes;
+		return;
+	}
 	if (qc->curbytes == qc->nbytes - qc->sect_size)
 		ap->hsm_task_state = HSM_ST_LAST;
 
@@ -699,6 +703,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 
 	if (qc->cursg_ofs == qc->cursg->length) {
 		qc->cursg = sg_next(qc->cursg);
+		if (!qc->cursg)
+			ap->hsm_task_state = HSM_ST_LAST;
 		qc->cursg_ofs = 0;
 	}
 }
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 60/68] x86/lib/cpu: Address missing prototypes warning
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (57 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 59/68] libata: add SG safety checks in SFF pio transfers Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 61/68] drm/vmwgfx: fix memory leak when too many retries have occurred Sasha Levin
                   ` (7 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Valdis Klētnieks, Thomas Gleixner, Sasha Levin

From: Valdis Klētnieks <valdis.kletnieks@vt.edu>

[ Upstream commit 04f5bda84b0712d6f172556a7e8dca9ded5e73b9 ]

When building with W=1, warnings about missing prototypes are emitted:

  CC      arch/x86/lib/cpu.o
arch/x86/lib/cpu.c:5:14: warning: no previous prototype for 'x86_family' [-Wmissing-prototypes]
    5 | unsigned int x86_family(unsigned int sig)
      |              ^~~~~~~~~~
arch/x86/lib/cpu.c:18:14: warning: no previous prototype for 'x86_model' [-Wmissing-prototypes]
   18 | unsigned int x86_model(unsigned int sig)
      |              ^~~~~~~~~
arch/x86/lib/cpu.c:33:14: warning: no previous prototype for 'x86_stepping' [-Wmissing-prototypes]
   33 | unsigned int x86_stepping(unsigned int sig)
      |              ^~~~~~~~~~~~

Add the proper include file so the prototypes are there.

Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/42513.1565234837@turing-police
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/lib/cpu.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/lib/cpu.c b/arch/x86/lib/cpu.c
index 2dd1fe13a37b3..19f707992db22 100644
--- a/arch/x86/lib/cpu.c
+++ b/arch/x86/lib/cpu.c
@@ -1,5 +1,6 @@
 #include <linux/types.h>
 #include <linux/export.h>
+#include <asm/cpu.h>
 
 unsigned int x86_family(unsigned int sig)
 {
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 61/68] drm/vmwgfx: fix memory leak when too many retries have occurred
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (58 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 60/68] x86/lib/cpu: Address missing prototypes warning Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 62/68] block, bfq: handle NULL return value by bfq_init_rq() Sasha Levin
                   ` (6 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Colin Ian King, Deepak Rawat, Thomas Hellstrom, Sasha Levin, dri-devel

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 6b7c3b86f0b63134b2ab56508921a0853ffa687a ]

Currently when too many retries have occurred there is a memory
leak on the allocation for reply on the error return path. Fix
this by kfree'ing reply before returning.

Addresses-Coverity: ("Resource leak")
Fixes: a9cd9c044aa9 ("drm/vmwgfx: Add a check to handle host message failure")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
index e4e09d47c5c0e..59e9d05ab928b 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
@@ -389,8 +389,10 @@ static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
 		break;
 	}
 
-	if (retries == RETRIES)
+	if (retries == RETRIES) {
+		kfree(reply);
 		return -EINVAL;
+	}
 
 	*msg_len = reply_len;
 	*msg     = reply;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 62/68] block, bfq: handle NULL return value by bfq_init_rq()
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (59 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 61/68] drm/vmwgfx: fix memory leak when too many retries have occurred Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 63/68] perf ftrace: Fix failure to set cpumask when only one cpu is present Sasha Levin
                   ` (5 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Paolo Valente, Hsin-Yi Wang, Nicolas Boichat, Doug Anderson,
	Guenter Roeck, Jens Axboe, Sasha Levin, linux-block

From: Paolo Valente <paolo.valente@linaro.org>

[ Upstream commit fd03177c33b287c6541f4048f1d67b7b45a1abc9 ]

As reported in [1], the call bfq_init_rq(rq) may return NULL in case
of OOM (in particular, if rq->elv.icq is NULL because memory
allocation failed in failed in ioc_create_icq()).

This commit handles this circumstance.

[1] https://lkml.org/lkml/2019/7/22/824

Cc: Hsin-Yi Wang <hsinyi@google.com>
Cc: Nicolas Boichat <drinkcat@chromium.org>
Cc: Doug Anderson <dianders@chromium.org>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Reported-by: Hsin-Yi Wang <hsinyi@google.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/bfq-iosched.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index becd793a258c8..d8d2ac294b0c0 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -1886,9 +1886,14 @@ static void bfq_request_merged(struct request_queue *q, struct request *req,
 	    blk_rq_pos(container_of(rb_prev(&req->rb_node),
 				    struct request, rb_node))) {
 		struct bfq_queue *bfqq = bfq_init_rq(req);
-		struct bfq_data *bfqd = bfqq->bfqd;
+		struct bfq_data *bfqd;
 		struct request *prev, *next_rq;
 
+		if (!bfqq)
+			return;
+
+		bfqd = bfqq->bfqd;
+
 		/* Reposition request in its sort_list */
 		elv_rb_del(&bfqq->sort_list, req);
 		elv_rb_add(&bfqq->sort_list, req);
@@ -1930,6 +1935,9 @@ static void bfq_requests_merged(struct request_queue *q, struct request *rq,
 	struct bfq_queue *bfqq = bfq_init_rq(rq),
 		*next_bfqq = bfq_init_rq(next);
 
+	if (!bfqq)
+		return;
+
 	/*
 	 * If next and rq belong to the same bfq_queue and next is older
 	 * than rq, then reposition rq in the fifo (by substituting next
@@ -4590,12 +4598,12 @@ static void bfq_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq,
 
 	spin_lock_irq(&bfqd->lock);
 	bfqq = bfq_init_rq(rq);
-	if (at_head || blk_rq_is_passthrough(rq)) {
+	if (!bfqq || at_head || blk_rq_is_passthrough(rq)) {
 		if (at_head)
 			list_add(&rq->queuelist, &bfqd->dispatch);
 		else
 			list_add_tail(&rq->queuelist, &bfqd->dispatch);
-	} else { /* bfqq is assumed to be non null here */
+	} else {
 		idle_timer_disabled = __bfq_insert_request(bfqd, rq);
 		/*
 		 * Update bfqq, because, if a queue merge has occurred
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 63/68] perf ftrace: Fix failure to set cpumask when only one cpu is present
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (60 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 62/68] block, bfq: handle NULL return value by bfq_init_rq() Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 64/68] perf cpumap: Fix writing to illegal memory in handling cpumap mask Sasha Levin
                   ` (4 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: He Zhe, Arnaldo Carvalho de Melo, Alexander Shishkin,
	Alexey Budankov, Jiri Olsa, Kan Liang, Namhyung Kim,
	Peter Zijlstra, Stephane Eranian, Sasha Levin

From: He Zhe <zhe.he@windriver.com>

[ Upstream commit cf30ae726c011e0372fd4c2d588466c8b50a8907 ]

The buffer containing the string used to set cpumask is overwritten at
the end of the string later in cpu_map__snprint_mask due to not enough
memory space, when there is only one cpu.

And thus causes the following failure:

  $ perf ftrace ls
  failed to reset ftrace
  $

This patch fixes the calculation of the cpumask string size.

Signed-off-by: He Zhe <zhe.he@windriver.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Fixes: dc23103278c5 ("perf ftrace: Add support for -a and -C option")
Link: http://lkml.kernel.org/r/1564734592-15624-1-git-send-email-zhe.he@windriver.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/builtin-ftrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
index f42f228e88992..137955197ba8d 100644
--- a/tools/perf/builtin-ftrace.c
+++ b/tools/perf/builtin-ftrace.c
@@ -174,7 +174,7 @@ static int set_tracing_cpumask(struct cpu_map *cpumap)
 	int last_cpu;
 
 	last_cpu = cpu_map__cpu(cpumap, cpumap->nr - 1);
-	mask_size = (last_cpu + 3) / 4 + 1;
+	mask_size = last_cpu / 4 + 2; /* one more byte for EOS */
 	mask_size += last_cpu / 32; /* ',' is needed for every 32th cpus */
 
 	cpumask = malloc(mask_size);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 64/68] perf cpumap: Fix writing to illegal memory in handling cpumap mask
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (61 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 63/68] perf ftrace: Fix failure to set cpumask when only one cpu is present Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 65/68] perf pmu-events: Fix missing "cpu_clk_unhalted.core" event Sasha Levin
                   ` (3 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: He Zhe, Alexander Shishkin, Alexey Budankov, Jiri Olsa,
	Kan Liang, Namhyung Kim, Peter Zijlstra, Stephane Eranian,
	Arnaldo Carvalho de Melo, Sasha Levin

From: He Zhe <zhe.he@windriver.com>

[ Upstream commit 5f5e25f1c7933a6e1673515c0b1d5acd82fea1ed ]

cpu_map__snprint_mask() would write to illegal memory pointed by
zalloc(0) when there is only one cpu.

This patch fixes the calculation and adds sanity check against the input
parameters.

Signed-off-by: He Zhe <zhe.he@windriver.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Fixes: 4400ac8a9a90 ("perf cpumap: Introduce cpu_map__snprint_mask()")
Link: http://lkml.kernel.org/r/1564734592-15624-2-git-send-email-zhe.he@windriver.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/cpumap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
index 383674f448fcd..f93846edc1e0d 100644
--- a/tools/perf/util/cpumap.c
+++ b/tools/perf/util/cpumap.c
@@ -701,7 +701,10 @@ size_t cpu_map__snprint_mask(struct cpu_map *map, char *buf, size_t size)
 	unsigned char *bitmap;
 	int last_cpu = cpu_map__cpu(map, map->nr - 1);
 
-	bitmap = zalloc((last_cpu + 7) / 8);
+	if (buf == NULL)
+		return 0;
+
+	bitmap = zalloc(last_cpu / 8 + 1);
 	if (bitmap == NULL) {
 		buf[0] = '\0';
 		return 0;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 65/68] perf pmu-events: Fix missing "cpu_clk_unhalted.core" event
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (62 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 64/68] perf cpumap: Fix writing to illegal memory in handling cpumap mask Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 66/68] KVM: arm64: Don't write junk to sysregs on reset Sasha Levin
                   ` (2 subsequent siblings)
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jin Yao, Alexander Shishkin, Andi Kleen, Jin Yao, Jiri Olsa,
	Kan Liang, Peter Zijlstra, Arnaldo Carvalho de Melo, Sasha Levin

From: Jin Yao <yao.jin@linux.intel.com>

[ Upstream commit 8e6e5bea2e34c61291d00cb3f47560341aa84bc3 ]

The events defined in pmu-events JSON are parsed and added into perf
tool. For fixed counters, we handle the encodings between JSON and perf
by using a static array fixed[].

But the fixed[] has missed an important event "cpu_clk_unhalted.core".

For example, on the Tremont platform,

  [root@localhost ~]# perf stat -e cpu_clk_unhalted.core -a
  event syntax error: 'cpu_clk_unhalted.core'
                       \___ parser error

With this patch, the event cpu_clk_unhalted.core can be parsed.

  [root@localhost perf]# ./perf stat -e cpu_clk_unhalted.core -a -vvv
  ------------------------------------------------------------
  perf_event_attr:
    type                             4
    size                             112
    config                           0x3c
    sample_type                      IDENTIFIER
    read_format                      TOTAL_TIME_ENABLED|TOTAL_TIME_RUNNING
    disabled                         1
    inherit                          1
    exclude_guest                    1
  ------------------------------------------------------------
...

Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jin Yao <yao.jin@intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20190729072755.2166-1-yao.jin@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/pmu-events/jevents.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
index 68c92bb599eef..6b36b71106695 100644
--- a/tools/perf/pmu-events/jevents.c
+++ b/tools/perf/pmu-events/jevents.c
@@ -450,6 +450,7 @@ static struct fixed {
 	{ "inst_retired.any_p", "event=0xc0" },
 	{ "cpu_clk_unhalted.ref", "event=0x0,umask=0x03" },
 	{ "cpu_clk_unhalted.thread", "event=0x3c" },
+	{ "cpu_clk_unhalted.core", "event=0x3c" },
 	{ "cpu_clk_unhalted.thread_any", "event=0x3c,any=1" },
 	{ NULL, NULL},
 };
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 66/68] KVM: arm64: Don't write junk to sysregs on reset
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (63 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 65/68] perf pmu-events: Fix missing "cpu_clk_unhalted.core" event Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 67/68] KVM: arm: Don't write junk to CP15 registers " Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 68/68] selftests: kvm: Adding config fragments Sasha Levin
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Marc Zyngier, Zenghui Yu, Sasha Levin, kvmarm

From: Marc Zyngier <maz@kernel.org>

[ Upstream commit 03fdfb2690099c19160a3f2c5b77db60b3afeded ]

At the moment, the way we reset system registers is mildly insane:
We write junk to them, call the reset functions, and then check that
we have something else in them.

The "fun" thing is that this can happen while the guest is running
(PSCI, for example). If anything in KVM has to evaluate the state
of a system register while junk is in there, bad thing may happen.

Let's stop doing that. Instead, we track that we have called a
reset function for that register, and assume that the reset
function has done something. This requires fixing a couple of
sysreg refinition in the trap table.

In the end, the very need of this reset check is pretty dubious,
as it doesn't check everything (a lot of the sysregs leave outside of
the sys_regs[] array). It may well be axed in the near future.

Tested-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kvm/sys_regs.c | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
index d112af75680bb..6da2bbdb9648f 100644
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -626,7 +626,7 @@ static void reset_pmcr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r)
 	 */
 	val = ((pmcr & ~ARMV8_PMU_PMCR_MASK)
 	       | (ARMV8_PMU_PMCR_MASK & 0xdecafbad)) & (~ARMV8_PMU_PMCR_E);
-	__vcpu_sys_reg(vcpu, PMCR_EL0) = val;
+	__vcpu_sys_reg(vcpu, r->reg) = val;
 }
 
 static bool check_pmu_access_disabled(struct kvm_vcpu *vcpu, u64 flags)
@@ -968,13 +968,13 @@ static bool access_pmuserenr(struct kvm_vcpu *vcpu, struct sys_reg_params *p,
 /* Silly macro to expand the DBG{BCR,BVR,WVR,WCR}n_EL1 registers in one go */
 #define DBG_BCR_BVR_WCR_WVR_EL1(n)					\
 	{ SYS_DESC(SYS_DBGBVRn_EL1(n)),					\
-	  trap_bvr, reset_bvr, n, 0, get_bvr, set_bvr },		\
+	  trap_bvr, reset_bvr, 0, 0, get_bvr, set_bvr },		\
 	{ SYS_DESC(SYS_DBGBCRn_EL1(n)),					\
-	  trap_bcr, reset_bcr, n, 0, get_bcr, set_bcr },		\
+	  trap_bcr, reset_bcr, 0, 0, get_bcr, set_bcr },		\
 	{ SYS_DESC(SYS_DBGWVRn_EL1(n)),					\
-	  trap_wvr, reset_wvr, n, 0,  get_wvr, set_wvr },		\
+	  trap_wvr, reset_wvr, 0, 0,  get_wvr, set_wvr },		\
 	{ SYS_DESC(SYS_DBGWCRn_EL1(n)),					\
-	  trap_wcr, reset_wcr, n, 0,  get_wcr, set_wcr }
+	  trap_wcr, reset_wcr, 0, 0,  get_wcr, set_wcr }
 
 /* Macro to expand the PMEVCNTRn_EL0 register */
 #define PMU_PMEVCNTR_EL0(n)						\
@@ -1359,7 +1359,7 @@ static const struct sys_reg_desc sys_reg_descs[] = {
 
 	{ SYS_DESC(SYS_CSSELR_EL1), NULL, reset_unknown, CSSELR_EL1 },
 
-	{ SYS_DESC(SYS_PMCR_EL0), access_pmcr, reset_pmcr, },
+	{ SYS_DESC(SYS_PMCR_EL0), access_pmcr, reset_pmcr, PMCR_EL0 },
 	{ SYS_DESC(SYS_PMCNTENSET_EL0), access_pmcnten, reset_unknown, PMCNTENSET_EL0 },
 	{ SYS_DESC(SYS_PMCNTENCLR_EL0), access_pmcnten, NULL, PMCNTENSET_EL0 },
 	{ SYS_DESC(SYS_PMOVSCLR_EL0), access_pmovs, NULL, PMOVSSET_EL0 },
@@ -2072,13 +2072,19 @@ static int emulate_sys_reg(struct kvm_vcpu *vcpu,
 }
 
 static void reset_sys_reg_descs(struct kvm_vcpu *vcpu,
-			      const struct sys_reg_desc *table, size_t num)
+				const struct sys_reg_desc *table, size_t num,
+				unsigned long *bmap)
 {
 	unsigned long i;
 
 	for (i = 0; i < num; i++)
-		if (table[i].reset)
+		if (table[i].reset) {
+			int reg = table[i].reg;
+
 			table[i].reset(vcpu, &table[i]);
+			if (reg > 0 && reg < NR_SYS_REGS)
+				set_bit(reg, bmap);
+		}
 }
 
 /**
@@ -2576,18 +2582,16 @@ void kvm_reset_sys_regs(struct kvm_vcpu *vcpu)
 {
 	size_t num;
 	const struct sys_reg_desc *table;
-
-	/* Catch someone adding a register without putting in reset entry. */
-	memset(&vcpu->arch.ctxt.sys_regs, 0x42, sizeof(vcpu->arch.ctxt.sys_regs));
+	DECLARE_BITMAP(bmap, NR_SYS_REGS) = { 0, };
 
 	/* Generic chip reset first (so target could override). */
-	reset_sys_reg_descs(vcpu, sys_reg_descs, ARRAY_SIZE(sys_reg_descs));
+	reset_sys_reg_descs(vcpu, sys_reg_descs, ARRAY_SIZE(sys_reg_descs), bmap);
 
 	table = get_target_table(vcpu->arch.target, true, &num);
-	reset_sys_reg_descs(vcpu, table, num);
+	reset_sys_reg_descs(vcpu, table, num, bmap);
 
 	for (num = 1; num < NR_SYS_REGS; num++) {
-		if (WARN(__vcpu_sys_reg(vcpu, num) == 0x4242424242424242,
+		if (WARN(!test_bit(num, bmap),
 			 "Didn't reset __vcpu_sys_reg(%zi)\n", num))
 			break;
 	}
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 67/68] KVM: arm: Don't write junk to CP15 registers on reset
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (64 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 66/68] KVM: arm64: Don't write junk to sysregs on reset Sasha Levin
@ 2019-08-14  2:15 ` " Sasha Levin
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 68/68] selftests: kvm: Adding config fragments Sasha Levin
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Marc Zyngier, Sasha Levin, kvmarm

From: Marc Zyngier <maz@kernel.org>

[ Upstream commit c69509c70aa45a8c4954c88c629a64acf4ee4a36 ]

At the moment, the way we reset CP15 registers is mildly insane:
We write junk to them, call the reset functions, and then check that
we have something else in them.

The "fun" thing is that this can happen while the guest is running
(PSCI, for example). If anything in KVM has to evaluate the state
of a CP15 register while junk is in there, bad thing may happen.

Let's stop doing that. Instead, we track that we have called a
reset function for that register, and assume that the reset
function has done something.

In the end, the very need of this reset check is pretty dubious,
as it doesn't check everything (a lot of the CP15 reg leave outside
of the cp15_regs[] array). It may well be axed in the near future.

Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/kvm/coproc.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c
index fd6cde23bb5d0..871fa50a09f19 100644
--- a/arch/arm/kvm/coproc.c
+++ b/arch/arm/kvm/coproc.c
@@ -658,13 +658,22 @@ int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run)
 }
 
 static void reset_coproc_regs(struct kvm_vcpu *vcpu,
-			      const struct coproc_reg *table, size_t num)
+			      const struct coproc_reg *table, size_t num,
+			      unsigned long *bmap)
 {
 	unsigned long i;
 
 	for (i = 0; i < num; i++)
-		if (table[i].reset)
+		if (table[i].reset) {
+			int reg = table[i].reg;
+
 			table[i].reset(vcpu, &table[i]);
+			if (reg > 0 && reg < NR_CP15_REGS) {
+				set_bit(reg, bmap);
+				if (table[i].is_64bit)
+					set_bit(reg + 1, bmap);
+			}
+		}
 }
 
 static struct coproc_params decode_32bit_hsr(struct kvm_vcpu *vcpu)
@@ -1439,17 +1448,15 @@ void kvm_reset_coprocs(struct kvm_vcpu *vcpu)
 {
 	size_t num;
 	const struct coproc_reg *table;
-
-	/* Catch someone adding a register without putting in reset entry. */
-	memset(vcpu->arch.ctxt.cp15, 0x42, sizeof(vcpu->arch.ctxt.cp15));
+	DECLARE_BITMAP(bmap, NR_CP15_REGS) = { 0, };
 
 	/* Generic chip reset first (so target could override). */
-	reset_coproc_regs(vcpu, cp15_regs, ARRAY_SIZE(cp15_regs));
+	reset_coproc_regs(vcpu, cp15_regs, ARRAY_SIZE(cp15_regs), bmap);
 
 	table = get_target_table(vcpu->arch.target, &num);
-	reset_coproc_regs(vcpu, table, num);
+	reset_coproc_regs(vcpu, table, num, bmap);
 
 	for (num = 1; num < NR_CP15_REGS; num++)
-		WARN(vcpu_cp15(vcpu, num) == 0x42424242,
+		WARN(!test_bit(num, bmap),
 		     "Didn't reset vcpu_cp15(vcpu, %zi)", num);
 }
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* [PATCH AUTOSEL 4.19 68/68] selftests: kvm: Adding config fragments
  2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
                   ` (65 preceding siblings ...)
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 67/68] KVM: arm: Don't write junk to CP15 registers " Sasha Levin
@ 2019-08-14  2:15 ` Sasha Levin
  66 siblings, 0 replies; 69+ messages in thread
From: Sasha Levin @ 2019-08-14  2:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Naresh Kamboju, Paolo Bonzini, Sasha Levin, kvm, linux-kselftest

From: Naresh Kamboju <naresh.kamboju () linaro ! org>

[ Upstream commit c096397c78f766db972f923433031f2dec01cae0 ]

selftests kvm test cases need pre-required kernel configs for the test
to get pass.

Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/kvm/config | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 tools/testing/selftests/kvm/config

diff --git a/tools/testing/selftests/kvm/config b/tools/testing/selftests/kvm/config
new file mode 100644
index 0000000000000..63ed533f73d6e
--- /dev/null
+++ b/tools/testing/selftests/kvm/config
@@ -0,0 +1,3 @@
+CONFIG_KVM=y
+CONFIG_KVM_INTEL=y
+CONFIG_KVM_AMD=y
-- 
2.20.1


^ permalink raw reply	[flat|nested] 69+ messages in thread

* Re: [PATCH AUTOSEL 4.19 31/68] driver core: Fix use-after-free and double free on glue directory
  2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 31/68] driver core: Fix use-after-free and double free on glue directory Sasha Levin
@ 2019-08-14  7:36   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 69+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-14  7:36 UTC (permalink / raw)
  To: Sasha Levin; +Cc: linux-kernel, stable, Muchun Song, Mukesh Ojha, Prateek Sood

On Tue, Aug 13, 2019 at 10:15:09PM -0400, Sasha Levin wrote:
> From: Muchun Song <smuchun@gmail.com>
> 
> [ Upstream commit ac43432cb1f5c2950408534987e57c2071e24d8f ]
> 
> There is a race condition between removing glue directory and adding a new
> device under the glue dir. It can be reproduced in following test:
> 
> CPU1:                                         CPU2:
> 
> device_add()
>   get_device_parent()
>     class_dir_create_and_add()
>       kobject_add_internal()
>         create_dir()    // create glue_dir
> 
>                                               device_add()
>                                                 get_device_parent()
>                                                   kobject_get() // get glue_dir
> 
> device_del()
>   cleanup_glue_dir()
>     kobject_del(glue_dir)
> 
>                                                 kobject_add()
>                                                   kobject_add_internal()
>                                                     create_dir() // in glue_dir
>                                                       sysfs_create_dir_ns()
>                                                         kernfs_create_dir_ns(sd)
> 
>       sysfs_remove_dir() // glue_dir->sd=NULL
>       sysfs_put()        // free glue_dir->sd
> 
>                                                           // sd is freed
>                                                           kernfs_new_node(sd)
>                                                             kernfs_get(glue_dir)
>                                                             kernfs_add_one()
>                                                             kernfs_put()
> 
> Before CPU1 remove last child device under glue dir, if CPU2 add a new
> device under glue dir, the glue_dir kobject reference count will be
> increase to 2 via kobject_get() in get_device_parent(). And CPU2 has
> been called kernfs_create_dir_ns(), but not call kernfs_new_node().
> Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in
> glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call
> kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
> it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next
> call kernfs_add_one() by CPU2 will fail(This is also use-after-free)
> and call kernfs_put() to decrease reference count. Because the reference
> count is decremented to 0, it will also call kmem_cache_free() to free
> the glue_dir->sd again. This will result in double free.
> 
> In order to avoid this happening, we also should make sure that kernfs_node
> for glue_dir is released in CPU1 only when refcount for glue_dir kobj is
> 1 to fix this race.
> 
> The following calltrace is captured in kernel 4.14 with the following patch
> applied:
> 
> commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
> 
> --------------------------------------------------------------------------
> [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
>                 Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
> ....
> [    3.633986] Call trace:
> [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
> [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
> [    3.634001]  kobject_add_internal+0x22c/0x3f0
> [    3.634005]  kobject_add+0xe4/0x118
> [    3.634011]  device_add+0x200/0x870
> [    3.634017]  _request_firmware+0x958/0xc38
> [    3.634020]  request_firmware_into_buf+0x4c/0x70
> ....
> [    3.634064] kernel BUG at .../mm/slub.c:294!
>                 Here is BUG_ON(object == fp) in set_freepointer().
> ....
> [    3.634346] Call trace:
> [    3.634351]  kmem_cache_free+0x504/0x6b8
> [    3.634355]  kernfs_put+0x14c/0x1d8
> [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
> [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
> [    3.634366]  kobject_add_internal+0x22c/0x3f0
> [    3.634370]  kobject_add+0xe4/0x118
> [    3.634374]  device_add+0x200/0x870
> [    3.634378]  _request_firmware+0x958/0xc38
> [    3.634381]  request_firmware_into_buf+0x4c/0x70
> --------------------------------------------------------------------------
> 
> Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
> Signed-off-by: Muchun Song <smuchun@gmail.com>
> Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
> Signed-off-by: Prateek Sood <prsood@codeaurora.org>
> Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 52 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/base/core.c b/drivers/base/core.c
> index e1a8d5c06f65e..fcda6313e7def 100644
> --- a/drivers/base/core.c
> +++ b/drivers/base/core.c
> @@ -1648,12 +1648,63 @@ static inline struct kobject *get_glue_dir(struct device *dev)
>   */
>  static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
>  {
> +	unsigned int ref;
> +
>  	/* see if we live in a "glue" directory */
>  	if (!live_in_glue_dir(glue_dir, dev))
>  		return;
>  
>  	mutex_lock(&gdp_mutex);
> -	if (!kobject_has_children(glue_dir))
> +	/**
> +	 * There is a race condition between removing glue directory
> +	 * and adding a new device under the glue directory.
> +	 *
> +	 * CPU1:                                         CPU2:
> +	 *
> +	 * device_add()
> +	 *   get_device_parent()
> +	 *     class_dir_create_and_add()
> +	 *       kobject_add_internal()
> +	 *         create_dir()    // create glue_dir
> +	 *
> +	 *                                               device_add()
> +	 *                                                 get_device_parent()
> +	 *                                                   kobject_get() // get glue_dir
> +	 *
> +	 * device_del()
> +	 *   cleanup_glue_dir()
> +	 *     kobject_del(glue_dir)
> +	 *
> +	 *                                               kobject_add()
> +	 *                                                 kobject_add_internal()
> +	 *                                                   create_dir() // in glue_dir
> +	 *                                                     sysfs_create_dir_ns()
> +	 *                                                       kernfs_create_dir_ns(sd)
> +	 *
> +	 *       sysfs_remove_dir() // glue_dir->sd=NULL
> +	 *       sysfs_put()        // free glue_dir->sd
> +	 *
> +	 *                                                         // sd is freed
> +	 *                                                         kernfs_new_node(sd)
> +	 *                                                           kernfs_get(glue_dir)
> +	 *                                                           kernfs_add_one()
> +	 *                                                           kernfs_put()
> +	 *
> +	 * Before CPU1 remove last child device under glue dir, if CPU2 add
> +	 * a new device under glue dir, the glue_dir kobject reference count
> +	 * will be increase to 2 in kobject_get(k). And CPU2 has been called
> +	 * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
> +	 * and sysfs_put(). This result in glue_dir->sd is freed.
> +	 *
> +	 * Then the CPU2 will see a stale "empty" but still potentially used
> +	 * glue dir around in kernfs_new_node().
> +	 *
> +	 * In order to avoid this happening, we also should make sure that
> +	 * kernfs_node for glue_dir is released in CPU1 only when refcount
> +	 * for glue_dir kobj is 1.
> +	 */
> +	ref = kref_read(&glue_dir->kref);
> +	if (!kobject_has_children(glue_dir) && !--ref)
>  		kobject_del(glue_dir);
>  	kobject_put(glue_dir);
>  	mutex_unlock(&gdp_mutex);

Same here, please drop for now.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 69+ messages in thread

end of thread, back to index

Thread overview: 69+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-14  2:14 [PATCH AUTOSEL 4.19 01/68] iio: adc: max9611: Fix misuse of GENMASK macro Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 02/68] iio: cros_ec_accel_legacy: Fix incorrect channel setting Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 03/68] HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 04/68] MIPS: kernel: only use i8253 clocksource with periodic clockevent Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 05/68] mips: fix cacheinfo Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 06/68] netfilter: ebtables: fix a memory leak bug in compat Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 07/68] ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 08/68] selftests/bpf: fix sendmsg6_prog on s390 Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 09/68] bonding: Force slave speed check after link state recovery for 802.3ad Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 10/68] net: mvpp2: Don't check for 3 consecutive Idle frames for 10G links Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 11/68] selftests: forwarding: gre_multipath: Enable IPv4 forwarding Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 12/68] selftests: forwarding: gre_multipath: Fix flower filters Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 13/68] can: dev: call netif_carrier_off() in register_candev() Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 14/68] can: mcp251x: add error check when wq alloc failed Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 15/68] can: gw: Fix error path of cgw_module_init Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 16/68] ASoC: Fail card instantiation if DAI format setup fails Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 17/68] st21nfca_connectivity_event_received: null check the allocation Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 18/68] st_nci_hci_connectivity_event_received: " Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 19/68] ASoC: rockchip: Fix mono capture Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 20/68] ASoC: ti: davinci-mcasp: Correct slot_width posed constraint Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 21/68] net: usb: qmi_wwan: Add the BroadMobi BM818 card Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 22/68] qed: RDMA - Fix the hw_ver returned in device attributes Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 23/68] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain() Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 24/68] mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl() Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 25/68] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 26/68] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 27/68] netfilter: ipset: Fix rename concurrency with listing Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 28/68] netfilter: ebtables: also count base chain policies Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 29/68] rxrpc: Fix potential deadlock Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 30/68] rxrpc: Fix the lack of notification when sendmsg() fails on a DATA packet Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 31/68] driver core: Fix use-after-free and double free on glue directory Sasha Levin
2019-08-14  7:36   ` Greg Kroah-Hartman
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 32/68] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 33/68] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed() Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 34/68] perf bench numa: Fix cpu0 binding Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 35/68] Input: kbtab - sanity check for endpoint type Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 36/68] net: usb: pegasus: fix improper read if get_registers() fail Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 37/68] can: sja1000: force the string buffer NULL-terminated Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 38/68] can: peak_usb: " Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 39/68] net/ethernet/qlogic/qed: " Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 40/68] NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 41/68] NFS: Fix regression whereby fscache errors are appearing on 'nofsc' mounts Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 42/68] HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52 Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 43/68] HID: holtek: test for sanity of intfdata Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 44/68] HID: input: fix a4tech horizontal wheel custom usage Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 45/68] drm/rockchip: Suspend DP late Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 46/68] SMB3: Fix potential memory leak when processing compound chain Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 47/68] SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 48/68] HID: hiddev: avoid opening a disconnected device Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 49/68] HID: hiddev: do cleanup in failure of opening a device Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 50/68] s390: put _stext and _etext into .text section Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 51/68] Input: iforce - add sanity checks Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 52/68] net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 53/68] net: stmmac: Fix issues when number of Queues >= 4 Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 54/68] net: stmmac: tc: Do not return a fragment entry Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 55/68] net: hisilicon: make hip04_tx_reclaim non-reentrant Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 56/68] net: hisilicon: fix hip04-xmit never return TX_BUSY Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 57/68] net: hisilicon: Fix dma_map_single failed on arm64 Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 58/68] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 59/68] libata: add SG safety checks in SFF pio transfers Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 60/68] x86/lib/cpu: Address missing prototypes warning Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 61/68] drm/vmwgfx: fix memory leak when too many retries have occurred Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 62/68] block, bfq: handle NULL return value by bfq_init_rq() Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 63/68] perf ftrace: Fix failure to set cpumask when only one cpu is present Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 64/68] perf cpumap: Fix writing to illegal memory in handling cpumap mask Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 65/68] perf pmu-events: Fix missing "cpu_clk_unhalted.core" event Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 66/68] KVM: arm64: Don't write junk to sysregs on reset Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 67/68] KVM: arm: Don't write junk to CP15 registers " Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 68/68] selftests: kvm: Adding config fragments Sasha Levin

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org stable@archiver.kernel.org
	public-inbox-index stable


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/ public-inbox