stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 4.19 000/306] 4.19.87-stable review
@ 2019-11-27 20:27 Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 001/306] mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel Greg Kroah-Hartman
                   ` (309 more replies)
  0 siblings, 310 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.19.87 release.
There are 306 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.19.87-rc1

Michael Ellerman <mpe@ellerman.id.au>
    KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/book3s64: Fix link stack flush on context switch

Christopher M. Riedl <cmr@informatik.wtf>
    powerpc/64s: support nospectre_v2 cmdline option

Bernd Porr <mail@berndporr.me.uk>
    staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error

Aleksander Morgado <aleksander@aleksander.es>
    USB: serial: option: add support for Foxconn T77W968 LTE modules

Aleksander Morgado <aleksander@aleksander.es>
    USB: serial: option: add support for DW5821e with eSIM support

Johan Hovold <johan@kernel.org>
    USB: serial: mos7840: fix remote wakeup

Johan Hovold <johan@kernel.org>
    USB: serial: mos7720: fix remote wakeup

Pavel Löbl <pavel@loebl.cz>
    USB: serial: mos7840: add USB ID to support Moxa UPort 2210

Oliver Neukum <oneukum@suse.com>
    appledisplay: fix error handling in the scheduled work

Oliver Neukum <oneukum@suse.com>
    USB: chaoskey: fix error case of a timeout

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb-serial: cp201x: support Mark-10 digital force gauge

Suwan Kim <suwan.kim027@gmail.com>
    usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit()

Hewenliang <hewenliang4@huawei.com>
    usbip: tools: fix fd leakage in the function of read_attr_usbip_status

Oliver Neukum <oneukum@suse.com>
    USBIP: add config dependency for SGL_ALLOC

Halil Pasic <pasic@linux.ibm.com>
    virtio_ring: fix return code on DMA mapping fails

Sean Young <sean@mess.org>
    media: imon: invalid dereference in imon_touch_event

Vito Caputo <vcaputo@pengaru.com>
    media: cxusb: detect cxusb_ctrl_msg error in query

Oliver Neukum <oneukum@suse.com>
    media: b2c2-flexcop-usb: add sanity checking

Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    media: uvcvideo: Fix error path in control parsing failure

Kai Shen <shenkai8@huawei.com>
    cpufreq: Add NULL checks to show() and store() methods of cpufreq

Alan Stern <stern@rowland.harvard.edu>
    media: usbvision: Fix races among open, close, and disconnect

Alexander Popov <alex.popov@linux.com>
    media: vivid: Fix wrong locking that causes race conditions on streaming stop

Vandana BN <bnvandana@gmail.com>
    media: vivid: Set vid_cap_streaming and vid_out_streaming to true

Jouni Hogander <jouni.hogander@unikie.com>
    net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject

Oliver Neukum <oneukum@suse.com>
    nfc: port100: handle command failure cleanly

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Fix NULL dereference at parsing BADD

Yang Tao <yang.tao172@zte.com.cn>
    futex: Prevent robust futex exit race

Arnd Bergmann <arnd@arndb.de>
    y2038: futex: Move compat implementation into futex.c

Andy Lutomirski <luto@kernel.org>
    x86/entry/32: Fix FIXUP_ESPFIX_STACK with user CR3

Ingo Molnar <mingo@kernel.org>
    x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the CPU_ENTRY_AREA_PAGES assert precise

Andy Lutomirski <luto@kernel.org>
    selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel

Andy Lutomirski <luto@kernel.org>
    selftests/x86/mov_ss_trap: Fix the SYSENTER test

Thomas Gleixner <tglx@linutronix.de>
    x86/cpu_entry_area: Add guard page for entry stack on 32bit

Thomas Gleixner <tglx@linutronix.de>
    x86/pti/32: Size initial_page_table correctly

Andy Lutomirski <luto@kernel.org>
    x86/doublefault/32: Fix stack canaries in the double fault handler

Navid Emamdoost <navid.emamdoost@gmail.com>
    nbd: prevent memory leak

Waiman Long <longman@redhat.com>
    x86/speculation: Fix redundant MDS mitigation message

Waiman Long <longman@redhat.com>
    x86/speculation: Fix incorrect MDS/TAA mitigation status

Alexander Kapshuk <alexander.kapshuk@gmail.com>
    x86/insn: Fix awk regexp warnings

Alexey Brodkin <Alexey.Brodkin@synopsys.com>
    ARC: perf: Accommodate big-endian CPU

Chester Lin <clin@suse.com>
    ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary

Gang He <ghe@suse.com>
    ocfs2: remove ocfs2_is_o2cb_active()

Max Uvarov <muvarov@gmail.com>
    net: phy: dp83867: increase SGMII autoneg timer duration

Max Uvarov <muvarov@gmail.com>
    net: phy: dp83867: fix speed 10 in sgmii mode

David Hildenbrand <david@redhat.com>
    mm/memory_hotplug: don't access uninitialized memmaps in shrink_zone_span()

John Pittman <jpittman@redhat.com>
    md/raid10: prevent access of uninitialized resync_pages offset

Denis Efremov <efremov@linux.com>
    ath9k_hw: fix uninitialized variable data

Hui Peng <benquike@gmail.com>
    ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe

Sean Christopherson <sean.j.christopherson@intel.com>
    KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved

Tomas Bortoli <tomasbortoli@gmail.com>
    Bluetooth: Fix invalid-free in bcsp_close()

Vinayak Menon <vinmenon@codeaurora.org>
    mm/page_io.c: do not free shared swap slots

Johannes Berg <johannes.berg@intel.com>
    cfg80211: call disconnect_wk when AP stops

David Ahern <dsahern@gmail.com>
    ipv6: Fix handling of LLA with VRF and sockets bound to VRF

zhong jiang <zhongjiang@huawei.com>
    mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock

Masahiro Yamada <yamada.masahiro@socionext.com>
    i2c: uniphier-f: fix timeout error after reading 8 bytes

Vignesh R <vigneshr@ti.com>
    spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch

Igor Konopko <igor.j.konopko@intel.com>
    nvme-pci: fix surprise removal

Kishon Vijay Abraham I <kishon@ti.com>
    PCI: keystone: Use quirk to limit MRRS for K2G

Nathan Chancellor <natechancellor@gmail.com>
    pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD

Nathan Chancellor <natechancellor@gmail.com>
    pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT

Nathan Chancellor <natechancellor@gmail.com>
    pinctrl: bcm2835: Use define directive for BCM2835_PINCONF_PARAM_PULL

Brian Masney <masneyb@onstation.org>
    pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues

Sriram R <srirrama@codeaurora.org>
    cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces

Quentin Monnet <quentin.monnet@netronome.com>
    tools: bpftool: pass an argument to silence open_obj_pinned()

Frank Rowand <frank.rowand@sony.com>
    of: unittest: initialize args before calling of_*parse_*()

Frank Rowand <frank.rowand@sony.com>
    of: unittest: allow base devicetree to have symbol metadata

David Barmann <david.barmann@stackpath.com>
    sock: Reset dst when changing sk_mark via setsockopt

YueHaibing <yuehaibing@huawei.com>
    net: bcmgenet: return correct value 'ret' from bcmgenet_power_down

Colin Ian King <colin.king@canonical.com>
    ACPICA: Use %d for signed int print formatting instead of %u

Dmitry Osipenko <digetx@gmail.com>
    clk: tegra20: Turn EMC clock gate into divider

Mike Manning <mmanning@vyatta.att-mail.com>
    vrf: mark skb for multicast or link-local as enslaved to VRF

Tycho Andersen <tycho@tycho.ws>
    dlm: don't leak kernel pointer to userspace

Tycho Andersen <tycho@tycho.ws>
    dlm: fix invalid free

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: tcpm: charge current handling for sink during hard reset

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Correct loss of fc4 type on remote port address change

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Fix odd recovery in duplicate FLOGIs in point-to-point

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces

Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
    scsi: megaraid_sas: Fix goto labels in error handling

Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
    scsi: megaraid_sas: Fix msleep granularity

Suganath Prabu <suganath-prabu.subramani@broadcom.com>
    scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11

Suganath Prabu <suganath-prabu.subramani@broadcom.com>
    scsi: mpt3sas: Don't modify EEDPTagMode field setting on SAS3.5 HBA devices

Suganath Prabu <suganath-prabu.subramani@broadcom.com>
    scsi: mpt3sas: Fix Sync cache command failure during driver unload

Florian Fainelli <f.fainelli@gmail.com>
    net: dsa: bcm_sf2: Turn on PHY to allow successful registration

Shaokun Zhang <zhangshaokun@hisilicon.com>
    rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information

Dan Carpenter <dan.carpenter@oracle.com>
    wireless: airo: potential buffer overflow in sprintf()

Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
    brcmsmac: never log "tid x is not agg'able" by default

Gustavo A. R. Silva <gustavo@embeddedor.com>
    rtl8xxxu: Fix missing break in switch

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()'

Brian Norris <briannorris@chromium.org>
    ath10k: snoc: fix unbalanced clock error handling

Lior David <liord@codeaurora.org>
    wil6210: fix locking in wmi_call

Maya Erez <merez@codeaurora.org>
    wil6210: fix RGF_CAF_ICR address for Talyn-MB

Maya Erez <merez@codeaurora.org>
    wil6210: fix L2 RX status handling

Ahmad Masri <amasri@codeaurora.org>
    wil6210: fix debugfs memory access alignment

Arnd Bergmann <arnd@arndb.de>
    btrfs: avoid link error with CONFIG_NO_AUTO_INLINE

Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
    media: ov13858: Check for possible null pointer

Nickhu <nickhu@andestech.com>
    nds32: Fix bug in bitfield.h

Taehee Yoo <ap420073@gmail.com>
    net: bpfilter: fix iptables failure if bpfilter_umh is disabled

Andrei Vagin <avagin@gmail.com>
    sock_diag: fix autoloading of the raw_diag module

Richard Guy Briggs <rgb@redhat.com>
    audit: print empty EXECVE args

Florian Fainelli <f.fainelli@gmail.com>
    soc: bcm: brcmstb: Fix re-entry point with a THUMB2_KERNEL

Icenowy Zheng <icenowy@aosc.io>
    clk: sunxi-ng: enable so-said LDOs for A64 SoC's pll-mipi clock

Leonard Crestez <leonard.crestez@nxp.com>
    ARM: dts: imx6sx-sdb: Fix enet phy regulator

Arnd Bergmann <arnd@arndb.de>
    openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS

Valentin Schneider <valentin.schneider@arm.com>
    sched/fair: Don't increase sd->balance_interval on newidle balance

Peter Zijlstra <peterz@infradead.org>
    sched/topology: Fix off by one bug

Eric Dumazet <edumazet@google.com>
    net: do not abort bulk send on BQL status

Larry Chen <lchen@suse.com>
    ocfs2: fix clusters leak in ocfs2_defrag_extent()

Changwei Ge <ge.changwei@h3c.com>
    ocfs2: don't put and assigning null to bh allocated outside

Changwei Ge <ge.changwei@h3c.com>
    ocfs2: don't use iocb when EIOCBQUEUED returns

Guozhonghua <guozhonghua@h3c.com>
    ocfs2: without quota support, avoid calling quota recovery

Roman Gushchin <guro@fb.com>
    mm: handle no memcg case in memcg_kmem_charge() properly

Len Brown <len.brown@intel.com>
    tools/power turbosat: fix AMD APIC-id output

Victor Kamensky <kamensky@cisco.com>
    arm64: makefile fix build of .i file in external module case

Keith Busch <keith.busch@intel.com>
    nvme-pci: fix conflicting p2p resource adds

Michael Kelley <mikelley@microsoft.com>
    irq/matrix: Fix memory overallocation

Dave Jiang <dave.jiang@intel.com>
    ntb: intel: fix return value for ndev_vec_mask()

Jon Mason <jdmason@kudzu.us>
    ntb_netdev: fix sleep time mismatch

Huazhong Tan <tanhuazhong@huawei.com>
    net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read

Huazhong Tan <tanhuazhong@huawei.com>
    net: hns3: bugfix for is_valid_csq_clean_head()

Huazhong Tan <tanhuazhong@huawei.com>
    net: hns3: bugfix for reporting unknown vector0 interrupt repeatly problem

Huazhong Tan <tanhuazhong@huawei.com>
    net: hns3: bugfix for buffer not free problem during resetting

Jacob Keller <jacob.e.keller@intel.com>
    fm10k: ensure completer aborts are marked as non-fatal after a resume

Miroslav Lichvar <mlichvar@redhat.com>
    igb: shorten maximum PHC timecounter update interval

David Hildenbrand <david@redhat.com>
    powerpc/powernv: hold device_hotplug_lock when calling device_online()

David Hildenbrand <david@redhat.com>
    mm/memory_hotplug: fix online/offline_pages called w.o. mem_hotplug_lock

David Hildenbrand <david@redhat.com>
    mm/memory_hotplug: make add_memory() take the device_hotplug_lock

Borislav Petkov <bp@suse.de>
    kernel/panic.c: do not append newline to the stack protector panic string

Colin Ian King <colin.king@canonical.com>
    fs/hfs/extent.c: fix array out of bounds read of array extent

Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    hfs: update timestamp on truncate()

Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    hfsplus: update timestamps on truncate()

Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    hfs: fix return value of hfs_get_block()

Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    hfsplus: fix return value of hfsplus_get_block()

Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    hfs: prevent btree data loss on ENOSPC

Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    hfsplus: prevent btree data loss on ENOSPC

Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    hfs: fix BUG on bnode parent update

Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    hfsplus: fix BUG on bnode parent update

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    lib/bitmap.c: fix remaining space computation in bitmap_print_to_pagebuf

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    linux/bitmap.h: fix type of nbits in bitmap_shift_right()

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    linux/bitmap.h: handle constant zero-size bitmaps correctly

Dan Carpenter <dan.carpenter@oracle.com>
    mm/gup_benchmark.c: prevent integer overflow in ioctl

Ming Lei <ming.lei@redhat.com>
    block: call rq_qos_exit() after queue is frozen

Michael Ellerman <mpe@ellerman.id.au>
    selftests/powerpc/cache_shape: Fix out-of-tree build

Michael Ellerman <mpe@ellerman.id.au>
    selftests/powerpc/switch_endian: Fix out-of-tree build

Joel Stanley <joel@jms.id.au>
    selftests/powerpc/signal: Fix out-of-tree build

Joel Stanley <joel@jms.id.au>
    selftests/powerpc/ptrace: Fix out-of-tree build

Joel Stanley <joel@jms.id.au>
    powerpc/xmon: Relax frame size for clang

Hangbin Liu <liuhangbin@gmail.com>
    ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12

Darrick J. Wong <darrick.wong@oracle.com>
    vfs: avoid problematic remapping requests into partial EOF block

Anton Ivanov <anton.ivanov@cambridgegreys.com>
    um: Make line/tty semantics use true write IRQ

Masahiro Yamada <yamada.masahiro@socionext.com>
    i2c: uniphier-f: fix race condition when IRQ is cleared

Masahiro Yamada <yamada.masahiro@socionext.com>
    i2c: uniphier-f: fix occasional timeout error

Masahiro Yamada <yamada.masahiro@socionext.com>
    i2c: uniphier-f: make driver robust against concurrency

Jianchao Wang <jianchao.w.wang@oracle.com>
    block: fix the DISCARD request merge

Sabrina Dubroca <sd@queasysnail.net>
    macsec: let the administrator set UP state even if lowerdev is down

Sabrina Dubroca <sd@queasysnail.net>
    macsec: update operstate when lower device changes

Andrea Arcangeli <aarcange@redhat.com>
    mm: thp: fix MADV_DONTNEED vs migrate_misplaced_transhuge_page race condition

Keith Busch <keith.busch@intel.com>
    tools/testing/selftests/vm/gup_benchmark.c: fix 'write' flag usage

Dave Chinner <dchinner@redhat.com>
    mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock

Jia-Ju Bai <baijiaju1990@gmail.com>
    fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle()

Andrey Ryabinin <aryabinin@virtuozzo.com>
    arm64: lib: use C string functions with KASAN enabled

David S. Miller <davem@davemloft.net>
    sparc64: Rework xchg() definition to avoid warnings.

Felipe Rechia <felipe.rechia@datacom.com.br>
    powerpc/process: Fix flush_all_to_thread for SPE

Martin Lau <kafai@fb.com>
    bpf, btf: fix a missing check bug in btf_parse

Taehee Yoo <ap420073@gmail.com>
    bpf: devmap: fix wrong interface selection in notifier_call

Tristram Ha <Tristram.Ha@microchip.com>
    net: ethernet: cadence: fix socket buffer corruption problem

Geert Uytterhoeven <geert+renesas@glider.be>
    thermal: rcar_thermal: Prevent hardware access during system suspend

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    thermal: rcar_thermal: fix duplicate IRQ request

Peng Hao <peng.hao2@zte.com.cn>
    selftests: fix warning: "_GNU_SOURCE" redefined

Andrea Parri <andrea.parri@amarulasolutions.com>
    selftests: kvm: Fix -Wformat warnings

Jerry Hoemann <jerry.hoemann@hpe.com>
    selftests: watchdog: Fix error message.

Shuah Khan (Samsung OSG) <shuah@kernel.org>
    selftests: watchdog: fix message when /dev/watchdog open fails

Masami Hiramatsu <mhiramat@kernel.org>
    selftests/ftrace: Fix to test kprobe $comm arg only if available

Keiji Hayashibara <hayashibara.keiji@socionext.com>
    spi: uniphier: fix incorrect property items

Garry McNulty <garrmcnu@gmail.com>
    fs/cifs: fix uninitialised variable warnings

Masahisa Kojima <masahisa.kojima@linaro.org>
    net: socionext: Stop PHY before resetting netsec

Marek Szyprowski <m.szyprowski@samsung.com>
    mfd: max8997: Enale irq-wakeup unconditionally

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    mfd: intel_soc_pmic_bxtwc: Chain power button IRQs as well

Fabio Estevam <fabio.estevam@nxp.com>
    mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values

Sapthagiri Baratam <sapthagiri.baratam@cirrus.com>
    mfd: arizona: Correct calling of runtime_put_sync

Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
    net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode

Dan Carpenter <dan.carpenter@oracle.com>
    qlcnic: fix a return in qlcnic_dcb_get_capability()

Nathan Chancellor <natechancellor@gmail.com>
    mISDN: Fix type of switch control variable in ctrl_teimanager

Chao Yu <yuchao0@huawei.com>
    f2fs: spread f2fs_set_inode_flags()

Chao Yu <yuchao0@huawei.com>
    f2fs: fix to spread clear_cold_data()

Dan Carpenter <dan.carpenter@oracle.com>
    thermal: armada: fix a test in probe()

Vincent Chen <vincentc@andestech.com>
    RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap

Nathan Chancellor <natechancellor@gmail.com>
    rtc: s35390a: Change buf's type to u8 in s35390a_init

Luis Henriques <lhenriques@suse.com>
    ceph: only allow punch hole mode in fallocate

Yan, Zheng <zyan@redhat.com>
    ceph: fix dentry leak in ceph_readdir_prepopulate

Quentin Monnet <quentin.monnet@netronome.com>
    tools: bpftool: fix completion for "bpftool map update"

Quentin Monnet <quentin.monnet@netronome.com>
    selftests/bpf: fix return value comparison for tests in test_libbpf.sh

Nicholas Piggin <npiggin@gmail.com>
    powerpc/64s/radix: Fix radix__flush_tlb_collapsed_pmd double flushing pmd

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/mm/radix: Fix small page at boundary when splitting

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/mm/radix: Fix overuse of small pages in splitting logic

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/mm/radix: Fix off-by-one in split mapping logic

Aravinda Prasad <aravinda@linux.vnet.ibm.com>
    powerpc/pseries: Export raw per-CPU VPA data via debugfs

Gustavo A. R. Silva <gustavo@embeddedor.com>
    scsi: hisi_sas: Fix NULL pointer dereference

David S. Miller <davem@davemloft.net>
    sparc: Fix parport build warnings.

Jithu Joseph <jithu.joseph@intel.com>
    x86/intel_rdt: Prevent pseudo-locking from using stale pointers

Vignesh R <vigneshr@ti.com>
    spi: omap2-mcspi: Set FIFO DMA trigger level to word length

Christoph Hellwig <hch@lst.de>
    swiotlb: do not panic on mapping failures

Thomas Richter <tmricht@linux.ibm.com>
    s390/perf: Return error when debug_register fails

Nathan Chancellor <natechancellor@gmail.com>
    atm: zatm: Fix empty body Clang warnings

J. Bruce Fields <bfields@redhat.com>
    sunrpc: safely reallow resvport min/max inversion

Trond Myklebust <trond.myklebust@hammerspace.com>
    SUNRPC: Fix a compile warning for cmpxchg64()

Peng Hao <peng.hao2@zte.com.cn>
    selftests/bpf: fix file resource leak in load_kallsyms

Heinz Mauelshagen <heinzm@redhat.com>
    dm raid: avoid bitmap with raid4/5/6 journal device

Xin Long <lucien.xin@gmail.com>
    sctp: use sk_wmem_queued to check for writable space

Colin Ian King <colin.king@canonical.com>
    usbip: tools: fix atoi() on non-null terminated string

Mattias Jacobsson <2pi@mok.nu>
    USB: misc: appledisplay: fix backlight update_status return code

Jon Derrick <jonathan.derrick@intel.com>
    PCI: vmd: Detach resources after stopping root bus

Benjamin Herrenschmidt <benh@kernel.crashing.org>
    macintosh/windfarm_smu_sat: Fix debug output

Philipp Klocke <philipp97kl@gmail.com>
    ALSA: i2c/cs8427: Fix int to char conversion

Ulf Hansson <ulf.hansson@linaro.org>
    PM / Domains: Deal with multiple states but no governor in genpd

Hans de Goede <hdegoede@redhat.com>
    ACPI / scan: Create platform device for INT33FE ACPI nodes

Steven Rostedt (VMware) <rostedt@goodmis.org>
    kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack

Brian Foster <bfoster@redhat.com>
    xfs: clear ail delwri queued bufs on unmount of shutdown fs

Dave Chinner <dchinner@redhat.com>
    xfs: fix use-after-free race in xfs_buf_rele

Netanel Belgazal <netanel@amazon.com>
    net: ena: Fix Kconfig dependency on X86

Kyeongdon Kim <kyeongdon.kim@lge.com>
    net: fix warning in af_unix

Marek Behún <marek.behun@nic.cz>
    net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed

Finn Thain <fthain@telegraphics.com.au>
    scsi: zorro_esp: Limit DMA transfers to 65535 bytes

Christoph Hellwig <hch@lst.de>
    scsi: dc395x: fix DMA API usage in sg_update_list

Christoph Hellwig <hch@lst.de>
    scsi: dc395x: fix dma API usage in srb_done

Marcel Ziswiler <marcel.ziswiler@toradex.com>
    ASoC: tegra_sgtl5000: fix device_node refcounting

Alexandre Belloni <alexandre.belloni@bootlin.com>
    clk: at91: audio-pll: fix audio pmc type

Lubomir Rintel <lkundrak@v3.sk>
    clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk

Honghui Zhang <honghui.zhang@mediatek.com>
    PCI: mediatek: Fixup MSI enablement logic by enabling MSI before clocks

Keith Busch <keith.busch@intel.com>
    nvme-pci: fix hot removal during error handling

Bart Van Assche <bvanassche@acm.org>
    nvmet-fcloop: suppress a compiler warning

Bart Van Assche <bvanassche@acm.org>
    nvmet: avoid integer overflow in the discard code

Nathan Chancellor <natechancellor@gmail.com>
    crypto: ccree - avoid implicit enum conversion

Nathan Chancellor <natechancellor@gmail.com>
    scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param

Nathan Chancellor <natechancellor@gmail.com>
    scsi: bfa: Avoid implicit enum conversion in bfad_im_post_vendor_event

Nathan Chancellor <natechancellor@gmail.com>
    scsi: isci: Change sci_controller_start_task's return type to sci_status

Nathan Chancellor <natechancellor@gmail.com>
    scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler

Joseph Lo <josephl@nvidia.com>
    clk: tegra: Fixes for MBIST work around

Uros Bizjak <ubizjak@gmail.com>
    KVM/x86: Fix invvpid and invept register operand size in 64-bit mode

Sean Christopherson <sean.j.christopherson@intel.com>
    KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()

Sean Christopherson <sean.j.christopherson@intel.com>
    KVM: nVMX: reset cache/shadows when switching loaded VMCS

Jakub Kicinski <jakub.kicinski@netronome.com>
    nfp: bpf: protect against mis-initializing atomic counters

Gustavo A. R. Silva <gustavo@embeddedor.com>
    scsi: ips: fix missing break in switch

Rahul Verma <Rahul.Verma@cavium.com>
    qed: Align local and global PTT to propagate through the APIs.

Omar Sandoval <osandov@fb.com>
    amiflop: clean up on errors during setup

Hans de Goede <hdegoede@redhat.com>
    pwm: lpss: Only set update bit if we are actually changing the settings

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    pinctrl: sunxi: Fix a memory leak in 'sunxi_pinctrl_build_state()'

Selvin Xavier <selvin.xavier@broadcom.com>
    RDMA/bnxt_re: Avoid resource leak in case the NQ registration fails

Devesh Sharma <devesh.sharma@broadcom.com>
    RDMA/bnxt_re: Fix qp async event reporting

Selvin Xavier <selvin.xavier@broadcom.com>
    RDMA/bnxt_re: Avoid NULL check after accessing the pointer

Xiang Chen <chenxiang66@hisilicon.com>
    scsi: hisi_sas: Free slot later in slot_complete_vx_hw()

Xiang Chen <chenxiang66@hisilicon.com>
    scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO

Luo Jiaxing <luojiaxing@huawei.com>
    scsi: hisi_sas: Feed back linkrate(max/min) when re-attached

Angelo Dureghello <angelo@sysam.it>
    m68k: fix command-line parsing when passed from u-boot

Julien Folly <julien.folly@gmail.com>
    w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size).

Wenwen Wang <wang6495@umn.edu>
    misc: mic: fix a DMA pool free failure

Duncan Laurie <dlaurie@chromium.org>
    gsmi: Fix bug in append_to_eventlog sysfs handler

Nikolay Borisov <nborisov@suse.com>
    btrfs: handle error of get_old_root

Su Yue <suy.fnst@cn.fujitsu.com>
    btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag

Honghui Zhang <honghui.zhang@mediatek.com>
    PCI: mediatek: Fix class type for MT7622 to PCI_CLASS_BRIDGE_PCI

Chaotian Jing <chaotian.jing@mediatek.com>
    mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail

Chaotian Jing <chaotian.jing@mediatek.com>
    mmc: mediatek: fill the actual clock for mmc debugfs

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    spi: sh-msiof: fix deferred probing

Jens Axboe <axboe@kernel.dk>
    cdrom: don't attempt to fiddle with cdo->capability

Jens Axboe <axboe@kernel.dk>
    skd: fixup usage of legacy IO API

Carl Huang <cjhuang@codeaurora.org>
    ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem

Rakesh Pillai <pillair@codeaurora.org>
    ath10k: set probe request oui during driver start

Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
    brcmsmac: AP mode: update beacon when TIM changes

Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
    mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc

Felix Fietkau <nbd@nbd.name>
    mt76: do not store aggregation sequence number for null-data frames

Dan Carpenter <dan.carpenter@oracle.com>
    EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr()

Sam Bobroff <sbobroff@linux.ibm.com>
    powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field

Sam Bobroff <sbobroff@linux.ibm.com>
    powerpc/eeh: Fix null deref for devices removed during EEH

Joel Stanley <joel@jms.id.au>
    powerpc/boot: Disable vector instructions

Joel Stanley <joel@jms.id.au>
    powerpc/boot: Fix opal console in boot wrapper

Dan Carpenter <dan.carpenter@oracle.com>
    powerpc: Fix signedness bug in update_flash_db()

Al Viro <viro@zeniv.linux.org.uk>
    synclink_gt(): fix compat_ioctl()

Al Viro <viro@zeniv.linux.org.uk>
    pty: fix compat ioctls

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix marking bitmaps non-full

Alan Douglas <adouglas@cadence.com>
    PCI: cadence: Write MSI data with 32bits

Gustavo A. R. Silva <gustavo@embeddedor.com>
    pinctrl: madera: Fix uninitialized variable bug in madera_mux_set_mux

Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
    printk: fix integer overflow in setup_log_buf()

Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
    printk: lock/unlock console only for new logbuf entries

Michael Schupikov <michael@schupikov.de>
    crypto: testmgr - fix sizeof() on COMP_BUF_SIZE

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback

Adrian Bunk <bunk@kernel.org>
    mwifiex: Fix NL80211_TX_POWER_LIMITED

Chris Wilson <chris@chris-wilson.co.uk>
    drm/i915/userptr: Try to acquire the page lock around set_page_dirty()

Chris Wilson <chris@chris-wilson.co.uk>
    drm/i915/pmu: "Frequency" is reported as accumulated cycles

Evan Quan <evan.quan@amd.com>
    drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs

Andrey Ryabinin <aryabinin@virtuozzo.com>
    mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()

Joseph Qi <joseph.qi@linux.alibaba.com>
    Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()"

Laurent Vivier <lvivier@redhat.com>
    virtio_console: allocate inbufs in add_port() only if it is needed

Sun Ke <sunke32@huawei.com>
    nbd:fix memory leak in nbd_get_socket()

Laura Abbott <labbott@redhat.com>
    tools: gpio: Correctly add make dependencies for gpio_utils

Thierry Reding <treding@nvidia.com>
    gpio: max77620: Fixup debounce delays

Stefano Garzarella <sgarzare@redhat.com>
    vhost/vsock: split packets to send using multiple buffers

Maor Gottlieb <maorg@mellanox.com>
    net/mlx5: Fix auto group size calculation

Eran Ben Elisha <eranbe@mellanox.com>
    net/mlxfw: Verify FSM error code translation doesn't exceed array size

Roi Dayan <roid@mellanox.com>
    net/mlx5e: Fix set vf link state error flow

Martin Habets <mhabets@solarflare.com>
    sfc: Only cancel the PPS workqueue if it exists

Xin Long <lucien.xin@gmail.com>
    net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key

Davide Caratti <dcaratti@redhat.com>
    net/sched: act_pedit: fix WARN() in the traffic path

Dan Carpenter <dan.carpenter@oracle.com>
    net: rtnetlink: prevent underflows in do_setvfinfo()

Tariq Toukan <tariqt@mellanox.com>
    net/mlx4_en: Fix wrong limitation for number of TX rings

Luigi Rizzo <lrizzo@google.com>
    net/mlx4_en: fix mlx4 ethtool -N insertion

Petr Machata <petrm@mellanox.com>
    mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel


-------------

Diffstat:

 Documentation/admin-guide/hw-vuln/mds.rst          |   7 +-
 .../admin-guide/hw-vuln/tsx_async_abort.rst        |   5 +-
 Documentation/admin-guide/kernel-parameters.txt    |  11 +
 .../devicetree/bindings/spi/spi-uniphier.txt       |  14 +-
 Makefile                                           |   4 +-
 arch/arc/kernel/perf_event.c                       |   4 +-
 arch/arm/boot/dts/imx6sx-sdb.dtsi                  |   7 +-
 arch/arm/mm/mmu.c                                  |   3 +
 arch/arm64/Makefile                                |   2 +
 arch/arm64/include/asm/string.h                    |  14 +-
 arch/arm64/kernel/arm64ksyms.c                     |   7 +-
 arch/arm64/lib/memchr.S                            |   2 +-
 arch/arm64/lib/memcmp.S                            |   2 +-
 arch/arm64/lib/strchr.S                            |   2 +-
 arch/arm64/lib/strcmp.S                            |   2 +-
 arch/arm64/lib/strlen.S                            |   2 +-
 arch/arm64/lib/strncmp.S                           |   2 +-
 arch/arm64/lib/strnlen.S                           |   2 +-
 arch/arm64/lib/strrchr.S                           |   2 +-
 arch/m68k/kernel/uboot.c                           |   2 +-
 arch/nds32/include/asm/bitfield.h                  |   4 +-
 arch/powerpc/boot/Makefile                         |   4 +-
 arch/powerpc/boot/opal.c                           |   8 -
 arch/powerpc/include/asm/asm-prototypes.h          |   3 +
 arch/powerpc/include/asm/security_features.h       |   3 +
 arch/powerpc/kernel/eeh_driver.c                   |   4 +
 arch/powerpc/kernel/eeh_pe.c                       |   2 +-
 arch/powerpc/kernel/entry_64.S                     |   6 +
 arch/powerpc/kernel/process.c                      |   3 +-
 arch/powerpc/kernel/security.c                     |  74 +++++-
 arch/powerpc/kvm/book3s_hv_rmhandlers.S            |  28 +++
 arch/powerpc/mm/pgtable-radix.c                    |   8 +-
 arch/powerpc/mm/tlb-radix.c                        |   1 -
 arch/powerpc/platforms/powernv/memtrace.c          |   2 +
 arch/powerpc/platforms/ps3/os-area.c               |   2 +-
 arch/powerpc/platforms/pseries/hotplug-memory.c    |   2 +-
 arch/powerpc/platforms/pseries/lpar.c              |  54 +++++
 arch/powerpc/xmon/Makefile                         |   6 +
 arch/riscv/mm/ioremap.c                            |   2 +-
 arch/s390/kernel/perf_cpum_sf.c                    |   6 +-
 arch/sparc/include/asm/cmpxchg_64.h                |   7 +-
 arch/sparc/include/asm/parport.h                   |   2 +
 arch/um/drivers/line.c                             |   4 +-
 arch/x86/entry/entry_32.S                          |  21 +-
 arch/x86/include/asm/cpu_entry_area.h              |  18 +-
 arch/x86/include/asm/pgtable_32_types.h            |   8 +-
 arch/x86/include/asm/ptrace.h                      |  42 +++-
 arch/x86/kernel/cpu/bugs.c                         |  30 ++-
 arch/x86/kernel/cpu/intel_rdt.c                    |   7 +
 arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c        |  12 +-
 arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c        |  10 +
 arch/x86/kernel/cpu/intel_rdt_rdtgroup.c           |  38 +++-
 arch/x86/kernel/doublefault.c                      |   3 +
 arch/x86/kernel/head_32.S                          |  10 +
 arch/x86/kvm/mmu.c                                 |   8 +-
 arch/x86/kvm/vmx.c                                 |  22 +-
 arch/x86/mm/cpu_entry_area.c                       |   4 +-
 arch/x86/tools/gen-insn-attr-x86.awk               |   4 +-
 block/blk-core.c                                   |   3 +
 block/blk-merge.c                                  |  46 +++-
 block/blk-sysfs.c                                  |   2 -
 crypto/testmgr.c                                   |   6 +-
 drivers/acpi/acpi_memhotplug.c                     |   2 +-
 drivers/acpi/scan.c                                |   1 +
 drivers/atm/zatm.c                                 |  42 ++--
 drivers/base/memory.c                              |  22 +-
 drivers/base/power/domain.c                        |   6 +
 drivers/block/amiflop.c                            |  84 ++++---
 drivers/block/nbd.c                                |   6 +-
 drivers/block/skd_main.c                           |   4 +-
 drivers/bluetooth/hci_bcsp.c                       |   3 +
 drivers/cdrom/cdrom.c                              |  27 ++-
 drivers/char/virtio_console.c                      |  28 ++-
 drivers/clk/at91/clk-audio-pll.c                   |   2 +-
 drivers/clk/mmp/clk-of-mmp2.c                      |   4 +-
 drivers/clk/sunxi-ng/ccu-sun50i-a64.c              |   7 +-
 drivers/clk/tegra/clk-tegra20.c                    |  36 ++-
 drivers/clk/tegra/clk-tegra210.c                   |   6 +-
 drivers/cpufreq/cpufreq.c                          |   6 +
 drivers/crypto/ccree/cc_hw_queue_defs.h            |   6 +-
 drivers/edac/thunderx_edac.c                       |   4 +-
 drivers/firmware/google/gsmi.c                     |   5 +-
 drivers/gpio/gpio-max77620.c                       |   6 +-
 drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c   |  23 +-
 drivers/gpu/drm/i915/i915_gem_userptr.c            |  22 +-
 drivers/gpu/drm/i915/i915_pmu.c                    |   4 +-
 drivers/i2c/busses/i2c-uniphier-f.c                |  72 ++++--
 drivers/infiniband/hw/bnxt_re/bnxt_re.h            |   2 +
 drivers/infiniband/hw/bnxt_re/main.c               |  44 ++--
 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c         |  13 +-
 drivers/isdn/mISDN/tei.c                           |   7 +-
 drivers/macintosh/windfarm_smu_sat.c               |  25 +--
 drivers/md/dm-raid.c                               |   2 +-
 drivers/md/raid10.c                                |   2 +-
 drivers/media/i2c/ov13858.c                        |   6 +-
 drivers/media/platform/vivid/vivid-kthread-cap.c   |   8 +-
 drivers/media/platform/vivid/vivid-kthread-out.c   |   8 +-
 drivers/media/platform/vivid/vivid-sdr-cap.c       |   8 +-
 drivers/media/platform/vivid/vivid-vid-cap.c       |   3 -
 drivers/media/platform/vivid/vivid-vid-out.c       |   3 -
 drivers/media/rc/imon.c                            |   3 +-
 drivers/media/usb/b2c2/flexcop-usb.c               |   3 +
 drivers/media/usb/dvb-usb/cxusb.c                  |   3 +-
 drivers/media/usb/usbvision/usbvision-video.c      |  21 +-
 drivers/media/usb/uvc/uvc_driver.c                 |  28 +--
 drivers/mfd/arizona-core.c                         |   8 +-
 drivers/mfd/intel_soc_pmic_bxtwc.c                 |  41 +++-
 drivers/mfd/max8997.c                              |   8 +-
 drivers/mfd/mc13xxx-core.c                         |   3 +-
 drivers/misc/mic/scif/scif_fence.c                 |   2 +-
 drivers/mmc/host/mtk-sd.c                          |  15 +-
 drivers/net/dsa/bcm_sf2.c                          |   4 +
 drivers/net/dsa/mv88e6xxx/chip.c                   |   4 +-
 drivers/net/dsa/mv88e6xxx/port.c                   |  25 ++-
 drivers/net/dsa/mv88e6xxx/port.h                   |   1 +
 drivers/net/ethernet/amazon/Kconfig                |   2 +-
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     |   2 +-
 drivers/net/ethernet/cadence/macb_main.c           |   2 +-
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c    |  24 +-
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c |  12 +-
 .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c    |   2 +-
 .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c    |   4 +-
 drivers/net/ethernet/intel/fm10k/fm10k_iov.c       |  48 ++--
 drivers/net/ethernet/intel/igb/igb_ptp.c           |   8 +-
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c    |   9 +-
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |   9 +
 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c  |   2 +-
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c  |  10 +-
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.h  |   1 +
 drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c    |   2 +
 .../net/ethernet/mellanox/mlxsw/spectrum_router.c  |  19 +-
 drivers/net/ethernet/netronome/nfp/bpf/main.h      |   7 +-
 drivers/net/ethernet/netronome/nfp/bpf/offload.c   |  18 +-
 drivers/net/ethernet/netronome/nfp/bpf/verifier.c  |  58 ++++-
 drivers/net/ethernet/qlogic/qed/qed.h              |   2 +-
 drivers/net/ethernet/qlogic/qed/qed_main.c         |  22 +-
 drivers/net/ethernet/qlogic/qed/qed_mcp.c          |  27 +--
 drivers/net/ethernet/qlogic/qed/qed_mcp.h          |   5 +-
 drivers/net/ethernet/qlogic/qed/qed_vf.c           |   2 +-
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c    |   2 +-
 drivers/net/ethernet/sfc/ptp.c                     |   3 +-
 drivers/net/ethernet/socionext/netsec.c            |  19 +-
 drivers/net/ethernet/ti/cpsw.c                     |   1 +
 drivers/net/macsec.c                               |  20 +-
 drivers/net/ntb_netdev.c                           |   2 +-
 drivers/net/phy/dp83867.c                          |  37 +++
 drivers/net/vrf.c                                  |  19 +-
 drivers/net/wireless/ath/ath10k/mac.c              |  14 +-
 drivers/net/wireless/ath/ath10k/pci.c              |  23 +-
 drivers/net/wireless/ath/ath10k/snoc.c             |   2 +-
 drivers/net/wireless/ath/ath10k/usb.c              |   8 +
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c     |   2 +-
 drivers/net/wireless/ath/wil6210/debugfs.c         |  15 +-
 drivers/net/wireless/ath/wil6210/main.c            |  11 +-
 drivers/net/wireless/ath/wil6210/txrx_edma.c       |  23 +-
 drivers/net/wireless/ath/wil6210/wil6210.h         |   1 +
 drivers/net/wireless/ath/wil6210/wmi.c             |   9 +-
 .../broadcom/brcm80211/brcmsmac/mac80211_if.c      |  30 ++-
 .../wireless/broadcom/brcm80211/brcmsmac/main.h    |   1 +
 drivers/net/wireless/cisco/airo.c                  |   2 +-
 drivers/net/wireless/marvell/mwifiex/cfg80211.c    |  13 +-
 drivers/net/wireless/marvell/mwifiex/ioctl.h       |   1 +
 drivers/net/wireless/marvell/mwifiex/sta_ioctl.c   |  11 +-
 drivers/net/wireless/mediatek/mt76/mt76x0/phy.c    |   7 +-
 drivers/net/wireless/mediatek/mt76/tx.c            |   3 +-
 .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c  |   1 +
 .../net/wireless/realtek/rtlwifi/rtl8192de/fw.c    |   2 +-
 drivers/net/wireless/ti/wlcore/vendor_cmd.c        |   2 +-
 drivers/nfc/port100.c                              |   2 +-
 drivers/ntb/hw/intel/ntb_hw_gen1.c                 |   2 +-
 drivers/nvme/host/core.c                           |   2 +-
 drivers/nvme/host/pci.c                            |   8 +-
 drivers/nvme/target/fcloop.c                       |   1 +
 drivers/nvme/target/io-cmd-file.c                  |   3 +-
 drivers/of/unittest.c                              |  58 ++++-
 drivers/pci/controller/dwc/pci-keystone.c          |   3 +
 drivers/pci/controller/pcie-cadence-ep.c           |   2 +-
 drivers/pci/controller/pcie-mediatek.c             | 143 ++++++------
 drivers/pci/controller/vmd.c                       |   2 +-
 drivers/pinctrl/bcm/pinctrl-bcm2835.c              |   6 +-
 drivers/pinctrl/cirrus/pinctrl-madera-core.c       |   2 +-
 drivers/pinctrl/pinctrl-lpc18xx.c                  |  10 +-
 drivers/pinctrl/pinctrl-zynq.c                     |   9 +-
 drivers/pinctrl/qcom/pinctrl-spmi-gpio.c           |  21 +-
 drivers/pinctrl/sunxi/pinctrl-sunxi.c              |  11 +-
 drivers/platform/x86/intel_cht_int33fe.c           |  24 +-
 drivers/pwm/pwm-lpss.c                             |  12 +-
 drivers/rtc/rtc-s35390a.c                          |   2 +-
 drivers/scsi/bfa/bfa_defs_svc.h                    |   2 +-
 drivers/scsi/bfa/bfad_im.h                         |   2 +-
 drivers/scsi/dc395x.c                              |  12 +-
 drivers/scsi/hisi_sas/hisi_sas_main.c              |  56 ++++-
 drivers/scsi/hisi_sas/hisi_sas_v2_hw.c             |   2 +-
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c             |   2 +-
 drivers/scsi/ips.c                                 |   1 +
 drivers/scsi/isci/host.c                           |   8 +-
 drivers/scsi/isci/host.h                           |   2 +-
 drivers/scsi/isci/request.c                        |   4 +-
 drivers/scsi/isci/task.c                           |   4 +-
 drivers/scsi/iscsi_tcp.c                           |   3 +-
 drivers/scsi/lpfc/lpfc.h                           |   1 +
 drivers/scsi/lpfc/lpfc_els.c                       |  95 ++++++--
 drivers/scsi/lpfc/lpfc_hbadisc.c                   |  29 +++
 drivers/scsi/lpfc/lpfc_init.c                      |   2 +-
 drivers/scsi/lpfc/lpfc_nportdisc.c                 |   5 +-
 drivers/scsi/lpfc/lpfc_sli.c                       |  11 +-
 drivers/scsi/lpfc/lpfc_sli4.h                      |   1 +
 drivers/scsi/megaraid/megaraid_sas_base.c          |   9 +-
 drivers/scsi/mpt3sas/mpt3sas_base.c                |   2 +-
 drivers/scsi/mpt3sas/mpt3sas_config.c              |   4 -
 drivers/scsi/mpt3sas/mpt3sas_scsih.c               |  36 ++-
 drivers/scsi/zorro_esp.c                           |   8 +-
 drivers/soc/bcm/brcmstb/pm/pm-arm.c                |   2 +-
 drivers/spi/spi-omap2-mcspi.c                      |  26 +--
 drivers/spi/spi-sh-msiof.c                         |   4 +-
 drivers/staging/comedi/drivers/usbduxfast.c        |  21 +-
 drivers/thermal/armada_thermal.c                   |   4 +-
 drivers/thermal/rcar_thermal.c                     |   6 +-
 drivers/tty/pty.c                                  |  14 +-
 drivers/tty/synclink_gt.c                          |  16 +-
 drivers/usb/misc/appledisplay.c                    |  15 +-
 drivers/usb/misc/chaoskey.c                        |  24 +-
 drivers/usb/serial/cp210x.c                        |   1 +
 drivers/usb/serial/mos7720.c                       |   4 -
 drivers/usb/serial/mos7840.c                       |  16 +-
 drivers/usb/serial/option.c                        |   7 +
 drivers/usb/typec/tcpm.c                           |   9 +-
 drivers/usb/usbip/Kconfig                          |   1 +
 drivers/usb/usbip/stub_rx.c                        |  50 +++--
 drivers/vhost/vsock.c                              |  66 ++++--
 drivers/virtio/virtio_ring.c                       |   2 +-
 drivers/w1/slaves/w1_ds2438.c                      |  66 ++++--
 drivers/xen/balloon.c                              |   3 +
 fs/btrfs/ctree.c                                   |   4 +
 fs/btrfs/ioctl.c                                   |   2 +-
 fs/btrfs/super.c                                   |   6 +-
 fs/ceph/file.c                                     |  45 +---
 fs/ceph/inode.c                                    |   1 -
 fs/cifs/smb2pdu.c                                  |   6 +-
 fs/dlm/member.c                                    |   5 +-
 fs/dlm/user.c                                      |   2 +-
 fs/f2fs/data.c                                     |   8 +-
 fs/f2fs/dir.c                                      |   1 +
 fs/f2fs/f2fs.h                                     |   2 +-
 fs/f2fs/namei.c                                    |   2 +
 fs/f2fs/segment.c                                  |   4 +-
 fs/f2fs/super.c                                    |   5 +-
 fs/gfs2/rgrp.c                                     |  13 +-
 fs/hfs/brec.c                                      |   1 +
 fs/hfs/btree.c                                     |  41 ++--
 fs/hfs/btree.h                                     |   1 +
 fs/hfs/catalog.c                                   |  16 ++
 fs/hfs/extent.c                                    |  10 +-
 fs/hfs/inode.c                                     |   2 +
 fs/hfsplus/attributes.c                            |  10 +
 fs/hfsplus/brec.c                                  |   1 +
 fs/hfsplus/btree.c                                 |  44 ++--
 fs/hfsplus/catalog.c                               |  24 ++
 fs/hfsplus/extents.c                               |   8 +-
 fs/hfsplus/hfsplus_fs.h                            |   2 +
 fs/hfsplus/inode.c                                 |   1 +
 fs/ocfs2/buffer_head_io.c                          |  77 +++++--
 fs/ocfs2/dlm/dlmdebug.c                            |   2 +-
 fs/ocfs2/dlmglue.c                                 |   2 +-
 fs/ocfs2/file.c                                    |   4 +-
 fs/ocfs2/journal.c                                 |  51 +++--
 fs/ocfs2/move_extents.c                            |  17 ++
 fs/ocfs2/stackglue.c                               |   6 -
 fs/ocfs2/stackglue.h                               |   3 -
 fs/ocfs2/xattr.c                                   |  56 +++--
 fs/read_write.c                                    |  33 +++
 fs/xfs/xfs_buf.c                                   |  45 +++-
 fs/xfs/xfs_trans_ail.c                             |  28 ++-
 include/linux/bitmap.h                             |   9 +-
 include/linux/futex.h                              |   8 -
 include/linux/inetdevice.h                         |   4 +-
 include/linux/kvm_host.h                           |   1 +
 include/linux/memory_hotplug.h                     |   1 +
 include/linux/mfd/intel_soc_pmic.h                 |   1 +
 include/linux/mfd/max8997.h                        |   1 -
 include/linux/mfd/mc13xxx.h                        |   1 +
 kernel/Makefile                                    |   3 -
 kernel/auditsc.c                                   |   2 +-
 kernel/bpf/btf.c                                   |  55 +++--
 kernel/bpf/devmap.c                                |   3 +-
 kernel/dma/swiotlb.c                               |  33 +--
 kernel/futex.c                                     | 247 ++++++++++++++++++++-
 kernel/futex_compat.c                              | 202 -----------------
 kernel/irq/matrix.c                                |   2 +-
 kernel/panic.c                                     |   2 +-
 kernel/printk/printk.c                             |  12 +-
 kernel/sched/fair.c                                |  13 +-
 kernel/sched/topology.c                            |   2 +-
 lib/bitmap.c                                       |  10 +-
 mm/gup_benchmark.c                                 |   3 +
 mm/ksm.c                                           |  14 +-
 mm/memcontrol.c                                    |   2 +-
 mm/memory_hotplug.c                                |  76 +++++--
 mm/migrate.c                                       |  25 ++-
 mm/page-writeback.c                                |  33 ++-
 mm/page_io.c                                       |   7 +-
 net/core/dev.c                                     |   2 +-
 net/core/net-sysfs.c                               |  24 +-
 net/core/rtnetlink.c                               |  23 +-
 net/core/sock.c                                    |   7 +-
 net/ipv4/igmp.c                                    |  53 +++--
 net/ipv4/ip_sockglue.c                             |   6 +-
 net/ipv6/tcp_ipv6.c                                |   3 +-
 net/openvswitch/conntrack.c                        |   3 +-
 net/sched/act_pedit.c                              |  12 +-
 net/sched/act_tunnel_key.c                         |   4 +
 net/sctp/socket.c                                  |  38 +---
 net/sunrpc/auth_gss/gss_krb5_seal.c                |   1 +
 net/sunrpc/xprtsock.c                              |  34 +--
 net/unix/af_unix.c                                 |   2 +
 net/vmw_vsock/virtio_transport_common.c            |  15 +-
 net/wireless/ap.c                                  |   2 +
 net/wireless/core.h                                |   2 +
 net/wireless/sme.c                                 |   8 +-
 sound/firewire/isight.c                            |  10 +-
 sound/i2c/cs8427.c                                 |   2 +-
 sound/soc/tegra/tegra_sgtl5000.c                   |  17 +-
 sound/usb/mixer.c                                  |   3 +
 tools/bpf/bpftool/bash-completion/bpftool          |   2 +-
 tools/bpf/bpftool/common.c                         |  15 +-
 tools/bpf/bpftool/main.h                           |   2 +-
 tools/gpio/Build                                   |   1 +
 tools/gpio/Makefile                                |  10 +-
 tools/objtool/arch/x86/tools/gen-insn-attr-x86.awk |   4 +-
 tools/power/acpi/tools/acpidump/apmain.c           |   2 +-
 tools/power/x86/turbostat/turbostat.c              |  93 +++++---
 tools/testing/selftests/bpf/test_libbpf.sh         |   2 +-
 tools/testing/selftests/bpf/trace_helpers.c        |   1 +
 .../ftrace/test.d/kprobe/kprobe_args_syntax.tc     |   3 +
 tools/testing/selftests/kvm/dirty_log_test.c       |   4 +-
 .../testing/selftests/powerpc/cache_shape/Makefile |   9 +-
 tools/testing/selftests/powerpc/ptrace/Makefile    |  13 +-
 tools/testing/selftests/powerpc/signal/Makefile    |  11 +-
 .../selftests/powerpc/switch_endian/Makefile       |   1 +
 tools/testing/selftests/proc/fd-001-lookup.c       |   2 +-
 tools/testing/selftests/proc/fd-003-kthread.c      |   2 +-
 tools/testing/selftests/vm/gup_benchmark.c         |   1 +
 tools/testing/selftests/watchdog/watchdog-test.c   |  16 +-
 tools/testing/selftests/x86/mov_ss_trap.c          |   3 +-
 tools/testing/selftests/x86/sigreturn.c            |  13 ++
 tools/usb/usbip/libsrc/usbip_host_common.c         |   8 +-
 virt/kvm/kvm_main.c                                |  26 ++-
 347 files changed, 3163 insertions(+), 1630 deletions(-)



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 001/306] mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 002/306] net/mlx4_en: fix mlx4 ethtool -N insertion Greg Kroah-Hartman
                   ` (308 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Petr Machata, Ido Schimmel, David S. Miller

From: Petr Machata <petrm@mellanox.com>

[ Upstream commit 1fc1657775dc1b19e9ac1d46b4054ed8ae5d99ab ]

The helper mlxsw_sp_ipip_dev_ul_tb_id() determines the underlay VRF of a
GRE tunnel. For a tunnel without a bound device, it uses the same VRF that
the tunnel is in. However in Linux, a GRE tunnel without a bound device
uses the main VRF as the underlay. Fix the function accordingly.

mlxsw further assumed that moving a tunnel to a different VRF could cause
conflict in local tunnel endpoint address, which cannot be offloaded.
However, the only way that an underlay could be changed by moving the
tunnel device itself is if the tunnel device does not have a bound device.
But in that case the underlay is always the main VRF, so there is no
opportunity to introduce a conflict by moving such device. Thus this check
constitutes a dead code, and can be removed, which do.

Fixes: 6ddb7426a7d4 ("mlxsw: spectrum_router: Introduce loopback RIFs")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c |   19 ------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -970,7 +970,7 @@ u32 mlxsw_sp_ipip_dev_ul_tb_id(const str
 	if (d)
 		return l3mdev_fib_table(d) ? : RT_TABLE_MAIN;
 	else
-		return l3mdev_fib_table(ol_dev) ? : RT_TABLE_MAIN;
+		return RT_TABLE_MAIN;
 }
 
 static struct mlxsw_sp_rif *
@@ -1532,27 +1532,10 @@ static int mlxsw_sp_netdevice_ipip_ol_vr
 {
 	struct mlxsw_sp_ipip_entry *ipip_entry =
 		mlxsw_sp_ipip_entry_find_by_ol_dev(mlxsw_sp, ol_dev);
-	enum mlxsw_sp_l3proto ul_proto;
-	union mlxsw_sp_l3addr saddr;
-	u32 ul_tb_id;
 
 	if (!ipip_entry)
 		return 0;
 
-	/* For flat configuration cases, moving overlay to a different VRF might
-	 * cause local address conflict, and the conflicting tunnels need to be
-	 * demoted.
-	 */
-	ul_tb_id = mlxsw_sp_ipip_dev_ul_tb_id(ol_dev);
-	ul_proto = mlxsw_sp->router->ipip_ops_arr[ipip_entry->ipipt]->ul_proto;
-	saddr = mlxsw_sp_ipip_netdev_saddr(ul_proto, ol_dev);
-	if (mlxsw_sp_ipip_demote_tunnel_by_saddr(mlxsw_sp, ul_proto,
-						 saddr, ul_tb_id,
-						 ipip_entry)) {
-		mlxsw_sp_ipip_entry_demote_tunnel(mlxsw_sp, ipip_entry);
-		return 0;
-	}
-
 	return __mlxsw_sp_ipip_entry_update_tunnel(mlxsw_sp, ipip_entry,
 						   true, false, false, extack);
 }



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 002/306] net/mlx4_en: fix mlx4 ethtool -N insertion
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 001/306] mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 003/306] net/mlx4_en: Fix wrong limitation for number of TX rings Greg Kroah-Hartman
                   ` (307 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Luigi Rizzo, Tariq Toukan

From: Luigi Rizzo <lrizzo@google.com>

[ Upstream commit 34e59836565e36fade1464e054a3551c1a0364be ]

ethtool expects ETHTOOL_GRXCLSRLALL to set ethtool_rxnfc->data with the
total number of entries in the rx classifier table.  Surprisingly, mlx4
is missing this part (in principle ethtool could still move forward and
try the insert).

Tested: compiled and run command:
	phh13:~# ethtool -N eth1 flow-type udp4  queue 4
	Added rule with ID 255

Signed-off-by: Luigi Rizzo <lrizzo@google.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -1745,6 +1745,7 @@ static int mlx4_en_get_rxnfc(struct net_
 		err = mlx4_en_get_flow(dev, cmd, cmd->fs.location);
 		break;
 	case ETHTOOL_GRXCLSRLALL:
+		cmd->data = MAX_NUM_OF_FS_RULES;
 		while ((!err || err == -ENOENT) && priority < cmd->rule_cnt) {
 			err = mlx4_en_get_flow(dev, cmd, i);
 			if (!err)



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 003/306] net/mlx4_en: Fix wrong limitation for number of TX rings
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 001/306] mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 002/306] net/mlx4_en: fix mlx4 ethtool -N insertion Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 004/306] net: rtnetlink: prevent underflows in do_setvfinfo() Greg Kroah-Hartman
                   ` (306 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tariq Toukan, David S. Miller

From: Tariq Toukan <tariqt@mellanox.com>

[ Upstream commit 2744bf42680f64ebf2ee8a00354897857c073331 ]

XDP_TX rings should not be limited by max_num_tx_rings_p_up.
To make sure total number of TX rings never exceed MAX_TX_RINGS,
add similar check in mlx4_en_alloc_tx_queue_per_tc(), where
a new value is assigned for num_up.

Fixes: 7e1dc5e926d5 ("net/mlx4_en: Limit the number of TX rings")
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c |    8 ++++----
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c  |    9 +++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -1812,6 +1812,7 @@ static int mlx4_en_set_channels(struct n
 	struct mlx4_en_dev *mdev = priv->mdev;
 	struct mlx4_en_port_profile new_prof;
 	struct mlx4_en_priv *tmp;
+	int total_tx_count;
 	int port_up = 0;
 	int xdp_count;
 	int err = 0;
@@ -1826,13 +1827,12 @@ static int mlx4_en_set_channels(struct n
 
 	mutex_lock(&mdev->state_lock);
 	xdp_count = priv->tx_ring_num[TX_XDP] ? channel->rx_count : 0;
-	if (channel->tx_count * priv->prof->num_up + xdp_count >
-	    priv->mdev->profile.max_num_tx_rings_p_up * priv->prof->num_up) {
+	total_tx_count = channel->tx_count * priv->prof->num_up + xdp_count;
+	if (total_tx_count > MAX_TX_RINGS) {
 		err = -EINVAL;
 		en_err(priv,
 		       "Total number of TX and XDP rings (%d) exceeds the maximum supported (%d)\n",
-		       channel->tx_count * priv->prof->num_up  + xdp_count,
-		       MAX_TX_RINGS);
+		       total_tx_count, MAX_TX_RINGS);
 		goto out;
 	}
 
--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -92,6 +92,7 @@ int mlx4_en_alloc_tx_queue_per_tc(struct
 	struct mlx4_en_dev *mdev = priv->mdev;
 	struct mlx4_en_port_profile new_prof;
 	struct mlx4_en_priv *tmp;
+	int total_count;
 	int port_up = 0;
 	int err = 0;
 
@@ -105,6 +106,14 @@ int mlx4_en_alloc_tx_queue_per_tc(struct
 				      MLX4_EN_NUM_UP_HIGH;
 	new_prof.tx_ring_num[TX] = new_prof.num_tx_rings_p_up *
 				   new_prof.num_up;
+	total_count = new_prof.tx_ring_num[TX] + new_prof.tx_ring_num[TX_XDP];
+	if (total_count > MAX_TX_RINGS) {
+		err = -EINVAL;
+		en_err(priv,
+		       "Total number of TX and XDP rings (%d) exceeds the maximum supported (%d)\n",
+		       total_count, MAX_TX_RINGS);
+		goto out;
+	}
 	err = mlx4_en_try_alloc_resources(priv, tmp, &new_prof, true);
 	if (err)
 		goto out;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 004/306] net: rtnetlink: prevent underflows in do_setvfinfo()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 003/306] net/mlx4_en: Fix wrong limitation for number of TX rings Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 005/306] net/sched: act_pedit: fix WARN() in the traffic path Greg Kroah-Hartman
                   ` (305 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit d658c8f56ec7b3de8051a24afb25da9ba3c388c5 ]

The "ivm->vf" variable is a u32, but the problem is that a number of
drivers cast it to an int and then forget to check for negatives.  An
example of this is in the cxgb4 driver.

drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
  2890  static int cxgb4_mgmt_get_vf_config(struct net_device *dev,
  2891                                      int vf, struct ifla_vf_info *ivi)
                                            ^^^^^^
  2892  {
  2893          struct port_info *pi = netdev_priv(dev);
  2894          struct adapter *adap = pi->adapter;
  2895          struct vf_info *vfinfo;
  2896
  2897          if (vf >= adap->num_vfs)
                    ^^^^^^^^^^^^^^^^^^^
  2898                  return -EINVAL;
  2899          vfinfo = &adap->vfinfo[vf];
                ^^^^^^^^^^^^^^^^^^^^^^^^^^

There are 48 functions affected.

drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646'
drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646'
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max'
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254'
drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534'
drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534'
drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534'
drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534'
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646'

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |   23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2126,6 +2126,8 @@ static int do_setvfinfo(struct net_devic
 	if (tb[IFLA_VF_MAC]) {
 		struct ifla_vf_mac *ivm = nla_data(tb[IFLA_VF_MAC]);
 
+		if (ivm->vf >= INT_MAX)
+			return -EINVAL;
 		err = -EOPNOTSUPP;
 		if (ops->ndo_set_vf_mac)
 			err = ops->ndo_set_vf_mac(dev, ivm->vf,
@@ -2137,6 +2139,8 @@ static int do_setvfinfo(struct net_devic
 	if (tb[IFLA_VF_VLAN]) {
 		struct ifla_vf_vlan *ivv = nla_data(tb[IFLA_VF_VLAN]);
 
+		if (ivv->vf >= INT_MAX)
+			return -EINVAL;
 		err = -EOPNOTSUPP;
 		if (ops->ndo_set_vf_vlan)
 			err = ops->ndo_set_vf_vlan(dev, ivv->vf, ivv->vlan,
@@ -2169,6 +2173,8 @@ static int do_setvfinfo(struct net_devic
 		if (len == 0)
 			return -EINVAL;
 
+		if (ivvl[0]->vf >= INT_MAX)
+			return -EINVAL;
 		err = ops->ndo_set_vf_vlan(dev, ivvl[0]->vf, ivvl[0]->vlan,
 					   ivvl[0]->qos, ivvl[0]->vlan_proto);
 		if (err < 0)
@@ -2179,6 +2185,8 @@ static int do_setvfinfo(struct net_devic
 		struct ifla_vf_tx_rate *ivt = nla_data(tb[IFLA_VF_TX_RATE]);
 		struct ifla_vf_info ivf;
 
+		if (ivt->vf >= INT_MAX)
+			return -EINVAL;
 		err = -EOPNOTSUPP;
 		if (ops->ndo_get_vf_config)
 			err = ops->ndo_get_vf_config(dev, ivt->vf, &ivf);
@@ -2197,6 +2205,8 @@ static int do_setvfinfo(struct net_devic
 	if (tb[IFLA_VF_RATE]) {
 		struct ifla_vf_rate *ivt = nla_data(tb[IFLA_VF_RATE]);
 
+		if (ivt->vf >= INT_MAX)
+			return -EINVAL;
 		err = -EOPNOTSUPP;
 		if (ops->ndo_set_vf_rate)
 			err = ops->ndo_set_vf_rate(dev, ivt->vf,
@@ -2209,6 +2219,8 @@ static int do_setvfinfo(struct net_devic
 	if (tb[IFLA_VF_SPOOFCHK]) {
 		struct ifla_vf_spoofchk *ivs = nla_data(tb[IFLA_VF_SPOOFCHK]);
 
+		if (ivs->vf >= INT_MAX)
+			return -EINVAL;
 		err = -EOPNOTSUPP;
 		if (ops->ndo_set_vf_spoofchk)
 			err = ops->ndo_set_vf_spoofchk(dev, ivs->vf,
@@ -2220,6 +2232,8 @@ static int do_setvfinfo(struct net_devic
 	if (tb[IFLA_VF_LINK_STATE]) {
 		struct ifla_vf_link_state *ivl = nla_data(tb[IFLA_VF_LINK_STATE]);
 
+		if (ivl->vf >= INT_MAX)
+			return -EINVAL;
 		err = -EOPNOTSUPP;
 		if (ops->ndo_set_vf_link_state)
 			err = ops->ndo_set_vf_link_state(dev, ivl->vf,
@@ -2233,6 +2247,8 @@ static int do_setvfinfo(struct net_devic
 
 		err = -EOPNOTSUPP;
 		ivrssq_en = nla_data(tb[IFLA_VF_RSS_QUERY_EN]);
+		if (ivrssq_en->vf >= INT_MAX)
+			return -EINVAL;
 		if (ops->ndo_set_vf_rss_query_en)
 			err = ops->ndo_set_vf_rss_query_en(dev, ivrssq_en->vf,
 							   ivrssq_en->setting);
@@ -2243,6 +2259,8 @@ static int do_setvfinfo(struct net_devic
 	if (tb[IFLA_VF_TRUST]) {
 		struct ifla_vf_trust *ivt = nla_data(tb[IFLA_VF_TRUST]);
 
+		if (ivt->vf >= INT_MAX)
+			return -EINVAL;
 		err = -EOPNOTSUPP;
 		if (ops->ndo_set_vf_trust)
 			err = ops->ndo_set_vf_trust(dev, ivt->vf, ivt->setting);
@@ -2253,15 +2271,18 @@ static int do_setvfinfo(struct net_devic
 	if (tb[IFLA_VF_IB_NODE_GUID]) {
 		struct ifla_vf_guid *ivt = nla_data(tb[IFLA_VF_IB_NODE_GUID]);
 
+		if (ivt->vf >= INT_MAX)
+			return -EINVAL;
 		if (!ops->ndo_set_vf_guid)
 			return -EOPNOTSUPP;
-
 		return handle_vf_guid(dev, ivt, IFLA_VF_IB_NODE_GUID);
 	}
 
 	if (tb[IFLA_VF_IB_PORT_GUID]) {
 		struct ifla_vf_guid *ivt = nla_data(tb[IFLA_VF_IB_PORT_GUID]);
 
+		if (ivt->vf >= INT_MAX)
+			return -EINVAL;
 		if (!ops->ndo_set_vf_guid)
 			return -EOPNOTSUPP;
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 005/306] net/sched: act_pedit: fix WARN() in the traffic path
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 004/306] net: rtnetlink: prevent underflows in do_setvfinfo() Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 006/306] net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key Greg Kroah-Hartman
                   ` (304 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Davide Caratti, David S. Miller

From: Davide Caratti <dcaratti@redhat.com>

[ Upstream commit f67169fef8dbcc1ac6a6a109ecaad0d3b259002c ]

when configuring act_pedit rules, the number of keys is validated only on
addition of a new entry. This is not sufficient to avoid hitting a WARN()
in the traffic path: for example, it is possible to replace a valid entry
with a new one having 0 extended keys, thus causing splats in dmesg like:

 pedit BUG: index 42
 WARNING: CPU: 2 PID: 4054 at net/sched/act_pedit.c:410 tcf_pedit_act+0xc84/0x1200 [act_pedit]
 [...]
 RIP: 0010:tcf_pedit_act+0xc84/0x1200 [act_pedit]
 Code: 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ac 00 00 00 48 8b 44 24 10 48 c7 c7 a0 c4 e4 c0 8b 70 18 e8 1c 30 95 ea <0f> 0b e9 a0 fa ff ff e8 00 03 f5 ea e9 14 f4 ff ff 48 89 58 40 e9
 RSP: 0018:ffff888077c9f320 EFLAGS: 00010286
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffac2983a2
 RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888053927bec
 RBP: dffffc0000000000 R08: ffffed100a726209 R09: ffffed100a726209
 R10: 0000000000000001 R11: ffffed100a726208 R12: ffff88804beea780
 R13: ffff888079a77400 R14: ffff88804beea780 R15: ffff888027ab2000
 FS:  00007fdeec9bd740(0000) GS:ffff888053900000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007ffdb3dfd000 CR3: 000000004adb4006 CR4: 00000000001606e0
 Call Trace:
  tcf_action_exec+0x105/0x3f0
  tcf_classify+0xf2/0x410
  __dev_queue_xmit+0xcbf/0x2ae0
  ip_finish_output2+0x711/0x1fb0
  ip_output+0x1bf/0x4b0
  ip_send_skb+0x37/0xa0
  raw_sendmsg+0x180c/0x2430
  sock_sendmsg+0xdb/0x110
  __sys_sendto+0x257/0x2b0
  __x64_sys_sendto+0xdd/0x1b0
  do_syscall_64+0xa5/0x4e0
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
 RIP: 0033:0x7fdeeb72e993
 Code: 48 8b 0d e0 74 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 0d d6 2c 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 4b cc 00 00 48 89 04 24
 RSP: 002b:00007ffdb3de8a18 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 000055c81972b700 RCX: 00007fdeeb72e993
 RDX: 0000000000000040 RSI: 000055c81972b700 RDI: 0000000000000003
 RBP: 00007ffdb3dea130 R08: 000055c819728510 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
 R13: 000055c81972b6c0 R14: 000055c81972969c R15: 0000000000000080

Fix this moving the check on 'nkeys' earlier in tcf_pedit_init(), so that
attempts to install rules having 0 keys are always rejected with -EINVAL.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_pedit.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -46,7 +46,7 @@ static struct tcf_pedit_key_ex *tcf_pedi
 	int err = -EINVAL;
 	int rem;
 
-	if (!nla || !n)
+	if (!nla)
 		return NULL;
 
 	keys_ex = kcalloc(n, sizeof(*k), GFP_KERNEL);
@@ -169,6 +169,10 @@ static int tcf_pedit_init(struct net *ne
 	}
 
 	parm = nla_data(pattr);
+	if (!parm->nkeys) {
+		NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed");
+		return -EINVAL;
+	}
 	ksize = parm->nkeys * sizeof(struct tc_pedit_key);
 	if (nla_len(pattr) < sizeof(*parm) + ksize) {
 		NL_SET_ERR_MSG_ATTR(extack, pattr, "Length of TCA_PEDIT_PARMS or TCA_PEDIT_PARMS_EX pedit attribute is invalid");
@@ -182,12 +186,6 @@ static int tcf_pedit_init(struct net *ne
 	index = parm->index;
 	err = tcf_idr_check_alloc(tn, &index, a, bind);
 	if (!err) {
-		if (!parm->nkeys) {
-			tcf_idr_cleanup(tn, index);
-			NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed");
-			ret = -EINVAL;
-			goto out_free;
-		}
 		ret = tcf_idr_create(tn, index, est, a,
 				     &act_pedit_ops, bind, false);
 		if (ret) {



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 006/306] net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 005/306] net/sched: act_pedit: fix WARN() in the traffic path Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 007/306] sfc: Only cancel the PPS workqueue if it exists Greg Kroah-Hartman
                   ` (303 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Simon Horman, David S. Miller

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 4f0e97d070984d487df027f163e52bb72d1713d8 ]

info->options_len is 'u8' type, and when opts_len with a value >
IP_TUNNEL_OPTS_MAX, 'info->options_len = opts_len' will cast int
to u8 and set a wrong value to info->options_len.

Kernel crashed in my test when doing:

  # opts="0102:80:00800022"
  # for i in {1..99}; do opts="$opts,0102:80:00800022"; done
  # ip link add name geneve0 type geneve dstport 0 external
  # tc qdisc add dev eth0 ingress
  # tc filter add dev eth0 protocol ip parent ffff: \
       flower indev eth0 ip_proto udp action tunnel_key \
       set src_ip 10.0.99.192 dst_ip 10.0.99.193 \
       dst_port 6081 id 11 geneve_opts $opts \
       action mirred egress redirect dev geneve0

So we should do the similar check as cls_flower does, return error
when opts_len > IP_TUNNEL_OPTS_MAX in tunnel_key_copy_opts().

Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_tunnel_key.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -137,6 +137,10 @@ static int tunnel_key_copy_opts(const st
 			if (opt_len < 0)
 				return opt_len;
 			opts_len += opt_len;
+			if (opts_len > IP_TUNNEL_OPTS_MAX) {
+				NL_SET_ERR_MSG(extack, "Tunnel options exceeds max size");
+				return -EINVAL;
+			}
 			if (dst) {
 				dst_len -= opt_len;
 				dst += opt_len;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 007/306] sfc: Only cancel the PPS workqueue if it exists
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 006/306] net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 008/306] net/mlx5e: Fix set vf link state error flow Greg Kroah-Hartman
                   ` (302 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Habets, David S. Miller

From: Martin Habets <mhabets@solarflare.com>

[ Upstream commit 723eb53690041740a13ac78efeaf6804f5d684c9 ]

The workqueue only exists for the primary PF. For other functions
we hit a WARN_ON in kernel/workqueue.c.

Fixes: 7c236c43b838 ("sfc: Add support for IEEE-1588 PTP")
Signed-off-by: Martin Habets <mhabets@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/sfc/ptp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/sfc/ptp.c
+++ b/drivers/net/ethernet/sfc/ptp.c
@@ -1534,7 +1534,8 @@ void efx_ptp_remove(struct efx_nic *efx)
 	(void)efx_ptp_disable(efx);
 
 	cancel_work_sync(&efx->ptp_data->work);
-	cancel_work_sync(&efx->ptp_data->pps_work);
+	if (efx->ptp_data->pps_workwq)
+		cancel_work_sync(&efx->ptp_data->pps_work);
 
 	skb_queue_purge(&efx->ptp_data->rxq);
 	skb_queue_purge(&efx->ptp_data->txq);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 008/306] net/mlx5e: Fix set vf link state error flow
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 007/306] sfc: Only cancel the PPS workqueue if it exists Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 009/306] net/mlxfw: Verify FSM error code translation doesnt exceed array size Greg Kroah-Hartman
                   ` (301 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roi Dayan, Vlad Buslov, Saeed Mahameed

From: Roi Dayan <roid@mellanox.com>

[ Upstream commit 751021218f7e66ee9bbaa2be23056e447cd75ec4 ]

Before this commit the ndo always returned success.
Fix that.

Fixes: 1ab2068a4c66 ("net/mlx5: Implement vports admin state backup/restore")
Signed-off-by: Roi Dayan <roid@mellanox.com>
Reviewed-by: Vlad Buslov <vladbu@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1861,7 +1861,7 @@ int mlx5_eswitch_set_vport_state(struct
 
 unlock:
 	mutex_unlock(&esw->state_lock);
-	return 0;
+	return err;
 }
 
 int mlx5_eswitch_get_vport_config(struct mlx5_eswitch *esw,



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 009/306] net/mlxfw: Verify FSM error code translation doesnt exceed array size
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 008/306] net/mlx5e: Fix set vf link state error flow Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 010/306] net/mlx5: Fix auto group size calculation Greg Kroah-Hartman
                   ` (300 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eran Ben Elisha, Jiri Pirko, Saeed Mahameed

From: Eran Ben Elisha <eranbe@mellanox.com>

[ Upstream commit 30e9e0550bf693c94bc15827781fe42dd60be634 ]

Array mlxfw_fsm_state_err_str contains value to string translation, when
values are provided by mlxfw_dev. If value is larger than
MLXFW_FSM_STATE_ERR_MAX, return "unknown error" as expected instead of
reading an address than exceed array size.

Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
+++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
@@ -86,6 +86,8 @@ retry:
 		return err;
 
 	if (fsm_state_err != MLXFW_FSM_STATE_ERR_OK) {
+		fsm_state_err = min_t(enum mlxfw_fsm_state_err,
+				      fsm_state_err, MLXFW_FSM_STATE_ERR_MAX);
 		pr_err("Firmware flash failed: %s\n",
 		       mlxfw_fsm_state_err_str[fsm_state_err]);
 		return -EINVAL;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 010/306] net/mlx5: Fix auto group size calculation
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 009/306] net/mlxfw: Verify FSM error code translation doesnt exceed array size Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 011/306] vhost/vsock: split packets to send using multiple buffers Greg Kroah-Hartman
                   ` (299 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maor Gottlieb, Saeed Mahameed

From: Maor Gottlieb <maorg@mellanox.com>

[ Upstream commit 97fd8da281f80e7e69e0114bc906575734d4dfaf ]

Once all the large flow groups (defined by the user when the flow table
is created - max_num_groups) were created, then all the following new
flow groups will have only one flow table entry, even though the flow table
has place to larger groups.
Fix the condition to prefer large flow group.

Fixes: f0d22d187473 ("net/mlx5_core: Introduce flow steering autogrouped flow table")
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c |   10 ++++++----
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.h |    1 +
 2 files changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -520,7 +520,7 @@ static void del_sw_flow_group(struct fs_
 
 	rhashtable_destroy(&fg->ftes_hash);
 	ida_destroy(&fg->fte_allocator);
-	if (ft->autogroup.active)
+	if (ft->autogroup.active && fg->max_ftes == ft->autogroup.group_size)
 		ft->autogroup.num_groups--;
 	err = rhltable_remove(&ft->fgs_hash,
 			      &fg->hash,
@@ -1065,6 +1065,8 @@ mlx5_create_auto_grouped_flow_table(stru
 
 	ft->autogroup.active = true;
 	ft->autogroup.required_groups = max_num_groups;
+	/* We save place for flow groups in addition to max types */
+	ft->autogroup.group_size = ft->max_fte / (max_num_groups + 1);
 
 	return ft;
 }
@@ -1270,8 +1272,7 @@ static struct mlx5_flow_group *alloc_aut
 		return ERR_PTR(-ENOENT);
 
 	if (ft->autogroup.num_groups < ft->autogroup.required_groups)
-		/* We save place for flow groups in addition to max types */
-		group_size = ft->max_fte / (ft->autogroup.required_groups + 1);
+		group_size = ft->autogroup.group_size;
 
 	/*  ft->max_fte == ft->autogroup.max_types */
 	if (group_size == 0)
@@ -1298,7 +1299,8 @@ static struct mlx5_flow_group *alloc_aut
 	if (IS_ERR(fg))
 		goto out;
 
-	ft->autogroup.num_groups++;
+	if (group_size == ft->autogroup.group_size)
+		ft->autogroup.num_groups++;
 
 out:
 	return fg;
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
@@ -121,6 +121,7 @@ struct mlx5_flow_table {
 	struct {
 		bool			active;
 		unsigned int		required_groups;
+		unsigned int		group_size;
 		unsigned int		num_groups;
 	} autogroup;
 	/* Protect fwd_rules */



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 011/306] vhost/vsock: split packets to send using multiple buffers
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 010/306] net/mlx5: Fix auto group size calculation Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 012/306] gpio: max77620: Fixup debounce delays Greg Kroah-Hartman
                   ` (298 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefano Garzarella, Stefan Hajnoczi,
	Michael S. Tsirkin, David S. Miller

From: Stefano Garzarella <sgarzare@redhat.com>

commit 6dbd3e66e7785a2f055bf84d98de9b8fd31ff3f5 upstream.

If the packets to sent to the guest are bigger than the buffer
available, we can split them, using multiple buffers and fixing
the length in the packet header.
This is safe since virtio-vsock supports only stream sockets.

Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/vhost/vsock.c                   |   66 +++++++++++++++++++++++---------
 net/vmw_vsock/virtio_transport_common.c |   15 +++++--
 2 files changed, 60 insertions(+), 21 deletions(-)

--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -103,7 +103,7 @@ vhost_transport_do_send_pkt(struct vhost
 		struct iov_iter iov_iter;
 		unsigned out, in;
 		size_t nbytes;
-		size_t len;
+		size_t iov_len, payload_len;
 		int head;
 
 		spin_lock_bh(&vsock->send_pkt_list_lock);
@@ -148,8 +148,24 @@ vhost_transport_do_send_pkt(struct vhost
 			break;
 		}
 
-		len = iov_length(&vq->iov[out], in);
-		iov_iter_init(&iov_iter, READ, &vq->iov[out], in, len);
+		iov_len = iov_length(&vq->iov[out], in);
+		if (iov_len < sizeof(pkt->hdr)) {
+			virtio_transport_free_pkt(pkt);
+			vq_err(vq, "Buffer len [%zu] too small\n", iov_len);
+			break;
+		}
+
+		iov_iter_init(&iov_iter, READ, &vq->iov[out], in, iov_len);
+		payload_len = pkt->len - pkt->off;
+
+		/* If the packet is greater than the space available in the
+		 * buffer, we split it using multiple buffers.
+		 */
+		if (payload_len > iov_len - sizeof(pkt->hdr))
+			payload_len = iov_len - sizeof(pkt->hdr);
+
+		/* Set the correct length in the header */
+		pkt->hdr.len = cpu_to_le32(payload_len);
 
 		nbytes = copy_to_iter(&pkt->hdr, sizeof(pkt->hdr), &iov_iter);
 		if (nbytes != sizeof(pkt->hdr)) {
@@ -158,33 +174,47 @@ vhost_transport_do_send_pkt(struct vhost
 			break;
 		}
 
-		nbytes = copy_to_iter(pkt->buf, pkt->len, &iov_iter);
-		if (nbytes != pkt->len) {
+		nbytes = copy_to_iter(pkt->buf + pkt->off, payload_len,
+				      &iov_iter);
+		if (nbytes != payload_len) {
 			virtio_transport_free_pkt(pkt);
 			vq_err(vq, "Faulted on copying pkt buf\n");
 			break;
 		}
 
-		vhost_add_used(vq, head, sizeof(pkt->hdr) + pkt->len);
+		vhost_add_used(vq, head, sizeof(pkt->hdr) + payload_len);
 		added = true;
 
-		if (pkt->reply) {
-			int val;
-
-			val = atomic_dec_return(&vsock->queued_replies);
-
-			/* Do we have resources to resume tx processing? */
-			if (val + 1 == tx_vq->num)
-				restart_tx = true;
-		}
-
 		/* Deliver to monitoring devices all correctly transmitted
 		 * packets.
 		 */
 		virtio_transport_deliver_tap_pkt(pkt);
 
-		total_len += pkt->len;
-		virtio_transport_free_pkt(pkt);
+		pkt->off += payload_len;
+		total_len += payload_len;
+
+		/* If we didn't send all the payload we can requeue the packet
+		 * to send it with the next available buffer.
+		 */
+		if (pkt->off < pkt->len) {
+			spin_lock_bh(&vsock->send_pkt_list_lock);
+			list_add(&pkt->list, &vsock->send_pkt_list);
+			spin_unlock_bh(&vsock->send_pkt_list_lock);
+		} else {
+			if (pkt->reply) {
+				int val;
+
+				val = atomic_dec_return(&vsock->queued_replies);
+
+				/* Do we have resources to resume tx
+				 * processing?
+				 */
+				if (val + 1 == tx_vq->num)
+					restart_tx = true;
+			}
+
+			virtio_transport_free_pkt(pkt);
+		}
 	} while(likely(!vhost_exceeds_weight(vq, ++pkts, total_len)));
 	if (added)
 		vhost_signal(&vsock->dev, vq);
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -92,8 +92,17 @@ static struct sk_buff *virtio_transport_
 	struct virtio_vsock_pkt *pkt = opaque;
 	struct af_vsockmon_hdr *hdr;
 	struct sk_buff *skb;
+	size_t payload_len;
+	void *payload_buf;
 
-	skb = alloc_skb(sizeof(*hdr) + sizeof(pkt->hdr) + pkt->len,
+	/* A packet could be split to fit the RX buffer, so we can retrieve
+	 * the payload length from the header and the buffer pointer taking
+	 * care of the offset in the original packet.
+	 */
+	payload_len = le32_to_cpu(pkt->hdr.len);
+	payload_buf = pkt->buf + pkt->off;
+
+	skb = alloc_skb(sizeof(*hdr) + sizeof(pkt->hdr) + payload_len,
 			GFP_ATOMIC);
 	if (!skb)
 		return NULL;
@@ -133,8 +142,8 @@ static struct sk_buff *virtio_transport_
 
 	skb_put_data(skb, &pkt->hdr, sizeof(pkt->hdr));
 
-	if (pkt->len) {
-		skb_put_data(skb, pkt->buf, pkt->len);
+	if (payload_len) {
+		skb_put_data(skb, payload_buf, payload_len);
 	}
 
 	return skb;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 012/306] gpio: max77620: Fixup debounce delays
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 011/306] vhost/vsock: split packets to send using multiple buffers Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 013/306] tools: gpio: Correctly add make dependencies for gpio_utils Greg Kroah-Hartman
                   ` (297 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Machek, Thierry Reding,
	Bartosz Golaszewski

From: Thierry Reding <treding@nvidia.com>

commit b0391479ae04dfcbd208b9571c375064caad9a57 upstream.

When converting milliseconds to microseconds in commit fffa6af94894
("gpio: max77620: Use correct unit for debounce times") some ~1 ms gaps
were introduced between the various ranges supported by the controller.
Fix this by changing the start of each range to the value immediately
following the end of the previous range. This way a debounce time of,
say 8250 us will translate into 16 ms instead of returning an -EINVAL
error.

Typically the debounce delay is only ever set through device tree and
specified in milliseconds, so we can never really hit this issue because
debounce times are always a multiple of 1000 us.

The only notable exception for this is drivers/mmc/host/mmc-spi.c where
the CD GPIO is requested, which passes a 1 us debounce time. According
to a comment preceeding that code this should actually be 1 ms (i.e.
1000 us).

Reported-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Acked-by: Pavel Machek <pavel@denx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpio-max77620.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/gpio/gpio-max77620.c
+++ b/drivers/gpio/gpio-max77620.c
@@ -163,13 +163,13 @@ static int max77620_gpio_set_debounce(st
 	case 0:
 		val = MAX77620_CNFG_GPIO_DBNC_None;
 		break;
-	case 1000 ... 8000:
+	case 1 ... 8000:
 		val = MAX77620_CNFG_GPIO_DBNC_8ms;
 		break;
-	case 9000 ... 16000:
+	case 8001 ... 16000:
 		val = MAX77620_CNFG_GPIO_DBNC_16ms;
 		break;
-	case 17000 ... 32000:
+	case 16001 ... 32000:
 		val = MAX77620_CNFG_GPIO_DBNC_32ms;
 		break;
 	default:



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 013/306] tools: gpio: Correctly add make dependencies for gpio_utils
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 012/306] gpio: max77620: Fixup debounce delays Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 014/306] nbd:fix memory leak in nbd_get_socket() Greg Kroah-Hartman
                   ` (296 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laura Abbott, Bartosz Golaszewski

From: Laura Abbott <labbott@redhat.com>

commit 0161a94e2d1c713bd34d72bc0239d87c31747bf7 upstream.

gpio tools fail to build correctly with make parallelization:

$ make -s -j24
ld: gpio-utils.o: file not recognized: file truncated
make[1]: *** [/home/labbott/linux_upstream/tools/build/Makefile.build:145: lsgpio-in.o] Error 1
make: *** [Makefile:43: lsgpio-in.o] Error 2
make: *** Waiting for unfinished jobs....

This is because gpio-utils.o is used across multiple targets.
Fix this by making gpio-utios.o a proper dependency.

Cc: <stable@vger.kernel.org>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/gpio/Build    |    1 +
 tools/gpio/Makefile |   10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

--- a/tools/gpio/Build
+++ b/tools/gpio/Build
@@ -1,3 +1,4 @@
+gpio-utils-y += gpio-utils.o
 lsgpio-y += lsgpio.o gpio-utils.o
 gpio-hammer-y += gpio-hammer.o gpio-utils.o
 gpio-event-mon-y += gpio-event-mon.o gpio-utils.o
--- a/tools/gpio/Makefile
+++ b/tools/gpio/Makefile
@@ -35,11 +35,15 @@ $(OUTPUT)include/linux/gpio.h: ../../inc
 
 prepare: $(OUTPUT)include/linux/gpio.h
 
+GPIO_UTILS_IN := $(output)gpio-utils-in.o
+$(GPIO_UTILS_IN): prepare FORCE
+	$(Q)$(MAKE) $(build)=gpio-utils
+
 #
 # lsgpio
 #
 LSGPIO_IN := $(OUTPUT)lsgpio-in.o
-$(LSGPIO_IN): prepare FORCE
+$(LSGPIO_IN): prepare FORCE $(OUTPUT)gpio-utils-in.o
 	$(Q)$(MAKE) $(build)=lsgpio
 $(OUTPUT)lsgpio: $(LSGPIO_IN)
 	$(QUIET_LINK)$(CC) $(CFLAGS) $(LDFLAGS) $< -o $@
@@ -48,7 +52,7 @@ $(OUTPUT)lsgpio: $(LSGPIO_IN)
 # gpio-hammer
 #
 GPIO_HAMMER_IN := $(OUTPUT)gpio-hammer-in.o
-$(GPIO_HAMMER_IN): prepare FORCE
+$(GPIO_HAMMER_IN): prepare FORCE $(OUTPUT)gpio-utils-in.o
 	$(Q)$(MAKE) $(build)=gpio-hammer
 $(OUTPUT)gpio-hammer: $(GPIO_HAMMER_IN)
 	$(QUIET_LINK)$(CC) $(CFLAGS) $(LDFLAGS) $< -o $@
@@ -57,7 +61,7 @@ $(OUTPUT)gpio-hammer: $(GPIO_HAMMER_IN)
 # gpio-event-mon
 #
 GPIO_EVENT_MON_IN := $(OUTPUT)gpio-event-mon-in.o
-$(GPIO_EVENT_MON_IN): prepare FORCE
+$(GPIO_EVENT_MON_IN): prepare FORCE $(OUTPUT)gpio-utils-in.o
 	$(Q)$(MAKE) $(build)=gpio-event-mon
 $(OUTPUT)gpio-event-mon: $(GPIO_EVENT_MON_IN)
 	$(QUIET_LINK)$(CC) $(CFLAGS) $(LDFLAGS) $< -o $@



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 014/306] nbd:fix memory leak in nbd_get_socket()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 013/306] tools: gpio: Correctly add make dependencies for gpio_utils Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 015/306] virtio_console: allocate inbufs in add_port() only if it is needed Greg Kroah-Hartman
                   ` (295 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, Mike Christie, Sun Ke,
	Jens Axboe

From: Sun Ke <sunke32@huawei.com>

commit dff10bbea4be47bdb615b036c834a275b7c68133 upstream.

Before returning NULL, put the sock first.

Cc: stable@vger.kernel.org
Fixes: cf1b2326b734 ("nbd: verify socket is supported during setup")
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Sun Ke <sunke32@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/nbd.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -945,6 +945,7 @@ static struct socket *nbd_get_socket(str
 	if (sock->ops->shutdown == sock_no_shutdown) {
 		dev_err(disk_to_dev(nbd->disk), "Unsupported socket: shutdown callout must be supported.\n");
 		*err = -EINVAL;
+		sockfd_put(sock);
 		return NULL;
 	}
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 015/306] virtio_console: allocate inbufs in add_port() only if it is needed
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 014/306] nbd:fix memory leak in nbd_get_socket() Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 016/306] Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()" Greg Kroah-Hartman
                   ` (294 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, mst, Laurent Vivier

From: Laurent Vivier <lvivier@redhat.com>

commit d791cfcbf98191122af70b053a21075cb450d119 upstream.

When we hot unplug a virtserialport and then try to hot plug again,
it fails:

(qemu) chardev-add socket,id=serial0,path=/tmp/serial0,server,nowait
(qemu) device_add virtserialport,bus=virtio-serial0.0,nr=2,\
                  chardev=serial0,id=serial0,name=serial0
(qemu) device_del serial0
(qemu) device_add virtserialport,bus=virtio-serial0.0,nr=2,\
                  chardev=serial0,id=serial0,name=serial0
kernel error:
  virtio-ports vport2p2: Error allocating inbufs
qemu error:
  virtio-serial-bus: Guest failure in adding port 2 for device \
                     virtio-serial0.0

This happens because buffers for the in_vq are allocated when the port is
added but are not released when the port is unplugged.

They are only released when virtconsole is removed (see a7a69ec0d8e4)

To avoid the problem and to be symmetric, we could allocate all the buffers
in init_vqs() as they are released in remove_vqs(), but it sounds like
a waste of memory.

Rather than that, this patch changes add_port() logic to ignore ENOSPC
error in fill_queue(), which means queue has already been filled.

Fixes: a7a69ec0d8e4 ("virtio_console: free buffers after reset")
Cc: mst@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/virtio_console.c |   28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1349,24 +1349,24 @@ static void set_console_size(struct port
 	port->cons.ws.ws_col = cols;
 }
 
-static unsigned int fill_queue(struct virtqueue *vq, spinlock_t *lock)
+static int fill_queue(struct virtqueue *vq, spinlock_t *lock)
 {
 	struct port_buffer *buf;
-	unsigned int nr_added_bufs;
+	int nr_added_bufs;
 	int ret;
 
 	nr_added_bufs = 0;
 	do {
 		buf = alloc_buf(vq->vdev, PAGE_SIZE, 0);
 		if (!buf)
-			break;
+			return -ENOMEM;
 
 		spin_lock_irq(lock);
 		ret = add_inbuf(vq, buf);
 		if (ret < 0) {
 			spin_unlock_irq(lock);
 			free_buf(buf, true);
-			break;
+			return ret;
 		}
 		nr_added_bufs++;
 		spin_unlock_irq(lock);
@@ -1386,7 +1386,6 @@ static int add_port(struct ports_device
 	char debugfs_name[16];
 	struct port *port;
 	dev_t devt;
-	unsigned int nr_added_bufs;
 	int err;
 
 	port = kmalloc(sizeof(*port), GFP_KERNEL);
@@ -1445,11 +1444,13 @@ static int add_port(struct ports_device
 	spin_lock_init(&port->outvq_lock);
 	init_waitqueue_head(&port->waitqueue);
 
-	/* Fill the in_vq with buffers so the host can send us data. */
-	nr_added_bufs = fill_queue(port->in_vq, &port->inbuf_lock);
-	if (!nr_added_bufs) {
+	/* We can safely ignore ENOSPC because it means
+	 * the queue already has buffers. Buffers are removed
+	 * only by virtcons_remove(), not by unplug_port()
+	 */
+	err = fill_queue(port->in_vq, &port->inbuf_lock);
+	if (err < 0 && err != -ENOSPC) {
 		dev_err(port->dev, "Error allocating inbufs\n");
-		err = -ENOMEM;
 		goto free_device;
 	}
 
@@ -2083,14 +2084,11 @@ static int virtcons_probe(struct virtio_
 	INIT_WORK(&portdev->control_work, &control_work_handler);
 
 	if (multiport) {
-		unsigned int nr_added_bufs;
-
 		spin_lock_init(&portdev->c_ivq_lock);
 		spin_lock_init(&portdev->c_ovq_lock);
 
-		nr_added_bufs = fill_queue(portdev->c_ivq,
-					   &portdev->c_ivq_lock);
-		if (!nr_added_bufs) {
+		err = fill_queue(portdev->c_ivq, &portdev->c_ivq_lock);
+		if (err < 0) {
 			dev_err(&vdev->dev,
 				"Error allocating buffers for control queue\n");
 			/*
@@ -2101,7 +2099,7 @@ static int virtcons_probe(struct virtio_
 					   VIRTIO_CONSOLE_DEVICE_READY, 0);
 			/* Device was functional: we need full cleanup. */
 			virtcons_remove(vdev);
-			return -ENOMEM;
+			return err;
 		}
 	} else {
 		/*



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 016/306] Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()"
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 015/306] virtio_console: allocate inbufs in add_port() only if it is needed Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 017/306] mm/ksm.c: dont WARN if page is still mapped in remove_stable_node() Greg Kroah-Hartman
                   ` (293 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joseph Qi, Thomas Voegtle,
	Changwei Ge, Jia-Ju Bai, Mark Fasheh, Joel Becker, Junxiao Bi,
	Gang He, Jun Piao, Andrew Morton, Linus Torvalds

From: Joseph Qi <joseph.qi@linux.alibaba.com>

commit 94b07b6f9e2e996afff7395de6b35f34f4cb10bf upstream.

This reverts commit 56e94ea132bb5c2c1d0b60a6aeb34dcb7d71a53d.

Commit 56e94ea132bb ("fs: ocfs2: fix possible null-pointer dereferences
in ocfs2_xa_prepare_entry()") introduces a regression that fail to
create directory with mount option user_xattr and acl.  Actually the
reported NULL pointer dereference case can be correctly handled by
loc->xl_ops->xlo_add_entry(), so revert it.

Link: http://lkml.kernel.org/r/1573624916-83825-1-git-send-email-joseph.qi@linux.alibaba.com
Fixes: 56e94ea132bb ("fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reported-by: Thomas Voegtle <tv@lio96.de>
Acked-by: Changwei Ge <gechangwei@live.cn>
Cc: Jia-Ju Bai <baijiaju1990@gmail.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/xattr.c |   56 ++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 33 insertions(+), 23 deletions(-)

--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -1498,6 +1498,18 @@ static int ocfs2_xa_check_space(struct o
 	return loc->xl_ops->xlo_check_space(loc, xi);
 }
 
+static void ocfs2_xa_add_entry(struct ocfs2_xa_loc *loc, u32 name_hash)
+{
+	loc->xl_ops->xlo_add_entry(loc, name_hash);
+	loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash);
+	/*
+	 * We can't leave the new entry's xe_name_offset at zero or
+	 * add_namevalue() will go nuts.  We set it to the size of our
+	 * storage so that it can never be less than any other entry.
+	 */
+	loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size);
+}
+
 static void ocfs2_xa_add_namevalue(struct ocfs2_xa_loc *loc,
 				   struct ocfs2_xattr_info *xi)
 {
@@ -2129,31 +2141,29 @@ static int ocfs2_xa_prepare_entry(struct
 	if (rc)
 		goto out;
 
-	if (!loc->xl_entry) {
-		rc = -EINVAL;
-		goto out;
-	}
-
-	if (ocfs2_xa_can_reuse_entry(loc, xi)) {
-		orig_value_size = loc->xl_entry->xe_value_size;
-		rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
-		if (rc)
-			goto out;
-		goto alloc_value;
-	}
+	if (loc->xl_entry) {
+		if (ocfs2_xa_can_reuse_entry(loc, xi)) {
+			orig_value_size = loc->xl_entry->xe_value_size;
+			rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
+			if (rc)
+				goto out;
+			goto alloc_value;
+		}
 
-	if (!ocfs2_xattr_is_local(loc->xl_entry)) {
-		orig_clusters = ocfs2_xa_value_clusters(loc);
-		rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
-		if (rc) {
-			mlog_errno(rc);
-			ocfs2_xa_cleanup_value_truncate(loc,
-							"overwriting",
-							orig_clusters);
-			goto out;
+		if (!ocfs2_xattr_is_local(loc->xl_entry)) {
+			orig_clusters = ocfs2_xa_value_clusters(loc);
+			rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
+			if (rc) {
+				mlog_errno(rc);
+				ocfs2_xa_cleanup_value_truncate(loc,
+								"overwriting",
+								orig_clusters);
+				goto out;
+			}
 		}
-	}
-	ocfs2_xa_wipe_namevalue(loc);
+		ocfs2_xa_wipe_namevalue(loc);
+	} else
+		ocfs2_xa_add_entry(loc, name_hash);
 
 	/*
 	 * If we get here, we have a blank entry.  Fill it.  We grow our



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 017/306] mm/ksm.c: dont WARN if page is still mapped in remove_stable_node()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 016/306] Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()" Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 018/306] drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs Greg Kroah-Hartman
                   ` (292 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Ryabinin, Hugh Dickins,
	Andrea Arcangeli, Andrew Morton, Linus Torvalds

From: Andrey Ryabinin <aryabinin@virtuozzo.com>

commit 9a63236f1ad82d71a98aa80320b6cb618fb32f44 upstream.

It's possible to hit the WARN_ON_ONCE(page_mapped(page)) in
remove_stable_node() when it races with __mmput() and squeezes in
between ksm_exit() and exit_mmap().

  WARNING: CPU: 0 PID: 3295 at mm/ksm.c:888 remove_stable_node+0x10c/0x150

  Call Trace:
   remove_all_stable_nodes+0x12b/0x330
   run_store+0x4ef/0x7b0
   kernfs_fop_write+0x200/0x420
   vfs_write+0x154/0x450
   ksys_write+0xf9/0x1d0
   do_syscall_64+0x99/0x510
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

Remove the warning as there is nothing scary going on.

Link: http://lkml.kernel.org/r/20191119131850.5675-1-aryabinin@virtuozzo.com
Fixes: cbf86cfe04a6 ("ksm: remove old stable nodes more thoroughly")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/ksm.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -870,13 +870,13 @@ static int remove_stable_node(struct sta
 		return 0;
 	}
 
-	if (WARN_ON_ONCE(page_mapped(page))) {
-		/*
-		 * This should not happen: but if it does, just refuse to let
-		 * merge_across_nodes be switched - there is no need to panic.
-		 */
-		err = -EBUSY;
-	} else {
+	/*
+	 * Page could be still mapped if this races with __mmput() running in
+	 * between ksm_exit() and exit_mmap(). Just refuse to let
+	 * merge_across_nodes/max_page_sharing be switched.
+	 */
+	err = -EBUSY;
+	if (!page_mapped(page)) {
 		/*
 		 * The stable node did not yet appear stale to get_ksm_page(),
 		 * since that allows for an unmapped ksm page to be recognized



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 018/306] drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 017/306] mm/ksm.c: dont WARN if page is still mapped in remove_stable_node() Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 019/306] drm/i915/pmu: "Frequency" is reported as accumulated cycles Greg Kroah-Hartman
                   ` (291 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Evan Quan, Alex Deucher

From: Evan Quan <evan.quan@amd.com>

commit 355d991cb6ff6ae76b5e28b8edae144124c730e4 upstream.

Otherwise, the error message prompted will confuse user.

Signed-off-by: Evan Quan <evan.quan@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c |   23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
@@ -3472,18 +3472,31 @@ static int smu7_get_pp_table_entry(struc
 
 static int smu7_get_gpu_power(struct pp_hwmgr *hwmgr, u32 *query)
 {
+	struct amdgpu_device *adev = hwmgr->adev;
 	int i;
 	u32 tmp = 0;
 
 	if (!query)
 		return -EINVAL;
 
-	smum_send_msg_to_smc_with_parameter(hwmgr, PPSMC_MSG_GetCurrPkgPwr, 0);
-	tmp = cgs_read_register(hwmgr->device, mmSMC_MSG_ARG_0);
-	*query = tmp;
+	/*
+	 * PPSMC_MSG_GetCurrPkgPwr is not supported on:
+	 *  - Hawaii
+	 *  - Bonaire
+	 *  - Fiji
+	 *  - Tonga
+	 */
+	if ((adev->asic_type != CHIP_HAWAII) &&
+	    (adev->asic_type != CHIP_BONAIRE) &&
+	    (adev->asic_type != CHIP_FIJI) &&
+	    (adev->asic_type != CHIP_TONGA)) {
+		smum_send_msg_to_smc_with_parameter(hwmgr, PPSMC_MSG_GetCurrPkgPwr, 0);
+		tmp = cgs_read_register(hwmgr->device, mmSMC_MSG_ARG_0);
+		*query = tmp;
 
-	if (tmp != 0)
-		return 0;
+		if (tmp != 0)
+			return 0;
+	}
 
 	smum_send_msg_to_smc(hwmgr, PPSMC_MSG_PmStatusLogStart);
 	cgs_write_ind_register(hwmgr->device, CGS_IND_REG__SMC,



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 019/306] drm/i915/pmu: "Frequency" is reported as accumulated cycles
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 018/306] drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 020/306] drm/i915/userptr: Try to acquire the page lock around set_page_dirty() Greg Kroah-Hartman
                   ` (290 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Wilson, Tvrtko Ursulin,
	Joonas Lahtinen, Rodrigo Vivi

From: Chris Wilson <chris@chris-wilson.co.uk>

commit add3eeed3683e2636ef524db48e1a678757c8e96 upstream.

We report "frequencies" (actual-frequency, requested-frequency) as the
number of accumulated cycles so that the average frequency over that
period may be determined by the user. This means the units we report to
the user are Mcycles (or just M), not MHz.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191109105356.5273-1-chris@chris-wilson.co.uk
(cherry picked from commit e88866ef02851c88fe95a4bb97820b94b4d46f36)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
(cherry picked from commit a7d87b70d6da96c6772e50728c8b4e78e4cbfd55)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_pmu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i915/i915_pmu.c
+++ b/drivers/gpu/drm/i915/i915_pmu.c
@@ -827,8 +827,8 @@ create_event_attributes(struct drm_i915_
 		const char *name;
 		const char *unit;
 	} events[] = {
-		__event(I915_PMU_ACTUAL_FREQUENCY, "actual-frequency", "MHz"),
-		__event(I915_PMU_REQUESTED_FREQUENCY, "requested-frequency", "MHz"),
+		__event(I915_PMU_ACTUAL_FREQUENCY, "actual-frequency", "M"),
+		__event(I915_PMU_REQUESTED_FREQUENCY, "requested-frequency", "M"),
 		__event(I915_PMU_INTERRUPTS, "interrupts", NULL),
 		__event(I915_PMU_RC6_RESIDENCY, "rc6-residency", "ns"),
 	};



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 020/306] drm/i915/userptr: Try to acquire the page lock around set_page_dirty()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 019/306] drm/i915/pmu: "Frequency" is reported as accumulated cycles Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 021/306] mwifiex: Fix NL80211_TX_POWER_LIMITED Greg Kroah-Hartman
                   ` (289 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Wilson, Lionel Landwerlin,
	Tvrtko Ursulin, Joonas Lahtinen, Rodrigo Vivi

From: Chris Wilson <chris@chris-wilson.co.uk>

commit 2d691aeca4aecbb8d0414a777a46981a8e142b05 upstream.

set_page_dirty says:

	For pages with a mapping this should be done under the page lock
	for the benefit of asynchronous memory errors who prefer a
	consistent dirty state. This rule can be broken in some special
	cases, but should be better not to.

Under those rules, it is only safe for us to use the plain set_page_dirty
calls for shmemfs/anonymous memory. Userptr may be used with real
mappings and so needs to use the locked version (set_page_dirty_lock).

However, following a try_to_unmap() we may want to remove the userptr and
so call put_pages(). However, try_to_unmap() acquires the page lock and
so we must avoid recursively locking the pages ourselves -- which means
that we cannot safely acquire the lock around set_page_dirty(). Since we
can't be sure of the lock, we have to risk skip dirtying the page, or
else risk calling set_page_dirty() without a lock and so risk fs
corruption.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203317
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=112012
Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191111133205.11590-1-chris@chris-wilson.co.uk
(cherry picked from commit 0d4bbe3d407f79438dc4f87943db21f7134cfc65)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
(cherry picked from commit cee7fb437edcdb2f9f8affa959e274997f5dca4d)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_gem_userptr.c |   22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/i915_gem_userptr.c
+++ b/drivers/gpu/drm/i915/i915_gem_userptr.c
@@ -691,8 +691,28 @@ i915_gem_userptr_put_pages(struct drm_i9
 	i915_gem_gtt_finish_pages(obj, pages);
 
 	for_each_sgt_page(page, sgt_iter, pages) {
-		if (obj->mm.dirty)
+		if (obj->mm.dirty && trylock_page(page)) {
+			/*
+			 * As this may not be anonymous memory (e.g. shmem)
+			 * but exist on a real mapping, we have to lock
+			 * the page in order to dirty it -- holding
+			 * the page reference is not sufficient to
+			 * prevent the inode from being truncated.
+			 * Play safe and take the lock.
+			 *
+			 * However...!
+			 *
+			 * The mmu-notifier can be invalidated for a
+			 * migrate_page, that is alreadying holding the lock
+			 * on the page. Such a try_to_unmap() will result
+			 * in us calling put_pages() and so recursively try
+			 * to lock the page. We avoid that deadlock with
+			 * a trylock_page() and in exchange we risk missing
+			 * some page dirtying.
+			 */
 			set_page_dirty(page);
+			unlock_page(page);
+		}
 
 		mark_page_accessed(page);
 		put_page(page);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 021/306] mwifiex: Fix NL80211_TX_POWER_LIMITED
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 020/306] drm/i915/userptr: Try to acquire the page lock around set_page_dirty() Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 022/306] ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback Greg Kroah-Hartman
                   ` (288 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Bunk, Kalle Valo, Sasha Levin

From: Adrian Bunk <bunk@kernel.org>

[ Upstream commit 65a576e27309120e0621f54d5c81eb9128bd56be ]

NL80211_TX_POWER_LIMITED was treated as NL80211_TX_POWER_AUTOMATIC,
which is the opposite of what should happen and can cause nasty
regulatory problems.

if/else converted to a switch without default to make gcc warn
on unhandled enum values.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/marvell/mwifiex/cfg80211.c  | 13 +++++++++++--
 drivers/net/wireless/marvell/mwifiex/ioctl.h     |  1 +
 drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 11 +++++++----
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
index 47ec5293c045d..7b74ef71bef1d 100644
--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
@@ -376,11 +376,20 @@ mwifiex_cfg80211_set_tx_power(struct wiphy *wiphy,
 	struct mwifiex_power_cfg power_cfg;
 	int dbm = MBM_TO_DBM(mbm);
 
-	if (type == NL80211_TX_POWER_FIXED) {
+	switch (type) {
+	case NL80211_TX_POWER_FIXED:
 		power_cfg.is_power_auto = 0;
+		power_cfg.is_power_fixed = 1;
 		power_cfg.power_level = dbm;
-	} else {
+		break;
+	case NL80211_TX_POWER_LIMITED:
+		power_cfg.is_power_auto = 0;
+		power_cfg.is_power_fixed = 0;
+		power_cfg.power_level = dbm;
+		break;
+	case NL80211_TX_POWER_AUTOMATIC:
 		power_cfg.is_power_auto = 1;
+		break;
 	}
 
 	priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY);
diff --git a/drivers/net/wireless/marvell/mwifiex/ioctl.h b/drivers/net/wireless/marvell/mwifiex/ioctl.h
index 48e154e1865df..0dd592ea6e833 100644
--- a/drivers/net/wireless/marvell/mwifiex/ioctl.h
+++ b/drivers/net/wireless/marvell/mwifiex/ioctl.h
@@ -267,6 +267,7 @@ struct mwifiex_ds_encrypt_key {
 
 struct mwifiex_power_cfg {
 	u32 is_power_auto;
+	u32 is_power_fixed;
 	u32 power_level;
 };
 
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index 843d65bba1811..74e50566db1f2 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -688,6 +688,9 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
 	txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf;
 	txp_cfg->action = cpu_to_le16(HostCmd_ACT_GEN_SET);
 	if (!power_cfg->is_power_auto) {
+		u16 dbm_min = power_cfg->is_power_fixed ?
+			      dbm : priv->min_tx_power_level;
+
 		txp_cfg->mode = cpu_to_le32(1);
 		pg_tlv = (struct mwifiex_types_power_group *)
 			 (buf + sizeof(struct host_cmd_ds_txpwr_cfg));
@@ -702,7 +705,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
 		pg->last_rate_code = 0x03;
 		pg->modulation_class = MOD_CLASS_HR_DSSS;
 		pg->power_step = 0;
-		pg->power_min = (s8) dbm;
+		pg->power_min = (s8) dbm_min;
 		pg->power_max = (s8) dbm;
 		pg++;
 		/* Power group for modulation class OFDM */
@@ -710,7 +713,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
 		pg->last_rate_code = 0x07;
 		pg->modulation_class = MOD_CLASS_OFDM;
 		pg->power_step = 0;
-		pg->power_min = (s8) dbm;
+		pg->power_min = (s8) dbm_min;
 		pg->power_max = (s8) dbm;
 		pg++;
 		/* Power group for modulation class HTBW20 */
@@ -718,7 +721,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
 		pg->last_rate_code = 0x20;
 		pg->modulation_class = MOD_CLASS_HT;
 		pg->power_step = 0;
-		pg->power_min = (s8) dbm;
+		pg->power_min = (s8) dbm_min;
 		pg->power_max = (s8) dbm;
 		pg->ht_bandwidth = HT_BW_20;
 		pg++;
@@ -727,7 +730,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
 		pg->last_rate_code = 0x20;
 		pg->modulation_class = MOD_CLASS_HT;
 		pg->power_step = 0;
-		pg->power_min = (s8) dbm;
+		pg->power_min = (s8) dbm_min;
 		pg->power_max = (s8) dbm;
 		pg->ht_bandwidth = HT_BW_40;
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 022/306] ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 021/306] mwifiex: Fix NL80211_TX_POWER_LIMITED Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 023/306] crypto: testmgr - fix sizeof() on COMP_BUF_SIZE Greg Kroah-Hartman
                   ` (287 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai, Sasha Levin

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

[ Upstream commit 51e68fb0929c29e47e9074ca3e99ffd6021a1c5a ]

In some error paths, reference count of firewire unit is not decreased.
This commit fixes the bug.

Fixes: 5b14ec25a79b('ALSA: firewire: release reference count of firewire unit in .remove callback of bus driver')
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/firewire/isight.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sound/firewire/isight.c b/sound/firewire/isight.c
index 30957477e005e..0717ab9e48e3b 100644
--- a/sound/firewire/isight.c
+++ b/sound/firewire/isight.c
@@ -640,7 +640,7 @@ static int isight_probe(struct fw_unit *unit,
 	if (!isight->audio_base) {
 		dev_err(&unit->device, "audio unit base not found\n");
 		err = -ENXIO;
-		goto err_unit;
+		goto error;
 	}
 	fw_iso_resources_init(&isight->resources, unit);
 
@@ -669,12 +669,12 @@ static int isight_probe(struct fw_unit *unit,
 	dev_set_drvdata(&unit->device, isight);
 
 	return 0;
-
-err_unit:
-	fw_unit_put(isight->unit);
-	mutex_destroy(&isight->mutex);
 error:
 	snd_card_free(card);
+
+	mutex_destroy(&isight->mutex);
+	fw_unit_put(isight->unit);
+
 	return err;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 023/306] crypto: testmgr - fix sizeof() on COMP_BUF_SIZE
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 022/306] ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 024/306] printk: lock/unlock console only for new logbuf entries Greg Kroah-Hartman
                   ` (286 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Schupikov, Ard Biesheuvel,
	Herbert Xu, Sasha Levin

From: Michael Schupikov <michael@schupikov.de>

[ Upstream commit 22a8118d329334833cd30f2ceb36d28e8cae8a4f ]

After allocation, output and decomp_output both point to memory chunks of
size COMP_BUF_SIZE. Then, only the first bytes are zeroed out using
sizeof(COMP_BUF_SIZE) as parameter to memset(), because
sizeof(COMP_BUF_SIZE) provides the size of the constant and not the size of
allocated memory.

Instead, the whole allocated memory is meant to be zeroed out. Use
COMP_BUF_SIZE as parameter to memset() directly in order to accomplish
this.

Fixes: 336073840a872 ("crypto: testmgr - Allow different compression results")

Signed-off-by: Michael Schupikov <michael@schupikov.de>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/testmgr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 3664c26f4838e..13cb2ea99d6a5 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1400,8 +1400,8 @@ static int test_comp(struct crypto_comp *tfm,
 		int ilen;
 		unsigned int dlen = COMP_BUF_SIZE;
 
-		memset(output, 0, sizeof(COMP_BUF_SIZE));
-		memset(decomp_output, 0, sizeof(COMP_BUF_SIZE));
+		memset(output, 0, COMP_BUF_SIZE);
+		memset(decomp_output, 0, COMP_BUF_SIZE);
 
 		ilen = ctemplate[i].inlen;
 		ret = crypto_comp_compress(tfm, ctemplate[i].input,
@@ -1445,7 +1445,7 @@ static int test_comp(struct crypto_comp *tfm,
 		int ilen;
 		unsigned int dlen = COMP_BUF_SIZE;
 
-		memset(decomp_output, 0, sizeof(COMP_BUF_SIZE));
+		memset(decomp_output, 0, COMP_BUF_SIZE);
 
 		ilen = dtemplate[i].inlen;
 		ret = crypto_comp_decompress(tfm, dtemplate[i].input,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 024/306] printk: lock/unlock console only for new logbuf entries
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 023/306] crypto: testmgr - fix sizeof() on COMP_BUF_SIZE Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 025/306] printk: fix integer overflow in setup_log_buf() Greg Kroah-Hartman
                   ` (285 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel, Steven Rostedt
  Cc: Greg Kroah-Hartman, stable, Andrew Morton, Dmitriy Vyukov,
	Tetsuo Handa, Tejun Heo, Peter Zijlstra, Sergey Senozhatsky,
	Sergey Senozhatsky, Petr Mladek, Sasha Levin

From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>

[ Upstream commit 3ac37a93fa9217e576bebfd4ba3e80edaaeb2289 ]

Prior to commit 5c2992ee7fd8a29 ("printk: remove console flushing special
cases for partial buffered lines") we would do console_cont_flush()
for each pr_cont() to print cont fragments, so console_unlock() would
actually print data:

	pr_cont();
	 console_lock();
	 console_unlock()
	  console_cont_flush(); // print cont fragment
	...
	pr_cont();
	 console_lock();
	 console_unlock()
	  console_cont_flush(); // print cont fragment

We don't do console_cont_flush() anymore, so when we do pr_cont()
console_unlock() does nothing (unless we flushed the cont buffer):

	pr_cont();
	 console_lock();
	 console_unlock();      // noop
	...
	pr_cont();
	 console_lock();
	 console_unlock();      // noop
	...
	pr_cont();
	  cont_flush();
	    console_lock();
	    console_unlock();   // print data

We also wakeup klogd purposelessly for pr_cont() output - un-flushed
cont buffer is not stored in log_buf; there is nothing to pull.

Thus we can console_lock()/console_unlock()/wake_up_klogd() only when
we know that we log_store()-ed a message and there is something to
print to the consoles/syslog.

Link: http://lkml.kernel.org/r/20181002023836.4487-3-sergey.senozhatsky@gmail.com
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Tejun Heo <tj@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: LKML <linux-kernel@vger.kernel.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/printk/printk.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index c7b3d5489937d..59ceaed1aeed7 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1901,8 +1901,9 @@ asmlinkage int vprintk_emit(int facility, int level,
 			    const char *fmt, va_list args)
 {
 	int printed_len;
-	bool in_sched = false;
+	bool in_sched = false, pending_output;
 	unsigned long flags;
+	u64 curr_log_seq;
 
 	if (level == LOGLEVEL_SCHED) {
 		level = LOGLEVEL_DEFAULT;
@@ -1914,11 +1915,13 @@ asmlinkage int vprintk_emit(int facility, int level,
 
 	/* This stops the holder of console_sem just where we want him */
 	logbuf_lock_irqsave(flags);
+	curr_log_seq = log_next_seq;
 	printed_len = vprintk_store(facility, level, dict, dictlen, fmt, args);
+	pending_output = (curr_log_seq != log_next_seq);
 	logbuf_unlock_irqrestore(flags);
 
 	/* If called from the scheduler, we can not call up(). */
-	if (!in_sched) {
+	if (!in_sched && pending_output) {
 		/*
 		 * Disable preemption to avoid being preempted while holding
 		 * console_sem which would prevent anyone from printing to
@@ -1935,7 +1938,8 @@ asmlinkage int vprintk_emit(int facility, int level,
 		preempt_enable();
 	}
 
-	wake_up_klogd();
+	if (pending_output)
+		wake_up_klogd();
 	return printed_len;
 }
 EXPORT_SYMBOL(vprintk_emit);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 025/306] printk: fix integer overflow in setup_log_buf()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 024/306] printk: lock/unlock console only for new logbuf entries Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 026/306] pinctrl: madera: Fix uninitialized variable bug in madera_mux_set_mux Greg Kroah-Hartman
                   ` (284 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel, Steven Rostedt
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky,
	Sergey Senozhatsky, Petr Mladek, Sasha Levin

From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>

[ Upstream commit d2130e82e9454304e9b91ba9da551b5989af8c27 ]

The way we calculate logbuf free space percentage overflows signed
integer:

	int free;

	free = __LOG_BUF_LEN - log_next_idx;
	pr_info("early log buf free: %u(%u%%)\n",
		free, (free * 100) / __LOG_BUF_LEN);

We support LOG_BUF_LEN of up to 1<<25 bytes. Since setup_log_buf() is
called during early init, logbuf is mostly empty, so

	__LOG_BUF_LEN - log_next_idx

is close to 1<<25. Thus when we multiply it by 100, we overflow signed
integer value range: 100 is 2^6 + 2^5 + 2^2.

Example, booting with LOG_BUF_LEN 1<<25 and log_buf_len=2G
boot param:

[    0.075317] log_buf_len: -2147483648 bytes
[    0.075319] early log buf free: 33549896(-28%)

Make "free" unsigned integer and use appropriate printk() specifier.

Link: http://lkml.kernel.org/r/20181010113308.9337-1-sergey.senozhatsky@gmail.com
To: Steven Rostedt <rostedt@goodmis.org>
Cc: linux-kernel@vger.kernel.org
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/printk/printk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 59ceaed1aeed7..845efadaf7ecf 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1105,7 +1105,7 @@ void __init setup_log_buf(int early)
 {
 	unsigned long flags;
 	char *new_log_buf;
-	int free;
+	unsigned int free;
 
 	if (log_buf != __log_buf)
 		return;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 026/306] pinctrl: madera: Fix uninitialized variable bug in madera_mux_set_mux
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 025/306] printk: fix integer overflow in setup_log_buf() Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 027/306] PCI: cadence: Write MSI data with 32bits Greg Kroah-Hartman
                   ` (283 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Charles Keepax,
	Linus Walleij, Sasha Levin

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

[ Upstream commit 4fe81669df50889ff1072c030c59df5f1fa6534e ]

There is a potential execution path in which variable *ret* is checked
in an IF statement, and then its value is used to report an error at
line 659 without being properly initialized previously:

659 if (ret)
660	dev_err(priv->dev, "Failed to write to 0x%x (%d)\n", reg, ret);

Fix this by initializing variable *ret* to 0 in order to
avoid unpredictable or unintended results.

Addresses-Coverity-ID: 1471969 ("Uninitialized scalar variable")
Fixes: 218d72a77b0b ("pinctrl: madera: Add driver for Cirrus Logic Madera codecs")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/cirrus/pinctrl-madera-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pinctrl/cirrus/pinctrl-madera-core.c b/drivers/pinctrl/cirrus/pinctrl-madera-core.c
index c4f4d904e4a61..618e04407ac85 100644
--- a/drivers/pinctrl/cirrus/pinctrl-madera-core.c
+++ b/drivers/pinctrl/cirrus/pinctrl-madera-core.c
@@ -608,7 +608,7 @@ static int madera_mux_set_mux(struct pinctrl_dev *pctldev,
 	unsigned int n_chip_groups = priv->chip->n_pin_groups;
 	const char *func_name = madera_mux_funcs[selector].name;
 	unsigned int reg;
-	int i, ret;
+	int i, ret = 0;
 
 	dev_dbg(priv->dev, "%s selecting %u (%s) for group %u (%s)\n",
 		__func__, selector, func_name, group,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 027/306] PCI: cadence: Write MSI data with 32bits
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 026/306] pinctrl: madera: Fix uninitialized variable bug in madera_mux_set_mux Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 028/306] gfs2: Fix marking bitmaps non-full Greg Kroah-Hartman
                   ` (282 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Douglas, Lorenzo Pieralisi, Sasha Levin

From: Alan Douglas <adouglas@cadence.com>

[ Upstream commit e81e36a96bb56f243b5ac1d114c37c086761595b ]

According to the PCIe specification, although the MSI data is only
16bits, the upper 16bits should be written as 0. Use writel
instead of writew when writing the MSI data to the host.

Fixes: 37dddf14f1ae ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller")
Signed-off-by: Alan Douglas <adouglas@cadence.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/controller/pcie-cadence-ep.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/controller/pcie-cadence-ep.c b/drivers/pci/controller/pcie-cadence-ep.c
index 6692654798d44..c3a088910f48d 100644
--- a/drivers/pci/controller/pcie-cadence-ep.c
+++ b/drivers/pci/controller/pcie-cadence-ep.c
@@ -355,7 +355,7 @@ static int cdns_pcie_ep_send_msi_irq(struct cdns_pcie_ep *ep, u8 fn,
 		ep->irq_pci_addr = (pci_addr & ~pci_addr_mask);
 		ep->irq_pci_fn = fn;
 	}
-	writew(data, ep->irq_cpu_addr + (pci_addr & pci_addr_mask));
+	writel(data, ep->irq_cpu_addr + (pci_addr & pci_addr_mask));
 
 	return 0;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 028/306] gfs2: Fix marking bitmaps non-full
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 027/306] PCI: cadence: Write MSI data with 32bits Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:27 ` [PATCH 4.19 029/306] pty: fix compat ioctls Greg Kroah-Hartman
                   ` (281 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andreas Gruenbacher, Bob Peterson,
	Steven Whitehouse, Sasha Levin

From: Andreas Gruenbacher <agruenba@redhat.com>

[ Upstream commit ec23df2b0cf3e1620f5db77972b7fb735f267eff ]

Reservations in gfs can span multiple gfs2_bitmaps (but they won't span
multiple resource groups).  When removing a reservation, we want to
clear the GBF_FULL flags of all involved gfs2_bitmaps, not just that of
the first bitmap.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Reviewed-by: Steven Whitehouse <swhiteho@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/gfs2/rgrp.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index 63e5387c84d26..c94c4ac1ae78b 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -642,7 +642,10 @@ static void __rs_deltree(struct gfs2_blkreserv *rs)
 	RB_CLEAR_NODE(&rs->rs_node);
 
 	if (rs->rs_free) {
-		struct gfs2_bitmap *bi = rbm_bi(&rs->rs_rbm);
+		u64 last_block = gfs2_rbm_to_block(&rs->rs_rbm) +
+				 rs->rs_free - 1;
+		struct gfs2_rbm last_rbm = { .rgd = rs->rs_rbm.rgd, };
+		struct gfs2_bitmap *start, *last;
 
 		/* return reserved blocks to the rgrp */
 		BUG_ON(rs->rs_rbm.rgd->rd_reserved < rs->rs_free);
@@ -653,7 +656,13 @@ static void __rs_deltree(struct gfs2_blkreserv *rs)
 		   it will force the number to be recalculated later. */
 		rgd->rd_extfail_pt += rs->rs_free;
 		rs->rs_free = 0;
-		clear_bit(GBF_FULL, &bi->bi_flags);
+		if (gfs2_rbm_from_block(&last_rbm, last_block))
+			return;
+		start = rbm_bi(&rs->rs_rbm);
+		last = rbm_bi(&last_rbm);
+		do
+			clear_bit(GBF_FULL, &start->bi_flags);
+		while (start++ != last);
 	}
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 029/306] pty: fix compat ioctls
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 028/306] gfs2: Fix marking bitmaps non-full Greg Kroah-Hartman
@ 2019-11-27 20:27 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 030/306] synclink_gt(): fix compat_ioctl() Greg Kroah-Hartman
                   ` (280 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Sasha Levin

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 50f45326afab723df529eca54095e2feac24da2d ]

pointer-taking ones need compat_ptr(); int-taking one doesn't.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/pty.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index 678406e0948b2..00099a8439d21 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -28,6 +28,7 @@
 #include <linux/mount.h>
 #include <linux/file.h>
 #include <linux/ioctl.h>
+#include <linux/compat.h>
 
 #undef TTY_DEBUG_HANGUP
 #ifdef TTY_DEBUG_HANGUP
@@ -488,6 +489,7 @@ static int pty_bsd_ioctl(struct tty_struct *tty,
 	return -ENOIOCTLCMD;
 }
 
+#ifdef CONFIG_COMPAT
 static long pty_bsd_compat_ioctl(struct tty_struct *tty,
 				 unsigned int cmd, unsigned long arg)
 {
@@ -495,8 +497,11 @@ static long pty_bsd_compat_ioctl(struct tty_struct *tty,
 	 * PTY ioctls don't require any special translation between 32-bit and
 	 * 64-bit userspace, they are already compatible.
 	 */
-	return pty_bsd_ioctl(tty, cmd, arg);
+	return pty_bsd_ioctl(tty, cmd, (unsigned long)compat_ptr(arg));
 }
+#else
+#define pty_bsd_compat_ioctl NULL
+#endif
 
 static int legacy_count = CONFIG_LEGACY_PTY_COUNT;
 /*
@@ -676,6 +681,7 @@ static int pty_unix98_ioctl(struct tty_struct *tty,
 	return -ENOIOCTLCMD;
 }
 
+#ifdef CONFIG_COMPAT
 static long pty_unix98_compat_ioctl(struct tty_struct *tty,
 				 unsigned int cmd, unsigned long arg)
 {
@@ -683,8 +689,12 @@ static long pty_unix98_compat_ioctl(struct tty_struct *tty,
 	 * PTY ioctls don't require any special translation between 32-bit and
 	 * 64-bit userspace, they are already compatible.
 	 */
-	return pty_unix98_ioctl(tty, cmd, arg);
+	return pty_unix98_ioctl(tty, cmd,
+		cmd == TIOCSIG ? arg : (unsigned long)compat_ptr(arg));
 }
+#else
+#define pty_unix98_compat_ioctl NULL
+#endif
 
 /**
  *	ptm_unix98_lookup	-	find a pty master
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 030/306] synclink_gt(): fix compat_ioctl()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2019-11-27 20:27 ` [PATCH 4.19 029/306] pty: fix compat ioctls Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-30 10:28   ` Pavel Machek
  2019-11-27 20:28 ` [PATCH 4.19 031/306] powerpc: Fix signedness bug in update_flash_db() Greg Kroah-Hartman
                   ` (279 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Sasha Levin

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 27230e51349fde075598c1b59d15e1ff802f3f6e ]

compat_ptr() for pointer-taking ones...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/synclink_gt.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
index a94086597ebd6..b88ecf102764e 100644
--- a/drivers/tty/synclink_gt.c
+++ b/drivers/tty/synclink_gt.c
@@ -1186,14 +1186,13 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
 			 unsigned int cmd, unsigned long arg)
 {
 	struct slgt_info *info = tty->driver_data;
-	int rc = -ENOIOCTLCMD;
+	int rc;
 
 	if (sanity_check(info, tty->name, "compat_ioctl"))
 		return -ENODEV;
 	DBGINFO(("%s compat_ioctl() cmd=%08X\n", info->device_name, cmd));
 
 	switch (cmd) {
-
 	case MGSL_IOCSPARAMS32:
 		rc = set_params32(info, compat_ptr(arg));
 		break;
@@ -1213,18 +1212,11 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
 	case MGSL_IOCWAITGPIO:
 	case MGSL_IOCGXSYNC:
 	case MGSL_IOCGXCTRL:
-	case MGSL_IOCSTXIDLE:
-	case MGSL_IOCTXENABLE:
-	case MGSL_IOCRXENABLE:
-	case MGSL_IOCTXABORT:
-	case TIOCMIWAIT:
-	case MGSL_IOCSIF:
-	case MGSL_IOCSXSYNC:
-	case MGSL_IOCSXCTRL:
-		rc = ioctl(tty, cmd, arg);
+		rc = ioctl(tty, cmd, (unsigned long)compat_ptr(arg));
 		break;
+	default:
+		rc = ioctl(tty, cmd, arg);
 	}
-
 	DBGINFO(("%s compat_ioctl() cmd=%08X rc=%d\n", info->device_name, cmd, rc));
 	return rc;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 031/306] powerpc: Fix signedness bug in update_flash_db()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 030/306] synclink_gt(): fix compat_ioctl() Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 032/306] powerpc/boot: Fix opal console in boot wrapper Greg Kroah-Hartman
                   ` (278 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Geoff Levand,
	Michael Ellerman, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 014704e6f54189a203cc14c7c0bb411b940241bc ]

The "count < sizeof(struct os_area_db)" comparison is type promoted to
size_t so negative values of "count" are treated as very high values
and we accidentally return success instead of a negative error code.

This doesn't really change runtime much but it fixes a static checker
warning.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/ps3/os-area.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/ps3/os-area.c b/arch/powerpc/platforms/ps3/os-area.c
index cdbfc5cfd6f38..f5387ad822798 100644
--- a/arch/powerpc/platforms/ps3/os-area.c
+++ b/arch/powerpc/platforms/ps3/os-area.c
@@ -664,7 +664,7 @@ static int update_flash_db(void)
 	db_set_64(db, &os_area_db_id_rtc_diff, saved_params.rtc_diff);
 
 	count = os_area_flash_write(db, sizeof(struct os_area_db), pos);
-	if (count < sizeof(struct os_area_db)) {
+	if (count < 0 || count < sizeof(struct os_area_db)) {
 		pr_debug("%s: os_area_flash_write failed %zd\n", __func__,
 			 count);
 		error = count < 0 ? count : -EIO;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 032/306] powerpc/boot: Fix opal console in boot wrapper
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 031/306] powerpc: Fix signedness bug in update_flash_db() Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 033/306] powerpc/boot: Disable vector instructions Greg Kroah-Hartman
                   ` (277 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Michael Ellerman, Sasha Levin

From: Joel Stanley <joel@jms.id.au>

[ Upstream commit 1a855eaccf353f7ed1d51a3d4b3af727ccbd81ca ]

As of commit 10c77dba40ff ("powerpc/boot: Fix build failure in 32-bit
boot wrapper") the opal code is hidden behind CONFIG_PPC64_BOOT_WRAPPER,
but the boot wrapper avoids include/linux, so it does not get the normal
Kconfig flags.

We can drop the guard entirely as in commit f8e8e69cea49 ("powerpc/boot:
Only build OPAL code when necessary") the makefile only includes opal.c
in the build if CONFIG_PPC64_BOOT_WRAPPER is set.

Fixes: 10c77dba40ff ("powerpc/boot: Fix build failure in 32-bit boot wrapper")
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/boot/opal.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/arch/powerpc/boot/opal.c b/arch/powerpc/boot/opal.c
index 0272570d02de1..dfb199ef5b949 100644
--- a/arch/powerpc/boot/opal.c
+++ b/arch/powerpc/boot/opal.c
@@ -13,8 +13,6 @@
 #include <libfdt.h>
 #include "../include/asm/opal-api.h"
 
-#ifdef CONFIG_PPC64_BOOT_WRAPPER
-
 /* Global OPAL struct used by opal-call.S */
 struct opal {
 	u64 base;
@@ -101,9 +99,3 @@ int opal_console_init(void *devp, struct serial_console_data *scdp)
 
 	return 0;
 }
-#else
-int opal_console_init(void *devp, struct serial_console_data *scdp)
-{
-	return -1;
-}
-#endif /* __powerpc64__ */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 033/306] powerpc/boot: Disable vector instructions
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 032/306] powerpc/boot: Fix opal console in boot wrapper Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 034/306] powerpc/eeh: Fix null deref for devices removed during EEH Greg Kroah-Hartman
                   ` (276 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Michael Ellerman, Sasha Levin

From: Joel Stanley <joel@jms.id.au>

[ Upstream commit e8e132e6885962582784b6fa16a80d07ea739c0f ]

This will avoid auto-vectorisation when building with higher
optimisation levels.

We don't know if the machine can support VSX and even if it's present
it's probably not going to be enabled at this point in boot.

These flag were both added prior to GCC 4.6 which is the minimum
compiler version supported by upstream, thanks to Segher for the
details.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/boot/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile
index 25e3184f11f78..7d5ddf53750ce 100644
--- a/arch/powerpc/boot/Makefile
+++ b/arch/powerpc/boot/Makefile
@@ -32,8 +32,8 @@ else
 endif
 
 BOOTCFLAGS    := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
-		 -fno-strict-aliasing -Os -msoft-float -pipe \
-		 -fomit-frame-pointer -fno-builtin -fPIC -nostdinc \
+		 -fno-strict-aliasing -Os -msoft-float -mno-altivec -mno-vsx \
+		 -pipe -fomit-frame-pointer -fno-builtin -fPIC -nostdinc \
 		 -D$(compress-y)
 
 ifdef CONFIG_PPC64_BOOT_WRAPPER
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 034/306] powerpc/eeh: Fix null deref for devices removed during EEH
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 033/306] powerpc/boot: Disable vector instructions Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 035/306] powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field Greg Kroah-Hartman
                   ` (275 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sam Bobroff, Michael Ellerman, Sasha Levin

From: Sam Bobroff <sbobroff@linux.ibm.com>

[ Upstream commit bcbe3730531239abd45ab6c6af4a18078b37dd47 ]

If a device is removed during EEH processing (either by a driver's
handler or as part of recovery), it can lead to a null dereference
in eeh_pe_report_edev().

To handle this, skip devices that have been removed.

Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/eeh_driver.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
index 110eba400de7c..af1f3d5f9a0f7 100644
--- a/arch/powerpc/kernel/eeh_driver.c
+++ b/arch/powerpc/kernel/eeh_driver.c
@@ -281,6 +281,10 @@ static void eeh_pe_report_edev(struct eeh_dev *edev, eeh_report_fn fn,
 	struct pci_driver *driver;
 	enum pci_ers_result new_result;
 
+	if (!edev->pdev) {
+		eeh_edev_info(edev, "no device");
+		return;
+	}
 	device_lock(&edev->pdev->dev);
 	if (eeh_edev_actionable(edev)) {
 		driver = eeh_pcid_get(edev->pdev);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 035/306] powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 034/306] powerpc/eeh: Fix null deref for devices removed during EEH Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 036/306] EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr() Greg Kroah-Hartman
                   ` (274 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sam Bobroff, Michael Ellerman, Sasha Levin

From: Sam Bobroff <sbobroff@linux.ibm.com>

[ Upstream commit 473af09b56dc4be68e4af33220ceca6be67aa60d ]

eeh_add_to_parent_pe() sometimes removes the EEH_PE_KEEP flag, but it
incorrectly removes it from pe->type, instead of pe->state.

However, rather than clearing it from the correct field, remove it.
Inspection of the code shows that it can't ever have had any effect
(even if it had been cleared from the correct field), because the
field is never tested after it is cleared by the statement in
question.

The clear statement was added by commit 807a827d4e74 ("powerpc/eeh:
Keep PE during hotplug"), but it didn't explain why it was necessary.

Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/eeh_pe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
index 1b238ecc553e2..210d239a93950 100644
--- a/arch/powerpc/kernel/eeh_pe.c
+++ b/arch/powerpc/kernel/eeh_pe.c
@@ -379,7 +379,7 @@ int eeh_add_to_parent_pe(struct eeh_dev *edev)
 		while (parent) {
 			if (!(parent->type & EEH_PE_INVALID))
 				break;
-			parent->type &= ~(EEH_PE_INVALID | EEH_PE_KEEP);
+			parent->type &= ~EEH_PE_INVALID;
 			parent = parent->parent;
 		}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 036/306] EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 035/306] powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 037/306] mt76: do not store aggregation sequence number for null-data frames Greg Kroah-Hartman
                   ` (273 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Borislav Petkov,
	David Daney, Jan Glauber, Mauro Carvalho Chehab,
	Sergey Temerkhanov, linux-edac, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit d8c27ba86a2fd806d3957e5a9b30e66dfca2a61d ]

Fix memory leak in L2c threaded interrupt handler.

 [ bp: Rewrite commit message. ]

Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
CC: David Daney <david.daney@cavium.com>
CC: Jan Glauber <jglauber@cavium.com>
CC: Mauro Carvalho Chehab <mchehab@kernel.org>
CC: Sergey Temerkhanov <s.temerkhanov@gmail.com>
CC: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/20181013102843.GG16086@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/edac/thunderx_edac.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
index c009d94f40c52..34be60fe68922 100644
--- a/drivers/edac/thunderx_edac.c
+++ b/drivers/edac/thunderx_edac.c
@@ -1884,7 +1884,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
 	default:
 		dev_err(&l2c->pdev->dev, "Unsupported device: %04x\n",
 			l2c->pdev->device);
-		return IRQ_NONE;
+		goto err_free;
 	}
 
 	while (CIRC_CNT(l2c->ring_head, l2c->ring_tail,
@@ -1906,7 +1906,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
 		l2c->ring_tail++;
 	}
 
-	return IRQ_HANDLED;
+	ret = IRQ_HANDLED;
 
 err_free:
 	kfree(other);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 037/306] mt76: do not store aggregation sequence number for null-data frames
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 036/306] EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr() Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 038/306] mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc Greg Kroah-Hartman
                   ` (272 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Sasha Levin

From: Felix Fietkau <nbd@nbd.name>

[ Upstream commit 5155938d8a0fe0e0251435cae02539e81fb8e407 ]

Fixes a rare corner case where a BlockAckReq might get the wrong
sequence number.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/tx.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
index 20447fdce4c33..227e5ebfe3dc2 100644
--- a/drivers/net/wireless/mediatek/mt76/tx.c
+++ b/drivers/net/wireless/mediatek/mt76/tx.c
@@ -148,7 +148,8 @@ mt76_check_agg_ssn(struct mt76_txq *mtxq, struct sk_buff *skb)
 {
 	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 
-	if (!ieee80211_is_data_qos(hdr->frame_control))
+	if (!ieee80211_is_data_qos(hdr->frame_control) ||
+	    !ieee80211_is_data_present(hdr->frame_control))
 		return;
 
 	mtxq->agg_ssn = le16_to_cpu(hdr->seq_ctrl) + 0x10;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 038/306] mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 037/306] mt76: do not store aggregation sequence number for null-data frames Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 039/306] brcmsmac: AP mode: update beacon when TIM changes Greg Kroah-Hartman
                   ` (271 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenzo Bianconi, Felix Fietkau, Sasha Levin

From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>

[ Upstream commit 4df942733fd26d9378a4a00619be348c771e0190 ]

Fix restore value configured in MT_BBP(IBI, 9) register in
mt76x0_phy_recalibrate_after_assoc routine.

Fixes: 10de7a8b4ab9 ("mt76x0: phy files")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/mt76x0/phy.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt76x0/phy.c b/drivers/net/wireless/mediatek/mt76/mt76x0/phy.c
index 14e8c575f6c3e..924c761f34fd9 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x0/phy.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x0/phy.c
@@ -793,9 +793,8 @@ void mt76x0_phy_recalibrate_after_assoc(struct mt76x0_dev *dev)
 	mt76_wr(dev, MT_TX_ALC_CFG_0, 0);
 	usleep_range(500, 700);
 
-	reg_val = mt76_rr(dev, 0x2124);
-	reg_val &= 0xffffff7e;
-	mt76_wr(dev, 0x2124, reg_val);
+	reg_val = mt76_rr(dev, MT_BBP(IBI, 9));
+	mt76_wr(dev, MT_BBP(IBI, 9), 0xffffff7e);
 
 	mt76x0_mcu_calibrate(dev, MCU_CAL_RXDCOC, 0);
 
@@ -806,7 +805,7 @@ void mt76x0_phy_recalibrate_after_assoc(struct mt76x0_dev *dev)
 	mt76x0_mcu_calibrate(dev, MCU_CAL_RXIQ, is_5ghz);
 	mt76x0_mcu_calibrate(dev, MCU_CAL_RX_GROUP_DELAY, is_5ghz);
 
-	mt76_wr(dev, 0x2124, reg_val);
+	mt76_wr(dev, MT_BBP(IBI, 9), reg_val);
 	mt76_wr(dev, MT_TX_ALC_CFG_0, tx_alc);
 	msleep(100);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 039/306] brcmsmac: AP mode: update beacon when TIM changes
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 038/306] mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 040/306] ath10k: set probe request oui during driver start Greg Kroah-Hartman
                   ` (270 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ali MJ Al-Nasrawy, Kalle Valo, Sasha Levin

From: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>

[ Upstream commit 2258ee58baa554609a3cc3996276e4276f537b6d ]

Beacons are not updated to reflect TIM changes. This is not compliant with
power-saving client stations as the beacons do not have valid TIM and can
cause the network to stall at random occasions and to have highly variable
latencies.
Fix it by updating beacon templates on mac80211 set_tim callback.

Addresses an issue described in:
https://marc.info/?i=20180911163534.21312d08%20()%20manjaro

Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../broadcom/brcm80211/brcmsmac/mac80211_if.c | 26 +++++++++++++++++++
 .../broadcom/brcm80211/brcmsmac/main.h        |  1 +
 2 files changed, 27 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
index 6255fb6d97a70..81ff558046a8f 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
@@ -502,6 +502,7 @@ brcms_ops_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
 	}
 
 	spin_lock_bh(&wl->lock);
+	wl->wlc->vif = vif;
 	wl->mute_tx = false;
 	brcms_c_mute(wl->wlc, false);
 	if (vif->type == NL80211_IFTYPE_STATION)
@@ -519,6 +520,11 @@ brcms_ops_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
 static void
 brcms_ops_remove_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
 {
+	struct brcms_info *wl = hw->priv;
+
+	spin_lock_bh(&wl->lock);
+	wl->wlc->vif = NULL;
+	spin_unlock_bh(&wl->lock);
 }
 
 static int brcms_ops_config(struct ieee80211_hw *hw, u32 changed)
@@ -937,6 +943,25 @@ static void brcms_ops_set_tsf(struct ieee80211_hw *hw,
 	spin_unlock_bh(&wl->lock);
 }
 
+static int brcms_ops_beacon_set_tim(struct ieee80211_hw *hw,
+				 struct ieee80211_sta *sta, bool set)
+{
+	struct brcms_info *wl = hw->priv;
+	struct sk_buff *beacon = NULL;
+	u16 tim_offset = 0;
+
+	spin_lock_bh(&wl->lock);
+	if (wl->wlc->vif)
+		beacon = ieee80211_beacon_get_tim(hw, wl->wlc->vif,
+						  &tim_offset, NULL);
+	if (beacon)
+		brcms_c_set_new_beacon(wl->wlc, beacon, tim_offset,
+				       wl->wlc->vif->bss_conf.dtim_period);
+	spin_unlock_bh(&wl->lock);
+
+	return 0;
+}
+
 static const struct ieee80211_ops brcms_ops = {
 	.tx = brcms_ops_tx,
 	.start = brcms_ops_start,
@@ -955,6 +980,7 @@ static const struct ieee80211_ops brcms_ops = {
 	.flush = brcms_ops_flush,
 	.get_tsf = brcms_ops_get_tsf,
 	.set_tsf = brcms_ops_set_tsf,
+	.set_tim = brcms_ops_beacon_set_tim,
 };
 
 void brcms_dpc(unsigned long data)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
index c4d135cff04ad..9f76b880814e8 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
@@ -563,6 +563,7 @@ struct brcms_c_info {
 
 	struct wiphy *wiphy;
 	struct scb pri_scb;
+	struct ieee80211_vif *vif;
 
 	struct sk_buff *beacon;
 	u16 beacon_tim_offset;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 040/306] ath10k: set probe request oui during driver start
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 039/306] brcmsmac: AP mode: update beacon when TIM changes Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 041/306] ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem Greg Kroah-Hartman
                   ` (269 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rakesh Pillai, Kalle Valo, Sasha Levin

From: Rakesh Pillai <pillair@codeaurora.org>

[ Upstream commit f1157695c527d4ee949ac83f743f80107751a70c ]

Currently the wmi command for setting probe request
oui, needed for mac randomization, is sent during
the mac register. At this time, during the driver
init the wmi has already been detached. This can
cause unexpected behavior since the firmware is
already down and the wmi has been detached.

Send the wmi command for setting probe request
oui during the driver start. This will make sure
that the firmware is started and wmi is initialized
before we send this command.

Tested HW: WCN3990
Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1

Fixes: 60e1d0fb290197fe505dff6e4e3b7e4d258dbf60
Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/mac.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index d3d33cc2adfde..613ca74f1b286 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -4686,6 +4686,14 @@ static int ath10k_start(struct ieee80211_hw *hw)
 		goto err_core_stop;
 	}
 
+	if (test_bit(WMI_SERVICE_SPOOF_MAC_SUPPORT, ar->wmi.svc_map)) {
+		ret = ath10k_wmi_scan_prob_req_oui(ar, ar->mac_addr);
+		if (ret) {
+			ath10k_err(ar, "failed to set prob req oui: %i\n", ret);
+			goto err_core_stop;
+		}
+	}
+
 	if (test_bit(WMI_SERVICE_ADAPTIVE_OCS, ar->wmi.svc_map)) {
 		ret = ath10k_wmi_adaptive_qcs(ar, true);
 		if (ret) {
@@ -8551,12 +8559,6 @@ int ath10k_mac_register(struct ath10k *ar)
 	}
 
 	if (test_bit(WMI_SERVICE_SPOOF_MAC_SUPPORT, ar->wmi.svc_map)) {
-		ret = ath10k_wmi_scan_prob_req_oui(ar, ar->mac_addr);
-		if (ret) {
-			ath10k_err(ar, "failed to set prob req oui: %i\n", ret);
-			goto err_dfs_detector_exit;
-		}
-
 		ar->hw->wiphy->features |=
 			NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 041/306] ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 040/306] ath10k: set probe request oui during driver start Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 042/306] skd: fixup usage of legacy IO API Greg Kroah-Hartman
                   ` (268 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Carl Huang, Brian Norris, Kalle Valo,
	Sasha Levin

From: Carl Huang <cjhuang@codeaurora.org>

[ Upstream commit 0738b4998c6d1caf9ca2447b946709a7278c70f1 ]

ath10k_pci_diag_write_mem may allocate big size of the dma memory
based on the parameter nbytes. Take firmware diag download as
example, the biggest size is about 500K. In some systems, the
allocation is likely to fail because it can't acquire such a large
contiguous dma memory.

The fix is to allocate a small size dma memory. In the loop,
driver copies the data to the allocated dma memory and writes to
the destination until all the data is written.

Tested with QCA6174 PCI with
firmware-6.bin_WLAN.RM.4.4.1-00119-QCARMSWP-1, this also affects
QCA9377 PCI.

Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
Reviewed-by: Brian Norris <briannorris@chomium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/pci.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index 97fa5c74f2fe7..50a801a5d4f15 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -1054,10 +1054,9 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
 	struct ath10k_ce *ce = ath10k_ce_priv(ar);
 	int ret = 0;
 	u32 *buf;
-	unsigned int completed_nbytes, orig_nbytes, remaining_bytes;
+	unsigned int completed_nbytes, alloc_nbytes, remaining_bytes;
 	struct ath10k_ce_pipe *ce_diag;
 	void *data_buf = NULL;
-	u32 ce_data;	/* Host buffer address in CE space */
 	dma_addr_t ce_data_base = 0;
 	int i;
 
@@ -1071,9 +1070,10 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
 	 *   1) 4-byte alignment
 	 *   2) Buffer in DMA-able space
 	 */
-	orig_nbytes = nbytes;
+	alloc_nbytes = min_t(unsigned int, nbytes, DIAG_TRANSFER_LIMIT);
+
 	data_buf = (unsigned char *)dma_alloc_coherent(ar->dev,
-						       orig_nbytes,
+						       alloc_nbytes,
 						       &ce_data_base,
 						       GFP_ATOMIC);
 	if (!data_buf) {
@@ -1081,9 +1081,6 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
 		goto done;
 	}
 
-	/* Copy caller's data to allocated DMA buf */
-	memcpy(data_buf, data, orig_nbytes);
-
 	/*
 	 * The address supplied by the caller is in the
 	 * Target CPU virtual address space.
@@ -1096,12 +1093,14 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
 	 */
 	address = ath10k_pci_targ_cpu_to_ce_addr(ar, address);
 
-	remaining_bytes = orig_nbytes;
-	ce_data = ce_data_base;
+	remaining_bytes = nbytes;
 	while (remaining_bytes) {
 		/* FIXME: check cast */
 		nbytes = min_t(int, remaining_bytes, DIAG_TRANSFER_LIMIT);
 
+		/* Copy caller's data to allocated DMA buf */
+		memcpy(data_buf, data, nbytes);
+
 		/* Set up to receive directly into Target(!) address */
 		ret = ce_diag->ops->ce_rx_post_buf(ce_diag, &address, address);
 		if (ret != 0)
@@ -1111,7 +1110,7 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
 		 * Request CE to send caller-supplied data that
 		 * was copied to bounce buffer to Target(!) address.
 		 */
-		ret = ath10k_ce_send_nolock(ce_diag, NULL, (u32)ce_data,
+		ret = ath10k_ce_send_nolock(ce_diag, NULL, ce_data_base,
 					    nbytes, 0, 0);
 		if (ret != 0)
 			goto done;
@@ -1152,12 +1151,12 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
 
 		remaining_bytes -= nbytes;
 		address += nbytes;
-		ce_data += nbytes;
+		data += nbytes;
 	}
 
 done:
 	if (data_buf) {
-		dma_free_coherent(ar->dev, orig_nbytes, data_buf,
+		dma_free_coherent(ar->dev, alloc_nbytes, data_buf,
 				  ce_data_base);
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 042/306] skd: fixup usage of legacy IO API
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 041/306] ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 043/306] cdrom: dont attempt to fiddle with cdo->capability Greg Kroah-Hartman
                   ` (267 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jens Axboe, Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit 6d1f9dfde7343c4ebfb8f84dcb333af571bb3b22 ]

We need to be using the mq variant of request requeue here.

Fixes: ca33dd92968b ("skd: Convert to blk-mq")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/skd_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/block/skd_main.c b/drivers/block/skd_main.c
index 87b9e7fbf0621..27323fa23997d 100644
--- a/drivers/block/skd_main.c
+++ b/drivers/block/skd_main.c
@@ -1416,7 +1416,7 @@ static void skd_resolve_req_exception(struct skd_device *skdev,
 
 	case SKD_CHECK_STATUS_BUSY_IMMINENT:
 		skd_log_skreq(skdev, skreq, "retry(busy)");
-		blk_requeue_request(skdev->queue, req);
+		blk_mq_requeue_request(req, true);
 		dev_info(&skdev->pdev->dev, "drive BUSY imminent\n");
 		skdev->state = SKD_DRVR_STATE_BUSY_IMMINENT;
 		skdev->timer_countdown = SKD_TIMER_MINUTES(20);
@@ -1426,7 +1426,7 @@ static void skd_resolve_req_exception(struct skd_device *skdev,
 	case SKD_CHECK_STATUS_REQUEUE_REQUEST:
 		if ((unsigned long) ++req->special < SKD_MAX_RETRIES) {
 			skd_log_skreq(skdev, skreq, "retry");
-			blk_requeue_request(skdev->queue, req);
+			blk_mq_requeue_request(req, true);
 			break;
 		}
 		/* fall through */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 043/306] cdrom: dont attempt to fiddle with cdo->capability
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 042/306] skd: fixup usage of legacy IO API Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 044/306] spi: sh-msiof: fix deferred probing Greg Kroah-Hartman
                   ` (266 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ondrej Zary, Jens Axboe, Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit 8f94004e2a51a3ea195cf3447eb5d5906f36d8b3 ]

We can't modify cdo->capability as it is defined as a const.
Change the modification hack to just WARN_ON_ONCE() if we hit
any of the invalid combinations.

This fixes a regression for pcd, which doesn't work after the
constify patch.

Fixes: 853fe1bf7554 ("cdrom: Make device operations read-only")
Tested-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cdrom/cdrom.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 27a82a559ab94..933268b8d6a54 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -411,10 +411,10 @@ static int cdrom_get_disc_info(struct cdrom_device_info *cdi,
  * hack to have the capability flags defined const, while we can still
  * change it here without gcc complaining at every line.
  */
-#define ENSURE(call, bits)			\
-do {						\
-	if (cdo->call == NULL)			\
-		*change_capability &= ~(bits);	\
+#define ENSURE(cdo, call, bits)					\
+do {								\
+	if (cdo->call == NULL)					\
+		WARN_ON_ONCE((cdo)->capability & (bits));	\
 } while (0)
 
 /*
@@ -590,7 +590,6 @@ int register_cdrom(struct cdrom_device_info *cdi)
 {
 	static char banner_printed;
 	const struct cdrom_device_ops *cdo = cdi->ops;
-	int *change_capability = (int *)&cdo->capability; /* hack */
 
 	cd_dbg(CD_OPEN, "entering register_cdrom\n");
 
@@ -602,16 +601,16 @@ int register_cdrom(struct cdrom_device_info *cdi)
 		cdrom_sysctl_register();
 	}
 
-	ENSURE(drive_status, CDC_DRIVE_STATUS);
+	ENSURE(cdo, drive_status, CDC_DRIVE_STATUS);
 	if (cdo->check_events == NULL && cdo->media_changed == NULL)
-		*change_capability = ~(CDC_MEDIA_CHANGED | CDC_SELECT_DISC);
-	ENSURE(tray_move, CDC_CLOSE_TRAY | CDC_OPEN_TRAY);
-	ENSURE(lock_door, CDC_LOCK);
-	ENSURE(select_speed, CDC_SELECT_SPEED);
-	ENSURE(get_last_session, CDC_MULTI_SESSION);
-	ENSURE(get_mcn, CDC_MCN);
-	ENSURE(reset, CDC_RESET);
-	ENSURE(generic_packet, CDC_GENERIC_PACKET);
+		WARN_ON_ONCE(cdo->capability & (CDC_MEDIA_CHANGED | CDC_SELECT_DISC));
+	ENSURE(cdo, tray_move, CDC_CLOSE_TRAY | CDC_OPEN_TRAY);
+	ENSURE(cdo, lock_door, CDC_LOCK);
+	ENSURE(cdo, select_speed, CDC_SELECT_SPEED);
+	ENSURE(cdo, get_last_session, CDC_MULTI_SESSION);
+	ENSURE(cdo, get_mcn, CDC_MCN);
+	ENSURE(cdo, reset, CDC_RESET);
+	ENSURE(cdo, generic_packet, CDC_GENERIC_PACKET);
 	cdi->mc_flags = 0;
 	cdi->options = CDO_USE_FFLAGS;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 044/306] spi: sh-msiof: fix deferred probing
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 043/306] cdrom: dont attempt to fiddle with cdo->capability Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 045/306] mmc: mediatek: fill the actual clock for mmc debugfs Greg Kroah-Hartman
                   ` (265 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, Mark Brown, Sasha Levin

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

[ Upstream commit f34c6e6257aa477cdfe7e9bbbecd3c5648ecda69 ]

Since commit 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
platform_get_irq() can return -EPROBE_DEFER. However, the driver overrides
an error returned by that function with -ENOENT which breaks the deferred
probing. Propagate upstream an error code returned by platform_get_irq()
and remove the bogus "platform" from the error message, while at it...

Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-sh-msiof.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
index 101cd6aae2ea5..30ea0a2068e09 100644
--- a/drivers/spi/spi-sh-msiof.c
+++ b/drivers/spi/spi-sh-msiof.c
@@ -1343,8 +1343,8 @@ static int sh_msiof_spi_probe(struct platform_device *pdev)
 
 	i = platform_get_irq(pdev, 0);
 	if (i < 0) {
-		dev_err(&pdev->dev, "cannot get platform IRQ\n");
-		ret = -ENOENT;
+		dev_err(&pdev->dev, "cannot get IRQ\n");
+		ret = i;
 		goto err1;
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 045/306] mmc: mediatek: fill the actual clock for mmc debugfs
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 044/306] spi: sh-msiof: fix deferred probing Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 046/306] mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail Greg Kroah-Hartman
                   ` (264 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chaotian Jing, Ulf Hansson, Sasha Levin

From: Chaotian Jing <chaotian.jing@mediatek.com>

[ Upstream commit 56f6cbbed0463f1c78d602b17c315916cc1cd238 ]

as the mmc core layer has the mmc->actual_clock, so fill it
and drop msdc_host->sclk.

Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/mtk-sd.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
index f171cce5197de..621c914dc5c01 100644
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -390,7 +390,6 @@ struct msdc_host {
 	struct clk *src_clk_cg; /* msdc source clock control gate */
 	u32 mclk;		/* mmc subsystem clock frequency */
 	u32 src_clk_freq;	/* source clock frequency */
-	u32 sclk;		/* SD/MS bus clock frequency */
 	unsigned char timing;
 	bool vqmmc_enabled;
 	u32 latch_ck;
@@ -635,10 +634,10 @@ static void msdc_set_timeout(struct msdc_host *host, u32 ns, u32 clks)
 
 	host->timeout_ns = ns;
 	host->timeout_clks = clks;
-	if (host->sclk == 0) {
+	if (host->mmc->actual_clock == 0) {
 		timeout = 0;
 	} else {
-		clk_ns  = 1000000000UL / host->sclk;
+		clk_ns  = 1000000000UL / host->mmc->actual_clock;
 		timeout = (ns + clk_ns - 1) / clk_ns + clks;
 		/* in 1048576 sclk cycle unit */
 		timeout = (timeout + (0x1 << 20) - 1) >> 20;
@@ -683,6 +682,7 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
 	if (!hz) {
 		dev_dbg(host->dev, "set mclk to 0\n");
 		host->mclk = 0;
+		host->mmc->actual_clock = 0;
 		sdr_clr_bits(host->base + MSDC_CFG, MSDC_CFG_CKPDN);
 		return;
 	}
@@ -761,7 +761,7 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
 	while (!(readl(host->base + MSDC_CFG) & MSDC_CFG_CKSTB))
 		cpu_relax();
 	sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_CKPDN);
-	host->sclk = sclk;
+	host->mmc->actual_clock = sclk;
 	host->mclk = hz;
 	host->timing = timing;
 	/* need because clk changed. */
@@ -772,7 +772,7 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
 	 * mmc_select_hs400() will drop to 50Mhz and High speed mode,
 	 * tune result of hs200/200Mhz is not suitable for 50Mhz
 	 */
-	if (host->sclk <= 52000000) {
+	if (host->mmc->actual_clock <= 52000000) {
 		writel(host->def_tune_para.iocon, host->base + MSDC_IOCON);
 		writel(host->def_tune_para.pad_tune, host->base + tune_reg);
 	} else {
@@ -787,7 +787,8 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
 		sdr_set_field(host->base + tune_reg,
 			      MSDC_PAD_TUNE_CMDRRDLY,
 			      host->hs400_cmd_int_delay);
-	dev_dbg(host->dev, "sclk: %d, timing: %d\n", host->sclk, timing);
+	dev_dbg(host->dev, "sclk: %d, timing: %d\n", host->mmc->actual_clock,
+		timing);
 }
 
 static inline u32 msdc_cmd_find_resp(struct msdc_host *host,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 046/306] mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 045/306] mmc: mediatek: fill the actual clock for mmc debugfs Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 047/306] PCI: mediatek: Fix class type for MT7622 to PCI_CLASS_BRIDGE_PCI Greg Kroah-Hartman
                   ` (263 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chaotian Jing, Ulf Hansson, Sasha Levin

From: Chaotian Jing <chaotian.jing@mediatek.com>

[ Upstream commit f38a9774ddde9d79b3487dd888edd8b8623552af ]

when msdc_cmd_is_ready return fail, the req_timeout work has not been
inited and cancel_delayed_work() will return false, then, the request
return directly and never call mmc_request_done().

so need call mod_delayed_work() before msdc_cmd_is_ready()

Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/mtk-sd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
index 621c914dc5c01..673f6a9616cd9 100644
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -1056,6 +1056,7 @@ static void msdc_start_command(struct msdc_host *host,
 	WARN_ON(host->cmd);
 	host->cmd = cmd;
 
+	mod_delayed_work(system_wq, &host->req_timeout, DAT_TIMEOUT);
 	if (!msdc_cmd_is_ready(host, mrq, cmd))
 		return;
 
@@ -1067,7 +1068,6 @@ static void msdc_start_command(struct msdc_host *host,
 
 	cmd->error = 0;
 	rawcmd = msdc_cmd_prepare_raw_cmd(host, mrq, cmd);
-	mod_delayed_work(system_wq, &host->req_timeout, DAT_TIMEOUT);
 
 	sdr_set_bits(host->base + MSDC_INTEN, cmd_ints_mask);
 	writel(cmd->arg, host->base + SDC_ARG);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 047/306] PCI: mediatek: Fix class type for MT7622 to PCI_CLASS_BRIDGE_PCI
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 046/306] mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 048/306] btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag Greg Kroah-Hartman
                   ` (262 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Honghui Zhang, Lorenzo Pieralisi,
	Ryder Lee, Sasha Levin

From: Honghui Zhang <honghui.zhang@mediatek.com>

[ Upstream commit a7f172ab6a8e755e60311f27512034b0441ef421 ]

commit 101c92dc80c8 ("PCI: mediatek: Set up vendor ID and class
type for MT7622") erroneously set the class type for MT7622 to
PCI_CLASS_BRIDGE_HOST.

The PCIe controller of MT7622 integrates a Root Port that has type 1
configuration space header and related bridge windows.

The HW default value of this bridge's class type is invalid.

Fix its class type and set it to PCI_CLASS_BRIDGE_PCI to
match the hardware implementation.

Fixes: 101c92dc80c8 ("PCI: mediatek: Set up vendor ID and class type for MT7622")
Signed-off-by: Honghui Zhang <honghui.zhang@mediatek.com>
[lorenzo.pieralisi@arm.com: reworked the commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/controller/pcie-mediatek.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/controller/pcie-mediatek.c b/drivers/pci/controller/pcie-mediatek.c
index 0d100f56cb884..8d1364c317747 100644
--- a/drivers/pci/controller/pcie-mediatek.c
+++ b/drivers/pci/controller/pcie-mediatek.c
@@ -432,7 +432,7 @@ static int mtk_pcie_startup_port_v2(struct mtk_pcie_port *port)
 		val = PCI_VENDOR_ID_MEDIATEK;
 		writew(val, port->base + PCIE_CONF_VEND_ID);
 
-		val = PCI_CLASS_BRIDGE_HOST;
+		val = PCI_CLASS_BRIDGE_PCI;
 		writew(val, port->base + PCIE_CONF_CLASS_ID);
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 048/306] btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 047/306] PCI: mediatek: Fix class type for MT7622 to PCI_CLASS_BRIDGE_PCI Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 049/306] btrfs: handle error of get_old_root Greg Kroah-Hartman
                   ` (261 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Su Yue, David Sterba, Sasha Levin

From: Su Yue <suy.fnst@cn.fujitsu.com>

[ Upstream commit 28c4a3e21ad030d7571ee9b1b246a5cbfd886627 ]

Since commit 8b62f87bad9c ("Btrfs: rework outstanding_extents"),
manual operations of outstanding_extent in btrfs_inode are replaced by
btrfs_mod_outstanding_extents().
The one in cluster_pages_for_defrag seems to be lost, so replace it
of btrfs_mod_outstanding_extents().

Fixes: 8b62f87bad9c ("Btrfs: rework outstanding_extents")
Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 7592beb53fc4e..00ff4349b4579 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1337,7 +1337,7 @@ static int cluster_pages_for_defrag(struct inode *inode,
 
 	if (i_done != page_cnt) {
 		spin_lock(&BTRFS_I(inode)->lock);
-		BTRFS_I(inode)->outstanding_extents++;
+		btrfs_mod_outstanding_extents(BTRFS_I(inode), 1);
 		spin_unlock(&BTRFS_I(inode)->lock);
 		btrfs_delalloc_release_space(inode, data_reserved,
 				start_index << PAGE_SHIFT,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 049/306] btrfs: handle error of get_old_root
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 048/306] btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 050/306] gsmi: Fix bug in append_to_eventlog sysfs handler Greg Kroah-Hartman
                   ` (260 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, Lu Fengqi,
	David Sterba, Sasha Levin

From: Nikolay Borisov <nborisov@suse.com>

[ Upstream commit 315bed43fea532650933e7bba316a7601d439edf ]

In btrfs_search_old_slot get_old_root is always used with the assumption
it cannot fail. However, this is not true in rare circumstance it can
fail and return null. This will lead to null point dereference when the
header is read. Fix this by checking the return value and properly
handling NULL by setting ret to -EIO and returning gracefully.

Coverity-id: 1087503
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/ctree.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index 9fd383285f0ea..fc764f350f05a 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -3031,6 +3031,10 @@ int btrfs_search_old_slot(struct btrfs_root *root, const struct btrfs_key *key,
 
 again:
 	b = get_old_root(root, time_seq);
+	if (!b) {
+		ret = -EIO;
+		goto done;
+	}
 	level = btrfs_header_level(b);
 	p->locks[level] = BTRFS_READ_LOCK;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 050/306] gsmi: Fix bug in append_to_eventlog sysfs handler
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 049/306] btrfs: handle error of get_old_root Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 051/306] misc: mic: fix a DMA pool free failure Greg Kroah-Hartman
                   ` (259 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Duncan Laurie, Vadim Bendebury,
	Stefan Reinauer, Furquan Shaikh, Furquan Shaikh, Aaron Durbin,
	Justin TerAvest, Ross Zwisler, Guenter Roeck, Sasha Levin

From: Duncan Laurie <dlaurie@chromium.org>

[ Upstream commit 655603de68469adaff16842ac17a5aec9c9ce89b ]

The sysfs handler should return the number of bytes consumed, which in the
case of a successful write is the entire buffer.  Also fix a bug where
param.data_len was being set to (count - (2 * sizeof(u32))) instead of just
(count - sizeof(u32)).  The latter is correct because we skip over the
leading u32 which is our param.type, but we were also incorrectly
subtracting sizeof(u32) on the line where we were actually setting
param.data_len:

	param.data_len = count - sizeof(u32);

This meant that for our example event.kernel_software_watchdog with total
length 10 bytes, param.data_len was just 2 prior to this change.

To test, successfully append an event to the log with gsmi sysfs.
This sample event is for a "Kernel Software Watchdog"

> xxd -g 1 event.kernel_software_watchdog
0000000: 01 00 00 00 ad de 06 00 00 00

> cat event.kernel_software_watchdog > /sys/firmware/gsmi/append_to_eventlog

> mosys eventlog list | tail -1
14 | 2012-06-25 10:14:14 | Kernl Event | Software Watchdog

Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
Signed-off-by: Furquan Shaikh <furquan@google.com>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Justin TerAvest <teravest@chromium.org>
[zwisler: updated changelog for 2nd bug fix and upstream]
Signed-off-by: Ross Zwisler <zwisler@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/firmware/google/gsmi.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
index c8f169bf2e27d..62337be07afcb 100644
--- a/drivers/firmware/google/gsmi.c
+++ b/drivers/firmware/google/gsmi.c
@@ -480,11 +480,10 @@ static ssize_t eventlog_write(struct file *filp, struct kobject *kobj,
 	if (count < sizeof(u32))
 		return -EINVAL;
 	param.type = *(u32 *)buf;
-	count -= sizeof(u32);
 	buf += sizeof(u32);
 
 	/* The remaining buffer is the data payload */
-	if (count > gsmi_dev.data_buf->length)
+	if ((count - sizeof(u32)) > gsmi_dev.data_buf->length)
 		return -EINVAL;
 	param.data_len = count - sizeof(u32);
 
@@ -504,7 +503,7 @@ static ssize_t eventlog_write(struct file *filp, struct kobject *kobj,
 
 	spin_unlock_irqrestore(&gsmi_dev.lock, flags);
 
-	return rc;
+	return (rc == 0) ? count : rc;
 
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 051/306] misc: mic: fix a DMA pool free failure
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 050/306] gsmi: Fix bug in append_to_eventlog sysfs handler Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 052/306] w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size) Greg Kroah-Hartman
                   ` (258 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Sasha Levin

From: Wenwen Wang <wang6495@umn.edu>

[ Upstream commit 6b995f4eec34745f6cb20d66d5277611f0b3c3fa ]

In _scif_prog_signal(), the boolean variable 'x100' is used to indicate
whether the MIC Coprocessor is X100. If 'x100' is true, the status
descriptor will be used to write the value to the destination. Otherwise, a
DMA pool will be allocated for this purpose. Specifically, if the DMA pool
is allocated successfully, two memory addresses will be returned. One is
for the CPU and the other is for the device to access the DMA pool. The
former is stored to the variable 'status' and the latter is stored to the
variable 'src'. After the allocation, the address in 'src' is saved to
'status->src_dma_addr', which is actually in the DMA pool, and 'src' is
then modified.

Later on, if an error occurs, the execution flow will transfer to the label
'dma_fail', which will check 'x100' and free up the allocated DMA pool if
'x100' is false. The point here is that 'status->src_dma_addr' is used for
freeing up the DMA pool. As mentioned before, 'status->src_dma_addr' is in
the DMA pool. And thus, the device is able to modify this data. This can
potentially cause failures when freeing up the DMA pool because of the
modified device address.

This patch avoids the above issue by using the variable 'src' (with
necessary calculation) to free up the DMA pool.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/mic/scif/scif_fence.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/mic/scif/scif_fence.c b/drivers/misc/mic/scif/scif_fence.c
index cac3bcc308a7e..7bb929f05d852 100644
--- a/drivers/misc/mic/scif/scif_fence.c
+++ b/drivers/misc/mic/scif/scif_fence.c
@@ -272,7 +272,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val)
 dma_fail:
 	if (!x100)
 		dma_pool_free(ep->remote_dev->signal_pool, status,
-			      status->src_dma_addr);
+			      src - offsetof(struct scif_status, val));
 alloc_fail:
 	return err;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 052/306] w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size).
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 051/306] misc: mic: fix a DMA pool free failure Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 053/306] m68k: fix command-line parsing when passed from u-boot Greg Kroah-Hartman
                   ` (257 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julien Folly, Evgeniy Polyakov, Sasha Levin

From: Julien Folly <julien.folly@gmail.com>

[ Upstream commit 6eaafbb6998e999467cf78a76e155ee00e372b14 ]

IAD Register is yet readable trough the "iad" sys file.

A write to the "iad" sys file enables or disables the current
measurement, but it was not possible to get the measured value by
reading it.
Fix: %u in snprintf for unsigned values (vdd and vad)
Fix: Avoid possibles overflows (Usage of the 'count' variables)

Signed-off-by: Julien Folly <julien.folly@gmail.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/w1/slaves/w1_ds2438.c | 66 +++++++++++++++++++++++++++--------
 1 file changed, 52 insertions(+), 14 deletions(-)

diff --git a/drivers/w1/slaves/w1_ds2438.c b/drivers/w1/slaves/w1_ds2438.c
index bf641a191d077..7c4e33dbee4d5 100644
--- a/drivers/w1/slaves/w1_ds2438.c
+++ b/drivers/w1/slaves/w1_ds2438.c
@@ -186,8 +186,8 @@ static int w1_ds2438_change_config_bit(struct w1_slave *sl, u8 mask, u8 value)
 	return -1;
 }
 
-static uint16_t w1_ds2438_get_voltage(struct w1_slave *sl,
-				      int adc_input, uint16_t *voltage)
+static int w1_ds2438_get_voltage(struct w1_slave *sl,
+				 int adc_input, uint16_t *voltage)
 {
 	unsigned int retries = W1_DS2438_RETRIES;
 	u8 w1_buf[DS2438_PAGE_SIZE + 1 /*for CRC*/];
@@ -235,6 +235,25 @@ static uint16_t w1_ds2438_get_voltage(struct w1_slave *sl,
 	return ret;
 }
 
+static int w1_ds2438_get_current(struct w1_slave *sl, int16_t *voltage)
+{
+	u8 w1_buf[DS2438_PAGE_SIZE + 1 /*for CRC*/];
+	int ret;
+
+	mutex_lock(&sl->master->bus_mutex);
+
+	if (w1_ds2438_get_page(sl, 0, w1_buf) == 0) {
+		/* The voltage measured across current sense resistor RSENS. */
+		*voltage = (((int16_t) w1_buf[DS2438_CURRENT_MSB]) << 8) | ((int16_t) w1_buf[DS2438_CURRENT_LSB]);
+		ret = 0;
+	} else
+		ret = -1;
+
+	mutex_unlock(&sl->master->bus_mutex);
+
+	return ret;
+}
+
 static ssize_t iad_write(struct file *filp, struct kobject *kobj,
 			 struct bin_attribute *bin_attr, char *buf,
 			 loff_t off, size_t count)
@@ -257,6 +276,27 @@ static ssize_t iad_write(struct file *filp, struct kobject *kobj,
 	return ret;
 }
 
+static ssize_t iad_read(struct file *filp, struct kobject *kobj,
+			struct bin_attribute *bin_attr, char *buf,
+			loff_t off, size_t count)
+{
+	struct w1_slave *sl = kobj_to_w1_slave(kobj);
+	int ret;
+	int16_t voltage;
+
+	if (off != 0)
+		return 0;
+	if (!buf)
+		return -EINVAL;
+
+	if (w1_ds2438_get_current(sl, &voltage) == 0) {
+		ret = snprintf(buf, count, "%i\n", voltage);
+	} else
+		ret = -EIO;
+
+	return ret;
+}
+
 static ssize_t page0_read(struct file *filp, struct kobject *kobj,
 			  struct bin_attribute *bin_attr, char *buf,
 			  loff_t off, size_t count)
@@ -272,9 +312,13 @@ static ssize_t page0_read(struct file *filp, struct kobject *kobj,
 
 	mutex_lock(&sl->master->bus_mutex);
 
+	/* Read no more than page0 size */
+	if (count > DS2438_PAGE_SIZE)
+		count = DS2438_PAGE_SIZE;
+
 	if (w1_ds2438_get_page(sl, 0, w1_buf) == 0) {
-		memcpy(buf, &w1_buf, DS2438_PAGE_SIZE);
-		ret = DS2438_PAGE_SIZE;
+		memcpy(buf, &w1_buf, count);
+		ret = count;
 	} else
 		ret = -EIO;
 
@@ -289,7 +333,6 @@ static ssize_t temperature_read(struct file *filp, struct kobject *kobj,
 {
 	struct w1_slave *sl = kobj_to_w1_slave(kobj);
 	int ret;
-	ssize_t c = PAGE_SIZE;
 	int16_t temp;
 
 	if (off != 0)
@@ -298,8 +341,7 @@ static ssize_t temperature_read(struct file *filp, struct kobject *kobj,
 		return -EINVAL;
 
 	if (w1_ds2438_get_temperature(sl, &temp) == 0) {
-		c -= snprintf(buf + PAGE_SIZE - c, c, "%d\n", temp);
-		ret = PAGE_SIZE - c;
+		ret = snprintf(buf, count, "%i\n", temp);
 	} else
 		ret = -EIO;
 
@@ -312,7 +354,6 @@ static ssize_t vad_read(struct file *filp, struct kobject *kobj,
 {
 	struct w1_slave *sl = kobj_to_w1_slave(kobj);
 	int ret;
-	ssize_t c = PAGE_SIZE;
 	uint16_t voltage;
 
 	if (off != 0)
@@ -321,8 +362,7 @@ static ssize_t vad_read(struct file *filp, struct kobject *kobj,
 		return -EINVAL;
 
 	if (w1_ds2438_get_voltage(sl, DS2438_ADC_INPUT_VAD, &voltage) == 0) {
-		c -= snprintf(buf + PAGE_SIZE - c, c, "%d\n", voltage);
-		ret = PAGE_SIZE - c;
+		ret = snprintf(buf, count, "%u\n", voltage);
 	} else
 		ret = -EIO;
 
@@ -335,7 +375,6 @@ static ssize_t vdd_read(struct file *filp, struct kobject *kobj,
 {
 	struct w1_slave *sl = kobj_to_w1_slave(kobj);
 	int ret;
-	ssize_t c = PAGE_SIZE;
 	uint16_t voltage;
 
 	if (off != 0)
@@ -344,15 +383,14 @@ static ssize_t vdd_read(struct file *filp, struct kobject *kobj,
 		return -EINVAL;
 
 	if (w1_ds2438_get_voltage(sl, DS2438_ADC_INPUT_VDD, &voltage) == 0) {
-		c -= snprintf(buf + PAGE_SIZE - c, c, "%d\n", voltage);
-		ret = PAGE_SIZE - c;
+		ret = snprintf(buf, count, "%u\n", voltage);
 	} else
 		ret = -EIO;
 
 	return ret;
 }
 
-static BIN_ATTR(iad, S_IRUGO | S_IWUSR | S_IWGRP, NULL, iad_write, 1);
+static BIN_ATTR(iad, S_IRUGO | S_IWUSR | S_IWGRP, iad_read, iad_write, 0);
 static BIN_ATTR_RO(page0, DS2438_PAGE_SIZE);
 static BIN_ATTR_RO(temperature, 0/* real length varies */);
 static BIN_ATTR_RO(vad, 0/* real length varies */);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 053/306] m68k: fix command-line parsing when passed from u-boot
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 052/306] w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size) Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 054/306] scsi: hisi_sas: Feed back linkrate(max/min) when re-attached Greg Kroah-Hartman
                   ` (256 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Angelo Dureghello, Greg Ungerer, Sasha Levin

From: Angelo Dureghello <angelo@sysam.it>

[ Upstream commit 381fdd62c38344a771aed06adaf14aae65c47454 ]

This patch fixes command_line array zero-terminated
one byte over the end of the array, causing boot to hang.

Signed-off-by: Angelo Dureghello <angelo@sysam.it>
Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/m68k/kernel/uboot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
index b29c3b241e1bb..1070828770645 100644
--- a/arch/m68k/kernel/uboot.c
+++ b/arch/m68k/kernel/uboot.c
@@ -102,5 +102,5 @@ __init void process_uboot_commandline(char *commandp, int size)
 	}
 
 	parse_uboot_commandline(commandp, len);
-	commandp[size - 1] = 0;
+	commandp[len - 1] = 0;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 054/306] scsi: hisi_sas: Feed back linkrate(max/min) when re-attached
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 053/306] m68k: fix command-line parsing when passed from u-boot Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 055/306] scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO Greg Kroah-Hartman
                   ` (255 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luo Jiaxing, John Garry,
	Martin K. Petersen, Sasha Levin

From: Luo Jiaxing <luojiaxing@huawei.com>

[ Upstream commit 5a54691f874ab29ec82f08bc6936866a3ccdaa91 ]

At directly attached situation, if the user modifies the sysfs interface
of maximum_linkrate and minimum_linkrate to renegotiate the linkrate
between SAS controller and target, the value of both files mentioned
above should have change to user setting after renegotiate is over, but
it remains unchanged.

To fix this bug, maximum_linkrate and minimum_linkrate will be directly
fed back to relevant sas_phy structure.

Signed-off-by: Luo Jiaxing <luojiaxing@huawei.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/hisi_sas/hisi_sas_main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index fd9d82c9033de..e9747379384b2 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -906,6 +906,9 @@ static void hisi_sas_phy_set_linkrate(struct hisi_hba *hisi_hba, int phy_no,
 	_r.maximum_linkrate = max;
 	_r.minimum_linkrate = min;
 
+	sas_phy->phy->maximum_linkrate = max;
+	sas_phy->phy->minimum_linkrate = min;
+
 	hisi_hba->hw->phy_disable(hisi_hba, phy_no);
 	msleep(100);
 	hisi_hba->hw->phy_set_linkrate(hisi_hba, phy_no, &_r);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 055/306] scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 054/306] scsi: hisi_sas: Feed back linkrate(max/min) when re-attached Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 056/306] scsi: hisi_sas: Free slot later in slot_complete_vx_hw() Greg Kroah-Hartman
                   ` (254 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiang Chen, John Garry,
	Martin K. Petersen, Sasha Levin

From: Xiang Chen <chenxiang66@hisilicon.com>

[ Upstream commit 584f53fe5f529d877968c711a095923c1ed12307 ]

If SMP/internal IO times out, we will possibly free the task immediately.

However if the IO actually completes at the same time, the IO completion
may refer to task which has been freed.

So to solve the issue, flush the tasklet to finish IO completion before
free'ing slot/task.

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/hisi_sas/hisi_sas_main.c | 55 ++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index e9747379384b2..d4a2625a44232 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -955,8 +955,7 @@ static int hisi_sas_control_phy(struct asd_sas_phy *sas_phy, enum phy_func func,
 
 static void hisi_sas_task_done(struct sas_task *task)
 {
-	if (!del_timer(&task->slow_task->timer))
-		return;
+	del_timer(&task->slow_task->timer);
 	complete(&task->slow_task->completion);
 }
 
@@ -965,13 +964,17 @@ static void hisi_sas_tmf_timedout(struct timer_list *t)
 	struct sas_task_slow *slow = from_timer(slow, t, timer);
 	struct sas_task *task = slow->task;
 	unsigned long flags;
+	bool is_completed = true;
 
 	spin_lock_irqsave(&task->task_state_lock, flags);
-	if (!(task->task_state_flags & SAS_TASK_STATE_DONE))
+	if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 		task->task_state_flags |= SAS_TASK_STATE_ABORTED;
+		is_completed = false;
+	}
 	spin_unlock_irqrestore(&task->task_state_lock, flags);
 
-	complete(&task->slow_task->completion);
+	if (!is_completed)
+		complete(&task->slow_task->completion);
 }
 
 #define TASK_TIMEOUT 20
@@ -1022,10 +1025,18 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device,
 		if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
 			if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 				struct hisi_sas_slot *slot = task->lldd_task;
+				struct hisi_sas_cq *cq =
+					&hisi_hba->cq[slot->dlvry_queue];
 
 				dev_err(dev, "abort tmf: TMF task timeout and not done\n");
-				if (slot)
+				if (slot) {
+					/*
+					 * flush tasklet to avoid free'ing task
+					 * before using task in IO completion
+					 */
+					tasklet_kill(&cq->tasklet);
 					slot->task = NULL;
+				}
 
 				goto ex_err;
 			} else
@@ -1401,6 +1412,17 @@ static int hisi_sas_abort_task(struct sas_task *task)
 
 	spin_lock_irqsave(&task->task_state_lock, flags);
 	if (task->task_state_flags & SAS_TASK_STATE_DONE) {
+		struct hisi_sas_slot *slot = task->lldd_task;
+		struct hisi_sas_cq *cq;
+
+		if (slot) {
+			/*
+			 * flush tasklet to avoid free'ing task
+			 * before using task in IO completion
+			 */
+			cq = &hisi_hba->cq[slot->dlvry_queue];
+			tasklet_kill(&cq->tasklet);
+		}
 		spin_unlock_irqrestore(&task->task_state_lock, flags);
 		rc = TMF_RESP_FUNC_COMPLETE;
 		goto out;
@@ -1456,12 +1478,19 @@ static int hisi_sas_abort_task(struct sas_task *task)
 		/* SMP */
 		struct hisi_sas_slot *slot = task->lldd_task;
 		u32 tag = slot->idx;
+		struct hisi_sas_cq *cq = &hisi_hba->cq[slot->dlvry_queue];
 
 		rc = hisi_sas_internal_task_abort(hisi_hba, device,
 			     HISI_SAS_INT_ABT_CMD, tag);
 		if (((rc < 0) || (rc == TMF_RESP_FUNC_FAILED)) &&
-					task->lldd_task)
-			hisi_sas_do_release_task(hisi_hba, task, slot);
+					task->lldd_task) {
+			/*
+			 * flush tasklet to avoid free'ing task
+			 * before using task in IO completion
+			 */
+			tasklet_kill(&cq->tasklet);
+			slot->task = NULL;
+		}
 	}
 
 out:
@@ -1827,9 +1856,17 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
 	if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
 		if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 			struct hisi_sas_slot *slot = task->lldd_task;
-
-			if (slot)
+			struct hisi_sas_cq *cq =
+				&hisi_hba->cq[slot->dlvry_queue];
+
+			if (slot) {
+				/*
+				 * flush tasklet to avoid free'ing task
+				 * before using task in IO completion
+				 */
+				tasklet_kill(&cq->tasklet);
 				slot->task = NULL;
+			}
 			dev_err(dev, "internal task abort: timeout and not done.\n");
 			res = -EIO;
 			goto exit;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 056/306] scsi: hisi_sas: Free slot later in slot_complete_vx_hw()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 055/306] scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 057/306] RDMA/bnxt_re: Avoid NULL check after accessing the pointer Greg Kroah-Hartman
                   ` (253 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiang Chen, John Garry,
	Martin K. Petersen, Sasha Levin

From: Xiang Chen <chenxiang66@hisilicon.com>

[ Upstream commit 3e178f3ecfcf91a258e832b0f0843a4cfd9059ac ]

If an SSP/SMP IO times out, it may be actually in reality be
simultaneously processing completion of the slot in
slot_complete_vx_hw().

Then if the slot is freed in slot_complete_vx_hw() (this IPTT is freed
and it may be re-used by other slot), and we may abort the wrong slot in
hisi_sas_abort_task().

So to solve the issue, free the slot after the check of
SAS_TASK_STATE_ABORTED in slot_complete_vx_hw().

Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 2 +-
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
index 1c4ea58da1ae1..c4774d63d5d04 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
@@ -2481,7 +2481,6 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
 	}
 
 out:
-	hisi_sas_slot_task_free(hisi_hba, task, slot);
 	sts = ts->stat;
 	spin_lock_irqsave(&task->task_state_lock, flags);
 	if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
@@ -2491,6 +2490,7 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
 	}
 	task->task_state_flags |= SAS_TASK_STATE_DONE;
 	spin_unlock_irqrestore(&task->task_state_lock, flags);
+	hisi_sas_slot_task_free(hisi_hba, task, slot);
 
 	if (!is_internal && (task->task_proto != SAS_PROTOCOL_SMP)) {
 		spin_lock_irqsave(&device->done_lock, flags);
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index 3922b17e2ea39..fb2a5969181b5 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -1749,7 +1749,6 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
 	}
 
 out:
-	hisi_sas_slot_task_free(hisi_hba, task, slot);
 	sts = ts->stat;
 	spin_lock_irqsave(&task->task_state_lock, flags);
 	if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
@@ -1759,6 +1758,7 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
 	}
 	task->task_state_flags |= SAS_TASK_STATE_DONE;
 	spin_unlock_irqrestore(&task->task_state_lock, flags);
+	hisi_sas_slot_task_free(hisi_hba, task, slot);
 
 	if (!is_internal && (task->task_proto != SAS_PROTOCOL_SMP)) {
 		spin_lock_irqsave(&device->done_lock, flags);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 057/306] RDMA/bnxt_re: Avoid NULL check after accessing the pointer
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 056/306] scsi: hisi_sas: Free slot later in slot_complete_vx_hw() Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 058/306] RDMA/bnxt_re: Fix qp async event reporting Greg Kroah-Hartman
                   ` (252 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Selvin Xavier,
	Jason Gunthorpe, Sasha Levin

From: Selvin Xavier <selvin.xavier@broadcom.com>

[ Upstream commit eae4ad1b0c9a77ef0cbac212d58d46976eaacfc1 ]

This is reported by smatch check.  rcfw->creq_bar_reg_iomem is accessed in
bnxt_qplib_rcfw_stop_irq and this variable check afterwards doesn't make
sense.  Also, rcfw->creq_bar_reg_iomem will never be NULL.  So Removing
this check.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 6e04b1035689 ("RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes")
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
index 6637df77d2365..8b3b5fdc19bbb 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
@@ -614,13 +614,8 @@ void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw)
 
 	bnxt_qplib_rcfw_stop_irq(rcfw, true);
 
-	if (rcfw->cmdq_bar_reg_iomem)
-		iounmap(rcfw->cmdq_bar_reg_iomem);
-	rcfw->cmdq_bar_reg_iomem = NULL;
-
-	if (rcfw->creq_bar_reg_iomem)
-		iounmap(rcfw->creq_bar_reg_iomem);
-	rcfw->creq_bar_reg_iomem = NULL;
+	iounmap(rcfw->cmdq_bar_reg_iomem);
+	iounmap(rcfw->creq_bar_reg_iomem);
 
 	indx = find_first_bit(rcfw->cmdq_bitmap, rcfw->bmap_size);
 	if (indx != rcfw->bmap_size)
@@ -629,6 +624,8 @@ void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw)
 	kfree(rcfw->cmdq_bitmap);
 	rcfw->bmap_size = 0;
 
+	rcfw->cmdq_bar_reg_iomem = NULL;
+	rcfw->creq_bar_reg_iomem = NULL;
 	rcfw->aeq_handler = NULL;
 	rcfw->vector = 0;
 }
@@ -714,6 +711,8 @@ int bnxt_qplib_enable_rcfw_channel(struct pci_dev *pdev,
 		dev_err(&rcfw->pdev->dev,
 			"QPLIB: CREQ BAR region %d mapping failed",
 			rcfw->creq_bar_reg);
+		iounmap(rcfw->cmdq_bar_reg_iomem);
+		rcfw->cmdq_bar_reg_iomem = NULL;
 		return -ENOMEM;
 	}
 	rcfw->creq_qp_event_processed = 0;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 058/306] RDMA/bnxt_re: Fix qp async event reporting
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 057/306] RDMA/bnxt_re: Avoid NULL check after accessing the pointer Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 059/306] RDMA/bnxt_re: Avoid resource leak in case the NQ registration fails Greg Kroah-Hartman
                   ` (251 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Devesh Sharma, Selvin Xavier,
	Jason Gunthorpe, Sasha Levin

From: Devesh Sharma <devesh.sharma@broadcom.com>

[ Upstream commit 4c01f2e3a906a0d2d798be5751c331cf501bc129 ]

Reports affiliated async event on the qp-async event channel instead of
global event channel.

Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/bnxt_re/main.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
index 22bd9784fa2ea..7ffad368c5fa1 100644
--- a/drivers/infiniband/hw/bnxt_re/main.c
+++ b/drivers/infiniband/hw/bnxt_re/main.c
@@ -989,12 +989,17 @@ static void bnxt_re_dispatch_event(struct ib_device *ibdev, struct ib_qp *qp,
 	struct ib_event ib_event;
 
 	ib_event.device = ibdev;
-	if (qp)
+	if (qp) {
 		ib_event.element.qp = qp;
-	else
+		ib_event.event = event;
+		if (qp->event_handler)
+			qp->event_handler(&ib_event, qp->qp_context);
+
+	} else {
 		ib_event.element.port_num = port_num;
-	ib_event.event = event;
-	ib_dispatch_event(&ib_event);
+		ib_event.event = event;
+		ib_dispatch_event(&ib_event);
+	}
 }
 
 #define HWRM_QUEUE_PRI2COS_QCFG_INPUT_FLAGS_IVLAN      0x02
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 059/306] RDMA/bnxt_re: Avoid resource leak in case the NQ registration fails
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 058/306] RDMA/bnxt_re: Fix qp async event reporting Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 060/306] pinctrl: sunxi: Fix a memory leak in sunxi_pinctrl_build_state() Greg Kroah-Hartman
                   ` (250 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvin Xavier, Jason Gunthorpe, Sasha Levin

From: Selvin Xavier <selvin.xavier@broadcom.com>

[ Upstream commit 5df950994934814a8b91f0cf9f653842d2ba082d ]

In case the NQ alloc/enable fails, free up the already allocated/enabled
NQ before reporting failure. Also, track the alloc/enable using proper
state checking.

Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/bnxt_re/bnxt_re.h |  2 ++
 drivers/infiniband/hw/bnxt_re/main.c    | 31 ++++++++++++++++++-------
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/drivers/infiniband/hw/bnxt_re/bnxt_re.h b/drivers/infiniband/hw/bnxt_re/bnxt_re.h
index 96f76896488da..802942adea8e8 100644
--- a/drivers/infiniband/hw/bnxt_re/bnxt_re.h
+++ b/drivers/infiniband/hw/bnxt_re/bnxt_re.h
@@ -120,6 +120,8 @@ struct bnxt_re_dev {
 #define BNXT_RE_FLAG_HAVE_L2_REF		3
 #define BNXT_RE_FLAG_RCFW_CHANNEL_EN		4
 #define BNXT_RE_FLAG_QOS_WORK_REG		5
+#define BNXT_RE_FLAG_RESOURCES_ALLOCATED	7
+#define BNXT_RE_FLAG_RESOURCES_INITIALIZED	8
 #define BNXT_RE_FLAG_ISSUE_ROCE_STATS          29
 	struct net_device		*netdev;
 	unsigned int			version, major, minor;
diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
index 7ffad368c5fa1..589b0d4677d52 100644
--- a/drivers/infiniband/hw/bnxt_re/main.c
+++ b/drivers/infiniband/hw/bnxt_re/main.c
@@ -864,10 +864,8 @@ static void bnxt_re_cleanup_res(struct bnxt_re_dev *rdev)
 {
 	int i;
 
-	if (rdev->nq[0].hwq.max_elements) {
-		for (i = 1; i < rdev->num_msix; i++)
-			bnxt_qplib_disable_nq(&rdev->nq[i - 1]);
-	}
+	for (i = 1; i < rdev->num_msix; i++)
+		bnxt_qplib_disable_nq(&rdev->nq[i - 1]);
 
 	if (rdev->qplib_res.rcfw)
 		bnxt_qplib_cleanup_res(&rdev->qplib_res);
@@ -876,6 +874,7 @@ static void bnxt_re_cleanup_res(struct bnxt_re_dev *rdev)
 static int bnxt_re_init_res(struct bnxt_re_dev *rdev)
 {
 	int rc = 0, i;
+	int num_vec_enabled = 0;
 
 	bnxt_qplib_init_res(&rdev->qplib_res);
 
@@ -891,9 +890,13 @@ static int bnxt_re_init_res(struct bnxt_re_dev *rdev)
 				"Failed to enable NQ with rc = 0x%x", rc);
 			goto fail;
 		}
+		num_vec_enabled++;
 	}
 	return 0;
 fail:
+	for (i = num_vec_enabled; i >= 0; i--)
+		bnxt_qplib_disable_nq(&rdev->nq[i]);
+
 	return rc;
 }
 
@@ -925,6 +928,7 @@ static void bnxt_re_free_res(struct bnxt_re_dev *rdev)
 static int bnxt_re_alloc_res(struct bnxt_re_dev *rdev)
 {
 	int rc = 0, i;
+	int num_vec_created = 0;
 
 	/* Configure and allocate resources for qplib */
 	rdev->qplib_res.rcfw = &rdev->rcfw;
@@ -951,7 +955,7 @@ static int bnxt_re_alloc_res(struct bnxt_re_dev *rdev)
 		if (rc) {
 			dev_err(rdev_to_dev(rdev), "Alloc Failed NQ%d rc:%#x",
 				i, rc);
-			goto dealloc_dpi;
+			goto free_nq;
 		}
 		rc = bnxt_re_net_ring_alloc
 			(rdev, rdev->nq[i].hwq.pbl[PBL_LVL_0].pg_map_arr,
@@ -964,14 +968,17 @@ static int bnxt_re_alloc_res(struct bnxt_re_dev *rdev)
 			dev_err(rdev_to_dev(rdev),
 				"Failed to allocate NQ fw id with rc = 0x%x",
 				rc);
+			bnxt_qplib_free_nq(&rdev->nq[i]);
 			goto free_nq;
 		}
+		num_vec_created++;
 	}
 	return 0;
 free_nq:
-	for (i = 0; i < rdev->num_msix - 1; i++)
+	for (i = num_vec_created; i >= 0; i--) {
+		bnxt_re_net_ring_free(rdev, rdev->nq[i].ring_id);
 		bnxt_qplib_free_nq(&rdev->nq[i]);
-dealloc_dpi:
+	}
 	bnxt_qplib_dealloc_dpi(&rdev->qplib_res,
 			       &rdev->qplib_res.dpi_tbl,
 			       &rdev->dpi_privileged);
@@ -1206,8 +1213,11 @@ static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev)
 	if (test_and_clear_bit(BNXT_RE_FLAG_QOS_WORK_REG, &rdev->flags))
 		cancel_delayed_work(&rdev->worker);
 
-	bnxt_re_cleanup_res(rdev);
-	bnxt_re_free_res(rdev);
+	if (test_and_clear_bit(BNXT_RE_FLAG_RESOURCES_INITIALIZED,
+			       &rdev->flags))
+		bnxt_re_cleanup_res(rdev);
+	if (test_and_clear_bit(BNXT_RE_FLAG_RESOURCES_ALLOCATED, &rdev->flags))
+		bnxt_re_free_res(rdev);
 
 	if (test_and_clear_bit(BNXT_RE_FLAG_RCFW_CHANNEL_EN, &rdev->flags)) {
 		rc = bnxt_qplib_deinit_rcfw(&rdev->rcfw);
@@ -1337,12 +1347,15 @@ static int bnxt_re_ib_reg(struct bnxt_re_dev *rdev)
 		pr_err("Failed to allocate resources: %#x\n", rc);
 		goto fail;
 	}
+	set_bit(BNXT_RE_FLAG_RESOURCES_ALLOCATED, &rdev->flags);
 	rc = bnxt_re_init_res(rdev);
 	if (rc) {
 		pr_err("Failed to initialize resources: %#x\n", rc);
 		goto fail;
 	}
 
+	set_bit(BNXT_RE_FLAG_RESOURCES_INITIALIZED, &rdev->flags);
+
 	if (!rdev->is_virtfn) {
 		rc = bnxt_re_setup_qos(rdev);
 		if (rc)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 060/306] pinctrl: sunxi: Fix a memory leak in sunxi_pinctrl_build_state()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 059/306] RDMA/bnxt_re: Avoid resource leak in case the NQ registration fails Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 061/306] pwm: lpss: Only set update bit if we are actually changing the settings Greg Kroah-Hartman
                   ` (249 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Maxime Ripard,
	Linus Walleij, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit a93a676b079144009f55fff2ab0e34c3b7258c8a ]

If 'krealloc()' fails, 'pctl->functions' is set to NULL.
We should instead use a temp variable in order to be able to free the
previously allocated memeory, in case of OOM.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
index 26ebedc1f6d31..61aaaf58c5993 100644
--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
@@ -1042,6 +1042,7 @@ static int sunxi_pinctrl_add_function(struct sunxi_pinctrl *pctl,
 static int sunxi_pinctrl_build_state(struct platform_device *pdev)
 {
 	struct sunxi_pinctrl *pctl = platform_get_drvdata(pdev);
+	void *ptr;
 	int i;
 
 	/*
@@ -1108,13 +1109,15 @@ static int sunxi_pinctrl_build_state(struct platform_device *pdev)
 	}
 
 	/* And now allocated and fill the array for real */
-	pctl->functions = krealloc(pctl->functions,
-				   pctl->nfunctions * sizeof(*pctl->functions),
-				   GFP_KERNEL);
-	if (!pctl->functions) {
+	ptr = krealloc(pctl->functions,
+		       pctl->nfunctions * sizeof(*pctl->functions),
+		       GFP_KERNEL);
+	if (!ptr) {
 		kfree(pctl->functions);
+		pctl->functions = NULL;
 		return -ENOMEM;
 	}
+	pctl->functions = ptr;
 
 	for (i = 0; i < pctl->desc->npins; i++) {
 		const struct sunxi_desc_pin *pin = pctl->desc->pins + i;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 061/306] pwm: lpss: Only set update bit if we are actually changing the settings
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 060/306] pinctrl: sunxi: Fix a memory leak in sunxi_pinctrl_build_state() Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 062/306] amiflop: clean up on errors during setup Greg Kroah-Hartman
                   ` (248 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Thierry Reding, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 2153bbc12f77fb2203276befc0f0dddbfb023bb1 ]

According to the datasheet the update bit must be set if the on-time-div
or the base-unit changes.

Now that we properly order device resume on Cherry Trail so that the GFX0
_PS0 method no longer exits with an error, we end up with a sequence of
events where we are writing the same values twice in a row.

First the _PS0 method restores the duty cycle of 0% the GPU driver set
on suspend and then the GPU driver first updates just the enabled bit in
the pwm_state from 0 to 1, causing us to write the same values again,
before restoring the pre-suspend duty-cycle in a separate pwm_apply call.

When writing the update bit the second time, without changing any of
the values the update bit clears immediately / instantly, instead of
staying 1 for a while as usual. After this the next setting of the update
bit seems to be ignored, causing the restoring of the pre-suspend
duty-cycle to not get applied. This makes the backlight come up with
a 0% dutycycle after suspend/resume.

Any further brightness changes after this do work.

This commit moves the setting of the update bit into pwm_lpss_prepare()
and only sets the bit if we have actually changed any of the values.

This avoids the setting of the update bit the second time we configure
the PWM to 0% dutycycle, this fixes the backlight coming up with 0%
duty-cycle after a suspend/resume.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pwm/pwm-lpss.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c
index 4721a264bac25..1e69c1c9ec096 100644
--- a/drivers/pwm/pwm-lpss.c
+++ b/drivers/pwm/pwm-lpss.c
@@ -97,7 +97,7 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
 	unsigned long long on_time_div;
 	unsigned long c = lpwm->info->clk_rate, base_unit_range;
 	unsigned long long base_unit, freq = NSEC_PER_SEC;
-	u32 ctrl;
+	u32 orig_ctrl, ctrl;
 
 	do_div(freq, period_ns);
 
@@ -114,13 +114,17 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
 	do_div(on_time_div, period_ns);
 	on_time_div = 255ULL - on_time_div;
 
-	ctrl = pwm_lpss_read(pwm);
+	orig_ctrl = ctrl = pwm_lpss_read(pwm);
 	ctrl &= ~PWM_ON_TIME_DIV_MASK;
 	ctrl &= ~(base_unit_range << PWM_BASE_UNIT_SHIFT);
 	base_unit &= base_unit_range;
 	ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT;
 	ctrl |= on_time_div;
-	pwm_lpss_write(pwm, ctrl);
+
+	if (orig_ctrl != ctrl) {
+		pwm_lpss_write(pwm, ctrl);
+		pwm_lpss_write(pwm, ctrl | PWM_SW_UPDATE);
+	}
 }
 
 static inline void pwm_lpss_cond_enable(struct pwm_device *pwm, bool cond)
@@ -144,7 +148,6 @@ static int pwm_lpss_apply(struct pwm_chip *chip, struct pwm_device *pwm,
 				return ret;
 			}
 			pwm_lpss_prepare(lpwm, pwm, state->duty_cycle, state->period);
-			pwm_lpss_write(pwm, pwm_lpss_read(pwm) | PWM_SW_UPDATE);
 			pwm_lpss_cond_enable(pwm, lpwm->info->bypass == false);
 			ret = pwm_lpss_wait_for_update(pwm);
 			if (ret) {
@@ -157,7 +160,6 @@ static int pwm_lpss_apply(struct pwm_chip *chip, struct pwm_device *pwm,
 			if (ret)
 				return ret;
 			pwm_lpss_prepare(lpwm, pwm, state->duty_cycle, state->period);
-			pwm_lpss_write(pwm, pwm_lpss_read(pwm) | PWM_SW_UPDATE);
 			return pwm_lpss_wait_for_update(pwm);
 		}
 	} else if (pwm_is_enabled(pwm)) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 062/306] amiflop: clean up on errors during setup
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 061/306] pwm: lpss: Only set update bit if we are actually changing the settings Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 063/306] qed: Align local and global PTT to propagate through the APIs Greg Kroah-Hartman
                   ` (247 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Omar Sandoval, Jens Axboe, Sasha Levin

From: Omar Sandoval <osandov@fb.com>

[ Upstream commit 53d0f8dbde89cf6c862c7a62e00c6123e02cba41 ]

The error handling in fd_probe_drives() doesn't clean up at all. Fix it
up in preparation for converting to blk-mq. While we're here, get rid of
the commented out amiga_floppy_remove().

Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/amiflop.c | 84 ++++++++++++++++++++---------------------
 1 file changed, 40 insertions(+), 44 deletions(-)

diff --git a/drivers/block/amiflop.c b/drivers/block/amiflop.c
index 3aaf6af3ec23d..2158e130744e0 100644
--- a/drivers/block/amiflop.c
+++ b/drivers/block/amiflop.c
@@ -1701,11 +1701,41 @@ static const struct block_device_operations floppy_fops = {
 	.check_events	= amiga_check_events,
 };
 
+static struct gendisk *fd_alloc_disk(int drive)
+{
+	struct gendisk *disk;
+
+	disk = alloc_disk(1);
+	if (!disk)
+		goto out;
+
+	disk->queue = blk_init_queue(do_fd_request, &amiflop_lock);
+	if (IS_ERR(disk->queue)) {
+		disk->queue = NULL;
+		goto out_put_disk;
+	}
+
+	unit[drive].trackbuf = kmalloc(FLOPPY_MAX_SECTORS * 512, GFP_KERNEL);
+	if (!unit[drive].trackbuf)
+		goto out_cleanup_queue;
+
+	return disk;
+
+out_cleanup_queue:
+	blk_cleanup_queue(disk->queue);
+	disk->queue = NULL;
+out_put_disk:
+	put_disk(disk);
+out:
+	unit[drive].type->code = FD_NODRIVE;
+	return NULL;
+}
+
 static int __init fd_probe_drives(void)
 {
 	int drive,drives,nomem;
 
-	printk(KERN_INFO "FD: probing units\nfound ");
+	pr_info("FD: probing units\nfound");
 	drives=0;
 	nomem=0;
 	for(drive=0;drive<FD_MAX_UNITS;drive++) {
@@ -1713,27 +1743,17 @@ static int __init fd_probe_drives(void)
 		fd_probe(drive);
 		if (unit[drive].type->code == FD_NODRIVE)
 			continue;
-		disk = alloc_disk(1);
+
+		disk = fd_alloc_disk(drive);
 		if (!disk) {
-			unit[drive].type->code = FD_NODRIVE;
+			pr_cont(" no mem for fd%d", drive);
+			nomem = 1;
 			continue;
 		}
 		unit[drive].gendisk = disk;
-
-		disk->queue = blk_init_queue(do_fd_request, &amiflop_lock);
-		if (!disk->queue) {
-			unit[drive].type->code = FD_NODRIVE;
-			continue;
-		}
-
 		drives++;
-		if ((unit[drive].trackbuf = kmalloc(FLOPPY_MAX_SECTORS * 512, GFP_KERNEL)) == NULL) {
-			printk("no mem for ");
-			unit[drive].type = &drive_types[num_dr_types - 1]; /* FD_NODRIVE */
-			drives--;
-			nomem = 1;
-		}
-		printk("fd%d ",drive);
+
+		pr_cont(" fd%d",drive);
 		disk->major = FLOPPY_MAJOR;
 		disk->first_minor = drive;
 		disk->fops = &floppy_fops;
@@ -1744,11 +1764,11 @@ static int __init fd_probe_drives(void)
 	}
 	if ((drives > 0) || (nomem == 0)) {
 		if (drives == 0)
-			printk("no drives");
-		printk("\n");
+			pr_cont(" no drives");
+		pr_cont("\n");
 		return drives;
 	}
-	printk("\n");
+	pr_cont("\n");
 	return -ENOMEM;
 }
  
@@ -1831,30 +1851,6 @@ static int __init amiga_floppy_probe(struct platform_device *pdev)
 	return ret;
 }
 
-#if 0 /* not safe to unload */
-static int __exit amiga_floppy_remove(struct platform_device *pdev)
-{
-	int i;
-
-	for( i = 0; i < FD_MAX_UNITS; i++) {
-		if (unit[i].type->code != FD_NODRIVE) {
-			struct request_queue *q = unit[i].gendisk->queue;
-			del_gendisk(unit[i].gendisk);
-			put_disk(unit[i].gendisk);
-			kfree(unit[i].trackbuf);
-			if (q)
-				blk_cleanup_queue(q);
-		}
-	}
-	blk_unregister_region(MKDEV(FLOPPY_MAJOR, 0), 256);
-	free_irq(IRQ_AMIGA_CIAA_TB, NULL);
-	free_irq(IRQ_AMIGA_DSKBLK, NULL);
-	custom.dmacon = DMAF_DISK; /* disable DMA */
-	amiga_chip_free(raw_buf);
-	unregister_blkdev(FLOPPY_MAJOR, "fd");
-}
-#endif
-
 static struct platform_driver amiga_floppy_driver = {
 	.driver   = {
 		.name	= "amiga-floppy",
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 063/306] qed: Align local and global PTT to propagate through the APIs.
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 062/306] amiflop: clean up on errors during setup Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 064/306] scsi: ips: fix missing break in switch Greg Kroah-Hartman
                   ` (246 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rahul Verma, Ariel Elior,
	David S. Miller, Sasha Levin

From: Rahul Verma <Rahul.Verma@cavium.com>

[ Upstream commit 706d08913d1f68610c32b4a001026aa989878dd9 ]

    Align the use of local PTT to propagate through the qed_mcp* API's.
    Global ptt should not be used.

    Register access should be done through layers. Register address is
    mapped into a PTT, PF translation table. Several interface functions
    require a PTT to direct read/write into register. There is a pool of
    PTT maintained, and several PTT are used simultaneously to access
    device registers in different flows. Same PTT should not be used in
    flows that can run concurrently.
    To avoid running out of PTT resources, too many PTT should not be
    acquired without releasing them. Every PF has a global PTT, which is
    used throughout the life of PF, in most important flows for register
    access. Generic functions acquire the PTT locally and release after
    the use. This patch aligns the use of Global PTT and Local PTT
    accordingly.

Signed-off-by: Rahul Verma <rahul.verma@cavium.com>
Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed.h      |  2 +-
 drivers/net/ethernet/qlogic/qed/qed_main.c | 22 ++++++++++++++----
 drivers/net/ethernet/qlogic/qed/qed_mcp.c  | 27 ++++++++++------------
 drivers/net/ethernet/qlogic/qed/qed_mcp.h  |  5 ++--
 drivers/net/ethernet/qlogic/qed/qed_vf.c   |  2 +-
 5 files changed, 35 insertions(+), 23 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h
index a60e1c8d470a0..32e786a3952b1 100644
--- a/drivers/net/ethernet/qlogic/qed/qed.h
+++ b/drivers/net/ethernet/qlogic/qed/qed.h
@@ -914,7 +914,7 @@ u16 qed_get_cm_pq_idx_llt_mtc(struct qed_hwfn *p_hwfn, u8 tc);
 /* Prototypes */
 int qed_fill_dev_info(struct qed_dev *cdev,
 		      struct qed_dev_info *dev_info);
-void qed_link_update(struct qed_hwfn *hwfn);
+void qed_link_update(struct qed_hwfn *hwfn, struct qed_ptt *ptt);
 u32 qed_unzip_data(struct qed_hwfn *p_hwfn,
 		   u32 input_len, u8 *input_buf,
 		   u32 max_size, u8 *unzip_buf);
diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
index 637687b766ff0..049a83b40e469 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
@@ -1462,6 +1462,7 @@ static int qed_get_link_data(struct qed_hwfn *hwfn,
 }
 
 static void qed_fill_link(struct qed_hwfn *hwfn,
+			  struct qed_ptt *ptt,
 			  struct qed_link_output *if_link)
 {
 	struct qed_mcp_link_params params;
@@ -1542,7 +1543,7 @@ static void qed_fill_link(struct qed_hwfn *hwfn,
 
 	/* TODO - fill duplex properly */
 	if_link->duplex = DUPLEX_FULL;
-	qed_mcp_get_media_type(hwfn->cdev, &media_type);
+	qed_mcp_get_media_type(hwfn, ptt, &media_type);
 	if_link->port = qed_get_port_type(media_type);
 
 	if_link->autoneg = params.speed.autoneg;
@@ -1598,21 +1599,34 @@ static void qed_fill_link(struct qed_hwfn *hwfn,
 static void qed_get_current_link(struct qed_dev *cdev,
 				 struct qed_link_output *if_link)
 {
+	struct qed_hwfn *hwfn;
+	struct qed_ptt *ptt;
 	int i;
 
-	qed_fill_link(&cdev->hwfns[0], if_link);
+	hwfn = &cdev->hwfns[0];
+	if (IS_PF(cdev)) {
+		ptt = qed_ptt_acquire(hwfn);
+		if (ptt) {
+			qed_fill_link(hwfn, ptt, if_link);
+			qed_ptt_release(hwfn, ptt);
+		} else {
+			DP_NOTICE(hwfn, "Failed to fill link; No PTT\n");
+		}
+	} else {
+		qed_fill_link(hwfn, NULL, if_link);
+	}
 
 	for_each_hwfn(cdev, i)
 		qed_inform_vf_link_state(&cdev->hwfns[i]);
 }
 
-void qed_link_update(struct qed_hwfn *hwfn)
+void qed_link_update(struct qed_hwfn *hwfn, struct qed_ptt *ptt)
 {
 	void *cookie = hwfn->cdev->ops_cookie;
 	struct qed_common_cb_ops *op = hwfn->cdev->protocol_ops.common;
 	struct qed_link_output if_link;
 
-	qed_fill_link(hwfn, &if_link);
+	qed_fill_link(hwfn, ptt, &if_link);
 	qed_inform_vf_link_state(hwfn);
 
 	if (IS_LEAD_HWFN(hwfn) && cookie)
diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
index 58c7eb9d8e1b8..938ace333af10 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
@@ -1382,7 +1382,7 @@ static void qed_mcp_handle_link_change(struct qed_hwfn *p_hwfn,
 	if (p_hwfn->mcp_info->capabilities & FW_MB_PARAM_FEATURE_SUPPORT_EEE)
 		qed_mcp_read_eee_config(p_hwfn, p_ptt, p_link);
 
-	qed_link_update(p_hwfn);
+	qed_link_update(p_hwfn, p_ptt);
 out:
 	spin_unlock_bh(&p_hwfn->mcp_info->link_lock);
 }
@@ -1849,12 +1849,10 @@ int qed_mcp_get_mbi_ver(struct qed_hwfn *p_hwfn,
 	return 0;
 }
 
-int qed_mcp_get_media_type(struct qed_dev *cdev, u32 *p_media_type)
+int qed_mcp_get_media_type(struct qed_hwfn *p_hwfn,
+			   struct qed_ptt *p_ptt, u32 *p_media_type)
 {
-	struct qed_hwfn *p_hwfn = &cdev->hwfns[0];
-	struct qed_ptt  *p_ptt;
-
-	if (IS_VF(cdev))
+	if (IS_VF(p_hwfn->cdev))
 		return -EINVAL;
 
 	if (!qed_mcp_is_init(p_hwfn)) {
@@ -1862,16 +1860,15 @@ int qed_mcp_get_media_type(struct qed_dev *cdev, u32 *p_media_type)
 		return -EBUSY;
 	}
 
-	*p_media_type = MEDIA_UNSPECIFIED;
-
-	p_ptt = qed_ptt_acquire(p_hwfn);
-	if (!p_ptt)
-		return -EBUSY;
-
-	*p_media_type = qed_rd(p_hwfn, p_ptt, p_hwfn->mcp_info->port_addr +
-			       offsetof(struct public_port, media_type));
+	if (!p_ptt) {
+		*p_media_type = MEDIA_UNSPECIFIED;
+		return -EINVAL;
+	}
 
-	qed_ptt_release(p_hwfn, p_ptt);
+	*p_media_type = qed_rd(p_hwfn, p_ptt,
+			       p_hwfn->mcp_info->port_addr +
+			       offsetof(struct public_port,
+					media_type));
 
 	return 0;
 }
diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.h b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
index 85e6b3989e7a9..80a6b5d1ff338 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.h
+++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
@@ -322,14 +322,15 @@ int qed_mcp_get_mbi_ver(struct qed_hwfn *p_hwfn,
  * @brief Get media type value of the port.
  *
  * @param cdev      - qed dev pointer
+ * @param p_ptt
  * @param mfw_ver    - media type value
  *
  * @return int -
  *      0 - Operation was successul.
  *      -EBUSY - Operation failed
  */
-int qed_mcp_get_media_type(struct qed_dev      *cdev,
-			   u32                  *media_type);
+int qed_mcp_get_media_type(struct qed_hwfn *p_hwfn,
+			   struct qed_ptt *p_ptt, u32 *media_type);
 
 /**
  * @brief General function for sending commands to the MCP
diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
index 6ab3fb008139d..5dda547772c13 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
@@ -1698,7 +1698,7 @@ static void qed_handle_bulletin_change(struct qed_hwfn *hwfn)
 	ops->ports_update(cookie, vxlan_port, geneve_port);
 
 	/* Always update link configuration according to bulletin */
-	qed_link_update(hwfn);
+	qed_link_update(hwfn, NULL);
 }
 
 void qed_iov_vf_task(struct work_struct *work)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 064/306] scsi: ips: fix missing break in switch
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 063/306] qed: Align local and global PTT to propagate through the APIs Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 065/306] nfp: bpf: protect against mis-initializing atomic counters Greg Kroah-Hartman
                   ` (245 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin K. Petersen,
	Gustavo A. R. Silva, Sasha Levin

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

[ Upstream commit 5d25ff7a544889bc4b749fda31778d6a18dddbcb ]

Add missing break statement in order to prevent the code from falling
through to case TEST_UNIT_READY.

Addresses-Coverity-ID: 1357338 ("Missing break in switch")
Suggested-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ips.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/ips.c b/drivers/scsi/ips.c
index bd6ac6b5980a1..fe587ef1741d4 100644
--- a/drivers/scsi/ips.c
+++ b/drivers/scsi/ips.c
@@ -3485,6 +3485,7 @@ ips_send_cmd(ips_ha_t * ha, ips_scb_t * scb)
 
 		case START_STOP:
 			scb->scsi_cmd->result = DID_OK << 16;
+			break;
 
 		case TEST_UNIT_READY:
 		case INQUIRY:
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 065/306] nfp: bpf: protect against mis-initializing atomic counters
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 064/306] scsi: ips: fix missing break in switch Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 066/306] KVM: nVMX: reset cache/shadows when switching loaded VMCS Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Beckett, Jakub Kicinski,
	Quentin Monnet, Alexei Starovoitov, Sasha Levin

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit 527db74b71ee5a279f818aae51f2c26b4e5c7648 ]

Atomic operations on the NFP are currently always in big endian.
The driver keeps track of regions of memory storing atomic values
and byte swaps them accordingly.  There are corner cases where
the map values may be initialized before the driver knows they
are used as atomic counters.  This can happen either when the
datapath is performing the update and the stack contents are
unknown or when map is updated before the program which will
use it for atomic values is loaded.

To avoid situation where user initializes the value to 0 1 2 3
and then after loading a program which uses the word as an atomic
counter starts reading 3 2 1 0 - only allow atomic counters to be
initialized to endian-neutral values.

For updates from the datapath the stack information may not be
as precise, so just allow initializing such values to 0.

Example code which would break:
struct bpf_map_def SEC("maps") rxcnt = {
       .type = BPF_MAP_TYPE_HASH,
       .key_size = sizeof(__u32),
       .value_size = sizeof(__u64),
       .max_entries = 1,
};

int xdp_prog1()
{
      	__u64 nonzeroval = 3;
	__u32 key = 0;
	__u64 *value;

	value = bpf_map_lookup_elem(&rxcnt, &key);
	if (!value)
		bpf_map_update_elem(&rxcnt, &key, &nonzeroval, BPF_ANY);
	else
		__sync_fetch_and_add(value, 1);

	return XDP_PASS;
}

$ offload bpftool map dump
key: 00 00 00 00 value: 00 00 00 03 00 00 00 00

should be:

$ offload bpftool map dump
key: 00 00 00 00 value: 03 00 00 00 00 00 00 00

Reported-by: David Beckett <david.beckett@netronome.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/netronome/nfp/bpf/main.h |  7 ++-
 .../net/ethernet/netronome/nfp/bpf/offload.c  | 18 +++++-
 .../net/ethernet/netronome/nfp/bpf/verifier.c | 58 +++++++++++++++++--
 3 files changed, 76 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/netronome/nfp/bpf/main.h b/drivers/net/ethernet/netronome/nfp/bpf/main.h
index dbd00982fd2b6..2134045e14c36 100644
--- a/drivers/net/ethernet/netronome/nfp/bpf/main.h
+++ b/drivers/net/ethernet/netronome/nfp/bpf/main.h
@@ -206,6 +206,11 @@ enum nfp_bpf_map_use {
 	NFP_MAP_USE_ATOMIC_CNT,
 };
 
+struct nfp_bpf_map_word {
+	unsigned char type		:4;
+	unsigned char non_zero_update	:1;
+};
+
 /**
  * struct nfp_bpf_map - private per-map data attached to BPF maps for offload
  * @offmap:	pointer to the offloaded BPF map
@@ -219,7 +224,7 @@ struct nfp_bpf_map {
 	struct nfp_app_bpf *bpf;
 	u32 tid;
 	struct list_head l;
-	enum nfp_bpf_map_use use_map[];
+	struct nfp_bpf_map_word use_map[];
 };
 
 struct nfp_bpf_neutral_map {
diff --git a/drivers/net/ethernet/netronome/nfp/bpf/offload.c b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
index 1ccd6371a15b5..6140e4650b71c 100644
--- a/drivers/net/ethernet/netronome/nfp/bpf/offload.c
+++ b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
@@ -299,10 +299,25 @@ static void nfp_map_bpf_byte_swap(struct nfp_bpf_map *nfp_map, void *value)
 	unsigned int i;
 
 	for (i = 0; i < DIV_ROUND_UP(nfp_map->offmap->map.value_size, 4); i++)
-		if (nfp_map->use_map[i] == NFP_MAP_USE_ATOMIC_CNT)
+		if (nfp_map->use_map[i].type == NFP_MAP_USE_ATOMIC_CNT)
 			word[i] = (__force u32)cpu_to_be32(word[i]);
 }
 
+/* Mark value as unsafely initialized in case it becomes atomic later
+ * and we didn't byte swap something non-byte swap neutral.
+ */
+static void
+nfp_map_bpf_byte_swap_record(struct nfp_bpf_map *nfp_map, void *value)
+{
+	u32 *word = value;
+	unsigned int i;
+
+	for (i = 0; i < DIV_ROUND_UP(nfp_map->offmap->map.value_size, 4); i++)
+		if (nfp_map->use_map[i].type == NFP_MAP_UNUSED &&
+		    word[i] != (__force u32)cpu_to_be32(word[i]))
+			nfp_map->use_map[i].non_zero_update = 1;
+}
+
 static int
 nfp_bpf_map_lookup_entry(struct bpf_offloaded_map *offmap,
 			 void *key, void *value)
@@ -322,6 +337,7 @@ nfp_bpf_map_update_entry(struct bpf_offloaded_map *offmap,
 			 void *key, void *value, u64 flags)
 {
 	nfp_map_bpf_byte_swap(offmap->dev_priv, value);
+	nfp_map_bpf_byte_swap_record(offmap->dev_priv, value);
 	return nfp_bpf_ctrl_update_entry(offmap, key, value, flags);
 }
 
diff --git a/drivers/net/ethernet/netronome/nfp/bpf/verifier.c b/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
index a6e9248669e14..db7e186dae56d 100644
--- a/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
+++ b/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
@@ -108,6 +108,46 @@ nfp_record_adjust_head(struct nfp_app_bpf *bpf, struct nfp_prog *nfp_prog,
 	nfp_prog->adjust_head_location = location;
 }
 
+static bool nfp_bpf_map_update_value_ok(struct bpf_verifier_env *env)
+{
+	const struct bpf_reg_state *reg1 = cur_regs(env) + BPF_REG_1;
+	const struct bpf_reg_state *reg3 = cur_regs(env) + BPF_REG_3;
+	struct bpf_offloaded_map *offmap;
+	struct bpf_func_state *state;
+	struct nfp_bpf_map *nfp_map;
+	int off, i;
+
+	state = env->cur_state->frame[reg3->frameno];
+
+	/* We need to record each time update happens with non-zero words,
+	 * in case such word is used in atomic operations.
+	 * Implicitly depend on nfp_bpf_stack_arg_ok(reg3) being run before.
+	 */
+
+	offmap = map_to_offmap(reg1->map_ptr);
+	nfp_map = offmap->dev_priv;
+	off = reg3->off + reg3->var_off.value;
+
+	for (i = 0; i < offmap->map.value_size; i++) {
+		struct bpf_stack_state *stack_entry;
+		unsigned int soff;
+
+		soff = -(off + i) - 1;
+		stack_entry = &state->stack[soff / BPF_REG_SIZE];
+		if (stack_entry->slot_type[soff % BPF_REG_SIZE] == STACK_ZERO)
+			continue;
+
+		if (nfp_map->use_map[i / 4].type == NFP_MAP_USE_ATOMIC_CNT) {
+			pr_vlog(env, "value at offset %d/%d may be non-zero, bpf_map_update_elem() is required to initialize atomic counters to zero to avoid offload endian issues\n",
+				i, soff);
+			return false;
+		}
+		nfp_map->use_map[i / 4].non_zero_update = 1;
+	}
+
+	return true;
+}
+
 static int
 nfp_bpf_stack_arg_ok(const char *fname, struct bpf_verifier_env *env,
 		     const struct bpf_reg_state *reg,
@@ -198,7 +238,8 @@ nfp_bpf_check_call(struct nfp_prog *nfp_prog, struct bpf_verifier_env *env,
 					 bpf->helpers.map_update, reg1) ||
 		    !nfp_bpf_stack_arg_ok("map_update", env, reg2,
 					  meta->func_id ? &meta->arg2 : NULL) ||
-		    !nfp_bpf_stack_arg_ok("map_update", env, reg3, NULL))
+		    !nfp_bpf_stack_arg_ok("map_update", env, reg3, NULL) ||
+		    !nfp_bpf_map_update_value_ok(env))
 			return -EOPNOTSUPP;
 		break;
 
@@ -376,15 +417,22 @@ nfp_bpf_map_mark_used_one(struct bpf_verifier_env *env,
 			  struct nfp_bpf_map *nfp_map,
 			  unsigned int off, enum nfp_bpf_map_use use)
 {
-	if (nfp_map->use_map[off / 4] != NFP_MAP_UNUSED &&
-	    nfp_map->use_map[off / 4] != use) {
+	if (nfp_map->use_map[off / 4].type != NFP_MAP_UNUSED &&
+	    nfp_map->use_map[off / 4].type != use) {
 		pr_vlog(env, "map value use type conflict %s vs %s off: %u\n",
-			nfp_bpf_map_use_name(nfp_map->use_map[off / 4]),
+			nfp_bpf_map_use_name(nfp_map->use_map[off / 4].type),
 			nfp_bpf_map_use_name(use), off);
 		return -EOPNOTSUPP;
 	}
 
-	nfp_map->use_map[off / 4] = use;
+	if (nfp_map->use_map[off / 4].non_zero_update &&
+	    use == NFP_MAP_USE_ATOMIC_CNT) {
+		pr_vlog(env, "atomic counter in map value may already be initialized to non-zero value off: %u\n",
+			off);
+		return -EOPNOTSUPP;
+	}
+
+	nfp_map->use_map[off / 4].type = use;
 
 	return 0;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 066/306] KVM: nVMX: reset cache/shadows when switching loaded VMCS
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 065/306] nfp: bpf: protect against mis-initializing atomic counters Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode() Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jim Mattson, Sean Christopherson,
	Paolo Bonzini, Sasha Levin

From: Sean Christopherson <sean.j.christopherson@intel.com>

[ Upstream commit b7031fd40fcc741b0f9b0c04c8d844e445858b84 ]

Reset the vm_{entry,exit}_controls_shadow variables as well as the
segment cache after loading a new VMCS in vmx_switch_vmcs().  The
shadows/cache track VMCS data, i.e. they're stale every time we
switch to a new VMCS regardless of reason.

This fixes a bug where stale control shadows would be consumed after
a nested VMExit due to a failed consistency check.

Suggested-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/vmx.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1ab4bb3d6a040..fe7fdd666f091 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11013,6 +11013,10 @@ static void vmx_switch_vmcs(struct kvm_vcpu *vcpu, struct loaded_vmcs *vmcs)
 	vmx->loaded_vmcs = vmcs;
 	vmx_vcpu_load(vcpu, cpu);
 	put_cpu();
+
+	vm_entry_controls_reset_shadow(vmx);
+	vm_exit_controls_reset_shadow(vmx);
+	vmx_segment_cache_clear(vmx);
 }
 
 /*
@@ -12699,7 +12703,6 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
 		vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS);
 
 	vmx_switch_vmcs(vcpu, &vmx->nested.vmcs02);
-	vmx_segment_cache_clear(vmx);
 
 	if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING)
 		vcpu->arch.tsc_offset += vmcs12->tsc_offset;
@@ -13530,9 +13533,6 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
 	}
 
 	vmx_switch_vmcs(vcpu, &vmx->vmcs01);
-	vm_entry_controls_reset_shadow(vmx);
-	vm_exit_controls_reset_shadow(vmx);
-	vmx_segment_cache_clear(vmx);
 
 	/* Update any VMCS fields that might have changed while L2 ran */
 	vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, vmx->msr_autoload.host.nr);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 066/306] KVM: nVMX: reset cache/shadows when switching loaded VMCS Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-12-02 14:40   ` Jack Wang
  2019-11-27 20:28 ` [PATCH 4.19 068/306] KVM/x86: Fix invvpid and invept register operand size in 64-bit mode Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Jim Mattson,
	Paolo Bonzini, Sasha Levin

From: Sean Christopherson <sean.j.christopherson@intel.com>

[ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]

In preparation of supporting checkpoint/restore for nested state,
commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
modified check_vmentry_postreqs() to only perform the guest EFER
consistency checks when nested_run_pending is true.  But, in the
normal nested VMEntry flow, nested_run_pending is only set after
check_vmentry_postreqs(), i.e. the consistency check is being skipped.

Alternatively, nested_run_pending could be set prior to calling
check_vmentry_postreqs() in nested_vmx_run(), but placing the
consistency checks in nested_vmx_enter_non_root_mode() allows us
to split prepare_vmcs02() and interleave the preparation with
the consistency checks without having to change the call sites
of nested_vmx_enter_non_root_mode().  In other words, the rest
of the consistency check code in nested_vmx_run() will be joining
the postreqs checks in future patches.

Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Jim Mattson <jmattson@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/vmx.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index fe7fdd666f091..bdf019f322117 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
 	if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
 		evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
 
+	if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
+		return EXIT_REASON_INVALID_STATE;
+
 	enter_guest_mode(vcpu);
 
 	if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
@@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
 	 */
 	skip_emulated_instruction(vcpu);
 
-	ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
-	if (ret) {
-		nested_vmx_entry_failure(vcpu, vmcs12,
-					 EXIT_REASON_INVALID_STATE, exit_qual);
-		return 1;
-	}
-
 	/*
 	 * We're finally done with prerequisite checking, and can start with
 	 * the nested entry.
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 068/306] KVM/x86: Fix invvpid and invept register operand size in 64-bit mode
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode() Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 069/306] clk: tegra: Fixes for MBIST work around Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Uros Bizjak, Paolo Bonzini, Sasha Levin

From: Uros Bizjak <ubizjak@gmail.com>

[ Upstream commit 5ebb272b2ea7e02911a03a893f8d922d49f9bb4a ]

Register operand size of invvpid and invept instruction in 64-bit mode
has always 64 bits. Adjust inline function argument type to reflect
correct size.

Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/vmx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index bdf019f322117..0b7559bf15ea7 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2079,7 +2079,7 @@ static int __find_msr_index(struct vcpu_vmx *vmx, u32 msr)
 	return -1;
 }
 
-static inline void __invvpid(int ext, u16 vpid, gva_t gva)
+static inline void __invvpid(unsigned long ext, u16 vpid, gva_t gva)
 {
     struct {
 	u64 vpid : 16;
@@ -2094,7 +2094,7 @@ static inline void __invvpid(int ext, u16 vpid, gva_t gva)
     BUG_ON(error);
 }
 
-static inline void __invept(int ext, u64 eptp, gpa_t gpa)
+static inline void __invept(unsigned long ext, u64 eptp, gpa_t gpa)
 {
 	struct {
 		u64 eptp, gpa;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 069/306] clk: tegra: Fixes for MBIST work around
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 068/306] KVM/x86: Fix invvpid and invept register operand size in 64-bit mode Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 070/306] scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler Greg Kroah-Hartman
                   ` (240 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joseph Lo, Peter De Schrijver,
	Jon Hunter, Stephen Boyd, Sasha Levin

From: Joseph Lo <josephl@nvidia.com>

[ Upstream commit a4dbbceeee3e0ba670875a147237d6566de78840 ]

Fix some incorrect data in LVL2 offset and bit mask.

Fixes: e403d0057343 ("clk: tegra: MBIST work around for Tegra210")
Signed-off-by: Joseph Lo <josephl@nvidia.com>
Signed-off-by: Peter De Schrijver <pdeschrijver@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/tegra/clk-tegra210.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
index 080bfa24863ee..7264e97310348 100644
--- a/drivers/clk/tegra/clk-tegra210.c
+++ b/drivers/clk/tegra/clk-tegra210.c
@@ -2603,7 +2603,7 @@ static struct tegra210_domain_mbist_war tegra210_pg_mbist_war[] = {
 	[TEGRA_POWERGATE_MPE] = {
 		.handle_lvl2_ovr = tegra210_generic_mbist_war,
 		.lvl2_offset = LVL2_CLK_GATE_OVRE,
-		.lvl2_mask = BIT(2),
+		.lvl2_mask = BIT(29),
 	},
 	[TEGRA_POWERGATE_SOR] = {
 		.handle_lvl2_ovr = tegra210_generic_mbist_war,
@@ -2654,14 +2654,14 @@ static struct tegra210_domain_mbist_war tegra210_pg_mbist_war[] = {
 		.num_clks = ARRAY_SIZE(nvdec_slcg_clkids),
 		.clk_init_data = nvdec_slcg_clkids,
 		.handle_lvl2_ovr = tegra210_generic_mbist_war,
-		.lvl2_offset = LVL2_CLK_GATE_OVRC,
+		.lvl2_offset = LVL2_CLK_GATE_OVRE,
 		.lvl2_mask = BIT(9) | BIT(31),
 	},
 	[TEGRA_POWERGATE_NVJPG] = {
 		.num_clks = ARRAY_SIZE(nvjpg_slcg_clkids),
 		.clk_init_data = nvjpg_slcg_clkids,
 		.handle_lvl2_ovr = tegra210_generic_mbist_war,
-		.lvl2_offset = LVL2_CLK_GATE_OVRC,
+		.lvl2_offset = LVL2_CLK_GATE_OVRE,
 		.lvl2_mask = BIT(9) | BIT(31),
 	},
 	[TEGRA_POWERGATE_AUD] = {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 070/306] scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 069/306] clk: tegra: Fixes for MBIST work around Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 071/306] scsi: isci: Change sci_controller_start_tasks return type to sci_status Greg Kroah-Hartman
                   ` (239 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor,
	Martin K. Petersen, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit e9e9a103528c7e199ead6e5374c9c52cf16b5802 ]

Clang warns when one enumerated type is implicitly converted to another.

drivers/scsi/isci/request.c:1629:13: warning: implicit conversion from
enumeration type 'enum sci_io_status' to different enumeration type
'enum sci_status' [-Wenum-conversion]
                        status = SCI_IO_FAILURE_RESPONSE_VALID;
                               ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/isci/request.c:1631:12: warning: implicit conversion from
enumeration type 'enum sci_io_status' to different enumeration type
'enum sci_status' [-Wenum-conversion]
                status = SCI_IO_FAILURE_RESPONSE_VALID;
                       ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

status is of type sci_status but SCI_IO_FAILURE_RESPONSE_VALID is of
type sci_io_status. Use SCI_FAILURE_IO_RESPONSE_VALID, which is from
sci_status and has SCI_IO_FAILURE_RESPONSE_VALID's exact value since
that is what SCI_IO_FAILURE_RESPONSE_VALID is mapped to in the isci.h
file.

Link: https://github.com/ClangBuiltLinux/linux/issues/153
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/isci/request.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
index ed197bc8e801a..2f151708b59ae 100644
--- a/drivers/scsi/isci/request.c
+++ b/drivers/scsi/isci/request.c
@@ -1626,9 +1626,9 @@ static enum sci_status atapi_d2h_reg_frame_handler(struct isci_request *ireq,
 
 	if (status == SCI_SUCCESS) {
 		if (ireq->stp.rsp.status & ATA_ERR)
-			status = SCI_IO_FAILURE_RESPONSE_VALID;
+			status = SCI_FAILURE_IO_RESPONSE_VALID;
 	} else {
-		status = SCI_IO_FAILURE_RESPONSE_VALID;
+		status = SCI_FAILURE_IO_RESPONSE_VALID;
 	}
 
 	if (status != SCI_SUCCESS) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 071/306] scsi: isci: Change sci_controller_start_tasks return type to sci_status
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 070/306] scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 072/306] scsi: bfa: Avoid implicit enum conversion in bfad_im_post_vendor_event Greg Kroah-Hartman
                   ` (238 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor,
	Martin K. Petersen, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 362b5da3dfceada6e74ecdd7af3991bbe42c0c0f ]

Clang warns when an enumerated type is implicitly converted to another.

drivers/scsi/isci/request.c:3476:13: warning: implicit conversion from
enumeration type 'enum sci_task_status' to different enumeration type
'enum sci_status' [-Wenum-conversion]
                        status = sci_controller_start_task(ihost,
                               ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/isci/host.c:2744:10: warning: implicit conversion from
enumeration type 'enum sci_status' to different enumeration type 'enum
sci_task_status' [-Wenum-conversion]
                return SCI_SUCCESS;
                ~~~~~~ ^~~~~~~~~~~
drivers/scsi/isci/host.c:2753:9: warning: implicit conversion from
enumeration type 'enum sci_status' to different enumeration type 'enum
sci_task_status' [-Wenum-conversion]
        return status;
        ~~~~~~ ^~~~~~

Avoid all of these implicit conversion by just making
sci_controller_start_task use sci_status. This silences
Clang and has no functional change since sci_task_status
has all of its values mapped to something in sci_status.

Link: https://github.com/ClangBuiltLinux/linux/issues/153
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/isci/host.c | 8 ++++----
 drivers/scsi/isci/host.h | 2 +-
 drivers/scsi/isci/task.c | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/scsi/isci/host.c b/drivers/scsi/isci/host.c
index 1ee3868ade079..7b5deae68d33b 100644
--- a/drivers/scsi/isci/host.c
+++ b/drivers/scsi/isci/host.c
@@ -2717,9 +2717,9 @@ enum sci_status sci_controller_continue_io(struct isci_request *ireq)
  *    the task management request.
  * @task_request: the handle to the task request object to start.
  */
-enum sci_task_status sci_controller_start_task(struct isci_host *ihost,
-					       struct isci_remote_device *idev,
-					       struct isci_request *ireq)
+enum sci_status sci_controller_start_task(struct isci_host *ihost,
+					  struct isci_remote_device *idev,
+					  struct isci_request *ireq)
 {
 	enum sci_status status;
 
@@ -2728,7 +2728,7 @@ enum sci_task_status sci_controller_start_task(struct isci_host *ihost,
 			 "%s: SCIC Controller starting task from invalid "
 			 "state\n",
 			 __func__);
-		return SCI_TASK_FAILURE_INVALID_STATE;
+		return SCI_FAILURE_INVALID_STATE;
 	}
 
 	status = sci_remote_device_start_task(ihost, idev, ireq);
diff --git a/drivers/scsi/isci/host.h b/drivers/scsi/isci/host.h
index b3539928073c6..6bc3f022630a2 100644
--- a/drivers/scsi/isci/host.h
+++ b/drivers/scsi/isci/host.h
@@ -489,7 +489,7 @@ enum sci_status sci_controller_start_io(
 	struct isci_remote_device *idev,
 	struct isci_request *ireq);
 
-enum sci_task_status sci_controller_start_task(
+enum sci_status sci_controller_start_task(
 	struct isci_host *ihost,
 	struct isci_remote_device *idev,
 	struct isci_request *ireq);
diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c
index 6dcaed0c1fc8c..fb6eba331ac6e 100644
--- a/drivers/scsi/isci/task.c
+++ b/drivers/scsi/isci/task.c
@@ -258,7 +258,7 @@ static int isci_task_execute_tmf(struct isci_host *ihost,
 				 struct isci_tmf *tmf, unsigned long timeout_ms)
 {
 	DECLARE_COMPLETION_ONSTACK(completion);
-	enum sci_task_status status = SCI_TASK_FAILURE;
+	enum sci_status status = SCI_FAILURE;
 	struct isci_request *ireq;
 	int ret = TMF_RESP_FUNC_FAILED;
 	unsigned long flags;
@@ -301,7 +301,7 @@ static int isci_task_execute_tmf(struct isci_host *ihost,
 	/* start the TMF io. */
 	status = sci_controller_start_task(ihost, idev, ireq);
 
-	if (status != SCI_TASK_SUCCESS) {
+	if (status != SCI_SUCCESS) {
 		dev_dbg(&ihost->pdev->dev,
 			 "%s: start_io failed - status = 0x%x, request = %p\n",
 			 __func__,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 072/306] scsi: bfa: Avoid implicit enum conversion in bfad_im_post_vendor_event
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 071/306] scsi: isci: Change sci_controller_start_tasks return type to sci_status Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 073/306] scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param Greg Kroah-Hartman
                   ` (237 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers,
	Martin K. Petersen, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 761c830ec7b3d0674b3ad89cefd77a692634e305 ]

Clang warns when one enumerated type is implicitly converted to another.

drivers/scsi/bfa/bfa_fcs_lport.c:379:26: warning: implicit conversion
from enumeration type 'enum bfa_lport_aen_event' to different
enumeration type 'enum bfa_ioc_aen_event' [-Wenum-conversion]
                                  BFA_AEN_CAT_LPORT, event);
                                                     ^~~~~

The root cause of these warnings is the bfad_im_post_vendor_event
function, which expects a value from enum bfa_ioc_aen_event but there
are multiple instances of values from enums bfa_port_aen_event,
bfa_audit_aen_event, and bfa_lport_aen_event being used in this
function.

Given that this doesn't appear to be a problem since cat helps with
differentiating the events, just change evt's type to int so that no
conversion needs to happen and Clang won't warn. Update aen_type's type
in bfa_aen_entry_s as members that hold enumerated types should be int.

Link: https://github.com/ClangBuiltLinux/linux/issues/147
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/bfa/bfa_defs_svc.h | 2 +-
 drivers/scsi/bfa/bfad_im.h      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/bfa/bfa_defs_svc.h b/drivers/scsi/bfa/bfa_defs_svc.h
index 3d0c96a5c8735..c19c26e0e405e 100644
--- a/drivers/scsi/bfa/bfa_defs_svc.h
+++ b/drivers/scsi/bfa/bfa_defs_svc.h
@@ -1453,7 +1453,7 @@ union bfa_aen_data_u {
 struct bfa_aen_entry_s {
 	struct list_head	qe;
 	enum bfa_aen_category   aen_category;
-	u32                     aen_type;
+	int                     aen_type;
 	union bfa_aen_data_u    aen_data;
 	u64			aen_tv_sec;
 	u64			aen_tv_usec;
diff --git a/drivers/scsi/bfa/bfad_im.h b/drivers/scsi/bfa/bfad_im.h
index e61ed8dad0b4f..bd4ac187fd8e7 100644
--- a/drivers/scsi/bfa/bfad_im.h
+++ b/drivers/scsi/bfa/bfad_im.h
@@ -143,7 +143,7 @@ struct bfad_im_s {
 static inline void bfad_im_post_vendor_event(struct bfa_aen_entry_s *entry,
 					     struct bfad_s *drv, int cnt,
 					     enum bfa_aen_category cat,
-					     enum bfa_ioc_aen_event evt)
+					     int evt)
 {
 	struct timespec64 ts;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 073/306] scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 072/306] scsi: bfa: Avoid implicit enum conversion in bfad_im_post_vendor_event Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 074/306] crypto: ccree - avoid implicit enum conversion Greg Kroah-Hartman
                   ` (236 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers,
	Martin K. Petersen, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 20054597f169090109fc3f0dfa1a48583f4178a4 ]

Clang warns when one enumerated type is implicitly converted to another.

drivers/scsi/iscsi_tcp.c:803:15: warning: implicit conversion from
enumeration type 'enum iscsi_host_param' to different enumeration type
'enum iscsi_param' [-Wenum-conversion]
                                                 &addr, param, buf);
                                                        ^~~~~
1 warning generated.

iscsi_conn_get_addr_param handles ISCSI_HOST_PARAM_IPADDRESS just fine
so add an explicit cast to iscsi_param to make it clear to Clang that
this is expected behavior.

Link: https://github.com/ClangBuiltLinux/linux/issues/153
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/iscsi_tcp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index b025a0b743417..23354f206533b 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -800,7 +800,8 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
 			return rc;
 
 		return iscsi_conn_get_addr_param((struct sockaddr_storage *)
-						 &addr, param, buf);
+						 &addr,
+						 (enum iscsi_param)param, buf);
 	default:
 		return iscsi_host_get_param(shost, param, buf);
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 074/306] crypto: ccree - avoid implicit enum conversion
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 073/306] scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 075/306] nvmet: avoid integer overflow in the discard code Greg Kroah-Hartman
                   ` (235 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Gilad Ben-Yossef,
	Nick Desaulniers, Herbert Xu, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 18e732b8035d175181aae2ded127994cb01694f7 ]

Clang warns when one enumerated type is implicitly converted to another
and this happens in several locations in this driver, ultimately related
to the set_cipher_{mode,config0} functions. set_cipher_mode expects a mode
of type drv_cipher_mode and set_cipher_config0 expects a mode of type
drv_crypto_direction.

drivers/crypto/ccree/cc_ivgen.c:58:35: warning: implicit conversion from
enumeration type 'enum cc_desc_direction' to different enumeration type
'enum drv_crypto_direction' [-Wenum-conversion]
        set_cipher_config0(&iv_seq[idx], DESC_DIRECTION_ENCRYPT_ENCRYPT);

drivers/crypto/ccree/cc_hash.c:99:28: warning: implicit conversion from
enumeration type 'enum cc_hash_conf_pad' to different enumeration type
'enum drv_crypto_direction' [-Wenum-conversion]
                set_cipher_config0(desc, HASH_DIGEST_RESULT_LITTLE_ENDIAN);

drivers/crypto/ccree/cc_aead.c:1643:30: warning: implicit conversion
from enumeration type 'enum drv_hash_hw_mode' to different enumeration
type 'enum drv_cipher_mode' [-Wenum-conversion]
        set_cipher_mode(&desc[idx], DRV_HASH_HW_GHASH);

Since this fundamentally isn't a problem because these values just
represent simple integers for a shift operation, make it clear to Clang
that this is okay by making the mode parameter in both functions an int.

Link: https://github.com/ClangBuiltLinux/linux/issues/46
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Acked-by: Gilad Ben-Yossef <gilad@benyossef.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/ccree/cc_hw_queue_defs.h | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/ccree/cc_hw_queue_defs.h b/drivers/crypto/ccree/cc_hw_queue_defs.h
index a091ae57f9024..45985b955d2c8 100644
--- a/drivers/crypto/ccree/cc_hw_queue_defs.h
+++ b/drivers/crypto/ccree/cc_hw_queue_defs.h
@@ -449,8 +449,7 @@ static inline void set_flow_mode(struct cc_hw_desc *pdesc,
  * @pdesc: pointer HW descriptor struct
  * @mode:  Any one of the modes defined in [CC7x-DESC]
  */
-static inline void set_cipher_mode(struct cc_hw_desc *pdesc,
-				   enum drv_cipher_mode mode)
+static inline void set_cipher_mode(struct cc_hw_desc *pdesc, int mode)
 {
 	pdesc->word[4] |= FIELD_PREP(WORD4_CIPHER_MODE, mode);
 }
@@ -461,8 +460,7 @@ static inline void set_cipher_mode(struct cc_hw_desc *pdesc,
  * @pdesc: pointer HW descriptor struct
  * @mode: Any one of the modes defined in [CC7x-DESC]
  */
-static inline void set_cipher_config0(struct cc_hw_desc *pdesc,
-				      enum drv_crypto_direction mode)
+static inline void set_cipher_config0(struct cc_hw_desc *pdesc, int mode)
 {
 	pdesc->word[4] |= FIELD_PREP(WORD4_CIPHER_CONF0, mode);
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 075/306] nvmet: avoid integer overflow in the discard code
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 074/306] crypto: ccree - avoid implicit enum conversion Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 076/306] nvmet-fcloop: suppress a compiler warning Greg Kroah-Hartman
                   ` (234 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Chaitanya Kulkarni,
	Christoph Hellwig, Sasha Levin

From: Bart Van Assche <bvanassche@acm.org>

[ Upstream commit 8eacd1bd21d6913ec27e6120e9a8733352e191d3 ]

Although I'm not sure whether it is a good idea to support large discard
commands, I think integer overflow for discard ranges larger than 4 GB
should be avoided. This patch avoids that smatch reports the following:

drivers/nvme/target/io-cmd-file.c:249:1 nvmet_file_execute_discard() warn: should '((range.nlb)) << req->ns->blksize_shift' be a 64 bit type?

Fixes: d5eff33ee6f8 ("nvmet: add simple file backed ns support")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/target/io-cmd-file.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/target/io-cmd-file.c b/drivers/nvme/target/io-cmd-file.c
index 81a9dc5290a87..39d972e2595f0 100644
--- a/drivers/nvme/target/io-cmd-file.c
+++ b/drivers/nvme/target/io-cmd-file.c
@@ -246,7 +246,8 @@ static void nvmet_file_execute_discard(struct nvmet_req *req)
 			break;
 
 		offset = le64_to_cpu(range.slba) << req->ns->blksize_shift;
-		len = le32_to_cpu(range.nlb) << req->ns->blksize_shift;
+		len = le32_to_cpu(range.nlb);
+		len <<= req->ns->blksize_shift;
 		if (offset + len > req->ns->size) {
 			ret = NVME_SC_LBA_RANGE | NVME_SC_DNR;
 			break;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 076/306] nvmet-fcloop: suppress a compiler warning
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 075/306] nvmet: avoid integer overflow in the discard code Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 077/306] nvme-pci: fix hot removal during error handling Greg Kroah-Hartman
                   ` (233 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, James Smart,
	Christoph Hellwig, Sasha Levin

From: Bart Van Assche <bvanassche@acm.org>

[ Upstream commit 1216e9ef18b84f4fb5934792368fb01eb3540520 ]

Building with W=1 enables the compiler warning -Wimplicit-fallthrough=3. That
option does not recognize the fall-through comment in the fcloop driver. Add
a fall-through comment that is recognized for -Wimplicit-fallthrough=3. This
patch avoids that the compiler reports the following warning when building
with W=1:

drivers/nvme/target/fcloop.c:647:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
   if (op == NVMET_FCOP_READDATA)
      ^

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/target/fcloop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
index 5251689a1d9ac..291f4121f516a 100644
--- a/drivers/nvme/target/fcloop.c
+++ b/drivers/nvme/target/fcloop.c
@@ -648,6 +648,7 @@ fcloop_fcp_op(struct nvmet_fc_target_port *tgtport,
 			break;
 
 		/* Fall-Thru to RSP handling */
+		/* FALLTHRU */
 
 	case NVMET_FCOP_RSP:
 		if (fcpreq) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 077/306] nvme-pci: fix hot removal during error handling
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 076/306] nvmet-fcloop: suppress a compiler warning Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 078/306] PCI: mediatek: Fixup MSI enablement logic by enabling MSI before clocks Greg Kroah-Hartman
                   ` (232 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keith Busch, Sagi Grimberg,
	Christoph Hellwig, Sasha Levin

From: Keith Busch <keith.busch@intel.com>

[ Upstream commit cb4bfda62afa25b4eee3d635d33fccdd9485dd7c ]

A removal waits for the reset_work to complete. If a surprise removal
occurs around the same time as an error triggered controller reset, and
reset work happened to dispatch a command to the removed controller, the
command won't be recovered since the timeout work doesn't do anything
during error recovery. We wouldn't want to wait for timeout handling
anyway, so this patch fixes this by disabling the controller and killing
admin queues prior to syncing with the reset_work.

Signed-off-by: Keith Busch <keith.busch@intel.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/pci.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index a64a8bca0d5b9..9479c0db08f62 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -2583,13 +2583,12 @@ static void nvme_remove(struct pci_dev *pdev)
 	struct nvme_dev *dev = pci_get_drvdata(pdev);
 
 	nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING);
-
-	cancel_work_sync(&dev->ctrl.reset_work);
 	pci_set_drvdata(pdev, NULL);
 
 	if (!pci_device_is_present(pdev)) {
 		nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD);
 		nvme_dev_disable(dev, true);
+		nvme_dev_remove_admin(dev);
 	}
 
 	flush_work(&dev->ctrl.reset_work);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 078/306] PCI: mediatek: Fixup MSI enablement logic by enabling MSI before clocks
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 077/306] nvme-pci: fix hot removal during error handling Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 079/306] clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk Greg Kroah-Hartman
                   ` (231 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Honghui Zhang, Lorenzo Pieralisi,
	Ryder Lee, Sasha Levin

From: Honghui Zhang <honghui.zhang@mediatek.com>

[ Upstream commit 3828d60fd2ef99f97a677c1f95af2ab3e65e2576 ]

Commit 43e6409db64d ("PCI: mediatek: Add MSI support for MT2712 and
MT7622") added MSI support but enabled MSI in the wrong place, at a step
in the probe sequence where clocks were not still enabled.

Fix this issue by calling mtk_pcie_enable_msi() in mtk_pcie_startup_port_v2()
since clocks are enabled when mtk_pcie_startup_port_v2() is called.

To avoid forward declaration of mtk_pcie_enable_msi(), move the
mtk_pcie_startup_port_v2() function definition in the file.

Fixes: 43e6409db64d ("PCI: mediatek: Add MSI support for MT2712 and MT7622")
Signed-off-by: Honghui Zhang <honghui.zhang@mediatek.com>
[lorenzo.pieralisi@arm.com: squashed commit and adapted log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/controller/pcie-mediatek.c | 143 +++++++++++++------------
 1 file changed, 72 insertions(+), 71 deletions(-)

diff --git a/drivers/pci/controller/pcie-mediatek.c b/drivers/pci/controller/pcie-mediatek.c
index 8d1364c317747..1bfbceb9f4458 100644
--- a/drivers/pci/controller/pcie-mediatek.c
+++ b/drivers/pci/controller/pcie-mediatek.c
@@ -394,75 +394,6 @@ static struct pci_ops mtk_pcie_ops_v2 = {
 	.write = mtk_pcie_config_write,
 };
 
-static int mtk_pcie_startup_port_v2(struct mtk_pcie_port *port)
-{
-	struct mtk_pcie *pcie = port->pcie;
-	struct resource *mem = &pcie->mem;
-	const struct mtk_pcie_soc *soc = port->pcie->soc;
-	u32 val;
-	size_t size;
-	int err;
-
-	/* MT7622 platforms need to enable LTSSM and ASPM from PCIe subsys */
-	if (pcie->base) {
-		val = readl(pcie->base + PCIE_SYS_CFG_V2);
-		val |= PCIE_CSR_LTSSM_EN(port->slot) |
-		       PCIE_CSR_ASPM_L1_EN(port->slot);
-		writel(val, pcie->base + PCIE_SYS_CFG_V2);
-	}
-
-	/* Assert all reset signals */
-	writel(0, port->base + PCIE_RST_CTRL);
-
-	/*
-	 * Enable PCIe link down reset, if link status changed from link up to
-	 * link down, this will reset MAC control registers and configuration
-	 * space.
-	 */
-	writel(PCIE_LINKDOWN_RST_EN, port->base + PCIE_RST_CTRL);
-
-	/* De-assert PHY, PE, PIPE, MAC and configuration reset	*/
-	val = readl(port->base + PCIE_RST_CTRL);
-	val |= PCIE_PHY_RSTB | PCIE_PERSTB | PCIE_PIPE_SRSTB |
-	       PCIE_MAC_SRSTB | PCIE_CRSTB;
-	writel(val, port->base + PCIE_RST_CTRL);
-
-	/* Set up vendor ID and class code */
-	if (soc->need_fix_class_id) {
-		val = PCI_VENDOR_ID_MEDIATEK;
-		writew(val, port->base + PCIE_CONF_VEND_ID);
-
-		val = PCI_CLASS_BRIDGE_PCI;
-		writew(val, port->base + PCIE_CONF_CLASS_ID);
-	}
-
-	/* 100ms timeout value should be enough for Gen1/2 training */
-	err = readl_poll_timeout(port->base + PCIE_LINK_STATUS_V2, val,
-				 !!(val & PCIE_PORT_LINKUP_V2), 20,
-				 100 * USEC_PER_MSEC);
-	if (err)
-		return -ETIMEDOUT;
-
-	/* Set INTx mask */
-	val = readl(port->base + PCIE_INT_MASK);
-	val &= ~INTX_MASK;
-	writel(val, port->base + PCIE_INT_MASK);
-
-	/* Set AHB to PCIe translation windows */
-	size = mem->end - mem->start;
-	val = lower_32_bits(mem->start) | AHB2PCIE_SIZE(fls(size));
-	writel(val, port->base + PCIE_AHB_TRANS_BASE0_L);
-
-	val = upper_32_bits(mem->start);
-	writel(val, port->base + PCIE_AHB_TRANS_BASE0_H);
-
-	/* Set PCIe to AXI translation memory space.*/
-	val = fls(0xffffffff) | WIN_ENABLE;
-	writel(val, port->base + PCIE_AXI_WINDOW0);
-
-	return 0;
-}
-
 static void mtk_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
 {
 	struct mtk_pcie_port *port = irq_data_get_irq_chip_data(data);
@@ -639,8 +570,6 @@ static int mtk_pcie_init_irq_domain(struct mtk_pcie_port *port,
 		ret = mtk_pcie_allocate_msi_domains(port);
 		if (ret)
 			return ret;
-
-		mtk_pcie_enable_msi(port);
 	}
 
 	return 0;
@@ -707,6 +636,78 @@ static int mtk_pcie_setup_irq(struct mtk_pcie_port *port,
 	return 0;
 }
 
+static int mtk_pcie_startup_port_v2(struct mtk_pcie_port *port)
+{
+	struct mtk_pcie *pcie = port->pcie;
+	struct resource *mem = &pcie->mem;
+	const struct mtk_pcie_soc *soc = port->pcie->soc;
+	u32 val;
+	size_t size;
+	int err;
+
+	/* MT7622 platforms need to enable LTSSM and ASPM from PCIe subsys */
+	if (pcie->base) {
+		val = readl(pcie->base + PCIE_SYS_CFG_V2);
+		val |= PCIE_CSR_LTSSM_EN(port->slot) |
+		       PCIE_CSR_ASPM_L1_EN(port->slot);
+		writel(val, pcie->base + PCIE_SYS_CFG_V2);
+	}
+
+	/* Assert all reset signals */
+	writel(0, port->base + PCIE_RST_CTRL);
+
+	/*
+	 * Enable PCIe link down reset, if link status changed from link up to
+	 * link down, this will reset MAC control registers and configuration
+	 * space.
+	 */
+	writel(PCIE_LINKDOWN_RST_EN, port->base + PCIE_RST_CTRL);
+
+	/* De-assert PHY, PE, PIPE, MAC and configuration reset	*/
+	val = readl(port->base + PCIE_RST_CTRL);
+	val |= PCIE_PHY_RSTB | PCIE_PERSTB | PCIE_PIPE_SRSTB |
+	       PCIE_MAC_SRSTB | PCIE_CRSTB;
+	writel(val, port->base + PCIE_RST_CTRL);
+
+	/* Set up vendor ID and class code */
+	if (soc->need_fix_class_id) {
+		val = PCI_VENDOR_ID_MEDIATEK;
+		writew(val, port->base + PCIE_CONF_VEND_ID);
+
+		val = PCI_CLASS_BRIDGE_PCI;
+		writew(val, port->base + PCIE_CONF_CLASS_ID);
+	}
+
+	/* 100ms timeout value should be enough for Gen1/2 training */
+	err = readl_poll_timeout(port->base + PCIE_LINK_STATUS_V2, val,
+				 !!(val & PCIE_PORT_LINKUP_V2), 20,
+				 100 * USEC_PER_MSEC);
+	if (err)
+		return -ETIMEDOUT;
+
+	/* Set INTx mask */
+	val = readl(port->base + PCIE_INT_MASK);
+	val &= ~INTX_MASK;
+	writel(val, port->base + PCIE_INT_MASK);
+
+	if (IS_ENABLED(CONFIG_PCI_MSI))
+		mtk_pcie_enable_msi(port);
+
+	/* Set AHB to PCIe translation windows */
+	size = mem->end - mem->start;
+	val = lower_32_bits(mem->start) | AHB2PCIE_SIZE(fls(size));
+	writel(val, port->base + PCIE_AHB_TRANS_BASE0_L);
+
+	val = upper_32_bits(mem->start);
+	writel(val, port->base + PCIE_AHB_TRANS_BASE0_H);
+
+	/* Set PCIe to AXI translation memory space.*/
+	val = fls(0xffffffff) | WIN_ENABLE;
+	writel(val, port->base + PCIE_AXI_WINDOW0);
+
+	return 0;
+}
+
 static void __iomem *mtk_pcie_map_bus(struct pci_bus *bus,
 				      unsigned int devfn, int where)
 {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 079/306] clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 078/306] PCI: mediatek: Fixup MSI enablement logic by enabling MSI before clocks Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 080/306] clk: at91: audio-pll: fix audio pmc type Greg Kroah-Hartman
                   ` (230 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lubomir Rintel, Stephen Boyd, Sasha Levin

From: Lubomir Rintel <lkundrak@v3.sk>

[ Upstream commit 4917fb90eec7c26dac1497ada3bd4a325f670fcc ]

A typo that makes it impossible to get the correct clocks for
MMP2_CLK_SDH2 and MMP2_CLK_SDH3.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Fixes: 1ec770d92a62 ("clk: mmp: add mmp2 DT support for clock driver")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/mmp/clk-of-mmp2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/mmp/clk-of-mmp2.c b/drivers/clk/mmp/clk-of-mmp2.c
index 0fc75c3959570..d083b860f0833 100644
--- a/drivers/clk/mmp/clk-of-mmp2.c
+++ b/drivers/clk/mmp/clk-of-mmp2.c
@@ -227,8 +227,8 @@ static struct mmp_param_gate_clk apmu_gate_clks[] = {
 	/* The gate clocks has mux parent. */
 	{MMP2_CLK_SDH0, "sdh0_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH0, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
 	{MMP2_CLK_SDH1, "sdh1_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH1, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
-	{MMP2_CLK_SDH1, "sdh2_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH2, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
-	{MMP2_CLK_SDH1, "sdh3_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH3, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+	{MMP2_CLK_SDH2, "sdh2_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH2, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+	{MMP2_CLK_SDH3, "sdh3_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH3, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
 	{MMP2_CLK_DISP0, "disp0_clk", "disp0_div", CLK_SET_RATE_PARENT, APMU_DISP0, 0x1b, 0x1b, 0x0, 0, &disp0_lock},
 	{MMP2_CLK_DISP0_SPHY, "disp0_sphy_clk", "disp0_sphy_div", CLK_SET_RATE_PARENT, APMU_DISP0, 0x1024, 0x1024, 0x0, 0, &disp0_lock},
 	{MMP2_CLK_DISP1, "disp1_clk", "disp1_div", CLK_SET_RATE_PARENT, APMU_DISP1, 0x1b, 0x1b, 0x0, 0, &disp1_lock},
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 080/306] clk: at91: audio-pll: fix audio pmc type
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 079/306] clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 081/306] ASoC: tegra_sgtl5000: fix device_node refcounting Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Stephen Boyd, Sasha Levin

From: Alexandre Belloni <alexandre.belloni@bootlin.com>

[ Upstream commit 7fa75007b7d7421aea59ff2b12ab1bd65a5abfa6 ]

The allocation for the audio pmc is using the size of struct clk_audio_pad
instead of struct clk_audio_pmc. This works fine because the former is
larger than the latter but it is safer to be correct.

Fixes: ("0865805d82d4 clk: at91: add audio pll clock drivers")
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/at91/clk-audio-pll.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/at91/clk-audio-pll.c b/drivers/clk/at91/clk-audio-pll.c
index da7bafcfbe706..b3eaf654fac98 100644
--- a/drivers/clk/at91/clk-audio-pll.c
+++ b/drivers/clk/at91/clk-audio-pll.c
@@ -509,7 +509,7 @@ static void __init of_sama5d2_clk_audio_pll_pad_setup(struct device_node *np)
 
 static void __init of_sama5d2_clk_audio_pll_pmc_setup(struct device_node *np)
 {
-	struct clk_audio_pad *apmc_ck;
+	struct clk_audio_pmc *apmc_ck;
 	struct clk_init_data init = {};
 
 	apmc_ck = kzalloc(sizeof(*apmc_ck), GFP_KERNEL);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 081/306] ASoC: tegra_sgtl5000: fix device_node refcounting
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 080/306] clk: at91: audio-pll: fix audio pmc type Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 082/306] scsi: dc395x: fix dma API usage in srb_done Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marcel Ziswiler, Jon Hunter,
	Mark Brown, Sasha Levin

From: Marcel Ziswiler <marcel.ziswiler@toradex.com>

[ Upstream commit a85227da2dcc291b762c8482a505bc7d0d2d4b07 ]

Similar to the following:

commit 4321723648b0 ("ASoC: tegra_alc5632: fix device_node refcounting")

commit 7c5dfd549617 ("ASoC: tegra: fix device_node refcounting")

Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/tegra/tegra_sgtl5000.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/sound/soc/tegra/tegra_sgtl5000.c b/sound/soc/tegra/tegra_sgtl5000.c
index 45a4aa9d2a479..901457da25ec3 100644
--- a/sound/soc/tegra/tegra_sgtl5000.c
+++ b/sound/soc/tegra/tegra_sgtl5000.c
@@ -149,14 +149,14 @@ static int tegra_sgtl5000_driver_probe(struct platform_device *pdev)
 		dev_err(&pdev->dev,
 			"Property 'nvidia,i2s-controller' missing/invalid\n");
 		ret = -EINVAL;
-		goto err;
+		goto err_put_codec_of_node;
 	}
 
 	tegra_sgtl5000_dai.platform_of_node = tegra_sgtl5000_dai.cpu_of_node;
 
 	ret = tegra_asoc_utils_init(&machine->util_data, &pdev->dev);
 	if (ret)
-		goto err;
+		goto err_put_cpu_of_node;
 
 	ret = snd_soc_register_card(card);
 	if (ret) {
@@ -169,6 +169,13 @@ static int tegra_sgtl5000_driver_probe(struct platform_device *pdev)
 
 err_fini_utils:
 	tegra_asoc_utils_fini(&machine->util_data);
+err_put_cpu_of_node:
+	of_node_put(tegra_sgtl5000_dai.cpu_of_node);
+	tegra_sgtl5000_dai.cpu_of_node = NULL;
+	tegra_sgtl5000_dai.platform_of_node = NULL;
+err_put_codec_of_node:
+	of_node_put(tegra_sgtl5000_dai.codec_of_node);
+	tegra_sgtl5000_dai.codec_of_node = NULL;
 err:
 	return ret;
 }
@@ -183,6 +190,12 @@ static int tegra_sgtl5000_driver_remove(struct platform_device *pdev)
 
 	tegra_asoc_utils_fini(&machine->util_data);
 
+	of_node_put(tegra_sgtl5000_dai.cpu_of_node);
+	tegra_sgtl5000_dai.cpu_of_node = NULL;
+	tegra_sgtl5000_dai.platform_of_node = NULL;
+	of_node_put(tegra_sgtl5000_dai.codec_of_node);
+	tegra_sgtl5000_dai.codec_of_node = NULL;
+
 	return ret;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 082/306] scsi: dc395x: fix dma API usage in srb_done
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 081/306] ASoC: tegra_sgtl5000: fix device_node refcounting Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 083/306] scsi: dc395x: fix DMA API usage in sg_update_list Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig,
	Martin K. Petersen, Sasha Levin

From: Christoph Hellwig <hch@lst.de>

[ Upstream commit 3a5bd7021184dec2946f2a4d7a8943f8a5713e52 ]

We can't just transfer ownership to the CPU and then unmap, as this will
break with swiotlb.

Instead unmap the command and sense buffer a little earlier in the I/O
completion handler and get rid of the pci_dma_sync_sg_for_cpu call
entirely.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/dc395x.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
index 1ed2cd82129d2..08161df64ead5 100644
--- a/drivers/scsi/dc395x.c
+++ b/drivers/scsi/dc395x.c
@@ -3447,14 +3447,12 @@ static void srb_done(struct AdapterCtlBlk *acb, struct DeviceCtlBlk *dcb,
 		}
 	}
 
-	if (dir != PCI_DMA_NONE && scsi_sg_count(cmd))
-		pci_dma_sync_sg_for_cpu(acb->dev, scsi_sglist(cmd),
-					scsi_sg_count(cmd), dir);
-
 	ckc_only = 0;
 /* Check Error Conditions */
       ckc_e:
 
+	pci_unmap_srb(acb, srb);
+
 	if (cmd->cmnd[0] == INQUIRY) {
 		unsigned char *base = NULL;
 		struct ScsiInqData *ptr;
@@ -3507,7 +3505,6 @@ static void srb_done(struct AdapterCtlBlk *acb, struct DeviceCtlBlk *dcb,
 			cmd, cmd->result);
 		srb_free_insert(acb, srb);
 	}
-	pci_unmap_srb(acb, srb);
 
 	cmd->scsi_done(cmd);
 	waiting_process_next(acb);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 083/306] scsi: dc395x: fix DMA API usage in sg_update_list
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 082/306] scsi: dc395x: fix dma API usage in srb_done Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 084/306] scsi: zorro_esp: Limit DMA transfers to 65535 bytes Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig,
	Martin K. Petersen, Sasha Levin

From: Christoph Hellwig <hch@lst.de>

[ Upstream commit 6c404a68bf83b4135a8a9aa1c388ebdf98e8ba7f ]

We need to transfer device ownership to the CPU before we can manipulate
the mapped data.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/dc395x.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
index 08161df64ead5..3943347ec3c7c 100644
--- a/drivers/scsi/dc395x.c
+++ b/drivers/scsi/dc395x.c
@@ -1969,6 +1969,11 @@ static void sg_update_list(struct ScsiReqBlk *srb, u32 left)
 			xferred -= psge->length;
 		} else {
 			/* Partial SG entry done */
+			pci_dma_sync_single_for_cpu(srb->dcb->
+					    acb->dev,
+					    srb->sg_bus_addr,
+					    SEGMENTX_LEN,
+					    PCI_DMA_TODEVICE);
 			psge->length -= xferred;
 			psge->address += xferred;
 			srb->sg_index = idx;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 084/306] scsi: zorro_esp: Limit DMA transfers to 65535 bytes
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 083/306] scsi: dc395x: fix DMA API usage in sg_update_list Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 085/306] net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Finn Thain, Michael Schmitz,
	Martin K. Petersen, Sasha Levin

From: Finn Thain <fthain@telegraphics.com.au>

[ Upstream commit b7ded0e8b0d11b6df1c4e5aa23a26e6629c21985 ]

The core driver, esp_scsi, does not use the ESP_CONFIG2_FENAB bit, so the
chip's Transfer Counter register is only 16 bits wide (not 24).  A larger
transfer cannot work and will theoretically result in a failed command
and a "DMA length is zero" error.

Fixes: 3109e5ae0311 ("scsi: zorro_esp: New driver for Amiga Zorro NCR53C9x boards")
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Cc: Michael Schmitz <schmitzmic@gmail.com>
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Reviewed-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/zorro_esp.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/drivers/scsi/zorro_esp.c b/drivers/scsi/zorro_esp.c
index bb70882e6b56e..be79127db5946 100644
--- a/drivers/scsi/zorro_esp.c
+++ b/drivers/scsi/zorro_esp.c
@@ -245,7 +245,7 @@ static int fastlane_esp_irq_pending(struct esp *esp)
 static u32 zorro_esp_dma_length_limit(struct esp *esp, u32 dma_addr,
 					u32 dma_len)
 {
-	return dma_len > 0xFFFFFF ? 0xFFFFFF : dma_len;
+	return dma_len > 0xFFFF ? 0xFFFF : dma_len;
 }
 
 static void zorro_esp_reset_dma(struct esp *esp)
@@ -484,7 +484,6 @@ static void zorro_esp_send_blz1230_dma_cmd(struct esp *esp, u32 addr,
 	scsi_esp_cmd(esp, ESP_CMD_DMA);
 	zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
 	zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
-	zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
 
 	scsi_esp_cmd(esp, cmd);
 }
@@ -529,7 +528,6 @@ static void zorro_esp_send_blz1230II_dma_cmd(struct esp *esp, u32 addr,
 	scsi_esp_cmd(esp, ESP_CMD_DMA);
 	zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
 	zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
-	zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
 
 	scsi_esp_cmd(esp, cmd);
 }
@@ -574,7 +572,6 @@ static void zorro_esp_send_blz2060_dma_cmd(struct esp *esp, u32 addr,
 	scsi_esp_cmd(esp, ESP_CMD_DMA);
 	zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
 	zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
-	zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
 
 	scsi_esp_cmd(esp, cmd);
 }
@@ -599,7 +596,6 @@ static void zorro_esp_send_cyber_dma_cmd(struct esp *esp, u32 addr,
 
 	zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
 	zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
-	zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
 
 	if (write) {
 		/* DMA receive */
@@ -649,7 +645,6 @@ static void zorro_esp_send_cyberII_dma_cmd(struct esp *esp, u32 addr,
 
 	zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
 	zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
-	zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
 
 	if (write) {
 		/* DMA receive */
@@ -691,7 +686,6 @@ static void zorro_esp_send_fastlane_dma_cmd(struct esp *esp, u32 addr,
 
 	zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
 	zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
-	zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
 
 	if (write) {
 		/* DMA receive */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 085/306] net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 084/306] scsi: zorro_esp: Limit DMA transfers to 65535 bytes Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 086/306] net: fix warning in af_unix Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Behún, David S. Miller,
	Sasha Levin

From: Marek Behún <marek.behun@nic.cz>

[ Upstream commit 26422340da467538cd65eaa9c65538039ee99c8c ]

This is a fix for the port_set_speed method for the Topaz family.
Currently the same method is used as for the Peridot family, but
this is wrong for the SERDES port.

On Topaz, the SERDES port is port 5, not 9 and 10 as in Peridot.
Moreover setting alt_bit on Topaz only makes sense for port 0 (for
(differentiating 100mbps vs 200mbps). The SERDES port does not
support more than 2500mbps, so alt_bit does not make any difference.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/mv88e6xxx/chip.c |  4 ++--
 drivers/net/dsa/mv88e6xxx/port.c | 25 +++++++++++++++++++++++--
 drivers/net/dsa/mv88e6xxx/port.h |  1 +
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index d075f0f7a3de8..411ae9961bf4f 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -3028,7 +3028,7 @@ static const struct mv88e6xxx_ops mv88e6141_ops = {
 	.port_set_link = mv88e6xxx_port_set_link,
 	.port_set_duplex = mv88e6xxx_port_set_duplex,
 	.port_set_rgmii_delay = mv88e6390_port_set_rgmii_delay,
-	.port_set_speed = mv88e6390_port_set_speed,
+	.port_set_speed = mv88e6341_port_set_speed,
 	.port_tag_remap = mv88e6095_port_tag_remap,
 	.port_set_frame_mode = mv88e6351_port_set_frame_mode,
 	.port_set_egress_floods = mv88e6352_port_set_egress_floods,
@@ -3649,7 +3649,7 @@ static const struct mv88e6xxx_ops mv88e6341_ops = {
 	.port_set_link = mv88e6xxx_port_set_link,
 	.port_set_duplex = mv88e6xxx_port_set_duplex,
 	.port_set_rgmii_delay = mv88e6390_port_set_rgmii_delay,
-	.port_set_speed = mv88e6390_port_set_speed,
+	.port_set_speed = mv88e6341_port_set_speed,
 	.port_tag_remap = mv88e6095_port_tag_remap,
 	.port_set_frame_mode = mv88e6351_port_set_frame_mode,
 	.port_set_egress_floods = mv88e6352_port_set_egress_floods,
diff --git a/drivers/net/dsa/mv88e6xxx/port.c b/drivers/net/dsa/mv88e6xxx/port.c
index fdeddbfa829da..2f16a310c110e 100644
--- a/drivers/net/dsa/mv88e6xxx/port.c
+++ b/drivers/net/dsa/mv88e6xxx/port.c
@@ -228,8 +228,11 @@ static int mv88e6xxx_port_set_speed(struct mv88e6xxx_chip *chip, int port,
 		ctrl = MV88E6XXX_PORT_MAC_CTL_SPEED_1000;
 		break;
 	case 2500:
-		ctrl = MV88E6390_PORT_MAC_CTL_SPEED_10000 |
-			MV88E6390_PORT_MAC_CTL_ALTSPEED;
+		if (alt_bit)
+			ctrl = MV88E6390_PORT_MAC_CTL_SPEED_10000 |
+				MV88E6390_PORT_MAC_CTL_ALTSPEED;
+		else
+			ctrl = MV88E6390_PORT_MAC_CTL_SPEED_10000;
 		break;
 	case 10000:
 		/* all bits set, fall through... */
@@ -291,6 +294,24 @@ int mv88e6185_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed)
 	return mv88e6xxx_port_set_speed(chip, port, speed, false, false);
 }
 
+/* Support 10, 100, 200, 1000, 2500 Mbps (e.g. 88E6341) */
+int mv88e6341_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed)
+{
+	if (speed == SPEED_MAX)
+		speed = port < 5 ? 1000 : 2500;
+
+	if (speed > 2500)
+		return -EOPNOTSUPP;
+
+	if (speed == 200 && port != 0)
+		return -EOPNOTSUPP;
+
+	if (speed == 2500 && port < 5)
+		return -EOPNOTSUPP;
+
+	return mv88e6xxx_port_set_speed(chip, port, speed, !port, true);
+}
+
 /* Support 10, 100, 200, 1000 Mbps (e.g. 88E6352 family) */
 int mv88e6352_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed)
 {
diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h
index 95b59f5eb3931..cbb64a7683e28 100644
--- a/drivers/net/dsa/mv88e6xxx/port.h
+++ b/drivers/net/dsa/mv88e6xxx/port.h
@@ -280,6 +280,7 @@ int mv88e6xxx_port_set_duplex(struct mv88e6xxx_chip *chip, int port, int dup);
 
 int mv88e6065_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
 int mv88e6185_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
+int mv88e6341_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
 int mv88e6352_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
 int mv88e6390_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
 int mv88e6390x_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 086/306] net: fix warning in af_unix
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 085/306] net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 087/306] net: ena: Fix Kconfig dependency on X86 Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kyeongdon Kim, David S. Miller, Sasha Levin

From: Kyeongdon Kim <kyeongdon.kim@lge.com>

[ Upstream commit 33c4368ee2589c165aebd8d388cbd91e9adb9688 ]

This fixes the "'hash' may be used uninitialized in this function"

net/unix/af_unix.c:1041:20: warning: 'hash' may be used uninitialized in this function [-Wmaybe-uninitialized]
  addr->hash = hash ^ sk->sk_type;

Signed-off-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/unix/af_unix.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 231b6c032d2c3..d2d6ff0c6265d 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -225,6 +225,8 @@ static inline void unix_release_addr(struct unix_address *addr)
 
 static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp)
 {
+	*hashp = 0;
+
 	if (len <= sizeof(short) || len > sizeof(*sunaddr))
 		return -EINVAL;
 	if (!sunaddr || sunaddr->sun_family != AF_UNIX)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 087/306] net: ena: Fix Kconfig dependency on X86
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 086/306] net: fix warning in af_unix Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 088/306] xfs: fix use-after-free race in xfs_buf_rele Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Netanel Belgazal, David S. Miller,
	Sasha Levin

From: Netanel Belgazal <netanel@amazon.com>

[ Upstream commit 8c590f9776386b8f697fd0b7ed6142ae6e3de79e ]

The Kconfig limitation of X86 is to too wide.
The ENA driver only requires a little endian dependency.

Change the dependency to be on little endian CPU.

Signed-off-by: Netanel Belgazal <netanel@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amazon/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/amazon/Kconfig b/drivers/net/ethernet/amazon/Kconfig
index 99b30353541ab..9e87d7b8360f5 100644
--- a/drivers/net/ethernet/amazon/Kconfig
+++ b/drivers/net/ethernet/amazon/Kconfig
@@ -17,7 +17,7 @@ if NET_VENDOR_AMAZON
 
 config ENA_ETHERNET
 	tristate "Elastic Network Adapter (ENA) support"
-	depends on (PCI_MSI && X86)
+	depends on PCI_MSI && !CPU_BIG_ENDIAN
 	---help---
 	  This driver supports Elastic Network Adapter (ENA)"
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 088/306] xfs: fix use-after-free race in xfs_buf_rele
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 087/306] net: ena: Fix Kconfig dependency on X86 Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:28 ` [PATCH 4.19 089/306] xfs: clear ail delwri queued bufs on unmount of shutdown fs Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Chinner, Brian Foster,
	Dave Chinner, Sasha Levin

From: Dave Chinner <dchinner@redhat.com>

[ Upstream commit 37fd1678245f7a5898c1b05128bc481fb403c290 ]

When looking at a 4.18 based KASAN use after free report, I noticed
that racing xfs_buf_rele() may race on dropping the last reference
to the buffer and taking the buffer lock. This was the symptom
displayed by the KASAN report, but the actual issue that was
reported had already been fixed in 4.19-rc1 by commit e339dd8d8b04
("xfs: use sync buffer I/O for sync delwri queue submission").

Despite this, I think there is still an issue with xfs_buf_rele()
in this code:

        release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
        spin_lock(&bp->b_lock);
        if (!release) {
.....

If two threads race on the b_lock after both dropping a reference
and one getting dropping the last reference so release = true, we
end up with:

CPU 0				CPU 1
atomic_dec_and_lock()
				atomic_dec_and_lock()
				spin_lock(&bp->b_lock)
spin_lock(&bp->b_lock)
<spins>
				<release = true bp->b_lru_ref = 0>
				<remove from lists>
				freebuf = true
				spin_unlock(&bp->b_lock)
				xfs_buf_free(bp)
<gets lock, reading and writing freed memory>
<accesses freed memory>
spin_unlock(&bp->b_lock) <reads/writes freed memory>

IOWs, we can't safely take bp->b_lock after dropping the hold
reference because the buffer may go away at any time after we
drop that reference. However, this can be fixed simply by taking the
bp->b_lock before we drop the reference.

It is safe to nest the pag_buf_lock inside bp->b_lock as the
pag_buf_lock is only used to serialise against lookup in
xfs_buf_find() and no other locks are held over or under the
pag_buf_lock there. Make this clear by documenting the buffer lock
orders at the top of the file.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/xfs/xfs_buf.c | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
index e839907e8492f..f4a89c94c931b 100644
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -37,6 +37,32 @@ static kmem_zone_t *xfs_buf_zone;
 #define xb_to_gfp(flags) \
 	((((flags) & XBF_READ_AHEAD) ? __GFP_NORETRY : GFP_NOFS) | __GFP_NOWARN)
 
+/*
+ * Locking orders
+ *
+ * xfs_buf_ioacct_inc:
+ * xfs_buf_ioacct_dec:
+ *	b_sema (caller holds)
+ *	  b_lock
+ *
+ * xfs_buf_stale:
+ *	b_sema (caller holds)
+ *	  b_lock
+ *	    lru_lock
+ *
+ * xfs_buf_rele:
+ *	b_lock
+ *	  pag_buf_lock
+ *	    lru_lock
+ *
+ * xfs_buftarg_wait_rele
+ *	lru_lock
+ *	  b_lock (trylock due to inversion)
+ *
+ * xfs_buftarg_isolate
+ *	lru_lock
+ *	  b_lock (trylock due to inversion)
+ */
 
 static inline int
 xfs_buf_is_vmapped(
@@ -1006,8 +1032,18 @@ xfs_buf_rele(
 
 	ASSERT(atomic_read(&bp->b_hold) > 0);
 
-	release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
+	/*
+	 * We grab the b_lock here first to serialise racing xfs_buf_rele()
+	 * calls. The pag_buf_lock being taken on the last reference only
+	 * serialises against racing lookups in xfs_buf_find(). IOWs, the second
+	 * to last reference we drop here is not serialised against the last
+	 * reference until we take bp->b_lock. Hence if we don't grab b_lock
+	 * first, the last "release" reference can win the race to the lock and
+	 * free the buffer before the second-to-last reference is processed,
+	 * leading to a use-after-free scenario.
+	 */
 	spin_lock(&bp->b_lock);
+	release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
 	if (!release) {
 		/*
 		 * Drop the in-flight state if the buffer is already on the LRU
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 089/306] xfs: clear ail delwri queued bufs on unmount of shutdown fs
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 088/306] xfs: fix use-after-free race in xfs_buf_rele Greg Kroah-Hartman
@ 2019-11-27 20:28 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 090/306] kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Foster, Dave Chinner,
	Dave Chinner, Sasha Levin

From: Brian Foster <bfoster@redhat.com>

[ Upstream commit efc3289cf8d39c34502a7cc9695ca2fa125aad0c ]

In the typical unmount case, the AIL is forced out by the unmount
sequence before the xfsaild task is stopped. Since AIL items are
removed on writeback completion, this means that the AIL
->ail_buf_list delwri queue has been drained. This is not always
true in the shutdown case, however.

It's possible for buffers to sit on a delwri queue for a period of
time across submission attempts if said items are locked or have
been relogged and pinned since first added to the queue. If the
attempt to log such an item results in a log I/O error, the error
processing can shutdown the fs, remove the item from the AIL, stale
the buffer (dropping the LRU reference) and clear its delwri queue
state. The latter bit means the buffer will be released from a
delwri queue on the next submission attempt, but this might never
occur if the filesystem has shutdown and the AIL is empty.

This means that such buffers are held indefinitely by the AIL delwri
queue across destruction of the AIL. Aside from being a memory leak,
these buffers can also hold references to in-core perag structures.
The latter problem manifests as a generic/475 failure, reproducing
the following asserts at unmount time:

  XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0,
	file: fs/xfs/xfs_mount.c, line: 151
  XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0,
	file: fs/xfs/xfs_mount.c, line: 132

To prevent this problem, clear the AIL delwri queue as a final step
before xfsaild() exit. The !empty state should never occur in the
normal case, so add an assert to catch unexpected problems going
forward.

[dgc: add comment explaining need for xfs_buf_delwri_cancel() after
 calling xfs_buf_delwri_submit_nowait().]

Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/xfs/xfs_buf.c       |  7 +++++++
 fs/xfs/xfs_trans_ail.c | 28 ++++++++++++++++++++++------
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
index f4a89c94c931b..e36124546d0db 100644
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -2025,6 +2025,13 @@ xfs_buf_delwri_submit_buffers(
  * is only safely useable for callers that can track I/O completion by higher
  * level means, e.g. AIL pushing as the @buffer_list is consumed in this
  * function.
+ *
+ * Note: this function will skip buffers it would block on, and in doing so
+ * leaves them on @buffer_list so they can be retried on a later pass. As such,
+ * it is up to the caller to ensure that the buffer list is fully submitted or
+ * cancelled appropriately when they are finished with the list. Failure to
+ * cancel or resubmit the list until it is empty will result in leaked buffers
+ * at unmount time.
  */
 int
 xfs_buf_delwri_submit_nowait(
diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c
index 55326f971cb36..d3a4e89bf4a0d 100644
--- a/fs/xfs/xfs_trans_ail.c
+++ b/fs/xfs/xfs_trans_ail.c
@@ -531,17 +531,33 @@ xfsaild(
 			set_current_state(TASK_INTERRUPTIBLE);
 
 		/*
-		 * Check kthread_should_stop() after we set the task state
-		 * to guarantee that we either see the stop bit and exit or
-		 * the task state is reset to runnable such that it's not
-		 * scheduled out indefinitely and detects the stop bit at
-		 * next iteration.
-		 *
+		 * Check kthread_should_stop() after we set the task state to
+		 * guarantee that we either see the stop bit and exit or the
+		 * task state is reset to runnable such that it's not scheduled
+		 * out indefinitely and detects the stop bit at next iteration.
 		 * A memory barrier is included in above task state set to
 		 * serialize again kthread_stop().
 		 */
 		if (kthread_should_stop()) {
 			__set_current_state(TASK_RUNNING);
+
+			/*
+			 * The caller forces out the AIL before stopping the
+			 * thread in the common case, which means the delwri
+			 * queue is drained. In the shutdown case, the queue may
+			 * still hold relogged buffers that haven't been
+			 * submitted because they were pinned since added to the
+			 * queue.
+			 *
+			 * Log I/O error processing stales the underlying buffer
+			 * and clears the delwri state, expecting the buf to be
+			 * removed on the next submission attempt. That won't
+			 * happen if we're shutting down, so this is the last
+			 * opportunity to release such buffers from the queue.
+			 */
+			ASSERT(list_empty(&ailp->ail_buf_list) ||
+			       XFS_FORCED_SHUTDOWN(ailp->ail_mount));
+			xfs_buf_delwri_cancel(&ailp->ail_buf_list);
 			break;
 		}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 090/306] kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2019-11-27 20:28 ` [PATCH 4.19 089/306] xfs: clear ail delwri queued bufs on unmount of shutdown fs Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 091/306] ACPI / scan: Create platform device for INT33FE ACPI nodes Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski,
	Steven Rostedt (VMware), Joel Fernandes (Google),
	Borislav Petkov, Josh Poimboeuf, Linus Torvalds,
	Masami Hiramatsu, Peter Zijlstra, Thomas Gleixner, Ingo Molnar,
	Sasha Levin

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

[ Upstream commit c2712b858187f5bcd7b042fe4daa3ba3a12635c0 ]

Andy had some concerns about using regs_get_kernel_stack_nth() in a new
function regs_get_kernel_argument() as if there's any error in the stack
code, it could cause a bad memory access. To be on the safe side, call
probe_kernel_read() on the stack address to be extra careful in accessing
the memory. A helper function, regs_get_kernel_stack_nth_addr(), was added
to just return the stack address (or NULL if not on the stack), that will be
used to find the address (and could be used by other functions) and read the
address with kernel_probe_read().

Requested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20181017165951.09119177@gandalf.local.home
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/include/asm/ptrace.h | 42 +++++++++++++++++++++++++++++------
 1 file changed, 35 insertions(+), 7 deletions(-)

diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
index 6de1fd3d00974..ee696efec99fd 100644
--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -236,24 +236,52 @@ static inline int regs_within_kernel_stack(struct pt_regs *regs,
 		(kernel_stack_pointer(regs) & ~(THREAD_SIZE - 1)));
 }
 
+/**
+ * regs_get_kernel_stack_nth_addr() - get the address of the Nth entry on stack
+ * @regs:	pt_regs which contains kernel stack pointer.
+ * @n:		stack entry number.
+ *
+ * regs_get_kernel_stack_nth() returns the address of the @n th entry of the
+ * kernel stack which is specified by @regs. If the @n th entry is NOT in
+ * the kernel stack, this returns NULL.
+ */
+static inline unsigned long *regs_get_kernel_stack_nth_addr(struct pt_regs *regs, unsigned int n)
+{
+	unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
+
+	addr += n;
+	if (regs_within_kernel_stack(regs, (unsigned long)addr))
+		return addr;
+	else
+		return NULL;
+}
+
+/* To avoid include hell, we can't include uaccess.h */
+extern long probe_kernel_read(void *dst, const void *src, size_t size);
+
 /**
  * regs_get_kernel_stack_nth() - get Nth entry of the stack
  * @regs:	pt_regs which contains kernel stack pointer.
  * @n:		stack entry number.
  *
  * regs_get_kernel_stack_nth() returns @n th entry of the kernel stack which
- * is specified by @regs. If the @n th entry is NOT in the kernel stack,
+ * is specified by @regs. If the @n th entry is NOT in the kernel stack
  * this returns 0.
  */
 static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
 						      unsigned int n)
 {
-	unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
-	addr += n;
-	if (regs_within_kernel_stack(regs, (unsigned long)addr))
-		return *addr;
-	else
-		return 0;
+	unsigned long *addr;
+	unsigned long val;
+	long ret;
+
+	addr = regs_get_kernel_stack_nth_addr(regs, n);
+	if (addr) {
+		ret = probe_kernel_read(&val, addr, sizeof(val));
+		if (!ret)
+			return val;
+	}
+	return 0;
 }
 
 #define arch_has_single_step()	(1)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 091/306] ACPI / scan: Create platform device for INT33FE ACPI nodes
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 090/306] kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 092/306] PM / Domains: Deal with multiple states but no governor in genpd Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Andy Shevchenko,
	Rafael J. Wysocki, Sasha Levin, Alexander Meiler

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 589edb56b424876cbbf61547b987a1f57d7ea99d ]

Bay and Cherry Trail devices with a Dollar Cove or Whiskey Cove PMIC
have an ACPI node with a HID of INT33FE which is a "virtual" battery
device implementing a standard ACPI battery interface which depends upon
a proprietary, undocument OpRegion called BMOP. Since we do have docs
for the actual fuel-gauges used on these boards we instead use native
fuel-gauge drivers talking directly to the fuel-gauge ICs on boards which
rely on this INT33FE device for their battery monitoring.

On boards with a Dollar Cove PMIC the INT33FE device's resources (_CRS)
describe a non-existing I2C client at address 0x6b with a bus-speed of
100KHz. This is a problem on some boards since there are actual devices
on that same bus which need a speed of 400KHz to function properly.

This commit adds the INT33FE HID to the list of devices with I2C resources
which should be enumerated as a platform-device rather then letting the
i2c-core instantiate an i2c-client matching the first I2C resource,
so that its bus-speed will not influence the max speed of the I2C bus.
This fixes e.g. the touchscreen not working on the Teclast X98 II Plus.

The INT33FE device on boards with a Whiskey Cove PMIC is somewhat special.
Its first I2C resource is for a secondary I2C address of the PMIC itself,
which is already described in an ACPI device with an INT34D3 HID.

But it has 3 more I2C resources describing 3 other chips for which we do
need to instantiate I2C clients and which need device-connections added
between them for things to work properly. This special case is handled by
the drivers/platform/x86/intel_cht_int33fe.c code.

Before this commit that code was binding to the i2c-client instantiated
for the secondary I2C address of the PMIC, since we now instantiate a
platform device for the INT33FE device instead, this commit also changes
the intel_cht_int33fe driver from an i2c driver to a platform driver.

This also brings the intel_cht_int33fe drv inline with how we instantiate
multiple i2c clients from a single ACPI device in other cases, as done
by the drivers/platform/x86/i2c-multi-instantiate.c code.

Reported-and-tested-by: Alexander Meiler <alex.meiler@protonmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/scan.c                      |  1 +
 drivers/platform/x86/intel_cht_int33fe.c | 24 +++++++++---------------
 2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
index e1b6231cfa1c5..1dcc48b9d33c9 100644
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -1550,6 +1550,7 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device)
 	 */
 	static const struct acpi_device_id i2c_multi_instantiate_ids[] = {
 		{"BSG1160", },
+		{"INT33FE", },
 		{}
 	};
 
diff --git a/drivers/platform/x86/intel_cht_int33fe.c b/drivers/platform/x86/intel_cht_int33fe.c
index a26f410800c21..f40b1c1921064 100644
--- a/drivers/platform/x86/intel_cht_int33fe.c
+++ b/drivers/platform/x86/intel_cht_int33fe.c
@@ -24,6 +24,7 @@
 #include <linux/i2c.h>
 #include <linux/interrupt.h>
 #include <linux/module.h>
+#include <linux/platform_device.h>
 #include <linux/regulator/consumer.h>
 #include <linux/slab.h>
 
@@ -88,9 +89,9 @@ static const struct property_entry fusb302_props[] = {
 	{ }
 };
 
-static int cht_int33fe_probe(struct i2c_client *client)
+static int cht_int33fe_probe(struct platform_device *pdev)
 {
-	struct device *dev = &client->dev;
+	struct device *dev = &pdev->dev;
 	struct i2c_board_info board_info;
 	struct cht_int33fe_data *data;
 	struct i2c_client *max17047;
@@ -207,7 +208,7 @@ static int cht_int33fe_probe(struct i2c_client *client)
 	if (!data->pi3usb30532)
 		goto out_unregister_fusb302;
 
-	i2c_set_clientdata(client, data);
+	platform_set_drvdata(pdev, data);
 
 	return 0;
 
@@ -223,9 +224,9 @@ static int cht_int33fe_probe(struct i2c_client *client)
 	return -EPROBE_DEFER; /* Wait for the i2c-adapter to load */
 }
 
-static int cht_int33fe_remove(struct i2c_client *i2c)
+static int cht_int33fe_remove(struct platform_device *pdev)
 {
-	struct cht_int33fe_data *data = i2c_get_clientdata(i2c);
+	struct cht_int33fe_data *data = platform_get_drvdata(pdev);
 
 	i2c_unregister_device(data->pi3usb30532);
 	i2c_unregister_device(data->fusb302);
@@ -237,29 +238,22 @@ static int cht_int33fe_remove(struct i2c_client *i2c)
 	return 0;
 }
 
-static const struct i2c_device_id cht_int33fe_i2c_id[] = {
-	{ }
-};
-MODULE_DEVICE_TABLE(i2c, cht_int33fe_i2c_id);
-
 static const struct acpi_device_id cht_int33fe_acpi_ids[] = {
 	{ "INT33FE", },
 	{ }
 };
 MODULE_DEVICE_TABLE(acpi, cht_int33fe_acpi_ids);
 
-static struct i2c_driver cht_int33fe_driver = {
+static struct platform_driver cht_int33fe_driver = {
 	.driver	= {
 		.name = "Intel Cherry Trail ACPI INT33FE driver",
 		.acpi_match_table = ACPI_PTR(cht_int33fe_acpi_ids),
 	},
-	.probe_new = cht_int33fe_probe,
+	.probe = cht_int33fe_probe,
 	.remove = cht_int33fe_remove,
-	.id_table = cht_int33fe_i2c_id,
-	.disable_i2c_core_irq_mapping = true,
 };
 
-module_i2c_driver(cht_int33fe_driver);
+module_platform_driver(cht_int33fe_driver);
 
 MODULE_DESCRIPTION("Intel Cherry Trail ACPI INT33FE pseudo device driver");
 MODULE_AUTHOR("Hans de Goede <hdegoede@redhat.com>");
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 092/306] PM / Domains: Deal with multiple states but no governor in genpd
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 091/306] ACPI / scan: Create platform device for INT33FE ACPI nodes Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 093/306] ALSA: i2c/cs8427: Fix int to char conversion Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ulf Hansson, Lina Iyer,
	Rafael J. Wysocki, Sasha Levin

From: Ulf Hansson <ulf.hansson@linaro.org>

[ Upstream commit 2c9b7f8772033cc8bafbd4eefe2ca605bf3eb094 ]

A caller of pm_genpd_init() that provides some states for the genpd via the
->states pointer in the struct generic_pm_domain, should also provide a
governor. This because it's the job of the governor to pick a state that
satisfies the constraints.

Therefore, let's print a warning to inform the user about such bogus
configuration and avoid to bail out, by instead picking the shallowest
state before genpd invokes the ->power_off() callback.

Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Lina Iyer <ilina@codeaurora.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/power/domain.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
index bf5be0bfaf773..52c292d0908a2 100644
--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -467,6 +467,10 @@ static int genpd_power_off(struct generic_pm_domain *genpd, bool one_dev_on,
 			return -EAGAIN;
 	}
 
+	/* Default to shallowest state. */
+	if (!genpd->gov)
+		genpd->state_idx = 0;
+
 	if (genpd->power_off) {
 		int ret;
 
@@ -1686,6 +1690,8 @@ int pm_genpd_init(struct generic_pm_domain *genpd,
 		ret = genpd_set_default_power_state(genpd);
 		if (ret)
 			return ret;
+	} else if (!gov) {
+		pr_warn("%s : no governor for states\n", genpd->name);
 	}
 
 	device_initialize(&genpd->dev);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 093/306] ALSA: i2c/cs8427: Fix int to char conversion
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 092/306] PM / Domains: Deal with multiple states but no governor in genpd Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 094/306] macintosh/windfarm_smu_sat: Fix debug output Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philipp Klocke, Takashi Iwai, Sasha Levin

From: Philipp Klocke <philipp97kl@gmail.com>

[ Upstream commit eb7ebfa3c1989aa8e59d5e68ab3cddd7df1bfb27 ]

Compiling with clang yields the following warning:

sound/i2c/cs8427.c:140:31: warning: implicit conversion from 'int'
to 'char' changes value from 160 to -96 [-Wconstant-conversion]
    data[0] = CS8427_REG_AUTOINC | CS8427_REG_CORU_DATABUF;
            ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~

Because CS8427_REG_AUTOINC is defined as 128, it is too big for a
char field.
So change data from char to unsigned char, that it can hold the value.

This patch does not change the generated code.

Signed-off-by: Philipp Klocke <philipp97kl@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/i2c/cs8427.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/i2c/cs8427.c b/sound/i2c/cs8427.c
index 2647309bc6757..8afa2f8884660 100644
--- a/sound/i2c/cs8427.c
+++ b/sound/i2c/cs8427.c
@@ -118,7 +118,7 @@ static int snd_cs8427_send_corudata(struct snd_i2c_device *device,
 	struct cs8427 *chip = device->private_data;
 	char *hw_data = udata ?
 		chip->playback.hw_udata : chip->playback.hw_status;
-	char data[32];
+	unsigned char data[32];
 	int err, idx;
 
 	if (!memcmp(hw_data, ndata, count))
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 094/306] macintosh/windfarm_smu_sat: Fix debug output
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 093/306] ALSA: i2c/cs8427: Fix int to char conversion Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 095/306] PCI: vmd: Detach resources after stopping root bus Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Herrenschmidt,
	Michael Ellerman, Sasha Levin

From: Benjamin Herrenschmidt <benh@kernel.crashing.org>

[ Upstream commit fc0c8b36d379a046525eacb9c3323ca635283757 ]

There's some antiquated debug output that's trying
to do a hand-made hexdump and turning into horrible
1-byte-per-line output these days.

Use print_hex_dump() instead

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/macintosh/windfarm_smu_sat.c | 25 +++++++------------------
 1 file changed, 7 insertions(+), 18 deletions(-)

diff --git a/drivers/macintosh/windfarm_smu_sat.c b/drivers/macintosh/windfarm_smu_sat.c
index da7f4fc1a51d1..a0f61eb853c55 100644
--- a/drivers/macintosh/windfarm_smu_sat.c
+++ b/drivers/macintosh/windfarm_smu_sat.c
@@ -22,14 +22,6 @@
 
 #define VERSION "1.0"
 
-#define DEBUG
-
-#ifdef DEBUG
-#define DBG(args...)	printk(args)
-#else
-#define DBG(args...)	do { } while(0)
-#endif
-
 /* If the cache is older than 800ms we'll refetch it */
 #define MAX_AGE		msecs_to_jiffies(800)
 
@@ -106,13 +98,10 @@ struct smu_sdbp_header *smu_sat_get_sdb_partition(unsigned int sat_id, int id,
 		buf[i+2] = data[3];
 		buf[i+3] = data[2];
 	}
-#ifdef DEBUG
-	DBG(KERN_DEBUG "sat %d partition %x:", sat_id, id);
-	for (i = 0; i < len; ++i)
-		DBG(" %x", buf[i]);
-	DBG("\n");
-#endif
 
+	printk(KERN_DEBUG "sat %d partition %x:", sat_id, id);
+	print_hex_dump(KERN_DEBUG, "  ", DUMP_PREFIX_OFFSET,
+		       16, 1, buf, len, false);
 	if (size)
 		*size = len;
 	return (struct smu_sdbp_header *) buf;
@@ -132,13 +121,13 @@ static int wf_sat_read_cache(struct wf_sat *sat)
 	if (err < 0)
 		return err;
 	sat->last_read = jiffies;
+
 #ifdef LOTSA_DEBUG
 	{
 		int i;
-		DBG(KERN_DEBUG "wf_sat_get: data is");
-		for (i = 0; i < 16; ++i)
-			DBG(" %.2x", sat->cache[i]);
-		DBG("\n");
+		printk(KERN_DEBUG "wf_sat_get: data is");
+		print_hex_dump(KERN_DEBUG, "  ", DUMP_PREFIX_OFFSET,
+			       16, 1, sat->cache, 16, false);
 	}
 #endif
 	return 0;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 095/306] PCI: vmd: Detach resources after stopping root bus
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 094/306] macintosh/windfarm_smu_sat: Fix debug output Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 096/306] USB: misc: appledisplay: fix backlight update_status return code Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Derrick, Lorenzo Pieralisi,
	Keith Busch, Sasha Levin

From: Jon Derrick <jonathan.derrick@intel.com>

[ Upstream commit dc8af3a827df6d4bb925d3b81b7ec94a7cce9482 ]

The VMD removal path calls pci_stop_root_busi(), which tears down the pcie
tree, including detaching all of the attached drivers. During driver
detachment, devices may use pci_release_region() to release resources.
This path relies on the resource being accessible in resource tree.

By detaching the child domain from the parent resource domain prior to
stopping the bus, we are preventing the list traversal from finding the
resource to be freed. If we instead detach the resource after stopping
the bus, we will have properly freed the resource and detaching is
simply accounting at that point.

Without this order, the resource is never freed and is orphaned on VMD
removal, leading to a warning:

[  181.940162] Trying to free nonexistent resource <e5a10000-e5a13fff>

Fixes: 2c2c5c5cd213 ("x86/PCI: VMD: Attach VMD resources to parent domain's resource tree")
Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
[lorenzo.pieralisi@arm.com: updated commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reviewed-by: Keith Busch <keith.busch@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/controller/vmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c
index 65eaa6b618685..ab36e5ca1aca3 100644
--- a/drivers/pci/controller/vmd.c
+++ b/drivers/pci/controller/vmd.c
@@ -818,12 +818,12 @@ static void vmd_remove(struct pci_dev *dev)
 {
 	struct vmd_dev *vmd = pci_get_drvdata(dev);
 
-	vmd_detach_resources(vmd);
 	sysfs_remove_link(&vmd->dev->dev.kobj, "domain");
 	pci_stop_root_bus(vmd->bus);
 	pci_remove_root_bus(vmd->bus);
 	vmd_cleanup_srcu(vmd);
 	vmd_teardown_dma_ops(vmd);
+	vmd_detach_resources(vmd);
 	irq_domain_remove(vmd->irq_domain);
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 096/306] USB: misc: appledisplay: fix backlight update_status return code
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 095/306] PCI: vmd: Detach resources after stopping root bus Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 097/306] usbip: tools: fix atoi() on non-null terminated string Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mattias Jacobsson, Sasha Levin

From: Mattias Jacobsson <2pi@mok.nu>

[ Upstream commit 090158555ff8d194a98616034100b16697dd80d0 ]

Upon success the update_status handler returns a positive number
corresponding to the number of bytes transferred by usb_control_msg.
However the return code of the update_status handler should indicate if
an error occurred(negative) or how many bytes of the user's input to sysfs
that was consumed. Return code zero indicates all bytes were consumed.

The bug can for example result in the update_status handler being called
twice, the second time with only the "unconsumed" part of the user's input
to sysfs. Effectively setting an incorrect brightness.

Change the update_status handler to return zero for all successful
transactions and forward usb_control_msg's error code upon failure.

Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/misc/appledisplay.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
index 1c6da8d6cccf8..39ca31b4de466 100644
--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -148,8 +148,11 @@ static int appledisplay_bl_update_status(struct backlight_device *bd)
 		pdata->msgdata, 2,
 		ACD_USB_TIMEOUT);
 	mutex_unlock(&pdata->sysfslock);
-	
-	return retval;
+
+	if (retval < 0)
+		return retval;
+	else
+		return 0;
 }
 
 static int appledisplay_bl_get_brightness(struct backlight_device *bd)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 097/306] usbip: tools: fix atoi() on non-null terminated string
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 096/306] USB: misc: appledisplay: fix backlight update_status return code Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 098/306] sctp: use sk_wmem_queued to check for writable space Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King, Sasha Levin

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit e325808c0051b16729ffd472ff887c6cae5c6317 ]

Currently the call to atoi is being passed a single char string
that is not null terminated, so there is a potential read overrun
along the stack when parsing for an integer value.  Fix this by
instead using a 2 char string that is initialized to all zeros
to ensure that a 1 char read into the string is always terminated
with a \0.

Detected by cppcheck:
"Invalid atoi() argument nr 1. A nul-terminated string is required."

Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with vudc backend")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/usb/usbip/libsrc/usbip_host_common.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c
index dc93fadbee963..d79c7581b175f 100644
--- a/tools/usb/usbip/libsrc/usbip_host_common.c
+++ b/tools/usb/usbip/libsrc/usbip_host_common.c
@@ -43,7 +43,7 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev)
 	int size;
 	int fd;
 	int length;
-	char status;
+	char status[2] = { 0 };
 	int value = 0;
 
 	size = snprintf(status_attr_path, sizeof(status_attr_path),
@@ -61,14 +61,14 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev)
 		return -1;
 	}
 
-	length = read(fd, &status, 1);
+	length = read(fd, status, 1);
 	if (length < 0) {
 		err("error reading attribute %s", status_attr_path);
 		close(fd);
 		return -1;
 	}
 
-	value = atoi(&status);
+	value = atoi(status);
 
 	return value;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 098/306] sctp: use sk_wmem_queued to check for writable space
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 097/306] usbip: tools: fix atoi() on non-null terminated string Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 099/306] dm raid: avoid bitmap with raid4/5/6 journal device Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, David S. Miller, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit cd305c74b0f8b49748a79a8f67fc8e5e3e0c4794 ]

sk->sk_wmem_queued is used to count the size of chunks in out queue
while sk->sk_wmem_alloc is for counting the size of chunks has been
sent. sctp is increasing both of them before enqueuing the chunks,
and using sk->sk_wmem_alloc to check for writable space.

However, sk_wmem_alloc is also increased by 1 for the skb allocked
for sending in sctp_packet_transmit() but it will not wake up the
waiters when sk_wmem_alloc is decreased in this skb's destructor.

If msg size is equal to sk_sndbuf and sendmsg is waiting for sndbuf,
the check 'msg_len <= sctp_wspace(asoc)' in sctp_wait_for_sndbuf()
will keep waiting if there's a skb allocked in sctp_packet_transmit,
and later even if this skb got freed, the waiting thread will never
get waked up.

This issue has been there since very beginning, so we change to use
sk->sk_wmem_queued to check for writable space as sk_wmem_queued is
not increased for the skb allocked for sending, also as TCP does.

SOCK_SNDBUF_LOCK check is also removed here as it's for tx buf auto
tuning which I will add in another patch.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/socket.c | 38 +++++++++-----------------------------
 1 file changed, 9 insertions(+), 29 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index c766315527226..e7a11cd7633f5 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -83,7 +83,7 @@
 #include <net/sctp/stream_sched.h>
 
 /* Forward declarations for internal helper functions. */
-static int sctp_writeable(struct sock *sk);
+static bool sctp_writeable(struct sock *sk);
 static void sctp_wfree(struct sk_buff *skb);
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
 				size_t msg_len);
@@ -119,25 +119,10 @@ static void sctp_enter_memory_pressure(struct sock *sk)
 /* Get the sndbuf space available at the time on the association.  */
 static inline int sctp_wspace(struct sctp_association *asoc)
 {
-	int amt;
+	struct sock *sk = asoc->base.sk;
 
-	if (asoc->ep->sndbuf_policy)
-		amt = asoc->sndbuf_used;
-	else
-		amt = sk_wmem_alloc_get(asoc->base.sk);
-
-	if (amt >= asoc->base.sk->sk_sndbuf) {
-		if (asoc->base.sk->sk_userlocks & SOCK_SNDBUF_LOCK)
-			amt = 0;
-		else {
-			amt = sk_stream_wspace(asoc->base.sk);
-			if (amt < 0)
-				amt = 0;
-		}
-	} else {
-		amt = asoc->base.sk->sk_sndbuf - amt;
-	}
-	return amt;
+	return asoc->ep->sndbuf_policy ? sk->sk_sndbuf - asoc->sndbuf_used
+				       : sk_stream_wspace(sk);
 }
 
 /* Increment the used sndbuf space count of the corresponding association by
@@ -1928,10 +1913,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
 		asoc->pmtu_pending = 0;
 	}
 
-	if (sctp_wspace(asoc) < msg_len)
+	if (sctp_wspace(asoc) < (int)msg_len)
 		sctp_prsctp_prune(asoc, sinfo, msg_len - sctp_wspace(asoc));
 
-	if (!sctp_wspace(asoc)) {
+	if (sctp_wspace(asoc) <= 0) {
 		timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
 		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
 		if (err)
@@ -8516,7 +8501,7 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
 			goto do_error;
 		if (signal_pending(current))
 			goto do_interrupted;
-		if (msg_len <= sctp_wspace(asoc))
+		if ((int)msg_len <= sctp_wspace(asoc))
 			break;
 
 		/* Let another process have a go.  Since we are going
@@ -8591,14 +8576,9 @@ void sctp_write_space(struct sock *sk)
  * UDP-style sockets or TCP-style sockets, this code should work.
  *  - Daisy
  */
-static int sctp_writeable(struct sock *sk)
+static bool sctp_writeable(struct sock *sk)
 {
-	int amt = 0;
-
-	amt = sk->sk_sndbuf - sk_wmem_alloc_get(sk);
-	if (amt < 0)
-		amt = 0;
-	return amt;
+	return sk->sk_sndbuf > sk->sk_wmem_queued;
 }
 
 /* Wait for an association to go into ESTABLISHED state. If timeout is 0,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 099/306] dm raid: avoid bitmap with raid4/5/6 journal device
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 098/306] sctp: use sk_wmem_queued to check for writable space Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 100/306] selftests/bpf: fix file resource leak in load_kallsyms Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heinz Mauelshagen, Mike Snitzer, Sasha Levin

From: Heinz Mauelshagen <heinzm@redhat.com>

[ Upstream commit d857ad75edf3c0066fcd920746f9dc75382b3324 ]

With raid4/5/6, journal device and write intent bitmap are mutually exclusive.

Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-raid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
index b78a8a4d061ca..6c9b542882613 100644
--- a/drivers/md/dm-raid.c
+++ b/drivers/md/dm-raid.c
@@ -2475,7 +2475,7 @@ static int super_validate(struct raid_set *rs, struct md_rdev *rdev)
 	}
 
 	/* Enable bitmap creation for RAID levels != 0 */
-	mddev->bitmap_info.offset = rt_is_raid0(rs->raid_type) ? 0 : to_sector(4096);
+	mddev->bitmap_info.offset = (rt_is_raid0(rs->raid_type) || rs->journal_dev.dev) ? 0 : to_sector(4096);
 	mddev->bitmap_info.default_offset = mddev->bitmap_info.offset;
 
 	if (!test_and_clear_bit(FirstUse, &rdev->flags)) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 100/306] selftests/bpf: fix file resource leak in load_kallsyms
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 099/306] dm raid: avoid bitmap with raid4/5/6 journal device Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 101/306] SUNRPC: Fix a compile warning for cmpxchg64() Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peng Hao, Daniel Borkmann, Sasha Levin

From: Peng Hao <peng.hao2@zte.com.cn>

[ Upstream commit 1bd70d2eba9d90eb787634361f0f6fa2c86b3f6d ]

FILE pointer variable f is opened but never closed.

Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/trace_helpers.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
index cf156b3536798..82922f13dcd3a 100644
--- a/tools/testing/selftests/bpf/trace_helpers.c
+++ b/tools/testing/selftests/bpf/trace_helpers.c
@@ -41,6 +41,7 @@ int load_kallsyms(void)
 		syms[i].name = strdup(func);
 		i++;
 	}
+	fclose(f);
 	sym_cnt = i;
 	qsort(syms, sym_cnt, sizeof(struct ksym), ksym_cmp);
 	return 0;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 101/306] SUNRPC: Fix a compile warning for cmpxchg64()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 100/306] selftests/bpf: fix file resource leak in load_kallsyms Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 102/306] sunrpc: safely reallow resvport min/max inversion Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust, Sasha Levin

From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit e732f4485a150492b286f3efc06f9b34dd6b9995 ]

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sunrpc/auth_gss/gss_krb5_seal.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index eaad9bc7a0bdc..e1f0571843c8c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -63,6 +63,7 @@
 #include <linux/sunrpc/gss_krb5.h>
 #include <linux/random.h>
 #include <linux/crypto.h>
+#include <linux/atomic.h>
 
 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
 # define RPCDBG_FACILITY        RPCDBG_AUTH
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 102/306] sunrpc: safely reallow resvport min/max inversion
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 101/306] SUNRPC: Fix a compile warning for cmpxchg64() Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 103/306] atm: zatm: Fix empty body Clang warnings Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, J. Bruce Fields, Trond Myklebust,
	Sasha Levin

From: J. Bruce Fields <bfields@redhat.com>

[ Upstream commit 826799e66e8683e5698e140bb9ef69afc8c0014e ]

Commits ffb6ca33b04b and e08ea3a96fc7 prevent setting xprt_min_resvport
greater than xprt_max_resvport, but may also break simple code that sets
one parameter then the other, if the new range does not overlap the old.

Also it looks racy to me, unless there's some serialization I'm not
seeing.  Granted it would probably require malicious privileged processes
(unless there's a chance these might eventually be settable in unprivileged
containers), but still it seems better not to let userspace panic the
kernel.

Simpler seems to be to allow setting the parameters to whatever you want
but interpret xprt_min_resvport > xprt_max_resvport as the empty range.

Fixes: ffb6ca33b04b "sunrpc: Prevent resvport min/max inversion..."
Fixes: e08ea3a96fc7 "sunrpc: Prevent rexvport min/max inversion..."
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sunrpc/xprtsock.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index c0d7875a64ffc..9dc059dea689d 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -129,7 +129,7 @@ static struct ctl_table xs_tunables_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_minmax,
 		.extra1		= &xprt_min_resvport_limit,
-		.extra2		= &xprt_max_resvport
+		.extra2		= &xprt_max_resvport_limit
 	},
 	{
 		.procname	= "max_resvport",
@@ -137,7 +137,7 @@ static struct ctl_table xs_tunables_table[] = {
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_minmax,
-		.extra1		= &xprt_min_resvport,
+		.extra1		= &xprt_min_resvport_limit,
 		.extra2		= &xprt_max_resvport_limit
 	},
 	{
@@ -1776,11 +1776,17 @@ static void xs_udp_timer(struct rpc_xprt *xprt, struct rpc_task *task)
 	spin_unlock_bh(&xprt->transport_lock);
 }
 
-static unsigned short xs_get_random_port(void)
+static int xs_get_random_port(void)
 {
-	unsigned short range = xprt_max_resvport - xprt_min_resvport + 1;
-	unsigned short rand = (unsigned short) prandom_u32() % range;
-	return rand + xprt_min_resvport;
+	unsigned short min = xprt_min_resvport, max = xprt_max_resvport;
+	unsigned short range;
+	unsigned short rand;
+
+	if (max < min)
+		return -EADDRINUSE;
+	range = max - min + 1;
+	rand = (unsigned short) prandom_u32() % range;
+	return rand + min;
 }
 
 /**
@@ -1836,9 +1842,9 @@ static void xs_set_srcport(struct sock_xprt *transport, struct socket *sock)
 		transport->srcport = xs_sock_getport(sock);
 }
 
-static unsigned short xs_get_srcport(struct sock_xprt *transport)
+static int xs_get_srcport(struct sock_xprt *transport)
 {
-	unsigned short port = transport->srcport;
+	int port = transport->srcport;
 
 	if (port == 0 && transport->xprt.resvport)
 		port = xs_get_random_port();
@@ -1859,7 +1865,7 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
 {
 	struct sockaddr_storage myaddr;
 	int err, nloop = 0;
-	unsigned short port = xs_get_srcport(transport);
+	int port = xs_get_srcport(transport);
 	unsigned short last;
 
 	/*
@@ -1877,8 +1883,8 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
 	 * transport->xprt.resvport == 1) xs_get_srcport above will
 	 * ensure that port is non-zero and we will bind as needed.
 	 */
-	if (port == 0)
-		return 0;
+	if (port <= 0)
+		return port;
 
 	memcpy(&myaddr, &transport->srcaddr, transport->xprt.addrlen);
 	do {
@@ -3319,12 +3325,8 @@ static int param_set_uint_minmax(const char *val,
 
 static int param_set_portnr(const char *val, const struct kernel_param *kp)
 {
-	if (kp->arg == &xprt_min_resvport)
-		return param_set_uint_minmax(val, kp,
-			RPC_MIN_RESVPORT,
-			xprt_max_resvport);
 	return param_set_uint_minmax(val, kp,
-			xprt_min_resvport,
+			RPC_MIN_RESVPORT,
 			RPC_MAX_RESVPORT);
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 103/306] atm: zatm: Fix empty body Clang warnings
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 102/306] sunrpc: safely reallow resvport min/max inversion Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 104/306] s390/perf: Return error when debug_register fails Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Nathan Chancellor,
	David S. Miller, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 64b9d16e2d02ca6e5dc8fcd30cfd52b0ecaaa8f4 ]

Clang warns:

drivers/atm/zatm.c:513:7: error: while loop has empty body
[-Werror,-Wempty-body]
        zwait;
             ^
drivers/atm/zatm.c:513:7: note: put the semicolon on a separate line to
silence this warning

Get rid of this warning by using an empty do-while loop. While we're at
it, add parentheses to make it clear that this is a function-like macro.

Link: https://github.com/ClangBuiltLinux/linux/issues/42
Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/atm/zatm.c | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
index e89146ddede69..d5c76b50d3575 100644
--- a/drivers/atm/zatm.c
+++ b/drivers/atm/zatm.c
@@ -126,7 +126,7 @@ static unsigned long dummy[2] = {0,0};
 #define zin_n(r) inl(zatm_dev->base+r*4)
 #define zin(r) inl(zatm_dev->base+uPD98401_##r*4)
 #define zout(v,r) outl(v,zatm_dev->base+uPD98401_##r*4)
-#define zwait while (zin(CMR) & uPD98401_BUSY)
+#define zwait() do {} while (zin(CMR) & uPD98401_BUSY)
 
 /* RX0, RX1, TX0, TX1 */
 static const int mbx_entries[NR_MBX] = { 1024,1024,1024,1024 };
@@ -140,7 +140,7 @@ static const int mbx_esize[NR_MBX] = { 16,16,4,4 }; /* entry size in bytes */
 
 static void zpokel(struct zatm_dev *zatm_dev,u32 value,u32 addr)
 {
-	zwait;
+	zwait();
 	zout(value,CER);
 	zout(uPD98401_IND_ACC | uPD98401_IA_BALL |
 	    (uPD98401_IA_TGT_CM << uPD98401_IA_TGT_SHIFT) | addr,CMR);
@@ -149,10 +149,10 @@ static void zpokel(struct zatm_dev *zatm_dev,u32 value,u32 addr)
 
 static u32 zpeekl(struct zatm_dev *zatm_dev,u32 addr)
 {
-	zwait;
+	zwait();
 	zout(uPD98401_IND_ACC | uPD98401_IA_BALL | uPD98401_IA_RW |
 	  (uPD98401_IA_TGT_CM << uPD98401_IA_TGT_SHIFT) | addr,CMR);
-	zwait;
+	zwait();
 	return zin(CER);
 }
 
@@ -241,7 +241,7 @@ static void refill_pool(struct atm_dev *dev,int pool)
 	}
 	if (first) {
 		spin_lock_irqsave(&zatm_dev->lock, flags);
-		zwait;
+		zwait();
 		zout(virt_to_bus(first),CER);
 		zout(uPD98401_ADD_BAT | (pool << uPD98401_POOL_SHIFT) | count,
 		    CMR);
@@ -508,9 +508,9 @@ static int open_rx_first(struct atm_vcc *vcc)
 	}
 	if (zatm_vcc->pool < 0) return -EMSGSIZE;
 	spin_lock_irqsave(&zatm_dev->lock, flags);
-	zwait;
+	zwait();
 	zout(uPD98401_OPEN_CHAN,CMR);
-	zwait;
+	zwait();
 	DPRINTK("0x%x 0x%x\n",zin(CMR),zin(CER));
 	chan = (zin(CMR) & uPD98401_CHAN_ADDR) >> uPD98401_CHAN_ADDR_SHIFT;
 	spin_unlock_irqrestore(&zatm_dev->lock, flags);
@@ -571,21 +571,21 @@ static void close_rx(struct atm_vcc *vcc)
 		pos = vcc->vci >> 1;
 		shift = (1-(vcc->vci & 1)) << 4;
 		zpokel(zatm_dev,zpeekl(zatm_dev,pos) & ~(0xffff << shift),pos);
-		zwait;
+		zwait();
 		zout(uPD98401_NOP,CMR);
-		zwait;
+		zwait();
 		zout(uPD98401_NOP,CMR);
 		spin_unlock_irqrestore(&zatm_dev->lock, flags);
 	}
 	spin_lock_irqsave(&zatm_dev->lock, flags);
-	zwait;
+	zwait();
 	zout(uPD98401_DEACT_CHAN | uPD98401_CHAN_RT | (zatm_vcc->rx_chan <<
 	    uPD98401_CHAN_ADDR_SHIFT),CMR);
-	zwait;
+	zwait();
 	udelay(10); /* why oh why ... ? */
 	zout(uPD98401_CLOSE_CHAN | uPD98401_CHAN_RT | (zatm_vcc->rx_chan <<
 	    uPD98401_CHAN_ADDR_SHIFT),CMR);
-	zwait;
+	zwait();
 	if (!(zin(CMR) & uPD98401_CHAN_ADDR))
 		printk(KERN_CRIT DEV_LABEL "(itf %d): can't close RX channel "
 		    "%d\n",vcc->dev->number,zatm_vcc->rx_chan);
@@ -699,7 +699,7 @@ printk("NONONONOO!!!!\n");
 	skb_queue_tail(&zatm_vcc->tx_queue,skb);
 	DPRINTK("QRP=0x%08lx\n",zpeekl(zatm_dev,zatm_vcc->tx_chan*VC_SIZE/4+
 	  uPD98401_TXVC_QRP));
-	zwait;
+	zwait();
 	zout(uPD98401_TX_READY | (zatm_vcc->tx_chan <<
 	    uPD98401_CHAN_ADDR_SHIFT),CMR);
 	spin_unlock_irqrestore(&zatm_dev->lock, flags);
@@ -891,12 +891,12 @@ static void close_tx(struct atm_vcc *vcc)
 	}
 	spin_lock_irqsave(&zatm_dev->lock, flags);
 #if 0
-	zwait;
+	zwait();
 	zout(uPD98401_DEACT_CHAN | (chan << uPD98401_CHAN_ADDR_SHIFT),CMR);
 #endif
-	zwait;
+	zwait();
 	zout(uPD98401_CLOSE_CHAN | (chan << uPD98401_CHAN_ADDR_SHIFT),CMR);
-	zwait;
+	zwait();
 	if (!(zin(CMR) & uPD98401_CHAN_ADDR))
 		printk(KERN_CRIT DEV_LABEL "(itf %d): can't close TX channel "
 		    "%d\n",vcc->dev->number,chan);
@@ -926,9 +926,9 @@ static int open_tx_first(struct atm_vcc *vcc)
 	zatm_vcc->tx_chan = 0;
 	if (vcc->qos.txtp.traffic_class == ATM_NONE) return 0;
 	spin_lock_irqsave(&zatm_dev->lock, flags);
-	zwait;
+	zwait();
 	zout(uPD98401_OPEN_CHAN,CMR);
-	zwait;
+	zwait();
 	DPRINTK("0x%x 0x%x\n",zin(CMR),zin(CER));
 	chan = (zin(CMR) & uPD98401_CHAN_ADDR) >> uPD98401_CHAN_ADDR_SHIFT;
 	spin_unlock_irqrestore(&zatm_dev->lock, flags);
@@ -1557,7 +1557,7 @@ static void zatm_phy_put(struct atm_dev *dev,unsigned char value,
 	struct zatm_dev *zatm_dev;
 
 	zatm_dev = ZATM_DEV(dev);
-	zwait;
+	zwait();
 	zout(value,CER);
 	zout(uPD98401_IND_ACC | uPD98401_IA_B0 |
 	    (uPD98401_IA_TGT_PHY << uPD98401_IA_TGT_SHIFT) | addr,CMR);
@@ -1569,10 +1569,10 @@ static unsigned char zatm_phy_get(struct atm_dev *dev,unsigned long addr)
 	struct zatm_dev *zatm_dev;
 
 	zatm_dev = ZATM_DEV(dev);
-	zwait;
+	zwait();
 	zout(uPD98401_IND_ACC | uPD98401_IA_B0 | uPD98401_IA_RW |
 	  (uPD98401_IA_TGT_PHY << uPD98401_IA_TGT_SHIFT) | addr,CMR);
-	zwait;
+	zwait();
 	return zin(CER) & 0xff;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 104/306] s390/perf: Return error when debug_register fails
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 103/306] atm: zatm: Fix empty body Clang warnings Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 105/306] swiotlb: do not panic on mapping failures Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Richter, Hendrik Brueckner,
	Martin Schwidefsky, Sasha Levin

From: Thomas Richter <tmricht@linux.ibm.com>

[ Upstream commit ec0c0bb489727de0d4dca6a00be6970ab8a3b30a ]

Return an error when the function debug_register() fails allocating
the debug handle.
Also remove the registered debug handle when the initialization fails
later on.

Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/kernel/perf_cpum_sf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
index 44404836e9d11..df92c2af99b69 100644
--- a/arch/s390/kernel/perf_cpum_sf.c
+++ b/arch/s390/kernel/perf_cpum_sf.c
@@ -2045,14 +2045,17 @@ static int __init init_cpum_sampling_pmu(void)
 	}
 
 	sfdbg = debug_register(KMSG_COMPONENT, 2, 1, 80);
-	if (!sfdbg)
+	if (!sfdbg) {
 		pr_err("Registering for s390dbf failed\n");
+		return -ENOMEM;
+	}
 	debug_register_view(sfdbg, &debug_sprintf_view);
 
 	err = register_external_irq(EXT_IRQ_MEASURE_ALERT,
 				    cpumf_measurement_alert);
 	if (err) {
 		pr_cpumsf_err(RS_INIT_FAILURE_ALRT);
+		debug_unregister(sfdbg);
 		goto out;
 	}
 
@@ -2061,6 +2064,7 @@ static int __init init_cpum_sampling_pmu(void)
 		pr_cpumsf_err(RS_INIT_FAILURE_PERF);
 		unregister_external_irq(EXT_IRQ_MEASURE_ALERT,
 					cpumf_measurement_alert);
+		debug_unregister(sfdbg);
 		goto out;
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 105/306] swiotlb: do not panic on mapping failures
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 104/306] s390/perf: Return error when debug_register fails Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-28 21:20   ` Pavel Machek
  2019-11-27 20:29 ` [PATCH 4.19 106/306] spi: omap2-mcspi: Set FIFO DMA trigger level to word length Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Robin Murphy, Sasha Levin

From: Christoph Hellwig <hch@lst.de>

[ Upstream commit 8088546832aa2c0d8f99dd56edf6384f8a9b63b3 ]

All properly written drivers now have error handling in the
dma_map_single / dma_map_page callers.  As swiotlb_tbl_map_single already
prints a useful warning when running out of swiotlb pool space we can
also remove swiotlb_full entirely as it serves no purpose now.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/dma/swiotlb.c | 33 +--------------------------------
 1 file changed, 1 insertion(+), 32 deletions(-)

diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
index 4f8a6dbf0b609..2a8c41f12d450 100644
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -761,34 +761,6 @@ static bool swiotlb_free_buffer(struct device *dev, size_t size,
 	return true;
 }
 
-static void
-swiotlb_full(struct device *dev, size_t size, enum dma_data_direction dir,
-	     int do_panic)
-{
-	if (swiotlb_force == SWIOTLB_NO_FORCE)
-		return;
-
-	/*
-	 * Ran out of IOMMU space for this operation. This is very bad.
-	 * Unfortunately the drivers cannot handle this operation properly.
-	 * unless they check for dma_mapping_error (most don't)
-	 * When the mapping is small enough return a static buffer to limit
-	 * the damage, or panic when the transfer is too big.
-	 */
-	dev_err_ratelimited(dev, "DMA: Out of SW-IOMMU space for %zu bytes\n",
-			    size);
-
-	if (size <= io_tlb_overflow || !do_panic)
-		return;
-
-	if (dir == DMA_BIDIRECTIONAL)
-		panic("DMA: Random memory could be DMA accessed\n");
-	if (dir == DMA_FROM_DEVICE)
-		panic("DMA: Random memory could be DMA written\n");
-	if (dir == DMA_TO_DEVICE)
-		panic("DMA: Random memory could be DMA read\n");
-}
-
 /*
  * Map a single buffer of the indicated size for DMA in streaming mode.  The
  * physical address to use is returned.
@@ -817,10 +789,8 @@ dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
 
 	/* Oh well, have to allocate and map a bounce buffer. */
 	map = map_single(dev, phys, size, dir, attrs);
-	if (map == SWIOTLB_MAP_ERROR) {
-		swiotlb_full(dev, size, dir, 1);
+	if (map == SWIOTLB_MAP_ERROR)
 		return __phys_to_dma(dev, io_tlb_overflow_buffer);
-	}
 
 	dev_addr = __phys_to_dma(dev, map);
 
@@ -954,7 +924,6 @@ swiotlb_map_sg_attrs(struct device *hwdev, struct scatterlist *sgl, int nelems,
 			if (map == SWIOTLB_MAP_ERROR) {
 				/* Don't panic here, we expect map_sg users
 				   to do proper error handling. */
-				swiotlb_full(hwdev, sg->length, dir, 0);
 				attrs |= DMA_ATTR_SKIP_CPU_SYNC;
 				swiotlb_unmap_sg_attrs(hwdev, sgl, i, dir,
 						       attrs);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 106/306] spi: omap2-mcspi: Set FIFO DMA trigger level to word length
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 105/306] swiotlb: do not panic on mapping failures Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 107/306] x86/intel_rdt: Prevent pseudo-locking from using stale pointers Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vignesh R, Mark Brown, Sasha Levin

From: Vignesh R <vigneshr@ti.com>

[ Upstream commit b682cffa3ac6d9d9e16e9b413c45caee3b391fab ]

McSPI has 32 byte FIFO in Transmit-Receive mode. Current code tries to
configuration FIFO watermark level for DMA trigger to be GCD of transfer
length and max FIFO size which would mean trigger level may be set to 32
for transmit-receive mode if length is aligned. This does not work in
case of SPI slave mode where FIFO always needs to have data ready
whenever master starts the clock. With DMA trigger size of 32 there will
be a small window during slave TX where DMA is still putting data into
FIFO but master would have started clock for next byte, resulting in
shifting out of stale data. Similarly, on Slave RX side there may be RX
FIFO overflow
Fix this by setting FIFO watermark for DMA trigger to word
length. This means DMA is triggered as soon as FIFO has space for word
length bytes and DMA would make sure FIFO is almost always full
therefore improving FIFO occupancy in both master and slave mode.

Signed-off-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-omap2-mcspi.c | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
index e2be7da743438..f50cb8a4b4138 100644
--- a/drivers/spi/spi-omap2-mcspi.c
+++ b/drivers/spi/spi-omap2-mcspi.c
@@ -299,7 +299,7 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
 	struct omap2_mcspi_cs *cs = spi->controller_state;
 	struct omap2_mcspi *mcspi;
 	unsigned int wcnt;
-	int max_fifo_depth, fifo_depth, bytes_per_word;
+	int max_fifo_depth, bytes_per_word;
 	u32 chconf, xferlevel;
 
 	mcspi = spi_master_get_devdata(master);
@@ -315,10 +315,6 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
 		else
 			max_fifo_depth = OMAP2_MCSPI_MAX_FIFODEPTH;
 
-		fifo_depth = gcd(t->len, max_fifo_depth);
-		if (fifo_depth < 2 || fifo_depth % bytes_per_word != 0)
-			goto disable_fifo;
-
 		wcnt = t->len / bytes_per_word;
 		if (wcnt > OMAP2_MCSPI_MAX_FIFOWCNT)
 			goto disable_fifo;
@@ -326,16 +322,17 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
 		xferlevel = wcnt << 16;
 		if (t->rx_buf != NULL) {
 			chconf |= OMAP2_MCSPI_CHCONF_FFER;
-			xferlevel |= (fifo_depth - 1) << 8;
+			xferlevel |= (bytes_per_word - 1) << 8;
 		}
+
 		if (t->tx_buf != NULL) {
 			chconf |= OMAP2_MCSPI_CHCONF_FFET;
-			xferlevel |= fifo_depth - 1;
+			xferlevel |= bytes_per_word - 1;
 		}
 
 		mcspi_write_reg(master, OMAP2_MCSPI_XFERLEVEL, xferlevel);
 		mcspi_write_chconf0(spi, chconf);
-		mcspi->fifo_depth = fifo_depth;
+		mcspi->fifo_depth = max_fifo_depth;
 
 		return;
 	}
@@ -585,7 +582,6 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
 	struct dma_slave_config	cfg;
 	enum dma_slave_buswidth width;
 	unsigned es;
-	u32			burst;
 	void __iomem		*chstat_reg;
 	void __iomem            *irqstat_reg;
 	int			wait_res;
@@ -605,22 +601,14 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
 	}
 
 	count = xfer->len;
-	burst = 1;
-
-	if (mcspi->fifo_depth > 0) {
-		if (count > mcspi->fifo_depth)
-			burst = mcspi->fifo_depth / es;
-		else
-			burst = count / es;
-	}
 
 	memset(&cfg, 0, sizeof(cfg));
 	cfg.src_addr = cs->phys + OMAP2_MCSPI_RX0;
 	cfg.dst_addr = cs->phys + OMAP2_MCSPI_TX0;
 	cfg.src_addr_width = width;
 	cfg.dst_addr_width = width;
-	cfg.src_maxburst = burst;
-	cfg.dst_maxburst = burst;
+	cfg.src_maxburst = es;
+	cfg.dst_maxburst = es;
 
 	rx = xfer->rx_buf;
 	tx = xfer->tx_buf;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 107/306] x86/intel_rdt: Prevent pseudo-locking from using stale pointers
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 106/306] spi: omap2-mcspi: Set FIFO DMA trigger level to word length Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 108/306] sparc: Fix parport build warnings Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jithu Joseph, Reinette Chatre,
	Thomas Gleixner, fenghua.yu, tony.luck, gavin.hindman, hpa,
	Sasha Levin

From: Jithu Joseph <jithu.joseph@intel.com>

[ Upstream commit b61b8bba18fe2b63d38fdaf9b83de25e2d787dfe ]

When the last CPU in an rdt_domain goes offline, its rdt_domain struct gets
freed. Current pseudo-locking code is unaware of this scenario and tries to
dereference the freed structure in a few places.

Add checks to prevent pseudo-locking code from doing this.

While further work is needed to seamlessly restore resource groups (not
just pseudo-locking) to their configuration when the domain is brought back
online, the immediate issue of invalid pointers is addressed here.

Fixes: f4e80d67a5274 ("x86/intel_rdt: Resctrl files reflect pseudo-locked information")
Fixes: 443810fe61605 ("x86/intel_rdt: Create debugfs files for pseudo-locking testing")
Fixes: 746e08590b864 ("x86/intel_rdt: Create character device exposing pseudo-locked region")
Fixes: 33dc3e410a0d9 ("x86/intel_rdt: Make CPU information accessible for pseudo-locked regions")
Signed-off-by: Jithu Joseph <jithu.joseph@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: fenghua.yu@intel.com
Cc: tony.luck@intel.com
Cc: gavin.hindman@intel.com
Cc: hpa@zytor.com
Link: https://lkml.kernel.org/r/231f742dbb7b00a31cc104416860e27dba6b072d.1539384145.git.reinette.chatre@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/cpu/intel_rdt.c             |  7 ++++
 arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c | 12 +++++--
 arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c | 10 ++++++
 arch/x86/kernel/cpu/intel_rdt_rdtgroup.c    | 38 +++++++++++++++------
 4 files changed, 55 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/cpu/intel_rdt.c b/arch/x86/kernel/cpu/intel_rdt.c
index cc43c5abd187b..b99a04da70f61 100644
--- a/arch/x86/kernel/cpu/intel_rdt.c
+++ b/arch/x86/kernel/cpu/intel_rdt.c
@@ -610,6 +610,13 @@ static void domain_remove_cpu(int cpu, struct rdt_resource *r)
 			cancel_delayed_work(&d->cqm_limbo);
 		}
 
+		/*
+		 * rdt_domain "d" is going to be freed below, so clear
+		 * its pointer from pseudo_lock_region struct.
+		 */
+		if (d->plr)
+			d->plr->d = NULL;
+
 		kfree(d->ctrl_val);
 		kfree(d->mbps_val);
 		kfree(d->rmid_busy_llc);
diff --git a/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c b/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
index 968ace3c6d730..c8b72aff55e00 100644
--- a/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
+++ b/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
@@ -408,8 +408,16 @@ int rdtgroup_schemata_show(struct kernfs_open_file *of,
 			for_each_alloc_enabled_rdt_resource(r)
 				seq_printf(s, "%s:uninitialized\n", r->name);
 		} else if (rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED) {
-			seq_printf(s, "%s:%d=%x\n", rdtgrp->plr->r->name,
-				   rdtgrp->plr->d->id, rdtgrp->plr->cbm);
+			if (!rdtgrp->plr->d) {
+				rdt_last_cmd_clear();
+				rdt_last_cmd_puts("Cache domain offline\n");
+				ret = -ENODEV;
+			} else {
+				seq_printf(s, "%s:%d=%x\n",
+					   rdtgrp->plr->r->name,
+					   rdtgrp->plr->d->id,
+					   rdtgrp->plr->cbm);
+			}
 		} else {
 			closid = rdtgrp->closid;
 			for_each_alloc_enabled_rdt_resource(r) {
diff --git a/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c b/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c
index 912d53939f4f4..a999a58ca3318 100644
--- a/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c
+++ b/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c
@@ -1116,6 +1116,11 @@ static int pseudo_lock_measure_cycles(struct rdtgroup *rdtgrp, int sel)
 		goto out;
 	}
 
+	if (!plr->d) {
+		ret = -ENODEV;
+		goto out;
+	}
+
 	plr->thread_done = 0;
 	cpu = cpumask_first(&plr->d->cpu_mask);
 	if (!cpu_online(cpu)) {
@@ -1429,6 +1434,11 @@ static int pseudo_lock_dev_mmap(struct file *filp, struct vm_area_struct *vma)
 
 	plr = rdtgrp->plr;
 
+	if (!plr->d) {
+		mutex_unlock(&rdtgroup_mutex);
+		return -ENODEV;
+	}
+
 	/*
 	 * Task is required to run with affinity to the cpus associated
 	 * with the pseudo-locked region. If this is not the case the task
diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
index ad64031e82dcd..a2d7e6646cce8 100644
--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
@@ -268,17 +268,27 @@ static int rdtgroup_cpus_show(struct kernfs_open_file *of,
 			      struct seq_file *s, void *v)
 {
 	struct rdtgroup *rdtgrp;
+	struct cpumask *mask;
 	int ret = 0;
 
 	rdtgrp = rdtgroup_kn_lock_live(of->kn);
 
 	if (rdtgrp) {
-		if (rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED)
-			seq_printf(s, is_cpu_list(of) ? "%*pbl\n" : "%*pb\n",
-				   cpumask_pr_args(&rdtgrp->plr->d->cpu_mask));
-		else
+		if (rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED) {
+			if (!rdtgrp->plr->d) {
+				rdt_last_cmd_clear();
+				rdt_last_cmd_puts("Cache domain offline\n");
+				ret = -ENODEV;
+			} else {
+				mask = &rdtgrp->plr->d->cpu_mask;
+				seq_printf(s, is_cpu_list(of) ?
+					   "%*pbl\n" : "%*pb\n",
+					   cpumask_pr_args(mask));
+			}
+		} else {
 			seq_printf(s, is_cpu_list(of) ? "%*pbl\n" : "%*pb\n",
 				   cpumask_pr_args(&rdtgrp->cpu_mask));
+		}
 	} else {
 		ret = -ENOENT;
 	}
@@ -1286,6 +1296,7 @@ static int rdtgroup_size_show(struct kernfs_open_file *of,
 	struct rdt_resource *r;
 	struct rdt_domain *d;
 	unsigned int size;
+	int ret = 0;
 	bool sep;
 	u32 ctrl;
 
@@ -1296,11 +1307,18 @@ static int rdtgroup_size_show(struct kernfs_open_file *of,
 	}
 
 	if (rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED) {
-		seq_printf(s, "%*s:", max_name_width, rdtgrp->plr->r->name);
-		size = rdtgroup_cbm_to_size(rdtgrp->plr->r,
-					    rdtgrp->plr->d,
-					    rdtgrp->plr->cbm);
-		seq_printf(s, "%d=%u\n", rdtgrp->plr->d->id, size);
+		if (!rdtgrp->plr->d) {
+			rdt_last_cmd_clear();
+			rdt_last_cmd_puts("Cache domain offline\n");
+			ret = -ENODEV;
+		} else {
+			seq_printf(s, "%*s:", max_name_width,
+				   rdtgrp->plr->r->name);
+			size = rdtgroup_cbm_to_size(rdtgrp->plr->r,
+						    rdtgrp->plr->d,
+						    rdtgrp->plr->cbm);
+			seq_printf(s, "%d=%u\n", rdtgrp->plr->d->id, size);
+		}
 		goto out;
 	}
 
@@ -1330,7 +1348,7 @@ static int rdtgroup_size_show(struct kernfs_open_file *of,
 out:
 	rdtgroup_kn_unlock(of->kn);
 
-	return 0;
+	return ret;
 }
 
 /* rdtgroup information files for one cache resource. */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 108/306] sparc: Fix parport build warnings.
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 107/306] x86/intel_rdt: Prevent pseudo-locking from using stale pointers Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 109/306] scsi: hisi_sas: Fix NULL pointer dereference Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller, Sasha Levin

From: David S. Miller <davem@davemloft.net>

[ Upstream commit 46b8306480fb424abd525acc1763da1c63a27d8a ]

If PARPORT_PC_FIFO is not enabled, do not provide the dma lock
macros and lock definition.  Otherwise:

./arch/sparc/include/asm/parport.h:24:24: warning: ‘dma_spin_lock’ defined but not used [-Wunused-variable]
 static DEFINE_SPINLOCK(dma_spin_lock);
                        ^~~~~~~~~~~~~
./include/linux/spinlock_types.h:81:39: note: in definition of macro ‘DEFINE_SPINLOCK’
 #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/include/asm/parport.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/sparc/include/asm/parport.h b/arch/sparc/include/asm/parport.h
index 05df5f0430535..3c5a1c620f0f7 100644
--- a/arch/sparc/include/asm/parport.h
+++ b/arch/sparc/include/asm/parport.h
@@ -21,6 +21,7 @@
  */
 #define HAS_DMA
 
+#ifdef CONFIG_PARPORT_PC_FIFO
 static DEFINE_SPINLOCK(dma_spin_lock);
 
 #define claim_dma_lock() \
@@ -31,6 +32,7 @@ static DEFINE_SPINLOCK(dma_spin_lock);
 
 #define release_dma_lock(__flags) \
 	spin_unlock_irqrestore(&dma_spin_lock, __flags);
+#endif
 
 static struct sparc_ebus_info {
 	struct ebus_dma_info info;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 109/306] scsi: hisi_sas: Fix NULL pointer dereference
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 108/306] sparc: Fix parport build warnings Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 110/306] powerpc/pseries: Export raw per-CPU VPA data via debugfs Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Xiang Chen,
	Martin K. Petersen, Sasha Levin

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

[ Upstream commit f4445bb93d82a984657b469e63118c2794a4c3d3 ]

There is a NULL pointer dereference in case *slot* happens to be NULL at
lines 1053 and 1878:

struct hisi_sas_cq *cq =
	&hisi_hba->cq[slot->dlvry_queue];

Notice that *slot* is being NULL checked at lines 1057 and 1881:
if (slot), which implies it may be NULL.

Fix this by placing the declaration and definition of variable cq, which
contains the pointer dereference slot->dlvry_queue, after slot has been
properly NULL checked.

Addresses-Coverity-ID: 1474515 ("Dereference before null check")
Addresses-Coverity-ID: 1474520 ("Dereference before null check")
Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/hisi_sas/hisi_sas_main.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index d4a2625a44232..f478d1f50dfc0 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1025,11 +1025,11 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device,
 		if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
 			if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 				struct hisi_sas_slot *slot = task->lldd_task;
-				struct hisi_sas_cq *cq =
-					&hisi_hba->cq[slot->dlvry_queue];
 
 				dev_err(dev, "abort tmf: TMF task timeout and not done\n");
 				if (slot) {
+					struct hisi_sas_cq *cq =
+					       &hisi_hba->cq[slot->dlvry_queue];
 					/*
 					 * flush tasklet to avoid free'ing task
 					 * before using task in IO completion
@@ -1856,10 +1856,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
 	if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
 		if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 			struct hisi_sas_slot *slot = task->lldd_task;
-			struct hisi_sas_cq *cq =
-				&hisi_hba->cq[slot->dlvry_queue];
 
 			if (slot) {
+				struct hisi_sas_cq *cq =
+					&hisi_hba->cq[slot->dlvry_queue];
 				/*
 				 * flush tasklet to avoid free'ing task
 				 * before using task in IO completion
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 110/306] powerpc/pseries: Export raw per-CPU VPA data via debugfs
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 109/306] scsi: hisi_sas: Fix NULL pointer dereference Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 111/306] powerpc/mm/radix: Fix off-by-one in split mapping logic Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aravinda Prasad, Michael Ellerman,
	Sasha Levin

From: Aravinda Prasad <aravinda@linux.vnet.ibm.com>

[ Upstream commit c6c26fb55e8e4b3fc376be5611685990a17de27a ]

This patch exports the raw per-CPU VPA data via debugfs.
A per-CPU file is created which exports the VPA data of
that CPU to help debug some of the VPA related issues or
to analyze the per-CPU VPA related statistics.

v3: Removed offline CPU check.

v2: Included offline CPU check and other review comments.

Signed-off-by: Aravinda Prasad <aravinda@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/pseries/lpar.c | 54 +++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
index ea602f7f97ce1..49e3a88b6a0c1 100644
--- a/arch/powerpc/platforms/pseries/lpar.c
+++ b/arch/powerpc/platforms/pseries/lpar.c
@@ -48,6 +48,7 @@
 #include <asm/kexec.h>
 #include <asm/fadump.h>
 #include <asm/asm-prototypes.h>
+#include <asm/debugfs.h>
 
 #include "pseries.h"
 
@@ -1032,3 +1033,56 @@ static int __init reserve_vrma_context_id(void)
 	return 0;
 }
 machine_device_initcall(pseries, reserve_vrma_context_id);
+
+#ifdef CONFIG_DEBUG_FS
+/* debugfs file interface for vpa data */
+static ssize_t vpa_file_read(struct file *filp, char __user *buf, size_t len,
+			      loff_t *pos)
+{
+	int cpu = (long)filp->private_data;
+	struct lppaca *lppaca = &lppaca_of(cpu);
+
+	return simple_read_from_buffer(buf, len, pos, lppaca,
+				sizeof(struct lppaca));
+}
+
+static const struct file_operations vpa_fops = {
+	.open		= simple_open,
+	.read		= vpa_file_read,
+	.llseek		= default_llseek,
+};
+
+static int __init vpa_debugfs_init(void)
+{
+	char name[16];
+	long i;
+	static struct dentry *vpa_dir;
+
+	if (!firmware_has_feature(FW_FEATURE_SPLPAR))
+		return 0;
+
+	vpa_dir = debugfs_create_dir("vpa", powerpc_debugfs_root);
+	if (!vpa_dir) {
+		pr_warn("%s: can't create vpa root dir\n", __func__);
+		return -ENOMEM;
+	}
+
+	/* set up the per-cpu vpa file*/
+	for_each_possible_cpu(i) {
+		struct dentry *d;
+
+		sprintf(name, "cpu-%ld", i);
+
+		d = debugfs_create_file(name, 0400, vpa_dir, (void *)i,
+					&vpa_fops);
+		if (!d) {
+			pr_warn("%s: can't create per-cpu vpa file\n",
+					__func__);
+			return -ENOMEM;
+		}
+	}
+
+	return 0;
+}
+machine_arch_initcall(pseries, vpa_debugfs_init);
+#endif /* CONFIG_DEBUG_FS */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 111/306] powerpc/mm/radix: Fix off-by-one in split mapping logic
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 110/306] powerpc/pseries: Export raw per-CPU VPA data via debugfs Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 112/306] powerpc/mm/radix: Fix overuse of small pages in splitting logic Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Sasha Levin

From: Michael Ellerman <mpe@ellerman.id.au>

[ Upstream commit 5c6499b7041b43807dfaeda28aa87fc0e62558f7 ]

When we have CONFIG_STRICT_KERNEL_RWX enabled, we try to split the
kernel linear (1:1) mapping so that the kernel text is in a separate
page to kernel data, so we can mark the former read-only.

We could achieve that just by always using 64K pages for the linear
mapping, but we try to be smarter. Instead we use huge pages when
possible, and only switch to smaller pages when necessary.

However we have an off-by-one bug in that logic, which causes us to
calculate the wrong boundary between text and data.

For example with the end of the kernel text at 16M we see:

  radix-mmu: Mapped 0x0000000000000000-0x0000000001200000 with 64.0 KiB pages
  radix-mmu: Mapped 0x0000000001200000-0x0000000040000000 with 2.00 MiB pages
  radix-mmu: Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages

ie. we mapped from 0 to 18M with 64K pages, even though the boundary
between text and data is at 16M.

With the fix we see we're correctly hitting the 16M boundary:

  radix-mmu: Mapped 0x0000000000000000-0x0000000001000000 with 64.0 KiB pages
  radix-mmu: Mapped 0x0000000001000000-0x0000000040000000 with 2.00 MiB pages
  radix-mmu: Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/pgtable-radix.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/mm/pgtable-radix.c b/arch/powerpc/mm/pgtable-radix.c
index 3ea4c1f107d7e..24a2eadc8c21a 100644
--- a/arch/powerpc/mm/pgtable-radix.c
+++ b/arch/powerpc/mm/pgtable-radix.c
@@ -294,14 +294,14 @@ static int __meminit create_physical_mapping(unsigned long start,
 		}
 
 		if (split_text_mapping && (mapping_size == PUD_SIZE) &&
-			(addr <= __pa_symbol(__init_begin)) &&
+			(addr < __pa_symbol(__init_begin)) &&
 			(addr + mapping_size) >= __pa_symbol(_stext)) {
 			max_mapping_size = PMD_SIZE;
 			goto retry;
 		}
 
 		if (split_text_mapping && (mapping_size == PMD_SIZE) &&
-		    (addr <= __pa_symbol(__init_begin)) &&
+		    (addr < __pa_symbol(__init_begin)) &&
 		    (addr + mapping_size) >= __pa_symbol(_stext)) {
 			mapping_size = PAGE_SIZE;
 			psize = mmu_virtual_psize;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 112/306] powerpc/mm/radix: Fix overuse of small pages in splitting logic
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 111/306] powerpc/mm/radix: Fix off-by-one in split mapping logic Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 113/306] powerpc/mm/radix: Fix small page at boundary when splitting Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Sasha Levin

From: Michael Ellerman <mpe@ellerman.id.au>

[ Upstream commit 3b5657ed5b4e27ccf593a41ff3c5aa27dae8df18 ]

When we have CONFIG_STRICT_KERNEL_RWX enabled, we want to split the
linear mapping at the text/data boundary so we can map the kernel text
read only.

But the current logic uses small pages for the entire text section,
regardless of whether a larger page size would fit. eg. with the
boundary at 16M we could use 2M pages, but instead we use 64K pages up
to the 16M boundary:

  Mapped 0x0000000000000000-0x0000000001000000 with 64.0 KiB pages
  Mapped 0x0000000001000000-0x0000000040000000 with 2.00 MiB pages
  Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages

This is because the test is checking if addr is < __init_begin
and addr + mapping_size is >= _stext. But that is true for all pages
between _stext and __init_begin.

Instead what we want to check is if we are crossing the text/data
boundary, which is at __init_begin. With that fixed we see:

  Mapped 0x0000000000000000-0x0000000000e00000 with 2.00 MiB pages
  Mapped 0x0000000000e00000-0x0000000001000000 with 64.0 KiB pages
  Mapped 0x0000000001000000-0x0000000040000000 with 2.00 MiB pages
  Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages

ie. we're correctly using 2MB pages below __init_begin, but we still
drop down to 64K pages unnecessarily at the boundary.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/pgtable-radix.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/mm/pgtable-radix.c b/arch/powerpc/mm/pgtable-radix.c
index 24a2eadc8c21a..b387c7b917b7e 100644
--- a/arch/powerpc/mm/pgtable-radix.c
+++ b/arch/powerpc/mm/pgtable-radix.c
@@ -295,14 +295,14 @@ static int __meminit create_physical_mapping(unsigned long start,
 
 		if (split_text_mapping && (mapping_size == PUD_SIZE) &&
 			(addr < __pa_symbol(__init_begin)) &&
-			(addr + mapping_size) >= __pa_symbol(_stext)) {
+			(addr + mapping_size) >= __pa_symbol(__init_begin)) {
 			max_mapping_size = PMD_SIZE;
 			goto retry;
 		}
 
 		if (split_text_mapping && (mapping_size == PMD_SIZE) &&
 		    (addr < __pa_symbol(__init_begin)) &&
-		    (addr + mapping_size) >= __pa_symbol(_stext)) {
+		    (addr + mapping_size) >= __pa_symbol(__init_begin)) {
 			mapping_size = PAGE_SIZE;
 			psize = mmu_virtual_psize;
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 113/306] powerpc/mm/radix: Fix small page at boundary when splitting
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 112/306] powerpc/mm/radix: Fix overuse of small pages in splitting logic Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 114/306] powerpc/64s/radix: Fix radix__flush_tlb_collapsed_pmd double flushing pmd Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Sasha Levin

From: Michael Ellerman <mpe@ellerman.id.au>

[ Upstream commit 81d1b54dec95209ab5e5be2cf37182885f998753 ]

When we have CONFIG_STRICT_KERNEL_RWX enabled, we want to split the
linear mapping at the text/data boundary so we can map the kernel
text read only.

Currently we always use a small page at the text/data boundary, even
when that's not necessary:

  Mapped 0x0000000000000000-0x0000000000e00000 with 2.00 MiB pages
  Mapped 0x0000000000e00000-0x0000000001000000 with 64.0 KiB pages
  Mapped 0x0000000001000000-0x0000000040000000 with 2.00 MiB pages

This is because the check that the mapping crosses the __init_begin
boundary is too strict, it also returns true when we map exactly up to
the boundary.

So fix it to check that the mapping would actually map past
__init_begin, and with that we see:

  Mapped 0x0000000000000000-0x0000000040000000 with 2.00 MiB pages
  Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/pgtable-radix.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/mm/pgtable-radix.c b/arch/powerpc/mm/pgtable-radix.c
index b387c7b917b7e..69caeb5bccb21 100644
--- a/arch/powerpc/mm/pgtable-radix.c
+++ b/arch/powerpc/mm/pgtable-radix.c
@@ -295,14 +295,14 @@ static int __meminit create_physical_mapping(unsigned long start,
 
 		if (split_text_mapping && (mapping_size == PUD_SIZE) &&
 			(addr < __pa_symbol(__init_begin)) &&
-			(addr + mapping_size) >= __pa_symbol(__init_begin)) {
+			(addr + mapping_size) > __pa_symbol(__init_begin)) {
 			max_mapping_size = PMD_SIZE;
 			goto retry;
 		}
 
 		if (split_text_mapping && (mapping_size == PMD_SIZE) &&
 		    (addr < __pa_symbol(__init_begin)) &&
-		    (addr + mapping_size) >= __pa_symbol(__init_begin)) {
+		    (addr + mapping_size) > __pa_symbol(__init_begin)) {
 			mapping_size = PAGE_SIZE;
 			psize = mmu_virtual_psize;
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 114/306] powerpc/64s/radix: Fix radix__flush_tlb_collapsed_pmd double flushing pmd
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 113/306] powerpc/mm/radix: Fix small page at boundary when splitting Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 115/306] selftests/bpf: fix return value comparison for tests in test_libbpf.sh Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Piggin, Michael Ellerman,
	Sasha Levin

From: Nicholas Piggin <npiggin@gmail.com>

[ Upstream commit dd76ff5af35350fd6d5bb5b069e73b6017f66893 ]

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/tlb-radix.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/powerpc/mm/tlb-radix.c b/arch/powerpc/mm/tlb-radix.c
index 796ff5de26d09..1749f15fc0705 100644
--- a/arch/powerpc/mm/tlb-radix.c
+++ b/arch/powerpc/mm/tlb-radix.c
@@ -1072,7 +1072,6 @@ void radix__flush_tlb_collapsed_pmd(struct mm_struct *mm, unsigned long addr)
 			goto local;
 		}
 		_tlbie_va_range(addr, end, pid, PAGE_SIZE, mmu_virtual_psize, true);
-		goto local;
 	} else {
 local:
 		_tlbiel_va_range(addr, end, pid, PAGE_SIZE, mmu_virtual_psize, true);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 115/306] selftests/bpf: fix return value comparison for tests in test_libbpf.sh
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 114/306] powerpc/64s/radix: Fix radix__flush_tlb_collapsed_pmd double flushing pmd Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 116/306] tools: bpftool: fix completion for "bpftool map update" Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quentin Monnet, Jakub Kicinski,
	Alexei Starovoitov, Sasha Levin

From: Quentin Monnet <quentin.monnet@netronome.com>

[ Upstream commit c5fa5d602221362f8341ecd9e32d83194abf5bd9 ]

The return value for each test in test_libbpf.sh is compared with

    if (( $? == 0 )) ; then ...

This works well with bash, but not with dash, that /bin/sh is aliased to
on some systems (such as Ubuntu).

Let's replace this comparison by something that works on both shells.

Signed-off-by: Quentin Monnet <quentin.monnet@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/test_libbpf.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/test_libbpf.sh b/tools/testing/selftests/bpf/test_libbpf.sh
index 8b1bc96d8e0cc..2989b2e2d856d 100755
--- a/tools/testing/selftests/bpf/test_libbpf.sh
+++ b/tools/testing/selftests/bpf/test_libbpf.sh
@@ -6,7 +6,7 @@ export TESTNAME=test_libbpf
 # Determine selftest success via shell exit code
 exit_handler()
 {
-	if (( $? == 0 )); then
+	if [ $? -eq 0 ]; then
 		echo "selftests: $TESTNAME [PASS]";
 	else
 		echo "$TESTNAME: failed at file $LAST_LOADED" 1>&2
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 116/306] tools: bpftool: fix completion for "bpftool map update"
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 115/306] selftests/bpf: fix return value comparison for tests in test_libbpf.sh Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 117/306] ceph: fix dentry leak in ceph_readdir_prepopulate Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quentin Monnet, Jakub Kicinski,
	Daniel Borkmann, Sasha Levin

From: Quentin Monnet <quentin.monnet@netronome.com>

[ Upstream commit fe8ecccc10b3adc071de05ca7af728ca1a4ac9aa ]

When trying to complete "bpftool map update" commands, the call to
printf would print an error message that would show on the command line
if no map is found to complete the command line.

Fix it by making sure we have map ids to complete the line with, before
we try to print something.

Signed-off-by: Quentin Monnet <quentin.monnet@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/bpf/bpftool/bash-completion/bpftool | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/bpf/bpftool/bash-completion/bpftool b/tools/bpf/bpftool/bash-completion/bpftool
index 598066c401912..c2b6b2176f3b7 100644
--- a/tools/bpf/bpftool/bash-completion/bpftool
+++ b/tools/bpf/bpftool/bash-completion/bpftool
@@ -143,7 +143,7 @@ _bpftool_map_update_map_type()
     local type
     type=$(bpftool -jp map show $keyword $ref | \
         command sed -n 's/.*"type": "\(.*\)",$/\1/p')
-    printf $type
+    [[ -n $type ]] && printf $type
 }
 
 _bpftool_map_update_get_id()
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 117/306] ceph: fix dentry leak in ceph_readdir_prepopulate
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 116/306] tools: bpftool: fix completion for "bpftool map update" Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 118/306] ceph: only allow punch hole mode in fallocate Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yan, Zheng, Jeff Layton,
	Ilya Dryomov, Sasha Levin

From: Yan, Zheng <zyan@redhat.com>

[ Upstream commit c58f450bd61511d897efc2ea472c69630635b557 ]

Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/inode.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index acb70a6a82f0f..1e438e0faf77e 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1694,7 +1694,6 @@ int ceph_readdir_prepopulate(struct ceph_mds_request *req,
 			if (IS_ERR(realdn)) {
 				err = PTR_ERR(realdn);
 				d_drop(dn);
-				dn = NULL;
 				goto next_item;
 			}
 			dn = realdn;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 118/306] ceph: only allow punch hole mode in fallocate
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 117/306] ceph: fix dentry leak in ceph_readdir_prepopulate Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 119/306] rtc: s35390a: Change bufs type to u8 in s35390a_init Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luis Henriques, Yan, Zheng,
	Ilya Dryomov, Sasha Levin

From: Luis Henriques <lhenriques@suse.com>

[ Upstream commit bddff633ab7bc60a18a86ac8b322695b6f8594d0 ]

Current implementation of cephfs fallocate isn't correct as it doesn't
really reserve the space in the cluster, which means that a subsequent
call to a write may actually fail due to lack of space.  In fact, it is
currently possible to fallocate an amount space that is larger than the
free space in the cluster.  It has behaved this way since the initial
commit ad7a60de882a ("ceph: punch hole support").

Since there's no easy solution to fix this at the moment, this patch
simply removes support for all fallocate operations but
FALLOC_FL_PUNCH_HOLE (which implies FALLOC_FL_KEEP_SIZE).

Link: https://tracker.ceph.com/issues/36317
Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/file.c | 45 +++++++++------------------------------------
 1 file changed, 9 insertions(+), 36 deletions(-)

diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 92ab204336829..91a7ad259bcf2 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -1735,7 +1735,6 @@ static long ceph_fallocate(struct file *file, int mode,
 	struct ceph_file_info *fi = file->private_data;
 	struct inode *inode = file_inode(file);
 	struct ceph_inode_info *ci = ceph_inode(inode);
-	struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
 	struct ceph_cap_flush *prealloc_cf;
 	int want, got = 0;
 	int dirty;
@@ -1743,10 +1742,7 @@ static long ceph_fallocate(struct file *file, int mode,
 	loff_t endoff = 0;
 	loff_t size;
 
-	if ((offset + length) > max(i_size_read(inode), fsc->max_file_size))
-		return -EFBIG;
-
-	if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
+	if (mode != (FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
 		return -EOPNOTSUPP;
 
 	if (!S_ISREG(inode->i_mode))
@@ -1763,18 +1759,6 @@ static long ceph_fallocate(struct file *file, int mode,
 		goto unlock;
 	}
 
-	if (!(mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE)) &&
-	    ceph_quota_is_max_bytes_exceeded(inode, offset + length)) {
-		ret = -EDQUOT;
-		goto unlock;
-	}
-
-	if (ceph_osdmap_flag(&fsc->client->osdc, CEPH_OSDMAP_FULL) &&
-	    !(mode & FALLOC_FL_PUNCH_HOLE)) {
-		ret = -ENOSPC;
-		goto unlock;
-	}
-
 	if (ci->i_inline_version != CEPH_INLINE_NONE) {
 		ret = ceph_uninline_data(file, NULL);
 		if (ret < 0)
@@ -1782,12 +1766,12 @@ static long ceph_fallocate(struct file *file, int mode,
 	}
 
 	size = i_size_read(inode);
-	if (!(mode & FALLOC_FL_KEEP_SIZE)) {
-		endoff = offset + length;
-		ret = inode_newsize_ok(inode, endoff);
-		if (ret)
-			goto unlock;
-	}
+
+	/* Are we punching a hole beyond EOF? */
+	if (offset >= size)
+		goto unlock;
+	if ((offset + length) > size)
+		length = size - offset;
 
 	if (fi->fmode & CEPH_FILE_MODE_LAZY)
 		want = CEPH_CAP_FILE_BUFFER | CEPH_CAP_FILE_LAZYIO;
@@ -1798,16 +1782,8 @@ static long ceph_fallocate(struct file *file, int mode,
 	if (ret < 0)
 		goto unlock;
 
-	if (mode & FALLOC_FL_PUNCH_HOLE) {
-		if (offset < size)
-			ceph_zero_pagecache_range(inode, offset, length);
-		ret = ceph_zero_objects(inode, offset, length);
-	} else if (endoff > size) {
-		truncate_pagecache_range(inode, size, -1);
-		if (ceph_inode_set_size(inode, endoff))
-			ceph_check_caps(ceph_inode(inode),
-				CHECK_CAPS_AUTHONLY, NULL);
-	}
+	ceph_zero_pagecache_range(inode, offset, length);
+	ret = ceph_zero_objects(inode, offset, length);
 
 	if (!ret) {
 		spin_lock(&ci->i_ceph_lock);
@@ -1817,9 +1793,6 @@ static long ceph_fallocate(struct file *file, int mode,
 		spin_unlock(&ci->i_ceph_lock);
 		if (dirty)
 			__mark_inode_dirty(inode, dirty);
-		if ((endoff > size) &&
-		    ceph_quota_is_max_bytes_approaching(inode, endoff))
-			ceph_check_caps(ci, CHECK_CAPS_NODELAY, NULL);
 	}
 
 	ceph_put_cap_refs(ci, got);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 119/306] rtc: s35390a: Change bufs type to u8 in s35390a_init
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 118/306] ceph: only allow punch hole mode in fallocate Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 120/306] RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Alexandre Belloni,
	Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit ef0f02fd69a02b50e468a4ddbe33e3d81671e248 ]

Clang warns:

drivers/rtc/rtc-s35390a.c:124:27: warning: implicit conversion from
'int' to 'char' changes value from 192 to -64 [-Wconstant-conversion]
        buf = S35390A_FLAG_RESET | S35390A_FLAG_24H;
            ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~
1 warning generated.

Update buf to be an unsigned 8-bit integer, which matches the buf member
in struct i2c_msg.

https://github.com/ClangBuiltLinux/linux/issues/145
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-s35390a.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
index 77feb603cd4c0..3c64dbb08109a 100644
--- a/drivers/rtc/rtc-s35390a.c
+++ b/drivers/rtc/rtc-s35390a.c
@@ -108,7 +108,7 @@ static int s35390a_get_reg(struct s35390a *s35390a, int reg, char *buf, int len)
 
 static int s35390a_init(struct s35390a *s35390a)
 {
-	char buf;
+	u8 buf;
 	int ret;
 	unsigned initcount = 0;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 120/306] RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 119/306] rtc: s35390a: Change bufs type to u8 in s35390a_init Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 121/306] thermal: armada: fix a test in probe() Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincent Chen, Christoph Hellwig,
	Palmer Dabbelt, Sasha Levin

From: Vincent Chen <vincentc@andestech.com>

[ Upstream commit 827a438156e4c423b6875a092e272933952a2910 ]

For 32bit, the upper 32-bit of phys_addr_t will be flushed to zero
after AND with PAGE_MASK because the data type of PAGE_MASK is
unsigned long. To fix this problem, the page alignment is done by
subtracting the page offset instead of AND with PAGE_MASK.

Signed-off-by: Vincent Chen <vincentc@andestech.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/riscv/mm/ioremap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/riscv/mm/ioremap.c b/arch/riscv/mm/ioremap.c
index 70ef2724cdf61..bd2f2db557cc5 100644
--- a/arch/riscv/mm/ioremap.c
+++ b/arch/riscv/mm/ioremap.c
@@ -42,7 +42,7 @@ static void __iomem *__ioremap_caller(phys_addr_t addr, size_t size,
 
 	/* Page-align mappings */
 	offset = addr & (~PAGE_MASK);
-	addr &= PAGE_MASK;
+	addr -= offset;
 	size = PAGE_ALIGN(size + offset);
 
 	area = get_vm_area_caller(size, VM_IOREMAP, caller);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 121/306] thermal: armada: fix a test in probe()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 120/306] RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 122/306] f2fs: fix to spread clear_cold_data() Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Miquel Raynal,
	Eduardo Valentin, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit d1d2c290b3c04b65fa6132eeebe50a070746d8f6 ]

The platform_get_resource() function doesn't return error pointers, it
returns NULL on error.

Fixes: 3d4e51844a4e ("thermal: armada: convert driver to syscon register accesses")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/thermal/armada_thermal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/thermal/armada_thermal.c b/drivers/thermal/armada_thermal.c
index e16b3cb1808c5..1c9830b2c84da 100644
--- a/drivers/thermal/armada_thermal.c
+++ b/drivers/thermal/armada_thermal.c
@@ -526,8 +526,8 @@ static int armada_thermal_probe_legacy(struct platform_device *pdev,
 
 	/* First memory region points towards the status register */
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-	if (IS_ERR(res))
-		return PTR_ERR(res);
+	if (!res)
+		return -EIO;
 
 	/*
 	 * Edit the resource start address and length to map over all the
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 122/306] f2fs: fix to spread clear_cold_data()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 121/306] thermal: armada: fix a test in probe() Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 123/306] f2fs: spread f2fs_set_inode_flags() Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Weichao Guo, Chao Yu, Jaegeuk Kim,
	Sasha Levin

From: Chao Yu <yuchao0@huawei.com>

[ Upstream commit 2baf07818549c8bb8d7b3437e889b86eab56d38e ]

We need to drop PG_checked flag on page as well when we clear PG_uptodate
flag, in order to avoid treating the page as GCing one later.

Signed-off-by: Weichao Guo <guoweichao@huawei.com>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/data.c    | 8 +++++++-
 fs/f2fs/dir.c     | 1 +
 fs/f2fs/segment.c | 4 +++-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 3a2fd66769660..a7436ad194585 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1782,6 +1782,7 @@ int f2fs_do_write_data_page(struct f2fs_io_info *fio)
 	/* This page is already truncated */
 	if (fio->old_blkaddr == NULL_ADDR) {
 		ClearPageUptodate(page);
+		clear_cold_data(page);
 		goto out_writepage;
 	}
 got_it:
@@ -1957,8 +1958,10 @@ static int __write_data_page(struct page *page, bool *submitted,
 
 out:
 	inode_dec_dirty_pages(inode);
-	if (err)
+	if (err) {
 		ClearPageUptodate(page);
+		clear_cold_data(page);
+	}
 
 	if (wbc->for_reclaim) {
 		f2fs_submit_merged_write_cond(sbi, inode, 0, page->index, DATA);
@@ -2573,6 +2576,8 @@ void f2fs_invalidate_page(struct page *page, unsigned int offset,
 		}
 	}
 
+	clear_cold_data(page);
+
 	/* This is atomic written page, keep Private */
 	if (IS_ATOMIC_WRITTEN_PAGE(page))
 		return f2fs_drop_inmem_page(inode, page);
@@ -2591,6 +2596,7 @@ int f2fs_release_page(struct page *page, gfp_t wait)
 	if (IS_ATOMIC_WRITTEN_PAGE(page))
 		return 0;
 
+	clear_cold_data(page);
 	set_page_private(page, 0);
 	ClearPagePrivate(page);
 	return 1;
diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
index ecc3a4e2be96d..cd611a57d04d7 100644
--- a/fs/f2fs/dir.c
+++ b/fs/f2fs/dir.c
@@ -733,6 +733,7 @@ void f2fs_delete_entry(struct f2fs_dir_entry *dentry, struct page *page,
 		clear_page_dirty_for_io(page);
 		ClearPagePrivate(page);
 		ClearPageUptodate(page);
+		clear_cold_data(page);
 		inode_dec_dirty_pages(dir);
 		f2fs_remove_dirty_inode(dir);
 	}
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index d78009694f3fd..43a07514c3574 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -277,8 +277,10 @@ static int __revoke_inmem_pages(struct inode *inode,
 		}
 next:
 		/* we don't need to invalidate this in the sccessful status */
-		if (drop || recover)
+		if (drop || recover) {
 			ClearPageUptodate(page);
+			clear_cold_data(page);
+		}
 		set_page_private(page, 0);
 		ClearPagePrivate(page);
 		f2fs_put_page(page, 1);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 123/306] f2fs: spread f2fs_set_inode_flags()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 122/306] f2fs: fix to spread clear_cold_data() Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 124/306] mISDN: Fix type of switch control variable in ctrl_teimanager Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim, Sasha Levin

From: Chao Yu <yuchao0@huawei.com>

[ Upstream commit 9149a5eb606152df158eb7d7da5a34e84b574189 ]

This patch changes codes as below:
- use f2fs_set_inode_flags() to update i_flags atomically to avoid
potential race.
- synchronize F2FS_I(inode)->i_flags to inode->i_flags in
f2fs_new_inode().
- use f2fs_set_inode_flags() to simply codes in f2fs_quota_{on,off}.

Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/f2fs.h  | 2 +-
 fs/f2fs/namei.c | 2 ++
 fs/f2fs/super.c | 5 ++---
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 2dc49a5419070..34e48bcf50874 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3388,7 +3388,7 @@ static inline void f2fs_set_encrypted_inode(struct inode *inode)
 {
 #ifdef CONFIG_F2FS_FS_ENCRYPTION
 	file_set_encrypt(inode);
-	inode->i_flags |= S_ENCRYPTED;
+	f2fs_set_inode_flags(inode);
 #endif
 }
 
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index 1f67e389169f5..6b23dcbf52f45 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -124,6 +124,8 @@ static struct inode *f2fs_new_inode(struct inode *dir, umode_t mode)
 	if (F2FS_I(inode)->i_flags & F2FS_PROJINHERIT_FL)
 		set_inode_flag(inode, FI_PROJ_INHERIT);
 
+	f2fs_set_inode_flags(inode);
+
 	trace_f2fs_new_inode(inode, 0);
 	return inode;
 
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 15779123d0895..7a9cc64f5ca37 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1837,8 +1837,7 @@ static int f2fs_quota_on(struct super_block *sb, int type, int format_id,
 
 	inode_lock(inode);
 	F2FS_I(inode)->i_flags |= F2FS_NOATIME_FL | F2FS_IMMUTABLE_FL;
-	inode_set_flags(inode, S_NOATIME | S_IMMUTABLE,
-					S_NOATIME | S_IMMUTABLE);
+	f2fs_set_inode_flags(inode);
 	inode_unlock(inode);
 	f2fs_mark_inode_dirty_sync(inode, false);
 
@@ -1863,7 +1862,7 @@ static int f2fs_quota_off(struct super_block *sb, int type)
 
 	inode_lock(inode);
 	F2FS_I(inode)->i_flags &= ~(F2FS_NOATIME_FL | F2FS_IMMUTABLE_FL);
-	inode_set_flags(inode, 0, S_NOATIME | S_IMMUTABLE);
+	f2fs_set_inode_flags(inode);
 	inode_unlock(inode);
 	f2fs_mark_inode_dirty_sync(inode, false);
 out_put:
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 124/306] mISDN: Fix type of switch control variable in ctrl_teimanager
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 123/306] f2fs: spread f2fs_set_inode_flags() Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 125/306] qlcnic: fix a return in qlcnic_dcb_get_capability() Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller,
	Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit aeb5e02aca91522733eb1db595ac607d30c87767 ]

Clang warns (trimmed for brevity):

drivers/isdn/mISDN/tei.c:1193:7: warning: overflow converting case value
to switch condition type (2147764552 to 18446744071562348872) [-Wswitch]
        case IMHOLD_L1:
             ^
drivers/isdn/mISDN/tei.c:1187:7: warning: overflow converting case value
to switch condition type (2147764550 to 18446744071562348870) [-Wswitch]
        case IMCLEAR_L2:
             ^
2 warnings generated.

The root cause is that the _IOC macro can generate really large numbers,
which don't find into type int. My research into how GCC and Clang are
handling this at a low level didn't prove fruitful and surveying the
kernel tree shows that aside from here and a few places in the scsi
subsystem, everything that uses _IOC is at least of type 'unsigned int'.
Make that change here because as nothing in this function cares about
the signedness of the variable and it removes ambiguity, which is never
good when dealing with compilers.

While we're here, remove the unnecessary local variable ret (just return
-EINVAL and 0 directly).

Link: https://github.com/ClangBuiltLinux/linux/issues/67
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/mISDN/tei.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/isdn/mISDN/tei.c b/drivers/isdn/mISDN/tei.c
index 12d9e5f4beb1f..58635b5f296f0 100644
--- a/drivers/isdn/mISDN/tei.c
+++ b/drivers/isdn/mISDN/tei.c
@@ -1180,8 +1180,7 @@ static int
 ctrl_teimanager(struct manager *mgr, void *arg)
 {
 	/* currently we only have one option */
-	int	*val = (int *)arg;
-	int	ret = 0;
+	unsigned int *val = (unsigned int *)arg;
 
 	switch (val[0]) {
 	case IMCLEAR_L2:
@@ -1197,9 +1196,9 @@ ctrl_teimanager(struct manager *mgr, void *arg)
 			test_and_clear_bit(OPTION_L1_HOLD, &mgr->options);
 		break;
 	default:
-		ret = -EINVAL;
+		return -EINVAL;
 	}
-	return ret;
+	return 0;
 }
 
 /* This function does create a L2 for fixed TEI in NT Mode */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 125/306] qlcnic: fix a return in qlcnic_dcb_get_capability()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 124/306] mISDN: Fix type of switch control variable in ctrl_teimanager Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 126/306] net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit c94f026fb742b2d3199422751dbc4f6fc0e753d8 ]

These functions are supposed to return one on failure and zero on
success.  Returning a zero here could cause uninitialized variable
bugs in several of the callers.  For example:

    drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:1660 get_iscsi_dcb_priority()
    error: uninitialized symbol 'caps'.

Fixes: 48365e485275 ("qlcnic: dcb: Add support for CEE Netlink interface.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
index 4b76c69fe86d2..834208e55f7b8 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
@@ -883,7 +883,7 @@ static u8 qlcnic_dcb_get_capability(struct net_device *netdev, int capid,
 	struct qlcnic_adapter *adapter = netdev_priv(netdev);
 
 	if (!test_bit(QLCNIC_DCB_STATE, &adapter->dcb->state))
-		return 0;
+		return 1;
 
 	switch (capid) {
 	case DCB_CAP_ATTR_PG:
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 126/306] net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 125/306] qlcnic: fix a return in qlcnic_dcb_get_capability() Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 127/306] mfd: arizona: Correct calling of runtime_put_sync Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ivan Khoronzhuk, Grygorii Strashko,
	David S. Miller, Sasha Levin

From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>

[ Upstream commit 9737cc99dd14b5b8b9d267618a6061feade8ea68 ]

After flushing all mcast entries from the table, the ones contained in
mc list of ndev are not restored when promisc mode is toggled off,
because they are considered as synched with ALE, thus, in order to
restore them after promisc mode - reset syncing info. This fix
touches only switch mode devices, including single port boards
like Beagle Bone.

Fixes: commit 5da1948969bc
("net: ethernet: ti: cpsw: fix lost of mcast packets while rx_mode update")

Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ti/cpsw.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
index 1afed85550c0a..8417d4c178447 100644
--- a/drivers/net/ethernet/ti/cpsw.c
+++ b/drivers/net/ethernet/ti/cpsw.c
@@ -642,6 +642,7 @@ static void cpsw_set_promiscious(struct net_device *ndev, bool enable)
 
 			/* Clear all mcast from ALE */
 			cpsw_ale_flush_multicast(ale, ALE_ALL_PORTS, -1);
+			__dev_mc_unsync(ndev, NULL);
 
 			/* Flood All Unicast Packets to Host port */
 			cpsw_ale_control_set(ale, 0, ALE_P0_UNI_FLOOD, 1);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 127/306] mfd: arizona: Correct calling of runtime_put_sync
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 126/306] net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 128/306] mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sapthagiri Baratam, Charles Keepax,
	Lee Jones, Sasha Levin

From: Sapthagiri Baratam <sapthagiri.baratam@cirrus.com>

[ Upstream commit 6b269a41a4520f7eb639e61a45ebbb9c9267d5e0 ]

Don't call runtime_put_sync when clk32k_ref is ARIZONA_32KZ_MCLK2
as there is no corresponding runtime_get_sync call.

MCLK1 is not in the AoD power domain so if it is used as 32kHz clock
source we need to hold a runtime PM reference to keep the device from
going into low power mode.

Fixes: cdd8da8cc66b ("mfd: arizona: Add gating of external MCLKn clocks")
Signed-off-by: Sapthagiri Baratam <sapthagiri.baratam@cirrus.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mfd/arizona-core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c
index 47d6d40f41cd5..a4403a57ddc89 100644
--- a/drivers/mfd/arizona-core.c
+++ b/drivers/mfd/arizona-core.c
@@ -52,8 +52,10 @@ int arizona_clk32k_enable(struct arizona *arizona)
 			if (ret != 0)
 				goto err_ref;
 			ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK1]);
-			if (ret != 0)
-				goto err_pm;
+			if (ret != 0) {
+				pm_runtime_put_sync(arizona->dev);
+				goto err_ref;
+			}
 			break;
 		case ARIZONA_32KZ_MCLK2:
 			ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK2]);
@@ -67,8 +69,6 @@ int arizona_clk32k_enable(struct arizona *arizona)
 					 ARIZONA_CLK_32K_ENA);
 	}
 
-err_pm:
-	pm_runtime_put_sync(arizona->dev);
 err_ref:
 	if (ret != 0)
 		arizona->clk32k_ref--;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 128/306] mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 127/306] mfd: arizona: Correct calling of runtime_put_sync Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 129/306] mfd: intel_soc_pmic_bxtwc: Chain power button IRQs as well Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabio Estevam, Chris Healy,
	Lee Jones, Sasha Levin

From: Fabio Estevam <fabio.estevam@nxp.com>

[ Upstream commit 55143439b7b501882bea9d95a54adfe00ffc79a3 ]

When trying to read any MC13892 ADC channel on a imx51-babbage board:

The MC13892 PMIC shutdowns completely.

After debugging this issue and comparing the MC13892 and MC13783
initializations done in the vendor kernel, it was noticed that the
CHRGRAWDIV bit of the ADC0 register was not being set.

This bit is set by default after power on, but the driver was
clearing it.

After setting this bit it is possible to read the ADC values correctly.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Tested-by: Chris Healy <cphealy@gmail.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mfd/mc13xxx-core.c  | 3 ++-
 include/linux/mfd/mc13xxx.h | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c
index 234febfe6398b..d0bf50e3568d7 100644
--- a/drivers/mfd/mc13xxx-core.c
+++ b/drivers/mfd/mc13xxx-core.c
@@ -278,7 +278,8 @@ int mc13xxx_adc_do_conversion(struct mc13xxx *mc13xxx, unsigned int mode,
 	if (ret)
 		goto out;
 
-	adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2;
+	adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2 |
+	       MC13XXX_ADC0_CHRGRAWDIV;
 	adc1 = MC13XXX_ADC1_ADEN | MC13XXX_ADC1_ADTRIGIGN | MC13XXX_ADC1_ASC;
 
 	/*
diff --git a/include/linux/mfd/mc13xxx.h b/include/linux/mfd/mc13xxx.h
index 54a3cd808f9e6..2ad9bdc0a5ec8 100644
--- a/include/linux/mfd/mc13xxx.h
+++ b/include/linux/mfd/mc13xxx.h
@@ -249,6 +249,7 @@ struct mc13xxx_platform_data {
 #define MC13XXX_ADC0_TSMOD0		(1 << 12)
 #define MC13XXX_ADC0_TSMOD1		(1 << 13)
 #define MC13XXX_ADC0_TSMOD2		(1 << 14)
+#define MC13XXX_ADC0_CHRGRAWDIV		(1 << 15)
 #define MC13XXX_ADC0_ADINC1		(1 << 16)
 #define MC13XXX_ADC0_ADINC2		(1 << 17)
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 129/306] mfd: intel_soc_pmic_bxtwc: Chain power button IRQs as well
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 128/306] mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 130/306] mfd: max8997: Enale irq-wakeup unconditionally Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Mika Westerberg,
	Lee Jones, Sasha Levin

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 9f8ddee1dab836ca758ca8fc555ab5a3aaa5d3fd ]

Power button IRQ actually has a second level of interrupts to
distinguish between UI and POWER buttons. Moreover, current
implementation looks awkward in approach to handle second level IRQs by
first level related IRQ chip.

To address above issues, split power button IRQ to be chained as well.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mfd/intel_soc_pmic_bxtwc.c | 41 ++++++++++++++++++++++--------
 include/linux/mfd/intel_soc_pmic.h |  1 +
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/drivers/mfd/intel_soc_pmic_bxtwc.c b/drivers/mfd/intel_soc_pmic_bxtwc.c
index 15bc052704a6d..9ca1f8c015de9 100644
--- a/drivers/mfd/intel_soc_pmic_bxtwc.c
+++ b/drivers/mfd/intel_soc_pmic_bxtwc.c
@@ -31,8 +31,8 @@
 
 /* Interrupt Status Registers */
 #define BXTWC_IRQLVL1		0x4E02
-#define BXTWC_PWRBTNIRQ		0x4E03
 
+#define BXTWC_PWRBTNIRQ		0x4E03
 #define BXTWC_THRM0IRQ		0x4E04
 #define BXTWC_THRM1IRQ		0x4E05
 #define BXTWC_THRM2IRQ		0x4E06
@@ -47,10 +47,9 @@
 
 /* Interrupt MASK Registers */
 #define BXTWC_MIRQLVL1		0x4E0E
-#define BXTWC_MPWRTNIRQ		0x4E0F
-
 #define BXTWC_MIRQLVL1_MCHGR	BIT(5)
 
+#define BXTWC_MPWRBTNIRQ	0x4E0F
 #define BXTWC_MTHRM0IRQ		0x4E12
 #define BXTWC_MTHRM1IRQ		0x4E13
 #define BXTWC_MTHRM2IRQ		0x4E14
@@ -66,9 +65,7 @@
 /* Whiskey Cove PMIC share same ACPI ID between different platforms */
 #define BROXTON_PMIC_WC_HRV	4
 
-/* Manage in two IRQ chips since mask registers are not consecutive */
 enum bxtwc_irqs {
-	/* Level 1 */
 	BXTWC_PWRBTN_LVL1_IRQ = 0,
 	BXTWC_TMU_LVL1_IRQ,
 	BXTWC_THRM_LVL1_IRQ,
@@ -77,9 +74,11 @@ enum bxtwc_irqs {
 	BXTWC_CHGR_LVL1_IRQ,
 	BXTWC_GPIO_LVL1_IRQ,
 	BXTWC_CRIT_LVL1_IRQ,
+};
 
-	/* Level 2 */
-	BXTWC_PWRBTN_IRQ,
+enum bxtwc_irqs_pwrbtn {
+	BXTWC_PWRBTN_IRQ = 0,
+	BXTWC_UIBTN_IRQ,
 };
 
 enum bxtwc_irqs_bcu {
@@ -113,7 +112,10 @@ static const struct regmap_irq bxtwc_regmap_irqs[] = {
 	REGMAP_IRQ_REG(BXTWC_CHGR_LVL1_IRQ, 0, BIT(5)),
 	REGMAP_IRQ_REG(BXTWC_GPIO_LVL1_IRQ, 0, BIT(6)),
 	REGMAP_IRQ_REG(BXTWC_CRIT_LVL1_IRQ, 0, BIT(7)),
-	REGMAP_IRQ_REG(BXTWC_PWRBTN_IRQ, 1, 0x03),
+};
+
+static const struct regmap_irq bxtwc_regmap_irqs_pwrbtn[] = {
+	REGMAP_IRQ_REG(BXTWC_PWRBTN_IRQ, 0, 0x01),
 };
 
 static const struct regmap_irq bxtwc_regmap_irqs_bcu[] = {
@@ -125,7 +127,7 @@ static const struct regmap_irq bxtwc_regmap_irqs_adc[] = {
 };
 
 static const struct regmap_irq bxtwc_regmap_irqs_chgr[] = {
-	REGMAP_IRQ_REG(BXTWC_USBC_IRQ, 0, BIT(5)),
+	REGMAP_IRQ_REG(BXTWC_USBC_IRQ, 0, 0x20),
 	REGMAP_IRQ_REG(BXTWC_CHGR0_IRQ, 0, 0x1f),
 	REGMAP_IRQ_REG(BXTWC_CHGR1_IRQ, 1, 0x1f),
 };
@@ -144,7 +146,16 @@ static struct regmap_irq_chip bxtwc_regmap_irq_chip = {
 	.mask_base = BXTWC_MIRQLVL1,
 	.irqs = bxtwc_regmap_irqs,
 	.num_irqs = ARRAY_SIZE(bxtwc_regmap_irqs),
-	.num_regs = 2,
+	.num_regs = 1,
+};
+
+static struct regmap_irq_chip bxtwc_regmap_irq_chip_pwrbtn = {
+	.name = "bxtwc_irq_chip_pwrbtn",
+	.status_base = BXTWC_PWRBTNIRQ,
+	.mask_base = BXTWC_MPWRBTNIRQ,
+	.irqs = bxtwc_regmap_irqs_pwrbtn,
+	.num_irqs = ARRAY_SIZE(bxtwc_regmap_irqs_pwrbtn),
+	.num_regs = 1,
 };
 
 static struct regmap_irq_chip bxtwc_regmap_irq_chip_tmu = {
@@ -472,6 +483,16 @@ static int bxtwc_probe(struct platform_device *pdev)
 		return ret;
 	}
 
+	ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+					 BXTWC_PWRBTN_LVL1_IRQ,
+					 IRQF_ONESHOT,
+					 &bxtwc_regmap_irq_chip_pwrbtn,
+					 &pmic->irq_chip_data_pwrbtn);
+	if (ret) {
+		dev_err(&pdev->dev, "Failed to add PWRBTN IRQ chip\n");
+		return ret;
+	}
+
 	ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
 					 BXTWC_TMU_LVL1_IRQ,
 					 IRQF_ONESHOT,
diff --git a/include/linux/mfd/intel_soc_pmic.h b/include/linux/mfd/intel_soc_pmic.h
index 5aacdb017a9f6..806a4f095312b 100644
--- a/include/linux/mfd/intel_soc_pmic.h
+++ b/include/linux/mfd/intel_soc_pmic.h
@@ -25,6 +25,7 @@ struct intel_soc_pmic {
 	int irq;
 	struct regmap *regmap;
 	struct regmap_irq_chip_data *irq_chip_data;
+	struct regmap_irq_chip_data *irq_chip_data_pwrbtn;
 	struct regmap_irq_chip_data *irq_chip_data_tmu;
 	struct regmap_irq_chip_data *irq_chip_data_bcu;
 	struct regmap_irq_chip_data *irq_chip_data_adc;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 130/306] mfd: max8997: Enale irq-wakeup unconditionally
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 129/306] mfd: intel_soc_pmic_bxtwc: Chain power button IRQs as well Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 131/306] net: socionext: Stop PHY before resetting netsec Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski,
	Krzysztof Kozlowski, Lee Jones, Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit efddff27c886e729a7f84a7205bd84d7d4af7336 ]

IRQ wake up support for MAX8997 driver was initially configured by
respective property in pdata. However, after the driver conversion to
device-tree, setting it was left as 'todo'. Nowadays most of other PMIC MFD
drivers initialized from device-tree assume that they can be an irq wakeup
source, so enable it also for MAX8997. This fixes support for wakeup from
MAX8997 RTC alarm.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mfd/max8997.c       | 8 +-------
 include/linux/mfd/max8997.h | 1 -
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/drivers/mfd/max8997.c b/drivers/mfd/max8997.c
index 3f554c4475218..d1495d76bf2c3 100644
--- a/drivers/mfd/max8997.c
+++ b/drivers/mfd/max8997.c
@@ -153,12 +153,6 @@ static struct max8997_platform_data *max8997_i2c_parse_dt_pdata(
 
 	pd->ono = irq_of_parse_and_map(dev->of_node, 1);
 
-	/*
-	 * ToDo: the 'wakeup' member in the platform data is more of a linux
-	 * specfic information. Hence, there is no binding for that yet and
-	 * not parsed here.
-	 */
-
 	return pd;
 }
 
@@ -246,7 +240,7 @@ static int max8997_i2c_probe(struct i2c_client *i2c,
 	 */
 
 	/* MAX8997 has a power button input. */
-	device_init_wakeup(max8997->dev, pdata->wakeup);
+	device_init_wakeup(max8997->dev, true);
 
 	return ret;
 
diff --git a/include/linux/mfd/max8997.h b/include/linux/mfd/max8997.h
index cf815577bd686..3ae1fe743bc34 100644
--- a/include/linux/mfd/max8997.h
+++ b/include/linux/mfd/max8997.h
@@ -178,7 +178,6 @@ struct max8997_led_platform_data {
 struct max8997_platform_data {
 	/* IRQ */
 	int ono;
-	int wakeup;
 
 	/* ---- PMIC ---- */
 	struct max8997_regulator_data *regulators;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 131/306] net: socionext: Stop PHY before resetting netsec
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 130/306] mfd: max8997: Enale irq-wakeup unconditionally Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 132/306] fs/cifs: fix uninitialised variable warnings Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahisa Kojima, Yoshitoyo Osaki,
	David S. Miller, Sasha Levin

From: Masahisa Kojima <masahisa.kojima@linaro.org>

[ Upstream commit 8e850f25b5812aefedec6732732eb10e7b47cb5c ]

In ndo_stop, driver resets the netsec ethernet controller IP.
When the netsec IP is reset, HW running mode turns to NRM mode
and driver has to wait until this mode transition completes.

But mode transition to NRM will not complete if the PHY is
in normal operation state. Netsec IP requires PHY is in
power down state when it is reset.

This modification stops the PHY before resetting netsec.

Together with this modification, phy_addr is stored in netsec_priv
structure because ndev->phydev is not yet ready in ndo_init.

Fixes: 533dd11a12f6 ("net: socionext: Add Synquacer NetSec driver")
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Yoshitoyo Osaki <osaki.yoshitoyo@socionext.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/socionext/netsec.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/socionext/netsec.c b/drivers/net/ethernet/socionext/netsec.c
index d2caeb9edc044..28d582c18afb9 100644
--- a/drivers/net/ethernet/socionext/netsec.c
+++ b/drivers/net/ethernet/socionext/netsec.c
@@ -274,6 +274,7 @@ struct netsec_priv {
 	struct clk *clk;
 	u32 msg_enable;
 	u32 freq;
+	u32 phy_addr;
 	bool rx_cksum_offload_flag;
 };
 
@@ -1346,11 +1347,11 @@ static int netsec_netdev_stop(struct net_device *ndev)
 	netsec_uninit_pkt_dring(priv, NETSEC_RING_TX);
 	netsec_uninit_pkt_dring(priv, NETSEC_RING_RX);
 
-	ret = netsec_reset_hardware(priv, false);
-
 	phy_stop(ndev->phydev);
 	phy_disconnect(ndev->phydev);
 
+	ret = netsec_reset_hardware(priv, false);
+
 	pm_runtime_put_sync(priv->dev);
 
 	return ret;
@@ -1360,6 +1361,7 @@ static int netsec_netdev_init(struct net_device *ndev)
 {
 	struct netsec_priv *priv = netdev_priv(ndev);
 	int ret;
+	u16 data;
 
 	ret = netsec_alloc_dring(priv, NETSEC_RING_TX);
 	if (ret)
@@ -1369,6 +1371,11 @@ static int netsec_netdev_init(struct net_device *ndev)
 	if (ret)
 		goto err1;
 
+	/* set phy power down */
+	data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR) |
+		BMCR_PDOWN;
+	netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data);
+
 	ret = netsec_reset_hardware(priv, true);
 	if (ret)
 		goto err2;
@@ -1418,7 +1425,7 @@ static const struct net_device_ops netsec_netdev_ops = {
 };
 
 static int netsec_of_probe(struct platform_device *pdev,
-			   struct netsec_priv *priv)
+			   struct netsec_priv *priv, u32 *phy_addr)
 {
 	priv->phy_np = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0);
 	if (!priv->phy_np) {
@@ -1426,6 +1433,8 @@ static int netsec_of_probe(struct platform_device *pdev,
 		return -EINVAL;
 	}
 
+	*phy_addr = of_mdio_parse_addr(&pdev->dev, priv->phy_np);
+
 	priv->clk = devm_clk_get(&pdev->dev, NULL); /* get by 'phy_ref_clk' */
 	if (IS_ERR(priv->clk)) {
 		dev_err(&pdev->dev, "phy_ref_clk not found\n");
@@ -1626,12 +1635,14 @@ static int netsec_probe(struct platform_device *pdev)
 	}
 
 	if (dev_of_node(&pdev->dev))
-		ret = netsec_of_probe(pdev, priv);
+		ret = netsec_of_probe(pdev, priv, &phy_addr);
 	else
 		ret = netsec_acpi_probe(pdev, priv, &phy_addr);
 	if (ret)
 		goto free_ndev;
 
+	priv->phy_addr = phy_addr;
+
 	if (!priv->freq) {
 		dev_err(&pdev->dev, "missing PHY reference clock frequency\n");
 		ret = -ENODEV;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 132/306] fs/cifs: fix uninitialised variable warnings
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 131/306] net: socionext: Stop PHY before resetting netsec Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 133/306] spi: uniphier: fix incorrect property items Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Garry McNulty, Steve French,
	Aurelien Aptel, Sasha Levin

From: Garry McNulty <garrmcnu@gmail.com>

[ Upstream commit ef2298a06d012973bbc592b86fe5ff730d4d0c63 ]

In some error conditions, resp_buftype can be passed uninitialised to
free_rsp_buf(), potentially resulting in a spurious debug message.
If resp_buftype randomly had the value 1 (CIFS_SMALL_BUFFER) then this
would log a debug message.
The rsp pointer is initialised to NULL so there is no other side-effect.

Detected by CoverityScan, CID 1438585 ("Uninitialized scalar variable")
Detected by CoverityScan, CID 1438667 ("Uninitialized scalar variable")
Detected by CoverityScan, CID 1438764 ("Uninitialized scalar variable")

Signed-off-by: Garry McNulty <garrmcnu@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/cifs/smb2pdu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index b1f5d0d28335a..9194f17675c89 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2283,7 +2283,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
 	struct cifs_ses *ses = tcon->ses;
 	struct kvec iov[SMB2_CREATE_IOV_SIZE];
 	struct kvec rsp_iov = {NULL, 0};
-	int resp_buftype;
+	int resp_buftype = CIFS_NO_BUFFER;
 	int rc = 0;
 	int flags = 0;
 
@@ -2570,7 +2570,7 @@ SMB2_close_flags(const unsigned int xid, struct cifs_tcon *tcon,
 	struct cifs_ses *ses = tcon->ses;
 	struct kvec iov[1];
 	struct kvec rsp_iov;
-	int resp_buftype;
+	int resp_buftype = CIFS_NO_BUFFER;
 	int rc = 0;
 
 	cifs_dbg(FYI, "Close\n");
@@ -2723,7 +2723,7 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon,
 	struct kvec iov[1];
 	struct kvec rsp_iov;
 	int rc = 0;
-	int resp_buftype;
+	int resp_buftype = CIFS_NO_BUFFER;
 	struct cifs_ses *ses = tcon->ses;
 	int flags = 0;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 133/306] spi: uniphier: fix incorrect property items
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 132/306] fs/cifs: fix uninitialised variable warnings Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 134/306] selftests/ftrace: Fix to test kprobe $comm arg only if available Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keiji Hayashibara, Mark Brown, Sasha Levin

From: Keiji Hayashibara <hayashibara.keiji@socionext.com>

[ Upstream commit 3511ba7d4ca6f39e2d060bb94e42a41ad1fee7bf ]

This commit fixes incorrect property because it was different
from the actual.
The parameters of '#address-cells' and '#size-cells' were removed,
and 'interrupts', 'pinctrl-names' and 'pinctrl-0' were added.

Fixes: 4dcd5c2781f3 ("spi: add DT bindings for UniPhier SPI controller")
Signed-off-by: Keiji Hayashibara <hayashibara.keiji@socionext.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../devicetree/bindings/spi/spi-uniphier.txt       | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/Documentation/devicetree/bindings/spi/spi-uniphier.txt b/Documentation/devicetree/bindings/spi/spi-uniphier.txt
index 504a4ecfc7b16..b04e66a52de5d 100644
--- a/Documentation/devicetree/bindings/spi/spi-uniphier.txt
+++ b/Documentation/devicetree/bindings/spi/spi-uniphier.txt
@@ -5,18 +5,20 @@ UniPhier SoCs have SCSSI which supports SPI single channel.
 Required properties:
  - compatible: should be "socionext,uniphier-scssi"
  - reg: address and length of the spi master registers
- - #address-cells: must be <1>, see spi-bus.txt
- - #size-cells: must be <0>, see spi-bus.txt
- - clocks: A phandle to the clock for the device.
- - resets: A phandle to the reset control for the device.
+ - interrupts: a single interrupt specifier
+ - pinctrl-names: should be "default"
+ - pinctrl-0: pin control state for the default mode
+ - clocks: a phandle to the clock for the device
+ - resets: a phandle to the reset control for the device
 
 Example:
 
 spi0: spi@54006000 {
 	compatible = "socionext,uniphier-scssi";
 	reg = <0x54006000 0x100>;
-	#address-cells = <1>;
-	#size-cells = <0>;
+	interrupts = <0 39 4>;
+	pinctrl-names = "default";
+	pinctrl-0 = <&pinctrl_spi0>;
 	clocks = <&peri_clk 11>;
 	resets = <&peri_rst 11>;
 };
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 134/306] selftests/ftrace: Fix to test kprobe $comm arg only if available
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 133/306] spi: uniphier: fix incorrect property items Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 135/306] selftests: watchdog: fix message when /dev/watchdog open fails Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu,
	Shuah Khan (Samsung OSG),
	Sasha Levin

From: Masami Hiramatsu <mhiramat@kernel.org>

[ Upstream commit 2452c96e617a0ff6fb2692e55217a3fa57a7322c ]

Test $comm in kprobe-event argument syntax testcase
only if it is supported on the kernel because
$comm has been introduced 4.8 kernel.
So on older stable kernel, it should be skipped.

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc       | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
index d026ff4e562f3..92ffb3bd33d82 100644
--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
@@ -78,8 +78,11 @@ test_badarg "\$stackp" "\$stack0+10" "\$stack1-10"
 echo "r ${PROBEFUNC} \$retval" > kprobe_events
 ! echo "p ${PROBEFUNC} \$retval" > kprobe_events
 
+# $comm was introduced in 4.8, older kernels reject it.
+if grep -A1 "fetcharg:" README | grep -q '\$comm' ; then
 : "Comm access"
 test_goodarg "\$comm"
+fi
 
 : "Indirect memory access"
 test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 135/306] selftests: watchdog: fix message when /dev/watchdog open fails
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 134/306] selftests/ftrace: Fix to test kprobe $comm arg only if available Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 136/306] selftests: watchdog: Fix error message Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shuah Khan (Samsung OSG), Sasha Levin

From: Shuah Khan (Samsung OSG) <shuah@kernel.org>

[ Upstream commit 9a244229a4b850b11952a0df79607c69b18fd8df ]

When /dev/watchdog open fails, watchdog exits with "watchdog not enabled"
message. This is incorrect when open fails due to insufficient privilege.

Fix message to clearly state the reason when open fails with EACCESS when
a non-root user runs it.

Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/watchdog/watchdog-test.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/watchdog/watchdog-test.c b/tools/testing/selftests/watchdog/watchdog-test.c
index 6e290874b70e2..e029e2017280f 100644
--- a/tools/testing/selftests/watchdog/watchdog-test.c
+++ b/tools/testing/selftests/watchdog/watchdog-test.c
@@ -89,7 +89,13 @@ int main(int argc, char *argv[])
 	fd = open("/dev/watchdog", O_WRONLY);
 
 	if (fd == -1) {
-		printf("Watchdog device not enabled.\n");
+		if (errno == ENOENT)
+			printf("Watchdog device not enabled.\n");
+		else if (errno == EACCES)
+			printf("Run watchdog as root.\n");
+		else
+			printf("Watchdog device open failed %s\n",
+				strerror(errno));
 		exit(-1);
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 136/306] selftests: watchdog: Fix error message.
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 135/306] selftests: watchdog: fix message when /dev/watchdog open fails Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 137/306] selftests: kvm: Fix -Wformat warnings Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jerry Hoemann,
	Shuah Khan (Samsung OSG),
	Sasha Levin

From: Jerry Hoemann <jerry.hoemann@hpe.com>

[ Upstream commit 04d5e4bd37516ad60854eb74592c7dbddd75d277 ]

Printf's say errno but print the string version of error.
Make consistent.

Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com>
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/watchdog/watchdog-test.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/watchdog/watchdog-test.c b/tools/testing/selftests/watchdog/watchdog-test.c
index e029e2017280f..f1c6e025cbe54 100644
--- a/tools/testing/selftests/watchdog/watchdog-test.c
+++ b/tools/testing/selftests/watchdog/watchdog-test.c
@@ -109,7 +109,7 @@ int main(int argc, char *argv[])
 				printf("Last boot is caused by: %s.\n", (flags != 0) ?
 					"Watchdog" : "Power-On-Reset");
 			else
-				printf("WDIOC_GETBOOTSTATUS errno '%s'\n", strerror(errno));
+				printf("WDIOC_GETBOOTSTATUS error '%s'\n", strerror(errno));
 			break;
 		case 'd':
 			flags = WDIOS_DISABLECARD;
@@ -117,7 +117,7 @@ int main(int argc, char *argv[])
 			if (!ret)
 				printf("Watchdog card disabled.\n");
 			else
-				printf("WDIOS_DISABLECARD errno '%s'\n", strerror(errno));
+				printf("WDIOS_DISABLECARD error '%s'\n", strerror(errno));
 			break;
 		case 'e':
 			flags = WDIOS_ENABLECARD;
@@ -125,7 +125,7 @@ int main(int argc, char *argv[])
 			if (!ret)
 				printf("Watchdog card enabled.\n");
 			else
-				printf("WDIOS_ENABLECARD errno '%s'\n", strerror(errno));
+				printf("WDIOS_ENABLECARD error '%s'\n", strerror(errno));
 			break;
 		case 'p':
 			ping_rate = strtoul(optarg, NULL, 0);
@@ -139,7 +139,7 @@ int main(int argc, char *argv[])
 			if (!ret)
 				printf("Watchdog timeout set to %u seconds.\n", flags);
 			else
-				printf("WDIOC_SETTIMEOUT errno '%s'\n", strerror(errno));
+				printf("WDIOC_SETTIMEOUT error '%s'\n", strerror(errno));
 			break;
 		default:
 			usage(argv[0]);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 137/306] selftests: kvm: Fix -Wformat warnings
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 136/306] selftests: watchdog: Fix error message Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 138/306] selftests: fix warning: "_GNU_SOURCE" redefined Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrea Parri,
	Shuah Khan (Samsung OSG),
	Sasha Levin

From: Andrea Parri <andrea.parri@amarulasolutions.com>

[ Upstream commit fb363e2d20351e1d16629df19e7bce1a31b3227a ]

Fixes the following warnings:

dirty_log_test.c: In function ‘help’:
dirty_log_test.c:216:9: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘int’ [-Wformat=]
  printf(" -i: specify iteration counts (default: %"PRIu64")\n",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/test_util.h:18:0,
                 from dirty_log_test.c:16:
/usr/include/inttypes.h:105:34: note: format string is defined here
 # define PRIu64  __PRI64_PREFIX "u"
dirty_log_test.c:218:9: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘int’ [-Wformat=]
  printf(" -I: specify interval in ms (default: %"PRIu64" ms)\n",
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/test_util.h:18:0,
                 from dirty_log_test.c:16:
/usr/include/inttypes.h:105:34: note: format string is defined here
 # define PRIu64  __PRI64_PREFIX "u"

Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/kvm/dirty_log_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/kvm/dirty_log_test.c b/tools/testing/selftests/kvm/dirty_log_test.c
index 0c2cdc105f968..a9c4b5e21d7e7 100644
--- a/tools/testing/selftests/kvm/dirty_log_test.c
+++ b/tools/testing/selftests/kvm/dirty_log_test.c
@@ -31,9 +31,9 @@
 /* How many pages to dirty for each guest loop */
 #define  TEST_PAGES_PER_LOOP            1024
 /* How many host loops to run (one KVM_GET_DIRTY_LOG for each loop) */
-#define  TEST_HOST_LOOP_N               32
+#define  TEST_HOST_LOOP_N               32UL
 /* Interval for each host loop (ms) */
-#define  TEST_HOST_LOOP_INTERVAL        10
+#define  TEST_HOST_LOOP_INTERVAL        10UL
 
 /*
  * Guest variables.  We use these variables to share data between host
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 138/306] selftests: fix warning: "_GNU_SOURCE" redefined
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 137/306] selftests: kvm: Fix -Wformat warnings Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 139/306] thermal: rcar_thermal: fix duplicate IRQ request Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peng Hao, Shuah Khan (Samsung OSG),
	Sasha Levin

From: Peng Hao <peng.hao2@zte.com.cn>

[ Upstream commit 0387662d1b6c5ad2950d8e94d5e380af3f15c05c ]

Makefile contains -D_GNU_SOURCE. remove define "_GNU_SOURCE"
in c files.

Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/proc/fd-001-lookup.c  | 2 +-
 tools/testing/selftests/proc/fd-003-kthread.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/proc/fd-001-lookup.c b/tools/testing/selftests/proc/fd-001-lookup.c
index a2010dfb21104..60d7948e7124f 100644
--- a/tools/testing/selftests/proc/fd-001-lookup.c
+++ b/tools/testing/selftests/proc/fd-001-lookup.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 // Test /proc/*/fd lookup.
-#define _GNU_SOURCE
+
 #undef NDEBUG
 #include <assert.h>
 #include <dirent.h>
diff --git a/tools/testing/selftests/proc/fd-003-kthread.c b/tools/testing/selftests/proc/fd-003-kthread.c
index 1d659d55368c2..dc591f97b63d4 100644
--- a/tools/testing/selftests/proc/fd-003-kthread.c
+++ b/tools/testing/selftests/proc/fd-003-kthread.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 // Test that /proc/$KERNEL_THREAD/fd/ is empty.
-#define _GNU_SOURCE
+
 #undef NDEBUG
 #include <sys/syscall.h>
 #include <assert.h>
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 139/306] thermal: rcar_thermal: fix duplicate IRQ request
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 138/306] selftests: fix warning: "_GNU_SOURCE" redefined Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 140/306] thermal: rcar_thermal: Prevent hardware access during system suspend Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, Geert Uytterhoeven,
	Simon Horman, Daniel Lezcano, Eduardo Valentin, Sasha Levin

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

[ Upstream commit df016bbba63743bbef9ff5c6c282561211dd72cc ]

The driver on R8A77995 requests the same IRQ twice since
platform_get_resource() is always called for the 1st IRQ resource.

Fixes: 1969d9dc2079 ("thermal: rcar_thermal: add r8a77995 support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/thermal/rcar_thermal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/thermal/rcar_thermal.c b/drivers/thermal/rcar_thermal.c
index 8df2ce94c28d8..edaa4058686b7 100644
--- a/drivers/thermal/rcar_thermal.c
+++ b/drivers/thermal/rcar_thermal.c
@@ -493,7 +493,7 @@ static int rcar_thermal_probe(struct platform_device *pdev)
 	pm_runtime_get_sync(dev);
 
 	for (i = 0; i < chip->nirqs; i++) {
-		irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+		irq = platform_get_resource(pdev, IORESOURCE_IRQ, i);
 		if (!irq)
 			continue;
 		if (!common->base) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 140/306] thermal: rcar_thermal: Prevent hardware access during system suspend
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 139/306] thermal: rcar_thermal: fix duplicate IRQ request Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 141/306] net: ethernet: cadence: fix socket buffer corruption problem Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven,
	Niklas Söderlund, Eduardo Valentin, Sasha Levin

From: Geert Uytterhoeven <geert+renesas@glider.be>

[ Upstream commit 3a31386217628ffe2491695be2db933c25dde785 ]

On r8a7791/koelsch, sometimes the following message is printed during
system suspend:

    rcar_thermal e61f0000.thermal: thermal sensor was broken

This happens if the workqueue runs while the device is already
suspended.  Fix this by using the freezable system workqueue instead,
cfr. commit 51e20d0e3a60cf46 ("thermal: Prevent polling from happening
during system suspend").

Fixes: e0a5172e9eec7f0d ("thermal: rcar: add interrupt support")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/thermal/rcar_thermal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/thermal/rcar_thermal.c b/drivers/thermal/rcar_thermal.c
index edaa4058686b7..4dc30e7890f6c 100644
--- a/drivers/thermal/rcar_thermal.c
+++ b/drivers/thermal/rcar_thermal.c
@@ -434,8 +434,8 @@ static irqreturn_t rcar_thermal_irq(int irq, void *data)
 	rcar_thermal_for_each_priv(priv, common) {
 		if (rcar_thermal_had_changed(priv, status)) {
 			rcar_thermal_irq_disable(priv);
-			schedule_delayed_work(&priv->work,
-					      msecs_to_jiffies(300));
+			queue_delayed_work(system_freezable_wq, &priv->work,
+					   msecs_to_jiffies(300));
 		}
 	}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 141/306] net: ethernet: cadence: fix socket buffer corruption problem
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 140/306] thermal: rcar_thermal: Prevent hardware access during system suspend Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 142/306] bpf: devmap: fix wrong interface selection in notifier_call Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tristram Ha, David S. Miller, Sasha Levin

From: Tristram Ha <Tristram.Ha@microchip.com>

[ Upstream commit 899ecaedd15599c22553d158f53b127cc1632dc2 ]

Socket buffer is not re-created when headroom is 2 and tailroom is 1.

Signed-off-by: Tristram Ha <Tristram.Ha@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cadence/macb_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
index 74eeb3a985bf1..f175b20ac510a 100644
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -1721,7 +1721,7 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev)
 			padlen = 0;
 		/* No room for FCS, need to reallocate skb. */
 		else
-			padlen = ETH_FCS_LEN - tailroom;
+			padlen = ETH_FCS_LEN;
 	} else {
 		/* Add room for FCS. */
 		padlen += ETH_FCS_LEN;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 142/306] bpf: devmap: fix wrong interface selection in notifier_call
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 141/306] net: ethernet: cadence: fix socket buffer corruption problem Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 143/306] bpf, btf: fix a missing check bug in btf_parse Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Taehee Yoo, Song Liu,
	Daniel Borkmann, Sasha Levin

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit f592f804831f1cf9d1f9966f58c80f150e6829b5 ]

The dev_map_notification() removes interface in devmap if
unregistering interface's ifindex is same.
But only checking ifindex is not enough because other netns can have
same ifindex. so that wrong interface selection could occurred.
Hence netdev pointer comparison code is added.

v2: compare netdev pointer instead of using net_eq() (Daniel Borkmann)
v1: Initial patch

Fixes: 2ddf71e23cc2 ("net: add notifier hooks for devmap bpf map")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/devmap.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index fc500ca464d00..1defea4b27553 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -520,8 +520,7 @@ static int dev_map_notification(struct notifier_block *notifier,
 				struct bpf_dtab_netdev *dev, *odev;
 
 				dev = READ_ONCE(dtab->netdev_map[i]);
-				if (!dev ||
-				    dev->dev->ifindex != netdev->ifindex)
+				if (!dev || netdev != dev->dev)
 					continue;
 				odev = cmpxchg(&dtab->netdev_map[i], dev, NULL);
 				if (dev == odev)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 143/306] bpf, btf: fix a missing check bug in btf_parse
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 142/306] bpf: devmap: fix wrong interface selection in notifier_call Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 144/306] powerpc/process: Fix flush_all_to_thread for SPE Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin KaFai Lau, Song Liu,
	Daniel Borkmann, Sasha Levin, Wenwen Wang

From: Martin Lau <kafai@fb.com>

[ Upstream commit 4a6998aff82a20a1aece86a186d8e5263f8b2315 ]

Wenwen Wang reported:

  In btf_parse(), the header of the user-space btf data 'btf_data'
  is firstly parsed and verified through btf_parse_hdr().
  In btf_parse_hdr(), the header is copied from user-space 'btf_data'
  to kernel-space 'btf->hdr' and then verified. If no error happens
  during the verification process, the whole data of 'btf_data',
  including the header, is then copied to 'data' in btf_parse(). It
  is obvious that the header is copied twice here. More importantly,
  no check is enforced after the second copy to make sure the headers
  obtained in these two copies are same. Given that 'btf_data' resides
  in the user space, a malicious user can race to modify the header
  between these two copies. By doing so, the user can inject
  inconsistent data, which can cause undefined behavior of the
  kernel and introduce potential security risk.

This issue is similar to the one fixed in commit 8af03d1ae2e1 ("bpf:
btf: Fix a missing check bug"). To fix it, this patch copies the user
'btf_data' *before* parsing / verifying the BTF header.

Fixes: 69b693f0aefa ("bpf: btf: Introduce BPF Type Format (BTF)")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Co-developed-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/btf.c | 55 ++++++++++++++++++++++--------------------------
 1 file changed, 25 insertions(+), 30 deletions(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 378cef70341c4..cfa27b7d1168c 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -2067,50 +2067,44 @@ static int btf_check_sec_info(struct btf_verifier_env *env,
 	return 0;
 }
 
-static int btf_parse_hdr(struct btf_verifier_env *env, void __user *btf_data,
-			 u32 btf_data_size)
+static int btf_parse_hdr(struct btf_verifier_env *env)
 {
+	u32 hdr_len, hdr_copy, btf_data_size;
 	const struct btf_header *hdr;
-	u32 hdr_len, hdr_copy;
-	/*
-	 * Minimal part of the "struct btf_header" that
-	 * contains the hdr_len.
-	 */
-	struct btf_min_header {
-		u16	magic;
-		u8	version;
-		u8	flags;
-		u32	hdr_len;
-	} __user *min_hdr;
 	struct btf *btf;
 	int err;
 
 	btf = env->btf;
-	min_hdr = btf_data;
+	btf_data_size = btf->data_size;
 
-	if (btf_data_size < sizeof(*min_hdr)) {
+	if (btf_data_size <
+	    offsetof(struct btf_header, hdr_len) + sizeof(hdr->hdr_len)) {
 		btf_verifier_log(env, "hdr_len not found");
 		return -EINVAL;
 	}
 
-	if (get_user(hdr_len, &min_hdr->hdr_len))
-		return -EFAULT;
-
+	hdr = btf->data;
+	hdr_len = hdr->hdr_len;
 	if (btf_data_size < hdr_len) {
 		btf_verifier_log(env, "btf_header not found");
 		return -EINVAL;
 	}
 
-	err = bpf_check_uarg_tail_zero(btf_data, sizeof(btf->hdr), hdr_len);
-	if (err) {
-		if (err == -E2BIG)
-			btf_verifier_log(env, "Unsupported btf_header");
-		return err;
+	/* Ensure the unsupported header fields are zero */
+	if (hdr_len > sizeof(btf->hdr)) {
+		u8 *expected_zero = btf->data + sizeof(btf->hdr);
+		u8 *end = btf->data + hdr_len;
+
+		for (; expected_zero < end; expected_zero++) {
+			if (*expected_zero) {
+				btf_verifier_log(env, "Unsupported btf_header");
+				return -E2BIG;
+			}
+		}
 	}
 
 	hdr_copy = min_t(u32, hdr_len, sizeof(btf->hdr));
-	if (copy_from_user(&btf->hdr, btf_data, hdr_copy))
-		return -EFAULT;
+	memcpy(&btf->hdr, btf->data, hdr_copy);
 
 	hdr = &btf->hdr;
 
@@ -2186,10 +2180,6 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size,
 	}
 	env->btf = btf;
 
-	err = btf_parse_hdr(env, btf_data, btf_data_size);
-	if (err)
-		goto errout;
-
 	data = kvmalloc(btf_data_size, GFP_KERNEL | __GFP_NOWARN);
 	if (!data) {
 		err = -ENOMEM;
@@ -2198,13 +2188,18 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size,
 
 	btf->data = data;
 	btf->data_size = btf_data_size;
-	btf->nohdr_data = btf->data + btf->hdr.hdr_len;
 
 	if (copy_from_user(data, btf_data, btf_data_size)) {
 		err = -EFAULT;
 		goto errout;
 	}
 
+	err = btf_parse_hdr(env);
+	if (err)
+		goto errout;
+
+	btf->nohdr_data = btf->data + btf->hdr.hdr_len;
+
 	err = btf_parse_str_sec(env);
 	if (err)
 		goto errout;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 144/306] powerpc/process: Fix flush_all_to_thread for SPE
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 143/306] bpf, btf: fix a missing check bug in btf_parse Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 145/306] sparc64: Rework xchg() definition to avoid warnings Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe Rechia, Michael Ellerman, Sasha Levin

From: Felipe Rechia <felipe.rechia@datacom.com.br>

[ Upstream commit e901378578c62202594cba0f6c076f3df365ec91 ]

Fix a bug introduced by the creation of flush_all_to_thread() for
processors that have SPE (Signal Processing Engine) and use it to
compute floating-point operations.

>From userspace perspective, the problem was seen in attempts of
computing floating-point operations which should generate exceptions.
For example:

  fork();
  float x = 0.0 / 0.0;
  isnan(x);           // forked process returns False (should be True)

The operation above also should always cause the SPEFSCR FINV bit to
be set. However, the SPE floating-point exceptions were turned off
after a fork().

Kernel versions prior to the bug used flush_spe_to_thread(), which
first saves SPEFSCR register values in tsk->thread and then calls
giveup_spe(tsk).

After commit 579e633e764e, the save_all() function was called first
to giveup_spe(), and then the SPEFSCR register values were saved in
tsk->thread. This would save the SPEFSCR register values after
disabling SPE for that thread, causing the bug described above.

Fixes 579e633e764e ("powerpc: create flush_all_to_thread()")
Signed-off-by: Felipe Rechia <felipe.rechia@datacom.com.br>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/process.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 909c9407e392a..02b69a68139cc 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -575,12 +575,11 @@ void flush_all_to_thread(struct task_struct *tsk)
 	if (tsk->thread.regs) {
 		preempt_disable();
 		BUG_ON(tsk != current);
-		save_all(tsk);
-
 #ifdef CONFIG_SPE
 		if (tsk->thread.regs->msr & MSR_SPE)
 			tsk->thread.spefscr = mfspr(SPRN_SPEFSCR);
 #endif
+		save_all(tsk);
 
 		preempt_enable();
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 145/306] sparc64: Rework xchg() definition to avoid warnings.
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 144/306] powerpc/process: Fix flush_all_to_thread for SPE Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 146/306] arm64: lib: use C string functions with KASAN enabled Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller, Sasha Levin

From: David S. Miller <davem@davemloft.net>

[ Upstream commit 6c2fc9cddc1ffdef8ada1dc8404e5affae849953 ]

Such as:

fs/ocfs2/file.c: In function ‘ocfs2_file_write_iter’:
./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
 #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))

and

drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c: In function ‘ixgbevf_xdp_setup’:
./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
 #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/include/asm/cmpxchg_64.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/sparc/include/asm/cmpxchg_64.h b/arch/sparc/include/asm/cmpxchg_64.h
index f71ef3729888f..316faa0130bab 100644
--- a/arch/sparc/include/asm/cmpxchg_64.h
+++ b/arch/sparc/include/asm/cmpxchg_64.h
@@ -52,7 +52,12 @@ static inline unsigned long xchg64(__volatile__ unsigned long *m, unsigned long
 	return val;
 }
 
-#define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
+#define xchg(ptr,x)							\
+({	__typeof__(*(ptr)) __ret;					\
+	__ret = (__typeof__(*(ptr)))					\
+		__xchg((unsigned long)(x), (ptr), sizeof(*(ptr)));	\
+	__ret;								\
+})
 
 void __xchg_called_with_bad_pointer(void);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 146/306] arm64: lib: use C string functions with KASAN enabled
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 145/306] sparc64: Rework xchg() definition to avoid warnings Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 147/306] fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle() Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Ryabinin, Kyeongdon Kim,
	Alexander Potapenko, Ard Biesheuvel, Dmitry Vyukov, Mark Rutland,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Andrey Ryabinin <aryabinin@virtuozzo.com>

[ Upstream commit 19a2ca0fb560fd7be7b5293c6b652c6d6078dcde ]

ARM64 has asm implementation of memchr(), memcmp(), str[r]chr(),
str[n]cmp(), str[n]len().  KASAN don't see memory accesses in asm code,
thus it can potentially miss many bugs.

Ifdef out __HAVE_ARCH_* defines of these functions when KASAN is enabled,
so the generic implementations from lib/string.c will be used.

We can't just remove the asm functions because efistub uses them.  And we
can't have two non-weak functions either, so declare the asm functions as
weak.

Link: http://lkml.kernel.org/r/20180920135631.23833-2-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reported-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/string.h | 14 ++++++++------
 arch/arm64/kernel/arm64ksyms.c  |  7 +++++--
 arch/arm64/lib/memchr.S         |  2 +-
 arch/arm64/lib/memcmp.S         |  2 +-
 arch/arm64/lib/strchr.S         |  2 +-
 arch/arm64/lib/strcmp.S         |  2 +-
 arch/arm64/lib/strlen.S         |  2 +-
 arch/arm64/lib/strncmp.S        |  2 +-
 arch/arm64/lib/strnlen.S        |  2 +-
 arch/arm64/lib/strrchr.S        |  2 +-
 10 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/arch/arm64/include/asm/string.h b/arch/arm64/include/asm/string.h
index dd95d33a5bd5d..03a6c256b7ec4 100644
--- a/arch/arm64/include/asm/string.h
+++ b/arch/arm64/include/asm/string.h
@@ -16,6 +16,7 @@
 #ifndef __ASM_STRING_H
 #define __ASM_STRING_H
 
+#ifndef CONFIG_KASAN
 #define __HAVE_ARCH_STRRCHR
 extern char *strrchr(const char *, int c);
 
@@ -34,6 +35,13 @@ extern __kernel_size_t strlen(const char *);
 #define __HAVE_ARCH_STRNLEN
 extern __kernel_size_t strnlen(const char *, __kernel_size_t);
 
+#define __HAVE_ARCH_MEMCMP
+extern int memcmp(const void *, const void *, size_t);
+
+#define __HAVE_ARCH_MEMCHR
+extern void *memchr(const void *, int, __kernel_size_t);
+#endif
+
 #define __HAVE_ARCH_MEMCPY
 extern void *memcpy(void *, const void *, __kernel_size_t);
 extern void *__memcpy(void *, const void *, __kernel_size_t);
@@ -42,16 +50,10 @@ extern void *__memcpy(void *, const void *, __kernel_size_t);
 extern void *memmove(void *, const void *, __kernel_size_t);
 extern void *__memmove(void *, const void *, __kernel_size_t);
 
-#define __HAVE_ARCH_MEMCHR
-extern void *memchr(const void *, int, __kernel_size_t);
-
 #define __HAVE_ARCH_MEMSET
 extern void *memset(void *, int, __kernel_size_t);
 extern void *__memset(void *, int, __kernel_size_t);
 
-#define __HAVE_ARCH_MEMCMP
-extern int memcmp(const void *, const void *, size_t);
-
 #ifdef CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE
 #define __HAVE_ARCH_MEMCPY_FLUSHCACHE
 void memcpy_flushcache(void *dst, const void *src, size_t cnt);
diff --git a/arch/arm64/kernel/arm64ksyms.c b/arch/arm64/kernel/arm64ksyms.c
index d894a20b70b28..72f63a59b0088 100644
--- a/arch/arm64/kernel/arm64ksyms.c
+++ b/arch/arm64/kernel/arm64ksyms.c
@@ -44,20 +44,23 @@ EXPORT_SYMBOL(__arch_copy_in_user);
 EXPORT_SYMBOL(memstart_addr);
 
 	/* string / mem functions */
+#ifndef CONFIG_KASAN
 EXPORT_SYMBOL(strchr);
 EXPORT_SYMBOL(strrchr);
 EXPORT_SYMBOL(strcmp);
 EXPORT_SYMBOL(strncmp);
 EXPORT_SYMBOL(strlen);
 EXPORT_SYMBOL(strnlen);
+EXPORT_SYMBOL(memcmp);
+EXPORT_SYMBOL(memchr);
+#endif
+
 EXPORT_SYMBOL(memset);
 EXPORT_SYMBOL(memcpy);
 EXPORT_SYMBOL(memmove);
 EXPORT_SYMBOL(__memset);
 EXPORT_SYMBOL(__memcpy);
 EXPORT_SYMBOL(__memmove);
-EXPORT_SYMBOL(memchr);
-EXPORT_SYMBOL(memcmp);
 
 	/* atomic bitops */
 EXPORT_SYMBOL(set_bit);
diff --git a/arch/arm64/lib/memchr.S b/arch/arm64/lib/memchr.S
index 4444c1d25f4bb..0f164a4baf52a 100644
--- a/arch/arm64/lib/memchr.S
+++ b/arch/arm64/lib/memchr.S
@@ -30,7 +30,7 @@
  * Returns:
  *	x0 - address of first occurrence of 'c' or 0
  */
-ENTRY(memchr)
+WEAK(memchr)
 	and	w1, w1, #0xff
 1:	subs	x2, x2, #1
 	b.mi	2f
diff --git a/arch/arm64/lib/memcmp.S b/arch/arm64/lib/memcmp.S
index 2a4e239bd17a0..fb295f52e9f87 100644
--- a/arch/arm64/lib/memcmp.S
+++ b/arch/arm64/lib/memcmp.S
@@ -58,7 +58,7 @@ pos		.req	x11
 limit_wd	.req	x12
 mask		.req	x13
 
-ENTRY(memcmp)
+WEAK(memcmp)
 	cbz	limit, .Lret0
 	eor	tmp1, src1, src2
 	tst	tmp1, #7
diff --git a/arch/arm64/lib/strchr.S b/arch/arm64/lib/strchr.S
index dae0cf5591f99..7c83091d1bcdd 100644
--- a/arch/arm64/lib/strchr.S
+++ b/arch/arm64/lib/strchr.S
@@ -29,7 +29,7 @@
  * Returns:
  *	x0 - address of first occurrence of 'c' or 0
  */
-ENTRY(strchr)
+WEAK(strchr)
 	and	w1, w1, #0xff
 1:	ldrb	w2, [x0], #1
 	cmp	w2, w1
diff --git a/arch/arm64/lib/strcmp.S b/arch/arm64/lib/strcmp.S
index 471fe61760ef6..7d5d15398bfbc 100644
--- a/arch/arm64/lib/strcmp.S
+++ b/arch/arm64/lib/strcmp.S
@@ -60,7 +60,7 @@ tmp3		.req	x9
 zeroones	.req	x10
 pos		.req	x11
 
-ENTRY(strcmp)
+WEAK(strcmp)
 	eor	tmp1, src1, src2
 	mov	zeroones, #REP8_01
 	tst	tmp1, #7
diff --git a/arch/arm64/lib/strlen.S b/arch/arm64/lib/strlen.S
index 55ccc8e24c084..8e0b14205dcb4 100644
--- a/arch/arm64/lib/strlen.S
+++ b/arch/arm64/lib/strlen.S
@@ -56,7 +56,7 @@ pos		.req	x12
 #define REP8_7f 0x7f7f7f7f7f7f7f7f
 #define REP8_80 0x8080808080808080
 
-ENTRY(strlen)
+WEAK(strlen)
 	mov	zeroones, #REP8_01
 	bic	src, srcin, #15
 	ands	tmp1, srcin, #15
diff --git a/arch/arm64/lib/strncmp.S b/arch/arm64/lib/strncmp.S
index e267044761c6f..66bd145935d9e 100644
--- a/arch/arm64/lib/strncmp.S
+++ b/arch/arm64/lib/strncmp.S
@@ -64,7 +64,7 @@ limit_wd	.req	x13
 mask		.req	x14
 endloop		.req	x15
 
-ENTRY(strncmp)
+WEAK(strncmp)
 	cbz	limit, .Lret0
 	eor	tmp1, src1, src2
 	mov	zeroones, #REP8_01
diff --git a/arch/arm64/lib/strnlen.S b/arch/arm64/lib/strnlen.S
index eae38da6e0bb3..355be04441fe6 100644
--- a/arch/arm64/lib/strnlen.S
+++ b/arch/arm64/lib/strnlen.S
@@ -59,7 +59,7 @@ limit_wd	.req	x14
 #define REP8_7f 0x7f7f7f7f7f7f7f7f
 #define REP8_80 0x8080808080808080
 
-ENTRY(strnlen)
+WEAK(strnlen)
 	cbz	limit, .Lhit_limit
 	mov	zeroones, #REP8_01
 	bic	src, srcin, #15
diff --git a/arch/arm64/lib/strrchr.S b/arch/arm64/lib/strrchr.S
index f8e2784d57521..ea84924d59901 100644
--- a/arch/arm64/lib/strrchr.S
+++ b/arch/arm64/lib/strrchr.S
@@ -29,7 +29,7 @@
  * Returns:
  *	x0 - address of last occurrence of 'c' or 0
  */
-ENTRY(strrchr)
+WEAK(strrchr)
 	mov	x3, #0
 	and	w1, w1, #0xff
 1:	ldrb	w2, [x0], #1
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 147/306] fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 146/306] arm64: lib: use C string functions with KASAN enabled Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 148/306] mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, Andrew Morton,
	Mark Fasheh, Joel Becker, Junxiao Bi, Joseph Qi, Changwei Ge,
	Linus Torvalds, Sasha Levin

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit 999865764f5f128896402572b439269acb471022 ]

The kernel module may sleep with holding a spinlock.

The function call paths (from bottom to top) in Linux-4.16 are:

[FUNC] get_zeroed_page(GFP_NOFS)
fs/ocfs2/dlm/dlmdebug.c, 332: get_zeroed_page in dlm_print_one_mle
fs/ocfs2/dlm/dlmmaster.c, 240: dlm_print_one_mle in __dlm_put_mle
fs/ocfs2/dlm/dlmmaster.c, 255: __dlm_put_mle in dlm_put_mle
fs/ocfs2/dlm/dlmmaster.c, 254: spin_lock in dlm_put_ml

[FUNC] get_zeroed_page(GFP_NOFS)
fs/ocfs2/dlm/dlmdebug.c, 332: get_zeroed_page in dlm_print_one_mle
fs/ocfs2/dlm/dlmmaster.c, 240: dlm_print_one_mle in __dlm_put_mle
fs/ocfs2/dlm/dlmmaster.c, 222: __dlm_put_mle in dlm_put_mle_inuse
fs/ocfs2/dlm/dlmmaster.c, 219: spin_lock in dlm_put_mle_inuse

To fix this bug, GFP_NOFS is replaced with GFP_ATOMIC.

This bug is found by my static analysis tool DSAC.

Link: http://lkml.kernel.org/r/20180901112528.27025-1-baijiaju1990@gmail.com
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <ge.changwei@h3c.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/dlm/dlmdebug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ocfs2/dlm/dlmdebug.c b/fs/ocfs2/dlm/dlmdebug.c
index 9b984cae4c4e0..1d6dc8422899b 100644
--- a/fs/ocfs2/dlm/dlmdebug.c
+++ b/fs/ocfs2/dlm/dlmdebug.c
@@ -329,7 +329,7 @@ void dlm_print_one_mle(struct dlm_master_list_entry *mle)
 {
 	char *buf;
 
-	buf = (char *) get_zeroed_page(GFP_NOFS);
+	buf = (char *) get_zeroed_page(GFP_ATOMIC);
 	if (buf) {
 		dump_mle(mle, buf, PAGE_SIZE - 1);
 		free_page((unsigned long)buf);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 148/306] mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 147/306] fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle() Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:29 ` [PATCH 4.19 149/306] tools/testing/selftests/vm/gup_benchmark.c: fix write flag usage Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Chinner, Jan Kara,
	Nicholas Piggin, Andrew Morton, Linus Torvalds, Sasha Levin

From: Dave Chinner <dchinner@redhat.com>

[ Upstream commit 64081362e8ff4587b4554087f3cfc73d3e0a4cd7 ]

We've recently seen a workload on XFS filesystems with a repeatable
deadlock between background writeback and a multi-process application
doing concurrent writes and fsyncs to a small range of a file.

range_cyclic
writeback		Process 1		Process 2

xfs_vm_writepages
  write_cache_pages
    writeback_index = 2
    cycled = 0
    ....
    find page 2 dirty
    lock Page 2
    ->writepage
      page 2 writeback
      page 2 clean
      page 2 added to bio
    no more pages
			write()
			locks page 1
			dirties page 1
			locks page 2
			dirties page 1
			fsync()
			....
			xfs_vm_writepages
			write_cache_pages
			  start index 0
			  find page 1 towrite
			  lock Page 1
			  ->writepage
			    page 1 writeback
			    page 1 clean
			    page 1 added to bio
			  find page 2 towrite
			  lock Page 2
			  page 2 is writeback
			  <blocks>
						write()
						locks page 1
						dirties page 1
						fsync()
						....
						xfs_vm_writepages
						write_cache_pages
						  start index 0

    !done && !cycled
      sets index to 0, restarts lookup
    find page 1 dirty
						  find page 1 towrite
						  lock Page 1
						  page 1 is writeback
						  <blocks>

    lock Page 1
    <blocks>

DEADLOCK because:

	- process 1 needs page 2 writeback to complete to make
	  enough progress to issue IO pending for page 1
	- writeback needs page 1 writeback to complete so process 2
	  can progress and unlock the page it is blocked on, then it
	  can issue the IO pending for page 2
	- process 2 can't make progress until process 1 issues IO
	  for page 1

The underlying cause of the problem here is that range_cyclic writeback is
processing pages in descending index order as we hold higher index pages
in a structure controlled from above write_cache_pages().  The
write_cache_pages() caller needs to be able to submit these pages for IO
before write_cache_pages restarts writeback at mapping index 0 to avoid
wcp inverting the page lock/writeback wait order.

generic_writepages() is not susceptible to this bug as it has no private
context held across write_cache_pages() - filesystems using this
infrastructure always submit pages in ->writepage immediately and so there
is no problem with range_cyclic going back to mapping index 0.

However:
	mpage_writepages() has a private bio context,
	exofs_writepages() has page_collect
	fuse_writepages() has fuse_fill_wb_data
	nfs_writepages() has nfs_pageio_descriptor
	xfs_vm_writepages() has xfs_writepage_ctx

All of these ->writepages implementations can hold pages under writeback
in their private structures until write_cache_pages() returns, and hence
they are all susceptible to this deadlock.

Also worth noting is that ext4 has it's own bastardised version of
write_cache_pages() and so it /may/ have an equivalent deadlock.  I looked
at the code long enough to understand that it has a similar retry loop for
range_cyclic writeback reaching the end of the file and then promptly ran
away before my eyes bled too much.  I'll leave it for the ext4 developers
to determine if their code is actually has this deadlock and how to fix it
if it has.

There's a few ways I can see avoid this deadlock.  There's probably more,
but these are the first I've though of:

1. get rid of range_cyclic altogether

2. range_cyclic always stops at EOF, and we start again from
writeback index 0 on the next call into write_cache_pages()

2a. wcp also returns EAGAIN to ->writepages implementations to
indicate range cyclic has hit EOF. writepages implementations can
then flush the current context and call wpc again to continue. i.e.
lift the retry into the ->writepages implementation

3. range_cyclic uses trylock_page() rather than lock_page(), and it
skips pages it can't lock without blocking. It will already do this
for pages under writeback, so this seems like a no-brainer

3a. all non-WB_SYNC_ALL writeback uses trylock_page() to avoid
blocking as per pages under writeback.

I don't think #1 is an option - range_cyclic prevents frequently
dirtied lower file offset from starving background writeback of
rarely touched higher file offsets.

#2 is simple, and I don't think it will have any impact on
performance as going back to the start of the file implies an
immediate seek. We'll have exactly the same number of seeks if we
switch writeback to another inode, and then come back to this one
later and restart from index 0.

#2a is pretty much "status quo without the deadlock". Moving the
retry loop up into the wcp caller means we can issue IO on the
pending pages before calling wcp again, and so avoid locking or
waiting on pages in the wrong order. I'm not convinced we need to do
this given that we get the same thing from #2 on the next writeback
call from the writeback infrastructure.

#3 is really just a band-aid - it doesn't fix the access/wait
inversion problem, just prevents it from becoming a deadlock
situation. I'd prefer we fix the inversion, not sweep it under the
carpet like this.

#3a is really an optimisation that just so happens to include the
band-aid fix of #3.

So it seems that the simplest way to fix this issue is to implement
solution #2

Link: http://lkml.kernel.org/r/20181005054526.21507-1-david@fromorbit.com
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Jan Kara <jack@suse.de>
Cc: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/page-writeback.c | 33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index ea4fd3af3b4bd..43df0c52e1ccb 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -2149,6 +2149,13 @@ EXPORT_SYMBOL(tag_pages_for_writeback);
  * not miss some pages (e.g., because some other process has cleared TOWRITE
  * tag we set). The rule we follow is that TOWRITE tag can be cleared only
  * by the process clearing the DIRTY tag (and submitting the page for IO).
+ *
+ * To avoid deadlocks between range_cyclic writeback and callers that hold
+ * pages in PageWriteback to aggregate IO until write_cache_pages() returns,
+ * we do not loop back to the start of the file. Doing so causes a page
+ * lock/page writeback access order inversion - we should only ever lock
+ * multiple pages in ascending page->index order, and looping back to the start
+ * of the file violates that rule and causes deadlocks.
  */
 int write_cache_pages(struct address_space *mapping,
 		      struct writeback_control *wbc, writepage_t writepage,
@@ -2163,7 +2170,6 @@ int write_cache_pages(struct address_space *mapping,
 	pgoff_t index;
 	pgoff_t end;		/* Inclusive */
 	pgoff_t done_index;
-	int cycled;
 	int range_whole = 0;
 	int tag;
 
@@ -2171,23 +2177,17 @@ int write_cache_pages(struct address_space *mapping,
 	if (wbc->range_cyclic) {
 		writeback_index = mapping->writeback_index; /* prev offset */
 		index = writeback_index;
-		if (index == 0)
-			cycled = 1;
-		else
-			cycled = 0;
 		end = -1;
 	} else {
 		index = wbc->range_start >> PAGE_SHIFT;
 		end = wbc->range_end >> PAGE_SHIFT;
 		if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX)
 			range_whole = 1;
-		cycled = 1; /* ignore range_cyclic tests */
 	}
 	if (wbc->sync_mode == WB_SYNC_ALL || wbc->tagged_writepages)
 		tag = PAGECACHE_TAG_TOWRITE;
 	else
 		tag = PAGECACHE_TAG_DIRTY;
-retry:
 	if (wbc->sync_mode == WB_SYNC_ALL || wbc->tagged_writepages)
 		tag_pages_for_writeback(mapping, index, end);
 	done_index = index;
@@ -2279,17 +2279,14 @@ int write_cache_pages(struct address_space *mapping,
 		pagevec_release(&pvec);
 		cond_resched();
 	}
-	if (!cycled && !done) {
-		/*
-		 * range_cyclic:
-		 * We hit the last page and there is more work to be done: wrap
-		 * back to the start of the file
-		 */
-		cycled = 1;
-		index = 0;
-		end = writeback_index - 1;
-		goto retry;
-	}
+
+	/*
+	 * If we hit the last page and there is more work to be done: wrap
+	 * back the index back to the start of the file for the next
+	 * time we are called.
+	 */
+	if (wbc->range_cyclic && !done)
+		done_index = 0;
 	if (wbc->range_cyclic || (range_whole && wbc->nr_to_write > 0))
 		mapping->writeback_index = done_index;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 149/306] tools/testing/selftests/vm/gup_benchmark.c: fix write flag usage
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 148/306] mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock Greg Kroah-Hartman
@ 2019-11-27 20:29 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 150/306] mm: thp: fix MADV_DONTNEED vs migrate_misplaced_transhuge_page race condition Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keith Busch, Kirill A. Shutemov,
	Andrew Morton, Dave Hansen, Dan Williams, Linus Torvalds,
	Sasha Levin

From: Keith Busch <keith.busch@intel.com>

[ Upstream commit 319e0bec1aecb36c5ac6d23812af487ff2c8f47f ]

If the '-w' parameter was provided, the benchmark would exit due to a
mssing 'break'.

Link: http://lkml.kernel.org/r/20181010195605.10689-3-keith.busch@intel.com
Signed-off-by: Keith Busch <keith.busch@intel.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/vm/gup_benchmark.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/vm/gup_benchmark.c b/tools/testing/selftests/vm/gup_benchmark.c
index 9601bc24454d9..17da711f26afb 100644
--- a/tools/testing/selftests/vm/gup_benchmark.c
+++ b/tools/testing/selftests/vm/gup_benchmark.c
@@ -51,6 +51,7 @@ int main(int argc, char **argv)
 			break;
 		case 'w':
 			write = 1;
+			break;
 		default:
 			return -1;
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 150/306] mm: thp: fix MADV_DONTNEED vs migrate_misplaced_transhuge_page race condition
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2019-11-27 20:29 ` [PATCH 4.19 149/306] tools/testing/selftests/vm/gup_benchmark.c: fix write flag usage Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 151/306] macsec: update operstate when lower device changes Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrea Arcangeli, Aaron Tomlin,
	Mel Gorman, Kirill A. Shutemov, Jerome Glisse, Andrew Morton,
	Linus Torvalds, Sasha Levin

From: Andrea Arcangeli <aarcange@redhat.com>

[ Upstream commit d7c3393413fe7e7dc54498ea200ea94742d61e18 ]

Patch series "migrate_misplaced_transhuge_page race conditions".

Aaron found a new instance of the THP MADV_DONTNEED race against
pmdp_clear_flush* variants, that was apparently left unfixed.

While looking into the race found by Aaron, I may have found two more
issues in migrate_misplaced_transhuge_page.

These race conditions would not cause kernel instability, but they'd
corrupt userland data or leave data non zero after MADV_DONTNEED.

I did only minor testing, and I don't expect to be able to reproduce this
(especially the lack of ->invalidate_range before migrate_page_copy,
requires the latest iommu hardware or infiniband to reproduce).  The last
patch is noop for x86 and it needs further review from maintainers of
archs that implement flush_cache_range() (not in CC yet).

To avoid confusion, it's not the first patch that introduces the bug fixed
in the second patch, even before removing the
pmdp_huge_clear_flush_notify, that _notify suffix was called after
migrate_page_copy already run.

This patch (of 3):

This is a corollary of ced108037c2aa ("thp: fix MADV_DONTNEED vs.  numa
balancing race"), 58ceeb6bec8 ("thp: fix MADV_DONTNEED vs.  MADV_FREE
race") and 5b7abeae3af8c ("thp: fix MADV_DONTNEED vs clear soft dirty
race).

When the above three fixes where posted Dave asked
https://lkml.kernel.org/r/929b3844-aec2-0111-fef7-8002f9d4e2b9@intel.com
but apparently this was missed.

The pmdp_clear_flush* in migrate_misplaced_transhuge_page() was introduced
in a54a407fbf7 ("mm: Close races between THP migration and PMD numa
clearing").

The important part of such commit is only the part where the page lock is
not released until the first do_huge_pmd_numa_page() finished disarming
the pagenuma/protnone.

The addition of pmdp_clear_flush() wasn't beneficial to such commit and
there's no commentary about such an addition either.

I guess the pmdp_clear_flush() in such commit was added just in case for
safety, but it ended up introducing the MADV_DONTNEED race condition found
by Aaron.

At that point in time nobody thought of such kind of MADV_DONTNEED race
conditions yet (they were fixed later) so the code may have looked more
robust by adding the pmdp_clear_flush().

This specific race condition won't destabilize the kernel, but it can
confuse userland because after MADV_DONTNEED the memory won't be zeroed
out.

This also optimizes the code and removes a superfluous TLB flush.

[akpm@linux-foundation.org: reflow comment to 80 cols, fix grammar and typo (beacuse)]
Link: http://lkml.kernel.org/r/20181013002430.698-2-aarcange@redhat.com
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Aaron Tomlin <atomlin@redhat.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/migrate.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/mm/migrate.c b/mm/migrate.c
index 0c48191a90368..4d3588c012034 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -2048,15 +2048,26 @@ int migrate_misplaced_transhuge_page(struct mm_struct *mm,
 	entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);
 
 	/*
-	 * Clear the old entry under pagetable lock and establish the new PTE.
-	 * Any parallel GUP will either observe the old page blocking on the
-	 * page lock, block on the page table lock or observe the new page.
-	 * The SetPageUptodate on the new page and page_add_new_anon_rmap
-	 * guarantee the copy is visible before the pagetable update.
+	 * Overwrite the old entry under pagetable lock and establish
+	 * the new PTE. Any parallel GUP will either observe the old
+	 * page blocking on the page lock, block on the page table
+	 * lock or observe the new page. The SetPageUptodate on the
+	 * new page and page_add_new_anon_rmap guarantee the copy is
+	 * visible before the pagetable update.
 	 */
 	flush_cache_range(vma, mmun_start, mmun_end);
 	page_add_anon_rmap(new_page, vma, mmun_start, true);
-	pmdp_huge_clear_flush_notify(vma, mmun_start, pmd);
+	/*
+	 * At this point the pmd is numa/protnone (i.e. non present) and the TLB
+	 * has already been flushed globally.  So no TLB can be currently
+	 * caching this non present pmd mapping.  There's no need to clear the
+	 * pmd before doing set_pmd_at(), nor to flush the TLB after
+	 * set_pmd_at().  Clearing the pmd here would introduce a race
+	 * condition against MADV_DONTNEED, because MADV_DONTNEED only holds the
+	 * mmap_sem for reading.  If the pmd is set to NULL at any given time,
+	 * MADV_DONTNEED won't wait on the pmd lock and it'll skip clearing this
+	 * pmd.
+	 */
 	set_pmd_at(mm, mmun_start, pmd, entry);
 	update_mmu_cache_pmd(vma, address, &entry);
 
@@ -2070,7 +2081,7 @@ int migrate_misplaced_transhuge_page(struct mm_struct *mm,
 	 * No need to double call mmu_notifier->invalidate_range() callback as
 	 * the above pmdp_huge_clear_flush_notify() did already call it.
 	 */
-	mmu_notifier_invalidate_range_only_end(mm, mmun_start, mmun_end);
+	mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
 
 	/* Take an "isolate" reference and put new page on the LRU. */
 	get_page(new_page);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 151/306] macsec: update operstate when lower device changes
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 150/306] mm: thp: fix MADV_DONTNEED vs migrate_misplaced_transhuge_page race condition Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 152/306] macsec: let the administrator set UP state even if lowerdev is down Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Radu Rendec, Patrick Talbert,
	Sabrina Dubroca, David S. Miller, Sasha Levin

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit e6ac075882b2afcdf2d5ab328ce4ab42a1eb9593 ]

Like all other virtual devices (macvlan, vlan), the operstate of a
macsec device should match the state of its lower device. This is done
by calling netif_stacked_transfer_operstate from its netdevice notifier.

We also need to call netif_stacked_transfer_operstate when a new macsec
device is created, so that its operstate is set properly. This is only
relevant when we try to bring the device up directly when we create it.

Radu Rendec proposed a similar patch, inspired from the 802.1q driver,
that included changing the administrative state of the macsec device,
instead of just the operstate. This version is similar to what the
macvlan driver does, and updates only the operstate.

Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Reported-by: Radu Rendec <radu.rendec@gmail.com>
Reported-by: Patrick Talbert <ptalbert@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/macsec.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 05115fb0c97a9..50acd8c9d7f53 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -3305,6 +3305,9 @@ static int macsec_newlink(struct net *net, struct net_device *dev,
 	if (err < 0)
 		goto del_dev;
 
+	netif_stacked_transfer_operstate(real_dev, dev);
+	linkwatch_fire_event(dev);
+
 	macsec_generation++;
 
 	return 0;
@@ -3489,6 +3492,20 @@ static int macsec_notify(struct notifier_block *this, unsigned long event,
 		return NOTIFY_DONE;
 
 	switch (event) {
+	case NETDEV_DOWN:
+	case NETDEV_UP:
+	case NETDEV_CHANGE: {
+		struct macsec_dev *m, *n;
+		struct macsec_rxh_data *rxd;
+
+		rxd = macsec_data_rtnl(real_dev);
+		list_for_each_entry_safe(m, n, &rxd->secys, secys) {
+			struct net_device *dev = m->secy.netdev;
+
+			netif_stacked_transfer_operstate(real_dev, dev);
+		}
+		break;
+	}
 	case NETDEV_UNREGISTER: {
 		struct macsec_dev *m, *n;
 		struct macsec_rxh_data *rxd;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 152/306] macsec: let the administrator set UP state even if lowerdev is down
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 151/306] macsec: update operstate when lower device changes Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 153/306] block: fix the DISCARD request merge Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Radu Rendec, Sabrina Dubroca,
	David S. Miller, Sasha Levin

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 07bddef9839378bd6f95b393cf24c420529b4ef1 ]

Currently, the kernel doesn't let the administrator set a macsec device
up unless its lower device is currently up. This is inconsistent, as a
macsec device that is up won't automatically go down when its lower
device goes down.

Now that linkstate propagation works, there's really no reason for this
limitation, so let's remove it.

Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Reported-by: Radu Rendec <radu.rendec@gmail.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/macsec.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 50acd8c9d7f53..10a8ef2d025a1 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -2813,9 +2813,6 @@ static int macsec_dev_open(struct net_device *dev)
 	struct net_device *real_dev = macsec->real_dev;
 	int err;
 
-	if (!(real_dev->flags & IFF_UP))
-		return -ENETDOWN;
-
 	err = dev_uc_add(real_dev, dev->dev_addr);
 	if (err < 0)
 		return err;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 153/306] block: fix the DISCARD request merge
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 152/306] macsec: let the administrator set UP state even if lowerdev is down Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-12-14 14:13   ` [PATCH 4.19 153/306] block: fix the DISCARD request merge (4.19.87+ crash) Andre Tomt
  2019-11-27 20:30 ` [PATCH 4.19 154/306] i2c: uniphier-f: make driver robust against concurrency Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Ming Lei,
	Jianchao Wang, Jens Axboe, Sasha Levin

From: Jianchao Wang <jianchao.w.wang@oracle.com>

[ Upstream commit 69840466086d2248898020a08dda52732686c4e6 ]

There are two cases when handle DISCARD merge.
If max_discard_segments == 1, the bios/requests need to be contiguous
to merge. If max_discard_segments > 1, it takes every bio as a range
and different range needn't to be contiguous.

But now, attempt_merge screws this up. It always consider contiguity
for DISCARD for the case max_discard_segments > 1 and cannot merge
contiguous DISCARD for the case max_discard_segments == 1, because
rq_attempt_discard_merge always returns false in this case.
This patch fixes both of the two cases above.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-merge.c | 46 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 36 insertions(+), 10 deletions(-)

diff --git a/block/blk-merge.c b/block/blk-merge.c
index 2e042190a4f1c..1dced51de1c6c 100644
--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -669,6 +669,31 @@ static void blk_account_io_merge(struct request *req)
 		part_stat_unlock();
 	}
 }
+/*
+ * Two cases of handling DISCARD merge:
+ * If max_discard_segments > 1, the driver takes every bio
+ * as a range and send them to controller together. The ranges
+ * needn't to be contiguous.
+ * Otherwise, the bios/requests will be handled as same as
+ * others which should be contiguous.
+ */
+static inline bool blk_discard_mergable(struct request *req)
+{
+	if (req_op(req) == REQ_OP_DISCARD &&
+	    queue_max_discard_segments(req->q) > 1)
+		return true;
+	return false;
+}
+
+enum elv_merge blk_try_req_merge(struct request *req, struct request *next)
+{
+	if (blk_discard_mergable(req))
+		return ELEVATOR_DISCARD_MERGE;
+	else if (blk_rq_pos(req) + blk_rq_sectors(req) == blk_rq_pos(next))
+		return ELEVATOR_BACK_MERGE;
+
+	return ELEVATOR_NO_MERGE;
+}
 
 /*
  * For non-mq, this has to be called with the request spinlock acquired.
@@ -686,12 +711,6 @@ static struct request *attempt_merge(struct request_queue *q,
 	if (req_op(req) != req_op(next))
 		return NULL;
 
-	/*
-	 * not contiguous
-	 */
-	if (blk_rq_pos(req) + blk_rq_sectors(req) != blk_rq_pos(next))
-		return NULL;
-
 	if (rq_data_dir(req) != rq_data_dir(next)
 	    || req->rq_disk != next->rq_disk
 	    || req_no_special_merge(next))
@@ -715,11 +734,19 @@ static struct request *attempt_merge(struct request_queue *q,
 	 * counts here. Handle DISCARDs separately, as they
 	 * have separate settings.
 	 */
-	if (req_op(req) == REQ_OP_DISCARD) {
+
+	switch (blk_try_req_merge(req, next)) {
+	case ELEVATOR_DISCARD_MERGE:
 		if (!req_attempt_discard_merge(q, req, next))
 			return NULL;
-	} else if (!ll_merge_requests_fn(q, req, next))
+		break;
+	case ELEVATOR_BACK_MERGE:
+		if (!ll_merge_requests_fn(q, req, next))
+			return NULL;
+		break;
+	default:
 		return NULL;
+	}
 
 	/*
 	 * If failfast settings disagree or any of the two is already
@@ -843,8 +870,7 @@ bool blk_rq_merge_ok(struct request *rq, struct bio *bio)
 
 enum elv_merge blk_try_merge(struct request *rq, struct bio *bio)
 {
-	if (req_op(rq) == REQ_OP_DISCARD &&
-	    queue_max_discard_segments(rq->q) > 1)
+	if (blk_discard_mergable(rq))
 		return ELEVATOR_DISCARD_MERGE;
 	else if (blk_rq_pos(rq) + blk_rq_sectors(rq) == bio->bi_iter.bi_sector)
 		return ELEVATOR_BACK_MERGE;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 154/306] i2c: uniphier-f: make driver robust against concurrency
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 153/306] block: fix the DISCARD request merge Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 155/306] i2c: uniphier-f: fix occasional timeout error Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Wolfram Sang, Sasha Levin

From: Masahiro Yamada <yamada.masahiro@socionext.com>

[ Upstream commit f1fdcbbdf45d9609f3d4063b67e9ea941ba3a58f ]

This is unlikely to happen, but it is possible for a CPU to enter
the interrupt handler just after wait_for_completion_timeout() has
expired. If this happens, the hardware is accessed from multiple
contexts concurrently.

Disable the IRQ after wait_for_completion_timeout(), and do nothing
from the handler when the IRQ is disabled.

Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver")
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-uniphier-f.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-uniphier-f.c b/drivers/i2c/busses/i2c-uniphier-f.c
index bc26ec822e268..b9a0690b4fd73 100644
--- a/drivers/i2c/busses/i2c-uniphier-f.c
+++ b/drivers/i2c/busses/i2c-uniphier-f.c
@@ -98,6 +98,7 @@ struct uniphier_fi2c_priv {
 	unsigned int flags;
 	unsigned int busy_cnt;
 	unsigned int clk_cycle;
+	spinlock_t lock;	/* IRQ synchronization */
 };
 
 static void uniphier_fi2c_fill_txfifo(struct uniphier_fi2c_priv *priv,
@@ -162,7 +163,10 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 	struct uniphier_fi2c_priv *priv = dev_id;
 	u32 irq_status;
 
+	spin_lock(&priv->lock);
+
 	irq_status = readl(priv->membase + UNIPHIER_FI2C_INT);
+	irq_status &= priv->enabled_irqs;
 
 	dev_dbg(&priv->adap.dev,
 		"interrupt: enabled_irqs=%04x, irq_status=%04x\n",
@@ -230,6 +234,8 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 		goto handled;
 	}
 
+	spin_unlock(&priv->lock);
+
 	return IRQ_NONE;
 
 data_done:
@@ -246,6 +252,8 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 handled:
 	uniphier_fi2c_clear_irqs(priv);
 
+	spin_unlock(&priv->lock);
+
 	return IRQ_HANDLED;
 }
 
@@ -311,7 +319,7 @@ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
 {
 	struct uniphier_fi2c_priv *priv = i2c_get_adapdata(adap);
 	bool is_read = msg->flags & I2C_M_RD;
-	unsigned long time_left;
+	unsigned long time_left, flags;
 
 	dev_dbg(&adap->dev, "%s: addr=0x%02x, len=%d, stop=%d\n",
 		is_read ? "receive" : "transmit", msg->addr, msg->len, stop);
@@ -342,6 +350,12 @@ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
 	       priv->membase + UNIPHIER_FI2C_CR);
 
 	time_left = wait_for_completion_timeout(&priv->comp, adap->timeout);
+
+	spin_lock_irqsave(&priv->lock, flags);
+	priv->enabled_irqs = 0;
+	uniphier_fi2c_set_irqs(priv);
+	spin_unlock_irqrestore(&priv->lock, flags);
+
 	if (!time_left) {
 		dev_err(&adap->dev, "transaction timeout.\n");
 		uniphier_fi2c_recover(priv);
@@ -546,6 +560,7 @@ static int uniphier_fi2c_probe(struct platform_device *pdev)
 
 	priv->clk_cycle = clk_rate / bus_speed;
 	init_completion(&priv->comp);
+	spin_lock_init(&priv->lock);
 	priv->adap.owner = THIS_MODULE;
 	priv->adap.algo = &uniphier_fi2c_algo;
 	priv->adap.dev.parent = dev;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 155/306] i2c: uniphier-f: fix occasional timeout error
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 154/306] i2c: uniphier-f: make driver robust against concurrency Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 156/306] i2c: uniphier-f: fix race condition when IRQ is cleared Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Wolfram Sang, Sasha Levin

From: Masahiro Yamada <yamada.masahiro@socionext.com>

[ Upstream commit 39226aaa85f002d695e3cafade3309e12ffdaecd ]

Currently, a timeout error could happen at a repeated START condition.

For a (non-repeated) START condition, the controller starts sending
data when the UNIPHIER_FI2C_CR_STA bit is set. However, for a repeated
START condition, the hardware starts running when the slave address is
written to the TX FIFO - the write to the UNIPHIER_FI2C_CR register is
actually unneeded.

Because the hardware is already running before the IRQ is enabled for
a repeated START, the driver may miss the IRQ event. In most cases,
this problem does not show up since modern CPUs are much faster than
the I2C transfer. However, it is still possible that a context switch
happens after the controller starts, but before the IRQ register is
set up.

To fix this,

 - Do not write UNIPHIER_FI2C_CR for repeated START conditions.

 - Enable IRQ *before* writing the slave address to the TX FIFO.

 - Disable IRQ for the current CPU while queuing up the TX FIFO;
   If the CPU is interrupted by some task, the interrupt handler
   might be invoked due to the empty TX FIFO before completing the
   setup.

Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver")
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-uniphier-f.c | 33 ++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/drivers/i2c/busses/i2c-uniphier-f.c b/drivers/i2c/busses/i2c-uniphier-f.c
index b9a0690b4fd73..bbd5b137aa216 100644
--- a/drivers/i2c/busses/i2c-uniphier-f.c
+++ b/drivers/i2c/busses/i2c-uniphier-f.c
@@ -260,6 +260,8 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 static void uniphier_fi2c_tx_init(struct uniphier_fi2c_priv *priv, u16 addr)
 {
 	priv->enabled_irqs |= UNIPHIER_FI2C_INT_TE;
+	uniphier_fi2c_set_irqs(priv);
+
 	/* do not use TX byte counter */
 	writel(0, priv->membase + UNIPHIER_FI2C_TBC);
 	/* set slave address */
@@ -292,6 +294,8 @@ static void uniphier_fi2c_rx_init(struct uniphier_fi2c_priv *priv, u16 addr)
 		priv->enabled_irqs |= UNIPHIER_FI2C_INT_RF;
 	}
 
+	uniphier_fi2c_set_irqs(priv);
+
 	/* set slave address with RD bit */
 	writel(UNIPHIER_FI2C_DTTX_CMD | UNIPHIER_FI2C_DTTX_RD | addr << 1,
 	       priv->membase + UNIPHIER_FI2C_DTTX);
@@ -315,14 +319,16 @@ static void uniphier_fi2c_recover(struct uniphier_fi2c_priv *priv)
 }
 
 static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
-					 struct i2c_msg *msg, bool stop)
+					 struct i2c_msg *msg, bool repeat,
+					 bool stop)
 {
 	struct uniphier_fi2c_priv *priv = i2c_get_adapdata(adap);
 	bool is_read = msg->flags & I2C_M_RD;
 	unsigned long time_left, flags;
 
-	dev_dbg(&adap->dev, "%s: addr=0x%02x, len=%d, stop=%d\n",
-		is_read ? "receive" : "transmit", msg->addr, msg->len, stop);
+	dev_dbg(&adap->dev, "%s: addr=0x%02x, len=%d, repeat=%d, stop=%d\n",
+		is_read ? "receive" : "transmit", msg->addr, msg->len,
+		repeat, stop);
 
 	priv->len = msg->len;
 	priv->buf = msg->buf;
@@ -338,16 +344,24 @@ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
 	writel(UNIPHIER_FI2C_RST_TBRST | UNIPHIER_FI2C_RST_RBRST,
 	       priv->membase + UNIPHIER_FI2C_RST);	/* reset TX/RX FIFO */
 
+	spin_lock_irqsave(&priv->lock, flags);
+
 	if (is_read)
 		uniphier_fi2c_rx_init(priv, msg->addr);
 	else
 		uniphier_fi2c_tx_init(priv, msg->addr);
 
-	uniphier_fi2c_set_irqs(priv);
-
 	dev_dbg(&adap->dev, "start condition\n");
-	writel(UNIPHIER_FI2C_CR_MST | UNIPHIER_FI2C_CR_STA,
-	       priv->membase + UNIPHIER_FI2C_CR);
+	/*
+	 * For a repeated START condition, writing a slave address to the FIFO
+	 * kicks the controller. So, the UNIPHIER_FI2C_CR register should be
+	 * written only for a non-repeated START condition.
+	 */
+	if (!repeat)
+		writel(UNIPHIER_FI2C_CR_MST | UNIPHIER_FI2C_CR_STA,
+		       priv->membase + UNIPHIER_FI2C_CR);
+
+	spin_unlock_irqrestore(&priv->lock, flags);
 
 	time_left = wait_for_completion_timeout(&priv->comp, adap->timeout);
 
@@ -408,6 +422,7 @@ static int uniphier_fi2c_master_xfer(struct i2c_adapter *adap,
 				     struct i2c_msg *msgs, int num)
 {
 	struct i2c_msg *msg, *emsg = msgs + num;
+	bool repeat = false;
 	int ret;
 
 	ret = uniphier_fi2c_check_bus_busy(adap);
@@ -418,9 +433,11 @@ static int uniphier_fi2c_master_xfer(struct i2c_adapter *adap,
 		/* Emit STOP if it is the last message or I2C_M_STOP is set. */
 		bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP);
 
-		ret = uniphier_fi2c_master_xfer_one(adap, msg, stop);
+		ret = uniphier_fi2c_master_xfer_one(adap, msg, repeat, stop);
 		if (ret)
 			return ret;
+
+		repeat = !stop;
 	}
 
 	return num;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 156/306] i2c: uniphier-f: fix race condition when IRQ is cleared
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 155/306] i2c: uniphier-f: fix occasional timeout error Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 157/306] um: Make line/tty semantics use true write IRQ Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Wolfram Sang, Sasha Levin

From: Masahiro Yamada <yamada.masahiro@socionext.com>

[ Upstream commit eaba68785c2d24ebf1f0d46c24e11b79cc2f94c7 ]

The current IRQ handler clears all the IRQ status bits when it bails
out. This is dangerous because it might clear away the status bits
that have just been set while processing the current handler. If this
happens, the IRQ event for the latest transfer is lost forever.

The IRQ status bits must be cleared *before* the next transfer is
kicked.

Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver")
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-uniphier-f.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/i2c/busses/i2c-uniphier-f.c b/drivers/i2c/busses/i2c-uniphier-f.c
index bbd5b137aa216..928ea9930d17e 100644
--- a/drivers/i2c/busses/i2c-uniphier-f.c
+++ b/drivers/i2c/busses/i2c-uniphier-f.c
@@ -143,9 +143,10 @@ static void uniphier_fi2c_set_irqs(struct uniphier_fi2c_priv *priv)
 	writel(priv->enabled_irqs, priv->membase + UNIPHIER_FI2C_IE);
 }
 
-static void uniphier_fi2c_clear_irqs(struct uniphier_fi2c_priv *priv)
+static void uniphier_fi2c_clear_irqs(struct uniphier_fi2c_priv *priv,
+				     u32 mask)
 {
-	writel(-1, priv->membase + UNIPHIER_FI2C_IC);
+	writel(mask, priv->membase + UNIPHIER_FI2C_IC);
 }
 
 static void uniphier_fi2c_stop(struct uniphier_fi2c_priv *priv)
@@ -172,6 +173,8 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 		"interrupt: enabled_irqs=%04x, irq_status=%04x\n",
 		priv->enabled_irqs, irq_status);
 
+	uniphier_fi2c_clear_irqs(priv, irq_status);
+
 	if (irq_status & UNIPHIER_FI2C_INT_STOP)
 		goto complete;
 
@@ -250,8 +253,6 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 	}
 
 handled:
-	uniphier_fi2c_clear_irqs(priv);
-
 	spin_unlock(&priv->lock);
 
 	return IRQ_HANDLED;
@@ -340,7 +341,7 @@ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
 		priv->flags |= UNIPHIER_FI2C_STOP;
 
 	reinit_completion(&priv->comp);
-	uniphier_fi2c_clear_irqs(priv);
+	uniphier_fi2c_clear_irqs(priv, U32_MAX);
 	writel(UNIPHIER_FI2C_RST_TBRST | UNIPHIER_FI2C_RST_RBRST,
 	       priv->membase + UNIPHIER_FI2C_RST);	/* reset TX/RX FIFO */
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 157/306] um: Make line/tty semantics use true write IRQ
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 156/306] i2c: uniphier-f: fix race condition when IRQ is cleared Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 158/306] vfs: avoid problematic remapping requests into partial EOF block Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anton Ivanov, Richard Weinberger,
	Sasha Levin

From: Anton Ivanov <anton.ivanov@cambridgegreys.com>

[ Upstream commit 917e2fd2c53eb3c4162f5397555cbd394390d4bc ]

This fixes a long standing bug where large amounts of output
could freeze the tty (most commonly seen on stdio console).
While the bug has always been there it became more pronounced
after moving to the new interrupt controller.

The line semantics are now changed to have true IRQ write
semantics which should further improve the tty/line subsystem
stability and performance

Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/um/drivers/line.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
index 8d80b27502e6a..7e524efed5848 100644
--- a/arch/um/drivers/line.c
+++ b/arch/um/drivers/line.c
@@ -261,7 +261,7 @@ static irqreturn_t line_write_interrupt(int irq, void *data)
 	if (err == 0) {
 		spin_unlock(&line->lock);
 		return IRQ_NONE;
-	} else if (err < 0) {
+	} else if ((err < 0) && (err != -EAGAIN)) {
 		line->head = line->buffer;
 		line->tail = line->buffer;
 	}
@@ -284,7 +284,7 @@ int line_setup_irq(int fd, int input, int output, struct line *line, void *data)
 	if (err)
 		return err;
 	if (output)
-		err = um_request_irq(driver->write_irq, fd, IRQ_NONE,
+		err = um_request_irq(driver->write_irq, fd, IRQ_WRITE,
 				     line_write_interrupt, IRQF_SHARED,
 				     driver->write_irq_name, data);
 	return err;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 158/306] vfs: avoid problematic remapping requests into partial EOF block
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 157/306] um: Make line/tty semantics use true write IRQ Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 159/306] ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12 Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Darrick J. Wong, Christoph Hellwig,
	Dave Chinner, Sasha Levin

From: Darrick J. Wong <darrick.wong@oracle.com>

[ Upstream commit 07d19dc9fbe9128378b9e226abe886fd8fd473df ]

A deduplication data corruption is exposed in XFS and btrfs. It is
caused by extending the block match range to include the partial EOF
block, but then allowing unknown data beyond EOF to be considered a
"match" to data in the destination file because the comparison is only
made to the end of the source file. This corrupts the destination file
when the source extent is shared with it.

The VFS remapping prep functions  only support whole block dedupe, but
we still need to appear to support whole file dedupe correctly.  Hence
if the dedupe request includes the last block of the souce file, don't
include it in the actual dedupe operation. If the rest of the range
dedupes successfully, then reject the entire request.  A subsequent
patch will enable us to shorten dedupe requests correctly.

When reflinking sub-file ranges, a data corruption can occur when the
source file range includes a partial EOF block. This shares the unknown
data beyond EOF into the second file at a position inside EOF, exposing
stale data in the second file.

If the reflink request includes the last block of the souce file, only
proceed with the reflink operation if it lands at or past the
destination file's current EOF. If it lands within the destination file
EOF, reject the entire request with -EINVAL and make the caller go the
hard way.  A subsequent patch will enable us to shorten reflink requests
correctly.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/read_write.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/fs/read_write.c b/fs/read_write.c
index 5fb5ee5b8cd70..2195380620d02 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1715,6 +1715,34 @@ static int clone_verify_area(struct file *file, loff_t pos, u64 len, bool write)
 
 	return security_file_permission(file, write ? MAY_WRITE : MAY_READ);
 }
+/*
+ * Ensure that we don't remap a partial EOF block in the middle of something
+ * else.  Assume that the offsets have already been checked for block
+ * alignment.
+ *
+ * For deduplication we always scale down to the previous block because we
+ * can't meaningfully compare post-EOF contents.
+ *
+ * For clone we only link a partial EOF block above the destination file's EOF.
+ */
+static int generic_remap_check_len(struct inode *inode_in,
+				   struct inode *inode_out,
+				   loff_t pos_out,
+				   u64 *len,
+				   bool is_dedupe)
+{
+	u64 blkmask = i_blocksize(inode_in) - 1;
+
+	if ((*len & blkmask) == 0)
+		return 0;
+
+	if (is_dedupe)
+		*len &= ~blkmask;
+	else if (pos_out + *len < i_size_read(inode_out))
+		return -EINVAL;
+
+	return 0;
+}
 
 /*
  * Check that the two inodes are eligible for cloning, the ranges make
@@ -1821,6 +1849,11 @@ int vfs_clone_file_prep_inodes(struct inode *inode_in, loff_t pos_in,
 			return -EBADE;
 	}
 
+	ret = generic_remap_check_len(inode_in, inode_out, pos_out, len,
+			is_dedupe);
+	if (ret)
+		return ret;
+
 	return 1;
 }
 EXPORT_SYMBOL(vfs_clone_file_prep_inodes);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 159/306] ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 158/306] vfs: avoid problematic remapping requests into partial EOF block Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 160/306] powerpc/xmon: Relax frame size for clang Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ying Xu, Hangbin Liu,
	David S. Miller, Sasha Levin

From: Hangbin Liu <liuhangbin@gmail.com>

[ Upstream commit 966c37f2d77eb44d47af8e919267b1ba675b2eca ]

Similiar with ipv6 mcast commit 89225d1ce6af3 ("net: ipv6: mld: fix v1/v2
switchback timeout to rfc3810, 9.12.")

i) RFC3376 8.12. Older Version Querier Present Timeout says:

   The Older Version Querier Interval is the time-out for transitioning
   a host back to IGMPv3 mode once an older version query is heard.
   When an older version query is received, hosts set their Older
   Version Querier Present Timer to Older Version Querier Interval.

   This value MUST be ((the Robustness Variable) times (the Query
   Interval in the last Query received)) plus (one Query Response
   Interval).

Currently we only use a hardcode value IGMP_V1/v2_ROUTER_PRESENT_TIMEOUT.
Fix it by adding two new items mr_qi(Query Interval) and mr_qri(Query Response
Interval) in struct in_device.

Now we can calculate the switchback time via (mr_qrv * mr_qi) + mr_qri.
We need update these values when receive IGMPv3 queries.

Reported-by: Ying Xu <yinxu@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/inetdevice.h |  4 ++-
 net/ipv4/igmp.c            | 53 ++++++++++++++++++++++++++------------
 2 files changed, 39 insertions(+), 18 deletions(-)

diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index c759d1cbcedd8..a64f21a97369a 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -37,7 +37,9 @@ struct in_device {
 	unsigned long		mr_v1_seen;
 	unsigned long		mr_v2_seen;
 	unsigned long		mr_maxdelay;
-	unsigned char		mr_qrv;
+	unsigned long		mr_qi;		/* Query Interval */
+	unsigned long		mr_qri;		/* Query Response Interval */
+	unsigned char		mr_qrv;		/* Query Robustness Variable */
 	unsigned char		mr_gq_running;
 	unsigned char		mr_ifc_count;
 	struct timer_list	mr_gq_timer;	/* general query timer */
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index b2240b7f225d5..523d26f5e22e2 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -111,13 +111,10 @@
 #ifdef CONFIG_IP_MULTICAST
 /* Parameter names and values are taken from igmp-v2-06 draft */
 
-#define IGMP_V1_ROUTER_PRESENT_TIMEOUT		(400*HZ)
-#define IGMP_V2_ROUTER_PRESENT_TIMEOUT		(400*HZ)
 #define IGMP_V2_UNSOLICITED_REPORT_INTERVAL	(10*HZ)
 #define IGMP_V3_UNSOLICITED_REPORT_INTERVAL	(1*HZ)
+#define IGMP_QUERY_INTERVAL			(125*HZ)
 #define IGMP_QUERY_RESPONSE_INTERVAL		(10*HZ)
-#define IGMP_QUERY_ROBUSTNESS_VARIABLE		2
-
 
 #define IGMP_INITIAL_REPORT_DELAY		(1)
 
@@ -953,13 +950,15 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
 
 			max_delay = IGMP_QUERY_RESPONSE_INTERVAL;
 			in_dev->mr_v1_seen = jiffies +
-				IGMP_V1_ROUTER_PRESENT_TIMEOUT;
+				(in_dev->mr_qrv * in_dev->mr_qi) +
+				in_dev->mr_qri;
 			group = 0;
 		} else {
 			/* v2 router present */
 			max_delay = ih->code*(HZ/IGMP_TIMER_SCALE);
 			in_dev->mr_v2_seen = jiffies +
-				IGMP_V2_ROUTER_PRESENT_TIMEOUT;
+				(in_dev->mr_qrv * in_dev->mr_qi) +
+				in_dev->mr_qri;
 		}
 		/* cancel the interface change timer */
 		in_dev->mr_ifc_count = 0;
@@ -999,8 +998,21 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
 		if (!max_delay)
 			max_delay = 1;	/* can't mod w/ 0 */
 		in_dev->mr_maxdelay = max_delay;
-		if (ih3->qrv)
-			in_dev->mr_qrv = ih3->qrv;
+
+		/* RFC3376, 4.1.6. QRV and 4.1.7. QQIC, when the most recently
+		 * received value was zero, use the default or statically
+		 * configured value.
+		 */
+		in_dev->mr_qrv = ih3->qrv ?: net->ipv4.sysctl_igmp_qrv;
+		in_dev->mr_qi = IGMPV3_QQIC(ih3->qqic)*HZ ?: IGMP_QUERY_INTERVAL;
+
+		/* RFC3376, 8.3. Query Response Interval:
+		 * The number of seconds represented by the [Query Response
+		 * Interval] must be less than the [Query Interval].
+		 */
+		if (in_dev->mr_qri >= in_dev->mr_qi)
+			in_dev->mr_qri = (in_dev->mr_qi/HZ - 1)*HZ;
+
 		if (!group) { /* general query */
 			if (ih3->nsrcs)
 				return true;	/* no sources allowed */
@@ -1738,18 +1750,30 @@ void ip_mc_down(struct in_device *in_dev)
 	ip_mc_dec_group(in_dev, IGMP_ALL_HOSTS);
 }
 
-void ip_mc_init_dev(struct in_device *in_dev)
-{
 #ifdef CONFIG_IP_MULTICAST
+static void ip_mc_reset(struct in_device *in_dev)
+{
 	struct net *net = dev_net(in_dev->dev);
+
+	in_dev->mr_qi = IGMP_QUERY_INTERVAL;
+	in_dev->mr_qri = IGMP_QUERY_RESPONSE_INTERVAL;
+	in_dev->mr_qrv = net->ipv4.sysctl_igmp_qrv;
+}
+#else
+static void ip_mc_reset(struct in_device *in_dev)
+{
+}
 #endif
+
+void ip_mc_init_dev(struct in_device *in_dev)
+{
 	ASSERT_RTNL();
 
 #ifdef CONFIG_IP_MULTICAST
 	timer_setup(&in_dev->mr_gq_timer, igmp_gq_timer_expire, 0);
 	timer_setup(&in_dev->mr_ifc_timer, igmp_ifc_timer_expire, 0);
-	in_dev->mr_qrv = net->ipv4.sysctl_igmp_qrv;
 #endif
+	ip_mc_reset(in_dev);
 
 	spin_lock_init(&in_dev->mc_tomb_lock);
 }
@@ -1759,15 +1783,10 @@ void ip_mc_init_dev(struct in_device *in_dev)
 void ip_mc_up(struct in_device *in_dev)
 {
 	struct ip_mc_list *pmc;
-#ifdef CONFIG_IP_MULTICAST
-	struct net *net = dev_net(in_dev->dev);
-#endif
 
 	ASSERT_RTNL();
 
-#ifdef CONFIG_IP_MULTICAST
-	in_dev->mr_qrv = net->ipv4.sysctl_igmp_qrv;
-#endif
+	ip_mc_reset(in_dev);
 	ip_mc_inc_group(in_dev, IGMP_ALL_HOSTS);
 
 	for_each_pmc_rtnl(in_dev, pmc) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 160/306] powerpc/xmon: Relax frame size for clang
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 159/306] ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12 Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 161/306] selftests/powerpc/ptrace: Fix out-of-tree build Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Michael Ellerman, Sasha Levin

From: Joel Stanley <joel@jms.id.au>

[ Upstream commit 9c87156cce5a63735d1218f0096a65c50a7a32aa ]

When building with clang (8 trunk, 7.0 release) the frame size limit is
hit:

 arch/powerpc/xmon/xmon.c:452:12: warning: stack frame size of 2576
 bytes in function 'xmon_core' [-Wframe-larger-than=]

Some investigation by Naveen indicates this is due to clang saving the
addresses to printf format strings on the stack.

While this issue is investigated, bump up the frame size limit for xmon
when building with clang.

Link: https://github.com/ClangBuiltLinux/linux/issues/252
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/xmon/Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/powerpc/xmon/Makefile b/arch/powerpc/xmon/Makefile
index 9d7d8e6d705c4..9ba44e190e5e4 100644
--- a/arch/powerpc/xmon/Makefile
+++ b/arch/powerpc/xmon/Makefile
@@ -13,6 +13,12 @@ UBSAN_SANITIZE := n
 ORIG_CFLAGS := $(KBUILD_CFLAGS)
 KBUILD_CFLAGS = $(subst $(CC_FLAGS_FTRACE),,$(ORIG_CFLAGS))
 
+ifdef CONFIG_CC_IS_CLANG
+# clang stores addresses on the stack causing the frame size to blow
+# out. See https://github.com/ClangBuiltLinux/linux/issues/252
+KBUILD_CFLAGS += -Wframe-larger-than=4096
+endif
+
 ccflags-$(CONFIG_PPC64) := $(NO_MINIMAL_TOC)
 
 obj-y			+= xmon.o nonstdio.o spr_access.o
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 161/306] selftests/powerpc/ptrace: Fix out-of-tree build
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 160/306] powerpc/xmon: Relax frame size for clang Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 162/306] selftests/powerpc/signal: " Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Michael Ellerman, Sasha Levin

From: Joel Stanley <joel@jms.id.au>

[ Upstream commit c39b79082a38a4f8c801790edecbbb4d62ed2992 ]

We should use TEST_GEN_PROGS, not TEST_PROGS. That tells the selftests
makefile (lib.mk) that those tests are generated (built), and so it
adds the $(OUTPUT) prefix for us, making the out-of-tree build work
correctly.

It also means we don't need our own clean rule, lib.mk does it.

We also have to update the ptrace-pkey and core-pkey rules to use
$(OUTPUT).

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/powerpc/ptrace/Makefile | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/tools/testing/selftests/powerpc/ptrace/Makefile b/tools/testing/selftests/powerpc/ptrace/Makefile
index 923d531265f8c..9f9423430059e 100644
--- a/tools/testing/selftests/powerpc/ptrace/Makefile
+++ b/tools/testing/selftests/powerpc/ptrace/Makefile
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: GPL-2.0
-TEST_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \
+TEST_GEN_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \
               ptrace-tar ptrace-tm-tar ptrace-tm-spd-tar ptrace-vsx ptrace-tm-vsx \
               ptrace-tm-spd-vsx ptrace-tm-spr ptrace-hwbreak ptrace-pkey core-pkey \
               perf-hwbreak
@@ -7,14 +7,9 @@ TEST_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \
 top_srcdir = ../../../../..
 include ../../lib.mk
 
-all: $(TEST_PROGS)
-
 CFLAGS += -m64 -I../../../../../usr/include -I../tm -mhtm -fno-pie
 
-ptrace-pkey core-pkey: child.h
-ptrace-pkey core-pkey: LDLIBS += -pthread
-
-$(TEST_PROGS): ../harness.c ../utils.c ../lib/reg.S ptrace.h
+$(OUTPUT)/ptrace-pkey $(OUTPUT)/core-pkey: child.h
+$(OUTPUT)/ptrace-pkey $(OUTPUT)/core-pkey: LDLIBS += -pthread
 
-clean:
-	rm -f $(TEST_PROGS) *.o
+$(TEST_GEN_PROGS): ../harness.c ../utils.c ../lib/reg.S ptrace.h
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 162/306] selftests/powerpc/signal: Fix out-of-tree build
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 161/306] selftests/powerpc/ptrace: Fix out-of-tree build Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 163/306] selftests/powerpc/switch_endian: " Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Michael Ellerman, Sasha Levin

From: Joel Stanley <joel@jms.id.au>

[ Upstream commit 27825349d7b238533a47e3d98b8bb0efd886b752 ]

We should use TEST_GEN_PROGS, not TEST_PROGS. That tells the selftests
makefile (lib.mk) that those tests are generated (built), and so it
adds the $(OUTPUT) prefix for us, making the out-of-tree build work
correctly.

It also means we don't need our own clean rule, lib.mk does it.

We also have to update the signal_tm rule to use $(OUTPUT).

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/powerpc/signal/Makefile | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/powerpc/signal/Makefile b/tools/testing/selftests/powerpc/signal/Makefile
index 1fca25c6ace06..209a958dca127 100644
--- a/tools/testing/selftests/powerpc/signal/Makefile
+++ b/tools/testing/selftests/powerpc/signal/Makefile
@@ -1,15 +1,10 @@
 # SPDX-License-Identifier: GPL-2.0
-TEST_PROGS := signal signal_tm
-
-all: $(TEST_PROGS)
-
-$(TEST_PROGS): ../harness.c ../utils.c signal.S
+TEST_GEN_PROGS := signal signal_tm
 
 CFLAGS += -maltivec
-signal_tm: CFLAGS += -mhtm
+$(OUTPUT)/signal_tm: CFLAGS += -mhtm
 
 top_srcdir = ../../../../..
 include ../../lib.mk
 
-clean:
-	rm -f $(TEST_PROGS) *.o
+$(TEST_GEN_PROGS): ../harness.c ../utils.c signal.S
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 163/306] selftests/powerpc/switch_endian: Fix out-of-tree build
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 162/306] selftests/powerpc/signal: " Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 164/306] selftests/powerpc/cache_shape: " Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Sasha Levin

From: Michael Ellerman <mpe@ellerman.id.au>

[ Upstream commit 266bac361d5677e61a6815bd29abeb3bdced2b07 ]

For the out-of-tree build to work we need to tell switch_endian_test
to look for check-reversed.S in $(OUTPUT).

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/powerpc/switch_endian/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/powerpc/switch_endian/Makefile b/tools/testing/selftests/powerpc/switch_endian/Makefile
index fcd2dcb8972ba..bdc081afedb0f 100644
--- a/tools/testing/selftests/powerpc/switch_endian/Makefile
+++ b/tools/testing/selftests/powerpc/switch_endian/Makefile
@@ -8,6 +8,7 @@ EXTRA_CLEAN = $(OUTPUT)/*.o $(OUTPUT)/check-reversed.S
 top_srcdir = ../../../../..
 include ../../lib.mk
 
+$(OUTPUT)/switch_endian_test: ASFLAGS += -I $(OUTPUT)
 $(OUTPUT)/switch_endian_test: $(OUTPUT)/check-reversed.S
 
 $(OUTPUT)/check-reversed.o: $(OUTPUT)/check.o
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 164/306] selftests/powerpc/cache_shape: Fix out-of-tree build
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 163/306] selftests/powerpc/switch_endian: " Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 165/306] block: call rq_qos_exit() after queue is frozen Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Sasha Levin

From: Michael Ellerman <mpe@ellerman.id.au>

[ Upstream commit 69f8117f17b332a68cd8f4bf8c2d0d3d5b84efc5 ]

Use TEST_GEN_PROGS and don't redefine all, this makes the out-of-tree
build work. We need to move the extra dependencies below the include
of lib.mk, because it adds the $(OUTPUT) prefix if it's defined.

We can also drop the clean rule, lib.mk does it for us.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/powerpc/cache_shape/Makefile | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/tools/testing/selftests/powerpc/cache_shape/Makefile b/tools/testing/selftests/powerpc/cache_shape/Makefile
index ede4d3dae7505..689f6c8ebcd8d 100644
--- a/tools/testing/selftests/powerpc/cache_shape/Makefile
+++ b/tools/testing/selftests/powerpc/cache_shape/Makefile
@@ -1,12 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
-TEST_PROGS := cache_shape
-
-all: $(TEST_PROGS)
-
-$(TEST_PROGS): ../harness.c ../utils.c
+TEST_GEN_PROGS := cache_shape
 
 top_srcdir = ../../../../..
 include ../../lib.mk
 
-clean:
-	rm -f $(TEST_PROGS) *.o
+$(TEST_GEN_PROGS): ../harness.c ../utils.c
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 165/306] block: call rq_qos_exit() after queue is frozen
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 164/306] selftests/powerpc/cache_shape: " Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 166/306] mm/gup_benchmark.c: prevent integer overflow in ioctl Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, Ming Lei, Jens Axboe,
	Sasha Levin

From: Ming Lei <ming.lei@redhat.com>

[ Upstream commit c57cdf7a9e51d97a43e29b8f4a04157875104000 ]

rq_qos_exit() removes the current q->rq_qos, this action has to be
done after queue is frozen, otherwise the IO queue path may never
be waken up, then IO hang is caused.

So fixes this issue by moving rq_qos_exit() after queue is frozen.

Cc: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-core.c  | 3 +++
 block/blk-sysfs.c | 2 --
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/blk-core.c b/block/blk-core.c
index 074ae9376189b..ea33d6abdcfc9 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -784,6 +784,9 @@ void blk_cleanup_queue(struct request_queue *q)
 	 * prevent that q->request_fn() gets invoked after draining finished.
 	 */
 	blk_freeze_queue(q);
+
+	rq_qos_exit(q);
+
 	spin_lock_irq(lock);
 	queue_flag_set(QUEUE_FLAG_DEAD, q);
 	spin_unlock_irq(lock);
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index bab47a17b96f4..8286640d4d663 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -997,8 +997,6 @@ void blk_unregister_queue(struct gendisk *disk)
 	kobject_del(&q->kobj);
 	blk_trace_remove_sysfs(disk_to_dev(disk));
 
-	rq_qos_exit(q);
-
 	mutex_lock(&q->sysfs_lock);
 	if (q->request_fn || (q->mq_ops && q->elevator))
 		elv_unregister_queue(q);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 166/306] mm/gup_benchmark.c: prevent integer overflow in ioctl
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 165/306] block: call rq_qos_exit() after queue is frozen Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 167/306] linux/bitmap.h: handle constant zero-size bitmaps correctly Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Kirill A. Shutemov,
	Andrew Morton, Stephen Rothwell, Keith Busch, Michael S. Tsirkin,
	Kees Cook, YueHaibing, Linus Torvalds, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 4b408c74ee5a0b74fc9265c2fe39b0e7dec7c056 ]

The concern here is that "gup->size" is a u64 and "nr_pages" is unsigned
long.  On 32 bit systems we could trick the kernel into allocating fewer
pages than expected.

Link: http://lkml.kernel.org/r/20181025061546.hnhkv33diogf2uis@kili.mountain
Fixes: 64c349f4ae78 ("mm: add infrastructure for get_user_pages_fast() benchmarking")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Keith Busch <keith.busch@intel.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/gup_benchmark.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/gup_benchmark.c b/mm/gup_benchmark.c
index 7405c9d89d651..7e6f2d2dafb55 100644
--- a/mm/gup_benchmark.c
+++ b/mm/gup_benchmark.c
@@ -23,6 +23,9 @@ static int __gup_benchmark_ioctl(unsigned int cmd,
 	int nr;
 	struct page **pages;
 
+	if (gup->size > ULONG_MAX)
+		return -EINVAL;
+
 	nr_pages = gup->size / PAGE_SIZE;
 	pages = kvcalloc(nr_pages, sizeof(void *), GFP_KERNEL);
 	if (!pages)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 167/306] linux/bitmap.h: handle constant zero-size bitmaps correctly
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 166/306] mm/gup_benchmark.c: prevent integer overflow in ioctl Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 168/306] linux/bitmap.h: fix type of nbits in bitmap_shift_right() Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Andy Shevchenko,
	Yury Norov, Sudeep Holla, Andrew Morton, Linus Torvalds,
	Sasha Levin

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

[ Upstream commit 7275b097851a5e2e0dd4da039c7e96b59ac5314e ]

The static inlines in bitmap.h do not handle a compile-time constant
nbits==0 correctly (they dereference the passed src or dst pointers,
despite only 0 words being valid to access).  I had the 0-day buildbot
chew on a patch [1] that would cause build failures for such cases without
complaining, suggesting that we don't have any such users currently, at
least for the 70 .config/arch combinations that was built.  Should any
turn up, make sure they use the out-of-line versions, which do handle
nbits==0 correctly.

This is of course not the most efficient, but it's much less churn than
teaching all the static inlines an "if (zero_const_nbits())", and since we
don't have any current instances, this doesn't affect existing code at
all.

[1] lkml.kernel.org/r/20180815085539.27485-1-linux@rasmusvillemoes.dk

Link: http://lkml.kernel.org/r/20180818131623.8755-3-linux@rasmusvillemoes.dk
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Yury Norov <ynorov@caviumnetworks.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/bitmap.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
index acf5e8df3504f..a9805bacbd7ca 100644
--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -204,8 +204,13 @@ extern int bitmap_print_to_pagebuf(bool list, char *buf,
 #define BITMAP_FIRST_WORD_MASK(start) (~0UL << ((start) & (BITS_PER_LONG - 1)))
 #define BITMAP_LAST_WORD_MASK(nbits) (~0UL >> (-(nbits) & (BITS_PER_LONG - 1)))
 
+/*
+ * The static inlines below do not handle constant nbits==0 correctly,
+ * so make such users (should any ever turn up) call the out-of-line
+ * versions.
+ */
 #define small_const_nbits(nbits) \
-	(__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG)
+	(__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG && (nbits) > 0)
 
 static inline void bitmap_zero(unsigned long *dst, unsigned int nbits)
 {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 168/306] linux/bitmap.h: fix type of nbits in bitmap_shift_right()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 167/306] linux/bitmap.h: handle constant zero-size bitmaps correctly Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 169/306] lib/bitmap.c: fix remaining space computation in bitmap_print_to_pagebuf Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Yury Norov,
	Andy Shevchenko, Sudeep Holla, Andrew Morton, Linus Torvalds,
	Sasha Levin

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

[ Upstream commit d9873969fa8725dc6a5a21ab788c057fd8719751 ]

Most other bitmap API, including the OOL version __bitmap_shift_right,
take unsigned nbits.  This was accidentally left out from 2fbad29917c98.

Link: http://lkml.kernel.org/r/20180818131623.8755-5-linux@rasmusvillemoes.dk
Fixes: 2fbad29917c98 ("lib: bitmap: change bitmap_shift_right to take unsigned parameters")
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reported-by: Yury Norov <ynorov@caviumnetworks.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/bitmap.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
index a9805bacbd7ca..b71a033c781ef 100644
--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -403,7 +403,7 @@ static __always_inline void bitmap_clear(unsigned long *map, unsigned int start,
 }
 
 static inline void bitmap_shift_right(unsigned long *dst, const unsigned long *src,
-				unsigned int shift, int nbits)
+				unsigned int shift, unsigned int nbits)
 {
 	if (small_const_nbits(nbits))
 		*dst = (*src & BITMAP_LAST_WORD_MASK(nbits)) >> shift;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 169/306] lib/bitmap.c: fix remaining space computation in bitmap_print_to_pagebuf
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 168/306] linux/bitmap.h: fix type of nbits in bitmap_shift_right() Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 170/306] hfsplus: fix BUG on bnode parent update Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Andy Shevchenko,
	Yury Norov, Sudeep Holla, Andrew Morton, Linus Torvalds,
	Sasha Levin

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

[ Upstream commit ce1091d471107dbf6f91db66a480a25950c9b9ff ]

For various alignments of buf, the current expression computes

4096 ok
4095 ok
8190
8189
...
4097

i.e., if the caller has already written two bytes into the page buffer,
len is 8190 rather than 4094, because PTR_ALIGN aligns up to the next
boundary.  So if the printed version of the bitmap is huge, scnprintf()
ends up writing beyond the page boundary.

I don't think any current callers actually write anything before
bitmap_print_to_pagebuf, but the API seems to be designed to allow it.

[akpm@linux-foundation.org: use offset_in_page(), per Andy]
[akpm@linux-foundation.org: include mm.h for offset_in_page()]
Link: http://lkml.kernel.org/r/20180818131623.8755-7-linux@rasmusvillemoes.dk
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Yury Norov <ynorov@caviumnetworks.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/bitmap.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/bitmap.c b/lib/bitmap.c
index 2fd07f6df0b85..c4ca9ceb09fe3 100644
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
@@ -13,6 +13,7 @@
 #include <linux/bitops.h>
 #include <linux/bug.h>
 #include <linux/kernel.h>
+#include <linux/mm.h>
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/uaccess.h>
@@ -466,14 +467,15 @@ EXPORT_SYMBOL(bitmap_parse_user);
  * ranges if list is specified or hex digits grouped into comma-separated
  * sets of 8 digits/set. Returns the number of characters written to buf.
  *
- * It is assumed that @buf is a pointer into a PAGE_SIZE area and that
- * sufficient storage remains at @buf to accommodate the
- * bitmap_print_to_pagebuf() output.
+ * It is assumed that @buf is a pointer into a PAGE_SIZE, page-aligned
+ * area and that sufficient storage remains at @buf to accommodate the
+ * bitmap_print_to_pagebuf() output. Returns the number of characters
+ * actually printed to @buf, excluding terminating '\0'.
  */
 int bitmap_print_to_pagebuf(bool list, char *buf, const unsigned long *maskp,
 			    int nmaskbits)
 {
-	ptrdiff_t len = PTR_ALIGN(buf + PAGE_SIZE - 1, PAGE_SIZE) - buf;
+	ptrdiff_t len = PAGE_SIZE - offset_in_page(buf);
 	int n = 0;
 
 	if (len > 1)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 170/306] hfsplus: fix BUG on bnode parent update
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 169/306] lib/bitmap.c: fix remaining space computation in bitmap_print_to_pagebuf Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 171/306] hfs: " Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ernesto A .  Fernández,
	Christoph Hellwig, Andrew Morton, Linus Torvalds, Sasha Levin

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

[ Upstream commit 19a9d0f1acf75e8be8cfba19c1a34e941846fa2b ]

Creating, renaming or deleting a file may hit BUG_ON() if the first
record of both a leaf node and its parent are changed, and if this
forces the parent to be split.  This bug is triggered by xfstests
generic/027, somewhat rarely; here is a more reliable reproducer:

  truncate -s 50M fs.iso
  mkfs.hfsplus fs.iso
  mount fs.iso /mnt
  i=1000
  while [ $i -le 2400 ]; do
    touch /mnt/$i &>/dev/null
    ((++i))
  done
  i=2400
  while [ $i -ge 1000 ]; do
    mv /mnt/$i /mnt/$(perl -e "print $i x61") &>/dev/null
    ((--i))
  done

The issue is that a newly created bnode is being put twice.  Reset
new_node to NULL in hfs_brec_update_parent() before reaching goto again.

Link: http://lkml.kernel.org/r/5ee1db09b60373a15890f6a7c835d00e76bf601d.1535682461.git.ernesto.mnd.fernandez@gmail.com
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/brec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
index aa17a392b4140..1918544a78716 100644
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -449,6 +449,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
 			/* restore search_key */
 			hfs_bnode_read_key(node, fd->search_key, 14);
 		}
+		new_node = NULL;
 	}
 
 	if (!rec && node->parent)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 171/306] hfs: fix BUG on bnode parent update
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 170/306] hfsplus: fix BUG on bnode parent update Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 172/306] hfsplus: prevent btree data loss on ENOSPC Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ernesto A .  Fernández,
	Andrew Morton, Christoph Hellwig, Viacheslav Dubeyko,
	Linus Torvalds, Sasha Levin

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

[ Upstream commit ef75bcc5763d130451a99825f247d301088b790b ]

hfs_brec_update_parent() may hit BUG_ON() if the first record of both a
leaf node and its parent are changed, and if this forces the parent to
be split.  It is not possible for this to happen on a valid hfs
filesystem because the index nodes have fixed length keys.

For reasons I ignore, the hfs module does have support for a number of
hfsplus features.  A corrupt btree header may report variable length
keys and trigger this BUG, so it's better to fix it.

Link: http://lkml.kernel.org/r/cf9b02d57f806217a2b1bf5db8c3e39730d8f603.1535682463.git.ernesto.mnd.fernandez@gmail.com
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/brec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
index da25c49203cc5..896396554bcc1 100644
--- a/fs/hfs/brec.c
+++ b/fs/hfs/brec.c
@@ -445,6 +445,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
 			/* restore search_key */
 			hfs_bnode_read_key(node, fd->search_key, 14);
 		}
+		new_node = NULL;
 	}
 
 	if (!rec && node->parent)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 172/306] hfsplus: prevent btree data loss on ENOSPC
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 171/306] hfs: " Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 173/306] hfs: " Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ernesto A .  Fernández,
	Christoph Hellwig, Andrew Morton, Linus Torvalds, Sasha Levin

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

[ Upstream commit d92915c35bfaf763d78bf1d5ac7f183420e3bd99 ]

Inserting or deleting a record in a btree may require splitting several of
its nodes.  If we hit ENOSPC halfway through, the new nodes will be left
orphaned and their records will be lost.  This could mean lost inodes,
extents or xattrs.

Henceforth, check the available disk space before making any changes.
This still leaves the potential problem of corruption on ENOMEM.

The patch can be tested with xfstests generic/027.

Link: http://lkml.kernel.org/r/4596eef22fbda137b4ffa0272d92f0da15364421.1536269129.git.ernesto.mnd.fernandez@gmail.com
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/attributes.c | 10 ++++++++++
 fs/hfsplus/btree.c      | 44 ++++++++++++++++++++++++++---------------
 fs/hfsplus/catalog.c    | 24 ++++++++++++++++++++++
 fs/hfsplus/extents.c    |  4 ++++
 fs/hfsplus/hfsplus_fs.h |  2 ++
 5 files changed, 68 insertions(+), 16 deletions(-)

diff --git a/fs/hfsplus/attributes.c b/fs/hfsplus/attributes.c
index 2bab6b3cdba48..e6d554476db41 100644
--- a/fs/hfsplus/attributes.c
+++ b/fs/hfsplus/attributes.c
@@ -217,6 +217,11 @@ int hfsplus_create_attr(struct inode *inode,
 	if (err)
 		goto failed_init_create_attr;
 
+	/* Fail early and avoid ENOSPC during the btree operation */
+	err = hfs_bmap_reserve(fd.tree, fd.tree->depth + 1);
+	if (err)
+		goto failed_create_attr;
+
 	if (name) {
 		err = hfsplus_attr_build_key(sb, fd.search_key,
 						inode->i_ino, name);
@@ -313,6 +318,11 @@ int hfsplus_delete_attr(struct inode *inode, const char *name)
 	if (err)
 		return err;
 
+	/* Fail early and avoid ENOSPC during the btree operation */
+	err = hfs_bmap_reserve(fd.tree, fd.tree->depth);
+	if (err)
+		goto out;
+
 	if (name) {
 		err = hfsplus_attr_build_key(sb, fd.search_key,
 						inode->i_ino, name);
diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 3de3bc4918b55..66774f4cb4fd5 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -342,26 +342,21 @@ static struct hfs_bnode *hfs_bmap_new_bmap(struct hfs_bnode *prev, u32 idx)
 	return node;
 }
 
-struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+/* Make sure @tree has enough space for the @rsvd_nodes */
+int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes)
 {
-	struct hfs_bnode *node, *next_node;
-	struct page **pagep;
-	u32 nidx, idx;
-	unsigned off;
-	u16 off16;
-	u16 len;
-	u8 *data, byte, m;
-	int i;
+	struct inode *inode = tree->inode;
+	struct hfsplus_inode_info *hip = HFSPLUS_I(inode);
+	u32 count;
+	int res;
 
-	while (!tree->free_nodes) {
-		struct inode *inode = tree->inode;
-		struct hfsplus_inode_info *hip = HFSPLUS_I(inode);
-		u32 count;
-		int res;
+	if (rsvd_nodes <= 0)
+		return 0;
 
+	while (tree->free_nodes < rsvd_nodes) {
 		res = hfsplus_file_extend(inode, hfs_bnode_need_zeroout(tree));
 		if (res)
-			return ERR_PTR(res);
+			return res;
 		hip->phys_size = inode->i_size =
 			(loff_t)hip->alloc_blocks <<
 				HFSPLUS_SB(tree->sb)->alloc_blksz_shift;
@@ -369,9 +364,26 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
 			hip->alloc_blocks << HFSPLUS_SB(tree->sb)->fs_shift;
 		inode_set_bytes(inode, inode->i_size);
 		count = inode->i_size >> tree->node_size_shift;
-		tree->free_nodes = count - tree->node_count;
+		tree->free_nodes += count - tree->node_count;
 		tree->node_count = count;
 	}
+	return 0;
+}
+
+struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+{
+	struct hfs_bnode *node, *next_node;
+	struct page **pagep;
+	u32 nidx, idx;
+	unsigned off;
+	u16 off16;
+	u16 len;
+	u8 *data, byte, m;
+	int i, res;
+
+	res = hfs_bmap_reserve(tree, 1);
+	if (res)
+		return ERR_PTR(res);
 
 	nidx = 0;
 	node = hfs_bnode_find(tree, nidx);
diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
index a196369ba779f..35472cba750e1 100644
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -265,6 +265,14 @@ int hfsplus_create_cat(u32 cnid, struct inode *dir,
 	if (err)
 		return err;
 
+	/*
+	 * Fail early and avoid ENOSPC during the btree operations. We may
+	 * have to split the root node at most once.
+	 */
+	err = hfs_bmap_reserve(fd.tree, 2 * fd.tree->depth);
+	if (err)
+		goto err2;
+
 	hfsplus_cat_build_key_with_cnid(sb, fd.search_key, cnid);
 	entry_size = hfsplus_fill_cat_thread(sb, &entry,
 		S_ISDIR(inode->i_mode) ?
@@ -333,6 +341,14 @@ int hfsplus_delete_cat(u32 cnid, struct inode *dir, const struct qstr *str)
 	if (err)
 		return err;
 
+	/*
+	 * Fail early and avoid ENOSPC during the btree operations. We may
+	 * have to split the root node at most once.
+	 */
+	err = hfs_bmap_reserve(fd.tree, 2 * (int)fd.tree->depth - 2);
+	if (err)
+		goto out;
+
 	if (!str) {
 		int len;
 
@@ -433,6 +449,14 @@ int hfsplus_rename_cat(u32 cnid,
 		return err;
 	dst_fd = src_fd;
 
+	/*
+	 * Fail early and avoid ENOSPC during the btree operations. We may
+	 * have to split the root node at most twice.
+	 */
+	err = hfs_bmap_reserve(src_fd.tree, 4 * (int)src_fd.tree->depth - 1);
+	if (err)
+		goto out;
+
 	/* find the old dir entry and read the data */
 	err = hfsplus_cat_build_key(sb, src_fd.search_key,
 			src_dir->i_ino, src_name);
diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
index 8e0f59767694b..8a8893d522ef3 100644
--- a/fs/hfsplus/extents.c
+++ b/fs/hfsplus/extents.c
@@ -100,6 +100,10 @@ static int __hfsplus_ext_write_extent(struct inode *inode,
 	if (hip->extent_state & HFSPLUS_EXT_NEW) {
 		if (res != -ENOENT)
 			return res;
+		/* Fail early and avoid ENOSPC during the btree operation */
+		res = hfs_bmap_reserve(fd->tree, fd->tree->depth + 1);
+		if (res)
+			return res;
 		hfs_brec_insert(fd, hip->cached_extents,
 				sizeof(hfsplus_extent_rec));
 		hip->extent_state &= ~(HFSPLUS_EXT_DIRTY | HFSPLUS_EXT_NEW);
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index 8e039435958a8..dd7ad9f13e3aa 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -311,6 +311,7 @@ static inline unsigned short hfsplus_min_io_size(struct super_block *sb)
 #define hfs_btree_open hfsplus_btree_open
 #define hfs_btree_close hfsplus_btree_close
 #define hfs_btree_write hfsplus_btree_write
+#define hfs_bmap_reserve hfsplus_bmap_reserve
 #define hfs_bmap_alloc hfsplus_bmap_alloc
 #define hfs_bmap_free hfsplus_bmap_free
 #define hfs_bnode_read hfsplus_bnode_read
@@ -395,6 +396,7 @@ u32 hfsplus_calc_btree_clump_size(u32 block_size, u32 node_size, u64 sectors,
 struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id);
 void hfs_btree_close(struct hfs_btree *tree);
 int hfs_btree_write(struct hfs_btree *tree);
+int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes);
 struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree);
 void hfs_bmap_free(struct hfs_bnode *node);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 173/306] hfs: prevent btree data loss on ENOSPC
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 172/306] hfsplus: prevent btree data loss on ENOSPC Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 174/306] hfsplus: fix return value of hfsplus_get_block() Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ernesto A .  Fernández,
	Christoph Hellwig, Andrew Morton, Linus Torvalds, Sasha Levin

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

[ Upstream commit 54640c7502e5ed41fbf4eedd499e85f9acc9698f ]

Inserting a new record in a btree may require splitting several of its
nodes.  If we hit ENOSPC halfway through, the new nodes will be left
orphaned and their records will be lost.  This could mean lost inodes or
extents.

Henceforth, check the available disk space before making any changes.
This still leaves the potential problem of corruption on ENOMEM.

There is no need to reserve space before deleting a catalog record, as we
do for hfsplus.  This difference is because hfs index nodes have fixed
length keys.

Link: http://lkml.kernel.org/r/ab5fc8a7d5ffccfd5f27b1cf2cb4ceb6c110da74.1536269131.git.ernesto.mnd.fernandez@gmail.com
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/btree.c   | 41 +++++++++++++++++++++++++----------------
 fs/hfs/btree.h   |  1 +
 fs/hfs/catalog.c | 16 ++++++++++++++++
 fs/hfs/extent.c  |  4 ++++
 4 files changed, 46 insertions(+), 16 deletions(-)

diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
index 9bdff5e406261..19017d2961734 100644
--- a/fs/hfs/btree.c
+++ b/fs/hfs/btree.c
@@ -220,25 +220,17 @@ static struct hfs_bnode *hfs_bmap_new_bmap(struct hfs_bnode *prev, u32 idx)
 	return node;
 }
 
-struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+/* Make sure @tree has enough space for the @rsvd_nodes */
+int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes)
 {
-	struct hfs_bnode *node, *next_node;
-	struct page **pagep;
-	u32 nidx, idx;
-	unsigned off;
-	u16 off16;
-	u16 len;
-	u8 *data, byte, m;
-	int i;
-
-	while (!tree->free_nodes) {
-		struct inode *inode = tree->inode;
-		u32 count;
-		int res;
+	struct inode *inode = tree->inode;
+	u32 count;
+	int res;
 
+	while (tree->free_nodes < rsvd_nodes) {
 		res = hfs_extend_file(inode);
 		if (res)
-			return ERR_PTR(res);
+			return res;
 		HFS_I(inode)->phys_size = inode->i_size =
 				(loff_t)HFS_I(inode)->alloc_blocks *
 				HFS_SB(tree->sb)->alloc_blksz;
@@ -246,9 +238,26 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
 					  tree->sb->s_blocksize_bits;
 		inode_set_bytes(inode, inode->i_size);
 		count = inode->i_size >> tree->node_size_shift;
-		tree->free_nodes = count - tree->node_count;
+		tree->free_nodes += count - tree->node_count;
 		tree->node_count = count;
 	}
+	return 0;
+}
+
+struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+{
+	struct hfs_bnode *node, *next_node;
+	struct page **pagep;
+	u32 nidx, idx;
+	unsigned off;
+	u16 off16;
+	u16 len;
+	u8 *data, byte, m;
+	int i, res;
+
+	res = hfs_bmap_reserve(tree, 1);
+	if (res)
+		return ERR_PTR(res);
 
 	nidx = 0;
 	node = hfs_bnode_find(tree, nidx);
diff --git a/fs/hfs/btree.h b/fs/hfs/btree.h
index c8b252dbb26c0..dcc2aab1b2c43 100644
--- a/fs/hfs/btree.h
+++ b/fs/hfs/btree.h
@@ -82,6 +82,7 @@ struct hfs_find_data {
 extern struct hfs_btree *hfs_btree_open(struct super_block *, u32, btree_keycmp);
 extern void hfs_btree_close(struct hfs_btree *);
 extern void hfs_btree_write(struct hfs_btree *);
+extern int hfs_bmap_reserve(struct hfs_btree *, int);
 extern struct hfs_bnode * hfs_bmap_alloc(struct hfs_btree *);
 extern void hfs_bmap_free(struct hfs_bnode *node);
 
diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
index 8a66405b0f8b5..d365bf0b8c77d 100644
--- a/fs/hfs/catalog.c
+++ b/fs/hfs/catalog.c
@@ -97,6 +97,14 @@ int hfs_cat_create(u32 cnid, struct inode *dir, const struct qstr *str, struct i
 	if (err)
 		return err;
 
+	/*
+	 * Fail early and avoid ENOSPC during the btree operations. We may
+	 * have to split the root node at most once.
+	 */
+	err = hfs_bmap_reserve(fd.tree, 2 * fd.tree->depth);
+	if (err)
+		goto err2;
+
 	hfs_cat_build_key(sb, fd.search_key, cnid, NULL);
 	entry_size = hfs_cat_build_thread(sb, &entry, S_ISDIR(inode->i_mode) ?
 			HFS_CDR_THD : HFS_CDR_FTH,
@@ -295,6 +303,14 @@ int hfs_cat_move(u32 cnid, struct inode *src_dir, const struct qstr *src_name,
 		return err;
 	dst_fd = src_fd;
 
+	/*
+	 * Fail early and avoid ENOSPC during the btree operations. We may
+	 * have to split the root node at most once.
+	 */
+	err = hfs_bmap_reserve(src_fd.tree, 2 * src_fd.tree->depth);
+	if (err)
+		goto out;
+
 	/* find the old dir entry and read the data */
 	hfs_cat_build_key(sb, src_fd.search_key, src_dir->i_ino, src_name);
 	err = hfs_brec_find(&src_fd);
diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
index 5d01826545809..0c638c6121526 100644
--- a/fs/hfs/extent.c
+++ b/fs/hfs/extent.c
@@ -117,6 +117,10 @@ static int __hfs_ext_write_extent(struct inode *inode, struct hfs_find_data *fd)
 	if (HFS_I(inode)->flags & HFS_FLG_EXT_NEW) {
 		if (res != -ENOENT)
 			return res;
+		/* Fail early and avoid ENOSPC during the btree operation */
+		res = hfs_bmap_reserve(fd->tree, fd->tree->depth + 1);
+		if (res)
+			return res;
 		hfs_brec_insert(fd, HFS_I(inode)->cached_extents, sizeof(hfs_extent_rec));
 		HFS_I(inode)->flags &= ~(HFS_FLG_EXT_DIRTY|HFS_FLG_EXT_NEW);
 	} else {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 174/306] hfsplus: fix return value of hfsplus_get_block()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 173/306] hfs: " Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 175/306] hfs: fix return value of hfs_get_block() Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ernesto A .  Fernández,
	Vyacheslav Dubeyko, Andrew Morton, Linus Torvalds, Sasha Levin

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

[ Upstream commit 839c3a6a5e1fbc8542d581911b35b2cb5cd29304 ]

Direct writes to empty inodes fail with EIO.  The generic direct-io code
is in part to blame (a patch has been submitted as "direct-io: allow
direct writes to empty inodes"), but hfsplus is worse affected than the
other filesystems because the fallback to buffered I/O doesn't happen.

The problem is the return value of hfsplus_get_block() when called with
!create.  Change it to be more consistent with the other modules.

Link: http://lkml.kernel.org/r/2cd1301404ec7cf1e39c8f11a01a4302f1460ad6.1539195310.git.ernesto.mnd.fernandez@gmail.com
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/extents.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
index 8a8893d522ef3..a930ddd156819 100644
--- a/fs/hfsplus/extents.c
+++ b/fs/hfsplus/extents.c
@@ -237,7 +237,9 @@ int hfsplus_get_block(struct inode *inode, sector_t iblock,
 	ablock = iblock >> sbi->fs_shift;
 
 	if (iblock >= hip->fs_blocks) {
-		if (iblock > hip->fs_blocks || !create)
+		if (!create)
+			return 0;
+		if (iblock > hip->fs_blocks)
 			return -EIO;
 		if (ablock >= hip->alloc_blocks) {
 			res = hfsplus_file_extend(inode, false);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 175/306] hfs: fix return value of hfs_get_block()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 174/306] hfsplus: fix return value of hfsplus_get_block() Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 176/306] hfsplus: update timestamps on truncate() Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ernesto A .  Fernández,
	Vyacheslav Dubeyko, Andrew Morton, Linus Torvalds, Sasha Levin

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

[ Upstream commit 1267a07be5ebbff2d2739290f3d043ae137c15b4 ]

Direct writes to empty inodes fail with EIO.  The generic direct-io code
is in part to blame (a patch has been submitted as "direct-io: allow
direct writes to empty inodes"), but hfs is worse affected than the other
filesystems because the fallback to buffered I/O doesn't happen.

The problem is the return value of hfs_get_block() when called with
!create.  Change it to be more consistent with the other modules.

Link: http://lkml.kernel.org/r/4538ab8c35ea37338490525f0f24cbc37227528c.1539195310.git.ernesto.mnd.fernandez@gmail.com
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/extent.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
index 0c638c6121526..5f1ff97a3b987 100644
--- a/fs/hfs/extent.c
+++ b/fs/hfs/extent.c
@@ -345,7 +345,9 @@ int hfs_get_block(struct inode *inode, sector_t block,
 	ablock = (u32)block / HFS_SB(sb)->fs_div;
 
 	if (block >= HFS_I(inode)->fs_blocks) {
-		if (block > HFS_I(inode)->fs_blocks || !create)
+		if (!create)
+			return 0;
+		if (block > HFS_I(inode)->fs_blocks)
 			return -EIO;
 		if (ablock >= HFS_I(inode)->alloc_blocks) {
 			res = hfs_extend_file(inode);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 176/306] hfsplus: update timestamps on truncate()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 175/306] hfs: fix return value of hfs_get_block() Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 177/306] hfs: update timestamp " Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ernesto A .  Fernández,
	Vyacheslav Dubeyko, Andrew Morton, Linus Torvalds, Sasha Levin

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

[ Upstream commit dc8844aada735890a6de109bef327f5df36a982e ]

The vfs takes care of updating ctime and mtime on ftruncate(), but on
truncate() it must be done by the module.

This patch can be tested with xfstests generic/313.

Link: http://lkml.kernel.org/r/9beb0913eea37288599e8e1b7cec8768fb52d1b8.1539316825.git.ernesto.mnd.fernandez@gmail.com
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/inode.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index 8e9427a42b819..d7ab9d8c4b674 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -261,6 +261,7 @@ static int hfsplus_setattr(struct dentry *dentry, struct iattr *attr)
 		}
 		truncate_setsize(inode, attr->ia_size);
 		hfsplus_file_truncate(inode);
+		inode->i_mtime = inode->i_ctime = current_time(inode);
 	}
 
 	setattr_copy(inode, attr);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 177/306] hfs: update timestamp on truncate()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 176/306] hfsplus: update timestamps on truncate() Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 178/306] fs/hfs/extent.c: fix array out of bounds read of array extent Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ernesto A .  Fernández,
	Vyacheslav Dubeyko, Andrew Morton, Linus Torvalds, Sasha Levin

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

[ Upstream commit 8cd3cb5061730af085a3f9890a3352f162b4e20c ]

The vfs takes care of updating mtime on ftruncate(), but on truncate() it
must be done by the module.

Link: http://lkml.kernel.org/r/e1611eda2985b672ed2d8677350b4ad8c2d07e8a.1539316825.git.ernesto.mnd.fernandez@gmail.com
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index a2dfa1b2a89c7..da243c84e93b0 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -642,6 +642,8 @@ int hfs_inode_setattr(struct dentry *dentry, struct iattr * attr)
 
 		truncate_setsize(inode, attr->ia_size);
 		hfs_file_truncate(inode);
+		inode->i_atime = inode->i_mtime = inode->i_ctime =
+						  current_time(inode);
 	}
 
 	setattr_copy(inode, attr);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 178/306] fs/hfs/extent.c: fix array out of bounds read of array extent
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 177/306] hfs: update timestamp " Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 179/306] kernel/panic.c: do not append newline to the stack protector panic string Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Ernesto A. Fernndez,
	David Howells, Al Viro, Hin-Tak Leung, Vyacheslav Dubeyko,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 6c9a3f843a29d6894dfc40df338b91dbd78f0ae3 ]

Currently extent and index i are both being incremented causing an array
out of bounds read on extent[i].  Fix this by removing the extraneous
increment of extent.

Ernesto said:

: This is only triggered when deleting a file with a resource fork.  I
: may be wrong because the documentation isn't clear, but I don't think
: you can create those under linux.  So I guess nobody was testing them.
:
: > A disk space leak, perhaps?
:
: That's what it looks like in general.  hfs_free_extents() won't do
: anything if the block count doesn't add up, and the error will be
: ignored.  Now, if the block count randomly does add up, we could see
: some corruption.

Detected by CoverityScan, CID#711541 ("Out of bounds read")

Link: http://lkml.kernel.org/r/20180831140538.31566-1-colin.king@canonical.com
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Ernesto A. Fernndez <ernesto.mnd.fernandez@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/extent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
index 5f1ff97a3b987..263d5028d9d18 100644
--- a/fs/hfs/extent.c
+++ b/fs/hfs/extent.c
@@ -304,7 +304,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type)
 		return 0;
 
 	blocks = 0;
-	for (i = 0; i < 3; extent++, i++)
+	for (i = 0; i < 3; i++)
 		blocks += be16_to_cpu(extent[i].count);
 
 	res = hfs_free_extents(sb, extent, blocks, blocks);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 179/306] kernel/panic.c: do not append newline to the stack protector panic string
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 178/306] fs/hfs/extent.c: fix array out of bounds read of array extent Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 180/306] mm/memory_hotplug: make add_memory() take the device_hotplug_lock Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Borislav Petkov, Kees Cook,
	Masahiro Yamada, Steven Rostedt (VMware),
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Borislav Petkov <bp@suse.de>

[ Upstream commit 95c4fb78fb23081472465ca20d5d31c4b780ed82 ]

... because panic() itself already does this. Otherwise you have
line-broken trailer:

  [    1.836965] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0
  [    1.836965]  ]---

Link: http://lkml.kernel.org/r/20181008202901.7894-1-bp@alien8.de
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/panic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/panic.c b/kernel/panic.c
index 72e001e3753e3..8138a676fb7d1 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -636,7 +636,7 @@ device_initcall(register_warn_debugfs);
  */
 __visible void __stack_chk_fail(void)
 {
-	panic("stack-protector: Kernel stack is corrupted in: %pB\n",
+	panic("stack-protector: Kernel stack is corrupted in: %pB",
 		__builtin_return_address(0));
 }
 EXPORT_SYMBOL(__stack_chk_fail);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 180/306] mm/memory_hotplug: make add_memory() take the device_hotplug_lock
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 179/306] kernel/panic.c: do not append newline to the stack protector panic string Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 181/306] mm/memory_hotplug: fix online/offline_pages called w.o. mem_hotplug_lock Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Hildenbrand, Pavel Tatashin,
	Rafael J. Wysocki, Rashmica Gupta, Oscar Salvador,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	Rafael J. Wysocki, Len Brown, Boris Ostrovsky, Juergen Gross,
	Nathan Fontenot, John Allen, Michal Hocko, Dan Williams,
	Joonsoo Kim, Vlastimil Babka, Mathieu Malaterre,
	YASUAKI ISHIMATSU, Balbir Singh, Haiyang Zhang, Heiko Carstens,
	Jonathan Corbet, Kate Stewart, K. Y. Srinivasan,
	Martin Schwidefsky, Michael Neuling, Philippe Ombredanne,
	Stephen Hemminger, Thomas Gleixner, Andrew Morton,
	Linus Torvalds, Sasha Levin

From: David Hildenbrand <david@redhat.com>

[ Upstream commit 8df1d0e4a265f25dc1e7e7624ccdbcb4a6630c89 ]

add_memory() currently does not take the device_hotplug_lock, however
is aleady called under the lock from
	arch/powerpc/platforms/pseries/hotplug-memory.c
	drivers/acpi/acpi_memhotplug.c
to synchronize against CPU hot-remove and similar.

In general, we should hold the device_hotplug_lock when adding memory to
synchronize against online/offline request (e.g.  from user space) - which
already resulted in lock inversions due to device_lock() and
mem_hotplug_lock - see 30467e0b3be ("mm, hotplug: fix concurrent memory
hot-add deadlock").  add_memory()/add_memory_resource() will create memory
block devices, so this really feels like the right thing to do.

Holding the device_hotplug_lock makes sure that a memory block device
can really only be accessed (e.g. via .online/.state) from user space,
once the memory has been fully added to the system.

The lock is not held yet in
	drivers/xen/balloon.c
	arch/powerpc/platforms/powernv/memtrace.c
	drivers/s390/char/sclp_cmd.c
	drivers/hv/hv_balloon.c
So, let's either use the locked variants or take the lock.

Don't export add_memory_resource(), as it once was exported to be used by
XEN, which is never built as a module.  If somebody requires it, we also
have to export a locked variant (as device_hotplug_lock is never
exported).

Link: http://lkml.kernel.org/r/20180925091457.28651-3-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Len Brown <lenb@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Cc: John Allen <jallen@linux.vnet.ibm.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mathieu Malaterre <malat@debian.org>
Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Neuling <mikey@neuling.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../platforms/pseries/hotplug-memory.c        |  2 +-
 drivers/acpi/acpi_memhotplug.c                |  2 +-
 drivers/base/memory.c                         |  9 ++++++--
 drivers/xen/balloon.c                         |  3 +++
 include/linux/memory_hotplug.h                |  1 +
 mm/memory_hotplug.c                           | 22 ++++++++++++++++---
 6 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
index 2f166136bb50a..d93ff494e7781 100644
--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
+++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
@@ -676,7 +676,7 @@ static int dlpar_add_lmb(struct drmem_lmb *lmb)
 	nid = memory_add_physaddr_to_nid(lmb->base_addr);
 
 	/* Add the memory */
-	rc = add_memory(nid, lmb->base_addr, block_sz);
+	rc = __add_memory(nid, lmb->base_addr, block_sz);
 	if (rc) {
 		invalidate_lmb_associativity_index(lmb);
 		return rc;
diff --git a/drivers/acpi/acpi_memhotplug.c b/drivers/acpi/acpi_memhotplug.c
index 6b0d3ef7309cb..2ccfbb61ca899 100644
--- a/drivers/acpi/acpi_memhotplug.c
+++ b/drivers/acpi/acpi_memhotplug.c
@@ -228,7 +228,7 @@ static int acpi_memory_enable_device(struct acpi_memory_device *mem_device)
 		if (node < 0)
 			node = memory_add_physaddr_to_nid(info->start_addr);
 
-		result = add_memory(node, info->start_addr, info->length);
+		result = __add_memory(node, info->start_addr, info->length);
 
 		/*
 		 * If the memory block has been used by the kernel, add_memory()
diff --git a/drivers/base/memory.c b/drivers/base/memory.c
index 85ee64d0a44e9..07901cacfec63 100644
--- a/drivers/base/memory.c
+++ b/drivers/base/memory.c
@@ -519,15 +519,20 @@ memory_probe_store(struct device *dev, struct device_attribute *attr,
 	if (phys_addr & ((pages_per_block << PAGE_SHIFT) - 1))
 		return -EINVAL;
 
+	ret = lock_device_hotplug_sysfs();
+	if (ret)
+		goto out;
+
 	nid = memory_add_physaddr_to_nid(phys_addr);
-	ret = add_memory(nid, phys_addr,
-			 MIN_MEMORY_BLOCK_SIZE * sections_per_block);
+	ret = __add_memory(nid, phys_addr,
+			   MIN_MEMORY_BLOCK_SIZE * sections_per_block);
 
 	if (ret)
 		goto out;
 
 	ret = count;
 out:
+	unlock_device_hotplug();
 	return ret;
 }
 
diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index d4e8b717ce2b2..747a15acbce37 100644
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -350,7 +350,10 @@ static enum bp_state reserve_additional_memory(void)
 	 * callers drop the mutex before trying again.
 	 */
 	mutex_unlock(&balloon_mutex);
+	/* add_memory_resource() requires the device_hotplug lock */
+	lock_device_hotplug();
 	rc = add_memory_resource(nid, resource, memhp_auto_online);
+	unlock_device_hotplug();
 	mutex_lock(&balloon_mutex);
 
 	if (rc) {
diff --git a/include/linux/memory_hotplug.h b/include/linux/memory_hotplug.h
index 34a28227068dc..16487052017d5 100644
--- a/include/linux/memory_hotplug.h
+++ b/include/linux/memory_hotplug.h
@@ -322,6 +322,7 @@ static inline void remove_memory(int nid, u64 start, u64 size) {}
 extern void __ref free_area_init_core_hotplug(int nid);
 extern int walk_memory_range(unsigned long start_pfn, unsigned long end_pfn,
 		void *arg, int (*func)(struct memory_block *, void *));
+extern int __add_memory(int nid, u64 start, u64 size);
 extern int add_memory(int nid, u64 start, u64 size);
 extern int add_memory_resource(int nid, struct resource *resource, bool online);
 extern int arch_add_memory(int nid, u64 start, u64 size,
diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index 7965112eb0635..0db85bffa3892 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1077,7 +1077,12 @@ static int online_memory_block(struct memory_block *mem, void *arg)
 	return device_online(&mem->dev);
 }
 
-/* we are OK calling __meminit stuff here - we have CONFIG_MEMORY_HOTPLUG */
+/*
+ * NOTE: The caller must call lock_device_hotplug() to serialize hotplug
+ * and online/offline operations (triggered e.g. by sysfs).
+ *
+ * we are OK calling __meminit stuff here - we have CONFIG_MEMORY_HOTPLUG
+ */
 int __ref add_memory_resource(int nid, struct resource *res, bool online)
 {
 	u64 start, size;
@@ -1146,9 +1151,9 @@ int __ref add_memory_resource(int nid, struct resource *res, bool online)
 	mem_hotplug_done();
 	return ret;
 }
-EXPORT_SYMBOL_GPL(add_memory_resource);
 
-int __ref add_memory(int nid, u64 start, u64 size)
+/* requires device_hotplug_lock, see add_memory_resource() */
+int __ref __add_memory(int nid, u64 start, u64 size)
 {
 	struct resource *res;
 	int ret;
@@ -1162,6 +1167,17 @@ int __ref add_memory(int nid, u64 start, u64 size)
 		release_memory_resource(res);
 	return ret;
 }
+
+int add_memory(int nid, u64 start, u64 size)
+{
+	int rc;
+
+	lock_device_hotplug();
+	rc = __add_memory(nid, start, size);
+	unlock_device_hotplug();
+
+	return rc;
+}
 EXPORT_SYMBOL_GPL(add_memory);
 
 #ifdef CONFIG_MEMORY_HOTREMOVE
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 181/306] mm/memory_hotplug: fix online/offline_pages called w.o. mem_hotplug_lock
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 180/306] mm/memory_hotplug: make add_memory() take the device_hotplug_lock Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 182/306] powerpc/powernv: hold device_hotplug_lock when calling device_online() Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Hildenbrand, Pavel Tatashin,
	Rashmica Gupta, Oscar Salvador, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, Rafael J. Wysocki, Len Brown,
	K. Y. Srinivasan, Haiyang Zhang, Stephen Hemminger,
	Martin Schwidefsky, Heiko Carstens, Boris Ostrovsky,
	Juergen Gross, Michael Neuling, Balbir Singh, Kate Stewart,
	Thomas Gleixner, Philippe Ombredanne, Vlastimil Babka,
	Dan Williams, YASUAKI ISHIMATSU, Mathieu Malaterre, John Allen,
	Jonathan Corbet, Joonsoo Kim, Nathan Fontenot, Rafael J. Wysocki,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: David Hildenbrand <david@redhat.com>

[ Upstream commit 381eab4a6ee81266f8dddc62e57376c7e584e5b8 ]

There seem to be some problems as result of 30467e0b3be ("mm, hotplug:
fix concurrent memory hot-add deadlock"), which tried to fix a possible
lock inversion reported and discussed in [1] due to the two locks
	a) device_lock()
	b) mem_hotplug_lock

While add_memory() first takes b), followed by a) during
bus_probe_device(), onlining of memory from user space first took a),
followed by b), exposing a possible deadlock.

In [1], and it was decided to not make use of device_hotplug_lock, but
rather to enforce a locking order.

The problems I spotted related to this:

1. Memory block device attributes: While .state first calls
   mem_hotplug_begin() and the calls device_online() - which takes
   device_lock() - .online does no longer call mem_hotplug_begin(), so
   effectively calls online_pages() without mem_hotplug_lock.

2. device_online() should be called under device_hotplug_lock, however
   onlining memory during add_memory() does not take care of that.

In addition, I think there is also something wrong about the locking in

3. arch/powerpc/platforms/powernv/memtrace.c calls offline_pages()
   without locks. This was introduced after 30467e0b3be. And skimming over
   the code, I assume it could need some more care in regards to locking
   (e.g. device_online() called without device_hotplug_lock. This will
   be addressed in the following patches.

Now that we hold the device_hotplug_lock when
- adding memory (e.g. via add_memory()/add_memory_resource())
- removing memory (e.g. via remove_memory())
- device_online()/device_offline()

We can move mem_hotplug_lock usage back into
online_pages()/offline_pages().

Why is mem_hotplug_lock still needed? Essentially to make
get_online_mems()/put_online_mems() be very fast (relying on
device_hotplug_lock would be very slow), and to serialize against
addition of memory that does not create memory block devices (hmm).

[1] http://driverdev.linuxdriverproject.org/pipermail/ driverdev-devel/
    2015-February/065324.html

This patch is partly based on a patch by Vitaly Kuznetsov.

Link: http://lkml.kernel.org/r/20180925091457.28651-4-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Len Brown <lenb@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Rashmica Gupta <rashmica.g@gmail.com>
Cc: Michael Neuling <mikey@neuling.org>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
Cc: Mathieu Malaterre <malat@debian.org>
Cc: John Allen <jallen@linux.vnet.ibm.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/memory.c | 13 +------------
 mm/memory_hotplug.c   | 28 ++++++++++++++++++++--------
 2 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/drivers/base/memory.c b/drivers/base/memory.c
index 07901cacfec63..0f8e77f78cc80 100644
--- a/drivers/base/memory.c
+++ b/drivers/base/memory.c
@@ -228,7 +228,6 @@ static bool pages_correctly_probed(unsigned long start_pfn)
 /*
  * MEMORY_HOTPLUG depends on SPARSEMEM in mm/Kconfig, so it is
  * OK to have direct references to sparsemem variables in here.
- * Must already be protected by mem_hotplug_begin().
  */
 static int
 memory_block_action(unsigned long phys_index, unsigned long action, int online_type)
@@ -294,7 +293,6 @@ static int memory_subsys_online(struct device *dev)
 	if (mem->online_type < 0)
 		mem->online_type = MMOP_ONLINE_KEEP;
 
-	/* Already under protection of mem_hotplug_begin() */
 	ret = memory_block_change_state(mem, MEM_ONLINE, MEM_OFFLINE);
 
 	/* clear online_type */
@@ -341,19 +339,11 @@ store_mem_state(struct device *dev,
 		goto err;
 	}
 
-	/*
-	 * Memory hotplug needs to hold mem_hotplug_begin() for probe to find
-	 * the correct memory block to online before doing device_online(dev),
-	 * which will take dev->mutex.  Take the lock early to prevent an
-	 * inversion, memory_subsys_online() callbacks will be implemented by
-	 * assuming it's already protected.
-	 */
-	mem_hotplug_begin();
-
 	switch (online_type) {
 	case MMOP_ONLINE_KERNEL:
 	case MMOP_ONLINE_MOVABLE:
 	case MMOP_ONLINE_KEEP:
+		/* mem->online_type is protected by device_hotplug_lock */
 		mem->online_type = online_type;
 		ret = device_online(&mem->dev);
 		break;
@@ -364,7 +354,6 @@ store_mem_state(struct device *dev,
 		ret = -EINVAL; /* should never happen */
 	}
 
-	mem_hotplug_done();
 err:
 	unlock_device_hotplug();
 
diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index 0db85bffa3892..3a0a87e7c40ad 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -846,7 +846,6 @@ static struct zone * __meminit move_pfn_range(int online_type, int nid,
 	return zone;
 }
 
-/* Must be protected by mem_hotplug_begin() or a device_lock */
 int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_type)
 {
 	unsigned long flags;
@@ -858,6 +857,8 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ
 	struct memory_notify arg;
 	struct memory_block *mem;
 
+	mem_hotplug_begin();
+
 	/*
 	 * We can't use pfn_to_nid() because nid might be stored in struct page
 	 * which is not yet initialized. Instead, we find nid from memory block.
@@ -923,6 +924,7 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ
 
 	if (onlined_pages)
 		memory_notify(MEM_ONLINE, &arg);
+	mem_hotplug_done();
 	return 0;
 
 failed_addition:
@@ -930,6 +932,7 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ
 		 (unsigned long long) pfn << PAGE_SHIFT,
 		 (((unsigned long long) pfn + nr_pages) << PAGE_SHIFT) - 1);
 	memory_notify(MEM_CANCEL_ONLINE, &arg);
+	mem_hotplug_done();
 	return ret;
 }
 #endif /* CONFIG_MEMORY_HOTPLUG_SPARSE */
@@ -1134,20 +1137,20 @@ int __ref add_memory_resource(int nid, struct resource *res, bool online)
 	/* create new memmap entry */
 	firmware_map_add_hotplug(start, start + size, "System RAM");
 
+	/* device_online() will take the lock when calling online_pages() */
+	mem_hotplug_done();
+
 	/* online pages if requested */
 	if (online)
 		walk_memory_range(PFN_DOWN(start), PFN_UP(start + size - 1),
 				  NULL, online_memory_block);
 
-	goto out;
-
+	return ret;
 error:
 	/* rollback pgdat allocation and others */
 	if (new_node)
 		rollback_node_hotadd(nid);
 	memblock_remove(start, size);
-
-out:
 	mem_hotplug_done();
 	return ret;
 }
@@ -1614,10 +1617,16 @@ static int __ref __offline_pages(unsigned long start_pfn,
 		return -EINVAL;
 	if (!IS_ALIGNED(end_pfn, pageblock_nr_pages))
 		return -EINVAL;
+
+	mem_hotplug_begin();
+
 	/* This makes hotplug much easier...and readable.
 	   we assume this for now. .*/
-	if (!test_pages_in_a_zone(start_pfn, end_pfn, &valid_start, &valid_end))
+	if (!test_pages_in_a_zone(start_pfn, end_pfn, &valid_start,
+				  &valid_end)) {
+		mem_hotplug_done();
 		return -EINVAL;
+	}
 
 	zone = page_zone(pfn_to_page(valid_start));
 	node = zone_to_nid(zone);
@@ -1626,8 +1635,10 @@ static int __ref __offline_pages(unsigned long start_pfn,
 	/* set above range as isolated */
 	ret = start_isolate_page_range(start_pfn, end_pfn,
 				       MIGRATE_MOVABLE, true);
-	if (ret)
+	if (ret) {
+		mem_hotplug_done();
 		return ret;
+	}
 
 	arg.start_pfn = start_pfn;
 	arg.nr_pages = nr_pages;
@@ -1698,6 +1709,7 @@ static int __ref __offline_pages(unsigned long start_pfn,
 	writeback_set_ratelimit();
 
 	memory_notify(MEM_OFFLINE, &arg);
+	mem_hotplug_done();
 	return 0;
 
 failed_removal:
@@ -1707,10 +1719,10 @@ static int __ref __offline_pages(unsigned long start_pfn,
 	memory_notify(MEM_CANCEL_OFFLINE, &arg);
 	/* pushback to free area */
 	undo_isolate_page_range(start_pfn, end_pfn, MIGRATE_MOVABLE);
+	mem_hotplug_done();
 	return ret;
 }
 
-/* Must be protected by mem_hotplug_begin() or a device_lock */
 int offline_pages(unsigned long start_pfn, unsigned long nr_pages)
 {
 	return __offline_pages(start_pfn, start_pfn + nr_pages);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 182/306] powerpc/powernv: hold device_hotplug_lock when calling device_online()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 181/306] mm/memory_hotplug: fix online/offline_pages called w.o. mem_hotplug_lock Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 183/306] igb: shorten maximum PHC timecounter update interval Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Hildenbrand, Pavel Tatashin,
	Rashmica Gupta, Benjamin Herrenschmidt, Paul Mackerras,
	Michael Ellerman, Balbir Singh, Michael Neuling, Boris Ostrovsky,
	Dan Williams, Haiyang Zhang, Heiko Carstens, John Allen,
	Jonathan Corbet, Joonsoo Kim, Juergen Gross, Kate Stewart,
	K. Y. Srinivasan, Len Brown, Martin Schwidefsky,
	Mathieu Malaterre, Michal Hocko, Nathan Fontenot, Oscar Salvador,
	Philippe Ombredanne, Rafael J. Wysocki, Rafael J. Wysocki,
	Stephen Hemminger, Thomas Gleixner, Vlastimil Babka,
	YASUAKI ISHIMATSU, Andrew Morton, Linus Torvalds, Sasha Levin

From: David Hildenbrand <david@redhat.com>

[ Upstream commit cec1680591d6d5b10ecc10f370210089416e98af ]

device_online() should be called with device_hotplug_lock() held.

Link: http://lkml.kernel.org/r/20180925091457.28651-5-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Rashmica Gupta <rashmica.g@gmail.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Michael Neuling <mikey@neuling.org>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: John Allen <jallen@linux.vnet.ibm.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Len Brown <lenb@kernel.org>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Mathieu Malaterre <malat@debian.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/powernv/memtrace.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/powerpc/platforms/powernv/memtrace.c b/arch/powerpc/platforms/powernv/memtrace.c
index 232bf5987f91d..dd3cc4632b9ae 100644
--- a/arch/powerpc/platforms/powernv/memtrace.c
+++ b/arch/powerpc/platforms/powernv/memtrace.c
@@ -244,9 +244,11 @@ static int memtrace_online(void)
 		 * we need to online the memory ourselves.
 		 */
 		if (!memhp_auto_online) {
+			lock_device_hotplug();
 			walk_memory_range(PFN_DOWN(ent->start),
 					  PFN_UP(ent->start + ent->size - 1),
 					  NULL, online_mem_block);
+			unlock_device_hotplug();
 		}
 
 		/*
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 183/306] igb: shorten maximum PHC timecounter update interval
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 182/306] powerpc/powernv: hold device_hotplug_lock when calling device_online() Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 184/306] fm10k: ensure completer aborts are marked as non-fatal after a resume Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jacob Keller, Richard Cochran,
	Thomas Gleixner, Miroslav Lichvar, Aaron Brown, Jeff Kirsher,
	Sasha Levin

From: Miroslav Lichvar <mlichvar@redhat.com>

[ Upstream commit 094bf4d0e9657f6ea1ee3d7e07ce3970796949ce ]

The timecounter needs to be updated at least once per ~550 seconds in
order to avoid a 40-bit SYSTIM timestamp to be misinterpreted as an old
timestamp.

Since commit 500462a9d ("timers: Switch to a non-cascading wheel"),
scheduling of delayed work seems to be less accurate and a requested
delay of 540 seconds may actually be longer than 550 seconds. Shorten
the delay to 480 seconds to be sure the timecounter is updated in time.

This fixes an issue with HW timestamps on 82580/I350/I354 being off by
~1100 seconds for few seconds every ~9 minutes.

Cc: Jacob Keller <jacob.e.keller@intel.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/igb/igb_ptp.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c
index 9f4d700e09df3..29ced6b74d364 100644
--- a/drivers/net/ethernet/intel/igb/igb_ptp.c
+++ b/drivers/net/ethernet/intel/igb/igb_ptp.c
@@ -51,9 +51,15 @@
  *
  * The 40 bit 82580 SYSTIM overflows every
  *   2^40 * 10^-9 /  60  = 18.3 minutes.
+ *
+ * SYSTIM is converted to real time using a timecounter. As
+ * timecounter_cyc2time() allows old timestamps, the timecounter
+ * needs to be updated at least once per half of the SYSTIM interval.
+ * Scheduling of delayed work is not very accurate, so we aim for 8
+ * minutes to be sure the actual interval is shorter than 9.16 minutes.
  */
 
-#define IGB_SYSTIM_OVERFLOW_PERIOD	(HZ * 60 * 9)
+#define IGB_SYSTIM_OVERFLOW_PERIOD	(HZ * 60 * 8)
 #define IGB_PTP_TX_TIMEOUT		(HZ * 15)
 #define INCPERIOD_82576			BIT(E1000_TIMINCA_16NS_SHIFT)
 #define INCVALUE_82576_MASK		GENMASK(E1000_TIMINCA_16NS_SHIFT - 1, 0)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 184/306] fm10k: ensure completer aborts are marked as non-fatal after a resume
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 183/306] igb: shorten maximum PHC timecounter update interval Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jacob Keller, Jeff Kirsher, Sasha Levin

From: Jacob Keller <jacob.e.keller@intel.com>

[ Upstream commit e330af788998b0de4da4f5bd7ddd087507999800 ]

VF drivers can trigger PCIe completer aborts any time they read a queue
that they don't own. Even in nominal circumstances, it is not possible
to prevent the VF driver from reading queues it doesn't own. VF drivers
may attempt to read queues it previously owned, but which it no longer
does due to a PF reset.

Normally these completer aborts aren't an issue. However, on some
platforms these trigger machine check errors. This is true even if we
lower their severity from fatal to non-fatal. Indeed, we already have
code for lowering the severity.

We could attempt to mask these errors conditionally around resets, which
is the most common time they would occur. However this would essentially
be a race between the PF and VF drivers, and we may still occasionally
see machine check exceptions on these strictly configured platforms.

Instead, mask the errors entirely any time we resume VFs. By doing so,
we prevent the completer aborts from being sent to the parent PCIe
device, and thus these strict platforms will not upgrade them into
machine check errors.

Additionally, we don't lose any information by masking these errors,
because we'll still report VFs which attempt to access queues via the
FUM_BAD_VF_QACCESS errors.

Without this change, on platforms where completer aborts cause machine
check exceptions, the VF reading queues it doesn't own could crash the
host system. Masking the completer abort prevents this, so we should
mask it for good, and not just around a PCIe reset. Otherwise malicious
or misconfigured VFs could cause the host system to crash.

Because we are masking the error entirely, there is little reason to
also keep setting the severity bit, so that code is also removed.

Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/fm10k/fm10k_iov.c | 48 ++++++++++++--------
 1 file changed, 28 insertions(+), 20 deletions(-)

diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
index e707d717012fa..618032612f52d 100644
--- a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
+++ b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
@@ -302,6 +302,28 @@ void fm10k_iov_suspend(struct pci_dev *pdev)
 	}
 }
 
+static void fm10k_mask_aer_comp_abort(struct pci_dev *pdev)
+{
+	u32 err_mask;
+	int pos;
+
+	pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+	if (!pos)
+		return;
+
+	/* Mask the completion abort bit in the ERR_UNCOR_MASK register,
+	 * preventing the device from reporting these errors to the upstream
+	 * PCIe root device. This avoids bringing down platforms which upgrade
+	 * non-fatal completer aborts into machine check exceptions. Completer
+	 * aborts can occur whenever a VF reads a queue it doesn't own.
+	 */
+	pci_read_config_dword(pdev, pos + PCI_ERR_UNCOR_MASK, &err_mask);
+	err_mask |= PCI_ERR_UNC_COMP_ABORT;
+	pci_write_config_dword(pdev, pos + PCI_ERR_UNCOR_MASK, err_mask);
+
+	mmiowb();
+}
+
 int fm10k_iov_resume(struct pci_dev *pdev)
 {
 	struct fm10k_intfc *interface = pci_get_drvdata(pdev);
@@ -317,6 +339,12 @@ int fm10k_iov_resume(struct pci_dev *pdev)
 	if (!iov_data)
 		return -ENOMEM;
 
+	/* Lower severity of completer abort error reporting as
+	 * the VFs can trigger this any time they read a queue
+	 * that they don't own.
+	 */
+	fm10k_mask_aer_comp_abort(pdev);
+
 	/* allocate hardware resources for the VFs */
 	hw->iov.ops.assign_resources(hw, num_vfs, num_vfs);
 
@@ -460,20 +488,6 @@ void fm10k_iov_disable(struct pci_dev *pdev)
 	fm10k_iov_free_data(pdev);
 }
 
-static void fm10k_disable_aer_comp_abort(struct pci_dev *pdev)
-{
-	u32 err_sev;
-	int pos;
-
-	pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
-	if (!pos)
-		return;
-
-	pci_read_config_dword(pdev, pos + PCI_ERR_UNCOR_SEVER, &err_sev);
-	err_sev &= ~PCI_ERR_UNC_COMP_ABORT;
-	pci_write_config_dword(pdev, pos + PCI_ERR_UNCOR_SEVER, err_sev);
-}
-
 int fm10k_iov_configure(struct pci_dev *pdev, int num_vfs)
 {
 	int current_vfs = pci_num_vf(pdev);
@@ -495,12 +509,6 @@ int fm10k_iov_configure(struct pci_dev *pdev, int num_vfs)
 
 	/* allocate VFs if not already allocated */
 	if (num_vfs && num_vfs != current_vfs) {
-		/* Disable completer abort error reporting as
-		 * the VFs can trigger this any time they read a queue
-		 * that they don't own.
-		 */
-		fm10k_disable_aer_comp_abort(pdev);
-
 		err = pci_enable_sriov(pdev, num_vfs);
 		if (err) {
 			dev_err(&pdev->dev,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 184/306] fm10k: ensure completer aborts are marked as non-fatal after a resume Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-29 11:00   ` Pavel Machek
  2019-11-27 20:30 ` [PATCH 4.19 186/306] net: hns3: bugfix for reporting unknown vector0 interrupt repeatly problem Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huazhong Tan, David S. Miller, Sasha Levin

From: Huazhong Tan <tanhuazhong@huawei.com>

[ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]

When hns3_get_ring_config()/hns3_queue_to_ring()/
hns3_get_vector_ring_chain() failed during resetting, the allocated
memory has not been freed before these three functions return. So
this patch adds error handler in these functions to fix it.

Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/hisilicon/hns3/hns3_enet.c   | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index e11a7de20b8f4..3708f149d0a6a 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -2547,7 +2547,7 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
 			chain = devm_kzalloc(&pdev->dev, sizeof(*chain),
 					     GFP_KERNEL);
 			if (!chain)
-				return -ENOMEM;
+				goto err_free_chain;
 
 			cur_chain->next = chain;
 			chain->tqp_index = tx_ring->tqp->tqp_index;
@@ -2577,7 +2577,7 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
 	while (rx_ring) {
 		chain = devm_kzalloc(&pdev->dev, sizeof(*chain), GFP_KERNEL);
 		if (!chain)
-			return -ENOMEM;
+			goto err_free_chain;
 
 		cur_chain->next = chain;
 		chain->tqp_index = rx_ring->tqp->tqp_index;
@@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
 	}
 
 	return 0;
+
+err_free_chain:
+	cur_chain = head->next;
+	while (cur_chain) {
+		chain = cur_chain->next;
+		devm_kfree(&pdev->dev, chain);
+		cur_chain = chain;
+	}
+
+	return -ENOMEM;
 }
 
 static void hns3_free_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
@@ -2836,8 +2846,10 @@ static int hns3_queue_to_ring(struct hnae3_queue *tqp,
 		return ret;
 
 	ret = hns3_ring_get_cfg(tqp, priv, HNAE3_RING_TYPE_RX);
-	if (ret)
+	if (ret) {
+		devm_kfree(priv->dev, priv->ring_data[tqp->tqp_index].ring);
 		return ret;
+	}
 
 	return 0;
 }
@@ -2864,6 +2876,12 @@ static int hns3_get_ring_config(struct hns3_nic_priv *priv)
 
 	return 0;
 err:
+	while (i--) {
+		devm_kfree(priv->dev, priv->ring_data[i].ring);
+		devm_kfree(priv->dev,
+			   priv->ring_data[i + h->kinfo.num_tqps].ring);
+	}
+
 	devm_kfree(&pdev->dev, priv->ring_data);
 	return ret;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 186/306] net: hns3: bugfix for reporting unknown vector0 interrupt repeatly problem
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 187/306] net: hns3: bugfix for is_valid_csq_clean_head() Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huazhong Tan, David S. Miller, Sasha Levin

From: Huazhong Tan <tanhuazhong@huawei.com>

[ Upstream commit 0d4411408a7fb9aad0645f23911d9bfdd2ce3177 ]

The current driver supports handling two vector0 interrupts, reset and
mailbox. When the hardware reports an interrupt of another type of
interrupt source, if the driver does not process the interrupt, but
enables the interrupt, the hardware will repeatedly report the unknown
interrupt.

Therefore, the driver enables the vector0 interrupt after clearing the
known type of interrupt source. Other conditions are not enabled.

Fixes: cd8c5c269b1d ("net: hns3: Fix for hclge_reset running repeatly problem")
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index b04df79f393f8..f8cc8d1f0b209 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -2574,7 +2574,7 @@ static irqreturn_t hclge_misc_irq_handle(int irq, void *data)
 	}
 
 	/* clear the source of interrupt if it is not cause by reset */
-	if (event_cause != HCLGE_VECTOR0_EVENT_RST) {
+	if (event_cause == HCLGE_VECTOR0_EVENT_MBX) {
 		hclge_clear_event_cause(hdev, event_cause, clearval);
 		hclge_enable_vector(&hdev->misc_vector, true);
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 187/306] net: hns3: bugfix for is_valid_csq_clean_head()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 186/306] net: hns3: bugfix for reporting unknown vector0 interrupt repeatly problem Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-12-04 12:38   ` Pavel Machek
  2019-11-27 20:30 ` [PATCH 4.19 188/306] net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huazhong Tan, David S. Miller, Sasha Levin

From: Huazhong Tan <tanhuazhong@huawei.com>

[ Upstream commit 6d71ec6cbf74ac9c2823ef751b1baa5b889bb3ac ]

The HEAD pointer of the hardware command queue maybe equal to the command
queue's next_to_use in the driver, so that does not belong to the invalid
HEAD pointer, since the hardware may not process the command in time,
causing the HEAD pointer to be too late to update. The variables' name
in this function is unreadable, so give them a more readable one.

Fixes: 3ff504908f95 ("net: hns3: fix a dead loop in hclge_cmd_csq_clean")
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c   | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
index 68026a5ad7e77..690f62ed87dca 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
@@ -24,15 +24,15 @@ static int hclge_ring_space(struct hclge_cmq_ring *ring)
 	return ring->desc_num - used - 1;
 }
 
-static int is_valid_csq_clean_head(struct hclge_cmq_ring *ring, int h)
+static int is_valid_csq_clean_head(struct hclge_cmq_ring *ring, int head)
 {
-	int u = ring->next_to_use;
-	int c = ring->next_to_clean;
+	int ntu = ring->next_to_use;
+	int ntc = ring->next_to_clean;
 
-	if (unlikely(h >= ring->desc_num))
-		return 0;
+	if (ntu > ntc)
+		return head >= ntc && head <= ntu;
 
-	return u > c ? (h > c && h <= u) : (h > c || h <= u);
+	return head >= ntc || head <= ntu;
 }
 
 static int hclge_alloc_cmd_desc(struct hclge_cmq_ring *ring)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 188/306] net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 187/306] net: hns3: bugfix for is_valid_csq_clean_head() Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 189/306] ntb_netdev: fix sleep time mismatch Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huazhong Tan, David S. Miller, Sasha Levin

From: Huazhong Tan <tanhuazhong@huawei.com>

[ Upstream commit 1c12493809924deda6c0834cb2f2c5a6dc786390 ]

When there is a PHY, the driver needs to complete some operations through
MDIO during reset reinitialization, so HCLGE_STATE_CMD_DISABLE is more
suitable than HCLGE_STATE_RST_HANDLING to prevent the MDIO operation from
being sent during the hardware reset.

Fixes: b50ae26c57cb ("net: hns3: never send command queue message to IMP when reset)
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
index 398971a062f47..03491e8ebb730 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
@@ -54,7 +54,7 @@ static int hclge_mdio_write(struct mii_bus *bus, int phyid, int regnum,
 	struct hclge_desc desc;
 	int ret;
 
-	if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state))
+	if (test_bit(HCLGE_STATE_CMD_DISABLE, &hdev->state))
 		return 0;
 
 	hclge_cmd_setup_basic_desc(&desc, HCLGE_OPC_MDIO_CONFIG, false);
@@ -92,7 +92,7 @@ static int hclge_mdio_read(struct mii_bus *bus, int phyid, int regnum)
 	struct hclge_desc desc;
 	int ret;
 
-	if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state))
+	if (test_bit(HCLGE_STATE_CMD_DISABLE, &hdev->state))
 		return 0;
 
 	hclge_cmd_setup_basic_desc(&desc, HCLGE_OPC_MDIO_CONFIG, true);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 189/306] ntb_netdev: fix sleep time mismatch
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 188/306] net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 190/306] ntb: intel: fix return value for ndev_vec_mask() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gerd W. Haeussler, Jon Mason,
	Dave Jiang, Sasha Levin

From: Jon Mason <jdmason@kudzu.us>

[ Upstream commit a861594b1b7ffd630f335b351c4e9f938feadb8e ]

The tx_time should be in usecs (according to the comment above the
variable), but the setting of the timer during the rearming is done in
msecs.  Change it to match the expected units.

Fixes: e74bfeedad08 ("NTB: Add flow control to the ntb_netdev")
Suggested-by: Gerd W. Haeussler <gerd.haeussler@cesys-it.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Acked-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ntb_netdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
index b12023bc2cab5..df8d49ad48c38 100644
--- a/drivers/net/ntb_netdev.c
+++ b/drivers/net/ntb_netdev.c
@@ -236,7 +236,7 @@ static void ntb_netdev_tx_timer(struct timer_list *t)
 	struct net_device *ndev = dev->ndev;
 
 	if (ntb_transport_tx_free_entry(dev->qp) < tx_stop) {
-		mod_timer(&dev->tx_timer, jiffies + msecs_to_jiffies(tx_time));
+		mod_timer(&dev->tx_timer, jiffies + usecs_to_jiffies(tx_time));
 	} else {
 		/* Make sure anybody stopping the queue after this sees the new
 		 * value of ntb_transport_tx_free_entry()
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 190/306] ntb: intel: fix return value for ndev_vec_mask()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 189/306] ntb_netdev: fix sleep time mismatch Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 191/306] irq/matrix: Fix memory overallocation Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Jiang, Lucas Van, Jon Mason,
	Sasha Levin

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit 7756e2b5d68c36e170a111dceea22f7365f83256 ]

ndev_vec_mask() should be returning u64 mask value instead of int.
Otherwise the mask value returned can be incorrect for larger
vectors.

Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")

Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Tested-by: Lucas Van <lucas.van@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c
index 6aa5732272791..2ad263f708da7 100644
--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c
+++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c
@@ -265,7 +265,7 @@ static inline int ndev_db_clear_mask(struct intel_ntb_dev *ndev, u64 db_bits,
 	return 0;
 }
 
-static inline int ndev_vec_mask(struct intel_ntb_dev *ndev, int db_vector)
+static inline u64 ndev_vec_mask(struct intel_ntb_dev *ndev, int db_vector)
 {
 	u64 shift, mask;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 191/306] irq/matrix: Fix memory overallocation
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 190/306] ntb: intel: fix return value for ndev_vec_mask() Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 192/306] nvme-pci: fix conflicting p2p resource adds Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Kelley, Thomas Gleixner,
	KY Srinivasan, Sasha Levin

From: Michael Kelley <mikelley@microsoft.com>

[ Upstream commit 57f01796f14fecf00d330fe39c8d2477ced9cd79 ]

IRQ_MATRIX_SIZE is the number of longs needed for a bitmap, multiplied by
the size of a long, yielding a byte count. But it is used to size an array
of longs, which is way more memory than is needed.

Change IRQ_MATRIX_SIZE so it is just the number of longs needed and the
arrays come out the correct size.

Fixes: 2f75d9e1c905 ("genirq: Implement bitmap matrix allocator")
Signed-off-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: KY Srinivasan <kys@microsoft.com>
Link: https://lkml.kernel.org/r/1541032428-10392-1-git-send-email-mikelley@microsoft.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/irq/matrix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/irq/matrix.c b/kernel/irq/matrix.c
index 92337703ca9fd..30cc217b86318 100644
--- a/kernel/irq/matrix.c
+++ b/kernel/irq/matrix.c
@@ -8,7 +8,7 @@
 #include <linux/cpu.h>
 #include <linux/irq.h>
 
-#define IRQ_MATRIX_SIZE	(BITS_TO_LONGS(IRQ_MATRIX_BITS) * sizeof(unsigned long))
+#define IRQ_MATRIX_SIZE	(BITS_TO_LONGS(IRQ_MATRIX_BITS))
 
 struct cpumap {
 	unsigned int		available;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 192/306] nvme-pci: fix conflicting p2p resource adds
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 191/306] irq/matrix: Fix memory overallocation Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 193/306] arm64: makefile fix build of .i file in external module case Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keith Busch, Logan Gunthorpe,
	Christoph Hellwig, Jens Axboe, Sasha Levin

From: Keith Busch <keith.busch@intel.com>

[ Upstream commit 9fe5c59ff6a1e5e26a39b75489a1420e7eaaf0b1 ]

The nvme pci driver had been adding its CMB resource to the P2P DMA
subsystem everytime on on a controller reset. This results in the
following warning:

    ------------[ cut here ]------------
    nvme 0000:00:03.0: Conflicting mapping in same section
    WARNING: CPU: 7 PID: 81 at kernel/memremap.c:155 devm_memremap_pages+0xa6/0x380
    ...
    Call Trace:
     pci_p2pdma_add_resource+0x153/0x370
     nvme_reset_work+0x28c/0x17b1 [nvme]
     ? add_timer+0x107/0x1e0
     ? dequeue_entity+0x81/0x660
     ? dequeue_entity+0x3b0/0x660
     ? pick_next_task_fair+0xaf/0x610
     ? __switch_to+0xbc/0x410
     process_one_work+0x1cf/0x350
     worker_thread+0x215/0x3d0
     ? process_one_work+0x350/0x350
     kthread+0x107/0x120
     ? kthread_park+0x80/0x80
     ret_from_fork+0x1f/0x30
    ---[ end trace f7ea76ac6ee72727 ]---
    nvme nvme0: failed to register the CMB

This patch fixes this by registering the CMB with P2P only once.

Signed-off-by: Keith Busch <keith.busch@intel.com>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/pci.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 9479c0db08f62..124f41157173e 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1652,6 +1652,9 @@ static void nvme_map_cmb(struct nvme_dev *dev)
 	struct pci_dev *pdev = to_pci_dev(dev->dev);
 	int bar;
 
+	if (dev->cmb_size)
+		return;
+
 	dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ);
 	if (!dev->cmbsz)
 		return;
@@ -2136,7 +2139,6 @@ static void nvme_pci_disable(struct nvme_dev *dev)
 {
 	struct pci_dev *pdev = to_pci_dev(dev->dev);
 
-	nvme_release_cmb(dev);
 	pci_free_irq_vectors(pdev);
 
 	if (pci_is_enabled(pdev)) {
@@ -2595,6 +2597,7 @@ static void nvme_remove(struct pci_dev *pdev)
 	nvme_stop_ctrl(&dev->ctrl);
 	nvme_remove_namespaces(&dev->ctrl);
 	nvme_dev_disable(dev, true);
+	nvme_release_cmb(dev);
 	nvme_free_host_mem(dev);
 	nvme_dev_remove_admin(dev);
 	nvme_free_queues(dev, 0);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 193/306] arm64: makefile fix build of .i file in external module case
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 192/306] nvme-pci: fix conflicting p2p resource adds Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 194/306] tools/power turbosat: fix AMD APIC-id output Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kevin Brodsky, Victor Kamensky,
	Catalin Marinas, Sasha Levin

From: Victor Kamensky <kamensky@cisco.com>

[ Upstream commit 98356eb0ae499c63e78073ccedd9a5fc5c563288 ]

After 'a66649dab350 arm64: fix vdso-offsets.h dependency' if
one will try to build .i file in case of external kernel module,
build fails complaining that prepare0 target is missing. This
issue came up with SystemTap when it tries to build variety
of .i files for its own generated kernel modules trying to
figure given kernel features/capabilities.

The issue is that prepare0 is defined in top level Makefile
only if KBUILD_EXTMOD is not defined. .i file rule depends
on prepare and in case KBUILD_EXTMOD defined top level Makefile
contains empty rule for prepare. But after mentioned commit
arch/arm64/Makefile would introduce dependency on prepare0
through its own prepare target.

Fix it to put proper ifdef KBUILD_EXTMOD around code introduced
by mentioned commit. It matches what top level Makefile does.

Acked-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Victor Kamensky <kamensky@cisco.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 5d8787f0ca5f9..9a5e281412116 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -148,6 +148,7 @@ archclean:
 	$(Q)$(MAKE) $(clean)=$(boot)
 	$(Q)$(MAKE) $(clean)=$(boot)/dts
 
+ifeq ($(KBUILD_EXTMOD),)
 # We need to generate vdso-offsets.h before compiling certain files in kernel/.
 # In order to do that, we should use the archprepare target, but we can't since
 # asm-offsets.h is included in some files used to generate vdso-offsets.h, and
@@ -157,6 +158,7 @@ archclean:
 prepare: vdso_prepare
 vdso_prepare: prepare0
 	$(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso include/generated/vdso-offsets.h
+endif
 
 define archhelp
   echo  '* Image.gz      - Compressed kernel image (arch/$(ARCH)/boot/Image.gz)'
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 194/306] tools/power turbosat: fix AMD APIC-id output
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 193/306] arm64: makefile fix build of .i file in external module case Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 195/306] mm: handle no memcg case in memcg_kmem_charge() properly Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Len Brown, Sasha Levin

From: Len Brown <len.brown@intel.com>

[ Upstream commit 3404155190ce09a1e5d8407e968fc19aac4493e3 ]

turbostat recently gained a feature adding APIC and X2APIC columns.
While they are disabled by-default, they are enabled with --debug
or when explicitly requested, eg.

$ sudo turbostat --quiet --show Package,Node,Core,CPU,APIC,X2APIC date

But these columns erroneously showed zeros on AMD hardware.
This patch corrects the APIC and X2APIC [sic] columns on AMD.

Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/power/x86/turbostat/turbostat.c | 93 +++++++++++++++++----------
 1 file changed, 60 insertions(+), 33 deletions(-)

diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
index 823bbc741ad7a..02d123871ef95 100644
--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -1,6 +1,6 @@
 /*
  * turbostat -- show CPU frequency and C-state residency
- * on modern Intel turbo-capable processors.
+ * on modern Intel and AMD processors.
  *
  * Copyright (c) 2013 Intel Corporation.
  * Len Brown <len.brown@intel.com>
@@ -71,6 +71,8 @@ unsigned int do_irtl_snb;
 unsigned int do_irtl_hsw;
 unsigned int units = 1000000;	/* MHz etc */
 unsigned int genuine_intel;
+unsigned int authentic_amd;
+unsigned int max_level, max_extended_level;
 unsigned int has_invariant_tsc;
 unsigned int do_nhm_platform_info;
 unsigned int no_MSR_MISC_PWR_MGMT;
@@ -1667,30 +1669,51 @@ int get_mp(int cpu, struct msr_counter *mp, unsigned long long *counterp)
 
 void get_apic_id(struct thread_data *t)
 {
-	unsigned int eax, ebx, ecx, edx, max_level;
+	unsigned int eax, ebx, ecx, edx;
 
-	eax = ebx = ecx = edx = 0;
+	if (DO_BIC(BIC_APIC)) {
+		eax = ebx = ecx = edx = 0;
+		__cpuid(1, eax, ebx, ecx, edx);
 
-	if (!genuine_intel)
+		t->apic_id = (ebx >> 24) & 0xff;
+	}
+
+	if (!DO_BIC(BIC_X2APIC))
 		return;
 
-	__cpuid(0, max_level, ebx, ecx, edx);
+	if (authentic_amd) {
+		unsigned int topology_extensions;
 
-	__cpuid(1, eax, ebx, ecx, edx);
-	t->apic_id = (ebx >> 24) & 0xf;
+		if (max_extended_level < 0x8000001e)
+			return;
 
-	if (max_level < 0xb)
+		eax = ebx = ecx = edx = 0;
+		__cpuid(0x80000001, eax, ebx, ecx, edx);
+			topology_extensions = ecx & (1 << 22);
+
+		if (topology_extensions == 0)
+			return;
+
+		eax = ebx = ecx = edx = 0;
+		__cpuid(0x8000001e, eax, ebx, ecx, edx);
+
+		t->x2apic_id = eax;
 		return;
+	}
 
-	if (!DO_BIC(BIC_X2APIC))
+	if (!genuine_intel)
+		return;
+
+	if (max_level < 0xb)
 		return;
 
 	ecx = 0;
 	__cpuid(0xb, eax, ebx, ecx, edx);
 	t->x2apic_id = edx;
 
-	if (debug && (t->apic_id != t->x2apic_id))
-		fprintf(outf, "cpu%d: apic 0x%x x2apic 0x%x\n", t->cpu_id, t->apic_id, t->x2apic_id);
+	if (debug && (t->apic_id != (t->x2apic_id & 0xff)))
+		fprintf(outf, "cpu%d: BIOS BUG: apic 0x%x x2apic 0x%x\n",
+				t->cpu_id, t->apic_id, t->x2apic_id);
 }
 
 /*
@@ -4439,16 +4462,18 @@ void decode_c6_demotion_policy_msr(void)
 
 void process_cpuid()
 {
-	unsigned int eax, ebx, ecx, edx, max_level, max_extended_level;
-	unsigned int fms, family, model, stepping;
+	unsigned int eax, ebx, ecx, edx;
+	unsigned int fms, family, model, stepping, ecx_flags, edx_flags;
 	unsigned int has_turbo;
 
 	eax = ebx = ecx = edx = 0;
 
 	__cpuid(0, max_level, ebx, ecx, edx);
 
-	if (ebx == 0x756e6547 && edx == 0x49656e69 && ecx == 0x6c65746e)
+	if (ebx == 0x756e6547 && ecx == 0x6c65746e && edx == 0x49656e69)
 		genuine_intel = 1;
+	else if (ebx == 0x68747541 && ecx == 0x444d4163 && edx == 0x69746e65)
+		authentic_amd = 1;
 
 	if (!quiet)
 		fprintf(outf, "CPUID(0): %.4s%.4s%.4s ",
@@ -4462,25 +4487,8 @@ void process_cpuid()
 		family += (fms >> 20) & 0xff;
 	if (family >= 6)
 		model += ((fms >> 16) & 0xf) << 4;
-
-	if (!quiet) {
-		fprintf(outf, "%d CPUID levels; family:model:stepping 0x%x:%x:%x (%d:%d:%d)\n",
-			max_level, family, model, stepping, family, model, stepping);
-		fprintf(outf, "CPUID(1): %s %s %s %s %s %s %s %s %s %s\n",
-			ecx & (1 << 0) ? "SSE3" : "-",
-			ecx & (1 << 3) ? "MONITOR" : "-",
-			ecx & (1 << 6) ? "SMX" : "-",
-			ecx & (1 << 7) ? "EIST" : "-",
-			ecx & (1 << 8) ? "TM2" : "-",
-			edx & (1 << 4) ? "TSC" : "-",
-			edx & (1 << 5) ? "MSR" : "-",
-			edx & (1 << 22) ? "ACPI-TM" : "-",
-			edx & (1 << 28) ? "HT" : "-",
-			edx & (1 << 29) ? "TM" : "-");
-	}
-
-	if (!(edx & (1 << 5)))
-		errx(1, "CPUID: no MSR");
+	ecx_flags = ecx;
+	edx_flags = edx;
 
 	/*
 	 * check max extended function levels of CPUID.
@@ -4490,6 +4498,25 @@ void process_cpuid()
 	ebx = ecx = edx = 0;
 	__cpuid(0x80000000, max_extended_level, ebx, ecx, edx);
 
+	if (!quiet) {
+		fprintf(outf, "0x%x CPUID levels; 0x%x xlevels; family:model:stepping 0x%x:%x:%x (%d:%d:%d)\n",
+			max_level, max_extended_level, family, model, stepping, family, model, stepping);
+		fprintf(outf, "CPUID(1): %s %s %s %s %s %s %s %s %s %s\n",
+			ecx_flags & (1 << 0) ? "SSE3" : "-",
+			ecx_flags & (1 << 3) ? "MONITOR" : "-",
+			ecx_flags & (1 << 6) ? "SMX" : "-",
+			ecx_flags & (1 << 7) ? "EIST" : "-",
+			ecx_flags & (1 << 8) ? "TM2" : "-",
+			edx_flags & (1 << 4) ? "TSC" : "-",
+			edx_flags & (1 << 5) ? "MSR" : "-",
+			edx_flags & (1 << 22) ? "ACPI-TM" : "-",
+			edx_flags & (1 << 28) ? "HT" : "-",
+			edx_flags & (1 << 29) ? "TM" : "-");
+	}
+
+	if (!(edx_flags & (1 << 5)))
+		errx(1, "CPUID: no MSR");
+
 	if (max_extended_level >= 0x80000007) {
 
 		/*
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 195/306] mm: handle no memcg case in memcg_kmem_charge() properly
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 194/306] tools/power turbosat: fix AMD APIC-id output Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 196/306] ocfs2: without quota support, avoid calling quota recovery Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roman Gushchin, Mike Galbraith,
	Rik van Riel, Michal Hocko, Johannes Weiner, Vladimir Davydov,
	Shakeel Butt, Andrew Morton, Linus Torvalds, Sasha Levin

From: Roman Gushchin <guro@fb.com>

[ Upstream commit e68599a3c3ad0f3171a7cb4e48aa6f9a69381902 ]

Mike Galbraith reported a regression caused by the commit 9b6f7e163cd0
("mm: rework memcg kernel stack accounting") on a system with
"cgroup_disable=memory" boot option: the system panics with the following
stack trace:

  BUG: unable to handle kernel NULL pointer dereference at 00000000000000f8
  PGD 0 P4D 0
  Oops: 0002 [#1] PREEMPT SMP PTI
  CPU: 0 PID: 1 Comm: systemd Not tainted 4.19.0-preempt+ #410
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180531_142017-buildhw-08.phx2.fed4
  RIP: 0010:page_counter_try_charge+0x22/0xc0
  Code: 41 5d c3 c3 0f 1f 40 00 0f 1f 44 00 00 48 85 ff 0f 84 a7 00 00 00 41 56 48 89 f8 49 89 fe 49
  Call Trace:
   try_charge+0xcb/0x780
   memcg_kmem_charge_memcg+0x28/0x80
   memcg_kmem_charge+0x8b/0x1d0
   copy_process.part.41+0x1ca/0x2070
   _do_fork+0xd7/0x3d0
   do_syscall_64+0x5a/0x180
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

The problem occurs because get_mem_cgroup_from_current() returns the NULL
pointer if memory controller is disabled.  Let's check if this is a case
at the beginning of memcg_kmem_charge() and just return 0 if
mem_cgroup_disabled() returns true.  This is how we handle this case in
many other places in the memory controller code.

Link: http://lkml.kernel.org/r/20181029215123.17830-1-guro@fb.com
Fixes: 9b6f7e163cd0 ("mm: rework memcg kernel stack accounting")
Signed-off-by: Roman Gushchin <guro@fb.com>
Reported-by: Mike Galbraith <efault@gmx.de>
Acked-by: Rik van Riel <riel@surriel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: Shakeel Butt <shakeelb@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/memcontrol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 5af38d8a9afd3..3a3d109dce215 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -2678,7 +2678,7 @@ int memcg_kmem_charge(struct page *page, gfp_t gfp, int order)
 	struct mem_cgroup *memcg;
 	int ret = 0;
 
-	if (memcg_kmem_bypass())
+	if (mem_cgroup_disabled() || memcg_kmem_bypass())
 		return 0;
 
 	memcg = get_mem_cgroup_from_current();
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 196/306] ocfs2: without quota support, avoid calling quota recovery
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 195/306] mm: handle no memcg case in memcg_kmem_charge() properly Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 197/306] ocfs2: dont use iocb when EIOCBQUEUED returns Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, guozhonghua, Jan Kara, Mark Fasheh,
	Joel Becker, Junxiao Bi, Joseph Qi, Changwei Ge, Andrew Morton,
	Linus Torvalds, Sasha Levin

From: Guozhonghua <guozhonghua@h3c.com>

[ Upstream commit 21158ca85b73ddd0088076a5209cfd040513a8b5 ]

During one dead node's recovery by other node, quota recovery work will
be queued.  We should avoid calling quota when it is not supported, so
check the quota flags.

Link: http://lkml.kernel.org/r/71604351584F6A4EBAE558C676F37CA401071AC9FB@H3CMLB12-EX.srv.huawei-3com.com
Signed-off-by: guozhonghua <guozhonghua@h3c.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <ge.changwei@h3c.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/journal.c | 51 ++++++++++++++++++++++++++++++----------------
 1 file changed, 34 insertions(+), 17 deletions(-)

diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c
index c492cbb2410f6..babb0ec76d676 100644
--- a/fs/ocfs2/journal.c
+++ b/fs/ocfs2/journal.c
@@ -1379,15 +1379,23 @@ static int __ocfs2_recovery_thread(void *arg)
 	int rm_quota_used = 0, i;
 	struct ocfs2_quota_recovery *qrec;
 
+	/* Whether the quota supported. */
+	int quota_enabled = OCFS2_HAS_RO_COMPAT_FEATURE(osb->sb,
+			OCFS2_FEATURE_RO_COMPAT_USRQUOTA)
+		|| OCFS2_HAS_RO_COMPAT_FEATURE(osb->sb,
+			OCFS2_FEATURE_RO_COMPAT_GRPQUOTA);
+
 	status = ocfs2_wait_on_mount(osb);
 	if (status < 0) {
 		goto bail;
 	}
 
-	rm_quota = kcalloc(osb->max_slots, sizeof(int), GFP_NOFS);
-	if (!rm_quota) {
-		status = -ENOMEM;
-		goto bail;
+	if (quota_enabled) {
+		rm_quota = kcalloc(osb->max_slots, sizeof(int), GFP_NOFS);
+		if (!rm_quota) {
+			status = -ENOMEM;
+			goto bail;
+		}
 	}
 restart:
 	status = ocfs2_super_lock(osb, 1);
@@ -1423,9 +1431,14 @@ static int __ocfs2_recovery_thread(void *arg)
 		 * then quota usage would be out of sync until some node takes
 		 * the slot. So we remember which nodes need quota recovery
 		 * and when everything else is done, we recover quotas. */
-		for (i = 0; i < rm_quota_used && rm_quota[i] != slot_num; i++);
-		if (i == rm_quota_used)
-			rm_quota[rm_quota_used++] = slot_num;
+		if (quota_enabled) {
+			for (i = 0; i < rm_quota_used
+					&& rm_quota[i] != slot_num; i++)
+				;
+
+			if (i == rm_quota_used)
+				rm_quota[rm_quota_used++] = slot_num;
+		}
 
 		status = ocfs2_recover_node(osb, node_num, slot_num);
 skip_recovery:
@@ -1453,16 +1466,19 @@ static int __ocfs2_recovery_thread(void *arg)
 	/* Now it is right time to recover quotas... We have to do this under
 	 * superblock lock so that no one can start using the slot (and crash)
 	 * before we recover it */
-	for (i = 0; i < rm_quota_used; i++) {
-		qrec = ocfs2_begin_quota_recovery(osb, rm_quota[i]);
-		if (IS_ERR(qrec)) {
-			status = PTR_ERR(qrec);
-			mlog_errno(status);
-			continue;
+	if (quota_enabled) {
+		for (i = 0; i < rm_quota_used; i++) {
+			qrec = ocfs2_begin_quota_recovery(osb, rm_quota[i]);
+			if (IS_ERR(qrec)) {
+				status = PTR_ERR(qrec);
+				mlog_errno(status);
+				continue;
+			}
+			ocfs2_queue_recovery_completion(osb->journal,
+					rm_quota[i],
+					NULL, NULL, qrec,
+					ORPHAN_NEED_TRUNCATE);
 		}
-		ocfs2_queue_recovery_completion(osb->journal, rm_quota[i],
-						NULL, NULL, qrec,
-						ORPHAN_NEED_TRUNCATE);
 	}
 
 	ocfs2_super_unlock(osb, 1);
@@ -1484,7 +1500,8 @@ static int __ocfs2_recovery_thread(void *arg)
 
 	mutex_unlock(&osb->recovery_lock);
 
-	kfree(rm_quota);
+	if (quota_enabled)
+		kfree(rm_quota);
 
 	/* no one is callint kthread_stop() for us so the kthread() api
 	 * requires that we call do_exit().  And it isn't exported, but
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 197/306] ocfs2: dont use iocb when EIOCBQUEUED returns
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 196/306] ocfs2: without quota support, avoid calling quota recovery Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 198/306] ocfs2: dont put and assigning null to bh allocated outside Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Changwei Ge, Andrew Morton,
	Mark Fasheh, Joel Becker, Junxiao Bi, Joseph Qi, Linus Torvalds,
	Sasha Levin

From: Changwei Ge <ge.changwei@h3c.com>

[ Upstream commit 9e985787750db8aae87f02b67e908f28ac4d6b83 ]

When -EIOCBQUEUED returns, it means that aio_complete() will be called
from dio_complete(), which is an asynchronous progress against
write_iter.  Generally, IO is a very slow progress than executing
instruction, but we still can't take the risk to access a freed iocb.

And we do face a BUG crash issue.  Using the crash tool, iocb is
obviously freed already.

  crash> struct -x kiocb ffff881a350f5900
  struct kiocb {
    ki_filp = 0xffff881a350f5a80,
    ki_pos = 0x0,
    ki_complete = 0x0,
    private = 0x0,
    ki_flags = 0x0
  }

And the backtrace shows:
  ocfs2_file_write_iter+0xcaa/0xd00 [ocfs2]
  aio_run_iocb+0x229/0x2f0
  do_io_submit+0x291/0x540
  SyS_io_submit+0x10/0x20
  system_call_fastpath+0x16/0x75

Link: http://lkml.kernel.org/r/1523361653-14439-1-git-send-email-ge.changwei@h3c.com
Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/file.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
index a847fe52c56ee..a3e077fcfeb9b 100644
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -2389,7 +2389,7 @@ static ssize_t ocfs2_file_write_iter(struct kiocb *iocb,
 
 	written = __generic_file_write_iter(iocb, from);
 	/* buffered aio wouldn't have proper lock coverage today */
-	BUG_ON(written == -EIOCBQUEUED && !(iocb->ki_flags & IOCB_DIRECT));
+	BUG_ON(written == -EIOCBQUEUED && !direct_io);
 
 	/*
 	 * deep in g_f_a_w_n()->ocfs2_direct_IO we pass in a ocfs2_dio_end_io
@@ -2509,7 +2509,7 @@ static ssize_t ocfs2_file_read_iter(struct kiocb *iocb,
 	trace_generic_file_read_iter_ret(ret);
 
 	/* buffered aio wouldn't have proper lock coverage today */
-	BUG_ON(ret == -EIOCBQUEUED && !(iocb->ki_flags & IOCB_DIRECT));
+	BUG_ON(ret == -EIOCBQUEUED && !direct_io);
 
 	/* see ocfs2_file_write_iter */
 	if (ret == -EIOCBQUEUED || !ocfs2_iocb_is_rw_locked(iocb)) {
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 198/306] ocfs2: dont put and assigning null to bh allocated outside
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 197/306] ocfs2: dont use iocb when EIOCBQUEUED returns Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 199/306] ocfs2: fix clusters leak in ocfs2_defrag_extent() Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Changwei Ge, Guozhonghua,
	Mark Fasheh, Joel Becker, Junxiao Bi, Joseph Qi, Andrew Morton,
	Linus Torvalds, Sasha Levin

From: Changwei Ge <ge.changwei@h3c.com>

[ Upstream commit cf76c78595ca87548ca5e45c862ac9e0949c4687 ]

ocfs2_read_blocks() and ocfs2_read_blocks_sync() are both used to read
several blocks from disk.  Currently, the input argument *bhs* can be
NULL or NOT.  It depends on the caller's behavior.  If the function
fails in reading blocks from disk, the corresponding bh will be assigned
to NULL and put.

Obviously, above process for non-NULL input bh is not appropriate.
Because the caller doesn't even know its bhs are put and re-assigned.

If buffer head is managed by caller, ocfs2_read_blocks and
ocfs2_read_blocks_sync() should not evaluate it to NULL.  It will cause
caller accessing illegal memory, thus crash.

Link: http://lkml.kernel.org/r/HK2PR06MB045285E0F4FBB561F9F2F9B3D5680@HK2PR06MB0452.apcprd06.prod.outlook.com
Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
Reviewed-by: Guozhonghua <guozhonghua@h3c.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <ge.changwei@h3c.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/buffer_head_io.c | 77 ++++++++++++++++++++++++++++++---------
 1 file changed, 59 insertions(+), 18 deletions(-)

diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index 9f8250df99f1f..f9b84f7a3e4bb 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -99,25 +99,34 @@ int ocfs2_write_block(struct ocfs2_super *osb, struct buffer_head *bh,
 	return ret;
 }
 
+/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it
+ * will be easier to handle read failure.
+ */
 int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
 			   unsigned int nr, struct buffer_head *bhs[])
 {
 	int status = 0;
 	unsigned int i;
 	struct buffer_head *bh;
+	int new_bh = 0;
 
 	trace_ocfs2_read_blocks_sync((unsigned long long)block, nr);
 
 	if (!nr)
 		goto bail;
 
+	/* Don't put buffer head and re-assign it to NULL if it is allocated
+	 * outside since the caller can't be aware of this alternation!
+	 */
+	new_bh = (bhs[0] == NULL);
+
 	for (i = 0 ; i < nr ; i++) {
 		if (bhs[i] == NULL) {
 			bhs[i] = sb_getblk(osb->sb, block++);
 			if (bhs[i] == NULL) {
 				status = -ENOMEM;
 				mlog_errno(status);
-				goto bail;
+				break;
 			}
 		}
 		bh = bhs[i];
@@ -157,9 +166,26 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
 		submit_bh(REQ_OP_READ, 0, bh);
 	}
 
+read_failure:
 	for (i = nr; i > 0; i--) {
 		bh = bhs[i - 1];
 
+		if (unlikely(status)) {
+			if (new_bh && bh) {
+				/* If middle bh fails, let previous bh
+				 * finish its read and then put it to
+				 * aovoid bh leak
+				 */
+				if (!buffer_jbd(bh))
+					wait_on_buffer(bh);
+				put_bh(bh);
+				bhs[i - 1] = NULL;
+			} else if (bh && buffer_uptodate(bh)) {
+				clear_buffer_uptodate(bh);
+			}
+			continue;
+		}
+
 		/* No need to wait on the buffer if it's managed by JBD. */
 		if (!buffer_jbd(bh))
 			wait_on_buffer(bh);
@@ -169,8 +195,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
 			 * so we can safely record this and loop back
 			 * to cleanup the other buffers. */
 			status = -EIO;
-			put_bh(bh);
-			bhs[i - 1] = NULL;
+			goto read_failure;
 		}
 	}
 
@@ -178,6 +203,9 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
 	return status;
 }
 
+/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it
+ * will be easier to handle read failure.
+ */
 int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 		      struct buffer_head *bhs[], int flags,
 		      int (*validate)(struct super_block *sb,
@@ -187,6 +215,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 	int i, ignore_cache = 0;
 	struct buffer_head *bh;
 	struct super_block *sb = ocfs2_metadata_cache_get_super(ci);
+	int new_bh = 0;
 
 	trace_ocfs2_read_blocks_begin(ci, (unsigned long long)block, nr, flags);
 
@@ -212,6 +241,11 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 		goto bail;
 	}
 
+	/* Don't put buffer head and re-assign it to NULL if it is allocated
+	 * outside since the caller can't be aware of this alternation!
+	 */
+	new_bh = (bhs[0] == NULL);
+
 	ocfs2_metadata_cache_io_lock(ci);
 	for (i = 0 ; i < nr ; i++) {
 		if (bhs[i] == NULL) {
@@ -220,7 +254,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 				ocfs2_metadata_cache_io_unlock(ci);
 				status = -ENOMEM;
 				mlog_errno(status);
-				goto bail;
+				/* Don't forget to put previous bh! */
+				break;
 			}
 		}
 		bh = bhs[i];
@@ -314,16 +349,27 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 		}
 	}
 
-	status = 0;
-
+read_failure:
 	for (i = (nr - 1); i >= 0; i--) {
 		bh = bhs[i];
 
 		if (!(flags & OCFS2_BH_READAHEAD)) {
-			if (status) {
-				/* Clear the rest of the buffers on error */
-				put_bh(bh);
-				bhs[i] = NULL;
+			if (unlikely(status)) {
+				/* Clear the buffers on error including those
+				 * ever succeeded in reading
+				 */
+				if (new_bh && bh) {
+					/* If middle bh fails, let previous bh
+					 * finish its read and then put it to
+					 * aovoid bh leak
+					 */
+					if (!buffer_jbd(bh))
+						wait_on_buffer(bh);
+					put_bh(bh);
+					bhs[i] = NULL;
+				} else if (bh && buffer_uptodate(bh)) {
+					clear_buffer_uptodate(bh);
+				}
 				continue;
 			}
 			/* We know this can't have changed as we hold the
@@ -341,9 +387,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 				 * uptodate. */
 				status = -EIO;
 				clear_buffer_needs_validate(bh);
-				put_bh(bh);
-				bhs[i] = NULL;
-				continue;
+				goto read_failure;
 			}
 
 			if (buffer_needs_validate(bh)) {
@@ -353,11 +397,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 				BUG_ON(buffer_jbd(bh));
 				clear_buffer_needs_validate(bh);
 				status = validate(sb, bh);
-				if (status) {
-					put_bh(bh);
-					bhs[i] = NULL;
-					continue;
-				}
+				if (status)
+					goto read_failure;
 			}
 		}
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 199/306] ocfs2: fix clusters leak in ocfs2_defrag_extent()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 198/306] ocfs2: dont put and assigning null to bh allocated outside Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 200/306] net: do not abort bulk send on BQL status Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Larry Chen, Andrew Morton,
	Mark Fasheh, Joel Becker, Junxiao Bi, Joseph Qi, Changwei Ge,
	Linus Torvalds, Sasha Levin

From: Larry Chen <lchen@suse.com>

[ Upstream commit 6194ae4242dec0c9d604bc05df83aa9260a899e4 ]

ocfs2_defrag_extent() might leak allocated clusters.  When the file
system has insufficient space, the number of claimed clusters might be
less than the caller wants.  If that happens, the original code might
directly commit the transaction without returning clusters.

This patch is based on code in ocfs2_add_clusters_in_btree().

[akpm@linux-foundation.org: include localalloc.h, reduce scope of data_ac]
Link: http://lkml.kernel.org/r/20180904041621.16874-3-lchen@suse.com
Signed-off-by: Larry Chen <lchen@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <ge.changwei@h3c.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/move_extents.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index f55f82ca34250..1565dd8e8856e 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -25,6 +25,7 @@
 #include "ocfs2_ioctl.h"
 
 #include "alloc.h"
+#include "localalloc.h"
 #include "aops.h"
 #include "dlmglue.h"
 #include "extent_map.h"
@@ -222,6 +223,7 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
 	struct ocfs2_refcount_tree *ref_tree = NULL;
 	u32 new_phys_cpos, new_len;
 	u64 phys_blkno = ocfs2_clusters_to_blocks(inode->i_sb, phys_cpos);
+	int need_free = 0;
 
 	if ((ext_flags & OCFS2_EXT_REFCOUNTED) && *len) {
 		BUG_ON(!ocfs2_is_refcount_inode(inode));
@@ -312,6 +314,7 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
 		if (!partial) {
 			context->range->me_flags &= ~OCFS2_MOVE_EXT_FL_COMPLETE;
 			ret = -ENOSPC;
+			need_free = 1;
 			goto out_commit;
 		}
 	}
@@ -336,6 +339,20 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
 		mlog_errno(ret);
 
 out_commit:
+	if (need_free && context->data_ac) {
+		struct ocfs2_alloc_context *data_ac = context->data_ac;
+
+		if (context->data_ac->ac_which == OCFS2_AC_USE_LOCAL)
+			ocfs2_free_local_alloc_bits(osb, handle, data_ac,
+					new_phys_cpos, new_len);
+		else
+			ocfs2_free_clusters(handle,
+					data_ac->ac_inode,
+					data_ac->ac_bh,
+					ocfs2_clusters_to_blocks(osb->sb, new_phys_cpos),
+					new_len);
+	}
+
 	ocfs2_commit_trans(osb, handle);
 
 out_unlock_mutex:
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 200/306] net: do not abort bulk send on BQL status
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 199/306] ocfs2: fix clusters leak in ocfs2_defrag_extent() Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 201/306] sched/topology: Fix off by one bug Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit fe60faa5063822f2d555f4f326c7dd72a60929bf ]

Before calling dev_hard_start_xmit(), upper layers tried
to cook optimal skb list based on BQL budget.

Problem is that GSO packets can end up comsuming more than
the BQL budget.

Breaking the loop is not useful, since requeued packets
are ahead of any packets still in the qdisc.

It is also more expensive, since next TX completion will
push these packets later, while skbs are not in cpu caches.

It is also a behavior difference with TSO packets, that can
break the BQL limit by a large amount.

Note that drivers should use __netdev_tx_sent_queue()
in order to have optimal xmit_more support, and avoid
useless atomic operations as shown in the following patch.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index e96c88b1465d7..91179febdeee1 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3277,7 +3277,7 @@ struct sk_buff *dev_hard_start_xmit(struct sk_buff *first, struct net_device *de
 		}
 
 		skb = next;
-		if (netif_xmit_stopped(txq) && skb) {
+		if (netif_tx_queue_stopped(txq) && skb) {
 			rc = NETDEV_TX_BUSY;
 			break;
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 201/306] sched/topology: Fix off by one bug
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 200/306] net: do not abort bulk send on BQL status Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 202/306] sched/fair: Dont increase sd->balance_interval on newidle balance Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra (Intel),
	Linus Torvalds, Thomas Gleixner, Ingo Molnar, Sasha Levin

From: Peter Zijlstra <peterz@infradead.org>

[ Upstream commit 993f0b0510dad98b4e6e39506834dab0d13fd539 ]

With the addition of the NUMA identity level, we increased @level by
one and will run off the end of the array in the distance sort loop.

Fixed: 051f3ca02e46 ("sched/topology: Introduce NUMA identity node sched domain")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/topology.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c
index c0a7514649715..74b694392f2fd 100644
--- a/kernel/sched/topology.c
+++ b/kernel/sched/topology.c
@@ -1329,7 +1329,7 @@ void sched_init_numa(void)
 	int level = 0;
 	int i, j, k;
 
-	sched_domains_numa_distance = kzalloc(sizeof(int) * nr_node_ids, GFP_KERNEL);
+	sched_domains_numa_distance = kzalloc(sizeof(int) * (nr_node_ids + 1), GFP_KERNEL);
 	if (!sched_domains_numa_distance)
 		return;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 202/306] sched/fair: Dont increase sd->balance_interval on newidle balance
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 201/306] sched/topology: Fix off by one bug Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 203/306] openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Valentin Schneider,
	Peter Zijlstra (Intel),
	Dietmar.Eggemann, Linus Torvalds, Thomas Gleixner,
	patrick.bellasi, vincent.guittot, Ingo Molnar, Sasha Levin

From: Valentin Schneider <valentin.schneider@arm.com>

[ Upstream commit 3f130a37c442d5c4d66531b240ebe9abfef426b5 ]

When load_balance() fails to move some load because of task affinity,
we end up increasing sd->balance_interval to delay the next periodic
balance in the hopes that next time we look, that annoying pinned
task(s) will be gone.

However, idle_balance() pays no attention to sd->balance_interval, yet
it will still lead to an increase in balance_interval in case of
pinned tasks.

If we're going through several newidle balances (e.g. we have a
periodic task), this can lead to a huge increase of the
balance_interval in a very small amount of time.

To prevent that, don't increase the balance interval when going
through a newidle balance.

This is a similar approach to what is done in commit 58b26c4c0257
("sched: Increment cache_nice_tries only on periodic lb"), where we
disregard newidle balance and rely on periodic balance for more stable
results.

Signed-off-by: Valentin Schneider <valentin.schneider@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Dietmar.Eggemann@arm.com
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: patrick.bellasi@arm.com
Cc: vincent.guittot@linaro.org
Link: http://lkml.kernel.org/r/1537974727-30788-2-git-send-email-valentin.schneider@arm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/fair.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index e5e8f67218728..f77fcd37b226f 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -8819,13 +8819,22 @@ static int load_balance(int this_cpu, struct rq *this_rq,
 	sd->nr_balance_failed = 0;
 
 out_one_pinned:
+	ld_moved = 0;
+
+	/*
+	 * idle_balance() disregards balance intervals, so we could repeatedly
+	 * reach this code, which would lead to balance_interval skyrocketting
+	 * in a short amount of time. Skip the balance_interval increase logic
+	 * to avoid that.
+	 */
+	if (env.idle == CPU_NEWLY_IDLE)
+		goto out;
+
 	/* tune up the balancing interval */
 	if (((env.flags & LBF_ALL_PINNED) &&
 			sd->balance_interval < MAX_PINNED_INTERVAL) ||
 			(sd->balance_interval < sd->max_interval))
 		sd->balance_interval *= 2;
-
-	ld_moved = 0;
 out:
 	return ld_moved;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 203/306] openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 202/306] sched/fair: Dont increase sd->balance_interval on newidle balance Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 204/306] ARM: dts: imx6sx-sdb: Fix enet phy regulator Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, David S. Miller, Sasha Levin

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit a277d516de5f498c91d91189717ef7e01102ad27 ]

When CONFIG_CC_OPTIMIZE_FOR_DEBUGGING is enabled, the compiler
fails to optimize out a dead code path, which leads to a link failure:

net/openvswitch/conntrack.o: In function `ovs_ct_set_labels':
conntrack.c:(.text+0x2e60): undefined reference to `nf_connlabels_replace'

In this configuration, we can take a shortcut, and completely
remove the contrack label code. This may also help the regular
optimization.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/openvswitch/conntrack.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 35ae64cbef33f..46aa1aa51db41 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1199,7 +1199,8 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
 					 &info->labels.mask);
 		if (err)
 			return err;
-	} else if (labels_nonzero(&info->labels.mask)) {
+	} else if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
+		   labels_nonzero(&info->labels.mask)) {
 		err = ovs_ct_set_labels(ct, key, &info->labels.value,
 					&info->labels.mask);
 		if (err)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 204/306] ARM: dts: imx6sx-sdb: Fix enet phy regulator
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 203/306] openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 205/306] clk: sunxi-ng: enable so-said LDOs for A64 SoCs pll-mipi clock Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leonard Crestez, Shawn Guo, Sasha Levin

From: Leonard Crestez <leonard.crestez@nxp.com>

[ Upstream commit 1ad9fb750a104f51851c092edd7b3553f0218428 ]

Bindings for "fixed-regulator" only explicitly support "gpio" property,
not "gpios". Fix by correcting the property name.

The enet PHYs on imx6sx-sdb needs to be explicitly reset after a power
cycle, this can be handled by the phy-reset-gpios property. Sadly this
is not handled on suspend: the fec driver turns phy-supply off but
doesn't assert phy-reset-gpios again on resume.

Since additional phy-level work is required to support powering off the
phy in suspend fix the problem by just marking the regulator as
"boot-on" "always-on" so that it's never turned off. This behavior is
equivalent to older releases.

Keep the phy-reset-gpios property on fec anyway because it is a correct
description of board design.

This issue was exposed by commit efdfeb079cc3 ("regulator: fixed:
Convert to use GPIO descriptor only") which causes the "gpios" property
to also be parsed. Before that commit the "gpios" property had no
effect, PHY reset was only handled in the the bootloader.

This fixes linux-next boot failures previously reported here:
 https://lore.kernel.org/patchwork/patch/982437/#1177900
 https://lore.kernel.org/patchwork/patch/994091/#1178304

Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx6sx-sdb.dtsi | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/imx6sx-sdb.dtsi b/arch/arm/boot/dts/imx6sx-sdb.dtsi
index f8f31872fa144..d6d517e4922ff 100644
--- a/arch/arm/boot/dts/imx6sx-sdb.dtsi
+++ b/arch/arm/boot/dts/imx6sx-sdb.dtsi
@@ -115,7 +115,9 @@
 		regulator-name = "enet_3v3";
 		regulator-min-microvolt = <3300000>;
 		regulator-max-microvolt = <3300000>;
-		gpios = <&gpio2 6 GPIO_ACTIVE_LOW>;
+		gpio = <&gpio2 6 GPIO_ACTIVE_LOW>;
+		regulator-boot-on;
+		regulator-always-on;
 	};
 
 	reg_pcie_gpio: regulator-pcie-gpio {
@@ -178,6 +180,7 @@
 	phy-supply = <&reg_enet_3v3>;
 	phy-mode = "rgmii";
 	phy-handle = <&ethphy1>;
+	phy-reset-gpios = <&gpio2 7 GPIO_ACTIVE_LOW>;
 	status = "okay";
 
 	mdio {
@@ -371,6 +374,8 @@
 				MX6SX_PAD_RGMII1_RD3__ENET1_RX_DATA_3	0x3081
 				MX6SX_PAD_RGMII1_RX_CTL__ENET1_RX_EN	0x3081
 				MX6SX_PAD_ENET2_RX_CLK__ENET2_REF_CLK_25M	0x91
+				/* phy reset */
+				MX6SX_PAD_ENET2_CRS__GPIO2_IO_7		0x10b0
 			>;
 		};
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 205/306] clk: sunxi-ng: enable so-said LDOs for A64 SoCs pll-mipi clock
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 204/306] ARM: dts: imx6sx-sdb: Fix enet phy regulator Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 206/306] soc: bcm: brcmstb: Fix re-entry point with a THUMB2_KERNEL Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Icenowy Zheng, Maxime Ripard, Sasha Levin

From: Icenowy Zheng <icenowy@aosc.io>

[ Upstream commit 859783d1390035e29ba850963bded2b4ffdf43b5 ]

In the user manual of A64 SoC, the bit 22 and 23 of pll-mipi control
register is called "LDO{1,2}_EN", and according to the BSP source code
from Allwinner , the LDOs are enabled during the clock's enabling
process.

The clock failed to generate output if the two LDOs are not enabled.

Add the two bits to the clock's gate bits, so that the LDOs are enabled
when the PLL is enabled.

Fixes: c6a0637460c2 ("clk: sunxi-ng: Add A64 clocks")
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/sunxi-ng/ccu-sun50i-a64.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
index ee9c12cf3f08c..2a60981799216 100644
--- a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
+++ b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
@@ -158,7 +158,12 @@ static SUNXI_CCU_NM_WITH_FRAC_GATE_LOCK(pll_gpu_clk, "pll-gpu",
 #define SUN50I_A64_PLL_MIPI_REG		0x040
 
 static struct ccu_nkm pll_mipi_clk = {
-	.enable		= BIT(31),
+	/*
+	 * The bit 23 and 22 are called "LDO{1,2}_EN" on the SoC's
+	 * user manual, and by experiments the PLL doesn't work without
+	 * these bits toggled.
+	 */
+	.enable		= BIT(31) | BIT(23) | BIT(22),
 	.lock		= BIT(28),
 	.n		= _SUNXI_CCU_MULT(8, 4),
 	.k		= _SUNXI_CCU_MULT_MIN(4, 2, 2),
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 206/306] soc: bcm: brcmstb: Fix re-entry point with a THUMB2_KERNEL
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 205/306] clk: sunxi-ng: enable so-said LDOs for A64 SoCs pll-mipi clock Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 207/306] audit: print empty EXECVE args Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Sasha Levin

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit fb14ada11d62fb849fc357a25ef8016ba438ba10 ]

When the kernel is built with CONFIG_THUMB2_KERNEL we would set the
kernel's resume entry point to be a function that is already built as
Thumb-2 code while the boot agent doing the resume is in ARM mode, so
this does not work. There is a header label defined: cpu_resume_arm
which we can use to do the switching for us.

Fixes: 0b741b8234c8 ("soc: bcm: brcmstb: Add support for S2/S3/S5 suspend states (ARM)")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/bcm/brcmstb/pm/pm-arm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/soc/bcm/brcmstb/pm/pm-arm.c b/drivers/soc/bcm/brcmstb/pm/pm-arm.c
index a5577dd5eb087..8ee06347447c0 100644
--- a/drivers/soc/bcm/brcmstb/pm/pm-arm.c
+++ b/drivers/soc/bcm/brcmstb/pm/pm-arm.c
@@ -404,7 +404,7 @@ noinline int brcmstb_pm_s3_finish(void)
 {
 	struct brcmstb_s3_params *params = ctrl.s3_params;
 	dma_addr_t params_pa = ctrl.s3_params_pa;
-	phys_addr_t reentry = virt_to_phys(&cpu_resume);
+	phys_addr_t reentry = virt_to_phys(&cpu_resume_arm);
 	enum bsp_initiate_command cmd;
 	u32 flags;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 207/306] audit: print empty EXECVE args
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 206/306] soc: bcm: brcmstb: Fix re-entry point with a THUMB2_KERNEL Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 208/306] sock_diag: fix autoloading of the raw_diag module Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Richard Guy Briggs, Paul Moore, Sasha Levin

From: Richard Guy Briggs <rgb@redhat.com>

[ Upstream commit ea956d8be91edc702a98b7fe1f9463e7ca8c42ab ]

Empty executable arguments were being skipped when printing out the list
of arguments in an EXECVE record, making it appear they were somehow
lost.  Include empty arguments as an itemized empty string.

Reproducer:
	autrace /bin/ls "" "/etc"
	ausearch --start recent -m execve -i | grep EXECVE
	type=EXECVE msg=audit(10/03/2018 13:04:03.208:1391) : argc=3 a0=/bin/ls a2=/etc

With fix:
	type=EXECVE msg=audit(10/03/2018 21:51:38.290:194) : argc=3 a0=/bin/ls a1= a2=/etc
	type=EXECVE msg=audit(1538617898.290:194): argc=3 a0="/bin/ls" a1="" a2="/etc"

Passes audit-testsuite.  GH issue tracker at
https://github.com/linux-audit/audit-kernel/issues/99

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: cleaned up the commit metadata]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f043f17fb..1513873e23bd1 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1107,7 +1107,7 @@ static void audit_log_execve_info(struct audit_context *context,
 		}
 
 		/* write as much as we can to the audit log */
-		if (len_buf > 0) {
+		if (len_buf >= 0) {
 			/* NOTE: some magic numbers here - basically if we
 			 *       can't fit a reasonable amount of data into the
 			 *       existing audit buffer, flush it and start with
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 208/306] sock_diag: fix autoloading of the raw_diag module
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 207/306] audit: print empty EXECVE args Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:30 ` [PATCH 4.19 209/306] net: bpfilter: fix iptables failure if bpfilter_umh is disabled Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cyrill Gorcunov, Xin Long,
	Andrei Vagin, David S. Miller, Sasha Levin

From: Andrei Vagin <avagin@gmail.com>

[ Upstream commit c34c1287778b080ed692c0a46a8e345206cc29e6 ]

IPPROTO_RAW isn't registred as an inet protocol, so
inet_protos[protocol] is always NULL for it.

Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Xin Long <lucien.xin@gmail.com>
Fixes: bf2ae2e4bf93 ("sock_diag: request _diag module only when the family or proto has been registered")
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/sock.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/sock.c b/net/core/sock.c
index 6c11078217769..ba4f843cdd1d1 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3347,6 +3347,7 @@ int sock_load_diag_module(int family, int protocol)
 
 #ifdef CONFIG_INET
 	if (family == AF_INET &&
+	    protocol != IPPROTO_RAW &&
 	    !rcu_access_pointer(inet_protos[protocol]))
 		return -ENOENT;
 #endif
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 209/306] net: bpfilter: fix iptables failure if bpfilter_umh is disabled
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 208/306] sock_diag: fix autoloading of the raw_diag module Greg Kroah-Hartman
@ 2019-11-27 20:30 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 210/306] nds32: Fix bug in bitfield.h Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Taehee Yoo, David S. Miller, Sasha Levin

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit 97adaddaa6db7a8af81b9b11e30cbe3628cd6700 ]

When iptables command is executed, ip_{set/get}sockopt() try to upload
bpfilter.ko if bpfilter is enabled. if it couldn't find bpfilter.ko,
command is failed.
bpfilter.ko is generated if CONFIG_BPFILTER_UMH is enabled.
ip_{set/get}sockopt() only checks CONFIG_BPFILTER.
So that if CONFIG_BPFILTER is enabled and CONFIG_BPFILTER_UMH is disabled,
iptables command is always failed.

test config:
   CONFIG_BPFILTER=y
   # CONFIG_BPFILTER_UMH is not set

test command:
   %iptables -L
   iptables: No chain/target/match by that name.

Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_sockglue.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index b7a26120d5521..82f341e84faec 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1244,7 +1244,7 @@ int ip_setsockopt(struct sock *sk, int level,
 		return -ENOPROTOOPT;
 
 	err = do_ip_setsockopt(sk, level, optname, optval, optlen);
-#ifdef CONFIG_BPFILTER
+#if IS_ENABLED(CONFIG_BPFILTER_UMH)
 	if (optname >= BPFILTER_IPT_SO_SET_REPLACE &&
 	    optname < BPFILTER_IPT_SET_MAX)
 		err = bpfilter_ip_set_sockopt(sk, optname, optval, optlen);
@@ -1557,7 +1557,7 @@ int ip_getsockopt(struct sock *sk, int level,
 	int err;
 
 	err = do_ip_getsockopt(sk, level, optname, optval, optlen, 0);
-#ifdef CONFIG_BPFILTER
+#if IS_ENABLED(CONFIG_BPFILTER_UMH)
 	if (optname >= BPFILTER_IPT_SO_GET_INFO &&
 	    optname < BPFILTER_IPT_GET_MAX)
 		err = bpfilter_ip_get_sockopt(sk, optname, optval, optlen);
@@ -1594,7 +1594,7 @@ int compat_ip_getsockopt(struct sock *sk, int level, int optname,
 	err = do_ip_getsockopt(sk, level, optname, optval, optlen,
 		MSG_CMSG_COMPAT);
 
-#ifdef CONFIG_BPFILTER
+#if IS_ENABLED(CONFIG_BPFILTER_UMH)
 	if (optname >= BPFILTER_IPT_SO_GET_INFO &&
 	    optname < BPFILTER_IPT_GET_MAX)
 		err = bpfilter_ip_get_sockopt(sk, optname, optval, optlen);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 210/306] nds32: Fix bug in bitfield.h
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2019-11-27 20:30 ` [PATCH 4.19 209/306] net: bpfilter: fix iptables failure if bpfilter_umh is disabled Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 211/306] media: ov13858: Check for possible null pointer Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nickhu, Greentime Hu, Sasha Levin

From: Nickhu <nickhu@andestech.com>

[ Upstream commit 9aaafac8cffa1c1edb66e19a63841b7c86be07ca ]

There two bitfield bug for perfomance counter
in bitfield.h:

	PFM_CTL_offSEL1		21 --> 16
	PFM_CTL_offSEL2		27 --> 22

This commit fix it.

Signed-off-by: Nickhu <nickhu@andestech.com>
Acked-by: Greentime Hu <greentime@andestech.com>
Signed-off-by: Greentime Hu <greentime@andestech.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/nds32/include/asm/bitfield.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/nds32/include/asm/bitfield.h b/arch/nds32/include/asm/bitfield.h
index 8e84fc385b946..19b2841219adf 100644
--- a/arch/nds32/include/asm/bitfield.h
+++ b/arch/nds32/include/asm/bitfield.h
@@ -692,8 +692,8 @@
 #define PFM_CTL_offKU1		13	/* Enable user mode event counting for PFMC1 */
 #define PFM_CTL_offKU2		14	/* Enable user mode event counting for PFMC2 */
 #define PFM_CTL_offSEL0		15	/* The event selection for PFMC0 */
-#define PFM_CTL_offSEL1		21	/* The event selection for PFMC1 */
-#define PFM_CTL_offSEL2		27	/* The event selection for PFMC2 */
+#define PFM_CTL_offSEL1		16	/* The event selection for PFMC1 */
+#define PFM_CTL_offSEL2		22	/* The event selection for PFMC2 */
 /* bit 28:31 reserved */
 
 #define PFM_CTL_mskEN0		( 0x01  << PFM_CTL_offEN0 )
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 211/306] media: ov13858: Check for possible null pointer
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 210/306] nds32: Fix bug in bitfield.h Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-12-03 10:22   ` Pavel Machek
  2019-11-27 20:31 ` [PATCH 4.19 212/306] btrfs: avoid link error with CONFIG_NO_AUTO_INLINE Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chiranjeevi Rapolu, Sakari Ailus,
	Mauro Carvalho Chehab, Sasha Levin

From: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>

[ Upstream commit 35629182eb8f931b0de6ed38c0efac58e922c801 ]

Check for possible null pointer to avoid crash.

Signed-off-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/ov13858.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/ov13858.c b/drivers/media/i2c/ov13858.c
index 0e7a85c4996c7..afd66d243403b 100644
--- a/drivers/media/i2c/ov13858.c
+++ b/drivers/media/i2c/ov13858.c
@@ -1612,7 +1612,8 @@ static int ov13858_init_controls(struct ov13858 *ov13858)
 				OV13858_NUM_OF_LINK_FREQS - 1,
 				0,
 				link_freq_menu_items);
-	ov13858->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY;
+	if (ov13858->link_freq)
+		ov13858->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY;
 
 	pixel_rate_max = link_freq_to_pixel_rate(link_freq_menu_items[0]);
 	pixel_rate_min = link_freq_to_pixel_rate(link_freq_menu_items[1]);
@@ -1635,7 +1636,8 @@ static int ov13858_init_controls(struct ov13858 *ov13858)
 	ov13858->hblank = v4l2_ctrl_new_std(
 				ctrl_hdlr, &ov13858_ctrl_ops, V4L2_CID_HBLANK,
 				hblank, hblank, 1, hblank);
-	ov13858->hblank->flags |= V4L2_CTRL_FLAG_READ_ONLY;
+	if (ov13858->hblank)
+		ov13858->hblank->flags |= V4L2_CTRL_FLAG_READ_ONLY;
 
 	exposure_max = mode->vts_def - 8;
 	ov13858->exposure = v4l2_ctrl_new_std(
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 212/306] btrfs: avoid link error with CONFIG_NO_AUTO_INLINE
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 211/306] media: ov13858: Check for possible null pointer Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 213/306] wil6210: fix debugfs memory access alignment Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, Changbin Du,
	Arnd Bergmann, David Sterba, Sasha Levin

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit 7e17916b35797396f681a3270245fd29c1e4c250 ]

Note: this patch fixes a problem in a feature outside of btrfs ("kernel
hacking: add a config option to disable compiler auto-inlining") and is
applied ahead of time due to cross-subsystem dependencies.

On 32-bit ARM with gcc-8, I see a link error with the addition of the
CONFIG_NO_AUTO_INLINE option:

fs/btrfs/super.o: In function `btrfs_statfs':
super.c:(.text+0x67b8): undefined reference to `__aeabi_uldivmod'
super.c:(.text+0x67fc): undefined reference to `__aeabi_uldivmod'
super.c:(.text+0x6858): undefined reference to `__aeabi_uldivmod'
super.c:(.text+0x6920): undefined reference to `__aeabi_uldivmod'
super.c:(.text+0x693c): undefined reference to `__aeabi_uldivmod'
fs/btrfs/super.o:super.c:(.text+0x6958): more undefined references to `__aeabi_uldivmod' follow

So far this is the only file that shows the behavior, so I'd propose
to just work around it by marking the functions as 'static inline'
that normally get inlined here.

The reference to __aeabi_uldivmod comes from a div_u64() which has an
optimization for a constant division that uses a straight '/' operator
when the result should be known to the compiler. My interpretation is
that as we turn off inlining, gcc still expects the result to be constant
but fails to use that constant value.

Link: https://lkml.kernel.org/r/20181103153941.1881966-1-arnd@arndb.de
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Changbin Du <changbin.du@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[ add the note ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/super.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 8888337a95b64..ddbad8d509490 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1919,7 +1919,7 @@ static int btrfs_remount(struct super_block *sb, int *flags, char *data)
 }
 
 /* Used to sort the devices by max_avail(descending sort) */
-static int btrfs_cmp_device_free_bytes(const void *dev_info1,
+static inline int btrfs_cmp_device_free_bytes(const void *dev_info1,
 				       const void *dev_info2)
 {
 	if (((struct btrfs_device_info *)dev_info1)->max_avail >
@@ -1948,8 +1948,8 @@ static inline void btrfs_descending_sort_devices(
  * The helper to calc the free space on the devices that can be used to store
  * file data.
  */
-static int btrfs_calc_avail_data_space(struct btrfs_fs_info *fs_info,
-				       u64 *free_bytes)
+static inline int btrfs_calc_avail_data_space(struct btrfs_fs_info *fs_info,
+					      u64 *free_bytes)
 {
 	struct btrfs_device_info *devices_info;
 	struct btrfs_fs_devices *fs_devices = fs_info->fs_devices;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 213/306] wil6210: fix debugfs memory access alignment
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 212/306] btrfs: avoid link error with CONFIG_NO_AUTO_INLINE Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 214/306] wil6210: fix L2 RX status handling Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ahmad Masri, Maya Erez, Kalle Valo,
	Sasha Levin

From: Ahmad Masri <amasri@codeaurora.org>

[ Upstream commit 84ec040d0fb25197584d28a0dedc355503cd19b9 ]

All wil6210 device memory access should be 4 bytes aligned. In io
blob wil6210 did not force alignment for read function, this caused
alignment fault on some platforms.
Fixing that by accessing all 4 lower bytes and return to host the
requested data.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/wil6210/debugfs.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
index ceace95b1595c..44296c0159252 100644
--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -662,10 +662,10 @@ static ssize_t wil_read_file_ioblob(struct file *file, char __user *user_buf,
 	enum { max_count = 4096 };
 	struct wil_blob_wrapper *wil_blob = file->private_data;
 	struct wil6210_priv *wil = wil_blob->wil;
-	loff_t pos = *ppos;
+	loff_t aligned_pos, pos = *ppos;
 	size_t available = wil_blob->blob.size;
 	void *buf;
-	size_t ret;
+	size_t unaligned_bytes, aligned_count, ret;
 	int rc;
 
 	if (test_bit(wil_status_suspending, wil_blob->wil->status) ||
@@ -683,7 +683,12 @@ static ssize_t wil_read_file_ioblob(struct file *file, char __user *user_buf,
 	if (count > max_count)
 		count = max_count;
 
-	buf = kmalloc(count, GFP_KERNEL);
+	/* set pos to 4 bytes aligned */
+	unaligned_bytes = pos % 4;
+	aligned_pos = pos - unaligned_bytes;
+	aligned_count = count + unaligned_bytes;
+
+	buf = kmalloc(aligned_count, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
 
@@ -694,9 +699,9 @@ static ssize_t wil_read_file_ioblob(struct file *file, char __user *user_buf,
 	}
 
 	wil_memcpy_fromio_32(buf, (const void __iomem *)
-			     wil_blob->blob.data + pos, count);
+			     wil_blob->blob.data + aligned_pos, aligned_count);
 
-	ret = copy_to_user(user_buf, buf, count);
+	ret = copy_to_user(user_buf, buf + unaligned_bytes, count);
 
 	wil_pm_runtime_put(wil);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 214/306] wil6210: fix L2 RX status handling
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 213/306] wil6210: fix debugfs memory access alignment Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 215/306] wil6210: fix RGF_CAF_ICR address for Talyn-MB Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maya Erez, Kalle Valo, Sasha Levin

From: Maya Erez <merez@codeaurora.org>

[ Upstream commit 04de15010aa42a92add66b159e3ae44b4287390f ]

L2 RX status errors should not be treated as a bitmap and the actual
error values should be checked.
Print L2 errors as wil_err_ratelimited for easier debugging
when such errors occurs.

Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/wil6210/txrx_edma.c | 23 ++++++++++----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/drivers/net/wireless/ath/wil6210/txrx_edma.c b/drivers/net/wireless/ath/wil6210/txrx_edma.c
index 409a6fa8b6c8f..5fa8d6ad66482 100644
--- a/drivers/net/wireless/ath/wil6210/txrx_edma.c
+++ b/drivers/net/wireless/ath/wil6210/txrx_edma.c
@@ -808,23 +808,24 @@ static int wil_rx_error_check_edma(struct wil6210_priv *wil,
 		wil_dbg_txrx(wil, "L2 RX error, l2_rx_status=0x%x\n",
 			     l2_rx_status);
 		/* Due to HW issue, KEY error will trigger a MIC error */
-		if (l2_rx_status & WIL_RX_EDMA_ERROR_MIC) {
-			wil_dbg_txrx(wil,
-				     "L2 MIC/KEY error, dropping packet\n");
+		if (l2_rx_status == WIL_RX_EDMA_ERROR_MIC) {
+			wil_err_ratelimited(wil,
+					    "L2 MIC/KEY error, dropping packet\n");
 			stats->rx_mic_error++;
 		}
-		if (l2_rx_status & WIL_RX_EDMA_ERROR_KEY) {
-			wil_dbg_txrx(wil, "L2 KEY error, dropping packet\n");
+		if (l2_rx_status == WIL_RX_EDMA_ERROR_KEY) {
+			wil_err_ratelimited(wil,
+					    "L2 KEY error, dropping packet\n");
 			stats->rx_key_error++;
 		}
-		if (l2_rx_status & WIL_RX_EDMA_ERROR_REPLAY) {
-			wil_dbg_txrx(wil,
-				     "L2 REPLAY error, dropping packet\n");
+		if (l2_rx_status == WIL_RX_EDMA_ERROR_REPLAY) {
+			wil_err_ratelimited(wil,
+					    "L2 REPLAY error, dropping packet\n");
 			stats->rx_replay++;
 		}
-		if (l2_rx_status & WIL_RX_EDMA_ERROR_AMSDU) {
-			wil_dbg_txrx(wil,
-				     "L2 AMSDU error, dropping packet\n");
+		if (l2_rx_status == WIL_RX_EDMA_ERROR_AMSDU) {
+			wil_err_ratelimited(wil,
+					    "L2 AMSDU error, dropping packet\n");
 			stats->rx_amsdu_error++;
 		}
 		return -EFAULT;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 215/306] wil6210: fix RGF_CAF_ICR address for Talyn-MB
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 214/306] wil6210: fix L2 RX status handling Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 216/306] wil6210: fix locking in wmi_call Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maya Erez, Kalle Valo, Sasha Levin

From: Maya Erez <merez@codeaurora.org>

[ Upstream commit 7c69709f8ed27197b16aa1c3f9b0744402b2fa02 ]

RGF_CAF_ICR register location has changed in Talyn-MB.
Add RGF_CAF_ICR_TALYN_MB to support the new address.

Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/wil6210/main.c    | 11 +++++++++--
 drivers/net/wireless/ath/wil6210/wil6210.h |  1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
index 920cb233f4db7..10673fa9388ec 100644
--- a/drivers/net/wireless/ath/wil6210/main.c
+++ b/drivers/net/wireless/ath/wil6210/main.c
@@ -1397,8 +1397,15 @@ static void wil_pre_fw_config(struct wil6210_priv *wil)
 	wil6210_clear_irq(wil);
 	/* CAF_ICR - clear and mask */
 	/* it is W1C, clear by writing back same value */
-	wil_s(wil, RGF_CAF_ICR + offsetof(struct RGF_ICR, ICR), 0);
-	wil_w(wil, RGF_CAF_ICR + offsetof(struct RGF_ICR, IMV), ~0);
+	if (wil->hw_version < HW_VER_TALYN_MB) {
+		wil_s(wil, RGF_CAF_ICR + offsetof(struct RGF_ICR, ICR), 0);
+		wil_w(wil, RGF_CAF_ICR + offsetof(struct RGF_ICR, IMV), ~0);
+	} else {
+		wil_s(wil,
+		      RGF_CAF_ICR_TALYN_MB + offsetof(struct RGF_ICR, ICR), 0);
+		wil_w(wil, RGF_CAF_ICR_TALYN_MB +
+		      offsetof(struct RGF_ICR, IMV), ~0);
+	}
 	/* clear PAL_UNIT_ICR (potential D0->D3 leftover)
 	 * In Talyn-MB host cannot access this register due to
 	 * access control, hence PAL_UNIT_ICR is cleared by the FW
diff --git a/drivers/net/wireless/ath/wil6210/wil6210.h b/drivers/net/wireless/ath/wil6210/wil6210.h
index 17c294b1ead13..75fe1a3b70466 100644
--- a/drivers/net/wireless/ath/wil6210/wil6210.h
+++ b/drivers/net/wireless/ath/wil6210/wil6210.h
@@ -319,6 +319,7 @@ struct RGF_ICR {
 /* MAC timer, usec, for packet lifetime */
 #define RGF_MAC_MTRL_COUNTER_0		(0x886aa8)
 
+#define RGF_CAF_ICR_TALYN_MB		(0x8893d4) /* struct RGF_ICR */
 #define RGF_CAF_ICR			(0x88946c) /* struct RGF_ICR */
 #define RGF_CAF_OSC_CONTROL		(0x88afa4)
 	#define BIT_CAF_OSC_XTAL_EN		BIT(0)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 216/306] wil6210: fix locking in wmi_call
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 215/306] wil6210: fix RGF_CAF_ICR address for Talyn-MB Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 217/306] ath10k: snoc: fix unbalanced clock error handling Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lior David, Maya Erez, Kalle Valo,
	Sasha Levin

From: Lior David <liord@codeaurora.org>

[ Upstream commit dc57731dbd535880fe6ced31c229262c34df7d64 ]

Switch from spin_lock to spin_lock_irqsave, because
wmi_ev_lock is used inside interrupt handler.

Signed-off-by: Lior David <liord@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/wil6210/wmi.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index 2010f771478df..8a603432f5317 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -1639,16 +1639,17 @@ int wmi_call(struct wil6210_priv *wil, u16 cmdid, u8 mid, void *buf, u16 len,
 {
 	int rc;
 	unsigned long remain;
+	ulong flags;
 
 	mutex_lock(&wil->wmi_mutex);
 
-	spin_lock(&wil->wmi_ev_lock);
+	spin_lock_irqsave(&wil->wmi_ev_lock, flags);
 	wil->reply_id = reply_id;
 	wil->reply_mid = mid;
 	wil->reply_buf = reply;
 	wil->reply_size = reply_size;
 	reinit_completion(&wil->wmi_call);
-	spin_unlock(&wil->wmi_ev_lock);
+	spin_unlock_irqrestore(&wil->wmi_ev_lock, flags);
 
 	rc = __wmi_send(wil, cmdid, mid, buf, len);
 	if (rc)
@@ -1668,12 +1669,12 @@ int wmi_call(struct wil6210_priv *wil, u16 cmdid, u8 mid, void *buf, u16 len,
 	}
 
 out:
-	spin_lock(&wil->wmi_ev_lock);
+	spin_lock_irqsave(&wil->wmi_ev_lock, flags);
 	wil->reply_id = 0;
 	wil->reply_mid = U8_MAX;
 	wil->reply_buf = NULL;
 	wil->reply_size = 0;
-	spin_unlock(&wil->wmi_ev_lock);
+	spin_unlock_irqrestore(&wil->wmi_ev_lock, flags);
 
 	mutex_unlock(&wil->wmi_mutex);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 217/306] ath10k: snoc: fix unbalanced clock error handling
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 216/306] wil6210: fix locking in wmi_call Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 218/306] wlcore: Fix the return value in case of error in wlcore_vendor_cmd_smart_config_start() Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Norris, Douglas Anderson,
	Kalle Valo, Sasha Levin

From: Brian Norris <briannorris@chromium.org>

[ Upstream commit 82e60d920e8ad70cd9a280ab156566755f1fe4aa ]

Similar to regulator error handling, we should only start tearing down
the 'i - 1' clock when clock 'i' fails to enable. Otherwise, we might
end up with an unbalanced clock, where we never successfully enabled the
clock, but we try to disable it anyway.

Fixes: a6a793f98786 ("ath10k: vote for hardware resources for WCN3990")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/snoc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c
index fa1843a7e0fda..e2d78f77edb70 100644
--- a/drivers/net/wireless/ath/ath10k/snoc.c
+++ b/drivers/net/wireless/ath/ath10k/snoc.c
@@ -1190,7 +1190,7 @@ static int ath10k_wcn3990_clk_init(struct ath10k *ar)
 	return 0;
 
 err_clock_config:
-	for (; i >= 0; i--) {
+	for (i = i - 1; i >= 0; i--) {
 		clk_info = &ar_snoc->clk[i];
 
 		if (!clk_info->handle)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 218/306] wlcore: Fix the return value in case of error in wlcore_vendor_cmd_smart_config_start()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 217/306] ath10k: snoc: fix unbalanced clock error handling Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 219/306] rtl8xxxu: Fix missing break in switch Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Kalle Valo, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 3419348a97bcc256238101129d69b600ceb5cc70 ]

We return 0 unconditionally at the end of
'wlcore_vendor_cmd_smart_config_start()'.
However, 'ret' is set to some error codes in several error handling paths
and we already return some error codes at the beginning of the function.

Return 'ret' instead to propagate the error code.

Fixes: 80ff8063e87c ("wlcore: handle smart config vendor commands")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ti/wlcore/vendor_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ti/wlcore/vendor_cmd.c b/drivers/net/wireless/ti/wlcore/vendor_cmd.c
index dbe78d8491eff..7f34ec077ee57 100644
--- a/drivers/net/wireless/ti/wlcore/vendor_cmd.c
+++ b/drivers/net/wireless/ti/wlcore/vendor_cmd.c
@@ -70,7 +70,7 @@ wlcore_vendor_cmd_smart_config_start(struct wiphy *wiphy,
 out:
 	mutex_unlock(&wl->mutex);
 
-	return 0;
+	return ret;
 }
 
 static int
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 219/306] rtl8xxxu: Fix missing break in switch
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 218/306] wlcore: Fix the return value in case of error in wlcore_vendor_cmd_smart_config_start() Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 220/306] brcmsmac: never log "tid x is not aggable" by default Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Kalle Valo, Sasha Levin

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

[ Upstream commit 307b00c5e695857ca92fc6a4b8ab6c48f988a1b1 ]

Add missing break statement in order to prevent the code from falling
through to the default case.

Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index 505ab1b055ff4..2b4fcdf4ec5bb 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -5691,6 +5691,7 @@ static int rtl8xxxu_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 		break;
 	case WLAN_CIPHER_SUITE_TKIP:
 		key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
+		break;
 	default:
 		return -EOPNOTSUPP;
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 220/306] brcmsmac: never log "tid x is not aggable" by default
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 219/306] rtl8xxxu: Fix missing break in switch Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 221/306] wireless: airo: potential buffer overflow in sprintf() Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ali MJ Al-Nasrawy, Kalle Valo, Sasha Levin

From: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>

[ Upstream commit 96fca788e5788b7ea3b0050eb35a343637e0a465 ]

This message greatly spams the log under heavy Tx of frames with BK access
class which is especially true when operating as AP. It is also not informative
as the "agg'ablity" of TIDs are set once and never change.
Fix this by logging only in debug mode.

Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
index 81ff558046a8f..6188275b17e5a 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
@@ -846,8 +846,8 @@ brcms_ops_ampdu_action(struct ieee80211_hw *hw,
 		status = brcms_c_aggregatable(wl->wlc, tid);
 		spin_unlock_bh(&wl->lock);
 		if (!status) {
-			brcms_err(wl->wlc->hw->d11core,
-				  "START: tid %d is not agg\'able\n", tid);
+			brcms_dbg_ht(wl->wlc->hw->d11core,
+				     "START: tid %d is not agg\'able\n", tid);
 			return -EINVAL;
 		}
 		ieee80211_start_tx_ba_cb_irqsafe(vif, sta->addr, tid);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 221/306] wireless: airo: potential buffer overflow in sprintf()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 220/306] brcmsmac: never log "tid x is not aggable" by default Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 222/306] rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Kalle Valo, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 3d39e1bb1c88f32820c5f9271f2c8c2fb9a52bac ]

It looks like we wanted to print a maximum of BSSList_rid.ssidLen bytes
of the ssid, but we accidentally use "%*s" (width) instead of "%.*s"
(precision) so if the ssid doesn't have a NUL terminator this could lead
to an overflow.

Static analysis.  Not tested.

Fixes: e174961ca1a0 ("net: convert print_mac to %pM")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/cisco/airo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
index 04dd7a9365938..5512c7f73fce8 100644
--- a/drivers/net/wireless/cisco/airo.c
+++ b/drivers/net/wireless/cisco/airo.c
@@ -5462,7 +5462,7 @@ static int proc_BSSList_open( struct inode *inode, struct file *file ) {
            we have to add a spin lock... */
 	rc = readBSSListRid(ai, doLoseSync, &BSSList_rid);
 	while(rc == 0 && BSSList_rid.index != cpu_to_le16(0xffff)) {
-		ptr += sprintf(ptr, "%pM %*s rssi = %d",
+		ptr += sprintf(ptr, "%pM %.*s rssi = %d",
 			       BSSList_rid.bssid,
 				(int)BSSList_rid.ssidLen,
 				BSSList_rid.ssid,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 222/306] rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 221/306] wireless: airo: potential buffer overflow in sprintf() Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 223/306] net: dsa: bcm_sf2: Turn on PHY to allow successful registration Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ping-Ke Shih, Kalle Valo,
	Shaokun Zhang, Sasha Levin

From: Shaokun Zhang <zhangshaokun@hisilicon.com>

[ Upstream commit 7d129adff3afbd3a449bc3593f2064ac546d58d3 ]

RT_TRACE shows REG_MCUFWDL value as a decimal value with a '0x'
prefix, which is somewhat misleading.

Fix it to print hexadecimal, as was intended.

Cc: Ping-Ke Shih <pkshih@realtek.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
index 85cedd083d2b8..75bfa9dfef4aa 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
@@ -173,7 +173,7 @@ static int _rtl92d_fw_init(struct ieee80211_hw *hw)
 			 rtl_read_byte(rtlpriv, FW_MAC1_READY));
 	}
 	RT_TRACE(rtlpriv, COMP_FW, DBG_DMESG,
-		 "Polling FW ready fail!! REG_MCUFWDL:0x%08ul\n",
+		 "Polling FW ready fail!! REG_MCUFWDL:0x%08x\n",
 		 rtl_read_dword(rtlpriv, REG_MCUFWDL));
 	return -1;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 223/306] net: dsa: bcm_sf2: Turn on PHY to allow successful registration
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 222/306] rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-29 13:00   ` Pavel Machek
  2019-11-27 20:31 ` [PATCH 4.19 224/306] scsi: mpt3sas: Fix Sync cache command failure during driver unload Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller,
	Sasha Levin

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit c04a17d2a9ccf1eaba1c5a56f83e997540a70556 ]

We are binding to the PHY using the SF2 slave MDIO bus that we create,
binding involves reading the PHY's MII_PHYSID1/2 which won't be possible
if the PHY is turned off. Temporarily turn it on/off for the bus probing
to succeeed. This fixes unbind/bind problems where the port connecting
to that PHY would be in error since it could not connect to it.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/bcm_sf2.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index ca3655d28e00f..17cec68e56b4f 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -1099,12 +1099,16 @@ static int bcm_sf2_sw_probe(struct platform_device *pdev)
 		return ret;
 	}
 
+	bcm_sf2_gphy_enable_set(priv->dev->ds, true);
+
 	ret = bcm_sf2_mdio_register(ds);
 	if (ret) {
 		pr_err("failed to register MDIO bus\n");
 		return ret;
 	}
 
+	bcm_sf2_gphy_enable_set(priv->dev->ds, false);
+
 	ret = bcm_sf2_cfp_rst(priv);
 	if (ret) {
 		pr_err("failed to reset CFP\n");
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 224/306] scsi: mpt3sas: Fix Sync cache command failure during driver unload
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 223/306] net: dsa: bcm_sf2: Turn on PHY to allow successful registration Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 225/306] scsi: mpt3sas: Dont modify EEDPTagMode field setting on SAS3.5 HBA devices Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suganath Prabu, Bjorn Helgaas,
	Andy Shevchenko, Martin K. Petersen, Sasha Levin

From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>

[ Upstream commit 9029a72500b95578a35877a43473b82cb0386c53 ]

This is to fix SYNC CACHE and START STOP command failures with
DID_NO_CONNECT during driver unload.

In driver's IO submission patch (i.e. in driver's .queuecommand()) driver
won't allow any SCSI commands to the IOC when ioc->remove_host flag is set
and hence SYNC CACHE commands which are issued to the target drives (where
write cache is enabled) during driver unload time is failed with
DID_NO_CONNECT status.

Now modified the driver to allow SYNC CACHE and START STOP commands to IOC,
even when remove_host flag is set.

Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 36 +++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index 73d661a0ecbb9..d3c944d997039 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -3791,6 +3791,40 @@ _scsih_tm_tr_complete(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index,
 	return _scsih_check_for_pending_tm(ioc, smid);
 }
 
+/** _scsih_allow_scmd_to_device - check whether scmd needs to
+ *				 issue to IOC or not.
+ * @ioc: per adapter object
+ * @scmd: pointer to scsi command object
+ *
+ * Returns true if scmd can be issued to IOC otherwise returns false.
+ */
+inline bool _scsih_allow_scmd_to_device(struct MPT3SAS_ADAPTER *ioc,
+	struct scsi_cmnd *scmd)
+{
+
+	if (ioc->pci_error_recovery)
+		return false;
+
+	if (ioc->hba_mpi_version_belonged == MPI2_VERSION) {
+		if (ioc->remove_host)
+			return false;
+
+		return true;
+	}
+
+	if (ioc->remove_host) {
+
+		switch (scmd->cmnd[0]) {
+		case SYNCHRONIZE_CACHE:
+		case START_STOP:
+			return true;
+		default:
+			return false;
+		}
+	}
+
+	return true;
+}
 
 /**
  * _scsih_sas_control_complete - completion routine
@@ -4623,7 +4657,7 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd)
 		return 0;
 	}
 
-	if (ioc->pci_error_recovery || ioc->remove_host) {
+	if (!(_scsih_allow_scmd_to_device(ioc, scmd))) {
 		scmd->result = DID_NO_CONNECT << 16;
 		scmd->scsi_done(scmd);
 		return 0;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 225/306] scsi: mpt3sas: Dont modify EEDPTagMode field setting on SAS3.5 HBA devices
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 224/306] scsi: mpt3sas: Fix Sync cache command failure during driver unload Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 226/306] scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11 Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suganath Prabu, Bjorn Helgaas,
	Andy Shevchenko, Martin K. Petersen, Sasha Levin

From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>

[ Upstream commit 6cd1bc7b9b5075d395ba0120923903873fc7ea0e ]

If EEDPTagMode field in manufacturing page11 is set then unset it. This is
needed to fix a hardware bug only in SAS3/SAS2 cards. So, skipping
EEDPTagMode changes in Manufacturing page11 for SAS 3.5 controllers.

Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mpt3sas/mpt3sas_base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index d2ab52026014f..2c556c7fcf0dc 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -4117,7 +4117,7 @@ _base_static_config_pages(struct MPT3SAS_ADAPTER *ioc)
 	 * flag unset in NVDATA.
 	 */
 	mpt3sas_config_get_manufacturing_pg11(ioc, &mpi_reply, &ioc->manu_pg11);
-	if (ioc->manu_pg11.EEDPTagMode == 0) {
+	if (!ioc->is_gen35_ioc && ioc->manu_pg11.EEDPTagMode == 0) {
 		pr_err("%s: overriding NVDATA EEDPTagMode setting\n",
 		    ioc->name);
 		ioc->manu_pg11.EEDPTagMode &= ~0x3;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 226/306] scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 225/306] scsi: mpt3sas: Dont modify EEDPTagMode field setting on SAS3.5 HBA devices Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 227/306] scsi: megaraid_sas: Fix msleep granularity Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suganath Prabu, Bjorn Helgaas,
	Andy Shevchenko, Martin K. Petersen, Sasha Levin

From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>

[ Upstream commit 97f35194093362a63b33caba2485521ddabe2c95 ]

Currently driver is modifying both current & NVRAM/persistent data in
Manufacturing page11. Driver should change only current copy of
Manufacturing page11. It should not modify the persistent data.

So removed the section of code where driver is modifying the persistent
data of Manufacturing page11.

Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mpt3sas/mpt3sas_config.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_config.c b/drivers/scsi/mpt3sas/mpt3sas_config.c
index d29a2dcc7d0ec..9b01c5a7aebd9 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_config.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_config.c
@@ -692,10 +692,6 @@ mpt3sas_config_set_manufacturing_pg11(struct MPT3SAS_ADAPTER *ioc,
 	r = _config_request(ioc, &mpi_request, mpi_reply,
 	    MPT3_CONFIG_PAGE_DEFAULT_TIMEOUT, config_page,
 	    sizeof(*config_page));
-	mpi_request.Action = MPI2_CONFIG_ACTION_PAGE_WRITE_NVRAM;
-	r = _config_request(ioc, &mpi_request, mpi_reply,
-	    MPT3_CONFIG_PAGE_DEFAULT_TIMEOUT, config_page,
-	    sizeof(*config_page));
  out:
 	return r;
 }
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 227/306] scsi: megaraid_sas: Fix msleep granularity
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 226/306] scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11 Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 228/306] scsi: megaraid_sas: Fix goto labels in error handling Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shivasharan S, Martin K. Petersen,
	Sasha Levin

From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>

[ Upstream commit 9155cf30a3c4ef97e225d6daddf9bd4b173267e8 ]

In megasas_transition_to_ready() driver waits 180seconds for controller to
change FW state. Here we are calling msleep(1) in a loop for this.  As
explained in timers-howto.txt, msleep(1) will actually sleep longer than
1ms. If a faulty controller is connected, we will end up waiting for much
more than 180 seconds causing unnecessary delays during load.

Change the granularity of msleep() call from 1ms to 1000ms.

Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/megaraid/megaraid_sas_base.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index bc37666f998e6..2f94ab9c23540 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3894,12 +3894,12 @@ megasas_transition_to_ready(struct megasas_instance *instance, int ocr)
 		/*
 		 * The cur_state should not last for more than max_wait secs
 		 */
-		for (i = 0; i < (max_wait * 1000); i++) {
+		for (i = 0; i < max_wait; i++) {
 			curr_abs_state = instance->instancet->
 				read_fw_status_reg(instance->reg_set);
 
 			if (abs_state == curr_abs_state) {
-				msleep(1);
+				msleep(1000);
 			} else
 				break;
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 228/306] scsi: megaraid_sas: Fix goto labels in error handling
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 227/306] scsi: megaraid_sas: Fix msleep granularity Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 229/306] scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shivasharan S, Martin K. Petersen,
	Sasha Levin

From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>

[ Upstream commit 8a25fa17b6ed6e6c8101e9c68a10ae68a9025f2c ]

During init, if pci_alloc_irq_vectors() fails, the driver has not yet setup
the IRQs. Fix the goto labels and error handling for this case.

Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/megaraid/megaraid_sas_base.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 2f94ab9c23540..2f31d266339f8 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -5410,7 +5410,7 @@ static int megasas_init_fw(struct megasas_instance *instance)
 	if (!instance->msix_vectors) {
 		i = pci_alloc_irq_vectors(instance->pdev, 1, 1, PCI_IRQ_LEGACY);
 		if (i < 0)
-			goto fail_setup_irqs;
+			goto fail_init_adapter;
 	}
 
 	megasas_setup_reply_map(instance);
@@ -5619,9 +5619,8 @@ static int megasas_init_fw(struct megasas_instance *instance)
 
 fail_get_ld_pd_list:
 	instance->instancet->disable_intr(instance);
-fail_init_adapter:
 	megasas_destroy_irqs(instance);
-fail_setup_irqs:
+fail_init_adapter:
 	if (instance->msix_vectors)
 		pci_free_irq_vectors(instance->pdev);
 	instance->msix_vectors = 0;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 229/306] scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 228/306] scsi: megaraid_sas: Fix goto labels in error handling Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 230/306] scsi: lpfc: Fix odd recovery in duplicate FLOGIs in point-to-point Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Hannes Reinecke, Martin K. Petersen, Sasha Levin

From: James Smart <jsmart2021@gmail.com>

[ Upstream commit 036cad1f1ac9ce03e2db94b8460f98eaf1e1ee4c ]

On FCoE adapters, when running link bounce test in a loop, initiator
failed to login with switch switch and required driver reload to
recover. Switch reached a point where all subsequent FLOGIs would be
LS_RJT'd. Further testing showed the condition to be related to not
performing FCF discovery between FLOGI's.

Fix by monitoring FLOGI failures and once a repeated error is seen
repeat FCF discovery.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc_els.c     |  2 ++
 drivers/scsi/lpfc/lpfc_hbadisc.c | 20 ++++++++++++++++++++
 drivers/scsi/lpfc/lpfc_init.c    |  2 +-
 drivers/scsi/lpfc/lpfc_sli.c     | 11 ++---------
 drivers/scsi/lpfc/lpfc_sli4.h    |  1 +
 5 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index f3c6801c0b312..8bf916b9a987d 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -1157,6 +1157,7 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
 			phba->fcf.fcf_flag &= ~FCF_DISCOVERY;
 			phba->hba_flag &= ~(FCF_RR_INPROG | HBA_DEVLOSS_TMO);
 			spin_unlock_irq(&phba->hbalock);
+			phba->fcf.fcf_redisc_attempted = 0; /* reset */
 			goto out;
 		}
 		if (!rc) {
@@ -1171,6 +1172,7 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
 			phba->fcf.fcf_flag &= ~FCF_DISCOVERY;
 			phba->hba_flag &= ~(FCF_RR_INPROG | HBA_DEVLOSS_TMO);
 			spin_unlock_irq(&phba->hbalock);
+			phba->fcf.fcf_redisc_attempted = 0; /* reset */
 			goto out;
 		}
 	}
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index db183d1f34ab2..0d19e5f6b3bcc 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -1997,6 +1997,26 @@ int lpfc_sli4_fcf_rr_next_proc(struct lpfc_vport *vport, uint16_t fcf_index)
 				"failover and change port state:x%x/x%x\n",
 				phba->pport->port_state, LPFC_VPORT_UNKNOWN);
 		phba->pport->port_state = LPFC_VPORT_UNKNOWN;
+
+		if (!phba->fcf.fcf_redisc_attempted) {
+			lpfc_unregister_fcf(phba);
+
+			rc = lpfc_sli4_redisc_fcf_table(phba);
+			if (!rc) {
+				lpfc_printf_log(phba, KERN_INFO, LOG_FIP,
+						"3195 Rediscover FCF table\n");
+				phba->fcf.fcf_redisc_attempted = 1;
+				lpfc_sli4_clear_fcf_rr_bmask(phba);
+			} else {
+				lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
+						"3196 Rediscover FCF table "
+						"failed. Status:x%x\n", rc);
+			}
+		} else {
+			lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
+					"3197 Already rediscover FCF table "
+					"attempted. No more retry\n");
+		}
 		goto stop_flogi_current_fcf;
 	} else {
 		lpfc_printf_log(phba, KERN_INFO, LOG_FIP | LOG_ELS,
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index 9acb5b44ce4c1..a7d3e532e0f58 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -5044,7 +5044,7 @@ lpfc_sli4_async_fip_evt(struct lpfc_hba *phba,
 			break;
 		}
 		/* If fast FCF failover rescan event is pending, do nothing */
-		if (phba->fcf.fcf_flag & FCF_REDISC_EVT) {
+		if (phba->fcf.fcf_flag & (FCF_REDISC_EVT | FCF_REDISC_PEND)) {
 			spin_unlock_irq(&phba->hbalock);
 			break;
 		}
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index e704297618e06..3361ae75578f2 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -18431,15 +18431,8 @@ lpfc_sli4_fcf_rr_next_index_get(struct lpfc_hba *phba)
 			goto initial_priority;
 		lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
 				"2844 No roundrobin failover FCF available\n");
-		if (next_fcf_index >= LPFC_SLI4_FCF_TBL_INDX_MAX)
-			return LPFC_FCOE_FCF_NEXT_NONE;
-		else {
-			lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
-				"3063 Only FCF available idx %d, flag %x\n",
-				next_fcf_index,
-			phba->fcf.fcf_pri[next_fcf_index].fcf_rec.flag);
-			return next_fcf_index;
-		}
+
+		return LPFC_FCOE_FCF_NEXT_NONE;
 	}
 
 	if (next_fcf_index < LPFC_SLI4_FCF_TBL_INDX_MAX &&
diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
index 399c0015c5465..3dcc6615a23b2 100644
--- a/drivers/scsi/lpfc/lpfc_sli4.h
+++ b/drivers/scsi/lpfc/lpfc_sli4.h
@@ -279,6 +279,7 @@ struct lpfc_fcf {
 #define FCF_REDISC_EVT	0x100 /* FCF rediscovery event to worker thread */
 #define FCF_REDISC_FOV	0x200 /* Post FCF rediscovery fast failover */
 #define FCF_REDISC_PROG (FCF_REDISC_PEND | FCF_REDISC_EVT)
+	uint16_t fcf_redisc_attempted;
 	uint32_t addr_mode;
 	uint32_t eligible_fcf_cnt;
 	struct lpfc_fcf_rec current_rec;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 230/306] scsi: lpfc: Fix odd recovery in duplicate FLOGIs in point-to-point
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 229/306] scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 231/306] scsi: lpfc: Correct loss of fc4 type on remote port address change Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Hannes Reinecke, Martin K. Petersen, Sasha Levin

From: James Smart <jsmart2021@gmail.com>

[ Upstream commit d496b9a7246cb9813da1fe49e14edbbbf8e232d5 ]

Testing a point-to-point topology and a case of re-FLOGI without
intervening link bouncing, showed an odd interaction with firmware and
a resulting scenario where the driver no longer probed after accepting
the new FLOGI.

Work around the firmware issue by issuing a link bounce if a FLOGI is
received after the link is already up and FLOGI's accepted.

While debugging the issue, realized that some debug traces should be
clarified to help in the future.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc.h         |  1 +
 drivers/scsi/lpfc/lpfc_els.c     | 66 ++++++++++++++++++++++++++------
 drivers/scsi/lpfc/lpfc_hbadisc.c |  9 +++++
 3 files changed, 64 insertions(+), 12 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 43732e8d13473..ebcfcbb8b4ccc 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -490,6 +490,7 @@ struct lpfc_vport {
 	struct nvme_fc_local_port *localport;
 	uint8_t  nvmei_support; /* driver supports NVME Initiator */
 	uint32_t last_fcp_wqidx;
+	uint32_t rcv_flogi_cnt; /* How many unsol FLOGIs ACK'd. */
 };
 
 struct hbq_s {
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 8bf916b9a987d..e263a486b1c6c 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -1057,9 +1057,9 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
 			goto flogifail;
 
 		lpfc_printf_vlog(vport, KERN_WARNING, LOG_ELS,
-				 "0150 FLOGI failure Status:x%x/x%x TMO:x%x\n",
+				 "0150 FLOGI failure Status:x%x/x%x xri x%x TMO:x%x\n",
 				 irsp->ulpStatus, irsp->un.ulpWord[4],
-				 irsp->ulpTimeout);
+				 cmdiocb->sli4_xritag, irsp->ulpTimeout);
 
 		/* FLOGI failed, so there is no fabric */
 		spin_lock_irq(shost->host_lock);
@@ -1113,7 +1113,8 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
 	/* FLOGI completes successfully */
 	lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
 			 "0101 FLOGI completes successfully, I/O tag:x%x, "
-			 "Data: x%x x%x x%x x%x x%x x%x\n", cmdiocb->iotag,
+			 "xri x%x Data: x%x x%x x%x x%x x%x %x\n",
+			 cmdiocb->iotag, cmdiocb->sli4_xritag,
 			 irsp->un.ulpWord[4], sp->cmn.e_d_tov,
 			 sp->cmn.w2.r_a_tov, sp->cmn.edtovResolution,
 			 vport->port_state, vport->fc_flag);
@@ -4266,14 +4267,6 @@ lpfc_els_rsp_acc(struct lpfc_vport *vport, uint32_t flag,
 	default:
 		return 1;
 	}
-	/* Xmit ELS ACC response tag <ulpIoTag> */
-	lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
-			 "0128 Xmit ELS ACC response tag x%x, XRI: x%x, "
-			 "DID: x%x, nlp_flag: x%x nlp_state: x%x RPI: x%x "
-			 "fc_flag x%x\n",
-			 elsiocb->iotag, elsiocb->iocb.ulpContext,
-			 ndlp->nlp_DID, ndlp->nlp_flag, ndlp->nlp_state,
-			 ndlp->nlp_rpi, vport->fc_flag);
 	if (ndlp->nlp_flag & NLP_LOGO_ACC) {
 		spin_lock_irq(shost->host_lock);
 		if (!(ndlp->nlp_flag & NLP_RPI_REGISTERED ||
@@ -4442,6 +4435,15 @@ lpfc_els_rsp_adisc_acc(struct lpfc_vport *vport, struct lpfc_iocbq *oldiocb,
 		lpfc_els_free_iocb(phba, elsiocb);
 		return 1;
 	}
+
+	/* Xmit ELS ACC response tag <ulpIoTag> */
+	lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
+			 "0128 Xmit ELS ACC response Status: x%x, IoTag: x%x, "
+			 "XRI: x%x, DID: x%x, nlp_flag: x%x nlp_state: x%x "
+			 "RPI: x%x, fc_flag x%x\n",
+			 rc, elsiocb->iotag, elsiocb->sli4_xritag,
+			 ndlp->nlp_DID, ndlp->nlp_flag, ndlp->nlp_state,
+			 ndlp->nlp_rpi, vport->fc_flag);
 	return 0;
 }
 
@@ -6452,6 +6454,11 @@ lpfc_els_rcv_flogi(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb,
 	port_state = vport->port_state;
 	vport->fc_flag |= FC_PT2PT;
 	vport->fc_flag &= ~(FC_FABRIC | FC_PUBLIC_LOOP);
+
+	/* Acking an unsol FLOGI.  Count 1 for link bounce
+	 * work-around.
+	 */
+	vport->rcv_flogi_cnt++;
 	spin_unlock_irq(shost->host_lock);
 	lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
 			 "3311 Rcv Flogi PS x%x new PS x%x "
@@ -7849,8 +7856,9 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
 	struct ls_rjt stat;
 	uint32_t *payload;
 	uint32_t cmd, did, newnode;
-	uint8_t rjt_exp, rjt_err = 0;
+	uint8_t rjt_exp, rjt_err = 0, init_link = 0;
 	IOCB_t *icmd = &elsiocb->iocb;
+	LPFC_MBOXQ_t *mbox;
 
 	if (!vport || !(elsiocb->context2))
 		goto dropit;
@@ -7999,6 +8007,19 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
 			did, vport->port_state, ndlp->nlp_flag);
 
 		phba->fc_stat.elsRcvFLOGI++;
+
+		/* If the driver believes fabric discovery is done and is ready,
+		 * bounce the link.  There is some descrepancy.
+		 */
+		if (vport->port_state >= LPFC_LOCAL_CFG_LINK &&
+		    vport->fc_flag & FC_PT2PT &&
+		    vport->rcv_flogi_cnt >= 1) {
+			rjt_err = LSRJT_LOGICAL_BSY;
+			rjt_exp = LSEXP_NOTHING_MORE;
+			init_link++;
+			goto lsrjt;
+		}
+
 		lpfc_els_rcv_flogi(vport, elsiocb, ndlp);
 		if (newnode)
 			lpfc_nlp_put(ndlp);
@@ -8227,6 +8248,27 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
 
 	lpfc_nlp_put(elsiocb->context1);
 	elsiocb->context1 = NULL;
+
+	/* Special case.  Driver received an unsolicited command that
+	 * unsupportable given the driver's current state.  Reset the
+	 * link and start over.
+	 */
+	if (init_link) {
+		mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+		if (!mbox)
+			return;
+		lpfc_linkdown(phba);
+		lpfc_init_link(phba, mbox,
+			       phba->cfg_topology,
+			       phba->cfg_link_speed);
+		mbox->u.mb.un.varInitLnk.lipsr_AL_PA = 0;
+		mbox->mbox_cmpl = lpfc_sli_def_mbox_cmpl;
+		mbox->vport = vport;
+		if (lpfc_sli_issue_mbox(phba, mbox, MBX_NOWAIT) ==
+		    MBX_NOT_FINISHED)
+			mempool_free(mbox, phba->mbox_mem_pool);
+	}
+
 	return;
 
 dropit:
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 0d19e5f6b3bcc..68f223882d96b 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -952,6 +952,7 @@ lpfc_linkdown(struct lpfc_hba *phba)
 		}
 		spin_lock_irq(shost->host_lock);
 		phba->pport->fc_flag &= ~(FC_PT2PT | FC_PT2PT_PLOGI);
+		phba->pport->rcv_flogi_cnt = 0;
 		spin_unlock_irq(shost->host_lock);
 	}
 	return 0;
@@ -1023,6 +1024,7 @@ lpfc_linkup(struct lpfc_hba *phba)
 {
 	struct lpfc_vport **vports;
 	int i;
+	struct Scsi_Host  *shost = lpfc_shost_from_vport(phba->pport);
 
 	phba->link_state = LPFC_LINK_UP;
 
@@ -1036,6 +1038,13 @@ lpfc_linkup(struct lpfc_hba *phba)
 			lpfc_linkup_port(vports[i]);
 	lpfc_destroy_vport_work_array(phba, vports);
 
+	/* Clear the pport flogi counter in case the link down was
+	 * absorbed without an ACQE. No lock here - in worker thread
+	 * and discovery is synchronized.
+	 */
+	spin_lock_irq(shost->host_lock);
+	phba->pport->rcv_flogi_cnt = 0;
+	spin_unlock_irq(shost->host_lock);
 	return 0;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 231/306] scsi: lpfc: Correct loss of fc4 type on remote port address change
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 230/306] scsi: lpfc: Fix odd recovery in duplicate FLOGIs in point-to-point Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 232/306] usb: typec: tcpm: charge current handling for sink during hard reset Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Hannes Reinecke, Martin K. Petersen, Sasha Levin

From: James Smart <jsmart2021@gmail.com>

[ Upstream commit d83ca3ea833d7a66d49225e4191c4e37cab8f079 ]

An address change for a remote port cause PRLI for the wrong protocol
to be sent.  The node copy done in the discovery code skipped copying
the fc4 protocols supported as well.

Fix the copy logic for the address change.  Beefed up log messages in
this area as well.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc_els.c       | 27 +++++++++++++++++++++++----
 drivers/scsi/lpfc/lpfc_nportdisc.c |  5 +++--
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index e263a486b1c6c..222fa9b7f4788 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -1556,8 +1556,10 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
 	 */
 	new_ndlp = lpfc_findnode_wwpn(vport, &sp->portName);
 
+	/* return immediately if the WWPN matches ndlp */
 	if (new_ndlp == ndlp && NLP_CHK_NODE_ACT(new_ndlp))
 		return ndlp;
+
 	if (phba->sli_rev == LPFC_SLI_REV4) {
 		active_rrqs_xri_bitmap = mempool_alloc(phba->active_rrq_pool,
 						       GFP_KERNEL);
@@ -1566,9 +1568,13 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
 			       phba->cfg_rrq_xri_bitmap_sz);
 	}
 
-	lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
-		 "3178 PLOGI confirm: ndlp %p x%x: new_ndlp %p\n",
-		 ndlp, ndlp->nlp_DID, new_ndlp);
+	lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS | LOG_NODE,
+			 "3178 PLOGI confirm: ndlp x%x x%x x%x: "
+			 "new_ndlp x%x x%x x%x\n",
+			 ndlp->nlp_DID, ndlp->nlp_flag,  ndlp->nlp_fc4_type,
+			 (new_ndlp ? new_ndlp->nlp_DID : 0),
+			 (new_ndlp ? new_ndlp->nlp_flag : 0),
+			 (new_ndlp ? new_ndlp->nlp_fc4_type : 0));
 
 	if (!new_ndlp) {
 		rc = memcmp(&ndlp->nlp_portname, name,
@@ -1617,6 +1623,14 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
 			       phba->cfg_rrq_xri_bitmap_sz);
 	}
 
+	/* At this point in this routine, we know new_ndlp will be
+	 * returned. however, any previous GID_FTs that were done
+	 * would have updated nlp_fc4_type in ndlp, so we must ensure
+	 * new_ndlp has the right value.
+	 */
+	if (vport->fc_flag & FC_FABRIC)
+		new_ndlp->nlp_fc4_type = ndlp->nlp_fc4_type;
+
 	lpfc_unreg_rpi(vport, new_ndlp);
 	new_ndlp->nlp_DID = ndlp->nlp_DID;
 	new_ndlp->nlp_prev_state = ndlp->nlp_prev_state;
@@ -1666,7 +1680,6 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
 		if (ndlp->nrport) {
 			ndlp->nrport = NULL;
 			lpfc_nlp_put(ndlp);
-			new_ndlp->nlp_fc4_type = ndlp->nlp_fc4_type;
 		}
 
 		/* We shall actually free the ndlp with both nlp_DID and
@@ -1740,6 +1753,12 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
 	    active_rrqs_xri_bitmap)
 		mempool_free(active_rrqs_xri_bitmap,
 			     phba->active_rrq_pool);
+
+	lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS | LOG_NODE,
+			 "3173 PLOGI confirm exit: new_ndlp x%x x%x x%x\n",
+			 new_ndlp->nlp_DID, new_ndlp->nlp_flag,
+			 new_ndlp->nlp_fc4_type);
+
 	return new_ndlp;
 }
 
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index c15f3265eefeb..bd8dc6a2243c0 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -2868,8 +2868,9 @@ lpfc_disc_state_machine(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
 	/* DSM in event <evt> on NPort <nlp_DID> in state <cur_state> */
 	lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY,
 			 "0211 DSM in event x%x on NPort x%x in "
-			 "state %d Data: x%x\n",
-			 evt, ndlp->nlp_DID, cur_state, ndlp->nlp_flag);
+			 "state %d Data: x%x x%x\n",
+			 evt, ndlp->nlp_DID, cur_state,
+			 ndlp->nlp_flag, ndlp->nlp_fc4_type);
 
 	lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_DSM,
 		 "DSM in:          evt:%d ste:%d did:x%x",
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 232/306] usb: typec: tcpm: charge current handling for sink during hard reset
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 231/306] scsi: lpfc: Correct loss of fc4 type on remote port address change Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 233/306] dlm: fix invalid free Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Badhri Jagan Sridharan, Rob Herring,
	Heikki Krogerus, Sasha Levin

From: Badhri Jagan Sridharan <badhri@google.com>

[ Upstream commit 157c0f2f641a9938382b092c64548ebdabfe25e0 ]

During the initial connect to a non-pd port, sink would hard reset
twice before deeming that the port partner is non-pd. TCPM sets the
the charge path to false during the hard reset. This causes unnecessary
connects/disconnects of charge path and makes port take longer to
charge from the non-pd ports. Avoid this by not setting the charge path
to false unless the partner has already identified to be pd capable.

When partner is a pd port, set the charge path to false in
SNK_HARD_RESET_SINK_OFF. Set the current limits to default value based
of CC pull up and resume the charge path when port enters
SNK_HARD_RESET_SINK_ON.

Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: Rob Herring <robh@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>

--------
Changes in V3:
Rebase on top of usb-next

Changes in V2:
Based on feedback of jackp@codeaurora.org
- vsafe_5v_hard_reset flag from tcpc_config is removed
- Patch only differentiates between pd port partner and non-pd port
partner

V1 version of the patch is here:
https://lkml.org/lkml/2018/9/14/11
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/typec/tcpm.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/typec/tcpm.c b/drivers/usb/typec/tcpm.c
index 819ae3b2bd7e8..39cf190012393 100644
--- a/drivers/usb/typec/tcpm.c
+++ b/drivers/usb/typec/tcpm.c
@@ -3322,7 +3322,8 @@ static void run_state_machine(struct tcpm_port *port)
 	case SNK_HARD_RESET_SINK_OFF:
 		memset(&port->pps_data, 0, sizeof(port->pps_data));
 		tcpm_set_vconn(port, false);
-		tcpm_set_charge(port, false);
+		if (port->pd_capable)
+			tcpm_set_charge(port, false);
 		tcpm_set_roles(port, port->self_powered, TYPEC_SINK,
 			       TYPEC_DEVICE);
 		/*
@@ -3354,6 +3355,12 @@ static void run_state_machine(struct tcpm_port *port)
 		 * Similar, dual-mode ports in source mode should transition
 		 * to PE_SNK_Transition_to_default.
 		 */
+		if (port->pd_capable) {
+			tcpm_set_current_limit(port,
+					       tcpm_get_current_limit(port),
+					       5000);
+			tcpm_set_charge(port, true);
+		}
 		tcpm_set_attached_state(port, true);
 		tcpm_set_state(port, SNK_STARTUP, 0);
 		break;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 233/306] dlm: fix invalid free
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (231 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 232/306] usb: typec: tcpm: charge current handling for sink during hard reset Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 234/306] dlm: dont leak kernel pointer to userspace Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tycho Andersen, David Teigland, Sasha Levin

From: Tycho Andersen <tycho@tycho.ws>

[ Upstream commit d968b4e240cfe39d39d80483bac8bca8716fd93c ]

dlm_config_nodes() does not allocate nodes on failure, so we should not
free() nodes when it fails.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/member.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/dlm/member.c b/fs/dlm/member.c
index 3fda3832cf6a6..cad6d85911a80 100644
--- a/fs/dlm/member.c
+++ b/fs/dlm/member.c
@@ -680,7 +680,7 @@ int dlm_ls_start(struct dlm_ls *ls)
 
 	error = dlm_config_nodes(ls->ls_name, &nodes, &count);
 	if (error < 0)
-		goto fail;
+		goto fail_rv;
 
 	spin_lock(&ls->ls_recover_lock);
 
@@ -712,8 +712,9 @@ int dlm_ls_start(struct dlm_ls *ls)
 	return 0;
 
  fail:
-	kfree(rv);
 	kfree(nodes);
+ fail_rv:
+	kfree(rv);
 	return error;
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 234/306] dlm: dont leak kernel pointer to userspace
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (232 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 233/306] dlm: fix invalid free Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 235/306] vrf: mark skb for multicast or link-local as enslaved to VRF Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tycho Andersen, David Teigland, Sasha Levin

From: Tycho Andersen <tycho@tycho.ws>

[ Upstream commit 9de30f3f7f4d31037cfbb7c787e1089c1944b3a7 ]

In copy_result_to_user(), we first create a struct dlm_lock_result, which
contains a struct dlm_lksb, the last member of which is a pointer to the
lvb. Unfortunately, we copy the entire struct dlm_lksb to the result
struct, which is then copied to userspace at the end of the function,
leaking the contents of sb_lvbptr, which is a valid kernel pointer in some
cases (indeed, later in the same function the data it points to is copied
to userspace).

It is an error to leak kernel pointers to userspace, as it undermines KASLR
protections (see e.g. 65eea8edc31 ("floppy: Do not copy a kernel pointer to
user memory in FDGETPRM ioctl") for another example of this).

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index 2a669390cd7f6..13f29409600bb 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -702,7 +702,7 @@ static int copy_result_to_user(struct dlm_user_args *ua, int compat,
 	result.version[0] = DLM_DEVICE_VERSION_MAJOR;
 	result.version[1] = DLM_DEVICE_VERSION_MINOR;
 	result.version[2] = DLM_DEVICE_VERSION_PATCH;
-	memcpy(&result.lksb, &ua->lksb, sizeof(struct dlm_lksb));
+	memcpy(&result.lksb, &ua->lksb, offsetof(struct dlm_lksb, sb_lvbptr));
 	result.user_lksb = ua->user_lksb;
 
 	/* FIXME: dlm1 provides for the user's bastparam/addr to not be updated
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 235/306] vrf: mark skb for multicast or link-local as enslaved to VRF
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (233 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 234/306] dlm: dont leak kernel pointer to userspace Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 236/306] clk: tegra20: Turn EMC clock gate into divider Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Manning, David Ahern,
	David S. Miller, Sasha Levin

From: Mike Manning <mmanning@vyatta.att-mail.com>

[ Upstream commit 6f12fa775530195a501fb090d092c637f32d0cc5 ]

The skb for packets that are multicast or to a link-local address are
not marked as being enslaved to a VRF, if they are received on a socket
bound to the VRF. This is needed for ND and it is preferable for the
kernel not to have to deal with the additional use-cases if ll or mcast
packets are handled as enslaved. However, this does not allow service
instances listening on unbound and bound to VRF sockets to distinguish
the VRF used, if packets are sent as multicast or to a link-local
address. The fix is for the VRF driver to also mark these skb as being
enslaved to the VRF.

Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Tested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vrf.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 9f895083bc0aa..7f5ee6bb44300 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -993,24 +993,23 @@ static struct sk_buff *vrf_ip6_rcv(struct net_device *vrf_dev,
 				   struct sk_buff *skb)
 {
 	int orig_iif = skb->skb_iif;
-	bool need_strict;
+	bool need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr);
+	bool is_ndisc = ipv6_ndisc_frame(skb);
 
-	/* loopback traffic; do not push through packet taps again.
-	 * Reset pkt_type for upper layers to process skb
+	/* loopback, multicast & non-ND link-local traffic; do not push through
+	 * packet taps again. Reset pkt_type for upper layers to process skb
 	 */
-	if (skb->pkt_type == PACKET_LOOPBACK) {
+	if (skb->pkt_type == PACKET_LOOPBACK || (need_strict && !is_ndisc)) {
 		skb->dev = vrf_dev;
 		skb->skb_iif = vrf_dev->ifindex;
 		IP6CB(skb)->flags |= IP6SKB_L3SLAVE;
-		skb->pkt_type = PACKET_HOST;
+		if (skb->pkt_type == PACKET_LOOPBACK)
+			skb->pkt_type = PACKET_HOST;
 		goto out;
 	}
 
-	/* if packet is NDISC or addressed to multicast or link-local
-	 * then keep the ingress interface
-	 */
-	need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr);
-	if (!ipv6_ndisc_frame(skb) && !need_strict) {
+	/* if packet is NDISC then keep the ingress interface */
+	if (!is_ndisc) {
 		vrf_rx_stats(vrf_dev, skb->len);
 		skb->dev = vrf_dev;
 		skb->skb_iif = vrf_dev->ifindex;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 236/306] clk: tegra20: Turn EMC clock gate into divider
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 235/306] vrf: mark skb for multicast or link-local as enslaved to VRF Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 237/306] ACPICA: Use %d for signed int print formatting instead of %u Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Peter De Schrijver,
	Stephen Boyd, Thierry Reding, Sasha Levin

From: Dmitry Osipenko <digetx@gmail.com>

[ Upstream commit 514fddba845ed3a1b17e01e99cb3a2a52256a88a ]

Kernel should never gate the EMC clock as it causes immediate lockup, so
removing clk-gate functionality doesn't affect anything. Turning EMC clk
gate into divider allows to implement glitch-less EMC scaling, avoiding
reparenting to a backup clock.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com>
Acked-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/tegra/clk-tegra20.c | 36 ++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
index cc857d4d4a86e..68551effb5ca2 100644
--- a/drivers/clk/tegra/clk-tegra20.c
+++ b/drivers/clk/tegra/clk-tegra20.c
@@ -578,7 +578,6 @@ static struct tegra_clk tegra20_clks[tegra_clk_max] __initdata = {
 	[tegra_clk_afi] = { .dt_id = TEGRA20_CLK_AFI, .present = true },
 	[tegra_clk_fuse] = { .dt_id = TEGRA20_CLK_FUSE, .present = true },
 	[tegra_clk_kfuse] = { .dt_id = TEGRA20_CLK_KFUSE, .present = true },
-	[tegra_clk_emc] = { .dt_id = TEGRA20_CLK_EMC, .present = true },
 };
 
 static unsigned long tegra20_clk_measure_input_freq(void)
@@ -799,6 +798,31 @@ static struct tegra_periph_init_data tegra_periph_nodiv_clk_list[] = {
 	TEGRA_INIT_DATA_NODIV("disp2",	mux_pllpdc_clkm, CLK_SOURCE_DISP2, 30, 2, 26,  0, TEGRA20_CLK_DISP2),
 };
 
+static void __init tegra20_emc_clk_init(void)
+{
+	struct clk *clk;
+
+	clk = clk_register_mux(NULL, "emc_mux", mux_pllmcp_clkm,
+			       ARRAY_SIZE(mux_pllmcp_clkm),
+			       CLK_SET_RATE_NO_REPARENT,
+			       clk_base + CLK_SOURCE_EMC,
+			       30, 2, 0, &emc_lock);
+
+	clk = tegra_clk_register_mc("mc", "emc_mux", clk_base + CLK_SOURCE_EMC,
+				    &emc_lock);
+	clks[TEGRA20_CLK_MC] = clk;
+
+	/*
+	 * Note that 'emc_mux' source and 'emc' rate shouldn't be changed at
+	 * the same time due to a HW bug, this won't happen because we're
+	 * defining 'emc_mux' and 'emc' as distinct clocks.
+	 */
+	clk = tegra_clk_register_divider("emc", "emc_mux",
+				clk_base + CLK_SOURCE_EMC, CLK_IS_CRITICAL,
+				TEGRA_DIVIDER_INT, 0, 8, 1, &emc_lock);
+	clks[TEGRA20_CLK_EMC] = clk;
+}
+
 static void __init tegra20_periph_clk_init(void)
 {
 	struct tegra_periph_init_data *data;
@@ -812,15 +836,7 @@ static void __init tegra20_periph_clk_init(void)
 	clks[TEGRA20_CLK_AC97] = clk;
 
 	/* emc */
-	clk = clk_register_mux(NULL, "emc_mux", mux_pllmcp_clkm,
-			       ARRAY_SIZE(mux_pllmcp_clkm),
-			       CLK_SET_RATE_NO_REPARENT,
-			       clk_base + CLK_SOURCE_EMC,
-			       30, 2, 0, &emc_lock);
-
-	clk = tegra_clk_register_mc("mc", "emc_mux", clk_base + CLK_SOURCE_EMC,
-				    &emc_lock);
-	clks[TEGRA20_CLK_MC] = clk;
+	tegra20_emc_clk_init();
 
 	/* dsi */
 	clk = tegra_clk_register_periph_gate("dsi", "pll_d", 0, clk_base, 0,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 237/306] ACPICA: Use %d for signed int print formatting instead of %u
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 236/306] clk: tegra20: Turn EMC clock gate into divider Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 238/306] net: bcmgenet: return correct value ret from bcmgenet_power_down Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Erik Schmauss,
	Rafael J. Wysocki, Sasha Levin

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit f8ddf49b420112e28bdd23d7ad52d7991a0ccbe3 ]

Fix warnings found using static analysis with cppcheck, use %d printf
format specifier for signed ints rather than %u

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/power/acpi/tools/acpidump/apmain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/power/acpi/tools/acpidump/apmain.c b/tools/power/acpi/tools/acpidump/apmain.c
index db213171f8d99..2d9b94b631cb9 100644
--- a/tools/power/acpi/tools/acpidump/apmain.c
+++ b/tools/power/acpi/tools/acpidump/apmain.c
@@ -106,7 +106,7 @@ static int ap_insert_action(char *argument, u32 to_be_done)
 
 	current_action++;
 	if (current_action > AP_MAX_ACTIONS) {
-		fprintf(stderr, "Too many table options (max %u)\n",
+		fprintf(stderr, "Too many table options (max %d)\n",
 			AP_MAX_ACTIONS);
 		return (-1);
 	}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 238/306] net: bcmgenet: return correct value ret from bcmgenet_power_down
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 237/306] ACPICA: Use %d for signed int print formatting instead of %u Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 239/306] sock: Reset dst when changing sk_mark via setsockopt Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, David S. Miller, Sasha Levin

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit 0db55093b56618088b9a1d445eb6e43b311bea33 ]

Fixes gcc '-Wunused-but-set-variable' warning:

drivers/net/ethernet/broadcom/genet/bcmgenet.c: In function 'bcmgenet_power_down':
drivers/net/ethernet/broadcom/genet/bcmgenet.c:1136:6: warning:
 variable 'ret' set but not used [-Wunused-but-set-variable]

bcmgenet_power_down should return 'ret' instead of 0.

Fixes: ca8cf341903f ("net: bcmgenet: propagate errors from bcmgenet_power_down")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index bb60104b4f805..338d223804343 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1169,7 +1169,7 @@ static int bcmgenet_power_down(struct bcmgenet_priv *priv,
 		break;
 	}
 
-	return 0;
+	return ret;
 }
 
 static void bcmgenet_power_up(struct bcmgenet_priv *priv,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 239/306] sock: Reset dst when changing sk_mark via setsockopt
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (237 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 238/306] net: bcmgenet: return correct value ret from bcmgenet_power_down Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 240/306] of: unittest: allow base devicetree to have symbol metadata Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Barmann, Eric Dumazet,
	David S. Miller, Sasha Levin

From: David Barmann <david.barmann@stackpath.com>

[ Upstream commit 50254256f382c56bde87d970f3d0d02fdb76ec70 ]

When setting the SO_MARK socket option, if the mark changes, the dst
needs to be reset so that a new route lookup is performed.

This fixes the case where an application wants to change routing by
setting a new sk_mark.  If this is done after some packets have already
been sent, the dst is cached and has no effect.

Signed-off-by: David Barmann <david.barmann@stackpath.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/sock.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index ba4f843cdd1d1..948fd687292a6 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -951,10 +951,12 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
 			clear_bit(SOCK_PASSSEC, &sock->flags);
 		break;
 	case SO_MARK:
-		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
+		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
 			ret = -EPERM;
-		else
+		} else if (val != sk->sk_mark) {
 			sk->sk_mark = val;
+			sk_dst_reset(sk);
+		}
 		break;
 
 	case SO_RXQ_OVFL:
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 240/306] of: unittest: allow base devicetree to have symbol metadata
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (238 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 239/306] sock: Reset dst when changing sk_mark via setsockopt Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 241/306] of: unittest: initialize args before calling of_*parse_*() Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Tull, Frank Rowand, Sasha Levin

From: Frank Rowand <frank.rowand@sony.com>

[ Upstream commit 5babefb7f7ab1f23861336d511cc666fa45ede82 ]

The overlay metadata nodes in the FDT created from testcases.dts
are not handled properly.

The __fixups__ and __local_fixups__ node were added to the live
devicetree, but should not be.

Only the first property in the /__symbols__ node was added to the
live devicetree if the live devicetree already contained a
/__symbols node.  All of the node's properties must be added.

Tested-by: Alan Tull <atull@kernel.org>
Signed-off-by: Frank Rowand <frank.rowand@sony.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/of/unittest.c | 43 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
index bac4b4bbc33de..e8997cdb228cb 100644
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -1067,20 +1067,44 @@ static void __init of_unittest_platform_populate(void)
  *	of np into dup node (present in live tree) and
  *	updates parent of children of np to dup.
  *
- *	@np:	node already present in live tree
+ *	@np:	node whose properties are being added to the live tree
  *	@dup:	node present in live tree to be updated
  */
 static void update_node_properties(struct device_node *np,
 					struct device_node *dup)
 {
 	struct property *prop;
+	struct property *save_next;
 	struct device_node *child;
-
-	for_each_property_of_node(np, prop)
-		of_add_property(dup, prop);
+	int ret;
 
 	for_each_child_of_node(np, child)
 		child->parent = dup;
+
+	/*
+	 * "unittest internal error: unable to add testdata property"
+	 *
+	 *    If this message reports a property in node '/__symbols__' then
+	 *    the respective unittest overlay contains a label that has the
+	 *    same name as a label in the live devicetree.  The label will
+	 *    be in the live devicetree only if the devicetree source was
+	 *    compiled with the '-@' option.  If you encounter this error,
+	 *    please consider renaming __all__ of the labels in the unittest
+	 *    overlay dts files with an odd prefix that is unlikely to be
+	 *    used in a real devicetree.
+	 */
+
+	/*
+	 * open code for_each_property_of_node() because of_add_property()
+	 * sets prop->next to NULL
+	 */
+	for (prop = np->properties; prop != NULL; prop = save_next) {
+		save_next = prop->next;
+		ret = of_add_property(dup, prop);
+		if (ret)
+			pr_err("unittest internal error: unable to add testdata property %pOF/%s",
+			       np, prop->name);
+	}
 }
 
 /**
@@ -1089,18 +1113,23 @@ static void update_node_properties(struct device_node *np,
  *
  *	@np:	Node to attach to live tree
  */
-static int attach_node_and_children(struct device_node *np)
+static void attach_node_and_children(struct device_node *np)
 {
 	struct device_node *next, *dup, *child;
 	unsigned long flags;
 	const char *full_name;
 
 	full_name = kasprintf(GFP_KERNEL, "%pOF", np);
+
+	if (!strcmp(full_name, "/__local_fixups__") ||
+	    !strcmp(full_name, "/__fixups__"))
+		return;
+
 	dup = of_find_node_by_path(full_name);
 	kfree(full_name);
 	if (dup) {
 		update_node_properties(np, dup);
-		return 0;
+		return;
 	}
 
 	child = np->child;
@@ -1121,8 +1150,6 @@ static int attach_node_and_children(struct device_node *np)
 		attach_node_and_children(child);
 		child = next;
 	}
-
-	return 0;
 }
 
 /**
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 241/306] of: unittest: initialize args before calling of_*parse_*()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (239 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 240/306] of: unittest: allow base devicetree to have symbol metadata Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 242/306] tools: bpftool: pass an argument to silence open_obj_pinned() Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Alan Tull,
	Frank Rowand, Sasha Levin

From: Frank Rowand <frank.rowand@sony.com>

[ Upstream commit eeb07c573ec307c53fe2f6ac6d8d11c261f64006 ]

Callers of of_irq_parse_one() blindly use the pointer args.np
without checking whether of_irq_parse_one() had an error and
thus did not set the value of args.np.  Initialize args to
zero so that using the format "%pOF" to show the value of
args.np will show "(null)" when of_irq_parse_one() has an
error.  This prevents the dereference of a random value.

Make the same fix for callers of of_parse_phandle_with_args()
and of_parse_phandle_with_args_map().

Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Alan Tull <atull@kernel.org>
Signed-off-by: Frank Rowand <frank.rowand@sony.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/of/unittest.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
index e8997cdb228cb..68f52966bbc04 100644
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -375,6 +375,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
 	for (i = 0; i < 8; i++) {
 		bool passed = true;
 
+		memset(&args, 0, sizeof(args));
 		rc = of_parse_phandle_with_args(np, "phandle-list",
 						"#phandle-cells", i, &args);
 
@@ -428,6 +429,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
 	}
 
 	/* Check for missing list property */
+	memset(&args, 0, sizeof(args));
 	rc = of_parse_phandle_with_args(np, "phandle-list-missing",
 					"#phandle-cells", 0, &args);
 	unittest(rc == -ENOENT, "expected:%i got:%i\n", -ENOENT, rc);
@@ -436,6 +438,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
 	unittest(rc == -ENOENT, "expected:%i got:%i\n", -ENOENT, rc);
 
 	/* Check for missing cells property */
+	memset(&args, 0, sizeof(args));
 	rc = of_parse_phandle_with_args(np, "phandle-list",
 					"#phandle-cells-missing", 0, &args);
 	unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
@@ -444,6 +447,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
 	unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
 
 	/* Check for bad phandle in list */
+	memset(&args, 0, sizeof(args));
 	rc = of_parse_phandle_with_args(np, "phandle-list-bad-phandle",
 					"#phandle-cells", 0, &args);
 	unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
@@ -452,6 +456,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
 	unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
 
 	/* Check for incorrectly formed argument list */
+	memset(&args, 0, sizeof(args));
 	rc = of_parse_phandle_with_args(np, "phandle-list-bad-args",
 					"#phandle-cells", 1, &args);
 	unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
@@ -502,6 +507,7 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
 	for (i = 0; i < 8; i++) {
 		bool passed = true;
 
+		memset(&args, 0, sizeof(args));
 		rc = of_parse_phandle_with_args_map(np, "phandle-list",
 						    "phandle", i, &args);
 
@@ -559,21 +565,25 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
 	}
 
 	/* Check for missing list property */
+	memset(&args, 0, sizeof(args));
 	rc = of_parse_phandle_with_args_map(np, "phandle-list-missing",
 					    "phandle", 0, &args);
 	unittest(rc == -ENOENT, "expected:%i got:%i\n", -ENOENT, rc);
 
 	/* Check for missing cells,map,mask property */
+	memset(&args, 0, sizeof(args));
 	rc = of_parse_phandle_with_args_map(np, "phandle-list",
 					    "phandle-missing", 0, &args);
 	unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
 
 	/* Check for bad phandle in list */
+	memset(&args, 0, sizeof(args));
 	rc = of_parse_phandle_with_args_map(np, "phandle-list-bad-phandle",
 					    "phandle", 0, &args);
 	unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
 
 	/* Check for incorrectly formed argument list */
+	memset(&args, 0, sizeof(args));
 	rc = of_parse_phandle_with_args_map(np, "phandle-list-bad-args",
 					    "phandle", 1, &args);
 	unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
@@ -783,7 +793,7 @@ static void __init of_unittest_parse_interrupts(void)
 	for (i = 0; i < 4; i++) {
 		bool passed = true;
 
-		args.args_count = 0;
+		memset(&args, 0, sizeof(args));
 		rc = of_irq_parse_one(np, i, &args);
 
 		passed &= !rc;
@@ -804,7 +814,7 @@ static void __init of_unittest_parse_interrupts(void)
 	for (i = 0; i < 4; i++) {
 		bool passed = true;
 
-		args.args_count = 0;
+		memset(&args, 0, sizeof(args));
 		rc = of_irq_parse_one(np, i, &args);
 
 		/* Test the values from tests-phandle.dtsi */
@@ -860,6 +870,7 @@ static void __init of_unittest_parse_interrupts_extended(void)
 	for (i = 0; i < 7; i++) {
 		bool passed = true;
 
+		memset(&args, 0, sizeof(args));
 		rc = of_irq_parse_one(np, i, &args);
 
 		/* Test the values from tests-phandle.dtsi */
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 242/306] tools: bpftool: pass an argument to silence open_obj_pinned()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (240 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 241/306] of: unittest: initialize args before calling of_*parse_*() Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 243/306] cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quentin Monnet, Jakub Kicinski,
	Daniel Borkmann, Sasha Levin

From: Quentin Monnet <quentin.monnet@netronome.com>

[ Upstream commit f120919f9905a2cad9dea792a28a11fb623f72c1 ]

Function open_obj_pinned() prints error messages when it fails to open a
link in the BPF virtual file system. However, in some occasions it is
not desirable to print an error, for example when we parse all links
under the bpffs root, and the error is due to some paths actually being
symbolic links.

Example output:

    # ls -l /sys/fs/bpf/
    lrwxrwxrwx 1 root root 0 Oct 18 19:00 ip -> /sys/fs/bpf/tc/
    drwx------ 3 root root 0 Oct 18 19:00 tc
    lrwxrwxrwx 1 root root 0 Oct 18 19:00 xdp -> /sys/fs/bpf/tc/

    # bpftool --bpffs prog show
    Error: bpf obj get (/sys/fs/bpf): Permission denied
    Error: bpf obj get (/sys/fs/bpf): Permission denied

    # strace -e bpf bpftool --bpffs prog show
    bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/ip", bpf_fd=0}, 72) = -1 EACCES (Permission denied)
    Error: bpf obj get (/sys/fs/bpf): Permission denied
    bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/xdp", bpf_fd=0}, 72) = -1 EACCES (Permission denied)
    Error: bpf obj get (/sys/fs/bpf): Permission denied
    ...

To fix it, pass a bool as a second argument to the function, and prevent
it from printing an error when the argument is set to true.

Signed-off-by: Quentin Monnet <quentin.monnet@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/bpf/bpftool/common.c | 15 ++++++++-------
 tools/bpf/bpftool/main.h   |  2 +-
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
index be7aebff0c1e5..158469f57461d 100644
--- a/tools/bpf/bpftool/common.c
+++ b/tools/bpf/bpftool/common.c
@@ -130,16 +130,17 @@ static int mnt_bpffs(const char *target, char *buff, size_t bufflen)
 	return 0;
 }
 
-int open_obj_pinned(char *path)
+int open_obj_pinned(char *path, bool quiet)
 {
 	int fd;
 
 	fd = bpf_obj_get(path);
 	if (fd < 0) {
-		p_err("bpf obj get (%s): %s", path,
-		      errno == EACCES && !is_bpffs(dirname(path)) ?
-		    "directory not in bpf file system (bpffs)" :
-		    strerror(errno));
+		if (!quiet)
+			p_err("bpf obj get (%s): %s", path,
+			      errno == EACCES && !is_bpffs(dirname(path)) ?
+			    "directory not in bpf file system (bpffs)" :
+			    strerror(errno));
 		return -1;
 	}
 
@@ -151,7 +152,7 @@ int open_obj_pinned_any(char *path, enum bpf_obj_type exp_type)
 	enum bpf_obj_type type;
 	int fd;
 
-	fd = open_obj_pinned(path);
+	fd = open_obj_pinned(path, false);
 	if (fd < 0)
 		return -1;
 
@@ -384,7 +385,7 @@ int build_pinned_obj_table(struct pinned_obj_table *tab,
 		while ((ftse = fts_read(fts))) {
 			if (!(ftse->fts_info & FTS_F))
 				continue;
-			fd = open_obj_pinned(ftse->fts_path);
+			fd = open_obj_pinned(ftse->fts_path, true);
 			if (fd < 0)
 				continue;
 
diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
index 238e734d75b3e..057a227bdb9f9 100644
--- a/tools/bpf/bpftool/main.h
+++ b/tools/bpf/bpftool/main.h
@@ -126,7 +126,7 @@ int cmd_select(const struct cmd *cmds, int argc, char **argv,
 int get_fd_type(int fd);
 const char *get_fd_type_name(enum bpf_obj_type type);
 char *get_fdinfo(int fd, const char *key);
-int open_obj_pinned(char *path);
+int open_obj_pinned(char *path, bool quiet);
 int open_obj_pinned_any(char *path, enum bpf_obj_type exp_type);
 int do_pin_any(int argc, char **argv, int (*get_fd_by_id)(__u32));
 int do_pin_fd(int fd, const char *name);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 243/306] cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (241 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 242/306] tools: bpftool: pass an argument to silence open_obj_pinned() Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 244/306] pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sriram R, Johannes Berg, Sasha Levin

From: Sriram R <srirrama@codeaurora.org>

[ Upstream commit 113f3aaa81bd56aba02659786ed65cbd9cb9a6fc ]

Currently when an AP and STA interfaces are active in the same or different
radios, regulatory settings are restored whenever the STA disconnects. This
restores all channel information including dfs states in all radios.
For example, if an AP interface is active in one radio and STA in another,
when radar is detected on the AP interface, the dfs state of the channel
will be changed to UNAVAILABLE. But when the STA interface disconnects,
this issues a regulatory disconnect hint which restores all regulatory
settings in all the radios attached and thereby losing the stored dfs
state on the other radio where the channel was marked as unavailable
earlier. Hence prevent such regulatory restore whenever another active
beaconing interface is present in the same or other radios.

Signed-off-by: Sriram R <srirrama@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/sme.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index d536b07582f8c..c7047c7b4e80f 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -642,11 +642,15 @@ static bool cfg80211_is_all_idle(void)
 	 * All devices must be idle as otherwise if you are actively
 	 * scanning some new beacon hints could be learned and would
 	 * count as new regulatory hints.
+	 * Also if there is any other active beaconing interface we
+	 * need not issue a disconnect hint and reset any info such
+	 * as chan dfs state, etc.
 	 */
 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
 			wdev_lock(wdev);
-			if (wdev->conn || wdev->current_bss)
+			if (wdev->conn || wdev->current_bss ||
+			    cfg80211_beaconing_iface_active(wdev))
 				is_all_idle = false;
 			wdev_unlock(wdev);
 		}
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 244/306] pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (242 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 243/306] cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 245/306] pinctrl: bcm2835: Use define directive for BCM2835_PINCONF_PARAM_PULL Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Masney, Linus Walleij, Sasha Levin

From: Brian Masney <masneyb@onstation.org>

[ Upstream commit 149a96047237574b756d872007c006acd0cc6687 ]

When attempting to setup up a gpio hog, device probing would repeatedly
fail with -EPROBE_DEFERED errors. It was caused by a circular dependency
between the gpio and pinctrl frameworks. If the gpio-ranges property is
present in device tree, then the gpio framework will handle the gpio pin
registration and eliminate the circular dependency.

See Christian Lamparter's commit a86caa9ba5d7 ("pinctrl: msm: fix
gpio-hog related boot issues") for a detailed commit message that
explains the issue in much more detail. The code comment in this commit
came from Christian's commit.

Signed-off-by: Brian Masney <masneyb@onstation.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
index cf82db78e69e6..0c30f5eb4c714 100644
--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
@@ -1028,10 +1028,23 @@ static int pmic_gpio_probe(struct platform_device *pdev)
 		return ret;
 	}
 
-	ret = gpiochip_add_pin_range(&state->chip, dev_name(dev), 0, 0, npins);
-	if (ret) {
-		dev_err(dev, "failed to add pin range\n");
-		goto err_range;
+	/*
+	 * For DeviceTree-supported systems, the gpio core checks the
+	 * pinctrl's device node for the "gpio-ranges" property.
+	 * If it is present, it takes care of adding the pin ranges
+	 * for the driver. In this case the driver can skip ahead.
+	 *
+	 * In order to remain compatible with older, existing DeviceTree
+	 * files which don't set the "gpio-ranges" property or systems that
+	 * utilize ACPI the driver has to call gpiochip_add_pin_range().
+	 */
+	if (!of_property_read_bool(dev->of_node, "gpio-ranges")) {
+		ret = gpiochip_add_pin_range(&state->chip, dev_name(dev), 0, 0,
+					     npins);
+		if (ret) {
+			dev_err(dev, "failed to add pin range\n");
+			goto err_range;
+		}
 	}
 
 	return 0;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 245/306] pinctrl: bcm2835: Use define directive for BCM2835_PINCONF_PARAM_PULL
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (243 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 244/306] pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 246/306] pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Stefan Wahren,
	Linus Walleij, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit b40ac08ff886302a6aa457fd72e94a969f50e245 ]

Clang warns when one enumerated type is implicitly converted to another:

drivers/pinctrl/bcm/pinctrl-bcm2835.c:707:40: warning: implicit
conversion from enumeration type 'enum bcm2835_pinconf_param' to
different enumeration type 'enum pin_config_param' [-Wenum-conversion]
        configs[0] = pinconf_to_config_packed(BCM2835_PINCONF_PARAM_PULL, pull);
                     ~~~~~~~~~~~~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

It is expected that pinctrl drivers can extend pin_config_param because
of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
isn't an issue. Most drivers that take advantage of this define the
PIN_CONFIG variables as constants, rather than enumerated values. Do the
same thing here so that Clang no longer warns.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/bcm/pinctrl-bcm2835.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/pinctrl/bcm/pinctrl-bcm2835.c b/drivers/pinctrl/bcm/pinctrl-bcm2835.c
index 08925d24180b0..1bd3c10ce1893 100644
--- a/drivers/pinctrl/bcm/pinctrl-bcm2835.c
+++ b/drivers/pinctrl/bcm/pinctrl-bcm2835.c
@@ -72,10 +72,8 @@
 #define GPIO_REG_OFFSET(p)	((p) / 32)
 #define GPIO_REG_SHIFT(p)	((p) % 32)
 
-enum bcm2835_pinconf_param {
-	/* argument: bcm2835_pinconf_pull */
-	BCM2835_PINCONF_PARAM_PULL = (PIN_CONFIG_END + 1),
-};
+/* argument: bcm2835_pinconf_pull */
+#define BCM2835_PINCONF_PARAM_PULL	(PIN_CONFIG_END + 1)
 
 struct bcm2835_pinctrl {
 	struct device *dev;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 246/306] pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (244 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 245/306] pinctrl: bcm2835: Use define directive for BCM2835_PINCONF_PARAM_PULL Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 247/306] pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Linus Walleij,
	Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit f24bfb39975c241374cadebbd037c17960cf1412 ]

Clang warns when one enumerated type is implicitly converted to another:

drivers/pinctrl/pinctrl-lpc18xx.c:643:29: warning: implicit conversion
from enumeration type 'enum lpc18xx_pin_config_param' to different
enumeration type 'enum pin_config_param' [-Wenum-conversion]
        {"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0},
        ~                          ^~~~~~~~~~~~~~~~~~~~~~~
drivers/pinctrl/pinctrl-lpc18xx.c:648:12: warning: implicit conversion
from enumeration type 'enum lpc18xx_pin_config_param' to different
enumeration type 'enum pin_config_param' [-Wenum-conversion]
        PCONFDUMP(PIN_CONFIG_GPIO_PIN_INT, "gpio pin int", NULL, true),
        ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from
macro 'PCONFDUMP'
        .param = a, .display = b, .format = c, .has_arg = d     \
                 ^
2 warnings generated.

It is expected that pinctrl drivers can extend pin_config_param because
of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
isn't an issue. Most drivers that take advantage of this define the
PIN_CONFIG variables as constants, rather than enumerated values. Do the
same thing here so that Clang no longer warns.

Link: https://github.com/ClangBuiltLinux/linux/issues/140
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/pinctrl-lpc18xx.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/drivers/pinctrl/pinctrl-lpc18xx.c b/drivers/pinctrl/pinctrl-lpc18xx.c
index 190f17e4bbdaf..1d3b88e6ab862 100644
--- a/drivers/pinctrl/pinctrl-lpc18xx.c
+++ b/drivers/pinctrl/pinctrl-lpc18xx.c
@@ -630,14 +630,8 @@ static const struct pinctrl_pin_desc lpc18xx_pins[] = {
 	LPC18XX_PIN(i2c0_sda, PIN_I2C0_SDA),
 };
 
-/**
- * enum lpc18xx_pin_config_param - possible pin configuration parameters
- * @PIN_CONFIG_GPIO_PIN_INT: route gpio to the gpio pin interrupt
- * 	controller.
- */
-enum lpc18xx_pin_config_param {
-	PIN_CONFIG_GPIO_PIN_INT = PIN_CONFIG_END + 1,
-};
+/* PIN_CONFIG_GPIO_PIN_INT: route gpio to the gpio pin interrupt controller */
+#define PIN_CONFIG_GPIO_PIN_INT		(PIN_CONFIG_END + 1)
 
 static const struct pinconf_generic_params lpc18xx_params[] = {
 	{"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0},
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 247/306] pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (245 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 246/306] pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 248/306] PCI: keystone: Use quirk to limit MRRS for K2G Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Michal Simek,
	Linus Walleij, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit cd8a145a066a1a3beb0ae615c7cb2ee4217418d7 ]

Clang warns when one enumerated type is implicitly converted to another:

drivers/pinctrl/pinctrl-zynq.c:985:18: warning: implicit conversion from
enumeration type 'enum zynq_pin_config_param' to different enumeration
type 'enum pin_config_param' [-Wenum-conversion]
        {"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18},
        ~               ^~~~~~~~~~~~~~~~~~~~~
drivers/pinctrl/pinctrl-zynq.c:990:16: warning: implicit conversion from
enumeration type 'enum zynq_pin_config_param' to different enumeration
type 'enum pin_config_param' [-Wenum-conversion]
        = { PCONFDUMP(PIN_CONFIG_IOSTANDARD, "IO-standard", NULL, true),
            ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from
macro 'PCONFDUMP'
        .param = a, .display = b, .format = c, .has_arg = d     \
                 ^
2 warnings generated.

It is expected that pinctrl drivers can extend pin_config_param because
of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
isn't an issue. Most drivers that take advantage of this define the
PIN_CONFIG variables as constants, rather than enumerated values. Do the
same thing here so that Clang no longer warns.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/pinctrl-zynq.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/pinctrl/pinctrl-zynq.c b/drivers/pinctrl/pinctrl-zynq.c
index a0daf27042bd0..90fd37e8207bf 100644
--- a/drivers/pinctrl/pinctrl-zynq.c
+++ b/drivers/pinctrl/pinctrl-zynq.c
@@ -971,15 +971,12 @@ enum zynq_io_standards {
 	zynq_iostd_max
 };
 
-/**
- * enum zynq_pin_config_param - possible pin configuration parameters
- * @PIN_CONFIG_IOSTANDARD: if the pin can select an IO standard, the argument to
+/*
+ * PIN_CONFIG_IOSTANDARD: if the pin can select an IO standard, the argument to
  *	this parameter (on a custom format) tells the driver which alternative
  *	IO standard to use.
  */
-enum zynq_pin_config_param {
-	PIN_CONFIG_IOSTANDARD = PIN_CONFIG_END + 1,
-};
+#define PIN_CONFIG_IOSTANDARD		(PIN_CONFIG_END + 1)
 
 static const struct pinconf_generic_params zynq_dt_params[] = {
 	{"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18},
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 248/306] PCI: keystone: Use quirk to limit MRRS for K2G
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (246 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 247/306] pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 249/306] nvme-pci: fix surprise removal Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kishon Vijay Abraham I,
	Lorenzo Pieralisi, Sasha Levin

From: Kishon Vijay Abraham I <kishon@ti.com>

[ Upstream commit 148e340c0696369fadbbddc8f4bef801ed247d71 ]

PCI controller in K2G also has a limitation that memory read request
size (MRRS) must not exceed 256 bytes. Use the quirk to limit MRRS
(added for K2HK, K2L and K2E) for K2G as well.

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/controller/dwc/pci-keystone.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
index 5e199e7d2d4fd..765357b87ff69 100644
--- a/drivers/pci/controller/dwc/pci-keystone.c
+++ b/drivers/pci/controller/dwc/pci-keystone.c
@@ -36,6 +36,7 @@
 #define PCIE_RC_K2HK		0xb008
 #define PCIE_RC_K2E		0xb009
 #define PCIE_RC_K2L		0xb00a
+#define PCIE_RC_K2G		0xb00b
 
 #define to_keystone_pcie(x)	dev_get_drvdata((x)->dev)
 
@@ -50,6 +51,8 @@ static void quirk_limit_mrrs(struct pci_dev *dev)
 		 .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
 		{ PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2L),
 		 .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+		{ PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2G),
+		 .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
 		{ 0, },
 	};
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 249/306] nvme-pci: fix surprise removal
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (247 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 248/306] PCI: keystone: Use quirk to limit MRRS for K2G Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 250/306] spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Igor Konopko, Keith Busch,
	Christoph Hellwig, Sasha Levin

From: Igor Konopko <igor.j.konopko@intel.com>

[ Upstream commit 751a0cc0cd3a0d51e6aaf6fd3b8bd31f4ecfaf3e ]

When a PCIe NVMe device is not present, nvme_dev_remove_admin() calls
blk_cleanup_queue() on the admin queue, which frees the hctx for that
queue.  Moments later, on the same path nvme_kill_queues() calls
blk_mq_unquiesce_queue() on admin queue and tries to access hctx of it,
which leads to following OOPS:

Oops: 0000 [#1] SMP PTI
RIP: 0010:sbitmap_any_bit_set+0xb/0x40
Call Trace:
 blk_mq_run_hw_queue+0xd5/0x150
 blk_mq_run_hw_queues+0x3a/0x50
 nvme_kill_queues+0x26/0x50
 nvme_remove_namespaces+0xb2/0xc0
 nvme_remove+0x60/0x140
 pci_device_remove+0x3b/0xb0

Fixes: cb4bfda62afa2 ("nvme-pci: fix hot removal during error handling")
Signed-off-by: Igor Konopko <igor.j.konopko@intel.com>
Reviewed-by: Keith Busch <keith.busch@intel.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 5d0f99bcc987f..44da9fe5b27b8 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -3647,7 +3647,7 @@ void nvme_kill_queues(struct nvme_ctrl *ctrl)
 	down_read(&ctrl->namespaces_rwsem);
 
 	/* Forcibly unquiesce queues to avoid blocking dispatch */
-	if (ctrl->admin_q)
+	if (ctrl->admin_q && !blk_queue_dying(ctrl->admin_q))
 		blk_mq_unquiesce_queue(ctrl->admin_q);
 
 	list_for_each_entry(ns, &ctrl->namespaces, list)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 250/306] spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (248 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 249/306] nvme-pci: fix surprise removal Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 251/306] i2c: uniphier-f: fix timeout error after reading 8 bytes Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Lechner, Vignesh R, Mark Brown,
	Sasha Levin

From: Vignesh R <vigneshr@ti.com>

[ Upstream commit baf8b9f8d260c55a86405f70a384c29cda888476 ]

Commit b682cffa3ac6 ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length")
broke SPI transfers where bits_per_word != 8. This is because of
mimsatch between McSPI FIFO level event trigger size (SPI word length) and
DMA request size(word length * maxburst). This leads to data
corruption, lockup and errors like:

	spi1.0: EOW timed out

Fix this by setting DMA maxburst size to 1 so that
McSPI FIFO level event trigger size matches DMA request size.

Fixes: b682cffa3ac6 ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length")
Cc: stable@vger.kernel.org
Reported-by: David Lechner <david@lechnology.com>
Tested-by: David Lechner <david@lechnology.com>
Signed-off-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-omap2-mcspi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
index f50cb8a4b4138..eb2d2de172af3 100644
--- a/drivers/spi/spi-omap2-mcspi.c
+++ b/drivers/spi/spi-omap2-mcspi.c
@@ -607,8 +607,8 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
 	cfg.dst_addr = cs->phys + OMAP2_MCSPI_TX0;
 	cfg.src_addr_width = width;
 	cfg.dst_addr_width = width;
-	cfg.src_maxburst = es;
-	cfg.dst_maxburst = es;
+	cfg.src_maxburst = 1;
+	cfg.dst_maxburst = 1;
 
 	rx = xfer->rx_buf;
 	tx = xfer->tx_buf;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 251/306] i2c: uniphier-f: fix timeout error after reading 8 bytes
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (249 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 250/306] spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 252/306] mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Wolfram Sang, Sasha Levin

From: Masahiro Yamada <yamada.masahiro@socionext.com>

[ Upstream commit c2a653deaa81f5a750c0dfcbaf9f8e5195cbe4a5 ]

I was totally screwed up in commit eaba68785c2d ("i2c: uniphier-f:
fix race condition when IRQ is cleared"). Since that commit, if the
number of read bytes is multiple of the FIFO size (8, 16, 24... bytes),
the STOP condition could be issued twice, depending on the timing.
If this happens, the controller will go wrong, resulting in the timeout
error.

It was more than 3 years ago when I wrote this driver, so my memory
about this hardware was vague. Please let me correct the description
in the commit log of eaba68785c2d.

Clearing the IRQ status on exiting the IRQ handler is absolutely
fine. This controller makes a pause while any IRQ status is asserted.
If the IRQ status is cleared first, the hardware may start the next
transaction before the IRQ handler finishes what it supposed to do.

This partially reverts the bad commit with clear comments so that I
will never repeat this mistake.

I also investigated what is happening at the last moment of the read
mode. The UNIPHIER_FI2C_INT_RF interrupt is asserted a bit earlier
(by half a period of the clock cycle) than UNIPHIER_FI2C_INT_RB.

I consulted a hardware engineer, and I got the following information:

UNIPHIER_FI2C_INT_RF
    asserted at the falling edge of SCL at the 8th bit.

UNIPHIER_FI2C_INT_RB
    asserted at the rising edge of SCL at the 9th (ACK) bit.

In order to avoid calling uniphier_fi2c_stop() twice, check the latter
interrupt. I also commented this because it is obscure hardware internal.

Fixes: eaba68785c2d ("i2c: uniphier-f: fix race condition when IRQ is cleared")
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-uniphier-f.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/i2c/busses/i2c-uniphier-f.c b/drivers/i2c/busses/i2c-uniphier-f.c
index 928ea9930d17e..dd0687e36a47b 100644
--- a/drivers/i2c/busses/i2c-uniphier-f.c
+++ b/drivers/i2c/busses/i2c-uniphier-f.c
@@ -173,8 +173,6 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 		"interrupt: enabled_irqs=%04x, irq_status=%04x\n",
 		priv->enabled_irqs, irq_status);
 
-	uniphier_fi2c_clear_irqs(priv, irq_status);
-
 	if (irq_status & UNIPHIER_FI2C_INT_STOP)
 		goto complete;
 
@@ -214,7 +212,13 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 
 	if (irq_status & (UNIPHIER_FI2C_INT_RF | UNIPHIER_FI2C_INT_RB)) {
 		uniphier_fi2c_drain_rxfifo(priv);
-		if (!priv->len)
+		/*
+		 * If the number of bytes to read is multiple of the FIFO size
+		 * (msg->len == 8, 16, 24, ...), the INT_RF bit is set a little
+		 * earlier than INT_RB. We wait for INT_RB to confirm the
+		 * completion of the current message.
+		 */
+		if (!priv->len && (irq_status & UNIPHIER_FI2C_INT_RB))
 			goto data_done;
 
 		if (unlikely(priv->flags & UNIPHIER_FI2C_MANUAL_NACK)) {
@@ -253,6 +257,13 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
 	}
 
 handled:
+	/*
+	 * This controller makes a pause while any bit of the IRQ status is
+	 * asserted. Clear the asserted bit to kick the controller just before
+	 * exiting the handler.
+	 */
+	uniphier_fi2c_clear_irqs(priv, irq_status);
+
 	spin_unlock(&priv->lock);
 
 	return IRQ_HANDLED;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 252/306] mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (250 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 251/306] i2c: uniphier-f: fix timeout error after reading 8 bytes Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 253/306] ipv6: Fix handling of LLA with VRF and sockets bound to VRF Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang yingliang, zhong jiang,
	Oscar Salvador, David Hildenbrand, Michal Hocko, Sasha Levin

From: zhong jiang <zhongjiang@huawei.com>

[ Upstream commit d2ab99403ee00d8014e651728a4702ea1ae5e52c ]

When adding the memory by probing memory block in sysfs interface, there is an
obvious issue that we will unlock the device_hotplug_lock when fails to takes it.

That issue was introduced in Commit 8df1d0e4a265
("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")

We should drop out in time when fails to take the device_hotplug_lock.

Fixes: 8df1d0e4a265 ("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")
Reported-by: Yang yingliang <yangyingliang@huawei.com>
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Reviewed-by: David Hildenbrand <david@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/memory.c b/drivers/base/memory.c
index 0f8e77f78cc80..ac1574a696100 100644
--- a/drivers/base/memory.c
+++ b/drivers/base/memory.c
@@ -510,7 +510,7 @@ memory_probe_store(struct device *dev, struct device_attribute *attr,
 
 	ret = lock_device_hotplug_sysfs();
 	if (ret)
-		goto out;
+		return ret;
 
 	nid = memory_add_physaddr_to_nid(phys_addr);
 	ret = __add_memory(nid, phys_addr,
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 253/306] ipv6: Fix handling of LLA with VRF and sockets bound to VRF
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (251 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 252/306] mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 254/306] cfg80211: call disconnect_wk when AP stops Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Donald Sharp, Mike Manning,
	David Ahern, David S. Miller, Sasha Levin

From: David Ahern <dsahern@gmail.com>

[ Upstream commit c2027d1e17582903e368abf5d4838b22a98f2b7b ]

A recent commit allows sockets bound to a VRF to receive ipv6 link local
packets. However, it only works for UDP and worse TCP connection attempts
to the LLA with the only listener bound to the VRF just hang where as
before the client gets a reset and connection refused. Fix by adjusting
ir_iif for LL addresses and packets received through a device enslaved
to a VRF.

Fixes: 6f12fa775530 ("vrf: mark skb for multicast or link-local as enslaved to VRF")
Reported-by: Donald Sharp <sharpd@cumulusnetworks.com>
Cc: Mike Manning <mmanning@vyatta.att-mail.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/tcp_ipv6.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index e7cdfa92c3820..9a117a79af659 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -734,6 +734,7 @@ static void tcp_v6_init_req(struct request_sock *req,
 			    const struct sock *sk_listener,
 			    struct sk_buff *skb)
 {
+	bool l3_slave = ipv6_l3mdev_skb(TCP_SKB_CB(skb)->header.h6.flags);
 	struct inet_request_sock *ireq = inet_rsk(req);
 	const struct ipv6_pinfo *np = inet6_sk(sk_listener);
 
@@ -741,7 +742,7 @@ static void tcp_v6_init_req(struct request_sock *req,
 	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
 
 	/* So that link locals have meaning */
-	if (!sk_listener->sk_bound_dev_if &&
+	if ((!sk_listener->sk_bound_dev_if || l3_slave) &&
 	    ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL)
 		ireq->ir_iif = tcp_v6_iif(skb);
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 254/306] cfg80211: call disconnect_wk when AP stops
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (252 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 253/306] ipv6: Fix handling of LLA with VRF and sockets bound to VRF Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 255/306] mm/page_io.c: do not free shared swap slots Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg, Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit e005bd7ddea06784c1eb91ac5bb6b171a94f3b05 ]

Since we now prevent regulatory restore during STA disconnect
if concurrent AP interfaces are active, we need to reschedule
this check when the AP state changes. This fixes never doing
a restore when an AP is the last interface to stop. Or to put
it another way: we need to re-check after anything we check
here changes.

Cc: stable@vger.kernel.org
Fixes: 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/ap.c   | 2 ++
 net/wireless/core.h | 2 ++
 net/wireless/sme.c  | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/wireless/ap.c b/net/wireless/ap.c
index 882d97bdc6bfd..550ac9d827fe7 100644
--- a/net/wireless/ap.c
+++ b/net/wireless/ap.c
@@ -41,6 +41,8 @@ int __cfg80211_stop_ap(struct cfg80211_registered_device *rdev,
 		cfg80211_sched_dfs_chan_update(rdev);
 	}
 
+	schedule_work(&cfg80211_disconnect_work);
+
 	return err;
 }
 
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 7f52ef5693203..f5d58652108dd 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -430,6 +430,8 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev);
 bool cfg80211_does_bw_fit_range(const struct ieee80211_freq_range *freq_range,
 				u32 center_freq_khz, u32 bw_khz);
 
+extern struct work_struct cfg80211_disconnect_work;
+
 /**
  * cfg80211_chandef_dfs_usable - checks if chandef is DFS usable
  * @wiphy: the wiphy to validate against
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index c7047c7b4e80f..07c2196e9d573 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -667,7 +667,7 @@ static void disconnect_work(struct work_struct *work)
 	rtnl_unlock();
 }
 
-static DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
+DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
 
 
 /*
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 255/306] mm/page_io.c: do not free shared swap slots
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (253 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 254/306] cfg80211: call disconnect_wk when AP stops Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 256/306] Bluetooth: Fix invalid-free in bcsp_close() Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vinayak Menon, Minchan Kim,
	Minchan Kim, Michal Hocko, Hugh Dickins, Andrew Morton,
	Linus Torvalds, Sasha Levin

From: Vinayak Menon <vinmenon@codeaurora.org>

[ Upstream commit 5df373e95689b9519b8557da7c5bd0db0856d776 ]

The following race is observed due to which a processes faulting on a
swap entry, finds the page neither in swapcache nor swap.  This causes
zram to give a zero filled page that gets mapped to the process,
resulting in a user space crash later.

Consider parent and child processes Pa and Pb sharing the same swap slot
with swap_count 2.  Swap is on zram with SWP_SYNCHRONOUS_IO set.
Virtual address 'VA' of Pa and Pb points to the shared swap entry.

Pa                                       Pb

fault on VA                              fault on VA
do_swap_page                             do_swap_page
lookup_swap_cache fails                  lookup_swap_cache fails
                                         Pb scheduled out
swapin_readahead (deletes zram entry)
swap_free (makes swap_count 1)
                                         Pb scheduled in
                                         swap_readpage (swap_count == 1)
                                         Takes SWP_SYNCHRONOUS_IO path
                                         zram enrty absent
                                         zram gives a zero filled page

Fix this by making sure that swap slot is freed only when swap count
drops down to one.

Link: http://lkml.kernel.org/r/1571743294-14285-1-git-send-email-vinmenon@codeaurora.org
Fixes: aa8d22a11da9 ("mm: swap: SWP_SYNCHRONOUS_IO: skip swapcache only if swapped page has no other reference")
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
Suggested-by: Minchan Kim <minchan@google.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/page_io.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/page_io.c b/mm/page_io.c
index aafd19ec1db46..08d2eae58fcee 100644
--- a/mm/page_io.c
+++ b/mm/page_io.c
@@ -76,6 +76,7 @@ static void swap_slot_free_notify(struct page *page)
 {
 	struct swap_info_struct *sis;
 	struct gendisk *disk;
+	swp_entry_t entry;
 
 	/*
 	 * There is no guarantee that the page is in swap cache - the software
@@ -107,11 +108,11 @@ static void swap_slot_free_notify(struct page *page)
 	 * we again wish to reclaim it.
 	 */
 	disk = sis->bdev->bd_disk;
-	if (disk->fops->swap_slot_free_notify) {
-		swp_entry_t entry;
+	entry.val = page_private(page);
+	if (disk->fops->swap_slot_free_notify &&
+			__swap_count(sis, entry) == 1) {
 		unsigned long offset;
 
-		entry.val = page_private(page);
 		offset = swp_offset(entry);
 
 		SetPageDirty(page);
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 256/306] Bluetooth: Fix invalid-free in bcsp_close()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (254 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 255/306] mm/page_io.c: do not free shared swap slots Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 257/306] KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Bortoli,
	syzbot+a0d209a4676664613e76, Marcel Holtmann,
	Alexander Potapenko

From: Tomas Bortoli <tomasbortoli@gmail.com>

commit cf94da6f502d8caecabd56b194541c873c8a7a3c upstream.

Syzbot reported an invalid-free that I introduced fixing a memleak.

bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.
Nullify bcsp->rx_skb every time it is freed.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: Alexander Potapenko <glider@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/hci_bcsp.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -606,6 +606,7 @@ static int bcsp_recv(struct hci_uart *hu
 			if (*ptr == 0xc0) {
 				BT_ERR("Short BCSP packet");
 				kfree_skb(bcsp->rx_skb);
+				bcsp->rx_skb = NULL;
 				bcsp->rx_state = BCSP_W4_PKT_START;
 				bcsp->rx_count = 0;
 			} else
@@ -621,6 +622,7 @@ static int bcsp_recv(struct hci_uart *hu
 			    bcsp->rx_skb->data[2])) != bcsp->rx_skb->data[3]) {
 				BT_ERR("Error in BCSP hdr checksum");
 				kfree_skb(bcsp->rx_skb);
+				bcsp->rx_skb = NULL;
 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
 				bcsp->rx_count = 0;
 				continue;
@@ -645,6 +647,7 @@ static int bcsp_recv(struct hci_uart *hu
 				       bscp_get_crc(bcsp));
 
 				kfree_skb(bcsp->rx_skb);
+				bcsp->rx_skb = NULL;
 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
 				bcsp->rx_count = 0;
 				continue;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 257/306] KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (255 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 256/306] Bluetooth: Fix invalid-free in bcsp_close() Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 258/306] ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adam Borowski, Dan Williams,
	Sean Christopherson, Paolo Bonzini, David Hildenbrand

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit a78986aae9b2988f8493f9f65a587ee433e83bc3 upstream.

Explicitly exempt ZONE_DEVICE pages from kvm_is_reserved_pfn() and
instead manually handle ZONE_DEVICE on a case-by-case basis.  For things
like page refcounts, KVM needs to treat ZONE_DEVICE pages like normal
pages, e.g. put pages grabbed via gup().  But for flows such as setting
A/D bits or shifting refcounts for transparent huge pages, KVM needs to
to avoid processing ZONE_DEVICE pages as the flows in question lack the
underlying machinery for proper handling of ZONE_DEVICE pages.

This fixes a hang reported by Adam Borowski[*] in dev_pagemap_cleanup()
when running a KVM guest backed with /dev/dax memory, as KVM straight up
doesn't put any references to ZONE_DEVICE pages acquired by gup().

Note, Dan Williams proposed an alternative solution of doing put_page()
on ZONE_DEVICE pages immediately after gup() in order to simplify the
auditing needed to ensure is_zone_device_page() is called if and only if
the backing device is pinned (via gup()).  But that approach would break
kvm_vcpu_{un}map() as KVM requires the page to be pinned from map() 'til
unmap() when accessing guest memory, unlike KVM's secondary MMU, which
coordinates with mmu_notifier invalidations to avoid creating stale
page references, i.e. doesn't rely on pages being pinned.

[*] http://lkml.kernel.org/r/20190919115547.GA17963@angband.pl

Reported-by: Adam Borowski <kilobyte@angband.pl>
Analyzed-by: David Hildenbrand <david@redhat.com>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Cc: stable@vger.kernel.org
Fixes: 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[sean: backport to 4.x; resolve conflict in mmu.c]
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/mmu.c       |    8 ++++----
 include/linux/kvm_host.h |    1 +
 virt/kvm/kvm_main.c      |   26 +++++++++++++++++++++++---
 3 files changed, 28 insertions(+), 7 deletions(-)

--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3261,7 +3261,7 @@ static void transparent_hugepage_adjust(
 	 * here.
 	 */
 	if (!is_error_noslot_pfn(pfn) && !kvm_is_reserved_pfn(pfn) &&
-	    level == PT_PAGE_TABLE_LEVEL &&
+	    !kvm_is_zone_device_pfn(pfn) && level == PT_PAGE_TABLE_LEVEL &&
 	    PageTransCompoundMap(pfn_to_page(pfn)) &&
 	    !mmu_gfn_lpage_is_disallowed(vcpu, gfn, PT_DIRECTORY_LEVEL)) {
 		unsigned long mask;
@@ -5709,9 +5709,9 @@ restart:
 		 * the guest, and the guest page table is using 4K page size
 		 * mapping if the indirect sp has level = 1.
 		 */
-		if (sp->role.direct &&
-			!kvm_is_reserved_pfn(pfn) &&
-			PageTransCompoundMap(pfn_to_page(pfn))) {
+		if (sp->role.direct && !kvm_is_reserved_pfn(pfn) &&
+		    !kvm_is_zone_device_pfn(pfn) &&
+		    PageTransCompoundMap(pfn_to_page(pfn))) {
 			drop_spte(kvm, sptep);
 			need_tlb_flush = 1;
 			goto restart;
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -911,6 +911,7 @@ int kvm_cpu_has_pending_timer(struct kvm
 void kvm_vcpu_kick(struct kvm_vcpu *vcpu);
 
 bool kvm_is_reserved_pfn(kvm_pfn_t pfn);
+bool kvm_is_zone_device_pfn(kvm_pfn_t pfn);
 
 struct kvm_irq_ack_notifier {
 	struct hlist_node link;
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -147,10 +147,30 @@ __weak int kvm_arch_mmu_notifier_invalid
 	return 0;
 }
 
+bool kvm_is_zone_device_pfn(kvm_pfn_t pfn)
+{
+	/*
+	 * The metadata used by is_zone_device_page() to determine whether or
+	 * not a page is ZONE_DEVICE is guaranteed to be valid if and only if
+	 * the device has been pinned, e.g. by get_user_pages().  WARN if the
+	 * page_count() is zero to help detect bad usage of this helper.
+	 */
+	if (!pfn_valid(pfn) || WARN_ON_ONCE(!page_count(pfn_to_page(pfn))))
+		return false;
+
+	return is_zone_device_page(pfn_to_page(pfn));
+}
+
 bool kvm_is_reserved_pfn(kvm_pfn_t pfn)
 {
+	/*
+	 * ZONE_DEVICE pages currently set PG_reserved, but from a refcounting
+	 * perspective they are "normal" pages, albeit with slightly different
+	 * usage rules.
+	 */
 	if (pfn_valid(pfn))
-		return PageReserved(pfn_to_page(pfn));
+		return PageReserved(pfn_to_page(pfn)) &&
+		       !kvm_is_zone_device_pfn(pfn);
 
 	return true;
 }
@@ -1727,7 +1747,7 @@ EXPORT_SYMBOL_GPL(kvm_release_pfn_dirty)
 
 void kvm_set_pfn_dirty(kvm_pfn_t pfn)
 {
-	if (!kvm_is_reserved_pfn(pfn)) {
+	if (!kvm_is_reserved_pfn(pfn) && !kvm_is_zone_device_pfn(pfn)) {
 		struct page *page = pfn_to_page(pfn);
 
 		if (!PageReserved(page))
@@ -1738,7 +1758,7 @@ EXPORT_SYMBOL_GPL(kvm_set_pfn_dirty);
 
 void kvm_set_pfn_accessed(kvm_pfn_t pfn)
 {
-	if (!kvm_is_reserved_pfn(pfn))
+	if (!kvm_is_reserved_pfn(pfn) && !kvm_is_zone_device_pfn(pfn))
 		mark_page_accessed(pfn_to_page(pfn));
 }
 EXPORT_SYMBOL_GPL(kvm_set_pfn_accessed);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 258/306] ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (256 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 257/306] KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 259/306] ath9k_hw: fix uninitialized variable data Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hui Peng, Mathias Payer,
	Guenter Roeck, Kalle Valo

From: Hui Peng <benquike@gmail.com>

commit bfd6e6e6c5d2ee43a3d9902b36e01fc7527ebb27 upstream.

The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
are initialized to point to the containing `ath10k_usb` object
according to endpoint descriptors read from the device side, as shown
below in `ath10k_usb_setup_pipe_resources`:

for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
        endpoint = &iface_desc->endpoint[i].desc;

        // get the address from endpoint descriptor
        pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
                                                endpoint->bEndpointAddress,
                                                &urbcount);
        ......
        // select the pipe object
        pipe = &ar_usb->pipes[pipe_num];

        // initialize the ar_usb field
        pipe->ar_usb = ar_usb;
}

The driver assumes that the addresses reported in endpoint
descriptors from device side  to be complete. If a device is
malicious and does not report complete addresses, it may trigger
NULL-ptr-deref `ath10k_usb_alloc_urb_from_pipe` and
`ath10k_usb_free_urb_to_pipe`.

This patch fixes the bug by preventing potential NULL-ptr-deref.

Signed-off-by: Hui Peng <benquike@gmail.com>
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[groeck: Add driver tag to subject, fix build warning]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath10k/usb.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/net/wireless/ath/ath10k/usb.c
+++ b/drivers/net/wireless/ath/ath10k/usb.c
@@ -49,6 +49,10 @@ ath10k_usb_alloc_urb_from_pipe(struct at
 	struct ath10k_urb_context *urb_context = NULL;
 	unsigned long flags;
 
+	/* bail if this pipe is not initialized */
+	if (!pipe->ar_usb)
+		return NULL;
+
 	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
 	if (!list_empty(&pipe->urb_list_head)) {
 		urb_context = list_first_entry(&pipe->urb_list_head,
@@ -66,6 +70,10 @@ static void ath10k_usb_free_urb_to_pipe(
 {
 	unsigned long flags;
 
+	/* bail if this pipe is not initialized */
+	if (!pipe->ar_usb)
+		return;
+
 	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
 
 	pipe->urb_cnt++;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 259/306] ath9k_hw: fix uninitialized variable data
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (257 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 258/306] ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 260/306] md/raid10: prevent access of uninitialized resync_pages offset Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rajkumar Manoharan, John W. Linville,
	Kalle Valo, David S. Miller, Denis Efremov

From: Denis Efremov <efremov@linux.com>

commit 80e84f36412e0c5172447b6947068dca0d04ee82 upstream.

Currently, data variable in ar9003_hw_thermo_cal_apply() could be
uninitialized if ar9300_otp_read_word() will fail to read the value.
Initialize data variable with 0 to prevent an undefined behavior. This
will be enough to handle error case when ar9300_otp_read_word() fails.

Fixes: 80fe43f2bbd5 ("ath9k_hw: Read and configure thermocal for AR9462")
Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Cc: John W. Linville <linville@tuxdriver.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: stable@vger.kernel.org
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -4183,7 +4183,7 @@ static void ar9003_hw_thermometer_apply(
 
 static void ar9003_hw_thermo_cal_apply(struct ath_hw *ah)
 {
-	u32 data, ko, kg;
+	u32 data = 0, ko, kg;
 
 	if (!AR_SREV_9462_20_OR_LATER(ah))
 		return;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 260/306] md/raid10: prevent access of uninitialized resync_pages offset
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (258 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 259/306] ath9k_hw: fix uninitialized variable data Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 262/306] net: phy: dp83867: fix speed 10 in sgmii mode Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Pittman, David Jeffery,
	Laurence Oberman, Song Liu

From: John Pittman <jpittman@redhat.com>

commit 45422b704db392a6d79d07ee3e3670b11048bd53 upstream.

Due to unneeded multiplication in the out_free_pages portion of
r10buf_pool_alloc(), when using a 3-copy raid10 layout, it is
possible to access a resync_pages offset that has not been
initialized.  This access translates into a crash of the system
within resync_free_pages() while passing a bad pointer to
put_page().  Remove the multiplication, preventing access to the
uninitialized area.

Fixes: f0250618361db ("md: raid10: don't use bio's vec table to manage resync pages")
Cc: stable@vger.kernel.org # 4.12+
Signed-off-by: John Pittman <jpittman@redhat.com>
Suggested-by: David Jeffery <djeffery@redhat.com>
Reviewed-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid10.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -229,7 +229,7 @@ static void * r10buf_pool_alloc(gfp_t gf
 
 out_free_pages:
 	while (--j >= 0)
-		resync_free_pages(&rps[j * 2]);
+		resync_free_pages(&rps[j]);
 
 	j = 0;
 out_free_bio:



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 262/306] net: phy: dp83867: fix speed 10 in sgmii mode
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (259 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 260/306] md/raid10: prevent access of uninitialized resync_pages offset Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 263/306] net: phy: dp83867: increase SGMII autoneg timer duration Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Max Uvarov, Heiner Kallweit,
	Florian Fainelli, David S. Miller, Adrian Bunk

From: Max Uvarov <muvarov@gmail.com>

commit 333061b924539c0de081339643f45514f5f1c1e6 upstream.

For supporting 10Mps speed in SGMII mode DP83867_10M_SGMII_RATE_ADAPT bit
of DP83867_10M_SGMII_CFG register has to be cleared by software.
That does not affect speeds 100 and 1000 so can be done on init.

Signed-off-by: Max Uvarov <muvarov@gmail.com>
Cc: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ adapted for kernels without phy_modify_mmd ]
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/phy/dp83867.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/drivers/net/phy/dp83867.c
+++ b/drivers/net/phy/dp83867.c
@@ -37,6 +37,8 @@
 #define DP83867_STRAP_STS1	0x006E
 #define DP83867_RGMIIDCTL	0x0086
 #define DP83867_IO_MUX_CFG	0x0170
+#define DP83867_10M_SGMII_CFG   0x016F
+#define DP83867_10M_SGMII_RATE_ADAPT_MASK BIT(7)
 
 #define DP83867_SW_RESET	BIT(15)
 #define DP83867_SW_RESTART	BIT(14)
@@ -294,6 +296,23 @@ static int dp83867_config_init(struct ph
 		}
 	}
 
+	if (phydev->interface == PHY_INTERFACE_MODE_SGMII) {
+		/* For support SPEED_10 in SGMII mode
+		 * DP83867_10M_SGMII_RATE_ADAPT bit
+		 * has to be cleared by software. That
+		 * does not affect SPEED_100 and
+		 * SPEED_1000.
+		 */
+		val = phy_read_mmd(phydev, DP83867_DEVADDR,
+				   DP83867_10M_SGMII_CFG);
+		val &= ~DP83867_10M_SGMII_RATE_ADAPT_MASK;
+		ret = phy_write_mmd(phydev, DP83867_DEVADDR,
+				    DP83867_10M_SGMII_CFG, val);
+
+		if (ret)
+			return ret;
+	}
+
 	/* Enable Interrupt output INT_OE in CFG3 register */
 	if (phy_interrupt_is_valid(phydev)) {
 		val = phy_read(phydev, DP83867_CFG3);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 263/306] net: phy: dp83867: increase SGMII autoneg timer duration
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (260 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 262/306] net: phy: dp83867: fix speed 10 in sgmii mode Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 264/306] ocfs2: remove ocfs2_is_o2cb_active() Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Max Uvarov, Heiner Kallweit,
	Florian Fainelli, David S. Miller, Adrian Bunk

From: Max Uvarov <muvarov@gmail.com>

commit 1a97a477e666cbdededab93bd3754e508f0c09d7 upstream.

After reset SGMII Autoneg timer is set to 2us (bits 6 and 5 are 01).
That is not enough to finalize autonegatiation on some devices.
Increase this timer duration to maximum supported 16ms.

Signed-off-by: Max Uvarov <muvarov@gmail.com>
Cc: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ adapted for kernels without phy_modify_mmd ]
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/phy/dp83867.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/drivers/net/phy/dp83867.c
+++ b/drivers/net/phy/dp83867.c
@@ -33,6 +33,12 @@
 
 /* Extended Registers */
 #define DP83867_CFG4            0x0031
+#define DP83867_CFG4_SGMII_ANEG_MASK (BIT(5) | BIT(6))
+#define DP83867_CFG4_SGMII_ANEG_TIMER_11MS   (3 << 5)
+#define DP83867_CFG4_SGMII_ANEG_TIMER_800US  (2 << 5)
+#define DP83867_CFG4_SGMII_ANEG_TIMER_2US    (1 << 5)
+#define DP83867_CFG4_SGMII_ANEG_TIMER_16MS   (0 << 5)
+
 #define DP83867_RGMIICTL	0x0032
 #define DP83867_STRAP_STS1	0x006E
 #define DP83867_RGMIIDCTL	0x0086
@@ -311,6 +317,18 @@ static int dp83867_config_init(struct ph
 
 		if (ret)
 			return ret;
+
+		/* After reset SGMII Autoneg timer is set to 2us (bits 6 and 5
+		 * are 01). That is not enough to finalize autoneg on some
+		 * devices. Increase this timer duration to maximum 16ms.
+		 */
+		val = phy_read_mmd(phydev, DP83867_DEVADDR, DP83867_CFG4);
+		val &= ~DP83867_CFG4_SGMII_ANEG_MASK;
+		val |= DP83867_CFG4_SGMII_ANEG_TIMER_16MS;
+		ret = phy_write_mmd(phydev, DP83867_DEVADDR, DP83867_CFG4, val);
+
+		if (ret)
+			return ret;
 	}
 
 	/* Enable Interrupt output INT_OE in CFG3 register */



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 264/306] ocfs2: remove ocfs2_is_o2cb_active()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (261 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 263/306] net: phy: dp83867: increase SGMII autoneg timer duration Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 265/306] ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gang He, Joseph Qi, Eric Ren,
	Changwei Ge, Mark Fasheh, Joel Becker, Junxiao Bi, Andrew Morton,
	Linus Torvalds, Lee Jones

From: Gang He <ghe@suse.com>

commit a634644751c46238df58bbfe992e30c1668388db upstream.

Remove ocfs2_is_o2cb_active().  We have similar functions to identify
which cluster stack is being used via osb->osb_cluster_stack.

Secondly, the current implementation of ocfs2_is_o2cb_active() is not
totally safe.  Based on the design of stackglue, we need to get
ocfs2_stack_lock before using ocfs2_stack related data structures, and
that active_stack pointer can be NULL in the case of mount failure.

Link: http://lkml.kernel.org/r/1495441079-11708-1-git-send-email-ghe@suse.com
Signed-off-by: Gang He <ghe@suse.com>
Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
Reviewed-by: Eric Ren <zren@suse.com>
Acked-by: Changwei Ge <ge.changwei@h3c.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/dlmglue.c   |    2 +-
 fs/ocfs2/stackglue.c |    6 ------
 fs/ocfs2/stackglue.h |    3 ---
 3 files changed, 1 insertion(+), 10 deletions(-)

--- a/fs/ocfs2/dlmglue.c
+++ b/fs/ocfs2/dlmglue.c
@@ -3603,7 +3603,7 @@ static int ocfs2_downconvert_lock(struct
 	 * we can recover correctly from node failure. Otherwise, we may get
 	 * invalid LVB in LKB, but without DLM_SBF_VALNOTVALID being set.
 	 */
-	if (!ocfs2_is_o2cb_active() &&
+	if (ocfs2_userspace_stack(osb) &&
 	    lockres->l_ops->flags & LOCK_TYPE_USES_LVB)
 		lvb = 1;
 
--- a/fs/ocfs2/stackglue.c
+++ b/fs/ocfs2/stackglue.c
@@ -48,12 +48,6 @@ static char ocfs2_hb_ctl_path[OCFS2_MAX_
  */
 static struct ocfs2_stack_plugin *active_stack;
 
-inline int ocfs2_is_o2cb_active(void)
-{
-	return !strcmp(active_stack->sp_name, OCFS2_STACK_PLUGIN_O2CB);
-}
-EXPORT_SYMBOL_GPL(ocfs2_is_o2cb_active);
-
 static struct ocfs2_stack_plugin *ocfs2_stack_lookup(const char *name)
 {
 	struct ocfs2_stack_plugin *p;
--- a/fs/ocfs2/stackglue.h
+++ b/fs/ocfs2/stackglue.h
@@ -298,9 +298,6 @@ void ocfs2_stack_glue_set_max_proto_vers
 int ocfs2_stack_glue_register(struct ocfs2_stack_plugin *plugin);
 void ocfs2_stack_glue_unregister(struct ocfs2_stack_plugin *plugin);
 
-/* In ocfs2_downconvert_lock(), we need to know which stack we are using */
-int ocfs2_is_o2cb_active(void);
-
 extern struct kset *ocfs2_kset;
 
 #endif  /* STACKGLUE_H */



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 265/306] ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (262 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 264/306] ocfs2: remove ocfs2_is_o2cb_active() Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 266/306] ARC: perf: Accommodate big-endian CPU Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chester Lin, Mike Rapoport,
	Russell King, Lee Jones

From: Chester Lin <clin@suse.com>

commit 1d31999cf04c21709f72ceb17e65b54a401330da upstream.

adjust_lowmem_bounds() checks every memblocks in order to find the boundary
between lowmem and highmem. However some memblocks could be marked as NOMAP
so they are not used by kernel, which should be skipped while calculating
the boundary.

Signed-off-by: Chester Lin <clin@suse.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mm/mmu.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -1195,6 +1195,9 @@ void __init adjust_lowmem_bounds(void)
 		phys_addr_t block_start = reg->base;
 		phys_addr_t block_end = reg->base + reg->size;
 
+		if (memblock_is_nomap(reg))
+			continue;
+
 		if (reg->base < vmalloc_limit) {
 			if (block_end > lowmem_limit)
 				/*



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 266/306] ARC: perf: Accommodate big-endian CPU
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (263 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 265/306] ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 267/306] x86/insn: Fix awk regexp warnings Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexey Brodkin, Vineet Gupta

From: Alexey Brodkin <Alexey.Brodkin@synopsys.com>

commit 5effc09c4907901f0e71e68e5f2e14211d9a203f upstream.

8-letter strings representing ARC perf events are stores in two
32-bit registers as ASCII characters like that: "IJMP", "IALL", "IJMPTAK" etc.

And the same order of bytes in the word is used regardless CPU endianness.

Which means in case of big-endian CPU core we need to swap bytes to get
the same order as if it was on little-endian CPU.

Otherwise we're seeing the following error message on boot:
------------------------->8----------------------
ARC perf        : 8 counters (32 bits), 40 conditions, [overflow IRQ support]
sysfs: cannot create duplicate filename '/devices/arc_pct/events/pmji'
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.2.18 #3
Stack Trace:
  arc_unwind_core+0xd4/0xfc
  dump_stack+0x64/0x80
  sysfs_warn_dup+0x46/0x58
  sysfs_add_file_mode_ns+0xb2/0x168
  create_files+0x70/0x2a0
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at kernel/events/core.c:12144 perf_event_sysfs_init+0x70/0xa0
Failed to register pmu: arc_pct, reason -17
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.2.18 #3
Stack Trace:
  arc_unwind_core+0xd4/0xfc
  dump_stack+0x64/0x80
  __warn+0x9c/0xd4
  warn_slowpath_fmt+0x22/0x2c
  perf_event_sysfs_init+0x70/0xa0
---[ end trace a75fb9a9837bd1ec ]---
------------------------->8----------------------

What happens here we're trying to register more than one raw perf event
with the same name "PMJI". Why? Because ARC perf events are 4 to 8 letters
and encoded into two 32-bit words. In this particular case we deal with 2
events:
 * "IJMP____" which counts all jump & branch instructions
 * "IJMPC___" which counts only conditional jumps & branches

Those strings are split in two 32-bit words this way "IJMP" + "____" &
"IJMP" + "C___" correspondingly. Now if we read them swapped due to CPU core
being big-endian then we read "PMJI" + "____" & "PMJI" + "___C".

And since we interpret read array of ASCII letters as a null-terminated string
on big-endian CPU we end up with 2 events of the same name "PMJI".

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: stable@vger.kernel.org
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>



---
 arch/arc/kernel/perf_event.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arc/kernel/perf_event.c
+++ b/arch/arc/kernel/perf_event.c
@@ -490,8 +490,8 @@ static int arc_pmu_device_probe(struct p
 	/* loop thru all available h/w condition indexes */
 	for (j = 0; j < cc_bcr.c; j++) {
 		write_aux_reg(ARC_REG_CC_INDEX, j);
-		cc_name.indiv.word0 = read_aux_reg(ARC_REG_CC_NAME0);
-		cc_name.indiv.word1 = read_aux_reg(ARC_REG_CC_NAME1);
+		cc_name.indiv.word0 = le32_to_cpu(read_aux_reg(ARC_REG_CC_NAME0));
+		cc_name.indiv.word1 = le32_to_cpu(read_aux_reg(ARC_REG_CC_NAME1));
 
 		/* See if it has been mapped to a perf event_id */
 		for (i = 0; i < ARRAY_SIZE(arc_pmu_ev_hw_map); i++) {



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 267/306] x86/insn: Fix awk regexp warnings
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (264 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 266/306] ARC: perf: Accommodate big-endian CPU Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 268/306] x86/speculation: Fix incorrect MDS/TAA mitigation status Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Alexander Kapshuk,
	Borislav Petkov, Masami Hiramatsu, H. Peter Anvin,
	Peter Zijlstra (Intel),
	Arnaldo Carvalho de Melo, Ingo Molnar, Josh Poimboeuf,
	Thomas Gleixner, x86-ml

From: Alexander Kapshuk <alexander.kapshuk@gmail.com>

commit 700c1018b86d0d4b3f1f2d459708c0cdf42b521d upstream.

gawk 5.0.1 generates the following regexp warnings:

  GEN      /home/sasha/torvalds/tools/objtool/arch/x86/lib/inat-tables.c
  awk: ../arch/x86/tools/gen-insn-attr-x86.awk:260: warning: regexp escape sequence `\:' is not a known regexp operator
  awk: ../arch/x86/tools/gen-insn-attr-x86.awk:350: (FILENAME=../arch/x86/lib/x86-opcode-map.txt FNR=41) warning: regexp escape sequence `\&' is  not a known regexp operator

Ealier versions of gawk are not known to generate these warnings. The
gawk manual referenced below does not list characters ':' and '&' as
needing escaping, so 'unescape' them. See

  https://www.gnu.org/software/gawk/manual/html_node/Escape-Sequences.html

for more info.

Running diff on the output generated by the script before and after
applying the patch reported no differences.

 [ bp: Massage commit message. ]

[ Caught the respective tools header discrepancy. ]
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Alexander Kapshuk <alexander.kapshuk@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20190924044659.3785-1-alexander.kapshuk@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/tools/gen-insn-attr-x86.awk               |    4 ++--
 tools/objtool/arch/x86/tools/gen-insn-attr-x86.awk |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/tools/gen-insn-attr-x86.awk
+++ b/arch/x86/tools/gen-insn-attr-x86.awk
@@ -69,7 +69,7 @@ BEGIN {
 
 	lprefix1_expr = "\\((66|!F3)\\)"
 	lprefix2_expr = "\\(F3\\)"
-	lprefix3_expr = "\\((F2|!F3|66\\&F2)\\)"
+	lprefix3_expr = "\\((F2|!F3|66&F2)\\)"
 	lprefix_expr = "\\((66|F2|F3)\\)"
 	max_lprefix = 4
 
@@ -257,7 +257,7 @@ function convert_operands(count,opnd,
 	return add_flags(imm, mod)
 }
 
-/^[0-9a-f]+\:/ {
+/^[0-9a-f]+:/ {
 	if (NR == 1)
 		next
 	# get index
--- a/tools/objtool/arch/x86/tools/gen-insn-attr-x86.awk
+++ b/tools/objtool/arch/x86/tools/gen-insn-attr-x86.awk
@@ -69,7 +69,7 @@ BEGIN {
 
 	lprefix1_expr = "\\((66|!F3)\\)"
 	lprefix2_expr = "\\(F3\\)"
-	lprefix3_expr = "\\((F2|!F3|66\\&F2)\\)"
+	lprefix3_expr = "\\((F2|!F3|66&F2)\\)"
 	lprefix_expr = "\\((66|F2|F3)\\)"
 	max_lprefix = 4
 
@@ -257,7 +257,7 @@ function convert_operands(count,opnd,
 	return add_flags(imm, mod)
 }
 
-/^[0-9a-f]+\:/ {
+/^[0-9a-f]+:/ {
 	if (NR == 1)
 		next
 	# get index



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 268/306] x86/speculation: Fix incorrect MDS/TAA mitigation status
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (265 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 267/306] x86/insn: Fix awk regexp warnings Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:31 ` [PATCH 4.19 269/306] x86/speculation: Fix redundant MDS mitigation message Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Waiman Long, Borislav Petkov,
	H. Peter Anvin, Ingo Molnar, Jiri Kosina, Jonathan Corbet,
	Josh Poimboeuf, linux-doc, Mark Gross, Pawan Gupta,
	Peter Zijlstra, Thomas Gleixner, Tim Chen, Tony Luck,
	Tyler Hicks, x86-ml

From: Waiman Long <longman@redhat.com>

commit 64870ed1b12e235cfca3f6c6da75b542c973ff78 upstream.

For MDS vulnerable processors with TSX support, enabling either MDS or
TAA mitigations will enable the use of VERW to flush internal processor
buffers at the right code path. IOW, they are either both mitigated
or both not. However, if the command line options are inconsistent,
the vulnerabilites sysfs files may not report the mitigation status
correctly.

For example, with only the "mds=off" option:

  vulnerabilities/mds:Vulnerable; SMT vulnerable
  vulnerabilities/tsx_async_abort:Mitigation: Clear CPU buffers; SMT vulnerable

The mds vulnerabilities file has wrong status in this case. Similarly,
the taa vulnerability file will be wrong with mds mitigation on, but
taa off.

Change taa_select_mitigation() to sync up the two mitigation status
and have them turned off if both "mds=off" and "tsx_async_abort=off"
are present.

Update documentation to emphasize the fact that both "mds=off" and
"tsx_async_abort=off" have to be specified together for processors that
are affected by both TAA and MDS to be effective.

 [ bp: Massage and add kernel-parameters.txt change too. ]

Fixes: 1b42f017415b ("x86/speculation/taa: Add mitigation for TSX Async Abort")
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: linux-doc@vger.kernel.org
Cc: Mark Gross <mgross@linux.intel.com>
Cc: <stable@vger.kernel.org>
Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20191115161445.30809-2-longman@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/admin-guide/hw-vuln/mds.rst             |    7 +++++--
 Documentation/admin-guide/hw-vuln/tsx_async_abort.rst |    5 ++++-
 Documentation/admin-guide/kernel-parameters.txt       |   11 +++++++++++
 arch/x86/kernel/cpu/bugs.c                            |   17 +++++++++++++++--
 4 files changed, 35 insertions(+), 5 deletions(-)

--- a/Documentation/admin-guide/hw-vuln/mds.rst
+++ b/Documentation/admin-guide/hw-vuln/mds.rst
@@ -265,8 +265,11 @@ time with the option "mds=". The valid a
 
   ============  =============================================================
 
-Not specifying this option is equivalent to "mds=full".
-
+Not specifying this option is equivalent to "mds=full". For processors
+that are affected by both TAA (TSX Asynchronous Abort) and MDS,
+specifying just "mds=off" without an accompanying "tsx_async_abort=off"
+will have no effect as the same mitigation is used for both
+vulnerabilities.
 
 Mitigation selection guide
 --------------------------
--- a/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+++ b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
@@ -174,7 +174,10 @@ the option "tsx_async_abort=". The valid
                 CPU is not vulnerable to cross-thread TAA attacks.
   ============  =============================================================
 
-Not specifying this option is equivalent to "tsx_async_abort=full".
+Not specifying this option is equivalent to "tsx_async_abort=full". For
+processors that are affected by both TAA and MDS, specifying just
+"tsx_async_abort=off" without an accompanying "mds=off" will have no
+effect as the same mitigation is used for both vulnerabilities.
 
 The kernel command line also allows to control the TSX feature using the
 parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2359,6 +2359,12 @@
 				     SMT on vulnerable CPUs
 			off        - Unconditionally disable MDS mitigation
 
+			On TAA-affected machines, mds=off can be prevented by
+			an active TAA mitigation as both vulnerabilities are
+			mitigated with the same mechanism so in order to disable
+			this mitigation, you need to specify tsx_async_abort=off
+			too.
+
 			Not specifying this option is equivalent to
 			mds=full.
 
@@ -4773,6 +4779,11 @@
 				     vulnerable to cross-thread TAA attacks.
 			off        - Unconditionally disable TAA mitigation
 
+			On MDS-affected machines, tsx_async_abort=off can be
+			prevented by an active MDS mitigation as both vulnerabilities
+			are mitigated with the same mechanism so in order to disable
+			this mitigation, you need to specify mds=off too.
+
 			Not specifying this option is equivalent to
 			tsx_async_abort=full.  On CPUs which are MDS affected
 			and deploy MDS mitigation, TAA mitigation is not
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -304,8 +304,12 @@ static void __init taa_select_mitigation
 		return;
 	}
 
-	/* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */
-	if (taa_mitigation == TAA_MITIGATION_OFF)
+	/*
+	 * TAA mitigation via VERW is turned off if both
+	 * tsx_async_abort=off and mds=off are specified.
+	 */
+	if (taa_mitigation == TAA_MITIGATION_OFF &&
+	    mds_mitigation == MDS_MITIGATION_OFF)
 		goto out;
 
 	if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
@@ -339,6 +343,15 @@ static void __init taa_select_mitigation
 	if (taa_nosmt || cpu_mitigations_auto_nosmt())
 		cpu_smt_disable(false);
 
+	/*
+	 * Update MDS mitigation, if necessary, as the mds_user_clear is
+	 * now enabled for TAA mitigation.
+	 */
+	if (mds_mitigation == MDS_MITIGATION_OFF &&
+	    boot_cpu_has_bug(X86_BUG_MDS)) {
+		mds_mitigation = MDS_MITIGATION_FULL;
+		mds_select_mitigation();
+	}
 out:
 	pr_info("%s\n", taa_strings[taa_mitigation]);
 }



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 269/306] x86/speculation: Fix redundant MDS mitigation message
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (266 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 268/306] x86/speculation: Fix incorrect MDS/TAA mitigation status Greg Kroah-Hartman
@ 2019-11-27 20:31 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 270/306] nbd: prevent memory leak Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pawan Gupta, Waiman Long,
	Borislav Petkov, H. Peter Anvin, Ingo Molnar, Josh Poimboeuf,
	Mark Gross, Peter Zijlstra, Thomas Gleixner, Tim Chen, Tony Luck,
	Tyler Hicks, x86-ml

From: Waiman Long <longman@redhat.com>

commit cd5a2aa89e847bdda7b62029d94e95488d73f6b2 upstream.

Since MDS and TAA mitigations are inter-related for processors that are
affected by both vulnerabilities, the followiing confusing messages can
be printed in the kernel log:

  MDS: Vulnerable
  MDS: Mitigation: Clear CPU buffers

To avoid the first incorrect message, defer the printing of MDS
mitigation after the TAA mitigation selection has been done. However,
that has the side effect of printing TAA mitigation first before MDS
mitigation.

 [ bp: Check box is affected/mitigations are disabled first before
   printing and massage. ]

Suggested-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Mark Gross <mgross@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20191115161445.30809-3-longman@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/bugs.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -39,6 +39,7 @@ static void __init spectre_v2_select_mit
 static void __init ssb_select_mitigation(void);
 static void __init l1tf_select_mitigation(void);
 static void __init mds_select_mitigation(void);
+static void __init mds_print_mitigation(void);
 static void __init taa_select_mitigation(void);
 
 /* The base value of the SPEC_CTRL MSR that always has to be preserved. */
@@ -108,6 +109,12 @@ void __init check_bugs(void)
 	mds_select_mitigation();
 	taa_select_mitigation();
 
+	/*
+	 * As MDS and TAA mitigations are inter-related, print MDS
+	 * mitigation until after TAA mitigation selection is done.
+	 */
+	mds_print_mitigation();
+
 	arch_smt_update();
 
 #ifdef CONFIG_X86_32
@@ -245,6 +252,12 @@ static void __init mds_select_mitigation
 		    (mds_nosmt || cpu_mitigations_auto_nosmt()))
 			cpu_smt_disable(false);
 	}
+}
+
+static void __init mds_print_mitigation(void)
+{
+	if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off())
+		return;
 
 	pr_info("%s\n", mds_strings[mds_mitigation]);
 }



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 270/306] nbd: prevent memory leak
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (267 preceding siblings ...)
  2019-11-27 20:31 ` [PATCH 4.19 269/306] x86/speculation: Fix redundant MDS mitigation message Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 271/306] x86/doublefault/32: Fix stack canaries in the double fault handler Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, Navid Emamdoost, Jens Axboe

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit 03bf73c315edca28f47451913177e14cd040a216 upstream.

In nbd_add_socket when krealloc succeeds, if nsock's allocation fail the
reallocted memory is leak. The correct behaviour should be assigning the
reallocted memory to config->socks right after success.

Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/nbd.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -984,14 +984,15 @@ static int nbd_add_socket(struct nbd_dev
 		sockfd_put(sock);
 		return -ENOMEM;
 	}
+
+	config->socks = socks;
+
 	nsock = kzalloc(sizeof(struct nbd_sock), GFP_KERNEL);
 	if (!nsock) {
 		sockfd_put(sock);
 		return -ENOMEM;
 	}
 
-	config->socks = socks;
-
 	nsock->fallback_index = -1;
 	nsock->dead = false;
 	mutex_init(&nsock->tx_lock);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 271/306] x86/doublefault/32: Fix stack canaries in the double fault handler
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (268 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 270/306] nbd: prevent memory leak Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 272/306] x86/pti/32: Size initial_page_table correctly Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski,
	Peter Zijlstra (Intel),
	stable

From: Andy Lutomirski <luto@kernel.org>

commit 3580d0b29cab08483f84a16ce6a1151a1013695f upstream.

The double fault TSS was missing GS setup, which is needed for stack
canaries to work.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/doublefault.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kernel/doublefault.c
+++ b/arch/x86/kernel/doublefault.c
@@ -65,6 +65,9 @@ struct x86_hw_tss doublefault_tss __cach
 	.ss		= __KERNEL_DS,
 	.ds		= __USER_DS,
 	.fs		= __KERNEL_PERCPU,
+#ifndef CONFIG_X86_32_LAZY_GS
+	.gs		= __KERNEL_STACK_CANARY,
+#endif
 
 	.__cr3		= __pa_nodebug(swapper_pg_dir),
 };



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 272/306] x86/pti/32: Size initial_page_table correctly
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (269 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 271/306] x86/doublefault/32: Fix stack canaries in the double fault handler Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 273/306] x86/cpu_entry_area: Add guard page for entry stack on 32bit Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner,
	Peter Zijlstra (Intel),
	Joerg Roedel, stable

From: Thomas Gleixner <tglx@linutronix.de>

commit f490e07c53d66045d9d739e134145ec9b38653d3 upstream.

Commit 945fd17ab6ba ("x86/cpu_entry_area: Sync cpu_entry_area to
initial_page_table") introduced the sync for the initial page table for
32bit.

sync_initial_page_table() uses clone_pgd_range() which does the update for
the kernel page table. If PTI is enabled it also updates the user space
page table counterpart, which is assumed to be in the next page after the
target PGD.

At this point in time 32-bit did not have PTI support, so the user space
page table update was not taking place.

The support for PTI on 32-bit which was introduced later on, did not take
that into account and missed to add the user space counter part for the
initial page table.

As a consequence sync_initial_page_table() overwrites any data which is
located in the page behing initial_page_table causing random failures,
e.g. by corrupting doublefault_tss and wreckaging the doublefault handler
on 32bit.

Fix it by adding a "user" page table right after initial_page_table.

Fixes: 7757d607c6b3 ("x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Joerg Roedel <jroedel@suse.de>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/head_32.S |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -571,6 +571,16 @@ ENTRY(initial_page_table)
 #  error "Kernel PMDs should be 1, 2 or 3"
 # endif
 	.align PAGE_SIZE		/* needs to be page-sized too */
+
+#ifdef CONFIG_PAGE_TABLE_ISOLATION
+	/*
+	 * PTI needs another page so sync_initial_pagetable() works correctly
+	 * and does not scribble over the data which is placed behind the
+	 * actual initial_page_table. See clone_pgd_range().
+	 */
+	.fill 1024, 4, 0
+#endif
+
 #endif
 
 .data



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 273/306] x86/cpu_entry_area: Add guard page for entry stack on 32bit
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (270 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 272/306] x86/pti/32: Size initial_page_table correctly Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 274/306] selftests/x86/mov_ss_trap: Fix the SYSENTER test Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner,
	Peter Zijlstra (Intel),
	stable

From: Thomas Gleixner <tglx@linutronix.de>

commit 880a98c339961eaa074393e3a2117cbe9125b8bb upstream.

The entry stack in the cpu entry area is protected against overflow by the
readonly GDT on 64-bit, but on 32-bit the GDT needs to be writeable and
therefore does not trigger a fault on stack overflow.

Add a guard page.

Fixes: c482feefe1ae ("x86/entry/64: Make cpu_entry_area.tss read-only")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/cpu_entry_area.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/cpu_entry_area.h
+++ b/arch/x86/include/asm/cpu_entry_area.h
@@ -20,8 +20,12 @@ struct cpu_entry_area {
 
 	/*
 	 * The GDT is just below entry_stack and thus serves (on x86_64) as
-	 * a a read-only guard page.
+	 * a read-only guard page. On 32-bit the GDT must be writeable, so
+	 * it needs an extra guard page.
 	 */
+#ifdef CONFIG_X86_32
+	char guard_entry_stack[PAGE_SIZE];
+#endif
 	struct entry_stack_page entry_stack_page;
 
 	/*



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 274/306] selftests/x86/mov_ss_trap: Fix the SYSENTER test
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (271 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 273/306] x86/cpu_entry_area: Add guard page for entry stack on 32bit Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 275/306] selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski,
	Peter Zijlstra (Intel),
	stable

From: Andy Lutomirski <luto@kernel.org>

commit 8caa016bfc129f2c925d52da43022171d1d1de91 upstream.

For reasons that I haven't quite fully diagnosed, running
mov_ss_trap_32 on a 32-bit kernel results in an infinite loop in
userspace.  This appears to be because the hacky SYSENTER test
doesn't segfault as desired; instead it corrupts the program state
such that it infinite loops.

Fix it by explicitly clearing EBP before doing SYSENTER.  This will
give a more reliable segfault.

Fixes: 59c2a7226fc5 ("x86/selftests: Add mov_to_ss test")
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/testing/selftests/x86/mov_ss_trap.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/testing/selftests/x86/mov_ss_trap.c
+++ b/tools/testing/selftests/x86/mov_ss_trap.c
@@ -257,7 +257,8 @@ int main()
 			err(1, "sigaltstack");
 		sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK);
 		nr = SYS_getpid;
-		asm volatile ("mov %[ss], %%ss; SYSENTER" : "+a" (nr)
+		/* Clear EBP first to make sure we segfault cleanly. */
+		asm volatile ("xorl %%ebp, %%ebp; mov %[ss], %%ss; SYSENTER" : "+a" (nr)
 			      : [ss] "m" (ss) : "flags", "rcx"
 #ifdef __x86_64__
 				, "r11"



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 275/306] selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (272 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 274/306] selftests/x86/mov_ss_trap: Fix the SYSENTER test Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 276/306] x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the CPU_ENTRY_AREA_PAGES assert precise Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski,
	Peter Zijlstra (Intel),
	stable

From: Andy Lutomirski <luto@kernel.org>

commit 4d2fa82d98d2d296043a04eb517d7dbade5b13b8 upstream.

If the kernel accidentally uses DS or ES while the user values are
loaded, it will work fine for sane userspace.  In the interest of
simulating maximally insane userspace, make sigreturn_32 zero out DS
and ES for the nasty parts so that inadvertent use of these segments
will crash.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/testing/selftests/x86/sigreturn.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/tools/testing/selftests/x86/sigreturn.c
+++ b/tools/testing/selftests/x86/sigreturn.c
@@ -459,6 +459,19 @@ static void sigusr1(int sig, siginfo_t *
 	ctx->uc_mcontext.gregs[REG_SP] = (unsigned long)0x8badf00d5aadc0deULL;
 	ctx->uc_mcontext.gregs[REG_CX] = 0;
 
+#ifdef __i386__
+	/*
+	 * Make sure the kernel doesn't inadvertently use DS or ES-relative
+	 * accesses in a region where user DS or ES is loaded.
+	 *
+	 * Skip this for 64-bit builds because long mode doesn't care about
+	 * DS and ES and skipping it increases test coverage a little bit,
+	 * since 64-bit kernels can still run the 32-bit build.
+	 */
+	ctx->uc_mcontext.gregs[REG_DS] = 0;
+	ctx->uc_mcontext.gregs[REG_ES] = 0;
+#endif
+
 	memcpy(&requested_regs, &ctx->uc_mcontext.gregs, sizeof(gregset_t));
 	requested_regs[REG_CX] = *ssptr(ctx);	/* The asm code does this. */
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 276/306] x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the CPU_ENTRY_AREA_PAGES assert precise
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (273 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 275/306] selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 277/306] x86/entry/32: Fix FIXUP_ESPFIX_STACK with user CR3 Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Borislav Petkov,
	Peter Zijlstra (Intel),
	Linus Torvalds, Andy Lutomirski, stable, Ingo Molnar

From: Ingo Molnar <mingo@kernel.org>

commit 05b042a1944322844eaae7ea596d5f154166d68a upstream.

When two recent commits that increased the size of the 'struct cpu_entry_area'
were merged in -tip, the 32-bit defconfig build started failing on the following
build time assert:

  ./include/linux/compiler.h:391:38: error: call to ‘__compiletime_assert_189’ declared with attribute error: BUILD_BUG_ON failed: CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE
  arch/x86/mm/cpu_entry_area.c:189:2: note: in expansion of macro ‘BUILD_BUG_ON’
  In function ‘setup_cpu_entry_area_ptes’,

Which corresponds to the following build time assert:

	BUILD_BUG_ON(CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE);

The purpose of this assert is to sanity check the fixed-value definition of
CPU_ENTRY_AREA_PAGES arch/x86/include/asm/pgtable_32_types.h:

	#define CPU_ENTRY_AREA_PAGES    (NR_CPUS * 41)

The '41' is supposed to match sizeof(struct cpu_entry_area)/PAGE_SIZE, which value
we didn't want to define in such a low level header, because it would cause
dependency hell.

Every time the size of cpu_entry_area is changed, we have to adjust CPU_ENTRY_AREA_PAGES
accordingly - and this assert is checking that constraint.

But the assert is both imprecise and buggy, primarily because it doesn't
include the single readonly IDT page that is mapped at CPU_ENTRY_AREA_BASE
(which begins at a PMD boundary).

This bug was hidden by the fact that by accident CPU_ENTRY_AREA_PAGES is defined
too large upstream (v5.4-rc8):

	#define CPU_ENTRY_AREA_PAGES    (NR_CPUS * 40)

While 'struct cpu_entry_area' is 155648 bytes, or 38 pages. So we had two extra
pages, which hid the bug.

The following commit (not yet upstream) increased the size to 40 pages:

  x86/iopl: ("Restrict iopl() permission scope")

... but increased CPU_ENTRY_AREA_PAGES only 41 - i.e. shortening the gap
to just 1 extra page.

Then another not-yet-upstream commit changed the size again:

  880a98c33996: ("x86/cpu_entry_area: Add guard page for entry stack on 32bit")

Which increased the cpu_entry_area size from 38 to 39 pages, but
didn't change CPU_ENTRY_AREA_PAGES (kept it at 40). This worked
fine, because we still had a page left from the accidental 'reserve'.

But when these two commits were merged into the same tree, the
combined size of cpu_entry_area grew from 38 to 40 pages, while
CPU_ENTRY_AREA_PAGES finally caught up to 40 as well.

Which is fine in terms of functionality, but the assert broke:

	BUILD_BUG_ON(CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE);

because CPU_ENTRY_AREA_MAP_SIZE is the total size of the area,
which is 1 page larger due to the IDT page.

To fix all this, change the assert to two precise asserts:

	BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
	BUILD_BUG_ON(CPU_ENTRY_AREA_TOTAL_SIZE != CPU_ENTRY_AREA_MAP_SIZE);

This takes the IDT page into account, and also connects the size-based
define of CPU_ENTRY_AREA_TOTAL_SIZE with the address-subtraction based
define of CPU_ENTRY_AREA_MAP_SIZE.

Also clean up some of the names which made it rather confusing:

 - 'CPU_ENTRY_AREA_TOT_SIZE' wasn't actually the 'total' size of
   the cpu-entry-area, but the per-cpu array size, so rename this
   to CPU_ENTRY_AREA_ARRAY_SIZE.

 - Introduce CPU_ENTRY_AREA_TOTAL_SIZE that _is_ the total mapping
   size, with the IDT included.

 - Add comments where '+1' denotes the IDT mapping - it wasn't
   obvious and took me about 3 hours to decode...

Finally, because this particular commit is actually applied after
this patch:

  880a98c33996: ("x86/cpu_entry_area: Add guard page for entry stack on 32bit")

Fix the CPU_ENTRY_AREA_PAGES value from 40 pages to the correct 39 pages.

All future commits that change cpu_entry_area will have to adjust
this value precisely.

As a side note, we should probably attempt to remove CPU_ENTRY_AREA_PAGES
and derive its value directly from the structure, without causing
header hell - but that is an adventure for another day! :-)

Fixes: 880a98c33996: ("x86/cpu_entry_area: Add guard page for entry stack on 32bit")
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: stable@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/cpu_entry_area.h   |   12 +++++++-----
 arch/x86/include/asm/pgtable_32_types.h |    8 ++++----
 arch/x86/mm/cpu_entry_area.c            |    4 +++-
 3 files changed, 14 insertions(+), 10 deletions(-)

--- a/arch/x86/include/asm/cpu_entry_area.h
+++ b/arch/x86/include/asm/cpu_entry_area.h
@@ -45,7 +45,6 @@ struct cpu_entry_area {
 	 */
 	char exception_stacks[(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ];
 #endif
-#ifdef CONFIG_CPU_SUP_INTEL
 	/*
 	 * Per CPU debug store for Intel performance monitoring. Wastes a
 	 * full page at the moment.
@@ -56,24 +55,27 @@ struct cpu_entry_area {
 	 * Reserve enough fixmap PTEs.
 	 */
 	struct debug_store_buffers cpu_debug_buffers;
-#endif
 };
 
-#define CPU_ENTRY_AREA_SIZE	(sizeof(struct cpu_entry_area))
-#define CPU_ENTRY_AREA_TOT_SIZE	(CPU_ENTRY_AREA_SIZE * NR_CPUS)
+#define CPU_ENTRY_AREA_SIZE		(sizeof(struct cpu_entry_area))
+#define CPU_ENTRY_AREA_ARRAY_SIZE	(CPU_ENTRY_AREA_SIZE * NR_CPUS)
+
+/* Total size includes the readonly IDT mapping page as well: */
+#define CPU_ENTRY_AREA_TOTAL_SIZE	(CPU_ENTRY_AREA_ARRAY_SIZE + PAGE_SIZE)
 
 DECLARE_PER_CPU(struct cpu_entry_area *, cpu_entry_area);
 
 extern void setup_cpu_entry_areas(void);
 extern void cea_set_pte(void *cea_vaddr, phys_addr_t pa, pgprot_t flags);
 
+/* Single page reserved for the readonly IDT mapping: */
 #define	CPU_ENTRY_AREA_RO_IDT		CPU_ENTRY_AREA_BASE
 #define CPU_ENTRY_AREA_PER_CPU		(CPU_ENTRY_AREA_RO_IDT + PAGE_SIZE)
 
 #define CPU_ENTRY_AREA_RO_IDT_VADDR	((void *)CPU_ENTRY_AREA_RO_IDT)
 
 #define CPU_ENTRY_AREA_MAP_SIZE			\
-	(CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_TOT_SIZE - CPU_ENTRY_AREA_BASE)
+	(CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_ARRAY_SIZE - CPU_ENTRY_AREA_BASE)
 
 extern struct cpu_entry_area *get_cpu_entry_area(int cpu);
 
--- a/arch/x86/include/asm/pgtable_32_types.h
+++ b/arch/x86/include/asm/pgtable_32_types.h
@@ -44,11 +44,11 @@ extern bool __vmalloc_start_set; /* set
  * Define this here and validate with BUILD_BUG_ON() in pgtable_32.c
  * to avoid include recursion hell
  */
-#define CPU_ENTRY_AREA_PAGES	(NR_CPUS * 40)
+#define CPU_ENTRY_AREA_PAGES	(NR_CPUS * 39)
 
-#define CPU_ENTRY_AREA_BASE						\
-	((FIXADDR_TOT_START - PAGE_SIZE * (CPU_ENTRY_AREA_PAGES + 1))   \
-	 & PMD_MASK)
+/* The +1 is for the readonly IDT page: */
+#define CPU_ENTRY_AREA_BASE	\
+	((FIXADDR_TOT_START - PAGE_SIZE*(CPU_ENTRY_AREA_PAGES+1)) & PMD_MASK)
 
 #define LDT_BASE_ADDR		\
 	((CPU_ENTRY_AREA_BASE - PAGE_SIZE) & PMD_MASK)
--- a/arch/x86/mm/cpu_entry_area.c
+++ b/arch/x86/mm/cpu_entry_area.c
@@ -188,7 +188,9 @@ static __init void setup_cpu_entry_area_
 #ifdef CONFIG_X86_32
 	unsigned long start, end;
 
-	BUILD_BUG_ON(CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE);
+	/* The +1 is for the readonly IDT: */
+	BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
+	BUILD_BUG_ON(CPU_ENTRY_AREA_TOTAL_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
 	BUG_ON(CPU_ENTRY_AREA_BASE & ~PMD_MASK);
 
 	start = CPU_ENTRY_AREA_BASE;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 277/306] x86/entry/32: Fix FIXUP_ESPFIX_STACK with user CR3
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (274 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 276/306] x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the CPU_ENTRY_AREA_PAGES assert precise Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 278/306] y2038: futex: Move compat implementation into futex.c Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Peter Zijlstra,
	Thomas Gleixner, Linus Torvalds, Ingo Molnar, Borislav Petkov

From: Andy Lutomirski <luto@kernel.org>

commit 4a13b0e3e10996b9aa0b45a764ecfe49f6fcd360 upstream.

UNWIND_ESPFIX_STACK needs to read the GDT, and the GDT mapping that
can be accessed via %fs is not mapped in the user pagetables.  Use
SGDT to find the cpu_entry_area mapping and read the espfix offset
from that instead.

Reported-and-tested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/entry/entry_32.S |   21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -315,7 +315,8 @@
 
 .macro CHECK_AND_APPLY_ESPFIX
 #ifdef CONFIG_X86_ESPFIX32
-#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
+#define GDT_ESPFIX_OFFSET (GDT_ENTRY_ESPFIX_SS * 8)
+#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + GDT_ESPFIX_OFFSET
 
 	ALTERNATIVE	"jmp .Lend_\@", "", X86_BUG_ESPFIX
 
@@ -1056,12 +1057,26 @@ ENDPROC(entry_INT80_32)
  * We can't call C functions using the ESPFIX stack. This code reads
  * the high word of the segment base from the GDT and swiches to the
  * normal stack and adjusts ESP with the matching offset.
+ *
+ * We might be on user CR3 here, so percpu data is not mapped and we can't
+ * access the GDT through the percpu segment.  Instead, use SGDT to find
+ * the cpu_entry_area alias of the GDT.
  */
 #ifdef CONFIG_X86_ESPFIX32
 	/* fixup the stack */
-	mov	GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
-	mov	GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
+	pushl	%ecx
+	subl	$2*4, %esp
+	sgdt	(%esp)
+	movl	2(%esp), %ecx				/* GDT address */
+	/*
+	 * Careful: ECX is a linear pointer, so we need to force base
+	 * zero.  %cs is the only known-linear segment we have right now.
+	 */
+	mov	%cs:GDT_ESPFIX_OFFSET + 4(%ecx), %al	/* bits 16..23 */
+	mov	%cs:GDT_ESPFIX_OFFSET + 7(%ecx), %ah	/* bits 24..31 */
 	shl	$16, %eax
+	addl	$2*4, %esp
+	popl	%ecx
 	addl	%esp, %eax			/* the adjusted stack pointer */
 	pushl	$__KERNEL_DS
 	pushl	%eax



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 278/306] y2038: futex: Move compat implementation into futex.c
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (275 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 277/306] x86/entry/32: Fix FIXUP_ESPFIX_STACK with user CR3 Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 279/306] futex: Prevent robust futex exit race Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann

From: Arnd Bergmann <arnd@arndb.de>

commit 04e7712f4460585e5eed5b853fd8b82a9943958f upstream.

We are going to share the compat_sys_futex() handler between 64-bit
architectures and 32-bit architectures that need to deal with both 32-bit
and 64-bit time_t, and this is easier if both entry points are in the
same file.

In fact, most other system call handlers do the same thing these days, so
let's follow the trend here and merge all of futex_compat.c into futex.c.

In the process, a few minor changes have to be done to make sure everything
still makes sense: handle_futex_death() and futex_cmpxchg_enabled() become
local symbol, and the compat version of the fetch_robust_entry() function
gets renamed to compat_fetch_robust_entry() to avoid a symbol clash.

This is intended as a purely cosmetic patch, no behavior should
change.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/futex.h |    8 -
 kernel/Makefile       |    3 
 kernel/futex.c        |  195 +++++++++++++++++++++++++++++++++++++++++++++++-
 kernel/futex_compat.c |  202 --------------------------------------------------
 4 files changed, 192 insertions(+), 216 deletions(-)

--- a/include/linux/futex.h
+++ b/include/linux/futex.h
@@ -9,9 +9,6 @@ struct inode;
 struct mm_struct;
 struct task_struct;
 
-extern int
-handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi);
-
 /*
  * Futexes are matched on equal values of this key.
  * The key type depends on whether it's a shared or private mapping.
@@ -55,11 +52,6 @@ extern void exit_robust_list(struct task
 
 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
 	      u32 __user *uaddr2, u32 val2, u32 val3);
-#ifdef CONFIG_HAVE_FUTEX_CMPXCHG
-#define futex_cmpxchg_enabled 1
-#else
-extern int futex_cmpxchg_enabled;
-#endif
 #else
 static inline void exit_robust_list(struct task_struct *curr)
 {
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -50,9 +50,6 @@ obj-$(CONFIG_PROFILING) += profile.o
 obj-$(CONFIG_STACKTRACE) += stacktrace.o
 obj-y += time/
 obj-$(CONFIG_FUTEX) += futex.o
-ifeq ($(CONFIG_COMPAT),y)
-obj-$(CONFIG_FUTEX) += futex_compat.o
-endif
 obj-$(CONFIG_GENERIC_ISA_DMA) += dma.o
 obj-$(CONFIG_SMP) += smp.o
 ifneq ($(CONFIG_SMP),y)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -44,6 +44,7 @@
  *  along with this program; if not, write to the Free Software
  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
+#include <linux/compat.h>
 #include <linux/slab.h>
 #include <linux/poll.h>
 #include <linux/fs.h>
@@ -173,8 +174,10 @@
  * double_lock_hb() and double_unlock_hb(), respectively.
  */
 
-#ifndef CONFIG_HAVE_FUTEX_CMPXCHG
-int __read_mostly futex_cmpxchg_enabled;
+#ifdef CONFIG_HAVE_FUTEX_CMPXCHG
+#define futex_cmpxchg_enabled 1
+#else
+static int  __read_mostly futex_cmpxchg_enabled;
 #endif
 
 /*
@@ -3458,7 +3461,7 @@ err_unlock:
  * Process a futex-list entry, check whether it's owned by the
  * dying task, and do notification if so:
  */
-int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
+static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
 {
 	u32 uval, uninitialized_var(nval), mval;
 	int err;
@@ -3707,6 +3710,192 @@ SYSCALL_DEFINE6(futex, u32 __user *, uad
 	return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
 }
 
+#ifdef CONFIG_COMPAT
+/*
+ * Fetch a robust-list pointer. Bit 0 signals PI futexes:
+ */
+static inline int
+compat_fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
+		   compat_uptr_t __user *head, unsigned int *pi)
+{
+	if (get_user(*uentry, head))
+		return -EFAULT;
+
+	*entry = compat_ptr((*uentry) & ~1);
+	*pi = (unsigned int)(*uentry) & 1;
+
+	return 0;
+}
+
+static void __user *futex_uaddr(struct robust_list __user *entry,
+				compat_long_t futex_offset)
+{
+	compat_uptr_t base = ptr_to_compat(entry);
+	void __user *uaddr = compat_ptr(base + futex_offset);
+
+	return uaddr;
+}
+
+/*
+ * Walk curr->robust_list (very carefully, it's a userspace list!)
+ * and mark any locks found there dead, and notify any waiters.
+ *
+ * We silently return on any sign of list-walking problem.
+ */
+void compat_exit_robust_list(struct task_struct *curr)
+{
+	struct compat_robust_list_head __user *head = curr->compat_robust_list;
+	struct robust_list __user *entry, *next_entry, *pending;
+	unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
+	unsigned int uninitialized_var(next_pi);
+	compat_uptr_t uentry, next_uentry, upending;
+	compat_long_t futex_offset;
+	int rc;
+
+	if (!futex_cmpxchg_enabled)
+		return;
+
+	/*
+	 * Fetch the list head (which was registered earlier, via
+	 * sys_set_robust_list()):
+	 */
+	if (compat_fetch_robust_entry(&uentry, &entry, &head->list.next, &pi))
+		return;
+	/*
+	 * Fetch the relative futex offset:
+	 */
+	if (get_user(futex_offset, &head->futex_offset))
+		return;
+	/*
+	 * Fetch any possibly pending lock-add first, and handle it
+	 * if it exists:
+	 */
+	if (compat_fetch_robust_entry(&upending, &pending,
+			       &head->list_op_pending, &pip))
+		return;
+
+	next_entry = NULL;	/* avoid warning with gcc */
+	while (entry != (struct robust_list __user *) &head->list) {
+		/*
+		 * Fetch the next entry in the list before calling
+		 * handle_futex_death:
+		 */
+		rc = compat_fetch_robust_entry(&next_uentry, &next_entry,
+			(compat_uptr_t __user *)&entry->next, &next_pi);
+		/*
+		 * A pending lock might already be on the list, so
+		 * dont process it twice:
+		 */
+		if (entry != pending) {
+			void __user *uaddr = futex_uaddr(entry, futex_offset);
+
+			if (handle_futex_death(uaddr, curr, pi))
+				return;
+		}
+		if (rc)
+			return;
+		uentry = next_uentry;
+		entry = next_entry;
+		pi = next_pi;
+		/*
+		 * Avoid excessively long or circular lists:
+		 */
+		if (!--limit)
+			break;
+
+		cond_resched();
+	}
+	if (pending) {
+		void __user *uaddr = futex_uaddr(pending, futex_offset);
+
+		handle_futex_death(uaddr, curr, pip);
+	}
+}
+
+COMPAT_SYSCALL_DEFINE2(set_robust_list,
+		struct compat_robust_list_head __user *, head,
+		compat_size_t, len)
+{
+	if (!futex_cmpxchg_enabled)
+		return -ENOSYS;
+
+	if (unlikely(len != sizeof(*head)))
+		return -EINVAL;
+
+	current->compat_robust_list = head;
+
+	return 0;
+}
+
+COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
+			compat_uptr_t __user *, head_ptr,
+			compat_size_t __user *, len_ptr)
+{
+	struct compat_robust_list_head __user *head;
+	unsigned long ret;
+	struct task_struct *p;
+
+	if (!futex_cmpxchg_enabled)
+		return -ENOSYS;
+
+	rcu_read_lock();
+
+	ret = -ESRCH;
+	if (!pid)
+		p = current;
+	else {
+		p = find_task_by_vpid(pid);
+		if (!p)
+			goto err_unlock;
+	}
+
+	ret = -EPERM;
+	if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
+		goto err_unlock;
+
+	head = p->compat_robust_list;
+	rcu_read_unlock();
+
+	if (put_user(sizeof(*head), len_ptr))
+		return -EFAULT;
+	return put_user(ptr_to_compat(head), head_ptr);
+
+err_unlock:
+	rcu_read_unlock();
+
+	return ret;
+}
+
+COMPAT_SYSCALL_DEFINE6(futex, u32 __user *, uaddr, int, op, u32, val,
+		struct old_timespec32 __user *, utime, u32 __user *, uaddr2,
+		u32, val3)
+{
+	struct timespec ts;
+	ktime_t t, *tp = NULL;
+	int val2 = 0;
+	int cmd = op & FUTEX_CMD_MASK;
+
+	if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI ||
+		      cmd == FUTEX_WAIT_BITSET ||
+		      cmd == FUTEX_WAIT_REQUEUE_PI)) {
+		if (compat_get_timespec(&ts, utime))
+			return -EFAULT;
+		if (!timespec_valid(&ts))
+			return -EINVAL;
+
+		t = timespec_to_ktime(ts);
+		if (cmd == FUTEX_WAIT)
+			t = ktime_add_safe(ktime_get(), t);
+		tp = &t;
+	}
+	if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE ||
+	    cmd == FUTEX_CMP_REQUEUE_PI || cmd == FUTEX_WAKE_OP)
+		val2 = (int) (unsigned long) utime;
+
+	return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
+}
+#endif /* CONFIG_COMPAT */
+
 static void __init futex_detect_cmpxchg(void)
 {
 #ifndef CONFIG_HAVE_FUTEX_CMPXCHG
--- a/kernel/futex_compat.c
+++ /dev/null
@@ -1,202 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * linux/kernel/futex_compat.c
- *
- * Futex compatibililty routines.
- *
- * Copyright 2006, Red Hat, Inc., Ingo Molnar
- */
-
-#include <linux/linkage.h>
-#include <linux/compat.h>
-#include <linux/nsproxy.h>
-#include <linux/futex.h>
-#include <linux/ptrace.h>
-#include <linux/syscalls.h>
-
-#include <linux/uaccess.h>
-
-
-/*
- * Fetch a robust-list pointer. Bit 0 signals PI futexes:
- */
-static inline int
-fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
-		   compat_uptr_t __user *head, unsigned int *pi)
-{
-	if (get_user(*uentry, head))
-		return -EFAULT;
-
-	*entry = compat_ptr((*uentry) & ~1);
-	*pi = (unsigned int)(*uentry) & 1;
-
-	return 0;
-}
-
-static void __user *futex_uaddr(struct robust_list __user *entry,
-				compat_long_t futex_offset)
-{
-	compat_uptr_t base = ptr_to_compat(entry);
-	void __user *uaddr = compat_ptr(base + futex_offset);
-
-	return uaddr;
-}
-
-/*
- * Walk curr->robust_list (very carefully, it's a userspace list!)
- * and mark any locks found there dead, and notify any waiters.
- *
- * We silently return on any sign of list-walking problem.
- */
-void compat_exit_robust_list(struct task_struct *curr)
-{
-	struct compat_robust_list_head __user *head = curr->compat_robust_list;
-	struct robust_list __user *entry, *next_entry, *pending;
-	unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
-	unsigned int uninitialized_var(next_pi);
-	compat_uptr_t uentry, next_uentry, upending;
-	compat_long_t futex_offset;
-	int rc;
-
-	if (!futex_cmpxchg_enabled)
-		return;
-
-	/*
-	 * Fetch the list head (which was registered earlier, via
-	 * sys_set_robust_list()):
-	 */
-	if (fetch_robust_entry(&uentry, &entry, &head->list.next, &pi))
-		return;
-	/*
-	 * Fetch the relative futex offset:
-	 */
-	if (get_user(futex_offset, &head->futex_offset))
-		return;
-	/*
-	 * Fetch any possibly pending lock-add first, and handle it
-	 * if it exists:
-	 */
-	if (fetch_robust_entry(&upending, &pending,
-			       &head->list_op_pending, &pip))
-		return;
-
-	next_entry = NULL;	/* avoid warning with gcc */
-	while (entry != (struct robust_list __user *) &head->list) {
-		/*
-		 * Fetch the next entry in the list before calling
-		 * handle_futex_death:
-		 */
-		rc = fetch_robust_entry(&next_uentry, &next_entry,
-			(compat_uptr_t __user *)&entry->next, &next_pi);
-		/*
-		 * A pending lock might already be on the list, so
-		 * dont process it twice:
-		 */
-		if (entry != pending) {
-			void __user *uaddr = futex_uaddr(entry, futex_offset);
-
-			if (handle_futex_death(uaddr, curr, pi))
-				return;
-		}
-		if (rc)
-			return;
-		uentry = next_uentry;
-		entry = next_entry;
-		pi = next_pi;
-		/*
-		 * Avoid excessively long or circular lists:
-		 */
-		if (!--limit)
-			break;
-
-		cond_resched();
-	}
-	if (pending) {
-		void __user *uaddr = futex_uaddr(pending, futex_offset);
-
-		handle_futex_death(uaddr, curr, pip);
-	}
-}
-
-COMPAT_SYSCALL_DEFINE2(set_robust_list,
-		struct compat_robust_list_head __user *, head,
-		compat_size_t, len)
-{
-	if (!futex_cmpxchg_enabled)
-		return -ENOSYS;
-
-	if (unlikely(len != sizeof(*head)))
-		return -EINVAL;
-
-	current->compat_robust_list = head;
-
-	return 0;
-}
-
-COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
-			compat_uptr_t __user *, head_ptr,
-			compat_size_t __user *, len_ptr)
-{
-	struct compat_robust_list_head __user *head;
-	unsigned long ret;
-	struct task_struct *p;
-
-	if (!futex_cmpxchg_enabled)
-		return -ENOSYS;
-
-	rcu_read_lock();
-
-	ret = -ESRCH;
-	if (!pid)
-		p = current;
-	else {
-		p = find_task_by_vpid(pid);
-		if (!p)
-			goto err_unlock;
-	}
-
-	ret = -EPERM;
-	if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
-		goto err_unlock;
-
-	head = p->compat_robust_list;
-	rcu_read_unlock();
-
-	if (put_user(sizeof(*head), len_ptr))
-		return -EFAULT;
-	return put_user(ptr_to_compat(head), head_ptr);
-
-err_unlock:
-	rcu_read_unlock();
-
-	return ret;
-}
-
-COMPAT_SYSCALL_DEFINE6(futex, u32 __user *, uaddr, int, op, u32, val,
-		struct compat_timespec __user *, utime, u32 __user *, uaddr2,
-		u32, val3)
-{
-	struct timespec ts;
-	ktime_t t, *tp = NULL;
-	int val2 = 0;
-	int cmd = op & FUTEX_CMD_MASK;
-
-	if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI ||
-		      cmd == FUTEX_WAIT_BITSET ||
-		      cmd == FUTEX_WAIT_REQUEUE_PI)) {
-		if (compat_get_timespec(&ts, utime))
-			return -EFAULT;
-		if (!timespec_valid(&ts))
-			return -EINVAL;
-
-		t = timespec_to_ktime(ts);
-		if (cmd == FUTEX_WAIT)
-			t = ktime_add_safe(ktime_get(), t);
-		tp = &t;
-	}
-	if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE ||
-	    cmd == FUTEX_CMP_REQUEUE_PI || cmd == FUTEX_WAKE_OP)
-		val2 = (int) (unsigned long) utime;
-
-	return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
-}



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 279/306] futex: Prevent robust futex exit race
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (276 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 278/306] y2038: futex: Move compat implementation into futex.c Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 280/306] ALSA: usb-audio: Fix NULL dereference at parsing BADD Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Tao, Yi Wang, Thomas Gleixner,
	Ingo Molnar, Peter Zijlstra (Intel)

From: Yang Tao <yang.tao172@zte.com.cn>

commit ca16d5bee59807bf04deaab0a8eccecd5061528c upstream.

Robust futexes utilize the robust_list mechanism to allow the kernel to
release futexes which are held when a task exits. The exit can be voluntary
or caused by a signal or fault. This prevents that waiters block forever.

The futex operations in user space store a pointer to the futex they are
either locking or unlocking in the op_pending member of the per task robust
list.

After a lock operation has succeeded the futex is queued in the robust list
linked list and the op_pending pointer is cleared.

After an unlock operation has succeeded the futex is removed from the
robust list linked list and the op_pending pointer is cleared.

The robust list exit code checks for the pending operation and any futex
which is queued in the linked list. It carefully checks whether the futex
value is the TID of the exiting task. If so, it sets the OWNER_DIED bit and
tries to wake up a potential waiter.

This is race free for the lock operation but unlock has two race scenarios
where waiters might not be woken up. These issues can be observed with
regular robust pthread mutexes. PI aware pthread mutexes are not affected.

(1) Unlocking task is killed after unlocking the futex value in user space
    before being able to wake a waiter.

        pthread_mutex_unlock()
                |
                V
        atomic_exchange_rel (&mutex->__data.__lock, 0)
                        <------------------------killed
            lll_futex_wake ()                   |
                                                |
                                                |(__lock = 0)
                                                |(enter kernel)
                                                |
                                                V
                                            do_exit()
                                            exit_mm()
                                          mm_release()
                                        exit_robust_list()
                                        handle_futex_death()
                                                |
                                                |(__lock = 0)
                                                |(uval = 0)
                                                |
                                                V
        if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
                return 0;

    The sanity check which ensures that the user space futex is owned by
    the exiting task prevents the wakeup of waiters which in consequence
    block infinitely.

(2) Waiting task is killed after a wakeup and before it can acquire the
    futex in user space.

        OWNER                         WAITER
				futex_wait()
   pthread_mutex_unlock()               |
                |                       |
                |(__lock = 0)           |
                |                       |
                V                       |
         futex_wake() ------------>  wakeup()
                                        |
                                        |(return to userspace)
                                        |(__lock = 0)
                                        |
                                        V
                        oldval = mutex->__data.__lock
                                          <-----------------killed
    atomic_compare_and_exchange_val_acq (&mutex->__data.__lock,  |
                        id | assume_other_futex_waiters, 0)      |
                                                                 |
                                                                 |
                                                   (enter kernel)|
                                                                 |
                                                                 V
                                                         do_exit()
                                                        |
                                                        |
                                                        V
                                        handle_futex_death()
                                        |
                                        |(__lock = 0)
                                        |(uval = 0)
                                        |
                                        V
        if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
                return 0;

    The sanity check which ensures that the user space futex is owned
    by the exiting task prevents the wakeup of waiters, which seems to
    be correct as the exiting task does not own the futex value, but
    the consequence is that other waiters wont be woken up and block
    infinitely.

In both scenarios the following conditions are true:

   - task->robust_list->list_op_pending != NULL
   - user space futex value == 0
   - Regular futex (not PI)

If these conditions are met then it is reasonably safe to wake up a
potential waiter in order to prevent the above problems.

As this might be a false positive it can cause spurious wakeups, but the
waiter side has to handle other types of unrelated wakeups, e.g. signals
gracefully anyway. So such a spurious wakeup will not affect the
correctness of these operations.

This workaround must not touch the user space futex value and cannot set
the OWNER_DIED bit because the lock value is 0, i.e. uncontended. Setting
OWNER_DIED in this case would result in inconsistent state and subsequently
in malfunction of the owner died handling in user space.

The rest of the user space state is still consistent as no other task can
observe the list_op_pending entry in the exiting tasks robust list.

The eventually woken up waiter will observe the uncontended lock value and
take it over.

[ tglx: Massaged changelog and comment. Made the return explicit and not
  	depend on the subsequent check and added constants to hand into
  	handle_futex_death() instead of plain numbers. Fixed a few coding
	style issues. ]

Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core")
Signed-off-by: Yang Tao <yang.tao172@zte.com.cn>
Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1573010582-35297-1-git-send-email-wang.yi59@zte.com.cn
Link: https://lkml.kernel.org/r/20191106224555.943191378@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/futex.c |   58 ++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 51 insertions(+), 7 deletions(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3457,11 +3457,16 @@ err_unlock:
 	return ret;
 }
 
+/* Constants for the pending_op argument of handle_futex_death */
+#define HANDLE_DEATH_PENDING	true
+#define HANDLE_DEATH_LIST	false
+
 /*
  * Process a futex-list entry, check whether it's owned by the
  * dying task, and do notification if so:
  */
-static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
+static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
+			      bool pi, bool pending_op)
 {
 	u32 uval, uninitialized_var(nval), mval;
 	int err;
@@ -3474,6 +3479,42 @@ retry:
 	if (get_user(uval, uaddr))
 		return -1;
 
+	/*
+	 * Special case for regular (non PI) futexes. The unlock path in
+	 * user space has two race scenarios:
+	 *
+	 * 1. The unlock path releases the user space futex value and
+	 *    before it can execute the futex() syscall to wake up
+	 *    waiters it is killed.
+	 *
+	 * 2. A woken up waiter is killed before it can acquire the
+	 *    futex in user space.
+	 *
+	 * In both cases the TID validation below prevents a wakeup of
+	 * potential waiters which can cause these waiters to block
+	 * forever.
+	 *
+	 * In both cases the following conditions are met:
+	 *
+	 *	1) task->robust_list->list_op_pending != NULL
+	 *	   @pending_op == true
+	 *	2) User space futex value == 0
+	 *	3) Regular futex: @pi == false
+	 *
+	 * If these conditions are met, it is safe to attempt waking up a
+	 * potential waiter without touching the user space futex value and
+	 * trying to set the OWNER_DIED bit. The user space futex value is
+	 * uncontended and the rest of the user space mutex state is
+	 * consistent, so a woken waiter will just take over the
+	 * uncontended futex. Setting the OWNER_DIED bit would create
+	 * inconsistent state and malfunction of the user space owner died
+	 * handling.
+	 */
+	if (pending_op && !pi && !uval) {
+		futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
+		return 0;
+	}
+
 	if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
 		return 0;
 
@@ -3593,10 +3634,11 @@ void exit_robust_list(struct task_struct
 		 * A pending lock might already be on the list, so
 		 * don't process it twice:
 		 */
-		if (entry != pending)
+		if (entry != pending) {
 			if (handle_futex_death((void __user *)entry + futex_offset,
-						curr, pi))
+						curr, pi, HANDLE_DEATH_LIST))
 				return;
+		}
 		if (rc)
 			return;
 		entry = next_entry;
@@ -3610,9 +3652,10 @@ void exit_robust_list(struct task_struct
 		cond_resched();
 	}
 
-	if (pending)
+	if (pending) {
 		handle_futex_death((void __user *)pending + futex_offset,
-				   curr, pip);
+				   curr, pip, HANDLE_DEATH_PENDING);
+	}
 }
 
 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
@@ -3789,7 +3832,8 @@ void compat_exit_robust_list(struct task
 		if (entry != pending) {
 			void __user *uaddr = futex_uaddr(entry, futex_offset);
 
-			if (handle_futex_death(uaddr, curr, pi))
+			if (handle_futex_death(uaddr, curr, pi,
+					       HANDLE_DEATH_LIST))
 				return;
 		}
 		if (rc)
@@ -3808,7 +3852,7 @@ void compat_exit_robust_list(struct task
 	if (pending) {
 		void __user *uaddr = futex_uaddr(pending, futex_offset);
 
-		handle_futex_death(uaddr, curr, pip);
+		handle_futex_death(uaddr, curr, pip, HANDLE_DEATH_PENDING);
 	}
 }
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 280/306] ALSA: usb-audio: Fix NULL dereference at parsing BADD
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (277 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 279/306] futex: Prevent robust futex exit race Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 281/306] nfc: port100: handle command failure cleanly Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+a36ab65c6653d7ccdd62,
	Dan Carpenter, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 9435f2bb66874a0c4dd25e7c978957a7ca2c93b1 upstream.

snd_usb_mixer_controls_badd() that parses UAC3 BADD profiles misses a
NULL check for the given interfaces.  When a malformed USB descriptor
is passed, this may lead to an Oops, as spotted by syzkaller.
Skip the iteration if the interface doesn't exist for avoiding the
crash.

Fixes: 17156f23e93c ("ALSA: usb: add UAC3 BADD profiles support")
Reported-by: syzbot+a36ab65c6653d7ccdd62@syzkaller.appspotmail.com
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191122112840.24797-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/mixer.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2949,6 +2949,9 @@ static int snd_usb_mixer_controls_badd(s
 			continue;
 
 		iface = usb_ifnum_to_if(dev, intf);
+		if (!iface)
+			continue;
+
 		num = iface->num_altsetting;
 
 		if (num < 2)



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 281/306] nfc: port100: handle command failure cleanly
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (278 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 280/306] ALSA: usb-audio: Fix NULL dereference at parsing BADD Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 282/306] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Neukum, David S. Miller,
	syzbot+711468aa5c3a1eabf863

From: Oliver Neukum <oneukum@suse.com>

commit 5f9f0b11f0816b35867f2cf71e54d95f53f03902 upstream.

If starting the transfer of a command suceeds but the transfer for the reply
fails, it is not enough to initiate killing the transfer for the
command may still be running. You need to wait for the killing to finish
before you can reuse URB and buffer.

Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nfc/port100.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -792,7 +792,7 @@ static int port100_send_frame_async(stru
 
 	rc = port100_submit_urb_for_ack(dev, GFP_KERNEL);
 	if (rc)
-		usb_unlink_urb(dev->out_urb);
+		usb_kill_urb(dev->out_urb);
 
 exit:
 	mutex_unlock(&dev->out_urb_lock);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 282/306] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (279 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 281/306] nfc: port100: handle command failure cleanly Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-28  3:33   ` Nobuhiro Iwamatsu
  2019-11-27 20:32 ` [PATCH 4.19 283/306] media: vivid: Set vid_cap_streaming and vid_out_streaming to true Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Miller, Lukas Bulwahn, Jouni Hogander

From: Jouni Hogander <jouni.hogander@unikie.com>

commit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.

kobject_init_and_add takes reference even when it fails. This has
to be given up by the caller in error handling. Otherwise memory
allocated by kobject_init_and_add is never freed. Originally found
by Syzkaller:

BUG: memory leak
unreferenced object 0xffff8880679f8b08 (size 8):
  comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
  hex dump (first 8 bytes):
    72 78 2d 30 00 36 20 d4                          rx-0.6 .
  backtrace:
    [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
    [<000000001f2e4e49>] kvasprintf+0xb1/0x140
    [<000000007f313394>] kvasprintf_const+0x56/0x160
    [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
    [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
    [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
    [<000000006be5f104>] netdev_register_kobject+0x210/0x380
    [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
    [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
    [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
    [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
    [<0000000038d946e5>] do_syscall_64+0x16f/0x580
    [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000285b3d1a>] 0xffffffffffffffff

Cc: David Miller <davem@davemloft.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/net-sysfs.c |   24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -932,21 +932,23 @@ static int rx_queue_add_kobject(struct n
 	error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
 				     "rx-%u", index);
 	if (error)
-		return error;
+		goto err;
 
 	dev_hold(queue->dev);
 
 	if (dev->sysfs_rx_queue_group) {
 		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
-		if (error) {
-			kobject_put(kobj);
-			return error;
-		}
+		if (error)
+			goto err;
 	}
 
 	kobject_uevent(kobj, KOBJ_ADD);
 
 	return error;
+
+err:
+	kobject_put(kobj);
+	return error;
 }
 #endif /* CONFIG_SYSFS */
 
@@ -1471,21 +1473,21 @@ static int netdev_queue_add_kobject(stru
 	error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
 				     "tx-%u", index);
 	if (error)
-		return error;
+		goto err;
 
 	dev_hold(queue->dev);
 
 #ifdef CONFIG_BQL
 	error = sysfs_create_group(kobj, &dql_group);
-	if (error) {
-		kobject_put(kobj);
-		return error;
-	}
+	if (error)
+		goto err;
 #endif
 
 	kobject_uevent(kobj, KOBJ_ADD);
 
-	return 0;
+err:
+	kobject_put(kobj);
+	return error;
 }
 #endif /* CONFIG_SYSFS */
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 283/306] media: vivid: Set vid_cap_streaming and vid_out_streaming to true
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (280 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 282/306] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 284/306] media: vivid: Fix wrong locking that causes race conditions on streaming stop Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vandana BN, Hans Verkuil,
	Mauro Carvalho Chehab

From: Vandana BN <bnvandana@gmail.com>

commit b4add02d2236fd5f568db141cfd8eb4290972eb3 upstream.

When vbi stream is started, followed by video streaming,
the vid_cap_streaming and vid_out_streaming were not being set to true,
which would cause the video stream to stop when vbi stream is stopped.
This patch allows to set vid_cap_streaming and vid_out_streaming to true.
According to Hans Verkuil it appears that these 'if (dev->kthread_vid_cap)'
checks are a left-over from the original vivid development and should never
have been there.

Signed-off-by: Vandana BN <bnvandana@gmail.com>
Cc: <stable@vger.kernel.org>      # for v3.18 and up
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/vivid/vivid-vid-cap.c |    3 ---
 drivers/media/platform/vivid/vivid-vid-out.c |    3 ---
 2 files changed, 6 deletions(-)

--- a/drivers/media/platform/vivid/vivid-vid-cap.c
+++ b/drivers/media/platform/vivid/vivid-vid-cap.c
@@ -222,9 +222,6 @@ static int vid_cap_start_streaming(struc
 	if (vb2_is_streaming(&dev->vb_vid_out_q))
 		dev->can_loop_video = vivid_vid_can_loop(dev);
 
-	if (dev->kthread_vid_cap)
-		return 0;
-
 	dev->vid_cap_seq_count = 0;
 	dprintk(dev, 1, "%s\n", __func__);
 	for (i = 0; i < VIDEO_MAX_FRAME; i++)
--- a/drivers/media/platform/vivid/vivid-vid-out.c
+++ b/drivers/media/platform/vivid/vivid-vid-out.c
@@ -146,9 +146,6 @@ static int vid_out_start_streaming(struc
 	if (vb2_is_streaming(&dev->vb_vid_cap_q))
 		dev->can_loop_video = vivid_vid_can_loop(dev);
 
-	if (dev->kthread_vid_out)
-		return 0;
-
 	dev->vid_out_seq_count = 0;
 	dprintk(dev, 1, "%s\n", __func__);
 	if (dev->start_streaming_error) {



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 284/306] media: vivid: Fix wrong locking that causes race conditions on streaming stop
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (281 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 283/306] media: vivid: Set vid_cap_streaming and vid_out_streaming to true Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 285/306] media: usbvision: Fix races among open, close, and disconnect Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Popov, Linus Torvalds,
	Hans Verkuil, Mauro Carvalho Chehab

From: Alexander Popov <alex.popov@linux.com>

commit 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 upstream.

There is the same incorrect approach to locking implemented in
vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out() and
sdr_cap_stop_streaming().

These functions are called during streaming stopping with vivid_dev.mutex
locked. And they all do the same mistake while stopping their kthreads,
which need to lock this mutex as well. See the example from
vivid_stop_generating_vid_cap():
  /* shutdown control thread */
  vivid_grab_controls(dev, false);
  mutex_unlock(&dev->mutex);
  kthread_stop(dev->kthread_vid_cap);
  dev->kthread_vid_cap = NULL;
  mutex_lock(&dev->mutex);

But when this mutex is unlocked, another vb2_fop_read() can lock it
instead of vivid_thread_vid_cap() and manipulate the buffer queue.
That causes a use-after-free access later.

To fix those issues let's:
  1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(),
vivid_stop_generating_vid_out() and sdr_cap_stop_streaming();
  2. use mutex_trylock() with schedule_timeout_uninterruptible() in
the loops of the vivid kthread handlers.

Signed-off-by: Alexander Popov <alex.popov@linux.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: <stable@vger.kernel.org>      # for v3.18 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/vivid/vivid-kthread-cap.c |    8 +++++---
 drivers/media/platform/vivid/vivid-kthread-out.c |    8 +++++---
 drivers/media/platform/vivid/vivid-sdr-cap.c     |    8 +++++---
 3 files changed, 15 insertions(+), 9 deletions(-)

--- a/drivers/media/platform/vivid/vivid-kthread-cap.c
+++ b/drivers/media/platform/vivid/vivid-kthread-cap.c
@@ -765,7 +765,11 @@ static int vivid_thread_vid_cap(void *da
 		if (kthread_should_stop())
 			break;
 
-		mutex_lock(&dev->mutex);
+		if (!mutex_trylock(&dev->mutex)) {
+			schedule_timeout_uninterruptible(1);
+			continue;
+		}
+
 		cur_jiffies = jiffies;
 		if (dev->cap_seq_resync) {
 			dev->jiffies_vid_cap = cur_jiffies;
@@ -918,8 +922,6 @@ void vivid_stop_generating_vid_cap(struc
 
 	/* shutdown control thread */
 	vivid_grab_controls(dev, false);
-	mutex_unlock(&dev->mutex);
 	kthread_stop(dev->kthread_vid_cap);
 	dev->kthread_vid_cap = NULL;
-	mutex_lock(&dev->mutex);
 }
--- a/drivers/media/platform/vivid/vivid-kthread-out.c
+++ b/drivers/media/platform/vivid/vivid-kthread-out.c
@@ -135,7 +135,11 @@ static int vivid_thread_vid_out(void *da
 		if (kthread_should_stop())
 			break;
 
-		mutex_lock(&dev->mutex);
+		if (!mutex_trylock(&dev->mutex)) {
+			schedule_timeout_uninterruptible(1);
+			continue;
+		}
+
 		cur_jiffies = jiffies;
 		if (dev->out_seq_resync) {
 			dev->jiffies_vid_out = cur_jiffies;
@@ -289,8 +293,6 @@ void vivid_stop_generating_vid_out(struc
 
 	/* shutdown control thread */
 	vivid_grab_controls(dev, false);
-	mutex_unlock(&dev->mutex);
 	kthread_stop(dev->kthread_vid_out);
 	dev->kthread_vid_out = NULL;
-	mutex_lock(&dev->mutex);
 }
--- a/drivers/media/platform/vivid/vivid-sdr-cap.c
+++ b/drivers/media/platform/vivid/vivid-sdr-cap.c
@@ -137,7 +137,11 @@ static int vivid_thread_sdr_cap(void *da
 		if (kthread_should_stop())
 			break;
 
-		mutex_lock(&dev->mutex);
+		if (!mutex_trylock(&dev->mutex)) {
+			schedule_timeout_uninterruptible(1);
+			continue;
+		}
+
 		cur_jiffies = jiffies;
 		if (dev->sdr_cap_seq_resync) {
 			dev->jiffies_sdr_cap = cur_jiffies;
@@ -297,10 +301,8 @@ static void sdr_cap_stop_streaming(struc
 	}
 
 	/* shutdown control thread */
-	mutex_unlock(&dev->mutex);
 	kthread_stop(dev->kthread_sdr_cap);
 	dev->kthread_sdr_cap = NULL;
-	mutex_lock(&dev->mutex);
 }
 
 const struct vb2_ops vivid_sdr_cap_qops = {



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 285/306] media: usbvision: Fix races among open, close, and disconnect
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (282 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 284/306] media: vivid: Fix wrong locking that causes race conditions on streaming stop Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 286/306] cpufreq: Add NULL checks to show() and store() methods of cpufreq Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Hans Verkuil,
	Mauro Carvalho Chehab

From: Alan Stern <stern@rowland.harvard.edu>

commit 9e08117c9d4efc1e1bc6fce83dab856d9fd284b6 upstream.

Visual inspection of the usbvision driver shows that it suffers from
three races between its open, close, and disconnect handlers.  In
particular, the driver is careful to update its usbvision->user and
usbvision->remove_pending flags while holding the private mutex, but:

	usbvision_v4l2_close() and usbvision_radio_close() don't hold
	the mutex while they check the value of
	usbvision->remove_pending;

	usbvision_disconnect() doesn't hold the mutex while checking
	the value of usbvision->user; and

	also, usbvision_v4l2_open() and usbvision_radio_open() don't
	check whether the device has been unplugged before allowing
	the user to open the device files.

Each of these can potentially lead to usbvision_release() being called
twice and use-after-free errors.

This patch fixes the races by reading the flags while the mutex is
still held and checking for pending removes before allowing an open to
succeed.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/usbvision/usbvision-video.c |   21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -327,6 +327,10 @@ static int usbvision_v4l2_open(struct fi
 	if (mutex_lock_interruptible(&usbvision->v4l2_lock))
 		return -ERESTARTSYS;
 
+	if (usbvision->remove_pending) {
+		err_code = -ENODEV;
+		goto unlock;
+	}
 	if (usbvision->user) {
 		err_code = -EBUSY;
 	} else {
@@ -390,6 +394,7 @@ unlock:
 static int usbvision_v4l2_close(struct file *file)
 {
 	struct usb_usbvision *usbvision = video_drvdata(file);
+	int r;
 
 	PDEBUG(DBG_IO, "close");
 
@@ -404,9 +409,10 @@ static int usbvision_v4l2_close(struct f
 	usbvision_scratch_free(usbvision);
 
 	usbvision->user--;
+	r = usbvision->remove_pending;
 	mutex_unlock(&usbvision->v4l2_lock);
 
-	if (usbvision->remove_pending) {
+	if (r) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		usbvision_release(usbvision);
 		return 0;
@@ -1090,6 +1096,11 @@ static int usbvision_radio_open(struct f
 
 	if (mutex_lock_interruptible(&usbvision->v4l2_lock))
 		return -ERESTARTSYS;
+
+	if (usbvision->remove_pending) {
+		err_code = -ENODEV;
+		goto out;
+	}
 	err_code = v4l2_fh_open(file);
 	if (err_code)
 		goto out;
@@ -1122,6 +1133,7 @@ out:
 static int usbvision_radio_close(struct file *file)
 {
 	struct usb_usbvision *usbvision = video_drvdata(file);
+	int r;
 
 	PDEBUG(DBG_IO, "");
 
@@ -1134,9 +1146,10 @@ static int usbvision_radio_close(struct
 	usbvision_audio_off(usbvision);
 	usbvision->radio = 0;
 	usbvision->user--;
+	r = usbvision->remove_pending;
 	mutex_unlock(&usbvision->v4l2_lock);
 
-	if (usbvision->remove_pending) {
+	if (r) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		v4l2_fh_release(file);
 		usbvision_release(usbvision);
@@ -1562,6 +1575,7 @@ err_usb:
 static void usbvision_disconnect(struct usb_interface *intf)
 {
 	struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
+	int u;
 
 	PDEBUG(DBG_PROBE, "");
 
@@ -1578,13 +1592,14 @@ static void usbvision_disconnect(struct
 	v4l2_device_disconnect(&usbvision->v4l2_dev);
 	usbvision_i2c_unregister(usbvision);
 	usbvision->remove_pending = 1;	/* Now all ISO data will be ignored */
+	u = usbvision->user;
 
 	usb_put_dev(usbvision->dev);
 	usbvision->dev = NULL;	/* USB device is no more */
 
 	mutex_unlock(&usbvision->v4l2_lock);
 
-	if (usbvision->user) {
+	if (u) {
 		printk(KERN_INFO "%s: In use, disconnect pending\n",
 		       __func__);
 		wake_up_interruptible(&usbvision->wait_frame);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 286/306] cpufreq: Add NULL checks to show() and store() methods of cpufreq
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (283 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 285/306] media: usbvision: Fix races among open, close, and disconnect Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 287/306] media: uvcvideo: Fix error path in control parsing failure Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai Shen, Feilong Lin, Viresh Kumar,
	Rafael J. Wysocki

From: Kai Shen <shenkai8@huawei.com>

commit e6e8df07268c1f75dd9215536e2ce4587b70f977 upstream.

Add NULL checks to show() and store() in cpufreq.c to avoid attempts
to invoke a NULL callback.

Though some interfaces of cpufreq are set as read-only, users can
still get write permission using chmod which can lead to a kernel
crash, as follows:

chmod +w /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
echo 1 >  /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq

This bug was found in linux 4.19.

Signed-off-by: Kai Shen <shenkai8@huawei.com>
Reported-by: Feilong Lin <linfeilong@huawei.com>
Reviewed-by: Feilong Lin <linfeilong@huawei.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
[ rjw: Subject & changelog ]
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpufreq/cpufreq.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -909,6 +909,9 @@ static ssize_t show(struct kobject *kobj
 	struct freq_attr *fattr = to_attr(attr);
 	ssize_t ret;
 
+	if (!fattr->show)
+		return -EIO;
+
 	down_read(&policy->rwsem);
 	ret = fattr->show(policy, buf);
 	up_read(&policy->rwsem);
@@ -923,6 +926,9 @@ static ssize_t store(struct kobject *kob
 	struct freq_attr *fattr = to_attr(attr);
 	ssize_t ret = -EINVAL;
 
+	if (!fattr->store)
+		return -EIO;
+
 	/*
 	 * cpus_read_trylock() is used here to work around a circular lock
 	 * dependency problem with respect to the cpufreq_register_driver().



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 287/306] media: uvcvideo: Fix error path in control parsing failure
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (284 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 286/306] cpufreq: Add NULL checks to show() and store() methods of cpufreq Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 288/306] media: b2c2-flexcop-usb: add sanity checking Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c86454eb3af9e8a4da20,
	Laurent Pinchart, Mauro Carvalho Chehab

From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

commit 8c279e9394cade640ed86ec6c6645a0e7df5e0b6 upstream.

When parsing the UVC control descriptors fails, the error path tries to
cleanup a media device that hasn't been initialised, potentially
resulting in a crash. Fix this by initialising the media device before
the error handling path can be reached.

Fixes: 5a254d751e52 ("[media] uvcvideo: Register a v4l2_device")
Reported-by: syzbot+c86454eb3af9e8a4da20@syzkaller.appspotmail.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/uvc/uvc_driver.c |   28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -2124,6 +2124,20 @@ static int uvc_probe(struct usb_interfac
 			   sizeof(dev->name) - len);
 	}
 
+	/* Initialize the media device. */
+#ifdef CONFIG_MEDIA_CONTROLLER
+	dev->mdev.dev = &intf->dev;
+	strscpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model));
+	if (udev->serial)
+		strscpy(dev->mdev.serial, udev->serial,
+			sizeof(dev->mdev.serial));
+	usb_make_path(udev, dev->mdev.bus_info, sizeof(dev->mdev.bus_info));
+	dev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice);
+	media_device_init(&dev->mdev);
+
+	dev->vdev.mdev = &dev->mdev;
+#endif
+
 	/* Parse the Video Class control descriptor. */
 	if (uvc_parse_control(dev) < 0) {
 		uvc_trace(UVC_TRACE_PROBE, "Unable to parse UVC "
@@ -2144,19 +2158,7 @@ static int uvc_probe(struct usb_interfac
 			"linux-uvc-devel mailing list.\n");
 	}
 
-	/* Initialize the media device and register the V4L2 device. */
-#ifdef CONFIG_MEDIA_CONTROLLER
-	dev->mdev.dev = &intf->dev;
-	strlcpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model));
-	if (udev->serial)
-		strlcpy(dev->mdev.serial, udev->serial,
-			sizeof(dev->mdev.serial));
-	strcpy(dev->mdev.bus_info, udev->devpath);
-	dev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice);
-	media_device_init(&dev->mdev);
-
-	dev->vdev.mdev = &dev->mdev;
-#endif
+	/* Register the V4L2 device. */
 	if (v4l2_device_register(&intf->dev, &dev->vdev) < 0)
 		goto error;
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 288/306] media: b2c2-flexcop-usb: add sanity checking
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (285 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 287/306] media: uvcvideo: Fix error path in control parsing failure Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 289/306] media: cxusb: detect cxusb_ctrl_msg error in query Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d93dff37e6a89431c158,
	Oliver Neukum, Sean Young, Mauro Carvalho Chehab

From: Oliver Neukum <oneukum@suse.com>

commit 1b976fc6d684e3282914cdbe7a8d68fdce19095c upstream.

The driver needs an isochronous endpoint to be present. It will
oops in its absence. Add checking for it.

Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/b2c2/flexcop-usb.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/media/usb/b2c2/flexcop-usb.c
+++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -537,6 +537,9 @@ static int flexcop_usb_probe(struct usb_
 	struct flexcop_device *fc = NULL;
 	int ret;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
 		err("out of memory\n");
 		return -ENOMEM;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 289/306] media: cxusb: detect cxusb_ctrl_msg error in query
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (286 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 288/306] media: b2c2-flexcop-usb: add sanity checking Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 290/306] media: imon: invalid dereference in imon_touch_event Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vito Caputo, syzbot, Sean Young,
	Mauro Carvalho Chehab

From: Vito Caputo <vcaputo@pengaru.com>

commit ca8f245f284eeffa56f3b7a5eb6fc503159ee028 upstream.

Don't use uninitialized ircode[] in cxusb_rc_query() when
cxusb_ctrl_msg() fails to populate its contents.

syzbot reported:

dvb-usb: bulk message failed: -22 (1/-30591)
=====================================================
BUG: KMSAN: uninit-value in ir_lookup_by_scancode drivers/media/rc/rc-main.c:494 [inline]
BUG: KMSAN: uninit-value in rc_g_keycode_from_table drivers/media/rc/rc-main.c:582 [inline]
BUG: KMSAN: uninit-value in rc_keydown+0x1a6/0x6f0 drivers/media/rc/rc-main.c:816
CPU: 1 PID: 11436 Comm: kworker/1:2 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events dvb_usb_read_remote_control
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
 bsearch+0x1dd/0x250 lib/bsearch.c:41
 ir_lookup_by_scancode drivers/media/rc/rc-main.c:494 [inline]
 rc_g_keycode_from_table drivers/media/rc/rc-main.c:582 [inline]
 rc_keydown+0x1a6/0x6f0 drivers/media/rc/rc-main.c:816
 cxusb_rc_query+0x2e1/0x360 drivers/media/usb/dvb-usb/cxusb.c:548
 dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
 kmsan_internal_chain_origin+0xd2/0x170 mm/kmsan/kmsan.c:314
 __msan_chain_origin+0x6b/0xe0 mm/kmsan/kmsan_instr.c:184
 rc_g_keycode_from_table drivers/media/rc/rc-main.c:583 [inline]
 rc_keydown+0x2c4/0x6f0 drivers/media/rc/rc-main.c:816
 cxusb_rc_query+0x2e1/0x360 drivers/media/usb/dvb-usb/cxusb.c:548
 dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Local variable description: ----ircode@cxusb_rc_query
Variable was created at:
 cxusb_rc_query+0x4d/0x360 drivers/media/usb/dvb-usb/cxusb.c:543
 dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261

Signed-off-by: Vito Caputo <vcaputo@pengaru.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb/cxusb.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
@@ -457,7 +457,8 @@ static int cxusb_rc_query(struct dvb_usb
 {
 	u8 ircode[4];
 
-	cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4);
+	if (cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4) < 0)
+		return 0;
 
 	if (ircode[2] || ircode[3])
 		rc_keydown(d->rc_dev, RC_PROTO_NEC,



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 290/306] media: imon: invalid dereference in imon_touch_event
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (287 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 289/306] media: cxusb: detect cxusb_ctrl_msg error in query Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 291/306] virtio_ring: fix return code on DMA mapping fails Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+f49d12d34f2321cf4df2,
	Sean Young, Mauro Carvalho Chehab

From: Sean Young <sean@mess.org>

commit f3f5ba42c58d56d50f539854d8cc188944e96087 upstream.

The touch timer is set up in intf1. If the second interface does not exist,
the timer and touch input device are not setup and we get the following
error, when touch events are reported via intf0.

kernel BUG at kernel/time/timer.c:956!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__mod_timer kernel/time/timer.c:956 [inline]
RIP: 0010:__mod_timer kernel/time/timer.c:949 [inline]
RIP: 0010:mod_timer+0x5a2/0xb50 kernel/time/timer.c:1100
Code: 45 10 c7 44 24 14 ff ff ff ff 48 89 44 24 08 48 8d 45 20 48 c7 44 24 18 00 00 00 00 48 89 04 24 e9 5a fc ff ff e8 ae ce 0e 00 <0f> 0b e8 a7 ce 0e 00 4c 89 74 24 20 e9 37 fe ff ff e8 98 ce 0e 00
RSP: 0018:ffff8881db209930 EFLAGS: 00010006
RAX: ffffffff86c2b200 RBX: 00000000ffffa688 RCX: ffffffff83efc583
RDX: 0000000000000100 RSI: ffffffff812f4d82 RDI: ffff8881d2356200
RBP: ffff8881d23561e8 R08: ffffffff86c2b200 R09: ffffed103a46abeb
R10: ffffed103a46abea R11: ffff8881d2355f53 R12: dffffc0000000000
R13: 1ffff1103b64132d R14: ffff8881d2355f50 R15: 0000000000000006
FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f75e2799000 CR3: 00000001d3b07000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 imon_touch_event drivers/media/rc/imon.c:1348 [inline]
 imon_incoming_packet.isra.0+0x2546/0x2f10 drivers/media/rc/imon.c:1603
 usb_rx_callback_intf0+0x151/0x1e0 drivers/media/rc/imon.c:1734
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1654
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1719
 dummy_timer+0x120f/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1965
 call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
 __do_softirq+0x221/0x912 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 </IRQ>
RIP: 0010:default_idle+0x28/0x2e0 arch/x86/kernel/process.c:581
Code: 90 90 41 56 41 55 65 44 8b 2d 44 3a 8f 7a 41 54 55 53 0f 1f 44 00 00 e8 36 ee d0 fb e9 07 00 00 00 0f 00 2d fa dd 4f 00 fb f4 <65> 44 8b 2d 20 3a 8f 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff86c07da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff86c2b200 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff86c2ba4c
RBP: fffffbfff0d85640 R08: ffffffff86c2b200 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x3b6/0x500 kernel/sched/idle.c:263
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:355
 start_kernel+0x82a/0x864 init/main.c:784
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
Modules linked in:

Reported-by: syzbot+f49d12d34f2321cf4df2@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/rc/imon.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1607,8 +1607,7 @@ static void imon_incoming_packet(struct
 	spin_unlock_irqrestore(&ictx->kc_lock, flags);
 
 	/* send touchscreen events through input subsystem if touchpad data */
-	if (ictx->display_type == IMON_DISPLAY_TYPE_VGA && len == 8 &&
-	    buf[7] == 0x86) {
+	if (ictx->touch && len == 8 && buf[7] == 0x86) {
 		imon_touch_event(ictx, buf);
 		return;
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 291/306] virtio_ring: fix return code on DMA mapping fails
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (288 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 290/306] media: imon: invalid dereference in imon_touch_event Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 292/306] USBIP: add config dependency for SGL_ALLOC Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Halil Pasic, Michael Mueller,
	Michael S. Tsirkin, Sasha Levin

From: Halil Pasic <pasic@linux.ibm.com>

[ Upstream commit f7728002c1c7bfa787b276a31c3ef458739b8e7c ]

Commit 780bc7903a32 ("virtio_ring: Support DMA APIs")  makes
virtqueue_add() return -EIO when we fail to map our I/O buffers. This is
a very realistic scenario for guests with encrypted memory, as swiotlb
may run out of space, depending on it's size and the I/O load.

The virtio-blk driver interprets -EIO form virtqueue_add() as an IO
error, despite the fact that swiotlb full is in absence of bugs a
recoverable condition.

Let us change the return code to -ENOMEM, and make the block layer
recover form these failures when virtio-blk encounters the condition
described above.

Cc: stable@vger.kernel.org
Fixes: 780bc7903a32 ("virtio_ring: Support DMA APIs")
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Tested-by: Michael Mueller <mimu@linux.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/virtio/virtio_ring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 9529e28e18222..6228b48d1e127 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -431,7 +431,7 @@ unmap_release:
 		kfree(desc);
 
 	END_USE(vq);
-	return -EIO;
+	return -ENOMEM;
 }
 
 /**
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 359+ messages in thread

* [PATCH 4.19 292/306] USBIP: add config dependency for SGL_ALLOC
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (289 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 291/306] virtio_ring: fix return code on DMA mapping fails Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 293/306] usbip: tools: fix fd leakage in the function of read_attr_usbip_status Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum, Shuah Khan

From: Oliver Neukum <oneukum@suse.com>

commit 1ec13abac58b6f24e32f0d3081ef4e7456e62ed8 upstream.

USBIP uses lib/scatterlist.h
Hence it needs to set CONFIG_SGL_ALLOC

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/20191112154939.21217-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/usbip/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/usbip/Kconfig
+++ b/drivers/usb/usbip/Kconfig
@@ -2,6 +2,7 @@ config USBIP_CORE
 	tristate "USB/IP support"
 	depends on NET
 	select USB_COMMON
+	select SGL_ALLOC
 	---help---
 	  This enables pushing USB packets over IP to allow remote
 	  machines direct access to USB devices. It provides the



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 293/306] usbip: tools: fix fd leakage in the function of read_attr_usbip_status
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (290 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 292/306] USBIP: add config dependency for SGL_ALLOC Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 294/306] usbip: Fix uninitialized symbol nents in stub_recv_cmd_submit() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hewenliang

From: Hewenliang <hewenliang4@huawei.com>

commit 26a4d4c00f85cb844dd11dd35e848b079c2f5e8f upstream.

We should close the fd before the return of read_attr_usbip_status.

Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with vudc backend")
Signed-off-by: Hewenliang <hewenliang4@huawei.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191025043515.20053-1-hewenliang4@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/usb/usbip/libsrc/usbip_host_common.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/usb/usbip/libsrc/usbip_host_common.c
+++ b/tools/usb/usbip/libsrc/usbip_host_common.c
@@ -69,7 +69,7 @@ static int32_t read_attr_usbip_status(st
 	}
 
 	value = atoi(status);
-
+	close(fd);
 	return value;
 }
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 294/306] usbip: Fix uninitialized symbol nents in stub_recv_cmd_submit()
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (291 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 293/306] usbip: tools: fix fd leakage in the function of read_attr_usbip_status Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 295/306] usb-serial: cp201x: support Mark-10 digital force gauge Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Dan Carpenter,
	Suwan Kim, Shuah Khan

From: Suwan Kim <suwan.kim027@gmail.com>

commit 2a9125317b247f2cf35c196f968906dcf062ae2d upstream.

Smatch reported that nents is not initialized and used in
stub_recv_cmd_submit(). nents is currently initialized by sgl_alloc()
and used to allocate multiple URBs when host controller doesn't
support scatter-gather DMA. The use of uninitialized nents means that
buf_len is zero and use_sg is true. But buffer length should not be
zero when an URB uses scatter-gather DMA.

To prevent this situation, add the conditional that checks buf_len
and use_sg. And move the use of nents right after the sgl_alloc() to
avoid the use of uninitialized nents.

If the error occurs, it adds SDEV_EVENT_ERROR_MALLOC and stub_priv
will be released by stub event handler and connection will be shut
down.

Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Suwan Kim <suwan.kim027@gmail.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191111141035.27788-1-suwan.kim027@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/usbip/stub_rx.c |   50 ++++++++++++++++++++++++++++----------------
 1 file changed, 32 insertions(+), 18 deletions(-)

--- a/drivers/usb/usbip/stub_rx.c
+++ b/drivers/usb/usbip/stub_rx.c
@@ -470,18 +470,50 @@ static void stub_recv_cmd_submit(struct
 	if (pipe == -1)
 		return;
 
+	/*
+	 * Smatch reported the error case where use_sg is true and buf_len is 0.
+	 * In this case, It adds SDEV_EVENT_ERROR_MALLOC and stub_priv will be
+	 * released by stub event handler and connection will be shut down.
+	 */
 	priv = stub_priv_alloc(sdev, pdu);
 	if (!priv)
 		return;
 
 	buf_len = (unsigned long long)pdu->u.cmd_submit.transfer_buffer_length;
 
+	if (use_sg && !buf_len) {
+		dev_err(&udev->dev, "sg buffer with zero length\n");
+		goto err_malloc;
+	}
+
 	/* allocate urb transfer buffer, if needed */
 	if (buf_len) {
 		if (use_sg) {
 			sgl = sgl_alloc(buf_len, GFP_KERNEL, &nents);
 			if (!sgl)
 				goto err_malloc;
+
+			/* Check if the server's HCD supports SG */
+			if (!udev->bus->sg_tablesize) {
+				/*
+				 * If the server's HCD doesn't support SG, break
+				 * a single SG request into several URBs and map
+				 * each SG list entry to corresponding URB
+				 * buffer. The previously allocated SG list is
+				 * stored in priv->sgl (If the server's HCD
+				 * support SG, SG list is stored only in
+				 * urb->sg) and it is used as an indicator that
+				 * the server split single SG request into
+				 * several URBs. Later, priv->sgl is used by
+				 * stub_complete() and stub_send_ret_submit() to
+				 * reassemble the divied URBs.
+				 */
+				support_sg = 0;
+				num_urbs = nents;
+				priv->completed_urbs = 0;
+				pdu->u.cmd_submit.transfer_flags &=
+								~URB_DMA_MAP_SG;
+			}
 		} else {
 			buffer = kzalloc(buf_len, GFP_KERNEL);
 			if (!buffer)
@@ -489,24 +521,6 @@ static void stub_recv_cmd_submit(struct
 		}
 	}
 
-	/* Check if the server's HCD supports SG */
-	if (use_sg && !udev->bus->sg_tablesize) {
-		/*
-		 * If the server's HCD doesn't support SG, break a single SG
-		 * request into several URBs and map each SG list entry to
-		 * corresponding URB buffer. The previously allocated SG
-		 * list is stored in priv->sgl (If the server's HCD support SG,
-		 * SG list is stored only in urb->sg) and it is used as an
-		 * indicator that the server split single SG request into
-		 * several URBs. Later, priv->sgl is used by stub_complete() and
-		 * stub_send_ret_submit() to reassemble the divied URBs.
-		 */
-		support_sg = 0;
-		num_urbs = nents;
-		priv->completed_urbs = 0;
-		pdu->u.cmd_submit.transfer_flags &= ~URB_DMA_MAP_SG;
-	}
-
 	/* allocate urb array */
 	priv->num_urbs = num_urbs;
 	priv->urbs = kmalloc_array(num_urbs, sizeof(*priv->urbs), GFP_KERNEL);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 295/306] usb-serial: cp201x: support Mark-10 digital force gauge
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (292 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 294/306] usbip: Fix uninitialized symbol nents in stub_recv_cmd_submit() Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 296/306] USB: chaoskey: fix error case of a timeout Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joel Jennings, Johan Hovold

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 347bc8cb26388791c5881a3775cb14a3f765a674 upstream.

Add support for the Mark-10 digital force gauge device to the cp201x
driver.

Based on a report and a larger patch from Joel Jennings

Reported-by: Joel Jennings <joel.jennings@makeitlabs.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191118092119.GA153852@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/cp210x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -125,6 +125,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
 	{ USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */
 	{ USB_DEVICE(0x10C4, 0x83A8) }, /* Amber Wireless AMB2560 */
+	{ USB_DEVICE(0x10C4, 0x83AA) }, /* Mark-10 Digital Force Gauge */
 	{ USB_DEVICE(0x10C4, 0x83D8) }, /* DekTec DTA Plus VHF/UHF Booster/Attenuator */
 	{ USB_DEVICE(0x10C4, 0x8411) }, /* Kyocera GPS Module */
 	{ USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 296/306] USB: chaoskey: fix error case of a timeout
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (293 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 295/306] usb-serial: cp201x: support Mark-10 digital force gauge Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 297/306] appledisplay: fix error handling in the scheduled work Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit 92aa5986f4f7b5a8bf282ca0f50967f4326559f5 upstream.

In case of a timeout or if a signal aborts a read
communication with the device needs to be ended
lest we overwrite an active URB the next time we
do IO to the device, as the URB may still be active.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191107142856.16774-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/chaoskey.c |   24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

--- a/drivers/usb/misc/chaoskey.c
+++ b/drivers/usb/misc/chaoskey.c
@@ -384,13 +384,17 @@ static int _chaoskey_fill(struct chaoske
 		!dev->reading,
 		(started ? NAK_TIMEOUT : ALEA_FIRST_TIMEOUT) );
 
-	if (result < 0)
+	if (result < 0) {
+		usb_kill_urb(dev->urb);
 		goto out;
+	}
 
-	if (result == 0)
+	if (result == 0) {
 		result = -ETIMEDOUT;
-	else
+		usb_kill_urb(dev->urb);
+	} else {
 		result = dev->valid;
+	}
 out:
 	/* Let the device go back to sleep eventually */
 	usb_autopm_put_interface(dev->interface);
@@ -526,7 +530,21 @@ static int chaoskey_suspend(struct usb_i
 
 static int chaoskey_resume(struct usb_interface *interface)
 {
+	struct chaoskey *dev;
+	struct usb_device *udev = interface_to_usbdev(interface);
+
 	usb_dbg(interface, "resume");
+	dev = usb_get_intfdata(interface);
+
+	/*
+	 * We may have lost power.
+	 * In that case the device that needs a long time
+	 * for the first requests needs an extended timeout
+	 * again
+	 */
+	if (le16_to_cpu(udev->descriptor.idVendor) == ALEA_VENDOR_ID)
+		dev->reads_started = false;
+
 	return 0;
 }
 #else



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 297/306] appledisplay: fix error handling in the scheduled work
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (294 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 296/306] USB: chaoskey: fix error case of a timeout Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 298/306] USB: serial: mos7840: add USB ID to support Moxa UPort 2210 Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Neukum, syzbot+495dab1f175edc9c2f13

From: Oliver Neukum <oneukum@suse.com>

commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.

The work item can operate on

1. stale memory left over from the last transfer
the actual length of the data transfered needs to be checked
2. memory already freed
the error handling in appledisplay_probe() needs
to cancel the work in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/appledisplay.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -170,7 +170,12 @@ static int appledisplay_bl_get_brightnes
 		0,
 		pdata->msgdata, 2,
 		ACD_USB_TIMEOUT);
-	brightness = pdata->msgdata[1];
+	if (retval < 2) {
+		if (retval >= 0)
+			retval = -EMSGSIZE;
+	} else {
+		brightness = pdata->msgdata[1];
+	}
 	mutex_unlock(&pdata->sysfslock);
 
 	if (retval < 0)
@@ -305,6 +310,7 @@ error:
 	if (pdata) {
 		if (pdata->urb) {
 			usb_kill_urb(pdata->urb);
+			cancel_delayed_work_sync(&pdata->work);
 			if (pdata->urbdata)
 				usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
 					pdata->urbdata, pdata->urb->transfer_dma);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 298/306] USB: serial: mos7840: add USB ID to support Moxa UPort 2210
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (295 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 297/306] appledisplay: fix error handling in the scheduled work Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 299/306] USB: serial: mos7720: fix remote wakeup Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Löbl, Johan Hovold

From: Pavel Löbl <pavel@loebl.cz>

commit e696d00e65e81d46e911f24b12e441037bf11b38 upstream.

Add USB ID for MOXA UPort 2210. This device contains mos7820 but
it passes GPIO0 check implemented by driver and it's detected as
mos7840. Hence product id check is added to force mos7820 mode.

Signed-off-by: Pavel Löbl <pavel@loebl.cz>
Cc: stable <stable@vger.kernel.org>
[ johan: rename id defines and add vendor-id check ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/mos7840.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -118,11 +118,15 @@
 /* This driver also supports
  * ATEN UC2324 device using Moschip MCS7840
  * ATEN UC2322 device using Moschip MCS7820
+ * MOXA UPort 2210 device using Moschip MCS7820
  */
 #define USB_VENDOR_ID_ATENINTL		0x0557
 #define ATENINTL_DEVICE_ID_UC2324	0x2011
 #define ATENINTL_DEVICE_ID_UC2322	0x7820
 
+#define USB_VENDOR_ID_MOXA		0x110a
+#define MOXA_DEVICE_ID_2210		0x2210
+
 /* Interrupt Routine Defines    */
 
 #define SERIAL_IIR_RLS      0x06
@@ -193,6 +197,7 @@ static const struct usb_device_id id_tab
 	{USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL2_4)},
 	{USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2324)},
 	{USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2322)},
+	{USB_DEVICE(USB_VENDOR_ID_MOXA, MOXA_DEVICE_ID_2210)},
 	{}			/* terminating entry */
 };
 MODULE_DEVICE_TABLE(usb, id_table);
@@ -2053,6 +2058,7 @@ static int mos7840_probe(struct usb_seri
 				const struct usb_device_id *id)
 {
 	u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
+	u16 vid = le16_to_cpu(serial->dev->descriptor.idVendor);
 	u8 *buf;
 	int device_type;
 
@@ -2062,6 +2068,11 @@ static int mos7840_probe(struct usb_seri
 		goto out;
 	}
 
+	if (vid == USB_VENDOR_ID_MOXA && product == MOXA_DEVICE_ID_2210) {
+		device_type = MOSCHIP_DEVICE_ID_7820;
+		goto out;
+	}
+
 	buf = kzalloc(VENDOR_READ_LENGTH, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 299/306] USB: serial: mos7720: fix remote wakeup
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (296 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 298/306] USB: serial: mos7840: add USB ID to support Moxa UPort 2210 Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 300/306] USB: serial: mos7840: " Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit ea422312a462696093b5db59d294439796cba4ad upstream.

The driver was setting the device remote-wakeup feature during probe in
violation of the USB specification (which says it should only be set
just prior to suspending the device). This could potentially waste
power during suspend as well as lead to spurious wakeups.

Note that USB core would clear the remote-wakeup feature at first
resume.

Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
Cc: stable <stable@vger.kernel.org>     # 2.6.19
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/mos7720.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1894,10 +1894,6 @@ static int mos7720_startup(struct usb_se
 	product = le16_to_cpu(serial->dev->descriptor.idProduct);
 	dev = serial->dev;
 
-	/* setting configuration feature to one */
-	usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
-			(__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
-
 	if (product == MOSCHIP_DEVICE_ID_7715) {
 		struct urb *urb = serial->port[0]->interrupt_in_urb;
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 300/306] USB: serial: mos7840: fix remote wakeup
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (297 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 299/306] USB: serial: mos7720: fix remote wakeup Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 301/306] USB: serial: option: add support for DW5821e with eSIM support Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 92fe35fb9c70a00d8fbbf5bd6172c921dd9c7815 upstream.

The driver was setting the device remote-wakeup feature during probe in
violation of the USB specification (which says it should only be set
just prior to suspending the device). This could potentially waste
power during suspend as well as lead to spurious wakeups.

Note that USB core would clear the remote-wakeup feature at first
resume.

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Cc: stable <stable@vger.kernel.org>     # 2.6.19
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/mos7840.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -2325,11 +2325,6 @@ out:
 			goto error;
 		} else
 			dev_dbg(&port->dev, "ZLP_REG5 Writing success status%d\n", status);
-
-		/* setting configuration feature to one */
-		usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
-				0x03, 0x00, 0x01, 0x00, NULL, 0x00,
-				MOS_WDR_TIMEOUT);
 	}
 	return 0;
 error:



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 301/306] USB: serial: option: add support for DW5821e with eSIM support
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (298 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 300/306] USB: serial: mos7840: " Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 302/306] USB: serial: option: add support for Foxconn T77W968 LTE modules Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Aleksander Morgado, Johan Hovold

From: Aleksander Morgado <aleksander@aleksander.es>

commit 957c31ea082e3fe5196f46d5b04018b10de47400 upstream.

The device exposes AT, NMEA and DIAG ports in both USB configurations.
Exactly same layout as the default DW5821e module, just a different
vid/pid.

P:  Vendor=413c ProdID=81e0 Rev=03.18
S:  Manufacturer=Dell Inc.
S:  Product=DW5821e-eSIM Snapdragon X20 LTE
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option

P:  Vendor=413c ProdID=81e0 Rev=03.18
S:  Manufacturer=Dell Inc.
S:  Product=DW5821e-eSIM Snapdragon X20 LTE
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I:  If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#=0x6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -197,6 +197,7 @@ static void option_instat_callback(struc
 #define DELL_PRODUCT_5804_MINICARD_ATT		0x819b  /* Novatel E371 */
 
 #define DELL_PRODUCT_5821E			0x81d7
+#define DELL_PRODUCT_5821E_ESIM			0x81e0
 
 #define KYOCERA_VENDOR_ID			0x0c88
 #define KYOCERA_PRODUCT_KPC650			0x17da
@@ -1044,6 +1045,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(DELL_VENDOR_ID, DELL_PRODUCT_5804_MINICARD_ATT, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5821E),
 	  .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
+	{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5821E_ESIM),
+	  .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
 	{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) },	/* ADU-E100, ADU-310 */
 	{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_500A) },
 	{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_620UW) },



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 302/306] USB: serial: option: add support for Foxconn T77W968 LTE modules
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (299 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 301/306] USB: serial: option: add support for DW5821e with eSIM support Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 303/306] staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Aleksander Morgado, Johan Hovold

From: Aleksander Morgado <aleksander@aleksander.es>

commit f0797095423e6ea3b4be61134ee353c7f504d440 upstream.

These are the Foxconn-branded variants of the Dell DW5821e modules,
same USB layout as those. The device exposes AT, NMEA and DIAG ports
in both USB configurations.

P:  Vendor=0489 ProdID=e0b4 Rev=03.18
S:  Manufacturer=FII
S:  Product=T77W968 LTE
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option

P:  Vendor=0489 ProdID=e0b4 Rev=03.18
S:  Manufacturer=FII
S:  Product=T77W968 LTE
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I:  If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#=0x6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
[ johan: drop id defines ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1993,6 +1993,10 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+	{ USB_DEVICE(0x0489, 0xe0b4),						/* Foxconn T77W968 */
+	  .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
+	{ USB_DEVICE(0x0489, 0xe0b5),						/* Foxconn T77W968 ESIM */
+	  .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
 	{ USB_DEVICE(0x1508, 0x1001),						/* Fibocom NL668 */
 	  .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
 	{ USB_DEVICE(0x2cb7, 0x0104),						/* Fibocom NL678 series */



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 303/306] staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (300 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 302/306] USB: serial: option: add support for Foxconn T77W968 LTE modules Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 304/306] powerpc/64s: support nospectre_v2 cmdline option Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bernd Porr, Ian Abbott

From: Bernd Porr <mail@berndporr.me.uk>

commit 5618332e5b955b4bff06d0b88146b971c8dd7b32 upstream.

The userspace comedilib function 'get_cmd_generic_timed' fills
the cmd structure with an informed guess and then calls the
function 'usbduxfast_ai_cmdtest' in this driver repeatedly while
'usbduxfast_ai_cmdtest' is modifying the cmd struct until it
no longer changes. However, because of rounding errors this never
converged because 'steps = (cmd->convert_arg * 30) / 1000' and then
back to 'cmd->convert_arg = (steps * 1000) / 30' won't be the same
because of rounding errors. 'Steps' should only be converted back to
the 'convert_arg' if 'steps' has actually been modified. In addition
the case of steps being 0 wasn't checked which is also now done.

Signed-off-by: Bernd Porr <mail@berndporr.me.uk>
Cc: <stable@vger.kernel.org> # 4.4+
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20191118230759.1727-1-mail@berndporr.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/usbduxfast.c |   21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/drivers/staging/comedi/drivers/usbduxfast.c
+++ b/drivers/staging/comedi/drivers/usbduxfast.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- *  Copyright (C) 2004-2014 Bernd Porr, mail@berndporr.me.uk
+ *  Copyright (C) 2004-2019 Bernd Porr, mail@berndporr.me.uk
  */
 
 /*
@@ -8,7 +8,7 @@
  * Description: University of Stirling USB DAQ & INCITE Technology Limited
  * Devices: [ITL] USB-DUX-FAST (usbduxfast)
  * Author: Bernd Porr <mail@berndporr.me.uk>
- * Updated: 10 Oct 2014
+ * Updated: 16 Nov 2019
  * Status: stable
  */
 
@@ -22,6 +22,7 @@
  *
  *
  * Revision history:
+ * 1.0: Fixed a rounding error in usbduxfast_ai_cmdtest
  * 0.9: Dropping the first data packet which seems to be from the last transfer.
  *      Buffer overflows in the FX2 are handed over to comedi.
  * 0.92: Dropping now 4 packets. The quad buffer has to be emptied.
@@ -350,6 +351,7 @@ static int usbduxfast_ai_cmdtest(struct
 				 struct comedi_cmd *cmd)
 {
 	int err = 0;
+	int err2 = 0;
 	unsigned int steps;
 	unsigned int arg;
 
@@ -399,11 +401,16 @@ static int usbduxfast_ai_cmdtest(struct
 	 */
 	steps = (cmd->convert_arg * 30) / 1000;
 	if (cmd->chanlist_len !=  1)
-		err |= comedi_check_trigger_arg_min(&steps,
-						    MIN_SAMPLING_PERIOD);
-	err |= comedi_check_trigger_arg_max(&steps, MAX_SAMPLING_PERIOD);
-	arg = (steps * 1000) / 30;
-	err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
+		err2 |= comedi_check_trigger_arg_min(&steps,
+						     MIN_SAMPLING_PERIOD);
+	else
+		err2 |= comedi_check_trigger_arg_min(&steps, 1);
+	err2 |= comedi_check_trigger_arg_max(&steps, MAX_SAMPLING_PERIOD);
+	if (err2) {
+		err |= err2;
+		arg = (steps * 1000) / 30;
+		err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
+	}
 
 	if (cmd->stop_src == TRIG_COUNT)
 		err |= comedi_check_trigger_arg_min(&cmd->stop_arg, 1);



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 304/306] powerpc/64s: support nospectre_v2 cmdline option
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (301 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 303/306] staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 305/306] powerpc/book3s64: Fix link stack flush on context switch Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Ellerman,
	Christopher M. Riedl, Andrew Donnellan, Daniel Axtens

From: "Christopher M. Riedl" <cmr@informatik.wtf>

commit d8f0e0b073e1ec52a05f0c2a56318b47387d2f10 upstream.

Add support for disabling the kernel implemented spectre v2 mitigation
(count cache flush on context switch) via the nospectre_v2 and
mitigations=off cmdline options.

Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190524024647.381-1-cmr@informatik.wtf
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/security.c |   19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -28,7 +28,7 @@ static enum count_cache_flush_type count
 bool barrier_nospec_enabled;
 static bool no_nospec;
 static bool btb_flush_enabled;
-#ifdef CONFIG_PPC_FSL_BOOK3E
+#if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64)
 static bool no_spectrev2;
 #endif
 
@@ -106,7 +106,7 @@ static __init int barrier_nospec_debugfs
 device_initcall(barrier_nospec_debugfs_init);
 #endif /* CONFIG_DEBUG_FS */
 
-#ifdef CONFIG_PPC_FSL_BOOK3E
+#if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64)
 static int __init handle_nospectre_v2(char *p)
 {
 	no_spectrev2 = true;
@@ -114,6 +114,9 @@ static int __init handle_nospectre_v2(ch
 	return 0;
 }
 early_param("nospectre_v2", handle_nospectre_v2);
+#endif /* CONFIG_PPC_FSL_BOOK3E || CONFIG_PPC_BOOK3S_64 */
+
+#ifdef CONFIG_PPC_FSL_BOOK3E
 void setup_spectre_v2(void)
 {
 	if (no_spectrev2 || cpu_mitigations_off())
@@ -391,7 +394,17 @@ static void toggle_count_cache_flush(boo
 
 void setup_count_cache_flush(void)
 {
-	toggle_count_cache_flush(true);
+	bool enable = true;
+
+	if (no_spectrev2 || cpu_mitigations_off()) {
+		if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) ||
+		    security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED))
+			pr_warn("Spectre v2 mitigations not under software control, can't disable\n");
+
+		enable = false;
+	}
+
+	toggle_count_cache_flush(enable);
 }
 
 #ifdef CONFIG_DEBUG_FS



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 305/306] powerpc/book3s64: Fix link stack flush on context switch
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (302 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 304/306] powerpc/64s: support nospectre_v2 cmdline option Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-27 20:32 ` [PATCH 4.19 306/306] KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anthony Steinhauser, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit 39e72bf96f5847ba87cc5bd7a3ce0fed813dc9ad upstream.

In commit ee13cb249fab ("powerpc/64s: Add support for software count
cache flush"), I added support for software to flush the count
cache (indirect branch cache) on context switch if firmware told us
that was the required mitigation for Spectre v2.

As part of that code we also added a software flush of the link
stack (return address stack), which protects against Spectre-RSB
between user processes.

That is all correct for CPUs that activate that mitigation, which is
currently Power9 Nimbus DD2.3.

What I got wrong is that on older CPUs, where firmware has disabled
the count cache, we also need to flush the link stack on context
switch.

To fix it we create a new feature bit which is not set by firmware,
which tells us we need to flush the link stack. We set that when
firmware tells us that either of the existing Spectre v2 mitigations
are enabled.

Then we adjust the patching code so that if we see that feature bit we
enable the link stack flush. If we're also told to flush the count
cache in software then we fall through and do that also.

On the older CPUs we don't need to do do the software count cache
flush, firmware has disabled it, so in that case we patch in an early
return after the link stack flush.

The naming of some of the functions is awkward after this patch,
because they're called "count cache" but they also do link stack. But
we'll fix that up in a later commit to ease backporting.

This is the fix for CVE-2019-18660.

Reported-by: Anthony Steinhauser <asteinhauser@google.com>
Fixes: ee13cb249fab ("powerpc/64s: Add support for software count cache flush")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/asm-prototypes.h    |    1 
 arch/powerpc/include/asm/security_features.h |    3 +
 arch/powerpc/kernel/entry_64.S               |    6 +++
 arch/powerpc/kernel/security.c               |   48 ++++++++++++++++++++++++---
 4 files changed, 54 insertions(+), 4 deletions(-)

--- a/arch/powerpc/include/asm/asm-prototypes.h
+++ b/arch/powerpc/include/asm/asm-prototypes.h
@@ -146,6 +146,7 @@ void _kvmppc_save_tm_pr(struct kvm_vcpu
 /* Patch sites */
 extern s32 patch__call_flush_count_cache;
 extern s32 patch__flush_count_cache_return;
+extern s32 patch__flush_link_stack_return;
 extern s32 patch__memset_nocache, patch__memcpy_nocache;
 
 extern long flush_count_cache;
--- a/arch/powerpc/include/asm/security_features.h
+++ b/arch/powerpc/include/asm/security_features.h
@@ -81,6 +81,9 @@ static inline bool security_ftr_enabled(
 // Software required to flush count cache on context switch
 #define SEC_FTR_FLUSH_COUNT_CACHE	0x0000000000000400ull
 
+// Software required to flush link stack on context switch
+#define SEC_FTR_FLUSH_LINK_STACK	0x0000000000001000ull
+
 
 // Features enabled by default
 #define SEC_FTR_DEFAULT \
--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -533,6 +533,7 @@ flush_count_cache:
 	/* Save LR into r9 */
 	mflr	r9
 
+	// Flush the link stack
 	.rept 64
 	bl	.+4
 	.endr
@@ -542,6 +543,11 @@ flush_count_cache:
 	.balign 32
 	/* Restore LR */
 1:	mtlr	r9
+
+	// If we're just flushing the link stack, return here
+3:	nop
+	patch_site 3b patch__flush_link_stack_return
+
 	li	r9,0x7fff
 	mtctr	r9
 
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -24,6 +24,7 @@ enum count_cache_flush_type {
 	COUNT_CACHE_FLUSH_HW	= 0x4,
 };
 static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
+static bool link_stack_flush_enabled;
 
 bool barrier_nospec_enabled;
 static bool no_nospec;
@@ -204,11 +205,19 @@ ssize_t cpu_show_spectre_v2(struct devic
 
 		if (ccd)
 			seq_buf_printf(&s, "Indirect branch cache disabled");
+
+		if (link_stack_flush_enabled)
+			seq_buf_printf(&s, ", Software link stack flush");
+
 	} else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
 		seq_buf_printf(&s, "Mitigation: Software count cache flush");
 
 		if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW)
 			seq_buf_printf(&s, " (hardware accelerated)");
+
+		if (link_stack_flush_enabled)
+			seq_buf_printf(&s, ", Software link stack flush");
+
 	} else if (btb_flush_enabled) {
 		seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
 	} else {
@@ -369,18 +378,40 @@ static __init int stf_barrier_debugfs_in
 device_initcall(stf_barrier_debugfs_init);
 #endif /* CONFIG_DEBUG_FS */
 
+static void no_count_cache_flush(void)
+{
+	count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
+	pr_info("count-cache-flush: software flush disabled.\n");
+}
+
 static void toggle_count_cache_flush(bool enable)
 {
-	if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) {
+	if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE) &&
+	    !security_ftr_enabled(SEC_FTR_FLUSH_LINK_STACK))
+		enable = false;
+
+	if (!enable) {
 		patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP);
-		count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
-		pr_info("count-cache-flush: software flush disabled.\n");
+		pr_info("link-stack-flush: software flush disabled.\n");
+		link_stack_flush_enabled = false;
+		no_count_cache_flush();
 		return;
 	}
 
+	// This enables the branch from _switch to flush_count_cache
 	patch_branch_site(&patch__call_flush_count_cache,
 			  (u64)&flush_count_cache, BRANCH_SET_LINK);
 
+	pr_info("link-stack-flush: software flush enabled.\n");
+	link_stack_flush_enabled = true;
+
+	// If we just need to flush the link stack, patch an early return
+	if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) {
+		patch_instruction_site(&patch__flush_link_stack_return, PPC_INST_BLR);
+		no_count_cache_flush();
+		return;
+	}
+
 	if (!security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) {
 		count_cache_flush_type = COUNT_CACHE_FLUSH_SW;
 		pr_info("count-cache-flush: full software flush sequence enabled.\n");
@@ -399,11 +430,20 @@ void setup_count_cache_flush(void)
 	if (no_spectrev2 || cpu_mitigations_off()) {
 		if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) ||
 		    security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED))
-			pr_warn("Spectre v2 mitigations not under software control, can't disable\n");
+			pr_warn("Spectre v2 mitigations not fully under software control, can't disable\n");
 
 		enable = false;
 	}
 
+	/*
+	 * There's no firmware feature flag/hypervisor bit to tell us we need to
+	 * flush the link stack on context switch. So we set it here if we see
+	 * either of the Spectre v2 mitigations that aim to protect userspace.
+	 */
+	if (security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED) ||
+	    security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE))
+		security_ftr_set(SEC_FTR_FLUSH_LINK_STACK);
+
 	toggle_count_cache_flush(enable);
 }
 



^ permalink raw reply	[flat|nested] 359+ messages in thread

* [PATCH 4.19 306/306] KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (303 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 305/306] powerpc/book3s64: Fix link stack flush on context switch Greg Kroah-Hartman
@ 2019-11-27 20:32 ` Greg Kroah-Hartman
  2019-11-28  0:27 ` [PATCH 4.19 000/306] 4.19.87-stable review Daniel Díaz
                   ` (4 subsequent siblings)
  309 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-27 20:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Daniel Axtens

From: Michael Ellerman <mpe@ellerman.id.au>

commit af2e8c68b9c5403f77096969c516f742f5bb29e0 upstream.

On some systems that are vulnerable to Spectre v2, it is up to
software to flush the link stack (return address stack), in order to
protect against Spectre-RSB.

When exiting from a guest we do some house keeping and then
potentially exit to C code which is several stack frames deep in the
host kernel. We will then execute a series of returns without
preceeding calls, opening up the possiblity that the guest could have
poisoned the link stack, and direct speculative execution of the host
to a gadget of some sort.

To prevent this we add a flush of the link stack on exit from a guest.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[dja: straightforward backport to v4.19]
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/asm-prototypes.h |    2 ++
 arch/powerpc/kernel/security.c            |    9 +++++++++
 arch/powerpc/kvm/book3s_hv_rmhandlers.S   |   28 ++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+)

--- a/arch/powerpc/include/asm/asm-prototypes.h
+++ b/arch/powerpc/include/asm/asm-prototypes.h
@@ -147,8 +147,10 @@ void _kvmppc_save_tm_pr(struct kvm_vcpu
 extern s32 patch__call_flush_count_cache;
 extern s32 patch__flush_count_cache_return;
 extern s32 patch__flush_link_stack_return;
+extern s32 patch__call_kvm_flush_link_stack;
 extern s32 patch__memset_nocache, patch__memcpy_nocache;
 
 extern long flush_count_cache;
+extern long kvm_flush_link_stack;
 
 #endif /* _ASM_POWERPC_ASM_PROTOTYPES_H */
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -392,6 +392,9 @@ static void toggle_count_cache_flush(boo
 
 	if (!enable) {
 		patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP);
+#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
+		patch_instruction_site(&patch__call_kvm_flush_link_stack, PPC_INST_NOP);
+#endif
 		pr_info("link-stack-flush: software flush disabled.\n");
 		link_stack_flush_enabled = false;
 		no_count_cache_flush();
@@ -402,6 +405,12 @@ static void toggle_count_cache_flush(boo
 	patch_branch_site(&patch__call_flush_count_cache,
 			  (u64)&flush_count_cache, BRANCH_SET_LINK);
 
+#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
+	// This enables the branch from guest_exit_cont to kvm_flush_link_stack
+	patch_branch_site(&patch__call_kvm_flush_link_stack,
+			  (u64)&kvm_flush_link_stack, BRANCH_SET_LINK);
+#endif
+
 	pr_info("link-stack-flush: software flush enabled.\n");
 	link_stack_flush_enabled = true;
 
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -18,6 +18,7 @@
  */
 
 #include <asm/ppc_asm.h>
+#include <asm/code-patching-asm.h>
 #include <asm/kvm_asm.h>
 #include <asm/reg.h>
 #include <asm/mmu.h>
@@ -1559,6 +1560,10 @@ mc_cont:
 1:
 #endif /* CONFIG_KVM_XICS */
 
+	/* Possibly flush the link stack here. */
+1:	nop
+	patch_site 1b patch__call_kvm_flush_link_stack
+
 	/* For hash guest, read the guest SLB and save it away */
 	ld	r5, VCPU_KVM(r9)
 	lbz	r0, KVM_RADIX(r5)
@@ -2107,6 +2112,29 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
 	mtlr	r0
 	blr
 
+.balign 32
+.global kvm_flush_link_stack
+kvm_flush_link_stack:
+	/* Save LR into r0 */
+	mflr	r0
+
+	/* Flush the link stack. On Power8 it's up to 32 entries in size. */
+	.rept 32
+	bl	.+4
+	.endr
+
+	/* And on Power9 it's up to 64. */
+BEGIN_FTR_SECTION
+	.rept 32
+	bl	.+4
+	.endr
+END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+
+	/* Restore LR */
+	mtlr	r0
+	blr
+
+
 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
 /*
  * Softpatch interrupt for transactional memory emulation cases



^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (304 preceding siblings ...)
  2019-11-27 20:32 ` [PATCH 4.19 306/306] KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel Greg Kroah-Hartman
@ 2019-11-28  0:27 ` Daniel Díaz
  2019-11-28  8:05   ` Greg Kroah-Hartman
  2019-11-28  6:53 ` Naresh Kamboju
                   ` (3 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Daniel Díaz @ 2019-11-28  0:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, torvalds, Andrew Morton, Guenter Roeck, Shuah Khan,
	patches, Ben Hutchings, lkft-triage, linux- stable

Hello!


On Wed, 27 Nov 2019 at 14:55, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 4.19.87 release.
> There are 306 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

We're seeing this build failure on 4.19 (and 4.14) on x86 32-bits:
> In file included from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/export.h:45:0,
>                  from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/linkage.h:7,
>                  from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/preempt.h:10,
>                  from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/spinlock.h:51,
>                  from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/arch/x86/mm/cpu_entry_area.c:3:
> In function 'setup_cpu_entry_area_ptes',
>     inlined from 'setup_cpu_entry_areas' at /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/arch/x86/mm/cpu_entry_area.c:209:2:
> /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/compiler.h:348:38: error: call to '__compiletime_assert_192' declared with attribute error: BUILD_BUG_ON failed: (CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE
>   _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
>                                       ^
> /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/compiler.h:329:4: note: in definition of macro '__compiletime_assert'
>     prefix ## suffix();    \
>     ^~~~~~
> /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/compiler.h:348:2: note: in expansion of macro '_compiletime_assert'
>   _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
>   ^~~~~~~~~~~~~~~~~~~
> /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/build_bug.h:45:37: note: in expansion of macro 'compiletime_assert'
>  #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
>                                      ^~~~~~~~~~~~~~~~~~
> /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/build_bug.h:69:2: note: in expansion of macro 'BUILD_BUG_ON_MSG'
>   BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
>   ^~~~~~~~~~~~~~~~
> /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/arch/x86/mm/cpu_entry_area.c:192:2: note: in expansion of macro 'BUILD_BUG_ON'
>   BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
>   ^~~~~~~~~~~~

Bisection points to "x86/cpu_entry_area: Add guard page for entry
stack on 32bit" (e50622b4a1, also present in 4.14.y as 880a98c339).

Greetings!

Daniel Díaz
daniel.diaz@linaro.org

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 282/306] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
  2019-11-27 20:32 ` [PATCH 4.19 282/306] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Greg Kroah-Hartman
@ 2019-11-28  3:33   ` Nobuhiro Iwamatsu
  2019-11-28  7:35     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 359+ messages in thread
From: Nobuhiro Iwamatsu @ 2019-11-28  3:33 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, David Miller, Lukas Bulwahn, Jouni Hogander

Hi,

On Wed, Nov 27, 2019 at 09:32:12PM +0100, Greg Kroah-Hartman wrote:
> From: Jouni Hogander <jouni.hogander@unikie.com>
> 
> commit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.
> 
> kobject_init_and_add takes reference even when it fails. This has
> to be given up by the caller in error handling. Otherwise memory
> allocated by kobject_init_and_add is never freed. Originally found
> by Syzkaller:
> 
> BUG: memory leak
> unreferenced object 0xffff8880679f8b08 (size 8):
>   comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
>   hex dump (first 8 bytes):
>     72 78 2d 30 00 36 20 d4                          rx-0.6 .
>   backtrace:
>     [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
>     [<000000001f2e4e49>] kvasprintf+0xb1/0x140
>     [<000000007f313394>] kvasprintf_const+0x56/0x160
>     [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
>     [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
>     [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
>     [<000000006be5f104>] netdev_register_kobject+0x210/0x380
>     [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
>     [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
>     [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
>     [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
>     [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
>     [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
>     [<0000000038d946e5>] do_syscall_64+0x16f/0x580
>     [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>     [<00000000285b3d1a>] 0xffffffffffffffff
> 
> Cc: David Miller <davem@davemloft.net>
> Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
> Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 

We also need the following commits to fix this issue:

commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Nov 20 19:19:07 2019 -0800

    net-sysfs: fix netdev_queue_add_kobject() breakage

    kobject_put() should only be called in error path.

    Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Jouni Hogander <jouni.hogander@unikie.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

And this should also apply to 4.14.y and 5.3.y.
Please apply this commnit to 4.14.y, 4.19.y and 5.3.y

Best regards,
  Nobuhiro


> ---
>  net/core/net-sysfs.c |   24 +++++++++++++-----------
>  1 file changed, 13 insertions(+), 11 deletions(-)
> 
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -932,21 +932,23 @@ static int rx_queue_add_kobject(struct n
>  	error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
>  				     "rx-%u", index);
>  	if (error)
> -		return error;
> +		goto err;
>  
>  	dev_hold(queue->dev);
>  
>  	if (dev->sysfs_rx_queue_group) {
>  		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
> -		if (error) {
> -			kobject_put(kobj);
> -			return error;
> -		}
> +		if (error)
> +			goto err;
>  	}
>  
>  	kobject_uevent(kobj, KOBJ_ADD);
>  
>  	return error;
> +
> +err:
> +	kobject_put(kobj);
> +	return error;
>  }
>  #endif /* CONFIG_SYSFS */
>  
> @@ -1471,21 +1473,21 @@ static int netdev_queue_add_kobject(stru
>  	error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
>  				     "tx-%u", index);
>  	if (error)
> -		return error;
> +		goto err;
>  
>  	dev_hold(queue->dev);
>  
>  #ifdef CONFIG_BQL
>  	error = sysfs_create_group(kobj, &dql_group);
> -	if (error) {
> -		kobject_put(kobj);
> -		return error;
> -	}
> +	if (error)
> +		goto err;
>  #endif
>  
>  	kobject_uevent(kobj, KOBJ_ADD);
>  
> -	return 0;
> +err:
> +	kobject_put(kobj);
> +	return error;
>  }
>  #endif /* CONFIG_SYSFS */
>  
> 
> 
> 

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (305 preceding siblings ...)
  2019-11-28  0:27 ` [PATCH 4.19 000/306] 4.19.87-stable review Daniel Díaz
@ 2019-11-28  6:53 ` Naresh Kamboju
  2019-11-28  7:36   ` Greg Kroah-Hartman
  2019-11-28 10:56 ` Jon Hunter
                   ` (2 subsequent siblings)
  309 siblings, 1 reply; 359+ messages in thread
From: Naresh Kamboju @ 2019-11-28  6:53 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable,
	Netdev, Al Viro, linux-fsdevel, Eric Dumazet, jouni.hogander,
	David S. Miller, lukas.bulwahn

On Thu, 28 Nov 2019 at 02:25, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.19.87 release.
> There are 306 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Kernel BUG noticed on x86_64 device while booting 4.19.87-rc1 kernel.

The problematic patch is,

> Jouni Hogander <jouni.hogander@unikie.com>
>     net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject

And this kernel panic is been fixed by below patch,

commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Nov 20 19:19:07 2019 -0800

    net-sysfs: fix netdev_queue_add_kobject() breakage

    kobject_put() should only be called in error path.

    Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in
rx|netdev_queue_add_kobject")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Jouni Hogander <jouni.hogander@unikie.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

Summary
------------------------------------------------------------------------

kernel: 4.19.87-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.19.y
git commit: 57c5d287ed483d6100bdca528c57562b894487b5
git describe: v4.19.86-307-g57c5d287ed48
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe-sanity/build/v4.19.86-307-g57c5d287ed48

Regressions (compared to build v4.19.86)

[    3.556598] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000090
[    3.569683] PGD 0 P4D 0
[    3.572221] Oops: 0000 [#1] SMP PTI
[    3.575705] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.19.87-rc1 #1
[    3.582049] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.0b 07/27/2017
[    3.589523] RIP: 0010:kernfs_find_ns+0x1f/0x130
[    3.594053] Code: fe ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
55 48 89 e5 41 57 41 56 41 55 41 54 49 89 ff 53 49 89 f6 49 89 d5 48
83 ec 08 <0f> b7 87 90 00 00 00 48 8b 5f 68 66 83 e0 20 66 89 45 d6 8b
05 68
[    3.612788] RSP: 0000:ffffaf514002fba8 EFLAGS: 00010292
[    3.618007] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff95d15b89
[    3.625130] RDX: 0000000000000000 RSI: ffffffff95ddefc7 RDI: 0000000000000000
[    3.632254] RBP: ffffaf514002fbd8 R08: ffffffff94b88f05 R09: 0000000000000001
[    3.639377] R10: ffffaf514002fbd8 R11: 0000000000000001 R12: ffffffff95ddefc7
[    3.646502] R13: 0000000000000000 R14: ffffffff95ddefc7 R15: 0000000000000000
[    3.653625] FS:  0000000000000000(0000) GS:ffff95c0dfb00000(0000)
knlGS:0000000000000000
[    3.661704] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.667442] CR2: 0000000000000090 CR3: 00000003bc01e001 CR4: 00000000003606e0
[    3.674565] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    3.681689] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    3.688811] Call Trace:
[    3.691259]  kernfs_find_and_get_ns+0x33/0x60
[    3.695616]  sysfs_remove_group+0x2a/0x90
[    3.699622]  netdev_queue_update_kobjects+0xc6/0x150
[    3.704587]  netif_set_real_num_tx_queues+0x7e/0x230
[    3.709546]  ? igb_configure_msix+0xde/0x170
[    3.713816]  __igb_open+0x19e/0x5e0
[    3.717322]  igb_open+0x10/0x20
[    3.720506]  __dev_open+0xd7/0x170
[    3.723904]  ? _raw_spin_unlock_bh+0x35/0x40
[    3.728168]  __dev_change_flags+0x17e/0x1d0
[    3.732363]  dev_change_flags+0x29/0x60
[    3.736195]  ip_auto_config+0x28b/0xf04
[    3.740033]  ? tcp_set_default_congestion_control+0xac/0x150
[    3.745683]  ? root_nfs_parse_addr+0xa5/0xa5
[    3.749948]  ? set_debug_rodata+0x17/0x17
[    3.753951]  do_one_initcall+0x61/0x2b4
[    3.757783]  ? do_one_initcall+0x61/0x2b4
[    3.761793]  ? set_debug_rodata+0xa/0x17
[    3.765713]  ? rcu_read_lock_sched_held+0x81/0x90
[    3.770418]  kernel_init_freeable+0x1d8/0x270
[    3.774777]  ? rest_init+0x190/0x190
[    3.778354]  kernel_init+0xe/0x110
[    3.781753]  ret_from_fork+0x3a/0x50
[    3.785349] Modules linked in:
[    3.788427] CR2: 0000000000000090
[    3.791740] ---[ end trace 831b7578b86a527b ]---
[    3.796358] RIP: 0010:kernfs_find_ns+0x1f/0x130
[    3.800889] Code: fe ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
55 48 89 e5 41 57 41 56 41 55 41 54 49 89 ff 53 49 89 f6 49 89 d5 48
83 ec 08 <0f> b7 87 90 00 00 00 48 8b 5f 68 66 83 e0 20 66 89 45 d6 8b
05 68
[    3.819625] RSP: 0000:ffffaf514002fba8 EFLAGS: 00010292
[    3.824843] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff95d15b89
[    3.831968] RDX: 0000000000000000 RSI: ffffffff95ddefc7 RDI: 0000000000000000
[    3.839091] RBP: ffffaf514002fbd8 R08: ffffffff94b88f05 R09: 0000000000000001
[    3.846216] R10: ffffaf514002fbd8 R11: 0000000000000001 R12: ffffffff95ddefc7
[    3.853363] R13: 0000000000000000 R14: ffffffff95ddefc7 R15: 0000000000000000
[    3.860499] FS:  0000000000000000(0000) GS:ffff95c0dfb00000(0000)
knlGS:0000000000000000
[    3.868583] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.874323] CR2: 0000000000000090 CR3: 00000003bc01e001 CR4: 00000000003606e0
[    3.881454] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    3.888576] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    3.895702] BUG: sleeping function called from invalid context at
/usr/src/kernel/include/linux/percpu-rwsem.h:34
[    3.905946] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: swapper/0
[    3.912550] INFO: lockdep is turned off.
[    3.916465] irq event stamp: 1027104
[    3.920038] hardirqs last  enabled at (1027103):
[<ffffffff9553abd6>] _raw_spin_unlock_irqrestore+0x36/0x50
[    3.929770] hardirqs last disabled at (1027104):
[<ffffffff94801c8b>] trace_hardirqs_off_thunk+0x1a/0x1c
[    3.939233] softirqs last  enabled at (1025718):
[<ffffffff9580031f>] __do_softirq+0x31f/0x426
[    3.947832] softirqs last disabled at (1025703):
[<ffffffff948eddb6>] irq_exit+0xd6/0xe0
[    3.955916] CPU: 2 PID: 1 Comm: swapper/0 Tainted: G      D
  4.19.87-rc1 #1
[    3.963648] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.0b 07/27/2017
[    3.971126] Call Trace:
[    3.973572]  dump_stack+0x7a/0xa5
[    3.976890]  ___might_sleep+0x152/0x240
[    3.980720]  __might_sleep+0x4a/0x80
[    3.984309]  exit_signals+0x33/0x240
[    3.987896]  do_exit+0xbd/0xcf0
[    3.991035]  ? kernel_init_freeable+0x1d8/0x270
[    3.995567]  ? rest_init+0x190/0x190
[    3.999136]  rewind_stack_do_exit+0x17/0x20
[    4.003348] Kernel panic - not syncing: Attempted to kill init!
exitcode=0x00000009
[    4.003348]
[    4.012537] Kernel Offset: 0x13800000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[    4.023318] ---[ end Kernel panic - not syncing: Attempted to kill
init! exitcode=0x00000009
[    4.023318]  ]---


--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 282/306] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
  2019-11-28  3:33   ` Nobuhiro Iwamatsu
@ 2019-11-28  7:35     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-28  7:35 UTC (permalink / raw)
  To: Nobuhiro Iwamatsu
  Cc: linux-kernel, stable, David Miller, Lukas Bulwahn, Jouni Hogander

On Thu, Nov 28, 2019 at 12:33:02PM +0900, Nobuhiro Iwamatsu wrote:
> Hi,
> 
> On Wed, Nov 27, 2019 at 09:32:12PM +0100, Greg Kroah-Hartman wrote:
> > From: Jouni Hogander <jouni.hogander@unikie.com>
> > 
> > commit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.
> > 
> > kobject_init_and_add takes reference even when it fails. This has
> > to be given up by the caller in error handling. Otherwise memory
> > allocated by kobject_init_and_add is never freed. Originally found
> > by Syzkaller:
> > 
> > BUG: memory leak
> > unreferenced object 0xffff8880679f8b08 (size 8):
> >   comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
> >   hex dump (first 8 bytes):
> >     72 78 2d 30 00 36 20 d4                          rx-0.6 .
> >   backtrace:
> >     [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
> >     [<000000001f2e4e49>] kvasprintf+0xb1/0x140
> >     [<000000007f313394>] kvasprintf_const+0x56/0x160
> >     [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
> >     [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
> >     [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
> >     [<000000006be5f104>] netdev_register_kobject+0x210/0x380
> >     [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
> >     [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
> >     [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
> >     [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
> >     [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
> >     [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
> >     [<0000000038d946e5>] do_syscall_64+0x16f/0x580
> >     [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >     [<00000000285b3d1a>] 0xffffffffffffffff
> > 
> > Cc: David Miller <davem@davemloft.net>
> > Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
> > Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> 
> We also need the following commits to fix this issue:
> 
> commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
> Author: Eric Dumazet <edumazet@google.com>
> Date:   Wed Nov 20 19:19:07 2019 -0800
> 
>     net-sysfs: fix netdev_queue_add_kobject() breakage
> 
>     kobject_put() should only be called in error path.
> 
>     Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
>     Signed-off-by: Eric Dumazet <edumazet@google.com>
>     Cc: Jouni Hogander <jouni.hogander@unikie.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> And this should also apply to 4.14.y and 5.3.y.
> Please apply this commnit to 4.14.y, 4.19.y and 5.3.y

Thanks for the report, will go queue it up now.

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-28  6:53 ` Naresh Kamboju
@ 2019-11-28  7:36   ` Greg Kroah-Hartman
  2019-11-28 15:56     ` shuah
                       ` (2 more replies)
  0 siblings, 3 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-28  7:36 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable,
	Netdev, Al Viro, linux-fsdevel, Eric Dumazet, jouni.hogander,
	David S. Miller, lukas.bulwahn

On Thu, Nov 28, 2019 at 12:23:41PM +0530, Naresh Kamboju wrote:
> On Thu, 28 Nov 2019 at 02:25, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 4.19.87 release.
> > There are 306 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> > or in the git tree and branch at:
> >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> 
> Kernel BUG noticed on x86_64 device while booting 4.19.87-rc1 kernel.
> 
> The problematic patch is,
> 
> > Jouni Hogander <jouni.hogander@unikie.com>
> >     net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
> 
> And this kernel panic is been fixed by below patch,
> 
> commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
> Author: Eric Dumazet <edumazet@google.com>
> Date:   Wed Nov 20 19:19:07 2019 -0800
> 
>     net-sysfs: fix netdev_queue_add_kobject() breakage
> 
>     kobject_put() should only be called in error path.
> 
>     Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in
> rx|netdev_queue_add_kobject")
>     Signed-off-by: Eric Dumazet <edumazet@google.com>
>     Cc: Jouni Hogander <jouni.hogander@unikie.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>

Now queued up, I'll push out -rc2 versions with this fix.

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-28  0:27 ` [PATCH 4.19 000/306] 4.19.87-stable review Daniel Díaz
@ 2019-11-28  8:05   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-28  8:05 UTC (permalink / raw)
  To: Daniel Díaz
  Cc: open list, torvalds, Andrew Morton, Guenter Roeck, Shuah Khan,
	patches, Ben Hutchings, lkft-triage, linux- stable

On Wed, Nov 27, 2019 at 06:27:55PM -0600, Daniel Díaz wrote:
> Hello!
> 
> 
> On Wed, 27 Nov 2019 at 14:55, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > This is the start of the stable review cycle for the 4.19.87 release.
> > There are 306 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> > or in the git tree and branch at:
> >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> 
> We're seeing this build failure on 4.19 (and 4.14) on x86 32-bits:
> > In file included from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/export.h:45:0,
> >                  from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/linkage.h:7,
> >                  from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/preempt.h:10,
> >                  from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/spinlock.h:51,
> >                  from /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/arch/x86/mm/cpu_entry_area.c:3:
> > In function 'setup_cpu_entry_area_ptes',
> >     inlined from 'setup_cpu_entry_areas' at /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/arch/x86/mm/cpu_entry_area.c:209:2:
> > /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/compiler.h:348:38: error: call to '__compiletime_assert_192' declared with attribute error: BUILD_BUG_ON failed: (CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE
> >   _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
> >                                       ^
> > /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/compiler.h:329:4: note: in definition of macro '__compiletime_assert'
> >     prefix ## suffix();    \
> >     ^~~~~~
> > /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/compiler.h:348:2: note: in expansion of macro '_compiletime_assert'
> >   _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
> >   ^~~~~~~~~~~~~~~~~~~
> > /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/build_bug.h:45:37: note: in expansion of macro 'compiletime_assert'
> >  #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
> >                                      ^~~~~~~~~~~~~~~~~~
> > /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/include/linux/build_bug.h:69:2: note: in expansion of macro 'BUILD_BUG_ON_MSG'
> >   BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
> >   ^~~~~~~~~~~~~~~~
> > /srv/oe/build/tmp-lkft-glibc/work-shared/intel-core2-32/kernel-source/arch/x86/mm/cpu_entry_area.c:192:2: note: in expansion of macro 'BUILD_BUG_ON'
> >   BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE);
> >   ^~~~~~~~~~~~
> 
> Bisection points to "x86/cpu_entry_area: Add guard page for entry
> stack on 32bit" (e50622b4a1, also present in 4.14.y as 880a98c339).

Ugh, I was hoping that 32bit stuff "just worked".  I'll take a look at
the whole series later today and try to work to backport some of the
known-missing parts of that series.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (306 preceding siblings ...)
  2019-11-28  6:53 ` Naresh Kamboju
@ 2019-11-28 10:56 ` Jon Hunter
  2019-11-28 16:17 ` Guenter Roeck
  2019-11-29 10:37 ` Greg Kroah-Hartman
  309 siblings, 0 replies; 359+ messages in thread
From: Jon Hunter @ 2019-11-28 10:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 27/11/2019 20:27, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.87 release.
> There are 306 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 
> -------------

All tests are passing for Tegra ...

Test results for stable-v4.19:
    13 builds:	13 pass, 0 fail
    22 boots:	22 pass, 0 fail
    32 tests:	32 pass, 0 fail

Linux version:	4.19.87-rc1-g57c5d287ed48
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-28  7:36   ` Greg Kroah-Hartman
@ 2019-11-28 15:56     ` shuah
  2019-11-28 23:57       ` shuah
  2019-11-29  5:46     ` Lukas Bulwahn
  2019-11-29  8:54     ` Naresh Kamboju
  2 siblings, 1 reply; 359+ messages in thread
From: shuah @ 2019-11-28 15:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck, patches,
	Ben Hutchings, lkft-triage, linux- stable, Netdev, Al Viro,
	linux-fsdevel, Eric Dumazet, jouni.hogander, David S. Miller,
	lukas.bulwahn, shuah

On 11/28/19 12:36 AM, Greg Kroah-Hartman wrote:
> On Thu, Nov 28, 2019 at 12:23:41PM +0530, Naresh Kamboju wrote:
>> On Thu, 28 Nov 2019 at 02:25, Greg Kroah-Hartman
>> <gregkh@linuxfoundation.org> wrote:
>>>
>>> This is the start of the stable review cycle for the 4.19.87 release.
>>> There are 306 patches in this series, all will be posted as a response
>>> to this one.  If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
>>> Anything received after that time might be too late.
>>>
>>> The whole patch series can be found in one patch at:
>>>          https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
>>> or in the git tree and branch at:
>>>          git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
>>> and the diffstat can be found below.
>>>
>>> thanks,
>>>
>>> greg k-h
>>
>> Kernel BUG noticed on x86_64 device while booting 4.19.87-rc1 kernel.
>>
>> The problematic patch is,
>>
>>> Jouni Hogander <jouni.hogander@unikie.com>
>>>      net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
>>
>> And this kernel panic is been fixed by below patch,
>>
>> commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
>> Author: Eric Dumazet <edumazet@google.com>
>> Date:   Wed Nov 20 19:19:07 2019 -0800
>>
>>      net-sysfs: fix netdev_queue_add_kobject() breakage
>>
>>      kobject_put() should only be called in error path.
>>
>>      Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in
>> rx|netdev_queue_add_kobject")
>>      Signed-off-by: Eric Dumazet <edumazet@google.com>
>>      Cc: Jouni Hogander <jouni.hogander@unikie.com>
>>      Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> Now queued up, I'll push out -rc2 versions with this fix.
> 
> greg k-h
> 

Ran into this on my test system. I will try rc2.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (307 preceding siblings ...)
  2019-11-28 10:56 ` Jon Hunter
@ 2019-11-28 16:17 ` Guenter Roeck
  2019-11-29 10:37 ` Greg Kroah-Hartman
  309 siblings, 0 replies; 359+ messages in thread
From: Guenter Roeck @ 2019-11-28 16:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage, stable

On 11/27/19 12:27 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.87 release.
> There are 306 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 156 pass: 151 fail: 5
Failed builds:
	i386:defconfig
	i386:allyesconfig
	i386:allmodconfig
	i386:allnoconfig
	i386:tinyconfig
Qemu test results:
	total: 390 pass: 365 fail: 25
Failed tests:
	<all i386>

As already reported.

Guenter

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 105/306] swiotlb: do not panic on mapping failures
  2019-11-27 20:29 ` [PATCH 4.19 105/306] swiotlb: do not panic on mapping failures Greg Kroah-Hartman
@ 2019-11-28 21:20   ` Pavel Machek
  0 siblings, 0 replies; 359+ messages in thread
From: Pavel Machek @ 2019-11-28 21:20 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Christoph Hellwig, Robin Murphy, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 2859 bytes --]

On Wed 2019-11-27 21:29:15, Greg Kroah-Hartman wrote:
> From: Christoph Hellwig <hch@lst.de>
> 
> [ Upstream commit 8088546832aa2c0d8f99dd56edf6384f8a9b63b3 ]
> 
> All properly written drivers now have error handling in the
> dma_map_single / dma_map_page callers.  As swiotlb_tbl_map_single already
> prints a useful warning when running out of swiotlb pool space we can
> also remove swiotlb_full entirely as it serves no purpose now.

Umm. I trust you that is true in mainline, but is it also true for
-stable kernels?

Does this fix anything for -stable users?

Best regards,
							Pavel

> +++ b/kernel/dma/swiotlb.c
> @@ -761,34 +761,6 @@ static bool swiotlb_free_buffer(struct device *dev, size_t size,
>  	return true;
>  }
>  
> -static void
> -swiotlb_full(struct device *dev, size_t size, enum dma_data_direction dir,
> -	     int do_panic)
> -{
> -	if (swiotlb_force == SWIOTLB_NO_FORCE)
> -		return;
> -
> -	/*
> -	 * Ran out of IOMMU space for this operation. This is very bad.
> -	 * Unfortunately the drivers cannot handle this operation properly.
> -	 * unless they check for dma_mapping_error (most don't)
> -	 * When the mapping is small enough return a static buffer to limit
> -	 * the damage, or panic when the transfer is too big.
> -	 */
> -	dev_err_ratelimited(dev, "DMA: Out of SW-IOMMU space for %zu bytes\n",
> -			    size);
> -
> -	if (size <= io_tlb_overflow || !do_panic)
> -		return;
> -
> -	if (dir == DMA_BIDIRECTIONAL)
> -		panic("DMA: Random memory could be DMA accessed\n");
> -	if (dir == DMA_FROM_DEVICE)
> -		panic("DMA: Random memory could be DMA written\n");
> -	if (dir == DMA_TO_DEVICE)
> -		panic("DMA: Random memory could be DMA read\n");
> -}
> -
>  /*
>   * Map a single buffer of the indicated size for DMA in streaming mode.  The
>   * physical address to use is returned.
> @@ -817,10 +789,8 @@ dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
>  
>  	/* Oh well, have to allocate and map a bounce buffer. */
>  	map = map_single(dev, phys, size, dir, attrs);
> -	if (map == SWIOTLB_MAP_ERROR) {
> -		swiotlb_full(dev, size, dir, 1);
> +	if (map == SWIOTLB_MAP_ERROR)
>  		return __phys_to_dma(dev, io_tlb_overflow_buffer);
> -	}
>  
>  	dev_addr = __phys_to_dma(dev, map);
>  
> @@ -954,7 +924,6 @@ swiotlb_map_sg_attrs(struct device *hwdev, struct scatterlist *sgl, int nelems,
>  			if (map == SWIOTLB_MAP_ERROR) {
>  				/* Don't panic here, we expect map_sg users
>  				   to do proper error handling. */
> -				swiotlb_full(hwdev, sg->length, dir, 0);
>  				attrs |= DMA_ATTR_SKIP_CPU_SYNC;
>  				swiotlb_unmap_sg_attrs(hwdev, sgl, i, dir,
>  						       attrs);

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-28 15:56     ` shuah
@ 2019-11-28 23:57       ` shuah
  2019-11-29  6:43         ` Greg Kroah-Hartman
  0 siblings, 1 reply; 359+ messages in thread
From: shuah @ 2019-11-28 23:57 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck, patches,
	Ben Hutchings, lkft-triage, linux- stable, Netdev, Al Viro,
	linux-fsdevel, Eric Dumazet, jouni.hogander, David S. Miller,
	lukas.bulwahn, shuah

On 11/28/19 8:56 AM, shuah wrote:
> On 11/28/19 12:36 AM, Greg Kroah-Hartman wrote:
>> On Thu, Nov 28, 2019 at 12:23:41PM +0530, Naresh Kamboju wrote:
>>> On Thu, 28 Nov 2019 at 02:25, Greg Kroah-Hartman
>>> <gregkh@linuxfoundation.org> wrote:
>>>>
>>>> This is the start of the stable review cycle for the 4.19.87 release.
>>>> There are 306 patches in this series, all will be posted as a response
>>>> to this one.  If anyone has any issues with these being applied, please
>>>> let me know.
>>>>
>>>> Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
>>>> Anything received after that time might be too late.
>>>>
>>>> The whole patch series can be found in one patch at:
>>>>          
>>>> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz 
>>>>
>>>> or in the git tree and branch at:
>>>>          
>>>> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
>>>> linux-4.19.y
>>>> and the diffstat can be found below.
>>>>
>>>> thanks,
>>>>
>>>> greg k-h
>>>
>>> Kernel BUG noticed on x86_64 device while booting 4.19.87-rc1 kernel.
>>>
>>> The problematic patch is,
>>>
>>>> Jouni Hogander <jouni.hogander@unikie.com>
>>>>      net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
>>>
>>> And this kernel panic is been fixed by below patch,
>>>
>>> commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
>>> Author: Eric Dumazet <edumazet@google.com>
>>> Date:   Wed Nov 20 19:19:07 2019 -0800
>>>
>>>      net-sysfs: fix netdev_queue_add_kobject() breakage
>>>
>>>      kobject_put() should only be called in error path.
>>>
>>>      Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in
>>> rx|netdev_queue_add_kobject")
>>>      Signed-off-by: Eric Dumazet <edumazet@google.com>
>>>      Cc: Jouni Hogander <jouni.hogander@unikie.com>
>>>      Signed-off-by: David S. Miller <davem@davemloft.net>
>>
>> Now queued up, I'll push out -rc2 versions with this fix.
>>
>> greg k-h
>>
> 
> Ran into this on my test system. I will try rc2.
> 

rc2 worked for me.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-28  7:36   ` Greg Kroah-Hartman
  2019-11-28 15:56     ` shuah
@ 2019-11-29  5:46     ` Lukas Bulwahn
  2019-11-29  8:58       ` Greg Kroah-Hartman
  2019-11-29  8:54     ` Naresh Kamboju
  2 siblings, 1 reply; 359+ messages in thread
From: Lukas Bulwahn @ 2019-11-29  5:46 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Naresh Kamboju, open list, Linus Torvalds, Andrew Morton,
	Guenter Roeck, Shuah Khan, patches, Ben Hutchings, lkft-triage,
	linux- stable, Netdev, Al Viro, linux-fsdevel, Eric Dumazet,
	Jouni Högander, David S. Miller

On Thu, Nov 28, 2019 at 8:37 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Thu, Nov 28, 2019 at 12:23:41PM +0530, Naresh Kamboju wrote:
> > On Thu, 28 Nov 2019 at 02:25, Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > >
> > > This is the start of the stable review cycle for the 4.19.87 release.
> > > There are 306 patches in this series, all will be posted as a response
> > > to this one.  If anyone has any issues with these being applied, please
> > > let me know.
> > >
> > > Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> > > Anything received after that time might be too late.
> > >
> > > The whole patch series can be found in one patch at:
> > >         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> > > or in the git tree and branch at:
> > >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> > > and the diffstat can be found below.
> > >
> > > thanks,
> > >
> > > greg k-h
> >
> > Kernel BUG noticed on x86_64 device while booting 4.19.87-rc1 kernel.
> >
> > The problematic patch is,
> >
> > > Jouni Hogander <jouni.hogander@unikie.com>
> > >     net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
> >
> > And this kernel panic is been fixed by below patch,
> >
> > commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
> > Author: Eric Dumazet <edumazet@google.com>
> > Date:   Wed Nov 20 19:19:07 2019 -0800
> >
> >     net-sysfs: fix netdev_queue_add_kobject() breakage
> >
> >     kobject_put() should only be called in error path.
> >
> >     Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in
> > rx|netdev_queue_add_kobject")
> >     Signed-off-by: Eric Dumazet <edumazet@google.com>
> >     Cc: Jouni Hogander <jouni.hogander@unikie.com>
> >     Signed-off-by: David S. Miller <davem@davemloft.net>
>
> Now queued up, I'll push out -rc2 versions with this fix.
>
> greg k-h

We have also been informed about another regression these two commits
are causing:

https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/

I suggest to drop these two patches from this queue, and give us a
week to shake out the regressions of the change, and once ready, we
can include the complete set of fixes to stable (probably in a week or
two).

Lukas

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-28 23:57       ` shuah
@ 2019-11-29  6:43         ` Greg Kroah-Hartman
  0 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-29  6:43 UTC (permalink / raw)
  To: shuah
  Cc: Naresh Kamboju, open list, Linus Torvalds, Andrew Morton,
	Guenter Roeck, patches, Ben Hutchings, lkft-triage,
	linux- stable, Netdev, Al Viro, linux-fsdevel, Eric Dumazet,
	jouni.hogander, David S. Miller, lukas.bulwahn

On Thu, Nov 28, 2019 at 04:57:09PM -0700, shuah wrote:
> On 11/28/19 8:56 AM, shuah wrote:
> > On 11/28/19 12:36 AM, Greg Kroah-Hartman wrote:
> > > On Thu, Nov 28, 2019 at 12:23:41PM +0530, Naresh Kamboju wrote:
> > > > On Thu, 28 Nov 2019 at 02:25, Greg Kroah-Hartman
> > > > <gregkh@linuxfoundation.org> wrote:
> > > > > 
> > > > > This is the start of the stable review cycle for the 4.19.87 release.
> > > > > There are 306 patches in this series, all will be posted as a response
> > > > > to this one.  If anyone has any issues with these being applied, please
> > > > > let me know.
> > > > > 
> > > > > Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> > > > > Anything received after that time might be too late.
> > > > > 
> > > > > The whole patch series can be found in one patch at:
> > > > >           https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> > > > > 
> > > > > or in the git tree and branch at:
> > > > >           git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
> > > > > linux-4.19.y
> > > > > and the diffstat can be found below.
> > > > > 
> > > > > thanks,
> > > > > 
> > > > > greg k-h
> > > > 
> > > > Kernel BUG noticed on x86_64 device while booting 4.19.87-rc1 kernel.
> > > > 
> > > > The problematic patch is,
> > > > 
> > > > > Jouni Hogander <jouni.hogander@unikie.com>
> > > > >      net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
> > > > 
> > > > And this kernel panic is been fixed by below patch,
> > > > 
> > > > commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
> > > > Author: Eric Dumazet <edumazet@google.com>
> > > > Date:   Wed Nov 20 19:19:07 2019 -0800
> > > > 
> > > >      net-sysfs: fix netdev_queue_add_kobject() breakage
> > > > 
> > > >      kobject_put() should only be called in error path.
> > > > 
> > > >      Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in
> > > > rx|netdev_queue_add_kobject")
> > > >      Signed-off-by: Eric Dumazet <edumazet@google.com>
> > > >      Cc: Jouni Hogander <jouni.hogander@unikie.com>
> > > >      Signed-off-by: David S. Miller <davem@davemloft.net>
> > > 
> > > Now queued up, I'll push out -rc2 versions with this fix.
> > > 
> > > greg k-h
> > > 
> > 
> > Ran into this on my test system. I will try rc2.
> > 
> 
> rc2 worked for me.

Great, thanks for testing and confirming it.

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-28  7:36   ` Greg Kroah-Hartman
  2019-11-28 15:56     ` shuah
  2019-11-29  5:46     ` Lukas Bulwahn
@ 2019-11-29  8:54     ` Naresh Kamboju
  2 siblings, 0 replies; 359+ messages in thread
From: Naresh Kamboju @ 2019-11-29  8:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable,
	Netdev, Al Viro, linux-fsdevel, Eric Dumazet, jouni.hogander,
	David S. Miller, lukas.bulwahn

On Thu, 28 Nov 2019 at 13:07, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:


> Now queued up, I'll push out -rc2 versions with this fix.

Results from Linaro’s test farm.
Regressions detected on i386.

i386 build failed on 4.19 and 4.14

In function 'setup_cpu_entry_area_ptes',
    inlined from 'setup_cpu_entry_areas' at arch/x86/mm/cpu_entry_area.c:209:2:
include/linux/compiler.h:348:38: error: call to
'__compiletime_assert_192' declared with attribute error: BUILD_BUG_ON
failed: (CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE
  _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
                                      ^
include/linux/compiler.h:329:4: note: in definition of macro
'__compiletime_assert'
    prefix ## suffix();    \
    ^~~~~~
include/linux/compiler.h:348:2: note: in expansion of macro
'_compiletime_assert'
  _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
  ^~~~~~~~~~~~~~~~~~~
include/linux/build_bug.h:45:37: note: in expansion of macro
'compiletime_assert'
 #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                     ^~~~~~~~~~~~~~~~~~

Bisection points to "x86/cpu_entry_area: Add guard page for entry
stack on 32bit" (e50622b4a1, also present in 4.14.y as 880a98c339).


Summary
------------------------------------------------------------------------

kernel: 4.19.87-rc2
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.19.y
git commit: 63633b307be0161e7bd6f854a28d7d9fa05f69ef
git describe: v4.19.86-309-g63633b307be0
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe/build/v4.19.86-309-g63633b307be0

Regressions (compared to build v4.19.86)
------------------------------------------------------------------------

i386:
  build:
    * build_process


No fixes (compared to build v4.19.86)


Ran 18913 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* ltp-fs-tests
* network-basic-tests
* kvm-unit-tests
* ltp-open-posix-tests
* ssuite
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-29  5:46     ` Lukas Bulwahn
@ 2019-11-29  8:58       ` Greg Kroah-Hartman
  2020-01-22  7:48         ` Jouni Högander
  0 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-29  8:58 UTC (permalink / raw)
  To: Lukas Bulwahn
  Cc: Naresh Kamboju, open list, Linus Torvalds, Andrew Morton,
	Guenter Roeck, Shuah Khan, patches, Ben Hutchings, lkft-triage,
	linux- stable, Netdev, Al Viro, linux-fsdevel, Eric Dumazet,
	Jouni Högander, David S. Miller

On Fri, Nov 29, 2019 at 06:46:23AM +0100, Lukas Bulwahn wrote:
> On Thu, Nov 28, 2019 at 8:37 AM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Thu, Nov 28, 2019 at 12:23:41PM +0530, Naresh Kamboju wrote:
> > > On Thu, 28 Nov 2019 at 02:25, Greg Kroah-Hartman
> > > <gregkh@linuxfoundation.org> wrote:
> > > >
> > > > This is the start of the stable review cycle for the 4.19.87 release.
> > > > There are 306 patches in this series, all will be posted as a response
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > >
> > > > Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> > > > Anything received after that time might be too late.
> > > >
> > > > The whole patch series can be found in one patch at:
> > > >         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> > > > or in the git tree and branch at:
> > > >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> > > > and the diffstat can be found below.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > >
> > > Kernel BUG noticed on x86_64 device while booting 4.19.87-rc1 kernel.
> > >
> > > The problematic patch is,
> > >
> > > > Jouni Hogander <jouni.hogander@unikie.com>
> > > >     net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
> > >
> > > And this kernel panic is been fixed by below patch,
> > >
> > > commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0
> > > Author: Eric Dumazet <edumazet@google.com>
> > > Date:   Wed Nov 20 19:19:07 2019 -0800
> > >
> > >     net-sysfs: fix netdev_queue_add_kobject() breakage
> > >
> > >     kobject_put() should only be called in error path.
> > >
> > >     Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in
> > > rx|netdev_queue_add_kobject")
> > >     Signed-off-by: Eric Dumazet <edumazet@google.com>
> > >     Cc: Jouni Hogander <jouni.hogander@unikie.com>
> > >     Signed-off-by: David S. Miller <davem@davemloft.net>
> >
> > Now queued up, I'll push out -rc2 versions with this fix.
> >
> > greg k-h
> 
> We have also been informed about another regression these two commits
> are causing:
> 
> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/
> 
> I suggest to drop these two patches from this queue, and give us a
> week to shake out the regressions of the change, and once ready, we
> can include the complete set of fixes to stable (probably in a week or
> two).

Ok, thanks for the information, I've now dropped them from all of the
queues that had them in them.

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
                   ` (308 preceding siblings ...)
  2019-11-28 16:17 ` Guenter Roeck
@ 2019-11-29 10:37 ` Greg Kroah-Hartman
  2019-11-29 20:15   ` Naresh Kamboju
  309 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-29 10:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Wed, Nov 27, 2019 at 09:27:30PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.87 release.
> There are 306 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y

I have released -rc3 now:
 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc3.gz

that should have the i386 and all other reported issues fixed.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting
  2019-11-27 20:30 ` [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting Greg Kroah-Hartman
@ 2019-11-29 11:00   ` Pavel Machek
  2019-11-29 14:31     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 359+ messages in thread
From: Pavel Machek @ 2019-11-29 11:00 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Huazhong Tan, David S. Miller, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1267 bytes --]

Hi!

> From: Huazhong Tan <tanhuazhong@huawei.com>
> 
> [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
> 
> When hns3_get_ring_config()/hns3_queue_to_ring()/
> hns3_get_vector_ring_chain() failed during resetting, the allocated
> memory has not been freed before these three functions return. So
> this patch adds error handler in these functions to fix it.

Correct me if I'm wrong, but... this introduces use-after-free:

> @@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
>  	}
>  
>  	return 0;
> +
> +err_free_chain:
> +	cur_chain = head->next;
> +	while (cur_chain) {
> +		chain = cur_chain->next;
> +		devm_kfree(&pdev->dev, chain);
> +		cur_chain = chain;
> +	}

Lets take two iterations:

> +		chain = cur_chain->next;
> +		devm_kfree(&pdev->dev, chain);
chain freed here.
> +		cur_chain = chain;

> +		chain = cur_chain->next;
chain->next accessed here, after free.
> +		devm_kfree(&pdev->dev, chain);
> +		cur_chain = chain;

Should it do devm_kfree(&pdev->dev, cur_chain); ?

Best regards,
									Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 223/306] net: dsa: bcm_sf2: Turn on PHY to allow successful registration
  2019-11-27 20:31 ` [PATCH 4.19 223/306] net: dsa: bcm_sf2: Turn on PHY to allow successful registration Greg Kroah-Hartman
@ 2019-11-29 13:00   ` Pavel Machek
  0 siblings, 0 replies; 359+ messages in thread
From: Pavel Machek @ 2019-11-29 13:00 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Florian Fainelli, David S. Miller, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1731 bytes --]

Hi!

> From: Florian Fainelli <f.fainelli@gmail.com>
> 
> [ Upstream commit c04a17d2a9ccf1eaba1c5a56f83e997540a70556 ]
> 
> We are binding to the PHY using the SF2 slave MDIO bus that we create,
> binding involves reading the PHY's MII_PHYSID1/2 which won't be possible
> if the PHY is turned off. Temporarily turn it on/off for the bus probing
> to succeeed. This fixes unbind/bind problems where the port connecting
> to that PHY would be in error since it could not connect to it.
> 
> Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  drivers/net/dsa/bcm_sf2.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
> index ca3655d28e00f..17cec68e56b4f 100644
> --- a/drivers/net/dsa/bcm_sf2.c
> +++ b/drivers/net/dsa/bcm_sf2.c
> @@ -1099,12 +1099,16 @@ static int bcm_sf2_sw_probe(struct platform_device *pdev)
>  		return ret;
>  	}
>  
> +	bcm_sf2_gphy_enable_set(priv->dev->ds, true);
> +
>  	ret = bcm_sf2_mdio_register(ds);
>  	if (ret) {
>  		pr_err("failed to register MDIO bus\n");
>  		return ret;
>  	}
>  
> +	bcm_sf2_gphy_enable_set(priv->dev->ds, false);
> +

This fails to turn off the PHY in the error case. Reordering like this
should fix it:

  	ret = bcm_sf2_mdio_register(ds);
 +	bcm_sf2_gphy_enable_set(priv->dev->ds, false);
  	if (ret) {
  		pr_err("failed to register MDIO bus\n");
  		return ret;
  	}
  
Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting
  2019-11-29 11:00   ` Pavel Machek
@ 2019-11-29 14:31     ` Greg Kroah-Hartman
  2019-11-29 22:24       ` Pavel Machek
  0 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-29 14:31 UTC (permalink / raw)
  To: Pavel Machek
  Cc: linux-kernel, stable, Huazhong Tan, David S. Miller, Sasha Levin

On Fri, Nov 29, 2019 at 12:00:10PM +0100, Pavel Machek wrote:
> Hi!
> 
> > From: Huazhong Tan <tanhuazhong@huawei.com>
> > 
> > [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
> > 
> > When hns3_get_ring_config()/hns3_queue_to_ring()/
> > hns3_get_vector_ring_chain() failed during resetting, the allocated
> > memory has not been freed before these three functions return. So
> > this patch adds error handler in these functions to fix it.
> 
> Correct me if I'm wrong, but... this introduces use-after-free:
> 
> > @@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
> >  	}
> >  
> >  	return 0;
> > +
> > +err_free_chain:
> > +	cur_chain = head->next;
> > +	while (cur_chain) {
> > +		chain = cur_chain->next;
> > +		devm_kfree(&pdev->dev, chain);
> > +		cur_chain = chain;
> > +	}
> 
> Lets take two iterations:
> 
> > +		chain = cur_chain->next;
> > +		devm_kfree(&pdev->dev, chain);
> chain freed here.
> > +		cur_chain = chain;
> 
> > +		chain = cur_chain->next;
> chain->next accessed here, after free.
> > +		devm_kfree(&pdev->dev, chain);
> > +		cur_chain = chain;
> 
> Should it do devm_kfree(&pdev->dev, cur_chain); ?

I think Sasha tried to backport a fix for this patch, but that fix broke
the build :(

If you want to provide a working backport, I'll be glad to take it.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-29 10:37 ` Greg Kroah-Hartman
@ 2019-11-29 20:15   ` Naresh Kamboju
  0 siblings, 0 replies; 359+ messages in thread
From: Naresh Kamboju @ 2019-11-29 20:15 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Fri, 29 Nov 2019 at 16:07, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Wed, Nov 27, 2019 at 09:27:30PM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.19.87 release.
> > There are 306 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri, 29 Nov 2019 20:18:09 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >       https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc1.gz
> > or in the git tree and branch at:
> >       git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
>
> I have released -rc3 now:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.87-rc3.gz
>
> that should have the i386 and all other reported issues fixed.

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.19.87-rc3
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.19.y
git commit: cc82722f8f1b05c10e62b80951b3950e453fcb88
git describe: v4.19.86-299-gcc82722f8f1b
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe/build/v4.19.86-299-gcc82722f8f1b

No regressions (compared to build v4.19.86)

No fixes (compared to build v4.19.86)


Ran 23167 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* libhugetlbfs
* linux-log-parser
* kselftest
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* ltp-open-posix-tests
* kvm-unit-tests
* ssuite
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting
  2019-11-29 14:31     ` Greg Kroah-Hartman
@ 2019-11-29 22:24       ` Pavel Machek
  2019-12-03 12:27         ` Greg Kroah-Hartman
  0 siblings, 1 reply; 359+ messages in thread
From: Pavel Machek @ 2019-11-29 22:24 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Pavel Machek, linux-kernel, stable, Huazhong Tan,
	David S. Miller, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1109 bytes --]

Hi!

> > > From: Huazhong Tan <tanhuazhong@huawei.com>
> > > 
> > > [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
> > > 
> > > When hns3_get_ring_config()/hns3_queue_to_ring()/
> > > hns3_get_vector_ring_chain() failed during resetting, the allocated
> > > memory has not been freed before these three functions return. So
> > > this patch adds error handler in these functions to fix it.
> > 
> > Correct me if I'm wrong, but... this introduces use-after-free:
> > Should it do devm_kfree(&pdev->dev, cur_chain); ?
> 
> I think Sasha tried to backport a fix for this patch, but that fix broke
> the build :(
> 
> If you want to provide a working backport, I'll be glad to take it.

Actually it looks like problem originated in mainline, and there was
more than one problem with this patch.

cda69d244585bc4497d3bb878c22fe2b6ad647c1 should fix it; it needs to be
back-ported, too.

Best regards,
								Pavel
								
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 030/306] synclink_gt(): fix compat_ioctl()
  2019-11-27 20:28 ` [PATCH 4.19 030/306] synclink_gt(): fix compat_ioctl() Greg Kroah-Hartman
@ 2019-11-30 10:28   ` Pavel Machek
  0 siblings, 0 replies; 359+ messages in thread
From: Pavel Machek @ 2019-11-30 10:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Al Viro, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1695 bytes --]

Hi!

> From: Al Viro <viro@zeniv.linux.org.uk>
> 
> [ Upstream commit 27230e51349fde075598c1b59d15e1ff802f3f6e ]
> 
> compat_ptr() for pointer-taking ones...
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> Signed-off-by: Sasha Levin <sashal@kernel.org>

> +++ b/drivers/tty/synclink_gt.c
> @@ -1186,14 +1186,13 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
>  			 unsigned int cmd, unsigned long arg)
>  {
>  	struct slgt_info *info = tty->driver_data;
> -	int rc = -ENOIOCTLCMD;
> +	int rc;
>  
>  	if (sanity_check(info, tty->name, "compat_ioctl"))
>  		return -ENODEV;
>  	DBGINFO(("%s compat_ioctl() cmd=%08X\n", info->device_name, cmd));
>  
>  	switch (cmd) {
> -
>  	case MGSL_IOCSPARAMS32:
>  		rc = set_params32(info, compat_ptr(arg));
>  		break;
> @@ -1213,18 +1212,11 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
>  	case MGSL_IOCWAITGPIO:
>  	case MGSL_IOCGXSYNC:
>  	case MGSL_IOCGXCTRL:
> -	case MGSL_IOCSTXIDLE:
> -	case MGSL_IOCTXENABLE:
> -	case MGSL_IOCRXENABLE:
> -	case MGSL_IOCTXABORT:
> -	case TIOCMIWAIT:
> -	case MGSL_IOCSIF:
> -	case MGSL_IOCSXSYNC:
> -	case MGSL_IOCSXCTRL:
> -		rc = ioctl(tty, cmd, arg);
> +		rc = ioctl(tty, cmd, (unsigned long)compat_ptr(arg));
>  		break;
> +	default:
> +		rc = ioctl(tty, cmd, arg);
>  	}

Ok, so this used to only pass select calls to ioctl() and now it
passes everything thanks to default: marking. I guess that's suitable
for mainline, but is it also suitable for -stable?

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-11-27 20:28 ` [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode() Greg Kroah-Hartman
@ 2019-12-02 14:40   ` Jack Wang
  2019-12-02 14:51     ` Greg Kroah-Hartman
  2019-12-04 17:50     ` Dan Rue
  0 siblings, 2 replies; 359+ messages in thread
From: Jack Wang @ 2019-12-02 14:40 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Sean Christopherson, Jim Mattson,
	Paolo Bonzini, Sasha Levin

Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
>
> From: Sean Christopherson <sean.j.christopherson@intel.com>
>
> [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
>
> In preparation of supporting checkpoint/restore for nested state,
> commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> modified check_vmentry_postreqs() to only perform the guest EFER
> consistency checks when nested_run_pending is true.  But, in the
> normal nested VMEntry flow, nested_run_pending is only set after
> check_vmentry_postreqs(), i.e. the consistency check is being skipped.
>
> Alternatively, nested_run_pending could be set prior to calling
> check_vmentry_postreqs() in nested_vmx_run(), but placing the
> consistency checks in nested_vmx_enter_non_root_mode() allows us
> to split prepare_vmcs02() and interleave the preparation with
> the consistency checks without having to change the call sites
> of nested_vmx_enter_non_root_mode().  In other words, the rest
> of the consistency check code in nested_vmx_run() will be joining
> the postreqs checks in future patches.
>
> Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Cc: Jim Mattson <jmattson@google.com>
> Reviewed-by: Jim Mattson <jmattson@google.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  arch/x86/kvm/vmx.c | 10 +++-------
>  1 file changed, 3 insertions(+), 7 deletions(-)
>
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index fe7fdd666f091..bdf019f322117 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
>         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
>                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
>
> +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
> +               return EXIT_REASON_INVALID_STATE;
> +
>         enter_guest_mode(vcpu);
>
>         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
> @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
>          */
>         skip_emulated_instruction(vcpu);
>
> -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
> -       if (ret) {
> -               nested_vmx_entry_failure(vcpu, vmcs12,
> -                                        EXIT_REASON_INVALID_STATE, exit_qual);
> -               return 1;
> -       }
> -
>         /*
>          * We're finally done with prerequisite checking, and can start with
>          * the nested entry.
> --
> 2.20.1
>
>
>
Hi all,

This commit caused many kvm-unit-tests regression, cherry-pick
following commits from 4.20 fix the regression:
d63907dc7dd1 ("KVM: nVMX: rename enter_vmx_non_root_mode to
nested_vmx_enter_non_root_mode")
a633e41e7362 ("KVM: nVMX: assimilate nested_vmx_entry_failure() into
nested_vmx_enter_non_root_mode()")

Regards,
Jack Wang
1 & 1 IONOS SE

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-02 14:40   ` Jack Wang
@ 2019-12-02 14:51     ` Greg Kroah-Hartman
  2019-12-02 15:09       ` Paolo Bonzini
  2019-12-04 17:50     ` Dan Rue
  1 sibling, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-02 14:51 UTC (permalink / raw)
  To: Jack Wang
  Cc: linux-kernel, stable, Sean Christopherson, Jim Mattson,
	Paolo Bonzini, Sasha Levin

On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
> Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
> >
> > From: Sean Christopherson <sean.j.christopherson@intel.com>
> >
> > [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
> >
> > In preparation of supporting checkpoint/restore for nested state,
> > commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > modified check_vmentry_postreqs() to only perform the guest EFER
> > consistency checks when nested_run_pending is true.  But, in the
> > normal nested VMEntry flow, nested_run_pending is only set after
> > check_vmentry_postreqs(), i.e. the consistency check is being skipped.
> >
> > Alternatively, nested_run_pending could be set prior to calling
> > check_vmentry_postreqs() in nested_vmx_run(), but placing the
> > consistency checks in nested_vmx_enter_non_root_mode() allows us
> > to split prepare_vmcs02() and interleave the preparation with
> > the consistency checks without having to change the call sites
> > of nested_vmx_enter_non_root_mode().  In other words, the rest
> > of the consistency check code in nested_vmx_run() will be joining
> > the postreqs checks in future patches.
> >
> > Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > Cc: Jim Mattson <jmattson@google.com>
> > Reviewed-by: Jim Mattson <jmattson@google.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> >  arch/x86/kvm/vmx.c | 10 +++-------
> >  1 file changed, 3 insertions(+), 7 deletions(-)
> >
> > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> > index fe7fdd666f091..bdf019f322117 100644
> > --- a/arch/x86/kvm/vmx.c
> > +++ b/arch/x86/kvm/vmx.c
> > @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
> >         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
> >                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
> >
> > +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
> > +               return EXIT_REASON_INVALID_STATE;
> > +
> >         enter_guest_mode(vcpu);
> >
> >         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
> > @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
> >          */
> >         skip_emulated_instruction(vcpu);
> >
> > -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
> > -       if (ret) {
> > -               nested_vmx_entry_failure(vcpu, vmcs12,
> > -                                        EXIT_REASON_INVALID_STATE, exit_qual);
> > -               return 1;
> > -       }
> > -
> >         /*
> >          * We're finally done with prerequisite checking, and can start with
> >          * the nested entry.
> > --
> > 2.20.1
> >
> >
> >
> Hi all,
> 
> This commit caused many kvm-unit-tests regression, cherry-pick
> following commits from 4.20 fix the regression:
> d63907dc7dd1 ("KVM: nVMX: rename enter_vmx_non_root_mode to
> nested_vmx_enter_non_root_mode")
> a633e41e7362 ("KVM: nVMX: assimilate nested_vmx_entry_failure() into
> nested_vmx_enter_non_root_mode()")

Now queued up, thanks!

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-02 14:51     ` Greg Kroah-Hartman
@ 2019-12-02 15:09       ` Paolo Bonzini
  2019-12-02 16:06         ` Greg Kroah-Hartman
  2019-12-03  9:21         ` Jack Wang
  0 siblings, 2 replies; 359+ messages in thread
From: Paolo Bonzini @ 2019-12-02 15:09 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Jack Wang
  Cc: linux-kernel, stable, Sean Christopherson, Jim Mattson, Sasha Levin

On 02/12/19 15:51, Greg Kroah-Hartman wrote:
> On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
>> Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
>>>
>>> From: Sean Christopherson <sean.j.christopherson@intel.com>
>>>
>>> [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
>>>
>>> In preparation of supporting checkpoint/restore for nested state,
>>> commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
>>> modified check_vmentry_postreqs() to only perform the guest EFER
>>> consistency checks when nested_run_pending is true.  But, in the
>>> normal nested VMEntry flow, nested_run_pending is only set after
>>> check_vmentry_postreqs(), i.e. the consistency check is being skipped.
>>>
>>> Alternatively, nested_run_pending could be set prior to calling
>>> check_vmentry_postreqs() in nested_vmx_run(), but placing the
>>> consistency checks in nested_vmx_enter_non_root_mode() allows us
>>> to split prepare_vmcs02() and interleave the preparation with
>>> the consistency checks without having to change the call sites
>>> of nested_vmx_enter_non_root_mode().  In other words, the rest
>>> of the consistency check code in nested_vmx_run() will be joining
>>> the postreqs checks in future patches.
>>>
>>> Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
>>> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
>>> Cc: Jim Mattson <jmattson@google.com>
>>> Reviewed-by: Jim Mattson <jmattson@google.com>
>>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>>> ---
>>>  arch/x86/kvm/vmx.c | 10 +++-------
>>>  1 file changed, 3 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>> index fe7fdd666f091..bdf019f322117 100644
>>> --- a/arch/x86/kvm/vmx.c
>>> +++ b/arch/x86/kvm/vmx.c
>>> @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
>>>         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
>>>                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
>>>
>>> +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
>>> +               return EXIT_REASON_INVALID_STATE;
>>> +
>>>         enter_guest_mode(vcpu);
>>>
>>>         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
>>> @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
>>>          */
>>>         skip_emulated_instruction(vcpu);
>>>
>>> -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
>>> -       if (ret) {
>>> -               nested_vmx_entry_failure(vcpu, vmcs12,
>>> -                                        EXIT_REASON_INVALID_STATE, exit_qual);
>>> -               return 1;
>>> -       }
>>> -
>>>         /*
>>>          * We're finally done with prerequisite checking, and can start with
>>>          * the nested entry.
>>> --
>>> 2.20.1
>>>
>>>
>>>
>> Hi all,
>>
>> This commit caused many kvm-unit-tests regression, cherry-pick
>> following commits from 4.20 fix the regression:
>> d63907dc7dd1 ("KVM: nVMX: rename enter_vmx_non_root_mode to
>> nested_vmx_enter_non_root_mode")
>> a633e41e7362 ("KVM: nVMX: assimilate nested_vmx_entry_failure() into
>> nested_vmx_enter_non_root_mode()")
> 
> Now queued up, thanks!
> 
> greg k-h
> 

Why was it backported anyway?  Can everybody please just stop applying
KVM patches to stable kernels unless CCed to stable@vger.kernel.org?

I thought I had already asked Sasha to opt out of the autoselect
nonsense after catching another bug that would have been introduced.

Paolo


^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-02 15:09       ` Paolo Bonzini
@ 2019-12-02 16:06         ` Greg Kroah-Hartman
  2019-12-03  9:21         ` Jack Wang
  1 sibling, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-02 16:06 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: Jack Wang, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Sasha Levin

On Mon, Dec 02, 2019 at 04:09:33PM +0100, Paolo Bonzini wrote:
> On 02/12/19 15:51, Greg Kroah-Hartman wrote:
> > On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
> >> Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
> >>>
> >>> From: Sean Christopherson <sean.j.christopherson@intel.com>
> >>>
> >>> [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
> >>>
> >>> In preparation of supporting checkpoint/restore for nested state,
> >>> commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> >>> modified check_vmentry_postreqs() to only perform the guest EFER
> >>> consistency checks when nested_run_pending is true.  But, in the
> >>> normal nested VMEntry flow, nested_run_pending is only set after
> >>> check_vmentry_postreqs(), i.e. the consistency check is being skipped.
> >>>
> >>> Alternatively, nested_run_pending could be set prior to calling
> >>> check_vmentry_postreqs() in nested_vmx_run(), but placing the
> >>> consistency checks in nested_vmx_enter_non_root_mode() allows us
> >>> to split prepare_vmcs02() and interleave the preparation with
> >>> the consistency checks without having to change the call sites
> >>> of nested_vmx_enter_non_root_mode().  In other words, the rest
> >>> of the consistency check code in nested_vmx_run() will be joining
> >>> the postreqs checks in future patches.
> >>>
> >>> Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> >>> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> >>> Cc: Jim Mattson <jmattson@google.com>
> >>> Reviewed-by: Jim Mattson <jmattson@google.com>
> >>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> >>> Signed-off-by: Sasha Levin <sashal@kernel.org>
> >>> ---
> >>>  arch/x86/kvm/vmx.c | 10 +++-------
> >>>  1 file changed, 3 insertions(+), 7 deletions(-)
> >>>
> >>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> >>> index fe7fdd666f091..bdf019f322117 100644
> >>> --- a/arch/x86/kvm/vmx.c
> >>> +++ b/arch/x86/kvm/vmx.c
> >>> @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
> >>>         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
> >>>                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
> >>>
> >>> +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
> >>> +               return EXIT_REASON_INVALID_STATE;
> >>> +
> >>>         enter_guest_mode(vcpu);
> >>>
> >>>         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
> >>> @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
> >>>          */
> >>>         skip_emulated_instruction(vcpu);
> >>>
> >>> -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
> >>> -       if (ret) {
> >>> -               nested_vmx_entry_failure(vcpu, vmcs12,
> >>> -                                        EXIT_REASON_INVALID_STATE, exit_qual);
> >>> -               return 1;
> >>> -       }
> >>> -
> >>>         /*
> >>>          * We're finally done with prerequisite checking, and can start with
> >>>          * the nested entry.
> >>> --
> >>> 2.20.1
> >>>
> >>>
> >>>
> >> Hi all,
> >>
> >> This commit caused many kvm-unit-tests regression, cherry-pick
> >> following commits from 4.20 fix the regression:
> >> d63907dc7dd1 ("KVM: nVMX: rename enter_vmx_non_root_mode to
> >> nested_vmx_enter_non_root_mode")
> >> a633e41e7362 ("KVM: nVMX: assimilate nested_vmx_entry_failure() into
> >> nested_vmx_enter_non_root_mode()")
> > 
> > Now queued up, thanks!
> > 
> > greg k-h
> > 
> 
> Why was it backported anyway?  Can everybody please just stop applying
> KVM patches to stable kernels unless CCed to stable@vger.kernel.org?
> 
> I thought I had already asked Sasha to opt out of the autoselect
> nonsense after catching another bug that would have been introduced.

Sasha, can you add kvm code to the blacklist?  Odds are the fact that
this is burried down in arch/x86/ it didn't get caught by the blacklist.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-02 15:09       ` Paolo Bonzini
  2019-12-02 16:06         ` Greg Kroah-Hartman
@ 2019-12-03  9:21         ` Jack Wang
  2019-12-03  9:31           ` Paolo Bonzini
  1 sibling, 1 reply; 359+ messages in thread
From: Jack Wang @ 2019-12-03  9:21 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Sasha Levin

Paolo Bonzini <pbonzini@redhat.com> 于2019年12月2日周一 下午4:09写道:
>
> On 02/12/19 15:51, Greg Kroah-Hartman wrote:
> > On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
> >> Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
> >>>
> >>> From: Sean Christopherson <sean.j.christopherson@intel.com>
> >>>
> >>> [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
> >>>
> >>> In preparation of supporting checkpoint/restore for nested state,
> >>> commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> >>> modified check_vmentry_postreqs() to only perform the guest EFER
> >>> consistency checks when nested_run_pending is true.  But, in the
> >>> normal nested VMEntry flow, nested_run_pending is only set after
> >>> check_vmentry_postreqs(), i.e. the consistency check is being skipped.
> >>>
> >>> Alternatively, nested_run_pending could be set prior to calling
> >>> check_vmentry_postreqs() in nested_vmx_run(), but placing the
> >>> consistency checks in nested_vmx_enter_non_root_mode() allows us
> >>> to split prepare_vmcs02() and interleave the preparation with
> >>> the consistency checks without having to change the call sites
> >>> of nested_vmx_enter_non_root_mode().  In other words, the rest
> >>> of the consistency check code in nested_vmx_run() will be joining
> >>> the postreqs checks in future patches.
> >>>
> >>> Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> >>> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> >>> Cc: Jim Mattson <jmattson@google.com>
> >>> Reviewed-by: Jim Mattson <jmattson@google.com>
> >>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> >>> Signed-off-by: Sasha Levin <sashal@kernel.org>
> >>> ---
> >>>  arch/x86/kvm/vmx.c | 10 +++-------
> >>>  1 file changed, 3 insertions(+), 7 deletions(-)
> >>>
> >>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> >>> index fe7fdd666f091..bdf019f322117 100644
> >>> --- a/arch/x86/kvm/vmx.c
> >>> +++ b/arch/x86/kvm/vmx.c
> >>> @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
> >>>         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
> >>>                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
> >>>
> >>> +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
> >>> +               return EXIT_REASON_INVALID_STATE;
> >>> +
> >>>         enter_guest_mode(vcpu);
> >>>
> >>>         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
> >>> @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
> >>>          */
> >>>         skip_emulated_instruction(vcpu);
> >>>
> >>> -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
> >>> -       if (ret) {
> >>> -               nested_vmx_entry_failure(vcpu, vmcs12,
> >>> -                                        EXIT_REASON_INVALID_STATE, exit_qual);
> >>> -               return 1;
> >>> -       }
> >>> -
> >>>         /*
> >>>          * We're finally done with prerequisite checking, and can start with
> >>>          * the nested entry.
> >>> --
> >>> 2.20.1
> >>>
> >>>
> >>>
> >> Hi all,
> >>
> >> This commit caused many kvm-unit-tests regression, cherry-pick
> >> following commits from 4.20 fix the regression:
> >> d63907dc7dd1 ("KVM: nVMX: rename enter_vmx_non_root_mode to
> >> nested_vmx_enter_non_root_mode")
> >> a633e41e7362 ("KVM: nVMX: assimilate nested_vmx_entry_failure() into
> >> nested_vmx_enter_non_root_mode()")
> >
> > Now queued up, thanks!
> >
> > greg k-h
> >
>
> Why was it backported anyway?  Can everybody please just stop applying
> KVM patches to stable kernels unless CCed to stable@vger.kernel.org?
>
> I thought I had already asked Sasha to opt out of the autoselect
> nonsense after catching another bug that would have been introduced.
>
> Paolo
>
Hi Paolo,

Should we simply revert the patch, maybe also
9fe573d539a8 ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")

Both of them are from one big patchset:
https://patchwork.kernel.org/cover/10616179/

Revert both patches recover the regression I see on kvm-unit-tests.

Thanks,
Jack Wang

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-03  9:21         ` Jack Wang
@ 2019-12-03  9:31           ` Paolo Bonzini
  2019-12-03 12:27             ` Jack Wang
  0 siblings, 1 reply; 359+ messages in thread
From: Paolo Bonzini @ 2019-12-03  9:31 UTC (permalink / raw)
  To: Jack Wang
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Sasha Levin

On 03/12/19 10:21, Jack Wang wrote:
> Paolo Bonzini <pbonzini@redhat.com> 于2019年12月2日周一 下午4:09写道:
>>
>> On 02/12/19 15:51, Greg Kroah-Hartman wrote:
>>> On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
>>>> Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
>>>>>
>>>>> From: Sean Christopherson <sean.j.christopherson@intel.com>
>>>>>
>>>>> [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
>>>>>
>>>>> In preparation of supporting checkpoint/restore for nested state,
>>>>> commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
>>>>> modified check_vmentry_postreqs() to only perform the guest EFER
>>>>> consistency checks when nested_run_pending is true.  But, in the
>>>>> normal nested VMEntry flow, nested_run_pending is only set after
>>>>> check_vmentry_postreqs(), i.e. the consistency check is being skipped.
>>>>>
>>>>> Alternatively, nested_run_pending could be set prior to calling
>>>>> check_vmentry_postreqs() in nested_vmx_run(), but placing the
>>>>> consistency checks in nested_vmx_enter_non_root_mode() allows us
>>>>> to split prepare_vmcs02() and interleave the preparation with
>>>>> the consistency checks without having to change the call sites
>>>>> of nested_vmx_enter_non_root_mode().  In other words, the rest
>>>>> of the consistency check code in nested_vmx_run() will be joining
>>>>> the postreqs checks in future patches.
>>>>>
>>>>> Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
>>>>> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
>>>>> Cc: Jim Mattson <jmattson@google.com>
>>>>> Reviewed-by: Jim Mattson <jmattson@google.com>
>>>>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>>>>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>>>>> ---
>>>>>  arch/x86/kvm/vmx.c | 10 +++-------
>>>>>  1 file changed, 3 insertions(+), 7 deletions(-)
>>>>>
>>>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>>> index fe7fdd666f091..bdf019f322117 100644
>>>>> --- a/arch/x86/kvm/vmx.c
>>>>> +++ b/arch/x86/kvm/vmx.c
>>>>> @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
>>>>>         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
>>>>>                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
>>>>>
>>>>> +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
>>>>> +               return EXIT_REASON_INVALID_STATE;
>>>>> +
>>>>>         enter_guest_mode(vcpu);
>>>>>
>>>>>         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
>>>>> @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
>>>>>          */
>>>>>         skip_emulated_instruction(vcpu);
>>>>>
>>>>> -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
>>>>> -       if (ret) {
>>>>> -               nested_vmx_entry_failure(vcpu, vmcs12,
>>>>> -                                        EXIT_REASON_INVALID_STATE, exit_qual);
>>>>> -               return 1;
>>>>> -       }
>>>>> -
>>>>>         /*
>>>>>          * We're finally done with prerequisite checking, and can start with
>>>>>          * the nested entry.
>>>>> --
>>>>> 2.20.1
>>>>>
>>>>>
>>>>>
>>>> Hi all,
>>>>
>>>> This commit caused many kvm-unit-tests regression, cherry-pick
>>>> following commits from 4.20 fix the regression:
>>>> d63907dc7dd1 ("KVM: nVMX: rename enter_vmx_non_root_mode to
>>>> nested_vmx_enter_non_root_mode")
>>>> a633e41e7362 ("KVM: nVMX: assimilate nested_vmx_entry_failure() into
>>>> nested_vmx_enter_non_root_mode()")
>>>
>>> Now queued up, thanks!
>>>
>>> greg k-h
>>>
>>
>> Why was it backported anyway?  Can everybody please just stop applying
>> KVM patches to stable kernels unless CCed to stable@vger.kernel.org?
>>
>> I thought I had already asked Sasha to opt out of the autoselect
>> nonsense after catching another bug that would have been introduced.
>>
>> Paolo
>>
> Hi Paolo,
> 
> Should we simply revert the patch, maybe also
> 9fe573d539a8 ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
> 
> Both of them are from one big patchset:
> https://patchwork.kernel.org/cover/10616179/
> 
> Revert both patches recover the regression I see on kvm-unit-tests.

Greg already included the patches that the bot missed, so it's okay.

Paolo


^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 211/306] media: ov13858: Check for possible null pointer
  2019-11-27 20:31 ` [PATCH 4.19 211/306] media: ov13858: Check for possible null pointer Greg Kroah-Hartman
@ 2019-12-03 10:22   ` Pavel Machek
  2019-12-03 10:31     ` Sakari Ailus
  0 siblings, 1 reply; 359+ messages in thread
From: Pavel Machek @ 2019-12-03 10:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Chiranjeevi Rapolu, Sakari Ailus,
	Mauro Carvalho Chehab, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1125 bytes --]

Hi!

> From: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
> 
> [ Upstream commit 35629182eb8f931b0de6ed38c0efac58e922c801 ]
> 
> Check for possible null pointer to avoid crash.

> diff --git a/drivers/media/i2c/ov13858.c b/drivers/media/i2c/ov13858.c
> index 0e7a85c4996c7..afd66d243403b 100644
> --- a/drivers/media/i2c/ov13858.c
> +++ b/drivers/media/i2c/ov13858.c
> @@ -1612,7 +1612,8 @@ static int ov13858_init_controls(struct ov13858 *ov13858)
>  				OV13858_NUM_OF_LINK_FREQS - 1,
>  				0,
>  				link_freq_menu_items);
> -	ov13858->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY;
> +	if (ov13858->link_freq)
> +		ov13858->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY;
>  
>  	pixel_rate_max = link_freq_to_pixel_rate(link_freq_menu_items[0]);
>  	pixel_rate_min =

I don't think this is right fix. If ov13858->link_freq initialization
fails, we want to fail the initialization, not present
half-initialized device to userland, no?

									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 211/306] media: ov13858: Check for possible null pointer
  2019-12-03 10:22   ` Pavel Machek
@ 2019-12-03 10:31     ` Sakari Ailus
  0 siblings, 0 replies; 359+ messages in thread
From: Sakari Ailus @ 2019-12-03 10:31 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Chiranjeevi Rapolu,
	Mauro Carvalho Chehab, Sasha Levin

Hi Pavel,

On Tue, Dec 03, 2019 at 11:22:50AM +0100, Pavel Machek wrote:
> Hi!
> 
> > From: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
> > 
> > [ Upstream commit 35629182eb8f931b0de6ed38c0efac58e922c801 ]
> > 
> > Check for possible null pointer to avoid crash.
> 
> > diff --git a/drivers/media/i2c/ov13858.c b/drivers/media/i2c/ov13858.c
> > index 0e7a85c4996c7..afd66d243403b 100644
> > --- a/drivers/media/i2c/ov13858.c
> > +++ b/drivers/media/i2c/ov13858.c
> > @@ -1612,7 +1612,8 @@ static int ov13858_init_controls(struct ov13858 *ov13858)
> >  				OV13858_NUM_OF_LINK_FREQS - 1,
> >  				0,
> >  				link_freq_menu_items);
> > -	ov13858->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY;
> > +	if (ov13858->link_freq)
> > +		ov13858->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY;
> >  
> >  	pixel_rate_max = link_freq_to_pixel_rate(link_freq_menu_items[0]);
> >  	pixel_rate_min =
> 
> I don't think this is right fix. If ov13858->link_freq initialization
> fails, we want to fail the initialization, not present
> half-initialized device to userland, no?

The patch fixes the problem. The rest could be debated, but LMML is the
right place for that debate.

-- 
Regard,s

Sakari Ailus

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-03  9:31           ` Paolo Bonzini
@ 2019-12-03 12:27             ` Jack Wang
  2019-12-03 12:52               ` Paolo Bonzini
  0 siblings, 1 reply; 359+ messages in thread
From: Jack Wang @ 2019-12-03 12:27 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Sasha Levin

snip
> >
> > Should we simply revert the patch, maybe also
> > 9fe573d539a8 ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
> >
> > Both of them are from one big patchset:
> > https://patchwork.kernel.org/cover/10616179/
> >
> > Revert both patches recover the regression I see on kvm-unit-tests.
>
> Greg already included the patches that the bot missed, so it's okay.
>
> Paolo
>
Sorry, I think I gave wrong information initially, it's 9fe573d539a8
("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
which caused regression.

Should we revert or there's following up fix we should backport?

Thanks,
Jack

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting
  2019-11-29 22:24       ` Pavel Machek
@ 2019-12-03 12:27         ` Greg Kroah-Hartman
  0 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-03 12:27 UTC (permalink / raw)
  To: Pavel Machek
  Cc: linux-kernel, stable, Huazhong Tan, David S. Miller, Sasha Levin

On Fri, Nov 29, 2019 at 11:24:01PM +0100, Pavel Machek wrote:
> Hi!
> 
> > > > From: Huazhong Tan <tanhuazhong@huawei.com>
> > > > 
> > > > [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
> > > > 
> > > > When hns3_get_ring_config()/hns3_queue_to_ring()/
> > > > hns3_get_vector_ring_chain() failed during resetting, the allocated
> > > > memory has not been freed before these three functions return. So
> > > > this patch adds error handler in these functions to fix it.
> > > 
> > > Correct me if I'm wrong, but... this introduces use-after-free:
> > > Should it do devm_kfree(&pdev->dev, cur_chain); ?
> > 
> > I think Sasha tried to backport a fix for this patch, but that fix broke
> > the build :(
> > 
> > If you want to provide a working backport, I'll be glad to take it.
> 
> Actually it looks like problem originated in mainline, and there was
> more than one problem with this patch.
> 
> cda69d244585bc4497d3bb878c22fe2b6ad647c1 should fix it; it needs to be
> back-ported, too.

Yes, that is the one, can you provide a working backport for this?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-03 12:27             ` Jack Wang
@ 2019-12-03 12:52               ` Paolo Bonzini
  2019-12-03 19:16                 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 359+ messages in thread
From: Paolo Bonzini @ 2019-12-03 12:52 UTC (permalink / raw)
  To: Jack Wang
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Sasha Levin

On 03/12/19 13:27, Jack Wang wrote:
>>> Should we simply revert the patch, maybe also
>>> 9fe573d539a8 ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
>>>
>>> Both of them are from one big patchset:
>>> https://patchwork.kernel.org/cover/10616179/
>>>
>>> Revert both patches recover the regression I see on kvm-unit-tests.
>> Greg already included the patches that the bot missed, so it's okay.
>>
>> Paolo
>>
> Sorry, I think I gave wrong information initially, it's 9fe573d539a8
> ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
> which caused regression.
> 
> Should we revert or there's following up fix we should backport?

Hmm, let's revert all four.  This one, the two follow-ups and 9fe573d539a8.

Paolo


^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-03 12:52               ` Paolo Bonzini
@ 2019-12-03 19:16                 ` Greg Kroah-Hartman
  2019-12-04 11:42                   ` Paolo Bonzini
  0 siblings, 1 reply; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-03 19:16 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: Jack Wang, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Sasha Levin

On Tue, Dec 03, 2019 at 01:52:47PM +0100, Paolo Bonzini wrote:
> On 03/12/19 13:27, Jack Wang wrote:
> >>> Should we simply revert the patch, maybe also
> >>> 9fe573d539a8 ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
> >>>
> >>> Both of them are from one big patchset:
> >>> https://patchwork.kernel.org/cover/10616179/
> >>>
> >>> Revert both patches recover the regression I see on kvm-unit-tests.
> >> Greg already included the patches that the bot missed, so it's okay.
> >>
> >> Paolo
> >>
> > Sorry, I think I gave wrong information initially, it's 9fe573d539a8
> > ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
> > which caused regression.
> > 
> > Should we revert or there's following up fix we should backport?
> 
> Hmm, let's revert all four.  This one, the two follow-ups and 9fe573d539a8.

4?  I see three patches here, the 2 follow-up patches that I applied to
the queue, and the "original" backport of b7031fd40fcc ("KVM: nVMX:
reset cache/shadows when switching loaded VMCS") which showed up in the
4.14.157 and 4.19.87 kernels.

confused,

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-03 19:16                 ` Greg Kroah-Hartman
@ 2019-12-04 11:42                   ` Paolo Bonzini
  2019-12-05  7:46                     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 359+ messages in thread
From: Paolo Bonzini @ 2019-12-04 11:42 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Jack Wang, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Sasha Levin

On 03/12/19 20:16, Greg Kroah-Hartman wrote:
> On Tue, Dec 03, 2019 at 01:52:47PM +0100, Paolo Bonzini wrote:
>> On 03/12/19 13:27, Jack Wang wrote:
>>>>> Should we simply revert the patch, maybe also
>>>>> 9fe573d539a8 ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
>>>>>
>>>>> Both of them are from one big patchset:
>>>>> https://patchwork.kernel.org/cover/10616179/
>>>>>
>>>>> Revert both patches recover the regression I see on kvm-unit-tests.
>>>> Greg already included the patches that the bot missed, so it's okay.
>>>>
>>>> Paolo
>>>>
>>> Sorry, I think I gave wrong information initially, it's 9fe573d539a8
>>> ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
>>> which caused regression.
>>>
>>> Should we revert or there's following up fix we should backport?
>>
>> Hmm, let's revert all four.  This one, the two follow-ups and 9fe573d539a8.
> 
> 4?  I see three patches here, the 2 follow-up patches that I applied to
> the queue, and the "original" backport of b7031fd40fcc ("KVM: nVMX:
> reset cache/shadows when switching loaded VMCS") which showed up in the
> 4.14.157 and 4.19.87 kernels.

The fourth is commit 9fe573d539a8 ("KVM: nVMX: reset cache/shadows when
switching loaded VMCS"), which was also autoselected.

Paolo


^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 187/306] net: hns3: bugfix for is_valid_csq_clean_head()
  2019-11-27 20:30 ` [PATCH 4.19 187/306] net: hns3: bugfix for is_valid_csq_clean_head() Greg Kroah-Hartman
@ 2019-12-04 12:38   ` Pavel Machek
  0 siblings, 0 replies; 359+ messages in thread
From: Pavel Machek @ 2019-12-04 12:38 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Huazhong Tan, David S. Miller, Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1179 bytes --]

Hi!

> From: Huazhong Tan <tanhuazhong@huawei.com>
> 
> [ Upstream commit 6d71ec6cbf74ac9c2823ef751b1baa5b889bb3ac ]
> 
> The HEAD pointer of the hardware command queue maybe equal to the command
> queue's next_to_use in the driver, so that does not belong to the invalid
> HEAD pointer, since the hardware may not process the command in time,
> causing the HEAD pointer to be too late to update. The variables' name
> in this function is unreadable, so give them a more readable one.
> 

> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
> @@ -24,15 +24,15 @@ static int hclge_ring_space(struct hclge_cmq_ring *ring)
>  	return ring->desc_num - used - 1;
>  }
>  
> -static int is_valid_csq_clean_head(struct hclge_cmq_ring *ring, int h)
> +static int is_valid_csq_clean_head(struct hclge_cmq_ring *ring, int head)
>  {
...
> -	if (unlikely(h >= ring->desc_num))
> -		return 0;

This sanity check was removed, and it is not mentioned in the
changelog. Is it intended?

Best regards,
							Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-02 14:40   ` Jack Wang
  2019-12-02 14:51     ` Greg Kroah-Hartman
@ 2019-12-04 17:50     ` Dan Rue
  2019-12-05  9:51       ` Jack Wang
  1 sibling, 1 reply; 359+ messages in thread
From: Dan Rue @ 2019-12-04 17:50 UTC (permalink / raw)
  To: Jack Wang
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Paolo Bonzini, Sasha Levin

On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
> Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
> >
> > From: Sean Christopherson <sean.j.christopherson@intel.com>
> >
> > [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
> >
> > In preparation of supporting checkpoint/restore for nested state,
> > commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > modified check_vmentry_postreqs() to only perform the guest EFER
> > consistency checks when nested_run_pending is true.  But, in the
> > normal nested VMEntry flow, nested_run_pending is only set after
> > check_vmentry_postreqs(), i.e. the consistency check is being skipped.
> >
> > Alternatively, nested_run_pending could be set prior to calling
> > check_vmentry_postreqs() in nested_vmx_run(), but placing the
> > consistency checks in nested_vmx_enter_non_root_mode() allows us
> > to split prepare_vmcs02() and interleave the preparation with
> > the consistency checks without having to change the call sites
> > of nested_vmx_enter_non_root_mode().  In other words, the rest
> > of the consistency check code in nested_vmx_run() will be joining
> > the postreqs checks in future patches.
> >
> > Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > Cc: Jim Mattson <jmattson@google.com>
> > Reviewed-by: Jim Mattson <jmattson@google.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> >  arch/x86/kvm/vmx.c | 10 +++-------
> >  1 file changed, 3 insertions(+), 7 deletions(-)
> >
> > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> > index fe7fdd666f091..bdf019f322117 100644
> > --- a/arch/x86/kvm/vmx.c
> > +++ b/arch/x86/kvm/vmx.c
> > @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
> >         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
> >                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
> >
> > +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
> > +               return EXIT_REASON_INVALID_STATE;
> > +
> >         enter_guest_mode(vcpu);
> >
> >         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
> > @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
> >          */
> >         skip_emulated_instruction(vcpu);
> >
> > -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
> > -       if (ret) {
> > -               nested_vmx_entry_failure(vcpu, vmcs12,
> > -                                        EXIT_REASON_INVALID_STATE, exit_qual);
> > -               return 1;
> > -       }
> > -
> >         /*
> >          * We're finally done with prerequisite checking, and can start with
> >          * the nested entry.
> > --
> > 2.20.1
> >
> >
> >
> Hi all,
> 
> This commit caused many kvm-unit-tests regression, cherry-pick
> following commits from 4.20 fix the regression:

Hi Jack - can you be more specific about the failing tests? What type of
environment and which tests failed, which version of kvm-unit-tests? Do
you have any logs available? I ask because we do run kvm-unit-tests on
x86 and arm64 but we did not see these regressions.

Thanks,
Dan

> d63907dc7dd1 ("KVM: nVMX: rename enter_vmx_non_root_mode to
> nested_vmx_enter_non_root_mode")
> a633e41e7362 ("KVM: nVMX: assimilate nested_vmx_entry_failure() into
> nested_vmx_enter_non_root_mode()")
> 
> Regards,
> Jack Wang
> 1 & 1 IONOS SE

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-04 11:42                   ` Paolo Bonzini
@ 2019-12-05  7:46                     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-05  7:46 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: Jack Wang, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Sasha Levin

On Wed, Dec 04, 2019 at 12:42:06PM +0100, Paolo Bonzini wrote:
> On 03/12/19 20:16, Greg Kroah-Hartman wrote:
> > On Tue, Dec 03, 2019 at 01:52:47PM +0100, Paolo Bonzini wrote:
> >> On 03/12/19 13:27, Jack Wang wrote:
> >>>>> Should we simply revert the patch, maybe also
> >>>>> 9fe573d539a8 ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
> >>>>>
> >>>>> Both of them are from one big patchset:
> >>>>> https://patchwork.kernel.org/cover/10616179/
> >>>>>
> >>>>> Revert both patches recover the regression I see on kvm-unit-tests.
> >>>> Greg already included the patches that the bot missed, so it's okay.
> >>>>
> >>>> Paolo
> >>>>
> >>> Sorry, I think I gave wrong information initially, it's 9fe573d539a8
> >>> ("KVM: nVMX: reset cache/shadows when switching loaded VMCS")
> >>> which caused regression.
> >>>
> >>> Should we revert or there's following up fix we should backport?
> >>
> >> Hmm, let's revert all four.  This one, the two follow-ups and 9fe573d539a8.
> > 
> > 4?  I see three patches here, the 2 follow-up patches that I applied to
> > the queue, and the "original" backport of b7031fd40fcc ("KVM: nVMX:
> > reset cache/shadows when switching loaded VMCS") which showed up in the
> > 4.14.157 and 4.19.87 kernels.
> 
> The fourth is commit 9fe573d539a8 ("KVM: nVMX: reset cache/shadows when
> switching loaded VMCS"), which was also autoselected.

Ah, thanks, I missed that.  Should all now be fixed up here, and in the
4.14.y tree.

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-04 17:50     ` Dan Rue
@ 2019-12-05  9:51       ` Jack Wang
  2019-12-05 20:52         ` Dan Rue
  0 siblings, 1 reply; 359+ messages in thread
From: Jack Wang @ 2019-12-05  9:51 UTC (permalink / raw)
  To: Jack Wang, Greg Kroah-Hartman, linux-kernel, stable,
	Sean Christopherson, Jim Mattson, Paolo Bonzini, Sasha Levin

Dan Rue <dan.rue@linaro.org> 于2019年12月4日周三 下午6:50写道:
>
> On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
> > Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
> > >
> > > From: Sean Christopherson <sean.j.christopherson@intel.com>
> > >
> > > [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
> > >
> > > In preparation of supporting checkpoint/restore for nested state,
> > > commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > > modified check_vmentry_postreqs() to only perform the guest EFER
> > > consistency checks when nested_run_pending is true.  But, in the
> > > normal nested VMEntry flow, nested_run_pending is only set after
> > > check_vmentry_postreqs(), i.e. the consistency check is being skipped.
> > >
> > > Alternatively, nested_run_pending could be set prior to calling
> > > check_vmentry_postreqs() in nested_vmx_run(), but placing the
> > > consistency checks in nested_vmx_enter_non_root_mode() allows us
> > > to split prepare_vmcs02() and interleave the preparation with
> > > the consistency checks without having to change the call sites
> > > of nested_vmx_enter_non_root_mode().  In other words, the rest
> > > of the consistency check code in nested_vmx_run() will be joining
> > > the postreqs checks in future patches.
> > >
> > > Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > > Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > > Cc: Jim Mattson <jmattson@google.com>
> > > Reviewed-by: Jim Mattson <jmattson@google.com>
> > > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > > ---
> > >  arch/x86/kvm/vmx.c | 10 +++-------
> > >  1 file changed, 3 insertions(+), 7 deletions(-)
> > >
> > > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> > > index fe7fdd666f091..bdf019f322117 100644
> > > --- a/arch/x86/kvm/vmx.c
> > > +++ b/arch/x86/kvm/vmx.c
> > > @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
> > >         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
> > >                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
> > >
> > > +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
> > > +               return EXIT_REASON_INVALID_STATE;
> > > +
> > >         enter_guest_mode(vcpu);
> > >
> > >         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
> > > @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
> > >          */
> > >         skip_emulated_instruction(vcpu);
> > >
> > > -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
> > > -       if (ret) {
> > > -               nested_vmx_entry_failure(vcpu, vmcs12,
> > > -                                        EXIT_REASON_INVALID_STATE, exit_qual);
> > > -               return 1;
> > > -       }
> > > -
> > >         /*
> > >          * We're finally done with prerequisite checking, and can start with
> > >          * the nested entry.
> > > --
> > > 2.20.1
> > >
> > >
> > >
> > Hi all,
> >
> > This commit caused many kvm-unit-tests regression, cherry-pick
> > following commits from 4.20 fix the regression:
>
> Hi Jack - can you be more specific about the failing tests? What type of
> environment and which tests failed, which version of kvm-unit-tests? Do
> you have any logs available? I ask because we do run kvm-unit-tests on
> x86 and arm64 but we did not see these regressions.
>
> Thanks,
> Dan
>
Hi Dan,

I'm running at kvm-unit-tests commit b1414c5f0142 ("x86: vmx: fix
required alignment for posted interrupt descriptor")

using "run_tests.sh -a -t -j8" with qemu-2.7.1

Left side has only 78 tests ok, and right side has 112 tests ok.
root@ib1:/home/gkim/pb-ltp/install/results# diff
kvm-unit-test--2019_12_02-13h_13m_50s.log
kvm-unit-test--2019_12_02-02h_12m_26s.log
2d1
< ok smptest
6c5
< ok vmexit_vmcall
---
> ok smptest
7a7
> ok vmexit_vmcall
10d9
< ok vmexit_ipi
11a11,12
> ok vmexit_ipi
> ok vmexit_tscdeadline
14d14
< ok vmexit_tscdeadline
16,18c16
< ok vmexit_tscdeadline_immed
< ok pku # SKIP
< ok emulator
---
> ok hypercall
19a18,19
> ok emulator
> ok pku # SKIP
21c21
< ok hypercall
---
> ok vmexit_tscdeadline_immed
27a28
> ok apic
29d29
< ok apic-split
31c31
< ok s3
---
> ok xsave
34d33
< ok xsave
35a35
> ok apic-split
37d36
< ok apic
38a38
> ok s3
40c40
< not ok vmx_null
---
> ok vmx_null
42d41
< not ok vmx
44d42
< ok vmx_test_vmptrld
45a44
> ok vmx_test_vmptrld
48d46
< ok access
50c48
< ok vmx_test_vmcs_lifecycle
---
> ok access
52c50,51
< not ok vmx_vmenter
---
> ok vmx_test_vmcs_lifecycle
> ok vmx_vmenter
54,72c53,72
< not ok vmx_preemption_timer
< not ok vmx_control_field_PAT
< not ok vmx_control_field_EFER
< not ok vmx_CR_shadowing
< not ok vmx_IO_bitmap
< not ok vmx_instruction_intercept
< not ok vmx_EPT_AD_disabled
< not ok vmx_EPT_AD_enabled
< not ok vmx_PML
< not ok vmx_VPID
< not ok vmx_interrupt
< not ok vmx_debug_controls
< not ok vmx_vmmcall
< not ok vmx_MSR_switch
< not ok vmx_disable_RDTSCP
< not ok vmx_int3
< not ok vmx_into
< not ok vmx_exit_monitor_from_l2_test
< not ok vmx_v2
---
> ok vmx_control_field_PAT
> ok vmx_control_field_EFER
> ok vmx_CR_shadowing
> ok vmx_preemption_timer
> ok vmx_IO_bitmap
> ok vmx_instruction_intercept
> ok kvmclock_test
> ok vmx_EPT_AD_disabled
> ok vmx_PML
> ok vmx_EPT_AD_enabled
> ok vmx_VPID
> ok vmx_interrupt
> ok vmx_debug_controls
> ok vmx_MSR_switch
> ok vmx_disable_RDTSCP
> ok vmx_vmmcall
> ok vmx_int3
> ok vmx_into
> ok vmx_v2
> ok vmx_exit_monitor_from_l2_test
80d79
< ok vmx_ept_access_test_reserved_bits # SKIP
82c81
< ok vmx_ept_access_test_paddr_not_present_ad_disabled # SKIP
---
> ok vmx_ept_access_test_reserved_bits # SKIP
85c84
< ok kvmclock_test
---
> ok vmx_ept_access_test_paddr_not_present_ad_disabled # SKIP
87d85
< ok vmx_ept_access_test_paddr_read_write # SKIP
88a87,88
> ok vmx_ept_access_test_paddr_read_write # SKIP
> ok vmx_ept_access_test_paddr_read_execute_ad_enabled # SKIP
91,92d90
< ok vmx_ept_access_test_paddr_read_execute_ad_enabled # SKIP
< ok vmx_ept_access_test_paddr_not_present_page_fault # SKIP
94,95c92,95
< not ok vmx_vmentry_movss_shadow_test
< not ok vmx_cr_load_test
---
> ok vmx_ept_access_test_paddr_not_present_page_fault # SKIP
> ok vmx_vmentry_movss_shadow_test
> ok vmx_cr_load_test
> ok vmx_nm_test
97,104c97,102
< not ok vmx_nm_test
< not ok vmx_pending_event_test
< not ok vmx_pending_event_hlt_test
< not ok vmx_store_tsc_test
< not ok vmx_store_tsc_test
< not ok vmx_db_test
< not ok vmx_nmi_window_test
< not ok vmx_intr_window_test
---
> ok vmx_pending_event_test
> ok vmx_pending_event_hlt_test
> ok vmx_store_tsc_test
> ok vmx_store_tsc_test
> ok vmx_db_test
> ok vmx_nmi_window_test
107,109c105,108
< not ok vmx_apic_passthrough
< not ok vmx_vmcs_shadow_test
< not ok vmx_apic_passthrough_thread
---
> ok vmx_intr_window_test
> ok vmx_apic_passthrough
> ok vmx_apic_passthrough_thread
> not ok vmx_controls
111d109
< not ok intel_iommu
113c111
< not ok vmx_controls
---
> not ok intel_iommu
117a116,117
> not ok vmx
> ok vmx_vmcs_shadow_test

Hope it helps.

Thanks,
Jack

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-05  9:51       ` Jack Wang
@ 2019-12-05 20:52         ` Dan Rue
  2019-12-06  8:54           ` Jack Wang
  0 siblings, 1 reply; 359+ messages in thread
From: Dan Rue @ 2019-12-05 20:52 UTC (permalink / raw)
  To: Jack Wang
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Sean Christopherson,
	Jim Mattson, Paolo Bonzini, Sasha Levin

On Thu, Dec 05, 2019 at 10:51:18AM +0100, Jack Wang wrote:
> Dan Rue <dan.rue@linaro.org> 于2019年12月4日周三 下午6:50写道:
> >
> > On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
> > > Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
> > > >
> > > > From: Sean Christopherson <sean.j.christopherson@intel.com>
> > > >
> > > > [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
> > > >
> > > > In preparation of supporting checkpoint/restore for nested state,
> > > > commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > > > modified check_vmentry_postreqs() to only perform the guest EFER
> > > > consistency checks when nested_run_pending is true.  But, in the
> > > > normal nested VMEntry flow, nested_run_pending is only set after
> > > > check_vmentry_postreqs(), i.e. the consistency check is being skipped.
> > > >
> > > > Alternatively, nested_run_pending could be set prior to calling
> > > > check_vmentry_postreqs() in nested_vmx_run(), but placing the
> > > > consistency checks in nested_vmx_enter_non_root_mode() allows us
> > > > to split prepare_vmcs02() and interleave the preparation with
> > > > the consistency checks without having to change the call sites
> > > > of nested_vmx_enter_non_root_mode().  In other words, the rest
> > > > of the consistency check code in nested_vmx_run() will be joining
> > > > the postreqs checks in future patches.
> > > >
> > > > Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > > > Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > > > Cc: Jim Mattson <jmattson@google.com>
> > > > Reviewed-by: Jim Mattson <jmattson@google.com>
> > > > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > > > ---
> > > >  arch/x86/kvm/vmx.c | 10 +++-------
> > > >  1 file changed, 3 insertions(+), 7 deletions(-)
> > > >
> > > > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> > > > index fe7fdd666f091..bdf019f322117 100644
> > > > --- a/arch/x86/kvm/vmx.c
> > > > +++ b/arch/x86/kvm/vmx.c
> > > > @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
> > > >         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
> > > >                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
> > > >
> > > > +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
> > > > +               return EXIT_REASON_INVALID_STATE;
> > > > +
> > > >         enter_guest_mode(vcpu);
> > > >
> > > >         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
> > > > @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
> > > >          */
> > > >         skip_emulated_instruction(vcpu);
> > > >
> > > > -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
> > > > -       if (ret) {
> > > > -               nested_vmx_entry_failure(vcpu, vmcs12,
> > > > -                                        EXIT_REASON_INVALID_STATE, exit_qual);
> > > > -               return 1;
> > > > -       }
> > > > -
> > > >         /*
> > > >          * We're finally done with prerequisite checking, and can start with
> > > >          * the nested entry.
> > > > --
> > > > 2.20.1
> > > >
> > > >
> > > >
> > > Hi all,
> > >
> > > This commit caused many kvm-unit-tests regression, cherry-pick
> > > following commits from 4.20 fix the regression:
> >
> > Hi Jack - can you be more specific about the failing tests? What type of
> > environment and which tests failed, which version of kvm-unit-tests? Do
> > you have any logs available? I ask because we do run kvm-unit-tests on
> > x86 and arm64 but we did not see these regressions.
> >
> > Thanks,
> > Dan
> >
> Hi Dan,
> 
> I'm running at kvm-unit-tests commit b1414c5f0142 ("x86: vmx: fix
> required alignment for posted interrupt descriptor")
> 
> using "run_tests.sh -a -t -j8" with qemu-2.7.1
> 
> Left side has only 78 tests ok, and right side has 112 tests ok.

Thanks - so we run it with "run_tests.sh -v" and only see 43 passes in
the best case. Besides missing -a, we see a skip for the vmx related
tests because vmx isn't enabled in our environment.

We will fix those problems in LKFT so that we can catch regressions like
this before they are released.

Dan

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
  2019-12-05 20:52         ` Dan Rue
@ 2019-12-06  8:54           ` Jack Wang
  0 siblings, 0 replies; 359+ messages in thread
From: Jack Wang @ 2019-12-06  8:54 UTC (permalink / raw)
  To: Jack Wang, Greg Kroah-Hartman, linux-kernel, stable,
	Sean Christopherson, Jim Mattson, Paolo Bonzini, Sasha Levin

Dan Rue <dan.rue@linaro.org> 于2019年12月5日周四 下午9:52写道:
>
> On Thu, Dec 05, 2019 at 10:51:18AM +0100, Jack Wang wrote:
> > Dan Rue <dan.rue@linaro.org> 于2019年12月4日周三 下午6:50写道:
> > >
> > > On Mon, Dec 02, 2019 at 03:40:04PM +0100, Jack Wang wrote:
> > > > Greg Kroah-Hartman <gregkh@linuxfoundation.org> 于2019年11月27日周三 下午10:30写道:
> > > > >
> > > > > From: Sean Christopherson <sean.j.christopherson@intel.com>
> > > > >
> > > > > [ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
> > > > >
> > > > > In preparation of supporting checkpoint/restore for nested state,
> > > > > commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > > > > modified check_vmentry_postreqs() to only perform the guest EFER
> > > > > consistency checks when nested_run_pending is true.  But, in the
> > > > > normal nested VMEntry flow, nested_run_pending is only set after
> > > > > check_vmentry_postreqs(), i.e. the consistency check is being skipped.
> > > > >
> > > > > Alternatively, nested_run_pending could be set prior to calling
> > > > > check_vmentry_postreqs() in nested_vmx_run(), but placing the
> > > > > consistency checks in nested_vmx_enter_non_root_mode() allows us
> > > > > to split prepare_vmcs02() and interleave the preparation with
> > > > > the consistency checks without having to change the call sites
> > > > > of nested_vmx_enter_non_root_mode().  In other words, the rest
> > > > > of the consistency check code in nested_vmx_run() will be joining
> > > > > the postreqs checks in future patches.
> > > > >
> > > > > Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
> > > > > Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > > > > Cc: Jim Mattson <jmattson@google.com>
> > > > > Reviewed-by: Jim Mattson <jmattson@google.com>
> > > > > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > > > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > > > > ---
> > > > >  arch/x86/kvm/vmx.c | 10 +++-------
> > > > >  1 file changed, 3 insertions(+), 7 deletions(-)
> > > > >
> > > > > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> > > > > index fe7fdd666f091..bdf019f322117 100644
> > > > > --- a/arch/x86/kvm/vmx.c
> > > > > +++ b/arch/x86/kvm/vmx.c
> > > > > @@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
> > > > >         if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
> > > > >                 evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
> > > > >
> > > > > +       if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
> > > > > +               return EXIT_REASON_INVALID_STATE;
> > > > > +
> > > > >         enter_guest_mode(vcpu);
> > > > >
> > > > >         if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
> > > > > @@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
> > > > >          */
> > > > >         skip_emulated_instruction(vcpu);
> > > > >
> > > > > -       ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
> > > > > -       if (ret) {
> > > > > -               nested_vmx_entry_failure(vcpu, vmcs12,
> > > > > -                                        EXIT_REASON_INVALID_STATE, exit_qual);
> > > > > -               return 1;
> > > > > -       }
> > > > > -
> > > > >         /*
> > > > >          * We're finally done with prerequisite checking, and can start with
> > > > >          * the nested entry.
> > > > > --
> > > > > 2.20.1
> > > > >
> > > > >
> > > > >
> > > > Hi all,
> > > >
> > > > This commit caused many kvm-unit-tests regression, cherry-pick
> > > > following commits from 4.20 fix the regression:
> > >
> > > Hi Jack - can you be more specific about the failing tests? What type of
> > > environment and which tests failed, which version of kvm-unit-tests? Do
> > > you have any logs available? I ask because we do run kvm-unit-tests on
> > > x86 and arm64 but we did not see these regressions.
> > >
> > > Thanks,
> > > Dan
> > >
> > Hi Dan,
> >
> > I'm running at kvm-unit-tests commit b1414c5f0142 ("x86: vmx: fix
> > required alignment for posted interrupt descriptor")
> >
> > using "run_tests.sh -a -t -j8" with qemu-2.7.1
> >
> > Left side has only 78 tests ok, and right side has 112 tests ok.
>
> Thanks - so we run it with "run_tests.sh -v" and only see 43 passes in
> the best case. Besides missing -a, we see a skip for the vmx related
> tests because vmx isn't enabled in our environment.
>
> We will fix those problems in LKFT so that we can catch regressions like
> this before they are released.
>
> Dan
Sounds good.

Thanks,
Jack

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 153/306] block: fix the DISCARD request merge (4.19.87+ crash)
  2019-11-27 20:30 ` [PATCH 4.19 153/306] block: fix the DISCARD request merge Greg Kroah-Hartman
@ 2019-12-14 14:13   ` Andre Tomt
  2019-12-16  7:42     ` Jack Wang
  0 siblings, 1 reply; 359+ messages in thread
From: Andre Tomt @ 2019-12-14 14:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Christoph Hellwig, Ming Lei, Jianchao Wang, Jens Axboe,
	Sasha Levin

On 27.11.2019 21:30, Greg Kroah-Hartman wrote:
> From: Jianchao Wang <jianchao.w.wang@oracle.com>
> 
> [ Upstream commit 69840466086d2248898020a08dda52732686c4e6 ]
> 
> There are two cases when handle DISCARD merge.
> If max_discard_segments == 1, the bios/requests need to be contiguous
> to merge. If max_discard_segments > 1, it takes every bio as a range
> and different range needn't to be contiguous.
> 
> But now, attempt_merge screws this up. It always consider contiguity
> for DISCARD for the case max_discard_segments > 1 and cannot merge
> contiguous DISCARD for the case max_discard_segments == 1, because
> rq_attempt_discard_merge always returns false in this case.
> This patch fixes both of the two cases above.
> 
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Reviewed-by: Ming Lei <ming.lei@redhat.com>
> Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> Signed-off-by: Sasha Levin <sashal@kernel.org>

4.19.87, 4.19.88, 4.19.89 all lock up frequently on some of my systems. 
The same systems run 5.4.3 fine, so the newer trees are probably OK.
Reverting this commit on top of 4.19.87 makes everything stable.

To trigger it all I have to do is re-rsyncing a directory tree with some 
changed files churn, it will usually crash in 10 to 30 minutes.

The systems crashing has ext4 filesystem on a two ssd md raid1 mounted 
with the mount option discard. If mounting it without discard, the 
crashes no longer seem to occur.

No oops/panic made it to the ipmi console. I suspect the console is just 
misbehaving and it didnt really livelock. At one point one line of the 
crash made it to the console (kernel BUG at block/blk-core.c:1776), and 
it was enough to pinpoint this commit. Note that the line number might 
be off, as I was attempting a bisect at the time.

This commit also made it to 4.14.x, but I have not tested it.

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 153/306] block: fix the DISCARD request merge (4.19.87+ crash)
  2019-12-14 14:13   ` [PATCH 4.19 153/306] block: fix the DISCARD request merge (4.19.87+ crash) Andre Tomt
@ 2019-12-16  7:42     ` Jack Wang
  2019-12-16  9:18       ` Andre Tomt
  0 siblings, 1 reply; 359+ messages in thread
From: Jack Wang @ 2019-12-16  7:42 UTC (permalink / raw)
  To: Andre Tomt
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Christoph Hellwig,
	Ming Lei, Jianchao Wang, Jens Axboe, Sasha Levin

Andre Tomt <andre@tomt.net> 于2019年12月14日周六 下午3:24写道:
>
> On 27.11.2019 21:30, Greg Kroah-Hartman wrote:
> > From: Jianchao Wang <jianchao.w.wang@oracle.com>
> >
> > [ Upstream commit 69840466086d2248898020a08dda52732686c4e6 ]
> >
> > There are two cases when handle DISCARD merge.
> > If max_discard_segments == 1, the bios/requests need to be contiguous
> > to merge. If max_discard_segments > 1, it takes every bio as a range
> > and different range needn't to be contiguous.
> >
> > But now, attempt_merge screws this up. It always consider contiguity
> > for DISCARD for the case max_discard_segments > 1 and cannot merge
> > contiguous DISCARD for the case max_discard_segments == 1, because
> > rq_attempt_discard_merge always returns false in this case.
> > This patch fixes both of the two cases above.
> >
> > Reviewed-by: Christoph Hellwig <hch@lst.de>
> > Reviewed-by: Ming Lei <ming.lei@redhat.com>
> > Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
> > Signed-off-by: Jens Axboe <axboe@kernel.dk>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> 4.19.87, 4.19.88, 4.19.89 all lock up frequently on some of my systems.
> The same systems run 5.4.3 fine, so the newer trees are probably OK.
> Reverting this commit on top of 4.19.87 makes everything stable.
>
> To trigger it all I have to do is re-rsyncing a directory tree with some
> changed files churn, it will usually crash in 10 to 30 minutes.
>
> The systems crashing has ext4 filesystem on a two ssd md raid1 mounted
> with the mount option discard. If mounting it without discard, the
> crashes no longer seem to occur.
>
> No oops/panic made it to the ipmi console. I suspect the console is just
> misbehaving and it didnt really livelock. At one point one line of the
> crash made it to the console (kernel BUG at block/blk-core.c:1776), and
> it was enough to pinpoint this commit. Note that the line number might
> be off, as I was attempting a bisect at the time.
>
> This commit also made it to 4.14.x, but I have not tested it.
Hi Andre,

I noticed one fix is missing for discard merge in 4.19.y
2a5cf35cd6c5 ("block: fix single range discard merge")

Can you try if it helps? just "git cherry-pick 2a5cf35cd6c5"

Thanks
Jack Wang

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 153/306] block: fix the DISCARD request merge (4.19.87+ crash)
  2019-12-16  7:42     ` Jack Wang
@ 2019-12-16  9:18       ` Andre Tomt
  2019-12-16  9:25         ` Jack Wang
  2019-12-16  9:28         ` Greg Kroah-Hartman
  0 siblings, 2 replies; 359+ messages in thread
From: Andre Tomt @ 2019-12-16  9:18 UTC (permalink / raw)
  To: Jack Wang
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Christoph Hellwig,
	Ming Lei, Jianchao Wang, Jens Axboe, Sasha Levin

On 16.12.2019 08:42, Jack Wang wrote:
> Andre Tomt <andre@tomt.net> 于2019年12月14日周六 下午3:24写道:
>>
>> 4.19.87, 4.19.88, 4.19.89 all lock up frequently on some of my systems.
>> The same systems run 5.4.3 fine, so the newer trees are probably OK.
>> Reverting this commit on top of 4.19.87 makes everything stable.
>>
>> To trigger it all I have to do is re-rsyncing a directory tree with some
>> changed files churn, it will usually crash in 10 to 30 minutes.
>>
>> The systems crashing has ext4 filesystem on a two ssd md raid1 mounted
>> with the mount option discard. If mounting it without discard, the
>> crashes no longer seem to occur.
>>
>> No oops/panic made it to the ipmi console. I suspect the console is just
>> misbehaving and it didnt really livelock. At one point one line of the
>> crash made it to the console (kernel BUG at block/blk-core.c:1776), and
>> it was enough to pinpoint this commit. Note that the line number might
>> be off, as I was attempting a bisect at the time.
>>
>> This commit also made it to 4.14.x, but I have not tested it.
> Hi Andre,
> 
> I noticed one fix is missing for discard merge in 4.19.y
> 2a5cf35cd6c5 ("block: fix single range discard merge")
> 
> Can you try if it helps? just "git cherry-pick 2a5cf35cd6c5"

Indeed, adding this commit on top a clean 4.19.89 fixes the issue. So 
far survived about an hour of rsyncing file churn.


^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 153/306] block: fix the DISCARD request merge (4.19.87+ crash)
  2019-12-16  9:18       ` Andre Tomt
@ 2019-12-16  9:25         ` Jack Wang
  2019-12-16  9:28         ` Greg Kroah-Hartman
  1 sibling, 0 replies; 359+ messages in thread
From: Jack Wang @ 2019-12-16  9:25 UTC (permalink / raw)
  To: Andre Tomt, Greg Kroah-Hartman, Sasha Levin
  Cc: linux-kernel, stable, Christoph Hellwig, Ming Lei, Jianchao Wang,
	Jens Axboe

Andre Tomt <andre@tomt.net> 于2019年12月16日周一 上午10:18写道:
>
> On 16.12.2019 08:42, Jack Wang wrote:
> > Andre Tomt <andre@tomt.net> 于2019年12月14日周六 下午3:24写道:
> >>
> >> 4.19.87, 4.19.88, 4.19.89 all lock up frequently on some of my systems.
> >> The same systems run 5.4.3 fine, so the newer trees are probably OK.
> >> Reverting this commit on top of 4.19.87 makes everything stable.
> >>
> >> To trigger it all I have to do is re-rsyncing a directory tree with some
> >> changed files churn, it will usually crash in 10 to 30 minutes.
> >>
> >> The systems crashing has ext4 filesystem on a two ssd md raid1 mounted
> >> with the mount option discard. If mounting it without discard, the
> >> crashes no longer seem to occur.
> >>
> >> No oops/panic made it to the ipmi console. I suspect the console is just
> >> misbehaving and it didnt really livelock. At one point one line of the
> >> crash made it to the console (kernel BUG at block/blk-core.c:1776), and
> >> it was enough to pinpoint this commit. Note that the line number might
> >> be off, as I was attempting a bisect at the time.
> >>
> >> This commit also made it to 4.14.x, but I have not tested it.
> > Hi Andre,
> >
> > I noticed one fix is missing for discard merge in 4.19.y
> > 2a5cf35cd6c5 ("block: fix single range discard merge")
> >
> > Can you try if it helps? just "git cherry-pick 2a5cf35cd6c5"
>
> Indeed, adding this commit on top a clean 4.19.89 fixes the issue. So
> far survived about an hour of rsyncing file churn.
>
Glad to hear it!

Greg, Sasha,

Can you apply the fix 2a5cf35cd6c5 ("block: fix single range discard
merge") for 4.19 tree.

Regards,
Jack Wang

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 153/306] block: fix the DISCARD request merge (4.19.87+ crash)
  2019-12-16  9:18       ` Andre Tomt
  2019-12-16  9:25         ` Jack Wang
@ 2019-12-16  9:28         ` Greg Kroah-Hartman
  1 sibling, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2019-12-16  9:28 UTC (permalink / raw)
  To: Andre Tomt
  Cc: Jack Wang, linux-kernel, stable, Christoph Hellwig, Ming Lei,
	Jianchao Wang, Jens Axboe, Sasha Levin

On Mon, Dec 16, 2019 at 10:18:48AM +0100, Andre Tomt wrote:
> On 16.12.2019 08:42, Jack Wang wrote:
> > Andre Tomt <andre@tomt.net> 于2019年12月14日周六 下午3:24写道:
> > > 
> > > 4.19.87, 4.19.88, 4.19.89 all lock up frequently on some of my systems.
> > > The same systems run 5.4.3 fine, so the newer trees are probably OK.
> > > Reverting this commit on top of 4.19.87 makes everything stable.
> > > 
> > > To trigger it all I have to do is re-rsyncing a directory tree with some
> > > changed files churn, it will usually crash in 10 to 30 minutes.
> > > 
> > > The systems crashing has ext4 filesystem on a two ssd md raid1 mounted
> > > with the mount option discard. If mounting it without discard, the
> > > crashes no longer seem to occur.
> > > 
> > > No oops/panic made it to the ipmi console. I suspect the console is just
> > > misbehaving and it didnt really livelock. At one point one line of the
> > > crash made it to the console (kernel BUG at block/blk-core.c:1776), and
> > > it was enough to pinpoint this commit. Note that the line number might
> > > be off, as I was attempting a bisect at the time.
> > > 
> > > This commit also made it to 4.14.x, but I have not tested it.
> > Hi Andre,
> > 
> > I noticed one fix is missing for discard merge in 4.19.y
> > 2a5cf35cd6c5 ("block: fix single range discard merge")
> > 
> > Can you try if it helps? just "git cherry-pick 2a5cf35cd6c5"
> 
> Indeed, adding this commit on top a clean 4.19.89 fixes the issue. So far
> survived about an hour of rsyncing file churn.
> 

Great!

Thanks Jack for finding the fix and Andre for reporting this.  I'll go
queue this fix up right now.

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2019-11-29  8:58       ` Greg Kroah-Hartman
@ 2020-01-22  7:48         ` Jouni Högander
  2020-01-26 11:54           ` Lukas Bulwahn
  2020-01-28 10:28           ` Jouni Högander
  0 siblings, 2 replies; 359+ messages in thread
From: Jouni Högander @ 2020-01-22  7:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Lukas Bulwahn, Naresh Kamboju, open list, Linus Torvalds,
	Andrew Morton, Guenter Roeck, Shuah Khan, patches, Ben Hutchings,
	lkft-triage, linux- stable, Netdev, Al Viro, linux-fsdevel,
	Eric Dumazet, David S. Miller

Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
>> > Now queued up, I'll push out -rc2 versions with this fix.
>> >
>> > greg k-h
>> 
>> We have also been informed about another regression these two commits
>> are causing:
>> 
>> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/
>> 
>> I suggest to drop these two patches from this queue, and give us a
>> week to shake out the regressions of the change, and once ready, we
>> can include the complete set of fixes to stable (probably in a week or
>> two).
>
> Ok, thanks for the information, I've now dropped them from all of the
> queues that had them in them.
>
> greg k-h

I have now run more extensive Syzkaller testing on following patches:

cb626bf566eb net-sysfs: Fix reference count leak
ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject

These patches are fixing couple of memory leaks including this one found
by Syzbot: https://syzkaller.appspot.com/bug?extid=ad8ca40ecd77896d51e2

I can reproduce these memory leaks in following stable branches: 4.14,
4.19, and 5.4.

These are all now merged into net/master tree and based on my testing
they are ready to be taken into stable branches as well.

Best Regards,

Jouni Högander

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2020-01-22  7:48         ` Jouni Högander
@ 2020-01-26 11:54           ` Lukas Bulwahn
  2020-01-27  8:42             ` Jouni Högander
  2020-01-28 10:28           ` Jouni Högander
  1 sibling, 1 reply; 359+ messages in thread
From: Lukas Bulwahn @ 2020-01-26 11:54 UTC (permalink / raw)
  To: Jouni Högander
  Cc: Greg Kroah-Hartman, Lukas Bulwahn, open list, Linus Torvalds,
	Andrew Morton, Ben Hutchings, linux- stable, Netdev, Al Viro,
	linux-fsdevel, Eric Dumazet, David S. Miller, syzkaller

[-- Attachment #1: Type: text/plain, Size: 3390 bytes --]


On Wed, 22 Jan 2020, Jouni Högander wrote:

> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> >> > Now queued up, I'll push out -rc2 versions with this fix.
> >> >
> >> > greg k-h
> >> 
> >> We have also been informed about another regression these two commits
> >> are causing:
> >> 
> >> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/
> >> 
> >> I suggest to drop these two patches from this queue, and give us a
> >> week to shake out the regressions of the change, and once ready, we
> >> can include the complete set of fixes to stable (probably in a week or
> >> two).
> >
> > Ok, thanks for the information, I've now dropped them from all of the
> > queues that had them in them.
> >
> > greg k-h
> 
> I have now run more extensive Syzkaller testing on following patches:
> 
> cb626bf566eb net-sysfs: Fix reference count leak
> ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
> e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
> 48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
> b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
> 
> These patches are fixing couple of memory leaks including this one found
> by Syzbot: https://syzkaller.appspot.com/bug?extid=ad8ca40ecd77896d51e2
> 
> I can reproduce these memory leaks in following stable branches: 4.14,
> 4.19, and 5.4.
> 
> These are all now merged into net/master tree and based on my testing
> they are ready to be taken into stable branches as well.
>

+ syzkaller list
Jouni et. al, please drop Linus in further responses; Linus, it was wrong 
to add you to this thread in the first place (reason is explained below)

Jouni, thanks for investigating.

It raises the following questions and comments:

- Does the memory leak NOT appear on 4.9 and earlier LTS branches (or did 
you not check that)? If it does not appear, can you bisect it with the 
reproducer to the commit between 4.14 and 4.9?

- Do the reproducers you found with your syzkaller testing show the same 
behaviour (same bisection) as the reproducers from syzbot?

- I fear syzbot's automatic bisection on is wrong, and Linus' commit 
0e034f5c4bc4 ("iwlwifi: fix mis-merge that breaks the driver") is not to 
blame here; that commit did not cause the memory leak, but fixed some 
unrelated issue that simply confuses syzbot's automatic bisection.

Just FYI: Dmitry Vyukov's evaluation of the syzbot bisection shows that 
about 50% are wrong, e.g., due to multiple bugs being triggered with one 
reproducer and the difficulty of automatically identifying them of being 
different due to different root causes (despite the smart heuristics of 
syzkaller & syzbot). So, to identify the actual commit on which the memory 
leak first appeared, you need to bisect manually with your own judgement 
if the reported bug stack trace fits to the issue you investigating. Or 
you use syzbot's automatic bisection but then with a reduced kernel config 
that cannot be confused by other issues. You might possibly also hit a 
"beginning of time" in your bisection, where KASAN was simply not 
supported, then the initially causing commit can simply not determined by 
bisection with the reproducer and needs some code inspection and 
archaeology with git. Can you go ahead try to identify the correct commit 
for this issue?


Lukas

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2020-01-26 11:54           ` Lukas Bulwahn
@ 2020-01-27  8:42             ` Jouni Högander
  2020-01-27 21:16               ` Lukas Bulwahn
  0 siblings, 1 reply; 359+ messages in thread
From: Jouni Högander @ 2020-01-27  8:42 UTC (permalink / raw)
  To: Lukas Bulwahn
  Cc: Greg Kroah-Hartman, open list, Andrew Morton, Ben Hutchings,
	linux- stable, Netdev, Al Viro, linux-fsdevel, Eric Dumazet,
	David S. Miller, syzkaller

Lukas Bulwahn <lukas.bulwahn@gmail.com> writes:

> On Wed, 22 Jan 2020, Jouni Högander wrote:
>
>> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
>> >> > Now queued up, I'll push out -rc2 versions with this fix.
>> >> >
>> >> > greg k-h
>> >> 
>> >> We have also been informed about another regression these two commits
>> >> are causing:
>> >> 
>> >> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/
>> >> 
>> >> I suggest to drop these two patches from this queue, and give us a
>> >> week to shake out the regressions of the change, and once ready, we
>> >> can include the complete set of fixes to stable (probably in a week or
>> >> two).
>> >
>> > Ok, thanks for the information, I've now dropped them from all of the
>> > queues that had them in them.
>> >
>> > greg k-h
>> 
>> I have now run more extensive Syzkaller testing on following patches:
>> 
>> cb626bf566eb net-sysfs: Fix reference count leak
>> ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
>> e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
>> 48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
>> b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
>> 
>> These patches are fixing couple of memory leaks including this one found
>> by Syzbot: https://syzkaller.appspot.com/bug?extid=ad8ca40ecd77896d51e2
>> 
>> I can reproduce these memory leaks in following stable branches: 4.14,
>> 4.19, and 5.4.
>> 
>> These are all now merged into net/master tree and based on my testing
>> they are ready to be taken into stable branches as well.
>>
>
> + syzkaller list
> Jouni et. al, please drop Linus in further responses; Linus, it was wrong 
> to add you to this thread in the first place (reason is explained below)
>
> Jouni, thanks for investigating.
>
> It raises the following questions and comments:
>
> - Does the memory leak NOT appear on 4.9 and earlier LTS branches (or did 
> you not check that)? If it does not appear, can you bisect it with the 
> reproducer to the commit between 4.14 and 4.9?

I tested and these memory leaks are not reproucible in 4.9 and earlier.

>
> - Do the reproducers you found with your syzkaller testing show the same 
> behaviour (same bisection) as the reproducers from syzbot?

Yes, they are same.

>
> - I fear syzbot's automatic bisection on is wrong, and Linus' commit 
> 0e034f5c4bc4 ("iwlwifi: fix mis-merge that breaks the driver") is not to 
> blame here; that commit did not cause the memory leak, but fixed some 
> unrelated issue that simply confuses syzbot's automatic bisection.
>
> Just FYI: Dmitry Vyukov's evaluation of the syzbot bisection shows that 
> about 50% are wrong, e.g., due to multiple bugs being triggered with one 
> reproducer and the difficulty of automatically identifying them of being 
> different due to different root causes (despite the smart heuristics of 
> syzkaller & syzbot). So, to identify the actual commit on which the memory 
> leak first appeared, you need to bisect manually with your own judgement 
> if the reported bug stack trace fits to the issue you investigating. Or 
> you use syzbot's automatic bisection but then with a reduced kernel config 
> that cannot be confused by other issues. You might possibly also hit a 
> "beginning of time" in your bisection, where KASAN was simply not 
> supported, then the initially causing commit can simply not determined by 
> bisection with the reproducer and needs some code inspection and 
> archaeology with git. Can you go ahead try to identify the correct commit 
> for this issue?

These two commits (that are not in 4.9 and earlier) are intorducing these leaks:

commit e331c9066901dfe40bea4647521b86e9fb9901bb
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Tue Mar 19 10:16:53 2019 +0800

    net-sysfs: call dev_hold if kobject_init_and_add success
    
    [ Upstream commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e ]
    
    In netdev_queue_add_kobject and rx_queue_add_kobject,
    if sysfs_create_group failed, kobject_put will call
    netdev_queue_release to decrease dev refcont, however
    dev_hold has not be called. So we will see this while
    unregistering dev:
    
    unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1
    
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Fixes: d0d668371679 ("net: don't decrement kobj reference count on init fail
ure")
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d0d6683716791b2a2761a1bb025c613eb73da6c3
Author: stephen hemminger <stephen@networkplumber.org>
Date:   Fri Aug 18 13:46:19 2017 -0700

    net: don't decrement kobj reference count on init failure
    
    If kobject_init_and_add failed, then the failure path would
    decrement the reference count of the queue kobject whose reference
    count was already zero.
    
    Fixes: 114cf5802165 ("bql: Byte queue limits")
    Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

>
>
> Lukas

BR,

Jouni Högander

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2020-01-27  8:42             ` Jouni Högander
@ 2020-01-27 21:16               ` Lukas Bulwahn
  2020-01-28  8:46                 ` Jouni Högander
  0 siblings, 1 reply; 359+ messages in thread
From: Lukas Bulwahn @ 2020-01-27 21:16 UTC (permalink / raw)
  To: Jouni Högander
  Cc: Lukas Bulwahn, Greg Kroah-Hartman, open list, Andrew Morton,
	Ben Hutchings, linux- stable, Netdev, Al Viro, linux-fsdevel,
	Eric Dumazet, David S. Miller, syzkaller

[-- Attachment #1: Type: text/plain, Size: 7514 bytes --]



On Mon, 27 Jan 2020, Jouni Högander wrote:

> Lukas Bulwahn <lukas.bulwahn@gmail.com> writes:
> 
> > On Wed, 22 Jan 2020, Jouni Högander wrote:
> >
> >> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> >> >> > Now queued up, I'll push out -rc2 versions with this fix.
> >> >> >
> >> >> > greg k-h
> >> >> 
> >> >> We have also been informed about another regression these two commits
> >> >> are causing:
> >> >> 
> >> >> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/
> >> >> 
> >> >> I suggest to drop these two patches from this queue, and give us a
> >> >> week to shake out the regressions of the change, and once ready, we
> >> >> can include the complete set of fixes to stable (probably in a week or
> >> >> two).
> >> >
> >> > Ok, thanks for the information, I've now dropped them from all of the
> >> > queues that had them in them.
> >> >
> >> > greg k-h
> >> 
> >> I have now run more extensive Syzkaller testing on following patches:
> >> 
> >> cb626bf566eb net-sysfs: Fix reference count leak
> >> ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
> >> e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
> >> 48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
> >> b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
> >> 
> >> These patches are fixing couple of memory leaks including this one found
> >> by Syzbot: https://syzkaller.appspot.com/bug?extid=ad8ca40ecd77896d51e2
> >> 
> >> I can reproduce these memory leaks in following stable branches: 4.14,
> >> 4.19, and 5.4.
> >> 
> >> These are all now merged into net/master tree and based on my testing
> >> they are ready to be taken into stable branches as well.
> >>
> >
> > + syzkaller list
> > Jouni et. al, please drop Linus in further responses; Linus, it was wrong 
> > to add you to this thread in the first place (reason is explained below)
> >
> > Jouni, thanks for investigating.
> >
> > It raises the following questions and comments:
> >
> > - Does the memory leak NOT appear on 4.9 and earlier LTS branches (or did 
> > you not check that)? If it does not appear, can you bisect it with the 
> > reproducer to the commit between 4.14 and 4.9?
> 
> I tested and these memory leaks are not reproucible in 4.9 and earlier.
> 
> >
> > - Do the reproducers you found with your syzkaller testing show the same 
> > behaviour (same bisection) as the reproducers from syzbot?
> 
> Yes, they are same.
> 
> >
> > - I fear syzbot's automatic bisection on is wrong, and Linus' commit 
> > 0e034f5c4bc4 ("iwlwifi: fix mis-merge that breaks the driver") is not to 
> > blame here; that commit did not cause the memory leak, but fixed some 
> > unrelated issue that simply confuses syzbot's automatic bisection.
> >
> > Just FYI: Dmitry Vyukov's evaluation of the syzbot bisection shows that 
> > about 50% are wrong, e.g., due to multiple bugs being triggered with one 
> > reproducer and the difficulty of automatically identifying them of being 
> > different due to different root causes (despite the smart heuristics of 
> > syzkaller & syzbot). So, to identify the actual commit on which the memory 
> > leak first appeared, you need to bisect manually with your own judgement 
> > if the reported bug stack trace fits to the issue you investigating. Or 
> > you use syzbot's automatic bisection but then with a reduced kernel config 
> > that cannot be confused by other issues. You might possibly also hit a 
> > "beginning of time" in your bisection, where KASAN was simply not 
> > supported, then the initially causing commit can simply not determined by 
> > bisection with the reproducer and needs some code inspection and 
> > archaeology with git. Can you go ahead try to identify the correct commit 
> > for this issue?
> 
> These two commits (that are not in 4.9 and earlier) are intorducing these leaks:
> 
> commit e331c9066901dfe40bea4647521b86e9fb9901bb
> Author: YueHaibing <yuehaibing@huawei.com>
> Date:   Tue Mar 19 10:16:53 2019 +0800
> 
>     net-sysfs: call dev_hold if kobject_init_and_add success
>     
>     [ Upstream commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e ]
>     
>     In netdev_queue_add_kobject and rx_queue_add_kobject,
>     if sysfs_create_group failed, kobject_put will call
>     netdev_queue_release to decrease dev refcont, however
>     dev_hold has not be called. So we will see this while
>     unregistering dev:
>     
>     unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1
>     
>     Reported-by: Hulk Robot <hulkci@huawei.com>
>     Fixes: d0d668371679 ("net: don't decrement kobj reference count on init fail
> ure")
>     Signed-off-by: YueHaibing <yuehaibing@huawei.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
>     Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> commit d0d6683716791b2a2761a1bb025c613eb73da6c3
> Author: stephen hemminger <stephen@networkplumber.org>
> Date:   Fri Aug 18 13:46:19 2017 -0700
> 
>     net: don't decrement kobj reference count on init failure
>     
>     If kobject_init_and_add failed, then the failure path would
>     decrement the reference count of the queue kobject whose reference
>     count was already zero.
>     
>     Fixes: 114cf5802165 ("bql: Byte queue limits")
>     Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
> 

But, it seems that we now have just a long sequences of fix patches.

This commit from 2011 seems to be the initial buggy one:

commit 114cf5802165ee93e3ab461c9c505cd94a08b800
Author: Tom Herbert <therbert@google.com>
Date:   Mon Nov 28 16:33:09 2011 +0000

    bql: Byte queue limits

And then we just have fixes over fixes:

114cf5802165ee93e3ab461c9c505cd94a08b800
fixed by d0d6683716791b2a2761a1bb025c613eb73da6c3
fixed by a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e
fixed by the sequence of your five patches, mentioned above


If that is right, we should be able to find a reproducer with syzkaller on 
the versions before d0d668371679 ("net: don't decrement kobj reference 
count on init failure") with fault injection enabled or some manually 
injected fault by modifying the source code to always fail on init to 
really trigger the init failure, and see the reference count go below 
zero.

All further issues should also have reproducers found with syzkaller.
If we have a good feeling on the reproducers and this series of fixes 
really fixed the issue now here for all cases, we should suggest to 
backport all of the fixes to 4.4 and 4.9.

We should NOT just have Greg pick up a subset of the patches and backport 
them to 4.4 and 4.9, that will likely break more than it fixes.

Jouni, did you see Greg's bot inform you that he would pick up your latest 
patch for 4.4 and 4.9? Please respond to those emails to make sure a 
complete set of patches is picked up, which we tested with all those 
intermediate reproducers and an extensive syzkaller run hitting the 
net-sysfs interface (e.g., by configuring the corpus and check coverage).

If you cannot do this testing for 4.4 and 4.9 now quickly (you 
potentially have less than 24 hours), we should hold those new patches 
back for 4.4 and 4.9, as none of the fixes seem to be applied at all right 
now and the users have not complained yet on 4.4 and 4.9.
Once testing of the whole fix sequence is done, we request to backport all 
patches at once for 4.4 and 4.9.

Lukas


^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2020-01-27 21:16               ` Lukas Bulwahn
@ 2020-01-28  8:46                 ` Jouni Högander
  0 siblings, 0 replies; 359+ messages in thread
From: Jouni Högander @ 2020-01-28  8:46 UTC (permalink / raw)
  To: Lukas Bulwahn
  Cc: Greg Kroah-Hartman, open list, Andrew Morton, Ben Hutchings,
	linux- stable, Netdev, Al Viro, linux-fsdevel, Eric Dumazet,
	David S. Miller, syzkaller

Lukas Bulwahn <lukas.bulwahn@gmail.com> writes:

> On Mon, 27 Jan 2020, Jouni Högander wrote:
>
>> Lukas Bulwahn <lukas.bulwahn@gmail.com> writes:
>> 
>> > On Wed, 22 Jan 2020, Jouni Högander wrote:
>> >
>> >> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
>> >> >> > Now queued up, I'll push out -rc2 versions with this fix.
>> >> >> >
>> >> >> > greg k-h
>> >> >> 
>> >> >> We have also been informed about another regression these two commits
>> >> >> are causing:
>> >> >> 
>> >> >> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/
>> >> >> 
>> >> >> I suggest to drop these two patches from this queue, and give us a
>> >> >> week to shake out the regressions of the change, and once ready, we
>> >> >> can include the complete set of fixes to stable (probably in a week or
>> >> >> two).
>> >> >
>> >> > Ok, thanks for the information, I've now dropped them from all of the
>> >> > queues that had them in them.
>> >> >
>> >> > greg k-h
>> >> 
>> >> I have now run more extensive Syzkaller testing on following patches:
>> >> 
>> >> cb626bf566eb net-sysfs: Fix reference count leak
>> >> ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
>> >> e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
>> >> 48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
>> >> b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
>> >> 
>> >> These patches are fixing couple of memory leaks including this one found
>> >> by Syzbot: https://syzkaller.appspot.com/bug?extid=ad8ca40ecd77896d51e2
>> >> 
>> >> I can reproduce these memory leaks in following stable branches: 4.14,
>> >> 4.19, and 5.4.
>> >> 
>> >> These are all now merged into net/master tree and based on my testing
>> >> they are ready to be taken into stable branches as well.
>> >>
>> >
>> > + syzkaller list
>> > Jouni et. al, please drop Linus in further responses; Linus, it was wrong 
>> > to add you to this thread in the first place (reason is explained below)
>> >
>> > Jouni, thanks for investigating.
>> >
>> > It raises the following questions and comments:
>> >
>> > - Does the memory leak NOT appear on 4.9 and earlier LTS branches (or did 
>> > you not check that)? If it does not appear, can you bisect it with the 
>> > reproducer to the commit between 4.14 and 4.9?
>> 
>> I tested and these memory leaks are not reproucible in 4.9 and earlier.
>> 
>> >
>> > - Do the reproducers you found with your syzkaller testing show the same 
>> > behaviour (same bisection) as the reproducers from syzbot?
>> 
>> Yes, they are same.
>> 
>> >
>> > - I fear syzbot's automatic bisection on is wrong, and Linus' commit 
>> > 0e034f5c4bc4 ("iwlwifi: fix mis-merge that breaks the driver") is not to 
>> > blame here; that commit did not cause the memory leak, but fixed some 
>> > unrelated issue that simply confuses syzbot's automatic bisection.
>> >
>> > Just FYI: Dmitry Vyukov's evaluation of the syzbot bisection shows that 
>> > about 50% are wrong, e.g., due to multiple bugs being triggered with one 
>> > reproducer and the difficulty of automatically identifying them of being 
>> > different due to different root causes (despite the smart heuristics of 
>> > syzkaller & syzbot). So, to identify the actual commit on which the memory 
>> > leak first appeared, you need to bisect manually with your own judgement 
>> > if the reported bug stack trace fits to the issue you investigating. Or 
>> > you use syzbot's automatic bisection but then with a reduced kernel config 
>> > that cannot be confused by other issues. You might possibly also hit a 
>> > "beginning of time" in your bisection, where KASAN was simply not 
>> > supported, then the initially causing commit can simply not determined by 
>> > bisection with the reproducer and needs some code inspection and 
>> > archaeology with git. Can you go ahead try to identify the correct commit 
>> > for this issue?
>> 
>> These two commits (that are not in 4.9 and earlier) are intorducing these leaks:
>> 
>> commit e331c9066901dfe40bea4647521b86e9fb9901bb
>> Author: YueHaibing <yuehaibing@huawei.com>
>> Date:   Tue Mar 19 10:16:53 2019 +0800
>> 
>>     net-sysfs: call dev_hold if kobject_init_and_add success
>>     
>>     [ Upstream commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e ]
>>     
>>     In netdev_queue_add_kobject and rx_queue_add_kobject,
>>     if sysfs_create_group failed, kobject_put will call
>>     netdev_queue_release to decrease dev refcont, however
>>     dev_hold has not be called. So we will see this while
>>     unregistering dev:
>>     
>>     unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1
>>     
>>     Reported-by: Hulk Robot <hulkci@huawei.com>
>>     Fixes: d0d668371679 ("net: don't decrement kobj reference count on init fail
>> ure")
>>     Signed-off-by: YueHaibing <yuehaibing@huawei.com>
>>     Signed-off-by: David S. Miller <davem@davemloft.net>
>>     Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> 
>> commit d0d6683716791b2a2761a1bb025c613eb73da6c3
>> Author: stephen hemminger <stephen@networkplumber.org>
>> Date:   Fri Aug 18 13:46:19 2017 -0700
>> 
>>     net: don't decrement kobj reference count on init failure
>>     
>>     If kobject_init_and_add failed, then the failure path would
>>     decrement the reference count of the queue kobject whose reference
>>     count was already zero.
>>     
>>     Fixes: 114cf5802165 ("bql: Byte queue limits")
>>     Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
>>     Signed-off-by: David S. Miller <davem@davemloft.net>
>> 
>
> But, it seems that we now have just a long sequences of fix patches.
>
> This commit from 2011 seems to be the initial buggy one:
>
> commit 114cf5802165ee93e3ab461c9c505cd94a08b800
> Author: Tom Herbert <therbert@google.com>
> Date:   Mon Nov 28 16:33:09 2011 +0000
>
>     bql: Byte queue limits
>
> And then we just have fixes over fixes:
>
> 114cf5802165ee93e3ab461c9c505cd94a08b800
> fixed by d0d6683716791b2a2761a1bb025c613eb73da6c3
> fixed by a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e
> fixed by the sequence of your five patches, mentioned above
>
>
> If that is right, we should be able to find a reproducer with syzkaller on 
> the versions before d0d668371679 ("net: don't decrement kobj reference 
> count on init failure") with fault injection enabled or some manually 
> injected fault by modifying the source code to always fail on init to 
> really trigger the init failure, and see the reference count go below 
> zero.
>
> All further issues should also have reproducers found with syzkaller.
> If we have a good feeling on the reproducers and this series of fixes 
> really fixed the issue now here for all cases, we should suggest to 
> backport all of the fixes to 4.4 and 4.9.
>
> We should NOT just have Greg pick up a subset of the patches and backport 
> them to 4.4 and 4.9, that will likely break more than it fixes.

Yes, this is the case.

>
> Jouni, did you see Greg's bot inform you that he would pick up your latest 
> patch for 4.4 and 4.9? Please respond to those emails to make sure a 
> complete set of patches is picked up, which we tested with all those 
> intermediate reproducers and an extensive syzkaller run hitting the 
> net-sysfs interface (e.g., by configuring the corpus and check
> coverage).

I already responded to not pick these patches into 4.4 and 4.9. 

>
> If you cannot do this testing for 4.4 and 4.9 now quickly (you 
> potentially have less than 24 hours), we should hold those new patches 
> back for 4.4 and 4.9, as none of the fixes seem to be applied at all right 
> now and the users have not complained yet on 4.4 and 4.9.
> Once testing of the whole fix sequence is done, we request to backport all 
> patches at once for 4.4 and 4.9.

If we want to pick whole set including older patches I think I need more
time for identifying which older patches (apart from these two I
identified causing the memory leak) should be taken in and for testing.

>
> Lukas

BR,

Jouni Högander

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2020-01-22  7:48         ` Jouni Högander
  2020-01-26 11:54           ` Lukas Bulwahn
@ 2020-01-28 10:28           ` Jouni Högander
  2020-01-28 13:29             ` Greg Kroah-Hartman
  1 sibling, 1 reply; 359+ messages in thread
From: Jouni Högander @ 2020-01-28 10:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Lukas Bulwahn, Greg Kroah-Hartman, open list, Andrew Morton,
	Ben Hutchings, linux- stable, Netdev, Al Viro, linux-fsdevel,
	Eric Dumazet, David S. Miller, syzkaller

Hello Greg,

jouni.hogander@unikie.com (Jouni Högander) writes:

> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
>>> > Now queued up, I'll push out -rc2 versions with this fix.
>>> >
>>> > greg k-h
>>> 
>>> We have also been informed about another regression these two commits
>>> are causing:
>>> 
>>> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/
>>> 
>>> I suggest to drop these two patches from this queue, and give us a
>>> week to shake out the regressions of the change, and once ready, we
>>> can include the complete set of fixes to stable (probably in a week or
>>> two).
>>
>> Ok, thanks for the information, I've now dropped them from all of the
>> queues that had them in them.
>>
>> greg k-h
>
> I have now run more extensive Syzkaller testing on following patches:
>
> cb626bf566eb net-sysfs: Fix reference count leak
> ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
> e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
> 48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
> b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
>
> These patches are fixing couple of memory leaks including this one found
> by Syzbot: https://syzkaller.appspot.com/bug?extid=ad8ca40ecd77896d51e2
>
> I can reproduce these memory leaks in following stable branches: 4.14,
> 4.19, and 5.4.
>
> These are all now merged into net/master tree and based on my testing
> they are ready to be taken into stable branches as well.
>
> Best Regards,
>
> Jouni Högander

These four patches are still missing from 4.14 and 4.19 branches:

ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject

Could you please consider taking them in or let me know if you want some
further activities from my side?

BR,

Jouni Högander

^ permalink raw reply	[flat|nested] 359+ messages in thread

* Re: [PATCH 4.19 000/306] 4.19.87-stable review
  2020-01-28 10:28           ` Jouni Högander
@ 2020-01-28 13:29             ` Greg Kroah-Hartman
  0 siblings, 0 replies; 359+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:29 UTC (permalink / raw)
  To: Jouni Högander
  Cc: Lukas Bulwahn, open list, Andrew Morton, Ben Hutchings,
	linux- stable, Netdev, Al Viro, linux-fsdevel, Eric Dumazet,
	David S. Miller, syzkaller

On Tue, Jan 28, 2020 at 12:28:15PM +0200, Jouni Högander wrote:
> Hello Greg,
> 
> jouni.hogander@unikie.com (Jouni Högander) writes:
> 
> > Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> >>> > Now queued up, I'll push out -rc2 versions with this fix.
> >>> >
> >>> > greg k-h
> >>> 
> >>> We have also been informed about another regression these two commits
> >>> are causing:
> >>> 
> >>> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-love.SAKURA.ne.jp/
> >>> 
> >>> I suggest to drop these two patches from this queue, and give us a
> >>> week to shake out the regressions of the change, and once ready, we
> >>> can include the complete set of fixes to stable (probably in a week or
> >>> two).
> >>
> >> Ok, thanks for the information, I've now dropped them from all of the
> >> queues that had them in them.
> >>
> >> greg k-h
> >
> > I have now run more extensive Syzkaller testing on following patches:
> >
> > cb626bf566eb net-sysfs: Fix reference count leak
> > ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
> > e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
> > 48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
> > b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
> >
> > These patches are fixing couple of memory leaks including this one found
> > by Syzbot: https://syzkaller.appspot.com/bug?extid=ad8ca40ecd77896d51e2
> >
> > I can reproduce these memory leaks in following stable branches: 4.14,
> > 4.19, and 5.4.
> >
> > These are all now merged into net/master tree and based on my testing
> > they are ready to be taken into stable branches as well.
> >
> > Best Regards,
> >
> > Jouni Högander
> 
> These four patches are still missing from 4.14 and 4.19 branches:
> 
> ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject
> e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje
> 48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage
> b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
> 
> Could you please consider taking them in or let me know if you want some
> further activities from my side?

Thanks for the list, I have now queued these all up.

greg k-h

^ permalink raw reply	[flat|nested] 359+ messages in thread

end of thread, other threads:[~2020-01-28 13:29 UTC | newest]

Thread overview: 359+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-27 20:27 [PATCH 4.19 000/306] 4.19.87-stable review Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 001/306] mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 002/306] net/mlx4_en: fix mlx4 ethtool -N insertion Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 003/306] net/mlx4_en: Fix wrong limitation for number of TX rings Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 004/306] net: rtnetlink: prevent underflows in do_setvfinfo() Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 005/306] net/sched: act_pedit: fix WARN() in the traffic path Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 006/306] net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 007/306] sfc: Only cancel the PPS workqueue if it exists Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 008/306] net/mlx5e: Fix set vf link state error flow Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 009/306] net/mlxfw: Verify FSM error code translation doesnt exceed array size Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 010/306] net/mlx5: Fix auto group size calculation Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 011/306] vhost/vsock: split packets to send using multiple buffers Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 012/306] gpio: max77620: Fixup debounce delays Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 013/306] tools: gpio: Correctly add make dependencies for gpio_utils Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 014/306] nbd:fix memory leak in nbd_get_socket() Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 015/306] virtio_console: allocate inbufs in add_port() only if it is needed Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 016/306] Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()" Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 017/306] mm/ksm.c: dont WARN if page is still mapped in remove_stable_node() Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 018/306] drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 019/306] drm/i915/pmu: "Frequency" is reported as accumulated cycles Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 020/306] drm/i915/userptr: Try to acquire the page lock around set_page_dirty() Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 021/306] mwifiex: Fix NL80211_TX_POWER_LIMITED Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 022/306] ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 023/306] crypto: testmgr - fix sizeof() on COMP_BUF_SIZE Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 024/306] printk: lock/unlock console only for new logbuf entries Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 025/306] printk: fix integer overflow in setup_log_buf() Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 026/306] pinctrl: madera: Fix uninitialized variable bug in madera_mux_set_mux Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 027/306] PCI: cadence: Write MSI data with 32bits Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 028/306] gfs2: Fix marking bitmaps non-full Greg Kroah-Hartman
2019-11-27 20:27 ` [PATCH 4.19 029/306] pty: fix compat ioctls Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 030/306] synclink_gt(): fix compat_ioctl() Greg Kroah-Hartman
2019-11-30 10:28   ` Pavel Machek
2019-11-27 20:28 ` [PATCH 4.19 031/306] powerpc: Fix signedness bug in update_flash_db() Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 032/306] powerpc/boot: Fix opal console in boot wrapper Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 033/306] powerpc/boot: Disable vector instructions Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 034/306] powerpc/eeh: Fix null deref for devices removed during EEH Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 035/306] powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 036/306] EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr() Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 037/306] mt76: do not store aggregation sequence number for null-data frames Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 038/306] mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 039/306] brcmsmac: AP mode: update beacon when TIM changes Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 040/306] ath10k: set probe request oui during driver start Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 041/306] ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 042/306] skd: fixup usage of legacy IO API Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 043/306] cdrom: dont attempt to fiddle with cdo->capability Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 044/306] spi: sh-msiof: fix deferred probing Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 045/306] mmc: mediatek: fill the actual clock for mmc debugfs Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 046/306] mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 047/306] PCI: mediatek: Fix class type for MT7622 to PCI_CLASS_BRIDGE_PCI Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 048/306] btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 049/306] btrfs: handle error of get_old_root Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 050/306] gsmi: Fix bug in append_to_eventlog sysfs handler Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 051/306] misc: mic: fix a DMA pool free failure Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 052/306] w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size) Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 053/306] m68k: fix command-line parsing when passed from u-boot Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 054/306] scsi: hisi_sas: Feed back linkrate(max/min) when re-attached Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 055/306] scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 056/306] scsi: hisi_sas: Free slot later in slot_complete_vx_hw() Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 057/306] RDMA/bnxt_re: Avoid NULL check after accessing the pointer Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 058/306] RDMA/bnxt_re: Fix qp async event reporting Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 059/306] RDMA/bnxt_re: Avoid resource leak in case the NQ registration fails Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 060/306] pinctrl: sunxi: Fix a memory leak in sunxi_pinctrl_build_state() Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 061/306] pwm: lpss: Only set update bit if we are actually changing the settings Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 062/306] amiflop: clean up on errors during setup Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 063/306] qed: Align local and global PTT to propagate through the APIs Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 064/306] scsi: ips: fix missing break in switch Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 065/306] nfp: bpf: protect against mis-initializing atomic counters Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 066/306] KVM: nVMX: reset cache/shadows when switching loaded VMCS Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 067/306] KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode() Greg Kroah-Hartman
2019-12-02 14:40   ` Jack Wang
2019-12-02 14:51     ` Greg Kroah-Hartman
2019-12-02 15:09       ` Paolo Bonzini
2019-12-02 16:06         ` Greg Kroah-Hartman
2019-12-03  9:21         ` Jack Wang
2019-12-03  9:31           ` Paolo Bonzini
2019-12-03 12:27             ` Jack Wang
2019-12-03 12:52               ` Paolo Bonzini
2019-12-03 19:16                 ` Greg Kroah-Hartman
2019-12-04 11:42                   ` Paolo Bonzini
2019-12-05  7:46                     ` Greg Kroah-Hartman
2019-12-04 17:50     ` Dan Rue
2019-12-05  9:51       ` Jack Wang
2019-12-05 20:52         ` Dan Rue
2019-12-06  8:54           ` Jack Wang
2019-11-27 20:28 ` [PATCH 4.19 068/306] KVM/x86: Fix invvpid and invept register operand size in 64-bit mode Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 069/306] clk: tegra: Fixes for MBIST work around Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 070/306] scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 071/306] scsi: isci: Change sci_controller_start_tasks return type to sci_status Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 072/306] scsi: bfa: Avoid implicit enum conversion in bfad_im_post_vendor_event Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 073/306] scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 074/306] crypto: ccree - avoid implicit enum conversion Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 075/306] nvmet: avoid integer overflow in the discard code Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 076/306] nvmet-fcloop: suppress a compiler warning Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 077/306] nvme-pci: fix hot removal during error handling Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 078/306] PCI: mediatek: Fixup MSI enablement logic by enabling MSI before clocks Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 079/306] clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 080/306] clk: at91: audio-pll: fix audio pmc type Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 081/306] ASoC: tegra_sgtl5000: fix device_node refcounting Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 082/306] scsi: dc395x: fix dma API usage in srb_done Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 083/306] scsi: dc395x: fix DMA API usage in sg_update_list Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 084/306] scsi: zorro_esp: Limit DMA transfers to 65535 bytes Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 085/306] net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 086/306] net: fix warning in af_unix Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 087/306] net: ena: Fix Kconfig dependency on X86 Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 088/306] xfs: fix use-after-free race in xfs_buf_rele Greg Kroah-Hartman
2019-11-27 20:28 ` [PATCH 4.19 089/306] xfs: clear ail delwri queued bufs on unmount of shutdown fs Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 090/306] kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 091/306] ACPI / scan: Create platform device for INT33FE ACPI nodes Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 092/306] PM / Domains: Deal with multiple states but no governor in genpd Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 093/306] ALSA: i2c/cs8427: Fix int to char conversion Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 094/306] macintosh/windfarm_smu_sat: Fix debug output Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 095/306] PCI: vmd: Detach resources after stopping root bus Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 096/306] USB: misc: appledisplay: fix backlight update_status return code Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 097/306] usbip: tools: fix atoi() on non-null terminated string Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 098/306] sctp: use sk_wmem_queued to check for writable space Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 099/306] dm raid: avoid bitmap with raid4/5/6 journal device Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 100/306] selftests/bpf: fix file resource leak in load_kallsyms Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 101/306] SUNRPC: Fix a compile warning for cmpxchg64() Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 102/306] sunrpc: safely reallow resvport min/max inversion Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 103/306] atm: zatm: Fix empty body Clang warnings Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 104/306] s390/perf: Return error when debug_register fails Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 105/306] swiotlb: do not panic on mapping failures Greg Kroah-Hartman
2019-11-28 21:20   ` Pavel Machek
2019-11-27 20:29 ` [PATCH 4.19 106/306] spi: omap2-mcspi: Set FIFO DMA trigger level to word length Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 107/306] x86/intel_rdt: Prevent pseudo-locking from using stale pointers Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 108/306] sparc: Fix parport build warnings Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 109/306] scsi: hisi_sas: Fix NULL pointer dereference Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 110/306] powerpc/pseries: Export raw per-CPU VPA data via debugfs Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 111/306] powerpc/mm/radix: Fix off-by-one in split mapping logic Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 112/306] powerpc/mm/radix: Fix overuse of small pages in splitting logic Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 113/306] powerpc/mm/radix: Fix small page at boundary when splitting Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 114/306] powerpc/64s/radix: Fix radix__flush_tlb_collapsed_pmd double flushing pmd Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 115/306] selftests/bpf: fix return value comparison for tests in test_libbpf.sh Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 116/306] tools: bpftool: fix completion for "bpftool map update" Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 117/306] ceph: fix dentry leak in ceph_readdir_prepopulate Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 118/306] ceph: only allow punch hole mode in fallocate Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 119/306] rtc: s35390a: Change bufs type to u8 in s35390a_init Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 120/306] RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 121/306] thermal: armada: fix a test in probe() Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 122/306] f2fs: fix to spread clear_cold_data() Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 123/306] f2fs: spread f2fs_set_inode_flags() Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 124/306] mISDN: Fix type of switch control variable in ctrl_teimanager Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 125/306] qlcnic: fix a return in qlcnic_dcb_get_capability() Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 126/306] net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 127/306] mfd: arizona: Correct calling of runtime_put_sync Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 128/306] mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 129/306] mfd: intel_soc_pmic_bxtwc: Chain power button IRQs as well Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 130/306] mfd: max8997: Enale irq-wakeup unconditionally Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 131/306] net: socionext: Stop PHY before resetting netsec Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 132/306] fs/cifs: fix uninitialised variable warnings Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 133/306] spi: uniphier: fix incorrect property items Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 134/306] selftests/ftrace: Fix to test kprobe $comm arg only if available Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 135/306] selftests: watchdog: fix message when /dev/watchdog open fails Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 136/306] selftests: watchdog: Fix error message Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 137/306] selftests: kvm: Fix -Wformat warnings Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 138/306] selftests: fix warning: "_GNU_SOURCE" redefined Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 139/306] thermal: rcar_thermal: fix duplicate IRQ request Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 140/306] thermal: rcar_thermal: Prevent hardware access during system suspend Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 141/306] net: ethernet: cadence: fix socket buffer corruption problem Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 142/306] bpf: devmap: fix wrong interface selection in notifier_call Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 143/306] bpf, btf: fix a missing check bug in btf_parse Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 144/306] powerpc/process: Fix flush_all_to_thread for SPE Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 145/306] sparc64: Rework xchg() definition to avoid warnings Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 146/306] arm64: lib: use C string functions with KASAN enabled Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 147/306] fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle() Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 148/306] mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock Greg Kroah-Hartman
2019-11-27 20:29 ` [PATCH 4.19 149/306] tools/testing/selftests/vm/gup_benchmark.c: fix write flag usage Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 150/306] mm: thp: fix MADV_DONTNEED vs migrate_misplaced_transhuge_page race condition Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 151/306] macsec: update operstate when lower device changes Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 152/306] macsec: let the administrator set UP state even if lowerdev is down Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 153/306] block: fix the DISCARD request merge Greg Kroah-Hartman
2019-12-14 14:13   ` [PATCH 4.19 153/306] block: fix the DISCARD request merge (4.19.87+ crash) Andre Tomt
2019-12-16  7:42     ` Jack Wang
2019-12-16  9:18       ` Andre Tomt
2019-12-16  9:25         ` Jack Wang
2019-12-16  9:28         ` Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 154/306] i2c: uniphier-f: make driver robust against concurrency Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 155/306] i2c: uniphier-f: fix occasional timeout error Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 156/306] i2c: uniphier-f: fix race condition when IRQ is cleared Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 157/306] um: Make line/tty semantics use true write IRQ Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 158/306] vfs: avoid problematic remapping requests into partial EOF block Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 159/306] ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12 Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 160/306] powerpc/xmon: Relax frame size for clang Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 161/306] selftests/powerpc/ptrace: Fix out-of-tree build Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 162/306] selftests/powerpc/signal: " Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 163/306] selftests/powerpc/switch_endian: " Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 164/306] selftests/powerpc/cache_shape: " Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 165/306] block: call rq_qos_exit() after queue is frozen Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 166/306] mm/gup_benchmark.c: prevent integer overflow in ioctl Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 167/306] linux/bitmap.h: handle constant zero-size bitmaps correctly Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 168/306] linux/bitmap.h: fix type of nbits in bitmap_shift_right() Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 169/306] lib/bitmap.c: fix remaining space computation in bitmap_print_to_pagebuf Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 170/306] hfsplus: fix BUG on bnode parent update Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 171/306] hfs: " Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 172/306] hfsplus: prevent btree data loss on ENOSPC Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 173/306] hfs: " Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 174/306] hfsplus: fix return value of hfsplus_get_block() Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 175/306] hfs: fix return value of hfs_get_block() Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 176/306] hfsplus: update timestamps on truncate() Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 177/306] hfs: update timestamp " Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 178/306] fs/hfs/extent.c: fix array out of bounds read of array extent Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 179/306] kernel/panic.c: do not append newline to the stack protector panic string Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 180/306] mm/memory_hotplug: make add_memory() take the device_hotplug_lock Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 181/306] mm/memory_hotplug: fix online/offline_pages called w.o. mem_hotplug_lock Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 182/306] powerpc/powernv: hold device_hotplug_lock when calling device_online() Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 183/306] igb: shorten maximum PHC timecounter update interval Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 184/306] fm10k: ensure completer aborts are marked as non-fatal after a resume Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting Greg Kroah-Hartman
2019-11-29 11:00   ` Pavel Machek
2019-11-29 14:31     ` Greg Kroah-Hartman
2019-11-29 22:24       ` Pavel Machek
2019-12-03 12:27         ` Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 186/306] net: hns3: bugfix for reporting unknown vector0 interrupt repeatly problem Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 187/306] net: hns3: bugfix for is_valid_csq_clean_head() Greg Kroah-Hartman
2019-12-04 12:38   ` Pavel Machek
2019-11-27 20:30 ` [PATCH 4.19 188/306] net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 189/306] ntb_netdev: fix sleep time mismatch Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 190/306] ntb: intel: fix return value for ndev_vec_mask() Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 191/306] irq/matrix: Fix memory overallocation Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 192/306] nvme-pci: fix conflicting p2p resource adds Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 193/306] arm64: makefile fix build of .i file in external module case Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 194/306] tools/power turbosat: fix AMD APIC-id output Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 195/306] mm: handle no memcg case in memcg_kmem_charge() properly Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 196/306] ocfs2: without quota support, avoid calling quota recovery Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 197/306] ocfs2: dont use iocb when EIOCBQUEUED returns Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 198/306] ocfs2: dont put and assigning null to bh allocated outside Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 199/306] ocfs2: fix clusters leak in ocfs2_defrag_extent() Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 200/306] net: do not abort bulk send on BQL status Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 201/306] sched/topology: Fix off by one bug Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 202/306] sched/fair: Dont increase sd->balance_interval on newidle balance Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 203/306] openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 204/306] ARM: dts: imx6sx-sdb: Fix enet phy regulator Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 205/306] clk: sunxi-ng: enable so-said LDOs for A64 SoCs pll-mipi clock Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 206/306] soc: bcm: brcmstb: Fix re-entry point with a THUMB2_KERNEL Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 207/306] audit: print empty EXECVE args Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 208/306] sock_diag: fix autoloading of the raw_diag module Greg Kroah-Hartman
2019-11-27 20:30 ` [PATCH 4.19 209/306] net: bpfilter: fix iptables failure if bpfilter_umh is disabled Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 210/306] nds32: Fix bug in bitfield.h Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 211/306] media: ov13858: Check for possible null pointer Greg Kroah-Hartman
2019-12-03 10:22   ` Pavel Machek
2019-12-03 10:31     ` Sakari Ailus
2019-11-27 20:31 ` [PATCH 4.19 212/306] btrfs: avoid link error with CONFIG_NO_AUTO_INLINE Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 213/306] wil6210: fix debugfs memory access alignment Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 214/306] wil6210: fix L2 RX status handling Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 215/306] wil6210: fix RGF_CAF_ICR address for Talyn-MB Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 216/306] wil6210: fix locking in wmi_call Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 217/306] ath10k: snoc: fix unbalanced clock error handling Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 218/306] wlcore: Fix the return value in case of error in wlcore_vendor_cmd_smart_config_start() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 219/306] rtl8xxxu: Fix missing break in switch Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 220/306] brcmsmac: never log "tid x is not aggable" by default Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 221/306] wireless: airo: potential buffer overflow in sprintf() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 222/306] rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 223/306] net: dsa: bcm_sf2: Turn on PHY to allow successful registration Greg Kroah-Hartman
2019-11-29 13:00   ` Pavel Machek
2019-11-27 20:31 ` [PATCH 4.19 224/306] scsi: mpt3sas: Fix Sync cache command failure during driver unload Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 225/306] scsi: mpt3sas: Dont modify EEDPTagMode field setting on SAS3.5 HBA devices Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 226/306] scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11 Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 227/306] scsi: megaraid_sas: Fix msleep granularity Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 228/306] scsi: megaraid_sas: Fix goto labels in error handling Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 229/306] scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 230/306] scsi: lpfc: Fix odd recovery in duplicate FLOGIs in point-to-point Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 231/306] scsi: lpfc: Correct loss of fc4 type on remote port address change Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 232/306] usb: typec: tcpm: charge current handling for sink during hard reset Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 233/306] dlm: fix invalid free Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 234/306] dlm: dont leak kernel pointer to userspace Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 235/306] vrf: mark skb for multicast or link-local as enslaved to VRF Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 236/306] clk: tegra20: Turn EMC clock gate into divider Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 237/306] ACPICA: Use %d for signed int print formatting instead of %u Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 238/306] net: bcmgenet: return correct value ret from bcmgenet_power_down Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 239/306] sock: Reset dst when changing sk_mark via setsockopt Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 240/306] of: unittest: allow base devicetree to have symbol metadata Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 241/306] of: unittest: initialize args before calling of_*parse_*() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 242/306] tools: bpftool: pass an argument to silence open_obj_pinned() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 243/306] cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 244/306] pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 245/306] pinctrl: bcm2835: Use define directive for BCM2835_PINCONF_PARAM_PULL Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 246/306] pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 247/306] pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 248/306] PCI: keystone: Use quirk to limit MRRS for K2G Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 249/306] nvme-pci: fix surprise removal Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 250/306] spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 251/306] i2c: uniphier-f: fix timeout error after reading 8 bytes Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 252/306] mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 253/306] ipv6: Fix handling of LLA with VRF and sockets bound to VRF Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 254/306] cfg80211: call disconnect_wk when AP stops Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 255/306] mm/page_io.c: do not free shared swap slots Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 256/306] Bluetooth: Fix invalid-free in bcsp_close() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 257/306] KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 258/306] ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 259/306] ath9k_hw: fix uninitialized variable data Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 260/306] md/raid10: prevent access of uninitialized resync_pages offset Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 262/306] net: phy: dp83867: fix speed 10 in sgmii mode Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 263/306] net: phy: dp83867: increase SGMII autoneg timer duration Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 264/306] ocfs2: remove ocfs2_is_o2cb_active() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 265/306] ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 266/306] ARC: perf: Accommodate big-endian CPU Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 267/306] x86/insn: Fix awk regexp warnings Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 268/306] x86/speculation: Fix incorrect MDS/TAA mitigation status Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 4.19 269/306] x86/speculation: Fix redundant MDS mitigation message Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 270/306] nbd: prevent memory leak Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 271/306] x86/doublefault/32: Fix stack canaries in the double fault handler Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 272/306] x86/pti/32: Size initial_page_table correctly Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 273/306] x86/cpu_entry_area: Add guard page for entry stack on 32bit Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 274/306] selftests/x86/mov_ss_trap: Fix the SYSENTER test Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 275/306] selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 276/306] x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the CPU_ENTRY_AREA_PAGES assert precise Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 277/306] x86/entry/32: Fix FIXUP_ESPFIX_STACK with user CR3 Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 278/306] y2038: futex: Move compat implementation into futex.c Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 279/306] futex: Prevent robust futex exit race Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 280/306] ALSA: usb-audio: Fix NULL dereference at parsing BADD Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 281/306] nfc: port100: handle command failure cleanly Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 282/306] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Greg Kroah-Hartman
2019-11-28  3:33   ` Nobuhiro Iwamatsu
2019-11-28  7:35     ` Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 283/306] media: vivid: Set vid_cap_streaming and vid_out_streaming to true Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 284/306] media: vivid: Fix wrong locking that causes race conditions on streaming stop Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 285/306] media: usbvision: Fix races among open, close, and disconnect Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 286/306] cpufreq: Add NULL checks to show() and store() methods of cpufreq Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 287/306] media: uvcvideo: Fix error path in control parsing failure Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 288/306] media: b2c2-flexcop-usb: add sanity checking Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 289/306] media: cxusb: detect cxusb_ctrl_msg error in query Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 290/306] media: imon: invalid dereference in imon_touch_event Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 291/306] virtio_ring: fix return code on DMA mapping fails Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 292/306] USBIP: add config dependency for SGL_ALLOC Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 293/306] usbip: tools: fix fd leakage in the function of read_attr_usbip_status Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 294/306] usbip: Fix uninitialized symbol nents in stub_recv_cmd_submit() Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 295/306] usb-serial: cp201x: support Mark-10 digital force gauge Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 296/306] USB: chaoskey: fix error case of a timeout Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 297/306] appledisplay: fix error handling in the scheduled work Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 298/306] USB: serial: mos7840: add USB ID to support Moxa UPort 2210 Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 299/306] USB: serial: mos7720: fix remote wakeup Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 300/306] USB: serial: mos7840: " Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 301/306] USB: serial: option: add support for DW5821e with eSIM support Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 302/306] USB: serial: option: add support for Foxconn T77W968 LTE modules Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 303/306] staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 304/306] powerpc/64s: support nospectre_v2 cmdline option Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 305/306] powerpc/book3s64: Fix link stack flush on context switch Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 4.19 306/306] KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel Greg Kroah-Hartman
2019-11-28  0:27 ` [PATCH 4.19 000/306] 4.19.87-stable review Daniel Díaz
2019-11-28  8:05   ` Greg Kroah-Hartman
2019-11-28  6:53 ` Naresh Kamboju
2019-11-28  7:36   ` Greg Kroah-Hartman
2019-11-28 15:56     ` shuah
2019-11-28 23:57       ` shuah
2019-11-29  6:43         ` Greg Kroah-Hartman
2019-11-29  5:46     ` Lukas Bulwahn
2019-11-29  8:58       ` Greg Kroah-Hartman
2020-01-22  7:48         ` Jouni Högander
2020-01-26 11:54           ` Lukas Bulwahn
2020-01-27  8:42             ` Jouni Högander
2020-01-27 21:16               ` Lukas Bulwahn
2020-01-28  8:46                 ` Jouni Högander
2020-01-28 10:28           ` Jouni Högander
2020-01-28 13:29             ` Greg Kroah-Hartman
2019-11-29  8:54     ` Naresh Kamboju
2019-11-28 10:56 ` Jon Hunter
2019-11-28 16:17 ` Guenter Roeck
2019-11-29 10:37 ` Greg Kroah-Hartman
2019-11-29 20:15   ` Naresh Kamboju

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).