Stable Archive on lore.kernel.org
 help / Atom feed
* [PATCH 4.14 000/205] 4.14.99-stable review
@ 2019-02-11 14:16 Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 001/205] drm/bufs: Fix Spectre v1 vulnerability Greg Kroah-Hartman
                   ` (208 more replies)
  0 siblings, 209 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.14.99 release.
There are 205 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Feb 13 14:17:19 UTC 2019.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.99-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.14.99-rc1

Peter Zijlstra <peterz@infradead.org>
    perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu()

Mike Marciniszyn <mike.marciniszyn@intel.com>
    IB/hfi1: Add limit test for RC/UC send via loopback

J. Bruce Fields <bfields@redhat.com>
    nfsd4: catch some false session retries

J. Bruce Fields <bfields@redhat.com>
    nfsd4: fix cached replies to solo SEQUENCE compounds

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    serial: 8250_pci: Make PCI class test non fatal

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    serial: fix race between flush_to_ldisc and tty_open

Gustavo A. R. Silva <gustavo@embeddedor.com>
    perf tests evsel-tp-sched: Fix bitwise operator

Mark Rutland <mark.rutland@arm.com>
    perf/core: Don't WARN() for impossible ring-buffer sizes

Tony Luck <tony.luck@intel.com>
    x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out()

Kan Liang <kan.liang@linux.intel.com>
    perf/x86/intel/uncore: Add Node ID mask

Josh Poimboeuf <jpoimboe@redhat.com>
    cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM

Peter Shier <pshier@google.com>
    KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)

Jann Horn <jannh@google.com>
    kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)

James Bottomley <James.Bottomley@HansenPartnership.com>
    scsi: aic94xx: fix module loading

Vaibhav Jain <vaibhav@linux.ibm.com>
    scsi: cxlflash: Prevent deadlock when adapter probe fails

Johan Hovold <johan@kernel.org>
    staging: speakup: fix tty-operation NULL derefs

Paul Elder <paul.elder@ideasonboard.com>
    usb: gadget: musb: fix short isoc packets with inventra dma

Gustavo A. R. Silva <gustavo@embeddedor.com>
    usb: gadget: udc: net2272: Fix bitwise and boolean operations

Tejas Joglekar <tejas.joglekar@synopsys.com>
    usb: dwc3: gadget: Handle 0 xfer length for OUT EP

Bin Liu <b-liu@ti.com>
    usb: phy: am335x: fix race condition in _probe

Marc Zyngier <marc.zyngier@arm.com>
    irqchip/gic-v3-its: Plug allocation race for devices sharing a DevID

Thomas Gleixner <tglx@linutronix.de>
    futex: Handle early deadlock return correctly

Leonid Iziumtsev <leonid.iziumtsev@gmail.com>
    dmaengine: imx-dma: fix wrong callback invoke

Lukas Wunner <lukas@wunner.de>
    dmaengine: bcm2835: Fix abort of transactions

Lukas Wunner <lukas@wunner.de>
    dmaengine: bcm2835: Fix interrupt race on RT

Miklos Szeredi <mszeredi@redhat.com>
    fuse: handle zero sized retrieve correctly

Miklos Szeredi <mszeredi@redhat.com>
    fuse: decrement NR_WRITEBACK_TEMP on the right page

Jann Horn <jannh@google.com>
    fuse: call pipe_buf_release() under pipe lock

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Serialize codec registrations

Charles Keepax <ckeepax@opensource.cirrus.com>
    ALSA: compress: Fix stop handling on compressed capture streams

Rundong Ge <rdong.ge@gmail.com>
    net: dsa: slave: Don't propagate flag changes on down slave interfaces

Cong Wang <xiyou.wangcong@gmail.com>
    net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames

Florian Fainelli <f.fainelli@gmail.com>
    net: systemport: Fix WoL with password after deep sleep

Eric Dumazet <edumazet@google.com>
    rds: fix refcount bug in rds_sock_addref

Dan Carpenter <dan.carpenter@oracle.com>
    skge: potential memory corruption in skge_get_regs()

Eric Dumazet <edumazet@google.com>
    rxrpc: bad unlock balance in rxrpc_recvmsg

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    net: dp83640: expire old TX-skb

Govindarajulu Varadarajan <gvaradar@cisco.com>
    enic: fix checksum validation for IPv6

Eric Dumazet <edumazet@google.com>
    dccp: fool proof ccid_hc_[rt]x_parse_options()

Eduardo Valentin <edubezval@gmail.com>
    thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set

Du Changbin <changbin.du@gmail.com>
    scripts/gdb: fix lx-version string output

Oleg Nesterov <oleg@redhat.com>
    exec: load_script: don't blindly truncate shebang string

Davidlohr Bueso <dave@stgolabs.net>
    fs/epoll: drop ovflist branch prediction

Liu, Chuansheng <chuansheng.liu@intel.com>
    kernel/hung_task.c: force console verbose before panic

Cheng Lin <cheng.lin130@zte.com.cn>
    proc/sysctl: fix return error for proc_doulongvec_minmax()

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    kernel/hung_task.c: break RCU locks based on jiffies

Benjamin Gordon <bmgordon@google.com>
    fs/proc/base.c: use ns_capable instead of capable for timerslack_ns

Aditya Pakki <pakki001@umn.edu>
    HID: lenovo: Add checks to fix of_led_classdev_register

Bjorn Andersson <bjorn.andersson@linaro.org>
    thermal: generic-adc: Fix adc to temp interpolation

Douglas Anderson <dianders@chromium.org>
    kdb: Don't back trace on a cpu that didn't round up

Matthias Brugger <mbrugger@suse.com>
    thermal: bcm2835: enable hwmon explicitly

Finn Thain <fthain@telegraphics.com.au>
    block/swim3: Fix -EBUSY error when re-opening device after unmount

Scott Wood <oss@buserror.net>
    fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address()

Wenwen Wang <wang6495@umn.edu>
    gdrom: fix a memory leak bug

Jia-Ju Bai <baijiaju1990@gmail.com>
    isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw()

Larry Chen <lchen@suse.com>
    ocfs2: improve ocfs2 Makefile

Junxiao Bi <junxiao.bi@oracle.com>
    ocfs2: don't clear bh uptodate for block read

Marc Zyngier <marc.zyngier@arm.com>
    scripts/decode_stacktrace: only strip base path when a prefix of the path

Ondrej Mosnacek <omosnace@redhat.com>
    cgroup: fix parsing empty mount option string

Sahitya Tummala <stummala@codeaurora.org>
    f2fs: fix sbi->extent_list corruption issue

Kangjie Lu <kjlu@umn.edu>
    niu: fix missing checks of niu_pci_eeprom_read

Anton Ivanov <anton.ivanov@cambridgegreys.com>
    um: Avoid marking pages with "changed protection"

Ronnie Sahlberg <lsahlber@redhat.com>
    cifs: check ntwrk_buf_start for NULL before dereferencing it

Stefan Roese <sr@denx.de>
    MIPS: ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8

Nathan Chancellor <natechancellor@gmail.com>
    crypto: ux500 - Use proper enum in hash_set_dma_transfer

Nathan Chancellor <natechancellor@gmail.com>
    crypto: ux500 - Use proper enum in cryp_set_dma_transfer

Michael Ellerman <mpe@ellerman.id.au>
    seq_buf: Make seq_buf_puts() null-terminate the buffer

Kangjie Lu <kjlu@umn.edu>
    hwmon: (lm80) fix a missing check of bus read in lm80 probe

Kangjie Lu <kjlu@umn.edu>
    hwmon: (lm80) fix a missing check of the status of SMBus read

Chris Perl <cperl@janestreet.com>
    NFS: nfs_compare_mount_options always compare auth flavors.

Jim Mattson <jmattson@google.com>
    kvm: Change offset in kvm_write_guest_offset_cached to unsigned

Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
    powerpc/fadump: Do not allow hot-remove memory from fadump reserved area.

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    pinctrl: meson: meson8b: fix the GPIO function for the GPIOAO pins

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins

Christophe Leroy <christophe.leroy@c-s.fr>
    powerpc/mm: Fix reporting of kernel execute faults on the 8xx

Noralf Trønnes <noralf@tronnes.org>
    fbdev: fbcon: Fix unregister crash when more than one framebuffer

Lenny Szubowicz <lszubowi@redhat.com>
    ACPI/APEI: Clear GHES block_status before panic()

Kai-Heng Feng <kai.heng.feng@canonical.com>
    igb: Fix an issue that PME is not enabled during runtime suspend

Konstantin Khorenko <khorenko@virtuozzo.com>
    i40e: define proper net_device::neigh_priv_len

Peter Rosin <peda@axentia.se>
    fbdev: fbmem: behave better with small rotated displays and many CPUs

Guoqing Jiang <gqjiang@suse.com>
    md: fix raid10 hang issue caused by barrier

Alexey Khoroshilov <khoroshilov@ispras.ru>
    video: clps711x-fb: release disp device node in probe()

Nathan Chancellor <natechancellor@gmail.com>
    drbd: Avoid Clang warning about pointless switch statment

Lars Ellenberg <lars.ellenberg@linbit.com>
    drbd: skip spurious timeout (ping-timeo) when failing promote

Lars Ellenberg <lars.ellenberg@linbit.com>
    drbd: disconnect, if the wrong UUIDs are attached on a connected peer

Roland Kammerer <roland.kammerer@linbit.com>
    drbd: narrow rcu_read_lock in drbd_sync_handshake

Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
    powerpc/perf: Fix thresholding counter data for unknown type

Jia-Ju Bai <baijiaju1990@gmail.com>
    cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()

Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
    scsi: smartpqi: increase fw status register read timeout

Dave Carroll <david.carroll@microsemi.com>
    scsi: smartpqi: correct volume status

Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
    scsi: smartpqi: correct host serial num for ssa

Ido Schimmel <idosch@mellanox.com>
    mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG

Johan Hedberg <johan.hedberg@intel.com>
    Bluetooth: Fix unnecessary error message for HCI request completion

YueHaibing <yuehaibing@huawei.com>
    xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi

Johannes Berg <johannes.berg@intel.com>
    mac80211: fix radiotap vendor presence bitmap handling

Christophe Leroy <christophe.leroy@c-s.fr>
    powerpc/uaccess: fix warning/error with access_ok()

Dennis Zhou <dennis@kernel.org>
    percpu: convert spin_lock_irq to spin_lock_irqsave.

Bin Liu <b-liu@ti.com>
    usb: musb: dsps: fix otg state machine

Mark Rutland <mark.rutland@arm.com>
    arm64: KVM: Skip MMIO insn after emulation

Michael Mueller <mimu@linux.ibm.com>
    KVM: s390: unregister debug feature on failing arch init

Arnaldo Carvalho de Melo <acme@redhat.com>
    perf probe: Fix unchecked usage of strncpy()

Arnaldo Carvalho de Melo <acme@redhat.com>
    perf header: Fix unchecked usage of strncpy()

Adrian Hunter <adrian.hunter@intel.com>
    perf test: Fix perf_event_attr test failure

Beomho Seo <beomho.seo@samsung.com>
    tty: serial: samsung: Properly set flags in autoCTS mode

Adrian Hunter <adrian.hunter@intel.com>
    mmc: sdhci-xenon: Fix timeout checks

Adrian Hunter <adrian.hunter@intel.com>
    mmc: sdhci-of-esdhc: Fix timeout checks

Kai-Heng Feng <kai.heng.feng@canonical.com>
    memstick: Prevent memstick host from getting runtime suspended during card detection

Michal Suchanek <msuchanek@suse.de>
    mmc: bcm2835: reset host on timeout

Phil Elwell <phil@raspberrypi.org>
    mmc: bcm2835: Recover from MMC_SEND_EXT_CSD

Suraj Jitindar Singh <sjitindarsingh@gmail.com>
    KVM: PPC: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv machines

Arnd Bergmann <arnd@arndb.de>
    ARM: mmp: fix timer_init calls

Fabio Estevam <festevam@gmail.com>
    ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M

Arnd Bergmann <arnd@arndb.de>
    ARM: pxa: avoid section mismatch warning

Stanislav Fomichev <sdf@google.com>
    selftests/bpf: use __bpf_constant_htons in test_prog.c

Joey Zhang <joey.zhang@microchip.com>
    switchtec: Fix SWITCHTEC_IOCTL_EVENT_IDX_ALL flags overwrite

Jan Kara <jack@suse.cz>
    udf: Fix BUG on corrupted inode

Icenowy Zheng <icenowy@aosc.io>
    phy: sun4i-usb: add support for missing USB PHY index

Adamski, Krzysztof (Nokia - PL/Wroclaw) <krzysztof.adamski@nokia.com>
    i2c-axxia: check for error conditions first

Viresh Kumar <viresh.kumar@linaro.org>
    OPP: Use opp_table->regulators to verify no regulator case

Yangtao Li <tiny.windzz@gmail.com>
    cpuidle: big.LITTLE: fix refcount leak

Anson Huang <anson.huang@nxp.com>
    clk: imx6sl: ensure MMDC CH0 handshake is bypassed

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    sata_rcar: fix deferred probing

Will Deacon <will.deacon@arm.com>
    iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer

Vivek Gautam <vivek.gautam@codeaurora.org>
    iommu/arm-smmu: Add support for qcom,smmu-v2 variant

Tejas Joglekar <tejas.joglekar@synopsys.com>
    usb: dwc3: gadget: Disable CSP for stream OUT ep

Wolfram Sang <wsa+renesas@sang-engineering.com>
    watchdog: renesas_wdt: don't set divider while watchdog is running

Dan Carpenter <dan.carpenter@oracle.com>
    tracing: Have trace_stack nr_entries compare not be so subtle

Linus Walleij <linus.walleij@linaro.org>
    ARM: dts: Fix up the D-Link DIR-685 MTD partition info

Philipp Zabel <p.zabel@pengutronix.de>
    media: coda: fix H.264 deblocking filter controls

Jiong Wang <jiong.wang@netronome.com>
    mips: bpf: fix encoding bug for mm_srlv32_op

Russell King - ARM Linux <linux@armlinux.org.uk>
    ARM: dts: Fix OMAP4430 SDP Ethernet startup

Yu Zhao <yuzhao@google.com>
    iommu/amd: Fix amd_iommu=force_isolation

Nicholas Mc Guire <hofrat@osadl.org>
    pinctrl: sx150x: handle failure case of devm_kstrdup

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    usb: dwc3: trace: add missing break statement to make compiler happy

Kaike Wan <kaike.wan@intel.com>
    IB/hfi1: Unreserve a reserved request when it is completed

Peter Rajnoha <prajnoha@redhat.com>
    kobject: return error code if writing /sys/.../uevent fails

Alexander Duyck <alexander.h.duyck@linux.intel.com>
    driver core: Move async_synchronize_full call

Chen-Yu Tsai <wens@csie.org>
    clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module clocks

Chunfeng Yun <chunfeng.yun@mediatek.com>
    usb: mtu3: fix the issue about SetFeature(U1/U2_Enable)

Bart Van Assche <bvanassche@acm.org>
    timekeeping: Use proper seqcount initializer

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: hub: delay hub autosuspend if USB3 port is still link training

Anurag Kumar Vulisha <anurag.kumar.vulisha@xilinx.com>
    usb: dwc3: Correct the logic for checking TRB full in __dwc3_prepare_one_trb()

Zoran Markovic <zmarkovic@sierrawireless.com>
    smack: fix access permissions for keyring

Alexey Khoroshilov <khoroshilov@ispras.ru>
    media: DaVinci-VPBE: fix error handling in vpbe_initialize()

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    x86/fpu: Add might_fault() to user_insn()

Lubomir Rintel <lkundrak@v3.sk>
    ARM: mmp/mmp2: dt: enable the clock

Lubomir Rintel <lkundrak@v3.sk>
    ARM: dts: mmp2: fix TWSI2

Mark Rutland <mark.rutland@arm.com>
    arm64: ftrace: don't adjust the LR value

Harald Freudenberger <freude@linux.ibm.com>
    s390/zcrypt: improve special ap message cmd handling

Arend van Spriel <arend.vanspriel@broadcom.com>
    firmware/efi: Add NULL pointer checks in efivars API functions

Wei Wang <wvw@google.com>
    Thermal: do not clear passive state during system sleep

Will Deacon <will.deacon@arm.com>
    arm64: io: Ensure value passed to __iormb() is held in a 64-bit register

Sean Paul <seanpaul@chromium.org>
    drm: Clear state->acquire_ctx before leaving drm_atomic_helper_commit_duplicated_state()

J. Bruce Fields <bfields@redhat.com>
    nfsd4: fix crash on writing v4_end_grace before nfsd startup

Yangtao Li <tiny.windzz@gmail.com>
    soc: bcm: brcmstb: Don't leak device tree node reference

Young Xiao <YangX92@hotmail.com>
    sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN

Will Deacon <will.deacon@arm.com>
    arm64: io: Ensure calls to delay routines are ordered against prior readX()

Simon Horman <horms+renesas@verge.net.au>
    i2c: sh_mobile: add support for r8a77990 (R-Car E3)

Tiezhu Yang <kernelpatch@126.com>
    f2fs: fix wrong return value of f2fs_acl_create

Sheng Yong <shengyong1@huawei.com>
    f2fs: fix race between write_checkpoint and write_begin

Jaegeuk Kim <jaegeuk@kernel.org>
    f2fs: avoid build warn of fall_through

Yunlei He <heyunlei@huawei.com>
    f2fs: move dir data flush to write checkpoint process

Michael Straube <straube.linux@gmail.com>
    staging: pi433: fix potential null dereference

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    ACPI: SPCR: Consider baud rate 0 as preconfigured state

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: adv*/tc358743/ths8200: fill in min width/height/pixelclock

Hans de Goede <hdegoede@redhat.com>
    iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    iio: adc: meson-saradc: fix internal clock names

Nicholas Mc Guire <hofrat@osadl.org>
    iio: adc: meson-saradc: check for devm_kasprintf failure

Nathan Chancellor <natechancellor@gmail.com>
    dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll

YueHaibing <yuehaibing@huawei.com>
    ptp: Fix pass zero to ERR_PTR() in ptp_clock_register

Alexey Khoroshilov <khoroshilov@ispras.ru>
    media: mtk-vcodec: Release device nodes in mtk_vcodec_init_enc_pm()

Yangtao Li <tiny.windzz@gmail.com>
    soc/tegra: Don't leak device tree node reference

Pu Wen <puwen@hygon.cn>
    perf tools: Add Hygon Dhyana support

Sami Tolvanen <samitolvanen@google.com>
    modpost: validate symbol names also in find_elf_symbol

Saeed Mahameed <saeedm@mellanox.com>
    net/mlx5: EQ, Use the right place to store/read IRQ affinity hint

Nathan Chancellor <natechancellor@gmail.com>
    ARM: OMAP2+: hwmod: Fix some section annotations

Damian Kos <dkos@cadence.com>
    drm/rockchip: fix for mailbox read size

Ben Dooks <ben.dooks@codethink.co.uk>
    usbnet: smsc95xx: fix rx packet alignment

Renato Lui Geh <renatogeh@gmail.com>
    staging: iio: ad7780: update voltage on read

Brian Norris <briannorris@chromium.org>
    platform/chrome: don't report EC_MKBP_EVENT_SENSOR_FIFO as wakeup

Dexuan Cui <decui@microsoft.com>
    Tools: hv: kvp: Fix a warning of buffer overflow with gcc 8.0.1

Andreas Puhm <puhm@oregano.at>
    fpga: altera-cvp: Fix registration for CvP incapable devices

Matheus Tavares <matheus.bernardino@usp.br>
    staging:iio:ad2s90: Make probe handle spi_setup failure

Paul Burton <paul.burton@mips.com>
    MIPS: Boston: Disable EG20T prefetch

Miroslav Lichvar <mlichvar@redhat.com>
    ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl

Andy Duan <fugang.duan@nxp.com>
    serial: fsl_lpuart: clear parity enable bit when disable parity

Boris Brezillon <boris.brezillon@bootlin.com>
    drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE

Eric Biggers <ebiggers@google.com>
    crypto: aes_ti - disable interrupts while accessing S-box

Frank Rowand <frank.rowand@sony.com>
    powerpc/pseries: add of_node_put() in dlpar_detach_node()

Colin Ian King <colin.king@canonical.com>
    x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux)

Bob Peterson <rpeterso@redhat.com>
    dlm: Don't swamp the CPU with callbacks queued during recovery

Yi Wang <wang.yi59@zte.com.cn>
    clk: boston: fix possible memory leak in clk_boston_setup()

Yufen Wang <wangyufen@huawei.com>
    ARM: 8808/1: kexec:offline panic_smp_self_stop CPU

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event

Suganath Prabu <suganath-prabu.subramani@broadcom.com>
    scsi: mpt3sas: Call sas_remove_host before removing the target devices

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Correct LCB RJT handling

Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
    ath9k: dynack: use authentication messages for 'late' ack

Steve Longerbeam <slongerbeam@gmail.com>
    gpu: ipu-v3: image-convert: Prevent race between run and unprepare

Arnd Bergmann <arnd@arndb.de>
    ASoC: Intel: mrfld: fix uninitialized variable access

Lukas Wunner <lukas@wunner.de>
    pinctrl: bcm2835: Use raw spinlock for RT compatibility

Deepak Sharma <deepak.sharma@amd.com>
    drm/vgem: Fix vgem_init to get drm device available.

Slawomir Stepien <sst@poczta.fm>
    staging: iio: adc: ad7280a: handle error from __ad7280_read32()

Gustavo A. R. Silva <gustavo@embeddedor.com>
    drm/bufs: Fix Spectre v1 vulnerability


-------------

Diffstat:

 Makefile                                           |  4 +-
 arch/arm/boot/dts/gemini-dlink-dir-685.dts         | 16 ++--
 arch/arm/boot/dts/mmp2.dtsi                        |  9 +-
 arch/arm/boot/dts/omap4-sdp.dts                    |  1 +
 arch/arm/kernel/smp.c                              | 15 ++++
 arch/arm/mach-mmp/common.h                         |  2 +-
 arch/arm/mach-mmp/mmp2.c                           |  2 +-
 arch/arm/mach-mmp/pxa168.c                         |  2 +-
 arch/arm/mach-mmp/pxa910.c                         |  2 +-
 arch/arm/mach-mmp/time.c                           | 32 ++++---
 arch/arm/mach-omap2/omap_hwmod.c                   |  6 +-
 arch/arm/mach-pxa/cm-x300.c                        |  2 +-
 arch/arm/mach-pxa/littleton.c                      |  2 +-
 arch/arm/mach-pxa/zeus.c                           |  2 +-
 arch/arm64/include/asm/io.h                        | 32 +++++--
 arch/arm64/kernel/entry-ftrace.S                   |  1 -
 arch/mips/boot/dts/img/boston.dts                  |  6 ++
 arch/mips/include/uapi/asm/inst.h                  |  2 +-
 arch/mips/ralink/Kconfig                           |  1 +
 arch/powerpc/include/asm/fadump.h                  |  2 +-
 arch/powerpc/include/asm/uaccess.h                 |  2 +-
 arch/powerpc/kernel/fadump.c                       | 10 ++-
 arch/powerpc/kvm/powerpc.c                         |  5 +-
 arch/powerpc/mm/fault.c                            |  4 +-
 arch/powerpc/perf/isa207-common.c                  |  7 +-
 arch/powerpc/platforms/pseries/dlpar.c             |  2 +
 arch/powerpc/platforms/pseries/hotplug-memory.c    |  7 +-
 arch/s390/include/uapi/asm/zcrypt.h                |  4 +-
 arch/s390/kvm/kvm-s390.c                           | 17 +++-
 arch/um/include/asm/pgtable.h                      |  9 +-
 arch/x86/events/intel/core.c                       | 10 ++-
 arch/x86/events/intel/uncore_snbep.c               |  4 +-
 arch/x86/include/asm/fpu/internal.h                |  3 +
 arch/x86/kernel/cpu/bugs.c                         |  2 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |  1 +
 arch/x86/kvm/svm.c                                 |  7 ++
 arch/x86/kvm/vmx.c                                 |  4 +-
 arch/x86/kvm/x86.c                                 |  7 ++
 arch/x86/pci/broadcom_bus.c                        |  4 +-
 crypto/Kconfig                                     |  3 +-
 crypto/aes_ti.c                                    | 18 ++++
 drivers/acpi/apei/ghes.c                           |  2 +
 drivers/acpi/spcr.c                                | 11 +++
 drivers/ata/sata_rcar.c                            |  4 +-
 drivers/base/bus.c                                 | 12 ++-
 drivers/base/core.c                                |  8 +-
 drivers/base/dd.c                                  |  6 +-
 drivers/base/power/opp/core.c                      | 11 ++-
 drivers/block/drbd/drbd_nl.c                       | 15 ++--
 drivers/block/drbd/drbd_receiver.c                 | 13 +--
 drivers/block/sunvdc.c                             |  5 ++
 drivers/block/swim3.c                              |  6 +-
 drivers/cdrom/gdrom.c                              |  1 +
 drivers/clk/imgtec/clk-boston.c                    | 11 ++-
 drivers/clk/imx/clk-imx6sl.c                       |  6 ++
 drivers/clk/sunxi-ng/ccu-sun8i-a33.c               |  6 +-
 drivers/cpuidle/cpuidle-big_little.c               |  7 +-
 drivers/crypto/ux500/cryp/cryp_core.c              |  4 +-
 drivers/crypto/ux500/hash/hash_core.c              |  2 +-
 drivers/dma/bcm2835-dma.c                          | 70 ++++++---------
 drivers/dma/imx-dma.c                              |  8 +-
 drivers/dma/xilinx/zynqmp_dma.c                    |  2 +-
 drivers/firmware/efi/vars.c                        | 99 +++++++++++++++++-----
 drivers/fpga/altera-cvp.c                          |  9 ++
 drivers/gpu/drm/drm_atomic_helper.c                |  8 +-
 drivers/gpu/drm/drm_bufs.c                         |  3 +
 drivers/gpu/drm/rockchip/cdn-dp-reg.c              |  2 +-
 drivers/gpu/drm/vc4/vc4_plane.c                    | 12 +--
 drivers/gpu/drm/vgem/vgem_drv.c                    | 16 ++--
 drivers/gpu/ipu-v3/ipu-image-convert.c             | 10 ++-
 drivers/hid/hid-lenovo.c                           | 10 ++-
 drivers/hwmon/lm80.c                               | 26 ++++--
 drivers/i2c/busses/i2c-axxia.c                     | 32 +++----
 drivers/i2c/busses/i2c-sh_mobile.c                 |  1 +
 drivers/iio/accel/kxcjk-1013.c                     |  1 +
 drivers/iio/adc/meson_saradc.c                     | 14 ++-
 drivers/infiniband/hw/hfi1/rc.c                    |  2 +
 drivers/infiniband/hw/hfi1/ruc.c                   |  7 +-
 drivers/infiniband/hw/qib/qib_ruc.c                |  7 +-
 drivers/iommu/amd_iommu.c                          |  9 +-
 drivers/iommu/arm-smmu-v3.c                        |  8 +-
 drivers/iommu/arm-smmu.c                           |  3 +
 drivers/irqchip/irq-gic-v3-its.c                   | 32 +++++--
 drivers/isdn/hisax/hfc_pci.c                       |  2 +
 drivers/md/raid10.c                                |  4 +
 drivers/media/i2c/ad9389b.c                        |  2 +-
 drivers/media/i2c/adv7511.c                        |  2 +-
 drivers/media/i2c/adv7604.c                        |  4 +-
 drivers/media/i2c/adv7842.c                        |  4 +-
 drivers/media/i2c/tc358743.c                       |  2 +-
 drivers/media/i2c/ths8200.c                        |  2 +-
 drivers/media/platform/coda/coda-bit.c             | 19 ++---
 drivers/media/platform/coda/coda-common.c          | 15 ++--
 drivers/media/platform/coda/coda.h                 |  6 +-
 drivers/media/platform/coda/coda_regs.h            |  2 +-
 drivers/media/platform/davinci/vpbe.c              |  7 +-
 .../media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c  | 10 ++-
 drivers/memstick/core/memstick.c                   |  3 +
 drivers/mmc/host/bcm2835.c                         | 12 +++
 drivers/mmc/host/sdhci-of-esdhc.c                  | 16 +++-
 drivers/mmc/host/sdhci-xenon-phy.c                 | 10 ++-
 drivers/mmc/host/sdhci-xenon.c                     | 10 ++-
 drivers/net/ethernet/broadcom/bcmsysport.c         | 25 +++---
 drivers/net/ethernet/broadcom/bcmsysport.h         |  2 +
 drivers/net/ethernet/cisco/enic/enic_main.c        |  3 +-
 drivers/net/ethernet/freescale/fman/fman_memac.c   |  2 +-
 drivers/net/ethernet/freescale/fman/fman_tgec.c    |  2 +-
 drivers/net/ethernet/intel/i40e/i40e_main.c        |  3 +
 drivers/net/ethernet/intel/igb/igb_main.c          |  8 +-
 drivers/net/ethernet/marvell/skge.c                |  6 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |  2 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c    | 14 +++
 drivers/net/ethernet/mellanox/mlx5/core/main.c     | 14 +--
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c     | 23 +++++
 .../ethernet/mellanox/mlxsw/spectrum_switchdev.c   | 27 +-----
 drivers/net/ethernet/sun/niu.c                     | 10 ++-
 drivers/net/phy/dp83640.c                          | 13 ++-
 drivers/net/usb/smsc95xx.c                         |  1 +
 drivers/net/wireless/ath/ath9k/dynack.c            |  3 +-
 drivers/net/wireless/st/cw1200/scan.c              | 13 ++-
 drivers/pci/switch/switchtec.c                     |  3 +
 drivers/phy/allwinner/phy-sun4i-usb.c              |  7 ++
 drivers/pinctrl/bcm/pinctrl-bcm2835.c              | 16 ++--
 drivers/pinctrl/meson/pinctrl-meson8.c             |  3 +
 drivers/pinctrl/meson/pinctrl-meson8b.c            | 13 +--
 drivers/pinctrl/pinctrl-sx150x.c                   | 11 ++-
 drivers/platform/chrome/cros_ec_proto.c            | 18 +++-
 drivers/ptp/ptp_chardev.c                          |  5 +-
 drivers/ptp/ptp_clock.c                            |  5 +-
 drivers/s390/crypto/zcrypt_error.h                 |  2 +
 drivers/scsi/aic94xx/aic94xx_init.c                |  8 +-
 drivers/scsi/cxlflash/main.c                       |  2 +
 drivers/scsi/lpfc/lpfc_els.c                       | 52 ++++++------
 drivers/scsi/lpfc/lpfc_nportdisc.c                 |  5 ++
 drivers/scsi/mpt3sas/mpt3sas_scsih.c               |  2 +-
 drivers/scsi/mpt3sas/mpt3sas_transport.c           |  7 +-
 drivers/scsi/smartpqi/smartpqi_init.c              |  6 ++
 drivers/scsi/smartpqi/smartpqi_sis.c               |  2 +-
 drivers/soc/bcm/brcmstb/common.c                   |  6 +-
 drivers/soc/tegra/common.c                         |  6 +-
 drivers/staging/iio/adc/ad7280a.c                  | 17 +++-
 drivers/staging/iio/adc/ad7780.c                   |  6 +-
 drivers/staging/iio/resolver/ad2s90.c              |  7 +-
 drivers/staging/pi433/pi433_if.c                   |  4 +
 drivers/staging/speakup/spk_ttyio.c                |  6 +-
 drivers/thermal/broadcom/bcm2835_thermal.c         | 11 +++
 drivers/thermal/thermal-generic-adc.c              | 12 ++-
 drivers/thermal/thermal_core.c                     | 12 ++-
 drivers/thermal/thermal_hwmon.h                    |  4 +-
 drivers/tty/serial/8250/8250_pci.c                 |  9 +-
 drivers/tty/serial/fsl_lpuart.c                    |  4 +
 drivers/tty/serial/samsung.c                       |  3 +
 drivers/tty/serial/serial_core.c                   |  6 ++
 drivers/usb/core/hub.c                             | 10 +++
 drivers/usb/dwc3/gadget.c                          | 16 ++--
 drivers/usb/dwc3/trace.h                           |  2 +
 drivers/usb/gadget/udc/net2272.c                   |  2 +-
 drivers/usb/mtu3/mtu3_core.c                       |  4 +-
 drivers/usb/mtu3/mtu3_gadget_ep0.c                 |  8 +-
 drivers/usb/musb/musb_dsps.c                       |  9 +-
 drivers/usb/musb/musb_gadget.c                     | 13 +--
 drivers/usb/musb/musbhsdma.c                       | 21 ++---
 drivers/usb/phy/phy-am335x.c                       |  5 +-
 drivers/video/fbdev/clps711x-fb.c                  |  5 +-
 drivers/video/fbdev/core/fbcon.c                   |  2 +-
 drivers/video/fbdev/core/fbmem.c                   |  8 +-
 drivers/watchdog/renesas_wdt.c                     |  9 +-
 fs/binfmt_script.c                                 | 10 ++-
 fs/cifs/readdir.c                                  |  9 +-
 fs/dlm/ast.c                                       | 10 +++
 fs/eventpoll.c                                     |  2 +-
 fs/f2fs/acl.c                                      | 14 +--
 fs/f2fs/data.c                                     | 12 ++-
 fs/f2fs/f2fs.h                                     | 12 ++-
 fs/f2fs/file.c                                     |  3 +
 fs/f2fs/shrinker.c                                 |  2 +-
 fs/fuse/dev.c                                      |  4 +-
 fs/fuse/file.c                                     |  2 +-
 fs/nfs/super.c                                     |  3 +-
 fs/nfsd/nfs4state.c                                | 57 +++++++++++--
 fs/nfsd/nfsctl.c                                   |  2 +
 fs/nfsd/state.h                                    |  2 +
 fs/nfsd/xdr4.h                                     | 13 ++-
 fs/ocfs2/Makefile                                  |  2 +-
 fs/ocfs2/buffer_head_io.c                          |  2 -
 fs/ocfs2/dlm/Makefile                              |  2 +-
 fs/ocfs2/dlmfs/Makefile                            |  2 +-
 fs/proc/base.c                                     | 12 ++-
 fs/udf/inode.c                                     |  6 ++
 include/linux/cpu.h                                |  2 -
 include/linux/genl_magic_struct.h                  |  5 +-
 include/linux/kvm_host.h                           |  3 +-
 include/linux/mlx5/driver.h                        |  2 +-
 include/sound/compress_driver.h                    |  6 +-
 kernel/cgroup/cgroup.c                             |  2 +-
 kernel/cpu.c                                       | 33 +-------
 kernel/debug/debug_core.c                          |  4 +
 kernel/debug/kdb/kdb_bt.c                          | 11 ++-
 kernel/debug/kdb/kdb_debugger.c                    |  7 --
 kernel/events/ring_buffer.c                        |  3 +
 kernel/futex.c                                     | 28 +++---
 kernel/hung_task.c                                 | 20 ++---
 kernel/locking/rtmutex.c                           | 37 ++++++--
 kernel/module.c                                    |  6 +-
 kernel/sched/fair.c                                |  1 +
 kernel/smp.c                                       |  2 -
 kernel/sysctl.c                                    |  2 +
 kernel/time/timekeeping.c                          |  4 +-
 kernel/trace/trace_stack.c                         |  2 +-
 lib/seq_buf.c                                      |  6 +-
 mm/percpu-km.c                                     |  5 +-
 net/bluetooth/hci_event.c                          |  6 ++
 net/dccp/ccid.h                                    |  4 +-
 net/dsa/slave.c                                    | 12 ++-
 net/ipv6/xfrm6_tunnel.c                            |  3 +
 net/mac80211/rx.c                                  |  5 +-
 net/rds/bind.c                                     |  6 +-
 net/rxrpc/recvmsg.c                                |  3 +-
 scripts/decode_stacktrace.sh                       |  2 +-
 scripts/gdb/linux/proc.py                          |  2 +-
 scripts/mod/modpost.c                              | 50 +++++------
 security/smack/smack_lsm.c                         | 12 ++-
 sound/pci/hda/hda_bind.c                           |  3 +-
 sound/pci/hda/hda_codec.h                          |  1 +
 sound/pci/hda/hda_intel.c                          |  2 +
 sound/soc/fsl/Kconfig                              |  2 +-
 sound/soc/intel/atom/sst/sst_loader.c              |  8 +-
 tools/hv/hv_kvp_daemon.c                           | 15 +++-
 tools/perf/arch/x86/util/kvm-stat.c                |  2 +-
 tools/perf/tests/attr.py                           |  2 +-
 tools/perf/tests/evsel-tp-sched.c                  |  2 +-
 tools/perf/util/header.c                           |  2 +-
 tools/perf/util/probe-file.c                       |  2 +-
 tools/testing/selftests/bpf/test_progs.c           |  8 +-
 virt/kvm/arm/mmio.c                                | 11 +--
 virt/kvm/kvm_main.c                                |  6 +-
 236 files changed, 1378 insertions(+), 656 deletions(-)



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 001/205] drm/bufs: Fix Spectre v1 vulnerability
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 002/205] staging: iio: adc: ad7280a: handle error from __ad7280_read32() Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Daniel Vetter,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ]

idx can be indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential
spectre issue 'dma->buflist' [r] (local cap)

Fix this by sanitizing idx before using it to index dma->buflist

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_bufs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
index 1ee84dd802d4..0f05b8d8fefa 100644
--- a/drivers/gpu/drm/drm_bufs.c
+++ b/drivers/gpu/drm/drm_bufs.c
@@ -36,6 +36,8 @@
 #include <drm/drmP.h>
 #include "drm_legacy.h"
 
+#include <linux/nospec.h>
+
 static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
 						  struct drm_local_map *map)
 {
@@ -1417,6 +1419,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data,
 				  idx, dma->buf_count - 1);
 			return -EINVAL;
 		}
+		idx = array_index_nospec(idx, dma->buf_count);
 		buf = dma->buflist[idx];
 		if (buf->file_priv != file_priv) {
 			DRM_ERROR("Process %d freeing buffer not owned\n",
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 002/205] staging: iio: adc: ad7280a: handle error from __ad7280_read32()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 001/205] drm/bufs: Fix Spectre v1 vulnerability Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 003/205] drm/vgem: Fix vgem_init to get drm device available Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Slawomir Stepien, Jonathan Cameron,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0559ef7fde67bc6c83c6eb6329dbd6649528263e ]

Inside __ad7280_read32(), the spi_sync_transfer() can fail with negative
error code. This change will ensure that this error is being passed up
in the call stack, so it can be handled.

Signed-off-by: Slawomir Stepien <sst@poczta.fm>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/iio/adc/ad7280a.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c
index f85dde9805e0..f17f700ea04f 100644
--- a/drivers/staging/iio/adc/ad7280a.c
+++ b/drivers/staging/iio/adc/ad7280a.c
@@ -256,7 +256,9 @@ static int ad7280_read(struct ad7280_state *st, unsigned int devaddr,
 	if (ret)
 		return ret;
 
-	__ad7280_read32(st, &tmp);
+	ret = __ad7280_read32(st, &tmp);
+	if (ret)
+		return ret;
 
 	if (ad7280_check_crc(st, tmp))
 		return -EIO;
@@ -294,7 +296,9 @@ static int ad7280_read_channel(struct ad7280_state *st, unsigned int devaddr,
 
 	ad7280_delay(st);
 
-	__ad7280_read32(st, &tmp);
+	ret = __ad7280_read32(st, &tmp);
+	if (ret)
+		return ret;
 
 	if (ad7280_check_crc(st, tmp))
 		return -EIO;
@@ -327,7 +331,9 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned int cnt,
 	ad7280_delay(st);
 
 	for (i = 0; i < cnt; i++) {
-		__ad7280_read32(st, &tmp);
+		ret = __ad7280_read32(st, &tmp);
+		if (ret)
+			return ret;
 
 		if (ad7280_check_crc(st, tmp))
 			return -EIO;
@@ -370,7 +376,10 @@ static int ad7280_chain_setup(struct ad7280_state *st)
 		return ret;
 
 	for (n = 0; n <= AD7280A_MAX_CHAIN; n++) {
-		__ad7280_read32(st, &val);
+		ret = __ad7280_read32(st, &val);
+		if (ret)
+			return ret;
+
 		if (val == 0)
 			return n - 1;
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 003/205] drm/vgem: Fix vgem_init to get drm device available.
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 001/205] drm/bufs: Fix Spectre v1 vulnerability Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 002/205] staging: iio: adc: ad7280a: handle error from __ad7280_read32() Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 004/205] pinctrl: bcm2835: Use raw spinlock for RT compatibility Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Vetter, Deepak Sharma,
	Sean Paul, Emil Velikov, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d5c04dff24870ef07ce6453a3f4e1ffd9cf88d27 ]

Modify vgem_init to take platform dev as parent in drm_dev_init.
This will make drm device available at "/sys/devices/platform/vgem"
in x86 chromebook.

v2: rebase, address checkpatch typo and line over 80 characters

Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Deepak Sharma <deepak.sharma@amd.com>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181023163550.15211-1-emil.l.velikov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/vgem/vgem_drv.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
index 2524ff116f00..81c7ab10c083 100644
--- a/drivers/gpu/drm/vgem/vgem_drv.c
+++ b/drivers/gpu/drm/vgem/vgem_drv.c
@@ -472,31 +472,31 @@ static int __init vgem_init(void)
 	if (!vgem_device)
 		return -ENOMEM;
 
-	ret = drm_dev_init(&vgem_device->drm, &vgem_driver, NULL);
-	if (ret)
-		goto out_free;
-
 	vgem_device->platform =
 		platform_device_register_simple("vgem", -1, NULL, 0);
 	if (IS_ERR(vgem_device->platform)) {
 		ret = PTR_ERR(vgem_device->platform);
-		goto out_fini;
+		goto out_free;
 	}
 
 	dma_coerce_mask_and_coherent(&vgem_device->platform->dev,
 				     DMA_BIT_MASK(64));
+	ret = drm_dev_init(&vgem_device->drm, &vgem_driver,
+			   &vgem_device->platform->dev);
+	if (ret)
+		goto out_unregister;
 
 	/* Final step: expose the device/driver to userspace */
 	ret  = drm_dev_register(&vgem_device->drm, 0);
 	if (ret)
-		goto out_unregister;
+		goto out_fini;
 
 	return 0;
 
-out_unregister:
-	platform_device_unregister(vgem_device->platform);
 out_fini:
 	drm_dev_fini(&vgem_device->drm);
+out_unregister:
+	platform_device_unregister(vgem_device->platform);
 out_free:
 	kfree(vgem_device);
 	return ret;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 004/205] pinctrl: bcm2835: Use raw spinlock for RT compatibility
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 003/205] drm/vgem: Fix vgem_init to get drm device available Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 005/205] ASoC: Intel: mrfld: fix uninitialized variable access Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathias Duckeck, Lukas Wunner,
	Julia Cartwright, Linus Walleij, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 3c7b30f704b6f5e53eed6bf89cf2c8d1b38b02c0 ]

The BCM2835 pinctrl driver acquires a spinlock in its ->irq_enable,
->irq_disable and ->irq_set_type callbacks.  Spinlocks become sleeping
locks with CONFIG_PREEMPT_RT_FULL=y, therefore invocation of one of the
callbacks in atomic context may cause a hard lockup if at least two GPIO
pins in the same bank are used as interrupts.  The issue doesn't occur
with just a single interrupt pin per bank because the lock is never
contended.  I'm experiencing such lockups with GPIO 8 and 28 used as
level-triggered interrupts, i.e. with ->irq_disable being invoked on
reception of every IRQ.

The critical section protected by the spinlock is very small (one bitop
and one RMW of an MMIO register), hence converting to a raw spinlock
seems a better trade-off than converting the driver to threaded IRQ
handling (which would increase latency to handle an interrupt).

Cc: Mathias Duckeck <m.duckeck@kunbus.de>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Acked-by: Julia Cartwright <julia@ni.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/bcm/pinctrl-bcm2835.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/pinctrl/bcm/pinctrl-bcm2835.c b/drivers/pinctrl/bcm/pinctrl-bcm2835.c
index ff782445dfb7..e72bf2502eca 100644
--- a/drivers/pinctrl/bcm/pinctrl-bcm2835.c
+++ b/drivers/pinctrl/bcm/pinctrl-bcm2835.c
@@ -92,7 +92,7 @@ struct bcm2835_pinctrl {
 	struct gpio_chip gpio_chip;
 	struct pinctrl_gpio_range gpio_range;
 
-	spinlock_t irq_lock[BCM2835_NUM_BANKS];
+	raw_spinlock_t irq_lock[BCM2835_NUM_BANKS];
 };
 
 /* pins are just named GPIO0..GPIO53 */
@@ -471,10 +471,10 @@ static void bcm2835_gpio_irq_enable(struct irq_data *data)
 	unsigned bank = GPIO_REG_OFFSET(gpio);
 	unsigned long flags;
 
-	spin_lock_irqsave(&pc->irq_lock[bank], flags);
+	raw_spin_lock_irqsave(&pc->irq_lock[bank], flags);
 	set_bit(offset, &pc->enabled_irq_map[bank]);
 	bcm2835_gpio_irq_config(pc, gpio, true);
-	spin_unlock_irqrestore(&pc->irq_lock[bank], flags);
+	raw_spin_unlock_irqrestore(&pc->irq_lock[bank], flags);
 }
 
 static void bcm2835_gpio_irq_disable(struct irq_data *data)
@@ -486,12 +486,12 @@ static void bcm2835_gpio_irq_disable(struct irq_data *data)
 	unsigned bank = GPIO_REG_OFFSET(gpio);
 	unsigned long flags;
 
-	spin_lock_irqsave(&pc->irq_lock[bank], flags);
+	raw_spin_lock_irqsave(&pc->irq_lock[bank], flags);
 	bcm2835_gpio_irq_config(pc, gpio, false);
 	/* Clear events that were latched prior to clearing event sources */
 	bcm2835_gpio_set_bit(pc, GPEDS0, gpio);
 	clear_bit(offset, &pc->enabled_irq_map[bank]);
-	spin_unlock_irqrestore(&pc->irq_lock[bank], flags);
+	raw_spin_unlock_irqrestore(&pc->irq_lock[bank], flags);
 }
 
 static int __bcm2835_gpio_irq_set_type_disabled(struct bcm2835_pinctrl *pc,
@@ -594,7 +594,7 @@ static int bcm2835_gpio_irq_set_type(struct irq_data *data, unsigned int type)
 	unsigned long flags;
 	int ret;
 
-	spin_lock_irqsave(&pc->irq_lock[bank], flags);
+	raw_spin_lock_irqsave(&pc->irq_lock[bank], flags);
 
 	if (test_bit(offset, &pc->enabled_irq_map[bank]))
 		ret = __bcm2835_gpio_irq_set_type_enabled(pc, gpio, type);
@@ -606,7 +606,7 @@ static int bcm2835_gpio_irq_set_type(struct irq_data *data, unsigned int type)
 	else
 		irq_set_handler_locked(data, handle_level_irq);
 
-	spin_unlock_irqrestore(&pc->irq_lock[bank], flags);
+	raw_spin_unlock_irqrestore(&pc->irq_lock[bank], flags);
 
 	return ret;
 }
@@ -1021,7 +1021,7 @@ static int bcm2835_pinctrl_probe(struct platform_device *pdev)
 		for_each_set_bit(offset, &events, 32)
 			bcm2835_gpio_wr(pc, GPEDS0 + i * 4, BIT(offset));
 
-		spin_lock_init(&pc->irq_lock[i]);
+		raw_spin_lock_init(&pc->irq_lock[i]);
 	}
 
 	err = gpiochip_add_data(&pc->gpio_chip, pc);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 005/205] ASoC: Intel: mrfld: fix uninitialized variable access
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 004/205] pinctrl: bcm2835: Use raw spinlock for RT compatibility Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 006/205] gpu: ipu-v3: image-convert: Prevent race between run and unprepare Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Pierre-Louis Bossart,
	Mark Brown, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1539c7f23f256120f89f8b9ec53160790bce9ed2 ]

Randconfig testing revealed a very old bug, with gcc-8:

sound/soc/intel/atom/sst/sst_loader.c: In function 'sst_load_fw':
sound/soc/intel/atom/sst/sst_loader.c:357:5: error: 'fw' may be used uninitialized in this function [-Werror=maybe-uninitialized]
  if (fw == NULL) {
     ^
sound/soc/intel/atom/sst/sst_loader.c:354:25: note: 'fw' was declared here
  const struct firmware *fw;

We must check the return code of request_firmware() before we look at the
pointer result that may be uninitialized when the function fails.

Fixes: 9012c9544eea ("ASoC: Intel: mrfld - Add DSP load and management")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/atom/sst/sst_loader.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sound/soc/intel/atom/sst/sst_loader.c b/sound/soc/intel/atom/sst/sst_loader.c
index 33917146d9c4..054b1d514e8a 100644
--- a/sound/soc/intel/atom/sst/sst_loader.c
+++ b/sound/soc/intel/atom/sst/sst_loader.c
@@ -354,14 +354,14 @@ static int sst_request_fw(struct intel_sst_drv *sst)
 	const struct firmware *fw;
 
 	retval = request_firmware(&fw, sst->firmware_name, sst->dev);
-	if (fw == NULL) {
-		dev_err(sst->dev, "fw is returning as null\n");
-		return -EINVAL;
-	}
 	if (retval) {
 		dev_err(sst->dev, "request fw failed %d\n", retval);
 		return retval;
 	}
+	if (fw == NULL) {
+		dev_err(sst->dev, "fw is returning as null\n");
+		return -EINVAL;
+	}
 	mutex_lock(&sst->sst_lock);
 	retval = sst_cache_and_parse_fw(sst, fw);
 	mutex_unlock(&sst->sst_lock);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 006/205] gpu: ipu-v3: image-convert: Prevent race between run and unprepare
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 005/205] ASoC: Intel: mrfld: fix uninitialized variable access Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 007/205] ath9k: dynack: use authentication messages for late ack Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Longerbeam, Philipp Zabel, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 819bec35c8c9706185498c9222bd244e0781ad35 ]

Prevent possible race by parallel threads between ipu_image_convert_run()
and ipu_image_convert_unprepare(). This involves setting ctx->aborting
to true unconditionally so that no new job runs can be queued during
unprepare, and holding the ctx->aborting flag until the context is freed.

Note that the "normal" ipu_image_convert_abort() case (e.g. not during
context unprepare) should clear the ctx->aborting flag after aborting
any active run and clearing the context's pending queue. This is because
it should be possible to continue to use the conversion context and queue
more runs after an abort.

Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
Tested-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/ipu-v3/ipu-image-convert.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c
index 524a717ab28e..a5e33d58e02f 100644
--- a/drivers/gpu/ipu-v3/ipu-image-convert.c
+++ b/drivers/gpu/ipu-v3/ipu-image-convert.c
@@ -1518,7 +1518,7 @@ unlock:
 EXPORT_SYMBOL_GPL(ipu_image_convert_queue);
 
 /* Abort any active or pending conversions for this context */
-void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
+static void __ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
 {
 	struct ipu_image_convert_chan *chan = ctx->chan;
 	struct ipu_image_convert_priv *priv = chan->priv;
@@ -1545,7 +1545,7 @@ void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
 
 	need_abort = (run_count || active_run);
 
-	ctx->aborting = need_abort;
+	ctx->aborting = true;
 
 	spin_unlock_irqrestore(&chan->irqlock, flags);
 
@@ -1566,7 +1566,11 @@ void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
 		dev_warn(priv->ipu->dev, "%s: timeout\n", __func__);
 		force_abort(ctx);
 	}
+}
 
+void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
+{
+	__ipu_image_convert_abort(ctx);
 	ctx->aborting = false;
 }
 EXPORT_SYMBOL_GPL(ipu_image_convert_abort);
@@ -1580,7 +1584,7 @@ void ipu_image_convert_unprepare(struct ipu_image_convert_ctx *ctx)
 	bool put_res;
 
 	/* make sure no runs are hanging around */
-	ipu_image_convert_abort(ctx);
+	__ipu_image_convert_abort(ctx);
 
 	dev_dbg(priv->ipu->dev, "%s: task %u: removing ctx %p\n", __func__,
 		chan->ic_task, ctx);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 007/205] ath9k: dynack: use authentication messages for late ack
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 006/205] gpu: ipu-v3: image-convert: Prevent race between run and unprepare Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 008/205] scsi: lpfc: Correct LCB RJT handling Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Koen Vandeputte, Lorenzo Bianconi,
	Kalle Valo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 3831a2a0010c72e3956020cbf1057a1701a2e469 ]

In order to properly support dynack in ad-hoc mode running
wpa_supplicant, take into account authentication frames for
'late ack' detection. This patch has been tested on devices
mounted on offshore high-voltage stations connected through
~24Km link

Reported-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/dynack.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c
index 7334c9b09e82..cc0dc966c512 100644
--- a/drivers/net/wireless/ath/ath9k/dynack.c
+++ b/drivers/net/wireless/ath/ath9k/dynack.c
@@ -187,7 +187,8 @@ void ath_dynack_sample_tx_ts(struct ath_hw *ah, struct sk_buff *skb,
 	/* late ACK */
 	if (ts->ts_status & ATH9K_TXERR_XRETRY) {
 		if (ieee80211_is_assoc_req(hdr->frame_control) ||
-		    ieee80211_is_assoc_resp(hdr->frame_control)) {
+		    ieee80211_is_assoc_resp(hdr->frame_control) ||
+		    ieee80211_is_auth(hdr->frame_control)) {
 			ath_dbg(common, DYNACK, "late ack\n");
 			ath9k_hw_setslottime(ah, (LATEACK_TO - 3) / 2);
 			ath9k_hw_set_ack_timeout(ah, LATEACK_TO);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 008/205] scsi: lpfc: Correct LCB RJT handling
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 007/205] ath9k: dynack: use authentication messages for late ack Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 009/205] scsi: mpt3sas: Call sas_remove_host before removing the target devices Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Hannes Reinecke, Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit b114d9009d386276bfc3352289fc235781ae3353 ]

When LCB's are rejected, if beaconing was already in progress, the
Reason Code Explanation was not being set. Should have been set to
command in progress.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc_els.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 91783dbdf10c..fffe8a643e25 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -5696,6 +5696,9 @@ error:
 	stat = (struct ls_rjt *)(pcmd + sizeof(uint32_t));
 	stat->un.b.lsRjtRsnCode = LSRJT_UNABLE_TPC;
 
+	if (shdr_add_status == ADD_STATUS_OPERATION_ALREADY_ACTIVE)
+		stat->un.b.lsRjtRsnCodeExp = LSEXP_CMD_IN_PROGRESS;
+
 	elsiocb->iocb_cmpl = lpfc_cmpl_els_rsp;
 	phba->fc_stat.elsXmitLSRJT++;
 	rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 009/205] scsi: mpt3sas: Call sas_remove_host before removing the target devices
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 008/205] scsi: lpfc: Correct LCB RJT handling Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 010/205] scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suganath Prabu, Bjorn Helgaas,
	Andy Shevchenko, Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit dc730212e8a378763cb182b889f90c8101331332 ]

Call sas_remove_host() before removing the target devices in the driver's
.remove() callback function(i.e. during driver unload time).  So that
driver can provide a way to allow SYNC CACHE, START STOP unit commands
etc. (which are issued from SML) to the target drives during driver unload
time.

Once sas_remove_host() is called before removing the target drives then
driver can just clean up the resources allocated for target devices and no
need to call sas_port_delete_phy(), sas_port_delete() API's as these API's
internally called from sas_remove_host().

Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mpt3sas/mpt3sas_scsih.c     | 2 +-
 drivers/scsi/mpt3sas/mpt3sas_transport.c | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index ae5e579ac473..b28efddab7b1 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -8260,6 +8260,7 @@ static void scsih_remove(struct pci_dev *pdev)
 
 	/* release all the volumes */
 	_scsih_ir_shutdown(ioc);
+	sas_remove_host(shost);
 	list_for_each_entry_safe(raid_device, next, &ioc->raid_device_list,
 	    list) {
 		if (raid_device->starget) {
@@ -8296,7 +8297,6 @@ static void scsih_remove(struct pci_dev *pdev)
 		ioc->sas_hba.num_phys = 0;
 	}
 
-	sas_remove_host(shost);
 	mpt3sas_base_detach(ioc);
 	spin_lock(&gioc_lock);
 	list_del(&ioc->list);
diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
index 63dd9bc21ff2..66d9f04c4c0b 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
@@ -846,10 +846,13 @@ mpt3sas_transport_port_remove(struct MPT3SAS_ADAPTER *ioc, u64 sas_address,
 			    mpt3sas_port->remote_identify.sas_address,
 			    mpt3sas_phy->phy_id);
 		mpt3sas_phy->phy_belongs_to_port = 0;
-		sas_port_delete_phy(mpt3sas_port->port, mpt3sas_phy->phy);
+		if (!ioc->remove_host)
+			sas_port_delete_phy(mpt3sas_port->port,
+						mpt3sas_phy->phy);
 		list_del(&mpt3sas_phy->port_siblings);
 	}
-	sas_port_delete(mpt3sas_port->port);
+	if (!ioc->remove_host)
+		sas_port_delete(mpt3sas_port->port);
 	kfree(mpt3sas_port);
 }
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 010/205] scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 009/205] scsi: mpt3sas: Call sas_remove_host before removing the target devices Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 011/205] ARM: 8808/1: kexec:offline panic_smp_self_stop CPU Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Hannes Reinecke, Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 30e196cacefdd9a38c857caed23cefc9621bc5c1 ]

After a LOGO in response to an ABTS timeout, a PLOGI wasn't issued to
re-establish the login.  An nlp_type check in the LOGO completion
handler failed to restart discovery for NVME targets.  Revised the
nlp_type check for NVME as well as SCSI.

While reviewing the LOGO handling a few other issues were seen and
were addressed:

- Better lock synchronization around ndlp data types

- When the ABTS times out, unregister the RPI before sending the LOGO
  so that all local exchange contexts are cleared and nothing received
  while awaiting LOGO/PLOGI handling will be accepted.

- LOGO handling optimized to:
   Wait only R_A_TOV for a response.
   It doesn't need to be retried on timeout. If there wasn't a
     response, a PLOGI will be sent, thus an implicit logout
     applies as well when the other port sees it.
   If there is a response, any kind of response is considered "good"
     and the XRI quarantined for a exchange qualifier window.

- PLOGI is issued as soon a LOGO state is resolved.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc_els.c       | 49 +++++++++++++-----------------
 drivers/scsi/lpfc/lpfc_nportdisc.c |  5 +++
 2 files changed, 26 insertions(+), 28 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index fffe8a643e25..57cddbc4a977 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -242,6 +242,8 @@ lpfc_prep_els_iocb(struct lpfc_vport *vport, uint8_t expectRsp,
 		icmd->ulpCommand = CMD_ELS_REQUEST64_CR;
 		if (elscmd == ELS_CMD_FLOGI)
 			icmd->ulpTimeout = FF_DEF_RATOV * 2;
+		else if (elscmd == ELS_CMD_LOGO)
+			icmd->ulpTimeout = phba->fc_ratov;
 		else
 			icmd->ulpTimeout = phba->fc_ratov * 2;
 	} else {
@@ -2674,16 +2676,15 @@ lpfc_cmpl_els_logo(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
 		goto out;
 	}
 
+	/* The LOGO will not be retried on failure.  A LOGO was
+	 * issued to the remote rport and a ACC or RJT or no Answer are
+	 * all acceptable.  Note the failure and move forward with
+	 * discovery.  The PLOGI will retry.
+	 */
 	if (irsp->ulpStatus) {
-		/* Check for retry */
-		if (lpfc_els_retry(phba, cmdiocb, rspiocb)) {
-			/* ELS command is being retried */
-			skip_recovery = 1;
-			goto out;
-		}
 		/* LOGO failed */
 		lpfc_printf_vlog(vport, KERN_ERR, LOG_ELS,
-				 "2756 LOGO failure DID:%06X Status:x%x/x%x\n",
+				 "2756 LOGO failure, No Retry DID:%06X Status:x%x/x%x\n",
 				 ndlp->nlp_DID, irsp->ulpStatus,
 				 irsp->un.ulpWord[4]);
 		/* Do not call DSM for lpfc_els_abort'ed ELS cmds */
@@ -2729,7 +2730,8 @@ out:
 	 * For any other port type, the rpi is unregistered as an implicit
 	 * LOGO.
 	 */
-	if ((ndlp->nlp_type & NLP_FCP_TARGET) && (skip_recovery == 0)) {
+	if (ndlp->nlp_type & (NLP_FCP_TARGET | NLP_NVME_TARGET) &&
+	    skip_recovery == 0) {
 		lpfc_cancel_retry_delay_tmo(vport, ndlp);
 		spin_lock_irqsave(shost->host_lock, flags);
 		ndlp->nlp_flag |= NLP_NPR_2B_DISC;
@@ -2762,6 +2764,8 @@ out:
  * will be stored into the context1 field of the IOCB for the completion
  * callback function to the LOGO ELS command.
  *
+ * Callers of this routine are expected to unregister the RPI first
+ *
  * Return code
  *   0 - successfully issued logo
  *   1 - failed to issue logo
@@ -2803,22 +2807,6 @@ lpfc_issue_els_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
 		"Issue LOGO:      did:x%x",
 		ndlp->nlp_DID, 0, 0);
 
-	/*
-	 * If we are issuing a LOGO, we may try to recover the remote NPort
-	 * by issuing a PLOGI later. Even though we issue ELS cmds by the
-	 * VPI, if we have a valid RPI, and that RPI gets unreg'ed while
-	 * that ELS command is in-flight, the HBA returns a IOERR_INVALID_RPI
-	 * for that ELS cmd. To avoid this situation, lets get rid of the
-	 * RPI right now, before any ELS cmds are sent.
-	 */
-	spin_lock_irq(shost->host_lock);
-	ndlp->nlp_flag |= NLP_ISSUE_LOGO;
-	spin_unlock_irq(shost->host_lock);
-	if (lpfc_unreg_rpi(vport, ndlp)) {
-		lpfc_els_free_iocb(phba, elsiocb);
-		return 0;
-	}
-
 	phba->fc_stat.elsXmitLOGO++;
 	elsiocb->iocb_cmpl = lpfc_cmpl_els_logo;
 	spin_lock_irq(shost->host_lock);
@@ -2826,7 +2814,6 @@ lpfc_issue_els_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
 	ndlp->nlp_flag &= ~NLP_ISSUE_LOGO;
 	spin_unlock_irq(shost->host_lock);
 	rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0);
-
 	if (rc == IOCB_ERROR) {
 		spin_lock_irq(shost->host_lock);
 		ndlp->nlp_flag &= ~NLP_LOGO_SND;
@@ -2834,6 +2821,11 @@ lpfc_issue_els_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
 		lpfc_els_free_iocb(phba, elsiocb);
 		return 1;
 	}
+
+	spin_lock_irq(shost->host_lock);
+	ndlp->nlp_prev_state = ndlp->nlp_state;
+	spin_unlock_irq(shost->host_lock);
+	lpfc_nlp_set_state(vport, ndlp, NLP_STE_LOGO_ISSUE);
 	return 0;
 }
 
@@ -9483,7 +9475,8 @@ lpfc_sli_abts_recover_port(struct lpfc_vport *vport,
 				"rport in state 0x%x\n", ndlp->nlp_state);
 		return;
 	}
-	lpfc_printf_log(phba, KERN_INFO, LOG_SLI,
+	lpfc_printf_log(phba, KERN_ERR,
+			LOG_ELS | LOG_FCP_ERROR | LOG_NVME_IOERR,
 			"3094 Start rport recovery on shost id 0x%x "
 			"fc_id 0x%06x vpi 0x%x rpi 0x%x state 0x%x "
 			"flags 0x%x\n",
@@ -9496,8 +9489,8 @@ lpfc_sli_abts_recover_port(struct lpfc_vport *vport,
 	 */
 	spin_lock_irqsave(shost->host_lock, flags);
 	ndlp->nlp_fcp_info &= ~NLP_FCP_2_DEVICE;
+	ndlp->nlp_flag |= NLP_ISSUE_LOGO;
 	spin_unlock_irqrestore(shost->host_lock, flags);
-	lpfc_issue_els_logo(vport, ndlp, 0);
-	lpfc_nlp_set_state(vport, ndlp, NLP_STE_LOGO_ISSUE);
+	lpfc_unreg_rpi(vport, ndlp);
 }
 
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index d489f6827cc1..36fb549eb4e8 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -801,7 +801,9 @@ lpfc_disc_set_adisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
 	struct Scsi_Host *shost = lpfc_shost_from_vport(vport);
 
 	if (!(ndlp->nlp_flag & NLP_RPI_REGISTERED)) {
+		spin_lock_irq(shost->host_lock);
 		ndlp->nlp_flag &= ~NLP_NPR_ADISC;
+		spin_unlock_irq(shost->host_lock);
 		return 0;
 	}
 
@@ -816,7 +818,10 @@ lpfc_disc_set_adisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
 			return 1;
 		}
 	}
+
+	spin_lock_irq(shost->host_lock);
 	ndlp->nlp_flag &= ~NLP_NPR_ADISC;
+	spin_unlock_irq(shost->host_lock);
 	lpfc_unreg_rpi(vport, ndlp);
 	return 0;
 }
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 011/205] ARM: 8808/1: kexec:offline panic_smp_self_stop CPU
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 010/205] scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 012/205] clk: boston: fix possible memory leak in clk_boston_setup() Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yufen Wang, Russell King, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 82c08c3e7f171aa7f579b231d0abbc1d62e91974 ]

In case panic() and panic() called at the same time on different CPUS.
For example:
CPU 0:
  panic()
     __crash_kexec
       machine_crash_shutdown
         crash_smp_send_stop
       machine_kexec
         BUG_ON(num_online_cpus() > 1);

CPU 1:
  panic()
    local_irq_disable
    panic_smp_self_stop

If CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop(), kdump
fails. CPU1 can't receive the ipi irq, CPU1 will be always online.
To fix this problem, this patch split out the panic_smp_self_stop()
and add set_cpu_online(smp_processor_id(), false).

Signed-off-by: Yufen Wang <wangyufen@huawei.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/kernel/smp.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
index e61af0600133..5e31c62127a0 100644
--- a/arch/arm/kernel/smp.c
+++ b/arch/arm/kernel/smp.c
@@ -691,6 +691,21 @@ void smp_send_stop(void)
 		pr_warn("SMP: failed to stop secondary CPUs\n");
 }
 
+/* In case panic() and panic() called at the same time on CPU1 and CPU2,
+ * and CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop()
+ * CPU1 can't receive the ipi irqs from CPU2, CPU1 will be always online,
+ * kdump fails. So split out the panic_smp_self_stop() and add
+ * set_cpu_online(smp_processor_id(), false).
+ */
+void panic_smp_self_stop(void)
+{
+	pr_debug("CPU %u will stop doing anything useful since another CPU has paniced\n",
+	         smp_processor_id());
+	set_cpu_online(smp_processor_id(), false);
+	while (1)
+		cpu_relax();
+}
+
 /*
  * not supported here
  */
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 012/205] clk: boston: fix possible memory leak in clk_boston_setup()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 011/205] ARM: 8808/1: kexec:offline panic_smp_self_stop CPU Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 013/205] dlm: Dont swamp the CPU with callbacks queued during recovery Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yi Wang, Stephen Boyd, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 46fda5b5067a391912cf73bf3d32c26b6a22ad09 ]

Smatch report warnings:
drivers/clk/imgtec/clk-boston.c:76 clk_boston_setup() warn: possible memory leak of 'onecell'
drivers/clk/imgtec/clk-boston.c:83 clk_boston_setup() warn: possible memory leak of 'onecell'
drivers/clk/imgtec/clk-boston.c:90 clk_boston_setup() warn: possible memory leak of 'onecell'

'onecell' is malloced in clk_boston_setup(), but not be freed
before leaving from the error handling cases.

Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/imgtec/clk-boston.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/clk/imgtec/clk-boston.c b/drivers/clk/imgtec/clk-boston.c
index 15af423cc0c9..f5d54a64d33c 100644
--- a/drivers/clk/imgtec/clk-boston.c
+++ b/drivers/clk/imgtec/clk-boston.c
@@ -73,27 +73,32 @@ static void __init clk_boston_setup(struct device_node *np)
 	hw = clk_hw_register_fixed_rate(NULL, "input", NULL, 0, in_freq);
 	if (IS_ERR(hw)) {
 		pr_err("failed to register input clock: %ld\n", PTR_ERR(hw));
-		return;
+		goto error;
 	}
 	onecell->hws[BOSTON_CLK_INPUT] = hw;
 
 	hw = clk_hw_register_fixed_rate(NULL, "sys", "input", 0, sys_freq);
 	if (IS_ERR(hw)) {
 		pr_err("failed to register sys clock: %ld\n", PTR_ERR(hw));
-		return;
+		goto error;
 	}
 	onecell->hws[BOSTON_CLK_SYS] = hw;
 
 	hw = clk_hw_register_fixed_rate(NULL, "cpu", "input", 0, cpu_freq);
 	if (IS_ERR(hw)) {
 		pr_err("failed to register cpu clock: %ld\n", PTR_ERR(hw));
-		return;
+		goto error;
 	}
 	onecell->hws[BOSTON_CLK_CPU] = hw;
 
 	err = of_clk_add_hw_provider(np, of_clk_hw_onecell_get, onecell);
 	if (err)
 		pr_err("failed to add DT provider: %d\n", err);
+
+	return;
+
+error:
+	kfree(onecell);
 }
 
 /*
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 013/205] dlm: Dont swamp the CPU with callbacks queued during recovery
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 012/205] clk: boston: fix possible memory leak in clk_boston_setup() Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 014/205] x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bob Peterson, David Teigland, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 216f0efd19b9cc32207934fd1b87a45f2c4c593e ]

Before this patch, recovery would cause all callbacks to be delayed,
put on a queue, and afterward they were all queued to the callback
work queue. This patch does the same thing, but occasionally takes
a break after 25 of them so it won't swamp the CPU at the expense
of other RT processes like corosync.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/ast.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/dlm/ast.c b/fs/dlm/ast.c
index 07fed838d8fd..15fa4239ae9f 100644
--- a/fs/dlm/ast.c
+++ b/fs/dlm/ast.c
@@ -290,6 +290,8 @@ void dlm_callback_suspend(struct dlm_ls *ls)
 		flush_workqueue(ls->ls_callback_wq);
 }
 
+#define MAX_CB_QUEUE 25
+
 void dlm_callback_resume(struct dlm_ls *ls)
 {
 	struct dlm_lkb *lkb, *safe;
@@ -300,15 +302,23 @@ void dlm_callback_resume(struct dlm_ls *ls)
 	if (!ls->ls_callback_wq)
 		return;
 
+more:
 	mutex_lock(&ls->ls_cb_mutex);
 	list_for_each_entry_safe(lkb, safe, &ls->ls_cb_delay, lkb_cb_list) {
 		list_del_init(&lkb->lkb_cb_list);
 		queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work);
 		count++;
+		if (count == MAX_CB_QUEUE)
+			break;
 	}
 	mutex_unlock(&ls->ls_cb_mutex);
 
 	if (count)
 		log_rinfo(ls, "dlm_callback_resume %d", count);
+	if (count == MAX_CB_QUEUE) {
+		count = 0;
+		cond_resched();
+		goto more;
+	}
 }
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 014/205] x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 013/205] dlm: Dont swamp the CPU with callbacks queued during recovery Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 015/205] powerpc/pseries: add of_node_put() in dlpar_detach_node() Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Bjorn Helgaas, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 53bb565fc5439f2c8c57a786feea5946804aa3e9 ]

In the expression "word1 << 16", word1 starts as u16, but is promoted to a
signed int, then sign-extended to resource_size_t, which is probably not
what was intended.  Cast to resource_size_t to avoid the sign extension.

This fixes an identical issue as fixed by commit 0b2d70764bb3 ("x86/PCI:
Fix Broadcom CNB20LE unintended sign extension") back in 2014.

Detected by CoverityScan, CID#138749, 138750 ("Unintended sign extension")

Fixes: 3f6ea84a3035 ("PCI: read memory ranges out of Broadcom CNB20LE host bridge")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/pci/broadcom_bus.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/pci/broadcom_bus.c b/arch/x86/pci/broadcom_bus.c
index 526536c81ddc..ca1e8e6dccc8 100644
--- a/arch/x86/pci/broadcom_bus.c
+++ b/arch/x86/pci/broadcom_bus.c
@@ -50,8 +50,8 @@ static void __init cnb20le_res(u8 bus, u8 slot, u8 func)
 	word1 = read_pci_config_16(bus, slot, func, 0xc0);
 	word2 = read_pci_config_16(bus, slot, func, 0xc2);
 	if (word1 != word2) {
-		res.start = (word1 << 16) | 0x0000;
-		res.end   = (word2 << 16) | 0xffff;
+		res.start = ((resource_size_t) word1 << 16) | 0x0000;
+		res.end   = ((resource_size_t) word2 << 16) | 0xffff;
 		res.flags = IORESOURCE_MEM;
 		update_res(info, res.start, res.end, res.flags, 0);
 	}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 015/205] powerpc/pseries: add of_node_put() in dlpar_detach_node()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 014/205] x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 016/205] crypto: aes_ti - disable interrupts while accessing S-box Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Tull, Michael Ellerman,
	Frank Rowand, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5b3f5c408d8cc59b87e47f1ab9803dbd006e4a91 ]

The previous commit, "of: overlay: add missing of_node_get() in
__of_attach_node_sysfs" added a missing of_node_get() to
__of_attach_node_sysfs().  This results in a refcount imbalance
for nodes attached with dlpar_attach_node().  The calling sequence
from dlpar_attach_node() to __of_attach_node_sysfs() is:

   dlpar_attach_node()
      of_attach_node()
         __of_attach_node_sysfs()

For more detailed description of the node refcount, see
commit 68baf692c435 ("powerpc/pseries: Fix of_node_put() underflow
during DLPAR remove").

Tested-by: Alan Tull <atull@kernel.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Frank Rowand <frank.rowand@sony.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/pseries/dlpar.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
index e9149d05d30b..f4e6565dd7a9 100644
--- a/arch/powerpc/platforms/pseries/dlpar.c
+++ b/arch/powerpc/platforms/pseries/dlpar.c
@@ -284,6 +284,8 @@ int dlpar_detach_node(struct device_node *dn)
 	if (rc)
 		return rc;
 
+	of_node_put(dn);
+
 	return 0;
 }
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 016/205] crypto: aes_ti - disable interrupts while accessing S-box
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 015/205] powerpc/pseries: add of_node_put() in dlpar_detach_node() Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 017/205] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Eric Biggers,
	Herbert Xu, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0a6a40c2a8c184a2fb467efacfb1cd338d719e0b ]

In the "aes-fixed-time" AES implementation, disable interrupts while
accessing the S-box, in order to make cache-timing attacks more
difficult.  Previously it was possible for the CPU to be interrupted
while the S-box was loaded into L1 cache, potentially evicting the
cachelines and causing later table lookups to be time-variant.

In tests I did on x86 and ARM, this doesn't affect performance
significantly.  Responsiveness is potentially a concern, but interrupts
are only disabled for a single AES block.

Note that even after this change, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software.  But it's valuable to make such attacks more difficult.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/Kconfig  |  3 ++-
 crypto/aes_ti.c | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 5579eb88d460..84f99f8eca4b 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -930,7 +930,8 @@ config CRYPTO_AES_TI
 	  8 for decryption), this implementation only uses just two S-boxes of
 	  256 bytes each, and attempts to eliminate data dependent latencies by
 	  prefetching the entire table into the cache at the start of each
-	  block.
+	  block. Interrupts are also disabled to avoid races where cachelines
+	  are evicted when the CPU is interrupted to do something else.
 
 config CRYPTO_AES_586
 	tristate "AES cipher algorithms (i586)"
diff --git a/crypto/aes_ti.c b/crypto/aes_ti.c
index 03023b2290e8..1ff9785b30f5 100644
--- a/crypto/aes_ti.c
+++ b/crypto/aes_ti.c
@@ -269,6 +269,7 @@ static void aesti_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
 	const u32 *rkp = ctx->key_enc + 4;
 	int rounds = 6 + ctx->key_length / 4;
 	u32 st0[4], st1[4];
+	unsigned long flags;
 	int round;
 
 	st0[0] = ctx->key_enc[0] ^ get_unaligned_le32(in);
@@ -276,6 +277,12 @@ static void aesti_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
 	st0[2] = ctx->key_enc[2] ^ get_unaligned_le32(in + 8);
 	st0[3] = ctx->key_enc[3] ^ get_unaligned_le32(in + 12);
 
+	/*
+	 * Temporarily disable interrupts to avoid races where cachelines are
+	 * evicted when the CPU is interrupted to do something else.
+	 */
+	local_irq_save(flags);
+
 	st0[0] ^= __aesti_sbox[ 0] ^ __aesti_sbox[128];
 	st0[1] ^= __aesti_sbox[32] ^ __aesti_sbox[160];
 	st0[2] ^= __aesti_sbox[64] ^ __aesti_sbox[192];
@@ -300,6 +307,8 @@ static void aesti_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
 	put_unaligned_le32(subshift(st1, 1) ^ rkp[5], out + 4);
 	put_unaligned_le32(subshift(st1, 2) ^ rkp[6], out + 8);
 	put_unaligned_le32(subshift(st1, 3) ^ rkp[7], out + 12);
+
+	local_irq_restore(flags);
 }
 
 static void aesti_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
@@ -308,6 +317,7 @@ static void aesti_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
 	const u32 *rkp = ctx->key_dec + 4;
 	int rounds = 6 + ctx->key_length / 4;
 	u32 st0[4], st1[4];
+	unsigned long flags;
 	int round;
 
 	st0[0] = ctx->key_dec[0] ^ get_unaligned_le32(in);
@@ -315,6 +325,12 @@ static void aesti_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
 	st0[2] = ctx->key_dec[2] ^ get_unaligned_le32(in + 8);
 	st0[3] = ctx->key_dec[3] ^ get_unaligned_le32(in + 12);
 
+	/*
+	 * Temporarily disable interrupts to avoid races where cachelines are
+	 * evicted when the CPU is interrupted to do something else.
+	 */
+	local_irq_save(flags);
+
 	st0[0] ^= __aesti_inv_sbox[ 0] ^ __aesti_inv_sbox[128];
 	st0[1] ^= __aesti_inv_sbox[32] ^ __aesti_inv_sbox[160];
 	st0[2] ^= __aesti_inv_sbox[64] ^ __aesti_inv_sbox[192];
@@ -339,6 +355,8 @@ static void aesti_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
 	put_unaligned_le32(inv_subshift(st1, 1) ^ rkp[5], out + 4);
 	put_unaligned_le32(inv_subshift(st1, 2) ^ rkp[6], out + 8);
 	put_unaligned_le32(inv_subshift(st1, 3) ^ rkp[7], out + 12);
+
+	local_irq_restore(flags);
 }
 
 static struct crypto_alg aes_alg = {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 017/205] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 016/205] crypto: aes_ti - disable interrupts while accessing S-box Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 018/205] serial: fsl_lpuart: clear parity enable bit when disable parity Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Boris Brezillon, Eric Anholt, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0560054da5673b25d56bea6c57c8d069673af73b ]

For the YUV conversion to work properly, ->x_scaling[1] should never
be set to VC4_SCALING_NONE, but vc4_get_scaling_mode() might return
VC4_SCALING_NONE if the horizontal scaling ratio exactly matches the
horizontal subsampling factor. Add a test to turn VC4_SCALING_NONE
into VC4_SCALING_PPF when that happens.

The old ->x_scaling[0] adjustment is dropped as I couldn't find any
mention to this constraint in the spec and it's proven to be
unnecessary (I tested various multi-planar YUV formats with scaling
disabled, and all of them worked fine without this adjustment).

Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20181109102633.32603-1-boris.brezillon@bootlin.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/vc4/vc4_plane.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
index 5bd3c2ef0067..6277a3f2d5d1 100644
--- a/drivers/gpu/drm/vc4/vc4_plane.c
+++ b/drivers/gpu/drm/vc4/vc4_plane.c
@@ -347,12 +347,14 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
 			vc4_get_scaling_mode(vc4_state->src_h[1],
 					     vc4_state->crtc_h);
 
-		/* YUV conversion requires that horizontal scaling be enabled,
-		 * even on a plane that's otherwise 1:1. Looks like only PPF
-		 * works in that case, so let's pick that one.
+		/* YUV conversion requires that horizontal scaling be enabled
+		 * on the UV plane even if vc4_get_scaling_mode() returned
+		 * VC4_SCALING_NONE (which can happen when the down-scaling
+		 * ratio is 0.5). Let's force it to VC4_SCALING_PPF in this
+		 * case.
 		 */
-		if (vc4_state->is_unity)
-			vc4_state->x_scaling[0] = VC4_SCALING_PPF;
+		if (vc4_state->x_scaling[1] == VC4_SCALING_NONE)
+			vc4_state->x_scaling[1] = VC4_SCALING_PPF;
 	} else {
 		vc4_state->is_yuv = false;
 		vc4_state->x_scaling[1] = VC4_SCALING_NONE;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 018/205] serial: fsl_lpuart: clear parity enable bit when disable parity
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 017/205] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 019/205] ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Andy Duan,
	Fabio Estevam, Uwe Kleine-König, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 397bd9211fe014b347ca8f95a8f4e1017bac1aeb ]

Current driver only enable parity enable bit and never clear it
when user set the termios. The fix clear the parity enable bit when
PARENB flag is not set in termios->c_cflag.

Cc: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Andy Duan <fugang.duan@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/fsl_lpuart.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
index fd64ac2c1a74..716c33b2a11c 100644
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1482,6 +1482,8 @@ lpuart_set_termios(struct uart_port *port, struct ktermios *termios,
 			else
 				cr1 &= ~UARTCR1_PT;
 		}
+	} else {
+		cr1 &= ~UARTCR1_PE;
 	}
 
 	/* ask the core to calculate the divisor */
@@ -1694,6 +1696,8 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios,
 			else
 				ctrl &= ~UARTCTRL_PT;
 		}
+	} else {
+		ctrl &= ~UARTCTRL_PE;
 	}
 
 	/* ask the core to calculate the divisor */
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 019/205] ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 018/205] serial: fsl_lpuart: clear parity enable bit when disable parity Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 020/205] MIPS: Boston: Disable EG20T prefetch Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Richard Cochran, Jacob Keller,
	Miroslav Lichvar, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 83d0bdc7390b890905634186baaa294475cd6a06 ]

If a gettime64 call fails, return the error and avoid copying data back
to user.

Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ptp/ptp_chardev.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index a421d6c551b6..ecb41eacd74b 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -228,7 +228,9 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg)
 			pct->sec = ts.tv_sec;
 			pct->nsec = ts.tv_nsec;
 			pct++;
-			ptp->info->gettime64(ptp->info, &ts);
+			err = ptp->info->gettime64(ptp->info, &ts);
+			if (err)
+				goto out;
 			pct->sec = ts.tv_sec;
 			pct->nsec = ts.tv_nsec;
 			pct++;
@@ -281,6 +283,7 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg)
 		break;
 	}
 
+out:
 	kfree(sysoff);
 	return err;
 }
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 020/205] MIPS: Boston: Disable EG20T prefetch
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 019/205] ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:16 ` [PATCH 4.14 021/205] staging:iio:ad2s90: Make probe handle spi_setup failure Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Burton, linux-mips, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5ec17af7ead09701e23d2065e16db6ce4e137289 ]

The Intel EG20T Platform Controller Hub used on the MIPS Boston
development board supports prefetching memory to optimize DMA transfers.
Unfortunately for unknown reasons this doesn't work well with some MIPS
CPUs such as the P6600, particularly when using an I/O Coherence Unit
(IOCU) to provide cache-coherent DMA. In these systems it is common for
DMA data to be lost, resulting in broken access to EG20T devices such as
the MMC or SATA controllers.

Support for a DT property to configure the prefetching was added a while
back by commit 549ce8f134bd ("misc: pch_phub: Read prefetch value from
device tree if passed") but we never added the DT snippet to make use of
it. Add that now in order to disable the prefetching & fix DMA on the
affected systems.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/21068/
Cc: linux-mips@linux-mips.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/boot/dts/img/boston.dts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/mips/boot/dts/img/boston.dts b/arch/mips/boot/dts/img/boston.dts
index f7aad80c69ab..bebb0fa21369 100644
--- a/arch/mips/boot/dts/img/boston.dts
+++ b/arch/mips/boot/dts/img/boston.dts
@@ -141,6 +141,12 @@
 				#size-cells = <2>;
 				#interrupt-cells = <1>;
 
+				eg20t_phub@2,0,0 {
+					compatible = "pci8086,8801";
+					reg = <0x00020000 0 0 0 0>;
+					intel,eg20t-prefetch = <0>;
+				};
+
 				eg20t_mac@2,0,1 {
 					compatible = "pci8086,8802";
 					reg = <0x00020100 0 0 0 0>;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 021/205] staging:iio:ad2s90: Make probe handle spi_setup failure
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 020/205] MIPS: Boston: Disable EG20T prefetch Greg Kroah-Hartman
@ 2019-02-11 14:16 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 022/205] fpga: altera-cvp: Fix registration for CvP incapable devices Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matheus Tavares, Jonathan Cameron,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit b3a3eafeef769c6982e15f83631dcbf8d1794efb ]

Previously, ad2s90_probe ignored the return code from spi_setup, not
handling its possible failure. This patch makes ad2s90_probe check if
the code is an error code and, if so, do the following:

- Call dev_err with an appropriate error message.
- Return the spi_setup's error code.

Note: The 'return ret' statement could be out of the 'if' block, but
this whole block will be moved up in the function in the patch:
'staging:iio:ad2s90: Move device registration to the end of probe'.

Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/iio/resolver/ad2s90.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/iio/resolver/ad2s90.c b/drivers/staging/iio/resolver/ad2s90.c
index b2270908f26f..cbee9ad00f0d 100644
--- a/drivers/staging/iio/resolver/ad2s90.c
+++ b/drivers/staging/iio/resolver/ad2s90.c
@@ -86,7 +86,12 @@ static int ad2s90_probe(struct spi_device *spi)
 	/* need 600ns between CS and the first falling edge of SCLK */
 	spi->max_speed_hz = 830000;
 	spi->mode = SPI_MODE_3;
-	spi_setup(spi);
+	ret = spi_setup(spi);
+
+	if (ret < 0) {
+		dev_err(&spi->dev, "spi_setup failed!\n");
+		return ret;
+	}
 
 	return 0;
 }
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 022/205] fpga: altera-cvp: Fix registration for CvP incapable devices
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-02-11 14:16 ` [PATCH 4.14 021/205] staging:iio:ad2s90: Make probe handle spi_setup failure Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 023/205] Tools: hv: kvp: Fix a warning of buffer overflow with gcc 8.0.1 Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andreas Puhm, Anatolij Gustschin,
	Moritz Fischer, Alan Tull, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 68f60538daa4bc3da5d0764d46f391916fba20fd ]

The probe function needs to verify the CvP enable bit in order to
properly determine if FPGA Manager functionality can be safely
enabled.

Fixes: 34d1dc17ce97 ("fpga manager: Add Altera CvP driver")
Signed-off-by: Andreas Puhm <puhm@oregano.at>
Signed-off-by: Anatolij Gustschin <agust@denx.de>
Reviewed-by: Moritz Fischer <mdf@kernel.org>
Acked-by: Alan Tull <atull@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/fpga/altera-cvp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/fpga/altera-cvp.c b/drivers/fpga/altera-cvp.c
index 00e73d28077c..b7558acd1a66 100644
--- a/drivers/fpga/altera-cvp.c
+++ b/drivers/fpga/altera-cvp.c
@@ -404,6 +404,7 @@ static int altera_cvp_probe(struct pci_dev *pdev,
 {
 	struct altera_cvp_conf *conf;
 	u16 cmd, val;
+	u32 regval;
 	int ret;
 
 	/*
@@ -417,6 +418,14 @@ static int altera_cvp_probe(struct pci_dev *pdev,
 		return -ENODEV;
 	}
 
+	pci_read_config_dword(pdev, VSE_CVP_STATUS, &regval);
+	if (!(regval & VSE_CVP_STATUS_CVP_EN)) {
+		dev_err(&pdev->dev,
+			"CVP is disabled for this device: CVP_STATUS Reg 0x%x\n",
+			regval);
+		return -ENODEV;
+	}
+
 	conf = devm_kzalloc(&pdev->dev, sizeof(*conf), GFP_KERNEL);
 	if (!conf)
 		return -ENOMEM;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 023/205] Tools: hv: kvp: Fix a warning of buffer overflow with gcc 8.0.1
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 022/205] fpga: altera-cvp: Fix registration for CvP incapable devices Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 024/205] platform/chrome: dont report EC_MKBP_EVENT_SENSOR_FIFO as wakeup Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dexuan Cui, K. Y. Srinivasan,
	Haiyang Zhang, Stephen Hemminger, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4fcba7802c3e15a6e56e255871d6c72f829b9dd8 ]

The patch fixes:

hv_kvp_daemon.c: In function 'kvp_set_ip_info':
hv_kvp_daemon.c:1305:2: note: 'snprintf' output between 41 and 4136 bytes
into a destination of size 4096

The "(unsigned int)str_len" is to avoid:

hv_kvp_daemon.c:1309:30: warning: comparison of integer expressions of
different signedness: 'int' and 'long unsigned int' [-Wsign-compare]

Signed-off-by: Dexuan Cui <decui@microsoft.com>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/hv/hv_kvp_daemon.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c
index 3965186b375a..62c9a503ae05 100644
--- a/tools/hv/hv_kvp_daemon.c
+++ b/tools/hv/hv_kvp_daemon.c
@@ -1172,6 +1172,7 @@ static int kvp_set_ip_info(char *if_name, struct hv_kvp_ipaddr_value *new_val)
 	FILE *file;
 	char cmd[PATH_MAX];
 	char *mac_addr;
+	int str_len;
 
 	/*
 	 * Set the configuration for the specified interface with
@@ -1295,8 +1296,18 @@ static int kvp_set_ip_info(char *if_name, struct hv_kvp_ipaddr_value *new_val)
 	 * invoke the external script to do its magic.
 	 */
 
-	snprintf(cmd, sizeof(cmd), KVP_SCRIPTS_PATH "%s %s",
-		 "hv_set_ifconfig", if_file);
+	str_len = snprintf(cmd, sizeof(cmd), KVP_SCRIPTS_PATH "%s %s",
+			   "hv_set_ifconfig", if_file);
+	/*
+	 * This is a little overcautious, but it's necessary to suppress some
+	 * false warnings from gcc 8.0.1.
+	 */
+	if (str_len <= 0 || (unsigned int)str_len >= sizeof(cmd)) {
+		syslog(LOG_ERR, "Cmd '%s' (len=%d) may be too long",
+		       cmd, str_len);
+		return HV_E_FAIL;
+	}
+
 	if (system(cmd)) {
 		syslog(LOG_ERR, "Failed to execute cmd '%s'; error: %d %s",
 				cmd, errno, strerror(errno));
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 024/205] platform/chrome: dont report EC_MKBP_EVENT_SENSOR_FIFO as wakeup
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 023/205] Tools: hv: kvp: Fix a warning of buffer overflow with gcc 8.0.1 Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 025/205] staging: iio: ad7780: update voltage on read Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Norris, Benson Leung, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6ad16b78a039b45294b1ad5d69c14ac57b2fe706 ]

EC_MKBP_EVENT_SENSOR_FIFO events can be triggered for a variety of
reasons, and there are very few cases in which they should be treated as
wakeup interrupts (particularly, when a certain
MOTIONSENSE_MODULE_FLAG_* is set, but this is not even supported in the
mainline cros_ec_sensor driver yet). Most of the time, they are benign
sensor readings. In any case, the top-level cros_ec device doesn't know
enough to determine that they should wake the system, and so it should
not report the event. This would be the job of the cros_ec_sensors
driver to parse.

This patch adds checks to cros_ec_get_next_event() such that it doesn't
signal 'wakeup' for events of type EC_MKBP_EVENT_SENSOR_FIFO.

This patch is particularly relevant on devices like Scarlet (Rockchip
RK3399 tablet, known as Acer Chromebook Tab 10), where the EC firmware
reports sensor events much more frequently. This was causing
/sys/power/wakeup_count to increase very frequently, often needlessly
interrupting our ability to suspend the system.

Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/chrome/cros_ec_proto.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/platform/chrome/cros_ec_proto.c b/drivers/platform/chrome/cros_ec_proto.c
index e7bbdf947bbc..2ac4a7178470 100644
--- a/drivers/platform/chrome/cros_ec_proto.c
+++ b/drivers/platform/chrome/cros_ec_proto.c
@@ -551,6 +551,7 @@ static int get_keyboard_state_event(struct cros_ec_device *ec_dev)
 
 int cros_ec_get_next_event(struct cros_ec_device *ec_dev, bool *wake_event)
 {
+	u8 event_type;
 	u32 host_event;
 	int ret;
 
@@ -570,11 +571,22 @@ int cros_ec_get_next_event(struct cros_ec_device *ec_dev, bool *wake_event)
 		return ret;
 
 	if (wake_event) {
+		event_type = ec_dev->event_data.event_type;
 		host_event = cros_ec_get_host_event(ec_dev);
 
-		/* Consider non-host_event as wake event */
-		*wake_event = !host_event ||
-			      !!(host_event & ec_dev->host_event_wake_mask);
+		/*
+		 * Sensor events need to be parsed by the sensor sub-device.
+		 * Defer them, and don't report the wakeup here.
+		 */
+		if (event_type == EC_MKBP_EVENT_SENSOR_FIFO)
+			*wake_event = false;
+		/* Masked host-events should not count as wake events. */
+		else if (host_event &&
+			 !(host_event & ec_dev->host_event_wake_mask))
+			*wake_event = false;
+		/* Consider all other events as wake events. */
+		else
+			*wake_event = true;
 	}
 
 	return ret;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 025/205] staging: iio: ad7780: update voltage on read
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 024/205] platform/chrome: dont report EC_MKBP_EVENT_SENSOR_FIFO as wakeup Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 026/205] usbnet: smsc95xx: fix rx packet alignment Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Renato Lui Geh, Alexandru Ardelean,
	Jonathan Cameron, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 336650c785b62c3bea7c8cf6061c933a90241f67 ]

The ad7780 driver previously did not read the correct device output, as
it read an outdated value set at initialization. It now updates its
voltage on read.

Signed-off-by: Renato Lui Geh <renatogeh@gmail.com>
Acked-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/iio/adc/ad7780.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/iio/adc/ad7780.c b/drivers/staging/iio/adc/ad7780.c
index dec3ba6eba8a..52613f6a9dd8 100644
--- a/drivers/staging/iio/adc/ad7780.c
+++ b/drivers/staging/iio/adc/ad7780.c
@@ -87,12 +87,16 @@ static int ad7780_read_raw(struct iio_dev *indio_dev,
 			   long m)
 {
 	struct ad7780_state *st = iio_priv(indio_dev);
+	int voltage_uv;
 
 	switch (m) {
 	case IIO_CHAN_INFO_RAW:
 		return ad_sigma_delta_single_conversion(indio_dev, chan, val);
 	case IIO_CHAN_INFO_SCALE:
-		*val = st->int_vref_mv * st->gain;
+		voltage_uv = regulator_get_voltage(st->reg);
+		if (voltage_uv < 0)
+			return voltage_uv;
+		*val = (voltage_uv / 1000) * st->gain;
 		*val2 = chan->scan_type.realbits - 1;
 		return IIO_VAL_FRACTIONAL_LOG2;
 	case IIO_CHAN_INFO_OFFSET:
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 026/205] usbnet: smsc95xx: fix rx packet alignment
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 025/205] staging: iio: ad7780: update voltage on read Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 027/205] drm/rockchip: fix for mailbox read size Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Dooks, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 810eeb1f41a9a272eedc94ca18c072e75678ede4 ]

The smsc95xx driver already takes into account the NET_IP_ALIGN
parameter when setting up the receive packet data, which means
we do not need to worry about aligning the packets in the usbnet
driver.

Adding the EVENT_NO_IP_ALIGN means that the IPv4 header is now
passed to the ip_rcv() routine with the start on an aligned address.

Tested on Raspberry Pi B3.

Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/smsc95xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
index 2f65975a121f..fc48da1c702d 100644
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -1295,6 +1295,7 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
 		dev->net->features |= NETIF_F_RXCSUM;
 
 	dev->net->hw_features = NETIF_F_IP_CSUM | NETIF_F_RXCSUM;
+	set_bit(EVENT_NO_IP_ALIGN, &dev->flags);
 
 	smsc95xx_init_mac_address(dev);
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 027/205] drm/rockchip: fix for mailbox read size
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 026/205] usbnet: smsc95xx: fix rx packet alignment Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 028/205] ARM: OMAP2+: hwmod: Fix some section annotations Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Damian Kos, Heiko Stuebner, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit fa68d4f8476bea4cdf441062b614b41bb85ef1da ]

Some of the functions (like cdn_dp_dpcd_read, cdn_dp_get_edid_block)
allow to read 64KiB, but the cdn_dp_mailbox_read_receive, that is
used by them, can read only up to 255 bytes at once. Normally, it's
not a big issue as DPCD or EDID reads won't (hopefully) exceed that
value.
The real issue here is the revocation list read during the HDCP
authentication process. (problematic use case:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/chromeos-4.4/drivers/gpu/drm/rockchip/cdn-dp-reg.c#1152)
The list can reach 127*5+4 bytes (num devs * 5 bytes per ID/Bksv +
4 bytes of an additional info).
In other words - CTSes with HDCP Repeater won't pass without this
fix. Oh, and the driver will most likely stop working (best case
scenario).

Signed-off-by: Damian Kos <dkos@cadence.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/1541518625-25984-1-git-send-email-dkos@cadence.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/rockchip/cdn-dp-reg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
index b14d211f6c21..0ed7e91471f6 100644
--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
@@ -147,7 +147,7 @@ static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp,
 }
 
 static int cdn_dp_mailbox_read_receive(struct cdn_dp_device *dp,
-				       u8 *buff, u8 buff_size)
+				       u8 *buff, u16 buff_size)
 {
 	u32 i;
 	int ret;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 028/205] ARM: OMAP2+: hwmod: Fix some section annotations
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 027/205] drm/rockchip: fix for mailbox read size Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 029/205] net/mlx5: EQ, Use the right place to store/read IRQ affinity hint Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Tony Lindgren,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c10b26abeb53cabc1e6271a167d3f3d396ce0218 ]

When building the kernel with Clang, the following section mismatch
warnings appears:

WARNING: vmlinux.o(.text+0x2d398): Section mismatch in reference from
the function _setup() to the function .init.text:_setup_iclk_autoidle()
The function _setup() references
the function __init _setup_iclk_autoidle().
This is often because _setup lacks a __init
annotation or the annotation of _setup_iclk_autoidle is wrong.

WARNING: vmlinux.o(.text+0x2d3a0): Section mismatch in reference from
the function _setup() to the function .init.text:_setup_reset()
The function _setup() references
the function __init _setup_reset().
This is often because _setup lacks a __init
annotation or the annotation of _setup_reset is wrong.

WARNING: vmlinux.o(.text+0x2d408): Section mismatch in reference from
the function _setup() to the function .init.text:_setup_postsetup()
The function _setup() references
the function __init _setup_postsetup().
This is often because _setup lacks a __init
annotation or the annotation of _setup_postsetup is wrong.

_setup is used in omap_hwmod_allocate_module, which isn't marked __init
and looks like it shouldn't be, meaning to fix these warnings, those
functions must be moved out of the init section, which this patch does.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-omap2/omap_hwmod.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
index 2dbd63239c54..45c8f2ef4e23 100644
--- a/arch/arm/mach-omap2/omap_hwmod.c
+++ b/arch/arm/mach-omap2/omap_hwmod.c
@@ -2497,7 +2497,7 @@ static int __init _init(struct omap_hwmod *oh, void *data)
  * a stub; implementing this properly requires iclk autoidle usecounting in
  * the clock code.   No return value.
  */
-static void __init _setup_iclk_autoidle(struct omap_hwmod *oh)
+static void _setup_iclk_autoidle(struct omap_hwmod *oh)
 {
 	struct omap_hwmod_ocp_if *os;
 
@@ -2528,7 +2528,7 @@ static void __init _setup_iclk_autoidle(struct omap_hwmod *oh)
  * reset.  Returns 0 upon success or a negative error code upon
  * failure.
  */
-static int __init _setup_reset(struct omap_hwmod *oh)
+static int _setup_reset(struct omap_hwmod *oh)
 {
 	int r;
 
@@ -2589,7 +2589,7 @@ static int __init _setup_reset(struct omap_hwmod *oh)
  *
  * No return value.
  */
-static void __init _setup_postsetup(struct omap_hwmod *oh)
+static void _setup_postsetup(struct omap_hwmod *oh)
 {
 	u8 postsetup_state;
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 029/205] net/mlx5: EQ, Use the right place to store/read IRQ affinity hint
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 028/205] ARM: OMAP2+: hwmod: Fix some section annotations Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 030/205] modpost: validate symbol names also in find_elf_symbol Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Saeed Mahameed, Leon Romanovsky,
	Tariq Toukan, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1e86ace4c140fd5a693e266c9b23409358f25381 ]

Currently the cpu affinity hint mask for completion EQs is stored and
read from the wrong place, since reading and storing is done from the
same index, there is no actual issue with that, but internal irq_info
for completion EQs stars at MLX5_EQ_VEC_COMP_BASE offset in irq_info
array, this patch changes the code to use the correct offset to store
and read the IRQ affinity hint.

Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c |  2 +-
 drivers/net/ethernet/mellanox/mlx5/core/main.c    | 14 ++++++++------
 include/linux/mlx5/driver.h                       |  2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index bf34264c734b..14bab8a5550d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -1605,7 +1605,7 @@ static void mlx5e_close_cq(struct mlx5e_cq *cq)
 
 static int mlx5e_get_cpu(struct mlx5e_priv *priv, int ix)
 {
-	return cpumask_first(priv->mdev->priv.irq_info[ix].mask);
+	return cpumask_first(priv->mdev->priv.irq_info[ix + MLX5_EQ_VEC_COMP_BASE].mask);
 }
 
 static int mlx5e_open_tx_cqs(struct mlx5e_channel *c,
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index e99f1382a4f0..558fc6a05e2a 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -619,18 +619,19 @@ u64 mlx5_read_internal_timer(struct mlx5_core_dev *dev)
 static int mlx5_irq_set_affinity_hint(struct mlx5_core_dev *mdev, int i)
 {
 	struct mlx5_priv *priv  = &mdev->priv;
-	int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i);
+	int vecidx = MLX5_EQ_VEC_COMP_BASE + i;
+	int irq = pci_irq_vector(mdev->pdev, vecidx);
 
-	if (!zalloc_cpumask_var(&priv->irq_info[i].mask, GFP_KERNEL)) {
+	if (!zalloc_cpumask_var(&priv->irq_info[vecidx].mask, GFP_KERNEL)) {
 		mlx5_core_warn(mdev, "zalloc_cpumask_var failed");
 		return -ENOMEM;
 	}
 
 	cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node),
-			priv->irq_info[i].mask);
+			priv->irq_info[vecidx].mask);
 
 	if (IS_ENABLED(CONFIG_SMP) &&
-	    irq_set_affinity_hint(irq, priv->irq_info[i].mask))
+	    irq_set_affinity_hint(irq, priv->irq_info[vecidx].mask))
 		mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq);
 
 	return 0;
@@ -638,11 +639,12 @@ static int mlx5_irq_set_affinity_hint(struct mlx5_core_dev *mdev, int i)
 
 static void mlx5_irq_clear_affinity_hint(struct mlx5_core_dev *mdev, int i)
 {
+	int vecidx = MLX5_EQ_VEC_COMP_BASE + i;
 	struct mlx5_priv *priv  = &mdev->priv;
-	int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i);
+	int irq = pci_irq_vector(mdev->pdev, vecidx);
 
 	irq_set_affinity_hint(irq, NULL);
-	free_cpumask_var(priv->irq_info[i].mask);
+	free_cpumask_var(priv->irq_info[vecidx].mask);
 }
 
 static int mlx5_irq_set_affinity_hints(struct mlx5_core_dev *mdev)
diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
index fb677e4f902d..88f0c530fe9c 100644
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -1195,7 +1195,7 @@ enum {
 static inline const struct cpumask *
 mlx5_get_vector_affinity_hint(struct mlx5_core_dev *dev, int vector)
 {
-	return dev->priv.irq_info[vector].mask;
+	return dev->priv.irq_info[vector + MLX5_EQ_VEC_COMP_BASE].mask;
 }
 
 #endif /* MLX5_DRIVER_H */
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 030/205] modpost: validate symbol names also in find_elf_symbol
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 029/205] net/mlx5: EQ, Use the right place to store/read IRQ affinity hint Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 031/205] perf tools: Add Hygon Dhyana support Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sami Tolvanen, Masahiro Yamada, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5818c683a619c534c113e1f66d24f636defc29bc ]

If an ARM mapping symbol shares an address with a valid symbol,
find_elf_symbol can currently return the mapping symbol instead, as the
symbol is not validated. This can result in confusing warnings:

  WARNING: vmlinux.o(.text+0x18f4028): Section mismatch in reference
  from the function set_reset_devices() to the variable .init.text:$x.0

This change adds a call to is_valid_name to find_elf_symbol, similarly
to how it's already used in find_elf_symbol2.

Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/mod/modpost.c | 50 ++++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 18bc8738e989..e36a673833ae 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1215,6 +1215,30 @@ static int secref_whitelist(const struct sectioncheck *mismatch,
 	return 1;
 }
 
+static inline int is_arm_mapping_symbol(const char *str)
+{
+	return str[0] == '$' && strchr("axtd", str[1])
+	       && (str[2] == '\0' || str[2] == '.');
+}
+
+/*
+ * If there's no name there, ignore it; likewise, ignore it if it's
+ * one of the magic symbols emitted used by current ARM tools.
+ *
+ * Otherwise if find_symbols_between() returns those symbols, they'll
+ * fail the whitelist tests and cause lots of false alarms ... fixable
+ * only by merging __exit and __init sections into __text, bloating
+ * the kernel (which is especially evil on embedded platforms).
+ */
+static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym)
+{
+	const char *name = elf->strtab + sym->st_name;
+
+	if (!name || !strlen(name))
+		return 0;
+	return !is_arm_mapping_symbol(name);
+}
+
 /**
  * Find symbol based on relocation record info.
  * In some cases the symbol supplied is a valid symbol so
@@ -1240,6 +1264,8 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
 			continue;
 		if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
 			continue;
+		if (!is_valid_name(elf, sym))
+			continue;
 		if (sym->st_value == addr)
 			return sym;
 		/* Find a symbol nearby - addr are maybe negative */
@@ -1258,30 +1284,6 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
 		return NULL;
 }
 
-static inline int is_arm_mapping_symbol(const char *str)
-{
-	return str[0] == '$' && strchr("axtd", str[1])
-	       && (str[2] == '\0' || str[2] == '.');
-}
-
-/*
- * If there's no name there, ignore it; likewise, ignore it if it's
- * one of the magic symbols emitted used by current ARM tools.
- *
- * Otherwise if find_symbols_between() returns those symbols, they'll
- * fail the whitelist tests and cause lots of false alarms ... fixable
- * only by merging __exit and __init sections into __text, bloating
- * the kernel (which is especially evil on embedded platforms).
- */
-static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym)
-{
-	const char *name = elf->strtab + sym->st_name;
-
-	if (!name || !strlen(name))
-		return 0;
-	return !is_arm_mapping_symbol(name);
-}
-
 /*
  * Find symbols before or equal addr and after addr - in the section sec.
  * If we find two symbols with equal offset prefer one with a valid name.
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 031/205] perf tools: Add Hygon Dhyana support
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 030/205] modpost: validate symbol names also in find_elf_symbol Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 032/205] soc/tegra: Dont leak device tree node reference Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pu Wen, Borislav Petkov,
	Alexander Shishkin, Jiri Olsa, Namhyung Kim, Peter Zijlstra,
	Thomas Gleixner, Arnaldo Carvalho de Melo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4787eff3fa88f62fede6ed7afa06477ae6bf984d ]

The tool perf is useful for the performance analysis on the Hygon Dhyana
platform. But right now there is no Hygon support for it to analyze the
KVM guest os data. So add Hygon Dhyana support to it by checking vendor
string to share the code path of AMD.

Signed-off-by: Pu Wen <puwen@hygon.cn>
Acked-by: Borislav Petkov <bp@suse.de>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1542008451-31735-1-git-send-email-puwen@hygon.cn
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/arch/x86/util/kvm-stat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/arch/x86/util/kvm-stat.c b/tools/perf/arch/x86/util/kvm-stat.c
index b32409a0e546..081353d7b095 100644
--- a/tools/perf/arch/x86/util/kvm-stat.c
+++ b/tools/perf/arch/x86/util/kvm-stat.c
@@ -156,7 +156,7 @@ int cpu_isa_init(struct perf_kvm_stat *kvm, const char *cpuid)
 	if (strstr(cpuid, "Intel")) {
 		kvm->exit_reasons = vmx_exit_reasons;
 		kvm->exit_reasons_isa = "VMX";
-	} else if (strstr(cpuid, "AMD")) {
+	} else if (strstr(cpuid, "AMD") || strstr(cpuid, "Hygon")) {
 		kvm->exit_reasons = svm_exit_reasons;
 		kvm->exit_reasons_isa = "SVM";
 	} else
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 032/205] soc/tegra: Dont leak device tree node reference
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 031/205] perf tools: Add Hygon Dhyana support Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 033/205] media: mtk-vcodec: Release device nodes in mtk_vcodec_init_enc_pm() Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yangtao Li, Jon Hunter,
	Thierry Reding, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9eb40fa2cd2d1f6829e7b49bb22692f754b9cfe0 ]

of_find_node_by_path() acquires a reference to the node returned by it
and that reference needs to be dropped by its caller. soc_is_tegra()
doesn't do that, so fix it.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
[treding: slightly rewrite to avoid inline comparison]
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/tegra/common.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/soc/tegra/common.c b/drivers/soc/tegra/common.c
index cd8f41351add..7bfb154d6fa5 100644
--- a/drivers/soc/tegra/common.c
+++ b/drivers/soc/tegra/common.c
@@ -22,11 +22,15 @@ static const struct of_device_id tegra_machine_match[] = {
 
 bool soc_is_tegra(void)
 {
+	const struct of_device_id *match;
 	struct device_node *root;
 
 	root = of_find_node_by_path("/");
 	if (!root)
 		return false;
 
-	return of_match_node(tegra_machine_match, root) != NULL;
+	match = of_match_node(tegra_machine_match, root);
+	of_node_put(root);
+
+	return match != NULL;
 }
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 033/205] media: mtk-vcodec: Release device nodes in mtk_vcodec_init_enc_pm()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 032/205] soc/tegra: Dont leak device tree node reference Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 034/205] ptp: Fix pass zero to ERR_PTR() in ptp_clock_register Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Khoroshilov, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 8ea0f2ba0fa3f91ea1b8d823a54b042026ada6b3 ]

of_parse_phandle() returns the device node with refcount incremented.
There are two nodes that are used temporary in mtk_vcodec_init_enc_pm(),
but their refcounts are not decremented.

The patch adds one of_node_put() and fixes returning error codes.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c
index 3e73e9db781f..7c025045ea90 100644
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c
@@ -41,25 +41,27 @@ int mtk_vcodec_init_enc_pm(struct mtk_vcodec_dev *mtkdev)
 	node = of_parse_phandle(dev->of_node, "mediatek,larb", 0);
 	if (!node) {
 		mtk_v4l2_err("no mediatek,larb found");
-		return -1;
+		return -ENODEV;
 	}
 	pdev = of_find_device_by_node(node);
+	of_node_put(node);
 	if (!pdev) {
 		mtk_v4l2_err("no mediatek,larb device found");
-		return -1;
+		return -ENODEV;
 	}
 	pm->larbvenc = &pdev->dev;
 
 	node = of_parse_phandle(dev->of_node, "mediatek,larb", 1);
 	if (!node) {
 		mtk_v4l2_err("no mediatek,larb found");
-		return -1;
+		return -ENODEV;
 	}
 
 	pdev = of_find_device_by_node(node);
+	of_node_put(node);
 	if (!pdev) {
 		mtk_v4l2_err("no mediatek,larb device found");
-		return -1;
+		return -ENODEV;
 	}
 
 	pm->larbvenclt = &pdev->dev;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 034/205] ptp: Fix pass zero to ERR_PTR() in ptp_clock_register
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 033/205] media: mtk-vcodec: Release device nodes in mtk_vcodec_init_enc_pm() Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 035/205] dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, Richard Cochran,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit aea0a897af9e44c258e8ab9296fad417f1bc063a ]

Fix smatch warning:

drivers/ptp/ptp_clock.c:298 ptp_clock_register() warn:
 passing zero to 'ERR_PTR'

'err' should be set while device_create_with_groups and
pps_register_source fails

Fixes: 85a66e550195 ("ptp: create "pins" together with the rest of attributes")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ptp/ptp_clock.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 7eacc1c4b3b1..c64903a5978f 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -253,8 +253,10 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
 	ptp->dev = device_create_with_groups(ptp_class, parent, ptp->devid,
 					     ptp, ptp->pin_attr_groups,
 					     "ptp%d", ptp->index);
-	if (IS_ERR(ptp->dev))
+	if (IS_ERR(ptp->dev)) {
+		err = PTR_ERR(ptp->dev);
 		goto no_device;
+	}
 
 	/* Register a new PPS source. */
 	if (info->pps) {
@@ -265,6 +267,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
 		pps.owner = info->owner;
 		ptp->pps_source = pps_register_source(&pps, PTP_PPS_DEFAULTS);
 		if (!ptp->pps_source) {
+			err = -EINVAL;
 			pr_err("failed to register pps source\n");
 			goto no_pps;
 		}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 035/205] dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 034/205] ptp: Fix pass zero to ERR_PTR() in ptp_clock_register Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 036/205] iio: adc: meson-saradc: check for devm_kasprintf failure Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Nathan Chancellor,
	Vinod Koul, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit aeaebcc17cdf37065d2693865eeb1ff1c7dc5bf3 ]

Clang warns:

drivers/dma/xilinx/zynqmp_dma.c:166:4: warning: attribute 'aligned' is
ignored, place it after "struct" to apply attribute to type declaration
[-Wignored-attributes]
}; __aligned(64)
   ^
./include/linux/compiler_types.h:200:38: note: expanded from macro
'__aligned'
                                               ^
1 warning generated.

As Nick pointed out in the previous version of this patch, the author
likely intended for this struct to be 8-byte (64-bit) aligned, not
64-byte, which is the default. Remove the hanging __aligned attribute.

Fixes: b0cc417c1637 ("dmaengine: Add Xilinx zynqmp dma engine driver support")
Reported-by: Nick Desaulniers <ndesaulniers@google.com>
Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/xilinx/zynqmp_dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
index 5cc8ed31f26b..6d86d05e53aa 100644
--- a/drivers/dma/xilinx/zynqmp_dma.c
+++ b/drivers/dma/xilinx/zynqmp_dma.c
@@ -159,7 +159,7 @@ struct zynqmp_dma_desc_ll {
 	u32 ctrl;
 	u64 nxtdscraddr;
 	u64 rsvd;
-}; __aligned(64)
+};
 
 /**
  * struct zynqmp_dma_desc_sw - Per Transaction structure
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 036/205] iio: adc: meson-saradc: check for devm_kasprintf failure
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 035/205] dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 037/205] iio: adc: meson-saradc: fix internal clock names Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Mc Guire,
	Martin Blumenstingl, Jonathan Cameron, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit aad172b017617994343e36d8659c69e14cd694fd ]

devm_kasprintf() may return NULL on failure of internal allocation thus
the assignments to  init.name  are not safe if not checked. On error
meson_sar_adc_clk_init() returns negative values so -ENOMEM in the
(unlikely) failure case of devm_kasprintf() should be fine here.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs")
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/adc/meson_saradc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/iio/adc/meson_saradc.c b/drivers/iio/adc/meson_saradc.c
index 11484cb38b84..9a52a91166d2 100644
--- a/drivers/iio/adc/meson_saradc.c
+++ b/drivers/iio/adc/meson_saradc.c
@@ -585,6 +585,9 @@ static int meson_sar_adc_clk_init(struct iio_dev *indio_dev,
 
 	init.name = devm_kasprintf(&indio_dev->dev, GFP_KERNEL, "%pOF#adc_div",
 				   indio_dev->dev.of_node);
+	if (!init.name)
+		return -ENOMEM;
+
 	init.flags = 0;
 	init.ops = &clk_divider_ops;
 	clk_parents[0] = __clk_get_name(priv->clkin);
@@ -604,6 +607,9 @@ static int meson_sar_adc_clk_init(struct iio_dev *indio_dev,
 
 	init.name = devm_kasprintf(&indio_dev->dev, GFP_KERNEL, "%pOF#adc_en",
 				   indio_dev->dev.of_node);
+	if (!init.name)
+		return -ENOMEM;
+
 	init.flags = CLK_SET_RATE_PARENT;
 	init.ops = &clk_gate_ops;
 	clk_parents[0] = __clk_get_name(priv->adc_div_clk);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 037/205] iio: adc: meson-saradc: fix internal clock names
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 036/205] iio: adc: meson-saradc: check for devm_kasprintf failure Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 038/205] iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl,
	Jonathan Cameron, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 50314f98b0ac468218e7c9af8c99f215a35436df ]

Before this patch we are registering the internal clocks (for example on
Meson8b, where the SAR ADC IP block implements the divider and gate
clocks) with the following names:
- /soc/cbus@c1100000/adc@8680#adc_div
- /soc/cbus@c1100000/adc@8680#adc_en

This is bad because the common clock framework uses the clock to create
a directory in <debugfs>/clk. With such name, the directory creation
(silently) fails and the debugfs entry ends up being created at the
debugfs root.

With this change, the new clock names are:
- c1108680.adc#adc_div
- c1108680.adc#adc_en

This matches the clock naming scheme used in the PWM, Ethernet and MMC
drivers. It also fixes the problem with debugfs.
The idea is shamelessly taken from commit b96e9eb62841c5 ("pwm: meson:
Fix mux clock names").

Fixes: 3921db46a8c5bc ("iio: Convert to using %pOF instead of full_name")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/adc/meson_saradc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/iio/adc/meson_saradc.c b/drivers/iio/adc/meson_saradc.c
index 9a52a91166d2..2515badf8b28 100644
--- a/drivers/iio/adc/meson_saradc.c
+++ b/drivers/iio/adc/meson_saradc.c
@@ -583,8 +583,8 @@ static int meson_sar_adc_clk_init(struct iio_dev *indio_dev,
 	struct clk_init_data init;
 	const char *clk_parents[1];
 
-	init.name = devm_kasprintf(&indio_dev->dev, GFP_KERNEL, "%pOF#adc_div",
-				   indio_dev->dev.of_node);
+	init.name = devm_kasprintf(&indio_dev->dev, GFP_KERNEL, "%s#adc_div",
+				   dev_name(indio_dev->dev.parent));
 	if (!init.name)
 		return -ENOMEM;
 
@@ -605,8 +605,8 @@ static int meson_sar_adc_clk_init(struct iio_dev *indio_dev,
 	if (WARN_ON(IS_ERR(priv->adc_div_clk)))
 		return PTR_ERR(priv->adc_div_clk);
 
-	init.name = devm_kasprintf(&indio_dev->dev, GFP_KERNEL, "%pOF#adc_en",
-				   indio_dev->dev.of_node);
+	init.name = devm_kasprintf(&indio_dev->dev, GFP_KERNEL, "%s#adc_en",
+				   dev_name(indio_dev->dev.parent));
 	if (!init.name)
 		return -ENOMEM;
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 038/205] iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 037/205] iio: adc: meson-saradc: fix internal clock names Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 039/205] media: adv*/tc358743/ths8200: fill in min width/height/pixelclock Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Jonathan Cameron, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 7f6232e69539971cf9eaed07a6c14ab4a2361133 ]

Various 2-in-1's use KIOX010A and KIOX020A as HIDs for 2 KXCJ91008
accelerometers. The KIOX010A HID is for the one in the base and the
KIOX020A for the accelerometer in the keyboard.

Since userspace does not have a way yet to deal with (or ignore) the
accelerometer in the keyboard, this commit just adds the KIOX010A HID
for now so that display rotation will work.

Related: https://github.com/hadess/iio-sensor-proxy/issues/166
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/accel/kxcjk-1013.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c
index 3f968c46e667..784636800361 100644
--- a/drivers/iio/accel/kxcjk-1013.c
+++ b/drivers/iio/accel/kxcjk-1013.c
@@ -1393,6 +1393,7 @@ static const struct acpi_device_id kx_acpi_match[] = {
 	{"KXCJ1008", KXCJ91008},
 	{"KXCJ9000", KXCJ91008},
 	{"KIOX000A", KXCJ91008},
+	{"KIOX010A", KXCJ91008}, /* KXCJ91008 inside the display of a 2-in-1 */
 	{"KXTJ1009", KXTJ21009},
 	{"SMO8500",  KXCJ91008},
 	{ },
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 039/205] media: adv*/tc358743/ths8200: fill in min width/height/pixelclock
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 038/205] iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 040/205] ACPI: SPCR: Consider baud rate 0 as preconfigured state Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Mauro Carvalho Chehab,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 2912289a518077ddb8214e05336700148e97e235 ]

The v4l2_dv_timings_cap struct is used to do sanity checks when setting and
enumerating DV timings, ensuring that only valid timings as per the HW
capabilities are allowed.

However, many drivers just filled in 0 for the minimum width, height or
pixelclock frequency. This can cause timings with e.g. 0 as width and height
to be accepted, which will in turn lead to a potential division by zero.

Fill in proper values are minimum boundaries. 640x350 was chosen since it is
the smallest resolution in v4l2-dv-timings.h. Same for 13 MHz as the lowest
pixelclock frequency (it's slightly below the minimum of 13.5 MHz in the
v4l2-dv-timings.h header).

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/ad9389b.c  | 2 +-
 drivers/media/i2c/adv7511.c  | 2 +-
 drivers/media/i2c/adv7604.c  | 4 ++--
 drivers/media/i2c/adv7842.c  | 4 ++--
 drivers/media/i2c/tc358743.c | 2 +-
 drivers/media/i2c/ths8200.c  | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/media/i2c/ad9389b.c b/drivers/media/i2c/ad9389b.c
index a056d6cdaaaa..f0b200ae2127 100644
--- a/drivers/media/i2c/ad9389b.c
+++ b/drivers/media/i2c/ad9389b.c
@@ -590,7 +590,7 @@ static const struct v4l2_dv_timings_cap ad9389b_timings_cap = {
 	.type = V4L2_DV_BT_656_1120,
 	/* keep this initialization for compatibility with GCC < 4.4.6 */
 	.reserved = { 0 },
-	V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000,
+	V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000,
 		V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
 			V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
 		V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511.c
index 2817bafc67bf..80c20404334a 100644
--- a/drivers/media/i2c/adv7511.c
+++ b/drivers/media/i2c/adv7511.c
@@ -142,7 +142,7 @@ static const struct v4l2_dv_timings_cap adv7511_timings_cap = {
 	.type = V4L2_DV_BT_656_1120,
 	/* keep this initialization for compatibility with GCC < 4.4.6 */
 	.reserved = { 0 },
-	V4L2_INIT_BT_TIMINGS(0, ADV7511_MAX_WIDTH, 0, ADV7511_MAX_HEIGHT,
+	V4L2_INIT_BT_TIMINGS(640, ADV7511_MAX_WIDTH, 350, ADV7511_MAX_HEIGHT,
 		ADV7511_MIN_PIXELCLOCK, ADV7511_MAX_PIXELCLOCK,
 		V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
 			V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
index f289b8aca1da..d2108aad3c65 100644
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -778,7 +778,7 @@ static const struct v4l2_dv_timings_cap adv7604_timings_cap_analog = {
 	.type = V4L2_DV_BT_656_1120,
 	/* keep this initialization for compatibility with GCC < 4.4.6 */
 	.reserved = { 0 },
-	V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000,
+	V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000,
 		V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
 			V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
 		V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
@@ -789,7 +789,7 @@ static const struct v4l2_dv_timings_cap adv76xx_timings_cap_digital = {
 	.type = V4L2_DV_BT_656_1120,
 	/* keep this initialization for compatibility with GCC < 4.4.6 */
 	.reserved = { 0 },
-	V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 225000000,
+	V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 225000000,
 		V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
 			V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
 		V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
index 65f34e7e146f..f9c23173c9fa 100644
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -676,7 +676,7 @@ static const struct v4l2_dv_timings_cap adv7842_timings_cap_analog = {
 	.type = V4L2_DV_BT_656_1120,
 	/* keep this initialization for compatibility with GCC < 4.4.6 */
 	.reserved = { 0 },
-	V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000,
+	V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000,
 		V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
 			V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
 		V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
@@ -687,7 +687,7 @@ static const struct v4l2_dv_timings_cap adv7842_timings_cap_digital = {
 	.type = V4L2_DV_BT_656_1120,
 	/* keep this initialization for compatibility with GCC < 4.4.6 */
 	.reserved = { 0 },
-	V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 225000000,
+	V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 225000000,
 		V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
 			V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
 		V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index e6f5c363ccab..c9647e24a4a3 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -70,7 +70,7 @@ static const struct v4l2_dv_timings_cap tc358743_timings_cap = {
 	/* keep this initialization for compatibility with GCC < 4.4.6 */
 	.reserved = { 0 },
 	/* Pixel clock from REF_01 p. 20. Min/max height/width are unknown */
-	V4L2_INIT_BT_TIMINGS(1, 10000, 1, 10000, 0, 165000000,
+	V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 13000000, 165000000,
 			V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
 			V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
 			V4L2_DV_BT_CAP_PROGRESSIVE |
diff --git a/drivers/media/i2c/ths8200.c b/drivers/media/i2c/ths8200.c
index 498ad2368cbc..f5ee28058ea2 100644
--- a/drivers/media/i2c/ths8200.c
+++ b/drivers/media/i2c/ths8200.c
@@ -49,7 +49,7 @@ static const struct v4l2_dv_timings_cap ths8200_timings_cap = {
 	.type = V4L2_DV_BT_656_1120,
 	/* keep this initialization for compatibility with GCC < 4.4.6 */
 	.reserved = { 0 },
-	V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1080, 25000000, 148500000,
+	V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1080, 25000000, 148500000,
 		V4L2_DV_BT_STD_CEA861, V4L2_DV_BT_CAP_PROGRESSIVE)
 };
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 040/205] ACPI: SPCR: Consider baud rate 0 as preconfigured state
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 039/205] media: adv*/tc358743/ths8200: fill in min width/height/pixelclock Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 041/205] staging: pi433: fix potential null dereference Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Prarit Bhargava,
	Rafael J. Wysocki, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit b413b1abeb21b4a152c0bf8d1379efa30759b6e3 ]

Since SPCR 1.04 [1] the baud rate of 0 means a preconfigured state of UART.
Assume firmware or bootloader configures console correctly.

[1]: https://docs.microsoft.com/en-us/windows-hardware/drivers/serports/serial-port-console-redirection-table

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/spcr.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/acpi/spcr.c b/drivers/acpi/spcr.c
index 324b35bfe781..f567fa5f0148 100644
--- a/drivers/acpi/spcr.c
+++ b/drivers/acpi/spcr.c
@@ -148,6 +148,13 @@ int __init parse_spcr(bool earlycon)
 	}
 
 	switch (table->baud_rate) {
+	case 0:
+		/*
+		 * SPCR 1.04 defines 0 as a preconfigured state of UART.
+		 * Assume firmware or bootloader configures console correctly.
+		 */
+		baud_rate = 0;
+		break;
 	case 3:
 		baud_rate = 9600;
 		break;
@@ -196,6 +203,10 @@ int __init parse_spcr(bool earlycon)
 		 * UART so don't attempt to change to the baud rate state
 		 * in the table because driver cannot calculate the dividers
 		 */
+		baud_rate = 0;
+	}
+
+	if (!baud_rate) {
 		snprintf(opts, sizeof(opts), "%s,%s,0x%llx", uart, iotype,
 			 table->serial_port.address);
 	} else {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 041/205] staging: pi433: fix potential null dereference
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 040/205] ACPI: SPCR: Consider baud rate 0 as preconfigured state Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 042/205] f2fs: move dir data flush to write checkpoint process Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Straube, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 64c4c4ca6c129a4191e8e1e91b2d5d9b8d08c518 ]

Add a test for successful call to cdev_alloc() to avoid
potential null dereference. Issue reported by smatch.

Signed-off-by: Michael Straube <straube.linux@gmail.com>
Fixes: 874bcba65f9a ("staging: pi433: New driver")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/pi433/pi433_if.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c
index 93c01680f016..5be40bdc191b 100644
--- a/drivers/staging/pi433/pi433_if.c
+++ b/drivers/staging/pi433/pi433_if.c
@@ -1210,6 +1210,10 @@ static int pi433_probe(struct spi_device *spi)
 
 	/* create cdev */
 	device->cdev = cdev_alloc();
+	if (!device->cdev) {
+		dev_dbg(device->dev, "allocation of cdev failed");
+		goto cdev_failed;
+	}
 	device->cdev->owner = THIS_MODULE;
 	cdev_init(device->cdev, &pi433_fops);
 	retval = cdev_add(device->cdev, device->devt, 1);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 042/205] f2fs: move dir data flush to write checkpoint process
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 041/205] staging: pi433: fix potential null dereference Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 043/205] f2fs: avoid build warn of fall_through Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunlei He, Jaegeuk Kim, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit b61ac5b720146c619c7cdf17eff2551b934399e5 ]

This patch move dir data flush to write checkpoint process, by
doing this, it may reduce some time for dir fsync.

pre:
	-f2fs_do_sync_file enter
		-file_write_and_wait_range  <- flush & wait
		-write_checkpoint
			-do_checkpoint	    <- wait all
	-f2fs_do_sync_file exit

now:
	-f2fs_do_sync_file enter
		-write_checkpoint
			-block_operations   <- flush dir & no wait
			-do_checkpoint	    <- wait all
	-f2fs_do_sync_file exit

Signed-off-by: Yunlei He <heyunlei@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/file.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index 7d3189f1941c..5f549bc4e097 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -205,6 +205,9 @@ static int f2fs_do_sync_file(struct file *file, loff_t start, loff_t end,
 
 	trace_f2fs_sync_file_enter(inode);
 
+	if (S_ISDIR(inode->i_mode))
+		goto go_write;
+
 	/* if fdatasync is triggered, let's do in-place-update */
 	if (datasync || get_dirty_pages(inode) <= SM_I(sbi)->min_fsync_blocks)
 		set_inode_flag(inode, FI_NEED_IPU);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 043/205] f2fs: avoid build warn of fall_through
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 042/205] f2fs: move dir data flush to write checkpoint process Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 044/205] f2fs: fix race between write_checkpoint and write_begin Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Rothwell, Jaegeuk Kim, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit f5d5510e7389fa264337fb524346bac9eb93adc8 ]

After merging the f2fs tree, today's linux-next build
 (x86_64_allmodconfig) produced this warning:

 In file included from fs/f2fs/dir.c:11:
 fs/f2fs/f2fs.h: In function '__mark_inode_dirty_flag':
 fs/f2fs/f2fs.h:2388:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (set)
       ^
 fs/f2fs/f2fs.h:2390:2: note: here
   case FI_DATA_EXIST:
   ^~~~

 Exposed by my use of -Wimplicit-fallthrough

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/f2fs.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 3f1a44696036..d2873f227072 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -2014,6 +2014,7 @@ static inline void __mark_inode_dirty_flag(struct inode *inode,
 	case FI_INLINE_DENTRY:
 		if (set)
 			return;
+		/* fall through */
 	case FI_DATA_EXIST:
 	case FI_INLINE_DOTS:
 		f2fs_mark_inode_dirty_sync(inode, true);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 044/205] f2fs: fix race between write_checkpoint and write_begin
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 043/205] f2fs: avoid build warn of fall_through Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 045/205] f2fs: fix wrong return value of f2fs_acl_create Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sheng Yong, Chao Yu, Jaegeuk Kim,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 2866fb16d67992195b0526d19e65acb6640fb87f ]

The following race could lead to inconsistent SIT bitmap:

Task A                          Task B
======                          ======
f2fs_write_checkpoint
  block_operations
    f2fs_lock_all
      down_write(node_change)
      down_write(node_write)
      ... sync ...
      up_write(node_change)
                                f2fs_file_write_iter
                                  set_inode_flag(FI_NO_PREALLOC)
                                  ......
                                  f2fs_write_begin(index=0, has inline data)
                                    prepare_write_begin
                                      __do_map_lock(AIO) => down_read(node_change)
                                      f2fs_convert_inline_page => update SIT
                                      __do_map_lock(AIO) => up_read(node_change)
  f2fs_flush_sit_entries <= inconsistent SIT
  finish write checkpoint
  sudden-power-off

If SPO occurs after checkpoint is finished, SIT bitmap will be set
incorrectly.

Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/data.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index c68b319b07aa..3d37124eb63e 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1880,6 +1880,7 @@ static int prepare_write_begin(struct f2fs_sb_info *sbi,
 	bool locked = false;
 	struct extent_info ei = {0,0,0};
 	int err = 0;
+	int flag;
 
 	/*
 	 * we already allocated all the blocks, so we don't need to get
@@ -1889,9 +1890,15 @@ static int prepare_write_begin(struct f2fs_sb_info *sbi,
 			!is_inode_flag_set(inode, FI_NO_PREALLOC))
 		return 0;
 
+	/* f2fs_lock_op avoids race between write CP and convert_inline_page */
+	if (f2fs_has_inline_data(inode) && pos + len > MAX_INLINE_DATA(inode))
+		flag = F2FS_GET_BLOCK_DEFAULT;
+	else
+		flag = F2FS_GET_BLOCK_PRE_AIO;
+
 	if (f2fs_has_inline_data(inode) ||
 			(pos & PAGE_MASK) >= i_size_read(inode)) {
-		__do_map_lock(sbi, F2FS_GET_BLOCK_PRE_AIO, true);
+		__do_map_lock(sbi, flag, true);
 		locked = true;
 	}
 restart:
@@ -1929,6 +1936,7 @@ restart:
 				f2fs_put_dnode(&dn);
 				__do_map_lock(sbi, F2FS_GET_BLOCK_PRE_AIO,
 								true);
+				WARN_ON(flag != F2FS_GET_BLOCK_PRE_AIO);
 				locked = true;
 				goto restart;
 			}
@@ -1942,7 +1950,7 @@ out:
 	f2fs_put_dnode(&dn);
 unlock_out:
 	if (locked)
-		__do_map_lock(sbi, F2FS_GET_BLOCK_PRE_AIO, false);
+		__do_map_lock(sbi, flag, false);
 	return err;
 }
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 045/205] f2fs: fix wrong return value of f2fs_acl_create
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 044/205] f2fs: fix race between write_checkpoint and write_begin Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 046/205] i2c: sh_mobile: add support for r8a77990 (R-Car E3) Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tiezhu Yang, Chao Yu, Jaegeuk Kim,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit f6176473a0c7472380eef72ebeb330cf9485bf0a ]

When call f2fs_acl_create_masq() failed, the caller f2fs_acl_create()
should return -EIO instead of -ENOMEM, this patch makes it consistent
with posix_acl_create() which has been fixed in commit beaf226b863a
("posix_acl: don't ignore return value of posix_acl_create_masq()").

Fixes: 83dfe53c185e ("f2fs: fix reference leaks in f2fs_acl_create")
Signed-off-by: Tiezhu Yang <kernelpatch@126.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/acl.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
index 436b3a1464d9..5e4860b8bbfc 100644
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -349,12 +349,14 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode,
 		return PTR_ERR(p);
 
 	clone = f2fs_acl_clone(p, GFP_NOFS);
-	if (!clone)
-		goto no_mem;
+	if (!clone) {
+		ret = -ENOMEM;
+		goto release_acl;
+	}
 
 	ret = f2fs_acl_create_masq(clone, mode);
 	if (ret < 0)
-		goto no_mem_clone;
+		goto release_clone;
 
 	if (ret == 0)
 		posix_acl_release(clone);
@@ -368,11 +370,11 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode,
 
 	return 0;
 
-no_mem_clone:
+release_clone:
 	posix_acl_release(clone);
-no_mem:
+release_acl:
 	posix_acl_release(p);
-	return -ENOMEM;
+	return ret;
 }
 
 int f2fs_init_acl(struct inode *inode, struct inode *dir, struct page *ipage,
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 046/205] i2c: sh_mobile: add support for r8a77990 (R-Car E3)
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 045/205] f2fs: fix wrong return value of f2fs_acl_create Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 047/205] arm64: io: Ensure calls to delay routines are ordered against prior readX() Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Simon Horman, Geert Uytterhoeven,
	Wolfram Sang, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5eb316e636eb298c204f5b368526d4480b63c0ba ]

Add support for the IIC code for the r8a77990 (R-Car E3).

It is not considered compatible with existing fallback bindings
due to the documented absence of automatic transmission registers.

These registers are currently not used by the driver and
thus the provides the same behaviour for "renesas,iic-r8a77990" and
"renesas,rcar-gen3-iic". The point of declaring incompatibility is
to allow for automatic transmission register support to be added to
"renesas,iic-r8a77990" and "renesas,rcar-gen3-iic" in future.

Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-sh_mobile.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/i2c/busses/i2c-sh_mobile.c b/drivers/i2c/busses/i2c-sh_mobile.c
index 6f2aaeb7c4fa..338344e76e02 100644
--- a/drivers/i2c/busses/i2c-sh_mobile.c
+++ b/drivers/i2c/busses/i2c-sh_mobile.c
@@ -836,6 +836,7 @@ static const struct of_device_id sh_mobile_i2c_dt_ids[] = {
 	{ .compatible = "renesas,rcar-gen2-iic", .data = &fast_clock_dt_config },
 	{ .compatible = "renesas,iic-r8a7795", .data = &fast_clock_dt_config },
 	{ .compatible = "renesas,rcar-gen3-iic", .data = &fast_clock_dt_config },
+	{ .compatible = "renesas,iic-r8a77990", .data = &fast_clock_dt_config },
 	{ .compatible = "renesas,iic-sh73a0", .data = &fast_clock_dt_config },
 	{ .compatible = "renesas,rmobile-iic", .data = &default_dt_config },
 	{},
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 047/205] arm64: io: Ensure calls to delay routines are ordered against prior readX()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 046/205] i2c: sh_mobile: add support for r8a77990 (R-Car E3) Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 048/205] sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Herrenschmidt,
	Arnd Bergmann, Will Deacon, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6460d32014717686d3b7963595950ba2c6d1bb5e ]

A relatively standard idiom for ensuring that a pair of MMIO writes to a
device arrive at that device with a specified minimum delay between them
is as follows:

	writel_relaxed(42, dev_base + CTL1);
	readl(dev_base + CTL1);
	udelay(10);
	writel_relaxed(42, dev_base + CTL2);

the intention being that the read-back from the device will push the
prior write to CTL1, and the udelay will hold up the write to CTL1 until
at least 10us have elapsed.

Unfortunately, on arm64 where the underlying delay loop is implemented
as a read of the architected counter, the CPU does not guarantee
ordering from the readl() to the delay loop and therefore the delay loop
could in theory be speculated and not provide the desired interval
between the two writes.

Fix this in a similar manner to PowerPC by introducing a dummy control
dependency on the output of readX() which, combined with the ISB in the
read of the architected counter, guarantees that a subsequent delay loop
can not be executed until the readX() has returned its result.

Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/io.h | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h
index 35b2e50f17fb..b2bc7dbc1fa6 100644
--- a/arch/arm64/include/asm/io.h
+++ b/arch/arm64/include/asm/io.h
@@ -106,7 +106,22 @@ static inline u64 __raw_readq(const volatile void __iomem *addr)
 }
 
 /* IO barriers */
-#define __iormb()		rmb()
+#define __iormb(v)							\
+({									\
+	unsigned long tmp;						\
+									\
+	rmb();								\
+									\
+	/*								\
+	 * Create a dummy control dependency from the IO read to any	\
+	 * later instructions. This ensures that a subsequent call to	\
+	 * udelay() will be ordered due to the ISB in get_cycles().	\
+	 */								\
+	asm volatile("eor	%0, %1, %1\n"				\
+		     "cbnz	%0, ."					\
+		     : "=r" (tmp) : "r" (v) : "memory");		\
+})
+
 #define __iowmb()		wmb()
 
 #define mmiowb()		do { } while (0)
@@ -131,10 +146,10 @@ static inline u64 __raw_readq(const volatile void __iomem *addr)
  * following Normal memory access. Writes are ordered relative to any prior
  * Normal memory access.
  */
-#define readb(c)		({ u8  __v = readb_relaxed(c); __iormb(); __v; })
-#define readw(c)		({ u16 __v = readw_relaxed(c); __iormb(); __v; })
-#define readl(c)		({ u32 __v = readl_relaxed(c); __iormb(); __v; })
-#define readq(c)		({ u64 __v = readq_relaxed(c); __iormb(); __v; })
+#define readb(c)		({ u8  __v = readb_relaxed(c); __iormb(__v); __v; })
+#define readw(c)		({ u16 __v = readw_relaxed(c); __iormb(__v); __v; })
+#define readl(c)		({ u32 __v = readl_relaxed(c); __iormb(__v); __v; })
+#define readq(c)		({ u64 __v = readq_relaxed(c); __iormb(__v); __v; })
 
 #define writeb(v,c)		({ __iowmb(); writeb_relaxed((v),(c)); })
 #define writew(v,c)		({ __iowmb(); writew_relaxed((v),(c)); })
@@ -185,9 +200,9 @@ extern void __iomem *ioremap_cache(phys_addr_t phys_addr, size_t size);
 /*
  * io{read,write}{16,32,64}be() macros
  */
-#define ioread16be(p)		({ __u16 __v = be16_to_cpu((__force __be16)__raw_readw(p)); __iormb(); __v; })
-#define ioread32be(p)		({ __u32 __v = be32_to_cpu((__force __be32)__raw_readl(p)); __iormb(); __v; })
-#define ioread64be(p)		({ __u64 __v = be64_to_cpu((__force __be64)__raw_readq(p)); __iormb(); __v; })
+#define ioread16be(p)		({ __u16 __v = be16_to_cpu((__force __be16)__raw_readw(p)); __iormb(__v); __v; })
+#define ioread32be(p)		({ __u32 __v = be32_to_cpu((__force __be32)__raw_readl(p)); __iormb(__v); __v; })
+#define ioread64be(p)		({ __u64 __v = be64_to_cpu((__force __be64)__raw_readq(p)); __iormb(__v); __v; })
 
 #define iowrite16be(v,p)	({ __iowmb(); __raw_writew((__force __u16)cpu_to_be16(v), p); })
 #define iowrite32be(v,p)	({ __iowmb(); __raw_writel((__force __u32)cpu_to_be32(v), p); })
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 048/205] sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 047/205] arm64: io: Ensure calls to delay routines are ordered against prior readX() Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 049/205] soc: bcm: brcmstb: Dont leak device tree node reference Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Young Xiao, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a11f6ca9aef989b56cd31ff4ee2af4fb31a172ec ]

__vdc_tx_trigger should only loop on EAGAIN a finite
number of times.

See commit adddc32d6fde ("sunvnet: Do not spin in an
infinite loop when vio_ldc_send() returns EAGAIN") for detail.

Signed-off-by: Young Xiao <YangX92@hotmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/sunvdc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
index ad9749463d4f..ed4d6276e94f 100644
--- a/drivers/block/sunvdc.c
+++ b/drivers/block/sunvdc.c
@@ -41,6 +41,8 @@ MODULE_VERSION(DRV_MODULE_VERSION);
 #define WAITING_FOR_GEN_CMD	0x04
 #define WAITING_FOR_ANY		-1
 
+#define	VDC_MAX_RETRIES	10
+
 static struct workqueue_struct *sunvdc_wq;
 
 struct vdc_req_entry {
@@ -427,6 +429,7 @@ static int __vdc_tx_trigger(struct vdc_port *port)
 		.end_idx		= dr->prod,
 	};
 	int err, delay;
+	int retries = 0;
 
 	hdr.seq = dr->snd_nxt;
 	delay = 1;
@@ -439,6 +442,8 @@ static int __vdc_tx_trigger(struct vdc_port *port)
 		udelay(delay);
 		if ((delay <<= 1) > 128)
 			delay = 128;
+		if (retries++ > VDC_MAX_RETRIES)
+			break;
 	} while (err == -EAGAIN);
 
 	if (err == -ENOTCONN)
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 049/205] soc: bcm: brcmstb: Dont leak device tree node reference
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 048/205] sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 050/205] nfsd4: fix crash on writing v4_end_grace before nfsd startup Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yangtao Li, Florian Fainelli, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1861a7f07e02292830a1ca256328d370deefea30 ]

of_find_node_by_path() acquires a reference to the node returned by it
and that reference needs to be dropped by its caller. soc_is_brcmstb()
doesn't do that, so fix it.

[treding: slightly rewrite to avoid inline comparison]

Fixes: d52fad262041 ("soc: add stubs for brcmstb SoC's")
Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/bcm/brcmstb/common.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/soc/bcm/brcmstb/common.c b/drivers/soc/bcm/brcmstb/common.c
index 22e98a90468c..2f5ec424a390 100644
--- a/drivers/soc/bcm/brcmstb/common.c
+++ b/drivers/soc/bcm/brcmstb/common.c
@@ -31,13 +31,17 @@ static const struct of_device_id brcmstb_machine_match[] = {
 
 bool soc_is_brcmstb(void)
 {
+	const struct of_device_id *match;
 	struct device_node *root;
 
 	root = of_find_node_by_path("/");
 	if (!root)
 		return false;
 
-	return of_match_node(brcmstb_machine_match, root) != NULL;
+	match = of_match_node(brcmstb_machine_match, root);
+	of_node_put(root);
+
+	return match != NULL;
 }
 
 static const struct of_device_id sun_top_ctrl_match[] = {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 050/205] nfsd4: fix crash on writing v4_end_grace before nfsd startup
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 049/205] soc: bcm: brcmstb: Dont leak device tree node reference Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 051/205] drm: Clear state->acquire_ctx before leaving drm_atomic_helper_commit_duplicated_state() Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anatoly Trosinenko, J. Bruce Fields,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 62a063b8e7d1db684db3f207261a466fa3194e72 ]

Anatoly Trosinenko reports that this:

1) Checkout fresh master Linux branch (tested with commit e195ca6cb)
2) Copy x84_64-config-4.14 to .config, then enable NFS server v4 and build
3) From `kvm-xfstests shell`:

results in NULL dereference in locks_end_grace.

Check that nfsd has been started before trying to end the grace period.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfsd/nfsctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index 6493df6b1bd5..4b8ebcc6b183 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1126,6 +1126,8 @@ static ssize_t write_v4_end_grace(struct file *file, char *buf, size_t size)
 		case 'Y':
 		case 'y':
 		case '1':
+			if (nn->nfsd_serv)
+				return -EBUSY;
 			nfsd4_end_grace(nn);
 			break;
 		default:
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 051/205] drm: Clear state->acquire_ctx before leaving drm_atomic_helper_commit_duplicated_state()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 050/205] nfsd4: fix crash on writing v4_end_grace before nfsd startup Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 052/205] arm64: io: Ensure value passed to __iormb() is held in a 64-bit register Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Vetter, Daniel Vetter,
	Sean Paul, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit aa394b0dd68cb00c483e151dcd84713d4d517ed1 ]

drm_atomic_helper_commit_duplicated_state() sets state->acquire_ctx to
the context given in the argument and leaves it in state after it
quits. The lifetime of state and context are not guaranteed to be the
same, so we shouldn't leave that pointer hanging around. This patch
resets the context to NULL to avoid any oopses.

Changes in v2:
- Added to the set

Suggested-by: Daniel Vetter <daniel@ffwll.ch>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20181129150423.239081-1-sean@poorly.run
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_atomic_helper.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index 1f08d597b87a..d05ed0521e20 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -2899,7 +2899,7 @@ EXPORT_SYMBOL(drm_atomic_helper_suspend);
 int drm_atomic_helper_commit_duplicated_state(struct drm_atomic_state *state,
 					      struct drm_modeset_acquire_ctx *ctx)
 {
-	int i;
+	int i, ret;
 	struct drm_plane *plane;
 	struct drm_plane_state *new_plane_state;
 	struct drm_connector *connector;
@@ -2918,7 +2918,11 @@ int drm_atomic_helper_commit_duplicated_state(struct drm_atomic_state *state,
 	for_each_new_connector_in_state(state, connector, new_conn_state, i)
 		state->connectors[i].old_state = connector->state;
 
-	return drm_atomic_commit(state);
+	ret = drm_atomic_commit(state);
+
+	state->acquire_ctx = NULL;
+
+	return ret;
 }
 EXPORT_SYMBOL(drm_atomic_helper_commit_duplicated_state);
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 052/205] arm64: io: Ensure value passed to __iormb() is held in a 64-bit register
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 051/205] drm: Clear state->acquire_ctx before leaving drm_atomic_helper_commit_duplicated_state() Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 053/205] Thermal: do not clear passive state during system sleep Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Nathan Chancellor,
	Will Deacon, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1b57ec8c75279b873639eb44a215479236f93481 ]

As of commit 6460d3201471 ("arm64: io: Ensure calls to delay routines
are ordered against prior readX()"), MMIO reads smaller than 64 bits
fail to compile under clang because we end up mixing 32-bit and 64-bit
register operands for the same data processing instruction:

./include/asm-generic/io.h:695:9: warning: value size does not match register size specified by the constraint and modifier [-Wasm-operand-widths]
        return readb(addr);
               ^
./arch/arm64/include/asm/io.h:147:58: note: expanded from macro 'readb'
                                                                       ^
./include/asm-generic/io.h:695:9: note: use constraint modifier "w"
./arch/arm64/include/asm/io.h:147:50: note: expanded from macro 'readb'
                                                               ^
./arch/arm64/include/asm/io.h:118:24: note: expanded from macro '__iormb'
        asm volatile("eor       %0, %1, %1\n"                           \
                                    ^

Fix the build by casting the macro argument to 'unsigned long' when used
as an input to the inline asm.

Reported-by: Nick Desaulniers <nick.desaulniers@gmail.com>
Reported-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/io.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h
index b2bc7dbc1fa6..49bb9a020a09 100644
--- a/arch/arm64/include/asm/io.h
+++ b/arch/arm64/include/asm/io.h
@@ -119,7 +119,8 @@ static inline u64 __raw_readq(const volatile void __iomem *addr)
 	 */								\
 	asm volatile("eor	%0, %1, %1\n"				\
 		     "cbnz	%0, ."					\
-		     : "=r" (tmp) : "r" (v) : "memory");		\
+		     : "=r" (tmp) : "r" ((unsigned long)(v))		\
+		     : "memory");					\
 })
 
 #define __iowmb()		wmb()
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 053/205] Thermal: do not clear passive state during system sleep
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 052/205] arm64: io: Ensure value passed to __iormb() is held in a 64-bit register Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 054/205] firmware/efi: Add NULL pointer checks in efivars API functions Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kame Wang, Wei Wang, Zhang Rui, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 964f4843a455d2ffb199512b08be8d5f077c4cac ]

commit ff140fea847e ("Thermal: handle thermal zone device properly
during system sleep") added PM hook to call thermal zone reset during
sleep. However resetting thermal zone will also clear the passive state
and thus cancel the polling queue which leads the passive cooling device
state not being cleared properly after sleep.

thermal_pm_notify => thermal_zone_device_reset set passive to 0
thermal_zone_trip_update will skip update passive as `old_target ==
instance->target'.
monitor_thermal_zone => thermal_zone_device_set_polling will cancel
tz->poll_queue, so the cooling device state will not be changed
afterwards.

Reported-by: Kame Wang <kamewang@google.com>
Signed-off-by: Wei Wang <wvw@google.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/thermal/thermal_core.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
index 2b1b0ba393a4..17d6079c7642 100644
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -454,16 +454,20 @@ static void update_temperature(struct thermal_zone_device *tz)
 			tz->last_temperature, tz->temperature);
 }
 
-static void thermal_zone_device_reset(struct thermal_zone_device *tz)
+static void thermal_zone_device_init(struct thermal_zone_device *tz)
 {
 	struct thermal_instance *pos;
-
 	tz->temperature = THERMAL_TEMP_INVALID;
-	tz->passive = 0;
 	list_for_each_entry(pos, &tz->thermal_instances, tz_node)
 		pos->initialized = false;
 }
 
+static void thermal_zone_device_reset(struct thermal_zone_device *tz)
+{
+	tz->passive = 0;
+	thermal_zone_device_init(tz);
+}
+
 void thermal_zone_device_update(struct thermal_zone_device *tz,
 				enum thermal_notify_event event)
 {
@@ -1503,7 +1507,7 @@ static int thermal_pm_notify(struct notifier_block *nb,
 	case PM_POST_SUSPEND:
 		atomic_set(&in_suspend, 0);
 		list_for_each_entry(tz, &thermal_tz_list, node) {
-			thermal_zone_device_reset(tz);
+			thermal_zone_device_init(tz);
 			thermal_zone_device_update(tz,
 						   THERMAL_EVENT_UNSPECIFIED);
 		}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 054/205] firmware/efi: Add NULL pointer checks in efivars API functions
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 053/205] Thermal: do not clear passive state during system sleep Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 055/205] s390/zcrypt: improve special ap message cmd handling Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Hunter, Arend van Spriel,
	Ard Biesheuvel, Andy Lutomirski, Bhupesh Sharma, Borislav Petkov,
	Dave Hansen, Eric Snowberg, Hans de Goede, Joe Perches,
	Julien Thierry, Linus Torvalds, Marc Zyngier, Matt Fleming,
	Nathan Chancellor, Peter Zijlstra, Sai Praneeth Prakhya,
	Sedat Dilek, Thomas Gleixner, YiFei Zhu, linux-efi, Ingo Molnar,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ab2180a15ce54739fed381efb4cb12e78dfb1561 ]

Since commit:

   ce2e6db554fa ("brcmfmac: Add support for getting nvram contents from EFI variables")

we have a device driver accessing the efivars API. Several functions in
the efivars API assume __efivars is set, i.e., that they will be accessed
only after efivars_register() has been called. However, the following NULL
pointer access was reported calling efivar_entry_size() from the brcmfmac
device driver:

  Unable to handle kernel NULL pointer dereference at virtual address 00000008
  pgd = 60bfa5f1
  [00000008] *pgd=00000000
  Internal error: Oops: 5 [#1] SMP ARM
  ...
  Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
  Workqueue: events request_firmware_work_func
  PC is at efivar_entry_size+0x28/0x90
  LR is at brcmf_fw_complete_request+0x3f8/0x8d4 [brcmfmac]
  pc : [<c0c40718>]    lr : [<bf2a3ef4>]    psr: a00d0113
  sp : ede7fe28  ip : ee983410  fp : c1787f30
  r10: 00000000  r9 : 00000000  r8 : bf2b2258
  r7 : ee983000  r6 : c1604c48  r5 : ede7fe88  r4 : edf337c0
  r3 : 00000000  r2 : 00000000  r1 : ede7fe88  r0 : c17712c8
  Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
  Control: 10c5387d  Table: ad16804a  DAC: 00000051

Disassembly showed that the local static variable __efivars is NULL,
which is not entirely unexpected given that it is a non-EFI platform.

So add a NULL pointer check to efivar_entry_size(), and to related
functions while at it. In efivars_register() a couple of sanity checks
are added as well.

Reported-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Bhupesh Sharma <bhsharma@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Joe Perches <joe@perches.com>
Cc: Julien Thierry <julien.thierry@arm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
Cc: Sedat Dilek <sedat.dilek@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: YiFei Zhu <zhuyifei1999@gmail.com>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20181129171230.18699-9-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/firmware/efi/vars.c | 99 +++++++++++++++++++++++++++++--------
 1 file changed, 78 insertions(+), 21 deletions(-)

diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c
index 9336ffdf6e2c..fceaafd67ec6 100644
--- a/drivers/firmware/efi/vars.c
+++ b/drivers/firmware/efi/vars.c
@@ -318,7 +318,12 @@ EXPORT_SYMBOL_GPL(efivar_variable_is_removable);
 static efi_status_t
 check_var_size(u32 attributes, unsigned long size)
 {
-	const struct efivar_operations *fops = __efivars->ops;
+	const struct efivar_operations *fops;
+
+	if (!__efivars)
+		return EFI_UNSUPPORTED;
+
+	fops = __efivars->ops;
 
 	if (!fops->query_variable_store)
 		return EFI_UNSUPPORTED;
@@ -329,7 +334,12 @@ check_var_size(u32 attributes, unsigned long size)
 static efi_status_t
 check_var_size_nonblocking(u32 attributes, unsigned long size)
 {
-	const struct efivar_operations *fops = __efivars->ops;
+	const struct efivar_operations *fops;
+
+	if (!__efivars)
+		return EFI_UNSUPPORTED;
+
+	fops = __efivars->ops;
 
 	if (!fops->query_variable_store)
 		return EFI_UNSUPPORTED;
@@ -429,13 +439,18 @@ static void dup_variable_bug(efi_char16_t *str16, efi_guid_t *vendor_guid,
 int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *),
 		void *data, bool duplicates, struct list_head *head)
 {
-	const struct efivar_operations *ops = __efivars->ops;
+	const struct efivar_operations *ops;
 	unsigned long variable_name_size = 1024;
 	efi_char16_t *variable_name;
 	efi_status_t status;
 	efi_guid_t vendor_guid;
 	int err = 0;
 
+	if (!__efivars)
+		return -EFAULT;
+
+	ops = __efivars->ops;
+
 	variable_name = kzalloc(variable_name_size, GFP_KERNEL);
 	if (!variable_name) {
 		printk(KERN_ERR "efivars: Memory allocation failed.\n");
@@ -583,12 +598,14 @@ static void efivar_entry_list_del_unlock(struct efivar_entry *entry)
  */
 int __efivar_entry_delete(struct efivar_entry *entry)
 {
-	const struct efivar_operations *ops = __efivars->ops;
 	efi_status_t status;
 
-	status = ops->set_variable(entry->var.VariableName,
-				   &entry->var.VendorGuid,
-				   0, 0, NULL);
+	if (!__efivars)
+		return -EINVAL;
+
+	status = __efivars->ops->set_variable(entry->var.VariableName,
+					      &entry->var.VendorGuid,
+					      0, 0, NULL);
 
 	return efi_status_to_err(status);
 }
@@ -607,12 +624,17 @@ EXPORT_SYMBOL_GPL(__efivar_entry_delete);
  */
 int efivar_entry_delete(struct efivar_entry *entry)
 {
-	const struct efivar_operations *ops = __efivars->ops;
+	const struct efivar_operations *ops;
 	efi_status_t status;
 
 	if (down_interruptible(&efivars_lock))
 		return -EINTR;
 
+	if (!__efivars) {
+		up(&efivars_lock);
+		return -EINVAL;
+	}
+	ops = __efivars->ops;
 	status = ops->set_variable(entry->var.VariableName,
 				   &entry->var.VendorGuid,
 				   0, 0, NULL);
@@ -650,13 +672,19 @@ EXPORT_SYMBOL_GPL(efivar_entry_delete);
 int efivar_entry_set(struct efivar_entry *entry, u32 attributes,
 		     unsigned long size, void *data, struct list_head *head)
 {
-	const struct efivar_operations *ops = __efivars->ops;
+	const struct efivar_operations *ops;
 	efi_status_t status;
 	efi_char16_t *name = entry->var.VariableName;
 	efi_guid_t vendor = entry->var.VendorGuid;
 
 	if (down_interruptible(&efivars_lock))
 		return -EINTR;
+
+	if (!__efivars) {
+		up(&efivars_lock);
+		return -EINVAL;
+	}
+	ops = __efivars->ops;
 	if (head && efivar_entry_find(name, vendor, head, false)) {
 		up(&efivars_lock);
 		return -EEXIST;
@@ -687,12 +715,17 @@ static int
 efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor,
 			     u32 attributes, unsigned long size, void *data)
 {
-	const struct efivar_operations *ops = __efivars->ops;
+	const struct efivar_operations *ops;
 	efi_status_t status;
 
 	if (down_trylock(&efivars_lock))
 		return -EBUSY;
 
+	if (!__efivars) {
+		up(&efivars_lock);
+		return -EINVAL;
+	}
+
 	status = check_var_size_nonblocking(attributes,
 					    size + ucs2_strsize(name, 1024));
 	if (status != EFI_SUCCESS) {
@@ -700,6 +733,7 @@ efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor,
 		return -ENOSPC;
 	}
 
+	ops = __efivars->ops;
 	status = ops->set_variable_nonblocking(name, &vendor, attributes,
 					       size, data);
 
@@ -727,9 +761,13 @@ efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor,
 int efivar_entry_set_safe(efi_char16_t *name, efi_guid_t vendor, u32 attributes,
 			  bool block, unsigned long size, void *data)
 {
-	const struct efivar_operations *ops = __efivars->ops;
+	const struct efivar_operations *ops;
 	efi_status_t status;
 
+	if (!__efivars)
+		return -EINVAL;
+
+	ops = __efivars->ops;
 	if (!ops->query_variable_store)
 		return -ENOSYS;
 
@@ -829,13 +867,18 @@ EXPORT_SYMBOL_GPL(efivar_entry_find);
  */
 int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
 {
-	const struct efivar_operations *ops = __efivars->ops;
+	const struct efivar_operations *ops;
 	efi_status_t status;
 
 	*size = 0;
 
 	if (down_interruptible(&efivars_lock))
 		return -EINTR;
+	if (!__efivars) {
+		up(&efivars_lock);
+		return -EINVAL;
+	}
+	ops = __efivars->ops;
 	status = ops->get_variable(entry->var.VariableName,
 				   &entry->var.VendorGuid, NULL, size, NULL);
 	up(&efivars_lock);
@@ -861,12 +904,14 @@ EXPORT_SYMBOL_GPL(efivar_entry_size);
 int __efivar_entry_get(struct efivar_entry *entry, u32 *attributes,
 		       unsigned long *size, void *data)
 {
-	const struct efivar_operations *ops = __efivars->ops;
 	efi_status_t status;
 
-	status = ops->get_variable(entry->var.VariableName,
-				   &entry->var.VendorGuid,
-				   attributes, size, data);
+	if (!__efivars)
+		return -EINVAL;
+
+	status = __efivars->ops->get_variable(entry->var.VariableName,
+					      &entry->var.VendorGuid,
+					      attributes, size, data);
 
 	return efi_status_to_err(status);
 }
@@ -882,14 +927,19 @@ EXPORT_SYMBOL_GPL(__efivar_entry_get);
 int efivar_entry_get(struct efivar_entry *entry, u32 *attributes,
 		     unsigned long *size, void *data)
 {
-	const struct efivar_operations *ops = __efivars->ops;
 	efi_status_t status;
 
 	if (down_interruptible(&efivars_lock))
 		return -EINTR;
-	status = ops->get_variable(entry->var.VariableName,
-				   &entry->var.VendorGuid,
-				   attributes, size, data);
+
+	if (!__efivars) {
+		up(&efivars_lock);
+		return -EINVAL;
+	}
+
+	status = __efivars->ops->get_variable(entry->var.VariableName,
+					      &entry->var.VendorGuid,
+					      attributes, size, data);
 	up(&efivars_lock);
 
 	return efi_status_to_err(status);
@@ -921,7 +971,7 @@ EXPORT_SYMBOL_GPL(efivar_entry_get);
 int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes,
 			      unsigned long *size, void *data, bool *set)
 {
-	const struct efivar_operations *ops = __efivars->ops;
+	const struct efivar_operations *ops;
 	efi_char16_t *name = entry->var.VariableName;
 	efi_guid_t *vendor = &entry->var.VendorGuid;
 	efi_status_t status;
@@ -940,6 +990,11 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes,
 	if (down_interruptible(&efivars_lock))
 		return -EINTR;
 
+	if (!__efivars) {
+		err = -EINVAL;
+		goto out;
+	}
+
 	/*
 	 * Ensure that the available space hasn't shrunk below the safe level
 	 */
@@ -956,6 +1011,8 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes,
 		}
 	}
 
+	ops = __efivars->ops;
+
 	status = ops->set_variable(name, vendor, attributes, *size, data);
 	if (status != EFI_SUCCESS) {
 		err = efi_status_to_err(status);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 055/205] s390/zcrypt: improve special ap message cmd handling
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 054/205] firmware/efi: Add NULL pointer checks in efivars API functions Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 056/205] arm64: ftrace: dont adjust the LR value Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harald Freudenberger,
	Martin Schwidefsky, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit be534791011100d204602e2e0496e9e6ce8edf63 ]

There exist very few ap messages which need to have the 'special' flag
enabled. This flag tells the firmware layer to do some pre- and maybe
postprocessing. However, it may happen that this special flag is
enabled but the firmware is unable to deal with this kind of message
and thus returns with reply code 0x41. For example older firmware may
not know the newest messages triggered by the zcrypt device driver and
thus react with reject and the named reply code. Unfortunately this
reply code is not known to the zcrypt error routines and thus default
behavior is to switch the ap queue offline.

This patch now makes the ap error routine aware of the reply code and
so userspace is informed about the bad processing result but the queue
is not switched to offline state any more.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/include/uapi/asm/zcrypt.h | 4 ++--
 drivers/s390/crypto/zcrypt_error.h  | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/s390/include/uapi/asm/zcrypt.h b/arch/s390/include/uapi/asm/zcrypt.h
index 137ef473584e..b9fb42089760 100644
--- a/arch/s390/include/uapi/asm/zcrypt.h
+++ b/arch/s390/include/uapi/asm/zcrypt.h
@@ -161,8 +161,8 @@ struct ica_xcRB {
  * @cprb_len:		CPRB header length [0x0020]
  * @cprb_ver_id:	CPRB version id.   [0x04]
  * @pad_000:		Alignment pad bytes
- * @flags:		Admin cmd [0x80] or functional cmd [0x00]
- * @func_id:		Function id / subtype [0x5434]
+ * @flags:		Admin bit [0x80], Special bit [0x20]
+ * @func_id:		Function id / subtype [0x5434] "T4"
  * @source_id:		Source id [originator id]
  * @target_id:		Target id [usage/ctrl domain id]
  * @ret_code:		Return code
diff --git a/drivers/s390/crypto/zcrypt_error.h b/drivers/s390/crypto/zcrypt_error.h
index 13df60209ed3..9499cd3a05f8 100644
--- a/drivers/s390/crypto/zcrypt_error.h
+++ b/drivers/s390/crypto/zcrypt_error.h
@@ -65,6 +65,7 @@ struct error_hdr {
 #define REP82_ERROR_FORMAT_FIELD	    0x29
 #define REP82_ERROR_INVALID_COMMAND	    0x30
 #define REP82_ERROR_MALFORMED_MSG	    0x40
+#define REP82_ERROR_INVALID_SPECIAL_CMD	    0x41
 #define REP82_ERROR_INVALID_DOMAIN_PRECHECK 0x42
 #define REP82_ERROR_RESERVED_FIELDO	    0x50 /* old value	*/
 #define REP82_ERROR_WORD_ALIGNMENT	    0x60
@@ -103,6 +104,7 @@ static inline int convert_error(struct zcrypt_queue *zq,
 	case REP88_ERROR_MESSAGE_MALFORMD:
 	case REP82_ERROR_INVALID_DOMAIN_PRECHECK:
 	case REP82_ERROR_INVALID_DOMAIN_PENDING:
+	case REP82_ERROR_INVALID_SPECIAL_CMD:
 	//   REP88_ERROR_INVALID_KEY		// '82' CEX2A
 	//   REP88_ERROR_OPERAND		// '84' CEX2A
 	//   REP88_ERROR_OPERAND_EVEN_MOD	// '85' CEX2A
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 056/205] arm64: ftrace: dont adjust the LR value
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 055/205] s390/zcrypt: improve special ap message cmd handling Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 057/205] ARM: dts: mmp2: fix TWSI2 Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, AKASHI Takahiro,
	Ard Biesheuvel, Catalin Marinas, Torsten Duwe, Will Deacon,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6e803e2e6e367db9a0d6ecae1bd24bb5752011bd ]

The core ftrace code requires that when it is handed the PC of an
instrumented function, this PC is the address of the instrumented
instruction. This is necessary so that the core ftrace code can identify
the specific instrumentation site. Since the instrumented function will
be a BL, the address of the instrumented function is LR - 4 at entry to
the ftrace code.

This fixup is applied in the mcount_get_pc and mcount_get_pc0 helpers,
which acquire the PC of the instrumented function.

The mcount_get_lr helper is used to acquire the LR of the instrumented
function, whose value does not require this adjustment, and cannot be
adjusted to anything meaningful. No adjustment of this value is made on
other architectures, including arm. However, arm64 adjusts this value by
4.

This patch brings arm64 in line with other architectures and removes the
adjustment of the LR value.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Torsten Duwe <duwe@suse.de>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/entry-ftrace.S | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/arm64/kernel/entry-ftrace.S b/arch/arm64/kernel/entry-ftrace.S
index e1be42e11ff5..5a10e3a3e843 100644
--- a/arch/arm64/kernel/entry-ftrace.S
+++ b/arch/arm64/kernel/entry-ftrace.S
@@ -79,7 +79,6 @@
 	.macro mcount_get_lr reg
 	ldr	\reg, [x29]
 	ldr	\reg, [\reg, #8]
-	mcount_adjust_addr	\reg, \reg
 	.endm
 
 	.macro mcount_get_lr_addr reg
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 057/205] ARM: dts: mmp2: fix TWSI2
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 056/205] arm64: ftrace: dont adjust the LR value Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 058/205] ARM: mmp/mmp2: dt: enable the clock Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lubomir Rintel, Pavel Machek,
	Olof Johansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1147e05ac9fc2ef86a3691e7ca5c2db7602d81dd ]

Marvell keeps their MMP2 datasheet secret, but there are good clues
that TWSI2 is not on 0xd4025000 on that platform, not does it use
IRQ 58. In fact, the IRQ 58 on MMP2 seems to be a signal processor:

   arch/arm/mach-mmp/irqs.h:#define IRQ_MMP2_MSP  58

I'm taking a somewhat educated guess that is probably a copy & paste
error from PXA168 or PXA910 and that the real controller in fact hides
at address 0xd4031000 and uses an interrupt line multiplexed via IRQ 17.

I'm also copying some properties from TWSI1 that were missing or
incorrect.

Tested on a OLPC XO 1.75 machine, where the RTC is on TWSI2.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Tested-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/mmp2.dtsi | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/arch/arm/boot/dts/mmp2.dtsi b/arch/arm/boot/dts/mmp2.dtsi
index 766bbb8495b6..47e5b63339d1 100644
--- a/arch/arm/boot/dts/mmp2.dtsi
+++ b/arch/arm/boot/dts/mmp2.dtsi
@@ -220,12 +220,15 @@
 				status = "disabled";
 			};
 
-			twsi2: i2c@d4025000 {
+			twsi2: i2c@d4031000 {
 				compatible = "mrvl,mmp-twsi";
-				reg = <0xd4025000 0x1000>;
-				interrupts = <58>;
+				reg = <0xd4031000 0x1000>;
+				interrupt-parent = <&intcmux17>;
+				interrupts = <0>;
 				clocks = <&soc_clocks MMP2_CLK_TWSI1>;
 				resets = <&soc_clocks MMP2_CLK_TWSI1>;
+				#address-cells = <1>;
+				#size-cells = <0>;
 				status = "disabled";
 			};
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 058/205] ARM: mmp/mmp2: dt: enable the clock
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 057/205] ARM: dts: mmp2: fix TWSI2 Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 059/205] x86/fpu: Add might_fault() to user_insn() Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lubomir Rintel, Pavel Machek,
	Olof Johansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit f36797ee43802b367e59f0f9a9805304a4ff0c98 ]

The device-tree booted MMP2 needs to enable the timer clock, otherwise
it would stop ticking when the boot finishes.

It can also use the clock rate from the clk, the non-DT boards need to
keep using the hardcoded rates.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-mmp/common.h |  2 +-
 arch/arm/mach-mmp/mmp2.c   |  2 +-
 arch/arm/mach-mmp/pxa168.c |  2 +-
 arch/arm/mach-mmp/time.c   | 32 ++++++++++++++++++++------------
 4 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/arch/arm/mach-mmp/common.h b/arch/arm/mach-mmp/common.h
index 7e284d9c429f..5ac2851ef5d3 100644
--- a/arch/arm/mach-mmp/common.h
+++ b/arch/arm/mach-mmp/common.h
@@ -2,7 +2,7 @@
 #include <linux/reboot.h>
 #define ARRAY_AND_SIZE(x)	(x), ARRAY_SIZE(x)
 
-extern void timer_init(int irq);
+extern void timer_init(int irq, unsigned long rate);
 
 extern void __init mmp_map_io(void);
 extern void mmp_restart(enum reboot_mode, const char *);
diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c
index afba5460cdaf..fb3e7e32c882 100644
--- a/arch/arm/mach-mmp/mmp2.c
+++ b/arch/arm/mach-mmp/mmp2.c
@@ -134,7 +134,7 @@ void __init mmp2_timer_init(void)
 	clk_rst = APBC_APBCLK | APBC_FNCLK | APBC_FNCLKSEL(1);
 	__raw_writel(clk_rst, APBC_TIMERS);
 
-	timer_init(IRQ_MMP2_TIMER1);
+	timer_init(IRQ_MMP2_TIMER1, 6500000);
 }
 
 /* on-chip devices */
diff --git a/arch/arm/mach-mmp/pxa168.c b/arch/arm/mach-mmp/pxa168.c
index 0f5f16fb8c66..77a358165a56 100644
--- a/arch/arm/mach-mmp/pxa168.c
+++ b/arch/arm/mach-mmp/pxa168.c
@@ -79,7 +79,7 @@ void __init pxa168_timer_init(void)
 	/* 3.25MHz, bus/functional clock enabled, release reset */
 	__raw_writel(TIMER_CLK_RST, APBC_TIMERS);
 
-	timer_init(IRQ_PXA168_TIMER1);
+	timer_init(IRQ_PXA168_TIMER1, 6500000);
 }
 
 void pxa168_clear_keypad_wakeup(void)
diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c
index 96ad1db0b04b..eab0fd8a7343 100644
--- a/arch/arm/mach-mmp/time.c
+++ b/arch/arm/mach-mmp/time.c
@@ -22,6 +22,7 @@
 #include <linux/kernel.h>
 #include <linux/interrupt.h>
 #include <linux/clockchips.h>
+#include <linux/clk.h>
 
 #include <linux/io.h>
 #include <linux/irq.h>
@@ -38,12 +39,6 @@
 #include "cputype.h"
 #include "clock.h"
 
-#ifdef CONFIG_CPU_MMP2
-#define MMP_CLOCK_FREQ		6500000
-#else
-#define MMP_CLOCK_FREQ		3250000
-#endif
-
 #define TIMERS_VIRT_BASE	TIMERS1_VIRT_BASE
 
 #define MAX_DELTA		(0xfffffffe)
@@ -189,19 +184,18 @@ static struct irqaction timer_irq = {
 	.dev_id		= &ckevt,
 };
 
-void __init timer_init(int irq)
+void __init timer_init(int irq, unsigned long rate)
 {
 	timer_config();
 
-	sched_clock_register(mmp_read_sched_clock, 32, MMP_CLOCK_FREQ);
+	sched_clock_register(mmp_read_sched_clock, 32, rate);
 
 	ckevt.cpumask = cpumask_of(0);
 
 	setup_irq(irq, &timer_irq);
 
-	clocksource_register_hz(&cksrc, MMP_CLOCK_FREQ);
-	clockevents_config_and_register(&ckevt, MMP_CLOCK_FREQ,
-					MIN_DELTA, MAX_DELTA);
+	clocksource_register_hz(&cksrc, rate);
+	clockevents_config_and_register(&ckevt, rate, MIN_DELTA, MAX_DELTA);
 }
 
 #ifdef CONFIG_OF
@@ -213,7 +207,9 @@ static const struct of_device_id mmp_timer_dt_ids[] = {
 void __init mmp_dt_init_timer(void)
 {
 	struct device_node *np;
+	struct clk *clk;
 	int irq, ret;
+	unsigned long rate;
 
 	np = of_find_matching_node(NULL, mmp_timer_dt_ids);
 	if (!np) {
@@ -221,6 +217,18 @@ void __init mmp_dt_init_timer(void)
 		goto out;
 	}
 
+	clk = of_clk_get(np, 0);
+	if (!IS_ERR(clk)) {
+		ret = clk_prepare_enable(clk);
+		if (ret)
+			goto out;
+		rate = clk_get_rate(clk) / 2;
+	} else if (cpu_is_pj4()) {
+		rate = 6500000;
+	} else {
+		rate = 3250000;
+	}
+
 	irq = irq_of_parse_and_map(np, 0);
 	if (!irq) {
 		ret = -EINVAL;
@@ -231,7 +239,7 @@ void __init mmp_dt_init_timer(void)
 		ret = -ENOMEM;
 		goto out;
 	}
-	timer_init(irq);
+	timer_init(irq, rate);
 	return;
 out:
 	pr_err("Failed to get timer from device tree with error:%d\n", ret);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 059/205] x86/fpu: Add might_fault() to user_insn()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 058/205] ARM: mmp/mmp2: dt: enable the clock Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 060/205] media: DaVinci-VPBE: fix error handling in vpbe_initialize() Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior,
	Borislav Petkov, Rik van Riel, H. Peter Anvin,
	Jason A. Donenfeld, Andy Lutomirski, Dave Hansen, Ingo Molnar,
	Jann Horn, Paolo Bonzini, Radim Krčmář,
	Thomas Gleixner, kvm ML, x86-ml, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6637401c35b2f327a35d27f44bda05e327f2f017 ]

Every user of user_insn() passes an user memory pointer to this macro.

Add might_fault() to user_insn() so we can spot users which are using
this macro in sections where page faulting is not allowed.

 [ bp: Space it out to make it more visible. ]

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Rik van Riel <riel@surriel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kvm ML <kvm@vger.kernel.org>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20181128222035.2996-6-bigeasy@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/include/asm/fpu/internal.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
index 69dcdf195b61..fa2c93cb42a2 100644
--- a/arch/x86/include/asm/fpu/internal.h
+++ b/arch/x86/include/asm/fpu/internal.h
@@ -106,6 +106,9 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
 #define user_insn(insn, output, input...)				\
 ({									\
 	int err;							\
+									\
+	might_fault();							\
+									\
 	asm volatile(ASM_STAC "\n"					\
 		     "1:" #insn "\n\t"					\
 		     "2: " ASM_CLAC "\n"				\
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 060/205] media: DaVinci-VPBE: fix error handling in vpbe_initialize()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 059/205] x86/fpu: Add might_fault() to user_insn() Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 061/205] smack: fix access permissions for keyring Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Khoroshilov, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit aa35dc3c71950e3fec3e230c06c27c0fbd0067f8 ]

If vpbe_set_default_output() or vpbe_set_default_mode() fails,
vpbe_initialize() returns error code without releasing resources.

The patch adds error handling for that case.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/davinci/vpbe.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c
index 7f6462562579..1d3c13e36904 100644
--- a/drivers/media/platform/davinci/vpbe.c
+++ b/drivers/media/platform/davinci/vpbe.c
@@ -739,7 +739,7 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev)
 	if (ret) {
 		v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default output %s",
 			 def_output);
-		return ret;
+		goto fail_kfree_amp;
 	}
 
 	printk(KERN_NOTICE "Setting default mode to %s\n", def_mode);
@@ -747,12 +747,15 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev)
 	if (ret) {
 		v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default mode %s",
 			 def_mode);
-		return ret;
+		goto fail_kfree_amp;
 	}
 	vpbe_dev->initialized = 1;
 	/* TBD handling of bootargs for default output and mode */
 	return 0;
 
+fail_kfree_amp:
+	mutex_lock(&vpbe_dev->lock);
+	kfree(vpbe_dev->amp);
 fail_kfree_encoders:
 	kfree(vpbe_dev->encoders);
 fail_dev_unregister:
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 061/205] smack: fix access permissions for keyring
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 060/205] media: DaVinci-VPBE: fix error handling in vpbe_initialize() Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 062/205] usb: dwc3: Correct the logic for checking TRB full in __dwc3_prepare_one_trb() Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zoran Markovic, Casey Schaufler,
	James Morris, Serge E. Hallyn, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5b841bfab695e3b8ae793172a9ff7990f99cc3e2 ]

Function smack_key_permission() only issues smack requests for the
following operations:
 - KEY_NEED_READ (issues MAY_READ)
 - KEY_NEED_WRITE (issues MAY_WRITE)
 - KEY_NEED_LINK (issues MAY_WRITE)
 - KEY_NEED_SETATTR (issues MAY_WRITE)
A blank smack request is issued in all other cases, resulting in
smack access being granted if there is any rule defined between
subject and object, or denied with -EACCES otherwise.

Request MAY_READ access for KEY_NEED_SEARCH and KEY_NEED_VIEW.
Fix the logic in the unlikely case when both MAY_READ and
MAY_WRITE are needed. Validate access permission field for valid
contents.

Signed-off-by: Zoran Markovic <zmarkovic@sierrawireless.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 security/smack/smack_lsm.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c8fd5c10b7c6..0d5ce7190b17 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4356,6 +4356,12 @@ static int smack_key_permission(key_ref_t key_ref,
 	int request = 0;
 	int rc;
 
+	/*
+	 * Validate requested permissions
+	 */
+	if (perm & ~KEY_NEED_ALL)
+		return -EINVAL;
+
 	keyp = key_ref_to_ptr(key_ref);
 	if (keyp == NULL)
 		return -EINVAL;
@@ -4375,10 +4381,10 @@ static int smack_key_permission(key_ref_t key_ref,
 	ad.a.u.key_struct.key = keyp->serial;
 	ad.a.u.key_struct.key_desc = keyp->description;
 #endif
-	if (perm & KEY_NEED_READ)
-		request = MAY_READ;
+	if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
+		request |= MAY_READ;
 	if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
-		request = MAY_WRITE;
+		request |= MAY_WRITE;
 	rc = smk_access(tkp, keyp->security, request, &ad);
 	rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
 	return rc;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 062/205] usb: dwc3: Correct the logic for checking TRB full in __dwc3_prepare_one_trb()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 061/205] smack: fix access permissions for keyring Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 063/205] usb: hub: delay hub autosuspend if USB3 port is still link training Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anurag Kumar Vulisha, Thinh Nguyen,
	Tejas Joglekar, Felipe Balbi, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit b7a4fbe2300a8965ea760c7e871507b84aea17f6 ]

Availability of TRB's is calculated using dwc3_calc_trbs_left(), which
determines total available TRB's based on the HWO bit set in a TRB.

In the present code, __dwc3_prepare_one_trb() is called with a TRB which
needs to be prepared for transfer. This __dwc3_prepare_one_trb() calls
dwc3_calc_trbs_left() to determine total available TRBs and set IOC bit
if the total available TRBs are zero. Since the present working TRB (which
is passed as an argument to __dwc3_prepare_one_trb() )  doesn't yet have
the HWO bit set before calling dwc3_calc_trbs_left(), there are chances
that dwc3_calc_trbs_left() wrongly calculates this present working TRB
as free(since the HWO bit is not yet set) and returns the total available
TRBs as greater than zero (including the present working TRB). This could
be a problem.

This patch corrects the above mentioned problem in __dwc3_prepare_one_trb()
by increementing the dep->trb_enqueue at the last (after preparing the TRB)
instead of increementing at the start and setting the IOC bit only if the
total available TRBs returned by dwc3_calc_trbs_left() is 1 . Since we are
increementing the dep->trb_enqueue at the last, the present working TRB is
also considered as available by dwc3_calc_trbs_left() and non zero value is
returned . So, according to the modified logic, when the total available
TRBs is equal to 1 that means the total available TRBs in the pool are 0.

Signed-off-by: Anurag Kumar Vulisha <anurag.kumar.vulisha@xilinx.com>
Reviewed-by: Thinh Nguyen <thinhn@synopsys.com>
Tested-by: Tejas Joglekar <tejas.joglekar@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/dwc3/gadget.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 727bf3c9f53b..b80eefa355b6 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -890,8 +890,6 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
 	struct usb_gadget	*gadget = &dwc->gadget;
 	enum usb_device_speed	speed = gadget->speed;
 
-	dwc3_ep_inc_enq(dep);
-
 	trb->size = DWC3_TRB_SIZE_LENGTH(length);
 	trb->bpl = lower_32_bits(dma);
 	trb->bph = upper_32_bits(dma);
@@ -970,7 +968,7 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
 	}
 
 	if ((!no_interrupt && !chain) ||
-			(dwc3_calc_trbs_left(dep) == 0))
+			(dwc3_calc_trbs_left(dep) == 1))
 		trb->ctrl |= DWC3_TRB_CTRL_IOC;
 
 	if (chain)
@@ -981,6 +979,8 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
 
 	trb->ctrl |= DWC3_TRB_CTRL_HWO;
 
+	dwc3_ep_inc_enq(dep);
+
 	trace_dwc3_prepare_trb(dep, trb);
 }
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 063/205] usb: hub: delay hub autosuspend if USB3 port is still link training
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 062/205] usb: dwc3: Correct the logic for checking TRB full in __dwc3_prepare_one_trb() Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 064/205] timekeeping: Use proper seqcount initializer Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathias Nyman, Alan Stern, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e86108940e541febf35813402ff29fa6f4a9ac0b ]

When initializing a hub we want to give a USB3 port in link training
the same debounce delay time before autosuspening the hub as already
trained, connected enabled ports.

USB3 ports won't reach the enabled state with "current connect status" and
"connect status change" bits set until the USB3 link training finishes.

Catching the port in link training (polling) and adding the debounce delay
prevents unnecessary failed attempts to autosuspend the hub.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/core/hub.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index a073cb5be013..4a4e666a8e09 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1110,6 +1110,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
 						   USB_PORT_FEAT_ENABLE);
 		}
 
+		/*
+		 * Add debounce if USB3 link is in polling/link training state.
+		 * Link will automatically transition to Enabled state after
+		 * link training completes.
+		 */
+		if (hub_is_superspeed(hdev) &&
+		    ((portstatus & USB_PORT_STAT_LINK_STATE) ==
+						USB_SS_PORT_LS_POLLING))
+			need_debounce_delay = true;
+
 		/* Clear status-change flags; we'll debounce later */
 		if (portchange & USB_PORT_STAT_C_CONNECTION) {
 			need_debounce_delay = true;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 064/205] timekeeping: Use proper seqcount initializer
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 063/205] usb: hub: delay hub autosuspend if USB3 port is still link training Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 065/205] usb: mtu3: fix the issue about SetFeature(U1/U2_Enable) Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Thomas Gleixner,
	peterz, tj, johannes.berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ce10a5b3954f2514af726beb78ed8d7350c5e41c ]

tk_core.seq is initialized open coded, but that misses to initialize the
lockdep map when lockdep is enabled. Lockdep splats involving tk_core seq
consequently lack a name and are hard to read.

Use the proper initializer which takes care of the lockdep map
initialization.

[ tglx: Massaged changelog ]

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: tj@kernel.org
Cc: johannes.berg@intel.com
Link: https://lkml.kernel.org/r/20181128234325.110011-12-bvanassche@acm.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/time/timekeeping.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 2cafb49aa65e..1ce7c404d0b0 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -41,7 +41,9 @@
 static struct {
 	seqcount_t		seq;
 	struct timekeeper	timekeeper;
-} tk_core ____cacheline_aligned;
+} tk_core ____cacheline_aligned = {
+	.seq = SEQCNT_ZERO(tk_core.seq),
+};
 
 static DEFINE_RAW_SPINLOCK(timekeeper_lock);
 static struct timekeeper shadow_timekeeper;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 065/205] usb: mtu3: fix the issue about SetFeature(U1/U2_Enable)
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 064/205] timekeeping: Use proper seqcount initializer Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 066/205] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module clocks Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chunfeng Yun, Felipe Balbi, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a0678e2eed41e81004308693ac84ea95614b0920 ]

Fix the issue: device doesn't accept LGO_U1/U2:
1. set SW_U1/U2_ACCEPT_ENABLE to eanble controller to accept LGO_U1/U2
    by default;
2. enable/disable controller to initiate requests for transition into
    U1/U2 by SW_U1/U2_REQUEST_ENABLE instead of SW_U1/U2_ACCEPT_ENABLE;

Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/mtu3/mtu3_core.c       | 4 +++-
 drivers/usb/mtu3/mtu3_gadget_ep0.c | 8 ++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/mtu3/mtu3_core.c b/drivers/usb/mtu3/mtu3_core.c
index 947579842ad7..95978e3b363e 100644
--- a/drivers/usb/mtu3/mtu3_core.c
+++ b/drivers/usb/mtu3/mtu3_core.c
@@ -564,8 +564,10 @@ static void mtu3_regs_init(struct mtu3 *mtu)
 	if (mtu->is_u3_ip) {
 		/* disable LGO_U1/U2 by default */
 		mtu3_clrbits(mbase, U3D_LINK_POWER_CONTROL,
-				SW_U1_ACCEPT_ENABLE | SW_U2_ACCEPT_ENABLE |
 				SW_U1_REQUEST_ENABLE | SW_U2_REQUEST_ENABLE);
+		/* enable accept LGO_U1/U2 link command from host */
+		mtu3_setbits(mbase, U3D_LINK_POWER_CONTROL,
+				SW_U1_ACCEPT_ENABLE | SW_U2_ACCEPT_ENABLE);
 		/* device responses to u3_exit from host automatically */
 		mtu3_clrbits(mbase, U3D_LTSSM_CTRL, SOFT_U3_EXIT_EN);
 		/* automatically build U2 link when U3 detect fail */
diff --git a/drivers/usb/mtu3/mtu3_gadget_ep0.c b/drivers/usb/mtu3/mtu3_gadget_ep0.c
index 958d74dd2b78..7997cf5f06fc 100644
--- a/drivers/usb/mtu3/mtu3_gadget_ep0.c
+++ b/drivers/usb/mtu3/mtu3_gadget_ep0.c
@@ -335,9 +335,9 @@ static int ep0_handle_feature_dev(struct mtu3 *mtu,
 
 		lpc = mtu3_readl(mbase, U3D_LINK_POWER_CONTROL);
 		if (set)
-			lpc |= SW_U1_ACCEPT_ENABLE;
+			lpc |= SW_U1_REQUEST_ENABLE;
 		else
-			lpc &= ~SW_U1_ACCEPT_ENABLE;
+			lpc &= ~SW_U1_REQUEST_ENABLE;
 		mtu3_writel(mbase, U3D_LINK_POWER_CONTROL, lpc);
 
 		mtu->u1_enable = !!set;
@@ -350,9 +350,9 @@ static int ep0_handle_feature_dev(struct mtu3 *mtu,
 
 		lpc = mtu3_readl(mbase, U3D_LINK_POWER_CONTROL);
 		if (set)
-			lpc |= SW_U2_ACCEPT_ENABLE;
+			lpc |= SW_U2_REQUEST_ENABLE;
 		else
-			lpc &= ~SW_U2_ACCEPT_ENABLE;
+			lpc &= ~SW_U2_REQUEST_ENABLE;
 		mtu3_writel(mbase, U3D_LINK_POWER_CONTROL, lpc);
 
 		mtu->u2_enable = !!set;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 066/205] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module clocks
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 065/205] usb: mtu3: fix the issue about SetFeature(U1/U2_Enable) Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 067/205] driver core: Move async_synchronize_full call Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Maxime Ripard, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6e6da2039c82271dd873b9ad2b902a692a7dd554 ]

All the audio interfaces on Allwinner SoCs need to change their module
clocks during operation, to switch between support for 44.1 kHz and 48
kHz family sample rates. The clock rate for the module clocks is
governed by their upstream audio PLL. The module clocks themselves only
have a gate, and sometimes a divider or mux. Thus any rate changes need
to be propagated upstream.

Set the CLK_SET_RATE_PARENT flag for all audio module clocks to achieve
this.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/sunxi-ng/ccu-sun8i-a33.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-a33.c b/drivers/clk/sunxi-ng/ccu-sun8i-a33.c
index 13eb5b23c5e7..c40d572a7602 100644
--- a/drivers/clk/sunxi-ng/ccu-sun8i-a33.c
+++ b/drivers/clk/sunxi-ng/ccu-sun8i-a33.c
@@ -366,10 +366,10 @@ static SUNXI_CCU_MP_WITH_MUX_GATE(spi1_clk, "spi1", mod0_default_parents, 0x0a4,
 static const char * const i2s_parents[] = { "pll-audio-8x", "pll-audio-4x",
 					    "pll-audio-2x", "pll-audio" };
 static SUNXI_CCU_MUX_WITH_GATE(i2s0_clk, "i2s0", i2s_parents,
-			       0x0b0, 16, 2, BIT(31), 0);
+			       0x0b0, 16, 2, BIT(31), CLK_SET_RATE_PARENT);
 
 static SUNXI_CCU_MUX_WITH_GATE(i2s1_clk, "i2s1", i2s_parents,
-			       0x0b4, 16, 2, BIT(31), 0);
+			       0x0b4, 16, 2, BIT(31), CLK_SET_RATE_PARENT);
 
 /* TODO: the parent for most of the USB clocks is not known */
 static SUNXI_CCU_GATE(usb_phy0_clk,	"usb-phy0",	"osc24M",
@@ -446,7 +446,7 @@ static SUNXI_CCU_M_WITH_GATE(ve_clk, "ve", "pll-ve",
 static SUNXI_CCU_GATE(ac_dig_clk,	"ac-dig",	"pll-audio",
 		      0x140, BIT(31), CLK_SET_RATE_PARENT);
 static SUNXI_CCU_GATE(ac_dig_4x_clk,	"ac-dig-4x",	"pll-audio-4x",
-		      0x140, BIT(30), 0);
+		      0x140, BIT(30), CLK_SET_RATE_PARENT);
 static SUNXI_CCU_GATE(avs_clk,		"avs",		"osc24M",
 		      0x144, BIT(31), 0);
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 067/205] driver core: Move async_synchronize_full call
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 066/205] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module clocks Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 068/205] kobject: return error code if writing /sys/.../uevent fails Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Dan Williams,
	Alexander Duyck, Luis Chamberlain, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c37d721c68ad88925ba0e72f6e14acb829a8c6bb ]

Move the async_synchronize_full call out of __device_release_driver and
into driver_detach.

The idea behind this is that the async_synchronize_full call will only
guarantee that any existing async operations are flushed. This doesn't do
anything to guarantee that a hotplug event that may occur while we are
doing the release of the driver will not be asynchronously scheduled.

By moving this into the driver_detach path we can avoid potential deadlocks
as we aren't holding the device lock at this point and we should not have
the driver we want to flush loaded so the flush will take care of any
asynchronous events the driver we are detaching might have scheduled.

Fixes: 765230b5f084 ("driver-core: add asynchronous probing support for drivers")
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/dd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index 55fc31f6fe7f..d928cc6d0638 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -813,9 +813,6 @@ static void __device_release_driver(struct device *dev, struct device *parent)
 
 	drv = dev->driver;
 	if (drv) {
-		if (driver_allows_async_probing(drv))
-			async_synchronize_full();
-
 		while (device_links_busy(dev)) {
 			device_unlock(dev);
 			if (parent)
@@ -920,6 +917,9 @@ void driver_detach(struct device_driver *drv)
 	struct device_private *dev_prv;
 	struct device *dev;
 
+	if (driver_allows_async_probing(drv))
+		async_synchronize_full();
+
 	for (;;) {
 		spin_lock(&drv->p->klist_devices.k_lock);
 		if (list_empty(&drv->p->klist_devices.k_list)) {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 068/205] kobject: return error code if writing /sys/.../uevent fails
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 067/205] driver core: Move async_synchronize_full call Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 069/205] IB/hfi1: Unreserve a reserved request when it is completed Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Rajnoha, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit df44b479654f62b478c18ee4d8bc4e9f897a9844 ]

Propagate error code back to userspace if writing the /sys/.../uevent
file fails. Before, the write operation always returned with success,
even if we failed to recognize the input string or if we failed to
generate the uevent itself.

With the error codes properly propagated back to userspace, we are
able to react in userspace accordingly by not assuming and awaiting
a uevent that is not delivered.

Signed-off-by: Peter Rajnoha <prajnoha@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/bus.c  | 12 ++++++++----
 drivers/base/core.c |  8 +++++++-
 kernel/module.c     |  6 ++++--
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/drivers/base/bus.c b/drivers/base/bus.c
index 1cf1460f8c90..3464c49dad0d 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -616,8 +616,10 @@ static void remove_probe_files(struct bus_type *bus)
 static ssize_t uevent_store(struct device_driver *drv, const char *buf,
 			    size_t count)
 {
-	kobject_synth_uevent(&drv->p->kobj, buf, count);
-	return count;
+	int rc;
+
+	rc = kobject_synth_uevent(&drv->p->kobj, buf, count);
+	return rc ? rc : count;
 }
 static DRIVER_ATTR_WO(uevent);
 
@@ -833,8 +835,10 @@ static void klist_devices_put(struct klist_node *n)
 static ssize_t bus_uevent_store(struct bus_type *bus,
 				const char *buf, size_t count)
 {
-	kobject_synth_uevent(&bus->p->subsys.kobj, buf, count);
-	return count;
+	int rc;
+
+	rc = kobject_synth_uevent(&bus->p->subsys.kobj, buf, count);
+	return rc ? rc : count;
 }
 static BUS_ATTR(uevent, S_IWUSR, NULL, bus_uevent_store);
 
diff --git a/drivers/base/core.c b/drivers/base/core.c
index fc5bbb2519fe..1c67bf24bc23 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -991,8 +991,14 @@ out:
 static ssize_t uevent_store(struct device *dev, struct device_attribute *attr,
 			    const char *buf, size_t count)
 {
-	if (kobject_synth_uevent(&dev->kobj, buf, count))
+	int rc;
+
+	rc = kobject_synth_uevent(&dev->kobj, buf, count);
+
+	if (rc) {
 		dev_err(dev, "uevent: failed to send synthetic uevent\n");
+		return rc;
+	}
 
 	return count;
 }
diff --git a/kernel/module.c b/kernel/module.c
index 2a44c515f0d7..94528b891027 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1201,8 +1201,10 @@ static ssize_t store_uevent(struct module_attribute *mattr,
 			    struct module_kobject *mk,
 			    const char *buffer, size_t count)
 {
-	kobject_synth_uevent(&mk->kobj, buffer, count);
-	return count;
+	int rc;
+
+	rc = kobject_synth_uevent(&mk->kobj, buffer, count);
+	return rc ? rc : count;
 }
 
 struct module_attribute module_uevent =
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 069/205] IB/hfi1: Unreserve a reserved request when it is completed
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 068/205] kobject: return error code if writing /sys/.../uevent fails Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 070/205] usb: dwc3: trace: add missing break statement to make compiler happy Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Kaike Wan,
	Dennis Dalessandro, Jason Gunthorpe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ca95f802ef5139722acc8d30aeaab6fe5bbe939e ]

Currently, When a reserved operation is completed, its entry in the send
queue will not be unreserved, which leads to the miscalculation of
qp->s_avail and thus the triggering of a WARN_ON call trace. This patch
fixes the problem by unreserving the reserved operation when it is
completed.

Fixes: 856cc4c237ad ("IB/hfi1: Add the capability for reserved operations")
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Kaike Wan <kaike.wan@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/hfi1/rc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/hw/hfi1/rc.c b/drivers/infiniband/hw/hfi1/rc.c
index 818bac1a4056..d3b8cb92fd6d 100644
--- a/drivers/infiniband/hw/hfi1/rc.c
+++ b/drivers/infiniband/hw/hfi1/rc.c
@@ -1162,6 +1162,7 @@ void hfi1_rc_send_complete(struct rvt_qp *qp, struct hfi1_opa_header *opah)
 		if (cmp_psn(wqe->lpsn, qp->s_sending_psn) >= 0 &&
 		    cmp_psn(qp->s_sending_psn, qp->s_sending_hpsn) <= 0)
 			break;
+		rvt_qp_wqe_unreserve(qp, wqe);
 		s_last = qp->s_last;
 		trace_hfi1_qp_send_completion(qp, wqe, s_last);
 		if (++s_last >= qp->s_size)
@@ -1214,6 +1215,7 @@ static struct rvt_swqe *do_rc_completion(struct rvt_qp *qp,
 		u32 s_last;
 
 		rvt_put_swqe(wqe);
+		rvt_qp_wqe_unreserve(qp, wqe);
 		s_last = qp->s_last;
 		trace_hfi1_qp_send_completion(qp, wqe, s_last);
 		if (++s_last >= qp->s_size)
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 070/205] usb: dwc3: trace: add missing break statement to make compiler happy
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 069/205] IB/hfi1: Unreserve a reserved request when it is completed Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 071/205] pinctrl: sx150x: handle failure case of devm_kstrdup Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Andy Shevchenko, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 54d48183d21e03f780053d7129312049cb5dd591 ]

The missed break statement in the outer switch makes the code fall through
always and thus always same value will be printed.

Besides that, compiler warns about missed fall through marker:

drivers/usb/dwc3/./trace.h: In function ‘trace_raw_output_dwc3_log_trb’:
drivers/usb/dwc3/./trace.h:246:4: warning: this statement may fall through [-Wimplicit-fallthrough=]
    switch (pcm) {
    ^~~~~~

Add the missing break statement to work correctly without compilation
warnings.

Fixes: fa8d965d736b ("usb: dwc3: trace: pretty print high-bandwidth transfers too")
Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/dwc3/trace.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/dwc3/trace.h b/drivers/usb/dwc3/trace.h
index 6504b116da04..62ec20a26013 100644
--- a/drivers/usb/dwc3/trace.h
+++ b/drivers/usb/dwc3/trace.h
@@ -262,9 +262,11 @@ DECLARE_EVENT_CLASS(dwc3_log_trb,
 				s = "2x ";
 				break;
 			case 3:
+			default:
 				s = "3x ";
 				break;
 			}
+			break;
 		default:
 			s = "";
 		} s; }),
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 071/205] pinctrl: sx150x: handle failure case of devm_kstrdup
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 070/205] usb: dwc3: trace: add missing break statement to make compiler happy Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 072/205] iommu/amd: Fix amd_iommu=force_isolation Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Mc Guire, Linus Walleij,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a9d9f6b83f1bb05da849b3540e6d1f70ef1c2343 ]

devm_kstrdup() may return NULL if internal allocation failed.
Thus using  label, name  is unsafe without checking. Therefor
in the unlikely case of allocation failure, sx150x_probe() simply
returns -ENOMEM.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: 9e80f9064e73 ("pinctrl: Add SX150X GPIO Extender Pinctrl Driver")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/pinctrl-sx150x.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/pinctrl/pinctrl-sx150x.c b/drivers/pinctrl/pinctrl-sx150x.c
index 70a0228f4e7f..2d0f4f760326 100644
--- a/drivers/pinctrl/pinctrl-sx150x.c
+++ b/drivers/pinctrl/pinctrl-sx150x.c
@@ -1166,7 +1166,6 @@ static int sx150x_probe(struct i2c_client *client,
 	}
 
 	/* Register GPIO controller */
-	pctl->gpio.label = devm_kstrdup(dev, client->name, GFP_KERNEL);
 	pctl->gpio.base = -1;
 	pctl->gpio.ngpio = pctl->data->npins;
 	pctl->gpio.get_direction = sx150x_gpio_get_direction;
@@ -1180,6 +1179,10 @@ static int sx150x_probe(struct i2c_client *client,
 	pctl->gpio.of_node = dev->of_node;
 #endif
 	pctl->gpio.can_sleep = true;
+	pctl->gpio.label = devm_kstrdup(dev, client->name, GFP_KERNEL);
+	if (!pctl->gpio.label)
+		return -ENOMEM;
+
 	/*
 	 * Setting multiple pins is not safe when all pins are not
 	 * handled by the same regmap register. The oscio pin (present
@@ -1200,13 +1203,15 @@ static int sx150x_probe(struct i2c_client *client,
 
 	/* Add Interrupt support if an irq is specified */
 	if (client->irq > 0) {
-		pctl->irq_chip.name = devm_kstrdup(dev, client->name,
-						   GFP_KERNEL);
 		pctl->irq_chip.irq_mask = sx150x_irq_mask;
 		pctl->irq_chip.irq_unmask = sx150x_irq_unmask;
 		pctl->irq_chip.irq_set_type = sx150x_irq_set_type;
 		pctl->irq_chip.irq_bus_lock = sx150x_irq_bus_lock;
 		pctl->irq_chip.irq_bus_sync_unlock = sx150x_irq_bus_sync_unlock;
+		pctl->irq_chip.name = devm_kstrdup(dev, client->name,
+						   GFP_KERNEL);
+		if (!pctl->irq_chip.name)
+			return -ENOMEM;
 
 		pctl->irq.masked = ~0;
 		pctl->irq.sense = 0;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 072/205] iommu/amd: Fix amd_iommu=force_isolation
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 071/205] pinctrl: sx150x: handle failure case of devm_kstrdup Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 073/205] ARM: dts: Fix OMAP4430 SDP Ethernet startup Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yu Zhao, Joerg Roedel, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c12b08ebbe16f0d3a96a116d86709b04c1ee8e74 ]

The parameter is still there but it's ignored. We need to check its
value before deciding to go into passthrough mode for AMD IOMMU v2
capable device.

We occasionally use this parameter to force v2 capable device into
translation mode to debug memory corruption that we suspect is
caused by DMA writes.

To address the following comment from Joerg Roedel on the first
version, v2 capability of device is completely ignored.
> This breaks the iommu_v2 use-case, as it needs a direct mapping for the
> devices that support it.

And from Documentation/admin-guide/kernel-parameters.txt:
  This option does not override iommu=pt

Fixes: aafd8ba0ca74 ("iommu/amd: Implement add_device and remove_device")

Signed-off-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/amd_iommu.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index efa6cd2500b9..766103ea237e 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -442,7 +442,14 @@ static int iommu_init_device(struct device *dev)
 
 	dev_data->alias = get_alias(dev);
 
-	if (dev_is_pci(dev) && pci_iommuv2_capable(to_pci_dev(dev))) {
+	/*
+	 * By default we use passthrough mode for IOMMUv2 capable device.
+	 * But if amd_iommu=force_isolation is set (e.g. to debug DMA to
+	 * invalid address), we ignore the capability for the device so
+	 * it'll be forced to go into translation mode.
+	 */
+	if ((iommu_pass_through || !amd_iommu_force_isolation) &&
+	    dev_is_pci(dev) && pci_iommuv2_capable(to_pci_dev(dev))) {
 		struct amd_iommu *iommu;
 
 		iommu = amd_iommu_rlookup_table[dev_data->devid];
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 073/205] ARM: dts: Fix OMAP4430 SDP Ethernet startup
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 072/205] iommu/amd: Fix amd_iommu=force_isolation Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 074/205] mips: bpf: fix encoding bug for mm_srlv32_op Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Peter Ujfalusi,
	Tony Lindgren, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 84fb6c7feb1494ebb7d1ec8b95cfb7ada0264465 ]

It was noticed that unbinding and rebinding the KSZ8851 ethernet
resulted in the driver reporting "failed to read device ID" at probe.
Probing the reset line with a 'scope while repeatedly attempting to
bind the driver in a shell loop revealed that the KSZ8851 RSTN pin is
constantly held at zero, meaning the device is held in reset, and
does not respond on the SPI bus.

Experimentation with the startup delay on the regulator set to 50ms
shows that the reset is positively released after 20ms.

Schematics for this board are not available, and the traces are buried
in the inner layers of the board which makes tracing where the RSTN pin
extremely difficult.  We can only guess that the RSTN pin is wired to a
reset generator chip driven off the ethernet supply, which fits the
observed behaviour.

Include this delay in the regulator startup delay - effectively
treating the reset as a "supply stable" indicator.

This can not be modelled as a delay in the KSZ8851 driver since the
reset generation is board specific - if the RSTN pin had been wired to
a GPIO, reset could be released earlier via the already provided support
in the KSZ8851 driver.

This also got confirmed by Peter Ujfalusi <peter.ujfalusi@ti.com> based
on Blaze schematics that should be very close to SDP4430:

TPS22902YFPR is used as the regulator switch (gpio48 controlled):
Convert arm boot_lock to raw The VOUT is routed to TPS3808G01DBV.
(SCH Note: Threshold set at 90%. Vsense: 0.405V).

According to the TPS3808 data sheet the RESET delay time when Ct is
open (this is the case in the schema): MIN/TYP/MAX: 12/20/28 ms.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
[tony@atomide.com: updated with notes from schematics from Peter]
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/omap4-sdp.dts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/boot/dts/omap4-sdp.dts b/arch/arm/boot/dts/omap4-sdp.dts
index 280d92d42bf1..bfad6aadfe88 100644
--- a/arch/arm/boot/dts/omap4-sdp.dts
+++ b/arch/arm/boot/dts/omap4-sdp.dts
@@ -33,6 +33,7 @@
 		gpio = <&gpio2 16 GPIO_ACTIVE_HIGH>;  /* gpio line 48 */
 		enable-active-high;
 		regulator-boot-on;
+		startup-delay-us = <25000>;
 	};
 
 	vbat: fixedregulator-vbat {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 074/205] mips: bpf: fix encoding bug for mm_srlv32_op
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 073/205] ARM: dts: Fix OMAP4430 SDP Ethernet startup Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 075/205] media: coda: fix H.264 deblocking filter controls Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Markos Chandras, Paul Burton,
	linux-mips, Jakub Kicinski, Song Liu, Jiong Wang,
	Alexei Starovoitov, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 17f6c83fb5ebf7db4fcc94a5be4c22d5a7bfe428 ]

For micro-mips, srlv inside POOL32A encoding space should use 0x50
sub-opcode, NOT 0x90.

Some early version ISA doc describes the encoding as 0x90 for both srlv and
srav, this looks to me was a typo. I checked Binutils libopcode
implementation which is using 0x50 for srlv and 0x90 for srav.

v1->v2:
  - Keep mm_srlv32_op sorted by value.

Fixes: f31318fdf324 ("MIPS: uasm: Add srlv uasm instruction")
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Paul Burton <paul.burton@mips.com>
Cc: linux-mips@vger.kernel.org
Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/include/uapi/asm/inst.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h
index c05dcf5ab414..273ef58f4d43 100644
--- a/arch/mips/include/uapi/asm/inst.h
+++ b/arch/mips/include/uapi/asm/inst.h
@@ -369,8 +369,8 @@ enum mm_32a_minor_op {
 	mm_ext_op = 0x02c,
 	mm_pool32axf_op = 0x03c,
 	mm_srl32_op = 0x040,
+	mm_srlv32_op = 0x050,
 	mm_sra_op = 0x080,
-	mm_srlv32_op = 0x090,
 	mm_rotr_op = 0x0c0,
 	mm_lwxs_op = 0x118,
 	mm_addu32_op = 0x150,
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 075/205] media: coda: fix H.264 deblocking filter controls
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 074/205] mips: bpf: fix encoding bug for mm_srlv32_op Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 076/205] ARM: dts: Fix up the D-Link DIR-685 MTD partition info Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philipp Zabel, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 75fa6e4f83a0923fe753827d354998d448b4fd6a ]

Add support for the third loop filter mode
V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_DISABLED_AT_SLICE_BOUNDARY,
and fix V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_ALPHA and
V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_BETA controls.

The filter offset controls are signed values in the -6 to 6 range and
are stored into the slice header fields slice_alpha_c0_offset_div2 and
slice_beta_offset_div2. The actual filter offsets FilterOffsetA/B are
double their value, in range of -12 to 12.

Rename variables to more closely match the nomenclature in the H.264
specification.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/coda/coda-bit.c    | 19 +++++++++----------
 drivers/media/platform/coda/coda-common.c | 15 +++++++--------
 drivers/media/platform/coda/coda.h        |  6 +++---
 drivers/media/platform/coda/coda_regs.h   |  2 +-
 4 files changed, 20 insertions(+), 22 deletions(-)

diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
index 291c40933935..3457a5f1c8a8 100644
--- a/drivers/media/platform/coda/coda-bit.c
+++ b/drivers/media/platform/coda/coda-bit.c
@@ -953,16 +953,15 @@ static int coda_start_encoding(struct coda_ctx *ctx)
 		else
 			coda_write(dev, CODA_STD_H264,
 				   CODA_CMD_ENC_SEQ_COD_STD);
-		if (ctx->params.h264_deblk_enabled) {
-			value = ((ctx->params.h264_deblk_alpha &
-				  CODA_264PARAM_DEBLKFILTEROFFSETALPHA_MASK) <<
-				 CODA_264PARAM_DEBLKFILTEROFFSETALPHA_OFFSET) |
-				((ctx->params.h264_deblk_beta &
-				  CODA_264PARAM_DEBLKFILTEROFFSETBETA_MASK) <<
-				 CODA_264PARAM_DEBLKFILTEROFFSETBETA_OFFSET);
-		} else {
-			value = 1 << CODA_264PARAM_DISABLEDEBLK_OFFSET;
-		}
+		value = ((ctx->params.h264_disable_deblocking_filter_idc &
+			  CODA_264PARAM_DISABLEDEBLK_MASK) <<
+			 CODA_264PARAM_DISABLEDEBLK_OFFSET) |
+			((ctx->params.h264_slice_alpha_c0_offset_div2 &
+			  CODA_264PARAM_DEBLKFILTEROFFSETALPHA_MASK) <<
+			 CODA_264PARAM_DEBLKFILTEROFFSETALPHA_OFFSET) |
+			((ctx->params.h264_slice_beta_offset_div2 &
+			  CODA_264PARAM_DEBLKFILTEROFFSETBETA_MASK) <<
+			 CODA_264PARAM_DEBLKFILTEROFFSETBETA_OFFSET);
 		coda_write(dev, value, CODA_CMD_ENC_SEQ_264_PARA);
 		break;
 	case V4L2_PIX_FMT_JPEG:
diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c
index 99d138d3f87f..2e1472fadc2c 100644
--- a/drivers/media/platform/coda/coda-common.c
+++ b/drivers/media/platform/coda/coda-common.c
@@ -1675,14 +1675,13 @@ static int coda_s_ctrl(struct v4l2_ctrl *ctrl)
 		ctx->params.h264_max_qp = ctrl->val;
 		break;
 	case V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_ALPHA:
-		ctx->params.h264_deblk_alpha = ctrl->val;
+		ctx->params.h264_slice_alpha_c0_offset_div2 = ctrl->val;
 		break;
 	case V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_BETA:
-		ctx->params.h264_deblk_beta = ctrl->val;
+		ctx->params.h264_slice_beta_offset_div2 = ctrl->val;
 		break;
 	case V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_MODE:
-		ctx->params.h264_deblk_enabled = (ctrl->val ==
-				V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_ENABLED);
+		ctx->params.h264_disable_deblocking_filter_idc = ctrl->val;
 		break;
 	case V4L2_CID_MPEG_VIDEO_H264_PROFILE:
 		/* TODO: switch between baseline and constrained baseline */
@@ -1764,13 +1763,13 @@ static void coda_encode_ctrls(struct coda_ctx *ctx)
 	v4l2_ctrl_new_std(&ctx->ctrls, &coda_ctrl_ops,
 		V4L2_CID_MPEG_VIDEO_H264_MAX_QP, 0, 51, 1, 51);
 	v4l2_ctrl_new_std(&ctx->ctrls, &coda_ctrl_ops,
-		V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_ALPHA, 0, 15, 1, 0);
+		V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_ALPHA, -6, 6, 1, 0);
 	v4l2_ctrl_new_std(&ctx->ctrls, &coda_ctrl_ops,
-		V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_BETA, 0, 15, 1, 0);
+		V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_BETA, -6, 6, 1, 0);
 	v4l2_ctrl_new_std_menu(&ctx->ctrls, &coda_ctrl_ops,
 		V4L2_CID_MPEG_VIDEO_H264_LOOP_FILTER_MODE,
-		V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_DISABLED, 0x0,
-		V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_ENABLED);
+		V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_DISABLED_AT_SLICE_BOUNDARY,
+		0x0, V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_ENABLED);
 	v4l2_ctrl_new_std_menu(&ctx->ctrls, &coda_ctrl_ops,
 		V4L2_CID_MPEG_VIDEO_H264_PROFILE,
 		V4L2_MPEG_VIDEO_H264_PROFILE_BASELINE, 0x0,
diff --git a/drivers/media/platform/coda/coda.h b/drivers/media/platform/coda/coda.h
index c5f504d8cf67..389a882cc3da 100644
--- a/drivers/media/platform/coda/coda.h
+++ b/drivers/media/platform/coda/coda.h
@@ -114,9 +114,9 @@ struct coda_params {
 	u8			h264_inter_qp;
 	u8			h264_min_qp;
 	u8			h264_max_qp;
-	u8			h264_deblk_enabled;
-	u8			h264_deblk_alpha;
-	u8			h264_deblk_beta;
+	u8			h264_disable_deblocking_filter_idc;
+	s8			h264_slice_alpha_c0_offset_div2;
+	s8			h264_slice_beta_offset_div2;
 	u8			h264_profile_idc;
 	u8			h264_level_idc;
 	u8			mpeg4_intra_qp;
diff --git a/drivers/media/platform/coda/coda_regs.h b/drivers/media/platform/coda/coda_regs.h
index 38df5fd9a2fa..546f5762357c 100644
--- a/drivers/media/platform/coda/coda_regs.h
+++ b/drivers/media/platform/coda/coda_regs.h
@@ -292,7 +292,7 @@
 #define		CODA_264PARAM_DEBLKFILTEROFFSETALPHA_OFFSET	8
 #define		CODA_264PARAM_DEBLKFILTEROFFSETALPHA_MASK	0x0f
 #define		CODA_264PARAM_DISABLEDEBLK_OFFSET		6
-#define		CODA_264PARAM_DISABLEDEBLK_MASK		0x01
+#define		CODA_264PARAM_DISABLEDEBLK_MASK		0x03
 #define		CODA_264PARAM_CONSTRAINEDINTRAPREDFLAG_OFFSET	5
 #define		CODA_264PARAM_CONSTRAINEDINTRAPREDFLAG_MASK	0x01
 #define		CODA_264PARAM_CHROMAQPOFFSET_OFFSET		0
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 076/205] ARM: dts: Fix up the D-Link DIR-685 MTD partition info
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 075/205] media: coda: fix H.264 deblocking filter controls Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 077/205] tracing: Have trace_stack nr_entries compare not be so subtle Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Linus Walleij, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 738a05e673435afb986b53da43befd83ad87ec3b ]

The vendor firmware was analyzed to get the right idea about
this flash layout. /proc/mtd contains:

dev:    size   erasesize  name
mtd0: 01e7ff40 00020000 "rootfs"
mtd1: 01f40000 00020000 "upgrade"
mtd2: 00040000 00020000 "rgdb"
mtd3: 00020000 00020000 "nvram"
mtd4: 00040000 00020000 "RedBoot"
mtd5: 00020000 00020000 "LangPack"
mtd6: 02000000 00020000 "flash"

Here "flash" is obviously the whole device and we know "rootfs"
is a bogus hack to point to a squashfs rootfs inside of the main
"upgrade partition". We know "RedBoot" is the first 0x40000 of
the flash and the "upgrade" partition follows from 0x40000 to
0x1f8000. So we have mtd0, 1, 4 and 6 covered.

Remains:
mtd2: 00040000 00020000 "rgdb"
mtd3: 00020000 00020000 "nvram"
mtd5: 00020000 00020000 "LangPack"

Inspecting the flash at 0x1f8000 and 0x1fa000 reveals each of
these starting with "RGCFG1" so we assume 0x1f8000-1fbfff is
"rgdb" of 0x40000.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/gemini-dlink-dir-685.dts | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/arch/arm/boot/dts/gemini-dlink-dir-685.dts b/arch/arm/boot/dts/gemini-dlink-dir-685.dts
index e75e2d44371c..d6f752ab07bb 100644
--- a/arch/arm/boot/dts/gemini-dlink-dir-685.dts
+++ b/arch/arm/boot/dts/gemini-dlink-dir-685.dts
@@ -128,20 +128,16 @@
 				read-only;
 			};
 			/*
-			 * Between the boot loader and the rootfs is the kernel
-			 * in a custom Storlink format flashed from the boot
-			 * menu. The rootfs is in squashfs format.
+			 * This firmware image contains the kernel catenated
+			 * with the squashfs root filesystem. For some reason
+			 * this is called "upgrade" on the vendor system.
 			 */
-			partition@1800c0 {
-				label = "rootfs";
-				reg = <0x001800c0 0x01dbff40>;
-				read-only;
-			};
-			partition@1f40000 {
+			partition@40000 {
 				label = "upgrade";
-				reg = <0x01f40000 0x00040000>;
+				reg = <0x00040000 0x01f40000>;
 				read-only;
 			};
+			/* RGDB, Residental Gateway Database? */
 			partition@1f80000 {
 				label = "rgdb";
 				reg = <0x01f80000 0x00040000>;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 077/205] tracing: Have trace_stack nr_entries compare not be so subtle
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 076/205] ARM: dts: Fix up the D-Link DIR-685 MTD partition info Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 078/205] watchdog: renesas_wdt: dont set divider while watchdog is running Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter,
	Steven Rostedt (VMware),
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ca16b0fbb05242f18da9d810c07d3882ffed831c ]

Dan Carpenter reviewed the trace_stack.c code and figured he found an off by
one bug.

 "From reviewing the code, it seems possible for
  stack_trace_max.nr_entries to be set to .max_entries and in that case we
  would be reading one element beyond the end of the stack_dump_trace[]
  array.  If it's not set to .max_entries then the bug doesn't affect
  runtime."

Although it looks to be the case, it is not. Because we have:

 static unsigned long stack_dump_trace[STACK_TRACE_ENTRIES+1] =
	 { [0 ... (STACK_TRACE_ENTRIES)] = ULONG_MAX };

 struct stack_trace stack_trace_max = {
	.max_entries		= STACK_TRACE_ENTRIES - 1,
	.entries		= &stack_dump_trace[0],
 };

And:

	stack_trace_max.nr_entries = x;
	for (; x < i; x++)
		stack_dump_trace[x] = ULONG_MAX;

Even if nr_entries equals max_entries, indexing with it into the
stack_dump_trace[] array will not overflow the array. But if it is the case,
the second part of the conditional that tests stack_dump_trace[nr_entries]
to ULONG_MAX will always be true.

By applying Dan's patch, it removes the subtle aspect of it and makes the if
conditional slightly more efficient.

Link: http://lkml.kernel.org/r/20180620110758.crunhd5bfep7zuiz@kili.mountain

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/trace/trace_stack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
index 719a52a4064a..ba662010542c 100644
--- a/kernel/trace/trace_stack.c
+++ b/kernel/trace/trace_stack.c
@@ -282,7 +282,7 @@ __next(struct seq_file *m, loff_t *pos)
 {
 	long n = *pos - 1;
 
-	if (n > stack_trace_max.nr_entries || stack_dump_trace[n] == ULONG_MAX)
+	if (n >= stack_trace_max.nr_entries || stack_dump_trace[n] == ULONG_MAX)
 		return NULL;
 
 	m->private = (void *)n;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 078/205] watchdog: renesas_wdt: dont set divider while watchdog is running
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 077/205] tracing: Have trace_stack nr_entries compare not be so subtle Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 079/205] usb: dwc3: gadget: Disable CSP for stream OUT ep Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wolfram Sang, Fabrizio Castro,
	Guenter Roeck, Wim Van Sebroeck, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e990e12741877e9bfac402ca468f4007a75f6e2a ]

The datasheet says we must stop the timer before changing the clock
divider. This can happen when the restart handler is called while the
watchdog is running.

Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Fabrizio Castro <fabrizio.castro@bp.renesas.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/renesas_wdt.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/watchdog/renesas_wdt.c b/drivers/watchdog/renesas_wdt.c
index 831ef83f6de1..c4a17d72d025 100644
--- a/drivers/watchdog/renesas_wdt.c
+++ b/drivers/watchdog/renesas_wdt.c
@@ -74,12 +74,17 @@ static int rwdt_init_timeout(struct watchdog_device *wdev)
 static int rwdt_start(struct watchdog_device *wdev)
 {
 	struct rwdt_priv *priv = watchdog_get_drvdata(wdev);
+	u8 val;
 
 	pm_runtime_get_sync(wdev->parent);
 
-	rwdt_write(priv, 0, RWTCSRB);
-	rwdt_write(priv, priv->cks, RWTCSRA);
+	/* Stop the timer before we modify any register */
+	val = readb_relaxed(priv->base + RWTCSRA) & ~RWTCSRA_TME;
+	rwdt_write(priv, val, RWTCSRA);
+
 	rwdt_init_timeout(wdev);
+	rwdt_write(priv, priv->cks, RWTCSRA);
+	rwdt_write(priv, 0, RWTCSRB);
 
 	while (readb_relaxed(priv->base + RWTCSRA) & RWTCSRA_WRFLG)
 		cpu_relax();
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 079/205] usb: dwc3: gadget: Disable CSP for stream OUT ep
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 078/205] watchdog: renesas_wdt: dont set divider while watchdog is running Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 080/205] iommu/arm-smmu: Add support for qcom,smmu-v2 variant Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejas Joglekar, Felipe Balbi, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 244add8ebfb231c39db9e33b204bd0ce8f24f782 ]

In stream mode, when fast-forwarding TRBs, the stream number
is not cleared causing the new stream to not get assigned. So
we don't want controller to carry on transfers when short packet
is received. So disable the CSP for stream capable endpoint.

This is based on the 3.30a Programming guide, where table 3-1
device descriptor structure field definitions says for CSP bit
If this bit is 0, the controller generates an XferComplete event
and remove the stream. So if we keep CSP as 1 then switching between
streams would not happen as in stream mode, when fast-forwarding
TRBs, the stream number is not cleared causing the new stream to not get
assigned.

Signed-off-by: Tejas Joglekar <joglekar@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/dwc3/gadget.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index b80eefa355b6..5b34994b7b08 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -959,9 +959,13 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
 				usb_endpoint_type(dep->endpoint.desc));
 	}
 
-	/* always enable Continue on Short Packet */
+	/*
+	 * Enable Continue on Short Packet
+	 * when endpoint is not a stream capable
+	 */
 	if (usb_endpoint_dir_out(dep->endpoint.desc)) {
-		trb->ctrl |= DWC3_TRB_CTRL_CSP;
+		if (!dep->stream_capable)
+			trb->ctrl |= DWC3_TRB_CTRL_CSP;
 
 		if (short_not_ok)
 			trb->ctrl |= DWC3_TRB_CTRL_ISP_IMI;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 080/205] iommu/arm-smmu: Add support for qcom,smmu-v2 variant
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 079/205] usb: dwc3: gadget: Disable CSP for stream OUT ep Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:17 ` [PATCH 4.14 081/205] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vivek Gautam, Rob Herring,
	Tomasz Figa, Srinivas Kandagatla, Robin Murphy, Will Deacon,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 89cddc563743cb1e0068867ac97013b2a5bf86aa ]

qcom,smmu-v2 is an arm,smmu-v2 implementation with specific
clock and power requirements.
On msm8996, multiple cores, viz. mdss, video, etc. use this
smmu. On sdm845, this smmu is used with gpu.
Add bindings for the same.

Signed-off-by: Vivek Gautam <vivek.gautam@codeaurora.org>
Reviewed-by: Rob Herring <robh@kernel.org>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/arm-smmu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
index 15b5856475fc..01a6a0ea2a4f 100644
--- a/drivers/iommu/arm-smmu.c
+++ b/drivers/iommu/arm-smmu.c
@@ -117,6 +117,7 @@ enum arm_smmu_implementation {
 	GENERIC_SMMU,
 	ARM_MMU500,
 	CAVIUM_SMMUV2,
+	QCOM_SMMUV2,
 };
 
 /* Until ACPICA headers cover IORT rev. C */
@@ -1910,6 +1911,7 @@ ARM_SMMU_MATCH_DATA(smmu_generic_v2, ARM_SMMU_V2, GENERIC_SMMU);
 ARM_SMMU_MATCH_DATA(arm_mmu401, ARM_SMMU_V1_64K, GENERIC_SMMU);
 ARM_SMMU_MATCH_DATA(arm_mmu500, ARM_SMMU_V2, ARM_MMU500);
 ARM_SMMU_MATCH_DATA(cavium_smmuv2, ARM_SMMU_V2, CAVIUM_SMMUV2);
+ARM_SMMU_MATCH_DATA(qcom_smmuv2, ARM_SMMU_V2, QCOM_SMMUV2);
 
 static const struct of_device_id arm_smmu_of_match[] = {
 	{ .compatible = "arm,smmu-v1", .data = &smmu_generic_v1 },
@@ -1918,6 +1920,7 @@ static const struct of_device_id arm_smmu_of_match[] = {
 	{ .compatible = "arm,mmu-401", .data = &arm_mmu401 },
 	{ .compatible = "arm,mmu-500", .data = &arm_mmu500 },
 	{ .compatible = "cavium,smmu-v2", .data = &cavium_smmuv2 },
+	{ .compatible = "qcom,smmu-v2", .data = &qcom_smmuv2 },
 	{ },
 };
 MODULE_DEVICE_TABLE(of, arm_smmu_of_match);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 081/205] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 080/205] iommu/arm-smmu: Add support for qcom,smmu-v2 variant Greg Kroah-Hartman
@ 2019-02-11 14:17 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 082/205] sata_rcar: fix deferred probing Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robin Murphy, Will Deacon, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a868e8530441286342f90c1fd9c5f24de3aa2880 ]

After removing an entry from a queue (e.g. reading an event in
arm_smmu_evtq_thread()) it is necessary to advance the MMIO consumer
pointer to free the queue slot back to the SMMU. A memory barrier is
required here so that all reads targetting the queue entry have
completed before the consumer pointer is updated.

The implementation of queue_inc_cons() relies on a writel() to complete
the previous reads, but this is incorrect because writel() is only
guaranteed to complete prior writes. This patch replaces the call to
writel() with an mb(); writel_relaxed() sequence, which gives us the
read->write ordering which we require.

Cc: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/arm-smmu-v3.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
index 26e99c03390f..09eb258a9a7d 100644
--- a/drivers/iommu/arm-smmu-v3.c
+++ b/drivers/iommu/arm-smmu-v3.c
@@ -730,7 +730,13 @@ static void queue_inc_cons(struct arm_smmu_queue *q)
 	u32 cons = (Q_WRP(q, q->cons) | Q_IDX(q, q->cons)) + 1;
 
 	q->cons = Q_OVF(q, q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons);
-	writel(q->cons, q->cons_reg);
+
+	/*
+	 * Ensure that all CPU accesses (reads and writes) to the queue
+	 * are complete before we update the cons pointer.
+	 */
+	mb();
+	writel_relaxed(q->cons, q->cons_reg);
 }
 
 static int queue_sync_prod(struct arm_smmu_queue *q)
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 082/205] sata_rcar: fix deferred probing
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2019-02-11 14:17 ` [PATCH 4.14 081/205] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 083/205] clk: imx6sl: ensure MMDC CH0 handshake is bypassed Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Simon Horman, Geert Uytterhoeven,
	Sergei Shtylyov, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9f83cfdb1ace3ef268ecc6fda50058d2ec37d603 ]

The driver overrides the error codes returned by platform_get_irq() to
-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe
permanently instead of the deferred probing. Switch to propagating the
error code upstream, still checking/overriding IRQ0 as libata regards it
as "no IRQ" (thus polling) anyway...

Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/sata_rcar.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
index 537d11869069..3e82a4ac239e 100644
--- a/drivers/ata/sata_rcar.c
+++ b/drivers/ata/sata_rcar.c
@@ -880,7 +880,9 @@ static int sata_rcar_probe(struct platform_device *pdev)
 	int ret = 0;
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq <= 0)
+	if (irq < 0)
+		return irq;
+	if (!irq)
 		return -EINVAL;
 
 	priv = devm_kzalloc(&pdev->dev, sizeof(struct sata_rcar_priv),
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 083/205] clk: imx6sl: ensure MMDC CH0 handshake is bypassed
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 082/205] sata_rcar: fix deferred probing Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 084/205] cpuidle: big.LITTLE: fix refcount leak Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anson Huang, Stephen Boyd, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0efcc2c0fd2001a83240a8c3d71f67770484917e ]

Same as other i.MX6 SoCs, ensure unused MMDC channel's
handshake is bypassed, this is to make sure no request
signal will be generated when periphe_clk_sel is changed
or SRC warm reset is triggered.

Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/imx/clk-imx6sl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/clk/imx/clk-imx6sl.c b/drivers/clk/imx/clk-imx6sl.c
index 9642cdf0fb88..c264a744fae8 100644
--- a/drivers/clk/imx/clk-imx6sl.c
+++ b/drivers/clk/imx/clk-imx6sl.c
@@ -17,6 +17,8 @@
 
 #include "clk.h"
 
+#define CCDR				0x4
+#define BM_CCM_CCDR_MMDC_CH0_MASK	(1 << 17)
 #define CCSR			0xc
 #define BM_CCSR_PLL1_SW_CLK_SEL	(1 << 2)
 #define CACRR			0x10
@@ -414,6 +416,10 @@ static void __init imx6sl_clocks_init(struct device_node *ccm_node)
 	clks[IMX6SL_CLK_USDHC3]       = imx_clk_gate2("usdhc3",       "usdhc3_podf",       base + 0x80, 6);
 	clks[IMX6SL_CLK_USDHC4]       = imx_clk_gate2("usdhc4",       "usdhc4_podf",       base + 0x80, 8);
 
+	/* Ensure the MMDC CH0 handshake is bypassed */
+	writel_relaxed(readl_relaxed(base + CCDR) |
+		BM_CCM_CCDR_MMDC_CH0_MASK, base + CCDR);
+
 	imx_check_clocks(clks, ARRAY_SIZE(clks));
 
 	clk_data.clks = clks;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 084/205] cpuidle: big.LITTLE: fix refcount leak
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 083/205] clk: imx6sl: ensure MMDC CH0 handshake is bypassed Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 085/205] OPP: Use opp_table->regulators to verify no regulator case Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yangtao Li, Daniel Lezcano,
	Rafael J. Wysocki, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9456823c842f346c74265fcd98d008d87a7eb6f5 ]

of_find_node_by_path() acquires a reference to the node
returned by it and that reference needs to be dropped by its caller.
bl_idle_init() doesn't do that, so fix it.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cpuidle/cpuidle-big_little.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/cpuidle/cpuidle-big_little.c b/drivers/cpuidle/cpuidle-big_little.c
index db2ede565f1a..b44476a1b7ad 100644
--- a/drivers/cpuidle/cpuidle-big_little.c
+++ b/drivers/cpuidle/cpuidle-big_little.c
@@ -167,6 +167,7 @@ static int __init bl_idle_init(void)
 {
 	int ret;
 	struct device_node *root = of_find_node_by_path("/");
+	const struct of_device_id *match_id;
 
 	if (!root)
 		return -ENODEV;
@@ -174,7 +175,11 @@ static int __init bl_idle_init(void)
 	/*
 	 * Initialize the driver just for a compliant set of machines
 	 */
-	if (!of_match_node(compatible_machine_match, root))
+	match_id = of_match_node(compatible_machine_match, root);
+
+	of_node_put(root);
+
+	if (!match_id)
 		return -ENODEV;
 
 	if (!mcpm_is_available())
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 085/205] OPP: Use opp_table->regulators to verify no regulator case
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 084/205] cpuidle: big.LITTLE: fix refcount leak Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 086/205] i2c-axxia: check for error conditions first Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quentin Perret, Viresh Kumar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 90e3577b5feb42bac1269e16bb3d2bdd8f6df40f ]

The value of opp_table->regulator_count is not very consistent right now
and it may end up being 0 while we do have a "opp-microvolt" property in
the OPP table. It was kept that way as we used to check if any
regulators are set with the OPP core for a device or not using value of
regulator_count.

Lets use opp_table->regulators for that purpose as the meaning of
regulator_count is going to change in the later patches.

Reported-by: Quentin Perret <quentin.perret@arm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/power/opp/core.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/base/power/opp/core.c b/drivers/base/power/opp/core.c
index d4862775b9f6..d5e7e8cc4f22 100644
--- a/drivers/base/power/opp/core.c
+++ b/drivers/base/power/opp/core.c
@@ -192,12 +192,12 @@ unsigned long dev_pm_opp_get_max_volt_latency(struct device *dev)
 	if (IS_ERR(opp_table))
 		return 0;
 
-	count = opp_table->regulator_count;
-
 	/* Regulator may not be required for the device */
-	if (!count)
+	if (!opp_table->regulators)
 		goto put_opp_table;
 
+	count = opp_table->regulator_count;
+
 	uV = kmalloc_array(count, sizeof(*uV), GFP_KERNEL);
 	if (!uV)
 		goto put_opp_table;
@@ -921,6 +921,9 @@ static bool _opp_supported_by_regulators(struct dev_pm_opp *opp,
 	struct regulator *reg;
 	int i;
 
+	if (!opp_table->regulators)
+		return true;
+
 	for (i = 0; i < opp_table->regulator_count; i++) {
 		reg = opp_table->regulators[i];
 
@@ -1226,7 +1229,7 @@ static int _allocate_set_opp_data(struct opp_table *opp_table)
 	struct dev_pm_set_opp_data *data;
 	int len, count = opp_table->regulator_count;
 
-	if (WARN_ON(!count))
+	if (WARN_ON(!opp_table->regulators))
 		return -EINVAL;
 
 	/* space for set_opp_data */
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 086/205] i2c-axxia: check for error conditions first
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 085/205] OPP: Use opp_table->regulators to verify no regulator case Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 087/205] phy: sun4i-usb: add support for missing USB PHY index Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Adamski,
	Alexander Sverdlin, Wolfram Sang, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4f5c85fe3a60ace555d09898166af372547f97fc ]

It was observed that when using seqentional mode contrary to the
documentation, the SS bit (which is supposed to only be set if
automatic/sequence command completed normally), is sometimes set
together with NA (NAK in address phase) causing transfer to falsely be
considered successful.

My assumption is that this does not happen during manual mode since the
controller is stopping its work the moment it sets NA/ND bit in status
register. This is not the case in Automatic/Sequentional mode where it
is still working to send STOP condition and the actual status we get
depends on the time when the ISR is run.

This patch changes the order of checking status bits in ISR - error
conditions are checked first and only if none of them occurred, the
transfer may be considered successful. This is required to introduce
using of sequentional mode in next patch.

Signed-off-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-axxia.c | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/drivers/i2c/busses/i2c-axxia.c b/drivers/i2c/busses/i2c-axxia.c
index deea13838648..30d80ce0bde3 100644
--- a/drivers/i2c/busses/i2c-axxia.c
+++ b/drivers/i2c/busses/i2c-axxia.c
@@ -296,22 +296,7 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev)
 			i2c_int_disable(idev, MST_STATUS_TFL);
 	}
 
-	if (status & MST_STATUS_SCC) {
-		/* Stop completed */
-		i2c_int_disable(idev, ~MST_STATUS_TSS);
-		complete(&idev->msg_complete);
-	} else if (status & MST_STATUS_SNS) {
-		/* Transfer done */
-		i2c_int_disable(idev, ~MST_STATUS_TSS);
-		if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len)
-			axxia_i2c_empty_rx_fifo(idev);
-		complete(&idev->msg_complete);
-	} else if (status & MST_STATUS_TSS) {
-		/* Transfer timeout */
-		idev->msg_err = -ETIMEDOUT;
-		i2c_int_disable(idev, ~MST_STATUS_TSS);
-		complete(&idev->msg_complete);
-	} else if (unlikely(status & MST_STATUS_ERR)) {
+	if (unlikely(status & MST_STATUS_ERR)) {
 		/* Transfer error */
 		i2c_int_disable(idev, ~0);
 		if (status & MST_STATUS_AL)
@@ -328,6 +313,21 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev)
 			readl(idev->base + MST_TX_BYTES_XFRD),
 			readl(idev->base + MST_TX_XFER));
 		complete(&idev->msg_complete);
+	} else if (status & MST_STATUS_SCC) {
+		/* Stop completed */
+		i2c_int_disable(idev, ~MST_STATUS_TSS);
+		complete(&idev->msg_complete);
+	} else if (status & MST_STATUS_SNS) {
+		/* Transfer done */
+		i2c_int_disable(idev, ~MST_STATUS_TSS);
+		if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len)
+			axxia_i2c_empty_rx_fifo(idev);
+		complete(&idev->msg_complete);
+	} else if (status & MST_STATUS_TSS) {
+		/* Transfer timeout */
+		idev->msg_err = -ETIMEDOUT;
+		i2c_int_disable(idev, ~MST_STATUS_TSS);
+		complete(&idev->msg_complete);
 	}
 
 out:
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 087/205] phy: sun4i-usb: add support for missing USB PHY index
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 086/205] i2c-axxia: check for error conditions first Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 088/205] udf: Fix BUG on corrupted inode Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Icenowy Zheng, Chen-Yu Tsai,
	Kishon Vijay Abraham I, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 2659392e5c08dff626e6db1d739adff58a94604d ]

The new Allwinner H6 SoC's USB2 PHY has two holes -- USB1 (which is a
3.0 port with dedicated PHY) and USB2 (which doesn't exist at all).

Add support for this kind of missing USB PHY index.

Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Reviewed-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/phy/allwinner/phy-sun4i-usb.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/phy/allwinner/phy-sun4i-usb.c b/drivers/phy/allwinner/phy-sun4i-usb.c
index afedb8cd1990..d1ccff527756 100644
--- a/drivers/phy/allwinner/phy-sun4i-usb.c
+++ b/drivers/phy/allwinner/phy-sun4i-usb.c
@@ -125,6 +125,7 @@ struct sun4i_usb_phy_cfg {
 	bool dedicated_clocks;
 	bool enable_pmu_unk1;
 	bool phy0_dual_route;
+	int missing_phys;
 };
 
 struct sun4i_usb_phy_data {
@@ -645,6 +646,9 @@ static struct phy *sun4i_usb_phy_xlate(struct device *dev,
 	if (args->args[0] >= data->cfg->num_phys)
 		return ERR_PTR(-ENODEV);
 
+	if (data->cfg->missing_phys & BIT(args->args[0]))
+		return ERR_PTR(-ENODEV);
+
 	return data->phys[args->args[0]].phy;
 }
 
@@ -740,6 +744,9 @@ static int sun4i_usb_phy_probe(struct platform_device *pdev)
 		struct sun4i_usb_phy *phy = data->phys + i;
 		char name[16];
 
+		if (data->cfg->missing_phys & BIT(i))
+			continue;
+
 		snprintf(name, sizeof(name), "usb%d_vbus", i);
 		phy->vbus = devm_regulator_get_optional(dev, name);
 		if (IS_ERR(phy->vbus)) {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 088/205] udf: Fix BUG on corrupted inode
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 087/205] phy: sun4i-usb: add support for missing USB PHY index Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 089/205] switchtec: Fix SWITCHTEC_IOCTL_EVENT_IDX_ALL flags overwrite Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anatoly Trosinenko, Jan Kara, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d288d95842f1503414b7eebce3773bac3390457e ]

When inode is corrupted so that extent type is invalid, some functions
(such as udf_truncate_extents()) will just BUG. Check that extent type
is valid when loading the inode to memory.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/udf/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 8dacf4f57414..28b9d7cca29b 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1357,6 +1357,12 @@ reread:
 
 	iinfo->i_alloc_type = le16_to_cpu(fe->icbTag.flags) &
 							ICBTAG_FLAG_AD_MASK;
+	if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_SHORT &&
+	    iinfo->i_alloc_type != ICBTAG_FLAG_AD_LONG &&
+	    iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB) {
+		ret = -EIO;
+		goto out;
+	}
 	iinfo->i_unique = 0;
 	iinfo->i_lenEAttr = 0;
 	iinfo->i_lenExtents = 0;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 089/205] switchtec: Fix SWITCHTEC_IOCTL_EVENT_IDX_ALL flags overwrite
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 088/205] udf: Fix BUG on corrupted inode Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 090/205] selftests/bpf: use __bpf_constant_htons in test_prog.c Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joey Zhang, Wesley Sheng,
	Bjorn Helgaas, Logan Gunthorpe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e4a7dca5de625018b29417ecc39dc5037d9a5a36 ]

In the ioctl_event_ctl() SWITCHTEC_IOCTL_EVENT_IDX_ALL case, we call
event_ctl() several times with the same "ctl" struct.  Each call clobbers
ctl.flags, which leads to the problem that we may not actually enable or
disable all events as the user requested.

Preserve the event flag value with a temporary variable.

Fixes: 52eabba5bcdb ("switchtec: Add IOCTLs to the Switchtec driver")
Signed-off-by: Joey Zhang <joey.zhang@microchip.com>
Signed-off-by: Wesley Sheng <wesley.sheng@microchip.com>
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/switch/switchtec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c
index 620f5b995a12..e3aefdafae89 100644
--- a/drivers/pci/switch/switchtec.c
+++ b/drivers/pci/switch/switchtec.c
@@ -1064,6 +1064,7 @@ static int ioctl_event_ctl(struct switchtec_dev *stdev,
 {
 	int ret;
 	int nr_idxs;
+	unsigned int event_flags;
 	struct switchtec_ioctl_event_ctl ctl;
 
 	if (copy_from_user(&ctl, uctl, sizeof(ctl)))
@@ -1085,7 +1086,9 @@ static int ioctl_event_ctl(struct switchtec_dev *stdev,
 		else
 			return -EINVAL;
 
+		event_flags = ctl.flags;
 		for (ctl.index = 0; ctl.index < nr_idxs; ctl.index++) {
+			ctl.flags = event_flags;
 			ret = event_ctl(stdev, &ctl);
 			if (ret < 0)
 				return ret;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 090/205] selftests/bpf: use __bpf_constant_htons in test_prog.c
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 089/205] switchtec: Fix SWITCHTEC_IOCTL_EVENT_IDX_ALL flags overwrite Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 091/205] ARM: pxa: avoid section mismatch warning Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislav Fomichev, Daniel Borkmann,
	Alexei Starovoitov, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a0517a0f7ef23550b4484c37e2b9c2d32abebf64 ]

For some reason, my older GCC (< 4.8) isn't smart enough to optimize the
!__builtin_constant_p() branch in bpf_htons, I see:
  error: implicit declaration of function '__builtin_bswap16'

Let's use __bpf_constant_htons as suggested by Daniel Borkmann.

I tried to use simple htons, but it produces the following:
  test_progs.c:54:17: error: braced-group within expression allowed only
  inside a function
    .eth.h_proto = htons(ETH_P_IP),

Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/test_progs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
index 11ee25cea227..1903fb4f45d8 100644
--- a/tools/testing/selftests/bpf/test_progs.c
+++ b/tools/testing/selftests/bpf/test_progs.c
@@ -43,10 +43,10 @@ static struct {
 	struct iphdr iph;
 	struct tcphdr tcp;
 } __packed pkt_v4 = {
-	.eth.h_proto = bpf_htons(ETH_P_IP),
+	.eth.h_proto = __bpf_constant_htons(ETH_P_IP),
 	.iph.ihl = 5,
 	.iph.protocol = 6,
-	.iph.tot_len = bpf_htons(MAGIC_BYTES),
+	.iph.tot_len = __bpf_constant_htons(MAGIC_BYTES),
 	.tcp.urg_ptr = 123,
 };
 
@@ -56,9 +56,9 @@ static struct {
 	struct ipv6hdr iph;
 	struct tcphdr tcp;
 } __packed pkt_v6 = {
-	.eth.h_proto = bpf_htons(ETH_P_IPV6),
+	.eth.h_proto = __bpf_constant_htons(ETH_P_IPV6),
 	.iph.nexthdr = 6,
-	.iph.payload_len = bpf_htons(MAGIC_BYTES),
+	.iph.payload_len = __bpf_constant_htons(MAGIC_BYTES),
 	.tcp.urg_ptr = 123,
 };
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 091/205] ARM: pxa: avoid section mismatch warning
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 090/205] selftests/bpf: use __bpf_constant_htons in test_prog.c Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 092/205] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Olof Johansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 88af3209aa0881aa5ffd99664b6080a4be5f24e5 ]

WARNING: vmlinux.o(.text+0x19f90): Section mismatch in reference from the function littleton_init_lcd() to the function .init.text:pxa_set_fb_info()
The function littleton_init_lcd() references
the function __init pxa_set_fb_info().
This is often because littleton_init_lcd lacks a __init
annotation or the annotation of pxa_set_fb_info is wrong.

WARNING: vmlinux.o(.text+0xf824): Section mismatch in reference from the function zeus_register_ohci() to the function .init.text:pxa_set_ohci_info()
The function zeus_register_ohci() references
the function __init pxa_set_ohci_info().
This is often because zeus_register_ohci lacks a __init
annotation or the annotation of pxa_set_ohci_info is wrong.

WARNING: vmlinux.o(.text+0xf95c): Section mismatch in reference from the function cm_x300_init_u2d() to the function .init.text:pxa3xx_set_u2d_info()
The function cm_x300_init_u2d() references
the function __init pxa3xx_set_u2d_info().
This is often because cm_x300_init_u2d lacks a __init
annotation or the annotation of pxa3xx_set_u2d_info is wrong.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-pxa/cm-x300.c   | 2 +-
 arch/arm/mach-pxa/littleton.c | 2 +-
 arch/arm/mach-pxa/zeus.c      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c
index 868448d2cd82..38ab30869821 100644
--- a/arch/arm/mach-pxa/cm-x300.c
+++ b/arch/arm/mach-pxa/cm-x300.c
@@ -547,7 +547,7 @@ static struct pxa3xx_u2d_platform_data cm_x300_u2d_platform_data = {
 	.exit		= cm_x300_u2d_exit,
 };
 
-static void cm_x300_init_u2d(void)
+static void __init cm_x300_init_u2d(void)
 {
 	pxa3xx_set_u2d_info(&cm_x300_u2d_platform_data);
 }
diff --git a/arch/arm/mach-pxa/littleton.c b/arch/arm/mach-pxa/littleton.c
index fae38fdc8d8e..5cd6b4bd31e0 100644
--- a/arch/arm/mach-pxa/littleton.c
+++ b/arch/arm/mach-pxa/littleton.c
@@ -183,7 +183,7 @@ static struct pxafb_mach_info littleton_lcd_info = {
 	.lcd_conn		= LCD_COLOR_TFT_16BPP,
 };
 
-static void littleton_init_lcd(void)
+static void __init littleton_init_lcd(void)
 {
 	pxa_set_fb_info(NULL, &littleton_lcd_info);
 }
diff --git a/arch/arm/mach-pxa/zeus.c b/arch/arm/mach-pxa/zeus.c
index ecbcaee5a2d5..c293ea0a7eaf 100644
--- a/arch/arm/mach-pxa/zeus.c
+++ b/arch/arm/mach-pxa/zeus.c
@@ -558,7 +558,7 @@ static struct pxaohci_platform_data zeus_ohci_platform_data = {
 	.flags		= ENABLE_PORT_ALL | POWER_SENSE_LOW,
 };
 
-static void zeus_register_ohci(void)
+static void __init zeus_register_ohci(void)
 {
 	/* Port 2 is shared between host and client interface. */
 	UP2OCR = UP2OCR_HXOE | UP2OCR_HXS | UP2OCR_DMPDE | UP2OCR_DPPDE;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 092/205] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 091/205] ARM: pxa: avoid section mismatch warning Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 093/205] ARM: mmp: fix timer_init calls Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Fabio Estevam,
	Shawn Guo, Mark Brown, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit add6883619a9e3bf9658eaff1a547354131bbcd9 ]

eukrea-tlv320.c machine driver runs on non-DT platforms
and include <asm/mach-types.h> header file in order to be able
to use some machine_is_eukrea_xxx() macros.

Building it for ARM64 causes the following build error:

sound/soc/fsl/eukrea-tlv320.c:28:10: fatal error: asm/mach-types.h: No such file or directory

Avoid this error by not allowing to build the SND_SOC_EUKREA_TLV320
driver when ARM64 is selected.

This is needed in preparation for the i.MX8M support.

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Acked-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/fsl/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig
index 37f9b6201918..4087deeda7cf 100644
--- a/sound/soc/fsl/Kconfig
+++ b/sound/soc/fsl/Kconfig
@@ -221,7 +221,7 @@ config SND_SOC_PHYCORE_AC97
 
 config SND_SOC_EUKREA_TLV320
 	tristate "Eukrea TLV320"
-	depends on ARCH_MXC && I2C
+	depends on ARCH_MXC && !ARM64 && I2C
 	select SND_SOC_TLV320AIC23_I2C
 	select SND_SOC_IMX_AUDMUX
 	select SND_SOC_IMX_SSI
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 093/205] ARM: mmp: fix timer_init calls
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 092/205] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 094/205] KVM: PPC: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv machines Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Olof Johansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 12d3a30db4a3b3df5fbadf5974b9cf50544a9950 ]

The change to passing the timer frequency as a function argument
was a good idea, but caused a build failure for one user that
was missed in the update:

arch/arm/mach-mmp/time.c: In function 'mmp_dt_init_timer':
arch/arm/mach-mmp/time.c:242:2: error: implicit declaration of function 'timer_init'; did you mean 'hrtimer_init'? [-Werror=implicit-function-declaration]

Change that as well to fix the build error, and rename the
function to put it into a proper namespace and make it clearer
what is actually going on.

I saw that the high 6500000 HZ frequency was previously only
set with CONFIG_MMP2, but is now also used with MMP (pxa910),
so I'm changing that back here. Please make sure that the
frequencies are all correct now.

Fixes: f36797ee4380 ("ARM: mmp/mmp2: dt: enable the clock")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-mmp/common.h | 2 +-
 arch/arm/mach-mmp/mmp2.c   | 2 +-
 arch/arm/mach-mmp/pxa168.c | 2 +-
 arch/arm/mach-mmp/pxa910.c | 2 +-
 arch/arm/mach-mmp/time.c   | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/arm/mach-mmp/common.h b/arch/arm/mach-mmp/common.h
index 5ac2851ef5d3..483b8b6d3005 100644
--- a/arch/arm/mach-mmp/common.h
+++ b/arch/arm/mach-mmp/common.h
@@ -2,7 +2,7 @@
 #include <linux/reboot.h>
 #define ARRAY_AND_SIZE(x)	(x), ARRAY_SIZE(x)
 
-extern void timer_init(int irq, unsigned long rate);
+extern void mmp_timer_init(int irq, unsigned long rate);
 
 extern void __init mmp_map_io(void);
 extern void mmp_restart(enum reboot_mode, const char *);
diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c
index fb3e7e32c882..726c1a642dea 100644
--- a/arch/arm/mach-mmp/mmp2.c
+++ b/arch/arm/mach-mmp/mmp2.c
@@ -134,7 +134,7 @@ void __init mmp2_timer_init(void)
 	clk_rst = APBC_APBCLK | APBC_FNCLK | APBC_FNCLKSEL(1);
 	__raw_writel(clk_rst, APBC_TIMERS);
 
-	timer_init(IRQ_MMP2_TIMER1, 6500000);
+	mmp_timer_init(IRQ_MMP2_TIMER1, 6500000);
 }
 
 /* on-chip devices */
diff --git a/arch/arm/mach-mmp/pxa168.c b/arch/arm/mach-mmp/pxa168.c
index 77a358165a56..cdcf65ace3f9 100644
--- a/arch/arm/mach-mmp/pxa168.c
+++ b/arch/arm/mach-mmp/pxa168.c
@@ -79,7 +79,7 @@ void __init pxa168_timer_init(void)
 	/* 3.25MHz, bus/functional clock enabled, release reset */
 	__raw_writel(TIMER_CLK_RST, APBC_TIMERS);
 
-	timer_init(IRQ_PXA168_TIMER1, 6500000);
+	mmp_timer_init(IRQ_PXA168_TIMER1, 3250000);
 }
 
 void pxa168_clear_keypad_wakeup(void)
diff --git a/arch/arm/mach-mmp/pxa910.c b/arch/arm/mach-mmp/pxa910.c
index 1ccbba9ac495..d30a7d12bc98 100644
--- a/arch/arm/mach-mmp/pxa910.c
+++ b/arch/arm/mach-mmp/pxa910.c
@@ -116,7 +116,7 @@ void __init pxa910_timer_init(void)
 	__raw_writel(APBC_APBCLK | APBC_RST, APBC_TIMERS);
 	__raw_writel(TIMER_CLK_RST, APBC_TIMERS);
 
-	timer_init(IRQ_PXA910_AP1_TIMER1);
+	mmp_timer_init(IRQ_PXA910_AP1_TIMER1, 3250000);
 }
 
 /* on-chip devices */
diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c
index eab0fd8a7343..f9c295154b94 100644
--- a/arch/arm/mach-mmp/time.c
+++ b/arch/arm/mach-mmp/time.c
@@ -184,7 +184,7 @@ static struct irqaction timer_irq = {
 	.dev_id		= &ckevt,
 };
 
-void __init timer_init(int irq, unsigned long rate)
+void __init mmp_timer_init(int irq, unsigned long rate)
 {
 	timer_config();
 
@@ -239,7 +239,7 @@ void __init mmp_dt_init_timer(void)
 		ret = -ENOMEM;
 		goto out;
 	}
-	timer_init(irq, rate);
+	mmp_timer_init(irq, rate);
 	return;
 out:
 	pr_err("Failed to get timer from device tree with error:%d\n", ret);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 094/205] KVM: PPC: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv machines
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 093/205] ARM: mmp: fix timer_init calls Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 095/205] mmc: bcm2835: Recover from MMC_SEND_EXT_CSD Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suraj Jitindar Singh, Paul Mackerras,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 693ac10a88a2219bde553b2e8460dbec97e594e6 ]

The kvm capability KVM_CAP_SPAPR_TCE_VFIO is used to indicate the
availability of in kernel tce acceleration for vfio. However it is
currently the case that this is only available on a powernv machine,
not for a pseries machine.

Thus make this capability dependent on having the cpu feature
CPU_FTR_HVMODE.

[paulus@ozlabs.org - fixed compilation for Book E.]

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kvm/powerpc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
index ecb45361095b..a35995a6b34a 100644
--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -540,8 +540,11 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
 #ifdef CONFIG_PPC_BOOK3S_64
 	case KVM_CAP_SPAPR_TCE:
 	case KVM_CAP_SPAPR_TCE_64:
-		/* fallthrough */
+		r = 1;
+		break;
 	case KVM_CAP_SPAPR_TCE_VFIO:
+		r = !!cpu_has_feature(CPU_FTR_HVMODE);
+		break;
 	case KVM_CAP_PPC_RTAS:
 	case KVM_CAP_PPC_FIXUP_HCALL:
 	case KVM_CAP_PPC_ENABLE_HCALL:
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 095/205] mmc: bcm2835: Recover from MMC_SEND_EXT_CSD
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 094/205] KVM: PPC: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv machines Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 096/205] mmc: bcm2835: reset host on timeout Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Elwell, Stefan Wahren,
	Eric Anholt, Ulf Hansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 07d405769afea5718529fc9e341f0b13b3189b6f ]

If the user issues an "mmc extcsd read", the SD controller receives
what it thinks is a SEND_IF_COND command with an unexpected data block.
The resulting operations leave the FSM stuck in READWAIT, a state which
persists until the MMC framework resets the controller, by which point
the root filesystem is likely to have been unmounted.

A less heavyweight solution is to detect the condition and nudge the
FSM by asserting the (self-clearing) FORCE_DATA_MODE bit.

Link: https://github.com/raspberrypi/linux/issues/2728
Signed-off-by: Phil Elwell <phil@raspberrypi.org>
Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/bcm2835.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/mmc/host/bcm2835.c b/drivers/mmc/host/bcm2835.c
index 0d3b7473bc21..abf1f3c8b0c3 100644
--- a/drivers/mmc/host/bcm2835.c
+++ b/drivers/mmc/host/bcm2835.c
@@ -772,6 +772,8 @@ static void bcm2835_finish_command(struct bcm2835_host *host)
 
 		if (!(sdhsts & SDHSTS_CRC7_ERROR) ||
 		    (host->cmd->opcode != MMC_SEND_OP_COND)) {
+			u32 edm, fsm;
+
 			if (sdhsts & SDHSTS_CMD_TIME_OUT) {
 				host->cmd->error = -ETIMEDOUT;
 			} else {
@@ -780,6 +782,13 @@ static void bcm2835_finish_command(struct bcm2835_host *host)
 				bcm2835_dumpregs(host);
 				host->cmd->error = -EILSEQ;
 			}
+			edm = readl(host->ioaddr + SDEDM);
+			fsm = edm & SDEDM_FSM_MASK;
+			if (fsm == SDEDM_FSM_READWAIT ||
+			    fsm == SDEDM_FSM_WRITESTART1)
+				/* Kick the FSM out of its wait */
+				writel(edm | SDEDM_FORCE_DATA_MODE,
+				       host->ioaddr + SDEDM);
 			bcm2835_finish_request(host);
 			return;
 		}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 096/205] mmc: bcm2835: reset host on timeout
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 095/205] mmc: bcm2835: Recover from MMC_SEND_EXT_CSD Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 097/205] memstick: Prevent memstick host from getting runtime suspended during card detection Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Suchanek, Stefan Wahren,
	Eric Anholt, Ulf Hansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit f6000a4eb34e6462bc0dd39809c1bb99f9633269 ]

The bcm2835 mmc host tends to lock up for unknown reason so reset it on
timeout. The upper mmc block layer tries retransimitting with single
blocks which tends to work out after a long wait.

This is better than giving up and leaving the machine broken for no
obvious reason.

Fixes: 660fc733bd74 ("mmc: bcm2835: Add new driver for the sdhost controller.")
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/bcm2835.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mmc/host/bcm2835.c b/drivers/mmc/host/bcm2835.c
index abf1f3c8b0c3..5301302fb531 100644
--- a/drivers/mmc/host/bcm2835.c
+++ b/drivers/mmc/host/bcm2835.c
@@ -286,6 +286,7 @@ static void bcm2835_reset(struct mmc_host *mmc)
 
 	if (host->dma_chan)
 		dmaengine_terminate_sync(host->dma_chan);
+	host->dma_chan = NULL;
 	bcm2835_reset_internal(host);
 }
 
@@ -846,6 +847,8 @@ static void bcm2835_timeout(struct work_struct *work)
 		dev_err(dev, "timeout waiting for hardware interrupt.\n");
 		bcm2835_dumpregs(host);
 
+		bcm2835_reset(host->mmc);
+
 		if (host->data) {
 			host->data->error = -ETIMEDOUT;
 			bcm2835_finish_data(host);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 097/205] memstick: Prevent memstick host from getting runtime suspended during card detection
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 096/205] mmc: bcm2835: reset host on timeout Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 098/205] mmc: sdhci-of-esdhc: Fix timeout checks Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Oleksandr Natalenko,
	Ulf Hansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e03e303edf1c63e6dd455ccd568c74e93ef3ba8c ]

We can use MEMSTICK_POWER_{ON,OFF} along with pm_runtime_{get,put}
helpers to let memstick host support runtime pm.

The rpm count may go down to zero before the memstick host powers on, so
the host can be runtime suspended.

So before doing card detection, increment the rpm count to avoid the
host gets runtime suspended. Balance the rpm count after card detection
is done.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/memstick/core/memstick.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c
index 76382c858c35..1246d69ba187 100644
--- a/drivers/memstick/core/memstick.c
+++ b/drivers/memstick/core/memstick.c
@@ -18,6 +18,7 @@
 #include <linux/delay.h>
 #include <linux/slab.h>
 #include <linux/module.h>
+#include <linux/pm_runtime.h>
 
 #define DRIVER_NAME "memstick"
 
@@ -436,6 +437,7 @@ static void memstick_check(struct work_struct *work)
 	struct memstick_dev *card;
 
 	dev_dbg(&host->dev, "memstick_check started\n");
+	pm_runtime_get_noresume(host->dev.parent);
 	mutex_lock(&host->lock);
 	if (!host->card) {
 		if (memstick_power_on(host))
@@ -479,6 +481,7 @@ out_power_off:
 		host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF);
 
 	mutex_unlock(&host->lock);
+	pm_runtime_put(host->dev.parent);
 	dev_dbg(&host->dev, "memstick_check finished\n");
 }
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 098/205] mmc: sdhci-of-esdhc: Fix timeout checks
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 097/205] memstick: Prevent memstick host from getting runtime suspended during card detection Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 099/205] mmc: sdhci-xenon: " Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Yangbo Lu,
	Ulf Hansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ea6d027312111c6d96309ad1a684b33cb37e6764 ]

Always check the wait condition before returning timeout.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Yangbo Lu <yangbo.lu@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/sdhci-of-esdhc.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
index 8332f56e6c0d..7b7d077e40fd 100644
--- a/drivers/mmc/host/sdhci-of-esdhc.c
+++ b/drivers/mmc/host/sdhci-of-esdhc.c
@@ -481,8 +481,12 @@ static void esdhc_clock_enable(struct sdhci_host *host, bool enable)
 	/* Wait max 20 ms */
 	timeout = ktime_add_ms(ktime_get(), 20);
 	val = ESDHC_CLOCK_STABLE;
-	while (!(sdhci_readl(host, ESDHC_PRSSTAT) & val)) {
-		if (ktime_after(ktime_get(), timeout)) {
+	while  (1) {
+		bool timedout = ktime_after(ktime_get(), timeout);
+
+		if (sdhci_readl(host, ESDHC_PRSSTAT) & val)
+			break;
+		if (timedout) {
 			pr_err("%s: Internal clock never stabilised.\n",
 				mmc_hostname(host->mmc));
 			break;
@@ -558,8 +562,12 @@ static void esdhc_of_set_clock(struct sdhci_host *host, unsigned int clock)
 
 	/* Wait max 20 ms */
 	timeout = ktime_add_ms(ktime_get(), 20);
-	while (!(sdhci_readl(host, ESDHC_PRSSTAT) & ESDHC_CLOCK_STABLE)) {
-		if (ktime_after(ktime_get(), timeout)) {
+	while (1) {
+		bool timedout = ktime_after(ktime_get(), timeout);
+
+		if (sdhci_readl(host, ESDHC_PRSSTAT) & ESDHC_CLOCK_STABLE)
+			break;
+		if (timedout) {
 			pr_err("%s: Internal clock never stabilised.\n",
 				mmc_hostname(host->mmc));
 			return;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 099/205] mmc: sdhci-xenon: Fix timeout checks
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 098/205] mmc: sdhci-of-esdhc: Fix timeout checks Greg Kroah-Hartman
@ 2019-02-11 14:18 ` " Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 100/205] tty: serial: samsung: Properly set flags in autoCTS mode Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Zhoujie Wu,
	Ulf Hansson, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0e6e7c2ff397e1bbebc882ca3132148aaaef1ddd ]

Always check the wait condition before returning timeout.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Zhoujie Wu <zjwu@marvell.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/sdhci-xenon-phy.c | 10 +++++++---
 drivers/mmc/host/sdhci-xenon.c     | 10 +++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/mmc/host/sdhci-xenon-phy.c b/drivers/mmc/host/sdhci-xenon-phy.c
index ec8794335241..82051f2b7191 100644
--- a/drivers/mmc/host/sdhci-xenon-phy.c
+++ b/drivers/mmc/host/sdhci-xenon-phy.c
@@ -357,9 +357,13 @@ static int xenon_emmc_phy_enable_dll(struct sdhci_host *host)
 
 	/* Wait max 32 ms */
 	timeout = ktime_add_ms(ktime_get(), 32);
-	while (!(sdhci_readw(host, XENON_SLOT_EXT_PRESENT_STATE) &
-		XENON_DLL_LOCK_STATE)) {
-		if (ktime_after(ktime_get(), timeout)) {
+	while (1) {
+		bool timedout = ktime_after(ktime_get(), timeout);
+
+		if (sdhci_readw(host, XENON_SLOT_EXT_PRESENT_STATE) &
+		    XENON_DLL_LOCK_STATE)
+			break;
+		if (timedout) {
 			dev_err(mmc_dev(host->mmc), "Wait for DLL Lock time-out\n");
 			return -ETIMEDOUT;
 		}
diff --git a/drivers/mmc/host/sdhci-xenon.c b/drivers/mmc/host/sdhci-xenon.c
index 4d0791f6ec23..a0b5089b3274 100644
--- a/drivers/mmc/host/sdhci-xenon.c
+++ b/drivers/mmc/host/sdhci-xenon.c
@@ -34,9 +34,13 @@ static int xenon_enable_internal_clk(struct sdhci_host *host)
 	sdhci_writel(host, reg, SDHCI_CLOCK_CONTROL);
 	/* Wait max 20 ms */
 	timeout = ktime_add_ms(ktime_get(), 20);
-	while (!((reg = sdhci_readw(host, SDHCI_CLOCK_CONTROL))
-			& SDHCI_CLOCK_INT_STABLE)) {
-		if (ktime_after(ktime_get(), timeout)) {
+	while (1) {
+		bool timedout = ktime_after(ktime_get(), timeout);
+
+		reg = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
+		if (reg & SDHCI_CLOCK_INT_STABLE)
+			break;
+		if (timedout) {
 			dev_err(mmc_dev(host->mmc), "Internal clock never stabilised.\n");
 			return -ETIMEDOUT;
 		}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 100/205] tty: serial: samsung: Properly set flags in autoCTS mode
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 099/205] mmc: sdhci-xenon: " Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 101/205] perf test: Fix perf_event_attr test failure Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Beomho Seo, Marek Szyprowski, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 31e933645742ee6719d37573a27cce0761dcf92b ]

Commit 391f93f2ec9f ("serial: core: Rework hw-assited flow control support")
has changed the way the autoCTS mode is handled.

According to that change, serial drivers which enable H/W autoCTS mode must
set UPSTAT_AUTOCTS to prevent the serial core from inadvertently disabling
TX. This patch adds proper handling of UPSTAT_AUTOCTS flag.

Signed-off-by: Beomho Seo <beomho.seo@samsung.com>
[mszyprow: rephrased commit message]
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/samsung.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index 57baa84ccf86..f4b8e4e17a86 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -1343,11 +1343,14 @@ static void s3c24xx_serial_set_termios(struct uart_port *port,
 	wr_regl(port, S3C2410_ULCON, ulcon);
 	wr_regl(port, S3C2410_UBRDIV, quot);
 
+	port->status &= ~UPSTAT_AUTOCTS;
+
 	umcon = rd_regl(port, S3C2410_UMCON);
 	if (termios->c_cflag & CRTSCTS) {
 		umcon |= S3C2410_UMCOM_AFC;
 		/* Disable RTS when RX FIFO contains 63 bytes */
 		umcon &= ~S3C2412_UMCON_AFC_8;
+		port->status = UPSTAT_AUTOCTS;
 	} else {
 		umcon &= ~S3C2410_UMCOM_AFC;
 	}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 101/205] perf test: Fix perf_event_attr test failure
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 100/205] tty: serial: samsung: Properly set flags in autoCTS mode Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 102/205] perf header: Fix unchecked usage of strncpy() Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 741dad88dde296999da30332157ca47f0543747d ]

Fix inconsistent use of tabs and spaces error:

  # perf test 16 -v
  16: Setup struct perf_event_attr                          :
  --- start ---
  test child forked, pid 20224
    File "/usr/libexec/perf-core/tests/attr.py", line 119
      log.warning("expected %s=%s, got %s" % (t, self[t], other[t]))
                                                                 ^
  TabError: inconsistent use of tabs and spaces in indentation
  test child finished with -1
  ---- end ----
  Setup struct perf_event_attr: FAILED!

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Link: http://lkml.kernel.org/r/20181122140456.16817-1-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/tests/attr.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/tests/attr.py b/tools/perf/tests/attr.py
index ff9b60b99f52..44090a9a19f3 100644
--- a/tools/perf/tests/attr.py
+++ b/tools/perf/tests/attr.py
@@ -116,7 +116,7 @@ class Event(dict):
             if not self.has_key(t) or not other.has_key(t):
                 continue
             if not data_equal(self[t], other[t]):
-		log.warning("expected %s=%s, got %s" % (t, self[t], other[t]))
+                log.warning("expected %s=%s, got %s" % (t, self[t], other[t]))
 
 # Test file description needs to have following sections:
 # [config]
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 102/205] perf header: Fix unchecked usage of strncpy()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 101/205] perf test: Fix perf_event_attr test failure Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 103/205] perf probe: " Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Namhyung Kim, Arnaldo Carvalho de Melo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 7572588085a13d5db02bf159542189f52fdb507e ]

The strncpy() function may leave the destination string buffer
unterminated, better use strlcpy() that we have a __weak fallback
implementation for systems without it.

This fixes this warning on an Alpine Linux Edge system with gcc 8.2:

  util/header.c: In function 'perf_event__synthesize_event_update_unit':
  util/header.c:3586:2: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
    strncpy(ev->data, evsel->unit, size);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  util/header.c:3579:16: note: length computed here
    size_t size = strlen(evsel->unit);
                  ^~~~~~~~~~~~~~~~~~~

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Fixes: a6e5281780d1 ("perf tools: Add event_update event unit type")
Link: https://lkml.kernel.org/n/tip-fiikh5nay70bv4zskw2aa858@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/header.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 1ceb332575bd..696f2654826b 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -3132,7 +3132,7 @@ perf_event__synthesize_event_update_unit(struct perf_tool *tool,
 	if (ev == NULL)
 		return -ENOMEM;
 
-	strncpy(ev->data, evsel->unit, size);
+	strlcpy(ev->data, evsel->unit, size + 1);
 	err = process(tool, (union perf_event *)ev, NULL, NULL);
 	free(ev);
 	return err;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 103/205] perf probe: Fix unchecked usage of strncpy()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 102/205] perf header: Fix unchecked usage of strncpy() Greg Kroah-Hartman
@ 2019-02-11 14:18 ` " Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 104/205] KVM: s390: unregister debug feature on failing arch init Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Masami Hiramatsu, Namhyung Kim, Arnaldo Carvalho de Melo,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit bef0b8970f27da5ca223e522a174d03e2587761d ]

The strncpy() function may leave the destination string buffer
unterminated, better use strlcpy() that we have a __weak fallback
implementation for systems without it.

In this case the 'target' buffer is coming from a list of build-ids that
are expected to have a len of at most (SBUILD_ID_SIZE - 1) chars, so
probably we're safe, but since we're using strncpy() here, use strlcpy()
instead to provide the intended safety checking without the using the
problematic strncpy() function.

This fixes this warning on an Alpine Linux Edge system with gcc 8.2:

  util/probe-file.c: In function 'probe_cache__open.isra.5':
  util/probe-file.c:427:3: error: 'strncpy' specified bound 41 equals destination size [-Werror=stringop-truncation]
     strncpy(sbuildid, target, SBUILD_ID_SIZE);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  cc1: all warnings being treated as errors

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Fixes: 1f3736c9c833 ("perf probe: Show all cached probes")
Link: https://lkml.kernel.org/n/tip-l7n8ggc9kl38qtdlouke5yp5@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/probe-file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
index cdf8d83a484c..6ab9230ce8ee 100644
--- a/tools/perf/util/probe-file.c
+++ b/tools/perf/util/probe-file.c
@@ -424,7 +424,7 @@ static int probe_cache__open(struct probe_cache *pcache, const char *target,
 
 	if (target && build_id_cache__cached(target)) {
 		/* This is a cached buildid */
-		strncpy(sbuildid, target, SBUILD_ID_SIZE);
+		strlcpy(sbuildid, target, SBUILD_ID_SIZE);
 		dir_name = build_id_cache__linkname(sbuildid, NULL, 0);
 		goto found;
 	}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 104/205] KVM: s390: unregister debug feature on failing arch init
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 103/205] perf probe: " Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 105/205] arm64: KVM: Skip MMIO insn after emulation Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Mueller, Cornelia Huck,
	Pierre Morel, David Hildenbrand, Christian Borntraeger,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 308c3e6673b012beecb96ef04cc65f4a0e7cdd99 ]

Make sure the debug feature and its allocated resources get
released upon unsuccessful architecture initialization.

A related indication of the issue will be reported as kernel
message.

Signed-off-by: Michael Mueller <mimu@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Message-Id: <20181130143215.69496-2-mimu@linux.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/kvm/kvm-s390.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 4f6adbea592b..f674a81c8868 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -361,19 +361,30 @@ static void kvm_s390_cpu_feat_init(void)
 
 int kvm_arch_init(void *opaque)
 {
+	int rc;
+
 	kvm_s390_dbf = debug_register("kvm-trace", 32, 1, 7 * sizeof(long));
 	if (!kvm_s390_dbf)
 		return -ENOMEM;
 
 	if (debug_register_view(kvm_s390_dbf, &debug_sprintf_view)) {
-		debug_unregister(kvm_s390_dbf);
-		return -ENOMEM;
+		rc = -ENOMEM;
+		goto out_debug_unreg;
 	}
 
 	kvm_s390_cpu_feat_init();
 
 	/* Register floating interrupt controller interface. */
-	return kvm_register_device_ops(&kvm_flic_ops, KVM_DEV_TYPE_FLIC);
+	rc = kvm_register_device_ops(&kvm_flic_ops, KVM_DEV_TYPE_FLIC);
+	if (rc) {
+		pr_err("Failed to register FLIC rc=%d\n", rc);
+		goto out_debug_unreg;
+	}
+	return 0;
+
+out_debug_unreg:
+	debug_unregister(kvm_s390_dbf);
+	return rc;
 }
 
 void kvm_arch_exit(void)
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 105/205] arm64: KVM: Skip MMIO insn after emulation
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 104/205] KVM: s390: unregister debug feature on failing arch init Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 106/205] usb: musb: dsps: fix otg state machine Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Maydell, Alex Bennée,
	Christoffer Dall, Mark Rutland, Marc Zyngier, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0d640732dbebed0f10f18526de21652931f0b2f2 ]

When we emulate an MMIO instruction, we advance the CPU state within
decode_hsr(), before emulating the instruction effects.

Having this logic in decode_hsr() is opaque, and advancing the state
before emulation is problematic. It gets in the way of applying
consistent single-step logic, and it prevents us from being able to fail
an MMIO instruction with a synchronous exception.

Clean this up by only advancing the CPU state *after* the effects of the
instruction are emulated.

Cc: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 virt/kvm/arm/mmio.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
index dac7ceb1a677..08443a15e6be 100644
--- a/virt/kvm/arm/mmio.c
+++ b/virt/kvm/arm/mmio.c
@@ -117,6 +117,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
 		vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
 	}
 
+	/*
+	 * The MMIO instruction is emulated and should not be re-executed
+	 * in the guest.
+	 */
+	kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
+
 	return 0;
 }
 
@@ -144,11 +150,6 @@ static int decode_hsr(struct kvm_vcpu *vcpu, bool *is_write, int *len)
 	vcpu->arch.mmio_decode.sign_extend = sign_extend;
 	vcpu->arch.mmio_decode.rt = rt;
 
-	/*
-	 * The MMIO instruction is emulated and should not be re-executed
-	 * in the guest.
-	 */
-	kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
 	return 0;
 }
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 106/205] usb: musb: dsps: fix otg state machine
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 105/205] arm64: KVM: Skip MMIO insn after emulation Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 107/205] percpu: convert spin_lock_irq to spin_lock_irqsave Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bin Liu, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6010abf2c2c0e382d7e8ee44bd11f343aae90cce ]

Due to lack of ID pin interrupt event on AM335x devices, the musb dsps
driver uses polling to detect usb device attach for dual-role port.

But in the case if a micro-A cable adapter is attached without a USB device
attached to the cable, the musb state machine gets stuck in a_wait_vrise
state waiting for the MUSB_CONNECT interrupt which won't happen due to the
usb device is not attached. The state is stuck in a_wait_vrise even after
the micro-A cable is detached, which could cause VBUS retention if then the
dual-role port is attached to a host port.

To fix the problem, make a_wait_vrise as a transient state, then move the
state to either a_wait_bcon for host port or a_idle state for dual-role
port, if no usb device is attached to the port.

Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/musb/musb_dsps.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/musb/musb_dsps.c b/drivers/usb/musb/musb_dsps.c
index dbb482b7e0ba..b7d460adaa61 100644
--- a/drivers/usb/musb/musb_dsps.c
+++ b/drivers/usb/musb/musb_dsps.c
@@ -242,8 +242,13 @@ static int dsps_check_status(struct musb *musb, void *unused)
 
 	switch (musb->xceiv->otg->state) {
 	case OTG_STATE_A_WAIT_VRISE:
-		dsps_mod_timer_optional(glue);
-		break;
+		if (musb->port_mode == MUSB_HOST) {
+			musb->xceiv->otg->state = OTG_STATE_A_WAIT_BCON;
+			dsps_mod_timer_optional(glue);
+			break;
+		}
+		/* fall through */
+
 	case OTG_STATE_A_WAIT_BCON:
 		/* keep VBUS on for host-only mode */
 		if (musb->port_mode == MUSB_PORT_MODE_HOST) {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 107/205] percpu: convert spin_lock_irq to spin_lock_irqsave.
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 106/205] usb: musb: dsps: fix otg state machine Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 108/205] powerpc/uaccess: fix warning/error with access_ok() Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Dennis Zhou, Sasha Levin,
	Michael Cree

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6ab7d47bcbf0144a8cb81536c2cead4cde18acfe ]

>From Michael Cree:
  "Bisection lead to commit b38d08f3181c ("percpu: restructure
   locking") as being the cause of lockups at initial boot on
   the kernel built for generic Alpha.

   On a suggestion by Tejun Heo that:

   So, the only thing I can think of is that it's calling
   spin_unlock_irq() while irq handling isn't set up yet.
   Can you please try the followings?

   1. Convert all spin_[un]lock_irq() to
      spin_lock_irqsave/unlock_irqrestore()."

Fixes: b38d08f3181c ("percpu: restructure locking")
Reported-and-tested-by: Michael Cree <mcree@orcon.net.nz>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Dennis Zhou <dennis@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/percpu-km.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/percpu-km.c b/mm/percpu-km.c
index 0d88d7bd5706..c22d959105b6 100644
--- a/mm/percpu-km.c
+++ b/mm/percpu-km.c
@@ -50,6 +50,7 @@ static struct pcpu_chunk *pcpu_create_chunk(gfp_t gfp)
 	const int nr_pages = pcpu_group_sizes[0] >> PAGE_SHIFT;
 	struct pcpu_chunk *chunk;
 	struct page *pages;
+	unsigned long flags;
 	int i;
 
 	chunk = pcpu_alloc_chunk(gfp);
@@ -68,9 +69,9 @@ static struct pcpu_chunk *pcpu_create_chunk(gfp_t gfp)
 	chunk->data = pages;
 	chunk->base_addr = page_address(pages) - pcpu_group_offsets[0];
 
-	spin_lock_irq(&pcpu_lock);
+	spin_lock_irqsave(&pcpu_lock, flags);
 	pcpu_chunk_populated(chunk, 0, nr_pages, false);
-	spin_unlock_irq(&pcpu_lock);
+	spin_unlock_irqrestore(&pcpu_lock, flags);
 
 	pcpu_stats_chunk_alloc();
 	trace_percpu_create_chunk(chunk->base_addr);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 108/205] powerpc/uaccess: fix warning/error with access_ok()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 107/205] percpu: convert spin_lock_irq to spin_lock_irqsave Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 109/205] mac80211: fix radiotap vendor presence bitmap handling Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Michael Ellerman,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 05a4ab823983d9136a460b7b5e0d49ee709a6f86 ]

With the following piece of code, the following compilation warning
is encountered:

	if (_IOC_DIR(ioc) != _IOC_NONE) {
		int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ;

		if (!access_ok(verify, ioarg, _IOC_SIZE(ioc))) {

drivers/platform/test/dev.c: In function 'my_ioctl':
drivers/platform/test/dev.c:219:7: warning: unused variable 'verify' [-Wunused-variable]
   int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ;

This patch fixes it by referencing 'type' in the macro allthough
doing nothing with it.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 565cead12be2..cf26e62b268d 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -54,7 +54,7 @@
 #endif
 
 #define access_ok(type, addr, size)		\
-	(__chk_user_ptr(addr),			\
+	(__chk_user_ptr(addr), (void)(type),		\
 	 __access_ok((__force unsigned long)(addr), (size), get_fs()))
 
 /*
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 109/205] mac80211: fix radiotap vendor presence bitmap handling
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 108/205] powerpc/uaccess: fix warning/error with access_ok() Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 110/205] xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Luca Coelho, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit efc38dd7d5fa5c8cdd0c917c5d00947aa0539443 ]

Due to the alignment handling, it actually matters where in the code
we add the 4 bytes for the presence bitmap to the length; the first
field is the timestamp with 8 byte alignment so we need to add the
space for the extra vendor namespace presence bitmap *before* we do
any alignment for the fields.

Move the presence bitmap length accounting to the right place to fix
the alignment for the data properly.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/rx.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 9e19ddbcb06e..c7ac1a480b1d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -141,6 +141,9 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
 	/* allocate extra bitmaps */
 	if (status->chains)
 		len += 4 * hweight8(status->chains);
+	/* vendor presence bitmap */
+	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)
+		len += 4;
 
 	if (ieee80211_have_rx_timestamp(status)) {
 		len = ALIGN(len, 8);
@@ -182,8 +185,6 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
 	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 		struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;
 
-		/* vendor presence bitmap */
-		len += 4;
 		/* alignment for fixed 6-byte vendor data header */
 		len = ALIGN(len, 2);
 		/* vendor data header */
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 110/205] xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 109/205] mac80211: fix radiotap vendor presence bitmap handling Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 111/205] Bluetooth: Fix unnecessary error message for HCI request completion Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, Steffen Klassert, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit fa89a4593b927b3f59c3b69379f31d3b22272e4e ]

gcc warn this:

net/ipv6/xfrm6_tunnel.c:143 __xfrm6_tunnel_alloc_spi() warn:
 always true condition '(spi <= 4294967295) => (0-u32max <= u32max)'

'spi' is u32, which always not greater than XFRM6_TUNNEL_SPI_MAX
because of wrap around. So the second forloop will never reach.

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/xfrm6_tunnel.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 4e438bc7ee87..c28e3eaad7c2 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -144,6 +144,9 @@ static u32 __xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr)
 		index = __xfrm6_tunnel_spi_check(net, spi);
 		if (index >= 0)
 			goto alloc_spi;
+
+		if (spi == XFRM6_TUNNEL_SPI_MAX)
+			break;
 	}
 	for (spi = XFRM6_TUNNEL_SPI_MIN; spi < xfrm6_tn->spi; spi++) {
 		index = __xfrm6_tunnel_spi_check(net, spi);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 111/205] Bluetooth: Fix unnecessary error message for HCI request completion
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 110/205] xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 112/205] mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hedberg,
	Luiz Augusto von Dentz, Marcel Holtmann, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1629db9c75342325868243d6bca5853017d91cf8 ]

In case a command which completes in Command Status was sent using the
hci_cmd_send-family of APIs there would be a misleading error in the
hci_get_cmd_complete function, since the code would be trying to fetch
the Command Complete parameters when there are none.

Avoid the misleading error and silently bail out from the function in
case the received event is a command status.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_event.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 01f211e31f47..363dc85bbc5c 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5212,6 +5212,12 @@ static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
 		return true;
 	}
 
+	/* Check if request ended in Command Status - no way to retreive
+	 * any extra parameters in this case.
+	 */
+	if (hdr->evt == HCI_EV_CMD_STATUS)
+		return false;
+
 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
 		BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
 		return false;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 112/205] mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 111/205] Bluetooth: Fix unnecessary error message for HCI request completion Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 113/205] scsi: smartpqi: correct host serial num for ssa Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Petr Machata,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit be2d6f421f680e01d58f7cd452646e0d8586d49b ]

When a LAG device or a VLAN device on top of it is enslaved to a bridge,
the driver propagates the CHANGEUPPER event to the LAG's slaves.

This causes each physical port to increase the reference count of the
internal representation of the bridge port by calling
mlxsw_sp_port_bridge_join().

However, when a port is removed from a LAG, the corresponding leave()
function is not called and the reference count is not decremented. This
leads to ugly hacks such as mlxsw_sp_bridge_port_should_destroy() that
try to understand if the bridge port should be destroyed even when its
reference count is not 0.

Instead, make sure that when a port is unlinked from a LAG it would see
the same events as if the LAG (or its uppers) were unlinked from a
bridge.

The above is achieved by walking the LAG's uppers when a port is
unlinked and calling mlxsw_sp_port_bridge_leave() for each upper that is
enslaved to a bridge.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/mellanox/mlxsw/spectrum.c    | 23 ++++++++++++++++
 .../mellanox/mlxsw/spectrum_switchdev.c       | 27 +------------------
 2 files changed, 24 insertions(+), 26 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
index cf65b2ee8b95..7892e6b8d2e8 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
@@ -3907,6 +3907,25 @@ void mlxsw_sp_port_dev_put(struct mlxsw_sp_port *mlxsw_sp_port)
 	dev_put(mlxsw_sp_port->dev);
 }
 
+static void
+mlxsw_sp_port_lag_uppers_cleanup(struct mlxsw_sp_port *mlxsw_sp_port,
+				 struct net_device *lag_dev)
+{
+	struct net_device *br_dev = netdev_master_upper_dev_get(lag_dev);
+	struct net_device *upper_dev;
+	struct list_head *iter;
+
+	if (netif_is_bridge_port(lag_dev))
+		mlxsw_sp_port_bridge_leave(mlxsw_sp_port, lag_dev, br_dev);
+
+	netdev_for_each_upper_dev_rcu(lag_dev, upper_dev, iter) {
+		if (!netif_is_bridge_port(upper_dev))
+			continue;
+		br_dev = netdev_master_upper_dev_get(upper_dev);
+		mlxsw_sp_port_bridge_leave(mlxsw_sp_port, upper_dev, br_dev);
+	}
+}
+
 static int mlxsw_sp_lag_create(struct mlxsw_sp *mlxsw_sp, u16 lag_id)
 {
 	char sldr_pl[MLXSW_REG_SLDR_LEN];
@@ -4094,6 +4113,10 @@ static void mlxsw_sp_port_lag_leave(struct mlxsw_sp_port *mlxsw_sp_port,
 
 	/* Any VLANs configured on the port are no longer valid */
 	mlxsw_sp_port_vlan_flush(mlxsw_sp_port);
+	/* Make the LAG and its directly linked uppers leave bridges they
+	 * are memeber in
+	 */
+	mlxsw_sp_port_lag_uppers_cleanup(mlxsw_sp_port, lag_dev);
 
 	if (lag->ref_count == 1)
 		mlxsw_sp_lag_destroy(mlxsw_sp, lag_id);
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
index 9052e93e1925..f33fb95c4189 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
@@ -291,30 +291,6 @@ mlxsw_sp_bridge_port_destroy(struct mlxsw_sp_bridge_port *bridge_port)
 	kfree(bridge_port);
 }
 
-static bool
-mlxsw_sp_bridge_port_should_destroy(const struct mlxsw_sp_bridge_port *
-				    bridge_port)
-{
-	struct net_device *dev = bridge_port->dev;
-	struct mlxsw_sp *mlxsw_sp;
-
-	if (is_vlan_dev(dev))
-		mlxsw_sp = mlxsw_sp_lower_get(vlan_dev_real_dev(dev));
-	else
-		mlxsw_sp = mlxsw_sp_lower_get(dev);
-
-	/* In case ports were pulled from out of a bridged LAG, then
-	 * it's possible the reference count isn't zero, yet the bridge
-	 * port should be destroyed, as it's no longer an upper of ours.
-	 */
-	if (!mlxsw_sp && list_empty(&bridge_port->vlans_list))
-		return true;
-	else if (bridge_port->ref_count == 0)
-		return true;
-	else
-		return false;
-}
-
 static struct mlxsw_sp_bridge_port *
 mlxsw_sp_bridge_port_get(struct mlxsw_sp_bridge *bridge,
 			 struct net_device *brport_dev)
@@ -352,8 +328,7 @@ static void mlxsw_sp_bridge_port_put(struct mlxsw_sp_bridge *bridge,
 {
 	struct mlxsw_sp_bridge_device *bridge_device;
 
-	bridge_port->ref_count--;
-	if (!mlxsw_sp_bridge_port_should_destroy(bridge_port))
+	if (--bridge_port->ref_count != 0)
 		return;
 	bridge_device = bridge_port->bridge_device;
 	mlxsw_sp_bridge_port_destroy(bridge_port);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 113/205] scsi: smartpqi: correct host serial num for ssa
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 112/205] mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 114/205] scsi: smartpqi: correct volume status Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Scott Benesh, Ajish Koshy,
	Murthy Bhat, Mahesh Rajashekhara, Dave Carroll, Scott Teel,
	Kevin Barnett, Don Brace, Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit b2346b5030cf9458f30a84028d9fe904b8c942a7 ]

Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
Reviewed-by: Ajish Koshy <ajish.koshy@microsemi.com>
Reviewed-by: Murthy Bhat <murthy.bhat@microsemi.com>
Reviewed-by: Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Scott Teel <scott.teel@microsemi.com>
Reviewed-by: Kevin Barnett <kevin.barnett@microsemi.com>
Signed-off-by: Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
Signed-off-by: Don Brace <don.brace@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/smartpqi/smartpqi_init.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
index bc15999f1c7c..cc27ae2e8a2d 100644
--- a/drivers/scsi/smartpqi/smartpqi_init.c
+++ b/drivers/scsi/smartpqi/smartpqi_init.c
@@ -653,6 +653,7 @@ struct bmic_host_wellness_driver_version {
 	u8	driver_version_tag[2];
 	__le16	driver_version_length;
 	char	driver_version[32];
+	u8	dont_write_tag[2];
 	u8	end_tag[2];
 };
 
@@ -682,6 +683,8 @@ static int pqi_write_driver_version_to_host_wellness(
 	strncpy(buffer->driver_version, "Linux " DRIVER_VERSION,
 		sizeof(buffer->driver_version) - 1);
 	buffer->driver_version[sizeof(buffer->driver_version) - 1] = '\0';
+	buffer->dont_write_tag[0] = 'D';
+	buffer->dont_write_tag[1] = 'W';
 	buffer->end_tag[0] = 'Z';
 	buffer->end_tag[1] = 'Z';
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 114/205] scsi: smartpqi: correct volume status
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 113/205] scsi: smartpqi: correct host serial num for ssa Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 115/205] scsi: smartpqi: increase fw status register read timeout Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Murthy Bhat, Mahesh Rajashekhara,
	Scott Teel, Kevin Barnett, Dave Carroll, Don Brace,
	Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 7ff44499bafbd376115f0bb6b578d980f56ee13b ]

- fix race condition when a unit is deleted after an RLL,
  and before we have gotten the LV_STATUS page of the unit.
  - In this case we will get a standard inquiry, rather than
    the desired page.  This will result in a unit presented
    which no longer exists.
  - If we ask for LV_STATUS, insure we get LV_STATUS

Reviewed-by: Murthy Bhat <murthy.bhat@microsemi.com>
Reviewed-by: Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
Reviewed-by: Scott Teel <scott.teel@microsemi.com>
Reviewed-by: Kevin Barnett <kevin.barnett@microsemi.com>
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Signed-off-by: Don Brace <don.brace@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/smartpqi/smartpqi_init.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
index cc27ae2e8a2d..5ec2898d21cd 100644
--- a/drivers/scsi/smartpqi/smartpqi_init.c
+++ b/drivers/scsi/smartpqi/smartpqi_init.c
@@ -1184,6 +1184,9 @@ static void pqi_get_volume_status(struct pqi_ctrl_info *ctrl_info,
 	if (rc)
 		goto out;
 
+	if (vpd->page_code != CISS_VPD_LV_STATUS)
+		goto out;
+
 	page_length = offsetof(struct ciss_vpd_logical_volume_status,
 		volume_status) + vpd->page_length;
 	if (page_length < sizeof(*vpd))
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 115/205] scsi: smartpqi: increase fw status register read timeout
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 114/205] scsi: smartpqi: correct volume status Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 116/205] cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Feng Li, Ajish Koshy, Murthy Bhat,
	Dave Carroll, Kevin Barnett, Mahesh Rajashekhara, Don Brace,
	Martin K. Petersen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 65111785acccb836ec75263b03b0e33f21e74f47 ]

Problem:
 - during the driver initialization, driver will poll fw
   for KERNEL_UP in a 30 seconds timeout.

 - if the firmware is not ready after 30 seconds,
   driver will not be loaded.

Fix:
 - change timeout from 30 seconds to 3 minutes.

Reported-by: Feng Li <lifeng1519@gmail.com>
Reviewed-by: Ajish Koshy <ajish.koshy@microsemi.com>
Reviewed-by: Murthy Bhat <Murthy.Bhat@microsemi.com>
Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Kevin Barnett <kevin.barnett@microsemi.com>
Signed-off-by: Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
Signed-off-by: Don Brace <don.brace@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/smartpqi/smartpqi_sis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/smartpqi/smartpqi_sis.c b/drivers/scsi/smartpqi/smartpqi_sis.c
index 5141bd4c9f06..ca7dfb3a520f 100644
--- a/drivers/scsi/smartpqi/smartpqi_sis.c
+++ b/drivers/scsi/smartpqi/smartpqi_sis.c
@@ -59,7 +59,7 @@
 
 #define SIS_CTRL_KERNEL_UP			0x80
 #define SIS_CTRL_KERNEL_PANIC			0x100
-#define SIS_CTRL_READY_TIMEOUT_SECS		30
+#define SIS_CTRL_READY_TIMEOUT_SECS		180
 #define SIS_CTRL_READY_RESUME_TIMEOUT_SECS	90
 #define SIS_CTRL_READY_POLL_INTERVAL_MSECS	10
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 116/205] cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 115/205] scsi: smartpqi: increase fw status register read timeout Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 117/205] powerpc/perf: Fix thresholding counter data for unknown type Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, Kalle Valo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4f68ef64cd7feb1220232bd8f501d8aad340a099 ]

The function cw1200_bss_info_changed() and cw1200_hw_scan() can be
concurrently executed.
The two functions both access a possible shared variable "frame.skb".

This shared variable is freed by dev_kfree_skb() in cw1200_upload_beacon(),
which is called by cw1200_bss_info_changed(). The free operation is
protected by a mutex lock "priv->conf_mutex" in cw1200_bss_info_changed().

In cw1200_hw_scan(), this shared variable is accessed without the
protection of the mutex lock "priv->conf_mutex".
Thus, concurrency use-after-free bugs may occur.

To fix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and
mutex_unlock(&priv->conf_mutex) are moved to the places, which can
protect the accesses to the shared variable.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/st/cw1200/scan.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/st/cw1200/scan.c b/drivers/net/wireless/st/cw1200/scan.c
index cc2ce60f4f09..f22c8ae15ad8 100644
--- a/drivers/net/wireless/st/cw1200/scan.c
+++ b/drivers/net/wireless/st/cw1200/scan.c
@@ -78,6 +78,10 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
 	if (req->n_ssids > WSM_SCAN_MAX_NUM_OF_SSIDS)
 		return -EINVAL;
 
+	/* will be unlocked in cw1200_scan_work() */
+	down(&priv->scan.lock);
+	mutex_lock(&priv->conf_mutex);
+
 	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
 		req->ie_len);
 	if (!frame.skb)
@@ -86,19 +90,15 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
 	if (req->ie_len)
 		skb_put_data(frame.skb, req->ie, req->ie_len);
 
-	/* will be unlocked in cw1200_scan_work() */
-	down(&priv->scan.lock);
-	mutex_lock(&priv->conf_mutex);
-
 	ret = wsm_set_template_frame(priv, &frame);
 	if (!ret) {
 		/* Host want to be the probe responder. */
 		ret = wsm_set_probe_responder(priv, true);
 	}
 	if (ret) {
+		dev_kfree_skb(frame.skb);
 		mutex_unlock(&priv->conf_mutex);
 		up(&priv->scan.lock);
-		dev_kfree_skb(frame.skb);
 		return ret;
 	}
 
@@ -120,10 +120,9 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
 		++priv->scan.n_ssids;
 	}
 
-	mutex_unlock(&priv->conf_mutex);
-
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
+	mutex_unlock(&priv->conf_mutex);
 	queue_work(priv->workqueue, &priv->scan.work);
 	return 0;
 }
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 117/205] powerpc/perf: Fix thresholding counter data for unknown type
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 116/205] cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 118/205] drbd: narrow rcu_read_lock in drbd_sync_handshake Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Madhavan Srinivasan,
	Michael Ellerman, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 17cfccc91545682513541924245abb876d296063 ]

MMCRA[34:36] and MMCRA[38:44] expose the thresholding counter value.
Thresholding counter can be used to count latency cycles such as
load miss to reload. But threshold counter value is not relevant
when the sampled instruction type is unknown or reserved. Patch to
fix the thresholding counter value to zero when sampled instruction
type is unknown or reserved.

Fixes: 170a315f41c6('powerpc/perf: Support to export MMCRA[TEC*] field to userspace')
Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/perf/isa207-common.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c
index 2efee3f196f5..cf9c35aa0cf4 100644
--- a/arch/powerpc/perf/isa207-common.c
+++ b/arch/powerpc/perf/isa207-common.c
@@ -228,8 +228,13 @@ void isa207_get_mem_weight(u64 *weight)
 	u64 mmcra = mfspr(SPRN_MMCRA);
 	u64 exp = MMCRA_THR_CTR_EXP(mmcra);
 	u64 mantissa = MMCRA_THR_CTR_MANT(mmcra);
+	u64 sier = mfspr(SPRN_SIER);
+	u64 val = (sier & ISA207_SIER_TYPE_MASK) >> ISA207_SIER_TYPE_SHIFT;
 
-	*weight = mantissa << (2 * exp);
+	if (val == 0 || val == 7)
+		*weight = 0;
+	else
+		*weight = mantissa << (2 * exp);
 }
 
 int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp)
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 118/205] drbd: narrow rcu_read_lock in drbd_sync_handshake
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 117/205] powerpc/perf: Fix thresholding counter data for unknown type Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 119/205] drbd: disconnect, if the wrong UUIDs are attached on a connected peer Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, Lars Ellenberg,
	Roland Kammerer, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d29e89e34952a9ad02c77109c71a80043544296e ]

So far there was the possibility that we called
genlmsg_new(GFP_NOIO)/mutex_lock() while holding an rcu_read_lock().

This included cases like:

drbd_sync_handshake (acquire the RCU lock)
  drbd_asb_recover_1p
    drbd_khelper
      drbd_bcast_event
        genlmsg_new(GFP_NOIO) --> may sleep

drbd_sync_handshake (acquire the RCU lock)
  drbd_asb_recover_1p
    drbd_khelper
      notify_helper
        genlmsg_new(GFP_NOIO) --> may sleep

drbd_sync_handshake (acquire the RCU lock)
  drbd_asb_recover_1p
    drbd_khelper
      notify_helper
        mutex_lock --> may sleep

While using GFP_ATOMIC whould have been possible in the first two cases,
the real fix is to narrow the rcu_read_lock.

Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
Reviewed-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Roland Kammerer <roland.kammerer@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/drbd/drbd_receiver.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 796eaf347dc0..143c5a666e25 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -3361,7 +3361,7 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
 	enum drbd_conns rv = C_MASK;
 	enum drbd_disk_state mydisk;
 	struct net_conf *nc;
-	int hg, rule_nr, rr_conflict, tentative;
+	int hg, rule_nr, rr_conflict, tentative, always_asbp;
 
 	mydisk = device->state.disk;
 	if (mydisk == D_NEGOTIATING)
@@ -3412,8 +3412,12 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
 
 	rcu_read_lock();
 	nc = rcu_dereference(peer_device->connection->net_conf);
+	always_asbp = nc->always_asbp;
+	rr_conflict = nc->rr_conflict;
+	tentative = nc->tentative;
+	rcu_read_unlock();
 
-	if (hg == 100 || (hg == -100 && nc->always_asbp)) {
+	if (hg == 100 || (hg == -100 && always_asbp)) {
 		int pcount = (device->state.role == R_PRIMARY)
 			   + (peer_role == R_PRIMARY);
 		int forced = (hg == -100);
@@ -3452,9 +3456,6 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
 			     "Sync from %s node\n",
 			     (hg < 0) ? "peer" : "this");
 	}
-	rr_conflict = nc->rr_conflict;
-	tentative = nc->tentative;
-	rcu_read_unlock();
 
 	if (hg == -100) {
 		/* FIXME this log message is not correct if we end up here
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 119/205] drbd: disconnect, if the wrong UUIDs are attached on a connected peer
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 118/205] drbd: narrow rcu_read_lock in drbd_sync_handshake Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 120/205] drbd: skip spurious timeout (ping-timeo) when failing promote Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars Ellenberg, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit b17b59602b6dcf8f97a7dc7bc489a48388d7063a ]

With "on-no-data-accessible suspend-io", DRBD requires the next attach
or connect to be to the very same data generation uuid tag it lost last.

If we first lost connection to the peer,
then later lost connection to our own disk,
we would usually refuse to re-connect to the peer,
because it presents the wrong data set.

However, if the peer first connects without a disk,
and then attached its disk, we accepted that same wrong data set,
which would be "unexpected" by any user of that DRBD
and cause "undefined results" (read: very likely data corruption).

The fix is to forcefully disconnect as soon as we notice that the peer
attached to the "wrong" dataset.

Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/drbd/drbd_receiver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 143c5a666e25..1aad373da50e 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -4139,7 +4139,7 @@ static int receive_uuids(struct drbd_connection *connection, struct packet_info
 	kfree(device->p_uuid);
 	device->p_uuid = p_uuid;
 
-	if (device->state.conn < C_CONNECTED &&
+	if ((device->state.conn < C_CONNECTED || device->state.pdsk == D_DISKLESS) &&
 	    device->state.disk < D_INCONSISTENT &&
 	    device->state.role == R_PRIMARY &&
 	    (device->ed_uuid & ~((u64)1)) != (p_uuid[UI_CURRENT] & ~((u64)1))) {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 120/205] drbd: skip spurious timeout (ping-timeo) when failing promote
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 119/205] drbd: disconnect, if the wrong UUIDs are attached on a connected peer Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 121/205] drbd: Avoid Clang warning about pointless switch statment Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars Ellenberg, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9848b6ddd8c92305252f94592c5e278574e7a6ac ]

If you try to promote a Secondary while connected to a Primary
and allow-two-primaries is NOT set, we will wait for "ping-timeout"
to give this node a chance to detect a dead primary,
in case the cluster manager noticed faster than we did.

But if we then are *still* connected to a Primary,
we fail (after an additional timeout of ping-timout).

This change skips the spurious second timeout.

Most people won't notice really,
since "ping-timeout" by default is half a second.

But in some installations, ping-timeout may be 10 or 20 seconds or more,
and spuriously delaying the error return becomes annoying.

Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/drbd/drbd_nl.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
index a12f77e6891e..ad13ec66c8e4 100644
--- a/drivers/block/drbd/drbd_nl.c
+++ b/drivers/block/drbd/drbd_nl.c
@@ -668,14 +668,15 @@ drbd_set_role(struct drbd_device *const device, enum drbd_role new_role, int for
 		if (rv == SS_TWO_PRIMARIES) {
 			/* Maybe the peer is detected as dead very soon...
 			   retry at most once more in this case. */
-			int timeo;
-			rcu_read_lock();
-			nc = rcu_dereference(connection->net_conf);
-			timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1;
-			rcu_read_unlock();
-			schedule_timeout_interruptible(timeo);
-			if (try < max_tries)
+			if (try < max_tries) {
+				int timeo;
 				try = max_tries - 1;
+				rcu_read_lock();
+				nc = rcu_dereference(connection->net_conf);
+				timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1;
+				rcu_read_unlock();
+				schedule_timeout_interruptible(timeo);
+			}
 			continue;
 		}
 		if (rv < SS_SUCCESS) {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 121/205] drbd: Avoid Clang warning about pointless switch statment
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 120/205] drbd: skip spurious timeout (ping-timeo) when failing promote Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 122/205] video: clps711x-fb: release disp device node in probe() Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars Ellenberg, Nathan Chancellor,
	Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit a52c5a16cf19d8a85831bb1b915a221dd4ffae3c ]

There are several warnings from Clang about no case statement matching
the constant 0:

In file included from drivers/block/drbd/drbd_receiver.c:48:
In file included from drivers/block/drbd/drbd_int.h:48:
In file included from ./include/linux/drbd_genl_api.h:54:
In file included from ./include/linux/genl_magic_struct.h:236:
./include/linux/drbd_genl.h:321:1: warning: no case matching constant
switch condition '0'
GENL_struct(DRBD_NLA_HELPER, 24, drbd_helper_info,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/genl_magic_struct.h:220:10: note: expanded from macro
'GENL_struct'
        switch (0) {
                ^

Silence this warning by adding a 'case 0:' statement. Additionally,
adjust the alignment of the statements in the ct_assert_unique macro to
avoid a checkpatch warning.

This solution was originally sent by Arnd Bergmann with a default case
statement: https://lore.kernel.org/patchwork/patch/756723/

Link: https://github.com/ClangBuiltLinux/linux/issues/43
Suggested-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/genl_magic_struct.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/genl_magic_struct.h b/include/linux/genl_magic_struct.h
index 5972e4969197..eeae59d3ceb7 100644
--- a/include/linux/genl_magic_struct.h
+++ b/include/linux/genl_magic_struct.h
@@ -191,6 +191,7 @@ static inline void ct_assert_unique_operations(void)
 {
 	switch (0) {
 #include GENL_MAGIC_INCLUDE_FILE
+	case 0:
 		;
 	}
 }
@@ -209,6 +210,7 @@ static inline void ct_assert_unique_top_level_attributes(void)
 {
 	switch (0) {
 #include GENL_MAGIC_INCLUDE_FILE
+	case 0:
 		;
 	}
 }
@@ -218,7 +220,8 @@ static inline void ct_assert_unique_top_level_attributes(void)
 static inline void ct_assert_unique_ ## s_name ## _attributes(void)	\
 {									\
 	switch (0) {							\
-		s_fields						\
+	s_fields							\
+	case 0:								\
 			;						\
 	}								\
 }
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 122/205] video: clps711x-fb: release disp device node in probe()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 121/205] drbd: Avoid Clang warning about pointless switch statment Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 123/205] md: fix raid10 hang issue caused by barrier Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Khoroshilov, Alexander Shiyan,
	Bartlomiej Zolnierkiewicz, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit fdac751355cd76e049f628afe6acb8ff4b1399f7 ]

clps711x_fb_probe() increments refcnt of disp device node by
of_parse_phandle() and leaves it undecremented on both
successful and error paths.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Cc: Alexander Shiyan <shc_work@mail.ru>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/clps711x-fb.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/clps711x-fb.c b/drivers/video/fbdev/clps711x-fb.c
index ff561073ee4e..42f909618f04 100644
--- a/drivers/video/fbdev/clps711x-fb.c
+++ b/drivers/video/fbdev/clps711x-fb.c
@@ -287,14 +287,17 @@ static int clps711x_fb_probe(struct platform_device *pdev)
 	}
 
 	ret = of_get_fb_videomode(disp, &cfb->mode, OF_USE_NATIVE_MODE);
-	if (ret)
+	if (ret) {
+		of_node_put(disp);
 		goto out_fb_release;
+	}
 
 	of_property_read_u32(disp, "ac-prescale", &cfb->ac_prescale);
 	cfb->cmap_invert = of_property_read_bool(disp, "cmap-invert");
 
 	ret = of_property_read_u32(disp, "bits-per-pixel",
 				   &info->var.bits_per_pixel);
+	of_node_put(disp);
 	if (ret)
 		goto out_fb_release;
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 123/205] md: fix raid10 hang issue caused by barrier
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 122/205] video: clps711x-fb: release disp device node in probe() Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 124/205] fbdev: fbmem: behave better with small rotated displays and many CPUs Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guoqing Jiang, Shaohua Li,
	Sasha Levin, Siniša Bandin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e820d55cb99dd93ac2dc949cf486bb187e5cd70d ]

When both regular IO and resync IO happen at the same time,
and if we also need to split regular. Then we can see tasks
hang due to barrier.

1. resync thread
[ 1463.757205] INFO: task md1_resync:5215 blocked for more than 480 seconds.
[ 1463.757207]       Not tainted 4.19.5-1-default #1
[ 1463.757209] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1463.757212] md1_resync      D    0  5215      2 0x80000000
[ 1463.757216] Call Trace:
[ 1463.757223]  ? __schedule+0x29a/0x880
[ 1463.757231]  ? raise_barrier+0x8d/0x140 [raid10]
[ 1463.757236]  schedule+0x78/0x110
[ 1463.757243]  raise_barrier+0x8d/0x140 [raid10]
[ 1463.757248]  ? wait_woken+0x80/0x80
[ 1463.757257]  raid10_sync_request+0x1f6/0x1e30 [raid10]
[ 1463.757265]  ? _raw_spin_unlock_irq+0x22/0x40
[ 1463.757284]  ? is_mddev_idle+0x125/0x137 [md_mod]
[ 1463.757302]  md_do_sync.cold.78+0x404/0x969 [md_mod]
[ 1463.757311]  ? wait_woken+0x80/0x80
[ 1463.757336]  ? md_rdev_init+0xb0/0xb0 [md_mod]
[ 1463.757351]  md_thread+0xe9/0x140 [md_mod]
[ 1463.757358]  ? _raw_spin_unlock_irqrestore+0x2e/0x60
[ 1463.757364]  ? __kthread_parkme+0x4c/0x70
[ 1463.757369]  kthread+0x112/0x130
[ 1463.757374]  ? kthread_create_worker_on_cpu+0x40/0x40
[ 1463.757380]  ret_from_fork+0x3a/0x50

2. regular IO
[ 1463.760679] INFO: task kworker/0:8:5367 blocked for more than 480 seconds.
[ 1463.760683]       Not tainted 4.19.5-1-default #1
[ 1463.760684] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1463.760687] kworker/0:8     D    0  5367      2 0x80000000
[ 1463.760718] Workqueue: md submit_flushes [md_mod]
[ 1463.760721] Call Trace:
[ 1463.760731]  ? __schedule+0x29a/0x880
[ 1463.760741]  ? wait_barrier+0xdd/0x170 [raid10]
[ 1463.760746]  schedule+0x78/0x110
[ 1463.760753]  wait_barrier+0xdd/0x170 [raid10]
[ 1463.760761]  ? wait_woken+0x80/0x80
[ 1463.760768]  raid10_write_request+0xf2/0x900 [raid10]
[ 1463.760774]  ? wait_woken+0x80/0x80
[ 1463.760778]  ? mempool_alloc+0x55/0x160
[ 1463.760795]  ? md_write_start+0xa9/0x270 [md_mod]
[ 1463.760801]  ? try_to_wake_up+0x44/0x470
[ 1463.760810]  raid10_make_request+0xc1/0x120 [raid10]
[ 1463.760816]  ? wait_woken+0x80/0x80
[ 1463.760831]  md_handle_request+0x121/0x190 [md_mod]
[ 1463.760851]  md_make_request+0x78/0x190 [md_mod]
[ 1463.760860]  generic_make_request+0x1c6/0x470
[ 1463.760870]  raid10_write_request+0x77a/0x900 [raid10]
[ 1463.760875]  ? wait_woken+0x80/0x80
[ 1463.760879]  ? mempool_alloc+0x55/0x160
[ 1463.760895]  ? md_write_start+0xa9/0x270 [md_mod]
[ 1463.760904]  raid10_make_request+0xc1/0x120 [raid10]
[ 1463.760910]  ? wait_woken+0x80/0x80
[ 1463.760926]  md_handle_request+0x121/0x190 [md_mod]
[ 1463.760931]  ? _raw_spin_unlock_irq+0x22/0x40
[ 1463.760936]  ? finish_task_switch+0x74/0x260
[ 1463.760954]  submit_flushes+0x21/0x40 [md_mod]

So resync io is waiting for regular write io to complete to
decrease nr_pending (conf->barrier++ is called before waiting).
The regular write io splits another bio after call wait_barrier
which call nr_pending++, then the splitted bio would continue
with raid10_write_request -> wait_barrier, so the splitted bio
has to wait for barrier to be zero, then deadlock happens as
follows.

	resync io		regular io

	raise_barrier
				wait_barrier
				generic_make_request
				wait_barrier

To resolve the issue, we need to call allow_barrier to decrease
nr_pending before generic_make_request since regular IO is not
issued to underlying devices, and wait_barrier is called again
to ensure no internal IO happening.

Fixes: fc9977dd069e ("md/raid10: simplify the splitting of requests.")
Reported-and-tested-by: Siniša Bandin <sinisa@4net.rs>
Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/raid10.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index 52ddfa0fca94..2ce079a0b0bd 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1190,7 +1190,9 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio,
 		struct bio *split = bio_split(bio, max_sectors,
 					      gfp, conf->bio_split);
 		bio_chain(split, bio);
+		allow_barrier(conf);
 		generic_make_request(bio);
+		wait_barrier(conf);
 		bio = split;
 		r10_bio->master_bio = bio;
 		r10_bio->sectors = max_sectors;
@@ -1479,7 +1481,9 @@ retry_write:
 		struct bio *split = bio_split(bio, r10_bio->sectors,
 					      GFP_NOIO, conf->bio_split);
 		bio_chain(split, bio);
+		allow_barrier(conf);
 		generic_make_request(bio);
+		wait_barrier(conf);
 		bio = split;
 		r10_bio->master_bio = bio;
 	}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 124/205] fbdev: fbmem: behave better with small rotated displays and many CPUs
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 123/205] md: fix raid10 hang issue caused by barrier Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 125/205] i40e: define proper net_device::neigh_priv_len Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Rosin, Tomi Valkeinen,
	Fabian Frederick, Geert Uytterhoeven, Geoff Levand,
	James Simmons, Bartlomiej Zolnierkiewicz, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit f75df8d4b4fabfad7e3cba2debfad12741c6fde7 ]

Blitting an image with "negative" offsets is not working since there
is no clipping. It hopefully just crashes. For the bootup logo, there
is protection so that blitting does not happen as the image is drawn
further and further to the right (ROTATE_UR) or further and further
down (ROTATE_CW). There is however no protection when drawing in the
opposite directions (ROTATE_UD and ROTATE_CCW).

Add back this protection.

The regression is 20-odd years old but the mindless warning-killing
mentality displayed in commit 34bdb666f4b2 ("fbdev: fbmem: remove
positive test on unsigned values") is also to blame, methinks.

Fixes: 448d479747b8 ("fbdev: fb_do_show_logo() updates")
Signed-off-by: Peter Rosin <peda@axentia.se>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: Fabian Frederick <ffrederick@users.sourceforge.net>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
cc: Geoff Levand <geoff@infradead.org>
Cc: James Simmons <jsimmons@users.sf.net>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/core/fbmem.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 11d73b5fc885..302cce7185e3 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -435,7 +435,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
 			image->dx += image->width + 8;
 		}
 	} else if (rotate == FB_ROTATE_UD) {
-		for (x = 0; x < num; x++) {
+		u32 dx = image->dx;
+
+		for (x = 0; x < num && image->dx <= dx; x++) {
 			info->fbops->fb_imageblit(info, image);
 			image->dx -= image->width + 8;
 		}
@@ -447,7 +449,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
 			image->dy += image->height + 8;
 		}
 	} else if (rotate == FB_ROTATE_CCW) {
-		for (x = 0; x < num; x++) {
+		u32 dy = image->dy;
+
+		for (x = 0; x < num && image->dy <= dy; x++) {
 			info->fbops->fb_imageblit(info, image);
 			image->dy -= image->height + 8;
 		}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 125/205] i40e: define proper net_device::neigh_priv_len
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 124/205] fbdev: fbmem: behave better with small rotated displays and many CPUs Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 126/205] igb: Fix an issue that PME is not enabled during runtime suspend Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khorenko, Andrew Bowers,
	Jeff Kirsher, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 31389b53b3e0b535867af9090a5d19ec64768d55 ]

Out of bound read reported by KASan.

i40iw_net_event() reads unconditionally 16 bytes from
neigh->primary_key while the memory allocated for
"neighbour" struct is evaluated in neigh_alloc() as

  tbl->entry_size + dev->neigh_priv_len

where "dev" is a net_device.

But the driver does not setup dev->neigh_priv_len and
we read beyond the neigh entry allocated memory,
so the patch in the next mail fixes this.

Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 904b42becd45..5d47a51e74eb 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -9772,6 +9772,9 @@ static int i40e_config_netdev(struct i40e_vsi *vsi)
 	ether_addr_copy(netdev->dev_addr, mac_addr);
 	ether_addr_copy(netdev->perm_addr, mac_addr);
 
+	/* i40iw_net_event() reads 16 bytes from neigh->primary_key */
+	netdev->neigh_priv_len = sizeof(u32) * 4;
+
 	netdev->priv_flags |= IFF_UNICAST_FLT;
 	netdev->priv_flags |= IFF_SUPP_NOFCS;
 	/* Setup netdev TC information */
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 126/205] igb: Fix an issue that PME is not enabled during runtime suspend
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 125/205] i40e: define proper net_device::neigh_priv_len Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 127/205] ACPI/APEI: Clear GHES block_status before panic() Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Aaron Brown,
	Jeff Kirsher, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 1fb3a7a75e2efcc83ef21f2434069cddd6fae6f5 ]

I210 ethernet card doesn't wakeup when a cable gets plugged. It's
because its PME is not set.

Since commit 42eca2302146 ("PCI: Don't touch card regs after runtime
suspend D3"), if the PCI state is saved, pci_pm_runtime_suspend() stops
calling pci_finish_runtime_suspend(), which enables the PCI PME.

To fix the issue, let's not to save PCI states when it's runtime
suspend, to let the PCI subsystem enables PME.

Fixes: 42eca2302146 ("PCI: Don't touch card regs after runtime suspend D3")
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/igb/igb_main.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 1c027f9d9af5..8892ea5cbb01 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -7950,9 +7950,11 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake,
 	rtnl_unlock();
 
 #ifdef CONFIG_PM
-	retval = pci_save_state(pdev);
-	if (retval)
-		return retval;
+	if (!runtime) {
+		retval = pci_save_state(pdev);
+		if (retval)
+			return retval;
+	}
 #endif
 
 	status = rd32(E1000_STATUS);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 127/205] ACPI/APEI: Clear GHES block_status before panic()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 126/205] igb: Fix an issue that PME is not enabled during runtime suspend Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 128/205] fbdev: fbcon: Fix unregister crash when more than one framebuffer Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lenny Szubowicz, David Arcari,
	Tyler Baicar, Borislav Petkov, Rafael J. Wysocki, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 98cff8b23ed1c763a029ee81ea300df0d153d07d ]

In __ghes_panic() clear the block status in the APEI generic
error status block for that generic hardware error source before
calling panic() to prevent a second panic() in the crash kernel
for exactly the same fatal error.

Otherwise ghes_probe(), running in the crash kernel, would see
an unhandled error in the APEI generic error status block and
panic again, thereby precluding any crash dump.

Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
Signed-off-by: David Arcari <darcari@redhat.com>
Tested-by: Tyler Baicar <baicar.tyler@gmail.com>
Acked-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/apei/ghes.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index f14695e744d0..5889f6407fea 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -675,6 +675,8 @@ static void __ghes_panic(struct ghes *ghes)
 {
 	__ghes_print_estatus(KERN_EMERG, ghes->generic, ghes->estatus);
 
+	ghes_clear_estatus(ghes);
+
 	/* reboot to log the error! */
 	if (!panic_timeout)
 		panic_timeout = ghes_panic_timeout;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 128/205] fbdev: fbcon: Fix unregister crash when more than one framebuffer
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 127/205] ACPI/APEI: Clear GHES block_status before panic() Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 129/205] powerpc/mm: Fix reporting of kernel execute faults on the 8xx Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Noralf Trønnes, Mikulas Patocka,
	Daniel Vetter, Bartlomiej Zolnierkiewicz, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ]

When unregistering fbdev using unregister_framebuffer(), any bound
console will unbind automatically. This is working fine if this is the
only framebuffer, resulting in a switch to the dummy console. However if
there is a fb0 and I unregister fb1 having a bound console, I eventually
get a crash. The fastest way for me to trigger the crash is to do a
reboot, resulting in this splat:

[   76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c
[   76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm]
[   76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4
[   76.478933] Hardware name: BCM2835
[   76.478949] Backtrace:
[   76.478995] [<c010d388>] (dump_backtrace) from [<c010d670>] (show_stack+0x20/0x24)
[   76.479022]  r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81
[   76.479060] [<c010d650>] (show_stack) from [<c08e82f4>] (dump_stack+0x20/0x28)
[   76.479102] [<c08e82d4>] (dump_stack) from [<c0120070>] (__warn+0xec/0x12c)
[   76.479134] [<c011ff84>] (__warn) from [<c01201e4>] (warn_slowpath_null+0x4c/0x58)
[   76.479165]  r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84
[   76.479197] [<c0120198>] (warn_slowpath_null) from [<c0139e84>] (__queue_work+0x2d4/0x41c)
[   76.479222]  r6:d7666a00 r5:c0e918ee r4:dbc4e700
[   76.479251] [<c0139bb0>] (__queue_work) from [<c013a02c>] (queue_work_on+0x60/0x88)
[   76.479281]  r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00
[   76.479298]  r4:20000113
[   76.479348] [<c0139fcc>] (queue_work_on) from [<c0496c28>] (cursor_timer_handler+0x30/0x54)
[   76.479374]  r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc
[   76.479413] [<c0496bf8>] (cursor_timer_handler) from [<c0178744>] (call_timer_fn+0x100/0x230)
[   76.479435]  r4:c0e9192f r3:d758a340
[   76.479465] [<c0178644>] (call_timer_fn) from [<c0178980>] (expire_timers+0x10c/0x12c)
[   76.479495]  r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8
[   76.479513]  r4:d8a8fabc
[   76.479541] [<c0178874>] (expire_timers) from [<c0179630>] (run_timer_softirq+0xa8/0x184)
[   76.479570]  r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280
[   76.479603] [<c0179588>] (run_timer_softirq) from [<c0102404>] (__do_softirq+0x1ac/0x3fc)
[   76.479632]  r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002
[   76.479650]  r4:c0eb65ec
[   76.479686] [<c0102258>] (__do_softirq) from [<c0124d10>] (irq_exit+0xe8/0x168)
[   76.479716]  r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0
[   76.479734]  r4:00000000
[   76.479764] [<c0124c28>] (irq_exit) from [<c016b72c>] (__handle_domain_irq+0x94/0xb0)
[   76.479793] [<c016b698>] (__handle_domain_irq) from [<c01021dc>] (bcm2835_handle_irq+0x3c/0x48)
[   76.479823]  r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8
[   76.479851] [<c01021a0>] (bcm2835_handle_irq) from [<c01019f0>] (__irq_svc+0x70/0x98)

The problem is in the console rebinding in fbcon_fb_unbind(). It uses the
virtual console index as the new framebuffer index to bind the console(s)
to. The correct way is to use the con2fb_map lookup table to find the
framebuffer index.

Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer")
Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/core/fbcon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 04612f938bab..85787119bfbf 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -3041,7 +3041,7 @@ static int fbcon_fb_unbind(int idx)
 	for (i = first_fb_vc; i <= last_fb_vc; i++) {
 		if (con2fb_map[i] != idx &&
 		    con2fb_map[i] != -1) {
-			new_idx = i;
+			new_idx = con2fb_map[i];
 			break;
 		}
 	}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 129/205] powerpc/mm: Fix reporting of kernel execute faults on the 8xx
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 128/205] fbdev: fbcon: Fix unregister crash when more than one framebuffer Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 130/205] pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Michael Ellerman,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit ffca395b11c4a5a6df6d6345f794b0e3d578e2d0 ]

On the 8xx, no-execute is set via PPP bits in the PTE. Therefore
a no-exec fault generates DSISR_PROTFAULT error bits,
not DSISR_NOEXEC_OR_G.

This patch adds DSISR_PROTFAULT in the test mask.

Fixes: d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/fault.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index 6e1e39035380..52863deed65d 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -215,7 +215,9 @@ static int mm_fault_error(struct pt_regs *regs, unsigned long addr, int fault)
 static bool bad_kernel_fault(bool is_exec, unsigned long error_code,
 			     unsigned long address)
 {
-	if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT))) {
+	/* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */
+	if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT |
+				      DSISR_PROTFAULT))) {
 		printk_ratelimited(KERN_CRIT "kernel tried to execute"
 				   " exec-protected page (%lx) -"
 				   "exploit attempt? (uid: %d)\n",
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 130/205] pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 129/205] powerpc/mm: Fix reporting of kernel execute faults on the 8xx Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 131/205] pinctrl: meson: meson8b: " Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Linus Walleij,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 42f9b48cc5402be11d2364275eb18c257d2a79e8 ]

The GPIOAO pins (as well as the two exotic GPIO_BSD_EN and GPIO_TEST_N)
only belong to the pin controller in the AO domain. With the current
definition these pins cannot be referred to in .dts files as group
(which is possible on GXBB and GXL for example).

Add a separate "gpio_aobus" function to fix the mapping between the pin
controller and the GPIO pins in the AO domain. This is similar to how
the GXBB and GXL drivers implement this functionality.

Fixes: 9dab1868ec0db4 ("pinctrl: amlogic: Make driver independent from two-domain configuration")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/meson/pinctrl-meson8.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pinctrl/meson/pinctrl-meson8.c b/drivers/pinctrl/meson/pinctrl-meson8.c
index 970f6f14502c..591b01657378 100644
--- a/drivers/pinctrl/meson/pinctrl-meson8.c
+++ b/drivers/pinctrl/meson/pinctrl-meson8.c
@@ -808,7 +808,9 @@ static const char * const gpio_groups[] = {
 	"BOOT_5", "BOOT_6", "BOOT_7", "BOOT_8", "BOOT_9",
 	"BOOT_10", "BOOT_11", "BOOT_12", "BOOT_13", "BOOT_14",
 	"BOOT_15", "BOOT_16", "BOOT_17", "BOOT_18",
+};
 
+static const char * const gpio_aobus_groups[] = {
 	"GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3",
 	"GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7",
 	"GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11",
@@ -1030,6 +1032,7 @@ static struct meson_pmx_func meson8_cbus_functions[] = {
 };
 
 static struct meson_pmx_func meson8_aobus_functions[] = {
+	FUNCTION(gpio_aobus),
 	FUNCTION(uart_ao),
 	FUNCTION(remote),
 	FUNCTION(i2c_slave_ao),
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 131/205] pinctrl: meson: meson8b: fix the GPIO function for the GPIOAO pins
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 130/205] pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins Greg Kroah-Hartman
@ 2019-02-11 14:18 ` " Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 132/205] KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Linus Walleij,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 2b745ac3cceb8fc1d9985990c8241a821ea97e53 ]

The GPIOAO pins (as well as the two exotic GPIO_BSD_EN and GPIO_TEST_N)
only belong to the pin controller in the AO domain. With the current
definition these pins cannot be referred to in .dts files as group
(which is possible on GXBB and GXL for example).

Add a separate "gpio_aobus" function to fix the mapping between the pin
controller and the GPIO pins in the AO domain. This is similar to how
the GXBB and GXL drivers implement this functionality.

Fixes: 9dab1868ec0db4 ("pinctrl: amlogic: Make driver independent from two-domain configuration")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/meson/pinctrl-meson8b.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c
index 71f216b5b0b9..a6fff215e60f 100644
--- a/drivers/pinctrl/meson/pinctrl-meson8b.c
+++ b/drivers/pinctrl/meson/pinctrl-meson8b.c
@@ -649,16 +649,18 @@ static const char * const gpio_groups[] = {
 	"BOOT_10", "BOOT_11", "BOOT_12", "BOOT_13", "BOOT_14",
 	"BOOT_15", "BOOT_16", "BOOT_17", "BOOT_18",
 
-	"GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3",
-	"GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7",
-	"GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11",
-	"GPIOAO_12", "GPIOAO_13", "GPIO_BSD_EN", "GPIO_TEST_N",
-
 	"DIF_0_P", "DIF_0_N", "DIF_1_P", "DIF_1_N",
 	"DIF_2_P", "DIF_2_N", "DIF_3_P", "DIF_3_N",
 	"DIF_4_P", "DIF_4_N"
 };
 
+static const char * const gpio_aobus_groups[] = {
+	"GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3",
+	"GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7",
+	"GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11",
+	"GPIOAO_12", "GPIOAO_13", "GPIO_BSD_EN", "GPIO_TEST_N"
+};
+
 static const char * const sd_a_groups[] = {
 	"sd_d0_a", "sd_d1_a", "sd_d2_a", "sd_d3_a", "sd_clk_a",
 	"sd_cmd_a"
@@ -874,6 +876,7 @@ static struct meson_pmx_func meson8b_cbus_functions[] = {
 };
 
 static struct meson_pmx_func meson8b_aobus_functions[] = {
+	FUNCTION(gpio_aobus),
 	FUNCTION(uart_ao),
 	FUNCTION(uart_ao_b),
 	FUNCTION(i2c_slave_ao),
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 132/205] KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 131/205] pinctrl: meson: meson8b: " Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 133/205] powerpc/fadump: Do not allow hot-remove memory from fadump reserved area Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vitaly Kuznetsov,
	Radim Krčmář,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e87555e550cef4941579cd879759a7c0dee24e68 ]

AMD doesn't seem to implement MSR_IA32_MCG_EXT_CTL and svm code in kvm
knows nothing about it, however, this MSR is among emulated_msrs and
thus returned with KVM_GET_MSR_INDEX_LIST. The consequent KVM_GET_MSRS,
of course, fails.

Report the MSR as unsupported to not confuse userspace.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/svm.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 4dc79d139810..656ac12f5439 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -5319,6 +5319,13 @@ static bool svm_cpu_has_accelerated_tpr(void)
 
 static bool svm_has_emulated_msr(int index)
 {
+	switch (index) {
+	case MSR_IA32_MCG_EXT_CTL:
+		return false;
+	default:
+		break;
+	}
+
 	return true;
 }
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 133/205] powerpc/fadump: Do not allow hot-remove memory from fadump reserved area.
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 132/205] KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 134/205] kvm: Change offset in kvm_write_guest_offset_cached to unsigned Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mahesh Salgaonkar, Michael Ellerman,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0db6896ff6332ba694f1e61b93ae3b2640317633 ]

For fadump to work successfully there should not be any holes in reserved
memory ranges where kernel has asked firmware to move the content of old
kernel memory in event of crash. Now that fadump uses CMA for reserved
area, this memory area is now not protected from hot-remove operations
unless it is cma allocated. Hence, fadump service can fail to re-register
after the hot-remove operation, if hot-removed memory belongs to fadump
reserved region. To avoid this make sure that memory from fadump reserved
area is not hot-removable if fadump is registered.

However, if user still wants to remove that memory, he can do so by
manually stopping fadump service before hot-remove operation.

Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/fadump.h               |  2 +-
 arch/powerpc/kernel/fadump.c                    | 10 ++++++++--
 arch/powerpc/platforms/pseries/hotplug-memory.c |  7 +++++--
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/include/asm/fadump.h b/arch/powerpc/include/asm/fadump.h
index 1e7a33592e29..15bc07a31c46 100644
--- a/arch/powerpc/include/asm/fadump.h
+++ b/arch/powerpc/include/asm/fadump.h
@@ -200,7 +200,7 @@ struct fad_crash_memory_ranges {
 	unsigned long long	size;
 };
 
-extern int is_fadump_boot_memory_area(u64 addr, ulong size);
+extern int is_fadump_memory_area(u64 addr, ulong size);
 extern int early_init_dt_scan_fw_dump(unsigned long node,
 		const char *uname, int depth, void *data);
 extern int fadump_reserve_mem(void);
diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
index 5a6470383ca3..62d7ef6508de 100644
--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -117,13 +117,19 @@ int __init early_init_dt_scan_fw_dump(unsigned long node,
 
 /*
  * If fadump is registered, check if the memory provided
- * falls within boot memory area.
+ * falls within boot memory area and reserved memory area.
  */
-int is_fadump_boot_memory_area(u64 addr, ulong size)
+int is_fadump_memory_area(u64 addr, ulong size)
 {
+	u64 d_start = fw_dump.reserve_dump_area_start;
+	u64 d_end = d_start + fw_dump.reserve_dump_area_size;
+
 	if (!fw_dump.dump_registered)
 		return 0;
 
+	if (((addr + size) > d_start) && (addr <= d_end))
+		return 1;
+
 	return (addr + size) > RMA_START && addr <= fw_dump.boot_memory_size;
 }
 
diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
index 1d48ab424bd9..93e09f108ca1 100644
--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
+++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
@@ -441,8 +441,11 @@ static bool lmb_is_removable(struct of_drconf_cell *lmb)
 	phys_addr = lmb->base_addr;
 
 #ifdef CONFIG_FA_DUMP
-	/* Don't hot-remove memory that falls in fadump boot memory area */
-	if (is_fadump_boot_memory_area(phys_addr, block_sz))
+	/*
+	 * Don't hot-remove memory that falls in fadump boot memory area
+	 * and memory that is reserved for capturing old kernel memory.
+	 */
+	if (is_fadump_memory_area(phys_addr, block_sz))
 		return false;
 #endif
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 134/205] kvm: Change offset in kvm_write_guest_offset_cached to unsigned
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 133/205] powerpc/fadump: Do not allow hot-remove memory from fadump reserved area Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 135/205] NFS: nfs_compare_mount_options always compare auth flavors Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cfir Cohen, Jim Mattson, Peter Shier,
	Krish Sadhukhan, Sean Christopherson, Radim Krčmář,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 7a86dab8cf2f0fdf508f3555dddfc236623bff60 ]

Since the offset is added directly to the hva from the
gfn_to_hva_cache, a negative offset could result in an out of bounds
write. The existing BUG_ON only checks for addresses beyond the end of
the gfn_to_hva_cache, not for addresses before the start of the
gfn_to_hva_cache.

Note that all current call sites have non-negative offsets.

Fixes: 4ec6e8636256 ("kvm: Introduce kvm_write_guest_offset_cached()")
Reported-by: Cfir Cohen <cfir@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Cfir Cohen <cfir@google.com>
Reviewed-by: Peter Shier <pshier@google.com>
Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/kvm_host.h | 3 ++-
 virt/kvm/kvm_main.c      | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index b6962ae6237e..4f7f19c1dc0a 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -685,7 +685,8 @@ int kvm_write_guest(struct kvm *kvm, gpa_t gpa, const void *data,
 int kvm_write_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
 			   void *data, unsigned long len);
 int kvm_write_guest_offset_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
-			   void *data, int offset, unsigned long len);
+				  void *data, unsigned int offset,
+				  unsigned long len);
 int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
 			      gpa_t gpa, unsigned long len);
 int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len);
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 4f35f0dfe681..bbc34e87d88f 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1962,7 +1962,8 @@ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
 EXPORT_SYMBOL_GPL(kvm_gfn_to_hva_cache_init);
 
 int kvm_write_guest_offset_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
-			   void *data, int offset, unsigned long len)
+				  void *data, unsigned int offset,
+				  unsigned long len)
 {
 	struct kvm_memslots *slots = kvm_memslots(kvm);
 	int r;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 135/205] NFS: nfs_compare_mount_options always compare auth flavors.
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 134/205] kvm: Change offset in kvm_write_guest_offset_cached to unsigned Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 136/205] hwmon: (lm80) fix a missing check of the status of SMBus read Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Perl, Anna Schumaker, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 594d1644cd59447f4fceb592448d5cd09eb09b5e ]

This patch removes the check from nfs_compare_mount_options to see if a
`sec' option was passed for the current mount before comparing auth
flavors and instead just always compares auth flavors.

Consider the following scenario:

You have a server with the address 192.168.1.1 and two exports /export/a
and /export/b.  The first export supports `sys' and `krb5' security, the
second just `sys'.

Assume you start with no mounts from the server.

The following results in EIOs being returned as the kernel nfs client
incorrectly thinks it can share the underlying `struct nfs_server's:

$ mkdir /tmp/{a,b}
$ sudo mount -t nfs -o vers=3,sec=krb5 192.168.1.1:/export/a /tmp/a
$ sudo mount -t nfs -o vers=3          192.168.1.1:/export/b /tmp/b
$ df >/dev/null
df: ‘/tmp/b’: Input/output error

Signed-off-by: Chris Perl <cperl@janestreet.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/super.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 38de09b08e96..3c4aeb83e1c4 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2401,8 +2401,7 @@ static int nfs_compare_mount_options(const struct super_block *s, const struct n
 		goto Ebusy;
 	if (a->acdirmax != b->acdirmax)
 		goto Ebusy;
-	if (b->auth_info.flavor_len > 0 &&
-	   clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor)
+	if (clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor)
 		goto Ebusy;
 	return 1;
 Ebusy:
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 136/205] hwmon: (lm80) fix a missing check of the status of SMBus read
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 135/205] NFS: nfs_compare_mount_options always compare auth flavors Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 137/205] hwmon: (lm80) fix a missing check of bus read in lm80 probe Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Guenter Roeck, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit c9c63915519b1def7043b184680f33c24cd49d7b ]

If lm80_read_value() fails, it returns a negative number instead of the
correct read data. Therefore, we should avoid using the data if it
fails.

The fix checks if lm80_read_value() fails, and if so, returns with the
error number.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
[groeck: One variable for return values is enough]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/lm80.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c
index 08e3945a6fbf..04f9df0d2341 100644
--- a/drivers/hwmon/lm80.c
+++ b/drivers/hwmon/lm80.c
@@ -360,9 +360,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr,
 	struct i2c_client *client = data->client;
 	unsigned long min, val;
 	u8 reg;
-	int err = kstrtoul(buf, 10, &val);
-	if (err < 0)
-		return err;
+	int rv;
+
+	rv = kstrtoul(buf, 10, &val);
+	if (rv < 0)
+		return rv;
 
 	/* Save fan_min */
 	mutex_lock(&data->update_lock);
@@ -390,8 +392,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr,
 		return -EINVAL;
 	}
 
-	reg = (lm80_read_value(client, LM80_REG_FANDIV) &
-	       ~(3 << (2 * (nr + 1)))) | (data->fan_div[nr] << (2 * (nr + 1)));
+	rv = lm80_read_value(client, LM80_REG_FANDIV);
+	if (rv < 0)
+		return rv;
+	reg = (rv & ~(3 << (2 * (nr + 1))))
+	    | (data->fan_div[nr] << (2 * (nr + 1)));
 	lm80_write_value(client, LM80_REG_FANDIV, reg);
 
 	/* Restore fan_min */
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 137/205] hwmon: (lm80) fix a missing check of bus read in lm80 probe
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 136/205] hwmon: (lm80) fix a missing check of the status of SMBus read Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 138/205] seq_buf: Make seq_buf_puts() null-terminate the buffer Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Guenter Roeck, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315 ]

In lm80_probe(), if lm80_read_value() fails, it returns a negative
error number which is stored to data->fan[f_min] and will be further
used. We should avoid using the data if the read fails.

The fix checks if lm80_read_value() fails, and if so, returns with the
error number.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/lm80.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c
index 04f9df0d2341..0e30fa00204c 100644
--- a/drivers/hwmon/lm80.c
+++ b/drivers/hwmon/lm80.c
@@ -628,6 +628,7 @@ static int lm80_probe(struct i2c_client *client,
 	struct device *dev = &client->dev;
 	struct device *hwmon_dev;
 	struct lm80_data *data;
+	int rv;
 
 	data = devm_kzalloc(dev, sizeof(struct lm80_data), GFP_KERNEL);
 	if (!data)
@@ -640,8 +641,14 @@ static int lm80_probe(struct i2c_client *client,
 	lm80_init_client(client);
 
 	/* A few vars need to be filled upon startup */
-	data->fan[f_min][0] = lm80_read_value(client, LM80_REG_FAN_MIN(1));
-	data->fan[f_min][1] = lm80_read_value(client, LM80_REG_FAN_MIN(2));
+	rv = lm80_read_value(client, LM80_REG_FAN_MIN(1));
+	if (rv < 0)
+		return rv;
+	data->fan[f_min][0] = rv;
+	rv = lm80_read_value(client, LM80_REG_FAN_MIN(2));
+	if (rv < 0)
+		return rv;
+	data->fan[f_min][1] = rv;
 
 	hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name,
 							   data, lm80_groups);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 138/205] seq_buf: Make seq_buf_puts() null-terminate the buffer
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 137/205] hwmon: (lm80) fix a missing check of bus read in lm80 probe Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 139/205] crypto: ux500 - Use proper enum in cryp_set_dma_transfer Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Michael Ellerman,
	Steven Rostedt (VMware),
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0464ed24380905d640030d368cd84a4e4d1e15e2 ]

Currently seq_buf_puts() will happily create a non null-terminated
string for you in the buffer. This is particularly dangerous if the
buffer is on the stack.

For example:

  char buf[8];
  char secret = "secret";
  struct seq_buf s;

  seq_buf_init(&s, buf, sizeof(buf));
  seq_buf_puts(&s, "foo");
  printk("Message is %s\n", buf);

Can result in:

  Message is fooªªªªªsecret

We could require all users to memset() their buffer to zero before
use. But that seems likely to be forgotten and lead to bugs.

Instead we can change seq_buf_puts() to always leave the buffer in a
null-terminated state.

The only downside is that this makes the buffer 1 character smaller
for seq_buf_puts(), but that seems like a good trade off.

Link: http://lkml.kernel.org/r/20181019042109.8064-1-mpe@ellerman.id.au

Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/seq_buf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/seq_buf.c b/lib/seq_buf.c
index 11f2ae0f9099..6aabb609dd87 100644
--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -144,9 +144,13 @@ int seq_buf_puts(struct seq_buf *s, const char *str)
 
 	WARN_ON(s->size == 0);
 
+	/* Add 1 to len for the trailing null byte which must be there */
+	len += 1;
+
 	if (seq_buf_can_fit(s, len)) {
 		memcpy(s->buffer + s->len, str, len);
-		s->len += len;
+		/* Don't count the trailing null byte against the capacity */
+		s->len += len - 1;
 		return 0;
 	}
 	seq_buf_set_overflow(s);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 139/205] crypto: ux500 - Use proper enum in cryp_set_dma_transfer
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 138/205] seq_buf: Make seq_buf_puts() null-terminate the buffer Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 140/205] crypto: ux500 - Use proper enum in hash_set_dma_transfer Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers,
	Herbert Xu, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9d880c5945c748d8edcac30965f3349a602158c4 ]

Clang warns when one enumerated type is implicitly converted to another:

drivers/crypto/ux500/cryp/cryp_core.c:559:5: warning: implicit
conversion from enumeration type 'enum dma_data_direction' to different
enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
                                direction, DMA_CTRL_ACK);
                                ^~~~~~~~~
drivers/crypto/ux500/cryp/cryp_core.c:583:5: warning: implicit
conversion from enumeration type 'enum dma_data_direction' to different
enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
                                direction,
                                ^~~~~~~~~
2 warnings generated.

dmaengine_prep_slave_sg expects an enum from dma_transfer_direction.
Because we know the value of the dma_data_direction enum from the
switch statement, we can just use the proper value from
dma_transfer_direction so there is no more conversion.

DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1
DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/ux500/cryp/cryp_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/ux500/cryp/cryp_core.c b/drivers/crypto/ux500/cryp/cryp_core.c
index 790f7cadc1ed..efebc484e371 100644
--- a/drivers/crypto/ux500/cryp/cryp_core.c
+++ b/drivers/crypto/ux500/cryp/cryp_core.c
@@ -555,7 +555,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx,
 		desc = dmaengine_prep_slave_sg(channel,
 				ctx->device->dma.sg_src,
 				ctx->device->dma.sg_src_len,
-				direction, DMA_CTRL_ACK);
+				DMA_MEM_TO_DEV, DMA_CTRL_ACK);
 		break;
 
 	case DMA_FROM_DEVICE:
@@ -579,7 +579,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx,
 		desc = dmaengine_prep_slave_sg(channel,
 				ctx->device->dma.sg_dst,
 				ctx->device->dma.sg_dst_len,
-				direction,
+				DMA_DEV_TO_MEM,
 				DMA_CTRL_ACK |
 				DMA_PREP_INTERRUPT);
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 140/205] crypto: ux500 - Use proper enum in hash_set_dma_transfer
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 139/205] crypto: ux500 - Use proper enum in cryp_set_dma_transfer Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:18 ` [PATCH 4.14 141/205] MIPS: ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8 Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers,
	Herbert Xu, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 5ac93f808338f4dd465402e91869702eb87db241 ]

Clang warns when one enumerated type is implicitly converted to another:

drivers/crypto/ux500/hash/hash_core.c:169:4: warning: implicit
conversion from enumeration type 'enum dma_data_direction' to different
enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
                        direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
                        ^~~~~~~~~
1 warning generated.

dmaengine_prep_slave_sg expects an enum from dma_transfer_direction.
We know that the only direction supported by this function is
DMA_TO_DEVICE because of the check at the top of this function so we can
just use the equivalent value from dma_transfer_direction.

DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/ux500/hash/hash_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c
index 9acccad26928..17c8e2b28c42 100644
--- a/drivers/crypto/ux500/hash/hash_core.c
+++ b/drivers/crypto/ux500/hash/hash_core.c
@@ -165,7 +165,7 @@ static int hash_set_dma_transfer(struct hash_ctx *ctx, struct scatterlist *sg,
 		__func__);
 	desc = dmaengine_prep_slave_sg(channel,
 			ctx->device->dma.sg, ctx->device->dma.sg_len,
-			direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
+			DMA_MEM_TO_DEV, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
 	if (!desc) {
 		dev_err(ctx->device->dev,
 			"%s: dmaengine_prep_slave_sg() failed!\n", __func__);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 141/205] MIPS: ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 140/205] crypto: ux500 - Use proper enum in hash_set_dma_transfer Greg Kroah-Hartman
@ 2019-02-11 14:18 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 142/205] cifs: check ntwrk_buf_start for NULL before dereferencing it Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Roese, Paul Burton,
	John Crispin, Daniel Schwierzeck, Ralf Baechle, linux-mips,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0b15394475e3bcaf35ca4bf22fc55d56df67224e ]

Testing has shown, that when using mainline U-Boot on MT7688 based
boards, the system may hang or crash while mounting the root-fs. The
main issue here is that mainline U-Boot configures EBase to a value
near the end of system memory. And with CONFIG_CPU_MIPSR2_IRQ_VI
disabled, trap_init() will not allocate a new area to place the
exception handler. The original value will be used and the handler
will be copied to this location, which might already be used by some
userspace application.

The MT7688 supports VI - its config3 register is 0x00002420, so VInt
(Bit 5) is set. But without setting CONFIG_CPU_MIPSR2_IRQ_VI this
bit will not be evaluated to result in "cpu_has_vi" being set. This
patch now selects CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8 which results
trap_init() to allocate some memory for the exception handler.

Please note that this issue was not seen with the Mediatek U-Boot
version, as it does not touch EBase (stays at default of 0x8000.0000).
This is strictly also not correct as the kernel (_text) resides
here.

Signed-off-by: Stefan Roese <sr@denx.de>
[paul.burton@mips.com: s/beeing/being/]
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: John Crispin <blogic@openwrt.org>
Cc: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/ralink/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/mips/ralink/Kconfig b/arch/mips/ralink/Kconfig
index f26736b7080b..fae36f0371d3 100644
--- a/arch/mips/ralink/Kconfig
+++ b/arch/mips/ralink/Kconfig
@@ -39,6 +39,7 @@ choice
 
 	config SOC_MT7620
 		bool "MT7620/8"
+		select CPU_MIPSR2_IRQ_VI
 		select HW_HAS_PCI
 
 	config SOC_MT7621
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 142/205] cifs: check ntwrk_buf_start for NULL before dereferencing it
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2019-02-11 14:18 ` [PATCH 4.14 141/205] MIPS: ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8 Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 143/205] um: Avoid marking pages with "changed protection" Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ronnie Sahlberg, Steve French, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 59a63e479ce36a3f24444c3a36efe82b78e4a8e0 ]

RHBZ: 1021460

There is an issue where when multiple threads open/close the same directory
ntwrk_buf_start might end up being NULL, causing the call to smbCalcSize
later to oops with a NULL deref.

The real bug is why this happens and why this can become NULL for an
open cfile, which should not be allowed.
This patch tries to avoid a oops until the time when we fix the underlying
issue.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/cifs/readdir.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
index ef24b4527459..68183872bf8b 100644
--- a/fs/cifs/readdir.c
+++ b/fs/cifs/readdir.c
@@ -655,7 +655,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
 		/* scan and find it */
 		int i;
 		char *cur_ent;
-		char *end_of_smb = cfile->srch_inf.ntwrk_buf_start +
+		char *end_of_smb;
+
+		if (cfile->srch_inf.ntwrk_buf_start == NULL) {
+			cifs_dbg(VFS, "ntwrk_buf_start is NULL during readdir\n");
+			return -EIO;
+		}
+
+		end_of_smb = cfile->srch_inf.ntwrk_buf_start +
 			server->ops->calc_smb_size(
 					cfile->srch_inf.ntwrk_buf_start);
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 143/205] um: Avoid marking pages with "changed protection"
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 142/205] cifs: check ntwrk_buf_start for NULL before dereferencing it Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 144/205] niu: fix missing checks of niu_pci_eeprom_read Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anton Ivanov, Richard Weinberger,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 8892d8545f2d0342b9c550defbfb165db237044b ]

Changing protection is a very high cost operation in UML
because in addition to an extra syscall it also interrupts
mmap merge sequences generated by the tlb.

While the condition is not particularly common it is worth
avoiding.

Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/um/include/asm/pgtable.h | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/arch/um/include/asm/pgtable.h b/arch/um/include/asm/pgtable.h
index 7485398d0737..9c04562310b3 100644
--- a/arch/um/include/asm/pgtable.h
+++ b/arch/um/include/asm/pgtable.h
@@ -197,12 +197,17 @@ static inline pte_t pte_mkold(pte_t pte)
 
 static inline pte_t pte_wrprotect(pte_t pte)
 { 
-	pte_clear_bits(pte, _PAGE_RW);
+	if (likely(pte_get_bits(pte, _PAGE_RW)))
+		pte_clear_bits(pte, _PAGE_RW);
+	else
+		return pte;
 	return(pte_mknewprot(pte)); 
 }
 
 static inline pte_t pte_mkread(pte_t pte)
 { 
+	if (unlikely(pte_get_bits(pte, _PAGE_USER)))
+		return pte;
 	pte_set_bits(pte, _PAGE_USER);
 	return(pte_mknewprot(pte)); 
 }
@@ -221,6 +226,8 @@ static inline pte_t pte_mkyoung(pte_t pte)
 
 static inline pte_t pte_mkwrite(pte_t pte)	
 {
+	if (unlikely(pte_get_bits(pte,  _PAGE_RW)))
+		return pte;
 	pte_set_bits(pte, _PAGE_RW);
 	return(pte_mknewprot(pte)); 
 }
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 144/205] niu: fix missing checks of niu_pci_eeprom_read
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 143/205] um: Avoid marking pages with "changed protection" Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 145/205] f2fs: fix sbi->extent_list corruption issue Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Shannon Nelson,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 26fd962bde0b15e54234fe762d86bc0349df1de4 ]

niu_pci_eeprom_read() may fail, so we should check its return value
before using the read data.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Acked-by: Shannon Nelson <shannon.lee.nelson@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/sun/niu.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
index e92f41d20a2c..411a69bea1d4 100644
--- a/drivers/net/ethernet/sun/niu.c
+++ b/drivers/net/ethernet/sun/niu.c
@@ -8119,6 +8119,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
 		start += 3;
 
 		prop_len = niu_pci_eeprom_read(np, start + 4);
+		if (prop_len < 0)
+			return prop_len;
 		err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64);
 		if (err < 0)
 			return err;
@@ -8163,8 +8165,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
 			netif_printk(np, probe, KERN_DEBUG, np->dev,
 				     "VPD_SCAN: Reading in property [%s] len[%d]\n",
 				     namebuf, prop_len);
-			for (i = 0; i < prop_len; i++)
-				*prop_buf++ = niu_pci_eeprom_read(np, off + i);
+			for (i = 0; i < prop_len; i++) {
+				err = niu_pci_eeprom_read(np, off + i);
+				if (err >= 0)
+					*prop_buf = err;
+				++prop_buf;
+			}
 		}
 
 		start += len;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 145/205] f2fs: fix sbi->extent_list corruption issue
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 144/205] niu: fix missing checks of niu_pci_eeprom_read Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 146/205] cgroup: fix parsing empty mount option string Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sahitya Tummala, Jaegeuk Kim, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e4589fa545e0020dbbc3c9bde35f35f949901392 ]

When there is a failure in f2fs_fill_super() after/during
the recovery of fsync'd nodes, it frees the current sbi and
retries again. This time the mount is successful, but the files
that got recovered before retry, still holds the extent tree,
whose extent nodes list is corrupted since sbi and sbi->extent_list
is freed up. The list_del corruption issue is observed when the
file system is getting unmounted and when those recoverd files extent
node is being freed up in the below context.

list_del corruption. prev->next should be fffffff1e1ef5480, but was (null)
<...>
kernel BUG at kernel/msm-4.14/lib/list_debug.c:53!
lr : __list_del_entry_valid+0x94/0xb4
pc : __list_del_entry_valid+0x94/0xb4
<...>
Call trace:
__list_del_entry_valid+0x94/0xb4
__release_extent_node+0xb0/0x114
__free_extent_tree+0x58/0x7c
f2fs_shrink_extent_tree+0xdc/0x3b0
f2fs_leave_shrinker+0x28/0x7c
f2fs_put_super+0xfc/0x1e0
generic_shutdown_super+0x70/0xf4
kill_block_super+0x2c/0x5c
kill_f2fs_super+0x44/0x50
deactivate_locked_super+0x60/0x8c
deactivate_super+0x68/0x74
cleanup_mnt+0x40/0x78
__cleanup_mnt+0x1c/0x28
task_work_run+0x48/0xd0
do_notify_resume+0x678/0xe98
work_pending+0x8/0x14

Fix this by not creating extents for those recovered files if shrinker is
not registered yet. Once mount is successful and shrinker is registered,
those files can have extents again.

Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/f2fs.h     | 11 ++++++++++-
 fs/f2fs/shrinker.c |  2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index d2873f227072..64760314c5f2 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -2295,10 +2295,19 @@ static inline bool is_dot_dotdot(const struct qstr *str)
 
 static inline bool f2fs_may_extent_tree(struct inode *inode)
 {
-	if (!test_opt(F2FS_I_SB(inode), EXTENT_CACHE) ||
+	struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+
+	if (!test_opt(sbi, EXTENT_CACHE) ||
 			is_inode_flag_set(inode, FI_NO_EXTENT))
 		return false;
 
+	/*
+	 * for recovered files during mount do not create extents
+	 * if shrinker is not registered.
+	 */
+	if (list_empty(&sbi->s_list))
+		return false;
+
 	return S_ISREG(inode->i_mode);
 }
 
diff --git a/fs/f2fs/shrinker.c b/fs/f2fs/shrinker.c
index 5c60fc28ec75..ec71d2e29a15 100644
--- a/fs/f2fs/shrinker.c
+++ b/fs/f2fs/shrinker.c
@@ -138,6 +138,6 @@ void f2fs_leave_shrinker(struct f2fs_sb_info *sbi)
 	f2fs_shrink_extent_tree(sbi, __count_extent_cache(sbi));
 
 	spin_lock(&f2fs_list_lock);
-	list_del(&sbi->s_list);
+	list_del_init(&sbi->s_list);
 	spin_unlock(&f2fs_list_lock);
 }
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 146/205] cgroup: fix parsing empty mount option string
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 145/205] f2fs: fix sbi->extent_list corruption issue Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 147/205] scripts/decode_stacktrace: only strip base path when a prefix of the path Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Smalley, Ondrej Mosnacek,
	Tejun Heo, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit e250d91d65750a0c0c62483ac4f9f357e7317617 ]

This fixes the case where all mount options specified are consumed by an
LSM and all that's left is an empty string. In this case cgroupfs should
accept the string and not fail.

How to reproduce (with SELinux enabled):

    # umount /sys/fs/cgroup/unified
    # mount -o context=system_u:object_r:cgroup_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
    mount: /sys/fs/cgroup/unified: wrong fs type, bad option, bad superblock on cgroup2, missing codepage or helper program, or other error.
    # dmesg | tail -n 1
    [   31.575952] cgroup: cgroup2: unknown option ""

Fixes: 67e9c74b8a87 ("cgroup: replace __DEVEL__sane_behavior with cgroup2 fs type")
[NOTE: should apply on top of commit 5136f6365ce3 ("cgroup: implement "nsdelegate" mount option"), older versions need manual rebase]
Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/cgroup/cgroup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 109c32c56de7..21bbfc09e395 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -1692,7 +1692,7 @@ static int parse_cgroup_root_flags(char *data, unsigned int *root_flags)
 
 	*root_flags = 0;
 
-	if (!data)
+	if (!data || *data == '\0')
 		return 0;
 
 	while ((token = strsep(&data, ",")) != NULL) {
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 147/205] scripts/decode_stacktrace: only strip base path when a prefix of the path
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 146/205] cgroup: fix parsing empty mount option string Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 148/205] ocfs2: dont clear bh uptodate for block read Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Will Deacon,
	Andrew Morton, Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 67a28de47faa83585dd644bd4c31e5a1d9346c50 ]

Running something like:

	decodecode vmlinux .

leads to interested results where not only the leading "." gets stripped
from the displayed paths, but also anywhere in the string, displaying
something like:

	kvm_vcpu_check_block (arch/arm64/kvm/virt/kvm/kvm_mainc:2141)

which doesn't help further processing.

Fix it by only stripping the base path if it is a prefix of the path.

Link: http://lkml.kernel.org/r/20181210174659.31054-3-marc.zyngier@arm.com
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/decode_stacktrace.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
index 64220e36ce3b..98a7d63a723e 100755
--- a/scripts/decode_stacktrace.sh
+++ b/scripts/decode_stacktrace.sh
@@ -78,7 +78,7 @@ parse_symbol() {
 	fi
 
 	# Strip out the base of the path
-	code=${code//$basepath/""}
+	code=${code//^$basepath/""}
 
 	# In the case of inlines, move everything to same line
 	code=${code//$'\n'/' '}
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 148/205] ocfs2: dont clear bh uptodate for block read
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 147/205] scripts/decode_stacktrace: only strip base path when a prefix of the path Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 149/205] ocfs2: improve ocfs2 Makefile Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junxiao Bi, Changwei Ge, Yiwen Jiang,
	Joel Becker, Joseph Qi, Jun Piao, Mark Fasheh, Andrew Morton,
	Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 70306d9dce75abde855cefaf32b3f71eed8602a3 ]

For sync io read in ocfs2_read_blocks_sync(), first clear bh uptodate flag
and submit the io, second wait io done, last check whether bh uptodate, if
not return io error.

If two sync io for the same bh were issued, it could be the first io done
and set uptodate flag, but just before check that flag, the second io came
in and cleared uptodate, then ocfs2_read_blocks_sync() for the first io
will return IO error.

Indeed it's not necessary to clear uptodate flag, as the io end handler
end_buffer_read_sync() will set or clear it based on io succeed or failed.

The following message was found from a nfs server but the underlying
storage returned no error.

[4106438.567376] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2780 ERROR: read block 1238823695 failed -5
[4106438.567569] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2812 ERROR: status = -5
[4106438.567611] (nfsd,7146,3):ocfs2_test_inode_bit:2894 ERROR: get alloc slot and bit failed -5
[4106438.567643] (nfsd,7146,3):ocfs2_test_inode_bit:2932 ERROR: status = -5
[4106438.567675] (nfsd,7146,3):ocfs2_get_dentry:94 ERROR: test inode bit failed -5

Same issue in non sync read ocfs2_read_blocks(), fixed it as well.

Link: http://lkml.kernel.org/r/20181121020023.3034-4-junxiao.bi@oracle.com
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Mark Fasheh <mfasheh@versity.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/buffer_head_io.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index 1d098c3c00e0..9f8250df99f1 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -152,7 +152,6 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
 #endif
 		}
 
-		clear_buffer_uptodate(bh);
 		get_bh(bh); /* for end_buffer_read_sync() */
 		bh->b_end_io = end_buffer_read_sync;
 		submit_bh(REQ_OP_READ, 0, bh);
@@ -306,7 +305,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 				continue;
 			}
 
-			clear_buffer_uptodate(bh);
 			get_bh(bh); /* for end_buffer_read_sync() */
 			if (validate)
 				set_buffer_needs_validate(bh);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 149/205] ocfs2: improve ocfs2 Makefile
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 148/205] ocfs2: dont clear bh uptodate for block read Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 150/205] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Larry Chen, Andrew Morton,
	Mark Fasheh, Joel Becker, Junxiao Bi, Joseph Qi, Changwei Ge,
	Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9e6aea22802b5684c7e1d69822aeb0844dd01953 ]

Included file path was hard-wired in the ocfs2 makefile, which might
causes some confusion when compiling ocfs2 as an external module.

Say if we compile ocfs2 module as following.
cp -r /kernel/tree/fs/ocfs2 /other/dir/ocfs2
cd /other/dir/ocfs2
make -C /path/to/kernel_source M=`pwd` modules

Acutally, the compiler wil try to find included file in
/kernel/tree/fs/ocfs2, rather than the directory /other/dir/ocfs2.

To fix this little bug, we introduce the var $(src) provided by kbuild.
$(src) means the absolute path of the running kbuild file.

Link: http://lkml.kernel.org/r/20181108085546.15149-1-lchen@suse.com
Signed-off-by: Larry Chen <lchen@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <ge.changwei@h3c.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/Makefile       | 2 +-
 fs/ocfs2/dlm/Makefile   | 2 +-
 fs/ocfs2/dlmfs/Makefile | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/Makefile b/fs/ocfs2/Makefile
index 99ee093182cb..cc9b32b9db7c 100644
--- a/fs/ocfs2/Makefile
+++ b/fs/ocfs2/Makefile
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: GPL-2.0
-ccflags-y := -Ifs/ocfs2
+ccflags-y := -I$(src)
 
 obj-$(CONFIG_OCFS2_FS) += 	\
 	ocfs2.o			\
diff --git a/fs/ocfs2/dlm/Makefile b/fs/ocfs2/dlm/Makefile
index bd1aab1f49a4..ef2854422a6e 100644
--- a/fs/ocfs2/dlm/Makefile
+++ b/fs/ocfs2/dlm/Makefile
@@ -1,4 +1,4 @@
-ccflags-y := -Ifs/ocfs2
+ccflags-y := -I$(src)/..
 
 obj-$(CONFIG_OCFS2_FS_O2CB) += ocfs2_dlm.o
 
diff --git a/fs/ocfs2/dlmfs/Makefile b/fs/ocfs2/dlmfs/Makefile
index eed3db8c5b49..33431a0296a3 100644
--- a/fs/ocfs2/dlmfs/Makefile
+++ b/fs/ocfs2/dlmfs/Makefile
@@ -1,4 +1,4 @@
-ccflags-y := -Ifs/ocfs2
+ccflags-y := -I$(src)/..
 
 obj-$(CONFIG_OCFS2_FS) += ocfs2_dlmfs.o
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 150/205] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 149/205] ocfs2: improve ocfs2 Makefile Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 151/205] gdrom: fix a memory leak bug Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 7418e6520f22a2e35815122fa5a53d5bbfa2c10f ]

In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and
HFCPCI_l1hw() may be concurrently executed.

HFCPCI_l1hw()
  line 1173: if (!cs->tx_skb)

hfcpci_interrupt()
  line 942: spin_lock_irqsave();
  line 1066: dev_kfree_skb_irq(cs->tx_skb);

Thus, a possible concurrency use-after-free bug may occur
in HFCPCI_l1hw().

To fix these bugs, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
access to cs->tx_skb.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hisax/hfc_pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c
index f9ca35cc32b1..b42d27a4c950 100644
--- a/drivers/isdn/hisax/hfc_pci.c
+++ b/drivers/isdn/hisax/hfc_pci.c
@@ -1169,11 +1169,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg)
 		if (cs->debug & L1_DEB_LAPD)
 			debugl1(cs, "-> PH_REQUEST_PULL");
 #endif
+		spin_lock_irqsave(&cs->lock, flags);
 		if (!cs->tx_skb) {
 			test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
 			st->l1.l1l2(st, PH_PULL | CONFIRM, NULL);
 		} else
 			test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
+		spin_unlock_irqrestore(&cs->lock, flags);
 		break;
 	case (HW_RESET | REQUEST):
 		spin_lock_irqsave(&cs->lock, flags);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 151/205] gdrom: fix a memory leak bug
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 150/205] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 152/205] fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address() Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017 ]

In probe_gdrom(), the buffer pointed by 'gd.cd_info' is allocated through
kzalloc() and is used to hold the information of the gdrom device. To
register and unregister the device, the pointer 'gd.cd_info' is passed to
the functions register_cdrom() and unregister_cdrom(), respectively.
However, this buffer is not freed after it is used, which can cause a
memory leak bug.

This patch simply frees the buffer 'gd.cd_info' in exit_gdrom() to fix the
above issue.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cdrom/gdrom.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
index ae3a7537cf0f..72cd96a8eb19 100644
--- a/drivers/cdrom/gdrom.c
+++ b/drivers/cdrom/gdrom.c
@@ -889,6 +889,7 @@ static void __exit exit_gdrom(void)
 	platform_device_unregister(pd);
 	platform_driver_unregister(&gdrom_driver);
 	kfree(gd.toc);
+	kfree(gd.cd_info);
 }
 
 module_init(init_gdrom);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 152/205] fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 151/205] gdrom: fix a memory leak bug Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 153/205] block/swim3: Fix -EBUSY error when re-opening device after unmount Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Scott Wood, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 0d9c9a238faf925823bde866182c663b6d734f2e ]

These functions are called from atomic context:

[    9.150239] BUG: sleeping function called from invalid context at /home/scott/git/linux/mm/slab.h:421
[    9.158159] in_atomic(): 1, irqs_disabled(): 0, pid: 4432, name: ip
[    9.163128] CPU: 8 PID: 4432 Comm: ip Not tainted 4.20.0-rc2-00169-g63d86876f324 #29
[    9.163130] Call Trace:
[    9.170701] [c0000002e899a980] [c0000000009c1068] .dump_stack+0xa8/0xec (unreliable)
[    9.177140] [c0000002e899aa10] [c00000000007a7b4] .___might_sleep+0x138/0x164
[    9.184440] [c0000002e899aa80] [c0000000001d5bac] .kmem_cache_alloc_trace+0x238/0x30c
[    9.191216] [c0000002e899ab40] [c00000000065ea1c] .memac_add_hash_mac_address+0x104/0x198
[    9.199464] [c0000002e899abd0] [c00000000065a788] .set_multi+0x1c8/0x218
[    9.206242] [c0000002e899ac80] [c0000000006615ec] .dpaa_set_rx_mode+0xdc/0x17c
[    9.213544] [c0000002e899ad00] [c00000000083d2b0] .__dev_set_rx_mode+0x80/0xd4
[    9.219535] [c0000002e899ad90] [c00000000083d334] .dev_set_rx_mode+0x30/0x54
[    9.225271] [c0000002e899ae10] [c00000000083d4a0] .__dev_open+0x148/0x1c8
[    9.230751] [c0000002e899aeb0] [c00000000083d934] .__dev_change_flags+0x19c/0x1e0
[    9.230755] [c0000002e899af60] [c00000000083d9a4] .dev_change_flags+0x2c/0x80
[    9.242752] [c0000002e899aff0] [c0000000008554ec] .do_setlink+0x350/0xf08
[    9.248228] [c0000002e899b170] [c000000000857ad0] .rtnl_newlink+0x588/0x7e0
[    9.253965] [c0000002e899b740] [c000000000852424] .rtnetlink_rcv_msg+0x3e0/0x498
[    9.261440] [c0000002e899b820] [c000000000884790] .netlink_rcv_skb+0x134/0x14c
[    9.267607] [c0000002e899b8e0] [c000000000851840] .rtnetlink_rcv+0x18/0x2c
[    9.274558] [c0000002e899b950] [c000000000883c8c] .netlink_unicast+0x214/0x318
[    9.281163] [c0000002e899ba00] [c000000000884220] .netlink_sendmsg+0x348/0x444
[    9.287076] [c0000002e899bae0] [c00000000080d13c] .sock_sendmsg+0x2c/0x54
[    9.287080] [c0000002e899bb50] [c0000000008106c0] .___sys_sendmsg+0x2d0/0x2d8
[    9.298375] [c0000002e899bd30] [c000000000811a80] .__sys_sendmsg+0x5c/0xb0
[    9.303939] [c0000002e899be20] [c0000000000006b0] system_call+0x60/0x6c

Signed-off-by: Scott Wood <oss@buserror.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/fman/fman_memac.c | 2 +-
 drivers/net/ethernet/freescale/fman/fman_tgec.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c
index c0296880feba..75ce773c21a6 100644
--- a/drivers/net/ethernet/freescale/fman/fman_memac.c
+++ b/drivers/net/ethernet/freescale/fman/fman_memac.c
@@ -927,7 +927,7 @@ int memac_add_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr)
 	hash = get_mac_addr_hash_code(addr) & HASH_CTRL_ADDR_MASK;
 
 	/* Create element to be added to the driver hash table */
-	hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
+	hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
 	if (!hash_entry)
 		return -ENOMEM;
 	hash_entry->addr = addr;
diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c
index 4b0f3a50b293..e575259d20f4 100644
--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c
+++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c
@@ -551,7 +551,7 @@ int tgec_add_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr)
 	hash = (crc >> TGEC_HASH_MCAST_SHIFT) & TGEC_HASH_ADR_MSK;
 
 	/* Create element to be added to the driver hash table */
-	hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
+	hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
 	if (!hash_entry)
 		return -ENOMEM;
 	hash_entry->addr = addr;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 153/205] block/swim3: Fix -EBUSY error when re-opening device after unmount
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 152/205] fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address() Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 154/205] thermal: bcm2835: enable hwmon explicitly Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, linuxppc-dev, Finn Thain, Jens Axboe,
	Sasha Levin, Stan Johnson

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 ]

When the block device is opened with FMODE_EXCL, ref_count is set to -1.
This value doesn't get reset when the device is closed which means the
device cannot be opened again. Fix this by checking for refcount <= 0
in the release method.

Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/swim3.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/block/swim3.c b/drivers/block/swim3.c
index 0d7527c6825a..2f7acdb830c3 100644
--- a/drivers/block/swim3.c
+++ b/drivers/block/swim3.c
@@ -1027,7 +1027,11 @@ static void floppy_release(struct gendisk *disk, fmode_t mode)
 	struct swim3 __iomem *sw = fs->swim3;
 
 	mutex_lock(&swim3_mutex);
-	if (fs->ref_count > 0 && --fs->ref_count == 0) {
+	if (fs->ref_count > 0)
+		--fs->ref_count;
+	else if (fs->ref_count == -1)
+		fs->ref_count = 0;
+	if (fs->ref_count == 0) {
 		swim3_action(fs, MOTOR_OFF);
 		out_8(&sw->control_bic, 0xff);
 		swim3_select(fs, RELAX);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 154/205] thermal: bcm2835: enable hwmon explicitly
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 153/205] block/swim3: Fix -EBUSY error when re-opening device after unmount Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 155/205] kdb: Dont back trace on a cpu that didnt round up Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Brugger, Stefan Wahren,
	Eduardo Valentin, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit d56c19d07e0bc3ceff366a49b7d7a2440c967b1b ]

By defaul of-based thermal driver do not enable hwmon.
This patch does this explicitly, so that the temperature can be read
through the common hwmon sysfs.

Signed-off-by: Matthias Brugger <mbrugger@suse.com>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/thermal/broadcom/bcm2835_thermal.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/thermal/broadcom/bcm2835_thermal.c b/drivers/thermal/broadcom/bcm2835_thermal.c
index 23ad4f9f2143..24b006a95142 100644
--- a/drivers/thermal/broadcom/bcm2835_thermal.c
+++ b/drivers/thermal/broadcom/bcm2835_thermal.c
@@ -27,6 +27,8 @@
 #include <linux/platform_device.h>
 #include <linux/thermal.h>
 
+#include "../thermal_hwmon.h"
+
 #define BCM2835_TS_TSENSCTL			0x00
 #define BCM2835_TS_TSENSSTAT			0x04
 
@@ -275,6 +277,15 @@ static int bcm2835_thermal_probe(struct platform_device *pdev)
 
 	platform_set_drvdata(pdev, tz);
 
+	/*
+	 * Thermal_zone doesn't enable hwmon as default,
+	 * enable it here
+	 */
+	tz->tzp->no_hwmon = false;
+	err = thermal_add_hwmon_sysfs(tz);
+	if (err)
+		goto err_tz;
+
 	bcm2835_thermal_debugfs(pdev);
 
 	return 0;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 155/205] kdb: Dont back trace on a cpu that didnt round up
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 154/205] thermal: bcm2835: enable hwmon explicitly Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 156/205] thermal: generic-adc: Fix adc to temp interpolation Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Douglas Anderson, Daniel Thompson,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 162bc7f5afd75b72acbe3c5f3488ef7e64a3fe36 ]

If you have a CPU that fails to round up and then run 'btc' you'll end
up crashing in kdb becaue we dereferenced NULL.  Let's add a check.
It's wise to also set the task to NULL when leaving the debugger so
that if we fail to round up on a later entry into the debugger we
won't backtrace a stale task.

Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/debug/debug_core.c       |  4 ++++
 kernel/debug/kdb/kdb_bt.c       | 11 ++++++++++-
 kernel/debug/kdb/kdb_debugger.c |  7 -------
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
index 65c0f1363788..94aa9ae0007a 100644
--- a/kernel/debug/debug_core.c
+++ b/kernel/debug/debug_core.c
@@ -535,6 +535,8 @@ return_normal:
 				arch_kgdb_ops.correct_hw_break();
 			if (trace_on)
 				tracing_on();
+			kgdb_info[cpu].debuggerinfo = NULL;
+			kgdb_info[cpu].task = NULL;
 			kgdb_info[cpu].exception_state &=
 				~(DCPU_WANT_MASTER | DCPU_IS_SLAVE);
 			kgdb_info[cpu].enter_kgdb--;
@@ -667,6 +669,8 @@ kgdb_restore:
 	if (trace_on)
 		tracing_on();
 
+	kgdb_info[cpu].debuggerinfo = NULL;
+	kgdb_info[cpu].task = NULL;
 	kgdb_info[cpu].exception_state &=
 		~(DCPU_WANT_MASTER | DCPU_IS_SLAVE);
 	kgdb_info[cpu].enter_kgdb--;
diff --git a/kernel/debug/kdb/kdb_bt.c b/kernel/debug/kdb/kdb_bt.c
index 7921ae4fca8d..7e2379aa0a1e 100644
--- a/kernel/debug/kdb/kdb_bt.c
+++ b/kernel/debug/kdb/kdb_bt.c
@@ -186,7 +186,16 @@ kdb_bt(int argc, const char **argv)
 		kdb_printf("btc: cpu status: ");
 		kdb_parse("cpu\n");
 		for_each_online_cpu(cpu) {
-			sprintf(buf, "btt 0x%px\n", KDB_TSK(cpu));
+			void *kdb_tsk = KDB_TSK(cpu);
+
+			/* If a CPU failed to round up we could be here */
+			if (!kdb_tsk) {
+				kdb_printf("WARNING: no task for cpu %ld\n",
+					   cpu);
+				continue;
+			}
+
+			sprintf(buf, "btt 0x%px\n", kdb_tsk);
 			kdb_parse(buf);
 			touch_nmi_watchdog();
 		}
diff --git a/kernel/debug/kdb/kdb_debugger.c b/kernel/debug/kdb/kdb_debugger.c
index 15e1a7af5dd0..53a0df6e4d92 100644
--- a/kernel/debug/kdb/kdb_debugger.c
+++ b/kernel/debug/kdb/kdb_debugger.c
@@ -118,13 +118,6 @@ int kdb_stub(struct kgdb_state *ks)
 	kdb_bp_remove();
 	KDB_STATE_CLEAR(DOING_SS);
 	KDB_STATE_SET(PAGER);
-	/* zero out any offline cpu data */
-	for_each_present_cpu(i) {
-		if (!cpu_online(i)) {
-			kgdb_info[i].debuggerinfo = NULL;
-			kgdb_info[i].task = NULL;
-		}
-	}
 	if (ks->err_code == DIE_OOPS || reason == KDB_REASON_OOPS) {
 		ks->pass_exception = 1;
 		KDB_FLAG_SET(CATASTROPHIC);
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 156/205] thermal: generic-adc: Fix adc to temp interpolation
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 155/205] kdb: Dont back trace on a cpu that didnt round up Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 157/205] HID: lenovo: Add checks to fix of_led_classdev_register Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laxman Dewangan, Bjorn Andersson,
	Eduardo Valentin, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9d216211fded20fff301d0317af3238d8383634c ]

First correct the edge case to return the last element if we're
outside the range, rather than at the last element, so that
interpolation is not omitted for points between the two last entries in
the table.

Then correct the formula to perform linear interpolation based the two
points surrounding the read ADC value. The indices for temp are kept as
"hi" and "lo" to pair with the adc indices, but there's no requirement
that the temperature is provided in descendent order. mult_frac() is
used to prevent issues with overflowing the int.

Cc: Laxman Dewangan <ldewangan@nvidia.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/thermal/thermal-generic-adc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/thermal/thermal-generic-adc.c b/drivers/thermal/thermal-generic-adc.c
index 73f55d6a1721..ad601e5b4175 100644
--- a/drivers/thermal/thermal-generic-adc.c
+++ b/drivers/thermal/thermal-generic-adc.c
@@ -26,7 +26,7 @@ struct gadc_thermal_info {
 
 static int gadc_thermal_adc_to_temp(struct gadc_thermal_info *gti, int val)
 {
-	int temp, adc_hi, adc_lo;
+	int temp, temp_hi, temp_lo, adc_hi, adc_lo;
 	int i;
 
 	for (i = 0; i < gti->nlookup_table; i++) {
@@ -36,13 +36,17 @@ static int gadc_thermal_adc_to_temp(struct gadc_thermal_info *gti, int val)
 
 	if (i == 0) {
 		temp = gti->lookup_table[0];
-	} else if (i >= (gti->nlookup_table - 1)) {
+	} else if (i >= gti->nlookup_table) {
 		temp = gti->lookup_table[2 * (gti->nlookup_table - 1)];
 	} else {
 		adc_hi = gti->lookup_table[2 * i - 1];
 		adc_lo = gti->lookup_table[2 * i + 1];
-		temp = gti->lookup_table[2 * i];
-		temp -= ((val - adc_lo) * 1000) / (adc_hi - adc_lo);
+
+		temp_hi = gti->lookup_table[2 * i - 2];
+		temp_lo = gti->lookup_table[2 * i];
+
+		temp = temp_hi + mult_frac(temp_lo - temp_hi, val - adc_hi,
+					   adc_lo - adc_hi);
 	}
 
 	return temp;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 157/205] HID: lenovo: Add checks to fix of_led_classdev_register
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 156/205] thermal: generic-adc: Fix adc to temp interpolation Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 158/205] fs/proc/base.c: use ns_capable instead of capable for timerslack_ns Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aditya Pakki, Jiri Kosina, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 6ae16dfb61bce538d48b7fe98160fada446056c5 ]

In lenovo_probe_tpkbd(), the function of_led_classdev_register() could
return an error value that is unchecked. The fix adds these checks.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-lenovo.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
index 643b6eb54442..eacc76d2ab96 100644
--- a/drivers/hid/hid-lenovo.c
+++ b/drivers/hid/hid-lenovo.c
@@ -743,7 +743,9 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev)
 	data_pointer->led_mute.brightness_get = lenovo_led_brightness_get_tpkbd;
 	data_pointer->led_mute.brightness_set = lenovo_led_brightness_set_tpkbd;
 	data_pointer->led_mute.dev = dev;
-	led_classdev_register(dev, &data_pointer->led_mute);
+	ret = led_classdev_register(dev, &data_pointer->led_mute);
+	if (ret < 0)
+		goto err;
 
 	data_pointer->led_micmute.name = name_micmute;
 	data_pointer->led_micmute.brightness_get =
@@ -751,7 +753,11 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev)
 	data_pointer->led_micmute.brightness_set =
 		lenovo_led_brightness_set_tpkbd;
 	data_pointer->led_micmute.dev = dev;
-	led_classdev_register(dev, &data_pointer->led_micmute);
+	ret = led_classdev_register(dev, &data_pointer->led_micmute);
+	if (ret < 0) {
+		led_classdev_unregister(&data_pointer->led_mute);
+		goto err;
+	}
 
 	lenovo_features_set_tpkbd(hdev);
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 158/205] fs/proc/base.c: use ns_capable instead of capable for timerslack_ns
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 157/205] HID: lenovo: Add checks to fix of_led_classdev_register Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 159/205] kernel/hung_task.c: break RCU locks based on jiffies Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Gordon, Eric W. Biederman,
	John Stultz, Kees Cook, Serge E. Hallyn, Thomas Gleixner,
	Arjan van de Ven, Oren Laadan, Ruchi Kandoi, Rom Lemarchand,
	Todd Kjos, Colin Cross, Nick Kralevich, Dmitry Shmidt,
	Elliott Hughes, Alexey Dobriyan, Andrew Morton, Linus Torvalds,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 8da0b4f692c6d90b09c91f271517db746a22ff67 ]

Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
in its effective capability set, but the current check looks in the root
namespace instead of the process' user namespace.  Since a process is
allowed to do other activities controlled by CAP_SYS_NICE inside a
namespace, it should also be able to adjust timerslack_ns.

Link: http://lkml.kernel.org/r/20181030180012.232896-1-bmgordon@google.com
Signed-off-by: Benjamin Gordon <bmgordon@google.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Oren Laadan <orenl@cellrox.com>
Cc: Ruchi Kandoi <kandoiruchi@google.com>
Cc: Rom Lemarchand <romlem@android.com>
Cc: Todd Kjos <tkjos@google.com>
Cc: Colin Cross <ccross@android.com>
Cc: Nick Kralevich <nnk@google.com>
Cc: Dmitry Shmidt <dimitrysh@google.com>
Cc: Elliott Hughes <enh@google.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/proc/base.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 9063738ff1f0..e26155a97afa 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2374,10 +2374,13 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
 		return -ESRCH;
 
 	if (p != current) {
-		if (!capable(CAP_SYS_NICE)) {
+		rcu_read_lock();
+		if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
+			rcu_read_unlock();
 			count = -EPERM;
 			goto out;
 		}
+		rcu_read_unlock();
 
 		err = security_task_setscheduler(p);
 		if (err) {
@@ -2410,11 +2413,14 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
 		return -ESRCH;
 
 	if (p != current) {
-
-		if (!capable(CAP_SYS_NICE)) {
+		rcu_read_lock();
+		if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
+			rcu_read_unlock();
 			err = -EPERM;
 			goto out;
 		}
+		rcu_read_unlock();
+
 		err = security_task_getscheduler(p);
 		if (err)
 			goto out;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 159/205] kernel/hung_task.c: break RCU locks based on jiffies
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 158/205] fs/proc/base.c: use ns_capable instead of capable for timerslack_ns Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 160/205] proc/sysctl: fix return error for proc_doulongvec_minmax() Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tetsuo Handa, Paul E. McKenney,
	Petr Mladek, Sergey Senozhatsky, Dmitry Vyukov,
	Rafael J. Wysocki, Vitaly Kuznetsov, Andrew Morton,
	Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 304ae42739b108305f8d7b3eb3c1aec7c2b643a9 ]

check_hung_uninterruptible_tasks() is currently calling rcu_lock_break()
for every 1024 threads.  But check_hung_task() is very slow if printk()
was called, and is very fast otherwise.

If many threads within some 1024 threads called printk(), the RCU grace
period might be extended enough to trigger RCU stall warnings.
Therefore, calling rcu_lock_break() for every some fixed jiffies will be
safer.

Link: http://lkml.kernel.org/r/1544800658-11423-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Paul E. McKenney <paulmck@linux.ibm.com>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/hung_task.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/hung_task.c b/kernel/hung_task.c
index 32b479468e4d..0cec1241e26f 100644
--- a/kernel/hung_task.c
+++ b/kernel/hung_task.c
@@ -33,7 +33,7 @@ int __read_mostly sysctl_hung_task_check_count = PID_MAX_LIMIT;
  * is disabled during the critical section. It also controls the size of
  * the RCU grace period. So it needs to be upper-bound.
  */
-#define HUNG_TASK_BATCHING 1024
+#define HUNG_TASK_LOCK_BREAK (HZ / 10)
 
 /*
  * Zero means infinite timeout - no checking done:
@@ -164,7 +164,7 @@ static bool rcu_lock_break(struct task_struct *g, struct task_struct *t)
 static void check_hung_uninterruptible_tasks(unsigned long timeout)
 {
 	int max_count = sysctl_hung_task_check_count;
-	int batch_count = HUNG_TASK_BATCHING;
+	unsigned long last_break = jiffies;
 	struct task_struct *g, *t;
 
 	/*
@@ -179,10 +179,10 @@ static void check_hung_uninterruptible_tasks(unsigned long timeout)
 	for_each_process_thread(g, t) {
 		if (!max_count--)
 			goto unlock;
-		if (!--batch_count) {
-			batch_count = HUNG_TASK_BATCHING;
+		if (time_after(jiffies, last_break + HUNG_TASK_LOCK_BREAK)) {
 			if (!rcu_lock_break(g, t))
 				goto unlock;
+			last_break = jiffies;
 		}
 		/* use "==" to skip the TASK_KILLABLE tasks waiting on NFS */
 		if (t->state == TASK_UNINTERRUPTIBLE)
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 160/205] proc/sysctl: fix return error for proc_doulongvec_minmax()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 159/205] kernel/hung_task.c: break RCU locks based on jiffies Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 161/205] kernel/hung_task.c: force console verbose before panic Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cheng Lin, Luis Chamberlain,
	Kees Cook, Alexey Dobriyan, Andrew Morton, Linus Torvalds,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 09be178400829dddc1189b50a7888495dd26aa84 ]

If the number of input parameters is less than the total parameters, an
EINVAL error will be returned.

For example, we use proc_doulongvec_minmax to pass up to two parameters
with kern_table:

{
	.procname       = "monitor_signals",
	.data           = &monitor_sigs,
	.maxlen         = 2*sizeof(unsigned long),
	.mode           = 0644,
	.proc_handler   = proc_doulongvec_minmax,
},

Reproduce:

When passing two parameters, it's work normal.  But passing only one
parameter, an error "Invalid argument"(EINVAL) is returned.

  [root@cl150 ~]# echo 1 2 > /proc/sys/kernel/monitor_signals
  [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals
  1       2
  [root@cl150 ~]# echo 3 > /proc/sys/kernel/monitor_signals
  -bash: echo: write error: Invalid argument
  [root@cl150 ~]# echo $?
  1
  [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals
  3       2
  [root@cl150 ~]#

The following is the result after apply this patch.  No error is
returned when the number of input parameters is less than the total
parameters.

  [root@cl150 ~]# echo 1 2 > /proc/sys/kernel/monitor_signals
  [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals
  1       2
  [root@cl150 ~]# echo 3 > /proc/sys/kernel/monitor_signals
  [root@cl150 ~]# echo $?
  0
  [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals
  3       2
  [root@cl150 ~]#

There are three processing functions dealing with digital parameters,
__do_proc_dointvec/__do_proc_douintvec/__do_proc_doulongvec_minmax.

This patch deals with __do_proc_doulongvec_minmax, just as
__do_proc_dointvec does, adding a check for parameters 'left'.  In
__do_proc_douintvec, its code implementation explicitly does not support
multiple inputs.

static int __do_proc_douintvec(...){
         ...
         /*
          * Arrays are not supported, keep this simple. *Do not* add
          * support for them.
          */
         if (vleft != 1) {
                 *lenp = 0;
                 return -EINVAL;
         }
         ...
}

So, just __do_proc_doulongvec_minmax has the problem.  And most use of
proc_doulongvec_minmax/proc_doulongvec_ms_jiffies_minmax just have one
parameter.

Link: http://lkml.kernel.org/r/1544081775-15720-1-git-send-email-cheng.lin130@zte.com.cn
Signed-off-by: Cheng Lin <cheng.lin130@zte.com.cn>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sysctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index d330b1ce3b94..3ad00bf90b3d 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2708,6 +2708,8 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
 			bool neg;
 
 			left -= proc_skip_spaces(&p);
+			if (!left)
+				break;
 
 			err = proc_get_long(&p, &left, &val, &neg,
 					     proc_wspace_sep,
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 161/205] kernel/hung_task.c: force console verbose before panic
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 160/205] proc/sysctl: fix return error for proc_doulongvec_minmax() Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 162/205] fs/epoll: drop ovflist branch prediction Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuansheng Liu, Petr Mladek,
	Sergey Senozhatsky, Tetsuo Handa, Andrew Morton, Linus Torvalds,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 168e06f7937d96c7222037d8a05565e8a6eb00fe ]

Based on commit 401c636a0eeb ("kernel/hung_task.c: show all hung tasks
before panic"), we could get the call stack of hung task.

However, if the console loglevel is not high, we still can not see the
useful panic information in practice, and in most cases users don't set
console loglevel to high level.

This patch is to force console verbose before system panic, so that the
real useful information can be seen in the console, instead of being
like the following, which doesn't have hung task information.

  INFO: task init:1 blocked for more than 120 seconds.
        Tainted: G     U  W         4.19.0-quilt-2e5dc0ac-g51b6c21d76cc #1
  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  Kernel panic - not syncing: hung_task: blocked tasks
  CPU: 2 PID: 479 Comm: khungtaskd Tainted: G     U  W         4.19.0-quilt-2e5dc0ac-g51b6c21d76cc #1
  Call Trace:
   dump_stack+0x4f/0x65
   panic+0xde/0x231
   watchdog+0x290/0x410
   kthread+0x12c/0x150
   ret_from_fork+0x35/0x40
  reboot: panic mode set: p,w
  Kernel Offset: 0x34000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

Link: http://lkml.kernel.org/r/27240C0AC20F114CBF8149A2696CBE4A6015B675@SHSMSX101.ccr.corp.intel.com
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/hung_task.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/kernel/hung_task.c b/kernel/hung_task.c
index 0cec1241e26f..f9aaf4994062 100644
--- a/kernel/hung_task.c
+++ b/kernel/hung_task.c
@@ -103,8 +103,11 @@ static void check_hung_task(struct task_struct *t, unsigned long timeout)
 
 	trace_sched_process_hang(t);
 
-	if (!sysctl_hung_task_warnings && !sysctl_hung_task_panic)
-		return;
+	if (sysctl_hung_task_panic) {
+		console_verbose();
+		hung_task_show_lock = true;
+		hung_task_call_panic = true;
+	}
 
 	/*
 	 * Ok, the task did not get scheduled for more than 2 minutes,
@@ -126,11 +129,6 @@ static void check_hung_task(struct task_struct *t, unsigned long timeout)
 	}
 
 	touch_nmi_watchdog();
-
-	if (sysctl_hung_task_panic) {
-		hung_task_show_lock = true;
-		hung_task_call_panic = true;
-	}
 }
 
 /*
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 162/205] fs/epoll: drop ovflist branch prediction
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 161/205] kernel/hung_task.c: force console verbose before panic Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 163/205] exec: load_script: dont blindly truncate shebang string Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Davidlohr Bueso, Andrew Morton,
	Al Viro, Jason Baron, Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 76699a67f3041ff4c7af6d6ee9be2bfbf1ffb671 ]

The ep->ovflist is a secondary ready-list to temporarily store events
that might occur when doing sproc without holding the ep->wq.lock.  This
accounts for every time we check for ready events and also send events
back to userspace; both callbacks, particularly the latter because of
copy_to_user, can account for a non-trivial time.

As such, the unlikely() check to see if the pointer is being used, seems
both misleading and sub-optimal.  In fact, we go to an awful lot of
trouble to sync both lists, and populating the ovflist is far from an
uncommon scenario.

For example, profiling a concurrent epoll_wait(2) benchmark, with
CONFIG_PROFILE_ANNOTATED_BRANCHES shows that for a two threads a 33%
incorrect rate was seen; and when incrementally increasing the number of
epoll instances (which is used, for example for multiple queuing load
balancing models), up to a 90% incorrect rate was seen.

Similarly, by deleting the prediction, 3% throughput boost was seen
across incremental threads.

Link: http://lkml.kernel.org/r/20181108051006.18751-4-dave@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jason Baron <jbaron@akamai.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/eventpoll.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 2fabd19cdeea..c291bf61afb9 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1167,7 +1167,7 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v
 	 * semantics). All the events that happen during that period of time are
 	 * chained in ep->ovflist and requeued later on.
 	 */
-	if (unlikely(ep->ovflist != EP_UNACTIVE_PTR)) {
+	if (ep->ovflist != EP_UNACTIVE_PTR) {
 		if (epi->next == EP_UNACTIVE_PTR) {
 			epi->next = ep->ovflist;
 			ep->ovflist = epi;
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 163/205] exec: load_script: dont blindly truncate shebang string
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 162/205] fs/epoll: drop ovflist branch prediction Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 164/205] scripts/gdb: fix lx-version string output Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Kees Cook,
	Michal Hocko, Ben Woodard, Eric W. Biederman, Andrew Morton,
	Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 8099b047ecc431518b9bb6bdbba3549bbecdc343 ]

load_script() simply truncates bprm->buf and this is very wrong if the
length of shebang string exceeds BINPRM_BUF_SIZE-2.  This can silently
truncate i_arg or (worse) we can execute the wrong binary if buf[2:126]
happens to be the valid executable path.

Change load_script() to return ENOEXEC if it can't find '\n' or zero in
bprm->buf.  Note that '\0' can come from either
prepare_binprm()->memset() or from kernel_read(), we do not care.

Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Ben Woodard <woodard@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/binfmt_script.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index 7cde3f46ad26..d0078cbb718b 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -42,10 +42,14 @@ static int load_script(struct linux_binprm *bprm)
 	fput(bprm->file);
 	bprm->file = NULL;
 
-	bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
-	if ((cp = strchr(bprm->buf, '\n')) == NULL)
-		cp = bprm->buf+BINPRM_BUF_SIZE-1;
+	for (cp = bprm->buf+2;; cp++) {
+		if (cp >= bprm->buf + BINPRM_BUF_SIZE)
+			return -ENOEXEC;
+		if (!*cp || (*cp == '\n'))
+			break;
+	}
 	*cp = '\0';
+
 	while (cp > bprm->buf) {
 		cp--;
 		if ((*cp == ' ') || (*cp == '\t'))
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 164/205] scripts/gdb: fix lx-version string output
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 163/205] exec: load_script: dont blindly truncate shebang string Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 165/205] thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Du Changbin, Kieran Bingham,
	Jan Kiszka, Jason Wessel, Daniel Thompson, Andrew Morton,
	Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit b058809bfc8faeb7b7cae047666e23375a060059 ]

A bug is present in GDB which causes early string termination when
parsing variables.  This has been reported [0], but we should ensure
that we can support at least basic printing of the core kernel strings.

For current gdb version (has been tested with 7.3 and 8.1), 'lx-version'
only prints one character.

  (gdb) lx-version
  L(gdb)

This can be fixed by casting 'linux_banner' as (char *).

  (gdb) lx-version
  Linux version 4.19.0-rc1+ (changbin@acer) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #21 SMP Sat Sep 1 21:43:30 CST 2018

[0] https://sourceware.org/bugzilla/show_bug.cgi?id=20077

[kbingham@kernel.org: add detail to commit message]
Link: http://lkml.kernel.org/r/20181111162035.8356-1-kieran.bingham@ideasonboard.com
Fixes: 2d061d999424 ("scripts/gdb: add version command")
Signed-off-by: Du Changbin <changbin.du@gmail.com>
Signed-off-by: Kieran Bingham <kbingham@kernel.org>
Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Jason Wessel <jason.wessel@windriver.com>
Cc: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/gdb/linux/proc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/gdb/linux/proc.py b/scripts/gdb/linux/proc.py
index 086d27223c0c..0aebd7565b03 100644
--- a/scripts/gdb/linux/proc.py
+++ b/scripts/gdb/linux/proc.py
@@ -41,7 +41,7 @@ class LxVersion(gdb.Command):
 
     def invoke(self, arg, from_tty):
         # linux_banner should contain a newline
-        gdb.write(gdb.parse_and_eval("linux_banner").string())
+        gdb.write(gdb.parse_and_eval("(char *)linux_banner").string())
 
 LxVersion()
 
-- 
2.19.1




^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 165/205] thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 164/205] scripts/gdb: fix lx-version string output Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 166/205] dccp: fool proof ccid_hc_[rt]x_parse_options() Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Eduardo Valentin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eduardo Valentin <edubezval@gmail.com>

commit 03334ba8b425b2ad275c8f390cf83c7b081c3095 upstream.

Avoid warnings like this:
thermal_hwmon.h:29:1: warning: ‘thermal_remove_hwmon_sysfs’ defined but not used [-Wunused-function]
 thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz)

Fixes: 0dd88793aacd ("thermal: hwmon: move hwmon support to single file")
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/thermal/thermal_hwmon.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/thermal/thermal_hwmon.h
+++ b/drivers/thermal/thermal_hwmon.h
@@ -34,13 +34,13 @@
 int thermal_add_hwmon_sysfs(struct thermal_zone_device *tz);
 void thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz);
 #else
-static int
+static inline int
 thermal_add_hwmon_sysfs(struct thermal_zone_device *tz)
 {
 	return 0;
 }
 
-static void
+static inline void
 thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz)
 {
 }



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 166/205] dccp: fool proof ccid_hc_[rt]x_parse_options()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 165/205] thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 167/205] enic: fix checksum validation for IPv6 Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, Gerrit Renker,
	David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 9b1f19d810e92d6cdc68455fbc22d9f961a58ce1 ]

Similarly to commit 276bdb82dedb ("dccp: check ccid before dereferencing")
it is wise to test for a NULL ccid.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env
RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0
kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5'
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654
 dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688
 sk_backlog_rcv include/net/sock.h:936 [inline]
 __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473
 dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880
 ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208
 ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524
 __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x76d/0x1930 net/core/dev.c:6412
 __do_softirq+0x30b/0xb11 kernel/softirq.c:292
 run_ksoftirqd kernel/softirq.c:654 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 58a0ba03bea2c376 ]---
RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/dccp/ccid.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -202,7 +202,7 @@ static inline void ccid_hc_tx_packet_rec
 static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk,
 					   u8 pkt, u8 opt, u8 *val, u8 len)
 {
-	if (ccid->ccid_ops->ccid_hc_tx_parse_options == NULL)
+	if (!ccid || !ccid->ccid_ops->ccid_hc_tx_parse_options)
 		return 0;
 	return ccid->ccid_ops->ccid_hc_tx_parse_options(sk, pkt, opt, val, len);
 }
@@ -214,7 +214,7 @@ static inline int ccid_hc_tx_parse_optio
 static inline int ccid_hc_rx_parse_options(struct ccid *ccid, struct sock *sk,
 					   u8 pkt, u8 opt, u8 *val, u8 len)
 {
-	if (ccid->ccid_ops->ccid_hc_rx_parse_options == NULL)
+	if (!ccid || !ccid->ccid_ops->ccid_hc_rx_parse_options)
 		return 0;
 	return ccid->ccid_ops->ccid_hc_rx_parse_options(sk, pkt, opt, val, len);
 }



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 167/205] enic: fix checksum validation for IPv6
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 166/205] dccp: fool proof ccid_hc_[rt]x_parse_options() Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 168/205] net: dp83640: expire old TX-skb Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Govindarajulu Varadarajan, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Govindarajulu Varadarajan <gvaradar@cisco.com>

[ Upstream commit 7596175e99b3d4bce28022193efd954c201a782a ]

In case of IPv6 pkts, ipv4_csum_ok is 0. Because of this, driver does
not set skb->ip_summed. So IPv6 rx checksum is not offloaded.

Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/cisco/enic/enic_main.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -1393,7 +1393,8 @@ static void enic_rq_indicate_buf(struct
 		 * csum is correct or is zero.
 		 */
 		if ((netdev->features & NETIF_F_RXCSUM) && !csum_not_calc &&
-		    tcp_udp_csum_ok && ipv4_csum_ok && outer_csum_ok) {
+		    tcp_udp_csum_ok && outer_csum_ok &&
+		    (ipv4_csum_ok || ipv6)) {
 			skb->ip_summed = CHECKSUM_UNNECESSARY;
 			skb->csum_level = encap;
 		}



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 168/205] net: dp83640: expire old TX-skb
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 167/205] enic: fix checksum validation for IPv6 Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 169/205] rxrpc: bad unlock balance in rxrpc_recvmsg Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior,
	Kurt Kanzenbach, Richard Cochran, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

[ Upstream commit 53bc8d2af08654659abfadfd3e98eb9922ff787c ]

During sendmsg() a cloned skb is saved via dp83640_txtstamp() in
->tx_queue. After the NIC sends this packet, the PHY will reply with a
timestamp for that TX packet. If the cable is pulled at the right time I
don't see that packet. It might gets flushed as part of queue shutdown
on NIC's side.
Once the link is up again then after the next sendmsg() we enqueue
another skb in dp83640_txtstamp() and have two on the list. Then the PHY
will send a reply and decode_txts() attaches it to the first skb on the
list.
No crash occurs since refcounting works but we are one packet behind.
linuxptp/ptp4l usually closes the socket and opens a new one (in such a
timeout case) so those "stale" replies never get there. However it does
not resume normal operation anymore.

Purge old skbs in decode_txts().

Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/dp83640.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -893,14 +893,14 @@ static void decode_txts(struct dp83640_p
 			struct phy_txts *phy_txts)
 {
 	struct skb_shared_hwtstamps shhwtstamps;
+	struct dp83640_skb_info *skb_info;
 	struct sk_buff *skb;
-	u64 ns;
 	u8 overflow;
+	u64 ns;
 
 	/* We must already have the skb that triggered this. */
-
+again:
 	skb = skb_dequeue(&dp83640->tx_queue);
-
 	if (!skb) {
 		pr_debug("have timestamp but tx_queue empty\n");
 		return;
@@ -915,6 +915,11 @@ static void decode_txts(struct dp83640_p
 		}
 		return;
 	}
+	skb_info = (struct dp83640_skb_info *)skb->cb;
+	if (time_after(jiffies, skb_info->tmo)) {
+		kfree_skb(skb);
+		goto again;
+	}
 
 	ns = phy2txts(phy_txts);
 	memset(&shhwtstamps, 0, sizeof(shhwtstamps));
@@ -1466,6 +1471,7 @@ static bool dp83640_rxtstamp(struct phy_
 static void dp83640_txtstamp(struct phy_device *phydev,
 			     struct sk_buff *skb, int type)
 {
+	struct dp83640_skb_info *skb_info = (struct dp83640_skb_info *)skb->cb;
 	struct dp83640_private *dp83640 = phydev->priv;
 
 	switch (dp83640->hwts_tx_en) {
@@ -1478,6 +1484,7 @@ static void dp83640_txtstamp(struct phy_
 		/* fall through */
 	case HWTSTAMP_TX_ON:
 		skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+		skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT;
 		skb_queue_tail(&dp83640->tx_queue, skb);
 		break;
 



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 169/205] rxrpc: bad unlock balance in rxrpc_recvmsg
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 168/205] net: dp83640: expire old TX-skb Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 170/205] skge: potential memory corruption in skge_get_regs() Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David Howells, syzbot,
	David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 6dce3c20ac429e7a651d728e375853370c796e8d ]

When either "goto wait_interrupted;" or "goto wait_error;"
paths are taken, socket lock has already been released.

This patch fixes following syzbot splat :

WARNING: bad unlock balance detected!
5.0.0-rc4+ #59 Not tainted
-------------------------------------
syz-executor223/8256 is trying to release lock (sk_lock-AF_RXRPC) at:
[<ffffffff86651353>] rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor223/8256:
 #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
 #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2798

stack backtrace:
CPU: 1 PID: 8256 Comm: syz-executor223 Not tainted 5.0.0-rc4+ #59
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_unlock_imbalance_bug kernel/locking/lockdep.c:3391 [inline]
 print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3368
 __lock_release kernel/locking/lockdep.c:3601 [inline]
 lock_release+0x67e/0xa00 kernel/locking/lockdep.c:3860
 sock_release_ownership include/net/sock.h:1471 [inline]
 release_sock+0x183/0x1c0 net/core/sock.c:2808
 rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg net/socket.c:801 [inline]
 sock_recvmsg+0xd0/0x110 net/socket.c:797
 __sys_recvfrom+0x1ff/0x350 net/socket.c:1845
 __do_sys_recvfrom net/socket.c:1863 [inline]
 __se_sys_recvfrom net/socket.c:1859 [inline]
 __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:1859
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446379
Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe5da89fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446379
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf

Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: David Howells <dhowells@redhat.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/recvmsg.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -588,6 +588,7 @@ error_requeue_call:
 	}
 error_no_call:
 	release_sock(&rx->sk);
+error_trace:
 	trace_rxrpc_recvmsg(call, rxrpc_recvmsg_return, 0, 0, 0, ret);
 	return ret;
 
@@ -596,7 +597,7 @@ wait_interrupted:
 wait_error:
 	finish_wait(sk_sleep(&rx->sk), &wait);
 	call = NULL;
-	goto error_no_call;
+	goto error_trace;
 }
 
 /**



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 170/205] skge: potential memory corruption in skge_get_regs()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 169/205] rxrpc: bad unlock balance in rxrpc_recvmsg Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 171/205] rds: fix refcount bug in rds_sock_addref Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ]

The "p" buffer is 0x4000 bytes long.  B3_RI_WTO_R1 is 0x190.  The value
of "regs->len" is in the 1-0x4000 range.  The bug here is that
"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
memory corruption and an abrupt crash.

Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/skge.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/marvell/skge.c
+++ b/drivers/net/ethernet/marvell/skge.c
@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_dev
 	memset(p, 0, regs->len);
 	memcpy_fromio(p, io, B3_RAM_ADDR);
 
-	memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
-		      regs->len - B3_RI_WTO_R1);
+	if (regs->len > B3_RI_WTO_R1) {
+		memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
+			      regs->len - B3_RI_WTO_R1);
+	}
 }
 
 /* Wake on Lan only supported on Yukon chips with rev 1 or above */



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 171/205] rds: fix refcount bug in rds_sock_addref
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 170/205] skge: potential memory corruption in skge_get_regs() Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 172/205] net: systemport: Fix WoL with password after deep sleep Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot,
	Sowmini Varadhan, Santosh Shilimkar, rds-devel, Cong Wang,
	David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 6fa19f5637a6c22bc0999596bcc83bdcac8a4fa6 ]

syzbot was able to catch a bug in rds [1]

The issue here is that the socket might be found in a hash table
but that its refcount has already be set to 0 by another cpu.

We need to use refcount_inc_not_zero() to be safe here.

[1]

refcount_t: increment on 0; use-after-free.
WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked lib/refcount.c:153 [inline]
WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked+0x61/0x70 lib/refcount.c:151
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 23129 Comm: syz-executor3 Not tainted 5.0.0-rc4+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 panic+0x2cb/0x65c kernel/panic.c:214
 __warn.cold+0x20/0x48 kernel/panic.c:571
 report_bug+0x263/0x2b0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:refcount_inc_checked lib/refcount.c:153 [inline]
RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:151
Code: 1d 51 63 c8 06 31 ff 89 de e8 eb 1b f2 fd 84 db 75 dd e8 a2 1a f2 fd 48 c7 c7 60 9f 81 88 c6 05 31 63 c8 06 01 e8 af 65 bb fd <0f> 0b eb c1 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 54 49
RSP: 0018:ffff8880a0cbf1e8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90006113000
RDX: 000000000001047d RSI: ffffffff81685776 RDI: 0000000000000005
RBP: ffff8880a0cbf1f8 R08: ffff888097c9e100 R09: ffffed1015ce5021
R10: ffffed1015ce5020 R11: ffff8880ae728107 R12: ffff8880723c20c0
R13: ffff8880723c24b0 R14: dffffc0000000000 R15: ffffed1014197e64
 sock_hold include/net/sock.h:647 [inline]
 rds_sock_addref+0x19/0x20 net/rds/af_rds.c:675
 rds_find_bound+0x97c/0x1080 net/rds/bind.c:82
 rds_recv_incoming+0x3be/0x1430 net/rds/recv.c:362
 rds_loop_xmit+0xf3/0x2a0 net/rds/loop.c:96
 rds_send_xmit+0x1355/0x2a10 net/rds/send.c:355
 rds_sendmsg+0x323c/0x44e0 net/rds/send.c:1368
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 __sys_sendto+0x387/0x5f0 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto net/socket.c:1796 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458089
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc266df8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000458089
RDX: 0000000000000000 RSI: 00000000204b3fff RDI: 0000000000000005
RBP: 000000000073bf00 R08: 00000000202b4000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc266df96d4
R13: 00000000004c56e4 R14: 00000000004d94a8 R15: 00000000ffffffff

Fixes: cc4dfb7f70a3 ("rds: fix two RCU related problems")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Cc: rds-devel@oss.oracle.com
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/bind.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/rds/bind.c
+++ b/net/rds/bind.c
@@ -62,10 +62,10 @@ struct rds_sock *rds_find_bound(__be32 a
 
 	rcu_read_lock();
 	rs = rhashtable_lookup(&bind_hash_table, &key, ht_parms);
-	if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
-		rds_sock_addref(rs);
-	else
+	if (rs && (sock_flag(rds_rs_to_sk(rs), SOCK_DEAD) ||
+		   !refcount_inc_not_zero(&rds_rs_to_sk(rs)->sk_refcnt)))
 		rs = NULL;
+
 	rcu_read_unlock();
 
 	rdsdebug("returning rs %p for %pI4:%u\n", rs, &addr,



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 172/205] net: systemport: Fix WoL with password after deep sleep
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 171/205] rds: fix refcount bug in rds_sock_addref Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 173/205] net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e ]

Broadcom STB chips support a deep sleep mode where all register
contents are lost. Because we were stashing the MagicPacket password
into some of these registers a suspend into that deep sleep then a
resumption would not lead to being able to wake-up from MagicPacket with
password again.

Fix this by keeping a software copy of the password and program it
during suspend.

Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bcmsysport.c |   25 ++++++++++---------------
 drivers/net/ethernet/broadcom/bcmsysport.h |    2 ++
 2 files changed, 12 insertions(+), 15 deletions(-)

--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -519,7 +519,6 @@ static void bcm_sysport_get_wol(struct n
 				struct ethtool_wolinfo *wol)
 {
 	struct bcm_sysport_priv *priv = netdev_priv(dev);
-	u32 reg;
 
 	wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE;
 	wol->wolopts = priv->wolopts;
@@ -527,11 +526,7 @@ static void bcm_sysport_get_wol(struct n
 	if (!(priv->wolopts & WAKE_MAGICSECURE))
 		return;
 
-	/* Return the programmed SecureOn password */
-	reg = umac_readl(priv, UMAC_PSW_MS);
-	put_unaligned_be16(reg, &wol->sopass[0]);
-	reg = umac_readl(priv, UMAC_PSW_LS);
-	put_unaligned_be32(reg, &wol->sopass[2]);
+	memcpy(wol->sopass, priv->sopass, sizeof(priv->sopass));
 }
 
 static int bcm_sysport_set_wol(struct net_device *dev,
@@ -547,13 +542,8 @@ static int bcm_sysport_set_wol(struct ne
 	if (wol->wolopts & ~supported)
 		return -EINVAL;
 
-	/* Program the SecureOn password */
-	if (wol->wolopts & WAKE_MAGICSECURE) {
-		umac_writel(priv, get_unaligned_be16(&wol->sopass[0]),
-			    UMAC_PSW_MS);
-		umac_writel(priv, get_unaligned_be32(&wol->sopass[2]),
-			    UMAC_PSW_LS);
-	}
+	if (wol->wolopts & WAKE_MAGICSECURE)
+		memcpy(priv->sopass, wol->sopass, sizeof(priv->sopass));
 
 	/* Flag the device and relevant IRQ as wakeup capable */
 	if (wol->wolopts) {
@@ -2221,12 +2211,17 @@ static int bcm_sysport_suspend_to_wol(st
 	unsigned int timeout = 1000;
 	u32 reg;
 
-	/* Password has already been programmed */
 	reg = umac_readl(priv, UMAC_MPD_CTRL);
 	reg |= MPD_EN;
 	reg &= ~PSW_EN;
-	if (priv->wolopts & WAKE_MAGICSECURE)
+	if (priv->wolopts & WAKE_MAGICSECURE) {
+		/* Program the SecureOn password */
+		umac_writel(priv, get_unaligned_be16(&priv->sopass[0]),
+			    UMAC_PSW_MS);
+		umac_writel(priv, get_unaligned_be32(&priv->sopass[2]),
+			    UMAC_PSW_LS);
 		reg |= PSW_EN;
+	}
 	umac_writel(priv, reg, UMAC_MPD_CTRL);
 
 	/* Make sure RBUF entered WoL mode as result */
--- a/drivers/net/ethernet/broadcom/bcmsysport.h
+++ b/drivers/net/ethernet/broadcom/bcmsysport.h
@@ -11,6 +11,7 @@
 #ifndef __BCM_SYSPORT_H
 #define __BCM_SYSPORT_H
 
+#include <linux/ethtool.h>
 #include <linux/if_vlan.h>
 
 /* Receive/transmit descriptor format */
@@ -754,6 +755,7 @@ struct bcm_sysport_priv {
 	unsigned int		crc_fwd:1;
 	u16			rev;
 	u32			wolopts;
+	u8			sopass[SOPASS_MAX];
 	unsigned int		wol_irq_disabled:1;
 
 	/* MIB related fields */



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 173/205] net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 172/205] net: systemport: Fix WoL with password after deep sleep Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 174/205] net: dsa: slave: Dont propagate flag changes on down slave interfaces Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Tariq Toukan,
	Nikola Ciprich, Cong Wang, Saeed Mahameed

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit e8c8b53ccaff568fef4c13a6ccaf08bf241aa01a ]

When an ethernet frame is padded to meet the minimum ethernet frame
size, the padding octets are not covered by the hardware checksum.
Fortunately the padding octets are usually zero's, which don't affect
checksum. However, we have a switch which pads non-zero octets, this
causes kernel hardware checksum fault repeatedly.

Prior to:
commit '88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE ...")'
skb checksum was forced to be CHECKSUM_NONE when padding is detected.
After it, we need to keep skb->csum updated, like what we do for RXFCS.
However, fixing up CHECKSUM_COMPLETE requires to verify and parse IP
headers, it is not worthy the effort as the packets are so small that
CHECKSUM_COMPLETE can't save anything.

Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends"),
Cc: Eric Dumazet <edumazet@google.com>
Cc: Tariq Toukan <tariqt@mellanox.com>
Cc: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -646,6 +646,8 @@ static u32 mlx5e_get_fcs(const struct sk
 	return __get_unaligned_cpu32(fcs_bytes);
 }
 
+#define short_frame(size) ((size) <= ETH_ZLEN + ETH_FCS_LEN)
+
 static inline void mlx5e_handle_csum(struct net_device *netdev,
 				     struct mlx5_cqe64 *cqe,
 				     struct mlx5e_rq *rq,
@@ -661,6 +663,17 @@ static inline void mlx5e_handle_csum(str
 		return;
 	}
 
+	/* CQE csum doesn't cover padding octets in short ethernet
+	 * frames. And the pad field is appended prior to calculating
+	 * and appending the FCS field.
+	 *
+	 * Detecting these padded frames requires to verify and parse
+	 * IP headers, so we simply force all those small frames to be
+	 * CHECKSUM_UNNECESSARY even if they are not padded.
+	 */
+	if (short_frame(skb->len))
+		goto csum_unnecessary;
+
 	if (is_first_ethertype_ip(skb)) {
 		skb->ip_summed = CHECKSUM_COMPLETE;
 		skb->csum = csum_unfold((__force __sum16)cqe->check_sum);
@@ -672,6 +685,7 @@ static inline void mlx5e_handle_csum(str
 		return;
 	}
 
+csum_unnecessary:
 	if (likely((cqe->hds_ip_ext & CQE_L3_OK) &&
 		   (cqe->hds_ip_ext & CQE_L4_OK))) {
 		skb->ip_summed = CHECKSUM_UNNECESSARY;



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 174/205] net: dsa: slave: Dont propagate flag changes on down slave interfaces
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 173/205] net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 175/205] ALSA: compress: Fix stop handling on compressed capture streams Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rundong Ge, David S. Miller

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rundong Ge <rdong.ge@gmail.com>

[ Upstream commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 ]

The unbalance of master's promiscuity or allmulti will happen after ifdown
and ifup a slave interface which is in a bridge.

When we ifdown a slave interface , both the 'dsa_slave_close' and
'dsa_slave_change_rx_flags' will clear the master's flags. The flags
of master will be decrease twice.
In the other hand, if we ifup the slave interface again, since the
slave's flags were cleared the 'dsa_slave_open' won't set the master's
flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
will set the master's flags. The flags of master is increase once.

Only propagating flag changes when a slave interface is up makes
sure this does not happen. The 'vlan_dev_change_rx_flags' had the
same problem and was fixed, and changes here follows that fix.

Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
Signed-off-by: Rundong Ge <rdong.ge@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/dsa/slave.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -156,10 +156,14 @@ static void dsa_slave_change_rx_flags(st
 	struct dsa_slave_priv *p = netdev_priv(dev);
 	struct net_device *master = dsa_master_netdev(p);
 
-	if (change & IFF_ALLMULTI)
-		dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1);
-	if (change & IFF_PROMISC)
-		dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1);
+	if (dev->flags & IFF_UP) {
+		if (change & IFF_ALLMULTI)
+			dev_set_allmulti(master,
+					 dev->flags & IFF_ALLMULTI ? 1 : -1);
+		if (change & IFF_PROMISC)
+			dev_set_promiscuity(master,
+					    dev->flags & IFF_PROMISC ? 1 : -1);
+	}
 }
 
 static void dsa_slave_set_rx_mode(struct net_device *dev)



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 175/205] ALSA: compress: Fix stop handling on compressed capture streams
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 174/205] net: dsa: slave: Dont propagate flag changes on down slave interfaces Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 176/205] ALSA: hda - Serialize codec registrations Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Charles Keepax, Takashi Iwai

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Charles Keepax <ckeepax@opensource.cirrus.com>

commit 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 upstream.

It is normal user behaviour to start, stop, then start a stream
again without closing it. Currently this works for compressed
playback streams but not capture ones.

The states on a compressed capture stream go directly from OPEN to
PREPARED, unlike a playback stream which moves to SETUP and waits
for a write of data before moving to PREPARED. Currently however,
when a stop is sent the state is set to SETUP for both types of
streams. This leaves a capture stream in the situation where a new
start can't be sent as that requires the state to be PREPARED and
a new set_params can't be sent as that requires the state to be
OPEN. The only option being to close the stream, and then reopen.

Correct this issues by allowing snd_compr_drain_notify to set the
state depending on the stream direction, as we already do in
set_params.

Fixes: 49bb6402f1aa ("ALSA: compress_core: Add support for capture streams")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/sound/compress_driver.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/include/sound/compress_driver.h
+++ b/include/sound/compress_driver.h
@@ -186,7 +186,11 @@ static inline void snd_compr_drain_notif
 	if (snd_BUG_ON(!stream))
 		return;
 
-	stream->runtime->state = SNDRV_PCM_STATE_SETUP;
+	if (stream->direction == SND_COMPRESS_PLAYBACK)
+		stream->runtime->state = SNDRV_PCM_STATE_SETUP;
+	else
+		stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
+
 	wake_up(&stream->runtime->sleep);
 }
 



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 176/205] ALSA: hda - Serialize codec registrations
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 175/205] ALSA: compress: Fix stop handling on compressed capture streams Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 177/205] fuse: call pipe_buf_release() under pipe lock Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 305a0ade180981686eec1f92aa6252a7c6ebb1cf upstream.

In the current code, the codec registration may happen both at the
codec bind time and the end of the controller probe time.  In a rare
occasion, they race with each other, leading to Oops due to the still
uninitialized card device.

This patch introduces a simple flag to prevent the codec registration
at the codec bind time as long as the controller probe is going on.
The controller probe invokes snd_card_register() that does the whole
registration task, and we don't need to register each piece
beforehand.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_bind.c  |    3 ++-
 sound/pci/hda/hda_codec.h |    1 +
 sound/pci/hda/hda_intel.c |    2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/hda_bind.c
+++ b/sound/pci/hda/hda_bind.c
@@ -109,7 +109,8 @@ static int hda_codec_driver_probe(struct
 	err = snd_hda_codec_build_controls(codec);
 	if (err < 0)
 		goto error_module;
-	if (codec->card->registered) {
+	/* only register after the bus probe finished; otherwise it's racy */
+	if (!codec->bus->bus_probing && codec->card->registered) {
 		err = snd_card_register(codec->card);
 		if (err < 0)
 			goto error_module;
--- a/sound/pci/hda/hda_codec.h
+++ b/sound/pci/hda/hda_codec.h
@@ -68,6 +68,7 @@ struct hda_bus {
 	unsigned int response_reset:1;	/* controller was reset */
 	unsigned int in_reset:1;	/* during reset operation */
 	unsigned int no_response_fallback:1; /* don't fallback at RIRB error */
+	unsigned int bus_probing :1;	/* during probing process */
 
 	int primary_dig_out_type;	/* primary digital out PCM type */
 	unsigned int mixer_assigned;	/* codec addr for mixer name */
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2236,6 +2236,7 @@ static int azx_probe_continue(struct azx
 	int val;
 	int err;
 
+	to_hda_bus(bus)->bus_probing = 1;
 	hda->probe_continued = 1;
 
 	/* bind with i915 if needed */
@@ -2341,6 +2342,7 @@ i915_power_fail:
 	if (err < 0)
 		hda->init_failed = 1;
 	complete_all(&hda->probe_wait);
+	to_hda_bus(bus)->bus_probing = 0;
 	return err;
 }
 



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 177/205] fuse: call pipe_buf_release() under pipe lock
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 176/205] ALSA: hda - Serialize codec registrations Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 178/205] fuse: decrement NR_WRITEBACK_TEMP on the right page Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jann Horn, Miklos Szeredi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.

Some of the pipe_buf_release() handlers seem to assume that the pipe is
locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
without taking any extra locks. From a glance through the callers of
pipe_buf_release(), it looks like FUSE is the only one that calls
pipe_buf_release() without having the pipe locked.

This bug should only lead to a memory leak, nothing terrible.

Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2024,8 +2024,10 @@ static ssize_t fuse_dev_splice_write(str
 
 	ret = fuse_dev_do_write(fud, &cs, len);
 
+	pipe_lock(pipe);
 	for (idx = 0; idx < nbuf; idx++)
 		pipe_buf_release(pipe, &bufs[idx]);
+	pipe_unlock(pipe);
 
 out:
 	kfree(bufs);



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 178/205] fuse: decrement NR_WRITEBACK_TEMP on the right page
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 177/205] fuse: call pipe_buf_release() under pipe lock Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 179/205] fuse: handle zero sized retrieve correctly Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit a2ebba824106dabe79937a9f29a875f837e1b6d4 upstream.

NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not
the page cache page.

Fixes: 8b284dc47291 ("fuse: writepages: handle same page rewrites")
Cc: <stable@vger.kernel.org> # v3.13
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1777,7 +1777,7 @@ static bool fuse_writepage_in_flight(str
 		spin_unlock(&fc->lock);
 
 		dec_wb_stat(&bdi->wb, WB_WRITEBACK);
-		dec_node_page_state(page, NR_WRITEBACK_TEMP);
+		dec_node_page_state(new_req->pages[0], NR_WRITEBACK_TEMP);
 		wb_writeout_inc(&bdi->wb);
 		fuse_writepage_free(fc, new_req);
 		fuse_request_free(new_req);



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 179/205] fuse: handle zero sized retrieve correctly
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 178/205] fuse: decrement NR_WRITEBACK_TEMP on the right page Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 180/205] dmaengine: bcm2835: Fix interrupt race on RT Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c1e36d30ee3416289cc0, Miklos Szeredi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 97e1532ef81acb31c30f9e75bf00306c33a77812 upstream.

Dereferencing req->page_descs[0] will Oops if req->max_pages is zero.

Reported-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
Tested-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
Fixes: b2430d7567a3 ("fuse: add per-page descriptor <offset, length> to fuse_req")
Cc: <stable@vger.kernel.org> # v3.9
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1691,7 +1691,6 @@ static int fuse_retrieve(struct fuse_con
 	req->in.h.nodeid = outarg->nodeid;
 	req->in.numargs = 2;
 	req->in.argpages = 1;
-	req->page_descs[0].offset = offset;
 	req->end = fuse_retrieve_end;
 
 	index = outarg->offset >> PAGE_SHIFT;
@@ -1706,6 +1705,7 @@ static int fuse_retrieve(struct fuse_con
 
 		this_num = min_t(unsigned, num, PAGE_SIZE - offset);
 		req->pages[req->num_pages] = page;
+		req->page_descs[req->num_pages].offset = offset;
 		req->page_descs[req->num_pages].length = this_num;
 		req->num_pages++;
 



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 180/205] dmaengine: bcm2835: Fix interrupt race on RT
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 179/205] fuse: handle zero sized retrieve correctly Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 181/205] dmaengine: bcm2835: Fix abort of transactions Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Frank Pavlic,
	Martin Sperl, Florian Meier, Clive Messer, Matthias Reichl,
	Stefan Wahren, Florian Kauer, Vinod Koul

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit f7da7782aba92593f7b82f03d2409a1c5f4db91b upstream.

If IRQ handlers are threaded (either because CONFIG_PREEMPT_RT_BASE is
enabled or "threadirqs" was passed on the command line) and if system
load is sufficiently high that wakeup latency of IRQ threads degrades,
SPI DMA transactions on the BCM2835 occasionally break like this:

ks8851 spi0.0: SPI transfer timed out
bcm2835-dma 3f007000.dma: DMA transfer could not be terminated
ks8851 spi0.0 eth2: ks8851_rdfifo: spi_sync() failed

The root cause is an assumption made by the DMA driver which is
documented in a code comment in bcm2835_dma_terminate_all():

/*
 * Stop DMA activity: we assume the callback will not be called
 * after bcm_dma_abort() returns (even if it does, it will see
 * c->desc is NULL and exit.)
 */

That assumption falls apart if the IRQ handler bcm2835_dma_callback() is
threaded: A client may terminate a descriptor and issue a new one
before the IRQ handler had a chance to run. In fact the IRQ handler may
miss an *arbitrary* number of descriptors. The result is the following
race condition:

1. A descriptor finishes, its interrupt is deferred to the IRQ thread.
2. A client calls dma_terminate_async() which sets channel->desc = NULL.
3. The client issues a new descriptor. Because channel->desc is NULL,
   bcm2835_dma_issue_pending() immediately starts the descriptor.
4. Finally the IRQ thread runs and writes BCM2835_DMA_INT to the CS
   register to acknowledge the interrupt. This clears the ACTIVE flag,
   so the newly issued descriptor is paused in the middle of the
   transaction. Because channel->desc is not NULL, the IRQ thread
   finalizes the descriptor and tries to start the next one.

I see two possible solutions: The first is to call synchronize_irq()
in bcm2835_dma_issue_pending() to wait until the IRQ thread has
finished before issuing a new descriptor. The downside of this approach
is unnecessary latency if clients desire rapidly terminating and
re-issuing descriptors and don't have any use for an IRQ callback.
(The SPI TX DMA channel is a case in point.)

A better alternative is to make the IRQ thread recognize that it has
missed descriptors and avoid finalizing the newly issued descriptor.
So first of all, set the ACTIVE flag when acknowledging the interrupt.
This keeps a newly issued descriptor running.

If the descriptor was finished, the channel remains idle despite the
ACTIVE flag being set. However the ACTIVE flag can then no longer be
used to check whether the channel is idle, so instead check whether
the register containing the current control block address is zero
and finalize the current descriptor only if so.

That way, there is no impact on latency and throughput if the client
doesn't care for the interrupt: Only minimal additional overhead is
introduced for non-cyclic descriptors as one further MMIO read is
necessary per interrupt to check for idleness of the channel. Cyclic
descriptors are sped up slightly by removing one MMIO write per
interrupt.

Fixes: 96286b576690 ("dmaengine: Add support for BCM2835")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v3.14+
Cc: Frank Pavlic <f.pavlic@kunbus.de>
Cc: Martin Sperl <kernel@martin.sperl.org>
Cc: Florian Meier <florian.meier@koalo.de>
Cc: Clive Messer <clive.m.messer@gmail.com>
Cc: Matthias Reichl <hias@horus.com>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Florian Kauer <florian.kauer@koalo.de>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/bcm2835-dma.c |   33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

--- a/drivers/dma/bcm2835-dma.c
+++ b/drivers/dma/bcm2835-dma.c
@@ -421,7 +421,12 @@ static int bcm2835_dma_abort(void __iome
 	long int timeout = 10000;
 
 	cs = readl(chan_base + BCM2835_DMA_CS);
-	if (!(cs & BCM2835_DMA_ACTIVE))
+
+	/*
+	 * A zero control block address means the channel is idle.
+	 * (The ACTIVE flag in the CS register is not a reliable indicator.)
+	 */
+	if (!readl(chan_base + BCM2835_DMA_ADDR))
 		return 0;
 
 	/* Write 0 to the active bit - Pause the DMA */
@@ -485,8 +490,15 @@ static irqreturn_t bcm2835_dma_callback(
 
 	spin_lock_irqsave(&c->vc.lock, flags);
 
-	/* Acknowledge interrupt */
-	writel(BCM2835_DMA_INT, c->chan_base + BCM2835_DMA_CS);
+	/*
+	 * Clear the INT flag to receive further interrupts. Keep the channel
+	 * active in case the descriptor is cyclic or in case the client has
+	 * already terminated the descriptor and issued a new one. (May happen
+	 * if this IRQ handler is threaded.) If the channel is finished, it
+	 * will remain idle despite the ACTIVE flag being set.
+	 */
+	writel(BCM2835_DMA_INT | BCM2835_DMA_ACTIVE,
+	       c->chan_base + BCM2835_DMA_CS);
 
 	d = c->desc;
 
@@ -494,11 +506,7 @@ static irqreturn_t bcm2835_dma_callback(
 		if (d->cyclic) {
 			/* call the cyclic callback */
 			vchan_cyclic_callback(&d->vd);
-
-			/* Keep the DMA engine running */
-			writel(BCM2835_DMA_ACTIVE,
-			       c->chan_base + BCM2835_DMA_CS);
-		} else {
+		} else if (!readl(c->chan_base + BCM2835_DMA_ADDR)) {
 			vchan_cookie_complete(&c->desc->vd);
 			bcm2835_dma_start_desc(c);
 		}
@@ -806,11 +814,7 @@ static int bcm2835_dma_terminate_all(str
 	list_del_init(&c->node);
 	spin_unlock(&d->lock);
 
-	/*
-	 * Stop DMA activity: we assume the callback will not be called
-	 * after bcm_dma_abort() returns (even if it does, it will see
-	 * c->desc is NULL and exit.)
-	 */
+	/* stop DMA activity */
 	if (c->desc) {
 		bcm2835_dma_desc_free(&c->desc->vd);
 		c->desc = NULL;
@@ -818,8 +822,7 @@ static int bcm2835_dma_terminate_all(str
 
 		/* Wait for stopping */
 		while (--timeout) {
-			if (!(readl(c->chan_base + BCM2835_DMA_CS) &
-						BCM2835_DMA_ACTIVE))
+			if (!readl(c->chan_base + BCM2835_DMA_ADDR))
 				break;
 
 			cpu_relax();



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 181/205] dmaengine: bcm2835: Fix abort of transactions
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 180/205] dmaengine: bcm2835: Fix interrupt race on RT Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 182/205] dmaengine: imx-dma: fix wrong callback invoke Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Frank Pavlic,
	Martin Sperl, Florian Meier, Clive Messer, Matthias Reichl,
	Stefan Wahren, Florian Kauer, Vinod Koul

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 9e528c799d17a4ac37d788c81440b50377dd592d upstream.

There are multiple issues with bcm2835_dma_abort() (which is called on
termination of a transaction):

* The algorithm to abort the transaction first pauses the channel by
  clearing the ACTIVE flag in the CS register, then waits for the PAUSED
  flag to clear.  Page 49 of the spec documents the latter as follows:

  "Indicates if the DMA is currently paused and not transferring data.
   This will occur if the active bit has been cleared [...]"
   https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf

  So the function is entering an infinite loop because it is waiting for
  PAUSED to clear which is always set due to the function having cleared
  the ACTIVE flag.  The only thing that's saving it from itself is the
  upper bound of 10000 loop iterations.

  The code comment says that the intention is to "wait for any current
  AXI transfer to complete", so the author probably wanted to check the
  WAITING_FOR_OUTSTANDING_WRITES flag instead.  Amend the function
  accordingly.

* The CS register is only read at the beginning of the function.  It
  needs to be read again after pausing the channel and before checking
  for outstanding writes, otherwise writes which were issued between
  the register read at the beginning of the function and pausing the
  channel may not be waited for.

* The function seeks to abort the transfer by writing 0 to the NEXTCONBK
  register and setting the ABORT and ACTIVE flags.  Thereby, the 0 in
  NEXTCONBK is sought to be loaded into the CONBLK_AD register.  However
  experimentation has shown this approach to not work:  The CONBLK_AD
  register remains the same as before and the CS register contains
  0x00000030 (PAUSED | DREQ_STOPS_DMA).  In other words, the control
  block is not aborted but merely paused and it will be resumed once the
  next DMA transaction is started.  That is absolutely not the desired
  behavior.

  A simpler approach is to set the channel's RESET flag instead.  This
  reliably zeroes the NEXTCONBK as well as the CS register.  It requires
  less code and only a single MMIO write.  This is also what popular
  user space DMA drivers do, e.g.:
  https://github.com/metachris/RPIO/blob/master/source/c_pwm/pwm.c

  Note that the spec is contradictory whether the NEXTCONBK register
  is writeable at all.  On the one hand, page 41 claims:

  "The value loaded into the NEXTCONBK register can be overwritten so
  that the linked list of Control Block data structures can be
  dynamically altered. However it is only safe to do this when the DMA
  is paused."

  On the other hand, page 40 specifies:

  "Only three registers in each channel's register set are directly
  writeable (CS, CONBLK_AD and DEBUG). The other registers (TI,
  SOURCE_AD, DEST_AD, TXFR_LEN, STRIDE & NEXTCONBK), are automatically
  loaded from a Control Block data structure held in external memory."

Fixes: 96286b576690 ("dmaengine: Add support for BCM2835")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v3.14+
Cc: Frank Pavlic <f.pavlic@kunbus.de>
Cc: Martin Sperl <kernel@martin.sperl.org>
Cc: Florian Meier <florian.meier@koalo.de>
Cc: Clive Messer <clive.m.messer@gmail.com>
Cc: Matthias Reichl <hias@horus.com>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Florian Kauer <florian.kauer@koalo.de>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/bcm2835-dma.c |   41 +++++++++--------------------------------
 1 file changed, 9 insertions(+), 32 deletions(-)

--- a/drivers/dma/bcm2835-dma.c
+++ b/drivers/dma/bcm2835-dma.c
@@ -415,13 +415,11 @@ static void bcm2835_dma_fill_cb_chain_wi
 	}
 }
 
-static int bcm2835_dma_abort(void __iomem *chan_base)
+static int bcm2835_dma_abort(struct bcm2835_chan *c)
 {
-	unsigned long cs;
+	void __iomem *chan_base = c->chan_base;
 	long int timeout = 10000;
 
-	cs = readl(chan_base + BCM2835_DMA_CS);
-
 	/*
 	 * A zero control block address means the channel is idle.
 	 * (The ACTIVE flag in the CS register is not a reliable indicator.)
@@ -433,25 +431,16 @@ static int bcm2835_dma_abort(void __iome
 	writel(0, chan_base + BCM2835_DMA_CS);
 
 	/* Wait for any current AXI transfer to complete */
-	while ((cs & BCM2835_DMA_ISPAUSED) && --timeout) {
+	while ((readl(chan_base + BCM2835_DMA_CS) &
+		BCM2835_DMA_WAITING_FOR_WRITES) && --timeout)
 		cpu_relax();
-		cs = readl(chan_base + BCM2835_DMA_CS);
-	}
 
-	/* We'll un-pause when we set of our next DMA */
+	/* Peripheral might be stuck and fail to signal AXI write responses */
 	if (!timeout)
-		return -ETIMEDOUT;
-
-	if (!(cs & BCM2835_DMA_ACTIVE))
-		return 0;
-
-	/* Terminate the control block chain */
-	writel(0, chan_base + BCM2835_DMA_NEXTCB);
-
-	/* Abort the whole DMA */
-	writel(BCM2835_DMA_ABORT | BCM2835_DMA_ACTIVE,
-	       chan_base + BCM2835_DMA_CS);
+		dev_err(c->vc.chan.device->dev,
+			"failed to complete outstanding writes\n");
 
+	writel(BCM2835_DMA_RESET, chan_base + BCM2835_DMA_CS);
 	return 0;
 }
 
@@ -804,7 +793,6 @@ static int bcm2835_dma_terminate_all(str
 	struct bcm2835_chan *c = to_bcm2835_dma_chan(chan);
 	struct bcm2835_dmadev *d = to_bcm2835_dma_dev(c->vc.chan.device);
 	unsigned long flags;
-	int timeout = 10000;
 	LIST_HEAD(head);
 
 	spin_lock_irqsave(&c->vc.lock, flags);
@@ -818,18 +806,7 @@ static int bcm2835_dma_terminate_all(str
 	if (c->desc) {
 		bcm2835_dma_desc_free(&c->desc->vd);
 		c->desc = NULL;
-		bcm2835_dma_abort(c->chan_base);
-
-		/* Wait for stopping */
-		while (--timeout) {
-			if (!readl(c->chan_base + BCM2835_DMA_ADDR))
-				break;
-
-			cpu_relax();
-		}
-
-		if (!timeout)
-			dev_err(d->ddev.dev, "DMA transfer could not be terminated\n");
+		bcm2835_dma_abort(c);
 	}
 
 	vchan_get_all_descriptors(&c->vc, &head);



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 182/205] dmaengine: imx-dma: fix wrong callback invoke
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 181/205] dmaengine: bcm2835: Fix abort of transactions Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 183/205] futex: Handle early deadlock return correctly Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Leonid Iziumtsev, Vinod Koul

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leonid Iziumtsev <leonid.iziumtsev@gmail.com>

commit 341198eda723c8c1cddbb006a89ad9e362502ea2 upstream.

Once the "ld_queue" list is not empty, next descriptor will migrate
into "ld_active" list. The "desc" variable will be overwritten
during that transition. And later the dmaengine_desc_get_callback_invoke()
will use it as an argument. As result we invoke wrong callback.

That behaviour was in place since:
commit fcaaba6c7136 ("dmaengine: imx-dma: fix callback path in tasklet").
But after commit 4cd13c21b207 ("softirq: Let ksoftirqd do its job")
things got worse, since possible delay between tasklet_schedule()
from DMA irq handler and actual tasklet function execution got bigger.
And that gave more time for new DMA request to be submitted and
to be put into "ld_queue" list.

It has been noticed that DMA issue is causing problems for "mxc-mmc"
driver. While stressing the system with heavy network traffic and
writing/reading to/from sd card simultaneously the timeout may happen:

10013000.sdhci: mxcmci_watchdog: read time out (status = 0x30004900)

That often lead to file system corruption.

Signed-off-by: Leonid Iziumtsev <leonid.iziumtsev@gmail.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/imx-dma.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/dma/imx-dma.c
+++ b/drivers/dma/imx-dma.c
@@ -623,7 +623,7 @@ static void imxdma_tasklet(unsigned long
 {
 	struct imxdma_channel *imxdmac = (void *)data;
 	struct imxdma_engine *imxdma = imxdmac->imxdma;
-	struct imxdma_desc *desc;
+	struct imxdma_desc *desc, *next_desc;
 	unsigned long flags;
 
 	spin_lock_irqsave(&imxdma->lock, flags);
@@ -653,10 +653,10 @@ static void imxdma_tasklet(unsigned long
 	list_move_tail(imxdmac->ld_active.next, &imxdmac->ld_free);
 
 	if (!list_empty(&imxdmac->ld_queue)) {
-		desc = list_first_entry(&imxdmac->ld_queue, struct imxdma_desc,
-					node);
+		next_desc = list_first_entry(&imxdmac->ld_queue,
+					     struct imxdma_desc, node);
 		list_move_tail(imxdmac->ld_queue.next, &imxdmac->ld_active);
-		if (imxdma_xfer_desc(desc) < 0)
+		if (imxdma_xfer_desc(next_desc) < 0)
 			dev_warn(imxdma->dev, "%s: channel: %d couldn't xfer desc\n",
 				 __func__, imxdmac->channel);
 	}



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 183/205] futex: Handle early deadlock return correctly
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 182/205] dmaengine: imx-dma: fix wrong callback invoke Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 184/205] irqchip/gic-v3-its: Plug allocation race for devices sharing a DevID Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heiko Carstens, Peter Zijlstra,
	Thomas Gleixner, Martin Schwidefsky, linux-s390, Stefan Liebler,
	Sebastian Sewior

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 1a1fb985f2e2b85ec0d3dc2e519ee48389ec2434 upstream.

commit 56222b212e8e ("futex: Drop hb->lock before enqueueing on the
rtmutex") changed the locking rules in the futex code so that the hash
bucket lock is not longer held while the waiter is enqueued into the
rtmutex wait list. This made the lock and the unlock path symmetric, but
unfortunately the possible early exit from __rt_mutex_proxy_start() due to
a detected deadlock was not updated accordingly. That allows a concurrent
unlocker to observe inconsitent state which triggers the warning in the
unlock path.

futex_lock_pi()                         futex_unlock_pi()
  lock(hb->lock)
  queue(hb_waiter)				lock(hb->lock)
  lock(rtmutex->wait_lock)
  unlock(hb->lock)
                                        // acquired hb->lock
                                        hb_waiter = futex_top_waiter()
                                        lock(rtmutex->wait_lock)
  __rt_mutex_proxy_start()
     ---> fail
          remove(rtmutex_waiter);
     ---> returns -EDEADLOCK
  unlock(rtmutex->wait_lock)
                                        // acquired wait_lock
                                        wake_futex_pi()
                                        rt_mutex_next_owner()
					  --> returns NULL
                                          --> WARN

  lock(hb->lock)
  unqueue(hb_waiter)

The problem is caused by the remove(rtmutex_waiter) in the failure case of
__rt_mutex_proxy_start() as this lets the unlocker observe a waiter in the
hash bucket but no waiter on the rtmutex, i.e. inconsistent state.

The original commit handles this correctly for the other early return cases
(timeout, signal) by delaying the removal of the rtmutex waiter until the
returning task reacquired the hash bucket lock.

Treat the failure case of __rt_mutex_proxy_start() in the same way and let
the existing cleanup code handle the eventual handover of the rtmutex
gracefully. The regular rt_mutex_proxy_start() gains the rtmutex waiter
removal for the failure case, so that the other callsites are still
operating correctly.

Add proper comments to the code so all these details are fully documented.

Thanks to Peter for helping with the analysis and writing the really
valuable code comments.

Fixes: 56222b212e8e ("futex: Drop hb->lock before enqueueing on the rtmutex")
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Cc: Stefan Liebler <stli@linux.ibm.com>
Cc: Sebastian Sewior <bigeasy@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1901292311410.1950@nanos.tec.linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/futex.c           |   28 ++++++++++++++++++----------
 kernel/locking/rtmutex.c |   37 ++++++++++++++++++++++++++++++++-----
 2 files changed, 50 insertions(+), 15 deletions(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2811,35 +2811,39 @@ retry_private:
 	 * and BUG when futex_unlock_pi() interleaves with this.
 	 *
 	 * Therefore acquire wait_lock while holding hb->lock, but drop the
-	 * latter before calling rt_mutex_start_proxy_lock(). This still fully
-	 * serializes against futex_unlock_pi() as that does the exact same
-	 * lock handoff sequence.
+	 * latter before calling __rt_mutex_start_proxy_lock(). This
+	 * interleaves with futex_unlock_pi() -- which does a similar lock
+	 * handoff -- such that the latter can observe the futex_q::pi_state
+	 * before __rt_mutex_start_proxy_lock() is done.
 	 */
 	raw_spin_lock_irq(&q.pi_state->pi_mutex.wait_lock);
 	spin_unlock(q.lock_ptr);
+	/*
+	 * __rt_mutex_start_proxy_lock() unconditionally enqueues the @rt_waiter
+	 * such that futex_unlock_pi() is guaranteed to observe the waiter when
+	 * it sees the futex_q::pi_state.
+	 */
 	ret = __rt_mutex_start_proxy_lock(&q.pi_state->pi_mutex, &rt_waiter, current);
 	raw_spin_unlock_irq(&q.pi_state->pi_mutex.wait_lock);
 
 	if (ret) {
 		if (ret == 1)
 			ret = 0;
-
-		spin_lock(q.lock_ptr);
-		goto no_block;
+		goto cleanup;
 	}
 
-
 	if (unlikely(to))
 		hrtimer_start_expires(&to->timer, HRTIMER_MODE_ABS);
 
 	ret = rt_mutex_wait_proxy_lock(&q.pi_state->pi_mutex, to, &rt_waiter);
 
+cleanup:
 	spin_lock(q.lock_ptr);
 	/*
-	 * If we failed to acquire the lock (signal/timeout), we must
+	 * If we failed to acquire the lock (deadlock/signal/timeout), we must
 	 * first acquire the hb->lock before removing the lock from the
-	 * rt_mutex waitqueue, such that we can keep the hb and rt_mutex
-	 * wait lists consistent.
+	 * rt_mutex waitqueue, such that we can keep the hb and rt_mutex wait
+	 * lists consistent.
 	 *
 	 * In particular; it is important that futex_unlock_pi() can not
 	 * observe this inconsistency.
@@ -2963,6 +2967,10 @@ retry:
 		 * there is no point where we hold neither; and therefore
 		 * wake_futex_pi() must observe a state consistent with what we
 		 * observed.
+		 *
+		 * In particular; this forces __rt_mutex_start_proxy() to
+		 * complete such that we're guaranteed to observe the
+		 * rt_waiter. Also see the WARN in wake_futex_pi().
 		 */
 		raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
 		spin_unlock(&hb->lock);
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1726,12 +1726,33 @@ void rt_mutex_proxy_unlock(struct rt_mut
 	rt_mutex_set_owner(lock, NULL);
 }
 
+/**
+ * __rt_mutex_start_proxy_lock() - Start lock acquisition for another task
+ * @lock:		the rt_mutex to take
+ * @waiter:		the pre-initialized rt_mutex_waiter
+ * @task:		the task to prepare
+ *
+ * Starts the rt_mutex acquire; it enqueues the @waiter and does deadlock
+ * detection. It does not wait, see rt_mutex_wait_proxy_lock() for that.
+ *
+ * NOTE: does _NOT_ remove the @waiter on failure; must either call
+ * rt_mutex_wait_proxy_lock() or rt_mutex_cleanup_proxy_lock() after this.
+ *
+ * Returns:
+ *  0 - task blocked on lock
+ *  1 - acquired the lock for task, caller should wake it up
+ * <0 - error
+ *
+ * Special API call for PI-futex support.
+ */
 int __rt_mutex_start_proxy_lock(struct rt_mutex *lock,
 			      struct rt_mutex_waiter *waiter,
 			      struct task_struct *task)
 {
 	int ret;
 
+	lockdep_assert_held(&lock->wait_lock);
+
 	if (try_to_take_rt_mutex(lock, task, NULL))
 		return 1;
 
@@ -1749,9 +1770,6 @@ int __rt_mutex_start_proxy_lock(struct r
 		ret = 0;
 	}
 
-	if (unlikely(ret))
-		remove_waiter(lock, waiter);
-
 	debug_rt_mutex_print_deadlock(waiter);
 
 	return ret;
@@ -1763,12 +1781,18 @@ int __rt_mutex_start_proxy_lock(struct r
  * @waiter:		the pre-initialized rt_mutex_waiter
  * @task:		the task to prepare
  *
+ * Starts the rt_mutex acquire; it enqueues the @waiter and does deadlock
+ * detection. It does not wait, see rt_mutex_wait_proxy_lock() for that.
+ *
+ * NOTE: unlike __rt_mutex_start_proxy_lock this _DOES_ remove the @waiter
+ * on failure.
+ *
  * Returns:
  *  0 - task blocked on lock
  *  1 - acquired the lock for task, caller should wake it up
  * <0 - error
  *
- * Special API call for FUTEX_REQUEUE_PI support.
+ * Special API call for PI-futex support.
  */
 int rt_mutex_start_proxy_lock(struct rt_mutex *lock,
 			      struct rt_mutex_waiter *waiter,
@@ -1778,6 +1802,8 @@ int rt_mutex_start_proxy_lock(struct rt_
 
 	raw_spin_lock_irq(&lock->wait_lock);
 	ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
+	if (unlikely(ret))
+		remove_waiter(lock, waiter);
 	raw_spin_unlock_irq(&lock->wait_lock);
 
 	return ret;
@@ -1845,7 +1871,8 @@ int rt_mutex_wait_proxy_lock(struct rt_m
  * @lock:		the rt_mutex we were woken on
  * @waiter:		the pre-initialized rt_mutex_waiter
  *
- * Attempt to clean up after a failed rt_mutex_wait_proxy_lock().
+ * Attempt to clean up after a failed __rt_mutex_start_proxy_lock() or
+ * rt_mutex_wait_proxy_lock().
  *
  * Unless we acquired the lock; we're still enqueued on the wait-list and can
  * in fact still be granted ownership until we're removed. Therefore we can



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 184/205] irqchip/gic-v3-its: Plug allocation race for devices sharing a DevID
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 183/205] futex: Handle early deadlock return correctly Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 185/205] usb: phy: am335x: fix race condition in _probe Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zheng Xiang, Marc Zyngier

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 9791ec7df0e7b4d80706ccea8f24b6542f6059e9 upstream.

On systems or VMs where multiple devices share a single DevID
(because they sit behind a PCI bridge, or because the HW is
broken in funky ways), we reuse the save its_device structure
in order to reflect this.

It turns out that there is a distinct lack of locking when looking
up the its_device, and two device being probed concurrently can result
in double allocations. That's obviously not nice.

A solution for this is to have a per-ITS mutex that serializes device
allocation.

A similar issue exists on the freeing side, which can run concurrently
with the allocation. On top of now taking the appropriate lock, we
also make sure that a shared device is never freed, as we have no way
to currently track the life cycle of such object.

Reported-by: Zheng Xiang <zhengxiang9@huawei.com>
Tested-by: Zheng Xiang <zhengxiang9@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/irqchip/irq-gic-v3-its.c |   32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -87,9 +87,14 @@ struct its_baser {
  * The ITS structure - contains most of the infrastructure, with the
  * top-level MSI domain, the command queue, the collections, and the
  * list of devices writing to it.
+ *
+ * dev_alloc_lock has to be taken for device allocations, while the
+ * spinlock must be taken to parse data structures such as the device
+ * list.
  */
 struct its_node {
 	raw_spinlock_t		lock;
+	struct mutex		dev_alloc_lock;
 	struct list_head	entry;
 	void __iomem		*base;
 	phys_addr_t		phys_base;
@@ -138,6 +143,7 @@ struct its_device {
 	void			*itt;
 	u32			nr_ites;
 	u32			device_id;
+	bool			shared;
 };
 
 static struct {
@@ -2109,6 +2115,7 @@ static int its_msi_prepare(struct irq_do
 	struct its_device *its_dev;
 	struct msi_domain_info *msi_info;
 	u32 dev_id;
+	int err = 0;
 
 	/*
 	 * We ignore "dev" entierely, and rely on the dev_id that has
@@ -2131,6 +2138,7 @@ static int its_msi_prepare(struct irq_do
 		return -EINVAL;
 	}
 
+	mutex_lock(&its->dev_alloc_lock);
 	its_dev = its_find_device(its, dev_id);
 	if (its_dev) {
 		/*
@@ -2138,18 +2146,22 @@ static int its_msi_prepare(struct irq_do
 		 * another alias (PCI bridge of some sort). No need to
 		 * create the device.
 		 */
+		its_dev->shared = true;
 		pr_debug("Reusing ITT for devID %x\n", dev_id);
 		goto out;
 	}
 
 	its_dev = its_create_device(its, dev_id, nvec, true);
-	if (!its_dev)
-		return -ENOMEM;
+	if (!its_dev) {
+		err = -ENOMEM;
+		goto out;
+	}
 
 	pr_debug("ITT %d entries, %d bits\n", nvec, ilog2(nvec));
 out:
+	mutex_unlock(&its->dev_alloc_lock);
 	info->scratchpad[0].ptr = its_dev;
-	return 0;
+	return err;
 }
 
 static struct msi_domain_ops its_msi_domain_ops = {
@@ -2252,6 +2264,7 @@ static void its_irq_domain_free(struct i
 {
 	struct irq_data *d = irq_domain_get_irq_data(domain, virq);
 	struct its_device *its_dev = irq_data_get_irq_chip_data(d);
+	struct its_node *its = its_dev->its;
 	int i;
 
 	for (i = 0; i < nr_irqs; i++) {
@@ -2266,8 +2279,14 @@ static void its_irq_domain_free(struct i
 		irq_domain_reset_irq_data(data);
 	}
 
-	/* If all interrupts have been freed, start mopping the floor */
-	if (bitmap_empty(its_dev->event_map.lpi_map,
+	mutex_lock(&its->dev_alloc_lock);
+
+	/*
+	 * If all interrupts have been freed, start mopping the
+	 * floor. This is conditionned on the device not being shared.
+	 */
+	if (!its_dev->shared &&
+	    bitmap_empty(its_dev->event_map.lpi_map,
 			 its_dev->event_map.nr_lpis)) {
 		its_lpi_free_chunks(its_dev->event_map.lpi_map,
 				    its_dev->event_map.lpi_base,
@@ -2279,6 +2298,8 @@ static void its_irq_domain_free(struct i
 		its_free_device(its_dev);
 	}
 
+	mutex_unlock(&its->dev_alloc_lock);
+
 	irq_domain_free_irqs_parent(domain, virq, nr_irqs);
 }
 
@@ -2966,6 +2987,7 @@ static int __init its_probe_one(struct r
 	}
 
 	raw_spin_lock_init(&its->lock);
+	mutex_init(&its->dev_alloc_lock);
 	INIT_LIST_HEAD(&its->entry);
 	INIT_LIST_HEAD(&its->its_device_list);
 	typer = gic_read_typer(its_base + GITS_TYPER);



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 185/205] usb: phy: am335x: fix race condition in _probe
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 184/205] irqchip/gic-v3-its: Plug allocation race for devices sharing a DevID Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 186/205] usb: dwc3: gadget: Handle 0 xfer length for OUT EP Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bin Liu, Felipe Balbi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Liu <b-liu@ti.com>

commit a53469a68eb886e84dd8b69a1458a623d3591793 upstream.

power off the phy should be done before populate the phy. Otherwise,
am335x_init() could be called by the phy owner to power on the phy first,
then am335x_phy_probe() turns off the phy again without the caller knowing
it.

Fixes: 2fc711d76352 ("usb: phy: am335x: Enable USB remote wakeup using PHY wakeup")
Cc: stable@vger.kernel.org # v3.18+
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/phy/phy-am335x.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/usb/phy/phy-am335x.c
+++ b/drivers/usb/phy/phy-am335x.c
@@ -60,9 +60,6 @@ static int am335x_phy_probe(struct platf
 	if (ret)
 		return ret;
 
-	ret = usb_add_phy_dev(&am_phy->usb_phy_gen.phy);
-	if (ret)
-		return ret;
 	am_phy->usb_phy_gen.phy.init = am335x_init;
 	am_phy->usb_phy_gen.phy.shutdown = am335x_shutdown;
 
@@ -81,7 +78,7 @@ static int am335x_phy_probe(struct platf
 	device_set_wakeup_enable(dev, false);
 	phy_ctrl_power(am_phy->phy_ctrl, am_phy->id, am_phy->dr_mode, false);
 
-	return 0;
+	return usb_add_phy_dev(&am_phy->usb_phy_gen.phy);
 }
 
 static int am335x_phy_remove(struct platform_device *pdev)



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 186/205] usb: dwc3: gadget: Handle 0 xfer length for OUT EP
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 185/205] usb: phy: am335x: fix race condition in _probe Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 187/205] usb: gadget: udc: net2272: Fix bitwise and boolean operations Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tejas Joglekar, Felipe Balbi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejas Joglekar <tejas.joglekar@synopsys.com>

commit 1e19cdc8060227b0802bda6bc0bd22b23679ba32 upstream.

For OUT endpoints, zero-length transfers require MaxPacketSize buffer as
per the DWC_usb3 programming guide 3.30a section 4.2.3.3.

This patch fixes this by explicitly checking zero length
transfer to correctly pad up to MaxPacketSize.

Fixes: c6267a51639b ("usb: dwc3: gadget: align transfers to wMaxPacketSize")
Cc: stable@vger.kernel.org

Signed-off-by: Tejas Joglekar <joglekar@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/dwc3/gadget.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1114,7 +1114,7 @@ static void dwc3_prepare_one_trb_linear(
 	unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc);
 	unsigned int rem = length % maxp;
 
-	if (rem && usb_endpoint_dir_out(dep->endpoint.desc)) {
+	if ((!length || rem) && usb_endpoint_dir_out(dep->endpoint.desc)) {
 		struct dwc3	*dwc = dep->dwc;
 		struct dwc3_trb	*trb;
 



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 187/205] usb: gadget: udc: net2272: Fix bitwise and boolean operations
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 186/205] usb: dwc3: gadget: Handle 0 xfer length for OUT EP Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 188/205] usb: gadget: musb: fix short isoc packets with inventra dma Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Felipe Balbi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

commit 07c69f1148da7de3978686d3af9263325d9d60bd upstream.

(!x & y) strikes again.

Fix bitwise and boolean operations by enclosing the expression:

	intcsr & (1 << NET2272_PCI_IRQ)

in parentheses, before applying the boolean operator '!'.

Notice that this code has been there since 2011. So, it would
be helpful if someone can double-check this.

This issue was detected with the help of Coccinelle.

Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/udc/net2272.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/udc/net2272.c
+++ b/drivers/usb/gadget/udc/net2272.c
@@ -2096,7 +2096,7 @@ static irqreturn_t net2272_irq(int irq,
 #if defined(PLX_PCI_RDK2)
 	/* see if PCI int for us by checking irqstat */
 	intcsr = readl(dev->rdk2.fpga_base_addr + RDK2_IRQSTAT);
-	if (!intcsr & (1 << NET2272_PCI_IRQ)) {
+	if (!(intcsr & (1 << NET2272_PCI_IRQ))) {
 		spin_unlock(&dev->lock);
 		return IRQ_NONE;
 	}



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 188/205] usb: gadget: musb: fix short isoc packets with inventra dma
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 187/205] usb: gadget: udc: net2272: Fix bitwise and boolean operations Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 189/205] staging: speakup: fix tty-operation NULL derefs Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paul Elder, Bin Liu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Elder <paul.elder@ideasonboard.com>

commit c418fd6c01fbc5516a2cd1eaf1df1ec86869028a upstream.

Handling short packets (length < max packet size) in the Inventra DMA
engine in the MUSB driver causes the MUSB DMA controller to hang. An
example of a problem that is caused by this problem is when streaming
video out of a UVC gadget, only the first video frame is transferred.

For short packets (mode-0 or mode-1 DMA), MUSB_TXCSR_TXPKTRDY must be
set manually by the driver. This was previously done in musb_g_tx
(musb_gadget.c), but incorrectly (all csr flags were cleared, and only
MUSB_TXCSR_MODE and MUSB_TXCSR_TXPKTRDY were set). Fixing that problem
allows some requests to be transferred correctly, but multiple requests
were often put together in one USB packet, and caused problems if the
packet size was not a multiple of 4. Instead, set MUSB_TXCSR_TXPKTRDY
in dma_controller_irq (musbhsdma.c), just like host mode transfers.

This topic was originally tackled by Nicolas Boichat [0] [1] and is
discussed further at [2] as part of his GSoC project [3].

[0] https://groups.google.com/forum/?hl=en#!topic/beagleboard-gsoc/k8Azwfp75CU
[1] https://gitorious.org/beagleboard-usbsniffer/beagleboard-usbsniffer-kernel/commit/b0be3b6cc195ba732189b04f1d43ec843c3e54c9?p=beagleboard-usbsniffer:beagleboard-usbsniffer-kernel.git;a=patch;h=b0be3b6cc195ba732189b04f1d43ec843c3e54c9
[2] http://beagleboard-usbsniffer.blogspot.com/2010/07/musb-isochronous-transfers-fixed.html
[3] http://elinux.org/BeagleBoard/GSoC/USBSniffer

Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support")
Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/musb/musb_gadget.c |   13 +------------
 drivers/usb/musb/musbhsdma.c   |   21 +++++++++++----------
 2 files changed, 12 insertions(+), 22 deletions(-)

--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -477,13 +477,10 @@ void musb_g_tx(struct musb *musb, u8 epn
 	}
 
 	if (request) {
-		u8	is_dma = 0;
-		bool	short_packet = false;
 
 		trace_musb_req_tx(req);
 
 		if (dma && (csr & MUSB_TXCSR_DMAENAB)) {
-			is_dma = 1;
 			csr |= MUSB_TXCSR_P_WZC_BITS;
 			csr &= ~(MUSB_TXCSR_DMAENAB | MUSB_TXCSR_P_UNDERRUN |
 				 MUSB_TXCSR_TXPKTRDY | MUSB_TXCSR_AUTOSET);
@@ -501,16 +498,8 @@ void musb_g_tx(struct musb *musb, u8 epn
 		 */
 		if ((request->zero && request->length)
 			&& (request->length % musb_ep->packet_sz == 0)
-			&& (request->actual == request->length))
-				short_packet = true;
+			&& (request->actual == request->length)) {
 
-		if ((musb_dma_inventra(musb) || musb_dma_ux500(musb)) &&
-			(is_dma && (!dma->desired_mode ||
-				(request->actual &
-					(musb_ep->packet_sz - 1)))))
-				short_packet = true;
-
-		if (short_packet) {
 			/*
 			 * On DMA completion, FIFO may not be
 			 * available yet...
--- a/drivers/usb/musb/musbhsdma.c
+++ b/drivers/usb/musb/musbhsdma.c
@@ -320,12 +320,10 @@ static irqreturn_t dma_controller_irq(in
 				channel->status = MUSB_DMA_STATUS_FREE;
 
 				/* completed */
-				if ((devctl & MUSB_DEVCTL_HM)
-					&& (musb_channel->transmit)
-					&& ((channel->desired_mode == 0)
-					    || (channel->actual_len &
-					    (musb_channel->max_packet_sz - 1)))
-				    ) {
+				if (musb_channel->transmit &&
+					(!channel->desired_mode ||
+					(channel->actual_len %
+					    musb_channel->max_packet_sz))) {
 					u8  epnum  = musb_channel->epnum;
 					int offset = musb->io.ep_offset(epnum,
 								    MUSB_TXCSR);
@@ -337,11 +335,14 @@ static irqreturn_t dma_controller_irq(in
 					 */
 					musb_ep_select(mbase, epnum);
 					txcsr = musb_readw(mbase, offset);
-					txcsr &= ~(MUSB_TXCSR_DMAENAB
+					if (channel->desired_mode == 1) {
+						txcsr &= ~(MUSB_TXCSR_DMAENAB
 							| MUSB_TXCSR_AUTOSET);
-					musb_writew(mbase, offset, txcsr);
-					/* Send out the packet */
-					txcsr &= ~MUSB_TXCSR_DMAMODE;
+						musb_writew(mbase, offset, txcsr);
+						/* Send out the packet */
+						txcsr &= ~MUSB_TXCSR_DMAMODE;
+						txcsr |= MUSB_TXCSR_DMAENAB;
+					}
 					txcsr |=  MUSB_TXCSR_TXPKTRDY;
 					musb_writew(mbase, offset, txcsr);
 				}



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 189/205] staging: speakup: fix tty-operation NULL derefs
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 188/205] usb: gadget: musb: fix short isoc packets with inventra dma Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 190/205] scsi: cxlflash: Prevent deadlock when adapter probe fails Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Okash Khawaja, Samuel Thibault, Johan Hovold

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit a1960e0f1639cb1f7a3d94521760fc73091f6640 upstream.

The send_xchar() and tiocmset() tty operations are optional. Add the
missing sanity checks to prevent user-space triggerable NULL-pointer
dereferences.

Fixes: 6b9ad1c742bf ("staging: speakup: add send_xchar, tiocmset and input functionality for tty")
Cc: stable <stable@vger.kernel.org>     # 4.13
Cc: Okash Khawaja <okash.khawaja@gmail.com>
Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/speakup/spk_ttyio.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/staging/speakup/spk_ttyio.c
+++ b/drivers/staging/speakup/spk_ttyio.c
@@ -246,7 +246,8 @@ static void spk_ttyio_send_xchar(char ch
 		return;
 	}
 
-	speakup_tty->ops->send_xchar(speakup_tty, ch);
+	if (speakup_tty->ops->send_xchar)
+		speakup_tty->ops->send_xchar(speakup_tty, ch);
 	mutex_unlock(&speakup_tty_mutex);
 }
 
@@ -258,7 +259,8 @@ static void spk_ttyio_tiocmset(unsigned
 		return;
 	}
 
-	speakup_tty->ops->tiocmset(speakup_tty, set, clear);
+	if (speakup_tty->ops->tiocmset)
+		speakup_tty->ops->tiocmset(speakup_tty, set, clear);
 	mutex_unlock(&speakup_tty_mutex);
 }
 



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 190/205] scsi: cxlflash: Prevent deadlock when adapter probe fails
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 189/205] staging: speakup: fix tty-operation NULL derefs Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 191/205] scsi: aic94xx: fix module loading Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vaibhav Jain, Martin K. Petersen

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vaibhav Jain <vaibhav@linux.ibm.com>

commit bb61b843ffd46978d7ca5095453e572714934eeb upstream.

Presently when an error is encountered during probe of the cxlflash
adapter, a deadlock is seen with cpu thread stuck inside
cxlflash_remove(). Below is the trace of the deadlock as logged by
khungtaskd:

cxlflash 0006:00:00.0: cxlflash_probe: init_afu failed rc=-16
INFO: task kworker/80:1:890 blocked for more than 120 seconds.
       Not tainted 5.0.0-rc4-capi2-kexec+ #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/80:1    D    0   890      2 0x00000808
Workqueue: events work_for_cpu_fn

Call Trace:
 0x4d72136320 (unreliable)
 __switch_to+0x2cc/0x460
 __schedule+0x2bc/0xac0
 schedule+0x40/0xb0
 cxlflash_remove+0xec/0x640 [cxlflash]
 cxlflash_probe+0x370/0x8f0 [cxlflash]
 local_pci_probe+0x6c/0x140
 work_for_cpu_fn+0x38/0x60
 process_one_work+0x260/0x530
 worker_thread+0x280/0x5d0
 kthread+0x1a8/0x1b0
 ret_from_kernel_thread+0x5c/0x80
INFO: task systemd-udevd:5160 blocked for more than 120 seconds.

The deadlock occurs as cxlflash_remove() is called from cxlflash_probe()
without setting 'cxlflash_cfg->state' to STATE_PROBED and the probe thread
starts to wait on 'cxlflash_cfg->reset_waitq'. Since the device was never
successfully probed the 'cxlflash_cfg->state' never changes from
STATE_PROBING hence the deadlock occurs.

We fix this deadlock by setting the variable 'cxlflash_cfg->state' to
STATE_PROBED in case an error occurs during cxlflash_probe() and just
before calling cxlflash_remove().

Cc: stable@vger.kernel.org
Fixes: c21e0bbfc485("cxlflash: Base support for IBM CXL Flash Adapter")
Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/cxlflash/main.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/scsi/cxlflash/main.c
+++ b/drivers/scsi/cxlflash/main.c
@@ -3659,6 +3659,7 @@ static int cxlflash_probe(struct pci_dev
 	host->max_cmd_len = CXLFLASH_MAX_CDB_LEN;
 
 	cfg = shost_priv(host);
+	cfg->state = STATE_PROBING;
 	cfg->host = host;
 	rc = alloc_mem(cfg);
 	if (rc) {
@@ -3741,6 +3742,7 @@ out:
 	return rc;
 
 out_remove:
+	cfg->state = STATE_PROBED;
 	cxlflash_remove(pdev);
 	goto out;
 }



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 191/205] scsi: aic94xx: fix module loading
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 190/205] scsi: cxlflash: Prevent deadlock when adapter probe fails Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 192/205] KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Bottomley, Martin K. Petersen

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Bottomley <James.Bottomley@HansenPartnership.com>

commit 42caa0edabd6a0a392ec36a5f0943924e4954311 upstream.

The aic94xx driver is currently failing to load with errors like

sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:03.0/0000:02:00.3/0000:07:02.0/revision'

Because the PCI code had recently added a file named 'revision' to every
PCI device.  Fix this by renaming the aic94xx revision file to
aic_revision.  This is safe to do for us because as far as I can tell,
there's nothing in userspace relying on the current aic94xx revision file
so it can be renamed without breaking anything.

Fixes: 702ed3be1b1b (PCI: Create revision file in sysfs)
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/aic94xx/aic94xx_init.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/scsi/aic94xx/aic94xx_init.c
+++ b/drivers/scsi/aic94xx/aic94xx_init.c
@@ -281,7 +281,7 @@ static ssize_t asd_show_dev_rev(struct d
 	return snprintf(buf, PAGE_SIZE, "%s\n",
 			asd_dev_rev[asd_ha->revision_id]);
 }
-static DEVICE_ATTR(revision, S_IRUGO, asd_show_dev_rev, NULL);
+static DEVICE_ATTR(aic_revision, S_IRUGO, asd_show_dev_rev, NULL);
 
 static ssize_t asd_show_dev_bios_build(struct device *dev,
 				       struct device_attribute *attr,char *buf)
@@ -478,7 +478,7 @@ static int asd_create_dev_attrs(struct a
 {
 	int err;
 
-	err = device_create_file(&asd_ha->pcidev->dev, &dev_attr_revision);
+	err = device_create_file(&asd_ha->pcidev->dev, &dev_attr_aic_revision);
 	if (err)
 		return err;
 
@@ -500,13 +500,13 @@ err_update_bios:
 err_biosb:
 	device_remove_file(&asd_ha->pcidev->dev, &dev_attr_bios_build);
 err_rev:
-	device_remove_file(&asd_ha->pcidev->dev, &dev_attr_revision);
+	device_remove_file(&asd_ha->pcidev->dev, &dev_attr_aic_revision);
 	return err;
 }
 
 static void asd_remove_dev_attrs(struct asd_ha_struct *asd_ha)
 {
-	device_remove_file(&asd_ha->pcidev->dev, &dev_attr_revision);
+	device_remove_file(&asd_ha->pcidev->dev, &dev_attr_aic_revision);
 	device_remove_file(&asd_ha->pcidev->dev, &dev_attr_bios_build);
 	device_remove_file(&asd_ha->pcidev->dev, &dev_attr_pcba_sn);
 	device_remove_file(&asd_ha->pcidev->dev, &dev_attr_update_bios);



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 192/205] KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 191/205] scsi: aic94xx: fix module loading Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 193/205] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felix Wilhelm, stable, Paolo Bonzini

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a upstream.

Bugzilla: 1671930

Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
when passed an operand that points to an MMIO address.  The page fault
will use uninitialized kernel stack memory as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just
ensure that the error code and CR2 are zero.

Embargoed until Feb 7th 2019.

Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/x86.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4611,6 +4611,13 @@ int kvm_read_guest_virt(struct kvm_vcpu
 {
 	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
 
+	/*
+	 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+	 * is returned, but our callers are not ready for that and they blindly
+	 * call kvm_inject_page_fault.  Ensure that they at least do not leak
+	 * uninitialized kernel stack memory into cr2 and error code.
+	 */
+	memset(exception, 0, sizeof(*exception));
 	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
 					  exception);
 }



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 193/205] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 192/205] KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 194/205] KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Jann Horn, Paolo Bonzini

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.

kvm_ioctl_create_device() does the following:

1. creates a device that holds a reference to the VM object (with a borrowed
   reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
   reference

The ownership transfer in step 3 must not happen before the reference to the VM
becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before
anon_inode_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d57dc7f ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/kvm_main.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2912,8 +2912,10 @@ static int kvm_ioctl_create_device(struc
 	if (ops->init)
 		ops->init(dev);
 
+	kvm_get_kvm(kvm);
 	ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
 	if (ret < 0) {
+		kvm_put_kvm(kvm);
 		mutex_lock(&kvm->lock);
 		list_del(&dev->vm_node);
 		mutex_unlock(&kvm->lock);
@@ -2921,7 +2923,6 @@ static int kvm_ioctl_create_device(struc
 		return ret;
 	}
 
-	kvm_get_kvm(kvm);
 	cd->fd = ret;
 	return 0;
 }



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 194/205] KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 193/205] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 195/205] cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Shier, Jim Mattson,
	Felix Wilhelm, stable, Paolo Bonzini

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Shier <pshier@google.com>

commit ecec76885bcfe3294685dc363fd1273df0d5d65f upstream.

Bugzilla: 1671904

There are multiple code paths where an hrtimer may have been started to
emulate an L1 VMX preemption timer that can result in a call to free_nested
without an intervening L2 exit where the hrtimer is normally
cancelled. Unconditionally cancel in free_nested to cover all cases.

Embargoed until Feb 7th 2019.

Signed-off-by: Peter Shier <pshier@google.com>
Reported-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Message-Id: <20181011184646.154065-1-pshier@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/vmx.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7708,6 +7708,7 @@ static void free_nested(struct vcpu_vmx
 	if (!vmx->nested.vmxon)
 		return;
 
+	hrtimer_cancel(&vmx->nested.preemption_timer);
 	vmx->nested.vmxon = false;
 	free_vpid(vmx->nested.vpid02);
 	vmx->nested.posted_intr_nv = -1;



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 195/205] cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 194/205] KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 196/205] perf/x86/intel/uncore: Add Node ID mask Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Igor Mammedov, Josh Poimboeuf,
	Thomas Gleixner, Joe Mario, Jiri Kosina, Peter Zijlstra, kvm

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josh Poimboeuf <jpoimboe@redhat.com>

commit b284909abad48b07d3071a9fc9b5692b3e64914b upstream.

With the following commit:

  73d5e2b47264 ("cpu/hotplug: detect SMT disabled by BIOS")

... the hotplug code attempted to detect when SMT was disabled by BIOS,
in which case it reported SMT as permanently disabled.  However, that
code broke a virt hotplug scenario, where the guest is booted with only
primary CPU threads, and a sibling is brought online later.

The problem is that there doesn't seem to be a way to reliably
distinguish between the HW "SMT disabled by BIOS" case and the virt
"sibling not yet brought online" case.  So the above-mentioned commit
was a bit misguided, as it permanently disabled SMT for both cases,
preventing future virt sibling hotplugs.

Going back and reviewing the original problems which were attempted to
be solved by that commit, when SMT was disabled in BIOS:

  1) /sys/devices/system/cpu/smt/control showed "on" instead of
     "notsupported"; and

  2) vmx_vm_init() was incorrectly showing the L1TF_MSG_SMT warning.

I'd propose that we instead consider #1 above to not actually be a
problem.  Because, at least in the virt case, it's possible that SMT
wasn't disabled by BIOS and a sibling thread could be brought online
later.  So it makes sense to just always default the smt control to "on"
to allow for that possibility (assuming cpuid indicates that the CPU
supports SMT).

The real problem is #2, which has a simple fix: change vmx_vm_init() to
query the actual current SMT state -- i.e., whether any siblings are
currently online -- instead of looking at the SMT "control" sysfs value.

So fix it by:

  a) reverting the original "fix" and its followup fix:

     73d5e2b47264 ("cpu/hotplug: detect SMT disabled by BIOS")
     bc2d8d262cba ("cpu/hotplug: Fix SMT supported evaluation")

     and

  b) changing vmx_vm_init() to query the actual current SMT state --
     instead of the sysfs control value -- to determine whether the L1TF
     warning is needed.  This also requires the 'sched_smt_present'
     variable to exported, instead of 'cpu_smt_control'.

Fixes: 73d5e2b47264 ("cpu/hotplug: detect SMT disabled by BIOS")
Reported-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Joe Mario <jmario@redhat.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: kvm@vger.kernel.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/e3a85d585da28cc333ecbc1e78ee9216e6da9396.1548794349.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 arch/x86/kernel/cpu/bugs.c |    2 +-
 arch/x86/kvm/vmx.c         |    3 ++-
 include/linux/cpu.h        |    2 --
 kernel/cpu.c               |   33 ++++-----------------------------
 kernel/sched/fair.c        |    1 +
 kernel/smp.c               |    2 --
 6 files changed, 8 insertions(+), 35 deletions(-)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -68,7 +68,7 @@ void __init check_bugs(void)
 	 * identify_boot_cpu() initialized SMT support information, let the
 	 * core code know.
 	 */
-	cpu_smt_check_topology_early();
+	cpu_smt_check_topology();
 
 	if (!IS_ENABLED(CONFIG_SMP)) {
 		pr_info("CPU: ");
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -27,6 +27,7 @@
 #include <linux/mm.h>
 #include <linux/highmem.h>
 #include <linux/sched.h>
+#include <linux/sched/smt.h>
 #include <linux/moduleparam.h>
 #include <linux/mod_devicetable.h>
 #include <linux/trace_events.h>
@@ -10120,7 +10121,7 @@ static int vmx_vm_init(struct kvm *kvm)
 			 * Warn upon starting the first VM in a potentially
 			 * insecure environment.
 			 */
-			if (cpu_smt_control == CPU_SMT_ENABLED)
+			if (sched_smt_active())
 				pr_warn_once(L1TF_MSG_SMT);
 			if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER)
 				pr_warn_once(L1TF_MSG_L1D);
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -188,12 +188,10 @@ enum cpuhp_smt_control {
 #if defined(CONFIG_SMP) && defined(CONFIG_HOTPLUG_SMT)
 extern enum cpuhp_smt_control cpu_smt_control;
 extern void cpu_smt_disable(bool force);
-extern void cpu_smt_check_topology_early(void);
 extern void cpu_smt_check_topology(void);
 #else
 # define cpu_smt_control		(CPU_SMT_ENABLED)
 static inline void cpu_smt_disable(bool force) { }
-static inline void cpu_smt_check_topology_early(void) { }
 static inline void cpu_smt_check_topology(void) { }
 #endif
 
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -356,9 +356,6 @@ void __weak arch_smt_update(void) { }
 
 #ifdef CONFIG_HOTPLUG_SMT
 enum cpuhp_smt_control cpu_smt_control __read_mostly = CPU_SMT_ENABLED;
-EXPORT_SYMBOL_GPL(cpu_smt_control);
-
-static bool cpu_smt_available __read_mostly;
 
 void __init cpu_smt_disable(bool force)
 {
@@ -376,25 +373,11 @@ void __init cpu_smt_disable(bool force)
 
 /*
  * The decision whether SMT is supported can only be done after the full
- * CPU identification. Called from architecture code before non boot CPUs
- * are brought up.
- */
-void __init cpu_smt_check_topology_early(void)
-{
-	if (!topology_smt_supported())
-		cpu_smt_control = CPU_SMT_NOT_SUPPORTED;
-}
-
-/*
- * If SMT was disabled by BIOS, detect it here, after the CPUs have been
- * brought online. This ensures the smt/l1tf sysfs entries are consistent
- * with reality. cpu_smt_available is set to true during the bringup of non
- * boot CPUs when a SMT sibling is detected. Note, this may overwrite
- * cpu_smt_control's previous setting.
+ * CPU identification. Called from architecture code.
  */
 void __init cpu_smt_check_topology(void)
 {
-	if (!cpu_smt_available)
+	if (!topology_smt_supported())
 		cpu_smt_control = CPU_SMT_NOT_SUPPORTED;
 }
 
@@ -407,18 +390,10 @@ early_param("nosmt", smt_cmdline_disable
 
 static inline bool cpu_smt_allowed(unsigned int cpu)
 {
-	if (topology_is_primary_thread(cpu))
+	if (cpu_smt_control == CPU_SMT_ENABLED)
 		return true;
 
-	/*
-	 * If the CPU is not a 'primary' thread and the booted_once bit is
-	 * set then the processor has SMT support. Store this information
-	 * for the late check of SMT support in cpu_smt_check_topology().
-	 */
-	if (per_cpu(cpuhp_state, cpu).booted_once)
-		cpu_smt_available = true;
-
-	if (cpu_smt_control == CPU_SMT_ENABLED)
+	if (topology_is_primary_thread(cpu))
 		return true;
 
 	/*
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -5651,6 +5651,7 @@ find_idlest_cpu(struct sched_group *grou
 
 #ifdef CONFIG_SCHED_SMT
 DEFINE_STATIC_KEY_FALSE(sched_smt_present);
+EXPORT_SYMBOL_GPL(sched_smt_present);
 
 static inline void set_idle_cores(int cpu, int val)
 {
--- a/kernel/smp.c
+++ b/kernel/smp.c
@@ -584,8 +584,6 @@ void __init smp_init(void)
 		num_nodes, (num_nodes > 1 ? "s" : ""),
 		num_cpus,  (num_cpus  > 1 ? "s" : ""));
 
-	/* Final decision about SMT support */
-	cpu_smt_check_topology();
 	/* Any cleanup work */
 	smp_cpus_done(setup_max_cpus);
 }



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 196/205] perf/x86/intel/uncore: Add Node ID mask
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 195/205] cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 197/205] x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Song Liu, Kan Liang,
	Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Thomas Gleixner, Ingo Molnar

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kan Liang <kan.liang@linux.intel.com>

commit 9e63a7894fd302082cf3627fe90844421a6cbe7f upstream.

Some PCI uncore PMUs cannot be registered on an 8-socket system (HPE
Superdome Flex).

To understand which Socket the PCI uncore PMUs belongs to, perf retrieves
the local Node ID of the uncore device from CPUNODEID(0xC0) of the PCI
configuration space, and the mapping between Socket ID and Node ID from
GIDNIDMAP(0xD4). The Socket ID can be calculated accordingly.

The local Node ID is only available at bit 2:0, but current code doesn't
mask it. If a BIOS doesn't clear the rest of the bits, an incorrect Node ID
will be fetched.

Filter the Node ID by adding a mask.

Reported-by: Song Liu <songliubraving@fb.com>
Tested-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org> # v3.7+
Fixes: 7c94ee2e0917 ("perf/x86: Add Intel Nehalem and Sandy Bridge-EP uncore support")
Link: https://lkml.kernel.org/r/1548600794-33162-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/uncore_snbep.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -1221,6 +1221,8 @@ static struct pci_driver snbep_uncore_pc
 	.id_table	= snbep_uncore_pci_ids,
 };
 
+#define NODE_ID_MASK	0x7
+
 /*
  * build pci bus to socket mapping
  */
@@ -1242,7 +1244,7 @@ static int snbep_pci2phy_map_init(int de
 		err = pci_read_config_dword(ubox_dev, nodeid_loc, &config);
 		if (err)
 			break;
-		nodeid = config;
+		nodeid = config & NODE_ID_MASK;
 		/* get the Node ID mapping */
 		err = pci_read_config_dword(ubox_dev, idmap_loc, &config);
 		if (err)



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 197/205] x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 196/205] perf/x86/intel/uncore: Add Node ID mask Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Luck, Borislav Petkov,
	H. Peter Anvin, Ingo Molnar, Thomas Gleixner, Vishal Verma,
	x86-ml

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Luck <tony.luck@intel.com>

commit d28af26faa0b1daf3c692603d46bc4687c16f19e upstream.

Internal injection testing crashed with a console log that said:

  mce: [Hardware Error]: CPU 7: Machine Check Exception: f Bank 0: bd80000000100134

This caused a lot of head scratching because the MCACOD (bits 15:0) of
that status is a signature from an L1 data cache error. But Linux says
that it found it in "Bank 0", which on this model CPU only reports L1
instruction cache errors.

The answer was that Linux doesn't initialize "m->bank" in the case that
it finds a fatal error in the mce_no_way_out() pre-scan of banks. If
this was a local machine check, then this partially initialized struct
mce is being passed to mce_panic().

Fix is simple: just initialize m->bank in the case of a fatal error.

Fixes: 40c36e2741d7 ("x86/mce: Fix incorrect "Machine check from unknown source" message")
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: x86-ml <x86@kernel.org>
Cc: stable@vger.kernel.org # v4.18 Note pre-v5.0 arch/x86/kernel/cpu/mce/core.c was called arch/x86/kernel/cpu/mcheck/mce.c
Link: https://lkml.kernel.org/r/20190201003341.10638-1-tony.luck@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/mcheck/mce.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -773,6 +773,7 @@ static int mce_no_way_out(struct mce *m,
 			quirk_no_way_out(i, m, regs);
 
 		if (mce_severity(m, mca_cfg.tolerant, &tmp, true) >= MCE_PANIC_SEVERITY) {
+			m->bank = i;
 			mce_read_aux(m, i);
 			*msg = tmp;
 			return 1;



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 197/205] x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-13 13:03   ` Rantala, Tommi T. (Nokia - FI/Espoo)
  2019-02-11 14:19 ` [PATCH 4.14 199/205] perf tests evsel-tp-sched: Fix bitwise operator Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  208 siblings, 1 reply; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julien Thierry, Mark Rutland,
	Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Namhyung Kim, Thomas Gleixner, Ingo Molnar

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 9dff0aa95a324e262ffb03f425d00e4751f3294e upstream.

The perf tool uses /proc/sys/kernel/perf_event_mlock_kb to determine how
large its ringbuffer mmap should be. This can be configured to arbitrary
values, which can be larger than the maximum possible allocation from
kmalloc.

When this is configured to a suitably large value (e.g. thanks to the
perf fuzzer), attempting to use perf record triggers a WARN_ON_ONCE() in
__alloc_pages_nodemask():

   WARNING: CPU: 2 PID: 5666 at mm/page_alloc.c:4511 __alloc_pages_nodemask+0x3f8/0xbc8

Let's avoid this by checking that the requested allocation is possible
before calling kzalloc.

Reported-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20190110142745.25495-1-mark.rutland@arm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/events/ring_buffer.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -719,6 +719,9 @@ struct ring_buffer *rb_alloc(int nr_page
 	size = sizeof(struct ring_buffer);
 	size += nr_pages * sizeof(void *);
 
+	if (order_base_2(size) >= MAX_ORDER)
+		goto fail;
+
 	rb = kzalloc(size, GFP_KERNEL);
 	if (!rb)
 		goto fail;



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 199/205] perf tests evsel-tp-sched: Fix bitwise operator
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 200/205] serial: fix race between flush_to_ldisc and tty_open Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Jiri Olsa,
	Alexander Shishkin, Namhyung Kim, Peter Zijlstra,
	Arnaldo Carvalho de Melo

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

commit 489338a717a0dfbbd5a3fabccf172b78f0ac9015 upstream.

Notice that the use of the bitwise OR operator '|' always leads to true
in this particular case, which seems a bit suspicious due to the context
in which this expression is being used.

Fix this by using bitwise AND operator '&' instead.

This bug was detected with the help of Coccinelle.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields")
Link: http://lkml.kernel.org/r/20190122233439.GA5868@embeddedor
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/tests/evsel-tp-sched.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/tests/evsel-tp-sched.c
+++ b/tools/perf/tests/evsel-tp-sched.c
@@ -17,7 +17,7 @@ static int perf_evsel__test_field(struct
 		return -1;
 	}
 
-	is_signed = !!(field->flags | FIELD_IS_SIGNED);
+	is_signed = !!(field->flags & FIELD_IS_SIGNED);
 	if (should_be_signed && !is_signed) {
 		pr_debug("%s: \"%s\" signedness(%d) is wrong, should be %d\n",
 			 evsel->name, name, is_signed, should_be_signed);



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 200/205] serial: fix race between flush_to_ldisc and tty_open
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 199/205] perf tests evsel-tp-sched: Fix bitwise operator Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:19 ` [PATCH 4.14 201/205] serial: 8250_pci: Make PCI class test non fatal Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Li RongQing, Wang Li, Zhang Yu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fedb5760648a291e949f2380d383b5b2d2749b5e upstream.

There still is a race window after the commit b027e2298bd588
("tty: fix data race between tty_init_dev and flush of buf"),
and we encountered this crash issue if receive_buf call comes
before tty initialization completes in tty_open and
tty->driver_data may be NULL.

CPU0                                    CPU1
----                                    ----
                                  tty_open
                                   tty_init_dev
                                     tty_ldisc_unlock
                                       schedule
flush_to_ldisc
 receive_buf
  tty_port_default_receive_buf
   tty_ldisc_receive_buf
    n_tty_receive_buf_common
      __receive_buf
       uart_flush_chars
        uart_start
        /*tty->driver_data is NULL*/
                                   tty->ops->open
                                   /*init tty->driver_data*/

it can be fixed by extending ldisc semaphore lock in tty_init_dev
to driver_data initialized completely after tty->ops->open(), but
this will lead to get lock on one function and unlock in some other
function, and hard to maintain, so fix this race only by checking
tty->driver_data when receiving, and return if tty->driver_data
is NULL, and n_tty_receive_buf_common maybe calls uart_unthrottle,
so add the same check.

Because the tty layer knows nothing about the driver associated with the
device, the tty layer can not do anything here, it is up to the tty
driver itself to check for this type of race.  Fix up the serial driver
to correctly check to see if it is finished binding with the device when
being called, and if not, abort the tty calls.

[Description and problem report and testing from Li RongQing, I rewrote
the patch to be in the serial layer, not in the tty core - gregkh]

Reported-by: Li RongQing <lirongqing@baidu.com>
Tested-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Wang Li <wangli39@baidu.com>
Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/serial_core.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -143,6 +143,9 @@ static void uart_start(struct tty_struct
 	struct uart_port *port;
 	unsigned long flags;
 
+	if (!state)
+		return;
+
 	port = uart_port_lock(state, flags);
 	__uart_start(tty);
 	uart_port_unlock(port, flags);
@@ -2415,6 +2418,9 @@ static void uart_poll_put_char(struct tt
 	struct uart_state *state = drv->state + line;
 	struct uart_port *port;
 
+	if (!state)
+		return;
+
 	port = uart_port_ref(state);
 	if (!port)
 		return;



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 201/205] serial: 8250_pci: Make PCI class test non fatal
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 200/205] serial: fix race between flush_to_ldisc and tty_open Greg Kroah-Hartman
@ 2019-02-11 14:19 ` Greg Kroah-Hartman
  2019-02-11 14:20 ` [PATCH 4.14 202/205] nfsd4: fix cached replies to solo SEQUENCE compounds Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:19 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guan Yung Tseng, KHUENY.Gerhard,
	Andy Shevchenko

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 824d17c57b0abbcb9128fb3f7327fae14761914b upstream.

As has been reported the National Instruments serial cards have broken
PCI class.

The commit 7d8905d06405

  ("serial: 8250_pci: Enable device after we check black list")

made the PCI class check mandatory for the case when device is listed in
a quirk list.

Make PCI class test non fatal to allow broken card be enumerated.

Fixes: 7d8905d06405 ("serial: 8250_pci: Enable device after we check black list")
Cc: stable <stable@vger.kernel.org>
Reported-by: Guan Yung Tseng <guan.yung.tseng@ni.com>
Tested-by: Guan Yung Tseng <guan.yung.tseng@ni.com>
Tested-by: KHUENY.Gerhard <Gerhard.KHUENY@bachmann.info>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/8250_pci.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -3425,6 +3425,11 @@ static int
 serial_pci_guess_board(struct pci_dev *dev, struct pciserial_board *board)
 {
 	int num_iomem, num_port, first_port = -1, i;
+	int rc;
+
+	rc = serial_pci_is_class_communication(dev);
+	if (rc)
+		return rc;
 
 	/*
 	 * Should we try to make guesses for multiport serial devices later?
@@ -3652,10 +3657,6 @@ pciserial_init_one(struct pci_dev *dev,
 
 	board = &pci_boards[ent->driver_data];
 
-	rc = serial_pci_is_class_communication(dev);
-	if (rc)
-		return rc;
-
 	rc = serial_pci_is_blacklisted(dev);
 	if (rc)
 		return rc;



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 202/205] nfsd4: fix cached replies to solo SEQUENCE compounds
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2019-02-11 14:19 ` [PATCH 4.14 201/205] serial: 8250_pci: Make PCI class test non fatal Greg Kroah-Hartman
@ 2019-02-11 14:20 ` Greg Kroah-Hartman
  2019-02-11 14:20 ` [PATCH 4.14 203/205] nfsd4: catch some false session retries Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olga Kornievskaia, J. Bruce Fields,
	Donald Buczek

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: J. Bruce Fields <bfields@redhat.com>

commit 085def3ade52f2ffe3e31f42e98c27dcc222dd37 upstream.

Currently our handling of 4.1+ requests without "cachethis" set is
confusing and not quite correct.

Suppose a client sends a compound consisting of only a single SEQUENCE
op, and it matches the seqid in a session slot (so it's a retry), but
the previous request with that seqid did not have "cachethis" set.

The obvious thing to do might be to return NFS4ERR_RETRY_UNCACHED_REP,
but the protocol only allows that to be returned on the op following the
SEQUENCE, and there is no such op in this case.

The protocol permits us to cache replies even if the client didn't ask
us to.  And it's easy to do so in the case of solo SEQUENCE compounds.

So, when we get a solo SEQUENCE, we can either return the previously
cached reply or NFSERR_SEQ_FALSE_RETRY if we notice it differs in some
way from the original call.

Currently, we're returning a corrupt reply in the case a solo SEQUENCE
matches a previous compound with more ops.  This actually matters
because the Linux client recently started doing this as a way to recover
from lost replies to idempotent operations in the case the process doing
the original reply was killed: in that case it's difficult to keep the
original arguments around to do a real retry, and the client no longer
cares what the result is anyway, but it would like to make sure that the
slot's sequence id has been incremented, and the solo SEQUENCE assures
that: if the server never got the original reply, it will increment the
sequence id.  If it did get the original reply, it won't increment, and
nothing else that about the reply really matters much.  But we can at
least attempt to return valid xdr!

Tested-by: Olga Kornievskaia <aglo@umich.edu>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Donald Buczek <buczek@molgen.mpg.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4state.c |   20 +++++++++++++++-----
 fs/nfsd/state.h     |    1 +
 fs/nfsd/xdr4.h      |   13 +++++++++++--
 3 files changed, 27 insertions(+), 7 deletions(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -2331,14 +2331,16 @@ nfsd4_store_cache_entry(struct nfsd4_com
 
 	dprintk("--> %s slot %p\n", __func__, slot);
 
+	slot->sl_flags |= NFSD4_SLOT_INITIALIZED;
 	slot->sl_opcnt = resp->opcnt;
 	slot->sl_status = resp->cstate.status;
 
-	slot->sl_flags |= NFSD4_SLOT_INITIALIZED;
-	if (nfsd4_not_cached(resp)) {
-		slot->sl_datalen = 0;
+	if (!nfsd4_cache_this(resp)) {
+		slot->sl_flags &= ~NFSD4_SLOT_CACHED;
 		return;
 	}
+	slot->sl_flags |= NFSD4_SLOT_CACHED;
+
 	base = resp->cstate.data_offset;
 	slot->sl_datalen = buf->len - base;
 	if (read_bytes_from_xdr_buf(buf, base, slot->sl_data, slot->sl_datalen))
@@ -2365,8 +2367,16 @@ nfsd4_enc_sequence_replay(struct nfsd4_c
 	op = &args->ops[resp->opcnt - 1];
 	nfsd4_encode_operation(resp, op);
 
-	/* Return nfserr_retry_uncached_rep in next operation. */
-	if (args->opcnt > 1 && !(slot->sl_flags & NFSD4_SLOT_CACHETHIS)) {
+	if (slot->sl_flags & NFSD4_SLOT_CACHED)
+		return op->status;
+	if (args->opcnt == 1) {
+		/*
+		 * The original operation wasn't a solo sequence--we
+		 * always cache those--so this retry must not match the
+		 * original:
+		 */
+		op->status = nfserr_seq_false_retry;
+	} else {
 		op = &args->ops[resp->opcnt++];
 		op->status = nfserr_retry_uncached_rep;
 		nfsd4_encode_operation(resp, op);
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -174,6 +174,7 @@ struct nfsd4_slot {
 #define NFSD4_SLOT_INUSE	(1 << 0)
 #define NFSD4_SLOT_CACHETHIS	(1 << 1)
 #define NFSD4_SLOT_INITIALIZED	(1 << 2)
+#define NFSD4_SLOT_CACHED	(1 << 3)
 	u8	sl_flags;
 	char	sl_data[];
 };
--- a/fs/nfsd/xdr4.h
+++ b/fs/nfsd/xdr4.h
@@ -651,9 +651,18 @@ static inline bool nfsd4_is_solo_sequenc
 	return resp->opcnt == 1 && args->ops[0].opnum == OP_SEQUENCE;
 }
 
-static inline bool nfsd4_not_cached(struct nfsd4_compoundres *resp)
+/*
+ * The session reply cache only needs to cache replies that the client
+ * actually asked us to.  But it's almost free for us to cache compounds
+ * consisting of only a SEQUENCE op, so we may as well cache those too.
+ * Also, the protocol doesn't give us a convenient response in the case
+ * of a replay of a solo SEQUENCE op that wasn't cached
+ * (RETRY_UNCACHED_REP can only be returned in the second op of a
+ * compound).
+ */
+static inline bool nfsd4_cache_this(struct nfsd4_compoundres *resp)
 {
-	return !(resp->cstate.slot->sl_flags & NFSD4_SLOT_CACHETHIS)
+	return (resp->cstate.slot->sl_flags & NFSD4_SLOT_CACHETHIS)
 		|| nfsd4_is_solo_sequence(resp);
 }
 



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 203/205] nfsd4: catch some false session retries
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2019-02-11 14:20 ` [PATCH 4.14 202/205] nfsd4: fix cached replies to solo SEQUENCE compounds Greg Kroah-Hartman
@ 2019-02-11 14:20 ` Greg Kroah-Hartman
  2019-02-11 14:20 ` [PATCH 4.14 204/205] IB/hfi1: Add limit test for RC/UC send via loopback Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olga Kornievskaia, J. Bruce Fields,
	Donald Buczek

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: J. Bruce Fields <bfields@redhat.com>

commit 53da6a53e1d414e05759fa59b7032ee08f4e22d7 upstream.

The spec allows us to return NFS4ERR_SEQ_FALSE_RETRY if we notice that
the client is making a call that matches a previous (slot, seqid) pair
but that *isn't* actually a replay, because some detail of the call
doesn't actually match the previous one.

Catching every such case is difficult, but we may as well catch a few
easy ones.  This also handles the case described in the previous patch,
in a different way.

The spec does however require us to catch the case where the difference
is in the rpc credentials.  This prevents somebody from snooping another
user's replies by fabricating retries.

(But the practical value of the attack is limited by the fact that the
replies with the most sensitive data are READ replies, which are not
normally cached.)

Tested-by: Olga Kornievskaia <aglo@umich.edu>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Donald Buczek <buczek@molgen.mpg.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4state.c |   37 ++++++++++++++++++++++++++++++++++++-
 fs/nfsd/state.h     |    1 +
 2 files changed, 37 insertions(+), 1 deletion(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1472,8 +1472,10 @@ free_session_slots(struct nfsd4_session
 {
 	int i;
 
-	for (i = 0; i < ses->se_fchannel.maxreqs; i++)
+	for (i = 0; i < ses->se_fchannel.maxreqs; i++) {
+		free_svc_cred(&ses->se_slots[i]->sl_cred);
 		kfree(ses->se_slots[i]);
+	}
 }
 
 /*
@@ -2334,6 +2336,8 @@ nfsd4_store_cache_entry(struct nfsd4_com
 	slot->sl_flags |= NFSD4_SLOT_INITIALIZED;
 	slot->sl_opcnt = resp->opcnt;
 	slot->sl_status = resp->cstate.status;
+	free_svc_cred(&slot->sl_cred);
+	copy_cred(&slot->sl_cred, &resp->rqstp->rq_cred);
 
 	if (!nfsd4_cache_this(resp)) {
 		slot->sl_flags &= ~NFSD4_SLOT_CACHED;
@@ -3040,6 +3044,34 @@ static bool nfsd4_request_too_big(struct
 	return xb->len > session->se_fchannel.maxreq_sz;
 }
 
+static bool replay_matches_cache(struct svc_rqst *rqstp,
+		 struct nfsd4_sequence *seq, struct nfsd4_slot *slot)
+{
+	struct nfsd4_compoundargs *argp = rqstp->rq_argp;
+
+	if ((bool)(slot->sl_flags & NFSD4_SLOT_CACHETHIS) !=
+	    (bool)seq->cachethis)
+		return false;
+	/*
+	 * If there's an error than the reply can have fewer ops than
+	 * the call.  But if we cached a reply with *more* ops than the
+	 * call you're sending us now, then this new call is clearly not
+	 * really a replay of the old one:
+	 */
+	if (slot->sl_opcnt < argp->opcnt)
+		return false;
+	/* This is the only check explicitly called by spec: */
+	if (!same_creds(&rqstp->rq_cred, &slot->sl_cred))
+		return false;
+	/*
+	 * There may be more comparisons we could actually do, but the
+	 * spec doesn't require us to catch every case where the calls
+	 * don't match (that would require caching the call as well as
+	 * the reply), so we don't bother.
+	 */
+	return true;
+}
+
 __be32
 nfsd4_sequence(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 		union nfsd4_op_u *u)
@@ -3099,6 +3131,9 @@ nfsd4_sequence(struct svc_rqst *rqstp, s
 		status = nfserr_seq_misordered;
 		if (!(slot->sl_flags & NFSD4_SLOT_INITIALIZED))
 			goto out_put_session;
+		status = nfserr_seq_false_retry;
+		if (!replay_matches_cache(rqstp, seq, slot))
+			goto out_put_session;
 		cstate->slot = slot;
 		cstate->session = session;
 		cstate->clp = clp;
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -169,6 +169,7 @@ static inline struct nfs4_delegation *de
 struct nfsd4_slot {
 	u32	sl_seqid;
 	__be32	sl_status;
+	struct svc_cred sl_cred;
 	u32	sl_datalen;
 	u16	sl_opcnt;
 #define NFSD4_SLOT_INUSE	(1 << 0)



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 204/205] IB/hfi1: Add limit test for RC/UC send via loopback
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2019-02-11 14:20 ` [PATCH 4.14 203/205] nfsd4: catch some false session retries Greg Kroah-Hartman
@ 2019-02-11 14:20 ` Greg Kroah-Hartman
  2019-02-11 14:20 ` [PATCH 4.14 205/205] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu() Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael J. Ruhl, Mike Marciniszyn,
	Dennis Dalessandro, Jason Gunthorpe

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

commit 09ce351dff8e7636af0beb72cd4a86c3904a0500 upstream.

Fix potential memory corruption and panic in loopback for IB_WR_SEND
variants.

The code blindly assumes the posted length will fit in the fetched rwqe,
which is not a valid assumption.

Fix by adding a limit test, and triggering the appropriate send completion
and putting the QP in an error state.  This mimics the handling for
non-loopback QPs.

Fixes: 15703461533a ("IB/{hfi1, qib, rdmavt}: Move ruc_loopback to rdmavt")
Cc: <stable@vger.kernel.org> #v4.20+
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>

---
 drivers/infiniband/hw/hfi1/ruc.c    |    7 ++++++-
 drivers/infiniband/hw/qib/qib_ruc.c |    7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/hfi1/ruc.c
+++ b/drivers/infiniband/hw/hfi1/ruc.c
@@ -440,6 +440,8 @@ send:
 			goto op_err;
 		if (!ret)
 			goto rnr_nak;
+		if (wqe->length > qp->r_len)
+			goto inv_err;
 		break;
 
 	case IB_WR_RDMA_WRITE_WITH_IMM:
@@ -607,7 +609,10 @@ op_err:
 	goto err;
 
 inv_err:
-	send_status = IB_WC_REM_INV_REQ_ERR;
+	send_status =
+		sqp->ibqp.qp_type == IB_QPT_RC ?
+			IB_WC_REM_INV_REQ_ERR :
+			IB_WC_SUCCESS;
 	wc.status = IB_WC_LOC_QP_OP_ERR;
 	goto err;
 
--- a/drivers/infiniband/hw/qib/qib_ruc.c
+++ b/drivers/infiniband/hw/qib/qib_ruc.c
@@ -425,6 +425,8 @@ again:
 			goto op_err;
 		if (!ret)
 			goto rnr_nak;
+		if (wqe->length > qp->r_len)
+			goto inv_err;
 		break;
 
 	case IB_WR_RDMA_WRITE_WITH_IMM:
@@ -585,7 +587,10 @@ op_err:
 	goto err;
 
 inv_err:
-	send_status = IB_WC_REM_INV_REQ_ERR;
+	send_status =
+		sqp->ibqp.qp_type == IB_QPT_RC ?
+			IB_WC_REM_INV_REQ_ERR :
+			IB_WC_SUCCESS;
 	wc.status = IB_WC_LOC_QP_OP_ERR;
 	goto err;
 



^ permalink raw reply	[flat|nested] 215+ messages in thread

* [PATCH 4.14 205/205] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu()
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2019-02-11 14:20 ` [PATCH 4.14 204/205] IB/hfi1: Add limit test for RC/UC send via loopback Greg Kroah-Hartman
@ 2019-02-11 14:20 ` Greg Kroah-Hartman
  2019-02-12  6:30 ` [PATCH 4.14 000/205] 4.14.99-stable review Naresh Kamboju
                   ` (3 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-11 14:20 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, He Zhe, Sebastian Andrzej Siewior,
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, acme, bp, hpa,
	jolsa, kan.liang, namhyung, Ingo Molnar

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 602cae04c4864bb3487dfe4c2126c8d9e7e1614a upstream.

intel_pmu_cpu_prepare() allocated memory for ->shared_regs among other
members of struct cpu_hw_events. This memory is released in
intel_pmu_cpu_dying() which is wrong. The counterpart of the
intel_pmu_cpu_prepare() callback is x86_pmu_dead_cpu().

Otherwise if the CPU fails on the UP path between CPUHP_PERF_X86_PREPARE
and CPUHP_AP_PERF_X86_STARTING then it won't release the memory but
allocate new memory on the next attempt to online the CPU (leaking the
old memory).
Also, if the CPU down path fails between CPUHP_AP_PERF_X86_STARTING and
CPUHP_PERF_X86_PREPARE then the CPU will go back online but never
allocate the memory that was released in x86_pmu_dying_cpu().

Make the memory allocation/free symmetrical in regard to the CPU hotplug
notifier by moving the deallocation to intel_pmu_cpu_dead().

This started in commit:

   a7e3ed1e47011 ("perf: Add support for supplementary event registers").

In principle the bug was introduced in v2.6.39 (!), but it will almost
certainly not backport cleanly across the big CPU hotplug rewrite between v4.7-v4.15...

[ bigeasy: Added patch description. ]
[ mingo: Added backporting guidance. ]

Reported-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> # With developer hat on
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> # With maintainer hat on
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: acme@kernel.org
Cc: bp@alien8.de
Cc: hpa@zytor.com
Cc: jolsa@kernel.org
Cc: kan.liang@linux.intel.com
Cc: namhyung@kernel.org
Cc: <stable@vger.kernel.org>
Fixes: a7e3ed1e47011 ("perf: Add support for supplementary event registers").
Link: https://lkml.kernel.org/r/20181219165350.6s3jvyxbibpvlhtq@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ He Zhe: Fixes conflict caused by missing disable_counter_freeze which is
 introduced since v4.20 af3bdb991a5cb. ]
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/core.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -3420,6 +3420,11 @@ static void free_excl_cntrs(int cpu)
 
 static void intel_pmu_cpu_dying(int cpu)
 {
+	fini_debug_store_on_cpu(cpu);
+}
+
+static void intel_pmu_cpu_dead(int cpu)
+{
 	struct cpu_hw_events *cpuc = &per_cpu(cpu_hw_events, cpu);
 	struct intel_shared_regs *pc;
 
@@ -3431,8 +3436,6 @@ static void intel_pmu_cpu_dying(int cpu)
 	}
 
 	free_excl_cntrs(cpu);
-
-	fini_debug_store_on_cpu(cpu);
 }
 
 static void intel_pmu_sched_task(struct perf_event_context *ctx,
@@ -3521,6 +3524,7 @@ static __initconst const struct x86_pmu
 	.cpu_prepare		= intel_pmu_cpu_prepare,
 	.cpu_starting		= intel_pmu_cpu_starting,
 	.cpu_dying		= intel_pmu_cpu_dying,
+	.cpu_dead		= intel_pmu_cpu_dead,
 };
 
 static struct attribute *intel_pmu_attrs[];
@@ -3560,6 +3564,8 @@ static __initconst const struct x86_pmu
 	.cpu_prepare		= intel_pmu_cpu_prepare,
 	.cpu_starting		= intel_pmu_cpu_starting,
 	.cpu_dying		= intel_pmu_cpu_dying,
+	.cpu_dead		= intel_pmu_cpu_dead,
+
 	.guest_get_msrs		= intel_guest_get_msrs,
 	.sched_task		= intel_pmu_sched_task,
 };



^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: [PATCH 4.14 000/205] 4.14.99-stable review
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2019-02-11 14:20 ` [PATCH 4.14 205/205] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu() Greg Kroah-Hartman
@ 2019-02-12  6:30 ` Naresh Kamboju
  2019-02-12 10:19 ` Jon Hunter
                   ` (2 subsequent siblings)
  208 siblings, 0 replies; 215+ messages in thread
From: Naresh Kamboju @ 2019-02-12  6:30 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Mon, 11 Feb 2019 at 20:25, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.14.99 release.
> There are 205 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Feb 13 14:17:19 UTC 2019.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.99-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.14.99-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: 151d6387b56840f9daaf468ec2212d2ac9ccc047
git describe: v4.14.98-206-g151d6387b568
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.98-206-g151d6387b568

No regressions (compared to build v4.14.98)

No fixes (compared to build v4.14.98)


Ran 22227 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* boot
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* spectre-meltdown-checker-test
* ltp-timers-tests
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: [PATCH 4.14 000/205] 4.14.99-stable review
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2019-02-12  6:30 ` [PATCH 4.14 000/205] 4.14.99-stable review Naresh Kamboju
@ 2019-02-12 10:19 ` Jon Hunter
  2019-02-12 18:39   ` Greg Kroah-Hartman
  2019-02-12 15:41 ` shuah
  2019-02-12 16:40 ` Guenter Roeck
  208 siblings, 1 reply; 215+ messages in thread
From: Jon Hunter @ 2019-02-12 10:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 11/02/2019 14:16, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.99 release.
> There are 205 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Feb 13 14:17:19 UTC 2019.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.99-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
All tests are passing for Tegra ...

Test results for stable-v4.14:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    14 tests:	14 pass, 0 fail

Linux version:	4.14.99-rc1-g151d638
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

BTW, I did not seem to receive a 'stable review' for v4.4.175-rc1. I am
not sure if it is just me, but that last one I see in the archive for
v4.4 [0] is v4.4-174-rc1.

Cheers
Jon

[0] https://www.spinics.net/lists/stable/

-- 
nvpublic

^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: [PATCH 4.14 000/205] 4.14.99-stable review
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2019-02-12 10:19 ` Jon Hunter
@ 2019-02-12 15:41 ` shuah
  2019-02-12 16:40 ` Guenter Roeck
  208 siblings, 0 replies; 215+ messages in thread
From: shuah @ 2019-02-12 15:41 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 2/11/19 7:16 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.99 release.
> There are 205 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Feb 13 14:17:19 UTC 2019.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.99-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: [PATCH 4.14 000/205] 4.14.99-stable review
  2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2019-02-12 15:41 ` shuah
@ 2019-02-12 16:40 ` Guenter Roeck
  208 siblings, 0 replies; 215+ messages in thread
From: Guenter Roeck @ 2019-02-12 16:40 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage, stable

On 2/11/19 6:16 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.99 release.
> There are 205 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Feb 13 14:17:19 UTC 2019.
> Anything received after that time might be too late.
> 

Build results:
	total: 172 pass: 172 fail: 0
Qemu test results:
	total: 328 pass: 328 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: [PATCH 4.14 000/205] 4.14.99-stable review
  2019-02-12 10:19 ` Jon Hunter
@ 2019-02-12 18:39   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-12 18:39 UTC (permalink / raw)
  To: Jon Hunter
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable, linux-tegra

On Tue, Feb 12, 2019 at 10:19:57AM +0000, Jon Hunter wrote:
> 
> On 11/02/2019 14:16, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.14.99 release.
> > There are 205 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Wed Feb 13 14:17:19 UTC 2019.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.99-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> All tests are passing for Tegra ...
> 
> Test results for stable-v4.14:
>     8 builds:	8 pass, 0 fail
>     16 boots:	16 pass, 0 fail
>     14 tests:	14 pass, 0 fail
> 
> Linux version:	4.14.99-rc1-g151d638
> Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
>                 tegra210-p2371-2180, tegra30-cardhu-a04

Thanks for testing 2 of these.

> BTW, I did not seem to receive a 'stable review' for v4.4.175-rc1. I am
> not sure if it is just me, but that last one I see in the archive for
> v4.4 [0] is v4.4-174-rc1.

No, I didn't do a "real" 4.4-rc just yet, I wanted to get these 4
kernels out first.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes
  2019-02-11 14:19 ` [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes Greg Kroah-Hartman
@ 2019-02-13 13:03   ` Rantala, Tommi T. (Nokia - FI/Espoo)
  2019-02-13 13:10     ` Suspected SPAM - " Rantala, Tommi T. (Nokia - FI/Espoo)
  2019-02-13 13:13     ` Peter Zijlstra
  0 siblings, 2 replies; 215+ messages in thread
From: Rantala, Tommi T. (Nokia - FI/Espoo) @ 2019-02-13 13:03 UTC (permalink / raw)
  To: linux-kernel, gregkh
  Cc: mingo, peterz, jolsa, torvalds, tglx, stable, namhyung,
	mark.rutland, acme, alexander.shishkin, julien.thierry

On Mon, 2019-02-11 at 15:19 +0100, Greg Kroah-Hartman wrote:
> 4.14-stable review patch.  If anyone has any objections, please let
> me know.
> 
> ------------------
> 
> From: Mark Rutland <mark.rutland@arm.com>
> 
> commit 9dff0aa95a324e262ffb03f425d00e4751f3294e upstream.
> 
> The perf tool uses /proc/sys/kernel/perf_event_mlock_kb to determine
> how
> large its ringbuffer mmap should be. This can be configured to
> arbitrary
> values, which can be larger than the maximum possible allocation from
> kmalloc.
> 
> When this is configured to a suitably large value (e.g. thanks to the
> perf fuzzer), attempting to use perf record triggers a WARN_ON_ONCE()
> in
> __alloc_pages_nodemask():
> 
>    WARNING: CPU: 2 PID: 5666 at mm/page_alloc.c:4511
> __alloc_pages_nodemask+0x3f8/0xbc8
> 
> Let's avoid this by checking that the requested allocation is
> possible
> before calling kzalloc.

Hi,

Perf tool is broken for me in 4.14.99 (running in x86_64 VM), bisection
points to this patch.

# perf top
Error:
Failed to mmap with 12 (Cannot allocate memory)

# perf trace
Cannot allocate memory

# strace -T -tt -f -y perf top
[...]
14:22:09.829544 openat(AT_FDCWD,
"/proc/sys/kernel/perf_event_mlock_kb", O_RDONLY) =
18</proc/sys/kernel/perf_event_mlock_kb> <0.000015>
14:22:09.829612 read(18</proc/sys/kernel/perf_event_mlock_kb>, "516\n",
64) = 4 <0.000011>
14:22:09.829655 close(18</proc/sys/kernel/perf_event_mlock_kb>) = 0
<0.000008>
14:22:09.829702 mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_SHARED,
3<anon_inode:[perf_event]>, 0) = -1 ENOMEM (Cannot allocate memory)
<0.000015>
14:22:09.829763 write(2</dev/pts/0>, "Error:\n", 7) = 7 <0.000009>
14:22:09.829810 write(2</dev/pts/0>, "Failed to mmap with 12 (Cannot
a"..., 48) = 48 <0.000008>


Changing the patch like this fixes it...

-       if (order_base_2(size) >= MAX_ORDER)
+       if (order_base_2(size) > MAX_ORDER)

-Tommi


> Reported-by: Julien Thierry <julien.thierry@arm.com>
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Reviewed-by: Julien Thierry <julien.thierry@arm.com>
> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Jiri Olsa <jolsa@redhat.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Namhyung Kim <namhyung@kernel.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: <stable@vger.kernel.org>
> Link: 
> https://lkml.kernel.org/r/20190110142745.25495-1-mark.rutland@arm.com
> Signed-off-by: Ingo Molnar <mingo@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  kernel/events/ring_buffer.c |    3 +++
>  1 file changed, 3 insertions(+)
> 
> --- a/kernel/events/ring_buffer.c
> +++ b/kernel/events/ring_buffer.c
> @@ -719,6 +719,9 @@ struct ring_buffer *rb_alloc(int nr_page
>  	size = sizeof(struct ring_buffer);
>  	size += nr_pages * sizeof(void *);
>  
> +	if (order_base_2(size) >= MAX_ORDER)
> +		goto fail;
> +
>  	rb = kzalloc(size, GFP_KERNEL);
>  	if (!rb)
>  		goto fail;
> 
> 


^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: Suspected SPAM - Re: [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes
  2019-02-13 13:03   ` Rantala, Tommi T. (Nokia - FI/Espoo)
@ 2019-02-13 13:10     ` " Rantala, Tommi T. (Nokia - FI/Espoo)
  2019-02-13 13:13     ` Peter Zijlstra
  1 sibling, 0 replies; 215+ messages in thread
From: Rantala, Tommi T. (Nokia - FI/Espoo) @ 2019-02-13 13:10 UTC (permalink / raw)
  To: linux-kernel, gregkh
  Cc: mingo, peterz, jolsa, torvalds, tglx, stable, namhyung,
	mark.rutland, acme, alexander.shishkin, julien.thierry

On Wed, 2019-02-13 at 13:03 +0000, Rantala, Tommi T. (Nokia - FI/Espoo)
wrote:
> On Mon, 2019-02-11 at 15:19 +0100, Greg Kroah-Hartman wrote:
> > 4.14-stable review patch.  If anyone has any objections, please let
> > me know.
> > 
> > ------------------
> > 
> > From: Mark Rutland <mark.rutland@arm.com>
> > 
> > commit 9dff0aa95a324e262ffb03f425d00e4751f3294e upstream.
> > 
> > The perf tool uses /proc/sys/kernel/perf_event_mlock_kb to
> > determine
> > how
> > large its ringbuffer mmap should be. This can be configured to
> > arbitrary
> > values, which can be larger than the maximum possible allocation
> > from
> > kmalloc.
> > 
> > When this is configured to a suitably large value (e.g. thanks to
> > the
> > perf fuzzer), attempting to use perf record triggers a
> > WARN_ON_ONCE()
> > in
> > __alloc_pages_nodemask():
> > 
> >    WARNING: CPU: 2 PID: 5666 at mm/page_alloc.c:4511
> > __alloc_pages_nodemask+0x3f8/0xbc8
> > 
> > Let's avoid this by checking that the requested allocation is
> > possible
> > before calling kzalloc.
> 
> Hi,
> 
> Perf tool is broken for me in 4.14.99 (running in x86_64 VM),
> bisection
> points to this patch.

... and I see there's a fix available:

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=528871b456026e6127d95b1b2bd8e3a003dc1614

-Tommi

> 
> 
> > Reported-by: Julien Thierry <julien.thierry@arm.com>
> > Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> > Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> > Reviewed-by: Julien Thierry <julien.thierry@arm.com>
> > Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
> > Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> > Cc: Jiri Olsa <jolsa@redhat.com>
> > Cc: Linus Torvalds <torvalds@linux-foundation.org>
> > Cc: Namhyung Kim <namhyung@kernel.org>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Thomas Gleixner <tglx@linutronix.de>
> > Cc: <stable@vger.kernel.org>
> > Link: 
> > https://lkml.kernel.org/r/20190110142745.25495-1-mark.rutland@arm.com
> > Signed-off-by: Ingo Molnar <mingo@kernel.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > ---
> >  kernel/events/ring_buffer.c |    3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > --- a/kernel/events/ring_buffer.c
> > +++ b/kernel/events/ring_buffer.c
> > @@ -719,6 +719,9 @@ struct ring_buffer *rb_alloc(int nr_page
> >  	size = sizeof(struct ring_buffer);
> >  	size += nr_pages * sizeof(void *);
> >  
> > +	if (order_base_2(size) >= MAX_ORDER)
> > +		goto fail;
> > +
> >  	rb = kzalloc(size, GFP_KERNEL);
> >  	if (!rb)
> >  		goto fail;
> > 
> > 


^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes
  2019-02-13 13:03   ` Rantala, Tommi T. (Nokia - FI/Espoo)
  2019-02-13 13:10     ` Suspected SPAM - " Rantala, Tommi T. (Nokia - FI/Espoo)
@ 2019-02-13 13:13     ` Peter Zijlstra
  2019-02-13 18:08       ` Linus Torvalds
  1 sibling, 1 reply; 215+ messages in thread
From: Peter Zijlstra @ 2019-02-13 13:13 UTC (permalink / raw)
  To: Rantala, Tommi T. (Nokia - FI/Espoo)
  Cc: linux-kernel, gregkh, mingo, jolsa, torvalds, tglx, stable,
	namhyung, mark.rutland, acme, alexander.shishkin, julien.thierry

On Wed, Feb 13, 2019 at 01:03:39PM +0000, Rantala, Tommi T. (Nokia - FI/Espoo) wrote:
> Changing the patch like this fixes it...
> 
> -       if (order_base_2(size) >= MAX_ORDER)
> +       if (order_base_2(size) > MAX_ORDER)

That's wrong too..

There is this queued:

  http://lkml.kernel.org/r/tip-528871b456026e6127d95b1b2bd8e3a003dc1614@git.kernel.org

^ permalink raw reply	[flat|nested] 215+ messages in thread

* Re: [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes
  2019-02-13 13:13     ` Peter Zijlstra
@ 2019-02-13 18:08       ` Linus Torvalds
  0 siblings, 0 replies; 215+ messages in thread
From: Linus Torvalds @ 2019-02-13 18:08 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Rantala, Tommi T. (Nokia - FI/Espoo),
	linux-kernel, gregkh, mingo, jolsa, tglx, stable, namhyung,
	mark.rutland, acme, alexander.shishkin, julien.thierry

On Wed, Feb 13, 2019 at 5:13 AM Peter Zijlstra <peterz@infradead.org> wrote:
>
> There is this queued:
>
>   http://lkml.kernel.org/r/tip-528871b456026e6127d95b1b2bd8e3a003dc1614@git.kernel.org

I think it would likely have been better to just remove the test
entirely, and instead just use __GFP_NOWARN.

This is an allocation essentially done for the user (as part of
mmap(), and we handle the failure case fine. So it doesn't matter
whether the warning is due to being out of memory or being a bad size,
we shouldn't cause a kernel warning.

That said, I think we should *indepdendently* have some sane limit for
"nr_pages", simply because we do that

        ...
        for (i = 0; i < nr_pages; i++) {
                rb->data_pages[i] = perf_mmap_alloc_page(cpu);

thing, which is really really expensive when "nr_pages" is in the
thousands (or millions). The fact that we end up almost _accidentally_
limiting nr_pages simply because the kzmalloc() size is limited is I
think a mistake.

So I'd rather see __GFP_NORWARN _and_ some kind of "don't allow crazy
perf ring buffers" check that is separate and independent from any
kmalloc issue..

For example, right now the maximum size you can allocate is (insanely)
tied to the page size. With a bigger page size, not only do you get a
bigger ring buffer anyway, but you also get more 'nr_pages', so it's
basically quadratic behavior. Does that make sense? It doesn't sound
that way to me.

                  Linus

^ permalink raw reply	[flat|nested] 215+ messages in thread

end of thread, back to index

Thread overview: 215+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-11 14:16 [PATCH 4.14 000/205] 4.14.99-stable review Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 001/205] drm/bufs: Fix Spectre v1 vulnerability Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 002/205] staging: iio: adc: ad7280a: handle error from __ad7280_read32() Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 003/205] drm/vgem: Fix vgem_init to get drm device available Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 004/205] pinctrl: bcm2835: Use raw spinlock for RT compatibility Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 005/205] ASoC: Intel: mrfld: fix uninitialized variable access Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 006/205] gpu: ipu-v3: image-convert: Prevent race between run and unprepare Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 007/205] ath9k: dynack: use authentication messages for late ack Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 008/205] scsi: lpfc: Correct LCB RJT handling Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 009/205] scsi: mpt3sas: Call sas_remove_host before removing the target devices Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 010/205] scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 011/205] ARM: 8808/1: kexec:offline panic_smp_self_stop CPU Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 012/205] clk: boston: fix possible memory leak in clk_boston_setup() Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 013/205] dlm: Dont swamp the CPU with callbacks queued during recovery Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 014/205] x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 015/205] powerpc/pseries: add of_node_put() in dlpar_detach_node() Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 016/205] crypto: aes_ti - disable interrupts while accessing S-box Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 017/205] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 018/205] serial: fsl_lpuart: clear parity enable bit when disable parity Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 019/205] ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 020/205] MIPS: Boston: Disable EG20T prefetch Greg Kroah-Hartman
2019-02-11 14:16 ` [PATCH 4.14 021/205] staging:iio:ad2s90: Make probe handle spi_setup failure Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 022/205] fpga: altera-cvp: Fix registration for CvP incapable devices Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 023/205] Tools: hv: kvp: Fix a warning of buffer overflow with gcc 8.0.1 Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 024/205] platform/chrome: dont report EC_MKBP_EVENT_SENSOR_FIFO as wakeup Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 025/205] staging: iio: ad7780: update voltage on read Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 026/205] usbnet: smsc95xx: fix rx packet alignment Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 027/205] drm/rockchip: fix for mailbox read size Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 028/205] ARM: OMAP2+: hwmod: Fix some section annotations Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 029/205] net/mlx5: EQ, Use the right place to store/read IRQ affinity hint Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 030/205] modpost: validate symbol names also in find_elf_symbol Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 031/205] perf tools: Add Hygon Dhyana support Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 032/205] soc/tegra: Dont leak device tree node reference Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 033/205] media: mtk-vcodec: Release device nodes in mtk_vcodec_init_enc_pm() Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 034/205] ptp: Fix pass zero to ERR_PTR() in ptp_clock_register Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 035/205] dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 036/205] iio: adc: meson-saradc: check for devm_kasprintf failure Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 037/205] iio: adc: meson-saradc: fix internal clock names Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 038/205] iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 039/205] media: adv*/tc358743/ths8200: fill in min width/height/pixelclock Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 040/205] ACPI: SPCR: Consider baud rate 0 as preconfigured state Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 041/205] staging: pi433: fix potential null dereference Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 042/205] f2fs: move dir data flush to write checkpoint process Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 043/205] f2fs: avoid build warn of fall_through Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 044/205] f2fs: fix race between write_checkpoint and write_begin Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 045/205] f2fs: fix wrong return value of f2fs_acl_create Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 046/205] i2c: sh_mobile: add support for r8a77990 (R-Car E3) Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 047/205] arm64: io: Ensure calls to delay routines are ordered against prior readX() Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 048/205] sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 049/205] soc: bcm: brcmstb: Dont leak device tree node reference Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 050/205] nfsd4: fix crash on writing v4_end_grace before nfsd startup Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 051/205] drm: Clear state->acquire_ctx before leaving drm_atomic_helper_commit_duplicated_state() Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 052/205] arm64: io: Ensure value passed to __iormb() is held in a 64-bit register Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 053/205] Thermal: do not clear passive state during system sleep Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 054/205] firmware/efi: Add NULL pointer checks in efivars API functions Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 055/205] s390/zcrypt: improve special ap message cmd handling Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 056/205] arm64: ftrace: dont adjust the LR value Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 057/205] ARM: dts: mmp2: fix TWSI2 Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 058/205] ARM: mmp/mmp2: dt: enable the clock Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 059/205] x86/fpu: Add might_fault() to user_insn() Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 060/205] media: DaVinci-VPBE: fix error handling in vpbe_initialize() Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 061/205] smack: fix access permissions for keyring Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 062/205] usb: dwc3: Correct the logic for checking TRB full in __dwc3_prepare_one_trb() Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 063/205] usb: hub: delay hub autosuspend if USB3 port is still link training Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 064/205] timekeeping: Use proper seqcount initializer Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 065/205] usb: mtu3: fix the issue about SetFeature(U1/U2_Enable) Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 066/205] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module clocks Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 067/205] driver core: Move async_synchronize_full call Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 068/205] kobject: return error code if writing /sys/.../uevent fails Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 069/205] IB/hfi1: Unreserve a reserved request when it is completed Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 070/205] usb: dwc3: trace: add missing break statement to make compiler happy Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 071/205] pinctrl: sx150x: handle failure case of devm_kstrdup Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 072/205] iommu/amd: Fix amd_iommu=force_isolation Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 073/205] ARM: dts: Fix OMAP4430 SDP Ethernet startup Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 074/205] mips: bpf: fix encoding bug for mm_srlv32_op Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 075/205] media: coda: fix H.264 deblocking filter controls Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 076/205] ARM: dts: Fix up the D-Link DIR-685 MTD partition info Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 077/205] tracing: Have trace_stack nr_entries compare not be so subtle Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 078/205] watchdog: renesas_wdt: dont set divider while watchdog is running Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 079/205] usb: dwc3: gadget: Disable CSP for stream OUT ep Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 080/205] iommu/arm-smmu: Add support for qcom,smmu-v2 variant Greg Kroah-Hartman
2019-02-11 14:17 ` [PATCH 4.14 081/205] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 082/205] sata_rcar: fix deferred probing Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 083/205] clk: imx6sl: ensure MMDC CH0 handshake is bypassed Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 084/205] cpuidle: big.LITTLE: fix refcount leak Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 085/205] OPP: Use opp_table->regulators to verify no regulator case Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 086/205] i2c-axxia: check for error conditions first Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 087/205] phy: sun4i-usb: add support for missing USB PHY index Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 088/205] udf: Fix BUG on corrupted inode Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 089/205] switchtec: Fix SWITCHTEC_IOCTL_EVENT_IDX_ALL flags overwrite Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 090/205] selftests/bpf: use __bpf_constant_htons in test_prog.c Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 091/205] ARM: pxa: avoid section mismatch warning Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 092/205] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 093/205] ARM: mmp: fix timer_init calls Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 094/205] KVM: PPC: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv machines Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 095/205] mmc: bcm2835: Recover from MMC_SEND_EXT_CSD Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 096/205] mmc: bcm2835: reset host on timeout Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 097/205] memstick: Prevent memstick host from getting runtime suspended during card detection Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 098/205] mmc: sdhci-of-esdhc: Fix timeout checks Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 099/205] mmc: sdhci-xenon: " Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 100/205] tty: serial: samsung: Properly set flags in autoCTS mode Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 101/205] perf test: Fix perf_event_attr test failure Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 102/205] perf header: Fix unchecked usage of strncpy() Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 103/205] perf probe: " Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 104/205] KVM: s390: unregister debug feature on failing arch init Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 105/205] arm64: KVM: Skip MMIO insn after emulation Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 106/205] usb: musb: dsps: fix otg state machine Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 107/205] percpu: convert spin_lock_irq to spin_lock_irqsave Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 108/205] powerpc/uaccess: fix warning/error with access_ok() Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 109/205] mac80211: fix radiotap vendor presence bitmap handling Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 110/205] xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 111/205] Bluetooth: Fix unnecessary error message for HCI request completion Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 112/205] mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 113/205] scsi: smartpqi: correct host serial num for ssa Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 114/205] scsi: smartpqi: correct volume status Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 115/205] scsi: smartpqi: increase fw status register read timeout Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 116/205] cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 117/205] powerpc/perf: Fix thresholding counter data for unknown type Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 118/205] drbd: narrow rcu_read_lock in drbd_sync_handshake Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 119/205] drbd: disconnect, if the wrong UUIDs are attached on a connected peer Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 120/205] drbd: skip spurious timeout (ping-timeo) when failing promote Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 121/205] drbd: Avoid Clang warning about pointless switch statment Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 122/205] video: clps711x-fb: release disp device node in probe() Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 123/205] md: fix raid10 hang issue caused by barrier Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 124/205] fbdev: fbmem: behave better with small rotated displays and many CPUs Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 125/205] i40e: define proper net_device::neigh_priv_len Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 126/205] igb: Fix an issue that PME is not enabled during runtime suspend Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 127/205] ACPI/APEI: Clear GHES block_status before panic() Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 128/205] fbdev: fbcon: Fix unregister crash when more than one framebuffer Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 129/205] powerpc/mm: Fix reporting of kernel execute faults on the 8xx Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 130/205] pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 131/205] pinctrl: meson: meson8b: " Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 132/205] KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 133/205] powerpc/fadump: Do not allow hot-remove memory from fadump reserved area Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 134/205] kvm: Change offset in kvm_write_guest_offset_cached to unsigned Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 135/205] NFS: nfs_compare_mount_options always compare auth flavors Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 136/205] hwmon: (lm80) fix a missing check of the status of SMBus read Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 137/205] hwmon: (lm80) fix a missing check of bus read in lm80 probe Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 138/205] seq_buf: Make seq_buf_puts() null-terminate the buffer Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 139/205] crypto: ux500 - Use proper enum in cryp_set_dma_transfer Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 140/205] crypto: ux500 - Use proper enum in hash_set_dma_transfer Greg Kroah-Hartman
2019-02-11 14:18 ` [PATCH 4.14 141/205] MIPS: ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8 Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 142/205] cifs: check ntwrk_buf_start for NULL before dereferencing it Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 143/205] um: Avoid marking pages with "changed protection" Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 144/205] niu: fix missing checks of niu_pci_eeprom_read Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 145/205] f2fs: fix sbi->extent_list corruption issue Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 146/205] cgroup: fix parsing empty mount option string Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 147/205] scripts/decode_stacktrace: only strip base path when a prefix of the path Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 148/205] ocfs2: dont clear bh uptodate for block read Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 149/205] ocfs2: improve ocfs2 Makefile Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 150/205] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 151/205] gdrom: fix a memory leak bug Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 152/205] fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address() Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 153/205] block/swim3: Fix -EBUSY error when re-opening device after unmount Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 154/205] thermal: bcm2835: enable hwmon explicitly Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 155/205] kdb: Dont back trace on a cpu that didnt round up Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 156/205] thermal: generic-adc: Fix adc to temp interpolation Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 157/205] HID: lenovo: Add checks to fix of_led_classdev_register Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 158/205] fs/proc/base.c: use ns_capable instead of capable for timerslack_ns Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 159/205] kernel/hung_task.c: break RCU locks based on jiffies Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 160/205] proc/sysctl: fix return error for proc_doulongvec_minmax() Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 161/205] kernel/hung_task.c: force console verbose before panic Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 162/205] fs/epoll: drop ovflist branch prediction Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 163/205] exec: load_script: dont blindly truncate shebang string Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 164/205] scripts/gdb: fix lx-version string output Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 165/205] thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 166/205] dccp: fool proof ccid_hc_[rt]x_parse_options() Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 167/205] enic: fix checksum validation for IPv6 Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 168/205] net: dp83640: expire old TX-skb Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 169/205] rxrpc: bad unlock balance in rxrpc_recvmsg Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 170/205] skge: potential memory corruption in skge_get_regs() Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 171/205] rds: fix refcount bug in rds_sock_addref Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 172/205] net: systemport: Fix WoL with password after deep sleep Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 173/205] net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 174/205] net: dsa: slave: Dont propagate flag changes on down slave interfaces Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 175/205] ALSA: compress: Fix stop handling on compressed capture streams Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 176/205] ALSA: hda - Serialize codec registrations Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 177/205] fuse: call pipe_buf_release() under pipe lock Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 178/205] fuse: decrement NR_WRITEBACK_TEMP on the right page Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 179/205] fuse: handle zero sized retrieve correctly Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 180/205] dmaengine: bcm2835: Fix interrupt race on RT Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 181/205] dmaengine: bcm2835: Fix abort of transactions Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 182/205] dmaengine: imx-dma: fix wrong callback invoke Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 183/205] futex: Handle early deadlock return correctly Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 184/205] irqchip/gic-v3-its: Plug allocation race for devices sharing a DevID Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 185/205] usb: phy: am335x: fix race condition in _probe Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 186/205] usb: dwc3: gadget: Handle 0 xfer length for OUT EP Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 187/205] usb: gadget: udc: net2272: Fix bitwise and boolean operations Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 188/205] usb: gadget: musb: fix short isoc packets with inventra dma Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 189/205] staging: speakup: fix tty-operation NULL derefs Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 190/205] scsi: cxlflash: Prevent deadlock when adapter probe fails Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 191/205] scsi: aic94xx: fix module loading Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 192/205] KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 193/205] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 194/205] KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 195/205] cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 196/205] perf/x86/intel/uncore: Add Node ID mask Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 197/205] x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 198/205] perf/core: Dont WARN() for impossible ring-buffer sizes Greg Kroah-Hartman
2019-02-13 13:03   ` Rantala, Tommi T. (Nokia - FI/Espoo)
2019-02-13 13:10     ` Suspected SPAM - " Rantala, Tommi T. (Nokia - FI/Espoo)
2019-02-13 13:13     ` Peter Zijlstra
2019-02-13 18:08       ` Linus Torvalds
2019-02-11 14:19 ` [PATCH 4.14 199/205] perf tests evsel-tp-sched: Fix bitwise operator Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 200/205] serial: fix race between flush_to_ldisc and tty_open Greg Kroah-Hartman
2019-02-11 14:19 ` [PATCH 4.14 201/205] serial: 8250_pci: Make PCI class test non fatal Greg Kroah-Hartman
2019-02-11 14:20 ` [PATCH 4.14 202/205] nfsd4: fix cached replies to solo SEQUENCE compounds Greg Kroah-Hartman
2019-02-11 14:20 ` [PATCH 4.14 203/205] nfsd4: catch some false session retries Greg Kroah-Hartman
2019-02-11 14:20 ` [PATCH 4.14 204/205] IB/hfi1: Add limit test for RC/UC send via loopback Greg Kroah-Hartman
2019-02-11 14:20 ` [PATCH 4.14 205/205] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu() Greg Kroah-Hartman
2019-02-12  6:30 ` [PATCH 4.14 000/205] 4.14.99-stable review Naresh Kamboju
2019-02-12 10:19 ` Jon Hunter
2019-02-12 18:39   ` Greg Kroah-Hartman
2019-02-12 15:41 ` shuah
2019-02-12 16:40 ` Guenter Roeck

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org stable@archiver.kernel.org
	public-inbox-index stable


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/ public-inbox