- * [PATCH 4.18 001/145] rcu: Make expedited GPs handle CPU 0 being offline
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
@ 2018-09-07 21:07 ` Greg Kroah-Hartman
  2018-09-07 21:07 ` [PATCH 4.18 002/145] net: 6lowpan: fix reserved space for single frames Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Boqun Feng, Paul E. McKenney,
	Aneesh Kumar K.V
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Boqun Feng <boqun.feng@gmail.com>
commit fcc63543650150629c8a873cbef3578770acecd9 upstream.
Currently, the parallelized initialization of expedited grace periods uses
the workqueue associated with each rcu_node structure's ->grplo field.
This works fine unless that CPU is offline.  This commit therefore uses
the CPU corresponding to the lowest-numbered online CPU, or just queues
the work on WORK_CPU_UNBOUND if there are no online CPUs corresponding
to this rcu_node structure.
Note that this patch uses cpu_is_offline() instead of the usual approach
of checking bits in the rcu_node structure's ->qsmaskinitnext field.  This
is safe because preemption is disabled across both the cpu_is_offline()
check and the call to queue_work_on().
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
[ paulmck: Disable preemption to close offline race window. ]
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
[ paulmck: Apply Peter Zijlstra feedback on CPU selection. ]
Tested-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/rcu/tree_exp.h |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
--- a/kernel/rcu/tree_exp.h
+++ b/kernel/rcu/tree_exp.h
@@ -472,6 +472,7 @@ retry_ipi:
 static void sync_rcu_exp_select_cpus(struct rcu_state *rsp,
 				     smp_call_func_t func)
 {
+	int cpu;
 	struct rcu_node *rnp;
 
 	trace_rcu_exp_grace_period(rsp->name, rcu_exp_gp_seq_endval(rsp), TPS("reset"));
@@ -492,7 +493,13 @@ static void sync_rcu_exp_select_cpus(str
 			continue;
 		}
 		INIT_WORK(&rnp->rew.rew_work, sync_rcu_exp_select_node_cpus);
-		queue_work_on(rnp->grplo, rcu_par_gp_wq, &rnp->rew.rew_work);
+		preempt_disable();
+		cpu = cpumask_next(rnp->grplo - 1, cpu_online_mask);
+		/* If all offline, queue the work on an unbound CPU. */
+		if (unlikely(cpu > rnp->grphi))
+			cpu = WORK_CPU_UNBOUND;
+		queue_work_on(cpu, rcu_par_gp_wq, &rnp->rew.rew_work);
+		preempt_enable();
 		rnp->exp_need_flush = true;
 	}
 
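Review bot: The preempt_disable()/preempt_enable() pair around the cpumask_next() lookup and queue_work_on() carries no comment in the code; the only in-code comment covers the WORK_CPU_UNBOUND fallback, and the reason for disabling preemption (closing the window in which the chosen CPU could go offline before the work is queued) lives only in the commit message. Add a one-line comment above preempt_disable() so a later cleanup does not drop it. It would also help to note that the cpu > rnp->grphi test covers both "next online CPU belongs to another rcu_node" and "no online CPU at all", since cpumask_next() returns a value at or above nr_cpu_ids in the latter case. The commit message still describes cpu_is_offline(), while the hunk selects the CPU with cpumask_next() on cpu_online_mask.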
- * [PATCH 4.18 002/145] net: 6lowpan: fix reserved space for single frames
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Palma, Rabi Narayan Sahoo,
	Alexander Aring, Stefan Schmidt
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Alexander Aring <aring@mojatatu.com>
commit ac74f87c789af40936a80131c4759f3e72579c3a upstream.
This patch fixes patch add handling to take care of tail and headroom for
single 6lowpan frames. We need to be sure we have a skb with the right
head and tailroom for single frames. This patch does it by using
skb_copy_expand() if not enough head and tailroom was allocated by the
upper layer.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195059
Reported-by: David Palma <david.palma@ntnu.no>
Reported-by: Rabi Narayan Sahoo <rabinarayans0828@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Aring <aring@mojatatu.com>
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ieee802154/6lowpan/tx.c |   21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
--- a/net/ieee802154/6lowpan/tx.c
+++ b/net/ieee802154/6lowpan/tx.c
@@ -265,9 +265,24 @@ netdev_tx_t lowpan_xmit(struct sk_buff *
 	/* We must take a copy of the skb before we modify/replace the ipv6
 	 * header as the header could be used elsewhere
 	 */
-	skb = skb_unshare(skb, GFP_ATOMIC);
-	if (!skb)
-		return NET_XMIT_DROP;
+	if (unlikely(skb_headroom(skb) < ldev->needed_headroom ||
+		     skb_tailroom(skb) < ldev->needed_tailroom)) {
+		struct sk_buff *nskb;
+
+		nskb = skb_copy_expand(skb, ldev->needed_headroom,
+				       ldev->needed_tailroom, GFP_ATOMIC);
+		if (likely(nskb)) {
+			consume_skb(skb);
+			skb = nskb;
+		} else {
+			kfree_skb(skb);
+			return NET_XMIT_DROP;
+		}
+	} else {
+		skb = skb_unshare(skb, GFP_ATOMIC);
+		if (!skb)
+			return NET_XMIT_DROP;
+	}
 
 	ret = lowpan_header(skb, ldev, &dgram_size, &dgram_offset);
 	if (ret < 0) {
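Review bot: The comment kept above the new if/else only explains the skb_unshare() case; nothing says why the skb_copy_expand() branch exists, or that it already yields a private copy so no unshare is needed there. A sentence noting that upper layers may hand lowpan_xmit() an skb with less than ldev->needed_headroom or ldev->needed_tailroom would make the branch self-explanatory. The copy-and-swap sequence (skb_copy_expand(), consume_skb(), reassign skb) is open-coded again in the mac802154 tx patch of this series, so a shared helper is worth considering.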
- * [PATCH 4.18 003/145] net: mac802154: tx: expand tailroom if necessary
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Palma, Rabi Narayan Sahoo,
	Alexander Aring, Stefan Schmidt
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Alexander Aring <aring@mojatatu.com>
commit f9c52831133050c6b82aa8b6831c92da2bbf2a0b upstream.
This patch is necessary in case of AF_PACKET or other socket interface
which I am aware of and which didn't allocate the necessary room.
Reported-by: David Palma <david.palma@ntnu.no>
Reported-by: Rabi Narayan Sahoo <rabinarayans0828@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Aring <aring@mojatatu.com>
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac802154/tx.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
--- a/net/mac802154/tx.c
+++ b/net/mac802154/tx.c
@@ -63,8 +63,21 @@ ieee802154_tx(struct ieee802154_local *l
 	int ret;
 
 	if (!(local->hw.flags & IEEE802154_HW_TX_OMIT_CKSUM)) {
-		u16 crc = crc_ccitt(0, skb->data, skb->len);
+		struct sk_buff *nskb;
+		u16 crc;
 
+		if (unlikely(skb_tailroom(skb) < IEEE802154_FCS_LEN)) {
+			nskb = skb_copy_expand(skb, 0, IEEE802154_FCS_LEN,
+					       GFP_ATOMIC);
+			if (likely(nskb)) {
+				consume_skb(skb);
+				skb = nskb;
+			} else {
+				goto err_tx;
+			}
+		}
+
+		crc = crc_ccitt(0, skb->data, skb->len);
 		put_unaligned_le16(crc, skb_put(skb, 2));
 	}
 
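Review bot: The new tailroom check uses IEEE802154_FCS_LEN, but the unchanged skb_put(skb, 2) right after the crc_ccitt() call still hard-codes the length, so the check and the write it protects agree only by coincidence of value. Use skb_put(skb, IEEE802154_FCS_LEN) so the two cannot drift apart. The err_tx label is outside this hunk; confirm that it frees the original skb, since on skb_copy_expand() failure skb still points at it.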
- * [PATCH 4.18 004/145] 9p/net: Fix zero-copy path in the 9p virtio transport
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chirantan Ekbote, Greg Kurz,
	Dylan Reid, Guenter Roeck, Dominique Martinet
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Chirantan Ekbote <chirantan@chromium.org>
commit d28c756caee6e414d9ba367d0b92da24145af2a8 upstream.
The zero-copy optimization when reading or writing large chunks of data
is quite useful.  However, the 9p messages created through the zero-copy
write path have an incorrect message size: it should be the size of the
header + size of the data being written but instead it's just the size
of the header.
This only works if the server ignores the size field of the message and
otherwise breaks the framing of the protocol. Fix this by re-writing the
message size field with the correct value.
Tested by running `dd if=/dev/zero of=out bs=4k count=1` inside a
virtio-9p mount.
Link: http://lkml.kernel.org/r/20180717003529.114368-1-chirantan@chromium.org
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Greg Kurz <groug@kaod.org>
Tested-by: Greg Kurz <groug@kaod.org>
Cc: Dylan Reid <dgreid@chromium.org>
Cc: Guenter Roeck <groeck@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/9p/trans_virtio.c |    7 +++++++
 1 file changed, 7 insertions(+)
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -406,6 +406,7 @@ p9_virtio_zc_request(struct p9_client *c
 	p9_debug(P9_DEBUG_TRANS, "virtio request\n");
 
 	if (uodata) {
+		__le32 sz;
 		int n = p9_get_mapped_pages(chan, &out_pages, uodata,
 					    outlen, &offs, &need_drop);
 		if (n < 0)
@@ -416,6 +417,12 @@ p9_virtio_zc_request(struct p9_client *c
 			memcpy(&req->tc->sdata[req->tc->size - 4], &v, 4);
 			outlen = n;
 		}
+		/* The size field of the message must include the length of the
+		 * header and the length of the data.  We didn't actually know
+		 * the length of the data until this point so add it in now.
+		 */
+		sz = cpu_to_le32(req->tc->size + outlen);
+		memcpy(&req->tc->sdata[0], &sz, sizeof(sz));
 	} else if (uidata) {
 		int n = p9_get_mapped_pages(chan, &in_pages, uidata,
 					    inlen, &offs, &need_drop);
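Review bot: The new size computation, cpu_to_le32(req->tc->size + outlen), is written into the wire header with no visible check that header plus payload stays within the maximum message size agreed with the server. Since the peer frames the stream from this field, a bound check, or at least a comment stating where outlen is already capped, belongs next to it. Minor: the unchanged memcpy a few lines up uses a literal 4 while the new one uses sizeof(sz); one style for both header writes would read better.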
- * [PATCH 4.18 005/145] spi: davinci: fix a NULL pointer dereference
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bartosz Golaszewski, Mark Brown
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
commit 563a53f3906a6b43692498e5b3ae891fac93a4af upstream.
On non-OF systems spi->controlled_data may be NULL. This causes a NULL
pointer dereference on dm365-evm.
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-davinci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-davinci.c
+++ b/drivers/spi/spi-davinci.c
@@ -217,7 +217,7 @@ static void davinci_spi_chipselect(struc
 	pdata = &dspi->pdata;
 
 	/* program delay transfers if tx_delay is non zero */
-	if (spicfg->wdelay)
+	if (spicfg && spicfg->wdelay)
 		spidat1 |= SPIDAT1_WDEL;
 
 	/*
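Review bot: Only the spicfg->wdelay test at the top of the hunk gains a NULL guard; any later dereference of spicfg in davinci_spi_chipselect() lies outside the visible context and needs the same treatment if spicfg can be NULL on non-OF systems. Checking spicfg once and documenting what a NULL value means would be cleaner than guarding each use. The comment above the test also says tx_delay while the field is wdelay.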
- * [PATCH 4.18 006/145] spi: pxa2xx: Add support for Intel Ice Lake
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mika Westerberg, Jarkko Nikula,
	Mark Brown
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mika Westerberg <mika.westerberg@linux.intel.com>
commit 22d71a5097ec7059b6cbbee678a4f88484695941 upstream.
Intel Ice Lake SPI host controller follows the Intel Cannon Lake but the
PCI IDs are different. Add the new PCI IDs to the driver supported
devices list.
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-pxa2xx.c |    4 ++++
 1 file changed, 4 insertions(+)
--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -1391,6 +1391,10 @@ static const struct pci_device_id pxa2xx
 	{ PCI_VDEVICE(INTEL, 0x31c2), LPSS_BXT_SSP },
 	{ PCI_VDEVICE(INTEL, 0x31c4), LPSS_BXT_SSP },
 	{ PCI_VDEVICE(INTEL, 0x31c6), LPSS_BXT_SSP },
+	/* ICL-LP */
+	{ PCI_VDEVICE(INTEL, 0x34aa), LPSS_CNL_SSP },
+	{ PCI_VDEVICE(INTEL, 0x34ab), LPSS_CNL_SSP },
+	{ PCI_VDEVICE(INTEL, 0x34fb), LPSS_CNL_SSP },
 	/* APL */
 	{ PCI_VDEVICE(INTEL, 0x5ac2), LPSS_BXT_SSP },
 	{ PCI_VDEVICE(INTEL, 0x5ac4), LPSS_BXT_SSP },
- * [PATCH 4.18 007/145] spi: spi-fsl-dspi: Fix imprecise abort on VF500 during probe
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Mark Brown
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzk@kernel.org>
commit d8ffee2f551a627ffb7b216e2da322cb9a037f77 upstream.
Registers of DSPI should not be accessed before enabling its clock.  On
Toradex Colibri VF50 on Iris carrier board this could be seen during
bootup as imprecise abort:
    Unhandled fault: imprecise external abort (0x1c06) at 0x00000000
    Internal error: : 1c06 [#1] ARM
    Modules linked in:
    CPU: 0 PID: 1 Comm: swapper Not tainted 4.14.39-dirty #97
    Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree)
    Backtrace:
    [<804166a8>] (regmap_write) from [<80466b5c>] (dspi_probe+0x1f0/0x8dc)
    [<8046696c>] (dspi_probe) from [<8040107c>] (platform_drv_probe+0x54/0xb8)
    [<80401028>] (platform_drv_probe) from [<803ff53c>] (driver_probe_device+0x280/0x2f8)
    [<803ff2bc>] (driver_probe_device) from [<803ff674>] (__driver_attach+0xc0/0xc4)
    [<803ff5b4>] (__driver_attach) from [<803fd818>] (bus_for_each_dev+0x70/0xa4)
    [<803fd7a8>] (bus_for_each_dev) from [<803fee74>] (driver_attach+0x24/0x28)
    [<803fee50>] (driver_attach) from [<803fe980>] (bus_add_driver+0x1a0/0x218)
    [<803fe7e0>] (bus_add_driver) from [<803fffe8>] (driver_register+0x80/0x100)
    [<803fff68>] (driver_register) from [<80400fdc>] (__platform_driver_register+0x48/0x50)
    [<80400f94>] (__platform_driver_register) from [<8091cf7c>] (fsl_dspi_driver_init+0x1c/0x20)
    [<8091cf60>] (fsl_dspi_driver_init) from [<8010195c>] (do_one_initcall+0x4c/0x174)
    [<80101910>] (do_one_initcall) from [<80900e8c>] (kernel_init_freeable+0x144/0x1d8)
    [<80900d48>] (kernel_init_freeable) from [<805ff6a8>] (kernel_init+0x10/0x114)
    [<805ff698>] (kernel_init) from [<80107be8>] (ret_from_fork+0x14/0x2c)
Cc: <stable@vger.kernel.org>
Fixes: 5ee67b587a2b ("spi: dspi: clear SPI_SR before enable interrupt")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-fsl-dspi.c |   24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
--- a/drivers/spi/spi-fsl-dspi.c
+++ b/drivers/spi/spi-fsl-dspi.c
@@ -1029,31 +1029,31 @@ static int dspi_probe(struct platform_de
 		goto out_master_put;
 	}
 
+	dspi->clk = devm_clk_get(&pdev->dev, "dspi");
+	if (IS_ERR(dspi->clk)) {
+		ret = PTR_ERR(dspi->clk);
+		dev_err(&pdev->dev, "unable to get clock\n");
+		goto out_master_put;
+	}
+	ret = clk_prepare_enable(dspi->clk);
+	if (ret)
+		goto out_master_put;
+
 	dspi_init(dspi);
 	dspi->irq = platform_get_irq(pdev, 0);
 	if (dspi->irq < 0) {
 		dev_err(&pdev->dev, "can't get platform irq\n");
 		ret = dspi->irq;
-		goto out_master_put;
+		goto out_clk_put;
 	}
 
 	ret = devm_request_irq(&pdev->dev, dspi->irq, dspi_interrupt, 0,
 			pdev->name, dspi);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "Unable to attach DSPI interrupt\n");
-		goto out_master_put;
+		goto out_clk_put;
 	}
 
-	dspi->clk = devm_clk_get(&pdev->dev, "dspi");
-	if (IS_ERR(dspi->clk)) {
-		ret = PTR_ERR(dspi->clk);
-		dev_err(&pdev->dev, "unable to get clock\n");
-		goto out_master_put;
-	}
-	ret = clk_prepare_enable(dspi->clk);
-	if (ret)
-		goto out_master_put;
-
 	if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) {
 		ret = dspi_request_dma(dspi, res->start);
 		if (ret < 0) {
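Review bot: With clk_prepare_enable() moved ahead of dspi_init(), every failure after it has to release the clock, and only the platform_get_irq() and devm_request_irq() exits visible here were switched to out_clk_put. The out_clk_put label and the later error exits (for example the dspi_request_dma() failure that begins at the end of the hunk) are outside the context, so check that they all end with the clock disabled. Also, a failing clk_prepare_enable() jumps to out_master_put without a dev_err(), unlike the devm_clk_get() failure just above it.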
- * [PATCH 4.18 008/145] spi: cadence: Change usleep_range() to udelay(), for atomic context
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kotas, Mark Brown
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Janek Kotas <jank@cadence.com>
commit 931c4e9a72ae91d59c5332ffb6812911a749da8e upstream.
The patch "spi: cadence: Add usleep_range() for
cdns_spi_fill_tx_fifo()" added a usleep_range() function call,
which cannot be used in atomic context.
However the cdns_spi_fill_tx_fifo() function can be called during
an interrupt which may result in a kernel panic:
BUG: scheduling while atomic: grep/561/0x00010002
Modules linked in:
Preemption disabled at:
[<ffffff800858ea28>] wait_for_common+0x48/0x178
CPU: 0 PID: 561 Comm: grep Not tainted 4.17.0 #1
Hardware name: Cadence CSP (DT)
Call trace:
 dump_backtrace+0x0/0x198
 show_stack+0x14/0x20
 dump_stack+0x8c/0xac
 __schedule_bug+0x6c/0xb8
 __schedule+0x570/0x5d8
 schedule+0x34/0x98
 schedule_hrtimeout_range_clock+0x98/0x110
 schedule_hrtimeout_range+0x10/0x18
 usleep_range+0x64/0x98
 cdns_spi_fill_tx_fifo+0x70/0xb0
 cdns_spi_irq+0xd0/0xe0
 __handle_irq_event_percpu+0x9c/0x128
 handle_irq_event_percpu+0x34/0x88
 handle_irq_event+0x48/0x78
 handle_fasteoi_irq+0xbc/0x1b0
 generic_handle_irq+0x24/0x38
 __handle_domain_irq+0x84/0xf8
 gic_handle_irq+0xc4/0x180
This patch replaces the function call with udelay() which can be
used in an atomic context, like an interrupt.
Signed-off-by: Jan Kotas <jank@cadence.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-cadence.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-cadence.c
+++ b/drivers/spi/spi-cadence.c
@@ -319,7 +319,7 @@ static void cdns_spi_fill_tx_fifo(struct
 		 */
 		if (cdns_spi_read(xspi, CDNS_SPI_ISR) &
 		    CDNS_SPI_IXR_TXFULL)
-			usleep_range(10, 20);
+			udelay(10);
 
 		if (xspi->txbuf)
 			cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++);
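Review bot: udelay(10) removes the sleep-in-atomic bug, but the TXFULL test is still a single if: after the delay the code writes CDNS_SPI_TXD without reading CDNS_SPI_ISR again, so it relies on 10 us always being long enough for the FIFO to drain. Either re-check the flag in a bounded loop or add a comment saying why one fixed delay suffices; the comment should also record that this is a busy-wait that can run in interrupt context.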
- * [PATCH 4.18 009/145] mmc: block: Fix unsupported parallel dispatch of requests
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Ulf Hansson
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 26caddf274cf1e89fd4ce44ab2b8dbc7a7f97681 upstream.
The mmc block driver does not support parallel dispatch of requests. In
normal circumstances, all requests are anyway funneled through a single
work item, so parallel dispatch never happens. However it can happen if
there is no elevator.
Fix that by detecting if a dispatch is in progress and returning busy
(BLK_STS_RESOURCE) in that case.
Fixes: 81196976ed94 ("mmc: block: Add blk-mq support")
Cc: stable@vger.kernel.org # v4.16+
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/queue.c |   12 +++++++-----
 drivers/mmc/core/queue.h |    1 +
 2 files changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/mmc/core/queue.c
+++ b/drivers/mmc/core/queue.c
@@ -238,10 +238,6 @@ static void mmc_mq_exit_request(struct b
 	mmc_exit_request(mq->queue, req);
 }
 
-/*
- * We use BLK_MQ_F_BLOCKING and have only 1 hardware queue, which means requests
- * will not be dispatched in parallel.
- */
 static blk_status_t mmc_mq_queue_rq(struct blk_mq_hw_ctx *hctx,
 				    const struct blk_mq_queue_data *bd)
 {
@@ -264,7 +260,7 @@ static blk_status_t mmc_mq_queue_rq(stru
 
 	spin_lock_irq(q->queue_lock);
 
-	if (mq->recovery_needed) {
+	if (mq->recovery_needed || mq->busy) {
 		spin_unlock_irq(q->queue_lock);
 		return BLK_STS_RESOURCE;
 	}
@@ -291,6 +287,9 @@ static blk_status_t mmc_mq_queue_rq(stru
 		break;
 	}
 
+	/* Parallel dispatch of requests is not supported at the moment */
+	mq->busy = true;
+
 	mq->in_flight[issue_type] += 1;
 	get_card = (mmc_tot_in_flight(mq) == 1);
 	cqe_retune_ok = (mmc_cqe_qcnt(mq) == 1);
@@ -333,9 +332,12 @@ static blk_status_t mmc_mq_queue_rq(stru
 		mq->in_flight[issue_type] -= 1;
 		if (mmc_tot_in_flight(mq) == 0)
 			put_card = true;
+		mq->busy = false;
 		spin_unlock_irq(q->queue_lock);
 		if (put_card)
 			mmc_put_card(card, &mq->ctx);
+	} else {
+		WRITE_ONCE(mq->busy, false);
 	}
 
 	return ret;
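Review bot: mq->busy is cleared in two different ways in this hunk: a plain store before spin_unlock_irq(q->queue_lock) in the error branch, and WRITE_ONCE() with no lock in the new else branch, while the check added earlier in this patch reads it with a plain load under the lock. Add a comment explaining why the lockless clear is safe, or clear the flag under the lock in both branches so it has a single access rule. The comment removed at the top of the patch documented the no-parallel-dispatch assumption; the new one-liner next to mq->busy = true would be a good place to say when parallel dispatch can actually happen (no elevator, per the commit message).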
--- a/drivers/mmc/core/queue.h
+++ b/drivers/mmc/core/queue.h
@@ -81,6 +81,7 @@ struct mmc_queue {
 	unsigned int		cqe_busy;
 #define MMC_CQE_DCMD_BUSY	BIT(0)
 #define MMC_CQE_QUEUE_FULL	BIT(1)
+	bool			busy;
 	bool			use_cqe;
 	bool			recovery_needed;
 	bool			in_recovery;
- * [PATCH 4.18 010/145] mmc: renesas_sdhi_internal_dmac: mask DMAC interrupts
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, Wolfram Sang,
	Ulf Hansson
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
commit d2332f887ddfba50fee93b8e1736376517c2df0c upstream.
I have encountered an interrupt storm during the eMMC chip probing (and
the chip finally didn't get detected).  It turned out that U-Boot left
the SDHI DMA interrupts enabled while the Linux driver didn't use those.
Masking those interrupts in renesas_sdhi_internal_dmac_request_dma() gets
rid of both issues...
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Fixes: 2a68ea7896e3 ("mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/renesas_sdhi_internal_dmac.c |    8 ++++++++
 1 file changed, 8 insertions(+)
--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
@@ -49,10 +49,12 @@
 
 /* DM_CM_INFO1 and DM_CM_INFO1_MASK */
 #define INFO1_CLEAR		0
+#define INFO1_MASK_CLEAR	GENMASK_ULL(31, 0)
 #define INFO1_DTRANEND1		BIT(17)
 #define INFO1_DTRANEND0		BIT(16)
 
 /* DM_CM_INFO2 and DM_CM_INFO2_MASK */
+#define INFO2_MASK_CLEAR	GENMASK_ULL(31, 0)
 #define INFO2_DTRANERR1		BIT(17)
 #define INFO2_DTRANERR0		BIT(16)
 
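Review bot: The names INFO1_MASK_CLEAR and INFO2_MASK_CLEAR read as if they clear the mask, yet the second hunk writes them to DM_CM_INFO1_MASK and DM_CM_INFO2_MASK under the comment "Disable DMAC interrupts", so all-ones here means every source is masked. A name such as INFO1_MASK_ALL, or a short comment on the defines giving the bit polarity, would avoid that misreading.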
@@ -236,6 +238,12 @@ renesas_sdhi_internal_dmac_request_dma(s
 {
 	struct renesas_sdhi *priv = host_to_priv(host);
 
+	/* Disable DMAC interrupts, we don't use them */
+	renesas_sdhi_internal_dmac_dm_write(host, DM_CM_INFO1_MASK,
+					    INFO1_MASK_CLEAR);
+	renesas_sdhi_internal_dmac_dm_write(host, DM_CM_INFO2_MASK,
+					    INFO2_MASK_CLEAR);
+
 	/* Each value is set to non-zero to assume "enabling" each DMA */
 	host->chan_rx = host->chan_tx = (void *)0xdeadbeaf;
 
- * [PATCH 4.18 011/145] mmc: renesas_sdhi_internal_dmac: fix #define RST_RESERVED_BITS
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, Wolfram Sang,
	Ulf Hansson
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
commit 9faf870e559a710c44e747ba20383ea82d8ac5d2 upstream.
The DM_CM_RST register actually has bits 0-31 defaulting to 1s and bits
32-63 defaulting to 0s -- fix off-by-one in #define RST_RESERVED_BITS.
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Fixes: 2a68ea7896e3 ("mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/renesas_sdhi_internal_dmac.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
@@ -45,7 +45,7 @@
 /* DM_CM_RST */
 #define RST_DTRANRST1		BIT(9)
 #define RST_DTRANRST0		BIT(8)
-#define RST_RESERVED_BITS	GENMASK_ULL(32, 0)
+#define RST_RESERVED_BITS	GENMASK_ULL(31, 0)
 
 /* DM_CM_INFO1 and DM_CM_INFO1_MASK */
 #define INFO1_CLEAR		0
- * [PATCH 4.18 012/145] readahead: stricter check for bdi io_pages
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Markus Stockhausen <stockhausen@collogia.de>
commit dc30b96ab6d569060741572cf30517d3179429a8 upstream.
ondemand_readahead() checks bdi->io_pages to cap the maximum pages
that need to be processed. This works until the readit section. If
we would do an async only readahead (async size = sync size) and
target is at beginning of window we expand the pages by another
get_next_ra_size() pages. Btrace for large reads shows that kernel
always issues a doubled size read at the beginning of processing.
Add an additional check for io_pages in the lower part of the func.
The fix helps devices that hard limit bio pages and rely on proper
handling of max_hw_read_sectors (e.g. older FusionIO cards). For
that reason it could qualify for stable.
Fixes: 9491ae4a ("mm: don't cap request size based on read-ahead setting")
Cc: stable@vger.kernel.org
Signed-off-by: Markus Stockhausen stockhausen@collogia.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/readahead.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
--- a/mm/readahead.c
+++ b/mm/readahead.c
@@ -385,6 +385,7 @@ ondemand_readahead(struct address_space
 {
 	struct backing_dev_info *bdi = inode_to_bdi(mapping->host);
 	unsigned long max_pages = ra->ra_pages;
+	unsigned long add_pages;
 	pgoff_t prev_offset;
 
 	/*
@@ -474,10 +475,17 @@ readit:
 	 * Will this read hit the readahead marker made by itself?
 	 * If so, trigger the readahead marker hit now, and merge
 	 * the resulted next readahead window into the current one.
+	 * Take care of maximum IO pages as above.
 	 */
 	if (offset == ra->start && ra->size == ra->async_size) {
-		ra->async_size = get_next_ra_size(ra, max_pages);
-		ra->size += ra->async_size;
+		add_pages = get_next_ra_size(ra, max_pages);
+		if (ra->size + add_pages <= max_pages) {
+			ra->async_size = add_pages;
+			ra->size += add_pages;
+		} else {
+			ra->size = max_pages;
+			ra->async_size = max_pages >> 1;
+		}
 	}
 
 	return ra_submit(ra, mapping, filp);
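Review bot: In the new else branch, ra->async_size = max_pages >> 1 introduces a halving that neither the updated comment ("Take care of maximum IO pages as above") nor the commit message explains. State in the comment why half the window is the right async size when the merged window would exceed max_pages. It is also worth confirming that max_pages at this point already reflects bdi->io_pages, since the declaration visible in the first hunk initialises it from ra->ra_pages only.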
- * [PATCH 4.18 013/145] block: fix infinite loop if the device loses discard capability
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2018-09-07 21:07 ` [PATCH 4.18 012/145] readahead: stricter check for bdi io_pages Greg Kroah-Hartman
@ 2018-09-07 21:07 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 014/145] block: blk_init_allocated_queue() set q->fq as NULL in the fail case Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit b88aef36b87c9787a4db724923ec4f57dfd513f3 upstream.
If __blkdev_issue_discard is in progress and a device mapper device is
reloaded with a table that doesn't support discard,
q->limits.max_discard_sectors is set to zero. This results in an infinite
loop in __blkdev_issue_discard.
This patch checks if max_discard_sectors is zero and aborts with
-EOPNOTSUPP.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Tested-by: Zdenek Kabelac <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-lib.c |   10 ++++++++++
 1 file changed, 10 insertions(+)
--- a/block/blk-lib.c
+++ b/block/blk-lib.c
@@ -68,6 +68,8 @@ int __blkdev_issue_discard(struct block_
 		 */
 		req_sects = min_t(sector_t, nr_sects,
 					q->limits.max_discard_sectors);
+		if (!req_sects)
+			goto fail;
 		if (req_sects > UINT_MAX >> 9)
 			req_sects = UINT_MAX >> 9;
 
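Review bot: the new `if (!req_sects) goto fail;` test carries no comment, and from this hunk alone it is not evident how the min_t() result can be zero at this point. Add a short comment that q->limits.max_discard_sectors can drop to zero while the function is running (the device mapper table reload described in the commit message), so the check is not later removed as dead code.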
@@ -105,6 +107,14 @@ int __blkdev_issue_discard(struct block_
 
 	*biop = bio;
 	return 0;
+
+fail:
+	if (bio) {
+		submit_bio_wait(bio);
+		bio_put(bio);
+	}
+	*biop = NULL;
+	return -EOPNOTSUPP;
 }
 EXPORT_SYMBOL(__blkdev_issue_discard);
 
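Review bot: in the new fail: path the return value of submit_bio_wait(bio) is discarded, so an I/O error from the bio that was already built up is reported to the caller as -EOPNOTSUPP. If that is intended, say so in a comment. It is also worth documenting that on this path *biop is set to NULL and the pending bio has been waited for and released, because the success path just above hands the bio back through *biop and callers need to know the two cases differ.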
- * [PATCH 4.18 014/145] block: blk_init_allocated_queue() set q->fq as NULL in the fail case
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2018-09-07 21:07 ` [PATCH 4.18 013/145] block: fix infinite loop if the device loses discard capability Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 015/145] block: really disable runtime-pm for blk-mq Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ming Lei, Bart Van Assche, xiao jin,
	Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: xiao jin <jin.xiao@intel.com>
commit 54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream.
We find the memory use-after-free issue in __blk_drain_queue()
on the kernel 4.14. After reading the latest kernel 4.18-rc6 we
think it has the same problem.
Memory is allocated for q->fq in the blk_init_allocated_queue().
If the elevator init function is called with error return, it will
run into the fail case to free the q->fq.
Then the __blk_drain_queue() uses the same memory after the free
of the q->fq, it will lead to the unpredictable event.
The patch is to set q->fq as NULL in the fail case of
blk_init_allocated_queue().
Fixes: commit 7c94e1c157a2 ("block: introduce blk_flush_queue to drive flush machinery")
Cc: <stable@vger.kernel.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: xiao jin <jin.xiao@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-core.c |    1 +
 1 file changed, 1 insertion(+)
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -1180,6 +1180,7 @@ out_exit_flush_rq:
 		q->exit_rq_fn(q, q->fq->flush_rq);
 out_free_flush_queue:
 	blk_free_flush_queue(q->fq);
+	q->fq = NULL;
 	return -ENOMEM;
 }
 EXPORT_SYMBOL(blk_init_allocated_queue);
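Review bot: `q->fq = NULL;` after blk_free_flush_queue(q->fq) clears the dangling pointer, but nothing at the out_free_flush_queue label says which later code depends on it. A short comment naming the consumer (the commit message points at __blk_drain_queue()) would show that the assignment is load-bearing. This hunk also does not show that the later user tests q->fq for NULL before dereferencing it, so that should be confirmed against the tree the backport targets.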
- * [PATCH 4.18 015/145] block: really disable runtime-pm for blk-mq
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 014/145] block: blk_init_allocated_queue() set q->fq as NULL in the fail case Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 016/145] blkcg: Introduce blkg_root_lookup() Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Janousek, Przemek Socha,
	Alan Stern, Bart Van Assche, Christoph Hellwig,
	Patrick Steinhardt, Ming Lei, Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
commit b233f127042dba991229e3882c6217c80492f6ef upstream.
Runtime PM isn't ready for blk-mq yet, and commit 765e40b675a9 ("block:
disable runtime-pm for blk-mq") tried to disable it. Unfortunately,
it can't take effect in that way since user space still can switch
it on via 'echo auto > /sys/block/sdN/device/power/control'.
This patch disables runtime-pm for blk-mq really by pm_runtime_disable()
and fixes all kinds of PM related kernel crashes.
Cc: Tomas Janousek <tomi@nomi.cz>
Cc: Przemek Socha <soprwa@gmail.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: <stable@vger.kernel.org>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Tested-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-core.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -3764,9 +3764,11 @@ EXPORT_SYMBOL(blk_finish_plug);
  */
 void blk_pm_runtime_init(struct request_queue *q, struct device *dev)
 {
-	/* not support for RQF_PM and ->rpm_status in blk-mq yet */
-	if (q->mq_ops)
+	/* Don't enable runtime PM for blk-mq until it is ready */
+	if (q->mq_ops) {
+		pm_runtime_disable(dev);
 		return;
+	}
 
 	q->dev = dev;
 	q->rpm_status = RPM_ACTIVE;
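Review bot: the new comment "Don't enable runtime PM for blk-mq until it is ready" does not explain why pm_runtime_disable(dev) is needed on top of the early return. The reason given in the commit message, that user space can still switch runtime PM on through the device's power/control attribute, belongs in the comment. It should also say what balances this pm_runtime_disable() call, since no matching enable is visible in the hunk.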
- * [PATCH 4.18 016/145] blkcg: Introduce blkg_root_lookup()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 015/145] block: really disable runtime-pm for blk-mq Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 017/145] block: Introduce blk_exit_queue() Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Tejun Heo,
	Christoph Hellwig, Ming Lei, Omar Sandoval, Johannes Thumshirn,
	Alexandru Moise, Joseph Qi, Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 6bad9b210a228d2fe0e0efe26d9b115348529cee upstream.
This new function will be used in a later patch to verify whether a
queue has been dissociated from the cgroup controller before being
released.
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Omar Sandoval <osandov@fb.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Alexandru Moise <00moses.alexander00@gmail.com>
Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/blk-cgroup.h |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
--- a/include/linux/blk-cgroup.h
+++ b/include/linux/blk-cgroup.h
@@ -296,6 +296,23 @@ static inline struct blkcg_gq *blkg_look
 }
 
 /**
+ * blkg_lookup - look up blkg for the specified request queue
+ * @q: request_queue of interest
+ *
+ * Lookup blkg for @q at the root level. See also blkg_lookup().
+ */
+static inline struct blkcg_gq *blkg_root_lookup(struct request_queue *q)
+{
+	struct blkcg_gq *blkg;
+
+	rcu_read_lock();
+	blkg = blkg_lookup(&blkcg_root, q);
+	rcu_read_unlock();
+
+	return blkg;
+}
+
+/**
  * blkg_to_pdata - get policy private data
  * @blkg: blkg of interest
  * @pol: policy of interest
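Review bot: the kernel-doc block added for blkg_root_lookup() opens with " * blkg_lookup - look up blkg for the specified request queue", so the name in the comment does not match the function it documents; it should read blkg_root_lookup. The function also returns blkg after rcu_read_unlock(), so the comment should state that the result is only suitable for a NULL test unless the caller provides its own protection for the object.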
@@ -737,6 +754,7 @@ struct blkcg_policy {
 #ifdef CONFIG_BLOCK
 
 static inline struct blkcg_gq *blkg_lookup(struct blkcg *blkcg, void *key) { return NULL; }
+static inline struct blkcg_gq *blkg_root_lookup(struct request_queue *q) { return NULL; }
 static inline int blkcg_init_queue(struct request_queue *q) { return 0; }
 static inline void blkcg_drain_queue(struct request_queue *q) { }
 static inline void blkcg_exit_queue(struct request_queue *q) { }
- * [PATCH 4.18 017/145] block: Introduce blk_exit_queue()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 016/145] blkcg: Introduce blkg_root_lookup() Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 018/145] block: Ensure that a request queue is dissociated from the cgroup controller Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Johannes Thumshirn,
	Christoph Hellwig, Ming Lei, Omar Sandoval, Alexandru Moise,
	Joseph Qi, Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 4cf6324b17e96b7b7ab4021c6929500934d46750 upstream.
This patch does not change any functionality.
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Omar Sandoval <osandov@fb.com>
Cc: Alexandru Moise <00moses.alexander00@gmail.com>
Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-core.c |   54 ++++++++++++++++++++++++++++++------------------------
 block/blk.h      |    1 +
 2 files changed, 31 insertions(+), 24 deletions(-)
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -715,6 +715,35 @@ void blk_set_queue_dying(struct request_
 }
 EXPORT_SYMBOL_GPL(blk_set_queue_dying);
 
+/* Unconfigure the I/O scheduler and dissociate from the cgroup controller. */
+void blk_exit_queue(struct request_queue *q)
+{
+	/*
+	 * Since the I/O scheduler exit code may access cgroup information,
+	 * perform I/O scheduler exit before disassociating from the block
+	 * cgroup controller.
+	 */
+	if (q->elevator) {
+		ioc_clear_queue(q);
+		elevator_exit(q, q->elevator);
+		q->elevator = NULL;
+	}
+
+	/*
+	 * Remove all references to @q from the block cgroup controller before
+	 * restoring @q->queue_lock to avoid that restoring this pointer causes
+	 * e.g. blkcg_print_blkgs() to crash.
+	 */
+	blkcg_exit_queue(q);
+
+	/*
+	 * Since the cgroup code may dereference the @q->backing_dev_info
+	 * pointer, only decrease its reference count after having removed the
+	 * association with the block cgroup controller.
+	 */
+	bdi_put(q->backing_dev_info);
+}
+
 /**
  * blk_cleanup_queue - shutdown a request queue
  * @q: request queue to shutdown
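Review bot: the comment moved into blk_exit_queue() still says "before restoring @q->queue_lock", but the helper restores nothing itself, so the sentence now describes an ordering that lives in the caller. Reword it as a requirement on callers. Since the block/blk.h hunk makes the function visible to other block-layer files, the one-line header comment could also state what state the queue must be in when it is called.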
@@ -780,30 +809,7 @@ void blk_cleanup_queue(struct request_qu
 	 */
 	WARN_ON_ONCE(q->kobj.state_in_sysfs);
 
-	/*
-	 * Since the I/O scheduler exit code may access cgroup information,
-	 * perform I/O scheduler exit before disassociating from the block
-	 * cgroup controller.
-	 */
-	if (q->elevator) {
-		ioc_clear_queue(q);
-		elevator_exit(q, q->elevator);
-		q->elevator = NULL;
-	}
-
-	/*
-	 * Remove all references to @q from the block cgroup controller before
-	 * restoring @q->queue_lock to avoid that restoring this pointer causes
-	 * e.g. blkcg_print_blkgs() to crash.
-	 */
-	blkcg_exit_queue(q);
-
-	/*
-	 * Since the cgroup code may dereference the @q->backing_dev_info
-	 * pointer, only decrease its reference count after having removed the
-	 * association with the block cgroup controller.
-	 */
-	bdi_put(q->backing_dev_info);
+	blk_exit_queue(q);
 
 	if (q->mq_ops)
 		blk_mq_free_queue(q);
--- a/block/blk.h
+++ b/block/blk.h
@@ -130,6 +130,7 @@ void blk_free_flush_queue(struct blk_flu
 int blk_init_rl(struct request_list *rl, struct request_queue *q,
 		gfp_t gfp_mask);
 void blk_exit_rl(struct request_queue *q, struct request_list *rl);
+void blk_exit_queue(struct request_queue *q);
 void blk_rq_bio_prep(struct request_queue *q, struct request *rq,
 			struct bio *bio);
 void blk_queue_bypass_start(struct request_queue *q);
- * [PATCH 4.18 018/145] block: Ensure that a request queue is dissociated from the cgroup controller
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 017/145] block: Introduce blk_exit_queue() Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 019/145] apparmor: fix bad debug check in apparmor_secid_to_secctx() Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandru Moise, Bart Van Assche,
	Johannes Thumshirn, Tejun Heo, Christoph Hellwig, Ming Lei,
	Joseph Qi, Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 24ecc3585348b616993a3c4d6dc2c6b8007e358c upstream.
Several block drivers call alloc_disk() followed by put_disk() if
something fails before device_add_disk() is called without calling
blk_cleanup_queue(). Make sure that also for this scenario a request
queue is dissociated from the cgroup controller. This patch avoids
that loading the parport_pc, paride and pf drivers triggers the
following kernel crash:
BUG: KASAN: null-ptr-deref in pi_init+0x42e/0x580 [paride]
Read of size 4 at addr 0000000000000008 by task modprobe/744
Call Trace:
dump_stack+0x9a/0xeb
kasan_report+0x139/0x350
pi_init+0x42e/0x580 [paride]
pf_init+0x2bb/0x1000 [pf]
do_one_initcall+0x8e/0x405
do_init_module+0xd9/0x2f2
load_module+0x3ab4/0x4700
SYSC_finit_module+0x176/0x1a0
do_syscall_64+0xee/0x2b0
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Reported-by: Alexandru Moise <00moses.alexander00@gmail.com>
Fixes: a063057d7c73 ("block: Fix a race between request queue removal and the block cgroup controller") # v4.17
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Tested-by: Alexandru Moise <00moses.alexander00@gmail.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Tejun Heo <tj@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Alexandru Moise <00moses.alexander00@gmail.com>
Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-sysfs.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -804,6 +804,21 @@ static void __blk_release_queue(struct w
 		blk_stat_remove_callback(q, q->poll_cb);
 	blk_stat_free_callback(q->poll_cb);
 
+	if (!blk_queue_dead(q)) {
+		/*
+		 * Last reference was dropped without having called
+		 * blk_cleanup_queue().
+		 */
+		WARN_ONCE(blk_queue_init_done(q),
+			  "request queue %p has been registered but blk_cleanup_queue() has not been called for that queue\n",
+			  q);
+		blk_exit_queue(q);
+	}
+
+	WARN(blkg_root_lookup(q),
+	     "request queue %p is being released but it has not yet been removed from the blkcg controller\n",
+	     q);
+
 	blk_free_queue_stats(q->stats);
 
 	blk_exit_rl(q, &q->root_rl);
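Review bot: the two warnings in this hunk use different macros, WARN_ONCE() for the missing blk_cleanup_queue() case and plain WARN() for the blkg_root_lookup(q) case, so the second one fires on every release of an affected queue. If the difference is deliberate, a comment should say so; otherwise use the same macro for both. Both messages identify the queue only by a %p pointer value, which is hard to match to a device, so consider printing something more recognisable.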
- * [PATCH 4.18 019/145] apparmor: fix bad debug check in apparmor_secid_to_secctx()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 018/145] block: Ensure that a request queue is dissociated from the cgroup controller Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 021/145] libertas: fix suspend and resume for SDIO connected cards Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+21016130b0580a9de3b5,
	John Johansen
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit edf4e7b7b9104b58fddfcd073bd7dcc1585d5326 upstream.
apparmor_secid_to_secctx() has a bad debug statement tripping on a
condition handled by the code.  When kconfig SECURITY_APPARMOR_DEBUG is
enabled the debug WARN_ON will trip when **secdata is NULL resulting
in the following trace.
------------[ cut here ]------------
AppArmor WARN apparmor_secid_to_secctx: ((!secdata)):
WARNING: CPU: 0 PID: 14826 at security/apparmor/secid.c:82 apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 14826 Comm: syz-executor1 Not tainted 4.19.0-rc1+ #193
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 panic+0x238/0x4e7 kernel/panic.c:184
 __warn.cold.8+0x163/0x1ba kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
RIP: 0010:apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
Code: c7 c7 40 66 58 87 e8 6a 6d 0f fe 0f 0b e9 6c fe ff ff e8 3e aa 44 fe 48 c7 c6 80 67 58 87 48 c7 c7 a0 65 58 87 e8 4b 6d 0f fe <0f> 0b e9 3f fe ff ff 48 89 df e8 fc a7 83 fe e9 ed fe ff ff bb f4
RSP: 0018:ffff8801ba1bed10 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8801ba1beed0 RCX: ffffc9000227e000
RDX: 0000000000018482 RSI: ffffffff8163ac01 RDI: 0000000000000001
RBP: ffff8801ba1bed30 R08: ffff8801b80ec080 R09: ffffed003b603eca
R10: ffffed003b603eca R11: ffff8801db01f657 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801ba1beed0
 security_secid_to_secctx+0x63/0xc0 security/security.c:1314
 ctnetlink_secctx_size net/netfilter/nf_conntrack_netlink.c:621 [inline]
 ctnetlink_nlmsg_size net/netfilter/nf_conntrack_netlink.c:659 [inline]
 ctnetlink_conntrack_event+0x303/0x1470 net/netfilter/nf_conntrack_netlink.c:706
 nf_conntrack_eventmask_report+0x55f/0x930 net/netfilter/nf_conntrack_ecache.c:151
 nf_conntrack_event_report include/net/netfilter/nf_conntrack_ecache.h:112 [inline]
 nf_ct_delete+0x33c/0x5d0 net/netfilter/nf_conntrack_core.c:601
 nf_ct_iterate_cleanup+0x48c/0x5e0 net/netfilter/nf_conntrack_core.c:1892
 nf_ct_iterate_cleanup_net+0x23c/0x2d0 net/netfilter/nf_conntrack_core.c:1974
 ctnetlink_flush_conntrack net/netfilter/nf_conntrack_netlink.c:1226 [inline]
 ctnetlink_del_conntrack+0x66c/0x850 net/netfilter/nf_conntrack_netlink.c:1258
 nfnetlink_rcv_msg+0xd88/0x1070 net/netfilter/nfnetlink.c:228
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454
 nfnetlink_rcv+0x1c0/0x4d0 net/netfilter/nfnetlink.c:560
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2114
 __sys_sendmsg+0x11d/0x290 net/socket.c:2152
 __do_sys_sendmsg net/socket.c:2161 [inline]
 __se_sys_sendmsg net/socket.c:2159 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2159
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457089
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7bc6e03c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7bc6e046d4 RCX: 0000000000457089
RDX: 0000000000000000 RSI: 0000000020d65000 RDI: 0000000000000003
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d4588 R14: 00000000004c8d5c R15: 0000000000000000
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
CC: <stable@vger.kernel.org> #4.18
Fixes: c092921219d2 ("apparmor: add support for mapping secids and using secctxes")
Reported-by: syzbot+21016130b0580a9de3b5@syzkaller.appspotmail.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/apparmor/secid.c |    1 -
 1 file changed, 1 deletion(-)
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -79,7 +79,6 @@ int apparmor_secid_to_secctx(u32 secid,
 	struct aa_label *label = aa_secid_to_label(secid);
 	int len;
 
-	AA_BUG(!secdata);
 	AA_BUG(!seclen);
 
 	if (!label)
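Review bot: with AA_BUG(!secdata) removed and AA_BUG(!seclen) kept, the function's contract is now asymmetric and undocumented. Add a comment above the remaining assertion stating that a NULL secdata is a valid call (the trace in the commit message arrives through ctnetlink_secctx_size()), and check that every later use of secdata in the function is guarded, which this hunk does not show.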
- * [PATCH 4.18 021/145] libertas: fix suspend and resume for SDIO connected cards
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 019/145] apparmor: fix bad debug check in apparmor_secid_to_secctx() Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 022/145] media: Revert "[media] tvp5150: fix pad format frame height" Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Mack, Chris Ball, Ulf Hansson,
	Kalle Valo
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Daniel Mack <daniel@zonque.org>
commit 7444a8092906ed44c09459780c56ba57043e39b1 upstream.
Prior to commit 573185cc7e64 ("mmc: core: Invoke sdio func driver's PM
callbacks from the sdio bus"), the MMC core used to call into the power
management functions of SDIO clients itself and removed the card if the
return code was non-zero. IOW, the mmc handled errors gracefully and didn't
upchain them to the pm core.
Since this change, the mmc core relies on generic power management
functions which treat all errors as a reason to cancel the suspend
immediately. This causes suspend attempts to fail when the libertas
driver is loaded.
To fix this, power down the card explicitly in if_sdio_suspend() when we
know we're about to lose power and return success. Also set a flag in these
cases, and power up the card again in if_sdio_resume().
Fixes: 573185cc7e64 ("mmc: core: Invoke sdio func driver's PM callbacks from the sdio bus")
Cc: <stable@vger.kernel.org>
Signed-off-by: Daniel Mack <daniel@zonque.org>
Reviewed-by: Chris Ball <chris@printf.net>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/marvell/libertas/dev.h     |    1 
 drivers/net/wireless/marvell/libertas/if_sdio.c |   30 +++++++++++++++++++-----
 2 files changed, 25 insertions(+), 6 deletions(-)
--- a/drivers/net/wireless/marvell/libertas/dev.h
+++ b/drivers/net/wireless/marvell/libertas/dev.h
@@ -104,6 +104,7 @@ struct lbs_private {
 	u8 fw_ready;
 	u8 surpriseremoved;
 	u8 setup_fw_on_resume;
+	u8 power_up_on_resume;
 	int (*hw_host_to_card) (struct lbs_private *priv, u8 type, u8 *payload, u16 nb);
 	void (*reset_card) (struct lbs_private *priv);
 	int (*power_save) (struct lbs_private *priv);
--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
+++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
@@ -1290,15 +1290,23 @@ static void if_sdio_remove(struct sdio_f
 static int if_sdio_suspend(struct device *dev)
 {
 	struct sdio_func *func = dev_to_sdio_func(dev);
-	int ret;
 	struct if_sdio_card *card = sdio_get_drvdata(func);
+	struct lbs_private *priv = card->priv;
+	int ret;
 
 	mmc_pm_flag_t flags = sdio_get_host_pm_caps(func);
+	priv->power_up_on_resume = false;
 
 	/* If we're powered off anyway, just let the mmc layer remove the
 	 * card. */
-	if (!lbs_iface_active(card->priv))
-		return -ENOSYS;
+	if (!lbs_iface_active(priv)) {
+		if (priv->fw_ready) {
+			priv->power_up_on_resume = true;
+			if_sdio_power_off(card);
+		}
+
+		return 0;
+	}
 
 	dev_info(dev, "%s: suspend: PM flags = 0x%x\n",
 		 sdio_func_id(func), flags);
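Review bot: the retained comment "If we're powered off anyway, just let the mmc layer remove the card." no longer matches the code beneath it, which now calls if_sdio_power_off(card) itself and returns 0 instead of -ENOSYS. Update the comment to describe the new behaviour. As a style point, `priv->power_up_on_resume = false;` sits directly after the `flags` declaration; moving it below the blank line would keep declarations and statements apart.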
@@ -1306,9 +1314,14 @@ static int if_sdio_suspend(struct device
 	/* If we aren't being asked to wake on anything, we should bail out
 	 * and let the SD stack power down the card.
 	 */
-	if (card->priv->wol_criteria == EHS_REMOVE_WAKEUP) {
+	if (priv->wol_criteria == EHS_REMOVE_WAKEUP) {
 		dev_info(dev, "Suspend without wake params -- powering down card\n");
-		return -ENOSYS;
+		if (priv->fw_ready) {
+			priv->power_up_on_resume = true;
+			if_sdio_power_off(card);
+		}
+
+		return 0;
 	}
 
 	if (!(flags & MMC_PM_KEEP_POWER)) {
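Review bot: the block that sets priv->power_up_on_resume and calls if_sdio_power_off(card) under `if (priv->fw_ready)` is repeated verbatim from the previous hunk. A small helper would keep the two suspend exits in step. The comment above it, "bail out and let the SD stack power down the card", is also stale now that the driver powers the card down itself and returns 0.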
@@ -1321,7 +1334,7 @@ static int if_sdio_suspend(struct device
 	if (ret)
 		return ret;
 
-	ret = lbs_suspend(card->priv);
+	ret = lbs_suspend(priv);
 	if (ret)
 		return ret;
 
@@ -1336,6 +1349,11 @@ static int if_sdio_resume(struct device
 
 	dev_info(dev, "%s: resume: we're back\n", sdio_func_id(func));
 
+	if (card->priv->power_up_on_resume) {
+		if_sdio_power_on(card);
+		wait_event(card->pwron_waitq, card->priv->fw_ready);
+	}
+
 	ret = lbs_resume(card->priv);
 
 	return ret;
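Review bot: in if_sdio_resume() the call to if_sdio_power_on(card) is made without looking at any result, and the following wait_event(card->pwron_waitq, card->priv->fw_ready) has no timeout, so if power-on fails or the firmware never signals ready, resume blocks here indefinitely. Check the outcome of the power-on call and use a bounded wait such as wait_event_timeout(), returning an error when it expires.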
- * [PATCH 4.18 022/145] media: Revert "[media] tvp5150: fix pad format frame height"
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 021/145] libertas: fix suspend and resume for SDIO connected cards Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 023/145] mailbox: xgene-slimpro: Fix potential NULL pointer dereference Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Javier Martinez Canillas,
	Hans Verkuil, Mauro Carvalho Chehab
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Javier Martinez Canillas <javierm@redhat.com>
commit 1831af092308aa5a59ae61e47494e441c8be6b93 upstream.
This reverts commit 0866df8dffd514185bfab0d205db76e4c02cf1e4.
The v4l uAPI documentation [0] makes clear that in the case of interlaced
video (i.e: field is V4L2_FIELD_ALTERNATE) the height refers to the number
of lines in the field and not the number of lines in the full frame (which
is twice the field height for interlaced formats).
So the original height calculation was correct, and it shouldn't have been
changed by the mentioned commit.
[0]:https://linuxtv.org/downloads/v4l-dvb-apis/uapi/v4l/subdev-formats.html
Fixes: 0866df8dffd5 ("[media] tvp5150: fix pad format frame height")
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Cc: <stable@vger.kernel.org>      # for v4.12 and up
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/tvp5150.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/tvp5150.c
+++ b/drivers/media/i2c/tvp5150.c
@@ -872,7 +872,7 @@ static int tvp5150_fill_fmt(struct v4l2_
 	f = &format->format;
 
 	f->width = decoder->rect.width;
-	f->height = decoder->rect.height;
+	f->height = decoder->rect.height / 2;
 
 	f->code = MEDIA_BUS_FMT_UYVY8_2X8;
 	f->field = V4L2_FIELD_ALTERNATE;
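Review bot: `f->height = decoder->rect.height / 2;` needs a comment, because a bare division by two is what the reverted commit took out as a supposed fix and it will look like a bug again to the next reader. State beside it that with f->field set to V4L2_FIELD_ALTERNATE two lines below, the height reported is the field height rather than the full frame height.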
- * [PATCH 4.18 023/145] mailbox: xgene-slimpro: Fix potential NULL pointer dereference
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 022/145] media: Revert "[media] tvp5150: fix pad format frame height" Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 024/145] Replace magic for trusting the secondary keyring with #define Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Jassi Brar
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavo@embeddedor.com>
commit 3512a18cbd8d09e22a790540cb9624c3c49827ba upstream.
There is a potential execution path in which function
platform_get_resource() returns NULL. If this happens,
we will end up having a NULL pointer dereference.
Fix this by replacing devm_ioremap with devm_ioremap_resource,
which has the NULL check and the memory region request.
This code was detected with the help of Coccinelle.
Cc: stable@vger.kernel.org
Fixes: f700e84f417b ("mailbox: Add support for APM X-Gene platform mailbox driver")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mailbox/mailbox-xgene-slimpro.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/mailbox/mailbox-xgene-slimpro.c
+++ b/drivers/mailbox/mailbox-xgene-slimpro.c
@@ -195,9 +195,9 @@ static int slimpro_mbox_probe(struct pla
 	platform_set_drvdata(pdev, ctx);
 
 	regs = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-	mb_base = devm_ioremap(&pdev->dev, regs->start, resource_size(regs));
-	if (!mb_base)
-		return -ENOMEM;
+	mb_base = devm_ioremap_resource(&pdev->dev, regs);
+	if (IS_ERR(mb_base))
+		return PTR_ERR(mb_base);
 
 	/* Setup mailbox links */
 	for (i = 0; i < MBOX_CNT; i++) {
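Review bot: the return value of platform_get_resource() is still stored in regs and passed on unchecked, which is correct only because devm_ioremap_resource() performs the NULL check, as the commit message says. A short comment that the check is delegated would stop someone reintroducing a direct regs-> dereference. The change also replaces the fixed -ENOMEM with PTR_ERR(mb_base) and adds a memory region request, so probe can now fail in cases where it previously succeeded; the changelog should say that this is expected.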
- * [PATCH 4.18 024/145] Replace magic for trusting the secondary keyring with #define
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 023/145] mailbox: xgene-slimpro: Fix potential NULL pointer dereference Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 025/145] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yannik Sembritzki, David Howells,
	keyrings, linux-security-module, Linus Torvalds
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Yannik Sembritzki <yannik@sembritzki.me>
commit 817aef260037f33ee0f44c17fe341323d3aebd6d upstream.
Replace the use of a magic number that indicates that verify_*_signature()
should use the secondary keyring with a symbol.
Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 certs/system_keyring.c                  |    3 ++-
 crypto/asymmetric_keys/pkcs7_key_type.c |    2 +-
 include/linux/verification.h            |    6 ++++++
 3 files changed, 9 insertions(+), 2 deletions(-)
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -15,6 +15,7 @@
 #include <linux/cred.h>
 #include <linux/err.h>
 #include <linux/slab.h>
+#include <linux/verification.h>
 #include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
 #include <crypto/pkcs7.h>
@@ -230,7 +231,7 @@ int verify_pkcs7_signature(const void *d
 
 	if (!trusted_keys) {
 		trusted_keys = builtin_trusted_keys;
-	} else if (trusted_keys == (void *)1UL) {
+	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 		trusted_keys = secondary_trusted_keys;
 #else
--- a/crypto/asymmetric_keys/pkcs7_key_type.c
+++ b/crypto/asymmetric_keys/pkcs7_key_type.c
@@ -63,7 +63,7 @@ static int pkcs7_preparse(struct key_pre
 
 	return verify_pkcs7_signature(NULL, 0,
 				      prep->data, prep->datalen,
-				      (void *)1UL, usage,
+				      VERIFY_USE_SECONDARY_KEYRING, usage,
 				      pkcs7_view_content, prep);
 }
 
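Review bot: VERIFY_USE_SECONDARY_KEYRING is used in pkcs7_preparse() but the patch adds no #include <linux/verification.h> to this file, unlike certs/system_keyring.c above. Please confirm the header is already included directly here rather than reaching the file through another include.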
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -13,6 +13,12 @@
 #define _LINUX_VERIFICATION_H
 
 /*
+ * Indicate that both builtin trusted keys and secondary trusted keys
+ * should be used.
+ */
+#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
+
+/*
  * The use to which an asymmetric key is being put.
  */
 enum key_being_used_for {
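Review bot: the comment above VERIFY_USE_SECONDARY_KEYRING should say that the value is a sentinel and not a dereferenceable struct key pointer, and that it is only meaningful as the trusted_keys argument of the verify_*_signature() functions. It would also help to state what happens when CONFIG_SECONDARY_TRUSTED_KEYRING is not set, since verify_pkcs7_signature() has an #else branch for that case and the comment as written promises both keyrings unconditionally.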
- * [PATCH 4.18 025/145] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 024/145] Replace magic for trusting the secondary keyring with #define Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 026/145] powerpc/fadump: handle crash memory ranges array index overflow Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yannik Sembritzki, David Howells,
	kexec, keyrings, linux-security-module, stable, Linus Torvalds
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Yannik Sembritzki <yannik@sembritzki.me>
commit ea93102f32244e3f45c8b26260be77ed0cc1d16c upstream.
The split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.
Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().
Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/kexec-bzimage64.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loade
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
 	return verify_pefile_signature(kernel, kernel_len,
-				       NULL,
+				       VERIFY_USE_SECONDARY_KEYRING,
 				       VERIFYING_KEXEC_PE_SIGNATURE);
 }
 #endif
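Review bot: the only place this series shows the sentinel being interpreted is verify_pkcs7_signature(), so bzImage64_verify_sig() is safe only if verify_pefile_signature() forwards trusted_keys there untouched; please confirm nothing on that path dereferences it first. The changelog should also spell out the trust consequence: kexec now accepts images signed by keys in .secondary_trusted_keys, which the Fixes: commit describes as a keyring that can be added to dynamically, where the NULL argument previously limited verification to the builtin keys.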
- * [PATCH 4.18 026/145] powerpc/fadump: handle crash memory ranges array index overflow
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 025/145] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 027/145] powerpc/64s: Fix page table fragment refcount race vs speculative references Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hari Bathini, Mahesh Salgaonkar,
	Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Hari Bathini <hbathini@linux.ibm.com>
commit 1bd6a1c4b80a28d975287630644e6b47d0f977a5 upstream.
Crash memory ranges is an array of memory ranges of the crashing kernel
to be exported as a dump via /proc/vmcore file. The size of the array
is set based on INIT_MEMBLOCK_REGIONS, which works alright in most cases
where memblock memory regions count is less than INIT_MEMBLOCK_REGIONS
value. But this count can grow beyond INIT_MEMBLOCK_REGIONS value since
commit 142b45a72e22 ("memblock: Add array resizing support").
On large memory systems with a few DLPAR operations, the memblock memory
regions count could be larger than INIT_MEMBLOCK_REGIONS value. On such
systems, registering fadump results in crash or other system failures
like below:
  task: c00007f39a290010 ti: c00000000b738000 task.ti: c00000000b738000
  NIP: c000000000047df4 LR: c0000000000f9e58 CTR: c00000000010f180
  REGS: c00000000b73b570 TRAP: 0300   Tainted: G          L   X  (4.4.140+)
  MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 22004484  XER: 20000000
  CFAR: c000000000008500 DAR: 000007a450000000 DSISR: 40000000 SOFTE: 0
  ...
  NIP [c000000000047df4] smp_send_reschedule+0x24/0x80
  LR [c0000000000f9e58] resched_curr+0x138/0x160
  Call Trace:
    resched_curr+0x138/0x160 (unreliable)
    check_preempt_curr+0xc8/0xf0
    ttwu_do_wakeup+0x38/0x150
    try_to_wake_up+0x224/0x4d0
    __wake_up_common+0x94/0x100
    ep_poll_callback+0xac/0x1c0
    __wake_up_common+0x94/0x100
    __wake_up_sync_key+0x70/0xa0
    sock_def_readable+0x58/0xa0
    unix_stream_sendmsg+0x2dc/0x4c0
    sock_sendmsg+0x68/0xa0
    ___sys_sendmsg+0x2cc/0x2e0
    __sys_sendmsg+0x5c/0xc0
    SyS_socketcall+0x36c/0x3f0
    system_call+0x3c/0x100
as array index overflow is not checked for while setting up crash memory
ranges causing memory corruption. To resolve this issue, dynamically
allocate memory for crash memory ranges and resize it incrementally,
in units of pagesize, on hitting array size limit.
Fixes: 2df173d9e85d ("fadump: Initialize elfcore header and add PT_LOAD program headers.")
Cc: stable@vger.kernel.org # v3.4+
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
[mpe: Just use PAGE_SIZE directly, fixup variable placement]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/fadump.h |    3 -
 arch/powerpc/kernel/fadump.c      |   91 ++++++++++++++++++++++++++++++++------
 2 files changed, 77 insertions(+), 17 deletions(-)
--- a/arch/powerpc/include/asm/fadump.h
+++ b/arch/powerpc/include/asm/fadump.h
@@ -195,9 +195,6 @@ struct fadump_crash_info_header {
 	struct cpumask	online_mask;
 };
 
-/* Crash memory ranges */
-#define INIT_CRASHMEM_RANGES	(INIT_MEMBLOCK_REGIONS + 2)
-
 struct fad_crash_memory_ranges {
 	unsigned long long	base;
 	unsigned long long	size;
--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -47,8 +47,10 @@ static struct fadump_mem_struct fdm;
 static const struct fadump_mem_struct *fdm_active;
 
 static DEFINE_MUTEX(fadump_mutex);
-struct fad_crash_memory_ranges crash_memory_ranges[INIT_CRASHMEM_RANGES];
+struct fad_crash_memory_ranges *crash_memory_ranges;
+int crash_memory_ranges_size;
 int crash_mem_ranges;
+int max_crash_mem_ranges;
 
 /* Scan the Firmware Assisted dump configuration details. */
 int __init early_init_dt_scan_fw_dump(unsigned long node,
@@ -868,38 +870,88 @@ static int __init process_fadump(const s
 	return 0;
 }
 
-static inline void fadump_add_crash_memory(unsigned long long base,
-					unsigned long long end)
+static void free_crash_memory_ranges(void)
+{
+	kfree(crash_memory_ranges);
+	crash_memory_ranges = NULL;
+	crash_memory_ranges_size = 0;
+	max_crash_mem_ranges = 0;
+}
+
+/*
+ * Allocate or reallocate crash memory ranges array in incremental units
+ * of PAGE_SIZE.
+ */
+static int allocate_crash_memory_ranges(void)
+{
+	struct fad_crash_memory_ranges *new_array;
+	u64 new_size;
+
+	new_size = crash_memory_ranges_size + PAGE_SIZE;
+	pr_debug("Allocating %llu bytes of memory for crash memory ranges\n",
+		 new_size);
+
+	new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL);
+	if (new_array == NULL) {
+		pr_err("Insufficient memory for setting up crash memory ranges\n");
+		free_crash_memory_ranges();
+		return -ENOMEM;
+	}
+
+	crash_memory_ranges = new_array;
+	crash_memory_ranges_size = new_size;
+	max_crash_mem_ranges = (new_size /
+				sizeof(struct fad_crash_memory_ranges));
+	return 0;
+}
+
+static inline int fadump_add_crash_memory(unsigned long long base,
+					  unsigned long long end)
 {
 	if (base == end)
-		return;
+		return 0;
+
+	if (crash_mem_ranges == max_crash_mem_ranges) {
+		int ret;
+
+		ret = allocate_crash_memory_ranges();
+		if (ret)
+			return ret;
+	}
 
 	pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n",
 		crash_mem_ranges, base, end - 1, (end - base));
 	crash_memory_ranges[crash_mem_ranges].base = base;
 	crash_memory_ranges[crash_mem_ranges].size = end - base;
 	crash_mem_ranges++;
+	return 0;
 }
 
-static void fadump_exclude_reserved_area(unsigned long long start,
+static int fadump_exclude_reserved_area(unsigned long long start,
 					unsigned long long end)
 {
 	unsigned long long ra_start, ra_end;
+	int ret = 0;
 
 	ra_start = fw_dump.reserve_dump_area_start;
 	ra_end = ra_start + fw_dump.reserve_dump_area_size;
 
 	if ((ra_start < end) && (ra_end > start)) {
 		if ((start < ra_start) && (end > ra_end)) {
-			fadump_add_crash_memory(start, ra_start);
-			fadump_add_crash_memory(ra_end, end);
+			ret = fadump_add_crash_memory(start, ra_start);
+			if (ret)
+				return ret;
+
+			ret = fadump_add_crash_memory(ra_end, end);
 		} else if (start < ra_start) {
-			fadump_add_crash_memory(start, ra_start);
+			ret = fadump_add_crash_memory(start, ra_start);
 		} else if (ra_end < end) {
-			fadump_add_crash_memory(ra_end, end);
+			ret = fadump_add_crash_memory(ra_end, end);
 		}
 	} else
-		fadump_add_crash_memory(start, end);
+		ret = fadump_add_crash_memory(start, end);
+
+	return ret;
 }
 
 static int fadump_init_elfcore_header(char *bufp)
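Review bot: on krealloc() failure in allocate_crash_memory_ranges(), free_crash_memory_ranges() frees the array and clears max_crash_mem_ranges but leaves crash_mem_ranges at its old non-zero value, so any later reader that walks crash_mem_ranges entries would index a NULL crash_memory_ranges. Resetting crash_mem_ranges = 0 in free_crash_memory_ranges() would keep the count and the array consistent. Separately, new_size is u64 while crash_memory_ranges_size and max_crash_mem_ranges are int; using one unsigned type for all three would avoid the implicit narrowing.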
@@ -939,10 +991,11 @@ static int fadump_init_elfcore_header(ch
  * Traverse through memblock structure and setup crash memory ranges. These
  * ranges will be used create PT_LOAD program headers in elfcore header.
  */
-static void fadump_setup_crash_memory_ranges(void)
+static int fadump_setup_crash_memory_ranges(void)
 {
 	struct memblock_region *reg;
 	unsigned long long start, end;
+	int ret;
 
 	pr_debug("Setup crash memory ranges.\n");
 	crash_mem_ranges = 0;
@@ -953,7 +1006,9 @@ static void fadump_setup_crash_memory_ra
 	 * specified during fadump registration. We need to create a separate
 	 * program header for this chunk with the correct offset.
 	 */
-	fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
+	ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
+	if (ret)
+		return ret;
 
 	for_each_memblock(memory, reg) {
 		start = (unsigned long long)reg->base;
@@ -973,8 +1028,12 @@ static void fadump_setup_crash_memory_ra
 		}
 
 		/* add this range excluding the reserved dump area. */
-		fadump_exclude_reserved_area(start, end);
+		ret = fadump_exclude_reserved_area(start, end);
+		if (ret)
+			return ret;
 	}
+
+	return 0;
 }
 
 /*
@@ -1097,6 +1156,7 @@ static int register_fadump(void)
 {
 	unsigned long addr;
 	void *vaddr;
+	int ret;
 
 	/*
 	 * If no memory is reserved then we can not register for firmware-
@@ -1105,7 +1165,9 @@ static int register_fadump(void)
 	if (!fw_dump.reserve_dump_area_size)
 		return -ENODEV;
 
-	fadump_setup_crash_memory_ranges();
+	ret = fadump_setup_crash_memory_ranges();
+	if (ret)
+		return ret;
 
 	addr = be64_to_cpu(fdm.rmr_region.destination_address) + be64_to_cpu(fdm.rmr_region.source_len);
 	/* Initialize fadump crash info header. */
@@ -1183,6 +1245,7 @@ void fadump_cleanup(void)
 	} else if (fw_dump.dump_registered) {
 		/* Un-register Firmware-assisted dump if it was registered. */
 		fadump_unregister_dump(&fdm);
+		free_crash_memory_ranges();
 	}
 }
 
- * [PATCH 4.18 027/145] powerpc/64s: Fix page table fragment refcount race vs speculative references
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 026/145] powerpc/fadump: handle crash memory ranges array index overflow Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 028/145] powerpc/pseries: Fix endianness while restoring of r3 in MCE handler Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aneesh Kumar K.V, Nicholas Piggin,
	Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Nicholas Piggin <npiggin@gmail.com>
commit 4231aba000f5a4583dd9f67057aadb68c3eca99d upstream.
The page table fragment allocator uses the main page refcount racily
with respect to speculative references. A customer observed a BUG due
to page table page refcount underflow in the fragment allocator. This
can be caused by the fragment allocator set_page_count stomping on a
speculative reference, and then the speculative failure handler
decrements the new reference, and the underflow eventually pops when
the page tables are freed.
Fix this by using a dedicated field in the struct page for the page
table fragment allocator.
Fixes: 5c1f6ee9a31c ("powerpc: Reduce PTE table memory wastage")
Cc: stable@vger.kernel.org # v3.10+
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/mmu_context_book3s64.c |    8 ++++----
 arch/powerpc/mm/pgtable-book3s64.c     |   17 +++++++++++------
 include/linux/mm_types.h               |    5 ++++-
 3 files changed, 19 insertions(+), 11 deletions(-)
--- a/arch/powerpc/mm/mmu_context_book3s64.c
+++ b/arch/powerpc/mm/mmu_context_book3s64.c
@@ -200,9 +200,9 @@ static void pte_frag_destroy(void *pte_f
 	/* drop all the pending references */
 	count = ((unsigned long)pte_frag & ~PAGE_MASK) >> PTE_FRAG_SIZE_SHIFT;
 	/* We allow PTE_FRAG_NR fragments from a PTE page */
-	if (page_ref_sub_and_test(page, PTE_FRAG_NR - count)) {
+	if (atomic_sub_and_test(PTE_FRAG_NR - count, &page->pt_frag_refcount)) {
 		pgtable_page_dtor(page);
-		free_unref_page(page);
+		__free_page(page);
 	}
 }
 
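Review bot: the __free_page(page) call in pte_frag_destroy() needs a comment saying why the refcounted free replaces free_unref_page(). With the fragment count moved to pt_frag_refcount, the page's main refcount may still be held by a speculative reference when the last fragment goes away, and only a free that drops a reference instead of freeing unconditionally lets that holder do the final release. Without the comment this reads as an unrelated cleanup and invites a revert.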
@@ -215,9 +215,9 @@ static void pmd_frag_destroy(void *pmd_f
 	/* drop all the pending references */
 	count = ((unsigned long)pmd_frag & ~PAGE_MASK) >> PMD_FRAG_SIZE_SHIFT;
 	/* We allow PTE_FRAG_NR fragments from a PTE page */
-	if (page_ref_sub_and_test(page, PMD_FRAG_NR - count)) {
+	if (atomic_sub_and_test(PMD_FRAG_NR - count, &page->pt_frag_refcount)) {
 		pgtable_pmd_page_dtor(page);
-		free_unref_page(page);
+		__free_page(page);
 	}
 }
 
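Review bot: the context comment in pmd_frag_destroy() still reads "We allow PTE_FRAG_NR fragments from a PTE page" although the code below it uses PMD_FRAG_NR on a PMD page. Since the line directly under it is being changed, this is a good place to correct the comment to PMD_FRAG_NR.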
--- a/arch/powerpc/mm/pgtable-book3s64.c
+++ b/arch/powerpc/mm/pgtable-book3s64.c
@@ -270,6 +270,8 @@ static pmd_t *__alloc_for_pmdcache(struc
 		return NULL;
 	}
 
+	atomic_set(&page->pt_frag_refcount, 1);
+
 	ret = page_address(page);
 	/*
 	 * if we support only one fragment just return the
@@ -285,7 +287,7 @@ static pmd_t *__alloc_for_pmdcache(struc
 	 * count.
 	 */
 	if (likely(!mm->context.pmd_frag)) {
-		set_page_count(page, PMD_FRAG_NR);
+		atomic_set(&page->pt_frag_refcount, PMD_FRAG_NR);
 		mm->context.pmd_frag = ret + PMD_FRAG_SIZE;
 	}
 	spin_unlock(&mm->page_table_lock);
@@ -308,9 +310,10 @@ void pmd_fragment_free(unsigned long *pm
 {
 	struct page *page = virt_to_page(pmd);
 
-	if (put_page_testzero(page)) {
+	BUG_ON(atomic_read(&page->pt_frag_refcount) <= 0);
+	if (atomic_dec_and_test(&page->pt_frag_refcount)) {
 		pgtable_pmd_page_dtor(page);
-		free_unref_page(page);
+		__free_page(page);
 	}
 }
 
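Review bot: BUG_ON(atomic_read(&page->pt_frag_refcount) <= 0) in pmd_fragment_free() is not atomic with the atomic_dec_and_test() that follows, so it is a diagnostic only and cannot close a double-free race; the same pair is added to pte_fragment_free() below. Consider WARN_ON_ONCE() or VM_BUG_ON() instead, since taking the machine down from a page table free path is a heavy response for a sanity check.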
@@ -352,6 +355,7 @@ static pte_t *__alloc_for_ptecache(struc
 			return NULL;
 	}
 
+	atomic_set(&page->pt_frag_refcount, 1);
 
 	ret = page_address(page);
 	/*
@@ -367,7 +371,7 @@ static pte_t *__alloc_for_ptecache(struc
 	 * count.
 	 */
 	if (likely(!mm->context.pte_frag)) {
-		set_page_count(page, PTE_FRAG_NR);
+		atomic_set(&page->pt_frag_refcount, PTE_FRAG_NR);
 		mm->context.pte_frag = ret + PTE_FRAG_SIZE;
 	}
 	spin_unlock(&mm->page_table_lock);
@@ -390,10 +394,11 @@ void pte_fragment_free(unsigned long *ta
 {
 	struct page *page = virt_to_page(table);
 
-	if (put_page_testzero(page)) {
+	BUG_ON(atomic_read(&page->pt_frag_refcount) <= 0);
+	if (atomic_dec_and_test(&page->pt_frag_refcount)) {
 		if (!kernel)
 			pgtable_page_dtor(page);
-		free_unref_page(page);
+		__free_page(page);
 	}
 }
 
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -139,7 +139,10 @@ struct page {
 			unsigned long _pt_pad_1;	/* compound_head */
 			pgtable_t pmd_huge_pte; /* protected by page->ptl */
 			unsigned long _pt_pad_2;	/* mapping */
-			struct mm_struct *pt_mm;	/* x86 pgds only */
+			union {
+				struct mm_struct *pt_mm; /* x86 pgds only */
+				atomic_t pt_frag_refcount; /* powerpc */
+			};
 #if ALLOC_SPLIT_PTLOCKS
 			spinlock_t *ptl;
 #else
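Review bot: pt_frag_refcount now shares storage with pt_mm, and the only thing keeping the two apart is the pair of trailing comments ("x86 pgds only", "powerpc"). Please add a line to the comment for this page table member stating that the union members are mutually exclusive per architecture, so a later generic user of pt_mm does not silently corrupt the powerpc fragment count.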
- * [PATCH 4.18 028/145] powerpc/pseries: Fix endianness while restoring of r3 in MCE handler.
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 027/145] powerpc/64s: Fix page table fragment refcount race vs speculative references Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 029/145] powerpc/pkeys: Give all threads control of their key permissions Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Piggin, Mahesh Salgaonkar,
	Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
commit cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 upstream.
During Machine Check interrupt on pseries platform, register r3 points to
the RTAS extended event log passed by hypervisor. Since hypervisor uses r3
to pass pointer to rtas log, it stores the original r3 value at the
start of the memory (first 8 bytes) pointed by r3. Since hypervisor
stores this info and rtas log is in BE format, linux should make
sure to restore r3 value in correct endian format.
Without this patch when MCE handler, after recovery, returns to code
that caused the MCE may end up with Data SLB access interrupt for invalid
address followed by kernel panic or hang.
  Severe Machine check interrupt [Recovered]
    NIP [d00000000ca301b8]: init_module+0x1b8/0x338 [bork_kernel]
    Initiator: CPU
    Error type: SLB [Multihit]
      Effective address: d00000000ca70000
  cpu 0xa: Vector: 380 (Data SLB Access) at [c0000000fc7775b0]
      pc: c0000000009694c0: vsnprintf+0x80/0x480
      lr: c0000000009698e0: vscnprintf+0x20/0x60
      sp: c0000000fc777830
     msr: 8000000002009033
     dar: a803a30c000000d0
    current = 0xc00000000bc9ef00
    paca    = 0xc00000001eca5c00	 softe: 3	 irq_happened: 0x01
      pid   = 8860, comm = insmod
  vscnprintf+0x20/0x60
  vprintk_emit+0xb4/0x4b0
  vprintk_func+0x5c/0xd0
  printk+0x38/0x4c
  init_module+0x1c0/0x338 [bork_kernel]
  do_one_initcall+0x54/0x230
  do_init_module+0x8c/0x248
  load_module+0x12b8/0x15b0
  sys_finit_module+0xa8/0x110
  system_call+0x58/0x6c
  --- Exception: c00 (System Call) at 00007fff8bda0644
  SP (7fffdfbfe980) is in userspace
This patch fixes this issue.
Fixes: a08a53ea4c97 ("powerpc/le: Enable RTAS events support")
Cc: stable@vger.kernel.org # v3.15+
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/platforms/pseries/ras.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/ras.c
+++ b/arch/powerpc/platforms/pseries/ras.c
@@ -360,7 +360,7 @@ static struct rtas_error_log *fwnmi_get_
 	}
 
 	savep = __va(regs->gpr[3]);
-	regs->gpr[3] = savep[0];	/* restore original r3 */
+	regs->gpr[3] = be64_to_cpu(savep[0]);	/* restore original r3 */
 
 	/* If it isn't an extended log we can use the per cpu 64bit buffer */
 	h = (struct rtas_error_log *)&savep[1];
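Review bot: be64_to_cpu(savep[0]) is only type-clean if savep is declared as __be64 *, and its declaration is outside this hunk. If it is still a plain unsigned long pointer, sparse will warn about the endianness conversion, so the declaration should change in the same patch.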
- * [PATCH 4.18 029/145] powerpc/pkeys: Give all threads control of their key permissions
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 028/145] powerpc/pseries: Fix endianness while restoring of r3 in MCE handler Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 030/145] powerpc/pkeys: Deny read/write/execute by default Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Weimer, Ram Pai,
	Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ram Pai <linuxram@us.ibm.com>
commit a57a04c76e06822e4377831611364c846b7202ca upstream.
Currently in a multithreaded application, a key allocated by one
thread is not usable by other threads. By "not usable" we mean that
other threads are unable to change the access permissions for that
key for themselves.
When a new key is allocated in one thread, the corresponding UAMOR
bits for that thread get enabled, however the UAMOR bits for that key
for all other threads remain disabled.
Other threads have no way to set permissions on the key, and the
current default permissions are that read/write is enabled for all
keys, which means the key has no effect for other threads. Although
that may be the desired behaviour in some circumstances, having all
threads able to control their permissions for the key is more
flexible.
The current behaviour also differs from the x86 behaviour, which is
problematic for users.
To fix this, enable the UAMOR bits for all keys, at process
creation (in start_thread(), ie exec time). Since the contents of
UAMOR are inherited at fork, all threads are capable of modifying the
permissions on any key.
This is technically an ABI break on powerpc, but pkey support is fairly
new on powerpc and not widely used, and this brings us into
line with x86.
Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
Cc: stable@vger.kernel.org # v4.16+
Tested-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
[mpe: Reword some of the changelog]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/pkeys.c |   44 ++++++++++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 18 deletions(-)
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -15,8 +15,9 @@ bool pkey_execute_disable_supported;
 int  pkeys_total;		/* Total pkeys as per device tree */
 bool pkeys_devtree_defined;	/* pkey property exported by device tree */
 u32  initial_allocation_mask;	/* Bits set for reserved keys */
-u64  pkey_amr_uamor_mask;	/* Bits in AMR/UMOR not to be touched */
+u64  pkey_amr_mask;		/* Bits in AMR not to be touched */
 u64  pkey_iamr_mask;		/* Bits in AMR not to be touched */
+u64  pkey_uamor_mask;		/* Bits in UMOR not to be touched */
 
 #define AMR_BITS_PER_PKEY 2
 #define AMR_RD_BIT 0x1UL
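Review bot: two of the comments on the mask variables name the wrong register: pkey_iamr_mask is described as "Bits in AMR not to be touched" and the new pkey_uamor_mask as "Bits in UMOR". Since the old combined variable is being split so that each register has its own mask, the comments should read IAMR and UAMOR.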
@@ -119,20 +120,26 @@ int pkey_initialize(void)
 #else
 	os_reserved = 0;
 #endif
-	initial_allocation_mask = ~0x0;
-	pkey_amr_uamor_mask = ~0x0ul;
+	initial_allocation_mask  = (0x1 << 0) | (0x1 << 1);
+
+	/* register mask is in BE format */
+	pkey_amr_mask = ~0x0ul;
 	pkey_iamr_mask = ~0x0ul;
-	/*
-	 * key 0, 1 are reserved.
-	 * key 0 is the default key, which allows read/write/execute.
-	 * key 1 is recommended not to be used. PowerISA(3.0) page 1015,
-	 * programming note.
-	 */
-	for (i = 2; i < (pkeys_total - os_reserved); i++) {
-		initial_allocation_mask &= ~(0x1 << i);
-		pkey_amr_uamor_mask &= ~(0x3ul << pkeyshift(i));
+
+	for (i = 0; i < (pkeys_total - os_reserved); i++) {
+		pkey_amr_mask &= ~(0x3ul << pkeyshift(i));
 		pkey_iamr_mask &= ~(0x1ul << pkeyshift(i));
 	}
+
+	pkey_uamor_mask = ~0x0ul;
+	pkey_uamor_mask &= ~(0x3ul << pkeyshift(0));
+
+	/* mark the rest of the keys as reserved and hence unavailable */
+	for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) {
+		initial_allocation_mask |= (0x1 << i);
+		pkey_uamor_mask &= ~(0x3ul << pkeyshift(i));
+	}
+
 	return 0;
 }
 
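Review bot: initial_allocation_mask marks keys 0 and 1 as reserved, but pkey_uamor_mask only clears the bits for key 0, so it is unclear from the hunk whether key 1 is meant to stay modifiable from user space through UAMOR while being unallocatable. The removed comment was the only explanation of why keys 0 and 1 are reserved (default key, and the PowerISA 3.0 programming note for key 1); please keep it next to the new assignment and say there how key 1 is treated in each mask. The 0x1 << i in the reserved-key loop is also a signed shift; 1U << i would be safer if pkeys_total can reach 32.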
@@ -289,9 +296,6 @@ void thread_pkey_regs_restore(struct thr
 	if (static_branch_likely(&pkey_disabled))
 		return;
 
-	/*
-	 * TODO: Just set UAMOR to zero if @new_thread hasn't used any keys yet.
-	 */
 	if (old_thread->amr != new_thread->amr)
 		write_amr(new_thread->amr);
 	if (old_thread->iamr != new_thread->iamr)
@@ -305,9 +309,13 @@ void thread_pkey_regs_init(struct thread
 	if (static_branch_likely(&pkey_disabled))
 		return;
 
-	thread->amr = read_amr() & pkey_amr_uamor_mask;
-	thread->iamr = read_iamr() & pkey_iamr_mask;
-	thread->uamor = read_uamor() & pkey_amr_uamor_mask;
+	thread->amr = pkey_amr_mask;
+	thread->iamr = pkey_iamr_mask;
+	thread->uamor = pkey_uamor_mask;
+
+	write_uamor(pkey_uamor_mask);
+	write_amr(pkey_amr_mask);
+	write_iamr(pkey_iamr_mask);
 }
 
 static inline bool pkey_allows_readwrite(int pkey)
- * [PATCH 4.18 030/145] powerpc/pkeys: Deny read/write/execute by default
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 029/145] powerpc/pkeys: Give all threads control of their key permissions Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 031/145] powerpc/pkeys: key allocation/deallocation must not change pkey registers Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ram Pai, Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ram Pai <linuxram@us.ibm.com>
commit de113256f8c1c24d8c79ae388bf2a5abd70f7577 upstream.
Deny all permissions on all keys, with some exceptions. pkey-0 must
allow all permissions, or else everything comes to a screeching halt.
Execute-only key must allow execute permission.
Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
Cc: stable@vger.kernel.org # v4.16+
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/pkeys.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -124,12 +124,10 @@ int pkey_initialize(void)
 
 	/* register mask is in BE format */
 	pkey_amr_mask = ~0x0ul;
-	pkey_iamr_mask = ~0x0ul;
+	pkey_amr_mask &= ~(0x3ul << pkeyshift(0));
 
-	for (i = 0; i < (pkeys_total - os_reserved); i++) {
-		pkey_amr_mask &= ~(0x3ul << pkeyshift(i));
-		pkey_iamr_mask &= ~(0x1ul << pkeyshift(i));
-	}
+	pkey_iamr_mask = ~0x0ul;
+	pkey_iamr_mask &= ~(0x3ul << pkeyshift(0));
 
 	pkey_uamor_mask = ~0x0ul;
 	pkey_uamor_mask &= ~(0x3ul << pkeyshift(0));
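Review bot: pkey_iamr_mask &= ~(0x3ul << pkeyshift(0)) clears two bits for key 0, while the loop it replaces cleared IAMR with 0x1ul per key; please confirm which width is right for IAMR and use it consistently. The changelog also says the execute-only key must allow execute permission, but nothing in this hunk handles an execute-only key, so either that is done elsewhere and should be referenced, or it is missing.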
- * [PATCH 4.18 031/145] powerpc/pkeys: key allocation/deallocation must not change pkey registers
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 030/145] powerpc/pkeys: Deny read/write/execute by default Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 032/145] powerpc/pkeys: Save the pkey registers before fork Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thiago Jung Bauermann, Ram Pai,
	Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ram Pai <linuxram@us.ibm.com>
commit 4a4a5e5d2aadc793be95024f454cf511d115b62d upstream.
Key allocation and deallocation have the side effect of programming the
UAMOR/AMR/IAMR registers. This is wrong, since it's the responsibility of
the application and not that of the kernel, to modify the permission on
the key.
Do not modify the pkey registers at key allocation/deallocation.
This patch also fixes a bug where a sys_pkey_free() resets the UAMOR
bits of the key, thus making its permissions unmodifiable from user
space. Later if the same key gets reallocated from a different thread
this thread will no longer be able to change the permissions on the key.
Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
Cc: stable@vger.kernel.org # v4.16+
Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/pkeys.h |   11 -----------
 arch/powerpc/mm/pkeys.c          |   27 ---------------------------
 2 files changed, 38 deletions(-)
--- a/arch/powerpc/include/asm/pkeys.h
+++ b/arch/powerpc/include/asm/pkeys.h
@@ -94,8 +94,6 @@ static inline bool mm_pkey_is_allocated(
 		__mm_pkey_is_allocated(mm, pkey));
 }
 
-extern void __arch_activate_pkey(int pkey);
-extern void __arch_deactivate_pkey(int pkey);
 /*
  * Returns a positive, 5-bit key on success, or -1 on failure.
  * Relies on the mmap_sem to protect against concurrency in mm_pkey_alloc() and
@@ -124,11 +122,6 @@ static inline int mm_pkey_alloc(struct m
 	ret = ffz((u32)mm_pkey_allocation_map(mm));
 	__mm_pkey_allocated(mm, ret);
 
-	/*
-	 * Enable the key in the hardware
-	 */
-	if (ret > 0)
-		__arch_activate_pkey(ret);
 	return ret;
 }
 
@@ -140,10 +133,6 @@ static inline int mm_pkey_free(struct mm
 	if (!mm_pkey_is_allocated(mm, pkey))
 		return -EINVAL;
 
-	/*
-	 * Disable the key in the hardware
-	 */
-	__arch_deactivate_pkey(pkey);
 	__mm_pkey_free(mm, pkey);
 
 	return 0;
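Review bot: With `__arch_deactivate_pkey(pkey);` dropped from `mm_pkey_free()`, the AMR/IAMR/UAMOR bits of a freed key keep whatever its last user left there, and nothing in the function says so. Add a short comment above `__mm_pkey_free(mm, pkey);` stating that the register state is deliberately left untouched and that whoever allocates the key next is responsible for its permissions, so the omission is not later mistaken for a missing reset.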
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -218,33 +218,6 @@ static inline void init_iamr(int pkey, u
 	write_iamr(old_iamr | new_iamr_bits);
 }
 
-static void pkey_status_change(int pkey, bool enable)
-{
-	u64 old_uamor;
-
-	/* Reset the AMR and IAMR bits for this key */
-	init_amr(pkey, 0x0);
-	init_iamr(pkey, 0x0);
-
-	/* Enable/disable key */
-	old_uamor = read_uamor();
-	if (enable)
-		old_uamor |= (0x3ul << pkeyshift(pkey));
-	else
-		old_uamor &= ~(0x3ul << pkeyshift(pkey));
-	write_uamor(old_uamor);
-}
-
-void __arch_activate_pkey(int pkey)
-{
-	pkey_status_change(pkey, true);
-}
-
-void __arch_deactivate_pkey(int pkey)
-{
-	pkey_status_change(pkey, false);
-}
-
 /*
  * Set the access rights in AMR IAMR and UAMOR registers for @pkey to that
  * specified in @init_val.
- * [PATCH 4.18 032/145] powerpc/pkeys: Save the pkey registers before fork
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 031/145] powerpc/pkeys: key allocation/deallocation must not change pkey registers Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 033/145] powerpc/pkeys: Fix calculation of total pkeys Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ram Pai, Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ram Pai <linuxram@us.ibm.com>
commit c76662e825f507b98938dc3bb141c4505bd4968c upstream.
When a thread forks, the contents of AMR, IAMR, UAMOR registers in the
newly forked thread are not inherited.
Save the registers before forking, for content of those
registers to be automatically copied into the new thread.
Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
Cc: stable@vger.kernel.org # v4.16+
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/process.c |    1 +
 1 file changed, 1 insertion(+)
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -583,6 +583,7 @@ static void save_all(struct task_struct
 		__giveup_spe(tsk);
 
 	msr_check_and_clear(msr_all_available);
+	thread_pkey_regs_save(&tsk->thread);
 }
 
 void flush_all_to_thread(struct task_struct *tsk)
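Review bot: `thread_pkey_regs_save(&tsk->thread);` is added at the tail of `save_all()` with no comment, while the rest of the function deals with state selected by MSR bits (`__giveup_spe()`, `msr_check_and_clear(msr_all_available)`). A one-line comment explaining that AMR/IAMR/UAMOR are saved here so that fork copies them into the child would help, and it is worth confirming that no earlier return path in `save_all()` skips the new call.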
- * [PATCH 4.18 033/145] powerpc/pkeys: Fix calculation of total pkeys.
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 032/145] powerpc/pkeys: Save the pkey registers before fork Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 034/145] powerpc/pkeys: Preallocate execute-only key Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ram Pai, Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ram Pai <linuxram@us.ibm.com>
commit fe6a2804e65969a574377bdb3605afb79e6091a9 upstream.
Total number of pkeys calculation is off by 1. Fix it.
Fixes: 4fb158f65ac5 ("powerpc: track allocation status of all pkeys")
Cc: stable@vger.kernel.org # v4.16+
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/pkeys.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -92,7 +92,7 @@ int pkey_initialize(void)
 	 * arch-neutral code.
 	 */
 	pkeys_total = min_t(int, pkeys_total,
-			(ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT));
+			((ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT)+1));
 
 	if (!pkey_mmu_enabled() || radix_enabled() || !pkeys_total)
 		static_branch_enable(&pkey_disabled);
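Review bot: `((ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT)+1)` needs spaces around `+` to match kernel style. The comment above the `min_t()` call should also say why one is added to the shifted flags value; as written, the `+1` reads as an unexplained adjustment.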
- * [PATCH 4.18 034/145] powerpc/pkeys: Preallocate execute-only key
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 033/145] powerpc/pkeys: Fix calculation of total pkeys Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 035/145] powerpc/nohash: fix pte_access_permitted() Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ram Pai, Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ram Pai <linuxram@us.ibm.com>
commit a4fcc877d4e18b5efe26e93f08f0cfd4e278c7d9 upstream.
execute-only key is allocated dynamically. This is a problem. When a
thread implicitly creates an execute-only key, and resets the UAMOR
for that key, the UAMOR value does not percolate to all the other
threads. Any other thread may ignorantly change the permissions on the
key. This can cause the key to be not execute-only for that thread.
Preallocate the execute-only key and ensure that no thread can change
the permission of the key, by resetting the corresponding bit in
UAMOR.
Fixes: 5586cf61e108 ("powerpc: introduce execute-only pkey")
Cc: stable@vger.kernel.org # v4.16+
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/pkeys.c |   63 +++++++++++++-----------------------------------
 1 file changed, 18 insertions(+), 45 deletions(-)
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -18,6 +18,7 @@ u32  initial_allocation_mask;	/* Bits se
 u64  pkey_amr_mask;		/* Bits in AMR not to be touched */
 u64  pkey_iamr_mask;		/* Bits in AMR not to be touched */
 u64  pkey_uamor_mask;		/* Bits in UMOR not to be touched */
+int  execute_only_key = 2;
 
 #define AMR_BITS_PER_PKEY 2
 #define AMR_RD_BIT 0x1UL
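Review bot: `int  execute_only_key = 2;` introduces a writable, non-static global initialised to a bare number, and unlike the three mask variables above it carries no comment. Add a trailing comment explaining that key 2 is reserved for execute-only mappings and that the value becomes -1 when too few keys exist, and make it `static` if nothing outside this file needs it.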
@@ -120,7 +121,8 @@ int pkey_initialize(void)
 #else
 	os_reserved = 0;
 #endif
-	initial_allocation_mask  = (0x1 << 0) | (0x1 << 1);
+	initial_allocation_mask  = (0x1 << 0) | (0x1 << 1) |
+					(0x1 << execute_only_key);
 
 	/* register mask is in BE format */
 	pkey_amr_mask = ~0x0ul;
@@ -128,9 +130,11 @@ int pkey_initialize(void)
 
 	pkey_iamr_mask = ~0x0ul;
 	pkey_iamr_mask &= ~(0x3ul << pkeyshift(0));
+	pkey_iamr_mask &= ~(0x3ul << pkeyshift(execute_only_key));
 
 	pkey_uamor_mask = ~0x0ul;
 	pkey_uamor_mask &= ~(0x3ul << pkeyshift(0));
+	pkey_uamor_mask &= ~(0x3ul << pkeyshift(execute_only_key));
 
 	/* mark the rest of the keys as reserved and hence unavailable */
 	for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) {
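Review bot: The execute-only key is cleared in `pkey_iamr_mask` and `pkey_uamor_mask` but not in `pkey_amr_mask`, although key 0 is cleared in all three masks (the AMR line comes from patch 030 of this series). If leaving the AMR mask alone is intentional, say so in a comment next to the two new lines; otherwise the matching `pkey_amr_mask &= ~(0x3ul << pkeyshift(execute_only_key));` is missing.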
@@ -138,6 +142,17 @@ int pkey_initialize(void)
 		pkey_uamor_mask &= ~(0x3ul << pkeyshift(i));
 	}
 
+	if (unlikely((pkeys_total - os_reserved) <= execute_only_key)) {
+		/*
+		 * Insufficient number of keys to support
+		 * execute only key. Mark it unavailable.
+		 * Any AMR, UAMOR, IAMR bit set for
+		 * this key is irrelevant since this key
+		 * can never be allocated.
+		 */
+		execute_only_key = -1;
+	}
+
 	return 0;
 }
 
@@ -148,8 +163,7 @@ void pkey_mm_init(struct mm_struct *mm)
 	if (static_branch_likely(&pkey_disabled))
 		return;
 	mm_pkey_allocation_map(mm) = initial_allocation_mask;
-	/* -1 means unallocated or invalid */
-	mm->context.execute_only_pkey = -1;
+	mm->context.execute_only_pkey = execute_only_key;
 }
 
 static inline u64 read_amr(void)
@@ -301,48 +315,7 @@ static inline bool pkey_allows_readwrite
 
 int __execute_only_pkey(struct mm_struct *mm)
 {
-	bool need_to_set_mm_pkey = false;
-	int execute_only_pkey = mm->context.execute_only_pkey;
-	int ret;
-
-	/* Do we need to assign a pkey for mm's execute-only maps? */
-	if (execute_only_pkey == -1) {
-		/* Go allocate one to use, which might fail */
-		execute_only_pkey = mm_pkey_alloc(mm);
-		if (execute_only_pkey < 0)
-			return -1;
-		need_to_set_mm_pkey = true;
-	}
-
-	/*
-	 * We do not want to go through the relatively costly dance to set AMR
-	 * if we do not need to. Check it first and assume that if the
-	 * execute-only pkey is readwrite-disabled than we do not have to set it
-	 * ourselves.
-	 */
-	if (!need_to_set_mm_pkey && !pkey_allows_readwrite(execute_only_pkey))
-		return execute_only_pkey;
-
-	/*
-	 * Set up AMR so that it denies access for everything other than
-	 * execution.
-	 */
-	ret = __arch_set_user_pkey_access(current, execute_only_pkey,
-					  PKEY_DISABLE_ACCESS |
-					  PKEY_DISABLE_WRITE);
-	/*
-	 * If the AMR-set operation failed somehow, just return 0 and
-	 * effectively disable execute-only support.
-	 */
-	if (ret) {
-		mm_pkey_free(mm, execute_only_pkey);
-		return -1;
-	}
-
-	/* We got one, store it and use it from here on out */
-	if (need_to_set_mm_pkey)
-		mm->context.execute_only_pkey = execute_only_pkey;
-	return execute_only_pkey;
+	return mm->context.execute_only_pkey;
 }
 
 static inline bool vma_is_pkey_exec_only(struct vm_area_struct *vma)
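Review bot: `__execute_only_pkey()` now returns `mm->context.execute_only_pkey` without the removed `__arch_set_user_pkey_access(current, ..., PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE)` step, so nothing in this function ensures that the calling thread's AMR denies read and write on the key. Add a comment naming where that guarantee now comes from, and note that the return value is -1 when `pkey_initialize()` found too few keys, since callers must still handle that case.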
- * [PATCH 4.18 035/145] powerpc/nohash: fix pte_access_permitted()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 034/145] powerpc/pkeys: Preallocate execute-only key Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 036/145] powerpc64/ftrace: Include ftrace.h needed for enable/disable calls Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Aneesh Kumar K.V,
	Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@c-s.fr>
commit 810e9f86f36f59f1d6f6710220c49afe0c705f38 upstream.
Commit 5769beaf180a8 ("powerpc/mm: Add proper pte access check helper
for other platforms") replaced generic pte_access_permitted() by an
arch specific one.
The generic one is defined as
(pte_present(pte) && (!(write) || pte_write(pte)))
The arch specific one is open coded checking that _PAGE_USER and
_PAGE_WRITE (_PAGE_RW) flags are set, but lacking to check that
_PAGE_RO and _PAGE_PRIVILEGED are unset, leading to a useless test
on targets like the 8xx which defines _PAGE_RW and _PAGE_USER as 0.
Commit 5fa5b16be5b31 ("powerpc/mm/hugetlb: Use pte_access_permitted
for hugetlb access check") replaced some tests performed with
pte helpers by a call to pte_access_permitted(), leading to the same
issue.
This patch rewrites powerpc/nohash pte_access_permitted()
using pte helpers.
Fixes: 5769beaf180a8 ("powerpc/mm: Add proper pte access check helper for other platforms")
Fixes: 5fa5b16be5b31 ("powerpc/mm/hugetlb: Use pte_access_permitted for hugetlb access check")
Cc: stable@vger.kernel.org # v4.15+
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/nohash/pgtable.h |    9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
--- a/arch/powerpc/include/asm/nohash/pgtable.h
+++ b/arch/powerpc/include/asm/nohash/pgtable.h
@@ -51,17 +51,14 @@ static inline int pte_present(pte_t pte)
 #define pte_access_permitted pte_access_permitted
 static inline bool pte_access_permitted(pte_t pte, bool write)
 {
-	unsigned long pteval = pte_val(pte);
 	/*
 	 * A read-only access is controlled by _PAGE_USER bit.
 	 * We have _PAGE_READ set for WRITE and EXECUTE
 	 */
-	unsigned long need_pte_bits = _PAGE_PRESENT | _PAGE_USER;
-
-	if (write)
-		need_pte_bits |= _PAGE_WRITE;
+	if (!pte_present(pte) || !pte_user(pte) || !pte_read(pte))
+		return false;
 
-	if ((pteval & need_pte_bits) != need_pte_bits)
+	if (write && !pte_write(pte))
 		return false;
 
 	return true;
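Review bot: The comment kept at the top of `pte_access_permitted()` still describes the old open-coded bit test ("A read-only access is controlled by _PAGE_USER bit"), although the body now goes through `pte_present()`, `pte_user()`, `pte_read()` and `pte_write()`. Update or drop it so that it matches the helper-based checks.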
- * [PATCH 4.18 036/145] powerpc64/ftrace: Include ftrace.h needed for enable/disable calls
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 035/145] powerpc/nohash: fix pte_access_permitted() Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 037/145] powerpc/powernv/pci: Work around races in PCI bridge enabling Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Luke Dashjr, Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Luke Dashjr <luke@dashjr.org>
commit d6ee76d3d37d156c479348821574b6f99d6472a1 upstream.
this_cpu_disable_ftrace and this_cpu_enable_ftrace are inlines in
ftrace.h. Without it included, the build fails.
Fixes: a4bc64d305af ("powerpc64/ftrace: Disable ftrace during kvm entry/exit")
Cc: stable@vger.kernel.org # v4.18+
Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
Acked-by: Naveen N. Rao <naveen.n.rao at linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kvm/book3s_hv.c |    1 +
 1 file changed, 1 insertion(+)
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -46,6 +46,7 @@
 #include <linux/compiler.h>
 #include <linux/of.h>
 
+#include <asm/ftrace.h>
 #include <asm/reg.h>
 #include <asm/ppc-opcode.h>
 #include <asm/asm-prototypes.h>
- * [PATCH 4.18 037/145] powerpc/powernv/pci: Work around races in PCI bridge enabling
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 036/145] powerpc64/ftrace: Include ftrace.h needed for enable/disable calls Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 038/145] cxl: Fix wrong comparison in cxl_adapter_context_get() Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Herrenschmidt,
	Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
commit db2173198b9513f7add8009f225afa1f1c79bcc6 upstream.
The generic code is racy when multiple children of a PCI bridge try to
enable it simultaneously.
This leads to drivers trying to access a device through a
not-yet-enabled bridge, and thus EEH errors under various
circumstances when using parallel driver probing.
There is work going on to fix that properly in the PCI core but it
will take some time.
x86 gets away with it because (outside of hotplug), the BIOS enables
all the bridges at boot time.
This patch does the same thing on powernv by enabling all bridges that
have child devices at boot time, thus avoiding subsequent races. It's
suitable for backporting to stable and distros, while the proper PCI
fix will probably be significantly more invasive.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: stable@vger.kernel.org
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/platforms/powernv/pci-ioda.c |   37 ++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
--- a/arch/powerpc/platforms/powernv/pci-ioda.c
+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
@@ -3368,12 +3368,49 @@ static void pnv_pci_ioda_create_dbgfs(vo
 #endif /* CONFIG_DEBUG_FS */
 }
 
+static void pnv_pci_enable_bridge(struct pci_bus *bus)
+{
+	struct pci_dev *dev = bus->self;
+	struct pci_bus *child;
+
+	/* Empty bus ? bail */
+	if (list_empty(&bus->devices))
+		return;
+
+	/*
+	 * If there's a bridge associated with that bus enable it. This works
+	 * around races in the generic code if the enabling is done during
+	 * parallel probing. This can be removed once those races have been
+	 * fixed.
+	 */
+	if (dev) {
+		int rc = pci_enable_device(dev);
+		if (rc)
+			pci_err(dev, "Error enabling bridge (%d)\n", rc);
+		pci_set_master(dev);
+	}
+
+	/* Perform the same to child busses */
+	list_for_each_entry(child, &bus->children, node)
+		pnv_pci_enable_bridge(child);
+}
+
+static void pnv_pci_enable_bridges(void)
+{
+	struct pci_controller *hose;
+
+	list_for_each_entry(hose, &hose_list, list_node)
+		pnv_pci_enable_bridge(hose->bus);
+}
+
 static void pnv_pci_ioda_fixup(void)
 {
 	pnv_pci_ioda_setup_PEs();
 	pnv_pci_ioda_setup_iommu_api();
 	pnv_pci_ioda_create_dbgfs();
 
+	pnv_pci_enable_bridges();
+
 #ifdef CONFIG_EEH
 	pnv_eeh_post_init();
 #endif
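Review bot: In `pnv_pci_enable_bridge()`, a failing `pci_enable_device(dev)` is only logged: `pci_set_master(dev)` is still called on the bridge, and the function goes on to recurse into its child buses. Skip `pci_set_master()` when `rc` is non-zero, and state in the comment whether descending below a bridge that failed to enable is intended. A blank line is also missing between the `int rc = pci_enable_device(dev);` declaration and `if (rc)`.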
- * [PATCH 4.18 038/145] cxl: Fix wrong comparison in cxl_adapter_context_get()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 037/145] powerpc/powernv/pci: Work around races in PCI bridge enabling Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 039/145] ocxl: Fix page fault handler in case of fault on dying process Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Vaibhav Jain,
	Andrew Donnellan, Frederic Barrat, Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Vaibhav Jain <vaibhav@linux.ibm.com>
commit ef6cb5f1a048fdf91ccee6d63d2bfa293338502d upstream.
Function atomic_inc_unless_negative() returns a bool to indicate
success/failure. However cxl_adapter_context_get() wrongly compares
the return value against '>=0' which will always be true. The patch
fixes this comparison to '==0' thereby also fixing this compile time
warning:
	drivers/misc/cxl/main.c:290 cxl_adapter_context_get()
	warn: 'atomic_inc_unless_negative(&adapter->contexts_num)' is unsigned
Fixes: 70b565bbdb91 ("cxl: Prevent adapter reset if an active context exists")
Cc: stable@vger.kernel.org # v4.9+
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/cxl/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/cxl/main.c
+++ b/drivers/misc/cxl/main.c
@@ -287,7 +287,7 @@ int cxl_adapter_context_get(struct cxl *
 	int rc;
 
 	rc = atomic_inc_unless_negative(&adapter->contexts_num);
-	return rc >= 0 ? 0 : -EBUSY;
+	return rc ? 0 : -EBUSY;
 }
 
 void cxl_adapter_context_put(struct cxl *adapter)
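Review bot: `rc` stays declared as `int` although it now only carries the boolean result of `atomic_inc_unless_negative()`. Drop the variable and return `atomic_inc_unless_negative(&adapter->contexts_num) ? 0 : -EBUSY` directly, or declare it `bool`. The commit message also says the comparison becomes '==0', which does not match the `rc ? 0 : -EBUSY` that the hunk adds, so the description should be corrected.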
- * [PATCH 4.18 039/145] ocxl: Fix page fault handler in case of fault on dying process
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 038/145] cxl: Fix wrong comparison in cxl_adapter_context_get() Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 040/145] IB/mlx5: Honor cnt_set_id_valid flag instead of set_id Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Frederic Barrat, Alastair DSilva,
	Andrew Donnellan, Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Frederic Barrat <fbarrat@linux.ibm.com>
commit d497ebf5fb3a026c0817f8c96cde578787f24093 upstream.
If a process exits without doing proper cleanup, there's a window
where an opencapi device can try to access the memory of the dying
process and may trigger a page fault. That's an expected scenario and
the ocxl driver holds a reference on the mm_struct of the process
until the opencapi device is notified of the process exiting.
However, if mm_users is already at 0, i.e. the address space of the
process has already been destroyed, the driver shouldn't try resolving
the page fault, as it will fail, but it can also try accessing already
freed data.
It is fixed by only calling the bottom half of the page fault handler
if mm_users is greater than 0 and get a reference on mm_users instead
of mm_count. Otherwise, we can safely return a translation fault to
the device, as its associated memory context is being removed. The
opencapi device will be properly cleaned up shortly after when closing
the file descriptors.
Fixes: 5ef3166e8a32 ("ocxl: Driver code for 'generic' opencapi devices")
Cc: stable@vger.kernel.org # v4.16+
Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Reviewed-By: Alastair D'Silva <alastair@d-silva.org>
Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/ocxl/link.c |   24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
--- a/drivers/misc/ocxl/link.c
+++ b/drivers/misc/ocxl/link.c
@@ -136,7 +136,7 @@ static void xsl_fault_handler_bh(struct
 	int rc;
 
 	/*
-	 * We need to release a reference on the mm whenever exiting this
+	 * We must release a reference on mm_users whenever exiting this
 	 * function (taken in the memory fault interrupt handler)
 	 */
 	rc = copro_handle_mm_fault(fault->pe_data.mm, fault->dar, fault->dsisr,
@@ -172,7 +172,7 @@ static void xsl_fault_handler_bh(struct
 	}
 	r = RESTART;
 ack:
-	mmdrop(fault->pe_data.mm);
+	mmput(fault->pe_data.mm);
 	ack_irq(spa, r);
 }
 
@@ -184,6 +184,7 @@ static irqreturn_t xsl_fault_handler(int
 	struct pe_data *pe_data;
 	struct ocxl_process_element *pe;
 	int lpid, pid, tid;
+	bool schedule = false;
 
 	read_irq(spa, &dsisr, &dar, &pe_handle);
 	trace_ocxl_fault(spa->spa_mem, pe_handle, dsisr, dar, -1);
@@ -226,14 +227,19 @@ static irqreturn_t xsl_fault_handler(int
 	}
 	WARN_ON(pe_data->mm->context.id != pid);
 
-	spa->xsl_fault.pe = pe_handle;
-	spa->xsl_fault.dar = dar;
-	spa->xsl_fault.dsisr = dsisr;
-	spa->xsl_fault.pe_data = *pe_data;
-	mmgrab(pe_data->mm); /* mm count is released by bottom half */
-
+	if (mmget_not_zero(pe_data->mm)) {
+			spa->xsl_fault.pe = pe_handle;
+			spa->xsl_fault.dar = dar;
+			spa->xsl_fault.dsisr = dsisr;
+			spa->xsl_fault.pe_data = *pe_data;
+			schedule = true;
+			/* mm_users count released by bottom half */
+	}
 	rcu_read_unlock();
-	schedule_work(&spa->xsl_fault.fault_work);
+	if (schedule)
+		schedule_work(&spa->xsl_fault.fault_work);
+	else
+		ack_irq(spa, ADDRESS_ERROR);
 	return IRQ_HANDLED;
 }
 
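Review bot: The body of `if (mmget_not_zero(pe_data->mm)) {` is indented with three tabs instead of two. The local flag declared in the previous hunk is also named `schedule`, which shadows the scheduler's `schedule()` within `xsl_fault_handler()`. Reindent the block and rename the flag, and move the "mm_users count released by bottom half" comment up next to the `mmget_not_zero()` call it describes.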
- * [PATCH 4.18 040/145] IB/mlx5: Honor cnt_set_id_valid flag instead of set_id
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 039/145] ocxl: Fix page fault handler in case of fault on dying process Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 041/145] IB/mlx5: Fix leaking stack memory to userspace Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Parav Pandit, Daniel Jurgens,
	Leon Romanovsky, Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Parav Pandit <parav@mellanox.com>
commit 921c0f5ba58e4064deb18b4985a202508fc5527f upstream.
It is incorrect to depend on set_id value to know if counters were
allocated or not. set_id_valid field is set to true when counters
were allocated. Therefore, use set_id_valid while deciding to
free counters.
Cc: <stable@vger.kernel.org> # 4.15
Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE")
Signed-off-by: Parav Pandit <parav@mellanox.com>
Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -4694,7 +4694,7 @@ static void mlx5_ib_dealloc_counters(str
 	int i;
 
 	for (i = 0; i < dev->num_ports; i++) {
-		if (dev->port[i].cnts.set_id)
+		if (dev->port[i].cnts.set_id_valid)
 			mlx5_core_dealloc_q_counter(dev->mdev,
 						    dev->port[i].cnts.set_id);
 		kfree(dev->port[i].cnts.names);
- * [PATCH 4.18 041/145] IB/mlx5: Fix leaking stack memory to userspace
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 040/145] IB/mlx5: Honor cnt_set_id_valid flag instead of set_id Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 042/145] IB/srpt: Fix srpt_cm_req_recv() error path (1/2) Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Leon Romanovsky, Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@mellanox.com>
commit 0625b4ba1a5d4703c7fb01c497bd6c156908af00 upstream.
mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
were written.
Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
Cc: <stable@vger.kernel.org>
Acked-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/qp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -1626,7 +1626,7 @@ static int create_qp_common(struct mlx5_
 	struct mlx5_ib_resources *devr = &dev->devr;
 	int inlen = MLX5_ST_SZ_BYTES(create_qp_in);
 	struct mlx5_core_dev *mdev = dev->mdev;
-	struct mlx5_ib_create_qp_resp resp;
+	struct mlx5_ib_create_qp_resp resp = {};
 	struct mlx5_ib_cq *send_cq;
 	struct mlx5_ib_cq *recv_cq;
 	unsigned long flags;
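Review bot: `struct mlx5_ib_create_qp_resp resp = {};` zeroes the members, but an initializer is not guaranteed to clear padding bytes, and the commit message says this structure is what reaches userspace. Use `memset(&resp, 0, sizeof(resp));` before first use so padding is covered as well, or add a comment stating that the structure has no padding.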
- * [PATCH 4.18 042/145] IB/srpt: Fix srpt_cm_req_recv() error path (1/2)
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 041/145] IB/mlx5: Fix leaking stack memory to userspace Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 043/145] IB/srpt: Fix srpt_cm_req_recv() error path (2/2) Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 847462de3a0aabc5343a1e338537f69a03bb61af upstream.
Once a target session has been allocated, if an error occurs, the session
must be freed. Since it is not safe to call blocking code from the context
of a connection manager callback, trigger target session release in this
case by calling srpt_close_ch().
Fixes: db7683d7deb2 ("IB/srpt: Fix login-related race conditions")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -2087,7 +2087,7 @@ static int srpt_cm_req_recv(struct srpt_
 		struct rdma_conn_param rdma_cm;
 		struct ib_cm_rep_param ib_cm;
 	} *rep_param = NULL;
-	struct srpt_rdma_ch *ch;
+	struct srpt_rdma_ch *ch = NULL;
 	char i_port_id[36];
 	u32 it_iu_len;
 	int i, ret;
@@ -2234,13 +2234,15 @@ static int srpt_cm_req_recv(struct srpt_
 						TARGET_PROT_NORMAL,
 						i_port_id + 2, ch, NULL);
 	if (IS_ERR_OR_NULL(ch->sess)) {
+		WARN_ON_ONCE(ch->sess == NULL);
 		ret = PTR_ERR(ch->sess);
+		ch->sess = NULL;
 		pr_info("Rejected login for initiator %s: ret = %d.\n",
 			ch->sess_name, ret);
 		rej->reason = cpu_to_be32(ret == -ENOMEM ?
 				SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES :
 				SRP_LOGIN_REJ_CHANNEL_LIMIT_REACHED);
-		goto reject;
+		goto destroy_ib;
 	}
 
 	mutex_lock(&sport->mutex);
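Review bot: in the IS_ERR_OR_NULL() branch, a NULL ch->sess makes PTR_ERR(ch->sess) evaluate to 0, so ret is 0 when control reaches destroy_ib and the pr_info() prints "ret = 0" for a rejected login. The WARN_ON_ONCE() acknowledges the NULL case but does not give it an error code; something like "ret = ch->sess ? PTR_ERR(ch->sess) : -EINVAL;" before clearing ch->sess would keep the failure visible to the caller.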
@@ -2279,7 +2281,7 @@ static int srpt_cm_req_recv(struct srpt_
 		rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
 		pr_err("rejected SRP_LOGIN_REQ because enabling RTR failed (error code = %d)\n",
 		       ret);
-		goto destroy_ib;
+		goto reject;
 	}
 
 	pr_debug("Establish connection sess=%p name=%s ch=%p\n", ch->sess,
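Review bot: the RTR-failure branch now jumps to reject while the session-setup failure in the previous hunk jumps to destroy_ib, and nothing in the code says why the two differ. A short comment at this goto noting that ch->sess is live here, so teardown has to go through the srpt_close_ch() call under reject:, would keep a later cleanup from swapping the labels back.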
@@ -2379,6 +2381,15 @@ reject:
 		ib_send_cm_rej(ib_cm_id, IB_CM_REJ_CONSUMER_DEFINED, NULL, 0,
 			       rej, sizeof(*rej));
 
+	if (ch && ch->sess) {
+		srpt_close_ch(ch);
+		/*
+		 * Tell the caller not to free cm_id since
+		 * srpt_release_channel_work() will do that.
+		 */
+		ret = 0;
+	}
+
 out:
 	kfree(rep_param);
 	kfree(rsp);
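Review bot: the bool returned by srpt_close_ch() is ignored in the new block under reject:, and ret is forced to 0 either way. If srpt_close_ch() returns false because the channel was already draining, it is worth confirming that the release work which frees cm_id has in fact been queued, since the comment promises the caller that it will be. The comment could also say that returning 0 here hides the login failure from the caller on purpose.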
- * [PATCH 4.18 043/145] IB/srpt: Fix srpt_cm_req_recv() error path (2/2)
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 6869e0004fe16184acd6488f0c637e0081a84a8a upstream.
If a login request was received through the RDMA/CM and if an error occurs
during login, clear rdma_cm_id->context instead of ib_cm_id->context.
Fixes: 63cf1a902c9d ("IB/srpt: Add RDMA/CM support")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -2360,8 +2360,11 @@ free_ring:
 	srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
 			     ch->sport->sdev, ch->rq_size,
 			     ch->max_rsp_size, DMA_TO_DEVICE);
+
 free_ch:
-	if (ib_cm_id)
+	if (rdma_cm_id)
+		rdma_cm_id->context = NULL;
+	else
 		ib_cm_id->context = NULL;
 	kfree(ch);
 	ch = NULL;
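Review bot: the else branch under free_ch: dereferences ib_cm_id with no NULL test, where the old code guarded it with "if (ib_cm_id)". That is fine only if exactly one of rdma_cm_id and ib_cm_id is always non-NULL on this path; a one-line comment or a WARN_ON_ONCE(!ib_cm_id) in the else branch would record that assumption. The blank line added before free_ch: is an unrelated whitespace change.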
- * [PATCH 4.18 044/145] IB/srpt: Support HCAs with more than two ports
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Wise, Bart Van Assche,
	Christoph Hellwig, Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit e620ebfc228dcbef7519e3d16f43c6c6f1a1d0cb upstream.
Since there are adapters that have four ports, increase the size of
the srpt_device.port[] array. This patch avoids that the following
warning is hit with quad port Chelsio adapters:
    WARN_ON(sdev->device->phys_port_cnt > ARRAY_SIZE(sdev->port));
Reported-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Steve Wise <swise@opengridcomputing.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: <stable@vger.kernel.org>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c |    5 ++---
 drivers/infiniband/ulp/srpt/ib_srpt.h |    4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -2983,7 +2983,8 @@ static void srpt_add_one(struct ib_devic
 
 	pr_debug("device = %p\n", device);
 
-	sdev = kzalloc(sizeof(*sdev), GFP_KERNEL);
+	sdev = kzalloc(struct_size(sdev, port, device->phys_port_cnt),
+		       GFP_KERNEL);
 	if (!sdev)
 		goto err;
 
@@ -3037,8 +3038,6 @@ static void srpt_add_one(struct ib_devic
 			      srpt_event_handler);
 	ib_register_event_handler(&sdev->event_handler);
 
-	WARN_ON(sdev->device->phys_port_cnt > ARRAY_SIZE(sdev->port));
-
 	for (i = 1; i <= sdev->device->phys_port_cnt; i++) {
 		sport = &sdev->port[i - 1];
 		INIT_LIST_HEAD(&sport->nexus_list);
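Review bot: with the WARN_ON() gone, the only thing keeping "sdev->port[i - 1]" in bounds is that this loop's limit, sdev->device->phys_port_cnt, is the same value that was passed to struct_size() as device->phys_port_cnt in the previous hunk. Using the same expression in both places, or a comment at the allocation saying that port[] has phys_port_cnt entries, would make that dependency explicit.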
--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
@@ -396,9 +396,9 @@ struct srpt_port {
  * @sdev_mutex:	   Serializes use_srq changes.
  * @use_srq:       Whether or not to use SRQ.
  * @ioctx_ring:    Per-HCA SRQ.
- * @port:          Information about the ports owned by this HCA.
  * @event_handler: Per-HCA asynchronous IB event handler.
  * @list:          Node in srpt_dev_list.
+ * @port:          Information about the ports owned by this HCA.
  */
 struct srpt_device {
 	struct ib_device	*device;
@@ -410,9 +410,9 @@ struct srpt_device {
 	struct mutex		sdev_mutex;
 	bool			use_srq;
 	struct srpt_recv_ioctx	**ioctx_ring;
-	struct srpt_port	port[2];
 	struct ib_event_handler	event_handler;
 	struct list_head	list;
+	struct srpt_port        port[];
 };
 
 #endif				/* IB_SRPT_H */
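Review bot: the new "struct srpt_port        port[];" line pads with spaces, while every other member of struct srpt_device is aligned with tabs; please use tabs to match. Moving the member to the end is required for a flexible array, and the kernel-doc order in the previous hunk was updated to match, which is good.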
- * [PATCH 4.18 045/145] overflow.h: Add arithmetic shift helper
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Leon Romanovsky,
	Kees Cook
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@mellanox.com>
commit 0c66847793d1982d1083dc6f7adad60fa265ce9c upstream.
Add shift_overflow() helper to assist driver authors in ensuring that
shift operations don't cause overflows or other odd conditions.
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
[kees: tweaked comments and commit log, dropped unneeded assignment]
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/overflow.h |   31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -202,6 +202,37 @@
 
 #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
 
+/** check_shl_overflow() - Calculate a left-shifted value and check overflow
+ *
+ * @a: Value to be shifted
+ * @s: How many bits left to shift
+ * @d: Pointer to where to store the result
+ *
+ * Computes *@d = (@a << @s)
+ *
+ * Returns true if '*d' cannot hold the result or when 'a << s' doesn't
+ * make sense. Example conditions:
+ * - 'a << s' causes bits to be lost when stored in *d.
+ * - 's' is garbage (e.g. negative) or so large that the result of
+ *   'a << s' is guaranteed to be 0.
+ * - 'a' is negative.
+ * - 'a << s' sets the sign bit, if any, in '*d'.
+ *
+ * '*d' will hold the results of the attempted shift, but is not
+ * considered "safe for use" if false is returned.
+ */
+#define check_shl_overflow(a, s, d) ({					\
+	typeof(a) _a = a;						\
+	typeof(s) _s = s;						\
+	typeof(d) _d = d;						\
+	u64 _a_full = _a;						\
+	unsigned int _to_shift =					\
+		_s >= 0 && _s < 8 * sizeof(*d) ? _s : 0;		\
+	*_d = (_a_full << _to_shift);					\
+	(_to_shift != _s || *_d < 0 || _a < 0 ||			\
+		(*_d >> _to_shift) != _a);				\
+})
+
 /**
  * array_size() - Calculate size of 2-dimensional array.
  *
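Review bot: the last paragraph of the kernel-doc says '*d' is not "safe for use" if false is returned, but the macro evaluates to true on overflow (the "Returns true if" line above says so, and the final expression agrees), so this should read "if true is returned". In the macro body, "sizeof(*d)" uses the raw argument rather than _d, and the initialisers "_a = a", "_s = s", "_d = d" are unparenthesised; "sizeof(*_d)" and "(a)", "(s)", "(d)" would be the usual hygiene. The "_s >= 0" and "*_d < 0" tests are always true and always false respectively for unsigned operands and may draw type-limits warnings.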
- * [PATCH 4.18 046/145] RDMA/mlx5: Fix shift overflow in mlx5_ib_create_wq
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzkaller, Noa Osherovich,
	Leon Romanovsky, Kees Cook, Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit 0dfe452241f4904de497aef01ad2f609ccb9be90 upstream.
[   61.182439] UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:5366:34
[   61.183673] shift exponent 4294967288 is too large for 32-bit type 'unsigned int'
[   61.185530] CPU: 0 PID: 639 Comm: qp Not tainted 4.18.0-rc1-00037-g4aa1d69a9c60-dirty #96
[   61.186981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
[   61.188315] Call Trace:
[   61.188661]  dump_stack+0xc7/0x13b
[   61.190427]  ubsan_epilogue+0x9/0x49
[   61.190899]  __ubsan_handle_shift_out_of_bounds+0x1ea/0x22f
[   61.197040]  mlx5_ib_create_wq+0x1c99/0x1d50
[   61.206632]  ib_uverbs_ex_create_wq+0x499/0x820
[   61.213892]  ib_uverbs_write+0x77e/0xae0
[   61.248018]  vfs_write+0x121/0x3b0
[   61.249831]  ksys_write+0xa1/0x120
[   61.254024]  do_syscall_64+0x7c/0x2a0
[   61.256178]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   61.259211] RIP: 0033:0x7f54bab70e99
[   61.262125] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89
[   61.268678] RSP: 002b:00007ffe1541c318 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   61.271076] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f54bab70e99
[   61.273795] RDX: 0000000000000070 RSI: 0000000020000240 RDI: 0000000000000003
[   61.276982] RBP: 00007ffe1541c330 R08: 00000000200078e0 R09: 0000000000000002
[   61.280035] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004005c0
[   61.283279] R13: 00007ffe1541c420 R14: 0000000000000000 R15: 0000000000000000
Cc: <stable@vger.kernel.org> # 4.7
Fixes: 79b20a6c3014 ("IB/mlx5: Add receive Work Queue verbs")
Cc: syzkaller <syzkaller@googlegroups.com>
Reported-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/qp.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -5365,7 +5365,9 @@ static int set_user_rq_size(struct mlx5_
 
 	rwq->wqe_count = ucmd->rq_wqe_count;
 	rwq->wqe_shift = ucmd->rq_wqe_shift;
-	rwq->buf_size = (rwq->wqe_count << rwq->wqe_shift);
+	if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, &rwq->buf_size))
+		return -EINVAL;
+
 	rwq->log_rq_stride = rwq->wqe_shift;
 	rwq->log_rq_size = ilog2(rwq->wqe_count);
 	return 0;
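Review bot: a zero ucmd->rq_wqe_count passes check_shl_overflow() and then reaches "ilog2(rwq->wqe_count)" two lines later; if zero is not rejected before set_user_rq_size() is called, it should be rejected here alongside the shift check. Also, rwq->wqe_count and rwq->wqe_shift are stored before the check, so the -EINVAL return leaves rwq partly updated; doing the check first, or on the ucmd fields, would avoid that.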
- * [PATCH 4.18 047/145] ib_srpt: Fix a use-after-free in srpt_close_ch()
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 995250959d22fc341b5424e3343b0ce5df672461 upstream.
Avoid that KASAN reports the following:
BUG: KASAN: use-after-free in srpt_close_ch+0x4f/0x1b0 [ib_srpt]
Read of size 4 at addr ffff880151180cb8 by task check/4681
CPU: 15 PID: 4681 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 dump_stack+0xa4/0xf5
 print_address_description+0x6f/0x270
 kasan_report+0x241/0x360
 __asan_load4+0x78/0x80
 srpt_close_ch+0x4f/0x1b0 [ib_srpt]
 srpt_set_enabled+0xf7/0x1e0 [ib_srpt]
 srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
 configfs_write_file+0x14e/0x1d0 [configfs]
 __vfs_write+0xd2/0x3b0
 vfs_write+0x101/0x270
 ksys_write+0xab/0x120
 __x64_sys_write+0x43/0x50
 do_syscall_64+0x77/0x230
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1833,8 +1833,7 @@ static bool srpt_close_ch(struct srpt_rd
 	int ret;
 
 	if (!srpt_set_ch_state(ch, CH_DRAINING)) {
-		pr_debug("%s-%d: already closed\n", ch->sess_name,
-			 ch->qp->qp_num);
+		pr_debug("%s: already closed\n", ch->sess_name);
 		return false;
 	}
 
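Review bot: the already-closed branch still reads ch->sess_name after srpt_set_ch_state() has reported that the channel is being closed elsewhere. The hunk removes the ch->qp dereference that KASAN flagged, but it would help to state, in a comment or in the changelog, what keeps ch itself valid at this point while ch->qp may already be gone. The debug line also loses the QP number that the old "%s-%d" format used to tell channels apart.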
- * [PATCH 4.18 048/145] ib_srpt: Fix a use-after-free in __srpt_close_all_ch()
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 14d15c2b278011056482eb015dff89f9cbf2b841 upstream.
BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
Read of size 4 at addr ffff8801269d23f8 by task check/29726
CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 dump_stack+0xa4/0xf5
 print_address_description+0x6f/0x270
 kasan_report+0x241/0x360
 __asan_load4+0x78/0x80
 srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
 srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
 configfs_write_file+0x14e/0x1d0 [configfs]
 __vfs_write+0xd2/0x3b0
 vfs_write+0x101/0x270
 ksys_write+0xab/0x120
 __x64_sys_write+0x43/0x50
 do_syscall_64+0x77/0x230
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f235cfe6154
Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1939,8 +1939,8 @@ static void __srpt_close_all_ch(struct s
 	list_for_each_entry(nexus, &sport->nexus_list, entry) {
 		list_for_each_entry(ch, &nexus->ch_list, list) {
 			if (srpt_disconnect_ch(ch) >= 0)
-				pr_info("Closing channel %s-%d because target %s_%d has been disabled\n",
-					ch->sess_name, ch->qp->qp_num,
+				pr_info("Closing channel %s because target %s_%d has been disabled\n",
+					ch->sess_name,
 					sport->sdev->device->name, sport->port);
 			srpt_close_ch(ch);
 		}
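Review bot: nothing at the pr_info() says why ch->qp must not be touched after srpt_disconnect_ch(), so the QP number could easily be added back to the message later. A one-line comment above the pr_info() would prevent that, and the changelog, which carries only the KASAN trace, could say in a sentence what frees ch->qp. ch->sess_name is still read on the same line, so the same lifetime question applies to ch.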
- * [PATCH 4.18 049/145] RDMA/rxe: Set wqe->status correctly if an unexpected response is received
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Yuval Shaia,
	Jason Gunthorpe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 61b717d041b1976530f68f8b539b2e3a7dd8e39c upstream.
Every function that returns COMPST_ERROR must set wqe->status to another
value than IB_WC_SUCCESS before returning COMPST_ERROR. Fix the only code
path for which this is not yet the case.
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/sw/rxe/rxe_comp.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/infiniband/sw/rxe/rxe_comp.c
+++ b/drivers/infiniband/sw/rxe/rxe_comp.c
@@ -276,6 +276,7 @@ static inline enum comp_state check_ack(
 	case IB_OPCODE_RC_RDMA_READ_RESPONSE_MIDDLE:
 		if (wqe->wr.opcode != IB_WR_RDMA_READ &&
 		    wqe->wr.opcode != IB_WR_RDMA_READ_WITH_INV) {
+			wqe->status = IB_WC_FATAL_ERR;
 			return COMPST_ERROR;
 		}
 		reset_retry_counters(qp);
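Review bot: the rule that every COMPST_ERROR return must first set wqe->status to something other than IB_WC_SUCCESS exists only in the changelog. A comment at the top of check_ack(), or a small helper that sets the status and returns COMPST_ERROR together, would keep the next added case from repeating the omission fixed in this READ_RESPONSE_MIDDLE branch.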
- * [PATCH 4.18 050/145] 9p: fix multiple NULL-pointer-dereferences
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Bortoli,
	syzbot+1a262da37d3bead15c39, Dominique Martinet
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Tomas Bortoli <tomasbortoli@gmail.com>
commit 10aa14527f458e9867cf3d2cc6b8cb0f6704448b upstream.
Added checks to prevent GPFs from raising.
Link: http://lkml.kernel.org/r/20180727110558.5479-1-tomasbortoli@gmail.com
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/9p/trans_fd.c     |    5 ++++-
 net/9p/trans_rdma.c   |    3 +++
 net/9p/trans_virtio.c |    3 +++
 net/9p/trans_xen.c    |    3 +++
 4 files changed, 13 insertions(+), 1 deletion(-)
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -940,7 +940,7 @@ p9_fd_create_tcp(struct p9_client *clien
 	if (err < 0)
 		return err;
 
-	if (valid_ipaddr4(addr) < 0)
+	if (addr == NULL || valid_ipaddr4(addr) < 0)
 		return -EINVAL;
 
 	csocket = NULL;
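Review bot: here the NULL test is folded into the valid_ipaddr4() condition and sits after the "err < 0" return, while the other hunks in this patch use a separate "if (addr == NULL) return -EINVAL;" and trans_rdma.c places it before parse_opts(). The result is the same -EINVAL, but a NULL addr combined with bad options reports a different error depending on the transport; using one form and one position in all of the create functions would be more consistent.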
@@ -990,6 +990,9 @@ p9_fd_create_unix(struct p9_client *clie
 
 	csocket = NULL;
 
+	if (addr == NULL)
+		return -EINVAL;
+
 	if (strlen(addr) >= UNIX_PATH_MAX) {
 		pr_err("%s (%d): address too long: %s\n",
 		       __func__, task_pid_nr(current), addr);
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -644,6 +644,9 @@ rdma_create_trans(struct p9_client *clie
 	struct rdma_conn_param conn_param;
 	struct ib_qp_init_attr qp_attr;
 
+	if (addr == NULL)
+		return -EINVAL;
+
 	/* Parse the transport specific mount options */
 	err = parse_opts(args, &opts);
 	if (err < 0)
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -650,6 +650,9 @@ p9_virtio_create(struct p9_client *clien
 	int ret = -ENOENT;
 	int found = 0;
 
+	if (devname == NULL)
+		return -EINVAL;
+
 	mutex_lock(&virtio_9p_lock);
 	list_for_each_entry(chan, &virtio_chan_list, chan_list) {
 		if (!strncmp(devname, chan->tag, chan->tag_len) &&
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -94,6 +94,9 @@ static int p9_xen_create(struct p9_clien
 {
 	struct xen_9pfs_front_priv *priv;
 
+	if (addr == NULL)
+		return -EINVAL;
+
 	read_lock(&xen_9pfs_lock);
 	list_for_each_entry(priv, &xen_9pfs_devs, list) {
 		if (!strcmp(priv->tag, addr)) {
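Review bot: the same NULL guard is now repeated in each transport's create callback (trans_fd.c twice, trans_rdma.c, trans_virtio.c, and here). If the callers of these callbacks share one call site, checking there once would cover these five and any transport added later; if that is not possible, a note in the changelog explaining why would help.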
- * [PATCH 4.18 051/145] fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jun Piao, Eric Van Hensbergen,
	Ron Minnich, Latchesar Ionkov, Andrew Morton, Dominique Martinet
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: piaojun <piaojun@huawei.com>
commit 3111784bee81591ea2815011688d28b65df03627 upstream.
In my testing, v9fs_fid_xattr_set will return successfully even if the
backend ext4 filesystem has no space to store xattr key-value. That will
cause inconsistent behavior between front end and back end. The reason is
that lsetxattr will be triggered by p9_client_clunk, and unfortunately we
did not catch the error. This patch will catch the error to notify upper
caller.
p9_client_clunk (in 9p)
  p9_client_rpc(clnt, P9_TCLUNK, "d", fid->fid);
    v9fs_clunk (in qemu)
      put_fid
        free_fid
          v9fs_xattr_fid_clunk
            v9fs_co_lsetxattr
              s->ops->lsetxattr
                ext4_xattr_user_set (in host ext4 filesystem)
Link: http://lkml.kernel.org/r/5B57EACC.2060900@huawei.com
Signed-off-by: Jun Piao <piaojun@huawei.com>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/9p/xattr.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/9p/xattr.c
+++ b/fs/9p/xattr.c
@@ -105,7 +105,7 @@ int v9fs_fid_xattr_set(struct p9_fid *fi
 {
 	struct kvec kvec = {.iov_base = (void *)value, .iov_len = value_len};
 	struct iov_iter from;
-	int retval;
+	int retval, err;
 
 	iov_iter_kvec(&from, WRITE | ITER_KVEC, &kvec, 1, value_len);
 
@@ -126,7 +126,9 @@ int v9fs_fid_xattr_set(struct p9_fid *fi
 			 retval);
 	else
 		p9_client_write(fid, 0, &from, &retval);
-	p9_client_clunk(fid);
+	err = p9_client_clunk(fid);
+	if (!retval && err)
+		retval = err;
 	return retval;
 }
 
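Review bot: when retval is already non-zero, the clunk error in err is dropped without a trace. Keeping the first error as the return value is right, but a p9_debug() of err in that case would make a failing clunk visible. The "if (!retval && err)" test also assumes retval is exactly 0 on success, which depends on what the p9_client_write() call above stores through "&retval"; a comment saying so would help.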
- * [PATCH 4.18 052/145] 9p/virtio: fix off-by-one error in sg list bounds check
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yiwen Jiang, Dan Carpenter, Jun Piao,
	Dominique Martinet
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: jiangyiwen <jiangyiwen@huawei.com>
commit 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 upstream.
Because the value of limit is VIRTQUEUE_NUM, if index is equal to
limit, it will cause sg array out of bounds, so correct the judgement
of BUG_ON.
Link: http://lkml.kernel.org/r/5B63D5F6.6080109@huawei.com
Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
Reported-By: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jun Piao <piaojun@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/9p/trans_virtio.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -188,7 +188,7 @@ static int pack_sg_list(struct scatterli
 		s = rest_of_page(data);
 		if (s > count)
 			s = count;
-		BUG_ON(index > limit);
+		BUG_ON(index >= limit);
 		/* Make sure we don't terminate early. */
 		sg_unmark_end(&sg[index]);
 		sg_set_buf(&sg[index++], data, s);
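Review bot: "index >= limit" is the correct bound, since sg[index] is written by sg_unmark_end() and sg_set_buf() on the following lines, but BUG_ON() still turns an oversized request into a panic. If the callers of pack_sg_list() can handle a failure, a WARN_ON_ONCE() with an error return would be a gentler follow-up; that does not need to hold up this fix.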
@@ -233,6 +233,7 @@ pack_sg_list_p(struct scatterlist *sg, i
 		s = PAGE_SIZE - data_off;
 		if (s > count)
 			s = count;
+		BUG_ON(index >= limit);
 		/* Make sure we don't terminate early. */
 		sg_unmark_end(&sg[index]);
 		sg_set_page(&sg[index++], pdata[i++], s, data_off);
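Review bot: this hunk adds a bounds check to pack_sg_list_p() where there was none before, but the changelog only talks about correcting the existing BUG_ON(). Please mention the added check in the commit message so that the second function is not missed by someone reading the log for backport decisions.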
- * [PATCH 4.18 053/145] net/9p/client.c: version pointer uninitialized
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Bortoli,
	syzbot+65c6b72f284a39d416b4, Jun Piao, Yiwen Jiang,
	Eric Van Hensbergen, Ron Minnich, Latchesar Ionkov, Andrew Morton,
	Dominique Martinet
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Tomas Bortoli <tomasbortoli@gmail.com>
commit 7913690dcc5e18e235769fd87c34143072f5dbea upstream.
The p9_client_version() does not initialize the version pointer. If the
call to p9pdu_readf() returns an error and version has not been allocated
in p9pdu_readf(), then the program will jump to the "error" label and will
try to free the version pointer. If version is not initialized, free()
will be called with uninitialized, garbage data and will provoke a crash.
Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
Reviewed-by: Jun Piao <piaojun@huawei.com>
Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/9p/client.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -958,7 +958,7 @@ static int p9_client_version(struct p9_c
 {
 	int err = 0;
 	struct p9_req_t *req;
-	char *version;
+	char *version = NULL;
 	int msize;
 
 	p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
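Review bot: "int msize;" on the line after the fixed declaration is still uninitialised and, per the changelog, the same p9pdu_readf() call can fail before filling its outputs, so it is worth confirming that nothing after the error label reads msize. Initialising version to NULL is the right fix for the free on the error path.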
- * [PATCH 4.18 054/145] net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel, Eric Van Hensbergen, Ron Minnich, Latchesar Ionkov
  Cc: Greg Kroah-Hartman, stable, Tomas Bortoli,
	syzbot+39749ed7d9ef6dfb23f6, Yiwen Jiang, Dominique Martinet
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Tomas Bortoli <tomasbortoli@gmail.com>
commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 upstream.
The patch adds the flush in p9_mux_poll_stop() as it is the function used by
p9_conn_destroy(), in turn called by p9_fd_close() to stop the async
polling associated with the data regarding the connection.
Link: http://lkml.kernel.org/r/20180720092730.27104-1-tomasbortoli@gmail.com
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com
To: Eric Van Hensbergen <ericvh@gmail.com>
To: Ron Minnich <rminnich@sandia.gov>
To: Latchesar Ionkov <lucho@ionkov.net>
Cc: Yiwen Jiang <jiangyiwen@huwei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/9p/trans_fd.c |    2 ++
 1 file changed, 2 insertions(+)
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_c
 	spin_lock_irqsave(&p9_poll_lock, flags);
 	list_del_init(&m->poll_pending_link);
 	spin_unlock_irqrestore(&p9_poll_lock, flags);
+
+	flush_work(&p9_poll_work);
 }
 
 /**
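Review bot: flush_work() can sleep, so after this change p9_mux_poll_stop() may only be called from process context with no spinlocks held; the call is correctly placed after spin_unlock_irqrestore(), but the function has no comment saying it may now block. Note also that p9_poll_work is a single shared work item rather than a member of m, so closing one connection waits for the poll pass over all of them; a short comment explaining that this is intended would help.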
- * [PATCH 4.18 055/145] dm integrity: change suspending variable from bool to int
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit c21b16392701543d61e366dca84e15fe7f0cf0cf upstream.
Early alpha processors can't write a byte or short atomically - they
read 8 bytes, modify the byte or two bytes in registers and write back
8 bytes.
The modification of the variable "suspending" may race with
modification of the variable "failed".  Fix this by changing
"suspending" to an int.
Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-integrity.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -178,7 +178,7 @@ struct dm_integrity_c {
 	__u8 sectors_per_block;
 
 	unsigned char mode;
-	bool suspending;
+	int suspending;
 
 	int failed;
 
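Review bot: the widened `int suspending` in struct dm_integrity_c needs a comment saying why it is not a bool (byte stores are not atomic on early Alpha and would rewrite the neighbouring `failed`), otherwise a later cleanup will turn it back. The `unsigned char mode` field directly above is still byte-sized; if it is ever written after construction the same read-modify-write concern applies to it, so either note in the comment that it is set only once or widen it as well.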
@@ -2210,7 +2210,7 @@ static void dm_integrity_postsuspend(str
 
 	del_timer_sync(&ic->autocommit_timer);
 
-	ic->suspending = true;
+	WRITE_ONCE(ic->suspending, 1);
 
 	queue_work(ic->commit_wq, &ic->commit_work);
 	drain_workqueue(ic->commit_wq);
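Review bot: WRITE_ONCE(ic->suspending, 1) in dm_integrity_postsuspend() is only half of a pairing. The diffstat's three changed lines are the declaration and the two stores, so every reader of ic->suspending is still a plain load. Convert the readers to READ_ONCE(ic->suspending) in the same patch so the annotation is consistent on both sides.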
@@ -2220,7 +2220,7 @@ static void dm_integrity_postsuspend(str
 		dm_integrity_flush_buffers(ic);
 	}
 
-	ic->suspending = false;
+	WRITE_ONCE(ic->suspending, 0);
 
 	BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress));
 
- * [PATCH 4.18 056/145] dm thin: stop no_space_timeout worker when switching to write-mode
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 055/145] dm integrity: change suspending variable from bool to int Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 057/145] dm cache metadata: save in-core policy_hint_size to on-disk superblock Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hou Tao, Mike Snitzer
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Hou Tao <houtao1@huawei.com>
commit 75294442d896f2767be34f75aca7cc2b0d01301f upstream.
Now both check_for_space() and do_no_space_timeout() will read & write
pool->pf.error_if_no_space.  If these functions run concurrently, as
shown in the following case, the default setting of "queue_if_no_space"
can get lost.
precondition:
    * error_if_no_space = false (aka "queue_if_no_space")
    * pool is in Out-of-Data-Space (OODS) mode
    * no_space_timeout worker has been queued
CPU 0:                          CPU 1:
// delete a thin device
process_delete_mesg()
// check_for_space() invoked by commit()
set_pool_mode(pool, PM_WRITE)
    pool->pf.error_if_no_space = \
     pt->requested_pf.error_if_no_space
				// timeout, pool is still in OODS mode
				do_no_space_timeout
				    // "queue_if_no_space" config is lost
				    pool->pf.error_if_no_space = true
    pool->pf.mode = new_mode
Fix it by stopping no_space_timeout worker when switching to write mode.
Fixes: bcc696fac11f ("dm thin: stay in out-of-data-space mode once no_space_timeout expires")
Cc: stable@vger.kernel.org
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-thin.c |    2 ++
 1 file changed, 2 insertions(+)
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -2520,6 +2520,8 @@ static void set_pool_mode(struct pool *p
 	case PM_WRITE:
 		if (old_mode != new_mode)
 			notify_of_pool_mode_change(pool, "write");
+		if (old_mode == PM_OUT_OF_DATA_SPACE)
+			cancel_delayed_work_sync(&pool->no_space_timeout);
 		pool->out_of_data_space = false;
 		pool->pf.error_if_no_space = pt->requested_pf.error_if_no_space;
 		dm_pool_metadata_read_write(pool->pmd);
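Review bot: cancel_delayed_work_sync(&pool->no_space_timeout) in the PM_WRITE case blocks until a running do_no_space_timeout() returns, so this case must never be reached from that worker itself or with a lock held that the worker also takes. Please confirm that for the callers of set_pool_mode(), and add a comment above the cancel explaining that it has to precede the `pool->pf.error_if_no_space = pt->requested_pf.error_if_no_space` assignment two lines below so the worker cannot overwrite the restored value.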
- * [PATCH 4.18 057/145] dm cache metadata: save in-core policy_hint_size to on-disk superblock
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 056/145] dm thin: stop no_space_timeout worker when switching to write-mode Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 058/145] dm cache metadata: set dirty on all cache blocks after a crash Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Snitzer
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@redhat.com>
commit fd2fa95416188a767a63979296fa3e169a9ef5ec upstream.
policy_hint_size starts as 0 during __write_initial_superblock().  It
isn't until the policy is loaded that policy_hint_size is set in-core
(cmd->policy_hint_size).  But it never got recorded in the on-disk
superblock because __commit_transaction() didn't deal with transferring
the in-core cmd->policy_hint_size to the on-disk superblock.
The in-core cmd->policy_hint_size gets initialized by metadata_open()'s
__begin_transaction_flags() which re-reads all superblock fields.
Because the superblock's policy_hint_size was never properly stored, when
the cache was created, hints_array_available() would always return false
when re-activating a previously created cache.  This means
__load_mappings() always considered the hints invalid and never made use
of the hints (these hints served to optimize).
Another detrimental side-effect of this oversight is the cache_check
utility would fail with: "invalid hint width: 0"
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-cache-metadata.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -363,7 +363,7 @@ static int __write_initial_superblock(st
 	disk_super->version = cpu_to_le32(cmd->version);
 	memset(disk_super->policy_name, 0, sizeof(disk_super->policy_name));
 	memset(disk_super->policy_version, 0, sizeof(disk_super->policy_version));
-	disk_super->policy_hint_size = 0;
+	disk_super->policy_hint_size = cpu_to_le32(0);
 
 	__copy_sm_root(cmd, disk_super);
 
@@ -701,6 +701,7 @@ static int __commit_transaction(struct d
 	disk_super->policy_version[0] = cpu_to_le32(cmd->policy_version[0]);
 	disk_super->policy_version[1] = cpu_to_le32(cmd->policy_version[1]);
 	disk_super->policy_version[2] = cpu_to_le32(cmd->policy_version[2]);
+	disk_super->policy_hint_size = cpu_to_le32(cmd->policy_hint_size);
 
 	disk_super->read_hits = cpu_to_le32(cmd->stats.read_hits);
 	disk_super->read_misses = cpu_to_le32(cmd->stats.read_misses);
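Review bot: the new `disk_super->policy_hint_size` store in __commit_transaction() changes what an existing cache's superblock holds after its first commit on a fixed kernel, and the message does not say what happens to hint data written while the on-disk size was still 0. State whether hints from such a cache are trusted or rebuilt once the size becomes nonzero. The message also carries no Fixes: tag, so the range of stable trees that need this change is not recorded.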
- * [PATCH 4.18 058/145] dm cache metadata: set dirty on all cache blocks after a crash
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 057/145] dm cache metadata: save in-core policy_hint_size to on-disk superblock Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 059/145] dm crypt: dont decrease device limits Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ilya Dryomov, Mike Snitzer
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 5b1fe7bec8a8d0cc547a22e7ddc2bd59acd67de4 upstream.
Quoting Documentation/device-mapper/cache.txt:
  The 'dirty' state for a cache block changes far too frequently for us
  to keep updating it on the fly.  So we treat it as a hint.  In normal
  operation it will be written when the dm device is suspended.  If the
  system crashes all cache blocks will be assumed dirty when restarted.
This got broken in commit f177940a8091 ("dm cache metadata: switch to
using the new cursor api for loading metadata") in 4.9, which removed
the code that consulted cmd->clean_when_opened (CLEAN_SHUTDOWN on-disk
flag) when loading cache blocks.  This results in data corruption on an
unclean shutdown with dirty cache blocks on the fast device.  After the
crash those blocks are considered clean and may get evicted from the
cache at any time.  This can be demonstrated by doing a lot of reads
to trigger individual evictions, but uncache is more predictable:
  ### Disable auto-activation in lvm.conf to be able to do uncache in
  ### time (i.e. see uncache doing flushing) when the fix is applied.
  # xfs_io -d -c 'pwrite -b 4M -S 0xaa 0 1G' /dev/vdb
  # vgcreate vg_cache /dev/vdb /dev/vdc
  # lvcreate -L 1G -n lv_slowdev vg_cache /dev/vdb
  # lvcreate -L 512M -n lv_cachedev vg_cache /dev/vdc
  # lvcreate -L 256M -n lv_metadev vg_cache /dev/vdc
  # lvconvert --type cache-pool --cachemode writeback vg_cache/lv_cachedev --poolmetadata vg_cache/lv_metadev
  # lvconvert --type cache vg_cache/lv_slowdev --cachepool vg_cache/lv_cachedev
  # xfs_io -d -c 'pwrite -b 4M -S 0xbb 0 512M' /dev/mapper/vg_cache-lv_slowdev
  # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
  0fe00000:  bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  0fe00010:  bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  # dmsetup status vg_cache-lv_slowdev
  0 2097152 cache 8 27/65536 128 8192/8192 1 100 0 0 0 8192 7065 2 metadata2 writeback 2 migration_threshold 2048 smq 0 rw -
                                                            ^^^^
                                7065 * 64k = 441M yet to be written to the slow device
  # echo b >/proc/sysrq-trigger
  # vgchange -ay vg_cache
  # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
  0fe00000:  bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  0fe00010:  bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  # lvconvert --uncache vg_cache/lv_slowdev
  Flushing 0 blocks for cache vg_cache/lv_slowdev.
  Logical volume "lv_cachedev" successfully removed
  Logical volume vg_cache/lv_slowdev is not cached.
  # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
  0fe00000:  aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa  ................
  0fe00010:  aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa  ................
This is the case with both v1 and v2 cache pool metadata formats.
After applying this patch:
  # vgchange -ay vg_cache
  # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
  0fe00000:  bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  0fe00010:  bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  # lvconvert --uncache vg_cache/lv_slowdev
  Flushing 3724 blocks for cache vg_cache/lv_slowdev.
  ...
  Flushing 71 blocks for cache vg_cache/lv_slowdev.
  Logical volume "lv_cachedev" successfully removed
  Logical volume vg_cache/lv_slowdev is not cached.
  # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2
  0fe00000:  bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  0fe00010:  bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
Cc: stable@vger.kernel.org
Fixes: f177940a8091 ("dm cache metadata: switch to using the new cursor api for loading metadata")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-cache-metadata.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1323,6 +1323,7 @@ static int __load_mapping_v1(struct dm_c
 
 	dm_oblock_t oblock;
 	unsigned flags;
+	bool dirty = true;
 
 	dm_array_cursor_get_value(mapping_cursor, (void **) &mapping_value_le);
 	memcpy(&mapping, mapping_value_le, sizeof(mapping));
@@ -1333,8 +1334,10 @@ static int __load_mapping_v1(struct dm_c
 			dm_array_cursor_get_value(hint_cursor, (void **) &hint_value_le);
 			memcpy(&hint, hint_value_le, sizeof(hint));
 		}
+		if (cmd->clean_when_opened)
+			dirty = flags & M_DIRTY;
 
-		r = fn(context, oblock, to_cblock(cb), flags & M_DIRTY,
+		r = fn(context, oblock, to_cblock(cb), dirty,
 		       le32_to_cpu(hint), hints_valid);
 		if (r) {
 			DMERR("policy couldn't load cache block %llu",
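Review bot: `bool dirty = true` with the override under `if (cmd->clean_when_opened)` in __load_mapping_v1() encodes the rule quoted from cache.txt, yet the code carries no comment, and the commit message says this very check was already dropped once by f177940a8091. Add a short comment at the `if` stating that after an unclean shutdown every block is treated as dirty, so the next refactor keeps it. Writing the assignment as `dirty = !!(flags & M_DIRTY)` would also make the conversion from a flag mask to bool explicit.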
@@ -1362,7 +1365,7 @@ static int __load_mapping_v2(struct dm_c
 
 	dm_oblock_t oblock;
 	unsigned flags;
-	bool dirty;
+	bool dirty = true;
 
 	dm_array_cursor_get_value(mapping_cursor, (void **) &mapping_value_le);
 	memcpy(&mapping, mapping_value_le, sizeof(mapping));
@@ -1373,8 +1376,9 @@ static int __load_mapping_v2(struct dm_c
 			dm_array_cursor_get_value(hint_cursor, (void **) &hint_value_le);
 			memcpy(&hint, hint_value_le, sizeof(hint));
 		}
+		if (cmd->clean_when_opened)
+			dirty = dm_bitset_cursor_get_value(dirty_cursor);
 
-		dirty = dm_bitset_cursor_get_value(dirty_cursor);
 		r = fn(context, oblock, to_cblock(cb), dirty,
 		       le32_to_cpu(hint), hints_valid);
 		if (r) {
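Review bot: in __load_mapping_v2() the dirty bitset is now read only when cmd->clean_when_opened is set; please confirm that skipping dm_bitset_cursor_get_value(dirty_cursor) on the unclean path does not leave dirty_cursor out of step with the mapping cursor for later entries. The v1 and v2 loaders now duplicate the same default-and-override logic, which a small shared helper would keep in one place.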
- * [PATCH 4.18 059/145] dm crypt: dont decrease device limits
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 058/145] dm cache metadata: set dirty on all cache blocks after a crash Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 060/145] dm writecache: fix a crash due to reading past end of dirty_bitmap Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit bc9e9cf0401f18e33b78d4c8a518661b8346baf7 upstream.
dm-crypt should only increase device limits, it should not decrease them.
This fixes a bug where the user could create a crypt device with 1024
sector size on the top of scsi device that had 4096 logical block size.
The limit 4096 would be lost and the user could incorrectly send
1024-I/Os to the crypt device.
Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-crypt.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -3069,11 +3069,11 @@ static void crypt_io_hints(struct dm_tar
 	 */
 	limits->max_segment_size = PAGE_SIZE;
 
-	if (cc->sector_size != (1 << SECTOR_SHIFT)) {
-		limits->logical_block_size = cc->sector_size;
-		limits->physical_block_size = cc->sector_size;
-		blk_limits_io_min(limits, cc->sector_size);
-	}
+	limits->logical_block_size =
+		max_t(unsigned short, limits->logical_block_size, cc->sector_size);
+	limits->physical_block_size =
+		max_t(unsigned, limits->physical_block_size, cc->sector_size);
+	limits->io_min = max_t(unsigned, limits->io_min, cc->sector_size);
 }
 
 static struct target_type crypt_target = {
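Review bot: the three max_t() calls in crypt_io_hints() use different cast types (`unsigned short` for logical_block_size, `unsigned` for the other two), and max_t() casts both operands before comparing, so a cc->sector_size wider than the cast type would be truncated silently. Confirm the declared type of cc->sector_size against each cast. The old code set the minimum I/O size through blk_limits_io_min(), while the new code assigns limits->io_min directly; the commit message should say why the helper is bypassed.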
- * [PATCH 4.18 060/145] dm writecache: fix a crash due to reading past end of dirty_bitmap
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 059/145] dm crypt: dont decrease device limits Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 062/145] Drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer() Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, edo.rus, Mikulas Patocka,
	Mike Snitzer
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 1e1132ea21da6d7be92a72195204379c819cb70b upstream.
wc->dirty_bitmap_size is in bytes so must multiply it by 8, not by
BITS_PER_LONG, to get number of bitmap_bits.
Fixes crash in find_next_bit() that was reported:
https://bugzilla.kernel.org/show_bug.cgi?id=200819
Reported-by: edo.rus@gmail.com
Fixes: 48debafe4f2f ("dm: add writecache target")
Cc: stable@vger.kernel.org # 4.18
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-writecache.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/md/dm-writecache.c
+++ b/drivers/md/dm-writecache.c
@@ -457,7 +457,7 @@ static void ssd_commit_flushed(struct dm
 		COMPLETION_INITIALIZER_ONSTACK(endio.c),
 		ATOMIC_INIT(1),
 	};
-	unsigned bitmap_bits = wc->dirty_bitmap_size * BITS_PER_LONG;
+	unsigned bitmap_bits = wc->dirty_bitmap_size * 8;
 	unsigned i = 0;
 
 	while (1) {
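Review bot: the literal 8 in `wc->dirty_bitmap_size * 8` is the fix, but as a bare number it invites the same unit mistake again; use BITS_PER_BYTE and add a comment that dirty_bitmap_size is counted in bytes. bitmap_bits is a plain `unsigned`, so it is also worth stating the largest dirty_bitmap_size for which this multiplication cannot wrap.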
- * [PATCH 4.18 062/145] Drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 060/145] dm writecache: fix a crash due to reading past end of dirty_bitmap Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 063/145] Drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dexuan Cui, Stephen Hemminger,
	K. Y. Srinivasan
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dexuan Cui <decui@microsoft.com>
commit 50229128727f7e11840ca1b2b501f880818d56b6 upstream.
I didn't really hit a real bug, but just happened to spot the bug:
we have decreased the counter at the beginning of vmbus_process_offer(),
so we mustn't decrease it again.
Fixes: 6f3d791f3006 ("Drivers: hv: vmbus: Fix rescind handling issues")
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Cc: stable@vger.kernel.org
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Stable <stable@vger.kernel.org> # 4.14 and above
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hv/channel_mgmt.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -527,10 +527,8 @@ static void vmbus_process_offer(struct v
 		struct hv_device *dev
 			= newchannel->primary_channel->device_obj;
 
-		if (vmbus_add_channel_kobj(dev, newchannel)) {
-			atomic_dec(&vmbus_connection.offer_in_progress);
+		if (vmbus_add_channel_kobj(dev, newchannel))
 			goto err_free_chan;
-		}
 
 		if (channel->sc_creation_callback != NULL)
 			channel->sc_creation_callback(newchannel);
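Review bot: removing the atomic_dec() before `goto err_free_chan` can only be verified by reading the top of vmbus_process_offer(), which this hunk does not show. Add a comment on this error path, or at the err_free_chan label, that vmbus_connection.offer_in_progress has already been decremented, so the extra decrement is not reintroduced by a later change.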
- * [PATCH 4.18 063/145] Drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 062/145] Drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer() Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 064/145] iio: sca3000: Fix missing return in switch Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dexuan Cui, Michael Kelley,
	K. Y. Srinivasan, Stephen Hemminger
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dexuan Cui <decui@microsoft.com>
commit d3b26dd7cb0e3433bfd3c1d4dcf74c6039bb49fb upstream.
Before setting channel->rescind in vmbus_rescind_cleanup(), we should make
sure the channel callback won't run any more, otherwise a high-level
driver like pci_hyperv, which may be infinitely waiting for the host VSP's
response and notices the channel has been rescinded, can't safely give
up: e.g., in hv_pci_protocol_negotiation() -> wait_for_response(), it's
unsafe to exit from wait_for_response() and proceed with the on-stack
variable "comp_pkt" popped. The issue was originally spotted by
Michael Kelley <mikelley@microsoft.com>.
In vmbus_close_internal(), the patch also minimizes the range protected by
disabling/enabling channel->callback_event: we don't really need that for
the whole function.
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Cc: stable@vger.kernel.org
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hv/channel.c      |   40 ++++++++++++++++++++++++----------------
 drivers/hv/channel_mgmt.c |    6 ++++++
 include/linux/hyperv.h    |    2 ++
 3 files changed, 32 insertions(+), 16 deletions(-)
--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
@@ -558,11 +558,8 @@ static void reset_channel_cb(void *arg)
 	channel->onchannel_callback = NULL;
 }
 
-static int vmbus_close_internal(struct vmbus_channel *channel)
+void vmbus_reset_channel_cb(struct vmbus_channel *channel)
 {
-	struct vmbus_channel_close_channel *msg;
-	int ret;
-
 	/*
 	 * vmbus_on_event(), running in the per-channel tasklet, can race
 	 * with vmbus_close_internal() in the case of SMP guest, e.g., when
@@ -572,6 +569,29 @@ static int vmbus_close_internal(struct v
 	 */
 	tasklet_disable(&channel->callback_event);
 
+	channel->sc_creation_callback = NULL;
+
+	/* Stop the callback asap */
+	if (channel->target_cpu != get_cpu()) {
+		put_cpu();
+		smp_call_function_single(channel->target_cpu, reset_channel_cb,
+					 channel, true);
+	} else {
+		reset_channel_cb(channel);
+		put_cpu();
+	}
+
+	/* Re-enable tasklet for use on re-open */
+	tasklet_enable(&channel->callback_event);
+}
+
+static int vmbus_close_internal(struct vmbus_channel *channel)
+{
+	struct vmbus_channel_close_channel *msg;
+	int ret;
+
+	vmbus_reset_channel_cb(channel);
+
 	/*
 	 * In case a device driver's probe() fails (e.g.,
 	 * util_probe() -> vmbus_open() returns -ENOMEM) and the device is
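Review bot: the comment that now opens vmbus_reset_channel_cb() still says vmbus_on_event() can race with vmbus_close_internal(); after the split it describes the new function and its second caller as well, so reword it. vmbus_reset_channel_cb() is non-static and called from another file, so it also deserves a header comment stating that it waits in tasklet_disable() and in smp_call_function_single() with wait set, and therefore from which contexts it may be called.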
@@ -585,16 +605,6 @@ static int vmbus_close_internal(struct v
 	}
 
 	channel->state = CHANNEL_OPEN_STATE;
-	channel->sc_creation_callback = NULL;
-	/* Stop callback and cancel the timer asap */
-	if (channel->target_cpu != get_cpu()) {
-		put_cpu();
-		smp_call_function_single(channel->target_cpu, reset_channel_cb,
-					 channel, true);
-	} else {
-		reset_channel_cb(channel);
-		put_cpu();
-	}
 
 	/* Send a closing message */
 
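Review bot: the callback reset used to sit after `channel->state = CHANNEL_OPEN_STATE`, that is, after the block that ends just above that line, and now runs unconditionally at the top of vmbus_close_internal(). If that earlier block can jump to out:, sc_creation_callback and onchannel_callback are now cleared on that path too. The commit message only mentions narrowing the range covered by tasklet_disable(), so say explicitly that this reordering is intended.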
@@ -639,8 +649,6 @@ static int vmbus_close_internal(struct v
 		get_order(channel->ringbuffer_pagecount * PAGE_SIZE));
 
 out:
-	/* re-enable tasklet for use on re-open */
-	tasklet_enable(&channel->callback_event);
 	return ret;
 }
 
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -893,6 +893,12 @@ static void vmbus_onoffer_rescind(struct
 	}
 
 	/*
+	 * Before setting channel->rescind in vmbus_rescind_cleanup(), we
+	 * should make sure the channel callback is not running any more.
+	 */
+	vmbus_reset_channel_cb(channel);
+
+	/*
 	 * Now wait for offer handling to complete.
 	 */
 	vmbus_rescind_cleanup(channel);
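Review bot: vmbus_reset_channel_cb(channel) is called here ahead of vmbus_rescind_cleanup(), but it ends with tasklet_enable(&channel->callback_event), so the tasklet is live again by the time channel->rescind is set. The guarantee then rests entirely on onchannel_callback having been set to NULL; spell that out in the new comment, which currently only says the callback "is not running any more".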
--- a/include/linux/hyperv.h
+++ b/include/linux/hyperv.h
@@ -1046,6 +1046,8 @@ extern int vmbus_establish_gpadl(struct
 extern int vmbus_teardown_gpadl(struct vmbus_channel *channel,
 				     u32 gpadl_handle);
 
+void vmbus_reset_channel_cb(struct vmbus_channel *channel);
+
 extern int vmbus_recvpacket(struct vmbus_channel *channel,
 				  void *buffer,
 				  u32 bufferlen,
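Review bot: the vmbus_reset_channel_cb() prototype is added without `extern`, unlike the declarations on either side of it, and it lands in include/linux/hyperv.h although both callers in this patch live under drivers/hv. Match the surrounding style, and consider a header private to drivers/hv unless other drivers are meant to call it.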
- * [PATCH 4.18 064/145] iio: sca3000: Fix missing return in switch
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 063/145] Drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 065/145] iio: ad9523: Fix displayed phase Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron, Gustavo A. R. Silva,
	Stable, Jonathan Cameron
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavo@embeddedor.com>
commit c5b974bee9d2ceae4c441ae5a01e498c2674e100 upstream.
The IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY case is missing a
return and will fall through to the default case and erroneously
return -EINVAL.
Fix this by adding in missing *return ret*.
Fixes: 626f971b5b07 ("staging:iio:accel:sca3000 Add write support to the low pass filter control")
Reported-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/accel/sca3000.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -797,6 +797,7 @@ static int sca3000_write_raw(struct iio_
 		mutex_lock(&st->lock);
 		ret = sca3000_write_3db_freq(st, val);
 		mutex_unlock(&st->lock);
+		return ret;
 	default:
 		return -EINVAL;
 	}
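Review bot: `return ret;` after mutex_unlock() closes this fall-through, but the commit message does not say whether the other cases of the switch in sca3000_write_raw() were checked for the same omission. Note that in the message, and consider building the driver with -Wimplicit-fallthrough so a missing return in a later case is reported by the compiler rather than by a user seeing -EINVAL on a successful write.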
- * [PATCH 4.18 065/145] iio: ad9523: Fix displayed phase
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 064/145] iio: sca3000: Fix missing return in switch Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 066/145] iio: ad9523: Fix return value for ad952x_store() Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen,
	Alexandru Ardelean, Stable, Jonathan Cameron
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e upstream.
Fix the displayed phase for the ad9523 driver. Currently the most
significant decimal place is dropped and all other digits are shifted one
to the left. This is due to a multiplication by 10, which is not necessary,
so remove it.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Fixes: cd1678f9632 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/frequency/ad9523.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/frequency/ad9523.c
+++ b/drivers/iio/frequency/ad9523.c
@@ -642,7 +642,7 @@ static int ad9523_read_raw(struct iio_de
 		code = (AD9523_CLK_DIST_DIV_PHASE_REV(ret) * 3141592) /
 			AD9523_CLK_DIST_DIV_REV(ret);
 		*val = code / 1000000;
-		*val2 = (code % 1000000) * 10;
+		*val2 = code % 1000000;
 		return IIO_VAL_INT_PLUS_MICRO;
 	default:
 		return -EINVAL;
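Review bot: the constants 3141592 and 1000000 around the corrected `*val2 = code % 1000000` line are unexplained; a short comment that code is the phase in micro-units of pi radians and that IIO_VAL_INT_PLUS_MICRO expects val2 in millionths would make the removed `* 10` obviously wrong to the next reader. Separately, the Fixes: tag in this message cites cd1678f9632 (11 hex digits), while the following patch in the series cites cd1678f96329 for the same commit; use the 12-digit form in both.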
- * [PATCH 4.18 066/145] iio: ad9523: Fix return value for ad952x_store()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 065/145] iio: ad9523: Fix displayed phase Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 067/145] extcon: Release locking when sending the notification of connector state Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen,
	Alexandru Ardelean, Stable, Jonathan Cameron
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 upstream.
A sysfs write callback function needs to either return the number of
consumed characters or an error.
The ad952x_store() function currently returns 0 if the input value was "0",
this will signal that no characters have been consumed and the function
will be called repeatedly in a loop indefinitely. Fix this by returning
number of supplied characters to indicate that the whole input string has
been consumed.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Fixes: cd1678f96329 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/frequency/ad9523.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/frequency/ad9523.c
+++ b/drivers/iio/frequency/ad9523.c
@@ -508,7 +508,7 @@ static ssize_t ad9523_store(struct devic
 		return ret;
 
 	if (!state)
-		return 0;
+		return len;
 
 	mutex_lock(&indio_dev->mlock);
 	switch ((u32)this_attr->address) {
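Review bot: the early "if (!state) return len;" path needs a comment saying that a write of 0 is deliberately accepted and ignored, since it returns success before mutex_lock() and the switch without touching the device. The subject and changelog also name ad952x_store(), while the hunk header shows the function is ad9523_store(); correcting that keeps the commit greppable.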
- * [PATCH 4.18 067/145] extcon: Release locking when sending the notification of connector state
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 066/145] iio: ad9523: Fix return value for ad952x_store() Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 068/145] eventpoll.h: wrap casts in () properly Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roger Quadros, Kishon Vijay Abraham I,
	Chanwoo Choi
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Chanwoo Choi <cw00.choi@samsung.com>
commit 8a9dbb779fe882325b9a0238494a7afaff2eb444 upstream.
Previously, extcon used the spinlock before calling the notifier_call_chain
to prevent the scheduled out of task and to prevent the notification delay.
When spinlock is locked for sending the notification, deadlock issue
occurred on the side of extcon consumer device. To fix this issue,
extcon consumer device should always use the work. It is always not
reasonable to use work.
To fix this issue on extcon consumer device, release locking when sending
the notification of connector state.
Fixes: ab11af049f88 ("extcon: Add the synchronization extcon APIs to support the notification")
Cc: stable@vger.kernel.org
Cc: Roger Quadros <rogerq@ti.com>
Cc: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/extcon/extcon.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/extcon/extcon.c
+++ b/drivers/extcon/extcon.c
@@ -433,8 +433,8 @@ int extcon_sync(struct extcon_dev *edev,
 		return index;
 
 	spin_lock_irqsave(&edev->lock, flags);
-
 	state = !!(edev->state & BIT(index));
+	spin_unlock_irqrestore(&edev->lock, flags);
 
 	/*
 	 * Call functions in a raw notifier chain for the specific one
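Review bot: with spin_unlock_irqrestore() placed right after the read of edev->state, the value in "state" is a snapshot that can be stale by the time the notifier chains run, and two concurrent extcon_sync() calls for the same index can deliver their notifications in either order. If consumers are expected to tolerate that, the comment above the notifier calls should say so; otherwise the callers need some other serialization.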
@@ -448,6 +448,7 @@ int extcon_sync(struct extcon_dev *edev,
 	 */
 	raw_notifier_call_chain(&edev->nh_all, state, edev);
 
+	spin_lock_irqsave(&edev->lock, flags);
 	/* This could be in interrupt handler */
 	prop_buf = (char *)get_zeroed_page(GFP_ATOMIC);
 	if (!prop_buf) {
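Review bot: the lock is re-taken before get_zeroed_page(GFP_ATOMIC), so the allocation runs with interrupts off under edev->lock although nothing on that line touches edev. Allocating prop_buf first and calling spin_lock_irqsave() afterwards would shorten the critical section; the !prop_buf error path would then have to be checked for a matching unlock.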
- * [PATCH 4.18 068/145] eventpoll.h: wrap casts in () properly
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 067/145] extcon: Release locking when sending the notification of connector state Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 069/145] vmw_balloon: fix inflation of 64-bit GFNs Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christopher Ferris, Elliott Hughes,
	Thomas Gleixner, Al Viro
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 45cd74cb5061781e793a098c420a7f548fdc9e7d upstream.
When importing the latest copy of the kernel headers into Bionic,
Christopher and Elliott noticed that the eventpoll.h casts were not
wrapped in ().  As it is, clang complains about macros without
surrounding (), so this makes it a pain for userspace tools.
So fix it up by adding another () pair, and make them line up purty by
using tabs.
Fixes: 65aaf87b3aa2 ("add EPOLLNVAL, annotate EPOLL... and event_poll->event")
Reported-by: Christopher Ferris <cferris@google.com>
Reported-by: Elliott Hughes <enh@google.com>
Cc: stable <stable@vger.kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/linux/eventpoll.h |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/include/uapi/linux/eventpoll.h
+++ b/include/uapi/linux/eventpoll.h
@@ -42,7 +42,7 @@
 #define EPOLLRDHUP	(__force __poll_t)0x00002000
 
 /* Set exclusive wakeup mode for the target file descriptor */
-#define EPOLLEXCLUSIVE (__force __poll_t)(1U << 28)
+#define EPOLLEXCLUSIVE	((__force __poll_t)(1U << 28))
 
 /*
  * Request the handling of system wakeup events so as to prevent system suspends
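Review bot: the context line at the top of this hunk, "#define EPOLLRDHUP (__force __poll_t)0x00002000", still has its cast unparenthesized, so the header stays inconsistent after the change and a tool that complains about macros without surrounding () may still complain there. Either wrap the plain-constant definitions the same way or state in the changelog why only the (1U << n) forms are touched.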
@@ -54,13 +54,13 @@
  *
  * Requires CAP_BLOCK_SUSPEND
  */
-#define EPOLLWAKEUP (__force __poll_t)(1U << 29)
+#define EPOLLWAKEUP	((__force __poll_t)(1U << 29))
 
 /* Set the One Shot behaviour for the target file descriptor */
-#define EPOLLONESHOT (__force __poll_t)(1U << 30)
+#define EPOLLONESHOT	((__force __poll_t)(1U << 30))
 
 /* Set the Edge Triggered behaviour for the target file descriptor */
-#define EPOLLET (__force __poll_t)(1U << 31)
+#define EPOLLET		((__force __poll_t)(1U << 31))
 
 /* 
  * On x86-64 make the 64bit structure have the same alignment as the
- * [PATCH 4.18 069/145] vmw_balloon: fix inflation of 64-bit GFNs
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 068/145] eventpoll.h: wrap casts in () properly Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 070/145] vmw_balloon: do not use 2MB without batching Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xavier Deguillard, Nadav Amit
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Nadav Amit <namit@vmware.com>
commit 09755690c6b7c1eabdc4651eb3b276f8feb1e447 upstream.
When balloon batching is not supported by the hypervisor, the guest
frame number (GFN) must fit in 32-bit. However, due to a bug, this check
was mistakenly ignored. In practice, when total RAM is greater than
16TB, the balloon does not work currently, making this bug unlikely to
happen.
Fixes: ef0f8f112984 ("VMware balloon: partially inline vmballoon_reserve_page.")
Cc: stable@vger.kernel.org
Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/vmw_balloon.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/misc/vmw_balloon.c
+++ b/drivers/misc/vmw_balloon.c
@@ -450,7 +450,7 @@ static int vmballoon_send_lock_page(stru
 
 	pfn32 = (u32)pfn;
 	if (pfn32 != pfn)
-		return -1;
+		return -EINVAL;
 
 	STATS_INC(b->stats.lock[false]);
 
@@ -460,7 +460,7 @@ static int vmballoon_send_lock_page(stru
 
 	pr_debug("%s - ppn %lx, hv returns %ld\n", __func__, pfn, status);
 	STATS_INC(b->stats.lock_fail[false]);
-	return 1;
+	return -EIO;
 }
 
 static int vmballoon_send_batched_lock(struct vmballoon *b,
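Review bot: vmballoon_send_lock_page() now returns -EINVAL or -EIO where it used to return -1 or 1, but the new convention (0 on success, negative errno otherwise) is not written down anywhere in these hunks. A comment above the function stating the return values, and whether *hv_status is set on the -EINVAL path, would make the "locked == -EIO" test in the caller self-explanatory.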
@@ -597,11 +597,12 @@ static int vmballoon_lock_page(struct vm
 
 	locked = vmballoon_send_lock_page(b, page_to_pfn(page), &hv_status,
 								target);
-	if (locked > 0) {
+	if (locked) {
 		STATS_INC(b->stats.refused_alloc[false]);
 
-		if (hv_status == VMW_BALLOON_ERROR_RESET ||
-				hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED) {
+		if (locked == -EIO &&
+		    (hv_status == VMW_BALLOON_ERROR_RESET ||
+		     hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED)) {
 			vmballoon_free_page(page, false);
 			return -EIO;
 		}
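Review bot: with the test relaxed to "if (locked)", STATS_INC(b->stats.refused_alloc[false]) is now also counted for the -EINVAL case, where the page failed the guest's own 32-bit PFN check rather than being refused by the hypervisor. If that counter is meant to track hypervisor refusals, it should be bumped only for -EIO.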
@@ -617,7 +618,7 @@ static int vmballoon_lock_page(struct vm
 		} else {
 			vmballoon_free_page(page, false);
 		}
-		return -EIO;
+		return locked;
 	}
 
 	/* track allocated page */
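Review bot: "return locked;" lets -EINVAL escape from vmballoon_lock_page(), which on this path previously returned only -EIO. The callers are not part of this patch; please confirm none of them compares the result against -EIO specifically.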
- * [PATCH 4.18 070/145] vmw_balloon: do not use 2MB without batching
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 069/145] vmw_balloon: fix inflation of 64-bit GFNs Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 071/145] vmw_balloon: VMCI_DOORBELL_SET does not check status Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xavier Deguillard, Nadav Amit
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Nadav Amit <namit@vmware.com>
commit 5081efd112560d3febb328e627176235b250d59d upstream.
If the hypervisor sets 2MB batching is on, while batching is cleared,
the balloon code breaks. In this case the legacy mechanism is used with
2MB page. The VM would report a 2MB page is ballooned, and the
hypervisor would only take the first 4KB.
While the hypervisor should not report such settings, make the code more
robust by not enabling 2MB support without batching.
Fixes: 365bd7ef7ec8e ("VMware balloon: Support 2m page ballooning.")
Cc: stable@vger.kernel.org
Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
Signed-off-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/vmw_balloon.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/misc/vmw_balloon.c
+++ b/drivers/misc/vmw_balloon.c
@@ -341,7 +341,13 @@ static bool vmballoon_send_start(struct
 		success = false;
 	}
 
-	if (b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS)
+	/*
+	 * 2MB pages are only supported with batching. If batching is for some
+	 * reason disabled, do not use 2MB pages, since otherwise the legacy
+	 * mechanism is used with 2MB pages, causing a failure.
+	 */
+	if ((b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS) &&
+	    (b->capabilities & VMW_BALLOON_BATCHED_CMDS))
 		b->supported_page_sizes = 2;
 	else
 		b->supported_page_sizes = 1;
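Review bot: when VMW_BALLOON_BATCHED_2M_CMDS is set without VMW_BALLOON_BATCHED_CMDS, the else branch drops to supported_page_sizes = 1 silently, although the changelog says the hypervisor should not report that combination. A pr_warn_once() (or at least pr_debug()) for that case would make a misbehaving host visible instead of only costing 2MB support.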
- * [PATCH 4.18 071/145] vmw_balloon: VMCI_DOORBELL_SET does not check status
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 070/145] vmw_balloon: do not use 2MB without batching Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 072/145] vmw_balloon: fix VMCI use when balloon built into kernel Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xavier Deguillard, Nadav Amit
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Nadav Amit <namit@vmware.com>
commit ce664331b2487a5d244a51cbdd8cb54f866fbe5d upstream.
When vmballoon_vmci_init() sets a doorbell using VMCI_DOORBELL_SET, for
some reason it does not consider the status and looks at the result.
However, the hypervisor does not update the result - it updates the
status. This might cause VMCI doorbell not to be enabled, resulting in
degraded performance.
Fixes: 48e3d668b790 ("VMware balloon: Enable notification via VMCI")
Cc: stable@vger.kernel.org
Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/vmw_balloon.c |   37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)
--- a/drivers/misc/vmw_balloon.c
+++ b/drivers/misc/vmw_balloon.c
@@ -1036,29 +1036,30 @@ static void vmballoon_vmci_cleanup(struc
  */
 static int vmballoon_vmci_init(struct vmballoon *b)
 {
-	int error = 0;
+	unsigned long error, dummy;
 
-	if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) != 0) {
-		error = vmci_doorbell_create(&b->vmci_doorbell,
-				VMCI_FLAG_DELAYED_CB,
-				VMCI_PRIVILEGE_FLAG_RESTRICTED,
-				vmballoon_doorbell, b);
-
-		if (error == VMCI_SUCCESS) {
-			VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET,
-					b->vmci_doorbell.context,
-					b->vmci_doorbell.resource, error);
-			STATS_INC(b->stats.doorbell_set);
-		}
-	}
+	if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) == 0)
+		return 0;
 
-	if (error != 0) {
-		vmballoon_vmci_cleanup(b);
+	error = vmci_doorbell_create(&b->vmci_doorbell, VMCI_FLAG_DELAYED_CB,
+				     VMCI_PRIVILEGE_FLAG_RESTRICTED,
+				     vmballoon_doorbell, b);
 
-		return -EIO;
-	}
+	if (error != VMCI_SUCCESS)
+		goto fail;
+
+	error = VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET, b->vmci_doorbell.context,
+				   b->vmci_doorbell.resource, dummy);
+
+	STATS_INC(b->stats.doorbell_set);
+
+	if (error != VMW_BALLOON_SUCCESS)
+		goto fail;
 
 	return 0;
+fail:
+	vmballoon_vmci_cleanup(b);
+	return -EIO;
 }
 
 /*
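Review bot: "error" is now an unsigned long that first receives the result of vmci_doorbell_create(), which the removed code stored in an int, and then the status of VMWARE_BALLOON_CMD(), so two different status spaces (VMCI_SUCCESS and VMW_BALLOON_SUCCESS) share one variable whose type suits only the second. Separate variables, an int for the VMCI call and an unsigned long for the balloon status, would avoid the implicit conversion. STATS_INC(b->stats.doorbell_set) also runs before the status check, so it counts attempts rather than successful sets.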
- * [PATCH 4.18 072/145] vmw_balloon: fix VMCI use when balloon built into kernel
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 071/145] vmw_balloon: VMCI_DOORBELL_SET does not check status Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:08 ` [PATCH 4.18 073/145] rtc: omap: fix resource leak in registration error path Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xavier Deguillard, Nadav Amit
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Nadav Amit <namit@vmware.com>
commit c3cc1b0fc27508da53fe955a3b23d03964410682 upstream.
Currently, when all modules, including VMCI and VMware balloon are built
into the kernel, the initialization of the balloon happens before the
VMCI is probed. As a result, the balloon fails to initialize the VMCI
doorbell, which it uses to get asynchronous requests for balloon size
changes.
The problem can be seen in the logs, in the form of the following
message:
	"vmw_balloon: failed to initialize vmci doorbell"
The driver would work correctly but slightly less efficiently, probing
for requests periodically. This patch changes the balloon to be
initialized using late_initcall() instead of module_init() to address
this issue. It does not address a situation in which VMCI is built as a
module and the balloon is built into the kernel.
Fixes: 48e3d668b790 ("VMware balloon: Enable notification via VMCI")
Cc: stable@vger.kernel.org
Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/vmw_balloon.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/misc/vmw_balloon.c
+++ b/drivers/misc/vmw_balloon.c
@@ -1297,7 +1297,14 @@ static int __init vmballoon_init(void)
 
 	return 0;
 }
-module_init(vmballoon_init);
+
+/*
+ * Using late_initcall() instead of module_init() allows the balloon to use the
+ * VMCI doorbell even when the balloon is built into the kernel. Otherwise the
+ * VMCI is probed only after the balloon is initialized. If the balloon is used
+ * as a module, late_initcall() is equivalent to module_init().
+ */
+late_initcall(vmballoon_init);
 
 static void __exit vmballoon_exit(void)
 {
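Review bot: the new comment above late_initcall(vmballoon_init) explains the built-in case but leaves out the limitation the changelog admits, namely that a built-in balloon with VMCI built as a module is still not handled. Adding that sentence to the comment keeps the known gap next to the code.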
- * [PATCH 4.18 073/145] rtc: omap: fix resource leak in registration error path
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 072/145] vmw_balloon: fix VMCI use when balloon built into kernel Greg Kroah-Hartman
@ 2018-09-07 21:08 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 074/145] rtc: omap: fix potential crash on power off Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Johan Hovold,
	Alexandre Belloni
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 551757eb052986ec81cebcc6301cc1c4f8dca938 upstream.
Make sure to deregister the pin controller in case rtc registration
fails.
Fixes: 57072758623f ("rtc: omap: switch to rtc_register_device")
Cc: stable <stable@vger.kernel.org>     # 4.14
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/rtc-omap.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/rtc/rtc-omap.c
+++ b/drivers/rtc/rtc-omap.c
@@ -880,12 +880,14 @@ static int omap_rtc_probe(struct platfor
 
 	ret = rtc_register_device(rtc->rtc);
 	if (ret)
-		goto err;
+		goto err_deregister_pinctrl;
 
 	rtc_nvmem_register(rtc->rtc, &omap_rtc_nvmem_config);
 
 	return 0;
 
+err_deregister_pinctrl:
+	pinctrl_unregister(rtc->pctldev);
 err:
 	clk_disable_unprepare(rtc->clk);
 	device_init_wakeup(&pdev->dev, false);
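Review bot: right after the changed goto, the context line "rtc_nvmem_register(rtc->rtc, &omap_rtc_nvmem_config);" discards its return value. If nvmem registration is meant to be optional, a comment should say so; if it is not, its failure needs to unwind through err_deregister_pinctrl as well.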
- * [PATCH 4.18 074/145] rtc: omap: fix potential crash on power off
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2018-09-07 21:08 ` [PATCH 4.18 073/145] rtc: omap: fix resource leak in registration error path Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 075/145] tracing: Do not call start/stop() functions when tracing_on does not change Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marcin Niestroj, Tony Lindgren,
	Johan Hovold, Alexandre Belloni
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 5c8b84f410b3819d14cb1ebf32e4b3714b5a6e0b upstream.
Do not set the system power-off callback and omap power-off rtc pointer
until we're done setting up our device to avoid leaving stale pointers
around after a late probe error.
Fixes: 97ea1906b3c2 ("rtc: omap: Support ext_wakeup configuration")
Cc: stable <stable@vger.kernel.org>     # 4.9
Cc: Marcin Niestroj <m.niestroj@grinn-global.com>
Cc: Tony Lindgren <tony@atomide.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Tony Lindgren <tony@atomide.com>
Reviewed-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/rtc-omap.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/rtc/rtc-omap.c
+++ b/drivers/rtc/rtc-omap.c
@@ -861,13 +861,6 @@ static int omap_rtc_probe(struct platfor
 			goto err;
 	}
 
-	if (rtc->is_pmic_controller) {
-		if (!pm_power_off) {
-			omap_rtc_power_off_rtc = rtc;
-			pm_power_off = omap_rtc_power_off;
-		}
-	}
-
 	/* Support ext_wakeup pinconf */
 	rtc_pinctrl_desc.name = dev_name(&pdev->dev);
 
@@ -884,6 +877,13 @@ static int omap_rtc_probe(struct platfor
 
 	rtc_nvmem_register(rtc->rtc, &omap_rtc_nvmem_config);
 
+	if (rtc->is_pmic_controller) {
+		if (!pm_power_off) {
+			omap_rtc_power_off_rtc = rtc;
+			pm_power_off = omap_rtc_power_off;
+		}
+	}
+
 	return 0;
 
 err_deregister_pinctrl:
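Review bot: the moved block has to remain the last step before "return 0" for the fix to hold, but nothing in the code says so. A one-line comment above "if (rtc->is_pmic_controller)" stating that the power-off hook may only be installed once no further probe step can fail would stop a later reordering from bringing the stale pointers back.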
- * [PATCH 4.18 075/145] tracing: Do not call start/stop() functions when tracing_on does not change
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 074/145] rtc: omap: fix potential crash on power off Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 076/145] tracing/blktrace: Fix to allow setting same value Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Erica Bugden, Steven Rostedt (VMware)
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Steven Rostedt (VMware) <rostedt@goodmis.org>
commit f143641bfef9a4a60c57af30de26c63057e7e695 upstream.
Currently, when one echo's in 1 into tracing_on, the current tracer's
"start()" function is executed, even if tracing_on was already one. This can
lead to strange side effects. One being that if the hwlat tracer is enabled,
and someone does "echo 1 > tracing_on" into tracing_on, the hwlat tracer's
start() function is called again which will recreate another kernel thread,
and make it unable to remove the old one.
Link: http://lkml.kernel.org/r/1533120354-22923-1-git-send-email-erica.bugden@linutronix.de
Cc: stable@vger.kernel.org
Fixes: 2df8f8a6a897e ("tracing: Fix regression with irqsoff tracer and tracing_on file")
Reported-by: Erica Bugden <erica.bugden@linutronix.de>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -7628,7 +7628,9 @@ rb_simple_write(struct file *filp, const
 
 	if (buffer) {
 		mutex_lock(&trace_types_lock);
-		if (val) {
+		if (!!val == tracer_tracing_is_on(tr)) {
+			val = 0; /* do nothing */
+		} else if (val) {
 			tracer_tracing_on(tr);
 			if (tr->current_trace->start)
 				tr->current_trace->start(tr);
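Review bot: "!!val == tracer_tracing_is_on(tr)" normalizes only the left-hand side, so the comparison is correct only if tracer_tracing_is_on() returns exactly 0 or 1; writing "!!val == !!tracer_tracing_is_on(tr)" removes that dependency. The "val = 0; /* do nothing */" assignment is also confusing, since it reads as if it feeds later logic; if val is not read after this block, an empty branch carrying the comment would be clearer.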
- * [PATCH 4.18 076/145] tracing/blktrace: Fix to allow setting same value
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 075/145] tracing: Do not call start/stop() functions when tracing_on does not change Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 077/145] printk/tracing: Do not trace printk_nmi_enter() Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Jens Axboe, linux-block,
	Masami Hiramatsu, Steven Rostedt (VMware)
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Steven Rostedt (VMware) <rostedt@goodmis.org>
commit 757d9140072054528b13bbe291583d9823cde195 upstream.
Masami Hiramatsu reported:
  Current trace-enable attribute in sysfs returns an error
  if user writes the same setting value as current one,
  e.g.
    # cat /sys/block/sda/trace/enable
    0
    # echo 0 > /sys/block/sda/trace/enable
    bash: echo: write error: Invalid argument
    # echo 1 > /sys/block/sda/trace/enable
    # echo 1 > /sys/block/sda/trace/enable
    bash: echo: write error: Device or resource busy
  But this is not a preferred behavior, it should ignore
  if new setting is same as current one. This fixes the
  problem as below.
    # cat /sys/block/sda/trace/enable
    0
    # echo 0 > /sys/block/sda/trace/enable
    # echo 1 > /sys/block/sda/trace/enable
    # echo 1 > /sys/block/sda/trace/enable
Link: http://lkml.kernel.org/r/20180816103802.08678002@gandalf.local.home
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: cd649b8bb830d ("blktrace: remove sysfs_blk_trace_enable_show/store()")
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/blktrace.c |    4 ++++
 1 file changed, 4 insertions(+)
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -1841,6 +1841,10 @@ static ssize_t sysfs_blk_trace_attr_stor
 	mutex_lock(&q->blk_trace_mutex);
 
 	if (attr == &dev_attr_enable) {
+		if (!!value == !!q->blk_trace) {
+			ret = 0;
+			goto out_unlock_bdev;
+		}
 		if (value)
 			ret = blk_trace_setup_queue(q, bdev);
 		else
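Review bot: the new early exit sets "ret = 0" and jumps to out_unlock_bdev, so it depends on the exit path, which is outside this hunk, turning a zero ret into the number of bytes written. A sysfs store that returns 0 gets called again in a loop, which is the failure patch 066 of this series fixes in ad9523, so please confirm that the tail after the label does that conversion.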
- * [PATCH 4.18 077/145] printk/tracing: Do not trace printk_nmi_enter()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 076/145] tracing/blktrace: Fix to allow setting same value Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 078/145] livepatch: Validate module/old func name length Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky, Petr Mladek,
	Steven Rostedt (VMware)
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Steven Rostedt (VMware) <rostedt@goodmis.org>
commit d1c392c9e2a301f38998a353f467f76414e38725 upstream.
I hit the following splat in my tests:
------------[ cut here ]------------
IRQs not enabled as expected
WARNING: CPU: 3 PID: 0 at kernel/time/tick-sched.c:982 tick_nohz_idle_enter+0x44/0x8c
Modules linked in: ip6t_REJECT nf_reject_ipv6 ip6table_filter ip6_tables ipv6
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.19.0-rc2-test+ #2
Hardware name: MSI MS-7823/CSM-H87M-G43 (MS-7823), BIOS V1.6 02/22/2014
EIP: tick_nohz_idle_enter+0x44/0x8c
Code: ec 05 00 00 00 75 26 83 b8 c0 05 00 00 00 75 1d 80 3d d0 36 3e c1 00
75 14 68 94 63 12 c1 c6 05 d0 36 3e c1 01 e8 04 ee f8 ff <0f> 0b 58 fa bb a0
e5 66 c1 e8 25 0f 04 00 64 03 1d 28 31 52 c1 8b
EAX: 0000001c EBX: f26e7f8c ECX: 00000006 EDX: 00000007
ESI: f26dd1c0 EDI: 00000000 EBP: f26e7f40 ESP: f26e7f38
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010296
CR0: 80050033 CR2: 0813c6b0 CR3: 2f342000 CR4: 001406f0
Call Trace:
 do_idle+0x33/0x202
 cpu_startup_entry+0x61/0x63
 start_secondary+0x18e/0x1ed
 startup_32_smp+0x164/0x168
irq event stamp: 18773830
hardirqs last  enabled at (18773829): [<c040150c>] trace_hardirqs_on_thunk+0xc/0x10
hardirqs last disabled at (18773830): [<c040151c>] trace_hardirqs_off_thunk+0xc/0x10
softirqs last  enabled at (18773824): [<c0ddaa6f>] __do_softirq+0x25f/0x2bf
softirqs last disabled at (18773767): [<c0416bbe>] call_on_stack+0x45/0x4b
---[ end trace b7c64aa79e17954a ]---
After a bit of debugging, I found what was happening. This would trigger
when performing "perf" with a high NMI interrupt rate, while enabling and
disabling function tracer. Ftrace uses breakpoints to convert the nops at
the start of functions to calls to the function trampolines. The breakpoint
traps disable interrupts and this makes calls into lockdep via the
trace_hardirqs_off_thunk in the entry.S code. What happens is the following:
  do_idle {
    [interrupts enabled]
    <interrupt> [interrupts disabled]
	TRACE_IRQS_OFF [lockdep says irqs off]
	[...]
	TRACE_IRQS_IRET
	    test if pt_regs say return to interrupts enabled [yes]
	    TRACE_IRQS_ON [lockdep says irqs are on]
	    <nmi>
		nmi_enter() {
		    printk_nmi_enter() [traced by ftrace]
		    [ hit ftrace breakpoint ]
		    <breakpoint exception>
			TRACE_IRQS_OFF [lockdep says irqs off]
			[...]
			TRACE_IRQS_IRET [return from breakpoint]
			   test if pt_regs say interrupts enabled [no]
			   [iret back to interrupt]
	   [iret back to code]
    tick_nohz_idle_enter() {
	lockdep_assert_irqs_enabled() [lockdep say no!]
Although interrupts are indeed enabled, lockdep thinks it is not, and since
we now do asserts via lockdep, it gives a false warning. The issue here is
that printk_nmi_enter() is called before lockdep_off(), which disables
lockdep (for this reason) in NMIs. By simply not allowing ftrace to see
printk_nmi_enter() (via notrace annotation) we keep lockdep from getting
confused.
Cc: stable@vger.kernel.org
Fixes: 42a0bb3f71383 ("printk/nmi: generic solution for safe printk in NMI")
Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/printk/printk_safe.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/printk/printk_safe.c
+++ b/kernel/printk/printk_safe.c
@@ -306,12 +306,12 @@ static __printf(1, 0) int vprintk_nmi(co
 	return printk_safe_log_store(s, fmt, args);
 }
 
-void printk_nmi_enter(void)
+void notrace printk_nmi_enter(void)
 {
 	this_cpu_or(printk_context, PRINTK_NMI_CONTEXT_MASK);
 }
 
-void printk_nmi_exit(void)
+void notrace printk_nmi_exit(void)
 {
 	this_cpu_and(printk_context, ~PRINTK_NMI_CONTEXT_MASK);
 }
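Review bot: the notrace annotations on printk_nmi_enter() and printk_nmi_exit() carry no comment, and the reason (printk_nmi_enter() runs before lockdep_off() on NMI entry, so an ftrace breakpoint there confuses lockdep's view of the irq state) exists only in the changelog. A short comment above each function would keep a later cleanup from dropping the annotation. The changelog also discusses only printk_nmi_enter(); it should say why printk_nmi_exit() gets the same treatment.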
- * [PATCH 4.18 078/145] livepatch: Validate module/old func name length
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 077/145] printk/tracing: Do not trace printk_nmi_enter() Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 079/145] uprobes: Use synchronize_rcu() not synchronize_sched() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kamalesh Babulal, Josh Poimboeuf,
	Jiri Kosina
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
commit 6e9df95b76cad18f7b217bdad7bb8a26d63b8c47 upstream.
livepatch module author can pass module name/old function name with more
than the defined character limit. With obj->name length greater than
MODULE_NAME_LEN, the livepatch module gets loaded but waits forever on
the module specified by obj->name to be loaded. It also populates a /sys
directory with an untruncated object name.
In the case of funcs->old_name length greater than KSYM_NAME_LEN, it
would not match against any of the symbol table entries. Instead loop
through the symbol table comparing them against a nonexisting function,
which can be avoided.
The same issues apply to misspelled/incorrect names. At least gatekeep
the modules with over the limit string length, by checking for their
length during livepatch module registration.
Cc: stable@vger.kernel.org
Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/livepatch/core.c |    6 ++++++
 1 file changed, 6 insertions(+)
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -678,6 +678,9 @@ static int klp_init_func(struct klp_obje
 	if (!func->old_name || !func->new_func)
 		return -EINVAL;
 
+	if (strlen(func->old_name) >= KSYM_NAME_LEN)
+		return -EINVAL;
+
 	INIT_LIST_HEAD(&func->stack_node);
 	func->patched = false;
 	func->transition = false;
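Review bot: the new check in klp_init_func() calls strlen() on func->old_name, which walks the whole string before the comparison against KSYM_NAME_LEN. Writing it as strnlen(func->old_name, KSYM_NAME_LEN) == KSYM_NAME_LEN gives the same result while bounding the scan to the limit being enforced.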
@@ -751,6 +754,9 @@ static int klp_init_object(struct klp_pa
 	if (!obj->funcs)
 		return -EINVAL;
 
+	if (klp_is_module(obj) && strlen(obj->name) >= MODULE_NAME_LEN)
+		return -EINVAL;
+
 	obj->patched = false;
 	obj->mod = NULL;
 
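Review bot: the over-long obj->name case in klp_init_object() returns the same bare -EINVAL as the !obj->funcs check just above it, so a patch author sees a failed registration with no hint that the name length was the cause. A pr_err() that names the limit (MODULE_NAME_LEN) before the return would make this diagnosable; the same applies to the KSYM_NAME_LEN check added to klp_init_func().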
- * [PATCH 4.18 079/145] uprobes: Use synchronize_rcu() not synchronize_sched()
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov,
	Steven Rostedt (VMware)
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Steven Rostedt (VMware) <rostedt@goodmis.org>
commit 016f8ffc48cb01d1e7701649c728c5d2e737d295 upstream.
While debugging another bug, I was looking at all the synchronize*()
functions being used in kernel/trace, and noticed that trace_uprobes was
using synchronize_sched(), with a comment to synchronize with
{u,ret}_probe_trace_func(). When looking at those functions, the data is
protected with "rcu_read_lock()" and not with "rcu_read_lock_sched()". This
is using the wrong synchronize_*() function.
Link: http://lkml.kernel.org/r/20180809160553.469e1e32@gandalf.local.home
Cc: stable@vger.kernel.org
Fixes: 70ed91c6ec7f8 ("tracing/uprobes: Support ftrace_event_file base multibuffer")
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_uprobe.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -952,7 +952,7 @@ probe_event_disable(struct trace_uprobe
 
 		list_del_rcu(&link->list);
 		/* synchronize with u{,ret}probe_trace_func */
-		synchronize_sched();
+		synchronize_rcu();
 		kfree(link);
 
 		if (!list_empty(&tu->tp.files))
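Review bot: the comment kept above the changed call, "synchronize with u{,ret}probe_trace_func", still does not say which read-side primitive those functions use. Extending it to state that the readers run under rcu_read_lock() would document why synchronize_rcu() is the matching grace-period wait before kfree(link).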
- * [PATCH 4.18 080/145] mfd: hi655x: Fix regmap area declared size for hi655x
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rafael David Tinoco, Lee Jones
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Rafael David Tinoco <rafael.tinoco@linaro.org>
commit 6afebb70ee7a4bde106dc1a875e7ac7997248f84 upstream.
Fixes https://bugs.linaro.org/show_bug.cgi?id=3903
LTP Functional tests have caused a bad paging request when triggering
the regmap_read_debugfs() logic of the device PMIC Hi6553 (reading
regmap/f8000000.pmic/registers file during read_all test):
Unable to handle kernel paging request at virtual address ffff0
[ffff00000984e000] pgd=0000000077ffe803, pud=0000000077ffd803,0
Internal error: Oops: 96000007 [#1] SMP
...
Hardware name: HiKey Development Board (DT)
...
Call trace:
 regmap_mmio_read8+0x24/0x40
 regmap_mmio_read+0x48/0x70
 _regmap_bus_reg_read+0x38/0x48
 _regmap_read+0x68/0x170
 regmap_read+0x50/0x78
 regmap_read_debugfs+0x1a0/0x308
 regmap_map_read_file+0x48/0x58
 full_proxy_read+0x68/0x98
 __vfs_read+0x48/0x80
 vfs_read+0x94/0x150
 SyS_read+0x6c/0xd8
 el0_svc_naked+0x30/0x34
Code: aa1e03e0 d503201f f9400280 8b334000 (39400000)
Investigations have shown that, when triggered by debugfs read()
handler, the mmio regmap logic was reading a bigger (16k) register area
than the one mapped by devm_ioremap_resource() during hi655x-pmic probe
time (4k).
This commit changes hi655x's max register, according to HW specs, to be
the same as the one declared in the pmic device in hi6220's dts, fixing
the issue.
Cc: <stable@vger.kernel.org> #v4.9 #v4.14 #v4.16 #v4.17
Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mfd/hi655x-pmic.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mfd/hi655x-pmic.c
+++ b/drivers/mfd/hi655x-pmic.c
@@ -49,7 +49,7 @@ static struct regmap_config hi655x_regma
 	.reg_bits = 32,
 	.reg_stride = HI655X_STRIDE,
 	.val_bits = 8,
-	.max_register = HI655X_BUS_ADDR(0xFFF),
+	.max_register = HI655X_BUS_ADDR(0x400) - HI655X_STRIDE,
 };
 
 static struct resource pwrkey_resources[] = {
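Review bot: the new .max_register value carries a bare 0x400 with nothing in the code tying it to the size of the region mapped at probe time, which the changelog gives as 4k. A named constant, or a short comment next to HI655X_BUS_ADDR(0x400) - HI655X_STRIDE stating that this is the last register inside the mapped area, would keep the two from drifting apart again.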
- * [PATCH 4.18 081/145] ovl: fix wrong use of impure dir cache in ovl_iterate()
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aditya Kali, Amir Goldstein,
	Miklos Szeredi
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Amir Goldstein <amir73il@gmail.com>
commit 67810693077afc1ebf9e1646af300436cb8103c2 upstream.
Only upper dir can be impure, but if we are in the middle of
iterating a lower real dir, dir could be copied up and marked
impure. We only want the impure cache if we started iterating
a real upper dir to begin with.
Aditya Kali reported that the following reproducer hits the
WARN_ON(!cache->refcount) in ovl_get_cache():
 docker run --rm drupal:8.5.4-fpm-alpine \
    sh -c 'cd /var/www/html/vendor/symfony && \
           chown -R www-data:www-data . && ls -l .'
Reported-by: Aditya Kali <adityakali@google.com>
Tested-by: Aditya Kali <adityakali@google.com>
Fixes: 4edb83bb1041 ('ovl: constant d_ino for non-merge dirs')
Cc: <stable@vger.kernel.org> # v4.14
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/overlayfs/readdir.c |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
--- a/fs/overlayfs/readdir.c
+++ b/fs/overlayfs/readdir.c
@@ -668,6 +668,21 @@ static int ovl_fill_real(struct dir_cont
 	return orig_ctx->actor(orig_ctx, name, namelen, offset, ino, d_type);
 }
 
+static bool ovl_is_impure_dir(struct file *file)
+{
+	struct ovl_dir_file *od = file->private_data;
+	struct inode *dir = d_inode(file->f_path.dentry);
+
+	/*
+	 * Only upper dir can be impure, but if we are in the middle of
+	 * iterating a lower real dir, dir could be copied up and marked
+	 * impure. We only want the impure cache if we started iterating
+	 * a real upper dir to begin with.
+	 */
+	return od->is_upper && ovl_test_flag(OVL_IMPURE, dir);
+
+}
+
 static int ovl_iterate_real(struct file *file, struct dir_context *ctx)
 {
 	int err;
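Review bot: style nit in the new ovl_is_impure_dir(): there is a stray blank line between the return statement and the closing brace, which should be dropped. The comment inside the helper explains why od->is_upper is tested, so the two call sites changed later in this patch do not need to repeat it.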
@@ -696,7 +711,7 @@ static int ovl_iterate_real(struct file
 		rdt.parent_ino = stat.ino;
 	}
 
-	if (ovl_test_flag(OVL_IMPURE, d_inode(dir))) {
+	if (ovl_is_impure_dir(file)) {
 		rdt.cache = ovl_cache_get_impure(&file->f_path);
 		if (IS_ERR(rdt.cache))
 			return PTR_ERR(rdt.cache);
@@ -727,7 +742,7 @@ static int ovl_iterate(struct file *file
 		 */
 		if (ovl_xino_bits(dentry->d_sb) ||
 		    (ovl_same_sb(dentry->d_sb) &&
-		     (ovl_test_flag(OVL_IMPURE, d_inode(dentry)) ||
+		     (ovl_is_impure_dir(file) ||
 		      OVL_TYPE_MERGE(ovl_path_type(dentry->d_parent))))) {
 			return ovl_iterate_real(file, ctx);
 		}
- * [PATCH 4.18 082/145] ACPICA: AML Parser: skip opcodes that open a scope upon parse failure
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeremy Linton, Erik Schmauss,
	Rafael J. Wysocki
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Erik Schmauss <erik.schmauss@intel.com>
commit 4a7c94c721074eafb27298d93dbcc339aa28e745 upstream.
This change skips the entire length of opcodes that open a scope
(Device, Scope, Processor, etc) if the creation of the op fails. The
failure could be caused by various errors including AE_ALREADY_EXISTS
and AE_NOT_FOUND.
Reported-by: Jeremy Linton <jeremy.linton@arm.com>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/acpica/psloop.c |   17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
--- a/drivers/acpi/acpica/psloop.c
+++ b/drivers/acpi/acpica/psloop.c
@@ -22,6 +22,7 @@
 #include "acdispat.h"
 #include "amlcode.h"
 #include "acconvert.h"
+#include "acnamesp.h"
 
 #define _COMPONENT          ACPI_PARSER
 ACPI_MODULE_NAME("psloop")
@@ -527,12 +528,18 @@ acpi_status acpi_ps_parse_loop(struct ac
 				if (ACPI_FAILURE(status)) {
 					return_ACPI_STATUS(status);
 				}
-				if (walk_state->opcode == AML_SCOPE_OP) {
+				if (acpi_ns_opens_scope
+				    (acpi_ps_get_opcode_info
+				     (walk_state->opcode)->object_type)) {
 					/*
-					 * If the scope op fails to parse, skip the body of the
-					 * scope op because the parse failure indicates that the
-					 * device may not exist.
+					 * If the scope/device op fails to parse, skip the body of
+					 * the scope op because the parse failure indicates that
+					 * the device may not exist.
 					 */
+					ACPI_ERROR((AE_INFO,
+						    "Skip parsing opcode %s",
+						    acpi_ps_get_opcode_name
+						    (walk_state->opcode)));
 					walk_state->parser_state.aml =
 					    walk_state->aml + 1;
 					walk_state->parser_state.aml =
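Review bot: the condition now covers every opcode whose object type opens a scope, but the rewritten comment still says "skip the body of the scope op" and "the device may not exist". Wording it as "an op that opens a scope" would match acpi_ns_opens_scope(), and the "Skip parsing opcode %s" message could say that the body is skipped because creating the op failed, so the log line explains itself.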
@@ -540,8 +547,6 @@ acpi_status acpi_ps_parse_loop(struct ac
 					    (&walk_state->parser_state);
 					walk_state->aml =
 					    walk_state->parser_state.aml;
-					ACPI_ERROR((AE_INFO,
-						    "Skipping Scope block"));
 				}
 
 				continue;
- * [PATCH 4.18 083/145] ACPICA: Clear status of all events when entering sleep states
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paul Menzel, Rafael J. Wysocki
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit f317c7dc12b73eb9d67fdae404563deb907dcfb7 upstream.
Commit fa85015c0d95 (ACPICA: Clear status of all events when entering
S5) made the sleep state entry code in ACPICA clear the status of all
ACPI events when entering S5 to fix a functional regression reported
against commit 18996f2db918 (ACPICA: Events: Stop unconditionally
clearing ACPI IRQs during suspend/resume).  However, it is reported
now that the regression also affects system states other than S5 on
some systems and causes them to wake up from sleep prematurely.
For this reason, make the code in question clear the status of all
ACPI events when entering all sleep states (in addition to S5) to
avoid the premature wakeups (this may cause some wakeup events to
be missed in theory, but the likelihood of that is small and the
change here simply restores the previous behavior of the code).
Fixes: 18996f2db918 (ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume)
Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
Cc: 4.17+ <stable@vger.kernel.org> # 4.17+: fa85015c0d95 ACPICA: Clear status ...
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/acpica/hwsleep.c |   11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
--- a/drivers/acpi/acpica/hwsleep.c
+++ b/drivers/acpi/acpica/hwsleep.c
@@ -56,14 +56,9 @@ acpi_status acpi_hw_legacy_sleep(u8 slee
 	if (ACPI_FAILURE(status)) {
 		return_ACPI_STATUS(status);
 	}
-	/*
-	 * If the target sleep state is S5, clear all GPEs and fixed events too
-	 */
-	if (sleep_state == ACPI_STATE_S5) {
-		status = acpi_hw_clear_acpi_status();
-		if (ACPI_FAILURE(status)) {
-			return_ACPI_STATUS(status);
-		}
+	status = acpi_hw_clear_acpi_status();
+	if (ACPI_FAILURE(status)) {
+		return_ACPI_STATUS(status);
 	}
 	acpi_gbl_system_awake_and_running = FALSE;
 
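Review bot: with the S5 condition gone, acpi_hw_clear_acpi_status() is called unconditionally, but the hunk also drops the only comment on that call. A short comment saying that all GPEs and fixed events are cleared on entry to every sleep state, to avoid the premature wakeups the changelog describes, should replace the removed one.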
- * [PATCH 4.18 084/145] drivers/block/zram/zram_drv.c: fix bug storing backing_dev
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Kalauskas, Minchan Kim,
	Sergey Senozhatsky, Andrew Morton, Linus Torvalds
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Peter Kalauskas <peskal@google.com>
commit c8bd134a4bddafe5917d163eea73873932c15e83 upstream.
The call to strlcpy in backing_dev_store is incorrect. It should take
the size of the destination buffer instead of the size of the source
buffer.  Additionally, ignore the newline character (\n) when reading
the new file_name buffer. This makes it possible to set the backing_dev
as follows:
	echo /dev/sdX > /sys/block/zram0/backing_dev
The reason it worked before was the fact that strlcpy() copies 'len - 1'
bytes, which is strlen(buf) - 1 in our case, so it accidentally didn't
copy the trailing new line symbol.  Which also means that "echo -n
/dev/sdX" most likely was broken.
Signed-off-by: Peter Kalauskas <peskal@google.com>
Link: http://lkml.kernel.org/r/20180813061623.GC64836@rodete-desktop-imager.corp.google.com
Acked-by: Minchan Kim <minchan@kernel.org>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: <stable@vger.kernel.org>    [4.14+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/zram/zram_drv.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -337,6 +337,7 @@ static ssize_t backing_dev_store(struct
 		struct device_attribute *attr, const char *buf, size_t len)
 {
 	char *file_name;
+	size_t sz;
 	struct file *backing_dev = NULL;
 	struct inode *inode;
 	struct address_space *mapping;
@@ -357,7 +358,11 @@ static ssize_t backing_dev_store(struct
 		goto out;
 	}
 
-	strlcpy(file_name, buf, len);
+	strlcpy(file_name, buf, PATH_MAX);
+	/* ignore trailing newline */
+	sz = strlen(file_name);
+	if (sz > 0 && file_name[sz - 1] == '\n')
+		file_name[sz - 1] = 0x00;
 
 	backing_dev = filp_open(file_name, O_RDWR|O_LARGEFILE, 0);
 	if (IS_ERR(backing_dev)) {
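Review bot: the return value of strlcpy(file_name, buf, PATH_MAX) is not checked, so input that does not fit is truncated without notice and the shortened path goes on to filp_open(). Comparing the return value against PATH_MAX and bailing out with an error would reject such input instead. Minor style point: file_name[sz - 1] = 0x00; is more conventionally written with '\0'.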
- * [PATCH 4.18 085/145] sched: idle: Avoid retaining the tick when it has been stopped
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra (Intel),
	Rafael J. Wysocki
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 7059b36636beab57c3c43c62104483e5449bee95 upstream.
If the tick has been stopped already, but the governor has not asked to
stop it (which it can do sometimes), the idle loop should invoke
tick_nohz_idle_stop_tick(), to let tick_nohz_stop_tick() take care
of this case properly.
Fixes: 554c8aa8ecad (sched: idle: Select idle state before stopping the tick)
Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/idle.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/sched/idle.c
+++ b/kernel/sched/idle.c
@@ -190,7 +190,7 @@ static void cpuidle_idle_call(void)
 		 */
 		next_state = cpuidle_select(drv, dev, &stop_tick);
 
-		if (stop_tick)
+		if (stop_tick || tick_nohz_tick_stopped())
 			tick_nohz_idle_stop_tick();
 		else
 			tick_nohz_idle_retain_tick();
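Review bot: the added tick_nohz_tick_stopped() test in cpuidle_idle_call() has no comment, and the code alone does not show why tick_nohz_idle_stop_tick() is called when the governor did not ask for it. A one-line comment saying that the tick may already be stopped here, and must then go through the stop path rather than tick_nohz_idle_retain_tick(), would help.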
- * [PATCH 4.18 086/145] cpuidle: menu: Handle stopped tick more aggressively
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leo Yan, Peter Zijlstra (Intel),
	Rafael J. Wysocki
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 5ef499cd571c293b74a30d77e7ef512edb6ded6b upstream.
Commit 87c9fe6ee495 (cpuidle: menu: Avoid selecting shallow states
with stopped tick) missed the case when the target residencies of
deep idle states of CPUs are above the tick boundary which may cause
the CPU to get stuck in a shallow idle state for a long time.
Say there are two CPU idle states available: one shallow, with the
target residency much below the tick boundary and one deep, with
the target residency significantly above the tick boundary.  In
that case, if the tick has been stopped already and the expected
next timer event is relatively far in the future, the governor will
assume the idle duration to be equal to TICK_USEC and it will select
the idle state for the CPU accordingly.  However, that will cause the
shallow state to be selected even though it would have been more
energy-efficient to select the deep one.
To address this issue, modify the governor to always use the time
till the closest timer event instead of the predicted idle duration
if the latter is less than the tick period length and the tick has
been stopped already.  Also make it extend the search for a matching
idle state if the tick is stopped to avoid settling on a shallow
state if deep states with target residencies above the tick period
length are available.
In addition, make it always indicate that the tick should be stopped
if it has been stopped already for consistency.
Fixes: 87c9fe6ee495 (cpuidle: menu: Avoid selecting shallow states with stopped tick)
Reported-by: Leo Yan <leo.yan@linaro.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpuidle/governors/menu.c |   36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)
--- a/drivers/cpuidle/governors/menu.c
+++ b/drivers/cpuidle/governors/menu.c
@@ -349,14 +349,12 @@ static int menu_select(struct cpuidle_dr
 		 * If the tick is already stopped, the cost of possible short
 		 * idle duration misprediction is much higher, because the CPU
 		 * may be stuck in a shallow idle state for a long time as a
-		 * result of it.  In that case say we might mispredict and try
-		 * to force the CPU into a state for which we would have stopped
-		 * the tick, unless a timer is going to expire really soon
-		 * anyway.
+		 * result of it.  In that case say we might mispredict and use
+		 * the known time till the closest timer event for the idle
+		 * state selection.
 		 */
 		if (data->predicted_us < TICK_USEC)
-			data->predicted_us = min_t(unsigned int, TICK_USEC,
-						   ktime_to_us(delta_next));
+			data->predicted_us = ktime_to_us(delta_next);
 	} else {
 		/*
 		 * Use the performance multiplier and the user-configurable
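Review bot: dropping min_t() from the predicted_us assignment also drops the explicit conversion to unsigned int, so data->predicted_us = ktime_to_us(delta_next); now relies on an implicit narrowing of the microsecond value. If predicted_us is an unsigned int, as the removed min_t(unsigned int, ...) suggests, a very distant next timer would wrap; please either clamp the value or state in the comment why delta_next cannot exceed that range.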
@@ -381,8 +379,22 @@ static int menu_select(struct cpuidle_dr
 			continue;
 		if (idx == -1)
 			idx = i; /* first enabled state */
-		if (s->target_residency > data->predicted_us)
-			break;
+		if (s->target_residency > data->predicted_us) {
+			if (!tick_nohz_tick_stopped())
+				break;
+
+			/*
+			 * If the state selected so far is shallow and this
+			 * state's target residency matches the time till the
+			 * closest timer event, select this one to avoid getting
+			 * stuck in the shallow one for too long.
+			 */
+			if (drv->states[idx].target_residency < TICK_USEC &&
+			    s->target_residency <= ktime_to_us(delta_next))
+				idx = i;
+
+			goto out;
+		}
 		if (s->exit_latency > latency_req) {
 			/*
 			 * If we break out of the loop for latency reasons, use
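Review bot: in the new tick-stopped branch, idx = i is assigned and followed by goto out before the s->exit_latency > latency_req test further down the loop body is reached for state i, so a deeper state can be picked without being checked against the latency requirement. If that is intended, say so in the comment; otherwise test exit_latency before promoting idx. The goto also skips the *stop_tick handling after the loop, which deserves a mention in the same comment.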
@@ -403,14 +415,13 @@ static int menu_select(struct cpuidle_dr
 	 * Don't stop the tick if the selected state is a polling one or if the
 	 * expected idle duration is shorter than the tick period length.
 	 */
-	if ((drv->states[idx].flags & CPUIDLE_FLAG_POLLING) ||
-	    expected_interval < TICK_USEC) {
+	if (((drv->states[idx].flags & CPUIDLE_FLAG_POLLING) ||
+	     expected_interval < TICK_USEC) && !tick_nohz_tick_stopped()) {
 		unsigned int delta_next_us = ktime_to_us(delta_next);
 
 		*stop_tick = false;
 
-		if (!tick_nohz_tick_stopped() && idx > 0 &&
-		    drv->states[idx].target_residency > delta_next_us) {
+		if (idx > 0 && drv->states[idx].target_residency > delta_next_us) {
 			/*
 			 * The tick is not going to be stopped and the target
 			 * residency of the state to be returned is not within
@@ -429,6 +440,7 @@ static int menu_select(struct cpuidle_dr
 		}
 	}
 
+out:
 	data->last_state_idx = idx;
 
 	return data->last_state_idx;
- * [PATCH 4.18 087/145] cpufreq: governor: Avoid accessing invalid governor_data
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Henry Willard, Rafael J. Wysocki
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Henry Willard <henry.willard@oracle.com>
commit 2a3eb51e30b9ac66fe1b75877627a7e4aaeca24a upstream.
If cppc_cpufreq.ko is deleted at the same time that tuned-adm is
changing profiles, there is a small chance that a race can occur
between cpufreq_dbs_governor_exit() and cpufreq_dbs_governor_limits()
resulting in a system failure when the latter tries to use
policy->governor_data that has been freed by the former.
This patch uses gov_dbs_data_mutex to synchronize access.
Fixes: e788892ba3cc (cpufreq: governor: Get rid of governor events)
Signed-off-by: Henry Willard <henry.willard@oracle.com>
[ rjw: Subject, minor white space adjustment ]
Cc: 4.8+ <stable@vger.kernel.org> # 4.8+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpufreq/cpufreq_governor.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/cpufreq/cpufreq_governor.c
+++ b/drivers/cpufreq/cpufreq_governor.c
@@ -555,12 +555,20 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
 
 void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
 {
-	struct policy_dbs_info *policy_dbs = policy->governor_data;
+	struct policy_dbs_info *policy_dbs;
+
+	/* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
+	mutex_lock(&gov_dbs_data_mutex);
+	policy_dbs = policy->governor_data;
+	if (!policy_dbs)
+		goto out;
 
 	mutex_lock(&policy_dbs->update_mutex);
 	cpufreq_policy_apply_limits(policy);
 	gov_update_sample_delay(policy_dbs, 0);
-
 	mutex_unlock(&policy_dbs->update_mutex);
+
+out:
+	mutex_unlock(&gov_dbs_data_mutex);
 }
 EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_limits);
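Review bot: the new comment says it protects gov->gdbs_data, but the code under gov_dbs_data_mutex reads policy->governor_data and no gov variable appears in this function; reword the comment to name policy->governor_data. It is also worth recording in that comment that gov_dbs_data_mutex is taken outside policy_dbs->update_mutex, so the lock ordering is on record for other callers.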
- * [PATCH 4.18 088/145] PM / sleep: wakeup: Fix build error caused by missing SRCU support
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, zhangyi (F), Rafael J. Wysocki
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: zhangyi (F) <yi.zhang@huawei.com>
commit 3df6f61fff49632492490fb6e42646b803a9958a upstream.
Commit ea0212f40c6 (power: auto select CONFIG_SRCU) made the code in
drivers/base/power/wakeup.c use SRCU instead of RCU, but it forgot to
select CONFIG_SRCU in Kconfig, which leads to the following build
error if CONFIG_SRCU is not selected somewhere else:
drivers/built-in.o: In function `wakeup_source_remove':
(.text+0x3c6fc): undefined reference to `synchronize_srcu'
drivers/built-in.o: In function `pm_print_active_wakeup_sources':
(.text+0x3c7a8): undefined reference to `__srcu_read_lock'
drivers/built-in.o: In function `pm_print_active_wakeup_sources':
(.text+0x3c84c): undefined reference to `__srcu_read_unlock'
drivers/built-in.o: In function `device_wakeup_arm_wake_irqs':
(.text+0x3d1d8): undefined reference to `__srcu_read_lock'
drivers/built-in.o: In function `device_wakeup_arm_wake_irqs':
(.text+0x3d228): undefined reference to `__srcu_read_unlock'
drivers/built-in.o: In function `device_wakeup_disarm_wake_irqs':
(.text+0x3d24c): undefined reference to `__srcu_read_lock'
drivers/built-in.o: In function `device_wakeup_disarm_wake_irqs':
(.text+0x3d29c): undefined reference to `__srcu_read_unlock'
drivers/built-in.o:(.data+0x4158): undefined reference to `process_srcu'
Fix this error by selecting CONFIG_SRCU when PM_SLEEP is enabled.
Fixes: ea0212f40c6 (power: auto select CONFIG_SRCU)
Cc: 4.2+ <stable@vger.kernel.org> # 4.2+
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
[ rjw: Minor subject/changelog fixups ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/power/Kconfig |    1 +
 1 file changed, 1 insertion(+)
--- a/kernel/power/Kconfig
+++ b/kernel/power/Kconfig
@@ -105,6 +105,7 @@ config PM_SLEEP
 	def_bool y
 	depends on SUSPEND || HIBERNATE_CALLBACKS
 	select PM
+	select SRCU
 
 config PM_SLEEP_SMP
 	def_bool y
- * [PATCH 4.18 089/145] ALSA: ac97: fix device initialization in the compat layer
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lihua Yao, Robert Jarzmik,
	Takashi Iwai
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Lihua Yao <ylhuajnu@163.com>
commit c7b8170790c19293acd835dc50b8247ec207d4a3 upstream.
ac97->dev is an object of 'struct device' type. It should be initialized
via device_initialize() or device_register().
Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
Signed-off-by: Lihua Yao <ylhuajnu@163.com>
Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/ac97/snd_ac97_compat.c |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
--- a/sound/ac97/snd_ac97_compat.c
+++ b/sound/ac97/snd_ac97_compat.c
@@ -15,6 +15,11 @@
 
 #include "ac97_core.h"
 
+static void compat_ac97_release(struct device *dev)
+{
+	kfree(to_ac97_t(dev));
+}
+
 static void compat_ac97_reset(struct snd_ac97 *ac97)
 {
 	struct ac97_codec_device *adev = to_ac97_device(ac97->private_data);
@@ -65,21 +70,31 @@ static struct snd_ac97_bus compat_soc_ac
 struct snd_ac97 *snd_ac97_compat_alloc(struct ac97_codec_device *adev)
 {
 	struct snd_ac97 *ac97;
+	int ret;
 
 	ac97 = kzalloc(sizeof(struct snd_ac97), GFP_KERNEL);
 	if (ac97 == NULL)
 		return ERR_PTR(-ENOMEM);
 
-	ac97->dev = adev->dev;
 	ac97->private_data = adev;
 	ac97->bus = &compat_soc_ac97_bus;
+
+	ac97->dev.parent = &adev->dev;
+	ac97->dev.release = compat_ac97_release;
+	dev_set_name(&ac97->dev, "%s-compat", dev_name(&adev->dev));
+	ret = device_register(&ac97->dev);
+	if (ret) {
+		put_device(&ac97->dev);
+		return ERR_PTR(ret);
+	}
+
 	return ac97;
 }
 EXPORT_SYMBOL_GPL(snd_ac97_compat_alloc);
 
 void snd_ac97_compat_release(struct snd_ac97 *ac97)
 {
-	kfree(ac97);
+	device_unregister(&ac97->dev);
 }
 EXPORT_SYMBOL_GPL(snd_ac97_compat_release);
 
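Review bot: the return value of dev_set_name() in snd_ac97_compat_alloc() is ignored, so a failed name allocation only surfaces indirectly as a device_register() error. Checking it right after the call (and freeing ac97 on failure, since the device is not yet initialized at that point) would keep the error path explicit. A comment on snd_ac97_compat_release() would also help: the structure is now freed by compat_ac97_release() when the last reference drops, so callers must not touch ac97 after device_unregister().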
- * [PATCH 4.18 090/145] ALSA: ac97: fix check of pm_runtime_get_sync failure
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 089/145] ALSA: ac97: fix device initialization in the compat layer Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 091/145] ALSA: ac97: fix unbalanced pm_runtime_enable Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lihua Yao, Robert Jarzmik,
	Takashi Iwai
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Lihua Yao <ylhuajnu@163.com>
commit d15ec0b482ff502e4e19e43d15aa5072e4290199 upstream.
pm_runtime_get_sync returns negative on failure.
Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
Signed-off-by: Lihua Yao <ylhuajnu@163.com>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/ac97/bus.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/ac97/bus.c
+++ b/sound/ac97/bus.c
@@ -503,7 +503,7 @@ static int ac97_bus_remove(struct device
 	int ret;
 
 	ret = pm_runtime_get_sync(dev);
-	if (ret)
+	if (ret < 0)
 		return ret;
 
 	ret = adrv->remove(adev);
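Review bot: the early "return ret" after a failed pm_runtime_get_sync() in ac97_bus_remove() leaves the runtime PM usage counter incremented, because pm_runtime_get_sync() bumps the count even when it returns an error. Consider calling pm_runtime_put_noidle(dev) before returning on the "ret < 0" path.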
- * [PATCH 4.18 091/145] ALSA: ac97: fix unbalanced pm_runtime_enable
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 090/145] ALSA: ac97: fix check of pm_runtime_get_sync failure Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 092/145] i2c: designware: Re-init controllers with pm_disabled set on resume Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lihua Yao, Robert Jarzmik,
	Takashi Iwai
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Lihua Yao <ylhuajnu@163.com>
commit 250ea7c5f56e350cdafebe6b87478b00db4f7af8 upstream.
Runtime PM is enabled at ac97_bus_probe() and should be disabled
at ac97_bus_remove().
Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
Signed-off-by: Lihua Yao <ylhuajnu@163.com>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/ac97/bus.c |    2 ++
 1 file changed, 2 insertions(+)
--- a/sound/ac97/bus.c
+++ b/sound/ac97/bus.c
@@ -511,6 +511,8 @@ static int ac97_bus_remove(struct device
 	if (ret == 0)
 		ac97_put_disable_clk(adev);
 
+	pm_runtime_disable(dev);
+
 	return ret;
 }
 
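Review bot: pm_runtime_disable(dev) at the end of ac97_bus_remove() runs even when ret is non-zero, while ac97_put_disable_clk(adev) just above it is skipped in that case. If the asymmetry is intended, a one-line comment saying so would help; otherwise the two calls should be gated the same way.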
- * [PATCH 4.18 092/145] i2c: designware: Re-init controllers with pm_disabled set on resume
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 091/145] ALSA: ac97: fix unbalanced pm_runtime_enable Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 093/145] KVM: VMX: fixes for vmentry_l1d_flush module parameter Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Andy Shevchenko,
	Jarkko Nikula, Wolfram Sang
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 9d9a152ebaa86a9dede4624919566483c955d0a7 upstream.
On Bay Trail and Cherry Trail devices we set the pm_disabled flag for I2C
busses which the OS shares with the PUNIT as these need special handling.
Until now we called dev_pm_syscore_device(dev, true) for I2C controllers
with this flag set to keep these I2C controllers always on.
After commit 12864ff8545f ("ACPI / LPSS: Avoid PM quirks on suspend and
resume from hibernation"), this no longer works. This commit modifies
lpss_iosf_exit_d3_state() to only run if lpss_iosf_enter_d3_state() has run
before it, so that it does not run on a resume from hibernate (or from S3).
On these systems the conditions for lpss_iosf_enter_d3_state() to run
never become true, so lpss_iosf_exit_d3_state() never gets called and
the 2 LPSS DMA controllers never get forced into D0 mode, instead they
are left in their default automatic power-on when needed mode.
The not forcing of D0 mode for the DMA controllers enables these systems
to properly enter S0ix modes, which is a good thing.
But after entering S0ix modes the I2C controller connected to the PMIC
no longer works, leading to e.g. broken battery monitoring.
The _PS3 method for this I2C controller looks like this:
            Method (_PS3, 0, NotSerialized)  // _PS3: Power State 3
            {
                If ((((PMID == 0x04) || (PMID == 0x05)) || (PMID == 0x06)))
                {
                    Return (Zero)
                }
                PSAT |= 0x03
                Local0 = PSAT /* \_SB_.I2C5.PSAT */
            }
Where PMID = 0x05, so we enter the Return (Zero) path on these systems.
So even if we were to not call dev_pm_syscore_device(dev, true) the
I2C controller will be left in D0 rather than be switched to D3.
Yet on other Bay and Cherry Trail devices S0ix is not entered unless *all*
I2C controllers are in D3 mode. This combined with the I2C controller no
longer working now that we reach S0ix states on these systems leads to me
believing that the PUNIT itself puts the I2C controller in D3 when all
other conditions for entering S0ix states are true.
Since now the I2C controller is put in D3 over a suspend/resume we must
re-initialize it afterwards and that does indeed fix it no longer working.
This commit implements this fix by:
1) Making the suspend_late callback a no-op if pm_disabled is set and
making the resume_early callback skip the clock re-enable (since it now was
not disabled) while still doing the necessary I2C controller re-init.
2) Removing the dev_pm_syscore_device(dev, true) call, so that the suspend
and resume callbacks are actually called. Normally this would cause the
ACPI pm code to call _PS3 putting the I2C controller in D3, wreaking havoc
since it is shared with the PUNIT, but in this special case the _PS3 method
is a no-op so we can safely allow a "fake" suspend / resume.
Fixes: 12864ff8545f ("ACPI / LPSS: Avoid PM quirks on suspend and resume ...")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200861
Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-designware-master.c  |    1 -
 drivers/i2c/busses/i2c-designware-platdrv.c |    7 ++++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/i2c/busses/i2c-designware-master.c
+++ b/drivers/i2c/busses/i2c-designware-master.c
@@ -693,7 +693,6 @@ int i2c_dw_probe(struct dw_i2c_dev *dev)
 	i2c_set_adapdata(adap, dev);
 
 	if (dev->pm_disabled) {
-		dev_pm_syscore_device(dev->dev, true);
 		irq_flags = IRQF_NO_SUSPEND;
 	} else {
 		irq_flags = IRQF_SHARED | IRQF_COND_SUSPEND;
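Review bot: with the dev_pm_syscore_device() call gone, both branches of the pm_disabled test in i2c_dw_probe() are single statements, so the braces can be dropped per kernel coding style. A short comment on the IRQF_NO_SUSPEND branch noting that the suspend and resume callbacks now run for these controllers would also save readers a trip to the changelog.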
--- a/drivers/i2c/busses/i2c-designware-platdrv.c
+++ b/drivers/i2c/busses/i2c-designware-platdrv.c
@@ -448,6 +448,9 @@ static int dw_i2c_plat_suspend(struct de
 {
 	struct dw_i2c_dev *i_dev = dev_get_drvdata(dev);
 
+	if (i_dev->pm_disabled)
+		return 0;
+
 	i_dev->disable(i_dev);
 	i2c_dw_prepare_clk(i_dev, false);
 
@@ -458,7 +461,9 @@ static int dw_i2c_plat_resume(struct dev
 {
 	struct dw_i2c_dev *i_dev = dev_get_drvdata(dev);
 
-	i2c_dw_prepare_clk(i_dev, true);
+	if (!i_dev->pm_disabled)
+		i2c_dw_prepare_clk(i_dev, true);
+
 	i_dev->init(i_dev);
 
 	return 0;
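Review bot: the pm_disabled test in dw_i2c_plat_resume() skips only the clock enable and still calls i_dev->init(), which is not obvious from the code alone given that dw_i2c_plat_suspend() now returns early for the same flag. A comment here stating why init() stays unconditional (the changelog's explanation that the controller ends up in D3 across suspend and must be re-initialized) would document the asymmetry where the next reader will look for it.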
- * [PATCH 4.18 093/145] KVM: VMX: fixes for vmentry_l1d_flush module parameter
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 092/145] i2c: designware: Re-init controllers with pm_disabled set on resume Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 094/145] KVM: PPC: Book3S: Fix guest DMA when guest partially backed by THP pages Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bandan Das, Paolo Bonzini
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 0027ff2a75f9dcf0537ac0a65c5840b0e21a4950 upstream.
Two bug fixes:
1) missing entries in the l1d_param array; this can cause a host crash
if an access attempts to reach the missing entry. Future-proof the get
function against any overflows as well.  However, the two entries
VMENTER_L1D_FLUSH_EPT_DISABLED and VMENTER_L1D_FLUSH_NOT_REQUIRED must
not be accepted by the parse function, so disable them there.
2) invalid values must be rejected even if the CPU does not have the
bug, so test for them before checking boot_cpu_has(X86_BUG_L1TF)
... and a small refactoring, since the .cmd field is redundant with
the index in the array.
Reported-by: Bandan Das <bsd@redhat.com>
Cc: stable@vger.kernel.org
Fixes: a7b9020b06ec6d7c3f3b0d4ef1a9eba12654f4f7
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx.c |   26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -197,12 +197,14 @@ static enum vmx_l1d_flush_state __read_m
 
 static const struct {
 	const char *option;
-	enum vmx_l1d_flush_state cmd;
+	bool for_parse;
 } vmentry_l1d_param[] = {
-	{"auto",	VMENTER_L1D_FLUSH_AUTO},
-	{"never",	VMENTER_L1D_FLUSH_NEVER},
-	{"cond",	VMENTER_L1D_FLUSH_COND},
-	{"always",	VMENTER_L1D_FLUSH_ALWAYS},
+	[VMENTER_L1D_FLUSH_AUTO]	 = {"auto", true},
+	[VMENTER_L1D_FLUSH_NEVER]	 = {"never", true},
+	[VMENTER_L1D_FLUSH_COND]	 = {"cond", true},
+	[VMENTER_L1D_FLUSH_ALWAYS]	 = {"always", true},
+	[VMENTER_L1D_FLUSH_EPT_DISABLED] = {"EPT disabled", false},
+	[VMENTER_L1D_FLUSH_NOT_REQUIRED] = {"not required", false},
 };
 
 #define L1D_CACHE_ORDER 4
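Review bot: vmentry_l1d_param[] is now indexed by enum vmx_l1d_flush_state, but nothing ties the array size to the enum, so a state added later without a table entry leaves either an out-of-range index or a zero-filled slot whose .option is NULL. Consider a BUILD_BUG_ON() against the number of enum values, or sizing the array explicitly, so that a missing entry fails at build time instead of reaching the "%s" in vmentry_l1d_flush_get().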
@@ -286,8 +288,9 @@ static int vmentry_l1d_flush_parse(const
 
 	if (s) {
 		for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {
-			if (sysfs_streq(s, vmentry_l1d_param[i].option))
-				return vmentry_l1d_param[i].cmd;
+			if (vmentry_l1d_param[i].for_parse &&
+			    sysfs_streq(s, vmentry_l1d_param[i].option))
+				return i;
 		}
 	}
 	return -EINVAL;
@@ -297,13 +300,13 @@ static int vmentry_l1d_flush_set(const c
 {
 	int l1tf, ret;
 
-	if (!boot_cpu_has(X86_BUG_L1TF))
-		return 0;
-
 	l1tf = vmentry_l1d_flush_parse(s);
 	if (l1tf < 0)
 		return l1tf;
 
+	if (!boot_cpu_has(X86_BUG_L1TF))
+		return 0;
+
 	/*
 	 * Has vmx_init() run already? If not then this is the pre init
 	 * parameter parsing. In that case just store the value and let
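Review bot: the ordering in vmentry_l1d_flush_set(), parse first and only then test boot_cpu_has(X86_BUG_L1TF), is what makes invalid strings fail with -EINVAL on unaffected CPUs, and nothing in the code says so. A one-line comment above the boot_cpu_has() check would keep a later cleanup from moving the early return back to the top.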
@@ -323,6 +326,9 @@ static int vmentry_l1d_flush_set(const c
 
 static int vmentry_l1d_flush_get(char *s, const struct kernel_param *kp)
 {
+	if (WARN_ON_ONCE(l1tf_vmx_mitigation >= ARRAY_SIZE(vmentry_l1d_param)))
+		return sprintf(s, "???\n");
+
 	return sprintf(s, "%s\n", vmentry_l1d_param[l1tf_vmx_mitigation].option);
 }
 
- * [PATCH 4.18 094/145] KVM: PPC: Book3S: Fix guest DMA when guest partially backed by THP pages
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 093/145] KVM: VMX: fixes for vmentry_l1d_flush module parameter Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 095/145] xtensa: limit offsets in __loop_cache_{all,page} Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paul Mackerras, Michael Ellerman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Paul Mackerras <paulus@ozlabs.org>
commit 8cfbdbdc24815417a3ab35101ccf706b9a23ff17 upstream.
Commit 76fa4975f3ed ("KVM: PPC: Check if IOMMU page is contained in
the pinned physical page", 2018-07-17) added some checks to ensure
that guest DMA mappings don't attempt to map more than the guest is
entitled to access. However, errors in the logic mean that legitimate
guest requests to map pages for DMA are being denied in some
situations. Specifically, if the first page of the range passed to
mm_iommu_get() is mapped with a normal page, and subsequent pages are
mapped with transparent huge pages, we end up with mem->pageshift ==
0. That means that the page size checks in mm_iommu_ua_to_hpa() and
mm_iommu_up_to_hpa_rm() will always fail for every page in that
region, and thus the guest can never map any memory in that region for
DMA, typically leading to a flood of error messages like this:
  qemu-system-ppc64: VFIO_MAP_DMA: -22
  qemu-system-ppc64: vfio_dma_map(0x10005f47780, 0x800000000000000, 0x10000, 0x7fff63ff0000) = -22 (Invalid argument)
The logic errors in mm_iommu_get() are:
  (a) use of 'ua' not 'ua + (i << PAGE_SHIFT)' in the find_linux_pte()
      call (meaning that find_linux_pte() returns the pte for the
      first address in the range, not the address we are currently up
      to);
  (b) use of 'pageshift' as the variable to receive the hugepage shift
      returned by find_linux_pte() - for a normal page this gets set
      to 0, leading to us setting mem->pageshift to 0 when we conclude
      that the pte returned by find_linux_pte() didn't match the page
      we were looking at;
  (c) comparing 'compshift', which is a page order, i.e. log base 2 of
      the number of pages, with 'pageshift', which is a log base 2 of
      the number of bytes.
To fix these problems, this patch introduces 'cur_ua' to hold the
current user address and uses that in the find_linux_pte() call;
introduces 'pteshift' to hold the hugepage shift found by
find_linux_pte(); and compares 'pteshift' with 'compshift +
PAGE_SHIFT' rather than 'compshift'.
The patch also moves the local_irq_restore to the point after the PTE
pointer returned by find_linux_pte() has been dereferenced because
otherwise the PTE could change underneath us, and adds a check to
avoid doing the find_linux_pte() call once mem->pageshift has been
reduced to PAGE_SHIFT, as an optimization.
Fixes: 76fa4975f3ed ("KVM: PPC: Check if IOMMU page is contained in the pinned physical page")
Cc: stable@vger.kernel.org # v4.12+
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/mmu_context_iommu.c |   17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
--- a/arch/powerpc/mm/mmu_context_iommu.c
+++ b/arch/powerpc/mm/mmu_context_iommu.c
@@ -129,6 +129,7 @@ long mm_iommu_get(struct mm_struct *mm,
 	long i, j, ret = 0, locked_entries = 0;
 	unsigned int pageshift;
 	unsigned long flags;
+	unsigned long cur_ua;
 	struct page *page = NULL;
 
 	mutex_lock(&mem_list_mutex);
@@ -177,7 +178,8 @@ long mm_iommu_get(struct mm_struct *mm,
 	}
 
 	for (i = 0; i < entries; ++i) {
-		if (1 != get_user_pages_fast(ua + (i << PAGE_SHIFT),
+		cur_ua = ua + (i << PAGE_SHIFT);
+		if (1 != get_user_pages_fast(cur_ua,
 					1/* pages */, 1/* iswrite */, &page)) {
 			ret = -EFAULT;
 			for (j = 0; j < i; ++j)
@@ -196,7 +198,7 @@ long mm_iommu_get(struct mm_struct *mm,
 		if (is_migrate_cma_page(page)) {
 			if (mm_iommu_move_page_from_cma(page))
 				goto populate;
-			if (1 != get_user_pages_fast(ua + (i << PAGE_SHIFT),
+			if (1 != get_user_pages_fast(cur_ua,
 						1/* pages */, 1/* iswrite */,
 						&page)) {
 				ret = -EFAULT;
@@ -210,20 +212,21 @@ long mm_iommu_get(struct mm_struct *mm,
 		}
 populate:
 		pageshift = PAGE_SHIFT;
-		if (PageCompound(page)) {
+		if (mem->pageshift > PAGE_SHIFT && PageCompound(page)) {
 			pte_t *pte;
 			struct page *head = compound_head(page);
 			unsigned int compshift = compound_order(head);
+			unsigned int pteshift;
 
 			local_irq_save(flags); /* disables as well */
-			pte = find_linux_pte(mm->pgd, ua, NULL, &pageshift);
-			local_irq_restore(flags);
+			pte = find_linux_pte(mm->pgd, cur_ua, NULL, &pteshift);
 
 			/* Double check it is still the same pinned page */
 			if (pte && pte_page(*pte) == head &&
-					pageshift == compshift)
-				pageshift = max_t(unsigned int, pageshift,
+			    pteshift == compshift + PAGE_SHIFT)
+				pageshift = max_t(unsigned int, pteshift,
 						PAGE_SHIFT);
+			local_irq_restore(flags);
 		}
 		mem->pageshift = min(mem->pageshift, pageshift);
 		mem->hpas[i] = page_to_pfn(page) << PAGE_SHIFT;
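Review bot: in the populate block of mm_iommu_get(), max_t(unsigned int, pteshift, PAGE_SHIFT) is redundant once the condition requires pteshift == compshift + PAGE_SHIFT, since compshift is unsigned and the sum cannot fall below PAGE_SHIFT; a plain "pageshift = pteshift;" says the same thing. With local_irq_restore(flags) now sitting directly under the unbraced if body, braces or a blank line before it would make it clear that the restore is unconditional.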
- * [PATCH 4.18 095/145] xtensa: limit offsets in __loop_cache_{all,page}
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 094/145] KVM: PPC: Book3S: Fix guest DMA when guest partially backed by THP pages Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 096/145] xtensa: increase ranges in ___invalidate_{i,d}cache_all Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Max Filippov <jcmvbkbc@gmail.com>
commit be75de25251f7cf3e399ca1f584716a95510d24a upstream.
When building kernel for xtensa cores with big cache lines (e.g. 128
bytes or more) __loop_cache_all and __loop_cache_page may generate
assembly instructions with immediate fields that are too big. This
results in the following build errors:
  arch/xtensa/mm/misc.S: Assembler messages:
  arch/xtensa/mm/misc.S:464: Error: operand 2 of 'diwbi' has invalid value '256'
  arch/xtensa/mm/misc.S:464: Error: operand 2 of 'diwbi' has invalid value '384'
  arch/xtensa/kernel/head.S: Assembler messages:
  arch/xtensa/kernel/head.S:172: Error: operand 2 of 'diu' has invalid value '256'
  arch/xtensa/kernel/head.S:172: Error: operand 2 of 'diu' has invalid value '384'
  arch/xtensa/kernel/head.S:176: Error: operand 2 of 'iiu' has invalid value '256'
  arch/xtensa/kernel/head.S:176: Error: operand 2 of 'iiu' has invalid value '384'
  arch/xtensa/kernel/head.S:255: Error: operand 2 of 'diwb' has invalid value '256'
  arch/xtensa/kernel/head.S:255: Error: operand 2 of 'diwb' has invalid value '384'
Add parameter max_immed to these macros and use it to limit values of
immediate operands. Extract common code of these macros into the new
macro __loop_cache_unroll.
Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/xtensa/include/asm/cacheasm.h |   65 ++++++++++++++++++++++---------------
 1 file changed, 40 insertions(+), 25 deletions(-)
--- a/arch/xtensa/include/asm/cacheasm.h
+++ b/arch/xtensa/include/asm/cacheasm.h
@@ -31,16 +31,32 @@
  *
  */
 
-	.macro	__loop_cache_all ar at insn size line_width
 
-	movi	\ar, 0
+	.macro	__loop_cache_unroll ar at insn size line_width max_immed
+
+	.if	(1 << (\line_width)) > (\max_immed)
+	.set	_reps, 1
+	.elseif	(2 << (\line_width)) > (\max_immed)
+	.set	_reps, 2
+	.else
+	.set	_reps, 4
+	.endif
+
+	__loopi	\ar, \at, \size, (_reps << (\line_width))
+	.set	_index, 0
+	.rep	_reps
+	\insn	\ar, _index << (\line_width)
+	.set	_index, _index + 1
+	.endr
+	__endla	\ar, \at, _reps << (\line_width)
+
+	.endm
+
 
-	__loopi	\ar, \at, \size, (4 << (\line_width))
-	\insn	\ar, 0 << (\line_width)
-	\insn	\ar, 1 << (\line_width)
-	\insn	\ar, 2 << (\line_width)
-	\insn	\ar, 3 << (\line_width)
-	__endla	\ar, \at, 4 << (\line_width)
+	.macro	__loop_cache_all ar at insn size line_width max_immed
+
+	movi	\ar, 0
+	__loop_cache_unroll \ar, \at, \insn, \size, \line_width, \max_immed
 
 	.endm
 
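Review bot: the .if/.elseif chain in __loop_cache_unroll selects _reps = 4 after checking only (2 << line_width) against max_immed, yet the largest immediate emitted in that case is 3 << line_width. The limits passed in this patch (240 and 1020) never land in that gap for any line_width, but the macro would be safer testing the largest emitted offset directly, for example ".elseif (3 << (\line_width)) > (\max_immed)" for the _reps = 2 case. _reps and _index are also set as ordinary assembler symbols and persist after the macro ends; more distinctive names or a comment would avoid clashes with other users.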
@@ -57,14 +73,9 @@
 	.endm
 
 
-	.macro	__loop_cache_page ar at insn line_width
+	.macro	__loop_cache_page ar at insn line_width max_immed
 
-	__loopi	\ar, \at, PAGE_SIZE, 4 << (\line_width)
-	\insn	\ar, 0 << (\line_width)
-	\insn	\ar, 1 << (\line_width)
-	\insn	\ar, 2 << (\line_width)
-	\insn	\ar, 3 << (\line_width)
-	__endla	\ar, \at, 4 << (\line_width)
+	__loop_cache_unroll \ar, \at, \insn, PAGE_SIZE, \line_width, \max_immed
 
 	.endm
 
@@ -72,7 +83,8 @@
 	.macro	___unlock_dcache_all ar at
 
 #if XCHAL_DCACHE_LINE_LOCKABLE && XCHAL_DCACHE_SIZE
-	__loop_cache_all \ar \at diu XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
+	__loop_cache_all \ar \at diu XCHAL_DCACHE_SIZE \
+		XCHAL_DCACHE_LINEWIDTH 240
 #endif
 
 	.endm
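Review bot: the trailing 240 passed to __loop_cache_all in ___unlock_dcache_all (and the 1020 used with other instructions further down) is a bare literal with no indication of where it comes from. A named constant or a comment tying each value to the immediate range of the instruction it is paired with would make it possible to check new callers.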
@@ -81,7 +93,8 @@
 	.macro	___unlock_icache_all ar at
 
 #if XCHAL_ICACHE_LINE_LOCKABLE && XCHAL_ICACHE_SIZE
-	__loop_cache_all \ar \at iiu XCHAL_ICACHE_SIZE XCHAL_ICACHE_LINEWIDTH
+	__loop_cache_all \ar \at iiu XCHAL_ICACHE_SIZE \
+		XCHAL_ICACHE_LINEWIDTH 240
 #endif
 
 	.endm
@@ -90,7 +103,8 @@
 	.macro	___flush_invalidate_dcache_all ar at
 
 #if XCHAL_DCACHE_SIZE
-	__loop_cache_all \ar \at diwbi XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
+	__loop_cache_all \ar \at diwbi XCHAL_DCACHE_SIZE \
+		XCHAL_DCACHE_LINEWIDTH 240
 #endif
 
 	.endm
@@ -99,7 +113,8 @@
 	.macro	___flush_dcache_all ar at
 
 #if XCHAL_DCACHE_SIZE
-	__loop_cache_all \ar \at diwb XCHAL_DCACHE_SIZE XCHAL_DCACHE_LINEWIDTH
+	__loop_cache_all \ar \at diwb XCHAL_DCACHE_SIZE \
+		XCHAL_DCACHE_LINEWIDTH 240
 #endif
 
 	.endm
@@ -109,7 +124,7 @@
 
 #if XCHAL_DCACHE_SIZE
 	__loop_cache_all \ar \at dii __stringify(DCACHE_WAY_SIZE) \
-			 XCHAL_DCACHE_LINEWIDTH
+			 XCHAL_DCACHE_LINEWIDTH 1020
 #endif
 
 	.endm
@@ -119,7 +134,7 @@
 
 #if XCHAL_ICACHE_SIZE
 	__loop_cache_all \ar \at iii __stringify(ICACHE_WAY_SIZE) \
-			 XCHAL_ICACHE_LINEWIDTH
+			 XCHAL_ICACHE_LINEWIDTH 1020
 #endif
 
 	.endm
@@ -166,7 +181,7 @@
 	.macro	___flush_invalidate_dcache_page ar as
 
 #if XCHAL_DCACHE_SIZE
-	__loop_cache_page \ar \as dhwbi XCHAL_DCACHE_LINEWIDTH
+	__loop_cache_page \ar \as dhwbi XCHAL_DCACHE_LINEWIDTH 1020
 #endif
 
 	.endm
@@ -175,7 +190,7 @@
 	.macro ___flush_dcache_page ar as
 
 #if XCHAL_DCACHE_SIZE
-	__loop_cache_page \ar \as dhwb XCHAL_DCACHE_LINEWIDTH
+	__loop_cache_page \ar \as dhwb XCHAL_DCACHE_LINEWIDTH 1020
 #endif
 
 	.endm
@@ -184,7 +199,7 @@
 	.macro	___invalidate_dcache_page ar as
 
 #if XCHAL_DCACHE_SIZE
-	__loop_cache_page \ar \as dhi XCHAL_DCACHE_LINEWIDTH
+	__loop_cache_page \ar \as dhi XCHAL_DCACHE_LINEWIDTH 1020
 #endif
 
 	.endm
@@ -193,7 +208,7 @@
 	.macro	___invalidate_icache_page ar as
 
 #if XCHAL_ICACHE_SIZE
-	__loop_cache_page \ar \as ihi XCHAL_ICACHE_LINEWIDTH
+	__loop_cache_page \ar \as ihi XCHAL_ICACHE_LINEWIDTH 1020
 #endif
 
 	.endm
- * [PATCH 4.18 096/145] xtensa: increase ranges in ___invalidate_{i,d}cache_all
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 095/145] xtensa: limit offsets in __loop_cache_{all,page} Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 097/145] block, bfq: return nbytes and not zero from struct cftype .write() method Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Max Filippov <jcmvbkbc@gmail.com>
commit fec3259c9f747c039f90e99570540114c8d81a14 upstream.
Cache invalidation macros use cache line size to iterate over
invalidated cache lines, assuming that all cache ways are invalidated by
single instruction, but xtensa ISA recommends to not assume that for
future compatibility:
  In some implementations all ways at index Addry-1..z are invalidated
  regardless of the specified way, but for future compatibility this
  behavior should not be assumed.
Iterate over all cache ways in ___invalidate_icache_all and
___invalidate_dcache_all.
Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/xtensa/include/asm/cacheasm.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/xtensa/include/asm/cacheasm.h
+++ b/arch/xtensa/include/asm/cacheasm.h
@@ -123,7 +123,7 @@
 	.macro	___invalidate_dcache_all ar at
 
 #if XCHAL_DCACHE_SIZE
-	__loop_cache_all \ar \at dii __stringify(DCACHE_WAY_SIZE) \
+	__loop_cache_all \ar \at dii XCHAL_DCACHE_SIZE \
 			 XCHAL_DCACHE_LINEWIDTH 1020
 #endif
 
@@ -133,7 +133,7 @@
 	.macro	___invalidate_icache_all ar at
 
 #if XCHAL_ICACHE_SIZE
-	__loop_cache_all \ar \at iii __stringify(ICACHE_WAY_SIZE) \
+	__loop_cache_all \ar \at iii XCHAL_ICACHE_SIZE \
 			 XCHAL_ICACHE_LINEWIDTH 1020
 #endif
 
- * [PATCH 4.18 097/145] block, bfq: return nbytes and not zero from struct cftype .write() method
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 096/145] xtensa: increase ranges in ___invalidate_{i,d}cache_all Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 098/145] pnfs/blocklayout: off by one in bl_map_stripe() Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maciej S. Szmigiero, Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
commit fc8ebd01deeb12728c83381f6ec923e4a192ffd3 upstream.
The value that struct cftype .write() method returns is then directly
returned to userspace as the value returned by write() syscall, so it
should be the number of bytes actually written (or consumed) and not zero.
Returning zero from write() syscall makes programs like /bin/echo or bash
spin.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support")
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/bfq-cgroup.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -913,7 +913,8 @@ static ssize_t bfq_io_set_weight(struct
 	if (ret)
 		return ret;
 
-	return bfq_io_set_weight_legacy(of_css(of), NULL, weight);
+	ret = bfq_io_set_weight_legacy(of_css(of), NULL, weight);
+	return ret ?: nbytes;
 }
 
 #ifdef CONFIG_DEBUG_BLK_CGROUP
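Review bot: "return ret ?: nbytes;" in bfq_io_set_weight() assumes bfq_io_set_weight_legacy() only ever returns 0 or a negative errno; any positive return would reach userspace as a byte count. If that contract holds, a short comment stating it would do; otherwise "return ret < 0 ? ret : nbytes;" makes the assumption explicit.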
- * [PATCH 4.18 098/145] pnfs/blocklayout: off by one in bl_map_stripe()
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 097/145] block, bfq: return nbytes and not zero from struct cftype .write() method Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 099/145] nfsd: fix leaked file lock with nfs exported overlayfs Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Christoph Hellwig,
	Anna Schumaker
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 0914bb965e38a055e9245637aed117efbe976e91 upstream.
"dev->nr_children" is the number of children which were parsed
successfully in bl_parse_stripe().  It could be all of them and then, in
that case, it is equal to v->stripe.volumes_count.  Either way, the >
should be >= so that we don't go beyond the end of what we're supposed
to.
Fixes: 5c83746a0cf2 ("pnfs/blocklayout: in-kernel GETDEVICEINFO XDR parsing")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org # 3.17+
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/blocklayout/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfs/blocklayout/dev.c
+++ b/fs/nfs/blocklayout/dev.c
@@ -204,7 +204,7 @@ static bool bl_map_stripe(struct pnfs_bl
 	chunk = div_u64(offset, dev->chunk_size);
 	div_u64_rem(chunk, dev->nr_children, &chunk_idx);
 
-	if (chunk_idx > dev->nr_children) {
+	if (chunk_idx >= dev->nr_children) {
 		dprintk("%s: invalid chunk idx %d (%lld/%lld)\n",
 			__func__, chunk_idx, offset, dev->chunk_size);
 		/* error, should not happen */
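Review bot: chunk_idx is written by div_u64_rem(chunk, dev->nr_children, &chunk_idx) on the line just above the check, so it is already a remainder below dev->nr_children and the branch stays unreachable with either > or >=. The input this hunk leaves unguarded is dev->nr_children == 0, which would divide by zero before the comparison runs. Since the commit message says nr_children counts only the children that parsed successfully, it is worth confirming that zero cannot reach this function, or adding a check before the division alongside the operator fix.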
- * [PATCH 4.18 099/145] nfsd: fix leaked file lock with nfs exported overlayfs
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eddie Horng, Jeff Layton,
	Amir Goldstein, J. Bruce Fields
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Amir Goldstein <amir73il@gmail.com>
commit 64bed6cbe38bc95689fb9399872d9ce250192f90 upstream.
nfsd and lockd call vfs_lock_file() to lock/unlock the inode
returned by locks_inode(file).
Many places in nfsd/lockd code use the inode returned by
file_inode(file) for lock manipulation. With Overlayfs, file_inode()
(the underlying inode) is not the same object as locks_inode() (the
overlay inode). This can result in "Leaked POSIX lock" messages
and eventually to a kernel crash as reported by Eddie Horng:
https://marc.info/?l=linux-unionfs&m=153086643202072&w=2
Fix all the call sites in nfsd/lockd that should use locks_inode().
This is a correctness bug that manifested when overlayfs gained
NFS export support in v4.16.
Reported-by: Eddie Horng <eddiehorng.tw@gmail.com>
Tested-by: Eddie Horng <eddiehorng.tw@gmail.com>
Cc: Jeff Layton <jlayton@kernel.org>
Fixes: 8383f1748829 ("ovl: wire up NFS export operations")
Cc: stable@vger.kernel.org
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/lockd/clntlock.c         |    2 +-
 fs/lockd/clntproc.c         |    2 +-
 fs/lockd/svclock.c          |   16 ++++++++--------
 fs/lockd/svcsubs.c          |    4 ++--
 fs/nfsd/nfs4state.c         |    2 +-
 include/linux/lockd/lockd.h |    4 ++--
 6 files changed, 15 insertions(+), 15 deletions(-)
--- a/fs/lockd/clntlock.c
+++ b/fs/lockd/clntlock.c
@@ -187,7 +187,7 @@ __be32 nlmclnt_grant(const struct sockad
 			continue;
 		if (!rpc_cmp_addr(nlm_addr(block->b_host), addr))
 			continue;
-		if (nfs_compare_fh(NFS_FH(file_inode(fl_blocked->fl_file)) ,fh) != 0)
+		if (nfs_compare_fh(NFS_FH(locks_inode(fl_blocked->fl_file)), fh) != 0)
 			continue;
 		/* Alright, we found a lock. Set the return status
 		 * and wake up the caller
--- a/fs/lockd/clntproc.c
+++ b/fs/lockd/clntproc.c
@@ -128,7 +128,7 @@ static void nlmclnt_setlockargs(struct n
 	char *nodename = req->a_host->h_rpcclnt->cl_nodename;
 
 	nlmclnt_next_cookie(&argp->cookie);
-	memcpy(&lock->fh, NFS_FH(file_inode(fl->fl_file)), sizeof(struct nfs_fh));
+	memcpy(&lock->fh, NFS_FH(locks_inode(fl->fl_file)), sizeof(struct nfs_fh));
 	lock->caller  = nodename;
 	lock->oh.data = req->a_owner;
 	lock->oh.len  = snprintf(req->a_owner, sizeof(req->a_owner), "%u@%s",
--- a/fs/lockd/svclock.c
+++ b/fs/lockd/svclock.c
@@ -405,8 +405,8 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru
 	__be32			ret;
 
 	dprintk("lockd: nlmsvc_lock(%s/%ld, ty=%d, pi=%d, %Ld-%Ld, bl=%d)\n",
-				file_inode(file->f_file)->i_sb->s_id,
-				file_inode(file->f_file)->i_ino,
+				locks_inode(file->f_file)->i_sb->s_id,
+				locks_inode(file->f_file)->i_ino,
 				lock->fl.fl_type, lock->fl.fl_pid,
 				(long long)lock->fl.fl_start,
 				(long long)lock->fl.fl_end,
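Review bot: the two dprintk arguments in nlmsvc_lock() each open-code locks_inode(file->f_file), and the same pair is repeated in nlmsvc_testlock(), nlmsvc_unlock() and nlmsvc_cancel_blocked() in the hunks that follow. This patch already switches nlmsvc_file_inode() in lockd.h to return locks_inode(file->f_file), so calling that helper here would keep the inode choice in one place and stop the debug output from drifting away from the inode the lock code uses.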
@@ -511,8 +511,8 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
 	__be32			ret;
 
 	dprintk("lockd: nlmsvc_testlock(%s/%ld, ty=%d, %Ld-%Ld)\n",
-				file_inode(file->f_file)->i_sb->s_id,
-				file_inode(file->f_file)->i_ino,
+				locks_inode(file->f_file)->i_sb->s_id,
+				locks_inode(file->f_file)->i_ino,
 				lock->fl.fl_type,
 				(long long)lock->fl.fl_start,
 				(long long)lock->fl.fl_end);
@@ -566,8 +566,8 @@ nlmsvc_unlock(struct net *net, struct nl
 	int	error;
 
 	dprintk("lockd: nlmsvc_unlock(%s/%ld, pi=%d, %Ld-%Ld)\n",
-				file_inode(file->f_file)->i_sb->s_id,
-				file_inode(file->f_file)->i_ino,
+				locks_inode(file->f_file)->i_sb->s_id,
+				locks_inode(file->f_file)->i_ino,
 				lock->fl.fl_pid,
 				(long long)lock->fl.fl_start,
 				(long long)lock->fl.fl_end);
@@ -595,8 +595,8 @@ nlmsvc_cancel_blocked(struct net *net, s
 	int status = 0;
 
 	dprintk("lockd: nlmsvc_cancel(%s/%ld, pi=%d, %Ld-%Ld)\n",
-				file_inode(file->f_file)->i_sb->s_id,
-				file_inode(file->f_file)->i_ino,
+				locks_inode(file->f_file)->i_sb->s_id,
+				locks_inode(file->f_file)->i_ino,
 				lock->fl.fl_pid,
 				(long long)lock->fl.fl_start,
 				(long long)lock->fl.fl_end);
--- a/fs/lockd/svcsubs.c
+++ b/fs/lockd/svcsubs.c
@@ -44,7 +44,7 @@ static inline void nlm_debug_print_fh(ch
 
 static inline void nlm_debug_print_file(char *msg, struct nlm_file *file)
 {
-	struct inode *inode = file_inode(file->f_file);
+	struct inode *inode = locks_inode(file->f_file);
 
 	dprintk("lockd: %s %s/%ld\n",
 		msg, inode->i_sb->s_id, inode->i_ino);
@@ -414,7 +414,7 @@ nlmsvc_match_sb(void *datap, struct nlm_
 {
 	struct super_block *sb = datap;
 
-	return sb == file_inode(file->f_file)->i_sb;
+	return sb == locks_inode(file->f_file)->i_sb;
 }
 
 /**
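Review bot: in nlmsvc_match_sb() this is a behaviour change rather than a debug-print change. Per the commit message locks_inode() yields the overlay inode, so i_sb is now the overlay super_block, and a caller passing the underlying filesystem's super_block as datap stops matching. Please confirm that every caller passes the super_block of the exported filesystem, and record that expectation in a comment on the function.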
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -6293,7 +6293,7 @@ check_for_locks(struct nfs4_file *fp, st
 		return status;
 	}
 
-	inode = file_inode(filp);
+	inode = locks_inode(filp);
 	flctx = inode->i_flctx;
 
 	if (flctx && !list_empty_careful(&flctx->flc_posix)) {
--- a/include/linux/lockd/lockd.h
+++ b/include/linux/lockd/lockd.h
@@ -299,7 +299,7 @@ int           nlmsvc_unlock_all_by_ip(st
 
 static inline struct inode *nlmsvc_file_inode(struct nlm_file *file)
 {
-	return file_inode(file->f_file);
+	return locks_inode(file->f_file);
 }
 
 static inline int __nlm_privileged_request4(const struct sockaddr *sap)
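Review bot: nlmsvc_file_inode() keeps its name but now returns locks_inode(file->f_file), which the commit message says is a different object from file_inode() on overlayfs. A one-line comment on the helper saying it returns the inode used for locking would stop later callers from assuming it is equivalent to file_inode().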
@@ -359,7 +359,7 @@ static inline int nlm_privileged_request
 static inline int nlm_compare_locks(const struct file_lock *fl1,
 				    const struct file_lock *fl2)
 {
-	return file_inode(fl1->fl_file) == file_inode(fl2->fl_file)
+	return locks_inode(fl1->fl_file) == locks_inode(fl2->fl_file)
 	     && fl1->fl_pid   == fl2->fl_pid
 	     && fl1->fl_owner == fl2->fl_owner
 	     && fl1->fl_start == fl2->fl_start
- * [PATCH 4.18 100/145] NFSv4 client live hangs after live data migration recovery
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bill Baker, Chuck Lever, Helen Chao,
	Anna Schumaker
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bill Baker <Bill.Baker@Oracle.com>
commit 0f90be132cbf1537d87a6a8b9e80867adac892f6 upstream.
After a live data migration event at the NFS server, the client may send
I/O requests to the wrong server, causing a live hang due to repeated
recovery events.  On the wire, this will appear as an I/O request failing
with NFS4ERR_BADSESSION, followed by successful CREATE_SESSION, repeatedly.
NFS4ERR_BADSESSION is returned because the session ID being used was
issued by the other server and is not valid at the old server.
The failure is caused by async worker threads having cached the transport
(xprt) in the rpc_task structure.  After the migration recovery completes,
the task is redispatched and the task resends the request to the wrong
server based on the old value still present in tk_xprt.
The solution is to recompute the tk_xprt field of the rpc_task structure
so that the request goes to the correct server.
Signed-off-by: Bill Baker <bill.baker@oracle.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Helen Chao <helen.chao@oracle.com>
Fixes: fb43d17210ba ("SUNRPC: Use the multipath iterator to assign a ...")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/nfs4proc.c           |    9 ++++++++-
 include/linux/sunrpc/clnt.h |    1 +
 net/sunrpc/clnt.c           |   28 ++++++++++++++++++++--------
 3 files changed, 29 insertions(+), 9 deletions(-)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -581,8 +581,15 @@ nfs4_async_handle_exception(struct rpc_t
 		ret = -EIO;
 	return ret;
 out_retry:
-	if (ret == 0)
+	if (ret == 0) {
 		exception->retry = 1;
+		/*
+		 * For NFS4ERR_MOVED, the client transport will need to
+		 * be recomputed after migration recovery has completed.
+		 */
+		if (errorcode == -NFS4ERR_MOVED)
+			rpc_task_release_transport(task);
+	}
 	return ret;
 }
 
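Review bot: rpc_task_release_transport() is called only when errorcode == -NFS4ERR_MOVED and only inside the ret == 0 branch, while the commit message describes the hang as repeated NFS4ERR_BADSESSION failures after migration. The added comment should say why MOVED is the only error that needs the transport dropped, so a reader can tell that the BADSESSION path was considered and is covered once tk_xprt has been recomputed.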
--- a/include/linux/sunrpc/clnt.h
+++ b/include/linux/sunrpc/clnt.h
@@ -156,6 +156,7 @@ int		rpc_switch_client_transport(struct
 
 void		rpc_shutdown_client(struct rpc_clnt *);
 void		rpc_release_client(struct rpc_clnt *);
+void		rpc_task_release_transport(struct rpc_task *);
 void		rpc_task_release_client(struct rpc_task *);
 
 int		rpcb_create_local(struct net *);
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -965,10 +965,20 @@ out:
 }
 EXPORT_SYMBOL_GPL(rpc_bind_new_program);
 
+void rpc_task_release_transport(struct rpc_task *task)
+{
+	struct rpc_xprt *xprt = task->tk_xprt;
+
+	if (xprt) {
+		task->tk_xprt = NULL;
+		xprt_put(xprt);
+	}
+}
+EXPORT_SYMBOL_GPL(rpc_task_release_transport);
+
 void rpc_task_release_client(struct rpc_task *task)
 {
 	struct rpc_clnt *clnt = task->tk_client;
-	struct rpc_xprt *xprt = task->tk_xprt;
 
 	if (clnt != NULL) {
 		/* Remove from client task list */
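Review bot: rpc_task_release_transport() is exported with EXPORT_SYMBOL_GPL but has no kernel-doc and nothing stating when a caller may clear task->tk_xprt. It sets tk_xprt to NULL and drops the reference with xprt_put() without taking any lock, so the comment should state the calling context it assumes, for example that the task is not being transmitted on that transport at the time.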
@@ -979,12 +989,14 @@ void rpc_task_release_client(struct rpc_
 
 		rpc_release_client(clnt);
 	}
+	rpc_task_release_transport(task);
+}
 
-	if (xprt != NULL) {
-		task->tk_xprt = NULL;
-
-		xprt_put(xprt);
-	}
+static
+void rpc_task_set_transport(struct rpc_task *task, struct rpc_clnt *clnt)
+{
+	if (!task->tk_xprt)
+		task->tk_xprt = xprt_iter_get_next(&clnt->cl_xpi);
 }
 
 static
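Review bot: rpc_task_set_transport() stores the result of xprt_iter_get_next(&clnt->cl_xpi) without checking it, and the last hunk of this file calls it from call_start() right after task->tk_action = call_reserve is set. If the iterator can return NULL after the old transport has been released, the task proceeds to call_reserve with tk_xprt == NULL. Either handle that case in the helper or document why it cannot occur.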
@@ -992,8 +1004,7 @@ void rpc_task_set_client(struct rpc_task
 {
 
 	if (clnt != NULL) {
-		if (task->tk_xprt == NULL)
-			task->tk_xprt = xprt_iter_get_next(&clnt->cl_xpi);
+		rpc_task_set_transport(task, clnt);
 		task->tk_client = clnt;
 		atomic_inc(&clnt->cl_count);
 		if (clnt->cl_softrtry)
@@ -1512,6 +1523,7 @@ call_start(struct rpc_task *task)
 		clnt->cl_program->version[clnt->cl_vers]->counts[idx]++;
 	clnt->cl_stats->rpccnt++;
 	task->tk_action = call_reserve;
+	rpc_task_set_transport(task, clnt);
 }
 
 /*
- * [PATCH 4.18 101/145] NFSv4: Fix locking in pnfs_generic_recover_commit_reqs
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, Trond Myklebust,
	Anna Schumaker
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trondmy@gmail.com>
commit d0fbb1d8a194c0ec0180c1d073ad709e45503a43 upstream.
The use of the inode->i_lock was converted to a mutex, but we forgot
to remove the old inode unlock/lock() pair that allowed the layout
segment to be put inside the loop.
Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Fixes: e824f99adaaf1 ("NFSv4: Use a mutex to protect the per-inode commit...")
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/pnfs_nfs.c |   16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
--- a/fs/nfs/pnfs_nfs.c
+++ b/fs/nfs/pnfs_nfs.c
@@ -61,7 +61,7 @@ EXPORT_SYMBOL_GPL(pnfs_generic_commit_re
 
 /* The generic layer is about to remove the req from the commit list.
  * If this will make the bucket empty, it will need to put the lseg reference.
- * Note this must be called holding i_lock
+ * Note this must be called holding nfsi->commit_mutex
  */
 void
 pnfs_generic_clear_request_commit(struct nfs_page *req,
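Review bot: the locking rule for pnfs_generic_clear_request_commit() changes here only in a comment ("must be called holding nfsi->commit_mutex"), and a comment-only rule is easy to miss, as the stale i_lock pairs removed in the following hunks show. A lockdep_assert_held() on the commit mutex at the top of the function would let lockdep check the requirement instead of relying on the comment.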
@@ -149,9 +149,7 @@ restart:
 		if (list_empty(&b->written)) {
 			freeme = b->wlseg;
 			b->wlseg = NULL;
-			spin_unlock(&cinfo->inode->i_lock);
 			pnfs_put_lseg(freeme);
-			spin_lock(&cinfo->inode->i_lock);
 			goto restart;
 		}
 	}
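Review bot: with the spin_unlock()/spin_lock() pair removed, pnfs_put_lseg(freeme) now runs with the caller's lock still held, which per the updated comment in the first hunk is commit_mutex. Please confirm that pnfs_put_lseg() cannot reach a path that takes the same mutex, and say so in the commit message, since the old code deliberately dropped its lock around this call.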
@@ -167,7 +165,7 @@ static void pnfs_generic_retry_commit(st
 	LIST_HEAD(pages);
 	int i;
 
-	spin_lock(&cinfo->inode->i_lock);
+	mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
 	for (i = idx; i < fl_cinfo->nbuckets; i++) {
 		bucket = &fl_cinfo->buckets[i];
 		if (list_empty(&bucket->committing))
@@ -177,12 +175,12 @@ static void pnfs_generic_retry_commit(st
 		list_for_each(pos, &bucket->committing)
 			cinfo->ds->ncommitting--;
 		list_splice_init(&bucket->committing, &pages);
-		spin_unlock(&cinfo->inode->i_lock);
+		mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
 		nfs_retry_commit(&pages, freeme, cinfo, i);
 		pnfs_put_lseg(freeme);
-		spin_lock(&cinfo->inode->i_lock);
+		mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
 	}
-	spin_unlock(&cinfo->inode->i_lock);
+	mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
 }
 
 static unsigned int
@@ -222,13 +220,13 @@ void pnfs_fetch_commit_bucket_list(struc
 	struct list_head *pos;
 
 	bucket = &cinfo->ds->buckets[data->ds_commit_index];
-	spin_lock(&cinfo->inode->i_lock);
+	mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
 	list_for_each(pos, &bucket->committing)
 		cinfo->ds->ncommitting--;
 	list_splice_init(&bucket->committing, pages);
 	data->lseg = bucket->clseg;
 	bucket->clseg = NULL;
-	spin_unlock(&cinfo->inode->i_lock);
+	mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
 
 }
 
- * [PATCH 4.18 102/145] NFSv4: Fix a sleep in atomic context in nfs4_callback_sequence()
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, Trond Myklebust,
	Anna Schumaker
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trondmy@gmail.com>
commit 8618289c46556fd4dd259a1af02ccc448032f48d upstream.
We must drop the lock before we can sleep in referring_call_exists().
Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Fixes: 045d2a6d076a ("NFSv4.1: Delay callback processing...")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/callback_proc.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
--- a/fs/nfs/callback_proc.c
+++ b/fs/nfs/callback_proc.c
@@ -441,11 +441,14 @@ validate_seqid(const struct nfs4_slot_ta
  * a match.  If the slot is in use and the sequence numbers match, the
  * client is still waiting for a response to the original request.
  */
-static bool referring_call_exists(struct nfs_client *clp,
+static int referring_call_exists(struct nfs_client *clp,
 				  uint32_t nrclists,
-				  struct referring_call_list *rclists)
+				  struct referring_call_list *rclists,
+				  spinlock_t *lock)
+	__releases(lock)
+	__acquires(lock)
 {
-	bool status = false;
+	int status = 0;
 	int i, j;
 	struct nfs4_session *session;
 	struct nfs4_slot_table *tbl;
@@ -468,8 +471,10 @@ static bool referring_call_exists(struct
 
 		for (j = 0; j < rclist->rcl_nrefcalls; j++) {
 			ref = &rclist->rcl_refcalls[j];
+			spin_unlock(lock);
 			status = nfs4_slot_wait_on_seqid(tbl, ref->rc_slotid,
 					ref->rc_sequenceid, HZ >> 1) < 0;
+			spin_lock(lock);
 			if (status)
 				goto out;
 		}
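Review bot: the lock is dropped and retaken inside the inner loop around nfs4_slot_wait_on_seqid(), but tbl, rclist and ref were all obtained before spin_unlock(lock) and are used again on the next iteration without being revalidated. State what keeps those pointers valid while the lock is released, or re-fetch them after spin_lock(lock).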
@@ -546,7 +551,8 @@ __be32 nfs4_callback_sequence(void *argp
 	 * related callback was received before the response to the original
 	 * call.
 	 */
-	if (referring_call_exists(clp, args->csa_nrclists, args->csa_rclists)) {
+	if (referring_call_exists(clp, args->csa_nrclists, args->csa_rclists,
+				&tbl->slot_tbl_lock) < 0) {
 		status = htonl(NFS4ERR_DELAY);
 		goto out_unlock;
 	}
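Review bot: the new caller test referring_call_exists(...) < 0 does not match what the function returns. In the second hunk status is still assigned from nfs4_slot_wait_on_seqid(...) < 0, which evaluates to 0 or 1, and its initial value is 0, so on the lines shown the function never returns a negative value and the NFS4ERR_DELAY branch cannot be taken. Either keep a truth-value test at the call site or have the function return the negative error from nfs4_slot_wait_on_seqid() itself.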
- * [PATCH 4.18 103/145] ARM: tegra: Fix Tegra30 Cardhu PCA954x reset
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jon Hunter, Thierry Reding
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jon Hunter <jonathanh@nvidia.com>
commit 6e1811900b6fe6f2b4665dba6bd6ed32c6b98575 upstream.
On all versions of Tegra30 Cardhu, the reset signal to the NXP PCA9546
I2C mux is connected to the Tegra GPIO BB0. Currently, this pin on the
Tegra is not configured as a GPIO but as a special-function IO (SFIO)
that is multiplexing the pin to an I2S controller. On exiting system
suspend, I2C commands sent to the PCA9546 are failing because there is
no ACK. Although it is not possible to see exactly what is happening
to the reset during suspend, by ensuring it is configured as a GPIO
and driven high, to de-assert the reset, the failures are no longer
seen.
Please note that this GPIO is also used to drive the reset signal
going to the camera connector on the board. However, given that there
is no camera support currently for Cardhu, this should not have any
impact.
Fixes: 40431d16ff11 ("ARM: tegra: enable PCA9546 on Cardhu")
Cc: stable@vger.kernel.org
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/tegra30-cardhu.dtsi |    1 +
 1 file changed, 1 insertion(+)
--- a/arch/arm/boot/dts/tegra30-cardhu.dtsi
+++ b/arch/arm/boot/dts/tegra30-cardhu.dtsi
@@ -206,6 +206,7 @@
 			#address-cells = <1>;
 			#size-cells = <0>;
 			reg = <0x70>;
+			reset-gpio = <&gpio TEGRA_GPIO(BB, 0) GPIO_ACTIVE_LOW>;
 		};
 	};
 
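Review bot: the commit message notes that GPIO BB0 also drives the reset going to the camera connector, but the new reset-gpio line carries no comment about the shared signal. A short comment next to the property would warn whoever adds camera support later that the I2C mux node now claims this line. It is also worth confirming in the commit message that GPIO_ACTIVE_LOW matches the "driven high, to de-assert the reset" behaviour it describes.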
- * [PATCH 4.18 104/145] ARM: dts: am57xx-idk: Enable dual role for USB2 port
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bin Liu, Roger Quadros, Tony Lindgren
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Roger Quadros <rogerq@ti.com>
commit 5f3cc16483d40bbc609a828511ff851296fc62b6 upstream.
Dual-role support was added in v4.12. We should be using
it for USB2 port on the am57xx-idk.
Cc: <stable@vger.kernel.org>        [4.16+]
Reported-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/am571x-idk.dts         |    4 ----
 arch/arm/boot/dts/am572x-idk-common.dtsi |    4 ----
 arch/arm/boot/dts/am57xx-idk-common.dtsi |    7 ++++++-
 3 files changed, 6 insertions(+), 9 deletions(-)
--- a/arch/arm/boot/dts/am571x-idk.dts
+++ b/arch/arm/boot/dts/am571x-idk.dts
@@ -66,10 +66,6 @@
 	};
 };
 
-&omap_dwc3_2 {
-	extcon = <&extcon_usb2>;
-};
-
 &extcon_usb2 {
 	id-gpio = <&gpio5 7 GPIO_ACTIVE_HIGH>;
 	vbus-gpio = <&gpio7 22 GPIO_ACTIVE_HIGH>;
--- a/arch/arm/boot/dts/am572x-idk-common.dtsi
+++ b/arch/arm/boot/dts/am572x-idk-common.dtsi
@@ -57,10 +57,6 @@
 	};
 };
 
-&omap_dwc3_2 {
-	extcon = <&extcon_usb2>;
-};
-
 &extcon_usb2 {
 	id-gpio = <&gpio3 16 GPIO_ACTIVE_HIGH>;
 	vbus-gpio = <&gpio3 26 GPIO_ACTIVE_HIGH>;
--- a/arch/arm/boot/dts/am57xx-idk-common.dtsi
+++ b/arch/arm/boot/dts/am57xx-idk-common.dtsi
@@ -395,8 +395,13 @@
 	dr_mode = "host";
 };
 
+&omap_dwc3_2 {
+	extcon = <&extcon_usb2>;
+};
+
 &usb2 {
-	dr_mode = "peripheral";
+	extcon = <&extcon_usb2>;
+	dr_mode = "otg";
 };
 
 &mmc1 {
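Review bot: moving the &omap_dwc3_2 extcon reference into am57xx-idk-common.dtsi and adding the same extcon = <&extcon_usb2> under &usb2 makes the common file depend on extcon_usb2, whose id-gpio and vbus-gpio are only filled in by am571x-idk.dts and am572x-idk-common.dtsi in the hunks above. Please confirm that every board including the common file provides those GPIOs, and say in the commit message why extcon is needed on both &omap_dwc3_2 and &usb2 once dr_mode is "otg".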
- * [PATCH 4.18 105/145] pwm: omap-dmtimer: Return -EPROBE_DEFER if no dmtimer platform data
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Rivshin, Pavel Machek,
	Ladislav Michl, Andreas Kemnade, Thierry Reding
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: David Rivshin <DRivshin@allworx.com>
commit 43725feb593127b16318b871e3a9bf89a96d66cb upstream.
If a pwm-omap-dmtimer is probed before the dmtimer it uses, the platform
data won't be set yet.
Fixes: ac30751df953 ("ARM: OMAP: pdata-quirks: Remove unused timer pdata")
Cc: <stable@vger.kernel.org> # 4.17+
Signed-off-by: David Rivshin <drivshin@allworx.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Tested-by: Pavel Machek <pavel@ucw.cz>
Acked-by: Ladislav Michl <ladis@linux-mips.org>
Tested-by: Andreas Kemnade <andreas@kemnade.info>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pwm/pwm-omap-dmtimer.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/pwm/pwm-omap-dmtimer.c
+++ b/drivers/pwm/pwm-omap-dmtimer.c
@@ -264,8 +264,9 @@ static int pwm_omap_dmtimer_probe(struct
 
 	timer_pdata = dev_get_platdata(&timer_pdev->dev);
 	if (!timer_pdata) {
-		dev_err(&pdev->dev, "dmtimer pdata structure NULL\n");
-		ret = -EINVAL;
+		dev_dbg(&pdev->dev,
+			 "dmtimer pdata structure NULL, deferring probe\n");
+		ret = -EPROBE_DEFER;
 		goto put;
 	}
 
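Review bot: switching from dev_err() with -EINVAL to dev_dbg() with -EPROBE_DEFER means a dmtimer whose platform data never appears now leaves this driver deferring indefinitely with no message at the default log level. Consider keeping a visible diagnostic for that case. The continuation line of the new dev_dbg() call is also indented one space past the opening parenthesis.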
- * [PATCH 4.18 106/145] mm/tlb: Remove tlb_remove_table() non-concurrent condition
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Will Deacon, Peter Zijlstra (Intel),
	Rik van Riel, Nicholas Piggin, David Miller, Martin Schwidefsky,
	Michael Ellerman, stable, Linus Torvalds
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit a6f572084fbee8b30f91465f4a085d7a90901c57 upstream.
Will noted that only checking mm_users is incorrect; we should also
check mm_count in order to cover CPUs that have a lazy reference to
this mm (and could do speculative TLB operations).
If removing this turns out to be a performance issue, we can
re-instate a more complete check, but in tlb_table_flush() eliding the
call_rcu_sched().
Fixes: 267239116987 ("mm, powerpc: move the RCU page-table freeing into generic code")
Reported-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Rik van Riel <riel@surriel.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: David Miller <davem@davemloft.net>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory.c |    9 ---------
 1 file changed, 9 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -391,15 +391,6 @@ void tlb_remove_table(struct mmu_gather
 {
 	struct mmu_table_batch **batch = &tlb->batch;
 
-	/*
-	 * When there's less then two users of this mm there cannot be a
-	 * concurrent page-table walk.
-	 */
-	if (atomic_read(&tlb->mm->mm_users) < 2) {
-		__tlb_remove_table(table);
-		return;
-	}
-
 	if (*batch == NULL) {
 		*batch = (struct mmu_table_batch *)__get_free_page(GFP_NOWAIT | __GFP_NOWARN);
 		if (*batch == NULL) {
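Review bot: the shortcut is removed together with its comment, so tlb_remove_table() no longer records why a low mm_users count is not enough to free the table immediately. A brief comment here pointing at lazy mm references (mm_count) and speculative TLB operations, as described in the commit message, would keep the mm_users < 2 test from being reintroduced later as an optimisation.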
- * [PATCH 4.18 107/145] iommu/ipmmu-vmsa: Dont register as BUS IOMMU if machine doesnt have IPMMU-VMSA
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Joerg Roedel
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dmitry Osipenko <digetx@gmail.com>
commit 5c5c87411488af3cd082221e567498d813d0fe83 upstream.
This fixes kernel crashing on NVIDIA Tegra if kernel is compiled in
a multiplatform configuration and IPMMU-VMSA driver is enabled.
Cc: <stable@vger.kernel.org> # v3.20+
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/ipmmu-vmsa.c |    7 +++++++
 1 file changed, 7 insertions(+)
--- a/drivers/iommu/ipmmu-vmsa.c
+++ b/drivers/iommu/ipmmu-vmsa.c
@@ -1081,12 +1081,19 @@ static struct platform_driver ipmmu_driv
 
 static int __init ipmmu_init(void)
 {
+	struct device_node *np;
 	static bool setup_done;
 	int ret;
 
 	if (setup_done)
 		return 0;
 
+	np = of_find_matching_node(NULL, ipmmu_of_ids);
+	if (!np)
+		return 0;
+
+	of_node_put(np);
+
 	ret = platform_driver_register(&ipmmu_driver);
 	if (ret < 0)
 		return ret;
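Review bot: the new early return makes ipmmu_init() report success when no node matches ipmmu_of_ids, and on the lines shown it does so without touching setup_done, so each later call repeats the of_find_matching_node() walk. That is harmless, but a comment explaining that returning 0 here is deliberate (the driver is skipped on machines without the hardware rather than reported as failed) would make the intent clear.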
- * [PATCH 4.18 108/145] iommu/vt-d: Add definitions for PFSID
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jacob Pan, Ashok Raj, Lu Baolu,
	Joerg Roedel
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jacob Pan <jacob.jun.pan@linux.intel.com>
commit 0f725561e168485eff7277d683405c05b192f537 upstream.
When SRIOV VF device IOTLB is invalidated, we need to provide
the PF source ID such that IOMMU hardware can gauge the depth
of invalidation queue which is shared among VFs. This is needed
when device invalidation throttle (DIT) capability is supported.
This patch adds bit definitions for checking and tracking PFSID.
Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Cc: stable@vger.kernel.org
Cc: "Ashok Raj" <ashok.raj@intel.com>
Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/intel-iommu.c |    1 +
 include/linux/intel-iommu.h |    3 +++
 2 files changed, 4 insertions(+)
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -421,6 +421,7 @@ struct device_domain_info {
 	struct list_head global; /* link to global list */
 	u8 bus;			/* PCI bus number */
 	u8 devfn;		/* PCI devfn number */
+	u16 pfsid;		/* SRIOV physical function source ID */
 	u8 pasid_supported:3;
 	u8 pasid_enabled:1;
 	u8 pri_supported:1;
--- a/include/linux/intel-iommu.h
+++ b/include/linux/intel-iommu.h
@@ -114,6 +114,7 @@
  * Extended Capability Register
  */
 
+#define ecap_dit(e)		((e >> 41) & 0x1)
 #define ecap_pasid(e)		((e >> 40) & 0x1)
 #define ecap_pss(e)		((e >> 35) & 0x1f)
 #define ecap_eafs(e)		((e >> 34) & 0x1)
@@ -284,6 +285,7 @@ enum {
 #define QI_DEV_IOTLB_SID(sid)	((u64)((sid) & 0xffff) << 32)
 #define QI_DEV_IOTLB_QDEP(qdep)	(((qdep) & 0x1f) << 16)
 #define QI_DEV_IOTLB_ADDR(addr)	((u64)(addr) & VTD_PAGE_MASK)
+#define QI_DEV_IOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
 #define QI_DEV_IOTLB_SIZE	1
 #define QI_DEV_IOTLB_MAX_INVS	32
 
@@ -308,6 +310,7 @@ enum {
 #define QI_DEV_EIOTLB_PASID(p)	(((u64)p) << 32)
 #define QI_DEV_EIOTLB_SID(sid)	((u64)((sid) & 0xffff) << 16)
 #define QI_DEV_EIOTLB_QDEP(qd)	((u64)((qd) & 0x1f) << 4)
+#define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
 #define QI_DEV_EIOTLB_MAX_INVS	32
 
 #define QI_PGRP_IDX(idx)	(((u64)(idx)) << 55)
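Review bot: In QI_DEV_EIOTLB_PFSID (and the identical QI_DEV_IOTLB_PFSID added in the previous hunk) both fields are built from the low bits of pfsid: "(pfsid & 0xf) << 12" and "(pfsid & 0xfff) << 52". That encodes bits 3:0 twice and never encodes bits 15:12 of the 16-bit source ID. If the descriptor is meant to carry the whole PFSID split across the two fields, the upper field needs a shift first, for example "((pfsid) >> 4) & 0xfff". The argument should also be parenthesized as (pfsid), the way QI_DEV_EIOTLB_SID(sid) does it.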
- * [PATCH 4.18 109/145] iommu/vt-d: Fix dev iotlb pfsid use
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 108/145] iommu/vt-d: Add definitions for PFSID Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 110/145] sys: dont hold uts_sem while accessing userspace memory Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jacob Pan, Ashok Raj, Lu Baolu,
	Joerg Roedel
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jacob Pan <jacob.jun.pan@linux.intel.com>
commit 1c48db44924298ad0cb5a6386b88017539be8822 upstream.
PFSID should be used in the invalidation descriptor for flushing
device IOTLBs on SRIOV VFs.
Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Cc: stable@vger.kernel.org
Cc: "Ashok Raj" <ashok.raj@intel.com>
Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/dmar.c        |    6 +++---
 drivers/iommu/intel-iommu.c |   17 ++++++++++++++++-
 include/linux/intel-iommu.h |    5 ++---
 3 files changed, 21 insertions(+), 7 deletions(-)
--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -1339,8 +1339,8 @@ void qi_flush_iotlb(struct intel_iommu *
 	qi_submit_sync(&desc, iommu);
 }
 
-void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
-			u64 addr, unsigned mask)
+void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid,
+			u16 qdep, u64 addr, unsigned mask)
 {
 	struct qi_desc desc;
 
@@ -1355,7 +1355,7 @@ void qi_flush_dev_iotlb(struct intel_iom
 		qdep = 0;
 
 	desc.low = QI_DEV_IOTLB_SID(sid) | QI_DEV_IOTLB_QDEP(qdep) |
-		   QI_DIOTLB_TYPE;
+		   QI_DIOTLB_TYPE | QI_DEV_IOTLB_PFSID(pfsid);
 
 	qi_submit_sync(&desc, iommu);
 }
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -1502,6 +1502,20 @@ static void iommu_enable_dev_iotlb(struc
 		return;
 
 	pdev = to_pci_dev(info->dev);
+	/* For IOMMU that supports device IOTLB throttling (DIT), we assign
+	 * PFSID to the invalidation desc of a VF such that IOMMU HW can gauge
+	 * queue depth at PF level. If DIT is not set, PFSID will be treated as
+	 * reserved, which should be set to 0.
+	 */
+	if (!ecap_dit(info->iommu->ecap))
+		info->pfsid = 0;
+	else {
+		struct pci_dev *pf_pdev;
+
+		/* pdev will be returned if device is not a vf */
+		pf_pdev = pci_physfn(pdev);
+		info->pfsid = PCI_DEVID(pf_pdev->bus->number, pf_pdev->devfn);
+	}
 
 #ifdef CONFIG_INTEL_IOMMU_SVM
 	/* The PCIe spec, in its wisdom, declares that the behaviour of
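Review bot: The new "if (!ecap_dit(info->iommu->ecap))" branch has no braces while its else branch does; kernel coding style wants braces on both branches when either one needs them. The block comment also starts its text on the opening "/*" line, which is the networking style rather than the usual one. Separately, info->pfsid is only assigned after the early return shown at the top of this hunk, while the next hunk reads info->pfsid in iommu_flush_dev_iotlb(), so it is worth confirming that device_domain_info is zero-allocated.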
@@ -1567,7 +1581,8 @@ static void iommu_flush_dev_iotlb(struct
 
 		sid = info->bus << 8 | info->devfn;
 		qdep = info->ats_qdep;
-		qi_flush_dev_iotlb(info->iommu, sid, qdep, addr, mask);
+		qi_flush_dev_iotlb(info->iommu, sid, info->pfsid,
+				qdep, addr, mask);
 	}
 	spin_unlock_irqrestore(&device_domain_lock, flags);
 }
--- a/include/linux/intel-iommu.h
+++ b/include/linux/intel-iommu.h
@@ -456,9 +456,8 @@ extern void qi_flush_context(struct inte
 			     u8 fm, u64 type);
 extern void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr,
 			  unsigned int size_order, u64 type);
-extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
-			       u64 addr, unsigned mask);
-
+extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid,
+			u16 qdep, u64 addr, unsigned mask);
 extern int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu);
 
 extern int dmar_ir_support(void);
- * [PATCH 4.18 110/145] sys: dont hold uts_sem while accessing userspace memory
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 109/145] iommu/vt-d: Fix dev iotlb pfsid use Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 111/145] userns: move user access out of the mutex Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jann Horn, Eric W. Biederman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 42a0cc3478584d4d63f68f2f5af021ddbea771fa upstream.
Holding uts_sem as a writer while accessing userspace memory allows a
namespace admin to stall all processes that attempt to take uts_sem.
Instead, move data through stack buffers and don't access userspace memory
while uts_sem is held.
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/alpha/kernel/osf_sys.c      |   51 +++++++++-----------
 arch/sparc/kernel/sys_sparc_32.c |   22 +++++----
 arch/sparc/kernel/sys_sparc_64.c |   20 ++++----
 kernel/sys.c                     |   95 ++++++++++++++++++---------------------
 kernel/utsname_sysctl.c          |   41 ++++++++++------
 5 files changed, 119 insertions(+), 110 deletions(-)
--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -530,24 +530,19 @@ SYSCALL_DEFINE4(osf_mount, unsigned long
 SYSCALL_DEFINE1(osf_utsname, char __user *, name)
 {
 	int error;
+	char tmp[5 * 32];
 
 	down_read(&uts_sem);
-	error = -EFAULT;
-	if (copy_to_user(name + 0, utsname()->sysname, 32))
-		goto out;
-	if (copy_to_user(name + 32, utsname()->nodename, 32))
-		goto out;
-	if (copy_to_user(name + 64, utsname()->release, 32))
-		goto out;
-	if (copy_to_user(name + 96, utsname()->version, 32))
-		goto out;
-	if (copy_to_user(name + 128, utsname()->machine, 32))
-		goto out;
+	memcpy(tmp + 0 * 32, utsname()->sysname, 32);
+	memcpy(tmp + 1 * 32, utsname()->nodename, 32);
+	memcpy(tmp + 2 * 32, utsname()->release, 32);
+	memcpy(tmp + 3 * 32, utsname()->version, 32);
+	memcpy(tmp + 4 * 32, utsname()->machine, 32);
+	up_read(&uts_sem);
 
-	error = 0;
- out:
-	up_read(&uts_sem);	
-	return error;
+	if (copy_to_user(name, tmp, sizeof(tmp)))
+		return -EFAULT;
+	return 0;
 }
 
 SYSCALL_DEFINE0(getpagesize)
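Review bot: In osf_utsname() the declaration "int error;" is kept as context, but every line that used it is removed, so the variable is now unused and should be dropped in the same hunk. The bounce buffer itself looks right: the five 32-byte memcpy() calls fill all of tmp[5 * 32] under uts_sem, so nothing uninitialised reaches copy_to_user().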
@@ -567,18 +562,21 @@ SYSCALL_DEFINE2(osf_getdomainname, char
 {
 	int len, err = 0;
 	char *kname;
+	char tmp[32];
 
-	if (namelen > 32)
+	if (namelen < 0 || namelen > 32)
 		namelen = 32;
 
 	down_read(&uts_sem);
 	kname = utsname()->domainname;
 	len = strnlen(kname, namelen);
-	if (copy_to_user(name, kname, min(len + 1, namelen)))
-		err = -EFAULT;
+	len = min(len + 1, namelen);
+	memcpy(tmp, kname, len);
 	up_read(&uts_sem);
 
-	return err;
+	if (copy_to_user(name, tmp, len))
+		return -EFAULT;
+	return 0;
 }
 
 /*
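Review bot: In osf_getdomainname() err is still declared and initialised ("int len, err = 0;") but is no longer read once "return err;" is replaced, so it should be removed. The added "namelen < 0" test is what keeps min(len + 1, namelen) from producing a negative memcpy() length into the 32-byte tmp, but it silently treats a negative length as 32, whereas the sparc getdomainname() in this same patch returns -EINVAL for len < 0. A one-line comment saying the clamp is intentional would help.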
@@ -739,13 +737,14 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
 	};
 	unsigned long offset;
 	const char *res;
-	long len, err = -EINVAL;
+	long len;
+	char tmp[__NEW_UTS_LEN + 1];
 
 	offset = command-1;
 	if (offset >= ARRAY_SIZE(sysinfo_table)) {
 		/* Digital UNIX has a few unpublished interfaces here */
 		printk("sysinfo(%d)", command);
-		goto out;
+		return -EINVAL;
 	}
 
 	down_read(&uts_sem);
@@ -753,13 +752,11 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
 	len = strlen(res)+1;
 	if ((unsigned long)len > (unsigned long)count)
 		len = count;
-	if (copy_to_user(buf, res, len))
-		err = -EFAULT;
-	else
-		err = 0;
+	memcpy(tmp, res, len);
 	up_read(&uts_sem);
- out:
-	return err;
+	if (copy_to_user(buf, tmp, len))
+		return -EFAULT;
+	return 0;
 }
 
 SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
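Review bot: In osf_sysinfo() the new memcpy(tmp, res, len) is only safe if every string res can point at fits in __NEW_UTS_LEN + 1 bytes including its terminator, because len is clamped against the caller's count and nothing else. Nothing visible in the hunk enforces that. Clamping len to sizeof(tmp) as well, or a short comment stating the invariant, would keep a later table change from turning into a stack overflow.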
--- a/arch/sparc/kernel/sys_sparc_32.c
+++ b/arch/sparc/kernel/sys_sparc_32.c
@@ -197,23 +197,27 @@ SYSCALL_DEFINE5(rt_sigaction, int, sig,
 
 SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
 {
- 	int nlen, err;
- 	
+	int nlen, err;
+	char tmp[__NEW_UTS_LEN + 1];
+
 	if (len < 0)
 		return -EINVAL;
 
- 	down_read(&uts_sem);
- 	
+	down_read(&uts_sem);
+
 	nlen = strlen(utsname()->domainname) + 1;
 	err = -EINVAL;
 	if (nlen > len)
-		goto out;
+		goto out_unlock;
+	memcpy(tmp, utsname()->domainname, nlen);
+
+	up_read(&uts_sem);
 
-	err = -EFAULT;
-	if (!copy_to_user(name, utsname()->domainname, nlen))
-		err = 0;
+	if (copy_to_user(name, tmp, nlen))
+		return -EFAULT;
+	return 0;
 
-out:
+out_unlock:
 	up_read(&uts_sem);
 	return err;
 }
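Review bot: The whitespace-only rewrites of "int nlen, err;" and "down_read(&uts_sem);" are mixed into the functional change in getdomainname(), which makes the locking change harder to pick out in a stable backport; they would be better as a separate cleanup. After the change err only ever carries -EINVAL to out_unlock, so the function could drop the variable and simply unlock and return -EINVAL in the "nlen > len" branch.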
--- a/arch/sparc/kernel/sys_sparc_64.c
+++ b/arch/sparc/kernel/sys_sparc_64.c
@@ -519,23 +519,27 @@ asmlinkage void sparc_breakpoint(struct
 
 SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
 {
-        int nlen, err;
+	int nlen, err;
+	char tmp[__NEW_UTS_LEN + 1];
 
 	if (len < 0)
 		return -EINVAL;
 
- 	down_read(&uts_sem);
- 	
+	down_read(&uts_sem);
+
 	nlen = strlen(utsname()->domainname) + 1;
 	err = -EINVAL;
 	if (nlen > len)
-		goto out;
+		goto out_unlock;
+	memcpy(tmp, utsname()->domainname, nlen);
+
+	up_read(&uts_sem);
 
-	err = -EFAULT;
-	if (!copy_to_user(name, utsname()->domainname, nlen))
-		err = 0;
+	if (copy_to_user(name, tmp, nlen))
+		return -EFAULT;
+	return 0;
 
-out:
+out_unlock:
 	up_read(&uts_sem);
 	return err;
 }
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1237,18 +1237,19 @@ static int override_release(char __user
 
 SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
 {
-	int errno = 0;
+	struct new_utsname tmp;
 
 	down_read(&uts_sem);
-	if (copy_to_user(name, utsname(), sizeof *name))
-		errno = -EFAULT;
+	memcpy(&tmp, utsname(), sizeof(tmp));
 	up_read(&uts_sem);
+	if (copy_to_user(name, &tmp, sizeof(tmp)))
+		return -EFAULT;
 
-	if (!errno && override_release(name->release, sizeof(name->release)))
-		errno = -EFAULT;
-	if (!errno && override_architecture(name))
-		errno = -EFAULT;
-	return errno;
+	if (override_release(name->release, sizeof(name->release)))
+		return -EFAULT;
+	if (override_architecture(name))
+		return -EFAULT;
+	return 0;
 }
 
 #ifdef __ARCH_WANT_SYS_OLD_UNAME
@@ -1257,55 +1258,46 @@ SYSCALL_DEFINE1(newuname, struct new_uts
  */
 SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
 {
-	int error = 0;
+	struct old_utsname tmp;
 
 	if (!name)
 		return -EFAULT;
 
 	down_read(&uts_sem);
-	if (copy_to_user(name, utsname(), sizeof(*name)))
-		error = -EFAULT;
+	memcpy(&tmp, utsname(), sizeof(tmp));
 	up_read(&uts_sem);
+	if (copy_to_user(name, &tmp, sizeof(tmp)))
+		return -EFAULT;
 
-	if (!error && override_release(name->release, sizeof(name->release)))
-		error = -EFAULT;
-	if (!error && override_architecture(name))
-		error = -EFAULT;
-	return error;
+	if (override_release(name->release, sizeof(name->release)))
+		return -EFAULT;
+	if (override_architecture(name))
+		return -EFAULT;
+	return 0;
 }
 
 SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
 {
-	int error;
+	struct oldold_utsname tmp = {};
 
 	if (!name)
 		return -EFAULT;
-	if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname)))
-		return -EFAULT;
 
 	down_read(&uts_sem);
-	error = __copy_to_user(&name->sysname, &utsname()->sysname,
-			       __OLD_UTS_LEN);
-	error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
-	error |= __copy_to_user(&name->nodename, &utsname()->nodename,
-				__OLD_UTS_LEN);
-	error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
-	error |= __copy_to_user(&name->release, &utsname()->release,
-				__OLD_UTS_LEN);
-	error |= __put_user(0, name->release + __OLD_UTS_LEN);
-	error |= __copy_to_user(&name->version, &utsname()->version,
-				__OLD_UTS_LEN);
-	error |= __put_user(0, name->version + __OLD_UTS_LEN);
-	error |= __copy_to_user(&name->machine, &utsname()->machine,
-				__OLD_UTS_LEN);
-	error |= __put_user(0, name->machine + __OLD_UTS_LEN);
+	memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
+	memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
+	memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
+	memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
+	memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
 	up_read(&uts_sem);
+	if (copy_to_user(name, &tmp, sizeof(tmp)))
+		return -EFAULT;
 
-	if (!error && override_architecture(name))
-		error = -EFAULT;
-	if (!error && override_release(name->release, sizeof(name->release)))
-		error = -EFAULT;
-	return error ? -EFAULT : 0;
+	if (override_architecture(name))
+		return -EFAULT;
+	if (override_release(name->release, sizeof(name->release)))
+		return -EFAULT;
+	return 0;
 }
 #endif
 
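Review bot: In olduname() the "= {}" initialiser on struct oldold_utsname tmp is doing real work and deserves a comment. Each memcpy() copies only __OLD_UTS_LEN bytes, and the removed __put_user(0, name->sysname + __OLD_UTS_LEN) style calls wrote the terminator one byte past that, so the zero-initialisation is now what supplies the NUL terminators and keeps uninitialised stack bytes out of copy_to_user(name, &tmp, sizeof(tmp)). Without a note, a later cleanup that drops the initialiser would turn this into a kernel stack disclosure.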
@@ -1319,17 +1311,18 @@ SYSCALL_DEFINE2(sethostname, char __user
 
 	if (len < 0 || len > __NEW_UTS_LEN)
 		return -EINVAL;
-	down_write(&uts_sem);
 	errno = -EFAULT;
 	if (!copy_from_user(tmp, name, len)) {
-		struct new_utsname *u = utsname();
+		struct new_utsname *u;
 
+		down_write(&uts_sem);
+		u = utsname();
 		memcpy(u->nodename, tmp, len);
 		memset(u->nodename + len, 0, sizeof(u->nodename) - len);
 		errno = 0;
 		uts_proc_notify(UTS_PROC_HOSTNAME);
+		up_write(&uts_sem);
 	}
-	up_write(&uts_sem);
 	return errno;
 }
 
@@ -1337,8 +1330,9 @@ SYSCALL_DEFINE2(sethostname, char __user
 
 SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
 {
-	int i, errno;
+	int i;
 	struct new_utsname *u;
+	char tmp[__NEW_UTS_LEN + 1];
 
 	if (len < 0)
 		return -EINVAL;
@@ -1347,11 +1341,11 @@ SYSCALL_DEFINE2(gethostname, char __user
 	i = 1 + strlen(u->nodename);
 	if (i > len)
 		i = len;
-	errno = 0;
-	if (copy_to_user(name, u->nodename, i))
-		errno = -EFAULT;
+	memcpy(tmp, u->nodename, i);
 	up_read(&uts_sem);
-	return errno;
+	if (copy_to_user(name, tmp, i))
+		return -EFAULT;
+	return 0;
 }
 
 #endif
@@ -1370,17 +1364,18 @@ SYSCALL_DEFINE2(setdomainname, char __us
 	if (len < 0 || len > __NEW_UTS_LEN)
 		return -EINVAL;
 
-	down_write(&uts_sem);
 	errno = -EFAULT;
 	if (!copy_from_user(tmp, name, len)) {
-		struct new_utsname *u = utsname();
+		struct new_utsname *u;
 
+		down_write(&uts_sem);
+		u = utsname();
 		memcpy(u->domainname, tmp, len);
 		memset(u->domainname + len, 0, sizeof(u->domainname) - len);
 		errno = 0;
 		uts_proc_notify(UTS_PROC_DOMAINNAME);
+		up_write(&uts_sem);
 	}
-	up_write(&uts_sem);
 	return errno;
 }
 
--- a/kernel/utsname_sysctl.c
+++ b/kernel/utsname_sysctl.c
@@ -18,7 +18,7 @@
 
 #ifdef CONFIG_PROC_SYSCTL
 
-static void *get_uts(struct ctl_table *table, int write)
+static void *get_uts(struct ctl_table *table)
 {
 	char *which = table->data;
 	struct uts_namespace *uts_ns;
@@ -26,21 +26,9 @@ static void *get_uts(struct ctl_table *t
 	uts_ns = current->nsproxy->uts_ns;
 	which = (which - (char *)&init_uts_ns) + (char *)uts_ns;
 
-	if (!write)
-		down_read(&uts_sem);
-	else
-		down_write(&uts_sem);
 	return which;
 }
 
-static void put_uts(struct ctl_table *table, int write, void *which)
-{
-	if (!write)
-		up_read(&uts_sem);
-	else
-		up_write(&uts_sem);
-}
-
 /*
  *	Special case of dostring for the UTS structure. This has locks
  *	to observe. Should this be in kernel/sys.c ????
@@ -50,13 +38,34 @@ static int proc_do_uts_string(struct ctl
 {
 	struct ctl_table uts_table;
 	int r;
+	char tmp_data[__NEW_UTS_LEN + 1];
+
 	memcpy(&uts_table, table, sizeof(uts_table));
-	uts_table.data = get_uts(table, write);
+	uts_table.data = tmp_data;
+
+	/*
+	 * Buffer the value in tmp_data so that proc_dostring() can be called
+	 * without holding any locks.
+	 * We also need to read the original value in the write==1 case to
+	 * support partial writes.
+	 */
+	down_read(&uts_sem);
+	memcpy(tmp_data, get_uts(table), sizeof(tmp_data));
+	up_read(&uts_sem);
 	r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
-	put_uts(table, write, uts_table.data);
 
-	if (write)
+	if (write) {
+		/*
+		 * Write back the new value.
+		 * Note that, since we dropped uts_sem, the result can
+		 * theoretically be incorrect if there are two parallel writes
+		 * at non-zero offsets to the same sysctl.
+		 */
+		down_write(&uts_sem);
+		memcpy(get_uts(table), tmp_data, sizeof(tmp_data));
+		up_write(&uts_sem);
 		proc_sys_poll_notify(table->poll);
+	}
 
 	return r;
 }
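Review bot: In proc_do_uts_string() the write-back under down_write() runs whenever write is set, without looking at r. If proc_dostring() fails, tmp_data still holds the snapshot taken earlier under down_read(), and copying it back can overwrite a sethostname() or setdomainname() that completed in between. Guarding the write-back with "if (write && !r)" would narrow that; the remaining race between two parallel sysctl writes is already called out in the new comment. Both memcpy() calls also copy sizeof(tmp_data) bytes regardless of table->maxlen, so it is worth stating that every uts sysctl entry is backed by a field of at least __NEW_UTS_LEN + 1 bytes.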
- * [PATCH 4.18 111/145] userns: move user access out of the mutex
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 110/145] sys: dont hold uts_sem while accessing userspace memory Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 112/145] ubifs: Fix memory leak in lprobs self-check Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jann Horn, Christian Brauner,
	Serge Hallyn, Eric W. Biederman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
The old code would hold the userns_state_mutex indefinitely if
memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
moving the memdup_user_nul in front of the mutex_lock().
Note: This changes the error precedence of invalid buf/count/*ppos vs
map already written / capabilities missing.
Fixes: 22d917d80e84 ("userns: Rework the user_namespace adding uid/gid...")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian@brauner.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/user_namespace.c |   24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -859,7 +859,16 @@ static ssize_t map_write(struct file *fi
 	unsigned idx;
 	struct uid_gid_extent extent;
 	char *kbuf = NULL, *pos, *next_line;
-	ssize_t ret = -EINVAL;
+	ssize_t ret;
+
+	/* Only allow < page size writes at the beginning of the file */
+	if ((*ppos != 0) || (count >= PAGE_SIZE))
+		return -EINVAL;
+
+	/* Slurp in the user data */
+	kbuf = memdup_user_nul(buf, count);
+	if (IS_ERR(kbuf))
+		return PTR_ERR(kbuf);
 
 	/*
 	 * The userns_state_mutex serializes all writes to any given map.
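Review bot: With memdup_user_nul() moved ahead of mutex_lock(), kbuf is live across every later "goto out", including the capability check shown in the next hunk, which used to run before any allocation. Please confirm that the out label still ends in an unconditional kfree(kbuf); it is not visible in these hunks. The "= NULL" initialiser on kbuf is now redundant, since kbuf is assigned before anything reads it.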
@@ -895,19 +904,6 @@ static ssize_t map_write(struct file *fi
 	if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
 		goto out;
 
-	/* Only allow < page size writes at the beginning of the file */
-	ret = -EINVAL;
-	if ((*ppos != 0) || (count >= PAGE_SIZE))
-		goto out;
-
-	/* Slurp in the user data */
-	kbuf = memdup_user_nul(buf, count);
-	if (IS_ERR(kbuf)) {
-		ret = PTR_ERR(kbuf);
-		kbuf = NULL;
-		goto out;
-	}
-
 	/* Parse the user data */
 	ret = -EINVAL;
 	pos = kbuf;
- * [PATCH 4.18 112/145] ubifs: Fix memory leak in lprobs self-check
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 111/145] userns: move user access out of the mutex Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 113/145] Revert "UBIFS: Fix potential integer overflow in allocation" Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Richard Weinberger
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit eef19816ada3abd56d9f20c88794cc2fea83ebb2 upstream.
Allocate the buffer after we return early.
Otherwise memory is being leaked.
Cc: <stable@vger.kernel.org>
Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ubifs/lprops.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/ubifs/lprops.c
+++ b/fs/ubifs/lprops.c
@@ -1089,10 +1089,6 @@ static int scan_check_cb(struct ubifs_in
 		}
 	}
 
-	buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL);
-	if (!buf)
-		return -ENOMEM;
-
 	/*
 	 * After an unclean unmount, empty and freeable LEBs
 	 * may contain garbage - do not scan them.
@@ -1111,6 +1107,10 @@ static int scan_check_cb(struct ubifs_in
 		return LPT_SCAN_CONTINUE;
 	}
 
+	buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL);
+	if (!buf)
+		return -ENOMEM;
+
 	sleb = ubifs_scan(c, lnum, 0, buf, 0);
 	if (IS_ERR(sleb)) {
 		ret = PTR_ERR(sleb);
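Review bot: buf is now unassigned for the whole stretch between its old allocation site and the new one after "return LPT_SCAN_CONTINUE;", so the fix is only safe if every exit in that stretch is a plain return. If any of the code not shown here jumps to a label that calls vfree(buf), buf would be used uninitialised; either confirm there is no such path or initialise buf to NULL at its declaration.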
- * [PATCH 4.18 113/145] Revert "UBIFS: Fix potential integer overflow in allocation"
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 112/145] ubifs: Fix memory leak in lprobs self-check Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 114/145] ubifs: Check data node size before truncate Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Silvio Cesare,
	Richard Weinberger
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 upstream.
This reverts commit 353748a359f1821ee934afc579cf04572406b420.
It bypassed the linux-mtd review process and fixes the issue not as it
should.
Cc: Kees Cook <keescook@chromium.org>
Cc: Silvio Cesare <silvio.cesare@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ubifs/journal.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1282,11 +1282,10 @@ static int truncate_data_node(const stru
 			      int *new_len)
 {
 	void *buf;
-	int err, compr_type;
-	u32 dlen, out_len, old_dlen;
+	int err, dlen, compr_type, out_len, old_dlen;
 
 	out_len = le32_to_cpu(dn->size);
-	buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
+	buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
 	if (!buf)
 		return -ENOMEM;
 
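Review bot: Going back to kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS) with a signed int out_len taken straight from le32_to_cpu(dn->size) leaves the multiplication unchecked again, so an oversized or negative on-media size reaches the allocator unless the caller has already bounded it. The commit message should name the change that replaces the reverted check (in this series, "ubifs: Check data node size before truncate") so that the two are never backported apart.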
- * [PATCH 4.18 114/145] ubifs: Check data node size before truncate
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 113/145] Revert "UBIFS: Fix potential integer overflow in allocation" Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 115/145] ubifs: xattr: Dont operate on deleted inodes Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Silvio Cesare,
	Richard Weinberger
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 95a22d2084d72ea067d8323cc85677dba5d97cae upstream.
Check whether the size is within bounds before using it.
If the size is not correct, abort and dump the bad data node.
Cc: Kees Cook <keescook@chromium.org>
Cc: Silvio Cesare <silvio.cesare@gmail.com>
Cc: stable@vger.kernel.org
Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ubifs/journal.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1387,7 +1387,16 @@ int ubifs_jnl_truncate(struct ubifs_info
 		else if (err)
 			goto out_free;
 		else {
-			if (le32_to_cpu(dn->size) <= dlen)
+			int dn_len = le32_to_cpu(dn->size);
+
+			if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) {
+				ubifs_err(c, "bad data node (block %u, inode %lu)",
+					  blk, inode->i_ino);
+				ubifs_dump_node(c, dn);
+				goto out_free;
+			}
+
+			if (dn_len <= dlen)
 				dlen = 0; /* Nothing to do */
 			else {
 				err = truncate_data_node(c, inode, blk, dn, &dlen);
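Review bot: The new bad-node branch jumps to out_free without assigning err. It sits in the final else after "else if (err) goto out_free;", so err is zero at that point, and if out_free returns err the truncate would report success after logging a corrupt data node. Set an explicit error such as -EUCLEAN before the goto.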
- * [PATCH 4.18 115/145] ubifs: xattr: Dont operate on deleted inodes
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 114/145] ubifs: Check data node size before truncate Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 116/145] ubifs: Fix directory size calculation for symlinks Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Richard Weinberger
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 11a6fc3dc743e22fb50f2196ec55bee5140d3c52 upstream.
xattr operations can race with unlink and the following assert triggers:
UBIFS assert failed in ubifs_jnl_change_xattr at 1606 (pid 6256)
Fix this by checking i_nlink before working on the host inode.
Cc: <stable@vger.kernel.org>
Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ubifs/xattr.c |   24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -152,6 +152,12 @@ static int create_xattr(struct ubifs_inf
 	ui->data_len = size;
 
 	mutex_lock(&host_ui->ui_mutex);
+
+	if (!host->i_nlink) {
+		err = -ENOENT;
+		goto out_noent;
+	}
+
 	host->i_ctime = current_time(host);
 	host_ui->xattr_cnt += 1;
 	host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm));
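Review bot: The "!host->i_nlink" check is pasted verbatim into create_xattr(), change_xattr() and remove_xattr() with no comment saying what it guards against. A one-line comment naming the race with unlink, or a small helper, would document why the test has to sit inside host_ui->ui_mutex, especially since ubifs_xattr_remove() at the end of this patch performs the same test before that mutex is taken.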
@@ -184,6 +190,7 @@ out_cancel:
 	host_ui->xattr_size -= CALC_XATTR_BYTES(size);
 	host_ui->xattr_names -= fname_len(nm);
 	host_ui->flags &= ~UBIFS_CRYPT_FL;
+out_noent:
 	mutex_unlock(&host_ui->ui_mutex);
 out_free:
 	make_bad_inode(inode);
@@ -235,6 +242,12 @@ static int change_xattr(struct ubifs_inf
 	mutex_unlock(&ui->ui_mutex);
 
 	mutex_lock(&host_ui->ui_mutex);
+
+	if (!host->i_nlink) {
+		err = -ENOENT;
+		goto out_noent;
+	}
+
 	host->i_ctime = current_time(host);
 	host_ui->xattr_size -= CALC_XATTR_BYTES(old_size);
 	host_ui->xattr_size += CALC_XATTR_BYTES(size);
@@ -256,6 +269,7 @@ static int change_xattr(struct ubifs_inf
 out_cancel:
 	host_ui->xattr_size -= CALC_XATTR_BYTES(size);
 	host_ui->xattr_size += CALC_XATTR_BYTES(old_size);
+out_noent:
 	mutex_unlock(&host_ui->ui_mutex);
 	make_bad_inode(inode);
 out_free:
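Review bot: In change_xattr() the new out_noent label falls through to make_bad_inode(inode), and the check that jumps to it comes after the mutex_unlock(&ui->ui_mutex) shown in the previous hunk. Whatever was updated on the xattr inode under ui->ui_mutex is therefore left in place on the -ENOENT path. If that is acceptable because the host is already unlinked, say so in a comment; otherwise the new check belongs before the xattr inode is modified.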
@@ -482,6 +496,12 @@ static int remove_xattr(struct ubifs_inf
 		return err;
 
 	mutex_lock(&host_ui->ui_mutex);
+
+	if (!host->i_nlink) {
+		err = -ENOENT;
+		goto out_noent;
+	}
+
 	host->i_ctime = current_time(host);
 	host_ui->xattr_cnt -= 1;
 	host_ui->xattr_size -= CALC_DENT_SIZE(fname_len(nm));
@@ -501,6 +521,7 @@ out_cancel:
 	host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm));
 	host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len);
 	host_ui->xattr_names += fname_len(nm);
+out_noent:
 	mutex_unlock(&host_ui->ui_mutex);
 	ubifs_release_budget(c, &req);
 	make_bad_inode(inode);
@@ -540,6 +561,9 @@ static int ubifs_xattr_remove(struct ino
 
 	ubifs_assert(inode_is_locked(host));
 
+	if (!host->i_nlink)
+		return -ENOENT;
+
 	if (fname_len(&nm) > UBIFS_MAX_NLEN)
 		return -ENAMETOOLONG;
 
- * [PATCH 4.18 116/145] ubifs: Fix directory size calculation for symlinks
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 115/145] ubifs: xattr: Dont operate on deleted inodes Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 117/145] ubifs: Fix synced_i_size calculation for xattr inodes Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Richard Weinberger
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 00ee8b60102862f4daf0814d12a2ea2744fc0b9b upstream.
We have to account the name of the symlink and not the target length.
Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks")
Cc: <stable@vger.kernel.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ubifs/dir.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -1123,8 +1123,7 @@ static int ubifs_symlink(struct inode *d
 	struct ubifs_inode *ui;
 	struct ubifs_inode *dir_ui = ubifs_inode(dir);
 	struct ubifs_info *c = dir->i_sb->s_fs_info;
-	int err, len = strlen(symname);
-	int sz_change = CALC_DENT_SIZE(len);
+	int err, sz_change, len = strlen(symname);
 	struct fscrypt_str disk_link;
 	struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1,
 					.new_ino_d = ALIGN(len, 8),
@@ -1151,6 +1150,8 @@ static int ubifs_symlink(struct inode *d
 	if (err)
 		goto out_budg;
 
+	sz_change = CALC_DENT_SIZE(fname_len(&nm));
+
 	inode = ubifs_new_inode(c, dir, S_IFLNK | S_IRWXUGO);
 	if (IS_ERR(inode)) {
 		err = PTR_ERR(inode);
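Review bot: sz_change is now declared without an initialiser and only assigned after the "if (err) goto out_budg;" just above the new line, so the out_budg path must not read it. The unwinding code is not visible here; if out_budg, or a label it falls into, subtracts sz_change from the directory size, initialise sz_change to 0 at its declaration.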
- * [PATCH 4.18 117/145] ubifs: Fix synced_i_size calculation for xattr inodes
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2018-09-07 21:09 ` [PATCH 4.18 116/145] ubifs: Fix directory size calculation for symlinks Greg Kroah-Hartman
@ 2018-09-07 21:09 ` Greg Kroah-Hartman
  2018-09-07 21:09 ` [PATCH 4.18 118/145] pwm: tiehrpwm: Dont use emulation mode bits to control PWM output Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Richard Weinberger
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 59965593205fa4044850d35ee3557cf0b7edcd14 upstream.
In ubifs_jnl_update() we sync parent and child inodes to the flash,
in case of xattrs, the parent inode (AKA host inode) has a non-zero
data_len. Therefore we need to adjust synced_i_size too.
This issue was reported by ubifs self tests under an xattr-related
workload.
UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: ui_size is 4, synced_i_size is 0, but inode is clean
UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: i_ino 65, i_mode 0x81a4, i_size 4
Cc: <stable@vger.kernel.org>
Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ubifs/journal.c |    5 +++++
 1 file changed, 5 insertions(+)
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -664,6 +664,11 @@ int ubifs_jnl_update(struct ubifs_info *
 	spin_lock(&ui->ui_lock);
 	ui->synced_i_size = ui->ui_size;
 	spin_unlock(&ui->ui_lock);
+	if (xent) {
+		spin_lock(&host_ui->ui_lock);
+		host_ui->synced_i_size = host_ui->ui_size;
+		spin_unlock(&host_ui->ui_lock);
+	}
 	mark_inode_clean(c, ui);
 	mark_inode_clean(c, host_ui);
 	return 0;
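Review bot: the new "if (xent)" block updates host_ui->synced_i_size only in the xattr case, while mark_inode_clean(c, host_ui) right below it runs for every caller, and nothing in the code says why the two differ. A short comment above the block (the host inode of an xattr has a non-zero data_len, so its synced size has to follow ui_size before it is marked clean) would keep the pairing from being broken again.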
- * [PATCH 4.18 118/145] pwm: tiehrpwm: Dont use emulation mode bits to control PWM output
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vignesh R, Thierry Reding
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Vignesh R <vigneshr@ti.com>
commit aa49d628f6e016bcec8c6f8e704b9b18ee697329 upstream.
As per AM335x TRM SPRUH73P "15.2.2.11 ePWM Behavior During Emulation",
TBCTL[15:14] only have effect during emulation suspend events (IOW,
to stop PWM when debugging using a debugger). These bits have no effect
on PWM output during normal running of system. Hence, remove code
accessing these bits as they have no role in enabling/disabling PWMs.
Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
Cc: stable@vger.kernel.org
Signed-off-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pwm/pwm-tiehrpwm.c |   12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)
--- a/drivers/pwm/pwm-tiehrpwm.c
+++ b/drivers/pwm/pwm-tiehrpwm.c
@@ -33,10 +33,6 @@
 #define TBCTL			0x00
 #define TBPRD			0x0A
 
-#define TBCTL_RUN_MASK		(BIT(15) | BIT(14))
-#define TBCTL_STOP_NEXT		0
-#define TBCTL_STOP_ON_CYCLE	BIT(14)
-#define TBCTL_FREE_RUN		(BIT(15) | BIT(14))
 #define TBCTL_PRDLD_MASK	BIT(3)
 #define TBCTL_PRDLD_SHDW	0
 #define TBCTL_PRDLD_IMDT	BIT(3)
@@ -360,7 +356,7 @@ static int ehrpwm_pwm_enable(struct pwm_
 	/* Channels polarity can be configured from action qualifier module */
 	configure_polarity(pc, pwm->hwpwm);
 
-	/* Enable TBCLK before enabling PWM device */
+	/* Enable TBCLK */
 	ret = clk_enable(pc->tbclk);
 	if (ret) {
 		dev_err(chip->dev, "Failed to enable TBCLK for %s: %d\n",
@@ -368,9 +364,6 @@ static int ehrpwm_pwm_enable(struct pwm_
 		return ret;
 	}
 
-	/* Enable time counter for free_run */
-	ehrpwm_modify(pc->mmio_base, TBCTL, TBCTL_RUN_MASK, TBCTL_FREE_RUN);
-
 	return 0;
 }
 
@@ -400,9 +393,6 @@ static void ehrpwm_pwm_disable(struct pw
 	/* Disabling TBCLK on PWM disable */
 	clk_disable(pc->tbclk);
 
-	/* Stop Time base counter */
-	ehrpwm_modify(pc->mmio_base, TBCTL, TBCTL_RUN_MASK, TBCTL_STOP_NEXT);
-
 	/* Disable clock on PWM disable */
 	pm_runtime_put_sync(chip->dev);
 }
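Review bot: with the TBCTL write removed from ehrpwm_pwm_disable(), the comments "Disabling TBCLK on PWM disable" and "Disable clock on PWM disable" now sit back to back and read as the same step. Reword the second one to say that it drops the runtime PM reference taken for the device (pm_runtime_put_sync), so the two clock operations stay distinguishable.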
- * [PATCH 4.18 119/145] pwm: tiehrpwm: Fix disabling of output of PWMs
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vignesh R, Thierry Reding
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Vignesh R <vigneshr@ti.com>
commit 38dabd91ff0bde33352ca3cc65ef515599b77a05 upstream.
pwm-tiehrpwm driver disables PWM output by putting it in low output
state via active AQCSFRC register in ehrpwm_pwm_disable(). But, the
AQCSFRC shadow register is not updated. Therefore, when shadow AQCSFRC
register is re-enabled in ehrpwm_pwm_enable() (say to enable second PWM
output), previous settings are lost as shadow register value is loaded
into active register. This results in things like PWMA getting enabled
automatically, when PWMB is enabled and vice versa. Fix this by
updating AQCSFRC shadow register as well during ehrpwm_pwm_disable().
Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
Cc: stable@vger.kernel.org
Signed-off-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pwm/pwm-tiehrpwm.c |    2 ++
 1 file changed, 2 insertions(+)
--- a/drivers/pwm/pwm-tiehrpwm.c
+++ b/drivers/pwm/pwm-tiehrpwm.c
@@ -381,6 +381,8 @@ static void ehrpwm_pwm_disable(struct pw
 		aqcsfrc_mask = AQCSFRC_CSFA_MASK;
 	}
 
+	/* Update shadow register first before modifying active register */
+	ehrpwm_modify(pc->mmio_base, AQCSFRC, aqcsfrc_mask, aqcsfrc_val);
 	/*
 	 * Changes to immediate action on Action Qualifier. This puts
 	 * Action Qualifier control on PWM output from next TBCLK
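Review bot: the added ehrpwm_modify() call targets the same AQCSFRC offset that, per the commit message, is written again as the active register once the code below has switched to immediate mode. The only thing that makes this first write reach the shadow copy is its position before that switch. The comment should state that dependency explicitly (load mode is still shadow here, so this write updates the shadow register), because swapping the two writes would silently bring the bug back. A blank line between the call and the following block comment would also help readability.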
- * [PATCH 4.18 120/145] fb: fix lost console when the user unplugs a USB adapter
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Dave Airlie,
	Bernie Thompson, Ladislav Michl, Bartlomiej Zolnierkiewicz
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 8c5b044299951acd91e830a688dd920477ea1eda upstream.
I have a USB display adapter using the udlfb driver and I use it on an ARM
board that doesn't have any graphics card. When I plug the adapter in, the
console is properly displayed, however when I unplug and re-plug the
adapter, the console is not displayed and I can't access it until I reboot
the board.
The reason is this:
When the adapter is unplugged, dlfb_usb_disconnect calls
unlink_framebuffer, then it waits until the reference count drops to zero
and then it deallocates the framebuffer. However, the console that is
attached to the framebuffer device keeps the reference count non-zero, so
the framebuffer device is never destroyed. When the USB adapter is plugged
again, it creates a new device /dev/fb1 and the console is not attached to
it.
This patch fixes the bug by unbinding the console from unlink_framebuffer.
The code to unbind the console is moved from do_unregister_framebuffer to
a function unbind_console. When the console is unbound, the reference
count drops to zero and the udlfb driver frees the framebuffer. When the
adapter is plugged back, a new framebuffer is created and the console is
attached to it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Bernie Thompson <bernie@plugable.com>
Cc: Ladislav Michl <ladis@linux-mips.org>
Cc: stable@vger.kernel.org
[b.zolnierkie: preserve old behavior for do_unregister_framebuffer()]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/core/fbmem.c |   38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1704,12 +1704,12 @@ static int do_register_framebuffer(struc
 	return 0;
 }
 
-static int do_unregister_framebuffer(struct fb_info *fb_info)
+static int unbind_console(struct fb_info *fb_info)
 {
 	struct fb_event event;
-	int i, ret = 0;
+	int ret;
+	int i = fb_info->node;
 
-	i = fb_info->node;
 	if (i < 0 || i >= FB_MAX || registered_fb[i] != fb_info)
 		return -EINVAL;
 
@@ -1724,17 +1724,29 @@ static int do_unregister_framebuffer(str
 	unlock_fb_info(fb_info);
 	console_unlock();
 
+	return ret;
+}
+
+static int __unlink_framebuffer(struct fb_info *fb_info);
+
+static int do_unregister_framebuffer(struct fb_info *fb_info)
+{
+	struct fb_event event;
+	int ret;
+
+	ret = unbind_console(fb_info);
+
 	if (ret)
 		return -EINVAL;
 
 	pm_vt_switch_unregister(fb_info->dev);
 
-	unlink_framebuffer(fb_info);
+	__unlink_framebuffer(fb_info);
 	if (fb_info->pixmap.addr &&
 	    (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT))
 		kfree(fb_info->pixmap.addr);
 	fb_destroy_modelist(&fb_info->modelist);
-	registered_fb[i] = NULL;
+	registered_fb[fb_info->node] = NULL;
 	num_registered_fb--;
 	fb_cleanup_device(fb_info);
 	event.info = fb_info;
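Review bot: ret in unbind_console() lost its "= 0" initializer in the previous hunk and is returned by the "return ret;" added at the top of this one, so every path between the -EINVAL check and console_unlock() has to assign it; please confirm that, or keep the initializer. In do_unregister_framebuffer(), "if (ret) return -EINVAL;" also discards whatever error unbind_console() reported. If that is deliberate, to preserve the old return value as the b.zolnierkie note suggests, a comment at that line would stop someone from changing it later.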
@@ -1747,7 +1759,7 @@ static int do_unregister_framebuffer(str
 	return 0;
 }
 
-int unlink_framebuffer(struct fb_info *fb_info)
+static int __unlink_framebuffer(struct fb_info *fb_info)
 {
 	int i;
 
@@ -1759,6 +1771,20 @@ int unlink_framebuffer(struct fb_info *f
 		device_destroy(fb_class, MKDEV(FB_MAJOR, i));
 		fb_info->dev = NULL;
 	}
+
+	return 0;
+}
+
+int unlink_framebuffer(struct fb_info *fb_info)
+{
+	int ret;
+
+	ret = __unlink_framebuffer(fb_info);
+	if (ret)
+		return ret;
+
+	unbind_console(fb_info);
+
 	return 0;
 }
 EXPORT_SYMBOL(unlink_framebuffer);
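Review bot: the new unlink_framebuffer() ignores the return value of unbind_console(fb_info) and returns 0 regardless. If unbinding fails, the console keeps its reference and the situation from the commit message (framebuffer never freed after unplug, console lost on re-plug) returns with no indication to the caller. Propagate the error, or at least log it, and add a kernel-doc line saying that this exported function now also unbinds the console.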
- * [PATCH 4.18 121/145] udlfb: fix semaphore value leak
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Bartlomiej Zolnierkiewicz
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 9d0aa601e4cd9c0892f90d36e8488d79b72f4073 upstream.
I observed that the performance of the udl fb driver degrades over time.
On a freshly booted machine, it takes 6 seconds to do "ls -la /usr/bin";
after some time of use, the same operation takes 14 seconds.
The reason is that the value of "limit_sem" decays over time.
The udl driver uses a semaphore "limit_sem" to specify how many free urbs
there are on dlfb->urbs.list. If the count is zero, the "down" operation
will sleep until some urbs are added to the freelist.
In order to avoid some hypothetical deadlock, the driver will not call
"up" immediately, but it will offload it to a workqueue. The problem is
that if we call "schedule_delayed_work" on the same work item multiple
times, the work item may only be executed once.
This is happening:
* some urb completes
* dlfb_urb_completion adds it to the free list
* dlfb_urb_completion calls schedule_delayed_work to schedule the function
  dlfb_release_urb_work to increase the semaphore count
* as the urb is on the free list, some other task grabs it and submits it
* the submitted urb completes, dlfb_urb_completion is called again
* dlfb_urb_completion calls schedule_delayed_work, but the work is already
  scheduled, so it does nothing
* finally, dlfb_release_urb_work is called, it increases the semaphore
  count by 1, although it should increase it by 2
So, the semaphore count is decreasing over time, and this causes gradual
performance degradation.
Note that in the current kernel, the "up" function may be called from
interrupt and it may race with the "down" function called by another
thread, so we don't have to offload the call of "up" to a workqueue at
all. This patch removes the workqueue code. The patch also changes
"down_interruptible" to "down" in dlfb_free_urb_list, so that we will
clean up the driver properly even if a signal arrives.
With this patch, the performance of udlfb no longer degrades.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
[b.zolnierkie: fix immediatelly -> immediately typo]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |   27 ++-------------------------
 include/video/udlfb.h       |    1 -
 2 files changed, 2 insertions(+), 26 deletions(-)
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -922,14 +922,6 @@ static void dlfb_free(struct kref *kref)
 	kfree(dlfb);
 }
 
-static void dlfb_release_urb_work(struct work_struct *work)
-{
-	struct urb_node *unode = container_of(work, struct urb_node,
-					      release_urb_work.work);
-
-	up(&unode->dlfb->urbs.limit_sem);
-}
-
 static void dlfb_free_framebuffer(struct dlfb_data *dlfb)
 {
 	struct fb_info *info = dlfb->info;
@@ -1789,14 +1781,7 @@ static void dlfb_urb_completion(struct u
 	dlfb->urbs.available++;
 	spin_unlock_irqrestore(&dlfb->urbs.lock, flags);
 
-	/*
-	 * When using fb_defio, we deadlock if up() is called
-	 * while another is waiting. So queue to another process.
-	 */
-	if (fb_defio)
-		schedule_delayed_work(&unode->release_urb_work, 0);
-	else
-		up(&dlfb->urbs.limit_sem);
+	up(&dlfb->urbs.limit_sem);
 }
 
 static void dlfb_free_urb_list(struct dlfb_data *dlfb)
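Review bot: the deleted comment in dlfb_urb_completion() warned that calling up() here deadlocks under fb_defio, and the replacement is a bare "up(&dlfb->urbs.limit_sem);" with nothing in the code explaining why that warning no longer applies. Add a one-line comment that up() is safe to call from completion (interrupt) context, so the workqueue indirection is not reintroduced by someone who only remembers the old comment.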
@@ -1805,16 +1790,11 @@ static void dlfb_free_urb_list(struct dl
 	struct list_head *node;
 	struct urb_node *unode;
 	struct urb *urb;
-	int ret;
 	unsigned long flags;
 
 	/* keep waiting and freeing, until we've got 'em all */
 	while (count--) {
-
-		/* Getting interrupted means a leak, but ok at disconnect */
-		ret = down_interruptible(&dlfb->urbs.limit_sem);
-		if (ret)
-			break;
+		down(&dlfb->urbs.limit_sem);
 
 		spin_lock_irqsave(&dlfb->urbs.lock, flags);
 
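Review bot: "down(&dlfb->urbs.limit_sem);" in dlfb_free_urb_list() is an unbounded, unkillable wait that runs count times. That is correct only if every outstanding URB is guaranteed to complete and call up(). If one never does, disconnect hangs in uninterruptible sleep, where the old down_interruptible() at least allowed a way out. Consider down_timeout() with a logged warning on expiry, or state in a comment why completion is guaranteed at this point.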
@@ -1854,9 +1834,6 @@ static int dlfb_alloc_urb_list(struct dl
 			break;
 		unode->dlfb = dlfb;
 
-		INIT_DELAYED_WORK(&unode->release_urb_work,
-			  dlfb_release_urb_work);
-
 		urb = usb_alloc_urb(0, GFP_KERNEL);
 		if (!urb) {
 			kfree(unode);
--- a/include/video/udlfb.h
+++ b/include/video/udlfb.h
@@ -20,7 +20,6 @@ struct dloarea {
 struct urb_node {
 	struct list_head entry;
 	struct dlfb_data *dlfb;
-	struct delayed_work release_urb_work;
 	struct urb *urb;
 };
 
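The accounting error described in the commit message above, replayed as a small user-space model (an added example, not code from the patch or from the udlfb driver). The two-URB pool, the FIFO free list and the order in which the work items run are assumptions chosen to reproduce the described sequence, and every name is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

#define NURBS 2

/* Constructed model of the semaphore accounting; names are hypothetical. */
struct pool {
	int sem;                  /* count of the limiting semaphore */
	int fifo[NURBS];          /* free list, oldest entry first (assumed FIFO) */
	int nfree;                /* number of URBs on the free list */
	bool work_pending[NURBS]; /* one deferred-"up" work item per URB */
	bool defer_up;            /* true: old scheme, false: patched scheme */
};

static void pool_init(struct pool *p, bool defer_up)
{
	p->sem = NURBS;
	p->nfree = NURBS;
	p->defer_up = defer_up;
	for (int i = 0; i < NURBS; i++) {
		p->fifo[i] = i;
		p->work_pending[i] = false;
	}
}

/* down() plus taking the oldest free URB; -1 where the real caller would sleep. */
static int pool_get(struct pool *p)
{
	int id;

	if (p->sem == 0)
		return -1;
	p->sem--;
	id = p->fifo[0];
	for (int i = 1; i < p->nfree; i++)
		p->fifo[i - 1] = p->fifo[i];
	p->nfree--;
	return id;
}

/* Completion: put the URB back on the free list, then credit the semaphore. */
static void pool_complete(struct pool *p, int id)
{
	p->fifo[p->nfree++] = id;
	if (!p->defer_up) {
		p->sem++;         /* patched scheme: up() is called directly */
		return;
	}
	/* old scheme: queue the work item; queuing a pending item does nothing */
	if (!p->work_pending[id])
		p->work_pending[id] = true;
}

/* The deferred work item of one URB runs and performs a single up(). */
static void pool_run_work(struct pool *p, int id)
{
	if (p->work_pending[id]) {
		p->work_pending[id] = false;
		p->sem++;
	}
}

/* Replays the interleaving; returns the semaphore count once all is idle. */
static int replay(bool defer_up)
{
	struct pool p;
	int a, b, again;

	pool_init(&p, defer_up);
	a = pool_get(&p);         /* URB 0 submitted */
	b = pool_get(&p);         /* URB 1 submitted */
	pool_complete(&p, a);     /* URB 0 completes, its "up" is still owed */
	pool_complete(&p, b);     /* URB 1 completes */
	pool_run_work(&p, b);     /* URB 1's work happens to run first */
	again = pool_get(&p);     /* head of the list is URB 0: taken again */
	pool_complete(&p, again); /* second completion, work already pending */
	pool_run_work(&p, a);     /* one up() for two completions */
	pool_run_work(&p, b);     /* nothing left pending for URB 1 */
	return p.sem;
}

int main(void)
{
	printf("free URBs: %d\n", NURBS);
	printf("semaphore with deferred up(): %d\n", replay(true));
	printf("semaphore with direct up():   %d\n", replay(false));
	return 0;
}
```

Both runs end with both URBs on the free list; only the deferred scheme ends with a semaphore count below that, which is the decay the commit message reports.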
- * [PATCH 4.18 122/145] udlfb: fix display corruption of the last line
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Bartlomiej Zolnierkiewicz
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 4e705e17ce3409a1f492cfd5dadcf6a4f6075842 upstream.
The displaylink hardware has such a peculiarity that it doesn't render a
command until next command is received. This produces occasional
corruption, such as when setting 22x11 font on the console, only the first
line of the cursor will be blinking if the cursor is located at some
specific columns.
When we end up with a repeating pixel, the driver has a bug that it leaves
one uninitialized byte after the command (and this byte is enough to flush
the command and render it - thus it fixes the screen corruption), however
when we end up with a non-repeating pixel, there is no byte appended and
this results in temporary screen corruption.
This patch fixes the screen corruption by always appending a byte 0xAF at
the end of URB. It also removes the uninitialized byte.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |   30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -27,6 +27,7 @@
 #include <linux/slab.h>
 #include <linux/prefetch.h>
 #include <linux/delay.h>
+#include <asm/unaligned.h>
 #include <video/udlfb.h>
 #include "edid.h"
 
@@ -450,17 +451,17 @@ static void dlfb_compress_hline(
 		raw_pixels_count_byte = cmd++; /*  we'll know this later */
 		raw_pixel_start = pixel;
 
-		cmd_pixel_end = pixel + min(MAX_CMD_PIXELS + 1,
-			min((int)(pixel_end - pixel),
-			    (int)(cmd_buffer_end - cmd) / BPP));
+		cmd_pixel_end = pixel + min3(MAX_CMD_PIXELS + 1UL,
+					(unsigned long)(pixel_end - pixel),
+					(unsigned long)(cmd_buffer_end - 1 - cmd) / BPP);
 
-		prefetch_range((void *) pixel, (cmd_pixel_end - pixel) * BPP);
+		prefetch_range((void *) pixel, (u8 *)cmd_pixel_end - (u8 *)pixel);
 
 		while (pixel < cmd_pixel_end) {
 			const uint16_t * const repeating_pixel = pixel;
 
-			*cmd++ = *pixel >> 8;
-			*cmd++ = *pixel;
+			put_unaligned_be16(*pixel, cmd);
+			cmd += 2;
 			pixel++;
 
 			if (unlikely((pixel < cmd_pixel_end) &&
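Review bot: in the new min3(), "(unsigned long)(cmd_buffer_end - 1 - cmd) / BPP" turns a negative pointer difference into a very large unsigned value, so this term bounds the copy only while cmd has not passed cmd_buffer_end - 1. The condition of the enclosing loop is not visible in this hunk. Please confirm it still guarantees that after the header bytes and "raw_pixels_count_byte = cmd++" have been emitted, or clamp explicitly before the cast, since this is the only thing keeping the put_unaligned_be16() writes inside the command buffer.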
@@ -486,13 +487,16 @@ static void dlfb_compress_hline(
 		if (pixel > raw_pixel_start) {
 			/* finalize last RAW span */
 			*raw_pixels_count_byte = (pixel-raw_pixel_start) & 0xFF;
+		} else {
+			/* undo unused byte */
+			cmd--;
 		}
 
 		*cmd_pixels_count_byte = (pixel - cmd_pixel_start) & 0xFF;
-		dev_addr += (pixel - cmd_pixel_start) * BPP;
+		dev_addr += (u8 *)pixel - (u8 *)cmd_pixel_start;
 	}
 
-	if (cmd_buffer_end <= MIN_RLX_CMD_BYTES + cmd) {
+	if (cmd_buffer_end - MIN_RLX_CMD_BYTES <= cmd) {
 		/* Fill leftover bytes with no-ops */
 		if (cmd_buffer_end > cmd)
 			memset(cmd, 0xAF, cmd_buffer_end - cmd);
@@ -610,8 +614,11 @@ static int dlfb_handle_damage(struct dlf
 	}
 
 	if (cmd > (char *) urb->transfer_buffer) {
+		int len;
+		if (cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length)
+			*cmd++ = 0xAF;
 		/* Send partial buffer remaining before exiting */
-		int len = cmd - (char *) urb->transfer_buffer;
+		len = cmd - (char *) urb->transfer_buffer;
 		ret = dlfb_submit_urb(dlfb, urb, len);
 		bytes_sent += len;
 	} else
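Review bot: the trailing 0xAF is appended only when "cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length" holds, so a URB whose buffer is exactly full is submitted without the flush byte and can still show the stale-command corruption the commit message describes. If the "- 1" added to the min3() in dlfb_compress_hline() is what reserves that byte, say so in a comment here. Otherwise reserve the byte when filling the buffer.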
@@ -735,8 +742,11 @@ static void dlfb_dpy_deferred_io(struct
 	}
 
 	if (cmd > (char *) urb->transfer_buffer) {
+		int len;
+		if (cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length)
+			*cmd++ = 0xAF;
 		/* Send partial buffer remaining before exiting */
-		int len = cmd - (char *) urb->transfer_buffer;
+		len = cmd - (char *) urb->transfer_buffer;
 		dlfb_submit_urb(dlfb, urb, len);
 		bytes_sent += len;
 	} else
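Review bot: this is a copy of the block added to dlfb_handle_damage() (declare len, append 0xAF if there is room, compute len). A small helper that finalizes the URB and returns len would keep the two paths from diverging. Note also that the return value of dlfb_submit_urb() is dropped here, whereas dlfb_handle_damage() stores it in ret.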
- * [PATCH 4.18 123/145] udlfb: dont switch if we are switching to the same videomode
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Bartlomiej Zolnierkiewicz
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 564f1807379298dfdb12ed0d5b25fcb89c238527 upstream.
The udlfb driver reprograms the hardware every time the user switches the
console, that makes it quite unusable when working on the console.
This patch makes the driver remember the videomode we are in and avoid
reprogramming the hardware if we switch to the same videomode.
We mask the "activate" field and the "FB_VMODE_SMOOTH_XPAN" flag when
comparing the videomode, because they cause spurious switches when
switching to and from the Xserver.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |   18 ++++++++++++++++--
 include/video/udlfb.h       |    1 +
 2 files changed, 17 insertions(+), 2 deletions(-)
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1041,10 +1041,24 @@ static int dlfb_ops_set_par(struct fb_in
 	int result;
 	u16 *pix_framebuffer;
 	int i;
+	struct fb_var_screeninfo fvs;
+
+	/* clear the activate field because it causes spurious miscompares */
+	fvs = info->var;
+	fvs.activate = 0;
+	fvs.vmode &= ~FB_VMODE_SMOOTH_XPAN;
+
+	if (!memcmp(&dlfb->current_mode, &fvs, sizeof(struct fb_var_screeninfo)))
+		return 0;
 
 	result = dlfb_set_video_mode(dlfb, &info->var);
 
-	if ((result == 0) && (dlfb->fb_count == 0)) {
+	if (result)
+		return result;
+
+	dlfb->current_mode = fvs;
+
+	if (dlfb->fb_count == 0) {
 
 		/* paint greenscreen */
 
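Review bot: when dlfb_set_video_mode() fails, the new "if (result) return result;" leaves dlfb->current_mode at its previous value, so a later request for that previous mode hits the memcmp() shortcut and returns 0 even though the hardware may have been partially reprogrammed. Clear current_mode on the failure path. The memcmp() over the whole struct fb_var_screeninfo also compares fields that do not affect how the hardware is programmed, which is why activate and FB_VMODE_SMOOTH_XPAN already need masking. Comparing only the fields dlfb_set_video_mode() consumes would be more robust.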
@@ -1056,7 +1070,7 @@ static int dlfb_ops_set_par(struct fb_in
 				   info->screen_base);
 	}
 
-	return result;
+	return 0;
 }
 
 /* To fonzi the jukebox (e.g. make blanking changes take effect) */
--- a/include/video/udlfb.h
+++ b/include/video/udlfb.h
@@ -56,6 +56,7 @@ struct dlfb_data {
 	atomic_t bytes_identical; /* saved effort with backbuffer comparison */
 	atomic_t bytes_sent; /* to usb, after compression including overhead */
 	atomic_t cpu_kcycles_used; /* transpired during pixel processing */
+	struct fb_var_screeninfo current_mode;
 };
 
 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
- * [PATCH 4.18 124/145] udlfb: set optimal write delay
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Bartlomiej Zolnierkiewicz
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit bb24153a3f13dd0dbc1f8055ad97fe346d598f66 upstream.
The default delay 5 jiffies is too much when the kernel is compiled with
HZ=100 - it results in jumpy cursor in Xwindow.
In order to find out the optimal delay, I benchmarked the driver on
1280x720x30fps video. I found out that with HZ=1000, 10ms is acceptable,
but with HZ=250 or HZ=300, we need 4ms, so that the video is played
without any frame skips.
This patch changes the delay to this value.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/video/udlfb.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/video/udlfb.h
+++ b/include/video/udlfb.h
@@ -87,7 +87,7 @@ struct dlfb_data {
 #define MIN_RAW_PIX_BYTES	2
 #define MIN_RAW_CMD_BYTES	(RAW_HEADER_BYTES + MIN_RAW_PIX_BYTES)
 
-#define DL_DEFIO_WRITE_DELAY    5 /* fb_deferred_io.delay in jiffies */
+#define DL_DEFIO_WRITE_DELAY    msecs_to_jiffies(HZ <= 300 ? 4 : 10) /* optimal value for 720p video */
 #define DL_DEFIO_WRITE_DISABLE  (HZ*60) /* "disable" with long delay */
 
 /* remove these once align.h patch is taken into kernel */
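Review bot: the "HZ <= 300 ? 4 : 10" threshold in DL_DEFIO_WRITE_DELAY is explained only in the commit message. The trailing comment ("optimal value for 720p video") should record that the numbers are milliseconds and which HZ values were measured. The macro also changes from an integer literal to a msecs_to_jiffies() call, so check that no user needs a plain constant. Note too that with HZ=100 the 4 ms request cannot become shorter than one jiffy, which is 10 ms.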
- * [PATCH 4.18 125/145] udlfb: make a local copy of fb_ops
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Bartlomiej Zolnierkiewicz
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 2c29cfc3eaf11779176bf41475cfca49bccba11c upstream.
The defio subsystem overwrites the method fb_ops->mmap. That method is
stored in module's static data - and that means that if we have multiple
displaylink adapters, they will overwrite each other's method.
In order to avoid interference between multiple adapters, we copy the
fb_ops structure to a device-local memory.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |    3 ++-
 include/video/udlfb.h       |    1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1665,7 +1665,8 @@ static void dlfb_init_framebuffer_work(s
 	dlfb->info = info;
 	info->par = dlfb;
 	info->pseudo_palette = dlfb->pseudo_palette;
-	info->fbops = &dlfb_ops;
+	dlfb->ops = dlfb_ops;
+	info->fbops = &dlfb->ops;
 
 	retval = fb_alloc_cmap(&info->cmap, 256, 0);
 	if (retval < 0) {
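Review bot: "info->fbops = &dlfb->ops;" makes the fb_info point into the dlfb allocation where it used to point at static module data, so dlfb now has to outlive every user of info->fbops. Please confirm that teardown releases the fb_info (or stops all users of fbops) before dlfb is freed. The copy also moves a table of function pointers into writable per-device memory, which deserves a line in the comment next to "struct fb_ops ops;" so nobody treats it as const.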
--- a/include/video/udlfb.h
+++ b/include/video/udlfb.h
@@ -51,6 +51,7 @@ struct dlfb_data {
 	int base8;
 	u32 pseudo_palette[256];
 	int blank_mode; /*one of FB_BLANK_ */
+	struct fb_ops ops;
 	/* blit-only rendering path metrics, exposed through sysfs */
 	atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
 	atomic_t bytes_identical; /* saved effort with backbuffer comparison */
- * [PATCH 4.18 126/145] udlfb: handle allocation failure
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Bartlomiej Zolnierkiewicz
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 080fb5240bdcabed7387b814139c3ea172d59fc5 upstream.
Allocations larger than PAGE_ALLOC_COSTLY_ORDER are unreliable and they
may fail anytime. This patch fixes the udlfb driver so that when a large
allocation fails, it tries to do multiple smaller allocations.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |   26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1843,17 +1843,22 @@ static void dlfb_free_urb_list(struct dl
 
 static int dlfb_alloc_urb_list(struct dlfb_data *dlfb, int count, size_t size)
 {
-	int i = 0;
 	struct urb *urb;
 	struct urb_node *unode;
 	char *buf;
+	size_t wanted_size = count * size;
 
 	spin_lock_init(&dlfb->urbs.lock);
 
+retry:
 	dlfb->urbs.size = size;
 	INIT_LIST_HEAD(&dlfb->urbs.list);
 
-	while (i < count) {
+	sema_init(&dlfb->urbs.limit_sem, 0);
+	dlfb->urbs.count = 0;
+	dlfb->urbs.available = 0;
+
+	while (dlfb->urbs.count * size < wanted_size) {
 		unode = kzalloc(sizeof(*unode), GFP_KERNEL);
 		if (!unode)
 			break;
@@ -1866,11 +1871,16 @@ static int dlfb_alloc_urb_list(struct dl
 		}
 		unode->urb = urb;
 
-		buf = usb_alloc_coherent(dlfb->udev, MAX_TRANSFER, GFP_KERNEL,
+		buf = usb_alloc_coherent(dlfb->udev, size, GFP_KERNEL,
 					 &urb->transfer_dma);
 		if (!buf) {
 			kfree(unode);
 			usb_free_urb(urb);
+			if (size > PAGE_SIZE) {
+				size /= 2;
+				dlfb_free_urb_list(dlfb);
+				goto retry;
+			}
 			break;
 		}
 
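Review bot: usb_alloc_coherent() now allocates size bytes where it used to allocate MAX_TRANSFER, and size can be halved repeatedly on retry down to PAGE_SIZE. Any code that fills or submits these buffers on the assumption that they hold MAX_TRANSFER bytes would then write past the allocation, so every user has to bound itself by dlfb->urbs.size or urb->transfer_buffer_length; please confirm that for this series. The retry path also frees and reallocates everything obtained so far, which deserves a comment at the "goto retry;".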
@@ -1881,14 +1891,12 @@ static int dlfb_alloc_urb_list(struct dl
 
 		list_add_tail(&unode->entry, &dlfb->urbs.list);
 
-		i++;
+		up(&dlfb->urbs.limit_sem);
+		dlfb->urbs.count++;
+		dlfb->urbs.available++;
 	}
 
-	sema_init(&dlfb->urbs.limit_sem, i);
-	dlfb->urbs.count = i;
-	dlfb->urbs.available = i;
-
-	return i;
+	return dlfb->urbs.count;
 }
 
 static struct urb *dlfb_get_urb(struct dlfb_data *dlfb)
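Review bot: the function now returns dlfb->urbs.count, and because the loop runs while "dlfb->urbs.count * size < wanted_size", that value is larger than the requested count once size has been halved. Callers that compare the result against the count they asked for, or size other structures from it, need checking. Document the new meaning of the return value above the function.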
- * [PATCH 4.18 127/145] udlfb: set line_length in dlfb_ops_set_par
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka,
	Bartlomiej Zolnierkiewicz
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 0ac319b7af1bb24a33365d0ec82a2f56a59b2a78 upstream.
Set the variable "line_length" in the function dlfb_ops_set_par. Without
this, we get garbage if we select a different videomode with fbset.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1057,6 +1057,7 @@ static int dlfb_ops_set_par(struct fb_in
 		return result;
 
 	dlfb->current_mode = fvs;
+	info->fix.line_length = info->var.xres * (info->var.bits_per_pixel / 8);
 
 	if (dlfb->fb_count == 0) {
 
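Review bot: `info->var.bits_per_pixel / 8` on the added line truncates, so any depth that is not a multiple of 8 gives a line_length that is too small (zero for depths below 8), and every later offset computed from it would be wrong. If the driver only ever accepts 16 bpp this is harmless, but say so in a comment, or round up with DIV_ROUND_UP(info->var.bits_per_pixel, 8) to make the assumption explicit.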
- * [PATCH 4.18 128/145] getxattr: use correct xattr length
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Watson, Christian Brauner,
	Serge Hallyn, Eric W. Biederman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Christian Brauner <christian@brauner.io>
commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 upstream.
When running in a container with a user namespace, if you call getxattr
with name = "system.posix_acl_access" and size % 8 != 4, then getxattr
silently skips the user namespace fixup that it normally does resulting in
un-fixed-up data being returned.
This is caused by posix_acl_fix_xattr_to_user() being passed the total
buffer size and not the actual size of the xattr as returned by
vfs_getxattr().
This commit passes the actual length of the xattr as returned by
vfs_getxattr() down.
A reproducer for the issue is:
  touch acl_posix
  setfacl -m user:0:rwx acl_posix
and the compile:
  #define _GNU_SOURCE
  #include <errno.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <sys/types.h>
  #include <unistd.h>
  #include <attr/xattr.h>
  /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */
  int main(int argc, void **argv)
  {
          ssize_t ret1, ret2;
          char buf1[128], buf2[132];
          int fret = EXIT_SUCCESS;
          char *file;
          if (argc < 2) {
                  fprintf(stderr,
                          "Please specify a file with "
                          "\"system.posix_acl_access\" permissions set\n");
                  _exit(EXIT_FAILURE);
          }
          file = argv[1];
          ret1 = getxattr(file, "system.posix_acl_access",
                          buf1, sizeof(buf1));
          if (ret1 < 0) {
                  fprintf(stderr, "%s - Failed to retrieve "
                                  "\"system.posix_acl_access\" "
                                  "from \"%s\"\n", strerror(errno), file);
                  _exit(EXIT_FAILURE);
          }
          ret2 = getxattr(file, "system.posix_acl_access",
                          buf2, sizeof(buf2));
          if (ret2 < 0) {
                  fprintf(stderr, "%s - Failed to retrieve "
                                  "\"system.posix_acl_access\" "
                                  "from \"%s\"\n", strerror(errno), file);
                  _exit(EXIT_FAILURE);
          }
          if (ret1 != ret2) {
                  fprintf(stderr, "The value of \"system.posix_acl_"
                                  "access\" for file \"%s\" changed "
                                  "between two successive calls\n", file);
                  _exit(EXIT_FAILURE);
          }
          for (ssize_t i = 0; i < ret2; i++) {
                  if (buf1[i] == buf2[i])
                          continue;
                  fprintf(stderr,
                          "Unexpected different in byte %zd: "
                          "%02x != %02x\n", i, buf1[i], buf2[i]);
                  fret = EXIT_FAILURE;
          }
          if (fret == EXIT_SUCCESS)
                  fprintf(stderr, "Test passed\n");
          else
                  fprintf(stderr, "Test failed\n");
          _exit(fret);
  }
and run:
  ./tester acl_posix
On a non-fixed up kernel this should return something like:
  root@c1:/# ./t
  Unexpected different in byte 16: ffffffa0 != 00
  Unexpected different in byte 17: ffffff86 != 00
  Unexpected different in byte 18: 01 != 00
and on a fixed kernel:
  root@c1:~# ./t
  Test passed
Cc: stable@vger.kernel.org
Fixes: 2f6f0654ab61 ("userns: Convert vfs posix_acl support to use kuids and kgids")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945
Reported-by: Colin Watson <cjwatson@ubuntu.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xattr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -539,7 +539,7 @@ getxattr(struct dentry *d, const char __
 	if (error > 0) {
 		if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
 		    (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
-			posix_acl_fix_xattr_to_user(kvalue, size);
+			posix_acl_fix_xattr_to_user(kvalue, error);
 		if (size && copy_to_user(value, kvalue, error))
 			error = -EFAULT;
 	} else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
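Review bot: on the changed line `error` is used as a byte count, while the `size &&` guard on the following copy_to_user() shows that this branch is also reached for a size-0 length query, where kvalue may not point at a buffer. Confirm posix_acl_fix_xattr_to_user() returns early on a NULL value before dereferencing it, and consider a local such as `len = error` so that the dual use of `error` as length and errno is not what the next reader has to decode.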
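Why the fixup depended on the caller's buffer size, modelled in userspace as an added example (not kernel code and not part of the original patch). The function names, the linear id mapping (host uid 100000 is namespace uid 0) and the sample ACL are constructed assumptions; the buffer sizes 128 and 132 are the reproducer's.

```c
/* Userspace model of the getxattr() POSIX ACL fixup; not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* system.posix_acl_access layout: 4-byte LE version, then 8-byte entries
 * (LE16 tag, LE16 perm, LE32 id). */
#define HDR_SIZE      4u
#define ENTRY_SIZE    8u
#define ACL_VERSION   2u
#define TAG_USER_OBJ  0x01u
#define TAG_USER      0x02u
#define TAG_GROUP_OBJ 0x04u
#define TAG_GROUP     0x08u
#define TAG_MASK      0x10u
#define TAG_OTHER     0x20u
#define NO_ID         0xffffffffu

/* Constructed mapping: namespace ids 0..65535 are host ids 100000..165535. */
#define NS_BASE       100000u
#define NS_RANGE      65536u
#define OVERFLOW_ID   65534u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8);
}
static void wr32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v & 0xff);         p[1] = (uint8_t)((v >> 8) & 0xff);
	p[2] = (uint8_t)((v >> 16) & 0xff); p[3] = (uint8_t)(v >> 24);
}

/* Entry count implied by a length, or -1 if the length is not header + n*8. */
int acl_entry_count(size_t size)
{
	if (size < HDR_SIZE)
		return -1;
	size -= HDR_SIZE;
	return (size % ENTRY_SIZE) ? -1 : (int)(size / ENTRY_SIZE);
}

/* Rewrite host ids to namespace ids in place. Returns the number of entries
 * rewritten, or -1 when the fixup is silently skipped. */
int fix_to_user(uint8_t *value, size_t size)
{
	int count, i, fixed = 0;

	if (!value || size < HDR_SIZE || rd32(value) != ACL_VERSION)
		return -1;
	count = acl_entry_count(size);
	if (count <= 0)
		return -1;
	for (i = 0; i < count; i++) {
		uint8_t *e = value + HDR_SIZE + (size_t)i * ENTRY_SIZE;
		uint16_t tag = rd16(e);
		uint32_t id = rd32(e + 4);

		if (tag != TAG_USER && tag != TAG_GROUP)
			continue;
		wr32(e + 4, (id >= NS_BASE && id - NS_BASE < NS_RANGE) ?
			    id - NS_BASE : OVERFLOW_ID);
		fixed++;
	}
	return fixed;
}

/* Constructed sample: the ACL left by "setfacl -m user:0:rwx" inside the
 * namespace, as stored with host ids. Returns its length (44 bytes). */
static size_t build_sample(uint8_t *x)
{
	static const struct { uint16_t tag, perm; uint32_t id; } e[] = {
		{ TAG_USER_OBJ, 6, NO_ID }, { TAG_USER, 7, NS_BASE },
		{ TAG_GROUP_OBJ, 4, NO_ID }, { TAG_MASK, 7, NO_ID },
		{ TAG_OTHER, 4, NO_ID },
	};
	size_t i, n = sizeof(e) / sizeof(e[0]);

	wr32(x, ACL_VERSION);
	for (i = 0; i < n; i++) {
		uint8_t *p = x + HDR_SIZE + i * ENTRY_SIZE;
		wr16(p, e[i].tag); wr16(p + 2, e[i].perm); wr32(p + 4, e[i].id);
	}
	return HDR_SIZE + n * ENTRY_SIZE;
}

/* Id of the ACL_USER entry (bytes 16..19) as a caller with a bufsize-byte
 * buffer sees it. patched=0 passes the buffer size to the fixup (old code),
 * patched=1 passes the real xattr length (this commit). */
uint32_t user_id_seen(size_t bufsize, int patched)
{
	uint8_t stored[64], kvalue[256] = { 0 };  /* zero-filled in this model */
	size_t len = build_sample(stored);

	if (len > bufsize || bufsize > sizeof(kvalue))
		return NO_ID;
	memcpy(kvalue, stored, len);
	fix_to_user(kvalue, patched ? len : bufsize);
	return rd32(kvalue + HDR_SIZE + ENTRY_SIZE + 4);
}

int main(void)
{
	size_t sizes[] = { 128, 132 };
	for (int p = 0; p < 2; p++)
		for (int i = 0; i < 2; i++)
			printf("%s size=%zu uid=%u\n", p ? "patched" : "old",
			       sizes[i], (unsigned)user_id_seen(sizes[i], p));
	return 0;
}
```

With the old call a 128-byte buffer fails the length check (124 is not a multiple of 8) and the host uid 100000 (bytes a0 86 01 00) reaches the caller, which is the difference the reproducer reports at bytes 16 to 18.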
- * [PATCH 4.18 129/145] libnvdimm: Use max contiguous area for namespace size
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keith Busch, Vishal Verma, Dave Jiang
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Keith Busch <keith.busch@intel.com>
commit 12e3129e29b406c41bc89231092a20d79dbf802c upstream.
This patch will find the max contiguous area to determine the largest
pmem namespace size that can be created. If the requested size exceeds
the largest available, ENOSPC error will be returned.
This fixes the allocation underrun error and wrong error return code
that have otherwise been observed as the following kernel warning:
  WARNING: CPU: <CPU> PID: <PID> at drivers/nvdimm/namespace_devs.c:913 size_store
Fixes: a1f3e4d6a0c3 ("libnvdimm, region: update nd_region_available_dpa() for multi-pmem support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Keith Busch <keith.busch@intel.com>
Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvdimm/dimm_devs.c      |   31 +++++++++++++++++++++++++++++++
 drivers/nvdimm/namespace_devs.c |    6 +++---
 drivers/nvdimm/nd-core.h        |    8 ++++++++
 drivers/nvdimm/region_devs.c    |   24 ++++++++++++++++++++++++
 4 files changed, 66 insertions(+), 3 deletions(-)
--- a/drivers/nvdimm/dimm_devs.c
+++ b/drivers/nvdimm/dimm_devs.c
@@ -537,6 +537,37 @@ resource_size_t nd_blk_available_dpa(str
 }
 
 /**
+ * nd_pmem_max_contiguous_dpa - For the given dimm+region, return the max
+ *			   contiguous unallocated dpa range.
+ * @nd_region: constrain available space check to this reference region
+ * @nd_mapping: container of dpa-resource-root + labels
+ */
+resource_size_t nd_pmem_max_contiguous_dpa(struct nd_region *nd_region,
+					   struct nd_mapping *nd_mapping)
+{
+	struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+	struct nvdimm_bus *nvdimm_bus;
+	resource_size_t max = 0;
+	struct resource *res;
+
+	/* if a dimm is disabled the available capacity is zero */
+	if (!ndd)
+		return 0;
+
+	nvdimm_bus = walk_to_nvdimm_bus(ndd->dev);
+	if (__reserve_free_pmem(&nd_region->dev, nd_mapping->nvdimm))
+		return 0;
+	for_each_dpa_resource(ndd, res) {
+		if (strcmp(res->name, "pmem-reserve") != 0)
+			continue;
+		if (resource_size(res) > max)
+			max = resource_size(res);
+	}
+	release_free_pmem(nvdimm_bus, nd_mapping);
+	return max;
+}
+
+/**
  * nd_pmem_available_dpa - for the given dimm+region account unallocated dpa
  * @nd_mapping: container of dpa-resource-root + labels
  * @nd_region: constrain available space check to this reference region
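Review bot: in nd_pmem_max_contiguous_dpa() the early `return 0` taken when __reserve_free_pmem() fails skips the release_free_pmem() call that the success path makes. Unless __reserve_free_pmem() is guaranteed to undo any partial "pmem-reserve" resources before returning an error, that path can leave reservations behind; either call release_free_pmem() there as well or add a comment stating that the helper cleans up after itself.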
--- a/drivers/nvdimm/namespace_devs.c
+++ b/drivers/nvdimm/namespace_devs.c
@@ -799,7 +799,7 @@ static int merge_dpa(struct nd_region *n
 	return 0;
 }
 
-static int __reserve_free_pmem(struct device *dev, void *data)
+int __reserve_free_pmem(struct device *dev, void *data)
 {
 	struct nvdimm *nvdimm = data;
 	struct nd_region *nd_region;
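Review bot: dropping `static` here exports a double-underscore helper whose second parameter is an untyped `void *data`, a signature shaped for use as an iterator callback rather than for direct calls from another file. A thin typed wrapper taking `struct nvdimm *` would let the compiler catch a wrong argument at the new call site in dimm_devs.c and keep the callback form private to this file.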
@@ -836,7 +836,7 @@ static int __reserve_free_pmem(struct de
 	return 0;
 }
 
-static void release_free_pmem(struct nvdimm_bus *nvdimm_bus,
+void release_free_pmem(struct nvdimm_bus *nvdimm_bus,
 		struct nd_mapping *nd_mapping)
 {
 	struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
@@ -1032,7 +1032,7 @@ static ssize_t __size_store(struct devic
 
 		allocated += nvdimm_allocated_dpa(ndd, &label_id);
 	}
-	available = nd_region_available_dpa(nd_region);
+	available = nd_region_allocatable_dpa(nd_region);
 
 	if (val > available + allocated)
 		return -ENOSPC;
--- a/drivers/nvdimm/nd-core.h
+++ b/drivers/nvdimm/nd-core.h
@@ -100,6 +100,14 @@ struct nd_region;
 struct nvdimm_drvdata;
 struct nd_mapping;
 void nd_mapping_free_labels(struct nd_mapping *nd_mapping);
+
+int __reserve_free_pmem(struct device *dev, void *data);
+void release_free_pmem(struct nvdimm_bus *nvdimm_bus,
+		       struct nd_mapping *nd_mapping);
+
+resource_size_t nd_pmem_max_contiguous_dpa(struct nd_region *nd_region,
+					   struct nd_mapping *nd_mapping);
+resource_size_t nd_region_allocatable_dpa(struct nd_region *nd_region);
 resource_size_t nd_pmem_available_dpa(struct nd_region *nd_region,
 		struct nd_mapping *nd_mapping, resource_size_t *overlap);
 resource_size_t nd_blk_available_dpa(struct nd_region *nd_region);
--- a/drivers/nvdimm/region_devs.c
+++ b/drivers/nvdimm/region_devs.c
@@ -389,6 +389,30 @@ resource_size_t nd_region_available_dpa(
 	return available;
 }
 
+resource_size_t nd_region_allocatable_dpa(struct nd_region *nd_region)
+{
+	resource_size_t available = 0;
+	int i;
+
+	if (is_memory(&nd_region->dev))
+		available = PHYS_ADDR_MAX;
+
+	WARN_ON(!is_nvdimm_bus_locked(&nd_region->dev));
+	for (i = 0; i < nd_region->ndr_mappings; i++) {
+		struct nd_mapping *nd_mapping = &nd_region->mapping[i];
+
+		if (is_memory(&nd_region->dev))
+			available = min(available,
+					nd_pmem_max_contiguous_dpa(nd_region,
+								   nd_mapping));
+		else if (is_nd_blk(&nd_region->dev))
+			available += nd_blk_available_dpa(nd_region);
+	}
+	if (is_memory(&nd_region->dev))
+		return available * nd_region->ndr_mappings;
+	return available;
+}
+
 static ssize_t available_size_show(struct device *dev,
 		struct device_attribute *attr, char *buf)
 {
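Review bot: nd_region_allocatable_dpa() has no comment explaining why the memory case takes the minimum of nd_pmem_max_contiguous_dpa() over the mappings and then multiplies by ndr_mappings, nor how it differs from nd_region_available_dpa() directly above it. A kernel-doc block stating that relationship, and that a memory region with zero mappings yields 0 via `PHYS_ADDR_MAX * 0`, would help the next reader; the repeated is_memory() test could also be evaluated once into a local.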
- * [PATCH 4.18 130/145] libnvdimm: fix ars_status output length calculation
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Jiang, Keith Busch, Lukasz Dorau,
	Dan Williams, Vishal Verma
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Vishal Verma <vishal.l.verma@intel.com>
commit 286e87718103acdf85f4ed323a37e4839a8a7c05 upstream.
Commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling")
introduced additional hardening for ambiguity in the ACPI spec for
ars_status output sizing. However, it had a couple of cases mixed up.
Where it should have been checking for (and returning) "out_field[1] -
4" it was using "out_field[1] - 8" and vice versa.
This caused a four byte discrepancy in the buffer size passed on to
the command handler, and in some cases, this caused memory corruption
like:
  ./daxdev-errors.sh: line 76: 24104 Aborted   (core dumped) ./daxdev-errors $busdev $region
  malloc(): memory corruption
  Program received signal SIGABRT, Aborted.
  [...]
  #5  0x00007ffff7865a2e in calloc () from /lib64/libc.so.6
  #6  0x00007ffff7bc2970 in ndctl_bus_cmd_new_ars_status (ars_cap=ars_cap@entry=0x6153b0) at ars.c:136
  #7  0x0000000000401644 in check_ars_status (check=0x7fffffffdeb0, bus=0x604c20) at daxdev-errors.c:144
  #8  test_daxdev_clear_error (region_name=<optimized out>, bus_name=<optimized out>)
      at daxdev-errors.c:332
Cc: <stable@vger.kernel.org>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Keith Busch <keith.busch@intel.com>
Cc: Lukasz Dorau <lukasz.dorau@intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Fixes: efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling")
Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
Reviewed-by: Keith Busch <keith.busch@intel.com>
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvdimm/bus.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -812,9 +812,9 @@ u32 nd_cmd_out_size(struct nvdimm *nvdim
 		 * overshoots the remainder by 4 bytes, assume it was
 		 * including 'status'.
 		 */
-		if (out_field[1] - 8 == remainder)
+		if (out_field[1] - 4 == remainder)
 			return remainder;
-		return out_field[1] - 4;
+		return out_field[1] - 8;
 	} else if (cmd == ND_CMD_CALL) {
 		struct nd_cmd_pkg *pkg = (struct nd_cmd_pkg *) in_field;
 
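Review bot: both changed lines subtract a constant from `out_field[1]`, a length that comes back from the device, and the function returns u32, so a reported value below 8 makes `out_field[1] - 8` wrap to a very large size. Since this length sizes the buffer handed to the command handler, add a lower-bound check before the subtraction, and replace the bare 4 and 8 with named constants so the two cases are harder to swap again.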
- * [PATCH 4.18 131/145] bcache: release dc->writeback_lock properly in bch_writeback_thread()
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shan Hai, Coly Li, Shenghui Wang,
	Jens Axboe
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Shan Hai <shan.hai@oracle.com>
commit 3943b040f11ed0cc6d4585fd286a623ca8634547 upstream.
The writeback thread would exit with a lock held when the cache device
is detached via sysfs interface, fix it by releasing the held lock
before exiting the while-loop.
Fixes: fadd94e05c02 (bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set)
Signed-off-by: Shan Hai <shan.hai@oracle.com>
Signed-off-by: Coly Li <colyli@suse.de>
Tested-by: Shenghui Wang <shhuiw@foxmail.com>
Cc: stable@vger.kernel.org #4.17+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/bcache/writeback.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -645,8 +645,10 @@ static int bch_writeback_thread(void *ar
 			 * data on cache. BCACHE_DEV_DETACHING flag is set in
 			 * bch_cached_dev_detach().
 			 */
-			if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags))
+			if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) {
+				up_write(&dc->writeback_lock);
 				break;
+			}
 		}
 
 		up_write(&dc->writeback_lock);
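Review bot: the added `up_write(&dc->writeback_lock)` before `break` leaves the loop with two separate unlock sites for the same lock, which is the pattern that allowed the original leak. Consider restructuring so the detach test sets a flag and the existing `up_write()` after the block is the single release point, or at least add a comment on the new line noting that every exit from this block must drop writeback_lock.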
- * [PATCH 4.18 132/145] kconfig: fix "Cant open ..." in parallel build
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Borislav Petkov, Masahiro Yamada
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <yamada.masahiro@socionext.com>
commit 98a4afbfafd226636cd6bb6a1208b3693daff2b1 upstream.
If you run "make menuconfig" or "make nconfig" with -j<N> option in a
fresh source tree, you will see several "Can't open ..." messages:
  $ make -j8 menuconfig
    HOSTCC  scripts/basic/fixdep
    YACC    scripts/kconfig/zconf.tab.c
    LEX     scripts/kconfig/zconf.lex.c
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .:   HOSTCC  scripts/kconfig/lxdialog/checklist.o
  Can't open scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
    HOSTCC  scripts/kconfig/lxdialog/inputbox.o
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
    UPD     scripts/kconfig/.mconf-cfg
  /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
    HOSTCC  scripts/kconfig/lxdialog/menubox.o
    HOSTCC  scripts/kconfig/lxdialog/textbox.o
    HOSTCC  scripts/kconfig/lxdialog/util.o
    HOSTCC  scripts/kconfig/lxdialog/yesno.o
    HOSTCC  scripts/kconfig/mconf.o
    HOSTCC  scripts/kconfig/zconf.tab.o
    HOSTLD  scripts/kconfig/mconf
Correct dependencies to fix this problem.
Fixes: 1c5af5cf9308 ("kconfig: refactor ncurses package checks for building mconf and nconf")
Cc: linux-stable <stable@vger.kernel.org> # v4.18
Reported-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Tested-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/kconfig/Makefile |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/scripts/kconfig/Makefile
+++ b/scripts/kconfig/Makefile
@@ -173,7 +173,7 @@ HOSTLOADLIBES_nconf	= $(shell . $(obj)/.
 HOSTCFLAGS_nconf.o	= $(shell . $(obj)/.nconf-cfg && echo $$cflags)
 HOSTCFLAGS_nconf.gui.o	= $(shell . $(obj)/.nconf-cfg && echo $$cflags)
 
-$(obj)/nconf.o: $(obj)/.nconf-cfg
+$(obj)/nconf.o $(obj)/nconf.gui.o: $(obj)/.nconf-cfg
 
 # mconf: Used for the menuconfig target based on lxdialog
 hostprogs-y	+= mconf
@@ -184,7 +184,8 @@ HOSTLOADLIBES_mconf = $(shell . $(obj)/.
 $(foreach f, mconf.o $(lxdialog), \
   $(eval HOSTCFLAGS_$f = $$(shell . $(obj)/.mconf-cfg && echo $$$$cflags)))
 
-$(addprefix $(obj)/, mconf.o $(lxdialog)): $(obj)/.mconf-cfg
+$(obj)/mconf.o: $(obj)/.mconf-cfg
+$(addprefix $(obj)/lxdialog/, $(lxdialog)): $(obj)/.mconf-cfg
 
 # qconf: Used for the xconfig target based on Qt
 hostprogs-y	+= qconf
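Review bot: the replaced rule `$(addprefix $(obj)/, mconf.o $(lxdialog))` named the lxdialog objects without their `lxdialog/` directory, so the .mconf-cfg prerequisite was attached to targets that are never built and nothing flagged it. A one-line comment above the new `$(addprefix $(obj)/lxdialog/, $(lxdialog))` rule saying that $(lxdialog) holds bare object names would make the required prefix obvious to whoever next adds an object.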
- * [PATCH 4.18 133/145] cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
From: Greg Kroah-Hartman @ 2018-09-07 21:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amir Goldstein, Serge E. Hallyn,
	Eddie Horng, Eric W. Biederman
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Eddie.Horng <eddie.horng@mediatek.com>
commit 355139a8dba446cc11a424cddbf7afebc3041ba1 upstream.
The code in cap_inode_getsecurity(), introduced by commit 8db6c34f1dbc
("Introduce v3 namespaced file capabilities"), should use
d_find_any_alias() instead of d_find_alias() to handle unhashed dentry
correctly. This is needed, for example, if execveat() is called with an
open but unlinked overlayfs file, because overlayfs unhashes dentry on
unlink.
This is a regression of real life application, first reported at
https://www.spinics.net/lists/linux-unionfs/msg05363.html
Below reproducer and setup can reproduce the case.
  const char* exec="echo";
  const char *newargv[] = { "echo", "hello", NULL};
  const char *newenviron[] = { NULL };
  int fd, err;
  fd = open(exec, O_PATH);
  unlink(exec);
  err = syscall(322/*SYS_execveat*/, fd, "", newargv, newenviron,
AT_EMPTY_PATH);
  if(err<0)
    fprintf(stderr, "execveat: %s\n", strerror(errno));
gcc compile into ~/test/a.out
mount -t overlay -orw,lowerdir=/mnt/l,upperdir=/mnt/u,workdir=/mnt/w
none /mnt/m
cd /mnt/m
cp /bin/echo .
~/test/a.out
Expected result:
hello
Actual result:
execveat: Invalid argument
dmesg:
Invalid argument reading file caps for /dev/fd/3
The 2nd reproducer and setup emulates similar case but for
regular filesystem:
  const char* exec="echo";
  int fd, err;
  char buf[256];
  fd = open(exec, O_RDONLY);
  unlink(exec);
  err = fgetxattr(fd, "security.capability", buf, 256);
  if(err<0)
    fprintf(stderr, "fgetxattr: %s\n", strerror(errno));
gcc compile into ~/test_fgetxattr
cd /tmp
cp /bin/echo .
~/test_fgetxattr
Result:
fgetxattr: Invalid argument
On regular filesystem, for example, ext4 read xattr from
disk and return to execveat(), will not trigger this issue, however,
the overlay attr handler pass real dentry to vfs_getxattr() will.
This reproducer calls fgetxattr() with an unlinked fd, invokes
vfs_getxattr() then reproduced the case that d_find_alias() in
cap_inode_getsecurity() can't find the unlinked dentry.
Suggested-by: Amir Goldstein <amir73il@gmail.com>
Acked-by: Amir Goldstein <amir73il@gmail.com>
Acked-by: Serge E. Hallyn <serge@hallyn.com>
Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
Cc: <stable@vger.kernel.org> # v4.14
Signed-off-by: Eddie Horng <eddie.horng@mediatek.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/commoncap.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -388,7 +388,7 @@ int cap_inode_getsecurity(struct inode *
 	if (strcmp(name, "capability") != 0)
 		return -EOPNOTSUPP;
 
-	dentry = d_find_alias(inode);
+	dentry = d_find_any_alias(inode);
 	if (!dentry)
 		return -EINVAL;
 
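Review bot: with d_find_any_alias() the code after the `if (!dentry)` check can now receive an unhashed dentry, which it never did before. Please add a comment at the call explaining why any alias, including an unhashed one, is acceptable for reading the capability xattr, and confirm that the rest of the function (not shown in this hunk) drops the reference on every return path.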
- * [PATCH 4.18 135/145] perf auxtrace: Fix queue resize
From: Greg Kroah-Hartman @ 2018-09-07 21:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 99cbbe56eb8bede625f410ab62ba34673ffa7d21 upstream.
When the number of queues grows beyond 32, the array of queues is
resized but not all members were being copied. Fix by also copying
'tid', 'cpu' and 'set'.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Fixes: e502789302a6e ("perf auxtrace: Add helpers for queuing AUX area tracing data")
Link: http://lkml.kernel.org/r/20180814084608.6563-1-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/util/auxtrace.c |    3 +++
 1 file changed, 3 insertions(+)
--- a/tools/perf/util/auxtrace.c
+++ b/tools/perf/util/auxtrace.c
@@ -202,6 +202,9 @@ static int auxtrace_queues__grow(struct
 	for (i = 0; i < queues->nr_queues; i++) {
 		list_splice_tail(&queues->queue_array[i].head,
 				 &queue_array[i].head);
+		queue_array[i].tid = queues->queue_array[i].tid;
+		queue_array[i].cpu = queues->queue_array[i].cpu;
+		queue_array[i].set = queues->queue_array[i].set;
 		queue_array[i].priv = queues->queue_array[i].priv;
 	}
 
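Review bot: copying `tid`, `cpu` and `set` one field at a time inside the loop repeats the pattern that caused the bug, since the next member added to the queue structure will be missed in the same way. Consider assigning the whole element and then re-initialising and splicing `head`, or add a comment in the loop stating that every member other than the list head must be copied here.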
- * [PATCH 4.18 136/145] crypto: vmx - Fix sleep-in-atomic bugs
From: Greg Kroah-Hartman @ 2018-09-07 21:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ondrej Mosnacek, Herbert Xu
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
commit 0522236d4f9c5ab2e79889cb020d1acbe5da416e upstream.
This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX
implementations. The problem is that the blkcipher_* functions should
not be called in atomic context.
The bugs can be reproduced via the AF_ALG interface by trying to
encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the
VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then
trigger BUG in crypto_yield():
[  891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424
[  891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc
[  891.864739] 1 lock held by kcapi-enc/12347:
[  891.864811]  #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530
[  891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1
[  891.865251] Call Trace:
[  891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable)
[  891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310
[  891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0
[  891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto]
[  891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80
[  891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530
[  891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0
[  891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0
[  891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0
[  891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70
Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module")
Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS")
Cc: stable@vger.kernel.org
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/vmx/aes_cbc.c |   30 ++++++++++++++----------------
 drivers/crypto/vmx/aes_xts.c |   21 ++++++++++++++-------
 2 files changed, 28 insertions(+), 23 deletions(-)
--- a/drivers/crypto/vmx/aes_cbc.c
+++ b/drivers/crypto/vmx/aes_cbc.c
@@ -107,24 +107,23 @@ static int p8_aes_cbc_encrypt(struct blk
 		ret = crypto_skcipher_encrypt(req);
 		skcipher_request_zero(req);
 	} else {
-		preempt_disable();
-		pagefault_disable();
-		enable_kernel_vsx();
-
 		blkcipher_walk_init(&walk, dst, src, nbytes);
 		ret = blkcipher_walk_virt(desc, &walk);
 		while ((nbytes = walk.nbytes)) {
+			preempt_disable();
+			pagefault_disable();
+			enable_kernel_vsx();
 			aes_p8_cbc_encrypt(walk.src.virt.addr,
 					   walk.dst.virt.addr,
 					   nbytes & AES_BLOCK_MASK,
 					   &ctx->enc_key, walk.iv, 1);
+			disable_kernel_vsx();
+			pagefault_enable();
+			preempt_enable();
+
 			nbytes &= AES_BLOCK_SIZE - 1;
 			ret = blkcipher_walk_done(desc, &walk, nbytes);
 		}
-
-		disable_kernel_vsx();
-		pagefault_enable();
-		preempt_enable();
 	}
 
 	return ret;
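Review bot: the three-call sequence preempt_disable() / pagefault_disable() / enable_kernel_vsx() and its mirror image are now open-coded inside the loop here, again in the decrypt path, and twice in aes_xts.c. A small pair of static inline helpers would keep the ordering identical everywhere and make it harder for a later edit to place a blkcipher_walk_*() call back inside the atomic section.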
@@ -147,24 +146,23 @@ static int p8_aes_cbc_decrypt(struct blk
 		ret = crypto_skcipher_decrypt(req);
 		skcipher_request_zero(req);
 	} else {
-		preempt_disable();
-		pagefault_disable();
-		enable_kernel_vsx();
-
 		blkcipher_walk_init(&walk, dst, src, nbytes);
 		ret = blkcipher_walk_virt(desc, &walk);
 		while ((nbytes = walk.nbytes)) {
+			preempt_disable();
+			pagefault_disable();
+			enable_kernel_vsx();
 			aes_p8_cbc_encrypt(walk.src.virt.addr,
 					   walk.dst.virt.addr,
 					   nbytes & AES_BLOCK_MASK,
 					   &ctx->dec_key, walk.iv, 0);
+			disable_kernel_vsx();
+			pagefault_enable();
+			preempt_enable();
+
 			nbytes &= AES_BLOCK_SIZE - 1;
 			ret = blkcipher_walk_done(desc, &walk, nbytes);
 		}
-
-		disable_kernel_vsx();
-		pagefault_enable();
-		preempt_enable();
 	}
 
 	return ret;
--- a/drivers/crypto/vmx/aes_xts.c
+++ b/drivers/crypto/vmx/aes_xts.c
@@ -116,32 +116,39 @@ static int p8_aes_xts_crypt(struct blkci
 		ret = enc? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req);
 		skcipher_request_zero(req);
 	} else {
+		blkcipher_walk_init(&walk, dst, src, nbytes);
+
+		ret = blkcipher_walk_virt(desc, &walk);
+
 		preempt_disable();
 		pagefault_disable();
 		enable_kernel_vsx();
 
-		blkcipher_walk_init(&walk, dst, src, nbytes);
-
-		ret = blkcipher_walk_virt(desc, &walk);
 		iv = walk.iv;
 		memset(tweak, 0, AES_BLOCK_SIZE);
 		aes_p8_encrypt(iv, tweak, &ctx->tweak_key);
 
+		disable_kernel_vsx();
+		pagefault_enable();
+		preempt_enable();
+
 		while ((nbytes = walk.nbytes)) {
+			preempt_disable();
+			pagefault_disable();
+			enable_kernel_vsx();
 			if (enc)
 				aes_p8_xts_encrypt(walk.src.virt.addr, walk.dst.virt.addr,
 						nbytes & AES_BLOCK_MASK, &ctx->enc_key, NULL, tweak);
 			else
 				aes_p8_xts_decrypt(walk.src.virt.addr, walk.dst.virt.addr,
 						nbytes & AES_BLOCK_MASK, &ctx->dec_key, NULL, tweak);
+			disable_kernel_vsx();
+			pagefault_enable();
+			preempt_enable();
 
 			nbytes &= AES_BLOCK_SIZE - 1;
 			ret = blkcipher_walk_done(desc, &walk, nbytes);
 		}
-
-		disable_kernel_vsx();
-		pagefault_enable();
-		preempt_enable();
 	}
 	return ret;
 }
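Review bot: ret from blkcipher_walk_virt() is not checked before walk.iv is read and passed to aes_p8_encrypt() for the tweak. Now that the walk setup runs ahead of the first preempt_disable(), an early "if (ret) return ret;" right after blkcipher_walk_virt() is safe to add and avoids computing a tweak from a walk that failed to start.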
^ permalink raw reply	[flat|nested] 145+ messages in thread
- * [PATCH 4.18 137/145] crypto: aesni - Use unaligned loads from gcm_context_data
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2018-09-07 21:10 ` [PATCH 4.18 136/145] crypto: vmx - Fix sleep-in-atomic bugs Greg Kroah-Hartman
@ 2018-09-07 21:10 ` Greg Kroah-Hartman
  2018-09-07 21:10 ` [PATCH 4.18 138/145] crypto: arm64/sm4-ce - check for the right CPU feature bit Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mauro Rossi, Dave Watson, Herbert Xu
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dave Watson <davejwatson@fb.com>
commit e5b954e8d11fdde55eed35017370a3a0d8837754 upstream.
A regression was reported bisecting to 1476db2d12
"Move HashKey computation from stack to gcm_context".  That diff
moved HashKey computation from the stack, which was explicitly aligned
in the asm, to a struct provided from the C code, depending on
AESNI_ALIGN_ATTR for alignment.   It appears some compilers may not
align this struct correctly, resulting in a crash on the movdqa
instruction when attempting to encrypt or decrypt data.
Fix by using unaligned loads for the HashKeys.  On modern
hardware there is no perf difference between the unaligned and
aligned loads.  All other accesses to gcm_context_data already use
unaligned loads.
Reported-by: Mauro Rossi <issor.oruam@gmail.com>
Fixes: 1476db2d12 ("Move HashKey computation from stack to gcm_context")
Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/crypto/aesni-intel_asm.S |   66 +++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 33 deletions(-)
--- a/arch/x86/crypto/aesni-intel_asm.S
+++ b/arch/x86/crypto/aesni-intel_asm.S
@@ -223,34 +223,34 @@ ALL_F:      .octa 0xffffffffffffffffffff
 	pcmpeqd TWOONE(%rip), \TMP2
 	pand	POLY(%rip), \TMP2
 	pxor	\TMP2, \TMP3
-	movdqa	\TMP3, HashKey(%arg2)
+	movdqu	\TMP3, HashKey(%arg2)
 
 	movdqa	   \TMP3, \TMP5
 	pshufd	   $78, \TMP3, \TMP1
 	pxor	   \TMP3, \TMP1
-	movdqa	   \TMP1, HashKey_k(%arg2)
+	movdqu	   \TMP1, HashKey_k(%arg2)
 
 	GHASH_MUL  \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
 # TMP5 = HashKey^2<<1 (mod poly)
-	movdqa	   \TMP5, HashKey_2(%arg2)
+	movdqu	   \TMP5, HashKey_2(%arg2)
 # HashKey_2 = HashKey^2<<1 (mod poly)
 	pshufd	   $78, \TMP5, \TMP1
 	pxor	   \TMP5, \TMP1
-	movdqa	   \TMP1, HashKey_2_k(%arg2)
+	movdqu	   \TMP1, HashKey_2_k(%arg2)
 
 	GHASH_MUL  \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
 # TMP5 = HashKey^3<<1 (mod poly)
-	movdqa	   \TMP5, HashKey_3(%arg2)
+	movdqu	   \TMP5, HashKey_3(%arg2)
 	pshufd	   $78, \TMP5, \TMP1
 	pxor	   \TMP5, \TMP1
-	movdqa	   \TMP1, HashKey_3_k(%arg2)
+	movdqu	   \TMP1, HashKey_3_k(%arg2)
 
 	GHASH_MUL  \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
 # TMP5 = HashKey^3<<1 (mod poly)
-	movdqa	   \TMP5, HashKey_4(%arg2)
+	movdqu	   \TMP5, HashKey_4(%arg2)
 	pshufd	   $78, \TMP5, \TMP1
 	pxor	   \TMP5, \TMP1
-	movdqa	   \TMP1, HashKey_4_k(%arg2)
+	movdqu	   \TMP1, HashKey_4_k(%arg2)
 .endm
 
 # GCM_INIT initializes a gcm_context struct to prepare for encoding/decoding.
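Review bot: the comment above the HashKey_4 store still reads "# TMP5 = HashKey^3<<1 (mod poly)", the same text as the comment above the HashKey_3 store, although another GHASH_MUL has run in between. It should say HashKey^4; if the stable backport has to match upstream exactly, this is worth a follow-up upstream rather than a change here.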
@@ -271,7 +271,7 @@ ALL_F:      .octa 0xffffffffffffffffffff
 	movdqu %xmm0, CurCount(%arg2) # ctx_data.current_counter = iv
 
 	PRECOMPUTE \SUBKEY, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
-	movdqa HashKey(%arg2), %xmm13
+	movdqu HashKey(%arg2), %xmm13
 
 	CALC_AAD_HASH %xmm13, \AAD, \AADLEN, %xmm0, %xmm1, %xmm2, %xmm3, \
 	%xmm4, %xmm5, %xmm6
@@ -997,7 +997,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	pshufd	  $78, \XMM5, \TMP6
 	pxor	  \XMM5, \TMP6
 	paddd     ONE(%rip), \XMM0		# INCR CNT
-	movdqa	  HashKey_4(%arg2), \TMP5
+	movdqu	  HashKey_4(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP4           # TMP4 = a1*b1
 	movdqa    \XMM0, \XMM1
 	paddd     ONE(%rip), \XMM0		# INCR CNT
@@ -1016,7 +1016,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	pxor	  (%arg1), \XMM2
 	pxor	  (%arg1), \XMM3
 	pxor	  (%arg1), \XMM4
-	movdqa	  HashKey_4_k(%arg2), \TMP5
+	movdqu	  HashKey_4_k(%arg2), \TMP5
 	PCLMULQDQ 0x00, \TMP5, \TMP6           # TMP6 = (a1+a0)*(b1+b0)
 	movaps 0x10(%arg1), \TMP1
 	AESENC	  \TMP1, \XMM1              # Round 1
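Review bot: the context lines here still use alignment-requiring forms on the other pointer, "pxor (%arg1), \XMM2" and "movaps 0x10(%arg1), \TMP1". The commit message only covers gcm_context_data behind %arg2, so it would help to state how %arg1 gets its 16-byte alignment and that it does not depend on the same AESNI_ALIGN_ATTR handling that failed for the struct.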
@@ -1031,7 +1031,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	movdqa	  \XMM6, \TMP1
 	pshufd	  $78, \XMM6, \TMP2
 	pxor	  \XMM6, \TMP2
-	movdqa	  HashKey_3(%arg2), \TMP5
+	movdqu	  HashKey_3(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP1           # TMP1 = a1 * b1
 	movaps 0x30(%arg1), \TMP3
 	AESENC    \TMP3, \XMM1              # Round 3
@@ -1044,7 +1044,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	AESENC	  \TMP3, \XMM2
 	AESENC	  \TMP3, \XMM3
 	AESENC	  \TMP3, \XMM4
-	movdqa	  HashKey_3_k(%arg2), \TMP5
+	movdqu	  HashKey_3_k(%arg2), \TMP5
 	PCLMULQDQ 0x00, \TMP5, \TMP2           # TMP2 = (a1+a0)*(b1+b0)
 	movaps 0x50(%arg1), \TMP3
 	AESENC	  \TMP3, \XMM1              # Round 5
@@ -1058,7 +1058,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	movdqa	  \XMM7, \TMP1
 	pshufd	  $78, \XMM7, \TMP2
 	pxor	  \XMM7, \TMP2
-	movdqa	  HashKey_2(%arg2), \TMP5
+	movdqu	  HashKey_2(%arg2), \TMP5
 
         # Multiply TMP5 * HashKey using karatsuba
 
@@ -1074,7 +1074,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	AESENC	  \TMP3, \XMM2
 	AESENC	  \TMP3, \XMM3
 	AESENC	  \TMP3, \XMM4
-	movdqa	  HashKey_2_k(%arg2), \TMP5
+	movdqu	  HashKey_2_k(%arg2), \TMP5
 	PCLMULQDQ 0x00, \TMP5, \TMP2           # TMP2 = (a1+a0)*(b1+b0)
 	movaps 0x80(%arg1), \TMP3
 	AESENC	  \TMP3, \XMM1             # Round 8
@@ -1092,7 +1092,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	movdqa	  \XMM8, \TMP1
 	pshufd	  $78, \XMM8, \TMP2
 	pxor	  \XMM8, \TMP2
-	movdqa	  HashKey(%arg2), \TMP5
+	movdqu	  HashKey(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP1          # TMP1 = a1*b1
 	movaps 0x90(%arg1), \TMP3
 	AESENC	  \TMP3, \XMM1            # Round 9
@@ -1121,7 +1121,7 @@ aes_loop_par_enc_done\@:
 	AESENCLAST \TMP3, \XMM2
 	AESENCLAST \TMP3, \XMM3
 	AESENCLAST \TMP3, \XMM4
-	movdqa    HashKey_k(%arg2), \TMP5
+	movdqu    HashKey_k(%arg2), \TMP5
 	PCLMULQDQ 0x00, \TMP5, \TMP2          # TMP2 = (a1+a0)*(b1+b0)
 	movdqu	  (%arg4,%r11,1), \TMP3
 	pxor	  \TMP3, \XMM1                 # Ciphertext/Plaintext XOR EK
@@ -1205,7 +1205,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	pshufd	  $78, \XMM5, \TMP6
 	pxor	  \XMM5, \TMP6
 	paddd     ONE(%rip), \XMM0		# INCR CNT
-	movdqa	  HashKey_4(%arg2), \TMP5
+	movdqu	  HashKey_4(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP4           # TMP4 = a1*b1
 	movdqa    \XMM0, \XMM1
 	paddd     ONE(%rip), \XMM0		# INCR CNT
@@ -1224,7 +1224,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	pxor	  (%arg1), \XMM2
 	pxor	  (%arg1), \XMM3
 	pxor	  (%arg1), \XMM4
-	movdqa	  HashKey_4_k(%arg2), \TMP5
+	movdqu	  HashKey_4_k(%arg2), \TMP5
 	PCLMULQDQ 0x00, \TMP5, \TMP6           # TMP6 = (a1+a0)*(b1+b0)
 	movaps 0x10(%arg1), \TMP1
 	AESENC	  \TMP1, \XMM1              # Round 1
@@ -1239,7 +1239,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	movdqa	  \XMM6, \TMP1
 	pshufd	  $78, \XMM6, \TMP2
 	pxor	  \XMM6, \TMP2
-	movdqa	  HashKey_3(%arg2), \TMP5
+	movdqu	  HashKey_3(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP1           # TMP1 = a1 * b1
 	movaps 0x30(%arg1), \TMP3
 	AESENC    \TMP3, \XMM1              # Round 3
@@ -1252,7 +1252,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	AESENC	  \TMP3, \XMM2
 	AESENC	  \TMP3, \XMM3
 	AESENC	  \TMP3, \XMM4
-	movdqa	  HashKey_3_k(%arg2), \TMP5
+	movdqu	  HashKey_3_k(%arg2), \TMP5
 	PCLMULQDQ 0x00, \TMP5, \TMP2           # TMP2 = (a1+a0)*(b1+b0)
 	movaps 0x50(%arg1), \TMP3
 	AESENC	  \TMP3, \XMM1              # Round 5
@@ -1266,7 +1266,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	movdqa	  \XMM7, \TMP1
 	pshufd	  $78, \XMM7, \TMP2
 	pxor	  \XMM7, \TMP2
-	movdqa	  HashKey_2(%arg2), \TMP5
+	movdqu	  HashKey_2(%arg2), \TMP5
 
         # Multiply TMP5 * HashKey using karatsuba
 
@@ -1282,7 +1282,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	AESENC	  \TMP3, \XMM2
 	AESENC	  \TMP3, \XMM3
 	AESENC	  \TMP3, \XMM4
-	movdqa	  HashKey_2_k(%arg2), \TMP5
+	movdqu	  HashKey_2_k(%arg2), \TMP5
 	PCLMULQDQ 0x00, \TMP5, \TMP2           # TMP2 = (a1+a0)*(b1+b0)
 	movaps 0x80(%arg1), \TMP3
 	AESENC	  \TMP3, \XMM1             # Round 8
@@ -1300,7 +1300,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
 	movdqa	  \XMM8, \TMP1
 	pshufd	  $78, \XMM8, \TMP2
 	pxor	  \XMM8, \TMP2
-	movdqa	  HashKey(%arg2), \TMP5
+	movdqu	  HashKey(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP1          # TMP1 = a1*b1
 	movaps 0x90(%arg1), \TMP3
 	AESENC	  \TMP3, \XMM1            # Round 9
@@ -1329,7 +1329,7 @@ aes_loop_par_dec_done\@:
 	AESENCLAST \TMP3, \XMM2
 	AESENCLAST \TMP3, \XMM3
 	AESENCLAST \TMP3, \XMM4
-	movdqa    HashKey_k(%arg2), \TMP5
+	movdqu    HashKey_k(%arg2), \TMP5
 	PCLMULQDQ 0x00, \TMP5, \TMP2          # TMP2 = (a1+a0)*(b1+b0)
 	movdqu	  (%arg4,%r11,1), \TMP3
 	pxor	  \TMP3, \XMM1                 # Ciphertext/Plaintext XOR EK
@@ -1405,10 +1405,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
 	movdqa	  \XMM1, \TMP6
 	pshufd	  $78, \XMM1, \TMP2
 	pxor	  \XMM1, \TMP2
-	movdqa	  HashKey_4(%arg2), \TMP5
+	movdqu	  HashKey_4(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP6       # TMP6 = a1*b1
 	PCLMULQDQ 0x00, \TMP5, \XMM1       # XMM1 = a0*b0
-	movdqa	  HashKey_4_k(%arg2), \TMP4
+	movdqu	  HashKey_4_k(%arg2), \TMP4
 	PCLMULQDQ 0x00, \TMP4, \TMP2       # TMP2 = (a1+a0)*(b1+b0)
 	movdqa	  \XMM1, \XMMDst
 	movdqa	  \TMP2, \XMM1              # result in TMP6, XMMDst, XMM1
@@ -1418,10 +1418,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
 	movdqa	  \XMM2, \TMP1
 	pshufd	  $78, \XMM2, \TMP2
 	pxor	  \XMM2, \TMP2
-	movdqa	  HashKey_3(%arg2), \TMP5
+	movdqu	  HashKey_3(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP1       # TMP1 = a1*b1
 	PCLMULQDQ 0x00, \TMP5, \XMM2       # XMM2 = a0*b0
-	movdqa	  HashKey_3_k(%arg2), \TMP4
+	movdqu	  HashKey_3_k(%arg2), \TMP4
 	PCLMULQDQ 0x00, \TMP4, \TMP2       # TMP2 = (a1+a0)*(b1+b0)
 	pxor	  \TMP1, \TMP6
 	pxor	  \XMM2, \XMMDst
@@ -1433,10 +1433,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
 	movdqa	  \XMM3, \TMP1
 	pshufd	  $78, \XMM3, \TMP2
 	pxor	  \XMM3, \TMP2
-	movdqa	  HashKey_2(%arg2), \TMP5
+	movdqu	  HashKey_2(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP1       # TMP1 = a1*b1
 	PCLMULQDQ 0x00, \TMP5, \XMM3       # XMM3 = a0*b0
-	movdqa	  HashKey_2_k(%arg2), \TMP4
+	movdqu	  HashKey_2_k(%arg2), \TMP4
 	PCLMULQDQ 0x00, \TMP4, \TMP2       # TMP2 = (a1+a0)*(b1+b0)
 	pxor	  \TMP1, \TMP6
 	pxor	  \XMM3, \XMMDst
@@ -1446,10 +1446,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
 	movdqa	  \XMM4, \TMP1
 	pshufd	  $78, \XMM4, \TMP2
 	pxor	  \XMM4, \TMP2
-	movdqa	  HashKey(%arg2), \TMP5
+	movdqu	  HashKey(%arg2), \TMP5
 	PCLMULQDQ 0x11, \TMP5, \TMP1	    # TMP1 = a1*b1
 	PCLMULQDQ 0x00, \TMP5, \XMM4       # XMM4 = a0*b0
-	movdqa	  HashKey_k(%arg2), \TMP4
+	movdqu	  HashKey_k(%arg2), \TMP4
 	PCLMULQDQ 0x00, \TMP4, \TMP2       # TMP2 = (a1+a0)*(b1+b0)
 	pxor	  \TMP1, \TMP6
 	pxor	  \XMM4, \XMMDst
^ permalink raw reply	[flat|nested] 145+ messages in thread
- * [PATCH 4.18 138/145] crypto: arm64/sm4-ce - check for the right CPU feature bit
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2018-09-07 21:10 ` [PATCH 4.18 137/145] crypto: aesni - Use unaligned loads from gcm_context_data Greg Kroah-Hartman
@ 2018-09-07 21:10 ` Greg Kroah-Hartman
  2018-09-07 21:10 ` [PATCH 4.18 142/145] fs/quota: Fix spectre gadget in do_quotactl Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Herbert Xu
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
commit 7fa885e2a22fd0f91a2c23d9275f5021f618ff5a upstream.
ARMv8.2 specifies special instructions for the SM3 cryptographic hash
and the SM4 symmetric cipher. While it is unlikely that a core would
implement one and not the other, we should only use SM4 instructions
if the SM4 CPU feature bit is set, and we currently check the SM3
feature bit instead. So fix that.
Fixes: e99ce921c468 ("crypto: arm64 - add support for SM4...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/crypto/sm4-ce-glue.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/crypto/sm4-ce-glue.c
+++ b/arch/arm64/crypto/sm4-ce-glue.c
@@ -69,5 +69,5 @@ static void __exit sm4_ce_mod_fini(void)
 	crypto_unregister_alg(&sm4_ce_alg);
 }
 
-module_cpu_feature_match(SM3, sm4_ce_mod_init);
+module_cpu_feature_match(SM4, sm4_ce_mod_init);
 module_exit(sm4_ce_mod_fini);
^ permalink raw reply	[flat|nested] 145+ messages in thread
- * [PATCH 4.18 142/145] fs/quota: Fix spectre gadget in do_quotactl
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2018-09-07 21:10 ` [PATCH 4.18 138/145] crypto: arm64/sm4-ce - check for the right CPU feature bit Greg Kroah-Hartman
@ 2018-09-07 21:10 ` Greg Kroah-Hartman
  2018-09-07 21:10 ` [PATCH 4.18 143/145] udf: Fix mounting of Win7 created UDF filesystems Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josh Poimboeuf, Jeremy Cline,
	Jan Kara
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jeremy Cline <jcline@redhat.com>
commit 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 upstream.
'type' is user-controlled, so sanitize it after the bounds check to
avoid using it in speculative execution. This covers the following
potential gadgets detected with the help of smatch:
* fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue
  'sb_dqopt(sb)->info' [w]
* fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue
  'dquots' [r]
* fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre
  issue 'dqopt->ops' [r]
* fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->files' [w] (local cap)
* fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->ops' [w] (local cap)
* fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->info' [w] (local cap)
* fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue
  'sb_dqopt(sb)->info' [r]
* fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre
  issue 'quota_magics' [w]
* fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre
  issue 'quota_versions' [w]
* fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre
  issue 'dqopt->info' [r]
* fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre
  issue 'dqopt->info' [r]
Additionally, a quick inspection indicates there are array accesses with
'type' in quota_on() and quota_off() functions which are also addressed
by this.
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/quota/quota.c |    2 ++
 1 file changed, 2 insertions(+)
--- a/fs/quota/quota.c
+++ b/fs/quota/quota.c
@@ -18,6 +18,7 @@
 #include <linux/quotaops.h>
 #include <linux/types.h>
 #include <linux/writeback.h>
+#include <linux/nospec.h>
 
 static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
 				     qid_t id)
@@ -703,6 +704,7 @@ static int do_quotactl(struct super_bloc
 
 	if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS))
 		return -EINVAL;
+	type = array_index_nospec(type, MAXQUOTAS);
 	/*
 	 * Quota not supported on this fs? Check this before s_quota_types
 	 * since they needn't be set if quota is not supported at all.
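Review bot: the clamp bound does not match the check bound for XQM commands. The check just above rejects type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS), but array_index_nospec(type, MAXQUOTAS) always clamps against MAXQUOTAS. If the two constants can ever differ, either a type that passed the XQM check is silently forced to 0, or a speculative index up to MAXQUOTAS - 1 reaches an array sized by the smaller constant. Use the same bound expression in both places, or add a comment or BUILD_BUG_ON() stating that the constants are equal.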
^ permalink raw reply	[flat|nested] 145+ messages in thread
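The check-then-clamp pattern this patch adds to do_quotactl(), as an added userspace example (not kernel code and not part of the patch): index_mask_nospec() models the branch-free mask that array_index_nospec() relies on, and DEMO_MAXQUOTAS, the name table and the helper names are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG ((unsigned)(sizeof(long) * CHAR_BIT))

/* Constructed for this example: stands in for the kernel's MAXQUOTAS. */
#define DEMO_MAXQUOTAS 3UL

/* Constructed table indexed by quota type, like the arrays smatch flagged. */
static const char *const demo_quota_names[DEMO_MAXQUOTAS] = {
	"user", "group", "project",
};

/*
 * All-ones when index < size, zero otherwise, computed without a branch so
 * there is nothing for the predictor to get wrong. Assumes index and size
 * are both below LONG_MAX and that >> on a negative long is arithmetic
 * (true for GCC and Clang).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	/* Empty asm: stops the compiler from re-deriving a compare-and-branch. */
	__asm__ volatile("" : "+r"(index));
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
			       (BITS_PER_LONG - 1));
}

/* Userspace stand-in for array_index_nospec(index, size). */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Architectural path: bounds check first, then clamp, then the array access. */
static const char *lookup_quota_name(unsigned long type)
{
	if (type >= DEMO_MAXQUOTAS)
		return NULL;	/* the kernel returns -EINVAL here */
	type = index_nospec(type, DEMO_MAXQUOTAS);
	return demo_quota_names[type];
}

/*
 * Index the array access would see if the branch above were mispredicted
 * and the access ran transiently: the check is skipped, the clamp is not.
 */
static unsigned long index_if_check_bypassed(unsigned long type)
{
	return index_nospec(type, DEMO_MAXQUOTAS);
}

int main(void)
{
	unsigned long type;

	for (type = 0; type < 6; type++) {
		const char *name = lookup_quota_name(type);

		printf("type=%lu mask=%#lx bypassed-index=%lu result=%s\n",
		       type, index_mask_nospec(type, DEMO_MAXQUOTAS),
		       index_if_check_bypassed(type), name ? name : "EINVAL");
	}
	return 0;
}
```

Because the clamp is data-dependent arithmetic and not a branch, an out-of-range type can only ever select element 0, which is why the patch places it directly after the bounds check and before any array use.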
- * [PATCH 4.18 143/145] udf: Fix mounting of Win7 created UDF filesystems
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2018-09-07 21:10 ` [PATCH 4.18 142/145] fs/quota: Fix spectre gadget in do_quotactl Greg Kroah-Hartman
@ 2018-09-07 21:10 ` Greg Kroah-Hartman
  2018-09-07 21:10 ` [PATCH 4.18 144/145] cpuidle: menu: Retain tick when shallow state is selected Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kara
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit ee4af50ca94f58afc3532662779b9cf80bbe27c8 upstream.
Win7 is creating UDF filesystems with a single partition with number 8192.
The current partition descriptor scanning code does not handle this well as
it incorrectly assumes that partition numbers will form a mostly contiguous
space of small numbers. This results in unmountable media due to errors
like:
UDF-fs: error (device dm-1): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0
UDF-fs: warning (device dm-1): udf_fill_super: No fileset found
Fix the problem by handling partition descriptors in a way that sparse
partition numbering does not matter.
Reported-and-tested-by: jean-luc malet <jeanluc.malet@gmail.com>
CC: stable@vger.kernel.org
Fixes: 7b78fd02fb19530fd101ae137a1f46aa466d9bb6
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/super.c |   31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1570,10 +1570,16 @@ static void udf_load_logicalvolint(struc
  */
 #define PART_DESC_ALLOC_STEP 32
 
+struct part_desc_seq_scan_data {
+	struct udf_vds_record rec;
+	u32 partnum;
+};
+
 struct desc_seq_scan_data {
 	struct udf_vds_record vds[VDS_POS_LENGTH];
 	unsigned int size_part_descs;
-	struct udf_vds_record *part_descs_loc;
+	unsigned int num_part_descs;
+	struct part_desc_seq_scan_data *part_descs_loc;
 };
 
 static struct udf_vds_record *handle_partition_descriptor(
@@ -1582,10 +1588,14 @@ static struct udf_vds_record *handle_par
 {
 	struct partitionDesc *desc = (struct partitionDesc *)bh->b_data;
 	int partnum;
+	int i;
 
 	partnum = le16_to_cpu(desc->partitionNumber);
-	if (partnum >= data->size_part_descs) {
-		struct udf_vds_record *new_loc;
+	for (i = 0; i < data->num_part_descs; i++)
+		if (partnum == data->part_descs_loc[i].partnum)
+			return &(data->part_descs_loc[i].rec);
+	if (data->num_part_descs >= data->size_part_descs) {
+		struct part_desc_seq_scan_data *new_loc;
 		unsigned int new_size = ALIGN(partnum, PART_DESC_ALLOC_STEP);
 
 		new_loc = kcalloc(new_size, sizeof(*new_loc), GFP_KERNEL);
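Review bot: the growth path still sizes the array from the partition number, not from the entry count. Reallocation now triggers on data->num_part_descs >= data->size_part_descs, but new_size is still ALIGN(partnum, PART_DESC_ALLOC_STEP). When the array is full and partnum is small, new_size is no larger than the current size, so the slot later indexed by num_part_descs lies past the allocation. Growing to data->size_part_descs + PART_DESC_ALLOC_STEP would match the new dense layout.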
@@ -1597,7 +1607,7 @@ static struct udf_vds_record *handle_par
 		data->part_descs_loc = new_loc;
 		data->size_part_descs = new_size;
 	}
-	return &(data->part_descs_loc[partnum]);
+	return &(data->part_descs_loc[data->num_part_descs++].rec);
 }
 
 
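Review bot: the slot handed out by the new return statement never gets its partnum field set. The lookup loop added above compares partnum against part_descs_loc[i].partnum, but none of the added lines stores partnum into the new entry, so each entry keeps the zero from kcalloc() and a second descriptor for the same non-zero partition number is appended as a new entry instead of reusing the existing one. Assigning data->part_descs_loc[data->num_part_descs].partnum = partnum before the return would make the lookup effective.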
@@ -1647,6 +1657,7 @@ static noinline int udf_process_sequence
 
 	memset(data.vds, 0, sizeof(struct udf_vds_record) * VDS_POS_LENGTH);
 	data.size_part_descs = PART_DESC_ALLOC_STEP;
+	data.num_part_descs = 0;
 	data.part_descs_loc = kcalloc(data.size_part_descs,
 				      sizeof(*data.part_descs_loc),
 				      GFP_KERNEL);
@@ -1658,7 +1669,6 @@ static noinline int udf_process_sequence
 	 * are in it.
 	 */
 	for (; (!done && block <= lastblock); block++) {
-
 		bh = udf_read_tagged(sb, block, block, &ident);
 		if (!bh)
 			break;
@@ -1730,13 +1740,10 @@ static noinline int udf_process_sequence
 	}
 
 	/* Now handle prevailing Partition Descriptors */
-	for (i = 0; i < data.size_part_descs; i++) {
-		if (data.part_descs_loc[i].block) {
-			ret = udf_load_partdesc(sb,
-						data.part_descs_loc[i].block);
-			if (ret < 0)
-				return ret;
-		}
+	for (i = 0; i < data.num_part_descs; i++) {
+		ret = udf_load_partdesc(sb, data.part_descs_loc[i].rec.block);
+		if (ret < 0)
+			return ret;
 	}
 
 	return 0;
^ permalink raw reply	[flat|nested] 145+ messages in thread
- * [PATCH 4.18 144/145] cpuidle: menu: Retain tick when shallow state is selected
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2018-09-07 21:10 ` [PATCH 4.18 143/145] udf: Fix mounting of Win7 created UDF filesystems Greg Kroah-Hartman
@ 2018-09-07 21:10 ` Greg Kroah-Hartman
  2018-09-07 21:10 ` [PATCH 4.18 145/145] arm64: mm: always enable CONFIG_HOLES_IN_ZONE Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Leo Yan, Rafael J. Wysocki
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 757ab15c3f4968b5a29caf3fe8b67660ce84c3cd upstream.
The case addressed by commit 5ef499cd571c (cpuidle: menu: Handle
stopped tick more aggressively) in the stopped tick case is present
when the tick has not been stopped yet too.  Namely, if only two CPU
idle states, shallow state A with target residency significantly
below the tick boundary and deep state B with target residency
significantly above it, are available and the predicted idle
duration is above the tick boundary, but below the target residency
of state B, state A will be selected and the CPU may spend an indefinite
amount of time in it, which is not quite energy-efficient.
However, if the tick has not been stopped yet and the governor is
about to select a shallow idle state for the CPU even though the idle
duration predicted by it is above the tick boundary, it should be
fine to wake up the CPU early, so the tick can be retained then and
the governor will have a chance to select a deeper state when it runs
next time.
[Note that when this really happens, it will make the idle duration
 predictor believe that the CPU might be idle longer than predicted,
 which will make it more likely to predict longer idle durations going
 forward, but that will also cause deeper idle states to be selected
 going forward, on average, which is what's needed here.]
Fixes: 87c9fe6ee495 (cpuidle: menu: Avoid selecting shallow states with stopped tick)
Reported-by: Leo Yan <leo.yan@linaro.org>
Cc: 4.17+ <stable@vger.kernel.org> # 4.17+: 5ef499cd571c (cpuidle: menu: Handle ...)
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpuidle/governors/menu.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
--- a/drivers/cpuidle/governors/menu.c
+++ b/drivers/cpuidle/governors/menu.c
@@ -380,9 +380,20 @@ static int menu_select(struct cpuidle_dr
 		if (idx == -1)
 			idx = i; /* first enabled state */
 		if (s->target_residency > data->predicted_us) {
-			if (!tick_nohz_tick_stopped())
+			if (data->predicted_us < TICK_USEC)
 				break;
 
+			if (!tick_nohz_tick_stopped()) {
+				/*
+				 * If the state selected so far is shallow,
+				 * waking up early won't hurt, so retain the
+				 * tick in that case and let the governor run
+				 * again in the next iteration of the loop.
+				 */
+				expected_interval = drv->states[idx].target_residency;
+				break;
+			}
+
 			/*
 			 * If the state selected so far is shallow and this
 			 * state's target residency matches the time till the
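Review bot: the added comment says "let the governor run again in the next iteration of the loop" immediately before a break out of the state-selection loop, which reads as if that loop were meant. Saying "idle loop" would remove the ambiguity. A few words on why expected_interval is overwritten with drv->states[idx].target_residency would also help, since the link to retaining the tick appears only in the commit message.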
^ permalink raw reply	[flat|nested] 145+ messages in thread
- * [PATCH 4.18 145/145] arm64: mm: always enable CONFIG_HOLES_IN_ZONE
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2018-09-07 21:10 ` [PATCH 4.18 144/145] cpuidle: menu: Retain tick when shallow state is selected Greg Kroah-Hartman
@ 2018-09-07 21:10 ` Greg Kroah-Hartman
  2018-09-08 21:16 ` [PATCH 4.18 000/145] 4.18.7-stable review Guenter Roeck
                   ` (2 subsequent siblings)
  141 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-07 21:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Mikulas Patocka,
	Pavel Tatashin, James Morse, Will Deacon
4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: James Morse <james.morse@arm.com>
commit f52bb98f5aded4c43e52f5ce19fb83f7261e9e73 upstream.
Commit 6d526ee26ccd ("arm64: mm: enable CONFIG_HOLES_IN_ZONE for NUMA")
only enabled HOLES_IN_ZONE for NUMA systems because the NUMA code was
choking on the missing zone for nomap pages. This problem doesn't just
apply to NUMA systems.
If the architecture doesn't set HAVE_ARCH_PFN_VALID, pfn_valid() will
return true if the pfn is part of a valid sparsemem section.
When working with multiple pages, the mm code uses pfn_valid_within()
to test each page it uses within the sparsemem section is valid. On
most systems memory comes in MAX_ORDER_NR_PAGES chunks which all
have valid/initialised struct pages. In this case pfn_valid_within()
is optimised out.
Systems where this isn't true (e.g. due to nomap) should set
HOLES_IN_ZONE and provide HAVE_ARCH_PFN_VALID so that mm tests each
page as it works with it.
Currently non-NUMA arm64 systems can't enable HOLES_IN_ZONE, leading to
a VM_BUG_ON():
| page:fffffdff802e1780 is uninitialized and poisoned
| raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
| raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
| page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
| ------------[ cut here ]------------
| kernel BUG at include/linux/mm.h:978!
| Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[...]
| CPU: 1 PID: 25236 Comm: dd Not tainted 4.18.0 #7
| Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
| pstate: 40000085 (nZcv daIf -PAN -UAO)
| pc : move_freepages_block+0x144/0x248
| lr : move_freepages_block+0x144/0x248
| sp : fffffe0071177680
[...]
| Process dd (pid: 25236, stack limit = 0x0000000094cc07fb)
| Call trace:
|  move_freepages_block+0x144/0x248
|  steal_suitable_fallback+0x100/0x16c
|  get_page_from_freelist+0x440/0xb20
|  __alloc_pages_nodemask+0xe8/0x838
|  new_slab+0xd4/0x418
|  ___slab_alloc.constprop.27+0x380/0x4a8
|  __slab_alloc.isra.21.constprop.26+0x24/0x34
|  kmem_cache_alloc+0xa8/0x180
|  alloc_buffer_head+0x1c/0x90
|  alloc_page_buffers+0x68/0xb0
|  create_empty_buffers+0x20/0x1ec
|  create_page_buffers+0xb0/0xf0
|  __block_write_begin_int+0xc4/0x564
|  __block_write_begin+0x10/0x18
|  block_write_begin+0x48/0xd0
|  blkdev_write_begin+0x28/0x30
|  generic_perform_write+0x98/0x16c
|  __generic_file_write_iter+0x138/0x168
|  blkdev_write_iter+0x80/0xf0
|  __vfs_write+0xe4/0x10c
|  vfs_write+0xb4/0x168
|  ksys_write+0x44/0x88
|  sys_write+0xc/0x14
|  el0_svc_naked+0x30/0x34
| Code: aa1303e0 90001a01 91296421 94008902 (d4210000)
| ---[ end trace 1601ba47f6e883fe ]---
Remove the NUMA dependency.
Link: https://www.spinics.net/lists/arm-kernel/msg671851.html
Cc: <stable@vger.kernel.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
Tested-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/Kconfig |    1 -
 1 file changed, 1 deletion(-)
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -754,7 +754,6 @@ config NEED_PER_CPU_EMBED_FIRST_CHUNK
 
 config HOLES_IN_ZONE
 	def_bool y
-	depends on NUMA
 
 source kernel/Kconfig.preempt
 source kernel/Kconfig.hz
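Review bot: with "depends on NUMA" removed, config HOLES_IN_ZONE is an unconditional def_bool y with no help text or comment. A short comment recording the reason from the commit message (nomap regions mean pfn_valid_within() has to test each page) would keep the dependency from being reintroduced later as an optimisation.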
^ permalink raw reply	[flat|nested] 145+ messages in thread
- * Re: [PATCH 4.18 000/145] 4.18.7-stable review
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2018-09-07 21:10 ` [PATCH 4.18 145/145] arm64: mm: always enable CONFIG_HOLES_IN_ZONE Greg Kroah-Hartman
@ 2018-09-08 21:16 ` Guenter Roeck
  2018-09-09  8:35   ` Greg Kroah-Hartman
  2018-09-09  4:22 ` Naresh Kamboju
  2018-09-10 15:48 ` Shuah Khan
  141 siblings, 1 reply; 145+ messages in thread
From: Guenter Roeck @ 2018-09-08 21:16 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage,
	stable
On 09/07/2018 02:07 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.18.7 release.
> There are 145 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun Sep  9 21:08:26 UTC 2018.
> Anything received after that time might be too late.
> 
Build results:
	total: 137 pass: 137 fail: 0
Qemu test results:
	total: 314 pass: 314 fail: 0
Details are available at https://kerneltests.org/builders/.
Guenter
^ permalink raw reply	[flat|nested] 145+ messages in thread
- * Re: [PATCH 4.18 000/145] 4.18.7-stable review
  2018-09-08 21:16 ` [PATCH 4.18 000/145] 4.18.7-stable review Guenter Roeck
@ 2018-09-09  8:35   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-09  8:35 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable
On Sat, Sep 08, 2018 at 02:16:40PM -0700, Guenter Roeck wrote:
> On 09/07/2018 02:07 PM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.18.7 release.
> > There are 145 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sun Sep  9 21:08:26 UTC 2018.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 137 pass: 137 fail: 0
> Qemu test results:
> 	total: 314 pass: 314 fail: 0
> 
> Details are available at https://kerneltests.org/builders/.
Yeah, one worked!  :)
I'll go work on fixing up the others now, thanks for the test-builds.
greg k-h
- * Re: [PATCH 4.18 000/145] 4.18.7-stable review
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2018-09-08 21:16 ` [PATCH 4.18 000/145] 4.18.7-stable review Guenter Roeck
@ 2018-09-09  4:22 ` Naresh Kamboju
  2018-09-10 15:48 ` Shuah Khan
  141 siblings, 0 replies; 145+ messages in thread
From: Naresh Kamboju @ 2018-09-09  4:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable
On 8 September 2018 at 02:37, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 4.18.7 release.
> There are 145 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun Sep  9 21:08:26 UTC 2018.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.18.7-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64 and i386.
Summary
------------------------------------------------------------------------
kernel: 4.18.7-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.18.y
git commit: 778167eee1b92f5bc2405840b2110af2f6bb9723
git describe: v4.18.5-270-g778167eee1b9
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.18-oe/build/v4.18.5-270-g778167eee1b9
No regressions (compared to build v4.18.5-124-ga6a229cf7e7f)
Boards, architectures and test suites:
-------------------------------------
dragonboard-410c - arm64
* boot - pass: 20, fail: 1
* kselftest - pass: 59, skip: 45, fail: 8
* libhugetlbfs - pass: 88, skip: 1, fail: 2
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 80, skip: 1,
* ltp-cve-tests - pass: 26, skip: 9,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-fs-tests - pass: 60, skip: 6,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 21, skip: 1,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 14,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1016, skip: 133,
* ltp-timers-tests - pass: 13,
hi6220-hikey - arm64
* boot - pass: 21,
* kselftest - pass: 63, skip: 39, fail: 7
* libhugetlbfs - pass: 89, skip: 1, fail: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 80, skip: 1,
* ltp-cve-tests - pass: 27, skip: 8,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 21, skip: 1,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 10, skip: 4,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1015, skip: 134,
* ltp-timers-tests - pass: 13,
i386
* boot - pass: 22,
* kselftest - pass: 82, skip: 40, fail: 5
* libhugetlbfs - pass: 1,
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 80, skip: 1,
* ltp-cve-tests - pass: 27, skip: 4, fail: 4
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60, skip: 6,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 18,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 21, skip: 1,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 8,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-open-posix-tests - pass: 1688, skip: 40, fail: 5
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 10, skip: 4,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1087, skip: 59, fail: 2
* ltp-timers-tests - pass: 13,
juno-r2 - arm64
* boot - pass: 22,
* libhugetlbfs - pass: 89, skip: 1, fail: 1
* ltp-containers-tests - pass: 80, skip: 1,
* ltp-cve-tests - pass: 26, skip: 9,
* ltp-filecaps-tests - pass: 2,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 22,
* ltp-io-tests - pass: 3,
* ltp-math-tests - pass: 11,
* ltp-open-posix-tests - pass: 1689, skip: 41, fail: 5
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 10, skip: 4,
* ltp-securebits-tests - pass: 4,
* ltp-timers-tests - pass: 13,
qemu_arm
* boot - pass: 21,
* kselftest - pass: 50, skip: 53, fail: 5
* libhugetlbfs - pass: 86, skip: 1, fail: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 79, skip: 2,
* ltp-cve-tests - pass: 23, skip: 12,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 61, skip: 5,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 21, skip: 1,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 8, skip: 6,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1050, skip: 99,
* ltp-timers-tests - pass: 13,
qemu_arm64
* boot - pass: 21,
* kselftest - pass: 57, skip: 47, fail: 8
* libhugetlbfs - pass: 89, skip: 1, fail: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 80, skip: 1,
* ltp-cve-tests - pass: 25, skip: 10,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60, skip: 6,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 22,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 8, skip: 6,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 992, skip: 157,
* ltp-timers-tests - pass: 13,
qemu_i386
* boot - pass: 21,
* kselftest - pass: 82, skip: 45, fail: 4
* libhugetlbfs - pass: 86, skip: 1, fail: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 80, skip: 1,
* ltp-cve-tests - pass: 28, skip: 5, fail: 2
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60, skip: 6,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 21, skip: 1,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 14,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1058, skip: 91,
* ltp-timers-tests - pass: 13,
qemu_x86_64
* boot - pass: 21,
* kselftest - pass: 77, skip: 48,
* libhugetlbfs - pass: 89, skip: 1, fail: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 80, skip: 1,
* ltp-cve-tests - pass: 30, skip: 5,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60, skip: 6,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 22,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 14,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 993, skip: 156,
* ltp-timers-tests - pass: 13,
x15 - arm
* boot - pass: 20,
* libhugetlbfs - pass: 86, skip: 1, fail: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-cve-tests - pass: 25, skip: 10,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 61, skip: 5,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 20, skip: 2,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-open-posix-tests - pass: 1690, skip: 40, fail: 5
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 14,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1071, skip: 78,
* ltp-timers-tests - pass: 13,
x86_64
* boot - pass: 24,
* kselftest - pass: 83, skip: 41,
* kselftest-vsyscall-mode-native - pass: 83, skip: 43,
* kselftest-vsyscall-mode-none - pass: 82, skip: 43,
* libhugetlbfs - pass: 88, skip: 1, fail: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 80, skip: 1,
* ltp-cve-tests - pass: 30, skip: 5,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 61, skip: 5,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 22,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-open-posix-tests - pass: 1688, skip: 42, fail: 5
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 10, skip: 4,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1031, skip: 118,
* ltp-timers-tests - pass: 13,
-- 
Linaro QA (BETA)
https://qa-reports.linaro.org
- * Re: [PATCH 4.18 000/145] 4.18.7-stable review
  2018-09-07 21:07 [PATCH 4.18 000/145] 4.18.7-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2018-09-09  4:22 ` Naresh Kamboju
@ 2018-09-10 15:48 ` Shuah Khan
  2018-09-10 15:56   ` Greg Kroah-Hartman
  141 siblings, 1 reply; 145+ messages in thread
From: Shuah Khan @ 2018-09-10 15:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, Shuah Khan
On 09/07/2018 03:07 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.18.7 release.
> There are 145 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun Sep  9 21:08:26 UTC 2018.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.18.7-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.18.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 
Compiled and booted on my test system. No dmesg regressions.
thanks,
-- Shuah
- * Re: [PATCH 4.18 000/145] 4.18.7-stable review
  2018-09-10 15:48 ` Shuah Khan
@ 2018-09-10 15:56   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2018-09-10 15:56 UTC (permalink / raw)
  To: Shuah Khan
  Cc: linux-kernel, torvalds, akpm, linux, patches, ben.hutchings,
	lkft-triage, stable
On Mon, Sep 10, 2018 at 09:48:47AM -0600, Shuah Khan wrote:
> On 09/07/2018 03:07 PM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.18.7 release.
> > There are 145 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sun Sep  9 21:08:26 UTC 2018.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.18.7-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.18.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.
Thanks for testing all of these and letting me know.
greg k-h