commit a988ccdea68969e7894398d8953476d2afdaa508 Author: Greg Kroah-Hartman Date: Thu Jun 21 04:01:47 2018 +0900 Linux 4.16.17 commit c37444eb0f399cb81fce70e13966e771c34af93c Author: Russell King Date: Fri Apr 13 00:22:47 2018 +0100 ARM: fix kill( ,SIGFPE) breakage [ Upstream commit 92d44a42af81e850a038c38278ff4f434b2871df ] Commit 7771c6645700 ("signal/arm: Document conflicts with SI_USER and SIGFPE") broke the siginfo structure for userspace triggered signals, causing the strace testsuite to regress. Fix this by eliminating the FPE_FIXME definition (which is at the root of the breakage) and use FPE_FLTINV instead for the case where the hardware appears to be reporting nonsense. Fixes: 7771c6645700 ("signal/arm: Document conflicts with SI_USER and SIGFPE") Suggested-by: Linus Torvalds Signed-off-by: Russell King Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d18e7c46980f5e10c1f5bf19d3ac983f1c7aa451 Author: Russell King Date: Mon Apr 16 13:21:54 2018 +0100 ARM: replace unnecessary perl with sed and the shell $(( )) operator [ Upstream commit 6cea14f55474ec71f1098228e0ae5dd2a8f22c0a ] You can build a kernel in a cross compiling environment that doesn't have perl in the $PATH. Commit 429f7a062e3b broke that for 32 bit ARM. Fix it. As reported by Stephen Rothwell, it appears that the symbols can be either part of the BSS section or absolute symbols depending on the binutils version. When they're an absolute symbol, the $(( )) operator errors out and the build fails. Fix this as well. Fixes: 429f7a062e3b ("ARM: decompressor: fix BSS size calculation") Reported-by: Rob Landley Reported-by: Stephen Rothwell Acked-by: Rob Landley Signed-off-by: Russell King Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 64a2a8a02278f1475acfdac13b1d2f4486fb87ea Author: Russell King Date: Wed Apr 11 18:24:01 2018 +0100 ARM: kexec: fix kdump register saving on panic() [ Upstream commit 2d7b3c64431245c95b05a441669c074da10db943 ] When a panic() occurs, the kexec code uses smp_send_stop() to stop the other CPUs, but this results in the CPU register state not being saved, and gdb is unable to inspect the state of other CPUs. Commit 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump friendly version in panic path") addressed the issue on x86, but ignored other architectures. Address the issue on ARM by splitting out the crash stop implementation to crash_smp_send_stop() and adding the necessary protection. Signed-off-by: Russell King Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1927684e75126db44000ba77ddf426bcd2a8ad2e Author: Łukasz Stelmach Date: Wed Apr 4 08:46:58 2018 +0100 ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel [ Upstream commit f2ae9de019e4e2807d812ec4fe1df7c34788a0a0 ] The hypervisor setup before __enter_kernel destroys the value sotred in r1. The value needs to be restored just before the jump. Fixes: 6b52f7bdb888 ("ARM: hyp-stub: Use r1 for the soft-restart address") Signed-off-by: Łukasz Stelmach Signed-off-by: Russell King Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0d9bc54a1e1a928fd3ac60ac1a6d30c632a47c8d Author: Łukasz Stelmach Date: Tue Apr 3 09:04:57 2018 +0100 ARM: 8753/1: decompressor: add a missing parameter to the addruart macro [ Upstream commit e07e3c33b9c0b5751ade624f44325c9bf2487ea6 ] In commit 639da5ee374b ("ARM: add an extra temp register to the low level debugging addruart macro") an additional temporary register was added to the addruart macro, but the decompressor code wasn't updated. Fixes: 639da5ee374b ("ARM: add an extra temp register to the low level debugging addruart macro") Signed-off-by: Łukasz Stelmach Signed-off-by: Russell King Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2d54e37cc8523fb69507c48b091e37d1f00736ce Author: Mark Rutland Date: Fri May 18 16:08:41 2018 +0200 efi/libstub/arm64: Handle randomized TEXT_OFFSET [ Upstream commit 4f74d72aa7067e75af92fbab077e6d7d0210be66 ] When CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET is an arbitrary multiple of PAGE_SIZE in the interval [0, 2MB). The EFI stub does not account for the potential misalignment of TEXT_OFFSET relative to EFI_KIMG_ALIGN, and produces a randomized physical offset which is always a round multiple of EFI_KIMG_ALIGN. This may result in statically allocated objects whose alignment exceeds PAGE_SIZE to appear misaligned in memory. This has been observed to result in spurious stack overflow reports and failure to make use of the IRQ stacks, and theoretically could result in a number of other issues. We can OR in the low bits of TEXT_OFFSET to ensure that we have the necessary offset (and hence preserve the misalignment of TEXT_OFFSET relative to EFI_KIMG_ALIGN), so let's do that. Reported-by: Kim Phillips Tested-by: Kim Phillips [ardb: clarify comment and commit log, drop unneeded parens] Signed-off-by: Mark Rutland Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Fixes: 6f26b3671184c36d ("arm64: kaslr: increase randomization granularity") Link: http://lkml.kernel.org/r/20180518140841.9731-2-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d1f6a917b1bcfef176137cda494eef142d218849 Author: Darren Hart Date: Sat May 12 12:10:07 2018 -0700 platform/x86: DELL_WMI use depends on instead of select for DELL_SMBIOS [ Upstream commit 54940fa60ad3728c592f62dadb558165495a6938 ] If DELL_WMI "select"s DELL_SMBIOS, the DELL_SMBIOS dependencies are ignored and it is still possible to end up with unmet direct dependencies. Change the select to a depends on. Tested-by: Randy Dunlap Signed-off-by: Darren Hart (VMware) Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ce841083dc4d1c9188738bd6ccd176593a068e9e Author: Helge Deller Date: Fri May 18 16:12:12 2018 +0200 parisc: Move setup_profiling_timer() out of init section [ Upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 ] No other architecture has setup_profiling_timer() in the init section, thus on parisc we face this section mismatch warning: Reference from the function devm_device_add_group() to the function .init.text:setup_profiling_timer() Signed-off-by: Helge Deller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e788ba20efbb6ace554276f538eead05dc51db6c Author: Mathieu Malaterre Date: Wed May 16 22:09:02 2018 +0200 sched/deadline: Make the grub_reclaim() function static [ Upstream commit 3febfc8a219a036633b57a34c6678e21b6a0580d ] Since the grub_reclaim() function can be made static, make it so. Silences the following GCC warning (W=1): kernel/sched/deadline.c:1120:5: warning: no previous prototype for ‘grub_reclaim’ [-Wmissing-prototypes] Signed-off-by: Mathieu Malaterre Acked-by: Peter Zijlstra Cc: Linus Torvalds Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180516200902.959-1-malat@debian.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit bb5375db2439cd2959e2361e9319e4575d918fcd Author: Mathieu Malaterre Date: Wed May 16 21:53:47 2018 +0200 sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h [ Upstream commit f6a3463063f42d9fb2c78f386437a822e0ad1792 ] In the following commit: 6b55c9654fcc ("sched/debug: Move print_cfs_rq() declaration to kernel/sched/sched.h") the print_cfs_rq() prototype was added to , right next to the prototypes for print_cfs_stats(), print_rt_stats() and print_dl_stats(). Finish this previous commit and also move related prototypes for print_rt_rq() and print_dl_rq(). Remove existing extern declarations now that they not needed anymore. Silences the following GCC warning, triggered by W=1: kernel/sched/debug.c:573:6: warning: no previous prototype for ‘print_rt_rq’ [-Wmissing-prototypes] kernel/sched/debug.c:603:6: warning: no previous prototype for ‘print_dl_rq’ [-Wmissing-prototypes] Signed-off-by: Mathieu Malaterre Acked-by: Peter Zijlstra Cc: Linus Torvalds Cc: Srikar Dronamraju Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180516195348.30426-1-malat@debian.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f6327d8039c7eeb686f8b3e06a8ce46f3c6e5db0 Author: Dan Carpenter Date: Wed May 16 17:00:26 2018 +0300 drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() [ Upstream commit 2b6207291b7b277a5df9d1aab44b56815a292dba ] There is a comment here which says that DIV_ROUND_UP() and that's where the problem comes from. Say you pick: args->bpp = UINT_MAX - 7; args->width = 4; args->height = 1; The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and because of how we picked args->width that means cpp < UINT_MAX / 4. I've fixed it by preventing the integer overflow in DIV_ROUND_UP(). I removed the check for !cpp because it's not possible after this change. I also changed all the 0xffffffffU references to U32_MAX. Signed-off-by: Dan Carpenter Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20180516140026.GA19340@mwanda Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2a164534b2ba7a13abc1e95e5abf3201885adc59 Author: Waiman Long Date: Tue May 15 17:49:51 2018 -0400 locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN [ Upstream commit 5a817641f68a6399a5fac8b7d2da67a73698ffed ] The filesystem freezing code needs to transfer ownership of a rwsem embedded in a percpu-rwsem from the task that does the freezing to another one that does the thawing by calling percpu_rwsem_release() after freezing and percpu_rwsem_acquire() before thawing. However, the new rwsem debug code runs afoul with this scheme by warning that the task that releases the rwsem isn't the one that acquires it, as reported by Amir Goldstein: DEBUG_LOCKS_WARN_ON(sem->owner != get_current()) WARNING: CPU: 1 PID: 1401 at /home/amir/build/src/linux/kernel/locking/rwsem.c:133 up_write+0x59/0x79 Call Trace: percpu_up_write+0x1f/0x28 thaw_super_locked+0xdf/0x120 do_vfs_ioctl+0x270/0x5f1 ksys_ioctl+0x52/0x71 __x64_sys_ioctl+0x16/0x19 do_syscall_64+0x5d/0x167 entry_SYSCALL_64_after_hwframe+0x49/0xbe To work properly with the rwsem debug code, we need to annotate that the rwsem ownership is unknown during the tranfer period until a brave soul comes forward to acquire the ownership. During that period, optimistic spinning will be disabled. Reported-by: Amir Goldstein Tested-by: Amir Goldstein Signed-off-by: Waiman Long Acked-by: Peter Zijlstra Cc: Andrew Morton Cc: Davidlohr Bueso Cc: Jan Kara Cc: Linus Torvalds Cc: Matthew Wilcox Cc: Oleg Nesterov Cc: Paul E. McKenney Cc: Theodore Y. Ts'o Cc: Thomas Gleixner Cc: Will Deacon Cc: linux-fsdevel@vger.kernel.org Link: http://lkml.kernel.org/r/1526420991-21213-3-git-send-email-longman@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit efc1d435c7d7477e1ea79ce005c8cdb4c635d831 Author: Waiman Long Date: Tue May 15 17:49:50 2018 -0400 locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag [ Upstream commit d7d760efad70c7a030725499bf9f342f04af24dd ] There are use cases where a rwsem can be acquired by one task, but released by another task. In thess cases, optimistic spinning may need to be disabled. One example will be the filesystem freeze/thaw code where the task that freezes the filesystem will acquire a write lock on a rwsem and then un-owns it before returning to userspace. Later on, another task will come along, acquire the ownership, thaw the filesystem and release the rwsem. Bit 0 of the owner field was used to designate that it is a reader owned rwsem. It is now repurposed to mean that the owner of the rwsem is not known. If only bit 0 is set, the rwsem is reader owned. If bit 0 and other bits are set, it is writer owned with an unknown owner. One such value for the latter case is (-1L). So we can set owner to 1 for reader-owned, -1 for writer-owned. The owner is unknown in both cases. To handle transfer of rwsem ownership, the higher level code should set the owner field to -1 to indicate a write-locked rwsem with unknown owner. Optimistic spinning will be disabled in this case. Once the higher level code figures who the new owner is, it can then set the owner field accordingly. Tested-by: Amir Goldstein Signed-off-by: Waiman Long Acked-by: Peter Zijlstra Cc: Andrew Morton Cc: Davidlohr Bueso Cc: Jan Kara Cc: Linus Torvalds Cc: Matthew Wilcox Cc: Oleg Nesterov Cc: Paul E. McKenney Cc: Theodore Y. Ts'o Cc: Thomas Gleixner Cc: Will Deacon Cc: linux-fsdevel@vger.kernel.org Link: http://lkml.kernel.org/r/1526420991-21213-2-git-send-email-longman@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1d740f58174f516dc71a25b12fae41b489b18570 Author: Stefan Agner Date: Wed Apr 18 14:49:08 2018 +0200 clk: imx6ull: use OSC clock during AXI rate change [ Upstream commit 2e5be528ab0182ad4b42b9feea3b80f85f37179b ] On i.MX6 ULL using PLL3 seems to cause a freeze when setting the parent to IMX6UL_CLK_PLL3_USB_OTG. This only seems to appear since commit 6f9575e55632 ("clk: imx: Add CLK_IS_CRITICAL flag for busy divider and busy mux"), probably because the clock is now forced to be on. Fixes: 6f9575e55632("clk: imx: Add CLK_IS_CRITICAL flag for busy divider and busy mux") Signed-off-by: Stefan Agner Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4c04217c2661d1a7c3eee38df2851ad0d61d6c71 Author: Geert Uytterhoeven Date: Mon May 14 12:49:37 2018 +0200 mtd: rawnand: Fix return type of __DIVIDE() when called with 32-bit [ Upstream commit 9f825e74d761c13b0cfaa5f65344d64ff970e252 ] The __DIVIDE() macro checks whether it is called with a 32-bit or 64-bit dividend, to select the appropriate divide-and-round-up routine. As the check uses the ternary operator, the result will always be promoted to a type that can hold both results, i.e. unsigned long long. When using this result in a division on a 32-bit system, this may lead to link errors like: ERROR: "__udivdi3" [drivers/mtd/nand/raw/nand.ko] undefined! Fix this by casting the result of the division to the type of the dividend. Fixes: 8878b126df769831 ("mtd: nand: add ->exec_op() implementation") Signed-off-by: Geert Uytterhoeven Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f882b432dd4da459473002dede4632ce24a28999 Author: Wanpeng Li Date: Sat May 5 04:02:32 2018 -0700 KVM: X86: Lower the default timer frequency limit to 200us [ Upstream commit 4c27625b7a67eb9006963ed2bcf8e53b259b43af ] Anthoine reported: The period used by Windows change over time but it can be 1 milliseconds or less. I saw the limit_periodic_timer_frequency print so 500 microseconds is sometimes reached. As suggested by Paolo, lower the default timer frequency limit to a smaller interval of 200 us (5000 Hz) to leave some headroom. This is required due to Windows 10 changing the scheduler tick limit from 1024 Hz to 2048 Hz. Reported-by: Anthoine Bourgeois Suggested-by: Paolo Bonzini Reviewed-by: Darren Kenny Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Anthoine Bourgeois Cc: Darren Kenny Cc: Jan Kiszka Signed-off-by: Wanpeng Li Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit fca8af7b722dac14b548376c0be8d145695ea336 Author: Sekhar Nori Date: Fri May 11 20:51:36 2018 +0530 ARM: davinci: board-dm646x-evm: set VPIF capture card name [ Upstream commit bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c ] VPIF capture driver expects card name to be set since it uses it without checking for NULL. The commit which introduced VPIF display and capture support added card name only for display, not for capture. Set it in platform data to probe driver successfully. While at it, also fix the display card name to something more appropriate. Fixes: 85609c1ccda6 ("DaVinci: DM646x - platform changes for vpif capture and display drivers") Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ae7151af409820e28b699d7eeb282f5cbb51d985 Author: Sekhar Nori Date: Fri May 11 20:51:35 2018 +0530 ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF [ Upstream commit 7d46899d57f8b61eb28701d9a4043b71e3392c26 ] commit a16cb91ad9c4 ("[media] media: vpif: use a configurable i2c_adapter_id for vpif display") removed hardcoded I2C adaptor setting in VPIF driver, but missed updating platform data passed from DM646x board. Fix it. Fixes: a16cb91ad9c4 ("[media] media: vpif: use a configurable i2c_adapter_id for vpif display") Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1246b7d158264e3a8de9acef59c84f73b52a901f Author: Sekhar Nori Date: Fri May 11 20:51:34 2018 +0530 ARM: davinci: dm646x: fix timer interrupt generation [ Upstream commit 73d4337ed9ceddef4b2f0e226634d5f985aa2d1c ] commit b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt definition for DM646x") inadvertently removed priority setting for timer0_12 (bottom half of timer0). This timer is used as clockevent. When INTPRIn register setting for an interrupt is left at 0, it is mapped to FIQ by the AINTC causing the timer interrupt to not get generated. Fix it by including an entry for timer0_12 in interrupt priority map array. While at it, move the clockevent comment to the right place. Fixes: b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt definition for DM646x") Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 41807aab14f0bddbedef7d8d7882392501439456 Author: Peter Rosin Date: Wed May 9 21:47:48 2018 +0200 i2c: viperboard: return message count on master_xfer success [ Upstream commit 35cd67a0caf767aba472452865dcb4471fcce2b1 ] Returning zero is wrong in this case. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Fixes: 174a13aa8669 ("i2c: Add viperboard i2c master driver") Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 9849645e0df5df8c98b9bebff772561c0bc5332c Author: Peter Rosin Date: Wed May 9 21:46:30 2018 +0200 i2c: pmcmsp: fix error return from master_xfer [ Upstream commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b ] Returning -1 (-EPERM) is not appropriate here, go with -EIO. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5b83b169fbb1a1842b5e0cb878b0352f6616c218 Author: Peter Rosin Date: Wed May 9 21:46:29 2018 +0200 i2c: pmcmsp: return message count on master_xfer success [ Upstream commit de9a8634f1cb4560a35696d472cc7f1383d9b866 ] Returning zero is wrong in this case. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ab2a617afada2c5077f77cb9e8f699794db562cb Author: Russell King Date: Thu May 10 14:24:20 2018 +0100 ARM: keystone: fix platform_domain_notifier array overrun [ Upstream commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa ] platform_domain_notifier contains a variable sized array, which the pm_clk_notify() notifier treats as a NULL terminated array: for (con_id = clknb->con_ids; *con_id; con_id++) pm_clk_add(dev, *con_id); Omitting the initialiser for con_ids means that the array is zero sized, and there is no NULL terminator. This leads to pm_clk_notify() overrunning into what ever structure follows, which may not be NULL. This leads to an oops: Unable to handle kernel NULL pointer dereference at virtual address 0000008c pgd = c0003000 [0000008c] *pgd=80000800004003c, *pmd=00000000c Internal error: Oops: 206 [#1] PREEMPT SMP ARM Modules linked in:c CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9 Hardware name: Keystone PC is at strlen+0x0/0x34 LR is at kstrdup+0x18/0x54 pc : [] lr : [] psr: 20000013 sp : eec73dc0 ip : eed780c0 fp : 00000001 r10: 00000000 r9 : 00000000 r8 : eed71e10 r7 : 0000008c r6 : 0000008c r5 : 014000c0 r4 : c03a6ff4 r3 : c09445d0 r2 : 00000000 r1 : 014000c0 r0 : 0000008c Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 00003000 DAC: fffffffd Process swapper/0 (pid: 1, stack limit = 0xeec72210) Stack: (0xeec73dc0 to 0xeec74000) ... [] (strlen) from [] (kstrdup+0x18/0x54) [] (kstrdup) from [] (__pm_clk_add+0x58/0x120) [] (__pm_clk_add) from [] (pm_clk_notify+0x64/0xa8) [] (pm_clk_notify) from [] (notifier_call_chain+0x44/0x84) [] (notifier_call_chain) from [] (__blocking_notifier_call_chain+0x48/0x60) [] (__blocking_notifier_call_chain) from [] (blocking_notifier_call_chain+0x18/0x20) [] (blocking_notifier_call_chain) from [] (device_add+0x36c/0x534) [] (device_add) from [] (of_platform_device_create_pdata+0x70/0xa4) [] (of_platform_device_create_pdata) from [] (of_platform_bus_create+0xf0/0x1ec) [] (of_platform_bus_create) from [] (of_platform_populate+0x5c/0xac) [] (of_platform_populate) from [] (of_platform_default_populate_init+0x8c/0xa8) [] (of_platform_default_populate_init) from [] (do_one_initcall+0x3c/0x164) [] (do_one_initcall) from [] (kernel_init_freeable+0x10c/0x1d0) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xf0) [] (kernel_init) from [] (ret_from_fork+0x14/0x3c) Exception stack(0xeec73fb0 to 0xeec73ff8) 3fa0: 00000000 00000000 00000000 00000000 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000) ---[ end trace cafa8f148e262e80 ]--- Fix this by adding the necessary initialiser. Fixes: fc20ffe1213b ("ARM: keystone: add PM domain support for clock management") Signed-off-by: Russell King Acked-by: Santosh Shilimkar Signed-off-by: Olof Johansson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 86c7d837a0bd3d231486203532f835907c3d2e35 Author: Daniel Glöckner Date: Mon May 14 09:40:05 2018 -0500 usb: musb: fix remote wakeup racing with suspend [ Upstream commit ebc3dd688cd988754a304147753b13e58de1b5a1 ] It has been observed that writing 0xF2 to the power register while it reads as 0xF4 results in the register having the value 0xF0, i.e. clearing RESUME and setting SUSPENDM in one go does not work. It might also violate the USB spec to transition directly from resume to suspend, especially when not taking T_DRSMDN into account. But this is what happens when a remote wakeup occurs between SetPortFeature USB_PORT_FEAT_SUSPEND on the root hub and musb_bus_suspend being called. This commit returns -EBUSY when musb_bus_suspend is called while remote wakeup is signalled and thus avoids to reset the RESUME bit. Ignoring this error when musb_port_suspend is called from musb_hub_control is ok. Signed-off-by: Daniel Glöckner Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4af0e3bdbbac789d5a7a62ac52c438377b88637e Author: David Howells Date: Thu May 10 23:10:40 2018 +0100 afs: Fix the non-encryption of calls [ Upstream commit 4776cab43fd3111618112737a257dc3ef368eddd ] Some AFS servers refuse to accept unencrypted traffic, so can't be accessed with kAFS. Set the AF_RXRPC security level to encrypt client calls to deal with this. Note that incoming service calls are set by the remote client and so aren't affected by this. This requires an AF_RXRPC patch to pass the value set by setsockopt to calls begun by the kernel. Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit fc83d865d73cb788561b3fdc5c24649516024477 Author: Marc Dionne Date: Fri May 11 21:35:06 2018 -0300 afs: Fix afs_find_server search loop [ Upstream commit f9c1bba3d392843f046d2ee27b4dfcec989d8a4b ] The code that looks up servers by addresses makes the assumption that the list of addresses for a server is sorted. It exits the loop if it finds that the target address is larger than the current candidate. As the list is not currently sorted, this can lead to a failure to find a matching server, which can cause callbacks from that server to be ignored. Remove the early exit case so that the complete list is searched. Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Signed-off-by: Marc Dionne Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 97d8137763df271fb65c01b3b9e4db0202129ac7 Author: David Howells Date: Fri May 11 23:21:35 2018 +0100 afs: Fix the handling of CB.InitCallBackState3 to find the server by UUID [ Upstream commit 001ab5a67ee5d191c64aebf4b4ef8c7a0dcfd2bc ] Fix the handling of the CB.InitCallBackState3 service call to find the record of a server that we're using by looking it up by the UUID passed as the parameter rather than by its address (of which it might have many, and which may change). Fixes: c35eccb1f614 ("[AFS]: Implement the CB.InitCallBackState3 operation.") Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5167bb2a074497fba3a3991f8dcc4f406d46dda4 Author: David Howells Date: Fri May 11 22:55:59 2018 +0100 afs: Fix VNOVOL handling in address rotation [ Upstream commit 3d9fa91161387ee629e7a07c47934d119910c8ae ] If a volume location record lists multiple file servers for a volume, then it's possible that due to a misconfiguration or a changing configuration that one of the file servers doesn't know about it yet and will abort VNOVOL. Currently, the rotation algorithm will stop with EREMOTEIO. Fix this by moving on to try the next server if VNOVOL is returned. Once all the servers have been tried and the record rechecked, the algorithm will stop with EREMOTEIO or ENOMEDIUM. Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Reported-by: Marc Dionne Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1e49bbe9240726359165c4648d44aba369d1c440 Author: Ben Hutchings Date: Thu May 10 19:20:54 2018 +0100 mtd: Fix comparison in map_word_andequal() [ Upstream commit ea739a287f4f16d6250bea779a1026ead79695f2 ] Commit 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros") changed map_word_andequal() into a macro, but also changed the right hand side of the comparison from val3 to val2. Change it back to use val3 on the right hand side. Thankfully this did not cause a regression because all callers currently pass the same argument for val2 and val3. Fixes: 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros") Signed-off-by: Ben Hutchings Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2f8735f7e492ff288b1c9d57c27434badfa304f2 Author: David Howells Date: Thu May 10 14:22:38 2018 +0100 afs: Fix server rotation's handling of fileserver probe failure [ Upstream commit ec5a3b4b507efca903d848518dcf2ebf7b04b466 ] The server rotation algorithm just gives up if it fails to probe a fileserver. Fix this by rotating to the next fileserver instead. Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 350c1869e9adc3b2881b9c1575937bbc0f31f353 Author: David Howells Date: Thu May 10 08:43:04 2018 +0100 afs: Fix refcounting in callback registration [ Upstream commit d4a96bec7a7362834ef5c31d7b2cc9bf36eb0570 ] The refcounting on afs_cb_interest struct objects in afs_register_server_cb_interest() is wrong as it uses the server list entry's call back interest pointer without regard for the fact that it might be replaced at any time and the object thrown away. Fix this by: (1) Put a lock on the afs_server_list struct that can be used to mediate access to the callback interest pointers in the servers array. (2) Keep a ref on the callback interest that we get from the entry. (3) Dropping the old reference held by vnode->cb_interest if we replace the pointer. Fixes: c435ee34551e ("afs: Overhaul the callback handling") Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5d18c2b0548b7755514dde6a6bbd90d32fccc7ca Author: David Howells Date: Wed May 9 22:03:18 2018 +0100 afs: Fix address list parsing [ Upstream commit 01fd79e6de74a447c5657913a335d9ce6508cdb1 ] The parsing of port specifiers in the address list obtained from the DNS resolution upcall doesn't work as in4_pton() and in6_pton() will fail on encountering an unexpected delimiter (in this case, the '+' marking the port number). However, in*_pton() can't be given multiple specifiers. Fix this by finding the delimiter in advance and not relying on in*_pton() to find the end of the address for us. Fixes: 8b2a464ced77 ("afs: Add an address list concept") Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2f6eac1639acab33594f059636c789c6943e83a9 Author: Dave Hansen Date: Wed May 9 10:13:56 2018 -0700 x86/pkeys/selftests: Add a test for pkey 0 [ Upstream commit 3488a600d90bcaf061b104dbcfbdc8d99b398312 ] Protection key 0 is the default key for all memory and will not normally come back from pkey_alloc(). But, you might still want pass it to mprotect_pkey(). This check ensures that you can use pkey 0. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171356.9E40B254@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit fb637b977caa0ae86142c8cb1d1f2005b137ff6f Author: Dave Hansen Date: Wed May 9 10:13:54 2018 -0700 x86/pkeys/selftests: Save off 'prot' for allocations [ Upstream commit acb25d761d6f2f64e785ccefc71e54f244f1eda4 ] This makes it possible to to tell what 'prot' a given allocation is supposed to have. That way, if we want to change just the pkey, we know what 'prot' to pass to mprotect_pkey(). Also, keep a record of the most recent allocation so the tests can easily find it. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171354.AA23E228@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d413589c9e8fcef67ede4740c7082ee880214a38 Author: Dave Hansen Date: Wed May 9 10:13:52 2018 -0700 x86/pkeys/selftests: Fix pointer math [ Upstream commit 3d64f4ed15c3c53dba4c514bf59c334464dee373 ] We dump out the entire area of the siginfo where the si_pkey_ptr is supposed to be. But, we do some math on the poitner, which is a u32. We intended to do byte math, not u32 math on the pointer. Cast it over to a u8* so it works. Also, move this block of code to below th si_code check. It doesn't hurt anything, but the si_pkey field is gibberish for other signal types. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171352.9BE09819@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit cdb66f24390c870404dbc68e610ee94d55331ca5 Author: Dave Hansen Date: Wed May 9 10:13:50 2018 -0700 x86/pkeys/selftests: Fix pkey exhaustion test off-by-one [ Upstream commit f50b4878329ab61d8e05796f655adeb6f5fb57c6 ] In our "exhaust all pkeys" test, we make sure that there is the expected number available. Turns out that the test did not cover the execute-only key, but discussed it anyway. It did *not* discuss the test-allocated key. Now that we have a test for the mprotect(PROT_EXEC) case, this off-by-one issue showed itself. Correct the off-by- one and add the explanation for the case we missed. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171350.E1656B95@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2402ad2cd04c21d63c0e32806d1242789a308fa9 Author: Dave Hansen Date: Wed May 9 10:13:48 2018 -0700 x86/pkeys/selftests: Add PROT_EXEC test [ Upstream commit 6af17cf89e99b64cf1f660bf848755442ab2f047 ] Under the covers, implement executable-only memory with protection keys when userspace calls mprotect(PROT_EXEC). But, we did not have a selftest for that. Now we do. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171348.9EEE4BEF@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d38bd22cc1bbc3166223053e3f3567102ee19aa5 Author: Dave Hansen Date: Wed May 9 10:13:47 2018 -0700 x86/pkeys/selftests: Factor out "instruction page" [ Upstream commit 3fcd2b2d928904cbf30b01e2c5e4f1dd2f9ab262 ] We currently have an execute-only test, but it is for the explicit mprotect_pkey() interface. We will soon add a test for the implicit mprotect(PROT_EXEC) enterface. We need this code in both tests. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171347.C64AB733@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e4229aaac5e79194aa2505ccd80fcf1c7ec33317 Author: Dave Hansen Date: Wed May 9 10:13:46 2018 -0700 x86/pkeys/selftests: Allow faults on unknown keys [ Upstream commit 7e7fd67ca39335a49619729821efb7cbdd674eb0 ] The exec-only pkey is allocated inside the kernel and userspace is not told what it is. So, allow PK faults to occur that have an unknown key. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171345.7FC7DA00@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c023d2ec7179a5f7e5c356af05915c84b6b0b360 Author: Dave Hansen Date: Wed May 9 10:13:44 2018 -0700 x86/pkeys/selftests: Avoid printf-in-signal deadlocks [ Upstream commit caf9eb6b4c82fc6cbd03697052ff22d97b0c377b ] printf() and friends are unusable in signal handlers. They deadlock. The pkey selftest does not do any normal printing in signal handlers, only extra debugging. So, just print the format string so we get *some* output when debugging. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171344.C53FD2F3@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3e5a8034be52e52bfa4b53bfee4fee7b1b3eff13 Author: Dave Hansen Date: Wed May 9 10:13:42 2018 -0700 x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal [ Upstream commit a50093d60464dd51d1ae0c2267b0abe9e1de77f3 ] There is some noisy debug code at the end of the signal handler. It was disabled by an early, unconditional "return". However, that return also hid a dprint_in_signal=0, which kept dprint_in_signal=1 and effectively locked us into permanent dprint_in_signal=1 behavior. Remove the return and the dead code, fixing dprint_in_signal. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171342.846B9B2E@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3229a6b3a5e515882be6d5b987d382a8b4890d4b Author: Dave Hansen Date: Wed May 9 10:13:40 2018 -0700 x86/pkeys/selftests: Stop using assert() [ Upstream commit 86b9eea230edf4c67d4d4a70fba9b74505867a25 ] If we use assert(), the program "crashes". That can be scary to users, so stop doing it. Just exit with a >0 exit code instead. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171340.E63EF7DA@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 03fb829602efc92cb4dabac2453a5244ed7a9de4 Author: Dave Hansen Date: Wed May 9 10:13:38 2018 -0700 x86/pkeys/selftests: Give better unexpected fault error messages [ Upstream commit 55556b0b2016806b2e16a20b62d143383983a34a ] do_not_expect_pk_fault() is a helper that we call when we do not expect a PK fault to have occurred. But, it is a function, which means that it obscures the line numbers from pkey_assert(). It also gives no details. Replace it with an implementation that gives nice line numbers and also lets callers pass in a more descriptive message about what happened that caused the unexpected fault. Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/20180509171338.55D13B64@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ed2b5589457b708795f79bcf4697a170482a2512 Author: Andy Lutomirski Date: Tue May 8 10:28:35 2018 -0700 x86/selftests: Add mov_to_ss test [ Upstream commit 59c2a7226fc5130032021c99f05ad5c0a56551cd ] This exercises a nasty corner case of the x86 ISA. Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b38d658c031db927a201905d652696c66100adb7 Author: Ingo Molnar Date: Mon May 14 10:59:08 2018 +0200 x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI [ Upstream commit 73bb4d6cd192b8629c5125aaada9892d9fc986b6 ] Fix this warning: mpx-mini-test.c:422:0: warning: "SEGV_BNDERR" redefined Cc: Dave Hansen Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: akpm@linux-foundation.org Cc: dave.hansen@intel.com Cc: linux-mm@kvack.org Cc: linuxram@us.ibm.com Cc: mpe@ellerman.id.au Cc: shakeelb@google.com Cc: shuah@kernel.org Link: http://lkml.kernel.org/r/20180514085908.GA12798@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit bfff950168b3249b08bf1183438f8629017ab793 Author: Ingo Molnar Date: Mon May 14 10:56:23 2018 +0200 x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI [ Upstream commit 0fb96620dce351608aa82eed5942e2f58b07beda ] Ubuntu 18.04 started exporting pkeys details in header files, resulting in build failures and warnings in the pkeys self-tests: protection_keys.c:232:0: warning: "SEGV_BNDERR" redefined protection_keys.c:387:5: error: conflicting types for ‘pkey_get’ protection_keys.c:409:5: error: conflicting types for ‘pkey_set’ ... Fix these namespace conflicts and double definitions, plus also clean up the ABI definitions to make it all a bit more readable ... Cc: Dave Hansen Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: akpm@linux-foundation.org Cc: dave.hansen@intel.com Cc: linux-mm@kvack.org Cc: linuxram@us.ibm.com Cc: mpe@ellerman.id.au Cc: shakeelb@google.com Cc: shuah@kernel.org Link: http://lkml.kernel.org/r/20180514085623.GB7094@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 96ffaee0f918e0b6a111247c7b5c13d0dd75e91b Author: Ingo Molnar Date: Mon May 14 10:15:54 2018 +0200 objtool, kprobes/x86: Sync the latest header with tools/objtool/arch/x86/include/asm/insn.h [ Upstream commit 4fe875e4bd3cae85ae6f6eaf77f63fabe613b66e ] The following commit: ee6a7354a362: kprobes/x86: Prohibit probing on exception masking instructions Modified , adding the insn_masking_exception() function. Sync the tooling version of the header to it, to fix this warning: Warning: synced file at 'tools/objtool/arch/x86/include/asm/insn.h' differs from latest kernel version at 'arch/x86/include/asm/insn.h' Cc: Peter Zijlstra Cc: Josh Poimboeuf Cc: Masami Hiramatsu Cc: Thomas Gleixner Cc: Ricardo Neri Cc: Francis Deslauriers Cc: Oleg Nesterov Cc: Alexei Starovoitov Cc: Steven Rostedt Cc: Andy Lutomirski Cc: "H . Peter Anvin" Cc: Yonghong Song Cc: Borislav Petkov Cc: Linus Torvalds Cc: "David S . Miller" Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 8ba3c060e4e0a6eb785f4612f51b270afbd7e5b3 Author: Masami Hiramatsu Date: Wed May 9 21:58:45 2018 +0900 uprobes/x86: Prohibit probing on MOV SS instruction [ Upstream commit 13ebe18c94f5b0665c01ae7fad2717ae959f4212 ] Since MOV SS and POP SS instructions will delay the exceptions until the next instruction is executed, single-stepping on it by uprobes must be prohibited. uprobe already rejects probing on POP SS (0x1f), but allows probing on MOV SS (0x8e and reg == 2). This checks the target instruction and if it is MOV SS or POP SS, returns -ENOTSUPP to reject probing. Signed-off-by: Masami Hiramatsu Signed-off-by: Thomas Gleixner Acked-by: Oleg Nesterov Cc: Ricardo Neri Cc: Francis Deslauriers Cc: Alexei Starovoitov Cc: Steven Rostedt Cc: Andy Lutomirski Cc: "H . Peter Anvin" Cc: Yonghong Song Cc: Borislav Petkov Cc: Linus Torvalds Cc: "David S . Miller" Link: https://lkml.kernel.org/r/152587072544.17316.5950935243917346341.stgit@devbox Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e9a3372d8611a82a03dee9b8329cb67cd0d8030b Author: Masami Hiramatsu Date: Wed May 9 21:58:15 2018 +0900 kprobes/x86: Prohibit probing on exception masking instructions [ Upstream commit ee6a7354a3629f9b65bc18dbe393503e9440d6f5 ] Since MOV SS and POP SS instructions will delay the exceptions until the next instruction is executed, single-stepping on it by kprobes must be prohibited. However, kprobes usually executes those instructions directly on trampoline buffer (a.k.a. kprobe-booster), except for the kprobes which has post_handler. Thus if kprobe user probes MOV SS with post_handler, it will do single-stepping on the MOV SS. This means it is safe that if it is used via ftrace or perf/bpf since those don't use the post_handler. Anyway, since the stack switching is a rare case, it is safer just rejecting kprobes on such instructions. Signed-off-by: Masami Hiramatsu Signed-off-by: Thomas Gleixner Cc: Ricardo Neri Cc: Francis Deslauriers Cc: Oleg Nesterov Cc: Alexei Starovoitov Cc: Steven Rostedt Cc: Andy Lutomirski Cc: "H . Peter Anvin" Cc: Yonghong Song Cc: Borislav Petkov Cc: Linus Torvalds Cc: "David S . Miller" Link: https://lkml.kernel.org/r/152587069574.17316.3311695234863248641.stgit@devbox Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a3a3ae0015e7a4c162b9f945e5d24377a1dc5bb2 Author: Ashish Samant Date: Fri May 11 16:02:07 2018 -0700 ocfs2: take inode cluster lock before moving reflinked inode from orphan dir [ Upstream commit e4383029201470523c3ffe339bd7d57e9b4a7d65 ] While reflinking an inode, we create a new inode in orphan directory, then take EX lock on it, reflink the original inode to orphan inode and release EX lock. Once the lock is released another node could request it in EX mode from ocfs2_recover_orphans() which causes downconvert of the lock, on this node, to NL mode. Later we attempt to initialize security acl for the orphan inode and move it to the reflink destination. However, while doing this we dont take EX lock on the inode. This could potentially cause problems because we could be starting transaction, accessing journal and modifying metadata of the inode while holding NL lock and with another node holding EX lock on the inode. Fix this by taking orphan inode cluster lock in EX mode before initializing security and moving orphan inode to reflink destination. Use the __tracker variant while taking inode lock to avoid recursive locking in the ocfs2_init_security_and_acl() call chain. Link: http://lkml.kernel.org/r/1523475107-7639-1-git-send-email-ashish.samant@oracle.com Signed-off-by: Ashish Samant Reviewed-by: Joseph Qi Reviewed-by: Junxiao Bi Acked-by: Jun Piao Cc: Mark Fasheh Cc: Joel Becker Cc: Changwei Ge Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 6586309398f9eec86c36cfdb2b06a6c427f85eb2 Author: Laura Abbott Date: Fri May 11 16:01:57 2018 -0700 proc/kcore: don't bounds check against address 0 [ Upstream commit 3955333df9a50e8783d115613a397ae55d905080 ] The existing kcore code checks for bad addresses against __va(0) with the assumption that this is the lowest address on the system. This may not hold true on some systems (e.g. arm64) and produce overflows and crashes. Switch to using other functions to validate the address range. It's currently only seen on arm64 and it's not clear if anyone wants to use that particular combination on a stable release. So this is not urgent for stable. Link: http://lkml.kernel.org/r/20180501201143.15121-1-labbott@redhat.com Signed-off-by: Laura Abbott Tested-by: Dave Anderson Cc: Kees Cook Cc: Ard Biesheuvel Cc: Ingo Molnar Cc: Andi Kleen Cc: Alexey Dobriyan a Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a3a0a24a9bfae8b537e51d08fa06d8643efa63ef Author: Jeffrey Hugo Date: Fri May 11 16:01:42 2018 -0700 init: fix false positives in W+X checking [ Upstream commit ae646f0b9ca135b87bc73ff606ef996c3029780a ] load_module() creates W+X mappings via __vmalloc_node_range() (from layout_and_allocate()->move_module()->module_alloc()) by using PAGE_KERNEL_EXEC. These mappings are later cleaned up via "call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module(). This is a problem because call_rcu_sched() queues work, which can be run after debug_checkwx() is run, resulting in a race condition. If hit, the race results in a nasty splat about insecure W+X mappings, which results in a poor user experience as these are not the mappings that debug_checkwx() is intended to catch. This issue is observed on multiple arm64 platforms, and has been artificially triggered on an x86 platform. Address the race by flushing the queued work before running the arch-defined mark_rodata_ro() which then calls debug_checkwx(). Link: http://lkml.kernel.org/r/1525103946-29526-1-git-send-email-jhugo@codeaurora.org Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings") Signed-off-by: Jeffrey Hugo Reported-by: Timur Tabi Reported-by: Jan Glauber Acked-by: Kees Cook Acked-by: Ingo Molnar Acked-by: Will Deacon Acked-by: Laura Abbott Cc: Mark Rutland Cc: Ard Biesheuvel Cc: Catalin Marinas Cc: Stephen Smalley Cc: Thomas Gleixner Cc: Peter Zijlstra Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b5e2b10d79679ce83d787d8aa609b8116a3bd8e9 Author: Yury Norov Date: Fri May 11 16:01:39 2018 -0700 lib/find_bit_benchmark.c: avoid soft lockup in test_find_first_bit() [ Upstream commit 4ba281d5bd9907355e6b79fb72049c9ed50cc670 ] test_find_first_bit() is intentionally sub-optimal, and may cause soft lockup due to long time of run on some systems. So decrease length of bitmap to traverse to avoid lockup. With the change below, time of test execution doesn't exceed 0.2 seconds on my testing system. Link: http://lkml.kernel.org/r/20180420171949.15710-1-ynorov@caviumnetworks.com Fixes: 4441fca0a27f5 ("lib: test module for find_*_bit() functions") Signed-off-by: Yury Norov Reviewed-by: Andrew Morton Reported-by: Fengguang Wu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b4f970ec80a6cb135648189c48247060422dfedb Author: Roman Mashak Date: Fri May 11 10:55:09 2018 -0400 net sched actions: fix invalid pointer dereferencing if skbedit flags missing [ Upstream commit af5d01842fe1fbfb9f5e1c1d957ba02ab6f4569a ] When application fails to pass flags in netlink TLV for a new skbedit action, the kernel results in the following oops: [ 8.307732] BUG: unable to handle kernel paging request at 0000000000021130 [ 8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0 [ 8.310595] Oops: 0000 [#1] SMP PTI [ 8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw [ 8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357 [ 8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140 [ 8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246 [ 8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000 [ 8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100 [ 8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122 [ 8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000 [ 8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000 [ 8.325590] FS: 00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000 [ 8.327001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0 [ 8.329289] Call Trace: [ 8.329735] tcf_skbedit_init+0xa7/0xb0 [ 8.330423] tcf_action_init_1+0x362/0x410 [ 8.331139] ? try_to_wake_up+0x44/0x430 [ 8.331817] tcf_action_init+0x103/0x190 [ 8.332511] tc_ctl_action+0x11a/0x220 [ 8.333174] rtnetlink_rcv_msg+0x23d/0x2e0 [ 8.333902] ? _cond_resched+0x16/0x40 [ 8.334569] ? __kmalloc_node_track_caller+0x5b/0x2c0 [ 8.335440] ? rtnl_calcit.isra.31+0xf0/0xf0 [ 8.336178] netlink_rcv_skb+0xdb/0x110 [ 8.336855] netlink_unicast+0x167/0x220 [ 8.337550] netlink_sendmsg+0x2a7/0x390 [ 8.338258] sock_sendmsg+0x30/0x40 [ 8.338865] ___sys_sendmsg+0x2c5/0x2e0 [ 8.339531] ? pagecache_get_page+0x27/0x210 [ 8.340271] ? filemap_fault+0xa2/0x630 [ 8.340943] ? page_add_file_rmap+0x108/0x200 [ 8.341732] ? alloc_set_pte+0x2aa/0x530 [ 8.342573] ? finish_fault+0x4e/0x70 [ 8.343332] ? __handle_mm_fault+0xbc1/0x10d0 [ 8.344337] ? __sys_sendmsg+0x53/0x80 [ 8.345040] __sys_sendmsg+0x53/0x80 [ 8.345678] do_syscall_64+0x4f/0x100 [ 8.346339] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 8.347206] RIP: 0033:0x7f591191da67 [ 8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67 [ 8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003 [ 8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000 [ 8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000 [ 8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0 [ 8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00 00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30 74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c [ 8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840 [ 8.359770] CR2: 0000000000021130 [ 8.360438] ---[ end trace 60c66be45dfc14f0 ]--- The caller calls action's ->init() and passes pointer to "struct tc_action *a", which later may be initialized to point at the existing action, otherwise "struct tc_action *a" is still invalid, and therefore dereferencing it is an error as happens in tcf_idr_release, where refcnt is decremented. So in case of missing flags tcf_idr_release must be called only for existing actions. v2: - prepare patch for net tree Fixes: 5e1567aeb7fe ("net sched: skbedit action fix late binding") Signed-off-by: Roman Mashak Acked-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 829bde6761732a81ef6dc3c83b6a0c533ef7807a Author: Colin Ian King Date: Wed May 9 14:58:48 2018 +0100 ixgbe: fix memory leak on ipsec allocation [ Upstream commit c89ebb968f04c71e16e86c91caeacb045dc8f908 ] The error clean up path kfree's adapter->ipsec and should be instead kfree'ing ipsec. Fix this. Also, the err1 error exit path does not need to kfree ipsec because this failure path was for the failed allocation of ipsec. Detected by CoverityScan, CID#146424 ("Resource Leak") Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA") Signed-off-by: Colin Ian King Acked-by: Shannon Nelson Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a50c3a7139544192a73784fb3ad4d618400b2c99 Author: Emil Tantilov Date: Thu Apr 19 17:06:57 2018 -0700 ixgbe: return error on unsupported SFP module when resetting [ Upstream commit bbb2707623f3ccc48695da2433f06d7c38193451 ] Add check for unsupported module and return the error code. This fixes a Coverity hit due to unused return status from setup_sfp. Signed-off-by: Emil Tantilov Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 42aa0ba07d072431297b9698b4f80ff953286e64 Author: Rob Herring Date: Fri May 11 08:45:59 2018 -0500 sh: switch to NO_BOOTMEM [ Upstream commit ac21fc2dcb405cf250ad3f1228f64f64930d9211 ] Commit 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc") inadvertently switched the DT unflattening allocations from memblock to bootmem which doesn't work because the unflattening happens before bootmem is initialized. Swapping the order of bootmem init and unflattening could also fix this, but removing bootmem is desired. So enable NO_BOOTMEM on SH like other architectures have done. Fixes: 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc") Reported-by: Rich Felker Cc: Yoshinori Sato Signed-off-by: Rob Herring Signed-off-by: Rich Felker Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7d1884ee250b0e179d73682b8ccaf9ac3e1a53d0 Author: Leo Yan Date: Thu May 10 12:01:59 2018 +0800 perf cs-etm: Support unknown_thread in cs_etm_auxtrace [ Upstream commit 46d53620044f7b574c0f3216f8b4f2ce3559ce31 ] CoreSight doesn't allocate thread structure for unknown_thread in ETM auxtrace, so unknown_thread is NULL pointer. If the perf data doesn't contain valid tid and then cs_etm__mem_access() uses unknown_thread instead as thread handler, this results in a segmentation fault when thread__find_addr_map() accesses the thread handler. This commit creates a new thread data which is used by unknown_thread, so CoreSight tracing can roll back to use unknown_thread if perf data doesn't include valid thread info. This commit also releases thread data for initialization failure case and for normal auxtrace free flow. Signed-off-by: Leo Yan Acked-by: Mathieu Poirier Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: linux-arm-kernel@lists.infradead.org Link: http://lkml.kernel.org/r/1525924920-4381-1-git-send-email-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 9332f10ed8ff01b20bfb25af59ebde534c9edf4d Author: Marian Rotariu Date: Mon Apr 30 12:23:01 2018 +0300 x86: Delay skip of emulated hypercall instruction [ Upstream commit 6356ee0c9602004e0a3b4b2dad68ee2ee9385b17 ] The IP increment should be done after the hypercall emulation, after calling the various handlers. In this way, these handlers can accurately identify the the IP of the VMCALL if they need it. This patch keeps the same functionality for the Hyper-V handler which does not use the return code of the standard kvm_skip_emulated_instruction() call. Signed-off-by: Marian Rotariu [Hyper-V hypercalls also need kvm_skip_emulated_instruction() - Paolo] Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 922d8611bec3851a3a9deeef05d1b42a29683849 Author: Wanpeng Li Date: Thu Apr 26 17:55:03 2018 -0700 KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs [ Upstream commit ddc9cfb79c1096a0855839631c091aa7e9602052 ] Our virtual machines make use of device assignment by configuring 12 NVMe disks for high I/O performance. Each NVMe device has 129 MSI-X Table entries: Capabilities: [50] MSI-X: Enable+ Count=129 Masked-Vector table: BAR=0 offset=00002000 The windows virtual machines fail to boot since they will map the number of MSI-table entries that the NVMe hardware reported to the bus to msi routing table, this will exceed the 1024. This patch extends MAX_IRQ_ROUTES to 4096 for all archs, in the future this might be extended again if needed. Reviewed-by: Cornelia Huck Cc: Paolo Bonzini Cc: Radim KrÄmář Cc: Cornelia Huck Cc: Christian Borntraeger Signed-off-by: Wanpeng Li Signed-off-by: Tonny Lu Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 8473c9b67b940b98676c3579bcb74dc829c74b6a Author: Nikita Yushchenko Date: Mon May 7 16:53:09 2018 +0300 ARM: dts: imx51-zii-rdu1: fix touchscreen bindings [ Upstream commit 6d3299aef7df7225ecff653feedafb5d1646998b ] This fixes errors in RDU1 device tree that cause touch screens not working. Fixes: ceef0396f367 ("ARM: dts: imx: add ZII RDU1 board") Signed-off-by: Nikita Yushchenko Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ad96b6fcd10378db1208fe099e59e3ce27c0c53a Author: David Howells Date: Thu May 10 23:26:01 2018 +0100 rxrpc: Fix the min security level for kernel calls [ Upstream commit 93864fc3ffcc4bf70e96cfb5cc6e941630419ad0 ] Fix the kernel call initiation to set the minimum security level for kernel initiated calls (such as from kAFS) from the sockopt value. Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info") Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e41489e6e9f0a9e98461be11644f9b5a6706a4b0 Author: David Howells Date: Thu May 10 23:26:00 2018 +0100 rxrpc: Fix error reception on AF_INET6 sockets [ Upstream commit f2aeed3a591ff29a82495eeaa92ac4780bad7487 ] AF_RXRPC tries to turn on IP_RECVERR and IP_MTU_DISCOVER on the UDP socket it just opened for communications with the outside world, regardless of the type of socket. Unfortunately, this doesn't work with an AF_INET6 socket. Fix this by turning on IPV6_RECVERR and IPV6_MTU_DISCOVER instead if the socket is of the AF_INET6 family. Without this, kAFS server and address rotation doesn't work correctly because the algorithm doesn't detect received network errors. Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support") Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4a72e716693b9d8aa56ff51d96049ee7daed487d Author: David Howells Date: Thu May 10 23:26:00 2018 +0100 rxrpc: Fix missing start of call timeout [ Upstream commit c54e43d752c7187595c8c62a231e0b0d53c7fded ] The expect_rx_by call timeout is supposed to be set when a call is started to indicate that we need to receive a packet by that point. This is currently put back every time we receive a packet, but it isn't started when we first send a packet. Without this, the call may wait forever if the server doesn't deign to reply. Fix this by setting the timeout upon a successful UDP sendmsg call for the first DATA packet. The timeout is initiated only for initial transmission and not for subsequent retries as we don't want the retry mechanism to extend the timeout indefinitely. Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") Reported-by: Marc Dionne Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 82fa283f7889d586b05383a5103b2ffe95d74bb9 Author: Ganesh Goudar Date: Wed May 9 19:00:35 2018 +0530 cxgb4: copy mbox log size to PF0-3 adap instances [ Upstream commit aca06eafd09f48ca4d97f3c0b2a12c8d631116f0 ] copy mbox size to adapter instances of PF0-3 to avoid mbox log overflow. This fixes the possible protection fault. Fixes: baf5086840ab ("cxgb4: restructure VF mgmt code") Signed-off-by: Casey Leedom Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1388be9f0a3a98b9e3ca9c407d4f9d126098e132 Author: Michal Kalderon Date: Tue May 8 21:29:19 2018 +0300 qede: Fix gfp flags sent to rdma event node allocation [ Upstream commit 090477e4acb31c5dd674940c7c01d4f16bd1ac41 ] A previous commit 4609adc27175 ("qede: Fix qedr link update") added a flow that could allocate rdma event objects from an interrupt path (link notification). Therefore the kzalloc call should be done with GFP_ATOMIC. fixes: 4609adc27175 ("qede: Fix qedr link update") Signed-off-by: Michal Kalderon Signed-off-by: Sudarsana Kalluru Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4972987f48c2d6d70999268b219784b17fc3b85c Author: Michal Kalderon Date: Tue May 8 21:29:18 2018 +0300 qed: Fix l2 initializations over iWARP personality [ Upstream commit af6858ee423a309d93054c361c61099b8eb12bbf ] If qede driver was loaded on a device configured for iWARP the l2 mutex wouldn't be allocated, and some l2 related resources wouldn't be freed. fixes: c851a9dc4359 ("qed: Introduce iWARP personality") Signed-off-by: Michal Kalderon Signed-off-by: Sudarsana Kalluru Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 16489f2c87caa2b2e799972f661f603b1646aed0 Author: Ying Xue Date: Tue May 8 21:44:06 2018 +0800 tipc: eliminate KMSAN uninit-value in strcmp complaint [ Upstream commit 94f6a80c0c11828cb7b3d79294459dd8d761ca89 ] When we get link properties through netlink interface with tipc_nl_node_get_link(), we don't validate TIPC_NLA_LINK_NAME attribute at all, instead we directly use it. As a consequence, KMSAN detected the TIPC_NLA_LINK_NAME attribute was an uninitialized value, and then posted the following complaint: ================================================================== BUG: KMSAN: uninit-value in strcmp+0xf7/0x160 lib/string.c:329 CPU: 1 PID: 4527 Comm: syz-executor655 Not tainted 4.16.0+ #87 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683 strcmp+0xf7/0x160 lib/string.c:329 tipc_nl_node_get_link+0x220/0x6f0 net/tipc/node.c:1881 genl_family_rcv_msg net/netlink/genetlink.c:599 [inline] genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447 genl_rcv+0x63/0x80 net/netlink/genetlink.c:635 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337 netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 __sys_sendmsg net/socket.c:2080 [inline] SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 SyS_sendmsg+0x54/0x80 net/socket.c:2087 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x445589 RSP: 002b:00007fb7ee66cdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445589 RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003 RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffa2bf3f3f R14: 00007fb7ee66d9c0 R15: 0000000000000001 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 slab_post_alloc_hook mm/slab.h:445 [inline] slab_alloc_node mm/slub.c:2737 [inline] __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:984 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline] netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 __sys_sendmsg net/socket.c:2080 [inline] SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 SyS_sendmsg+0x54/0x80 net/socket.c:2087 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 ================================================================== To quiet the complaint, TIPC_NLA_LINK_NAME attribute has been validated in tipc_nl_node_get_link() before it's used. Reported-by: syzbot+df0257c92ffd4fcc58cd@syzkaller.appspotmail.com Signed-off-by: Ying Xue Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 461adb75f2bb196ca57d773d1c4cf8d14b5a2967 Author: Mathieu Malaterre Date: Sat May 5 21:54:05 2018 +0200 agp: uninorth: make two functions static [ Upstream commit dec60f3a9b7251f2657d743d96ba9a83dca02351 ] Both ‘uninorth_remove_memory’ and ‘null_cache_flush’ can be made static. So make them. Silence the following gcc warning (W=1): drivers/char/agp/uninorth-agp.c:198:5: warning: no previous prototype for ‘uninorth_remove_memory’ [-Wmissing-prototypes] and drivers/char/agp/uninorth-agp.c:473:6: warning: no previous prototype for ‘null_cache_flush’ [-Wmissing-prototypes] Signed-off-by: Mathieu Malaterre Signed-off-by: Dave Airlie Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 24a1c86ab822b7ba3db7c895fcb38405dfc8b675 Author: Andrey Grodzovsky Date: Mon Apr 30 10:04:42 2018 -0400 drm/amdgpu: Switch to interruptable wait to recover from ring hang. [ Upstream commit e6a5b9f9aee145c2f2c24431d84edfbb0d49eea5 ] v2: Use dma_fence_wait instead of dma_fence_wait_timeout(...,MAX_SCHEDULE_TIMEOUT) Avoid printing error message for ERESTARTSYS Originally-by: David Panariti Signed-off-by: Andrey Grodzovsky Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 6e2daada467e845e3927c030f394d0b204bbb08f Author: Paulo Alcantara Date: Fri May 4 11:25:26 2018 -0300 cifs: smb2ops: Fix listxattr() when there are no EAs [ Upstream commit ae2cd7fb478b8da707906ee1706ae1379968a8f9 ] As per listxattr(2): On success, a nonnegative number is returned indicating the size of the extended attribute name list. On failure, -1 is returned and errno is set appropriately. In SMB1, when the server returns an empty EA list through a listxattr(), it will correctly return 0 as there are no EAs for the given file. However, in SMB2+, it returns -ENODATA in listxattr() which is wrong since the request and response were sent successfully, although there's no actual EA for the given file. This patch fixes listxattr() for SMB2+ by returning 0 in cifs_listxattr() when the server returns an empty list of EAs. Signed-off-by: Paulo Alcantara Reviewed-by: Aurelien Aptel Signed-off-by: Steve French Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dbb2f7b3c978e9c233cb6186350cf8abd09919e2 Author: Long Li Date: Wed Apr 25 11:30:04 2018 -0700 cifs: Allocate validate negotiation request through kmalloc [ Upstream commit 2796d303e3c5ec213c578ed3a66872205c126eb8 ] The data buffer allocated on the stack can't be DMA'ed, ib_dma_map_page will return an invalid DMA address for a buffer on stack. Even worse, this incorrect address can't be detected by ib_dma_mapping_error. Sending data from this address to hardware will not fail, but the remote peer will get junk data. Fix this by allocating the request on the heap in smb3_validate_negotiate. Changes in v2: Removed duplicated code on freeing buffers on function exit. (Thanks to Parav Pandit ) Fixed typo in the patch title. Changes in v3: Added "Fixes" to the patch. Changed several sizeof() to use *pointer in place of struct. Changes in v4: Added detailed comments on the failure through RDMA. Allocate request buffer using GPF_NOFS. Fixed possible memory leak. Changes in v5: Removed variable ret for checking return value. Changed to use pneg_inbuf->Dialects[0] to calculate unused space in pneg_inbuf. Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks") Signed-off-by: Long Li Signed-off-by: Steve French Reviewed-by: Ronnie Sahlberg Reviewed-by: Tom Talpey Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0b4995fb5c93ad683f70bc92968259c6a836b929 Author: David Gilhooley Date: Tue May 8 15:49:42 2018 -0700 arm64: Add MIDR encoding for NVIDIA CPUs [ Upstream commit 1b06bd8dd95f7a19ab33fdf0f477c94950822ab3 ] This patch adds the MIDR encodings for NVIDIA as well as the Denver and Carmel CPUs used in Tegra SoCs. Signed-off-by: David Gilhooley Signed-off-by: Will Deacon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d80f99690c691d161b426a0123f2eddbcbfcb6d1 Author: Hans de Goede Date: Thu May 3 11:32:33 2018 +0200 HID: i2c-hid: Add RESEND_REPORT_DESCR quirk for Toshiba Click Mini L9W-B [ Upstream commit 070b9637dd8fa85c3ba7ecc60fe57fa4da9c2d1d ] The 0457:10fb touchscreen found on the Toshiba Click Mini L9W-B needs to have a report-decriptors command send to it on resume in order for the touchscreen to start generating events again on resume. Signed-off-by: Hans de Goede Acked-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b40b95fae4c7a4087c82024346b11ae8ce1b7d93 Author: Jakob Unterwurzacher Date: Wed Apr 18 16:10:03 2018 +0200 can: dev: increase bus-off message severity [ Upstream commit 71c23a821c6bcacba71a094efe49ee689605906b ] bus-off is usually caused by hardware malfunction or configuration error (baud rate mismatch) and causes a complete loss of communication. Increase the "bus-off" message's severity from netdev_dbg() to netdev_info() to make it visible to the user. A can interface going into bus-off is similar in severity to ethernet's "Link is Down" message, which is also printed at info level. It is debatable whether the the "restarted" message should also be changed to netdev_info() to make the interface state changes comprehensible from the kernel log. I have chosen to keep the "restarted" message at dbg for now as the "bus-off" message should be enough for the user to notice and investigate the problem. Signed-off-by: Jakob Unterwurzacher Cc: linux-can@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 46628ff72559f5853d4dd3198d686cc4daf67284 Author: Michael Ellerman Date: Tue May 8 14:59:56 2018 +1000 powerpc/pseries: Fix CONFIG_NUMA=n build [ Upstream commit 6c0a8f6b5a45ac892a763b6299bd3c5324fc5e02 ] The build is failing with CONFIG_NUMA=n and some compiler versions: arch/powerpc/platforms/pseries/hotplug-cpu.o: In function `dlpar_online_cpu': hotplug-cpu.c:(.text+0x12c): undefined reference to `timed_topology_update' arch/powerpc/platforms/pseries/hotplug-cpu.o: In function `dlpar_cpu_remove': hotplug-cpu.c:(.text+0x400): undefined reference to `timed_topology_update' Fix it by moving the empty version of timed_topology_update() into the existing #ifdef block, which has the right guard of SPLPAR && NUMA. Fixes: cee5405da402 ("powerpc/hotplug: Improve responsiveness of hotplug change") Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1a33c67f5681b9efcfcf5f81260e214a4ae9f2d6 Author: Colin Ian King Date: Thu Jun 7 17:54:37 2018 -0400 net: aquantia: fix unsigned numvecs comparison with less than zero commit 58d813afbe89658a5972747460a5fe19dec4dbcb upstream. This was originally mistakenly submitted to net-next. Resubmitting to net. The comparison of numvecs < 0 is always false because numvecs is a u32 and hence the error return from a failed call to pci_alloc_irq_vectores is never detected. Fix this by using the signed int ret to handle the error return and assign numvecs to err. Detected by CoverityScan, CID#1468650 ("Unsigned compared against 0") Fixes: a09bd81b5413 ("net: aquantia: Limit number of vectors to actually allocated irqs") Signed-off-by: Colin Ian King Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller Cc: Holger Hoffstätte Signed-off-by: Greg Kroah-Hartman commit 5947b8b81e99b52fa6e9550cc92fb6b7b1ccd9b7 Author: Igor Russkikh Date: Mon May 7 16:10:39 2018 +0300 net: aquantia: Limit number of vectors to actually allocated irqs [ Upstream commit a09bd81b5413d1b4d705c6c5303b5d311069da22 ] Driver should use pci_alloc_irq_vectors return value to correct number of allocated vectors and napi instances. Otherwise it'll panic later in pci_irq_vector. Driver also should allow more than one MSI vectors to be allocated. Error return path from pci_alloc_irq_vectors is also fixed to revert resources in a correct sequence when error happens. Reported-by: Long, Nicholas Fixes: 23ee07a ("net: aquantia: Cleanup pci functions module") Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a1c56a5fa95a615411a9b6ba37cdf291ac98d78d Author: Igor Russkikh Date: Mon May 7 16:10:38 2018 +0300 net: aquantia: driver should correctly declare vlan_features bits [ Upstream commit 8c61ab7f111a2b29d051348b9cb9a39804ebf1f8 ] In particular, not reporting SG forced skbs to be linear for vlan interfaces over atlantic NIC. With this fix it is possible to enable SG feature on device and therefore optimize performance. Reported-by: Ma Yuying Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 95ddc690b45accf611ae6e0a3dca7cf1abb00eae Author: van der Linden, Frank Date: Fri May 4 16:11:00 2018 -0400 x86/xen: Reset VCPU0 info pointer after shared_info remap [ Upstream commit d1ecfa9d1f402366b1776fbf84e635678a51414f ] This patch fixes crashes during boot for HVM guests on older (pre HVM vector callback) Xen versions. Without this, current kernels will always fail to boot on those Xen versions. Sample stack trace: BUG: unable to handle kernel paging request at ffffffffff200000 IP: __xen_evtchn_do_upcall+0x1e/0x80 PGD 1e0e067 P4D 1e0e067 PUD 1e10067 PMD 235c067 PTE 0 Oops: 0002 [#1] SMP PTI Modules linked in: CPU: 0 PID: 512 Comm: kworker/u2:0 Not tainted 4.14.33-52.13.amzn1.x86_64 #1 Hardware name: Xen HVM domU, BIOS 3.4.3.amazon 11/11/2016 task: ffff88002531d700 task.stack: ffffc90000480000 RIP: 0010:__xen_evtchn_do_upcall+0x1e/0x80 RSP: 0000:ffff880025403ef0 EFLAGS: 00010046 RAX: ffffffff813cc760 RBX: ffffffffff200000 RCX: ffffc90000483ef0 RDX: ffff880020540a00 RSI: ffff880023c78000 RDI: 000000000000001c RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880025403f5c R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff880025400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffff200000 CR3: 0000000001e0a000 CR4: 00000000000006f0 Call Trace: do_hvm_evtchn_intr+0xa/0x10 __handle_irq_event_percpu+0x43/0x1a0 handle_irq_event_percpu+0x20/0x50 handle_irq_event+0x39/0x60 handle_fasteoi_irq+0x80/0x140 handle_irq+0xaf/0x120 do_IRQ+0x41/0xd0 common_interrupt+0x7d/0x7d During boot, the HYPERVISOR_shared_info page gets remapped to make it work with KASLR. This means that any pointer derived from it needs to be adjusted. The only value that this applies to is the vcpu_info pointer for VCPU 0. For PV and HVM with the callback vector feature, this gets done via the smp_ops prepare_boot_cpu callback. Older Xen versions do not support the HVM callback vector, so there is no Xen-specific smp_ops set up in that scenario. So, the vcpu_info pointer for VCPU 0 never gets set to the proper value, and the first reference of it will be bad. Fix this by resetting it immediately after the remap. Signed-off-by: Frank van der Linden Reviewed-by: Eduardo Valentin Reviewed-by: Alakesh Haloi Reviewed-by: Vallish Vaidyeshwara Reviewed-by: Boris Ostrovsky Cc: Juergen Gross Cc: Boris Ostrovsky Cc: xen-devel@lists.xenproject.org Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0f2a2c5d4962a315c1c6be875d91a756d3c8df7e Author: Sara Sharon Date: Fri Apr 20 13:49:19 2018 +0300 mac80211: use timeout from the AddBA response instead of the request [ Upstream commit 914eac248d876f9c00cd1792ffec3d182c863f13 ] 2016 spec, section 10.24.2 specifies that the block ack timeout in the ADD BA request is advisory. That means we should check the value in the response and act upon it (same as buffer size). Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a00136314c980f5c8f082fedfe45d7fd512bad95 Author: Clément Péron Date: Thu May 3 17:32:07 2018 +0200 ARM: dts: cygnus: fix irq type for arm global timer [ Upstream commit 675c7215aacf54242b2e8bc64bab698abbe764db ] As per ARM documentation PPI(0) ID27 - global timer interrupt is rising-edge sensitive. set IRQ triggering type to IRQ_TYPE_EDGE_RISING for ARM Global timers. Fixes: c9ad7bc5fe3 ("ARM: dts: Enable Broadcom Cygnus SoC") Signed-off-by: Clément Péron Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 9a9dea8b8a89dbaf2f64b5c42118afb3e4ad53c2 Author: Mathieu Malaterre Date: Sat May 5 22:00:37 2018 +0200 driver core: add __printf verification to __ata_ehi_pushv_desc [ Upstream commit 0d74d872c3f8b9cb3d096fb932a063b43b37f188 ] __printf is useful to verify format and arguments. Remove the following warning (with W=1): drivers/ata/libata-eh.c:183:10: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format] Signed-off-by: Mathieu Malaterre Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 706daa8c49ad9ed6a62edd9fe0f482ff0d03e17b Author: Jianchao Wang Date: Fri May 4 16:01:57 2018 +0800 nvme: fix use-after-free in nvme_free_ns_head [ Upstream commit 12d9f07022dcde261ad16e9a11f45096dc68b03c ] Currently only nvme_ctrl will take a reference counter of nvme_subsystem, nvme_ns_head also needs it. Otherwise nvme_free_ns_head will access the nvme_subsystem.ns_ida which has been freed by __nvme_release_subsystem after all the reference of nvme_subsystem have been released by nvme_free_ctrl. This could cause memory corruption. BUG: KASAN: use-after-free in radix_tree_next_chunk+0x9f/0x4b0 Read of size 8 at addr ffff88036494d2e8 by task fio/1815 CPU: 1 PID: 1815 Comm: fio Kdump: loaded Tainted: G W 4.17.0-rc1+ #18 Hardware name: LENOVO 10MLS0E339/3106, BIOS M1AKT22A 06/27/2017 Call Trace: dump_stack+0x91/0xeb print_address_description+0x6b/0x290 kasan_report+0x261/0x360 radix_tree_next_chunk+0x9f/0x4b0 ida_remove+0x8b/0x180 ida_simple_remove+0x26/0x40 nvme_free_ns_head+0x58/0xc0 __blkdev_put+0x30a/0x3a0 blkdev_close+0x44/0x50 __fput+0x184/0x380 task_work_run+0xaf/0xe0 do_exit+0x501/0x1440 do_group_exit+0x89/0x140 __x64_sys_exit_group+0x28/0x30 do_syscall_64+0x72/0x230 Signed-off-by: Jianchao Wang Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e944793bf3c50c48cbf05d085eaf8a0f3c52ca3b Author: Tomi Valkeinen Date: Wed May 2 12:11:59 2018 +0300 drm/omap: handle alloc failures in omap_connector [ Upstream commit 47aaaec818dfd1009d1358974a2931f05dd57203 ] Handle memory allocation failures in omap_connector to avoid NULL derefs. Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20180502091159.7071-5-tomi.valkeinen@ti.com Reviewed-by: Benoit Parrot Reviewed-by: Peter Ujfalusi Signed-off-by: Sean Paul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 990be68e9cb6303ab2bc43f6ccf977da8dcaaa84 Author: Tomi Valkeinen Date: Wed May 2 12:11:56 2018 +0300 drm/omap: check return value from soc_device_match [ Upstream commit 4d6cb5e2fee52af17001e92950f0894304706ee4 ] soc_device_match() can return NULL, so add a check and fail if soc_device_match() fails. Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20180502091159.7071-2-tomi.valkeinen@ti.com Reviewed-by: Benoit Parrot Reviewed-by: Peter Ujfalusi Signed-off-by: Sean Paul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 45c8a7c03cbdff9da0cda16db1ecec2f221c0e5c Author: Tomi Valkeinen Date: Thu Mar 29 13:40:37 2018 +0300 drm/omap: fix possible NULL ref issue in tiler_reserve_2d [ Upstream commit 6a0f0c55619f0b82a677cab72e77c3444a5eee58 ] tiler_reserve_2d allocates memory but does not check if it got the memory. Add the check and return ENOMEM on failure. Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20180329104038.29154-2-tomi.valkeinen@ti.com Reviewed-by: Emil Velikov Reviewed-by: Laurent Pinchart Signed-off-by: Sean Paul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 93a3017c56999a285e7198f64240937b899a838b Author: Tomi Valkeinen Date: Thu Mar 29 13:40:36 2018 +0300 drm/omap: fix uninitialized ret variable [ Upstream commit 77eeac24b10fc84d3ffd5b11a897dff88dde244d ] audio_config function for both HDMI4 and HDMI5 return uninitialized value as the error code if the display is not currently enabled. For some reason this has not caused any issues. Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20180329104038.29154-1-tomi.valkeinen@ti.com Reviewed-by: Emil Velikov Reviewed-by: Laurent Pinchart Signed-off-by: Sean Paul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f98f02728b5bcd0894852778a131500d94455ca4 Author: Dan Carpenter Date: Wed Apr 18 17:29:37 2018 +0300 drm/omap: silence unititialized variable warning [ Upstream commit 4a9fbfcab19d3f71ad2bf0bcb653c4ee84e69c7f ] Smatch complains that "area_free" could be used without being initialized. This code is several years old and premusably works fine so this can't be a very serious bug. But it's easy enough to silence the warning. If "area_free" is false at the end of the function then we return -ENOMEM. Signed-off-by: Dan Carpenter Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20180418142937.GA13828@mwanda Signed-off-by: Sean Paul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 53aadc82693dfc582a5a6c2908617a3371321471 Author: Eric Anholt Date: Fri Mar 9 15:32:56 2018 -0800 drm/vc4: Fix oops dereferencing DPI's connector since panel_bridge. [ Upstream commit 164c2416dd40770aba5814f93da835e8a9f7196d ] In the cleanup, I didn't notice that we needed to dereference the connector for the bus_format. Fix the regression by looking up the first (and only) connector attached to us, and assume that its bus_format is what we want. Some day it would be good to have that part of display_info attached to the bridge, instead. v2: Fix stray whitespace change Signed-off-by: Eric Anholt Fixes: 7b1298e05310 ("drm/vc4: Switch DPI to using the panel-bridge helper.") Link: https://patchwork.freedesktop.org/patch/msgid/20180309233256.1667-1-eric@anholt.net Reviewed-by: Sean Paul Reviewed-by: Boris Brezillon Signed-off-by: Sean Paul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f239d48baf915aa0882b6f60d82311d95cd42a8a Author: Ilan Peer Date: Fri Apr 20 13:49:20 2018 +0300 mac80211: Adjust SAE authentication timeout [ Upstream commit 407879b690ba3a6bf29be896d02dad63463bd1c0 ] The IEEE P802.11-REVmd D1.0 specification updated the SAE authentication timeout to be 2000 milliseconds (see dot11RSNASAERetransPeriod). Update the SAE timeout setting accordingly. While at it, reduce some code duplication in the timeout configuration. Signed-off-by: Ilan Peer Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c6735890bcdf6256b8f89c1dcfd7e61c43e6db38 Author: Etienne Carriere Date: Sun Apr 29 14:22:29 2018 +0200 tee: check shm references are consistent in offset/size [ Upstream commit ab9d3db5b320a052452b9cd035599ee3c84bbee9 ] This change prevents userland from referencing TEE shared memory outside the area initially allocated by its owner. Prior this change an application could not reference or access memory it did not own but it could reference memory not explicitly allocated by owner but still allocated to the owner due to the memory allocation granule. Reported-by: Alexandre Jutras Signed-off-by: Etienne Carriere Signed-off-by: Jens Wiklander Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 33602c920837c49779a69d0e0b64fc4209c6832a Author: Rich Felker Date: Sat May 5 16:40:23 2018 -0400 sh: fix build failure for J2 cpu with SMP disabled [ Upstream commit 6cb465972c4eb6741b3094a58a65e527fc63c100 ] The sh asm/smp.h defines a fallback hard_smp_processor_id macro for the !SMP case, but linux/smp.h never includes asm/smp.h in the !SMP case. Signed-off-by: Rich Felker Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 94a2af3bc3d150e914f133c624eb16443eb58c90 Author: Masahiro Yamada Date: Fri Apr 13 14:06:10 2018 +0900 gcc-plugins: fix build condition of SANCOV plugin [ Upstream commit 642ef99be932c4071274b28eaf3d3d85bbb6e78c ] Since commit d677a4d60193 ("Makefile: support flag -fsanitizer-coverage=trace-cmp"), you miss to build the SANCOV plugin under some circumstances. CONFIG_KCOV=y CONFIG_KCOV_ENABLE_COMPARISONS=y Your compiler does not support -fsanitize-coverage=trace-pc Your compiler does not support -fsanitize-coverage=trace-cmp Under this condition, $(CFLAGS_KCOV) is not empty but contains a space, so the following ifeq-conditional is false. ifeq ($(CFLAGS_KCOV),) Then, scripts/Makefile.gcc-plugins misses to add sancov_plugin.so to gcc-plugin-y while the SANCOV plugin is necessary as an alternative means. Fixes: d677a4d60193 ("Makefile: support flag -fsanitizer-coverage=trace-cmp") Signed-off-by: Masahiro Yamada Acked-by: Kees Cook Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 07e8264717e447cab496b3053171d03c550f3d81 Author: Bhadram Varka Date: Wed May 2 20:43:58 2018 +0530 net: phy: broadcom: add support for BCM89610 PHY [ Upstream commit 23b8392201e0681b76630c4cea68e1a2e1821ec6 ] It adds support for BCM89610 (Single-Port 10/100/1000BASE-T) transceiver which is used in P3310 Tegra186 platform. Signed-off-by: Bhadram Varka Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e93d112700952f2d4b93e62eb7c16e36b4199785 Author: Peter Zijlstra Date: Mon Apr 30 14:51:01 2018 +0200 sched/core: Introduce set_special_state() [ Upstream commit b5bf9a90bbebffba888c9144c5a8a10317b04064 ] Gaurav reported a perceived problem with TASK_PARKED, which turned out to be a broken wait-loop pattern in __kthread_parkme(), but the reported issue can (and does) in fact happen for states that do not do condition based sleeps. When the 'current->state = TASK_RUNNING' store of a previous (concurrent) try_to_wake_up() collides with the setting of a 'special' sleep state, we can loose the sleep state. Normal condition based wait-loops are immune to this problem, but for sleep states that are not condition based are subject to this problem. There already is a fix for TASK_DEAD. Abstract that and also apply it to TASK_STOPPED and TASK_TRACED, both of which are also without condition based wait-loop. Reported-by: Gaurav Kohli Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Oleg Nesterov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0d17af4038bb8a54d160b8a4e0993ec9a6375672 Author: Daniel Borkmann Date: Fri May 4 02:13:57 2018 +0200 bpf: use array_index_nospec in find_prog_type [ Upstream commit d0f1a451e33d9ca834422622da30aa68daade56b ] Commit 9ef09e35e521 ("bpf: fix possible spectre-v1 in find_and_alloc_map()") converted find_and_alloc_map() over to use array_index_nospec() to sanitize map type that user space passes on map creation, and this patch does an analogous conversion for progs in find_prog_type() as it's also passed from user space when loading progs as attr->prog_type. Signed-off-by: Daniel Borkmann Cc: Mark Rutland Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d072dc76c0ebd16748b18a375af7857e8bd7f11f Author: Tobias Jakobi Date: Fri Feb 2 16:11:23 2018 +0100 drm/exynos: mixer: avoid Oops in vp_video_buffer() [ Upstream commit 0ccc1c8f0282e237a0bd6dca7cdac4ed5e318ee7 ] If an interlaced video mode is selected, a IOMMU pagefault is triggered by vp_video_buffer(). Fix the most apparent bugs: - pitch value for chroma plane - divide by two of height and vpos of source and destination Signed-off-by: Tobias Jakobi [ a.hajda: Halved also destination height and vpos, updated commit message ] Signed-off-by: Andrzej Hajda Signed-off-by: Inki Dae Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d3180bbbae7d1d1e6e0e54e716c998cb6212e032 Author: Andrzej Hajda Date: Fri Feb 2 16:11:22 2018 +0100 drm/exynos/mixer: fix synchronization check in interlaced mode [ Upstream commit 2eced8e917b060587fc8ed46df41c364957a5050 ] In case of interlace mode video processor registers and mixer config register must be check to ensure internal state is in sync with shadow registers. This patch fixes page-faults in interlaced mode. Signed-off-by: Andrzej Hajda Signed-off-by: Inki Dae Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c76193d5871e6db11f964853a78ddd8247a385ac Author: Mark Rutland Date: Thu May 3 17:04:59 2018 +0100 bpf: fix possible spectre-v1 in find_and_alloc_map() [ Upstream commit 9ef09e35e521bf0df5325cc9cffa726a8f5f3c1b ] It's possible for userspace to control attr->map_type. Sanitize it when using it as an array index to prevent an out-of-bounds value being used under speculation. Found by smatch. Signed-off-by: Mark Rutland Cc: Alexei Starovoitov Cc: Dan Carpenter Cc: Daniel Borkmann Cc: Peter Zijlstra Cc: netdev@vger.kernel.org Acked-by: David S. Miller Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 495ccec45228670fda080aae8a152179c1cce915 Author: Rob Herring Date: Thu May 3 13:09:44 2018 -0500 spi: bcm2835aux: ensure interrupts are enabled for shared handler [ Upstream commit bc519d9574618e47a0c788000fb78da95e18d953 ] The BCM2835 AUX SPI has a shared interrupt line (with AUX UART). Downstream fixes this with an AUX irqchip to demux the IRQ sources and a DT change which breaks compatibility with older kernels. The AUX irqchip was already rejected for upstream[1] and the DT change would break working systems if the DTB is updated to a newer one. The latter issue was brought to my attention by Alex Graf. The root cause however is a bug in the shared handler. Shared handlers must check that interrupts are actually enabled before servicing the interrupt. Add a check that the TXEMPTY or IDLE interrupts are enabled. [1] https://patchwork.kernel.org/patch/9781221/ Cc: Alexander Graf Cc: Marc Zyngier Cc: Mark Brown Cc: Eric Anholt Cc: Stefan Wahren Cc: Florian Fainelli Cc: Ray Jui Cc: Scott Branden Cc: bcm-kernel-feedback-list@broadcom.com Cc: linux-spi@vger.kernel.org Cc: linux-rpi-kernel@lists.infradead.org Cc: linux-arm-kernel@lists.infradead.org Signed-off-by: Rob Herring Reviewed-by: Eric Anholt Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit da3c24015fa92476d5bd3343c8c0f56b4e928021 Author: Parav Pandit Date: Wed May 2 13:18:59 2018 +0300 RDMA/cma: Do not query GID during QP state transition to RTR [ Upstream commit 9aa169213d1166d30ae357a44abbeae93459339d ] When commit [1] was added, SGID was queried to derive the SMAC address. Then, later on during a refactor [2], SMAC was no longer needed. However, the now useless GID query remained. Then during additional code changes later on, the GID query was being done in such a way that it caused iWARP queries to start breaking. Remove the useless GID query and resolve the iWARP breakage at the same time. This is discussed in [3]. [1] commit dd5f03beb4f7 ("IB/core: Ethernet L2 attributes in verbs/cm structures") [2] commit 5c266b2304fb ("IB/cm: Remove the usage of smac and vid of qp_attr and cm_av") [3] https://www.spinics.net/lists/linux-rdma/msg63951.html Suggested-by: Shiraz Saleem Signed-off-by: Parav Pandit Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 000fcf06055b9fc59ad005a4919a06d2277afd50 Author: Jack Morgenstein Date: Wed May 2 13:04:25 2018 +0300 IB/mlx4: Fix integer overflow when calculating optimal MTT size [ Upstream commit b03bcde962606d2ee59a4e9dd470db9ad53c5418 ] When the kernel was compiled using the UBSAN option, we saw the following stack trace: [ 1184.827917] UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx4/mr.c:349:27 [ 1184.828114] signed integer overflow: [ 1184.828247] -2147483648 - 1 cannot be represented in type 'int' The problem was caused by calling round_up in procedure mlx4_ib_umem_calc_optimal_mtt_size (on line 349, as noted in the stack trace) with the second parameter (1 << block_shift) (which is an int). The second parameter should have been (1ULL << block_shift) (which is an unsigned long long). (1 << block_shift) is treated by the compiler as an int (because 1 is an integer). Now, local variable block_shift is initialized to 31. If block_shift is 31, 1 << block_shift is 1 << 31 = 0x80000000=-214748368. This is the most negative int value. Inside the round_up macro, there is a cast applied to ((1 << 31) - 1). However, this cast is applied AFTER ((1 << 31) - 1) is calculated. Since (1 << 31) is treated as an int, we get the negative overflow identified by UBSAN in the process of calculating ((1 << 31) - 1). The fix is to change (1 << block_shift) to (1ULL << block_shift) on line 349. Fixes: 9901abf58368 ("IB/mlx4: Use optimal numbers of MTT entries") Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d047fef7eb1321939af74e10a5cb603e20cd19f6 Author: Sebastian Sanchez Date: Tue May 1 05:36:13 2018 -0700 IB/hfi1: Fix memory leak in exception path in get_irq_affinity() [ Upstream commit 59482a14918b282ca2a98f38c69da5ebeb1107d2 ] When IRQ affinity is set and the interrupt type is unknown, a cpu mask allocated within the function is never freed. Fix this memory leak by allocating memory within the scope where it is used. Reviewed-by: Mike Marciniszyn Reviewed-by: Michael J. Ruhl Signed-off-by: Sebastian Sanchez Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3566fe0f196ea7d1d189a0437e7b0a7c3eed05e3 Author: Sebastian Sanchez Date: Tue May 1 05:36:06 2018 -0700 IB/{hfi1, rdmavt}: Fix memory leak in hfi1_alloc_devdata() upon failure [ Upstream commit e9777ad4399c26c70318c4945f94efac2ed95391 ] When allocating device data, if there's an allocation failure, the already allocated memory won't be freed such as per-cpu counters. Fix memory leaks in exception path by creating a common reentrant clean up function hfi1_clean_devdata() to be used at driver unload time and device data allocation failure. To accomplish this, free_platform_config() and clean_up_i2c() are changed to be reentrant to remove dependencies when they are called in different order. This helps avoid NULL pointer dereferences introduced by this patch if those two functions weren't reentrant. In addition, set dd->int_counter, dd->rcv_limit, dd->send_schedule and dd->tx_opstats to NULL after they're freed in hfi1_clean_devdata(), so that hfi1_clean_devdata() is fully reentrant. Reviewed-by: Mike Marciniszyn Reviewed-by: Michael J. Ruhl Signed-off-by: Sebastian Sanchez Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit eca2f76b1d13c2dedc24e3b405389018866ed76b Author: Michael J. Ruhl Date: Tue May 1 05:35:43 2018 -0700 IB/hfi1 Use correct type for num_user_context [ Upstream commit 5da9e742be44d9b7c68b1bf6e1aaf46a1aa7a52b ] The module parameter num_user_context is defined as 'int' and defaults to -1. The module_param_named() says that it is uint. Correct module_param_named() type information and update the modinfo text to reflect the default value. Reviewed-by: Dennis Dalessandro Signed-off-by: Michael J. Ruhl Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1a767e7368d277c10e673844dfa69713e66b9b8c Author: Stefan Raspl Date: Thu May 3 17:57:39 2018 +0200 smc: fix sendpage() call [ Upstream commit bda27ff5c4526f80a7620a94ecfe8dca153e3696 ] The sendpage() call grabs the sock lock before calling the default implementation - which tries to grab it once again. Signed-off-by: Stefan Raspl Signed-off-by: Ursula Braun < Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3859ef2e35925ebf0a01e3badba0db4f08620acb Author: Heikki Krogerus Date: Wed Apr 25 17:22:09 2018 +0300 usb: typec: tps6598x: handle block reads separately with plain-I2C adapters [ Upstream commit 1a2f474d328f292ee706414824ec4ca690cdf5ba ] If the I2C adapter that the PD controller is attached to does not support SMBus protocol, the driver needs to handle block reads separately. The first byte returned in block read protocol will show the total number of bytes. It needs to be stripped away. This is handled separately in the driver only because right now we have no way of requesting the used protocol with regmap-i2c. This is in practice a workaround for what is really a problem in regmap-i2c. The other option would have been to register custom regmap, or not use regmap at all, however, since the solution is very simple, I choose to use it in this case for convenience. It is easy to remove once we figure out how to handle this kind of cases in regmap-i2c. Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers") Reviewed-by: Guenter Roeck Signed-off-by: Heikki Krogerus Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5f9aa3410ce7004f402b74ee5326cd6ff16fd3aa Author: Graeme Smecher Date: Wed May 2 17:32:36 2018 -0700 ARM: dts: correct missing "compatible" entry for ti81xx SoCs [ Upstream commit 647efef69de483f1dd7944ede31b4cae16acb124 ] The missing "compatible" entries are needed by drivers/clk/ti/clkctrl.c, and without them the structures initialized in drivers/clk/ti/clk-814x.c are not passed to configuration code. The result is a "not found from clkctrl data" error message, although boot proceeds anyway. The reason why the compatible is not found is because the board specific files override the SoC compatible without including it. This did not cause any issues until with the clkctrl nodes got introduced. Very lightly tested on a (lurching) AM3874 design that's in the middle of a kernel upgrade from TI's abandoned 2.6.37 tree. Also tested on j5eco-evm and hp-t410 to verify the clkctrl clocks are found. Fixes: bb30465b5902 ("ARM: dts: dm814x: add clkctrl nodes") Fixes: 80a06c0d8357 ("ARM: dts: dm816x: add clkctrl nodes") Signed-off-by: Graeme Smecher [tony: updated to fix for 8168-evm, updated comments] Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4e2d6ec42039d928cfc4ae40fbcb07867fbcb6ce Author: Janusz Krzysztofik Date: Wed May 2 20:32:03 2018 +0200 ARM: OMAP1: ams-delta: fix deferred_fiq handler [ Upstream commit baf64250b4a513bf4ac226fd938692dc1836f4f6 ] The deferred_fiq handler used to limit hardware operations to IRQ unmask only, relying on gpio-omap assigned handler performing the ACKs. Since commit 80ac93c27441 ("gpio: omap: Fix lost edge interrupts") this is no longer the case as handle_edge_irq() has been replaced with handle_simmple_irq() which doesn't touch the hardware. Add single ACK operation per each active IRQ pin to the handler. While being at it, move unmask operation out of irq_counter loop so it is also called only once for each active IRQ pin. Fixes: 80ac93c27441 ("gpio: omap: Fix lost edge interrupts") Signed-off-by: Janusz Krzysztofik Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 38c3d8237d45bdb8aa0dea3ff96ca50fbac056ff Author: Keith Busch Date: Thu Apr 26 14:22:41 2018 -0600 nvme/multipath: Fix multipath disabled naming collisions [ Upstream commit a785dbccd95c37606c720580714f5a7a8b3255f1 ] When CONFIG_NVME_MULTIPATH is set, but we're not using nvme to multipath, namespaces with multiple paths were not creating unique names due to reusing the same instance number from the namespace's head. This patch fixes this by falling back to the non-multipath naming method when the parameter disabled using multipath. Reported-by: Mike Snitzer Signed-off-by: Keith Busch Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 44ac74871de3ad04f73149f463a4be484cdee84a Author: Keith Busch Date: Thu Apr 26 14:24:29 2018 -0600 nvme/multipath: Disable runtime writable enabling parameter [ Upstream commit 5cadde8019a6a80550fdde92d5a3327565974eab ] We can't allow the user to change multipath settings at runtime, as this will create naming conflicts due to the different naming schemes used for each mode. Signed-off-by: Keith Busch Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b6e47b0da4563504367396f7740cae79dcd22620 Author: Keith Busch Date: Tue Apr 17 14:42:44 2018 -0600 nvme: Set integrity flag for user passthrough commands [ Upstream commit f31a21103c03bb62846409fdc60cc9faf2398cfb ] If the command a separate metadata buffer attached, the request needs to have the integrity flag set so the driver knows to map it. Signed-off-by: Keith Busch Reviewed-by: Martin K. Petersen Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3e9138e6e9cceb16642e372253cd77335c0d9892 Author: Chengguang Xu Date: Sat Apr 14 20:06:19 2018 +0800 nvme: fix potential memory leak in option parsing [ Upstream commit 59a2f3f00fd744dbad22593f47552037d3154ca6 ] When specifying same string type option several times, current option parsing may cause memory leak. Hence, call kfree for previous one in this case. Signed-off-by: Chengguang Xu Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b4deb74d6480443de0f282cb69081ab67715e450 Author: Changbin Du Date: Fri Apr 20 13:29:55 2018 +0800 iommu/vt-d: fix shift-out-of-bounds in bug checking [ Upstream commit 0dfc0c792d691f8056f38b5c30789f504be0e467 ] It allows to flush more than 4GB of device TLBs. So the mask should be 64bit wide. UBSAN captured this fault as below. [ 3.760024] ================================================================================ [ 3.768440] UBSAN: Undefined behaviour in drivers/iommu/dmar.c:1348:3 [ 3.774864] shift exponent 64 is too large for 32-bit type 'int' [ 3.780853] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G U 4.17.0-rc1+ #89 [ 3.788661] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016 [ 3.796034] Call Trace: [ 3.798472] [ 3.800479] dump_stack+0x90/0xfb [ 3.803787] ubsan_epilogue+0x9/0x40 [ 3.807353] __ubsan_handle_shift_out_of_bounds+0x10e/0x170 [ 3.812916] ? qi_flush_dev_iotlb+0x124/0x180 [ 3.817261] qi_flush_dev_iotlb+0x124/0x180 [ 3.821437] iommu_flush_dev_iotlb+0x94/0xf0 [ 3.825698] iommu_flush_iova+0x10b/0x1c0 [ 3.829699] ? fq_ring_free+0x1d0/0x1d0 [ 3.833527] iova_domain_flush+0x25/0x40 [ 3.837448] fq_flush_timeout+0x55/0x160 [ 3.841368] ? fq_ring_free+0x1d0/0x1d0 [ 3.845200] ? fq_ring_free+0x1d0/0x1d0 [ 3.849034] call_timer_fn+0xbe/0x310 [ 3.852696] ? fq_ring_free+0x1d0/0x1d0 [ 3.856530] run_timer_softirq+0x223/0x6e0 [ 3.860625] ? sched_clock+0x5/0x10 [ 3.864108] ? sched_clock+0x5/0x10 [ 3.867594] __do_softirq+0x1b5/0x6f5 [ 3.871250] irq_exit+0xd4/0x130 [ 3.874470] smp_apic_timer_interrupt+0xb8/0x2f0 [ 3.879075] apic_timer_interrupt+0xf/0x20 [ 3.883159] [ 3.885255] RIP: 0010:poll_idle+0x60/0xe7 [ 3.889252] RSP: 0018:ffffb1b201943e30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 [ 3.896802] RAX: 0000000080200000 RBX: 000000000000008e RCX: 000000000000001f [ 3.903918] RDX: 0000000000000000 RSI: 000000002819aa06 RDI: 0000000000000000 [ 3.911031] RBP: ffff9e93c6b33280 R08: 00000010f717d567 R09: 000000000010d205 [ 3.918146] R10: ffffb1b201943df8 R11: 0000000000000001 R12: 00000000e01b169d [ 3.925260] R13: 0000000000000000 R14: ffffffffb12aa400 R15: 0000000000000000 [ 3.932382] cpuidle_enter_state+0xb4/0x470 [ 3.936558] do_idle+0x222/0x310 [ 3.939779] cpu_startup_entry+0x78/0x90 [ 3.943693] start_secondary+0x205/0x2e0 [ 3.947607] secondary_startup_64+0xa5/0xb0 [ 3.951783] ================================================================================ Signed-off-by: Changbin Du Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 40e8133ab76349252a131828457cb1f67f4c2b31 Author: Jagannathan Raman Date: Tue Mar 6 17:39:41 2018 -0500 iommu/vt-d: Fix usage of force parameter in intel_ir_reconfigure_irte() [ Upstream commit aa7528fe3576d11f4a10237178a723a1f080a547 ] It was noticed that the IRTE configured for guest OS kernel was over-written while the guest was running. As a result, vt-d Posted Interrupts configured for the guest are not being delivered directly, and instead bounces off the host. Every interrupt delivery takes a VM Exit. It was noticed that the following stack is doing the over-write: [ 147.463177] modify_irte+0x171/0x1f0 [ 147.463405] intel_ir_set_affinity+0x5c/0x80 [ 147.463641] msi_domain_set_affinity+0x32/0x90 [ 147.463881] irq_do_set_affinity+0x37/0xd0 [ 147.464125] irq_set_affinity_locked+0x9d/0xb0 [ 147.464374] __irq_set_affinity+0x42/0x70 [ 147.464627] write_irq_affinity.isra.5+0xe1/0x110 [ 147.464895] proc_reg_write+0x38/0x70 [ 147.465150] __vfs_write+0x36/0x180 [ 147.465408] ? handle_mm_fault+0xdf/0x200 [ 147.465671] ? _cond_resched+0x15/0x30 [ 147.465936] vfs_write+0xad/0x1a0 [ 147.466204] SyS_write+0x52/0xc0 [ 147.466472] do_syscall_64+0x74/0x1a0 [ 147.466744] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 reversing the sense of force check in intel_ir_reconfigure_irte() restores proper posted interrupt functionality Signed-off-by: Jagannathan Raman Fixes: d491bdff888e ('iommu/vt-d: Reevaluate vector configuration on activate()') Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f41c7444f3583f6cbf20c5fdab599773887c1c6e Author: Bhadram Varka Date: Wed May 2 20:44:40 2018 +0530 arm64: tegra: Make BCM89610 PHY interrupt as active low [ Upstream commit 9df50ba76ac1485b844beffa1f3f5d9659d9cdaf ] Need to configure PHY interrupt as active low for P3310 Tegra186 platform otherwise it results in spurious interrupts. This issue wasn't seen before because the generic PHY driver without interrupt support was used. Signed-off-by: Bhadram Varka Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0ad11385532e11cfd541621b3c097f6df33bf467 Author: Peter Zijlstra Date: Tue May 1 18:14:45 2018 +0200 kthread, sched/wait: Fix kthread_parkme() completion issue [ Upstream commit 85f1abe0019fcb3ea10df7029056cf42702283a8 ] Even with the wait-loop fixed, there is a further issue with kthread_parkme(). Upon hotplug, when we do takedown_cpu(), smpboot_park_threads() can return before all those threads are in fact blocked, due to the placement of the complete() in __kthread_parkme(). When that happens, sched_cpu_dying() -> migrate_tasks() can end up migrating such a still runnable task onto another CPU. Normally the task will have hit schedule() and gone to sleep by the time we do kthread_unpark(), which will then do __kthread_bind() to re-bind the task to the correct CPU. However, when we loose the initial TASK_PARKED store to the concurrent wakeup issue described previously, do the complete(), get migrated, it is possible to either: - observe kthread_unpark()'s clearing of SHOULD_PARK and terminate the park and set TASK_RUNNING, or - __kthread_bind()'s wait_task_inactive() to observe the competing TASK_RUNNING store. Either way the WARN() in __kthread_bind() will trigger and fail to correctly set the CPU affinity. Fix this by only issuing the complete() when the kthread has scheduled out. This does away with all the icky 'still running' nonsense. The alternative is to promote TASK_PARKED to a special state, this guarantees wait_task_inactive() cannot observe a 'stale' TASK_RUNNING and we'll end up doing the right thing, but this preserves the whole icky business of potentially migating the still runnable thing. Reported-by: Gaurav Kohli Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Oleg Nesterov Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7a1b71fa0c4b433f8d1c7922812b2e79c9c3f7ee Author: Peter Zijlstra Date: Mon Apr 30 14:50:22 2018 +0200 kthread, sched/wait: Fix kthread_parkme() wait-loop [ Upstream commit 741a76b350897604c48fb12beff1c9b77724dc96 ] Gaurav reported a problem with __kthread_parkme() where a concurrent try_to_wake_up() could result in competing stores to ->state which, when the TASK_PARKED store got lost bad things would happen. The comment near set_current_state() actually mentions this competing store, but only mentions the case against TASK_RUNNING. This same store, with different timing, can happen against a subsequent !RUNNING store. This normally is not a problem, because as per that same comment, the !RUNNING state store is inside a condition based wait-loop: for (;;) { set_current_state(TASK_UNINTERRUPTIBLE); if (!need_sleep) break; schedule(); } __set_current_state(TASK_RUNNING); If we loose the (first) TASK_UNINTERRUPTIBLE store to a previous (concurrent) wakeup, the schedule() will NO-OP and we'll go around the loop once more. The problem here is that the TASK_PARKED store is not inside the KTHREAD_SHOULD_PARK condition wait-loop. There is a genuine issue with sleeps that do not have a condition; this is addressed in a subsequent patch. Reported-by: Gaurav Kohli Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Oleg Nesterov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f2cb0d5b02aca3ba55306821d8a6a28ca102b81b Author: Peter Zijlstra Date: Fri Apr 20 11:50:05 2018 +0200 stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock [ Upstream commit 0b26351b910fb8fe6a056f8a1bbccabe50c0e19f ] Matt reported the following deadlock: CPU0 CPU1 schedule(.prev=migrate/0) pick_next_task() ... idle_balance() migrate_swap() active_balance() stop_two_cpus() spin_lock(stopper0->lock) spin_lock(stopper1->lock) ttwu(migrate/0) smp_cond_load_acquire() -- waits for schedule() stop_one_cpu(1) spin_lock(stopper1->lock) -- waits for stopper lock Fix this deadlock by taking the wakeups out from under stopper->lock. This allows the active_balance() to queue the stop work and finish the context switch, which in turn allows the wakeup from migrate_swap() to observe the context and complete the wakeup. Signed-off-by: Peter Zijlstra (Intel) Reported-by: Matt Fleming Signed-off-by: Peter Zijlstra (Intel) Acked-by: Matt Fleming Cc: Linus Torvalds Cc: Michal Hocko Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20180420095005.GH4064@hirez.programming.kicks-ass.net Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c3a28e6c556ec735c682d37dc6d047b7259cd126 Author: Helge Deller Date: Fri Apr 20 23:19:17 2018 +0200 parisc: drivers.c: Fix section mismatches [ Upstream commit b819439fea305a0bfd6ca23a7994fd1a8847c0d8 ] Fix two section mismatches in drivers.c: 1) Section mismatch in reference from the function alloc_tree_node() to the function .init.text:create_tree_node(). 2) Section mismatch in reference from the function walk_native_bus() to the function .init.text:alloc_pa_dev(). Signed-off-by: Helge Deller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 002be03e4421dfd0c33f76db0a38eab925a1b994 Author: Daniel Borkmann Date: Wed May 2 20:12:23 2018 +0200 bpf, x64: fix memleak when not converging on calls [ Upstream commit 39f56ca945af86112753646316c4c92dcd4acd82 ] The JIT logic in jit_subprogs() is as follows: for all subprogs we allocate a bpf_prog_alloc(), populate it (prog->is_func = 1 here), and pass it to bpf_int_jit_compile(). If a failure occurred during JIT and prog->jited is not set, then we bail out from attempting to JIT the whole program, and punt to the interpreter instead. In case JITing went successful, we fixup BPF call offsets and do another pass to bpf_int_jit_compile() (extra_pass is true at that point) to complete JITing calls. Given that requires to pass JIT context around addrs and jit_data from x86 JIT are freed in the extra_pass in bpf_int_jit_compile() when calls are involved (if not, they can be freed immediately). However, if in the original pass, the JIT image didn't converge then we leak addrs and jit_data since image itself is NULL, the prog->is_func is set and extra_pass is false in that case, meaning both will become unreachable and are never cleaned up, therefore we need to free as well on !image. Only x64 JIT is affected. Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Acked-by: David S. Miller Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1065c60b56780ed27386fcab54b39f6bfbb8c718 Author: Daniel Borkmann Date: Wed May 2 20:12:22 2018 +0200 bpf, x64: fix memleak when not converging after image [ Upstream commit 3aab8884c9eb99189a3569ac4e6b205371c9ac0b ] While reviewing x64 JIT code, I noticed that we leak the prior allocated JIT image in the case where proglen != oldproglen during the JIT passes. Prior to the commit e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT compiler") we would just break out of the loop, and using the image as the JITed prog since it could only shrink in size anyway. After e0ee9c12157d, we would bail out to out_addrs label where we free addrs and jit_data but not the image coming from bpf_jit_binary_alloc(). Fixes: e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT compiler") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Acked-by: David S. Miller Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 89d6f84a4b3dea39b8236774513e7d6fb8d3b437 Author: Ladislav Michl Date: Wed May 2 12:41:32 2018 +0200 mtd: onenand: omap2: Disable DMA for HIGHMEM buffers [ Upstream commit 6732cfd4cac514b556f36b518670af91c8bdf19a ] dma_map_single does not work for vmalloc-ed buffers, so disable DMA in this case. Signed-off-by: Ladislav Michl Reported-by: "H. Nikolaus Schaller" Tested-by: "H. Nikolaus Schaller" Reviewed-by: Peter Ujfalusi Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b2f7c8ae33dea0ddfa1d2285d0a91e4575465f57 Author: Mika Westerberg Date: Wed Apr 25 13:32:11 2018 +0300 pinctrl: cherryview: Associate IRQ descriptors to irqdomain [ Upstream commit 83b9dc11312f48a561594a895672abb6cb2a2250 ] When we dropped the custom Linux GPIO translation it resulted that the IRQ numbers changed slightly as well. Normally this would be fine because everyone is expected to use controller relative GPIO numbers and ACPI GpioIo/GpioInt resources. However, there is a certain set of Intel_Strago based Chromebooks where i8042 keyboard controller IRQ number is hardcoded be 182 (this is corrected with newer coreboot but the older ones still have the hardcoded Linux IRQ number). Because of this hardcoded IRQ number keyboard on those systems accidentally broke again. Fix this by iteratively associating IRQ descriptors to the chip irqdomain so that there are no gaps on those systems. Other systems are not affected. Fixes: 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation") Link: https://bugzilla.kernel.org/show_bug.cgi?id=199463 Reported-by: Sultan Alsawaf Signed-off-by: Mika Westerberg Reviewed-by: Andy Shevchenko Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 15a3c509fab20e69317a67f01d80003984949d1d Author: Yixun Lan Date: Tue Apr 17 17:08:24 2018 +0000 pinctrl: meson-axg: fix the range of aobus bank [ Upstream commit b84e54616a946f24eeeca8762cb70a9074b045e7 ] The GPIOAO bank is range from GPIOAO_0 to GPIOAO_13. Fixes: 83c566806a68 ("pinctrl: meson-axg: Add new pinctrl driver for Meson AXG SoC") Reported-by: Xingyu Chen Signed-off-by: Yixun Lan Acked-by: Kevin Hilman Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ea1808501e56bdb4b2cac2fcf8decce9f1c1084f Author: Sekhar Nori Date: Wed Apr 18 15:02:46 2018 +0530 ARM: davinci: fix GPIO lookup for I2C [ Upstream commit 9411ac07cd764be34bbd7ff09125a6b7b9175d4c ] The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that I2C can correctly lookup the recovery gpios. Note that it is the gpio-davinci driver that sets the gpiochip label to davinci_gpio.0. Also, the I2C device uses an id of 1 on DM644x and DM355. While at it, convert to using GPIO_TO_PIN() for referring to GPIO pin numbers, like it is done in rest of the board support files. Fixes: e53537653791 ("i2c/ARM: davinci: Deep refactoring of I2C recovery") Reviewed-by: David Lechner Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 98a09f6a7e1340c7ddadcea5de9cf40549cbec90 Author: Jim Gill Date: Fri Apr 20 19:04:47 2018 -0700 scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts [ Upstream commit f4b024271ae3e9786e5d6f1c05b01b57a74e1d6d ] The vmw_pvscsi driver returns DID_ABORT for commands aborted internally by the adapter, leading to the filesystem going read-only. Change the result to DID_BUS_BUSY, causing the kernel to retry the command. Signed-off-by: Jim Gill Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a4abbfd192e011904113db1cdac257611776049b Author: Arnd Bergmann Date: Fri Apr 6 16:28:23 2018 +0200 hexagon: export csum_partial_copy_nocheck [ Upstream commit 330e261c35dfb969c48f996dbbc8b334b5ee8d9d ] This is needed to link ipv6 as a loadable module, which in turn happens in allmodconfig. Signed-off-by: Arnd Bergmann Signed-off-by: Richard Kuo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d29bf795ec282230a30029c83e3b5752a67caaeb Author: Arnd Bergmann Date: Fri Apr 6 16:28:22 2018 +0200 hexagon: add memset_io() helper [ Upstream commit a57ab96ef9dde231d4d46edba4d5f73720edc16a ] We already have memcpy_toio(), but not memset_io(), so let's add the obvious version to allow building an allmodconfig kernel without errors like drivers/gpu/drm/ttm/ttm_bo_util.c: In function 'ttm_bo_move_memcpy': drivers/gpu/drm/ttm/ttm_bo_util.c:390:3: error: implicit declaration of function 'memset_io' [-Werror=implicit-function-declaration] Signed-off-by: Arnd Bergmann Signed-off-by: Richard Kuo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dfc35b9041e5ac26c19e1bbe95d5f131f6a956b7 Author: Nick Dyer Date: Tue May 1 11:40:18 2018 -0700 Input: atmel_mxt_ts - fix the firmware update [ Upstream commit 068bdb67ef74df0ad1627b7247a163e3e252ac11 ] The automatic update mechanism will trigger an update if the info block CRCs are different between maxtouch configuration file (maxtouch.cfg) and chip. The driver compared the CRCs without retrieving the chip CRC, resulting always in a failure and firmware flashing action triggered. Fix this issue by retrieving the chip info block CRC before the check. Note that this solution has the benefit that by reading the information block and the object table into a contiguous region of memory, we can verify the checksum at probe time. This means we make sure that we are indeed talking to a chip that supports object protocol correctly. Using this patch on a kevin chromebook, the touchscreen and touchpad drivers are able to match the CRC: atmel_mxt_ts 3-004b: Family: 164 Variant: 14 Firmware V2.3.AA Objects: 40 atmel_mxt_ts 5-004a: Family: 164 Variant: 17 Firmware V2.0.AA Objects: 31 atmel_mxt_ts 3-004b: Resetting device atmel_mxt_ts 5-004a: Resetting device atmel_mxt_ts 3-004b: Config CRC 0x573E89: OK atmel_mxt_ts 3-004b: Touchscreen size X4095Y2729 input: Atmel maXTouch Touchscreen as /devices/platform/ff130000.i2c/i2c-3/3-004b/input/input5 atmel_mxt_ts 5-004a: Config CRC 0x0AF6BA: OK atmel_mxt_ts 5-004a: Touchscreen size X1920Y1080 input: Atmel maXTouch Touchpad as /devices/platform/ff140000.i2c/i2c-5/5-004a/input/input6 Signed-off-by: Nick Dyer Acked-by: Benson Leung [Ezequiel: minor patch massage] Signed-off-by: Ezequiel Garcia Tested-by: Sebastian Reichel Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit bd7a712b35ea2003e53551bf75aade46aff28996 Author: Chuck Lever Date: Tue May 1 11:37:14 2018 -0400 xprtrdma: Fix list corruption / DMAR errors during MR recovery [ Upstream commit 054f155721d7af1f343ed52bea246626d8450ca8 ] The ro_release_mr methods check whether mr->mr_list is empty. Therefore, be sure to always use list_del_init when removing an MR linked into a list using that field. Otherwise, when recovering from transport failures or device removal, list corruption can result, or MRs can get mapped or unmapped an odd number of times, resulting in IOMMU-related failures. In general this fix is appropriate back to v4.8. However, code changes since then make it impossible to apply this patch directly to stable kernels. The fix would have to be applied by hand or reworked for kernels earlier than v4.16. Backport guidance -- there are several cases: - When creating an MR, initialize mr_list so that using list_empty on an as-yet-unused MR is safe. - When an MR is being handled by the remote invalidation path, ensure that mr_list is reinitialized when it is removed from rl_registered. - When an MR is being handled by rpcrdma_destroy_mrs, it is removed from mr_all, but it may still be on an rl_registered list. In that case, the MR needs to be removed from that list before being released. - Other cases are covered by using list_del_init in rpcrdma_mr_pop. Fixes: 9d6b04097882 ('xprtrdma: Place registered MWs on a ... ') Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 32775f26b34844d7b00719f7c60ab1bd68ddfdf1 Author: Adam Ford Date: Tue May 1 08:58:53 2018 -0500 ARM: dts: logicpd-som-lv: Fix Audio Mute [ Upstream commit 95e59fc3c3fa3187a07a75f40b21637deb4bd12d ] The Audio has worked, but the mute pin has a weak pulldown which alows some of the audio signal to pass very quietly. This patch fixes that so the mute pin is actively driven high for mute or low for normal operation. Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD DM3730 SOM-LV") Signed-off-by: Adam Ford Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit af31d711681dd949ee80a225deee685eec09a249 Author: Adam Ford Date: Mon Apr 30 18:24:34 2018 -0500 ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues [ Upstream commit 189822cbcbf3ea37c26a15612d8f922c440bc0e0 ] The VAUX3 rail from the PMIC powers a clock driver which clocks the WL127x. This corrects a bug which did not correctly associate the vin-supply with the proper power rail. This also fixes a typo in the pinmuxing to properly configure the interrupt pin. Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD DM3730 SOM-LV") Signed-off-by: Adam Ford Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 071fad901f27ea2cc70ccd636db9c9a0ae9118ce Author: Tero Kristo Date: Fri Mar 9 11:50:20 2018 +0200 ARM: OMAP2+: powerdomain: use raw_smp_processor_id() for trace [ Upstream commit 33e9572483031a79ad0a4468064675144d9269ec ] smp_processor_id() checks preemption if CONFIG_DEBUG_PREEMPT is enabled, causing a warning dump during boot: [ 5.042377] BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1 [ 5.050281] caller is pwrdm_set_next_pwrst+0x48/0x88 [ 5.055330] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.14.24-g57341df0b4 #1 Use the raw_smp_processor_id() for the trace instead, this value does not need to be perfectly correct. The alternative of disabling preempt is too heavy weight operation to be applied in PM hot path for just tracing purposes. Signed-off-by: Tero Kristo Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a84cb68033e06228254fdcf6f37b8c900fd94ed8 Author: Geert Uytterhoeven Date: Wed Apr 25 09:49:38 2018 +0200 dt-bindings: panel: lvds: Fix path to display timing bindings [ Upstream commit f130307054a59ca21d2396f386be77ebd2e8ca96 ] Fixes: 14da3ed8dd08c581 ("devicetree/bindings: display: Document common panel properties") Signed-off-by: Geert Uytterhoeven Reviewed-by: Laurent Pinchart Signed-off-by: Rob Herring Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e496c6b11bc03023f2e34bf689b9bb94849825e2 Author: Sekhar Nori Date: Wed Apr 25 14:53:23 2018 +0530 ARM: davinci: board-dm355-evm: fix broken networking [ Upstream commit 5c054de228dd6d97bf8e38962bd118953b66e5a0 ] Since commit 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all error conditions of dm9000_parse_dt()"), passing either non-NULL platform data or device-tree for dm9000 driver to probe is mandatory. DM335 board was using none, so networking failed to initialize. Fix it by passing non-NULL (but empty) platform data. Fixes: 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all error conditions of dm9000_parse_dt()") Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5ebca90cc69a918448154b19ae42b30aface83f8 Author: Sekhar Nori Date: Tue Apr 24 20:05:06 2018 +0530 ARM: davinci: board-omapl138-hawk: fix GPIO numbers for MMC/SD lookup [ Upstream commit d45622c0eaa5992a1a2248cbe93e1ff7a2da7be4 ] commit c4dc56be7e26 ("ARM: davinci: fix the GPIO lookup for omapl138-hawk") fixed the GPIO chip name for look-up of MMC/SD CD and WP pins, but forgot to change the GPIO numbers passed. The GPIO numbers are not offsets from within a 32 GPIO bank. Fix the GPIO numbers as well as remove the misleading comment. Fixes: c4dc56be7e26 ("ARM: davinci: fix the GPIO lookup for omapl138-hawk") Reviewed-by: David Lechner Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2082d10e199ef06e7fdf10016d5dd8d4e1fef7e9 Author: Sekhar Nori Date: Tue Apr 24 20:05:04 2018 +0530 ARM: davinci: board-da850-evm: fix GPIO lookup for MMC/SD [ Upstream commit 67c6b6ff221f807180aea6dd597246f87e1dd98a ] The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that mmc can correctly lookup the wp and cp gpios. Also fix the GPIO numbers as they are not offsets within a bank. Note that it is the gpio-davinci driver that sets the gpiochip label to davinci_gpio.0. Fixes: bdf0e8364fd3 ("ARM: davinci: da850-evm: use gpio descriptor for mmc pins") Reviewed-by: David Lechner Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dd7806ea54d62b741081f5e570852e36db5e6ac7 Author: Sekhar Nori Date: Tue Apr 24 20:05:03 2018 +0530 ARM: davinci: board-da830-evm: fix GPIO lookup for MMC/SD [ Upstream commit 51e9f12163223546bd3aa9f7af6817931f980da8 ] The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that mmc can correctly lookup the wp and cp gpios. Also fix the GPIO numbers as they are not offsets within a bank. Note that it is the gpio-davinci driver that sets the gpiochip label to davinci_gpio.0. Fixes: b5e1438cf98a ("ARM: davinci: da830-evm: use gpio descriptor for mmc pins") Reported-by: David Lechner Reviewed-by: David Lechner Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c8f440664dac4a8c2727445d3c7d65c14c9e0e67 Author: Håkon Bugge Date: Wed Apr 18 16:24:50 2018 +0200 IB/core: Make ib_mad_client_id atomic [ Upstream commit db82476f37413eaeff5f836a9d8b022d6544accf ] Currently, the kernel protects access to the agent ID allocator on a per port basis using a spinlock, so it is impossible for two apps/threads on the same port to get the same TID, but it is entirely possible for two threads on different ports to end up with the same TID. As this can be confusing (regardless of it being legal according to the IB Spec 1.3, C13-18.1.1, in section 13.4.6.4 - TransactionID usage), and as the rdma-core user space API for /dev/umad devices implies unique TIDs even across ports, make the TID an atomic type so that no two allocations, regardless of port number, will be the same. Signed-off-by: Håkon Bugge Reviewed-by: Jack Morgenstein Reviewed-by: Ira Weiny Reviewed-by: Zhu Yanjun Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c11fbb3aaad09acf0838ed3392cf0aff279a5ac4 Author: Amir Goldstein Date: Mon Feb 5 19:32:18 2018 +0200 : fix end_name_hash() for 64bit long [ Upstream commit 19b9ad67310ed2f685062a00aec602bec33835f0 ] The comment claims that this helper will try not to loose bits, but for 64bit long it looses the high bits before hashing 64bit long into 32bit int. Use the helper hash_long() to do the right thing for 64bit long. For 32bit long, there is no change. All the callers of end_name_hash() either assign the result to qstr->hash, which is u32 or return the result as an int value (e.g. full_name_hash()). Change the helper return type to int to conform to its users. [ It took me a while to apply this, because my initial reaction to it was - incorrectly - that it could make for slower code. After having looked more at it, I take back all my complaints about the patch, Amir was right and I was mis-reading things or just being stupid. I also don't worry too much about the possible performance impact of this on 64-bit, since most architectures that actually care about performance end up not using this very much (the dcache code is the most performance-critical, but the word-at-a-time case uses its own hashing anyway). So this ends up being mostly used for filesystems that do their own degraded hashing (usually because they want a case-insensitive comparison function). A _tiny_ worry remains, in that not everybody uses DCACHE_WORD_ACCESS, and then this potentially makes things more expensive on 64-bit architectures with slow or lacking multipliers even for the normal case. That said, realistically the only such architecture I can think of is PA-RISC. Nobody really cares about performance on that, it's more of a "look ma, I've got warts^W an odd machine" platform. So the patch is fine, and all my initial worries were just misplaced from not looking at this properly. - Linus ] Signed-off-by: Amir Goldstein Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e0d8d5f26052a19db9065609f4a456d2bd34a1f1 Author: oulijun Date: Thu Apr 26 14:46:23 2018 +0800 RDMA/hns: Submit bad wr [ Upstream commit 137ae3208416278aabef3b71e0ea1052940ca362 ] When generated bad work reqeust, it needs to report to user. This patch mainly fixes it. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f9c774acd2954f47fc4b003c8881c36eddf275ab Author: oulijun Date: Thu Apr 26 14:46:17 2018 +0800 RDMA/hns: Fix the qp context state diagram [ Upstream commit 6e1a70943cecdca9bb13b601b1a9772a7bdcc2c3 ] According to RoCE protocol, it is possible to transition from error to error state for modifying qp in hip08. This patch fix it. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 9ec2e6cb0201fa8442b978fd03be2a83c9500298 Author: oulijun Date: Thu Apr 26 14:46:16 2018 +0800 RDMA/hns: Intercept illegal RDMA operation when use inline data [ Upstream commit 328d405b3d4c8dd1f06bfd77f498e23281ae348c ] RDMA read operation is not supported inline data. If user cofigures issue a RDMA read and use inline data, it will happen a hardware error. Signed-off-by: Lijun Ou Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2c87269995e14f56be301be2e460f5f7338b4dbb Author: oulijun Date: Thu Apr 26 14:46:15 2018 +0800 RDMA/hns: Bugfix for init hem table [ Upstream commit 215a8c09e5e2aa6ae1fbcef87f8f27d65d5d1ca4 ] During init hem table, type should be used instead of table->type which is finally initializaed with type. Signed-off-by: Lijun Ou Signed-off-by: Yixian Liu Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit beb00d1fc8f4510d07e336cb981a9d937bb45094 Author: Zhu Yanjun Date: Thu Apr 26 00:41:10 2018 -0400 IB/rxe: avoid double kfree_skb [ Upstream commit 9fd4350ba8953804f05215999e11a6cfb7b41f2b ] When skb is sent, it will pass the following functions in soft roce. rxe_send [rdma_rxe] ip_local_out __ip_local_out ip_output ip_finish_output ip_finish_output2 dev_queue_xmit __dev_queue_xmit dev_hard_start_xmit In the above functions, if error occurs in the above functions or iptables rules drop skb after ip_local_out, kfree_skb will be called. So it is not necessary to call kfree_skb in soft roce module again. Or else crash will occur. The steps to reproduce: server client --------- --------- |1.1.1.1|<----rxe-channel--->|1.1.1.2| --------- --------- On server: rping -s -a 1.1.1.1 -v -C 10000 -S 512 On client: rping -c -a 1.1.1.1 -v -C 10000 -S 512 The kernel configs CONFIG_DEBUG_KMEMLEAK and CONFIG_DEBUG_OBJECTS are enabled on both server and client. When rping runs, run the following command in server: iptables -I OUTPUT -p udp --dport 4791 -j DROP Without this patch, crash will occur. CC: Srinivas Eeda CC: Junxiao Bi Signed-off-by: Zhu Yanjun Reviewed-by: Yuval Shaia Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 34f51b7e68a7f25e36dba844bb4c23769369ad0b Author: Jianchao Wang Date: Thu Apr 26 11:52:39 2018 +0800 IB/rxe: add RXE_START_MASK for rxe_opcode IB_OPCODE_RC_SEND_ONLY_INV [ Upstream commit 2da36d44a9d54a2c6e1f8da1f7ccc26b0bc6cfec ] w/o RXE_START_MASK, the last_psn of IB_OPCODE_RC_SEND_ONLY_INV will not be updated in update_wqe_psn, and the corresponding wqe will not be acked in rxe_completer due to its last_psn is zero. Finally, the other wqe will also not be able to be acked, because the wqe of IB_OPCODE_RC_SEND_ONLY_INV with last_psn 0 is still there. This causes large amount of io timeout when nvmeof is over rxe. Add RXE_START_MASK for IB_OPCODE_RC_SEND_ONLY_INV to fix this. Signed-off-by: Jianchao Wang Reviewed-by: Zhu Yanjun Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 8c672f4be2de1d46a65bc1843235fe69c32050d0 Author: Colin Ian King Date: Wed Apr 25 17:24:04 2018 +0100 RDMA/iwpm: fix memory leak on map_info [ Upstream commit f96416cea7bce9afe619c15e87fced70f93f9098 ] In the cases where iwpm_hash_bucket is NULL and where function get_mapinfo_hash_bucket returns NULL then the map_info is never added to hash_bucket_head and hence there is a leak of map_info. Fix this by nullifying hash_bucket_head and if that is null we know that that map_info was not added to hash_bucket_head and hence map_info should be free'd. Detected by CoverityScan, CID#1222481 ("Resource Leak") Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service") Signed-off-by: Colin Ian King Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d0202c9dedbc0a2e14e59c2f2e9669e2150b2d0c Author: Parav Pandit Date: Tue Apr 24 20:13:45 2018 +0300 RDMA/cma: Fix use after destroy access to net namespace for IPoIB [ Upstream commit 2918c1a900252b4a0c730715ec205437c7daf79d ] There are few issues with validation of netdevice and listen id lookup for IB (IPoIB) while processing incoming CM request as below. 1. While performing lookup of bind_list in cma_ps_find(), net namespace of the netdevice can get deleted in cma_exit_net(), resulting in use after free access of idr and/or net namespace structures. This lookup occurs from the workqueue context (and not userspace context where net namespace is always valid). CPU0 CPU1 ==== ==== bind_list = cma_ps_find(); move netdevice to new namespace delete net namespace cma_exit_net() idr_destroy(idr); [..] cma_find_listener(bind_list, ..); 2. While netdevice is validated for IP address in given net namespace, netdevice's net namespace and/or ifindex can change in cma_get_net_dev() and cma_match_net_dev(). Above issues are overcome by using rcu lock along with netdevice UP/DOWN state as described below. When a net namespace is getting deleted, netdevice is closed and shutdown before moving it back to init_net namespace. change_net_namespace() synchronizes with any existing use of netdevice before changing the netdev properties such as net or ifindex. Once netdevice IFF_UP flags is cleared, such fields are not guaranteed to be valid. Therefore, rcu lock along with netdevice state check ensures that, while route lookup and cm_id lookup is in progress, netdevice of interest won't migrate to any other net namespace. This ensures that associated net namespace of netdevice won't get deleted while rcu lock is held for netdevice which is in IFF_UP state. Fixes: fa20105e09e9 ("IB/cma: Add support for network namespaces") Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces") Fixes: f887f2ac87c2 ("IB/cma: Validate routing of incoming requests") Signed-off-by: Parav Pandit Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit bf4f03b6e65bddf15e1ed97792e6d265411e9769 Author: Matan Barak Date: Tue Apr 24 08:15:20 2018 +0000 IB/uverbs: Fix validating mandatory attributes [ Upstream commit f604db645a66b7ba4f21c426fe73253928dada41 ] Previously, if a method contained mandatory attributes in a namespace that wasn't given by the user, these attributes weren't validated. Fixing this by iterating over all specification namespaces. Fixes: fac9658cabb9 ("IB/core: Add new ioctl interface") Signed-off-by: Matan Barak Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit cf70b9d07d0f75e95ea89daeb2e1b5e43cc9f13b Author: Junaid Shahid Date: Thu Apr 26 13:09:50 2018 -0700 kvm: apic: Flush TLB after APIC mode/address change if VPIDs are in use [ Upstream commit a468f2dbf921d02f5107378501693137a812999b ] Currently, KVM flushes the TLB after a change to the APIC access page address or the APIC mode when EPT mode is enabled. However, even in shadow paging mode, a TLB flush is needed if VPIDs are being used, as specified in the Intel SDM Section 29.4.5. So replace vmx_flush_tlb_ept_only() with vmx_flush_tlb(), which will flush if either EPT or VPIDs are in use. Signed-off-by: Junaid Shahid Reviewed-by: Jim Mattson Signed-off-by: Radim Krčmář Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit bb7819a5a33bb694407996a934b1d91cdc86f490 Author: Maxime Chevallier Date: Wed Apr 25 20:21:16 2018 +0200 net: mvpp2: Fix clk error path in mvpp2_probe [ Upstream commit 45f972adb7f4db2d7f02af728ccd104113336074 ] When clk_prepare_enable fails for the axi_clk, the mg_clk isn't properly cleaned up. Add another jump label to handle that case, and make sure we jump to it in the later error cases. Fixes: 4792ea04bcd0 ("net: mvpp2: Fix clock resource by adding an optional bus clock") Signed-off-by: Maxime Chevallier Acked-by: Gregory CLEMENT Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ca23e6da83c1bf820b58808e5d838c68d659882e Author: Greg Thelen Date: Thu Apr 26 11:19:35 2018 -0700 IB: make INFINIBAND_ADDR_TRANS configurable [ Upstream commit f7cb7b85be55a4906b4b4b30596db1043dae6335 ] Allow INFINIBAND without INFINIBAND_ADDR_TRANS because fuzzing has been finding fair number of CM bugs. So provide option to disable it. Signed-off-by: Greg Thelen Cc: Tarick Bedeir Reviewed-by: Bart Van Assche Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 9747ef7960d8419c020f430a3e48a0dcbc1394ec Author: Greg Thelen Date: Thu Apr 26 11:19:34 2018 -0700 ib_srp: depend on INFINIBAND_ADDR_TRANS [ Upstream commit 5a3bc8a4abbd2d553430218d3a320400dce811b7 ] INFINIBAND_SRP code depends on INFINIBAND_ADDR_TRANS provided symbols. So declare the kconfig dependency. This is necessary to allow for enabling INFINIBAND without INFINIBAND_ADDR_TRANS. Signed-off-by: Greg Thelen Cc: Tarick Bedeir Reviewed-by: Bart Van Assche Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7166236e145bfa35ce1c139b02cb264a7e00c88e Author: Greg Thelen Date: Thu Apr 26 11:19:33 2018 -0700 cifs: smbd: depend on INFINIBAND_ADDR_TRANS [ Upstream commit 3c6b03d18df657d677808d7090b4d03bc6026efd ] CIFS_SMB_DIRECT code depends on INFINIBAND_ADDR_TRANS provided symbols. So declare the kconfig dependency. This is necessary to allow for enabling INFINIBAND without INFINIBAND_ADDR_TRANS. Signed-off-by: Greg Thelen Cc: Tarick Bedeir Reviewed-by: Long Li Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d50fefde27203e6ffab82ef6193f911080bbae2b Author: Greg Thelen Date: Thu Apr 26 11:19:32 2018 -0700 ib_srpt: depend on INFINIBAND_ADDR_TRANS [ Upstream commit 346a47b65d10e450778ec0d21e4a9409f25daaa8 ] INFINIBAND_SRPT code depends on INFINIBAND_ADDR_TRANS provided symbols. So declare the kconfig dependency. This is necessary to allow for enabling INFINIBAND without INFINIBAND_ADDR_TRANS. Signed-off-by: Greg Thelen Cc: Tarick Bedeir Reviewed-by: Bart Van Assche Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5c8d8ad154edcda306ca246cb1aa770592fd3d92 Author: Greg Thelen Date: Thu Apr 26 11:19:31 2018 -0700 nvmet-rdma: depend on INFINIBAND_ADDR_TRANS [ Upstream commit d6fc6a22fc7d3df987666725496ed5dd2dd30f23 ] NVME_TARGET_RDMA code depends on INFINIBAND_ADDR_TRANS provided symbols. So declare the kconfig dependency. This is necessary to allow for enabling INFINIBAND without INFINIBAND_ADDR_TRANS. Signed-off-by: Greg Thelen Cc: Tarick Bedeir Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4634790584c106d2037fd549b360e09c1ba9a32c Author: Greg Thelen Date: Thu Apr 26 11:19:30 2018 -0700 nvme: depend on INFINIBAND_ADDR_TRANS [ Upstream commit 3af7a156bdc356946098e13180be66b6420619bf ] NVME_RDMA code depends on INFINIBAND_ADDR_TRANS provided symbols. So declare the kconfig dependency. This is necessary to allow for enabling INFINIBAND without INFINIBAND_ADDR_TRANS. Signed-off-by: Greg Thelen Cc: Tarick Bedeir Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0c625137c8f213d4042e8d3d572d1a7640b45671 Author: Jakub Kicinski Date: Wed Apr 25 11:21:08 2018 -0700 nfp: don't depend on eth_tbl being available [ Upstream commit c55ca688ed99a9cb79367aee2ed2ff6cb80fc039 ] For very very old generation of the management FW Ethernet port information table may theoretically not be available. This in turn will cause the nfp_port structures to not be allocated. Make sure we don't crash the kernel when there is no eth_tbl: RIP: 0010:nfp_net_pci_probe+0xf2/0xb40 [nfp] ... Call Trace: nfp_pci_probe+0x6de/0xab0 [nfp] local_pci_probe+0x47/0xa0 work_for_cpu_fn+0x1a/0x30 process_one_work+0x1de/0x3e0 Found while working with broken/development version of management FW. Fixes: a5950182c00e ("nfp: map mac_stats and vf_cfg BARs") Fixes: 93da7d9660ee ("nfp: provide nfp_port to of nfp_net_get_mac_addr()") Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d7ca5f59e5c1e90430d4b39ccb10b5b153e3a160 Author: Jon Maloy Date: Wed Apr 25 18:29:25 2018 +0200 tipc: fix bug in function tipc_nl_node_dump_monitor [ Upstream commit 7dbc73e6124ce4d0cfbdd6166de388e9367c47ad ] Commit 36a50a989ee8 ("tipc: fix infinite loop when dumping link monitor summary") intended to fix a problem with user tool looping when max number of bearers are enabled. Unfortunately, the wrong version of the commit was posted, so the problem was not solved at all. This commit adds the missing part. Fixes: 36a50a989ee8 ("tipc: fix infinite loop when dumping link monitor summary") Signed-off-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2d4204ee6bf0727dfab7e77e5c09aa14e57ccd77 Author: Leon Romanovsky Date: Mon Apr 23 17:01:56 2018 +0300 RDMA/mlx5: Properly check return value of mlx5_get_uars_page [ Upstream commit 444261ca6ff201fa03de97a5041237e67a9d8d31 ] Starting from commit 72f36be06138 ("net/mlx5: Fix mlx5_get_uars_page to return error code") the mlx5_get_uars_page() call returns error in case of failure, but it was mistakenly overlooked in the merge commit. Fixes: e7996a9a77fc ("Merge tag v4.15 of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git") Reported-by: Alaa Hleihel Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0e346fbcac02055115c9bd22d284c3dbf30952d3 Author: Baolin Wang Date: Mon Apr 9 14:40:55 2018 +0800 i2c: sprd: Fix the i2c count issue [ Upstream commit 2a010461207cc96bee5ab81748325dec1972976f ] We found the I2C controller count register is unreliable sometimes, that will cause I2C to lose data. Thus we can read the data count from 'i2c_dev->count' instead of the I2C controller count register. Signed-off-by: Baolin Wang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c685750e832821c6206f96acbbdf068745cc7f5c Author: Baolin Wang Date: Mon Apr 9 14:40:54 2018 +0800 i2c: sprd: Prevent i2c accesses after suspend is called [ Upstream commit da33aa03fa34c918faf2c371ebda0dd961d7ccb2 ] Add one flag to indicate if the i2c controller has been in suspend state, which can prevent i2c accesses after i2c controller is suspended following system suspend. Signed-off-by: Baolin Wang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d039942e595eae3923d80e1c3cd66cb7cb8ed239 Author: Masahiro Yamada Date: Thu Apr 12 11:16:10 2018 +0900 reset: uniphier: fix USB clock line for LD20 [ Upstream commit e6914365fd280fce303a89b8a8d4529af5a2e0f9 ] For LD20, the bit 5 of the offset 0x200c turned out to be a USB3 reset. The hardware document says it is the GIO reset despite LD20 has no GIO bus, confusingly. Also, fix confusing comments for PXs3. Signed-off-by: Masahiro Yamada Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1f653501cdf57e76372b7a9f4751872a1342baa5 Author: Laurentiu Tudor Date: Thu Apr 26 15:33:19 2018 +0300 powerpc/kvm/booke: Fix altivec related build break [ Upstream commit b2d7ecbe355698010a6b7a15eb179e09eb3d6a34 ] Add missing "altivec unavailable" interrupt injection helper thus fixing the linker error below: arch/powerpc/kvm/emulate_loadstore.o: In function `kvmppc_check_altivec_disabled': arch/powerpc/kvm/emulate_loadstore.c: undefined reference to `.kvmppc_core_queue_vec_unavail' Fixes: 09f984961c137c4b ("KVM: PPC: Book3S: Add MMIO emulation for VMX instructions") Signed-off-by: Laurentiu Tudor Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a066bee00d43b4c5f0ed4fd19f287eeab70599b5 Author: Stefano Brivio Date: Thu Apr 26 19:39:09 2018 +0200 vti6: Change minimum MTU to IPV4_MIN_MTU, vti6 can carry IPv4 too [ Upstream commit b4331a681822b420511b3258f1c3db35001fde48 ] A vti6 interface can carry IPv4 as well, so it makes no sense to enforce a minimum MTU of IPV6_MIN_MTU. If the user sets an MTU below IPV6_MIN_MTU, IPv6 will be disabled on the interface, courtesy of addrconf_notify(). Reported-by: Xin Long Fixes: b96f9afee4eb ("ipv4/6: use core net MTU range checking") Fixes: c6741fbed6dc ("vti6: Properly adjust vti6 MTU from MTU of lower device") Fixes: 53c81e95df17 ("ip6_vti: adjust vti mtu according to mtu of lower device") Signed-off-by: Stefano Brivio Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dc76b125f2cfba40f4b8ad0c6c698b15e0411f3f Author: John Fastabend Date: Wed Apr 25 15:08:53 2018 -0700 bpf: fix uninitialized variable in bpf tools [ Upstream commit 815425567dea6c54494e85050631d6bdda907c5d ] Here the variable cont is used as the saved_pointer for a call to strtok_r(). It is safe to use the value uninitialized in this context however and the later reference is only ever used if the strtok_r is successful. But, 'gcc-5' at least doesn't have all this knowledge so initialize cont to NULL. Additionally, do the natural NULL check before accessing just for completness. The warning is the following: ./bpf/tools/bpf/bpf_dbg.c: In function ‘cmd_load’: ./bpf/tools/bpf/bpf_dbg.c:1077:13: warning: ‘cont’ may be used uninitialized in this function [-Wmaybe-uninitialized] } else if (matches(subcmd, "pcap") == 0) { Fixes: fd981e3c321a "filter: bpf_dbg: add minimal bpf debugger" Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 83a951a8ed3c5c9b57d8c7a648bdcf7bc2ae881c Author: jacek.tomaka@poczta.fm Date: Tue Apr 24 00:14:25 2018 +0800 x86/cpu/intel: Add missing TLB cpuid values [ Upstream commit b837913fc2d9061bf9b8c0dd6bf2d24e2f98b84a ] Make kernel print the correct number of TLB entries on Intel Xeon Phi 7210 (and others) Before: [ 0.320005] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0 After: [ 0.320005] Last level dTLB entries: 4KB 256, 2MB 128, 4MB 128, 1GB 16 The entries do exist in the official Intel SMD but the type column there is incorrect (states "Cache" where it should read "TLB"), but the entries for the values 0x6B, 0x6C and 0x6D are correctly described as 'Data TLB'. Signed-off-by: Jacek Tomaka Signed-off-by: Thomas Gleixner Link: https://lkml.kernel.org/r/20180423161425.24366-1-jacekt@dugeo.com Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 56507accdeda7619a6644115cacff044b5d2355d Author: Evan Wang Date: Fri Apr 13 12:32:31 2018 +0800 ata: ahci: mvebu: override ahci_stop_engine for mvebu AHCI [ Upstream commit daa2e3bdbb0b3e691cf20a042350817310cb8cb5 ] There is an issue(Errata Ref#226) that the SATA can not be detected via SATA Port-MultiPlayer(PMP) with following error log: ata1.15: PMP product ID mismatch ata1.15: SATA link up 6.0 Gbps (SStatus 133 SControl 300) ata1.15: Port Multiplier vendor mismatch '0x1b4b'!='0x0' ata1.15: PMP revalidation failed (errno=-19) After debugging, the reason is found that the value Port-x FIS-based Switching Control(PxFBS@0x40) become wrong. According to design, the bits[11:8, 0] of register PxFBS are cleared when Port Command and Status (0x18) bit[0] changes its value from 1 to 0, i.e. falling edge of Port Command and Status bit[0] sends PULSE that resets PxFBS bits[11:8; 0]. So it needs a mvebu SATA WA to save the port PxFBS register before PxCMD ST write and restore it afterwards. This patch implements the WA in a separate function of ahci_mvebu_stop_engine to override ahci_stop_gngine. Signed-off-by: Evan Wang Cc: Ofer Heifetz Cc: Tejun Heo Cc: Thomas Petazzoni Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7a2c7b8da041bc69cd5acbf13e8312327c2b5f7f Author: Evan Wang Date: Fri Apr 13 12:32:30 2018 +0800 libahci: Allow drivers to override stop_engine [ Upstream commit fa89f53bd7288d6aa7a982841119e7123faf5a53 ] Marvell armada37xx, armada7k and armada8k share the same AHCI sata controller IP, and currently there is an issue (Errata Ref#226)that the SATA can not be detected via SATA Port-MultiPlayer(PMP). After debugging, the reason is found that the value of Port-x FIS-based Switching Control (PxFBS@0x40) became wrong. According to design, the bits[11:8, 0] of register PxFBS are cleared when Port Command and Status (0x18) bit[0] changes its value from 1 to 0, i.e. falling edge of Port Command and Status bit[0] sends PULSE that resets PxFBS bits[11:8; 0]. So it needs save the port PxFBS register before PxCMD ST write and restore the port PxFBS register afterwards in ahci_stop_engine(). This commit allows drivers to override ahci_stop_engine behavior for use by the Marvell AHCI driver(and potentially other drivers in the future). Signed-off-by: Evan Wang Cc: Ofer Heifetz Cc: Tejun Heo Cc: Thomas Petazzoni Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 56b6ae130149f9108ecff7701e1fde1532e6a4b4 Author: Mark Rutland Date: Wed Apr 25 17:13:42 2018 +0100 KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr() [ Upstream commit 5e1ca5e23b167987d5b6d8b08f2d5b7dd2d13f49 ] It's possible for userspace to control n. Sanitize n when using it as an array index. Note that while it appears that n must be bound to the interval [0,3] due to the way it is extracted from addr, we cannot guarantee that compiler transformations (and/or future refactoring) will ensure this is the case, and given this is a slow path it's better to always perform the masking. Found by smatch. Signed-off-by: Mark Rutland Acked-by: Christoffer Dall Acked-by: Marc Zyngier Cc: kvmarm@lists.cs.columbia.edu Signed-off-by: Will Deacon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1f22c288b9d833d6c04f9adacf5a03b03d3d1484 Author: Mark Rutland Date: Wed Apr 25 17:13:40 2018 +0100 arm64: fix possible spectre-v1 in ptrace_hbp_get_event() [ Upstream commit 19791a7ca674fb3009bb068260e852a2f05b605c ] It's possible for userspace to control idx. Sanitize idx when using it as an array index. Found by smatch. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Will Deacon Signed-off-by: Will Deacon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b6e09ae50e7388970e02763abd15ee0c1f709183 Author: Omar Sandoval Date: Thu Apr 26 00:21:59 2018 -0700 blk-mq: fix sysfs inflight counter [ Upstream commit bf0ddaba65ddbb2715af97041da8e7a45b2d8628 ] When the blk-mq inflight implementation was added, /proc/diskstats was converted to use it, but /sys/block/$dev/inflight was not. Fix it by adding another helper to count in-flight requests by data direction. Fixes: f299b7c7a9de ("blk-mq: provide internal in-flight variant") Signed-off-by: Omar Sandoval Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 9b07b0a7c7d4953279be4c177acb06e82830655c Author: Arvind Yadav Date: Fri Mar 30 16:56:10 2018 +0530 HID: intel-ish-hid: use put_device() instead of kfree() [ Upstream commit a4eb490a41a0da3b1275fc7427084cf9ae2c3c1c ] Never directly free @dev after calling device_register(), even if it returned an error. Always use put_device() to give up the reference initialized. Signed-off-by: Arvind Yadav Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 49f5f2605b985d261229d20225923c4a6d7864cc Author: Ramon Fried Date: Fri Mar 23 00:09:12 2018 -0400 rpmsg: added MODULE_ALIAS for rpmsg_char [ Upstream commit 93dd4e73c0d9cc32f835d76a54257020b0bfc75a ] Added "rpmsg:rpmsg_chrdev" MODULE_ALIAS to autoload rpmg_chrdev module automatically. Signed-off-by: Ramon Fried Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4b76ce3c466a4457f6198afbe86b03d319b3ba9b Author: Tobias Jordan Date: Thu Feb 15 16:12:55 2018 +0100 remoteproc: qcom: Fix potential device node leaks [ Upstream commit 278d744c46fd4f1925aec77752d18a0e4a9cbec3 ] Add missing of_node_put()s at two places for device nodes returned by of_parse_phandle(). Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") Signed-off-by: Tobias Jordan Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f26a3e96d290ecf6aa142fa2f82d147af0f67d73 Author: Kan Liang Date: Wed Apr 25 14:57:17 2018 -0400 perf/x86/intel: Don't enable freeze-on-smi for PerfMon V1 [ Upstream commit 4e949e9b9d1e3edcdab3b54656c5851bd9e49c67 ] The SMM freeze feature was introduced since PerfMon V2. But the current code unconditionally enables the feature for all platforms. It can generate #GP exception, if the related FREEZE_WHILE_SMM bit is set for the machine with PerfMon V1. To disable the feature for PerfMon V1, perf needs to - Remove the freeze_on_smi sysfs entry by moving intel_pmu_attrs to intel_pmu, which is only applied to PerfMon V2 and later. - Check the PerfMon version before flipping the SMM bit when starting CPU Fixes: 6089327f5424 ("perf/x86: Add sysfs entry to freeze counters on SMI") Signed-off-by: Kan Liang Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Cc: ak@linux.intel.com Cc: eranian@google.com Cc: acme@redhat.com Link: https://lkml.kernel.org/r/1524682637-63219-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 0a964d124bf77bde59bc027e2d21d4e495a44643 Author: Dag Moxnes Date: Wed Apr 25 13:22:01 2018 +0200 rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp [ Upstream commit 91a825290ca4eae88603bc811bf74a45f94a3f46 ] The function rds_ib_setup_qp is calling rds_ib_get_client_data and should correspondingly call rds_ib_dev_put. This call was lost in the non-error path with the introduction of error handling done in commit 3b12f73a5c29 ("rds: ib: add error handle") Signed-off-by: Dag Moxnes Reviewed-by: Håkon Bugge Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1a4e6a02f12dc98fde7d190566ca54d4cc29e7ec Author: Gianluca Borello Date: Wed Apr 25 05:42:16 2018 +0000 bpf, x64: fix JIT emission for dead code [ Upstream commit 1612a981b76688c598dc944bbfbe29a2b33e3973 ] Commit 2a5418a13fcf ("bpf: improve dead code sanitizing") replaced dead code with a series of ja-1 instructions, for safety. That made JIT compilation much more complex for some BPF programs. One instance of such programs is, for example: bool flag = false ... /* A bunch of other code */ ... if (flag) do_something() In some cases llvm is not able to remove at compile time the code for do_something(), so the generated BPF program ends up with a large amount of dead instructions. In one specific real life example, there are two series of ~500 and ~1000 dead instructions in the program. When the verifier replaces them with a series of ja-1 instructions, it causes an interesting behavior at JIT time. During the first pass, since all the instructions are estimated at 64 bytes, the ja-1 instructions end up being translated as 5 bytes JMP instructions (0xE9), since the jump offsets become increasingly large (> 127) as each instruction gets discovered to be 5 bytes instead of the estimated 64. Starting from the second pass, the first N instructions of the ja-1 sequence get translated into 2 bytes JMPs (0xEB) because the jump offsets become <= 127 this time. In particular, N is defined as roughly 127 / (5 - 2) ~= 42. So, each further pass will make the subsequent N JMP instructions shrink from 5 to 2 bytes, making the image shrink every time. This means that in order to have the entire program converge, there need to be, in the real example above, at least ~1000 / 42 ~= 24 passes just for translating the dead code. If we add this number to the passes needed to translate the other non dead code, it brings such program to 40+ passes, and JIT doesn't complete. Ultimately the userspace loader fails because such BPF program was supposed to be part of a prog array owner being JITed. While it is certainly possible to try to refactor such programs to help the compiler remove dead code, the behavior is not really intuitive and it puts further burden on the BPF developer who is not expecting such behavior. To make things worse, such programs are working just fine in all the kernel releases prior to the ja-1 fix. A possible approach to mitigate this behavior consists into noticing that for ja-1 instructions we don't really need to rely on the estimated size of the previous and current instructions, we know that a -1 BPF jump offset can be safely translated into a 0xEB instruction with a jump offset of -2. Such fix brings the BPF program in the previous example to complete again in ~9 passes. Fixes: 2a5418a13fcf ("bpf: improve dead code sanitizing") Signed-off-by: Gianluca Borello Acked-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3268c5f99c36d47557f072bae8c15dea3d36a727 Author: Masami Hiramatsu Date: Thu Apr 5 18:29:12 2018 +0900 selftests: ftrace: Add a testcase for multiple actions on trigger [ Upstream commit 25aa50e0ca397a5e5d4d6fcecefa8107877d1dd0 ] Add a testcase for multiple actions with different parameters on an event trigger, which has been fixed by commit 192c283e93bd ("tracing: Add action comparisons when testing matching hist triggers"). Link: http://lkml.kernel.org/r/152292055227.15769.6327959816123227152.stgit@devbox Reviewed-by: Tom Zanussi Tested-by: Tom Zanussi Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 70bd57c72d1ce97c28b29f3c0857f2043a00e406 Author: Arvind Yadav Date: Tue Apr 24 13:33:03 2018 +0530 HID: wacom: Release device resource data obtained by devres_alloc() [ Upstream commit 097b8f62dd793e08f1732fc74dbb64596c7fbff9 ] Free device resource data, if __wacom_devm_sysfs_create_group is not successful. Signed-off-by: Arvind Yadav Reviewed-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5466cdd5db9f0a15f41426a4fd124b282ba6f8c4 Author: pgzh Date: Thu Apr 12 19:36:47 2018 +0200 HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice [ Upstream commit a230cd52b8a2be39cd6e9a13b3e62af57f21372a ] The IBM/Lenovo Scrollpoint mice feature a trackpoint-like stick instead of a scrolling wheel capable of 2-D (vertical+horizontal) scrolling. hid-generic does only expose 1-D (vertical) scrolling functionality for these mice. This patch adds support for horizontal scrolling for the IBM/Lenovo Scrollpoint mice to hid-lenovo. [jkosina@suse.cz: remove change versioning from git changelog] Signed-off-by: Peter Ganzhorn Reviewed-by: Benjamin Tissoires Signed-off-by: Peter De Wachter Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 35f4a5ae3c32e36c61ae345f32c33c59322cfe92 Author: Kan Liang Date: Tue Apr 24 11:20:10 2018 -0700 perf pmu: Fix core PMU alias list for X86 platform [ Upstream commit 292c34c10249c64a70def442f0d977bf9d466ed7 ] When counting uncore event with alias, core event is mistakenly involved, for example: perf stat --no-merge -e "unc_m_cas_count.all" -C0 sleep 1 Performance counter stats for 'CPU(s) 0': 0 unc_m_cas_count.all [uncore_imc_4] 0 unc_m_cas_count.all [uncore_imc_2] 0 unc_m_cas_count.all [uncore_imc_0] 153,640 unc_m_cas_count.all [cpu] 0 unc_m_cas_count.all [uncore_imc_5] 25,026 unc_m_cas_count.all [uncore_imc_3] 0 unc_m_cas_count.all [uncore_imc_1] 1.001447890 seconds time elapsed The reason is that current implementation doesn't check PMU name of a event when adding its alias into the alias list for core PMU. The uncore event aliases are mistakenly added. This bug was introduced in: commit 14b22ae028de ("perf pmu: Add helper function is_pmu_core to detect PMU CORE devices") Checking the PMU name for all PMUs on X86 and other architectures except ARM. There is no behavior change for ARM. Signed-off-by: Kan Liang Tested-by: Arnaldo Carvalho de Melo Cc: Agustin Vega-Frias Cc: Andi Kleen Cc: Ganapatrao Kulkarni Cc: Jin Yao Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Shaokun Zhang Cc: Will Deacon Fixes: 14b22ae028de ("perf pmu: Add helper function is_pmu_core to detect PMU CORE devices") Link: http://lkml.kernel.org/r/1524594014-79243-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 80bedc03675f8887deffd54759eb279ee839fc1f Author: Mark Rutland Date: Tue Apr 3 11:22:51 2018 +0100 arm64: only advance singlestep for user instruction traps [ Upstream commit 9478f1927e6ef9ef5e1ad761af1c98aa8e40b7f5 ] Our arm64_skip_faulting_instruction() helper advances the userspace singlestep state machine, but this is also called by the kernel BRK handler, as used for WARN*(). Thus, if we happen to hit a WARN*() while the user singlestep state machine is in the active-no-pending state, we'll advance to the active-pending state without having executed a user instruction, and will take a step exception earlier than expected when we return to userspace. Let's fix this by only advancing the state machine when skipping a user instruction. Signed-off-by: Mark Rutland Cc: Andrey Konovalov Cc: Catalin Marinas Cc: Will Deacon Signed-off-by: Will Deacon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 9548678530b8db850959c46b66e5e012ba62d8a5 Author: Mark Rutland Date: Tue Apr 24 13:11:22 2018 +0100 arm64: ptrace: remove addr_limit manipulation [ Upstream commit 59275a0c037ed6fabd6354730f1e3104264ab719 ] We transiently switch to KERNEL_DS in compat_ptrace_gethbpregs() and compat_ptrace_sethbpregs(), but in either case this is pointless as we don't perform any uaccess during this window. let's rip out the redundant addr_limit manipulation. Acked-by: Catalin Marinas Signed-off-by: Mark Rutland Cc: Will Deacon Signed-off-by: Will Deacon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 313890fc5e8548d34bcc78736a5d8c4512e39d4b Author: Aurelien Jarno Date: Wed Mar 21 22:26:31 2018 +0100 RISC-V: build vdso-dummy.o with -no-pie [ Upstream commit 85602bea297fc4e5223adbf7006dcce9aa694f17 ] Debian toolcahin defaults to PIE, and I guess that will also be the case of most distributions. This causes the following build failure: AS arch/riscv/kernel/vdso/getcpu.o AS arch/riscv/kernel/vdso/flush_icache.o VDSOLD arch/riscv/kernel/vdso/vdso.so.dbg OBJCOPY arch/riscv/kernel/vdso/vdso.so AS arch/riscv/kernel/vdso/vdso.o VDSOLD arch/riscv/kernel/vdso/vdso-dummy.o LD arch/riscv/kernel/vdso/vdso-syms.o riscv64-linux-gnu-ld: attempted static link of dynamic object `arch/riscv/kernel/vdso/vdso-dummy.o' make[2]: *** [arch/riscv/kernel/vdso/Makefile:43: arch/riscv/kernel/vdso/vdso-syms.o] Error 1 make[1]: *** [scripts/Makefile.build:575: arch/riscv/kernel/vdso] Error 2 make: *** [Makefile:1018: arch/riscv/kernel] Error 2 While the root Makefile correctly passes "-fno-PIE" to build individual object files, the RISC-V kernel also builds vdso-dummy.o as an executable, which is therefore linked as PIE. Fix that by updating this specific link rule to also include "-no-pie". Signed-off-by: Aurelien Jarno Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 827c90886d907cf78d68f66a6397c7beaf02d007 Author: Christoph Hellwig Date: Mon Apr 16 14:53:51 2018 +0200 riscv: select DMA_DIRECT_OPS instead of redefining it [ Upstream commit 86e11757d8b28d8266065beaa9d391d49426797b ] DMA_DIRECT_OPS is defined in lib/Kconfig, so don't duplicate it in arch/riscv/Kconfig. Signed-off-by: Christoph Hellwig Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 94477de044d5bc928b03aa27c22fe5016f1bfeb9 Author: Florian Fainelli Date: Mon Apr 23 15:51:38 2018 -0700 net: ethtool: Add missing kernel doc for FEC parameters [ Upstream commit d805c5209350ae725e3a1ee0204ba27d9e75ce3e ] While adding support for ethtool::get_fecparam and set_fecparam, kernel doc for these functions was missed, add those. Fixes: 1a5f3da20bd9 ("net: ethtool: add support for forward error correction modes") Signed-off-by: Florian Fainelli Acked-by: Roopa Prabhu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ae818c5f1dda14f5fbb5820c3339e25462e52df2 Author: Vinicius Costa Gomes Date: Fri Mar 30 17:06:52 2018 -0700 igb: Fix the transmission mode of queue 0 for Qav mode [ Upstream commit 2707df9773cd2cb8b0f35b8592431b301da9d352 ] When Qav mode is enabled, queue 0 should be kept on Stream Reservation mode. From the i210 datasheet, section 8.12.19: "Note: Queue0 QueueMode must be set to 1b when TransmitMode is set to Qav." ("QueueMode 1b" represents the Stream Reservation mode) The solution is to give queue 0 the all the credits it might need, so it has priority over queue 1. A situation where this can happen is when cbs is "installed" only on queue 1, leaving queue 0 alone. For example: $ tc qdisc replace dev enp2s0 handle 100: parent root mqprio num_tc 3 \ map 2 2 1 0 2 2 2 2 2 2 2 2 2 2 2 2 queues 1@0 1@1 2@2 hw 0 $ tc qdisc replace dev enp2s0 parent 100:2 cbs locredit -1470 \ hicredit 30 sendslope -980000 idleslope 20000 offload 1 Signed-off-by: Vinicius Costa Gomes Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f3517ef1aa0be09ef891cb597e99a308e61e4fd0 Author: Masahiro Yamada Date: Thu Apr 12 11:31:31 2018 +0900 arm64: dts: uniphier: fix input delay value for legacy mode of eMMC [ Upstream commit f4e5200fc0d7dad75c688e7ccc0652481a916df5 ] The property of the legacy mode for the eMMC PHY turned out to be wrong. Some eMMC devices are unstable due to the set-up/hold timing violation. Correct the delay value. Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 137545fbb0840599a5e7c342edb2de046891345f Author: Steve French Date: Sun Apr 22 10:24:19 2018 -0500 CIFS: set *resp_buf_type to NO_BUFFER on error [ Upstream commit 117e3b7fed552eba96ae0b3b92312fe8c5b0bfdd ] Dan Carpenter had pointed this out a while ago, but the code around this had changed so wasn't causing any problems since that field was not used in this error path. Still, it is cleaner to always initialize this field, so changing the error path to set it. Reviewed-by: Ronnie Sahlberg CC: Dan Carpenter Signed-off-by: Steve French Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ab68702463690e6a1e9290bb30b7cba93e6b0dca Author: Hans de Goede Date: Sun Apr 22 19:56:17 2018 +0200 thermal: int3403_thermal: Fix NULL pointer deref on module load / probe [ Upstream commit 13b86f50eaaddaea4bdd2fe476fd12e6a0951add ] Starting with kernel 4.17 thermal_cooling_device_register() will call the get_max_state() op during register. Since we deref priv->priv in int3403_get_max_state() this means we must set priv->priv before calling thermal_cooling_device_register(). Signed-off-by: Hans de Goede Signed-off-by: Zhang Rui Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 42b0029bada451f2fcbf5245fe2bf720f85c8b59 Author: Markus Mayer Date: Wed Apr 18 08:56:42 2018 -0700 cpufreq: brcmstb-avs-cpufreq: remove development debug support [ Upstream commit ee53a65dc766384aaf1a26e3c43dd13456170b69 ] This debug code was helpful while developing the driver, but it isn't being used for anything anymore. Signed-off-by: Markus Mayer Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 06a4a914fa754ad56f13e7e2842a4b2c4bcef991 Author: Andres Rodriguez Date: Tue Apr 10 17:32:33 2018 -0400 drm/amdkfd: fix clock counter retrieval for node without GPU [ Upstream commit 1cf6cc74bbeb85bb87c3ca3f3df97a283c3aa737 ] Currently if a user requests clock counters for a node without a GPU resource we will always return EINVAL. Instead if no GPU resource is attached, fill the gpu_clock_counter argument with zeroes so that we may proceed and return valid CPU counters. Signed-off-by: Andres Rodriguez Signed-off-by: Felix Kuehling Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 50326a691df6130c317449b3e3c0561a689b8e89 Author: Mika Westerberg Date: Mon Apr 23 14:16:03 2018 +0300 ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70 [ Upstream commit a0a37862a4e1844793d39aca9ccb8fecbdcb8659 ] WDAT table on Lenovo Z50-70 is using RTC SRAM (ports 0x70 and 0x71) to store state of the timer. This conflicts with Linux RTC driver (rtc-cmos.c) who fails to reserve those ports for itself preventing RTC from functioning. In addition the WDAT table seems not to be fully functional because it does not reset the system when the watchdog times out. On this system iTCO_wdt works just fine so we simply prefer to use it instead of WDAT. This makes RTC working again and also results working watchdog via iTCO_wdt. Reported-by: Peter Milley Link: https://bugzilla.kernel.org/show_bug.cgi?id=199033 Signed-off-by: Mika Westerberg Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2eb5603287575af61bbbd556238b0a3a13f16a7a Author: Sekhar Nori Date: Tue Apr 17 18:06:00 2018 +0530 ARM: dts: da850: fix W=1 warnings with pinmux node [ Upstream commit 94a82284ad4711b7f9fd78981fdc7a1cb645030b ] Remove unused #address-cells and #size-cells from pinmux node. This fixes W=1 warnings of the type: arch/arm/boot/dts/da850-lcdk.dtb: Warning (avoid_unnecessary_addr_size): /soc@1c00000/pinmux@14120: unnecessary #address-cells/#size-cells without "ranges" or child "reg" property Tested on DA850 LCDK by checking output of: /sys/kernel/debug/pinctrl/1c14120.pinmux-pinctrl-single/pins before and after the change. Reviewed-by: David Lechner Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7601b611e70b8e27cb0baeb941a4d10b363809fc Author: Jingju Hou Date: Mon Apr 23 15:22:49 2018 +0800 net: phy: marvell: clear wol event before setting it [ Upstream commit b6a930fa88083b41d26ddf1cab95cbd740936c22 ] If WOL event happened once, the LED[2] interrupt pin will not be cleared unless we read the CSISR register. If interrupts are in use, the normal interrupt handling will clear the WOL event. Let's clear the WOL event before enabling it if !phy_interrupt_is_valid(). Signed-off-by: Jingju Hou Signed-off-by: Jisheng Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b8ce8426548d28ee8a6a6142ffd42c5b7ce7df98 Author: Balbir Singh Date: Fri Apr 6 15:24:24 2018 +1000 powerpc/powernv/memtrace: Let the arch hotunplug code flush cache [ Upstream commit 7fd6641de28fe9b5bce0c38d2adee0a72a72619e ] Don't do this via custom code, instead now that we have support in the arch hotplug/hotunplug code, rely on those routines to do the right thing. The existing flush doesn't work because it uses ppc64_caches.l1d.size instead of ppc64_caches.l1d.line_size. Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing") Signed-off-by: Balbir Singh Reviewed-by: Rashmica Gupta Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1c07e8c37b73855fef1e8b2a619ad5eeba003a94 Author: Geert Uytterhoeven Date: Mon Apr 23 09:35:16 2018 +0200 dt-bindings: mvebu-uart: DT fix s/interrupts-names/interrupt-names/ [ Upstream commit 17a16542b88e753cc3bd54cf30b74df3d547421e ] Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 181b94b31f2b1329f10c90aa8be4b42cede92e74 Author: Geert Uytterhoeven Date: Mon Apr 23 09:32:40 2018 +0200 dt-bindings: meson-uart: DT fix s/clocks-names/clock-names/ [ Upstream commit 34df2466b48dfe258e14fe2a7bc4641416575ade ] Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 78abf949986b045b1e21f78ae3c46fbb9c7c6407 Author: Mika Westerberg Date: Thu Apr 19 13:08:37 2018 +0300 ACPI / scan: Initialize watchdog before PNP [ Upstream commit cc6a0e315a68e5db85bea347b0c5b0fe4a9a5904 ] At least on one Dell system the PNP motherboard resources device includes resources used by WDAT table. Since PNP gets initialized before WDAT it results following error and no watchdog: platform wdat_wdt: failed to claim resource 3: [io 0x046a-0x046c] ACPI: watchdog: Device creation failed: -16 Now, the PNP system driver is already accustomed with the situation that it cannot reserve all those motherboard resources because drivers using those might have reserved them already. In addition putting WDAT table resources under motherboard resources device makes sense in general. Fix this by initializing WDAT right before PNP. This allows WDAT to reserve all its resources and still keeps PNP system driver happy. Reported-by: Shubhrata.Priyadarsh@dell.com Reported-by: Takashi Iwai Signed-off-by: Mika Westerberg Acked-by: Guenter Roeck Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1d907d5375730f33ddfb8df589fcd1c14c0fb0b7 Author: Chen Yu Date: Tue Apr 10 23:07:51 2018 +0800 ACPI / PM: Blacklist Low Power S0 Idle _DSM for ThinkPad X1 Tablet(2016) [ Upstream commit 855c1c2fce8bdbd796cba1d1456ca8f0e876c2f1 ] ThinkPad X1 Tablet(2016) is reported to have issues with the Low Power S0 Idle _DSM interface and since this machine model generally can do ACPI S3 just fine, and user would like to use S3 as default sleep model, add a blacklist entry to disable that interface for ThinkPad X1 Tablet(2016). Link: https://bugzilla.kernel.org/show_bug.cgi?id=199057 Reported-and-tested-by: Robin Lee Signed-off-by: Chen Yu Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 8f82287a33a8cfc9b65788127c83e4d4725da15a Author: Julian Wiedmann Date: Thu Apr 19 12:52:10 2018 +0200 s390/qeth: fix request-side race during cmd IO timeout [ Upstream commit db71bbbd11a4d314f0fa3fbf3369b71cf33ce33c ] Submitting a cmd IO request (usually on the WRITE device, but for IDX also on the READ device) is currently done with ccw_device_start() and a manual timeout in the caller. On timeout, the caller cleans up the related resources (eg. IO buffer). But 1) the IO might still be active and utilize those resources, and 2) when the IO completes, qeth_irq() will attempt to clean up the same resources again. Instead of introducing additional resource locking, switch to ccw_device_start_timeout() to ensure IO termination after timeout, and let the IRQ handler alone deal with cleaning up after a request. This also removes a stray write->irq_pending reset from clear_ipacmd_list(). The routine doesn't terminate any pending IO on the WRITE device, so this should be handled properly via IO timeout in the IRQ handler. Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 739ab75915106f05be75f2c071445f0e00b573a1 Author: Tobias Regnery Date: Tue Apr 10 10:38:06 2018 +0200 usb: typec: ucsi: fix tracepoint related build error [ Upstream commit 2f860691c2d2e3af1404ffeb2d22dd5c3dbca811 ] There is the following build error with CONFIG_TYPEC_UCSI=m, CONFIG_FTRACE=y and CONFIG_TRACING=n: ERROR: "__tracepoint_ucsi_command" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! ERROR: "__tracepoint_ucsi_register_port" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! ERROR: "__tracepoint_ucsi_notify" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! ERROR: "__tracepoint_ucsi_reset_ppm" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! ERROR: "__tracepoint_ucsi_run_command" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! ERROR: "__tracepoint_ucsi_ack" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! ERROR: "__tracepoint_ucsi_connector_change" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! This compination is quite hard to create because CONFIG_TRACING gets selected only in rare cases without CONFIG_FTRACE. The build failure is caused by conditionally compiling trace.c depending on the wrong option CONFIG_FTRACE. Change this to depend on CONFIG_TRACING like other users of tracepoints do. Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface") Signed-off-by: Tobias Regnery Acked-by: Heikki Krogerus Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4b24bef01f0a8fa09220818397bf1ae68eb6adb7 Author: Minchan Kim Date: Fri Apr 20 14:56:17 2018 -0700 mm: memcg: add __GFP_NOWARN in __memcg_schedule_kmem_cache_create() [ Upstream commit c892fd82cc0632d425ae011a4dd75eb59e9f84ee ] If there is heavy memory pressure, page allocation with __GFP_NOWAIT fails easily although it's order-0 request. I got below warning 9 times for normal boot. : page allocation failure: order:0, mode:0x2200000(GFP_NOWAIT|__GFP_NOTRACK) .. snip .. Call trace: dump_backtrace+0x0/0x4 dump_stack+0xa4/0xc0 warn_alloc+0xd4/0x15c __alloc_pages_nodemask+0xf88/0x10fc alloc_slab_page+0x40/0x18c new_slab+0x2b8/0x2e0 ___slab_alloc+0x25c/0x464 __kmalloc+0x394/0x498 memcg_kmem_get_cache+0x114/0x2b8 kmem_cache_alloc+0x98/0x3e8 mmap_region+0x3bc/0x8c0 do_mmap+0x40c/0x43c vm_mmap_pgoff+0x15c/0x1e4 sys_mmap+0xb0/0xc8 el0_svc_naked+0x24/0x28 Mem-Info: active_anon:17124 inactive_anon:193 isolated_anon:0 active_file:7898 inactive_file:712955 isolated_file:55 unevictable:0 dirty:27 writeback:18 unstable:0 slab_reclaimable:12250 slab_unreclaimable:23334 mapped:19310 shmem:212 pagetables:816 bounce:0 free:36561 free_pcp:1205 free_cma:35615 Node 0 active_anon:68496kB inactive_anon:772kB active_file:31592kB inactive_file:2851820kB unevictable:0kB isolated(anon):0kB isolated(file):220kB mapped:77240kB dirty:108kB writeback:72kB shmem:848kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no DMA free:142188kB min:3056kB low:3820kB high:4584kB active_anon:10052kB inactive_anon:12kB active_file:312kB inactive_file:1412620kB unevictable:0kB writepending:0kB present:1781412kB managed:1604728kB mlocked:0kB slab_reclaimable:3592kB slab_unreclaimable:876kB kernel_stack:400kB pagetables:52kB bounce:0kB free_pcp:1436kB local_pcp:124kB free_cma:142492kB lowmem_reserve[]: 0 1842 1842 Normal free:4056kB min:4172kB low:5212kB high:6252kB active_anon:58376kB inactive_anon:760kB active_file:31348kB inactive_file:1439040kB unevictable:0kB writepending:180kB present:2000636kB managed:1923688kB mlocked:0kB slab_reclaimable:45408kB slab_unreclaimable:92460kB kernel_stack:9680kB pagetables:3212kB bounce:0kB free_pcp:3392kB local_pcp:688kB free_cma:0kB lowmem_reserve[]: 0 0 0 DMA: 0*4kB 0*8kB 1*16kB (C) 0*32kB 0*64kB 0*128kB 1*256kB (C) 1*512kB (C) 0*1024kB 1*2048kB (C) 34*4096kB (C) = 142096kB Normal: 228*4kB (UMEH) 172*8kB (UMH) 23*16kB (UH) 24*32kB (H) 5*64kB (H) 1*128kB (H) 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 3872kB 721350 total pagecache pages 0 pages in swap cache Swap cache stats: add 0, delete 0, find 0/0 Free swap = 0kB Total swap = 0kB 945512 pages RAM 0 pages HighMem/MovableOnly 63408 pages reserved 51200 pages cma reserved __memcg_schedule_kmem_cache_create() tries to create a shadow slab cache and the worker allocation failure is not really critical because we will retry on the next kmem charge. We might miss some charges but that shouldn't be critical. The excessive allocation failure report is not very helpful. [mhocko@kernel.org: changelog update] Link: http://lkml.kernel.org/r/20180418022912.248417-1-minchan@kernel.org Signed-off-by: Minchan Kim Acked-by: Johannes Weiner Reviewed-by: Andrew Morton Cc: Michal Hocko Cc: Vladimir Davydov Cc: Minchan Kim Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1d1adde292a504bf26514c0b65eba03cf93a3400 Author: Dave Young Date: Fri Apr 20 14:56:10 2018 -0700 kexec_file: do not add extra alignment to efi memmap [ Upstream commit a841aa83dff0af75c88aa846ba610a8af4c5ee21 ] Chun-Yi reported a kernel warning message below: WARNING: CPU: 0 PID: 0 at ../mm/early_ioremap.c:182 early_iounmap+0x4f/0x12c() early_iounmap(ffffffffff200180, 00000118) [0] size not consistent 00000120 The problem is x86 kexec_file_load adds extra alignment to the efi memmap: in bzImage64_load(): efi_map_sz = efi_get_runtime_map_size(); efi_map_sz = ALIGN(efi_map_sz, 16); And __efi_memmap_init maps with the size including the alignment bytes but efi_memmap_unmap use nr_maps * desc_size which does not include the extra bytes. The alignment in kexec code is only needed for the kexec buffer internal use Actually kexec should pass exact size of the efi memmap to 2nd kernel. Link: http://lkml.kernel.org/r/20180417083600.GA1972@dhcp-128-65.nay.redhat.com Signed-off-by: Dave Young Reported-by: joeyli Tested-by: Randy Wright Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 12cfbc11566d1db61099ad761d1138beba529f89 Author: Alexey Dobriyan Date: Fri Apr 20 14:56:06 2018 -0700 proc: fix /proc/loadavg regression [ Upstream commit 9a1015b32faa7cebfe19663c886b0cfe90be1d49 ] Commit 95846ecf9dac ("pid: replace pid bitmap implementation with IDR API") changed last field of /proc/loadavg (last pid allocated) to be off by one: # unshare -p -f --mount-proc cat /proc/loadavg 0.00 0.00 0.00 1/60 2 <=== It should be 1 after first fork into pid namespace. This is formally a regression but given how useless this field is I don't think anyone is affected. Bug was found by /proc testsuite! Link: http://lkml.kernel.org/r/20180413175408.GA27246@avx2 Fixes: 95846ecf9dac508 ("pid: replace pid bitmap implementation with IDR API") Signed-off-by: Alexey Dobriyan Cc: "Eric W. Biederman" Cc: Gargi Sharma Cc: Oleg Nesterov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3582e7991ba29458b2f63ad939d64934dd62736f Author: Alexey Dobriyan Date: Fri Apr 20 14:56:03 2018 -0700 proc: revalidate kernel thread inodes to root:root [ Upstream commit 2e0ad552f5f8cd0fda02bc45fcd2b89821c62fd1 ] task_dump_owner() has the following code: mm = task->mm; if (mm) { if (get_dumpable(mm) != SUID_DUMP_USER) { uid = ... } } Check for ->mm is buggy -- kernel thread might be borrowing mm and inode will go to some random uid:gid pair. Link: http://lkml.kernel.org/r/20180412220109.GA20978@avx2 Signed-off-by: Alexey Dobriyan Cc: "Eric W. Biederman" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f7a0fbef7eec4eb32505a1dee2b7390f585ade48 Author: Huang Ying Date: Fri Apr 20 14:55:38 2018 -0700 mm, pagemap: fix swap offset value for PMD migration entry [ Upstream commit 88c28f2469151b031f8cea9b28ed5be1b74a4172 ] The swap offset reported by /proc//pagemap may be not correct for PMD migration entries. If addr passed into pagemap_pmd_range() isn't aligned with PMD start address, the swap offset reported doesn't reflect this. And in the loop to report information of each sub-page, the swap offset isn't increased accordingly as that for PFN. This may happen after opening /proc//pagemap and seeking to a page whose address doesn't align with a PMD start address. I have verified this with a simple test program. BTW: migration swap entries have PFN information, do we need to restrict whether to show them? [akpm@linux-foundation.org: fix typo, per Huang, Ying] Link: http://lkml.kernel.org/r/20180408033737.10897-1-ying.huang@intel.com Signed-off-by: "Huang, Ying" Cc: Michal Hocko Cc: "Kirill A. Shutemov" Cc: Andrei Vagin Cc: Dan Williams Cc: "Jerome Glisse" Cc: Daniel Colascione Cc: Zi Yan Cc: Naoya Horiguchi Cc: Alexey Dobriyan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dfb1bb02c5a37c6a3f59c8ad752cd8e46d10ad4b Author: Colin Ian King Date: Fri Apr 20 10:57:16 2018 +0100 scsi: isci: Fix infinite loop in while loop [ Upstream commit 4bc83b3f272fe8f36450f9c003df49cf07ffe5fd ] In the case when the phy_mask is bitwise anded with the phy_index bit is zero the continue statement currently jumps to the next iteration of the while loop and phy_index is never actually incremented, potentially causing an infinite loop if phy_index is less than SCI_MAX_PHS. Fix this by turning the while loop into a for loop. Signed-off-by: Colin Ian King Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 13cd95296c111d8e303514b5b4c716ebe1fe9155 Author: Long Li Date: Thu Mar 22 14:47:18 2018 -0700 scsi: storvsc: Set up correct queue depth values for IDE devices [ Upstream commit f286299c1d0ba5e2ca0377610307b370fe178767 ] Unlike SCSI and FC, we don't use multiple channels for IDE. Also fix the calculation for sub-channels. Signed-off-by: Long Li Reviewed-by: Michael Kelley Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 26251fb91cf85aa17ed24ed4fa833d6ec70fb67a Author: Baolin Wang Date: Thu Apr 19 14:51:03 2018 +0800 parisc: time: Convert read_persistent_clock() to read_persistent_clock64() [ Upstream commit f76cdd00ef0e39d880139b074e3b247594dff95a ] The read_persistent_clock() uses a timespec, which is not year 2038 safe on 32bit systems. On parisc architecture, we have implemented generic RTC drivers that can be used to compensate the system suspend time, but the RTC time can not represent the nanosecond resolution, so this patch just converts to read_persistent_clock64() with timespec64. Signed-off-by: Baolin Wang Acked-by: Arnd Bergmann Signed-off-by: Helge Deller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b883dbf7067a9cc12276aa0ca4fe3014e903fb94 Author: David Howells Date: Fri Apr 20 13:35:02 2018 +0100 vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion [ Upstream commit a9e5b73288cf1595ac2e05cf1acd1924ceea05fa ] In do_mount() when the MS_* flags are being converted to MNT_* flags, MS_RDONLY got accidentally convered to SB_RDONLY. Undo this change. Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags") Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 55a67804e66f25ab61e300ee1a2742182c34cf25 Author: David Howells Date: Wed Apr 18 09:38:34 2018 +0100 afs: Fix server record deletion [ Upstream commit 660625922b3d9fcb376e5870299bc5c1086e1d32 ] AFS server records get removed from the net->fs_servers tree when they're deleted, but not from the net->fs_addresses{4,6} lists, which can lead to an oops in afs_find_server() when a server record has been removed, for instance during rmmod. Fix this by deleting the record from the by-address lists before posting it for RCU destruction. The reason this hasn't been noticed before is that the fileserver keeps probing the local cache manager, thereby keeping the service record alive, so the oops would only happen when a fileserver eventually gets bored and stops pinging or if the module gets rmmod'd and a call comes in from the fileserver during the window between the server records being destroyed and the socket being closed. The oops looks something like: BUG: unable to handle kernel NULL pointer dereference at 000000000000001c ... Workqueue: kafsd afs_process_async_call [kafs] RIP: 0010:afs_find_server+0x271/0x36f [kafs] ... Call Trace: afs_deliver_cb_init_call_back_state3+0x1f2/0x21f [kafs] afs_deliver_to_call+0x1ee/0x5e8 [kafs] afs_process_async_call+0x5b/0xd0 [kafs] process_one_work+0x2c2/0x504 worker_thread+0x1d4/0x2ac kthread+0x11f/0x127 ret_from_fork+0x24/0x30 Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f6c743ff3ab157e81924de881e810545470ae7b8 Author: dann frazier Date: Wed Apr 18 21:55:41 2018 -0600 net: hns: Avoid action name truncation [ Upstream commit f4ea89110df237da6fbcaab76af431e85f07d904 ] When longer interface names are used, the action names exposed in /proc/interrupts and /proc/irq/* maybe truncated. For example, when using the predictable name algorithm in systemd on a HiSilicon D05, I see: ubuntu@d05-3:~$ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //' enahisic2i0-tx0 enahisic2i0-tx1 [...] enahisic2i0-tx8 enahisic2i0-tx9 enahisic2i0-tx1 enahisic2i0-tx1 enahisic2i0-tx1 enahisic2i0-tx1 enahisic2i0-tx1 enahisic2i0-tx1 Increase the max ring name length to allow for an interface name of IFNAMSIZE. After this change, I now see: $ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //' enahisic2i0-tx0 enahisic2i0-tx1 enahisic2i0-tx2 [...] enahisic2i0-tx8 enahisic2i0-tx9 enahisic2i0-tx10 enahisic2i0-tx11 enahisic2i0-tx12 enahisic2i0-tx13 enahisic2i0-tx14 enahisic2i0-tx15 Signed-off-by: dann frazier Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 72f31b04fec481717574f4bf042e15e295e2ec7d Author: Jiang Biao Date: Thu Apr 19 12:06:09 2018 +0800 blkcg: init root blkcg_gq under lock [ Upstream commit 901932a3f9b2b80352896be946c6d577c0a9652c ] The initializing of q->root_blkg is currently outside of queue lock and rcu, so the blkg may be destroied before the initializing, which may cause dangling/null references. On the other side, the destroys of blkg are protected by queue lock or rcu. Put the initializing inside the queue lock and rcu to make it safer. Signed-off-by: Jiang Biao Signed-off-by: Wen Yang CC: Tejun Heo CC: Jens Axboe Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 878ea376993ee9048ddebeb80ffa5ac893babf3a Author: Emil Velikov Date: Wed Mar 28 17:22:16 2018 +0100 drm/msm: don't deref error pointer in the msm_fbdev_create error path [ Upstream commit 789d4c300e10eb2096ee83c3497118e67ccc951e ] Currently the error pointer returned by msm_alloc_stolen_fb gets passed to drm_framebuffer_remove. The latter handles only NULL pointers, thus a nasty crash will occur. Drop the unnecessary fail label and the associated checks - both err and fb will be set at this stage. Cc: Rob Clark Cc: linux-arm-msm@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: freedreno@lists.freedesktop.org Signed-off-by: Emil Velikov Signed-off-by: Rob Clark Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit eef49a06aa6ff481ac29902f7927ad1763f05174 Author: Stefan Agner Date: Mon Mar 19 22:26:32 2018 +0100 drm/msm/dsi: use correct enum in dsi_get_cmd_fmt [ Upstream commit a4af89286f8fc382459308764ea05935dc477cdc ] The function dsi_get_cmd_fmt returns enum dsi_cmd_dst_format, use the correct enum value also for MIPI_DSI_FMT_RGB666/_PACKED. This has been discovered using clang: drivers/gpu/drm/msm/dsi/dsi_host.c:743:35: warning: implicit conversion from enumeration type 'enum dsi_vid_dst_format' to different enumeration type 'enum dsi_cmd_dst_format' [-Wenum-conversion] case MIPI_DSI_FMT_RGB666: return VID_DST_FORMAT_RGB666; ~~~~~~ ^~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Stefan Agner Reviewed-by: Archit Taneja Signed-off-by: Rob Clark Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 186019a4b12aad8b7309c7ba317a2c1449cbc361 Author: Ben Hutchings Date: Tue Apr 3 23:38:45 2018 +0100 drm/msm: Fix possible null dereference on failure of get_pages() [ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ] Commit 62e3a3e342af changed get_pages() to initialise msm_gem_object::pages before trying to initialise msm_gem_object::sgt, so that put_pages() would properly clean up pages in the failure case. However, this means that put_pages() now needs to check that msm_gem_object::sgt is not null before trying to clean it up, and this check was only applied to part of the cleanup code. Move it all into the conditional block. (Strictly speaking we don't need to make the kfree() conditional, but since we can't avoid checking for null ourselves we may as well do so.) Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages") Signed-off-by: Ben Hutchings Reviewed-by: Jordan Crouse Signed-off-by: Rob Clark Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5ac02cd3209940ee72445445db851131f908d899 Author: Srinivas Kandagatla Date: Wed Apr 18 18:46:37 2018 +0100 ASoC: msm8916-wcd-analog: use threaded context for mbhc events [ Upstream commit a8419a0cd98ddf628a9e38a92110af7cc650dde7 ] As snd_soc_jack_report() can sleep, move handling of mbhc events to a thread context rather than in interrupt context. Fixes: de66b3455023 ('ASoC: codecs: msm8916-wcd-analog: add MBHC support') Reported-by: Bjorn Andersson Signed-off-by: Srinivas Kandagatla Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 45b6fa7d75711caa344a533ae03d087b3d5af04d Author: Taehee Yoo Date: Wed Apr 18 23:35:34 2018 +0900 netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update [ Upstream commit d71efb599ad42ef1e564c652d8084252bdc85edf ] When chain name is changed, nft_chain_commit_update is called. In the nft_chain_commit_update, trans->ctx.chain->name has old chain name and nft_trans_chain_name(trans) has new chain name. If new chain name is longer than old chain name, KASAN warns slab-out-of-bounds. [ 175.015012] BUG: KASAN: slab-out-of-bounds in strcpy+0x9e/0xb0 [ 175.022735] Write of size 1 at addr ffff880114e022da by task iptables-compat/1458 [ 175.031353] CPU: 0 PID: 1458 Comm: iptables-compat Not tainted 4.16.0-rc7+ #146 [ 175.031353] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015 [ 175.031353] Call Trace: [ 175.031353] dump_stack+0x68/0xa0 [ 175.031353] print_address_description+0xd0/0x260 [ 175.031353] ? strcpy+0x9e/0xb0 [ 175.031353] kasan_report+0x234/0x350 [ 175.031353] __asan_report_store1_noabort+0x1c/0x20 [ 175.031353] strcpy+0x9e/0xb0 [ 175.031353] nf_tables_commit+0x1ccc/0x2990 [ 175.031353] nfnetlink_rcv+0x141e/0x16c0 [ 175.031353] ? nfnetlink_net_init+0x150/0x150 [ 175.031353] ? lock_acquire+0x370/0x370 [ 175.031353] ? lock_acquire+0x370/0x370 [ 175.031353] netlink_unicast+0x444/0x640 [ 175.031353] ? netlink_attachskb+0x700/0x700 [ 175.031353] ? _copy_from_iter_full+0x180/0x740 [ 175.031353] ? kasan_check_write+0x14/0x20 [ 175.031353] ? _copy_from_user+0x9b/0xd0 [ 175.031353] netlink_sendmsg+0x845/0xc70 [ ... ] Steps to reproduce: iptables-compat -N 1 iptables-compat -E 1 aaaaaaaaa Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ab2361f1dc75e801746f7f6532dd8b3f9462181b Author: Pablo Neira Ayuso Date: Wed Apr 18 12:23:39 2018 +0200 netfilter: nf_tables: NAT chain and extensions require NF_TABLES [ Upstream commit 39f2ff0816e5421476c2bc538b68b4bb0708a78e ] Move these options inside the scope of the 'if' NF_TABLES and NF_TABLES_IPV6 dependencies. This patch fixes: net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_nat_do_chain': >> net/ipv6/netfilter/nft_chain_nat_ipv6.c:37: undefined reference to `nft_do_chain' net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_exit': >> net/ipv6/netfilter/nft_chain_nat_ipv6.c:94: undefined reference to `nft_unregister_chain_type' net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_init': >> net/ipv6/netfilter/nft_chain_nat_ipv6.c:87: undefined reference to `nft_register_chain_type' that happens with: CONFIG_NF_TABLES=m CONFIG_NFT_CHAIN_NAT_IPV6=y Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type") Reported-by: kbuild test robot Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 2ceebf50923d2c1d0985f4b08413bc4777978d29 Author: Ming Lei Date: Mon Apr 16 17:48:41 2018 +0800 scsi: target: fix crash with iscsi target and dvd [ Upstream commit 8e1ceafe50ec4d1bcfae154dd70e7cb6946a6177 ] When the current page can't be added to bio, one new bio should be created for adding this page again, instead of ignoring this page. This patch fixes kernel crash with iscsi target and dvd, as reported by Wakko. Cc: Wakko Warner Cc: Bart Van Assche Cc: target-devel@vger.kernel.org Cc: linux-scsi@vger.kernel.org Cc: "Nicholas A. Bellinger" Cc: Christoph Hellwig Fixes: 84c8590646d5b35804 ("target: avoid accessing .bi_vcnt directly") Signed-off-by: Ming Lei Reviewed-by: Christoph Hellwig Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c867132ead6611a4dba99de3258d8b48d6f5ba31 Author: Vinson Lee Date: Wed Mar 21 21:04:12 2018 +0000 scsi: megaraid_sas: Do not log an error if FW successfully initializes. [ Upstream commit fb1633d56b0025233ed3dc49b44544748d509d9d ] Fixes: 2d2c2331673c ("scsi: megaraid_sas: modified few prints in OCR and IOC INIT path") Signed-off-by: Vinson Lee Acked-by: Shivasharan S Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dfb110aa453978392d6b49c59c465db246960535 Author: Chris Leech Date: Mon Apr 9 15:15:28 2018 -0700 scsi: iscsi: respond to netlink with unicast when appropriate [ Upstream commit af17092810a887178195276255b7b31f8fbe7dbe ] Instead of always multicasting responses, send a unicast netlink message directed at the correct pid. This will be needed if we ever want to support multiple userspace processes interacting with the kernel over iSCSI netlink simultaneously. Limitations can currently be seen if you attempt to run multiple iscsistart commands in parallel. We've fixed up the userspace issues in iscsistart that prevented multiple instances from running, so now attempts to speed up booting by bringing up multiple iscsi sessions at once in the initramfs are just running into misrouted responses that this fixes. Signed-off-by: Chris Leech Reviewed-by: Lee Duncan Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3f59d9f8310304ae643de041aa60f4e2953a6e76 Author: Srinath Mannam Date: Wed Apr 18 14:11:29 2018 +0530 arm64: dts: correct SATA addresses for Stingray [ Upstream commit 4555a5021fe88fc4f19ff53d1e58b410cf30a49a ] Correct all SATA ahci and phy controller register addresses and interrupt lines to proper values. Fixes: 344a2e514182 ("arm64: dts: Add SATA DT nodes for Stingray SoC") Signed-off-by: Srinath Mannam Reviewed-by: Ray Jui Reviewed-by: Scott Branden Reviewed-by: Andrew Gospodarek Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dd574712bccc23c8f3f2d0815988f191459bdeae Author: Tung Nguyen Date: Tue Apr 17 21:58:27 2018 +0200 tipc: fix infinite loop when dumping link monitor summary [ Upstream commit 36a50a989ee8267588de520b8704b85f045a3220 ] When configuring the number of used bearers to MAX_BEARER and issuing command "tipc link monitor summary", the command enters infinite loop in user space. This issue happens because function tipc_nl_node_dump_monitor() returns the wrong 'prev_bearer' value when all potential monitors have been scanned. The correct behavior is to always try to scan all monitors until either the netlink message is full, in which case we return the bearer identity of the affected monitor, or we continue through the whole bearer array until we can return MAX_BEARERS. This solution also caters for the case where there may be gaps in the bearer array. Signed-off-by: Tung Nguyen Signed-off-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 50acab9d78d51cfb6bba1fad515b72c24bcb5662 Author: Martin Blumenstingl Date: Mon Mar 26 23:17:48 2018 +0200 ARM64: dts: meson-gxm-khadas-vim2: enable the USB controller [ Upstream commit 4b7b0d7b25538d2ad421a1041267d5208d3425bc ] The Khadas VIM2 board connects the dwc3 controller to an internal 4-port USB hub which. Two of these ports are accessible directly soldered to the board, while the other two are accessible through the 40-pin "GPIO" header. Signed-off-by: Martin Blumenstingl Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a9848d7da620ddd4fa841dfeb525c940b78e8374 Author: Martin Blumenstingl Date: Mon Mar 26 23:17:47 2018 +0200 ARM64: dts: meson-gxl-nexbox-a95x: enable the USB controller [ Upstream commit 55ef32249bb647c6b64adcf943918d302a0020a7 ] The Nexbox A95X provides two USB ports. Enable the SoC's USB controller on this board to make these USB ports usable. Signed-off-by: Martin Blumenstingl Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e6816c514e1a4e016453c68650f6b0293673156c Author: Martin Blumenstingl Date: Mon Mar 26 23:17:46 2018 +0200 ARM64: dts: meson-gxl-s905x-libretech-cc: enable the USB controller [ Upstream commit b83687f359d9b4128073f06ab7a06489eb04aa7c ] The LibreTech CC ("Le Potato") board provides four USB connectors. These are provided by a hub which is connected to the SoC's USB controller. Enable the SoC's USB controller to make the USB ports usable. Also turn on the HDMI_5V regulator when powering on the PHY because (even though it's not shown in the schematics) HDMI_5V also supplies the USB VBUS. Signed-off-by: Martin Blumenstingl Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 41c37654c10de8f1aa16119925665a37cdc3cd8c Author: Martin Blumenstingl Date: Mon Mar 26 23:17:45 2018 +0200 ARM64: dts: meson-gx-p23x-q20x: enable the USB controller [ Upstream commit 972cd12a027256061c19c164021f2a771e860438 ] All S905D (GXL) and S912 (GXM) reference boards (namely these are P230, P231, Q200 and Q201) provide USB connectors. This enables the USB controller on these boards to make the USB ports actually usable. Signed-off-by: Martin Blumenstingl Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 528c094235ff1f92b52c6a3b241a847c92e04802 Author: Martin Blumenstingl Date: Mon Mar 26 23:17:44 2018 +0200 ARM64: dts: meson-gxl-s905x-p212: enable the USB controller [ Upstream commit b9f07cb4f41fccbe7616482015d28e6e26aec3a3 ] All boards based on the P212 reference design (the P212 reference board itself and the Khadas VIM) have USB connectors (in case of the Khadas VIM the first port is exposed through the USB Type-C connector, the second port is connected to a 4-port USB hub). This enables the USB controller on these boards to make the USB ports actually usable. Signed-off-by: Martin Blumenstingl Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 603cf588cf9f0367f356ac47f08a68fb02015a0a Author: Martin Blumenstingl Date: Mon Mar 26 23:17:43 2018 +0200 ARM64: dts: meson-gxm: add GXM specific USB host configuration [ Upstream commit 458baa95c86406c81c6ebac0a98d1689075a3ec4 ] The USB configuration on GXM is slightly different than on GXL. The dwc3 controller's internal hub has three USB2 ports (instead of 2 on GXL) along with a dedicated USB2 PHY for this port. However, it seems that there are no pins on GXM which would allow connecting the third port to a physical USB port. Passing the third PHY is required though, because without it none of the other USB ports is working (this seems to be a limitation of how the internal USB hub works, if one PHY is disabled then no USB port works). Signed-off-by: Martin Blumenstingl Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 53e809d0bae3cbf7fa333b2f4f4de09912cd5219 Author: Martin Blumenstingl Date: Mon Mar 26 23:17:42 2018 +0200 ARM64: dts: meson-gxl: add USB host support [ Upstream commit 8aec5fc1d4d881fe446addb94309efb39d4e5b23 ] This adds USB host support to the Meson GXL SoC. A dwc3 controller is used for host-mode, while a dwc2 controller (not added in this patch because I could not get it working) is used for device-mode only. The dwc3 controller's internal roothub has two USB2 ports enabled but no USB3 port. Each of the ports is supplied by a separate PHY. The USB pins are connected to the SoC's USBHOST_A and USBOTG_B pins. Due to the way the roothub works internally the USB PHYs are left enabled. When the dwc3 controller is disabled the PHY is never powered on so it does not draw any extra power. However, when the dwc3 host controller is enabled then all PHYs also have to be enabled, otherwise USB devices will not be detected (regardless of whether they are plugged into an enabled port or not). This means that only the dwc3 controller has to be enabled on boards with USB support (instead of requiring all boards to enable the PHYs additionally with the chance of forgetting to enable one and breaking all other ports with that as well). This also adds the USB3 PHY which currently only does some basic initialization. That however is required because without it high-speed devices (like USB thumb drives) do not work on some devices (probably because the bootloader does not configure the USB3 PHY registers). Signed-off-by: Martin Blumenstingl Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3ca6e949b751fa3dfbf475ce635364cef543738b Author: Jiang Biao Date: Wed Apr 18 08:37:18 2018 -0600 blkcg: don't hold blkcg lock when deactivating policy [ Upstream commit 946b81da114b8ba5c74bb01e57c0c6eca2bdc801 ] As described in the comment of blkcg_activate_policy(), *Update of each blkg is protected by both queue and blkcg locks so that holding either lock and testing blkcg_policy_enabled() is always enough for dereferencing policy data.* with queue lock held, there is no need to hold blkcg lock in blkcg_deactivate_policy(). Similar case is in blkcg_activate_policy(), which has removed holding of blkcg lock in commit 4c55f4f9ad3001ac1fefdd8d8ca7641d18558e23. Signed-off-by: Jiang Biao Signed-off-by: Wen Yang CC: Tejun Heo Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f72b0945dc88cd5f679b8dcd6bef3a8a80d869a4 Author: sxauwsk Date: Tue Apr 17 04:01:27 2018 +0800 spi: cadence: Add usleep_range() for cdns_spi_fill_tx_fifo() [ Upstream commit 49530e6411789c1b9ea3ebc58e520c19d1c3752f ] In case of xspi work in busy condition, may send bytes failed. once something wrong, spi controller did't work any more My test found this situation appear in both of read/write process. so when TX FIFO is full, add one byte delay before send data; Signed-off-by: sxauwsk Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 7a028aa38b8b4cb132936ccb9637a05c8937d861 Author: Liam Girdwood Date: Tue Mar 27 14:30:44 2018 +0100 ASoC: topology: Check widget kcontrols before deref. [ Upstream commit 05bdcf12905533b8628627b6634608cd3b57c607 ] Validate the topology input before we dereference the pointer. Signed-off-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 4086d5ee4894c3c38b7c7818bff0fb55d82c9a56 Author: Mark Rutland Date: Mon Apr 16 14:44:41 2018 +0100 arm64: kasan: avoid pfn_to_nid() before page array is initialized [ Upstream commit 800cb2e553d44541b83aa3ec45d9839385fe8ab6 ] In arm64's kasan_init(), we use pfn_to_nid() to find the NUMA node a span of memory is in, hoping to allocate shadow from the same NUMA node. However, at this point, the page array has not been initialized, and thus this is bogus. Since commit: f165b378bbdf6c8a ("mm: uninitialized struct page poisoning sanity") ... accessing fields of the page array results in a boot time Oops(), highlighting this problem: [ 0.000000] Unable to handle kernel paging request at virtual address dfff200000000000 [ 0.000000] Mem abort info: [ 0.000000] ESR = 0x96000004 [ 0.000000] Exception class = DABT (current EL), IL = 32 bits [ 0.000000] SET = 0, FnV = 0 [ 0.000000] EA = 0, S1PTW = 0 [ 0.000000] Data abort info: [ 0.000000] ISV = 0, ISS = 0x00000004 [ 0.000000] CM = 0, WnR = 0 [ 0.000000] [dfff200000000000] address between user and kernel address ranges [ 0.000000] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.16.0-07317-gf165b378bbdf #42 [ 0.000000] Hardware name: ARM Juno development board (r1) (DT) [ 0.000000] pstate: 80000085 (Nzcv daIf -PAN -UAO) [ 0.000000] pc : __asan_load8+0x8c/0xa8 [ 0.000000] lr : __dump_page+0x3c/0x3b8 [ 0.000000] sp : ffff2000099b7ca0 [ 0.000000] x29: ffff2000099b7ca0 x28: ffff20000a1762c0 [ 0.000000] x27: ffff7e0000000000 x26: ffff2000099dd000 [ 0.000000] x25: ffff200009a3f960 x24: ffff200008f9c38c [ 0.000000] x23: ffff20000a9d3000 x22: ffff200009735430 [ 0.000000] x21: fffffffffffffffe x20: ffff7e0001e50420 [ 0.000000] x19: ffff7e0001e50400 x18: 0000000000001840 [ 0.000000] x17: ffffffffffff8270 x16: 0000000000001840 [ 0.000000] x15: 0000000000001920 x14: 0000000000000004 [ 0.000000] x13: 0000000000000000 x12: 0000000000000800 [ 0.000000] x11: 1ffff0012d0f89ff x10: ffff10012d0f89ff [ 0.000000] x9 : 0000000000000000 x8 : ffff8009687c5000 [ 0.000000] x7 : 0000000000000000 x6 : ffff10000f282000 [ 0.000000] x5 : 0000000000000040 x4 : fffffffffffffffe [ 0.000000] x3 : 0000000000000000 x2 : dfff200000000000 [ 0.000000] x1 : 0000000000000005 x0 : 0000000000000000 [ 0.000000] Process swapper (pid: 0, stack limit = 0x (ptrval)) [ 0.000000] Call trace: [ 0.000000] __asan_load8+0x8c/0xa8 [ 0.000000] __dump_page+0x3c/0x3b8 [ 0.000000] dump_page+0xc/0x18 [ 0.000000] kasan_init+0x2e8/0x5a8 [ 0.000000] setup_arch+0x294/0x71c [ 0.000000] start_kernel+0xdc/0x500 [ 0.000000] Code: aa0403e0 9400063c 17ffffee d343fc00 (38e26800) [ 0.000000] ---[ end trace 67064f0e9c0cc338 ]--- [ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- Let's fix this by using early_pfn_to_nid(), as other architectures do in their kasan init code. Note that early_pfn_to_nid acquires the nid from the memblock array, which we iterate over in kasan_init(), so this should be fine. Signed-off-by: Mark Rutland Fixes: 39d114ddc6822302 ("arm64: add KASAN support") Cc: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dc0833e84f1e14c7ae32980292b3e3b2c0a1eb01 Author: Simon Gaiser Date: Thu Mar 15 04:08:03 2018 +0100 xen: xenbus_dev_frontend: Really return response string [ Upstream commit ebf04f331fa15a966262341a7dc6b1a0efd633e4 ] xenbus_command_reply() did not actually copy the response string and leaked stack content instead. Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc") Signed-off-by: Simon Gaiser Reviewed-by: Juergen Gross Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d93d91951fe8c5de7e3d0444fe17a4744ddec78c Author: Andre Przywara Date: Tue Apr 17 11:23:49 2018 +0100 KVM: arm/arm64: vgic: Kick new VCPU on interrupt migration [ Upstream commit bf9a41377d14f565764022470e14aae72559589a ] When vgic_prune_ap_list() finds an interrupt that needs to be migrated to a new VCPU, we should notify this VCPU of the pending interrupt, since it requires immediate action. Kick this VCPU once we have added the new IRQ to the list, but only after dropping the locks. Reported-by: Stefano Stabellini Reviewed-by: Christoffer Dall Signed-off-by: Andre Przywara Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit cca7949e4b865c63fe37d73247c338f80418813b Author: Yan Wang Date: Mon Mar 26 16:48:00 2018 +0100 ASoC: topology: Fix bugs of freeing soc topology [ Upstream commit feb12f0cd8d7b1e8df2e6fce19fc9a026a468cc2 ] In snd_soc_tplg_component_remove(), it should compare index and not dobj->index with SND_SOC_TPLG_INDEX_ALL for removing all topology objects. Signed-off-by: Yan Wang Signed-off-by: Liam Girdwood Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit b319a489889726d4d84fbb85f8ab670b0747a52d Author: Loic Poulain Date: Tue Apr 3 11:19:01 2018 +0200 PCI: kirin: Fix reset gpio name [ Upstream commit 5db8f8d1099bd93a64a80b609dbcce887327ffc8 ] As documented in the devicetree bindings (pci/kirin-pcie.txt) and the reset gpio name must be 'reset-gpios'. However, current driver erroneously looks for a 'reset-gpio' resource which makes the driver probe fail. Fix it. Fixes: fc5165db245a ("PCI: kirin: Add HiSilicon Kirin SoC PCIe controller driver") Signed-off-by: Loic Poulain [lorenzo.pieralisi@arm.com: updated the commit log] Signed-off-by: Lorenzo Pieralisi Acked-by: Xiaowei Song Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5aeca10ed106e7a69e5b76b0585aa7c7f37f8f21 Author: Madhavan Srinivasan Date: Thu Jan 18 00:33:36 2018 +0530 powerpc/64s: Default l1d_size to 64K in RFI fallback flush [ Upstream commit 9dfbf78e4114fcaf4ef61c49885c3ab5bad40d0b ] If there is no d-cache-size property in the device tree, l1d_size could be zero. We don't actually expect that to happen, it's only been seen on mambo (simulator) in some configurations. A zero-size l1d_size leads to the loop in the asm wrapping around to 2^64-1, and then walking off the end of the fallback area and eventually causing a page fault which is fatal. Just default to 64K which is correct on some CPUs, and sane enough to not cause a crash on others. Fixes: aa8a5e0062ac9 ('powerpc/64s: Add support for RFI flush of L1-D cache') Signed-off-by: Madhavan Srinivasan [mpe: Rewrite comment and change log] Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 14652cdf93477be002f2c5fbba4806a283e35201 Author: Geert Uytterhoeven Date: Sun Apr 8 11:05:15 2018 +0200 soc: bcm2835: Make !RASPBERRYPI_FIRMWARE dummies return failure [ Upstream commit 144345a4a8c3b497a3f60d3af9d6071a37660186 ] If CONFIG_RASPBERRYPI_FIRMWARE=n: drivers/gpio/gpio-raspberrypi-exp.c: In function ‘rpi_exp_gpio_get_polarity’: drivers/gpio/gpio-raspberrypi-exp.c:71: warning: ‘get.polarity’ is used uninitialized in this function drivers/gpio/gpio-raspberrypi-exp.c: In function ‘rpi_exp_gpio_get_direction’: drivers/gpio/gpio-raspberrypi-exp.c:150: warning: ‘get.direction’ is used uninitialized in this function The dummy firmware interface functions return 0, which means success, causing subsequent code to make use of the never initialized output parameter. Fix this by making the dummy functions return an error code (-ENOSYS) instead. Note that this assumes the firmware always fills in the requested data in the CONFIG_RASPBERRYPI_FIRMWARE=y case. Fixes: d45f1a563b92dac7 ("staging: vc04_services: fix up rpi firmware functions") Signed-off-by: Geert Uytterhoeven Reviewed-by: Eric Anholt Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c30076776ef3ef82ee031ded9c3e8cbd3ece5b61 Author: Florian Fainelli Date: Sun Apr 1 09:42:25 2018 -0700 soc: bcm: raspberrypi-power: Fix use of __packed [ Upstream commit 0a12e80ce4230434c2ed66ad0d65af0b7ccecea8 ] Commit a09cd356586d ("ARM: bcm2835: add rpi power domain driver") attempted to annotate the structure rpi_power_domain_packet with __packed but introduced a typo and made it named __packet instead. Just drop the annotation since the structure is naturally aligned already. Fixes: a09cd356586d ("ARM: bcm2835: add rpi power domain driver") Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d567cb6770a823738c166e8dd01235f147e71c5c Author: Tyler Hicks Date: Wed Mar 28 23:41:52 2018 +0000 eCryptfs: don't pass up plaintext names when using filename encryption [ Upstream commit e86281e700cca8a773f9a572fa406adf2784ba5c ] Both ecryptfs_filldir() and ecryptfs_readlink_lower() use ecryptfs_decode_and_decrypt_filename() to translate lower filenames to upper filenames. The function correctly passes up lower filenames, unchanged, when filename encryption isn't in use. However, it was also passing up lower filenames when the filename wasn't encrypted or when decryption failed. Since 88ae4ab9802e, eCryptfs refuses to lookup lower plaintext names when filename encryption is enabled so this resulted in a situation where userspace would see lower plaintext filenames in calls to getdents(2) but then not be able to lookup those filenames. An example of this can be seen when enabling filename encryption on an eCryptfs mount at the root directory of an Ext4 filesystem: $ ls -1i /lower 12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE-- 11 lost+found $ ls -1i /upper ls: cannot access '/upper/lost+found': No such file or directory ? lost+found 12 test With this change, the lower lost+found dentry is ignored: $ ls -1i /lower 12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE-- 11 lost+found $ ls -1i /upper 12 test Additionally, some potentially noisy error/info messages in the related code paths are turned into debug messages so that the logs can't be easily filled. Fixes: 88ae4ab9802e ("ecryptfs_lookup(): try either only encrypted or plaintext name") Reported-by: Guenter Roeck Cc: Al Viro Signed-off-by: Tyler Hicks Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit bdf257a75d78c8216e4e8fc12ad6f831c5c44a36 Author: Tony Lindgren Date: Mon Apr 16 10:01:04 2018 -0700 ARM: dts: Fix cm2 and prm sizes for omap4 [ Upstream commit bc8a3ef1940c9a6dfa316b31e063fdd4fbab0add ] The size of these modules is 0x2000, not 0x3000. The extra 0x1000 after 0x2000 is for the interconnect target agent which is a separate device. Fixes: 7415b0b4c645 ("ARM: dts: omap4: add minimal l4 bus layout with control module support") Cc: Tero Kristo Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 3784cd192941c00b711a510983a012562a2e70c5 Author: oder_chiou@realtek.com Date: Fri Mar 30 15:41:55 2018 +0800 ASoC: rt5514: Add the missing register in the readable table [ Upstream commit 5ef5ac8de125fe6b4b23293bee026ca7ea1529b9 ] The patch adds the missing register in the readable table. Signed-off-by: Oder Chiou Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ebbb62483b0ca7a009eb57ef349d09090d4849c8 Author: Jerome Brunet Date: Mon Apr 9 15:59:20 2018 +0200 clk: honor CLK_MUX_ROUND_CLOSEST in generic clk mux [ Upstream commit 4ad69b80e886a845f56ce0a3d10211208693d92b ] CLK_MUX_ROUND_CLOSEST is part of the clk_mux documentation but clk_mux directly calls __clk_mux_determine_rate(), which overrides the flag. As result, if clk_mux is instantiated with CLK_MUX_ROUND_CLOSEST, the flag will be ignored and the clock rounded down. To solve this, this patch expose clk_mux_determine_rate_flags() in the clk-provider API and uses it in the determine_rate() callback of clk_mux. Fixes: 15a02c1f6dd7 ("clk: Add __clk_mux_determine_rate_closest") Signed-off-by: Jerome Brunet Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 20cddb963158fbc43c8f06b47653964105a6f8ba Author: Paolo Bonzini Date: Fri Apr 13 11:38:35 2018 +0200 kvm: x86: move MSR_IA32_TSC handling to x86.c [ Upstream commit dd259935e4eec844dc3e5b8a7cd951cd658b4fb6 ] This is not specific to Intel/AMD anymore. The TSC offset is available in vcpu->arch.tsc_offset. Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5abeefab1aa453aeaccb231d56bca45b777d1c60 Author: KarimAllah Ahmed Date: Sat Apr 14 05:10:52 2018 +0200 X86/KVM: Properly update 'tsc_offset' to represent the running guest [ Upstream commit e79f245ddec17bbd89d73cd0169dba4be46c9b55 ] Update 'tsc_offset' on vmentry/vmexit of L2 guests to ensure that it always captures the TSC_OFFSET of the running guest whether it is the L1 or L2 guest. Cc: Paolo Bonzini Cc: Radim Krčmář Cc: kvm@vger.kernel.org Cc: linux-kernel@vger.kernel.org Reviewed-by: Jim Mattson Suggested-by: Paolo Bonzini Signed-off-by: KarimAllah Ahmed [AMD changes, fix update_ia32_tsc_adjust_msr. - Paolo] Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 6143483b0a9f3e3929d8cdd37f3acda80aee432e Author: Jacopo Mondi Date: Mon Apr 16 15:56:08 2018 +0200 dt-bindings: dmaengine: rcar-dmac: document R8A77965 support [ Upstream commit b89bc283286b105e50aab9ab35992c0237ac77d8 ] Add documentation for r8a77965 compatible string to rcar-dmac device tree bindings documentation. Signed-off-by: Jacopo Mondi Reviewed-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Rob Herring Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 9dad1c0ab759dcabdcf7fdfbb4660ac9de57e2e6 Author: Jacopo Mondi Date: Mon Apr 16 15:55:28 2018 +0200 dt-bindings: serial: sh-sci: Add support for r8a77965 (H)SCIF [ Upstream commit 7de5b7e5f6a67c285b86d1478e8e150929c93482 ] Add documentation for r8a77965 compatible string to Renesas sci-serial device tree bindings documentation. Signed-off-by: Jacopo Mondi Reviewed-by: Geert Uytterhoeven Signed-off-by: Rob Herring Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ee03d81004bf3579705271145006cc8dff13bf0b Author: Jacopo Mondi Date: Mon Apr 16 15:55:17 2018 +0200 dt-bindings: net: ravb: Add support for r8a77965 SoC [ Upstream commit 1a862488729a6ea9cfd285d2c90f8738949ae7d2 ] Add documentation for r8a77965 compatible string to renesas ravb device tree bindings documentation. Signed-off-by: Jacopo Mondi Reviewed-by: Geert Uytterhoeven Reviewed-by: Simon Horman Acked-by: Sergei Shtylyov Signed-off-by: Rob Herring Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a123516358abf27828d102b05427f0a5b584960e Author: Matheus Castello Date: Wed Apr 11 01:17:03 2018 -0400 dt-bindings: pinctrl: sunxi: Fix reference to driver [ Upstream commit b614e905a0bc8fc5d4fa72665ac26ae00c874a4e ] Bindings describe hardware, not drivers. Use reference to hardware Allwinner A1X Pin Controller instead driver. Signed-off-by: Matheus Castello Signed-off-by: Rob Herring Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a72e38bf6d3ecd88027fb1528aaf3340d5d4d174 Author: Lukasz Majewski Date: Wed Apr 4 09:52:04 2018 +0200 doc: Add vendor prefix for Kieback & Peter GmbH [ Upstream commit 99bf8f27f3f94d2a37291354b8dc83f13728f75f ] The 'kiebackpeter' entry has been added to vendor-prefixes.txt to indicate products from Kieback & Peter GmbH. Signed-off-by: Lukasz Majewski Signed-off-by: Rob Herring Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1ad8cea72935094e11f2106f60db2c905c007b6d Author: Vladimir Zapolskiy Date: Fri Apr 13 15:44:16 2018 +0300 spi: sh-msiof: Fix bit field overflow writes to TSCR/RSCR [ Upstream commit 10b4640833e95eeacaef8060bc1b35e636df3218 ] The change fixes a bit field overflow which allows to write to higher bits while calculating SPI transfer clock and setting BRPS and BRDV bit fields, the problem is reproduced if 'parent_rate' to 'spi_hz' ratio is greater than 1024, for instance p->min_div = 2, MSO rate = 33333333, SPI device rate = 10000 results in k = 5, i.e. BRDV = 0b100 or 1/32 prescaler output, BRPS = 105, TSCR value = 0x6804, thus MSSEL and MSIMM bit fields are non-zero. Fixes: 65d5665bb260 ("spi: sh-msiof: Update calculation of frequency dividing") Signed-off-by: Vladimir Zapolskiy Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e43c410db3feb58515988d05174cecb4eea42dc5 Author: Matt Redfearn Date: Fri Apr 13 09:50:44 2018 +0100 MIPS: dts: Boston: Fix PCI bus dtc warnings: [ Upstream commit 2c2bf522ed8cbfaac666f7dc65cfd38de2b89f0f ] dtc recently (v1.4.4-8-g756ffc4f52f6) added PCI bus checks. Fix the warnings now emitted: arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@10000000: missing bus-range for PCI bridge arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@12000000: missing bus-range for PCI bridge arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@14000000: missing bus-range for PCI bridge Signed-off-by: Matt Redfearn Cc: Ralf Baechle Cc: Paul Burton Cc: Rob Herring Cc: Mark Rutland Cc: linux-mips@linux-mips.org Cc: devicetree@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/19070/ Signed-off-by: James Hogan Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ec37b9ab61c0d01d5fea1e934454e93f21ca594e Author: Chengguang Xu Date: Sat Apr 14 20:16:06 2018 +0800 isofs: fix potential memory leak in mount option parsing [ Upstream commit 4f34a5130a471f32f2fe7750769ab4057dc3eaa0 ] When specifying string type mount option (e.g., iocharset) several times in a mount, current option parsing may cause memory leak. Hence, call kfree for previous one in this case. Meanwhile, check memory allocation result for it. Signed-off-by: Chengguang Xu Signed-off-by: Jan Kara Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f57b08ea7a43916bba69c2ab0bc8478cf99773e3 Author: Martin Schwidefsky Date: Tue Apr 3 11:08:52 2018 +0200 s390/smsgiucv: disable SMSG on module unload [ Upstream commit 760dd0eeaec1689430243ead14e5a429613d8c52 ] The module exit function of the smsgiucv module uses the incorrect CP command to disable SMSG messages. The correct command is "SET SMSG OFF". Use it. Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d485337ac5518b1825549755fe0bfd899b435359 Author: Sinan Kaya Date: Thu Apr 12 22:30:44 2018 -0400 MIPS: io: Add barrier after register read in readX() [ Upstream commit a1cc7034e33d12dc17d13fbcd7d597d552889097 ] While a barrier is present in the writeX() functions before the register write, a similar barrier is missing in the readX() functions after the register read. This could allow memory accesses following readX() to observe stale data. Signed-off-by: Sinan Kaya Reported-by: Arnd Bergmann Cc: Ralf Baechle Cc: Paul Burton Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/19069/ [jhogan@kernel.org: Tidy commit message] Signed-off-by: James Hogan Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f890c2f78476ccdf5b4e2a75db315af22cd6e552 Author: Amir Goldstein Date: Thu Apr 5 16:18:03 2018 +0300 fsnotify: fix ignore mask logic in send_to_group() [ Upstream commit 92183a42898dc400b89da35685d1814ac6acd3d8 ] The ignore mask logic in send_to_group() does not match the logic in fanotify_should_send_event(). In the latter, a vfsmount mark ignore mask precedes an inode mark mask and in the former, it does not. That difference may cause events to be sent to fanotify backend for no reason. Fix the logic in send_to_group() to match that of fanotify_should_send_event(). Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 8e84be290bab700f6d923531acf67819989b940b Author: Arnaldo Carvalho de Melo Date: Thu Apr 12 14:58:24 2018 -0300 perf report: Fix switching to another perf.data file [ Upstream commit 7b366142a50ad79e48de8e67c5b3e8cfb9fa82dd ] In the TUI the 's' hotkey can be used to switch to another perf.data file in the current directory, but that got broken in Fixes: b01141f4f59c ("perf annotate: Initialize the priv are in symbol__new()"), that would show this once another file was chosen: ┌─Fatal Error─────────────────────────────────────┐ │Annotation needs to be init before symbol__init()│ │ │ │ │ │Press any key... │ └─────────────────────────────────────────────────┘ Fix it by just silently bailing out if symbol__annotation_init() was already called, just like is done with symbol__init(), i.e. they are done just once at session start, not when switching to a new perf.data file. Cc: Adrian Hunter Cc: Andi Kleen Cc: David Ahern Cc: Jin Yao Cc: Jiri Olsa Cc: Martin Liška Cc: Namhyung Kim Cc: Ravi Bangoria Cc: Thomas Richter Cc: Wang Nan Fixes: b01141f4f59c ("perf annotate: Initialize the priv are in symbol__new()") Link: https://lkml.kernel.org/n/tip-ogppdtpzfax7y1h6gjdv5s6u@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 5f8436142c48e5b06da0e423695ebfdeaee4b796 Author: Pieter Jansen van Vuuren Date: Wed Apr 11 16:47:38 2018 -0700 nfp: flower: split and limit cmsg skb lists [ Upstream commit cf2cbadc20f5651c3dde9f5ac2ee52fb43aa4ddd ] Introduce a second skb list for handling control messages and limit the number of allowed messages. Some control messages are considered more crucial than others, resulting in the need for a second skb list. By splitting the list into a separate high and low priority list we can ensure that messages on the high list get added to the head of the list that gets processed, this however has no functional impact. Previously there was no limit on the number of messages allowed on the queue, this could result in the queue growing boundlessly and eventually the host running out of memory. Fixes: b985f870a5f0 ("nfp: process control messages in workqueue in flower app") Signed-off-by: Pieter Jansen van Vuuren Reviewed-by: Jakub Kicinski Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 1375760b9bc89eb002fee10076fac32118dae5de Author: Jakub Kicinski Date: Wed Apr 11 16:47:35 2018 -0700 nfp: ignore signals when communicating with management FW [ Upstream commit 5496295aefe86995e41398b0f76de601308fc3f5 ] We currently allow signals to interrupt the wait for management FW commands. Exiting the wait should not cause trouble, the FW will just finish executing the command in the background and new commands will wait for the old one to finish. However, this may not be what users expect (Ctrl-C not actually stopping the command). Moreover some systems routinely request link information with signals pending (Ubuntu 14.04 runs a landscape-sysinfo python tool from MOTD) worrying users with errors like these: nfp 0000:04:00.0: nfp_nsp: Error -512 waiting for code 0x0007 to start nfp 0000:04:00.0: nfp: reading port table failed -512 Make the wait for management FW responses non-interruptible. Fixes: 1a64821c6af7 ("nfp: add support for service processor access") Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit dc255cbd76a7f9b03cecf300a9529c548a707438 Author: Nathan Fontenot Date: Wed Apr 11 10:09:38 2018 -0500 ibmvnic: Do not notify peers on parameter change resets [ Upstream commit ebc701b796a67a5785399dcbc83d90e3b5f1e02f ] When attempting to change the driver parameters, such as the MTU value or number of queues, do not call netdev_notify_peers(). Doing so will deadlock on the rtnl_lock. Signed-off-by: Nathan Fontenot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c514d60a07c4af5d87ca809ecaf6de90a7cce591 Author: Raghuram Chary J Date: Wed Apr 11 20:36:36 2018 +0530 lan78xx: PHY DSP registers initialization to address EEE link drop issues with long cables [ Upstream commit 1c2734b31d72316e3faaad88c0c9c46fa92a4b20 ] The patch is to configure DSP registers of PHY device to handle Gbe-EEE failures with >40m cable length. Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") Signed-off-by: Raghuram Chary J Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit e83c7c2d452a51c8b2c6c51aaef2df3ef9719bb1 Author: Sinan Kaya Date: Tue Apr 3 08:55:03 2018 -0400 MIPS: io: Prevent compiler reordering writeX() [ Upstream commit f6b7aeee8f167409195fbf1364d02988fecad1d0 ] writeX() has strong ordering semantics with respect to memory updates. In the absence of a write barrier or a compiler barrier, the compiler can reorder register and memory update instructions. This breaks the writeX() API. Signed-off-by: Sinan Kaya Cc: Arnd Bergmann Cc: Ralf Baechle Cc: Paul Burton Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/18997/ [jhogan@kernel.org: Tidy commit message] Signed-off-by: James Hogan Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 840b23eb8a5bb737077c7d4c54cd69a6444b7aa1 Author: Krish Sadhukhan Date: Wed Apr 11 01:10:16 2018 -0400 x86: Add check for APIC access address for vmentry of L2 guests [ Upstream commit f0f4cf5b306620282db0c59ff963012e1973e025 ] According to the sub-section titled 'VM-Execution Control Fields' in the section titled 'Basic VM-Entry Checks' in Intel SDM vol. 3C, the following vmentry check must be enforced: If the 'virtualize APIC-accesses' VM-execution control is 1, the APIC-access address must satisfy the following checks: - Bits 11:0 of the address must be 0. - The address should not set any bits beyond the processor's physical-address width. This patch adds the necessary check to conform to this rule. If the check fails, we cause the L2 VMENTRY to fail which is what the associated unit test (following patch) expects. Reviewed-by: Mihai Carabas Reviewed-by: Konrad Rzeszutek Wilk Reviewed-by: Jim Mattson Reviewed-by: Wanpeng Li Signed-off-by: Krish Sadhukhan Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit aeb28bfb22f583f13dd4ab151ec2419a42b8247e Author: Pierre-Louis Bossart Date: Mon Apr 2 12:06:14 2018 -0500 ASoC: Intel: atom: fix ACPI/PCI Kconfig [ Upstream commit 90619eb1dc4f19357fef5e9c13c6c9beead0fd80 ] The split between ACPI and PCI platforms generated issues with randconfig: with SND_SST_ATOM_HIFI2_PLATFORM_PCI=y and SND_SST_ATOM_HIFI2_PLATFORM=m, we get this module link failure: ERROR: "sst_context_init" [sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! ERROR: "sst_context_cleanup" [sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! ERROR: "sst_alloc_drv_context" [sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! ERROR: "intel_sst_pm" [sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! ERROR: "sst_configure_runtime_pm" [sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! To keep things simple, let's expose two configs for SND_SST_ATOM_HIFI2_PLATFORM_PCI and SND_SST_ATOM_HIFI2_PLATFORM_ACPI, which select a common SND_SST_ATOM_HIFI2_PLATFORM option. To avoid breaking existing solutions with the semantics change, SND_SST_ATOM_HIFI2_PLATFORM_ACPI uses "default ACPI" so that "make oldnoconfig" and "make olddefconfig" still work as expected. Also remove mentions of Medfield while we are at it since it was removed recently. Reported-by: Arnd Bergmann Fixes: 4772c16ede52 ("ASoC: Intel: Kconfig: Simplify-clarify ACPI/PCI dependencies") Signed-off-by: Pierre-Louis Bossart Reviewed-by: Andy Shevchenko Acked-By: Vinod Koul Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit f970fe650fa05eac1ef9f6e9238a66cf57b04f86 Author: hu huajun Date: Wed Apr 11 15:16:40 2018 +0800 KVM: X86: fix incorrect reference of trace_kvm_pi_irte_update [ Upstream commit 2698d82e519413c6ad287e6f14b29e0373ed37f8 ] In arch/x86/kvm/trace.h, this function is declared as host_irq the first input, and vcpu_id the second, instead of otherwise. Signed-off-by: hu huajun Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 65019a2e209d332270614301f6f2007acb9726ec Author: Christophe JAILLET Date: Fri Apr 6 15:36:11 2018 -0700 Input: synaptics-rmi4 - fix an unchecked out of memory error path [ Upstream commit 839c42273617787318da7baf6151d553108f5e17 ] When extending the rmi_spi buffers, we must check that no out of memory error occurs, otherwise we may access data above the currently allocated memory. Propagate the error code returned by 'rmi_spi_manage_pools()' instead. Signed-off-by: Christophe JAILLET Reviewed-by: Andrew Duggan Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit d7564580d60eef208bf15e324c8289f65a399465 Author: Anson Huang Date: Wed Mar 28 11:22:37 2018 +0800 clocksource/drivers/imx-tpm: Correct some registers operation flow [ Upstream commit 506a7be93ff773d5d4cf75a59f342865605b4910 ] According to i.MX7ULP reference manual, TPM_SC_CPWMS can ONLY be written when counter is disabled, TPM_SC_TOF is write-1-clear, TPM_C0SC_CHF is also write-1-clear, correct these registers initialization flow; Signed-off-by: Anson Huang Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman