commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 Author: Linus Torvalds Date: Sun Jul 7 15:41:56 2019 -0700 Linux 5.2 commit 46713c3d2f8da5e3d8ddd2249bcb1d9974fb5d28 Merge: bcc0e65f47de 7e41c3c9b6ce Author: Linus Torvalds Date: Sat Jul 6 11:48:39 2019 -0700 Merge tag 'for-linus-20190706' of git://git.kernel.dk/linux-block Pull block fix from Jens Axboe: "Just a single fix for a patch from Greg KH, which reportedly break block debugfs locations for certain setups. Trivial enough that I think we should include it now, rather than wait and release 5.2 with it, since it's a regression in this series" * tag 'for-linus-20190706' of git://git.kernel.dk/linux-block: blk-mq: fix up placement of debugfs directory of queue files commit bcc0e65f47def010d8d1c4cf09bdc698fe061b77 Merge: 2692982b0800 f2ff671f8941 Author: Linus Torvalds Date: Sat Jul 6 10:32:12 2019 -0700 Merge tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux Pull MIPS fixes from Paul Burton: "A few more MIPS fixes: - Fix a silly typo in virt_addr_valid which led to completely bogus behavior (that happened to stop tripping up hardened usercopy despite being broken). - Fix UART parity setup on AR933x systems. - A build fix for non-Linux build machines. - Have the 'all' make target build DTBs, primarily to fit in with the behavior of scripts/package/builddeb. - Handle an execution hazard in TLB exceptions that use KScratch registers, which could inadvertently clobber the $1 register on some generally higher-end out-of-order CPUs. - A MAINTAINERS update to fix the path to the NAND driver for Ingenic systems" * tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: MAINTAINERS: Correct path to moved files MIPS: Add missing EHB in mtc0 -> mfc0 sequence. MIPS: have "plain" make calls build dtbs for selected platforms MIPS: fix build on non-linux hosts MIPS: ath79: fix ar933x uart parity mode MIPS: Fix bounds check virt_addr_valid commit 2692982b0800c6f6446e9edd4743239666e69f2e Merge: 4f8b49092c37 f6034225442c Author: Linus Torvalds Date: Sat Jul 6 10:06:37 2019 -0700 Merge tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma Pull dmaengine fixes from Vinod Koul: - bam_dma fix for completed descriptor count - fix for imx-sdma remove BD_INTR for channel0 and use-after-free on probe error path - endian bug fix in jz4780 IRQ handler * tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: qcom: bam_dma: Fix completed descriptors count dmaengine: imx-sdma: remove BD_INTR for channel0 dmaengine: imx-sdma: fix use-after-free on probe error path dmaengine: jz4780: Fix an endian bug in IRQ handler commit 4f8b49092c37cf0c87c43bb2698d43c71cf0e4e5 Merge: ceacbc0e145e 5dd6c4933912 Author: Linus Torvalds Date: Sat Jul 6 09:56:20 2019 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Two iscsi fixes. One for an oops in the client which can be triggered by the server authentication protocol and the other in the target code which causes data corruption" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported scsi: target/iblock: Fix overrun in WRITE SAME emulation commit ceacbc0e145e3b27d8b12eecb881f9d87702765a Merge: 69bf4b6b54fb 75f2d86b20bf Author: Linus Torvalds Date: Sat Jul 6 09:53:08 2019 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs fixlet from Al Viro: "Fix bogus default y in Kconfig (VALIDATE_FS_PARSER) That thing should not be turned on by default, especially since it's not quiet in case it finds no problems. Geert has sent the obvious fix quite a few times, but it fell through the cracks" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fs: VALIDATE_FS_PARSER should default to n commit 7e41c3c9b6ceb2da52ba9d2b328d1851f269a48e Author: Greg Kroah-Hartman Date: Sat Jul 6 17:50:32 2019 +0200 blk-mq: fix up placement of debugfs directory of queue files When the blk-mq debugfs file creation logic was "cleaned up" it was cleaned up too much, causing the queue file to not be created in the correct location. Turns out the check for the directory being present is needed as if that has not happened yet, the files should not be created, and the function will be called later on in the initialization code so that the files can be created in the correct location. Fixes: 6cfc0081b046 ("blk-mq: no need to check return value of debugfs_create functions") Reported-by: Stephen Rothwell Cc: linux-block@vger.kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jens Axboe commit 69bf4b6b54fb7f52b7ea9ce28d4a360cd5ec956d Author: Linus Torvalds Date: Fri Jul 5 19:55:18 2019 -0700 Revert "mm: page cache: store only head pages in i_pages" This reverts commit 5fd4ca2d84b249f0858ce28cf637cf25b61a398f. Mikhail Gavrilov reports that it causes the VM_BUG_ON_PAGE() in __delete_from_swap_cache() to trigger: page:ffffd6d34dff0000 refcount:1 mapcount:1 mapping:ffff97812323a689 index:0xfecec363 anon flags: 0x17fffe00080034(uptodate|lru|active|swapbacked) raw: 0017fffe00080034 ffffd6d34c67c508 ffffd6d3504b8d48 ffff97812323a689 raw: 00000000fecec363 0000000000000000 0000000100000000 ffff978433ace000 page dumped because: VM_BUG_ON_PAGE(entry != page) page->mem_cgroup:ffff978433ace000 ------------[ cut here ]------------ kernel BUG at mm/swap_state.c:170! invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 PID: 221 Comm: kswapd0 Not tainted 5.2.0-0.rc2.git0.1.fc31.x86_64 #1 Hardware name: System manufacturer System Product Name/ROG STRIX X470-I GAMING, BIOS 2202 04/11/2019 RIP: 0010:__delete_from_swap_cache+0x20d/0x240 Code: 30 65 48 33 04 25 28 00 00 00 75 4a 48 83 c4 38 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c6 2f dc 0f 8a 48 89 c7 e8 93 1b fd ff <0f> 0b 48 c7 c6 a8 74 0f 8a e8 85 1b fd ff 0f 0b 48 c7 c6 a8 7d 0f RSP: 0018:ffffa982036e7980 EFLAGS: 00010046 RAX: 0000000000000021 RBX: 0000000000000040 RCX: 0000000000000006 RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff97843d657900 RBP: 0000000000000001 R08: ffffa982036e7835 R09: 0000000000000535 R10: ffff97845e21a46c R11: ffffa982036e7835 R12: ffff978426387120 R13: 0000000000000000 R14: ffffd6d34dff0040 R15: ffffd6d34dff0000 FS: 0000000000000000(0000) GS:ffff97843d640000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00002cba88ef5000 CR3: 000000078a97c000 CR4: 00000000003406e0 Call Trace: delete_from_swap_cache+0x46/0xa0 try_to_free_swap+0xbc/0x110 swap_writepage+0x13/0x70 pageout.isra.0+0x13c/0x350 shrink_page_list+0xc14/0xdf0 shrink_inactive_list+0x1e5/0x3c0 shrink_node_memcg+0x202/0x760 shrink_node+0xe0/0x470 balance_pgdat+0x2d1/0x510 kswapd+0x220/0x420 kthread+0xfb/0x130 ret_from_fork+0x22/0x40 and it's not immediately obvious why it happens. It's too late in the rc cycle to do anything but revert for now. Link: https://lore.kernel.org/lkml/CABXGCsN9mYmBD-4GaaeW_NrDu+FDXLzr_6x+XNxfmFV6QkYCDg@mail.gmail.com/ Reported-and-bisected-by: Mikhail Gavrilov Suggested-by: Jan Kara Cc: Michal Hocko Cc: Vlastimil Babka Cc: Matthew Wilcox Cc: Kirill Shutemov Cc: William Kucharski Cc: Andrew Morton Signed-off-by: Linus Torvalds commit 9fdb86c8cf9ae201d97334ecc2d1918800cac424 Merge: 0e63665a1bfd e644fa18e2ff Author: Linus Torvalds Date: Fri Jul 5 19:13:24 2019 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "x86 bugfix patches and one compilation fix for ARM" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: arm64/sve: Fix vq_present() macro to yield a bool KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC KVM: nVMX: Change KVM_STATE_NESTED_EVMCS to signal vmcs12 is copied from eVMCS KVM: nVMX: Allow restore nested-state to enable eVMCS when vCPU in SMM KVM: x86: degrade WARN to pr_warn_ratelimited commit 0e63665a1bfd606f538da90473648ca5b827d60f Merge: 881ed91f7db5 c7a87ceb17ae Author: Linus Torvalds Date: Fri Jul 5 19:07:57 2019 -0700 Merge tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull mtf fixes from Miquel Raynal: - Fix the memory organization structure of a Macronix SPI-NAND chip. - Fix a build dependency wrongly described. - Fix the sunxi NAND driver for A23/A33 SoCs by (a) reverting the faulty commit introducing broken DMA support and (b) applying another commit bringing working DMA support. * tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd: rawnand: sunxi: Add A23/A33 DMA support with extra MBUS configuration Revert "mtd: rawnand: sunxi: Add A23/A33 DMA support" mtd: rawnand: ingenic: Fix ingenic_ecc dependency mtd: spinand: Fix max_bad_eraseblocks_per_lun info in memorg commit 881ed91f7db58fcbe8fdca056907991c3c9d8f2d Merge: a8f46b5afe1c f3a3ea28edd9 Author: Linus Torvalds Date: Fri Jul 5 19:04:57 2019 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixlet from Wolfram Sang: "I2C has a MAINTAINERS update which will be benfitial for developers, so let's add it right away" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: tegra: Add Dmitry as a reviewer commit a8f46b5afe1c0a83c3013a339e6aeccc2f37342d Merge: 3f9c4dc63309 3b2d4dcf71c4 Author: Linus Torvalds Date: Fri Jul 5 19:00:37 2019 -0700 Merge tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux Pull nfsd fixes from Bruce Fields: "Two more quick bugfixes for nfsd: fixing a regression causing mount failures on high-memory machines and fixing the DRC over RDMA" * tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux: nfsd: Fix overflow causing non-working mounts on 1 TB machines svcrdma: Ignore source port when computing DRC hash commit c7a87ceb17aee9222c069a97aee4647260c7b3a6 Author: Miquel Raynal Date: Mon Apr 8 09:41:46 2019 +0200 mtd: rawnand: sunxi: Add A23/A33 DMA support with extra MBUS configuration Allwinner NAND controllers can make use of DMA to enhance the I/O throughput thanks to ECC pipelining. DMA handling with A23/A33 NAND IP is a bit different than with the older SoCs, hence the introduction of a new compatible to handle: * the differences between register offsets, * the burst length change from 4 to minimum 8, * manage SRAM accesses through MBUS with extra configuration. Fixes: c49836f05aa1 ("mtd: rawnand: sunxi: Add A23/A33 DMA support") Signed-off-by: Miquel Raynal commit 4f032640bf5751ce792b69d2abdf18e0f379b3ce Author: Miquel Raynal Date: Fri Jul 5 11:25:29 2019 +0200 Revert "mtd: rawnand: sunxi: Add A23/A33 DMA support" This reverts commit c49836f05aa15282f7280e06ede3f6f8a6324833. The commit is wrong and its approach actually does not work. Let's revert it in order to add the feature with a clean patch. Fixes: c49836f05aa1 ("mtd: rawnand: sunxi: Add A23/A33 DMA support") Signed-off-by: Miquel Raynal commit f3a3ea28edd9a17588fede4ff53bc02d986cf4d1 Author: Dmitry Osipenko Date: Sun Jun 23 20:46:55 2019 +0300 i2c: tegra: Add Dmitry as a reviewer I'm contributing to Tegra's upstream development in general and happened to review the Tegra's I2C patches for awhile because I'm actively using upstream kernel on all of my Tegra-powered devices and initially some of the submitted patches were getting my attention since they were causing problems. Recently Wolfram Sang asked whether I'm interested in becoming a reviewer for the driver and I don't mind at all. Signed-off-by: Dmitry Osipenko [wsa: ack was expressed by Thierry Reding in a mail thread] Signed-off-by: Wolfram Sang commit 75f2d86b20bf6aec0392d6dd2ae3ffff26d2ae0e Author: Geert Uytterhoeven Date: Mon Apr 1 13:53:57 2019 +0200 fs: VALIDATE_FS_PARSER should default to n CONFIG_VALIDATE_FS_PARSER is a debugging tool to check that the parser tables are vaguely sane. It was set to default to 'Y' for the moment to catch errors in upcoming fs conversion development. Make sure it is not enabled by default in the final release of v5.1. Fixes: 31d921c7fb969172 ("vfs: Add configuration parser helpers") Signed-off-by: Geert Uytterhoeven Signed-off-by: Al Viro commit e644fa18e2ffc8895ca30dade503ae10128573a6 Author: Zhang Lei Date: Wed Jul 3 18:42:50 2019 +0100 KVM: arm64/sve: Fix vq_present() macro to yield a bool The original implementation of vq_present() relied on aggressive inlining in order for the compiler to know that the code is correct, due to some const-casting issues. This was causing sparse and clang to complain, while GCC compiled cleanly. Commit 0c529ff789bc addressed this problem, but since vq_present() is no longer a function, there is now no implicit casting of the returned value to the return type (bool). In set_sve_vls(), this uncast bit value is compared against a bool, and so may spuriously compare as unequal when both are nonzero. As a result, KVM may reject valid SVE vector length configurations as invalid, and vice versa. Fix it by forcing the returned value to a bool. Signed-off-by: Zhang Lei Fixes: 0c529ff789bc ("KVM: arm64: Implement vq_present() as a macro") Signed-off-by: Dave Martin [commit message rewrite] Cc: Viresh Kumar Signed-off-by: Paolo Bonzini commit f6034225442c4a87906d36e975fd9e99a8f95487 Author: Sricharan R Date: Fri Jun 28 17:39:46 2019 +0530 dmaengine: qcom: bam_dma: Fix completed descriptors count One space is left unused in circular FIFO to differentiate 'full' and 'empty' cases. So take that in to account while counting for the descriptors completed. Fixes the issue reported here, https://lkml.org/lkml/2019/6/18/669 Cc: stable@vger.kernel.org Reported-by: Srinivas Kandagatla Signed-off-by: Sricharan R Tested-by: Srinivas Kandagatla Signed-off-by: Vinod Koul commit 3f93a4f297961c12bb17aa16cb3a4d1291823cae Author: Robin Gong Date: Fri Jun 21 16:23:06 2019 +0800 dmaengine: imx-sdma: remove BD_INTR for channel0 It is possible for an irq triggered by channel0 to be received later after clks are disabled once firmware loaded during sdma probe. If that happens then clearing them by writing to SDMA_H_INTR won't work and the kernel will hang processing infinite interrupts. Actually, don't need interrupt triggered on channel0 since it's pollling SDMA_H_STATSTOP to know channel0 done rather than interrupt in current code, just clear BD_INTR to disable channel0 interrupt to avoid the above case. This issue was brought by commit 1d069bfa3c78 ("dmaengine: imx-sdma: ack channel 0 IRQ in the interrupt handler") which didn't take care the above case. Fixes: 1d069bfa3c78 ("dmaengine: imx-sdma: ack channel 0 IRQ in the interrupt handler") Cc: stable@vger.kernel.org #5.0+ Signed-off-by: Robin Gong Reported-by: Sven Van Asbroeck Tested-by: Sven Van Asbroeck Reviewed-by: Michael Olbrich Signed-off-by: Vinod Koul commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 Author: Sven Van Asbroeck Date: Mon Jun 24 10:07:31 2019 -0400 dmaengine: imx-sdma: fix use-after-free on probe error path If probe() fails anywhere beyond the point where sdma_get_firmware() is called, then a kernel oops may occur. Problematic sequence of events: 1. probe() calls sdma_get_firmware(), which schedules the firmware callback to run when firmware becomes available, using the sdma instance structure as the context 2. probe() encounters an error, which deallocates the sdma instance structure 3. firmware becomes available, firmware callback is called with deallocated sdma instance structure 4. use after free - kernel oops ! Solution: only attempt to load firmware when we're certain that probe() will succeed. This guarantees that the firmware callback's context will remain valid. Note that the remove() path is unaffected by this issue: the firmware loader will increment the driver module's use count, ensuring that the module cannot be unloaded while the firmware callback is pending or running. Signed-off-by: Sven Van Asbroeck Reviewed-by: Robin Gong [vkoul: fixed braces for if condition] Signed-off-by: Vinod Koul commit 4c89cc73d1da42ae48b5c5dfbfd12304d0b86786 Author: Dan Carpenter Date: Mon Jun 24 16:49:40 2019 +0300 dmaengine: jz4780: Fix an endian bug in IRQ handler The "pending" variable was a u32 but we cast it to an unsigned long pointer when we do the for_each_set_bit() loop. The problem is that on big endian 64bit systems that results in an out of bounds read. Fixes: 4e4106f5e942 ("dmaengine: jz4780: Fix transfers being ACKed too soon") Signed-off-by: Dan Carpenter Signed-off-by: Vinod Koul commit 3f9c4dc63309286a6513a86aac35ffc445cb9d1a Merge: ee39d46dcaf8 a0b2cf792ac9 Author: Linus Torvalds Date: Fri Jul 5 14:10:30 2019 +0900 Merge tag 'drm-fixes-2019-07-05-1' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "I skipped last week because there wasn't much worth doing, this week got a few more fixes in. amdgpu: - default register value change - runpm regression fix - fan control fix i915: - fix Ironlake regression panfrost: - fix a double free virtio: - fix a locking bug imx: - crtc disable fixes" * tag 'drm-fixes-2019-07-05-1' of git://anongit.freedesktop.org/drm/drm: drm/imx: only send event on crtc disable if kept disabled drm/imx: notify drm core before sending event during crtc disable drm/i915/ringbuffer: EMIT_INVALIDATE *before* switch context drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE drm/amdgpu: Don't skip display settings in hwmgr_resume() drm/amd/powerplay: use hardware fan control if no powerplay fan table drm/panfrost: Fix a double-free error drm/etnaviv: add missing failure path to destroy suballoc drm/virtio: move drm_connector_update_edid_property() call commit a0b2cf792ac9db7bb73e599e516adfb9dca8e60b Merge: b5252bdf099a 5aeab2bfc9ff Author: Dave Airlie Date: Fri Jul 5 12:54:48 2019 +1000 Merge tag 'imx-drm-fixes-2019-07-04' of git://git.pengutronix.de/git/pza/linux into drm-fixes drm/imx: fix stale vblank timestamp after a modeset This series fixes stale vblank timestamps in the first event sent after a crtc was disabled. The core now is notified via drm_crtc_vblank_off before sending the last pending event in atomic_disable. If the crtc is reenabled right away during to a modeset, the event is not sent at all, as the next vblank will take care of it. Signed-off-by: Dave Airlie From: Philipp Zabel Link: https://patchwork.freedesktop.org/patch/msgid/1562237119.6641.16.camel@pengutronix.de commit ee39d46dcaf8f25894f13236d3d984d9a4d2fd3e Merge: a5fff14a0c79 21d4120ec6f5 Author: Linus Torvalds Date: Fri Jul 5 13:31:19 2019 +0900 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes two memory leaks and a list corruption bug" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: user - prevent operating on larval algorithms crypto: cryptd - Fix skcipher instance memory leak lib/mpi: Fix karactx leak in mpi_powm commit a5fff14a0c7989fbc8316a43f52aed1804f02ddd Merge: ecbe5086adc2 875185309199 Author: Linus Torvalds Date: Fri Jul 5 11:39:56 2019 +0900 Merge branch 'akpm' (patches from Andrew) Merge more fixes from Andrew Morton: "5 fixes" * emailed patches from Andrew Morton : swap_readpage(): avoid blk_wake_io_task() if !synchronous devres: allow const resource arguments mm/vmscan.c: prevent useless kswapd loops fs/userfaultfd.c: disable irqs for fault_pending and event locks mm/page_alloc.c: fix regression with deferred struct page init commit ecbe5086adc2876b22c898987d8a20f932de87a9 Merge: cde357c392e9 2659dc8d225c Author: Linus Torvalds Date: Fri Jul 5 11:35:45 2019 +0900 Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Olof Johansson: "Likely our final small batch of fixes for 5.2: - Some fixes for USB on davinci, regressions were due to the recent conversion of the OCHI driver to use GPIO regulators - A fixup of kconfig dependencies for a TI irq controller - A switch of armada-38x to avoid dropped characters on uart, caused by switch of base inherited platform description earlier this year" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: ARM: davinci: da830-evm: fix GPIO lookup for OHCI ARM: davinci: omapl138-hawk: add missing regulator constraints for OHCI ARM: davinci: da830-evm: add missing regulator constraints for OHCI soc: ti: fix irq-ti-sci link error ARM: dts: armada-xp-98dx3236: Switch to armada-38x-uart serial node commit cde357c392e93aa7fcfc019403e0d1792081d634 Merge: 2cd7cdc7e420 1571c029a2ff Author: Linus Torvalds Date: Fri Jul 5 11:32:11 2019 +0900 Merge tag 'dax-fix-5.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull dax fix from Dan Williams: "A single dax fix that has been soaking awaiting other fixes under discussion to join it. As it is getting late in the cycle lets proceed with this fix and save follow-on changes for post-v5.3-rc1. - Fix xarray entry association for mixed mappings" * tag 'dax-fix-5.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: dax: Fix xarray entry association for mixed mappings commit 2cd7cdc7e420a343743db781484e801fd784a1f1 Merge: c212ddaee2fd 570d7a98e7d6 Author: Linus Torvalds Date: Fri Jul 5 11:21:36 2019 +0900 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull do_move_mount() fix from Al Viro: "Regression fix" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: vfs: move_mount: reject moving kernel internal mounts commit 8751853091998cd31e9e5f1e8206280155af8921 Author: Oleg Nesterov Date: Thu Jul 4 15:14:49 2019 -0700 swap_readpage(): avoid blk_wake_io_task() if !synchronous swap_readpage() sets waiter = bio->bi_private even if synchronous = F, this means that the caller can get the spurious wakeup after return. This can be fatal if blk_wake_io_task() does set_current_state(TASK_RUNNING) after the caller does set_special_state(), in the worst case the kernel can crash in do_task_dead(). Link: http://lkml.kernel.org/r/20190704160301.GA5956@redhat.com Fixes: 0619317ff8baa2d ("block: add polled wakeup task helper") Signed-off-by: Oleg Nesterov Reported-by: Qian Cai Acked-by: Hugh Dickins Reviewed-by: Jens Axboe Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit eef778c99c0239ed0a0696ddf22ae3673f28a489 Author: Arnd Bergmann Date: Thu Jul 4 15:14:45 2019 -0700 devres: allow const resource arguments devm_ioremap_resource() does not currently take 'const' arguments, which results in a warning from the first driver trying to do it anyway: drivers/gpio/gpio-amd-fch.c: In function 'amd_fch_gpio_probe': drivers/gpio/gpio-amd-fch.c:171:49: error: passing argument 2 of 'devm_ioremap_resource' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] priv->base = devm_ioremap_resource(&pdev->dev, &amd_fch_gpio_iores); ^~~~~~~~~~~~~~~~~~~ Change the prototype to allow it, as there is no real reason not to. Link: http://lkml.kernel.org/r/20190628150049.1108048-1-arnd@arndb.de Fixes: 9bb2e0452508 ("gpio: amd: Make resource struct const") Signed-off-by: Arnd Bergmann Acked-by: Greg Kroah-Hartman Reviewed-by: Enrico Weigelt Reviewed-by: Andrew Morton Cc: Greg Kroah-Hartman Cc: Linus Walleij Cc: Arnd Bergmann Cc: "Rafael J. Wysocki" Cc: Ulf Hansson Cc: Andy Shevchenko Cc: Heikki Krogerus Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit dffcac2cb88e4ec5906235d64a83d802580b119e Author: Shakeel Butt Date: Thu Jul 4 15:14:42 2019 -0700 mm/vmscan.c: prevent useless kswapd loops In production we have noticed hard lockups on large machines running large jobs due to kswaps hoarding lru lock within isolate_lru_pages when sc->reclaim_idx is 0 which is a small zone. The lru was couple hundred GiBs and the condition (page_zonenum(page) > sc->reclaim_idx) in isolate_lru_pages() was basically skipping GiBs of pages while holding the LRU spinlock with interrupt disabled. On further inspection, it seems like there are two issues: (1) If kswapd on the return from balance_pgdat() could not sleep (i.e. node is still unbalanced), the classzone_idx is unintentionally set to 0 and the whole reclaim cycle of kswapd will try to reclaim only the lowest and smallest zone while traversing the whole memory. (2) Fundamentally isolate_lru_pages() is really bad when the allocation has woken kswapd for a smaller zone on a very large machine running very large jobs. It can hoard the LRU spinlock while skipping over 100s of GiBs of pages. This patch only fixes (1). (2) needs a more fundamental solution. To fix (1), in the kswapd context, if pgdat->kswapd_classzone_idx is invalid use the classzone_idx of the previous kswapd loop otherwise use the one the waker has requested. Link: http://lkml.kernel.org/r/20190701201847.251028-1-shakeelb@google.com Fixes: e716f2eb24de ("mm, vmscan: prevent kswapd sleeping prematurely due to mismatched classzone_idx") Signed-off-by: Shakeel Butt Reviewed-by: Yang Shi Acked-by: Mel Gorman Cc: Johannes Weiner Cc: Michal Hocko Cc: Vlastimil Babka Cc: Hillf Danton Cc: Roman Gushchin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cbcfa130a911c613a1d9d921af2eea171c414172 Author: Eric Biggers Date: Thu Jul 4 15:14:39 2019 -0700 fs/userfaultfd.c: disable irqs for fault_pending and event locks When IOCB_CMD_POLL is used on a userfaultfd, aio_poll() disables IRQs and takes kioctx::ctx_lock, then userfaultfd_ctx::fd_wqh.lock. This may have to wait for userfaultfd_ctx::fd_wqh.lock to be released by userfaultfd_ctx_read(), which in turn can be waiting for userfaultfd_ctx::fault_pending_wqh.lock or userfaultfd_ctx::event_wqh.lock. But elsewhere the fault_pending_wqh and event_wqh locks are taken with IRQs enabled. Since the IRQ handler may take kioctx::ctx_lock, lockdep reports that a deadlock is possible. Fix it by always disabling IRQs when taking the fault_pending_wqh and event_wqh locks. Commit ae62c16e105a ("userfaultfd: disable irqs when taking the waitqueue lock") didn't fix this because it only accounted for the fd_wqh lock, not the other locks nested inside it. Link: http://lkml.kernel.org/r/20190627075004.21259-1-ebiggers@kernel.org Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL") Signed-off-by: Eric Biggers Reported-by: syzbot+fab6de82892b6b9c6191@syzkaller.appspotmail.com Reported-by: syzbot+53c0b767f7ca0dc0c451@syzkaller.appspotmail.com Reported-by: syzbot+a3accb352f9c22041cfa@syzkaller.appspotmail.com Reviewed-by: Andrew Morton Cc: Christoph Hellwig Cc: Andrea Arcangeli Cc: [4.19+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit b9705d8778e7adc97de38f405f835a2426e14d84 Author: Juergen Gross Date: Thu Jul 4 15:14:36 2019 -0700 mm/page_alloc.c: fix regression with deferred struct page init Commit 0e56acae4b4d ("mm: initialize MAX_ORDER_NR_PAGES at a time instead of doing larger sections") is causing a regression on some systems when the kernel is booted as Xen dom0. The system will just hang in early boot. Reason is an endless loop in get_page_from_freelist() in case the first zone looked at has no free memory. deferred_grow_zone() is always returning true due to the following code snipplet: /* If the zone is empty somebody else may have cleared out the zone */ if (!deferred_init_mem_pfn_range_in_zone(&i, zone, &spfn, &epfn, first_deferred_pfn)) { pgdat->first_deferred_pfn = ULONG_MAX; pgdat_resize_unlock(pgdat, &flags); return true; } This in turn results in the loop as get_page_from_freelist() is assuming forward progress can be made by doing some more struct page initialization. Link: http://lkml.kernel.org/r/20190620160821.4210-1-jgross@suse.com Fixes: 0e56acae4b4d ("mm: initialize MAX_ORDER_NR_PAGES at a time instead of doing larger sections") Signed-off-by: Juergen Gross Suggested-by: Alexander Duyck Acked-by: Alexander Duyck Cc: Michal Hocko Cc: Pavel Tatashin Cc: Mike Rapoport Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit c212ddaee2fd21e8d756dbc3c6119e3259b38fd0 Merge: 6994eefb0053 3450121997ce Author: Linus Torvalds Date: Fri Jul 5 02:03:50 2019 +0900 Merge tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Here are a collection of small fixes for: - A race with ASoC HD-audio registration - LINE6 usb-audio memory overwrite by malformed descriptor - FireWire MIDI handling - Missing cast for bit shifts in a few USB-audio quirks - The wrong function calls in minor OSS sequencer code paths - A couple of HD-audio quirks" * tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: line6: Fix write on zero-sized buffer ALSA: hda: Fix widget_mutex incomplete protection ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages ALSA: seq: fix incorrect order of dest_client/dest_ports arguments ALSA: hda/realtek - Change front mic location for Lenovo M710q ALSA: usb-audio: fix sign unintended sign extension on left shifts ALSA: hda/realtek: Add quirks for several Clevo notebook barebones commit 6994eefb0053799d2e07cd140df6c2ea106c41ee Author: Jann Horn Date: Thu Jul 4 17:32:23 2019 +0200 ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME Fix two issues: When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference to the parent's objective credentials, then give that pointer to get_cred(). However, the object lifetime rules for things like struct cred do not permit unconditionally turning an RCU reference into a stable reference. PTRACE_TRACEME records the parent's credentials as if the parent was acting as the subject, but that's not the case. If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship, which can be abused to ptrace a suid binary and obtain root privileges. Fix both of these by always recording the credentials of the process that is requesting the creation of the ptrace relationship: current_cred() can't change under us, and current is the proper subject for access control. This change is theoretically userspace-visible, but I am not aware of any code that it will actually break. Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP") Signed-off-by: Jann Horn Acked-by: Oleg Nesterov Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 5aeab2bfc9ffa72d3ca73416635cb3785dfc076f Author: Robert Beckett Date: Tue Jun 25 18:59:15 2019 +0100 drm/imx: only send event on crtc disable if kept disabled The event will be sent as part of the vblank enable during the modeset if the crtc is not being kept disabled. Fixes: 5f2f911578fb ("drm/imx: atomic phase 3 step 1: Use atomic configuration") Signed-off-by: Robert Beckett Reviewed-by: Daniel Vetter Signed-off-by: Philipp Zabel commit 78c68e8f5cd24bd32ba4ca1cdfb0c30cf0642685 Author: Robert Beckett Date: Tue Jun 25 18:59:13 2019 +0100 drm/imx: notify drm core before sending event during crtc disable Notify drm core before sending pending events during crtc disable. This fixes the first event after disable having an old stale timestamp by having drm_crtc_vblank_off update the timestamp to now. This was seen while debugging weston log message: Warning: computed repaint delay is insane: -8212 msec This occurred due to: 1. driver starts up 2. fbcon comes along and restores fbdev, enabling vblank 3. vblank_disable_fn fires via timer disabling vblank, keeping vblank seq number and time set at current value (some time later) 4. weston starts and does a modeset 5. atomic commit disables crtc while it does the modeset 6. ipu_crtc_atomic_disable sends vblank with old seq number and time Fixes: a474478642d5 ("drm/imx: fix crtc vblank state regression") Signed-off-by: Robert Beckett Reviewed-by: Daniel Vetter Signed-off-by: Philipp Zabel commit 550d1f5bda33fa3b203d8cf8df1396825dbfd213 Merge: 179c96d9f715 074376ac0e1d Author: Linus Torvalds Date: Thu Jul 4 10:26:17 2019 +0900 Merge tag 'trace-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fixes from Steven Rostedt: "This includes three fixes: - Fix a deadlock from a previous fix to keep module loading and function tracing text modifications from stepping on each other (this has a few patches to help document the issue in comments) - Fix a crash when the snapshot buffer gets out of sync with the main ring buffer - Fix a memory leak when reading the memory logs" * tag 'trace-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare() tracing/snapshot: Resize spare buffer if size changed tracing: Fix memory leak in tracing_err_log_open() ftrace/x86: Add a comment to why we take text_mutex in ftrace_arch_code_modify_prepare() ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code() commit b5252bdf099a465e6b707e7cf11b7ef0b1e4cf09 Merge: a956c56b6ad3 be132e1375c1 Author: Dave Airlie Date: Thu Jul 4 11:19:23 2019 +1000 Merge branch 'etnaviv/fixes' of https://git.pengutronix.de/git/lst/linux into drm-fixes Fix a kernel nullptr deref on module unload when any etnaviv GPU failed to initialize properly. Signed-off-by: Dave Airlie From: Lucas Stach Link: https://patchwork.freedesktop.org/patch/msgid/1561974148.2321.1.camel@pengutronix.de commit a956c56b6ad3c2812cf6158eaa579c4f4012e7ab Merge: 5ee5d30a814d 2f040d27080d Author: Dave Airlie Date: Thu Jul 4 11:17:44 2019 +1000 Merge tag 'drm-misc-fixes-2019-07-03' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes panfrost- Avoid double free by deleting GEM handle in create_bo failure path (Boris) Cc: Boris Brezillon Signed-off-by: Dave Airlie From: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20190704001302.GA260390@art_vandelay commit 5ee5d30a814d1310276cc023df1cf503d4c8d10f Merge: c84c9029d782 25f09f858835 Author: Dave Airlie Date: Thu Jul 4 11:17:23 2019 +1000 Merge tag 'drm-fixes-5.2-2019-07-02' of git://people.freedesktop.org/~agd5f/linux into drm-fixes drm-fixes-5.2-2019-07-02: Fixes for stable amdgpu: - stability fix for gfx9 - regression fix for HG on some polaris boards - crash fix for some new OEM boards Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20190703015705.3162-1-alexander.deucher@amd.com commit 179c96d9f715a619811ded5dcbd35b1fee8caf69 Merge: eca94432934f fbbf145a0e0a Author: Linus Torvalds Date: Thu Jul 4 09:59:08 2019 +0900 Merge tag 'gpio-v5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fix from Linus Walleij: "A single fixup for the SPI CS gpios that regressed in the current kernel cycle" * tag 'gpio-v5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio/spi: Fix spi-gpio regression on active high CS commit 3b2d4dcf71c4a91b420f835e52ddea8192300a3b Author: Paul Menzel Date: Wed Jul 3 13:28:15 2019 +0200 nfsd: Fix overflow causing non-working mounts on 1 TB machines Since commit 10a68cdf10 (nfsd: fix performance-limiting session calculation) (Linux 5.1-rc1 and 4.19.31), shares from NFS servers with 1 TB of memory cannot be mounted anymore. The mount just hangs on the client. The gist of commit 10a68cdf10 is the change below. -avail = clamp_t(int, avail, slotsize, avail/3); +avail = clamp_t(int, avail, slotsize, total_avail/3); Here are the macros. #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <) #define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi) `total_avail` is 8,434,659,328 on the 1 TB machine. `clamp_t()` casts the values to `int`, which for 32-bit integers can only hold values −2,147,483,648 (−2^31) through 2,147,483,647 (2^31 − 1). `avail` (in the function signature) is just 65536, so that no overflow was happening. Before the commit the assignment would result in 21845, and `num = 4`. When using `total_avail`, it is causing the assignment to be 18446744072226137429 (printed as %lu), and `num` is then 4164608182. My next guess is, that `nfsd_drc_mem_used` is then exceeded, and the server thinks there is no memory available any more for this client. Updating the arguments of `clamp_t()` and `min_t()` to `unsigned long` fixes the issue. Now, `avail = 65536` (before commit 10a68cdf10 `avail = 21845`), but `num = 4` remains the same. Fixes: c54f24e338ed (nfsd: fix performance-limiting session calculation) Cc: stable@vger.kernel.org Signed-off-by: Paul Menzel Signed-off-by: J. Bruce Fields commit 21d4120ec6f5b5992b01b96ac484701163917b63 Author: Eric Biggers Date: Tue Jul 2 14:17:00 2019 -0700 crypto: user - prevent operating on larval algorithms Michal Suchanek reported [1] that running the pcrypt_aead01 test from LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg(). The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG. The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to unregister isn't a real registered algorithm, but rather is a "test larval", which is a special "algorithm" added to the algorithms list while the real algorithm is still being tested. Larvals don't have initialized cra_users, so that causes the crash. Normally pcrypt_aead01 doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted. Everything else in the "crypto user configuration" API has this same bug too, i.e. it inappropriately allows operating on larval algorithms (though it doesn't look like the other cases can cause a crash). Fix this by making crypto_alg_match() exclude larval algorithms. [1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de [2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c Reported-by: Michal Suchanek Fixes: a38f7907b926 ("crypto: Add userspace configuration API") Cc: # v3.2+ Cc: Steffen Klassert Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu commit 1a0fad630e0b7cff38e7691b28b0517cfbb0633f Author: Vincent Whitchurch Date: Tue Jul 2 09:53:25 2019 +0200 crypto: cryptd - Fix skcipher instance memory leak cryptd_skcipher_free() fails to free the struct skcipher_instance allocated in cryptd_create_skcipher(), leading to a memory leak. This is detected by kmemleak on bootup on ARM64 platforms: unreferenced object 0xffff80003377b180 (size 1024): comm "cryptomgr_probe", pid 822, jiffies 4294894830 (age 52.760s) backtrace: kmem_cache_alloc_trace+0x270/0x2d0 cryptd_create+0x990/0x124c cryptomgr_probe+0x5c/0x1e8 kthread+0x258/0x318 ret_from_fork+0x10/0x1c Fixes: 4e0958d19bd8 ("crypto: cryptd - Add support for skcipher") Cc: Signed-off-by: Vincent Whitchurch Signed-off-by: Herbert Xu commit c8ea9fce2baf7b643384f36f29e4194fa40d33a6 Author: Herbert Xu Date: Mon Jun 24 18:32:26 2019 +0800 lib/mpi: Fix karactx leak in mpi_powm Sometimes mpi_powm will leak karactx because a memory allocation failure causes a bail-out that skips the freeing of karactx. This patch moves the freeing of karactx to the end of the function like everything else so that it can't be skipped. Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files...") Cc: Signed-off-by: Herbert Xu Reviewed-by: Eric Biggers Signed-off-by: Herbert Xu commit eca94432934fe5f141d084f2e36ee2c0e614cc04 Author: Matias Karhumaa Date: Tue Jul 2 16:35:09 2019 +0200 Bluetooth: Fix faulty expression for minimum encryption key size check Fix minimum encryption key size check so that HCI_MIN_ENC_KEY_SIZE is also allowed as stated in the comment. This bug caused connection problems with devices having maximum encryption key size of 7 octets (56-bit). Fixes: 693cd8ce3f88 ("Bluetooth: Fix regression with minimum encryption key size alignment") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203997 Signed-off-by: Matias Karhumaa Cc: stable@vger.kernel.org Signed-off-by: Marcel Holtmann Signed-off-by: Linus Torvalds commit 6e692c3b721f30485a9124f93e27a0cb6569116c Merge: 8d68d9325522 5de254dca87a Author: Linus Torvalds Date: Wed Jul 3 16:06:36 2019 +0800 Merge tag '5.2-rc6-smb3-fix' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fix from Steve French: "SMB3 fix (for stable as well) for crash mishandling one of the Windows reparse point symlink tags" * tag '5.2-rc6-smb3-fix' of git://git.samba.org/sfrench/cifs-2.6: cifs: fix crash querying symlinks stored as reparse-points commit 8d68d93255227da660c63b9162f7001e2f5d470a Merge: 4b1fe9b58e9d 28dd29c06d0d Author: Linus Torvalds Date: Wed Jul 3 16:00:21 2019 +0800 Merge tag 'for-linus-20190701' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux Pull pidfd fork() fix from Christian Brauner: "A single small fix for copy_process() in kernel/fork.c: With Al's removal of ksys_close() from cleanup paths in copy_process() a bug was introduced. When anon_inode_getfile() failed the cleanup was correctly performed but the error code was not propagated to callers of copy_process() causing them to operate on a nonsensical pointer. The fix is a simple on-liner which makes sure that a proper negative error code is returned from copy_process(). syzkaller has also verified that the bug is not reproducible with this fix" * tag 'for-linus-20190701' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: fork: return proper negative error code commit 4b1fe9b58e9d20f23f6b07d1c2e0dbd921da67bf Merge: 6fbc7275c7a9 aa69fb62bea1 Author: Linus Torvalds Date: Wed Jul 3 15:57:30 2019 +0800 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: "Fix a build failure with the LLVM linker and a module allocation failure when KASLR is active: - Fix module allocation when running with KASLR enabled - Fix broken build due to bug in LLVM linker (ld.lld)" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly arm64: kaslr: keep modules inside module region when KASAN is enabled commit 2659dc8d225c956b91d8a8e4ef05d91b2e985c02 Merge: 521a503f5247 4f2fe6467707 Author: Olof Johansson Date: Tue Jul 2 15:13:20 2019 -0700 Merge tag 'davinci-fixes-for-v5.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci into arm/fixes This set of patches fixes regressions introduced in v5.2 kernel when DA8xx OHCI driver was converted over to use GPIO regulators. * tag 'davinci-fixes-for-v5.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci: ARM: davinci: da830-evm: fix GPIO lookup for OHCI ARM: davinci: omapl138-hawk: add missing regulator constraints for OHCI ARM: davinci: da830-evm: add missing regulator constraints for OHCI + Linux 5.2-rc7 Signed-off-by: Olof Johansson commit 5dd6c49339126c2c8df2179041373222362d6e49 Author: Maurizio Lombardi Date: Wed Jun 26 19:27:34 2019 +0200 scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported If the CHAP_A value is not supported, the chap_server_open() function should free the auth_protocol pointer and set it to NULL, or we will leave a dangling pointer around. [ 66.010905] Unsupported CHAP_A value [ 66.011660] Security negotiation failed. [ 66.012443] iSCSI Login negotiation failed. [ 68.413924] general protection fault: 0000 [#1] SMP PTI [ 68.414962] CPU: 0 PID: 1562 Comm: targetcli Kdump: loaded Not tainted 4.18.0-80.el8.x86_64 #1 [ 68.416589] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [ 68.417677] RIP: 0010:__kmalloc_track_caller+0xc2/0x210 Signed-off-by: Maurizio Lombardi Reviewed-by: Chris Leech Signed-off-by: Martin K. Petersen commit 5676234f20fef02f6ca9bd66c63a8860fce62645 Author: Roman Bolshakov Date: Tue Jul 2 22:16:38 2019 +0300 scsi: target/iblock: Fix overrun in WRITE SAME emulation WRITE SAME corrupts data on the block device behind iblock if the command is emulated. The emulation code issues (M - 1) * N times more bios than requested, where M is the number of 512 blocks per real block size and N is the NUMBER OF LOGICAL BLOCKS specified in WRITE SAME command. So, for a device with 4k blocks, 7 * N more LBAs gets written after the requested range. The issue happens because the number of 512 byte sectors to be written is decreased one by one while the real bios are typically from 1 to 8 512 byte sectors per bio. Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6") Cc: Signed-off-by: Roman Bolshakov Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit fbbf145a0e0a0177e089c52275fbfa55763e7d1d Author: Linus Walleij Date: Tue Jul 2 21:39:59 2019 +0200 gpio/spi: Fix spi-gpio regression on active high CS I ran into an intriguing bug caused by commit ""spi: gpio: Don't request CS GPIO in DT use-case" affecting all SPI GPIO devices with an active high chip select line. The commit switches the CS gpio handling over to the GPIO core, which will parse and handle "cs-gpios" from the OF node without even calling down to the driver to get the job done. However the GPIO core handles the standard bindings in Documentation/devicetree/bindings/spi/spi-controller.yaml that specifies that active high CS needs to be specified using "spi-cs-high" in the DT node. The code in drivers/spi/spi-gpio.c never respected this and never tried to inspect subnodes to see if they contained "spi-cs-high" like the gpiolib OF quirks does. Instead the only way to get an active high CS was to tag it in the device tree using the flags cell such as cs-gpios = <&gpio 4 GPIO_ACTIVE_HIGH>; This alters the quirks to not inspect the subnodes of SPI masters on "spi-gpio" for the standard attribute "spi-cs-high", making old device trees work as expected. This semantic is a bit ambigous, but just allowing the flags on the GPIO descriptor to modify polarity is what the kernel at large mostly uses so let's encourage that. Fixes: 249e2632dcd0 ("spi: gpio: Don't request CS GPIO in DT use-case") Cc: Andrey Smirnov Cc: linux-gpio@vger.kernel.org Cc: linux-spi@vger.kernel.org Signed-off-by: Linus Walleij commit 074376ac0e1d1fcd4fafebca86ee6158e7c20680 Author: Jiri Kosina Date: Sat Jun 29 23:22:33 2019 +0200 ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare() ftrace_arch_code_modify_prepare() is acquiring text_mutex, while the corresponding release is happening in ftrace_arch_code_modify_post_process(). This has already been documented in the code, but let's also make the fact that this is intentional clear to the semantic analysis tools such as sparse. Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1906292321170.27227@cbobk.fhfr.pm Fixes: 39611265edc1a ("ftrace/x86: Add a comment to why we take text_mutex in ftrace_arch_code_modify_prepare()") Fixes: d5b844a2cf507 ("ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()") Signed-off-by: Jiri Kosina Signed-off-by: Steven Rostedt (VMware) commit 3450121997ce872eb7f1248417225827ea249710 Author: Takashi Iwai Date: Tue Jul 2 20:07:21 2019 +0200 ALSA: line6: Fix write on zero-sized buffer LINE6 drivers allocate the buffers based on the value returned from usb_maxpacket() calls. The manipulated device may return zero for this, and this results in the kmalloc() with zero size (and it may succeed) while the other part of the driver code writes the packet data with the fixed size -- which eventually overwrites. This patch adds a simple sanity check for the invalid buffer size for avoiding that problem. Reported-by: syzbot+219f00fb49874dcaea17@syzkaller.appspotmail.com Cc: Signed-off-by: Takashi Iwai commit bb34e690e9340bc155ebed5a3d75fc63ff69e082 Author: Wanpeng Li Date: Tue Jul 2 17:25:02 2019 +0800 KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC Thomas reported that: | Background: | | In preparation of supporting IPI shorthands I changed the CPU offline | code to software disable the local APIC instead of just masking it. | That's done by clearing the APIC_SPIV_APIC_ENABLED bit in the APIC_SPIV | register. | | Failure: | | When the CPU comes back online the startup code triggers occasionally | the warning in apic_pending_intr_clear(). That complains that the IRRs | are not empty. | | The offending vector is the local APIC timer vector who's IRR bit is set | and stays set. | | It took me quite some time to reproduce the issue locally, but now I can | see what happens. | | It requires apicv_enabled=0, i.e. full apic emulation. With apicv_enabled=1 | (and hardware support) it behaves correctly. | | Here is the series of events: | | Guest CPU | | goes down | | native_cpu_disable() | | apic_soft_disable(); | | play_dead() | | .... | | startup() | | if (apic_enabled()) | apic_pending_intr_clear() <- Not taken | | enable APIC | | apic_pending_intr_clear() <- Triggers warning because IRR is stale | | When this happens then the deadline timer or the regular APIC timer - | happens with both, has fired shortly before the APIC is disabled, but the | interrupt was not serviced because the guest CPU was in an interrupt | disabled region at that point. | | The state of the timer vector ISR/IRR bits: | | ISR IRR | before apic_soft_disable() 0 1 | after apic_soft_disable() 0 1 | | On startup 0 1 | | Now one would assume that the IRR is cleared after the INIT reset, but this | happens only on CPU0. | | Why? | | Because our CPU0 hotplug is just for testing to make sure nothing breaks | and goes through an NMI wakeup vehicle because INIT would send it through | the boots-trap code which is not really working if that CPU was not | physically unplugged. | | Now looking at a real world APIC the situation in that case is: | | ISR IRR | before apic_soft_disable() 0 1 | after apic_soft_disable() 0 1 | | On startup 0 0 | | Why? | | Once the dying CPU reenables interrupts the pending interrupt gets | delivered as a spurious interupt and then the state is clear. | | While that CPU0 hotplug test case is surely an esoteric issue, the APIC | emulation is still wrong, Even if the play_dead() code would not enable | interrupts then the pending IRR bit would turn into an ISR .. interrupt | when the APIC is reenabled on startup. From SDM 10.4.7.2 Local APIC State After It Has Been Software Disabled * Pending interrupts in the IRR and ISR registers are held and require masking or handling by the CPU. In Thomas's testing, hardware cpu will not respect soft disable LAPIC when IRR has already been set or APICv posted-interrupt is in flight, so we can skip soft disable APIC checking when clearing IRR and set ISR, continue to respect soft disable APIC when attempting to set IRR. Reported-by: Rong Chen Reported-by: Feng Tang Reported-by: Thomas Gleixner Tested-by: Thomas Gleixner Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Thomas Gleixner Cc: Rong Chen Cc: Feng Tang Cc: stable@vger.kernel.org Signed-off-by: Wanpeng Li Signed-off-by: Paolo Bonzini commit 323d73a8ecad22bf3284f11112a7cce576ade6af Author: Liran Alon Date: Wed Jun 26 16:09:27 2019 +0300 KVM: nVMX: Change KVM_STATE_NESTED_EVMCS to signal vmcs12 is copied from eVMCS Currently KVM_STATE_NESTED_EVMCS is used to signal that eVMCS capability is enabled on vCPU. As indicated by vmx->nested.enlightened_vmcs_enabled. This is quite bizarre as userspace VMM should make sure to expose same vCPU with same CPUID values in both source and destination. In case vCPU is exposed with eVMCS support on CPUID, it is also expected to enable KVM_CAP_HYPERV_ENLIGHTENED_VMCS capability. Therefore, KVM_STATE_NESTED_EVMCS is redundant. KVM_STATE_NESTED_EVMCS is currently used on restore path (vmx_set_nested_state()) only to enable eVMCS capability in KVM and to signal need_vmcs12_sync such that on next VMEntry to guest nested_sync_from_vmcs12() will be called to sync vmcs12 content into eVMCS in guest memory. However, because restore nested-state is rare enough, we could have just modified vmx_set_nested_state() to always signal need_vmcs12_sync. From all the above, it seems that we could have just removed the usage of KVM_STATE_NESTED_EVMCS. However, in order to preserve backwards migration compatibility, we cannot do that. (vmx_get_nested_state() needs to signal flag when migrating from new kernel to old kernel). Returning KVM_STATE_NESTED_EVMCS when just vCPU have eVMCS enabled have a bad side-effect of userspace VMM having to send nested-state from source to destination as part of migration stream. Even if guest have never used eVMCS as it doesn't even run a nested hypervisor workload. This requires destination userspace VMM and KVM to support setting nested-state. Which make it more difficult to migrate from new host to older host. To avoid this, change KVM_STATE_NESTED_EVMCS to signal eVMCS is not only enabled but also active. i.e. Guest have made some eVMCS active via an enlightened VMEntry. i.e. vmcs12 is copied from eVMCS and therefore should be restored into eVMCS resident in memory (by copy_vmcs12_to_enlightened()). Reviewed-by: Vitaly Kuznetsov Reviewed-by: Maran Wilson Reviewed-by: Krish Sadhukhan Signed-off-by: Liran Alon Signed-off-by: Paolo Bonzini commit 65b712f1560abdd9ebec005e9bd17c21ecacc849 Author: Liran Alon Date: Tue Jun 25 14:26:42 2019 +0300 KVM: nVMX: Allow restore nested-state to enable eVMCS when vCPU in SMM As comment in code specifies, SMM temporarily disables VMX so we cannot be in guest mode, nor can VMLAUNCH/VMRESUME be pending. However, code currently assumes that these are the only flags that can be set on kvm_state->flags. This is not true as KVM_STATE_NESTED_EVMCS can also be set on this field to signal that eVMCS should be enabled. Therefore, fix code to check for guest-mode and pending VMLAUNCH/VMRESUME explicitly. Reviewed-by: Joao Martins Signed-off-by: Liran Alon Signed-off-by: Paolo Bonzini commit 3f16a5c318392cbb5a0c7a3d19dff8c8ef3c38ee Author: Paolo Bonzini Date: Wed Jun 26 14:16:13 2019 +0200 KVM: x86: degrade WARN to pr_warn_ratelimited This warning can be triggered easily by userspace, so it should certainly not cause a panic if panic_on_warn is set. Reported-by: syzbot+c03f30b4f4c46bdf8575@syzkaller.appspotmail.com Suggested-by: Alexander Potapenko Acked-by: Alexander Potapenko Signed-off-by: Paolo Bonzini commit 4f2fe646770774d02d52a514849c181c9e0970f6 Author: Bartosz Golaszewski Date: Tue Jun 25 17:16:12 2019 +0200 ARM: davinci: da830-evm: fix GPIO lookup for OHCI The fixed regulator driver doesn't specify any con_id for gpio lookup so it must be NULL in the table entry. Fixes: 274e4c336192 ("ARM: davinci: da830-evm: add a fixed regulator for ohci-da8xx") Cc: stable@vger.kernel.org Signed-off-by: Bartosz Golaszewski Signed-off-by: Sekhar Nori commit ed667776d6e652819f3f44d28cd79bdffac15141 Author: Bartosz Golaszewski Date: Tue Jun 25 18:49:15 2019 +0200 ARM: davinci: omapl138-hawk: add missing regulator constraints for OHCI We need to enable status changes for the fixed power supply for the USB controller. Fixes: 1d272894ec4f ("ARM: davinci: omapl138-hawk: add a fixed regulator for ohci-da8xx") Signed-off-by: Bartosz Golaszewski Signed-off-by: Sekhar Nori commit 018ad0523208ad86ec85d47ebb59abd91d3f0d8b Author: Bartosz Golaszewski Date: Tue Jun 25 18:49:14 2019 +0200 ARM: davinci: da830-evm: add missing regulator constraints for OHCI We need to enable status changes for the fixed power supply for the USB controller. Fixes: 274e4c336192 ("ARM: davinci: da830-evm: add a fixed regulator for ohci-da8xx") Signed-off-by: Bartosz Golaszewski Signed-off-by: Sekhar Nori commit c84c9029d782a3a0d2a7f0522ecb907314d43e2c Author: Chris Wilson Date: Fri Apr 19 12:17:47 2019 +0100 drm/i915/ringbuffer: EMIT_INVALIDATE *before* switch context Despite what I think the prm recommends, commit f2253bd9859b ("drm/i915/ringbuffer: EMIT_INVALIDATE after switch context") turned out to be a huge mistake when enabling Ironlake contexts as the GPU would hang on either a MI_FLUSH or PIPE_CONTROL immediately following the MI_SET_CONTEXT of an active mesa context (more vanilla contexts, e.g. simple rendercopies with igt, do not suffer). Ville found the following clue, "[DevCTG+]: For the invalidate operation of the pipe control, the following pointers are affected. The invalidate operation affects the restore of these packets. If the pipe control invalidate operation is completed before the context save, the indirect pointers will not be restored from memory. 1. Pipeline State Pointer 2. Media State Pointer 3. Constant Buffer Packet" which suggests by us emitting the INVALIDATE prior to the MI_SET_CONTEXT, we prevent the context-restore from chasing the dangling pointers within the image, and explains why this likely prevents the GPU hang. Signed-off-by: Chris Wilson Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20190419111749.3910-1-chris@chris-wilson.co.uk (cherry picked from commit 928f8f42310f244501a7c70daac82c196112c190 in drm-intel-next) Cc: stable@vger.kernel.org Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111014 Fixes: f2253bd9859b ("drm/i915/ringbuffer: EMIT_INVALIDATE after switch context") Signed-off-by: Daniel Vetter commit 521a503f5247de9a5cbc381f15c466a6c6f2793c Author: Arnd Bergmann Date: Mon Jun 17 15:01:05 2019 +0200 soc: ti: fix irq-ti-sci link error The irqchip driver depends on the SoC specific driver, but we want to be able to compile-test it elsewhere: WARNING: unmet direct dependencies detected for TI_SCI_INTA_MSI_DOMAIN Depends on [n]: SOC_TI [=n] Selected by [y]: - TI_SCI_INTA_IRQCHIP [=y] && TI_SCI_PROTOCOL [=y] drivers/irqchip/irq-ti-sci-inta.o: In function `ti_sci_inta_irq_domain_probe': irq-ti-sci-inta.c:(.text+0x204): undefined reference to `ti_sci_inta_msi_create_irq_domain' Rearrange the Kconfig and Makefile so we build the soc driver whenever its users are there, regardless of the SOC_TI option. Fixes: 49b323157bf1 ("soc: ti: Add MSI domain bus support for Interrupt Aggregator") Fixes: f011df6179bd ("irqchip/ti-sci-inta: Add msi domain support") Signed-off-by: Arnd Bergmann Reviewed-by: Lokesh Vutla Acked-by: Santosh Shilimkar Signed-off-by: Olof Johansson commit 180ae5095246402ed47d57568d8c31568c3c4f18 Merge: e73f65930f88 80031361747a Author: Olof Johansson Date: Mon Jul 1 15:14:09 2019 -0700 Merge tag 'mvebu-fixes-5.2-2' of git://git.infradead.org/linux-mvebu into arm/fixes mvebu fixes for 5.2 (part 2) Use the armada-38x-uart compatible strings for Armada XP 98dx3236 SoCs in order to not loose character anymore. * tag 'mvebu-fixes-5.2-2' of git://git.infradead.org/linux-mvebu: ARM: dts: armada-xp-98dx3236: Switch to armada-38x-uart serial node Signed-off-by: Olof Johansson commit 98482377dc7295d0c70e251925b7cc14aff4c5ac Author: Evan Green Date: Mon Jul 1 10:30:30 2019 -0700 ALSA: hda: Fix widget_mutex incomplete protection The widget_mutex was introduced to serialize callers to hda_widget_sysfs_{re}init. However, its protection of the sysfs widget array is incomplete. For example, it is acquired around the call to hda_widget_sysfs_reinit(), which actually creates the new array, but isn't still acquired when codec->num_nodes and codec->start_nid is updated. So the lock ensures one thread sets up the new array at a time, but doesn't ensure which thread's value will end up in codec->num_nodes. If a larger num_nodes wins but a smaller array was set up, the next call to refresh_widgets() will touch free memory as it iterates over codec->num_nodes that aren't there. The widget_lock really protects both the tree as well as codec->num_nodes, start_nid, and end_nid, so make sure it's held across that update. It should also be held during snd_hdac_get_sub_nodes(), so that a very old read from that function doesn't end up clobbering a later update. Fixes: ed180abba7f1 ("ALSA: hda: Fix race between creating and refreshing sysfs entries") Signed-off-by: Evan Green Signed-off-by: Takashi Iwai commit 25f09f858835b0e9a06213811031190a17d8ab78 Author: Alex Deucher Date: Mon Jul 1 08:38:12 2019 -0500 drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE Recommended by the hw team. Reviewed-and-Tested-by: Huang Rui Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 7fbd1753b64eafe21cf842348a40a691d0dee440 Author: Takashi Sakamoto Date: Mon Jul 1 23:43:53 2019 +0900 ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages In IEC 61883-6, 8 MIDI data streams are multiplexed into single MIDI conformant data channel. The index of stream is calculated by modulo 8 of the value of data block counter. In fireworks, the value of data block counter in CIP header has a quirk with firmware version v5.0.0, v5.7.3 and v5.8.0. This brings ALSA IEC 61883-1/6 packet streaming engine to miss detection of MIDI messages. This commit fixes the miss detection to modify the value of data block counter for the modulo calculation. For maintainers, this bug exists since a commit 18f5ed365d3f ("ALSA: fireworks/firewire-lib: add support for recent firmware quirk") in Linux kernel v4.2. There're many changes since the commit. This fix can be backported to Linux kernel v4.4 or later. I tagged a base commit to the backport for your convenience. Besides, my work for Linux kernel v5.3 brings heavy code refactoring and some structure members are renamed in 'sound/firewire/amdtp-stream.h'. The content of this patch brings conflict when merging -rc tree with this patch and the latest tree. I request maintainers to solve the conflict to replace 'tx_first_dbc' with 'ctx_data.tx.first_dbc'. Fixes: df075feefbd3 ("ALSA: firewire-lib: complete AM824 data block processing layer") Cc: # v4.4+ Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai commit 570d7a98e7d6d5d8706d94ffd2d40adeaa318332 Author: Eric Biggers Date: Sat Jun 29 13:27:44 2019 -0700 vfs: move_mount: reject moving kernel internal mounts sys_move_mount() crashes by dereferencing the pointer MNT_NS_INTERNAL, a.k.a. ERR_PTR(-EINVAL), if the old mount is specified by fd for a kernel object with an internal mount, such as a pipe or memfd. Fix it by checking for this case and returning -EINVAL. [AV: what we want is is_mounted(); use that instead of making the condition even more convoluted] Reproducer: #include #define __NR_move_mount 429 #define MOVE_MOUNT_F_EMPTY_PATH 0x00000004 int main() { int fds[2]; pipe(fds); syscall(__NR_move_mount, fds[0], "", -1, "/", MOVE_MOUNT_F_EMPTY_PATH); } Reported-by: syzbot+6004acbaa1893ad013f0@syzkaller.appspotmail.com Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") Signed-off-by: Eric Biggers Signed-off-by: Al Viro commit 28dd29c06d0dede4b32b2c559cff21955a830928 Author: Christian Brauner Date: Mon Jul 1 16:01:46 2019 +0200 fork: return proper negative error code Make sure to return a proper negative error code from copy_process() when anon_inode_getfile() fails with CLONE_PIDFD. Otherwise _do_fork() will not detect an error and get_task_pid() will operator on a nonsensical pointer: R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c R13: 00007ffc15fbb0ff R14: 00007ff07e47e9c0 R15: 0000000000000000 kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 7990 Comm: syz-executor290 Not tainted 5.2.0-rc6+ #9 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__read_once_size include/linux/compiler.h:194 [inline] RIP: 0010:get_task_pid+0xe1/0x210 kernel/pid.c:372 Code: 89 ff e8 62 27 5f 00 49 8b 07 44 89 f1 4c 8d bc c8 90 01 00 00 eb 0c e8 0d fe 25 00 49 81 c7 38 05 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 18 00 74 08 4c 89 ff e8 31 27 5f 00 4d 8b 37 e8 f9 47 12 00 RSP: 0018:ffff88808a4a7d78 EFLAGS: 00010203 RAX: 00000000000000a7 RBX: dffffc0000000000 RCX: ffff888088180600 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88808a4a7d90 R08: ffffffff814fb3a8 R09: ffffed1015d66bf8 R10: ffffed1015d66bf8 R11: 1ffff11015d66bf7 R12: 0000000000041ffc R13: 1ffff11011494fbc R14: 0000000000000000 R15: 000000000000053d FS: 00007ff07e47e700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b5100 CR3: 0000000094df2000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: _do_fork+0x1b9/0x5f0 kernel/fork.c:2360 __do_sys_clone kernel/fork.c:2454 [inline] __se_sys_clone kernel/fork.c:2448 [inline] __x64_sys_clone+0xc1/0xd0 kernel/fork.c:2448 do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe Link: https://lore.kernel.org/lkml/000000000000e0dc0d058c9e7142@google.com Reported-and-tested-by: syzbot+002e636502bc4b64eb5c@syzkaller.appspotmail.com Fixes: 6fd2fe494b17 ("copy_process(): don't use ksys_close() on cleanups") Cc: Jann Horn Cc: Al Viro Signed-off-by: Christian Brauner commit 688f3d1ebedffa310b6591bd1b63fa0770d945fe Author: Lyude Paul Date: Thu Jun 20 19:21:26 2019 -0400 drm/amdgpu: Don't skip display settings in hwmgr_resume() I'm not entirely sure why this is, but for some reason: 921935dc6404 ("drm/amd/powerplay: enforce display related settings only on needed") Breaks runtime PM resume on the Radeon PRO WX 3100 (Lexa) in one the pre-production laptops I have. The issue manifests as the following messages in dmesg: [drm] UVD and UVD ENC initialized successfully. amdgpu 0000:3b:00.0: [drm:amdgpu_ring_test_helper [amdgpu]] *ERROR* ring vce1 test failed (-110) [drm:amdgpu_device_ip_resume_phase2 [amdgpu]] *ERROR* resume of IP block failed -110 [drm:amdgpu_device_resume [amdgpu]] *ERROR* amdgpu_device_ip_resume failed (-110). And happens after about 6-10 runtime PM suspend/resume cycles (sometimes sooner, if you're lucky!). Unfortunately I can't seem to pin down precisely which part in psm_adjust_power_state_dynamic that is causing the issue, but not skipping the display setting setup seems to fix it. Hopefully if there is a better fix for this, this patch will spark discussion around it. Fixes: 921935dc6404 ("drm/amd/powerplay: enforce display related settings only on needed") Cc: Evan Quan Cc: Alex Deucher Cc: Huang Rui Cc: Rex Zhu Cc: Likun Gao Cc: # v5.1+ Signed-off-by: Lyude Paul Signed-off-by: Alex Deucher commit f78c581e22d4b33359ac3462e8d0504735df01f4 Author: Evan Quan Date: Thu Jun 27 11:01:04 2019 +0800 drm/amd/powerplay: use hardware fan control if no powerplay fan table Otherwise, you may get divided-by-zero error or corrput the SMU fan control feature. Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Tested-by: Slava Abramov Acked-by: Slava Abramov Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit c403ec33b613a15d9fd8dde37f246b79cd56b5df Author: Paul Cercueil Date: Sat Jun 29 03:22:48 2019 +0200 mtd: rawnand: ingenic: Fix ingenic_ecc dependency If MTD_NAND_JZ4780 is y and MTD_NAND_JZ4780_BCH is m, which select CONFIG_MTD_NAND_INGENIC_ECC to m, building fails: drivers/mtd/nand/raw/ingenic/ingenic_nand.o: In function `ingenic_nand_remove': ingenic_nand.c:(.text+0x177): undefined reference to `ingenic_ecc_release' drivers/mtd/nand/raw/ingenic/ingenic_nand.o: In function `ingenic_nand_ecc_correct': ingenic_nand.c:(.text+0x2ee): undefined reference to `ingenic_ecc_correct' To fix that, the ingenic_nand and ingenic_ecc modules have been fused into one single module. - The ingenic_ecc.c code is now compiled in only if $(CONFIG_MTD_NAND_INGENIC_ECC) is set. This is now a boolean instead of tristate. - To avoid changing the module name, the ingenic_nand.c file is moved to ingenic_nand_drv.c. Then the module name is still ingenic_nand. - Since ingenic_ecc.c is no more a module, the module-specific macros have been dropped, and the functions are no more exported for use by the ingenic_nand driver. Fixes: 15de8c6efd0e ("mtd: rawnand: ingenic: Separate top-level and SoC specific code") Signed-off-by: Paul Cercueil Reported-by: Arnd Bergmann Reported-by: Hulk Robot Cc: YueHaibing Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal commit a126483e82957172b8a93ebb1d30fb2b1df3cbbc Author: Frieder Schrempf Date: Thu Jun 6 17:07:55 2019 +0000 mtd: spinand: Fix max_bad_eraseblocks_per_lun info in memorg The 1Gb Macronix chip can have a maximum of 20 bad blocks, while the 2Gb version has twice as many blocks and therefore the maximum number of bad blocks is 40. The 4Gb GigaDevice GD5F4GQ4xA has twice as many blocks as its 2Gb counterpart and therefore a maximum of 80 bad blocks. Fixes: 377e517b5fa5 ("mtd: nand: Add max_bad_eraseblocks_per_lun info to memorg") Reported-by: Emil Lenngren Signed-off-by: Frieder Schrempf Signed-off-by: Miquel Raynal commit 6fbc7275c7a9ba97877050335f290341a1fd8dbf Author: Linus Torvalds Date: Sun Jun 30 11:25:36 2019 +0800 Linux 5.2-rc7 commit 39132f746eceed6beecb16c7b79600fb54eb8b2b Merge: 7c15f41e8743 e13e7cd4c0c1 Author: Linus Torvalds Date: Sun Jun 30 11:20:52 2019 +0800 Merge tag 'powerpc-5.2-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fix from Michael Ellerman: "One fix for a regression in my commit adding KUAP (Kernel User Access Prevention) on Radix, which incorrectly touched the AMR in the early machine check handler. Thanks to Nicholas Piggin" * tag 'powerpc-5.2-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/64s/exception: Fix machine check early corrupting AMR commit 7c15f41e8743df676f6cb0615e74e8ba30994d6a Merge: 728254541ebc 33d4a5a7a5b4 Author: Linus Torvalds Date: Sun Jun 30 11:19:17 2019 +0800 Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull SMP fixes from Thomas Gleixner: "Two small changes for the cpu hotplug code: - Prevent out of bounds access which actually might crash the machine caused by a missing bounds check in the fail injection code - Warn about unsupported migitation mode command line arguments to make people aware that they typoed the paramater. Not necessarily a fix but quite some people tripped over that" * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: cpu/hotplug: Fix out-of-bounds read when setting fail state cpu/speculation: Warn on unsupported mitigations= parameter commit 728254541ebcc7fee869c3c4c3f36f96be791edb Merge: 57103eb7c6ca ae6a45a08689 Author: Linus Torvalds Date: Sat Jun 29 19:42:30 2019 +0800 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: "Misc fixes all over the place: - might_sleep() atomicity fix in the microcode loader - resctrl boundary condition fix - APIC arithmethics bug fix for frequencies >= 4.2 GHz - three 5-level paging crash fixes - two speculation fixes - a perf/stacktrace fix" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/unwind/orc: Fall back to using frame pointers for generated code perf/x86: Always store regs->ip in perf_callchain_kernel() x86/speculation: Allow guests to use SSBD even if host does not x86/mm: Handle physical-virtual alignment mismatch in phys_p4d_init() x86/boot/64: Add missing fixup_pointer() for next_early_pgt access x86/boot/64: Fix crash if kernel image crosses page table boundary x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz x86/resctrl: Prevent possible overrun during bitmap operations x86/microcode: Fix the microcode load on CPU hotplug for real commit 57103eb7c6cad04c0611b7a5767a381b34b8b0ab Merge: eed7d30e126d 8b12b812f536 Author: Linus Torvalds Date: Sat Jun 29 19:39:17 2019 +0800 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "Various fixes, most of them related to bugs perf fuzzing found in the x86 code" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/regs: Use PERF_REG_EXTENDED_MASK perf/x86: Remove pmu->pebs_no_xmm_regs perf/x86: Clean up PEBS_XMM_REGS perf/x86/regs: Check reserved bits perf/x86: Disable extended registers for non-supported PMUs perf/ioctl: Add check for the sample_period value perf/core: Fix perf_sample_regs_user() mm check commit eed7d30e126dc5b883b77f3e26bbca6c5b0f4222 Merge: a7211bc9f3d5 a52548dd0491 Author: Linus Torvalds Date: Sat Jun 29 19:36:53 2019 +0800 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Ingo Molnar: "Diverse irqchip driver fixes" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/gic-v3-its: Fix command queue pointer comparison bug irqchip/mips-gic: Use the correct local interrupt map registers irqchip/ti-sci-inta: Fix kernel crash if irq_create_fwspec_mapping fail irqchip/irq-csky-mpintc: Support auto irq deliver to all cpus commit a7211bc9f3d50d77efe77c332b269458a94fcfd2 Merge: 2407e486066b 48c7d73b2362 Author: Linus Torvalds Date: Sat Jun 29 19:32:09 2019 +0800 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Ingo Molnar: "Four fixes: - fix a kexec crash on arm64 - fix a reboot crash on some Android platforms - future-proof the code for upcoming ACPI 6.2 changes - fix a build warning on x86" * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: efibc: Replace variable set function in notifier call x86/efi: fix a -Wtype-limits compilation warning efi/bgrt: Drop BGRT status field reserved bits check efi/memreserve: deal with memreserve entries in unmapped memory commit 2407e486066b8ce00dabd7e2b3a2cbcc59ea6186 Merge: 01305db842e1 471a739a47aa Author: Linus Torvalds Date: Sat Jun 29 19:29:45 2019 +0800 Merge tag 'pm-5.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "Avoid skipping bus-level PCI power management during system resume for PCIe ports left in D0 during the preceding suspend transition on platforms where the power states of those ports can change out of the PCI layer's control" * tag 'pm-5.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PCI: PM: Avoid skipping bus-level PM on platforms without ACPI commit 01305db842e1e637944090a3de7e4259c4a3a029 Merge: 0839c537628d 12fd2aee6db7 Author: Linus Torvalds Date: Sat Jun 29 17:14:57 2019 +0800 Merge tag 'xarray-5.2-rc6' of git://git.infradead.org/users/willy/linux-dax Pull XArray fixes from Matthew Wilcox: - Account XArray nodes for the page cache to the appropriate cgroup (Johannes Weiner) - Fix idr_get_next() when called under the RCU lock (Matthew Wilcox) - Add a test for xa_insert() (Matthew Wilcox) * tag 'xarray-5.2-rc6' of git://git.infradead.org/users/willy/linux-dax: XArray tests: Add check_insert idr: Fix idr_get_next race with idr_remove mm: fix page cache convergence regression commit 0839c537628df5a3b713d0f619b2dcc8469f08c0 Merge: f8b5c7222761 8f9fab480c7a Author: Linus Torvalds Date: Sat Jun 29 17:11:01 2019 +0800 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "15 fixes" * emailed patches from Andrew Morton : linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL mm, swap: fix THP swap out fork,memcg: alloc_thread_stack_node needs to set tsk->stack MAINTAINERS: add CLANG/LLVM BUILD SUPPORT info mm/vmalloc.c: avoid bogus -Wmaybe-uninitialized warning mm/page_idle.c: fix oops because end_pfn is larger than max_pfn initramfs: fix populate_initrd_image() section mismatch mm/oom_kill.c: fix uninitialized oc->constraint mm: hugetlb: soft-offline: dissolve_free_huge_page() return zero on !PageHuge mm: soft-offline: return -EBUSY if set_hwpoison_free_buddy_page() fails signal: remove the wrong signal_pending() check in restore_user_sigmask() fs/binfmt_flat.c: make load_flat_shared_library() work mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask fs/proc/array.c: allow reporting eip/esp for all coredumping threads mm/dev_pfn: exclude MEMORY_DEVICE_PRIVATE while computing virtual address commit f8b5c72227618780f49e53fb77b0e7ddb2996552 Merge: c57582adfda3 ec9b4feb1e41 Author: Linus Torvalds Date: Sat Jun 29 17:05:58 2019 +0800 Merge tag 'arc-5.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc Pull ARC fixes from Vineet Gupta: - hsdk platform unifying apertures - build system CROSS_COMPILE prefix * tag 'arc-5.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc: ARC: [plat-hsdk]: unify memory apertures configuration ARC: build: Try to guess CROSS_COMPILE with cc-cross-prefix commit c57582adfda3e7026796fbde81e951ea72edbb66 Merge: c949c30b2640 0db7f5cd4aeb Author: Linus Torvalds Date: Sat Jun 29 17:04:21 2019 +0800 Merge tag 'riscv-for-v5.2/fixes-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Paul Walmsley: "Minor RISC-V fixes and one defconfig update. The fixes have no functional impact: - Fix some comment text in the memory management vmalloc_fault path. - Fix some warnings from the DT compiler in our newly-added DT files. - Change the newly-added DT bindings such that SoC IP blocks with external I/O are marked as "disabled" by default, then enable them explicitly in board DT files when the devices are used on the board. This aligns the bindings with existing upstream practice. - Add the MIT license as an option for a minor header file, at the request of one of the U-Boot maintainers. The RISC-V defconfig update builds the SiFive SPI driver and the MMC-SPI driver by default. The intention here is to make v5.2 more usable for testers and users with RISC-V hardware" * tag 'riscv-for-v5.2/fixes-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: mm: Fix code comment dt-bindings: clock: sifive: add MIT license as an option for the header file dt-bindings: riscv: resolve 'make dt_binding_check' warnings riscv: dts: Re-organize the DT nodes RISC-V: defconfig: enable MMC & SPI for RISC-V commit c949c30b2640e52b580e1a230e3561d1662195ba Merge: 43251dbd6ac2 68f461593f76 Author: Linus Torvalds Date: Sat Jun 29 17:02:22 2019 +0800 Merge tag 'nfs-for-5.2-4' of git://git.linux-nfs.org/projects/anna/linux-nfs Pull two more NFS client fixes from Anna Schumaker: "These are both stable fixes. One to calculate the correct client message length in the case of partial transmissions. And the other to set the proper TCP timeout for flexfiles" * tag 'nfs-for-5.2-4' of git://git.linux-nfs.org/projects/anna/linux-nfs: NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O SUNRPC: Fix up calculation of client message length commit 43251dbd6ac278a8bdaaee43ec5e299c1a5dafdd Merge: 5b607ba862f3 d6b8bd679c9c Author: Linus Torvalds Date: Sat Jun 29 17:01:02 2019 +0800 Merge tag 'ceph-for-5.2-rc7' of git://github.com/ceph/ceph-client Pull ceph fix from Ilya Dryomov: "A small fix for a potential -rc1 regression from Jeff" * tag 'ceph-for-5.2-rc7' of git://github.com/ceph/ceph-client: ceph: fix ceph_mdsc_build_path to not stop on first component commit 5b607ba862f30364aef0b0d40cab8afccf339616 Merge: 9dda12b6fa0e 240b4cc8fd5d Author: Linus Torvalds Date: Sat Jun 29 16:59:45 2019 +0800 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fix from James Bottomley: "One simple fix for a driver use after free" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() commit 9dda12b6fa0eba6b1fd32399b599d05765893dae Merge: 061913712d6a e6feaf215f07 Author: Linus Torvalds Date: Sat Jun 29 16:58:35 2019 +0800 Merge tag 'for-linus-20190628' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Just two small fixes. One from Paolo, fixing a silly mistake in BFQ. The other one is from me, ensuring that we have ->file cleared in the io_uring request a bit earlier. That avoids a use-before-free, if we encounter an error before ->file is assigned" * tag 'for-linus-20190628' of git://git.kernel.dk/linux-block: block, bfq: fix operator in BFQQ_TOTALLY_SEEKY io_uring: ensure req->file is cleared on allocation commit 061913712d6ab77c77192584912afdbd8267c54c Merge: 556e2f6020bf 9d957a959bc8 Author: Linus Torvalds Date: Sat Jun 29 16:51:10 2019 +0800 Merge tag 'pinctrl-v5.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Sorry to bomb in fixes this late. Maybe I can comfort you by saying it is only driver fixes, and mostly IRQ handling which is something GPIO and pin control drivers never get right. You think it works and then it doesn't. Summary: - Fix IRQ setup in the MCP23s08. - Fix pin setup on pins > 31 in the Ocelot driver. - Fix IRQs in the Mediatek driver" * tag 'pinctrl-v5.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: mediatek: Update cur_mask in mask/mask ops pinctrl: mediatek: Ignore interrupts that are wake only during resume pinctrl: ocelot: fix pinmuxing for pins after 31 pinctrl: ocelot: fix gpio direction for pins after 31 pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order commit 8f9fab480c7a87b10bb5440b5555f370272a5d59 Author: Vinod Koul Date: Fri Jun 28 12:07:21 2019 -0700 linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL DIV_ROUND_UP_ULL adds the two arguments and then invokes DIV_ROUND_DOWN_ULL. But on a 32bit system the addition of two 32 bit values can overflow. DIV_ROUND_DOWN_ULL does it correctly and stashes the addition into a unsigned long long so cast the result to unsigned long long here to avoid the overflow condition. [akpm@linux-foundation.org: DIV_ROUND_UP_ULL must be an rval] Link: http://lkml.kernel.org/r/20190625100518.30753-1-vkoul@kernel.org Signed-off-by: Vinod Koul Reviewed-by: Andrew Morton Cc: Bjorn Andersson Cc: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 1a5f439c7c02837d943e528d46501564d4226757 Author: Huang Ying Date: Fri Jun 28 12:07:18 2019 -0700 mm, swap: fix THP swap out 0-Day test system reported some OOM regressions for several THP (Transparent Huge Page) swap test cases. These regressions are bisected to 6861428921b5 ("block: always define BIO_MAX_PAGES as 256"). In the commit, BIO_MAX_PAGES is set to 256 even when THP swap is enabled. So the bio_alloc(gfp_flags, 512) in get_swap_bio() may fail when swapping out THP. That causes the OOM. As in the patch description of 6861428921b5 ("block: always define BIO_MAX_PAGES as 256"), THP swap should use multi-page bvec to write THP to swap space. So the issue is fixed via doing that in get_swap_bio(). BTW: I remember I have checked the THP swap code when 6861428921b5 ("block: always define BIO_MAX_PAGES as 256") was merged, and thought the THP swap code needn't to be changed. But apparently, I was wrong. I should have done this at that time. Link: http://lkml.kernel.org/r/20190624075515.31040-1-ying.huang@intel.com Fixes: 6861428921b5 ("block: always define BIO_MAX_PAGES as 256") Signed-off-by: "Huang, Ying" Reviewed-by: Ming Lei Cc: Michal Hocko Cc: Johannes Weiner Cc: Hugh Dickins Cc: Minchan Kim Cc: Rik van Riel Cc: Daniel Jordan Cc: Jens Axboe Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 1bf4580e00a248a2c86269125390eb3648e1877c Author: Andrea Arcangeli Date: Fri Jun 28 12:07:14 2019 -0700 fork,memcg: alloc_thread_stack_node needs to set tsk->stack Commit 5eed6f1dff87 ("fork,memcg: fix crash in free_thread_stack on memcg charge fail") corrected two instances, but there was a third instance of this bug. Without setting tsk->stack, if memcg_charge_kernel_stack fails, it'll execute free_thread_stack() on a dangling pointer. Enterprise kernels are compiled with VMAP_STACK=y so this isn't critical, but custom VMAP_STACK=n builds should have some performance advantage, with the drawback of risking to fail fork because compaction didn't succeed. So as long as VMAP_STACK=n is a supported option it's worth fixing it upstream. Link: http://lkml.kernel.org/r/20190619011450.28048-1-aarcange@redhat.com Fixes: 9b6f7e163cd0 ("mm: rework memcg kernel stack accounting") Signed-off-by: Andrea Arcangeli Reviewed-by: Rik van Riel Acked-by: Roman Gushchin Acked-by: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8708e13c6a0600625eea3aebd027c0715a5d2bb2 Author: Nick Desaulniers Date: Fri Jun 28 12:07:12 2019 -0700 MAINTAINERS: add CLANG/LLVM BUILD SUPPORT info Add keyword support so that our mailing list gets cc'ed for clang/llvm patches. We're pretty active on our mailing list so far as code review. There are numerous Googlers like myself that are paid to support building the Linux kernel with Clang and LLVM. Link: http://lkml.kernel.org/r/20190620001907.255803-1-ndesaulniers@google.com Signed-off-by: Nick Desaulniers Reviewed-by: Nathan Chancellor Cc: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 2c9292336a09f7bf019689580ceea9a2d116b999 Author: Arnd Bergmann Date: Fri Jun 28 12:07:09 2019 -0700 mm/vmalloc.c: avoid bogus -Wmaybe-uninitialized warning gcc gets confused in pcpu_get_vm_areas() because there are too many branches that affect whether 'lva' was initialized before it gets used: mm/vmalloc.c: In function 'pcpu_get_vm_areas': mm/vmalloc.c:991:4: error: 'lva' may be used uninitialized in this function [-Werror=maybe-uninitialized] insert_vmap_area_augment(lva, &va->rb_node, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ &free_vmap_area_root, &free_vmap_area_list); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/vmalloc.c:916:20: note: 'lva' was declared here struct vmap_area *lva; ^~~ Add an intialization to NULL, and check whether this has changed before the first use. [akpm@linux-foundation.org: tweak comments] Link: http://lkml.kernel.org/r/20190618092650.2943749-1-arnd@arndb.de Fixes: 68ad4a330433 ("mm/vmalloc.c: keep track of free blocks for vmap allocation") Signed-off-by: Arnd Bergmann Reviewed-by: Uladzislau Rezki (Sony) Cc: Joel Fernandes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 7298e3b0a149c91323b3205d325e942c3b3b9ef6 Author: Colin Ian King Date: Fri Jun 28 12:07:05 2019 -0700 mm/page_idle.c: fix oops because end_pfn is larger than max_pfn Currently the calcuation of end_pfn can round up the pfn number to more than the actual maximum number of pfns, causing an Oops. Fix this by ensuring end_pfn is never more than max_pfn. This can be easily triggered when on systems where the end_pfn gets rounded up to more than max_pfn using the idle-page stress-ng stress test: sudo stress-ng --idle-page 0 BUG: unable to handle kernel paging request at 00000000000020d8 #PF error: [normal kernel read fault] PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 1 PID: 11039 Comm: stress-ng-idle- Not tainted 5.0.0-5-generic #6-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 RIP: 0010:page_idle_get_page+0xc8/0x1a0 Code: 0f b1 0a 75 7d 48 8b 03 48 89 c2 48 c1 e8 33 83 e0 07 48 c1 ea 36 48 8d 0c 40 4c 8d 24 88 49 c1 e4 07 4c 03 24 d5 00 89 c3 be <49> 8b 44 24 58 48 8d b8 80 a1 02 00 e8 07 d5 77 00 48 8b 53 08 48 RSP: 0018:ffffafd7c672fde8 EFLAGS: 00010202 RAX: 0000000000000005 RBX: ffffe36341fff700 RCX: 000000000000000f RDX: 0000000000000284 RSI: 0000000000000275 RDI: 0000000001fff700 RBP: ffffafd7c672fe00 R08: ffffa0bc34056410 R09: 0000000000000276 R10: ffffa0bc754e9b40 R11: ffffa0bc330f6400 R12: 0000000000002080 R13: ffffe36341fff700 R14: 0000000000080000 R15: ffffa0bc330f6400 FS: 00007f0ec1ea5740(0000) GS:ffffa0bc7db00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000020d8 CR3: 0000000077d68000 CR4: 00000000000006e0 Call Trace: page_idle_bitmap_write+0x8c/0x140 sysfs_kf_bin_write+0x5c/0x70 kernfs_fop_write+0x12e/0x1b0 __vfs_write+0x1b/0x40 vfs_write+0xab/0x1b0 ksys_write+0x55/0xc0 __x64_sys_write+0x1a/0x20 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Link: http://lkml.kernel.org/r/20190618124352.28307-1-colin.king@canonical.com Fixes: 33c3fc71c8cf ("mm: introduce idle page tracking") Signed-off-by: Colin Ian King Reviewed-by: Andrew Morton Acked-by: Vladimir Davydov Cc: Michal Hocko Cc: Mike Rapoport Cc: Mel Gorman Cc: Stephen Rothwell Cc: Andrey Ryabinin Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 4ada1e810038e9dbc20e40b524e05ee1a9d31f98 Author: Geert Uytterhoeven Date: Fri Jun 28 12:07:03 2019 -0700 initramfs: fix populate_initrd_image() section mismatch With gcc-4.6.3: WARNING: vmlinux.o(.text.unlikely+0x140): Section mismatch in reference from the function populate_initrd_image() to the variable .init.ramfs.info:__initramfs_size The function populate_initrd_image() references the variable __init __initramfs_size. This is often because populate_initrd_image lacks a __init annotation or the annotation of __initramfs_size is wrong. WARNING: vmlinux.o(.text.unlikely+0x14c): Section mismatch in reference from the function populate_initrd_image() to the function .init.text:unpack_to_rootfs() The function populate_initrd_image() references the function __init unpack_to_rootfs(). This is often because populate_initrd_image lacks a __init annotation or the annotation of unpack_to_rootfs is wrong. WARNING: vmlinux.o(.text.unlikely+0x198): Section mismatch in reference from the function populate_initrd_image() to the function .init.text:xwrite() The function populate_initrd_image() references the function __init xwrite(). This is often because populate_initrd_image lacks a __init annotation or the annotation of xwrite is wrong. Indeed, if the compiler decides not to inline populate_initrd_image(), a warning is generated. Fix this by adding the missing __init annotations. Link: http://lkml.kernel.org/r/20190617074340.12779-1-geert@linux-m68k.org Fixes: 7c184ecd262fe64f ("initramfs: factor out a helper to populate the initrd image") Signed-off-by: Geert Uytterhoeven Reviewed-by: Christoph Hellwig Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 432b1de0de02a83f64695e69a2d83cbee10c236f Author: Yafang Shao Date: Fri Jun 28 12:06:59 2019 -0700 mm/oom_kill.c: fix uninitialized oc->constraint In dump_oom_summary() oc->constraint is used to show oom_constraint_text, but it hasn't been set before. So the value of it is always the default value 0. We should inititialize it before. Bellow is the output when memcg oom occurs, before this patch: oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null), cpuset=/,mems_allowed=0,oom_memcg=/foo,task_memcg=/foo,task=bash,pid=7997,uid=0 after this patch: oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null), cpuset=/,mems_allowed=0,oom_memcg=/foo,task_memcg=/foo,task=bash,pid=13681,uid=0 Link: http://lkml.kernel.org/r/1560522038-15879-1-git-send-email-laoar.shao@gmail.com Fixes: ef8444ea01d7 ("mm, oom: reorganize the oom report in dump_header") Signed-off-by: Yafang Shao Acked-by: Michal Hocko Cc: Wind Yu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit faf53def3b143df11062d87c12afe6afeb6f8cc7 Author: Naoya Horiguchi Date: Fri Jun 28 12:06:56 2019 -0700 mm: hugetlb: soft-offline: dissolve_free_huge_page() return zero on !PageHuge madvise(MADV_SOFT_OFFLINE) often returns -EBUSY when calling soft offline for hugepages with overcommitting enabled. That was caused by the suboptimal code in current soft-offline code. See the following part: ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL, MIGRATE_SYNC, MR_MEMORY_FAILURE); if (ret) { ... } else { /* * We set PG_hwpoison only when the migration source hugepage * was successfully dissolved, because otherwise hwpoisoned * hugepage remains on free hugepage list, then userspace will * find it as SIGBUS by allocation failure. That's not expected * in soft-offlining. */ ret = dissolve_free_huge_page(page); if (!ret) { if (set_hwpoison_free_buddy_page(page)) num_poisoned_pages_inc(); } } return ret; Here dissolve_free_huge_page() returns -EBUSY if the migration source page was freed into buddy in migrate_pages(), but even in that case we actually has a chance that set_hwpoison_free_buddy_page() succeeds. So that means current code gives up offlining too early now. dissolve_free_huge_page() checks that a given hugepage is suitable for dissolving, where we should return success for !PageHuge() case because the given hugepage is considered as already dissolved. This change also affects other callers of dissolve_free_huge_page(), which are cleaned up together. [n-horiguchi@ah.jp.nec.com: v3] Link: http://lkml.kernel.org/r/1560761476-4651-3-git-send-email-n-horiguchi@ah.jp.nec.comLink: http://lkml.kernel.org/r/1560154686-18497-3-git-send-email-n-horiguchi@ah.jp.nec.com Fixes: 6bc9b56433b76 ("mm: fix race on soft-offlining") Signed-off-by: Naoya Horiguchi Reported-by: Chen, Jerry T Tested-by: Chen, Jerry T Reviewed-by: Mike Kravetz Reviewed-by: Oscar Salvador Cc: Michal Hocko Cc: Xishi Qiu Cc: "Chen, Jerry T" Cc: "Zhuo, Qiuxu" Cc: [4.19+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit b38e5962f8ed0d2a2b28a887fc2221f7f41db119 Author: Naoya Horiguchi Date: Fri Jun 28 12:06:53 2019 -0700 mm: soft-offline: return -EBUSY if set_hwpoison_free_buddy_page() fails The pass/fail of soft offline should be judged by checking whether the raw error page was finally contained or not (i.e. the result of set_hwpoison_free_buddy_page()), but current code do not work like that. It might lead us to misjudge the test result when set_hwpoison_free_buddy_page() fails. Without this fix, there are cases where madvise(MADV_SOFT_OFFLINE) may not offline the original page and will not return an error. Link: http://lkml.kernel.org/r/1560154686-18497-2-git-send-email-n-horiguchi@ah.jp.nec.com Signed-off-by: Naoya Horiguchi Fixes: 6bc9b56433b76 ("mm: fix race on soft-offlining") Reviewed-by: Mike Kravetz Reviewed-by: Oscar Salvador Cc: Michal Hocko Cc: Xishi Qiu Cc: "Chen, Jerry T" Cc: "Zhuo, Qiuxu" Cc: [4.19+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 97abc889ee296faf95ca0e978340fb7b942a3e32 Author: Oleg Nesterov Date: Fri Jun 28 12:06:50 2019 -0700 signal: remove the wrong signal_pending() check in restore_user_sigmask() This is the minimal fix for stable, I'll send cleanups later. Commit 854a6ed56839 ("signal: Add restore_user_sigmask()") introduced the visible change which breaks user-space: a signal temporary unblocked by set_user_sigmask() can be delivered even if the caller returns success or timeout. Change restore_user_sigmask() to accept the additional "interrupted" argument which should be used instead of signal_pending() check, and update the callers. Eric said: : For clarity. I don't think this is required by posix, or fundamentally to : remove the races in select. It is what linux has always done and we have : applications who care so I agree this fix is needed. : : Further in any case where the semantic change that this patch rolls back : (aka where allowing a signal to be delivered and the select like call to : complete) would be advantage we can do as well if not better by using : signalfd. : : Michael is there any chance we can get this guarantee of the linux : implementation of pselect and friends clearly documented. The guarantee : that if the system call completes successfully we are guaranteed that no : signal that is unblocked by using sigmask will be delivered? Link: http://lkml.kernel.org/r/20190604134117.GA29963@redhat.com Fixes: 854a6ed56839a40f6b5d02a2962f48841482eec4 ("signal: Add restore_user_sigmask()") Signed-off-by: Oleg Nesterov Reported-by: Eric Wong Tested-by: Eric Wong Acked-by: "Eric W. Biederman" Acked-by: Arnd Bergmann Acked-by: Deepa Dinamani Cc: Michael Kerrisk Cc: Jens Axboe Cc: Davidlohr Bueso Cc: Jason Baron Cc: Thomas Gleixner Cc: Al Viro Cc: David Laight Cc: [5.0+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 867bfa4a5fcee66f2b25639acae718e8b28b25a5 Author: Jann Horn Date: Fri Jun 28 12:06:46 2019 -0700 fs/binfmt_flat.c: make load_flat_shared_library() work load_flat_shared_library() is broken: It only calls load_flat_file() if prepare_binprm() returns zero, but prepare_binprm() returns the number of bytes read - so this only happens if the file is empty. Instead, call into load_flat_file() if the number of bytes read is non-negative. (Even if the number of bytes is zero - in that case, load_flat_file() will see nullbytes and return a nice -ENOEXEC.) In addition, remove the code related to bprm creds and stop using prepare_binprm() - this code is loading a library, not a main executable, and it only actually uses the members "buf", "file" and "filename" of the linux_binprm struct. Instead, call kernel_read() directly. Link: http://lkml.kernel.org/r/20190524201817.16509-1-jannh@google.com Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses") Signed-off-by: Jann Horn Cc: Alexander Viro Cc: Kees Cook Cc: Nicolas Pitre Cc: Arnd Bergmann Cc: Geert Uytterhoeven Cc: Russell King Cc: Greg Ungerer Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 29b190fa774dd1b72a1a6f19687d55dc72ea83be Author: zhong jiang Date: Fri Jun 28 12:06:43 2019 -0700 mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask mpol_rebind_nodemask() is called for MPOL_BIND and MPOL_INTERLEAVE mempoclicies when the tasks's cpuset's mems_allowed changes. For policies created without MPOL_F_STATIC_NODES or MPOL_F_RELATIVE_NODES, it works by remapping the policy's allowed nodes (stored in v.nodes) using the previous value of mems_allowed (stored in w.cpuset_mems_allowed) as the domain of map and the new mems_allowed (passed as nodes) as the range of the map (see the comment of bitmap_remap() for details). The result of remapping is stored back as policy's nodemask in v.nodes, and the new value of mems_allowed should be stored in w.cpuset_mems_allowed to facilitate the next rebind, if it happens. However, 213980c0f23b ("mm, mempolicy: simplify rebinding mempolicies when updating cpusets") introduced a bug where the result of remapping is stored in w.cpuset_mems_allowed instead. Thus, a mempolicy's allowed nodes can evolve in an unexpected way after a series of rebinding due to cpuset mems_allowed changes, possibly binding to a wrong node or a smaller number of nodes which may e.g. overload them. This patch fixes the bug so rebinding again works as intended. [vbabka@suse.cz: new changlog] Link: http://lkml.kernel.org/r/ef6a69c6-c052-b067-8f2c-9d615c619bb9@suse.cz Link: http://lkml.kernel.org/r/1558768043-23184-1-git-send-email-zhongjiang@huawei.com Fixes: 213980c0f23b ("mm, mempolicy: simplify rebinding mempolicies when updating cpusets") Signed-off-by: zhong jiang Reviewed-by: Vlastimil Babka Cc: Oscar Salvador Cc: Anshuman Khandual Cc: Michal Hocko Cc: Mel Gorman Cc: Andrea Arcangeli Cc: Ralph Campbell Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cb8f381f1613cafe3aec30809991cd56e7135d92 Author: John Ogness Date: Fri Jun 28 12:06:40 2019 -0700 fs/proc/array.c: allow reporting eip/esp for all coredumping threads 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat") stopped reporting eip/esp and fd7d56270b52 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping") reintroduced the feature to fix a regression with userspace core dump handlers (such as minicoredumper). Because PF_DUMPCORE is only set for the primary thread, this didn't fix the original problem for secondary threads. Allow reporting the eip/esp for all threads by checking for PF_EXITING as well. This is set for all the other threads when they are killed. coredump_wait() waits for all the tasks to become inactive before proceeding to invoke a core dumper. Link: http://lkml.kernel.org/r/87y32p7i7a.fsf@linutronix.de Link: http://lkml.kernel.org/r/20190522161614.628-1-jlu@pengutronix.de Fixes: fd7d56270b526ca3 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping") Signed-off-by: John Ogness Reported-by: Jan Luebbe Tested-by: Jan Luebbe Cc: Alexey Dobriyan Cc: Andy Lutomirski Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 36d6cb73d5e60cdb2724c21ccba93c964e6a16f9 Author: Anshuman Khandual Date: Fri Jun 28 12:06:37 2019 -0700 mm/dev_pfn: exclude MEMORY_DEVICE_PRIVATE while computing virtual address The presence of struct page does not guarantee linear mapping for the pfn physical range. Device private memory which is non-coherent is excluded from linear mapping during devm_memremap_pages() though they will still have struct page coverage. Change pfn_t_to_virt() to just check for device private memory before giving out virtual address for a given pfn. pfn_t_to_virt() actually has no callers. Let's fix it for the 5.2 kernel and remove it in 5.3. Link: http://lkml.kernel.org/r/1558089514-25067-1-git-send-email-anshuman.khandual@arm.com Signed-off-by: Anshuman Khandual Cc: Dan Williams Cc: Jérôme Glisse Cc: Laurent Dufour Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 2f040d27080ddfffecff2be1a77107c494d0e4f4 Author: Boris Brezillon Date: Thu Jun 27 19:24:14 2019 +0200 drm/panfrost: Fix a double-free error drm_gem_shmem_create_with_handle() returns a GEM object and attach a handle to it. When the user closes the DRM FD, the core releases all GEM handles along with their backing GEM objs, which can lead to a double-free issue if panfrost_ioctl_create_bo() failed and went through the err_free path where drm_gem_object_put_unlocked() is called without deleting the associate handle. Replace this drm_gem_object_put_unlocked() call by a drm_gem_handle_delete() one to fix that. Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") Cc: Signed-off-by: Boris Brezillon Signed-off-by: Rob Herring Link: https://patchwork.freedesktop.org/patch/msgid/20190627172414.27231-1-boris.brezillon@collabora.com commit 46cc0b44428d0f0e81f11ea98217fc0edfbeab07 Author: Eiichi Tsukata Date: Tue Jun 25 10:29:10 2019 +0900 tracing/snapshot: Resize spare buffer if size changed Current snapshot implementation swaps two ring_buffers even though their sizes are different from each other, that can cause an inconsistency between the contents of buffer_size_kb file and the current buffer size. For example: # cat buffer_size_kb 7 (expanded: 1408) # echo 1 > events/enable # grep bytes per_cpu/cpu0/stats bytes: 1441020 # echo 1 > snapshot // current:1408, spare:1408 # echo 123 > buffer_size_kb // current:123, spare:1408 # echo 1 > snapshot // current:1408, spare:123 # grep bytes per_cpu/cpu0/stats bytes: 1443700 # cat buffer_size_kb 123 // != current:1408 And also, a similar per-cpu case hits the following WARNING: Reproducer: # echo 1 > per_cpu/cpu0/snapshot # echo 123 > buffer_size_kb # echo 1 > per_cpu/cpu0/snapshot WARNING: WARNING: CPU: 0 PID: 1946 at kernel/trace/trace.c:1607 update_max_tr_single.part.0+0x2b8/0x380 Modules linked in: CPU: 0 PID: 1946 Comm: bash Not tainted 5.2.0-rc6 #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 RIP: 0010:update_max_tr_single.part.0+0x2b8/0x380 Code: ff e8 dc da f9 ff 0f 0b e9 88 fe ff ff e8 d0 da f9 ff 44 89 ee bf f5 ff ff ff e8 33 dc f9 ff 41 83 fd f5 74 96 e8 b8 da f9 ff <0f> 0b eb 8d e8 af da f9 ff 0f 0b e9 bf fd ff ff e8 a3 da f9 ff 48 RSP: 0018:ffff888063e4fca0 EFLAGS: 00010093 RAX: ffff888066214380 RBX: ffffffff99850fe0 RCX: ffffffff964298a8 RDX: 0000000000000000 RSI: 00000000fffffff5 RDI: 0000000000000005 RBP: 1ffff1100c7c9f96 R08: ffff888066214380 R09: ffffed100c7c9f9b R10: ffffed100c7c9f9a R11: 0000000000000003 R12: 0000000000000000 R13: 00000000ffffffea R14: ffff888066214380 R15: ffffffff99851060 FS: 00007f9f8173c700(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000714dc0 CR3: 0000000066fa6000 CR4: 00000000000006f0 Call Trace: ? trace_array_printk_buf+0x140/0x140 ? __mutex_lock_slowpath+0x10/0x10 tracing_snapshot_write+0x4c8/0x7f0 ? trace_printk_init_buffers+0x60/0x60 ? selinux_file_permission+0x3b/0x540 ? tracer_preempt_off+0x38/0x506 ? trace_printk_init_buffers+0x60/0x60 __vfs_write+0x81/0x100 vfs_write+0x1e1/0x560 ksys_write+0x126/0x250 ? __ia32_sys_read+0xb0/0xb0 ? do_syscall_64+0x1f/0x390 do_syscall_64+0xc1/0x390 entry_SYSCALL_64_after_hwframe+0x49/0xbe This patch adds resize_buffer_duplicate_size() to check if there is a difference between current/spare buffer sizes and resize a spare buffer if necessary. Link: http://lkml.kernel.org/r/20190625012910.13109-1-devel@etsukata.com Cc: stable@vger.kernel.org Fixes: ad909e21bbe69 ("tracing: Add internal tracing_snapshot() functions") Signed-off-by: Eiichi Tsukata Signed-off-by: Steven Rostedt (VMware) commit d122ed6288d9821b405b0f84a3937955b9df545f Author: Takeshi Misawa Date: Fri Jun 28 19:56:40 2019 +0900 tracing: Fix memory leak in tracing_err_log_open() When tracing_err_log_open() calls seq_open(), allocated memory is not freed. kmemleak report: unreferenced object 0xffff92c0781d1100 (size 128): comm "tail", pid 15116, jiffies 4295163855 (age 22.704s) hex dump (first 32 bytes): 00 f0 08 e5 c0 92 ff ff 00 10 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000000d0687d5>] kmem_cache_alloc+0x11f/0x1e0 [<000000003e3039a8>] seq_open+0x2f/0x90 [<000000008dd36b7d>] tracing_err_log_open+0x67/0x140 [<000000005a431ae2>] do_dentry_open+0x1df/0x3a0 [<00000000a2910603>] vfs_open+0x2f/0x40 [<0000000038b0a383>] path_openat+0x2e8/0x1690 [<00000000fe025bda>] do_filp_open+0x9b/0x110 [<00000000483a5091>] do_sys_open+0x1ba/0x260 [<00000000c558b5fd>] __x64_sys_openat+0x20/0x30 [<000000006881ec07>] do_syscall_64+0x5a/0x130 [<00000000571c2e94>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fix this by calling seq_release() in tracing_err_log_fops.release(). Link: http://lkml.kernel.org/r/20190628105640.GA1863@DESKTOP Fixes: 8a062902be725 ("tracing: Add tracing error log") Reviewed-by: Tom Zanussi Signed-off-by: Takeshi Misawa Signed-off-by: Steven Rostedt (VMware) commit 39611265edc1af3d574178202e19c31e187e7cf2 Author: Steven Rostedt (VMware) Date: Thu Jun 27 21:18:19 2019 -0400 ftrace/x86: Add a comment to why we take text_mutex in ftrace_arch_code_modify_prepare() Taking the text_mutex in ftrace_arch_code_modify_prepare() is to fix a race against module loading and live kernel patching that might try to change the text permissions while ftrace has it as read/write. This really needs to be documented in the code. Add a comment that does such. Link: http://lkml.kernel.org/r/20190627211819.5a591f52@gandalf.local.home Suggested-by: Josh Poimboeuf Reviewed-by: Josh Poimboeuf Reviewed-by: Petr Mladek Signed-off-by: Steven Rostedt (VMware) commit d5b844a2cf507fc7642c9ae80a9d585db3065c28 Author: Petr Mladek Date: Thu Jun 27 10:13:34 2019 +0200 ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code() The commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text permissions race") causes a possible deadlock between register_kprobe() and ftrace_run_update_code() when ftrace is using stop_machine(). The existing dependency chain (in reverse order) is: -> #1 (text_mutex){+.+.}: validate_chain.isra.21+0xb32/0xd70 __lock_acquire+0x4b8/0x928 lock_acquire+0x102/0x230 __mutex_lock+0x88/0x908 mutex_lock_nested+0x32/0x40 register_kprobe+0x254/0x658 init_kprobes+0x11a/0x168 do_one_initcall+0x70/0x318 kernel_init_freeable+0x456/0x508 kernel_init+0x22/0x150 ret_from_fork+0x30/0x34 kernel_thread_starter+0x0/0xc -> #0 (cpu_hotplug_lock.rw_sem){++++}: check_prev_add+0x90c/0xde0 validate_chain.isra.21+0xb32/0xd70 __lock_acquire+0x4b8/0x928 lock_acquire+0x102/0x230 cpus_read_lock+0x62/0xd0 stop_machine+0x2e/0x60 arch_ftrace_update_code+0x2e/0x40 ftrace_run_update_code+0x40/0xa0 ftrace_startup+0xb2/0x168 register_ftrace_function+0x64/0x88 klp_patch_object+0x1a2/0x290 klp_enable_patch+0x554/0x980 do_one_initcall+0x70/0x318 do_init_module+0x6e/0x250 load_module+0x1782/0x1990 __s390x_sys_finit_module+0xaa/0xf0 system_call+0xd8/0x2d0 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(text_mutex); lock(cpu_hotplug_lock.rw_sem); lock(text_mutex); lock(cpu_hotplug_lock.rw_sem); It is similar problem that has been solved by the commit 2d1e38f56622b9b ("kprobes: Cure hotplug lock ordering issues"). Many locks are involved. To be on the safe side, text_mutex must become a low level lock taken after cpu_hotplug_lock.rw_sem. This can't be achieved easily with the current ftrace design. For example, arm calls set_all_modules_text_rw() already in ftrace_arch_code_modify_prepare(), see arch/arm/kernel/ftrace.c. This functions is called: + outside stop_machine() from ftrace_run_update_code() + without stop_machine() from ftrace_module_enable() Fortunately, the problematic fix is needed only on x86_64. It is the only architecture that calls set_all_modules_text_rw() in ftrace path and supports livepatching at the same time. Therefore it is enough to move text_mutex handling from the generic kernel/trace/ftrace.c into arch/x86/kernel/ftrace.c: ftrace_arch_code_modify_prepare() ftrace_arch_code_modify_post_process() This patch basically reverts the ftrace part of the problematic commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text permissions race"). And provides x86_64 specific-fix. Some refactoring of the ftrace code will be needed when livepatching is implemented for arm or nds32. These architectures call set_all_modules_text_rw() and use stop_machine() at the same time. Link: http://lkml.kernel.org/r/20190627081334.12793-1-pmladek@suse.com Fixes: 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text permissions race") Acked-by: Thomas Gleixner Reported-by: Miroslav Benes Reviewed-by: Miroslav Benes Reviewed-by: Josh Poimboeuf Signed-off-by: Petr Mladek [ As reviewed by Miroslav Benes , removed return value of ftrace_run_update_code() as it is a void function. ] Signed-off-by: Steven Rostedt (VMware) commit 68f461593f76bd5f17e87cdd0bea28f4278c7268 Author: Trond Myklebust Date: Tue Jun 25 16:41:16 2019 -0400 NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O Fix a typo where we're confusing the default TCP retrans value (NFS_DEF_TCP_RETRANS) for the default TCP timeout value. Fixes: 15d03055cf39f ("pNFS/flexfiles: Set reasonable default ...") Cc: stable@vger.kernel.org # 4.8+ Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker commit 7e3d3620974b743b91b1f9d0660061b1de20174c Author: Trond Myklebust Date: Mon Jun 24 19:15:44 2019 -0400 SUNRPC: Fix up calculation of client message length In the case where a record marker was used, xs_sendpages() needs to return the length of the payload + record marker so that we operate correctly in the case of a partial transmission. When the callers check return value, they therefore need to take into account the record marker length. Fixes: 06b5fc3ad94e ("Merge tag 'nfs-rdma-for-5.1-1'...") Cc: stable@vger.kernel.org # 5.1+ Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker commit c3ea60c231446663afd6ea1054da6b7f830855ca Author: Colin Ian King Date: Fri Jun 28 10:54:29 2019 +0100 ALSA: seq: fix incorrect order of dest_client/dest_ports arguments There are two occurrances of a call to snd_seq_oss_fill_addr where the dest_client and dest_port arguments are in the wrong order. Fix this by swapping them around. Addresses-Coverity: ("Arguments in wrong order") Signed-off-by: Colin Ian King Cc: Signed-off-by: Takashi Iwai commit bef33e19203dde434bcdf21c449e3fb4f06c2618 Author: Dennis Wassenberg Date: Fri Jun 28 10:54:53 2019 +0200 ALSA: hda/realtek - Change front mic location for Lenovo M710q On M710q Lenovo ThinkCentre machine, there are two front mics, we change the location for one of them to avoid conflicts. Signed-off-by: Dennis Wassenberg Cc: Signed-off-by: Takashi Iwai commit be132e1375c1fffe48801296279079f8a59a9ed3 Author: Lucas Stach Date: Thu Jun 27 16:42:00 2019 +0200 drm/etnaviv: add missing failure path to destroy suballoc When something goes wrong in the GPU init after the cmdbuf suballocator has been constructed, we fail to destroy it properly. This causes havok later when the GPU is unbound due to a module unload or similar. Fixes: e66774dd6f6a (drm/etnaviv: add cmdbuf suballocator) Signed-off-by: Lucas Stach Tested-by: Russell King commit 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 Author: Colin Ian King Date: Thu Jun 27 17:43:08 2019 +0100 ALSA: usb-audio: fix sign unintended sign extension on left shifts There are a couple of left shifts of unsigned 8 bit values that first get promoted to signed ints and hence get sign extended on the shift if the top bit of the 8 bit values are set. Fix this by casting the 8 bit values to unsigned ints to stop the unintentional sign extension. Addresses-Coverity: ("Unintended sign extension") Signed-off-by: Colin Ian King Cc: Signed-off-by: Takashi Iwai commit 5de254dca87ab614b9c058246ee94c58a840e358 Author: Ronnie Sahlberg Date: Thu Jun 27 14:57:02 2019 +1000 cifs: fix crash querying symlinks stored as reparse-points We never parsed/returned any data from .get_link() when the object is a windows reparse-point containing a symlink. This results in the VFS layer oopsing accessing an uninitialized buffer: ... [ 171.407172] Call Trace: [ 171.408039] readlink_copy+0x29/0x70 [ 171.408872] vfs_readlink+0xc1/0x1f0 [ 171.409709] ? readlink_copy+0x70/0x70 [ 171.410565] ? simple_attr_release+0x30/0x30 [ 171.411446] ? getname_flags+0x105/0x2a0 [ 171.412231] do_readlinkat+0x1b7/0x1e0 [ 171.412938] ? __ia32_compat_sys_newfstat+0x30/0x30 ... Fix this by adding code to handle these buffers and make sure we do return a valid buffer to .get_link() CC: Stable Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French commit 556e2f6020bf90f63c5dd65e9a2254be6db3185b Merge: 65ee21eb633c 74684cce5ebd Author: Linus Torvalds Date: Fri Jun 28 08:50:09 2019 +0800 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "A handful of clk driver fixes and one core framework fix - Do a DT/firmware lookup in clk_core_get() even when the DT index is a nonsensical value - Fix some clk data typos in the Amlogic DT headers/code - Avoid returning junk in the TI clk driver when an invalid clk is looked for - Fix dividers for the emac clks on Stratix10 SoCs - Fix default HDA rates on Tegra210 to correct distorted audio" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: socfpga: stratix10: fix divider entry for the emac clocks clk: Do a DT parent lookup even when index < 0 clk: tegra210: Fix default rates for HDA clocks clk: ti: clkctrl: Fix returning uninitialized data clk: meson: meson8b: fix a typo in the VPU parent names array variable clk: meson: fix MPLL 50M binding id typo commit 65ee21eb633c644501185502d51831c4dee22c7b Merge: 7a702b4e82d8 2eba4e640b2c Author: Linus Torvalds Date: Fri Jun 28 08:48:21 2019 +0800 Merge tag 'for-5.2/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - Fix incorrect uses of kstrndup and DM logging macros in DM's early init code. - Fix DM log-writes target's handling of super block sectors so updates are made in order through use of completion. - Fix DM core's argument splitting code to avoid undefined behaviour reported as a side-effect of UBSAN analysis on ppc64le. - Fix DM verity target to limit the amount of error messages that can result from a corrupt block being found. * tag 'for-5.2/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm verity: use message limit for data block corruption message dm table: don't copy from a NULL pointer in realloc_argv() dm log writes: make sure super sector log updates are written in order dm init: remove trailing newline from calls to DMERR() and DMINFO() dm init: fix incorrect uses of kstrndup() commit 7a702b4e82d8730d6964bfd98b3b024c126e9846 Merge: 763cf1f2d9bf 30d158b143b6 Author: Linus Torvalds Date: Fri Jun 28 08:41:18 2019 +0800 Merge tag 'for-linus-20190627' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux Pull pidfd fixes from Christian Brauner: "Userspace tools and libraries such as strace or glibc need a cheap and reliable way to tell whether CLONE_PIDFD is supported. The easiest way is to pass an invalid fd value in the return argument, perform the syscall and verify the value in the return argument has been changed to a valid fd. However, if CLONE_PIDFD is specified we currently check if pidfd == 0 and return EINVAL if not. The check for pidfd == 0 was originally added to enable us to abuse the return argument for passing additional flags along with CLONE_PIDFD in the future. However, extending legacy clone this way would be a terrible idea and with clone3 on the horizon and the ability to reuse CLONE_DETACHED with CLONE_PIDFD there's no real need for this clutch. So remove the pidfd == 0 check and help userspace out. Also, accordig to Al, anon_inode_getfd() should only be used past the point of no failure and ksys_close() should not be used at all since it is far too easy to get wrong. Al's motto being "basically, once it's in descriptor table, it's out of your control". So Al's patch switches back to what we already had in v1 of the original patchset and uses a anon_inode_getfile() + put_user() + fd_install() sequence in the success path and a fput() + put_unused_fd() in the failure path. The other two changes should be trivial" * tag 'for-linus-20190627' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux: proc: remove useless d_is_dir() check copy_process(): don't use ksys_close() on cleanups samples: make pidfd-metadata fail gracefully on older kernels fork: don't check parent_tidptr with CLONE_PIDFD commit 763cf1f2d9bfc8349c5791689074c8c17edf660d Merge: fe2da896fd94 b12bbdc5dd88 Author: Linus Torvalds Date: Fri Jun 28 08:39:18 2019 +0800 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID fixes from Jiri Kosina: - fix for one corner case in HID++ protocol with respect to handling very long reports, from Hans de Goede - power management fix in Intel-ISH driver, from Hyungwoo Yang - use-after-free fix in Intel-ISH driver, from Dan Carpenter - a couple of new device IDs/quirks from Kai-Heng Feng, Kyle Godbey and Oleksandr Natalenko * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: HID: intel-ish-hid: fix wrong driver_data usage HID: multitouch: Add pointstick support for ALPS Touchpad HID: logitech-dj: Fix forwarding of very long HID++ reports HID: uclogic: Add support for Huion HS64 tablet HID: chicony: add another quirk for PixArt mouse HID: intel-ish-hid: Fix a use after free in load_fw_from_host() commit fe2da896fd9469317ff693fb08a86d9c435e101a Merge: cd0f3aaebc5b e73f65930f88 Author: Linus Torvalds Date: Fri Jun 28 08:37:04 2019 +0800 Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Olof Johansson: "A smaller batch of fixes, nothing that stands out as risky or scary. Mostly DTS tweaks for a few issues: - GPU fixlets for Meson - CPU idle fix for LS1028A - PWM interrupt fixes for i.MX6UL Also, enable a driver (FSL_EDMA) on arm64 defconfig, and a warning and two MAINTAINER tweaks" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: ARM: dts: imx6ul: fix PWM[1-4] interrupts ARM: omap2: remove incorrect __init annotation ARM: dts: gemini Fix up DNS-313 compatible string ARM: dts: Blank D-Link DIR-685 console arm64: defconfig: Enable FSL_EDMA driver arm64: dts: ls1028a: Fix CPU idle fail. MAINTAINERS: BCM53573: Add internal Broadcom mailing list MAINTAINERS: BCM2835: Add internal Broadcom mailing list ARM: dts: meson8b: fix the operating voltage of the Mali GPU ARM: dts: meson8b: drop undocumented property from the Mali GPU node ARM: dts: meson8: fix GPU interrupts and drop an undocumented property commit cd0f3aaebc5b17e0ccb1b9ef9ae43042d075d767 Merge: 139ca2580550 2cd42d19cffa Author: Linus Torvalds Date: Fri Jun 28 08:34:12 2019 +0800 Merge tag 'afs-fixes-20190620' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull AFS fixes from David Howells: "The in-kernel AFS client has been undergoing testing on opendev.org on one of their mirror machines. They are using AFS to hold data that is then served via apache, and Ian Wienand had reported seeing oopses, spontaneous machine reboots and updates to volumes going missing. This patch series appears to have fixed the problem, very probably due to patch (2), but it's not 100% certain. (1) Fix the printing of the "vnode modified" warning to exclude checks on files for which we don't have a callback promise from the server (and so don't expect the server to tell us when it changes). Without this, for every file or directory for which we still have an in-core inode that gets changed on the server, we may get a message logged when we next look at it. This can happen in bulk if, for instance, someone does "vos release" to update a R/O volume from a R/W volume and a whole set of files are all changed together. We only really want to log a message if the file changed and the server didn't tell us about it or we failed to track the state internally. (2) Fix accidental corruption of either afs_vlserver struct objects or the the following memory locations (which could hold anything). The issue is caused by a union that points to two different structs in struct afs_call (to save space in the struct). The call cleanup code assumes that it can simply call the cleanup for one of those structs if not NULL - when it might be actually pointing to the other struct. This means that every Volume Location RPC op is going to corrupt something. (3) Fix an uninitialised spinlock. This isn't too bad, it just causes a one-off warning if lockdep is enabled when "vos release" is called, but the spinlock still behaves correctly. (4) Fix the setting of i_block in the inode. This causes du, for example, to produce incorrect results, but otherwise should not be dangerous to the kernel" * tag 'afs-fixes-20190620' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: afs: Fix setting of i_blocks afs: Fix uninitialised spinlock afs_volume::cb_break_lock afs: Fix vlserver record corruption afs: Fix over zealous "vnode modified" warnings commit 139ca258055057e64d59ec92b6fd1ad3ca3a9fbc Merge: c84afab02c31 19e5e2ae9c88 Author: Linus Torvalds Date: Fri Jun 28 08:31:57 2019 +0800 Merge tag 'csky-for-linus-5.2-fixup-gcc-unwind' of git://github.com/c-sky/csky-linux Pull arch/csky fixup from Guo Ren: "A fixup patch for rt_sigframe in signal.c" * tag 'csky-for-linus-5.2-fixup-gcc-unwind' of git://github.com/c-sky/csky-linux: csky: Fixup libgcc unwind error commit c84afab02c311b08b5cb8ea758cc177f81c95d11 Merge: 249155c20f9b 89ed5b519004 Author: Linus Torvalds Date: Fri Jun 28 08:24:37 2019 +0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Fix ppp_mppe crypto soft dependencies, from Takashi Iawi. 2) Fix TX completion to be finite, from Sergej Benilov. 3) Use register_pernet_device to avoid a dst leak in tipc, from Xin Long. 4) Double free of TX cleanup in Dirk van der Merwe. 5) Memory leak in packet_set_ring(), from Eric Dumazet. 6) Out of bounds read in qmi_wwan, from Bjørn Mork. 7) Fix iif used in mcast/bcast looped back packets, from Stephen Suryaputra. 8) Fix neighbour resolution on raw ipv6 sockets, from Nicolas Dichtel. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (25 commits) af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET sctp: change to hold sk after auth shkey is created successfully ipv6: fix neighbour resolution with raw socket ipv6: constify rt6_nexthop() net: dsa: microchip: Use gpiod_set_value_cansleep() net: aquantia: fix vlans not working over bridged network ipv4: reset rt_iif for recirculated mcast/bcast out pkts team: Always enable vlan tx offload net/smc: Fix error path in smc_init net/smc: hold conns_lock before calling smc_lgr_register_conn() bonding: Always enable vlan tx offload net/ipv6: Fix misuse of proc_dointvec "skip_notify_on_dev_down" ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop qmi_wwan: Fix out-of-bounds read tipc: check msg->req data len in tipc_nl_compat_bearer_disable net: macb: do not copy the mac address if NULL net/packet: fix memory leak in packet_set_ring() net/tls: fix page double free on TX cleanup net/sched: cbs: Fix error path of cbs_module_init tipc: change to use register_pernet_device ... commit ae6a45a0868986f69039a2150d3b2b9ca294c378 Author: Josh Poimboeuf Date: Wed Jun 26 19:33:55 2019 -0500 x86/unwind/orc: Fall back to using frame pointers for generated code The ORC unwinder can't unwind through BPF JIT generated code because there are no ORC entries associated with the code. If an ORC entry isn't available, try to fall back to frame pointers. If BPF and other generated code always do frame pointer setup (even with CONFIG_FRAME_POINTERS=n) then this will allow ORC to unwind through most generated code despite there being no corresponding ORC entries. Fixes: d15d356887e7 ("perf/x86: Make perf callchains work without CONFIG_FRAME_POINTER") Reported-by: Song Liu Signed-off-by: Josh Poimboeuf Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Cc: Kairui Song Cc: Steven Rostedt Cc: Borislav Petkov Link: https://lkml.kernel.org/r/b6f69208ddff4343d56b7bfac1fc7cfcd62689e8.1561595111.git.jpoimboe@redhat.com commit 83f44ae0f8afcc9da659799db8693f74847e66b3 Author: Song Liu Date: Wed Jun 26 19:33:52 2019 -0500 perf/x86: Always store regs->ip in perf_callchain_kernel() The stacktrace_map_raw_tp BPF selftest is failing because the RIP saved by perf_arch_fetch_caller_regs() isn't getting saved by perf_callchain_kernel(). This was broken by the following commit: d15d356887e7 ("perf/x86: Make perf callchains work without CONFIG_FRAME_POINTER") With that change, when starting with non-HW regs, the unwinder starts with the current stack frame and unwinds until it passes up the frame which called perf_arch_fetch_caller_regs(). So regs->ip needs to be saved deliberately. Fixes: d15d356887e7 ("perf/x86: Make perf callchains work without CONFIG_FRAME_POINTER") Signed-off-by: Song Liu Signed-off-by: Josh Poimboeuf Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Cc: Kairui Song Cc: Steven Rostedt Cc: Borislav Petkov Link: https://lkml.kernel.org/r/3975a298fa52b506fea32666d8ff6a13467eee6d.1561595111.git.jpoimboe@redhat.com commit d6b8bd679c9c8856fa04b80490765c43a4cb613b Author: Jeff Layton Date: Thu May 9 07:58:38 2019 -0400 ceph: fix ceph_mdsc_build_path to not stop on first component When ceph_mdsc_build_path is handed a positive dentry, it will return a zero-length path string with the base set to that dentry. This is not what we want. Always include at least one path component in the string. ceph_mdsc_build_path has behaved this way for a long time but it didn't matter until recent d_name handling rework. Fixes: 964fff7491e4 ("ceph: use ceph_mdsc_build_path instead of clone_dentry_name") Signed-off-by: Jeff Layton Reviewed-by: "Yan, Zheng" Signed-off-by: Ilya Dryomov commit 80031361747aec92163464f2ee08870fec33bcb0 Author: Joshua Scott Date: Wed Jun 26 10:11:08 2019 +1200 ARM: dts: armada-xp-98dx3236: Switch to armada-38x-uart serial node Switch to the "marvell,armada-38x-uart" driver variant to empty the UART buffer before writing to the UART_LCR register. Signed-off-by: Joshua Scott Tested-by: Andrew Lunn Acked-by: Gregory CLEMENT . Cc: stable@vger.kernel.org Fixes: 43e28ba87708 ("ARM: dts: Use armada-370-xp as a base for armada-xp-98dx3236") Signed-off-by: Gregory CLEMENT commit 9d957a959bc8c3dfe37572ac8e99affb5a885965 Author: Nicolas Boichat Date: Wed Jun 26 11:54:45 2019 +0800 pinctrl: mediatek: Update cur_mask in mask/mask ops During suspend/resume, mtk_eint_mask may be called while wake_mask is active. For example, this happens if a wake-source with an active interrupt handler wakes the system: irq/pm.c:irq_pm_check_wakeup would disable the interrupt, so that it can be handled later on in the resume flow. However, this may happen before mtk_eint_do_resume is called: in this case, wake_mask is loaded, and cur_mask is restored from an older copy, re-enabling the interrupt, and causing an interrupt storm (especially for level interrupts). Step by step, for a line that has both wake and interrupt enabled: 1. cur_mask[irq] = 1; wake_mask[irq] = 1; EINT_EN[irq] = 1 (interrupt enabled at hardware level) 2. System suspends, resumes due to that line (at this stage EINT_EN == wake_mask) 3. irq_pm_check_wakeup is called, and disables the interrupt => EINT_EN[irq] = 0, but we still have cur_mask[irq] = 1 4. mtk_eint_do_resume is called, and restores EINT_EN = cur_mask, so it reenables EINT_EN[irq] = 1 => interrupt storm as the driver is not yet ready to handle the interrupt. This patch fixes the issue in step 3, by recording all mask/unmask changes in cur_mask. This also avoids the need to read the current mask in eint_do_suspend, and we can remove mtk_eint_chip_read_mask function. The interrupt will be re-enabled properly later on, sometimes after mtk_eint_do_resume, when the driver is ready to handle it. Fixes: 58a5e1b64bb0 ("pinctrl: mediatek: Implement wake handler and suspend resume") Signed-off-by: Nicolas Boichat Acked-by: Sean Wang Signed-off-by: Linus Walleij commit 30d158b143b6575261ab610ae7b1b4f7fe3830b3 Author: Christian Brauner Date: Thu Jun 27 11:35:14 2019 +0200 proc: remove useless d_is_dir() check Remove the d_is_dir() check from tgid_pidfd_to_pid(). It is pointless since you should never get &proc_tgid_base_operations for f_op on a non-directory. Suggested-by: Al Viro Signed-off-by: Christian Brauner commit 6fd2fe494b17bf2dec37b610d23a43a72b16923a Author: Al Viro Date: Wed Jun 26 22:22:09 2019 -0400 copy_process(): don't use ksys_close() on cleanups anon_inode_getfd() should be used *ONLY* in situations when we are guaranteed to be past the last failure point (including copying the descriptor number to userland, at that). And ksys_close() should not be used for cleanups at all. anon_inode_getfile() is there for all nontrivial cases like that. Just use that... Fixes: b3e583825266 ("clone: add CLONE_PIDFD") Signed-off-by: Al Viro Reviewed-by: Jann Horn Signed-off-by: Christian Brauner commit 33d4a5a7a5b4d02915d765064b2319e90a11cbde Author: Eiichi Tsukata Date: Thu Jun 27 11:47:32 2019 +0900 cpu/hotplug: Fix out-of-bounds read when setting fail state Setting invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail can control `struct cpuhp_step *sp` address, results in the following global-out-of-bounds read. Reproducer: # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail KASAN report: BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0 Read of size 8 at addr ffffffff89734438 by task bash/1941 CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31 Call Trace: write_cpuhp_fail+0x2cd/0x2e0 dev_attr_store+0x58/0x80 sysfs_kf_write+0x13d/0x1a0 kernfs_fop_write+0x2bc/0x460 vfs_write+0x1e1/0x560 ksys_write+0x126/0x250 do_syscall_64+0xc1/0x390 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f05e4f4c970 The buggy address belongs to the variable: cpu_hotplug_lock+0x98/0xa0 Memory state around the buggy address: ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa ^ ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Add a sanity check for the value written from user space. Fixes: 1db49484f21ed ("smp/hotplug: Hotplug state fail injection") Signed-off-by: Eiichi Tsukata Signed-off-by: Thomas Gleixner Cc: peterz@infradead.org Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.com commit 89ed5b519004a7706f50b70f611edbd3aaacff2c Author: Neil Horman Date: Tue Jun 25 17:57:49 2019 -0400 af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET When an application is run that: a) Sets its scheduler to be SCHED_FIFO and b) Opens a memory mapped AF_PACKET socket, and sends frames with the MSG_DONTWAIT flag cleared, its possible for the application to hang forever in the kernel. This occurs because when waiting, the code in tpacket_snd calls schedule, which under normal circumstances allows other tasks to run, including ksoftirqd, which in some cases is responsible for freeing the transmitted skb (which in AF_PACKET calls a destructor that flips the status bit of the transmitted frame back to available, allowing the transmitting task to complete). However, when the calling application is SCHED_FIFO, its priority is such that the schedule call immediately places the task back on the cpu, preventing ksoftirqd from freeing the skb, which in turn prevents the transmitting task from detecting that the transmission is complete. We can fix this by converting the schedule call to a completion mechanism. By using a completion queue, we force the calling task, when it detects there are no more frames to send, to schedule itself off the cpu until such time as the last transmitted skb is freed, allowing forward progress to be made. Tested by myself and the reporter, with good results Change Notes: V1->V2: Enhance the sleep logic to support being interruptible and allowing for honoring to SK_SNDTIMEO (Willem de Bruijn) V2->V3: Rearrage the point at which we wait for the completion queue, to avoid needing to check for ph/skb being null at the end of the loop. Also move the complete call to the skb destructor to avoid needing to modify __packet_set_status. Also gate calling complete on packet_read_pending returning zero to avoid multiple calls to complete. (Willem de Bruijn) Move timeo computation within loop, to re-fetch the socket timeout since we also use the timeo variable to record the return code from the wait_for_complete call (Neil Horman) V3->V4: Willem has requested that the control flow be restored to the previous state. Doing so lets us eliminate the need for the po->wait_on_complete flag variable, and lets us get rid of the packet_next_frame function, but introduces another complexity. Specifically, but using the packet pending count, we can, if an applications calls sendmsg multiple times with MSG_DONTWAIT set, each set of transmitted frames, when complete, will cause tpacket_destruct_skb to issue a complete call, for which there will never be a wait_on_completion call. This imbalance will lead to any future call to wait_for_completion here to return early, when the frames they sent may not have completed. To correct this, we need to re-init the completion queue on every call to tpacket_snd before we enter the loop so as to ensure we wait properly for the frames we send in this iteration. Change the timeout and interrupted gotos to out_put rather than out_status so that we don't try to free a non-existant skb Clean up some extra newlines (Willem de Bruijn) Reviewed-by: Willem de Bruijn Signed-off-by: Neil Horman Reported-by: Matteo Croce Signed-off-by: David S. Miller commit 25bff6d5478b2a02368097015b7d8eb727c87e16 Author: Xin Long Date: Tue Jun 25 00:21:45 2019 +0800 sctp: change to hold sk after auth shkey is created successfully Now in sctp_endpoint_init(), it holds the sk then creates auth shkey. But when the creation fails, it doesn't release the sk, which causes a sk defcnf leak, Here to fix it by only holding the sk when auth shkey is created successfully. Fixes: a29a5bd4f5c3 ("[SCTP]: Implement SCTP-AUTH initializations.") Reported-by: syzbot+afabda3890cc2f765041@syzkaller.appspotmail.com Reported-by: syzbot+276ca1c77a19977c0130@syzkaller.appspotmail.com Signed-off-by: Xin Long Acked-by: Neil Horman Signed-off-by: David S. Miller commit 665d6d4e32313a7952bb3339647f74c3a6b0d78a Merge: 4b972a01a7da 41de4be6f6ef Author: Dave Airlie Date: Thu Jun 27 11:31:56 2019 +1000 Merge tag 'drm-misc-fixes-2019-06-26' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes virtio- Don't call drm_connector_update_edid_property() while holding spinlock Cc: Gerd Hoffmann Signed-off-by: Dave Airlie From: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20190626205615.GA123489@art_vandelay commit 0db7f5cd4aeba4cc63d0068598b3350eba8bb4cd Author: ShihPo Hung Date: Tue Jun 18 17:39:15 2019 +0800 riscv: mm: Fix code comment Fix the comment since vmalloc_fault doesn't reach flush_tlb_fix_spurious_fault. Signed-off-by: ShihPo Hung Cc: Palmer Dabbelt Cc: Albert Ou Cc: Paul Walmsley Cc: linux-riscv@lists.infradead.org Reviewed-by: Palmer Dabbelt Signed-off-by: Paul Walmsley commit e3f9dada0abe1864bf467e84d201144eddb9ef88 Author: Paul Walmsley Date: Fri Jun 21 13:45:42 2019 -0700 dt-bindings: clock: sifive: add MIT license as an option for the header file At Bin Meng's request, add the MIT license as an option for the SiFive FU540 PRCI header file. Signed-off-by: Paul Walmsley Cc: Bin Meng commit 471a739a47aa7d582f0cdf9d392957d04632bae2 Author: Rafael J. Wysocki Date: Wed Jun 26 00:20:23 2019 +0200 PCI: PM: Avoid skipping bus-level PM on platforms without ACPI There are platforms that do not call pm_set_suspend_via_firmware(), so pm_suspend_via_firmware() returns 'false' on them, but the power states of PCI devices (PCIe ports in particular) are changed as a result of powering down core platform components during system-wide suspend. Thus the pm_suspend_via_firmware() checks in pci_pm_suspend_noirq() and pci_pm_resume_noirq() introduced by commit 3e26c5feed2a ("PCI: PM: Skip devices in D0 for suspend-to- idle") are not sufficient to determine that devices left in D0 during suspend will remain in D0 during resume and so the bus-level power management can be skipped for them. For this reason, introduce a new global suspend flag, PM_SUSPEND_FLAG_NO_PLATFORM, set it for suspend-to-idle only and replace the pm_suspend_via_firmware() checks mentioned above with checks against this flag. Fixes: 3e26c5feed2a ("PCI: PM: Skip devices in D0 for suspend-to-idle") Reported-by: Jon Hunter Tested-by: Jon Hunter Signed-off-by: Rafael J. Wysocki Tested-by: Mika Westerberg Reviewed-by: Mika Westerberg commit 13696531dc90d2bd54d143aabcb766d228240e06 Merge: 22e72b5e049b 2c6b55f45d53 Author: David S. Miller Date: Wed Jun 26 13:26:08 2019 -0700 Merge branch 'ipv6-fix-neighbour-resolution-with-raw-socket' Nicolas Dichtel says: ==================== ipv6: fix neighbour resolution with raw socket The first patch prepares the fix, it constify rt6_nexthop(). The detail of the bug is explained in the second patch. v1 -> v2: - fix compilation warnings - split the initial patch ==================== Signed-off-by: David S. Miller commit 2c6b55f45d53420d8310d41310e0e2cd41fe073f Author: Nicolas Dichtel Date: Mon Jun 24 16:01:09 2019 +0200 ipv6: fix neighbour resolution with raw socket The scenario is the following: the user uses a raw socket to send an ipv6 packet, destinated to a not-connected network, and specify a connected nh. Here is the corresponding python script to reproduce this scenario: import socket IPPROTO_RAW = 255 send_s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, IPPROTO_RAW) # scapy # p = IPv6(src='fd00:100::1', dst='fd00:200::fa')/ICMPv6EchoRequest() # str(p) req = b'`\x00\x00\x00\x00\x08:@\xfd\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xfd\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x80\x00\x81\xc0\x00\x00\x00\x00' send_s.sendto(req, ('fd00:175::2', 0, 0, 0)) fd00:175::/64 is a connected route and fd00:200::fa is not a connected host. With this scenario, the kernel starts by sending a NS to resolve fd00:175::2. When it receives the NA, it flushes its queue and try to send the initial packet. But instead of sending it, it sends another NS to resolve fd00:200::fa, which obvioulsy fails, thus the packet is dropped. If the user sends again the packet, it now uses the right nh (fd00:175::2). The problem is that ip6_dst_lookup_neigh() uses the rt6i_gateway, which is :: because the associated route is a connected route, thus it uses the dst addr of the packet. Let's use rt6_nexthop() to choose the right nh. Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller commit 9b1c1ef13b35fa35051b635ca9fbda39fe6bbc70 Author: Nicolas Dichtel Date: Mon Jun 24 16:01:08 2019 +0200 ipv6: constify rt6_nexthop() There is no functional change in this patch, it only prepares the next one. rt6_nexthop() will be used by ip6_dst_lookup_neigh(), which uses const variables. Signed-off-by: Nicolas Dichtel Reported-by: kbuild test robot Acked-by: Nick Desaulniers Signed-off-by: David S. Miller commit 22e72b5e049b95789b34a4cef316c791e7c2fed5 Author: Marek Vasut Date: Sun Jun 23 17:12:57 2019 +0200 net: dsa: microchip: Use gpiod_set_value_cansleep() Replace gpiod_set_value() with gpiod_set_value_cansleep(), as the switch reset GPIO can be connected to e.g. I2C GPIO expander and it is perfectly fine for the kernel to sleep for a bit in ksz_switch_register(). Signed-off-by: Marek Vasut Cc: Andrew Lunn Cc: Florian Fainelli Cc: Linus Walleij Cc: Tristram Ha Cc: Woojung Huh Reviewed-by: Andrew Lunn Reviewed-by: Linus Walleij Signed-off-by: David S. Miller commit 48dd73d08d4dda47ee31cc8611fb16840fc16803 Author: Dmitry Bogdanov Date: Sat Jun 22 08:46:37 2019 +0000 net: aquantia: fix vlans not working over bridged network In configuration of vlan over bridge over aquantia device it was found that vlan tagged traffic is dropped on chip. The reason is that bridge device enables promisc mode, but in atlantic chip vlan filters will still apply. So we have to corellate promisc settings with vlan configuration. The solution is to track in a separate state variable the need of vlan forced promisc. And also consider generic promisc configuration when doing vlan filter config. Fixes: 7975d2aff5af ("net: aquantia: add support of rx-vlan-filter offload") Signed-off-by: Dmitry Bogdanov Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller commit 5b18f1289808fee5d04a7e6ecf200189f41a4db6 Author: Stephen Suryaputra Date: Wed Jun 26 02:21:16 2019 -0400 ipv4: reset rt_iif for recirculated mcast/bcast out pkts Multicast or broadcast egress packets have rt_iif set to the oif. These packets might be recirculated back as input and lookup to the raw sockets may fail because they are bound to the incoming interface (skb_iif). If rt_iif is not zero, during the lookup, inet_iif() function returns rt_iif instead of skb_iif. Hence, the lookup fails. v2: Make it non vrf specific (David Ahern). Reword the changelog to reflect it. Signed-off-by: Stephen Suryaputra Reviewed-by: David Ahern Signed-off-by: David S. Miller commit 3cdb0157884344c7b40998f31ce43c4ded593cdd Author: Paul Walmsley Date: Wed Jun 26 08:19:29 2019 -0700 dt-bindings: riscv: resolve 'make dt_binding_check' warnings Rob pointed out that one of the examples in the RISC-V 'cpus' YAML schema results in warnings from 'make dt_binding_check'. Fix these. While here, make the whitespace in the second example consistent with the first example. Signed-off-by: Paul Walmsley Cc: Rob Herring Reviewed-by: Rob Herring # for fixing the dtc warnings commit 45b03df2864aa4c67f6a648f0a7951116e1ef069 Author: Yash Shah Date: Tue Jun 25 15:01:31 2019 +0530 riscv: dts: Re-organize the DT nodes As per the convention for any SOC device with external connection, define only device DT node in SOC DTSi file with status = "disabled" and enable device in Board DTS file with status = "okay" Reported-by: Anup Patel Signed-off-by: Yash Shah Signed-off-by: Paul Walmsley commit ff8391e1b7d2f04aa3e520b3e839fd202de7d9b3 Author: Atish Patra Date: Tue Jun 25 15:56:36 2019 -0700 RISC-V: defconfig: enable MMC & SPI for RISC-V Currently, riscv upstream defconfig doesn't let you boot through userspace if rootfs is on the SD card. Let's enable MMC & SPI drivers as well so that one can boot to the user space using default config in upstream kernel. While here, enable automatic mounting of devtmpfs to simplify kernel testing with minimal root filesystems. (pjw) Signed-off-by: Atish Patra Reviewed-by: Palmer Dabbelt [paul.walmsley@sifive.com: mention the DEVTMPFS_MOUNT change in the patch description] Signed-off-by: Paul Walmsley commit ee4297420d56a0033a8593e80b33fcc93fda8509 Author: YueHaibing Date: Thu Jun 27 00:03:39 2019 +0800 team: Always enable vlan tx offload We should rather have vlan_tci filled all the way down to the transmitting netdevice and let it do the hw/sw vlan implementation. Suggested-by: Jiri Pirko Signed-off-by: YueHaibing Signed-off-by: David S. Miller commit 8a53058bd9bae9a4381209a8122c60ac346622ef Merge: 30d8177e8ac7 8c33bf1b0a96 Author: David S. Miller Date: Wed Jun 26 10:10:16 2019 -0700 Merge branch 'smc-fixes' Ursula Braun says: ==================== net/smc: fixes 2019-06-26 here are 2 small smc fixes for the net tree. ==================== Signed-off-by: David S. Miller commit 8c33bf1b0a9663d1742cb19ee71da46a1d8670dd Author: YueHaibing Date: Wed Jun 26 17:47:50 2019 +0200 net/smc: Fix error path in smc_init If register_pernet_subsys success in smc_init, we should cleanup it in case any other error. Fixes: 64e28b52c7a6 (net/smc: add pnet table namespace support") Signed-off-by: YueHaibing Signed-off-by: Ursula Braun Signed-off-by: David S. Miller commit 4480879251fb89b1c5585112b1ccc8c3333b41af Author: Huaping Zhou Date: Wed Jun 26 17:47:49 2019 +0200 net/smc: hold conns_lock before calling smc_lgr_register_conn() After smc_lgr_create(), the newly created link group is added to smc_lgr_list, thus is accessible from other context. Although link group creation is serialized by smc_create_lgr_pending, the new link group may still be accessed concurrently. For example, if ib_device is no longer active, smc_ib_port_event_work() will call smc_port_terminate(), which in turn will call __smc_lgr_terminate() on every link group of this device. So conns_lock is required here. Signed-off-by: Huaping Zhou Signed-off-by: Ursula Braun Signed-off-by: David S. Miller commit 30d8177e8ac776d89d387fad547af6a0f599210e Author: YueHaibing Date: Wed Jun 26 16:08:44 2019 +0800 bonding: Always enable vlan tx offload We build vlan on top of bonding interface, which vlan offload is off, bond mode is 802.3ad (LACP) and xmit_hash_policy is BOND_XMIT_POLICY_ENCAP34. Because vlan tx offload is off, vlan tci is cleared and skb push the vlan header in validate_xmit_vlan() while sending from vlan devices. Then in bond_xmit_hash, __skb_flow_dissect() fails to get information from protocol headers encapsulated within vlan, because 'nhoff' is points to IP header, so bond hashing is based on layer 2 info, which fails to distribute packets across slaves. This patch always enable bonding's vlan tx offload, pass the vlan packets to the slave devices with vlan tci, let them to handle vlan implementation. Fixes: 278339a42a1b ("bonding: propogate vlan_features to bonding master") Suggested-by: Jiri Pirko Signed-off-by: YueHaibing Acked-by: Jiri Pirko Signed-off-by: David S. Miller commit 1bf72720281770162c87990697eae1ba2f1d917a Author: Geert Uytterhoeven Date: Thu May 16 09:09:35 2019 +0200 cpu/speculation: Warn on unsupported mitigations= parameter Currently, if the user specifies an unsupported mitigation strategy on the kernel command line, it will be ignored silently. The code will fall back to the default strategy, possibly leaving the system more vulnerable than expected. This may happen due to e.g. a simple typo, or, for a stable kernel release, because not all mitigation strategies have been backported. Inform the user by printing a message. Fixes: 98af8452945c5565 ("cpu/speculation: Add 'mitigations=' cmdline option") Signed-off-by: Geert Uytterhoeven Signed-off-by: Thomas Gleixner Acked-by: Josh Poimboeuf Cc: Peter Zijlstra Cc: Jiri Kosina Cc: Greg Kroah-Hartman Cc: Ben Hutchings Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20190516070935.22546-1-geert@linux-m68k.org commit c1f7fec1eb6a2c86d01bc22afce772c743451d88 Author: Alejandro Jimenez Date: Mon Jun 10 13:20:10 2019 -0400 x86/speculation: Allow guests to use SSBD even if host does not The bits set in x86_spec_ctrl_mask are used to calculate the guest's value of SPEC_CTRL that is written to the MSR before VMENTRY, and control which mitigations the guest can enable. In the case of SSBD, unless the host has enabled SSBD always on mode (by passing "spec_store_bypass_disable=on" in the kernel parameters), the SSBD bit is not set in the mask and the guest can not properly enable the SSBD always on mitigation mode. This has been confirmed by running the SSBD PoC on a guest using the SSBD always on mitigation mode (booted with kernel parameter "spec_store_bypass_disable=on"), and verifying that the guest is vulnerable unless the host is also using SSBD always on mode. In addition, the guest OS incorrectly reports the SSB vulnerability as mitigated. Always set the SSBD bit in x86_spec_ctrl_mask when the host CPU supports it, allowing the guest to use SSBD whether or not the host has chosen to enable the mitigation in any of its modes. Fixes: be6fcb5478e9 ("x86/bugs: Rework spec_ctrl base and mask logic") Signed-off-by: Alejandro Jimenez Signed-off-by: Thomas Gleixner Reviewed-by: Liam Merwick Reviewed-by: Mark Kanda Reviewed-by: Paolo Bonzini Cc: bp@alien8.de Cc: rkrcmar@redhat.com Cc: kvm@vger.kernel.org Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1560187210-11054-1-git-send-email-alejandro.j.jimenez@oracle.com commit 35594bc7cecf3a78504b590e350570e8f4d7779e Author: Nicolas Boichat Date: Mon Apr 29 11:55:14 2019 +0800 pinctrl: mediatek: Ignore interrupts that are wake only during resume Before suspending, mtk-eint would set the interrupt mask to the one in wake_mask. However, some of these interrupts may not have a corresponding interrupt handler, or the interrupt may be disabled. On resume, the eint irq handler would trigger nevertheless, and irq/pm.c:irq_pm_check_wakeup would be called, which would try to call irq_disable. However, if the interrupt is not enabled (irqd_irq_disabled(&desc->irq_data) is true), the call does nothing, and the interrupt is left enabled in the eint driver. Especially for level-sensitive interrupts, this will lead to an interrupt storm on resume. If we detect that an interrupt is only in wake_mask, but not in cur_mask, we can just mask it out immediately (as mtk_eint_resume would do anyway at a later stage in the resume sequence, when restoring cur_mask). Fixes: bf22ff45bed6 ("genirq: Avoid unnecessary low level irq function calls") Signed-off-by: Nicolas Boichat Acked-by: Sean Wang Signed-off-by: Linus Walleij commit b12bbdc5dd883f6575f57e529af26cd2c521b320 Author: Hyungwoo Yang Date: Wed Jun 5 21:52:27 2019 -0700 HID: intel-ish-hid: fix wrong driver_data usage Currently, in suspend() and resume(), ishtp client drivers are using driver_data to get "struct ishtp_cl_device" object which is set by bus driver. It's wrong since the driver_data should not be owned bus. driver_data should be owned by the corresponding ishtp client driver. Due to this, some ishtp client driver like cros_ec_ishtp which uses its driver_data to transfer its data to its child doesn't work correctly. So this patch removes setting driver_data in bus drier and instead of using driver_data to get "struct ishtp_cl_device", since "struct device" is embedded in "struct ishtp_cl_device", we introduce a helper function that returns "struct ishtp_cl_device" from "struct device". Signed-off-by: Hyungwoo Yang Acked-by: Srinivas Pandruvada Signed-off-by: Jiri Kosina commit 0a95fc733da375de0688d0f1fd3a2869a1c1d499 Author: Kai-Heng Feng Date: Fri Jun 14 16:56:55 2019 +0800 HID: multitouch: Add pointstick support for ALPS Touchpad There's a new ALPS touchpad/pointstick combo device that requires MT_CLS_WIN_8_DUAL to make its pointsitck work as a mouse. The device can be found on HP ZBook 17 G5. Signed-off-by: Kai-Heng Feng Signed-off-by: Jiri Kosina commit 3a9a2c86ce6e06dda23fb1e7f7745acaf6d5d0eb Author: Hans de Goede Date: Fri Jun 14 10:20:27 2019 +0200 HID: logitech-dj: Fix forwarding of very long HID++ reports The HID++ spec also defines very long HID++ reports, with a reportid of 0x12. The MX5000 and MX5500 keyboards use 0x12 output reports for sending messages to display on their buildin LCD. Userspace (libmx5000) supports this, in order for this to work when talking to the HID devices instantiated for the keyboard by hid-logitech-dj, we need to properly forward these reports to the device. This commit fixes logi_dj_ll_raw_request not forwarding these reports. Fixes: f2113c3020ef ("HID: logitech-dj: add support for Logitech Bluetooth Mini-Receiver") Signed-off-by: Hans de Goede Signed-off-by: Jiri Kosina commit 315ffcc9a1e054bb460f9203058b52dc26b1173d Author: Kyle Godbey Date: Sat Jun 15 18:15:06 2019 -0500 HID: uclogic: Add support for Huion HS64 tablet Add support for Huion HS64 drawing tablet to hid-uclogic Signed-off-by: Kyle Godbey Signed-off-by: Jiri Kosina commit dcf768b0ac868630e7bdb6f2f1c9fe72788012fa Author: Oleksandr Natalenko Date: Fri Jun 21 11:17:36 2019 +0200 HID: chicony: add another quirk for PixArt mouse I've spotted another Chicony PixArt mouse in the wild, which requires HID_QUIRK_ALWAYS_POLL quirk, otherwise it disconnects each minute. USB ID of this device is 0x04f2:0x0939. We've introduced quirks like this for other models before, so lets add this mouse too. Link: https://github.com/sriemer/fix-linux-mouse#usb-mouse-disconnectsreconnects-every-minute-on-linux Signed-off-by: Oleksandr Natalenko Acked-by: Sebastian Parschauer Signed-off-by: Jiri Kosina commit 21acee4ecf9c3d9eff545f50e79c321a0c35d9b3 Author: Dan Carpenter Date: Wed Jun 26 13:10:41 2019 +0300 HID: intel-ish-hid: Fix a use after free in load_fw_from_host() We have to print the filename first before we can kfree it. Fixes: 91b228107da3 ("HID: intel-ish-hid: ISH firmware loader client driver") Signed-off-by: Dan Carpenter Signed-off-by: Jiri Kosina commit aa69fb62bea15126e744af2e02acc0d6cf3ed4da Author: Nathan Chancellor Date: Tue Jun 25 21:20:17 2019 -0700 arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly After r363059 and r363928 in LLVM, a build using ld.lld as the linker with CONFIG_RANDOMIZE_BASE enabled fails like so: ld.lld: error: relocation R_AARCH64_ABS32 cannot be used against symbol __efistub_stext_offset; recompile with -fPIC Fangrui and Peter figured out that ld.lld is incorrectly considering __efistub_stext_offset as a relative symbol because of the order in which symbols are evaluated. _text is treated as an absolute symbol and stext is a relative symbol, making __efistub_stext_offset a relative symbol. Adding ABSOLUTE will force ld.lld to evalute this expression in the right context and does not change ld.bfd's behavior. ld.lld will need to be fixed but the developers do not see a quick or simple fix without some research (see the linked issue for further explanation). Add this simple workaround so that ld.lld can continue to link kernels. Link: https://github.com/ClangBuiltLinux/linux/issues/561 Link: https://github.com/llvm/llvm-project/commit/025a815d75d2356f2944136269aa5874721ec236 Link: https://github.com/llvm/llvm-project/commit/249fde85832c33f8b06c6b4ac65d1c4b96d23b83 Acked-by: Ard Biesheuvel Debugged-by: Fangrui Song Debugged-by: Peter Smith Suggested-by: Fangrui Song Signed-off-by: Nathan Chancellor [will: add comment] Signed-off-by: Will Deacon commit 6f496a555d93db7a11d4860b9220d904822f586a Author: Ard Biesheuvel Date: Tue Jun 25 19:08:54 2019 +0200 arm64: kaslr: keep modules inside module region when KASAN is enabled When KASLR and KASAN are both enabled, we keep the modules where they are, and randomize the placement of the kernel so it is within 2 GB of the module region. The reason for this is that putting modules in the vmalloc region (like we normally do when KASLR is enabled) is not possible in this case, given that the entire vmalloc region is already backed by KASAN zero shadow pages, and so allocating dedicated KASAN shadow space as required by loaded modules is not possible. The default module allocation window is set to [_etext - 128MB, _etext] in kaslr.c, which is appropriate for KASLR kernels booted without a seed or with 'nokaslr' on the command line. However, as it turns out, it is not quite correct for the KASAN case, since it still intersects the vmalloc region at the top, where attempts to allocate shadow pages will collide with the KASAN zero shadow pages, causing a WARN() and all kinds of other trouble. So cap the top end to MODULES_END explicitly when running with KASAN. Cc: # 4.9+ Acked-by: Catalin Marinas Tested-by: Catalin Marinas Signed-off-by: Ard Biesheuvel Signed-off-by: Will Deacon commit 41de4be6f6efa4132b29af51158cd672d93f2543 Author: Gerd Hoffmann Date: Fri Apr 5 06:46:02 2019 +0200 drm/virtio: move drm_connector_update_edid_property() call drm_connector_update_edid_property can sleep, we must not call it while holding a spinlock. Move the callsite. Fixes: b4b01b4995fb ("drm/virtio: add edid support") Reported-by: Max Filippov Signed-off-by: Gerd Hoffmann Tested-by: Max Filippov Tested-by: Cornelia Huck Acked-by: Cornelia Huck Link: http://patchwork.freedesktop.org/patch/msgid/20190405044602.2334-1-kraxel@redhat.com commit 19e5e2ae9c883f5651eaaeab2f258e2c4b78fda3 Author: Guo Ren Date: Wed Jun 26 11:27:03 2019 +0800 csky: Fixup libgcc unwind error The struct rt_sigframe is also defined in libgcc/config/csky/linux-unwind.h of gcc. Although there is no use for the first three word space, we must keep them the same with linux-unwind.h for member position. The BUG is found in glibc test with the tst-cancel02. The BUG is from commit:bf2416829362 of linux-5.2-rc1 merge window. Signed-off-by: Guo Ren Signed-off-by: Mao Han Cc: Arnd Bergmann commit 432c833218dd0f75e7b56bd5e8658b72073158d2 Author: Kirill A. Shutemov Date: Mon Jun 24 15:31:50 2019 +0300 x86/mm: Handle physical-virtual alignment mismatch in phys_p4d_init() Kyle has reported occasional crashes when booting a kernel in 5-level paging mode with KASLR enabled: WARNING: CPU: 0 PID: 0 at arch/x86/mm/init_64.c:87 phys_p4d_init+0x1d4/0x1ea RIP: 0010:phys_p4d_init+0x1d4/0x1ea Call Trace: __kernel_physical_mapping_init+0x10a/0x35c kernel_physical_mapping_init+0xe/0x10 init_memory_mapping+0x1aa/0x3b0 init_range_memory_mapping+0xc8/0x116 init_mem_mapping+0x225/0x2eb setup_arch+0x6ff/0xcf5 start_kernel+0x64/0x53b ? copy_bootdata+0x1f/0xce x86_64_start_reservations+0x24/0x26 x86_64_start_kernel+0x8a/0x8d secondary_startup_64+0xb6/0xc0 which causes later: BUG: unable to handle page fault for address: ff484d019580eff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page BAD Oops: 0000 [#1] SMP NOPTI RIP: 0010:fill_pud+0x13/0x130 Call Trace: set_pte_vaddr_p4d+0x2e/0x50 set_pte_vaddr+0x6f/0xb0 __native_set_fixmap+0x28/0x40 native_set_fixmap+0x39/0x70 register_lapic_address+0x49/0xb6 early_acpi_boot_init+0xa5/0xde setup_arch+0x944/0xcf5 start_kernel+0x64/0x53b Kyle bisected the issue to commit b569c1843498 ("x86/mm/KASLR: Reduce randomization granularity for 5-level paging to 1GB") Before this commit PAGE_OFFSET was always aligned to P4D_SIZE when booting 5-level paging mode. But now only PUD_SIZE alignment is guaranteed. In the case I was able to reproduce the following vaddr/paddr values were observed in phys_p4d_init(): Iteration vaddr paddr 1 0xff4228027fe00000 0x033fe00000 2 0xff42287f40000000 0x8000000000 'vaddr' in both cases belongs to the same p4d entry. But due to the original assumption that PAGE_OFFSET is aligned to P4D_SIZE this overlap cannot be handled correctly. The code assumes strictly aligned entries and unconditionally increments the index into the P4D table, which creates false duplicate entries. Once the index reaches the end, the last entry in the page table is missing. Aside of that the 'paddr >= paddr_end' condition can evaluate wrong which causes an P4D entry to be cleared incorrectly. Change the loop in phys_p4d_init() to walk purely based on virtual addresses like __kernel_physical_mapping_init() does. This makes it work correctly with unaligned virtual addresses. Fixes: b569c1843498 ("x86/mm/KASLR: Reduce randomization granularity for 5-level paging to 1GB") Reported-by: Kyle Pelton Signed-off-by: Kirill A. Shutemov Signed-off-by: Thomas Gleixner Tested-by: Kyle Pelton Acked-by: Baoquan He Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Dave Hansen Cc: Andy Lutomirski Cc: Peter Zijlstra Link: https://lkml.kernel.org/r/20190624123150.920-1-kirill.shutemov@linux.intel.com commit c1887159eb48ba40e775584cfb2a443962cf1a05 Author: Kirill A. Shutemov Date: Thu Jun 20 14:24:22 2019 +0300 x86/boot/64: Add missing fixup_pointer() for next_early_pgt access __startup_64() uses fixup_pointer() to access global variables in a position-independent fashion. Access to next_early_pgt was wrapped into the helper, but one instance in the 5-level paging branch was missed. GCC generates a R_X86_64_PC32 PC-relative relocation for the access which doesn't trigger the issue, but Clang emmits a R_X86_64_32S which leads to an invalid memory access and system reboot. Fixes: 187e91fe5e91 ("x86/boot/64/clang: Use fixup_pointer() to access 'next_early_pgt'") Signed-off-by: Kirill A. Shutemov Signed-off-by: Thomas Gleixner Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Dave Hansen Cc: Andy Lutomirski Cc: Peter Zijlstra Cc: Alexander Potapenko Link: https://lkml.kernel.org/r/20190620112422.29264-1-kirill.shutemov@linux.intel.com commit 81c7ed296dcd02bc0b4488246d040e03e633737a Author: Kirill A. Shutemov Date: Thu Jun 20 14:23:45 2019 +0300 x86/boot/64: Fix crash if kernel image crosses page table boundary A kernel which boots in 5-level paging mode crashes in a small percentage of cases if KASLR is enabled. This issue was tracked down to the case when the kernel image unpacks in a way that it crosses an 1G boundary. The crash is caused by an overrun of the PMD page table in __startup_64() and corruption of P4D page table allocated next to it. This particular issue is not visible with 4-level paging as P4D page tables are not used. But the P4D and the PUD calculation have similar problems. The PMD index calculation is wrong due to operator precedence, which fails to confine the PMDs in the PMD array on wrap around. The P4D calculation for 5-level paging and the PUD calculation calculate the first index correctly, but then blindly increment it which causes the same issue when a kernel image is located across a 512G and for 5-level paging across a 46T boundary. This wrap around mishandling was introduced when these parts moved from assembly to C. Restore it to the correct behaviour. Fixes: c88d71508e36 ("x86/boot/64: Rewrite startup_64() in C") Signed-off-by: Kirill A. Shutemov Signed-off-by: Thomas Gleixner Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Dave Hansen Cc: Andy Lutomirski Cc: Peter Zijlstra Link: https://lkml.kernel.org/r/20190620112345.28833-1-kirill.shutemov@linux.intel.com commit 74684cce5ebd567b01e9bc0e9a1945c70a32f32f Author: Dinh Nguyen Date: Fri Jun 7 10:12:46 2019 -0500 clk: socfpga: stratix10: fix divider entry for the emac clocks The fixed dividers for the emac clocks should be 2 not 4. Cc: stable@vger.kernel.org Signed-off-by: Dinh Nguyen Signed-off-by: Stephen Boyd commit b8e8a86337c25941cb06e9a1c8ee01ab9aab0cc2 Author: Eiichi Tsukata Date: Tue Jun 25 12:08:01 2019 +0900 net/ipv6: Fix misuse of proc_dointvec "skip_notify_on_dev_down" /proc/sys/net/ipv6/route/skip_notify_on_dev_down assumes given value to be 0 or 1. Use proc_dointvec_minmax instead of proc_dointvec. Fixes: 7c6bb7d2faaf ("net/ipv6: Add knob to skip DELROUTE message ondevice down") Signed-off-by: Eiichi Tsukata Signed-off-by: David S. Miller commit 38c73529de13e1e10914de7030b659a2f8b01c3b Author: Stephen Suryaputra Date: Mon Jun 24 20:14:06 2019 -0400 ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop In commit 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic"), the dif argument to __raw_v4_lookup() is coming from the returned value of inet_iif() but the change was done only for the first lookup. Subsequent lookups in the while loop still use skb->dev->ifIndex. Fixes: 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic") Signed-off-by: Stephen Suryaputra Reviewed-by: David Ahern Signed-off-by: David S. Miller commit 2eba4e640b2c4161e31ae20090a53ee02a518657 Author: Milan Broz Date: Thu Jun 20 13:00:19 2019 +0200 dm verity: use message limit for data block corruption message DM verity should also use DMERR_LIMIT to limit repeat data block corruption messages. Signed-off-by: Milan Broz Signed-off-by: Mike Snitzer commit a0651926553cfe7992166432e418987760882652 Author: Jerome Marchand Date: Wed Jun 12 18:22:26 2019 +0200 dm table: don't copy from a NULL pointer in realloc_argv() For the first call to realloc_argv() in dm_split_args(), old_argv is NULL and size is zero. Then memcpy is called, with the NULL old_argv as the source argument and a zero size argument. AFAIK, this is undefined behavior and generates the following warning when compiled with UBSAN on ppc64le: In file included from ./arch/powerpc/include/asm/paca.h:19, from ./arch/powerpc/include/asm/current.h:16, from ./include/linux/sched.h:12, from ./include/linux/kthread.h:6, from drivers/md/dm-core.h:12, from drivers/md/dm-table.c:8: In function 'memcpy', inlined from 'realloc_argv' at drivers/md/dm-table.c:565:3, inlined from 'dm_split_args' at drivers/md/dm-table.c:588:9: ./include/linux/string.h:345:9: error: argument 2 null where non-null expected [-Werror=nonnull] return __builtin_memcpy(p, q, size); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/md/dm-table.c: In function 'dm_split_args': ./include/linux/string.h:345:9: note: in a call to built-in function '__builtin_memcpy' Signed-off-by: Jerome Marchand Signed-off-by: Mike Snitzer commit 211ad4b733037f66f9be0a79eade3da7ab11cbb8 Author: zhangyi (F) Date: Wed Jun 5 21:27:08 2019 +0800 dm log writes: make sure super sector log updates are written in order Currently, although we submit super bios in order (and super.nr_entries is incremented by each logged entry), submit_bio() is async so each super sector may not be written to log device in order and then the final nr_entries may be smaller than it should be. This problem can be reproduced by the xfstests generic/455 with ext4: QA output created by 455 -Silence is golden +mark 'end' does not exist Fix this by serializing submission of super sectors to make sure each is written to the log disk in order. Fixes: 0e9cebe724597 ("dm: add log writes target") Cc: stable@vger.kernel.org Signed-off-by: zhangyi (F) Suggested-by: Josef Bacik Reviewed-by: Josef Bacik Signed-off-by: Mike Snitzer commit 10c9c8e7c09b4d32b31df1bd14673bd6dbfc50be Author: Stephen Boyd Date: Tue Jun 4 18:27:29 2019 -0700 dm init: remove trailing newline from calls to DMERR() and DMINFO() These printing macros already add a trailing newline, so having another one here just makes for blank lines when these prints are enabled. Remove these needless newlines. Fixes: 6bbc923dfcf5 ("dm: add support to directly boot to a mapped device") Signed-off-by: Stephen Boyd Signed-off-by: Mike Snitzer commit e6feaf215f07dd98d03ee783c9dd4c7f7e55b74d Author: Paolo Valente Date: Sat Jun 22 22:44:16 2019 +0200 block, bfq: fix operator in BFQQ_TOTALLY_SEEKY By mistake, there is a '&' instead of a '==' in the definition of the macro BFQQ_TOTALLY_SEEKY. This commit replaces the wrong operator with the correct one. Fixes: 7074f076ff15 ("block, bfq: do not tag totally seeky queues as soft rt") Signed-off-by: Paolo Valente Signed-off-by: Jens Axboe commit dec7e6494e1aea6bf676223da3429cd17ce0af79 Author: Gen Zhang Date: Wed May 29 09:33:20 2019 +0800 dm init: fix incorrect uses of kstrndup() Fix 2 kstrndup() calls with incorrect argument order. Fixes: 6bbc923dfcf5 ("dm: add support to directly boot to a mapped device") Cc: stable@vger.kernel.org # v5.1 Signed-off-by: Gen Zhang Signed-off-by: Mike Snitzer commit 4b36082e2e09c2769710756390d54cfca563ed96 Author: Alexandre Belloni Date: Thu Jun 20 20:30:37 2019 +0200 pinctrl: ocelot: fix pinmuxing for pins after 31 The actual layout for OCELOT_GPIO_ALT[01] when there are more than 32 pins is interleaved, i.e. OCELOT_GPIO_ALT0[0], OCELOT_GPIO_ALT1[0], OCELOT_GPIO_ALT0[1], OCELOT_GPIO_ALT1[1]. Introduce a new REG_ALT macro to facilitate the register offset calculation and use it where necessary. Fixes: da801ab56ad8 pinctrl: ocelot: add MSCC Jaguar2 support Signed-off-by: Alexandre Belloni Signed-off-by: Linus Walleij commit f2818ba3a0125670cb9999bb5a65ebb631a8da2f Author: Alexandre Belloni Date: Thu Jun 20 20:30:36 2019 +0200 pinctrl: ocelot: fix gpio direction for pins after 31 The third argument passed to REG is not the correct one and ocelot_gpio_set_direction is not working for pins after 31. Fix that by passing the pin number instead of the modulo 32 value. Fixes: da801ab56ad8 pinctrl: ocelot: add MSCC Jaguar2 support Signed-off-by: Alexandre Belloni Signed-off-by: Linus Walleij commit 6dbc6e6f58556369bf999cd7d9793586f1b0e4b4 Author: Phil Reid Date: Thu Jun 13 12:10:23 2019 +0800 pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order Currently probing of the mcp23s08 results in an error message "detected irqchip that is shared with multiple gpiochips: please fix the driver" This is due to the following: Call to mcp23s08_irqchip_setup() with call hierarchy: mcp23s08_irqchip_setup() gpiochip_irqchip_add_nested() gpiochip_irqchip_add_key() gpiochip_set_irq_hooks() Call to devm_gpiochip_add_data() with call hierarchy: devm_gpiochip_add_data() gpiochip_add_data_with_key() gpiochip_add_irqchip() gpiochip_set_irq_hooks() The gpiochip_add_irqchip() returns immediately if there isn't a irqchip but we added a irqchip due to the previous mcp23s08_irqchip_setup() call. So it calls gpiochip_set_irq_hooks() a second time. Fix this by moving the call to devm_gpiochip_add_data before the call to mcp23s08_irqchip_setup Fixes: 02e389e63e35 ("pinctrl: mcp23s08: fix irq setup order") Suggested-by: Marco Felsch Signed-off-by: Phil Reid Signed-off-by: Linus Walleij commit 503d90b30602a3295978e46d844ccc8167400fe6 Author: Richard Sailer Date: Wed Jun 19 13:33:11 2019 +0200 ALSA: hda/realtek: Add quirks for several Clevo notebook barebones This adds 4 SND_PCI_QUIRK(...) lines for several barebone models of the ODM Clevo. The model names are written in regex syntax to describe/match all clevo models that are similar enough and use the same PCI SSID that this fixup works for them. Additionally the lines regarding SSID 0x96e1 and 0x97e1 didn't fix audio for the all our Clevo notebooks using these SSIDs (models Clevo P960* and P970*) since ALC1220_FIXP_CLEVO_PB51ED_PINS swapped pins that are not necesarry to be swapped. This patch initiates ALC1220_FIXUP_CLEVO_P950 instead for these model and fixes the audio. Fixes: 80690a276f44 ("ALSA: hda/realtek - Add quirk for Tuxedo XC 1509") Signed-off-by: Richard Sailer Cc: Signed-off-by: Takashi Iwai commit e73f65930f8880fafaccf2cc1e5c44272e9523ec Merge: 4232db2e2abe 3cf10132ac8d Author: Olof Johansson Date: Tue Jun 25 04:20:08 2019 -0700 Merge tag 'imx-fixes-5.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 5.2, round 3: - A recent testing by Sébastien discovers that the PWM interrupts of i.MX6UL were wrongly coded in device tree. It's a fix for it. * tag 'imx-fixes-5.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: imx6ul: fix PWM[1-4] interrupts Signed-off-by: Olof Johansson commit 4232db2e2abed8bfec318031e0754b6b631eb0eb Merge: 2f7da158cc79 26d65140e92a Author: Olof Johansson Date: Tue Jun 25 04:19:26 2019 -0700 Merge tag 'amlogic-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic into arm/fixes ARM: dts: Amlogic fixes for v5.2-rc - fix GPU interrupts and operating voltage * tag 'amlogic-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic: ARM: dts: meson8b: fix the operating voltage of the Mali GPU ARM: dts: meson8b: drop undocumented property from the Mali GPU node ARM: dts: meson8: fix GPU interrupts and drop an undocumented property Signed-off-by: Olof Johansson commit e13e7cd4c0c1cc9984d9b6a8663e10d76b53f2aa Author: Nicholas Piggin Date: Sat Jun 22 08:55:54 2019 +1000 powerpc/64s/exception: Fix machine check early corrupting AMR The early machine check runs in real mode, so locking is unnecessary. Worse, the windup does not restore AMR, so this can result in a false KUAP fault after a recoverable machine check hits inside a user copy operation. Fix this similarly to HMI by just avoiding the kuap lock in the early machine check handler (it will be set by the late handler that runs in virtual mode if that runs). If the virtual mode handler is reached, it will lock and restore the AMR. Fixes: 890274c2dc4c0 ("powerpc/64s: Implement KUAP for Radix MMU") Cc: Russell Currey Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman commit 249155c20f9b0754bc1b932a33344cfb4e0c2101 Merge: c88e40e07cd9 d2ba3b1714d7 Author: Linus Torvalds Date: Tue Jun 25 05:52:31 2019 +0800 Merge branch 'parisc-5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc fix from Helge Deller: "Add missing PCREL64 relocation in module loader to fix module load errors when the static branch and JUMP_LABEL feature is enabled on a 64-bit kernel" * 'parisc-5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Fix module loading error with JUMP_LABEL feature commit f2ff671f894151a611eae246a1f25b61d6c0354b Author: Paul Cercueil Date: Mon Jun 24 23:27:51 2019 +0200 MAINTAINERS: Correct path to moved files The driver was moved in commit 1838a7b31fcb ("mtd: rawnand: Move drivers for Ingenic SoCs to subfolder"). Signed-off-by: Paul Cercueil Signed-off-by: Paul Burton Cc: Greg Kroah-Hartman Cc: linux-kernel@vger.kernel.org Cc: linux-mips@vger.kernel.org commit 0b24cae4d535045f4c9e177aa228d4e97bad212c Author: Dmitry Korotin Date: Mon Jun 24 19:05:27 2019 +0000 MIPS: Add missing EHB in mtc0 -> mfc0 sequence. Add a missing EHB (Execution Hazard Barrier) in mtc0 -> mfc0 sequence. Without this execution hazard barrier it's possible for the value read back from the KScratch register to be the value from before the mtc0. Reproducible on P5600 & P6600. The hazard is documented in the MIPS Architecture Reference Manual Vol. III: MIPS32/microMIPS32 Privileged Resource Architecture (MD00088), rev 6.03 table 8.1 which includes: Producer | Consumer | Hazard ----------|----------|---------------------------- mtc0 | mfc0 | any coprocessor 0 register Signed-off-by: Dmitry Korotin [paul.burton@mips.com: - Commit message tweaks. - Add Fixes tags. - Mark for stable back to v3.15 where P5600 support was introduced.] Signed-off-by: Paul Burton Fixes: 3d8bfdd03072 ("MIPS: Use C0_KScratch (if present) to hold PGD pointer.") Fixes: 829dcc0a956a ("MIPS: Add MIPS P5600 probe support") Cc: linux-mips@vger.kernel.org Cc: stable@vger.kernel.org # v3.15+ commit c88e40e07cd967dcdf37321a63ab6e8b0d881100 Merge: 39071cf828b4 63b2de12b7ee Author: Linus Torvalds Date: Tue Jun 25 03:41:03 2019 +0800 Merge tag 'mfd-fixes-5.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd Pull mfd bugfix from Lee Jones. Fix stmfx type confusion between regmap_read() (which takes an "u32") and the bitmap operations (which take an "unsigned long" array). * tag 'mfd-fixes-5.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: mfd: stmfx: Fix an endian bug in stmfx_irq_handler() mfd: stmfx: Uninitialized variable in stmfx_irq_handler() commit 8b12b812f5367c2469fb937da7e28dd321ad8d7b Author: Kan Liang Date: Tue May 28 15:08:34 2019 -0700 perf/x86/regs: Use PERF_REG_EXTENDED_MASK Use the macro defined in kernel ABI header to replace the local name. No functional change. Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lkml.kernel.org/r/1559081314-9714-5-git-send-email-kan.liang@linux.intel.com Signed-off-by: Ingo Molnar commit cd6b984f6d8cd615755b5404a51b7efe45215f28 Author: Kan Liang Date: Tue May 28 15:08:33 2019 -0700 perf/x86: Remove pmu->pebs_no_xmm_regs We don't need pmu->pebs_no_xmm_regs anymore, the capabilities PERF_PMU_CAP_EXTENDED_REGS can be used to check if XMM registers collection is supported. Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lkml.kernel.org/r/1559081314-9714-4-git-send-email-kan.liang@linux.intel.com Signed-off-by: Ingo Molnar commit dce86ac75d772047e9bc606154704aa73bfd4c83 Author: Kan Liang Date: Tue May 28 15:08:32 2019 -0700 perf/x86: Clean up PEBS_XMM_REGS Use generic macro PERF_REG_EXTENDED_MASK to replace PEBS_XMM_REGS to avoid duplication. Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lkml.kernel.org/r/1559081314-9714-3-git-send-email-kan.liang@linux.intel.com Signed-off-by: Ingo Molnar commit 90d424915ab6550826d297fd62df8ee255345b95 Author: Kan Liang Date: Tue May 28 15:08:31 2019 -0700 perf/x86/regs: Check reserved bits The perf fuzzer triggers a warning which map to: if (WARN_ON_ONCE(idx >= ARRAY_SIZE(pt_regs_offset))) return 0; The bits between XMM registers and generic registers are reserved. But perf_reg_validate() doesn't check these bits. Add PERF_REG_X86_RESERVED for reserved bits on X86. Check the reserved bits in perf_reg_validate(). Reported-by: Vince Weaver Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Fixes: 878068ea270e ("perf/x86: Support outputting XMM registers") Link: https://lkml.kernel.org/r/1559081314-9714-2-git-send-email-kan.liang@linux.intel.com Signed-off-by: Ingo Molnar commit e321d02db87af7840da29ef833a2a71fc0eab198 Author: Kan Liang Date: Tue May 28 15:08:30 2019 -0700 perf/x86: Disable extended registers for non-supported PMUs The perf fuzzer caused Skylake machine to crash: [ 9680.085831] Call Trace: [ 9680.088301] [ 9680.090363] perf_output_sample_regs+0x43/0xa0 [ 9680.094928] perf_output_sample+0x3aa/0x7a0 [ 9680.099181] perf_event_output_forward+0x53/0x80 [ 9680.103917] __perf_event_overflow+0x52/0xf0 [ 9680.108266] ? perf_trace_run_bpf_submit+0xc0/0xc0 [ 9680.113108] perf_swevent_hrtimer+0xe2/0x150 [ 9680.117475] ? check_preempt_wakeup+0x181/0x230 [ 9680.122091] ? check_preempt_curr+0x62/0x90 [ 9680.126361] ? ttwu_do_wakeup+0x19/0x140 [ 9680.130355] ? try_to_wake_up+0x54/0x460 [ 9680.134366] ? reweight_entity+0x15b/0x1a0 [ 9680.138559] ? __queue_work+0x103/0x3f0 [ 9680.142472] ? update_dl_rq_load_avg+0x1cd/0x270 [ 9680.147194] ? timerqueue_del+0x1e/0x40 [ 9680.151092] ? __remove_hrtimer+0x35/0x70 [ 9680.155191] __hrtimer_run_queues+0x100/0x280 [ 9680.159658] hrtimer_interrupt+0x100/0x220 [ 9680.163835] smp_apic_timer_interrupt+0x6a/0x140 [ 9680.168555] apic_timer_interrupt+0xf/0x20 [ 9680.172756] The XMM registers can only be collected by PEBS hardware events on the platforms with PEBS baseline support, e.g. Icelake, not software/probe events. Add capabilities flag PERF_PMU_CAP_EXTENDED_REGS to indicate the PMU which support extended registers. For X86, the extended registers are XMM registers. Add has_extended_regs() to check if extended registers are applied. The generic code define the mask of extended registers as 0 if arch headers haven't overridden it. Originally-by: Peter Zijlstra (Intel) Reported-by: Vince Weaver Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Fixes: 878068ea270e ("perf/x86: Support outputting XMM registers") Link: https://lkml.kernel.org/r/1559081314-9714-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Ingo Molnar commit 913a90bc5a3a06b1f04c337320e9aeee2328dd77 Author: Ravi Bangoria Date: Tue Jun 4 09:59:53 2019 +0530 perf/ioctl: Add check for the sample_period value perf_event_open() limits the sample_period to 63 bits. See: 0819b2e30ccb ("perf: Limit perf_event_attr::sample_period to 63 bits") Make ioctl() consistent with it. Also on PowerPC, negative sample_period could cause a recursive PMIs leading to a hang (reported when running perf-fuzzer). Signed-off-by: Ravi Bangoria Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: acme@kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: maddy@linux.vnet.ibm.com Cc: mpe@ellerman.id.au Fixes: 0819b2e30ccb ("perf: Limit perf_event_attr::sample_period to 63 bits") Link: https://lkml.kernel.org/r/20190604042953.914-1-ravi.bangoria@linux.ibm.com Signed-off-by: Ingo Molnar commit 904d88d743b0c94092c5117955eab695df8109e8 Author: Bjørn Mork Date: Mon Jun 24 18:45:11 2019 +0200 qmi_wwan: Fix out-of-bounds read The syzbot reported Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xca/0x13e lib/dump_stack.c:113 print_address_description+0x67/0x231 mm/kasan/report.c:188 __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317 kasan_report+0xe/0x20 mm/kasan/common.c:614 qmi_wwan_probe+0x342/0x360 drivers/net/usb/qmi_wwan.c:1417 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361 really_probe+0x281/0x660 drivers/base/dd.c:509 driver_probe_device+0x104/0x210 drivers/base/dd.c:670 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454 Caused by too many confusing indirections and casts. id->driver_info is a pointer stored in a long. We want the pointer here, not the address of it. Thanks-to: Hillf Danton Reported-by: syzbot+b68605d7fadd21510de1@syzkaller.appspotmail.com Cc: Kristian Evensen Fixes: e4bf63482c30 ("qmi_wwan: Add quirk for Quectel dynamic config") Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller commit 4f07b80c973348a99b5d2a32476a2e7877e94a05 Author: Xin Long Date: Tue Jun 25 00:28:19 2019 +0800 tipc: check msg->req data len in tipc_nl_compat_bearer_disable This patch is to fix an uninit-value issue, reported by syzbot: BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:981 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x191/0x1f0 lib/dump_stack.c:113 kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310 memchr+0xce/0x110 lib/string.c:981 string_is_valid net/tipc/netlink_compat.c:176 [inline] tipc_nl_compat_bearer_disable+0x2a1/0x480 net/tipc/netlink_compat.c:449 __tipc_nl_compat_doit net/tipc/netlink_compat.c:327 [inline] tipc_nl_compat_doit+0x3ac/0xb00 net/tipc/netlink_compat.c:360 tipc_nl_compat_handle net/tipc/netlink_compat.c:1178 [inline] tipc_nl_compat_recv+0x1b1b/0x27b0 net/tipc/netlink_compat.c:1281 TLV_GET_DATA_LEN() may return a negtive int value, which will be used as size_t (becoming a big unsigned long) passed into memchr, cause this issue. Similar to what it does in tipc_nl_compat_bearer_enable(), this fix is to return -EINVAL when TLV_GET_DATA_LEN() is negtive in tipc_nl_compat_bearer_disable(), as well as in tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats(). v1->v2: - add the missing Fixes tags per Eric's request. Fixes: 0762216c0ad2 ("tipc: fix uninit-value in tipc_nl_compat_bearer_enable") Fixes: 8b66fee7f8ee ("tipc: fix uninit-value in tipc_nl_compat_link_reset_stats") Reported-by: syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com Signed-off-by: Xin Long Signed-off-by: David S. Miller commit 2bf4ecbcc7d837903c5967c9274f41b1ad29d530 Author: Antoine Tenart Date: Fri Jun 21 17:26:35 2019 +0200 net: macb: do not copy the mac address if NULL This patch fixes the MAC address setup in the probe. The MAC address retrieved using of_get_mac_address was checked for not containing an error, but it may also be NULL which wasn't tested. Fix it by replacing IS_ERR with IS_ERR_OR_NULL. Fixes: 541ddc66d665 ("net: macb: support of_get_mac_address new ERR_PTR error") Signed-off-by: Antoine Tenart Acked-by: Nicolas Ferre Signed-off-by: David S. Miller commit 55655e3d1197fff16a7a05088fb0e5eba50eac55 Author: Eric Dumazet Date: Mon Jun 24 02:38:20 2019 -0700 net/packet: fix memory leak in packet_set_ring() syzbot found we can leak memory in packet_set_ring(), if user application provides buggy parameters. Fixes: 7f953ab2ba46 ("af_packet: TX_RING support for TPACKET_V3") Signed-off-by: Eric Dumazet Cc: Sowmini Varadhan Reported-by: syzbot Signed-off-by: David S. Miller commit 9354544cbccf68da1b047f8fb7b47630e3c8a59d Author: Dirk van der Merwe Date: Sun Jun 23 21:26:58 2019 -0700 net/tls: fix page double free on TX cleanup With commit 94850257cf0f ("tls: Fix tls_device handling of partial records") a new path was introduced to cleanup partial records during sk_proto_close. This path does not handle the SW KTLS tx_list cleanup. This is unnecessary though since the free_resources calls for both SW and offload paths will cleanup a partial record. The visible effect is the following warning, but this bug also causes a page double free. WARNING: CPU: 7 PID: 4000 at net/core/stream.c:206 sk_stream_kill_queues+0x103/0x110 RIP: 0010:sk_stream_kill_queues+0x103/0x110 RSP: 0018:ffffb6df87e07bd0 EFLAGS: 00010206 RAX: 0000000000000000 RBX: ffff8c21db4971c0 RCX: 0000000000000007 RDX: ffffffffffffffa0 RSI: 000000000000001d RDI: ffff8c21db497270 RBP: ffff8c21db497270 R08: ffff8c29f4748600 R09: 000000010020001a R10: ffffb6df87e07aa0 R11: ffffffff9a445600 R12: 0000000000000007 R13: 0000000000000000 R14: ffff8c21f03f2900 R15: ffff8c21f03b8df0 Call Trace: inet_csk_destroy_sock+0x55/0x100 tcp_close+0x25d/0x400 ? tcp_check_oom+0x120/0x120 tls_sk_proto_close+0x127/0x1c0 inet_release+0x3c/0x60 __sock_release+0x3d/0xb0 sock_close+0x11/0x20 __fput+0xd8/0x210 task_work_run+0x84/0xa0 do_exit+0x2dc/0xb90 ? release_sock+0x43/0x90 do_group_exit+0x3a/0xa0 get_signal+0x295/0x720 do_signal+0x36/0x610 ? SYSC_recvfrom+0x11d/0x130 exit_to_usermode_loop+0x69/0xb0 do_syscall_64+0x173/0x180 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7fe9b9abc10d RSP: 002b:00007fe9b19a1d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 0000000000000006 RCX: 00007fe9b9abc10d RDX: 0000000000000002 RSI: 0000000000000080 RDI: 00007fe948003430 RBP: 00007fe948003410 R08: 00007fe948003430 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00005603739d9080 R13: 00007fe9b9ab9f90 R14: 00007fe948003430 R15: 0000000000000000 Fixes: 94850257cf0f ("tls: Fix tls_device handling of partial records") Signed-off-by: Dirk van der Merwe Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller commit 63b2de12b7eeacfb2edbe005f5c3cff17a2a02e2 Author: Dan Carpenter Date: Mon Jun 17 22:06:05 2019 +0300 mfd: stmfx: Fix an endian bug in stmfx_irq_handler() It's not okay to cast a "u32 *" to "unsigned long *" when you are doing a for_each_set_bit() loop because that will break on big endian systems. Fixes: 386145601b82 ("mfd: stmfx: Uninitialized variable in stmfx_irq_handler()") Reported-by: Linus Torvalds Signed-off-by: Dan Carpenter Tested-by: Amelie Delaunay Signed-off-by: Lee Jones commit bee19cd8f241ab3cd1bf79e03884e5371f9ef514 Author: Dmitry V. Levin Date: Sun Jun 23 14:28:00 2019 +0300 samples: make pidfd-metadata fail gracefully on older kernels Initialize pidfd to an invalid descriptor, to fail gracefully on those kernels that do not implement CLONE_PIDFD and leave pidfd unchanged. Signed-off-by: Dmitry V. Levin Signed-off-by: Christian Brauner commit 9014143bab2f3bc0b9e5db3bc8d00e2a43e50fbd Author: Dmitry V. Levin Date: Sun Jun 23 14:27:17 2019 +0300 fork: don't check parent_tidptr with CLONE_PIDFD Give userspace a cheap and reliable way to tell whether CLONE_PIDFD is supported by the kernel or not. The easiest way is to pass an invalid file descriptor value in parent_tidptr, perform the syscall and verify that parent_tidptr has been changed to a valid file descriptor value. CLONE_PIDFD uses parent_tidptr to return pidfds. CLONE_PARENT_SETTID will use parent_tidptr to return the tid of the parent. The two flags cannot be used together. Old kernels that only support CLONE_PARENT_SETTID will not verify the value pointed to by parent_tidptr. This behavior is unchanged even with the introduction of CLONE_PIDFD. However, if CLONE_PIDFD is specified the kernel will currently check the value pointed to by parent_tidptr before placing the pidfd in the memory pointed to. EINVAL will be returned if the value in parent_tidptr is not 0. If CLONE_PIDFD is supported and fd 0 is closed, then the returned pidfd can and likely will be 0 and parent_tidptr will be unchanged. This means userspace must either check CLONE_PIDFD support beforehand or check that fd 0 is not closed when invoking CLONE_PIDFD. The check for pidfd == 0 was introduced during the v5.2 merge window by commit b3e583825266 ("clone: add CLONE_PIDFD") to ensure that CLONE_PIDFD could be potentially extended by passing in flags through the return argument. However, that extension would look horrible, and with the upcoming introduction of the clone3 syscall in v5.3 there is no need to extend legacy clone syscall this way. (Even if it would need to be extended, CLONE_DETACHED can be reused with CLONE_PIDFD.) So remove the pidfd == 0 check. Userspace that needs to be portable to kernels without CLONE_PIDFD support can then be advised to initialize pidfd to -1 and check the pidfd value returned by CLONE_PIDFD. Fixes: b3e583825266 ("clone: add CLONE_PIDFD") Signed-off-by: Dmitry V. Levin Signed-off-by: Christian Brauner commit 39071cf828b42fa62336849dc910d7b74c905698 Merge: 26df62aaae9f 191f5c2ed4b6 Author: Linus Torvalds Date: Mon Jun 24 21:23:55 2019 +0800 Merge tag 'mtd/fixes-for-5.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull mtd fixes from Miquel Raynal: - Set the raw NAND number of targets to the right value - Fix a bug uncovered by a recent patch on Spansion SPI-NOR flashes * tag 'mtd/fixes-for-5.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd: spi-nor: use 16-bit WRR command when QE is set on spansion flashes mtd: rawnand: initialize ntargets with maxchips commit 26df62aaae9f85e900cd5f1a5c28e44488f60de6 Merge: 9216514602ac 65565a68c582 Author: Linus Torvalds Date: Mon Jun 24 21:20:39 2019 +0800 Merge tag 'powerpc-5.2-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "One fix for a bug in our context id handling on 64-bit hash CPUs, which can lead to unrelated processes being able to read/write to each other's virtual memory. See the commit for full details. That is the fix for CVE-2019-12817. This also adds a kernel selftest for the bug" * tag 'powerpc-5.2-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: selftests/powerpc: Add test of fork with mapping above 512TB powerpc/mm/64s/hash: Reallocate context ids on fork commit 3cf10132ac8d536565f2c02f60a3aeb315863a52 Author: Sébastien Szymanski Date: Tue Jun 18 17:58:34 2019 +0200 ARM: dts: imx6ul: fix PWM[1-4] interrupts According to the i.MX6UL/L RM, table 3.1 "ARM Cortex A7 domain interrupt summary", the interrupts for the PWM[1-4] go from 83 to 86. Fixes: b9901fe84f02 ("ARM: dts: imx6ul: add pwm[1-4] nodes") Signed-off-by: Sébastien Szymanski Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo commit 9216514602ac436c116664ac9eaf18127ccf34df Merge: 4b972a01a7da f4bb1f895aa0 Author: Linus Torvalds Date: Mon Jun 24 21:11:01 2019 +0800 Merge tag 'auxdisplay-for-linus-v5.2-rc7' of git://github.com/ojeda/linux Pull auxdisplay cleanup from Miguel Ojeda: "A cleanup for two drivers in auxdisplay: convert them to use vm_map_pages_zero() (Souptick Joarder)" * tag 'auxdisplay-for-linus-v5.2-rc7' of git://github.com/ojeda/linux: auxdisplay/ht16k33.c: Convert to use vm_map_pages_zero() auxdisplay/cfag12864bfb.c: Convert to use vm_map_pages_zero() commit 45d5cb137c3638b3a310f41b31d8e79daf647f14 Author: YueHaibing Date: Fri Jun 21 21:44:37 2019 +0800 net/sched: cbs: Fix error path of cbs_module_init If register_qdisc fails, we should unregister netdevice notifier. Reported-by: Hulk Robot Fixes: e0a7683d30e9 ("net/sched: cbs: fix port_rate miscalculation") Signed-off-by: YueHaibing Signed-off-by: David S. Miller commit 191f5c2ed4b6fabacf1f3500242047bd844d0c3a Author: Tudor Ambarus Date: Mon Jun 10 06:24:04 2019 +0000 mtd: spi-nor: use 16-bit WRR command when QE is set on spansion flashes SPI memory devices from different manufacturers have widely different configurations for Status, Control and Configuration registers. JEDEC 216C defines a new map for these common register bits and their functions, and describes how the individual bits may be accessed for a specific device. For the JEDEC 216B compliant flashes, we can partially deduce Status and Configuration registers functions by inspecting the 16th DWORD of BFPT. Older flashes that don't declare the SFDP tables (SPANSION FL512SAIFG1 311QQ063 A ©11 SPANSION) let the software decide how to interact with these registers. The commit dcb4b22eeaf4 ("spi-nor: s25fl512s supports region locking") uncovered a probe error for s25fl512s, when the Quad Enable bit CR[1] was set to one in the bootloader. When this bit is one, only the Write Status (01h) command with two data byts may be used, the 01h command with one data byte is not recognized and hence the error when trying to clear the block protection bits. Fix the above by using the Write Status (01h) command with two data bytes when the Quad Enable bit is one. Backward compatibility should be fine. The newly introduced spi_nor_spansion_clear_sr_bp() is tightly coupled with the spansion_quad_enable() function. Both assume that the Write Register with 16 bits, together with the Read Configuration Register (35h) instructions are supported. Fixes: dcb4b22eeaf44f91 ("spi-nor: s25fl512s supports region locking") Reported-by: Geert Uytterhoeven Signed-off-by: Tudor Ambarus Tested-by: Jonas Bonn Tested-by: Geert Uytterhoeven Reviewed-by: Vignesh Raghavendra Tested-by: Vignesh Raghavendra Signed-off-by: Miquel Raynal commit c492d4c74dd3f87559883ffa0f94a8f1ae3fe5f5 Author: Xin Long Date: Thu Jun 20 18:39:28 2019 +0800 tipc: change to use register_pernet_device This patch is to fix a dst defcnt leak, which can be reproduced by doing: # ip net a c; ip net a s; modprobe tipc # ip net e s ip l a n eth1 type veth peer n eth1 netns c # ip net e c ip l s lo up; ip net e c ip l s eth1 up # ip net e s ip l s lo up; ip net e s ip l s eth1 up # ip net e c ip a a 1.1.1.2/8 dev eth1 # ip net e s ip a a 1.1.1.1/8 dev eth1 # ip net e c tipc b e m udp n u1 localip 1.1.1.2 # ip net e s tipc b e m udp n u1 localip 1.1.1.1 # ip net d c; ip net d s; rmmod tipc and it will get stuck and keep logging the error: unregister_netdevice: waiting for lo to become free. Usage count = 1 The cause is that a dst is held by the udp sock's sk_rx_dst set on udp rx path with udp_early_demux == 1, and this dst (eventually holding lo dev) can't be released as bearer's removal in tipc pernet .exit happens after lo dev's removal, default_device pernet .exit. "There are two distinct types of pernet_operations recognized: subsys and device. At creation all subsys init functions are called before device init functions, and at destruction all device exit functions are called before subsys exit function." So by calling register_pernet_device instead to register tipc_net_ops, the pernet .exit() will be invoked earlier than loopback dev's removal when a netns is being destroyed, as fou/gue does. Note that vxlan and geneve udp tunnels don't have this issue, as the udp sock is released in their device ndo_stop(). This fix is also necessary for tipc dst_cache, which will hold dsts on tx path and I will introduce in my next patch. Reported-by: Li Shuang Signed-off-by: Xin Long Acked-by: Jon Maloy Signed-off-by: David S. Miller commit 8ac8a01092b2added0749ef937037bf1912e13e3 Author: Sergej Benilov Date: Thu Jun 20 11:02:18 2019 +0200 sis900: fix TX completion Since commit 605ad7f184b60cfaacbc038aa6c55ee68dee3c89 "tcp: refine TSO autosizing", outbound throughput is dramatically reduced for some connections, as sis900 is doing TX completion within idle states only. Make TX completion happen after every transmitted packet. Test: netperf before patch: > netperf -H remote -l -2000000 -- -s 1000000 MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 327680 327680 253.44 0.06 after patch: > netperf -H remote -l -10000000 -- -s 1000000 MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 327680 327680 5.38 14.89 Thx to Dave Miller and Eric Dumazet for helpful hints Signed-off-by: Sergej Benilov Signed-off-by: David S. Miller commit d0bb82fd60183868f46c8ccc595a3d61c3334a18 Author: Roland Hii Date: Wed Jun 19 22:41:48 2019 +0800 net: stmmac: set IC bit when transmitting frames with HW timestamp When transmitting certain PTP frames, e.g. SYNC and DELAY_REQ, the PTP daemon, e.g. ptp4l, is polling the driver for the frame transmit hardware timestamp. The polling will most likely timeout if the tx coalesce is enabled due to the Interrupt-on-Completion (IC) bit is not set in tx descriptor for those frames. This patch will ignore the tx coalesce parameter and set the IC bit when transmitting PTP frames which need to report out the frame transmit hardware timestamp to user space. Fixes: f748be531d70 ("net: stmmac: Rework coalesce timer and fix multi-queue races") Signed-off-by: Roland Hii Signed-off-by: Ong Boon Leong Signed-off-by: Voon Weifeng Signed-off-by: David S. Miller commit a1e5388b4d5fc78688e5e9ee6641f779721d6291 Author: Roland Hii Date: Wed Jun 19 22:13:48 2019 +0800 net: stmmac: fixed new system time seconds value calculation When ADDSUB bit is set, the system time seconds field is calculated as the complement of the seconds part of the update value. For example, if 3.000000001 seconds need to be subtracted from the system time, this field is calculated as 2^32 - 3 = 4294967296 - 3 = 0x100000000 - 3 = 0xFFFFFFFD Previously, the 0x100000000 is mistakenly written as 100000000. This is further simplified from sec = (0x100000000ULL - sec); to sec = -sec; Fixes: ba1ffd74df74 ("stmmac: fix PTP support for GMAC4") Signed-off-by: Roland Hii Signed-off-by: Ong Boon Leong Signed-off-by: Voon Weifeng Signed-off-by: David S. Miller commit 4b972a01a7da614b4796475f933094751a295a2f Author: Linus Torvalds Date: Sat Jun 22 16:01:36 2019 -0700 Linux 5.2-rc6 commit 6698a71a1e360d89514aafcea15ccff837f59038 Merge: b253d5f3ecc9 0aafc8ae665f Author: Linus Torvalds Date: Sat Jun 22 14:08:47 2019 -0700 Merge tag 'iommu-fix-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull iommu fix from Joerg Roedel: "Revert a commit from the previous pile of fixes which causes new lockdep splats. It is better to revert it for now and work on a better and more well tested fix" * tag 'iommu-fix-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: Revert "iommu/vt-d: Fix lock inversion between iommu->lock and device_domain_lock" commit 0aafc8ae665f89b9031a914f80f5e58825b33021 Author: Peter Xu Date: Fri Jun 21 10:32:05 2019 +0800 Revert "iommu/vt-d: Fix lock inversion between iommu->lock and device_domain_lock" This reverts commit 7560cc3ca7d9d11555f80c830544e463fcdb28b8. With 5.2.0-rc5 I can easily trigger this with lockdep and iommu=pt: ====================================================== WARNING: possible circular locking dependency detected 5.2.0-rc5 #78 Not tainted ------------------------------------------------------ swapper/0/1 is trying to acquire lock: 00000000ea2b3beb (&(&iommu->lock)->rlock){+.+.}, at: domain_context_mapping_one+0xa5/0x4e0 but task is already holding lock: 00000000a681907b (device_domain_lock){....}, at: domain_context_mapping_one+0x8d/0x4e0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (device_domain_lock){....}: _raw_spin_lock_irqsave+0x3c/0x50 dmar_insert_one_dev_info+0xbb/0x510 domain_add_dev_info+0x50/0x90 dev_prepare_static_identity_mapping+0x30/0x68 intel_iommu_init+0xddd/0x1422 pci_iommu_init+0x16/0x3f do_one_initcall+0x5d/0x2b4 kernel_init_freeable+0x218/0x2c1 kernel_init+0xa/0x100 ret_from_fork+0x3a/0x50 -> #0 (&(&iommu->lock)->rlock){+.+.}: lock_acquire+0x9e/0x170 _raw_spin_lock+0x25/0x30 domain_context_mapping_one+0xa5/0x4e0 pci_for_each_dma_alias+0x30/0x140 dmar_insert_one_dev_info+0x3b2/0x510 domain_add_dev_info+0x50/0x90 dev_prepare_static_identity_mapping+0x30/0x68 intel_iommu_init+0xddd/0x1422 pci_iommu_init+0x16/0x3f do_one_initcall+0x5d/0x2b4 kernel_init_freeable+0x218/0x2c1 kernel_init+0xa/0x100 ret_from_fork+0x3a/0x50 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(device_domain_lock); lock(&(&iommu->lock)->rlock); lock(device_domain_lock); lock(&(&iommu->lock)->rlock); *** DEADLOCK *** 2 locks held by swapper/0/1: #0: 00000000033eb13d (dmar_global_lock){++++}, at: intel_iommu_init+0x1e0/0x1422 #1: 00000000a681907b (device_domain_lock){....}, at: domain_context_mapping_one+0x8d/0x4e0 stack backtrace: CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.2.0-rc5 #78 Hardware name: LENOVO 20KGS35G01/20KGS35G01, BIOS N23ET50W (1.25 ) 06/25/2018 Call Trace: dump_stack+0x85/0xc0 print_circular_bug.cold.57+0x15c/0x195 __lock_acquire+0x152a/0x1710 lock_acquire+0x9e/0x170 ? domain_context_mapping_one+0xa5/0x4e0 _raw_spin_lock+0x25/0x30 ? domain_context_mapping_one+0xa5/0x4e0 domain_context_mapping_one+0xa5/0x4e0 ? domain_context_mapping_one+0x4e0/0x4e0 pci_for_each_dma_alias+0x30/0x140 dmar_insert_one_dev_info+0x3b2/0x510 domain_add_dev_info+0x50/0x90 dev_prepare_static_identity_mapping+0x30/0x68 intel_iommu_init+0xddd/0x1422 ? printk+0x58/0x6f ? lockdep_hardirqs_on+0xf0/0x180 ? do_early_param+0x8e/0x8e ? e820__memblock_setup+0x63/0x63 pci_iommu_init+0x16/0x3f do_one_initcall+0x5d/0x2b4 ? do_early_param+0x8e/0x8e ? rcu_read_lock_sched_held+0x55/0x60 ? do_early_param+0x8e/0x8e kernel_init_freeable+0x218/0x2c1 ? rest_init+0x230/0x230 kernel_init+0xa/0x100 ret_from_fork+0x3a/0x50 domain_context_mapping_one() is taking device_domain_lock first then iommu lock, while dmar_insert_one_dev_info() is doing the reverse. That should be introduced by commit: 7560cc3ca7d9 ("iommu/vt-d: Fix lock inversion between iommu->lock and device_domain_lock", 2019-05-27) So far I still cannot figure out how the previous deadlock was triggered (I cannot find iommu lock taken before calling of iommu_flush_dev_iotlb()), however I'm pretty sure that that change should be incomplete at least because it does not fix all the places so we're still taking the locks in different orders, while reverting that commit is very clean to me so far that we should always take device_domain_lock first then the iommu lock. We can continue to try to find the real culprit mentioned in 7560cc3ca7d9, but for now I think we should revert it to fix current breakage. CC: Joerg Roedel CC: Lu Baolu CC: dave.jiang@intel.com Signed-off-by: Peter Xu Tested-by: Chris Wilson Signed-off-by: Joerg Roedel commit b253d5f3ecc95c2b4e8d4a525fd754c9e32b0f6e Merge: f4102766463a 6dbbd053e6ae Author: Linus Torvalds Date: Sat Jun 22 09:42:29 2019 -0700 Merge tag 'pci-v5.2-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci Pull PCI fix from Bjorn Helgaas: "If an IOMMU is present, ignore the P2PDMA whitelist we added for v5.2 because we don't yet know how to support P2PDMA in that case (Logan Gunthorpe)" * tag 'pci-v5.2-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: PCI/P2PDMA: Ignore root complex whitelist when an IOMMU is present commit f4102766463a66026bd4af6c30cbbd01f10e6c42 Merge: a8282bf087bc 5589b08e5be4 Author: Linus Torvalds Date: Sat Jun 22 09:39:03 2019 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Three driver fixes (and one version number update): a suspend hang in ufs, a qla hard lock on module removal and a qedi panic during discovery" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: qla2xxx: Fix hardlockup in abort command during driver remove scsi: ufs: Avoid runtime suspend possibly being blocked forever scsi: qedi: update driver version to 8.37.0.20 scsi: qedi: Check targetname while finding boot target information commit a8282bf087bcfb348ad97c8ed1f457bc11fd9709 Merge: 693cd8ce3f88 500871125920 Author: Linus Torvalds Date: Sat Jun 22 09:09:42 2019 -0700 Merge tag 'powerpc-5.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "This is a frustratingly large batch at rc5. Some of these were sent earlier but were missed by me due to being distracted by other things, and some took a while to track down due to needing manual bisection on old hardware. But still we clearly need to improve our testing of KVM, and of 32-bit, so that we catch these earlier. Summary: seven fixes, all for bugs introduced this cycle. - The commit to add KASAN support broke booting on 32-bit SMP machines, due to a refactoring that moved some setup out of the secondary CPU path. - A fix for another 32-bit SMP bug introduced by the fast syscall entry implementation for 32-bit BOOKE. And a build fix for the same commit. - Our change to allow the DAWR to be force enabled on Power9 introduced a bug in KVM, where we clobber r3 leading to a host crash. - The same commit also exposed a previously unreachable bug in the nested KVM handling of DAWR, which could lead to an oops in a nested host. - One of the DMA reworks broke the b43legacy WiFi driver on some people's powermacs, fix it by enabling a 30-bit ZONE_DMA on 32-bit. - A fix for TLB flushing in KVM introduced a new bug, as it neglected to also flush the ERAT, this could lead to memory corruption in the guest. Thanks to: Aaro Koskinen, Christoph Hellwig, Christophe Leroy, Larry Finger, Michael Neuling, Suraj Jitindar Singh" * tag 'powerpc-5.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: KVM: PPC: Book3S HV: Invalidate ERAT when flushing guest TLB entries powerpc: enable a 30-bit ZONE_DMA for 32-bit pmac KVM: PPC: Book3S HV: Only write DAWR[X] when handling h_set_dawr in real mode KVM: PPC: Book3S HV: Fix r3 corruption in h_set_dabr() powerpc/32: fix build failure on book3e with KVM powerpc/booke: fix fast syscall entry on SMP powerpc/32s: fix initial setup of segment registers on secondary CPU commit 693cd8ce3f882524a5d06f7800dd8492411877b3 Author: Marcel Holtmann Date: Sat Jun 22 15:47:01 2019 +0200 Bluetooth: Fix regression with minimum encryption key size alignment When trying to align the minimum encryption key size requirement for Bluetooth connections, it turns out doing this in a central location in the HCI connection handling code is not possible. Original Bluetooth version up to 2.0 used a security model where the L2CAP service would enforce authentication and encryption. Starting with Bluetooth 2.1 and Secure Simple Pairing that model has changed into that the connection initiator is responsible for providing an encrypted ACL link before any L2CAP communication can happen. Now connecting Bluetooth 2.1 or later devices with Bluetooth 2.0 and before devices are causing a regression. The encryption key size check needs to be moved out of the HCI connection handling into the L2CAP channel setup. To achieve this, the current check inside hci_conn_security() has been moved into l2cap_check_enc_key_size() helper function and then called from four decisions point inside L2CAP to cover all combinations of Secure Simple Pairing enabled devices and device using legacy pairing and legacy service security model. Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203643 Signed-off-by: Marcel Holtmann Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit aad1dcc4f011ea409850e040363dff1e59aa4175 Author: Takashi Iwai Date: Wed Jun 19 15:34:07 2019 +0200 ppp: mppe: Add softdep to arc4 The arc4 crypto is mandatory at ppp_mppe probe time, so let's put a softdep line, so that the corresponding module gets prepared gracefully. Without this, a simple inclusion to initrd via dracut failed due to the missing dependency, for example. Signed-off-by: Takashi Iwai Signed-off-by: David S. Miller commit 2e5db6eb3c23e5dc8171eb8f6af7a97ef9fcf3a9 Author: Petr Oros Date: Wed Jun 19 14:29:42 2019 +0200 be2net: fix link failure after ethtool offline test Certain cards in conjunction with certain switches need a little more time for link setup that results in ethtool link test failure after offline test. Patch adds a loop that waits for a link setup finish. Changes in v2: - added fixes header Fixes: 4276e47e2d1c ("be2net: Add link test to list of ethtool self tests.") Signed-off-by: Petr Oros Reviewed-by: Ivan Vecera Signed-off-by: David S. Miller commit ea136a112d89bade596314a1ae49f748902f4727 Author: Colin Ian King Date: Wed Jun 19 19:14:46 2019 +0100 x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz The left shift of unsigned int cpu_khz will overflow for large values of cpu_khz, so cast it to a long long before shifting it to avoid overvlow. For example, this can happen when cpu_khz is 4194305, i.e. ~4.2 GHz. Addresses-Coverity: ("Unintentional integer overflow") Fixes: 8c3ba8d04924 ("x86, apic: ack all pending irqs when crashed/on kexec") Signed-off-by: Colin Ian King Signed-off-by: Thomas Gleixner Cc: Borislav Petkov Cc: "H . Peter Anvin" Cc: kernel-janitors@vger.kernel.org Link: https://lkml.kernel.org/r/20190619181446.13635-1-colin.king@canonical.com commit 48c7d73b2362ce61503551ad70052617b3e8857d Merge: 88447c5b93d9 975a6166a858 Author: Thomas Gleixner Date: Sat Jun 22 11:16:25 2019 +0200 Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi into efi/urgent Pull another handful of EFI fixes for v5.2 from Arnd: - Fix a potential crash after kexec on arm64 with GICv3 - Fix a build warning on x86 - Stop policing the BGRT feature flags - Use a non-blocking version of SetVariable() in the boot control driver commit 975a6166a8584ee4a1b8bd93098e49dc101d7171 Author: Tian Baofeng Date: Wed Jun 12 16:18:10 2019 +0800 efibc: Replace variable set function in notifier call Replace the variable set function from "efivar_entry_set" to "efivar_entry_set_safe" in efibc panic notifier. In safe function parameter "block" will set to false and will call "efivar_entry_set_nonblocking"to set efi variables. efivar_entry_set_nonblocking is guaranteed to not block and is suitable for calling from crash/panic handlers. In UEFI android platform, when warm reset happens, with this change, efibc will not block the reboot process. Otherwise, set variable will call queue work and send to other offlined cpus then cause another panic, finally will cause reboot failure. Signed-off-by: Tian Baofeng Signed-off-by: Luo XinanX Signed-off-by: Ard Biesheuvel commit c356dc4b540edd6c02b409dd8cf3208ba2804c38 Merge: 121bddf39a8e b6653b3629e5 Author: Linus Torvalds Date: Fri Jun 21 22:23:35 2019 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Fix leak of unqueued fragments in ipv6 nf_defrag, from Guillaume Nault. 2) Don't access the DDM interface unless the transceiver implements it in bnx2x, from Mauro S. M. Rodrigues. 3) Don't double fetch 'len' from userspace in sock_getsockopt(), from JingYi Hou. 4) Sign extension overflow in lio_core, from Colin Ian King. 5) Various netem bug fixes wrt. corrupted packets from Jakub Kicinski. 6) Fix epollout hang in hvsock, from Sunil Muthuswamy. 7) Fix regression in default fib6_type, from David Ahern. 8) Handle memory limits in tcp_fragment more appropriately, from Eric Dumazet. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (24 commits) tcp: refine memory limit test in tcp_fragment() inet: clear num_timeout reqsk_alloc() net: mvpp2: debugfs: Add pmap to fs dump ipv6: Default fib6_type to RTN_UNICAST when not set net: hns3: Fix inconsistent indenting net/af_iucv: always register net_device notifier net/af_iucv: build proper skbs for HiperTransport net/af_iucv: remove GFP_DMA restriction for HiperTransport net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() hvsock: fix epollout hang from race condition net/udp_gso: Allow TX timestamp with UDP GSO net: netem: fix use after free and double free with packet corruption net: netem: fix backlog accounting for corrupted GSO frames net: lio_core: fix potential sign-extension overflow on large shift tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL tun: wake up waitqueues after IFF_UP is set net: remove duplicate fetch in sock_getsockopt tipc: fix issues with early FAILOVER_MSG from peer ... commit b6653b3629e5b88202be3c9abc44713973f5c4b4 Author: Eric Dumazet Date: Fri Jun 21 06:09:55 2019 -0700 tcp: refine memory limit test in tcp_fragment() tcp_fragment() might be called for skbs in the write queue. Memory limits might have been exceeded because tcp_sendmsg() only checks limits at full skb (64KB) boundaries. Therefore, we need to make sure tcp_fragment() wont punish applications that might have setup very low SO_SNDBUF values. Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits") Signed-off-by: Eric Dumazet Reported-by: Christoph Paasch Tested-by: Christoph Paasch Signed-off-by: David S. Miller commit 121bddf39a8e39baf0df9ef1d688392c179935cd Merge: c036f7dabc34 7a5834e456f7 Author: Linus Torvalds Date: Fri Jun 21 14:47:09 2019 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Doug Ledford: "This is probably our last -rc pull request. We don't have anything else outstanding at the moment anyway, and with the summer months on us and people taking trips, I expect the next weeks leading up to the merge window to be pretty calm and sedate. This has two simple, no brainer fixes for the EFA driver. Then it has ten not quite so simple fixes for the hfi1 driver. The problem with them is that they aren't simply one liner typo fixes. They're still fixes, but they're more complex issues like livelock under heavy load where the answer was to change work queue usage and spinlock usage to resolve the problem, or issues with orphaned requests during certain types of failures like link down which required some more complex work to fix too. They all look like legitimate fixes to me, they just aren't small like I wish they were. Summary: - 2 minor EFA fixes - 10 hfi1 fixes related to scaling issues" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/efa: Handle mmap insertions overflow RDMA/efa: Fix success return value in case of error IB/hfi1: Handle port down properly in pio IB/hfi1: Handle wakeup of orphaned QPs for pio IB/hfi1: Wakeup QPs orphaned on wait list after flush IB/hfi1: Use aborts to trigger RC throttling IB/hfi1: Create inline to get extended headers IB/hfi1: Silence txreq allocation warnings IB/hfi1: Avoid hardlockup with flushlist_lock IB/hfi1: Correct tid qp rcd to match verbs context IB/hfi1: Close PSM sdma_progress sleep window IB/hfi1: Validate fault injection opcode user input commit c036f7dabc34ff14fb8a4a04cf3d53afb435715a Merge: ff17bbe0bb40 19d55046cd82 Author: Linus Torvalds Date: Fri Jun 21 13:45:41 2019 -0700 Merge tag 'nfs-for-5.2-3' of git://git.linux-nfs.org/projects/anna/linux-nfs Pull more NFS client fixes from Anna Schumaker: "These are mostly refcounting issues that people have found recently. The revert fixes a suspend recovery performance issue. - SUNRPC: Fix a credential refcount leak - Revert "SUNRPC: Declare RPC timers as TIMER_DEFERRABLE" - SUNRPC: Fix xps refcount imbalance on the error path - NFS4: Only set creation opendata if O_CREAT" * tag 'nfs-for-5.2-3' of git://git.linux-nfs.org/projects/anna/linux-nfs: SUNRPC: Fix a credential refcount leak Revert "SUNRPC: Declare RPC timers as TIMER_DEFERRABLE" net :sunrpc :clnt :Fix xps refcount imbalance on the error path NFS4: Only set creation opendata if O_CREAT commit ff17bbe0bb405ad8b36e55815d381841f9fdeebc Author: Andy Lutomirski Date: Fri Jun 21 08:43:04 2019 -0700 x86/vdso: Prevent segfaults due to hoisted vclock reads GCC 5.5.0 sometimes cleverly hoists reads of the pvclock and/or hvclock pages before the vclock mode checks. This creates a path through vclock_gettime() in which no vclock is enabled at all (due to disabled TSC on old CPUs, for example) but the pvclock or hvclock page nevertheless read. This will segfault on bare metal. This fixes commit 459e3a21535a ("gcc-9: properly declare the {pv,hv}clock_page storage") in the sense that, before that commit, GCC didn't seem to generate the offending code. There was nothing wrong with that commit per se, and -stable maintainers should backport this to all supported kernels regardless of whether the offending commit was present, since the same crash could just as easily be triggered by the phase of the moon. On GCC 9.1.1, this doesn't seem to affect the generated code at all, so I'm not too concerned about performance regressions from this fix. Cc: stable@vger.kernel.org Cc: x86@kernel.org Cc: Borislav Petkov Reported-by: Duncan Roe Signed-off-by: Andy Lutomirski Signed-off-by: Linus Torvalds commit 60c112b0ada09826cc4ae6a4e55df677f76f1313 Author: Jens Axboe Date: Fri Jun 21 10:20:18 2019 -0600 io_uring: ensure req->file is cleared on allocation Stephen reports: I hit the following General Protection Fault when testing io_uring via the io_uring engine in fio. This was on a VM running 5.2-rc5 and the latest version of fio. The issue occurs for both null_blk and fake NVMe drives. I have not tested bare metal or real NVMe SSDs. The fio script used is given below. [io_uring] time_based=1 runtime=60 filename=/dev/nvme2n1 (note /dev/nullb0 also fails) ioengine=io_uring bs=4k rw=readwrite direct=1 fixedbufs=1 sqthread_poll=1 sqthread_poll_cpu=0 general protection fault: 0000 [#1] SMP PTI CPU: 0 PID: 872 Comm: io_uring-sq Not tainted 5.2.0-rc5-cpacket-io-uring #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:fput_many+0x7/0x90 Code: 01 48 85 ff 74 17 55 48 89 e5 53 48 8b 1f e8 a0 f9 ff ff 48 85 db 48 89 df 75 f0 5b 5d f3 c3 0f 1f 40 00 0f 1f 44 00 00 89 f6 48 29 77 38 74 01 c3 55 48 89 e5 53 48 89 fb 65 48 \ RSP: 0018:ffffadeb817ebc50 EFLAGS: 00010246 RAX: 0000000000000004 RBX: ffff8f46ad477480 RCX: 0000000000001805 RDX: 0000000000000000 RSI: 0000000000000001 RDI: f18b51b9a39552b5 RBP: ffffadeb817ebc58 R08: ffff8f46b7a318c0 R09: 000000000000015d R10: ffffadeb817ebce8 R11: 0000000000000020 R12: ffff8f46ad4cd000 R13: 00000000fffffff7 R14: ffffadeb817ebe30 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8f46b7a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055828f0bbbf0 CR3: 0000000232176004 CR4: 00000000003606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? fput+0x13/0x20 io_free_req+0x20/0x40 io_put_req+0x1b/0x20 io_submit_sqe+0x40a/0x680 ? __switch_to_asm+0x34/0x70 ? __switch_to_asm+0x40/0x70 io_submit_sqes+0xb9/0x160 ? io_submit_sqes+0xb9/0x160 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __schedule+0x3f2/0x6a0 ? __switch_to_asm+0x34/0x70 io_sq_thread+0x1af/0x470 ? __switch_to_asm+0x34/0x70 ? wait_woken+0x80/0x80 ? __switch_to+0x85/0x410 ? __switch_to_asm+0x40/0x70 ? __switch_to_asm+0x34/0x70 ? __schedule+0x3f2/0x6a0 kthread+0x105/0x140 ? io_submit_sqes+0x160/0x160 ? kthread+0x105/0x140 ? io_submit_sqes+0x160/0x160 ? kthread_destroy_worker+0x50/0x50 ret_from_fork+0x35/0x40 which occurs because using a kernel side submission thread isn't valid without using fixed files (registered through io_uring_register()). This causes io_uring to put the request after logging an error, but before the file field is set in the request. If it happens to be non-zero, we attempt to fput() garbage. Fix this by ensuring that req->file is initialized when the request is allocated. Cc: stable@vger.kernel.org # 5.1+ Reported-by: Stephen Bates Tested-by: Stephen Bates Signed-off-by: Jens Axboe commit 19d55046cd824baab53534ba7e7f99945c6fdcb1 Author: Trond Myklebust Date: Thu Jun 20 10:47:40 2019 -0400 SUNRPC: Fix a credential refcount leak All callers of __rpc_clone_client() pass in a value for args->cred, meaning that the credential gets assigned and referenced in the call to rpc_new_client(). Reported-by: Ido Schimmel Fixes: 79caa5fad47c ("SUNRPC: Cache cred of process creating the rpc_client") Signed-off-by: Trond Myklebust Tested-by: Ido Schimmel Signed-off-by: Anna Schumaker commit 502980e84e4025d82e81f7d9684a708a3b31bcde Author: Anna Schumaker Date: Tue Jun 18 14:57:33 2019 -0400 Revert "SUNRPC: Declare RPC timers as TIMER_DEFERRABLE" Jon Hunter reports: "I have been noticing intermittent failures with a system suspend test on some of our machines that have a NFS mounted root file-system. Bisecting this issue points to your commit 431235818bc3 ("SUNRPC: Declare RPC timers as TIMER_DEFERRABLE") and reverting this on top of v5.2-rc3 does appear to resolve the problem. The cause of the suspend failure appears to be a long delay observed sometimes when resuming from suspend, and this is causing our test to timeout." This reverts commit 431235818bc3a919ca7487500c67c3144feece80. Reported-by: Jon Hunter Signed-off-by: Anna Schumaker commit b96226148491505318228ac52624956bd98f9e0c Author: Lin Yi Date: Mon Jun 10 10:16:56 2019 +0800 net :sunrpc :clnt :Fix xps refcount imbalance on the error path rpc_clnt_add_xprt take a reference to struct rpc_xprt_switch, but forget to release it before return, may lead to a memory leak. Signed-off-by: Lin Yi Signed-off-by: Anna Schumaker commit 909105199a682cb09c500acd443d34b182846c9c Author: Benjamin Coddington Date: Fri Jun 7 06:37:30 2019 -0400 NFS4: Only set creation opendata if O_CREAT We can end up in nfs4_opendata_alloc during task exit, in which case current->fs has already been cleaned up. This leads to a crash in current_umask(). Fix this by only setting creation opendata if we are actually doing an open with O_CREAT. We can drop the check for NULL nfs4_open_createattrs, since O_CREAT will never be set for the recovery path. Suggested-by: Trond Myklebust Signed-off-by: Benjamin Coddington Signed-off-by: Anna Schumaker commit a4c33bbb660b89fc7f21957386fb3a0b38e43f98 Merge: 0728f6c3cab1 c5d0e49e8d8f Author: Linus Torvalds Date: Fri Jun 21 11:11:30 2019 -0700 Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fix from Russell King: "Just one ARM fix this time around for Jason Donenfeld, fixing a problem with the VDSO generation on big endian" * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: 8867/1: vdso: pass --be8 to linker if necessary commit 0728f6c3cab107f0aab2c8ded1292dd2cc41a228 Merge: db54615e2141 5eab9cf87b6c Author: Linus Torvalds Date: Fri Jun 21 11:03:33 2019 -0700 Merge tag 'drm-fixes-2019-06-21' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Just catching up on the week since back from holidays, everything seems quite sane. core: - copy_to_user fix for really legacy codepaths. vmwgfx: - two dma fixes - one virt hw interaction fix i915: - modesetting fix - gvt fix panfrost: - BO unmapping fix imx: - image converter fixes" * tag 'drm-fixes-2019-06-21' of git://anongit.freedesktop.org/drm/drm: drm/i915: Don't clobber M/N values during fastset check drm: return -EFAULT if copy_to_user() fails drm/panfrost: Make sure a BO is only unmapped when appropriate drm/i915/gvt: ignore unexpected pvinfo write gpu: ipu-v3: image-convert: Fix image downsize coefficients gpu: ipu-v3: image-convert: Fix input bytesperline for packed formats gpu: ipu-v3: image-convert: Fix input bytesperline width/height align drm/vmwgfx: fix a warning due to missing dma_parms drm/vmwgfx: Honor the sg list segment size limitation drm/vmwgfx: Use the backdoor port if the HB port is not available commit db54615e21419c3cb4d699a0b0aa16cc44d0e9da Merge: b7b8a44f3aba 9b9410766f54 Author: Linus Torvalds Date: Fri Jun 21 10:20:19 2019 -0700 Merge tag 'staging-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging/IIO/counter fixes from Greg KH: "Here are some small driver bugfixes for some staging/iio/counter drivers. Staging and IIO have been lumped together for a while, as those subsystems cross the areas a log, and counter is used by IIO, so that's why they are all in one pull request here. These are small fixes for reported issues in some iio drivers, the erofs filesystem, and a build issue for counter code. All have been in linux-next with no reported issues" * tag 'staging-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: erofs: add requirements field in superblock counter/ftm-quaddec: Add missing dependencies in Kconfig staging: iio: adt7316: Fix build errors when GPIOLIB is not set iio: temperature: mlx90632 Relax the compatibility check iio: imu: st_lsm6dsx: fix PM support for st_lsm6dsx i2c controller staging:iio:ad7150: fix threshold mode config bit commit b7b8a44f3abab51cc2772c5ced2fe2f51a1ad2b8 Merge: cf24242189b9 6f828c55e267 Author: Linus Torvalds Date: Fri Jun 21 10:18:16 2019 -0700 Merge tag 'char-misc-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are a number of small driver fixes for 5.2-rc6 Nothing major, just fixes for reported issues: - soundwire fixes - thunderbolt fixes - MAINTAINERS update for fpga maintainer change - binder bugfix - habanalabs 64bit pointer fix - documentation updates All of these have been in linux-next with no reported issues" * tag 'char-misc-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: habanalabs: use u64_to_user_ptr() for reading user pointers doc: fix documentation about UIO_MEM_LOGICAL using MAINTAINERS / Documentation: Thorsten Scherer is the successor of Gavin Schenk docs: fb: Add TER16x32 to the available font names MAINTAINERS: fpga: hand off maintainership to Moritz thunderbolt: Implement CIO reset correctly for Titan Ridge binder: fix possible UAF when freeing buffer thunderbolt: Make sure device runtime resume completes before taking domain lock soundwire: intel: set dai min and max channels correctly soundwire: stream: fix bad unlock balance soundwire: stream: fix out of boundary access on port properties commit cf24242189b935826a88feedb64761cbf483e42c Merge: c884d8ac7ffc d28bdaff5e26 Author: Linus Torvalds Date: Fri Jun 21 10:16:41 2019 -0700 Merge tag 'usb-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are four small USB fixes for 5.2-rc6. They include two xhci bugfixes, a chipidea fix, and a small dwc2 fix. Nothing major, just nice things to get resolved for reported issues. All have been in linux-next with no reported issues" * tag 'usb-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: xhci: detect USB 3.2 capable host controllers correctly usb: xhci: Don't try to recover an endpoint if port is in error state. usb: dwc2: Use generic PHY width in params setup usb: chipidea: udc: workaround for endpoint conflict issue commit c884d8ac7ffccc094e9674a3eb3be90d3b296c0a Merge: 05512b0f4652 c891f3b97964 Author: Linus Torvalds Date: Fri Jun 21 09:58:42 2019 -0700 Merge tag 'spdx-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx Pull still more SPDX updates from Greg KH: "Another round of SPDX updates for 5.2-rc6 Here is what I am guessing is going to be the last "big" SPDX update for 5.2. It contains all of the remaining GPLv2 and GPLv2+ updates that were "easy" to determine by pattern matching. The ones after this are going to be a bit more difficult and the people on the spdx list will be discussing them on a case-by-case basis now. Another 5000+ files are fixed up, so our overall totals are: Files checked: 64545 Files with SPDX: 45529 Compared to the 5.1 kernel which was: Files checked: 63848 Files with SPDX: 22576 This is a huge improvement. Also, we deleted another 20000 lines of boilerplate license crud, always nice to see in a diffstat" * tag 'spdx-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx: (65 commits) treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 507 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 506 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 505 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 504 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 503 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 502 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 501 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 498 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 497 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 496 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 495 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 491 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 490 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 489 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 488 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 487 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 486 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 485 ... commit 05512b0f46526c4e248b1da9386d73a84b7d327b Merge: 4ae004a9bca8 61cabc7b0a5c Author: Linus Torvalds Date: Fri Jun 21 09:51:44 2019 -0700 Merge tag '5.2-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: "Four small SMB3 fixes, all for stable" * tag '5.2-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: fix GlobalMid_Lock bug in cifs_reconnect SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write cifs: add spinlock for the openFileList to cifsInodeInfo cifs: fix panic in smb2_reconnect commit 919aef44d73d5d0c04213cb1bc31149cc074e65e Author: Qian Cai Date: Wed Jun 19 13:47:44 2019 -0400 x86/efi: fix a -Wtype-limits compilation warning Compiling a kernel with W=1 generates this warning, arch/x86/platform/efi/quirks.c:731:16: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits] Fixes: 3425d934fc03 ("efi/x86: Handle page faults occurring while running ...") Signed-off-by: Qian Cai Acked-by: "Prakhya, Sai Praneeth" Signed-off-by: Ard Biesheuvel commit 5eab9cf87b6c261f4e2f6c7623171cc2f5ea1a9c Merge: 91cbf5d2365c 912bbf7e9ca4 Author: Dave Airlie Date: Fri Jun 21 11:44:20 2019 +1000 Merge tag 'imx-drm-fixes-2019-06-20' of git://git.pengutronix.de/git/pza/linux into drm-fixes drm/imx: ipu-v3 image converter fixes This series fixes input buffer alignment and downsizer configuration to adhere to IPU mem2mem CSC/scaler hardware restrictions in certain downscaling ratios. Signed-off-by: Dave Airlie From: Philipp Zabel Link: https://patchwork.freedesktop.org/patch/msgid/1561040798.14349.20.camel@pengutronix.de commit 91cbf5d2365c980b0abdd0924f7fdd38bbf55c78 Merge: ea37e1a35c88 475df5d0f3eb Author: Dave Airlie Date: Fri Jun 21 11:39:14 2019 +1000 Merge tag 'drm-intel-fixes-2019-06-20' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes drm/i915 fixes for v5.2-rc6: - GVT: Fix reserved PVINFO register write (Weinan) - Avoid clobbering M/N values in fastset fuzzy checks (Ville) Signed-off-by: Dave Airlie From: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/87pnn8sbdp.fsf@intel.com commit ea37e1a35c88923837f7c03a3ee17da81dccda67 Merge: 47e3c4c96460 74b67efa8d7b Author: Dave Airlie Date: Fri Jun 21 11:35:12 2019 +1000 Merge tag 'drm-misc-fixes-2019-06-19' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes panfrost- Only unmap BO's if they're mapped (Boris) core- Handle buffer desc copy_to_user failure properly (Dan) Cc: Boris Brezillon Cc: Dan Carpenter Signed-off-by: Dave Airlie From: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20190619192745.GA145841@art_vandelay commit 47e3c4c96460073120577869f17b274264ca9788 Merge: 9e0babf2c06c 39916897cd81 Author: Dave Airlie Date: Fri Jun 21 11:26:59 2019 +1000 Merge branch 'vmwgfx-fixes-5.2' of git://people.freedesktop.org/~thomash/linux into drm-fixes A couple of fixes for vmwgfx. Two fixes for a DMA sg-list debug warning message. These are not cc'd stable since there is no evidence of actual breakage. On fix for the high-bandwidth backdoor port which is cc'd stable due to upcoming hardware, on which the code would otherwise break. Signed-off-by: Dave Airlie From: Thomas Hellstrom Link: https://patchwork.freedesktop.org/patch/msgid/20190618072255.2720-1-thomas@shipmail.org commit 637dfa0fad6d91a9a709dc70549a6d20fa77f615 Author: Cedric Hombourger Date: Thu Jun 13 10:52:50 2019 +0200 MIPS: have "plain" make calls build dtbs for selected platforms scripts/package/builddeb calls "make dtbs_install" after executing a plain make (i.e. no build targets specified). It will fail if dtbs were not built beforehand. Match the arm64 architecture where DTBs get built by the "all" target. Signed-off-by: Cedric Hombourger [paul.burton@mips.com: s/builddep/builddeb] Signed-off-by: Paul Burton Cc: linux-mips@vger.kernel.org Cc: stable@vger.kernel.org # v4.1+ commit c5d0e49e8d8f1a23034fdf8e935afc0c8f7ae27d Author: Jason A. Donenfeld Date: Mon Jun 17 13:29:19 2019 +0100 ARM: 8867/1: vdso: pass --be8 to linker if necessary The commit fe00e50b2db8 ("ARM: 8858/1: vdso: use $(LD) instead of $(CC) to link VDSO") removed the passing of CFLAGS, since ld doesn't take those directly. However, prior, big-endian ARM was relying on gcc to translate its -mbe8 option into ld's --be8 option. Lacking this, ld generated be32 code, making the VDSO generate SIGILL when called by userspace. This commit passes --be8 if CONFIG_CPU_ENDIAN_BE8 is enabled. Signed-off-by: Jason A. Donenfeld Cc: Masahiro Yamada Cc: Arnd Bergmann Cc: Ard Biesheuvel Signed-off-by: Russell King commit 4ae004a9bca8bef118c2b4e76ee31c7df4514f18 Merge: b910f6a7ccab 6dde1e42f497 Author: Linus Torvalds Date: Thu Jun 20 14:19:34 2019 -0700 Merge tag 'ovl-fixes-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fixes from Miklos Szeredi: "Fix two regressions in this cycle, and a couple of older bugs" * tag 'ovl-fixes-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: make i_ino consistent with st_ino in more cases ovl: fix typo in MODULE_PARM_DESC ovl: fix bogus -Wmaybe-unitialized warning ovl: don't fail with disconnected lower NFS ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls commit b910f6a7ccab60b4d930b438a97a265bb2b33135 Merge: b3e978337b25 766741fcaa1f Author: Linus Torvalds Date: Thu Jun 20 14:16:16 2019 -0700 Merge tag 'fuse-fixes-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse Pull fuse fix from Miklos Szeredi: "Just a single revert, fixing a regression in -rc1" * tag 'fuse-fixes-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: Revert "fuse: require /dev/fuse reads to have enough buffer capacity" commit b3e978337b25b042aa653652a029e3d798814c12 Merge: e929387449cf b21e31b25304 Author: Linus Torvalds Date: Thu Jun 20 13:50:37 2019 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "Fixes for ARM and x86, plus selftest patches and nicer structs for nested state save/restore" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: nVMX: reorganize initial steps of vmx_set_nested_state KVM: arm/arm64: Fix emulated ptimer irq injection tests: kvm: Check for a kernel warning kvm: tests: Sort tests in the Makefile alphabetically KVM: x86/mmu: Allocate PAE root array when using SVM's 32-bit NPT KVM: x86: Modify struct kvm_nested_state to have explicit fields for data KVM: fix typo in documentation KVM: nVMX: use correct clean fields when copying from eVMCS KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST KVM: arm64: Implement vq_present() as a macro commit 240b4cc8fd5db138b675297d4226ec46594d9b3b Author: Jan Kara Date: Wed Jun 19 09:05:41 2019 +0200 scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() Once we unlock adapter->hw_lock in pvscsi_queue_lck() nothing prevents just queued scsi_cmnd from completing and freeing the request. Thus cmd->cmnd[0] dereference can dereference already freed request leading to kernel crashes or other issues (which one of our customers observed). Store cmd->cmnd[0] in a local variable before unlocking adapter->hw_lock to fix the issue. CC: Signed-off-by: Jan Kara Reviewed-by: Ewan D. Milne Signed-off-by: Martin K. Petersen commit e929387449cf631e96840296a01922be1ef3c832 Merge: a409de616259 615c48ad8f42 Author: Linus Torvalds Date: Thu Jun 20 12:04:57 2019 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: "This is mainly a couple of email address updates to MAINTAINERS, but we've also fixed a UAPI build issue with musl libc and an accidental double-initialisation of our pgd_cache due to a naming conflict with a weak symbol. There are a couple of outstanding issues that have been reported, but it doesn't look like they're new and we're still a long way off from fully debugging them. Summary: - Fix use of #include in UAPI headers for compatability with musl libc - Update email addresses in MAINTAINERS - Fix initialisation of pgd_cache due to name collision with weak symbol" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64/mm: don't initialize pgd_cache twice MAINTAINERS: Update my email address arm64/sve: should not depend on arm64: ssbd: explicitly depend on MAINTAINERS: Update my email address to use @kernel.org commit a409de616259c520cc864f3a2bba69dde208c8be Merge: d72558b2b331 11aff183225c Author: Linus Torvalds Date: Thu Jun 20 12:03:41 2019 -0700 Merge tag 's390-5.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Heiko Carstens: - Disable address-of-packed-member warning in s390 specific boot code to get rid of a gcc9 warning which otherwise is already disabled for the whole kernel. - Fix yet another compiler error seen with CONFIG_OPTIMIZE_INLINING enabled. - Fix memory leak in vfio-ccw code on module exit. * tag 's390-5.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: vfio-ccw: Destroy kmem cache region on module exit s390/ctl_reg: mark __ctl_set_bit and __ctl_clear_bit as __always_inline s390/boot: disable address-of-packed-member warning commit d72558b2b33128363e5af7f57c59766a256e8434 Merge: 6331d118ac61 c285a2f01d69 Author: Linus Torvalds Date: Thu Jun 20 10:12:53 2019 -0700 Merge tag 'for_v5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull two misc vfs fixes from Jan Kara: "One small quota fix fixing spurious EDQUOT errors and one fanotify fix fixing a bug in the new fanotify FID reporting code" * tag 'for_v5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: fanotify: update connector fsid cache on add mark quota: fix a problem about transfer quota commit 2cd42d19cffa0ec3dfb57b1b3e1a07a9bf4ed80a Author: David Howells Date: Thu Jun 20 18:12:02 2019 +0100 afs: Fix setting of i_blocks The setting of i_blocks, which is calculated from i_size, has got accidentally misordered relative to the setting of i_size when initially setting up an inode. Further, i_blocks isn't updated by afs_apply_status() when the size is updated. To fix this, break the i_size/i_blocks setting out into a helper function and call it from both places. Fixes: a58823ac4589 ("afs: Fix application of status and callback to be under same lock") Signed-off-by: David Howells commit 6331d118ac61454ee52d5f9be098e9ddab6d6572 Merge: 41a247d896d2 83293386bc95 Author: Linus Torvalds Date: Thu Jun 20 10:08:38 2019 -0700 Merge tag 'mmc-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: "Here's quite a few MMC fixes intended for v5.2-rc6. This time it also contains fixes for a WiFi driver, which device is attached to the SDIO interface. Patches for the WiFi driver have been acked by the corresponding maintainers. Summary: MMC core: - Make switch to eMMC HS400 more robust for some controllers - Add two SDIO func API to manage re-tuning constraints - Prevent processing SDIO IRQs when the card is suspended MMC host: - sdhi: Disallow broken HS400 for M3-W ES1.2, RZ/G2M and V3H - mtk-sd: Fixup support for SDIO IRQs - sdhci-pci-o2micro: Fixup support for tuning Wireless BRCMFMAC (SDIO): - Deal with expected transmission errors related to the idle states (handled by the Always-On-Subsystem or AOS) on the SDIO-based WiFi on rk3288-veyron-minnie, rk3288-veyron-speedy and rk3288-veyron-mickey" * tag 'mmc-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: core: Prevent processing SDIO IRQs when the card is suspended mmc: sdhci: sdhci-pci-o2micro: Correctly set bus width when tuning brcmfmac: sdio: Don't tune while the card is off mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() brcmfmac: sdio: Disable auto-tuning around commands expected to fail mmc: core: API to temporarily disable retuning for SDIO CRC errors Revert "brcmfmac: disable command decode in sdio_aos" mmc: mediatek: fix SDIO IRQ detection issue mmc: mediatek: fix SDIO IRQ interrupt handle flow mmc: core: complete HS400 before checking status mmc: sdhi: disallow HS400 for M3-W ES1.2, RZ/G2M, and V3H commit 41a247d896d20b2b7c73ec40523d7caf058c0698 Merge: 241e39004581 440078db7a55 Author: Linus Torvalds Date: Thu Jun 20 09:58:35 2019 -0700 Merge tag 'for-linus-20190620' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Three fixes that should go into this series. One is a set of two patches from Christoph, fixing a page leak on same page merges. Boiled down version of a bigger fix, but this one is more appropriate for this late in the cycle (and easier to backport to stable). The last patch is for a divide error in MD, from Mariusz (via Song)" * tag 'for-linus-20190620' of git://git.kernel.dk/linux-block: md: fix for divide error in status_resync block: fix page leak when merging to same page block: return from __bio_try_merge_page if merging occured in the same page commit b21e31b253048b7f9768ca7cc270e67765fd6ba2 Merge: 9fd588772636 e4e5a865e9a9 Author: Paolo Bonzini Date: Thu Jun 20 18:24:18 2019 +0200 Merge tag 'kvmarm-fixes-for-5.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm fixes for 5.2, take #2 - SVE cleanup killing a warning with ancient GCC versions - Don't report non-existent system registers to userspace - Fix memory leak when freeing the vgic ITS - Properly lower the interrupt on the emulated physical timer commit 9fd588772636bcbe48669d880efa2e1cc0575ebd Author: Paolo Bonzini Date: Wed Jun 19 16:52:27 2019 +0200 KVM: nVMX: reorganize initial steps of vmx_set_nested_state Commit 332d079735f5 ("KVM: nVMX: KVM_SET_NESTED_STATE - Tear down old EVMCS state before setting new state", 2019-05-02) broke evmcs_test because the eVMCS setup must be performed even if there is no VMXON region defined, as long as the eVMCS bit is set in the assist page. While the simplest possible fix would be to add a check on kvm_state->flags & KVM_STATE_NESTED_EVMCS in the initial "if" that covers kvm_state->hdr.vmx.vmxon_pa == -1ull, that is quite ugly. Instead, this patch moves checks earlier in the function and conditionalizes them on kvm_state->hdr.vmx.vmxon_pa, so that vmx_set_nested_state always goes through vmx_leave_nested and nested_enable_evmcs. Fixes: 332d079735f5 ("KVM: nVMX: KVM_SET_NESTED_STATE - Tear down old EVMCS state before setting new state") Cc: Aaron Lewis Reviewed-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini commit 90fa9b64523a645a97edc0bdcf2d74759957eeee Author: David Howells Date: Thu Jun 20 16:49:35 2019 +0100 afs: Fix uninitialised spinlock afs_volume::cb_break_lock Fix the cb_break_lock spinlock in afs_volume struct by initialising it when the volume record is allocated. Also rename the lock to cb_v_break_lock to distinguish it from the lock of the same name in the afs_server struct. Without this, the following trace may be observed when a volume-break callback is received: INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 2 PID: 50 Comm: kworker/2:1 Not tainted 5.2.0-rc1-fscache+ #3045 Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 Workqueue: afs SRXAFSCB_CallBack Call Trace: dump_stack+0x67/0x8e register_lock_class+0x23b/0x421 ? check_usage_forwards+0x13c/0x13c __lock_acquire+0x89/0xf73 lock_acquire+0x13b/0x166 ? afs_break_callbacks+0x1b2/0x3dd _raw_write_lock+0x2c/0x36 ? afs_break_callbacks+0x1b2/0x3dd afs_break_callbacks+0x1b2/0x3dd ? trace_event_raw_event_afs_server+0x61/0xac SRXAFSCB_CallBack+0x11f/0x16c process_one_work+0x2c5/0x4ee ? worker_thread+0x234/0x2ac worker_thread+0x1d8/0x2ac ? cancel_delayed_work_sync+0xf/0xf kthread+0x11f/0x127 ? kthread_park+0x76/0x76 ret_from_fork+0x24/0x30 Fixes: 68251f0a6818 ("afs: Fix whole-volume callback handling") Signed-off-by: David Howells commit a6853b9ce81a8f32f3c13c30ae951bb6830a896a Author: David Howells Date: Thu Jun 20 16:49:35 2019 +0100 afs: Fix vlserver record corruption Because I made the afs_call struct share pointers to an afs_server object and an afs_vlserver object to save space, afs_put_call() calls afs_put_server() on afs_vlserver object (which is only meant for the afs_server object) because it sees that call->server isn't NULL. This means that the afs_vlserver object gets unpredictably and randomly modified, depending on what config options are set (such as lockdep). Fix this by getting rid of the union and having two non-overlapping pointers in the afs_call struct. Fixes: ffba718e9354 ("afs: Get rid of afs_call::reply[]") Signed-off-by: David Howells commit 3647e42b55dcbf3b93457eb750660676e8df5010 Author: David Howells Date: Wed Jun 19 10:56:03 2019 +0100 afs: Fix over zealous "vnode modified" warnings Occasionally, warnings like this: vnode modified 2af7 on {10000b:1} [exp 2af2] YFS.FetchStatus(vnode) are emitted into the kernel log. This indicates that when we were applying the updated vnode (file) status retrieved from the server to an inode we saw that the data version number wasn't what we were expecting (in this case it's 0x2af7 rather than 0x2af2). We've usually received a callback from the server prior to this point - or the callback promise has lapsed - so the warning is merely informative and the state is to be expected. Fix this by only emitting the warning if the we still think that we have a valid callback promise and haven't received a callback. Also change the format slightly so so that the new data version doesn't look like part of the text, the like is prefixed with "kAFS: " and the message is ranked as a warning. Fixes: 31143d5d515e ("AFS: implement basic file write support") Reported-by: Ian Wienand Signed-off-by: David Howells commit 32f010deab575199df4ebe7b6aec20c17bb7eccd Author: Reinette Chatre Date: Wed Jun 19 13:27:16 2019 -0700 x86/resctrl: Prevent possible overrun during bitmap operations While the DOC at the beginning of lib/bitmap.c explicitly states that "The number of valid bits in a given bitmap does _not_ need to be an exact multiple of BITS_PER_LONG.", some of the bitmap operations do indeed access BITS_PER_LONG portions of the provided bitmap no matter the size of the provided bitmap. For example, if find_first_bit() is provided with an 8 bit bitmap the operation will access BITS_PER_LONG bits from the provided bitmap. While the operation ensures that these extra bits do not affect the result, the memory is still accessed. The capacity bitmasks (CBMs) are typically stored in u32 since they can never exceed 32 bits. A few instances exist where a bitmap_* operation is performed on a CBM by simply pointing the bitmap operation to the stored u32 value. The consequence of this pattern is that some bitmap_* operations will access out-of-bounds memory when interacting with the provided CBM. This same issue has previously been addressed with commit 49e00eee0061 ("x86/intel_rdt: Fix out-of-bounds memory access in CBM tests") but at that time not all instances of the issue were fixed. Fix this by using an unsigned long to store the capacity bitmask data that is passed to bitmap functions. Fixes: e651901187ab ("x86/intel_rdt: Introduce "bit_usage" to display cache allocations details") Fixes: f4e80d67a527 ("x86/intel_rdt: Resctrl files reflect pseudo-locked information") Fixes: 95f0b77efa57 ("x86/intel_rdt: Initialize new resource group with sane defaults") Signed-off-by: Reinette Chatre Signed-off-by: Borislav Petkov Cc: Fenghua Yu Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: stable Cc: Thomas Gleixner Cc: Tony Luck Cc: x86-ml Link: https://lkml.kernel.org/r/58c9b6081fd9bf599af0dfc01a6fdd335768efef.1560975645.git.reinette.chatre@intel.com commit f4bb1f895aa07dfcb96169192ff7c9154620df87 Author: Souptick Joarder Date: Sun May 26 21:41:10 2019 +0530 auxdisplay/ht16k33.c: Convert to use vm_map_pages_zero() While using mmap, the incorrect values of length and vm_pgoff are ignored and this driver goes ahead with mapping fbdev.buffer to user vma. Convert vm_insert_pages() to use vm_map_pages_zero(). We could later "fix" these drivers to behave according to the normal vm_pgoff offsetting simply by removing the _zero suffix on the function name and if that causes regressions, it gives us an easy way to revert. Signed-off-by: Souptick Joarder Acked-by: Robin van der Gracht Signed-off-by: Miguel Ojeda commit 461e274b2821901ca9c084f43074ad099848199f Author: Souptick Joarder Date: Sun May 26 21:40:27 2019 +0530 auxdisplay/cfag12864bfb.c: Convert to use vm_map_pages_zero() While using mmap, the incorrect values of length and vm_pgoff are ignored and this driver goes ahead with mapping cfag12864b_buffer to user vma. Convert vm_insert_pages() to use vm_map_pages_zero(). We could later "fix" these drivers to behave according to the normal vm_pgoff offsetting simply by removing the _zero suffix on the function name and if that causes regressions, it gives us an easy way to revert. Signed-off-by: Souptick Joarder Signed-off-by: Miguel Ojeda commit 50087112592016a3fc10b394a55f1f1a1bde6908 Author: Suraj Jitindar Singh Date: Thu Jun 20 11:46:49 2019 +1000 KVM: PPC: Book3S HV: Invalidate ERAT when flushing guest TLB entries When a guest vcpu moves from one physical thread to another it is necessary for the host to perform a tlb flush on the previous core if another vcpu from the same guest is going to run there. This is because the guest may use the local form of the tlb invalidation instruction meaning stale tlb entries would persist where it previously ran. This is handled on guest entry in kvmppc_check_need_tlb_flush() which calls flush_guest_tlb() to perform the tlb flush. Previously the generic radix__local_flush_tlb_lpid_guest() function was used, however the functionality was reimplemented in flush_guest_tlb() to avoid the trace_tlbie() call as the flushing may be done in real mode. The reimplementation in flush_guest_tlb() was missing an erat invalidation after flushing the tlb. This lead to observable memory corruption in the guest due to the caching of stale translations. Fix this by adding the erat invalidation. Fixes: 70ea13f6e609 ("KVM: PPC: Book3S HV: Flush TLB on secondary radix threads") Signed-off-by: Suraj Jitindar Singh Signed-off-by: Michael Ellerman commit 6f828c55e26769666e0ae56b037f948dc26fe0d4 Merge: 6ad805b82dc5 f99bc332c713 Author: Greg Kroah-Hartman Date: Thu Jun 20 13:30:47 2019 +0200 Merge tag 'misc-habanalabs-fixes-2019-06-20' of git://people.freedesktop.org/~gabbayo/linux into char-misc-linus Oded writes: This tag contains the following fix: - Casting warning of a 64-bit integer in 32-bit architecture. Use the macro that was defined for this purpose. * tag 'misc-habanalabs-fixes-2019-06-20' of git://people.freedesktop.org/~gabbayo/linux: habanalabs: use u64_to_user_ptr() for reading user pointers commit d28bdaff5e260852621d45edd3af017cc5d16925 Merge: ddd57980a0fd 42de8afc40c9 Author: Greg Kroah-Hartman Date: Thu Jun 20 11:56:35 2019 +0200 Merge tag 'fixes-for-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: usb: fixes for v5.2-rc5 A single fix to take into account the PHY width during initialization of dwc2 driver. This change allows deviceTree to pass PHY width if necessary. Signed-off-by: Felipe Balbi * tag 'fixes-for-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb: usb: dwc2: Use generic PHY width in params setup commit f99bc332c713b7672bad5236060b02f0c41c7242 Author: Arnd Bergmann Date: Mon Jun 17 14:41:33 2019 +0200 habanalabs: use u64_to_user_ptr() for reading user pointers We cannot cast a 64-bit integer to a pointer on 32-bit architectures without a warning: drivers/misc/habanalabs/habanalabs_ioctl.c: In function 'debug_coresight': drivers/misc/habanalabs/habanalabs_ioctl.c:143:23: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] input = memdup_user((const void __user *) args->input_ptr, Use the macro that was defined for this purpose. Fixes: 315bc055ed56 ("habanalabs: add new IOCTL for debug, tracing and profiling") Signed-off-by: Arnd Bergmann Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay commit 241e39004581475b2802cd63c111fec43bb0123e Author: J. Bruce Fields Date: Wed Jun 19 17:06:24 2019 -0400 nfsd: replace Jeff by Chuck as nfsd co-maintainer Jeff's picking up more responsibilities elsewhere, and Chuck's agreed to take over. For now, as before, nothing's changing day-to-day, but I want to have a co-maintainer if only for bus factor. Acked-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Linus Torvalds commit 1196364f21ffe5d1e6d83cafd6a2edb89404a3ae Author: Kevin Darbyshire-Bryant Date: Wed Jun 19 15:08:18 2019 +0100 MIPS: fix build on non-linux hosts calc_vmlinuz_load_addr.c requires SZ_64K to be defined for alignment purposes. It included "../../../../include/linux/sizes.h" to define that size, however "sizes.h" tries to include which assumes linux system headers. These may not exist eg. the following error was encountered when building Linux for OpenWrt under macOS: In file included from arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:16: arch/mips/boot/compressed/../../../../include/linux/sizes.h:11:10: fatal error: 'linux/const.h' file not found ^~~~~~~~~~ Change makefile to force building on local linux headers instead of system headers. Also change eye-watering relative reference in include file spec. Thanks to Jo-Philip Wich & Petr Štetiar for assistance in tracking this down & fixing. Suggested-by: Jo-Philipp Wich Signed-off-by: Petr Štetiar Signed-off-by: Kevin Darbyshire-Bryant Signed-off-by: Paul Burton Cc: linux-mips@vger.kernel.org commit 85f9aa7565bd79b039325f2c01af7ffa717924df Author: Eric Dumazet Date: Wed Jun 19 09:38:38 2019 -0700 inet: clear num_timeout reqsk_alloc() KMSAN caught uninit-value in tcp_create_openreq_child() [1] This is caused by a recent change, combined by the fact that TCP cleared num_timeout, num_retrans and sk fields only when a request socket was about to be queued. Under syncookie mode, a temporary request socket is used, and req->num_timeout could contain garbage. Lets clear these three fields sooner, there is really no point trying to defer this and risk other bugs. [1] BUG: KMSAN: uninit-value in tcp_create_openreq_child+0x157f/0x1cc0 net/ipv4/tcp_minisocks.c:526 CPU: 1 PID: 13357 Comm: syz-executor591 Not tainted 5.2.0-rc4+ #3 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x191/0x1f0 lib/dump_stack.c:113 kmsan_report+0x162/0x2d0 mm/kmsan/kmsan.c:611 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:304 tcp_create_openreq_child+0x157f/0x1cc0 net/ipv4/tcp_minisocks.c:526 tcp_v6_syn_recv_sock+0x761/0x2d80 net/ipv6/tcp_ipv6.c:1152 tcp_get_cookie_sock+0x16e/0x6b0 net/ipv4/syncookies.c:209 cookie_v6_check+0x27e0/0x29a0 net/ipv6/syncookies.c:252 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1039 [inline] tcp_v6_do_rcv+0xf1c/0x1ce0 net/ipv6/tcp_ipv6.c:1344 tcp_v6_rcv+0x60b7/0x6a30 net/ipv6/tcp_ipv6.c:1554 ip6_protocol_deliver_rcu+0x1433/0x22f0 net/ipv6/ip6_input.c:397 ip6_input_finish net/ipv6/ip6_input.c:438 [inline] NF_HOOK include/linux/netfilter.h:305 [inline] ip6_input+0x2af/0x340 net/ipv6/ip6_input.c:447 dst_input include/net/dst.h:439 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] NF_HOOK include/linux/netfilter.h:305 [inline] ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:272 __netif_receive_skb_one_core net/core/dev.c:4981 [inline] __netif_receive_skb net/core/dev.c:5095 [inline] process_backlog+0x721/0x1410 net/core/dev.c:5906 napi_poll net/core/dev.c:6329 [inline] net_rx_action+0x738/0x1940 net/core/dev.c:6395 __do_softirq+0x4ad/0x858 kernel/softirq.c:293 do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1052 do_softirq kernel/softirq.c:338 [inline] __local_bh_enable_ip+0x199/0x1e0 kernel/softirq.c:190 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32 rcu_read_unlock_bh include/linux/rcupdate.h:682 [inline] ip6_finish_output2+0x213f/0x2670 net/ipv6/ip6_output.c:117 ip6_finish_output+0xae4/0xbc0 net/ipv6/ip6_output.c:150 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:167 dst_output include/net/dst.h:433 [inline] NF_HOOK include/linux/netfilter.h:305 [inline] ip6_xmit+0x1f53/0x2650 net/ipv6/ip6_output.c:271 inet6_csk_xmit+0x3df/0x4f0 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x4076/0x5b40 net/ipv4/tcp_output.c:1156 tcp_transmit_skb net/ipv4/tcp_output.c:1172 [inline] tcp_write_xmit+0x39a9/0xa730 net/ipv4/tcp_output.c:2397 __tcp_push_pending_frames+0x124/0x4e0 net/ipv4/tcp_output.c:2573 tcp_send_fin+0xd43/0x1540 net/ipv4/tcp_output.c:3118 tcp_close+0x16ba/0x1860 net/ipv4/tcp.c:2403 inet_release+0x1f7/0x270 net/ipv4/af_inet.c:427 inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:470 __sock_release net/socket.c:601 [inline] sock_close+0x156/0x490 net/socket.c:1273 __fput+0x4c9/0xba0 fs/file_table.c:280 ____fput+0x37/0x40 fs/file_table.c:313 task_work_run+0x22e/0x2a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:185 [inline] exit_to_usermode_loop arch/x86/entry/common.c:168 [inline] prepare_exit_to_usermode+0x39d/0x4d0 arch/x86/entry/common.c:199 syscall_return_slowpath+0x90/0x5c0 arch/x86/entry/common.c:279 do_syscall_64+0xe2/0xf0 arch/x86/entry/common.c:305 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x401d50 Code: 01 f0 ff ff 0f 83 40 0d 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d dd 8d 2d 00 00 75 14 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 14 0d 00 00 c3 48 83 ec 08 e8 7a 02 00 00 RSP: 002b:00007fff1cf58cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000401d50 RDX: 000000000000001c RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00000000004a9050 R08: 0000000020000040 R09: 000000000000001c R10: 0000000020004004 R11: 0000000000000246 R12: 0000000000402ef0 R13: 0000000000402f80 R14: 0000000000000000 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:201 [inline] kmsan_internal_poison_shadow+0x53/0xa0 mm/kmsan/kmsan.c:160 kmsan_kmalloc+0xa4/0x130 mm/kmsan/kmsan_hooks.c:177 kmem_cache_alloc+0x534/0xb00 mm/slub.c:2781 reqsk_alloc include/net/request_sock.h:84 [inline] inet_reqsk_alloc+0xa8/0x600 net/ipv4/tcp_input.c:6384 cookie_v6_check+0xadb/0x29a0 net/ipv6/syncookies.c:173 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1039 [inline] tcp_v6_do_rcv+0xf1c/0x1ce0 net/ipv6/tcp_ipv6.c:1344 tcp_v6_rcv+0x60b7/0x6a30 net/ipv6/tcp_ipv6.c:1554 ip6_protocol_deliver_rcu+0x1433/0x22f0 net/ipv6/ip6_input.c:397 ip6_input_finish net/ipv6/ip6_input.c:438 [inline] NF_HOOK include/linux/netfilter.h:305 [inline] ip6_input+0x2af/0x340 net/ipv6/ip6_input.c:447 dst_input include/net/dst.h:439 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] NF_HOOK include/linux/netfilter.h:305 [inline] ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:272 __netif_receive_skb_one_core net/core/dev.c:4981 [inline] __netif_receive_skb net/core/dev.c:5095 [inline] process_backlog+0x721/0x1410 net/core/dev.c:5906 napi_poll net/core/dev.c:6329 [inline] net_rx_action+0x738/0x1940 net/core/dev.c:6395 __do_softirq+0x4ad/0x858 kernel/softirq.c:293 do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1052 do_softirq kernel/softirq.c:338 [inline] __local_bh_enable_ip+0x199/0x1e0 kernel/softirq.c:190 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32 rcu_read_unlock_bh include/linux/rcupdate.h:682 [inline] ip6_finish_output2+0x213f/0x2670 net/ipv6/ip6_output.c:117 ip6_finish_output+0xae4/0xbc0 net/ipv6/ip6_output.c:150 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:167 dst_output include/net/dst.h:433 [inline] NF_HOOK include/linux/netfilter.h:305 [inline] ip6_xmit+0x1f53/0x2650 net/ipv6/ip6_output.c:271 inet6_csk_xmit+0x3df/0x4f0 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x4076/0x5b40 net/ipv4/tcp_output.c:1156 tcp_transmit_skb net/ipv4/tcp_output.c:1172 [inline] tcp_write_xmit+0x39a9/0xa730 net/ipv4/tcp_output.c:2397 __tcp_push_pending_frames+0x124/0x4e0 net/ipv4/tcp_output.c:2573 tcp_send_fin+0xd43/0x1540 net/ipv4/tcp_output.c:3118 tcp_close+0x16ba/0x1860 net/ipv4/tcp.c:2403 inet_release+0x1f7/0x270 net/ipv4/af_inet.c:427 inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:470 __sock_release net/socket.c:601 [inline] sock_close+0x156/0x490 net/socket.c:1273 __fput+0x4c9/0xba0 fs/file_table.c:280 ____fput+0x37/0x40 fs/file_table.c:313 task_work_run+0x22e/0x2a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:185 [inline] exit_to_usermode_loop arch/x86/entry/common.c:168 [inline] prepare_exit_to_usermode+0x39d/0x4d0 arch/x86/entry/common.c:199 syscall_return_slowpath+0x90/0x5c0 arch/x86/entry/common.c:279 do_syscall_64+0xe2/0xf0 arch/x86/entry/common.c:305 entry_SYSCALL_64_after_hwframe+0x63/0xe7 Fixes: 336c39a03151 ("tcp: undo init congestion window on false SYNACK timeout") Signed-off-by: Eric Dumazet Cc: Yuchung Cheng Cc: Neal Cardwell Cc: Soheil Hassas Yeganeh Reported-by: syzbot Acked-by: Soheil Hassas Yeganeh Acked-by: Yuchung Cheng Signed-off-by: David S. Miller commit 6dbbd053e6aea827abde89ac9b9d6855dab1a66b Author: Logan Gunthorpe Date: Wed Jun 19 12:56:26 2019 -0600 PCI/P2PDMA: Ignore root complex whitelist when an IOMMU is present Presently, there is no path to DMA map P2PDMA memory, so if a TLP targeting this memory hits the root complex and an IOMMU is present, the IOMMU will reject the transaction, even if the RC would support P2PDMA. So until the kernel knows to map these DMA addresses in the IOMMU, we should not enable the whitelist when an IOMMU is present. Link: https://lore.kernel.org/linux-pci/20190522201252.2997-1-logang@deltatee.com/ Fixes: 0f97da831026 ("PCI/P2PDMA: Allow P2P DMA between any devices under AMD ZEN Root Complex") Signed-off-by: Logan Gunthorpe Reviewed-by: Christian König Signed-off-by: Bjorn Helgaas Cc: Christoph Hellwig commit 8110a7a7d295b08433dfa7e692e347a43e63f475 Author: Nathan Huckleberry Date: Wed Jun 19 11:17:15 2019 -0700 net: mvpp2: debugfs: Add pmap to fs dump There was an unused variable 'mvpp2_dbgfs_prs_pmap_fops' Added a usage consistent with other fops to dump pmap to userspace. Cc: clang-built-linux@googlegroups.com Link: https://github.com/ClangBuiltLinux/linux/issues/529 Signed-off-by: Nathan Huckleberry Tested-by: Nick Desaulniers Reviewed-by: Nick Desaulniers Signed-off-by: David S. Miller commit c7036d97acd2527cef145b5ef9ad1a37ed21bbe6 Author: David Ahern Date: Wed Jun 19 10:50:24 2019 -0700 ipv6: Default fib6_type to RTN_UNICAST when not set A user reported that routes are getting installed with type 0 (RTN_UNSPEC) where before the routes were RTN_UNICAST. One example is from accel-ppp which apparently still uses the ioctl interface and does not set rtmsg_type. Another is the netlink interface where ipv6 does not require rtm_type to be set (v4 does). Prior to the commit in the Fixes tag the ipv6 stack converted type 0 to RTN_UNICAST, so restore that behavior. Fixes: e8478e80e5a7 ("net/ipv6: Save route type in rt6_info") Signed-off-by: David Ahern Signed-off-by: David S. Miller commit 1e091c3bbf51d34d5d96337a59ce5ab2ac3ba2cc Author: Chuck Lever Date: Tue Jun 11 11:01:16 2019 -0400 svcrdma: Ignore source port when computing DRC hash The DRC appears to be effectively empty after an RPC/RDMA transport reconnect. The problem is that each connection uses a different source port, which defeats the DRC hash. Clients always have to disconnect before they send retransmissions to reset the connection's credit accounting, thus every retransmit on NFS/RDMA will miss the DRC. An NFS/RDMA client's IP source port is meaningless for RDMA transports. The transport layer typically sets the source port value on the connection to a random ephemeral port. The server already ignores it for the "secure port" check. See commit 16e4d93f6de7 ("NFSD: Ignore client's source port on RDMA transports"). The Linux NFS server's DRC resolves XID collisions from the same source IP address by using the checksum of the first 200 bytes of the RPC call header. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org # v4.14+ Signed-off-by: J. Bruce Fields commit db13a5ba2732755cf13320f3987b77cf2a71e790 Author: Stefan Hellermann Date: Mon Jun 17 15:43:59 2019 +0200 MIPS: ath79: fix ar933x uart parity mode While trying to get the uart with parity working I found setting even parity enabled odd parity insted. Fix the register settings to match the datasheet of AR9331. A similar patch was created by 8devices, but not sent upstream. https://github.com/8devices/openwrt-8devices/commit/77c5586ade3bb72cda010afad3f209ed0c98ea7c Signed-off-by: Stefan Hellermann Signed-off-by: Paul Burton Cc: linux-mips@vger.kernel.org commit bf6de2315362473e14817ccbdbd00ade6de2756e Author: Krzysztof Kozlowski Date: Tue Jun 18 20:54:22 2019 +0200 net: hns3: Fix inconsistent indenting Fix wrong indentation of goto return. Signed-off-by: Krzysztof Kozlowski Signed-off-by: David S. Miller commit 99838e602bc8e96e452319d4ad2b4fbd7b7a1e3c Merge: 48620e341659 06996c1d4088 Author: David S. Miller Date: Wed Jun 19 16:26:33 2019 -0400 Merge branch 'af_iucv-fixes' Julian Wiedmann says: ==================== net/af_iucv: fixes 2019-06-18 I spent a few cycles on transmit problems for af_iucv over regular netdevices - please apply the following fixes to -net. The first patch allows for skb allocations outside of GFP_DMA, while the second patch respects that drivers might use skb_cow_head() and/or want additional dev->needed_headroom. Patch 3 is for a separate issue, where we didn't setup some of the netdevice-specific infrastructure when running as a z/VM guest. ==================== Signed-off-by: David S. Miller commit 06996c1d4088a0d5f3e7789d7f96b4653cc947cc Author: Julian Wiedmann Date: Tue Jun 18 20:43:01 2019 +0200 net/af_iucv: always register net_device notifier Even when running as VM guest (ie pr_iucv != NULL), af_iucv can still open HiperTransport-based connections. For robust operation these connections require the af_iucv_netdev_notifier, so register it unconditionally. Also handle any error that register_netdevice_notifier() returns. Fixes: 9fbd87d41392 ("af_iucv: handle netdev events") Signed-off-by: Julian Wiedmann Reviewed-by: Ursula Braun Signed-off-by: David S. Miller commit 238965b71b968dc5b3c0fe430e946f488322c4b5 Author: Julian Wiedmann Date: Tue Jun 18 20:43:00 2019 +0200 net/af_iucv: build proper skbs for HiperTransport The HiperSockets-based transport path in af_iucv is still too closely entangled with qeth. With commit a647a02512ca ("s390/qeth: speed-up L3 IQD xmit"), the relevant xmit code in qeth has begun to use skb_cow_head(). So to avoid unnecessary skb head expansions, af_iucv must learn to 1) respect dev->needed_headroom when allocating skbs, and 2) drop the header reference before cloning the skb. While at it, also stop hard-coding the LL-header creation stage and just use the appropriate helper. Fixes: a647a02512ca ("s390/qeth: speed-up L3 IQD xmit") Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller commit fdbf6326912d578a31ac4ca0933c919eadf1d54c Author: Julian Wiedmann Date: Tue Jun 18 20:42:59 2019 +0200 net/af_iucv: remove GFP_DMA restriction for HiperTransport af_iucv sockets over z/VM IUCV require that their skbs are allocated in DMA memory. This restriction doesn't apply to connections over HiperSockets. So only set this limit for z/VM IUCV sockets, thereby increasing the likelihood that the large (and linear!) allocations for HiperTransport messages succeed. Fixes: 3881ac441f64 ("af_iucv: add HiperSockets transport") Signed-off-by: Julian Wiedmann Reviewed-by: Ursula Braun Reviewed-by: Hendrik Brueckner Signed-off-by: David S. Miller commit abf02e2964b3aaf1d5197c5d7c671e771b0e109e Merge: c3c0d546d73a 3e26c5feed2a Author: Linus Torvalds Date: Wed Jun 19 11:44:04 2019 -0700 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "Prevent PCI bridges in general (and PCIe ports in particular) from being put into low-power states during system-wide suspend transitions if there are any devices in D0 below them and refine the handling of PCI devices in D0 during suspend-to-idle cycles" * tag 'pm-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PCI: PM: Skip devices in D0 for suspend-to-idle commit c3c0d546d73ad53c85789154872b8c92d1f96ba1 Merge: 4b6920ba26e1 156e42996bd8 Author: Linus Torvalds Date: Wed Jun 19 11:39:00 2019 -0700 Merge tag 'apparmor-pr-2019-06-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor bug fixes from John Johansen: - fix PROFILE_MEDIATES for untrusted input - enforce nullbyte at end of tag string - reset pos on failure to unpack for various functions * tag 'apparmor-pr-2019-06-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: reset pos on failure to unpack for various functions apparmor: enforce nullbyte at end of tag string apparmor: fix PROFILE_MEDIATES for untrusted input commit 4b6920ba26e1f24b949b9ca3bb782c7fac8be633 Merge: bed3c0d84e7e 9843f3e08e21 Author: Linus Torvalds Date: Wed Jun 19 11:26:09 2019 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input updates from Dmitry Torokhov: "Just a few small fixups and switching a couple of Thinkpads to SMBus for touchpads as PS/2 emulation is not working well" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: synaptics - enable SMBus on ThinkPad E480 and E580 Input: imx_keypad - make sure keyboard can always wake up system Input: iqs5xx - get axis info before calling input_mt_init_slots() Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD Input: silead - add MSSL0017 to acpi_device_id Input: elantech - enable middle button support on 2 ThinkPads Input: elan_i2c - increment wakeup count if wake source commit 6ad805b82dc5fc0ffd2de1d1f0de47214a050278 Author: Yang Yingliang Date: Sat Jun 15 17:41:29 2019 +0800 doc: fix documentation about UIO_MEM_LOGICAL using After commit d4fc5069a394 ("mm: switch s_mem and slab_cache in struct page") page->mapping will be re-used by slab allocations and page->mapping->host will be used in balance_dirty_pages_ratelimited() as an inode member but it's not an inode in fact and leads an oops. [ 159.906493] Unable to handle kernel paging request at virtual address ffff200012d90be8 [ 159.908029] Mem abort info: [ 159.908552] ESR = 0x96000007 [ 159.909138] Exception class = DABT (current EL), IL = 32 bits [ 159.910155] SET = 0, FnV = 0 [ 159.910690] EA = 0, S1PTW = 0 [ 159.911241] Data abort info: [ 159.911846] ISV = 0, ISS = 0x00000007 [ 159.912567] CM = 0, WnR = 0 [ 159.913105] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000042acd000 [ 159.914269] [ffff200012d90be8] pgd=000000043ffff003, pud=000000043fffe003, pmd=000000043fffa003, pte=0000000000000000 [ 159.916280] Internal error: Oops: 96000007 [#1] SMP [ 159.917195] Dumping ftrace buffer: [ 159.917845] (ftrace buffer empty) [ 159.918521] Modules linked in: uio_dev(OE) [ 159.919276] CPU: 1 PID: 295 Comm: uio_test Tainted: G OE 5.2.0-rc4+ #46 [ 159.920859] Hardware name: linux,dummy-virt (DT) [ 159.921815] pstate: 60000005 (nZCv daif -PAN -UAO) [ 159.922809] pc : balance_dirty_pages_ratelimited+0x68/0xc38 [ 159.923965] lr : fault_dirty_shared_page.isra.8+0xe4/0x100 [ 159.925134] sp : ffff800368a77ae0 [ 159.925824] x29: ffff800368a77ae0 x28: 1ffff0006d14ce1a [ 159.926906] x27: ffff800368a670d0 x26: ffff800368a67120 [ 159.927985] x25: 1ffff0006d10f5fe x24: ffff200012d90be8 [ 159.929089] x23: ffff200013732000 x22: ffff80036ec03200 [ 159.930172] x21: ffff200012d90bc0 x20: 1fffe400025b217d [ 159.931253] x19: ffff80036ec03200 x18: 0000000000000000 [ 159.932348] x17: 0000000000000000 x16: 0ffffe0000010208 [ 159.933439] x15: 0000000000000000 x14: 0000000000000000 [ 159.934518] x13: 0000000000000000 x12: 0000000000000000 [ 159.935596] x11: 1fffefc001b452c0 x10: ffff0fc001b452c0 [ 159.936697] x9 : dfff200000000000 x8 : dfff200000000001 [ 159.937781] x7 : ffff7e000da29607 x6 : ffff0fc001b452c1 [ 159.938859] x5 : ffff0fc001b452c1 x4 : ffff0fc001b452c1 [ 159.939944] x3 : ffff200010523ad4 x2 : 1fffe400026e659b [ 159.941065] x1 : dfff200000000000 x0 : ffff200013732cd8 [ 159.942205] Call trace: [ 159.942732] balance_dirty_pages_ratelimited+0x68/0xc38 [ 159.943797] fault_dirty_shared_page.isra.8+0xe4/0x100 [ 159.944867] do_fault+0x608/0x1250 [ 159.945571] __handle_mm_fault+0x93c/0xfb8 [ 159.946412] handle_mm_fault+0x1c0/0x360 [ 159.947224] do_page_fault+0x358/0x8d0 [ 159.947993] do_translation_fault+0xf8/0x124 [ 159.948884] do_mem_abort+0x70/0x190 [ 159.949624] el0_da+0x24/0x28 According another commit 5e901d0b15c0 ("scsi: qedi: Fix bad pte call trace when iscsiuio is stopped."), using kmalloc also cause other problem. But the documentation about UIO_MEM_LOGICAL allows using kmalloc(), remove and don't allow using kmalloc() in documentation. Signed-off-by: Yang Yingliang Signed-off-by: Greg Kroah-Hartman commit 75d7627f49c54e2eed4b785112d0104e2954d27c Author: Gavin Schenk Date: Tue Jun 18 08:04:12 2019 +0200 MAINTAINERS / Documentation: Thorsten Scherer is the successor of Gavin Schenk Due to new challenges in my life I can no longer take care of SIOX. Thorsten takes over my SIOX tasks. Signed-off-by: Gavin Schenk Acked-by: Thorsten Scherer Signed-off-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman commit fce677d7e8f0cab84864674d7fc74d1f389eee6f Author: Takashi Iwai Date: Wed Jun 19 07:39:43 2019 +0200 docs: fb: Add TER16x32 to the available font names The new font is available since recently. Signed-off-by: Takashi Iwai Acked-by: Randy Dunlap Signed-off-by: Greg Kroah-Hartman commit c61802ee54f2275c0adcce6a17bb06cd5baf991d Merge: 7c464359be81 0d53827d7c17 Author: Greg Kroah-Hartman Date: Wed Jun 19 19:02:52 2019 +0200 Merge tag 'thunderbolt-fixes-for-v5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt into char-misc-linus Mika writes: thunderbolt: Fixes for v5.2-rc6 This includes two fixes for issues found during the current release cycle: - Fix runtime PM regression when device is authorized after the controller is runtime suspended. - Correct CIO reset flow for Titan Ridge. * tag 'thunderbolt-fixes-for-v5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt: thunderbolt: Implement CIO reset correctly for Titan Ridge thunderbolt: Make sure device runtime resume completes before taking domain lock commit 2f7da158cc79444ddcd221ed0bcf567a2e3a5190 Merge: 27e23d897527 64f35709d573 Author: Olof Johansson Date: Wed Jun 19 09:11:04 2019 -0700 Merge tag 'arm-soc/for-5.3/maintainers' of https://github.com/Broadcom/stblinux into arm/fixes This pull request contains MAINTAINERS file updates for Broadcom SoCs entries for 5.3, please pull the following: - Florian adds the Broadcom internal mailing-list which has a patchwork instance behind for the BCM2835 and BCM53573 SoCs entries * tag 'arm-soc/for-5.3/maintainers' of https://github.com/Broadcom/stblinux: MAINTAINERS: BCM53573: Add internal Broadcom mailing list MAINTAINERS: BCM2835: Add internal Broadcom mailing list Signed-off-by: Olof Johansson commit 7c464359be81f9f4628d2d965812d9e2c2908e6b Author: Alan Tull Date: Sun Jun 16 22:11:13 2019 -0500 MAINTAINERS: fpga: hand off maintainership to Moritz I'm moving on to a new position and stepping down as FPGA subsystem maintainer. Moritz has graciously agreed to take over the maintainership. Signed-off-by: Alan Tull Acked-by: Moritz Fischer Signed-off-by: Greg Kroah-Hartman commit c891f3b97964a07c5797569126c90a3865a6ba18 Author: Thomas Gleixner Date: Tue Jun 4 10:11:40 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 507 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of version 2 of the gnu general public license as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation inc 59 temple place suite 330 boston ma 02111 1307 usa the full gnu general public license is included in this distribution in the file called license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 8 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Kate Stewart Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081207.801261482@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 4cb2acc0df04cfad7bd9d7b01a205234cc5f9a2a Author: Thomas Gleixner Date: Tue Jun 4 10:11:39 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 506 Based on 1 normalized pattern(s): this software program is licensed subject to the gnu general public license gpl version 2 june 1991 available at http www fsf org copyleft gpl html extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Kate Stewart Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Reviewed-by: Daniel German Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081207.687420463@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 7f904d7e1f3ec7c2de47c024a5a5c30988b54703 Author: Thomas Gleixner Date: Tue Jun 4 10:11:38 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 505 Based on 1 normalized pattern(s): gplv2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 58 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Reviewed-by: Kate Stewart Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081207.556988620@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 775c8a3d7187b82e15ebfdae486d8ab32e017b4b Author: Thomas Gleixner Date: Tue Jun 4 10:11:37 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 504 Based on 1 normalized pattern(s): this file is free software you can redistribute it and or modify it under the terms of version 2 of the gnu general public license as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation inc 51 franklin st fifth floor boston ma 02110 1301 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 8 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Reviewed-by: Kate Stewart Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081207.443595178@linutronix.de Signed-off-by: Greg Kroah-Hartman commit cd93f165c9f15f17944daf00a404b5964cc3cd29 Author: Thomas Gleixner Date: Tue Jun 4 10:11:36 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 503 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation 51 franklin street fifth floor boston ma 02110 1301 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Kate Stewart Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081207.308909165@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 0e0869949666286aa441ada8e65ab51a1b95d8aa Author: Thomas Gleixner Date: Tue Jun 4 10:11:35 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 502 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation inc 51 franklin st fifth floor boston ma 02110 1301 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Kate Stewart Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081207.195075312@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 21042e414273280d151359deded226548e6b4828 Author: Thomas Gleixner Date: Tue Jun 4 10:11:34 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 501 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation see readme and copying for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 9 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Kate Stewart Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081207.060259192@linutronix.de Signed-off-by: Greg Kroah-Hartman commit d2912cb15bdda8ba4a5dd73396ad62641af2f520 Author: Thomas Gleixner Date: Tue Jun 4 10:11:33 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation # extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4122 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Kate Stewart Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 20c8ccb1975b8d5639789d1025ad6ada38bd6f48 Author: Thomas Gleixner Date: Tue Jun 4 10:11:32 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499 Based on 1 normalized pattern(s): this work is licensed under the terms of the gnu gpl version 2 see the copying file in the top level directory extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 35 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Kate Stewart Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.797835076@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 0c94efabe00ed97415c48361b5fecaa2f2117d57 Author: Thomas Gleixner Date: Tue Jun 4 10:11:31 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 498 Based on 1 normalized pattern(s): gplv2 only extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Kate Stewart Reviewed-by: Enrico Weigelt Reviewed-by: Armijn Hemel Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.666840552@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 97873a3daf611594a7f92cc88bd8c5c8c526e1a3 Author: Thomas Gleixner Date: Tue Jun 4 10:11:30 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 497 Based on 1 normalized pattern(s): this file is part of the linux kernel and is made available under the terms of the gnu general public license version 2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 28 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Reviewed-by: Kate Stewart Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.534229504@linutronix.de Signed-off-by: Greg Kroah-Hartman commit f8a889172d52d00baf6c28587324aea0f9f11250 Author: Thomas Gleixner Date: Tue Jun 4 10:11:29 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 496 Based on 1 normalized pattern(s): licensed under gpl v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Reviewed-by: Armijn Hemel Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.395945938@linutronix.de Signed-off-by: Greg Kroah-Hartman commit aaa7cb268cc4255ffdfbe60e63bf7cf4a6a511f7 Author: Thomas Gleixner Date: Tue Jun 4 10:11:28 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 495 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the version 2 of the gnu general public license as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 10 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.259525894@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 4c3dd9cd769b5d15ea92d443cc23b3d13932cce2 Author: Thomas Gleixner Date: Tue Jun 4 10:11:24 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 491 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms and conditions of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 3 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081205.739216165@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 47d7195dbcef6efe81967bedc47d84474baf0cfb Author: Thomas Gleixner Date: Tue Jun 4 10:11:23 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 490 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as version 2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 13 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081205.608593891@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 81c9859b5129448544c4c73ec100e92b856eead0 Author: Thomas Gleixner Date: Tue Jun 4 10:11:22 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 489 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 gpl v2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081205.495444859@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 0a151468f9ca375bdc574e0888e28d0e9f018fda Author: Thomas Gleixner Date: Tue Jun 4 10:11:21 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 488 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081205.379537898@linutronix.de Signed-off-by: Greg Kroah-Hartman commit e84acbaec7d47a5713b3e41731fdafb78ee2cec0 Author: Thomas Gleixner Date: Tue Jun 4 10:11:20 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 487 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see http www gnu org licenses gpl 2 0 html for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 2 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081205.243665028@linutronix.de Signed-off-by: Greg Kroah-Hartman commit f2e3bd9a5a03da45ed45b513e76298187a0a96b6 Author: Thomas Gleixner Date: Tue Jun 4 10:11:19 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 486 Based on 1 normalized pattern(s): this package is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 3 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081205.116017757@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 910751a782b54dabc3e00a72e5912fcb9af2f602 Author: Thomas Gleixner Date: Tue Jun 4 10:11:18 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 485 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope that it would be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081204.982710800@linutronix.de Signed-off-by: Greg Kroah-Hartman commit f361c4dc5e2fb14a4441b08b29520864a74078f6 Author: Thomas Gleixner Date: Tue Jun 4 10:11:17 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 484 Based on 1 normalized pattern(s): this source code is licensed under general public license version 2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 5 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081204.871734026@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 7a338472f225f18694cc4d9ad1f6f9428f4a88d0 Author: Thomas Gleixner Date: Tue Jun 4 10:11:15 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 482 Based on 1 normalized pattern(s): this work is licensed under the terms of the gnu gpl version 2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 48 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081204.624030236@linutronix.de Signed-off-by: Greg Kroah-Hartman commit e500db3fa2d58f7091280db35d6bf6d4b717f20e Author: Thomas Gleixner Date: Tue Jun 4 10:11:14 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 481 Based on 1 normalized pattern(s): use of this source code is governed by the gplv2 license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 2 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081204.507272547@linutronix.de Signed-off-by: Greg Kroah-Hartman commit b15f321b9f27389f427ab572da5d50a223294b15 Author: Thomas Gleixner Date: Tue Jun 4 10:11:13 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 480 Based on 1 normalized pattern(s): adapted from oprofile gplv2 support extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to add the SPDX license identifier to 1 file(s) Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081204.397687630@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 6d8a639adefe1766155662c615ad0d4cf05f543d Author: Thomas Gleixner Date: Tue Jun 4 10:11:12 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 479 Based on 1 normalized pattern(s): released under the gpl v2 based on gplv2 source code extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081204.281377867@linutronix.de Signed-off-by: Greg Kroah-Hartman commit f9724741de5bcc2f788a1abfd104b162533c8f31 Author: Thomas Gleixner Date: Tue Jun 4 10:11:10 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 477 Based on 1 normalized pattern(s): subject to gplv2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081204.018005938@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 7268a4f81d67e7cc31d78426227f8c8b16f490b2 Author: Thomas Gleixner Date: Tue Jun 4 10:11:08 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 475 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foudation extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081203.770334822@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 3f520cd2de7e9b77effcbd44e46caf297a2e66ab Author: Thomas Gleixner Date: Tue Jun 4 10:11:07 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 474 Based on 1 normalized pattern(s): subject to the gnu public license v 2 no warranty of any kind extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 2 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081203.641025917@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 4e5b937a3287008cc827fd2a4d6169096ee06783 Author: Thomas Gleixner Date: Tue Jun 4 10:11:06 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 473 Based on 1 normalized pattern(s): this file is subject to the terms and conditions of the gnu general public license v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081203.508532280@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 63307d015b91e626c97bb82e88054af3d0b74643 Author: Thomas Gleixner Date: Tue Jun 4 10:11:05 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 472 Based on 1 normalized pattern(s): released under the terms of the gpl v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 5 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081203.398003637@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 714c29cf98be844578c922e8bb202210600e0cb0 Author: Thomas Gleixner Date: Tue Jun 4 10:11:04 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 471 Based on 1 normalized pattern(s): released under the gplv2 only spdx license identifier gpl 2 0 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 3 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081203.262169268@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 6b99076ceda935f3032d023bbab7c1c966c2cbbd Author: Thomas Gleixner Date: Tue Jun 4 10:11:02 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 469 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of mergchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 2 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.997941624@linutronix.de Signed-off-by: Greg Kroah-Hartman commit fc7669c6594fb85f048edc36a057b10282c46620 Author: Thomas Gleixner Date: Tue Jun 4 10:11:01 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 468 Based on 1 normalized pattern(s): based on gpl code from [dibcom] which has [copyright] [c] [2004] [amaury] [demol] [for] [dibcom] this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.886876323@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 957ec138d7666a96fc1e06ae4038dfc9e1f1bed2 Author: Thomas Gleixner Date: Tue Jun 4 10:11:00 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 467 Based on 1 normalized pattern(s): licensed under version 2 of the gnu general public licence extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.750147367@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 6c8f392ce8dac61bbb59f737dfc092752c480ece Author: Thomas Gleixner Date: Tue Jun 4 10:10:59 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 466 Based on 1 normalized pattern(s): license__ = gpl version 2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to add the SPDX identifier to this file. Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.640009675@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 912d0f0bd6f4d97793b681383a0e221a179f3aeb Author: Thomas Gleixner Date: Tue Jun 4 10:10:58 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 465 Based on 1 normalized pattern(s): released under the gpl version 2 only extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.506564860@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 1f67b599f8b8f976d2ea1a447c0f5e768a78ae8e Author: Thomas Gleixner Date: Tue Jun 4 10:10:57 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 464 Based on 1 normalized pattern(s): license terms gnu general public license version 2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 11 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.373849232@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 38cf0d46f42ed90acc74d2139d7bae8a9451888f Author: Thomas Gleixner Date: Tue Jun 4 10:10:56 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 463 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of version 2 of the gnu general public license as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not see http www gnu org licenses the full gnu general public license is included in this distribution in the file called copying extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.258730266@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 887490a7618650f673cf6877641d20a6548fe766 Author: Thomas Gleixner Date: Tue Jun 4 10:10:55 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 462 Based on 1 normalized pattern(s): license gpl v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.146070292@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 89ee7f4f33ad6bb993b605cf73c4b914c81ef3e8 Author: Thomas Gleixner Date: Tue Jun 4 10:10:54 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 461 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 only as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details to obtain the license point your browser to http www gnu org copyleft gpl html extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 12 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081202.028166291@linutronix.de Signed-off-by: Greg Kroah-Hartman commit acee2e8d66f50a0e7ac780c5b06f46bf33f84d59 Author: Thomas Gleixner Date: Tue Jun 4 10:10:53 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 460 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation http www opensource org licenses gpl license html http www gnu org copyleft gpl html extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 3 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081201.897982733@linutronix.de Signed-off-by: Greg Kroah-Hartman commit cb849fc5f0c7a09e9033cad6c42efe40ce85545a Author: Thomas Gleixner Date: Tue Jun 4 10:10:52 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 459 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation the gpl this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license version 2 gplv2 for more details you should have received a copy of the gnu general public license version 2 gplv2 along with this source code extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 16 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081201.771169395@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 071fb96b83f6ff6e04e5a82b3d372d391dc43337 Author: Thomas Gleixner Date: Tue Jun 4 10:10:51 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 457 Based on 2 normalized pattern(s): this file is licensed under gplv2 this file is part of the [aic94xx] driver the [aic94xx] driver is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license the [aic94xx] driver is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with [aic94xx] driver if not write to the free software foundation inc 51 franklin st fifth floor boston ma 02110 1301 usa this file is licensed under gplv2 this file is part of the [88se64xx] [88se94xx] driver the [88se64xx] [88se94xx] driver is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license the [88se64xx] [88se94xx] driver is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with [88se64xx] [88se94xx] driver if not write to the free software foundation inc 51 franklin st fifth floor boston ma 02110 1301 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 2 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081201.638289549@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 023b915e1f6985f2c21edca9c898a6cf49154b22 Author: Thomas Gleixner Date: Tue Jun 4 10:10:50 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 456 Based on 1 normalized pattern(s): driver is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 the [audiowerk2] [alsa] driver is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with the [audiowerk2] [alsa] driver if not write to the free software foundation inc 51 franklin street fifth floor boston ma 02110 1301 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 5 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081201.505559553@linutronix.de Signed-off-by: Greg Kroah-Hartman commit f71e7375c9cbe52720bcf38f71f3d82d29d5db8a Author: Thomas Gleixner Date: Tue Jun 4 10:10:49 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 455 Based on 1 normalized pattern(s): this package is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 and only version 2 as published by the free software foundation extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081201.371541790@linutronix.de Signed-off-by: Greg Kroah-Hartman commit ea65cc9bfb678aabd4a066883963aa9c8a6d4338 Author: Thomas Gleixner Date: Tue Jun 4 10:10:48 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 454 Based on 1 normalized pattern(s): this program is free software you can distribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 8 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081201.231815901@linutronix.de Signed-off-by: Greg Kroah-Hartman commit d690ec537163a384aa1ff25b2be37df6a582412c Author: Thomas Gleixner Date: Tue Jun 4 10:10:46 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 452 Based on 1 normalized pattern(s): this program is free software void you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not see http void www gnu org licenses extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081201.003433009@linutronix.de Signed-off-by: Greg Kroah-Hartman commit f85d208658468b1a298f31daddb05a7684969cd4 Author: Thomas Gleixner Date: Tue Jun 4 10:10:45 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 451 Based on 1 normalized pattern(s): this file is subject to the terms and conditions of version 2 of the gnu general public license see the file copying in the main directory of the linux distribution for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 5 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081200.872755311@linutronix.de Signed-off-by: Greg Kroah-Hartman commit d6869352cb3c3cf3450637a52349e2e87c1354aa Author: Thomas Gleixner Date: Mon Jun 3 07:45:06 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 250 Based on 1 normalized pattern(s): gpl v2 can be found in copying extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 20 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Alexios Zavras Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204655.283615864@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 8092f73c51567470bd79472c6eb25d2e1841fac3 Author: Thomas Gleixner Date: Mon Jun 3 07:45:04 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 248 Based on 1 normalized pattern(s): this file is released under the gpl v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 3 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Reviewed-by: Armijn Hemel Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204655.103854853@linutronix.de Signed-off-by: Greg Kroah-Hartman commit ddceed9d11ee097f95b7a7d02fcce0d5e4b71df3 Author: Thomas Gleixner Date: Mon Jun 3 07:45:03 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 247 Based on 1 normalized pattern(s): gnu gpl v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 5 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Alexios Zavras Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204655.013483115@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 2c162f9b41722a87b13723cec435f0f4d33a3dbb Author: Thomas Gleixner Date: Mon Jun 3 07:45:02 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 246 Based on 1 normalized pattern(s): released under the term of the gnu gpl v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 16 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Reviewed-by: Alexios Zavras Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204654.922331175@linutronix.de Signed-off-by: Greg Kroah-Hartman commit d82444d2a9d010c08c423bf5c6102d43a14b8739 Author: Thomas Gleixner Date: Mon Jun 3 07:45:01 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 245 Based on 1 normalized pattern(s): gpl v2 only extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204654.833758402@linutronix.de Signed-off-by: Greg Kroah-Hartman commit e311edbc45de6163a278fd5a8be0dabe2efd9b9b Author: Thomas Gleixner Date: Mon Jun 3 07:45:00 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 244 Based on 1 normalized pattern(s): this file is rleased under the gpl v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Alexios Zavras Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204654.725819457@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 82c73e0a3868e580da56b559d4940c9be8359c06 Author: Thomas Gleixner Date: Mon Jun 3 07:44:59 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 243 Based on 1 normalized pattern(s): this file is licensed under the gpl v2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 3 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Reviewed-by: Armijn Hemel Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204654.634736654@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 077e6e51c889ca13982b82218612cfe5f94f7cc4 Author: Thomas Gleixner Date: Mon Jun 3 07:44:55 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 239 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation you should have received a copy of the gnu general public license along with this program if not write to the free software foundation inc 675 mass ave cambridge ma 02139 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Reviewed-by: Armijn Hemel Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204654.276825629@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 4ba774edce179a885edc23762cd0a44ea2c8107a Author: Thomas Gleixner Date: Mon Jun 3 07:44:54 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 238 Based on 2 normalized pattern(s): the original driver s license is gpl as declared with module_license this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation under version 2 of the license this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details the original driver s license is gpl as declared with module_license [copyright] [c] [2010] [2012] [mauro] [carvalho] [chehab] [driver] [modified] [by] [in] [order] [to] [work] [with] [upstream] [drxk] [driver] [and] [tons] [of] [bugs] [got] [fixed] [and] [converted] [to] [use] [dvb] [usb] [v2] this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation under version 2 of the license this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 2 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Reviewed-by: Alexios Zavras Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204654.186977917@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 77512baaea9ae397ec36767b9cd3e3a3920bb6d3 Author: Thomas Gleixner Date: Mon Jun 3 07:44:53 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 8 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204654.096873163@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 2504ba9f5970299a33ca7802c60359f849146d78 Author: Thomas Gleixner Date: Mon Jun 3 07:44:51 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 235 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 53 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Alexios Zavras Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204653.904365654@linutronix.de Signed-off-by: Greg Kroah-Hartman commit caab277b1de0a22b675c4c95fc7b285ec2eb5bf5 Author: Thomas Gleixner Date: Mon Jun 3 07:44:50 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 234 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not see http www gnu org licenses extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 503 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204653.811534538@linutronix.de Signed-off-by: Greg Kroah-Hartman commit ac1dc6b2e7d34dd608d082d1735e5c95f42beb77 Author: Thomas Gleixner Date: Mon Jun 3 07:44:49 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 233 Based on 1 normalized pattern(s): this software is licensed under the terms of the gnu general public license version 2 as published by the free software foundation and may be copied distributed and modified under those terms extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 6 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204653.720704315@linutronix.de Signed-off-by: Greg Kroah-Hartman commit a7d7a39274654d404857c2b2982793eded0e3130 Author: Thomas Gleixner Date: Mon Jun 3 07:44:48 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 232 Based on 1 normalized pattern(s): licensed under the gnu general public license version 2 0 gplv2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 3 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Armijn Hemel Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204653.630925848@linutronix.de Signed-off-by: Greg Kroah-Hartman commit b6a3d1b71a326e1194202f67b9989335c07498b4 Author: Thomas Gleixner Date: Mon Jun 3 07:44:47 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 231 Based on 1 normalized pattern(s): this library is free software you can redistribute it and or modify it under the terms of the gnu general public license v2 as published by the free software foundation this library is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu lesser general public license for more details you should have received a copy of the gnu lesser general public license along with this library if not write to the free software foundation inc 59 temple place suite 330 boston ma 02111 1307 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 2 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Alexios Zavras Reviewed-by: Allison Randal Reviewed-by: Enrico Weigelt Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204653.539286961@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 40b0b3f8fb2d8f55d13ceed41593d46689a6b496 Author: Thomas Gleixner Date: Mon Jun 3 07:44:46 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 230 Based on 2 normalized pattern(s): this source code is licensed under the gnu general public license version 2 see the file copying for more details this source code is licensed under general public license version 2 see extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 52 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Reviewed-by: Alexios Zavras Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204653.449021192@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 33eea064b2b183a8eb351fe867db49c3dbcee545 Author: Thomas Gleixner Date: Mon Jun 3 07:44:42 2019 +0200 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 226 Based on 1 normalized pattern(s): licensed under the terms of the gplv2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 1 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Allison Randal Reviewed-by: Alexios Zavras Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204653.087533673@linutronix.de Signed-off-by: Greg Kroah-Hartman commit e4e5a865e9a9e8e47ac1959b629e9f3ae3b062f2 Author: Andrew Jones Date: Mon May 27 13:46:19 2019 +0200 KVM: arm/arm64: Fix emulated ptimer irq injection The emulated ptimer needs to track the level changes, otherwise the the interrupt will never get deasserted, resulting in the guest getting stuck in an interrupt storm if it enables ptimer interrupts. This was found with kvm-unit-tests; the ptimer tests hung as soon as interrupts were enabled. Typical Linux guests don't have a problem as they prefer using the virtual timer. Fixes: bee038a674875 ("KVM: arm/arm64: Rework the timer code to use a timer_map") Signed-off-by: Andrew Jones [Simplified the patch to res we only care about emulated timers here] Signed-off-by: Marc Zyngier commit 27e23d8975270df6999f8b5b3156fc0c04927451 Author: Arnd Bergmann Date: Wed Jun 19 15:04:54 2019 +0200 ARM: omap2: remove incorrect __init annotation omap3xxx_prm_enable_io_wakeup() is marked __init, but its caller is not, so we get a warning with clang-8: WARNING: vmlinux.o(.text+0x343c8): Section mismatch in reference from the function omap3xxx_prm_late_init() to the function .init.text:omap3xxx_prm_enable_io_wakeup() The function omap3xxx_prm_late_init() references the function __init omap3xxx_prm_enable_io_wakeup(). This is often because omap3xxx_prm_late_init lacks a __init annotation or the annotation of omap3xxx_prm_enable_io_wakeup is wrong. When building with gcc, omap3xxx_prm_enable_io_wakeup() is always inlined, so we never noticed in the past. Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Acked-by: Tony Lindgren Reviewed-by: Andrew Murray Signed-off-by: Olof Johansson commit ef51ea44a96f6d7a770a4210a04d93ec820df077 Merge: c91476761094 36558020128b Author: Olof Johansson Date: Wed Jun 19 07:26:35 2019 -0700 Merge tag 'gemini-dts-v5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-nomadik into arm/fixes This fixes up two issues with the Gemini DTS files: - Blank console after a while on the DIR-685 so as not to waste power - Fix up the erroneous compatible string on the DNS-313 * tag 'gemini-dts-v5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-nomadik: ARM: dts: gemini Fix up DNS-313 compatible string ARM: dts: Blank D-Link DIR-685 console Signed-off-by: Olof Johansson commit c914767610946845bd3054341f4636b702fd7632 Merge: cd3967bee004 a019ab406797 Author: Olof Johansson Date: Wed Jun 19 07:26:01 2019 -0700 Merge tag 'imx-fixes-5.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 5.2, round 2: - A fix on LS1028A device tree CPU state to get CPU idle work. - Enable FSL_EDMA driver support in defconfig to fix a indefinite deferring probe on Layerscape platforms. * tag 'imx-fixes-5.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: arm64: defconfig: Enable FSL_EDMA driver arm64: dts: ls1028a: Fix CPU idle fail. Signed-off-by: Olof Johansson commit 48620e341659f6e4b978ec229f6944dabe6df709 Author: Rasmus Villemoes Date: Wed Jun 19 10:02:13 2019 +0000 net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() The comment is correct, but the code ends up moving the bits four places too far, into the VTUOp field. Fixes: 11ea809f1a74 (net: dsa: mv88e6xxx: support 256 databases) Signed-off-by: Rasmus Villemoes Signed-off-by: David S. Miller commit 9dba988edb31d013003b7f00e82dd56f01db70c3 Author: Aaron Lewis Date: Fri May 31 14:14:52 2019 +0000 tests: kvm: Check for a kernel warning When running with /sys/module/kvm_intel/parameters/unrestricted_guest=N, test that a kernel warning does not occur informing us that vcpu->mmio_needed=1. This can happen when KVM_RUN is called after a triple fault. This test was made to detect a bug that was reported by Syzkaller (https://groups.google.com/forum/#!topic/syzkaller/lHfau8E3SOE) and fixed with commit bbeac2830f4de ("KVM: X86: Fix residual mmio emulation request to userspace"). Signed-off-by: Aaron Lewis Reviewed-by: Jim Mattson Reviewed-by: Peter Shier Signed-off-by: Paolo Bonzini commit 61cfcd545e4291d3130022e6f5f684b5d011374b Author: Aaron Lewis Date: Tue May 21 17:13:58 2019 +0000 kvm: tests: Sort tests in the Makefile alphabetically Signed-off-by: Aaron Lewis Reviewed-by: Peter Shier Signed-off-by: Paolo Bonzini commit b6b80c78af838bef17501416d5d383fedab0010a Author: Sean Christopherson Date: Thu Jun 13 10:22:23 2019 -0700 KVM: x86/mmu: Allocate PAE root array when using SVM's 32-bit NPT SVM's Nested Page Tables (NPT) reuses x86 paging for the host-controlled page walk. For 32-bit KVM, this means PAE paging is used even when TDP is enabled, i.e. the PAE root array needs to be allocated. Fixes: ee6268ba3a68 ("KVM: x86: Skip pae_root shadow allocation if tdp enabled") Cc: stable@vger.kernel.org Reported-by: Jiri Palecek Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini commit 6ca00dfafda731d6eafdc164326e7336cdf42d74 Author: Liran Alon Date: Sun Jun 16 15:03:10 2019 +0300 KVM: x86: Modify struct kvm_nested_state to have explicit fields for data Improve the KVM_{GET,SET}_NESTED_STATE structs by detailing the format of VMX nested state data in a struct. In order to avoid changing the ioctl values of KVM_{GET,SET}_NESTED_STATE, there is a need to preserve sizeof(struct kvm_nested_state). This is done by defining the data struct as "data.vmx[0]". It was the most elegant way I found to preserve struct size while still keeping struct readable and easy to maintain. It does have a misfortunate side-effect that now it has to be accessed as "data.vmx[0]" rather than just "data.vmx". Because we are already modifying these structs, I also modified the following: * Define the "format" field values as macros. * Rename vmcs_pa to vmcs12_pa for better readability. Signed-off-by: Liran Alon [Remove SVM stubs, add KVM_STATE_NESTED_VMX_VMCS12_SIZE. - Paolo] Reviewed-by: Liran Alon Signed-off-by: Paolo Bonzini commit c285a2f01d692ef48d7243cf1072897bbd237407 Author: Amir Goldstein Date: Wed Jun 19 13:34:44 2019 +0300 fanotify: update connector fsid cache on add mark When implementing connector fsid cache, we only initialized the cache when the first mark added to object was added by FAN_REPORT_FID group. We forgot to update conn->fsid when the second mark is added by FAN_REPORT_FID group to an already attached connector without fsid cache. Reported-and-tested-by: syzbot+c277e8e2f46414645508@syzkaller.appspotmail.com Fixes: 77115225acc6 ("fanotify: cache fsid in fsnotify_mark_connector") Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara commit c6d9c35d16f1bafd3fec64b865e569e48cbcb514 Author: yangerkun Date: Tue Mar 26 22:00:02 2019 +0800 quota: fix a problem about transfer quota Run below script as root, dquot_add_space will return -EDQUOT since __dquot_transfer call dquot_add_space with flags=0, and dquot_add_space think it's a preallocation. Fix it by set flags as DQUOT_SPACE_WARN. mkfs.ext4 -O quota,project /dev/vdb mount -o prjquota /dev/vdb /mnt setquota -P 23 1 1 0 0 /dev/vdb dd if=/dev/zero of=/mnt/test-file bs=4K count=1 chattr -p 23 test-file Fixes: 7b9ca4c61bc2 ("quota: Reduce contention on dq_data_lock") Signed-off-by: yangerkun Signed-off-by: Jan Kara commit 475df5d0f3eb2d031e4505f84d8fba75baaf2e80 Author: Ville Syrjälä Date: Wed Jun 19 15:09:29 2019 +0300 drm/i915: Don't clobber M/N values during fastset check We're now calling intel_pipe_config_compare(..., true) uncoditionally which means we're always going clobber the calculated M/N values with the old values if the fuzzy M/N check passes. That causes problems because the fuzzy check allows for a huge difference in the values. I'm actually tempted to just make the M/N checks exact, but that might prevent fastboot from kicking in when people want it. So for now let's overwrite the computed values with the old values only if decide to skip the modeset. v2: Copy has_drrs along with M/N M2/N2 values Cc: stable@vger.kernel.org Cc: Blubberbub@protonmail.com Cc: Maarten Lankhorst Cc: Hans de Goede Tested-by: Blubberbub@protonmail.com Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110782 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110675 Fixes: d19f958db23c ("drm/i915: Enable fastset for non-boot modesets.") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20190612172423.25231-1-ville.syrjala@linux.intel.com Reviewed-by: Imre Deak (cherry picked from commit f0521558a2a89d58a08745e225025d338572e60a) Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20190619120929.4057-1-ville.syrjala@linux.intel.com commit 9739ab7eda459f0669ec9807e0d9be5020bab88c Author: Christoph Hellwig Date: Thu Jun 13 10:24:46 2019 +0200 powerpc: enable a 30-bit ZONE_DMA for 32-bit pmac With the strict dma mask checking introduced with the switch to the generic DMA direct code common wifi chips on 32-bit powerbooks stopped working. Add a 30-bit ZONE_DMA to the 32-bit pmac builds to allow them to reliably allocate dma coherent memory. Fixes: 65a21b71f948 ("powerpc/dma: remove dma_nommu_dma_supported") Reported-by: Aaro Koskinen Signed-off-by: Christoph Hellwig Tested-by: Larry Finger Acked-by: Larry Finger Tested-by: Aaro Koskinen Signed-off-by: Michael Ellerman commit 36558020128b1a48b7bddd5792ee70e3f64b04b0 Author: Linus Walleij Date: Sun Jun 16 23:40:13 2019 +0200 ARM: dts: gemini Fix up DNS-313 compatible string It's a simple typo in the DNS file, which was pretty serious. No scripts were working properly. Fix it up. Signed-off-by: Linus Walleij commit cf18ea7593adbfe68b594e45467379d4ee8ca8ba Author: Linus Walleij Date: Mon Aug 27 00:10:39 2018 +0200 ARM: dts: Blank D-Link DIR-685 console Leaving this NAS with display and backlight on heats it up and dissipates power. Turn off the screen after 4 minutes, it comes back on when a user touches the keys. Signed-off-by: Linus Walleij commit 5423f5ce5ca410b3646f355279e4e937d452e622 Author: Thomas Gleixner Date: Tue Jun 18 22:31:40 2019 +0200 x86/microcode: Fix the microcode load on CPU hotplug for real A recent change moved the microcode loader hotplug callback into the early startup phase which is running with interrupts disabled. It missed that the callbacks invoke sysfs functions which might sleep causing nice 'might sleep' splats with proper debugging enabled. Split the callbacks and only load the microcode in the early startup phase and move the sysfs handling back into the later threaded and preemptible bringup phase where it was before. Fixes: 78f4e932f776 ("x86/microcode, cpuhotplug: Add a microcode loader CPU hotplug callback") Signed-off-by: Thomas Gleixner Signed-off-by: Borislav Petkov Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: stable@vger.kernel.org Cc: x86-ml Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1906182228350.1766@nanos.tec.linutronix.de commit 6dde1e42f497b2d4e22466f23019016775607947 Author: Amir Goldstein Date: Sun Jun 9 19:03:44 2019 +0300 ovl: make i_ino consistent with st_ino in more cases Relax the condition that overlayfs supports nfs export, to require that i_ino is consistent with st_ino/d_ino. It is enough to require that st_ino and d_ino are consistent. This fixes the failure of xfstest generic/504, due to mismatch of st_ino to inode number in the output of /proc/locks. Fixes: 12574a9f4c9c ("ovl: consistent i_ino for non-samefs with xino") Cc: # v4.19 Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi commit f5633efcedb43b87b9fa81695335feb7b2e20f3c Merge: 9e0babf2c06c 971afec3a537 Author: Jani Nikula Date: Wed Jun 19 09:59:58 2019 +0300 Merge tag 'gvt-fixes-2019-06-19' of https://github.com/intel/gvt-linux into drm-intel-fixes gvt-fixes-2019-06-19 - Fix reserved PVINFO register write (Weinan) Signed-off-by: Jani Nikula From: Zhenyu Wang Link: https://patchwork.freedesktop.org/patch/msgid/20190619062240.GM9684@zhen-hp.sh.intel.com commit 5589b08e5be47e426158f659a892153b4a831921 Author: Arun Easi Date: Fri Jun 14 07:36:27 2019 -0700 scsi: qla2xxx: Fix hardlockup in abort command during driver remove [436194.555537] NMI watchdog: Watchdog detected hard LOCKUP on cpu 5 [436194.555558] RIP: 0010:native_queued_spin_lock_slowpath+0x63/0x1e0 [436194.555563] Call Trace: [436194.555564] _raw_spin_lock_irqsave+0x30/0x40 [436194.555564] qla24xx_async_abort_command+0x29/0xd0 [qla2xxx] [436194.555565] qla24xx_abort_command+0x208/0x2d0 [qla2xxx] [436194.555565] __qla2x00_abort_all_cmds+0x16b/0x290 [qla2xxx] [436194.555565] qla2x00_abort_all_cmds+0x42/0x60 [qla2xxx] [436194.555566] qla2x00_abort_isp_cleanup+0x2bd/0x3a0 [qla2xxx] [436194.555566] qla2x00_remove_one+0x1ad/0x360 [qla2xxx] [436194.555566] pci_device_remove+0x3b/0xb0 Fixes: 219d27d7147e (scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands) Cc: stable@vger.kernel.org # 5.2 Signed-off-by: Arun Easi Signed-off-by: Himanshu Madhani Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit 24e2e7a19f7e4b83d0d5189040d997bce3596473 Author: Stanley Chu Date: Wed Jun 12 23:19:05 2019 +0800 scsi: ufs: Avoid runtime suspend possibly being blocked forever UFS runtime suspend can be triggered after pm_runtime_enable() is invoked in ufshcd_pltfrm_init(). However if the first runtime suspend is triggered before binding ufs_hba structure to ufs device structure via platform_set_drvdata(), then UFS runtime suspend will be no longer triggered in the future because its dev->power.runtime_error was set in the first triggering and does not have any chance to be cleared. To be more clear, dev->power.runtime_error is set if hba is NULL in ufshcd_runtime_suspend() which returns -EINVAL to rpm_callback() where dev->power.runtime_error is set as -EINVAL. In this case, any future rpm_suspend() for UFS device fails because rpm_check_suspend_allowed() fails due to non-zero dev->power.runtime_error. To resolve this issue, make sure the first UFS runtime suspend get valid "hba" in ufshcd_runtime_suspend(): Enable UFS runtime PM only after hba is successfully bound to UFS device structure. Fixes: 62694735ca95 ([SCSI] ufs: Add runtime PM support for UFS host controller driver) Cc: stable@vger.kernel.org Signed-off-by: Stanley Chu Reviewed-by: Avri Altman Signed-off-by: Martin K. Petersen commit 8cf4c5403aeb8d3921c174ad1c72c9753cfb5f5f Author: Nilesh Javali Date: Wed Jun 12 01:05:42 2019 -0700 scsi: qedi: update driver version to 8.37.0.20 Update qedi driver version to 8.37.0.20 Signed-off-by: Nilesh Javali Reviewed-by: Lee Duncan Reviewed-by: Chris Leech Signed-off-by: Martin K. Petersen commit 1ac3549ed58cdfdaf43bbf31ac260e2381cc0dae Author: Nilesh Javali Date: Wed Jun 12 01:05:41 2019 -0700 scsi: qedi: Check targetname while finding boot target information The kernel panic was observed during iSCSI discovery via offload with below call trace, [ 2115.646901] BUG: unable to handle kernel NULL pointer dereference at (null) [ 2115.646909] IP: [] strncmp+0xc/0x60 [ 2115.646927] PGD 0 [ 2115.646932] Oops: 0000 [#1] SMP [ 2115.647107] CPU: 24 PID: 264 Comm: kworker/24:1 Kdump: loaded Tainted: G OE ------------ 3.10.0-957.el7.x86_64 #1 [ 2115.647133] Workqueue: slowpath-13:00. qed_slowpath_task [qed] [ 2115.647135] task: ffff8d66af80b0c0 ti: ffff8d66afb80000 task.ti: ffff8d66afb80000 [ 2115.647136] RIP: 0010:[] [] strncmp+0xc/0x60 [ 2115.647141] RSP: 0018:ffff8d66afb83c68 EFLAGS: 00010206 [ 2115.647143] RAX: 0000000000000001 RBX: 0000000000000007 RCX: 000000000000000a [ 2115.647144] RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8d632b3ba040 [ 2115.647145] RBP: ffff8d66afb83c68 R08: 0000000000000000 R09: 000000000000ffff [ 2115.647147] R10: 0000000000000007 R11: 0000000000000800 R12: ffff8d66a30007a0 [ 2115.647148] R13: ffff8d66747a3c10 R14: ffff8d632b3ba000 R15: ffff8d66747a32f8 [ 2115.647149] FS: 0000000000000000(0000) GS:ffff8d66aff00000(0000) knlGS:0000000000000000 [ 2115.647151] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2115.647152] CR2: 0000000000000000 CR3: 0000000509610000 CR4: 00000000007607e0 [ 2115.647153] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2115.647154] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2115.647155] PKRU: 00000000 [ 2115.647157] Call Trace: [ 2115.647165] [] qedi_get_protocol_tlv_data+0x2c5/0x510 [qedi] [ 2115.647184] [] ? qed_mfw_process_tlv_req+0x245/0xbe0 [qed] [ 2115.647195] [] qed_mfw_fill_tlv_data+0x4b/0xb0 [qed] [ 2115.647206] [] qed_mfw_process_tlv_req+0x261/0xbe0 [qed] [ 2115.647215] [] ? dequeue_task_fair+0x41e/0x660 [ 2115.647221] [] ? __switch_to+0xce/0x580 [ 2115.647230] [] qed_slowpath_task+0xa3/0x160 [qed] [ 2115.647278] RIP [] strncmp+0xc/0x60 Fix kernel panic by validating the session targetname before providing TLV data and confirming the presence of boot targets. Signed-off-by: Nilesh Javali Reviewed-by: Lee Duncan Reviewed-by: Chris Leech Signed-off-by: Martin K. Petersen commit d470e720ef27786d97b18e7cf50230610e4e6b17 Merge: cb359b604167 8a3dca632538 Author: David S. Miller Date: Tue Jun 18 21:43:40 2019 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net 1) Module autoload for masquerade and redirection does not work. 2) Leak in unqueued packets in nf_ct_frag6_queue(). Ignore duplicated fragments, pretend they are placed into the queue. Patches from Guillaume Nault. ==================== Signed-off-by: David S. Miller commit cb359b60416701c8bed82fec79de25a144beb893 Author: Sunil Muthuswamy Date: Mon Jun 17 19:26:25 2019 +0000 hvsock: fix epollout hang from race condition Currently, hvsock can enter into a state where epoll_wait on EPOLLOUT will not return even when the hvsock socket is writable, under some race condition. This can happen under the following sequence: - fd = socket(hvsocket) - fd_out = dup(fd) - fd_in = dup(fd) - start a writer thread that writes data to fd_out with a combination of epoll_wait(fd_out, EPOLLOUT) and - start a reader thread that reads data from fd_in with a combination of epoll_wait(fd_in, EPOLLIN) - On the host, there are two threads that are reading/writing data to the hvsocket stack: hvs_stream_has_space hvs_notify_poll_out vsock_poll sock_poll ep_poll Race condition: check for epollout from ep_poll(): assume no writable space in the socket hvs_stream_has_space() returns 0 check for epollin from ep_poll(): assume socket has some free space < HVS_PKT_LEN(HVS_SEND_BUF_SIZE) hvs_stream_has_space() will clear the channel pending send size host will not notify the guest because the pending send size has been cleared and so the hvsocket will never mark the socket writable Now, the EPOLLOUT will never return even if the socket write buffer is empty. The fix is to set the pending size to the default size and never change it. This way the host will always notify the guest whenever the writable space is bigger than the pending size. The host is already optimized to *only* notify the guest when the pending size threshold boundary is crossed and not everytime. This change also reduces the cpu usage somewhat since hv_stream_has_space() is in the hotpath of send: vsock_stream_sendmsg()->hv_stream_has_space() Earlier hv_stream_has_space was setting/clearing the pending size on every call. Signed-off-by: Sunil Muthuswamy Reviewed-by: Dexuan Cui Signed-off-by: David S. Miller commit 76e21533a48bb42d1fa894f93f6233bf4554f45e Author: Fred Klassen Date: Mon Jun 17 12:05:07 2019 -0700 net/udp_gso: Allow TX timestamp with UDP GSO Fixes an issue where TX Timestamps are not arriving on the error queue when UDP_SEGMENT CMSG type is combined with CMSG type SO_TIMESTAMPING. This can be illustrated with an updated updgso_bench_tx program which includes the '-T' option to test for this condition. It also introduces the '-P' option which will call poll() before reading the error queue. ./udpgso_bench_tx -4ucTPv -S 1472 -l2 -D 172.16.120.18 poll timeout udp tx: 0 MB/s 1 calls/s 1 msg/s The "poll timeout" message above indicates that TX timestamp never arrived. This patch preserves tx_flags for the first UDP GSO segment. Only the first segment is timestamped, even though in some cases there may be benefital in timestamping both the first and last segment. Factors in deciding on first segment timestamp only: - Timestamping both first and last segmented is not feasible. Hardware can only have one outstanding TS request at a time. - Timestamping last segment may under report network latency of the previous segments. Even though the doorbell is suppressed, the ring producer counter has been incremented. - Timestamping the first segment has the upside in that it reports timestamps from the application's view, e.g. RTT. - Timestamping the first segment has the downside that it may underreport tx host network latency. It appears that we have to pick one or the other. And possibly follow-up with a config flag to choose behavior. v2: Remove tests as noted by Willem de Bruijn Moving tests from net to net-next v3: Update only relevant tx_flag bits as per Willem de Bruijn v4: Update comments and commit message as per Willem de Bruijn Fixes: ee80d1ebe5ba ("udp: add udp gso") Signed-off-by: Fred Klassen Acked-by: Willem de Bruijn Signed-off-by: David S. Miller commit e11e1007a177fe4abc12b620dcf9e36eb8027f40 Merge: 9476274093a0 3e14c383de34 Author: David S. Miller Date: Tue Jun 18 21:30:39 2019 -0400 Merge branch 'net-netem-fix-issues-with-corrupting-GSO-frames' Jakub Kicinski says: ==================== net: netem: fix issues with corrupting GSO frames Corrupting GSO frames currently leads to crashes, due to skb use after free. These stem from the skb list handling - the segmented skbs come back on a list, and this list is not properly unlinked before enqueuing the segments. Turns out this condition is made very likely to occur because of another bug - in backlog accounting. Segments are counted twice, which means qdisc's limit gets reached leading to drops and making the use after free very likely to happen. The bugs are fixed in order in which they were added to the tree. ==================== Signed-off-by: David S. Miller commit 3e14c383de349a86895b8c6c410b9222646574f6 Author: Jakub Kicinski Date: Mon Jun 17 11:11:11 2019 -0700 net: netem: fix use after free and double free with packet corruption Brendan reports that the use of netem's packet corruption capability leads to strange crashes. This seems to be caused by commit d66280b12bd7 ("net: netem: use a list in addition to rbtree") which uses skb->next pointer to construct a fast-path queue of in-order skbs. Packet corruption code has to invoke skb_gso_segment() in case of skbs in need of GSO. skb_gso_segment() returns a list of skbs. If next pointers of the skbs on that list do not get cleared fast path list may point to freed skbs or skbs which are also on the RB tree. Let's say skb gets segmented into 3 frames: A -> B -> C A gets hooked to the t_head t_tail list by tfifo_enqueue(), but it's next pointer didn't get cleared so we have: h t |/ A -> B -> C Now if B and C get also get enqueued successfully all is fine, because tfifo_enqueue() will overwrite the list in order. IOW: Enqueue B: h t | | A -> B C Enqueue C: h t | | A -> B -> C But if B and C get reordered we may end up with: h t RB tree |/ | A -> B -> C B \ C Or if they get dropped just: h t |/ A -> B -> C where A and B are already freed. To reproduce either limit has to be set low to cause freeing of segs or reorders have to happen (due to delay jitter). Note that we only have to mark the first segment as not on the list, "finish_segs" handling of other frags already does that. Another caveat is that qdisc_drop_all() still has to free all segments correctly in case of drop of first segment, therefore we re-link segs before calling it. v2: - re-link before drop, v1 was leaking non-first segs if limit was hit at the first seg - better commit message which lead to discovering the above :) Reported-by: Brendan Galloway Fixes: d66280b12bd7 ("net: netem: use a list in addition to rbtree") Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Acked-by: Cong Wang Signed-off-by: David S. Miller commit 177b8007463c4f36c9a2c7ce7aa9875a4cad9bd5 Author: Jakub Kicinski Date: Mon Jun 17 11:11:10 2019 -0700 net: netem: fix backlog accounting for corrupted GSO frames When GSO frame has to be corrupted netem uses skb_gso_segment() to produce the list of frames, and re-enqueues the segments one by one. The backlog length has to be adjusted to account for new frames. The current calculation is incorrect, leading to wrong backlog lengths in the parent qdisc (both bytes and packets), and incorrect packet backlog count in netem itself. Parent backlog goes negative, netem's packet backlog counts all non-first segments twice (thus remaining non-zero even after qdisc is emptied). Move the variables used to count the adjustment into local scope to make 100% sure they aren't used at any stage in backports. Fixes: 6071bd1aa13e ("netem: Segment GSO packets on enqueue") Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Acked-by: Cong Wang Signed-off-by: David S. Miller commit 9476274093a0e79b905f4cd6cf6d149f65e02c17 Author: Colin Ian King Date: Mon Jun 17 17:12:49 2019 +0100 net: lio_core: fix potential sign-extension overflow on large shift Left shifting the signed int value 1 by 31 bits has undefined behaviour and the shift amount oq_no can be as much as 63. Fix this by using BIT_ULL(oq_no) instead. Addresses-Coverity: ("Bad shift operation") Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") Signed-off-by: Colin Ian King Reviewed-by: Dan Carpenter Signed-off-by: David S. Miller commit 55458d2f4074307c2aa787300c9272ff668a3ac3 Merge: 72b319dc08b4 c3bcde026684 Author: David S. Miller Date: Tue Jun 18 20:48:45 2019 -0400 Merge branch 'net-fix-quite-a-few-dst_cache-crashes-reported-by-syzbot' Xin Long says: ==================== net: fix quite a few dst_cache crashes reported by syzbot There are two kinds of crashes reported many times by syzbot with no reproducer. Call Traces are like: BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556 rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556 __mkroute_output net/ipv4/route.c:2332 [inline] ip_route_output_key_hash_rcu+0x819/0x2d50 net/ipv4/route.c:2564 ip_route_output_key_hash+0x1ef/0x360 net/ipv4/route.c:2393 __ip_route_output_key include/net/route.h:125 [inline] ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2651 ip_route_output_key include/net/route.h:135 [inline] ... or: kasan: GPF could be caused by NULL-ptr deref or user memory access RIP: 0010:dst_dev_put+0x24/0x290 net/core/dst.c:168 rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline] free_fib_info_rcu+0x2e1/0x490 net/ipv4/fib_semantics.c:217 __rcu_reclaim kernel/rcu/rcu.h:240 [inline] rcu_do_batch kernel/rcu/tree.c:2437 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline] rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697 ... They were caused by the fib_nh_common percpu member 'nhc_pcpu_rth_output' overwritten by another percpu variable 'dev->tstats' access overflow in tipc udp media xmit path when counting packets on a non tunnel device. The fix is to make udp tunnel work with no tunnel device by allowing not to count packets on the tstats when the tunnel dev is NULL in Patches 1/3 and 2/3, then pass a NULL tunnel dev in tipc_udp_tunnel() in Patch 3/3. ==================== Signed-off-by: David S. Miller commit c3bcde026684c62d7a2b6f626dc7cf763833875c Author: Xin Long Date: Mon Jun 17 21:34:15 2019 +0800 tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb udp_tunnel(6)_xmit_skb() called by tipc_udp_xmit() expects a tunnel device to count packets on dev->tstats, a perpcu variable. However, TIPC is using udp tunnel with no tunnel device, and pass the lower dev, like veth device that only initializes dev->lstats(a perpcu variable) when creating it. Later iptunnel_xmit_stats() called by ip(6)tunnel_xmit() thinks the dev as a tunnel device, and uses dev->tstats instead of dev->lstats. tstats' each pointer points to a bigger struct than lstats, so when tstats->tx_bytes is increased, other percpu variable's members could be overwritten. syzbot has reported quite a few crashes due to fib_nh_common percpu member 'nhc_pcpu_rth_output' overwritten, call traces are like: BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556 rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556 __mkroute_output net/ipv4/route.c:2332 [inline] ip_route_output_key_hash_rcu+0x819/0x2d50 net/ipv4/route.c:2564 ip_route_output_key_hash+0x1ef/0x360 net/ipv4/route.c:2393 __ip_route_output_key include/net/route.h:125 [inline] ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2651 ip_route_output_key include/net/route.h:135 [inline] ... or: kasan: GPF could be caused by NULL-ptr deref or user memory access RIP: 0010:dst_dev_put+0x24/0x290 net/core/dst.c:168 rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline] free_fib_info_rcu+0x2e1/0x490 net/ipv4/fib_semantics.c:217 __rcu_reclaim kernel/rcu/rcu.h:240 [inline] rcu_do_batch kernel/rcu/tree.c:2437 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline] rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697 ... The issue exists since tunnel stats update is moved to iptunnel_xmit by Commit 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()"), and here to fix it by passing a NULL tunnel dev to udp_tunnel(6)_xmit_skb so that the packets counting won't happen on dev->tstats. Reported-by: syzbot+9d4c12bfd45a58738d0a@syzkaller.appspotmail.com Reported-by: syzbot+a9e23ea2aa21044c2798@syzkaller.appspotmail.com Reported-by: syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com Reported-by: syzbot+0290d2290a607e035ba1@syzkaller.appspotmail.com Reported-by: syzbot+a43d8d4e7e8a7a9e149e@syzkaller.appspotmail.com Reported-by: syzbot+a47c5f4c6c00fc1ed16e@syzkaller.appspotmail.com Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") Signed-off-by: Xin Long Signed-off-by: David S. Miller commit 6f6a8622057c92408930c31698394fae1557b188 Author: Xin Long Date: Mon Jun 17 21:34:14 2019 +0800 ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL A similar fix to Patch "ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL" is also needed by ip6_tunnel. Signed-off-by: Xin Long Signed-off-by: David S. Miller commit 5684abf7020dfc5f0b6ba1d68eda3663871fce52 Author: Xin Long Date: Mon Jun 17 21:34:13 2019 +0800 ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL iptunnel_xmit() works as a common function, also used by a udp tunnel which doesn't have to have a tunnel device, like how TIPC works with udp media. In these cases, we should allow not to count pkts on dev's tstats, so that udp tunnel can work with no tunnel device safely. Signed-off-by: Xin Long Signed-off-by: David S. Miller commit 156e42996bd84eccb6acf319f19ce0cb140d00e3 Author: Mike Salvatore Date: Wed Jun 12 14:55:14 2019 -0700 apparmor: reset pos on failure to unpack for various functions Each function that manipulates the aa_ext struct should reset it's "pos" member on failure. This ensures that, on failure, no changes are made to the state of the aa_ext struct. There are paths were elements are optional and the error path is used to indicate the optional element is not present. This means instead of just aborting on error the unpack stream can become unsynchronized on optional elements, if using one of the affected functions. Cc: stable@vger.kernel.org Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy") Signed-off-by: Mike Salvatore Signed-off-by: John Johansen commit 8404d7a674c49278607d19726e0acc0cae299357 Author: Jann Horn Date: Tue May 28 17:32:26 2019 +0200 apparmor: enforce nullbyte at end of tag string A packed AppArmor policy contains null-terminated tag strings that are read by unpack_nameX(). However, unpack_nameX() uses string functions on them without ensuring that they are actually null-terminated, potentially leading to out-of-bounds accesses. Make sure that the tag string is null-terminated before passing it to strcmp(). Cc: stable@vger.kernel.org Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy") Signed-off-by: Jann Horn Signed-off-by: John Johansen commit 23375b13f98c5464c2b4d15f983cc062940f1f4e Author: John Johansen Date: Sun May 26 06:42:23 2019 -0700 apparmor: fix PROFILE_MEDIATES for untrusted input While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensure every profile has a policy.dfa it does not resize the policy.start[] to have entries for every possible start value. Which means PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not take into account the start value usage. The input string in profile_query_cb() is user controlled and is not properly checked to be within the limited start[] entries, even worse it can't be as userspace policy is allowed to make us of entries types the kernel does not know about. This mean usespace can currently cause the kernel to access memory up to 240 entries beyond the start array bounds. Cc: stable@vger.kernel.org Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") Signed-off-by: John Johansen commit 7a5834e456f7fb3eca9b63af2a6bc7f460ae482f Author: Gal Pressman Date: Tue Jun 18 16:07:32 2019 +0300 RDMA/efa: Handle mmap insertions overflow When inserting a new mmap entry to the xarray we should check for 'mmap_page' overflow as it is limited to 32 bits. Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") Signed-off-by: Gal Pressman Signed-off-by: Doug Ledford commit 440078db7a5539b36bd780a826cb6e2cf2cce0d0 Merge: 456918049560 9642fa73d073 Author: Jens Axboe Date: Tue Jun 18 13:53:06 2019 -0600 Merge branch 'md-fixes' of https://github.com/liu-song-6/linux into for-linus Pull MD fix from Song. * 'md-fixes' of https://github.com/liu-song-6/linux: md: fix for divide error in status_resync commit bed3c0d84e7e25c8e0964d297794f4c215b01f33 Merge: 7b306892cc57 3763771cf602 Author: Linus Torvalds Date: Tue Jun 18 11:20:24 2019 -0700 Merge tag 'for-5.2-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: - regression where properties stored as xattrs are not properly persisted - a small readahead fix (the fstests testcase for that fix hangs on unpatched kernel, so we'd like get it merged to ease future testing) - fix a race during block group creation and deletion * tag 'for-5.2-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: Btrfs: fix failure to persist compression property xattr deletion on fsync btrfs: start readahead also in seed devices Btrfs: fix race between block group removal and block group allocation commit 7b306892cc57e27959b5232c1b8415cf09b7571c Merge: 915ed9320cba cd3967bee004 Author: Linus Torvalds Date: Tue Jun 18 10:59:59 2019 -0700 Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Olof Johansson: "I've been bad at collecting fixes this release cycle, so this is a fairly large batch that's been trickling in for a while. It's the usual mix, more or less. Some of the bigger things fixed: - Voltage fix for MMC on TI DRA7 that sometimes would overvoltage cards - Regression fixes for D_CAN on am355x - i.MX6SX cpuidle fix to deal with wakeup latency (dropped uart chars) - DT fixes for some DRA7 variants that don't share the superset of blocks on the chip plus the usual mix of stuff: minor build/warning fixes, Kconfig dependencies, and some DT fixlets" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (28 commits) soc: ixp4xx: npe: Fix an IS_ERR() vs NULL check in probe ARM: ixp4xx: include irqs.h where needed ARM: ixp4xx: mark ixp4xx_irq_setup as __init ARM: ixp4xx: don't select SERIAL_OF_PLATFORM firmware: trusted_foundations: add ARMv7 dependency MAINTAINERS: Change QCOM repo location ARM: davinci: da8xx: specify dma_coherent_mask for lcdc ARM: davinci: da850-evm: call regulator_has_full_constraints() ARM: mvebu_v7_defconfig: fix Ethernet on Clearfog ARM: dts: am335x phytec boards: Fix cd-gpios active level ARM: dts: dra72x: Disable usb4_tm target module arm64: arch_k3: Fix kconfig dependency warning ARM: dts: Drop bogus CLKSEL for timer12 on dra7 MAINTAINERS: Update Stefan Wahren email address ARM: dts: bcm: Add missing device_type = "memory" property soc: bcm: brcmstb: biuctrl: Register writes require a barrier soc: brcmstb: Fix error path for unsupported CPUs ARM: dts: dra71x: Disable usb4_tm target module ARM: dts: dra71x: Disable rtc target module ARM: dts: dra76x: Disable usb4_tm target module ... commit 72b319dc08b4924a29f5e2560ef6d966fa54c429 Author: Fei Li Date: Mon Jun 17 21:26:36 2019 +0800 tun: wake up waitqueues after IFF_UP is set Currently after setting tap0 link up, the tun code wakes tx/rx waited queues up in tun_net_open() when .ndo_open() is called, however the IFF_UP flag has not been set yet. If there's already a wait queue, it would fail to transmit when checking the IFF_UP flag in tun_sendmsg(). Then the saving vhost_poll_start() will add the wq into wqh until it is waken up again. Although this works when IFF_UP flag has been set when tun_chr_poll detects; this is not true if IFF_UP flag has not been set at that time. Sadly the latter case is a fatal error, as the wq will never be waken up in future unless later manually setting link up on purpose. Fix this by moving the wakeup process into the NETDEV_UP event notifying process, this makes sure IFF_UP has been set before all waited queues been waken up. Signed-off-by: Fei Li Acked-by: Jason Wang Signed-off-by: David S. Miller commit 915ed9320cba9ddb5da3f3ee49a8ceeed85fb5cc Merge: 29f785ff76b6 8c30d32b1a32 Author: Linus Torvalds Date: Tue Jun 18 10:42:08 2019 -0700 Merge tag 'meminit-v5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull stack init fix from Kees Cook: "This is a small update to the stack auto-initialization self-test code to deal with the Clang initialization pattern. It's been in linux-next for a couple weeks; I had waited a bit wondering if anything more substantial was going to show up, but nothing has, so I'm sending this now before it gets too late" * tag 'meminit-v5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: lib/test_stackinit: Handle Clang auto-initialization pattern commit 74b67efa8d7b4f90137f0ab9a80dd319da050350 Author: Dan Carpenter Date: Tue Jun 18 16:18:43 2019 +0300 drm: return -EFAULT if copy_to_user() fails The copy_from_user() function returns the number of bytes remaining to be copied but we want to return a negative error code. Otherwise the callers treat it as a successful copy. Signed-off-by: Dan Carpenter Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20190618131843.GA29463@mwanda commit d0bae4a0e3d8c5690a885204d7eb2341a5b4884d Author: JingYi Hou Date: Mon Jun 17 14:56:05 2019 +0800 net: remove duplicate fetch in sock_getsockopt In sock_getsockopt(), 'optlen' is fetched the first time from userspace. 'len < 0' is then checked. Then in condition 'SO_MEMINFO', 'optlen' is fetched the second time from userspace. If change it between two fetches may cause security problems or unexpected behaivor, and there is no reason to fetch it a second time. To fix this, we need to remove the second fetch. Signed-off-by: JingYi Hou Signed-off-by: David S. Miller commit d0f84d0856c11fbafadae3d580f6a9c98d818ccd Author: Tuong Lien Date: Mon Jun 17 11:56:12 2019 +0700 tipc: fix issues with early FAILOVER_MSG from peer It appears that a FAILOVER_MSG can come from peer even when the failure link is resetting (i.e. just after the 'node_write_unlock()'...). This means the failover procedure on the node has not been started yet. The situation is as follows: node1 node2 linkb linka linka linkb | | | | | | x failure | | | RESETTING | | | | | | x failure RESET | | RESETTING FAILINGOVER | | | (FAILOVER_MSG) | | |<-------------------------------------------------| | *FAILINGOVER | | | | | (dummy FAILOVER_MSG) | | |------------------------------------------------->| | RESET | | FAILOVER_END | FAILINGOVER RESET | . . . . . . . . . . . . Once this happens, the link failover procedure will be triggered wrongly on the receiving node since the node isn't in FAILINGOVER state but then another link failover will be carried out. The consequences are: 1) A peer might get stuck in FAILINGOVER state because the 'sync_point' was set, reset and set incorrectly, the criteria to end the failover would not be met, it could keep waiting for a message that has already received. 2) The early FAILOVER_MSG(s) could be queued in the link failover deferdq but would be purged or not pulled out because the 'drop_point' was not set correctly. 3) The early FAILOVER_MSG(s) could be dropped too. 4) The dummy FAILOVER_MSG could make the peer leaving FAILINGOVER state shortly, but later on it would be restarted. The same situation can also happen when the link is in PEER_RESET state and a FAILOVER_MSG arrives. The commit resolves the issues by forcing the link down immediately, so the failover procedure will be started normally (which is the same as when receiving a FAILOVER_MSG and the link is in up state). Also, the function "tipc_node_link_failover()" is toughen to avoid such a situation from happening. Acked-by: Jon Maloy Signed-off-by: Tuong Lien Signed-off-by: David S. Miller commit cf18cecca911c0db96b868072665347efe6df46f Author: Mauro S. M. Rodrigues Date: Thu Jun 13 16:25:40 2019 -0300 bnx2x: Check if transceiver implements DDM before access Some transceivers may comply with SFF-8472 even though they do not implement the Digital Diagnostic Monitoring (DDM) interface described in the spec. The existence of such area is specified by the 6th bit of byte 92, set to 1 if implemented. Currently, without checking this bit, bnx2x fails trying to read sfp module's EEPROM with the follow message: ethtool -m enP5p1s0f1 Cannot get Module EEPROM data: Input/output error Because it fails to read the additional 256 bytes in which it is assumed to exist the DDM data. This issue was noticed using a Mellanox Passive DAC PN 01FT738. The EEPROM data was confirmed by Mellanox as correct and similar to other Passive DACs from other manufacturers. Signed-off-by: Mauro S. M. Rodrigues Acked-by: Sudarsana Reddy Kalluru Signed-off-by: David S. Miller commit ddd57980a0fde30f7b5d14b888a2cc84d01610e8 Author: Mathias Nyman Date: Tue Jun 18 17:27:48 2019 +0300 xhci: detect USB 3.2 capable host controllers correctly USB 3.2 capability in a host can be detected from the xHCI Supported Protocol Capability major and minor revision fields. If major is 0x3 and minor 0x20 then the host is USB 3.2 capable. For USB 3.2 capable hosts set the root hub lane count to 2. The Major Revision and Minor Revision fields contain a BCD version number. The value of the Major Revision field is JJh and the value of the Minor Revision field is MNh for version JJ.M.N, where JJ = major revision number, M - minor version number, N = sub-minor version number, e.g. version 3.1 is represented with a value of 0310h. Also fix the extra whitespace printed out when announcing regular SuperSpeed hosts. Cc: # v4.18+ Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit b8c3b718087bf7c3c8e388eb1f72ac1108a4926e Author: Mathias Nyman Date: Tue Jun 18 17:27:47 2019 +0300 usb: xhci: Don't try to recover an endpoint if port is in error state. A USB3 device needs to be reset and re-enumarated if the port it connects to goes to a error state, with link state inactive. There is no use in trying to recover failed transactions by resetting endpoints at this stage. Tests show that in rare cases, after multiple endpoint resets of a roothub port the whole host controller might stop completely. Several retries to recover from transaction error can happen as it can take a long time before the hub thread discovers the USB3 port error and inactive link. We can't reliably detect the port error from slot or endpoint context due to a limitation in xhci, see xhci specs section 4.8.3: "There are several cases where the EP State field in the Output Endpoint Context may not reflect the current state of an endpoint" and "Software should maintain an accurate value for EP State, by tracking it with an internal variable that is driven by Events and Doorbell accesses" Same appears to be true for slot state. set a flag to the corresponding slot if a USB3 roothub port link goes inactive to prevent both queueing new URBs and resetting endpoints. Reported-by: Rapolu Chiranjeevi Tested-by: Rapolu Chiranjeevi Cc: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 76e3bcdb61cad2c58ad88b2e4c70c69769026d37 Author: Dennis Restle Date: Tue Apr 30 01:01:49 2019 +0200 KVM: fix typo in documentation The documentation mentions a non-existing capability KVM_CAP_USER_MEM.s The right name is KVM_CAP_USER_MEMORY. Signed-off-by: Dennis Restle Signed-off-by: Paolo Bonzini commit 9870dc39dc53c0ab0534e1d8311a4abed7db570e Author: Boris Brezillon Date: Tue Jun 18 10:13:43 2019 +0200 drm/panfrost: Make sure a BO is only unmapped when appropriate mmu_ops->unmap() will fail when called on a BO that has not been previously mapped, and the error path in panfrost_ioctl_create_bo() can call drm_gem_object_put_unlocked() (which in turn calls panfrost_mmu_unmap()) on a BO that has not been mapped yet. Keep track of the mapped/unmapped state to avoid such issues. Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") Cc: Signed-off-by: Boris Brezillon Signed-off-by: Rob Herring Link: https://patchwork.freedesktop.org/patch/msgid/20190618081343.16927-1-boris.brezillon@collabora.com commit 9642fa73d073527b0cbc337cc17a47d545d82cd2 Author: Mariusz Tkaczyk Date: Thu Jun 13 16:11:41 2019 +0200 md: fix for divide error in status_resync Stopping external metadata arrays during resync/recovery causes retries, loop of interrupting and starting reconstruction, until it hit at good moment to stop completely. While these retries curr_mark_cnt can be small- especially on HDD drives, so subtraction result can be smaller than 0. However it is casted to uint without checking. As a result of it the status bar in /proc/mdstat while stopping is strange (it jumps between 0% and 99%). The real problem occurs here after commit 72deb455b5ec ("block: remove CONFIG_LBDAF"). Sector_div() macro has been changed, now the divisor is casted to uint32. For db = -8 the divisior(db/32-1) becomes 0. Check if db value can be really counted and replace these macro by div64_u64() inline. Signed-off-by: Mariusz Tkaczyk Signed-off-by: Song Liu commit cd3967bee004bcbd142403698d658166fa618c9e Author: Dan Carpenter Date: Tue Jun 18 14:54:10 2019 +0300 soc: ixp4xx: npe: Fix an IS_ERR() vs NULL check in probe The devm_ioremap_resource() function doesn't return NULL, it returns error pointers. Fixes: 0b458d7b10f8 ("soc: ixp4xx: npe: Pass addresses as resources") Signed-off-by: Dan Carpenter Reviewed-by: Linus Walleij Signed-off-by: Olof Johansson commit 615c48ad8f4275b4d39fa57df68d4015078be201 Author: Mike Rapoport Date: Tue Jun 18 10:32:29 2019 +0300 arm64/mm: don't initialize pgd_cache twice When PGD_SIZE != PAGE_SIZE, arm64 uses kmem_cache for allocation of PGD memory. That cache was initialized twice: first through pgtable_cache_init() alias and then as an override for weak pgd_cache_init(). Remove the alias from pgtable_cache_init() and keep the only pgd_cache initialization in pgd_cache_init(). Fixes: caa841360134 ("x86/mm: Initialize PGD cache during mm initialization") Signed-off-by: Mike Rapoport Signed-off-by: Will Deacon commit 2a081968b1e5b69e8181f926b0b6c9ca4830cf86 Author: Hanjun Guo Date: Mon Jun 17 19:02:15 2019 +0800 MAINTAINERS: Update my email address The @linaro.org address is not working and bonucing, so update the references. Signed-off-by: Hanjun Guo Signed-off-by: Will Deacon commit 35341ca0614ab13e1ef34ad4f29a39e15ef31fa8 Author: Anisse Astier Date: Mon Jun 17 15:22:22 2019 +0200 arm64/sve: should not depend on Pulling linux/prctl.h into asm/ptrace.h in the arm64 UAPI headers causes userspace build issues for any program (e.g. strace and qemu) that includes both and when using musl libc: | error: redefinition of 'struct prctl_mm_map' | struct prctl_mm_map { See https://github.com/foundriesio/meta-lmp/commit/6d4a106e191b5d79c41b9ac78fd321316d3013c0 for a public example of people working around this issue. Although it's a bit grotty, fix this breakage by duplicating the prctl constant definitions. Since these are part of the kernel ABI, they cannot be changed in future and so it's not the end of the world to have them open-coded. Fixes: 43d4da2c45b2 ("arm64/sve: ptrace and ELF coredump support") Cc: stable@vger.kernel.org Acked-by: Dave Martin Signed-off-by: Anisse Astier Signed-off-by: Will Deacon commit 253e7483391190c93696bc9710a31b2db9b63d77 Author: Nicolas Schier Date: Mon Jun 17 09:39:00 2019 +0200 ovl: fix typo in MODULE_PARM_DESC Change first argument to MODULE_PARM_DESC() calls, that each of them matched the actual module parameter name. The matching results in changing (the 'parm' section from) the output of `modinfo overlay` from: parm: ovl_check_copy_up:Obsolete; does nothing parm: redirect_max:ushort parm: ovl_redirect_max:Maximum length of absolute redirect xattr value parm: redirect_dir:bool parm: ovl_redirect_dir_def:Default to on or off for the redirect_dir feature parm: redirect_always_follow:bool parm: ovl_redirect_always_follow:Follow redirects even if redirect_dir feature is turned off parm: index:bool parm: ovl_index_def:Default to on or off for the inodes index feature parm: nfs_export:bool parm: ovl_nfs_export_def:Default to on or off for the NFS export feature parm: xino_auto:bool parm: ovl_xino_auto_def:Auto enable xino feature parm: metacopy:bool parm: ovl_metacopy_def:Default to on or off for the metadata only copy up feature into: parm: check_copy_up:Obsolete; does nothing parm: redirect_max:Maximum length of absolute redirect xattr value (ushort) parm: redirect_dir:Default to on or off for the redirect_dir feature (bool) parm: redirect_always_follow:Follow redirects even if redirect_dir feature is turned off (bool) parm: index:Default to on or off for the inodes index feature (bool) parm: nfs_export:Default to on or off for the NFS export feature (bool) parm: xino_auto:Auto enable xino feature (bool) parm: metacopy:Default to on or off for the metadata only copy up feature (bool) Signed-off-by: Nicolas Schier Signed-off-by: Miklos Szeredi commit 1dac6f5b0ed2601be21bb4e27a44b0c3e667b7f4 Author: Arnd Bergmann Date: Mon Jun 17 14:39:29 2019 +0200 ovl: fix bogus -Wmaybe-unitialized warning gcc gets a bit confused by the logic in ovl_setup_trap() and can't figure out whether the local 'trap' variable in the caller was initialized or not: fs/overlayfs/super.c: In function 'ovl_fill_super': fs/overlayfs/super.c:1333:4: error: 'trap' may be used uninitialized in this function [-Werror=maybe-uninitialized] iput(trap); ^~~~~~~~~~ fs/overlayfs/super.c:1312:17: note: 'trap' was declared here Reword slightly to make it easier for the compiler to understand. Fixes: 146d62e5a586 ("ovl: detect overlapping layers") Signed-off-by: Arnd Bergmann Signed-off-by: Miklos Szeredi commit 9179c21dc6ed1c993caa5fe4da876a6765c26af7 Author: Miklos Szeredi Date: Tue Jun 18 15:06:16 2019 +0200 ovl: don't fail with disconnected lower NFS NFS mounts can be disconnected from fs root. Don't fail the overlapping layer check because of this. The check is not authoritative anyway, since topology can change during or after the check. Reported-by: Antti Antinoja Signed-off-by: Miklos Szeredi Fixes: 146d62e5a586 ("ovl: detect overlapping layers") commit 83293386bc95cf5e9f0c0175794455835bd1cb4a Author: Ulf Hansson Date: Tue Jun 18 14:05:17 2019 +0200 mmc: core: Prevent processing SDIO IRQs when the card is suspended Processing of SDIO IRQs must obviously be prevented while the card is system suspended, otherwise we may end up trying to communicate with an uninitialized SDIO card. Reports throughout the years shows that this is not only a theoretical problem, but a real issue. So, let's finally fix this problem, by keeping track of the state for the card and bail out before processing the SDIO IRQ, in case the card is suspended. Cc: stable@vger.kernel.org Reported-by: Douglas Anderson Tested-by: Douglas Anderson Signed-off-by: Ulf Hansson commit 0f7b79a44e7d7dd3ef1f59758c1a341f217ff5e5 Author: Raul E Rangel Date: Mon Jun 17 14:10:12 2019 -0600 mmc: sdhci: sdhci-pci-o2micro: Correctly set bus width when tuning The O2Micro controller only supports tuning at 4-bits. So the host driver needs to change the bus width while tuning and then set it back when done. There was a bug in the original implementation in that mmc->ios.bus_width also wasn't updated. Thus setting the incorrect blocksize in sdhci_send_tuning which results in a tuning failure. Signed-off-by: Raul E Rangel Fixes: 0086fc217d5d7 ("mmc: sdhci: Add support for O2 hardware tuning") Acked-by: Adrian Hunter Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson commit 65dade6044079a5c206fd1803642ff420061417a Author: Douglas Anderson Date: Mon Jun 17 10:56:53 2019 -0700 brcmfmac: sdio: Don't tune while the card is off When Broadcom SDIO cards are idled they go to sleep and a whole separate subsystem takes over their SDIO communication. This is the Always-On-Subsystem (AOS) and it can't handle tuning requests. Specifically, as tested on rk3288-veyron-minnie (which reports having BCM4354/1 in dmesg), if I force a retune in brcmf_sdio_kso_control() when "on = 1" (aka we're transition from sleep to wake) by whacking: bus->sdiodev->func1->card->host->need_retune = 1 ...then I can often see tuning fail. In this case dw_mmc reports "All phases bad!"). Note that I don't get 100% failure, presumably because sometimes the card itself has already transitioned away from the AOS itself by the time we try to wake it up. If I force retuning when "on = 0" (AKA force retuning right before sending the command to go to sleep) then retuning is always OK. NOTE: we need _both_ this patch and the patch to avoid triggering tuning due to CRC errors in the sleep/wake transition, AKA ("brcmfmac: sdio: Disable auto-tuning around commands expected to fail"). Though both patches handle issues with Broadcom's AOS, the problems are distinct: 1. We want to defer (but not ignore) asynchronous (like timer-requested) tuning requests till the card is awake. However, we want to ignore CRC errors during the transition, we don't want to queue deferred tuning request. 2. You could imagine that the AOS could implement retuning but we could still get errors while transitioning in and out of the AOS. Similarly you could imagine a seamless transition into and out of the AOS (with no CRC errors) even if the AOS couldn't handle tuning. ALSO NOTE: presumably there is never a desperate need to retune in order to wake up the card, since doing so is impossible. Luckily the only way the card can get into sleep state is if we had a good enough tuning to send it the command to put it into sleep, so presumably that "good enough" tuning is enough to wake us up, at least with a few retries. Cc: stable@vger.kernel.org #v4.18+ Signed-off-by: Douglas Anderson Acked-by: Adrian Hunter Reviewed-by: Arend van Spriel Acked-by: Kalle Valo Signed-off-by: Ulf Hansson commit b4c9f938d542d5f88c501744d2d12fad4fd2915f Author: Douglas Anderson Date: Mon Jun 17 10:56:52 2019 -0700 mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() We want SDIO drivers to be able to temporarily stop retuning when the driver knows that the SDIO card is not in a state where retuning will work (maybe because the card is asleep). We'll move the relevant functions to a place where drivers can call them. Cc: stable@vger.kernel.org #v4.18+ Signed-off-by: Douglas Anderson Acked-by: Adrian Hunter Acked-by: Kalle Valo Signed-off-by: Ulf Hansson commit 2de0b42da263c97d330d276f5ccf7c4470e3324f Author: Douglas Anderson Date: Mon Jun 17 10:56:51 2019 -0700 brcmfmac: sdio: Disable auto-tuning around commands expected to fail There are certain cases, notably when transitioning between sleep and active state, when Broadcom SDIO WiFi cards will produce errors on the SDIO bus. This is evident from the source code where you can see that we try commands in a loop until we either get success or we've tried too many times. The comment in the code reinforces this by saying "just one write attempt may fail" Unfortunately these failures sometimes end up causing an "-EILSEQ" back to the core which triggers a retuning of the SDIO card and that blocks all traffic to the card until it's done. Let's disable retuning around the commands we expect might fail. Cc: stable@vger.kernel.org #v4.18+ Signed-off-by: Douglas Anderson Acked-by: Adrian Hunter Reviewed-by: Arend van Spriel Acked-by: Kalle Valo Signed-off-by: Ulf Hansson commit 0a55f4ab9678413a01e740c86e9367ba0c612b36 Author: Douglas Anderson Date: Mon Jun 17 10:56:50 2019 -0700 mmc: core: API to temporarily disable retuning for SDIO CRC errors Normally when the MMC core sees an "-EILSEQ" error returned by a host controller then it will trigger a retuning of the card. This is generally a good idea. However, if a command is expected to sometimes cause transfer errors then these transfer errors shouldn't cause a re-tuning. This re-tuning will be a needless waste of time. One example case where a transfer is expected to cause errors is when transitioning between idle (sometimes referred to as "sleep" in Broadcom code) and active state on certain Broadcom WiFi SDIO cards. Specifically if the card was already transitioning between states when the command was sent it could cause an error on the SDIO bus. Let's add an API that the SDIO function drivers can call that will temporarily disable the auto-tuning functionality. Then we can add a call to this in the Broadcom WiFi driver and any other driver that might have similar needs. NOTE: this makes the assumption that the card is already tuned well enough that it's OK to disable the auto-retuning during one of these error-prone situations. Presumably the driver code performing the error-prone transfer knows how to recover / retry from errors. ...and after we can get back to a state where transfers are no longer error-prone then we can enable the auto-retuning again. If we truly find ourselves in a case where the card needs to be retuned sometimes to handle one of these error-prone transfers then we can always try a few transfers first without auto-retuning and then re-try with auto-retuning if the first few fail. Without this change on rk3288-veyron-minnie I periodically see this in the logs of a machine just sitting there idle: dwmmc_rockchip ff0d0000.dwmmc: Successfully tuned phase to XYZ Cc: stable@vger.kernel.org #v4.18+ Signed-off-by: Douglas Anderson Acked-by: Adrian Hunter Acked-by: Kalle Valo Signed-off-by: Ulf Hansson commit abdd5dcc00207e7c38680f3754d1bfffafff1093 Author: Douglas Anderson Date: Mon Jun 17 10:56:49 2019 -0700 Revert "brcmfmac: disable command decode in sdio_aos" This reverts commit 29f6589140a10ece8c1d73f58043ea5b3473ab3e. After that patch landed I find that my kernel log on rk3288-veyron-minnie and rk3288-veyron-speedy is filled with: brcmfmac: brcmf_sdio_bus_sleep: error while changing bus sleep state -110 This seems to happen every time the Broadcom WiFi transitions out of sleep mode. Reverting the commit fixes the problem for me, so that's what this patch does. Note that, in general, the justification in the original commit seemed a little weak. It looked like someone was testing on a SD card controller that would sometimes die if there were CRC errors on the bus. This used to happen back in early days of dw_mmc (the controller on my boards), but we fixed it. Disabling a feature on all boards just because one SD card controller is broken seems bad. Fixes: 29f6589140a1 ("brcmfmac: disable command decode in sdio_aos") Cc: Wright Feng Cc: Double Lo Cc: Madhan Mohan R Cc: Chi-Hsien Lin Signed-off-by: Douglas Anderson Cc: stable@vger.kernel.org Acked-by: Kalle Valo Signed-off-by: Ulf Hansson commit 140d90098fed269eac61551b4e84fdbcc917843e Author: Arnd Bergmann Date: Mon Jun 17 14:24:32 2019 +0200 ARM: ixp4xx: include irqs.h where needed Multiple ixp4xx specific files require macros from irqs.h that were moved out from mach/irqs.h, e.g.: arch/arm/mach-ixp4xx/vulcan-pci.c:41:19: error: this function declaration is not a prototype [-Werror,-Wstrict-prototypes] arch/arm/mach-ixp4xx/vulcan-pci.c:49:10: error: implicit declaration of function 'IXP4XX_GPIO_IRQ' [-Werror,-Wimplicit-function-declaration] return IXP4XX_GPIO_IRQ(INTA); Include this header in all files that failed to build because of that. Fixes: dc8ef8cd3a05 ("ARM: ixp4xx: Convert to SPARSE_IRQ") Signed-off-by: Arnd Bergmann Signed-off-by: Olof Johansson commit 4ea10150ea00ec4b111b441797199a177fbd05f4 Author: Arnd Bergmann Date: Mon Jun 17 14:24:31 2019 +0200 ARM: ixp4xx: mark ixp4xx_irq_setup as __init Kbuild complains about ixp4xx_irq_setup not being __init itself in some configurations: WARNING: vmlinux.o(.text+0x85bae4): Section mismatch in reference from the function ixp4xx_irq_setup() to the function .init.text:set_handle_irq() The function ixp4xx_irq_setup() references the function __init set_handle_irq(). This is often because ixp4xx_irq_setup lacks a __init annotation or the annotation of set_handle_irq is wrong. I suspect it normally gets inlined, so we get no such warning, but clang makes this obvious when the function is left out of line. Signed-off-by: Arnd Bergmann Signed-off-by: Olof Johansson commit 6d8df60218416d6919c174b87786e4c3b06323ce Author: Arnd Bergmann Date: Mon Jun 17 14:24:30 2019 +0200 ARM: ixp4xx: don't select SERIAL_OF_PLATFORM Platforms should not normally select all the device drivers, leave that up to the user and the defconfig file. In this case, we get a warning for randconfig builds: WARNING: unmet direct dependencies detected for SERIAL_OF_PLATFORM Depends on [n]: TTY [=y] && HAS_IOMEM [=y] && SERIAL_8250 [=n] && OF [=y] Selected by [y]: - MACH_IXP4XX_OF [=y] && ARCH_IXP4XX [=y] Fixes: 9540724ca29d ("ARM: ixp4xx: Add device tree boot support") Signed-off-by: Arnd Bergmann Signed-off-by: Olof Johansson commit cad47b322da0b67d864180b6fc8e92561890ccec Author: Arnd Bergmann Date: Mon Jun 17 14:33:23 2019 +0200 firmware: trusted_foundations: add ARMv7 dependency The "+sec" extension is invalid for older ARM architectures, but the code can now be built on any ARM configuration: /tmp/trusted_foundations-2d0882.s: Assembler messages: /tmp/trusted_foundations-2d0882.s:194: Error: architectural extension `sec' is not allowed for the current base architecture /tmp/trusted_foundations-2d0882.s:201: Error: selected processor does not support `smc #0' in ARM mode /tmp/trusted_foundations-2d0882.s:213: Error: architectural extension `sec' is not allowed for the current base architecture /tmp/trusted_foundations-2d0882.s:220: Error: selected processor does not support `smc #0' in ARM mode Add a dependency on ARMv7 for the build. Fixes: 4cb5d9eca143 ("firmware: Move Trusted Foundations support") Signed-off-by: Arnd Bergmann Signed-off-by: Olof Johansson commit 42de8afc40c97002fceb500e2331f6a722be3c14 Author: Jules Maselbas Date: Thu May 9 11:15:28 2019 +0200 usb: dwc2: Use generic PHY width in params setup Setting params.phy_utmi_width in dwc2_lowlevel_hw_init() is pointless since it's value will be overwritten by dwc2_init_params(). This change make sure to take in account the generic PHY width information during paraminitialisation, done in dwc2_set_param_phy_utmi_width(). By doing so, the phy_utmi_width params can still be overrided by devicetree specific params and will also be checked against hardware capabilities. Fixes: 707d80f0a3c5 ("usb: dwc2: gadget: Replace phyif with phy_utmi_width") Acked-by: Minas Harutyunyan Tested-by: Marek Szyprowski Signed-off-by: Jules Maselbas Signed-off-by: Felipe Balbi commit a019ab40679715ea680cc8561a02888be70bc4e9 Author: Li Yang Date: Mon Apr 22 13:30:56 2019 -0500 arm64: defconfig: Enable FSL_EDMA driver Enables the FSL EDMA driver by default. This also works around an issue that imx-i2c driver keeps deferring the probe because of the DMA is not ready. And currently the DMA engine framework can not correctly tell if the DMA channels will truly become available later (it will never be available if the DMA driver is not enabled). This will cause indefinite messages like below: [ 3.335829] imx-i2c 2180000.i2c: can't get pinctrl, bus recovery not supported [ 3.344455] ina2xx 0-0040: power monitor ina220 (Rshunt = 1000 uOhm) [ 3.350917] lm90 0-004c: 0-004c supply vcc not found, using dummy regulator [ 3.362089] imx-i2c 2180000.i2c: can't get pinctrl, bus recovery not supported [ 3.370741] ina2xx 0-0040: power monitor ina220 (Rshunt = 1000 uOhm) [ 3.377205] lm90 0-004c: 0-004c supply vcc not found, using dummy regulator [ 3.388455] imx-i2c 2180000.i2c: can't get pinctrl, bus recovery not supported ..... Signed-off-by: Li Yang Signed-off-by: Shawn Guo commit 529254340c7f16d59b928e36568597c603bae917 Author: Gal Pressman Date: Wed Jun 12 10:28:41 2019 +0300 RDMA/efa: Fix success return value in case of error Existing code would mistakenly return success in case of error instead of a proper return value. Fixes: e9c6c5373088 ("RDMA/efa: Add common command handlers") Reviewed-by: Firas JahJah Reviewed-by: Yossi Leybovich Signed-off-by: Gal Pressman Signed-off-by: Doug Ledford commit 942a899335707fc9cfc97cb382a60734b2ff4e03 Author: Mike Marciniszyn Date: Fri Jun 14 12:33:06 2019 -0400 IB/hfi1: Handle port down properly in pio The call to sc_buffer_alloc currently returns NULL (no buffer) or a buffer descriptor. There is a third case when the port is down. Currently that returns NULL and this prevents the caller from properly handling the sc_buffer_alloc() failure. A verbs code link test after the call is racy so the indication needs to come from the state check inside the allocation routine to be valid. Fix by encoding the ECOMM failure like SDMA. IS_ERR_OR_NULL() tests are added at all call sites. For verbs send, this needs to treat any error by returning a completion without any MMIO copy. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford commit 099a884ba4c00145cef283d36e050726311c2e95 Author: Mike Marciniszyn Date: Fri Jun 14 12:33:00 2019 -0400 IB/hfi1: Handle wakeup of orphaned QPs for pio Once a send context is taken down due to a link failure, any QPs waiting for pio credits will stay on the waitlist indefinitely. Fix by wakeing up all QPs linked to piowait list. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford commit f972775b1cc0441ae22c9f8d06dd16b118463632 Author: Mike Marciniszyn Date: Fri Jun 14 12:32:50 2019 -0400 IB/hfi1: Wakeup QPs orphaned on wait list after flush Once an SDMA engine is taken down due to a link failure, any waiting QPs that do not have outstanding descriptors in the ring will stay on the dmawait list as long as the port is down. Since there is no timer running, they will stay there for a long time. The fix is to wake up all iowaits linked to dmawait. The send engine will build and post packets that get flushed back. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford commit 4bb02e9572af1383038d83ad196d7166c515f2ee Author: Mike Marciniszyn Date: Fri Jun 14 12:32:44 2019 -0400 IB/hfi1: Use aborts to trigger RC throttling SDMA and pio flushes will cause a lot of packets to be transmitted after a link has gone down, using a lot of CPU to retransmit packets. Fix for RC QPs by recognizing the flush status and: - Forcing a timer start - Putting the QP into a "send one" mode Fixes: 7724105686e7 ("IB/hfi1: add driver files") Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford commit 9755f72496664eec70bc804104118b5797b6bf63 Author: Mike Marciniszyn Date: Fri Jun 14 12:32:38 2019 -0400 IB/hfi1: Create inline to get extended headers This paves the way for another patch that reacts to a flush sdma completion for RC. Fixes: 81cd3891f021 ("IB/hfi1: Add support for 16B Management Packets") Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford commit 3230f4a8d44e4a0bb7afea814b280b5129521f52 Author: Mike Marciniszyn Date: Fri Jun 14 12:32:32 2019 -0400 IB/hfi1: Silence txreq allocation warnings The following warning can happen when a memory shortage occurs during txreq allocation: [10220.939246] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC) [10220.939246] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016 [10220.939247] cache: mnt_cache, object size: 384, buffer size: 384, default order: 2, min order: 0 [10220.939260] Workqueue: hfi0_0 _hfi1_do_send [hfi1] [10220.939261] node 0: slabs: 1026568, objs: 43115856, free: 0 [10220.939262] Call Trace: [10220.939262] node 1: slabs: 820872, objs: 34476624, free: 0 [10220.939263] dump_stack+0x5a/0x73 [10220.939265] warn_alloc+0x103/0x190 [10220.939267] ? wake_all_kswapds+0x54/0x8b [10220.939268] __alloc_pages_slowpath+0x86c/0xa2e [10220.939270] ? __alloc_pages_nodemask+0x2fe/0x320 [10220.939271] __alloc_pages_nodemask+0x2fe/0x320 [10220.939273] new_slab+0x475/0x550 [10220.939275] ___slab_alloc+0x36c/0x520 [10220.939287] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1] [10220.939299] ? __get_txreq+0x54/0x160 [hfi1] [10220.939310] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1] [10220.939312] __slab_alloc+0x40/0x61 [10220.939323] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1] [10220.939325] kmem_cache_alloc+0x181/0x1b0 [10220.939336] hfi1_make_rc_req+0x90/0x18b0 [hfi1] [10220.939348] ? hfi1_verbs_send_dma+0x386/0xa10 [hfi1] [10220.939359] ? find_prev_entry+0xb0/0xb0 [hfi1] [10220.939371] hfi1_do_send+0x1d9/0x3f0 [hfi1] [10220.939372] process_one_work+0x171/0x380 [10220.939374] worker_thread+0x49/0x3f0 [10220.939375] kthread+0xf8/0x130 [10220.939377] ? max_active_store+0x80/0x80 [10220.939378] ? kthread_bind+0x10/0x10 [10220.939379] ret_from_fork+0x35/0x40 [10220.939381] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC) The shortage is handled properly so the message isn't needed. Silence by adding the no warn option to the slab allocation. Fixes: 45842abbb292 ("staging/rdma/hfi1: move txreq header code") Cc: Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford commit cf131a81967583ae737df6383a0893b9fee75b4e Author: Mike Marciniszyn Date: Fri Jun 14 12:32:26 2019 -0400 IB/hfi1: Avoid hardlockup with flushlist_lock Heavy contention of the sde flushlist_lock can cause hard lockups at extreme scale when the flushing logic is under stress. Mitigate by replacing the item at a time copy to the local list with an O(1) list_splice_init() and using the high priority work queue to do the flushes. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Cc: Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford commit 84b028243ef07a3f65c1857343ada2b1022f8bed Author: Suraj Jitindar Singh Date: Mon Jun 17 17:16:19 2019 +1000 KVM: PPC: Book3S HV: Only write DAWR[X] when handling h_set_dawr in real mode The hcall H_SET_DAWR is used by a guest to set the data address watchpoint register (DAWR). This hcall is handled in the host in kvmppc_h_set_dawr() which can be called in either real mode on the guest exit path from hcall_try_real_mode() in book3s_hv_rmhandlers.S, or in virtual mode when called from kvmppc_pseries_do_hcall() in book3s_hv.c. The function kvmppc_h_set_dawr() updates the dawr and dawrx fields in the vcpu struct accordingly and then also writes the respective values into the DAWR and DAWRX registers directly. It is necessary to write the registers directly here when calling the function in real mode since the path to re-enter the guest won't do this. However when in virtual mode the host DAWR and DAWRX values have already been restored, and so writing the registers would overwrite these. Additionally there is no reason to write the guest values here as these will be read from the vcpu struct and written to the registers appropriately the next time the vcpu is run. This also avoids the case when handling h_set_dawr for a nested guest where the guest hypervisor isn't able to write the DAWR and DAWRX registers directly and must rely on the real hypervisor to do this for it when it calls H_ENTER_NESTED. Fixes: c1fe190c0672 ("powerpc: Add force enable of DAWR on P9 option") Signed-off-by: Suraj Jitindar Singh Signed-off-by: Michael Ellerman commit fabb2efcf0846e28b4910fc20bdc203d3d0170af Author: Michael Neuling Date: Mon Jun 17 17:16:18 2019 +1000 KVM: PPC: Book3S HV: Fix r3 corruption in h_set_dabr() Commit c1fe190c0672 ("powerpc: Add force enable of DAWR on P9 option") screwed up some assembler and corrupted a pointer in r3. This resulted in crashes like the below: BUG: Kernel NULL pointer dereference at 0x000013bf Faulting instruction address: 0xc00000000010b044 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix MMU=Hash SMP NR_CPUS=2048 NUMA pSeries CPU: 8 PID: 1771 Comm: qemu-system-ppc Kdump: loaded Not tainted 5.2.0-rc4+ #3 NIP: c00000000010b044 LR: c0080000089dacf4 CTR: c00000000010aff4 REGS: c00000179b397710 TRAP: 0300 Not tainted (5.2.0-rc4+) MSR: 800000000280b033 CR: 42244842 XER: 00000000 CFAR: c00000000010aff8 DAR: 00000000000013bf DSISR: 42000000 IRQMASK: 0 GPR00: c0080000089dd6bc c00000179b3979a0 c008000008a04300 ffffffffffffffff GPR04: 0000000000000000 0000000000000003 000000002444b05d c0000017f11c45d0 ... NIP kvmppc_h_set_dabr+0x50/0x68 LR kvmppc_pseries_do_hcall+0xa3c/0xeb0 [kvm_hv] Call Trace: 0xc0000017f11c0000 (unreliable) kvmppc_vcpu_run_hv+0x694/0xec0 [kvm_hv] kvmppc_vcpu_run+0x34/0x48 [kvm] kvm_arch_vcpu_ioctl_run+0x2f4/0x400 [kvm] kvm_vcpu_ioctl+0x460/0x850 [kvm] do_vfs_ioctl+0xe4/0xb40 ksys_ioctl+0xc4/0x110 sys_ioctl+0x28/0x80 system_call+0x5c/0x70 Instruction dump: 4082fff4 4c00012c 38600000 4e800020 e96280c0 896b0000 2c2b0000 3860ffff 4d820020 50852e74 508516f6 78840724 f8a313c8 7c942ba6 7cbc2ba6 Fix the bug by only changing r3 when we are returning immediately. Fixes: c1fe190c0672 ("powerpc: Add force enable of DAWR on P9 option") Signed-off-by: Michael Neuling Signed-off-by: Suraj Jitindar Singh Reported-by: Cédric Le Goater Signed-off-by: Michael Ellerman commit 29f785ff76b65696800b75c3d8e0b58e603bb1d0 Merge: da0f38202986 d728cf79164b Author: Linus Torvalds Date: Mon Jun 17 16:28:28 2019 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs fixes from Al Viro: "MS_MOVE regression fix + breakage in fsmount(2) (also introduced in this cycle, along with fsmount(2) itself). I'm still digging through the piles of mail, so there might be more fixes to follow, but these two are obvious and self-contained, so there's no point delaying those..." * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fs/namespace: fix unprivileged mount propagation vfs: fsmount: add missing mntget() commit da0f382029868806e88c046eb2560fdee7a9457c Merge: eb7c825bf747 4fddbf8a99ee Author: Linus Torvalds Date: Mon Jun 17 15:55:34 2019 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: "Lots of bug fixes here: 1) Out of bounds access in __bpf_skc_lookup, from Lorenz Bauer. 2) Fix rate reporting in cfg80211_calculate_bitrate_he(), from John Crispin. 3) Use after free in psock backlog workqueue, from John Fastabend. 4) Fix source port matching in fdb peer flow rule of mlx5, from Raed Salem. 5) Use atomic_inc_not_zero() in fl6_sock_lookup(), from Eric Dumazet. 6) Network header needs to be set for packet redirect in nfp, from John Hurley. 7) Fix udp zerocopy refcnt, from Willem de Bruijn. 8) Don't assume linear buffers in vxlan and geneve error handlers, from Stefano Brivio. 9) Fix TOS matching in mlxsw, from Jiri Pirko. 10) More SCTP cookie memory leak fixes, from Neil Horman. 11) Fix VLAN filtering in rtl8366, from Linus Walluij. 12) Various TCP SACK payload size and fragmentation memory limit fixes from Eric Dumazet. 13) Use after free in pneigh_get_next(), also from Eric Dumazet. 14) LAPB control block leak fix from Jeremy Sowden" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (145 commits) lapb: fixed leak of control-blocks. tipc: purge deferredq list for each grp member in tipc_group_delete ax25: fix inconsistent lock state in ax25_destroy_timer neigh: fix use-after-free read in pneigh_get_next tcp: fix compile error if !CONFIG_SYSCTL hv_sock: Suppress bogus "may be used uninitialized" warnings be2net: Fix number of Rx queues used for flow hashing net: handle 802.1P vlan 0 packets properly tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() tcp: add tcp_min_snd_mss sysctl tcp: tcp_fragment() should apply sane memory limits tcp: limit payload size of sacked skbs Revert "net: phylink: set the autoneg state in phylink_phy_change" bpf: fix nested bpf tracepoints with per-cpu data bpf: Fix out of bounds memory access in bpf_sk_storage vsock/virtio: set SOCK_DONE on peer shutdown net: dsa: rtl8366: Fix up VLAN filtering net: phylink: set the autoneg state in phylink_phy_change net: add high_order_alloc_disable sysctl/static key tcp: add tcp_tx_skb_cache sysctl ... commit d728cf79164bb38e9628d15276e636539f857ef1 Author: Christian Brauner Date: Mon Jun 17 23:22:14 2019 +0200 fs/namespace: fix unprivileged mount propagation When propagating mounts across mount namespaces owned by different user namespaces it is not possible anymore to move or umount the mount in the less privileged mount namespace. Here is a reproducer: sudo mount -t tmpfs tmpfs /mnt sudo --make-rshared /mnt # create unprivileged user + mount namespace and preserve propagation unshare -U -m --map-root --propagation=unchanged # now change back to the original mount namespace in another terminal: sudo mkdir /mnt/aaa sudo mount -t tmpfs tmpfs /mnt/aaa # now in the unprivileged user + mount namespace mount --move /mnt/aaa /opt Unfortunately, this is a pretty big deal for userspace since this is e.g. used to inject mounts into running unprivileged containers. So this regression really needs to go away rather quickly. The problem is that a recent change falsely locked the root of the newly added mounts by setting MNT_LOCKED. Fix this by only locking the mounts on copy_mnt_ns() and not when adding a new mount. Fixes: 3bd045cc9c4b ("separate copying and locking mount tree on cross-userns copies") Cc: Linus Torvalds Cc: Al Viro Cc: Tested-by: Christian Brauner Acked-by: Christian Brauner Signed-off-by: "Eric W. Biederman" Signed-off-by: Christian Brauner Signed-off-by: Al Viro commit 1b0b9cc8d3793e31b313e6c9685513b08cd883c4 Author: Eric Biggers Date: Wed Jun 12 11:43:13 2019 -0700 vfs: fsmount: add missing mntget() sys_fsmount() needs to take a reference to the new mount when adding it to the anonymous mount namespace. Otherwise the filesystem can be unmounted while it's still in use, as found by syzkaller. Reported-by: Mark Rutland Reported-by: syzbot+99de05d099a170867f22@syzkaller.appspotmail.com Reported-by: syzbot+7008b8b8ba7df475fdc8@syzkaller.appspotmail.com Fixes: 93766fbd2696 ("vfs: syscall: Add fsmount() to create a mount for a superblock") Signed-off-by: Eric Biggers Signed-off-by: Al Viro commit 61cabc7b0a5cf0d3c532cfa96594c801743fe7f6 Author: Ronnie Sahlberg Date: Fri Jun 14 13:02:29 2019 +1000 cifs: fix GlobalMid_Lock bug in cifs_reconnect We can not hold the GlobalMid_Lock spinlock during the dfs processing in cifs_reconnect since it invokes things that may sleep and thus trigger : BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:23 Thus we need to drop the spinlock during this code block. RHBZ: 1716743 Cc: stable@vger.kernel.org Signed-off-by: Ronnie Sahlberg Acked-by: Pavel Shilovsky Signed-off-by: Steve French commit 8d526d62db907e786fd88948c75d1833d82bd80e Author: Steve French Date: Mon Jun 17 14:49:07 2019 -0500 SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write Some servers such as Windows 10 will return STATUS_INSUFFICIENT_RESOURCES as the number of simultaneous SMB3 requests grows (even though the client has sufficient credits). Return EAGAIN on STATUS_INSUFFICIENT_RESOURCES so that we can retry writes which fail with this status code. This (for example) fixes large file copies to Windows 10 on fast networks. Signed-off-by: Steve French CC: Stable Reviewed-by: Ronnie Sahlberg Reviewed-by: Pavel Shilovsky commit 9b9410766f5422d1e736783dc0c3a053eefedac4 Merge: d7a5417b8947 5efe5137f05b Author: Greg Kroah-Hartman Date: Mon Jun 17 22:59:28 2019 +0200 Merge branch 'erofs_fix' into staging-linus A branch is needed here to get the fix into staging-next as well. Signed-off-by: Greg Kroah-Hartman commit 5efe5137f05bbb4688890620934538c005e7d1d6 Author: Gao Xiang Date: Thu Jun 13 16:35:41 2019 +0800 staging: erofs: add requirements field in superblock There are some backward incompatible features pending for months, mainly due to on-disk format expensions. However, we should ensure that it cannot be mounted with old kernels. Otherwise, it will causes unexpected behaviors. Fixes: ba2b77a82022 ("staging: erofs: add super block operations") Cc: # 4.19+ Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman commit d7a5417b89470d353118a451630ed71f119f58b8 Merge: f2c7c76c5d0a 0c75376fa395 Author: Greg Kroah-Hartman Date: Mon Jun 17 22:28:29 2019 +0200 Merge tag 'iio-fixes-for-5.2b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus Jonathan writes: Second set of IIO fixes for the 5.2 cycle. * ad7150 - sense of bit for controlling adaptive vs fixed threshold was flipped. * adt7316 - Fix a build issue due to wrong headers for gpio usage. * lsm6dsx - correctly suspend / resume i2c slaves when the host goes to sleep. * mlx90632 - relax a compatability check to allow for newer devices. Also one counters fix * counter/ftm-quaddec - missing dependencies in Kconfig. * tag 'iio-fixes-for-5.2b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio: counter/ftm-quaddec: Add missing dependencies in Kconfig staging: iio: adt7316: Fix build errors when GPIOLIB is not set iio: temperature: mlx90632 Relax the compatibility check iio: imu: st_lsm6dsx: fix PM support for st_lsm6dsx i2c controller staging:iio:ad7150: fix threshold mode config bit commit 4fddbf8a99ee5a65bdd31b3ebbf5a84b9395d496 Merge: 6be8e297f9bc 967c05aee439 Author: David S. Miller Date: Mon Jun 17 10:39:56 2019 -0700 Merge branch 'tcp-fixes' Eric Dumazet says: ==================== tcp: make sack processing more robust Jonathan Looney brought to our attention multiple problems in TCP stack at the sender side. SACK processing can be abused by malicious peers to either cause overflows, or increase of memory usage. First two patches fix the immediate problems. Since the malicious peers abuse senders by advertizing a very small MSS in their SYN or SYNACK packet, the last two patches add a new sysctl so that admins can chose a higher limit for MSS clamping. ==================== Signed-off-by: David S. Miller commit adeaa21a4b6954e878f3f7d1c5659ed9c1fe567a Author: Anisse Astier Date: Mon Jun 17 15:22:21 2019 +0200 arm64: ssbd: explicitly depend on Fix ssbd.c which depends implicitly on asm/ptrace.h including linux/prctl.h (through for example linux/compat.h, then linux/time.h, linux/seqlock.h, linux/spinlock.h and linux/irqflags.h), and uses PR_SPEC* defines. This is an issue since we'll soon be removing the include from asm/ptrace.h. Fixes: 9cdc0108baa8 ("arm64: ssbd: Add prctl interface for per-thread mitigation") Cc: stable@vger.kernel.org Signed-off-by: Anisse Astier Signed-off-by: Will Deacon commit eb7c825bf74755a9ea975b7a463c6d13ffa7f447 Merge: 9e0babf2c06c 259931fd3b96 Author: Linus Torvalds Date: Mon Jun 17 10:34:03 2019 -0700 Merge tag 'riscv-for-v5.2/fixes-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Paul Walmsley: "This contains fixes, defconfig, and DT data changes for the v5.2-rc series. The fixes are relatively straightforward: - Addition of a TLB fence in the vmalloc_fault path, so the CPU doesn't enter an infinite page fault loop - Readdition of the pm_power_off export, so device drivers that reassign it can now be built as modules - A udelay() fix for RV32, fixing a miscomputation of the delay time - Removal of deprecated smp_mb__*() barriers This also adds initial DT data infrastructure for arch/riscv, along with initial data for the SiFive FU540-C000 SoC and the corresponding HiFive Unleashed board. We also update the RV64 defconfig to include some core drivers for the FU540 in the build" * tag 'riscv-for-v5.2/fixes-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: remove unused barrier defines riscv: mm: synchronize MMU after pte change riscv: dts: add initial board data for the SiFive HiFive Unleashed riscv: dts: add initial support for the SiFive FU540-C000 SoC dt-bindings: riscv: convert cpu binding to json-schema dt-bindings: riscv: sifive: add YAML documentation for the SiFive FU540 arch: riscv: add support for building DTB files from DT source data riscv: Fix udelay in RV32. riscv: export pm_power_off again RISC-V: defconfig: enable clocks, serial console commit 4569180495600ac59f5cd27f67242a6cb51254f3 Author: Christoph Hellwig Date: Mon Jun 17 11:14:12 2019 +0200 block: fix page leak when merging to same page When multiple iovecs reference the same page, each get_user_page call will add a reference to the page. But once we've created the bio that information gets lost and only a single reference will be dropped after I/O completion. Use the same_page information returned from __bio_try_merge_page to drop additional references to pages that were already present in the bio. Based on a patch from Ming Lei. Link: https://lkml.org/lkml/2019/4/23/64 Fixes: 576ed913 ("block: use bio_add_page in bio_iov_iter_get_pages") Reported-by: David Gibson Signed-off-by: Christoph Hellwig Reviewed-by: Ming Lei Signed-off-by: Jens Axboe commit ff896738be381efa6e50ba9a3b6cdc94f69ada42 Author: Christoph Hellwig Date: Mon Jun 17 11:14:11 2019 +0200 block: return from __bio_try_merge_page if merging occured in the same page We currently have an input same_page parameter to __bio_try_merge_page to prohibit merging in the same page. The rationale for that is that some callers need to account for every page added to a bio. Instead of letting these callers call twice into the merge code to account for the new vs existing page cases, just turn the paramter into an output one that returns if a merge in the same page occured and let them act accordingly. Signed-off-by: Christoph Hellwig Reviewed-by: Ming Lei Signed-off-by: Jens Axboe commit 3763771cf60236caaf7ccc79cea244c63d7c49a0 Author: Filipe Manana Date: Wed Jun 12 15:14:11 2019 +0100 Btrfs: fix failure to persist compression property xattr deletion on fsync After the recent series of cleanups in the properties and xattrs modules that landed in the 5.2 merge window, we ended up with a regression where after deleting the compression xattr property through the setflags ioctl, we don't set the BTRFS_INODE_COPY_EVERYTHING flag in the inode anymore. As a consequence, if the inode was fsync'ed when it had the compression property set, after deleting the compression property through the setflags ioctl and fsync'ing again the inode, the log will still contain the compression xattr, because the inode did not had that bit set, which made the fsync not delete all xattrs from the log and copy all xattrs from the subvolume tree to the log tree. This regression happens due to the fact that that series of cleanups made btrfs_set_prop() call the old function do_setxattr() (which is now named btrfs_setxattr()), and not the old version of btrfs_setxattr(), which is now called btrfs_setxattr_trans(). Fix this by setting the BTRFS_INODE_COPY_EVERYTHING bit in the current btrfs_setxattr() function and remove it from everywhere else, including its setup at btrfs_ioctl_setflags(). This is cleaner, avoids similar regressions in the future, and centralizes the setup of the bit. After all, the need to setup this bit should only be in the xattrs module, since it is an implementation of xattrs. Fixes: 04e6863b19c722 ("btrfs: split btrfs_setxattr calls regarding transaction") CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit c8edb316b9bb6149193436dfbd240994733e27be Author: Stephen Boyd Date: Fri Jun 14 10:46:06 2019 -0700 clk: Do a DT parent lookup even when index < 0 We want to allow the parent lookup to happen even if the index is some value less than 0. This may be the case if a clk provider only specifies the .name member to match a string in the "clock-names" DT property. We shouldn't require that the index be >= 0 to make this use case work. Fixes: 601b6e93304a ("clk: Allow parents to be specified via clkspec index") Reported-by: Alexandre Mergnat Cc: Jerome Brunet Cc: Chen-Yu Tsai Reviewed-by: Chen-Yu Tsai Signed-off-by: Stephen Boyd commit 259931fd3b96e4386b361b7f80c1d89b266234c8 Author: Rolf Eike Beer Date: Mon Jun 17 14:25:59 2019 +0200 riscv: remove unused barrier defines They were introduced in commit fab957c11efe ("RISC-V: Atomic and Locking Code") long after commit 2e39465abc4b ("locking: Remove deprecated smp_mb__() barriers") removed the remnants of all previous instances from the tree. Signed-off-by: Rolf Eike Beer [paul.walmsley@sifive.com: stripped spurious mbox header from patch description; fixed commit references in patch header] Signed-off-by: Paul Walmsley commit c19dffc0a9511a7d7493ec21019aefd97e9a111b Author: Peter Chen Date: Mon Jun 17 09:49:07 2019 +0800 usb: chipidea: udc: workaround for endpoint conflict issue An endpoint conflict occurs when the USB is working in device mode during an isochronous communication. When the endpointA IN direction is an isochronous IN endpoint, and the host sends an IN token to endpointA on another device, then the OUT transaction may be missed regardless the OUT endpoint number. Generally, this occurs when the device is connected to the host through a hub and other devices are connected to the same hub. The affected OUT endpoint can be either control, bulk, isochronous, or an interrupt endpoint. After the OUT endpoint is primed, if an IN token to the same endpoint number on another device is received, then the OUT endpoint may be unprimed (cannot be detected by software), which causes this endpoint to no longer respond to the host OUT token, and thus, no corresponding interrupt occurs. There is no good workaround for this issue, the only thing the software could do is numbering isochronous IN from the highest endpoint since we have observed most of device number endpoint from the lowest. Cc: #v3.14+ Cc: Fabio Estevam Cc: Greg KH Cc: Sergei Shtylyov Cc: Jun Li Signed-off-by: Peter Chen Signed-off-by: Greg Kroah-Hartman commit 4b576d15df5c8cbe9cf427093c1c0f5f58fbf8fa Author: Andy Gross Date: Fri Jun 7 14:44:51 2019 -0500 MAINTAINERS: Change QCOM repo location This patch updates the Qualcomm SoC repo to a new location. Signed-off-by: Andy Gross Reviewed-by: Bjorn Andersson Signed-off-by: Olof Johansson commit 20314ce30af197963b0c239f0952db6aaef73f99 Author: jjian zhou Date: Mon Jun 17 19:04:08 2019 +0800 mmc: mediatek: fix SDIO IRQ detection issue If cmd19 timeout or response crcerr occurs during execute_tuning(), it need invoke msdc_reset_hw(). Otherwise SDIO IRQ can't be detected. Signed-off-by: jjian zhou Signed-off-by: Chaotian Jing Signed-off-by: Yong Mao Fixes: 5215b2e952f3 ("mmc: mediatek: Add MMC_CAP_SDIO_IRQ support") Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson commit 8a5df8ac628f4febea1e6cd3044bff2d536dd096 Author: jjian zhou Date: Mon Jun 17 19:04:07 2019 +0800 mmc: mediatek: fix SDIO IRQ interrupt handle flow SDIO IRQ is triggered by low level. It need disable SDIO IRQ detected function. Otherwise the interrupt register can't be cleared. It will process the interrupt more. Signed-off-by: Jjian Zhou Signed-off-by: Chaotian Jing Signed-off-by: Yong Mao Fixes: 5215b2e952f3 ("mmc: mediatek: Add MMC_CAP_SDIO_IRQ support") Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson commit b0e370b95a3b231d0fb5d1958cce85ef57196fe6 Author: Wolfram Sang Date: Tue Jun 11 22:03:43 2019 +0200 mmc: core: complete HS400 before checking status We don't have a reproducible error case, yet our BSP team suggested that the mmc_switch_status() command in mmc_select_hs400() should come after the callback into the driver completing HS400 setup. It makes sense to me because we want the status of a fully setup HS400, so it will increase the reliability of the mmc_switch_status() command. Reported-by: Yoshihiro Shimoda Signed-off-by: Wolfram Sang Fixes: ba6c7ac3a2f4 ("mmc: core: more fine-grained hooks for HS400 tuning") Signed-off-by: Ulf Hansson commit bf587caae305ae3b4393077fb22c98478ee55755 Author: ShihPo Hung Date: Mon Jun 17 12:26:17 2019 +0800 riscv: mm: synchronize MMU after pte change Because RISC-V compliant implementations can cache invalid entries in TLB, an SFENCE.VMA is necessary after changes to the page table. This patch adds an SFENCE.vma for the vmalloc_fault path. Signed-off-by: ShihPo Hung [paul.walmsley@sifive.com: reversed tab->whitespace conversion, wrapped comment lines] Signed-off-by: Paul Walmsley Cc: Palmer Dabbelt Cc: Albert Ou Cc: Paul Walmsley Cc: linux-riscv@lists.infradead.org Cc: stable@vger.kernel.org commit c584b1202f2d0a04eaa66c29aaee9f6c172b5aa3 Author: Will Deacon Date: Fri May 31 12:59:15 2019 +0100 MAINTAINERS: Update my email address to use @kernel.org My @arm.com address will stop working at the end of August, so update to my @kernel.org address where you'll still be able to reach me. When I say "stop working" I really mean "will go to my line manager", so send patches there at your peril because they may reply with roadmaps and spreadsheets. You have been warned. Cc: Will Deacon Cc: Catalin Marinas Cc: Marc Zyngier Cc: Russell King Cc: "Paul E . McKenney" Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Bjorn Helgaas Cc: Andrew Morton Cc: Stephen Rothwell Cc: Greg Kroah-Hartman Cc: Linus Torvalds Cc: Joerg Roedel Cc: arm-soc Signed-off-by: Will Deacon commit 085ebfe937d7a7a5df1729f35a12d6d655fea68c Author: Peter Zijlstra Date: Wed May 29 14:37:24 2019 +0200 perf/core: Fix perf_sample_regs_user() mm check perf_sample_regs_user() uses 'current->mm' to test for the presence of userspace, but this is insufficient, consider use_mm(). A better test is: '!(current->flags & PF_KTHREAD)', exec() clears PF_KTHREAD after it sets the new ->mm but before it drops to userspace for the first time. Possibly obsoletes: bf05fc25f268 ("powerpc/perf: Fix oops when kthread execs user process") Reported-by: Ravi Bangoria Reported-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Peter Zijlstra (Intel) Acked-by: Will Deacon Cc: Arnaldo Carvalho de Melo Cc: Frederic Weisbecker Cc: Jiri Olsa Cc: Linus Torvalds Cc: Michael Ellerman Cc: Naveen N. Rao Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Fixes: 4018994f3d87 ("perf: Add ability to attach user level registers dump to sample") Signed-off-by: Ingo Molnar commit cd49b84d61b2dfc0360c76d9e6be49f5116ba1a5 Author: Dan Carpenter Date: Thu Jun 6 15:41:27 2019 +0300 mfd: stmfx: Uninitialized variable in stmfx_irq_handler() The problem is that on 64bit systems then we don't clear the higher bits of the "pending" variable. So when we do: ack = pending & ~BIT(STMFX_REG_IRQ_SRC_EN_GPIO); if (ack) { the if (ack) condition relies on uninitialized data. The fix it that I've changed "pending" from an unsigned long to a u32. I changed "n" as well, because that's a number in the 0-10 range and it fits easily inside an int. We do need to add a cast to "pending" when we use it in the for_each_set_bit() loop, but that doesn't cause a problem, it's fine. Fixes: 06252ade9156 ("mfd: Add ST Multi-Function eXpander (STMFX) core driver") Signed-off-by: Dan Carpenter Acked-by: Amelie Delaunay Signed-off-by: Lee Jones commit c35f1b87fc595807ff15d2834d241f9771497205 Author: Paul Walmsley Date: Mon May 20 09:19:41 2019 -0700 riscv: dts: add initial board data for the SiFive HiFive Unleashed Add initial board data for the SiFive HiFive Unleashed A00. Currently the data populated in this DT file describes the board DRAM configuration and the external clock sources that supply the PRCI. Signed-off-by: Paul Walmsley Signed-off-by: Paul Walmsley Tested-by: Loys Ollivier Tested-by: Kevin Hilman Cc: Rob Herring Cc: Mark Rutland Cc: Palmer Dabbelt Cc: Albert Ou Cc: Antony Pavlov Cc: devicetree@vger.kernel.org Cc: linux-riscv@lists.infradead.org Cc: linux-kernel@vger.kernel.org commit 72296bde4f4207566872ee355950a59cbc29f852 Author: Paul Walmsley Date: Mon May 27 23:34:09 2019 -0700 riscv: dts: add initial support for the SiFive FU540-C000 SoC Add initial support for the SiFive FU540-C000 SoC. This is a 28nm SoC based around the SiFive U54-MC core complex and a TileLink interconnect. This file is expected to grow as more device drivers are added to the kernel. This patch includes a fix to the QSPI memory map due to a documentation bug, found by ShihPo Hung , adds entries for the I2C controller, and merges all DT changes that formerly were made dynamically by the riscv-pk BBL proxy kernel. Signed-off-by: Paul Walmsley Signed-off-by: Paul Walmsley Tested-by: Loys Ollivier Tested-by: Kevin Hilman Cc: Rob Herring Cc: Mark Rutland Cc: Palmer Dabbelt Cc: Albert Ou Cc: ShihPo Hung Cc: devicetree@vger.kernel.org Cc: linux-riscv@lists.infradead.org Cc: linux-kernel@vger.kernel.org commit 4fd669a8c4873b6ad54e77bc45aa37b03edc5587 Author: Paul Walmsley Date: Mon May 20 09:19:40 2019 -0700 dt-bindings: riscv: convert cpu binding to json-schema At Rob's request, we're starting to migrate our DT binding documentation to json-schema YAML format. Start by converting our cpu binding documentation. While doing so, document more properties and nodes. This includes adding binding documentation support for the E51 and U54 CPU cores ("harts") that are present on this SoC. These cores are described in: https://static.dev.sifive.com/FU540-C000-v1.0.pdf This cpus.yaml file is intended to be a starting point and to evolve over time. It passes dt-doc-validate as of the yaml-bindings commit 4c79d42e9216. This patch was originally based on the ARM json-schema binding documentation as added by commit 672951cbd1b7 ("dt-bindings: arm: Convert cpu binding to json-schema"). Signed-off-by: Paul Walmsley Signed-off-by: Paul Walmsley Reviewed-by: Rob Herring Cc: Mark Rutland Cc: Lorenzo Pieralisi Cc: devicetree@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-riscv@lists.infradead.org commit c7af55981789299547c51caf5db38e6872e7841f Author: Paul Walmsley Date: Mon May 20 09:19:40 2019 -0700 dt-bindings: riscv: sifive: add YAML documentation for the SiFive FU540 Add YAML DT binding documentation for the SiFive FU540 SoC. This SoC is documented at: https://static.dev.sifive.com/FU540-C000-v1.0.pdf Passes dt-doc-validate, as of yaml-bindings commit 4c79d42e9216. Signed-off-by: Paul Walmsley Signed-off-by: Paul Walmsley Reviewed-by: Rob Herring Cc: Rob Herring Cc: Mark Rutland Cc: Palmer Dabbelt Cc: Albert Ou Cc: devicetree@vger.kernel.org Cc: linux-riscv@lists.infradead.org Cc: linux-kernel@vger.kernel.org commit 8d4e048d60bd03c29ce6bb9615a18f08b8eb5c89 Author: Paul Walmsley Date: Mon May 20 09:19:40 2019 -0700 arch: riscv: add support for building DTB files from DT source data Similar to ARM64, add support for building DTB files from DT source data for RISC-V boards. This patch starts with the infrastructure needed for SiFive boards. Boards from other vendors would add support here in a similar form. Signed-off-by: Paul Walmsley Signed-off-by: Paul Walmsley Tested-by: Loys Ollivier Tested-by: Kevin Hilman Cc: Palmer Dabbelt Cc: Albert Ou commit 971afec3a5373f96684ad899579f6a4d51462410 Author: Weinan Li Date: Fri Jun 14 09:35:19 2019 +0800 drm/i915/gvt: ignore unexpected pvinfo write There is pvinfo writing come from vgpu might be unexpected, like writing to one unknown address, GVT-g should do as reserved register to discard any invalid write. Now GVT-g lets it write to the vreg without prompt error message, should ignore the unexpected pvinfo write access and leave the vreg as the default value. For possible guest query GVT-g host feature, this returned proper value instead of wrong guest setting. v2: ignore unexpected pvinfo write instead of return predefined value Fixes: e39c5add3221 ("drm/i915/gvt: vGPU MMIO virtualization") Cc: Zhenyu Wang Reviewed-by: Zhenyu Wang Signed-off-by: Weinan Li Signed-off-by: Zhenyu Wang commit 6be8e297f9bcea666ea85ac7a6cd9d52d6deaf92 Author: Jeremy Sowden Date: Sun Jun 16 16:54:37 2019 +0100 lapb: fixed leak of control-blocks. lapb_register calls lapb_create_cb, which initializes the control- block's ref-count to one, and __lapb_insert_cb, which increments it when adding the new block to the list of blocks. lapb_unregister calls __lapb_remove_cb, which decrements the ref-count when removing control-block from the list of blocks, and calls lapb_put itself to decrement the ref-count before returning. However, lapb_unregister also calls __lapb_devtostruct to look up the right control-block for the given net_device, and __lapb_devtostruct also bumps the ref-count, which means that when lapb_unregister returns the ref-count is still 1 and the control-block is leaked. Call lapb_put after __lapb_devtostruct to fix leak. Reported-by: syzbot+afb980676c836b4a0afa@syzkaller.appspotmail.com Signed-off-by: Jeremy Sowden Signed-off-by: David S. Miller commit 5cf02612b33f104fe1015b2dfaf1758ad3675588 Author: Xin Long Date: Sun Jun 16 17:24:07 2019 +0800 tipc: purge deferredq list for each grp member in tipc_group_delete Syzbot reported a memleak caused by grp members' deferredq list not purged when the grp is be deleted. The issue occurs when more(msg_grp_bc_seqno(hdr), m->bc_rcv_nxt) in tipc_group_filter_msg() and the skb will stay in deferredq. So fix it by calling __skb_queue_purge for each member's deferredq in tipc_group_delete() when a tipc sk leaves the grp. Fixes: b87a5ea31c93 ("tipc: guarantee group unicast doesn't bypass group broadcast") Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com Signed-off-by: Xin Long Acked-by: Ying Xue Signed-off-by: David S. Miller commit d6ed083f5cc621e15c15b56c3b585fd524dbcb0f Author: Hauke Mehrtens Date: Mon Jun 17 00:30:39 2019 +0200 MIPS: Fix bounds check virt_addr_valid The bounds check used the uninitialized variable vaddr, it should use the given parameter kaddr instead. When using the uninitialized value the compiler assumed it to be 0 and optimized this function to just return 0 in all cases. This should make the function check the range of the given address and only do the page map check in case it is in the expected range of virtual addresses. Fixes: 074a1e1167af ("MIPS: Bounds check virt_addr_valid") Cc: stable@vger.kernel.org # v4.12+ Cc: Paul Burton Signed-off-by: Hauke Mehrtens Signed-off-by: Paul Burton Cc: ralf@linux-mips.org Cc: jhogan@kernel.org Cc: f4bug@amsat.org Cc: linux-mips@vger.kernel.org Cc: ysu@wavecomp.com Cc: jcristau@debian.org commit a52548dd0491a544558e971cd5963501e1a2024d Merge: fb4e0592654a a050fa5476d4 Author: Thomas Gleixner Date: Mon Jun 17 00:40:01 2019 +0200 Merge tag 'irqchip-5.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent Pull irqchip fixes for 5.2 from Marc Zyngier: - CSky mpintc: allow interrupts to be broadcast - TI sci-inta: fix error handling - MIPS GIC: Fix local interrupt mapping - ITS: Fix command queue wrapping commit d4d5d8e83c9616aeef28a2869cea49cc3fb35526 Author: Eric Dumazet Date: Sat Jun 15 16:40:52 2019 -0700 ax25: fix inconsistent lock state in ax25_destroy_timer Before thread in process context uses bh_lock_sock() we must disable bh. sysbot reported : WARNING: inconsistent lock state 5.2.0-rc3+ #32 Not tainted inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. blkid/26581 [HC0[0]:SC1[1]:HE1:SE0] takes: 00000000e0da85ee (slock-AF_AX25){+.?.}, at: spin_lock include/linux/spinlock.h:338 [inline] 00000000e0da85ee (slock-AF_AX25){+.?.}, at: ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275 {SOFTIRQ-ON-W} state was registered at: lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:338 [inline] ax25_rt_autobind+0x3ca/0x720 net/ax25/ax25_route.c:429 ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1221 __sys_connect+0x264/0x330 net/socket.c:1834 __do_sys_connect net/socket.c:1845 [inline] __se_sys_connect net/socket.c:1842 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:1842 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe irq event stamp: 2272 hardirqs last enabled at (2272): [] trace_hardirqs_on_thunk+0x1a/0x1c hardirqs last disabled at (2271): [] trace_hardirqs_off_thunk+0x1a/0x1c softirqs last enabled at (1522): [] __do_softirq+0x654/0x94c kernel/softirq.c:320 softirqs last disabled at (2267): [] invoke_softirq kernel/softirq.c:374 [inline] softirqs last disabled at (2267): [] irq_exit+0x180/0x1d0 kernel/softirq.c:414 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(slock-AF_AX25); lock(slock-AF_AX25); *** DEADLOCK *** 1 lock held by blkid/26581: #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:175 [inline] #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: call_timer_fn+0xe0/0x720 kernel/time/timer.c:1312 stack backtrace: CPU: 1 PID: 26581 Comm: blkid Not tainted 5.2.0-rc3+ #32 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_usage_bug.cold+0x393/0x4a2 kernel/locking/lockdep.c:2935 valid_state kernel/locking/lockdep.c:2948 [inline] mark_lock_irq kernel/locking/lockdep.c:3138 [inline] mark_lock+0xd46/0x1370 kernel/locking/lockdep.c:3513 mark_irqflags kernel/locking/lockdep.c:3391 [inline] __lock_acquire+0x159f/0x5490 kernel/locking/lockdep.c:3745 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:338 [inline] ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275 call_timer_fn+0x193/0x720 kernel/time/timer.c:1322 expire_timers kernel/time/timer.c:1366 [inline] __run_timers kernel/time/timer.c:1685 [inline] __run_timers kernel/time/timer.c:1653 [inline] run_timer_softirq+0x66f/0x1740 kernel/time/timer.c:1698 __do_softirq+0x25c/0x94c kernel/softirq.c:293 invoke_softirq kernel/softirq.c:374 [inline] irq_exit+0x180/0x1d0 kernel/softirq.c:414 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806 RIP: 0033:0x7f858d5c3232 Code: 8b 61 08 48 8b 84 24 d8 00 00 00 4c 89 44 24 28 48 8b ac 24 d0 00 00 00 4c 8b b4 24 e8 00 00 00 48 89 7c 24 68 48 89 4c 24 78 <48> 89 44 24 58 8b 84 24 e0 00 00 00 89 84 24 84 00 00 00 8b 84 24 RSP: 002b:00007ffcaf0cf5c0 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 RAX: 00007f858d7d27a8 RBX: 00007f858d7d8820 RCX: 00007f858d3940d8 RDX: 00007ffcaf0cf798 RSI: 00000000f5e616f3 RDI: 00007f858d394fee RBP: 0000000000000000 R08: 00007ffcaf0cf780 R09: 00007f858d7db480 R10: 0000000000000000 R11: 0000000009691a75 R12: 0000000000000005 R13: 00000000f5e616f3 R14: 0000000000000000 R15: 00007ffcaf0cf798 Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 Author: Eric Dumazet Date: Sat Jun 15 16:28:48 2019 -0700 neigh: fix use-after-free read in pneigh_get_next Nine years ago, I added RCU handling to neighbours, not pneighbours. (pneigh are not commonly used) Unfortunately I missed that /proc dump operations would use a common entry and exit point : neigh_seq_start() and neigh_seq_stop() We need to read_lock(tbl->lock) or risk use-after-free while iterating the pneigh structures. We might later convert pneigh to RCU and revert this patch. sysbot reported : BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158 Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825 CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 kasan_report+0x12/0x20 mm/kasan/common.c:614 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158 neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240 seq_read+0x9cf/0x1110 fs/seq_file.c:258 proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221 do_loop_readv_writev fs/read_write.c:714 [inline] do_loop_readv_writev fs/read_write.c:701 [inline] do_iter_read+0x4a4/0x660 fs/read_write.c:935 vfs_readv+0xf0/0x160 fs/read_write.c:997 kernel_readv fs/splice.c:359 [inline] default_file_splice_read+0x475/0x890 fs/splice.c:414 do_splice_to+0x127/0x180 fs/splice.c:877 splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954 do_splice_direct+0x1da/0x2a0 fs/splice.c:1063 do_sendfile+0x597/0xd00 fs/read_write.c:1464 __do_sys_sendfile64 fs/read_write.c:1525 [inline] __se_sys_sendfile64 fs/read_write.c:1511 [inline] __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4592c9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4 R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff Allocated by task 9827: save_stack+0x23/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_kmalloc mm/kasan/common.c:489 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503 __do_kmalloc mm/slab.c:3660 [inline] __kmalloc+0x15c/0x740 mm/slab.c:3669 kmalloc include/linux/slab.h:552 [inline] pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731 arp_req_set_public net/ipv4/arp.c:1010 [inline] arp_req_set+0x613/0x720 net/ipv4/arp.c:1026 arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226 inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926 sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043 sock_ioctl+0x3ed/0x780 net/socket.c:1194 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9824: save_stack+0x23/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 __cache_free mm/slab.c:3432 [inline] kfree+0xcf/0x220 mm/slab.c:3755 pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline] __neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356 neigh_ifdown+0x20/0x30 net/core/neighbour.c:372 arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274 inetdev_destroy net/ipv4/devinet.c:319 [inline] inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544 notifier_call_chain+0xc2/0x230 kernel/notifier.c:95 __raw_notifier_call_chain kernel/notifier.c:396 [inline] raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749 call_netdevice_notifiers_extack net/core/dev.c:1761 [inline] call_netdevice_notifiers net/core/dev.c:1775 [inline] rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178 rollback_registered+0x109/0x1d0 net/core/dev.c:8220 unregister_netdevice_queue net/core/dev.c:9267 [inline] unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260 unregister_netdevice include/linux/netdevice.h:2631 [inline] __tun_detach+0xd8a/0x1040 drivers/net/tun.c:724 tun_detach drivers/net/tun.c:741 [inline] tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451 __fput+0x2ff/0x890 fs/file_table.c:280 ____fput+0x16/0x20 fs/file_table.c:313 task_work_run+0x145/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:185 [inline] exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888097f2a700 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888097f2a700, ffff888097f2a740) The buggy address belongs to the page: page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340 raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller commit 2e05fcae83c41eb2df10558338dc600dc783af47 Author: Eric Dumazet Date: Sat Jun 15 13:19:55 2019 -0700 tcp: fix compile error if !CONFIG_SYSCTL tcp_tx_skb_cache_key and tcp_rx_skb_cache_key must be available even if CONFIG_SYSCTL is not set. Fixes: 0b7d7f6b2208 ("tcp: add tcp_tx_skb_cache sysctl") Fixes: ede61ca474a0 ("tcp: add tcp_rx_skb_cache sysctl") Signed-off-by: Eric Dumazet Reported-by: Willem de Bruijn Signed-off-by: David S. Miller commit d424a2afd7da136a98e9485bfd6c5d5506bd77f8 Author: Dexuan Cui Date: Sat Jun 15 05:00:57 2019 +0000 hv_sock: Suppress bogus "may be used uninitialized" warnings gcc 8.2.0 may report these bogus warnings under some condition: warning: ‘vnew’ may be used uninitialized in this function warning: ‘hvs_new’ may be used uninitialized in this function Actually, the 2 pointers are only initialized and used if the variable "conn_from_host" is true. The code is not buggy here. Signed-off-by: Dexuan Cui Signed-off-by: David S. Miller commit 718f4a2537089ea41903bf357071306163bc7c04 Author: Ivan Vecera Date: Fri Jun 14 17:48:36 2019 +0200 be2net: Fix number of Rx queues used for flow hashing Number of Rx queues used for flow hashing returned by the driver is incorrect and this bug prevents user to use the last Rx queue in indirection table. Let's say we have a NIC with 6 combined queues: [root@sm-03 ~]# ethtool -l enp4s0f0 Channel parameters for enp4s0f0: Pre-set maximums: RX: 5 TX: 5 Other: 0 Combined: 6 Current hardware settings: RX: 0 TX: 0 Other: 0 Combined: 6 Default indirection table maps all (6) queues equally but the driver reports only 5 rings available. [root@sm-03 ~]# ethtool -x enp4s0f0 RX flow hash indirection table for enp4s0f0 with 5 RX ring(s): 0: 0 1 2 3 4 5 0 1 8: 2 3 4 5 0 1 2 3 16: 4 5 0 1 2 3 4 5 24: 0 1 2 3 4 5 0 1 ... Now change indirection table somehow: [root@sm-03 ~]# ethtool -X enp4s0f0 weight 1 1 [root@sm-03 ~]# ethtool -x enp4s0f0 RX flow hash indirection table for enp4s0f0 with 6 RX ring(s): 0: 0 0 0 0 0 0 0 0 ... 64: 1 1 1 1 1 1 1 1 ... Now it is not possible to change mapping back to equal (default) state: [root@sm-03 ~]# ethtool -X enp4s0f0 equal 6 Cannot set RX flow hash configuration: Invalid argument Fixes: 594ad54a2c3b ("be2net: Add support for setting and getting rx flow hash options") Reported-by: Tianhao Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller commit 36b2f61a42c29add695f3bd192ce44d5c113c1eb Author: Govindarajulu Varadarajan Date: Fri Jun 14 06:13:54 2019 -0700 net: handle 802.1P vlan 0 packets properly When stack receives pkt: [802.1P vlan 0][802.1AD vlan 100][IPv4], vlan_do_receive() returns false if it does not find vlan_dev. Later __netif_receive_skb_core() fails to find packet type handler for skb->protocol 801.1AD and drops the packet. 801.1P header with vlan id 0 should be handled as untagged packets. This patch fixes it by checking if vlan_id is 0 and processes next vlan header. Signed-off-by: Govindarajulu Varadarajan Signed-off-by: David S. Miller commit 80d1d46525459df73b670b72328d04e9f8d7e0da Merge: d5d3652af157 8a0098c05a27 Author: Olof Johansson Date: Sun Jun 16 13:33:51 2019 -0700 Merge tag 'omap-for-v5.2/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes Fixes for omap variants Three fixes mostly for dra7 SoC variants that have some devices disabled compared to the base SoC. These got broken by the change of making devices probe with ti-sysc interconnect target module and went unnnoticed for a while. And there is no clkcel bit for timer12 unlike timer1. Also included is a GPIO direction fix for phytec SDIO card detection. * tag 'omap-for-v5.2/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: dts: am335x phytec boards: Fix cd-gpios active level ARM: dts: dra72x: Disable usb4_tm target module ARM: dts: Drop bogus CLKSEL for timer12 on dra7 Signed-off-by: Olof Johansson commit d5d3652af15704cda84036d69076c1107a2f4bcf Merge: 75d91ba4750e 68f2515bb31a Author: Olof Johansson Date: Sun Jun 16 13:33:13 2019 -0700 Merge tag 'davinci-fixes-for-v5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci into fixes DaVinci fixes for v5.2 kernel. This addresses an issue with probe of IO expander on DA850 EVM. There is also a WARN_ON() fix on DA850 and DA830 devices. * tag 'davinci-fixes-for-v5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci: ARM: davinci: da8xx: specify dma_coherent_mask for lcdc ARM: davinci: da850-evm: call regulator_has_full_constraints() Signed-off-by: Olof Johansson commit 75d91ba4750ee036204e985e2568e10cbc88869d Merge: 5a55a1612373 cc538ca43083 Author: Olof Johansson Date: Sun Jun 16 13:32:47 2019 -0700 Merge tag 'mvebu-fixes-5.2-1' of git://git.infradead.org/linux-mvebu into fixes mvebu fixes for 5.2 (part 1) Fixing defconfig allowing to use Ethernet again on Armada 38x based boards * tag 'mvebu-fixes-5.2-1' of git://git.infradead.org/linux-mvebu: ARM: mvebu_v7_defconfig: fix Ethernet on Clearfog Signed-off-by: Olof Johansson commit 5a55a16123734d44eac907a41b0b80a7840b2d3b Merge: 9f22081ea221 a6b112b04355 Author: Olof Johansson Date: Sun Jun 16 13:30:30 2019 -0700 Merge tag 'am654-fixes-for-v5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/kristo/linux into fixes Texas Instruments AM65x fixes for v5.2 - Fix up a Kbuild warning when SOC_TI is not set * tag 'am654-fixes-for-v5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/kristo/linux: arm64: arch_k3: Fix kconfig dependency warning Signed-off-by: Olof Johansson commit 9f22081ea221554d2ed8bb7f2abdbd312fce6436 Merge: 6515a2ceac76 e8bd76dccd79 Author: Olof Johansson Date: Sun Jun 16 13:29:08 2019 -0700 Merge tag 'arm-soc/for-5.2/devicetree-fixes' of https://github.com/Broadcom/stblinux into fixes This pull request contains Broadcom ARM-based SoCs Device Tree fixes for 5.2-rc1, please pull the following: - Florian fixes the remaining Broadcom DTS files to have a valid device_type = "memory" property which was missed during the removal of skeleton.dtsi * tag 'arm-soc/for-5.2/devicetree-fixes' of https://github.com/Broadcom/stblinux: ARM: dts: bcm: Add missing device_type = "memory" property Signed-off-by: Olof Johansson commit 6515a2ceac76aa557ac91c7cb315a6f153870dfe Merge: 4bded299838f 4ee23cd76c0c Author: Olof Johansson Date: Sun Jun 16 13:27:36 2019 -0700 Merge tag 'omap-for-v5.2/fixes-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes Fixes for omap variants for dra7 mmc voltage and boot issues This series contains dra7 mmc voltage fixes, and fixes to the recent changes to probe devices with device tree data insteas of legacy platform data: - Two fixes for dra7 mmc that needs 1.8V mode disabled as in case of a reset, the bootrom will try to access the mmc card at 3.3V potentially damaging the card - Two regression fixes for am335x d_can. We must allow devices with no control registers for ti-sysc interconnect target module driver for at least d_can, and we remove the incorrect control registers for d_can. And we must configure the osc clock for d_can as otherwise register access may fail depending on the bootloader version - Four regression fixes for dra7 variant dts files to tag rtc and usb4 as disabled for dra71x and dra76x. These SoC variants do not have these devices, and got accidentally enabled when the L4 interconnect got defined in the dra7-l4.dtsi for the dra7 SoC family * tag 'omap-for-v5.2/fixes-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: dts: dra71x: Disable usb4_tm target module ARM: dts: dra71x: Disable rtc target module ARM: dts: dra76x: Disable usb4_tm target module ARM: dts: dra76x: Disable rtc target module ARM: dts: dra76x: Update MMC2_HS200_MANUAL1 iodelay values ARM: dts: am57xx-idk: Remove support for voltage switching for SD card bus: ti-sysc: Handle devices with no control registers ARM: dts: Configure osc clock for d_can on am335x Signed-off-by: Olof Johansson commit 4bded299838ffb2735b73598ed5a008bd03023f3 Merge: 9925a6d9b794 b25af2ff7c07 Author: Olof Johansson Date: Sun Jun 16 13:26:55 2019 -0700 Merge tag 'imx-fixes-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes i.MX fixes for 5.2: - A build fix for soc-imx8 driver which needs SOC_BUS support. To avoid dealing with the dependency for every single i.MX SoC bus driver, we selects at from architecture level. - A fix on i.MX SCU firmware driver to ensure SCU irq is enabled only after IPC is ready. - A regression fix on cpuidle-imx6sx driver, which causes some characters loss on serial communication. * tag 'imx-fixes-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX firmware: imx: SCU irq should ONLY be enabled after SCU IPC is ready arm64: imx: Fix build error without CONFIG_SOC_BUS Signed-off-by: Olof Johansson commit 9925a6d9b794a67db360c1be300a598fa8a83470 Merge: c1d6f4adf465 b2279bcffa72 Author: Olof Johansson Date: Sun Jun 16 13:25:50 2019 -0700 Merge tag 'arm-soc/for-5.2/maintainers' of https://github.com/Broadcom/stblinux into fixes This pull request contains MAINTAINERS file update for Broadcom ARM/ARM64 SoCs, please pull the following: - Stefan updates his email address under the BCM2835 entry * tag 'arm-soc/for-5.2/maintainers' of https://github.com/Broadcom/stblinux: MAINTAINERS: Update Stefan Wahren email address Signed-off-by: Olof Johansson commit c1d6f4adf46592e825b77c43408cd929a80e9aba Merge: 9e0babf2c06c 6b23af0783a5 Author: Olof Johansson Date: Sun Jun 16 13:24:59 2019 -0700 Merge tag 'arm-soc/for-5.2/drivers-fixes' of https://github.com/Broadcom/stblinux into fixes This pull request contains Broadcom ARM/ARM64/MIPS SoCs device drivers fixes for 5.2-rc1, please pull the following: - Florian fixes the biuctrl driver not to create an error condition/path upon unsupported CPU and also fixes the biuctrl driver writes to used a data barrier which is necessary given the HW block design * tag 'arm-soc/for-5.2/drivers-fixes' of https://github.com/Broadcom/stblinux: soc: bcm: brcmstb: biuctrl: Register writes require a barrier soc: brcmstb: Fix error path for unsupported CPUs Signed-off-by: Olof Johansson commit 9e0babf2c06c73cda2c0cd37a1653d823adb40ec Author: Linus Torvalds Date: Sun Jun 16 08:49:45 2019 -1000 Linux 5.2-rc5 commit 963172d9c7e862654d3d24cbcafb33f33ae697a8 Merge: efba92d58fa3 78f4e932f776 Author: Linus Torvalds Date: Sun Jun 16 07:28:14 2019 -1000 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "The accumulated fixes from this and last week: - Fix vmalloc TLB flush and map range calculations which lead to stale TLBs, spurious faults and other hard to diagnose issues. - Use fault_in_pages_writable() for prefaulting the user stack in the FPU code as it's less fragile than the current solution - Use the PF_KTHREAD flag when checking for a kernel thread instead of current->mm as the latter can give the wrong answer due to use_mm() - Compute the vmemmap size correctly for KASLR and 5-Level paging. Otherwise this can end up with a way too small vmemmap area. - Make KASAN and 5-level paging work again by making sure that all invalid bits are masked out when computing the P4D offset. This worked before but got broken recently when the LDT remap area was moved. - Prevent a NULL pointer dereference in the resource control code which can be triggered with certain mount options when the requested resource is not available. - Enforce ordering of microcode loading vs. perf initialization on secondary CPUs. Otherwise perf tries to access a non-existing MSR as the boot CPU marked it as available. - Don't stop the resource control group walk early otherwise the control bitmaps are not updated correctly and become inconsistent. - Unbreak kgdb by returning 0 on success from kgdb_arch_set_breakpoint() instead of an error code. - Add more Icelake CPU model defines so depending changes can be queued in other trees" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/microcode, cpuhotplug: Add a microcode loader CPU hotplug callback x86/kasan: Fix boot with 5-level paging and KASAN x86/fpu: Don't use current->mm to check for a kthread x86/kgdb: Return 0 from kgdb_arch_set_breakpoint() x86/resctrl: Prevent NULL pointer dereference when local MBM is disabled x86/resctrl: Don't stop walking closids when a locksetup group is found x86/fpu: Update kernel's FPU state before using for the fsave header x86/mm/KASLR: Compute the size of the vmemmap section properly x86/fpu: Use fault_in_pages_writeable() for pre-faulting x86/CPU: Add more Icelake model numbers mm/vmalloc: Avoid rare case of flushing TLB with weird arguments mm/vmalloc: Fix calculation of direct map addr range commit efba92d58fa37d714d665deddb5cc6458b39bb88 Merge: f763cf8e47d3 e3ff9c3678b4 Author: Linus Torvalds Date: Sun Jun 16 07:22:56 2019 -1000 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Thomas Gleixner: "A set of small fixes: - Repair the ktime_get_coarse() functions so they actually deliver what they are supposed to: tick granular time stamps. The current code missed to add the accumulated nanoseconds part of the timekeeper so the resulting granularity was 1 second. - Prevent the tracer from infinitely recursing into time getter functions in the arm architectured timer by marking these functions notrace - Fix a trivial compiler warning caused by wrong qualifier ordering" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: timekeeping: Repair ktime_get_coarse*() granularity clocksource/drivers/arm_arch_timer: Don't trace count reader functions clocksource/drivers/timer-ti-dm: Change to new style declaration commit f763cf8e47d3aa4b081e0537d060c12818de8d0f Merge: e01e060fe00d 0ade0b6240c4 Author: Linus Torvalds Date: Sun Jun 16 07:19:15 2019 -1000 Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull RAS fixes from Thomas Gleixner: "Two small fixes for RAS: - Use a proper search algorithm to find the correct element in the CEC array. The replacement was a better choice than fixing the crash causes by the original search function with horrible duct tape. - Move the timer based decay function into thread context so it can actually acquire the mutex which protects the CEC array to prevent corruption" * 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: RAS/CEC: Convert the timer callback to a workqueue RAS/CEC: Fix binary search function commit 967c05aee439e6e5d7d805e195b3a20ef5c433d6 Author: Eric Dumazet Date: Sat Jun 8 10:22:49 2019 -0700 tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() If mtu probing is enabled tcp_mtu_probing() could very well end up with a too small MSS. Use the new sysctl tcp_min_snd_mss to make sure MSS search is performed in an acceptable range. CVE-2019-11479 -- tcp mss hardcoded to 48 Signed-off-by: Eric Dumazet Reported-by: Jonathan Lemon Cc: Jonathan Looney Acked-by: Neal Cardwell Cc: Yuchung Cheng Cc: Tyler Hicks Cc: Bruce Curtis Signed-off-by: David S. Miller commit 5f3e2bf008c2221478101ee72f5cb4654b9fc363 Author: Eric Dumazet Date: Thu Jun 6 09:15:31 2019 -0700 tcp: add tcp_min_snd_mss sysctl Some TCP peers announce a very small MSS option in their SYN and/or SYN/ACK messages. This forces the stack to send packets with a very high network/cpu overhead. Linux has enforced a minimal value of 48. Since this value includes the size of TCP options, and that the options can consume up to 40 bytes, this means that each segment can include only 8 bytes of payload. In some cases, it can be useful to increase the minimal value to a saner value. We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility reasons. Note that TCP_MAXSEG socket option enforces a minimal value of (TCP_MIN_MSS). David Miller increased this minimal value in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.") from 64 to 88. We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS. CVE-2019-11479 -- tcp mss hardcoded to 48 Signed-off-by: Eric Dumazet Suggested-by: Jonathan Looney Acked-by: Neal Cardwell Cc: Yuchung Cheng Cc: Tyler Hicks Cc: Bruce Curtis Cc: Jonathan Lemon Signed-off-by: David S. Miller commit f070ef2ac66716357066b683fb0baf55f8191a2e Author: Eric Dumazet Date: Sat May 18 05:12:05 2019 -0700 tcp: tcp_fragment() should apply sane memory limits Jonathan Looney reported that a malicious peer can force a sender to fragment its retransmit queue into tiny skbs, inflating memory usage and/or overflow 32bit counters. TCP allows an application to queue up to sk_sndbuf bytes, so we need to give some allowance for non malicious splitting of retransmit queue. A new SNMP counter is added to monitor how many times TCP did not allow to split an skb if the allowance was exceeded. Note that this counter might increase in the case applications use SO_SNDBUF socket option to lower sk_sndbuf. CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the socket is already using more than half the allowed space Signed-off-by: Eric Dumazet Reported-by: Jonathan Looney Acked-by: Neal Cardwell Acked-by: Yuchung Cheng Reviewed-by: Tyler Hicks Cc: Bruce Curtis Cc: Jonathan Lemon Signed-off-by: David S. Miller commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff Author: Eric Dumazet Date: Fri May 17 17:17:22 2019 -0700 tcp: limit payload size of sacked skbs Jonathan Looney reported that TCP can trigger the following crash in tcp_shifted_skb() : BUG_ON(tcp_skb_pcount(skb) < pcount); This can happen if the remote peer has advertized the smallest MSS that linux TCP accepts : 48 An skb can hold 17 fragments, and each fragment can hold 32KB on x86, or 64KB on PowerPC. This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs can overflow. Note that tcp_sendmsg() builds skbs with less than 64KB of payload, so this problem needs SACK to be enabled. SACK blocks allow TCP to coalesce multiple skbs in the retransmit queue, thus filling the 17 fragments to maximal capacity. CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs Fixes: 832d11c5cd07 ("tcp: Try to restore large SKBs while SACK processing") Signed-off-by: Eric Dumazet Reported-by: Jonathan Looney Acked-by: Neal Cardwell Reviewed-by: Tyler Hicks Cc: Yuchung Cheng Cc: Bruce Curtis Cc: Jonathan Lemon Signed-off-by: David S. Miller commit 1eb4169c1e6b3c95f3a99c2c7f91b10e6c98e848 Merge: 5db2e7c7917f 9594dc3c7e71 Author: David S. Miller Date: Sat Jun 15 18:19:47 2019 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Alexei Starovoitov says: ==================== pull-request: bpf 2019-06-15 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) fix stack layout of JITed x64 bpf code, from Alexei. 2) fix out of bounds memory access in bpf_sk_storage, from Arthur. 3) fix lpm trie walk, from Jonathan. 4) fix nested bpf_perf_event_output, from Matt. 5) and several other fixes. ==================== Signed-off-by: David S. Miller commit 5db2e7c7917f40236a021959893121c4e496f609 Author: David S. Miller Date: Sat Jun 15 18:10:30 2019 -0700 Revert "net: phylink: set the autoneg state in phylink_phy_change" This reverts commit ef7bfa84725d891bbdb88707ed55b2cbf94942bb. Russell King espressed some strong opposition to this change, explaining that this is trying to make phylink behave outside of how it has been designed. Signed-off-by: David S. Miller commit 9594dc3c7e71b9f52bee1d7852eb3d4e3aea9e99 Author: Matt Mullins Date: Tue Jun 11 14:53:04 2019 -0700 bpf: fix nested bpf tracepoints with per-cpu data BPF_PROG_TYPE_RAW_TRACEPOINTs can be executed nested on the same CPU, as they do not increment bpf_prog_active while executing. This enables three levels of nesting, to support - a kprobe or raw tp or perf event, - another one of the above that irq context happens to call, and - another one in nmi context (at most one of which may be a kprobe or perf event). Fixes: 20b9d7ac4852 ("bpf: avoid excessive stack usage for perf_sample_data") Signed-off-by: Matt Mullins Acked-by: Andrii Nakryiko Acked-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov commit 85749218e3a6a1ab4fb3c698394f40f07b80be5e Author: Arthur Fabre Date: Sat Jun 15 14:36:27 2019 -0700 bpf: Fix out of bounds memory access in bpf_sk_storage bpf_sk_storage maps use multiple spin locks to reduce contention. The number of locks to use is determined by the number of possible CPUs. With only 1 possible CPU, bucket_log == 0, and 2^0 = 1 locks are used. When updating elements, the correct lock is determined with hash_ptr(). Calling hash_ptr() with 0 bits is undefined behavior, as it does: x >> (64 - bits) Using the value results in an out of bounds memory access. In my case, this manifested itself as a page fault when raw_spin_lock_bh() is called later, when running the self tests: ./tools/testing/selftests/bpf/test_verifier 773 775 [ 16.366342] BUG: unable to handle page fault for address: ffff8fe7a66f93f8 Force the minimum number of locks to two. Signed-off-by: Arthur Fabre Fixes: 6ac99e8f23d4 ("bpf: Introduce bpf sk local storage") Acked-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov commit 42f5cda5eaf4396a939ae9bb43bb8d1d09c1b15c Author: Stephen Barber Date: Fri Jun 14 23:42:37 2019 -0700 vsock/virtio: set SOCK_DONE on peer shutdown Set the SOCK_DONE flag to match the TCP_CLOSING state when a peer has shut down and there is nothing left to read. This fixes the following bug: 1) Peer sends SHUTDOWN(RDWR). 2) Socket enters TCP_CLOSING but SOCK_DONE is not set. 3) read() returns -ENOTCONN until close() is called, then returns 0. Signed-off-by: Stephen Barber Signed-off-by: David S. Miller commit 760c80b70bed2cd01630e8595d1bbde910339f31 Author: Linus Walleij Date: Fri Jun 14 00:25:20 2019 +0200 net: dsa: rtl8366: Fix up VLAN filtering We get this regression when using RTL8366RB as part of a bridge with OpenWrt: WARNING: CPU: 0 PID: 1347 at net/switchdev/switchdev.c:291 switchdev_port_attr_set_now+0x80/0xa4 lan0: Commit of attribute (id=7) failed. (...) realtek-smi switch lan0: failed to initialize vlan filtering on this port This is because it is trying to disable VLAN filtering on VLAN0, as we have forgot to add 1 to the port number to get the right VLAN in rtl8366_vlan_filtering(): when we initialize the VLAN we associate VLAN1 with port 0, VLAN2 with port 1 etc, so we need to add 1 to the port offset. Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") Signed-off-by: Linus Walleij Signed-off-by: David S. Miller commit ef7bfa84725d891bbdb88707ed55b2cbf94942bb Author: Ioana Ciornei Date: Thu Jun 13 09:37:51 2019 +0300 net: phylink: set the autoneg state in phylink_phy_change The phy_state field of phylink should carry only valid information especially when this can be passed to the .mac_config callback. Update the an_enabled field with the autoneg state in the phylink_phy_change function. Fixes: 9525ae83959b ("phylink: add phylink infrastructure") Signed-off-by: Ioana Ciornei Signed-off-by: David S. Miller commit e01e060fe00dca46959bbf055b75d9f57ba6e7be Merge: ff39074b1d4e 8c2eb7b6468a Author: Linus Torvalds Date: Sat Jun 15 07:38:54 2019 -1000 Merge tag 'platform-drivers-x86-v5.2-3' of git://git.infradead.org/linux-platform-drivers-x86 Pull x86 platform driver fixes from Andy Shevchenko: - fix a couple of Mellanox driver enumeration issues - fix ASUS laptop regression with backlight - fix Dell computers that got a wrong mode (tablet versus laptop) after resume * tag 'platform-drivers-x86-v5.2-3' of git://git.infradead.org/linux-platform-drivers-x86: platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device registration platform/x86: intel-vbtn: Report switch events when event wakes device platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi commit ff39074b1d4e727c299ccfd1588f9cca17a59c86 Merge: fa1827d7731a 5f54a85db5df Author: Linus Torvalds Date: Sat Jun 15 07:34:23 2019 -1000 Merge tag 'usb-5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB driver fixes for 5.2-rc5 Nothing major, just some small gadget fixes, usb-serial new device ids, a few new quirks, and some small fixes for some regressions that have been found after the big 5.2-rc1 merge. All of these have been in linux-next for a while with no reported issues" * tag 'usb-5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: typec: Make sure an alt mode exist before getting its partner usb: gadget: udc: lpc32xx: fix return value check in lpc32xx_udc_probe() usb: gadget: dwc2: fix zlp handling usb: dwc2: Set actual frame number for completed ISOC transfer for none DDMA usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i] usb: phy: mxs: Disable external charger detect in mxs_phy_hw_init() usb: dwc2: Fix DMA cache alignment issues usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam regression) USB: Fix chipmunk-like voice when using Logitech C270 for recording audio. USB: usb-storage: Add new ID to ums-realtek usb: typec: ucsi: ccg: fix memory leak in do_flash USB: serial: option: add Telit 0x1260 and 0x1261 compositions USB: serial: pl2303: add Allied Telesis VT-Kit3 USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode commit fa1827d7731ac24f44309ddc2ca806650912bf0e Merge: 6a71398c6aea c21f5a9ed85c Author: Linus Torvalds Date: Sat Jun 15 07:29:32 2019 -1000 Merge tag 'powerpc-5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "One fix for a regression introduced by our 32-bit KASAN support, which broke booting on machines with "bootx" early debugging enabled. A fix for a bug which broke kexec on 32-bit, introduced by changes to the 32-bit STRICT_KERNEL_RWX support in v5.1. Finally two fixes going to stable for our THP split/collapse handling, discovered by Nick. The first fixes random crashes and/or corruption in guests under sufficient load. Thanks to: Nicholas Piggin, Christophe Leroy, Aaro Koskinen, Mathieu Malaterre" * tag 'powerpc-5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/32s: fix booting with CONFIG_PPC_EARLY_DEBUG_BOOTX powerpc/64s: __find_linux_pte() synchronization vs pmdp_invalidate() powerpc/64s: Fix THP PMD collapse serialisation powerpc: Fix kexec failure on book3s/32 commit 6a71398c6aead255efe445ea96d52b33f0d5f0b2 Merge: 0011572c8830 04e03d9a616c Author: Linus Torvalds Date: Sat Jun 15 07:24:11 2019 -1000 Merge tag 'trace-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fixes from Steven Rostedt: - Out of range read of stack trace output - Fix for NULL pointer dereference in trace_uprobe_create() - Fix to a livepatching / ftrace permission race in the module code - Fix for NULL pointer dereference in free_ftrace_func_mapper() - A couple of build warning clean ups * tag 'trace-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper() module: Fix livepatch/ftrace module text permissions race tracing/uprobe: Fix obsolete comment on trace_uprobe_create() tracing/uprobe: Fix NULL pointer dereference in trace_uprobe_create() tracing: Make two symbols static tracing: avoid build warning with HAVE_NOP_MCOUNT tracing: Fix out-of-range read in trace_stack_print() commit 82f6e266f8123d7938713c0e10c03aa655b3e68a Author: Christophe Leroy Date: Thu May 23 08:39:27 2019 +0000 powerpc/32: fix build failure on book3e with KVM Build failure was introduced by the commit identified below, due to missed macro expension leading to wrong called function's name. arch/powerpc/kernel/head_fsl_booke.o: In function `SystemCall': arch/powerpc/kernel/head_fsl_booke.S:416: undefined reference to `kvmppc_handler_BOOKE_INTERRUPT_SYSCALL_SPRN_SRR1' Makefile:1052: recipe for target 'vmlinux' failed The called function should be kvmppc_handler_8_0x01B(). This patch fixes it. Reported-by: Paul Mackerras Fixes: 1a4b739bbb4f ("powerpc/32: implement fast entry for syscalls on BOOKE") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman commit e8732ffa2e096d433c3f2349b871d43ed0d39f5c Author: Christophe Leroy Date: Thu Jun 13 13:52:30 2019 +0000 powerpc/booke: fix fast syscall entry on SMP Use r10 instead of r9 to calculate CPU offset as r9 contains the value from SRR1 which is used later. Fixes: 1a4b739bbb4f ("powerpc/32: implement fast entry for syscalls on BOOKE") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman commit b7f8b440f3001cc1775c028f0a783786113c2ae3 Author: Christophe Leroy Date: Tue Jun 11 15:47:20 2019 +0000 powerpc/32s: fix initial setup of segment registers on secondary CPU The patch referenced below moved the loading of segment registers out of load_up_mmu() in order to do it earlier in the boot sequence. However, the secondary CPU still needs it to be done when loading up the MMU. Reported-by: Erhard F. Fixes: 215b823707ce ("powerpc/32s: set up an early static hash table for KASAN") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman commit 78f4e932f7760d965fb1569025d1576ab77557c5 Author: Borislav Petkov Date: Thu Jun 13 15:49:02 2019 +0200 x86/microcode, cpuhotplug: Add a microcode loader CPU hotplug callback Adric Blake reported the following warning during suspend-resume: Enabling non-boot CPUs ... x86: Booting SMP configuration: smpboot: Booting Node 0 Processor 1 APIC 0x2 unchecked MSR access error: WRMSR to 0x10f (tried to write 0x0000000000000000) \ at rIP: 0xffffffff8d267924 (native_write_msr+0x4/0x20) Call Trace: intel_set_tfa intel_pmu_cpu_starting ? x86_pmu_dead_cpu x86_pmu_starting_cpu cpuhp_invoke_callback ? _raw_spin_lock_irqsave notify_cpu_starting start_secondary secondary_startup_64 microcode: sig=0x806ea, pf=0x80, revision=0x96 microcode: updated to revision 0xb4, date = 2019-04-01 CPU1 is up The MSR in question is MSR_TFA_RTM_FORCE_ABORT and that MSR is emulated by microcode. The log above shows that the microcode loader callback happens after the PMU restoration, leading to the conjecture that because the microcode hasn't been updated yet, that MSR is not present yet, leading to the #GP. Add a microcode loader-specific hotplug vector which comes before the PERF vectors and thus executes earlier and makes sure the MSR is present. Fixes: 400816f60c54 ("perf/x86/intel: Implement support for TSX Force Abort") Reported-by: Adric Blake Signed-off-by: Borislav Petkov Reviewed-by: Thomas Gleixner Cc: Peter Zijlstra Cc: Cc: x86@kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=203637 commit 0011572c883082a95e02d47f45fc4a42dc0e8634 Merge: 6aa7a22b9790 d477f8c202d1 Author: Linus Torvalds Date: Fri Jun 14 17:46:14 2019 -1000 Merge branch 'for-5.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "This has an unusually high density of tricky fixes: - task_get_css() could deadlock when it races against a dying cgroup. - cgroup.procs didn't list thread group leaders with live threads. This could mislead readers to think that a cgroup is empty when it's not. Fixed by making PROCS iterator include dead tasks. I made a couple mistakes making this change and this pull request contains a couple follow-up patches. - When cpusets run out of online cpus, it updates cpusmasks of member tasks in bizarre ways. Joel improved the behavior significantly" * 'for-5.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cpuset: restore sanity to cpuset_cpus_allowed_fallback() cgroup: Fix css_task_iter_advance_css_set() cset skip condition cgroup: css_task_iter_skip()'d iterators must be advanced before accessed cgroup: Include dying leaders with live threads in PROCS iterations cgroup: Implement css_task_iter_skip() cgroup: Call cgroup_release() before __exit_signal() docs cgroups: add another example size for hugetlb cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css() commit 6aa7a22b97907851972d7f39aae79dc105eba78b Merge: 406652440172 e14c5873d2a3 Author: Linus Torvalds Date: Fri Jun 14 17:34:45 2019 -1000 Merge tag 'drm-fixes-2019-06-14' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Daniel Vetter: "Nothing unsettling here, also not aware of anything serious still pending. The edid override regression fix took a bit longer since this seems to be an area with an overabundance of bad options. But the fix we have now seems like a good path forward. Next week it should be back to Dave. Summary: - fix regression on amdgpu on SI - fix edid override regression - driver fixes: amdgpu, i915, mediatek, meson, panfrost - fix writecombine for vmap in gem-shmem helper (used by panfrost) - add more panel quirks" * tag 'drm-fixes-2019-06-14' of git://anongit.freedesktop.org/drm/drm: (25 commits) drm/amdgpu: return 0 by default in amdgpu_pm_load_smu_firmware drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported() drm: add fallback override/firmware EDID modes workaround drm/edid: abstract override/firmware EDID retrieval drm/i915/perf: fix whitelist on Gen10+ drm/i915/sdvo: Implement proper HDMI audio support for SDVO drm/i915: Fix per-pixel alpha with CCS drm/i915/dmc: protect against reading random memory drm/i915/dsi: Use a fuzzy check for burst mode clock check drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc drm/panfrost: Require the simple_ondemand governor drm/panfrost: make devfreq optional again drm/gem_shmem: Use a writecombine mapping for ->vaddr drm: panel-orientation-quirks: Add quirk for GPD MicroPC drm: panel-orientation-quirks: Add quirk for GPD pocket2 drm/meson: fix G12A primary plane disabling drm/meson: fix primary plane disabling drm/meson: fix G12A HDMI PLL settings for 4K60 1000/1001 variations drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable() drm/mediatek: clear num_pipes when unbind driver ... commit 4066524401724babc5710b0a6be88021a081874a Merge: 1ed1fa5f9c31 2741b6723bf6 Author: Linus Torvalds Date: Fri Jun 14 17:27:12 2019 -1000 Merge tag 'gfs2-v5.2.fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 fix from Andreas Gruenbacher: "Fix rounding error in gfs2_iomap_page_prepare" * tag 'gfs2-v5.2.fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: gfs2: Fix rounding error in gfs2_iomap_page_prepare commit 35fc07aee8f6d55aeacdbfdccc425e684737f741 Merge: 9a33629ba6b2 ce27ec60648d Author: David S. Miller Date: Fri Jun 14 20:18:28 2019 -0700 Merge branch 'tcp-add-three-static-keys' Eric Dumazet says: ==================== tcp: add three static keys Recent addition of per TCP socket rx/tx cache brought regressions for some workloads, as reported by Feng Tang. It seems better to make them opt-in, before we adopt better heuristics. The last patch adds high_order_alloc_disable sysctl to ask TCP sendmsg() to exclusively use order-0 allocations, as mm layer has specific optimizations. ==================== Signed-off-by: David S. Miller commit ce27ec60648d8e066227cb2f58b1d3d4f7253d08 Author: Eric Dumazet Date: Fri Jun 14 16:22:21 2019 -0700 net: add high_order_alloc_disable sysctl/static key >From linux-3.7, (commit 5640f7685831 "net: use a per task frag allocator") TCP sendmsg() has preferred using order-3 allocations. While it gives good results for most cases, we had reports that heavy uses of TCP over loopback were hitting a spinlock contention in page allocations/freeing. This commits adds a sysctl so that admins can opt-in for order-0 allocations. Hopefully mm layer might optimize order-3 allocations in the future since it could give us a nice boost (see 8 lines of following benchmark) The following benchmark shows a win when more than 8 TCP_STREAM threads are running (56 x86 cores server in my tests) for thr in {1..30} do sysctl -wq net.core.high_order_alloc_disable=0 T0=`./super_netperf $thr -H 127.0.0.1 -l 15` sysctl -wq net.core.high_order_alloc_disable=1 T1=`./super_netperf $thr -H 127.0.0.1 -l 15` echo $thr:$T0:$T1 done 1: 49979: 37267 2: 98745: 76286 3: 141088: 110051 4: 177414: 144772 5: 197587: 173563 6: 215377: 208448 7: 241061: 234087 8: 267155: 263373 9: 295069: 297402 10: 312393: 335213 11: 340462: 368778 12: 371366: 403954 13: 412344: 443713 14: 426617: 473580 15: 474418: 507861 16: 503261: 538539 17: 522331: 563096 18: 532409: 567084 19: 550824: 605240 20: 525493: 641988 21: 564574: 665843 22: 567349: 690868 23: 583846: 710917 24: 588715: 736306 25: 603212: 763494 26: 604083: 792654 27: 602241: 796450 28: 604291: 797993 29: 611610: 833249 30: 577356: 841062 Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit 0b7d7f6b22084a3156f267c85303908a8f4c9a08 Author: Eric Dumazet Date: Fri Jun 14 16:22:20 2019 -0700 tcp: add tcp_tx_skb_cache sysctl Feng Tang reported a performance regression after introduction of per TCP socket tx/rx caches, for TCP over loopback (netperf) There is high chance the regression is caused by a change on how well the 32 KB per-thread page (current->task_frag) can be recycled, and lack of pcp caches for order-3 pages. I could not reproduce the regression myself, cpus all being spinning on the mm spinlocks for page allocs/freeing, regardless of enabling or disabling the per tcp socket caches. It seems best to disable the feature by default, and let admins enabling it. MM layer either needs to provide scalable order-3 pages allocations, or could attempt a trylock on zone->lock if the caller only attempts to get a high-order page and is able to fallback to order-0 ones in case of pressure. Tests run on a 56 cores host (112 hyper threads) - 35.49% netperf [kernel.vmlinux] [k] queued_spin_lock_slowpath - 35.49% queued_spin_lock_slowpath - 18.18% get_page_from_freelist - __alloc_pages_nodemask - 18.18% alloc_pages_current skb_page_frag_refill sk_page_frag_refill tcp_sendmsg_locked tcp_sendmsg inet_sendmsg sock_sendmsg __sys_sendto __x64_sys_sendto do_syscall_64 entry_SYSCALL_64_after_hwframe __libc_send + 17.31% __free_pages_ok + 31.43% swapper [kernel.vmlinux] [k] intel_idle + 9.12% netperf [kernel.vmlinux] [k] copy_user_enhanced_fast_string + 6.53% netserver [kernel.vmlinux] [k] copy_user_enhanced_fast_string + 0.69% netserver [kernel.vmlinux] [k] queued_spin_lock_slowpath + 0.68% netperf [kernel.vmlinux] [k] skb_release_data + 0.52% netperf [kernel.vmlinux] [k] tcp_sendmsg_locked 0.46% netperf [kernel.vmlinux] [k] _raw_spin_lock_irqsave Fixes: 472c2e07eef0 ("tcp: add one skb cache for tx") Signed-off-by: Eric Dumazet Reported-by: Feng Tang Signed-off-by: David S. Miller commit ede61ca474a0348b975d9824565b66c7595461de Author: Eric Dumazet Date: Fri Jun 14 16:22:19 2019 -0700 tcp: add tcp_rx_skb_cache sysctl Instead of relying on rps_needed, it is safer to use a separate static key, since we do not want to enable TCP rx_skb_cache by default. This feature can cause huge increase of memory usage on hosts with millions of sockets. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit a8e11e5c5611a9f70470aebeb2c1dd6132f609d7 Author: Eric Dumazet Date: Fri Jun 14 16:22:18 2019 -0700 sysctl: define proc_do_static_key() Convert proc_dointvec_minmax_bpf_stats() into a more generic helper, since we are going to use jump labels more often. Note that sysctl_bpf_stats_enabled is removed, since it is no longer needed/used. Signed-off-by: Eric Dumazet Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller commit 9a33629ba6b26caebd73e3c581ba1e6068c696a7 Author: Haiyang Zhang Date: Thu Jun 13 21:06:53 2019 +0000 hv_netvsc: Set probe mode to sync For better consistency of synthetic NIC names, we set the probe mode to PROBE_FORCE_SYNCHRONOUS. So the names can be aligned with the vmbus channel offer sequence. Fixes: af0a5646cb8d ("use the new async probing feature for the hyperv drivers") Signed-off-by: Haiyang Zhang Signed-off-by: David S. Miller commit 99815f5031db36414178f45e3009fb5f0e219dd4 Author: Vlad Buslov Date: Thu Jun 13 17:54:04 2019 +0300 net: sched: flower: don't call synchronize_rcu() on mask creation Current flower mask creating code assumes that temporary mask that is used when inserting new filter is stack allocated. To prevent race condition with data patch synchronize_rcu() is called every time fl_create_new_mask() replaces temporary stack allocated mask. As reported by Jiri, this increases runtime of creating 20000 flower classifiers from 4 seconds to 163 seconds. However, this design is no longer necessary since temporary mask was converted to be dynamically allocated by commit 2cddd2014782 ("net/sched: cls_flower: allocate mask dynamically in fl_change()"). Remove synchronize_rcu() calls from mask creation code. Instead, refactor fl_change() to always deallocate temporary mask with rcu grace period. Fixes: 195c234d15c9 ("net: sched: flower: handle concurrent mask insertion") Reported-by: Jiri Pirko Signed-off-by: Vlad Buslov Tested-by: Jiri Pirko Acked-by: Jiri Pirko Signed-off-by: David S. Miller commit f0c03ee0ec664e07e0ec1ead7091cbe53f0f321c Author: Anders Roxell Date: Thu Jun 13 13:35:03 2019 +0200 net: dsa: fix warning same module names When building with CONFIG_NET_DSA_REALTEK_SMI and CONFIG_REALTEK_PHY enabled as loadable modules, we see the following warning: warning: same module names found: drivers/net/phy/realtek.ko drivers/net/dsa/realtek.ko Rework so the driver name is realtek-smi instead of realtek. Reviewed-by: Linus Walleij Reviewed-by: Andrew Lunn Signed-off-by: Anders Roxell Signed-off-by: David S. Miller commit ce950f1050cece5e406a5cde723c69bba60e1b26 Author: Neil Horman Date: Thu Jun 13 06:35:59 2019 -0400 sctp: Free cookie before we memdup a new one Based on comments from Xin, even after fixes for our recent syzbot report of cookie memory leaks, its possible to get a resend of an INIT chunk which would lead to us leaking cookie memory. To ensure that we don't leak cookie memory, free any previously allocated cookie first. Change notes v1->v2 update subsystem tag in subject (davem) repeat kfree check for peer_random and peer_hmacs (xin) v2->v3 net->sctp also free peer_chunks v3->v4 fix subject tags v4->v5 remove cut line Signed-off-by: Neil Horman Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com CC: Marcelo Ricardo Leitner CC: Xin Long CC: "David S. Miller" CC: netdev@vger.kernel.org Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller commit 6bb9e376c2a4cc5120c3bf5fd3048b9a0a6ec1f8 Author: Robert Hancock Date: Wed Jun 12 14:33:32 2019 -0600 net: dsa: microchip: Don't try to read stats for unused ports If some of the switch ports were not listed in the device tree, due to being unused, the ksz_mib_read_work function ended up accessing a NULL dp->slave pointer and causing an oops. Skip checking statistics for any unused ports. Fixes: 7c6ff470aa867f53 ("net: dsa: microchip: add MIB counter reading support") Signed-off-by: Robert Hancock Reviewed-by: Vivien Didelot Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 2309f51797106b3643b22abced39ff443df2407d Merge: 2a2af5e6e6f5 36815b416fa4 Author: David S. Miller Date: Fri Jun 14 19:05:58 2019 -0700 Merge branch 'qmi_wwan-fix-QMAP-handling' Reinhard Speyerer says: ==================== qmi_wwan: fix QMAP handling This series addresses the following issues observed when using the QMAP support of the qmi_wwan driver: 1. The QMAP code in the qmi_wwan driver is based on the CodeAurora GobiNet driver ([1], [2]) which does not process QMAP padding in the RX path correctly. This causes qmimux_rx_fixup() to pass incorrect data to the IP stack when padding is used. 2. qmimux devices currently lack proper network device usage statistics. 3. RCU stalls on device disconnect with QMAP activated like this # echo Y > /sys/class/net/wwan0/qmi/raw_ip # echo 1 > /sys/class/net/wwan0/qmi/add_mux # echo 2 > /sys/class/net/wwan0/qmi/add_mux # echo 3 > /sys/class/net/wwan0/qmi/add_mux have been observed in certain setups: [ 2273.676593] option1 ttyUSB16: GSM modem (1-port) converter now disconnected from ttyUSB16 [ 2273.676617] option 6-1.2:1.0: device disconnected [ 2273.676774] WARNING: CPU: 1 PID: 141 at kernel/rcu/tree_plugin.h:342 rcu_note_context_switch+0x2a/0x3d0 [ 2273.676776] Modules linked in: option qmi_wwan cdc_mbim cdc_ncm qcserial cdc_wdm usb_wwan sierra sierra_net usbnet mii edd coretemp iptable_mangle ip6_tables iptable_filter ip_tables cdc_acm dm_mod dax iTCO_wdt evdev iTCO_vendor_support sg ftdi_sio usbserial e1000e ptp pps_core i2c_i801 ehci_pci button lpc_ich i2c_core mfd_core uhci_hcd ehci_hcd rtc_cmos usbcore usb_common sd_mod fan ata_piix thermal [ 2273.676817] CPU: 1 PID: 141 Comm: kworker/1:1 Not tainted 4.19.38-rsp-1 #1 [ 2273.676819] Hardware name: Not Applicable Not Applicable /CX-GS/GM45-GL40 , BIOS V1.11 03/23/2011 [ 2273.676828] Workqueue: usb_hub_wq hub_event [usbcore] [ 2273.676832] EIP: rcu_note_context_switch+0x2a/0x3d0 [ 2273.676834] Code: 55 89 e5 57 56 89 c6 53 83 ec 14 89 45 f0 e8 5d ff ff ff 89 f0 64 8b 3d 24 a6 86 c0 84 c0 8b 87 04 02 00 00 75 7a 85 c0 7e 7a <0f> 0b 80 bf 08 02 00 00 00 0f 84 87 00 00 00 e8 b2 e2 ff ff bb dc [ 2273.676836] EAX: 00000001 EBX: f614bc00 ECX: 00000001 EDX: c0715b81 [ 2273.676838] ESI: 00000000 EDI: f18beb40 EBP: f1a3dc20 ESP: f1a3dc00 [ 2273.676840] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010002 [ 2273.676842] CR0: 80050033 CR2: b7e97230 CR3: 2f9c4000 CR4: 000406b0 [ 2273.676843] Call Trace: [ 2273.676847] ? preempt_count_add+0xa5/0xc0 [ 2273.676852] __schedule+0x4e/0x4f0 [ 2273.676855] ? __queue_work+0xf1/0x2a0 [ 2273.676858] ? _raw_spin_lock_irqsave+0x14/0x40 [ 2273.676860] ? preempt_count_add+0x52/0xc0 [ 2273.676862] schedule+0x33/0x80 [ 2273.676865] _synchronize_rcu_expedited+0x24e/0x280 [ 2273.676867] ? rcu_accelerate_cbs_unlocked+0x70/0x70 [ 2273.676871] ? wait_woken+0x70/0x70 [ 2273.676873] ? rcu_accelerate_cbs_unlocked+0x70/0x70 [ 2273.676875] ? _synchronize_rcu_expedited+0x280/0x280 [ 2273.676877] synchronize_rcu_expedited+0x22/0x30 [ 2273.676881] synchronize_net+0x25/0x30 [ 2273.676885] dev_deactivate_many+0x133/0x230 [ 2273.676887] ? preempt_count_add+0xa5/0xc0 [ 2273.676890] __dev_close_many+0x4d/0xc0 [ 2273.676892] ? skb_dequeue+0x40/0x50 [ 2273.676895] dev_close_many+0x5d/0xd0 [ 2273.676898] rollback_registered_many+0xbf/0x4c0 [ 2273.676901] ? raw_notifier_call_chain+0x1a/0x20 [ 2273.676904] ? call_netdevice_notifiers_info+0x23/0x60 [ 2273.676906] ? netdev_master_upper_dev_get+0xe/0x70 [ 2273.676908] rollback_registered+0x1f/0x30 [ 2273.676911] unregister_netdevice_queue+0x47/0xb0 [ 2273.676915] qmimux_unregister_device+0x1f/0x30 [qmi_wwan] [ 2273.676917] qmi_wwan_disconnect+0x5d/0x90 [qmi_wwan] ... [ 2273.677001] ---[ end trace 0fcc5f88496b485a ]--- [ 2294.679136] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: [ 2294.679140] rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P141 [ 2294.679144] rcu: (detected by 0, t=21002 jiffies, g=265857, q=8446) [ 2294.679148] kworker/1:1 D 0 141 2 0x80000000 In addition the permitted QMAP mux_id value range is extended for compatibility with ip(8) and the rmnet driver. Reinhard [1]: https://portland.source.codeaurora.org/patches/quic/gobi [2]: https://portland.source.codeaurora.org/quic/qsdk/oss/lklm/gobinet/ ==================== Tested-by: Daniele Palmas Acked-by: Bjørn Mork Signed-off-by: David S. Miller commit 36815b416fa48766ac5a98e4b2dc3ebc5887222e Author: Reinhard Speyerer Date: Wed Jun 12 19:03:50 2019 +0200 qmi_wwan: extend permitted QMAP mux_id value range Permit mux_id values up to 254 to be used in qmimux_register_device() for compatibility with ip(8) and the rmnet driver. Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") Cc: Daniele Palmas Signed-off-by: Reinhard Speyerer Signed-off-by: David S. Miller commit a8fdde1cb830e560208af42b6c10750137f53eb3 Author: Reinhard Speyerer Date: Wed Jun 12 19:03:15 2019 +0200 qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode Switch qmimux_unregister_device() and qmi_wwan_disconnect() to use unregister_netdevice_queue() and unregister_netdevice_many() instead of unregister_netdevice(). This avoids RCU stalls which have been observed on device disconnect in certain setups otherwise. Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") Cc: Daniele Palmas Signed-off-by: Reinhard Speyerer Signed-off-by: David S. Miller commit 44f82312fe9113bab6642f4d0eab6b1b7902b6e1 Author: Reinhard Speyerer Date: Wed Jun 12 19:02:46 2019 +0200 qmi_wwan: add network device usage statistics for qmimux devices Add proper network device usage statistics for qmimux devices instead of reporting all-zero values for them. Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") Cc: Daniele Palmas Signed-off-by: Reinhard Speyerer Signed-off-by: David S. Miller commit 61356088ace1866a847a727d4d40da7bf00b67fc Author: Reinhard Speyerer Date: Wed Jun 12 19:02:13 2019 +0200 qmi_wwan: add support for QMAP padding in the RX path The QMAP code in the qmi_wwan driver is based on the CodeAurora GobiNet driver which does not process QMAP padding in the RX path correctly. Add support for QMAP padding to qmimux_rx_fixup() according to the description of the rmnet driver. Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") Cc: Daniele Palmas Signed-off-by: Reinhard Speyerer Signed-off-by: David S. Miller commit 1ed1fa5f9c311a74f031cabb18a415b4defdfa03 Merge: 7b10315128c6 625d7d351887 Author: Linus Torvalds Date: Fri Jun 14 15:52:51 2019 -1000 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fix from James Bottomley: "A single bug fix for hpsa. The user visible consequences aren't clear, but the ioaccel2 raid acceleration may misfire on the malformed request assuming the payload is big enough to require chaining (more than 31 sg entries)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: hpsa: correct ioaccel2 chaining commit 7b10315128c697b32c3a920cd79a8301c7466637 Merge: 5dcedf4600f8 1d0c06513bd4 Author: Linus Torvalds Date: Fri Jun 14 15:41:18 2019 -1000 Merge tag 'for-linus-20190614' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: - Remove references to old schedulers for the scheduler switching and blkio controller documentation (Andreas) - Kill duplicate check for report zone for null_blk (Chaitanya) - Two bcache fixes (Coly) - Ensure that mq-deadline is selected if zoned block device is enabled, as we need that to support them (Damien) - Fix io_uring memory leak (Eric) - ps3vram fallout from LBDAF removal (Geert) - Redundant blk-mq debugfs debugfs_create return check cleanup (Greg) - Extend NOPLM quirk for ST1000LM024 drives (Hans) - Remove error path warning that can now trigger after the queue removal/addition fixes (Ming) * tag 'for-linus-20190614' of git://git.kernel.dk/linux-block: block/ps3vram: Use %llu to format sector_t after LBDAF removal libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached bcache: fix stack corruption by PRECEDING_KEY() blk-mq: remove WARN_ON(!q->elevator) from blk_mq_sched_free_requests blkio-controller.txt: Remove references to CFQ block/switching-sched.txt: Update to blk-mq schedulers null_blk: remove duplicate check for report zone blk-mq: no need to check return value of debugfs_create functions io_uring: fix memory leak of UNIX domain socket inode block: force select mq-deadline for zoned block devices commit 5dcedf4600f8708150b89485d25cead88bff08a4 Merge: 6e7739fc938c a0cac264a86f Author: Linus Torvalds Date: Fri Jun 14 15:25:27 2019 -1000 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "I2C has two simple but wanted driver fixes for you" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: pca-platform: Fix GPIO lookup code i2c: acorn: fix i2c warning commit fe8d9571dc50232b569242fac7ea6332a654f186 Author: Alexei Starovoitov Date: Fri Jun 14 15:43:28 2019 -0700 bpf, x64: fix stack layout of JITed bpf code Since commit 177366bf7ceb the %rbp stopped pointing to %rbp of the previous stack frame. That broke frame pointer based stack unwinding. This commit is a partial revert of it. Note that the location of tail_call_cnt is fixed, since the verifier enforces MAX_BPF_STACK stack size for programs with tail calls. Fixes: 177366bf7ceb ("bpf: change x86 JITed program stack layout") Signed-off-by: Alexei Starovoitov commit 6e7739fc938c1ec58d321f70ea41d9548a4cca0f Author: Casey Schaufler Date: Fri May 31 11:53:33 2019 +0100 Smack: Restore the smackfsdef mount option and add missing prefixes The 5.1 mount system rework changed the smackfsdef mount option to smackfsdefault. This fixes the regression by making smackfsdef treated the same way as smackfsdefault. Also fix the smack_param_specs[] to have "smack" prefixes on all the names. This isn't visible to a user unless they either: (a) Try to mount a filesystem that's converted to the internal mount API and that implements the ->parse_monolithic() context operation - and only then if they call security_fs_context_parse_param() rather than security_sb_eat_lsm_opts(). There are no examples of this upstream yet, but nfs will probably want to do this for nfs2 or nfs3. (b) Use fsconfig() to configure the filesystem - in which case security_fs_context_parse_param() will be called. This issue is that smack_sb_eat_lsm_opts() checks for the "smack" prefix on the options, but smack_fs_context_parse_param() does not. Fixes: c3300aaf95fb ("smack: get rid of match_token()") Fixes: 2febd254adc4 ("smack: Implement filesystem context security hooks") Cc: stable@vger.kernel.org Reported-by: Jose Bollo Signed-off-by: Casey Schaufler Signed-off-by: David Howells Tested-by: Casey Schaufler Signed-off-by: Linus Torvalds commit 86723c8640633bee4b4588d3c7784ee7a0032f65 Author: Toshiaki Makita Date: Fri Jun 14 17:20:15 2019 +0900 bpf, devmap: Add missing RCU read lock on flush .ndo_xdp_xmit() assumes it is called under RCU. For example virtio_net uses RCU to detect it has setup the resources for tx. The assumption accidentally broke when introducing bulk queue in devmap. Fixes: 5d053f9da431 ("bpf: devmap prepare xdp frames for bulking") Reported-by: David Ahern Signed-off-by: Toshiaki Makita Signed-off-by: Daniel Borkmann commit edabf4d9dd905acd60048ea1579943801e3a4876 Author: Toshiaki Makita Date: Fri Jun 14 17:20:14 2019 +0900 bpf, devmap: Add missing bulk queue free dev_map_free() forgot to free bulk queue when freeing its entries. Fixes: 5d053f9da431 ("bpf: devmap prepare xdp frames for bulking") Signed-off-by: Toshiaki Makita Acked-by: Jesper Dangaard Brouer Signed-off-by: Daniel Borkmann commit d4dd153d551634683fccf8881f606fa9f3dfa1ef Author: Toshiaki Makita Date: Fri Jun 14 17:20:13 2019 +0900 bpf, devmap: Fix premature entry free on destroying map dev_map_free() waits for flush_needed bitmap to be empty in order to ensure all flush operations have completed before freeing its entries. However the corresponding clear_bit() was called before using the entries, so the entries could be used after free. All access to the entries needs to be done before clearing the bit. It seems commit a5e2da6e9787 ("bpf: netdev is never null in __dev_map_flush") accidentally changed the clear_bit() and memory access order. Note that the problem happens only in __dev_map_flush(), not in dev_map_flush_old(). dev_map_flush_old() is called only after nulling out the corresponding netdev_map entry, so dev_map_free() never frees the entry thus no such race happens there. Fixes: a5e2da6e9787 ("bpf: netdev is never null in __dev_map_flush") Signed-off-by: Toshiaki Makita Signed-off-by: Daniel Borkmann commit 04e03d9a616c19a47178eaca835358610e63a1dd Author: Wei Li Date: Thu Jun 6 11:17:54 2019 +0800 ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper() The mapper may be NULL when called from register_ftrace_function_probe() with probe->data == NULL. This issue can be reproduced as follow (it may be covered by compiler optimization sometime): / # cat /sys/kernel/debug/tracing/set_ftrace_filter #### all functions enabled #### / # echo foo_bar:dump > /sys/kernel/debug/tracing/set_ftrace_filter [ 206.949100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 206.952402] Mem abort info: [ 206.952819] ESR = 0x96000006 [ 206.955326] Exception class = DABT (current EL), IL = 32 bits [ 206.955844] SET = 0, FnV = 0 [ 206.956272] EA = 0, S1PTW = 0 [ 206.956652] Data abort info: [ 206.957320] ISV = 0, ISS = 0x00000006 [ 206.959271] CM = 0, WnR = 0 [ 206.959938] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000419f3a000 [ 206.960483] [0000000000000000] pgd=0000000411a87003, pud=0000000411a83003, pmd=0000000000000000 [ 206.964953] Internal error: Oops: 96000006 [#1] SMP [ 206.971122] Dumping ftrace buffer: [ 206.973677] (ftrace buffer empty) [ 206.975258] Modules linked in: [ 206.976631] Process sh (pid: 281, stack limit = 0x(____ptrval____)) [ 206.978449] CPU: 10 PID: 281 Comm: sh Not tainted 5.2.0-rc1+ #17 [ 206.978955] Hardware name: linux,dummy-virt (DT) [ 206.979883] pstate: 60000005 (nZCv daif -PAN -UAO) [ 206.980499] pc : free_ftrace_func_mapper+0x2c/0x118 [ 206.980874] lr : ftrace_count_free+0x68/0x80 [ 206.982539] sp : ffff0000182f3ab0 [ 206.983102] x29: ffff0000182f3ab0 x28: ffff8003d0ec1700 [ 206.983632] x27: ffff000013054b40 x26: 0000000000000001 [ 206.984000] x25: ffff00001385f000 x24: 0000000000000000 [ 206.984394] x23: ffff000013453000 x22: ffff000013054000 [ 206.984775] x21: 0000000000000000 x20: ffff00001385fe28 [ 206.986575] x19: ffff000013872c30 x18: 0000000000000000 [ 206.987111] x17: 0000000000000000 x16: 0000000000000000 [ 206.987491] x15: ffffffffffffffb0 x14: 0000000000000000 [ 206.987850] x13: 000000000017430e x12: 0000000000000580 [ 206.988251] x11: 0000000000000000 x10: cccccccccccccccc [ 206.988740] x9 : 0000000000000000 x8 : ffff000013917550 [ 206.990198] x7 : ffff000012fac2e8 x6 : ffff000012fac000 [ 206.991008] x5 : ffff0000103da588 x4 : 0000000000000001 [ 206.991395] x3 : 0000000000000001 x2 : ffff000013872a28 [ 206.991771] x1 : 0000000000000000 x0 : 0000000000000000 [ 206.992557] Call trace: [ 206.993101] free_ftrace_func_mapper+0x2c/0x118 [ 206.994827] ftrace_count_free+0x68/0x80 [ 206.995238] release_probe+0xfc/0x1d0 [ 206.995555] register_ftrace_function_probe+0x4a8/0x868 [ 206.995923] ftrace_trace_probe_callback.isra.4+0xb8/0x180 [ 206.996330] ftrace_dump_callback+0x50/0x70 [ 206.996663] ftrace_regex_write.isra.29+0x290/0x3a8 [ 206.997157] ftrace_filter_write+0x44/0x60 [ 206.998971] __vfs_write+0x64/0xf0 [ 206.999285] vfs_write+0x14c/0x2f0 [ 206.999591] ksys_write+0xbc/0x1b0 [ 206.999888] __arm64_sys_write+0x3c/0x58 [ 207.000246] el0_svc_common.constprop.0+0x408/0x5f0 [ 207.000607] el0_svc_handler+0x144/0x1c8 [ 207.000916] el0_svc+0x8/0xc [ 207.003699] Code: aa0003f8 a9025bf5 aa0103f5 f946ea80 (f9400303) [ 207.008388] ---[ end trace 7b6d11b5f542bdf1 ]--- [ 207.010126] Kernel panic - not syncing: Fatal exception [ 207.011322] SMP: stopping secondary CPUs [ 207.013956] Dumping ftrace buffer: [ 207.014595] (ftrace buffer empty) [ 207.015632] Kernel Offset: disabled [ 207.017187] CPU features: 0x002,20006008 [ 207.017985] Memory Limit: none [ 207.019825] ---[ end Kernel panic - not syncing: Fatal exception ]--- Link: http://lkml.kernel.org/r/20190606031754.10798-1-liwei391@huawei.com Signed-off-by: Wei Li Signed-off-by: Steven Rostedt (VMware) commit 9f255b632bf12c4dd7fc31caee89aa991ef75176 Author: Josh Poimboeuf Date: Thu Jun 13 20:07:22 2019 -0500 module: Fix livepatch/ftrace module text permissions race It's possible for livepatch and ftrace to be toggling a module's text permissions at the same time, resulting in the following panic: BUG: unable to handle page fault for address: ffffffffc005b1d9 #PF: supervisor write access in kernel mode #PF: error_code(0x0003) - permissions violation PGD 3ea0c067 P4D 3ea0c067 PUD 3ea0e067 PMD 3cc13067 PTE 3b8a1061 Oops: 0003 [#1] PREEMPT SMP PTI CPU: 1 PID: 453 Comm: insmod Tainted: G O K 5.2.0-rc1-a188339ca5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014 RIP: 0010:apply_relocate_add+0xbe/0x14c Code: fa 0b 74 21 48 83 fa 18 74 38 48 83 fa 0a 75 40 eb 08 48 83 38 00 74 33 eb 53 83 38 00 75 4e 89 08 89 c8 eb 0a 83 38 00 75 43 <89> 08 48 63 c1 48 39 c8 74 2e eb 48 83 38 00 75 32 48 29 c1 89 08 RSP: 0018:ffffb223c00dbb10 EFLAGS: 00010246 RAX: ffffffffc005b1d9 RBX: 0000000000000000 RCX: ffffffff8b200060 RDX: 000000000000000b RSI: 0000004b0000000b RDI: ffff96bdfcd33000 RBP: ffffb223c00dbb38 R08: ffffffffc005d040 R09: ffffffffc005c1f0 R10: ffff96bdfcd33c40 R11: ffff96bdfcd33b80 R12: 0000000000000018 R13: ffffffffc005c1f0 R14: ffffffffc005e708 R15: ffffffff8b2fbc74 FS: 00007f5f447beba8(0000) GS:ffff96bdff900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc005b1d9 CR3: 000000003cedc002 CR4: 0000000000360ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: klp_init_object_loaded+0x10f/0x219 ? preempt_latency_start+0x21/0x57 klp_enable_patch+0x662/0x809 ? virt_to_head_page+0x3a/0x3c ? kfree+0x8c/0x126 patch_init+0x2ed/0x1000 [livepatch_test02] ? 0xffffffffc0060000 do_one_initcall+0x9f/0x1c5 ? kmem_cache_alloc_trace+0xc4/0xd4 ? do_init_module+0x27/0x210 do_init_module+0x5f/0x210 load_module+0x1c41/0x2290 ? fsnotify_path+0x3b/0x42 ? strstarts+0x2b/0x2b ? kernel_read+0x58/0x65 __do_sys_finit_module+0x9f/0xc3 ? __do_sys_finit_module+0x9f/0xc3 __x64_sys_finit_module+0x1a/0x1c do_syscall_64+0x52/0x61 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The above panic occurs when loading two modules at the same time with ftrace enabled, where at least one of the modules is a livepatch module: CPU0 CPU1 klp_enable_patch() klp_init_object_loaded() module_disable_ro() ftrace_module_enable() ftrace_arch_code_modify_post_process() set_all_modules_text_ro() klp_write_object_relocations() apply_relocate_add() *patches read-only code* - BOOM A similar race exists when toggling ftrace while loading a livepatch module. Fix it by ensuring that the livepatch and ftrace code patching operations -- and their respective permissions changes -- are protected by the text_mutex. Link: http://lkml.kernel.org/r/ab43d56ab909469ac5d2520c5d944ad6d4abd476.1560474114.git.jpoimboe@redhat.com Reported-by: Johannes Erdfelt Fixes: 444d13ff10fb ("modules: add ro_after_init support") Acked-by: Jessica Yu Reviewed-by: Petr Mladek Reviewed-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Steven Rostedt (VMware) commit a4158345ec5acb44cc0a9ef4381e0784c1bc7722 Author: Eiichi Tsukata Date: Fri Jun 14 16:40:26 2019 +0900 tracing/uprobe: Fix obsolete comment on trace_uprobe_create() Commit 0597c49c69d5 ("tracing/uprobes: Use dyn_event framework for uprobe events") cleaned up the usage of trace_uprobe_create(), and the function has been no longer used for removing uprobe/uretprobe. Link: http://lkml.kernel.org/r/20190614074026.8045-2-devel@etsukata.com Reviewed-by: Srikar Dronamraju Signed-off-by: Eiichi Tsukata Signed-off-by: Steven Rostedt (VMware) commit f01098c74b5219f3969d4750eeed1a36bfc038e3 Author: Eiichi Tsukata Date: Fri Jun 14 16:40:25 2019 +0900 tracing/uprobe: Fix NULL pointer dereference in trace_uprobe_create() Just like the case of commit 8b05a3a7503c ("tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()"), writing an incorrectly formatted string to uprobe_events can trigger NULL pointer dereference. Reporeducer: # echo r > /sys/kernel/debug/tracing/uprobe_events dmesg: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 8000000079d12067 P4D 8000000079d12067 PUD 7b7ab067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 1903 Comm: bash Not tainted 5.2.0-rc3+ #15 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 RIP: 0010:strchr+0x0/0x30 Code: c0 eb 0d 84 c9 74 18 48 83 c0 01 48 39 d0 74 0f 0f b6 0c 07 3a 0c 06 74 ea 19 c0 83 c8 01 c3 31 c0 c3 0f 1f 84 00 00 00 00 00 <0f> b6 07 89 f2 40 38 f0 75 0e eb 13 0f b6 47 01 48 83 c RSP: 0018:ffffb55fc0403d10 EFLAGS: 00010293 RAX: ffff993ffb793400 RBX: 0000000000000000 RCX: ffffffffa4852625 RDX: 0000000000000000 RSI: 000000000000002f RDI: 0000000000000000 RBP: ffffb55fc0403dd0 R08: ffff993ffb793400 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff993ff9cc1668 R14: 0000000000000001 R15: 0000000000000000 FS: 00007f30c5147700(0000) GS:ffff993ffda00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000007b628000 CR4: 00000000000006f0 Call Trace: trace_uprobe_create+0xe6/0xb10 ? __kmalloc_track_caller+0xe6/0x1c0 ? __kmalloc+0xf0/0x1d0 ? trace_uprobe_create+0xb10/0xb10 create_or_delete_trace_uprobe+0x35/0x90 ? trace_uprobe_create+0xb10/0xb10 trace_run_command+0x9c/0xb0 trace_parse_run_command+0xf9/0x1eb ? probes_open+0x80/0x80 __vfs_write+0x43/0x90 vfs_write+0x14a/0x2a0 ksys_write+0xa2/0x170 do_syscall_64+0x7f/0x200 entry_SYSCALL_64_after_hwframe+0x49/0xbe Link: http://lkml.kernel.org/r/20190614074026.8045-1-devel@etsukata.com Cc: stable@vger.kernel.org Fixes: 0597c49c69d5 ("tracing/uprobes: Use dyn_event framework for uprobe events") Reviewed-by: Srikar Dronamraju Signed-off-by: Eiichi Tsukata Signed-off-by: Steven Rostedt (VMware) commit ff585c5b9a27e64084c84e2ddf24fd00bf8dcfc1 Author: YueHaibing Date: Fri Jun 14 23:32:10 2019 +0800 tracing: Make two symbols static Fix sparse warnings: kernel/trace/trace.c:6927:24: warning: symbol 'get_tracing_log_err' was not declared. Should it be static? kernel/trace/trace.c:8196:15: warning: symbol 'trace_instance_dir' was not declared. Should it be static? Link: http://lkml.kernel.org/r/20190614153210.24424-1-yuehaibing@huawei.com Acked-by: Tom Zanussi Reported-by: Hulk Robot Signed-off-by: YueHaibing Signed-off-by: Steven Rostedt (VMware) commit cbdaeaf050b730ea02e9ab4ff844ce54d85dbe1d Author: Vasily Gorbik Date: Wed Jun 5 13:11:58 2019 +0200 tracing: avoid build warning with HAVE_NOP_MCOUNT Selecting HAVE_NOP_MCOUNT enables -mnop-mcount (if gcc supports it) and sets CC_USING_NOP_MCOUNT. Reuse __is_defined (which is suitable for testing CC_USING_* defines) to avoid conditional compilation and fix the following gcc 9 warning on s390: kernel/trace/ftrace.c:2514:1: warning: ‘ftrace_code_disable’ defined but not used [-Wunused-function] Link: http://lkml.kernel.org/r/patch.git-1a82d13f33ac.your-ad-here.call-01559732716-ext-6629@work.hours Fixes: 2f4df0017baed ("tracing: Add -mcount-nop option support") Signed-off-by: Vasily Gorbik Signed-off-by: Steven Rostedt (VMware) commit becf33f694dc50656766e0fde8883437d5c8d4b4 Author: Eiichi Tsukata Date: Mon Jun 10 13:00:16 2019 +0900 tracing: Fix out-of-range read in trace_stack_print() Puts range check before dereferencing the pointer. Reproducer: # echo stacktrace > trace_options # echo 1 > events/enable # cat trace > /dev/null KASAN report: ================================================================== BUG: KASAN: use-after-free in trace_stack_print+0x26b/0x2c0 Read of size 8 at addr ffff888069d20000 by task cat/1953 CPU: 0 PID: 1953 Comm: cat Not tainted 5.2.0-rc3+ #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 Call Trace: dump_stack+0x8a/0xce print_address_description+0x60/0x224 ? trace_stack_print+0x26b/0x2c0 ? trace_stack_print+0x26b/0x2c0 __kasan_report.cold+0x1a/0x3e ? trace_stack_print+0x26b/0x2c0 kasan_report+0xe/0x20 trace_stack_print+0x26b/0x2c0 print_trace_line+0x6ea/0x14d0 ? tracing_buffers_read+0x700/0x700 ? trace_find_next_entry_inc+0x158/0x1d0 s_show+0xea/0x310 seq_read+0xaa7/0x10e0 ? seq_escape+0x230/0x230 __vfs_read+0x7c/0x100 vfs_read+0x16c/0x3a0 ksys_read+0x121/0x240 ? kernel_write+0x110/0x110 ? perf_trace_sys_enter+0x8a0/0x8a0 ? syscall_slow_exit_work+0xa9/0x410 do_syscall_64+0xb7/0x390 ? prepare_exit_to_usermode+0x165/0x200 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f867681f910 Code: b6 fe ff ff 48 8d 3d 0f be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44 00 00 83 3d f9 2d 2c 00 00 75 10 b8 00 00 00 00 04 RSP: 002b:00007ffdabf23488 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f867681f910 RDX: 0000000000020000 RSI: 00007f8676cde000 RDI: 0000000000000003 RBP: 00007f8676cde000 R08: ffffffffffffffff R09: 0000000000000000 R10: 0000000000000871 R11: 0000000000000246 R12: 00007f8676cde000 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000000ec0 Allocated by task 1214: save_stack+0x1b/0x80 __kasan_kmalloc.constprop.0+0xc2/0xd0 kmem_cache_alloc+0xaf/0x1a0 getname_flags+0xd2/0x5b0 do_sys_open+0x277/0x5a0 do_syscall_64+0xb7/0x390 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 1214: save_stack+0x1b/0x80 __kasan_slab_free+0x12c/0x170 kmem_cache_free+0x8a/0x1c0 putname+0xe1/0x120 do_sys_open+0x2c5/0x5a0 do_syscall_64+0xb7/0x390 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888069d20000 which belongs to the cache names_cache of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [ffff888069d20000, ffff888069d21000) The buggy address belongs to the page: page:ffffea0001a74800 refcount:1 mapcount:0 mapping:ffff88806ccd1380 index:0x0 compound_mapcount: 0 flags: 0x100000000010200(slab|head) raw: 0100000000010200 dead000000000100 dead000000000200 ffff88806ccd1380 raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888069d1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888069d1ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888069d20000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888069d20080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888069d20100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Link: http://lkml.kernel.org/r/20190610040016.5598-1-devel@etsukata.com Fixes: 4285f2fcef80 ("tracing: Remove the ULONG_MAX stack trace hackery") Signed-off-by: Eiichi Tsukata Signed-off-by: Steven Rostedt (VMware) commit 9caec6620f25b6d15646bbdb93062c872ba3b56f Author: Jon Hunter Date: Wed Jun 5 15:01:39 2019 +0100 clk: tegra210: Fix default rates for HDA clocks Currently the default clock rates for the HDA and HDA2CODEC_2X clocks are both 19.2MHz. However, the default rates for these clocks should actually be 51MHz and 48MHz, respectively. The current clock settings results in a distorted output during audio playback. Correct the default clock rates for these clocks by specifying them in the clock init table for Tegra210. Cc: stable@vger.kernel.org Signed-off-by: Jon Hunter Acked-by: Thierry Reding Signed-off-by: Stephen Boyd commit 2741b6723bf6f7d92d07c44bd6a09c6e37f3f949 Author: Andreas Gruenbacher Date: Sat Jun 8 13:09:02 2019 +0100 gfs2: Fix rounding error in gfs2_iomap_page_prepare The pos and len arguments to the iomap page_prepare callback are not block aligned, so we need to take that into account when computing the number of blocks. Fixes: d0a22a4b03b8 ("gfs2: Fix iomap write page reclaim deadlock") Signed-off-by: Andreas Gruenbacher commit 2a2af5e6e6f55e8ec381f710b8765ffe2838e313 Merge: 4add700968c7 b65842025335 Author: David S. Miller Date: Fri Jun 14 09:36:51 2019 -0700 Merge tag 'mac80211-for-davem-2019-06-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== Various fixes, all over: * a few memory leaks * fixes for management frame protection security and A2/A3 confusion (affecting TDLS as well) * build fix for certificates * etc. ==================== Signed-off-by: David S. Miller commit 4add700968c7761acba88e70a0aa3f44e5ad359d Author: Russell King - ARM Linux admin Date: Fri Jun 14 11:37:49 2019 +0100 net: phylink: further mac_config documentation improvements While reviewing the DPAA2 work, it has become apparent that we need better documentation about which members of the phylink link state structure are valid in the mac_config call. Improve this documentation. Signed-off-by: Russell King Signed-off-by: David S. Miller commit 72a20cee5d99d231809ee4d3d2c09a96a25451e2 Merge: fd6b99fa41dd 41040cf7c5f0 Author: Linus Torvalds Date: Fri Jun 14 06:16:47 2019 -1000 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: "Here are some arm64 fixes for -rc5. The only non-trivial change (in terms of the diffstat) is fixing our SVE ptrace API for big-endian machines, but the majority of this is actually the addition of much-needed comments and updates to the documentation to try to avoid this mess biting us again in future. There are still a couple of small things on the horizon, but nothing major at this point. Summary: - Fix broken SVE ptrace API when running in a big-endian configuration - Fix performance regression due to off-by-one in TLBI range checking - Fix build regression when using Clang" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64/sve: Fix missing SVE/FPSIMD endianness conversions arm64: tlbflush: Ensure start/end of address range are aligned to stride arm64: Don't unconditionally add -Wno-psabi to KBUILD_CFLAGS commit fd6b99fa41ddee9699cff1d0e04e90afa452b24d Merge: c78ad1be4b4d 50f44ee7248a Author: Linus Torvalds Date: Fri Jun 14 06:08:46 2019 -1000 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "16 fixes" * emailed patches from Andrew Morton : mm/devm_memremap_pages: fix final page put race PCI/P2PDMA: track pgmap references per resource, not globally lib/genalloc: introduce chunk owners PCI/P2PDMA: fix the gen_pool_add_virt() failure path mm/devm_memremap_pages: introduce devm_memunmap_pages drivers/base/devres: introduce devm_release_action() mm/vmscan.c: fix trying to reclaim unevictable LRU page coredump: fix race condition between collapse_huge_page() and core dumping mm/mlock.c: change count_mm_mlocked_page_nr return type mm: mmu_gather: remove __tlb_reset_range() for force flush fs/ocfs2: fix race in ocfs2_dentry_attach_lock() mm/vmscan.c: fix recent_rotated history mm/mlock.c: mlockall error for flag MCL_ONFAULT scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node mm: memcontrol: don't batch updates of local VM stats and events commit e14c5873d2a311e1fb78572b3aefa3880100bc9c Merge: 744ed8cb8a47 f3a5231c8f14 Author: Daniel Vetter Date: Fri Jun 14 17:46:54 2019 +0200 Merge branch 'drm-fixes-5.2' of git://people.freedesktop.org/~agd5f/linux into drm-fixes Fixes for 5.2: - Extend previous vce fix for resume to uvd and vcn - Fix bounds checking in ras debugfs interface - Fix a regression on SI using amdgpu Signed-off-by: Daniel Vetter From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20190613021856.3307-1-alexander.deucher@amd.com commit c78ad1be4b4d65eb214421b90a788abf3c85c3ea Merge: 7617c9a087d2 4e4abae311e4 Author: Linus Torvalds Date: Fri Jun 14 05:49:35 2019 -1000 Merge tag 'iommu-fixes-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull iommu fixes from Joerg Roedel: - three fixes for Intel VT-d to fix a potential dead-lock, a formatting fix and a bit setting fix - one fix for the ARM-SMMU to make it work on some platforms with sub-optimal SMMU emulation * tag 'iommu-fixes-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/arm-smmu: Avoid constant zero in TLBI writes iommu/vt-d: Set the right field for Page Walk Snoop iommu/vt-d: Fix lock inversion between iommu->lock and device_domain_lock iommu: Add missing new line for dma type commit 7617c9a087d2036e12e1524a03d064884730f4a1 Merge: bcb46a0e0e5c 3b00691cc46a Author: Linus Torvalds Date: Fri Jun 14 05:48:29 2019 -1000 Merge tag 'gpio-v5.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fix from Linus Walleij: "A single fix for the PCA953x driver affecting some fringe variants of the chip" * tag 'gpio-v5.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: pca953x: hack to fix 24 bit gpio expanders commit 385097a3675749cbc9e97c085c0e5dfe4269ca51 Author: Young Xiao <92siuyang@gmail.com> Date: Fri Jun 14 15:13:02 2019 +0800 nfc: Ensure presence of required attributes in the deactivate_target handler Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to NFC_ATTR_DEVICE_INDEX) are provided by the netlink client prior to accessing them. This prevents potential unhandled NULL pointer dereference exceptions which can be triggered by malicious user-mode programs, if they omit one or both of these attributes. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: David S. Miller commit bcb46a0e0e5c79291ffbc1e4b5d1d3d119e0f984 Merge: c11fb13a117e 17d304604a88 Author: Linus Torvalds Date: Fri Jun 14 05:37:06 2019 -1000 Merge tag 'sound-5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "It might feel like deja vu to receive a bulk of changes at rc5, and it happens again; we've got a collection of fixes for ASoC. Most of fixes are targeted for the newly merged SOF (Sound Open Firmware) stuff and the relevant fixes for Intel platforms. Other than that, there are a few regression fixes for the recent ASoC core changes and HD-audio quirk, as well as a couple of FireWire fixes and for other ASoC codecs" * tag 'sound-5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (54 commits) Revert "ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops" ALSA: ice1712: Check correct return value to snd_i2c_sendbytes (EWS/DMX 6Fire) ALSA: oxfw: allow PCM capture for Stanton SCS.1m ALSA: firewire-motu: fix destruction of data for isochronous resources ASoC: Intel: sst: fix kmalloc call with wrong flags ASoC: core: Fix deadlock in snd_soc_instantiate_card() SoC: rt274: Fix internal jack assignment in set_jack callback ALSA: hdac: fix memory release for SST and SOF drivers ASoC: SOF: Intel: hda: use the defined ppcap functions ASoC: core: move DAI pre-links initiation to snd_soc_instantiate_card ASoC: Intel: cht_bsw_rt5672: fix kernel oops with platform_name override ASoC: Intel: cht_bsw_nau8824: fix kernel oops with platform_name override ASoC: Intel: bytcht_es8316: fix kernel oops with platform_name override ASoC: Intel: cht_bsw_max98090: fix kernel oops with platform_name override ASoC: sun4i-i2s: Add offset to RX channel select ASoC: sun4i-i2s: Fix sun8i tx channel offset mask ASoC: max98090: remove 24-bit format support if RJ is 0 ASoC: da7219: Fix build error without CONFIG_I2C ASoC: SOF: Intel: hda: Fix COMPILE_TEST build error ASoC: SOF: fix DSP oops definitions in FW ABI ... commit c4e0540d0ad49c8ceab06cceed1de27c4fe29f6e Author: Naohiro Aota Date: Thu Jun 6 16:54:44 2019 +0900 btrfs: start readahead also in seed devices Currently, btrfs does not consult seed devices to start readahead. As a result, if readahead zone is added to the seed devices, btrfs_reada_wait() indefinitely wait for the reada_ctl to finish. You can reproduce the hung by modifying btrfs/163 to have larger initial file size (e.g. xfs_io pwrite 4M instead of current 256K). Fixes: 7414a03fbf9e ("btrfs: initial readahead code and prototypes") Cc: stable@vger.kernel.org # 3.2+: ce7791ffee1e: Btrfs: fix race between readahead and device replace/removal Cc: stable@vger.kernel.org # 3.2+ Reviewed-by: Filipe Manana Signed-off-by: Naohiro Aota Signed-off-by: David Sterba commit f3176ec9420de0c385023afa3e4970129444ac2f Author: Andrey Ryabinin Date: Fri Jun 14 17:31:49 2019 +0300 x86/kasan: Fix boot with 5-level paging and KASAN Since commit d52888aa2753 ("x86/mm: Move LDT remap out of KASLR region on 5-level paging") kernel doesn't boot with KASAN on 5-level paging machines. The bug is actually in early_p4d_offset() and introduced by commit 12a8cc7fcf54 ("x86/kasan: Use the same shadow offset for 4- and 5-level paging") early_p4d_offset() tries to convert pgd_val(*pgd) value to a physical address. This doesn't make sense because pgd_val() already contains the physical address. It did work prior to commit d52888aa2753 because the result of "__pa_nodebug(pgd_val(*pgd)) & PTE_PFN_MASK" was the same as "pgd_val(*pgd) & PTE_PFN_MASK". __pa_nodebug() just set some high bits which were masked out by applying PTE_PFN_MASK. After the change of the PAGE_OFFSET offset in commit d52888aa2753 __pa_nodebug(pgd_val(*pgd)) started to return a value with more high bits set and PTE_PFN_MASK wasn't enough to mask out all of them. So it returns a wrong not even canonical address and crashes on the attempt to dereference it. Switch back to pgd_val() & PTE_PFN_MASK to cure the issue. Fixes: 12a8cc7fcf54 ("x86/kasan: Use the same shadow offset for 4- and 5-level paging") Reported-by: Kirill A. Shutemov Signed-off-by: Andrey Ryabinin Signed-off-by: Thomas Gleixner Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: kasan-dev@googlegroups.com Cc: stable@vger.kernel.org Cc: Link: https://lkml.kernel.org/r/20190614143149.2227-1-aryabinin@virtuozzo.com commit b65842025335711e2a0259feb4dbadb0c9ffb6d9 Author: Avraham Stern Date: Wed May 29 15:25:28 2019 +0300 cfg80211: report measurement start TSF correctly Instead of reporting the AP's TSF, host time was reported. Fix it. Signed-off-by: Avraham Stern Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg commit 4f488fbca2a86cc7714a128952eead92cac279ab Author: Eric Biggers Date: Mon Jun 10 13:02:19 2019 -0700 cfg80211: fix memory leak of wiphy device name In wiphy_new_nm(), if an error occurs after dev_set_name() and device_initialize() have already been called, it's necessary to call put_device() (via wiphy_free()) to avoid a memory leak. Reported-by: syzbot+7fddca22578bc67c3fe4@syzkaller.appspotmail.com Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Signed-off-by: Johannes Berg commit 1a473d6092d5d182914bea854ce0b21e6d12519d Author: Mordechay Goodstein Date: Wed May 29 15:25:31 2019 +0300 cfg80211: util: fix bit count off by one The bits of Rx MCS Map in VHT capability were enumerated with index transform - index i -> (i + 1) bit => nss i. BUG! while it should be - index i -> (i + 1) bit => (i + 1) nss. The bug was exposed in commit a53b2a0b1245 ("iwlwifi: mvm: implement VHT extended NSS support in rs.c"), where iwlwifi started using the function. Signed-off-by: Mordechay Goodstein Fixes: b0aa75f0b1b2 ("ieee80211: add new VHT capability fields/parsing") Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg commit f8891461a277ec0afc493fd30cd975a38048a038 Author: Naftali Goldstein Date: Wed May 29 15:25:30 2019 +0300 mac80211: do not start any work during reconfigure flow It is not a good idea to try to perform any work (e.g. send an auth frame) during reconfigure flow. Prevent this from happening, and at the end of the reconfigure flow requeue all the works. Signed-off-by: Naftali Goldstein Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg commit ebb3ca3b4477bbc118976c77fe1913507df718ec Author: Luca Coelho Date: Wed May 29 15:25:29 2019 +0300 cfg80211: use BIT_ULL in cfg80211_parse_mbssid_data() The seen_indices variable is u64 and in other parts of the code we assume mbssid_index_ie[2] can be up to 45, so we should use the 64-bit versions of BIT, namely, BIT_ULL(). Reported-by: Dan Carpented Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg commit 563572340173865a9a356e6bb02579e6998a876d Author: Yibo Zhao Date: Fri Jun 14 19:01:52 2019 +0800 mac80211: only warn once on chanctx_conf being NULL In multiple SSID cases, it takes time to prepare every AP interface to be ready in initializing phase. If a sta already knows everything it needs to join one of the APs and sends authentication to the AP which is not fully prepared at this point of time, AP's channel context could be NULL. As a result, warning message occurs. Even worse, if the AP is under attack via tools such as MDK3 and massive authentication requests are received in a very short time, console will be hung due to kernel warning messages. WARN_ON_ONCE() could be a better way for indicating warning messages without duplicate messages to flood the console. Johannes: We still need to address the underlying problem, but we don't really have a good handle on it yet. Suppress the worst side-effects for now. Signed-off-by: Zhi Chen Signed-off-by: Yibo Zhao [johannes: add note, change subject] Signed-off-by: Johannes Berg commit 588f7d39b3592a36fb7702ae3b8bdd9be4621e2f Author: Johannes Berg Date: Wed Feb 13 15:13:30 2019 +0100 mac80211: drop robust management frames from unknown TA When receiving a robust management frame, drop it if we don't have rx->sta since then we don't have a security association and thus couldn't possibly validate the frame. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg commit 912bbf7e9ca422099935dd69d3ff0fd62db24882 Author: Steve Longerbeam Date: Tue Jun 11 18:16:57 2019 -0700 gpu: ipu-v3: image-convert: Fix image downsize coefficients The output of the IC downsizer unit in both dimensions must be <= 1024 before being passed to the IC resizer unit. This was causing corrupted images when: input_dim > 1024, and input_dim / 2 < output_dim < input_dim Some broken examples were 1920x1080 -> 1024x768 and 1920x1080 -> 1280x1080. Fixes: 70b9b6b3bcb21 ("gpu: ipu-v3: image-convert: calculate per-tile resize coefficients") Signed-off-by: Steve Longerbeam Signed-off-by: Philipp Zabel commit bca4d70cf1b8f6478a711c448a3a1e47b794b162 Author: Steve Longerbeam Date: Tue Jun 11 18:16:56 2019 -0700 gpu: ipu-v3: image-convert: Fix input bytesperline for packed formats The input bytesperline calculation for packed pixel formats was incorrect. The min/max clamping values must be multiplied by the packed bits-per-pixel. This was causing corrupted converted images when the input format was RGB4 (probably also other input packed formats). Fixes: d966e23d61a2c ("gpu: ipu-v3: image-convert: fix bytesperline adjustment") Reported-by: Harsha Manjula Mallikarjun Suggested-by: Harsha Manjula Mallikarjun Signed-off-by: Steve Longerbeam Signed-off-by: Philipp Zabel commit ff391ecd65a1b8324c49046c3db98d9c8ab29af9 Author: Steve Longerbeam Date: Tue Jun 11 18:16:55 2019 -0700 gpu: ipu-v3: image-convert: Fix input bytesperline width/height align The output width and height alignment values were being used in the input bytesperline calculation. Fix by separating local vars w_align and h_align into w_align_in, h_align_in, w_align_out, and h_align_out. Fixes: d966e23d61a2c ("gpu: ipu-v3: image-convert: fix bytesperline adjustment") Signed-off-by: Steve Longerbeam Signed-off-by: Philipp Zabel commit 0d53827d7c172f1345140f7638fe658bda1bb25d Author: Mika Westerberg Date: Fri May 31 13:31:54 2019 +0300 thunderbolt: Implement CIO reset correctly for Titan Ridge When starting ICM firmware on Apple systems we need to perform CIO reset as part of the flow. However, it turns out that the reset register has changed to another location in Titan Ridge. Fix this by introducing ->cio_reset() callback with corresponding implementations for Alpine and Titan Ridge. Fixes: c4630d6ae6e3 ("thunderbolt: Start firmware on Titan Ridge Apple systems") Reported-by: Peter Bowen Signed-off-by: Mika Westerberg commit 68f2515bb31a664ba3e2bc1eb78dd9f529b10067 Author: Bartosz Golaszewski Date: Fri Jun 7 16:33:50 2019 +0200 ARM: davinci: da8xx: specify dma_coherent_mask for lcdc The lcdc device is missing the dma_coherent_mask definition causing the following warning on da850-evm: da8xx_lcdc da8xx_lcdc.0: found Sharp_LK043T1DG01 panel ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:247 dma_alloc_attrs+0xc8/0x110 Modules linked in: CPU: 0 PID: 1 Comm: swapper Not tainted 5.2.0-rc3-00077-g16d72dd4891f #18 Hardware name: DaVinci DA850/OMAP-L138/AM18x EVM [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (__warn+0xec/0x114) [] (__warn) from [] (warn_slowpath_null+0x3c/0x48) [] (warn_slowpath_null) from [] (dma_alloc_attrs+0xc8/0x110) [] (dma_alloc_attrs) from [] (fb_probe+0x228/0x5a8) [] (fb_probe) from [] (platform_drv_probe+0x48/0x9c) [] (platform_drv_probe) from [] (really_probe+0x1d8/0x2d4) [] (really_probe) from [] (driver_probe_device+0x5c/0x168) [] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) [] (device_driver_attach) from [] (__driver_attach+0x80/0xbc) [] (__driver_attach) from [] (bus_for_each_dev+0x64/0xb4) [] (bus_for_each_dev) from [] (bus_add_driver+0xe4/0x1d8) [] (bus_add_driver) from [] (driver_register+0x78/0x10c) [] (driver_register) from [] (do_one_initcall+0x48/0x1bc) [] (do_one_initcall) from [] (kernel_init_freeable+0x10c/0x1d8) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xf4) [] (kernel_init) from [] (ret_from_fork+0x14/0x34) Exception stack(0xc6837fb0 to 0xc6837ff8) 7fa0: 00000000 00000000 00000000 00000000 7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ---[ end trace 8a8073511be81dd2 ]--- Add a 32-bit mask to the platform device's definition. Signed-off-by: Bartosz Golaszewski Signed-off-by: Sekhar Nori commit 0c0c9b5753cd04601b17de09da1ed2885a3b42fe Author: Bartosz Golaszewski Date: Fri Jun 7 11:02:01 2019 +0200 ARM: davinci: da850-evm: call regulator_has_full_constraints() The BB expander at 0x21 i2c bus 1 fails to probe on da850-evm because the board doesn't set has_full_constraints to true in the regulator API. Call regulator_has_full_constraints() at the end of board registration just like we do in da850-lcdk and da830-evm. Reviewed-by: Linus Walleij Signed-off-by: Bartosz Golaszewski Signed-off-by: Sekhar Nori commit e3ff9c3678b4d80e22d2557b68726174578eaf52 Author: Thomas Gleixner Date: Thu Jun 13 21:40:45 2019 +0200 timekeeping: Repair ktime_get_coarse*() granularity Jason reported that the coarse ktime based time getters advance only once per second and not once per tick as advertised. The code reads only the monotonic base time, which advances once per second. The nanoseconds are accumulated on every tick in xtime_nsec up to a second and the regular time getters take this nanoseconds offset into account, but the ktime_get_coarse*() implementation fails to do so. Add the accumulated xtime_nsec value to the monotonic base time to get the proper per tick advancing coarse tinme. Fixes: b9ff604cff11 ("timekeeping: Add ktime_get_coarse_with_offset") Reported-by: Jason A. Donenfeld Signed-off-by: Thomas Gleixner Tested-by: Jason A. Donenfeld Cc: Arnd Bergmann Cc: Peter Zijlstra Cc: Clemens Ladisch Cc: Sultan Alsawaf Cc: Waiman Long Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1906132136280.1791@nanos.tec.linutronix.de commit 744ed8cb8a4707f04a79904a45cf8f951a28abd6 Merge: febe80307d2c 48eaeb7664c7 Author: Daniel Vetter Date: Thu Jun 13 22:44:21 2019 +0200 Merge tag 'drm-misc-fixes-2019-06-13' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes Sean writes: meson: A few G12A fixes across the driver (Neil) quirks: A couple quirks for GPD devices (Hans) gem_shmem: Use writecombine when vmapping non-dmabuf BOs (Boris) panfrost: A couple tweaks to requiring devfreq (Neil & Ezequiel) edid: Ensure we return the override mode when ddc probe fails (Jani) Cc: Hans de Goede Cc: Neil Armstrong Cc: Boris Brezillon Cc: Ezequiel Garcia Cc: Jani Nikula Signed-off-by: Daniel Vetter From: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20190613143946.GA24233@art_vandelay commit 17d304604a88cf20c8dfd2c95d3decb9c4f8bca4 Author: Hui Wang Date: Fri Jun 14 16:44:12 2019 +0800 Revert "ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops" This reverts commit 9cb40eb184c4220d244a532bd940c6345ad9dbd9. This patch introduces noise and headphone playback issue after rebooting or suspending/resuming. Let us revert it. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=203831 Fixes: 9cb40eb184c4 ("ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops") Cc: Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai commit 50f44ee7248ad2f7984ef081974a6ecd09724b3e Author: Dan Williams Date: Thu Jun 13 15:56:33 2019 -0700 mm/devm_memremap_pages: fix final page put race Logan noticed that devm_memremap_pages_release() kills the percpu_ref drops all the page references that were acquired at init and then immediately proceeds to unplug, arch_remove_memory(), the backing pages for the pagemap. If for some reason device shutdown actually collides with a busy / elevated-ref-count page then arch_remove_memory() should be deferred until after that reference is dropped. As it stands the "wait for last page ref drop" happens *after* devm_memremap_pages_release() returns, which is obviously too late and can lead to crashes. Fix this situation by assigning the responsibility to wait for the percpu_ref to go idle to devm_memremap_pages() with a new ->cleanup() callback. Implement the new cleanup callback for all devm_memremap_pages() users: pmem, devdax, hmm, and p2pdma. Link: http://lkml.kernel.org/r/155727339156.292046.5432007428235387859.stgit@dwillia2-desk3.amr.corp.intel.com Fixes: 41e94a851304 ("add devm_memremap_pages") Signed-off-by: Dan Williams Reported-by: Logan Gunthorpe Reviewed-by: Ira Weiny Reviewed-by: Logan Gunthorpe Cc: Bjorn Helgaas Cc: "Jérôme Glisse" Cc: Christoph Hellwig Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 1570175abd164b32ea1cc677f9dfd2dc6bd093f5 Author: Dan Williams Date: Thu Jun 13 15:56:30 2019 -0700 PCI/P2PDMA: track pgmap references per resource, not globally In preparation for fixing a race between devm_memremap_pages_release() and the final put of a page from the device-page-map, allocate a percpu-ref per p2pdma resource mapping. Link: http://lkml.kernel.org/r/155727338646.292046.9922678317501435597.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Reviewed-by: Ira Weiny Reviewed-by: Logan Gunthorpe Cc: Bjorn Helgaas Cc: Christoph Hellwig Cc: Greg Kroah-Hartman Cc: "Jérôme Glisse" Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 795ee30648c708502da9df637f83c33361d68dcc Author: Dan Williams Date: Thu Jun 13 15:56:27 2019 -0700 lib/genalloc: introduce chunk owners The p2pdma facility enables a provider to publish a pool of dma addresses for a consumer to allocate. A genpool is used internally by p2pdma to collect dma resources, 'chunks', to be handed out to consumers. Whenever a consumer allocates a resource it needs to pin the 'struct dev_pagemap' instance that backs the chunk selected by pci_alloc_p2pmem(). Currently that reference is taken globally on the entire provider device. That sets up a lifetime mismatch whereby the p2pdma core needs to maintain hacks to make sure the percpu_ref is not released twice. This lifetime mismatch also stands in the way of a fix to devm_memremap_pages() whereby devm_memremap_pages_release() must wait for the percpu_ref ->release() callback to complete before it can proceed to teardown pages. So, towards fixing this situation, introduce the ability to store a 'chunk owner' at gen_pool_add() time, and a facility to retrieve the owner at gen_pool_{alloc,free}() time. For p2pdma this will be used to store and recall individual dev_pagemap reference counter instances per-chunk. Link: http://lkml.kernel.org/r/155727338118.292046.13407378933221579644.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Reviewed-by: Ira Weiny Reviewed-by: Logan Gunthorpe Cc: Bjorn Helgaas Cc: "Jérôme Glisse" Cc: Christoph Hellwig Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e615a191216e3fb4e9c0d239007f2b0cd48f28bf Author: Dan Williams Date: Thu Jun 13 15:56:24 2019 -0700 PCI/P2PDMA: fix the gen_pool_add_virt() failure path The pci_p2pdma_add_resource() implementation immediately frees the pgmap if gen_pool_add_virt() fails. However, that means that when @dev triggers a devres release devm_memremap_pages_release() will crash trying to access the freed @pgmap. Use the new devm_memunmap_pages() to manually free the mapping in the error path. Link: http://lkml.kernel.org/r/155727337603.292046.13101332703665246702.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Fixes: 52916982af48 ("PCI/P2PDMA: Support peer-to-peer memory") Reviewed-by: Ira Weiny Acked-by: Bjorn Helgaas Reviewed-by: Logan Gunthorpe Cc: Christoph Hellwig Cc: Greg Kroah-Hartman Cc: "Jérôme Glisse" Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 2e3f139e8ecebf177fe01299285a56855e93fb84 Author: Dan Williams Date: Thu Jun 13 15:56:21 2019 -0700 mm/devm_memremap_pages: introduce devm_memunmap_pages Use the new devm_release_action() facility to allow devm_memremap_pages_release() to be manually triggered. Link: http://lkml.kernel.org/r/155727337088.292046.5774214552136776763.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Reviewed-by: Ira Weiny Reviewed-by: Logan Gunthorpe Cc: Bjorn Helgaas Cc: Christoph Hellwig Cc: Greg Kroah-Hartman Cc: "Jérôme Glisse" Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 2374b682255184d7ef75fcb507ce5af4995ead32 Author: Dan Williams Date: Thu Jun 13 15:56:18 2019 -0700 drivers/base/devres: introduce devm_release_action() Patch series "mm/devm_memremap_pages: Fix page release race", v2. Logan audited the devm_memremap_pages() shutdown path and noticed that it was possible to proceed to arch_remove_memory() before all potential page references have been reaped. Introduce a new ->cleanup() callback to do the work of waiting for any straggling page references and then perform the percpu_ref_exit() in devm_memremap_pages_release() context. For p2pdma this involves some deeper reworks to reference count resources on a per-instance basis rather than a per pci-device basis. A modified genalloc api is introduced to convey a driver-private pointer through gen_pool_{alloc,free}() interfaces. Also, a devm_memunmap_pages() api is introduced since p2pdma does not auto-release resources on a setup failure. The dax and pmem changes pass the nvdimm unit tests, and the p2pdma changes should now pass testing with the pci_p2pdma_release() fix. Jrme, how does this look for HMM? This patch (of 6): The devm_add_action() facility allows a resource allocation routine to add custom devm semantics. One such user is devm_memremap_pages(). There is now a need to manually trigger devm_memremap_pages_release(). Introduce devm_release_action() so the release action can be triggered via a new devm_memunmap_pages() api in a follow-on change. Link: http://lkml.kernel.org/r/155727336530.292046.2926860263201336366.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Reviewed-by: Ira Weiny Reviewed-by: Logan Gunthorpe Cc: Bjorn Helgaas Cc: Christoph Hellwig Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Cc: "Jérôme Glisse" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit a58f2cef26e1ca44182c8b22f4f4395e702a5795 Author: Minchan Kim Date: Thu Jun 13 15:56:15 2019 -0700 mm/vmscan.c: fix trying to reclaim unevictable LRU page There was the below bug report from Wu Fangsuo. On the CMA allocation path, isolate_migratepages_range() could isolate unevictable LRU pages and reclaim_clean_page_from_list() can try to reclaim them if they are clean file-backed pages. page:ffffffbf02f33b40 count:86 mapcount:84 mapping:ffffffc08fa7a810 index:0x24 flags: 0x19040c(referenced|uptodate|arch_1|mappedtodisk|unevictable|mlocked) raw: 000000000019040c ffffffc08fa7a810 0000000000000024 0000005600000053 raw: ffffffc009b05b20 ffffffc009b05b20 0000000000000000 ffffffc09bf3ee80 page dumped because: VM_BUG_ON_PAGE(PageLRU(page) || PageUnevictable(page)) page->mem_cgroup:ffffffc09bf3ee80 ------------[ cut here ]------------ kernel BUG at /home/build/farmland/adroid9.0/kernel/linux/mm/vmscan.c:1350! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 7125 Comm: syz-executor Tainted: G S 4.14.81 #3 Hardware name: ASR AQUILAC EVB (DT) task: ffffffc00a54cd00 task.stack: ffffffc009b00000 PC is at shrink_page_list+0x1998/0x3240 LR is at shrink_page_list+0x1998/0x3240 pc : [] lr : [] pstate: 60400045 sp : ffffffc009b05940 .. shrink_page_list+0x1998/0x3240 reclaim_clean_pages_from_list+0x3c0/0x4f0 alloc_contig_range+0x3bc/0x650 cma_alloc+0x214/0x668 ion_cma_allocate+0x98/0x1d8 ion_alloc+0x200/0x7e0 ion_ioctl+0x18c/0x378 do_vfs_ioctl+0x17c/0x1780 SyS_ioctl+0xac/0xc0 Wu found it's due to commit ad6b67041a45 ("mm: remove SWAP_MLOCK in ttu"). Before that, unevictable pages go to cull_mlocked so that we can't reach the VM_BUG_ON_PAGE line. To fix the issue, this patch filters out unevictable LRU pages from the reclaim_clean_pages_from_list in CMA. Link: http://lkml.kernel.org/r/20190524071114.74202-1-minchan@kernel.org Fixes: ad6b67041a45 ("mm: remove SWAP_MLOCK in ttu") Signed-off-by: Minchan Kim Reported-by: Wu Fangsuo Debugged-by: Wu Fangsuo Tested-by: Wu Fangsuo Reviewed-by: Andrew Morton Acked-by: Michal Hocko Cc: Pankaj Suryawanshi Cc: [4.12+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 59ea6d06cfa9247b586a695c21f94afa7183af74 Author: Andrea Arcangeli Date: Thu Jun 13 15:56:11 2019 -0700 coredump: fix race condition between collapse_huge_page() and core dumping When fixing the race conditions between the coredump and the mmap_sem holders outside the context of the process, we focused on mmget_not_zero()/get_task_mm() callers in 04f5866e41fb70 ("coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping"), but those aren't the only cases where the mmap_sem can be taken outside of the context of the process as Michal Hocko noticed while backporting that commit to older -stable kernels. If mmgrab() is called in the context of the process, but then the mm_count reference is transferred outside the context of the process, that can also be a problem if the mmap_sem has to be taken for writing through that mm_count reference. khugepaged registration calls mmgrab() in the context of the process, but the mmap_sem for writing is taken later in the context of the khugepaged kernel thread. collapse_huge_page() after taking the mmap_sem for writing doesn't modify any vma, so it's not obvious that it could cause a problem to the coredump, but it happens to modify the pmd in a way that breaks an invariant that pmd_trans_huge_lock() relies upon. collapse_huge_page() needs the mmap_sem for writing just to block concurrent page faults that call pmd_trans_huge_lock(). Specifically the invariant that "!pmd_trans_huge()" cannot become a "pmd_trans_huge()" doesn't hold while collapse_huge_page() runs. The coredump will call __get_user_pages() without mmap_sem for reading, which eventually can invoke a lockless page fault which will need a functional pmd_trans_huge_lock(). So collapse_huge_page() needs to use mmget_still_valid() to check it's not running concurrently with the coredump... as long as the coredump can invoke page faults without holding the mmap_sem for reading. This has "Fixes: khugepaged" to facilitate backporting, but in my view it's more a bug in the coredump code that will eventually have to be rewritten to stop invoking page faults without the mmap_sem for reading. So the long term plan is still to drop all mmget_still_valid(). Link: http://lkml.kernel.org/r/20190607161558.32104-1-aarcange@redhat.com Fixes: ba76149f47d8 ("thp: khugepaged") Signed-off-by: Andrea Arcangeli Reported-by: Michal Hocko Acked-by: Michal Hocko Acked-by: Kirill A. Shutemov Cc: Oleg Nesterov Cc: Jann Horn Cc: Hugh Dickins Cc: Mike Rapoport Cc: Mike Kravetz Cc: Peter Xu Cc: Jason Gunthorpe Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0874bb49bb21bf24deda853e8bf61b8325e24bcb Author: swkhack Date: Thu Jun 13 15:56:08 2019 -0700 mm/mlock.c: change count_mm_mlocked_page_nr return type On a 64-bit machine the value of "vma->vm_end - vma->vm_start" may be negative when using 32 bit ints and the "count >> PAGE_SHIFT"'s result will be wrong. So change the local variable and return value to unsigned long to fix the problem. Link: http://lkml.kernel.org/r/20190513023701.83056-1-swkhack@gmail.com Fixes: 0cf2f6f6dc60 ("mm: mlock: check against vma for actual mlock() size") Signed-off-by: swkhack Acked-by: Michal Hocko Reviewed-by: Andrew Morton Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 7a30df49f63ad92318ddf1f7498d1129a77dd4bd Author: Yang Shi Date: Thu Jun 13 15:56:05 2019 -0700 mm: mmu_gather: remove __tlb_reset_range() for force flush A few new fields were added to mmu_gather to make TLB flush smarter for huge page by telling what level of page table is changed. __tlb_reset_range() is used to reset all these page table state to unchanged, which is called by TLB flush for parallel mapping changes for the same range under non-exclusive lock (i.e. read mmap_sem). Before commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), the syscalls (e.g. MADV_DONTNEED, MADV_FREE) which may update PTEs in parallel don't remove page tables. But, the forementioned commit may do munmap() under read mmap_sem and free page tables. This may result in program hang on aarch64 reported by Jan Stancek. The problem could be reproduced by his test program with slightly modified below. ---8<--- static int map_size = 4096; static int num_iter = 500; static long threads_total; static void *distant_area; void *map_write_unmap(void *ptr) { int *fd = ptr; unsigned char *map_address; int i, j = 0; for (i = 0; i < num_iter; i++) { map_address = mmap(distant_area, (size_t) map_size, PROT_WRITE | PROT_READ, MAP_SHARED | MAP_ANONYMOUS, -1, 0); if (map_address == MAP_FAILED) { perror("mmap"); exit(1); } for (j = 0; j < map_size; j++) map_address[j] = 'b'; if (munmap(map_address, map_size) == -1) { perror("munmap"); exit(1); } } return NULL; } void *dummy(void *ptr) { return NULL; } int main(void) { pthread_t thid[2]; /* hint for mmap in map_write_unmap() */ distant_area = mmap(0, DISTANT_MMAP_SIZE, PROT_WRITE | PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); munmap(distant_area, (size_t)DISTANT_MMAP_SIZE); distant_area += DISTANT_MMAP_SIZE / 2; while (1) { pthread_create(&thid[0], NULL, map_write_unmap, NULL); pthread_create(&thid[1], NULL, dummy, NULL); pthread_join(thid[0], NULL); pthread_join(thid[1], NULL); } } ---8<--- The program may bring in parallel execution like below: t1 t2 munmap(map_address) downgrade_write(&mm->mmap_sem); unmap_region() tlb_gather_mmu() inc_tlb_flush_pending(tlb->mm); free_pgtables() tlb->freed_tables = 1 tlb->cleared_pmds = 1 pthread_exit() madvise(thread_stack, 8M, MADV_DONTNEED) zap_page_range() tlb_gather_mmu() inc_tlb_flush_pending(tlb->mm); tlb_finish_mmu() if (mm_tlb_flush_nested(tlb->mm)) __tlb_reset_range() __tlb_reset_range() would reset freed_tables and cleared_* bits, but this may cause inconsistency for munmap() which do free page tables. Then it may result in some architectures, e.g. aarch64, may not flush TLB completely as expected to have stale TLB entries remained. Use fullmm flush since it yields much better performance on aarch64 and non-fullmm doesn't yields significant difference on x86. The original proposed fix came from Jan Stancek who mainly debugged this issue, I just wrapped up everything together. Jan's testing results: v5.2-rc2-24-gbec7550cca10 -------------------------- mean stddev real 37.382 2.780 user 1.420 0.078 sys 54.658 1.855 v5.2-rc2-24-gbec7550cca10 + "mm: mmu_gather: remove __tlb_reset_range() for force flush" ---------------------------------------------------------------------------------------_ mean stddev real 37.119 2.105 user 1.548 0.087 sys 55.698 1.357 [akpm@linux-foundation.org: coding-style fixes] Link: http://lkml.kernel.org/r/1558322252-113575-1-git-send-email-yang.shi@linux.alibaba.com Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") Signed-off-by: Yang Shi Signed-off-by: Jan Stancek Reported-by: Jan Stancek Tested-by: Jan Stancek Suggested-by: Will Deacon Tested-by: Will Deacon Acked-by: Will Deacon Cc: Peter Zijlstra Cc: Nick Piggin Cc: "Aneesh Kumar K.V" Cc: Nadav Amit Cc: Minchan Kim Cc: Mel Gorman Cc: [4.20+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit be99ca2716972a712cde46092c54dee5e6192bf8 Author: Wengang Wang Date: Thu Jun 13 15:56:01 2019 -0700 fs/ocfs2: fix race in ocfs2_dentry_attach_lock() ocfs2_dentry_attach_lock() can be executed in parallel threads against the same dentry. Make that race safe. The race is like this: thread A thread B (A1) enter ocfs2_dentry_attach_lock, seeing dentry->d_fsdata is NULL, and no alias found by ocfs2_find_local_alias, so kmalloc a new ocfs2_dentry_lock structure to local variable "dl", dl1 ..... (B1) enter ocfs2_dentry_attach_lock, seeing dentry->d_fsdata is NULL, and no alias found by ocfs2_find_local_alias so kmalloc a new ocfs2_dentry_lock structure to local variable "dl", dl2. ...... (A2) set dentry->d_fsdata with dl1, call ocfs2_dentry_lock() and increase dl1->dl_lockres.l_ro_holders to 1 on success. ...... (B2) set dentry->d_fsdata with dl2 call ocfs2_dentry_lock() and increase dl2->dl_lockres.l_ro_holders to 1 on success. ...... (A3) call ocfs2_dentry_unlock() and decrease dl2->dl_lockres.l_ro_holders to 0 on success. .... (B3) call ocfs2_dentry_unlock(), decreasing dl2->dl_lockres.l_ro_holders, but see it's zero now, panic Link: http://lkml.kernel.org/r/20190529174636.22364-1-wen.gang.wang@oracle.com Signed-off-by: Wengang Wang Reported-by: Daniel Sobe Tested-by: Daniel Sobe Reviewed-by: Changwei Ge Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit b17f18aff2876ceb3f1fde580c96cd489babf28e Author: Kirill Tkhai Date: Thu Jun 13 15:55:58 2019 -0700 mm/vmscan.c: fix recent_rotated history Johannes pointed out that after commit 886cf1901db9 ("mm: move recent_rotated pages calculation to shrink_inactive_list()") we lost all zone_reclaim_stat::recent_rotated history. This fixes it. Link: http://lkml.kernel.org/r/155905972210.26456.11178359431724024112.stgit@localhost.localdomain Fixes: 886cf1901db9 ("mm: move recent_rotated pages calculation to shrink_inactive_list()") Signed-off-by: Kirill Tkhai Reported-by: Johannes Weiner Acked-by: Michal Hocko Acked-by: Johannes Weiner Cc: Daniel Jordan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit dedca63504a204dc8410d98883fdc16dffa8cb80 Author: Potyra, Stefan Date: Thu Jun 13 15:55:55 2019 -0700 mm/mlock.c: mlockall error for flag MCL_ONFAULT If mlockall() is called with only MCL_ONFAULT as flag, it removes any previously applied lockings and does nothing else. This behavior is counter-intuitive and doesn't match the Linux man page. For mlockall(): EINVAL Unknown flags were specified or MCL_ONFAULT was specified without either MCL_FUTURE or MCL_CURRENT. Consequently, return the error EINVAL, if only MCL_ONFAULT is passed. That way, applications will at least detect that they are calling mlockall() incorrectly. Link: http://lkml.kernel.org/r/20190527075333.GA6339@er01809n.ebgroup.elektrobit.com Fixes: b0f205c2a308 ("mm: mlock: add mlock flags to enable VM_LOCKONFAULT usage") Signed-off-by: Stefan Potyra Reviewed-by: Daniel Jordan Acked-by: Michal Hocko Acked-by: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit c04e32e911653442fc834be6e92e072aeebe01a1 Author: Manuel Traut Date: Thu Jun 13 15:55:52 2019 -0700 scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE At least for ARM64 kernels compiled with the crosstoolchain from Debian/stretch or with the toolchain from kernel.org the line number is not decoded correctly by 'decode_stacktrace.sh': $ echo "[ 136.513051] f1+0x0/0xc [kcrash]" | \ CROSS_COMPILE=/opt/gcc-8.1.0-nolibc/aarch64-linux/bin/aarch64-linux- \ ./scripts/decode_stacktrace.sh /scratch/linux-arm64/vmlinux \ /scratch/linux-arm64 \ /nfs/debian/lib/modules/4.20.0-devel [ 136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:68) kcrash If addr2line from the toolchain is used the decoded line number is correct: [ 136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:57) kcrash Link: http://lkml.kernel.org/r/20190527083425.3763-1-manut@linutronix.de Signed-off-by: Manuel Traut Acked-by: Konstantin Khlebnikov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 3510955b327176fd4cbab5baa75b449f077722a2 Author: Shakeel Butt Date: Thu Jun 13 15:55:49 2019 -0700 mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node Syzbot reported following memory leak: ffffffffda RBX: 0000000000000003 RCX: 0000000000441f79 BUG: memory leak unreferenced object 0xffff888114f26040 (size 32): comm "syz-executor626", pid 7056, jiffies 4294948701 (age 39.410s) hex dump (first 32 bytes): 40 60 f2 14 81 88 ff ff 40 60 f2 14 81 88 ff ff @`......@`...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: slab_post_alloc_hook mm/slab.h:439 [inline] slab_alloc mm/slab.c:3326 [inline] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 kmalloc include/linux/slab.h:547 [inline] __memcg_init_list_lru_node+0x58/0xf0 mm/list_lru.c:352 memcg_init_list_lru_node mm/list_lru.c:375 [inline] memcg_init_list_lru mm/list_lru.c:459 [inline] __list_lru_init+0x193/0x2a0 mm/list_lru.c:626 alloc_super+0x2e0/0x310 fs/super.c:269 sget_userns+0x94/0x2a0 fs/super.c:609 sget+0x8d/0xb0 fs/super.c:660 mount_nodev+0x31/0xb0 fs/super.c:1387 fuse_mount+0x2d/0x40 fs/fuse/inode.c:1236 legacy_get_tree+0x27/0x80 fs/fs_context.c:661 vfs_get_tree+0x2e/0x120 fs/super.c:1476 do_new_mount fs/namespace.c:2790 [inline] do_mount+0x932/0xc50 fs/namespace.c:3110 ksys_mount+0xab/0x120 fs/namespace.c:3319 __do_sys_mount fs/namespace.c:3333 [inline] __se_sys_mount fs/namespace.c:3330 [inline] __x64_sys_mount+0x26/0x30 fs/namespace.c:3330 do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This is a simple off by one bug on the error path. Link: http://lkml.kernel.org/r/20190528043202.99980-1-shakeelb@google.com Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists") Reported-by: syzbot+f90a420dfe2b1b03cb2c@syzkaller.appspotmail.com Signed-off-by: Shakeel Butt Acked-by: Michal Hocko Reviewed-by: Kirill Tkhai Cc: [4.0+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 815744d75152078cde5391fc1e3c2d4424323fb6 Author: Johannes Weiner Date: Thu Jun 13 15:55:46 2019 -0700 mm: memcontrol: don't batch updates of local VM stats and events The kernel test robot noticed a 26% will-it-scale pagefault regression from commit 42a300353577 ("mm: memcontrol: fix recursive statistics correctness & scalabilty"). This appears to be caused by bouncing the additional cachelines from the new hierarchical statistics counters. We can fix this by getting rid of the batched local counters instead. Originally, there were *only* group-local counters, and they were fully maintained per cpu. A reader of a stats file high up in the cgroup tree would have to walk the entire subtree and collect each level's per-cpu counters to get the recursive view. This was prohibitively expensive, and so we switched to per-cpu batched updates of the local counters during a983b5ebee57 ("mm: memcontrol: fix excessive complexity in memory.stat reporting"), reducing the complexity from nr_subgroups * nr_cpus to nr_subgroups. With growing machines and cgroup trees, the tree walk itself became too expensive for monitoring top-level groups, and this is when the culprit patch added hierarchy counters on each cgroup level. When the per-cpu batch size would be reached, both the local and the hierarchy counters would get batch-updated from the per-cpu delta simultaneously. This makes local and hierarchical counter reads blazingly fast, but it unfortunately makes the write-side too cache line intense. Since local counter reads were never a problem - we only centralized them to accelerate the hierarchy walk - and use of the local counters are becoming rarer due to replacement with hierarchical views (ongoing rework in the page reclaim and workingset code), we can make those local counters unbatched per-cpu counters again. The scheme will then be as such: when a memcg statistic changes, the writer will: - update the local counter (per-cpu) - update the batch counter (per-cpu). If the batch is full: - spill the batch into the group's atomic_t - spill the batch into all ancestors' atomic_ts - empty out the batch counter (per-cpu) when a local memcg counter is read, the reader will: - collect the local counter from all cpus when a hiearchy memcg counter is read, the reader will: - read the atomic_t We might be able to simplify this further and make the recursive counters unbatched per-cpu counters as well (batch upward propagation, but leave per-cpu collection to the readers), but that will require a more in-depth analysis and testing of all the callsites. Deal with the immediate regression for now. Link: http://lkml.kernel.org/r/20190521151647.GB2870@cmpxchg.org Fixes: 42a300353577 ("mm: memcontrol: fix recursive statistics correctness & scalabilty") Signed-off-by: Johannes Weiner Reported-by: kernel test robot Tested-by: kernel test robot Cc: Michal Hocko Cc: Shakeel Butt Cc: Roman Gushchin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 3e26c5feed2add218046ecf91bab3cfa9bf762a6 Author: Rafael J. Wysocki Date: Thu Jun 13 23:59:45 2019 +0200 PCI: PM: Skip devices in D0 for suspend-to-idle Commit d491f2b75237 ("PCI: PM: Avoid possible suspend-to-idle issue") attempted to avoid a problem with devices whose drivers want them to stay in D0 over suspend-to-idle and resume, but it did not go as far as it should with that. Namely, first of all, the power state of a PCI bridge with a downstream device in D0 must be D0 (based on the PCI PM spec r1.2, sec 6, table 6-1, if the bridge is not in D0, there can be no PCI transactions on its secondary bus), but that is not actively enforced during system-wide PM transitions, so use the skip_bus_pm flag introduced by commit d491f2b75237 for that. Second, the configuration of devices left in D0 (whatever the reason) during suspend-to-idle need not be changed and attempting to put them into D0 again by force is pointless, so explicitly avoid doing that. Fixes: d491f2b75237 ("PCI: PM: Avoid possible suspend-to-idle issue") Reported-by: Kai-Heng Feng Signed-off-by: Rafael J. Wysocki Reviewed-by: Mika Westerberg Tested-by: Kai-Heng Feng commit 09f6ac2c31f391f754a7bd382e4c0a378662f998 Merge: 0e265747491c 758f2046ea04 Author: Daniel Borkmann Date: Thu Jun 13 23:07:01 2019 +0200 Merge branch 'bpf-ppc-div-fix' Naveen N. Rao says: ==================== The first patch updates DIV64 overflow tests to properly detect error conditions. The second patch fixes powerpc64 JIT to generate the proper unsigned division instruction for BPF_ALU64. ==================== Acked-by: Sandipan Das Signed-off-by: Daniel Borkmann commit 758f2046ea040773ae8ea7f72dd3bbd8fa984501 Author: Naveen N. Rao Date: Thu Jun 13 00:21:40 2019 +0530 powerpc/bpf: use unsigned division instruction for 64-bit operations BPF_ALU64 div/mod operations are currently using signed division, unlike BPF_ALU32 operations. Fix the same. DIV64 and MOD64 overflow tests pass with this fix. Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF") Cc: stable@vger.kernel.org # v4.8+ Signed-off-by: Naveen N. Rao Signed-off-by: Daniel Borkmann commit 3e0682695199bad51dd898fe064d1564637ff77a Author: Naveen N. Rao Date: Thu Jun 13 00:21:39 2019 +0530 bpf: fix div64 overflow tests to properly detect errors If the result of the division is LLONG_MIN, current tests do not detect the error since the return value is truncated to a 32-bit value and ends up being 0. Signed-off-by: Naveen N. Rao Signed-off-by: Daniel Borkmann commit 0e265747491cb182429adfbef7d002164566f25c Author: Martynas Pumputis Date: Wed Jun 12 18:05:41 2019 +0200 bpf: sync BPF_FIB_LOOKUP flag changes with BPF uapi Sync the changes to the flags made in "bpf: simplify definition of BPF_FIB_LOOKUP related flags" with the BPF UAPI headers. Doing in a separate commit to ease syncing of github/libbpf. Signed-off-by: Martynas Pumputis Acked-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann commit b1d6c15b9d824a58c5415673f374fac19e8eccdf Author: Martynas Pumputis Date: Wed Jun 12 18:05:40 2019 +0200 bpf: simplify definition of BPF_FIB_LOOKUP related flags Previously, the BPF_FIB_LOOKUP_{DIRECT,OUTPUT} flags in the BPF UAPI were defined with the help of BIT macro. This had the following issues: - In order to use any of the flags, a user was required to depend on . - No other flag in bpf.h uses the macro, so it seems that an unwritten convention is to use (1 << (nr)) to define BPF-related flags. Fixes: 87f5fc7e48dd ("bpf: Provide helper to do forwarding lookups in kernel FIB table") Signed-off-by: Martynas Pumputis Acked-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann commit 487317c99477d00f22370625d53be3239febabbe Author: Ronnie Sahlberg Date: Wed Jun 5 10:38:38 2019 +1000 cifs: add spinlock for the openFileList to cifsInodeInfo We can not depend on the tcon->open_file_lock here since in multiuser mode we may have the same file/inode open via multiple different tcons. The current code is race prone and will crash if one user deletes a file at the same time a different user opens/create the file. To avoid this we need to have a spinlock attached to the inode and not the tcon. RHBZ: 1580165 CC: Stable Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Reviewed-by: Pavel Shilovsky commit 0ff2b018b02f89da26a616e0148582321a00fd99 Author: Ronnie Sahlberg Date: Wed Jun 5 10:15:34 2019 +1000 cifs: fix panic in smb2_reconnect RH Bugzilla: 1702264 We need to protect so that the call to smb2_reconnect() in smb2_reconnect_server() does not end up freeing the session because it can lead to a use after free and crash. Reviewed-by: Aurelien Aptel Cc: Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Reviewed-by: Pavel Shilovsky commit 8d3289f2fa1e0c7e2f72c7352f1efb75d2ad7c76 Author: Christoph Hellwig Date: Tue Jun 4 19:54:12 2019 +0200 x86/fpu: Don't use current->mm to check for a kthread current->mm can be non-NULL if a kthread calls use_mm(). Check for PF_KTHREAD instead to decide when to store user mode FP state. Fixes: 2722146eb784 ("x86/fpu: Remove fpu->initialized") Reported-by: Peter Zijlstra Signed-off-by: Christoph Hellwig Signed-off-by: Borislav Petkov Acked-by: Sebastian Andrzej Siewior Cc: Aubrey Li Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Jann Horn Cc: Nicolai Stange Cc: Rik van Riel Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/20190604175411.GA27477@lst.de commit 6cb3dd75b00e987f5aaa515a4977d3f3ffd0b651 Merge: 4dde821e4296 5d6168fc61b7 Author: Thomas Gleixner Date: Thu Jun 13 18:34:54 2019 +0200 Merge tag 'timers-v5.2-rc1' of https://git.linaro.org/people/daniel.lezcano/linux into timers/urgent Pull timer fixes from Daniel Lezcano: - Fix missing notrace leading to deadlock on arch_arm_timer (Julien Thierry) - Fix compilation warning on timer-ti-dm (Philippe Mazenauer) commit c11fb13a117e5a6736481c779cb971249ed96016 Merge: b076173a309e 3ed224e273ac Author: Linus Torvalds Date: Thu Jun 13 05:59:05 2019 -1000 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID fixes from Jiri Kosina: - regression fixes (reverts) for module loading changes that turned out to be incompatible with some userspace, from Benjamin Tissoires - regression fix for special Logitech unifiying receiver 0xc52f, from Hans de Goede - a few device ID additions to logitech driver, from Hans de Goede - fix for Bluetooth support on 2nd-gen Wacom Intuos Pro, from Jason Gerecke * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: HID: logitech-dj: Fix 064d:c52f receiver support Revert "HID: core: Call request_module before doing device_add" Revert "HID: core: Do not call request_module() in async context" Revert "HID: Increase maximum report size allowed by hid_field_extract()" HID: a4tech: fix horizontal scrolling HID: hyperv: Add a module description line HID: logitech-hidpp: Add support for the S510 remote control HID: multitouch: handle faulty Elo touch device HID: wacom: Sync INTUOSP2_BT touch state after each frame if necessary HID: wacom: Correct button numbering 2nd-gen Intuos Pro over Bluetooth HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact HID: wacom: Don't report anything prior to the tool entering range HID: wacom: Don't set tool type until we're in range HID: rmi: Use SET_REPORT request on control endpoint for Acer Switch 3 and 5 HID: logitech-hidpp: add support for the MX5500 keyboard HID: logitech-dj: add support for the Logitech MX5500's Bluetooth Mini-Receiver HID: i2c-hid: add iBall Aer3 to descriptor override commit 84396d141894c52f55c1276630587862f5ced7dd Merge: 352bcae97f9b 3da428ff2aa5 Author: Takashi Iwai Date: Thu Jun 13 17:33:34 2019 +0200 Merge tag 'asoc-fix-v5.2-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v5.2 There's an awful lot of fixes here, almost all for the newly introduced SoF DSP drivers (including a few things it turned up in shared code). This is a large and complex piece of code so it's not surprising that there have been quite a few issues here, fortunately things seem to have mostly calmed down now. Otherwise there's just a smattering of small fixes. commit f9bc5227652df4900eff12a9b8b38e9a8c7c78ea Author: Vitaly Kuznetsov Date: Thu Jun 13 13:35:02 2019 +0200 KVM: nVMX: use correct clean fields when copying from eVMCS Unfortunately, a couple of mistakes were made while implementing Enlightened VMCS support, in particular, wrong clean fields were used in copy_enlightened_to_vmcs12(): - exception_bitmap is covered by CONTROL_EXCPN; - vm_exit_controls/pin_based_vm_exec_control/secondary_vm_exec_control are covered by CONTROL_GRP1. Fixes: 945679e301ea0 ("KVM: nVMX: add enlightened VMCS state") Signed-off-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini commit 11aff183225c5cf48fae074cd99d8f18ba84ed34 Author: Farhan Ali Date: Mon Jun 3 11:42:47 2019 -0400 vfio-ccw: Destroy kmem cache region on module exit Free the vfio_ccw_cmd_region on module exit. Fixes: d5afd5d135c8 ("vfio-ccw: add handling for async channel instructions") Signed-off-by: Farhan Ali Message-Id: Signed-off-by: Cornelia Huck Signed-off-by: Heiko Carstens commit febe80307d2ca42157a346507c10d9a81fc28abf Merge: 76509d6b103b c5cc0bf870cf Author: Daniel Vetter Date: Thu Jun 13 11:49:15 2019 +0200 Merge tag 'drm-intel-fixes-2019-06-13' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes drm/i915 fixes for v5.2-rc5: - Fix DMC firmware input validation to avoid buffer overflow - Fix perf register access whitelist for userspace - Fix DSI panel on GPD MicroPC - Fix per-pixel alpha with CCS - Fix HDMI audio for SDVO Signed-off-by: Daniel Vetter From: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/87y325x22w.fsf@intel.com commit 1d0c06513bd44e724f572ef9c932d0c889d183c6 Author: Geert Uytterhoeven Date: Thu Jun 13 09:30:06 2019 +0200 block/ps3vram: Use %llu to format sector_t after LBDAF removal The removal of CONFIG_LBDAF changed the type of sector_t from "unsigned long" to "u64" aka "unsigned long long" on 64-bit platforms, leading to a compiler warning regression: drivers/block/ps3vram.c: In function ‘ps3vram_probe’: drivers/block/ps3vram.c:770:23: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 4 has type ‘sector_t {aka long long unsigned int}’ [-Wformat=] Fix this by using "%llu" instead. Fixes: 72deb455b5ec619f ("block: remove CONFIG_LBDAF") Signed-off-by: Geert Uytterhoeven Signed-off-by: Jens Axboe commit 31f6264e225fb92cf6f4b63031424f20797c297d Author: Hans de Goede Date: Tue Jun 11 16:32:59 2019 +0200 libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk We've received a bugreport that using LPM with ST1000LM024 drives leads to system lockups. So it seems that these models are buggy in more then 1 way. Add NOLPM quirk to the existing quirks entry for BROKEN_FPDMA_AA. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1571330 Cc: stable@vger.kernel.org Reviewed-by: Martin K. Petersen Signed-off-by: Hans de Goede Signed-off-by: Jens Axboe commit 1f0ffa67349c56ea54c03ccfd1e073c990e7411e Author: Coly Li Date: Mon Jun 10 06:13:35 2019 +0800 bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached When people set a writeback percent via sysfs file, /sys/block/bcache/bcache/writeback_percent current code directly sets BCACHE_DEV_WB_RUNNING to dc->disk.flags and schedules kworker dc->writeback_rate_update. If there is no cache set attached to, the writeback kernel thread is not running indeed, running dc->writeback_rate_update does not make sense and may cause NULL pointer deference when reference cache set pointer inside update_writeback_rate(). This patch checks whether the cache set point (dc->disk.c) is NULL in sysfs interface handler, and only set BCACHE_DEV_WB_RUNNING and schedule dc->writeback_rate_update when dc->disk.c is not NULL (it means the cache device is attached to a cache set). This problem might be introduced from initial bcache commit, but commit 3fd47bfe55b0 ("bcache: stop dc->writeback_rate_update properly") changes part of the original code piece, so I add 'Fixes: 3fd47bfe55b0' to indicate from which commit this patch can be applied. Fixes: 3fd47bfe55b0 ("bcache: stop dc->writeback_rate_update properly") Reported-by: Bjørn Forsman Signed-off-by: Coly Li Reviewed-by: Bjørn Forsman Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe commit 31b90956b124240aa8c63250243ae1a53585c5e2 Author: Coly Li Date: Mon Jun 10 06:13:34 2019 +0800 bcache: fix stack corruption by PRECEDING_KEY() Recently people report bcache code compiled with gcc9 is broken, one of the buggy behavior I observe is that two adjacent 4KB I/Os should merge into one but they don't. Finally it turns out to be a stack corruption caused by macro PRECEDING_KEY(). See how PRECEDING_KEY() is defined in bset.h, 437 #define PRECEDING_KEY(_k) \ 438 ({ \ 439 struct bkey *_ret = NULL; \ 440 \ 441 if (KEY_INODE(_k) || KEY_OFFSET(_k)) { \ 442 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0); \ 443 \ 444 if (!_ret->low) \ 445 _ret->high--; \ 446 _ret->low--; \ 447 } \ 448 \ 449 _ret; \ 450 }) At line 442, _ret points to address of a on-stack variable combined by KEY(), the life range of this on-stack variable is in line 442-446, once _ret is returned to bch_btree_insert_key(), the returned address points to an invalid stack address and this address is overwritten in the following called bch_btree_iter_init(). Then argument 'search' of bch_btree_iter_init() points to some address inside stackframe of bch_btree_iter_init(), exact address depends on how the compiler allocates stack space. Now the stack is corrupted. Fixes: 0eacac22034c ("bcache: PRECEDING_KEY()") Signed-off-by: Coly Li Reviewed-by: Rolf Fokkens Reviewed-by: Pierre JUHEN Tested-by: Shenghui Wang Tested-by: Pierre JUHEN Cc: Kent Overstreet Cc: Nix Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe commit 41040cf7c5f0f26c368bc5d3016fed3a9ca6dba4 Author: Dave Martin Date: Wed Jun 12 17:00:32 2019 +0100 arm64/sve: Fix missing SVE/FPSIMD endianness conversions The in-memory representation of SVE and FPSIMD registers is different: the FPSIMD V-registers are stored as single 128-bit host-endian values, whereas SVE registers are stored in an endianness-invariant byte order. This means that the two representations differ when running on a big-endian host. But we blindly copy data from one representation to another when converting between the two, resulting in the register contents being unintentionally byteswapped in certain situations. Currently this can be triggered by the first SVE instruction after a syscall, for example (though the potential trigger points may vary in future). So, fix the conversion functions fpsimd_to_sve(), sve_to_fpsimd() and sve_sync_from_fpsimd_zeropad() to swab where appropriate. There is no common swahl128() or swab128() that we could use here. Maybe it would be worth making this generic, but for now add a simple local hack. Since the byte order differences are exposed in ABI, also clarify the documentation. Cc: Alex Bennée Cc: Peter Maydell Cc: Alan Hayward Cc: Julien Grall Fixes: bc0ee4760364 ("arm64/sve: Core task context handling") Fixes: 8cd969d28fd2 ("arm64/sve: Signal handling support") Fixes: 43d4da2c45b2 ("arm64/sve: ptrace and ELF coredump support") Signed-off-by: Dave Martin [will: Fix typos in comments and docs spotted by Julien] Signed-off-by: Will Deacon commit c326f846ebc2a30eca386b85dffba96e23803d81 Author: Ming Lei Date: Tue Jun 11 17:31:53 2019 +0800 blk-mq: remove WARN_ON(!q->elevator) from blk_mq_sched_free_requests blk_mq_sched_free_requests() may be called in failure path in which q->elevator may not be setup yet, so remove WARN_ON(!q->elevator) from blk_mq_sched_free_requests for avoiding the false positive. This function is actually safe to call in case of !q->elevator because hctx->sched_tags is checked. Cc: Bart Van Assche Cc: Christoph Hellwig Cc: Yi Zhang Fixes: c3e2219216c9 ("block: free sched's request pool in blk_cleanup_queue") Reported-by: syzbot+b9d0d56867048c7bcfde@syzkaller.appspotmail.com Signed-off-by: Ming Lei Signed-off-by: Jens Axboe commit fb5772cbfe48575711bf789767d561582376f7f1 Author: Andreas Herrmann Date: Wed Jun 12 08:17:32 2019 +0200 blkio-controller.txt: Remove references to CFQ CFQ is gone. No need anymore to document its "proportional weight time based division of disk policy". Signed-off-by: Andreas Herrmann Signed-off-by: Jens Axboe commit 8614b0085d98482a065f0a308d715b9d4212aebf Author: Andreas Herrmann Date: Wed Jun 12 08:50:09 2019 +0200 block/switching-sched.txt: Update to blk-mq schedulers Remove references to CFQ and legacy block layer which are gone. Update example with what's available under blk-mq. Signed-off-by: Andreas Herrmann Signed-off-by: Jens Axboe commit 154085ffdcc6875851b80a5d2bd759bbf687b001 Author: Chaitanya Kulkarni Date: Tue Jun 11 15:10:17 2019 -0700 null_blk: remove duplicate check for report zone This patch removes the check in the null_blk_zoned for report zone command, where it checks for the dev-,>zoned before executing the report zone. The null_zone_report() function is a block_device operation callback which is initialized in the null_blk_main.c and gets called as a part of blkdev for report zone IOCTL (BLKREPORTZONE). blkdev_ioctl() blkdev_report_zones_ioctl() blkdev_report_zones() blk_report_zones() disk->fops->report_zones() nullb_zone_report(); The null_zone_report() will never get executed on the non-zoned block device, in the non zoned block device blk_queue_is_zoned() will always be false which is first check the blkdev_report_zones_ioctl() before actual low level driver report zone callback is executed. Here is the detailed scenario:- 1. modprobe null_blk null_init null_alloc_dev dev->zoned = 0 null_add_dev dev->zoned == 0 so we don't set the q->limits.zoned = BLK_ZONED_HR 2. blkzone report /dev/nullb0 blkdev_ioctl() blkdev_report_zones_ioctl() blk_queue_is_zoned() blk_queue_is_zoned q->limits.zoned == 0 return false if (!blk_queue_is_zoned(q)) <--- true return -ENOTTY; Reviewed-by: Damien Le Moal Reviewed-by: Bob Liu Signed-off-by: Chaitanya Kulkarni Signed-off-by: Jens Axboe commit 6cfc0081b046ebf50dd38c38e688c8de143614f3 Author: Greg Kroah-Hartman Date: Wed Jun 12 14:30:19 2019 +0200 blk-mq: no need to check return value of debugfs_create functions When calling debugfs functions, there is no need to ever check the return value. The function can work or not, but the code logic should never do something different based on this. When all of these checks are cleaned up, lots of the functions used in the blk-mq-debugfs code can now return void, as no need to check the return value of them either. Overall, this ends up cleaning up the code and making it smaller, always a nice win. Cc: Jens Axboe Cc: linux-block@vger.kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jens Axboe commit 355e8d26f719c207aa2e00e6f3cfab3acf21769b Author: Eric Biggers Date: Wed Jun 12 14:58:43 2019 -0700 io_uring: fix memory leak of UNIX domain socket inode Opening and closing an io_uring instance leaks a UNIX domain socket inode. This is because the ->file of the io_uring instance's internal UNIX domain socket is set to point to the io_uring file, but then sock_release() sees the non-NULL ->file and assumes the inode reference is held by the file so doesn't call iput(). That's not the case here, since the reference is still meant to be held by the socket; the actual inode of the io_uring file is different. Fix this leak by NULL-ing out ->file before releasing the socket. Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com Fixes: 2b188cc1bb85 ("Add io_uring IO interface") Cc: # v5.1+ Signed-off-by: Eric Biggers Signed-off-by: Jens Axboe commit b9aef63aca772a25ffcfaedf4bd29fb36b919a93 Author: Damien Le Moal Date: Tue Jun 4 16:23:40 2019 +0900 block: force select mq-deadline for zoned block devices In most use cases of zoned block devices (aka SMR disks), the mq-deadline scheduler is mandatory as it implements sequential write command processing guarantees with zone write locking. So make sure that this scheduler is always enabled if CONFIG_BLK_DEV_ZONED is selected. Tested-by: Chaitanya Kulkarni Reviewed-by: Chaitanya Kulkarni Signed-off-by: Damien Le Moal Reviewed-by: Ming Lei Signed-off-by: Jens Axboe commit a370003cc301d4361bae20c9ef615f89bf8d1e8a Author: Todd Kjos Date: Wed Jun 12 13:29:27 2019 -0700 binder: fix possible UAF when freeing buffer There is a race between the binder driver cleaning up a completed transaction via binder_free_transaction() and a user calling binder_ioctl(BC_FREE_BUFFER) to release a buffer. It doesn't matter which is first but they need to be protected against running concurrently which can result in a UAF. Signed-off-by: Todd Kjos Cc: stable Signed-off-by: Greg Kroah-Hartman commit 65565a68c582fec2f2a8f5aaa399118ab1209103 Merge: c21f5a9ed85c 16391bfc8623 Author: Michael Ellerman Date: Thu Jun 13 15:00:34 2019 +1000 Merge branch 'context-id-fix' into fixes This merges a fix for a bug in our context id handling on 64-bit hash CPUs. The fix was written against v5.1 to ease backporting to stable releases. Here we are merging it up to a v5.2-rc2 base, which involves a bit of manual resolution. It also adds a test case for the bug. Signed-off-by: Michael Ellerman commit b076173a309e2ceae84257d1d52cd3cc53b00e39 Merge: 35110e38e6c5 fec6375320c6 Author: Linus Torvalds Date: Wed Jun 12 16:10:57 2019 -1000 Merge tag 'selinux-pr-20190612' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux fixes from Paul Moore: "Three patches for v5.2. One fixes a problem where we weren't correctly logging raw SELinux labels, the other two fix problems where we weren't properly checking calls to kmemdup()" * tag 'selinux-pr-20190612' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts() selinux: fix a missing-check bug in selinux_add_mnt_opt( ) selinux: log raw contexts as untrusted strings commit 16391bfc862342f285195013b73c1394fab28b97 Author: Michael Ellerman Date: Thu Jun 13 12:07:59 2019 +1000 selftests/powerpc: Add test of fork with mapping above 512TB This tests that when a process with a mapping above 512TB forks we correctly separate the parent and child address spaces. This exercises the bug in the context id handling fixed in the previous commit. Signed-off-by: Michael Ellerman commit f3a5231c8f14acd42845e9e60f506b4e948f0e68 Author: Alex Deucher Date: Tue Jun 11 09:45:51 2019 -0500 drm/amdgpu: return 0 by default in amdgpu_pm_load_smu_firmware Fixes SI cards running on amdgpu. Fixes: 1929059893022 ("drm/amd/amdgpu: add RLC firmware to support raven1 refresh") Bug: https://bugs.freedesktop.org/show_bug.cgi?id=110883 Reviewed-by: Evan Quan Signed-off-by: Alex Deucher commit 99f304beb82a86713dc4bc1fd65b8dfda25b1f5e Author: Dan Carpenter Date: Sat Jun 8 12:23:57 2019 +0300 drm/amdgpu: Fix bounds checking in amdgpu_ras_is_supported() The "block" variable can be set by the user through debugfs, so it can be quite large which leads to shift wrapping here. This means we report a "block" as supported when it's not, and that leads to array overflows later on. This bug is not really a security issue in real life, because debugfs is generally root only. Fixes: 36ea1bd2d084 ("drm/amdgpu: add debugfs ctrl node") Signed-off-by: Dan Carpenter Signed-off-by: Alex Deucher commit f18d43046ad2d14ea62b0b4c2b47dd48453cf446 Merge: 41b3588dba6e 3ff46efbcd90 Author: Stephen Boyd Date: Wed Jun 12 15:58:11 2019 -0700 Merge tag 'clk-meson-5.2-1-fixes' of https://github.com/BayLibre/clk-meson into clk-fixes Pull Meson clk driver fixes from Jerome Brunet: - MPLL50M DT bindings typo fix - Meson9 VPU typo fixes * tag 'clk-meson-5.2-1-fixes' of https://github.com/BayLibre/clk-meson: clk: meson: meson8b: fix a typo in the VPU parent names array variable clk: meson: fix MPLL 50M binding id typo commit 9843f3e08e2144724be7148e08d77a195dea257a Author: Alexander Mikhaylenko Date: Wed Jun 12 14:59:46 2019 -0700 Input: synaptics - enable SMBus on ThinkPad E480 and E580 They are capable of using intertouch and it works well with psmouse.synaptics_intertouch=1, so add them to the list. Without it, scrolling and gestures are jumpy, three-finger pinch gesture doesn't work and three- or four-finger swipes sometimes get stuck. Signed-off-by: Alexander Mikhaylenko Reviewed-by: Benjamin Tissoires Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov commit b8003cef2e639fbf462a05ff739aae524d72ca3c Merge: 1d63f0e3274f 6b7a3430c163 Author: David S. Miller Date: Wed Jun 12 11:12:58 2019 -0700 Merge branch 'net-mvpp2-prs-Fixes-for-VID-filtering' Maxime Chevallier says: ==================== net: mvpp2: prs: Fixes for VID filtering This series fixes some issues with VID filtering offload, mainly due to the wrong ranges being used in the TCAM header parser. The first patch fixes a bug where removing a VLAN from a port's whitelist would also remove it from other port's, if they are on the same PPv2 instance. The second patch makes so that we don't invalidate the wrong TCAM entries when clearing the whole whitelist. ==================== Signed-off-by: David S. Miller commit 6b7a3430c163455cf8a514d636bda52b04654972 Author: Maxime Chevallier Date: Tue Jun 11 11:51:43 2019 +0200 net: mvpp2: prs: Use the correct helpers when removing all VID filters When removing all VID filters, the mvpp2_prs_vid_entry_remove would be called with the TCAM id incorrectly used as a VID, causing the wrong TCAM entries to be invalidated. Fix this by directly invalidating entries in the VID range. Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering") Suggested-by: Yuri Chipchev Signed-off-by: Maxime Chevallier Signed-off-by: David S. Miller commit 46b0090a6636cf34c0e856f15dd03e15ba4cdda6 Author: Maxime Chevallier Date: Tue Jun 11 11:51:42 2019 +0200 net: mvpp2: prs: Fix parser range for VID filtering VID filtering is implemented in the Header Parser, with one range of 11 vids being assigned for each no-loopback port. Make sure we use the per-port range when looking for existing entries in the Parser. Since we used a global range instead of a per-port one, this causes VIDs to be removed from the whitelist from all ports of the same PPv2 instance. Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering") Suggested-by: Yuri Chipchev Signed-off-by: Maxime Chevallier Signed-off-by: David S. Miller commit 1d63f0e3274f54e41d2fe35af3076891761e4371 Merge: 648ee6cea7dd 4b14cc313f07 Author: David S. Miller Date: Wed Jun 12 11:08:15 2019 -0700 Merge branch 'mlxsw-Various-fixes' Ido Schimmel says: ==================== mlxsw: Various fixes This patchset contains various fixes for mlxsw. Patch #1 fixes an hash polarization problem when a nexthop device is a LAG device. This is caused by the fact that the same seed is used for the LAG and ECMP hash functions. Patch #2 fixes an issue in which the driver fails to refresh a nexthop neighbour after it becomes dead. This prevents the nexthop from ever being written to the adjacency table and used to forward traffic. Patch Patch #4 fixes a wrong extraction of TOS value in flower offload code. Patch #5 is a test case. Patch #6 works around a buffer issue in Spectrum-2 by reducing the default sizes of the shared buffer pools. Patch #7 prevents prio-tagged packets from entering the switch when PVID is removed from the bridge port. Please consider patches #2, #4 and #6 for 5.1.y ==================== Signed-off-by: David S. Miller commit 4b14cc313f076c37b646cee06a85f0db59cf216c Author: Ido Schimmel Date: Tue Jun 11 10:19:46 2019 +0300 mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed When PVID is removed from a bridge port, the Linux bridge drops both untagged and prio-tagged packets. Align mlxsw with this behavior. Fixes: 148f472da5db ("mlxsw: reg: Add the Switch Port Acceptable Frame Types register") Acked-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller commit e891ce1dd2a54c41a3b70d822cd832735c03b892 Author: Petr Machata Date: Tue Jun 11 10:19:45 2019 +0300 mlxsw: spectrum_buffers: Reduce pool size on Spectrum-2 Due to an issue on Spectrum-2, in front-panel ports split four ways, 2 out of 32 port buffers cannot be used. To work around this, the next FW release will mark them as unused, and will report correspondingly lower total shared buffer size. mlxsw will pick up the new value through a query to cap_total_buffer_size resource. However the initial size for shared buffer pool 0 is hard-coded and therefore needs to be updated. Thus reduce the pool size by 2.7 MiB (which corresponds to 2/32 of the total size of 42 MiB), and round down to the whole number of cells. Fixes: fe099bf682ab ("mlxsw: spectrum_buffers: Add Spectrum-2 shared buffer configuration") Signed-off-by: Petr Machata Acked-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller commit 0b0c0098348f61e864d85269614bce15f6bbfde7 Author: Jiri Pirko Date: Tue Jun 11 10:19:44 2019 +0300 selftests: tc_flower: Add TOS matching test Signed-off-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller commit e49f9adffb28c5acbaea46ddfe2d17b1373c2473 Author: Jiri Pirko Date: Tue Jun 11 10:19:43 2019 +0300 mlxsw: spectrum_flower: Fix TOS matching The TOS value was not extracted correctly. Fix it. Fixes: 87996f91f739 ("mlxsw: spectrum_flower: Add support for ip tos") Reported-by: Alexander Petrovskiy Signed-off-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller commit 45a69b70f54854a043530cc0f86fc30d77bc9620 Author: Ido Schimmel Date: Tue Jun 11 10:19:42 2019 +0300 selftests: mlxsw: Test nexthop offload indication Test that IPv4 and IPv6 nexthops are correctly marked with offload indication in response to neighbour events. Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller commit 83d5782681cc12b3d485a83cb34c46b2445f510c Author: Ido Schimmel Date: Tue Jun 11 10:19:41 2019 +0300 mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead The driver tries to periodically refresh neighbours that are used to reach nexthops. This is done by periodically calling neigh_event_send(). However, if the neighbour becomes dead, there is nothing we can do to return it to a connected state and the above function call is basically a NOP. This results in the nexthop never being written to the device's adjacency table and therefore never used to forward packets. Fix this by dropping our reference from the dead neighbour and associating the nexthop with a new neigbhour which we will try to refresh. Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing") Signed-off-by: Ido Schimmel Reported-by: Alex Veber Tested-by: Alex Veber Acked-by: Jiri Pirko Signed-off-by: David S. Miller commit ee02c26993262c96cc39d0f831f7589b10a44fd7 Author: Ido Schimmel Date: Tue Jun 11 10:19:40 2019 +0300 mlxsw: spectrum: Use different seeds for ECMP and LAG hash The same hash function and seed are used for both ECMP and LAG hash. Therefore, when a LAG device is used as a nexthop device as part of an ECMP group, hash polarization can occur and all the traffic will be hashed to a single LAG slave. Fix this by using a different seed for the LAG hash. Fixes: fa73989f2697 ("mlxsw: spectrum: Use a stable ECMP/LAG seed") Signed-off-by: Ido Schimmel Reported-by: Alex Veber Tested-by: Alex Veber Acked-by: Jiri Pirko Signed-off-by: David S. Miller commit 648ee6cea7dde4a5cdf817e5d964fd60b22006a4 Author: John Fastabend Date: Wed Jun 12 17:23:57 2019 +0000 net: tls, correctly account for copied bytes with multiple sk_msgs tls_sw_do_sendpage needs to return the total number of bytes sent regardless of how many sk_msgs are allocated. Unfortunately, copied (the value we return up the stack) is zero'd before each new sk_msg is allocated so we only return the copied size of the last sk_msg used. The caller (splice, etc.) of sendpage will then believe only part of its data was sent and send the missing chunks again. However, because the data actually was sent the receiver will get multiple copies of the same data. To reproduce this do multiple sendfile calls with a length close to the max record size. This will in turn call splice/sendpage, sendpage may use multiple sk_msg in this case and then returns the incorrect number of bytes. This will cause splice to resend creating duplicate data on the receiver. Andre created a C program that can easily generate this case so we will push a similar selftest for this to bpf-next shortly. The fix is to _not_ zero the copied field so that the total sent bytes is returned. Reported-by: Steinar H. Gunderson Reported-by: Andre Tomt Tested-by: Andre Tomt Fixes: d829e9c4112b ("tls: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: David S. Miller commit e1ae5c2ea4783b1fd87be250f9fcc9d9e1a6ba3f Author: Stephen Suryaputra Date: Mon Jun 10 10:32:50 2019 -0400 vrf: Increment Icmp6InMsgs on the original netdev Get the ingress interface and increment ICMP counters based on that instead of skb->dev when the the dev is a VRF device. This is a follow up on the following message: https://www.spinics.net/lists/netdev/msg560268.html v2: Avoid changing skb->dev since it has unintended effect for local delivery (David Ahern). Signed-off-by: Stephen Suryaputra Reviewed-by: David Ahern Signed-off-by: David S. Miller commit d477f8c202d1f0d4791ab1263ca7657bbe5cf79e Author: Joel Savitz Date: Wed Jun 12 11:50:48 2019 -0400 cpuset: restore sanity to cpuset_cpus_allowed_fallback() In the case that a process is constrained by taskset(1) (i.e. sched_setaffinity(2)) to a subset of available cpus, and all of those are subsequently offlined, the scheduler will set tsk->cpus_allowed to the current value of task_cs(tsk)->effective_cpus. This is done via a call to do_set_cpus_allowed() in the context of cpuset_cpus_allowed_fallback() made by the scheduler when this case is detected. This is the only call made to cpuset_cpus_allowed_fallback() in the latest mainline kernel. However, this is not sane behavior. I will demonstrate this on a system running the latest upstream kernel with the following initial configuration: # grep -i cpu /proc/$$/status Cpus_allowed: ffffffff,fffffff Cpus_allowed_list: 0-63 (Where cpus 32-63 are provided via smt.) If we limit our current shell process to cpu2 only and then offline it and reonline it: # taskset -p 4 $$ pid 2272's current affinity mask: ffffffffffffffff pid 2272's new affinity mask: 4 # echo off > /sys/devices/system/cpu/cpu2/online # dmesg | tail -3 [ 2195.866089] process 2272 (bash) no longer affine to cpu2 [ 2195.872700] IRQ 114: no longer affine to CPU2 [ 2195.879128] smpboot: CPU 2 is now offline # echo on > /sys/devices/system/cpu/cpu2/online # dmesg | tail -1 [ 2617.043572] smpboot: Booting Node 0 Processor 2 APIC 0x4 We see that our current process now has an affinity mask containing every cpu available on the system _except_ the one we originally constrained it to: # grep -i cpu /proc/$$/status Cpus_allowed: ffffffff,fffffffb Cpus_allowed_list: 0-1,3-63 This is not sane behavior, as the scheduler can now not only place the process on previously forbidden cpus, it can't even schedule it on the cpu it was originally constrained to! Other cases result in even more exotic affinity masks. Take for instance a process with an affinity mask containing only cpus provided by smt at the moment that smt is toggled, in a configuration such as the following: # taskset -p f000000000 $$ # grep -i cpu /proc/$$/status Cpus_allowed: 000000f0,00000000 Cpus_allowed_list: 36-39 A double toggle of smt results in the following behavior: # echo off > /sys/devices/system/cpu/smt/control # echo on > /sys/devices/system/cpu/smt/control # grep -i cpus /proc/$$/status Cpus_allowed: ffffff00,ffffffff Cpus_allowed_list: 0-31,40-63 This is even less sane than the previous case, as the new affinity mask excludes all smt-provided cpus with ids less than those that were previously in the affinity mask, as well as those that were actually in the mask. With this patch applied, both of these cases end in the following state: # grep -i cpu /proc/$$/status Cpus_allowed: ffffffff,ffffffff Cpus_allowed_list: 0-63 The original policy is discarded. Though not ideal, it is the simplest way to restore sanity to this fallback case without reinventing the cpuset wheel that rolls down the kernel just fine in cgroup v2. A user who wishes for the previous affinity mask to be restored in this fallback case can use that mechanism instead. This patch modifies scheduler behavior by instead resetting the mask to task_cs(tsk)->cpus_allowed by default, and cpu_possible mask in legacy mode. I tested the cases above on both modes. Note that the scheduler uses this fallback mechanism if and only if _every_ other valid avenue has been traveled, and it is the last resort before calling BUG(). Suggested-by: Waiman Long Suggested-by: Phil Auld Signed-off-by: Joel Savitz Acked-by: Phil Auld Acked-by: Waiman Long Acked-by: Peter Zijlstra (Intel) Signed-off-by: Tejun Heo commit f0d2ca1531377e7da888913e277eefac05a59b6f Author: Maxime Chevallier Date: Wed Jun 12 17:18:38 2019 +0200 net: ethtool: Allow matching on vlan DEI bit Using ethtool, users can specify a classification action matching on the full vlan tag, which includes the DEI bit (also previously called CFI). However, when converting the ethool_flow_spec to a flow_rule, we use dissector keys to represent the matching patterns. Since the vlan dissector key doesn't include the DEI bit, this information was silently discarded when translating the ethtool flow spec in to a flow_rule. This commit adds the DEI bit into the vlan dissector key, and allows propagating the information to the driver when parsing the ethtool flow spec. Fixes: eca4205f9ec3 ("ethtool: add ethtool_rx_flow_spec to flow_rule structure translator") Reported-by: Michał Mirosław Signed-off-by: Maxime Chevallier Signed-off-by: David S. Miller commit bb2e05e0c8dcc2c93a97410ce362da998b83155f Author: Masanari Iida Date: Wed Jun 12 21:29:34 2019 +0900 linux-next: DOC: RDS: Fix a typo in rds.txt This patch fixes a spelling typo in rds.txt Signed-off-by: Masanari Iida Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller commit 71ab8323cc357c68985a2d6fc6cfc22b1dbbc1c3 Author: Matt Mullins Date: Fri May 31 12:47:54 2019 -0700 x86/kgdb: Return 0 from kgdb_arch_set_breakpoint() err must be nonzero in order to reach text_poke(), which caused kgdb to fail to set breakpoints: (gdb) break __x64_sys_sync Breakpoint 1 at 0xffffffff81288910: file ../fs/sync.c, line 124. (gdb) c Continuing. Warning: Cannot insert breakpoint 1. Cannot access memory at address 0xffffffff81288910 Command aborted. Fixes: 86a22057127d ("x86/kgdb: Avoid redundant comparison of patched code") Signed-off-by: Matt Mullins Signed-off-by: Borislav Petkov Reviewed-by: Nadav Amit Cc: Andy Lutomirski Cc: Christophe Leroy Cc: Daniel Thompson Cc: Douglas Anderson Cc: "Gustavo A. R. Silva" Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: "Peter Zijlstra (Intel)" Cc: Rick Edgecombe Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/20190531194755.6320-1-mmullins@fb.com commit ec66854c832c95f612756192d42ac1158593800f Author: Matteo Croce Date: Wed Jun 12 11:50:37 2019 +0200 mpls: fix af_mpls dependencies for real Randy reported that selecting MPLS_ROUTING without PROC_FS breaks the build, because since commit c1a9d65954c6 ("mpls: fix af_mpls dependencies"), MPLS_ROUTING selects PROC_SYSCTL, but Kconfig's select doesn't recursively handle dependencies. Change the select into a dependency. Fixes: c1a9d65954c6 ("mpls: fix af_mpls dependencies") Reported-by: Randy Dunlap Signed-off-by: Matteo Croce Signed-off-by: David S. Miller commit fec6375320c6399c708fa9801f8cfbf950fee623 Author: Gen Zhang Date: Wed Jun 12 21:55:38 2019 +0800 selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts() In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It returns NULL when fails. So 'arg' should be checked. And 'mnt_opts' should be freed when error. Signed-off-by: Gen Zhang Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") Cc: Signed-off-by: Paul Moore commit 76509d6b103b8cbbbb4021be3a024efa23e01cf2 Merge: d1fdb6d8f6a4 2458d9d6d94b Author: Daniel Vetter Date: Wed Jun 12 18:22:28 2019 +0200 Merge branch 'mediatek-drm-fixes-5.2' of https://github.com/ckhu-mediatek/linux.git-tags into drm-fixes CK writes: This include unbind error fix, clock control flow refinement, and PRIME mmap with page offset. Signed-off-by: Daniel Vetter From: CK Hu Link: https://patchwork.freedesktop.org/patch/msgid/1560325868.3259.6.camel@mtksdaap41 commit 35110e38e6c59b0db9618701d75c7c2a36f98d55 Merge: aa7235483a83 a200c721956c Author: Linus Torvalds Date: Wed Jun 12 05:57:05 2019 -1000 Merge tag 'media/v5.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: - a debug warning for satellite tuning at dvb core was producing too much noise - a regression at hfi_parser on Venus driver * tag 'media/v5.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: media: venus: hfi_parser: fix a regression in parser media: dvb: warning about dvb frequency limits produces too much noise commit e2e0e09758a6f7597de0f9b819647addfb71b6bd Author: Gen Zhang Date: Wed Jun 12 21:28:21 2019 +0800 selinux: fix a missing-check bug in selinux_add_mnt_opt( ) In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns NULL when fails. So 'val' should be checked. And 'mnt_opts' should be freed when error. Signed-off-by: Gen Zhang Fixes: 757cbe597fe8 ("LSM: new method: ->sb_add_mnt_opt()") Cc: [PM: fixed some indenting problems] Signed-off-by: Paul Moore commit 01d57485fcdb9f9101a10a18e32d5f8b023cab86 Author: Will Deacon Date: Tue Jun 11 12:47:34 2019 +0100 arm64: tlbflush: Ensure start/end of address range are aligned to stride Since commit 3d65b6bbc01e ("arm64: tlbi: Set MAX_TLBI_OPS to PTRS_PER_PTE"), we resort to per-ASID invalidation when attempting to perform more than PTRS_PER_PTE invalidation instructions in a single call to __flush_tlb_range(). Whilst this is beneficial, the mmu_gather code does not ensure that the end address of the range is rounded-up to the stride when freeing intermediate page tables in pXX_free_tlb(), which defeats our range checking. Align the bounds passed into __flush_tlb_range(). Cc: Catalin Marinas Cc: Peter Zijlstra Reported-by: Hanjun Guo Tested-by: Hanjun Guo Reviewed-by: Hanjun Guo Signed-off-by: Will Deacon commit 5f54a85db5df67df8161739a4b2f9c2b7ab219fe Author: Heikki Krogerus Date: Wed Jun 12 17:15:40 2019 +0300 usb: typec: Make sure an alt mode exist before getting its partner Adding check to typec_altmode_get_partner() to prevent potential NULL pointer dereference. Reported-by: Vladimir Yerilov Fixes: ad74b8649bea ("usb: typec: ucsi: Preliminary support for alternate modes") Signed-off-by: Heikki Krogerus Signed-off-by: Greg Kroah-Hartman commit 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a Author: Dave Martin Date: Thu Jun 6 11:58:07 2019 +0100 KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy kvm_device->destroy() seems to be supposed to free its kvm_device struct, but vgic_its_destroy() is not currently doing this, resulting in a memory leak, resulting in kmemleak reports such as the following: unreferenced object 0xffff800aeddfe280 (size 128): comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s) [...] backtrace: [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208 [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0 Fix it. Cc: Andre Przywara Fixes: 1085fdc68c60 ("KVM: arm64: vgic-its: Introduce new KVM ITS device") Signed-off-by: Dave Martin Signed-off-by: Marc Zyngier commit df205b5c63281e4f32caac22adda18fd68795e80 Author: Dave Martin Date: Wed Jun 12 13:44:49 2019 +0100 KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST Since commit d26c25a9d19b ("arm64: KVM: Tighten guest core register access from userspace"), KVM_{GET,SET}_ONE_REG rejects register IDs that do not correspond to a single underlying architectural register. KVM_GET_REG_LIST was not changed to match however: instead, it simply yields a list of 32-bit register IDs that together cover the whole kvm_regs struct. This means that if userspace tries to use the resulting list of IDs directly to drive calls to KVM_*_ONE_REG, some of those calls will now fail. This was not the intention. Instead, iterating KVM_*_ONE_REG over the list of IDs returned by KVM_GET_REG_LIST should be guaranteed to work. This patch fixes the problem by splitting validate_core_offset() into a backend core_reg_size_from_offset() which does all of the work except for checking that the size field in the register ID matches, and kvm_arm_copy_reg_indices() and num_core_regs() are converted to use this to enumerate the valid offsets. kvm_arm_copy_reg_indices() now also sets the register ID size field appropriately based on the value returned, so the register ID supplied to userspace is fully qualified for use with the register access ioctls. Cc: stable@vger.kernel.org Fixes: d26c25a9d19b ("arm64: KVM: Tighten guest core register access from userspace") Signed-off-by: Dave Martin Reviewed-by: Andrew Jones Tested-by: Andrew Jones Signed-off-by: Marc Zyngier commit 0c529ff789bc7a3efbc732753e0b0fd9f4d9a4a4 Author: Viresh Kumar Date: Mon Jun 10 15:30:03 2019 +0530 KVM: arm64: Implement vq_present() as a macro This routine is a one-liner and doesn't really need to be function and can be implemented as a macro. Suggested-by: Dave Martin Reviewed-by: Dave Martin Signed-off-by: Viresh Kumar Signed-off-by: Marc Zyngier commit 01d76b5317003e019ace561a9b775f51aafdfdc4 Author: Ilya Maximets Date: Fri Jun 7 20:27:32 2019 +0300 xdp: check device pointer before clearing We should not call 'ndo_bpf()' or 'dev_put()' with NULL argument. Fixes: c9b47cc1fabc ("xsk: fix bug when trying to use both copy and zero-copy on one queue id") Signed-off-by: Ilya Maximets Acked-by: Jonathan Lemon Signed-off-by: Daniel Borkmann commit f12dd75959b0138f94da8ddcf43f2f3cf277216d Author: Martin KaFai Lau Date: Tue Jun 11 14:45:57 2019 -0700 bpf: net: Set sk_bpf_storage back to NULL for cloned sk The cloned sk should not carry its parent-listener's sk_bpf_storage. This patch fixes it by setting it back to NULL. Fixes: 6ac99e8f23d4 ("bpf: Introduce bpf sk local storage") Signed-off-by: Martin KaFai Lau Acked-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann commit 8eaf40c0e24e98899a0f3ac9d25a33aafe13822a Author: Filipe Manana Date: Wed Jun 12 11:05:42 2019 +0100 Btrfs: fix race between block group removal and block group allocation If a task is removing the block group that currently has the highest start offset amongst all existing block groups, there is a short time window where it races with a concurrent block group allocation, resulting in a transaction abort with an error code of EEXIST. The following diagram explains the race in detail: Task A Task B btrfs_remove_block_group(bg offset X) remove_extent_mapping(em offset X) -> removes extent map X from the tree of extent maps (fs_info->mapping_tree), so the next call to find_next_chunk() will return offset X btrfs_alloc_chunk() find_next_chunk() --> returns offset X __btrfs_alloc_chunk(offset X) btrfs_make_block_group() btrfs_create_block_group_cache() --> creates btrfs_block_group_cache object with a key corresponding to the block group item in the extent, the key is: (offset X, BTRFS_BLOCK_GROUP_ITEM_KEY, 1G) --> adds the btrfs_block_group_cache object to the list new_bgs of the transaction handle btrfs_end_transaction(trans handle) __btrfs_end_transaction() btrfs_create_pending_block_groups() --> sees the new btrfs_block_group_cache in the new_bgs list of the transaction handle --> its call to btrfs_insert_item() fails with -EEXIST when attempting to insert the block group item key (offset X, BTRFS_BLOCK_GROUP_ITEM_KEY, 1G) because task A has not removed that key yet --> aborts the running transaction with error -EEXIST btrfs_del_item() -> removes the block group's key from the extent tree, key is (offset X, BTRFS_BLOCK_GROUP_ITEM_KEY, 1G) A sample transaction abort trace: [78912.403537] ------------[ cut here ]------------ [78912.403811] BTRFS: Transaction aborted (error -17) [78912.404082] WARNING: CPU: 2 PID: 20465 at fs/btrfs/extent-tree.c:10551 btrfs_create_pending_block_groups+0x196/0x250 [btrfs] (...) [78912.405642] CPU: 2 PID: 20465 Comm: btrfs Tainted: G W 5.0.0-btrfs-next-46 #1 [78912.405941] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 [78912.406586] RIP: 0010:btrfs_create_pending_block_groups+0x196/0x250 [btrfs] (...) [78912.407636] RSP: 0018:ffff9d3d4b7e3b08 EFLAGS: 00010282 [78912.407997] RAX: 0000000000000000 RBX: ffff90959a3796f0 RCX: 0000000000000006 [78912.408369] RDX: 0000000000000007 RSI: 0000000000000001 RDI: ffff909636b16860 [78912.408746] RBP: ffff909626758a58 R08: 0000000000000000 R09: 0000000000000000 [78912.409144] R10: ffff9095ff462400 R11: 0000000000000000 R12: ffff90959a379588 [78912.409521] R13: ffff909626758ab0 R14: ffff9095036c0000 R15: ffff9095299e1158 [78912.409899] FS: 00007f387f16f700(0000) GS:ffff909636b00000(0000) knlGS:0000000000000000 [78912.410285] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [78912.410673] CR2: 00007f429fc87cbc CR3: 000000014440a004 CR4: 00000000003606e0 [78912.411095] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [78912.411496] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [78912.411898] Call Trace: [78912.412318] __btrfs_end_transaction+0x5b/0x1c0 [btrfs] [78912.412746] btrfs_inc_block_group_ro+0xcf/0x160 [btrfs] [78912.413179] scrub_enumerate_chunks+0x188/0x5b0 [btrfs] [78912.413622] ? __mutex_unlock_slowpath+0x100/0x2a0 [78912.414078] btrfs_scrub_dev+0x2ef/0x720 [btrfs] [78912.414535] ? __sb_start_write+0xd4/0x1c0 [78912.414963] ? mnt_want_write_file+0x24/0x50 [78912.415403] btrfs_ioctl+0x17fb/0x3120 [btrfs] [78912.415832] ? lock_acquire+0xa6/0x190 [78912.416256] ? do_vfs_ioctl+0xa2/0x6f0 [78912.416685] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs] [78912.417116] do_vfs_ioctl+0xa2/0x6f0 [78912.417534] ? __fget+0x113/0x200 [78912.417954] ksys_ioctl+0x70/0x80 [78912.418369] __x64_sys_ioctl+0x16/0x20 [78912.418812] do_syscall_64+0x60/0x1b0 [78912.419231] entry_SYSCALL_64_after_hwframe+0x49/0xbe [78912.419644] RIP: 0033:0x7f3880252dd7 (...) [78912.420957] RSP: 002b:00007f387f16ed68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [78912.421426] RAX: ffffffffffffffda RBX: 000055f5becc1df0 RCX: 00007f3880252dd7 [78912.421889] RDX: 000055f5becc1df0 RSI: 00000000c400941b RDI: 0000000000000003 [78912.422354] RBP: 0000000000000000 R08: 00007f387f16f700 R09: 0000000000000000 [78912.422790] R10: 00007f387f16f700 R11: 0000000000000246 R12: 0000000000000000 [78912.423202] R13: 00007ffda49c266f R14: 0000000000000000 R15: 00007f388145e040 [78912.425505] ---[ end trace eb9bfe7c426fc4d3 ]--- Fix this by calling remove_extent_mapping(), at btrfs_remove_block_group(), only at the very end, after removing the block group item key from the extent tree (and removing the free space tree entry if we are using the free space tree feature). Fixes: 04216820fe83d5 ("Btrfs: fix race between fs trimming and block group remove/allocation") CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 5d6168fc61b7f13baf27ae5567be7ea1fccb463e Author: Julien Thierry Date: Fri May 24 10:10:25 2019 +0100 clocksource/drivers/arm_arch_timer: Don't trace count reader functions With v5.2-rc1, The ftrace functions_graph tracer locks up whenever it is enabled on arm64. Since commit 0ea415390cd3 ("clocksource/arm_arch_timer: Use arch_timer_read_counter to access stable counters") a function pointer is consistently used to read the counter instead of potentially referencing an inlinable function. The graph tracers relies on accessing the timer counters to compute the time spent in functions which causes the lockup when attempting to trace these code paths. Annotate the arm arch timer counter accessors as notrace. Fixes: 0ea415390cd3 ("clocksource/arm_arch_timer: Use arch_timer_read_counter to access stable counters") Signed-off-by: Julien Thierry Cc: Marc Zyngier Cc: Mark Rutland Cc: Daniel Lezcano Cc: Thomas Gleixner Cc: Steven Rostedt Acked-by: Marc Zyngier Signed-off-by: Daniel Lezcano commit ca72d88378b2f2444d3ec145dd442d449d3fefbc Author: Michael Ellerman Date: Wed Jun 12 23:35:07 2019 +1000 powerpc/mm/64s/hash: Reallocate context ids on fork When using the Hash Page Table (HPT) MMU, userspace memory mappings are managed at two levels. Firstly in the Linux page tables, much like other architectures, and secondly in the SLB (Segment Lookaside Buffer) and HPT. It's the SLB and HPT that are actually used by the hardware to do translations. As part of the series adding support for 4PB user virtual address space using the hash MMU, we added support for allocating multiple "context ids" per process, one for each 512TB chunk of address space. These are tracked in an array called extended_id in the mm_context_t of a process that has done a mapping above 512TB. If such a process forks (ie. clone(2) without CLONE_VM set) it's mm is copied, including the mm_context_t, and then init_new_context() is called to reinitialise parts of the mm_context_t as appropriate to separate the address spaces of the two processes. The key step in ensuring the two processes have separate address spaces is to allocate a new context id for the process, this is done at the beginning of hash__init_new_context(). If we didn't allocate a new context id then the two processes would share mappings as far as the SLB and HPT are concerned, even though their Linux page tables would be separate. For mappings above 512TB, which use the extended_id array, we neglected to allocate new context ids on fork, meaning the parent and child use the same ids and therefore share those mappings even though they're supposed to be separate. This can lead to the parent seeing writes done by the child, which is essentially memory corruption. There is an additional exposure which is that if the child process exits, all its context ids are freed, including the context ids that are still in use by the parent for mappings above 512TB. One or more of those ids can then be reallocated to a third process, that process can then read/write to the parent's mappings above 512TB. Additionally if the freed id is used for the third process's primary context id, then the parent is able to read/write to the third process's mappings *below* 512TB. All of these are fundamental failures to enforce separation between processes. The only mitigating factor is that the bug only occurs if a process creates mappings above 512TB, and most applications still do not create such mappings. Only machines using the hash page table MMU are affected, eg. PowerPC 970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines (powernv) use the Radix MMU and are not affected, unless the machine has been explicitly booted in HPT mode (using disable_radix on the kernel command line). KVM guests on Power9 may be affected if the host or guest is configured to use the HPT MMU. LPARs under PowerVM on Power9 are affected as they always use the HPT MMU. Kernels built with PAGE_SIZE=4K are not affected. The fix is relatively simple, we need to reallocate context ids for all extended mappings on fork. Fixes: f384796c40dc ("powerpc/mm: Add support for handling > 512TB address in SLB miss") Cc: stable@vger.kernel.org # v4.17+ Signed-off-by: Michael Ellerman commit a0cac264a86fbf4d6cb201fbbb73c1d335e3248a Author: Linus Walleij Date: Thu May 30 22:24:24 2019 +0200 i2c: pca-platform: Fix GPIO lookup code The devm_gpiod_request_gpiod() call will add "-gpios" to any passed connection ID before looking it up. I do not think the reset GPIO on this platform is named "reset-gpios-gpios" but rather "reset-gpios" in the device tree, so fix this up so that we get a proper reset GPIO handle. Also drop the inclusion of the legacy GPIO header. Fixes: 0e8ce93bdceb ("i2c: pca-platform: add devicetree awareness") Signed-off-by: Linus Walleij Reviewed-by: Chris Packham Signed-off-by: Wolfram Sang commit 4f7c2e0d8765a0266b920c66ffc495fde44c1ec8 Author: Mika Westerberg Date: Tue May 28 18:56:20 2019 +0300 thunderbolt: Make sure device runtime resume completes before taking domain lock When a device is authorized from userspace by writing to authorized attribute we first take the domain lock and then runtime resume the device in question. There are two issues with this. First is that the device connected notifications are blocked during this time which means we get them only after the authorization operation is complete. Because of this the authorization needed flag from the firmware notification is not reflecting the real authorization status anymore. So what happens is that the "authorized" keeps returning 0 even if the device was already authorized properly. Second issue is that each time the controller is runtime resumed the connection_id field of device connected notification may be different than in the previous resume. We need to use the latest connection_id otherwise the firmware rejects the authorization command. Fix these by moving runtime resume operations to happen before the domain lock is taken, and waiting for the updated device connected notification from the firmware before we allow runtime resume of a device to complete. While there add missing locking to tb_switch_nvm_read(). Fixes: 09f11b6c99fe ("thunderbolt: Take domain lock in switch sysfs attribute callbacks") Reported-by: Pengfei Xu Signed-off-by: Mika Westerberg commit 48eaeb7664c76139438724d520a1ea4a84a3ed92 Author: Jani Nikula Date: Mon Jun 10 12:30:54 2019 +0300 drm: add fallback override/firmware EDID modes workaround We've moved the override and firmware EDID (simply "override EDID" from now on) handling to the low level drm_do_get_edid() function in order to transparently use the override throughout the stack. The idea is that you get the override EDID via the ->get_modes() hook. Unfortunately, there are scenarios where the DDC probe in drm_get_edid() called via ->get_modes() fails, although the preceding ->detect() succeeds. In the case reported by Paul Wise, the ->detect() hook, intel_crt_detect(), relies on hotplug detect, bypassing the DDC. In the case reported by Ilpo Järvinen, there is no ->detect() hook, which is interpreted as connected. The subsequent DDC probe reached via ->get_modes() fails, and we don't even look at the override EDID, resulting in no modes being added. Because drm_get_edid() is used via ->detect() all over the place, we can't trivially remove the DDC probe, as it leads to override EDID effectively meaning connector forcing. The goal is that connector forcing and override EDID remain orthogonal. Generally, the underlying problem here is the conflation of ->detect() and ->get_modes() via drm_get_edid(). The former should just detect, and the latter should just get the modes, typically via reading the EDID. As long as drm_get_edid() is used in ->detect(), it needs to retain the DDC probe. Or such users need to have a separate DDC probe step first. The EDID caching between ->detect() and ->get_modes() done by some drivers is a further complication that prevents us from making drm_do_get_edid() adapt to the two cases. Work around the regression by falling back to a separate attempt at getting the override EDID at drm_helper_probe_single_connector_modes() level. With a working DDC and override EDID, it'll never be called; the override EDID will come via ->get_modes(). There will still be a failing DDC probe attempt in the cases that require the fallback. v2: - Call drm_connector_update_edid_property (Paul) - Update commit message about EDID caching (Daniel) Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107583 Reported-by: Paul Wise Cc: Paul Wise References: http://mid.mail-archive.com/alpine.DEB.2.20.1905262211270.24390@whs-18.cs.helsinki.fi Reported-by: Ilpo Järvinen Cc: Ilpo Järvinen Suggested-by: Daniel Vetter References: 15f080f08d48 ("drm/edid: respect connector force for drm_get_edid ddc probe") Fixes: 53fd40a90f3c ("drm: handle override and firmware EDID at drm_do_get_edid() level") Cc: # v4.15+ 56a2b7f2a39a drm/edid: abstract override/firmware EDID retrieval Cc: # v4.15+ Cc: Daniel Vetter Cc: Ville Syrjälä Cc: Harish Chegondi Tested-by: Paul Wise Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20190610093054.28445-1-jani.nikula@intel.com commit ca21f851cc9643af049226d57fabc3c883ea648e Author: Russell King Date: Tue Jun 11 17:48:18 2019 +0100 i2c: acorn: fix i2c warning The Acorn i2c driver (for RiscPC) triggers the "i2c adapter has no name" warning in the I2C core driver, resulting in the RTC being inaccessible. Fix this. Fixes: 2236baa75f70 ("i2c: Sanity checks on adapter registration") Signed-off-by: Russell King Signed-off-by: Wolfram Sang Cc: stable@kernel.org commit fa63da2ab046b885a7f70291aafc4e8ce015429b Author: Nathan Chancellor Date: Tue Jun 11 10:19:32 2019 -0700 arm64: Don't unconditionally add -Wno-psabi to KBUILD_CFLAGS This is a GCC only option, which warns about ABI changes within GCC, so unconditionally adding it breaks Clang with tons of: warning: unknown warning option '-Wno-psabi' [-Wunknown-warning-option] and link time failures: ld.lld: error: undefined symbol: __efistub___stack_chk_guard >>> referenced by arm-stub.c:73 (/home/nathan/cbl/linux/drivers/firmware/efi/libstub/arm-stub.c:73) >>> arm-stub.stub.o:(__efistub_install_memreserve_table) in archive ./drivers/firmware/efi/libstub/lib.a These failures come from the lack of -fno-stack-protector, which is added via cc-option in drivers/firmware/efi/libstub/Makefile. When an unknown flag is added to KBUILD_CFLAGS, clang will noisily warn that it is ignoring the option like above, unlike gcc, who will just error. $ echo "int main() { return 0; }" > tmp.c $ clang -Wno-psabi tmp.c; echo $? warning: unknown warning option '-Wno-psabi' [-Wunknown-warning-option] 1 warning generated. 0 $ gcc -Wsometimes-uninitialized tmp.c; echo $? gcc: error: unrecognized command line option ‘-Wsometimes-uninitialized’; did you mean ‘-Wmaybe-uninitialized’? 1 For cc-option to work properly with clang and behave like gcc, -Werror is needed, which was done in commit c3f0d0bc5b01 ("kbuild, LLVMLinux: Add -Werror to cc-option to support clang"). $ clang -Werror -Wno-psabi tmp.c; echo $? error: unknown warning option '-Wno-psabi' [-Werror,-Wunknown-warning-option] 1 As a consequence of this, when an unknown flag is unconditionally added to KBUILD_CFLAGS, it will cause cc-option to always fail and those flags will never get added: $ clang -Werror -Wno-psabi -fno-stack-protector tmp.c; echo $? error: unknown warning option '-Wno-psabi' [-Werror,-Wunknown-warning-option] 1 This can be seen when compiling the whole kernel as some warnings that are normally disabled (see below) show up. The full list of flags missing from drivers/firmware/efi/libstub are the following (gathered from diffing .arm64-stub.o.cmd): -fno-delete-null-pointer-checks -Wno-address-of-packed-member -Wframe-larger-than=2048 -Wno-unused-const-variable -fno-strict-overflow -fno-merge-all-constants -fno-stack-check -Werror=date-time -Werror=incompatible-pointer-types -ffreestanding -fno-stack-protector Use cc-disable-warning so that it gets disabled for GCC and does nothing for Clang. Fixes: ebcc5928c5d9 ("arm64: Silence gcc warnings about arch ABI drift") Link: https://github.com/ClangBuiltLinux/linux/issues/511 Reported-by: Qian Cai Acked-by: Dave Martin Reviewed-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Signed-off-by: Will Deacon commit 56a2b7f2a39a8d4b16a628e113decde3d7400879 Author: Jani Nikula Date: Fri Jun 7 14:05:12 2019 +0300 drm/edid: abstract override/firmware EDID retrieval Abstract the debugfs override and the firmware EDID retrieval function. We'll be needing it in the follow-up. No functional changes. Cc: Daniel Vetter Cc: Harish Chegondi Reviewed-by: Daniel Vetter Tested-by: Tested-by: Paul Wise Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20190607110513.12072-1-jani.nikula@intel.com commit 8c2eb7b6468ad4aa5600aed01aa0715f921a3f8b Author: Vadim Pasternak Date: Thu May 23 16:41:52 2019 +0000 platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow Add devm_free_irq() call to mlxreg-hotplug remove() for clean release of devices irq resource. Fix debugobjects warning triggered by rmmod It prevents of use-after-free memory, related to mlxreg_hotplug_work_handler. Issue has been reported as debugobjects warning triggered by 'rmmod mlxtreg-hotplug' flow, while running kernel with CONFIG_DEBUG_OBJECTS* options. [ 2489.623551] ODEBUG: free active (active state 0) object type: work_struct hint: mlxreg_hotplug_work_handler+0x0/0x7f0 [mlxreg_hotplug] [ 2489.637097] WARNING: CPU: 5 PID: 3924 at lib/debugobjects.c:328 debug_print_object+0xfe/0x180 [ 2489.637165] RIP: 0010:debug_print_object+0xfe/0x180 ? [ 2489.637214] Call Trace: [ 2489.637225] __debug_check_no_obj_freed+0x25e/0x320 [ 2489.637231] kfree+0x82/0x110 [ 2489.637238] release_nodes+0x33c/0x4e0 [ 2489.637242] ? devres_remove_group+0x1b0/0x1b0 [ 2489.637247] device_release_driver_internal+0x146/0x270 [ 2489.637251] driver_detach+0x73/0xe0 [ 2489.637254] bus_remove_driver+0xa1/0x170 [ 2489.637261] __x64_sys_delete_module+0x29e/0x320 [ 2489.637265] ? __ia32_sys_delete_module+0x320/0x320 [ 2489.637268] ? blkcg_exit_queue+0x20/0x20 [ 2489.637273] ? task_work_run+0x7d/0x100 [ 2489.637278] ? exit_to_usermode_loop+0x5b/0xf0 [ 2489.637281] do_syscall_64+0x73/0x160 [ 2489.637287] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 2489.637290] RIP: 0033:0x7f95c3596fd7 The difference in release flow with and with no devm_free_irq is listed below: bus: 'platform': remove driver mlxreg-hotplug mlxreg_hotplug_remove(start) -> devm_free_irq (with new code) mlxreg_hotplug_remove (end) release_nodes (start) mlxreg-hotplug: DEVRES REL devm_hwmon_release (8 bytes) device: 'hwmon3': device_unregister PM: Removing info for No Bus:hwmon3 mlxreg-hotplug: DEVRES REL devm_kzalloc_release (88 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (6 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes) mlxreg-hotplug: DEVRES REL devm_irq_release (16 bytes) (no new code) mlxreg-hotplug: DEVRES REL devm_kzalloc_release (1376 bytes) ------------[ cut here ]------------ (no new code): ODEBUG: free active (active state 0) object type: work_struct hint: mlxreg_hotplug_work_handler release_nodes(end) driver: 'mlxreg-hotplug': driver_release Fixes: 1f976f6978bf ("platform/x86: Move Mellanox platform hotplug driver to platform/mellanox") Signed-off-by: Vadim Pasternak Signed-off-by: Andy Shevchenko commit 160da20b254dd4bfc5828f12c208fa831ad4be6c Author: Vadim Pasternak Date: Wed Jun 5 07:51:03 2019 +0000 platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device registration Fix the issue found while running kernel with the option CONFIG_DEBUG_TEST_DRIVER_REMOVE. Driver 'mlx-platform' registers 'i2c_mlxcpld' device and then registers few underlying 'i2c-mux-reg' devices: priv->pdev_i2c = platform_device_register_simple("i2c_mlxcpld", nr, NULL, 0); ... for (i = 0; i < ARRAY_SIZE(mlxplat_mux_data); i++) { priv->pdev_mux[i] = platform_device_register_resndata( &mlxplat_dev->dev, "i2c-mux-reg", i, NULL, 0, &mlxplat_mux_data[i], sizeof(mlxplat_mux_data[i])); But actual parent of "i2c-mux-reg" device is priv->pdev_i2c->dev and not mlxplat_dev->dev. Patch fixes parent device parameter in a call to platform_device_register_resndata() for "i2c-mux-reg". It solves the race during initialization flow while 'i2c_mlxcpld.1' is removing after probe, while 'i2c-mux-reg.0' is still in probing flow: 'i2c_mlxcpld.1' flow: probe -> remove -> probe. 'i2c-mux-reg.0' flow: probe -> ... [ 12:621096] Registering platform device 'i2c_mlxcpld.1'. Parent at platform [ 12:621117] device: 'i2c_mlxcpld.1': device_add [ 12:621155] bus: 'platform': add device i2c_mlxcpld.1 [ 12:621384] Registering platform device 'i2c-mux-reg.0'. Parent at mlxplat [ 12:621395] device: 'i2c-mux-reg.0': device_add [ 12:621425] bus: 'platform': add device i2c-mux-reg.0 [ 12:621806] Registering platform device 'i2c-mux-reg.1'. Parent at mlxplat [ 12:621828] device: 'i2c-mux-reg.1': device_add [ 12:621892] bus: 'platform': add device i2c-mux-reg.1 [ 12:621906] bus: 'platform': add driver i2c_mlxcpld [ 12:621996] bus: 'platform': driver_probe_device: matched device i2c_mlxcpld.1 with driver i2c_mlxcpld [ 12:622003] bus: 'platform': really_probe: probing driver i2c_mlxcpld with device i2c_mlxcpld.1 [ 12:622100] i2c_mlxcpld i2c_mlxcpld.1: no default pinctrl state [ 12:622293] device: 'i2c-1': device_add [ 12:627280] bus: 'i2c': add device i2c-1 [ 12:627692] device: 'i2c-1': device_add [ 12.629639] bus: 'platform': add driver i2c-mux-reg [ 12.629718] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg [ 12.629723] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0 [ 12.629818] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state [ 12.629981] platform i2c-mux-reg.0: Driver i2c-mux-reg requests probe deferral [ 12.629986] platform i2c-mux-reg.0: Added to deferred list [ 12.629992] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.1 with driver i2c-mux-reg [ 12.629997] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.1 [ 12.630091] i2c-mux-reg i2c-mux-reg.1: no default pinctrl state [ 12.630247] platform i2c-mux-reg.1: Driver i2c-mux-reg requests probe deferral [ 12.630252] platform i2c-mux-reg.1: Added to deferred list [ 12.640892] devices_kset: Moving i2c-mux-reg.0 to end of list [ 12.640900] platform i2c-mux-reg.0: Retrying from deferred list [ 12.640911] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg [ 12.640919] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0 [ 12.640999] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state [ 12.641177] platform i2c-mux-reg.0: Driver i2c-mux-reg requests probe deferral [ 12.641187] platform i2c-mux-reg.0: Added to deferred list [ 12.641198] devices_kset: Moving i2c-mux-reg.1 to end of list [ 12.641219] platform i2c-mux-reg.1: Retrying from deferred list [ 12.641237] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.1 with driver i2c-mux-reg [ 12.641247] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.1 [ 12.641331] i2c-mux-reg i2c-mux-reg.1: no default pinctrl state [ 12.641465] platform i2c-mux-reg.1: Driver i2c-mux-reg requests probe deferral [ 12.641469] platform i2c-mux-reg.1: Added to deferred list [ 12.646427] device: 'i2c-1': device_add [ 12.646647] bus: 'i2c': add device i2c-1 [ 12.647104] device: 'i2c-1': device_add [ 12.669231] devices_kset: Moving i2c-mux-reg.0 to end of list [ 12.669240] platform i2c-mux-reg.0: Retrying from deferred list [ 12.669258] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg [ 12.669263] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0 [ 12.669343] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state [ 12.669585] device: 'i2c-2': device_add [ 12.669795] bus: 'i2c': add device i2c-2 [ 12.670201] device: 'i2c-2': device_add [ 12.671427] i2c i2c-1: Added multiplexed i2c bus 2 [ 12.671514] device: 'i2c-3': device_add [ 12.671724] bus: 'i2c': add device i2c-3 [ 12.672136] device: 'i2c-3': device_add [ 12.673378] i2c i2c-1: Added multiplexed i2c bus 3 [ 12.673472] device: 'i2c-4': device_add [ 12.673676] bus: 'i2c': add device i2c-4 [ 12.674060] device: 'i2c-4': device_add [ 12.675861] i2c i2c-1: Added multiplexed i2c bus 4 [ 12.675941] device: 'i2c-5': device_add [ 12.676150] bus: 'i2c': add device i2c-5 [ 12.676550] device: 'i2c-5': device_add [ 12.678103] i2c i2c-1: Added multiplexed i2c bus 5 [ 12.678193] device: 'i2c-6': device_add [ 12.678395] bus: 'i2c': add device i2c-6 [ 12.678774] device: 'i2c-6': device_add [ 12.679969] i2c i2c-1: Added multiplexed i2c bus 6 [ 12.680065] device: 'i2c-7': device_add [ 12.680275] bus: 'i2c': add device i2c-7 [ 12.680913] device: 'i2c-7': device_add [ 12.682506] i2c i2c-1: Added multiplexed i2c bus 7 [ 12.682600] device: 'i2c-8': device_add [ 12.682808] bus: 'i2c': add device i2c-8 [ 12.683189] device: 'i2c-8': device_add [ 12.683907] device: 'i2c-1': device_unregister [ 12.683945] device: 'i2c-1': device_unregister [ 12.684387] device: 'i2c-1': device_create_release [ 12.684536] bus: 'i2c': remove device i2c-1 [ 12.686019] i2c i2c-8: Failed to create compatibility class link [ 12.686086] ------------[ cut here ]------------ [ 12.686087] can't create symlink to mux device [ 12.686224] Workqueue: events deferred_probe_work_func [ 12.686135] WARNING: CPU: 7 PID: 436 at drivers/i2c/i2c-mux.c:416 i2c_mux_add_adapter+0x729/0x7d0 [i2c_mux] [ 12.686232] RIP: 0010:i2c_mux_add_adapter+0x729/0x7d0 [i2c_mux] [ 0x190/0x190 [i2c_mux] [ 12.686300] ? i2c_mux_alloc+0xac/0x110 [i2c_mux] [ 12.686306] ? i2c_mux_reg_set+0x200/0x200 [i2c_mux_reg] [ 12.686313] i2c_mux_reg_probe+0x22c/0x731 [i2c_mux_reg] [ 12.686322] ? i2c_mux_reg_deselect+0x60/0x60 [i2c_mux_reg] [ 12.686346] platform_drv_probe+0xa8/0x110 [ 12.686351] really_probe+0x185/0x720 [ 12.686358] driver_probe_device+0xdf/0x1f0 ... [ 12.686522] i2c i2c-1: Added multiplexed i2c bus 8 [ 12.686621] device: 'i2c-9': device_add [ 12.686626] kobject_add_internal failed for i2c-9 (error: -2 parent: i2c-1) [ 12.694729] i2c-core: adapter 'i2c-1-mux (chan_id 8)': can't register device (-2) [ 12.705726] i2c i2c-1: failed to add mux-adapter 8 as bus 9 (error=-2) [ 12.714494] device: 'i2c-8': device_unregister [ 12.714537] device: 'i2c-8': device_unregister Fixes: 6613d18e9038 ("platform/x86: mlx-platform: Move module from arch/x86") Signed-off-by: Vadim Pasternak Signed-off-by: Andy Shevchenko commit cb1921b17adbe6509538098ac431033378cd7165 Author: Mathew King Date: Mon May 20 16:41:24 2019 -0600 platform/x86: intel-vbtn: Report switch events when event wakes device When a switch event, such as tablet mode/laptop mode or docked/undocked, wakes a device make sure that the value of the swich is reported. Without when a device is put in tablet mode from laptop mode when it is suspended or vice versa the device will wake up but mode will be incorrect. Tested by suspending a device in laptop mode and putting it in tablet mode, the device resumes and is in tablet mode. When suspending the device in tablet mode and putting it in laptop mode the device resumes and is in laptop mode. Signed-off-by: Mathew King Reviewed-by: Jett Rink Reviewed-by: Mario Limonciello Signed-off-by: Andy Shevchenko commit 401fee8195d401b2b94dee57383f627050724d5b Author: Hans de Goede Date: Wed Jun 12 09:02:02 2019 +0200 platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi Commit 78f3ac76d9e5 ("platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey") causes the backlight to be permanently off on various EeePC laptop models using the eeepc-wmi driver (Asus EeePC 1015BX, Asus EeePC 1025C). The asus_wmi_set_devstate(ASUS_WMI_DEVID_BACKLIGHT, 2, NULL) call added by that commit is made conditional in this commit and only enabled in the quirk_entry structs in the asus-nb-wmi driver fixing the broken display / backlight on various EeePC laptop models. Cc: João Paulo Rechi Vita Fixes: 78f3ac76d9e5 ("platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey") Signed-off-by: Hans de Goede Signed-off-by: Andy Shevchenko commit cc538ca4308372e81b824be08561c466b1d73b72 Author: Jan Kundrát Date: Fri May 17 17:01:42 2019 +0200 ARM: mvebu_v7_defconfig: fix Ethernet on Clearfog Compared to kernel 5.0, patches merged for 5.1 added support for A38x' PHY guarded by a config option which was not enabled by default. As a result, there was no eth1 and eth2 on a Solid Run Clearfog Base. Ensure that A38x PHY is enabled on mvebu. [gregory: issue appeared in 5.1 not in 5.2 and added Fixes tag] Signed-off-by: Jan Kundrát Cc: Baruch Siach Cc: Gregory CLEMENT Cc: Russell King Cc: David S. Miller Cc: Maxime Chevallier Fixes: a10c1c8191e0 ("net: marvell: neta: add comphy support") Cc: stable@kernel.org Signed-off-by: Gregory CLEMENT commit c7563e62a6d720aa3b068e26ddffab5f0df29263 Author: Prarit Bhargava Date: Mon Jun 10 13:15:44 2019 -0400 x86/resctrl: Prevent NULL pointer dereference when local MBM is disabled Booting with kernel parameter "rdt=cmt,mbmtotal,memlocal,l3cat,mba" and executing "mount -t resctrl resctrl -o mba_MBps /sys/fs/resctrl" results in a NULL pointer dereference on systems which do not have local MBM support enabled.. BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 722 Comm: kworker/0:3 Not tainted 5.2.0-0.rc3.git0.1.el7_UNSUPPORTED.x86_64 #2 Workqueue: events mbm_handle_overflow RIP: 0010:mbm_handle_overflow+0x150/0x2b0 Only enter the bandwith update loop if the system has local MBM enabled. Fixes: de73f38f7680 ("x86/intel_rdt/mba_sc: Feedback loop to dynamically update mem bandwidth") Signed-off-by: Prarit Bhargava Signed-off-by: Thomas Gleixner Cc: Fenghua Yu Cc: Reinette Chatre Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20190610171544.13474-1-prarit@redhat.com commit 87d3aa28f345bea77c396855fa5d5fec4c24461f Author: James Morse Date: Mon Jun 3 18:25:31 2019 +0100 x86/resctrl: Don't stop walking closids when a locksetup group is found When a new control group is created __init_one_rdt_domain() walks all the other closids to calculate the sets of used and unused bits. If it discovers a pseudo_locksetup group, it breaks out of the loop. This means any later closid doesn't get its used bits added to used_b. These bits will then get set in unused_b, and added to the new control group's configuration, even if they were marked as exclusive for a later closid. When encountering a pseudo_locksetup group, we should continue. This is because "a resource group enters 'pseudo-locked' mode after the schemata is written while the resource group is in 'pseudo-locksetup' mode." When we find a pseudo_locksetup group, its configuration is expected to be overwritten, we can skip it. Fixes: dfe9674b04ff6 ("x86/intel_rdt: Enable entering of pseudo-locksetup mode") Signed-off-by: James Morse Signed-off-by: Thomas Gleixner Acked-by: Reinette Chatre Cc: Fenghua Yu Cc: Borislav Petkov Cc: H Peter Avin Cc: Link: https://lkml.kernel.org/r/20190603172531.178830-1-james.morse@arm.com commit 4e4abae311e4b44aaf61f18a826fd7136037f199 Author: Robin Murphy Date: Mon Jun 3 14:15:37 2019 +0200 iommu/arm-smmu: Avoid constant zero in TLBI writes Apparently, some Qualcomm arm64 platforms which appear to expose their SMMU global register space are still, in fact, using a hypervisor to mediate it by trapping and emulating register accesses. Sadly, some deployed versions of said trapping code have bugs wherein they go horribly wrong for stores using r31 (i.e. XZR/WZR) as the source register. While this can be mitigated for GCC today by tweaking the constraints for the implementation of writel_relaxed(), to avoid any potential arms race with future compilers more aggressively optimising register allocation, the simple way is to just remove all the problematic constant zeros. For the write-only TLB operations, the actual value is irrelevant anyway and any old nearby variable will provide a suitable GPR to encode. The one point at which we really do need a zero to clear a context bank happens before any of the TLB maintenance where crashes have been reported, so is apparently not a problem... :/ Reported-by: AngeloGioacchino Del Regno Tested-by: Marc Gonzalez Signed-off-by: Robin Murphy Signed-off-by: Marc Gonzalez Acked-by: Will Deacon Cc: stable@vger.kernel.org Signed-off-by: Joerg Roedel commit c5cc0bf870cfb80b27899e916b4397ce11c61d96 Author: Lionel Landwerlin Date: Sun Jun 2 01:58:45 2019 +0300 drm/i915/perf: fix whitelist on Gen10+ Gen10 added an additional NOA_WRITE register (high bits) and we forgot to whitelist it for userspace. Fixes: 95690a02fb5d96 ("drm/i915/perf: enable perf support on CNL") Signed-off-by: Lionel Landwerlin Reviewed-by: Kenneth Graunke Link: https://patchwork.freedesktop.org/patch/msgid/20190601225845.12600-1-lionel.g.landwerlin@intel.com (cherry picked from commit bf210f6c9e6fd8dc0d154ad18f741f20e64a3fce) Signed-off-by: Jani Nikula commit d74408f528261f900dddb9778f61b5c5a7a6249c Author: Ville Syrjälä Date: Tue Apr 9 17:40:49 2019 +0300 drm/i915/sdvo: Implement proper HDMI audio support for SDVO Our SDVO audio support is pretty bogus. We can't push audio over the SDVO bus, so trying to enable audio in the SDVO control register doesn't do anything. In fact it looks like the SDVO encoder will always mix in the audio coming over HDA, and there's no (at least documented) way to disable that from our side. So HDMI audio does work currently on gen4 but only by luck really. On gen3 it got broken by the referenced commit. And what has always been missing on every platform is the ELD. To pass the ELD to the audio driver we need to write it to magic buffer in the SDVO encoder hardware which then gets pulled out via HDA in the other end. Ie. pretty much the same thing we had for native HDMI before we started to just pass the ELD between the drivers. This sort of explains why we even have that silly hardware buffer with native HDMI. $ cat /proc/asound/card0/eld#1.0 -monitor_present 0 -eld_valid 0 +monitor_present 1 +eld_valid 1 +monitor_name LG TV +connection_type HDMI +... This also fixes our state readout since we can now query the SDVO encoder about the state of the "ELD valid" and "presence detect" bits. As mentioned those don't actually control whether audio gets sent over the HDMI cable, but it's the best we can do. And with the state checker appeased we can re-enable HDMI audio for gen3. Cc: stable@vger.kernel.org Cc: Daniel Vetter Cc: zardam@gmail.com Tested-by: zardam@gmail.com Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108976 Fixes: de44e256b92c ("drm/i915/sdvo: Shut up state checker with hdmi cards on gen3") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20190409144054.24561-3-ville.syrjala@linux.intel.com Reviewed-by: Imre Deak (cherry picked from commit dc49a56bd43bb04982e64b44436831da801d0237) Signed-off-by: Jani Nikula commit 77ce94dbe586c1a6a26cf021c08109c9ce71b3e0 Author: Ville Syrjälä Date: Mon Jun 3 17:25:00 2019 +0300 drm/i915: Fix per-pixel alpha with CCS We forgot to set .has_alpha=true for the A+CCS formats when the code started to consult .has_alpha. This manifests as A+CCS being treated as X+CCS which means no per-pixel alpha blending. Fix the format list appropriately. Cc: stable@vger.kernel.org Cc: Maarten Lankhorst Cc: Matt Roper Cc: Heinrich Fink Reported-by: Heinrich Fink Tested-by: Heinrich Fink Fixes: b20815255693 ("drm/i915: Add plane alpha blending support, v2.") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20190603142500.25680-1-ville.syrjala@linux.intel.com Reviewed-by: Maarten Lankhorst (cherry picked from commit 38f300410f3e15b6fec76c8d8baed7111b5ea4e4) Signed-off-by: Jani Nikula commit 326fb6dd1483c985a6ef47db3fa8788bb99e8b83 Author: Lucas De Marchi Date: Wed Jun 5 16:55:35 2019 -0700 drm/i915/dmc: protect against reading random memory While loading the DMC firmware we were double checking the headers made sense, but in no place we checked that we were actually reading memory we were supposed to. This could be wrong in case the firmware file is truncated or malformed. Before this patch: # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin # modprobe i915 # dmesg| grep -i dmc [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7) i.e. it loads random data. Now it fails like below: [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting. i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management. i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915 Before reading any part of the firmware file, validate the input first. Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.") Cc: stable@vger.kernel.org Signed-off-by: Lucas De Marchi Reviewed-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com (cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6) Signed-off-by: Jani Nikula commit f9a99131ce18d9dddcaa14ec2c436e42f0bbee5e Author: Hans de Goede Date: Fri May 24 19:40:27 2019 +0200 drm/i915/dsi: Use a fuzzy check for burst mode clock check Prior to this commit we fail to init the DSI panel on the GPD MicroPC: https://www.indiegogo.com/projects/gpd-micropc-6-inch-handheld-industry-laptop#/ The problem is intel_dsi_vbt_init() failing with the following error: *ERROR* Burst mode freq is less than computed The pclk in the VBT panel modeline is 70000, together with 24 bpp and 4 lines this results in a bitrate value of 70000 * 24 / 4 = 420000. But the target_burst_mode_freq in the VBT is 418000. This commit works around this problem by adding an intel_fuzzy_clock_check when target_burst_mode_freq < bitrate and setting target_burst_mode_freq to bitrate when that checks succeeds, fixing the panel not working. Cc: stable@vger.kernel.org Reviewed-by: Ville Syrjälä Signed-off-by: Hans de Goede Link: https://patchwork.freedesktop.org/patch/msgid/20190524174028.21659-2-hdegoede@redhat.com (cherry picked from commit 2c1c55252647abd989b94f725b190c700312d053) Signed-off-by: Jani Nikula commit 53f2ac9d3aa881ed419054076042898b77c27ee4 Author: Ran Wang Date: Fri May 17 12:57:53 2019 +0800 arm64: dts: ls1028a: Fix CPU idle fail. PSCI spec define 1st parameter's bit 16 of function CPU_SUSPEND to indicate CPU State Type: 0 for standby, 1 for power down. In this case, we want to select standby for CPU idle feature. But current setting wrongly select power down and cause CPU SUSPEND fail every time. Need this fix. Fixes: 8897f3255c9c ("arm64: dts: Add support for NXP LS1028A SoC") Signed-off-by: Ran Wang Signed-off-by: Shawn Guo commit 64f35709d5735ddbf8ab52d60ab3d62550b544d7 Author: Florian Fainelli Date: Tue Mar 12 10:45:29 2019 -0700 MAINTAINERS: BCM53573: Add internal Broadcom mailing list There is a patchwork instance behind bcm-kernel-feedback-list that is helpful to track submissions, add this list for the Broadcom BCM53573 architecture. Signed-off-by: Florian Fainelli commit 9c8434516bd96062266232c62343c32b99160d51 Author: Florian Fainelli Date: Tue Mar 12 10:43:30 2019 -0700 MAINTAINERS: BCM2835: Add internal Broadcom mailing list There is a patchwork instance behind bcm-kernel-feedback-list that is helpful to track submissions for the Broadcom ARM-SoC maintainers and make sure there are no patches missed, add this list for the Broadcom BCM2835 architecture. Signed-off-by: Florian Fainelli commit aa7235483a838be79b7c22a86b0dc4cb12ee5dd6 Merge: 4d8f5f91b8a6 f6581f5b5514 Author: Linus Torvalds Date: Tue Jun 11 15:44:45 2019 -1000 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull ptrace fixes from Eric Biederman: "This is just two very minor fixes: - prevent ptrace from reading unitialized kernel memory found twice by syzkaller - restore a missing smp_rmb in ptrace_may_access and add comment tp it so it is not removed by accident again. Apologies for being a little slow about getting this to you, I am still figuring out how to develop with a little baby in the house" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: ptrace: restore smp_rmb() in __ptrace_may_access() signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO commit 4d8f5f91b8a608980b173ef3382913c7405f82c3 Merge: c23b07125f8a 4e7372e0dc5d Author: Linus Torvalds Date: Tue Jun 11 15:38:34 2019 -1000 Merge branch 'stable/for-linus-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb Pull swiotlb fix from Konrad Rzeszutek Wilk: "One tiny fix for ARM64 where we could allocate the SWIOTLB twice" * 'stable/for-linus-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb: xen/swiotlb: don't initialize swiotlb twice on arm64 commit c23b07125f8aebf8b39fffa325145826098f7d8f Merge: 6fa425a26515 5715c4dd66a3 Author: Linus Torvalds Date: Tue Jun 11 15:27:57 2019 -1000 Merge tag 'vfio-v5.2-rc5' of git://github.com/awilliam/linux-vfio Pull VFIO fixes from Alex Williamson: "Fix mdev device create/remove paths to provide initialized device for parent driver create callback and correct ordering of device removal from bus prior to initiating removal by parent. Also resolve races between parent removal and device create/remove paths (all from Parav Pandit)" * tag 'vfio-v5.2-rc5' of git://github.com/awilliam/linux-vfio: vfio/mdev: Synchronize device create/remove with parent removal vfio/mdev: Avoid creating sysfs remove file on stale device removal vfio/mdev: Improve the create/remove sequence commit 6fa425a2651515f8d262f2c1d972c6632e7c941d Merge: 01ccc3ad4413 8103d10b7161 Author: Linus Torvalds Date: Tue Jun 11 15:10:15 2019 -1000 Merge tag 'for-5.2-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fix from David Sterba: "One regression fix to TRIM ioctl. The range cannot be used as its meaning can be confusing regarding physical and logical addresses. This confusion in code led to potential corruptions when the range overlapped data. The original patch made it to several stable kernels and was promptly reverted, the version for master branch is different due to additional changes but the change is effectively the same" * tag 'for-5.2-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: Always trim all unallocated space in btrfs_trim_free_extents commit ce9a53eb3dbca89e7ad86673d94ab886e9bea704 Author: Anson Huang Date: Tue Jun 11 17:50:44 2019 -0700 Input: imx_keypad - make sure keyboard can always wake up system There are several scenarios that keyboard can NOT wake up system from suspend, e.g., if a keyboard is depressed between system device suspend phase and device noirq suspend phase, the keyboard ISR will be called and both keyboard depress and release interrupts will be disabled, then keyboard will no longer be able to wake up system. Another scenario would be, if a keyboard is kept depressed, and then system goes into suspend, the expected behavior would be when keyboard is released, system will be waked up, but current implementation can NOT achieve that, because both depress and release interrupts are disabled in ISR, and the event check is still in progress. To fix these issues, need to make sure keyboard's depress or release interrupt is enabled after noirq device suspend phase, this patch moves the suspend/resume callback to noirq suspend/resume phase, and enable the corresponding interrupt according to current keyboard status. Signed-off-by: Anson Huang Signed-off-by: Dmitry Torokhov commit aff7ed4851680d0d28ad9f52cd2f99213e1371b2 Author: Ondrej Mosnacek Date: Tue Jun 11 10:07:19 2019 +0200 selinux: log raw contexts as untrusted strings These strings may come from untrusted sources (e.g. file xattrs) so they need to be properly escaped. Reproducer: # setenforce 0 # touch /tmp/test # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test # runcon system_u:system_r:sshd_t:s0 cat /tmp/test (look at the generated AVCs) Actual result: type=AVC [...] trawcon=kuřecí řízek Expected result: type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs") Cc: stable@vger.kernel.org # v5.1+ Signed-off-by: Ondrej Mosnacek Acked-by: Richard Guy Briggs Signed-off-by: Paul Moore commit f6581f5b55141a95657ef5742cf6a6bfa20a109f Author: Jann Horn Date: Wed May 29 13:31:57 2019 +0200 ptrace: restore smp_rmb() in __ptrace_may_access() Restore the read memory barrier in __ptrace_may_access() that was deleted a couple years ago. Also add comments on this barrier and the one it pairs with to explain why they're there (as far as I understand). Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks") Cc: stable@vger.kernel.org Acked-by: Kees Cook Acked-by: Oleg Nesterov Signed-off-by: Jann Horn Signed-off-by: Eric W. Biederman commit cc78076af14e1478c1a8fb18997674b5f8cbe3c8 Author: Mike Marciniszyn Date: Mon Jun 10 12:28:18 2019 -0400 IB/hfi1: Correct tid qp rcd to match verbs context The qp priv rcd pointer doesn't match the context being used for verbs causing issues when 9B and kdeth packets are processed by different receive contexts and hence different CPUs. When running on different CPUs the following panic can occur: WARNING: CPU: 3 PID: 2584 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0 list_del corruption. prev->next should be ffff9a7ac31f7a30, but was ffff9a7c3bc89230 CPU: 3 PID: 2584 Comm: z_wr_iss Kdump: loaded Tainted: P OE ------------ 3.10.0-862.2.3.el7_lustre.x86_64 #1 Call Trace: [] dump_stack+0x19/0x1b [] __warn+0xd8/0x100 [] warn_slowpath_fmt+0x5f/0x80 [] __list_del_entry+0xa1/0xd0 [] process_rcv_qp_work+0xb5/0x160 [hfi1] [] handle_receive_interrupt_nodma_rtail+0x20b/0x2b0 [hfi1] [] receive_context_interrupt+0x23/0x40 [hfi1] [] __handle_irq_event_percpu+0x44/0x1c0 [] handle_irq_event_percpu+0x32/0x80 [] handle_irq_event+0x3c/0x60 [] handle_edge_irq+0x7f/0x150 [] handle_irq+0xe4/0x1a0 [] do_IRQ+0x4d/0xf0 [] common_interrupt+0x162/0x162 [] ? memcpy+0x6/0x110 [] ? abd_copy_from_buf_off_cb+0x1d/0x30 [zfs] [] ? abd_copy_to_buf_off_cb+0x30/0x30 [zfs] [] abd_iterate_func+0x97/0x120 [zfs] [] abd_copy_from_buf_off+0x39/0x60 [zfs] [] arc_write_ready+0x178/0x300 [zfs] [] ? mutex_lock+0x12/0x2f [] ? mutex_lock+0x12/0x2f [] zio_ready+0x65/0x3d0 [zfs] [] ? tsd_get_by_thread+0x2e/0x50 [spl] [] ? taskq_member+0x18/0x30 [spl] [] zio_execute+0xa2/0x100 [zfs] [] taskq_thread+0x2ac/0x4f0 [spl] [] ? wake_up_state+0x20/0x20 [] ? zio_taskq_member.isra.7.constprop.10+0x80/0x80 [zfs] [] ? taskq_thread_spawn+0x60/0x60 [spl] [] kthread+0xd1/0xe0 [] ? insert_kthread_work+0x40/0x40 [] ret_from_fork_nospec_begin+0x21/0x21 [] ? insert_kthread_work+0x40/0x40 Fix by reading the map entry in the same manner as the hardware so that the kdeth and verbs contexts match. Cc: Fixes: 5190f052a365 ("IB/hfi1: Allow the driver to initialize QP priv struct") Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe commit da9de5f8527f4b9efc82f967d29a583318c034c7 Author: Mike Marciniszyn Date: Fri Jun 7 08:25:31 2019 -0400 IB/hfi1: Close PSM sdma_progress sleep window The call to sdma_progress() is called outside the wait lock. In this case, there is a race condition where sdma_progress() can return false and the sdma_engine can idle. If that happens, there will be no more sdma interrupts to cause the wakeup and the user_sdma xmit will hang. Fix by moving the lock to enclose the sdma_progress() call. Also, delete busycount. The need for this was removed by: commit bcad29137a97 ("IB/hfi1: Serve the most starved iowait entry first") Cc: Fixes: 7724105686e7 ("IB/hfi1: add driver files") Reviewed-by: Gary Leshner Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe commit 5f90677ed31963abb184ee08ebee4a4a68225dd8 Author: Kaike Wan Date: Fri Jun 7 08:25:25 2019 -0400 IB/hfi1: Validate fault injection opcode user input The opcode range for fault injection from user should be validated before it is applied to the fault->opcodes[] bitmap to avoid out-of-bound error. Cc: Fixes: a74d5307caba ("IB/hfi1: Rework fault injection machinery") Reported-by: Dan Carpenter Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe commit 93c65f83f25bd5e072a42c9659a85fdc4fb47c27 Merge: 309b66970ee2 eccc73a6b2cb Author: David S. Miller Date: Tue Jun 11 12:07:33 2019 -0700 Merge branch 'vxlan-geneve-linear' Stefano Brivio says: ==================== Don't assume linear buffers in error handlers for VXLAN and GENEVE Guillaume noticed the same issue fixed by commit 26fc181e6cac ("fou, fou6: do not assume linear skbs") for fou and fou6 is also present in VXLAN and GENEVE error handlers: we can't assume linear buffers there, we need to use pskb_may_pull() instead. ==================== Acked-by: Guillaume Nault Signed-off-by: David S. Miller commit eccc73a6b2cb6c04bfbc40a0769f3c428dfba232 Author: Stefano Brivio Date: Tue Jun 11 00:27:06 2019 +0200 geneve: Don't assume linear buffers in error handler In commit a07966447f39 ("geneve: ICMP error lookup handler") I wrongly assumed buffers from icmp_socket_deliver() would be linear. This is not the case: icmp_socket_deliver() only guarantees we have 8 bytes of linear data. Eric fixed this same issue for fou and fou6 in commits 26fc181e6cac ("fou, fou6: do not assume linear skbs") and 5355ed6388e2 ("fou, fou6: avoid uninit-value in gue_err() and gue6_err()"). Use pskb_may_pull() instead of checking skb->len, and take into account the fact we later access the GENEVE header with udp_hdr(), so we also need to sum skb_transport_header() here. Reported-by: Guillaume Nault Fixes: a07966447f39 ("geneve: ICMP error lookup handler") Signed-off-by: Stefano Brivio Signed-off-by: David S. Miller commit 8399a6930d12f5965230f4ff058228a4cc80c0b9 Author: Stefano Brivio Date: Tue Jun 11 00:27:05 2019 +0200 vxlan: Don't assume linear buffers in error handler In commit c3a43b9fec8a ("vxlan: ICMP error lookup handler") I wrongly assumed buffers from icmp_socket_deliver() would be linear. This is not the case: icmp_socket_deliver() only guarantees we have 8 bytes of linear data. Eric fixed this same issue for fou and fou6 in commits 26fc181e6cac ("fou, fou6: do not assume linear skbs") and 5355ed6388e2 ("fou, fou6: avoid uninit-value in gue_err() and gue6_err()"). Use pskb_may_pull() instead of checking skb->len, and take into account the fact we later access the VXLAN header with udp_hdr(), so we also need to sum skb_transport_header() here. Reported-by: Guillaume Nault Fixes: c3a43b9fec8a ("vxlan: ICMP error lookup handler") Signed-off-by: Stefano Brivio Signed-off-by: David S. Miller commit 309b66970ee2abf721ecd0876a48940fa0b99a35 Author: Taehee Yoo Date: Sun Jun 9 23:26:21 2019 +0900 net: openvswitch: do not free vport if register_netdevice() is failed. In order to create an internal vport, internal_dev_create() is used and that calls register_netdevice() internally. If register_netdevice() fails, it calls dev->priv_destructor() to free private data of netdev. actually, a private data of this is a vport. Hence internal_dev_create() should not free and use a vport after failure of register_netdevice(). Test command ovs-dpctl add-dp bonding_masters Splat looks like: [ 1035.667767] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 1035.675958] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI [ 1035.676916] CPU: 1 PID: 1028 Comm: ovs-vswitchd Tainted: G B 5.2.0-rc3+ #240 [ 1035.676916] RIP: 0010:internal_dev_create+0x2e5/0x4e0 [openvswitch] [ 1035.676916] Code: 48 c1 ea 03 80 3c 02 00 0f 85 9f 01 00 00 4c 8b 23 48 b8 00 00 00 00 00 fc ff df 49 8d bc 24 60 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 86 01 00 00 49 8b bc 24 60 05 00 00 e8 e4 68 f4 [ 1035.713720] RSP: 0018:ffff88810dcb7578 EFLAGS: 00010206 [ 1035.713720] RAX: dffffc0000000000 RBX: ffff88810d13fe08 RCX: ffffffff84297704 [ 1035.713720] RDX: 00000000000000ac RSI: 0000000000000000 RDI: 0000000000000560 [ 1035.713720] RBP: 00000000ffffffef R08: fffffbfff0d3b881 R09: fffffbfff0d3b881 [ 1035.713720] R10: 0000000000000001 R11: fffffbfff0d3b880 R12: 0000000000000000 [ 1035.768776] R13: 0000607ee460b900 R14: ffff88810dcb7690 R15: ffff88810dcb7698 [ 1035.777709] FS: 00007f02095fc980(0000) GS:ffff88811b400000(0000) knlGS:0000000000000000 [ 1035.777709] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1035.777709] CR2: 00007ffdf01d2f28 CR3: 0000000108258000 CR4: 00000000001006e0 [ 1035.777709] Call Trace: [ 1035.777709] ovs_vport_add+0x267/0x4f0 [openvswitch] [ 1035.777709] new_vport+0x15/0x1e0 [openvswitch] [ 1035.777709] ovs_vport_cmd_new+0x567/0xd10 [openvswitch] [ 1035.777709] ? ovs_dp_cmd_dump+0x490/0x490 [openvswitch] [ 1035.777709] ? __kmalloc+0x131/0x2e0 [ 1035.777709] ? genl_family_rcv_msg+0xa54/0x1030 [ 1035.777709] genl_family_rcv_msg+0x63a/0x1030 [ 1035.777709] ? genl_unregister_family+0x630/0x630 [ 1035.841681] ? debug_show_all_locks+0x2d0/0x2d0 [ ... ] Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.") Signed-off-by: Taehee Yoo Reviewed-by: Greg Rose Signed-off-by: David S. Miller commit ec9b4feb1e41587c15d43d237844193318389dc3 Author: Eugeniy Paltsev Date: Wed Jun 5 20:32:50 2019 +0300 ARC: [plat-hsdk]: unify memory apertures configuration HSDK SoC has memory bridge which allows to configure memory map for different AXI masters in runtime. As of today we adjust memory apertures configuration in U-boot so we have different configuration in case of loading kernel via U-boot and JTAG. It isn't really critical in case of existing platform configuration as configuration differs for unused address space regions or unused AXI masters. However we may face with this issue when we'll bringup new peripherals or touch their address space. Fix that by perform full configuration of memory bridge in HSDK platform code. Basically we simply copy memory bridge configuration code from U-boot. Acked-by: Alexey Brodkin Signed-off-by: Eugeniy Paltsev Signed-off-by: Vineet Gupta commit 2bc42bfba9b247abd93991195b71f35a484531d1 Author: Alexey Brodkin Date: Mon Jun 3 09:31:19 2019 +0300 ARC: build: Try to guess CROSS_COMPILE with cc-cross-prefix For a long time we used to hard-code CROSS_COMPILE prefix for ARC until it started to cause problems, so we decided to solely rely on CROSS_COMPILE externally set by a user: commit 40660f1fcee8 ("ARC: build: Don't set CROSS_COMPILE in arch's Makefile"). While it works perfectly fine for build-systems where the prefix gets defined anyways for us human beings it's quite an annoying requirement especially given most of time the same one prefix "arc-linux-" is all what we need. It looks like finally we're getting the best of both worlds: 1. W/o cross-toolchain we still may install headers, build .dtb etc 2. W/ cross-toolchain get the kerne built with only ARCH=arc Inspired by [1] & [2]. [1] http://lists.infradead.org/pipermail/linux-snps-arc/2019-May/005788.html [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc2b47b55f17 A side note: even though "cc-cross-prefix" does its job it pollutes console with output of "which" for all the prefixes it didn't manage to find a matching cross-compiler for like that: | # ARCH=arc make defconfig | which: no arceb-linux-gcc in (~/.local/bin:~/bin:/usr/bin:/usr/sbin) | *** Default configuration is based on 'nsim_hs_defconfig' Suggested-by: Vineet Gupta Reviewed-by: Masahiro Yamada Signed-off-by: Alexey Brodkin Signed-off-by: Vineet Gupta commit 522924b583082f51b8a2406624a2f27c22119b20 Author: Willem de Bruijn Date: Fri Jun 7 17:57:48 2019 -0400 net: correct udp zerocopy refcnt also when zerocopy only on append The below patch fixes an incorrect zerocopy refcnt increment when appending with MSG_MORE to an existing zerocopy udp skb. send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt 1 send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt still 1 (bar frags) But it missed that zerocopy need not be passed at the first send. The right test whether the uarg is newly allocated and thus has extra refcnt 1 is not !skb, but !skb_zcopy. send(.., MSG_MORE); // send(.., MSG_ZEROCOPY); // refcnt 1 Fixes: 100f6d8e09905 ("net: correct zerocopy refcnt with udp MSG_MORE") Reported-by: syzbot Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller commit 517b91f4cde3043d77b2178548473e8545ef07cb Author: Shirish S Date: Tue Jun 4 21:25:03 2019 +0530 drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc [What] readptr read always returns zero, since most likely these blocks are either power or clock gated. [How] fetch rptr after amdgpu_ring_alloc() which informs the power management code that the block is about to be used and hence the gating is turned off. Signed-off-by: Louis Li Signed-off-by: Shirish S Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 941d935ac7636911a3fd8fa80e758e52b0b11e20 Author: Amir Goldstein Date: Tue Jun 11 18:09:28 2019 +0300 ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls The ioctl argument was parsed as the wrong type. Fixes: b21d9c435f93 ("ovl: support the FS_IOC_FS[SG]ETXATTR ioctls") Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi commit d0e1f2110a5eeb6e410b2dd37d98bc5b30da7bc7 Author: Nick Hu Date: Thu May 30 15:01:17 2019 +0800 riscv: Fix udelay in RV32. In RV32, udelay would delay the wrong cycle. When it shifts right "UDELAY_SHIFT" bits, it either delays 0 cycle or 1 cycle. It only works correctly in RV64. Because the 'ucycles' always needs to be 64 bits variable. Signed-off-by: Nick Hu Reviewed-by: Palmer Dabbelt [paul.walmsley@sifive.com: fixed minor spelling error] Signed-off-by: Paul Walmsley commit 39916897cd815a0ee07ba1f6820cf88a63e459fc Author: Qian Cai Date: Mon Jun 3 16:44:15 2019 -0400 drm/vmwgfx: fix a warning due to missing dma_parms Booting up with DMA_API_DEBUG_SG=y generates a warning due to the driver forgot to set dma_parms appropriately. Set it just after vmw_dma_masks() in vmw_driver_load(). DMA-API: vmwgfx 0000:00:0f.0: mapping sg segment longer than device claims to support [len=2097152] [max=65536] WARNING: CPU: 2 PID: 261 at kernel/dma/debug.c:1232 debug_dma_map_sg+0x360/0x480 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018 RIP: 0010:debug_dma_map_sg+0x360/0x480 Call Trace: vmw_ttm_map_dma+0x3b1/0x5b0 [vmwgfx] vmw_bo_map_dma+0x25/0x30 [vmwgfx] vmw_otables_setup+0x2a8/0x750 [vmwgfx] vmw_request_device_late+0x78/0xc0 [vmwgfx] vmw_request_device+0xee/0x4e0 [vmwgfx] vmw_driver_load.cold+0x757/0xd84 [vmwgfx] drm_dev_register+0x1ff/0x340 [drm] drm_get_pci_dev+0x110/0x290 [drm] vmw_probe+0x15/0x20 [vmwgfx] local_pci_probe+0x7a/0xc0 pci_device_probe+0x1b9/0x290 really_probe+0x1b5/0x630 driver_probe_device+0xa3/0x1a0 device_driver_attach+0x94/0xa0 __driver_attach+0xdd/0x1c0 bus_for_each_dev+0xfe/0x150 driver_attach+0x2d/0x40 bus_add_driver+0x290/0x350 driver_register+0xdc/0x1d0 __pci_register_driver+0xda/0xf0 vmwgfx_init+0x34/0x1000 [vmwgfx] do_one_initcall+0xe5/0x40a do_init_module+0x10f/0x3a0 load_module+0x16a5/0x1a40 __se_sys_finit_module+0x183/0x1c0 __x64_sys_finit_module+0x43/0x50 do_syscall_64+0xc8/0x606 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU") Co-developed-by: Thomas Hellstrom Signed-off-by: Qian Cai Signed-off-by: Thomas Hellstrom commit 405945588feedac8d7609113de9c62e72575a0ef Author: Andreas Schwab Date: Tue Jun 11 12:28:40 2019 +0200 riscv: export pm_power_off again Commit bf0102a0fdd9 ("riscv: call pm_power_off from machine_halt / machine_power_off") removed the export of pm_power_off, but it is used by several modules: ERROR: "pm_power_off" [drivers/mfd/rk808.ko] undefined! ERROR: "pm_power_off" [drivers/mfd/max8907.ko] undefined! ERROR: "pm_power_off" [drivers/mfd/axp20x.ko] undefined! ERROR: "pm_power_off" [drivers/char/ipmi/ipmi_poweroff.ko] undefined! Signed-off-by: Andreas Schwab Fixes: bf0102a0fdd9 ("riscv: call pm_power_off from machine_halt / machine_power_off") Signed-off-by: Paul Walmsley commit bde15555ba61c7f664f40fd3c6fdbdb63f784c9b Author: Thomas Hellstrom Date: Tue Jun 4 13:54:26 2019 +0200 drm/vmwgfx: Honor the sg list segment size limitation When building sg tables, honor the device sg list segment size limitation. Signed-off-by: Thomas Hellstrom Reviewed-by: Deepak Rawat commit 3b025f2bc98973f181d926192b0ceb6ced0f86d2 Author: Kevin Hilman Date: Wed Jun 5 10:50:42 2019 -0700 RISC-V: defconfig: enable clocks, serial console Enable PRCI clock driver and serial console by default, so the default upstream defconfig is bootable to a serial console. Signed-off-by: Kevin Hilman Reviewed-by: Christoph Hellwig Signed-off-by: Paul Walmsley commit cc0ba0d8624f210995924bb57a8b181ce8976606 Author: Thomas Hellstrom Date: Wed May 29 08:15:19 2019 +0200 drm/vmwgfx: Use the backdoor port if the HB port is not available The HB port may not be available for various reasons. Either it has been disabled by a config option or by the hypervisor for other reasons. In that case, make sure we have a backup plan and use the backdoor port instead with a performance penalty. Cc: stable@vger.kernel.org Fixes: 89da76fde68d ("drm/vmwgfx: Add VMWare host messaging capability") Signed-off-by: Thomas Hellstrom Reviewed-by: Deepak Rawat commit a483fcab38b43fb34a7f12ab1daadd3907f150e2 Author: Hans de Goede Date: Wed May 29 15:28:28 2019 +0200 efi/bgrt: Drop BGRT status field reserved bits check Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer reserved. These bits are now used to indicate if the image needs to be rotated before being displayed. The first device using these bits has now shown up (the GPD MicroPC) and the reserved bits check causes us to reject the valid BGRT table on this device. Rather then changing the reserved bits check, allowing only the 2 new bits, instead just completely remove it so that we do not end up with a similar problem when more bits are added in the future. Signed-off-by: Hans de Goede Signed-off-by: Ard Biesheuvel commit 18df7577adae6c6c778bf774b3aebcacbc1fb439 Author: Ard Biesheuvel Date: Sun Jun 9 20:17:44 2019 +0200 efi/memreserve: deal with memreserve entries in unmapped memory Ensure that the EFI memreserve entries can be accessed, even if they are located in memory that the kernel (e.g., a crashkernel) omits from the linear map. Fixes: 80424b02d42b ("efi: Reduce the amount of memblock reservations ...") Cc: # 5.0+ Reported-by: Jonathan Richardson Reviewed-by: Jonathan Richardson Tested-by: Jonathan Richardson Signed-off-by: Ard Biesheuvel commit da2577fdd0932ea4eefe73903f1130ee366767d2 Author: Jonathan Lemon Date: Sat Jun 8 12:54:19 2019 -0700 bpf: lpm_trie: check left child of last leftmost node for NULL If the leftmost parent node of the tree has does not have a child on the left side, then trie_get_next_key (and bpftool map dump) will not look at the child on the right. This leads to the traversal missing elements. Lookup is not affected. Update selftest to handle this case. Reproducer: bpftool map create /sys/fs/bpf/lpm type lpm_trie key 6 \ value 1 entries 256 name test_lpm flags 1 bpftool map update pinned /sys/fs/bpf/lpm key 8 0 0 0 0 0 value 1 bpftool map update pinned /sys/fs/bpf/lpm key 16 0 0 0 0 128 value 2 bpftool map dump pinned /sys/fs/bpf/lpm Returns only 1 element. (2 expected) Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE") Signed-off-by: Jonathan Lemon Acked-by: Martin KaFai Lau Signed-off-by: Daniel Borkmann commit 766741fcaa1fe5da2cb1e33ae458a5630ff7f667 Author: Miklos Szeredi Date: Tue Jun 11 13:35:22 2019 +0200 Revert "fuse: require /dev/fuse reads to have enough buffer capacity" This reverts commit d4b13963f217dd947da5c0cabd1569e914d21699. The commit introduced a regression in glusterfs-fuse. Reported-by: Sander Eikelenboom Signed-off-by: Miklos Szeredi commit 352bcae97f9ba87801f497571cdec20af190efe1 Author: Rui Nuno Capela Date: Fri Jun 7 15:13:37 2019 +0100 ALSA: ice1712: Check correct return value to snd_i2c_sendbytes (EWS/DMX 6Fire) Check for exact and correct return value to snd_i2c_sendbytes call for EWS/DMX 6Fire (snd_ice1712). Fixes a systemic error on every boot starting from kernel 5.1 onwards to snd_ice1712 driver ("cannot send pca") on Terratec EWS/DMX 6Fire PCI soundcards. Check for exact and correct return value to snd_i2c_sendbytes call for EWS/DMX 6Fire (snd_ice1712). Fixes a systemic error on every boot to snd_ice1712 driver ("cannot send pca") on Terratec EWS/DMX 6Fire PCI soundcards. Fixes: c99776cc4018 ("ALSA: ice1712: fix a missing check of snd_i2c_sendbytes") Signed-off-by: Rui Nuno Capela Cc: Signed-off-by: Takashi Iwai commit d8fa87c368f5b4096c4746894fdcc195da285df1 Author: Takashi Sakamoto Date: Sun Jun 9 19:29:12 2019 +0900 ALSA: oxfw: allow PCM capture for Stanton SCS.1m Stanton SCS.1m can transfer isochronous packet with Multi Bit Linear Audio data channels, therefore it allows software to capture PCM substream. However, ALSA oxfw driver doesn't. This commit changes the driver to add one PCM substream for capture direction. Fixes: de5126cc3c0b ("ALSA: oxfw: add stream format quirk for SCS.1 models") Cc: # v4.5+ Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai commit 0e3fb6995bfabb23c172e8b883bf5ac57102678e Author: Takashi Sakamoto Date: Sat Jun 1 12:08:01 2019 +0900 ALSA: firewire-motu: fix destruction of data for isochronous resources The data for isochronous resources is not destroyed in expected place. This commit fixes the bug. Cc: # v4.12+ Fixes: 9b2bb4f2f4a2 ("ALSA: firewire-motu: add stream management functionality") Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai commit 93c2f55ffc89247079e4eb616c70ecc3c9614b05 Author: Guenter Roeck Date: Sun Jun 9 13:35:44 2019 -0700 s390/ctl_reg: mark __ctl_set_bit and __ctl_clear_bit as __always_inline s390:tinyconfig fails to build with gcc 8.3.0. arch/s390/include/asm/ctl_reg.h:52:2: error: impossible constraint in 'asm' asm volatile( \ ^~~ arch/s390/include/asm/ctl_reg.h:62:2: note: in expansion of macro '__ctl_store' __ctl_store(reg, cr, cr); ^~~~~~~~~~~ s390/include/asm/ctl_reg.h:41:2: error: impossible constraint in 'asm' asm volatile( \ ^~~ arch/s390/include/asm/ctl_reg.h:64:2: note: in expansion of macro '__ctl_load' __ctl_load(reg, cr, cr); ^~~~~~~~~~ Marking __ctl_set_bit and __ctl_clear_bit as __always_inline fixes the problem. Fixes: 9012d011660e ("compiler: allow all arches to enable CONFIG_OPTIMIZE_INLINING") Signed-off-by: Guenter Roeck Signed-off-by: Heiko Carstens commit f9364df30420987e77599c4789ec0065c609a507 Author: Heiko Carstens Date: Tue Jun 4 13:10:51 2019 +0200 s390/boot: disable address-of-packed-member warning Get rid of gcc9 warnings like this: arch/s390/boot/ipl_report.c: In function 'find_bootdata_space': arch/s390/boot/ipl_report.c:42:26: warning: taking address of packed member of 'struct ipl_rb_components' may result in an unaligned pointer value [-Waddress-of-packed-member] 42 | for_each_rb_entry(comp, comps) | ^~~~~ This is effectively the s390 variant of commit 20c6c1890455 ("x86/boot: Disable the address-of-packed-member compiler warning"). Reviewed-by: Vasily Gorbik Signed-off-by: Heiko Carstens commit 01ccc3ad44130458769646204449e2e4124f15da Merge: 5e3b6b8ecc53 cf8929885de3 Author: Linus Torvalds Date: Mon Jun 10 07:43:30 2019 -1000 Merge tag 'for-linus-20190610' of git://git.kernel.dk/linux-block Pull block cgroup symlink revert from Jens Axboe: "I talked to Tejun about this offline, and he's not a huge fan of the symlink. So let's revert this for now, and Paolo can do this properly for 5.3 instead" * tag 'for-linus-20190610' of git://git.kernel.dk/linux-block: cgroup/bfq: revert bfq.weight symlink change commit 5e3b6b8ecc53ffec9472ce5468307061072a5ded Merge: e59bf4282c8b 7d293f564561 Author: Linus Torvalds Date: Mon Jun 10 07:35:55 2019 -1000 Merge tag 'regulator-fix-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fix from Mark Brown: "Just one driver specific fix here, for a boot regression introduced during some modernization work on the tps6507x driver" * tag 'regulator-fix-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: tps6507x: Fix boot regression due to testing wrong init_data pointer commit e59bf4282c8b0abd27cc4d550e20ec5b85ccaa19 Merge: d1fdb6d8f6a4 f3440d9a0da2 Author: Linus Torvalds Date: Mon Jun 10 07:19:56 2019 -1000 Merge tag 'spi-fix-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A small set of fixes here. One core fix for error handling when we fail to set up the hardware before initiating a transfer and another one reverting a change in the core which broke Raspberry Pi in common use cases as part of some optimization work. There's also a couple of driver specific fixes" * tag 'spi-fix-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: abort spi_sync if failed to prepare_transfer_hardware spi: spi-fsl-spi: call spi_finalize_current_message() at the end spi: bitbang: Fix NULL pointer dereference in spi_unregister_master spi: Fix Raspberry Pi breakage commit c596687a008b579c503afb7a64fcacc7270fae9e Author: Tejun Heo Date: Mon Jun 10 09:08:27 2019 -0700 cgroup: Fix css_task_iter_advance_css_set() cset skip condition While adding handling for dying task group leaders c03cd7738a83 ("cgroup: Include dying leaders with live threads in PROCS iterations") added an inverted cset skip condition to css_task_iter_advance_css_set(). It should skip cset if it's completely empty but was incorrectly testing for the inverse condition for the dying_tasks list. Fix it. Signed-off-by: Tejun Heo Fixes: c03cd7738a83 ("cgroup: Include dying leaders with live threads in PROCS iterations") Reported-by: syzbot+d4bba5ccd4f9a2a68681@syzkaller.appspotmail.com commit b7108486d2d60357dec274276e2f69128f29dcdc Merge: d1fdb6d8f6a4 39194128701b Author: Greg Kroah-Hartman Date: Mon Jun 10 18:07:39 2019 +0200 Merge tag 'soundwire-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire into char-misc-linus Vinod writes: soundwire fixes for v5.2-rc4 Srinivas Kandagatla fixed by bunch of issues, two in core for locking and out of bound access and one in intel driver copy-paste * tag 'soundwire-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire: soundwire: intel: set dai min and max channels correctly soundwire: stream: fix bad unlock balance soundwire: stream: fix out of boundary access on port properties commit de060de333eff20c1c2dad0139983f19150f776b Author: Ezequiel Garcia Date: Wed Jun 5 15:48:59 2019 -0300 drm/panfrost: Require the simple_ondemand governor Panfrost depends on the simple_ondemand governor, and therefore it's a required configuration. Select it. Fixes: f3617b449d0b ("drm/panfrost: Select devfreq") Signed-off-by: Ezequiel Garcia Reviewed-by: Tomeu Vizoso Signed-off-by: Rob Herring Link: https://patchwork.freedesktop.org/patch/msgid/20190605184859.9432-1-ezequiel@collabora.com commit 1c3b526e559deada4506732acec4af1879fc1fa0 Author: Neil Armstrong Date: Wed Jun 5 17:02:33 2019 +0200 drm/panfrost: make devfreq optional again Devfreq runtime usage was made mandatory, thus making panfrost fail to probe on Amlogic S912 SoCs missing the "operating-points-v2" property. Make it optional again, leaving PM_DEVFREQ selected by default. Fixes: f3617b449d0b ("drm/panfrost: Select devfreq") Signed-off-by: Neil Armstrong Reviewed-by: Ezequiel Garcia Signed-off-by: Rob Herring Link: https://patchwork.freedesktop.org/patch/msgid/20190605150233.32722-1-narmstrong@baylibre.com commit be7d9f05c53e6fc88525f8e55cf2dae937761799 Author: Boris Brezillon Date: Wed May 29 08:51:21 2019 +0200 drm/gem_shmem: Use a writecombine mapping for ->vaddr Right now, the BO is mapped as a cached region when ->vmap() is called and the underlying object is not a dmabuf. Doing that makes cache management a bit more complicated (you'd need to call dma_map/unmap_sg() on the ->sgt field everytime the BO is about to be passed to the GPU/CPU), so let's map the BO with writecombine attributes instead (as done in most drivers). Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") Signed-off-by: Boris Brezillon Reviewed-by: Daniel Vetter Reviewed-by: Eric Anholt Signed-off-by: Rob Herring Link: https://patchwork.freedesktop.org/patch/msgid/20190529065121.13485-1-boris.brezillon@collabora.com commit 97bf85b6ec9e6597ce81c79b26a28f7918fc4eaf Author: Wolfram Sang Date: Thu Jun 6 13:35:35 2019 +0200 mmc: sdhi: disallow HS400 for M3-W ES1.2, RZ/G2M, and V3H Our HW engineers informed us that HS400 is not working on these SoC revisions. Fixes: 0f4e2054c971 ("mmc: renesas_sdhi: disable HS400 on H3 ES1.x and M3-W ES1.[012]") Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Reviewed-by: Fabrizio Castro Reviewed-by: Niklas Söderlund Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson commit 3da428ff2aa5a5191ba2f1630eea75f03242f3f2 Author: Alex Levin Date: Fri Jun 7 15:19:11 2019 -0700 ASoC: Intel: sst: fix kmalloc call with wrong flags When calling kmalloc with GFP_KERNEL in case CONFIG_SLOB is unset, kmem_cache_alloc_trace is called. In case CONFIG_TRACING is set, kmem_cache_alloc_trace will ball slab_alloc, which will call slab_pre_alloc_hook which might_sleep_if. The context in which it is called in this case, the intel_sst_interrupt_mrfld, calling a sleeping kmalloc generates a BUG(): Fixes: 972b0d456e64 ("ASoC: Intel: remove GFP_ATOMIC, use GFP_KERNEL") [ 20.250671] BUG: sleeping function called from invalid context at mm/slab.h:422 [ 20.250683] in_atomic(): 1, irqs_disabled(): 1, pid: 1791, name: Chrome_IOThread [ 20.250690] CPU: 0 PID: 1791 Comm: Chrome_IOThread Tainted: G W 4.19.43 #61 [ 20.250693] Hardware name: GOOGLE Kefka, BIOS Google_Kefka.7287.337.0 03/02/2017 [ 20.250697] Call Trace: [ 20.250704] [ 20.250716] dump_stack+0x7e/0xc3 [ 20.250725] ___might_sleep+0x12a/0x140 [ 20.250731] kmem_cache_alloc_trace+0x53/0x1c5 [ 20.250736] ? update_cfs_rq_load_avg+0x17e/0x1aa [ 20.250740] ? cpu_load_update+0x6c/0xc2 [ 20.250746] sst_create_ipc_msg+0x2d/0x88 [ 20.250752] intel_sst_interrupt_mrfld+0x12a/0x22c [ 20.250758] __handle_irq_event_percpu+0x133/0x228 [ 20.250764] handle_irq_event_percpu+0x35/0x7a [ 20.250768] handle_irq_event+0x36/0x55 [ 20.250773] handle_fasteoi_irq+0xab/0x16c [ 20.250779] handle_irq+0xd9/0x11e [ 20.250785] do_IRQ+0x54/0xe0 [ 20.250791] common_interrupt+0xf/0xf [ 20.250795] [ 20.250800] RIP: 0010:__lru_cache_add+0x4e/0xad [ 20.250806] Code: 00 01 48 c7 c7 b8 df 01 00 65 48 03 3c 25 28 f1 00 00 48 8b 48 08 48 89 ca 48 ff ca f6 c1 01 48 0f 44 d0 f0 ff 42 34 0f b6 0f <89> ca fe c2 88 17 48 89 44 cf 08 80 fa 0f 74 0e 48 8b 08 66 85 c9 [ 20.250809] RSP: 0000:ffffa568810bfd98 EFLAGS: 00000202 ORIG_RAX: ffffffffffffffd6 [ 20.250814] RAX: ffffd3b904eb1940 RBX: ffffd3b904eb1940 RCX: 0000000000000004 [ 20.250817] RDX: ffffd3b904eb1940 RSI: ffffa10ee5c47450 RDI: ffffa10efba1dfb8 [ 20.250821] RBP: ffffa568810bfda8 R08: ffffa10ef9c741c1 R09: dead000000000100 [ 20.250824] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa10ee8d52a40 [ 20.250827] R13: ffffa10ee8d52000 R14: ffffa10ee5c47450 R15: 800000013ac65067 [ 20.250835] lru_cache_add_active_or_unevictable+0x4e/0xb8 [ 20.250841] handle_mm_fault+0xd98/0x10c4 [ 20.250848] __do_page_fault+0x235/0x42d [ 20.250853] ? page_fault+0x8/0x30 [ 20.250858] do_page_fault+0x3d/0x17a [ 20.250862] ? page_fault+0x8/0x30 [ 20.250866] page_fault+0x1e/0x30 [ 20.250872] RIP: 0033:0x7962fdea9304 [ 20.250875] Code: 0f 11 4c 17 f0 c3 48 3b 15 f1 26 31 00 0f 83 e2 00 00 00 48 39 f7 72 0f 74 12 4c 8d 0c 16 4c 39 cf 0f 82 63 01 00 00 48 89 d1 a4 c3 80 fa 08 73 12 80 fa 04 73 1e 80 fa 01 77 26 72 05 0f b6 [ 20.250879] RSP: 002b:00007962f4db5468 EFLAGS: 00010206 [ 20.250883] RAX: 00003c8cc9d47008 RBX: 0000000000000000 RCX: 0000000000001b48 [ 20.250886] RDX: 0000000000002b40 RSI: 00003c8cc9551000 RDI: 00003c8cc9d48000 [ 20.250890] RBP: 00007962f4db5820 R08: 0000000000000000 R09: 00003c8cc9552b48 [ 20.250893] R10: 0000562dd1064d30 R11: 00003c8cc825b908 R12: 00003c8cc966d3c0 [ 20.250896] R13: 00003c8cc9e280c0 R14: 0000000000000000 R15: 0000000000000000 Signed-off-by: Alex Levin Signed-off-by: Mark Brown commit 495f926c68ddb905a7a0192963096138c6a934e1 Author: Ranjani Sridharan Date: Fri Jun 7 22:07:06 2019 -0700 ASoC: core: Fix deadlock in snd_soc_instantiate_card() Move the client_mutex lock to snd_soc_unbind_card() before removing link components. This prevents the deadlock in the error path in snd_soc_instantiate_card(). Fixes: 34ac3c3eb8 (ASoC: core: lock client_mutex while removing link components) Reported-by: kernelci.org bot Signed-off-by: Ranjani Sridharan Signed-off-by: Mark Brown commit c2ed3d474fac61ab46468c5365f84f59dc6e173f Merge: 01fb49ff124a f3dfd4072c3e Author: Greg Kroah-Hartman Date: Mon Jun 10 16:30:56 2019 +0200 Merge tag 'usb-serial-5.2-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial fixes for 5.2-rc5 Here are some new device ids for option and pl2303. All have been in linux-next with no reported issues. Signed-off-by: Johan Hovold * tag 'usb-serial-5.2-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: option: add Telit 0x1260 and 0x1261 compositions USB: serial: pl2303: add Allied Telesis VT-Kit3 USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode commit cf8929885de318c0bf73438c9e5dde59d6536f7c Author: Jens Axboe Date: Mon Jun 10 03:35:41 2019 -0600 cgroup/bfq: revert bfq.weight symlink change There's some discussion on how to do this the best, and Tejun prefers that BFQ just create the file itself instead of having cgroups support a symlink feature. Hence revert commit 54b7b868e826 and 19e9da9e86c4 for 5.2, and this can be done properly for 5.3. Signed-off-by: Jens Axboe commit 8a0098c05a272c9a68f6885e09755755b612459c Author: Teresa Remmet Date: Fri May 24 15:19:57 2019 +0200 ARM: dts: am335x phytec boards: Fix cd-gpios active level Active level of the mmc1 cd gpio needs to be low instead of high. Fix PCM-953 and phyBOARD-WEGA. Signed-off-by: Teresa Remmet Signed-off-by: Tony Lindgren commit cbdce1418894c4da804fd89555376863aa956a12 Author: Keerthy Date: Tue Jun 4 11:43:35 2019 +0530 ARM: dts: dra72x: Disable usb4_tm target module usb4_tm is unsed on dra72 and accessing the module with ti,sysc is causing a boot crash hence disable its target module. Fixes: 549fce068a3112 ("ARM: dts: dra7: Add l4 interconnect hierarchy and ti-sysc data") Reported-by: Vignesh Raghavendra Signed-off-by: Keerthy Signed-off-by: Tony Lindgren commit dce5ccccd1231c6eaec5ede80bce85f2ae536826 Author: John Hurley Date: Sat Jun 8 17:48:03 2019 -0700 nfp: ensure skb network header is set for packet redirect Packets received at the NFP driver may be redirected to egress of another netdev (e.g. in the case of OvS internal ports). On the egress path, some processes, like TC egress hooks, may expect the network header offset field in the skb to be correctly set. If this is not the case there is potential for abnormal behaviour and even the triggering of BUG() calls. Set the skb network header field before the mac header pull when doing a packet redirect. Fixes: 27f54b582567 ("nfp: allow fallback packets from non-reprs") Signed-off-by: John Hurley Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller commit fcc2202a9d6e4578aca1af4f1954f61dc986ef74 Author: Yuchung Cheng Date: Fri Jun 7 18:26:33 2019 -0700 tcp: fix undo spurious SYNACK in passive Fast Open Commit 794200d66273 ("tcp: undo cwnd on Fast Open spurious SYNACK retransmit") may cause tcp_fastretrans_alert() to warn about pending retransmission in Open state. This is triggered when the Fast Open server both sends data and has spurious SYNACK retransmission during the handshake, and the data packets were lost or reordered. The root cause is a bit complicated: (1) Upon receiving SYN-data: a full socket is created with snd_una = ISN + 1 by tcp_create_openreq_child() (2) On SYNACK timeout the server/sender enters CA_Loss state. (3) Upon receiving the final ACK to complete the handshake, sender does not mark FLAG_SND_UNA_ADVANCED since (1) Sender then calls tcp_process_loss since state is CA_loss by (2) (4) tcp_process_loss() does not invoke undo operations but instead mark REXMIT_LOST to force retransmission (5) tcp_rcv_synrecv_state_fastopen() calls tcp_try_undo_loss(). It changes state to CA_Open but has positive tp->retrans_out (6) Next ACK triggers the WARN_ON in tcp_fastretrans_alert() The step that goes wrong is (4) where the undo operation should have been invoked because the ACK successfully acknowledged the SYN sequence. This fixes that by specifically checking undo when the SYN-ACK sequence is acknowledged. Then after tcp_process_loss() the state would be further adjusted based in tcp_fastretrans_alert() to avoid triggering the warning in (6). Fixes: 794200d66273 ("tcp: undo cwnd on Fast Open spurious SYNACK retransmit") Signed-off-by: Yuchung Cheng Signed-off-by: Neal Cardwell Signed-off-by: David S. Miller commit c1a9d65954c68e13a6adc0225b0d38188fff68ca Author: Matteo Croce Date: Sat Jun 8 14:50:19 2019 +0200 mpls: fix af_mpls dependencies MPLS routing code relies on sysctl to work, so let it select PROC_SYSCTL. Reported-by: Randy Dunlap Suggested-by: David Ahern Signed-off-by: Matteo Croce Signed-off-by: David S. Miller commit 7f0b44a42e22edc15f8f189f8dc12b867b1bef04 Merge: 4172eadb0864 7c940b1a5291 Author: David S. Miller Date: Sun Jun 9 19:51:28 2019 -0700 Merge branch 'ibmvnic-Fixes-for-device-reset-handling' Thomas Falcon says: ==================== ibmvnic: Fixes for device reset handling This series contains three unrelated fixes to issues seen during device resets. The first patch fixes an error when the driver requests to deactivate the link of an uninitialized device, resulting in a failure to reset. Next, a patch to fix multicast transmission failures seen after a driver reset. The final patch fixes mishandling of memory allocation failures during device initialization, which caused a kernel oops. ==================== Signed-off-by: David S. Miller commit 7c940b1a5291e5069d561f5b8f0e51db6b7a259a Author: Thomas Falcon Date: Fri Jun 7 16:03:55 2019 -0500 ibmvnic: Fix unchecked return codes of memory allocations The return values for these memory allocations are unchecked, which may cause an oops if the driver does not handle them after a failure. Fix by checking the function's return code. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller commit be32a24372cf162e825332da1a7ccef058d4f20b Author: Thomas Falcon Date: Fri Jun 7 16:03:54 2019 -0500 ibmvnic: Refresh device multicast list after reset It was observed that multicast packets were no longer received after a device reset. The fix is to resend the current multicast list to the backing device after recovery. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller commit 1f94608b0ce141be5286dde31270590bdf35b86a Author: Thomas Falcon Date: Fri Jun 7 16:03:53 2019 -0500 ibmvnic: Do not close unopened driver during reset Check driver state before halting it during a reset. If the driver is not running, do nothing. Otherwise, a request to deactivate a down link can cause an error and the reset will fail. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller commit 4172eadb086407ac571f5e5be640b07b1a66ae87 Merge: 62f42a114b92 45e7d4c0c172 Author: David S. Miller Date: Sun Jun 9 19:45:54 2019 -0700 Merge tag 'mlx5-fixes-2019-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== Mellanox, mlx5 fixes 2019-06-07 This series introduces some fixes to mlx5 driver. Please pull and let me know if there is any problem. For -stable v4.17 ('net/mlx5: Avoid reloading already removed devices') For -stable v5.0 ('net/mlx5e: Avoid detaching non-existing netdev under switchdev mode') For -stable v5.1 ('net/mlx5e: Fix source port matching in fdb peer flow rule') ('net/mlx5e: Support tagged tunnel over bond') ('net/mlx5e: Add ndo_set_feature for uplink representor') ('net/mlx5: Update pci error handler entries and command translation') ==================== Signed-off-by: David S. Miller commit 62f42a114b920548bbb536b3a8363bc1310f3cd7 Merge: 2f3f7d1fa0d1 fd704bd5ee74 Author: David S. Miller Date: Sun Jun 9 19:44:01 2019 -0700 Merge tag 'linux-can-fixes-for-5.2-20190607' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2019-06-07 this is a pull reqeust of 9 patches for net/master. The first patch is by Alexander Dahl and removes a duplicate menu entry from the Kconfig. The next patch by Joakim Zhang fixes the timeout in the flexcan driver when setting small bit rates. Anssi Hannula's patch for the xilinx_can driver fixes the bittiming_const for CAN FD core. The two patches by Sean Nyekjaer bring mcp25625 to the existing mcp251x driver. The patch by Eugen Hristev implements an errata for the m_can driver. YueHaibing's patch fixes the error handling ing can_init(). The patch by Fabio Estevam for the flexcan driver removes an unneeded registration message during flexcan_probe(). And the last patch is by Willem de Bruijn and adds the missing purging the socket error queue on sock destruct. ==================== Signed-off-by: David S. Miller commit 2f3f7d1fa0d1039b24a55d127ed190f196fc3e79 Author: George Wilkie Date: Fri Jun 7 11:49:41 2019 +0100 mpls: fix warning with multi-label encap If you configure a route with multiple labels, e.g. ip route add 10.10.3.0/24 encap mpls 16/100 via 10.10.2.2 dev ens4 A warning is logged: kernel: [ 130.561819] netlink: 'ip': attribute type 1 has an invalid length. This happens because mpls_iptunnel_policy has set the type of MPLS_IPTUNNEL_DST to fixed size NLA_U32. Change it to a minimum size. nla_get_labels() does the remaining validation. Fixes: e3e4712ec096 ("mpls: ip tunnel support") Signed-off-by: George Wilkie Reviewed-by: David Ahern Signed-off-by: David S. Miller commit a9520543b123bbd7275a0ab8d0375a5412683b41 Author: Michael Schmitz Date: Fri Jun 7 17:37:34 2019 +1200 net: phy: rename Asix Electronics PHY driver [Resent to net instead of net-next - may clash with Anders Roxell's patch series addressing duplicate module names] Commit 31dd83b96641 ("net-next: phy: new Asix Electronics PHY driver") introduced a new PHY driver drivers/net/phy/asix.c that causes a module name conflict with a pre-existiting driver (drivers/net/usb/asix.c). The PHY driver is used by the X-Surf 100 ethernet card driver, and loaded by that driver via its PHY ID. A rename of the driver looks unproblematic. Rename PHY driver to ax88796b.c in order to resolve name conflict. Signed-off-by: Michael Schmitz Tested-by: Michael Schmitz Fixes: 31dd83b96641 ("net-next: phy: new Asix Electronics PHY driver") Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller commit 65a3c497c0e965a552008db8bc2653f62bc925a1 Author: Eric Dumazet Date: Thu Jun 6 14:32:34 2019 -0700 ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero Before taking a refcount, make sure the object is not already scheduled for deletion. Same fix is needed in ipv6_flowlabel_opt() Fixes: 18367681a10b ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.") Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Signed-off-by: David S. Miller commit c3fee640bcf52c34a25b767f2b0eda82e97a1f3b Author: Enrico Weigelt Date: Thu Jun 6 16:43:17 2019 +0200 net: ipv4: fib_semantics: fix uninitialized variable fix an uninitialized variable: CC net/ipv4/fib_semantics.o net/ipv4/fib_semantics.c: In function 'fib_check_nh_v4_gw': net/ipv4/fib_semantics.c:1027:12: warning: 'err' may be used uninitialized in this function [-Wmaybe-uninitialized] if (!tbl || err) { ^~ Signed-off-by: Enrico Weigelt Signed-off-by: David S. Miller commit a876697b0ad1cba4d56c72395b330691aafa1593 Author: Jeff LaBundy Date: Sun Jun 9 10:16:51 2019 -0700 Input: iqs5xx - get axis info before calling input_mt_init_slots() Calling input_mt_init_slots() copies ABS_MT_POSITION_X to ABS_X and so on, but doing so before calling touchscreen_parse_properties() leaves ABS_X min = max = 0 which may prompt an X server to ignore the device. To solve this problem, wait to call input_mt_init_slots() until all absolute axis information has been resolved (whether that's through device tree via touchscreen_parse_properties() or from reading from the device directly). Signed-off-by: Jeff LaBundy Signed-off-by: Dmitry Torokhov commit d1fdb6d8f6a4109a4263176c84b899076a5f8008 Author: Linus Torvalds Date: Sat Jun 8 20:24:46 2019 -0700 Linux 5.2-rc4 commit 2759e05cdb2577a0e8970a9fa80a7f5ff092596f Merge: 8e61f6f7c308 7b2f936fc828 Author: Linus Torvalds Date: Sat Jun 8 15:57:35 2019 -0700 Merge tag 'ceph-for-5.2-rc4' of git://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "A change to call iput() asynchronously to avoid a possible deadlock when iput_final() needs to wait for in-flight I/O (e.g. readahead) and a fixup for a cleanup that went into -rc1" * tag 'ceph-for-5.2-rc4' of git://github.com/ceph/ceph-client: ceph: fix error handling in ceph_get_caps() ceph: avoid iput_final() while holding mutex or in dispatch thread ceph: single workqueue for inode related works commit 8e61f6f7c308a828f8402db6651f6e38ba66c009 Merge: 3d4645bf7a76 1d5c76e66433 Author: Linus Torvalds Date: Sat Jun 8 13:16:05 2019 -0700 Merge tag 'for-linus-5.2b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fix from Juergen Gross: "Just one fix for the Xen block frontend driver avoiding allocations with order > 0" * tag 'for-linus-5.2b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen-blkfront: switch kcalloc to kvcalloc for large array allocation commit 3d4645bf7a76886c70a482a1c6742bac98553f47 Merge: d0cc617affbf 0ab0d7ac2090 Author: Linus Torvalds Date: Sat Jun 8 13:12:54 2019 -0700 Merge tag 's390-5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Heiko Carstens: - fix stack unwinder: the stack unwinder rework has on off-by-one bug which prevents following stack backchains over more than one context (e.g. irq -> process). - fix address space detection in exception handler: if user space switches to access register mode, which is not supported anymore, the exception handler may resolve to the wrong address space. * tag 's390-5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/unwind: correct stack switching during unwind s390/mm: fix address space detection in exception handling commit d0cc617affbf2e31696adf37d153c550c5bef662 Merge: 9331b6740f86 f532beeeff0c Author: Linus Torvalds Date: Sat Jun 8 13:09:31 2019 -0700 Merge tag 'mips_fixes_5.2_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux Pull MIPS fixes from Paul Burton: - Declare ginvt() __always_inline due to its use of an argument as an inline asm immediate. - A VDSO build fix following Kbuild changes made this cycle. - A fix for boot failures on txx9 systems following memory initialization changes made this cycle. - Bounds check virt_addr_valid() to prevent it spuriously indicating that bogus addresses are valid, in turn fixing hardened usercopy failures that have been present since v4.12. - Build uImage.gz for pistachio systems by default, since this is the image we need in order to actually boot on a board. - Remove an unused variable in our uprobes code. * tag 'mips_fixes_5.2_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: MIPS: uprobes: remove set but not used variable 'epc' MIPS: pistachio: Build uImage.gz by default MIPS: Make virt_addr_valid() return bool MIPS: Bounds check virt_addr_valid MIPS: TXx9: Fix boot crash in free_initmem() MIPS: remove a space after -I to cope with header search paths for VDSO MIPS: mark ginvt() as __always_inline commit 9331b6740f86163908de69f4008e434fe0c27691 Merge: 1ce2c85137b1 d925da5c7b09 Author: Linus Torvalds Date: Sat Jun 8 12:52:42 2019 -0700 Merge tag 'spdx-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull yet more SPDX updates from Greg KH: "Another round of SPDX header file fixes for 5.2-rc4 These are all more "GPL-2.0-or-later" or "GPL-2.0-only" tags being added, based on the text in the files. We are slowly chipping away at the 700+ different ways people tried to write the license text. All of these were reviewed on the spdx mailing list by a number of different people. We now have over 60% of the kernel files covered with SPDX tags: $ ./scripts/spdxcheck.py -v 2>&1 | grep Files Files checked: 64533 Files with SPDX: 40392 Files with errors: 0 I think the majority of the "easy" fixups are now done, it's now the start of the longer-tail of crazy variants to wade through" * tag 'spdx-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (159 commits) treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 450 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 449 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 448 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 446 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 445 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 444 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 443 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 442 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 440 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 438 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 437 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 436 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 435 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 434 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 433 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 432 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 431 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 430 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 429 ... commit 1ce2c85137b1db5b0e4158d558cb93dcff7674df Merge: 902b2edfca34 e7bf2ce83747 Author: Linus Torvalds Date: Sat Jun 8 12:50:36 2019 -0700 Merge tag 'char-misc-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some small char and misc driver fixes for 5.2-rc4 to resolve a number of reported issues. The most "notable" one here is the kernel headers in proc^Wsysfs fixes. Those changes move the header file info into sysfs and fixes the build issues that you reported. Other than that, a bunch of small habanalabs driver fixes, some fpga driver fixes, and a few other tiny driver fixes. All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: habanalabs: Read upper bits of trace buffer from RWPHI habanalabs: Fix virtual address access via debugfs for 2MB pages fpga: zynqmp-fpga: Correctly handle error pointer habanalabs: fix bug in checking huge page optimization habanalabs: Avoid using a non-initialized MMU cache mutex habanalabs: fix debugfs code uapi/habanalabs: add opcode for enable/disable device debug mode habanalabs: halt debug engines on user process close test_firmware: Use correct snprintf() limit genwqe: Prevent an integer overflow in the ioctl parport: Fix mem leak in parport_register_dev_model fpga: dfl: expand minor range when registering chrdev region fpga: dfl: Add lockdep classes for pdata->lock fpga: dfl: afu: Pass the correct device to dma_mapping_error() fpga: stratix10-soc: fix use-after-free on s10_init() w1: ds2408: Fix typo after 49695ac46861 (reset on output_write retry with readback) kheaders: Do not regenerate archive if config is not changed kheaders: Move from proc to sysfs lkdtm/bugs: Adjust recursion test to avoid elision lkdtm/usercopy: Moves the KERNEL_DS test to non-canonical commit 902b2edfca34f88b04b86e605087e200e7e79880 Merge: 66b59f2b5e48 8f77293cca1f Author: Linus Torvalds Date: Sat Jun 8 12:48:49 2019 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "I2C has a driver bugfix and a MAINTAINERS fix" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: MAINTAINERS: Karthikeyan Ramasubramanian is MIA i2c: xiic: Add max_read_len quirk commit 66b59f2b5e48969de862908c2d32c8b3d3724738 Merge: 8d72e5bd86cb 9bb9fe0cfbe0 Author: Linus Torvalds Date: Sat Jun 8 12:46:31 2019 -0700 Merge tag 'dmaengine-fix-5.2-rc4' of git://git.infradead.org/users/vkoul/slave-dma Pull dmaengine fixes from Vinod Koul: - jz4780 transfer fix for acking descriptors early - fsl-qdma: clean registers on error - dw-axi-dmac: null pointer dereference fix - mediatek-cqdma: fix sleeping in atomic context - tegra210-adma: fix bunch os issues like crashing in driver probe, channel FIFO configuration etc. - sprd: Fixes for possible crash on descriptor status, block length overflow. For 2-stage transfer fix incorrect start, configuration and interrupt handling. * tag 'dmaengine-fix-5.2-rc4' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: sprd: Add interrupt support for 2-stage transfer dmaengine: sprd: Fix the right place to configure 2-stage transfer dmaengine: sprd: Fix block length overflow dmaengine: sprd: Fix the incorrect start for 2-stage destination channels dmaengine: sprd: Add validation of current descriptor in irq handler dmaengine: sprd: Fix the possible crash when getting descriptor status dmaengine: tegra210-adma: Fix spelling dmaengine: tegra210-adma: Fix channel FIFO configuration dmaengine: tegra210-adma: Fix crash during probe dmaengine: mediatek-cqdma: sleeping in atomic context dmaengine: dw-axi-dmac: fix null dereference when pointer first is null dmaengine: fsl-qdma: Add improvement dmaengine: jz4780: Fix transfers being ACKed too soon commit 8d72e5bd86cb405d8d8b9e92905d8cfffd08dde8 Merge: 1b02caa319cf 6c70f899b808 Author: Linus Torvalds Date: Sat Jun 8 12:12:11 2019 -0700 Merge tag 'for-linus-20190608' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: - Allow symlink from the bfq.weight cgroup parameter to the general weight (Angelo) - Damien is new skd maintainer (Bart) - NVMe pull request from Sagi, with a few small fixes. - Ensure we set DMA segment size properly, dma-debug is now tripping on these (Christoph) - Remove useless debugfs_create() return check (Greg) - Remove redundant unlikely() check on IS_ERR() (Kefeng) - Fixup request freeing on exit (Ming) * tag 'for-linus-20190608' of git://git.kernel.dk/linux-block: block, bfq: add weight symlink to the bfq.weight cgroup parameter cgroup: let a symlink too be created with a cftype file block: free sched's request pool in blk_cleanup_queue nvme-rdma: use dynamic dma mapping per command nvme: Fix u32 overflow in the number of namespace list calculation mmc: also set max_segment_size in the device mtip32xx: also set max_segment_size in the device rsxx: don't call dma_set_max_seg_size nvme-pci: don't limit DMA segement size block: Drop unlikely before IS_ERR(_OR_NULL) block: aoe: no need to check return value of debugfs_create functions nvmet: fix data_len to 0 for bdev-backed write_zeroes MAINTAINERS: Hand over skd maintainership nvme-tcp: fix queue mapping when queue count is limited nvme-rdma: fix queue mapping when queue count is limited commit 1b02caa319cf73ae89aced8714066a3a5bbe648b Merge: 0ad43e29b6e8 cc8f52609bb4 Author: Linus Torvalds Date: Sat Jun 8 11:54:17 2019 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Two bug fixes, both for fairly serious problems; the UFS one looks like it could be used to exfiltrate data from the kernel, although probably only a privileged user has access to the command management interface and the missing unlock in smartpqi is long standing and probably a little used error path" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: smartpqi: unlock on error in pqi_submit_raid_request_synchronous() scsi: ufs: Check that space was properly alloced in copy_query_response commit d2ba3b1714d754f190ac0527713f9b44513b5857 Author: Helge Deller Date: Sat Jun 8 20:04:46 2019 +0200 parisc: Fix module loading error with JUMP_LABEL feature Commit 62217beb394e ("parisc: Add static branch and JUMP_LABEL feature") missed to add code to handle PCREL64 relocations which are generated when creating a jump label on a 64-bit kernel. This patch fixes module load errors like this one: # modprobe -v ipv6 insmod /lib/modules/5.2.0-rc1-JeR/kernel/net/ipv6/ipv6.ko modprobe: ERROR: could not insert 'ipv6': Exec format error dmesg reports: module ipv6: Unknown relocation: 72 Reported-by: Jeroen Roovers Tested-by: Jeroen Roovers Fixes: 62217beb394e ("parisc: Add static branch and JUMP_LABEL feature") Signed-off-by: Helge Deller commit 0ad43e29b6e845758f0ceb80e3c1d1a9cebfad06 Merge: 79c3ba3206c7 e2e88325f4bc Author: Linus Torvalds Date: Sat Jun 8 10:57:32 2019 -0700 Merge tag 'linux-kselftest-5.2-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull Kselftest fix from Shuah Khan: "This consists of a single fix for a vm test build failure regression when it is built by itself" * tag 'linux-kselftest-5.2-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: selftests: vm: Fix test build failure when built by itself commit 652b8b086538c8a10de5aa5cbdaef79333b46358 Author: Hans de Goede Date: Fri May 24 14:57:59 2019 +0200 drm: panel-orientation-quirks: Add quirk for GPD MicroPC GPD has done it again, make a nice device (good), use way too generic DMI strings (bad) and use a portrait screen rotated 90 degrees (ugly). Because of the too generic DMI strings this entry is also doing bios-date matching, so the gpd_micropc data struct may very well need to be updated with some extra bios-dates in the future. Acked-by: Maxime Ripard Signed-off-by: Hans de Goede Link: https://patchwork.freedesktop.org/patch/msgid/20190524125759.14131-2-hdegoede@redhat.com (cherry picked from commit f2f2bb60d998abde10de7e483ef9e17639892450) commit 15abc7110a77555d3bf72aaef46d1557db0a4ac5 Author: Hans de Goede Date: Fri May 24 14:57:58 2019 +0200 drm: panel-orientation-quirks: Add quirk for GPD pocket2 GPD has done it again, make a nice device (good), use way too generic DMI strings (bad) and use a portrait screen rotated 90 degrees (ugly). Because of the too generic DMI strings this entry is also doing bios-date matching, so the gpd_pocket2 data struct may very well need to be updated with some extra bios-dates in the future. Changes in v2: -Add one more known BIOS date to the list of BIOS dates Cc: Jurgen Kramer Reported-by: Jurgen Kramer Acked-by: Maxime Ripard Signed-off-by: Hans de Goede Link: https://patchwork.freedesktop.org/patch/msgid/20190524125759.14131-1-hdegoede@redhat.com (cherry picked from commit 6dab9102dd7b144e5723915438e0d6c473018cd0) commit 0c75376fa3950b9875559dd79f73c36a5498a969 Author: Patrick Havelange Date: Tue Jun 4 16:03:26 2019 +0200 counter/ftm-quaddec: Add missing dependencies in Kconfig This driver uses devm_ioremap and of* functions. This fixes a linking failure with e.g. ARCH=um. Reported-by: kbuild test robot Signed-off-by: Patrick Havelange Fixes: a3b9a99 ("counter: add FlexTimer Module Quadrature decoder counter driver") Signed-off-by: William Breathitt Gray Signed-off-by: Jonathan Cameron commit 767e52f045e1fc080e81a754cc31a39b6cf47b99 Author: Fabio Estevam Date: Wed Jun 5 23:05:32 2019 -0300 staging: iio: adt7316: Fix build errors when GPIOLIB is not set On x86_64 when GPIOLIB is not set the following build errors are seen: drivers/staging/iio/addac/adt7316.c:947:3: error: implicit declaration of function 'gpiod_set_value' [-Werror=implicit-function-declaration] drivers/staging/iio/addac/adt7316.c:1805:2: error: implicit declaration of function 'irqd_get_trigger_type' [-Werror=implicit-function-declaration] These functions are provided by the and headers, so include them to fix these build errors. While at it, remove as this driver is a GPIO consumer and not a GPIO driver. Reported-by: Randy Dunlap Signed-off-by: Fabio Estevam Acked-by: Randy Dunlap # build-tested Signed-off-by: Jonathan Cameron commit aab8445c4e1cceeb3f739352041ec1c2586bc923 Author: Sebastian Andrzej Siewior Date: Fri Jun 7 16:29:16 2019 +0200 x86/fpu: Update kernel's FPU state before using for the fsave header In commit 39388e80f9b0c ("x86/fpu: Don't save fxregs for ia32 frames in copy_fpstate_to_sigframe()") I removed the statement | if (ia32_fxstate) | copy_fxregs_to_kernel(fpu); and argued that it was wrongly merged because the content was already saved in kernel's state. This was wrong: It is required to write it back because it is only saved on the user-stack and save_fsave_header() reads it from task's FPU-state. I missed that part… Save x87 FPU state unless thread's FPU registers are already up to date. Fixes: 39388e80f9b0c ("x86/fpu: Don't save fxregs for ia32 frames in copy_fpstate_to_sigframe()") Reported-by: Eric Biggers Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Borislav Petkov Tested-by: Eric Biggers Cc: Andy Lutomirski Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Hugh Dickins Cc: Ingo Molnar Cc: Jann Horn Cc: "Jason A. Donenfeld" Cc: kvm ML Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Rik van Riel Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/20190607142915.y52mfmgk5lvhll7n@linutronix.de commit 01fb49ff124a5117b5bfe8e9443a5f26101f014f Merge: bd21f0222ada 42cc68868ce9 Author: Greg Kroah-Hartman Date: Sat Jun 8 11:40:41 2019 +0200 Merge tag 'fixes-for-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: USB: fixes for v5.2-rc4 DWC2 gets a fix for zlp handling which allows DWC2 to pass USBCV MSC tests. A memory leak in fusb300 was plugged. DWC2 also got a fix for wMaxPacketSize handling while acting as host which fixes a regression with USB Cameras. Apart from these, the usual set of minor fixes. Signed-off-by: Felipe Balbi * tag 'fixes-for-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb: usb: gadget: udc: lpc32xx: fix return value check in lpc32xx_udc_probe() usb: gadget: dwc2: fix zlp handling usb: dwc2: Set actual frame number for completed ISOC transfer for none DDMA usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i] usb: phy: mxs: Disable external charger detect in mxs_phy_hw_init() usb: dwc2: Fix DMA cache alignment issues usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam regression) commit 79c3ba3206c7680027f61fd4e3d6956a4154bf31 Merge: d4425649c630 671e2ee5ee21 Author: Linus Torvalds Date: Fri Jun 7 17:39:31 2019 -0700 Merge tag 'drm-fixes-2019-06-07-1' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "A small bit more lively this week but not majorly so. I'm away in Japan next week for family holiday, so I'll be pretty disconnected, I've asked Daniel to do fixes for the week while I'm out. The nouveau firmware changes are a bit large, but they address a big problem where a whole set of boards don't load with the driver, and the new firmware fixes that, so I think it's worth trying to land it now. core: - Allow fb changes in async commits (drivers as well) udmabuf: - Unmap scatterlist when unmapping udmabuf nouveau: - firmware loading fixes for secboot firmware on new GPU revision. komeda: - oops, dma mapping and warning fixes arm-hdlcd: - clock fixes - mode validation fix i915: - Add a missing Icelake workaround - GVT - DMA map fault fix and enforcement fixes amdgpu: - DCE resume fix - New raven variation updates" * tag 'drm-fixes-2019-06-07-1' of git://anongit.freedesktop.org/drm/drm: (33 commits) drm/nouveau/secboot/gp10[2467]: support newer FW to fix SEC2 failures on some boards drm/nouveau/secboot: enable loading of versioned LS PMU/SEC2 ACR msgqueue FW drm/nouveau/secboot: split out FW version-specific LS function pointers drm/nouveau/secboot: pass max supported FW version to LS load funcs drm/nouveau/core: support versioned firmware loading drm/nouveau/core: pass subdev into nvkm_firmware_get, rather than device drm/komeda: Potential error pointer dereference drm/komeda: remove set but not used variable 'kcrtc' drm/amd/amdgpu: add RLC firmware to support raven1 refresh drm/amd/powerplay: add set_power_profile_mode for raven1_refresh drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) udmabuf: actually unmap the scatterlist drm/arm/hdlcd: Allow a bit of clock tolerance drm/arm/hdlcd: Actually validate CRTC modes drm/arm/mali-dp: Add a loop around the second set CVAL and try 5 times drm/komeda: fixing of DMA mapping sg segment warning drm: don't block fb changes for async plane updates drm/vc4: fix fb references in async update drm/msm: fix fb references in async update drm/amd: fix fb references in async update ... commit 8f77293cca1f5116edc98d7a0e36c6da3917fc08 Author: Wolfram Sang Date: Mon May 27 21:45:45 2019 +0200 MAINTAINERS: Karthikeyan Ramasubramanian is MIA A mail just bounced back with "user unknown": 550 5.1.1 User doesn't exist I also couldn't find a more recent address in git history. So, remove this stale entry. Signed-off-by: Wolfram Sang commit 49b809586730a77b57ce620b2f9689de765d790b Author: Robert Hancock Date: Tue Jun 4 15:55:51 2019 -0600 i2c: xiic: Add max_read_len quirk This driver does not support reading more than 255 bytes at once because the register for storing the number of bytes to read is only 8 bits. Add a max_read_len quirk to enforce this. This was found when using this driver with the SFP driver, which was previously reading all 256 bytes in the SFP EEPROM in one transaction. This caused a bunch of hard-to-debug errors in the xiic driver since the driver/logic was treating the number of bytes to read as zero. Rejecting transactions that aren't supported at least allows the problem to be diagnosed more easily. Signed-off-by: Robert Hancock Reviewed-by: Michal Simek Signed-off-by: Wolfram Sang Cc: stable@kernel.org commit 3b00691cc46a4089368a008b30655a8343411715 Author: H. Nikolaus Schaller Date: Tue Jun 4 14:35:58 2019 +0200 gpio: pca953x: hack to fix 24 bit gpio expanders 24 bit expanders use REG_ADDR_AI in combination with register addressing. This conflicts with regmap which takes this bit as part of the register number, i.e. a second cache entry is defined for accessed with REG_ADDR_AI being set although on the chip it is the same register as with REG_ADDR_AI being cleared. The problem was introduced by commit b32cecb46bdc ("gpio: pca953x: Extract the register address mangling to single function") but only became visible by commit 8b9f9d4dc511 ("regmap: verify if register is writeable before writing operations") because before, the regmap size was effectively ignored and pca953x_writeable_register() did know to ignore REG_ADDR_AI. Still, there were two separate cache entries created. Since the use of REG_ADDR_AI seems to be static we can work around this issue by simply increasing the size of the regmap to cover the "virtual" registers with REG_ADDR_AI being set. This only means that half of the regmap buffer will be unused. Reported-by: H. Nikolaus Schaller Suggested-by: Linus Walleij Signed-off-by: H. Nikolaus Schaller Signed-off-by: Linus Walleij commit 38e406f600a2b6dca9c262603f6e2a31cfb792b8 Merge: c7e3c93abbc1 4aeba328019a Author: David S. Miller Date: Fri Jun 7 14:46:47 2019 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2019-06-07 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Fix several bugs in riscv64 JIT code emission which forgot to clear high 32-bits for alu32 ops, from Björn and Luke with selftests covering all relevant BPF alu ops from Björn and Jiong. 2) Two fixes for UDP BPF reuseport that avoid calling the program in case of __udp6_lib_err and UDP GRO which broke reuseport_select_sock() assumption that skb->data is pointing to transport header, from Martin. 3) Two fixes for BPF sockmap: a use-after-free from sleep in psock's backlog workqueue, and a missing restore of sk_write_space when psock gets dropped, from Jakub and John. 4) Fix unconnected UDP sendmsg hook API which is insufficient as-is since it breaks standard applications like DNS if reverse NAT is not performed upon receive, from Daniel. 5) Fix an out-of-bounds read in __bpf_skc_lookup which in case of AF_INET6 fails to verify that the length of the tuple is long enough, from Lorenz. 6) Fix libbpf's libbpf__probe_raw_btf to return an fd instead of 0/1 (for {un,}successful probe) as that is expected to be propagated as an fd to load_sk_storage_btf() and thus closing the wrong descriptor otherwise, from Michal. 7) Fix bpftool's JSON output for the case when a lookup fails, from Krzesimir. 8) Minor misc fixes in docs, samples and selftests, from various others. ==================== Signed-off-by: David S. Miller commit 45e7d4c0c1727d362012a62eb57254ea71a2d591 Author: Eli Britstein Date: Sun Jun 2 13:47:59 2019 +0000 net/mlx5e: Support tagged tunnel over bond Stacked devices like bond interface may have a VLAN device on top of them. Detect lag state correctly under this condition, and return the correct routed net device, according to it the encap header is built. Fixes: e32ee6c78efa ("net/mlx5e: Support tunnel encap over tagged Ethernet") Signed-off-by: Eli Britstein Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 47c9d2c99ddeecca61c97618857b70fc7901658b Author: Alaa Hleihel Date: Sun May 26 11:56:27 2019 +0300 net/mlx5e: Avoid detaching non-existing netdev under switchdev mode After introducing dedicated uplink representor, the netdev instance set over the esw manager vport (PF) became no longer in use, so it was removed in the cited commit once we're on switchdev mode. However, the mlx5e_detach function was not updated accordingly, and it still tries to detach a non-existing netdev, causing a kernel crash. This patch fixes this issue. Fixes: aec002f6f82c ("net/mlx5e: Uninstantiate esw manager vport netdev on switchdev mode") Signed-off-by: Alaa Hleihel Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit b83c0730167c7ea6c03bffceefb86ae710ab30e2 Author: Raed Salem Date: Sun Jun 2 12:04:08 2019 +0300 net/mlx5e: Fix source port matching in fdb peer flow rule The cited commit changed the initialization placement of the eswitch attributes so it is done prior to parse tc actions function call, including among others the in_rep and in_mdev fields which are mistakenly reassigned inside the parse actions function. This breaks the source port matching criteria of the peer redirect rule. Fix by removing the now redundant reassignment of the already initialized fields. Fixes: 988ab9c7363a ("net/mlx5e: Introduce mlx5e_flow_esw_attr_init() helper") Signed-off-by: Raed Salem Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 57c70d8740f740498a52f9c0c0d7295829b944de Author: Shay Agroskin Date: Sun Apr 28 10:14:23 2019 +0300 net/mlx5e: Replace reciprocal_scale in TX select queue function The TX queue index returned by the fallback function ranges between [0,NUM CHANNELS - 1] if QoS isn't set and [0, (NUM CHANNELS)*(NUM TCs) -1] otherwise. Our HW uses different TC mapping than the fallback function (which is denoted as 'up', user priority) so we only need to extract a channel number out of the returned value. Since (NUM CHANNELS)*(NUM TCs) is a relatively small number, using reciprocal scale almost always returns zero. We instead access the 'txq2sq' table to extract the sq (and with it the channel number) associated with the tx queue, thus getting a more evenly distributed channel number. Perf: Rx/Tx side with Intel(R) Xeon(R) Silver 4108 CPU @ 1.80GHz and ConnectX-5. Used 'iperf' UDP traffic, 10 threads, and priority 5. Before: 0.566Mpps After: 2.37Mpps As expected, releasing the existing bottleneck of steering all traffic to TX queue zero significantly improves transmission rates. Fixes: 7ccdd0841b30 ("net/mlx5e: Fix select queue callback") Signed-off-by: Shay Agroskin Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit d3cbd4254df881777e2efb68ee10ede0d9dc0647 Author: Chris Mi Date: Thu May 16 17:36:43 2019 +0800 net/mlx5e: Add ndo_set_feature for uplink representor After we have a dedicated uplink representor, the new netdev ops doesn't support ndo_set_feature. Because of that, we can't change some features, eg. rxvlan. Now add it back. In this patch, I also do a cleanup for the features flag handling, eg. remove duplicate NETIF_F_HW_TC flag setting. Fixes: aec002f6f82c ("net/mlx5e: Uninstantiate esw manager vport netdev on switchdev mode") Signed-off-by: Chris Mi Reviewed-by: Roi Dayan Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed commit dd80857bf388abd0c64dd3aa4fbf7d407deba819 Author: Alaa Hleihel Date: Sun May 19 11:11:49 2019 +0300 net/mlx5: Avoid reloading already removed devices Prior to reloading a device we must first verify that it was not already removed. Otherwise, the attempt to remove the device will do nothing, and in that case we will end up proceeding with adding an new device that no one was expecting to remove, leaving behind used resources such as EQs that causes a failure to destroy comp EQs and syndrome (0x30f433). Fix that by making sure that we try to remove and add a device (based on a protocol) only if the device is already added. Fixes: c5447c70594b ("net/mlx5: E-Switch, Reload IB interface when switching devlink modes") Signed-off-by: Alaa Hleihel Signed-off-by: Saeed Mahameed commit 6a6fabbfa3e8c656ff906ae999fb6856410fa4cd Author: Edward Srouji Date: Thu May 23 19:45:38 2019 +0300 net/mlx5: Update pci error handler entries and command translation Add missing entries for create/destroy UCTX and UMEM commands. This could get us wrong "unknown FW command" error in flows where we unbind the device or reset the driver. Also the translation of these commands from opcodes to string was missing. Fixes: 6e3722baac04 ("IB/mlx5: Use the correct commands for UMEM and UCTX allocation") Signed-off-by: Edward Srouji Signed-off-by: Saeed Mahameed commit 0ade0b6240c4853cf9725924c46c10f4251639d7 Author: Cong Wang Date: Tue Apr 16 14:33:51 2019 -0700 RAS/CEC: Convert the timer callback to a workqueue cec_timer_fn() is a timer callback which reads ce_arr.array[] and updates its decay values. However, it runs in interrupt context and the mutex protection the CEC uses for that array, is inadequate. Convert the used timer to a workqueue to keep the tasks the CEC performs preemptible and thus low-prio. [ bp: Rewrite commit message. s/timer/decay/gi to make it agnostic as to what facility is used. ] Fixes: 011d82611172 ("RAS: Add a Corrected Errors Collector") Signed-off-by: Cong Wang Signed-off-by: Borislav Petkov Cc: Thomas Gleixner Cc: Tony Luck Cc: linux-edac Cc: Link: https://lkml.kernel.org/r/20190416213351.28999-2-xiyou.wangcong@gmail.com commit f3c74b38a55aefe1004200d15a83f109b510068c Author: Borislav Petkov Date: Sat Apr 20 13:27:51 2019 +0200 RAS/CEC: Fix binary search function Switch to using Donald Knuth's binary search algorithm (The Art of Computer Programming, vol. 3, section 6.2.1). This should've been done from the very beginning but the author must've been smoking something very potent at the time. The problem with the current one was that it would return the wrong element index in certain situations: https://lkml.kernel.org/r/CAM_iQpVd02zkVJ846cj-Fg1yUNuz6tY5q1Vpj4LrXmE06dPYYg@mail.gmail.com and the noodling code after the loop was fishy at best. So switch to using Knuth's binary search. The final result is much cleaner and straightforward. Fixes: 011d82611172 ("RAS: Add a Corrected Errors Collector") Reported-by: Cong Wang Signed-off-by: Borislav Petkov Cc: Tony Luck Cc: linux-edac Cc: commit 00e5a2bbcc31d5fea853f8daeba0f06c1c88c3ff Author: Baoquan He Date: Thu May 23 10:57:44 2019 +0800 x86/mm/KASLR: Compute the size of the vmemmap section properly The size of the vmemmap section is hardcoded to 1 TB to support the maximum amount of system RAM in 4-level paging mode - 64 TB. However, 1 TB is not enough for vmemmap in 5-level paging mode. Assuming the size of struct page is 64 Bytes, to support 4 PB system RAM in 5-level, 64 TB of vmemmap area is needed: 4 * 1000^5 PB / 4096 bytes page size * 64 bytes per page struct / 1000^4 TB = 62.5 TB. This hardcoding may cause vmemmap to corrupt the following cpu_entry_area section, if KASLR puts vmemmap very close to it and the actual vmemmap size is bigger than 1 TB. So calculate the actual size of the vmemmap region needed and then align it up to 1 TB boundary. In 4-level paging mode it is always 1 TB. In 5-level it's adjusted on demand. The current code reserves 0.5 PB for vmemmap on 5-level. With this change, the space can be saved and thus used to increase entropy for the randomization. [ bp: Spell out how the 64 TB needed for vmemmap is computed and massage commit message. ] Fixes: eedb92abb9bb ("x86/mm: Make virtual memory layout dynamic for CONFIG_X86_5LEVEL=y") Signed-off-by: Baoquan He Signed-off-by: Borislav Petkov Reviewed-by: Kees Cook Acked-by: Kirill A. Shutemov Cc: Andy Lutomirski Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: kirill.shutemov@linux.intel.com Cc: Peter Zijlstra Cc: stable Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/20190523025744.3756-1-bhe@redhat.com commit fd704bd5ee749d560e86c4f1fd2ef486d8abf7cf Author: Willem de Bruijn Date: Fri Jun 7 16:46:07 2019 -0400 can: purge socket error queue on sock destruct CAN supports software tx timestamps as of the below commit. Purge any queued timestamp packets on socket destroy. Fixes: 51f31cabe3ce ("ip: support for TX timestamps on UDP and RAW sockets") Reported-by: syzbot+a90604060cb40f5bdd16@syzkaller.appspotmail.com Signed-off-by: Willem de Bruijn Cc: linux-stable Signed-off-by: Marc Kleine-Budde commit eb503004a7e563d543c9cb869907156de7efe720 Author: Fabio Estevam Date: Tue Jun 4 15:49:42 2019 -0300 can: flexcan: Remove unneeded registration message Currently the following message is observed when the flexcan driver is probed: flexcan 2090000.flexcan: device registered (reg_base=(ptrval), irq=23) The reason for printing 'ptrval' is explained at Documentation/core-api/printk-formats.rst: "Pointers printed without a specifier extension (i.e unadorned %p) are hashed to prevent leaking information about the kernel memory layout. This has the added benefit of providing a unique identifier. On 64-bit machines the first 32 bits are zeroed. The kernel will print ``(ptrval)`` until it gathers enough entropy." Instead of passing %pK, which can print the correct address, simply remove the entire message as it is not really that useful. Signed-off-by: Fabio Estevam Signed-off-by: Marc Kleine-Budde commit c5a3aed1cd3152429348ee1fe5cdcca65fe901ce Author: YueHaibing Date: Thu May 16 22:36:26 2019 +0800 can: af_can: Fix error path of can_init() This patch add error path for can_init() to avoid possible crash if some error occurs. Fixes: 0d66548a10cb ("[CAN]: Add PF_CAN core module") Signed-off-by: YueHaibing Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde commit 3e82f2f34c930a2a0a9e69fdc2de2f2f1388b442 Author: Eugen Hristev Date: Mon Mar 4 14:44:13 2019 +0000 can: m_can: implement errata "Needless activation of MRAF irq" During frame reception while the MCAN is in Error Passive state and the Receive Error Counter has thevalue MCAN_ECR.REC = 127, it may happen that MCAN_IR.MRAF is set although there was no Message RAM access failure. If MCAN_IR.MRAF is enabled, an interrupt to the Host CPU is generated. Work around: The Message RAM Access Failure interrupt routine needs to check whether MCAN_ECR.RP = '1' and MCAN_ECR.REC = '127'. In this case, reset MCAN_IR.MRAF. No further action is required. This affects versions older than 3.2.0 Errata explained on Sama5d2 SoC which includes this hardware block: http://ww1.microchip.com/downloads/en/DeviceDoc/SAMA5D2-Family-Silicon-Errata-and-Data-Sheet-Clarification-DS80000803B.pdf chapter 6.2 Reproducibility: If 2 devices with m_can are connected back to back, configuring different bitrate on them will lead to interrupt storm on the receiving side, with error "Message RAM access failure occurred". Another way is to have a bad hardware connection. Bad wire connection can lead to this issue as well. This patch fixes the issue according to provided workaround. Signed-off-by: Eugen Hristev Reviewed-by: Ludovic Desroches Signed-off-by: Marc Kleine-Budde commit 35b7fa4d07c43ad79b88e6462119e7140eae955c Author: Sean Nyekjaer Date: Tue May 7 11:34:36 2019 +0200 can: mcp251x: add support for mcp25625 Fully compatible with mcp2515, the mcp25625 have integrated transceiver. This patch adds support for the mcp25625 to the existing mcp251x driver. Signed-off-by: Sean Nyekjaer Signed-off-by: Marc Kleine-Budde commit 0df82dcd55832a99363ab7f9fab954fcacdac3ae Author: Sean Nyekjaer Date: Tue May 7 11:34:37 2019 +0200 dt-bindings: can: mcp251x: add mcp25625 support Fully compatible with mcp2515, the mcp25625 have integrated transceiver. This patch add the mcp25625 to the device tree bindings documentation. Signed-off-by: Sean Nyekjaer Signed-off-by: Marc Kleine-Budde commit 904044dd8fff43e289c11a2f90fa532e946a1d8b Author: Anssi Hannula Date: Tue Sep 11 14:47:46 2018 +0300 can: xilinx_can: use correct bittiming_const for CAN FD core Commit 9e5f1b273e6a ("can: xilinx_can: add support for Xilinx CAN FD core") added a new can_bittiming_const structure for CAN FD cores that support larger values for tseg1, tseg2, and sjw than previous Xilinx CAN cores, but the commit did not actually take that into use. Fix that. Tested with CAN FD core on a ZynqMP board. Fixes: 9e5f1b273e6a ("can: xilinx_can: add support for Xilinx CAN FD core") Reported-by: Shubhrajyoti Datta Signed-off-by: Anssi Hannula Cc: Michal Simek Reviewed-by: Shubhrajyoti Datta Cc: linux-stable Signed-off-by: Marc Kleine-Budde commit 247e5356a709eb49a0d95ff2a7f07dac05c8252c Author: Joakim Zhang Date: Thu Jan 31 09:37:22 2019 +0000 can: flexcan: fix timeout when set small bitrate Current we can meet timeout issue when setting a small bitrate like 10000 as follows on i.MX6UL EVK board (ipg clock = 66MHZ, per clock = 30MHZ): | root@imx6ul7d:~# ip link set can0 up type can bitrate 10000 A link change request failed with some changes committed already. Interface can0 may have been left with an inconsistent configuration, please check. | RTNETLINK answers: Connection timed out It is caused by calling of flexcan_chip_unfreeze() timeout. Originally the code is using usleep_range(10, 20) for unfreeze operation, but the patch (8badd65 can: flexcan: avoid calling usleep_range from interrupt context) changed it into udelay(10) which is only a half delay of before, there're also some other delay changes. After double to FLEXCAN_TIMEOUT_US to 100 can fix the issue. Meanwhile, Rasmus Villemoes reported that even with a timeout of 100, flexcan_probe() fails on the MPC8309, which requires a value of at least 140 to work reliably. 250 works for everyone. Signed-off-by: Joakim Zhang Reviewed-by: Dong Aisheng Cc: linux-stable Signed-off-by: Marc Kleine-Budde commit 0ed89d777dd6ed3110f1c64c898f84b4ce685e57 Author: Alexander Dahl Date: Tue Jan 22 14:55:42 2019 +0100 can: usb: Kconfig: Remove duplicate menu entry This seems to have slipped in by accident when sorting the entries. Fixes: ffbdd9172ee2f53020f763574b4cdad8d9760a4f Signed-off-by: Alexander Dahl Signed-off-by: Marc Kleine-Budde commit d4425649c63018e96e5402807c9e7bc5272f7b3b Merge: 893a7d32e8e0 4a60570dce65 Author: Linus Torvalds Date: Fri Jun 7 13:38:53 2019 -0700 Merge tag 'hwmon-for-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - Fix a couple of inconsistencies and locking problems in pmbus driver - Register with thermal subsystem only on systems supporting devicetree * tag 'hwmon-for-v5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (pmbus/core) Treat parameters as paged if on multiple pages hwmon: (pmbus/core) mutex_lock write in pmbus_set_samples hwmon: (core) add thermal sensors only if dev->of_node is present commit 893a7d32e8e04ca4d6c882336b26ed660ca0a48d Author: Jan Glauber Date: Wed Jun 5 15:48:49 2019 +0200 lockref: Limit number of cmpxchg loop retries The lockref cmpxchg loop is unbound as long as the spinlock is not taken. Depending on the hardware implementation of compare-and-swap a high number of loop retries might happen. Add an upper bound to the loop to force the fallback to spinlocks after some time. A retry value of 100 should not impact any hardware that does not have this issue. With the retry limit the performance of an open-close testcase improved between 60-70% on ThunderX2. Suggested-by: Linus Torvalds Signed-off-by: Jan Glauber Signed-off-by: Linus Torvalds commit d93445225cd3c8eb0bf1350c04875576428b45b4 Author: Andrey Konovalov Date: Tue Jun 4 14:04:47 2019 +0200 uaccess: add noop untagged_addr definition Architectures that support memory tagging have a need to perform untagging (stripping the tag) in various parts of the kernel. This patch adds an untagged_addr() macro, which is defined as noop for architectures that do not support memory tagging. The oncoming patch series will define it at least for sparc64 and arm64. Acked-by: Catalin Marinas Reviewed-by: Khalid Aziz Signed-off-by: Andrey Konovalov Signed-off-by: Linus Torvalds commit d18c7e9d6e4e0ba358459e812bf115b4ccef54ce Merge: 33de0d1c68a5 adefd051a670 Author: Linus Torvalds Date: Fri Jun 7 13:06:00 2019 -0700 Merge tag 'xtensa-20190607' of git://github.com/jcmvbkbc/linux-xtensa Pull xtensa fix from Max Filippov: "Fix a section mismatch between memblock_reserve and mem_reserve. This fixes tinyconfig xtensa builds" * tag 'xtensa-20190607' of git://github.com/jcmvbkbc/linux-xtensa: xtensa: Fix section mismatch between memblock_reserve and mem_reserve commit 6c70f899b8089ae23cdb4aa63050e3df4e20c71e Merge: 19e9da9e86c4 62f99b62e5e3 Author: Jens Axboe Date: Fri Jun 7 14:04:28 2019 -0600 Merge branch 'nvme-5.2-rc-next' of git://git.infradead.org/nvme into for-linus Pull NVMe fixes from Sagi. * 'nvme-5.2-rc-next' of git://git.infradead.org/nvme: nvme-rdma: use dynamic dma mapping per command nvme: Fix u32 overflow in the number of namespace list calculation nvmet: fix data_len to 0 for bdev-backed write_zeroes nvme-tcp: fix queue mapping when queue count is limited nvme-rdma: fix queue mapping when queue count is limited commit c7e3c93abbc1382923c7f4fe5ba9ea6aa0fa8d0e Merge: 1e1d92636954 69ae4f6aac15 Author: David S. Miller Date: Fri Jun 7 12:16:26 2019 -0700 Merge tag 'wireless-drivers-for-davem-2019-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 5.2 First set of fixes for 5.2. Most important here are buffer overflow fixes for mwifiex. rtw88 * fix out of bounds compiler warning * fix rssi handling to get 4x more throughput * avoid circular locking rsi * fix unitilised data warning, these are hopefully the last ones so that the warning can be enabled by default mwifiex * fix buffer overflows iwlwifi * remove not used debugfs file * various fixes ==================== Signed-off-by: David S. Miller commit 33de0d1c68a5127e923363349c349d90c7da06a1 Merge: 91f152e75bcd 913ab9780fc0 Author: Linus Torvalds Date: Fri Jun 7 11:59:20 2019 -0700 Merge tag 'kbuild-fixes-v5.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull more Kbuild fixes from Masahiro Yamada: - fix kselftest-merge to find config fragments in deeper directories - fix kconfig unit test, which was broken by SPDX tag addition - add + prefix to buildtar to suppress jobserver unavailable warning - fix checkstack.pl to recognize arch=arm64 - suppress noisy warning from cc-cross-prefix * tag 'kbuild-fixes-v5.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kbuild: use more portable 'command -v' for cc-cross-prefix scripts/checkstack.pl: Fix arm64 wrong or unknown architecture kbuild: tar-pkg: enable communication with jobserver kconfig: tests: fix recursive inclusion unit test kbuild: teach kselftest-merge to find nested config files commit 91f152e75bcdba95130ec5fdb1010e91a48d9a11 Merge: a373ec23ab52 739799314587 Author: Linus Torvalds Date: Fri Jun 7 11:52:31 2019 -0700 Merge tag 'mmc-v5.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: "Here's a couple of MMC and MEMSTICK fixes: MMC host: - sdhci: Fix SDIO IRQ thread deadlock - sdhci-tegra: Fix a warning message - sdhci_am654: Fix SLOTTYPE write - meson-gx: Fix IRQ ack - tmio: Fix SCC error handling to avoid false positive CRC error MEMSTICK core: - mspro_block: Fix returning a correct error code" * tag 'mmc-v5.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: sdhci_am654: Fix SLOTTYPE write mmc: sdhci: Fix SDIO IRQ thread deadlock mmc: meson-gx: fix irq ack mmc: tmio: fix SCC error handling to avoid false positive CRC error mmc: tegra: Fix a warning message memstick: mspro_block: Fix an error code in mspro_block_issue_req() commit a373ec23ab527c3202eb05e4f9d0eba2d83a7b27 Merge: de9f869616dd a964d23c94e8 Author: Linus Torvalds Date: Fri Jun 7 11:36:17 2019 -0700 Merge tag 'pm-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These fix a crash during resume from hibernation introduced during the 4.19 cycle, cause the new Performance and Energy Bias Hint (EPB) code to be built only if CONFIG_PM is set and add a few missing kerneldoc comments. Specifics: - Fix a crash that occurs when a kernel with 'nosmt' in the command line is used to resume the system from hibernation (as the "restore" kernel), because memory mapping differences between the restore and image kernels cause SMT siblings to be woken up from idle states and subsequently they try to fetch instructions from incorrect memory locations (Jiri Kosina). - Cause the new Performance and Energy Bias Hint (EPB) code to be built only if CONFIG_PM is set, because that code is not really necessary otherwise (Rafael Wysocki). - Add kerneldoc comments to documents some helper functions related to system-wide suspend to avoid possible confusion regarding their purpose (Rafael Wysocki)" * tag 'pm-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: x86/power: Fix 'nosmt' vs hibernation triple fault during resume PM: sleep: Add kerneldoc comments to some functions x86: intel_epb: Do not build when CONFIG_PM is unset commit de9f869616dd95e95c00bdd6b0fcd3421e8a4323 Author: Jann Horn Date: Sun Jun 2 03:15:58 2019 +0200 x86/insn-eval: Fix use-after-free access to LDT entry get_desc() computes a pointer into the LDT while holding a lock that protects the LDT from being freed, but then drops the lock and returns the (now potentially dangling) pointer to its caller. Fix it by giving the caller a copy of the LDT entry instead. Fixes: 670f928ba09b ("x86/insn-eval: Add utility function to get segment descriptor") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Signed-off-by: Linus Torvalds commit 1e1d926369545ea09c98c6c7f5d109aa4ee0cd0b Merge: 6e38335dcc70 720f1de4021f Author: Linus Torvalds Date: Fri Jun 7 09:29:14 2019 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Free AF_PACKET po->rollover properly, from Willem de Bruijn. 2) Read SFP eeprom in max 16 byte increments to avoid problems with some SFP modules, from Russell King. 3) Fix UDP socket lookup wrt. VRF, from Tim Beale. 4) Handle route invalidation properly in s390 qeth driver, from Julian Wiedmann. 5) Memory leak on unload in RDS, from Zhu Yanjun. 6) sctp_process_init leak, from Neil HOrman. 7) Fix fib_rules rule insertion semantic change that broke Android, from Hangbin Liu. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (33 commits) pktgen: do not sleep with the thread lock held. net: mvpp2: Use strscpy to handle stat strings net: rds: fix memory leak in rds_ib_flush_mr_pool ipv6: fix EFAULT on sendto with icmpv6 and hdrincl ipv6: use READ_ONCE() for inet->hdrincl as in ipv4 Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied" net: aquantia: fix wol configuration not applied sometimes ethtool: fix potential userspace buffer overflow Fix memory leak in sctp_process_init net: rds: fix memory leak when unload rds_rdma ipv6: fix the check before getting the cookie in rt6_get_cookie ipv4: not do cache for local delivery if bc_forwarding is enabled s390/qeth: handle error when updating TX queue count s390/qeth: fix VLAN attribute in bridge_hostnotify udev event s390/qeth: check dst entry before use s390/qeth: handle limited IPv4 broadcast in L3 TX path net: fix indirect calls helpers for ptype list hooks. net: ipvlan: Fix ipvlan device tso disabled while NETIF_F_IP_CSUM is set udp: only choose unbound UDP socket for multicast when not in a VRF net/tls: replace the sleeping lock around RX resync with a bit lock ... commit 6e38335dcc70f03faba26bf1260ee024d930afe1 Merge: a02a532c2a6c 4f240dfec6bc Author: Linus Torvalds Date: Fri Jun 7 09:25:27 2019 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "Things are looking pretty quiet here in RDMA, not too many bug fixes rolling in right now. The usual driver bug fixes and fixes for a couple of regressions introduced in 5.2: - Fix a race on bootup with RDMA device renaming and srp. SRP also needs to rename its internal sys files - Fix a memory leak in hns - Don't leak resources in efa on certain error unwinds - Don't panic in certain error unwinds in ib_register_device - Various small user visible bug fix patches for the hfi and efa drivers - Fix the 32 bit compilation break" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/efa: Remove MAYEXEC flag check from mmap flow mlx5: avoid 64-bit division IB/hfi1: Validate page aligned for a given virtual address IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value IB/hfi1: Insure freeze_work work_struct is canceled on shutdown IB/rdmavt: Fix alloc_qpn() WARN_ON() RDMA/core: Fix panic when port_data isn't initialized RDMA/uverbs: Pass udata on uverbs error unwind RDMA/core: Clear out the udata before error unwind RDMA/hns: Fix PD memory leak for internal allocation RDMA/srp: Rename SRP sysfs name after IB device rename trigger commit a02a532c2a6c79a898cd6c430fe3ad011d9aece3 Merge: 16d72dd4891f ebcc5928c5d9 Author: Linus Torvalds Date: Fri Jun 7 09:21:48 2019 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: "Another round of mostly-benign fixes, the exception being a boot crash on SVE2-capable CPUs (although I don't know where you'd find such a thing, so maybe it's benign too). We're in the process of resolving some big-endian ptrace breakage, so I'll probably have some more for you next week. Summary: - Fix boot crash on platforms with SVE2 due to missing register encoding - Fix architected timer accessors when CONFIG_OPTIMIZE_INLINING=y - Move cpu_logical_map into smp.h for use by upcoming irqchip drivers - Trivial typo fix in comment - Disable some useless, noisy warnings from GCC 9" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: Silence gcc warnings about arch ABI drift ARM64: trivial: s/TIF_SECOMP/TIF_SECCOMP/ comment typo fix arm64: arch_timer: mark functions as __always_inline arm64: smp: Moved cpu_logical_map[] to smp.h arm64: cpufeature: Fix missing ZFR0 in __read_sysreg_by_encoding() commit 913ab9780fc021298949cc5514d6255a008e69f9 Author: Masahiro Yamada Date: Thu Jun 6 13:13:58 2019 +0900 kbuild: use more portable 'command -v' for cc-cross-prefix To print the pathname that will be used by shell in the current environment, 'command -v' is a standardized way. [1] 'which' is also often used in scripts, but it is less portable. When I worked on commit bd55f96fa9fc ("kbuild: refactor cc-cross-prefix implementation"), I was eager to use 'command -v' but it did not work. (The reason is explained below.) I kept 'which' as before but got rid of '> /dev/null 2>&1' as I thought it was no longer needed. Sorry, I was wrong. It works well on my Ubuntu machine, but Alexey Brodkin reports noisy warnings on CentOS7 when 'which' fails to find the given command in the PATH environment. $ which foo which: no foo in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin) Given that behavior of 'which' depends on system (and it may not be installed by default), I want to try 'command -v' once again. The specification [1] clearly describes the behavior of 'command -v' when the given command is not found: Otherwise, no output shall be written and the exit status shall reflect that the name was not found. However, we need a little magic to use 'command -v' from Make. $(shell ...) passes the argument to a subshell for execution, and returns the standard output of the command. Here is a trick. GNU Make may optimize this by executing the command directly instead of forking a subshell, if no shell special characters are found in the command and omitting the subshell will not change the behavior. In this case, no shell special character is used. So, Make will try to run it directly. However, 'command' is a shell-builtin command, then Make would fail to find it in the PATH environment: $ make ARCH=m68k defconfig make: command: Command not found make: command: Command not found make: command: Command not found In fact, Make has a table of shell-builtin commands because it must ask the shell to execute them. Until recently, 'command' was missing in the table. This issue was fixed by the following commit: | commit 1af314465e5dfe3e8baa839a32a72e83c04f26ef | Author: Paul Smith | Date: Sun Nov 12 18:10:28 2017 -0500 | | * job.c: Add "command" as a known shell built-in. | | This is not a POSIX shell built-in but it's common in UNIX shells. | Reported by Nick Bowler . Because the latest release is GNU Make 4.2.1 in 2016, this commit is not included in any released versions. (But some distributions may have back-ported it.) We need to trick Make to spawn a subshell. There are various ways to do so: 1) Use a shell special character '~' as dummy $(shell : ~; command -v $(c)gcc) 2) Use a variable reference that always expands to the empty string (suggested by David Laight) $(shell command$${x:+} -v $(c)gcc) 3) Use redirect $(shell command -v $(c)gcc 2>/dev/null) I chose 3) to not confuse people. The stderr would not be polluted anyway, but it will provide extra safety, and is easy to understand. Tested on Make 3.81, 3.82, 4.0, 4.1, 4.2, 4.2.1 [1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/command.html Fixes: bd55f96fa9fc ("kbuild: refactor cc-cross-prefix implementation") Cc: linux-stable # 5.1 Reported-by: Alexey Brodkin Signed-off-by: Masahiro Yamada Tested-by: Alexey Brodkin commit 0ab0d7ac2090eae30f1c0b01ae981bb7a368f598 Author: Vasily Gorbik Date: Thu Jun 6 16:58:45 2019 +0200 s390/unwind: correct stack switching during unwind Adjust conditions in on_stack function. That fixes backchain unwinder which was unable to read pt_regs at the very bottom of the stack and hence couldn't follow stacks (e.g. from async stack to a task stack). Fixes: 78c98f907413 ("s390/unwind: introduce stack unwind API") Reported-by: Julian Wiedmann Reviewed-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Heiko Carstens commit 625d7d3518875c4d303c652a198feaa13d9f52d9 Author: Don Brace Date: Mon Jun 3 16:43:29 2019 -0500 scsi: hpsa: correct ioaccel2 chaining - set ioaccel2_sg_element member 'chain_indicator' to IOACCEL2_LAST_SG for the last s/g element. - set ioaccel2_sg_element member 'chain_indicator' to IOACCEL2_CHAIN when chaining. Reviewed-by: Bader Ali - Saleh Reviewed-by: Scott Teel Reviewed-by: Matt Perricone Signed-off-by: Don Brace Signed-off-by: Martin K. Petersen commit 8103d10b71610aa65a65d6611cd3ad3f3bd7beeb Author: Nikolay Borisov Date: Mon Jun 3 13:06:00 2019 +0300 btrfs: Always trim all unallocated space in btrfs_trim_free_extents This patch removes support for range parameters of FITRIM ioctl when trimming unallocated space on devices. This is necessary since ranges passed from user space are generally interpreted as logical addresses, whereas btrfs_trim_free_extents used to interpret them as device physical extents. This could result in counter-intuitive behavior for users so it's best to remove that support altogether. Additionally, the existing range support had a bug where if an offset was passed to FITRIM which overflows u64 e.g. -1 (parsed as u64 18446744073709551615) then wrong data was fed into btrfs_issue_discard, which in turn leads to wrap-around when aligning the passed range and results in wrong regions being discarded which leads to data corruption. Fixes: c2d1b3aae336 ("btrfs: Honour FITRIM range constraints during free space trim") Reviewed-by: Qu Wenruo Signed-off-by: Nikolay Borisov Signed-off-by: David Sterba commit 8a3dca632538c550930ce8bafa8c906b130d35cf Author: Guillaume Nault Date: Thu Jun 6 18:04:00 2019 +0200 netfilter: ipv6: nf_defrag: accept duplicate fragments again When fixing the skb leak introduced by the conversion to rbtree, I forgot about the special case of duplicate fragments. The condition under the 'insert_error' label isn't effective anymore as nf_ct_frg6_gather() doesn't override the returned value anymore. So duplicate fragments now get NF_DROP verdict. To accept duplicate fragments again, handle them specially as soon as inet_frag_queue_insert() reports them. Return -EINPROGRESS which will translate to NF_STOLEN verdict, like any accepted fragment. However, such packets don't carry any new information and aren't queued, so we just drop them immediately. Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments") Signed-off-by: Guillaume Nault Signed-off-by: Pablo Neira Ayuso commit c21f5a9ed85ca3e914ca11f421677ae9ae0d04b0 Author: Christophe Leroy Date: Mon Jun 3 13:00:51 2019 +0000 powerpc/32s: fix booting with CONFIG_PPC_EARLY_DEBUG_BOOTX When booting through OF, setup_disp_bat() does nothing because disp_BAT are not set. By change, it used to work because BOOTX buffer is mapped 1:1 at address 0x81000000 by the bootloader, and btext_setup_display() sets virt addr same as phys addr. But since commit 215b823707ce ("powerpc/32s: set up an early static hash table for KASAN."), a temporary page table overrides the bootloader mapping. This 0x81000000 is also problematic with the newly implemented Kernel Userspace Access Protection (KUAP) because it is within user address space. This patch fixes those issues by properly setting disp_BAT through a call to btext_prepare_BAT(), allowing setup_disp_bat() to properly setup BAT3 for early bootx screen buffer access. Reported-by: Mathieu Malaterre Fixes: 215b823707ce ("powerpc/32s: set up an early static hash table for KASAN.") Signed-off-by: Christophe Leroy Tested-by: Mathieu Malaterre Signed-off-by: Michael Ellerman commit a964d23c94e8177c501fc9a37dcf1f0dd2750527 Merge: a61373476127 ec527c318036 Author: Rafael J. Wysocki Date: Fri Jun 7 10:48:57 2019 +0200 Merge branch 'pm-x86' * pm-x86: x86/power: Fix 'nosmt' vs hibernation triple fault during resume x86: intel_epb: Do not build when CONFIG_PM is unset commit 0b84933db7f2d1349d77d6db2d6ba17f06da1208 Author: Neil Armstrong Date: Wed Jun 5 16:12:53 2019 +0200 drm/meson: fix G12A primary plane disabling The G12A Primary plane was disabled by writing in the OSD1 configuration registers, but this caused the plane blender to stall instead of continuing to blend only the overlay plane. Fix this by disabling the OSD1 plane in the blender registers, and also enabling it back using the same register. Fixes: 490f50c109d1 ("drm/meson: Add G12A support for OSD1 Plane") Signed-off-by: Neil Armstrong Reviewed-by: Kevin Hilman [narmstrong: fixed nit in commit log] Link: https://patchwork.freedesktop.org/patch/msgid/20190605141253.24165-3-narmstrong@baylibre.com commit c03ea50e27ec44c2ed6adda48f2a495ce424ce46 Author: Neil Armstrong Date: Wed Jun 5 16:12:52 2019 +0200 drm/meson: fix primary plane disabling The primary plane disable logic is flawed, when the primary plane is disabled, it is re-enabled in the vsync irq when another plane is updated. Handle the plane disabling correctly by handling the primary plane enable flag in the primary plane update & disable callbacks. Fixes: 490f50c109d1 ("drm/meson: Add G12A support for OSD1 Plane") Signed-off-by: Neil Armstrong Reviewed-by: Kevin Hilman Link: https://patchwork.freedesktop.org/patch/msgid/20190605141253.24165-2-narmstrong@baylibre.com commit e98c7952db1a832c671ef70d00bfe0365069e5ff Author: Neil Armstrong Date: Wed Jun 5 14:53:20 2019 +0200 drm/meson: fix G12A HDMI PLL settings for 4K60 1000/1001 variations The Amlogic G12A HDMI PLL needs some specific settings to lock with different fractional values for the 5,4GHz mode. Handle the 1000/1001 variation fractional case here to avoid having the PLL in an non lockable state. Fixes: 202b9808f8ed ("drm/meson: Add G12A Video Clock setup") Signed-off-by: Neil Armstrong Reviewed-by: Kevin Hilman Link: https://patchwork.freedesktop.org/patch/msgid/20190605125320.8708-1-narmstrong@baylibre.com commit 19e9da9e86c43687ed6a56bd39a52c6649973a35 Author: Angelo Ruocco Date: Tue May 21 10:01:55 2019 +0200 block, bfq: add weight symlink to the bfq.weight cgroup parameter Many userspace tools and services use the proportional-share policy of the blkio/io cgroups controller. The CFQ I/O scheduler implemented this policy for the legacy block layer. To modify the weight of a group in case CFQ was in charge, the 'weight' parameter of the group must be modified. On the other hand, the BFQ I/O scheduler implements the same policy in blk-mq, but, with BFQ, the parameter to modify has a different name: bfq.weight (forced choice until legacy block was present, because two different policies cannot share a common parameter in cgroups). Due to CFQ legacy, most if not all userspace configurations still use the parameter 'weight', and for the moment do not seem likely to be changed. But, when CFQ went away with legacy block, such a parameter ceased to exist. So, a simple workaround has been proposed [1] to make all configurations work: add a symlink, named weight, to bfq.weight. This commit adds such a symlink. [1] https://lkml.org/lkml/2019/4/8/555 Suggested-by: Johannes Thumshirn Signed-off-by: Angelo Ruocco Signed-off-by: Paolo Valente Signed-off-by: Jens Axboe commit 54b7b868e826b294687c439b68ec55fe20cafe5b Author: Angelo Ruocco Date: Tue May 21 10:01:54 2019 +0200 cgroup: let a symlink too be created with a cftype file This commit enables a cftype to have a symlink (of any name) that points to the file associated with the cftype. Signed-off-by: Angelo Ruocco Signed-off-by: Paolo Valente Signed-off-by: Jens Axboe commit 671e2ee5ee2127179ca884b439ab6001a623edd6 Merge: e659b4122cf9 ab4bec16d4bc Author: Dave Airlie Date: Fri Jun 7 17:14:19 2019 +1000 Merge branch 'linux-5.2' of git://github.com/skeggsb/linux into drm-fixes " This is a bit more than I'd like to be pushing at this point in a cycle, but it's a fairly important issue. There's been numerous reports of more recent GP10[2467] boards failing to load, and I've worked with NVIDIA FW engineers and tracked this down to the FW we've been using not properly supporting the boards in question. I've pushed an update to linux-firmware with the new FW version, which unfortunately contains API changes vs the older firmware. This series teaches the ACR subsystem inside nouveau enough to be able to deal with supporting multiple incompatible FW revisions, and adds support to the relevant chipsets for loading the newer FW revision, if it's available." Signed-off-by: Dave Airlie From: Ben Skeggs Link: https://patchwork.freedesktop.org/patch/msgid/CACAvsv7pG+vur0Kn_TyU3ainnkvJVw07upnnaQNOToF+kzQtDQ@mail.gmail.com commit a00196a272161338d4b1d66ec69e3d57c6b280e0 Author: Nicholas Piggin Date: Fri Jun 7 13:56:36 2019 +1000 powerpc/64s: __find_linux_pte() synchronization vs pmdp_invalidate() The change to pmdp_invalidate() to mark the pmd with _PAGE_INVALID broke the synchronisation against lock free lookups, __find_linux_pte()'s pmd_none() check no longer returns true for such cases. Fix this by adding a check for this condition as well. Fixes: da7ad366b497 ("powerpc/mm/book3s: Update pmd_present to look at _PAGE_PRESENT bit") Cc: stable@vger.kernel.org # v4.20+ Suggested-by: Aneesh Kumar K.V Signed-off-by: Nicholas Piggin Reviewed-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman commit 33258a1db165cf43a9e6382587ad06e9b7f8187c Author: Nicholas Piggin Date: Fri Jun 7 13:56:35 2019 +1000 powerpc/64s: Fix THP PMD collapse serialisation Commit 1b2443a547f9 ("powerpc/book3s64: Avoid multiple endian conversion in pte helpers") changed the actual bitwise tests in pte_access_permitted by using pte_write() and pte_present() helpers rather than raw bitwise testing _PAGE_WRITE and _PAGE_PRESENT bits. The pte_present() change now returns true for PTEs which are !_PAGE_PRESENT and _PAGE_INVALID, which is the combination used by pmdp_invalidate() to synchronize access from lock-free lookups. pte_access_permitted() is used by pmd_access_permitted(), so allowing GUP lock free access to proceed with such PTEs breaks this synchronisation. This bug has been observed on a host using the hash page table MMU, with random crashes and corruption in guests, usually together with bad PMD messages in the host. Fix this by adding an explicit check in pmd_access_permitted(), and documenting the condition explicitly. The pte_write() change should be okay, and would prevent GUP from falling back to the slow path when encountering savedwrite PTEs, which matches what x86 (that does not implement savedwrite) does. Fixes: 1b2443a547f9 ("powerpc/book3s64: Avoid multiple endian conversion in pte helpers") Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Nicholas Piggin Reviewed-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman commit 6c284228eb356a1ec62a704b4d2329711831eaed Author: Christophe Leroy Date: Mon Jun 3 08:20:28 2019 +0000 powerpc: Fix kexec failure on book3s/32 In the old days, _PAGE_EXEC didn't exist on 6xx aka book3s/32. Therefore, allthough __mapin_ram_chunk() was already mapping kernel text with PAGE_KERNEL_TEXT and the rest with PAGE_KERNEL, the entire memory was executable. Part of the memory (first 512kbytes) was mapped with BATs instead of page table, but it was also entirely mapped as executable. In commit 385e89d5b20f ("powerpc/mm: add exec protection on powerpc 603"), we started adding exec protection to some 6xx, namely the 603, for pages mapped via pagetables. Then, in commit 63b2bc619565 ("powerpc/mm/32s: Use BATs for STRICT_KERNEL_RWX"), the exec protection was extended to BAT mapped memory, so that really only the kernel text could be executed. The problem here is that kexec is based on copying some code into upper part of memory then executing it from there in order to install a fresh new kernel at its definitive location. However, the code is position independant and first part of it is just there to deactivate the MMU and jump to the second part. So it is possible to run this first part inplace instead of running the copy. Once the MMU is off, there is no protection anymore and the second part of the code will just run as before. Reported-by: Aaro Koskinen Fixes: 63b2bc619565 ("powerpc/mm/32s: Use BATs for STRICT_KERNEL_RWX") Cc: stable@vger.kernel.org # v5.1+ Signed-off-by: Christophe Leroy Tested-by: Aaro Koskinen Signed-off-by: Michael Ellerman commit 1571c029a2ff289683ddb0a32253850363bcb8a7 Author: Jan Kara Date: Thu Jun 6 11:10:28 2019 +0200 dax: Fix xarray entry association for mixed mappings When inserting entry into xarray, we store mapping and index in corresponding struct pages for memory error handling. When it happened that one process was mapping file at PMD granularity while another process at PTE granularity, we could wrongly deassociate PMD range and then reassociate PTE range leaving the rest of struct pages in PMD range without mapping information which could later cause missed notifications about memory errors. Fix the problem by calling the association / deassociation code if and only if we are really going to update the xarray (deassociating and associating zero or empty entries is just no-op so there's no reason to complicate the code with trying to avoid the calls for these cases). Cc: Fixes: d2c997c0f145 ("fs, dax: use page->mapping to warn if truncate...") Signed-off-by: Jan Kara Signed-off-by: Dan Williams commit ab4bec16d4bc21e7b500e519c90e82b063c0df15 Author: Ben Skeggs Date: Thu Jun 6 16:28:35 2019 +1000 drm/nouveau/secboot/gp10[2467]: support newer FW to fix SEC2 failures on some boards Some newer boards with these chipsets aren't compatible with the prior version of the SEC2 FW, and fail to load as a result. This newer FW is actually the one we already use on >=GP108. Unfortunately, there are interface differences in GP108's FW, making it impossible to simply move files around in linux-firmware to solve this. We need to be able to keep compatibility with all linux-firmware/kernel combinations, which means supporting both firmwares. Signed-off-by: Ben Skeggs commit 9352ce3775123603119419f8c44a6afe4c44e27e Author: Ben Skeggs Date: Thu Jun 6 16:32:31 2019 +1000 drm/nouveau/secboot: enable loading of versioned LS PMU/SEC2 ACR msgqueue FW Some chipsets will be switching to updated SEC2 LS firmware, so we need to plumb that through. Signed-off-by: Ben Skeggs commit 5f0f8b573a792805b9ea326cd4a81f6414f7ddc5 Author: Ben Skeggs Date: Thu Jun 6 15:57:14 2019 +1000 drm/nouveau/secboot: split out FW version-specific LS function pointers It's not enough to have per-falcon structures anymore, we have multiple versions of some firmware now that have interface differences. Signed-off-by: Ben Skeggs commit c26f3061fe514d4fa27e9ef33a3da799deb3930a Author: Ben Skeggs Date: Thu Jun 6 15:38:25 2019 +1000 drm/nouveau/secboot: pass max supported FW version to LS load funcs Will be passed to the FW loader function as an upper bound on the supported FW version to attempt to load. Signed-off-by: Ben Skeggs commit 475cf02b834599c8a7a21a1e2d11449b7217d856 Author: Ben Skeggs Date: Wed May 22 16:15:54 2019 +1000 drm/nouveau/core: support versioned firmware loading We have a need for this now with updated SEC2 LS FW images that have an incompatible interface from the previous version. Signed-off-by: Ben Skeggs commit 8854eed1a4f588d75b96ae13c38d41156dbd3e54 Author: Ben Skeggs Date: Thu Jun 6 17:08:12 2019 +1000 drm/nouveau/core: pass subdev into nvkm_firmware_get, rather than device It'd be nice to have FW loading debug messages to appear for the relevant subsystem, when enabled. Signed-off-by: Ben Skeggs commit c3e2219216c92919a6bd1711f340f5faa98695e6 Author: Ming Lei Date: Tue Jun 4 21:08:02 2019 +0800 block: free sched's request pool in blk_cleanup_queue In theory, IO scheduler belongs to request queue, and the request pool of sched tags belongs to the request queue too. However, the current tags allocation interfaces are re-used for both driver tags and sched tags, and driver tags is definitely host wide, and doesn't belong to any request queue, same with its request pool. So we need tagset instance for freeing request of sched tags. Meantime, blk_mq_free_tag_set() often follows blk_cleanup_queue() in case of non-BLK_MQ_F_TAG_SHARED, this way requires that request pool of sched tags to be freed before calling blk_mq_free_tag_set(). Commit 47cdee29ef9d94e ("block: move blk_exit_queue into __blk_release_queue") moves blk_exit_queue into __blk_release_queue for simplying the fast path in generic_make_request(), then causes oops during freeing requests of sched tags in __blk_release_queue(). Fix the above issue by move freeing request pool of sched tags into blk_cleanup_queue(), this way is safe becasue queue has been frozen and no any in-queue requests at that time. Freeing sched tags has to be kept in queue's release handler becasue there might be un-completed dispatch activity which might refer to sched tags. Cc: Bart Van Assche Cc: Christoph Hellwig Fixes: 47cdee29ef9d94e485eb08f962c74943023a5271 ("block: move blk_exit_queue into __blk_release_queue") Tested-by: Yi Zhang Reported-by: kernel test robot Signed-off-by: Ming Lei Signed-off-by: Jens Axboe commit e659b4122cf9e0938b80215de6c06823fb4cf796 Merge: bcc9d0e346f9 fa2eb819ddf9 Author: Dave Airlie Date: Fri Jun 7 10:41:32 2019 +1000 Merge tag 'drm-intel-fixes-2019-06-06' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Include gvt-fixes-2019-06-05 Signed-off-by: Dave Airlie From: Joonas Lahtinen Link: https://patchwork.freedesktop.org/patch/msgid/20190606120401.GA16071@jlahtine-desk.ger.corp.intel.com commit 4aeba328019ab9fbaad725b923b4c11c3725b24e Merge: 1884c066579a b714560f7b38 Author: Alexei Starovoitov Date: Thu Jun 6 16:53:13 2019 -0700 Merge branch 'fix-unconnected-udp' Daniel Borkmann says: ==================== Please refer to the patch 1/6 as the main patch with the details on the current sendmsg hook API limitations and proposal to fix it in order to work with basic applications like DNS. Remaining patches are the usual uapi and tooling updates as well as test cases. Thanks a lot! v2 -> v3: - Add attach types to test_section_names.c and libbpf (Andrey) - Added given Acks, rest as-is v1 -> v2: - Split off uapi header sync and bpftool bits (Martin, Alexei) - Added missing bpftool doc and bash completion as well ==================== Signed-off-by: Alexei Starovoitov commit b714560f7b38de9f03b8670890ba130d4cc5604e Author: Daniel Borkmann Date: Fri Jun 7 01:49:02 2019 +0200 bpf: expand section tests for test_section_names Add cgroup/recvmsg{4,6} to test_section_names as well. Test run output: # ./test_section_names libbpf: failed to guess program type based on ELF section name 'InvAliD' libbpf: supported section(type) names are: [...] libbpf: failed to guess attach type based on ELF section name 'InvAliD' libbpf: attachable section(type) names are: [...] libbpf: failed to guess program type based on ELF section name 'cgroup' libbpf: supported section(type) names are: [...] libbpf: failed to guess attach type based on ELF section name 'cgroup' libbpf: attachable section(type) names are: [...] Summary: 38 PASSED, 0 FAILED Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov commit 1812291e7661673cc29f52b38d9cc39540dee08e Author: Daniel Borkmann Date: Fri Jun 7 01:49:01 2019 +0200 bpf: more msg_name rewrite tests to test_sock_addr Extend test_sock_addr for recvmsg test cases, bigger parts of the sendmsg code can be reused for this. Below are the strace view of the recvmsg rewrites; the sendmsg side does not have a BPF prog connected to it for the context of this test: IPv4 test case: [pid 4846] bpf(BPF_PROG_ATTACH, {target_fd=3, attach_bpf_fd=4, attach_type=0x13 /* BPF_??? */, attach_flags=BPF_F_ALLOW_OVERRIDE}, 112) = 0 [pid 4846] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 [pid 4846] bind(5, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("127.0.0.1")}, 128) = 0 [pid 4846] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 [pid 4846] sendmsg(6, {msg_name={sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("127.0.0.1")}, msg_namelen=128, msg_iov=[{iov_base="a", iov_len=1}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 1 [pid 4846] select(6, [5], NULL, NULL, {tv_sec=2, tv_usec=0}) = 1 (in [5], left {tv_sec=1, tv_usec=999995}) [pid 4846] recvmsg(5, {msg_name={sa_family=AF_INET, sin_port=htons(4040), sin_addr=inet_addr("192.168.1.254")}, msg_namelen=128->16, msg_iov=[{iov_base="a", iov_len=64}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 1 [pid 4846] close(6) = 0 [pid 4846] close(5) = 0 [pid 4846] bpf(BPF_PROG_DETACH, {target_fd=3, attach_type=0x13 /* BPF_??? */}, 112) = 0 IPv6 test case: [pid 4846] bpf(BPF_PROG_ATTACH, {target_fd=3, attach_bpf_fd=4, attach_type=0x14 /* BPF_??? */, attach_flags=BPF_F_ALLOW_OVERRIDE}, 112) = 0 [pid 4846] socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5 [pid 4846] bind(5, {sa_family=AF_INET6, sin6_port=htons(6666), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 128) = 0 [pid 4846] socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 6 [pid 4846] sendmsg(6, {msg_name={sa_family=AF_INET6, sin6_port=htons(6666), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, msg_namelen=128, msg_iov=[{iov_base="a", iov_len=1}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 1 [pid 4846] select(6, [5], NULL, NULL, {tv_sec=2, tv_usec=0}) = 1 (in [5], left {tv_sec=1, tv_usec=999996}) [pid 4846] recvmsg(5, {msg_name={sa_family=AF_INET6, sin6_port=htons(6060), inet_pton(AF_INET6, "face:b00c:1234:5678::abcd", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, msg_namelen=128->28, msg_iov=[{iov_base="a", iov_len=64}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 1 [pid 4846] close(6) = 0 [pid 4846] close(5) = 0 [pid 4846] bpf(BPF_PROG_DETACH, {target_fd=3, attach_type=0x14 /* BPF_??? */}, 112) = 0 test_sock_addr run w/o strace view: # ./test_sock_addr.sh [...] Test case: recvmsg4: return code ok .. [PASS] Test case: recvmsg4: return code !ok .. [PASS] Test case: recvmsg6: return code ok .. [PASS] Test case: recvmsg6: return code !ok .. [PASS] Test case: recvmsg4: rewrite IP & port (asm) .. [PASS] Test case: recvmsg6: rewrite IP & port (asm) .. [PASS] [...] Signed-off-by: Daniel Borkmann Acked-by: Andrey Ignatov Acked-by: Martin KaFai Lau Signed-off-by: Alexei Starovoitov commit 000aa1250d572171807b47fb9cd3fadfbcc36ad0 Author: Daniel Borkmann Date: Fri Jun 7 01:49:00 2019 +0200 bpf, bpftool: enable recvmsg attach types Trivial patch to bpftool in order to complete enabling attaching programs to BPF_CGROUP_UDP{4,6}_RECVMSG. Signed-off-by: Daniel Borkmann Acked-by: Andrey Ignatov Acked-by: Martin KaFai Lau Signed-off-by: Alexei Starovoitov commit 9bb59ac1f6c362f14b58187bc56e737780c52c19 Author: Daniel Borkmann Date: Fri Jun 7 01:48:59 2019 +0200 bpf, libbpf: enable recvmsg attach types Another trivial patch to libbpf in order to enable identifying and attaching programs to BPF_CGROUP_UDP{4,6}_RECVMSG by section name. Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov commit 3dbc6adac1f3b83fd4c39899c747da7b417e3ffc Author: Daniel Borkmann Date: Fri Jun 7 01:48:58 2019 +0200 bpf: sync tooling uapi header Sync BPF uapi header in order to pull in BPF_CGROUP_UDP{4,6}_RECVMSG attach types. This is done and preferred as an extra patch in order to ease sync of libbpf. Signed-off-by: Daniel Borkmann Acked-by: Andrey Ignatov Acked-by: Martin KaFai Lau Signed-off-by: Alexei Starovoitov commit 983695fa676568fc0fe5ddd995c7267aabc24632 Author: Daniel Borkmann Date: Fri Jun 7 01:48:57 2019 +0200 bpf: fix unconnected udp hooks Intention of cgroup bind/connect/sendmsg BPF hooks is to act transparently to applications as also stated in original motivation in 7828f20e3779 ("Merge branch 'bpf-cgroup-bind-connect'"). When recently integrating the latter two hooks into Cilium to enable host based load-balancing with Kubernetes, I ran into the issue that pods couldn't start up as DNS got broken. Kubernetes typically sets up DNS as a service and is thus subject to load-balancing. Upon further debugging, it turns out that the cgroupv2 sendmsg BPF hooks API is currently insufficient and thus not usable as-is for standard applications shipped with most distros. To break down the issue we ran into with a simple example: # cat /etc/resolv.conf nameserver 147.75.207.207 nameserver 147.75.207.208 For the purpose of a simple test, we set up above IPs as service IPs and transparently redirect traffic to a different DNS backend server for that node: # cilium service list ID Frontend Backend 1 147.75.207.207:53 1 => 8.8.8.8:53 2 147.75.207.208:53 1 => 8.8.8.8:53 The attached BPF program is basically selecting one of the backends if the service IP/port matches on the cgroup hook. DNS breaks here, because the hooks are not transparent enough to applications which have built-in msg_name address checks: # nslookup 1.1.1.1 ;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.207#53 ;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.208#53 ;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.207#53 [...] ;; connection timed out; no servers could be reached # dig 1.1.1.1 ;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.207#53 ;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.208#53 ;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.207#53 [...] ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> 1.1.1.1 ;; global options: +cmd ;; connection timed out; no servers could be reached For comparison, if none of the service IPs is used, and we tell nslookup to use 8.8.8.8 directly it works just fine, of course: # nslookup 1.1.1.1 8.8.8.8 1.1.1.1.in-addr.arpa name = one.one.one.one. In order to fix this and thus act more transparent to the application, this needs reverse translation on recvmsg() side. A minimal fix for this API is to add similar recvmsg() hooks behind the BPF cgroups static key such that the program can track state and replace the current sockaddr_in{,6} with the original service IP. From BPF side, this basically tracks the service tuple plus socket cookie in an LRU map where the reverse NAT can then be retrieved via map value as one example. Side-note: the BPF cgroups static key should be converted to a per-hook static key in future. Same example after this fix: # cilium service list ID Frontend Backend 1 147.75.207.207:53 1 => 8.8.8.8:53 2 147.75.207.208:53 1 => 8.8.8.8:53 Lookups work fine now: # nslookup 1.1.1.1 1.1.1.1.in-addr.arpa name = one.one.one.one. Authoritative answers can be found from: # dig 1.1.1.1 ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> 1.1.1.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51550 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;1.1.1.1. IN A ;; AUTHORITY SECTION: . 23426 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019052001 1800 900 604800 86400 ;; Query time: 17 msec ;; SERVER: 147.75.207.207#53(147.75.207.207) ;; WHEN: Tue May 21 12:59:38 UTC 2019 ;; MSG SIZE rcvd: 111 And from an actual packet level it shows that we're using the back end server when talking via 147.75.207.20{7,8} front end: # tcpdump -i any udp [...] 12:59:52.698732 IP foo.42011 > google-public-dns-a.google.com.domain: 18803+ PTR? 1.1.1.1.in-addr.arpa. (38) 12:59:52.698735 IP foo.42011 > google-public-dns-a.google.com.domain: 18803+ PTR? 1.1.1.1.in-addr.arpa. (38) 12:59:52.701208 IP google-public-dns-a.google.com.domain > foo.42011: 18803 1/0/0 PTR one.one.one.one. (67) 12:59:52.701208 IP google-public-dns-a.google.com.domain > foo.42011: 18803 1/0/0 PTR one.one.one.one. (67) [...] In order to be flexible and to have same semantics as in sendmsg BPF programs, we only allow return codes in [1,1] range. In the sendmsg case the program is called if msg->msg_name is present which can be the case in both, connected and unconnected UDP. The former only relies on the sockaddr_in{,6} passed via connect(2) if passed msg->msg_name was NULL. Therefore, on recvmsg side, we act in similar way to call into the BPF program whenever a non-NULL msg->msg_name was passed independent of sk->sk_state being TCP_ESTABLISHED or not. Note that for TCP case, the msg->msg_name is ignored in the regular recvmsg path and therefore not relevant. For the case of ip{,v6}_recv_error() paths, picked up via MSG_ERRQUEUE, the hook is not called. This is intentional as it aligns with the same semantics as in case of TCP cgroup BPF hooks right now. This might be better addressed in future through a different bpf_attach_type such that this case can be distinguished from the regular recvmsg paths, for example. Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg") Signed-off-by: Daniel Borkmann Acked-by: Andrey Ignatov Acked-by: Martin KaFai Lau Acked-by: Martynas Pumputis Signed-off-by: Alexei Starovoitov commit bcc9d0e346f9fc0b6d4463ccc9dc76ef2fcedecc Merge: dbd9f78ed237 6d10dc617b41 Author: Dave Airlie Date: Fri Jun 7 07:31:49 2019 +1000 Merge branch 'malidp-fixes' of git://linux-arm.org/linux-ld into drm-fixes Assorted set of patches for Arm DRM drivers that I maintain in my tree. Signed-off-by: Dave Airlie From: Liviu Dudau Link: https://patchwork.freedesktop.org/patch/msgid/20190604144205.GO15316@e110455-lin.cambridge.arm.com commit 16d72dd4891fecc1e1bf7ca193bb7d5b9804c038 Merge: ae8766042bee 527a1d1ede98 Author: Linus Torvalds Date: Thu Jun 6 13:13:09 2019 -0700 Merge branch 'parisc-5.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc fixes from Helge Deller: - Fix crashes when accessing PCI devices on some machines like C240 and J5000. The crashes were triggered because we replaced cache flushes by nops in the alternative coding where we shouldn't for some machines. - Dave fixed a race in the usage of the sr1 space register when used to load the coherence index. - Use the hardware lpa instruction to to load the physical address of kernel virtual addresses in the iommu driver code. - The kernel may fail to link when CONFIG_MLONGCALLS isn't set. Solve that by rearranging functions in the final vmlinux executeable. - Some defconfig cleanups and removal of compiler warnings. * 'parisc-5.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Fix crash due alternative coding for NP iopdir_fdc bit parisc: Use lpa instruction to load physical addresses in driver code parisc: configs: Remove useless UEVENT_HELPER_PATH parisc: Use implicit space register selection for loading the coherence index of I/O pdirs parisc: Fix compiler warnings in float emulation code parisc/slab: cleanup after /proc/slab_allocators removal parisc: Allow building 64-bit kernel without -mlong-calls compiler option parisc: Kconfig: remove ARCH_DISCARD_MEMBLOCK commit ae8766042beee814c9e16e9ae1e84cd6eaa7ffaa Merge: 01047631df81 7829a0c1cb9c Author: Linus Torvalds Date: Thu Jun 6 13:10:49 2019 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a regression that breaks the jitterentropy RNG and a potential memory leak in hmac" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: hmac - fix memory leak in hmac_init_tfm() crypto: jitterentropy - change back to module_init() commit 01047631df813f6247185547c3778c80af088a20 Merge: dc8ca9cc6e23 025197ebb08a Author: Linus Torvalds Date: Thu Jun 6 12:36:54 2019 -0700 Merge tag 'xfs-5.2-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull xfs fixes from Darrick Wong: "Here are a couple more bug fixes for 5.2. Changes since last update: - Fix some forgotten strings in a log debugging function - Fix incorrect unit conversion in online fsck code" * tag 'xfs-5.2-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: inode btree scrubber should calculate im_boffset correctly xfs: fix broken log reservation debugging commit dc8ca9cc6e23054eb85599c9417ef2416848e7e8 Merge: 5d6b501fe542 638803d45681 Author: Linus Torvalds Date: Thu Jun 6 12:33:52 2019 -0700 Merge tag 'gfs2-v5.2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 fix from Andreas Gruenbacher: "A revert for a patch that turned out to be broken" * tag 'gfs2-v5.2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: Revert "gfs2: Replace gl_revokes with a GLF flag" commit 5d6b501fe5421c5df662e2935f55f5e3d2b5e012 Merge: 211758573b01 5d3211b651a0 Author: Linus Torvalds Date: Thu Jun 6 12:31:15 2019 -0700 Merge tag 'ovl-fixes-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fixes from Miklos Szeredi: "Here's one fix for a class of bugs triggered by syzcaller, and one that makes xfstests fail less" * tag 'ovl-fixes-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: doc: add non-standard corner cases ovl: detect overlapping layers ovl: support the FS_IOC_FS[SG]ETXATTR ioctls commit 211758573b01f4cd27308464573d112ef85e0e1a Merge: 459aa077a2f2 26eb3bae5003 Author: Linus Torvalds Date: Thu Jun 6 12:25:56 2019 -0700 Merge tag 'fuse-fixes-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse Pull fuse fixes from Miklos Szeredi: "This fixes a leaked inode lock in an error cleanup path and a data consistency issue with copy_file_range(). It also adds a new flag for the WRITE request that allows userspace filesystems to clear suid/sgid bits on the file if necessary" * tag 'fuse-fixes-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: fuse: extract helper for range writeback fuse: fix copy_file_range() in the writeback case fuse: add FUSE_WRITE_KILL_PRIV fuse: fallocate: fix return with locked inode commit 459aa077a2f21e21bb0849007bc6909b0d20b1f6 Merge: 44e843eb5cc3 ba851a39c970 Author: Linus Torvalds Date: Thu Jun 6 12:19:37 2019 -0700 Merge tag 'nfs-for-5.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs Pull NFS client fixes from Anna Schumaker: "These are mostly stable bugfixes found during testing, many during the recent NFS bake-a-thon. Stable bugfixes: - SUNRPC: Fix regression in umount of a secure mount - SUNRPC: Fix a use after free when a server rejects the RPCSEC_GSS credential - NFSv4.1: Again fix a race where CB_NOTIFY_LOCK fails to wake a waiter - NFSv4.1: Fix bug only first CB_NOTIFY_LOCK is handled Other bugfixes: - xprtrdma: Use struct_size() in kzalloc()" * tag 'nfs-for-5.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs: NFSv4.1: Fix bug only first CB_NOTIFY_LOCK is handled NFSv4.1: Again fix a race where CB_NOTIFY_LOCK fails to wake a waiter SUNRPC: Fix a use after free when a server rejects the RPCSEC_GSS credential SUNRPC fix regression in umount of a secure mount xprtrdma: Use struct_size() in kzalloc() commit 5715c4dd66a315515eedef3fc4cbe1bf4620f009 Author: Parav Pandit Date: Thu Jun 6 10:52:33 2019 -0600 vfio/mdev: Synchronize device create/remove with parent removal In following sequences, child devices created while removing mdev parent device can be left out, or it may lead to race of removing half initialized child mdev devices. issue-1: -------- cpu-0 cpu-1 ----- ----- mdev_unregister_device() device_for_each_child() mdev_device_remove_cb() mdev_device_remove() create_store() mdev_device_create() [...] device_add() parent_remove_sysfs_files() /* BUG: device added by cpu-0 * whose parent is getting removed * and it won't process this mdev. */ issue-2: -------- Below crash is observed when user initiated remove is in progress and mdev_unregister_driver() completes parent unregistration. cpu-0 cpu-1 ----- ----- remove_store() mdev_device_remove() active = false; mdev_unregister_device() parent device removed. [...] parents->ops->remove() /* * BUG: Accessing invalid parent. */ This is similar race like create() racing with mdev_unregister_device(). BUG: unable to handle kernel paging request at ffffffffc0585668 PGD e8f618067 P4D e8f618067 PUD e8f61a067 PMD 85adca067 PTE 0 Oops: 0000 [#1] SMP PTI CPU: 41 PID: 37403 Comm: bash Kdump: loaded Not tainted 5.1.0-rc6-vdevbus+ #6 Hardware name: Supermicro SYS-6028U-TR4+/X10DRU-i+, BIOS 2.0b 08/09/2016 RIP: 0010:mdev_device_remove+0xfa/0x140 [mdev] Call Trace: remove_store+0x71/0x90 [mdev] kernfs_fop_write+0x113/0x1a0 vfs_write+0xad/0x1b0 ksys_write+0x5a/0xe0 do_syscall_64+0x5a/0x210 entry_SYSCALL_64_after_hwframe+0x49/0xbe Therefore, mdev core is improved as below to overcome above issues. Wait for any ongoing mdev create() and remove() to finish before unregistering parent device. This continues to allow multiple create and remove to progress in parallel for different mdev devices as most common case. At the same time guard parent removal while parent is being accessed by create() and remove() callbacks. create()/remove() and unregister_device() are synchronized by the rwsem. Refactor device removal code to mdev_device_remove_common() to avoid acquiring unreg_sem of the parent. Fixes: 7b96953bc640 ("vfio: Mediated device Core driver") Signed-off-by: Parav Pandit Reviewed-by: Cornelia Huck Signed-off-by: Alex Williamson commit 26c9e3988eec6b858c08b0fc352d8eb13832d828 Author: Parav Pandit Date: Thu Jun 6 10:52:33 2019 -0600 vfio/mdev: Avoid creating sysfs remove file on stale device removal If device is removal is initiated by two threads as below, mdev core attempts to create a syfs remove file on stale device. During this flow, below [1] call trace is observed. cpu-0 cpu-1 ----- ----- mdev_unregister_device() device_for_each_child mdev_device_remove_cb mdev_device_remove user_syscall remove_store() mdev_device_remove() [..] unregister device(); /* not found in list or * active=false. */ sysfs_create_file() ..Call trace Now that mdev core follows correct device removal sequence of the linux bus model, remove shouldn't fail in normal cases. If it fails, there is no point of creating a stale file or checking for specific error status. kernel: WARNING: CPU: 2 PID: 9348 at fs/sysfs/file.c:327 sysfs_create_file_ns+0x7f/0x90 kernel: CPU: 2 PID: 9348 Comm: bash Kdump: loaded Not tainted 5.1.0-rc6-vdevbus+ #6 kernel: Hardware name: Supermicro SYS-6028U-TR4+/X10DRU-i+, BIOS 2.0b 08/09/2016 kernel: RIP: 0010:sysfs_create_file_ns+0x7f/0x90 kernel: Call Trace: kernel: remove_store+0xdc/0x100 [mdev] kernel: kernfs_fop_write+0x113/0x1a0 kernel: vfs_write+0xad/0x1b0 kernel: ksys_write+0x5a/0xe0 kernel: do_syscall_64+0x5a/0x210 kernel: entry_SYSCALL_64_after_hwframe+0x49/0xbe Reviewed-by: Cornelia Huck Signed-off-by: Parav Pandit Signed-off-by: Alex Williamson commit 720f1de4021f09898b8c8443f3b3e995991b6e3a Author: Paolo Abeni Date: Thu Jun 6 15:45:03 2019 +0200 pktgen: do not sleep with the thread lock held. Currently, the process issuing a "start" command on the pktgen procfs interface, acquires the pktgen thread lock and never release it, until all pktgen threads are completed. The above can blocks indefinitely any other pktgen command and any (even unrelated) netdevice removal - as the pktgen netdev notifier acquires the same lock. The issue is demonstrated by the following script, reported by Matteo: ip -b - <<'EOF' link add type dummy link add type veth link set dummy0 up EOF modprobe pktgen echo reset >/proc/net/pktgen/pgctrl { echo rem_device_all echo add_device dummy0 } >/proc/net/pktgen/kpktgend_0 echo count 0 >/proc/net/pktgen/dummy0 echo start >/proc/net/pktgen/pgctrl & sleep 1 rmmod veth Fix the above releasing the thread lock around the sleep call. Additionally we must prevent racing with forcefull rmmod - as the thread lock no more protects from them. Instead, acquire a self-reference before waiting for any thread. As a side effect, running rmmod pktgen while some thread is running now fails with "module in use" error, before this patch such command hanged indefinitely. Note: the issue predates the commit reported in the fixes tag, but this fix can't be applied before the mentioned commit. v1 -> v2: - no need to check for thread existence after flipping the lock, pktgen threads are freed only at net exit time - Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.") Reported-and-tested-by: Matteo Croce Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller commit 41b3588dba6ef4b7995735a97e47ff0aeea6c276 Author: Tony Lindgren Date: Wed May 29 23:55:57 2019 -0700 clk: ti: clkctrl: Fix returning uninitialized data If we do a clk_get() for a clock that does not exists, we have _ti_omap4_clkctrl_xlate() return uninitialized data if no match is found. This can be seen in some cases with SLAB_DEBUG enabled: Unable to handle kernel paging request at virtual address 5a5a5a5a ... clk_hw_create_clk.part.33 sysc_notifier_call notifier_call_chain blocking_notifier_call_chain device_add Let's fix this by setting a found flag only when we find a match. Reported-by: Tomi Valkeinen Fixes: 88a172526c32 ("clk: ti: add support for clkctrl clocks") Signed-off-by: Tony Lindgren Tested-by: Peter Ujfalusi Tested-by: Tomi Valkeinen Signed-off-by: Stephen Boyd commit 44e843eb5cc383fe58fc8ec17dba0ab1dc45db2d Merge: 156c05917e09 fc722a0429f4 Author: Linus Torvalds Date: Thu Jun 6 11:02:54 2019 -0700 Merge tag 'for-rc-adfs' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ADFS cleanups/fixes from Russell King: "As a result of some of Al Viro's great work, here are a few cleanups with fixes for adfs: - factor out filename comparison, so we can be sure that adfs_compare() (used for namei compare) and adfs_match() (used for lookup) have the same behaviour. - factor out filename lowering (which is not the same as tolower() which will lower top-bit-set characters) to ensure that we have the same behaviour when comparing filenames as when we hash them. - factor out the object fixups, so we are applying all fixups to directory objects in the same way, independent of the disk format. - factor out the object name fixup (into the previously factored out function) to ensure that filenames are appropriately translated - for example, adfs allows '/' in filenames, which being the Unix path separator, need to be translated to a different character, which is normally '.' (DOS 8.3 filenames represent the . as a / on adfs, so this is the expected reverse translation.) - remove filename truncation; Al asked about this and apparently the decision is to remove it. In any case, adfs's truncation was buggy, so this rids us of that bug by removing the truncation feature. - we now have only one location which adds the "filetype" suffix to the filename, so there's no point that code being out of line. - since we translate '/' into '.', an adfs filename of "/" or "//" would end up being translated to "." and ".." which have special meanings. In this case, change the first character to "^" to avoid these special directory names being abused" * tag 'for-rc-adfs' of git://git.armlinux.org.uk/~rmk/linux-arm: fs/adfs: fix filename fixup handling for "/" and "//" names fs/adfs: move append_filetype_suffix() into adfs_object_fixup() fs/adfs: remove truncated filename hashing fs/adfs: factor out filename fixup fs/adfs: factor out object fixups fs/adfs: factor out filename case lowering fs/adfs: factor out filename comparison commit d37acd5aa99c57505b64913e0e2624ec3daed8c5 Author: Maxime Chevallier Date: Thu Jun 6 10:42:56 2019 +0200 net: mvpp2: Use strscpy to handle stat strings Use a safe strscpy call to copy the ethtool stat strings into the relevant buffers, instead of a memcpy that will be accessing out-of-bound data. Fixes: 118d6298f6f0 ("net: mvpp2: add ethtool GOP statistics") Signed-off-by: Maxime Chevallier Signed-off-by: David S. Miller commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 Author: Zhu Yanjun Date: Thu Jun 6 04:00:03 2019 -0400 net: rds: fix memory leak in rds_ib_flush_mr_pool When the following tests last for several hours, the problem will occur. Server: rds-stress -r 1.1.1.16 -D 1M Client: rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30 The following will occur. " Starting up.... tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us cpu % 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 " >From vmcore, we can find that clean_list is NULL. >From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker. Then rds_ib_mr_pool_flush_worker calls " rds_ib_flush_mr_pool(pool, 0, NULL); " Then in function " int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool, int free_all, struct rds_ib_mr **ibmr_ret) " ibmr_ret is NULL. In the source code, " ... list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail); if (ibmr_ret) *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode); /* more than one entry in llist nodes */ if (clean_nodes->next) llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list); ... " When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next instead of clean_nodes is added in clean_list. So clean_nodes is discarded. It can not be used again. The workqueue is executed periodically. So more and more clean_nodes are discarded. Finally the clean_list is NULL. Then this problem will occur. Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist") Signed-off-by: Zhu Yanjun Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller commit 8d037f92de5f34b44312c4df6c115c6df92d7085 Merge: 4970b42d5c36 b9aa52c4cb45 Author: David S. Miller Date: Thu Jun 6 10:29:21 2019 -0700 Merge branch 'ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl' Olivier Matz says: ==================== ipv6: fix EFAULT on sendto with icmpv6 and hdrincl The following code returns EFAULT (Bad address): s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); setsockopt(s, SOL_IPV6, IPV6_HDRINCL, 1); sendto(ipv6_icmp6_packet, addr); /* returns -1, errno = EFAULT */ The problem is fixed in the second patch. The first one aligns the code to ipv4, to avoid a race condition in the second patch. ==================== Signed-off-by: David S. Miller commit b9aa52c4cb457e7416cc0c95f475e72ef4a61336 Author: Olivier Matz Date: Thu Jun 6 09:15:19 2019 +0200 ipv6: fix EFAULT on sendto with icmpv6 and hdrincl The following code returns EFAULT (Bad address): s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); setsockopt(s, SOL_IPV6, IPV6_HDRINCL, 1); sendto(ipv6_icmp6_packet, addr); /* returns -1, errno = EFAULT */ The IPv4 equivalent code works. A workaround is to use IPPROTO_RAW instead of IPPROTO_ICMPV6. The failure happens because 2 bytes are eaten from the msghdr by rawv6_probe_proto_opt() starting from commit 19e3c66b52ca ("ipv6 equivalent of "ipv4: Avoid reading user iov twice after raw_probe_proto_opt""), but at that time it was not a problem because IPV6_HDRINCL was not yet introduced. Only eat these 2 bytes if hdrincl == 0. Fixes: 715f504b1189 ("ipv6: add IPV6_HDRINCL option for raw sockets") Signed-off-by: Olivier Matz Acked-by: Nicolas Dichtel Signed-off-by: David S. Miller commit 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 Author: Olivier Matz Date: Thu Jun 6 09:15:18 2019 +0200 ipv6: use READ_ONCE() for inet->hdrincl as in ipv4 As it was done in commit 8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg") and commit 20b50d79974e ("net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()") for ipv4, copy the value of inet->hdrincl in a local variable, to avoid introducing a race condition in the next commit. Signed-off-by: Olivier Matz Signed-off-by: David S. Miller commit 39194128701bf2af9bbc420ffe6e3cb5d2c16061 Author: Srinivas Kandagatla Date: Thu Jun 6 12:23:04 2019 +0100 soundwire: intel: set dai min and max channels correctly Looks like there is a copy paste error. This patch fixes it! Signed-off-by: Srinivas Kandagatla Signed-off-by: Vinod Koul commit 9315d904c7e8f38886e2820fa6cb8d0fa723ea21 Author: Srinivas Kandagatla Date: Thu Jun 6 12:22:22 2019 +0100 soundwire: stream: fix bad unlock balance the msg lock is taken for multi-link cases only but released unconditionally, leading to an unlock balance warning for single-link usages This patch fixes this. ===================================== WARNING: bad unlock balance detected! 5.1.0-16506-gc1c383a6f0a2-dirty #1523 Tainted: G W ------------------------------------- aplay/2954 is trying to release lock (&bus->msg_lock) at: do_bank_switch+0x21c/0x480 but there are no more locks to release! Signed-off-by: Srinivas Kandagatla Acked-by: Pierre-Louis Bossart Acked-by: Sanyog Kale [vkoul: edited the change log as suggested by Pierre] Signed-off-by: Vinod Koul commit b81ff1013eb8eef2934ca7e8cf53d553c1029e84 Author: Hugh Dickins Date: Wed May 29 09:25:40 2019 +0200 x86/fpu: Use fault_in_pages_writeable() for pre-faulting Since commit d9c9ce34ed5c8 ("x86/fpu: Fault-in user stack if copy_fpstate_to_sigframe() fails") get_user_pages_unlocked() pre-faults user's memory if a write generates a page fault while the handler is disabled. This works in general and uncovered a bug as reported by Mike Rapoport¹. It has been pointed out that this function may be fragile and a simple pre-fault as in fault_in_pages_writeable() would be a better solution. Better as in taste and simplicity: that write (as performed by the alternative function) performs exactly the same faulting of memory as before. This was suggested by Hugh Dickins and Andrew Morton. Use fault_in_pages_writeable() for pre-faulting user's stack. [ bigeasy: Write commit message. ] [ bp: Massage some. ] ¹ https://lkml.kernel.org/r/1557844195-18882-1-git-send-email-rppt@linux.ibm.com Fixes: d9c9ce34ed5c8 ("x86/fpu: Fault-in user stack if copy_fpstate_to_sigframe() fails") Suggested-by: Andrew Morton Signed-off-by: Hugh Dickins Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Borislav Petkov Tested-by: Chris Wilson Cc: Andrea Arcangeli Cc: Andrew Morton Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Jann Horn Cc: linux-mm Cc: Mike Rapoport Cc: Pavel Machek Cc: Rik van Riel Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/20190529072540.g46j4kfeae37a3iu@linutronix.de Link: https://lkml.kernel.org/r/1557844195-18882-1-git-send-email-rppt@linux.ibm.com commit 62f99b62e5e3b88d23b6ced4380199e8386965af Author: Max Gurtovoy Date: Thu Jun 6 12:27:36 2019 +0300 nvme-rdma: use dynamic dma mapping per command Commit 87fd125344d6 ("nvme-rdma: remove redundant reference between ib_device and tagset") caused a kernel panic when disconnecting from an inaccessible controller (disconnect during re-connection). -- nvme nvme0: Removing ctrl: NQN "testnqn1" nvme_rdma: nvme_rdma_exit_request: hctx 0 queue_idx 1 BUG: unable to handle kernel paging request at 0000000080000228 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI ... Call Trace: blk_mq_exit_hctx+0x5c/0xf0 blk_mq_exit_queue+0xd4/0x100 blk_cleanup_queue+0x9a/0xc0 nvme_rdma_destroy_io_queues+0x52/0x60 [nvme_rdma] nvme_rdma_shutdown_ctrl+0x3e/0x80 [nvme_rdma] nvme_do_delete_ctrl+0x53/0x80 [nvme_core] nvme_sysfs_delete+0x45/0x60 [nvme_core] kernfs_fop_write+0x105/0x180 vfs_write+0xad/0x1a0 ksys_write+0x5a/0xd0 do_syscall_64+0x55/0x110 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fa215417154 -- The reason for this crash is accessing an already freed ib_device for performing dma_unmap during exit_request commands. The root cause for that is that during re-connection all the queues are destroyed and re-created (and the ib_device is reference counted by the queues and freed as well) but the tagset stays alive and all the DMA mappings (that we perform in init_request) kept in the request context. The original commit fixed a different bug that was introduced during bonding (aka nic teaming) tests that for some scenarios change the underlying ib_device and caused memory leakage and possible segmentation fault. This commit is a complementary commit that also changes the wrong DMA mappings that were saved in the request context and making the request sqe dma mappings dynamic with the command lifetime (i.e. mapped in .queue_rq and unmapped in .complete). It also fixes the above crash of accessing freed ib_device during destruction of the tagset. Fixes: 87fd125344d6 ("nvme-rdma: remove redundant reference between ib_device and tagset") Reported-by: Jim Harris Suggested-by: Sagi Grimberg Tested-by: Jim Harris Reviewed-by: Christoph Hellwig Signed-off-by: Max Gurtovoy Signed-off-by: Sagi Grimberg commit c8e8c77b3bdbade6e26e8e76595f141ede12b692 Author: Jaesoo Lee Date: Mon Jun 3 16:42:28 2019 -0700 nvme: Fix u32 overflow in the number of namespace list calculation The Number of Namespaces (nn) field in the identify controller data structure is defined as u32 and the maximum allowed value in NVMe specification is 0xFFFFFFFEUL. This change fixes the possible overflow of the DIV_ROUND_UP() operation used in nvme_scan_ns_list() by casting the nn to u64. Signed-off-by: Jaesoo Lee Reviewed-by: Christoph Hellwig Signed-off-by: Sagi Grimberg commit 522ecce08ab20b57342d65b05601818e0f95fb2c Author: Parav Pandit Date: Thu Jun 6 10:52:32 2019 -0600 vfio/mdev: Improve the create/remove sequence This patch addresses below two issues and prepares the code to address 3rd issue listed below. 1. mdev device is placed on the mdev bus before it is created in the vendor driver. Once a device is placed on the mdev bus without creating its supporting underlying vendor device, mdev driver's probe() gets triggered. However there isn't a stable mdev available to work on. create_store() mdev_create_device() device_register() ... vfio_mdev_probe() [...] parent->ops->create() vfio_ap_mdev_create() mdev_set_drvdata(mdev, matrix_mdev); /* Valid pointer set above */ Due to this way of initialization, mdev driver who wants to use the mdev, doesn't have a valid mdev to work on. 2. Current creation sequence is, parent->ops_create() groups_register() Remove sequence is, parent->ops->remove() groups_unregister() However, remove sequence should be exact mirror of creation sequence. Once this is achieved, all users of the mdev will be terminated first before removing underlying vendor device. (Follow standard linux driver model). At that point vendor's remove() ops shouldn't fail because taking the device off the bus should terminate any usage. 3. When remove operation fails, mdev sysfs removal attempts to add the file back on already removed device. Following call trace [1] is observed. [1] call trace: kernel: WARNING: CPU: 2 PID: 9348 at fs/sysfs/file.c:327 sysfs_create_file_ns+0x7f/0x90 kernel: CPU: 2 PID: 9348 Comm: bash Kdump: loaded Not tainted 5.1.0-rc6-vdevbus+ #6 kernel: Hardware name: Supermicro SYS-6028U-TR4+/X10DRU-i+, BIOS 2.0b 08/09/2016 kernel: RIP: 0010:sysfs_create_file_ns+0x7f/0x90 kernel: Call Trace: kernel: remove_store+0xdc/0x100 [mdev] kernel: kernfs_fop_write+0x113/0x1a0 kernel: vfs_write+0xad/0x1b0 kernel: ksys_write+0x5a/0xe0 kernel: do_syscall_64+0x5a/0x210 kernel: entry_SYSCALL_64_after_hwframe+0x49/0xbe Therefore, mdev core is improved in following ways. 1. Split the device registration/deregistration sequence so that some things can be done between initialization of the device and hooking it up to the bus respectively after deregistering it from the bus but before giving up our final reference. In particular, this means invoking the ->create() and ->remove() callbacks in those new windows. This gives the vendor driver an initialized mdev device to work with during creation. At the same time, a bus driver who wish to bind to mdev driver also gets initialized mdev device. This follows standard Linux kernel bus and device model. 2. During remove flow, first remove the device from the bus. This ensures that any bus specific devices are removed. Once device is taken off the mdev bus, invoke remove() of mdev from the vendor driver. 3. The driver core device model provides way to register and auto unregister the device sysfs attribute groups at dev->groups. Make use of dev->groups to let core create the groups and eliminate code to avoid explicit groups creation and removal. To ensure, that new sequence is solid, a below stack dump of a process is taken who attempts to remove the device while device is in use by vfio driver and user application. This stack dump validates that vfio driver guards against such device removal when device is in use. cat /proc/21962/stack [<0>] vfio_del_group_dev+0x216/0x3c0 [vfio] [<0>] mdev_remove+0x21/0x40 [mdev] [<0>] device_release_driver_internal+0xe8/0x1b0 [<0>] bus_remove_device+0xf9/0x170 [<0>] device_del+0x168/0x350 [<0>] mdev_device_remove_common+0x1d/0x50 [mdev] [<0>] mdev_device_remove+0x8c/0xd0 [mdev] [<0>] remove_store+0x71/0x90 [mdev] [<0>] kernfs_fop_write+0x113/0x1a0 [<0>] vfs_write+0xad/0x1b0 [<0>] ksys_write+0x5a/0xe0 [<0>] do_syscall_64+0x5a/0x210 [<0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe [<0>] 0xffffffffffffffff This prepares the code to eliminate calling device_create_file() in subsequent patch. Reviewed-by: Cornelia Huck Signed-off-by: Parav Pandit Signed-off-by: Alex Williamson commit 04268bf2757a125616b6c2140e6250f43b7b737a Author: Amadeusz Sławiński Date: Wed Jun 5 15:45:52 2019 +0200 SoC: rt274: Fix internal jack assignment in set_jack callback When we call snd_soc_component_set_jack(component, NULL, NULL) we should set rt274->jack to passed jack, so when interrupt is triggered it calls snd_soc_jack_report(rt274->jack, ...) with proper value. This fixes problem in machine where in register, we call snd_soc_register(component, &headset, NULL), which just calls rt274_mic_detect via callback. Now when machine driver is removed "headset" will be gone, so we need to tell codec driver that it's gone with: snd_soc_register(component, NULL, NULL), but we also need to be able to handle NULL jack argument here gracefully. If we don't set it to NULL, next time the rt274_irq runs it will call snd_soc_jack_report with first argument being invalid pointer and there will be Oops. Signed-off-by: Amadeusz Sławiński Signed-off-by: Mark Brown commit 6d647b736a6b1cbf2f8deab0e6a94c34a6ea9d60 Author: Amadeusz Sławiński Date: Wed May 22 11:21:41 2019 -0500 ALSA: hdac: fix memory release for SST and SOF drivers During the integration of HDaudio support, we changed the way in which we get hdev in snd_hdac_ext_bus_device_init() to use one preallocated with devm_kzalloc(), however it still left kfree(hdev) in snd_hdac_ext_bus_device_exit(). It leads to oopses when trying to rmmod and modprobe. Fix it, by just removing kfree call. SOF also uses some of the snd_hdac_ functions for HDAudio support but allocated the memory with kzalloc. A matching fix is provided separately to align all users of the snd_hdac_ library. Fixes: 6298542fa33b ("ALSA: hdac: remove memory allocation from snd_hdac_ext_bus_device_init") Reviewed-by: Takashi Iwai Signed-off-by: Amadeusz Sławiński Signed-off-by: Pierre-Louis Bossart Signed-off-by: Mark Brown commit 1f5253b08e06bc798e5254ede22d4238e9a52af8 Author: Zhu Yingjiang Date: Wed May 22 11:21:40 2019 -0500 ASoC: SOF: Intel: hda: use the defined ppcap functions There are already defined ppcap and ppcap interrupt functions, use the already defined functions for easy code read. Fixes: 8a300c8fb17 ("ASoC: SOF: Intel: Add HDA controller for Intel DSP") Reviewed-by: Takashi Iwai Signed-off-by: Zhu Yingjiang Signed-off-by: Pierre-Louis Bossart Signed-off-by: Mark Brown commit 70fc53734e71ce51f46dfcfd1a1c319e1cfe080c Author: Tzung-Bi Shih Date: Tue Jun 4 11:31:02 2019 +0800 ASoC: core: move DAI pre-links initiation to snd_soc_instantiate_card Kernel crashes when an ASoC component rebinding. The dai_link->platforms has been reset to NULL by soc_cleanup_platform() in soc_cleanup_card_resources() when un-registering component. However, it has no chance to re-allocate the dai_link->platforms when registering the component again. Move the DAI pre-links initiation from snd_soc_register_card() to snd_soc_instantiate_card() to make sure all DAI pre-links get initiated when component rebinding. As an example, by using the following commands: - echo -n max98357a > /sys/bus/platform/drivers/max98357a/unbind - echo -n max98357a > /sys/bus/platform/drivers/max98357a/bind Got the error message: "Unable to handle kernel NULL pointer dereference at virtual address". The call trace: snd_soc_is_matching_component+0x30/0x6c soc_bind_dai_link+0x16c/0x240 snd_soc_bind_card+0x1e4/0xb10 snd_soc_add_component+0x270/0x300 snd_soc_register_component+0x54/0x6c Signed-off-by: Tzung-Bi Shih Signed-off-by: Mark Brown commit 9bbc799318a34061703f2a980e2b6df7fc6760f0 Author: Pierre-Louis Bossart Date: Tue Jun 4 15:08:58 2019 -0500 ASoC: Intel: cht_bsw_rt5672: fix kernel oops with platform_name override The platform override code uses devm_ functions to allocate memory for the new name but the card device is not initialized. Fix by moving the init earlier. Fixes: f403906da05cd ("ASoC: Intel: cht_bsw_rt5672: platform name fixup support") Signed-off-by: Pierre-Louis Bossart Signed-off-by: Mark Brown commit 096701e8131425044d2054a0c210d6ea24ee7386 Author: Pierre-Louis Bossart Date: Tue Jun 4 15:08:57 2019 -0500 ASoC: Intel: cht_bsw_nau8824: fix kernel oops with platform_name override The platform override code uses devm_ functions to allocate memory for the new name but the card device is not initialized. Fix by moving the init earlier. Fixes: 4506db8043341 ("ASoC: Intel: cht_bsw_nau8824: platform name fixup support") Signed-off-by: Pierre-Louis Bossart Signed-off-by: Mark Brown commit 79136a016add1acb690fe8d96be50dd22a143d26 Author: Pierre-Louis Bossart Date: Tue Jun 4 15:08:56 2019 -0500 ASoC: Intel: bytcht_es8316: fix kernel oops with platform_name override The platform override code uses devm_ functions to allocate memory for the new name but the card device is not initialized. Fix by moving the init earlier. Fixes: e4bc6b1195f64 ("ASoC: Intel: bytcht_es8316: platform name fixup support") Signed-off-by: Pierre-Louis Bossart Signed-off-by: Mark Brown commit fb54555134b9b17835545e4d096b5550c27eed64 Author: Pierre-Louis Bossart Date: Tue Jun 4 15:08:55 2019 -0500 ASoC: Intel: cht_bsw_max98090: fix kernel oops with platform_name override The platform override code uses devm_ functions to allocate memory for the new name but the card device is not initialized. Fix by moving the init earlier. Fixes: 7e7e24d7c7ff0 ("ASoC: Intel: cht_bsw_max98090_ti: platform name fixup support") Signed-off-by: Pierre-Louis Bossart Signed-off-by: Mark Brown commit 638803d4568121d73a266e440530f880ffa2dacc Author: Bob Peterson Date: Thu Jun 6 07:33:38 2019 -0500 Revert "gfs2: Replace gl_revokes with a GLF flag" Commit 73118ca8baf7 introduced a glock reference counting bug in gfs2_trans_remove_revoke. Given that, replacing gl_revokes with a GLF flag is no longer useful, so revert that commit. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit e7bf2ce837475445bfd44ac1193ced0684a70d96 Merge: 8aa75b72e3e6 1f65105ffc47 Author: Greg Kroah-Hartman Date: Thu Jun 6 15:13:22 2019 +0200 Merge tag 'misc-habanalabs-fixes-2019-06-06' of git://people.freedesktop.org/~gabbayo/linux into char-misc-linus Oded writes: This tag contains the following fixes: - Fix the code that checks whether we can use 2MB page size when mapping memory in the ASIC's MMU. The current code had a "hole" which happened in architectures other then x86-64. - Fix the debugfs interface to read/write from/to the device using device virtual addresses. There was a bug in the translation regarding addresses that were mapped using 2MB page size. - Fix a bug in the debug/profiling code, where the code didn't read the full address but only the lower 32-bits of the address. * tag 'misc-habanalabs-fixes-2019-06-06' of git://people.freedesktop.org/~gabbayo/linux: habanalabs: Read upper bits of trace buffer from RWPHI habanalabs: Fix virtual address access via debugfs for 2MB pages habanalabs: fix bug in checking huge page optimization commit ebcc5928c5d925b1c8d968d9c89cdb0d0186db17 Author: Dave Martin Date: Thu Jun 6 11:33:43 2019 +0100 arm64: Silence gcc warnings about arch ABI drift Since GCC 9, the compiler warns about evolution of the platform-specific ABI, in particular relating for the marshaling of certain structures involving bitfields. The kernel is a standalone binary, and of course nobody would be so stupid as to expose structs containing bitfields as function arguments in ABI. (Passing a pointer to such a struct, however inadvisable, should be unaffected by this change. perf and various drivers rely on that.) So these warnings do more harm than good: turn them off. We may miss warnings about future ABI drift, but that's too bad. Future ABI breaks of this class will have to be debugged and fixed the traditional way unless the compiler evolves finer-grained diagnostics. Signed-off-by: Dave Martin Signed-off-by: Will Deacon commit 527a1d1ede98479bf90c31a64822107ac7e6d276 Author: Helge Deller Date: Mon May 27 21:20:00 2019 +0200 parisc: Fix crash due alternative coding for NP iopdir_fdc bit According to the found documentation, data cache flushes and sync instructions are needed on the PCX-U+ (PA8200, e.g. C200/C240) platforms, while PCX-W (PA8500, e.g. C360) platforms aparently don't need those flushes when changing the IO PDIR data structures. We have no documentation for PCX-W+ (PA8600) and PCX-W2 (PA8700) CPUs, but Carlo Pisani reported that his C3600 machine (PA8600, PCX-W+) fails when the fdc instructions were removed. His firmware didn't set the NIOP bit, so one may assume it's a firmware bug since other C3750 machines had the bit set. Even if documentation (as mentioned above) states that PCX-W (PA8500, e.g. J5000) does not need fdc flushes, Sven could show that an Adaptec 29320A PCI-X SCSI controller reliably failed on a dd command during the first five minutes in his J5000 when fdc flushes were missing. Going forward, we will now NOT replace the fdc and sync assembler instructions by NOPS if: a) the NP iopdir_fdc bit was set by firmware, or b) we find a CPU up to and including a PCX-W+ (PA8600). This fixes the HPMC crashes on a C240 and C36XX machines. For other machines we rely on the firmware to set the bit when needed. In case one finds HPMC issues, people could try to boot their machines with the "no-alternatives" kernel option to turn off any alternative patching. Reported-by: Sven Schnelle Reported-by: Carlo Pisani Tested-by: Sven Schnelle Fixes: 3847dab77421 ("parisc: Add alternative coding infrastructure") Signed-off-by: Helge Deller Cc: stable@vger.kernel.org # 5.0+ commit 116d753308cf032159c7b7aa87c9605bb5354784 Author: John David Anglin Date: Sun Jun 2 19:12:40 2019 -0400 parisc: Use lpa instruction to load physical addresses in driver code Most I/O in the kernel is done using the kernel offset mapping. However, there is one API that uses aliased kernel address ranges: > The final category of APIs is for I/O to deliberately aliased address > ranges inside the kernel. Such aliases are set up by use of the > vmap/vmalloc API. Since kernel I/O goes via physical pages, the I/O > subsystem assumes that the user mapping and kernel offset mapping are > the only aliases. This isn't true for vmap aliases, so anything in > the kernel trying to do I/O to vmap areas must manually manage > coherency. It must do this by flushing the vmap range before doing > I/O and invalidating it after the I/O returns. For this reason, we should use the hardware lpa instruction to load the physical address of kernel virtual addresses in the driver code. I believe we only use the vmap/vmalloc API with old PA 1.x processors which don't have a sba, so we don't hit this problem. Tested on c3750, c8000 and rp3440. Signed-off-by: John David Anglin Signed-off-by: Helge Deller commit ec13c82d261b5a10e6f6e3273b60329d1146edbb Author: Krzysztof Kozlowski Date: Tue Jun 4 09:57:39 2019 +0200 parisc: configs: Remove useless UEVENT_HELPER_PATH Remove the CONFIG_UEVENT_HELPER_PATH because: 1. It is disabled since commit 1be01d4a5714 ("driver: base: Disable CONFIG_UEVENT_HELPER by default") as its dependency (UEVENT_HELPER) was made default to 'n', 2. It is not recommended (help message: "This should not be used today [...] creates a high system load") and was kept only for ancient userland, 3. Certain userland specifically requests it to be disabled (systemd README: "Legacy hotplug slows down the system and confuses udev"). Signed-off-by: Krzysztof Kozlowski Acked-by: Geert Uytterhoeven Signed-off-by: Helge Deller commit 63923d2c3800919774f5c651d503d1dd2adaddd5 Author: John David Anglin Date: Mon May 27 20:15:14 2019 -0400 parisc: Use implicit space register selection for loading the coherence index of I/O pdirs We only support I/O to kernel space. Using %sr1 to load the coherence index may be racy unless interrupts are disabled. This patch changes the code used to load the coherence index to use implicit space register selection. This saves one instruction and eliminates the race. Tested on rp3440, c8000 and c3750. Signed-off-by: John David Anglin Cc: stable@vger.kernel.org Signed-off-by: Helge Deller commit 42cc68868ce9d5f5277f561bb17b4746a332bb28 Author: Wei Yongjun Date: Sat May 4 07:04:07 2019 +0000 usb: gadget: udc: lpc32xx: fix return value check in lpc32xx_udc_probe() In case of error, the function devm_ioremap_resource() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). This issue was detected by using the Coccinelle software. Fixes: 408b56ca5c8e ("usb: gadget: udc: lpc32xx: simplify probe") Acked-by: Sylvain Lemieux Acked-by: Vladimir Zapolskiy Signed-off-by: Wei Yongjun Signed-off-by: Felipe Balbi commit 066cfd0770aba8a9ac79b59d99530653885d919d Author: Andrzej Pietrasiewicz Date: Mon Apr 1 12:50:45 2019 +0200 usb: gadget: dwc2: fix zlp handling The patch 10209abe87f5ebfd482a00323f5236d6094d0865 usb: dwc2: gadget: Add scatter-gather mode avoided a NULL pointer dereference (hs_ep->req == NULL) by calling dwc2_gadget_fill_nonisoc_xfer_dma_one() directly instead of through the dwc2_gadget_config_nonisoc_xfer_ddma() wrapper, which unconditionally dereferenced the said pointer. However, this was based on an incorrect assumption that in the context of dwc2_hsotg_program_zlp() the pointer is always NULL, which is not the case. The result were SB CV MSC tests failing starting from Test Case 6. Instead, this patch reverts to calling the wrapper and adds a check for the pointer being NULL inside the wrapper. Fixes: 10209abe87f5 (usb: dwc2: gadget: Add scatter-gather mode) Acked-by: Minas Harutyunyan Signed-off-by: Andrzej Pietrasiewicz Signed-off-by: Felipe Balbi commit 4faf3b36553a0a5304f58ee3a620e659739a2e20 Author: Minas Harutyunyan Date: Mon Apr 29 15:23:43 2019 +0400 usb: dwc2: Set actual frame number for completed ISOC transfer for none DDMA On ISOC OUT transfer completion, in none DDMA mode, set actual frame number returning to function driver in usb_request. Signed-off-by: Minas Harutyunyan Signed-off-by: Felipe Balbi commit fbc318afadd6e7ae2252d6158cf7d0c5a2132f7d Author: Alexandre Belloni Date: Wed May 22 14:07:36 2019 +0200 usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC Gadget drivers may queue request in interrupt context. This would lead to a descriptor allocation in that context. In that case we would hit BUG_ON(in_interrupt()) in __get_vm_area_node. Also remove the unnecessary cast. Acked-by: Sylvain Lemieux Tested-by: James Grant Signed-off-by: Alexandre Belloni Signed-off-by: Felipe Balbi commit 62fd0e0a24abeebe2c19fce49dd5716d9b62042d Author: Young Xiao <92siuyang@gmail.com> Date: Tue May 28 20:17:54 2019 +0800 usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i] There is no deallocation of fusb300->ep[i] elements, allocated at fusb300_probe. The patch adds deallocation of fusb300->ep array elements. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Felipe Balbi commit b5bbe22353614d6a4d7a4b33f326e3009ec38052 Author: Andrey Smirnov Date: Tue May 28 23:59:48 2019 -0700 usb: phy: mxs: Disable external charger detect in mxs_phy_hw_init() Since this driver already handles changer detction state, copy the workaround code currently residing in arch/arm/mach-imx/anatop.c into this drier to consolidate the places modifying it. Signed-off-by: Andrey Smirnov Cc: Chris Healy Cc: Felipe Balbi Cc: Shawn Guo Cc: Fabio Estevam Cc: NXP Linux Team Cc: linux-usb@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Reviewed-by: Peter Chen Signed-off-by: Felipe Balbi commit 4a4863bf2e7932e584a3a462d3c6daf891142ddc Author: Martin Schiller Date: Mon Feb 18 07:37:30 2019 +0100 usb: dwc2: Fix DMA cache alignment issues Insert a padding between data and the stored_xfer_buffer pointer to ensure they are not on the same cache line. Otherwise, the stored_xfer_buffer gets corrupted for IN URBs on non-cache-coherent systems. (In my case: Lantiq xRX200 MIPS) Fixes: 3bc04e28a030 ("usb: dwc2: host: Get aligned DMA in a more supported way") Fixes: 56406e017a88 ("usb: dwc2: Fix DMA alignment to start at allocated boundary") Cc: Tested-by: Douglas Anderson Reviewed-by: Douglas Anderson Acked-by: Minas Harutyunyan Signed-off-by: Martin Schiller Signed-off-by: Felipe Balbi commit babd183915e91a64e976b9e8ab682bb56624df76 Author: Douglas Anderson Date: Fri May 31 13:04:12 2019 -0700 usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam regression) In commit abb621844f6a ("usb: ch9: make usb_endpoint_maxp() return only packet size") the API to usb_endpoint_maxp() changed. It used to just return wMaxPacketSize but after that commit it returned wMaxPacketSize with the high bits (the multiplier) masked off. If you wanted to get the multiplier it was now up to your code to call the new usb_endpoint_maxp_mult() which was introduced in commit 541b6fe63023 ("usb: add helper to extract bits 12:11 of wMaxPacketSize"). Prior to the API change most host drivers were updated, but no update was made to dwc2. Presumably it was assumed that dwc2 was too simplistic to use the multiplier and thus just didn't support a certain class of USB devices. However, it turns out that dwc2 did use the multiplier and many devices using it were working quite nicely. That means that many USB devices have been broken since the API change. One such device is a Logitech HD Pro Webcam C920. Specifically, though dwc2 didn't directly call usb_endpoint_maxp(), it did call usb_maxpacket() which in turn called usb_endpoint_maxp(). Let's update dwc2 to work properly with the new API. Fixes: abb621844f6a ("usb: ch9: make usb_endpoint_maxp() return only packet size") Cc: stable@vger.kernel.org Acked-by: Minas Harutyunyan Reviewed-by: Matthias Kaehlcke Signed-off-by: Douglas Anderson Signed-off-by: Felipe Balbi commit 2b55d83e9a8ca36ab9e108dab52902a67f573f6f Author: George G. Davis Date: Wed Jun 5 16:30:09 2019 -0400 ARM64: trivial: s/TIF_SECOMP/TIF_SECCOMP/ comment typo fix Fix a s/TIF_SECOMP/TIF_SECCOMP/ comment typo Cc: Jiri Kosina Reviewed-by: Kees Cook Signed-off-by: Will Deacon commit 6d10dc617b4128c06fc2a88b47fda0a183ffe36c Author: Dan Carpenter Date: Fri May 3 15:25:25 2019 +0300 drm/komeda: Potential error pointer dereference We need to check whether drm_atomic_get_crtc_state() returns an error pointer before dereferencing "crtc_st". Fixes: 9e5603094176 ("drm/komeda: Add komeda_plane/plane_helper_funcs") Signed-off-by: Dan Carpenter Reviewed-by: "james qian wang (Arm Technology China)" Signed-off-by: Liviu Dudau commit 7cb8bec205258601af2810f4f1998a207340e73c Author: YueHaibing Date: Sat Apr 27 00:42:02 2019 +0800 drm/komeda: remove set but not used variable 'kcrtc' Fixes gcc '-Wunused-but-set-variable' warning: drivers/gpu/drm/arm/display/komeda/komeda_plane.c: In function komeda_plane_atomic_check: drivers/gpu/drm/arm/display/komeda/komeda_plane.c:49:22: warning: variable kcrtc set but not used [-Wunused-but-set-variable] It is never used since introduction in commit 9e5603094176 ("drm/komeda: Add komeda_plane/plane_helper_funcs") Signed-off-by: YueHaibing Reviewed-by: James Qian Wang (Arm Technology China) Signed-off-by: Liviu Dudau commit e35faeb64146f2015f2aec14b358ae508e4066db Author: Kan Liang Date: Mon Jun 3 06:41:20 2019 -0700 x86/CPU: Add more Icelake model numbers Add the CPUID model numbers of Icelake (ICL) desktop and server processors to the Intel family list. [ Qiuxu: Sort the macros by model number. ] Signed-off-by: Kan Liang Signed-off-by: Borislav Petkov Cc: "H. Peter Anvin" Cc: Andy Shevchenko Cc: Ingo Molnar Cc: Peter Zijlstra Cc: Qiuxu Zhuo Cc: Rajneesh Bhardwaj Cc: rui.zhang@intel.com Cc: Thomas Gleixner Cc: Tony Luck Cc: x86-ml Link: https://lkml.kernel.org/r/20190603134122.13853-1-kan.liang@linux.intel.com commit dbd9f78ed23746e9708f773224eec2c8b33206e7 Merge: 75cb3776fdff 283f1e383e91 Author: Dave Airlie Date: Thu Jun 6 11:56:00 2019 +1000 Merge tag 'drm-misc-fixes-2019-06-05' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes - Allow fb changes in async commits (fixes igt failures) (Helen) - Actually unmap the scatterlist when unmapping udmabuf (Lucas) Cc: Lucas Stach Cc: Helen Koike Signed-off-by: Dave Airlie From: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20190605210335.GA35431@art_vandelay commit 75cb3776fdffa94b424406aeb0efb76b122990f5 Merge: 351212f69dc6 192905989302 Author: Dave Airlie Date: Thu Jun 6 11:53:13 2019 +1000 Merge branch 'drm-fixes-5.2' of git://people.freedesktop.org/~agd5f/linux into drm-fixes - A fix to make VCE resume more reliable - Updates for new raven variants Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20190605182332.4073-1-alexander.deucher@amd.com commit 351212f69dc6be69228567d0e954a7e97d0e4e04 Merge: f2c7c76c5d0a afb286bcae85 Author: Dave Airlie Date: Thu Jun 6 11:46:08 2019 +1000 Merge tag 'drm-intel-fixes-2019-06-03' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Add missing Icelake W/A to disable GPU hang on cache ECC error - GVT a fix for recently seen arbitrary DMA map fault and more enforcement fixes. Signed-off-by: Dave Airlie From: Joonas Lahtinen Link: https://patchwork.freedesktop.org/patch/msgid/20190603132928.GA4866@jlahtine-desk.ger.corp.intel.com commit 4a60570dce658e3f8885bbcf852430b99f65aca5 Author: Robert Hancock Date: Wed Jun 5 13:49:00 2019 -0600 hwmon: (pmbus/core) Treat parameters as paged if on multiple pages Some chips have attributes which exist on more than one page but the attribute is not presently marked as paged. This causes the attributes to be generated with the same label, which makes it impossible for userspace to tell them apart. Marking all such attributes as paged would result in the page suffix being added regardless of whether they were present on more than one page or not, which might break existing setups. Therefore, we add a second check which treats the attribute as paged, even if not marked as such, if it is present on multiple pages. Fixes: b4ce237b7f7d ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers") Signed-off-by: Robert Hancock Signed-off-by: Guenter Roeck commit 38463721ec3c39acdabed3a89016ce6bb32a7543 Author: Adamski, Krzysztof (Nokia - PL/Wroclaw) Date: Wed May 29 14:33:52 2019 +0000 hwmon: (pmbus/core) mutex_lock write in pmbus_set_samples update_lock is a mutex intended to protect write operations. It was not taken, however, when _pmbus_write_word_data is called from pmbus_set_samples() function which may cause problems especially when some PMBUS_VIRT_* operation is implemented as a read-modify-write cycle. This patch makes sure the lock is held during the operation. Fixes: 49c4455dccf2 ("hwmon: (pmbus) Introduce PMBUS_VIRT_*_SAMPLES registers") Signed-off-by: Krzysztof Adamski Reviewed-by: Alexander Sverdlin [groeck: Declared and initialized missing 'data' variable] Signed-off-by: Guenter Roeck commit c41dd48e21fae3e55b3670ccf2eb562fc1f6a67d Author: Eduardo Valentin Date: Wed May 29 19:56:04 2019 -0700 hwmon: (core) add thermal sensors only if dev->of_node is present Drivers may register to hwmon and request for also registering with the thermal subsystem (HWMON_C_REGISTER_TZ). However, some of these driver, e.g. marvell phy, may be probed from Device Tree or being dynamically allocated, and in the later case, it will not have a dev->of_node entry. Registering with hwmon without the dev->of_node may result in different outcomes depending on the device tree, which may be a bit misleading. If the device tree blob has no 'thermal-zones' node, the *hwmon_device_register*() family functions are going to gracefully succeed, because of-thermal, *thermal_zone_of_sensor_register() return -ENODEV in this case, and the hwmon error path handles this error code as success to cover for the case where CONFIG_THERMAL_OF is not set. However, if the device tree blob has the 'thermal-zones' entry, the *hwmon_device_register*() will always fail on callers with no dev->of_node, propagating -EINVAL. If dev->of_node is not present, calling of-thermal does not make sense. For this reason, this patch checks first if the device has a of_node before going over the process of registering with the thermal subsystem of-thermal interface. And in this case, when a caller of *hwmon_device_register*() with HWMON_C_REGISTER_TZ and no dev->of_node will still register with hwmon, but not with the thermal subsystem. If all the hwmon part bits are in place, the registration will succeed. Fixes: d560168b5d0f ("hwmon: (core) New hwmon registration API") Cc: Jean Delvare Cc: Guenter Roeck Cc: linux-hwmon@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Eduardo Valentin Signed-off-by: Guenter Roeck commit 4970b42d5c362bf873982db7d93245c5281e58f4 Author: Hangbin Liu Date: Wed Jun 5 12:27:14 2019 +0800 Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied" This reverts commit e9919a24d3022f72bcadc407e73a6ef17093a849. Nathan reported the new behaviour breaks Android, as Android just add new rules and delete old ones. If we return 0 without adding dup rules, Android will remove the new added rules and causing system to soft-reboot. Fixes: e9919a24d302 ("fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied") Reported-by: Nathan Chancellor Reported-by: Yaro Slav Reported-by: Maciej Żenczykowski Signed-off-by: Hangbin Liu Reviewed-by: Nathan Chancellor Tested-by: Nathan Chancellor Signed-off-by: David S. Miller commit 930b9a0543385d4eb8ef887e88cf84d95a844577 Author: Nikita Danilov Date: Tue Jun 4 13:23:49 2019 +0000 net: aquantia: fix wol configuration not applied sometimes WoL magic packet configuration sometimes does not work due to couple of leakages found. Mainly there was a regression introduced during readx_poll refactoring. Next, fw request waiting time was too small. Sometimes that caused sleep proxy config function to return with an error and to skip WoL configuration. At last, WoL data were passed to FW from not clean buffer. That could cause FW to accept garbage as a random configuration data. Fixes: 6a7f2277313b ("net: aquantia: replace AQ_HW_WAIT_FOR with readx_poll_timeout_atomic") Signed-off-by: Nikita Danilov Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 Author: Vivien Didelot Date: Mon Jun 3 16:57:13 2019 -0400 ethtool: fix potential userspace buffer overflow ethtool_get_regs() allocates a buffer of size ops->get_regs_len(), and pass it to the kernel driver via ops->get_regs() for filling. There is no restriction about what the kernel drivers can or cannot do with the open ethtool_regs structure. They usually set regs->version and ignore regs->len or set it to the same size as ops->get_regs_len(). But if userspace allocates a smaller buffer for the registers dump, we would cause a userspace buffer overflow in the final copy_to_user() call, which uses the regs.len value potentially reset by the driver. To fix this, make this case obvious and store regs.len before calling ops->get_regs(), to only copy as much data as requested by userspace, up to the value returned by ops->get_regs_len(). While at it, remove the redundant check for non-null regbuf. Signed-off-by: Vivien Didelot Reviewed-by: Michal Kubecek Signed-off-by: David S. Miller commit 0a8dd9f67cd0da7dc284f48b032ce00db1a68791 Author: Neil Horman Date: Mon Jun 3 16:32:59 2019 -0400 Fix memory leak in sctp_process_init syzbot found the following leak in sctp_process_init BUG: memory leak unreferenced object 0xffff88810ef68400 (size 1024): comm "syz-executor273", pid 7046, jiffies 4294945598 (age 28.770s) hex dump (first 32 bytes): 1d de 28 8d de 0b 1b e3 b5 c2 f9 68 fd 1a 97 25 ..(........h...% 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000a02cebbd>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<00000000a02cebbd>] slab_post_alloc_hook mm/slab.h:439 [inline] [<00000000a02cebbd>] slab_alloc mm/slab.c:3326 [inline] [<00000000a02cebbd>] __do_kmalloc mm/slab.c:3658 [inline] [<00000000a02cebbd>] __kmalloc_track_caller+0x15d/0x2c0 mm/slab.c:3675 [<000000009e6245e6>] kmemdup+0x27/0x60 mm/util.c:119 [<00000000dfdc5d2d>] kmemdup include/linux/string.h:432 [inline] [<00000000dfdc5d2d>] sctp_process_init+0xa7e/0xc20 net/sctp/sm_make_chunk.c:2437 [<00000000b58b62f8>] sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline] [<00000000b58b62f8>] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1384 [inline] [<00000000b58b62f8>] sctp_side_effects net/sctp/sm_sideeffect.c:1194 [inline] [<00000000b58b62f8>] sctp_do_sm+0xbdc/0x1d60 net/sctp/sm_sideeffect.c:1165 [<0000000044e11f96>] sctp_assoc_bh_rcv+0x13c/0x200 net/sctp/associola.c:1074 [<00000000ec43804d>] sctp_inq_push+0x7f/0xb0 net/sctp/inqueue.c:95 [<00000000726aa954>] sctp_backlog_rcv+0x5e/0x2a0 net/sctp/input.c:354 [<00000000d9e249a8>] sk_backlog_rcv include/net/sock.h:950 [inline] [<00000000d9e249a8>] __release_sock+0xab/0x110 net/core/sock.c:2418 [<00000000acae44fa>] release_sock+0x37/0xd0 net/core/sock.c:2934 [<00000000963cc9ae>] sctp_sendmsg+0x2c0/0x990 net/sctp/socket.c:2122 [<00000000a7fc7565>] inet_sendmsg+0x64/0x120 net/ipv4/af_inet.c:802 [<00000000b732cbd3>] sock_sendmsg_nosec net/socket.c:652 [inline] [<00000000b732cbd3>] sock_sendmsg+0x54/0x70 net/socket.c:671 [<00000000274c57ab>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2292 [<000000008252aedb>] __sys_sendmsg+0x80/0xf0 net/socket.c:2330 [<00000000f7bf23d1>] __do_sys_sendmsg net/socket.c:2339 [inline] [<00000000f7bf23d1>] __se_sys_sendmsg net/socket.c:2337 [inline] [<00000000f7bf23d1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2337 [<00000000a8b4131f>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:3 The problem was that the peer.cookie value points to an skb allocated area on the first pass through this function, at which point it is overwritten with a heap allocated value, but in certain cases, where a COOKIE_ECHO chunk is included in the packet, a second pass through sctp_process_init is made, where the cookie value is re-allocated, leaking the first allocation. Fix is to always allocate the cookie value, and free it when we are done using it. Signed-off-by: Neil Horman Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com CC: Marcelo Ricardo Leitner CC: "David S. Miller" CC: netdev@vger.kernel.org Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller commit b50e058746ba29f517e27299447831ab3d93f896 Author: Zhu Yanjun Date: Mon Jun 3 08:48:19 2019 -0400 net: rds: fix memory leak when unload rds_rdma When KASAN is enabled, after several rds connections are created, then "rmmod rds_rdma" is run. The following will appear. " BUG rds_ib_incoming (Not tainted): Objects remaining in rds_ib_incoming on __kmem_cache_shutdown() Call Trace: dump_stack+0x71/0xab slab_err+0xad/0xd0 __kmem_cache_shutdown+0x17d/0x370 shutdown_cache+0x17/0x130 kmem_cache_destroy+0x1df/0x210 rds_ib_recv_exit+0x11/0x20 [rds_rdma] rds_ib_exit+0x7a/0x90 [rds_rdma] __x64_sys_delete_module+0x224/0x2c0 ? __ia32_sys_delete_module+0x2c0/0x2c0 do_syscall_64+0x73/0x190 entry_SYSCALL_64_after_hwframe+0x44/0xa9 " This is rds connection memory leak. The root cause is: When "rmmod rds_rdma" is run, rds_ib_remove_one will call rds_ib_dev_shutdown to drop the rds connections. rds_ib_dev_shutdown will call rds_conn_drop to drop rds connections as below. " rds_conn_path_drop(&conn->c_path[0], false); " In the above, destroy is set to false. void rds_conn_path_drop(struct rds_conn_path *cp, bool destroy) { atomic_set(&cp->cp_state, RDS_CONN_ERROR); rcu_read_lock(); if (!destroy && rds_destroy_pending(cp->cp_conn)) { rcu_read_unlock(); return; } queue_work(rds_wq, &cp->cp_down_w); rcu_read_unlock(); } In the above function, destroy is set to false. rds_destroy_pending is called. This does not move rds connections to ib_nodev_conns. So destroy is set to true to move rds connections to ib_nodev_conns. In rds_ib_unregister_client, flush_workqueue is called to make rds_wq finsh shutdown rds connections. The function rds_ib_destroy_nodev_conns is called to shutdown rds connections finally. Then rds_ib_recv_exit is called to destroy slab. void rds_ib_recv_exit(void) { kmem_cache_destroy(rds_ib_incoming_slab); kmem_cache_destroy(rds_ib_frag_slab); } The above slab memory leak will not occur again. >From tests, 256 rds connections [root@ca-dev14 ~]# time rmmod rds_rdma real 0m16.522s user 0m0.000s sys 0m8.152s 512 rds connections [root@ca-dev14 ~]# time rmmod rds_rdma real 0m32.054s user 0m0.000s sys 0m15.568s To rmmod rds_rdma with 256 rds connections, about 16 seconds are needed. And with 512 rds connections, about 32 seconds are needed. >From ftrace, when one rds connection is destroyed, " 19) | rds_conn_destroy [rds]() { 19) 7.782 us | rds_conn_path_drop [rds](); 15) | rds_shutdown_worker [rds]() { 15) | rds_conn_shutdown [rds]() { 15) 1.651 us | rds_send_path_reset [rds](); 15) 7.195 us | } 15) + 11.434 us | } 19) 2.285 us | rds_cong_remove_conn [rds](); 19) * 24062.76 us | } " So if many rds connections will be destroyed, this function rds_ib_destroy_nodev_conns uses most of time. Suggested-by: Håkon Bugge Signed-off-by: Zhu Yanjun Signed-off-by: David S. Miller commit b7999b07726c16974ba9ca3bb9fe98ecbec5f81c Author: Xin Long Date: Sun Jun 2 19:10:46 2019 +0800 ipv6: fix the check before getting the cookie in rt6_get_cookie In Jianlin's testing, netperf was broken with 'Connection reset by peer', as the cookie check failed in rt6_check() and ip6_dst_check() always returned NULL. It's caused by Commit 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes"), where the cookie can be got only when 'c1'(see below) for setting dst_cookie whereas rt6_check() is called when !'c1' for checking dst_cookie, as we can see in ip6_dst_check(). Since in ip6_dst_check() both rt6_dst_from_check() (c1) and rt6_check() (!c1) will check the 'from' cookie, this patch is to remove the c1 check in rt6_get_cookie(), so that the dst_cookie can always be set properly. c1: (rt->rt6i_flags & RTF_PCPU || unlikely(!list_empty(&rt->rt6i_uncached))) Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes") Reported-by: Jianlin Shi Signed-off-by: Xin Long